KVM: arm64: nv: Avoid dereferencing NULL VNCR pseudo-TLB

VNCR TLB invalidation occurs from MMU notifiers or TLBI instructions,
and either can race against a vcpu not being onlined yet (no pseudo-TLB
allocated). Similarly, the TLB might be invalid, and the invalidation
should be skipped in this case.

Both kvm_invalidate_vncr_ipa() and kvm_invalidate_vncr_va() are
expected to perform the same checks, except that the latter doesn't
check for the allocation and blindly dereferences the pointer.

Solve this by introducing a new iterator built on top of the usual
kvm_for_each_vcpu() that checks for both of the above conditions,
and convert the two users to it.

Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/r/aiUvSbrWndQeUPc8@v4bel
Fixes: 4ffa72ad8f37 ("KVM: arm64: nv: Add S1 TLB invalidation primitive for VNCR_EL2")
Cc: stable@vger.kernel.org
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/20260607175745.297793-1-maz@kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index f8d3f3a723282cc65511e8ca883cf9698d261943..690b8e8564166580950760e5e8bb125ef3553da9 100644 (file)
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -908,9 +908,21 @@ static void invalidate_vncr(struct vncr_tlb *vt)
                clear_fixmap(vncr_fixmap(vt->cpu));
 }
 
+/*
+ * VNCR TLB invalidation occurs from MMU notifiers or TLBI instructions, and
+ * either can race against a vcpu not being onlined yet (no pseudo-TLB
+ * allocated). Similarly, the TLB might be invalid.  Skip those, as they
+ * obviously don't participate in the invalidation at this stage.
+ */
+#define kvm_for_each_vncr_tlb(idx, vcpup, tlbp, kvm)   \
+       kvm_for_each_vcpu(idx, vcpup, kvm)              \
+               if (((tlbp) = vcpup->arch.vncr_tlb) &&  \
+                   (tlbp)->valid)
+
 static void kvm_invalidate_vncr_ipa(struct kvm *kvm, u64 start, u64 end)
 {
        struct kvm_vcpu *vcpu;
+       struct vncr_tlb *vt;
        unsigned long i;
 
        lockdep_assert_held_write(&kvm->mmu_lock);
@@ -918,24 +930,9 @@ static void kvm_invalidate_vncr_ipa(struct kvm *kvm, u64 start, u64 end)
        if (!kvm_has_feat(kvm, ID_AA64MMFR4_EL1, NV_frac, NV2_ONLY))
                return;
 
-       kvm_for_each_vcpu(i, vcpu, kvm) {
-               struct vncr_tlb *vt = vcpu->arch.vncr_tlb;
+       kvm_for_each_vncr_tlb(i, vcpu, vt, kvm) {
                u64 ipa_start, ipa_end, ipa_size;
 
-               /*
-                * Careful here: We end-up here from an MMU notifier,
-                * and this can race against a vcpu not being onlined
-                * yet, without the pseudo-TLB being allocated.
-                *
-                * Skip those, as they obviously don't participate in
-                * the invalidation at this stage.
-                */
-               if (!vt)
-                       continue;
-
-               if (!vt->valid)
-                       continue;
-
                ipa_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
                                                            vt->wr.level));
                ipa_start = vt->wr.pa & ~(ipa_size - 1);
@@ -965,17 +962,14 @@ static void invalidate_vncr_va(struct kvm *kvm,
                               struct s1e2_tlbi_scope *scope)
 {
        struct kvm_vcpu *vcpu;
+       struct vncr_tlb *vt;
        unsigned long i;
 
        lockdep_assert_held_write(&kvm->mmu_lock);
 
-       kvm_for_each_vcpu(i, vcpu, kvm) {
-               struct vncr_tlb *vt = vcpu->arch.vncr_tlb;
+       kvm_for_each_vncr_tlb(i, vcpu, vt, kvm) {
                u64 va_start, va_end, va_size;
 
-               if (!vt->valid)
-                       continue;
-
                va_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
                                                           vt->wr.level));
                va_start = vt->gva & ~(va_size - 1);