Date: Mon, 9 Mar 2026 07:39:08 -0700
From: Sean Christopherson
To: phind.uet@gmail.com
Cc: Paolo Bonzini, syzbot+cde12433b6c56f55d9ed@syzkaller.appspotmail.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KVM: pfncache: Fix uhva validity check in kvm_gpc_is_valid_len()
In-Reply-To: <20260309075629.24569-2-phind.uet@gmail.com>

On Mon, Mar 09, 2026, phind.uet@gmail.com wrote:
> From: Nguyen Dinh Phi
>
> In kvm_gpc_is_valid_len(), if the GPA is an error GPA, the function uses
> uhva to calculate the page offset. However, if uhva is invalid, its value
> can still be page-aligned (for example, PAGE_OFFSET) and this function will
> still return true.

The HVA really shouldn't be invalid in the first place. Ideally, Xen code
wouldn't call kvm_gpc_refresh() on an inactive cache, but I suspect we'd end
up with TOCTOU flaws even if we tried to add checks.

The next best thing would be to explicitly check if the gpc is active. That
should preserve the WARN if KVM tries to pass in a garbage address to
__kvm_gpc_activate().

diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
index 728d2c1b488a..8372d1712471 100644
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -369,6 +369,9 @@ int kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, unsigned long len) guard(mutex)(&gpc->refresh_lock); + if (!gpc->active) + return -EINVAL; + if (!kvm_gpc_is_valid_len(gpc->gpa, gpc->uhva, len)) return -EINVAL;
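Review bot: The new `if (!gpc->active) return -EINVAL;` reads `gpc->active` with only `refresh_lock` held (the `guard(mutex)(&gpc->refresh_lock);` immediately above it), so it is only free of the TOCTOU problem the reply mentions if every path that clears `active` also serializes on `refresh_lock`; nothing in the hunk shows that invariant, so please state it in a comment on the check or in the changelog. The early return also makes an inactive cache indistinguishable from a bad length to callers (both are -EINVAL) and, by sitting before `kvm_gpc_is_valid_len()`, deliberately keeps the WARN from firing for an inactive cache whose stale `uhva` happens to be page-aligned; a one-line comment saying that refreshing an inactive cache is a tolerated caller error rather than a WARN-worthy bug would make that intent explicit for the next reader.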