From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
oliver.upton@linux.dev, mark.rutland@arm.com, will@kernel.org,
joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, broonie@kernel.org, qperret@google.com,
vdonnefort@google.com
Subject: Re: [PATCH v2 4/4] KVM: arm64: Create each pKVM hyp vcpu after its corresponding host vcpu
Date: Thu, 27 Feb 2025 12:09:26 +0000 [thread overview]
Message-ID: <8634fzr3m1.wl-maz@kernel.org> (raw)
In-Reply-To: <20250226215520.1759218-5-tabba@google.com>
On Wed, 26 Feb 2025 21:55:20 +0000,
Fuad Tabba <tabba@google.com> wrote:
>
> Instead of creating and initializing _all_ hyp vcpus in pKVM when
> the first host vcpu runs for the first time, initialize _each_
> hyp vcpu in conjunction with its corresponding host vcpu.
>
> Some of the host vcpu state (e.g., system registers and traps
> values) is not initialized until the first time the host vcpu is
> run. Therefore, initializing a hyp vcpu before its corresponding
> host vcpu has run for the first time might not view the complete
> host state of these vcpus.
>
> Additionally, this behavior is inline with non-protected modes.
>
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> arch/arm64/include/asm/kvm_host.h | 2 +
> arch/arm64/include/asm/kvm_pkvm.h | 1 +
> arch/arm64/kvm/arm.c | 4 ++
> arch/arm64/kvm/hyp/include/nvhe/pkvm.h | 6 ---
> arch/arm64/kvm/hyp/nvhe/pkvm.c | 54 +++++++++++++++-----------
> arch/arm64/kvm/pkvm.c | 28 ++++++-------
> 6 files changed, 53 insertions(+), 42 deletions(-)
>
> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
> index 3a7ec98ef123..4a0e522f6001 100644
> --- a/arch/arm64/include/asm/kvm_host.h
> +++ b/arch/arm64/include/asm/kvm_host.h
> @@ -869,6 +869,8 @@ struct kvm_vcpu_arch {
> #define VCPU_INITIALIZED __vcpu_single_flag(cflags, BIT(0))
> /* SVE config completed */
> #define VCPU_SVE_FINALIZED __vcpu_single_flag(cflags, BIT(1))
> +/* pKVM VCPU setup completed */
> +#define VCPU_PKVM_FINALIZED __vcpu_single_flag(cflags, BIT(2))
>
> /* Exception pending */
> #define PENDING_EXCEPTION __vcpu_single_flag(iflags, BIT(0))
> diff --git a/arch/arm64/include/asm/kvm_pkvm.h b/arch/arm64/include/asm/kvm_pkvm.h
> index eb65f12e81d9..abd693ce5b93 100644
> --- a/arch/arm64/include/asm/kvm_pkvm.h
> +++ b/arch/arm64/include/asm/kvm_pkvm.h
> @@ -19,6 +19,7 @@
> int pkvm_init_host_vm(struct kvm *kvm);
> int pkvm_create_hyp_vm(struct kvm *kvm);
> void pkvm_destroy_hyp_vm(struct kvm *kvm);
> +int pkvm_create_hyp_vcpu(struct kvm_vcpu *vcpu);
>
> /*
> * This functions as an allow-list of protected VM capabilities.
> diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> index b8e55a441282..cd7a808eeb64 100644
> --- a/arch/arm64/kvm/arm.c
> +++ b/arch/arm64/kvm/arm.c
> @@ -833,6 +833,10 @@ int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu)
> ret = pkvm_create_hyp_vm(kvm);
> if (ret)
> return ret;
> +
> + ret = pkvm_create_hyp_vcpu(vcpu);
> + if (ret)
> + return ret;
> }
>
> mutex_lock(&kvm->arch.config_lock);
> diff --git a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
> index e42bf68c8848..ce31d3b73603 100644
> --- a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
> +++ b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
> @@ -43,12 +43,6 @@ struct pkvm_hyp_vm {
> struct hyp_pool pool;
> hyp_spinlock_t lock;
>
> - /*
> - * The number of vcpus initialized and ready to run.
> - * Modifying this is protected by 'vm_table_lock'.
> - */
> - unsigned int nr_vcpus;
> -
> /* Array of the hyp vCPU structures for this VM. */
> struct pkvm_hyp_vcpu *vcpus[];
> };
> diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c
> index 6efb9bf56180..4ef3748dc660 100644
> --- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
> +++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
> @@ -245,10 +245,12 @@ struct pkvm_hyp_vcpu *pkvm_load_hyp_vcpu(pkvm_handle_t handle,
>
> hyp_spin_lock(&vm_table_lock);
> hyp_vm = get_vm_by_handle(handle);
> - if (!hyp_vm || hyp_vm->nr_vcpus <= vcpu_idx)
> + if (!hyp_vm || hyp_vm->kvm.created_vcpus <= vcpu_idx)
Why is it reasonable to trust kvm.created_vcpus here? It looks like
something that is under direct control of the host, and that could be
arbitrarily changed to allow dereferencing the vcpus[] array past its
actual boundaries.
What guarantees that it is stable at load-time?
I have similar misgivings about the init and teardown paths.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2025-02-27 12:09 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-26 21:55 [PATCH v2 0/4] KVM: arm64: Fix initializing HCRX_EL2 and other traps in pKVM Fuad Tabba
2025-02-26 21:55 ` [PATCH v2 1/4] KVM: arm64: Factor out setting HCRX_EL2 traps into separate function Fuad Tabba
2025-02-26 21:55 ` [PATCH v2 2/4] KVM: arm64: Initialize HCRX_EL2 traps in pKVM Fuad Tabba
2025-02-26 21:55 ` [PATCH v2 3/4] KVM: arm64: Factor out pKVM hyp vcpu creation to separate function Fuad Tabba
2025-02-28 19:44 ` Quentin Perret
2025-03-03 7:57 ` Fuad Tabba
2025-03-03 19:18 ` Will Deacon
2025-03-03 19:21 ` Fuad Tabba
2025-03-03 21:49 ` Will Deacon
2025-03-04 12:33 ` Fuad Tabba
2025-03-12 15:29 ` Will Deacon
2025-03-12 15:31 ` Fuad Tabba
2025-03-14 11:14 ` Will Deacon
2025-02-26 21:55 ` [PATCH v2 4/4] KVM: arm64: Create each pKVM hyp vcpu after its corresponding host vcpu Fuad Tabba
2025-02-27 12:09 ` Marc Zyngier [this message]
2025-02-27 12:47 ` Fuad Tabba
2025-02-27 14:13 ` Marc Zyngier
2025-02-27 14:13 ` [PATCH v2 0/4] KVM: arm64: Fix initializing HCRX_EL2 and other traps in pKVM Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8634fzr3m1.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=oliver.upton@linux.dev \
--cc=qperret@google.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=vdonnefort@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.