Re: [PATCH] KVM: pfncache: Fix uhva validity check in kvm_gpc_is_valid_len()

Next message: Helge Deller: "Re: [PATCH v3 00/13] vc,fbcon,fonts: Proper handling of font data"
Previous message: Abel Vesa: "[PATCH] arm64: dts: qcom: hamoa: Fix OPP tables for all DisplayPort controllers"
In reply to: phind . uet: "[PATCH] KVM: pfncache: Fix uhva validity check in kvm_gpc_is_valid_len()"
Next in thread: Phi Nguyen: "Re: [PATCH] KVM: pfncache: Fix uhva validity check in kvm_gpc_is_valid_len()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sean Christopherson

Date: Mon Mar 09 2026 - 10:50:43 EST

On Mon, Mar 09, 2026, phind.uet@xxxxxxxxx wrote:
> From: Nguyen Dinh Phi <phind.uet@xxxxxxxxx>
>
> In kvm_gpc_is_valid_len(), if the GPA is an error GPA, the function uses
> uhva to calculate the page offset. However, if uhva is invalid, its value
> can still be page-aligned (for example, PAGE_OFFSET) and this function will
> still return true.

The HVA really shouldn't be invalid in the first place. Ideally, Xen code wouldn't
call kvm_gpc_refresh() on an inactive cache, but I suspect we'd end up with TOCTOU
flaws even if we tried to add checks.

The next best thing would be to explicitly check if the gpc is active. That should
preserve the WARN if KVM tries to pass in a garbage address to __kvm_gpc_activate().

diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
index 728d2c1b488a..8372d1712471 100644
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -369,6 +369,9 @@ int kvm_gpc_refresh(struct gfn_to_pfn_cache *gpc, unsigned long len)

guard(mutex)(&gpc->refresh_lock);

+ if (!gpc->active)
+ return -EINVAL;
+
if (!kvm_gpc_is_valid_len(gpc->gpa, gpc->uhva, len))
return -EINVAL;