* Re: [PATCH 0/2] tracing: Move trace_printk.h out of kernel.h
From: Christophe Leroy (CS GROUP) @ 2026-06-22 8:05 UTC (permalink / raw)
To: Steven Rostedt, linux-kernel, linux-trace-kernel
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, Andrew Morton,
Linus Torvalds, Sebastian Andrzej Siewior, John Ogness,
Thomas Gleixner, Peter Zijlstra, Julia Lawall, Yury Norov,
linux-doc, linux-kbuild, linuxppc-dev, dri-devel, linux-stm32,
linux-arm-kernel, linux-rdma, linux-usb, linux-ext4, linux-nfs,
kvm, intel-gfx
In-Reply-To: <20260621093430.264983361@kernel.org>
Le 21/06/2026 à 11:34, Steven Rostedt a écrit :
> There's been complaints about trace_printk() being defined in kernel.h as it
> can increase the compilation time. As it is only used by some developers for
> debugging purposes, it should not be in kernel.h causing lots of wasted CPU
> cycles for those that do not ever care about it.
Do we have a measurement of the increased compilation time ?
Christophe
>
> Instead, add a CONFIG_TRACE_PRINTK_DEBUGGING option that developers that do
> use it can set and not have to always remember to add #include <linux/trace_printk.h>
> to the files they add trace_printk() while debugging. It also means that
> those that do not have that config set will not have to worry about wasted
> CPU cycles as it is only include in the CFLAGS when the option is set, and
> its completely ignored otherwise.
>
> Steven Rostedt (2):
> tracing: Move non-trace_printk prototypes back to kernel.h
> tracing: Add CONFIG_TRACE_PRINTK_DEBUGGING to clean up kernel.h
>
> ----
> .../driver_development_debugging_guide.rst | 2 +-
> Makefile | 5 +++++
> arch/powerpc/kvm/book3s_xics.c | 1 +
> drivers/gpu/drm/i915/gt/intel_gtt.h | 1 +
> drivers/gpu/drm/i915/i915_gem.h | 1 +
> drivers/hwtracing/stm/dummy_stm.c | 4 ++++
> drivers/infiniband/hw/hfi1/trace_dbg.h | 1 +
> drivers/usb/early/xhci-dbc.c | 1 +
> fs/ext4/inline.c | 1 +
> include/linux/kernel.h | 19 ++++++++++++++++++-
> include/linux/sunrpc/debug.h | 1 +
> include/linux/trace_printk.h | 22 +++-------------------
> kernel/trace/Kconfig | 10 ++++++++++
> kernel/trace/ring_buffer_benchmark.c | 1 +
> kernel/trace/trace.h | 1 +
> samples/fprobe/fprobe_example.c | 1 +
> samples/ftrace/ftrace-direct-modify.c | 1 +
> samples/ftrace/ftrace-direct-multi-modify.c | 1 +
> samples/ftrace/ftrace-direct-multi.c | 2 +-
> samples/ftrace/ftrace-direct-too.c | 2 +-
> samples/ftrace/ftrace-direct.c | 2 +-
> 21 files changed, 56 insertions(+), 24 deletions(-)
>
^ permalink raw reply
* Re: [PATCH v8 23/46] KVM: TDX: Make source page optional for KVM_TDX_INIT_MEM_REGION
From: Yan Zhao @ 2026-06-22 7:18 UTC (permalink / raw)
To: Fuad Tabba
Cc: ackerleytng, aik, andrew.jones, binbin.wu, brauner, chao.p.peng,
david, jmattson, jthoughton, michael.roth, oupton, pankaj.gupta,
qperret, rick.p.edgecombe, rientjes, shivankg, steven.price,
willy, wyihan, forkloop, pratyush, suzuki.poulose, aneesh.kumar,
liam, Paolo Bonzini, Sean Christopherson, Thomas Gleixner,
Ingo Molnar, Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers,
Jonathan Corbet, Shuah Khan, Shuah Khan, Vishal Annapurve,
Andrew Morton, Chris Li, Kairui Song, Kemeng Shi, Nhat Pham,
Barry Song, Axel Rasmussen, Yuanchu Xie, Wei Xu, Youngjun Park,
Qi Zheng, Shakeel Butt, Kiryl Shutsemau, Baoquan He,
Jason Gunthorpe, Vlastimil Babka, kvm, linux-kernel,
linux-trace-kernel, linux-doc, linux-kselftest, linux-mm,
linux-coco
In-Reply-To: <CA+EHjTyj-JdW8H0ii2j3dayqnT2s3VV+brSG++p335=FGd2GXg@mail.gmail.com>
On Fri, Jun 19, 2026 at 12:09:54PM +0100, Fuad Tabba wrote:
> Sashiko flagged that when src_page = pfn_to_page(pfn),
> tdh_mem_page_add gets identical physical addresses for r8
> (destination) and r9 (source), reading with host KeyID and writing
> with TD KeyID on the same address.
This is allowed :)
See below description in the spec [1].
In-Place Add:
It is allowed to set the TD page HPA in R8 to the same address as the source
page HPA in R9. In this case the source page is converted to be a TD private
page.
[1] https://www.intel.com/content/www/us/en/content-details/853294/intel-trust-domain-extensions-intel-tdx-module-base-architecture-specification.html
^ permalink raw reply
* [PATCH] KVM: Nullify irqfd->producer when add_producer() fails
From: leixiang @ 2026-06-22 7:51 UTC (permalink / raw)
Cc: leixiang, stable, Madhavan Srinivasan, Nicholas Piggin,
Michael Ellerman, Christophe Leroy (CS GROUP),
Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, x86, H. Peter Anvin, Paul Mackerras,
Suresh Warrier, linuxppc-dev, kvm, linux-kernel
The x86 and powerpc add_producer() callbacks set irqfd->producer before the
fallible setup and never clear it on error. The bypass manager doesn't
register a producer whose add_producer() failed -- producer->eventfd is
left NULL, so the later unregister early-returns and del_producer() is
never called -- so nothing ever drops the pointer.
For VFIO PCI the producer is embedded in struct vfio_pci_irq_ctx and freed
when the vector is disabled, after which a routing update dereferences the
dangling pointer via kvm_arch_update_irqfd_routing().
Nullify irqfd->producer on the error paths.
Fixes: 77e1b8332d1d ("KVM: x86: Decouple device assignment from IRQ bypass")
Fixes: c57875f5f9be ("KVM: PPC: Book3S HV: Enable IRQ bypass")
Cc: stable@vger.kernel.org
Signed-off-by: leixiang <leixiang@kylinos.cn>
---
arch/powerpc/kvm/book3s_hv.c | 4 +++-
arch/x86/kvm/irq.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 61dbeea317f3..14919b76fb32 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -6114,9 +6114,11 @@ static int kvmppc_irq_bypass_add_producer_hv(struct irq_bypass_consumer *cons,
irqfd->producer = prod;
ret = kvmppc_set_passthru_irq(irqfd->kvm, prod->irq, irqfd->gsi);
- if (ret)
+ if (ret) {
pr_info("kvmppc_set_passthru_irq (irq %d, gsi %d) fails: %d\n",
prod->irq, irqfd->gsi, ret);
+ irqfd->producer = NULL;
+ }
return ret;
}
diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
index 8c62c6d4d5c1..cb8ac4b9b0d7 100644
--- a/arch/x86/kvm/irq.c
+++ b/arch/x86/kvm/irq.c
@@ -488,8 +488,10 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons,
if (irqfd->irq_entry.type == KVM_IRQ_ROUTING_MSI) {
ret = kvm_pi_update_irte(irqfd, &irqfd->irq_entry);
- if (ret)
+ if (ret) {
kvm->arch.nr_possible_bypass_irqs--;
+ irqfd->producer = NULL;
+ }
}
spin_unlock_irq(&kvm->irqfds.lock);
--
2.45.0
^ permalink raw reply related
* [PATCH v18 10/12] vfio/pci: Add TPH_ENABLE feature skeleton and unsafe module parameter
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Introduce module param enable_unsafe_tph to gate all TPH related features,
and add VFIO_DEVICE_FEATURE_TPH_ENABLE uapi together with per-device
tph_permit flag.
