From: sashiko-bot@kernel.org
To: "Paolo Bonzini" <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 5.10.y 12/17] KVM: x86/mmu: Check PDPTRs before allocating PAE roots
Date: Fri, 26 Jun 2026 13:44:11 +0000
Message-ID: <20260626134412.49C721F000E9@smtp.kernel.org>
In-Reply-To: <20260626112634.1778506-13-pbonzini@redhat.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Calling mmu->get_pdptr() (which can sleep) while holding the vcpu->kvm->mmu_lock spinlock, leading to sleep-in-atomic bugs.
--
commit f2009072d01cd7e9d707fa7cab9918b457bec0aa
Author: Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Check PDPTRs before allocating PAE roots
This commit adds a validity check for PDPTRs before allocating any of the PAE
roots. It iterates over the PDPTRs and checks if they are valid to prevent KVM
from leaking previously allocated roots when a bad PDPTR is encountered.
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -3308,7 +3308,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
> static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
> {
> struct kvm_mmu *mmu = vcpu->arch.mmu;
> - u64 pdptr, pm_mask;
> + u64 pdptrs[4], pm_mask;
> gfn_t root_gfn, root_pgd;
> int quadrant, i;
> hpa_t root;
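Review bot: this hunk only changes the declaration from the scalar `pdptr` to `pdptrs[4]`; the body of mmu_alloc_shadow_roots() that consumed `pdptr` is outside the shown hunks, so confirm that every former use was converted to `pdptrs[i]` (a leftover `pdptr` reference will not compile) and that the PAE loop reads the cached array instead of calling `mmu->get_pdptr()` a second time.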
> @@ -3319,6 +3319,17 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
> if (mmu_check_root(vcpu, root_gfn))
> return 1;
>
> + if (mmu->root_level == PT32E_ROOT_LEVEL) {
> + for (i = 0; i < 4; ++i) {
> + pdptrs[i] = mmu->get_pdptr(vcpu, i);
[Severity: High]
Does this sequence call mmu->get_pdptr() while holding a spinlock?
Looking at kvm_mmu_load(), it calls mmu_alloc_shadow_roots() while holding
vcpu->kvm->mmu_lock:
kvm_mmu_load()
spin_lock(&vcpu->kvm->mmu_lock);
...
r = mmu_alloc_shadow_roots(vcpu);
If the vCPU is running a nested guest (L2) with a 32-bit PAE NPT, the callback
for mmu->get_pdptr() is nested_svm_get_tdp_pdptr(). This function reads guest
memory via kvm_vcpu_read_guest_page(), which can sleep.
Can this lead to a sleep-in-atomic issue when the lock is held?
> + if (!(pdptrs[i] & PT_PRESENT_MASK))
> + continue;
> +
> + if (mmu_check_root(vcpu, pdptrs[i] >> PAGE_SHIFT))
> + return 1;
> + }
> + }
> +
> /*
> * Do we shadow a long mode page table? If so we need to
> * write-protect the guests page table root.
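Review bot: the new loop validates all four PDPTRs before any root is allocated, but the later PAE loop that builds the roots is not in this hunk; it must consume the cached `pdptrs[i]` rather than call `mmu->get_pdptr()` again, otherwise a PDPTR that changes between the two reads bypasses the check just added. The locking question raised in the interleaved comment turns on whether the caller already holds mmu_lock when `mmu->get_pdptr()` runs, and that caller is not in the diff either; the commit message (or a short comment above the `if (mmu->root_level == PT32E_ROOT_LEVEL)` block) should state that the PDPTR reads happen before the lock is taken, so a reviewer of the backport does not have to reconstruct the 5.10 call chain to rule out a sleep-in-atomic.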
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626112634.1778506-1-pbonzini@redhat.com?part=12
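The commit message above describes the fix as "validate all PDPTRs, then allocate", so that a bad entry cannot leave earlier roots behind. The following user-space model, an added example that is not KVM's code, makes the leak observable: `gfn_visible()` stands in for kvm_vcpu_is_visible_gfn() over a constructed two-slot memory map, `check_root()` mirrors mmu_check_root(), and a hypothetical root allocator keeps a live-root counter so the two orderings can be compared on the same PDPTR set. `PT_PRESENT_MASK`, `PAGE_SHIFT`, the memslot table and the sample PDPTRs are all constructed for illustration.

```c
/* Added example (not KVM's code): user-space model of the
 * "validate all PDPTRs, then allocate PAE roots" ordering. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT      12
#define PT_PRESENT_MASK 0x1ULL

/* Constructed guest memory map: the gfn ranges the "vCPU" may see. */
struct memslot { uint64_t base_gfn; uint64_t npages; };
static const struct memslot slots[] = {
	{ .base_gfn = 0x00000, .npages = 0x100 }, /* 0 .. 1 MiB        */
	{ .base_gfn = 0x80000, .npages = 0x400 }, /* 2 GiB .. 2 GiB+4 MiB */
};

/* Stand-in for kvm_vcpu_is_visible_gfn() over the constructed map. */
static bool gfn_visible(uint64_t gfn)
{
	for (size_t i = 0; i < sizeof(slots) / sizeof(slots[0]); i++)
		if (gfn >= slots[i].base_gfn &&
		    gfn < slots[i].base_gfn + slots[i].npages)
			return true;
	return false;
}

/* Mirrors mmu_check_root(): non-zero means "triple fault, bail out". */
static int check_root(uint64_t root_gfn)
{
	return gfn_visible(root_gfn) ? 0 : 1;
}

/* Hypothetical root allocator; live_roots counts roots not yet freed. */
static int live_roots;
static uint64_t alloc_root(uint64_t gfn) { live_roots++; return gfn << PAGE_SHIFT; }
static void free_root(uint64_t root) { (void)root; live_roots--; }

/* The check the patch adds: walk all four PDPTRs before touching a root. */
int validate_pdptrs(const uint64_t pdptrs[4])
{
	for (int i = 0; i < 4; i++) {
		if (!(pdptrs[i] & PT_PRESENT_MASK))
			continue;
		if (check_root(pdptrs[i] >> PAGE_SHIFT))
			return 1;
	}
	return 0;
}

/* Pre-fix ordering: allocate as we go, so a bad PDPTR in a later slot
 * leaves the roots already allocated for earlier slots behind. */
int alloc_pae_roots_old(const uint64_t pdptrs[4], uint64_t roots[4])
{
	for (int i = 0; i < 4; i++) {
		roots[i] = 0;
		if (!(pdptrs[i] & PT_PRESENT_MASK))
			continue;
		if (check_root(pdptrs[i] >> PAGE_SHIFT))
			return 1; /* roots[0..i-1] are never freed */
		roots[i] = alloc_root(pdptrs[i] >> PAGE_SHIFT);
	}
	return 0;
}

/* Post-fix ordering: validate everything first, then allocate. */
int alloc_pae_roots_new(const uint64_t pdptrs[4], uint64_t roots[4])
{
	memset(roots, 0, 4 * sizeof(roots[0]));
	if (validate_pdptrs(pdptrs))
		return 1; /* nothing allocated yet, nothing to leak */
	for (int i = 0; i < 4; i++)
		if (pdptrs[i] & PT_PRESENT_MASK)
			roots[i] = alloc_root(pdptrs[i] >> PAGE_SHIFT);
	return 0;
}

static void release_roots(uint64_t roots[4])
{
	for (int i = 0; i < 4; i++)
		if (roots[i]) { free_root(roots[i]); roots[i] = 0; }
}

/* Run one PDPTR set through an allocator; return how many roots leaked. */
int leaked_roots(int (*alloc)(const uint64_t[4], uint64_t[4]),
		 const uint64_t pdptrs[4])
{
	uint64_t roots[4];
	live_roots = 0;
	if (alloc(pdptrs, roots) == 0)
		release_roots(roots);
	return live_roots;
}

/* Constructed inputs: entries 0 and 1 are visible, entry 2 points outside
 * every memslot, entry 3 is not present. */
const uint64_t sample_bad[4] = {
	(0x10ULL << PAGE_SHIFT) | PT_PRESENT_MASK,
	(0x80010ULL << PAGE_SHIFT) | PT_PRESENT_MASK,
	(0xFFFF0ULL << PAGE_SHIFT) | PT_PRESENT_MASK,
	0,
};
const uint64_t sample_good[4] = {
	(0x10ULL << PAGE_SHIFT) | PT_PRESENT_MASK,
	0,
	(0x80010ULL << PAGE_SHIFT) | PT_PRESENT_MASK,
	0,
};

int main(void)
{
	printf("old ordering leaked %d root(s)\n", leaked_roots(alloc_pae_roots_old, sample_bad));
	printf("new ordering leaked %d root(s)\n", leaked_roots(alloc_pae_roots_new, sample_bad));
	return 0;
}
```

With the constructed inputs the old ordering leaks the two roots allocated before the bad third entry, while the new ordering allocates nothing and leaks nothing; a present-bit-clear entry is skipped by both, matching the `continue` in the hunk.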
2026-06-26 11:26 [PATCH 5.10.y 00/17] KVM: fixes for CVE-2026-46113 and related issues Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 01/17] KVM: x86/mmu: Capture 'mmu' in a local variable when allocating roots Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 02/17] KVM: x86/mmu: Allocate the lm_root before allocating PAE roots Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 03/17] KVM: x86/mmu: Allocate pae_root and lm_root pages in dedicated helper Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 04/17] KVM: x86/mmu: Ensure MMU pages are available when allocating roots Paolo Bonzini
2026-06-26 12:26 ` sashiko-bot
2026-06-26 17:54 ` Sasha Levin
2026-06-26 11:26 ` [PATCH 5.10.y 05/17] KVM: x86/mmu: Use a bool for direct Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 06/17] KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root() Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 07/17] KVM: x86/mmu: Refactor shadow walk in __direct_map() to reduce indentation Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 08/17] KVM: X86: Fix missed remote tlb flush in rmap_write_protect() Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 09/17] KVM: X86: Synchronize the shadow pagetable before link it Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 10/17] KVM: x86/mmu: Derive shadow MMU page role from parent Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 11/17] KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes Paolo Bonzini
2026-06-26 13:28 ` sashiko-bot
2026-06-26 11:26 ` [PATCH 5.10.y 12/17] KVM: x86/mmu: Check PDPTRs before allocating PAE roots Paolo Bonzini
2026-06-26 13:44 ` sashiko-bot [this message]
2026-06-26 11:26 ` [PATCH 5.10.y 13/17] KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page() Paolo Bonzini
2026-06-26 14:01 ` sashiko-bot
2026-06-26 11:26 ` [PATCH 5.10.y 14/17] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 15/17] KVM: x86: Fix shadow paging use-after-free due to unexpected role Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 16/17] KVM: x86/mmu: Pass the memslot to the rmap callbacks Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.10.y 17/17] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Paolo Bonzini
2026-06-26 14:53 ` sashiko-bot