x86/hyper-v: Filter non-canonical addresses passed via HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST(_EX)

styxs · intel-lab-lkp · commit 881e2200a451 · 2025-06-25T22:01:41.000+08:00
In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While the AMD variant (INVLPGA) will silently ignore the non-canonical address and perform a no-op, the Intel variant (INVVPID) will fail and end up in invvpid_error, where a WARN_ONCE is triggered: invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 torvalds#14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: <TASK> vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] ? __pfx_vmx_flush_tlb_gva+0x10/0x10 [kvm_intel] ? kfifo_copy_out+0xcf/0x120 kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] ? __pfx_kvm_hv_vcpu_flush_tlb+0x10/0x10 [kvm] ? kvm_pmu_is_valid_msr+0x6e/0x80 [kvm] ? kvm_get_msr_common+0x219/0x20f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] /* ... */ Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption. The following patch addresses the issue by skipping non-canonical GVAs before calling the architecture-specific invalidation primitive. I've validated it against a PoC and the issue seems to be fixed. Signed-off-by: Manuel Andreas <manuel.andreas@tum.de> Suggested-by: Vitaly Kuznetsov <vkuznets@redhat.com>
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
@@ -1979,6 +1979,9 @@ int kvm_hv_vcpu_flush_tlb(struct kvm_vcpu *vcpu)
 		if (entries[i] == KVM_HV_TLB_FLUSHALL_ENTRY)
 			goto out_flush_all;
 
+                if (is_noncanonical_invlpg_address(entries[i], vcpu))
+                        continue;
+
 		/*
 		 * Lower 12 bits of 'address' encode the number of additional
 		 * pages to flush.
