Re: [PATCH v2 7/8] KVM: arm64: Add primitives to flush/sync the VGIC state at EL2

[Marc Zyngier <maz@kernel.org>]

On Fri, 19 Jun 2026 08:21:20 +0100,
sashiko-bot@kernel.org wrote:
> 
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
> 
> New issues:
> - [High] flush_hyp_vgic_state() fails to copy vgic_vmcr from the host vCPU to the hyp vCPU, causing host-side VMCR updates to be silently lost and subsequently clobbered.
> 
> Pre-existing issues:
> - [High] flush_hyp_vcpu() unconditionally copies mdcr_el2 from the untrusted host vCPU, allowing the host to control debug trap configurations for protected VMs.
> --
> 
> commit 5eaa1440f7e2f022736f913bec34aaa0cbd53a5d
> Author: Marc Zyngier <maz@kernel.org>
> 
> KVM: arm64: Add primitives to flush/sync the VGIC state at EL2
> 
> pKVM performs its own world switch for protected VMs but has no primitives
> to move the per-vCPU VGIC state between the host and hypervisor vCPU
> contexts. Add flush_hyp_vgic_state() and sync_hyp_vgic_state() to handle
> the required copying.
> 
> > diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> > index f3233ee343a39..2db56146ec493 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> [ ... ]
> > @@ -104,6 +104,45 @@ static void fpsimd_sve_sync(struct kvm_vcpu *vcpu)
> >  	*host_data_ptr(fp_owner) = FP_STATE_HOST_OWNED;
> >  }
> >  
> > +static void flush_hyp_vgic_state(struct pkvm_hyp_vcpu *hyp_vcpu)
> > +{
> > +	struct kvm_vcpu *host_vcpu = hyp_vcpu->host_vcpu;
> > +	struct vgic_v3_cpu_if *host_cpu_if, *hyp_cpu_if;
> > +	unsigned int used_lrs, i;
> > +
> > +	host_cpu_if	= &host_vcpu->arch.vgic_cpu.vgic_v3;
> > +	hyp_cpu_if	= &hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3;
> > +
> > +	used_lrs	= host_cpu_if->used_lrs;
> > +	used_lrs	= min(used_lrs, hyp_gicv3_nr_lr);
> > +
> > +	hyp_cpu_if->vgic_hcr	= host_cpu_if->vgic_hcr;
> > +	/* Should be a one-off */
> 
> [Severity: High]
> Does flush_hyp_vgic_state() need to copy vgic_vmcr from the host vCPU to the
> hyp vCPU here?
> 
> For GICv2-on-GICv3 emulation, guest writes to GICC_VMCR and GICC_CTLR trap
> to the host (EL1) as MMIO.

GICC_VMCR doesn't exist, so the guest can't write to it. There is no
MMIO involved with pKVM, since it is GICv3 only. And the whole point
of having a VGIC is to avoid trapping on each access.

More importantly, VMCR is not allowed to change behind the guest's
back, because it contains the state that the *guest* has programmed
there.

Can someone *please* unplug Sashiko? I've had enough of it.

	M.

-- 
Without deviation from the norm, progress is not possible.