Date: Tue, 2 Jun 2026 10:09:19 -0700
In-Reply-To: <20260602170921.1304394-1-seanjc@google.com>
Message-ID: <20260602170921.1304394-2-seanjc@google.com>
Subject: [PATCH v4 1/3] KVM: guest_memfd: Treat memslot binding offset+size as unsigned values
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Michael Roth, Sean Christopherson

When binding a memslot to a guest_memfd file, treat the offset and size as unsigned values to fix a bug where the sum of the two can result in a false negative when checking for overflow against the size of the file. Passing unsigned values also avoids relying on somewhat obscure checks in other flows for safety, and tracks the offset and size as they are intended to be tracked, as unsigned values.

On 64-bit kernels, the number of pages a memslot contains and thus the size (and offset) of its guest_memfd binding are unsigned 64-bit values. Taking the offset+size as an loff_t instead of a uoff_t inadvertently converts the unsigned value to a signed value if the offset and/or size is massive. Locally storing the offset and size as signed values is benign in and of itself (though even that is *extremely* difficult to discern), but operating on their sum is not.

For the offset, KVM explicitly checks against a negative value, which might seem like a bug as KVM could incorrectly reject a legitimate binding, but that's not actually the case as KVM_CREATE_GUEST_MEMFD takes a signed value for its size, i.e. a would-be-negative offset is also greater than the maximum possible size of any guest_memfd file.

Regarding the size, while KVM lacks an explicit check for a negative value, i.e. seemingly has a flawed overflow check, KVM restricts the number of pages in a single memslot to the largest positive signed 32-bit value:

	if (id < KVM_USER_MEM_SLOTS &&
	    (mem->memory_size >> PAGE_SHIFT) > KVM_MEM_MAX_NR_PAGES)
		return -EINVAL;

and so the maximum "size" will ever be is 0x7fffffff000.

The sum of the two is, however, problematic. While the size is restricted by KVM's memslot logic, the offset is not, i.e.
the offset is completely unchecked until the "offset + size > i_size_read(inode)" check. If the offset is the (nearly) largest possible _positive_ value, then adding size to the offset can result in a signed, negative 64-bit value. When compared against the size of the file (guaranteed to be positive), the negative sum is always smaller, and KVM incorrectly allows the absurd offset.

Opportunistically add missing includes in kvm_mm.h (instead of relying on its parents).

Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Cc: stable@vger.kernel.org
Cc: Ackerley Tng
Reviewed-by: Michael Roth
Reviewed-by: Ackerley Tng
Signed-off-by: Sean Christopherson
---
 virt/kvm/guest_memfd.c | 8 ++++----
 virt/kvm/kvm_mm.h      | 7 +++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index bf9659a7b0f6..a1cb72e66288 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -640,15 +640,16 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_creat= e_guest_memfd *args) } =20 int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, uoff_t offset) { - loff_t size =3D slot->npages << PAGE_SHIFT; + uoff_t size =3D slot->npages << PAGE_SHIFT; unsigned long start, end; struct gmem_file *f; struct inode *inode; struct file *file; int r =3D -EINVAL; =20 + BUILD_BUG_ON(sizeof(gpa_t) !=3D sizeof(offset)); BUILD_BUG_ON(sizeof(gfn_t) !=3D sizeof(slot->gmem.pgoff)); =20 file =3D fget(fd); @@ -664,8 +665,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_sl= ot *slot, =20 inode =3D file_inode(file); =20 - if (offset < 0 || !PAGE_ALIGNED(offset) || - offset + size > i_size_read(inode)) + if (!PAGE_ALIGNED(offset) || offset + size > i_size_read(inode)) goto err; =20 filemap_invalidate_lock(inode->i_mapping); diff --git a/virt/kvm/kvm_mm.h b/virt/kvm/kvm_mm.h index 9fcc5d5b7f8d..7510ca915dd1 100644
--- a/virt/kvm/kvm_mm.h +++ b/virt/kvm/kvm_mm.h @@ -3,6 +3,9 @@ #ifndef __KVM_MM_H__ #define __KVM_MM_H__ 1 =20 +#include +#include + /* * Architectures can choose whether to use an rwlock or spinlock * for the mmu_lock. These macros, for use in common code @@ -72,7 +75,7 @@ int kvm_gmem_init(struct module *module); void kvm_gmem_exit(void); int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args); int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset); + unsigned int fd, uoff_t offset); void kvm_gmem_unbind(struct kvm_memory_slot *slot); #else static inline int kvm_gmem_init(struct module *module) 
@@ -82,7 +85,7 @@ static inline int kvm_gmem_init(struct module *module) static inline void kvm_gmem_exit(void) {}; static inline int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, - unsigned int fd, loff_t offset) + unsigned int fd, uoff_t offset) { WARN_ON_ONCE(1); return -EIO; --=20 2.54.0.929.g9b7fa37559-goog
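Review bot: the rewritten condition in the `@@ -664,8 +665,7 @@` hunk of virt/kvm/guest_memfd.c still has no local guard against `offset + size` wrapping around now that both operands are unsigned: with `offset` near the top of the 64-bit range the sum wraps to a small value and `offset + size > i_size_read(inode)` passes. The commit message says this case is covered by checks in other flows, but also calls those checks "somewhat obscure", so consider making kvm_gmem_bind() self-sufficient with `check_add_overflow(offset, size, &end)` (or `offset + size < offset`) ahead of the i_size comparison, plus a one-line comment that i_size_read() is never negative, so its implicit conversion to uoff_t in the comparison is safe.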
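Review bot: in the `@@ -640,15 +640,16 @@` hunk, `uoff_t size =3D slot->npages << PAGE_SHIFT;` performs the shift in the type of `slot->npages` (unsigned long) before the assignment, so the uoff_t on the left does not widen it; the new `BUILD_BUG_ON(sizeof(gpa_t) !=3D sizeof(offset))` pins uoff_t to 64 bits but nothing pins `unsigned long`. That is fine on the 64-bit architectures guest_memfd supports, but either a short comment or `(uoff_t)slot->npages << PAGE_SHIFT` would make the width assumption explicit.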

Date: Tue, 2 Jun 2026 10:09:20 -0700
In-Reply-To: <20260602170921.1304394-1-seanjc@google.com>
Message-ID: <20260602170921.1304394-3-seanjc@google.com>
Subject: [PATCH v4 2/3] KVM: selftests: Expand the guest_memfd test macros to allow passing the VM
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Michael Roth, Sean Christopherson

Expand the gmem test macros to allow passing the VM to testcases, without needing to plumb the VM into _every_ testcase, as the vast majority of testcases only need the fd and size.

No functional change intended.

Reviewed-by: Ackerley Tng
Tested-by: Ackerley Tng
Signed-off-by: Sean Christopherson
---
 tools/testing/selftests/kvm/guest_memfd_test.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/kvm/guest_memfd_test.c b/tools/testing= /selftests/kvm/guest_memfd_test.c index 832ef4dfb99f..246bb408ecc0 100644 --- a/tools/testing/selftests/kvm/guest_memfd_test.c +++ b/tools/testing/selftests/kvm/guest_memfd_test.c
@@ -408,17 +408,26 @@ static void test_guest_memfd_flags(struct kvm_vm *vm) } } =20 -#define __gmem_test(__test, __vm, __flags, __gmem_size) \ +#define ____gmem_test(__test, __vm, __flags, __gmem_size, args...) \ do { \ int fd =3D vm_create_guest_memfd(__vm, __gmem_size, __flags); \ \ - test_##__test(fd, __gmem_size); \ + test_##__test(args); \ close(fd); \ } while (0) =20 +#define __gmem_test(__test, __vm, __flags, __gmem_size) \ + ____gmem_test(__test, __vm, __flags, __gmem_size, fd, __gmem_size) + #define gmem_test(__test, __vm, __flags) \ __gmem_test(__test, __vm, __flags, page_size * 4) =20 +#define __gmem_test_vm(__test, __vm, __flags, __gmem_size) \ + ____gmem_test(__test, __vm, __flags, __gmem_size, __vm, fd, __gmem_size) + +#define gmem_test_vm(__test, __vm, __flags) \ + __gmem_test_vm(__test, __vm, __flags, page_size * 4) + static void __test_guest_memfd(struct kvm_vm *vm, u64 flags) { test_create_guest_memfd_multiple(vm); --=20 2.54.0.929.g9b7fa37559-goog
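Review bot: in the `@@ -408,17 +408,26 @@` hunk, `____gmem_test()` expands `test_##__test(args)` inside the do-block that declares `int fd`, and both `__gmem_test` and `__gmem_test_vm` pass the bare token `fd` through `args...` so that it binds to that local. This works, but it is not obvious from the wrapper definitions that `fd` names the inner macro's own variable rather than something at the call site, so a one-line comment above `____gmem_test` would help the next reader. The `args...` named-variadic form is also a GNU extension; the selftests already require GCC so this is consistent, but `...`/`__VA_ARGS__` is the portable spelling if that ever matters.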

Date: Tue, 2 Jun 2026 10:09:21 -0700
In-Reply-To: <20260602170921.1304394-1-seanjc@google.com>
Message-ID: <20260602170921.1304394-4-seanjc@google.com>
Subject: [PATCH v4 3/3] KVM: selftests: Add guest_memfd regression test signed offset+size bug
From: Sean Christopherson
To: Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Ackerley Tng, Michael Roth, Sean Christopherson

Add a regression (and proof-of-bug) testcase to ensure KVM rejects an offset+size that would result in a negative value when computed as a signed 64-bit value. KVM had a flaw where it would allow binding a memslot to a guest_memfd instance even with a wildly out-of-range offset, if the offset and size were both positive values, but the combined offset+size was negative.

Use "0x7fffffffffffffffull - page_size", i.e. "INT64_MAX - page_size", for the offset as the size of the guest_memfd file must be at least page_size (KVM requires memslots and gmem files to be host page-size aligned). I.e. "INT64_MAX - page_size + size" is guaranteed to generate an offset+size that is negative when converted to a signed 64-bit value *and* honors KVM's alignment requirements.

Reviewed-by: Ackerley Tng
Tested-by: Ackerley Tng
Signed-off-by: Sean Christopherson
---
 tools/testing/selftests/kvm/guest_memfd_test.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/testing/selftests/kvm/guest_memfd_test.c b/tools/testing= /selftests/kvm/guest_memfd_test.c index 246bb408ecc0..2233d871a38f 100644 --- a/tools/testing/selftests/kvm/guest_memfd_test.c +++ b/tools/testing/selftests/kvm/guest_memfd_test.c @@ -345,6 +345,16 @@ static void test_invalid_punch_hole(int fd, size_t tot= al_size) } } =20 +static void test_invalid_binding(struct kvm_vm *vm, int fd, size_t size) +{ + int r; + + r =3D __vm_set_user_memory_region2(vm, 0, KVM_MEM_GUEST_MEMFD, 0, size, 0, + fd, ALIGN_DOWN(INT64_MAX, page_size)); + TEST_ASSERT(r && errno =3D=3D EINVAL, + "Memslot with out-of-range offset+size should fail"); +} + static void test_create_guest_memfd_invalid_sizes(struct kvm_vm *vm, u64 guest_memfd_flags) {
@@ -456,6 +466,7 @@ static void __test_guest_memfd(struct kvm_vm *vm, u64 f= lags) gmem_test(file_size, vm, flags); gmem_test(fallocate, vm, flags); gmem_test(invalid_punch_hole, vm, flags); + gmem_test_vm(invalid_binding, vm, flags); } =20 static void test_guest_memfd(unsigned long vm_type) --=20 2.54.0.929.g9b7fa37559-goog
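Review bot: in the `@@ -345,6 +345,16 @@` hunk the offset passed to `__vm_set_user_memory_region2()` is `ALIGN_DOWN(INT64_MAX, page_size)`, which equals `INT64_MAX - page_size + 1` (0x7ffffffffffff000 for 4 KiB pages), whereas the commit message describes the offset as "INT64_MAX - page_size", a value that is not page-aligned. The code is the right one (it passes PAGE_ALIGNED() and `offset + size` still goes negative for any size >= page_size), so the commit message wording should be brought in line with it. The check `r && errno =3D=3D EINVAL` is correct for the expected path; asserting `r =3D=3D -1` instead of `r` would additionally catch an unexpected positive return.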
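As an added illustration of the signed-sum flaw described in patch 1/3 and of the offset chosen in patch 3/3 (example code written for this page, not KVM's own), the bind check is modelled in userspace with int64_t standing in for loff_t and uint64_t for uoff_t; the explicit wrap guard in the unsigned variant goes beyond the patch, which leaves that to the memslot code that calls kvm_gmem_bind().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel helpers (hypothetical, not KVM's). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define PAGE_ALIGNED(x)  (((uint64_t)(x) & (PAGE_SIZE - 1)) == 0)
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1))

/*
 * Pre-patch shape of the check: offset and size are signed (loff_t).
 * The sum is formed in unsigned arithmetic and cast back so that this
 * userspace model shows the two's-complement wrap the kernel gets from
 * -fno-strict-overflow without relying on signed-overflow UB.
 */
static bool bind_ok_signed(int64_t offset, uint64_t npages, int64_t i_size)
{
	int64_t size = (int64_t)(npages << PAGE_SHIFT);
	int64_t sum  = (int64_t)((uint64_t)offset + (uint64_t)size);

	if (offset < 0 || !PAGE_ALIGNED(offset) || sum > i_size)
		return false;
	return true;		/* a negative sum sails past "sum > i_size" */
}

/*
 * Post-patch shape: offset and size are unsigned (uoff_t). The explicit
 * wrap guard is an addition of this example; the patch leaves rejection
 * of a wrapping offset + size to the caller of kvm_gmem_bind().
 */
static bool bind_ok_unsigned(uint64_t offset, uint64_t npages, int64_t i_size)
{
	uint64_t size = npages << PAGE_SHIFT;
	uint64_t end;

	/* i_size is never negative, so converting it to unsigned is safe. */
	if (!PAGE_ALIGNED(offset) ||
	    __builtin_add_overflow(offset, size, &end) ||
	    end > (uint64_t)i_size)
		return false;
	return true;
}

/* Offset used by the selftest: the largest page-aligned positive int64. */
#define BAD_OFFSET ALIGN_DOWN((uint64_t)INT64_MAX, PAGE_SIZE)

int main(void)
{
	const int64_t file_size = 4 * PAGE_SIZE;	/* selftest: page_size * 4 */

	printf("signed check, selftest offset:   %s\n",
	       bind_ok_signed((int64_t)BAD_OFFSET, 4, file_size) ? "ACCEPTED (bug)" : "rejected");
	printf("unsigned check, selftest offset: %s\n",
	       bind_ok_unsigned(BAD_OFFSET, 4, file_size) ? "ACCEPTED (bug)" : "rejected");
	printf("unsigned check, wrapping offset: %s\n",
	       bind_ok_unsigned(ALIGN_DOWN(UINT64_MAX, PAGE_SIZE), 4, file_size) ? "ACCEPTED (bug)" : "rejected");
	printf("unsigned check, legitimate bind: %s\n",
	       bind_ok_unsigned(0, 4, file_size) ? "accepted" : "REJECTED (bug)");
	return 0;
}
```

The third case shows why the extra guard matters: with unsigned arithmetic the selftest's offset no longer goes negative, but an offset at the top of the range wraps to a small sum unless the addition itself is checked.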