Re: [PATCH v3 3/5] KVM: arm64: nv: Re-translate VNCR before injecting abort

[Oliver Upton <oupton@kernel.org>]

On Fri, Jun 19, 2026 at 12:00:33AM +0000, sashiko-bot@kernel.org wrote:
> > -			handle_vncr_perm(vcpu);
> > -			break;
> > -		case 0:
> > -			break;
> > -		}
> > -	} else {
> > -		WARN_ONCE(1, "Unhandled VNCR abort, ESR=%llx\n", esr);
> > +	case 0:
> > +		perm = kvm_is_write_fault(vcpu) ? vt->wr.pw && vt->hpa_writable : vt->wr.pr;
> > +		if (!perm)
> >  			handle_vncr_perm(vcpu);
> > +		break;
> >  	}
> >  
> >  	return 1;
> 
> [Severity: High]
> Does removing the -EPERM loop breaker introduce a host CPU livelock for
> Write-Only guest VNCR mappings?
> 
> If the guest configures a Write-Only mapping, kvm_map_l1_vncr() falls back
> to mapping it as PAGE_NONE. When the hardware accesses the fixmap, it triggers
> a Data Abort. KVM then traps and re-translates the mapping.
> 
> Because vt->wr.pw is true, the perm check evaluates to true, and KVM returns 1
> to resume the guest instead of injecting a fault. The hardware will then fault
> again indefinitely.

Advertising NV2 to the VM should've been conditioned on hiding S1PIE
because there's no way to fix this. As the access passes the guest
permission check, we have no fault that can be injected for stage-1.

> [Severity: High]
> Also, does calling kvm_translate_vncr() unconditionally request FOLL_WRITE
> on a write fault without verifying if the guest's own Stage-1 mapping
> actually permits writes?
> 
> In kvm_translate_vncr(), __kvm_faultin_pfn() is called with FOLL_WRITE if it's
> a write fault. If the host memslot happens to be read-only, __kvm_faultin_pfn()
> fails and returns -EFAULT.
> 
> This error bubbles up to the switch statement above, which injects an External
> Abort into the guest. Should the guest instead receive a Stage-1 Permission
> Fault if its own Stage-1 translation does not permit writes, regardless of the
> memslot permissions?

Again, this is below the bar of stable fixes (intent of this series).

Thanks,
Oliver