From: Oliver Upton <oliver.upton@linux.dev>
To: Marc Zyngier <maz@kernel.org>
Cc: kvmarm@lists.linux.dev, kvm@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	Nina Schoetterl-Glausch <nsg@linux.ibm.com>,
	James Morse <james.morse@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH 1/3] KVM: arm64: Fix AArch32 register narrowing on userspace write
Date: Fri, 24 May 2024 12:11:20 -0700
Message-ID: <ZlDmWMtHMyOq5CLC@linux.dev>
In-Reply-To: <20240524141956.1450304-2-maz@kernel.org>

On Fri, May 24, 2024 at 03:19:54PM +0100, Marc Zyngier wrote:
> When userspace writes to once of the core registers, we make

s/once/one/

> sure to narrow the corresponding GPRs if PSTATE indicates
> an AArch32 context.
> 
> The code tries to check whether the context is EL0 or EL1 so
> that it narrows the correct registers. But it does so by checking
> the full PSTATE instead of PSTATE.M.
> 
> As a consequence, and if we are restoring an AArch32 EL0 context
> in a 64bit guest, and that PSTATE has *any* bit set outside of
> PSTATE.M, we narrow *all* registers instead of only the first 15,
> destroying the 64bit state.
> 
> Obviously, this is not something the guest is likely to enjoy.
> 
> Correctly masking PSTATE to only evaluate PSTATE.M fixes it.
> 
> Fixes: 90c1f934ed71 ("KVM: arm64: Get rid of the AArch32 register mapping code")
> Reported-by: Nina Schoetterl-Glausch <nsg@linux.ibm.com>
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> Cc: stable@vger.kernel.org
> ---
>  arch/arm64/kvm/guest.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
> index e2f762d959bb..d9617b11f7a8 100644
> --- a/arch/arm64/kvm/guest.c
> +++ b/arch/arm64/kvm/guest.c
> @@ -276,7 +276,7 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
>  	if (*vcpu_cpsr(vcpu) & PSR_MODE32_BIT) {
>  		int i, nr_reg;
>  
> -		switch (*vcpu_cpsr(vcpu)) {
> +		switch (*vcpu_cpsr(vcpu) & PSR_AA32_MODE_MASK) {
>  		/*
>  		 * Either we are dealing with user mode, and only the
>  		 * first 15 registers (+ PC) must be narrowed to 32bit.
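Review bot: the mask on the switch operand is the whole fix, but the comment that follows it ("Either we are dealing with user mode ...") still only explains the case labels, not why the operand must be PSTATE.M alone; a one-line comment above the switch saying that any flag, IT or other bit outside PSTATE.M would otherwise push an EL0 context into the narrow-everything default would stop the next refactor from dropping the mask again. Minor style point: `*vcpu_cpsr(vcpu)` is now dereferenced twice in three lines (the `PSR_MODE32_BIT` test and the switch); reading it once into a local such as `unsigned long pstate = *vcpu_cpsr(vcpu);` and testing `pstate & PSR_MODE32_BIT` / `pstate & PSR_AA32_MODE_MASK` would tidy this.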
> -- 
> 2.39.2
> 
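The failure Marc describes can be reproduced outside the kernel with a small model of the narrowing loop. The following is an added illustration, not code from the patch or from KVM: it uses the real `PSR_*` constants from arch/arm64/include/uapi/asm/ptrace.h, but the `toy_vcpu` structure, the `masked` switch that selects pre- or post-patch behaviour, and the register fill pattern are constructed for this example. Only the user-mode case label is modelled, following the comment visible in the hunk; the count of registers that lose their upper 32 bits is what distinguishes the two behaviours.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in arch/arm64/include/uapi/asm/ptrace.h. */
#define PSR_MODE32_BIT      0x00000010UL
#define PSR_AA32_MODE_MASK  0x0000001fUL
#define PSR_AA32_MODE_USR   0x00000010UL
#define PSR_AA32_MODE_SVC   0x00000013UL
#define PSR_AA32_N_BIT      0x80000000UL
#define PSR_MODE_EL1h       0x00000005UL

#define NR_GPRS 31

/* Toy vCPU state: x0..x30 plus PSTATE (constructed, not KVM's struct). */
struct toy_vcpu {
	uint64_t regs[NR_GPRS];
	uint64_t pstate;
};

/*
 * Model of the narrowing loop in set_core_reg(). With masked == 0 the
 * switch sees the full PSTATE (pre-patch); with masked == 1 it sees only
 * PSTATE.M (post-patch). Returns the number of GPRs narrowed, or 0 when
 * PSTATE describes an AArch64 context and nothing is touched.
 */
static int narrow_aarch32_regs(struct toy_vcpu *v, int masked)
{
	int i, nr_reg;
	uint64_t sel;

	if (!(v->pstate & PSR_MODE32_BIT))
		return 0;

	sel = masked ? (v->pstate & PSR_AA32_MODE_MASK) : v->pstate;

	switch (sel) {
	/* User mode: only r0-r14 (x0-x14) must be narrowed. */
	case PSR_AA32_MODE_USR:
		nr_reg = 15;
		break;
	/* Privileged AArch32 mode: every register is narrowed. */
	default:
		nr_reg = 31;
		break;
	}

	for (i = 0; i < nr_reg; i++)
		v->regs[i] = (uint32_t)v->regs[i];
	return nr_reg;
}

/*
 * Fill x0..x30 with distinct values carrying non-zero upper halves, run
 * the narrowing under the given PSTATE, and return how many registers
 * lost their upper 32 bits.
 */
static int clobbered_after_write(uint64_t pstate, int masked)
{
	struct toy_vcpu v;
	int i, lost = 0;

	for (i = 0; i < NR_GPRS; i++)
		v.regs[i] = 0xdead0000cafe0000ULL | (uint64_t)i;
	v.pstate = pstate;

	narrow_aarch32_regs(&v, masked);

	for (i = 0; i < NR_GPRS; i++)
		if ((v.regs[i] >> 32) == 0)
			lost++;
	return lost;
}

int main(void)
{
	/* AArch32 EL0 context with the N flag set: PSTATE != PSTATE.M. */
	uint64_t el0_with_flag = PSR_AA32_MODE_USR | PSR_AA32_N_BIT;

	printf("EL0 + N flag, full PSTATE switch : %d regs narrowed\n",
	       clobbered_after_write(el0_with_flag, 0));
	printf("EL0 + N flag, PSTATE.M switch    : %d regs narrowed\n",
	       clobbered_after_write(el0_with_flag, 1));
	printf("SVC + N flag, PSTATE.M switch    : %d regs narrowed\n",
	       clobbered_after_write(PSR_AA32_MODE_SVC | PSR_AA32_N_BIT, 1));
	printf("AArch64 EL1h, PSTATE.M switch    : %d regs narrowed\n",
	       clobbered_after_write(PSR_MODE_EL1h, 1));
	return 0;
}
```

With the unmasked comparison, a single condition flag is enough to make the user-mode case miss and send x15-x30 through the 32-bit truncation; with the mask, the same PSTATE narrows exactly the fifteen registers the comment promises, while a privileged mode still narrows all thirty-one and an AArch64 PSTATE is left alone.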
