From nobody Sun May 24 20:35:29 2026
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 15:46:06 -0700
Subject: [PATCH v2 1/5] KVM: guest_memfd: Use write permissions when GUP-ing source pages
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260522-fix-sev-gmem-post-populate-v2-1-3f196bfad5a1@google.com>
References: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
To: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Kiryl Shutsemau, Rick Edgecombe, Vishal Annapurve, Yan Zhao, Michael Roth, Isaku Yamahata, Chao Peng, Xiaoyao Li, Zongyao Chen
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Yu Zhang, Fuad Tabba, Ackerley Tng
X-Mailer: b4 0.14.3
Reply-To: ackerleytng@google.com
From: Sean Christopherson

sev_gmem_post_populate() may write to the source page if there was an error while performing SNP_LAUNCH_UPDATE. Since GUP requested only reads, there is a chance sev_gmem_post_populate() could be writing to some read-only page.

sev_gmem_post_populate() will only ever write the source page if the type of page being LAUNCH_UPDATEd is a CPUID page. Hence, request a writable page only when loading the CPUID page. Since TDX never writes to the source page, always pass false to kvm_gmem_populate().

With this, even if a read-only mapping or the global zero page was provided as the source page, GUP will do a copy-on-write, making it writable before the write happens in gvm_post_populate.

Fixes: 2a62345b30529 ("KVM: guest_memfd: GUP source pages prior to populating guest memory")
Signed-off-by: Sean Christopherson
Signed-off-by: Ackerley Tng
---
 arch/x86/kvm/svm/sev.c   | 1 +
 arch/x86/kvm/vmx/tdx.c   | 2 +-
 include/linux/kvm_host.h | 3 ++-
 virt/kvm/guest_memfd.c   | 6 ++++--
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 940b97d4a8523..2f254c447923e 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2469,6 +2469,7 @@ static int snp_launch_update(struct kvm *kvm, struct = kvm_sev_cmd *argp) sev_populate_args.type =3D params.type; =20 count =3D kvm_gmem_populate(kvm, params.gfn_start, src, npages, + params.type =3D=3D KVM_SEV_SNP_PAGE_TYPE_CPUID, sev_gmem_post_populate, &sev_populate_args); if (count < 0) { argp->error =3D sev_populate_args.fw_error; diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index b8c3d3d8bbfe5..00dcfcbc47f68 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c
@@ -3185,7 +3185,7 @@ static int tdx_vcpu_init_mem_region(struct kvm_vcpu *= vcpu, struct kvm_tdx_cmd *c }; gmem_ret =3D kvm_gmem_populate(kvm, gpa_to_gfn(region.gpa), u64_to_user_ptr(region.source_addr), - 1, tdx_gmem_post_populate, &arg); + 1, false, tdx_gmem_post_populate, &arg); if (gmem_ret < 0) { ret =3D gmem_ret; break; diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 4c14aee1fb063..2c5ad9a6d5ce8 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -2596,7 +2596,8 @@ int kvm_arch_gmem_prepare(struct kvm *kvm, gfn_t gfn,= kvm_pfn_t pfn, int max_ord typedef int (*kvm_gmem_populate_cb)(struct kvm *kvm, gfn_t gfn, kvm_pfn_t = pfn, struct page *page, void *opaque); =20 -long kvm_gmem_populate(struct kvm *kvm, gfn_t gfn, void __user *src, long = npages, +long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, + long npages, bool may_writeback_src, kvm_gmem_populate_cb post_populate, void *opaque); #endif =20 diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 69c9d6d546b28..07d8db344872b 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -858,7 +858,8 @@ static long __kvm_gmem_populate(struct kvm *kvm, struct= kvm_memory_slot *slot, return ret; } =20 -long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src,= long npages, +long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, + long npages, bool may_writeback_src, kvm_gmem_populate_cb post_populate, void *opaque) { struct kvm_memory_slot *slot; 
@@ -892,8 +893,9 @@ long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn= , void __user *src, long =20 if (src) { unsigned long uaddr =3D (unsigned long)src + i * PAGE_SIZE; + unsigned int flags =3D may_writeback_src ? FOLL_WRITE : 0; =20 - ret =3D get_user_pages_fast(uaddr, 1, 0, &src_page); + ret =3D get_user_pages_fast(uaddr, 1, flags, &src_page); if (ret < 0) break; if (ret !=3D 1) {
-- 
2.54.0.794.g4f17f83d09-goog
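Review bot: In the -892 hunk, `unsigned int flags =3D may_writeback_src ? FOLL_WRITE : 0;` changes the failure mode for a source VMA that lacks VM_WRITE: get_user_pages_fast() with FOLL_WRITE returns -EFAULT for such a mapping instead of breaking COW, and the `if (ret < 0) break;` just below surfaces that to userspace. That is the right outcome (the kernel should not write into memory the caller mapped read-only), but the commit message's "even if a read-only mapping ... was provided as the source page, GUP will do a copy-on-write" only describes a writable private mapping whose page is currently read-only (the zero page or a not-yet-written private page); please reword it so the new -EFAULT for a PROT_READ source is documented rather than implied to be COW'd.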
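Review bot: The include/linux/kvm_host.h hunk also renames the prototype's second parameter from `gfn` to `start_gfn`, which the commit message does not mention; it is harmless and matches the definition already visible in the -858 hunk of virt/kvm/guest_memfd.c, but it is an unrelated cleanup and deserves a line in the message. While the prototype is being touched, a one-line comment on `may_writeback_src` (the post_populate callback may write to the source page, so GUP must take it writable) would save the next caller a trip into the SNP code to learn what true means.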
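Review bot: In the -2469 hunk of arch/x86/kvm/svm/sev.c, `params.type =3D=3D KVM_SEV_SNP_PAGE_TYPE_CPUID` encodes at the call site a property of the callback (only the CPUID error path writes back to the source page); a short comment there saying why only CPUID pages need a writable source would keep the two sides from drifting apart if sev_gmem_post_populate() ever writes the source for another page type.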
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 15:46:07 -0700
Subject: [PATCH v2 2/5] KVM: guest_memfd: Fix possible signed integer overflow
Message-Id: <20260522-fix-sev-gmem-post-populate-v2-2-3f196bfad5a1@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
Reply-To: ackerleytng@google.com
From: Sean Christopherson

The caller, kvm_set_memory_region(), checks for an overflow in an unsigned u64 guest_memfd_offset. When guest_memfd_offset is passed to kvm_gmem_bind, it is cast into a signed 64-bit integer. Hence, a large 64-bit offset could result in a negative loff_t, which could result in the overflow checks failing.

Make kvm_gmem_bind() take u64 instead of loff_t to consistently deal with unsigned values to avoid this issue.

Fixes: a7800aa80ea4d ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Signed-off-by: Sean Christopherson
[Use size_t for size instead of u64]
Signed-off-by: Ackerley Tng
---
 virt/kvm/guest_memfd.c | 7 +++----
 virt/kvm/kvm_mm.h      | 4 ++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 07d8db344872b..d203135969d13 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -640,9 +640,9 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_= guest_memfd *args) } =20 int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, u64 offset) { - loff_t size =3D slot->npages << PAGE_SHIFT; + size_t size =3D slot->npages << PAGE_SHIFT; unsigned long start, end; struct gmem_file *f; struct inode *inode; @@ -664,8 +664,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, =20 inode =3D file_inode(file); =20 - if (offset < 0 || !PAGE_ALIGNED(offset) || - offset + size > i_size_read(inode)) + if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode)) goto err; =20 filemap_invalidate_lock(inode->i_mapping); diff --git a/virt/kvm/kvm_mm.h b/virt/kvm/kvm_mm.h index 9fcc5d5b7f8d0..8c2bbfba63424 100644 --- a/virt/kvm/kvm_mm.h +++ b/virt/kvm/kvm_mm.h
@@ -72,7 +72,7 @@ int kvm_gmem_init(struct module *module); void kvm_gmem_exit(void); int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args); int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset); + unsigned int fd, u64 offset); void kvm_gmem_unbind(struct kvm_memory_slot *slot); #else static inline int kvm_gmem_init(struct module *module) 
@@ -82,7 +82,7 @@ static inline int kvm_gmem_init(struct module *module) static inline void kvm_gmem_exit(void) {}; static inline int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, u64 offset) { WARN_ON_ONCE(1); return -EIO;
-- 
2.54.0.794.g4f17f83d09-goog
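Review bot: In the -664 hunk, `offset + size > i_size_read(inode)` can still wrap once both operands are unsigned (an `offset` within `size` of U64_MAX sums to a small value and passes the bound), so after this patch the check is only sound if every caller has already rejected the overflow; the message says kvm_set_memory_region() does, but kvm_gmem_bind() no longer defends itself. A `check_add_overflow(offset, size, &end_off)`-style test before the comparison, or at least a comment stating the precondition, would make the function correct on its own. Also note the comparison is now unsigned against the loff_t returned by i_size_read(); that is fine because i_size is never negative, but a short comment would spare the next reader the question.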
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 15:46:08 -0700
Subject: [PATCH v2 3/5] KVM: guest_memfd: Handle errors from xa_store_range() when binding
Message-Id: <20260522-fix-sev-gmem-post-populate-v2-3-3f196bfad5a1@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
Reply-To: ackerleytng@google.com

From: Ackerley Tng

Unhandled errors from xa_store_range() mean kvm_gmem_bind() might falsely report success, leading to false assumptions in guest_memfd's lifecycle later.

On error, restore the unbound state and return the error to userspace.

Fixes: a7800aa80ea4d ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Signed-off-by: Ackerley Tng --- virt/kvm/guest_memfd.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index d203135969d13..5b4911ffa208a 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -648,6 +648,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, struct inode *inode; struct file *file; int r =3D -EINVAL; + void *result; =20 BUILD_BUG_ON(sizeof(gfn_t) !=3D sizeof(slot->gmem.pgoff)); =20 @@ -688,7 +689,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_s= lot *slot, if (kvm_gmem_supports_mmap(inode)) slot->flags |=3D KVM_MEMSLOT_GMEM_ONLY; =20 - xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL); + result =3D xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL); + if (xa_is_err(result)) { + r =3D xa_err(result); + xa_store_range(&f->bindings, start, end - 1, NULL, GFP_KERNEL); + } else { + r =3D 0; + } + filemap_invalidate_unlock(inode->i_mapping); =20 /* 
@@ -696,7 +704,6 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, * not the other way 'round. Active bindings are invalidated if the * file is closed before memslots are destroyed. */ - r =3D 0; err: fput(file); return r;
-- 
2.54.0.794.g4f17f83d09-goog
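Review bot: In the -688 hunk the rollback only clears the xarray range: `slot->flags |=3D KVM_MEMSLOT_GMEM_ONLY`, set two lines above the new code, stays set when `xa_is_err(result)` is true, and any slot->gmem state written earlier in the function is likewise left in place, so "restore the unbound state" in the message is only partially true for what this hunk does. Consider doing the xa_store_range() before the slot is marked, or clearing the flag on the error path. Ignoring the return of the rollback `xa_store_range(..., NULL, GFP_KERNEL)` is fine because an erase does not allocate, but a one-line comment saying so would pre-empt the question. Minor: since xa_err() returns 0 for a non-error entry, `r =3D xa_err(result); if (r) { rollback }` would replace the if/else and the separate `r =3D 0`.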
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 15:46:09 -0700
Subject: [PATCH v2 4/5] KVM: SNP: Fix kunmap_local() unmapping order
Message-Id: <20260522-fix-sev-gmem-post-populate-v2-4-3f196bfad5a1@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
Reply-To: ackerleytng@google.com
From: Ackerley Tng

Mappings created with kmap_local_page() or kmap_local_pfn() must be unmapped in the reverse order they were acquired, following a LIFO (last-in, first-out) stack-based approach.

In sev_gmem_post_populate(), src_vaddr is mapped first and dst_vaddr is mapped second. The current code incorrectly calls kunmap_local() for src_vaddr before dst_vaddr.

Swap the kunmap_local() calls to ensure the mappings are released in the correct order.

Fixes: 2a62345b3052 ("KVM: guest_memfd: GUP source pages prior to populating guest memory")
Signed-off-by: Ackerley Tng
---
 arch/x86/kvm/svm/sev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 2f254c447923e..dbf75326a40f4 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2360,8 +2360,8 @@ static int sev_gmem_post_populate(struct kvm *kvm, gf= n_t gfn, kvm_pfn_t pfn, =20 memcpy(dst_vaddr, src_vaddr, PAGE_SIZE); =20 - kunmap_local(src_vaddr); kunmap_local(dst_vaddr); + kunmap_local(src_vaddr); } =20 ret =3D rmp_make_private(pfn, gfn << PAGE_SHIFT, PG_LEVEL_4K,
@@ -2396,8 +2396,8 @@ static int sev_gmem_post_populate(struct kvm *kvm, gf= n_t gfn, kvm_pfn_t pfn, =20 memcpy(src_vaddr, dst_vaddr, PAGE_SIZE); =20 - kunmap_local(src_vaddr); kunmap_local(dst_vaddr); + kunmap_local(src_vaddr); } =20 out:
-- 
2.54.0.794.g4f17f83d09-goog
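Review bot: The -2360 and -2396 hunks now carry the same map/memcpy/unmap sequence in opposite directions (dst from src, then src from dst on the error path), and both had the kunmap order wrong independently; a small static helper that maps both pages, copies in the requested direction and unmaps in LIFO order would keep the ordering in one place so it cannot regress in one branch but not the other. The swap itself is correct: dst_vaddr is the later mapping in both blocks, so it must be released first.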
From: Ackerley Tng via B4 Relay
Date: Fri, 22 May 2026 15:46:10 -0700
Subject: [PATCH v2 5/5] KVM: SNP: Mark source page dirty in sev_gmem_post_populate
Message-Id: <20260522-fix-sev-gmem-post-populate-v2-5-3f196bfad5a1@google.com>
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com>
Reply-To: ackerleytng@google.com

From: Ackerley Tng

Mark the folio as dirty after copying data into the source page in sev_gmem_post_populate.

After the memcpy, failing to mark the page dirty can lead to the memory management subsystem discarding the changes if the page is reclaimed or otherwise processed by the swap subsystem.

Fixes: 2a62345b3052 ("KVM: guest_memfd: GUP source pages prior to populating guest memory")
Signed-off-by: Ackerley Tng --- arch/x86/kvm/svm/sev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index dbf75326a40f4..1a361f08c7a3d 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -2395,6 +2395,7 @@ static int sev_gmem_post_populate(struct kvm *kvm, gf= n_t gfn, kvm_pfn_t pfn, void *dst_vaddr =3D kmap_local_pfn(pfn); =20 memcpy(src_vaddr, dst_vaddr, PAGE_SIZE); + folio_mark_dirty(page_folio(src_page)); =20 kunmap_local(dst_vaddr); kunmap_local(src_vaddr); --=20 2.54.0.794.g4f17f83d09-goog
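Review bot: In the -2395 hunk, `folio_mark_dirty(page_folio(src_page));` is only safe because patch 1 of this series makes kvm_gmem_populate() pin the CPUID source page with FOLL_WRITE; on a tree that has just the Fixes: commit (2a62345b3052) the page was pinned read-only, and dirtying it after the memcpy above does not change the fact that GUP never made it writable. State that dependency in the message (or squash this into patch 1) so stable does not pick this patch alone. Separately, the folio is not locked here, so consider set_page_dirty_lock(), the usual pattern for dirtying a page after writing to it through GUP, rather than a bare folio_mark_dirty() while the page is still kmapped.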