From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7ABD63D413A for ; Fri, 12 Jun 2026 23:06:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305588; cv=none; b=CYAl9qSKb96TZ50co2FfUQ+bq1e4hRfNHk2UvXzyM6Ch4SmasEV3WqNjwvfnzxzADHmcpVcVJ7COslEDcwY7Vt0CUEeOhbbJB6DSys6crX/CLK7LSon5C4+U30gp4tu2vhpMujUe2qVACU9+MZfZEVk4FzpRwCq97I6Bsolz6AA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305588; c=relaxed/simple; bh=Me0Bhs5/EQQZjcTAZ/V1yRJ2/LW8GnZyPuXt9LJK+oQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=sGwZx/J8WvzMHXy0NmbTzG1qHC95S9bZpZQVStklI6P/945I48R7QVDoY05JLC6GELLOPIKyCmvirMqlIM6JujIgGGQbU2cDS/gd/woI5xpIJ8gjFPaDVQ+brB+eK38TEuW2e477bEackppZx+2uZt+5PSmgRqk9yMM6QRQe+kc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=lpubkjuN; arc=none smtp.client-ip=209.85.214.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="lpubkjuN" Received: by mail-pl1-f202.google.com with SMTP id d9443c01a7336-2bf243973c2so10132015ad.1 for ; Fri, 12 Jun 2026 16:06:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1781305587; x=1781910387; 
darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=/Hg8GhN12QlOv0K4ONCzUqIsw11l/FiOwKl0Rw2yUVA=; b=lpubkjuNsILIbU8jPPILJcr3UxUo+jOfksrzD6QNIe7wtue0twuS8RaRelVwwxCIzD G4ZcpDmt04x4ukEuEeadwIcr8+6Z62megymXlj8SdW4weQPpYHANxHksRVfwbN7LYWa0 IBiu2njHQ/iLQckwYJI1ISvGxtOaHr4Js+xy0upv5KE0aAnU8WxrI8yb4qaMOUqH4S4U CKsfhAfuP8BJxnlG8NTNF5gwgxcqW6VbZ7+2Zp9GxXmRu7pTy5Cmj6Nz5WBeVeIjEB+N BQKKToz/+zbA2k3+NFcsbFYzIq5mrXIxbYdmCpzInxMXP0SwjOCZ73GDsBsPn8K6XgIH CfeA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781305587; x=1781910387; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/Hg8GhN12QlOv0K4ONCzUqIsw11l/FiOwKl0Rw2yUVA=; b=Ua45SJKPhXaJcqlIiGoVTSODtmW0S/1TRBbnbdILhz6u6fu6zjmDBGzV3ykuCg46ai ARQFJMJsOxDdUGUbLVbxPnIRc1U2N2KJLsOJPLYBRcLd7y4yeqHQMnTbhgYV8ULFmIUG OjYkXZCTuoE08hkysrlRj5KVVoiTN7HaezM3w6hbQQpjxaGVQk1hK7q5jX8HvkjMx5uH atSa5UJs2ETLNfIzdOBd8/7iU4LGUCTJmxy03+qYkal8V5D/j7PWO+fppgXpwBo5F513 t/dgR2uep5UxWVk9C6oGNd3BObghd5m9hWzfqVTCPxx+kBx2TWvu+d+PZnzRNofJLC95 gzPA== X-Forwarded-Encrypted: i=1; AFNElJ8YfkTl0r4B2rEHg/eW/LbeBaBG9gx7qtb43Ke/gCeGdXhhztFlz8BuncILfV1OyjTEfoLP1Pql/3LGfrI=@vger.kernel.org X-Gm-Message-State: AOJu0YxJTtOy+IjafOXiXKaHiK2ahsPhhXanFkaNzmUutmpsryMUP85q pjSgka5oZPdVrkG//Q/DgeANSeYscPLpDLerni2A/ahh9KdypePIu+t+0q49MzdYc017XCC+YX5 h8EoILg== X-Received: from pllh1.prod.google.com ([2002:a17:902:7481:b0:2b0:b22a:e6ef]) (user=seanjc job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:234b:b0:2bf:bd17:90d4 with SMTP id d9443c01a7336-2c411d79937mr55905765ad.28.1781305586571; Fri, 12 Jun 2026 16:06:26 -0700 (PDT) Reply-To: Sean Christopherson Date: Fri, 12 Jun 2026 16:06:15 -0700 In-Reply-To: <20260612230622.687665-1-seanjc@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: 
List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260612230622.687665-1-seanjc@google.com> X-Mailer: git-send-email 2.54.0.1136.gdb2ca164c4-goog Message-ID: <20260612230622.687665-2-seanjc@google.com> Subject: [PATCH v2 1/8] KVM: x86/hyperv: Get target FIFO in hv_tlb_flush_enqueue(), not caller From: Sean Christopherson To: Vitaly Kuznetsov , Sean Christopherson , Paolo Bonzini Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When handling Hyper-V PV TLB flushes, retrieve the to-be-used FIFO in hv_tlb_flush_enqueue() instead of having the caller pass in the FIFO. This will make it easier to fix a cross-vCPU race where KVM can access a vCPU's FIFO before it's fully initialized. No functional change intended. Signed-off-by: Sean Christopherson --- arch/x86/kvm/hyperv.c | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index fd4eb1e561f7..a894e3d2e594 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -1935,16 +1935,18 @@ static int kvm_hv_get_tlb_flush_entries(struct kvm = *kvm, struct kvm_hv_hcall *hc return kvm_hv_get_hc_data(kvm, hc, hc->rep_cnt, hc->rep_cnt, entries); } =20 -static void hv_tlb_flush_enqueue(struct kvm_vcpu *vcpu, - struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo, - u64 *entries, int count) +static void hv_tlb_flush_enqueue(struct kvm_vcpu *vcpu, u64 *entries, int = count, + bool is_guest_mode) { + struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo; struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu(vcpu); u64 flush_all_entry =3D KVM_HV_TLB_FLUSHALL_ENTRY; =20 if (!hv_vcpu) return; =20 + tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(vcpu, is_guest_mode); + spin_lock(&tlb_flush_fifo->write_lock); =20 /* 
@@ -2017,7 +2019,6 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, st= ruct kvm_hv_hcall *hc) struct kvm *kvm =3D vcpu->kvm; struct hv_tlb_flush_ex flush_ex; struct hv_tlb_flush flush; - struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo; /* * Normally, there can be no more than 'KVM_HV_TLB_FLUSH_FIFO_SIZE' * entries on the TLB flush fifo. The last entry, however, needs to be @@ -2145,11 +2146,8 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, s= truct kvm_hv_hcall *hc) * analyze it here, flush TLB regardless of the specified address space. */ if (all_cpus && !is_guest_mode(vcpu)) { - kvm_for_each_vcpu(i, v, kvm) { - tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(v, false); - hv_tlb_flush_enqueue(v, tlb_flush_fifo, - tlb_flush_entries, hc->rep_cnt); - } + kvm_for_each_vcpu(i, v, kvm) + hv_tlb_flush_enqueue(v, tlb_flush_entries, hc->rep_cnt, false); =20 kvm_make_all_cpus_request(kvm, KVM_REQ_HV_TLB_FLUSH); } else if (!is_guest_mode(vcpu)) { @@ -2159,9 +2157,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, st= ruct kvm_hv_hcall *hc) v =3D kvm_get_vcpu(kvm, i); if (!v) continue; - tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(v, false); - hv_tlb_flush_enqueue(v, tlb_flush_fifo, - tlb_flush_entries, hc->rep_cnt); + hv_tlb_flush_enqueue(v, tlb_flush_entries, hc->rep_cnt, false); } =20 kvm_make_vcpus_request_mask(kvm, KVM_REQ_HV_TLB_FLUSH, vcpu_mask); 
@@ -2192,9 +2188,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, st= ruct kvm_hv_hcall *hc) continue; =20 __set_bit(i, vcpu_mask); - tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(v, true); - hv_tlb_flush_enqueue(v, tlb_flush_fifo, - tlb_flush_entries, hc->rep_cnt); + hv_tlb_flush_enqueue(v, tlb_flush_entries, hc->rep_cnt, true); } =20 kvm_make_vcpus_request_mask(kvm, KVM_REQ_HV_TLB_FLUSH, vcpu_mask); --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A07F63D6CBA for ; Fri, 12 Jun 2026 23:06:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305591; cv=none; b=f35o9wHzL3aO+acNVrZFgH3RxWONtw9CT39CZO9fFn8Qe2skXGokTbwKiWaPqJvh0SWEuFRYd7p60WKt57yOzF1a29fGHNXP/l5wJ0yjB+uzrEbYFuzEyr5hCJgsxNzuDf61jjIocpDzZFWVgnqhQGjggTTwg5GMlMK9arjS1XE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305591; c=relaxed/simple; bh=cLoeO8KfiClGgJNI08IgErFX/9v34pzll+2dbsgolRw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=m8GelArh5ZYnSuqDcU1UAXJBfYhdyUTF4c5pYJc772TnmuY/c3EyQ8NjSMQ/x/8cuOxAyaKsXYhahRAIXVfy8NHYIoTEl+mRdsDtzms6NlGYEYYu5y4puvrkODzANvOjMOe/DaD8UViUmbzKBPxz3U8xC5NAVKL1ducb7+5CF6M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=UDLVx86w; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: 
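Review bot: In the hv_tlb_flush_enqueue() hunk (@@ -1935,16 +1935,18 @@), vcpu->arch.hyperv is now read twice, once through to_hv_vcpu() for the early `if (!hv_vcpu) return;` and again inside kvm_hv_get_tlb_flush_fifo(), whose result is dereferenced without a check; that only holds because the pointer never reverts to NULL once set. A single lookup followed by `if (!tlb_flush_fifo) return;` would make the helper self-contained and drop the `hv_vcpu` local, which now serves only the check. Patch 2/8 of this series does exactly that, so a sentence in this commit message pointing at the follow-up (or squashing the two) would help reviewers reading the patches in order.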
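Review bot: In the @@ -2192,9 +2188,7 @@ hunk, `hv_tlb_flush_enqueue(v, tlb_flush_entries, hc->rep_cnt, true);` is the only call site that targets the L2 FIFO, and with kvm_hv_get_tlb_flush_fifo(v, true) gone from the loop the bare `true` is the sole hint that this is the nested-guest path. A brief comment on the call, or passing the value through a named local, would keep the L1/L2 split as visible as it was before the refactor.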
Reply-To: Sean Christopherson
Date: Fri, 12 Jun 2026 16:06:16 -0700
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
References: <20260612230622.687665-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-3-seanjc@google.com>
Subject: [PATCH v2 2/8] KVM: x86/hyperv: Check for NULL vCPU Hyper-V object in kvm_hv_get_tlb_flush_fifo()
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com

Check for a NULL Hyper-V object in kvm_hv_get_tlb_flush_fifo() instead of relying on the caller to do so. This will allow fixing a cross-vCPU race where KVM can access a vCPU's FIFO before it's fully initialized, without having to jump through too many cognitive hoops to reason about the correctness of the logic.

Ignoring changes in ordering that only affect the aforementioned race, no functional change intended.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/hyperv.c | 11 +++++------
 arch/x86/kvm/hyperv.h |  7 ++++++-
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index a894e3d2e594..ecd344b91739 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -1939,13 +1939,11 @@ static void hv_tlb_flush_enqueue(struct kvm_vcpu *v= cpu, u64 *entries, int count, bool is_guest_mode) { struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo; - struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu(vcpu); u64 flush_all_entry =3D KVM_HV_TLB_FLUSHALL_ENTRY; =20 - if (!hv_vcpu) - return; - tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(vcpu, is_guest_mode); + if (!tlb_flush_fifo) + return; =20 spin_lock(&tlb_flush_fifo->write_lock); =20 @@ -1972,15 +1970,16 @@ static void hv_tlb_flush_enqueue(struct kvm_vcpu *v= cpu, u64 *entries, int count, int kvm_hv_vcpu_flush_tlb(struct kvm_vcpu *vcpu) { struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo; - struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu(vcpu); u64 entries[KVM_HV_TLB_FLUSH_FIFO_SIZE]; int i, j, count; gva_t gva; =20 - if (!tdp_enabled || !hv_vcpu) + if (!tdp_enabled) return -EINVAL; =20 tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(vcpu, is_guest_mode(vcpu)); + if (!tlb_flush_fifo) + return -EINVAL; =20 count =3D kfifo_out(&tlb_flush_fifo->entries, entries, KVM_HV_TLB_FLUSH_F= IFO_SIZE); =20 diff --git a/arch/x86/kvm/hyperv.h b/arch/x86/kvm/hyperv.h index 65e89ed65349..e6c74cfbb1cb 100644 --- a/arch/x86/kvm/hyperv.h +++ b/arch/x86/kvm/hyperv.h @@ -201,6 +201,9 @@ static inline struct kvm_vcpu_hv_tlb_flush_fifo *kvm_hv= _get_tlb_flush_fifo(struc int i =3D is_guest_mode ? HV_L2_TLB_FLUSH_FIFO : HV_L1_TLB_FLUSH_FIFO; =20 + if (!hv_vcpu) + return NULL; + return &hv_vcpu->tlb_flush_fifo[i]; } =20 
@@ -208,10 +211,12 @@ static inline void kvm_hv_vcpu_purge_flush_tlb(struct= kvm_vcpu *vcpu) { struct kvm_vcpu_hv_tlb_flush_fifo *tlb_flush_fifo; =20 - if (!to_hv_vcpu(vcpu) || !kvm_check_request(KVM_REQ_HV_TLB_FLUSH, vcpu)) + if (!kvm_check_request(KVM_REQ_HV_TLB_FLUSH, vcpu)) return; =20 tlb_flush_fifo =3D kvm_hv_get_tlb_flush_fifo(vcpu, is_guest_mode(vcpu)); + if (!tlb_flush_fifo) + return; =20 kfifo_reset_out(&tlb_flush_fifo->entries); } --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D743C3D669A for ; Fri, 12 Jun 2026 23:06:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305593; cv=none; b=arCgy3qKoEQRVfilgN4UA+z3EAVdKuLd/wMklD+DRt0brD4Yj3XKNOf7WlIPGqSIGS4j4mXfbN011Q2VfYFdVRfDubsj30foLBIay2TgeYbIi37puHmd1A2nX1Y2q9cyFeeGkb9zzllJH6Um4f/rUgrVI4WH/xf4P0KqTT2FifY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305593; c=relaxed/simple; bh=ahTuH3NgpLKhsp7+7EDi8H+OFcF6qnTnFS+SEGqyZ58=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=COp0glrk5Hb/XWzZbnCD4wa+7K4Yvwu4nUhRpaeKRbpEg3lCwMKjtVYqgoCMSjMsctZ+hZPkJ95yrM9pHhnP5SJtbwH1jae5D7kHwjCY7Rr5kQgy9kBOD8aNaf721dUfub4Wqrajj8rXwivBA3Rx//7ZCNyD9kmL8HoXWvsrDyE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=S+qJ7Myt; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com 
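Review bot: In the kvm_hv_get_tlb_flush_fifo() hunk (@@ -201,6 +201,9 @@), the function becomes the single point every FIFO access goes through and can now return NULL, yet nothing at the definition says so; a one-line comment stating that a NULL return means the vCPU has no Hyper-V context would document the contract that the three callers updated in this patch rely on.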
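Review bot: In the kvm_hv_vcpu_purge_flush_tlb() hunk (@@ -208,10 +211,12 @@), moving the to_hv_vcpu() test after kvm_check_request() changes what happens for a vCPU with no Hyper-V object: kvm_check_request() clears KVM_REQ_HV_TLB_FLUSH, so the request is now consumed rather than left pending as it was with `if (!to_hv_vcpu(vcpu) || !kvm_check_request(...))`. That is very likely the desired outcome (there is no FIFO whose contents could be lost), but it is the "change in ordering" the commit message alludes to, and naming it explicitly there would save the next reader from re-deriving it.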
Reply-To: Sean Christopherson
Date: Fri, 12 Jun 2026 16:06:17 -0700
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
References: <20260612230622.687665-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-4-seanjc@google.com>
Subject: [PATCH v2 3/8] KVM: x86/hyperv: Ensure vCPU's Hyper-V object is initialized on cross-vCPU accesses
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com

When initializing a vCPU's Hyper-V object, ensure the object is fully initialized prior to exposing it through the vCPU, and ensure accesses from other tasks (e.g. other vCPUs) see the fully initialized object if vcpu->arch.hyperv is non-NULL.

Lack of ordering manifests as a lockdep splat due to attempting to lock a TLB flush FIFO before the spinlock is initialized.

  INFO: trying to register non-static key.
  The code is fine but needs lockdep annotation, or maybe
  you didn't initialize this object before use?
  turning off the locking correctness validator.
  CPU: 1 PID: 5005 Comm: syz-executor189 Not tainted 6.6.120-smp-DEV #1
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
  Call Trace:
   [] dump_stack_lvl+0xcc/0x130 lib/dump_stack.c:106
   [] assign_lock_key+0x1fd/0x230 kernel/locking/lockdep.c:977
   [] register_lock_class+0x187/0x7a0 kernel/locking/lockdep.c:1291
   [] __lock_acquire+0x179/0x7650 kernel/locking/lockdep.c:5016
   [] lock_acquire+0x13f/0x3d0 kernel/locking/lockdep.c:5756
   [] __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   [] _raw_spin_lock+0x2b/0x40 kernel/locking/spinlock.c:154
   [] spin_lock include/linux/spinlock.h:351 [inline]
   [] hv_tlb_flush_enqueue+0xb4/0x270 arch/x86/kvm/hyperv.c:1946
   [] kvm_hv_flush_tlb+0xa96/0x1dc0 arch/x86/kvm/hyperv.c:2145
   [] kvm_hv_hypercall+0x103b/0x1fe0 arch/x86/kvm/hyperv.c:-1
   [] __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6624 [inline]
   [] vmx_handle_exit+0x12e3/0x21f0 arch/x86/kvm/vmx/vmx.c:6641
   [] vcpu_enter_guest arch/x86/kvm/x86.c:11649 [inline]
   [] vcpu_run+0x4d01/0x79c0 arch/x86/kvm/x86.c:11832
   [] kvm_arch_vcpu_ioctl_run+0xb49/0x1c80 arch/x86/kvm/x86.c:12179
   []
kvm_vcpu_ioctl+0xc80/0xff0 virt/kvm/kvm_main.c:6029 [] vfs_ioctl fs/ioctl.c:52 [inline] [] __do_sys_ioctl fs/ioctl.c:872 [inline] [] __se_sys_ioctl+0xfd/0x170 fs/ioctl.c:858 [] do_syscall_x64 arch/x86/entry/common.c:52 [inline] [] do_syscall_64+0x69/0xb0 arch/x86/entry/common.c:93 [] entry_SYSCALL_64_after_hwframe+0x68/0xd2 Use the "safe" variant in all paths that are known to access the Hyper-V object, as detected by an upcoming lockdep assertion. Fixes: 0823570f0198 ("KVM: x86: hyper-v: Introduce TLB flush fifo") Fixes: fc08b628d7c9 ("KVM: x86: hyper-v: Allocate Hyper-V context lazily") Reported-by: syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com Signed-off-by: Sean Christopherson --- arch/x86/kvm/hyperv.c | 23 ++++++++++++++++++----- arch/x86/kvm/hyperv.h | 16 ++++++++++++++-- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c index ecd344b91739..107eb7df20f1 100644 --- a/arch/x86/kvm/hyperv.c +++ b/arch/x86/kvm/hyperv.c @@ -206,13 +206,19 @@ static struct kvm_vcpu *get_vcpu_by_vpidx(struct kvm = *kvm, u32 vpidx) =20 static struct kvm_vcpu_hv_synic *synic_get(struct kvm *kvm, u32 vpidx) { - struct kvm_vcpu *vcpu; struct kvm_vcpu_hv_synic *synic; + struct kvm_vcpu_hv *hv_vcpu; + struct kvm_vcpu *vcpu; =20 vcpu =3D get_vcpu_by_vpidx(kvm, vpidx); - if (!vcpu || !to_hv_vcpu(vcpu)) + if (!vcpu) return NULL; - synic =3D to_hv_synic(vcpu); + + hv_vcpu =3D to_hv_vcpu_safe(vcpu); + if (!hv_vcpu) + return NULL; + + synic =3D &hv_vcpu->synic; return (synic->active) ? synic : NULL; } =20 @@ -972,7 +978,6 @@ int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu) if (!hv_vcpu) return -ENOMEM; =20 - vcpu->arch.hyperv =3D hv_vcpu; hv_vcpu->vcpu =3D vcpu; =20 synic_init(&hv_vcpu->synic); 
@@ -988,6 +993,14 @@ int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu) spin_lock_init(&hv_vcpu->tlb_flush_fifo[i].write_lock); } =20 + /* + * Ensure the structure is fully initialized before it's visible to + * other tasks, as much of the state can be legally accessed without + * holding vcpu->mutex. + * + * Pairs with the smp_load_acquire() in to_hv_vcpu_safe(). + */ + smp_store_release(&vcpu->arch.hyperv, hv_vcpu); return 0; } =20 @@ -2166,7 +2179,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_vcpu *vcpu, st= ruct kvm_hv_hcall *hc) bitmap_zero(vcpu_mask, KVM_MAX_VCPUS); =20 kvm_for_each_vcpu(i, v, kvm) { - hv_v =3D to_hv_vcpu(v); + hv_v =3D to_hv_vcpu_safe(v); =20 /* * The following check races with nested vCPUs entering/exiting diff --git a/arch/x86/kvm/hyperv.h b/arch/x86/kvm/hyperv.h index e6c74cfbb1cb..821b586ed746 100644 --- a/arch/x86/kvm/hyperv.h +++ b/arch/x86/kvm/hyperv.h @@ -61,6 +61,18 @@ static inline struct kvm_hv *to_kvm_hv(struct kvm *kvm) return &kvm->arch.hyperv; } =20 +static inline struct kvm_vcpu_hv *to_hv_vcpu_safe(struct kvm_vcpu *vcpu) +{ + /* + * Ensure the HyperV structure is fully initialized when accessing it + * without holding vcpu->mutex (or some other guarantee that KVM can't + * concurrently instantiate the structure). + * + * Pairs with the smp_store_release() in kvm_hv_vcpu_init(). + */ + return smp_load_acquire(&vcpu->arch.hyperv); +} + static inline struct kvm_vcpu_hv *to_hv_vcpu(struct kvm_vcpu *vcpu) { return vcpu->arch.hyperv; @@ -87,7 +99,7 @@ static inline struct kvm_hv_syndbg *to_hv_syndbg(struct k= vm_vcpu *vcpu) =20 static inline u32 kvm_hv_get_vpindex(struct kvm_vcpu *vcpu) { - struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu(vcpu); + struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu_safe(vcpu); =20 return hv_vcpu ? hv_vcpu->vp_index : vcpu->vcpu_idx; } 
@@ -197,7 +209,7 @@ int kvm_get_hv_cpuid(struct kvm_vcpu *vcpu, struct kvm_= cpuid2 *cpuid, static inline struct kvm_vcpu_hv_tlb_flush_fifo *kvm_hv_get_tlb_flush_fifo= (struct kvm_vcpu *vcpu, bool is_guest_mode) { - struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu(vcpu); + struct kvm_vcpu_hv *hv_vcpu =3D to_hv_vcpu_safe(vcpu); int i =3D is_guest_mode ? HV_L2_TLB_FLUSH_FIFO : HV_L1_TLB_FLUSH_FIFO; =20 --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EBBDD3DBD7F for ; Fri, 12 Jun 2026 23:06:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305593; cv=none; b=uNxRqIpZjv7Glr2xdCRrR1iwNMK/oL5EfQMSf5sEZkpXLld7eHfwXY7NGnibivKHCyX2VvvB5kPAGxoYXigLE62wXScm90lUzVPJv/x25pLHmuVNf3YGKLkffM8hDDRViOo9+JIpJBHL6phJO+vCGLDIEKYRnS9mbP1nAP3pdqk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305593; c=relaxed/simple; bh=6eQiEssKQC2c4js1UbQi49lxWZxkjELs+LqLjtbU2Uo=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=JsYIkwKATa0CD7JJjW1/rr3uT/dMnEnVN7NH7v32NF/FsSZIZOfyWp3Q5VtjBgMNx4kIULQreD2cL3ZWTRjzAhE51ZDvZ/1pFasNHJ0x3gSP+7GWaimFFwJcXPpEU5yC6T7fC/6s3+zpdf5byka1DoH0jhgYlJ0SgKXu6kc1Qn4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=SHJZDT7d; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; 
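Review bot: In the kvm_hv_vcpu_init() hunks (@@ -972,7 +978,6 @@ and @@ -988,6 +993,14 @@), dropping the early `vcpu->arch.hyperv = hv_vcpu;` means vcpu->arch.hyperv stays NULL until the final smp_store_release(); anything between the allocation and that store, including helpers called from synic_init() or from the code elided between the two hunks, that reaches the object via to_hv_vcpu(vcpu) rather than the local hv_vcpu pointer would now see NULL. Worth stating in the commit message that this was audited, or adding a line to the new comment at the release store that the object must not be looked up through the vCPU before this point. Likewise, if there is any error return between the allocation and the publish, it now has to free hv_vcpu itself, since the vCPU no longer references it.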
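Review bot: In the to_hv_vcpu_safe() hunk (@@ -61,6 +61,18 @@), the new helper's comment explains when it is needed, but the plain to_hv_vcpu() directly below it still carries no statement of its precondition (vcpu->mutex held, or the vCPU otherwise unreachable). Until the lockdep assertion mentioned in the commit message lands, a one-line comment on to_hv_vcpu() is the only thing steering a new caller toward the right accessor. Minor: "HyperV" in the new comment versus "Hyper-V" elsewhere in the file.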
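The ordering fix in 3/8 (publish vcpu->arch.hyperv with smp_store_release() only after spin_lock_init() has run, read it with smp_load_acquire()) together with the NULL-returning FIFO lookup from 2/8, modelled in userspace C11 as an added example. This is not KVM code: the struct names and the LOCK_INITIALIZED marker are constructed for the example, C11 atomic_store_explicit()/atomic_load_explicit() stand in for the kernel's release/acquire primitives, and a callback stands in for the racing vCPU so the interleaving that produced the lockdep splat is reproduced deterministically rather than by real threads.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed userspace model of the lazily allocated per-vCPU Hyper-V
 * object.  Names mirror the KVM ones, but the types are made up for this
 * example; C11 atomics stand in for smp_store_release()/smp_load_acquire().
 */
#define HV_L1_TLB_FLUSH_FIFO 0
#define HV_L2_TLB_FLUSH_FIFO 1
#define LOCK_INITIALIZED 0x4c4f434bu	/* stands in for a registered lockdep key */

struct tlb_flush_fifo {
	unsigned int lock_state;	/* LOCK_INITIALIZED once "spin_lock_init()" ran */
};

struct vcpu_hv {
	struct tlb_flush_fifo tlb_flush_fifo[2];
};

struct vcpu {
	_Atomic(struct vcpu_hv *) hyperv;	/* NULL until lazily allocated */
};

/* Models to_hv_vcpu_safe(): the acquire pairs with the release in init. */
static struct vcpu_hv *to_hv_vcpu_safe(struct vcpu *vcpu)
{
	return atomic_load_explicit(&vcpu->hyperv, memory_order_acquire);
}

/* Models kvm_hv_get_tlb_flush_fifo() after 2/8: it NULL-checks itself. */
static struct tlb_flush_fifo *get_tlb_flush_fifo(struct vcpu *vcpu, bool is_guest_mode)
{
	struct vcpu_hv *hv_vcpu = to_hv_vcpu_safe(vcpu);
	int i = is_guest_mode ? HV_L2_TLB_FLUSH_FIFO : HV_L1_TLB_FLUSH_FIFO;

	if (!hv_vcpu)
		return NULL;
	return &hv_vcpu->tlb_flush_fifo[i];
}

/*
 * Models hv_tlb_flush_enqueue() running on another vCPU.  Returns 1 if it
 * would have taken a spinlock that was never initialised (the lockdep splat
 * in the report), 0 if it found no object or a fully initialised one.
 */
static int cross_vcpu_enqueue(struct vcpu *target, bool is_guest_mode)
{
	struct tlb_flush_fifo *fifo = get_tlb_flush_fifo(target, is_guest_mode);

	if (!fifo)
		return 0;
	return fifo->lock_state == LOCK_INITIALIZED ? 0 : 1;
}

/*
 * Models kvm_hv_vcpu_init().  'racer' stands in for a concurrent vCPU that
 * runs between allocation and spin_lock_init(); publish_early reproduces the
 * pre-fix ordering (pointer exposed first), otherwise the pointer is
 * published last with release semantics.
 */
static int hv_vcpu_init(struct vcpu *vcpu, bool publish_early,
			int (*racer)(struct vcpu *, bool), int *raced)
{
	struct vcpu_hv *hv_vcpu = calloc(1, sizeof(*hv_vcpu));
	int i;

	if (!hv_vcpu)
		return -1;
	if (publish_early)	/* plain store, as before the fix */
		atomic_store_explicit(&vcpu->hyperv, hv_vcpu, memory_order_relaxed);

	*raced = racer(vcpu, false);	/* the cross-vCPU access happens here */

	for (i = 0; i < 2; i++)		/* the spin_lock_init() loop */
		hv_vcpu->tlb_flush_fifo[i].lock_state = LOCK_INITIALIZED;

	if (!publish_early)	/* pairs with the acquire in to_hv_vcpu_safe() */
		atomic_store_explicit(&vcpu->hyperv, hv_vcpu, memory_order_release);
	return 0;
}

/* Runs the interleaving once; returns 1 if the racer saw an uninitialised lock. */
static int race_model(bool publish_early)
{
	struct vcpu vcpu;
	int raced = 0;

	atomic_init(&vcpu.hyperv, NULL);
	if (hv_vcpu_init(&vcpu, publish_early, cross_vcpu_enqueue, &raced))
		return -1;
	if (cross_vcpu_enqueue(&vcpu, true) != 0)	/* both orderings end usable */
		raced = -2;
	free(atomic_load_explicit(&vcpu.hyperv, memory_order_relaxed));
	return raced;
}

/* A vCPU with no Hyper-V object yields no FIFO at all (2/8's contract). */
static int lookup_without_object_is_null(void)
{
	struct vcpu vcpu;

	atomic_init(&vcpu.hyperv, NULL);
	return get_tlb_flush_fifo(&vcpu, false) == NULL;
}

int main(void)
{
	printf("publish first: raced=%d\n", race_model(true));	/* 1 */
	printf("publish last:  raced=%d\n", race_model(false));	/* 0 */
	return 0;
}
```

The relaxed store on the buggy path is deliberate: it models the plain assignment that 3/8 removes, and the racer then finds the object with its lock state still zeroed. On the fixed path the racer sees NULL, which get_tlb_flush_fifo() turns into a clean "nothing to do"; only after the release store does a later acquire load expose the object, and by then every lock is initialised.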
Reply-To: Sean Christopherson
Date: Fri, 12 Jun 2026 16:06:18 -0700
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
References: <20260612230622.687665-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-5-seanjc@google.com>
Subject: [PATCH v2 4/8] KVM: Initialize a vCPU's index to '-1' while it's being created
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com

Invalidate a vCPU's index immediately after allocating storage for the vCPU so that KVM doesn't incorrectly treat a vCPU that is in the process of being created as being vCPU0. This will also allow detecting that a vCPU is in the process of being created and thus otherwise unreachable, which is useful for avoiding false positives in lockdep assertions on vcpu->mutex.

Note, kvm_wait_for_vcpu_online() naturally does the right thing thanks to vcpu->vcpu_idx and kvm->online_vcpus being signed values.

Signed-off-by: Sean Christopherson
---
 virt/kvm/kvm_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index e44c20c04961..b3d2a678210c 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4188,6 +4188,8 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, = unsigned long id) goto vcpu_decrement; } =20 + vcpu->vcpu_idx =3D -1; + BUILD_BUG_ON(sizeof(struct kvm_run) > PAGE_SIZE); page =3D alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO); if (!page) { --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65F083D669A for ; Fri, 12 Jun 2026 23:06:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305598; cv=none; b=PZUbHjFeJiDDahU69/KIIaOmlE1DNtDvtKpkdWWOj26hX6KlbW914sitW5dNrqLenAoB2m0117b0O/LVCnWaolLsMWQE/1/59I5u3IZpod83tGnfp3rYa7Eacx11cwcEeLDedrb5paS+/9mt+QfSDMfvDw36UIPUBdIM0A6EBDo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305598; c=relaxed/simple; bh=m6dVurRgYnxp0sE8HOQaFVvKBubpdu74b/5Ww1K0kT4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=ELAPQ2OPAYNwbWb93WmLDLqaud/IuI0q9+Bs7G0Exrw22B51h1Dz620Gd/AhivA19Nc1Hvm6698x6EvTN+Aco2YIz/xl22uL/bHjBAhMfMeHeU6/6y0KWBpXuXAxJvwjHY5IjJX6ItwYQB62KFQJ/glireYvz446SgcwIwtA4t4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ly5Th6li; arc=none smtp.client-ip=209.85.210.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
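Review bot: In the kvm_vm_ioctl_create_vcpu() hunk (@@ -4188,6 +4188,8 @@), the sentinel assignment `vcpu->vcpu_idx = -1;` carries no comment and the rationale lives only in the commit message; a short comment at the store (not yet online, relied upon by kvm_wait_for_vcpu_online() and the upcoming lockdep assertion) would help. Note also the knock-on effect on kvm_hv_get_vpindex() as changed in 3/8, which returns `vcpu->vcpu_idx` as a u32 when there is no Hyper-V object: for a vCPU still being created it now yields 0xffffffff instead of 0, which is the intended "not vCPU0" behaviour, but any lookup by VP index that could run during creation must treat that value as "no match" rather than as an array index.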
Date: Fri, 12 Jun 2026 16:06:19 -0700
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-6-seanjc@google.com>
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
Subject: [PATCH v2 5/8] KVM: Move nVMX's lockdep logic for vcpu->mutex to a common helper

Extract nVMX's lockdep assertion that a vCPU is locked or otherwise unreachable into a common helper, as KVM x86 is about to gain another user, but there is nothing x86-specific about the logic, i.e. the assertion may be useful for other architectures.

No functional change intended.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx/nested.h | 6 ++----
 include/linux/kvm_host.h  | 6 ++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h
index 6d6cd5904ddf..c6de848bd9ce 100644
--- a/arch/x86/kvm/vmx/nested.h
+++ b/arch/x86/kvm/vmx/nested.h
@@ -57,16 +57,14 @@ bool nested_vmx_check_io_bitmaps(struct kvm_vcpu *vcpu,= unsigned int port, =20 static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu) { - lockdep_assert_once(lockdep_is_held(&vcpu->mutex) || - !refcount_read(&vcpu->kvm->users_count)); + kvm_lockdep_assert_vcpu_is_locked_or_unreachable(vcpu); =20 return to_vmx(vcpu)->nested.cached_vmcs12; } =20 static inline struct vmcs12 *get_shadow_vmcs12(struct kvm_vcpu *vcpu) { - lockdep_assert_once(lockdep_is_held(&vcpu->mutex) || - !refcount_read(&vcpu->kvm->users_count)); + kvm_lockdep_assert_vcpu_is_locked_or_unreachable(vcpu); =20 return to_vmx(vcpu)->nested.cached_shadow_vmcs12; } diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 27498e990dff..82696b27b145 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h 
@@ -989,6 +989,12 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kv= m *kvm, enum kvm_bus idx) lockdep_is_held(&kvm->slots_lock)); } =20 +static inline void kvm_lockdep_assert_vcpu_is_locked_or_unreachable(struct= kvm_vcpu *vcpu) +{ + lockdep_assert_once(lockdep_is_held(&vcpu->mutex) || + !refcount_read(&vcpu->kvm->users_count)); +} + static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) { int num_vcpus =3D atomic_read(&kvm->online_vcpus); --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A56C03D9674 for ; Fri, 12 Jun 2026 23:06:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305599; cv=none; b=OzBQSgqmtZuCBLZhqpKCgDs+YGpcy4gRf2GAy6uzorFbWER15oLP8EELcfoqo2CWL1Sl7OSi8toOgxTyOtlsIm6K5L12lbgSzegpJJh6Gb3t4c96bzBG02Ji8OGVti7d39R9f9XCb+ktP5XuaP+tWN+8D/gljXzZRKXlfRV/sqs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305599; c=relaxed/simple; bh=oBIfhx1eD1oG6TNml3LN88l4z3IF/+8mB6ZvmmLEt/Q=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=Y30W0F0gOzjuepzvlmUiCeZVUX8fluo73Ey8PIs4viB7p4Wz23hWPER7X1m8Gv3eWdnuElJkhd0Y/27h8uolKc3tLkiO85CEbXeHZ6/ZI7YUdA78V5ojXGtD6Byd7A4Rz6zXBFSGYwOODDuOLRYgoIsypwOsIuxWzIhkF69N/5Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=jEzPkN/y; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) 
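Review bot: kvm_lockdep_assert_vcpu_is_locked_or_unreachable() becomes a generic helper in include/linux/kvm_host.h but carries no comment, and the "unreachable" half of the condition, `!refcount_read(&vcpu->kvm->users_count)`, is not self-explanatory to callers outside nVMX. Add a comment above the helper stating that a VM whose users_count has dropped to zero is being torn down so its vCPUs can no longer be reached from another task, and that the assertion deliberately fires at most once (lockdep_assert_once()), so that other architectures can adopt it without reading the nested VMX history.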
Date: Fri, 12 Jun 2026 16:06:20 -0700
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-7-seanjc@google.com>
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
Subject: [PATCH v2 6/8] KVM: x86: Treat a vCPU as unreachable if its index is invalid

In the "vCPU locked or unreachable" lockdep assertion, treat a vCPU as unreachable if its index is invalid, i.e. if the vCPU is in the process of being created. Until the vCPU is inserted into the array of vCPUs, the only way to get at the vCPU is via kvm_vm_ioctl_create_vcpu().

Note, the actual index is set _before_ adding the vCPU to the array, i.e. there's no risk of a false negative on the lockdep assertion.

Signed-off-by: Sean Christopherson
---
 include/linux/kvm_host.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 82696b27b145..017070b81108 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -992,6 +992,7 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm= *kvm, enum kvm_bus idx) static inline void kvm_lockdep_assert_vcpu_is_locked_or_unreachable(struct= kvm_vcpu *vcpu) { lockdep_assert_once(lockdep_is_held(&vcpu->mutex) || + vcpu->vcpu_idx < 0 || !refcount_read(&vcpu->kvm->users_count)); } =20 --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCF9B3FB7F3 for ; Fri, 12 Jun 2026 23:06:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305601; cv=none; b=WCujMl6rZsQNLZyxr5bIom3E8KMe1+ilzk+EZm22as6hj/Pyad6fgDEFcqee0OwjcVylOX8QbrR8fje726W8CyxTkwn/SUJuMFvlALF/YWJKHDomUQhpSSKOFu9PvKoCpFmwCN9f0iC4jBjWRxdb4lCT9E9dalp7gMePvCMIBFg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305601; c=relaxed/simple; bh=IsZj3GCjbyKgtlPYUFvawVO77VGZHPyAp0mIzBAb3tw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=aqDYpx0pIkAPQ7rX4OJ3CmGnNtAdw7MjQnlvASbwZpsLqbEK2wMxDtRlf9Twwwv8rgKSUzYxPmm7uRyMvPtS1VqR8mDdiRKxCKDrs4fLqiUVYKm+jTSTOwZ7EyhyV44H/ivsNV2SGhgNbuaxE9MWS6qygH9auhvzr6elrJKAVHs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=A/atfnRT; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: 
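Review bot: the new `vcpu->vcpu_idx < 0 ||` term only means what the changelog says if vcpu_idx is a signed type; the hunk does not show the field's declaration, and if the field were ever made unsigned the comparison would silently become always-false and the creation-time exemption would disappear. A one-line comment in the helper explaining that a negative index means the vCPU is still being created and is reachable only from kvm_vm_ioctl_create_vcpu() would tie this to patch 4/8, and a build-time check on the field's signedness would make the dependency explicit. Separately, the Subject prefix is "KVM: x86:" while the only file touched is the common include/linux/kvm_host.h; plain "KVM:" looks like the right prefix.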
Date: Fri, 12 Jun 2026 16:06:21 -0700
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-8-seanjc@google.com>
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
Subject: [PATCH v2 7/8] KVM: x86/hyperv: Assert vCPU's mutex is held in to_hv_vcpu()

Assert that either vcpu->mutex is held or the VM is otherwise unreachable when using the normal vCPU => HyperV accessor to help detect improper cross-task usage of the HyperV structure. When accessing the structure without holding the vCPU's mutex, e.g. to send interrupts or to queue TLB flushes, KVM needs to use the more paranoid to_hv_vcpu_safe() to guarantee that it can't see a half-baked structure.

To avoid false positives, open code accesses to vcpu->arch.hyperv in the Synthetic Timer callbacks (can be reached if and only if HyperV state is fully initialized).

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/hyperv.c | 6 ++----
 arch/x86/kvm/hyperv.h | 2 ++
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index 107eb7df20f1..7efe2907148f 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -599,8 +599,7 @@ static void stimer_mark_pending(struct kvm_vcpu_hv_stim= er *stimer, { struct kvm_vcpu *vcpu =3D hv_stimer_to_vcpu(stimer); =20 - set_bit(stimer->index, - to_hv_vcpu(vcpu)->stimer_pending_bitmap); + set_bit(stimer->index, vcpu->arch.hyperv->stimer_pending_bitmap); kvm_make_request(KVM_REQ_HV_STIMER, vcpu); if (vcpu_kick) kvm_vcpu_kick(vcpu); @@ -614,8 +613,7 @@ static void stimer_cleanup(struct kvm_vcpu_hv_stimer *s= timer) stimer->index); =20 hrtimer_cancel(&stimer->timer); - clear_bit(stimer->index, - to_hv_vcpu(vcpu)->stimer_pending_bitmap); + clear_bit(stimer->index, vcpu->arch.hyperv->stimer_pending_bitmap); stimer->msg_pending =3D false; stimer->exp_time =3D 0; } diff --git a/arch/x86/kvm/hyperv.h b/arch/x86/kvm/hyperv.h index 821b586ed746..f78ab3c8d11a 100644 --- a/arch/x86/kvm/hyperv.h +++ b/arch/x86/kvm/hyperv.h 
@@ -75,6 +75,8 @@ static inline struct kvm_vcpu_hv *to_hv_vcpu_safe(struct = kvm_vcpu *vcpu) =20 static inline struct kvm_vcpu_hv *to_hv_vcpu(struct kvm_vcpu *vcpu) { + kvm_lockdep_assert_vcpu_is_locked_or_unreachable(vcpu); + return vcpu->arch.hyperv; } =20 --=20 2.54.0.1136.gdb2ca164c4-goog From nobody Fri Jun 19 18:35:26 2026 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0BAE4028F4 for ; Fri, 12 Jun 2026 23:06:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305602; cv=none; b=uZ1YmTXPpx+otmhud9QpaS4jxNP4e0l0XhAdezyEg+VrnxEKkHvoyqewa+uGa5liPCw4sviwGau7JafQKVHN0nneO2D8hLGaGcafaGfIUUeEQCVM/c+owyZ7GMb6cXovbn/dNbSXeHAx/CY8ThMON+23musBBp1GNjjfu+qpjok= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781305602; c=relaxed/simple; bh=aR8aSM3blKEoYPh5VlsmJ3gSg4L4aDUcPmqNAKdGzYA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=UTSBu0kNfg2hJub1RlGLM6r/V+cu9N2j4YvFYabRZE00JWJr8pTdZiFXjCTco0Mq1gpVw4Bb4Dz7RYFb6aEX109TcpMwhqm0tVk09hrCvzRUuEjzft3Fr3O8ohxOz5ujD7Z2wVDz8TYsS5p691rlx5sCXitl/XoFCTGqR6fRcVo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=S7TujKIO; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
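Review bot: the two open-coded `vcpu->arch.hyperv->stimer_pending_bitmap` accesses in stimer_mark_pending() and stimer_cleanup() will look like an oversight to anyone who does not know that to_hv_vcpu() now asserts on vcpu->mutex, so each site (or the stimer code as a whole) should carry a comment saying the accessor is bypassed on purpose because the timer callbacks can run without the vCPU mutex and are only reachable once Hyper-V state is fully initialized; otherwise a future cleanup will fold them back into to_hv_vcpu() and reintroduce the splat.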
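Review bot: to_hv_vcpu() gains the assertion but the header still does not say which accessor callers should use when they do not hold vcpu->mutex; since to_hv_vcpu_safe() sits directly above in the context, a comment on to_hv_vcpu() stating that lockless or cross-task users must go through to_hv_vcpu_safe() would document the rule the assertion now enforces, rather than leaving it in the changelog only.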
Date: Fri, 12 Jun 2026 16:06:22 -0700
From: Sean Christopherson
To: Vitaly Kuznetsov, Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+5b32c49cd8f005e65654@syzkaller.appspotmail.com
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260612230622.687665-9-seanjc@google.com>
In-Reply-To: <20260612230622.687665-1-seanjc@google.com>
Subject: [PATCH v2 8/8] KVM: x86/hyperv: Use {READ,WRITE}_ONCE for cross-task synic->active accesses

When activating Hyper-V's Synthetic Interrupt Controller (SynIC), mark it active with WRITE_ONCE() and query it using READ_ONCE() in synic_get(), the only known cross-task reader, to document that the flag is accessed without holding the vCPU's mutex.

Note, there are no data dependencies on the SynIC being marked active, e.g. the vector read by synic_set_irq() is set (usually in response to guest activity) long after the SynIC is initially activated, and a false negative on the SynIC being active would be benign (ignoring that such a race is likely to be problematic for the guest irrespective of what KVM does).

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/hyperv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index 7efe2907148f..63754a62dc87 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -219,7 +219,7 @@ static struct kvm_vcpu_hv_synic *synic_get(struct kvm *= kvm, u32 vpidx) return NULL; =20 synic =3D &hv_vcpu->synic; - return (synic->active) ? synic : NULL; + return READ_ONCE(synic->active) ? synic : NULL; } =20 static void kvm_hv_notify_acked_sint(struct kvm_vcpu *vcpu, u32 sint) @@ -1013,7 +1013,7 @@ int kvm_hv_activate_synic(struct kvm_vcpu *vcpu, bool= dont_zero_synic_pages) =20 synic =3D to_hv_synic(vcpu); =20 - synic->active =3D true; + WRITE_ONCE(synic->active, true); synic->dont_zero_synic_pages =3D dont_zero_synic_pages; synic->control =3D HV_SYNIC_CONTROL_ENABLE; return 0; --=20 2.54.0.1136.gdb2ca164c4-goog
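Review bot: READ_ONCE(synic->active) in synic_get() documents the cross-task read, but the function then hands the synic back to callers that go on to read other fields of it; a comment above the return noting that this is the lockless path and that no other synic field is guaranteed stable for the caller would put the reason for the READ_ONCE at the use site instead of only in the changelog.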
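Review bot: in kvm_hv_activate_synic() the WRITE_ONCE(synic->active, true) comes before the plain stores to synic->dont_zero_synic_pages and synic->control, so a cross-task synic_get() that observes active == true may still see the previous values of those two fields. The changelog argues there are no data dependencies, which may well hold, but this ordering makes that argument load-bearing; either move the WRITE_ONCE below the other two stores so the flag is the last thing published, or add a comment at the store saying why the order does not matter.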