From: Sean Christopherson <seanjc@google.com>
To: Ackerley Tng <ackerleytng@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Kiryl Shutsemau <kas@kernel.org>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Vishal Annapurve <vannapurve@google.com>,
Yan Zhao <yan.y.zhao@intel.com>,
Michael Roth <michael.roth@amd.com>,
Isaku Yamahata <isaku.yamahata@intel.com>,
Chao Peng <chao.p.peng@linux.intel.com>,
Xiaoyao Li <xiaoyao.li@intel.com>,
Zongyao Chen <ZongYao.Chen@linux.alibaba.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-coco@lists.linux.dev,
Yu Zhang <yu.c.zhang@linux.intel.com>,
Fuad Tabba <tabba@google.com>
Subject: Re: [PATCH v2 3/5] KVM: guest_memfd: Handle errors from xa_store_range() when binding
Date: Tue, 26 May 2026 09:39:40 -0700 [thread overview]
Message-ID: <ahXMzPz1cQl6kZge@google.com> (raw)
In-Reply-To: <20260522-fix-sev-gmem-post-populate-v2-3-3f196bfad5a1@google.com>
On Fri, May 22, 2026, Ackerley Tng wrote:
> Unhandled errors from xa_store_range() means kvm_gmem_bind() might falsely
> reporting success, leading to false assumptions in guest_memfd's lifecycle
> later.
>
> On error, restore the unbound state and return the error to userspace.
>
> Fixes: a7800aa80ea4d ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
> Signed-off-by: Ackerley Tng <ackerleytng@google.com>
> ---
> virt/kvm/guest_memfd.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> index d203135969d13..5b4911ffa208a 100644
> --- a/virt/kvm/guest_memfd.c
> +++ b/virt/kvm/guest_memfd.c
> @@ -648,6 +648,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
> struct inode *inode;
> struct file *file;
> int r = -EINVAL;
> + void *result;
I would rather go with "xr". "result" is too generic, e.g. begs the question of
"result of what?"
Actually, I don't think we even need an intermediate variable.
> BUILD_BUG_ON(sizeof(gfn_t) != sizeof(slot->gmem.pgoff));
>
> @@ -688,7 +689,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
> if (kvm_gmem_supports_mmap(inode))
> slot->flags |= KVM_MEMSLOT_GMEM_ONLY;
>
> - xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL);
> + result = xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL);
> + if (xa_is_err(result)) {
> + r = xa_err(result);
> + xa_store_range(&f->bindings, start, end - 1, NULL, GFP_KERNEL);
I'm not convinced this is necessary. Sashiko "asked" the question:
: If xa_store_range() fails midway through storing a large range (for example,
: returning -ENOMEM), does it leave the already-processed entries in the
: f->bindings XArray?
:
: When this error is propagated back, the caller __kvm_set_memory_region()
: will abort the operation and free the memslot without calling
: kvm_gmem_unbind().
:
: Since the partial XArray updates aren't rolled back here, could this leave
: dangling pointers to the freed memslot in f->bindings? If so, when the file
: is eventually closed, kvm_gmem_release() might iterate over these dangling
: pointers and write to slot->gmem.file, resulting in a use-after-free.
but I think Sashiko is hallicunating.
If @entry is non-NULL, xa_store_range() pre-creates the entire range, before
storing anything into the range:
if (entry) {
unsigned int order = BITS_PER_LONG;
if (last + 1)
order = __ffs(last + 1);
xas_set_order(&xas, last, order);
xas_create(&xas, true);
if (xas_error(&xas))
goto unlock;
}
Yes, the API handles failure on the subsequent xas_store(), but I can't imagine
that failure is actually, barring garbage input from KVM:
do {
xas_set_range(&xas, first, last);
xas_store(&xas, entry);
if (xas_error(&xas))
goto unlock;
first += xas_size(&xas);
} while (first <= last);
Purely from a design perspective, providing an API that can fail partway through
under normal operation, with no indication of where failure occured (AFAICT),
would be awful.
> + } else {
> + r = 0;
> + }
> +
> filemap_invalidate_unlock(inode->i_mapping);
>
> /*
> @@ -696,7 +704,6 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
> * not the other way 'round. Active bindings are invalidated if the
> * file is closed before memslots are destroyed.
> */
> - r = 0;
All in all, unless someone proves with a test that I'm wrong, just this?
diff --git virt/kvm/guest_memfd.c virt/kvm/guest_memfd.c
index 0c923fd603fd..c0f5b9565be2 100644
--- virt/kvm/guest_memfd.c
+++ virt/kvm/guest_memfd.c
@@ -688,7 +688,7 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
if (kvm_gmem_supports_mmap(inode))
slot->flags |= KVM_MEMSLOT_GMEM_ONLY;
- xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL);
+ r = xa_err(xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL));
filemap_invalidate_unlock(inode->i_mapping);
/*
@@ -696,7 +696,6 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
* not the other way 'round. Active bindings are invalidated if the
* file is closed before memslots are destroyed.
*/
- r = 0;
err:
fput(file);
return r;
next prev parent reply other threads:[~2026-05-26 16:39 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 22:46 [PATCH v2 0/5] guest_memfd fixes for bind and populate Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-22 22:46 ` [PATCH v2 1/5] KVM: guest_memfd: Use write permissions when GUP-ing source pages Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-22 23:47 ` sashiko-bot
2026-05-26 16:13 ` Sean Christopherson
2026-05-22 22:46 ` [PATCH v2 2/5] KVM: guest_memfd: Fix possible signed integer overflow Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-26 15:53 ` Sean Christopherson
2026-05-27 18:26 ` Ackerley Tng
2026-05-27 19:26 ` Sean Christopherson
2026-05-27 20:17 ` Ackerley Tng
2026-05-27 22:08 ` Sean Christopherson
2026-05-22 22:46 ` [PATCH v2 3/5] KVM: guest_memfd: Handle errors from xa_store_range() when binding Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-26 16:39 ` Sean Christopherson [this message]
2026-05-27 19:11 ` Ackerley Tng
2026-05-27 22:43 ` Sean Christopherson
2026-05-22 22:46 ` [PATCH v2 4/5] KVM: SNP: Fix kunmap_local() unmapping order Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-26 15:55 ` Sean Christopherson
2026-05-22 22:46 ` [PATCH v2 5/5] KVM: SNP: Mark source page dirty in sev_gmem_post_populate Ackerley Tng via B4 Relay
2026-05-22 22:46 ` Ackerley Tng
2026-05-26 16:47 ` Sean Christopherson
2026-05-27 19:14 ` Ackerley Tng
2026-05-26 16:55 ` [PATCH v2 0/5] guest_memfd fixes for bind and populate Sean Christopherson
2026-05-27 18:19 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahXMzPz1cQl6kZge@google.com \
--to=seanjc@google.com \
--cc=ZongYao.Chen@linux.alibaba.com \
--cc=ackerleytng@google.com \
--cc=bp@alien8.de \
--cc=chao.p.peng@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=isaku.yamahata@intel.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=tabba@google.com \
--cc=tglx@kernel.org \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
--cc=xiaoyao.li@intel.com \
--cc=yan.y.zhao@intel.com \
--cc=yu.c.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.