This is a preparatory implementation: only feature framework is added
for now, actual TPH_CTRL register permission control and steering tag
features (TPH_CPU_ST / TPH_ST_CONFIG) will be attached in subsequent
TPH capability virtualization commits.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/vfio/pci/vfio_pci.c | 13 ++++++++++++-
drivers/vfio/pci/vfio_pci_config.c | 1 +
drivers/vfio/pci/vfio_pci_core.c | 25 ++++++++++++++++++++++++-
include/linux/vfio_pci_core.h | 4 +++-
include/uapi/linux/vfio.h | 7 +++++++
5 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 0c771064c0b8..6d73668459cf 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -60,6 +60,12 @@ static bool disable_denylist;
module_param(disable_denylist, bool, 0444);
MODULE_PARM_DESC(disable_denylist, "Disable use of device denylist. Disabling the denylist allows binding to devices with known errata that may lead to exploitable stability or security issues when accessed by untrusted users.");
+#ifdef CONFIG_PCIE_TPH
+static bool enable_unsafe_tph;
+module_param(enable_unsafe_tph, bool, 0444);
+MODULE_PARM_DESC(enable_unsafe_tph, "Enable PCIe TPH (Transaction Processing Hints) support. It may break platform isolation. If you do not know what this is for, step away. (default: false)");
+#endif
+
static bool vfio_pci_dev_in_denylist(struct pci_dev *pdev)
{
switch (pdev->vendor) {
@@ -257,12 +263,17 @@ static int __init vfio_pci_init(void)
{
int ret;
bool is_disable_vga = true;
+ bool is_enable_unsafe_tph = false;
#ifdef CONFIG_VFIO_PCI_VGA
is_disable_vga = disable_vga;
#endif
+#ifdef CONFIG_PCIE_TPH
+ is_enable_unsafe_tph = enable_unsafe_tph;
+#endif
- vfio_pci_core_set_params(nointxmask, is_disable_vga, disable_idle_d3);
+ vfio_pci_core_set_params(nointxmask, is_disable_vga, disable_idle_d3,
+ is_enable_unsafe_tph);
/* Register and scan for devices */
ret = pci_register_driver(&vfio_pci_driver);
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index 5c6ab172df6c..251d3ec7fdd4 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1783,6 +1783,7 @@ int vfio_config_init(struct vfio_pci_core_device *vdev)
goto out;
vdev->bardirty = true;
+ vdev->tph_permit = false;
/*
* XXX can we just pci_load_saved_state/pci_restore_state?
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index a28f1e99362c..b0193afca875 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -41,6 +41,7 @@
static bool nointxmask;
static bool disable_vga;
static bool disable_idle_d3;
+static bool enable_unsafe_tph;
static void vfio_pci_eventfd_rcu_free(struct rcu_head *rcu)
{
@@ -1554,6 +1555,24 @@ static int vfio_pci_core_feature_token(struct vfio_pci_core_device *vdev,
return 0;
}
+static int vfio_pci_core_feature_tph_enable(struct vfio_pci_core_device *vdev,
+ u32 flags, size_t argsz)
+{
+ int ret;
+
+ if (!enable_unsafe_tph)
+ return -EOPNOTSUPP;
+
+ ret = vfio_check_feature(flags, argsz, VFIO_DEVICE_FEATURE_SET, 0);
+ if (ret <= 0)
+ return ret;
+
+ if (!vdev->tph_permit)
+ vdev->tph_permit = 1;
+
+ return 0;
+}
+
int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
void __user *arg, size_t argsz)
{
@@ -1572,6 +1591,8 @@ int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
return vfio_pci_core_feature_token(vdev, flags, arg, argsz);
case VFIO_DEVICE_FEATURE_DMA_BUF:
return vfio_pci_core_feature_dma_buf(vdev, flags, arg, argsz);
+ case VFIO_DEVICE_FEATURE_TPH_ENABLE:
+ return vfio_pci_core_feature_tph_enable(vdev, flags, argsz);
default:
return -ENOTTY;
}
@@ -2615,11 +2636,13 @@ static void vfio_pci_dev_set_try_reset(struct vfio_device_set *dev_set)
}
void vfio_pci_core_set_params(bool is_nointxmask, bool is_disable_vga,
- bool is_disable_idle_d3)
+ bool is_disable_idle_d3,
+ bool is_enable_unsafe_tph)
{
nointxmask = is_nointxmask;
disable_vga = is_disable_vga;
disable_idle_d3 = is_disable_idle_d3;
+ enable_unsafe_tph = is_enable_unsafe_tph;
}
EXPORT_SYMBOL_GPL(vfio_pci_core_set_params);
diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
index 5fc6ce4dd786..d551e530dd86 100644
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -128,6 +128,7 @@ struct vfio_pci_core_device {
bool pm_intx_masked:1;
bool pm_runtime_engaged:1;
bool sriov_active;
+ bool tph_permit;
struct pci_saved_state *pci_saved_state;
struct pci_saved_state *pm_save;
int ioeventfds_nr;
@@ -158,7 +159,8 @@ int vfio_pci_core_register_dev_region(struct vfio_pci_core_device *vdev,
const struct vfio_pci_regops *ops,
size_t size, u32 flags, void *data);
void vfio_pci_core_set_params(bool nointxmask, bool is_disable_vga,
- bool is_disable_idle_d3);
+ bool is_disable_idle_d3,
+ bool is_enable_unsafe_tph);
void vfio_pci_core_close_device(struct vfio_device *core_vdev);
int vfio_pci_core_init_dev(struct vfio_device *core_vdev);
void vfio_pci_core_release_dev(struct vfio_device *core_vdev);
diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
index 5de618a3a5ee..e5a4d1d7091b 100644
--- a/include/uapi/linux/vfio.h
+++ b/include/uapi/linux/vfio.h
@@ -1534,6 +1534,13 @@ struct vfio_device_feature_dma_buf {
*/
#define VFIO_DEVICE_FEATURE_MIG_PRECOPY_INFOv2 12
+/*
+ * Device-level opt-in for TPH (Transaction Processing Hints) support.
+ * When set, allows access to TPH_CPU_ST and TPH_ST_CONFIG features.
+ * Requires global enable_unsafe_tph module parameter to be enabled.
+ */
+#define VFIO_DEVICE_FEATURE_TPH_ENABLE 13
+
/* -------- API for Type1 VFIO IOMMU -------- */
/**
--
2.17.1
^ permalink raw reply related
* [PATCH v18 11/12] vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Add a new VFIO device feature VFIO_DEVICE_FEATURE_TPH_ST_CONFIG to allow
userspace to configure PCIe TPH Steering Tag table entries. This interface
supports only configuration writes, read operations are not permitted.
Implement shadow ST table to cache entries, paired with per-device mutex
for concurrent access protection. Batch write failure triggers entry
rollback to guarantee hardware and shadow table consistency.
The feature is double gated:
1. Global enable_unsafe_tph module parameter must be enabled;
2. Userspace needs to firstly SET VFIO_DEVICE_FEATURE_TPH_ENABLE
to set per-device tph_permit flag before using TPH_CPU_CONFIG.
Design note for Sashiko reset shadow table warning:
Do not clear tph_st_shadow on FLR/device reset. Userspace VFIO application
can detect hardware reset events and re-initialize full ST table
configuration to sync shadow cache with hardware state afterward. Retain
cached ST entries to support offline error diagnosis and post-reset
recovery.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/vfio/pci/vfio_pci_config.c | 1 -
drivers/vfio/pci/vfio_pci_core.c | 128 +++++++++++++++++++++++++++++
include/linux/vfio_pci_core.h | 2 +
include/uapi/linux/vfio.h | 22 +++++
4 files changed, 152 insertions(+), 1 deletion(-)
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index 251d3ec7fdd4..5c6ab172df6c 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1783,7 +1783,6 @@ int vfio_config_init(struct vfio_pci_core_device *vdev)
goto out;
vdev->bardirty = true;
- vdev->tph_permit = false;
/*
* XXX can we just pci_load_saved_state/pci_restore_state?
