From: sashiko-bot@kernel.org
To: "Marc Zyngier" <maz@kernel.org>
Cc: kvm@vger.kernel.org, kvmarm@lists.linux.dev,
"Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH 25/28] KVM: arm64: Engage NV3 TLBI trap elision
Date: Thu, 02 Jul 2026 16:45:14 +0000 [thread overview]
Message-ID: <20260702164514.C41EF1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260702160248.1377250-26-maz@kernel.org>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [Critical] Enabling FEAT_NV3 TLBI elision (NVnTTLB) breaks KVM's nested S2 MMU caching, leaving stale L2 guest S1 TLB entries across cached physical VMIDs.
- [High] TLBI trap elision for NV1 guests is nested inside a check requiring the guest to use VHE, rendering the optimization dead code.
- [Medium] NV3 TLBI trap elision is incomplete because HCRX_EL2_NVnTTLBOS is omitted from the TLBI elision mask.
Pre-existing issues:
- [High] vcpu_set_hcrx() statically evaluates the guest's dynamic HCR_EL2.E2H state at boot, permanently disabling HCRX_EL2_NVTGE even if the guest later enables VHE.
--
commit e34c9c8b4a16d0026abc090c888c49e7f1c66d8a
Author: Marc Zyngier <maz@kernel.org>
KVM: arm64: Engage NV3 TLBI trap elision
This commit enables FEAT_NV3 TLBI trap elision for guests that are not
NV2-aware. It relaxes TLBI traps to only TGE=0 using HCRX_EL2 bits.
> diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
> index b32870a5e1236..d6f432b1558f5 100644
> --- a/arch/arm64/include/asm/kvm_emulate.h
> +++ b/arch/arm64/include/asm/kvm_emulate.h
> @@ -715,6 +715,15 @@ static inline void vcpu_set_hcrx(struct kvm_vcpu *vcpu)
> if (cpus_have_final_cap(ARM64_HAS_NV3) &&
> vcpu_has_nv(vcpu) && vcpu_el2_e2h_is_set(vcpu)) {
[Severity: High]
This isn't a bug introduced by this patch, but because vcpu_set_hcrx is
called once during kvm_calculate_traps at the first VCPU run, the guest
has not yet executed and its virtual HCR_EL2.E2H is 0.
Since vcpu_el2_e2h_is_set checks the dynamic HCR_EL2 register, does this
evaluate to false and permanently disable HCRX_EL2_NVTGE even if the guest
later sets HCR_EL2.E2H at runtime?
[Severity: High]
Does checking vcpu_el2_e2h_is_set here prevent the NV1 TLBI elision
optimization from ever being reached?
Since an NV1 guest does not have VHE enabled (E2H=0), this outer condition
will evaluate to false, meaning the inner !kvm_has_nv2(vcpu->kvm) block
added below will be skipped.
> vcpu->arch.hcrx_el2 |= HCRX_EL2_NVTGE;
> +
> + /*
> + * If the guest is NV2-capable, then we need to see
> + * all the TLBIs, as configured in HCR_EL2.
> + * Otherwise, relax the TLBI traps to only TGE=0.
> + */
> + if (!kvm_has_nv2(vcpu->kvm))
> + vcpu->arch.hcrx_el2 |= (HCRX_EL2_NVnTTLB |
> + HCRX_EL2_NVnTTLBIS);
[Severity: Medium]
Does this mask omit the Outer Shareable S1 TLBI elision bit
(HCRX_EL2_NVnTTLBOS)?
Without it, will Outer Shareable S1 TLBI instructions continue to
trap to KVM, missing out on the intended performance optimization?
[Severity: Critical]
Does enabling hardware TLBI elision here break KVM's nested S2 MMU
caching?
KVM caches multiple S2 MMU contexts (with distinct physical VMIDs) for
the same virtual VMID, and defers physical VMID switches until guest entry.
If a guest hypervisor writes to VTTBR_EL2 and executes an S1 TLBI natively,
hardware will only invalidate the currently active physical VMID.
Could this cause the hardware to invalidate the wrong context (the
hypervisor's own S1 TLB instead of the L2 guest's) and miss other cached
physical VMIDs sharing the virtual VMID, potentially leading to stale
TLB entries?
