* [PATCH 0/2] KVM: arm64: Tentative fixes for page-table lifetime issues
@ 2026-03-27 19:27 Will Deacon
From: Will Deacon @ 2026-03-27 19:27 UTC
To: kvmarm
Cc: linux-arm-kernel, Will Deacon, Marc Zyngier, Oliver Upton,
Joey Gouly, Suzuki K Poulose, Zenghui Yu
Hi all,
Sashiko highlighted a couple of potential page-table lifetime issues
in the upstream code while it was reviewing the pKVM protected memory
series. They make sense to me so I've had a crack at fixing them and
writing a better description of the problem in the commit message.
For the second issue, I've tested it by forcing the notifier
registration to fail and then watching the SecPageTables line in
/proc/meminfo after attempting to create VMs.
Cheers,
Will
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Joey Gouly <joey.gouly@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Zenghui Yu <yuzenghui@huawei.com>
--->8
Will Deacon (2):
KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error
KVM: arm64: Destroy stage-2 page-table in kvm_arch_destroy_vm()
arch/arm64/kvm/arm.c | 1 +
arch/arm64/kvm/mmu.c | 1 +
2 files changed, 2 insertions(+)
--
2.53.0.1018.g2bb0e51243-goog
* [PATCH 1/2] KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error
From: Will Deacon @ 2026-03-27 19:27 UTC
To: kvmarm
Cc: linux-arm-kernel, Will Deacon, Marc Zyngier, Oliver Upton,
Joey Gouly, Suzuki K Poulose, Zenghui Yu
If kvm_init_stage2_mmu() fails to allocate 'mmu->last_vcpu_ran', it
destroys the newly allocated stage-2 page-table before returning ENOMEM.
Unfortunately, it also leaves a dangling pointer in 'mmu->pgt' which
points at the freed 'kvm_pgtable' structure. This is likely to confuse
the kvm_vcpu_init_nested() failure path which can double-free the
structure if it finds it via kvm_free_stage2_pgd().
Ensure that the dangling 'mmu->pgt' pointer is cleared when returning an
error from kvm_init_stage2_mmu().
Link: https://sashiko.dev/#/patchset/20260327140039.21228-1-will%40kernel.org?patch=12265
Signed-off-by: Will Deacon <will@kernel.org>
---
arch/arm64/kvm/mmu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index 17d64a1e11e5..34e9d897d08b 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1013,6 +1013,7 @@ int kvm_init_stage2_mmu(struct kvm *kvm, struct kvm_s2_mmu *mmu, unsigned long t
out_destroy_pgtable:
kvm_stage2_destroy(pgt);
+ mmu->pgt = NULL;
out_free_pgtable:
kfree(pgt);
return err;
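Review bot: the cleared pointer only covers the out_destroy_pgtable label; any path that jumps straight to out_free_pgtable after mmu->pgt has already been assigned would still leave it dangling. If mmu->pgt is only written once the page-table has been successfully initialised, so that no such path exists, the placement between the two labels is right, and a one-line comment above `mmu->pgt = NULL;` saying that the pointer must be unpublished before kfree(pgt) would save the next reader the same check. Since the commit message describes a double free reachable through kvm_vcpu_init_nested(), a Fixes: tag would also help backporters.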
--
2.53.0.1018.g2bb0e51243-goog
* [PATCH 2/2] KVM: arm64: Destroy stage-2 page-table in kvm_arch_destroy_vm()
From: Will Deacon @ 2026-03-27 19:27 UTC
To: kvmarm
Cc: linux-arm-kernel, Will Deacon, Marc Zyngier, Oliver Upton,
Joey Gouly, Suzuki K Poulose, Zenghui Yu
kvm_arch_destroy_vm() can be called on the kvm_create_vm() error path
after we have failed to register the MMU notifiers for the new VM. In
this case, we cannot rely on the MMU ->release() notifier to call
kvm_arch_flush_shadow_all() and so the stage-2 page-table allocated in
kvm_arch_init_vm() will be leaked.
Explicitly destroy the stage-2 page-table in kvm_arch_destroy_vm(), so
that we clean up after kvm_arch_destroy_vm() without relying on the MMU
notifiers.
Link: https://sashiko.dev/#/patchset/20260327140039.21228-1-will%40kernel.org?patch=12265
Signed-off-by: Will Deacon <will@kernel.org>
---
arch/arm64/kvm/arm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 410ffd41fd73..29bfa79555b2 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -301,6 +301,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
if (is_protected_kvm_enabled())
pkvm_destroy_hyp_vm(kvm);
+ kvm_uninit_stage2_mmu(kvm);
kvm_destroy_mpidr_data(kvm);
kfree(kvm->arch.sysreg_masks);
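Review bot: kvm_uninit_stage2_mmu(kvm) now runs on every kvm_arch_destroy_vm(), including the normal path where, per the commit message, the MMU ->release() notifier has already called kvm_arch_flush_shadow_all() and torn the stage-2 page-table down. That is only safe if the teardown tolerates an already-freed page-table (a NULL mmu->pgt) and is idempotent; please state that in the commit message or in a comment above the call, otherwise this reads like a second free. Placing the call after pkvm_destroy_hyp_vm(kvm) keeps the stage-2 intact while the protected-VM side is dismantled, which looks like the intended order and is worth a word as well.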
--
2.53.0.1018.g2bb0e51243-goog
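As an added illustration that is not part of this thread or of the kernel source, the following hypothetical userspace model in C reproduces the two lifetime bugs the patches describe: a failed kvm_init_stage2_mmu() that leaves mmu->pgt dangling for the caller's cleanup to free again (patch 1), and a kvm_create_vm() error path where no ->release() notifier ever runs, so the page-table leaks unless kvm_arch_destroy_vm() frees it itself (patch 2). All structs and functions here are simplified stand-ins named after their kernel counterparts, and the double-free detector replaces a real kfree().

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical model of the stage-2 MMU lifetime discussed in this thread; not kernel code. */
struct kvm_pgtable { unsigned long dummy; };
struct kvm_s2_mmu { struct kvm_pgtable *pgt; int *last_vcpu_ran; };
static void *freed_pgts[4];           /* every page-table pointer handed to kfree_pgt() */
static int nr_freed, nr_double_free;

/* kfree() stand-in: records a repeat free of the same pointer instead of corrupting the heap. */
static void kfree_pgt(struct kvm_pgtable *pgt) {
	for (int i = 0; i < nr_freed; i++)
		if (freed_pgts[i] == pgt) { nr_double_free++; return; }
	freed_pgts[nr_freed++] = pgt;
	free(pgt);
}

/* Models kvm_init_stage2_mmu(): mmu->pgt is published before the second allocation. */
static int init_stage2_mmu(struct kvm_s2_mmu *mmu, int fail_vcpu_alloc, int fix1) {
	struct kvm_pgtable *pgt = calloc(1, sizeof(*pgt));
	if (!pgt) return -ENOMEM;
	mmu->pgt = pgt;
	mmu->last_vcpu_ran = fail_vcpu_alloc ? NULL : calloc(1, sizeof(int));
	if (mmu->last_vcpu_ran) return 0;
	if (fix1) mmu->pgt = NULL;        /* the one-line change in patch 1 */
	kfree_pgt(pgt);                   /* kvm_stage2_destroy() + kfree() */
	return -ENOMEM;
}

/* Models kvm_free_stage2_pgd(): a NULL pgt is a no-op, which is what lets patch 2 call
 * the teardown from kvm_arch_destroy_vm() even after the ->release notifier already ran. */
static void free_stage2_pgd(struct kvm_s2_mmu *mmu) {
	struct kvm_pgtable *pgt = mmu->pgt;
	if (!pgt) return;
	mmu->pgt = NULL;
	free(mmu->last_vcpu_ran);
	kfree_pgt(pgt);
}

/* One VM lifetime: 0 if the page-table was freed exactly once, -1 on a double free (patch 1's
 * bug), -2 if it leaked (patch 2's bug). */
int vm_lifetime(int fail_vcpu_alloc, int notifier_registered, int fix1, int fix2) {
	struct kvm_s2_mmu mmu = {0};
	nr_freed = nr_double_free = 0;
	if (init_stage2_mmu(&mmu, fail_vcpu_alloc, fix1)) {
		free_stage2_pgd(&mmu);        /* cf. the kvm_vcpu_init_nested() failure path */
	} else {
		if (notifier_registered) free_stage2_pgd(&mmu);  /* ->release: kvm_arch_flush_shadow_all() */
		if (fix2) free_stage2_pgd(&mmu);                 /* kvm_arch_destroy_vm(): kvm_uninit_stage2_mmu() */
	}
	return nr_double_free ? -1 : (nr_freed ? 0 : -2);
}
```

Calling vm_lifetime(1, 0, 0, 0) reports the double free, vm_lifetime(0, 0, 1, 0) the leak, and enabling the corresponding fix turns each into a clean, single free; vm_lifetime(0, 1, 1, 1) shows the double teardown that patch 2 introduces on the normal path is harmless.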
* Re: [PATCH 0/2] KVM: arm64: Tentative fixes for page-table lifetime issues
From: Marc Zyngier @ 2026-04-02 13:36 UTC
To: kvmarm, Will Deacon
Cc: linux-arm-kernel, Oliver Upton, Joey Gouly, Suzuki K Poulose,
Zenghui Yu
On Fri, 27 Mar 2026 19:27:55 +0000, Will Deacon wrote:
> Sashiko highlighted a couple of potential page-table lifetime issues
> in the upstream code while it was reviewing the pKVM protected memory
> series. They make sense to me so I've had a crack at fixing them and
> writing a better description of the problem in the commit message.
>
> For the second issue, I've tested it by forcing the notifier
> registration to fail and then watching the SecPageTables line in
> /proc/meminfo after attempting to create VMs.
>
> [...]
Applied to next, thanks!
[1/2] KVM: arm64: Don't leave mmu->pgt dangling on kvm_init_stage2_mmu() error
commit: 2fc0f3e2b9a9f397554ffe86e8f6eb0e2507ec6e
[2/2] KVM: arm64: Destroy stage-2 page-table in kvm_arch_destroy_vm()
commit: a3ca3bfd01b7ee9f54ed85718a6d553cdd87050e
Cheers,
M.
--
Without deviation from the norm, progress is not possible.