From nobody Tue Apr 7 13:02:01 2026
Reply-To: Sean Christopherson
Date: Thu, 12 Mar 2026 17:32:58 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-2-seanjc@google.com>
Subject: [PATCH 1/5] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick

Drop the WARN in sev_pin_memory() on npages overflowing an int, as the WARN
is comically trivial to trigger from userspace, e.g. by doing:

  struct kvm_enc_region range = {
    .addr = 0,
    .size = -1ul,
  };

  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);

Note, the checks in sev_mem_enc_register_region() that presumably exist to
verify the incoming address+size are completely worthless, as both "addr"
and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater
than ULONG_MAX. That wart will be cleaned up in the near future.

  if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
    return -EINVAL;

Opportunistically add a comment to explain why the code calculates the
number of pages the "hard" way, e.g. instead of just shifting @ulen.

Fixes: 78824fabc72e ("KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index b1aa85a6ca5a..23a383f2e43d 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -690,10 +690,16 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, if (ulen =3D=3D 0 || uaddr + ulen < uaddr) return ERR_PTR(-EINVAL); =20 - /* Calculate number of pages. */ + /* + * Calculate the number of pages that need to be pinned to cover the + * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM + * doesn't require the incoming address+size to be page aligned! + */ first =3D (uaddr & PAGE_MASK) >> PAGE_SHIFT; last =3D ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; npages =3D (last - first + 1); + if (npages > INT_MAX) + return ERR_PTR(-EINVAL); =20 locked =3D sev->pages_locked + npages; lock_limit =3D rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; 
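Review bot: the new `if (npages > INT_MAX) return ERR_PTR(-EINVAL);` has no comment saying why INT_MAX is the bound, and the comment block just above it only explains the page-count arithmetic, so a reader will take the limit for a resource cap rather than a truncation guard. Suggest a one-line note that pin_user_pages_fast() takes nr_pages as an int, so any larger count would be silently truncated before pinning. Placing the check ahead of the lock_limit computation is the right order, since `sev->pages_locked + npages` is only meaningful once npages is known to be sane, and returning -EINVAL quietly instead of WARNing is the correct response to a value an unprivileged ioctl caller controls.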
@@ -702,9 +708,6 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, return ERR_PTR(-ENOMEM); } =20 - if (WARN_ON_ONCE(npages > INT_MAX)) - return ERR_PTR(-EINVAL); - /* Avoid using vmalloc for smaller buffers. */ size =3D npages * sizeof(struct page *); if (size > PAGE_SIZE) --=20 2.53.0.851.ga537e3e6e9-goog
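Review bot: the removal here is consistent with the check added earlier in the same function, so no oversized npages can reach the `size = npages * sizeof(struct page *)` computation that follows. The changelog would be stronger if it said explicitly that the dropped WARN_ON_ONCE() sat behind an unprivileged ioctl: on hosts booted with panic_on_warn a userspace-reachable WARN takes the machine down, which is the concrete reason this merits the Cc: stable tag.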

Reply-To: Sean Christopherson
Date: Thu, 12 Mar 2026 17:32:59 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-3-seanjc@google.com>
Subject: [PATCH 2/5] KVM: SEV: Drop useless sanity checks in sev_mem_enc_register_region()
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick

Drop sev_mem_enc_register_region()'s sanity checks on the incoming address
and size, as SEV is 64-bit only, making ULONG_MAX a 64-bit, all-ones value,
and thus making it impossible for kvm_enc_region.{addr,size} to be greater
than ULONG_MAX.

Note, sev_pin_memory() verifies the incoming address is non-NULL (which
isn't strictly required, but whatever), and that addr+size don't wrap to
zero (which _is_ needed and what really needs to be guarded against).

Note #2, pin_user_pages_fast() guards against the end address walking into
kernel address space, so lack of an access_ok() check is also safe (maybe
not ideal, but safe).

No functional change intended (the generated code is literally the same,
i.e. the compiler was smart enough to know the checks were useless).

Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 23a383f2e43d..857771586f16 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2711,9 +2711,6 @@ int sev_mem_enc_register_region(struct kvm *kvm, if (is_mirroring_enc_context(kvm)) return -EINVAL; =20 - if (range->addr > ULONG_MAX || range->size > ULONG_MAX) - return -EINVAL; - region =3D kzalloc_obj(*region, GFP_KERNEL_ACCOUNT); if (!region) return -ENOMEM; --=20 2.53.0.851.ga537e3e6e9-goog
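Review bot: with these three lines gone, sev_mem_enc_register_region() performs no validation of range->addr or range->size itself; the only remaining guards are the `ulen == 0 || uaddr + ulen < uaddr` check in sev_pin_memory() and the kernel-address check inside pin_user_pages_fast(). Suggest a short comment at this spot naming sev_pin_memory() as the place the range is validated, so a later change that consumes `range` before the pin, or swaps the pin helper, does not quietly reintroduce an unchecked size. The changelog's note that the generated code is identical confirms the comparisons were always false for a u64 on a 64-bit-only feature.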

Reply-To: Sean Christopherson
Date: Thu, 12 Mar 2026 17:33:00 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-4-seanjc@google.com>
Subject: [PATCH 3/5] KVM: SEV: Disallow pinning more pages than exist in the system
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick

Explicitly disallow pinning more pages for an SEV VM than exist in the
system to defend against absurd userspace requests without relying on
somewhat arbitrary kernel functionality to prevent truly stupid KVM
behavior. E.g. even with the INT_MAX check, userspace can request that KVM
pin nearly 8TiB of memory, regardless of how much RAM exists in the system.

Opportunistically rename "locked" to a more descriptive "total_npages".

Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 857771586f16..bd94c64a9783 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -680,7 +680,7 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, struct kvm_sev_info *sev =3D to_kvm_sev_info(kvm); unsigned long npages, size; int npinned; - unsigned long locked, lock_limit; + unsigned long total_npages, lock_limit; struct page **pages; unsigned long first, last; int ret;
@@ -701,10 +701,14 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, if (npages > INT_MAX) return ERR_PTR(-EINVAL); =20 - locked =3D sev->pages_locked + npages; + total_npages =3D sev->pages_locked + npages; + if (total_npages > totalram_pages()) + return ERR_PTR(-EINVAL); + lock_limit =3D rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) { - pr_err("SEV: %lu locked pages exceed the lock limit of %lu.\n", locked, = lock_limit); + if (total_npages > lock_limit && !capable(CAP_IPC_LOCK)) { + pr_err("SEV: %lu total pages would exceed the lock limit of %lu.\n", + total_npages, lock_limit); return ERR_PTR(-ENOMEM); } =20 
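Review bot: the new `total_npages > totalram_pages()` check returns -EINVAL while the RLIMIT_MEMLOCK check right below it returns -ENOMEM; a one-line comment distinguishing the two (a request that cannot be satisfied on any configuration versus one over the caller's lock limit) would help both callers and selftest writers. The `pr_err()` in this hunk is reachable on every failed ioctl from an unprivileged process, so consider `pr_err_ratelimited()` to keep a misbehaving or fuzzing VMM from flooding the log. Two properties worth stating in the changelog: `sev->pages_locked + npages` cannot overflow unsigned long, because pages_locked only counts pages that were actually pinned and npages is at most INT_MAX; and totalram_pages() moves under memory hotplug or ballooning, so this is a sanity bound, not an accounting limit, and the rlimit check below remains the real one.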
@@ -727,7 +731,7 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, } =20 *n =3D npages; - sev->pages_locked =3D locked; + sev->pages_locked =3D total_npages; =20 return pages; =20 --=20 2.53.0.851.ga537e3e6e9-goog

Reply-To: Sean Christopherson
Date: Thu, 12 Mar 2026 17:33:01 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-5-seanjc@google.com>
Subject: [PATCH 4/5] KVM: SEV: Use PFN_DOWN() to simplify "number of pages" math when pinning memory
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick

Use PFN_DOWN() instead of open coded equivalents in sev_pin_memory() to
simplify the code and make it easier to read.

No functional change intended (verified before and after versions of the
generated code are identical).

Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index bd94c64a9783..ae5b370db9ed 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -682,7 +682,6 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, int npinned; unsigned long total_npages, lock_limit; struct page **pages; - unsigned long first, last; int ret; =20 lockdep_assert_held(&kvm->lock);
@@ -692,12 +691,10 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, =20 /* * Calculate the number of pages that need to be pinned to cover the - * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM + * entire range. Note! This isn't simply PFN_DOWN(ulen), as KVM * doesn't require the incoming address+size to be page aligned! */ - first =3D (uaddr & PAGE_MASK) >> PAGE_SHIFT; - last =3D ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; - npages =3D (last - first + 1); + npages =3D PFN_DOWN(uaddr + ulen - 1) - PFN_DOWN(uaddr) + 1; if (npages > INT_MAX) return ERR_PTR(-EINVAL); =20 --=20 2.53.0.851.ga537e3e6e9-goog
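Review bot: the rewritten `npages = PFN_DOWN(uaddr + ulen - 1) - PFN_DOWN(uaddr) + 1;` is equivalent to the masked form because `(x & PAGE_MASK) >> PAGE_SHIFT` and `x >> PAGE_SHIFT` yield the same value, so "no functional change" holds. The expression still depends on the `ulen == 0 || uaddr + ulen < uaddr` check earlier in the function to keep `uaddr + ulen - 1` from wrapping; that guard now sits several lines away from the only arithmetic that needs it, so a sentence in the comment block saying the range has already been checked for wrap would protect against someone reordering the checks. A concrete case would also make the "isn't simply PFN_DOWN(ulen)" remark land: uaddr = 0xfff with ulen = 2 touches two pages, while PFN_DOWN(2) is 0.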

Reply-To: Sean Christopherson
Date: Thu, 12 Mar 2026 17:33:02 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-6-seanjc@google.com>
Subject: [PATCH 5/5] KVM: SEV: Use kvzalloc_objs() when pinning userpages
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick

Use kvzalloc_objs() instead of sev_pin_memory()'s open coded (rough)
equivalent to harden the code and

Note! This sanity check in __kvmalloc_node_noprof()

  /* Don't even allow crazy sizes */
  if (unlikely(size > INT_MAX)) {
    WARN_ON_ONCE(!(flags & __GFP_NOWARN));
    return NULL;
  }

will artificially limit the maximum size of any single pinned region to
just under 1TiB. While there do appear to be providers that support SEV
VMs with more than 1TiB of _total_ memory, it's unlikely any KVM-based
providers pin 1TiB in a single request.

Allocate with NOWARN so that fuzzers can't trip the WARN_ON_ONCE() when
they inevitably run on systems with copious amounts of RAM, i.e. when they
can get by KVM's "total_npages > totalram_pages()" restriction.

Note #2, KVM's usage of vmalloc()+kmalloc() instead of kvmalloc() predates
commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") by 4+
years (see commit 89c505809052 ("KVM: SVM: Add support for
KVM_SEV_LAUNCH_UPDATE_DATA command")). I.e. the open coded behavior wasn't
intended to avoid the aforementioned sanity check. The implementation
appears to be pure oversight at the time the code was written, as it
showed up in v3[1] of the early RFCs, whereas v2[2] simply used kmalloc().

Cc: Liam Merwick
Link: https://lore.kernel.org/all/20170724200303.12197-17-brijesh.singh@amd.com [1]
Link: https://lore.kernel.org/all/148846786714.2349.17724971671841396908.stgit__25299.4950431914$1488470940$gmane$org@brijesh-build-machine [2]
Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index ae5b370db9ed..4e4adab8d309 100644
--- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -678,11 +678,9 @@ static struct page **sev_pin_memory(struct kvm *kvm, u= nsigned long uaddr, unsigned int flags) { struct kvm_sev_info *sev =3D to_kvm_sev_info(kvm); - unsigned long npages, size; - int npinned; - unsigned long total_npages, lock_limit; + unsigned long npages, total_npages, lock_limit; struct page **pages; - int ret; + int npinned, ret; =20 lockdep_assert_held(&kvm->lock); =20 @@ -709,13 +707,13 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, return ERR_PTR(-ENOMEM); } =20 - /* Avoid using vmalloc for smaller buffers. */ - size =3D npages * sizeof(struct page *); - if (size > PAGE_SIZE) - pages =3D __vmalloc(size, GFP_KERNEL_ACCOUNT); - else - pages =3D kmalloc(size, GFP_KERNEL_ACCOUNT); - + /* + * Don't WARN if the kernel (rightly) thinks the total size is absurd, + * i.e. rely on the kernel to reject outrageous range sizes. The above + * check on the number of pages is purely to avoid truncation as + * pin_user_pages_fast() takes the number of pages as a 32-bit int. + */ + pages =3D kvzalloc_objs(*pages, npages, GFP_KERNEL_ACCOUNT | __GFP_NOWARN= ); if (!pages) return ERR_PTR(-ENOMEM); =20 --=20 2.53.0.851.ga537e3e6e9-goog
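Review bot: the second hunk does not show the matching free; confirm that sev_unpin_memory() (or whichever path releases `pages`) already uses kvfree(), since kvzalloc_objs() may hand back either a kmalloc or a vmalloc buffer exactly as the old kmalloc/__vmalloc split did. Two behaviour changes deserve a line in the changelog: the array is now zeroed, a small cost for arrays up to the cap of just under 2^28 pages that the INT_MAX size guard imposes, and a region between that cap and INT_MAX pages now fails with -ENOMEM from the allocator instead of -EINVAL, which is observable on a host with more than 1 TiB of RAM where the totalram_pages() check does not reject it first. The new comment correctly ties the surviving `npages > INT_MAX` check to pin_user_pages_fast() taking a 32-bit nr_pages. In the first hunk, merging the declarations is fine; `size` has no remaining users after this change.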
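As an added example, not code from this series or from KVM, the following userspace C model reproduces the request validation that patches 1, 3 and 4 leave in sev_pin_memory(): the empty-range and wrap check, the page count for unaligned ranges in both the masked form and the PFN_DOWN() form (asserted to agree), the INT_MAX truncation bound for an int-sized nr_pages, and the total-pages bound. The EX_* macros, the helper names, the 4 KiB page size and the sample requests are this example's own assumptions; addresses are uint64_t because SEV is 64-bit only, so the kernel's unsigned long is 64 bits there.

```c
/*
 * Added example, not KVM code: a userspace model of the request checks in
 * sev_pin_memory() after patches 1, 3 and 4 of this series. The EX_* names,
 * the helpers and the sample inputs are constructed for this example.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SHIFT  12                          /* assumes 4 KiB pages */
#define EX_PAGE_SIZE   ((uint64_t)1 << EX_PAGE_SHIFT)
#define EX_PAGE_MASK   (~(EX_PAGE_SIZE - 1))
#define EX_PFN_DOWN(x) ((x) >> EX_PAGE_SHIFT)

#define EX_EINVAL 22

/* Open-coded form replaced by patch 4: mask to a page boundary, then shift. */
static uint64_t npages_masked(uint64_t uaddr, uint64_t ulen)
{
	uint64_t first = (uaddr & EX_PAGE_MASK) >> EX_PAGE_SHIFT;
	uint64_t last = ((uaddr + ulen - 1) & EX_PAGE_MASK) >> EX_PAGE_SHIFT;

	return last - first + 1;
}

/* PFN_DOWN() form from patch 4; masking before a right shift is a no-op. */
static uint64_t npages_pfn(uint64_t uaddr, uint64_t ulen)
{
	return EX_PFN_DOWN(uaddr + ulen - 1) - EX_PFN_DOWN(uaddr) + 1;
}

/*
 * Mirror the order of checks in the series: reject an empty range or one
 * that wraps the address space (the guard patch 2 relies on), compute the
 * page count, refuse a count that an int nr_pages would truncate (patch 1),
 * then refuse pinning more pages than the system has (patch 3).
 * Returns 0 and stores the count, or EX_EINVAL.
 */
static int validate_pin_request(uint64_t uaddr, uint64_t ulen,
				uint64_t pages_locked, uint64_t totalram_pages,
				uint64_t *npages)
{
	uint64_t total_npages;

	if (ulen == 0 || uaddr + ulen < uaddr)
		return EX_EINVAL;

	*npages = npages_pfn(uaddr, ulen);
	if (*npages > INT_MAX)
		return EX_EINVAL;

	total_npages = pages_locked + *npages;
	if (total_npages > totalram_pages)
		return EX_EINVAL;

	return 0;
}

/* Convenience wrapper: the accepted page count, or 0 if the request is rejected. */
static uint64_t accepted_npages(uint64_t uaddr, uint64_t ulen,
				uint64_t pages_locked, uint64_t totalram_pages)
{
	uint64_t n = 0;

	return validate_pin_request(uaddr, ulen, pages_locked, totalram_pages, &n) ? 0 : n;
}

int main(void)
{
	/* Constructed requests: an unaligned 64 KiB range, the changelog's
	 * addr=0/size=-1ul case, and a range that wraps past the top. */
	const struct { uint64_t addr, size; } req[] = {
		{ 0x1234, 0x10000 },
		{ 0, UINT64_MAX },
		{ 1, UINT64_MAX },
	};
	const uint64_t totalram = (uint64_t)1 << 20;	/* a 4 GiB host */
	uint64_t n;

	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
		int err = validate_pin_request(req[i].addr, req[i].size, 0, totalram, &n);

		printf("addr=%#llx size=%#llx -> ", (unsigned long long)req[i].addr,
		       (unsigned long long)req[i].size);
		if (err)
			printf("EINVAL\n");
		else
			printf("ok, %llu pages\n", (unsigned long long)n);
	}
	return 0;
}
```

The first request spans pages 0x1 through 0x11 and is accepted as 17 pages (PFN_DOWN(0x10000) alone would give 16); the second passes the wrap check because 0 + ~0 does not wrap, and is caught only by the INT_MAX bound; the third wraps to 0 and is rejected before any page math runs.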