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index b0193afca875..c327eff8e9cc 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -29,6 +29,7 @@
#include <linux/sched/mm.h>
#include <linux/iommufd.h>
#include <linux/pci-p2pdma.h>
+#include <linux/pci-tph.h>
#if IS_ENABLED(CONFIG_EEH)
#include <asm/eeh.h>
#endif
@@ -532,6 +533,52 @@ static const struct dev_pm_ops vfio_pci_core_pm_ops = {
NULL)
};
+static int vfio_pci_tph_st_shadow_size(struct vfio_pci_core_device *vdev)
+{
+ struct pci_dev *pdev = vdev->pdev;
+ u32 loc = pcie_tph_get_st_table_loc(pdev);
+ int ret;
+
+ if (loc == PCI_TPH_LOC_CAP) {
+ return pcie_tph_get_st_table_size(pdev);
+ } else if (loc == PCI_TPH_LOC_MSIX) {
+ ret = pci_msix_vec_count(pdev);
+ if (ret < 0)
+ return 0;
+ return ret;
+ } else {
+ return 0;
+ }
+}
+
+static int vfio_pci_tph_init(struct vfio_pci_core_device *vdev)
+{
+ vdev->tph_st_entries = 0;
+ vdev->tph_st_shadow = NULL;
+ vdev->tph_permit = false;
+
+ if (!enable_unsafe_tph)
+ return 0;
+
+ vdev->tph_st_entries = vfio_pci_tph_st_shadow_size(vdev);
+ if (vdev->tph_st_entries) {
+ vdev->tph_st_shadow = kcalloc(vdev->tph_st_entries, sizeof(u16),
+ GFP_KERNEL_ACCOUNT);
+ if (!vdev->tph_st_shadow)
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
+static void vfio_pci_tph_deinit(struct vfio_pci_core_device *vdev)
+{
+ kfree(vdev->tph_st_shadow);
+ vdev->tph_st_shadow = NULL;
+ vdev->tph_st_entries = 0;
+ vdev->tph_permit = false;
+}
+
int vfio_pci_core_enable(struct vfio_pci_core_device *vdev)
{
struct pci_dev *pdev = vdev->pdev;
@@ -558,6 +605,11 @@ int vfio_pci_core_enable(struct vfio_pci_core_device *vdev)
goto out_disable_device;
vdev->reset_works = !ret;
+
+ ret = vfio_pci_tph_init(vdev);
+ if (ret)
+ goto out_disable_device;
+
pci_save_state(pdev);
vdev->pci_saved_state = pci_store_saved_state(pdev);
if (!vdev->pci_saved_state)
@@ -615,6 +667,7 @@ int vfio_pci_core_enable(struct vfio_pci_core_device *vdev)
out_free_state:
kfree(vdev->pci_saved_state);
vdev->pci_saved_state = NULL;
+ vfio_pci_tph_deinit(vdev);
out_disable_device:
pci_disable_device(pdev);
out_power:
@@ -683,6 +736,7 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
kfree(vdev->region);
vdev->region = NULL; /* don't krealloc a freed pointer */
+ vfio_pci_tph_deinit(vdev);
vfio_config_free(vdev);
for (i = 0; i < PCI_STD_NUM_BARS; i++) {
@@ -1573,6 +1627,77 @@ static int vfio_pci_core_feature_tph_enable(struct vfio_pci_core_device *vdev,
return 0;
}
+static int vfio_pci_core_feature_tph_st_config(
+ struct vfio_pci_core_device *vdev,
+ u32 flags,
+ struct vfio_device_feature_tph_st_config __user *arg,
+ size_t argsz)
+{
+ struct vfio_device_feature_tph_st_config config;
+ struct pci_dev *pdev = vdev->pdev;
+ void __user *uptr;
+ int i, idx, ret;
+ size_t sz;
+ u16 *sts;
+
+ if (!enable_unsafe_tph)
+ return -EOPNOTSUPP;
+
+ ret = vfio_check_feature(flags, argsz, VFIO_DEVICE_FEATURE_SET,
+ sizeof(config));
+ if (ret <= 0)
+ return ret;
+
+ if (!vdev->tph_permit || !vdev->tph_st_shadow)
+ return -EINVAL;
+
+ if (copy_from_user(&config, arg, sizeof(config)))
+ return -EFAULT;
+
+ if (config.count == 0 || config.reserved != 0 ||
+ config.index >= vdev->tph_st_entries ||
+ config.count > vdev->tph_st_entries - config.index)
+ return -EINVAL;
+
+ uptr = u64_to_user_ptr(config.data_uptr);
+ sts = memdup_array_user(uptr, config.count, sizeof(u16));
+ sz = config.count * sizeof(u16);
+ if (IS_ERR(sts))
+ return PTR_ERR(sts);
+
+ down_write(&vdev->memory_lock);
+ ret = vfio_pci_set_power_state(vdev, PCI_D0);
+ if (ret)
+ goto out_unlock_memory;
+
+ if (pcie_tph_enabled_req_type(pdev) == PCI_TPH_REQ_DISABLE)
+ goto update_shadow;
+
+ for (i = 0; i < config.count; i++) {
+ idx = config.index + i;
+ ret = pcie_tph_set_st_entry(pdev, idx, sts[i]);
+ if (ret)
+ goto rollback;
+ }
+
+update_shadow:
+ memcpy(&vdev->tph_st_shadow[config.index], sts, sz);
+ ret = 0;
+ goto out_unlock_memory;
+
+rollback:
+ while (i-- > 0) {
+ idx = config.index + i;
+ pcie_tph_set_st_entry(pdev, idx, vdev->tph_st_shadow[idx]);
+ }
+
+out_unlock_memory:
+ up_write(&vdev->memory_lock);
+
+ kfree(sts);
+ return ret;
+}
+
int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
void __user *arg, size_t argsz)
{
@@ -1593,6 +1718,9 @@ int vfio_pci_core_ioctl_feature(struct vfio_device *device, u32 flags,
return vfio_pci_core_feature_dma_buf(vdev, flags, arg, argsz);
case VFIO_DEVICE_FEATURE_TPH_ENABLE:
return vfio_pci_core_feature_tph_enable(vdev, flags, argsz);
+ case VFIO_DEVICE_FEATURE_TPH_ST_CONFIG:
+ return vfio_pci_core_feature_tph_st_config(vdev, flags,
+ arg, argsz);
default:
return -ENOTTY;
}
diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h
index d551e530dd86..527c84f042aa 100644
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -144,6 +144,8 @@ struct vfio_pci_core_device {
struct notifier_block nb;
struct rw_semaphore memory_lock;
struct list_head dmabufs;
+ u16 *tph_st_shadow;
+ u16 tph_st_entries;
};
enum vfio_pci_io_width {
diff --git a/include/uapi/linux/vfio.h b/include/uapi/linux/vfio.h
index e5a4d1d7091b..61079594a91f 100644
--- a/include/uapi/linux/vfio.h
+++ b/include/uapi/linux/vfio.h
@@ -1541,6 +1541,28 @@ struct vfio_device_feature_dma_buf {
*/
#define VFIO_DEVICE_FEATURE_TPH_ENABLE 13
+/**
+ * VFIO_DEVICE_FEATURE_TPH_ST_CONFIG - Configure PCIe TPH Steering Tag entries
+ *
+ * Provides userspace interface to configure PCIe TPH ST table entries.
