From: sashiko-bot@kernel.org
To: "Wang Yechao" <wang.yechao255@zte.com.cn>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 4/5] RISC-V: KVM: Split huge pages during KVM_CLEAR_DIRTY_LOG
Date: Tue, 23 Jun 2026 12:33:31 +0000 [thread overview]
Message-ID: <20260623123331.7F8611F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260623121332.78514-5-wang.yechao255@zte.com.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Dropping kvm->mmu_lock before flushing TLBs leads to lost dirty page tracking and silent data corruption.
--
commit ea1e9d47d599e24f8216769c511d82126690b4ec
Author: Wang Yechao <wang.yechao255@zte.com.cn>
RISC-V: KVM: Split huge pages during KVM_CLEAR_DIRTY_LOG
Split huge pages on the range specified using KVM_CLEAR_DIRTY_LOG.
And do not split when enabling dirty logging if
KVM_DIRTY_LOG_INITIALLY_SET is set.
> diff --git a/arch/riscv/kvm/mmu.c b/arch/riscv/kvm/mmu.c
> index 8220efadb8713..d2d36a9dca06f 100644
> --- a/arch/riscv/kvm/mmu.c
> +++ b/arch/riscv/kvm/mmu.c
> @@ -164,6 +164,9 @@ void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
> kvm_riscv_gstage_init(&gstage, kvm);
>
> kvm_riscv_gstage_wp_range(&gstage, start, end);
> +
> + if (kvm_dirty_log_manual_protect_and_init_set(kvm))
> + mmu_split_huge_pages(&gstage, start, end);
[Severity: Critical]
Does this code inadvertently drop kvm->mmu_lock while there are pending
deferred TLB flushes?
When userspace calls KVM_CLEAR_DIRTY_LOG, virt/kvm/kvm_main.c clears bits
in the software dirty bitmap and calls
kvm_arch_mmu_enable_log_dirty_pt_masked() to write-protect the pages. The
TLB flush is intentionally deferred across the batch loop:
virt/kvm/kvm_main.c:kvm_clear_dirty_log_protect() {
...
kvm_arch_mmu_enable_log_dirty_pt_masked(kvm, memslot, offset, mask);
...
}
However, mmu_split_huge_pages() drops the lock:
arch/riscv/kvm/mmu.c:mmu_split_huge_pages() {
...
write_unlock(&kvm->mmu_lock);
cond_resched();
...
}
Because the lock is dropped before the deferred TLB flush completes, guest
vCPUs can resume and write to memory using stale, writable TLB entries.
Since the software dirty bitmap was already cleared and these writes bypass
KVM's write-protection faults, can this result in permanently lost dirty
page tracking and memory corruption during live migration?
> }
>
> void kvm_arch_sync_dirty_log(struct kvm *kvm, struct kvm_memory_slot *memslot)
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623121332.78514-1-wang.yechao255@zte.com.cn?part=4
next prev parent reply other threads:[~2026-06-23 12:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 12:13 [PATCH v3 0/5] Implement Eager Page Splitting for RISC-V Wang Yechao
2026-06-23 12:13 ` [PATCH v3 1/5] RISC-V: KVM: Add the split page cache for ioctl context Wang Yechao
2026-06-23 12:34 ` sashiko-bot
2026-06-23 12:13 ` [PATCH v3 2/5] RISC-V: KVM: Split huge pages when dirty logging is enabled Wang Yechao
2026-06-23 12:33 ` sashiko-bot
2026-06-23 12:13 ` [PATCH v3 3/5] RISC-V: KVM: Remove redundant TLB flush operations Wang Yechao
2026-06-23 12:13 ` [PATCH v3 4/5] RISC-V: KVM: Split huge pages during KVM_CLEAR_DIRTY_LOG Wang Yechao
2026-06-23 12:33 ` sashiko-bot [this message]
2026-06-23 12:13 ` [PATCH v3 5/5] RISC-V: KVM: Add the eager_page_split module parameter Wang Yechao
2026-06-23 12:31 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623123331.7F8611F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wang.yechao255@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox