ANDROID: KVM: arm64: Do not allow memslot modifications once a PVM has run

Currently trying to move or delete a memslot results in a warning
and a failure. Userspace shouldn't be able to trigger kernel
warnings.

The cause is that in protected mode, stage-2 is managed by hyp.
Modifying a memslot flushes the shadow memslot, which tries to
unmap any stage-2 mapped pages.

Bug: 226890762
Signed-off-by: Fuad Tabba <tabba@google.com>
Change-Id: Icc6a0aada76e8492285cd5509bad1ee57700af7c
Author: Fuad Tabba
Date: 2022-04-07 16:12:41 +01:00
parent 8be6e93244
commit 0a227f89cf


@@ -1857,6 +1857,13 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
change != KVM_MR_FLAGS_ONLY)
return 0;
/* In protected mode, cannot modify memslots once a VM has run. */
if (is_protected_kvm_enabled() &&
(change == KVM_MR_DELETE || change == KVM_MR_MOVE) &&
kvm->arch.pkvm.shadow_handle) {
return -EPERM;
}
/*
* Prevent userspace from creating a memory region outside of the IPA
* space addressable by the KVM guest IPA space.
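Review bot: the new comment in this hunk says "once a VM has run", but the condition actually tested is `kvm->arch.pkvm.shadow_handle`, i.e. whether a shadow VM has been created at hyp; the two are not obviously the same moment, so the comment should state the real condition (something like "once the shadow VM exists, stage-2 is owned by hyp and memslots cannot be deleted or moved"). It would also help to note in the comment why `-EPERM` was chosen over `-EINVAL`, since userspace will see this as a new, state-dependent failure of a previously accepted ioctl, and to confirm that `shadow_handle` cannot be set concurrently with this check, as no lock is visible in the hunk.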
@@ -1926,6 +1933,10 @@ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
gpa_t gpa = slot->base_gfn << PAGE_SHIFT;
phys_addr_t size = slot->npages << PAGE_SHIFT;
/* Stage-2 is managed by hyp in protected mode. */
if (is_protected_kvm_enabled())
return;
spin_lock(&kvm->mmu_lock);
unmap_stage2_range(&kvm->arch.mmu, gpa, size);
spin_unlock(&kvm->mmu_lock);
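Review bot: the early return here skips the stage-2 unmap for every protected-mode caller of kvm_arch_flush_shadow_memslot, including deletions that the prepare path still permits (those before a shadow handle exists); the comment should say why no unmap is needed in that case, otherwise a reader will assume pages could be left mapped. As a minor style point, the check could sit above the `gpa` and `size` computations, which are unused on the early-return path.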