Date: Fri, 29 May 2026 13:17:53 +0100
In-Reply-To: <20260529121755.2923500-1-tabba@google.com>
References: <20260529121755.2923500-1-tabba@google.com>
Message-ID: <20260529121755.2923500-2-tabba@google.com>
Subject: [PATCH v2 1/3] KVM: arm64: Free hyp-share tracking node when share hypercall fails
From: tabba@google.com
To: Marc Zyngier, Oliver Upton, Joey Gouly, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Quentin Perret, Vincent Donnefort
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org

share_pfn_hyp() inserts a tracking node into hyp_shared_pfns and then
invokes __pkvm_host_share_hyp. If the hypercall rejects the share
(page-state mismatch at EL2), the node stays in the tree with refcount 1:
a phantom share that leaks the allocation and that a later unshare will
trust.

Erase the node and free it on hypercall failure.

Fixes: a83e2191b7f1 ("KVM: arm64: pkvm: Refcount the pages shared with EL2")
Reported-by: Sashiko (local):gemini-3.1-pro
Suggested-by: Vincent Donnefort
Signed-off-by: Fuad Tabba
Reviewed-by: Vincent Donnefort
---
 arch/arm64/kvm/mmu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 4da9281312eb..4a928fb003ff 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -501,6 +501,10 @@ static int share_pfn_hyp(u64 pfn) rb_link_node(&this->node, parent, node); rb_insert_color(&this->node, &hyp_shared_pfns); ret =3D kvm_call_hyp_nvhe(__pkvm_host_share_hyp, pfn); + if (ret) { + rb_erase(&this->node, &hyp_shared_pfns); + kfree(this); + } unlock: mutex_unlock(&hyp_shared_pfns_lock); =20 --=20 2.54.0.929.g9b7fa37559-goog
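Review bot: the new `if (ret) {` block after kvm_call_hyp_nvhe() undoes exactly the node this call inserted and falls through to `unlock:`, so the mutex is still released on the error path; what is missing is a comment saying why the erase has to happen here: unshare_pfn_hyp() looks the pfn up in hyp_shared_pfns and would otherwise find a node with count 1 for a page EL2 never accepted. A line such as `/* EL2 rejected the share: drop the node so a later unshare does not trust it */` above the `if (ret)` would carry the commit message's reasoning into the code.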
Date: Fri, 29 May 2026 13:17:54 +0100
In-Reply-To: <20260529121755.2923500-1-tabba@google.com>
References: <20260529121755.2923500-1-tabba@google.com>
Message-ID: <20260529121755.2923500-3-tabba@google.com>
Subject: [PATCH v2 2/3] KVM: arm64: Avoid host/hyp share desync on unshare hypercall failure
From: tabba@google.com
To: Marc Zyngier, Oliver Upton, Joey Gouly, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Quentin Perret, Vincent Donnefort
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org

unshare_pfn_hyp() erases the tracking node from hyp_shared_pfns and frees
it before invoking __pkvm_host_unshare_hyp. If the hypercall fails (e.g.
EL2 refcount still held, or page-state mismatch), the host loses its
record while EL2 still holds the share, breaking later share/unshare
attempts on the same pfn.

Invoke the hypercall first; erase and free only on success.

Document at the kvm_unshare_hyp() call site that the WARN_ON() is left
non-fatal: a failed unshare leaks the page (it stays shared with the
hypervisor) but breaks no isolation guarantee.

Fixes: 52b28657ebd7 ("KVM: arm64: pkvm: Unshare guest structs during teardown")
Reported-by: Sashiko (local):gemini-3.1-pro
Suggested-by: Vincent Donnefort
Signed-off-by: Fuad Tabba
Reviewed-by: Vincent Donnefort
---
 arch/arm64/kvm/mmu.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 4a928fb003ff..e08503e89fc4 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -524,13 +524,17 @@ static int unshare_pfn_hyp(u64 pfn) goto unlock; } =20 - this->count--; - if (this->count) + if (this->count > 1) { + this->count--; + goto unlock; + } + + ret =3D kvm_call_hyp_nvhe(__pkvm_host_unshare_hyp, pfn); + if (ret) goto unlock; =20 rb_erase(&this->node, &hyp_shared_pfns); kfree(this); - ret =3D kvm_call_hyp_nvhe(__pkvm_host_unshare_hyp, pfn); unlock: mutex_unlock(&hyp_shared_pfns_lock); =20 
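Review bot: with the reordering, a failed __pkvm_host_unshare_hyp now leaves the node in hyp_shared_pfns with count still 1 (the `if (ret) goto unlock;` path), which is also what EL2 sees, so the tree and EL2 stay consistent; that invariant is stated only in the commit message, and since the old erase-then-call order is exactly what a reader might "restore" for tidiness, a short comment on that line (`/* EL2 still holds the share: keep the tracking node */`) would protect the fix. The replacement of `this->count--; if (this->count)` by `if (this->count > 1)` only differs when count was already 0, which a node inserted with refcount 1 never has, so the behaviour change is confined to the failure path.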
@@ -581,6 +585,11 @@ void kvm_unshare_hyp(void *from, void *to) end =3D PAGE_ALIGN(__pa(to)); for (cur =3D start; cur < end; cur +=3D PAGE_SIZE) { pfn =3D __phys_to_pfn(cur); + /* + * A failed unshare leaks the page: it stays shared with the + * hypervisor and is no longer reusable for pKVM. No isolation + * guarantee is broken, and this is not expected in practice. + */ WARN_ON(unshare_pfn_hyp(pfn)); } } --=20 2.54.0.929.g9b7fa37559-goog
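Review bot: the comment added above `WARN_ON(unshare_pfn_hyp(pfn));` says a failed unshare "leaks the page", which could be read as the host losing track of it; after the previous hunk that is no longer the case, because unshare_pfn_hyp() keeps the tracking node (count 1) when the hypercall fails, so the page remains both shared with EL2 and recorded in hyp_shared_pfns. Adding "and its tracking node is retained" to the comment would make the non-fatal WARN_ON easier to justify to the next reader.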
Date: Fri, 29 May 2026 13:17:55 +0100
In-Reply-To: <20260529121755.2923500-1-tabba@google.com>
References: <20260529121755.2923500-1-tabba@google.com>
Message-ID: <20260529121755.2923500-4-tabba@google.com>
Subject: [PATCH v2 3/3] KVM: arm64: Roll back partial shares on kvm_share_hyp() failure
From: tabba@google.com
To: Marc Zyngier, Oliver Upton, Joey Gouly, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Quentin Perret, Vincent Donnefort
Cc: linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org

kvm_share_hyp() shares a range one page at a time. If share_pfn_hyp()
fails partway through, the pages already shared by this call are left
shared, while the caller treats the whole range as failed and never
unshares them.

Unshare those pages before returning the error. If an unshare itself
fails, the page is leaked: it stays shared with the hypervisor and is no
longer reusable for pKVM, but no isolation guarantee is broken, so WARN
and continue. Not expected in practice.

Fixes: a83e2191b7f1 ("KVM: arm64: pkvm: Refcount the pages shared with EL2")
Suggested-by: Vincent Donnefort
Signed-off-by: Fuad Tabba
Reviewed-by: Vincent Donnefort
---
 arch/arm64/kvm/mmu.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index e08503e89fc4..8811ad60cf72 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -544,8 +544,8 @@ static int unshare_pfn_hyp(u64 pfn) int kvm_share_hyp(void *from, void *to) { phys_addr_t start, end, cur; + int ret =3D 0; u64 pfn; - int ret; =20 if (is_kernel_in_hyp_mode()) return 0; @@ -567,10 +567,24 @@ int kvm_share_hyp(void *from, void *to) pfn =3D __phys_to_pfn(cur); ret =3D share_pfn_hyp(pfn); if (ret) - return ret; + break; } =20 - return 0; + if (!ret) + return 0; + + /* + * Roll back the pages shared by this call. A failed unshare leaks + * the page (it stays shared with the hypervisor and is no longer + * reusable for pKVM) but breaks no isolation guarantee, so warn and + * continue. Not expected in practice. + */ + for (end =3D cur, cur =3D start; cur < end; cur +=3D PAGE_SIZE) { + pfn =3D __phys_to_pfn(cur); + WARN_ON(unshare_pfn_hyp(pfn)); + } + + return ret; } =20 void kvm_unshare_hyp(void *from, void *to) --=20 2.54.0.929.g9b7fa37559-goog
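Review bot: the `int ret = 0;` initializer in the first hunk is load-bearing rather than cosmetic: for an empty range the loop body never runs and the `if (!ret) return 0;` added in the second hunk would otherwise read an uninitialized `ret`. A one-line comment on the declaration, or a note in the commit message, would stop a later cleanup from dropping the `= 0`.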
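Review bot: in the rollback loop `for (end = cur, cur = start; cur < end; cur += PAGE_SIZE)` the exclusive bound is correct only because a failed share_pfn_hyp() leaves nothing behind (patch 1/3 of this series frees the tracking node when the hypercall fails), so `cur` at the `break` is a pfn that was never shared; that dependency on 1/3 deserves a sentence in the comment above the loop. Reusing `end` as the failure boundary inside the for-init is compact but a dedicated variable (e.g. `failed = cur`) would read more clearly, and the per-page WARN_ON is consistent with the kvm_unshare_hyp() comment added in 2/3.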