[PATCH 2/2] KVM: arm64: Add fail-safe for refcounted pages in __pkvm_hyp_donate_host

public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

From: Vincent Donnefort <vdonnefort@google•com>
To: maz@kernel•org, oliver.upton@linux•dev, joey.gouly@arm•com,
	 suzuki.poulose@arm•com, yuzenghui@huawei•com,
	catalin.marinas@arm•com,  will@kernel•org
Cc: linux-arm-kernel@lists•infradead.org, kvmarm@lists•linux.dev,
	 kernel-team@android•com, qperret@google•com, tabba@google•com,
	 Vincent Donnefort <vdonnefort@google•com>
Subject: [PATCH 2/2] KVM: arm64: Add fail-safe for refcounted pages in __pkvm_hyp_donate_host
Date: Thu, 21 May 2026 09:12:50 +0100	[thread overview]
Message-ID: <20260521081250.655226-3-vdonnefort@google.com> (raw)
In-Reply-To: <20260521081250.655226-1-vdonnefort@google.com>

A previous bug in __pkvm_init_vm error path showed that the hypervisor
could leak refcounted pages, (i.e. losing access to a page while its
refcount is still elevated). This poses a threat to the pKVM state
machine.

Address this by introducing a fail-safe in n __pkvm_hyp_donate_host.
Transitions are not a hot path so added security is worth the extra
check.

Signed-off-by: Vincent Donnefort <vdonnefort@google•com>

diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
index 1e17973f24bb..dd168879431f 100644
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -856,6 +856,16 @@ static int __hyp_check_page_state_range(phys_addr_t phys, u64 size, enum pkvm_pa
 	return 0;
 }
 
+static int __hyp_check_page_count_range(phys_addr_t phys, u64 size)
+{
+	for_each_hyp_page(page, phys, size) {
+		if (page->refcount)
+			return -EBUSY;
+	}
+
+	return 0;
+}
+
 static bool guest_pte_is_poisoned(kvm_pte_t pte)
 {
 	if (kvm_pte_valid(pte))
@@ -1054,7 +1064,6 @@ int __pkvm_guest_unshare_host(struct pkvm_hyp_vcpu *vcpu, u64 gfn)
 int __pkvm_host_unshare_hyp(u64 pfn)
 {
 	u64 phys = hyp_pfn_to_phys(pfn);
-	u64 virt = (u64)__hyp_va(phys);
 	u64 size = PAGE_SIZE;
 	int ret;
 
@@ -1067,10 +1076,9 @@ int __pkvm_host_unshare_hyp(u64 pfn)
 	ret = __hyp_check_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
 	if (ret)
 		goto unlock;
-	if (hyp_page_count((void *)virt)) {
-		ret = -EBUSY;
+	ret = __hyp_check_page_count_range(phys, size);
+	if (ret)
 		goto unlock;
-	}
 
 	__hyp_set_page_state_range(phys, size, PKVM_NOPAGE);
 	WARN_ON(__host_set_page_state_range(phys, size, PKVM_PAGE_OWNED));
@@ -1133,6 +1141,10 @@ int __pkvm_hyp_donate_host(u64 pfn, u64 nr_pages)
 	if (ret)
 		goto unlock;
 
+	ret = __hyp_check_page_count_range(phys, size);
+	if (ret)
+		goto unlock;
+
 	__hyp_set_page_state_range(phys, size, PKVM_NOPAGE);
 	WARN_ON(kvm_pgtable_hyp_unmap(&pkvm_pgtable, virt, size) != size);
 	WARN_ON(host_stage2_set_owner_locked(phys, size, PKVM_ID_HOST));
-- 
2.54.0.746.g67dd491aae-goog

     prev parent reply	other threads:[~2026-05-21  8:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-21  8:12 [PATCH 0/2] Fix __pkvm_init_vm error path Vincent Donnefort
2026-05-21  8:12 ` [PATCH 1/2] KVM: arm64: " Vincent Donnefort
2026-05-21  8:12 ` Vincent Donnefort [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1e17973f24b dfblob:dd168879431 )
 OR (
bs:"[PATCH 2/2] KVM: arm64: Add fail-safe for refcounted pages in __pkvm_hyp_donate_host" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260521081250.655226-3-vdonnefort@google.com \
    --to=vdonnefort@google$(echo .)com \
    --cc=catalin.marinas@arm$(echo .)com \
    --cc=joey.gouly@arm$(echo .)com \
    --cc=kernel-team@android$(echo .)com \
    --cc=kvmarm@lists$(echo .)linux.dev \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=maz@kernel$(echo .)org \
    --cc=oliver.upton@linux$(echo .)dev \
    --cc=qperret@google$(echo .)com \
    --cc=suzuki.poulose@arm$(echo .)com \
    --cc=tabba@google$(echo .)com \
    --cc=will@kernel$(echo .)org \
    --cc=yuzenghui@huawei$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox