From: Greg Kroah-Hartman
Date: Tue, 9 Jun 2026 07:42:07 +0000 (+0200)
Subject: 7.0-stable patches
X-Git-Tag: v6.12.93~1
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ee04e4a4fad01e59907cc0d8f3ff1e0bd38eec71;p=thirdparty%2Fkernel%2Fstable-queue.git

7.0-stable patches

added patches:
kvm-arm64-reassign-nested_mmus-array-behind-mmu_lock.patch
---

diff --git a/queue-7.0/kvm-arm64-reassign-nested_mmus-array-behind-mmu_lock.patch b/queue-7.0/kvm-arm64-reassign-nested_mmus-array-behind-mmu_lock.patch
new file mode 100644
index 0000000000..38a3e5cfbf
--- /dev/null
+++ b/queue-7.0/kvm-arm64-reassign-nested_mmus-array-behind-mmu_lock.patch
@@ -0,0 +1,77 @@
+From 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim
+Date: Fri, 5 Jun 2026 17:27:01 +0900
+Subject: KVM: arm64: Reassign nested_mmus array behind mmu_lock
+
+From: Hyunwoo Kim
+
+commit 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 upstream.
+
+kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
+MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
+can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
+the old buffer while holding only kvm->arch.config_lock, so such a walker
+can reference the freed array.
+
+Allocate the new array outside of mmu_lock, as the allocation can sleep.
+Under the lock, copy the existing entries, fix up the back pointers and
+reassign the array. Free the old buffer after dropping the lock, as
+kvfree() can sleep as well.
+
+Fixes: 4f128f8e1aaac ("KVM: arm64: nv: Support multiple nested Stage-2 mmu structures")
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Oliver Upton
+Link: https://patch.msgid.link/aiKIVVeIr1aAB1yp@v4bel
+Signed-off-by: Marc Zyngier
+Cc: stable@vger,kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/nested.c | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+--- a/arch/arm64/kvm/nested.c
++++ b/arch/arm64/kvm/nested.c
+@@ -89,21 +89,28 @@ int kvm_vcpu_init_nested(struct kvm_vcpu
+ * again, and there is no reason to affect the whole VM for this.
+ */
+ num_mmus = atomic_read(&kvm->online_vcpus) * S2_MMU_PER_VCPU;
+- tmp = kvrealloc(kvm->arch.nested_mmus,
+- size_mul(sizeof(*kvm->arch.nested_mmus), num_mmus),
+- GFP_KERNEL_ACCOUNT | __GFP_ZERO);
+- if (!tmp)
+- return -ENOMEM;
+-
+- swap(kvm->arch.nested_mmus, tmp);
+-
+- /*
+- * If we went through a realocation, adjust the MMU back-pointers in
+- * the previously initialised kvm_pgtable structures.
+- */
+- if (kvm->arch.nested_mmus != tmp)
+- for (int i = 0; i < kvm->arch.nested_mmus_size; i++)
+- kvm->arch.nested_mmus[i].pgt->mmu = &kvm->arch.nested_mmus[i];
++
++ if (num_mmus > kvm->arch.nested_mmus_size) {
++ tmp = kvcalloc(num_mmus, sizeof(*tmp), GFP_KERNEL_ACCOUNT);
++ if (!tmp)
++ return -ENOMEM;
++
++ write_lock(&kvm->mmu_lock);
++
++ if (kvm->arch.nested_mmus_size) {
++ memcpy(tmp, kvm->arch.nested_mmus,
++ size_mul(sizeof(*tmp), kvm->arch.nested_mmus_size));
++
++ for (int i = 0; i < kvm->arch.nested_mmus_size; i++)
++ tmp[i].pgt->mmu = &tmp[i];
++ }
++
++ swap(kvm->arch.nested_mmus, tmp);
++
++ write_unlock(&kvm->mmu_lock);
++
++ kvfree(tmp);
++ }
+
+ for (int i = kvm->arch.nested_mmus_size; !ret && i < num_mmus; i++)
+ ret = init_nested_s2_mmu(kvm, &kvm->arch.nested_mmus[i]);
diff --git a/queue-7.0/series b/queue-7.0/series
index 0626a4d3a7..a4b48ec312 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -330,3 +330,4 @@ mailbox-fix-null-message-support-in-mbox_send_message.patch
 usb-core-fix-superspeed-root-hub-wmaxpacketsize.patch
 tools-ynl-add-scope-qualifier-for-definitions.patch
 kvm-arm64-vgic-its-drop-the-translation-cache-reference-only-for-the-erased-entry.patch
+kvm-arm64-reassign-nested_mmus-array-behind-mmu_lock.patch
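Review bot: The locking invariant that this rewrite of the realloc path in nested.c depends on — readers walk `nested_mmus[]` under `mmu_lock`, so the copy, the `tmp[i].pgt->mmu` fixup and the `swap()` must sit between `write_lock(&kvm->mmu_lock)` and `write_unlock()`, while `kvcalloc()` and `kvfree(tmp)` must stay outside because both may sleep — is stated only in the changelog; the removed lines carried an explanatory comment and the new block carries none. A short comment above the `write_lock()` call, along the lines of `/* nested_mmus[] is walked under mmu_lock (e.g. the MMU notifier path): publish the new array under the write lock, but allocate and free outside it as both may sleep. */`, would keep that reasoning with the code and also make explicit that between the back-pointer loop and the `swap()` each `pgt->mmu` already points into the not-yet-published array, which only the held write lock makes safe. kvm_vcpu_init_nested() begins before this hunk and its tail lies after it, so whether every writer of `kvm->arch.nested_mmus_size` is serialised against this path cannot be confirmed from the hunk. Separately, the `Cc: stable@vger,kernel.org` trailer in the queued patch header has a comma where a dot belongs.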