* [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker
@ 2026-02-25 17:35 Zenghui Yu
  2026-02-25 17:35 ` [PATCH 1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size Zenghui Yu
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Zenghui Yu @ 2026-02-25 17:35 UTC
  To: kvmarm, linux-arm-kernel
  Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)

From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>

A small step towards fixing the issues discussed in
https://lore.kernel.org/all/3f88cd49-68f1-4276-a067-b7c6beadb27c@linux.dev .

Zenghui Yu (Huawei) (3):
  KVM: arm64: nv: Check S2 limits based on implemented PA size
  KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
  KVM: arm64: nv: Inject a SEA if failed to read the descriptor

 arch/arm64/kvm/nested.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

-- 
2.53.0



* [PATCH 1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size
  2026-02-25 17:35 [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Zenghui Yu
@ 2026-02-25 17:35 ` Zenghui Yu
  2026-02-25 17:35 ` [PATCH 2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR Zenghui Yu
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Zenghui Yu @ 2026-02-25 17:35 UTC
  To: kvmarm, linux-arm-kernel
  Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)

From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>

check_base_s2_limits() checks the validity of SL0 and inputsize against
ia_size (inputsize again!) but the pseudocode from DDI0487 G.a
AArch64.TranslationTableWalk() says that we should check against the
implemented PA size.

We would otherwise fail to walk S2 with a valid configuration. E.g.,
granule size = 4KB, inputsize = 40 bits, initial lookup level = 0 (no
concatenation) on a system with 48 bits PA range supported is allowed by
architecture.

Fix it by obtaining PA size by kvm_get_pa_bits(). Note that
kvm_get_pa_bits() returns the fixed limit now and should eventually reflect
the per VM PARange (one day!). Given that the configured PARange should not
be greater than kvm_ipa_limit, it at least fixes the problem described
above.

While at it, inject a level 0 translation fault to guest if
check_base_s2_limits() fails, as per the pseudocode.

Fixes: 61e30b9eef7f ("KVM: arm64: nv: Implement nested Stage-2 page table walk logic")
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
 arch/arm64/kvm/nested.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index 620126d1f0dc..44ed3915b961 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -152,31 +152,31 @@ static int get_ia_size(struct s2_walk_info *wi)
 	return 64 - wi->t0sz;
 }
 
-static int check_base_s2_limits(struct s2_walk_info *wi,
+static int check_base_s2_limits(struct kvm_vcpu *vcpu, struct s2_walk_info *wi,
 				int level, int input_size, int stride)
 {
-	int start_size, ia_size;
+	int start_size, pa_max;
 
-	ia_size = get_ia_size(wi);
+	pa_max = kvm_get_pa_bits(vcpu->kvm);
 
 	/* Check translation limits */
 	switch (BIT(wi->pgshift)) {
 	case SZ_64K:
-		if (level == 0 || (level == 1 && ia_size <= 42))
+		if (level == 0 || (level == 1 && pa_max <= 42))
 			return -EFAULT;
 		break;
 	case SZ_16K:
-		if (level == 0 || (level == 1 && ia_size <= 40))
+		if (level == 0 || (level == 1 && pa_max <= 40))
 			return -EFAULT;
 		break;
 	case SZ_4K:
-		if (level < 0 || (level == 0 && ia_size <= 42))
+		if (level < 0 || (level == 0 && pa_max <= 42))
 			return -EFAULT;
 		break;
 	}
 
 	/* Check input size limits */
-	if (input_size > ia_size)
+	if (input_size > pa_max)
 		return -EFAULT;
 
 	/* Check number of entries in starting level table */
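Review bot: The caveat that kvm_get_pa_bits() currently returns a fixed limit rather than the per-VM PARange lives only in the commit message; at `pa_max = kvm_get_pa_bits(vcpu->kvm);` it deserves a short comment so that the later switch to a per-VM value is not forgotten. Since vcpu is used only to reach vcpu->kvm, the helper could take a struct kvm * (or the PA size itself) instead of the whole vcpu.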
@@ -269,9 +269,11 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
 	if (input_size > 48 || input_size < 25)
 		return -EFAULT;
 
-	ret = check_base_s2_limits(wi, level, input_size, stride);
-	if (WARN_ON(ret))
+	ret = check_base_s2_limits(vcpu, wi, level, input_size, stride);
+	if (WARN_ON(ret)) {
+		out->esr = compute_fsc(0, ESR_ELx_FSC_FAULT);
 		return ret;
+	}
 
 	base_lower_bound = 3 + input_size - ((3 - level) * stride +
 			   wi->pgshift);
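Review bot: In the `if (WARN_ON(ret))` branch the failure is now reported to the guest as a level 0 translation fault, yet it still goes through WARN_ON() as if it were a host-side bug. If the level and input_size reaching check_base_s2_limits() come from what the L1 guest programmed, this splat is guest-triggerable, which matters on hosts running with panic_on_warn; consider dropping the WARN_ON() or stating in a comment why the condition cannot be reached from guest state. The literal 0 passed to compute_fsc() would also benefit from a comment saying that the fault level is fixed by the pseudocode, as the next patch does with its R_BFHQH reference.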
-- 
2.53.0



* [PATCH 2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
  2026-02-25 17:35 [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Zenghui Yu
  2026-02-25 17:35 ` [PATCH 1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size Zenghui Yu
@ 2026-02-25 17:35 ` Zenghui Yu
  2026-02-25 17:35 ` [PATCH 3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor Zenghui Yu
  2026-03-06 10:48 ` [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Marc Zyngier
  3 siblings, 0 replies; 5+ messages in thread
From: Zenghui Yu @ 2026-02-25 17:35 UTC
  To: kvmarm, linux-arm-kernel
  Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)

From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>

As per R_BFHQH,

" When an Address size fault is generated, the reported fault code
  indicates one of the following:

  If the fault was generated due to the TTBR_ELx used in the translation
  having nonzero address bits above the OA size, then a fault at level 0. "

Fix the reported Address size fault level as being 0 if the base address is
wrongly programmed by L1.

Fixes: 61e30b9eef7f ("KVM: arm64: nv: Implement nested Stage-2 page table walk logic")
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
 arch/arm64/kvm/nested.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index 44ed3915b961..a957542ae3c2 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -280,7 +280,8 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
 	base_addr = wi->baddr & GENMASK_ULL(47, base_lower_bound);
 
 	if (check_output_size(wi, base_addr)) {
-		out->esr = compute_fsc(level, ESR_ELx_FSC_ADDRSZ);
+		/* R_BFHQH */
+		out->esr = compute_fsc(0, ESR_ELx_FSC_ADDRSZ);
 		return 1;
 	}
 
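Review bot: The new comment at `out->esr = compute_fsc(0, ESR_ELx_FSC_ADDRSZ);` is only the rule identifier, so a reader without the Arm ARM at hand cannot tell why level is ignored here. Spell it out, for example "Address size fault on the translation table base is reported at level 0 (R_BFHQH)", so the hard-coded 0 is not later mistaken for a typo of level.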
-- 
2.53.0



* [PATCH 3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor
  2026-02-25 17:35 [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Zenghui Yu
  2026-02-25 17:35 ` [PATCH 1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size Zenghui Yu
  2026-02-25 17:35 ` [PATCH 2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR Zenghui Yu
@ 2026-02-25 17:35 ` Zenghui Yu
  2026-03-06 10:48 ` [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Marc Zyngier
  3 siblings, 0 replies; 5+ messages in thread
From: Zenghui Yu @ 2026-02-25 17:35 UTC
  To: kvmarm, linux-arm-kernel
  Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)

From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>

Failure to read the descriptor (because it is outside of a memslot) should
result in a SEA being injected in the guest.

Suggested-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/86ms1m9lp3.wl-maz@kernel.org
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
 arch/arm64/kvm/nested.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index a957542ae3c2..79e6091b738f 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -296,8 +296,10 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
 
 		paddr = base_addr | index;
 		ret = read_guest_s2_desc(vcpu, paddr, &desc, wi);
-		if (ret < 0)
+		if (ret < 0) {
+			out->esr = ESR_ELx_FSC_SEA_TTW(level);
 			return ret;
+		}
 
 		new_desc = desc;
 
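Review bot: In the `if (ret < 0)` branch out->esr is filled in but the function still returns the negative ret, whereas the address size path in the same function sets out->esr and returns 1. Please confirm that the caller injects the fault for a negative return as well, otherwise the SEA syndrome set here is never delivered; a one-line comment or a sentence in the commit message would settle it. The syndrome is also built directly with ESR_ELx_FSC_SEA_TTW(level) while the neighbouring paths use compute_fsc(); worth a note on why the helper is not used.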
-- 
2.53.0



* Re: [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker
  2026-02-25 17:35 [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker Zenghui Yu
                   ` (2 preceding siblings ...)
  2026-02-25 17:35 ` [PATCH 3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor Zenghui Yu
@ 2026-03-06 10:48 ` Marc Zyngier
  3 siblings, 0 replies; 5+ messages in thread
From: Marc Zyngier @ 2026-03-06 10:48 UTC
  To: kvmarm, linux-arm-kernel, Zenghui Yu; +Cc: oupton, joey.gouly, suzuki.poulose

On Thu, 26 Feb 2026 01:35:12 +0800, Zenghui Yu wrote:
> From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
> 
> A small step towards fixing the issues discussed in
> https://lore.kernel.org/all/3f88cd49-68f1-4276-a067-b7c6beadb27c@linux.dev .
> 
> Zenghui Yu (Huawei) (3):
>   KVM: arm64: nv: Check S2 limits based on implemented PA size
>   KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
>   KVM: arm64: nv: Inject a SEA if failed to read the descriptor
> 
> [...]

Applied to fixes, thanks!

[1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size
      commit: 4c2264ecdf39ddbdb62e37b156015aacf05d0dcb
[2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
      commit: 99a339377f3c1bdf6edd5614d36893ab1806f9e6
[3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor
      commit: eb54fa1025f8b520f0e83a807d76e35e4587c5ff

Cheers,

	M.
-- 
Without deviation from the norm, progress is not possible.


