kvm_vcpu_unmap() clears map->hva and map->page but leaves map->gfn with its previous value. This creates an inconsistent state: callers that check gfn != 0 as a proxy for map validity will believe the map is still valid when hva is already NULL. This pattern caused a null pointer dereference in the 6.1.x LTS branch, where vmx_guest_apic_has_interrupt() checked virtual_apic_map.gfn but dereferenced virtual_apic_map.hva unconditionally. That specific call site no longer exists in mainline due to the gfn_to_pfn_cache refactoring, but the inconsistency in kvm_vcpu_unmap() remains and could affect future kvm_host_map users that rely on gfn for validity. Similarly, kvm_vcpu_map() does not modify the map struct on failure, so stale gfn values from a previous successful mapping survive a failed remap attempt. Clearing gfn in kvm_vcpu_unmap() ensures that after an unmap-then-failed-remap sequence, gfn correctly reflects that no valid mapping exists. Clear map->gfn in kvm_vcpu_unmap(). Reported-by: Taeyang Lee <0wn@theori.io> Fixes: e45adf665a53 ("KVM: Introduce a new guest mapping API") Signed-off-by: Taeyang Lee <0wn@theori.io> --- virt/kvm/kvm_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 7a4fd1dbe0d7..88fc8b20aa8f 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -2887,6 +2887,7 @@ void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map, bool dirty) map->hva = NULL; map->page = NULL; + map->gfn = 0; } EXPORT_SYMBOL_GPL(kvm_vcpu_unmap); -- 2.39.5 (Apple Git-154)
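Review bot: the new `map->gfn = 0;` line fixes the stale-gfn half of the problem, but gfn 0 is itself a legitimate guest frame number, so a caller that tests `gfn != 0` for validity still cannot distinguish "unmapped" from "mapped at gfn 0"; the commit message should state that `map->hva == NULL` (cleared two lines above in this hunk) remains the authoritative validity check and that clearing gfn is defensive consistency, not a new sentinel. The message also describes kvm_vcpu_map() leaving the struct untouched on failure, yet the hunk only touches kvm_vcpu_unmap(); either reset the map in the failure path as well or say explicitly that the unmap-then-failed-remap case is covered only because callers unmap first.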