From: Taeyang Lee <0wn@theori.io>
To: kvm@vger.kernel.org
Cc: Taeyang Lee <0wn@theori.io>, Konrad Rzeszutek Wilk, Paolo Bonzini, KarimAllah Ahmed, linux-kernel@vger.kernel.org
Subject: [PATCH] KVM: clear map->gfn in kvm_vcpu_unmap() to prevent stale validity checks
Date: Wed, 11 Mar 2026 19:50:47 +0900
Message-Id: <20260311105047.18517-1-0wn@theori.io>

kvm_vcpu_unmap() clears map->hva and map->page but leaves map->gfn with its
previous value. This creates an inconsistent state: callers that check
gfn != 0 as a proxy for map validity will believe the map is still valid
when hva is already NULL.

This pattern caused a null pointer dereference in the 6.1.x LTS branch,
where vmx_guest_apic_has_interrupt() checked virtual_apic_map.gfn but
dereferenced virtual_apic_map.hva unconditionally. That specific call site
no longer exists in mainline due to the gfn_to_pfn_cache refactoring, but
the inconsistency in kvm_vcpu_unmap() remains and could affect future
kvm_host_map users that rely on gfn for validity.

Similarly, kvm_vcpu_map() does not modify the map struct on failure, so
stale gfn values from a previous successful mapping survive a failed remap
attempt. Clearing gfn in kvm_vcpu_unmap() ensures that after an
unmap-then-failed-remap sequence, gfn correctly reflects that no valid
mapping exists.

Clear map->gfn in kvm_vcpu_unmap().

Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: e45adf665a53 ("KVM: Introduce a new guest mapping API")
Signed-off-by: Taeyang Lee <0wn@theori.io>
---
 virt/kvm/kvm_main.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 7a4fd1dbe0d7..88fc8b20aa8f 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -2887,6 +2887,7 @@ void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm= _host_map *map, bool dirty) =20 map->hva =3D NULL; map->page =3D NULL; + map->gfn =3D 0; } EXPORT_SYMBOL_GPL(kvm_vcpu_unmap); =20 --=20 2.39.5 (Apple Git-154)
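Review bot: `map->gfn = 0` in this hunk removes the stale value, but 0 is itself a legitimate guest frame number, so a `gfn != 0` check can never be a sound validity test: it would also reject a live mapping of gfn 0. Either the commit message should state that callers must test `map->hva` (the pointer they actually dereference) rather than `map->gfn`, or the sentinel should be a value that cannot be a real gfn. If `struct kvm_host_map` carries further per-mapping fields beyond `hva`, `page` and `gfn`, it is worth resetting those in the same place so the struct is consistently "empty" after unmap rather than partially cleared.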
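The unmap-then-failed-remap sequence the commit message describes, as an added illustration in C that is not part of the patch or of KVM's own code. It models `kvm_host_map` with only the three fields the hunk touches (the hypothetical `struct host_map` and `model_*` helpers are constructed here), runs the sequence once with the pre-patch unmap and once with the patched one, and reports whether a `gfn != 0` validity check disagrees with `hva`. It also shows the sentinel's limitation: a mapping of gfn 0 looks invalid to the gfn check even when `hva` is perfectly good.

```c
/* Constructed model of the kvm_host_map state machine discussed in the
 * patch. This is example code, not KVM's; only the three fields the hunk
 * touches are mirrored. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

struct host_map {
    void  *page;  /* backing page (stand-in for struct page *) */
    void  *hva;   /* host virtual address; NULL when unmapped */
    gfn_t  gfn;   /* guest frame number recorded at map time */
};

/* Stand-in for kvm_vcpu_map(): on success fills all three fields; on failure
 * (simulated by 'fail') it leaves the struct untouched, as the commit
 * message says the real function does. */
static bool model_map(struct host_map *map, gfn_t gfn, bool fail)
{
    static char backing[4096];  /* constructed "host page" */
    if (fail)
        return false;
    map->page = backing;
    map->hva = backing;
    map->gfn = gfn;
    return true;
}

/* kvm_vcpu_unmap() before the patch: hva and page cleared, gfn left stale. */
static void model_unmap_before(struct host_map *map)
{
    map->hva = NULL;
    map->page = NULL;
}

/* kvm_vcpu_unmap() after the patch: gfn cleared as well. */
static void model_unmap_after(struct host_map *map)
{
    map->hva = NULL;
    map->page = NULL;
    map->gfn = 0;
}

/* The fragile check from the commit message: gfn != 0 as a validity proxy. */
static bool looks_valid_by_gfn(const struct host_map *map) { return map->gfn != 0; }

/* The robust check: test the pointer that will actually be dereferenced. */
static bool looks_valid_by_hva(const struct host_map *map) { return map->hva != NULL; }

/* Run map -> unmap -> failed remap. Returns 1 if the gfn-based check claims
 * the map is valid while hva is NULL (the state that leads to a NULL
 * dereference), 0 if the two checks agree. */
int stale_check_after_failed_remap(bool use_patched_unmap)
{
    struct host_map map = {0};
    model_map(&map, 0x1234, false);            /* successful first mapping */
    if (use_patched_unmap)
        model_unmap_after(&map);
    else
        model_unmap_before(&map);
    model_map(&map, 0x1234, true);             /* remap fails, struct untouched */
    return looks_valid_by_gfn(&map) && !looks_valid_by_hva(&map);
}

/* Returns 1 if the gfn-based check rejects a live mapping of gfn 0, showing
 * why 0 is not a safe "invalid" sentinel; the hva-based check accepts it. */
int gfn_check_rejects_valid_gfn0(void)
{
    struct host_map map = {0};
    model_map(&map, 0, false);
    return !looks_valid_by_gfn(&map) && looks_valid_by_hva(&map);
}

int main(void)
{
    printf("pre-patch unmap, gfn check inconsistent with hva: %d\n",
           stale_check_after_failed_remap(false));
    printf("patched unmap,   gfn check inconsistent with hva: %d\n",
           stale_check_after_failed_remap(true));
    printf("gfn check rejects a valid mapping of gfn 0:      %d\n",
           gfn_check_rejects_valid_gfn0());
    return 0;
}
```

The first two results are the before/after behaviour the patch targets; the third is the reason a caller should key its validity test on `hva` (or another field that cannot collide with a real value) rather than on `gfn`, whichever unmap variant is in the tree.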