From: sashiko-bot@kernel.org
To: "Wei-Lin Chang" <weilin.chang@arm.com>
Cc: kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>,
"Marc Zyngier" <maz@kernel.org>
Subject: Re: [PATCH 3/3] KVM: arm64: nv: Move to per nested mmu ptdump files
Date: Tue, 23 Jun 2026 14:41:01 +0000
Message-ID: <20260623144102.4C4C81F000E9@smtp.kernel.org>
In-Reply-To: <20260623142443.648972-4-weilin.chang@arm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Kernel panic on error path due to kvm_free_stage2_pgd() being called on uninitialized kvm_s2_mmu elements.
--
commit b126bbf9b1139c4e5f8f15f1b55bdfca981c84c3
Author: Wei-Lin Chang <weilin.chang@arm.com>
KVM: arm64: nv: Move to per nested mmu ptdump files
Move the creation of shadow page table debugfs files to be per-nested-mmu
instance instead of recreating them on context binding, avoiding sleeping
operations while holding the mmu_lock.
Link: https://lore.kernel.org/kvmarm/aiuF0KSvvv-ZozI1@sm-arm-grace07/
> diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
> index fb54f6dad995c..07f94b8b82365 100644
> --- a/arch/arm64/kvm/nested.c
> +++ b/arch/arm64/kvm/nested.c
[ ... ]
> @@ -125,6 +130,9 @@ int kvm_vcpu_init_nested(struct kvm_vcpu *vcpu)
> return ret;
> }
>
[Severity: High]
This is a pre-existing issue, but does the error path cleanup loop just
above this return in kvm_vcpu_init_nested() cause a kernel panic if
init_nested_s2_mmu() fails?
The cleanup loop unconditionally calls kvm_free_stage2_pgd() on array
elements from kvm->arch.nested_mmus_size to num_mmus - 1:
    if (ret) {
        for (int i = kvm->arch.nested_mmus_size; i < num_mmus; i++)
            kvm_free_stage2_pgd(&kvm->arch.nested_mmus[i]);
For any element that failed initialization or wasn't visited yet, the
kvm_s2_mmu element remains zero-initialized, meaning mmu->arch is NULL.
Inside arch/arm64/kvm/mmu.c:kvm_free_stage2_pgd(), it calls
kvm_s2_mmu_to_kvm(mmu) which derives the kvm pointer via container_of()
on mmu->arch. This yields an invalid pointer, and the subsequent
write_lock(&kvm->mmu_lock) dereferences it, crashing the kernel.
> + for (int i = kvm->arch.nested_mmus_size; i < num_mmus; i++)
> + kvm_nested_s2_ptdump_create_debugfs(&kvm->arch.nested_mmus[i]);
> +
> kvm->arch.nested_mmus_size = num_mmus;
>
> return 0;
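Review bot: the new loop calls kvm_nested_s2_ptdump_create_debugfs() for every freshly added mmu without checking a result; if that helper can fail, either propagate the error (removing the files already created) or say in a comment that debugfs creation is best-effort and a failure is tolerated. The loop also walks the same [nested_mmus_size, num_mmus) range as the error-path cleanup quoted above, which the commentary notes can reach zero-initialised elements; whatever bound or guard that cleanup adopts, keeping this creation loop on the same range keeps the two sides consistent.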
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623142443.648972-1-weilin.chang@arm.com?part=3
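The failure mode the review describes, an error path that frees array elements which were never initialised, is a general partial-initialisation teardown bug. The following toy model is an added example written for this page; it is not kernel code, and every toy_* name, the 64-byte stand-in for a page table and the fail_at error injection are assumptions of the example. It mirrors the container_of() back-pointer pattern of kvm_s2_mmu and shows an error path that tears down only elements whose initialisation completed, signalled here by a non-NULL back-pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of KVM's nested-mmu array. Every toy_* name is an
 * assumption of this example, not a kernel identifier. */
struct toy_arch { int lock_depth; int nested_mmus_size; }; /* lock_depth: mmu_lock */
struct toy_kvm { struct toy_arch arch; };
/* arch is the back-pointer; it stays NULL while the element is zero-initialised */
struct toy_mmu { struct toy_arch *arch; void *pgd; };

/* container_of() as the kernel defines it, for the toy types. */
#define toy_container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Mirrors kvm_s2_mmu_to_kvm(): with mmu->arch == NULL this yields a wild
 * pointer, so an uninitialised mmu must never reach it. */
static struct toy_kvm *toy_mmu_to_kvm(struct toy_mmu *mmu)
{
	return toy_container_of(mmu->arch, struct toy_kvm, arch);
}

/* Initialise one mmu; fail injects an allocation error for the scenario. */
static int toy_init_mmu(struct toy_kvm *kvm, struct toy_mmu *mmu, int fail)
{
	if (fail)
		return -ENOMEM;
	mmu->pgd = calloc(1, 64);
	if (!mmu->pgd)
		return -ENOMEM;
	mmu->arch = &kvm->arch;  /* set last: marks the element as live */
	return 0;
}

/* Mirrors kvm_free_stage2_pgd(): derive kvm, take the lock, free the table. */
static void toy_free_mmu(struct toy_mmu *mmu)
{
	struct toy_kvm *kvm = toy_mmu_to_kvm(mmu);
	kvm->arch.lock_depth++;
	free(mmu->pgd);
	mmu->pgd = NULL;
	mmu->arch = NULL;
	kvm->arch.lock_depth--;
}

/* An element is safe to free only if its initialisation completed. */
static int toy_mmu_initialised(const struct toy_mmu *mmu)
{
	return mmu->arch != NULL;
}

/* Grow the array to num_mmus. On failure tear down only the elements that
 * were fully initialised; *freed reports how many that was. */
static int toy_grow_nested_mmus(struct toy_kvm *kvm, struct toy_mmu *mmus,
				int num_mmus, int fail_at, int *freed)
{
	int ret = 0;
	*freed = 0;
	for (int i = kvm->arch.nested_mmus_size; i < num_mmus; i++) {
		ret = toy_init_mmu(kvm, &mmus[i], i == fail_at);
		if (ret)
			break;
	}
	if (ret) {
		for (int i = kvm->arch.nested_mmus_size; i < num_mmus; i++) {
			if (!toy_mmu_initialised(&mmus[i]))
				continue;  /* failed or never reached: nothing to free */
			toy_free_mmu(&mmus[i]);
			(*freed)++;
		}
		return ret;
	}
	kvm->arch.nested_mmus_size = num_mmus;
	return 0;
}

/* One scenario on a zeroed kvm and a 4-element array: returns the grow result
 * and reports how many elements the error path freed and the size afterwards. */
static int toy_scenario(int num_mmus, int fail_at, int *freed, int *size_after)
{
	struct toy_kvm kvm;
	struct toy_mmu mmus[4];
	int ret;
	if (num_mmus > 4)
		return -EINVAL;
	memset(&kvm, 0, sizeof(kvm));
	memset(mmus, 0, sizeof(mmus));
	ret = toy_grow_nested_mmus(&kvm, mmus, num_mmus, fail_at, freed);
	*size_after = kvm.arch.nested_mmus_size;
	for (int i = 0; i < num_mmus; i++)  /* release whatever is still live */
		if (toy_mmu_initialised(&mmus[i]))
			toy_free_mmu(&mmus[i]);
	return ret;
}
```

With four elements and the third initialisation failing, toy_scenario() returns -ENOMEM, frees exactly the two live elements and leaves nested_mmus_size unchanged; the uninitialised entries are skipped instead of being handed to the free routine. An equivalent fix bounds the cleanup loop at the index where initialisation failed rather than testing each element; the guard shown here is the more robust choice when elements can also fail part-way through their own init.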