Re: [PATCH v2 2/2] KVM: arm64: Bound used_lrs when flushing the pKVM hyp vCPU

[Marc Zyngier <maz@kernel.org>]

On Thu, 04 Jun 2026 16:12:03 +0100,
Hyunwoo Kim <imv4bel@gmail.com> wrote:
> 
> flush_hyp_vcpu() copies the host vGIC state into the hyp's private vCPU
> on every run. The vGIC list register save and restore use used_lrs as
> their loop bound and expect it to stay within the number of implemented
> list registers. While this is generally the case, flush_hyp_vcpu()
> copies vgic_v3 verbatim and does not enforce this, so a value provided
> by the host is used at EL2 to index vgic_lr[] and access ICH_LR<n>_EL2
> (host -> EL2).
> 
> Fix by clamping used_lrs to the number of implemented list registers
> after the copy, as the trusted path already does in
> vgic_flush_lr_state().
> 
> Fixes: be66e67f1750 ("KVM: arm64: Use the pKVM hyp vCPU structure in handle___kvm_vcpu_run()")
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> ---
>  arch/arm64/kvm/hyp/nvhe/hyp-main.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> index 02c5d6e5abcbf..cd807fdb11ba8 100644
> --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> @@ -7,6 +7,7 @@
>  #include <hyp/adjust_pc.h>
>  #include <hyp/switch.h>
>  
> +#include <asm/arch_gicv3.h>
>  #include <asm/pgtable-types.h>
>  #include <asm/kvm_asm.h>
>  #include <asm/kvm_emulate.h>
> @@ -142,6 +143,13 @@ static void flush_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu)
>  
>  	hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3 = host_vcpu->arch.vgic_cpu.vgic_v3;
>  
> +	/* Bound used_lrs by the number of implemented list registers. */
> +	if (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif))

There is no pKVM support without a GICv3 CPU interface, and absolutely
everything already assumes it. Why do we need this extra check?

> +		hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs =
> +			min_t(unsigned int,
> +			      hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs,
> +			      (read_gicreg(ICH_VTR_EL2) & 0xf) + 1);
> +

Reading ICH_VTR_EL2 on each entry is going to cause some really heavy
trapping under NV, and we should avoid this.

kvm_vgic_global_state.nr_lr contains this information, and it should
only be a matter of replicating it (or compute it once) at init time.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.