Re: [PATCH v3 1/3] KVM: x86: Don't leave APF half-enabled on bad APF data GPA

Next message: Troy Mitchell: "Re: [PATCH v6 5/9] riscv: dts: spacemit: k1: add SD card controller and pinctrl support"
Previous message: Eric Dumazet: "Re: [PATCH net] net: fix __this_cpu_add() in preemptible code in dev_xmit_recursion_inc/dec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Binbin Wu

Date: Thu Apr 09 2026 - 03:19:24 EST

On 4/7/2026 6:53 AM, Sean Christopherson wrote:
> From: Ethan Yang <ethan.yang.kernel@xxxxxxxxx>
>
> kvm_pv_enable_async_pf() updates vcpu->arch.apf.msr_en_val before
> initializing the APF data gfn_to_hva cache. If userspace provides an
> invalid GPA, kvm_gfn_to_hva_cache_init() fails, but msr_en_val stays
> enabled and leaves APF state half-initialized.
>
> Later APF paths can then try to use the empty cache and trigger
> WARN_ON() in kvm_read_guest_offset_cached().
>
> Determine the new APF enabled state from the incoming MSR value, do cache
> initialization first on the enable path, and commit msr_en_val only after
> successful initialization. Keep the disable path behavior unchanged.
>
> Reported-by: syzbot+bc0e18379a290e5edfe4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=bc0e18379a290e5edfe4
> Fixes: 344d9588a9df ("KVM: Add PV MSR to enable asynchronous page faults delivery.")
> Link: https://lore.kernel.org/r/aHfD3MczrDpzDX9O@xxxxxxxxxx
> Suggested-by: Sean Christopherson <seanjc@xxxxxxxxxx>
> Reviewed-by: Xiaoyao Li <xiaoyao.li@xxxxxxxxx>
> Signed-off-by: Ethan Yang <ethan.yang.kernel@xxxxxxxxx>
> [sean: don't bother with a local "enable" variable]
> Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>

Reviewed-by: Binbin Wu <binbin.wu@xxxxxxxxxxxxxxx>