From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH 3/3] KVM: arm64: Drop redundant READ_ONCE() in pkvm_hyp_vm_is_created()
Date: Thu, 18 Jun 2026 09:22:22 +0000 [thread overview]
Message-ID: <20260618092223.45D231F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260618090128.3913688-4-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Teardown sequence inversion in `kvm_arch_destroy_vm()` causes memory leak of protected guest pages.
--
commit 3c4352fb45fd315836f7f7aa2ad63af580a902d7
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Drop redundant READ_ONCE() in pkvm_hyp_vm_is_created()
This patch removes an unnecessary READ_ONCE() around the read of
kvm->arch.pkvm.is_created. The read is already serialised against concurrent
writers by either config_lock, slots_lock, or the teardown VM lifecycle.
> diff --git a/arch/arm64/kvm/pkvm.c b/arch/arm64/kvm/pkvm.c
> index 67b90a58fbea2..008766273912e 100644
> --- a/arch/arm64/kvm/pkvm.c
> +++ b/arch/arm64/kvm/pkvm.c
> @@ -185,7 +185,11 @@ static int __pkvm_create_hyp_vm(struct kvm *kvm)
>
> bool pkvm_hyp_vm_is_created(struct kvm *kvm)
> {
> - return READ_ONCE(kvm->arch.pkvm.is_created);
> + /*
> + * Serialised by config_lock/slots_lock, or by VM lifecycle at
> + * teardown, so a plain read suffices.
> + */
[Severity: High]
This isn't a bug introduced by this patch, but since the comment mentions the
teardown lifecycle, is there a teardown sequence inversion in
kvm_arch_destroy_vm() that leaks protected guest pages?
Looking at kvm_arch_destroy_vm() in arch/arm64/kvm/arm.c, it calls
pkvm_destroy_hyp_vm() before kvm_uninit_stage2_mmu().
Because kvm_uninit_stage2_mmu() hasn't run yet, __pkvm_start_teardown_vm()
is not invoked. This causes the __pkvm_finalize_teardown_vm hypercall inside
pkvm_destroy_hyp_vm() to be rejected by the hypervisor, and the host clears
the handle via __pkvm_destroy_hyp_vm():
arch/arm64/kvm/pkvm.c:__pkvm_destroy_hyp_vm() {
...
kvm->arch.pkvm.handle = 0;
}
Subsequently, when kvm_uninit_stage2_mmu() does run, it eventually calls
pkvm_pgtable_stage2_destroy_range(), which returns early due to the cleared
handle:
arch/arm64/kvm/pkvm.c:pkvm_pgtable_stage2_destroy_range() {
if (!handle)
return;
...
}
Does this sequence skip page reclamation and unsharing, permanently leaking
all memory donated to the protected guest?
> + return kvm->arch.pkvm.is_created;
> }
>
> int pkvm_create_hyp_vm(struct kvm *kvm)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618090128.3913688-1-tabba@google.com?part=3
next prev parent reply other threads:[~2026-06-18 9:22 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 9:01 [PATCH 0/3] KVM: arm64: pKVM is_created cleanup Fuad Tabba
2026-06-18 9:01 ` [PATCH 1/3] KVM: arm64: Drop the unused EL2-side is_created write Fuad Tabba
2026-06-18 9:01 ` [PATCH 2/3] KVM: arm64: Remove unreachable early checks in pkvm_init_host_vm() Fuad Tabba
2026-06-18 9:01 ` [PATCH 3/3] KVM: arm64: Drop redundant READ_ONCE() in pkvm_hyp_vm_is_created() Fuad Tabba
2026-06-18 9:22 ` sashiko-bot [this message]
2026-06-18 9:40 ` Fuad Tabba
2026-06-18 10:06 ` [PATCH 0/3] KVM: arm64: pKVM is_created cleanup Keir Fraser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260618092223.45D231F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tabba@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.