* [PATCH v1] riscv: kvm: Use endian-specific __lelong for NACL shared memory
@ 2026-06-08 15:52 Sean Chang
From: Sean Chang @ 2026-06-08 15:52 UTC (permalink / raw)
To: Anup Patel, Palmer Dabbelt
Cc: Atish Patra, Paul Walmsley, Albert Ou, Alexandre Ghiti, kvm,
kvm-riscv, linux-riscv, linux-kernel, Sean Chang
When compiling with sparse enabled (C=2), bitwise type warnings are
triggered in the RISC-V KVM implementation. This occurs because the
user-space access macro '__get_user_asm' casts the fetched value to
restricted types without a '__force' annotation.
Additionally, raw 'unsigned long *' pointers are used to access the
SBI NACL shared memory, whereas the RISC-V SBI specification mandates
that these structures must follow little-endian byte ordering.
Fix these by:
1. Adding a '__force' cast to '__get_user_asm()' to safely suppress
implicit cast warnings during user-space data fetching.
2. Introducing the '__lelong' type macro, which dynamically resolves to
'__le32' or '__le64' depending on XLEN, and replacing 'unsigned long *'
with '__lelong *' to enforce proper compile-time endianness checks.
Signed-off-by: Sean Chang <seanwascoding@gmail.com>
---
arch/riscv/include/asm/kvm_nacl.h | 14 ++++++++------
arch/riscv/include/asm/uaccess.h | 2 +-
arch/riscv/kvm/nacl.c | 2 +-
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/arch/riscv/include/asm/kvm_nacl.h b/arch/riscv/include/asm/kvm_nacl.h
index 4124d5e06a0f..f45407bcaa26 100644
--- a/arch/riscv/include/asm/kvm_nacl.h
+++ b/arch/riscv/include/asm/kvm_nacl.h
@@ -60,9 +60,11 @@ int kvm_riscv_nacl_init(void);
#ifdef CONFIG_32BIT
#define lelong_to_cpu(__x) le32_to_cpu(__x)
#define cpu_to_lelong(__x) cpu_to_le32(__x)
+#define __lelong __le32
#else
#define lelong_to_cpu(__x) le64_to_cpu(__x)
#define cpu_to_lelong(__x) cpu_to_le64(__x)
+#define __lelong __le64
#endif
#define nacl_shmem() \
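Review bot: The new `__lelong` definitions carry no comment saying what the type denotes, whereas the conversion helpers beside them are self-describing by name. A one-line comment above the `#ifdef CONFIG_32BIT` block would tell readers it is the XLEN-wide little-endian cell of the SBI NACL shared memory, to be read through `lelong_to_cpu()` and written through `cpu_to_lelong()`: `/* XLEN-wide little-endian cell of the SBI NACL shared memory; access via lelong_to_cpu()/cpu_to_lelong() */`. Since `unsigned long *` is being replaced by `__lelong *` throughout, the two types must stay the same width; that holds for the two configurations shown, but a `static_assert(sizeof(__lelong) == sizeof(unsigned long));` next to the definitions would make the assumption explicit.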
@@ -70,7 +72,7 @@ int kvm_riscv_nacl_init(void);
#define nacl_scratch_read_long(__shmem, __offset) \
({ \
- unsigned long *__p = (__shmem) + \
+ __lelong *__p = (__shmem) + \
SBI_NACL_SHMEM_SCRATCH_OFFSET + \
(__offset); \
lelong_to_cpu(*__p); \
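Review bot: `__offset` is added to `__shmem` before the result is held as `__lelong *`, so with `__shmem` a `void *` (as the CSR macros later assume) it is a byte offset, and nothing in the macro documents that or checks that it is a multiple of `sizeof(__lelong)`; an unaligned value would turn `lelong_to_cpu(*__p)` into a misaligned access. The same computation of `__p` appears in nacl_scratch_write_long and nacl_scratch_write_longs in the next two hunks; this predates the patch rather than being introduced by it. A comment on each macro would pin the contract: `/* __offset is a byte offset into the scratch area, a multiple of sizeof(__lelong) */`. The macro's closing `})` is not shown in the hunk.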
@@ -78,7 +80,7 @@ int kvm_riscv_nacl_init(void);
#define nacl_scratch_write_long(__shmem, __offset, __val) \
do { \
- unsigned long *__p = (__shmem) + \
+ __lelong *__p = (__shmem) + \
SBI_NACL_SHMEM_SCRATCH_OFFSET + \
(__offset); \
*__p = cpu_to_lelong(__val); \
@@ -87,7 +89,7 @@ do { \
#define nacl_scratch_write_longs(__shmem, __offset, __array, __count) \
do { \
unsigned int __i; \
- unsigned long *__p = (__shmem) + \
+ __lelong *__p = (__shmem) + \
SBI_NACL_SHMEM_SCRATCH_OFFSET + \
(__offset); \
for (__i = 0; __i < (__count); __i++) \
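Review bot: The loop condition `__i < (__count)` re-evaluates the macro argument on every iteration, so a caller passing an expression with side effects or a non-trivial computation gets it repeated each time around; this predates the patch but is cheap to fix while the macro is being touched. Capturing it once keeps the macro hygienic: `unsigned int __i, __n = (__count);` and `for (__i = 0; __i < __n; __i++)`. The loop body that stores through `__p` lies outside the hunk.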
@@ -168,7 +170,7 @@ __kvm_riscv_nacl_hfence(__shmem, \
#define nacl_csr_read(__shmem, __csr) \
({ \
- unsigned long *__a = (__shmem) + SBI_NACL_SHMEM_CSR_OFFSET; \
+ __lelong *__a = (__shmem) + SBI_NACL_SHMEM_CSR_OFFSET; \
lelong_to_cpu(__a[SBI_NACL_SHMEM_CSR_INDEX(__csr)]); \
})
@@ -176,7 +178,7 @@ __kvm_riscv_nacl_hfence(__shmem, \
do { \
void *__s = (__shmem); \
unsigned int __i = SBI_NACL_SHMEM_CSR_INDEX(__csr); \
- unsigned long *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
+ __lelong *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
u8 *__b = (__s) + SBI_NACL_SHMEM_DBITMAP_OFFSET; \
__a[__i] = cpu_to_lelong(__val); \
__b[__i >> 3] |= 1U << (__i & 0x7); \
@@ -186,7 +188,7 @@ do { \
({ \
void *__s = (__shmem); \
unsigned int __i = SBI_NACL_SHMEM_CSR_INDEX(__csr); \
- unsigned long *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
+ __lelong *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
u8 *__b = (__s) + SBI_NACL_SHMEM_DBITMAP_OFFSET; \
unsigned long __r = lelong_to_cpu(__a[__i]); \
__a[__i] = cpu_to_lelong(__val); \
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
index 11c9886c3b70..5d4ec15584cf 100644
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -112,7 +112,7 @@ do { \
_ASM_EXTABLE_UACCESS_ERR(1b, %l2, %0) \
: "=&r" (__tmp) \
: "m" (*(ptr)) : : label); \
- (x) = (__typeof__(x))(unsigned long)__tmp; \
+ (x) = (__force __typeof__(x))(unsigned long)__tmp; \
} while (0)
#else /* !CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
#define __get_user_asm(insn, x, ptr, label) \
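Review bot: The `__force` is added only to the asm-goto-output variant of `__get_user_asm`; the fallback definition that starts at `#define __get_user_asm(insn, x, ptr, label)` right after the `#else` is untouched, and the diffstat confirms a single changed line in this file. Assuming that branch carries the equivalent `(x) = (__typeof__(x))...` cast, builds without CONFIG_CC_HAS_ASM_GOTO_OUTPUT will presumably still produce the same sparse warnings, so that line should receive the same `__force` in this patch. The `do { ... } while (0)` body of the changed macro begins above the hunk.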
diff --git a/arch/riscv/kvm/nacl.c b/arch/riscv/kvm/nacl.c
index 08a95ad9ada2..6f9f8963e9dd 100644
--- a/arch/riscv/kvm/nacl.c
+++ b/arch/riscv/kvm/nacl.c
@@ -20,7 +20,7 @@ void __kvm_riscv_nacl_hfence(void *shmem,
unsigned long page_count)
{
int i, ent = -1, try_count = 5;
- unsigned long *entp;
+ __lelong *entp;
again:
for (i = 0; i < SBI_NACL_SHMEM_HFENCE_ENTRY_MAX; i++) {
--
2.43.0
* Re: [PATCH v1] riscv: kvm: Use endian-specific __lelong for NACL shared memory
@ 2026-06-08 16:08 ` sashiko-bot
From: sashiko-bot @ 2026-06-08 16:08 UTC (permalink / raw)
To: Sean Chang; +Cc: kvm
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Infinite loop in `__kvm_riscv_nacl_hfence` due to missing `try_count` decrement.
- [High] Race condition and memory ordering bugs in NACL shared memory updates.
--
commit 041fd3e0bc4c133e6f04a198d4795da99daa15bb
Author: Sean Chang <seanwascoding@gmail.com>
riscv: kvm: Use endian-specific __lelong for NACL shared memory
This patch fixes bitwise type warnings from sparse by introducing __lelong
and replacing raw unsigned long pointers in SBI NACL shared memory. It also
adds a __force cast to __get_user_asm to safely suppress implicit cast
warnings.
> diff --git a/arch/riscv/include/asm/kvm_nacl.h b/arch/riscv/include/asm/kvm_nacl.h
> index 4124d5e06a0ff..f45407bcaa26a 100644
> --- a/arch/riscv/include/asm/kvm_nacl.h
> +++ b/arch/riscv/include/asm/kvm_nacl.h
[ ... ]
> @@ -176,7 +178,7 @@ __kvm_riscv_nacl_hfence(__shmem, \
> do { \
> void *__s = (__shmem); \
> unsigned int __i = SBI_NACL_SHMEM_CSR_INDEX(__csr); \
> - unsigned long *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
> + __lelong *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
> u8 *__b = (__s) + SBI_NACL_SHMEM_DBITMAP_OFFSET; \
> __a[__i] = cpu_to_lelong(__val); \
> __b[__i >> 3] |= 1U << (__i & 0x7); \
[Severity: High]
This is a pre-existing issue, but does the lack of a memory barrier between
the CSR value update and the dirty bit update risk a race condition?
On RISC-V's relaxed memory model, these stores could be reordered without an
smp_wmb(), potentially allowing the hardware or firmware to observe the
dirty bit before the payload is visible in nacl_csr_write.
> @@ -186,7 +188,7 @@ do { \
> ({ \
> void *__s = (__shmem); \
> unsigned int __i = SBI_NACL_SHMEM_CSR_INDEX(__csr); \
> - unsigned long *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
> + __lelong *__a = (__s) + SBI_NACL_SHMEM_CSR_OFFSET; \
> u8 *__b = (__s) + SBI_NACL_SHMEM_DBITMAP_OFFSET; \
> unsigned long __r = lelong_to_cpu(__a[__i]); \
> __a[__i] = cpu_to_lelong(__val); \
> __b[__i >> 3] |= 1U << (__i & 0x7); \
[Severity: High]
This isn't a bug introduced by this patch, but similar to nacl_csr_write,
could these writes be reordered by the CPU in the nacl_csr_swap macro?
[ ... ]
> diff --git a/arch/riscv/kvm/nacl.c b/arch/riscv/kvm/nacl.c
> index 08a95ad9ada2c..6f9f8963e9ddc 100644
> --- a/arch/riscv/kvm/nacl.c
> +++ b/arch/riscv/kvm/nacl.c
> @@ -20,7 +20,7 @@ void __kvm_riscv_nacl_hfence(void *shmem,
> unsigned long page_count)
> {
> int i, ent = -1, try_count = 5;
> - unsigned long *entp;
> + __lelong *entp;
>
> again:
> for (i = 0; i < SBI_NACL_SHMEM_HFENCE_ENTRY_MAX; i++) {
[Severity: High]
This is also a pre-existing issue, but does this retry loop run infinitely
if the queue remains full?
Looking at __kvm_riscv_nacl_hfence(), it appears try_count is never
decremented before taking the goto:
if (ent < 0) {
if (try_count) {
nacl_sync_hfence(-1UL);
goto again;
} else {
pr_warn("KVM: No free entry in NACL shared memory\n");
return;
}
}
Additionally, there seems to be a pre-existing ordering hazard when writing
the entry payload further down in __kvm_riscv_nacl_hfence():
entp = shmem + SBI_NACL_SHMEM_HFENCE_ENTRY_CONFIG(i);
*entp = cpu_to_lelong(control);
entp = shmem + SBI_NACL_SHMEM_HFENCE_ENTRY_PNUM(i);
*entp = cpu_to_lelong(page_num);
entp = shmem + SBI_NACL_SHMEM_HFENCE_ENTRY_PCOUNT(i);
*entp = cpu_to_lelong(page_count);
Since the CONFIG element contains the valid bit, writing it before PNUM and
PCOUNT could allow another vCPU on the same physical CPU to trigger
nacl_sync_hfence() if KVM is preempted right after the CONFIG write. Would
this cause the firmware to process uninitialized payload data?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608155252.4292-1-seanwascoding@gmail.com?part=1