References: <20250513163438.3942405-1-tabba@google.com> <20250513163438.3942405-9-tabba@google.com>
In-Reply-To: <20250513163438.3942405-9-tabba@google.com>
From: James Houghton
Date: Tue, 13 May 2025 13:30:39 -0700
Subject: Re: [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range
To: Fuad Tabba
Cc: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, peterx@redhat.com, pankaj.gupta@amd.com, ira.weiny@intel.com

On Tue, May 13, 2025 at 9:34 AM Fuad Tabba wrote:
> > From: Ackerley Tng > > On binding of a guest_memfd with a memslot, check that the slot's > userspace_addr and the requested fd and offset refer to the same memory > range. > > This check is best-effort: nothing prevents userspace from later mapping > other memory to the same provided in slot->userspace_addr and breaking > guest operation. > > Suggested-by: David Hildenbrand > Suggested-by: Sean Christopherson > Suggested-by: Yan Zhao > Signed-off-by: Ackerley Tng > Signed-off-by: Fuad Tabba > --- > virt/kvm/guest_memfd.c | 37 ++++++++++++++++++++++++++++++++++--- > 1 file changed, 34 insertions(+), 3 deletions(-) > > diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c > index 8e6d1866b55e..2f499021df66 100644 > --- a/virt/kvm/guest_memfd.c > +++ b/virt/kvm/guest_memfd.c > @@ -556,6 +556,32 @@ int kvm_gmem_create(struct kvm *kvm, struct kvm_crea= te_guest_memfd *args) > return __kvm_gmem_create(kvm, size, flags); > } > > +static bool kvm_gmem_is_same_range(struct kvm *kvm, > + struct kvm_memory_slot *slot, > + struct file *file, loff_t offset) > +{ > + struct mm_struct *mm =3D kvm->mm; > + loff_t userspace_addr_offset; > + struct vm_area_struct *vma; > + bool ret =3D false; > + > + mmap_read_lock(mm); > + > + vma =3D vma_lookup(mm, slot->userspace_addr); > + if (!vma) > + goto out; > + > + if (vma->vm_file !=3D file) > + goto out; > + > + userspace_addr_offset =3D slot->userspace_addr - vma->vm_start; > + ret =3D userspace_addr_offset + (vma->vm_pgoff << PAGE_SHIFT) =3D= =3D offset; > +out: > + mmap_read_unlock(mm); > + > + return ret; > +} > + > int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot, > unsigned int fd, loff_t offset) > { 
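Review bot: kvm_gmem_is_same_range() only validates the first page of the slot: it looks up the single VMA containing slot->userspace_addr and compares that VMA's file and offset, but never checks that the VMA extends over the whole slot (slot->npages pages), so a slot whose tail is backed by a different mapping, or whose VMA ends before the slot does, still passes. Even for a best-effort check, a bound such as `vma->vm_end >= slot->userspace_addr + (slot->npages << PAGE_SHIFT)` after the offset comparison would be a cheap improvement (full coverage would need a walk over successive VMAs). Separately, `(vma->vm_pgoff << PAGE_SHIFT)` is evaluated in unsigned long before being added to the loff_t `userspace_addr_offset`, so on a 32-bit build the shift truncates file offsets of 4 GiB and above; the usual idiom is `((loff_t)vma->vm_pgoff << PAGE_SHIFT)`. A short comment above the function stating that this is a best-effort sanity check, as the commit message says, would also help the next reader.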
> @@ -585,9 +611,14 @@ int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory= _slot *slot, > offset + size > i_size_read(inode)) > goto err; > > - if (kvm_gmem_supports_shared(inode) && > - !kvm_arch_vm_supports_gmem_shared_mem(kvm)) > - goto err; > + if (kvm_gmem_supports_shared(inode)) { > + if (!kvm_arch_vm_supports_gmem_shared_mem(kvm)) > + goto err; > + > + if (slot->userspace_addr && > + !kvm_gmem_is_same_range(kvm, slot, file, offset)) > + goto err; This is very nit-picky, but I would rather this not be -EINVAL, maybe -EIO instead? Or maybe a pr_warn_once() and let the call proceed? The userspace_addr we got isn't invalid per se, we're just trying to give a hint to the user that their VMAs (or the userspace address they gave us) are messed up. I don't really like lumping this in with truly invalid arguments. > + } > > filemap_invalidate_lock(inode->i_mapping); > > -- > 2.49.0.1045.g170613ef41-goog >
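Review bot: the new range check in kvm_gmem_bind() is only reached inside `if (kvm_gmem_supports_shared(inode))`, so for a private-only guest_memfd a mismatched userspace_addr is never validated; if that is intentional (the check only matters when the same memory is also mapped into userspace), a comment next to `if (slot->userspace_addr &&` should say so, since the "best-effort" caveat from the commit message is not visible in the code. The `goto err` also reuses whatever error code the preceding size and shared-memory checks set, which lies outside this hunk, so the error a caller gets for a mismatched address is not obvious from the code; the reply above raises the same concern about -EINVAL, and either a distinct return value or a comment on the chosen one would make the behaviour explicit.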