+ *
+ * @index: Start entry offset within ST table
+ * @count: Number of consecutive entries to configure
+ * @data_uptr: Userspace data buffer for 16-bit raw ST values
+ *
+ * This feature requires two preconditions:
+ * 1. Global enable_unsafe_tph module parameter is enabled;
+ * 2. VFIO_DEVICE_FEATURE_TPH_ENABLE has been SET on the device beforehand.
+ */
+#define VFIO_DEVICE_FEATURE_TPH_ST_CONFIG 14
+
+struct vfio_device_feature_tph_st_config {
+ __u16 index;
+ __u16 count;
+ __u32 reserved; /* Reserved for future use, must be zero */
+ __aligned_u64 data_uptr;
+};
+
/* -------- API for Type1 VFIO IOMMU -------- */
/**
--
2.17.1
^ permalink raw reply related
* [PATCH v18 05/12] PCI/TPH: Refactor pcie_tph_get_cpu_st & add explicit variant
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Refactor pcie_tph_get_cpu_st(): extract core logic into static internal
get_cpu_st() helper accepting explicit requester type parameter.
- Preserve original pcie_tph_get_cpu_st() unchanged as auto wrapper; it
uses existing pdev->tph_req_type automatically, existing callers require
no change.
- Add exported pcie_tph_get_cpu_st_explicit() with bool 'extended'
parameter for manual STD/EXT requester selection, consumed by upcoming
VFIO TPH code.
- Add capability check: reject explicit EXT request when device does not
support extended TPH requester.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/pci/tph.c | 68 ++++++++++++++++++++++++++++++-----------
include/linux/pci-tph.h | 7 +++++
2 files changed, 57 insertions(+), 18 deletions(-)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index 51009ac9b379..aca08671fdfe 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -231,21 +231,8 @@ static int write_tag_to_st_table(struct pci_dev *pdev, int index, u16 tag)
return pci_write_config_word(pdev, offset, tag);
}
-/**
- * pcie_tph_get_cpu_st() - Retrieve Steering Tag for a target memory associated
- * with a specific CPU
- * @pdev: PCI device
- * @mem_type: target memory type (volatile or persistent RAM)
- * @cpu: associated CPU id
- * @tag: Steering Tag to be returned
- *
- * Return the Steering Tag for a target memory that is associated with a
- * specific CPU as indicated by cpu.
- *
- * Return: 0 if success, otherwise negative value (-errno)
- */
-int pcie_tph_get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
- unsigned int cpu, u16 *tag)
+static int get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
+ u8 req_type, unsigned int cpu, u16 *tag)
{
#ifdef CONFIG_ACPI
struct pci_dev *rp;
@@ -269,19 +256,64 @@ int pcie_tph_get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
return -EINVAL;
}
- *tag = tph_extract_tag(mem_type, pdev->tph_req_type, &info);
+ *tag = tph_extract_tag(mem_type, req_type, &info);
- pci_dbg(pdev, "get steering tag: mem_type=%s, cpu=%d, tag=%#04x\n",
+ pci_dbg(pdev, "get steering tag: mem_type=%s, req_type=%u, cpu=%d, tag=%#04x\n",
(mem_type == TPH_MEM_TYPE_VM) ? "volatile" : "persistent",
- cpu, *tag);
+ req_type, cpu, *tag);
return 0;
#else
return -ENODEV;
#endif
}
+
+/**
+ * pcie_tph_get_cpu_st() - Retrieve Steering Tag for a target memory associated
+ * with a specific CPU
+ * @pdev: PCI device
+ * @mem_type: target memory type (volatile or persistent RAM)
+ * @cpu: associated CPU id
+ * @tag: Steering Tag to be returned
+ *
+ * Return the Steering Tag for a target memory that is associated with a
+ * specific CPU as indicated by cpu.
+ *
+ * Return: 0 if success, otherwise negative value (-errno)
+ */
+int pcie_tph_get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
+ unsigned int cpu, u16 *tag)
+{
+ return get_cpu_st(pdev, mem_type, pdev->tph_req_type, cpu, tag);
+}
EXPORT_SYMBOL(pcie_tph_get_cpu_st);
+/**
+ * pcie_tph_get_cpu_st_explicit - Get ST with explicit requester type
+ * @pdev: PCI device
+ * @mem_type: target memory type (volatile or persistent RAM)
+ * @extended: true=EXT_TPH, false=standard TPH only
+ * @cpu: associated CPU id
+ * @tag: output steering tag pointer
+ *
+ * Unlike auto pcie_tph_get_cpu_st(), caller manually picks requester type.
+ * Rejects EXT request if device lacks extended requester capability.
+ *
+ * Return: 0 on success, negative errno on failure.
+ */
+int pcie_tph_get_cpu_st_explicit(struct pci_dev *pdev,
+ enum tph_mem_type mem_type,
+ bool extended, unsigned int cpu, u16 *tag)
+{
+ u8 req_type = extended ? PCI_TPH_REQ_EXT_TPH : PCI_TPH_REQ_TPH_ONLY;
+
+ if (extended && !pdev->tph_ext_support)
+ return -EINVAL;
+
+ return get_cpu_st(pdev, mem_type, req_type, cpu, tag);
+}
+EXPORT_SYMBOL(pcie_tph_get_cpu_st_explicit);
+
/**
* pcie_tph_set_st_entry() - Set Steering Tag in the ST table entry
* @pdev: PCI device
diff --git a/include/linux/pci-tph.h b/include/linux/pci-tph.h
index ca0faa98afac..1a508b3d511f 100644
--- a/include/linux/pci-tph.h
+++ b/include/linux/pci-tph.h
@@ -27,6 +27,9 @@ int pcie_tph_set_st_entry(struct pci_dev *pdev,
int pcie_tph_get_cpu_st(struct pci_dev *dev,
enum tph_mem_type mem_type,
unsigned int cpu, u16 *tag);
+int pcie_tph_get_cpu_st_explicit(struct pci_dev *pdev,
+ enum tph_mem_type mem_type,
+ bool extended, unsigned int cpu, u16 *tag);
void pcie_disable_tph(struct pci_dev *pdev);
int pcie_enable_tph(struct pci_dev *pdev, int mode);
int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended);
@@ -40,6 +43,10 @@ static inline int pcie_tph_get_cpu_st(struct pci_dev *dev,
enum tph_mem_type mem_type,
unsigned int cpu, u16 *tag)
{ return -EINVAL; }
+static inline int pcie_tph_get_cpu_st_explicit(struct pci_dev *pdev,
+ enum tph_mem_type mem_type,
+ bool extended, unsigned int cpu, u16 *tag)
+{ return -EINVAL; }
static inline void pcie_disable_tph(struct pci_dev *pdev) { }
static inline int pcie_enable_tph(struct pci_dev *pdev, int mode)
{ return -EINVAL; }
--
2.17.1
^ permalink raw reply related
* [PATCH v18 01/12] PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
pcie_tph_get_st_table_loc() incorrectly uses FIELD_GET(), which shifts the
field value to bit 0. But the function is designed to return raw
PCI_TPH_LOC_* values as defined in the function comment.
This causes incorrect ST table location detection. Fix it by using bitwise
AND with PCI_TPH_CAP_LOC_MASK to return the unshifted field value matching
the function specification.
This doesn't make a difference to mlx5_st_create(), the lone external
caller, because it only checks for PCI_TPH_LOC_NONE (0), but will be needed
for callers that check for PCI_TPH_LOC_CAP or PCI_TPH_LOC_MSIX.
Also add tph_cap validation for pcie_tph_get_st_table_loc() to prevent
invalid PCI configuration space access when TPH is not supported. Add stub
functions for pcie_tph_get_st_table_size() and pcie_tph_get_st_table_loc()
when !CONFIG_PCIE_TPH.
