From: sashiko-bot@kernel.org
To: "Paolo Bonzini" <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 5.15.y 5/8] KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page()
Date: Fri, 26 Jun 2026 12:28:11 +0000 [thread overview]
Message-ID: <20260626122812.3284C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626112606.1778248-6-pbonzini@redhat.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] The newly introduced `__link_shadow_page` function declares a `cache` parameter that is never used.
Pre-existing issues:
- [High] `drop_large_spte` flushes the wrong guest physical address range when dropping a large SPTE, potentially leaving stale hardware TLB entries for the unmapped guest memory.
--
commit 9820244be6c2ac65ed2abfdc79a98053af6c7970
Author: Paolo Bonzini <pbonzini@redhat.com>
KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page()
This patch consolidates the removal of existing large SPTEs by moving the
drop_large_spte() call from multiple caller sites directly into
__link_shadow_page(). It also updates kvm_mmu_get_child_sp() to return
-EEXIST if a non-large shadow page is already present, avoiding double
linking.
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
[ ... ]
> -static void drop_large_spte(struct kvm_vcpu *vcpu, u64 *sptep)
> +static void drop_large_spte(struct kvm *kvm, u64 *sptep)
> {
> - if (__drop_large_spte(vcpu->kvm, sptep)) {
> - struct kvm_mmu_page *sp = sptep_to_sp(sptep);
> + struct kvm_mmu_page *sp;
>
> - kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
> + sp = sptep_to_sp(sptep);
> + WARN_ON(sp->role.level == PG_LEVEL_4K);
>
> - }
> + drop_spte(kvm, sptep);
> + kvm_flush_remote_tlbs_with_address(kvm, sp->gfn,
> + KVM_PAGES_PER_HPAGE(sp->role.level));
> }
[Severity: High]
This is a pre-existing issue, but does drop_large_spte() flush the wrong
guest physical address range here?
By using sp->gfn, the flush targets the base GFN of the entire parent page
table, or the guest page directory itself for indirect mappings.
If the dropped SPTE is at an index greater than 0, wouldn't this flush the
0th index instead of the actual memory mapped by the dropped SPTE?
Could this leave stale hardware TLB entries for the unmapped guest memory
on environments supporting precise range-based TLB flushes? Should this
retrieve the exact GFN using the offset of sptep within sp->spt instead?
[ ... ]
> -static void link_shadow_page(struct kvm_vcpu *vcpu, u64 *sptep,
> - struct kvm_mmu_page *sp)
> +static void __link_shadow_page(struct kvm_vcpu *vcpu,
> + struct kvm_mmu_memory_cache *cache, u64 *sptep,
> + struct kvm_mmu_page *sp)
[Severity: Low]
Is the new cache parameter actually used in this function?
It appears the cache parameter is passed in but never referenced. The
underlying code seems to use the cache from the vcpu struct directly
when adding a parent PTE.
Could this parameter be removed to keep the signature clean?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626112606.1778248-1-pbonzini@redhat.com?part=5
next prev parent reply other threads:[~2026-06-26 12:28 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 11:25 [PATCH 5.15.y 0/8] KVM: fixes for CVE-2026-46113 and related issues Paolo Bonzini
2026-06-26 11:25 ` [PATCH 5.15.y 1/8] KVM: x86/mmu: Use a bool for direct Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.15.y 2/8] KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root() Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.15.y 3/8] KVM: x86/mmu: Derive shadow MMU page role from parent Paolo Bonzini
2026-06-26 12:01 ` sashiko-bot
2026-06-26 11:26 ` [PATCH 5.15.y 4/8] KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes Paolo Bonzini
2026-06-26 12:13 ` sashiko-bot
2026-06-26 11:26 ` [PATCH 5.15.y 5/8] KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page() Paolo Bonzini
2026-06-26 12:28 ` sashiko-bot [this message]
2026-06-26 11:26 ` [PATCH 5.15.y 6/8] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.15.y 7/8] KVM: x86: Fix shadow paging use-after-free due to unexpected role Paolo Bonzini
2026-06-26 11:26 ` [PATCH 5.15.y 8/8] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Paolo Bonzini
2026-06-26 12:57 ` sashiko-bot
2026-06-26 17:54 ` Sasha Levin
2026-06-26 19:11 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626122812.3284C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox