[PATCH v2 3/3] KVM: arm64: Roll back partial shares on kvm_share_hyp() failure

public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

From: tabba@google•com
To: Marc Zyngier <maz@kernel•org>, Oliver Upton <oupton@kernel•org>,
	Joey Gouly <joey.gouly@arm•com>,
	 Suzuki K Poulose <suzuki.poulose@arm•com>,
	Zenghui Yu <yuzenghui@huawei•com>,
	 Catalin Marinas <catalin.marinas@arm•com>,
	Will Deacon <will@kernel•org>,
	 Quentin Perret <qperret@google•com>,
	Vincent Donnefort <vdonnefort@google•com>
Cc: linux-arm-kernel@lists•infradead.org, kvmarm@lists•linux.dev,
	 linux-kernel@vger•kernel.org
Subject: [PATCH v2 3/3] KVM: arm64: Roll back partial shares on kvm_share_hyp() failure
Date: Fri, 29 May 2026 13:17:55 +0100	[thread overview]
Message-ID: <20260529121755.2923500-4-tabba@google.com> (raw)
In-Reply-To: <20260529121755.2923500-1-tabba@google.com>

kvm_share_hyp() shares a range one page at a time. If share_pfn_hyp()
fails partway through, the pages already shared by this call are left
shared, while the caller treats the whole range as failed and never
unshares them.

Unshare those pages before returning the error. If an unshare itself
fails the page is leaked: it stays shared with the hypervisor and is
no longer reusable for pKVM, but no isolation guarantee is broken, so
WARN and continue. Not expected in practice.

Fixes: a83e2191b7f1 ("KVM: arm64: pkvm: Refcount the pages shared with EL2")
Suggested-by: Vincent Donnefort <vdonnefort@google•com>
Signed-off-by: Fuad Tabba <tabba@google•com>
---
 arch/arm64/kvm/mmu.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index e08503e89fc4..8811ad60cf72 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -544,8 +544,8 @@ static int unshare_pfn_hyp(u64 pfn)
 int kvm_share_hyp(void *from, void *to)
 {
 	phys_addr_t start, end, cur;
+	int ret = 0;
 	u64 pfn;
-	int ret;
 
 	if (is_kernel_in_hyp_mode())
 		return 0;
@@ -567,10 +567,24 @@ int kvm_share_hyp(void *from, void *to)
 		pfn = __phys_to_pfn(cur);
 		ret = share_pfn_hyp(pfn);
 		if (ret)
-			return ret;
+			break;
 	}
 
-	return 0;
+	if (!ret)
+		return 0;
+
+	/*
+	 * Roll back the pages shared by this call. A failed unshare leaks
+	 * the page (it stays shared with the hypervisor and is no longer
+	 * reusable for pKVM) but breaks no isolation guarantee, so warn and
+	 * continue. Not expected in practice.
+	 */
+	for (end = cur, cur = start; cur < end; cur += PAGE_SIZE) {
+		pfn = __phys_to_pfn(cur);
+		WARN_ON(unshare_pfn_hyp(pfn));
+	}
+
+	return ret;
 }
 
 void kvm_unshare_hyp(void *from, void *to)
-- 
2.54.0.929.g9b7fa37559-goog

next prev parent reply	other threads:[~2026-05-29 12:18 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29 12:17 [PATCH v2 0/3] KVM: arm64: Fix host/hyp tracking on share/unshare hypercall failure tabba
2026-05-29 12:17 ` [PATCH v2 1/3] KVM: arm64: Free hyp-share tracking node when share hypercall fails tabba
2026-05-29 12:17 ` [PATCH v2 2/3] KVM: arm64: Avoid host/hyp share desync on unshare hypercall failure tabba
2026-05-29 12:17 ` tabba [this message]
2026-06-03 10:12 ` [PATCH v2 0/3] KVM: arm64: Fix host/hyp tracking on share/unshare " Vincent Donnefort

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e08503e89fc dfblob:8811ad60cf7 )
 OR (
bs:"[PATCH v2 3/3] KVM: arm64: Roll back partial shares on kvm_share_hyp() failure" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260529121755.2923500-4-tabba@google.com \
    --to=tabba@google$(echo .)com \
    --cc=catalin.marinas@arm$(echo .)com \
    --cc=joey.gouly@arm$(echo .)com \
    --cc=kvmarm@lists$(echo .)linux.dev \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=maz@kernel$(echo .)org \
    --cc=oupton@kernel$(echo .)org \
    --cc=qperret@google$(echo .)com \
    --cc=suzuki.poulose@arm$(echo .)com \
    --cc=vdonnefort@google$(echo .)com \
    --cc=will@kernel$(echo .)org \
    --cc=yuzenghui@huawei$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox