Reply-To: Sean Christopherson
Date: Wed, 27 May 2026 19:11:15 -0700
In-Reply-To: <20260528021117.107984-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260528021117.107984-1-seanjc@google.com>
Message-ID: <20260528021117.107984-2-seanjc@google.com>
Subject: [PATCH v3 1/3] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Sean Christopherson

When binding a memslot to a guest_memfd file, treat the offset and size as unsigned values to fix a bug where the sum of the two can result in a false negative when checking for overflow against the size of the file. Passing unsigned values also avoids relying on somewhat obscure checks in other flows for safety, and tracks the offset and size as they are intended to be tracked, as unsigned values.

On 64-bit kernels, the number of pages a memslot contains and thus the size (and offset) of its guest_memfd binding are unsigned 64-bit values. Taking the offset+size as a loff_t instead of a uoff_t inadvertently converts the unsigned value to a signed value if the offset and/or size is massive. Locally storing the offset and size as signed values is benign in and of itself (though even that is *extremely* difficult to discern), but operating on their sum is not.

For the offset, KVM explicitly checks against a negative value, which might seem like a bug as KVM could incorrectly reject a legitimate binding, but that's not actually the case as KVM_CREATE_GUEST_MEMFD takes a signed value for its size, i.e. a would-be-negative offset is also greater than the maximum possible size of any guest_memfd file.

Regarding the size, while KVM lacks an explicit check for a negative value, i.e. seemingly has a flawed overflow check, KVM restricts the number of pages in a single memslot to the largest positive signed 32-bit value:

	if (id < KVM_USER_MEM_SLOTS &&
	    (mem->memory_size >> PAGE_SHIFT) > KVM_MEM_MAX_NR_PAGES)
		return -EINVAL;

and so the maximum "size" will ever be is 0x7fffffff000.

The sum of the two is, however, problematic. While the size is restricted by KVM's memslot logic, the offset is not, i.e.
the offset is completely unchecked until the "offset + size > i_size_read(inode)" check. If the offset is the (nearly) largest possible _positive_ value, then adding size to the offset can result in a signed, negative 64-bit value. When compared against the size of the file (guaranteed to be positive), the negative sum is always smaller, and KVM incorrectly allows the absurd offset. Opportunistically add missing includes in kvm_mm.h (instead of relying on its parents). Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-spe= cific backing memory") Cc: stable@vger.kernel.org Cc: Ackerley Tng Signed-off-by: Sean Christopherson Reviewed-by: Ackerley Tng Reviewed-by: Michael Roth --- virt/kvm/guest_memfd.c | 8 ++++---- virt/kvm/kvm_mm.h | 7 +++++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index bf9659a7b0f6..a1cb72e66288 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -640,15 +640,16 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_creat= e_guest_memfd *args) } =20 int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, uoff_t offset) { - loff_t size =3D slot->npages << PAGE_SHIFT; + uoff_t size =3D slot->npages << PAGE_SHIFT; unsigned long start, end; struct gmem_file *f; struct inode *inode; struct file *file; int r =3D -EINVAL; =20 + BUILD_BUG_ON(sizeof(gpa_t) !=3D sizeof(offset)); BUILD_BUG_ON(sizeof(gfn_t) !=3D sizeof(slot->gmem.pgoff)); =20 file =3D fget(fd); @@ -664,8 +665,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, =20 inode =3D file_inode(file); =20 - if (offset < 0 || !PAGE_ALIGNED(offset) || - offset + size > i_size_read(inode)) + if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode)) goto err; =20 filemap_invalidate_lock(inode->i_mapping); diff --git a/virt/kvm/kvm_mm.h b/virt/kvm/kvm_mm.h index 9fcc5d5b7f8d..7510ca915dd1 100644 
--- a/virt/kvm/kvm_mm.h +++ b/virt/kvm/kvm_mm.h @@ -3,6 +3,9 @@ #ifndef __KVM_MM_H__ #define __KVM_MM_H__ 1 =20 +#include +#include + /* * Architectures can choose whether to use an rwlock or spinlock * for the mmu_lock. These macros, for use in common code @@ -72,7 +75,7 @@ int kvm_gmem_init(struct module *module); void kvm_gmem_exit(void); int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args); int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset); + unsigned int fd, uoff_t offset); void kvm_gmem_unbind(struct kvm_memory_slot *slot); #else static inline int kvm_gmem_init(struct module *module) 
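Review bot: in the kvm_gmem_bind() hunk of virt/kvm/guest_memfd.c, the new `if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode))` drops the `offset < 0` test but adds nothing that rejects an unsigned wrap in its place, so an offset near the top of the uoff_t range plus a small size wraps to a small value and sails through the i_size comparison (offset 0xfffffffffffff000 with a two-page size compares as 0x1000). The changelog itself says the offset is "completely unchecked" until this comparison, so the function is only correct if every caller has already rejected a wrapping offset+size; either state that dependency in a comment beside the check, or make the function self-contained with `if (check_add_overflow(offset, size, &end) || end > i_size_read(inode)) goto err;`. Two smaller points on the same hunk: the comparison now promotes the loff_t returned by i_size_read() to unsigned, which is fine only because i_size is never negative and deserves a short comment; and the new `BUILD_BUG_ON(sizeof(gpa_t) != sizeof(offset))` would benefit from a one-line note on why a guest_memfd offset must be gpa_t-sized, since nothing nearby makes that relationship obvious.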
@@ -82,7 +85,7 @@ static inline int kvm_gmem_init(struct module *module) static inline void kvm_gmem_exit(void) {}; static inline int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, uoff_t offset) { WARN_ON_ONCE(1); return -EIO; --=20 2.54.0.794.g4f17f83d09-goog From nobody Mon Jun 8 16:28:54 2026 Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81C4B2F49F6 for ; Thu, 28 May 2026 02:11:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779934284; cv=none; b=g/XlsJPqww8ynw6zvS/CR7akNFZ0JHl8+IWylNKKjvQ5OUKPCzHRgAU5wiz/Suszr4IYNdq927pZG72BMgkLjPaZZIpVVIVeIH6TQjPaaSzvRpsQgoToI3EySejmJvgLKqa56HTOLtMXW52qmu+ngRxzzZPMRArmkFCOyIWmUm0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779934284; c=relaxed/simple; bh=OOoGlX9f6OSAiQ3GyqX+LpIZQEspF/7CtixMWwK8oVA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ZzBLVW2hv04DRHgs3EDarh3LQScUs/J+suFSEAb44Mk7ia3d9Y669JzOuLRndqnpw/rcE2IcV3qfmGr9yLjT/lJg/Ew0ZG0S5/Nj4NoMnHtu/PBwtIg1nw1pJHW1kzW3vJDyXfebz1gG+fD5/l8HsWvhQeV0iqjt1v6/YrFXnOg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=tXzG6kJC; arc=none smtp.client-ip=209.85.210.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; 
Reply-To: Sean Christopherson
Date: Wed, 27 May 2026 19:11:16 -0700
In-Reply-To: <20260528021117.107984-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260528021117.107984-1-seanjc@google.com>
Message-ID: <20260528021117.107984-3-seanjc@google.com>
Subject: [PATCH v3 2/3] KVM: selftests: Expand the guest_memfd test macros to allow passing the VM
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Sean Christopherson

Expand the gmem test macros to allow passing the VM to testcases, without needing to plumb the VM into _every_ testcase, as the vast majority of testcases only need the fd and size.

No functional change intended.

Signed-off-by: Sean Christopherson
Reviewed-by: Ackerley Tng
Tested-by: Ackerley Tng
---
 tools/testing/selftests/kvm/guest_memfd_test.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/kvm/guest_memfd_test.c b/tools/testing= /selftests/kvm/guest_memfd_test.c
index 832ef4dfb99f..246bb408ecc0 100644
--- a/tools/testing/selftests/kvm/guest_memfd_test.c
+++ b/tools/testing/selftests/kvm/guest_memfd_test.c
@@ -408,17 +408,26 @@ static void test_guest_memfd_flags(struct kvm_vm *vm) } } =20 -#define __gmem_test(__test, __vm, __flags, __gmem_size) \ +#define ____gmem_test(__test, __vm, __flags, __gmem_size, args...) \ do { \ int fd =3D vm_create_guest_memfd(__vm, __gmem_size, __flags); \ \ - test_##__test(fd, __gmem_size); \ + test_##__test(args); \ close(fd); \ } while (0) =20 +#define __gmem_test(__test, __vm, __flags, __gmem_size) \ + ____gmem_test(__test, __vm, __flags, __gmem_size, fd, __gmem_size) + #define gmem_test(__test, __vm, __flags) \ __gmem_test(__test, __vm, __flags, page_size * 4) =20 +#define __gmem_test_vm(__test, __vm, __flags, __gmem_size) \ + ____gmem_test(__test, __vm, __flags, __gmem_size, __vm, fd, __gmem_size) + +#define gmem_test_vm(__test, __vm, __flags) \ + __gmem_test_vm(__test, __vm, __flags, page_size * 4) + static void __test_guest_memfd(struct kvm_vm *vm, u64 flags) { test_create_guest_memfd_multiple(vm); --=20 2.54.0.794.g4f17f83d09-goog From nobody Mon Jun 8 16:28:54 2026 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 12A302F8E8D for ; Thu, 28 May 2026 02:11:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779934285; cv=none; b=gxlpDTfwxsVhj2iEuHQ7EgydYkpsxIm663bjjtxpOoqDqjFLkb5WImj+2WxmolbJVtbcMDLwn1P57234TrWZZWlQZUyZGhyODrPX2+b2U7apFPAsfuah+1VBrkX9Esrkoc0vPqvfaFxIyVZOTtfZBIim7Q2P3pZ6nVHR0q0a2N4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779934285; c=relaxed/simple; bh=/GCiy/tm/G4ZkgCJka9bR/R4dNIgVXEFKdxC7V9ENoM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; 
Reply-To: Sean Christopherson
Date: Wed, 27 May 2026 19:11:17 -0700
In-Reply-To: <20260528021117.107984-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260528021117.107984-1-seanjc@google.com>
Message-ID: <20260528021117.107984-4-seanjc@google.com>
Subject: [PATCH v3 3/3] KVM: selftests: Add guest_memfd regression test signed offset+size bug
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Sean Christopherson

Add a regression (and proof-of-bug) testcase to ensure KVM rejects an offset+size that would result in a negative value when computed as a signed 64-bit value. KVM had a flaw where it would allow binding a memslot to a guest_memfd instance even with a wildly out-of-range offset, if the offset and size were both positive values, but the combined offset+size was negative.
Signed-off-by: Sean Christopherson --- tools/testing/selftests/kvm/guest_memfd_test.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tools/testing/selftests/kvm/guest_memfd_test.c b/tools/testing= /selftests/kvm/guest_memfd_test.c index 246bb408ecc0..95a6ddfd8023 100644 --- a/tools/testing/selftests/kvm/guest_memfd_test.c +++ b/tools/testing/selftests/kvm/guest_memfd_test.c @@ -345,6 +345,16 @@ static void test_invalid_punch_hole(int fd, size_t tot= al_size) } } =20 +static void test_invalid_binding(struct kvm_vm *vm, int fd, size_t size) +{ + int r; + + r =3D __vm_set_user_memory_region2(vm, 0, KVM_MEM_GUEST_MEMFD, 0, size, 0, + fd, 0x7ffffffffffff000ull); + TEST_ASSERT(r && errno =3D=3D EINVAL, + "Memslot with out-of-range offset+size should fail"); +} + static void test_create_guest_memfd_invalid_sizes(struct kvm_vm *vm, u64 guest_memfd_flags) { @@ -456,6 +466,7 @@ static void __test_guest_memfd(struct kvm_vm *vm, u64 f= lags) gmem_test(file_size, vm, flags); gmem_test(fallocate, vm, flags); gmem_test(invalid_punch_hole, vm, flags); + gmem_test_vm(invalid_binding, vm, flags); } =20 static void test_guest_memfd(unsigned long vm_type) --=20 2.54.0.794.g4f17f83d09-goog
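Review bot: in the test_invalid_binding() hunk, `TEST_ASSERT(r && errno == EINVAL, ...)` also passes if KVM_SET_USER_MEMORY_REGION2 rejects the region for an unrelated reason (slot 0 already holding a region on some future VM setup, or any other EINVAL path in memslot validation), so the test can stay green without ever reaching the offset+size check it is meant to cover. Consider adding a positive control in the same function, e.g. bind the same fd with guest_memfd_offset 0 and assert success before deleting the slot, so the rejection is attributable to the offset, and include the observed values in the assert message for triage, e.g. `"Memslot with out-of-range offset+size should fail with EINVAL, got r=%d errno=%d", r, errno`. The chosen offset 0x7ffffffffffff000ull plus the default four-page size gives 0x8000000000003000, which is negative as a signed 64-bit value, so the case does reproduce the bug described in the changelog; a one-line comment stating that arithmetic would save the next reader from redoing it.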
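The false negative explained in the changelog of patch 1/3 and exercised by the selftest in patch 3/3, as an added example that is not code from the patch series or from KVM: the kvm_gmem_bind() bound check is modelled in its pre-fix (signed) form, its post-fix (unsigned) form, and a third, overflow-checked form, using plain C99 types so it builds in user space. Assumptions: 4 KiB pages, loff_t as int64_t and uoff_t as uint64_t, and `__builtin_add_overflow()` standing in for the kernel's check_add_overflow(). The function and case names are this example's own.

```c
/*
 * Added example, not code from the patch series or from KVM: models the
 * kvm_gmem_bind() bound check in its pre-fix (signed), post-fix (unsigned)
 * and overflow-checked forms with plain C99 types, so the false negative
 * described in the changelog can be reproduced in user space.
 * Assumptions: 4 KiB pages; loff_t -> int64_t, uoff_t -> uint64_t;
 * __builtin_add_overflow() stands in for the kernel's check_add_overflow().
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT	12
#define PAGE_SIZE	(1ULL << PAGE_SHIFT)
#define PAGE_ALIGNED(x)	(((x) & (PAGE_SIZE - 1)) == 0)

/*
 * Pre-fix check: offset and size held as signed 64-bit values. The sum is
 * formed in unsigned arithmetic and cast back so that it wraps the way the
 * kernel's -fno-strict-overflow build does, instead of being UB here.
 */
static bool bind_ok_signed(int64_t offset, int64_t size, int64_t file_size)
{
	int64_t end = (int64_t)((uint64_t)offset + (uint64_t)size);

	/* A huge positive offset makes 'end' negative, and a negative 'end' is
	 * never greater than the (non-negative) file size: false negative. */
	if (offset < 0 || !PAGE_ALIGNED(offset) || end > file_size)
		return false;
	return true;
}

/*
 * Post-fix check as in the patch: offset and size as unsigned 64-bit values.
 * i_size_read() returns a non-negative loff_t, so promoting it to unsigned
 * for the comparison is harmless.
 */
static bool bind_ok_unsigned(uint64_t offset, uint64_t size, int64_t file_size)
{
	if (!PAGE_ALIGNED(offset) || offset + size > (uint64_t)file_size)
		return false;
	return true;
}

/*
 * Self-contained variant: also rejects an offset+size that wraps past 2^64,
 * so it does not depend on a caller having validated the offset first.
 */
static bool bind_ok_checked(uint64_t offset, uint64_t size, int64_t file_size)
{
	uint64_t end;

	if (!PAGE_ALIGNED(offset))
		return false;
	if (__builtin_add_overflow(offset, size, &end))
		return false;
	return end <= (uint64_t)file_size;
}

/* Adapter so the pre-fix check takes the same raw u64 inputs as the others,
 * reproducing the implicit unsigned-to-signed conversion of a huge offset. */
static bool bind_ok_signed_u64(uint64_t offset, uint64_t size, int64_t file_size)
{
	return bind_ok_signed((int64_t)offset, (int64_t)size, file_size);
}

int main(void)
{
	/* Constructed inputs: a 4-page file, matching the selftest's default size. */
	const int64_t file_size = 4 * PAGE_SIZE;
	const struct {
		const char *name;
		uint64_t offset, size;
	} cases[] = {
		{ "offset 0, whole file",           0x0,                   4 * PAGE_SIZE },
		{ "one page past the end",          PAGE_SIZE,             4 * PAGE_SIZE },
		{ "selftest offset (negative sum)", 0x7ffffffffffff000ULL, 4 * PAGE_SIZE },
		{ "offset+size wraps past 2^64",    0xfffffffffffff000ULL, 2 * PAGE_SIZE },
	};

	printf("%-34s %-8s %-10s %-8s\n", "case", "signed", "unsigned", "checked");
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-34s %-8s %-10s %-8s\n", cases[i].name,
		       bind_ok_signed_u64(cases[i].offset, cases[i].size, file_size) ? "accept" : "reject",
		       bind_ok_unsigned(cases[i].offset, cases[i].size, file_size) ? "accept" : "reject",
		       bind_ok_checked(cases[i].offset, cases[i].size, file_size) ? "accept" : "reject");
	return 0;
}
```

The third row is the bug: the signed form accepts the selftest's offset because the sum goes negative, while both unsigned forms reject it. The fourth row is the remaining caveat of the plain unsigned form: an offset that wraps past 2^64 is accepted by the patch's check and only caught by the explicit overflow test (or, in the pre-fix code, by the `offset < 0` test after the implicit conversion). Whether kvm_gmem_bind() can ever see such an offset depends on validation in its callers, which is outside this series.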