Kernel KVM virtualization development
From: sashiko-bot@kernel.org
To: "Inochi Amaoto" <inochiama@gmail.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v4 5/8] RISC-V: KVM: Handle software-check exits for VCPU
Date: Wed, 01 Jul 2026 02:31:38 +0000
Message-ID: <20260701023138.DBAC91F000E9@smtp.kernel.org>
In-Reply-To: <20260701020746.170157-6-inochiama@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] `vcpu_redirect` unconditionally sets `VSSTATUS.SPP` to 1 and fails to set `HSTATUS.SPVP` to 1, causing guest user-to-kernel privilege escalation or fatal guest crashes.
--

commit b591989d8fd2e996d0f963c15186f3a08e706f56
Author: Inochi Amaoto <inochiama@gmail.com>

RISC-V: KVM: Handle software-check exits for VCPU

The patch introduces handling for EXC_SOFTWARE_CHECK in RISC-V KVM to support
Zicfiss/Zicfilp extensions. It delegates these exceptions to VS mode via
vcpu_redirect().

> diff --git a/arch/riscv/kvm/vcpu_exit.c b/arch/riscv/kvm/vcpu_exit.c
> index 0bb0c51e3c890..12eebeabdf146 100644
> --- a/arch/riscv/kvm/vcpu_exit.c
> +++ b/arch/riscv/kvm/vcpu_exit.c
[ ... ]
> @@ -243,6 +243,10 @@ int kvm_riscv_vcpu_exit(struct kvm_vcpu *vcpu, struct kvm_run *run,
>  		run->exit_reason = KVM_EXIT_DEBUG;
>  		ret = 0;
>  		break;
> +	case EXC_SOFTWARE_CHECK:
> +		if (vcpu->arch.cfg.henvcfg & (ENVCFG_LPE | ENVCFG_SSE))
> +			ret = vcpu_redirect(vcpu, trap);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[Severity: High]
This is a pre-existing issue, but using vcpu_redirect() here exposes an
underlying architectural flaw in KVM RISC-V's exception redirection logic.

When KVM redirects a trap to the guest, kvm_riscv_vcpu_trap_redirect() attempts
to copy the host's sstatus.SPP bit into the guest's VSSTATUS.SPP:

arch/riscv/kvm/vcpu_exit.c:kvm_riscv_vcpu_trap_redirect() {
    ...
	/* Change Guest SSTATUS.SPP bit */
	vsstatus &= ~SR_SPP;
	if (vcpu->arch.guest_context.sstatus & SR_SPP)
		vsstatus |= SR_SPP;
    ...

Since taking a trap from V=1 to HS-mode always sets the host's sstatus.SPP to 1,
VSSTATUS.SPP is unconditionally set to 1. This falsely tells the guest OS that
the exception originated in supervisor mode, even if it actually occurred in
user mode (VU-mode).

Additionally, kvm_riscv_vcpu_trap_redirect() fails to update HSTATUS.SPVP:

    ...
	/* Set Guest privilege mode to supervisor */
	vcpu->arch.guest_context.sstatus |= SR_SPP;
}

Because sret from HS-mode uses HSTATUS.SPVP to determine the return privilege
mode for the guest, the guest will resume in VU-mode at the supervisor
exception vector (vstvec).

Does this enable guest user space to execute the kernel's trap handler with
user privileges, leading to privilege escalation or fatal guest crashes?

> +		break;
>  	default:
>  		break;
>  	}
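Review bot: the new `case EXC_SOFTWARE_CHECK` only assigns `ret` when `vcpu->arch.cfg.henvcfg` has `ENVCFG_LPE` or `ENVCFG_SSE` set; when neither bit is set the case falls straight to `break` and the exit is completed with whatever `ret` and `run->exit_reason` held before the `switch`, which is not visible in this hunk. Please make that intent explicit, either with an `else` branch that sets `ret` to the intended error value or with a comment stating that a software-check exception is not expected while both bits are clear and that the pre-set default error path is the desired outcome. A one-line comment above the `case` explaining why the redirect is gated on landing pads or shadow stacks being enabled for the guest (`ENVCFG_LPE | ENVCFG_SSE`) would also help readers of this switch, since the other cases carry no such condition.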

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701020746.170157-1-inochiama@gmail.com?part=5
