From: sashiko-bot@kernel.org
To: "Inochi Amaoto" <inochiama@gmail.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v4 4/8] RISC-V: KVM: Add ssp context save/restore
Date: Wed, 01 Jul 2026 02:28:30 +0000 [thread overview]
Message-ID: <20260701022830.DDFF21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701020746.170157-5-inochiama@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Missing addition of the ZICFISS register count in `num_csr_regs()` causes KVM to under-calculate the required register list size, leading to an out-of-bounds write during the `KVM_GET_REG_LIST` ioctl.
- [Medium] Modifying CSR_SSP in C code before entering the VCPU assembly loop, and zeroing it upon return, overwrites the host's active Shadow Stack Pointer, potentially causing a host kernel panic if the host utilizes Supervisor-mode shadow stacks.
- [Medium] The guest's ZICFISS Shadow Stack Pointer (`zicfiss_csr`) is not cleared during VCPU context reset, leading to guest state leakage across reboots.
--
commit 3d9e79d289458c01fff126fe0b09e2d1859aeecc
Author: Inochi Amaoto <inochiama@gmail.com>
RISC-V: KVM: Add ssp context save/restore
This commit adds ssp context save/restore for guest VCPUs. It also adds the
Zicfiss registers to the ONE_REG interface to allow access from user space.
> diff --git a/arch/riscv/include/asm/kvm_host.h b/arch/riscv/include/asm/kvm_host.h
> index 60017ceec9d2a..e5ed3b0e5a55b 100644
> --- a/arch/riscv/include/asm/kvm_host.h
> +++ b/arch/riscv/include/asm/kvm_host.h
[ ... ]
> @@ -203,6 +207,9 @@ struct kvm_vcpu_arch {
> /* CPU Smstateen CSR context of Guest VCPU */
> struct kvm_vcpu_smstateen_csr smstateen_csr;
>
> + /* CPU Zicfiss CSR context of Guest VCPU */
> + struct kvm_vcpu_zicfiss_csr zicfiss_csr;
> +
[Severity: Medium]
Is the zicfiss_csr structure cleared during a VCPU reset?
Looking at kvm_riscv_vcpu_context_reset() in arch/riscv/kvm/vcpu.c,
it doesn't appear to be zeroed:
memset(cntx, 0, sizeof(*cntx));
memset(csr, 0, sizeof(*csr));
memset(&vcpu->arch.smstateen_csr, 0, sizeof(vcpu->arch.smstateen_csr));
Could this lead to the guest's shadow stack pointer being preserved
across warm reboots or kexec, leaking architectural state?
> /* CPU reset state of Guest VCPU */
> struct kvm_vcpu_reset_state reset_state;
>
> diff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c
> index cf6e231e76e25..1c2775a4834eb 100644
> --- a/arch/riscv/kvm/vcpu.c
> +++ b/arch/riscv/kvm/vcpu.c
> @@ -720,6 +720,7 @@ static void kvm_riscv_update_hvip(struct kvm_vcpu *vcpu)
>
> static __always_inline void kvm_riscv_vcpu_swap_in_guest_state(struct kvm_vcpu *vcpu)
> {
> + struct kvm_vcpu_zicfiss_csr *zicficsr = &vcpu->arch.zicfiss_csr;
> struct kvm_vcpu_smstateen_csr *smcsr = &vcpu->arch.smstateen_csr;
> struct kvm_vcpu_csr *csr = &vcpu->arch.guest_csr;
>
> @@ -727,10 +728,13 @@ static __always_inline void kvm_riscv_vcpu_swap_in_guest_state(struct kvm_vcpu *
> vcpu->arch.host_senvcfg = csr_swap(CSR_SENVCFG, csr->senvcfg);
> if (riscv_has_extension_unlikely(RISCV_ISA_EXT_SMSTATEEN))
> vcpu->arch.host_sstateen0 = csr_swap(CSR_SSTATEEN0, smcsr->sstateen0);
> + if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICFISS))
> + csr_write(CSR_SSP, zicficsr->ssp);
[Severity: Medium]
Since this modifies the host's CSR_SSP while still executing host C code,
will this cause any subsequent host function returns (before entering
assembly) to use the guest's shadow stack?
If the host kernel utilizes hardware shadow stacks for Supervisor mode,
this could result in a host kernel panic from an sspopchk failure.
