From: syzbot <syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] KVM: guest_memfd: Reject large folios until support is implemented
Date: Mon, 02 Feb 2026 07:11:51 -0800
Message-ID: <6980beb7.a00a0220.488d7.000c.GAE@google.com>
In-Reply-To: <697d115a.050a0220.1d61ec.0004.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] KVM: guest_memfd: Reject large folios until support is implemented
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Large folios are not yet supported in guest_memfd (see TODO comment
in kvm_gmem_get_folio()), but can still be allocated if userspace
uses madvise(MADV_HUGEPAGE), which overrides the folio order
restrictions set by mapping_set_folio_order_range().
When a large folio is allocated, it triggers WARN_ON_ONCE() at line
416 in kvm_gmem_fault_user_mapping(), causing a kernel panic if
panic_on_warn is enabled.
Add mapping_set_folio_order_range(0, 0) as defense in depth, and
actively check for large folios in kvm_gmem_get_folio() on both
the fast-path (existing folio) and slow-path (newly created folio).
If a large folio is found, unlock it, drop the reference, and return
-E2BIG to prevent the WARNING from triggering.
This avoids kernel panics when panic_on_warn is enabled.
Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
virt/kvm/guest_memfd.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
index fdaea3422c30..ee5bcf238f98 100644
--- a/virt/kvm/guest_memfd.c
+++ b/virt/kvm/guest_memfd.c
@@ -143,13 +143,29 @@ static struct folio *kvm_gmem_get_folio(struct inode *inode, pgoff_t index)
folio = __filemap_get_folio(inode->i_mapping, index,
FGP_LOCK | FGP_ACCESSED, 0);
if (!IS_ERR(folio))
- return folio;
+ goto check_folio;
policy = mpol_shared_policy_lookup(&GMEM_I(inode)->policy, index);
folio = __filemap_get_folio_mpol(inode->i_mapping, index,
FGP_LOCK | FGP_ACCESSED | FGP_CREAT,
mapping_gfp_mask(inode->i_mapping), policy);
mpol_cond_put(policy);
+ if (IS_ERR(folio))
+ return folio;
+check_folio:
+ /*
+ * Large folios are not supported yet. This can still happen
+ * despite mapping_set_folio_order_range() if userspace uses
+ * madvise(MADV_HUGEPAGE) which can override the folio order
+ * restrictions. Reject the large folio and remove it from
+ * the page cache so the next fault can allocate a order-0
+ * page instead.
+ */
+ if (folio_test_large(folio)) {
+ folio_unlock(folio);
+ folio_put(folio);
+ return ERR_PTR(-E2BIG);
+ }
return folio;
}
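Review bot: the new comment in the check_folio block says the large folio is rejected "and removed from the page cache so the next fault can allocate a order-0 page instead", but the code under it only does folio_unlock(), folio_put() and return ERR_PTR(-E2BIG); nothing here truncates or otherwise evicts the folio from inode->i_mapping. As written the large folio stays in the page cache, so the next call takes the fast path at the top of the function, gets the same folio back from __filemap_get_folio(), and fails with -E2BIG again, which turns a one-off WARN into a permanently unusable offset. Either evict the folio before returning or reword the comment so it matches what the code does (reject, not remove), and say in the changelog which one is intended. Minor: "a order-0 page" should read "an order-0 page".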
@@ -596,6 +612,7 @@ static int __kvm_gmem_create(struct kvm *kvm, loff_t size, u64 flags)
inode->i_mode |= S_IFREG;
inode->i_size = size;
mapping_set_gfp_mask(inode->i_mapping, GFP_HIGHUSER);
+ mapping_set_folio_order_range(inode->i_mapping, 0, 0);
mapping_set_inaccessible(inode->i_mapping);
/* Unmovable mappings are supposed to be marked unevictable as well. */
WARN_ON_ONCE(!mapping_unevictable(inode->i_mapping));
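Review bot: the added mapping_set_folio_order_range(inode->i_mapping, 0, 0) line carries no comment, and the commit message itself states that madvise(MADV_HUGEPAGE) overrides the order restrictions this call sets, so a reader of this hunk cannot tell what the call actually guarantees. Add a one-line comment saying it pins the mapping to order-0 folios as defense in depth and that the folio_test_large() check in kvm_gmem_get_folio() is the real guard, and confirm in the changelog whether this mapping was ever permitted to use larger orders; if order-0 is already the default for this inode, the line is a no-op and the comment should say so.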
--
2.43.0