Fixes: d2e8a34876ce ("PCI/TPH: Add Steering Tag support")
Cc: stable@vger.kernel.org
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
Reviewed-by: Alex Williamson <alex.williamson@nvidia.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
---
drivers/pci/tph.c | 12 +++++-------
include/linux/pci-tph.h | 5 +++++
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index 91145e8d9d95..bef3a55539c4 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -166,11 +166,14 @@ static u8 get_st_modes(struct pci_dev *pdev)
*/
u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev)
{
- u32 reg;
+ u32 reg = 0;
+
+ if (!pdev->tph_cap)
+ return PCI_TPH_LOC_NONE;
pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CAP, ®);
- return FIELD_GET(PCI_TPH_CAP_LOC_MASK, reg);
+ return reg & PCI_TPH_CAP_LOC_MASK;
}
EXPORT_SYMBOL(pcie_tph_get_st_table_loc);
@@ -185,9 +188,6 @@ u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)
/* Check ST table location first */
loc = pcie_tph_get_st_table_loc(pdev);
-
- /* Convert loc to match with PCI_TPH_LOC_* defined in pci_regs.h */
- loc = FIELD_PREP(PCI_TPH_CAP_LOC_MASK, loc);
if (loc != PCI_TPH_LOC_CAP)
return 0;
@@ -316,8 +316,6 @@ int pcie_tph_set_st_entry(struct pci_dev *pdev, unsigned int index, u16 tag)
set_ctrl_reg_req_en(pdev, PCI_TPH_REQ_DISABLE);
loc = pcie_tph_get_st_table_loc(pdev);
- /* Convert loc to match with PCI_TPH_LOC_* */
- loc = FIELD_PREP(PCI_TPH_CAP_LOC_MASK, loc);
switch (loc) {
case PCI_TPH_LOC_MSIX:
diff --git a/include/linux/pci-tph.h b/include/linux/pci-tph.h
index be68cd17f2f8..6f02b020d7d7 100644
--- a/include/linux/pci-tph.h
+++ b/include/linux/pci-tph.h
@@ -8,6 +8,7 @@
*/
#ifndef LINUX_PCI_TPH_H
#define LINUX_PCI_TPH_H
+#include <linux/pci.h>
/*
* According to the ECN for PCI Firmware Spec, Steering Tag can be different
@@ -41,6 +42,10 @@ static inline int pcie_tph_get_cpu_st(struct pci_dev *dev,
static inline void pcie_disable_tph(struct pci_dev *pdev) { }
static inline int pcie_enable_tph(struct pci_dev *pdev, int mode)
{ return -EINVAL; }
+static inline u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)
+{ return 0; }
+static inline u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev)
+{ return PCI_TPH_LOC_NONE; }
#endif
#endif /* LINUX_PCI_TPH_H */
--
2.17.1
^ permalink raw reply related
* [PATCH v18 09/12] vfio/pci: Hide TPH capability when TPH is unsupported
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Check the device negotiated TPH support status before parsing the TPH
extended capability. Return zero length to hide the capability from
userspace if TPH is disabled during topology negotiation.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/vfio/pci/vfio_pci_config.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index a10ed733f0e3..5c6ab172df6c 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -22,6 +22,7 @@
#include <linux/fs.h>
#include <linux/pci.h>
+#include <linux/pci-tph.h>
#include <linux/uaccess.h>
#include <linux/vfio.h>
#include <linux/slab.h>
@@ -1450,6 +1451,8 @@ static int vfio_ext_cap_len(struct vfio_pci_core_device *vdev, u16 ecap, u16 epo
byte &= PCI_DPA_CAP_SUBSTATE_MASK;
return PCI_DPA_BASE_SIZEOF + byte + 1;
case PCI_EXT_CAP_ID_TPH:
+ if (!pcie_tph_supported(pdev, false))
+ return 0;
ret = pci_read_config_dword(pdev, epos + PCI_TPH_CAP, &dword);
if (ret)
return pcibios_err_to_errno(ret);
--
2.17.1
^ permalink raw reply related
* [PATCH v18 07/12] PCI/TPH: Add pcie_tph_supported() helper to check TPH capability attributes
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Add new helper pcie_tph_supported() with want_ext parameter:
- want_ext = false: Check if device has valid TPH capability;
- want_ext = true: Check hardware Extended TPH support.
This helper is prepared for follow-up VFIO TPH virtualization patches to
uniformly query basic TPH existence and Extended TPH capability.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/pci/tph.c | 19 +++++++++++++++++++
include/linux/pci-tph.h | 3 +++
2 files changed, 22 insertions(+)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index 6c4623cacc85..95280aab4fb5 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -600,3 +600,22 @@ void pci_tph_init(struct pci_dev *pdev)
save_size = sizeof(u32) + num_entries * sizeof(u16);
pci_add_ext_cap_save_buffer(pdev, PCI_EXT_CAP_ID_TPH, save_size);
}
+
+/**
+ * pcie_tph_supported - Check TPH capability attribute
+ * @pdev: PCI device to query
+ * @want_ext: false - check TPH cap exists; true - check EXT_TPH support
+ *
+ * Return: true on matched condition, false otherwise
+ */
+bool pcie_tph_supported(struct pci_dev *pdev, bool want_ext)
+{
+ if (!pdev->tph_cap)
+ return false;
+
+ if (!want_ext)
+ return true;
+
+ return pdev->tph_ext_support;
+}
+EXPORT_SYMBOL(pcie_tph_supported);
diff --git a/include/linux/pci-tph.h b/include/linux/pci-tph.h
index e4f7045fc152..5917a0694c1d 100644
--- a/include/linux/pci-tph.h
+++ b/include/linux/pci-tph.h
@@ -36,6 +36,7 @@ int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended);
u8 pcie_tph_enabled_req_type(struct pci_dev *pdev);
u16 pcie_tph_get_st_table_size(struct pci_dev *pdev);
u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev);
+bool pcie_tph_supported(struct pci_dev *pdev, bool want_ext);
#else
static inline int pcie_tph_set_st_entry(struct pci_dev *pdev,
unsigned int index, u16 tag)
@@ -60,6 +61,8 @@ static inline u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)
{ return 0; }
static inline u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev)
{ return PCI_TPH_LOC_NONE; }
+static inline bool pcie_tph_supported(struct pci_dev *pdev, bool want_ext)
+{ return false; }
#endif
#endif /* LINUX_PCI_TPH_H */
--
2.17.1
^ permalink raw reply related
* [PATCH v18 12/12] vfio/pci: Virtualize PCIe TPH capability registers
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Virtualize TPH extended capability config space registers:
- Original TPH capability was fully read-only; now split permission:
TPH_CAP header remains read-only, TPH_CTRL register supports write to
toggle TPH requester enable mode.
- Block direct ST-table programming via config space write access: all ST
entry configuration is restricted to VFIO_DEVICE_FEATURE_TPH_ST_CONFIG
feature exclusively after userspace SET TPH_ENABLE opt-in.
- Backup original virtual config value and revert vconfig if hardware TPH
enable operation fails or invalid requester mode is configured.
- After TPH requester gets enabled via CTRL write, sync cached shadow ST
table down to physical hardware with memory_lock protection and PCI D0
power check.
Add vconfig masking to hide EXT_TPH capability bit if underlying hardware
does not support extended TPH via new vfio_tph_mask_ext_tph_bit helper.
Reset hardware TPH state on device open/close to eliminate cross-session
TPH configuration leakage between different VM lifecycles.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/vfio/pci/vfio_pci_config.c | 117 +++++++++++++++++++++++++++++
drivers/vfio/pci/vfio_pci_core.c | 4 +
2 files changed, 121 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index 5c6ab172df6c..10f4e9fabea7 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1086,6 +1086,118 @@ static int __init init_pci_ext_cap_pwr_perm(struct perm_bits *perm)
return 0;
}
+/* Permissions for TPH extended capability */
+static int __init init_pci_ext_cap_tph_perm(struct perm_bits *perm)
+{
+ int i;
+
+ if (alloc_perm_bits(perm, pci_ext_cap_length[PCI_EXT_CAP_ID_TPH]))
+ return -ENOMEM;
+
+ p_setd(perm, 0, ALL_VIRT, NO_WRITE);
+ p_setd(perm, PCI_TPH_CAP, ALL_VIRT, NO_WRITE);
+
+ p_setd(perm, PCI_TPH_CTRL, ALL_VIRT, ALL_WRITE);
+
+ /* Per PCI specification: There is an upper limit of 64 entries
+ * when the ST table is located in the TPH Requester Extended
+ * Capability structure.
