[PATCH 0/5] KVM: x86/hyperv: Fix racy usage of vcpu->arch.hyperv

Next message: Sean Christopherson: "[PATCH 1/5] KVM: x86/hyperv: Get target FIFO in hv_tlb_flush_enqueue(), not caller"
Previous message: Marek Vasut: "Re: [PATCH] nvmem: core: eeprom: at24: Handle EEPROM with both read-only and wp-gpios"
Next in thread: Sean Christopherson: "[PATCH 1/5] KVM: x86/hyperv: Get target FIFO in hv_tlb_flush_enqueue(), not caller"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sean Christopherson

Date: Thu Apr 23 2026 - 10:10:51 EST

Fix a bug found by syzkaller (on a Google-internal kernel) where KVM consumes
a vCPU's HyperV structure before it's fully initialized, by concurrently
triggering PV TLB flushes (queues flushes into a vCPU's FIFO without holding
the vCPU's mutex) on a vCPU that is in the process of activating HyperV.

Harden against similar bugs by asserting the vcpu->mutex is held when using
the "normal" to_hv_vcpu(), same as we did for get_vmcs12() and
get_shadow_vmcs12() (also in response to cross-task races).

I'll reply with the C reproducer (which may or may not repro on an upstream
kernel; I was never able to reproduce the splat myself, and relied on syzbot
to test for me).

Sean Christopherson (5):
KVM: x86/hyperv: Get target FIFO in hv_tlb_flush_enqueue(), not caller
KVM: x86/hyperv: Check for NULL vCPU Hyper-V object in
kvm_hv_get_tlb_flush_fifo()
KVM: x86/hyperv: Ensure vCPU's Hyper-V object is initialized on
cross-vCPU accesses
KVM: x86/hyperv: Assert vCPU's mutex is held in to_hv_vcpu()
KVM: x86/hyperv: Use {READ,WRITE}_ONCE for cross-task synic->active
accesses

arch/x86/kvm/hyperv.c | 66 +++++++++++++++++++++++--------------------
arch/x86/kvm/hyperv.h | 26 +++++++++++++++--
2 files changed, 58 insertions(+), 34 deletions(-)

base-commit: 85f871f6ba46f20d7fbc0b016b4db648c33220dd
--
2.54.0.545.g6539524ca2-goog