Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
KVM: arm64: Fix page leak in user_mem_abort() on atomic fault

When a guest performs an atomic/exclusive operation on memory lacking
the required attributes, user_mem_abort() injects a data abort and
returns early. However, it fails to release the reference to the
host page acquired via __kvm_faultin_pfn().

A malicious guest could repeatedly trigger this fault, leaking host
page references and eventually causing host memory exhaustion (OOM).

Fix this by consolidating the early error returns to a new out_put_page
label that correctly calls kvm_release_page_unused().

Fixes: 2937aeec9dc5 ("KVM: arm64: Handle DABT caused by LS64* instructions on unsupported memory")
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Yuan Yao <yaoyuan@linux.alibaba.com>
Link: https://patch.msgid.link/20260304162222.836152-2-tabba@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>

Authored by Fuad Tabba, committed by Marc Zyngier
e07fc9e2 eb54fa10

+8 -5
arch/arm64/kvm/mmu.c
··· 1837 1837 if (exec_fault && s2_force_noncacheable) 1838 1838 ret = -ENOEXEC; 1839 1839 1840 - if (ret) { 1841 - kvm_release_page_unused(page); 1842 - return ret; 1843 - } 1840 + if (ret) 1841 + goto out_put_page; 1844 1842 1845 1843 /* 1846 1844 * Guest performs atomic/exclusive operations on memory with unsupported ··· 1848 1850 */ 1849 1851 if (esr_fsc_is_excl_atomic_fault(kvm_vcpu_get_esr(vcpu))) { 1850 1852 kvm_inject_dabt_excl_atomic(vcpu, kvm_vcpu_get_hfar(vcpu)); 1851 - return 1; 1853 + ret = 1; 1854 + goto out_put_page; 1852 1855 } 1853 1856 1854 1857 if (nested) ··· 1935 1936 mark_page_dirty_in_slot(kvm, memslot, gfn); 1936 1937 1937 1938 return ret != -EAGAIN ? ret : 0; 1939 + 1940 + out_put_page: 1941 + kvm_release_page_unused(page); 1942 + return ret; 1938 1943 } 1939 1944 1940 1945 /* Resolve the access fault by making the page young again. */
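Review bot: In the second hunk (the esr_fsc_is_excl_atomic_fault() branch) the new `ret = 1; goto out_put_page;` preserves the original return value of 1 while adding the missing release, but the meaning of that 1 (the data abort has been injected and the vCPU should re-enter the guest, not an error being passed through the common exit) is no longer obvious once it travels through a shared label; a one-line comment at that site, e.g. `/* Abort injected; resume the guest. */` above `ret = 1;`, would keep the next reader from treating it as an error path.

Review bot: In the third hunk the new `out_put_page:` label returns `ret` directly, bypassing the `return ret != -EAGAIN ? ret : 0;` normalization used by the normal exit just above it. That is behaviour-preserving, since the removed block in the first hunk also did a bare `return ret;`, but the asymmetry deserves a comment at the label stating that it is only reached before the page has been mapped into stage-2 and that callers jumping here have already chosen the value to return; it would also make clear why kvm_release_page_unused() rather than a dirty-tracking release is the right call on these paths.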