+ * And the pci_ext_cap_length[PCI_EXT_CAP_ID_TPH] is 0xFF, so the
+ * following operation is fine.
+ */
+ for (i = 0; i < 64; i++)
+ p_setw(perm, PCI_TPH_BASE_SIZEOF + i * sizeof(u16),
+ (u16)ALL_VIRT, (u16)ALL_WRITE);
+
+ return 0;
+}
+
+static void vfio_tph_mask_ext_tph_bit(struct vfio_pci_core_device *vdev,
+ int pos)
+{
+ __le32 *vptr = (__le32 *)&vdev->vconfig[pos + PCI_TPH_CAP];
+ struct pci_dev *pdev = vdev->pdev;
+ u32 val;
+
+ if (!pcie_tph_supported(pdev, true)) {
+ val = le32_to_cpu(*vptr);
+ val &= ~PCI_TPH_CAP_EXT_TPH;
+ *vptr = cpu_to_le32(val);
+ }
+}
+
+static int vfio_find_cap_start(struct vfio_pci_core_device *vdev, int pos);
+static int vfio_tph_config_write(struct vfio_pci_core_device *vdev, int pos,
+ int count, struct perm_bits *perm,
+ int offset, __le32 val)
+{
+ int req_en_byte = PCI_TPH_CTRL + 1;
+ struct pci_dev *pdev = vdev->pdev;
+ __le32 org_val = 0;
+ bool extended;
+ u8 mode, req;
+ int i, ret;
+ u16 start;
+ u32 data;
+
+ if (!vdev->tph_permit)
+ return count;
+
+ down_write(&vdev->memory_lock);
+
+ /* Back up the original values in order rollback when fail */
+ if (offset <= req_en_byte && offset + count > req_en_byte)
+ vfio_default_config_read(vdev, pos, count, perm, offset,
+ &org_val);
+
+ ret = vfio_default_config_write(vdev, pos, count, perm, offset, val);
+ if (ret != count) {
+ up_write(&vdev->memory_lock);
+ return ret;
+ }
+
+ /* Skip if write range does not cover Requester Enable byte */
+ if (offset > req_en_byte || offset + count <= req_en_byte) {
+ up_write(&vdev->memory_lock);
+ return count;
+ }
+
+ ret = vfio_pci_set_power_state(vdev, PCI_D0);
+ if (ret) {
+ vfio_default_config_write(vdev, pos, count, perm, offset,
+ org_val);
+ up_write(&vdev->memory_lock);
+ return count;
+ }
+
+ start = vfio_find_cap_start(vdev, pos);
+ data = le32_to_cpu(*(__le32 *)&vdev->vconfig[start + PCI_TPH_CTRL]);
+ mode = FIELD_GET(PCI_TPH_CTRL_MODE_SEL_MASK, data);
+ req = FIELD_GET(PCI_TPH_CTRL_REQ_EN_MASK, data);
+
+ if (req == PCI_TPH_REQ_TPH_ONLY || req == PCI_TPH_REQ_EXT_TPH) {
+ extended = !!(req == PCI_TPH_REQ_EXT_TPH);
+ ret = pcie_enable_tph_explicit(pdev, mode, extended);
+ if (!ret && vdev->tph_st_shadow) {
+ for (i = 0; i < vdev->tph_st_entries; i++)
+ pcie_tph_set_st_entry(pdev, i,
+ vdev->tph_st_shadow[i]);
+ }
+ if (ret)
+ vfio_default_config_write(vdev, pos, count, perm,
+ offset, org_val);
+ } else if (req == PCI_TPH_REQ_DISABLE) {
+ pcie_disable_tph(vdev->pdev);
+ } else {
+ vfio_default_config_write(vdev, pos, count, perm, offset,
+ org_val);
+ }
+
+ up_write(&vdev->memory_lock);
+
+ return count;
+}
+
/*
* Initialize the shared permission tables
*/
@@ -1101,6 +1213,7 @@ void vfio_pci_uninit_perm_bits(void)
free_perm_bits(&ecap_perms[PCI_EXT_CAP_ID_ERR]);
free_perm_bits(&ecap_perms[PCI_EXT_CAP_ID_PWR]);
+ free_perm_bits(&ecap_perms[PCI_EXT_CAP_ID_TPH]);
}
int __init vfio_pci_init_perm_bits(void)
@@ -1121,6 +1234,8 @@ int __init vfio_pci_init_perm_bits(void)
/* Extended capabilities */
ret |= init_pci_ext_cap_err_perm(&ecap_perms[PCI_EXT_CAP_ID_ERR]);
ret |= init_pci_ext_cap_pwr_perm(&ecap_perms[PCI_EXT_CAP_ID_PWR]);
+ ret |= init_pci_ext_cap_tph_perm(&ecap_perms[PCI_EXT_CAP_ID_TPH]);
+ ecap_perms[PCI_EXT_CAP_ID_TPH].writefn = vfio_tph_config_write;
ecap_perms[PCI_EXT_CAP_ID_VNDR].writefn = vfio_raw_config_write;
ecap_perms[PCI_EXT_CAP_ID_DVSEC].writefn = vfio_raw_config_write;
@@ -1704,6 +1819,8 @@ static int vfio_ecap_init(struct vfio_pci_core_device *vdev)
ret = vfio_fill_vconfig_bytes(vdev, epos, len);
if (ret)
return ret;
+ if (ecap == PCI_EXT_CAP_ID_TPH && !hidden)
+ vfio_tph_mask_ext_tph_bit(vdev, epos);
/*
* If we're just using this capability to anchor the list,
diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c
index c327eff8e9cc..1e706a690dbd 100644
--- a/drivers/vfio/pci/vfio_pci_core.c
+++ b/drivers/vfio/pci/vfio_pci_core.c
@@ -606,6 +606,8 @@ int vfio_pci_core_enable(struct vfio_pci_core_device *vdev)
vdev->reset_works = !ret;
+ /* Reset TPH status on new user session */
+ pcie_disable_tph(vdev->pdev);
ret = vfio_pci_tph_init(vdev);
if (ret)
goto out_disable_device;
@@ -736,6 +738,8 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev)
kfree(vdev->region);
vdev->region = NULL; /* don't krealloc a freed pointer */
+ /* Reset TPH status on session exit */
+ pcie_disable_tph(vdev->pdev);
vfio_pci_tph_deinit(vdev);
vfio_config_free(vdev);
--
2.17.1
^ permalink raw reply related
* [PATCH v18 06/12] PCI/TPH: Expose the enabled TPH requester type
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
From: Zhiping Zhang <zhipingz@meta.com>
Add pcie_tph_enabled_req_type() so drivers can query the enabled TPH
requester mode without reaching into pci_dev internals.
Signed-off-by: Zhiping Zhang <zhipingz@meta.com>
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/pci/tph.c | 12 ++++++++++++
include/linux/pci-tph.h | 3 +++
2 files changed, 15 insertions(+)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index aca08671fdfe..6c4623cacc85 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -483,6 +483,18 @@ int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended)
}
EXPORT_SYMBOL(pcie_enable_tph_explicit);
+/**
+ * pcie_tph_enabled_req_type - Return the device's enabled TPH requester type
+ * @pdev: PCI device to query
+ *
+ * Return: PCI_TPH_REQ_DISABLE, PCI_TPH_REQ_TPH_ONLY or PCI_TPH_REQ_EXT_TPH.
