From: Oliver Upton <oupton@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: kvmarm@lists.linux.dev, Marc Zyngier <maz@kernel.org>
Subject: Re: [PATCH 08/22] KVM: arm64: nv: Treat DBM as writable at stage-2
Date: Tue, 23 Jun 2026 13:08:46 -0700
Message-ID: <ajrnzgRRb4SK673x@kernel.org>
In-Reply-To: <20260623185533.79A841F000E9@smtp.kernel.org>
On Tue, Jun 23, 2026 at 06:55:33PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [Critical] DBM incorrectly grants write permission to "No access" stage-2 pages, breaking nested guest isolation.
> --
>
> commit 99b59d5177f5650f344f4c618e4c4dcd2d5d6d1c
> Author: Oliver Upton <oupton@kernel.org>
>
> KVM: arm64: nv: Treat DBM as writable at stage-2
>
> This commit modifies the stage-2 permission computation to treat the DBM bit
> as granting write permission when hardware dirty state is enabled.
>
> > diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
> > --- a/arch/arm64/kvm/nested.c
> > +++ b/arch/arm64/kvm/nested.c
> [ ... ]
> > @@ -305,6 +305,17 @@ static void compute_s2_permissions(struct kvm_vcpu *vcpu, struct s2_walk_info *w
> > break;
> > }
> >
> > + /*
> > + * Descriptors with the DBM bit set while hardware dirty state are
> > + * considered writable, even though certain accesses (like AT instructions)
> > + * don't actually update the dirty state.
> > + *
> > + * Assume that walk_nestd_s2_pgd() made the necessary descriptor updates
> > + * for the access and just treat DBM as writable here.
> > + */
> > + if (wi->hd && ws->desc & KVM_PTE_LEAF_ATTR_HI_S2_DBM)
> > + s2ap |= BIT(1);
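Review bot: the new comment in this hunk is missing a word and misspells the helper it points the reader to, which matters because the rule it documents is the one most likely to be misread as a permission bypass: "Descriptors with the DBM bit set while hardware dirty state are considered writable" reads as though "management is enabled" was dropped after "hardware dirty state", and "walk_nestd_s2_pgd()" presumably means walk_nested_s2_pgd(). Since `s2ap |= BIT(1)` on a descriptor whose S2AP is 0b00 yields write-only, it would also help to name in the comment the architectural rule that makes a DBM-set, write-not-permitted descriptor writable-clean, and to parenthesise the mask test, `if (wi->hd && (ws->desc & KVM_PTE_LEAF_ATTR_HI_S2_DBM))`, so the intended precedence is explicit.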
>
> [Severity: Critical]
> If s2ap is initially 0b00 (No access), this unconditional OR operation will
> upgrade it to 0b10 (Write-only) in compute_s2_permissions(). Does this
> inadvertently bypass stage-2 memory protections if an L1 hypervisor maps a
> page as No access but leaves the DBM bit set?
>
> Without verifying that read access is already granted via s2ap & BIT(0),
> this logic grants write permission to a No access page, allowing an L2 guest
> to write to memory explicitly protected by the L1 hypervisor.
This is wrong.

R_XZFQH defines a descriptor with DBM set that would otherwise generate
a write permission fault as writable-clean. That means the descriptor
grants write permission and hardware can relax it to writable-dirty
depending on the access.

Thanks,
Oliver
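To make the rule cited in the reply concrete, here is an added C model of the stage-2 permission computation the hunk changes. It is an illustration written for this page, not KVM code and not part of the series: the S2AP field in bits [7:6], the DBM bit 51 and the `hd` (hardware dirty state management enabled) flag are assumed to follow the VMSAv8-64 stage-2 descriptor layout and the patch's naming, and every descriptor in it is constructed for the example. It shows that with `hd` on, a DBM-set descriptor whose S2AP would otherwise fault a write is writable-clean, that the first write promotes it to writable-dirty by setting S2AP[1], and that the OR never touches read permission, so the S2AP = 0b00 case raised in the review ends up write-only rather than read-write.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stage-2 leaf descriptor fields used by this model (assumed VMSAv8-64
 * layout: S2AP in bits [7:6], DBM in bit 51). KVM's own macro names are
 * deliberately not used so the file builds stand-alone.
 */
#define S2_DESC_S2AP_SHIFT	6
#define S2_DESC_S2AP_MASK	(3ULL << S2_DESC_S2AP_SHIFT)
#define S2_DESC_DBM		(1ULL << 51)

/* S2AP encoding: bit 0 = read permitted, bit 1 = write permitted. */
#define S2AP_R	(1u << 0)
#define S2AP_W	(1u << 1)

enum s2_write_state {
	S2_NOT_WRITABLE,	/* a write takes a permission fault */
	S2_WRITABLE_CLEAN,	/* DBM set, S2AP[1] clear: writable, not yet dirty */
	S2_WRITABLE_DIRTY,	/* S2AP[1] set */
};

/* Build a constructed leaf descriptor with the given S2AP value and DBM bit. */
static uint64_t s2_leaf(unsigned int s2ap, bool dbm)
{
	uint64_t desc = ((uint64_t)s2ap << S2_DESC_S2AP_SHIFT) & S2_DESC_S2AP_MASK;

	return dbm ? desc | S2_DESC_DBM : desc;
}

/*
 * Effective permissions, mirroring the hunk: with hardware dirty state
 * management enabled (hd), a descriptor with DBM set is writable even when
 * S2AP[1] is clear. Only the write bit is touched; read permission still
 * comes from S2AP[0] alone.
 */
static unsigned int s2_effective_ap(uint64_t desc, bool hd)
{
	unsigned int s2ap = (desc & S2_DESC_S2AP_MASK) >> S2_DESC_S2AP_SHIFT;

	if (hd && (desc & S2_DESC_DBM))
		s2ap |= S2AP_W;

	return s2ap;
}

/* Classify the descriptor as not writable, writable-clean or writable-dirty. */
static enum s2_write_state s2_write_state(uint64_t desc, bool hd)
{
	if (!(s2_effective_ap(desc, hd) & S2AP_W))
		return S2_NOT_WRITABLE;
	if (desc & ((uint64_t)S2AP_W << S2_DESC_S2AP_SHIFT))
		return S2_WRITABLE_DIRTY;
	return S2_WRITABLE_CLEAN;
}

/*
 * Model of a write access under hardware dirty state management: a
 * writable-clean descriptor becomes writable-dirty by setting S2AP[1]; a
 * non-writable descriptor faults and is left untouched. Returns true when
 * the write was permitted.
 */
static bool s2_write_access(uint64_t *desc, bool hd)
{
	if (s2_write_state(*desc, hd) == S2_NOT_WRITABLE)
		return false;

	*desc |= (uint64_t)S2AP_W << S2_DESC_S2AP_SHIFT;
	return true;
}

int main(void)
{
	/* The scenario from the review: S2AP = 0b00 with DBM set. */
	uint64_t desc = s2_leaf(0, true);
	bool ok;

	printf("hd off: effective S2AP=%u, state=%d\n",
	       s2_effective_ap(desc, false), s2_write_state(desc, false));
	printf("hd on:  effective S2AP=%u, state=%d\n",
	       s2_effective_ap(desc, true), s2_write_state(desc, true));

	ok = s2_write_access(&desc, true);
	printf("write with hd on: %s, raw S2AP now %u, state=%d\n",
	       ok ? "permitted" : "fault",
	       (unsigned int)((desc & S2_DESC_S2AP_MASK) >> S2_DESC_S2AP_SHIFT),
	       s2_write_state(desc, true));
	return 0;
}
```

Build with `cc -Wall -o s2dbm s2dbm.c && ./s2dbm`. With `hd` off the DBM bit is inert and the write faults; with `hd` on the same descriptor is writable-clean, the write is permitted, and the raw S2AP afterwards reads 0b10, which is exactly the write-only result the hunk produces and the read bit is never set by the model.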