[PATCH RFC v5 27/53] KVM: x86: Bug CoCo VM on page fault before finalizing
From: Ackerley Tng via B4 Relay
Date: Tue Apr 28 2026 - 19:50:44 EST
From: Ackerley Tng <ackerleytng@xxxxxxxxxx>
In-place conversion of guest_memfd memory to private is allowed with the
PRESERVE flag to enable populating guest memory only before CoCo VMs are
finalized.
Allowing CoCo VMs to fault memory could mess up memory contents. Hence, as
a second layer check, bug CoCo VMs if they try to fault in memory from
guest_memfd before the VMs are finalized.
Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
Signed-off-by: Ackerley Tng <ackerleytng@xxxxxxxxxx>
---
arch/x86/kvm/mmu/mmu.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index d3da387340a9d..8c5a3d2a7470b 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4599,6 +4599,13 @@ static int kvm_mmu_faultin_pfn_gmem(struct kvm_vcpu *vcpu,
return -EFAULT;
}
+ /* Cannot fault from guest_memfd before CoCo VM is finalized. */
+ if (KVM_BUG_ON(vcpu->kvm->arch.has_protected_state &&
+ !vcpu->kvm->arch.pre_fault_allowed,
+ vcpu->kvm)) {
+ return -EFAULT;
+ }
+
r = kvm_gmem_get_pfn(vcpu->kvm, fault->slot, fault->gfn, &fault->pfn,
&fault->refcounted_page, &max_order);
if (r) {
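Review bot: the new comment says "before CoCo VM is finalized", but the condition tests `vcpu->kvm->arch.pre_fault_allowed`, and nothing in the hunk explains why that flag is the "finalized" signal; suggest expanding the comment to state that `pre_fault_allowed` is only set once the VM is finalized, so the next reader does not have to trace where the flag is set to see that the check matches the commit message. Also, the braces around the single `return -EFAULT;` under `if (KVM_BUG_ON(...))` are unnecessary per kernel style and will draw a checkpatch warning; drop them. Minor: `vcpu->kvm` is dereferenced three times in the new block, so a local `struct kvm *kvm = vcpu->kvm;` would keep the condition on fewer lines.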
--
2.54.0.545.g6539524ca2-goog