> }
>
> static __always_inline void kvm_riscv_vcpu_swap_in_host_state(struct kvm_vcpu *vcpu)
> {
> + struct kvm_vcpu_zicfiss_csr *zicficsr = &vcpu->arch.zicfiss_csr;
> struct kvm_vcpu_smstateen_csr *smcsr = &vcpu->arch.smstateen_csr;
> struct kvm_vcpu_csr *csr = &vcpu->arch.guest_csr;
>
> @@ -738,6 +742,8 @@ static __always_inline void kvm_riscv_vcpu_swap_in_host_state(struct kvm_vcpu *v
> csr->senvcfg = csr_swap(CSR_SENVCFG, vcpu->arch.host_senvcfg);
> if (riscv_has_extension_unlikely(RISCV_ISA_EXT_SMSTATEEN))
> smcsr->sstateen0 = csr_swap(CSR_SSTATEEN0, vcpu->arch.host_sstateen0);
> + if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICFISS))
> + zicficsr->ssp = csr_swap(CSR_SSP, 0);
[Severity: Medium]
Will hardcoding CSR_SSP to 0 here overwrite the host's shadow stack pointer
rather than correctly restoring the saved host state?
> }
>
> /*
> diff --git a/arch/riscv/kvm/vcpu_onereg.c b/arch/riscv/kvm/vcpu_onereg.c
> index bb920e8923c93..bd59aebc8b2e9 100644
> --- a/arch/riscv/kvm/vcpu_onereg.c
> +++ b/arch/riscv/kvm/vcpu_onereg.c
[ ... ]
> @@ -688,7 +732,7 @@ static int copy_csr_reg_indices(const struct kvm_vcpu *vcpu,
> u64 __user *uindices)
> {
> int n1 = sizeof(struct kvm_riscv_csr) / sizeof(unsigned long);
> - int n2 = 0, n3 = 0;
> + int n2 = 0, n3 = 0, n4 = 0;
>
> /* copy general csr regs */
> for (int i = 0; i < n1; i++) {
> @@ -740,7 +784,25 @@ static int copy_csr_reg_indices(const struct kvm_vcpu *vcpu,
> }
> }
>
> - return n1 + n2 + n3;
> + /* copy Zicfiss csr regs */
> + if (riscv_isa_extension_available(vcpu->arch.isa, ZICFISS)) {
> + n4 = sizeof(struct kvm_riscv_zicfiss_csr) / sizeof(unsigned long);
> +
> + for (int i = 0; i < n4; i++) {
> + u64 size = IS_ENABLED(CONFIG_32BIT) ?
> + KVM_REG_SIZE_U32 : KVM_REG_SIZE_U64;
> + u64 reg = KVM_REG_RISCV | size | KVM_REG_RISCV_CSR |
> + KVM_REG_RISCV_CSR_ZICFISS | i;
> +
> + if (uindices) {
> + if (put_user(reg, uindices))
> + return -EFAULT;
> + uindices++;
> + }
> + }
> + }
> +
> + return n1 + n2 + n3 + n4;
> }
[Severity: High]
Does num_csr_regs() also need to be updated to include the ZICFISS register
count?
If num_csr_regs() doesn't include the ZICFISS registers, userspace might
allocate a smaller array for KVM_GET_REG_LIST, causing the put_user()
calls above to write past the end of the userspace array.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701020746.170157-1-inochiama@gmail.com?part=4
next prev parent reply other threads:[~2026-07-01 2:28 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 2:07 [PATCH v4 0/8] RISC-V: KVM: Add Svadu/Zicfiss/Zicfilp FWFT support Inochi Amaoto
2026-07-01 2:07 ` [PATCH v4 1/8] RISC-V: KVM: Add support for Svadu FWFT features Inochi Amaoto
2026-07-01 2:30 ` sashiko-bot
2026-07-01 2:07 ` [PATCH v4 2/8] KVM: riscv: selftests: add Svadu FWFT extension to get-reg-list test Inochi Amaoto
2026-07-01 2:07 ` [PATCH v4 3/8] RISC-V: KVM: Allow Zicfiss/Zicfilp extensions for Guest/VM Inochi Amaoto
2026-07-01 2:07 ` [PATCH v4 4/8] RISC-V: KVM: Add ssp context save/restore Inochi Amaoto
2026-07-01 2:28 ` sashiko-bot [this message]
2026-07-01 2:07 ` [PATCH v4 5/8] RISC-V: KVM: Handle software-check exits for VCPU Inochi Amaoto
2026-07-01 2:31 ` sashiko-bot
2026-07-01 2:07 ` [PATCH v4 6/8] RISC-V: KVM: Delegate SPELP bit to VS/VU mode if landing pad is enabled Inochi Amaoto
2026-07-01 2:20 ` sashiko-bot
2026-07-01 2:07 ` [PATCH v4 7/8] RISC-V: KVM: Add support for control-flow integrity FWFT features Inochi Amaoto
2026-07-01 2:33 ` sashiko-bot
2026-07-01 2:07 ` [PATCH v4 8/8] KVM: riscv: selftests: add Zicfiss/Zicfilp extension to get-reg-list test Inochi Amaoto
2026-07-01 2:23 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701022830.DDFF21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=inochiama@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox