From: Marc Zyngier <maz@kernel.org>
To: Fuad Tabba <tabba@google.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.linux.dev,
linux-arm-kernel@lists.infradead.org, oliver.upton@linux.dev,
joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com,
catalin.marinas@arm.com, will@kernel.org,
yangyicong@hisilicon.com, wangzhou1@hisilicon.com
Subject: Re: [PATCH v1 2/2] KVM: arm64: Fix vma_shift staleness on nested hwpoison path
Date: Thu, 05 Mar 2026 16:22:01 +0000
Message-ID: <86ldg66yc6.wl-maz@kernel.org>
In-Reply-To: <CA+EHjTwQP=sXJ=SJE3OqByHKm7Si3S41BfuFO827_ZVwaygC9g@mail.gmail.com>
On Thu, 05 Mar 2026 16:13:43 +0000,
Fuad Tabba <tabba@google.com> wrote:
>
> On Thu, 5 Mar 2026 at 16:08, Marc Zyngier <maz@kernel.org> wrote:
> >
> > Hi Fuad,
> >
> > On Wed, 04 Mar 2026 16:22:22 +0000,
> > Fuad Tabba <tabba@google.com> wrote:
> > >
> > > When user_mem_abort() handles a nested stage-2 fault, it truncates
> > > vma_pagesize to respect the guest's mapping size. However, the local
> > > variable vma_shift is never updated to match this new size.
> > >
> > > If the underlying host page turns out to be hardware poisoned,
> > > kvm_send_hwpoison_signal() is called with the original, larger
> > > vma_shift instead of the actual mapping size. This signals incorrect
> > > poison boundaries to userspace and breaks hugepage memory poison
> > > containment for nested VMs.
> > >
> > > Update vma_shift to match the truncated vma_pagesize when operating
> > > on behalf of a nested hypervisor.
> > >
> > > Fixes: fd276e71d1e7 ("KVM: arm64: nv: Handle shadow stage 2 page faults")
> > > Signed-off-by: Fuad Tabba <tabba@google.com>
> > > ---
> > > arch/arm64/kvm/mmu.c | 1 +
> > > 1 file changed, 1 insertion(+)
> > >
> > > diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
> > > index e1d6a4f591a9..b08240e0cab1 100644
> > > --- a/arch/arm64/kvm/mmu.c
> > > +++ b/arch/arm64/kvm/mmu.c
> > > @@ -1751,6 +1751,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
> > >
> > > force_pte = (max_map_size == PAGE_SIZE);
> > > vma_pagesize = min_t(long, vma_pagesize, max_map_size);
> > > + vma_shift = force_pte ? PAGE_SHIFT : __ffs(vma_pagesize);
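Review bot: the force_pte ternary on the added line is redundant. force_pte is defined two lines above as max_map_size == PAGE_SIZE, and the min_t() on the next line then clamps vma_pagesize to PAGE_SIZE in exactly that case, so __ffs(vma_pagesize) already yields PAGE_SHIFT and `vma_shift = __ffs(vma_pagesize);` covers both branches. __ffs() is only a valid shift here because both operands of the min are power-of-two mapping sizes; a one-line comment that vma_shift must track vma_pagesize from this point on, since kvm_send_hwpoison_signal() later reports it to userspace as the poisoned-range size, would make the invariant obvious to the next person who touches this block.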
> >
> > If force_pte is set, then we know that max_map_size == PAGE_SIZE. From
> > there, vma_pagesize == PAGE_SIZE, since nothing can be smaller.
> >
> > Is there anything preventing us from having:
> >
> > vma_shift = __ffs(vma_pagesize);
> >
> > and be done with it?
>
> Nope, nothing prevents that. Even simpler and better.
>
> Would you like me to respin it?
Nah, I'll fix that locally. Thanks for having given it a look.
M.
--
Without deviation from the norm, progress is not possible.
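The bug discussed in this thread, as an added example that is not code from the patch or from the kernel: a small C model of the nested truncation in user_mem_abort() and of what userspace later sees in siginfo. The VMA size, the nested max_map_size and the 4K/2M sizes below are constructed for illustration; send_sig_mceerr() really does pass the shift through as si_addr_lsb, and the model shows why a stale shift over-reports the poisoned range by several orders of magnitude.

```c
#include <stdio.h>

/* Constructed for the example: a 4K granule with 2M block mappings. */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PMD_SHIFT  21UL
#define PMD_SIZE   (1UL << PMD_SHIFT)

/* Stand-in for the kernel's __ffs(): index of the lowest set bit.
 * Only meaningful here because mapping sizes are powers of two. */
static unsigned long shift_of(unsigned long size)
{
	return (unsigned long)__builtin_ctzl(size);
}

struct mapping {
	unsigned long size;	/* size actually mapped at stage-2 */
	unsigned long shift;	/* vma_shift as the code would leave it */
};

/*
 * Model of the nested path: the host VMA allows vma_pagesize, the L1
 * guest's own stage-2 allows max_map_size, and the installed mapping is
 * the smaller. With fixed == 0 the shift is left at the VMA's size
 * (the stale behaviour); with fixed != 0 it is recomputed from the
 * truncated size, which is the one-liner agreed on in the thread.
 */
static struct mapping nested_mapping(unsigned long vma_pagesize,
				     unsigned long max_map_size, int fixed)
{
	struct mapping m;

	m.shift = shift_of(vma_pagesize);
	m.size = vma_pagesize < max_map_size ? vma_pagesize : max_map_size;
	if (fixed)
		m.shift = shift_of(m.size);	/* vma_shift = __ffs(vma_pagesize) */
	return m;
}

struct poison_range {
	unsigned long start;
	unsigned long end;	/* exclusive */
};

/*
 * What a BUS_MCEERR_AR signal conveys: si_addr_lsb is a shift, and the
 * poisoned region is the (1 << lsb)-byte naturally aligned block that
 * contains the faulting address.
 */
static struct poison_range hwpoison_range(unsigned long hva, unsigned long lsb)
{
	struct poison_range r;

	r.start = hva & ~((1UL << lsb) - 1);
	r.end = r.start + (1UL << lsb);
	return r;
}

int main(void)
{
	/* Constructed fault: host VMA backed by a 2M page, nested guest
	 * only maps 4K at that IPA, and the 4K page turns out poisoned. */
	unsigned long hva = 0x7f0000123000UL;
	struct mapping stale = nested_mapping(PMD_SIZE, PAGE_SIZE, 0);
	struct mapping fixed = nested_mapping(PMD_SIZE, PAGE_SIZE, 1);
	struct poison_range a = hwpoison_range(hva, stale.shift);
	struct poison_range b = hwpoison_range(hva, fixed.shift);

	printf("mapped %lu bytes; stale lsb=%lu -> [%#lx, %#lx)\n",
	       stale.size, stale.shift, a.start, a.end);
	printf("mapped %lu bytes; fixed lsb=%lu -> [%#lx, %#lx)\n",
	       fixed.size, fixed.shift, b.start, b.end);
	return 0;
}
```

The stale variant tells userspace that 2M around the address is unusable although only the 4K page that was actually mapped is known bad; the fixed variant reports the 4K page. The force_pte case is the same code path: a 4K VMA mapping cannot be truncated further, so shift_of() of the clamped size is PAGE_SHIFT either way, which is why the ternary in the original patch was unnecessary.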
Thread overview: 10+ messages
2026-03-04 16:22 [PATCH v1 0/2] KVM: arm64: Fix a couple of latent bugs in user_mem_abort() Fuad Tabba
2026-03-04 16:22 ` [PATCH v1 1/2] KVM: arm64: Fix page leak in user_mem_abort() on atomic fault Fuad Tabba
2026-03-05 1:57 ` Yao Yuan
2026-03-04 16:22 ` [PATCH v1 2/2] KVM: arm64: Fix vma_shift staleness on nested hwpoison path Fuad Tabba
2026-03-05 16:07 ` Marc Zyngier
2026-03-05 16:13 ` Fuad Tabba
2026-03-05 16:22 ` Marc Zyngier [this message]
2026-03-05 16:51 ` [PATCH v1 0/2] KVM: arm64: Fix a couple of latent bugs in user_mem_abort() Marc Zyngier
2026-03-05 16:55 ` Fuad Tabba
2026-03-06 10:48 ` Marc Zyngier