From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.linux.dev,
linux-arm-kernel@lists.infradead.org, oliver.upton@linux.dev,
joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v1 1/3] KVM: arm64: Hide S1POE from guests when not supported by the host
Date: Thu, 12 Feb 2026 09:29:37 +0000 [thread overview]
Message-ID: <86jywib98e.wl-maz@kernel.org> (raw)
In-Reply-To: <20260212090252.158689-2-tabba@google.com>
Hi Fuad,
On Thu, 12 Feb 2026 09:02:50 +0000,
Fuad Tabba <tabba@google.com> wrote:
>
> When CONFIG_ARM64_POE is disabled, KVM does not save/restore POR_EL1.
> However, ID_AA64MMFR3_EL1 sanitisation currently exposes the feature to
> guests whenever the hardware supports it, ignoring the host kernel
> configuration.
This is the umpteenth time we get caught by this. PAN was the latest
instance until this one. Maybe an approach would be to have a default
override when a config option is not enabled, so that KVM is
consistent with the rest of the kernel?
>
> If a guest detects this feature and attempts to use it, the host will
> fail to context-switch POR_EL1, potentially leading to state corruption.
>
> Fix this by masking ID_AA64MMFR3_EL1.S1POE and preventing KVM from
> advertising the feature when the host does not support it, i.e.,
> system_supports_poe() is false.
>
> Fixes: 70ed7238297f ("KVM: arm64: Sanitise ID_AA64MMFR3_EL1")
> Signed-off-by: Fuad Tabba <tabba@google.com>
> ---
> arch/arm64/include/asm/kvm_host.h | 3 ++-
> arch/arm64/kvm/sys_regs.c | 3 +++
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
> index ac7f970c7883..7af72ca749a6 100644
> --- a/arch/arm64/include/asm/kvm_host.h
> +++ b/arch/arm64/include/asm/kvm_host.h
> @@ -1592,7 +1592,8 @@ void kvm_set_vm_id_reg(struct kvm *kvm, u32 reg, u64 val);
> (kvm_has_feat((k), ID_AA64MMFR3_EL1, S1PIE, IMP))
>
> #define kvm_has_s1poe(k) \
> - (kvm_has_feat((k), ID_AA64MMFR3_EL1, S1POE, IMP))
> + (system_supports_poe() && \
> + kvm_has_feat((k), ID_AA64MMFR3_EL1, S1POE, IMP))
Why do we need to further key this on system_supports_poe()? I can see
this is a potential optimisation, but I don't think this is part of
the minimal fix.
>
> #define kvm_has_ras(k) \
> (kvm_has_feat((k), ID_AA64PFR0_EL1, RAS, IMP))
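Review bot: the added system_supports_poe() term in kvm_has_s1poe() is redundant with the sys_regs.c masking in the same patch: once S1POE is cleared from the VM's sanitised ID_AA64MMFR3_EL1, kvm_has_feat() already returns false for every guest, so the extra guard only changes behaviour if some caller can observe an ID register value the sanitiser never produced. If such a caller exists (for instance a hyp-side path that does not read the VM's ID registers), name it in the commit message; otherwise drop this hunk so kvm_has_s1poe() keeps the same one-line shape as kvm_has_s1pie() directly above it and the stable backport stays minimal.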
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 88a57ca36d96..237e8bd1cf29 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -1816,6 +1816,9 @@ static u64 __kvm_read_sanitised_id_reg(const struct kvm_vcpu *vcpu,
> ID_AA64MMFR3_EL1_SCTLRX |
> ID_AA64MMFR3_EL1_S1POE |
> ID_AA64MMFR3_EL1_S1PIE;
> +
> + if (!system_supports_poe())
> + val &= ~ID_AA64MMFR3_EL1_S1POE;
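Review bot: the new mask relies on system_supports_poe() being false whenever CONFIG_ARM64_POE is off, which the commit message states but the hunk does not explain; a one-line comment above the `if` saying that the host only context-switches POR_EL1 when it supports POE would tell the next reader why this single field is stripped right after being included in the mask built just above. Since the patch changes no trap configuration, the commit message should also state whether a guest that ignores ID_AA64MMFR3_EL1 and accesses POR_EL1 anyway now traps (UNDEF) or still reaches hardware state the host does not save.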
How about S1PIE? It seems to have a similar problem, in the sense that
it has extra state. But I guess because we don't put it behind a
config option, we context-switch it anyway and all is good?
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
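The mechanism under discussion, as a stand-alone model added here (not kernel code and not part of this thread): a sanitised ID register read that first keeps only the fields KVM is willing to expose and then clears S1POE when the host kernel was not built to context-switch POR_EL1, followed by the guest-side feature check and a model of the rule that userspace may lower but never raise a field relative to the sanitised limit. The ID_AA64MMFR3_EL1 field positions follow the Arm ARM (S1PIE in bits [11:8], S1POE in bits [19:16]); all function and macro names, the config flag, and the sample hardware value are assumptions of the model, not the kernel's own helpers.

```c
/*
 * Added example, not kernel code: a stand-alone model of a KVM sanitised
 * ID register read that hides a feature the host was not built to
 * context-switch. Field layout of ID_AA64MMFR3_EL1 follows the Arm ARM;
 * every name below (macros, functions, the config flag) is an assumption
 * of this model and not the kernel's own API.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 4-bit field positions in ID_AA64MMFR3_EL1. */
#define MMFR3_TCRX_SHIFT   0
#define MMFR3_SCTLRX_SHIFT 4
#define MMFR3_S1PIE_SHIFT  8
#define MMFR3_S2PIE_SHIFT  12
#define MMFR3_S1POE_SHIFT  16
#define MMFR3_FIELD(shift) (0xfULL << (shift))

/* Fields the sanitiser is willing to expose at all (same set as the patch). */
#define MMFR3_EXPOSED (MMFR3_FIELD(MMFR3_TCRX_SHIFT) |   \
		       MMFR3_FIELD(MMFR3_SCTLRX_SHIFT) | \
		       MMFR3_FIELD(MMFR3_S1POE_SHIFT) |  \
		       MMFR3_FIELD(MMFR3_S1PIE_SHIFT))

/* Constructed sample hardware value: TCRX, SCTLRX, S1PIE, S2PIE, S1POE all = 1. */
#define SAMPLE_HW_MMFR3 0x11111ULL

static inline unsigned int mmfr3_field(uint64_t val, unsigned int shift)
{
	return (unsigned int)((val >> shift) & 0xf);
}

/*
 * Stand-in for system_supports_poe(): true only when the host kernel was
 * built with POE support (CONFIG_ARM64_POE in the real kernel) AND the
 * hardware implements S1POE.
 */
bool model_system_supports_poe(uint64_t hw_mmfr3, bool config_arm64_poe)
{
	return config_arm64_poe && mmfr3_field(hw_mmfr3, MMFR3_S1POE_SHIFT) != 0;
}

/*
 * Guest-visible value. With fixed == false (the pre-patch behaviour) S1POE
 * leaks through whenever the hardware has it; with fixed == true it is
 * cleared when the host cannot context-switch POR_EL1.
 */
uint64_t sanitise_mmfr3(uint64_t hw_mmfr3, bool config_arm64_poe, bool fixed)
{
	uint64_t val = hw_mmfr3 & MMFR3_EXPOSED;

	if (fixed && !model_system_supports_poe(hw_mmfr3, config_arm64_poe))
		val &= ~MMFR3_FIELD(MMFR3_S1POE_SHIFT);
	return val;
}

/* Guest-side check with the shape of kvm_has_feat(..., S1POE, IMP). */
bool guest_has_s1poe(uint64_t vm_mmfr3)
{
	return mmfr3_field(vm_mmfr3, MMFR3_S1POE_SHIFT) >= 1;
}

/*
 * Model of the writable-ID-register rule (assumption of this model): every
 * unsigned field of the requested value may be lowered relative to the
 * sanitised limit but never raised, so userspace cannot re-enable S1POE
 * once the sanitiser has cleared it.
 */
bool id_reg_write_allowed(uint64_t limit, uint64_t requested)
{
	for (unsigned int shift = 0; shift < 64; shift += 4) {
		if (mmfr3_field(requested, shift) > mmfr3_field(limit, shift))
			return false;
	}
	return true;
}

int main(void)
{
	uint64_t before = sanitise_mmfr3(SAMPLE_HW_MMFR3, false, false);
	uint64_t after  = sanitise_mmfr3(SAMPLE_HW_MMFR3, false, true);

	printf("CONFIG_ARM64_POE=n, before fix: 0x%llx guest_has_s1poe=%d\n",
	       (unsigned long long)before, guest_has_s1poe(before));
	printf("CONFIG_ARM64_POE=n, after fix:  0x%llx guest_has_s1poe=%d\n",
	       (unsigned long long)after, guest_has_s1poe(after));
	printf("userspace raising S1POE allowed: %d\n",
	       id_reg_write_allowed(after, before));
	return 0;
}
```

Compile with `cc -std=c99 -Wall model.c`. The two sanitise calls reproduce the bug and the fix side by side: with POE disabled in the host build the unfixed path still reports S1POE to the guest, the fixed path clears it, and the limit check shows why a userspace write cannot bring it back.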
Thread overview: 11+ messages
2026-02-12 9:02 [PATCH v1 0/3] KVM: arm64: Fix guest feature sanitization and pKVM state synchronization Fuad Tabba
2026-02-12 9:02 ` [PATCH v1 1/3] KVM: arm64: Hide S1POE from guests when not supported by the host Fuad Tabba
2026-02-12 9:29 ` Marc Zyngier [this message]
2026-02-12 9:41 ` Fuad Tabba
2026-02-12 15:35 ` Marc Zyngier
2026-02-12 18:53 ` Fuad Tabba
2026-02-13 10:40 ` Marc Zyngier
2026-02-12 9:02 ` [PATCH v1 2/3] KVM: arm64: Fix ID register initialization for non-protected pKVM guests Fuad Tabba
2026-02-13 11:03 ` Marc Zyngier
2026-02-13 11:07 ` Fuad Tabba
2026-02-12 9:02 ` [PATCH v1 3/3] KVM: arm64: Remove redundant kern_hyp_va() in unpin_host_sve_state() Fuad Tabba