Commit e07fc9e2 authored by Fuad Tabba, committed by Marc Zyngier

KVM: arm64: Fix page leak in user_mem_abort() on atomic fault



When a guest performs an atomic/exclusive operation on memory lacking
the required attributes, user_mem_abort() injects a data abort and
returns early. However, it fails to release the reference to the
host page acquired via __kvm_faultin_pfn().

A malicious guest could repeatedly trigger this fault, leaking host
page references and eventually causing host memory exhaustion (OOM).

Fix this by consolidating the early error returns to a new out_put_page
label that correctly calls kvm_release_page_unused().

Fixes: 2937aeec ("KVM: arm64: Handle DABT caused by LS64* instructions on unsupported memory")
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Yuan Yao <yaoyuan@linux.alibaba.com>
Link: https://patch.msgid.link/20260304162222.836152-2-tabba@google.com


Signed-off-by: Marc Zyngier <maz@kernel.org>
parent eb54fa10
+8 −5
@@ -1837,10 +1837,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
	if (exec_fault && s2_force_noncacheable)
		ret = -ENOEXEC;

	if (ret) {
		kvm_release_page_unused(page);
		return ret;
	}
	if (ret)
		goto out_put_page;

	/*
	 * Guest performs atomic/exclusive operations on memory with unsupported
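Review bot: replacing the open-coded `kvm_release_page_unused(page); return ret;` with `goto out_put_page` is behaviour-preserving only because `page` has already been obtained from `__kvm_faultin_pfn()` at this point, and the label releases it unconditionally; it would be worth a one-line comment at the label (or here) stating that `page` must be valid on every path that jumps to it, so a future early `goto` inserted before the faultin call does not turn into a release of an uninitialised pointer. Note also that this hunk and the one adding the `out_put_page:` label are mutually dependent, so they must never be split (e.g. for a backport) or this part alone will not build.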
@@ -1850,7 +1848,8 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
	 */
	if (esr_fsc_is_excl_atomic_fault(kvm_vcpu_get_esr(vcpu))) {
		kvm_inject_dabt_excl_atomic(vcpu, kvm_vcpu_get_hfar(vcpu));
		return 1;
		ret = 1;
		goto out_put_page;
	}

	if (nested)
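Review bot: this is the actual fix: the old `return 1;` after `kvm_inject_dabt_excl_atomic()` dropped out of the function without releasing the page taken by `__kvm_faultin_pfn()`, which is the per-fault leak the commit message describes. Setting `ret = 1` before `goto out_put_page` keeps the "fault handled, resume guest" return value intact, since the label returns `ret` unchanged; a short comment such as `/* Handled, but still must drop the page ref */` on the `ret = 1;` line would make it clear to later readers that `1` here is deliberate and not an error code.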
@@ -1936,6 +1935,10 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
		mark_page_dirty_in_slot(kvm, memslot, gfn);

	return ret != -EAGAIN ? ret : 0;

out_put_page:
	kvm_release_page_unused(page);
	return ret;
}

/* Resolve the access fault by making the page young again. */
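Review bot: the new label returns `ret` directly, whereas the normal exit just above it maps `-EAGAIN` to `0`; that is fine for the two jump sites in this patch (`-ENOEXEC`-style errors and `1`), but the asymmetry is easy to miss, so either add a comment stating that `-EAGAIN` never reaches `out_put_page`, or make the label use the same `ret != -EAGAIN ? ret : 0` expression so both exits agree if another early-out is later routed through it.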