Re: [GIT PULL v1 07/17] KVM: s390: Add capability to support 2G hugepages

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Userspace can simultaneously enable both CMMA and huge pages (1M and 2G), bypassing mutual exclusivity, because KVM_S390_VM_MEM_ENABLE_CMMA does not check if huge pages are already enabled.
--

commit 98eba733f54412a163121c369883f11ed5ca35db
Author: Claudio Imbrenda <imbrenda@linux.ibm.com>

KVM: s390: Add capability to support 2G hugepages

This commit adds the KVM_CAP_S390_HPAGE_2G capability to signal to userspace
that 2G hugepages may be used to back the guest. It also implements the
necessary gmap flag enablement and propagation for the new hugepage size.

> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> index 49c330580dc88..35e5971a474f6 100644
> --- a/arch/s390/kvm/kvm-s390.c
> +++ b/arch/s390/kvm/kvm-s390.c
[ ... ]
> @@ -902,6 +907,27 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, struct kvm_enable_cap *cap)
>  		VM_EVENT(kvm, 3, "ENABLE: CAP_S390_HPAGE %s",
>  			 r ? "(not available)" : "(success)");
>  		break;
> +	case KVM_CAP_S390_HPAGE_2G:
> +		mutex_lock(&kvm->lock);
> +		if (kvm->created_vcpus) {
> +			r = -EBUSY;
> +		} else if (!hpage_2g || kvm->arch.use_cmma || kvm_is_ucontrol(kvm)) {

[Severity: High]
This is a pre-existing issue, but could userspace bypass this mutual
exclusivity check between CMMA and huge pages?

When enabling huge pages via KVM_CAP_S390_HPAGE_1M or KVM_CAP_S390_HPAGE_2G,
KVM correctly rejects the operation if kvm->arch.use_cmma is already set.

However, if userspace enables huge pages first, and then enables CMMA,
kvm_s390_set_mem_control() does not appear to verify if huge pages are
already active:

arch/s390/kvm/kvm-s390.c:kvm_s390_set_mem_control() {
    ...
    case KVM_S390_VM_MEM_ENABLE_CMMA:
        ...
        mutex_lock(&kvm->lock);
        if (kvm->created_vcpus)
            ret = -EBUSY;
        else {
            kvm->arch.use_cmma = 1;
            /* Not compatible with cmma. */
            kvm->arch.use_pfmfi = 0;
            ret = 0;
        }
        mutex_unlock(&kvm->lock);
    ...
}

Does this sequence allow the guest to run with both kvm->arch.use_cmma
and GMAP_FLAG_ALLOW_HPAGE_2G (or 1M) enabled simultaneously?

If so, and the guest executes the ESSA instruction on a huge page, would
this lead to KVM entering an infinite intercept loop that stalls the vCPU,
or cause undefined hardware behavior if migration mode is inactive?

> +			r = -EINVAL;
> +		} else {
> +			r = 0;
> +			set_bit(GMAP_FLAG_ALLOW_HPAGE_2G, &kvm->arch.gmap->flags);
> +			/*
> +			 * We might have to create fake 4k page
> +			 * tables. To avoid that the hardware works on
> +			 * stale PGSTEs, we emulate these instructions.
> +			 */
> +			kvm->arch.use_skf = 0;
> +			kvm->arch.use_pfmfi = 0;
> +		}
> +		mutex_unlock(&kvm->lock);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260615124243.187614-1-imbrenda@linux.ibm.com?part=7