+ */
+u8 pcie_tph_enabled_req_type(struct pci_dev *pdev)
+{
+ return pdev->tph_req_type;
+}
+EXPORT_SYMBOL(pcie_tph_enabled_req_type);
+
void pci_restore_tph_state(struct pci_dev *pdev)
{
struct pci_cap_saved_state *save_state;
diff --git a/include/linux/pci-tph.h b/include/linux/pci-tph.h
index 1a508b3d511f..e4f7045fc152 100644
--- a/include/linux/pci-tph.h
+++ b/include/linux/pci-tph.h
@@ -33,6 +33,7 @@ int pcie_tph_get_cpu_st_explicit(struct pci_dev *pdev,
void pcie_disable_tph(struct pci_dev *pdev);
int pcie_enable_tph(struct pci_dev *pdev, int mode);
int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended);
+u8 pcie_tph_enabled_req_type(struct pci_dev *pdev);
u16 pcie_tph_get_st_table_size(struct pci_dev *pdev);
u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev);
#else
@@ -47,6 +48,8 @@ static inline int pcie_tph_get_cpu_st_explicit(struct pci_dev *pdev,
enum tph_mem_type mem_type,
bool extended, unsigned int cpu, u16 *tag)
{ return -EINVAL; }
+static inline u8 pcie_tph_enabled_req_type(struct pci_dev *pdev)
+{ return PCI_TPH_REQ_DISABLE; }
static inline void pcie_disable_tph(struct pci_dev *pdev) { }
static inline int pcie_enable_tph(struct pci_dev *pdev, int mode)
{ return -EINVAL; }
--
2.17.1
^ permalink raw reply related
* [PATCH v18 08/12] PCI/TPH: Add sysfs binary file to export CPU to steering-tag mapping
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Add per-Root-Port-only sysfs binary attribute tph_cpu_st to expose ACPI
DSM CPU-to-ST mapping to userspace, addressing concerns that VFIO should
not host CPU steering tag translation interfaces.
ABI: /sys/bus/pci/devices/<root-port-bdf>/tph_cpu_st
- Read-only root-only (0400) binary blob;
- Each entry is packed 8-byte struct pci_tph_cpu_st defined in uapi/pci.h;
- Support arbitrary offset partial read/sub-field extraction;
- Non-present/impossible CPUs return zero-filled entries to avoid
sequential read abort on sparse CPU topology;
- Insert cond_resched() in read loop to avoid soft lockup when dumping full
blob.
Dynamic visibility rules enforced via is_bin_visible:
1. Only expose file on PCIe Root Port devices, hide on all endpoints;
2. Root Port must implement TPH Completer capability in DevCap2;
3. Platform must provide valid ACPI DSM for CPU-to-ST mapping.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
Documentation/ABI/testing/sysfs-bus-pci | 24 ++++
drivers/pci/pci-sysfs.c | 3 +
drivers/pci/pci.h | 4 +
drivers/pci/tph.c | 151 +++++++++++++++++++++---
include/uapi/linux/pci.h | 16 +++
5 files changed, 183 insertions(+), 15 deletions(-)
diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci
index b767db2c52cb..edc64e4e5640 100644
--- a/Documentation/ABI/testing/sysfs-bus-pci
+++ b/Documentation/ABI/testing/sysfs-bus-pci
@@ -702,3 +702,27 @@ Description:
When present and the tsm/ attribute directory is present, the
authenticated attribute is an alias for the device 'connect'
state. See the 'tsm/connect' attribute for more details.
+
+What: /sys/bus/pci/devices/<root-port-bdf>/tph_cpu_st
+Contact: linux-pci@vger.kernel.org
+Description:
+ Read-only binary attribute only exposed on PCIe Root Ports that
+ support TPH Completer capability and implement the ACPI DSM
+ method for CPU-to-ST mapping. File permission is root-only
+ (0400).
+
+ The blob is a sequence of fixed-size 8-byte entries defined by
+ struct pci_tph_cpu_st in uapi/linux/pci.h:
+ __u8 vm_st;
+ __u8 pm_st;
+ __u16 vm_xst;
+ __u16 pm_xst;
+ __u16 reserved;
+
+ Each entry corresponds to a logical CPU index. Seek offset =
+ cpu_id * PCI_TPH_CPU_ST_ENTRY_SZ. Arbitrary unaligned partial
+ reads are supported; no alignment restriction enforced.
+
+ For CPUs outside cpu_possible_mask or offline CPUs, the entry
+ is filled with all zeros to avoid breaking sequential dump tools
+ like cat/hexdump on sparse CPU topologies.
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
index d37860841260..ad9e4e8d320b 100644
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1832,6 +1832,9 @@ const struct attribute_group *pci_dev_attr_groups[] = {
#ifdef CONFIG_PCI_TSM
&pci_tsm_auth_attr_group,
&pci_tsm_attr_group,
+#endif
+#ifdef CONFIG_PCIE_TPH
+ &pcie_tph_cpu_st_attr_group,
#endif
NULL,
};
diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
index e8ad27abb1cf..1abe7fa1fcc7 100644
--- a/drivers/pci/pci.h
+++ b/drivers/pci/pci.h
@@ -1375,6 +1375,10 @@ static inline pci_power_t acpi_pci_choose_state(struct pci_dev *pdev)
extern const struct attribute_group aspm_ctrl_attr_group;
#endif
+#ifdef CONFIG_PCIE_TPH
+extern const struct attribute_group pcie_tph_cpu_st_attr_group;
+#endif
+
#ifdef CONFIG_X86_INTEL_MID
bool pci_use_mid_pm(void);
int mid_pci_set_power_state(struct pci_dev *pdev, pci_power_t state);
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index 95280aab4fb5..47402d4b8899 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -11,6 +11,7 @@
#include <linux/msi.h>
#include <linux/bitfield.h>
#include <linux/pci-tph.h>
+#include <linux/sched.h>
#include "pci.h"
@@ -130,8 +131,47 @@ static acpi_status tph_invoke_dsm(acpi_handle handle, u32 cpu_uid,
return AE_OK;
}
+
+static int tph_get_cpu_st_info(struct pci_dev *pdev, unsigned int cpu,
+ union st_info *info)
+{
+ acpi_handle rp_acpi_handle;
+ struct pci_dev *rp;
+ u32 cpu_uid;
+ int ret;
+
+ ret = acpi_get_cpu_uid(cpu, &cpu_uid);
+ if (ret != 0)
+ return ret;
+
+ rp = pcie_find_root_port(pdev);
+ if (!rp || !rp->bus || !rp->bus->bridge)
+ return -ENODEV;
+
+ rp_acpi_handle = ACPI_HANDLE(rp->bus->bridge);
+ if (tph_invoke_dsm(rp_acpi_handle, cpu_uid, info) != AE_OK)
+ return -EINVAL;
+
+ return 0;
+}
#endif
+static bool tph_dsm_supported(struct pci_dev *pdev)
+{
+#ifdef CONFIG_ACPI
+ struct pci_dev *rp = pcie_find_root_port(pdev);
+ acpi_handle rp_acpi_handle;
+
+ if (!rp || !rp->bus || !rp->bus->bridge)
+ return false;
+
+ rp_acpi_handle = ACPI_HANDLE(rp->bus->bridge);
+ return acpi_check_dsm(rp_acpi_handle, &pci_acpi_dsm_guid, 7,
+ BIT(TPH_ST_DSM_FUNC_INDEX));
+#endif
+ return false;
+}
+
/* Update the TPH Requester Enable field of TPH Control Register */
static void set_ctrl_reg_req_en(struct pci_dev *pdev, u8 req_type)
{
