From nobody Sun May 24 20:35:13 2026
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 13:45:07 -0700
Subject: [PATCH 1/3] KVM: guest_memfd: Use write permissions when GUP-ing source pages
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260522-fix-sev-gmem-post-populate-v1-1-9fc8d6437b65@google.com>
References: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
To: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Kiryl Shutsemau, Rick Edgecombe, Vishal Annapurve, Yan Zhao, Michael Roth, Isaku Yamahata, Chao Peng, Xiaoyao Li, Zongyao Chen
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Yu Zhang, Fuad Tabba, Ackerley Tng
X-Mailer: b4 0.14.3
Reply-To: ackerleytng@google.com

From: Sean Christopherson

sev_gmem_post_populate() may write to the source page if there was an error
while performing SNP_LAUNCH_UPDATE. Since GUP requested only reads, there is
a chance sev_gmem_post_populate() could be writing to some read-only page.

sev_gmem_post_populate() will only ever write the source page if the type of
page being LAUNCH_UPDATEd is a CPUID page. Hence, request a writable page only
when loading the CPUID page. Since TDX never writes to the source page, always
pass false to kvm_gmem_populate().

With this, even if a read-only mapping or the global zero page was provided
as the source page, GUP will do a copy-on-write, making it writable before
the write happens in gvm_post_populate.

Fixes: 2a62345b30529 ("KVM: guest_memfd: GUP source pages prior to populating guest memory")
Signed-off-by: Sean Christopherson
Signed-off-by: Ackerley Tng
---
 arch/x86/kvm/svm/sev.c   | 1 +
 arch/x86/kvm/vmx/tdx.c   | 2 +-
 include/linux/kvm_host.h | 3 ++-
 virt/kvm/guest_memfd.c   | 6 ++++--
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 940b97d4a8523..2f254c447923e 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2469,6 +2469,7 @@ static int snp_launch_update(struct kvm *kvm, struct = kvm_sev_cmd *argp) sev_populate_args.type =3D params.type; =20 count =3D kvm_gmem_populate(kvm, params.gfn_start, src, npages, + params.type =3D=3D KVM_SEV_SNP_PAGE_TYPE_CPUID, sev_gmem_post_populate, &sev_populate_args); if (count < 0) { argp->error =3D sev_populate_args.fw_error;
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index b8c3d3d8bbfe5..00dcfcbc47f68 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -3185,7 +3185,7 @@ static int tdx_vcpu_init_mem_region(struct kvm_vcpu *= vcpu, struct kvm_tdx_cmd *c }; gmem_ret =3D kvm_gmem_populate(kvm, gpa_to_gfn(region.gpa), u64_to_user_ptr(region.source_addr), - 1, tdx_gmem_post_populate, &arg); + 1, false, tdx_gmem_post_populate, &arg); if (gmem_ret < 0) { ret =3D gmem_ret; break; diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 4c14aee1fb063..2c5ad9a6d5ce8 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -2596,7 +2596,8 @@ int kvm_arch_gmem_prepare(struct kvm *kvm, gfn_t gfn,= kvm_pfn_t pfn, int max_ord typedef int (*kvm_gmem_populate_cb)(struct kvm *kvm, gfn_t gfn, kvm_pfn_t = pfn, struct page *page, void *opaque); =20 -long kvm_gmem_populate(struct kvm *kvm, gfn_t gfn, void __user *src, long = npages, +long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, + long npages, bool may_writeback_src, kvm_gmem_populate_cb post_populate, void *opaque); #endif =20 diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 69c9d6d546b28..07d8db344872b 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -858,7 +858,8 @@ static long __kvm_gmem_populate(struct kvm *kvm, struct= kvm_memory_slot *slot, return ret; } =20 -long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src,= long npages, +long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, + long npages, bool may_writeback_src, kvm_gmem_populate_cb post_populate, void *opaque) { struct kvm_memory_slot *slot; 
@@ -892,8 +893,9 @@ long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn= , void __user *src, long =20 if (src) { unsigned long uaddr =3D (unsigned long)src + i * PAGE_SIZE; + unsigned int flags =3D may_writeback_src ? FOLL_WRITE : 0; =20 - ret =3D get_user_pages_fast(uaddr, 1, 0, &src_page); + ret =3D get_user_pages_fast(uaddr, 1, flags, &src_page); if (ret < 0) break; if (ret !=3D 1) {
--=20 2.54.0.794.g4f17f83d09-goog

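Review bot: in the arch/x86/kvm/svm/sev.c hunk the new `params.type == KVM_SEV_SNP_PAGE_TYPE_CPUID` argument is passed with no explanation at the call site; a one-line comment that sev_gmem_post_populate() writes the source page back when SNP_LAUNCH_UPDATE fails, and only does so for the CPUID page type, would spare the next reader a trip to the commit log to learn why the other page types stay read-only.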
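Review bot: the include/linux/kvm_host.h hunk renames the prototype's `gfn` parameter to `start_gfn` alongside the functional change; it brings the declaration in line with the definition in virt/kvm/guest_memfd.c, but it is unrelated to the fix and should at least be mentioned in the commit message. The new `may_writeback_src` parameter also carries no comment saying that the post_populate callback may write to the source page, which is the only reason FOLL_WRITE is justified.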
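Review bot: the commit message promises copy-on-write for a read-only source mapping, but in the second virt/kvm/guest_memfd.c hunk `flags` is FOLL_WRITE without FOLL_FORCE, so get_user_pages_fast() returns -EFAULT for a source VMA that lacks VM_WRITE (a PROT_READ mapping); COW only happens where the VMA is writable but the PTE is not, such as the zero page or a CoW-shared anonymous page. Failing is the right outcome, since the kernel must not write into a buffer userspace itself cannot write, but it is a visible change for a CPUID page supplied from a PROT_READ buffer and the message should say so. Minor: `flags` depends only on `may_writeback_src`, so it can be computed once ahead of the loop instead of on every iteration of `i`.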
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 13:45:08 -0700
Subject: [PATCH 2/3] KVM: guest_memfd: Fix possible signed integer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260522-fix-sev-gmem-post-populate-v1-2-9fc8d6437b65@google.com>
References: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
To: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Kiryl Shutsemau, Rick Edgecombe, Vishal Annapurve, Yan Zhao, Michael Roth, Isaku Yamahata, Chao Peng, Xiaoyao Li, Zongyao Chen
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Yu Zhang, Fuad Tabba, Ackerley Tng
X-Mailer: b4 0.14.3
Reply-To: ackerleytng@google.com

From: Sean Christopherson

The caller, kvm_set_memory_region(), checks for an overflow in an unsigned
u64 guest_memfd_offset. When guest_memfd_offset is passed to kvm_gmem_bind,
it is cast into a signed 64-bit integer. Hence, a large 64-bit offset could
result in a negative loff_t, which could result in the overflow checks
failing.

Make kvm_gmem_bind() take u64 instead of loff_t to consistently deal with
unsigned values to avoid this issue.

Fixes: a7800aa80ea4d ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Signed-off-by: Sean Christopherson
[Use size_t for size instead of u64]
Signed-off-by: Ackerley Tng
---
 virt/kvm/guest_memfd.c | 7 +++----
 virt/kvm/kvm_mm.h      | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
index 07d8db344872b..d203135969d13 100644
--- a/virt/kvm/guest_memfd.c
+++ b/virt/kvm/guest_memfd.c
@@ -640,9 +640,9 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_= guest_memfd *args) } =20 int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, u64 offset) { - loff_t size =3D slot->npages << PAGE_SHIFT; + size_t size =3D slot->npages << PAGE_SHIFT; unsigned long start, end; struct gmem_file *f; struct inode *inode;
@@ -664,8 +664,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, =20 inode =3D file_inode(file); =20 - if (offset < 0 || !PAGE_ALIGNED(offset) || - offset + size > i_size_read(inode)) + if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode)) goto err; =20 filemap_invalidate_lock(inode->i_mapping);
diff --git a/virt/kvm/kvm_mm.h b/virt/kvm/kvm_mm.h
index 9fcc5d5b7f8d0..23813d74ce709 100644
--- a/virt/kvm/kvm_mm.h
+++ b/virt/kvm/kvm_mm.h
@@ -72,7 +72,7 @@ int kvm_gmem_init(struct module *module); void kvm_gmem_exit(void); int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args); int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset); + unsigned int fd, u64 offset); void kvm_gmem_unbind(struct kvm_memory_slot *slot); #else static inline int kvm_gmem_init(struct module *module)
--=20 2.54.0.794.g4f17f83d09-goog

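Review bot: in the second virt/kvm/guest_memfd.c hunk, `offset + size > i_size_read(inode)` still wraps for a page-aligned `offset` near U64_MAX (the sum comes back small and the check passes). The changelog says kvm_set_memory_region() rejects that case before calling in, so the function is correct for its current caller, but kvm_gmem_bind() now depends on that silently; either an explicit `offset + size < offset` check here or a comment naming the dependency would make it visible to the next caller. The comparison is also now unsigned u64 against the signed loff_t that i_size_read() returns, which is only safe because i_size is never negative; given the patch is about exactly this kind of signedness, a word on that in the changelog would help.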
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 13:45:09 -0700
Subject: [PATCH 3/3] KVM: guest_memfd: Handle errors from xa_store_range() when binding
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260522-fix-sev-gmem-post-populate-v1-3-9fc8d6437b65@google.com>
References: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com>
To: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Kiryl Shutsemau, Rick Edgecombe, Vishal Annapurve, Yan Zhao, Michael Roth, Isaku Yamahata, Chao Peng, Xiaoyao Li, Zongyao Chen
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Yu Zhang, Fuad Tabba, Ackerley Tng
X-Mailer: b4 0.14.3
Reply-To: ackerleytng@google.com

From: Ackerley Tng

Unhandled errors from xa_store_range() mean kvm_gmem_bind() might falsely
report success, leading to false assumptions in guest_memfd's lifecycle
later.

Handle these errors by checking and returning the error to userspace.

Fixes: a7800aa80ea4d ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Signed-off-by: Ackerley Tng --- virt/kvm/guest_memfd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index d203135969d13..104f0f3d6a0b3 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -648,6 +648,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, struct inode *inode; struct file *file; int r =3D -EINVAL; + void *result; =20 BUILD_BUG_ON(sizeof(gfn_t) !=3D sizeof(slot->gmem.pgoff)); =20 @@ -688,7 +689,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, if (kvm_gmem_supports_mmap(inode)) slot->flags |=3D KVM_MEMSLOT_GMEM_ONLY; =20 - xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL); + result =3D xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL); filemap_invalidate_unlock(inode->i_mapping); =20 /* @@ -696,7 +697,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, * not the other way 'round. Active bindings are invalidated if the * file is closed before memslots are destroyed. */ - r =3D 0; + r =3D xa_is_err(result) ? xa_err(result) : 0; err: fput(file); return r; --=20 2.54.0.794.g4f17f83d09-goog
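Review bot: in the second virt/kvm/guest_memfd.c hunk the xa_store_range() error is propagated through `r`, but nothing undoes the slot state changed just before the store: `slot->flags |= KVM_MEMSLOT_GMEM_ONLY;` three lines above is still set when the function falls through to `err:` and returns the error, as is whatever else kvm_gmem_bind() assigned to the slot earlier in the function. Either do the xa_store_range() before mutating the slot, or clear those fields when xa_is_err(result) is true, so a failed bind does not leave a memslot that looks gmem-backed with no binding behind it.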