> }
> }
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260702160248.1377250-1-maz@kernel.org?part=25
next prev parent reply other threads:[~2026-07-02 16:45 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:02 [PATCH 00/28] KVM: arm64: Add support for FEAT_NV2p1 and FEAT_NV3 Marc Zyngier
2026-07-02 16:02 ` [PATCH 01/28] arm64: sysreg: Emit RESx/UNKN values for Mapping definitions Marc Zyngier
2026-07-02 16:19 ` sashiko-bot
2026-07-02 17:41 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 02/28] arm64: Update ID_AA64MMFR4_EL1 description to 2026-03 JSON release Marc Zyngier
2026-07-02 16:02 ` [PATCH 03/28] KVM: arm64: Merge guest's HCRX_EL2 using NV_HCRX_GUEST_EXCLUDE Marc Zyngier
2026-07-02 16:34 ` sashiko-bot
2026-07-02 18:29 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 04/28] KVM: arm64: Drop __HCRX_EL2_* masks Marc Zyngier
2026-07-02 18:34 ` sashiko-bot
2026-07-02 21:10 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 05/28] KVM: arm64: Plumb HCRX_EL2.SRMASKEn in HCRX_EL2 sanitisation Marc Zyngier
2026-07-02 16:28 ` sashiko-bot
2026-07-02 18:18 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 06/28] KVM: arm64: Classify CPTR_EL2 as a SR_LOC_SPECIAL register Marc Zyngier
2026-07-02 16:02 ` [PATCH 07/28] KVM: arm64: Don't evaluate HCR_EL2.NV on ERET fast path Marc Zyngier
2026-07-02 16:24 ` sashiko-bot
2026-07-02 17:57 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 08/28] arm64: Add ARM64_HAS_NV2P1 capability Marc Zyngier
2026-07-02 16:02 ` [PATCH 09/28] KVM: arm64: Relax CPTR_EL2 handling when FEAT_NV2p1 is present Marc Zyngier
2026-07-02 16:02 ` [PATCH 10/28] KVM: arm64: Relax CNTHCTL_EL2 " Marc Zyngier
2026-07-02 16:21 ` sashiko-bot
2026-07-02 17:46 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 11/28] KVM: arm64: Expose FEAT_NV2p1 to NV guests Marc Zyngier
2026-07-02 16:28 ` sashiko-bot
2026-07-02 18:23 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 12/28] arm64: Add FEAT_NV2p1 detection Marc Zyngier
2026-07-02 16:02 ` [PATCH 13/28] arm64: sysreg: Add NVHCR_EL2 description as a mirror of HCR_EL2 Marc Zyngier
2026-07-02 16:02 ` [PATCH 14/28] arm64: sysreg: Add HCRX_EL2 bits related to FEAT_NV3 Marc Zyngier
2026-07-02 16:02 ` [PATCH 15/28] arm64: Add ARM64_HAS_NV3 capability Marc Zyngier
2026-07-02 16:02 ` [PATCH 16/28] KVM: arm64: Split NV-specific exit fixups from the non-NV handling Marc Zyngier
2026-07-02 16:02 ` [PATCH 17/28] KVM: arm64: Add NV3 control bits to HCRX_EL2 sanitisation Marc Zyngier
2026-07-02 16:02 ` [PATCH 18/28] KVM: arm64: Add kvm_has_nv{2,3}() predicates Marc Zyngier
2026-07-02 16:25 ` sashiko-bot
2026-07-02 18:01 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 19/28] KVM: arm64: Make HCR_EL2 a non-VNCR register Marc Zyngier
2026-07-02 16:02 ` [PATCH 20/28] KVM: arm64: Add sanitisation for NVHCR_EL2 Marc Zyngier
2026-07-02 16:02 ` [PATCH 21/28] KVM: arm64: Add NVHCR_EL2 handling to the sysreg array Marc Zyngier
2026-07-02 16:02 ` [PATCH 22/28] KVM: arm64: Add routing for NVHCR_EL2 trap Marc Zyngier
2026-07-02 16:26 ` sashiko-bot
2026-07-02 18:14 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 23/28] KVM: arm64: Add NVHCR_EL2 context switching Marc Zyngier
2026-07-02 16:43 ` sashiko-bot
2026-07-02 20:28 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 24/28] KVM: arm64: Engage NV3 ERET trap elision Marc Zyngier
2026-07-02 16:02 ` [PATCH 25/28] KVM: arm64: Engage NV3 TLBI " Marc Zyngier
2026-07-02 16:45 ` sashiko-bot [this message]
2026-07-02 21:04 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 26/28] KVM: arm64: Add FEAT_NV3 detection Marc Zyngier
2026-07-02 16:39 ` sashiko-bot
2026-07-02 20:03 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 27/28] KVM: arm64: Expose FEAT_NV3 to guests Marc Zyngier
2026-07-02 16:39 ` sashiko-bot
2026-07-02 20:01 ` Marc Zyngier
2026-07-02 16:02 ` [PATCH 28/28] arm64: Add override for ID_AA64MMFR4_EL1.NV_frac Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702164514.C41EF1F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox