From: sashiko-bot@kernel.org
To: "Claudio Imbrenda" <imbrenda@linux.ibm.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 08/10] KVM: s390: Prevent memslots outside the ASCE range
Date: Tue, 02 Jun 2026 14:40:53 +0000
Message-ID: <20260602144053.C759A1F00893@smtp.kernel.org>
In-Reply-To: <20260602142356.169458-9-imbrenda@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Asymmetric and Order-Dependent Limit Validation
--
commit 7a66168c52b7a30030450cbbdcd5db0e9145bbfe
Author: Claudio Imbrenda <imbrenda@linux.ibm.com>
KVM: s390: Prevent memslots outside the ASCE range
This patch aims to prevent userspace from creating memslots above the
maximum allowed VM address, and prevents reducing the maximum address
below existing memslots.
> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> index e09960c2e6ed1..ffb20a64d328f 100644
> --- a/arch/s390/kvm/kvm-s390.c
> +++ b/arch/s390/kvm/kvm-s390.c
> @@ -999,7 +999,10 @@ static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *att
> break;
> }
> case KVM_S390_VM_MEM_LIMIT_SIZE: {
> + struct kvm_memslots *slots;
> + struct kvm_memory_slot *ms;
> unsigned long new_limit;
> + int bkt;
[ ... ]
> + ret = 0;
> + scoped_guard(mutex, &kvm->slots_lock) {
> + slots = kvm_memslots(kvm);
> + if (slots && !kvm_memslots_empty(slots)) {
> + kvm_for_each_memslot(ms, bkt, slots) {
> + if (gpa_to_gfn(new_limit) < ms->base_gfn + ms->npages) {
> + ret = -EBUSY;
> + break;
> + }
> + }
> + }
> + if (!ret)
> + ret = gmap_set_limit(kvm->arch.gmap, gpa_to_gfn(new_limit));
> + }
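Review bot: the `slots && !kvm_memslots_empty(slots)` guard in front of `kvm_for_each_memslot()` is redundant: `kvm_memslots()` does not return NULL and the iterator does nothing on an empty set, so the loop can run unconditionally and drop one nesting level. The comparison `gpa_to_gfn(new_limit) < ms->base_gfn + ms->npages` also deserves a comment: it treats `new_limit` as an exclusive end address, and a limit that is not page aligned is rounded down, so a limit ending inside a slot's last page is refused. That is the safe direction, and the later `gmap_set_limit(kvm->arch.gmap, gpa_to_gfn(new_limit))` call receives the same rounded value, but stating it saves the next reader from re-deriving it.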
[ ... ]
> @@ -5672,6 +5693,8 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
> return -EINVAL;
> if ((new->base_gfn + new->npages) * PAGE_SIZE > kvm->arch.mem_limit)
> return -EINVAL;
> + if (!asce_contains_gfn(kvm->arch.gmap->asce, new->base_gfn + new->npages - 1))
> + return -EINVAL;
> }
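Review bot: a short comment explaining why both checks are needed would help here. The preceding `kvm->arch.mem_limit` comparison enforces the byte limit recorded for the VM, while `asce_contains_gfn()` enforces the coarser reach of the region or segment table the gmap currently uses; because those two bounds can differ, a reader will otherwise take the new line as redundant with the one above it. The `- 1` also makes this an inclusive last-gfn check, so it relies on `new->npages` being non-zero on this path; a comment (or a `WARN_ON_ONCE(!new->npages)` if that invariant is not obvious from the enclosing condition) would make that explicit.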
[Severity: Medium]
Is this creating an asymmetric and order-dependent limit validation?
When KVM_S390_VM_MEM_LIMIT_SIZE is called, the exact new_limit is strictly
checked against existing memslots (e.g., rejecting a 4GB limit if a 3TB
memslot exists). However, new_limit is never saved back to
kvm->arch.mem_limit.
When a new memslot is added later, it is only validated against the old
kvm->arch.mem_limit and the rounded-up ASCE capacity here in
asce_contains_gfn().
For example, setting a 4GB limit configures a TABLE_TYPE_REGION3 ASCE with
a 4TB capacity. Because the exact 4GB limit was not saved, userspace can
successfully add a 3TB memslot later since 3TB < 4TB.
Should kvm->arch.mem_limit be updated during KVM_S390_VM_MEM_LIMIT_SIZE to
enforce the exact limit symmetrically?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260602142356.169458-1-imbrenda@linux.ibm.com?part=8
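As an added illustration, not part of the patch, of the review above, or of KVM's own code, the following user-space C model reproduces the two checks the review compares: the exact-limit check from the KVM_S390_VM_MEM_LIMIT_SIZE hunk and the mem_limit / ASCE pair from the kvm_arch_prepare_memory_region hunk. It then runs the review's scenario (a 4 GB limit, then a 3 TB memslot) with the limit left unrecorded and with it recorded in mem_limit. The table thresholds (2 GiB per segment table, 4 TiB per region-3 table, 8 PiB per region-2 table), the NO_MEM_LIMIT sentinel, the struct and function names, and the simplified rounding of a limit to a table type are all assumptions of the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the two bounds the
 * patch checks, built to show the asymmetry described in the review. */

#define PAGE_SHIFT    12
#define REGION3_SIZE  (UINT64_C(1) << 31)  /* 2 GiB: reach of one segment table  (assumed) */
#define REGION2_SIZE  (UINT64_C(1) << 42)  /* 4 TiB: reach of one region-3 table (assumed) */
#define REGION1_SIZE  (UINT64_C(1) << 53)  /* 8 PiB: reach of one region-2 table (assumed) */
#define NO_MEM_LIMIT  UINT64_MAX           /* stands in for KVM_S390_NO_MEM_LIMIT */
#define EINVAL_RET    (-22)
#define EBUSY_RET     (-16)

enum table_type { TABLE_TYPE_SEGMENT, TABLE_TYPE_REGION3, TABLE_TYPE_REGION2, TABLE_TYPE_REGION1 };

struct model_asce {
	enum table_type type;
	uint64_t last_gfn;   /* highest guest frame the chosen table geometry can reach */
};

struct model_slot {
	uint64_t base_gfn;
	uint64_t npages;
};

static uint64_t gpa_to_gfn(uint64_t gpa) { return gpa >> PAGE_SHIFT; }

/* Pick the smallest table type whose reach covers the requested limit.
 * Assumption: classic s390 geometry, which is what makes a 4 GiB limit land
 * in a 4 TiB region-3 table as the review describes. */
static struct model_asce asce_for_limit(uint64_t limit_bytes)
{
	struct model_asce a;
	uint64_t last = limit_bytes - 1;   /* the limit is an exclusive end address */

	if (last < REGION3_SIZE) {
		a.type = TABLE_TYPE_SEGMENT; a.last_gfn = gpa_to_gfn(REGION3_SIZE - 1);
	} else if (last < REGION2_SIZE) {
		a.type = TABLE_TYPE_REGION3; a.last_gfn = gpa_to_gfn(REGION2_SIZE - 1);
	} else if (last < REGION1_SIZE) {
		a.type = TABLE_TYPE_REGION2; a.last_gfn = gpa_to_gfn(REGION1_SIZE - 1);
	} else {
		a.type = TABLE_TYPE_REGION1; a.last_gfn = gpa_to_gfn(UINT64_MAX);
	}
	return a;
}

static bool asce_contains_gfn(struct model_asce asce, uint64_t gfn) { return gfn <= asce.last_gfn; }

/* KVM_S390_VM_MEM_LIMIT_SIZE path (first hunk): the exact new limit must lie
 * at or beyond the end of every existing slot. */
static int set_limit_check(uint64_t new_limit, const struct model_slot *slots, size_t nslots)
{
	for (size_t i = 0; i < nslots; i++)
		if (gpa_to_gfn(new_limit) < slots[i].base_gfn + slots[i].npages)
			return EBUSY_RET;
	return 0;
}

/* kvm_arch_prepare_memory_region path (second hunk): the recorded byte limit,
 * then the reach of the table the gmap currently uses. Assumes npages > 0. */
static int prepare_slot_check(const struct model_slot *new, uint64_t mem_limit, struct model_asce asce)
{
	if ((new->base_gfn + new->npages) << PAGE_SHIFT > mem_limit)
		return EINVAL_RET;
	if (!asce_contains_gfn(asce, new->base_gfn + new->npages - 1))
		return EINVAL_RET;
	return 0;
}

struct scenario {
	enum table_type type_after_4g;   /* table type chosen for a 4 GiB limit          */
	int limit_ok_with_small_slot;    /* 4 GiB limit while only a 1 GiB slot exists   */
	int shrink_below_existing;       /* 4 GiB limit while a 3 TiB slot exists         */
	int add_3t_with_stale_limit;     /* 3 TiB slot added, mem_limit never updated     */
	int add_3t_with_synced_limit;    /* 3 TiB slot added, mem_limit recorded as 4 GiB */
};

/* Constructed scenario following the review: limit set to 4 GiB, then a 3 TiB slot. */
static struct scenario run_scenario(void)
{
	const uint64_t gib = UINT64_C(1) << 30, tib = UINT64_C(1) << 40;
	struct model_slot small = { .base_gfn = 0, .npages = gpa_to_gfn(1 * gib) };
	struct model_slot big   = { .base_gfn = 0, .npages = gpa_to_gfn(3 * tib) };
	struct model_asce asce = asce_for_limit(4 * gib);
	struct scenario s;

	s.type_after_4g = asce.type;
	s.limit_ok_with_small_slot = set_limit_check(4 * gib, &small, 1);
	s.shrink_below_existing = set_limit_check(4 * gib, &big, 1);
	/* Slot creation only sees mem_limit (still NO_MEM_LIMIT) and a region-3
	 * table reaching 4 TiB, so the 3 TiB slot is accepted. */
	s.add_3t_with_stale_limit = prepare_slot_check(&big, NO_MEM_LIMIT, asce);
	/* Recording the limit in mem_limit restores the exact bound. */
	s.add_3t_with_synced_limit = prepare_slot_check(&big, 4 * gib, asce);
	return s;
}

int main(void)
{
	struct scenario s = run_scenario();

	printf("table type for 4 GiB limit: %d (1 = region3)\n", (int)s.type_after_4g);
	printf("set 4 GiB limit, 1 GiB slot present: %d\n", s.limit_ok_with_small_slot);
	printf("set 4 GiB limit, 3 TiB slot present: %d\n", s.shrink_below_existing);
	printf("add 3 TiB slot, mem_limit stale:     %d\n", s.add_3t_with_stale_limit);
	printf("add 3 TiB slot, mem_limit synced:    %d\n", s.add_3t_with_synced_limit);
	return 0;
}
```

The stale case returning 0 is the asymmetry the review points at: the limit-setting path refuses to shrink below an existing 3 TiB slot, yet the slot-creation path admits the same slot afterwards because it only sees the 4 TiB table reach, not the 4 GiB that was requested.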
Thread overview:
2026-06-02 14:23 [PATCH v3 00/10] KVM: s390: More gmap and vsie fixes Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 01/10] KVM: s390: Fix _gmap_unmap_crste() Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 02/10] KVM: s390: Fix _gmap_crstep_xchg_atomic() Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 03/10] KVM: s390: Avoid potentially sleeping while atomic when zapping pages Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 04/10] KVM: s390: Fix guest / virtual address confusion in _essa_clear_cbrl() Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 05/10] KVM: s390: vsie: Fix rmap handling in _do_shadow_crste() Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 06/10] KVM: s390: Fix fault-in code Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 07/10] KVM: s390: Lock pte when making page secure Claudio Imbrenda
2026-06-02 14:44 ` sashiko-bot
2026-06-02 14:23 ` [PATCH v3 08/10] KVM: s390: Prevent memslots outside the ASCE range Claudio Imbrenda
2026-06-02 14:40 ` sashiko-bot [this message]
2026-06-02 14:23 ` [PATCH v3 09/10] KVM: s390: Fix possible reference leak in fault-in code Claudio Imbrenda
2026-06-02 14:23 ` [PATCH v3 10/10] KVM: s390: Remove ptep_zap_softleaf_entry() Claudio Imbrenda