KVM: Don't re-use inodes when creating guest_memfd files

anon_inode_getfile() uses a singleton inode, which results in the inode size changing based with each new KVM_CREATE_GUEST_MEMFD call, which can later lead to previously-created guest_memfd files failing bounds checks that are later performed when memslots are bound to them. More generally, the inode may be associated with other state that cannot be shared across multiple guest_memfd instances. Revert back to having 1 inode per guest_memfd instance by using the "secure" variant of anon_inode_getfile(). Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Sean Christopherson <seanjc@google.com> Fixes: 0f7e60a ("kvm: guestmem: do not use a file system") Signed-off-by: Michael Roth <michael.roth@amd.com> Link: https://lore.kernel.org/r/20231002133230.195738-1-michael.roth@amd.com [sean: add a comment] Signed-off-by: Sean Christopherson <seanjc@google.com>
kvm-x86 · Oct 5, 2023 · b3bf68b · b3bf68b
1 parent 0f7e60a
commit b3bf68b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
@@ -176,6 +176,7 @@ struct file *anon_inode_getfile_secure(const char *name,
 	return __anon_inode_getfile(name, fops, priv, flags,
 				    context_inode, true);
 }
+EXPORT_SYMBOL_GPL(anon_inode_getfile_secure);
 
 static int __anon_inode_getfd(const char *name,
 			      const struct file_operations *fops,

diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
@@ -378,8 +378,13 @@ static int __kvm_gmem_create(struct kvm *kvm, loff_t size, u64 flags)
 		goto err_fd;
 	}
 
-	file = anon_inode_getfile(anon_name, &kvm_gmem_fops, gmem,
-				  O_RDWR);
+	/*
+	 * Use the so called "secure" variant, which creates a unique inode
+	 * instead of reusing a single inode.  Each guest_memfd instance needs
+	 * its own inode to track the size, flags, etc.
+	 */
+	file = anon_inode_getfile_secure(anon_name, &kvm_gmem_fops, gmem,
+					 O_RDWR, NULL);
 	if (IS_ERR(file)) {
 		err = PTR_ERR(file);
 		goto err_gmem;