From: Marc Zyngier <maz@kernel.org>
To: p@sswd.pw
Cc: kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	Oliver Upton <oliver.upton@linux.dev>,
	Joey Gouly <joey.gouly@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>, leedongha <gapdev2004@gmail.com>
Subject: Re: [PATCH] arm64: kvm: Fix incorrect VNCR invalidation range calculation
Date: Thu, 04 Sep 2025 10:29:09 +0100
Message-ID: <87wm6ezhui.wl-maz@kernel.org>
In-Reply-To: <20250903123949.24858-1-p@sswd.pw>

On Wed, 03 Sep 2025 13:39:49 +0100,
p@sswd.pw wrote:
> 
> From: leedongha <gapdev2004@gmail.com>
> 
> The code for invalidating VNCR entries in both kvm_invalidate_vncr_ipa()
> and invalidate_vncr_va() incorrectly uses a bitwise AND with `(size - 1)`
> instead of `~(size - 1)` to align the start address. This results
> in masking the address bits instead of aligning them down to the start
> of the block.
> 
> This bug may cause stale VNCR TLB entries to remain valid even after a
> TLBI or MMU notifier, leading to incorrect memory translation and
> unexpected guest behavior.
> 
> Credit
> Team 0xB6 in bob14:
> DongHa Lee (@GAP-dev)
> Gyujeong Jin (@G1uN4sh)
> Daehyeon Ko (@4ncienth)
> Geonha Lee (@leegn4a)
> Hyungyu Oh (@DQPC_lover)
> Jaewon Yang (@R4mbb1)
> 
> Signed-off-by: leedongha <gapdev2004@gmail.com>

The SoB of the person sending the patch is required.

> ---
>  arch/arm64/kvm/nested.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
> index 77db81bae86f..d0ddce877b5d 100644
> --- a/arch/arm64/kvm/nested.c
> +++ b/arch/arm64/kvm/nested.c
> @@ -847,7 +847,7 @@ static void kvm_invalidate_vncr_ipa(struct kvm *kvm, u64 start, u64 end)
>  
>  		ipa_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
>  							    vt->wr.level));
> -		ipa_start = vt->wr.pa & (ipa_size - 1);
> +		ipa_start = vt->wr.pa & ~(ipa_size - 1);
>  		ipa_end = ipa_start + ipa_size;
>  
>  		if (ipa_end <= start || ipa_start >= end)
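Review bot: the corrected `ipa_start = vt->wr.pa & ~(ipa_size - 1);` is right, and the old form explains the symptom described in the commit message: `vt->wr.pa & (ipa_size - 1)` is the offset inside the block, so `ipa_end` became offset + size, a value that almost always lies below `start`, and the check `if (ipa_end <= start || ipa_start >= end)` then skipped the entry instead of invalidating it. Consider spelling it `ipa_start = ALIGN_DOWN(vt->wr.pa, ipa_size);` so the intent is self-documenting; either form relies on ttl_to_size() returning a power of two, so the mask arithmetic is only as safe as that assumption.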
> @@ -887,7 +887,7 @@ static void invalidate_vncr_va(struct kvm *kvm,
>  
>  		va_size = ttl_to_size(pgshift_level_to_ttl(vt->wi.pgshift,
>  							   vt->wr.level));
> -		va_start = vt->gva & (va_size - 1);
> +		va_start = vt->gva & ~(va_size - 1);
>  		va_end = va_start + va_size;
>  
>  		switch (scope->type) {
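Review bot: same fix and same reasoning as the ipa_start hunk; with `va_start = vt->gva & ~(va_size - 1);` the `[va_start, va_end)` span compared under `switch (scope->type)` is now the block's actual VA range rather than an offset-based one. Since the old code silently left stale VNCR TLB entries in place after a TLBI or MMU notifier, the commit message should carry a Fixes: tag naming the commit that introduced these two lines so the change is picked up for stable; the ALIGN_DOWN() spelling suggested for the first hunk would suit here too.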

Yup, absolutely correct. Thanks a lot for spotting this.
With the above nit addressed:

Reviewed-by: Marc Zyngier <maz@kernel.org>

	M.

-- 
Jazz isn't dead. It just smells funny.
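As an added illustration, not part of the patch or of the kernel source, the following constructed C scenario replays the overlap test from kvm_invalidate_vncr_ipa() with the pre-patch and post-patch start computation; the block size, physical address and invalidation window are made-up values chosen so that the invalidation covers the cached block.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Block base as the pre-patch code computed it: this yields the offset
 * *inside* the block, not the block's base address. */
static u64 buggy_block_start(u64 pa, u64 size)
{
	return pa & (size - 1);
}

/* Block base as computed after the fix: align pa down to the block. */
static u64 fixed_block_start(u64 pa, u64 size)
{
	return pa & ~(size - 1);
}

/* Same overlap test as in kvm_invalidate_vncr_ipa(): a cached block
 * [blk_start, blk_end) is skipped if it lies entirely outside [start, end). */
static bool block_overlaps_range(u64 blk_start, u64 size, u64 start, u64 end)
{
	u64 blk_end = blk_start + size;

	return !(blk_end <= start || blk_start >= end);
}

/* Constructed scenario: a VNCR entry for a 2 MiB block holding the page at
 * pa, and an invalidation of exactly that 2 MiB block. Returns true if the
 * entry would be selected for invalidation with the given start function. */
static bool would_invalidate(u64 (*block_start)(u64, u64))
{
	const u64 size = 2 * 1024 * 1024;            /* 2 MiB block, constructed */
	const u64 pa = 0x40201000ULL;                /* page inside block 0x40200000 */
	const u64 inv_start = 0x40200000ULL;
	const u64 inv_end = 0x40400000ULL;

	return block_overlaps_range(block_start(pa, size), size, inv_start, inv_end);
}

int main(void)
{
	printf("pre-patch mask:  %s\n", would_invalidate(buggy_block_start) ? "invalidated" : "stale entry kept");
	printf("post-patch mask: %s\n", would_invalidate(fixed_block_start) ? "invalidated" : "stale entry kept");
	return 0;
}
```

With the pre-patch mask the computed range is [0x1000, 0x201000), which never meets the invalidation window, so the entry survives; with the fix it is [0x40200000, 0x40400000) and is invalidated.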

Thread overview: 4+ messages
2025-09-03 12:39 [PATCH] arm64: kvm: Fix incorrect VNCR invalidation range calculation p
2025-09-04  9:29 ` Marc Zyngier [this message]
2025-09-05  8:30 ` [PATCH v2] KVM: arm64: nv: " p
2025-09-05  8:16   ` Oliver Upton