git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Ethan Yang <ethan.yang.kernel@gmail.com>
	Mon, 6 Apr 2026 22:53:56 +0000 (15:53 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Wed, 13 May 2026 17:39:31 +0000 (10:39 -0700)
commit	923ca078f08cbdf526d1e8df9bbb824b14c8ed9d
tree	163fcec332b675e5ca8b489d1d6202ce9a535345	tree \| snapshot
parent	b21525756e8288560939bc2055218f3e2961db04	commit \| diff

KVM: x86: Don't leave APF half-enabled on bad APF data GPA

kvm_pv_enable_async_pf() updates vcpu->arch.apf.msr_en_val before
initializing the APF data gfn_to_hva cache. If userspace provides an
invalid GPA, kvm_gfn_to_hva_cache_init() fails, but msr_en_val stays
enabled and leaves APF state half-initialized.

Later APF paths can then try to use the empty cache and trigger
WARN_ON() in kvm_read_guest_offset_cached().

Determine the new APF enabled state from the incoming MSR value, do cache
initialization first on the enable path, and commit msr_en_val only after
successful initialization. Keep the disable path behavior unchanged.

Reported-by: syzbot+bc0e18379a290e5edfe4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bc0e18379a290e5edfe4
Fixes: 344d9588a9df ("KVM: Add PV MSR to enable asynchronous page faults delivery.")
Link: https://lore.kernel.org/r/aHfD3MczrDpzDX9O@google.com
Suggested-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Ethan Yang <ethan.yang.kernel@gmail.com>
[sean: don't bother with a local "enable" variable]
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Link: https://patch.msgid.link/20260406225359.1245490-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>