Commit effc0a39 authored May 01, 2026 by Fuad Tabba Committed by Marc Zyngier May 07, 2026

KVM: arm64: Pre-check vcpu memcache for host->guest donate



__pkvm_host_donate_guest() flips the host stage-2 PTE for the
donated page to a non-valid annotation via
host_stage2_set_owner_metadata_locked() and then calls
kvm_pgtable_stage2_map() to install the matching guest stage-2
mapping. The map's return value is wrapped in WARN_ON() and
otherwise discarded, asserting that the call cannot fail.

WARN_ON() at nVHE EL2 panics, so this assertion is only correct
if the call genuinely cannot fail. kvm_pgtable_stage2_map() can
fail with -ENOMEM even at PAGE_SIZE granularity: the donate path
verifies PKVM_NOPAGE for the guest IPA before the map, so the
walker must allocate fresh page-table pages from the vcpu
memcache, and the host controls the vcpu memcache via the topup
interface. An under-provisioned donation request would otherwise
turn a recoverable -ENOMEM into a fatal hyp panic.

Bound the worst-case walker allocation alongside the existing
__host_check_page_state_range() / __guest_check_page_state_range()
pre-checks, using the helper introduced for host->guest share. If
the vcpu memcache holds fewer pages than kvm_mmu_cache_min_pages(),
return -ENOMEM before any state mutation.

Fixes: 1e579adc ("KVM: arm64: Introduce __pkvm_host_donate_guest()")
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba <tabba@google.com>
Link: https://patch.msgid.link/20260501112149.2824881-7-tabba@google.com


Signed-off-by: Marc Zyngier <maz@kernel.org>

parent 8234409f

arch/arm64/kvm/hyp/nvhe/mem_protect.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -1425,6 +1425,10 @@ int __pkvm_host_donate_guest(u64 pfn, u64 gfn, struct pkvm_hyp_vcpu *vcpu)
		if (ret)
		goto unlock;

		ret = __guest_check_pgtable_memcache(vcpu);
		if (ret)
		goto unlock;

		meta = host_stage2_encode_gfn_meta(vm, gfn);
		WARN_ON(host_stage2_set_owner_metadata_locked(phys, PAGE_SIZE,
		PKVM_ID_GUEST, meta));