Date: Fri, 19 Jun 2026 08:41:29 +0100
Message-ID: <86bjd7rn86.wl-maz@kernel.org>
From: Marc Zyngier
To: sashiko-reviews@lists.linux.dev
Cc: "Fuad Tabba", kvmarm@lists.linux.dev, "Oliver Upton"
Subject: Re: [PATCH v2 7/8] KVM: arm64: Add primitives to flush/sync the VGIC state at EL2
In-Reply-To: <20260619072121.395E71F000E9@smtp.kernel.org>
References: <20260619070719.812227-1-tabba@google.com> <20260619070719.812227-8-tabba@google.com> <20260619072121.395E71F000E9@smtp.kernel.org>

On Fri, 19 Jun 2026 08:21:20 +0100,
sashiko-bot@kernel.org wrote:
>
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
>
> New issues:
> - [High] flush_hyp_vgic_state() fails to copy vgic_vmcr from the host vCPU to the hyp vCPU, causing host-side VMCR updates to be silently lost and subsequently clobbered.
>
> Pre-existing issues:
> - [High] flush_hyp_vcpu() unconditionally copies mdcr_el2 from the untrusted host vCPU, allowing the host to control debug trap configurations for protected VMs.
> --
>
> commit 5eaa1440f7e2f022736f913bec34aaa0cbd53a5d
> Author: Marc Zyngier
>
> KVM: arm64: Add primitives to flush/sync the VGIC state at EL2
>
> pKVM performs its own world switch for protected VMs but has no primitives
> to move the per-vCPU VGIC state between the host and hypervisor vCPU
> contexts.
Add flush_hyp_vgic_state() and sync_hyp_vgic_state() to handle > the required copying. > > > diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c > > index f3233ee343a39..2db56146ec493 100644 > > --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c > > +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c > [ ... ] > > @@ -104,6 +104,45 @@ static void fpsimd_sve_sync(struct kvm_vcpu *vcpu) > > *host_data_ptr(fp_owner) = FP_STATE_HOST_OWNED; > > } > > > > +static void flush_hyp_vgic_state(struct pkvm_hyp_vcpu *hyp_vcpu) > > +{ > > + struct kvm_vcpu *host_vcpu = hyp_vcpu->host_vcpu; > > + struct vgic_v3_cpu_if *host_cpu_if, *hyp_cpu_if; > > + unsigned int used_lrs, i; > > + > > + host_cpu_if = &host_vcpu->arch.vgic_cpu.vgic_v3; > > + hyp_cpu_if = &hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3; > > + > > + used_lrs = host_cpu_if->used_lrs; > > + used_lrs = min(used_lrs, hyp_gicv3_nr_lr); > > + > > + hyp_cpu_if->vgic_hcr = host_cpu_if->vgic_hcr; > > + /* Should be a one-off */ > > [Severity: High] > Does flush_hyp_vgic_state() need to copy vgic_vmcr from the host vCPU to the > hyp vCPU here? > > For GICv2-on-GICv3 emulation, guest writes to GICC_VMCR and GICC_CTLR trap > to the host (EL1) as MMIO. GICC_VMCR doesn't exist, so the guest can't write to it. There is no MMIO involved with pKVM, since it is GICv3 only. And the whole point of having a VGIC is to avoid trapping on each access. More importantly, VMCR is not allowed to change behind the guest's back, because it contains the state that the *guest* has programmed there. Can someone *please* unplug Sashiko? I've had enough of it. M. -- Without deviation from the norm, progress is not possible.
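Review bot: in the flush_hyp_vgic_state() hunk, `hyp_cpu_if->vgic_hcr = host_cpu_if->vgic_hcr;` takes the value straight from the host vCPU, which pKVM treats as untrusted, and the comment right after it (`/* Should be a one-off */`) suggests the copy is only meant to happen once. Since ICH_HCR_EL2 enables the virtual CPU interface and selects which guest GIC system register accesses trap to EL2, consider either masking the host-provided value down to the bits the host is allowed to influence or performing the copy only on first run as the comment implies, and say which in the comment. The hunk already bounds the host-supplied LR count with `used_lrs = min(used_lrs, hyp_gicv3_nr_lr);`, so applying the same "clamp what comes from the host" discipline to vgic_hcr would keep the flush path consistent.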