[PATCH v4 0/3] KVM: guest_memfd: Fix signed offset+size goof

Sean Christopherson posted 3 patches 5 days, 11 hours ago
.../testing/selftests/kvm/guest_memfd_test.c  | 24 +++++++++++++++++--
virt/kvm/guest_memfd.c                        |  8 +++----
virt/kvm/kvm_mm.h                             |  7 ++++--
3 files changed, 31 insertions(+), 8 deletions(-)
Posted by Sean Christopherson 5 days, 11 hours ago
Fix a bug where KVM fails to reject a comically large offset into guest_memfd
if offset+size results in a signed, negative value.  Add a testcase to prove
the bug, and to serve as a regression test.

Note, v1 and v2 were part of a larger series.

v4:
 - Collect tags. [Mike, Ackerley]
 - Use "INT64_MAX - page_size" instead of hardcoded literal. [Sashiko, Ackerley]

v3:
 - Use uoff_t, not u64. [the combined might of Sean and Ackerley]
 - Explain exactly what is broken. [Ackerley]
 - Add a regression test.

v2: https://lore.kernel.org/all/20260522-fix-sev-gmem-post-populate-v2-0-3f196bfad5a1@google.com
v1: https://lore.kernel.org/r/20260522-fix-sev-gmem-post-populate-v1-0-9fc8d6437b65@google.com

Sean Christopherson (3):
  KVM: guest_memfd: Treat memslot binding offset+size as unsigned values
  KVM: selftests: Expand the guest_memfd test macros to allow passing
    the VM
  KVM: selftests: Add guest_memfd regression test signed offset+size bug



base-commit: d1568b1332b6b3b36b222c2868fc102727c12a34
-- 
2.54.0.929.g9b7fa37559-goog
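Added example, not code from the patch or from KVM: a standalone C program showing the bug class the cover letter describes, a bounds check on a signed offset+size sum that wraps negative, next to the unsigned form the fix adopts. PAGE_SZ, FILE_SZ and the function names are assumed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class in the cover letter; this is
 * not KVM's code.  PAGE_SZ and FILE_SZ are assumed values. */
#define PAGE_SZ 4096ULL
#define FILE_SZ (16ULL * PAGE_SZ)   /* pretend the guest_memfd is 64 KiB */

/* Two's-complement wrap of a 64-bit sum, which is how signed loff_t
 * arithmetic behaves in the kernel (built with -fno-strict-overflow).
 * Done through unsigned math so this program has no undefined behaviour. */
static int64_t wrapping_add(int64_t a, int64_t b)
{
    return (int64_t)((uint64_t)a + (uint64_t)b);
}

/* Buggy shape: the bound is checked on a signed sum, so an offset near
 * INT64_MAX plus a modest size wraps negative and "fits" inside the file. */
static bool bind_ok_signed(int64_t offset, int64_t size)
{
    if (offset < 0 || offset % PAGE_SZ)
        return false;
    return wrapping_add(offset, size) <= (int64_t)FILE_SZ;
}

/* Fixed shape: treat both operands as unsigned and never form the sum,
 * so there is nothing left to overflow. */
static bool bind_ok_unsigned(uint64_t offset, uint64_t size)
{
    if (offset % PAGE_SZ)
        return false;
    return offset <= FILE_SZ && size <= FILE_SZ - offset;
}

int main(void)
{
    /* Page-aligned offset just below INT64_MAX, in the spirit of the
     * regression test's "INT64_MAX - page_size". */
    int64_t huge = (INT64_MAX - (int64_t)PAGE_SZ) + 1;  /* 0x7FFFFFFFFFFFF000 */
    int64_t size = 2 * (int64_t)PAGE_SZ;

    printf("signed check accepts huge offset:   %d\n", bind_ok_signed(huge, size));
    printf("unsigned check accepts huge offset: %d\n", bind_ok_unsigned(huge, size));
    printf("unsigned check accepts sane range:  %d\n", bind_ok_unsigned(PAGE_SZ, PAGE_SZ));
    return 0;
}
```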
Re: [PATCH v4 0/3] KVM: guest_memfd: Fix signed offset+size goof
Posted by Sean Christopherson 2 days, 9 hours ago
On Tue, 02 Jun 2026 10:09:18 -0700, Sean Christopherson wrote:
> Fix a bug where KVM fails to reject a comically large offset into guest_memfd
> if offset+size results in a signed, negative value.  Add a testcase to prove
> the bug, and to serve as a regression test.
> 
> Note, v1 and v2 were part of a larger series.
> 
> v4:
>  - Collect tags. [Mike, Ackerley]
>  - Use "INT64_MAX - page_size" instead of hardcoded literal. [Sashiko, Ackerley]
> 
> [...]

Applied to kvm-x86 gmem, thanks!

[1/3] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values
      https://github.com/kvm-x86/linux/commit/eba85fee7fc6
[2/3] KVM: selftests: Expand the guest_memfd test macros to allow passing the VM
      https://github.com/kvm-x86/linux/commit/b7a23fb0ed7e
[3/3] KVM: selftests: Add guest_memfd regression test signed offset+size bug
      https://github.com/kvm-x86/linux/commit/b408b52e7111

--
https://github.com/kvm-x86/linux/tree/next