* [PATCH 6.12] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
@ 2026-06-26 13:42 Alexander Martyniuk
From: Alexander Martyniuk @ 2026-06-26 13:42 UTC
  To: stable, Greg Kroah-Hartman
  Cc: Alexander Martyniuk, Marc Zyngier, Oliver Upton, Joey Gouly,
	Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon,
	linux-arm-kernel, kvmarm, linux-kernel, Oliver Upton, Hyunwoo Kim

From: Hyunwoo Kim <imv4bel@gmail.com>

commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 upstream.

walk_s1() and kvm_walk_nested_s2() expect to be called while holding
kvm->srcu to guard against memslot changes. While this is generally
the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
respective walkers without taking kvm->srcu.

Fix by acquiring kvm->srcu prior to the table walk in both instances.

Cc: stable@vger.kernel.org
Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
Suggested-by: Oliver Upton <oupton@kernel.org>
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Oliver Upton <oupton@kernel.org>
Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
Signed-off-by: Marc Zyngier <maz@kernel.org>
[Alexander: __kvm_find_s1_desc_level() not present, patching only __kvm_at_s12()]
Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>
---
 arch/arm64/kvm/at.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
index 39f0e87a340e..8192bc0bbc87 100644
--- a/arch/arm64/kvm/at.c
+++ b/arch/arm64/kvm/at.c
@@ -1087,7 +1087,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
 	/* Do the stage-2 translation */
 	ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
 	out.esr = 0;
-	ret = kvm_walk_nested_s2(vcpu, ipa, &out);
+	scoped_guard(srcu, &vcpu->kvm->srcu)
+		ret = kvm_walk_nested_s2(vcpu, ipa, &out);
 	if (ret < 0)
 		return;
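Review bot: the scoped_guard(srcu, &vcpu->kvm->srcu) added here protects only the kvm_walk_nested_s2() call in __kvm_at_s12(), and the bracketed backport note says __kvm_find_s1_desc_level() does not exist in 6.12, yet the commit message still says "Fix by acquiring kvm->srcu prior to the table walk in both instances" and the subject still names fault injection; for the stable tree the message should be reworded to describe the single AT-emulation site this backport touches. Note also that the `if (ret < 0) return;` directly after the guarded walk is unchanged, so a failed stage-2 walk still returns from __kvm_at_s12() without updating PAR_EL1, and since the maintainer's reply in this thread points to [1] as explaining why the SRCU guard is not needed at all, that discussion should be resolved before the patch is queued for stable.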
 
-- 
2.43.0



* Re: [PATCH 6.12] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
From: sashiko-bot @ 2026-06-26 13:58 UTC
  To: Alexander Martyniuk; +Cc: Oliver Upton, Marc Zyngier, kvmarm

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Stage-2 translation table walk failures (e.g., unbacked memory) return negative error codes without populating the ESR or updating PAR_EL1, leaving the stage-1 IPA in PAR_EL1 as a false success.
--

commit 6d7bd74abe7bde3942c024259e9d4015f378779c
Author: Hyunwoo Kim <imv4bel@gmail.com>
Date:   Fri Jun 26 13:42:07 2026 +0000

KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation

This commit fixes missing SRCU lock acquisitions during page table walks in
AT emulation and fault injection. It wraps the calls to kvm_walk_nested_s2
and __kvm_find_s1_desc_level with scoped_guard to ensure they are protected.

Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel

> diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
> index 39f0e87a340e8..8192bc0bbc87b 100644
> --- a/arch/arm64/kvm/at.c
> +++ b/arch/arm64/kvm/at.c

[ ... ]

> @@ -1087,7 +1087,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
>  	/* Do the stage-2 translation */
>  	ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
>  	out.esr = 0;
> -	ret = kvm_walk_nested_s2(vcpu, ipa, &out);
> +	scoped_guard(srcu, &vcpu->kvm->srcu)
> +		ret = kvm_walk_nested_s2(vcpu, ipa, &out);
>  	if (ret < 0)
>  		return;

[Severity: High]
This is a pre-existing issue, but does this early return incorrectly skip
updating PAR_EL1 with a translation fault?

If a nested guest (L1) executes an AT S12E1R instruction pointing to an
unmapped IPA, __kvm_at_s1e01() successfully translates stage-1 and sets
PAR_EL1 to the IPA. Then, when kvm_walk_nested_s2() attempts to read the
stage-2 descriptor, it can fail (e.g., returning -EFAULT from unbacked
memory in walk_nested_s2_pgd()):

walk_nested_s2_pgd() {
        ...
        ret = wi->read_desc(paddr, &desc, wi->data);
        if (ret < 0)
                return ret;
        ...
}

When this negative error code propagates back here to __kvm_at_s12(), we
return immediately. Because compute_par_s12() is bypassed, PAR_EL1 is never
updated with the fault status.

Could this leave the L1 guest to incorrectly observe a successful translation,
mistaking the IPA for the final PA? Should this path populate the ESR and
update PAR_EL1 before returning?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626134210.228892-1-alexevgmart@gmail.com?part=1


* Re: [PATCH 6.12] KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
From: Marc Zyngier @ 2026-06-26 14:20 UTC
  To: Alexander Martyniuk
  Cc: stable, Greg Kroah-Hartman, Oliver Upton, Joey Gouly,
	Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon,
	linux-arm-kernel, kvmarm, linux-kernel, Oliver Upton, Hyunwoo Kim

On Fri, 26 Jun 2026 14:42:07 +0100,
Alexander Martyniuk <alexevgmart@gmail.com> wrote:
> 
> From: Hyunwoo Kim <imv4bel@gmail.com>
> 
> commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 upstream.
> 
> walk_s1() and kvm_walk_nested_s2() expect to be called while holding
> kvm->srcu to guard against memslot changes. While this is generally
> the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
> respective walkers without taking kvm->srcu.
> 
> Fix by acquiring kvm->srcu prior to the table walk in both instances.
> 
> Cc: stable@vger.kernel.org
> Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
> Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
> Suggested-by: Oliver Upton <oupton@kernel.org>
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> Reviewed-by: Oliver Upton <oupton@kernel.org>
> Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> [Alexander: __kvm_find_s1_desc_level() not present, patching only __kvm_at_s12()]
> Signed-off-by: Alexander Martyniuk <alexevgmart@gmail.com>

See thread at [1], which explains why this is not needed.

	M.

[1] https://lore.kernel.org/all/aifnUC7gmeniiYPv@v4bel/

-- 
Without deviation from the norm, progress is not possible.
