Date: Thu, 12 Mar 2026 17:33:00 -0700
In-Reply-To: <20260313003302.3136111-1-seanjc@google.com>
References: <20260313003302.3136111-1-seanjc@google.com>
Message-ID: <20260313003302.3136111-4-seanjc@google.com>
Subject: [PATCH 3/5] KVM: SEV: Disallow pinning more pages than exist in the system
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liam Merwick
Content-Transfer-Encoding: quoted-printable

Explicitly disallow pinning more pages for an SEV VM than exist in the system to defend against absurd userspace requests without relying on somewhat arbitrary kernel functionality to prevent truly stupid KVM behavior. E.g. even with the INT_MAX check, userspace can request that KVM pin nearly 8TiB of memory, regardless of how much RAM exists in the system.

Opportunistically rename "locked" to a more descriptive "total_npages".

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/svm/sev.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 857771586f16..bd94c64a9783 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -680,7 +680,7 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, struct kvm_sev_info *sev =3D to_kvm_sev_info(kvm); unsigned long npages, size; int npinned; - unsigned long locked, lock_limit; + unsigned long total_npages, lock_limit; struct page **pages; unsigned long first, last; int ret; 
@@ -701,10 +701,14 @@ static struct page **sev_pin_memory(struct kvm *kvm, = unsigned long uaddr, if (npages > INT_MAX) return ERR_PTR(-EINVAL); =20 - locked =3D sev->pages_locked + npages; + total_npages =3D sev->pages_locked + npages; + if (total_npages > totalram_pages()) + return ERR_PTR(-EINVAL); + lock_limit =3D rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; - if (locked > lock_limit && !capable(CAP_IPC_LOCK)) { - pr_err("SEV: %lu locked pages exceed the lock limit of %lu.\n", locked, = lock_limit); + if (total_npages > lock_limit && !capable(CAP_IPC_LOCK)) { + pr_err("SEV: %lu total pages would exceed the lock limit of %lu.\n", + total_npages, lock_limit); return ERR_PTR(-ENOMEM); } =20 @@ -727,7 +731,7 @@ static struct page **sev_pin_memory(struct kvm *kvm, un= signed long uaddr, } =20 *n =3D npages; - sev->pages_locked =3D locked; + sev->pages_locked =3D total_npages; =20 return pages; =20 --=20 2.53.0.851.ga537e3e6e9-goog
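
Review bot: the new `if (total_npages > totalram_pages()) return ERR_PTR(-EINVAL);` check in the second hunk (@@ -701,10 +701,14 @@) has no comment and fails silently with -EINVAL, while the RLIMIT_MEMLOCK check directly below it logs via pr_err() and returns -ENOMEM, so userspace gets two different errnos for two flavours of "too many pages pinned". A one-line comment above the new check, saying that it is a sanity bound that applies regardless of CAP_IPC_LOCK (which is why it sits ahead of the `!capable(CAP_IPC_LOCK)` test), would make both the ordering and the errno choice read as deliberate. Separately, since the pr_err() line is being reworded here anyway and the commit message describes this path as driven by userspace requests, consider whether that message should be rate-limited.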