From 1a35c808ca8a1fb0bfcf90978d01896a203618be Mon Sep 17 00:00:00 2001
From: Vincent Donnefort
Date: Fri, 14 Feb 2025 09:01:18 +0000
Subject: [PATCH] ANDROID: KVM: arm64: Check for host provided order in refill_hyp_pool()

The order is a host provided value which we have to validate first before we can use.

Bug: 396116895
Bug: 277989609
Bug: 357781595
Change-Id: I0a8b46db382c9bdb4fec76633d9d8c3abfdde568
Signed-off-by: Vincent Donnefort
---
 arch/arm64/kvm/hyp/nvhe/mm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/hyp/nvhe/mm.c b/arch/arm64/kvm/hyp/nvhe/mm.c
index f983e6aea0dd..62d0f6ee1936 100644
--- a/arch/arm64/kvm/hyp/nvhe/mm.c
+++ b/arch/arm64/kvm/hyp/nvhe/mm.c
@@ -598,10 +598,14 @@ phys_addr_t __pkvm_private_range_pa(void *va)
 int refill_hyp_pool(struct hyp_pool *pool, struct kvm_hyp_memcache *host_mc)
 {
 unsigned long order;
+ u64 nr_pages;
 void *p;
 while (host_mc->nr_pages) {
 order = FIELD_GET(~PAGE_MASK, host_mc->head);
+ if (check_shl_overflow(1UL, order, &nr_pages))
+ return -EINVAL;
+
 p = admit_host_page(host_mc, order);
 if (!p)
 return -EINVAL;
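Review bot: The added `check_shl_overflow(1UL, order, &nr_pages)` only rejects an order whose shift does not fit in 64 bits, so a host-supplied order far above any real page order still reaches `admit_host_page()`; `nr_pages` is written by the check but never read in any of the four added lines. If `admit_host_page()` (not visible here) does not bound the order itself, consider an explicit limit next to the new check, for example `if (order > pool->max_order) return -EINVAL;`, assuming this tree's `struct hyp_pool` carries that field. A short comment such as `/* order is taken from the low bits of host_mc->head, which the host controls */` would also record why the check exists and what it does and does not guarantee. The loop body of refill_hyp_pool() continues past the end of the hunk.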