Date: Tue, 13 May 2025 17:34:29 +0100
In-Reply-To: <20250513163438.3942405-1-tabba@google.com>
References: <20250513163438.3942405-1-tabba@google.com>
Message-ID: <20250513163438.3942405-9-tabba@google.com>
Subject: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
From: Fuad Tabba
To: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org
Cc: pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, jthoughton@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com, tabba@google.com
Content-Type: text/plain; charset="UTF-8"

From: Ackerley Tng

On binding of a guest_memfd with a memslot, check that the slot's
userspace_addr and the requested fd and offset refer to the same memory
range.

This check is best-effort: nothing prevents userspace from later mapping
other memory to the same range provided in slot->userspace_addr and
breaking guest operation.

Suggested-by: David Hildenbrand
Suggested-by: Sean Christopherson
Suggested-by: Yan Zhao
Signed-off-by: Ackerley Tng
Signed-off-by: Fuad Tabba
---
 virt/kvm/guest_memfd.c | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 8e6d1866b55e..2f499021df66 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -556,6 +556,32 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args) return __kvm_gmem_create(kvm, size, flags); } +static bool kvm_gmem_is_same_range(struct kvm *kvm, + struct kvm_memory_slot *slot, + struct file *file, loff_t offset) +{ + struct mm_struct *mm = kvm->mm; + loff_t userspace_addr_offset; + struct vm_area_struct *vma; + bool ret = false; + + mmap_read_lock(mm); + + vma = vma_lookup(mm, slot->userspace_addr); + if (!vma) + goto out; + + if (vma->vm_file != file) + goto out; + + userspace_addr_offset = slot->userspace_addr - vma->vm_start; + ret = userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) == offset; +out: + mmap_read_unlock(mm); + + return ret; +} + int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, unsigned int fd, loff_t offset) {
@@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, offset + size > i_size_read(inode)) goto err; - if (kvm_gmem_supports_shared(inode) && - !kvm_arch_vm_supports_gmem_shared_mem(kvm)) - goto err; + if (kvm_gmem_supports_shared(inode)) { + if (!kvm_arch_vm_supports_gmem_shared_mem(kvm)) + goto err; + + if (slot->userspace_addr && + !kvm_gmem_is_same_range(kvm, slot, file, offset)) + goto err; + } filemap_invalidate_lock(inode->i_mapping); -- 2.49.0.1045.g170613ef41-goog
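Review bot: kvm_gmem_is_same_range() validates only the first page of the slot, not the whole range: `vma = vma_lookup(mm, slot->userspace_addr)` finds the VMA covering the start address, and `ret = userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) == offset` compares the file offset at that single point, so a slot whose tail falls into a different VMA (another file, or the same file at a non-contiguous offset) still passes. Since the commit message describes the check as best-effort, either add a `vm_end` bound against the slot size or put a comment on the function stating that only the start of the slot is validated, so readers do not take it as a full-range guarantee. Two smaller points on the same lines: the function has no comment describing the mmap_read_lock()-protected lookup or its best-effort nature, and `vma->vm_pgoff << PAGE_SHIFT` is an `unsigned long` shift; casting to `loff_t` first (`((loff_t)vma->vm_pgoff) << PAGE_SHIFT`) avoids truncation for large offsets on 32-bit builds.

Review bot: in kvm_gmem_bind(), `size` is in scope and already used two lines above (`offset + size > i_size_read(inode)`), but the new call `kvm_gmem_is_same_range(kvm, slot, file, offset)` does not receive it, which is what leaves the range check start-only; consider passing `size` so the helper can confirm the whole [userspace_addr, userspace_addr + size) span maps the same file at contiguous offsets. Also, a mismatched userspace_addr now takes the same `goto err` as the "shared memory unsupported by this VM" case, so userspace gets no way to tell the two failures apart; a short comment above the new `if (slot->userspace_addr && ...)` block explaining why address 0 is treated as "no userspace mapping" would also help, as that convention is implicit here.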