From: Ethan Yang <ethan.yang.kernel@gmail.com>
To: kvm@vger.kernel.org
Cc: seanjc@google.com, pbonzini@redhat.com,
	syzbot+bc0e18379a290e5edfe4@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	x86@kernel.org, tglx@kernel.org, mingo@redhat.com, bp@alien8.de,
	dave.hansen@linux.intel.com, hpa@zytor.com, glider@google.com
Subject: [PATCH] KVM: x86: Don't leave APF half-enabled on bad APF data GPA
Date: Fri,  3 Apr 2026 03:11:11 +0000	[thread overview]
Message-ID: <20260403031111.3171-1-ethan.yang.kernel@gmail.com> (raw)
In-Reply-To: <6877331d.a00a0220.3af5df.000c.GAE@google.com>

kvm_pv_enable_async_pf() updates vcpu->arch.apf.msr_en_val before
initializing the APF data gfn_to_hva cache. If userspace provides an
invalid GPA, kvm_gfn_to_hva_cache_init() fails, but msr_en_val stays
enabled and leaves APF state half-initialized.

Later APF paths can then try to use the empty cache and trigger
WARN_ON() in kvm_read_guest_offset_cached().

Determine the new APF enabled state from the incoming MSR value, do cache
initialization first on the enable path, and commit msr_en_val only after
successful initialization. Keep the disable path behavior unchanged.

Reported-by: syzbot+bc0e18379a290e5edfe4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bc0e18379a290e5edfe4
Link: https://lore.kernel.org/r/aHfD3MczrDpzDX9O@google.com
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Ethan Yang <ethan.yang.kernel@gmail.com>
---
 arch/x86/kvm/x86.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fd1c4a36b59..c355bbd36c3 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1041,11 +1041,15 @@ bool kvm_require_dr(struct kvm_vcpu *vcpu, int dr)
 }
 EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_require_dr);
 
-static bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
+static bool kvm_pv_async_pf_enabled_data(u64 data)
 {
 	u64 mask = KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT;
+	return (data & mask) == mask;
+}
 
-	return (vcpu->arch.apf.msr_en_val & mask) == mask;
+static bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
+{
+	return kvm_pv_async_pf_enabled_data(vcpu->arch.apf.msr_en_val);
 }
 
 static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu)
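Review bot: minor style point in the new `kvm_pv_async_pf_enabled_data()`: the original helper kept a blank line between the `u64 mask = ...;` declaration and the `return`, and the split drops it, so the two helpers now look different from the surrounding code. Keep the blank line after the declaration, as in the removed body. Otherwise the split is straightforward: the existing `kvm_pv_async_pf_enabled(vcpu)` wrapper keeps its behaviour by forwarding `vcpu->arch.apf.msr_en_val`, so callers that still check the committed state are unaffected.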
@@ -3645,17 +3649,20 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
 	if (!lapic_in_kernel(vcpu))
 		return data ? 1 : 0;
 
+	bool new_enabled = kvm_pv_async_pf_enabled_data(data);
+
+	if (new_enabled &&
+		kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa,
+			sizeof(u64)))
+		return 1;
 	vcpu->arch.apf.msr_en_val = data;
 
-	if (!kvm_pv_async_pf_enabled(vcpu)) {
+	if (!new_enabled) {
 		kvm_clear_async_pf_completion_queue(vcpu);
 		kvm_async_pf_hash_reset(vcpu);
 		return 0;
 	}
 
-	if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa,
-					sizeof(u64)))
-		return 1;
 
 	vcpu->arch.apf.send_always = (data & KVM_ASYNC_PF_SEND_ALWAYS);
 	vcpu->arch.apf.delivery_as_pf_vmexit = data & KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT;
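Review bot: `bool new_enabled = kvm_pv_async_pf_enabled_data(data);` is declared after the `if (!lapic_in_kernel(vcpu))` statement; kernel style keeps local declarations at the top of the block, so move it up next to the existing `gpa` declaration and compute it before the early returns (it depends only on `data`). Two smaller nits in the same hunk: the continuation lines of the new `if (new_enabled && kvm_gfn_to_hva_cache_init(...))` are indented with tabs only, where kernel style aligns them under the opening parenthesis, and removing the old `kvm_gfn_to_hva_cache_init()` call leaves two consecutive blank lines before the `send_always` assignment. The ordering itself is right: on a bad GPA the function returns 1 before `vcpu->arch.apf.msr_en_val = data;`, so the previously committed value (and any cache it was initialized with) survives, and the `!new_enabled` path still clears the completion queue and resets the hash exactly as before.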
-- 
2.47.3

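The commit message describes an ordering bug: the enable bits are committed before the data GPA is validated, so a rejected MSR write leaves the feature "enabled" with no backing cache. The model below, written for this page and not taken from the patch or from KVM, reproduces both orderings in plain C against a stand-in for the gfn_to_hva cache. Everything in it is assumed for illustration: the bit positions, the `apf_state`/`apf_cache` structs, the `GUEST_MEM_BYTES` bound that decides which GPAs are "invalid", and the `cache_init()` helper standing in for `kvm_gfn_to_hva_cache_init()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit names follow the patch; the values are assumptions for this model,
 * not the kernel's definitions. */
#define APF_ENABLED          (1ULL << 0)
#define APF_DELIVERY_AS_INT  (1ULL << 3)

/* Hypothetical guest memory size: a GPA at or beyond it fails cache init. */
#define GUEST_MEM_BYTES      (64ULL << 20)

/* Stand-in for the gfn_to_hva cache. "initialized" is the property a
 * cache-backed reader would check (and warn on when missing). */
struct apf_cache {
	bool initialized;
	uint64_t gpa;
};

/* Stand-in for the per-vCPU APF state touched by the patch. */
struct apf_state {
	uint64_t msr_en_val;
	struct apf_cache data;
};

static bool apf_enabled_data(uint64_t data)
{
	uint64_t mask = APF_ENABLED | APF_DELIVERY_AS_INT;

	return (data & mask) == mask;
}

/* Models kvm_gfn_to_hva_cache_init(): succeeds only for an in-range GPA.
 * Returns 0 on success, non-zero on failure (same convention as the kernel). */
static int cache_init(struct apf_cache *c, uint64_t gpa, size_t len)
{
	if (gpa + len > GUEST_MEM_BYTES)
		return -1;
	c->initialized = true;
	c->gpa = gpa;
	return 0;
}

/* Pre-patch ordering: commit msr_en_val, then try to initialize the cache. */
int enable_apf_buggy(struct apf_state *s, uint64_t data)
{
	uint64_t gpa = data & ~0x3fULL;

	s->msr_en_val = data;           /* committed before validation */
	if (!apf_enabled_data(data))
		return 0;
	if (cache_init(&s->data, gpa, sizeof(uint64_t)))
		return 1;               /* MSR write rejected, but state is "enabled" */
	return 0;
}

/* Post-patch ordering: validate on the enable path first, commit on success. */
int enable_apf_fixed(struct apf_state *s, uint64_t data)
{
	bool new_enabled = apf_enabled_data(data);
	uint64_t gpa = data & ~0x3fULL;

	if (new_enabled && cache_init(&s->data, gpa, sizeof(uint64_t)))
		return 1;               /* nothing committed; old state survives */
	s->msr_en_val = data;
	return 0;
}

/* Invariant a later APF path relies on: enabled implies the cache is ready. */
bool apf_state_consistent(const struct apf_state *s)
{
	return !apf_enabled_data(s->msr_en_val) || s->data.initialized;
}

/* An enable request whose data GPA lies outside guest memory (constructed). */
static uint64_t bad_enable_value(void)
{
	return (GUEST_MEM_BYTES + 0x1000) | APF_ENABLED | APF_DELIVERY_AS_INT;
}

/* True if the pre-patch ordering leaves a half-enabled state on a bad GPA. */
bool buggy_leaves_half_enabled(void)
{
	struct apf_state s;

	memset(&s, 0, sizeof(s));
	return enable_apf_buggy(&s, bad_enable_value()) == 1 &&
	       !apf_state_consistent(&s);
}

/* True if the post-patch ordering rejects the write and leaves state untouched. */
bool fixed_keeps_state_consistent(void)
{
	struct apf_state s;

	memset(&s, 0, sizeof(s));
	return enable_apf_fixed(&s, bad_enable_value()) == 1 &&
	       apf_state_consistent(&s) && s.msr_en_val == 0;
}

/* True if a valid enable request still initializes the cache at the right GPA. */
bool fixed_accepts_valid_gpa(void)
{
	struct apf_state s;

	memset(&s, 0, sizeof(s));
	return enable_apf_fixed(&s, 0x1000 | APF_ENABLED | APF_DELIVERY_AS_INT) == 0 &&
	       apf_state_consistent(&s) && s.data.initialized && s.data.gpa == 0x1000;
}

int main(void)
{
	printf("buggy ordering leaves half-enabled state: %s\n",
	       buggy_leaves_half_enabled() ? "yes" : "no");
	printf("fixed ordering keeps state consistent:    %s\n",
	       fixed_keeps_state_consistent() ? "yes" : "no");
	printf("fixed ordering accepts a valid GPA:       %s\n",
	       fixed_accepts_valid_gpa() ? "yes" : "no");
	return 0;
}
```

Both versions return 1 for the bad write, so from the guest's point of view the MSR write fails either way; the difference is only visible to whatever later consults the state, which is exactly where the reported warning fires. The model omits the completion-queue and hash reset done on the disable path, which the patch leaves unchanged.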

Thread overview: 8+ messages
2025-07-16  5:05 [syzbot] [kvm?] WARNING in kvm_read_guest_offset_cached syzbot
2025-07-16 15:23 ` Sean Christopherson
2026-02-10  9:21   ` Alexander Potapenko
2026-02-26  1:47     ` Sean Christopherson
2026-04-03  3:11 ` Ethan Yang [this message]
2026-04-03  8:11   ` [PATCH] KVM: x86: Don't leave APF half-enabled on bad APF data GPA Xiaoyao Li
2026-04-03 10:01   ` [PATCH v2] " Ethan Yang
2026-04-06 16:18     ` Sean Christopherson
