From: Hyunwoo Kim <imv4bel@gmail.com>
To: Fuad Tabba <tabba@google.com>
Cc: maz@kernel.org, oupton@kernel.org, joey.gouly@arm.com,
seiden@linux.ibm.com, suzuki.poulose@arm.com,
yuzenghui@huawei.com, catalin.marinas@arm.com, will@kernel.org,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
imv4bel@gmail.com
Subject: Re: [PATCH] KVM: arm64: Sanitise host vCPU fields in flush_hyp_vcpu()
Date: Thu, 4 Jun 2026 22:35:20 +0900
Message-ID: <aiF_GLmaDdD5i1Cp@v4bel>
In-Reply-To: <CA+EHjTwgPFbbp7khcy+DZ9HZWCX-OWPfO78Gj_eQuCoj+SA90g@mail.gmail.com>
On Thu, Jun 04, 2026 at 02:01:17PM +0100, Fuad Tabba wrote:
> Hi Hyunwoo,
>
> On Thu, 4 Jun 2026 at 12:18, Hyunwoo Kim <imv4bel@gmail.com> wrote:
> >
> > flush_hyp_vcpu() copies the host vCPU context and vGIC state into the
> > hyp's private vCPU on every run. ctxt_to_vcpu() expects a guest context
> > to have a NULL __hyp_running_vcpu, which is only ever set on the host
> > context, so that it resolves the vCPU via container_of(). The vGIC list
> > register save and restore expect used_lrs to stay within the number of
> > implemented list registers. While this is generally the case,
> > flush_hyp_vcpu() copies both fields verbatim from the host vCPU and
> > enforces neither expectation.
> >
> > Fix by clearing __hyp_running_vcpu and clamping used_lrs after the copy.
>
> Nice catch, both fixes are correct.
Thanks for the review.
>
> Please split this into two patches, one per field. They are independent
> bugs that just happen to share a Fixes: tag and the function. Both are
> host -> EL2, so worth stating that in the commit messages.
I'll split this into two patches and resend it as a series.
>
> Otherwise this looks right to me.
>
> Cheers,
> /fuad
>
>
> >
> > Fixes: be66e67f1750 ("KVM: arm64: Use the pKVM hyp vCPU structure in handle___kvm_vcpu_run()")
> > Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> > ---
> > arch/arm64/kvm/hyp/nvhe/hyp-main.c | 11 +++++++++++
> > 1 file changed, 11 insertions(+)
> >
> > diff --git a/arch/arm64/kvm/hyp/nvhe/hyp-main.c b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> > index 06db299c37a89..ef9318ff0c25e 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/hyp-main.c
> > @@ -7,6 +7,7 @@
> > #include <hyp/adjust_pc.h>
> > #include <hyp/switch.h>
> >
> > +#include <asm/arch_gicv3.h>
> > #include <asm/pgtable-types.h>
> > #include <asm/kvm_asm.h>
> > #include <asm/kvm_emulate.h>
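Review bot: this include is only needed by the used_lrs hunk (read_gicreg() and ICH_VTR_EL2 are the only new users in this file), so once the patch is split as requested it belongs in the used_lrs patch, not the __hyp_running_vcpu one; otherwise the first patch of the series carries an include nothing in it uses.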
> > @@ -128,6 +129,9 @@ static void flush_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu)
> >
> > hyp_vcpu->vcpu.arch.ctxt = host_vcpu->arch.ctxt;
> >
> > + /* A guest context must keep a NULL __hyp_running_vcpu. */
> > + hyp_vcpu->vcpu.arch.ctxt.__hyp_running_vcpu = NULL;
> > +
> > hyp_vcpu->vcpu.arch.mdcr_el2 = host_vcpu->arch.mdcr_el2;
> > hyp_vcpu->vcpu.arch.hcr_el2 &= ~(HCR_TWI | HCR_TWE);
> > hyp_vcpu->vcpu.arch.hcr_el2 |= READ_ONCE(host_vcpu->arch.hcr_el2) &
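Review bot: the comment states what is done but not why; suggest it name the consumer, i.e. that ctxt_to_vcpu() only resolves the vCPU via container_of() when this field is NULL (as the commit message already explains), and that the clear has to stay after the whole-struct `hyp_vcpu->vcpu.arch.ctxt = host_vcpu->arch.ctxt;` assignment on the preceding line, since that copy is what brings the host-supplied value in. That keeps a future reorder from silently reintroducing the bug.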
> > @@ -139,6 +143,13 @@ static void flush_hyp_vcpu(struct pkvm_hyp_vcpu *hyp_vcpu)
> >
> > hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3 = host_vcpu->arch.vgic_cpu.vgic_v3;
> >
> > + /* Bound the host-provided used_lrs by the implemented list registers. */
> > + if (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif))
> > + hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs =
> > + min_t(unsigned int,
> > + hyp_vcpu->vcpu.arch.vgic_cpu.vgic_v3.used_lrs,
> > + (read_gicreg(ICH_VTR_EL2) & 0xf) + 1);
> > +
> > hyp_vcpu->vcpu.arch.pid = host_vcpu->arch.pid;
> > }
> >
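Review bot: the clamp only executes under the gicv3_cpuif static branch, so on the other path the host-supplied used_lrs reaches the hyp vCPU unchecked; if the vgic_v3 list-register save/restore is only ever reached under that same condition this is fine, but the commit message should say so, otherwise the min_t() should be unconditional. Also, `(read_gicreg(ICH_VTR_EL2) & 0xf) + 1` re-reads a fixed hardware property on every vcpu run; a short comment that the hardware register is read deliberately, because the count must not come from a host-provided value, would explain the choice to anyone tempted to replace it with a cached copy.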
> > --
> > 2.43.0
> >
> >
Best regards,
Hyunwoo Kim