Re: [PATCH 6.12] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Stage-2 translation table walk failures (e.g., unbacked memory) return negative error codes without populating the ESR or updating PAR_EL1, leaving the stage-1 IPA in PAR_EL1 as a false success.
--

commit 6d7bd74abe7bde3942c024259e9d4015f378779c
Author: Hyunwoo Kim <imv4bel@gmail.com>
Date:   Fri Jun 26 13:42:07 2026 +0000

KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

This commit fixes missing SRCU lock acquisitions during page table walks in
AT emulation and fault injection. It wraps the calls to kvm_walk_nested_s2
and __kvm_find_s1_desc_level with scoped_guard to ensure they are protected.

Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel

> diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
> index 39f0e87a340e8..8192bc0bbc87b 100644
> --- a/arch/arm64/kvm/at.c
> +++ b/arch/arm64/kvm/at.c

[ ... ]

> @@ -1087,7 +1087,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
>  	/* Do the stage-2 translation */
>  	ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
>  	out.esr = 0;
> -	ret = kvm_walk_nested_s2(vcpu, ipa, &out);
> +	scoped_guard(srcu, &vcpu->kvm->srcu)
> +		ret = kvm_walk_nested_s2(vcpu, ipa, &out);
>  	if (ret < 0)
>  		return;

[Severity: High]
This is a pre-existing issue, but does this early return incorrectly skip
updating PAR_EL1 with a translation fault?

If a nested guest (L1) executes an AT S12E1R instruction pointing to an
unmapped IPA, __kvm_at_s1e01() successfully translates stage-1 and sets
PAR_EL1 to the IPA. Then, when kvm_walk_nested_s2() attempts to read the
stage-2 descriptor, it can fail (e.g., returning -EFAULT from unbacked
memory in walk_nested_s2_pgd()):

walk_nested_s2_pgd() {
        ...
        ret = wi->read_desc(paddr, &desc, wi->data);
        if (ret < 0)
                return ret;
        ...
}

When this negative error code propagates back here to __kvm_at_s12(), we
return immediately. Because compute_par_s12() is bypassed, PAR_EL1 is never
updated with the fault status.

Could this leave the L1 guest to incorrectly observe a successful translation,
mistaking the IPA for the final PA? Should this path populate the ESR and
update PAR_EL1 before returning?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626134210.228892-1-alexevgmart@gmail.com?part=1