From: sashiko-bot@kernel.org
To: "Charlie Jenkins via B4 Relay"
<devnull+thecharlesjenkins.gmail.com@kernel.org>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v2 08/16] riscv: kvm: Use generated instruction headers for csr code
Date: Mon, 22 Jun 2026 04:18:20 +0000 [thread overview]
Message-ID: <20260622041820.5410D1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260621-riscv_insn_table-v2-8-7f0810ee2274@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] KVM's `guest_context.zero` can be overwritten by MMIO reads with `rd=x0`, corrupting subsequent emulated instructions that read `x0`.
--
commit 6e0c9adf0592e2c6310d9a0a01fa605f82581d3e
Author: Charlie Jenkins <thecharlesjenkins@gmail.com>
riscv: kvm: Use generated instruction headers for csr code
Migrate the csr parsing code to use the generated instruction headers
instead of the hand-written instruction composition functions.
> diff --git a/arch/riscv/kvm/vcpu_insn.c b/arch/riscv/kvm/vcpu_insn.c
> index f09f9251d1f0a..8ccf6ec722f03 100644
> --- a/arch/riscv/kvm/vcpu_insn.c
> +++ b/arch/riscv/kvm/vcpu_insn.c
> @@ -146,43 +146,44 @@ int kvm_riscv_vcpu_csr_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
>
> static int csr_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
> {
> + #define GET_REG(_rd) (*((unsigned long *)(&vcpu->arch.guest_context) + _rd))
[Severity: High]
This isn't a bug introduced by this patch, but KVM's software copy of the
zero register (which this GET_REG macro can read) can be permanently
corrupted by a pre-existing issue in MMIO emulation.
When an MMIO load uses x0 as the destination register (e.g., lw x0, (a0)),
kvm_riscv_vcpu_mmio_return() in arch/riscv/kvm/vcpu_insn.c unconditionally
stores the result:
*((ulong *)(&vcpu->arch.guest_context) + vcpu->arch.mmio_decode.rd) =
(long)data << shift >> shift;
Because rd is 0, this overwrites guest_context.zero at index 0.
Unlike kvm_riscv_vcpu_csr_return() which checks if (vcpu->arch.csr_decode.rd)
before writing, the MMIO return path lacks this guard.
Since instruction emulation like the CSR emulation here uses x0 as an
operand and reads from guest_context via GET_REG(), could the corrupted
non-zero value be used instead of the hardware-mandated 0, leading to
incorrect guest execution?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260621-riscv_insn_table-v2-0-7f0810ee2274@gmail.com?part=8
next prev parent reply other threads:[~2026-06-22 4:18 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 4:01 [PATCH v2 00/16] riscv: Generate riscv instruction functions Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` [PATCH v2 01/16] riscv: Introduce instruction table generation Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:13 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 02/16] riscv: alternatives: Use generated instruction headers for patching code Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:28 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 03/16] riscv: kgdb: Use generated instruction headers Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` [PATCH v2 04/16] riscv: Add kprobes instruction simulation KUnit Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:19 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 05/16] riscv: kprobes: Use generated instruction headers Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` [PATCH v2 06/16] riscv: cfi: " Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:35 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 07/16] riscv: Use generated instruction headers for misaligned loads/stores Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:18 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 08/16] riscv: kvm: Use generated instruction headers for csr code Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:18 ` sashiko-bot [this message]
2026-06-22 4:01 ` [PATCH v2 09/16] KVM: device: Add test device Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:13 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 10/16] KVM: riscv: selftests: Add mmio test Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:18 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 11/16] riscv: kvm: Use generated instruction headers for mmio emulation Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:27 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 12/16] riscv: kvm: Add emulated test csr Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:23 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 13/16] KVM: riscv: selftests: Add csr emulation test Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:24 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 14/16] riscv: kvm: Use generated instruction headers for csr emulation Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:30 ` sashiko-bot
2026-06-22 4:01 ` [PATCH v2 15/16] riscv: kexec: Use generated instruction headers for kexec relocations Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` [PATCH v2 16/16] riscv: Remove unused instruction headers Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
2026-06-22 4:01 ` Charlie Jenkins via B4 Relay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622041820.5410D1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=devnull+thecharlesjenkins.gmail.com@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.