From 606faee906ae8f794e4ec3e53d7b9738a760c3ab Mon Sep 17 00:00:00 2001
From: Fuad Tabba
Date: Fri, 28 Jan 2022 13:37:28 +0000
Subject: [PATCH] ANDROID: KVM: arm64: Do not pass host struct pointers to __pkvm_teardown_shadow()

Pass the handle and other safe data instead for hyp to use to lookup the shadow vcpu. This removes the need to access potentially unsafe host memory.

Bug: 220830416
Signed-off-by: Fuad Tabba
Change-Id: Iff01f981aad8f1a064f8a8147e5443807558884c
---
 arch/arm64/kvm/hyp/include/nvhe/pkvm.h | 2 +-
 arch/arm64/kvm/hyp/nvhe/hyp-main.c | 4 ++--
 arch/arm64/kvm/hyp/nvhe/pkvm.c | 8 ++------
 arch/arm64/kvm/pkvm.c | 3 ++-
 4 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
index 05bd6c2d04af..9e9615a061aa 100644
--- a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
+++ b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
@@ -66,7 +66,7 @@ extern phys_addr_t pvmfw_base;
 extern phys_addr_t pvmfw_size;
 
 int __pkvm_init_shadow(struct kvm *kvm, void *shadow_va, size_t size, void *pgd);
-int __pkvm_teardown_shadow(struct kvm *kvm);
+int __pkvm_teardown_shadow(int shadow_handle);
 
 struct kvm_vcpu *get_shadow_vcpu(int shadow_handle, int vcpu_idx);
 void put_shadow_vcpu(struct kvm_vcpu *vcpu);
diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
index 5946fb5462c0..2b23cbf3c3e2 100644
--- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
@@ -966,9 +966,9 @@ static void handle___pkvm_init_shadow(struct kvm_cpu_context *host_ctxt)
 
 static void handle___pkvm_teardown_shadow(struct kvm_cpu_context *host_ctxt)
 {
-	DECLARE_REG(struct kvm *, host_kvm, host_ctxt, 1);
+	DECLARE_REG(int, shadow_handle, host_ctxt, 1);
 
-	cpu_reg(host_ctxt, 1) = __pkvm_teardown_shadow(host_kvm);
+	cpu_reg(host_ctxt, 1) = __pkvm_teardown_shadow(shadow_handle);
 }
 
 typedef void (*hcall_t)(struct kvm_cpu_context *);
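Review bot: The new `DECLARE_REG(int, shadow_handle, host_ctxt, 1)` in handle___pkvm_teardown_shadow() takes the handle straight from a host-controlled register, narrows it to int, and forwards it with no check of its own; now that the host struct pointer is gone, the only thing standing between a forged or stale handle and the teardown path is find_shadow_by_handle(), whose body is outside these hunks. If that lookup uses the handle as a table index it has to reject negative and out-of-range values before indexing, and it should keep doing so under shadow_lock as the hyp pkvm.c hunk shows for the call site. A one-line comment at the DECLARE_REG would make the trust boundary explicit: `/* shadow_handle is host-supplied; find_shadow_by_handle() is the only validation */`. The same observation applies to the __pkvm_teardown_shadow() definition in the hyp pkvm.c hunk.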
diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c
index 13c72b1b6b9c..b69f61ce7db3 100644
--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -637,21 +637,17 @@ err:
 	return ret;
 }
 
-int __pkvm_teardown_shadow(struct kvm *kvm)
+int __pkvm_teardown_shadow(int shadow_handle)
 {
 	struct kvm_hyp_memcache *mc;
 	struct kvm_shadow_vm *vm;
 	struct kvm *host_kvm;
 	size_t shadow_size;
-	int err, shadow_handle;
+	int err;
 	u64 pfn;
 	u64 nr_pages;
 	void *addr;
 
-	kvm = kern_hyp_va(kvm);
-
-	shadow_handle = kvm->arch.pkvm.shadow_handle;
-
 	/* Lookup then remove entry from the shadow table. */
 	hyp_spin_lock(&shadow_lock);
 	vm = find_shadow_by_handle(shadow_handle);
diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c
index 0d926503cd6a..ed9d9b189bb8 100644
--- a/arch/arm64/kvm/pkvm.c
+++ b/arch/arm64/kvm/pkvm.c
@@ -206,7 +206,8 @@ void kvm_shadow_destroy(struct kvm *kvm)
 	struct list_head *ppages;
 
 	if (kvm->arch.pkvm.shadow_handle)
-		WARN_ON(kvm_call_hyp_nvhe(__pkvm_teardown_shadow, kvm));
+		WARN_ON(kvm_call_hyp_nvhe(__pkvm_teardown_shadow,
+					  kvm->arch.pkvm.shadow_handle));
 
 	free_hyp_memcache(&kvm->arch.pkvm.teardown_mc);
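Review bot: `int __pkvm_teardown_shadow(int shadow_handle)` gains a host-supplied parameter but no kernel-doc, and because the hunk also drops the `kern_hyp_va(kvm)` conversion and the read of `kvm->arch.pkvm.shadow_handle`, the contract has changed from "trust the host's struct kvm" to "handle in, entry looked up under shadow_lock"; that is worth stating at the definition so a later change does not quietly reintroduce a host dereference before the lookup. A comment above the signature such as `/* @shadow_handle: host-supplied, untrusted; the find_shadow_by_handle() lookup under shadow_lock appears to be the only validation */` would capture it, with the hedge dropped once the NULL path is confirmed. The remainder of the function — what happens when find_shadow_by_handle() returns NULL, where the retained `host_kvm` local is now assigned from, and the error return — lies outside the hunk.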