Re: [PATCH 1/5] KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

[Vitaly Kuznetsov <vkuznets@redhat.com>]

Sean Christopherson <seanjc@google.com> writes:

> Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
> only if the local API is emulated/virtualized by KVM, and explicitly reject
> said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
> on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.
>
> Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
> Hyper-V enlightenments are exposed to the guest without an in-kernel local
> APIC:
>
>   dump_stack+0xbe/0xfd
>   __kasan_report.cold+0x34/0x84
>   kasan_report+0x3a/0x50
>   __apic_accept_irq+0x3a/0x5c0
>   kvm_hv_send_ipi.isra.0+0x34e/0x820
>   kvm_hv_hypercall+0x8d9/0x9d0
>   kvm_emulate_hypercall+0x506/0x7e0
>   __vmx_handle_exit+0x283/0xb60
>   vmx_handle_exit+0x1d/0xd0
>   vcpu_enter_guest+0x16b0/0x24c0
>   vcpu_run+0xc0/0x550
>   kvm_arch_vcpu_ioctl_run+0x170/0x6d0
>   kvm_vcpu_ioctl+0x413/0xb20
>   __se_sys_ioctl+0x111/0x160
>   do_syscal1_64+0x30/0x40
>   entry_SYSCALL_64_after_hwframe+0x67/0xd1
>
> Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
> can't be modified after vCPUs are created, i.e. if one vCPU has an
> in-kernel local APIC, then all vCPUs have an in-kernel local APIC.
>
> Reported-by: Dongjie Zou <zoudongjie@huawei.com>
> Fixes: 214ff83d4473 ("KVM: x86: hyperv: implement PV IPI send hypercalls")
> Fixes: 2bc39970e932 ("x86/kvm/hyper-v: Introduce KVM_GET_SUPPORTED_HV_CPUID")
> Cc: stable@vger.kernel

.org, as mentioned already

> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>  arch/x86/kvm/hyperv.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
> index 4f0a94346d00..44c88537448c 100644
> --- a/arch/x86/kvm/hyperv.c
> +++ b/arch/x86/kvm/hyperv.c
> @@ -2226,6 +2226,9 @@ static u64 kvm_hv_send_ipi(struct kvm_vcpu *vcpu, struct kvm_hv_hcall *hc)
>  	u32 vector;
>  	bool all_cpus;
>  
> +	if (!lapic_in_kernel(vcpu))
> +		return HV_STATUS_INVALID_HYPERCALL_INPUT;
> +
>  	if (hc->code == HVCALL_SEND_IPI) {
>  		if (!hc->fast) {
>  			if (unlikely(kvm_read_guest(kvm, hc->ingpa, &send_ipi,
> @@ -2852,7 +2855,8 @@ int kvm_get_hv_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid,
>  			ent->eax |= HV_X64_REMOTE_TLB_FLUSH_RECOMMENDED;
>  			ent->eax |= HV_X64_APIC_ACCESS_RECOMMENDED;
>  			ent->eax |= HV_X64_RELAXED_TIMING_RECOMMENDED;
> -			ent->eax |= HV_X64_CLUSTER_IPI_RECOMMENDED;
> +			if (!vcpu || lapic_in_kernel(vcpu))
> +				ent->eax |= HV_X64_CLUSTER_IPI_RECOMMENDED;
>  			ent->eax |= HV_X64_EX_PROCESSOR_MASKS_RECOMMENDED;
>  			if (evmcs_ver)
>  				ent->eax |= HV_X64_ENLIGHTENED_VMCS_RECOMMENDED;

Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>

-- 
Vitaly