[PATCH v2 6.1.y 0/3] KVM: nVMX: backport virtual-APIC host NULL-deref fix
From: Nicholas Dudar
Date: Fri Jun 19 2026 - 16:33:46 EST
This series backports the fix for a guest-triggerable host NULL pointer
dereference in nested-VMX virtual-APIC handling. The bug is present in 6.1.y
and fixed in 6.6.y and later.
vmx_guest_apic_has_interrupt() tests vmx->nested.virtual_apic_map.gfn to
decide whether the virtual-APIC page is mapped, then reads through
vmx->nested.virtual_apic_map.hva. kvm_vcpu_unmap() clears .hva but not .gfn,
so after the page is unmapped an L1 guest using virtual-interrupt delivery
passes the .gfn check with .hva == NULL and the host faults reading
NULL + APIC_PROCPRI (CR2 = 0xa0). 96c66e87deee introduced the .gfn check.
The function is still present at 6.1.176.
The upstream fix, 321ef62b0c5f, deletes the function. It carries a stable tag
but did not apply to 6.1.y. The failed-apply notice [1] lists the SEV-SNP
series as a dependency, but that series is not required, and the backport builds
fine without it.
321ef62b0c5f edits the vmx_has_nested_events() body that 27c4fa42b11a adds,
and 27c4fa42b11a calls pi_find_highest_vector() from d83c36d822be. The series
is those three commits in that order. The rest of the June 2024 series is
already in 6.1.y.
Sean asked for the series to be backported rather than kvm_vcpu_unmap()
patched [2].
6.1.y predates the vmx main.c / x86_ops.h split, so patch 3 removes the hook
from vmx_x86_ops in vmx.c. The resulting vmx_has_nested_events() matches
6.6.y. The injection path is unchanged; only the wake path that reached the
dereference changes.
Reported by Taeyang Lee.
[1] https://lore.kernel.org/all/2024072925-straw-mashing-54f6@gregkh
[2] https://lore.kernel.org/all/CAH-2XvJo_JiyAnb21_LYxSz8xZ96oUVF25eTnDyALF+wnZw8ww@xxxxxxxxxxxxxx/
Changes since v1:
- v1 reached stable@ without this cover letter and with an incomplete Cc,
due to a git send-email error on my end. No code changed.
Sean Christopherson (3):
KVM: nVMX: Add a helper to get highest pending from Posted Interrupt vector
KVM: nVMX: Check for pending posted interrupts when looking for nested events
KVM: nVMX: Fold requested virtual interrupt check into has_nested_events()
arch/x86/include/asm/kvm-x86-ops.h | 1 -
arch/x86/include/asm/kvm_host.h | 1 -
arch/x86/kvm/vmx/nested.c | 45 +++++++++++++++++++++++++++---
arch/x86/kvm/vmx/posted_intr.h | 10 +++++++
arch/x86/kvm/vmx/vmx.c | 21 --------------
arch/x86/kvm/x86.c | 10 +------
6 files changed, 52 insertions(+), 36 deletions(-)
--
2.34.1
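The stale .gfn test described in the cover letter above, as an added illustration that is not the kernel's code and not part of this series: a simplified model of the map/unmap lifecycle in which unmap clears .hva but not .gfn, showing that a .gfn test still passes afterwards and that the subsequent APIC_PROCPRI read through .hva lands at 0xa0, the CR2 value in the report. The struct, function names and the 0x1234 gfn are constructed; APIC_PROCPRI is the real x86 APIC register offset, and the upstream fix removes the checking function rather than changing this predicate.

```c
#include <stddef.h>
#include <stdint.h>

#define INVALID_GFN  (~0ULL)
#define APIC_PROCPRI 0xa0  /* real x86 APIC register offset */

/* Simplified stand-in for the kernel's host map: only the two fields discussed. */
struct host_map {
	uint64_t gfn;
	uint8_t *hva;
};

static uint8_t apic_page[4096]; /* constructed "virtual-APIC page" */

static void map_page(struct host_map *m, uint64_t gfn)
{
	m->gfn = gfn;
	m->hva = apic_page;
}

/* Models kvm_vcpu_unmap() as described: .hva is cleared, .gfn is not. */
static void unmap_page(struct host_map *m)
{
	m->hva = NULL;
}

/* The test the removed vmx_guest_apic_has_interrupt() applied before reading .hva. */
static int mapped_by_gfn(const struct host_map *m)
{
	return m->gfn != INVALID_GFN;
}

/* Address the subsequent read of APIC_PROCPRI through .hva would touch. */
static uintptr_t procpri_read_addr(const struct host_map *m)
{
	return (uintptr_t)m->hva + APIC_PROCPRI;
}

/* Map, unmap, then run the .gfn test. Returns the address the APIC_PROCPRI
 * read would touch if the test still passes, or 0 if it reports "unmapped". */
static uintptr_t addr_read_after_unmap(void)
{
	struct host_map m = { INVALID_GFN, NULL };
	map_page(&m, 0x1234);
	unmap_page(&m);
	if (!mapped_by_gfn(&m))
		return 0;
	return procpri_read_addr(&m);
}
```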