From 579e21a96cfd2ba4e48b9f6aa2d785d4a4da9a58 Mon Sep 17 00:00:00 2001
From: Fuad Tabba
Date: Mon, 14 Feb 2022 10:12:54 +0000
Subject: [PATCH] ANDROID: KVM: arm64: Do not pass host struct pointers to pkvm_host_donate_guest()

This function only works for loaded vcpus and no more information is needed by hyp. This removes the need to access potentially unsafe host memory.

Bug: 220830416
Signed-off-by: Fuad Tabba
Change-Id: I2dae77b900139bd61e91fcff52beedffa2746d9b
---
 arch/arm64/kvm/hyp/nvhe/hyp-main.c | 7 ++++---
 arch/arm64/kvm/mmu.c | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
index 2b23cbf3c3e2..2e85ee068bb2 100644
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -727,20 +727,21 @@ static void handle___pkvm_host_donate_guest(struct kvm_cpu_context *host_ctxt)
 {
 	DECLARE_REG(u64, pfn, host_ctxt, 1);
 	DECLARE_REG(u64, gfn, host_ctxt, 2);
-	DECLARE_REG(struct kvm_vcpu *, vcpu, host_ctxt, 3);
+	struct kvm_vcpu *host_vcpu;
 	struct pkvm_loaded_state *state;
 	int ret = -EINVAL;
 
 	if (!is_protected_kvm_enabled())
 		goto out;
 
-	vcpu = kern_hyp_va(vcpu);
 	state = this_cpu_ptr(&loaded_state);
 	if (!state->vcpu)
 		goto out;
 
+	host_vcpu = state->vcpu->arch.pkvm.host_vcpu;
+
 	/* Topup shadow memcache with the host's */
-	ret = pkvm_refill_memcache(state->vcpu, vcpu);
+	ret = pkvm_refill_memcache(state->vcpu, host_vcpu);
 	if (!ret) {
 		if (state->is_protected)
 			ret = __pkvm_host_donate_guest(pfn, gfn, state->vcpu);
diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index f4bef1e97f1f..c5855bf53446 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
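Review bot: The new `host_vcpu` is now derived from hyp-owned state (`state->vcpu->arch.pkvm.host_vcpu`) instead of a host-supplied register, which is the whole point of the change, but nothing in the hunk records that, so a later patch could reintroduce a `DECLARE_REG` for it without noticing the regression. A one-line comment at the assignment would pin the intent: `/* Host vcpu recorded when the shadow vcpu was loaded; never take it from host registers. */`. The pointer is presumably populated when the shadow vcpu is created or loaded; if it can be NULL for a loaded vcpu, `pkvm_refill_memcache()` would dereference it, so that is worth confirming where `host_vcpu` is set. The tail of `handle___pkvm_host_donate_guest()` (the `out:` label reached by the two `goto out` lines) is outside the hunk.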
@@ -1143,12 +1143,12 @@ static int sanitise_mte_tags(struct kvm *kvm, kvm_pfn_t pfn,
 	return 0;
 }
 
-static int pkvm_host_donate_guest(u64 pfn, u64 gfn, struct kvm_vcpu *vcpu)
+static int pkvm_host_donate_guest(u64 pfn, u64 gfn)
 {
 	struct arm_smccc_res res;
 
 	arm_smccc_1_1_hvc(KVM_HOST_SMCCC_FUNC(__pkvm_host_donate_guest),
-			  pfn, gfn, vcpu, &res);
+			  pfn, gfn, &res);
 	WARN_ON(res.a0 != SMCCC_RET_SUCCESS);
 
 	/*
@@ -1200,7 +1200,7 @@ static int pkvm_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
 	spin_lock(&kvm->mmu_lock);
 	pfn = page_to_pfn(page);
-	ret = pkvm_host_donate_guest(pfn, fault_ipa >> PAGE_SHIFT, vcpu);
+	ret = pkvm_host_donate_guest(pfn, fault_ipa >> PAGE_SHIFT);
 	if (ret) {
 		if (ret == -EAGAIN)
 			ret = 0;
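Review bot: Dropping the `vcpu` parameter from `pkvm_host_donate_guest()` makes the donation target implicit — hyp acts on whichever vcpu is loaded on the calling CPU — but the new signature carries no comment saying so, and a future caller outside the vcpu run path would either be rejected by hyp with -EINVAL or act on the wrong vcpu. Suggest a comment above the definition: `/* Donate @pfn to the vcpu currently loaded on this CPU, mapped at guest frame @gfn; must be called from that vcpu's run path. */`. The only visible caller, `pkvm_mem_abort()` in the -1200 hunk, invokes it under `kvm->mmu_lock`, which presumably keeps the loaded vcpu stable for the call — confirm that is the intended guarantee rather than a coincidence. The function body continues past the hunk (the comment after `WARN_ON` and the return are not shown).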