@@ -231,31 +271,37 @@ static int write_tag_to_st_table(struct pci_dev *pdev, int index, u16 tag)
return pci_write_config_word(pdev, offset, tag);
}
+static int get_cpu_all_st(struct pci_dev *pdev, unsigned int cpu,
+ struct pci_tph_cpu_st *st)
+{
+#ifdef CONFIG_ACPI
+ union st_info info;
+ int ret;
+
+ ret = tph_get_cpu_st_info(pdev, cpu, &info);
+ if (ret == 0) {
+ st->vm_st = info.vm_st_valid ? info.vm_st : 0;
+ st->pm_st = info.pm_st_valid ? info.pm_st : 0;
+ st->vm_xst = info.vm_xst_valid ? info.vm_xst : 0;
+ st->pm_xst = info.pm_xst_valid ? info.pm_xst : 0;
+ }
+
+ return ret;
+#endif
+ return -ENODEV;
+}
+
static int get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
u8 req_type, unsigned int cpu, u16 *tag)
{
#ifdef CONFIG_ACPI
- struct pci_dev *rp;
- acpi_handle rp_acpi_handle;
union st_info info;
- u32 cpu_uid;
int ret;
- ret = acpi_get_cpu_uid(cpu, &cpu_uid);
+ ret = tph_get_cpu_st_info(pdev, cpu, &info);
if (ret != 0)
return ret;
- rp = pcie_find_root_port(pdev);
- if (!rp || !rp->bus || !rp->bus->bridge)
- return -ENODEV;
-
- rp_acpi_handle = ACPI_HANDLE(rp->bus->bridge);
-
- if (tph_invoke_dsm(rp_acpi_handle, cpu_uid, &info) != AE_OK) {
- *tag = 0;
- return -EINVAL;
- }
-
*tag = tph_extract_tag(mem_type, req_type, &info);
pci_dbg(pdev, "get steering tag: mem_type=%s, req_type=%u, cpu=%d, tag=%#04x\n",
@@ -619,3 +665,78 @@ bool pcie_tph_supported(struct pci_dev *pdev, bool want_ext)
return pdev->tph_ext_support;
}
EXPORT_SYMBOL(pcie_tph_supported);
+
+static ssize_t tph_cpu_st_read(struct file *filp, struct kobject *kobj,
+ const struct bin_attribute *bin_attr, char *buf,
+ loff_t off, size_t count)
+{
+ struct pci_dev *pdev = to_pci_dev(kobj_to_dev(kobj));
+ const size_t entry_sz = PCI_TPH_CPU_ST_ENTRY_SZ;
+ const size_t total_size = nr_cpu_ids * entry_sz;
+ size_t copied = 0;
+ loff_t pos = off;
+
+ if (pos >= total_size)
+ return 0;
+
+ count = min_t(size_t, count, total_size - pos);
+
+ while (copied < count) {
+ unsigned int cpu_idx = pos / entry_sz;
+ size_t entry_off = pos % entry_sz;
+ size_t remain = entry_sz - entry_off;
+ size_t chunk = min_t(size_t, remain, count - copied);
+ struct pci_tph_cpu_st st = {0};
+
+ if (cpu_possible(cpu_idx))
+ get_cpu_all_st(pdev, cpu_idx, &st);
+
+ memcpy(buf + copied, (char *)&st + entry_off, chunk);
+
+ copied += chunk;
+ pos += chunk;
+
+ cond_resched();
+ }
+
+ return copied;
+}
+static BIN_ATTR(tph_cpu_st, 0400, tph_cpu_st_read, NULL, 0);
+
+static const struct bin_attribute *const tph_cpu_st_bin_attrs[] = {
+ &bin_attr_tph_cpu_st,
+ NULL,
+};
+
+static size_t tph_cpu_st_bin_size(struct kobject *kobj,
+ const struct bin_attribute *a, int n)
+{
+ return nr_cpu_ids * PCI_TPH_CPU_ST_ENTRY_SZ;
+}
+
+static umode_t tph_cpu_st_attr_is_visible(struct kobject *kobj,
+ const struct bin_attribute *a, int n)
+{
+ struct pci_dev *pdev = to_pci_dev(kobj_to_dev(kobj));
+ bool is_root_port = pci_is_pcie(pdev) &&
+ pci_pcie_type(pdev) == PCI_EXP_TYPE_ROOT_PORT;
+ u32 devcap2 = 0;
+
+ if (!is_root_port)
+ return 0;
+
+ pci_read_config_dword(pdev, PCI_EXP_DEVCAP2, &devcap2);
+ if (!(devcap2 & PCI_EXP_DEVCAP2_TPH_COMP_MASK))
+ return 0;
+
+ if (!tph_dsm_supported(pdev))
+ return 0;
+
+ return a->attr.mode;
+}
+
+const struct attribute_group pcie_tph_cpu_st_attr_group = {
+ .bin_attrs = tph_cpu_st_bin_attrs,
+ .bin_size = tph_cpu_st_bin_size,
+ .is_bin_visible = tph_cpu_st_attr_is_visible,
+};
diff --git a/include/uapi/linux/pci.h b/include/uapi/linux/pci.h
index 4f150028965d..5c4ea44d66d2 100644
--- a/include/uapi/linux/pci.h
+++ b/include/uapi/linux/pci.h
@@ -19,6 +19,7 @@
#define _UAPILINUX_PCI_H
#include <linux/pci_regs.h> /* The pci register defines */
+#include <linux/types.h>
/*
* The PCI interface treats multi-function devices as independent
@@ -46,4 +47,19 @@ enum pci_hotplug_event {
PCI_HOTPLUG_CARD_NOT_PRESENT,
};
+/*
+ * PCIe TPH sysfs binary entry for CPU-to-ST mapping
+ * Sysfs file: /sys/bus/pci/devices/<BDF>/tph_cpu_st
+ * Each entry is 8 bytes aligned, seek offset = cpu_id * PCI_TPH_CPU_ST_ENTRY_SZ
+ */
+struct pci_tph_cpu_st {
+ __u8 vm_st; /* Volatile Memory Steering Tag (1 byte) */
+ __u8 pm_st; /* Persistent Memory Steering Tag (1 byte) */
+ __u16 vm_xst; /* Volatile Memory Extended Steering Tag (2 bytes) */
+ __u16 pm_xst; /* Persistent Memory Extended Steering Tag (2 bytes) */
+ __u16 reserved; /* Padding to 8 bytes for aligned offset lookup */
+} __packed;
+
+#define PCI_TPH_CPU_ST_ENTRY_SZ sizeof(struct pci_tph_cpu_st)
+
#endif /* _UAPILINUX_PCI_H */
--
2.17.1
^ permalink raw reply related
* [PATCH v18 03/12] PCI/TPH: Cache TPH requester capability at probe time
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Calculate the negotiated TPH requester type from device and root port
capabilities once in pci_tph_init().
Add tph_ext_support flag to cache whether the device is allowed to
issue Extended TPH requests after topology negotiation. If the final
requester type is disabled, clear TPH capability to prevent usage.
Simplify pcie_enable_tph() by using the cached requester capability
instead of recalculating every time.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/pci/tph.c | 43 +++++++++++++++++++++++++------------------
include/linux/pci.h | 4 +++-
2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index bef3a55539c4..951f0a33ff66 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -384,7 +384,6 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
{
u32 reg;
u8 dev_modes;
- u8 rp_req_type;
/* Honor "notph" kernel parameter */
if (pci_tph_disabled)
@@ -404,23 +403,8 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
pdev->tph_mode = mode;
- /* Get req_type supported by device and its Root Port */
- pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CAP, ®);
- if (FIELD_GET(PCI_TPH_CAP_EXT_TPH, reg))
- pdev->tph_req_type = PCI_TPH_REQ_EXT_TPH;
- else
- pdev->tph_req_type = PCI_TPH_REQ_TPH_ONLY;
-
- /* Check if the device is behind a Root Port */
- if (pci_pcie_type(pdev) != PCI_EXP_TYPE_RC_END) {
- rp_req_type = get_rp_completer_type(pdev);
-
- /* Final req_type is the smallest value of two */
- pdev->tph_req_type = min(pdev->tph_req_type, rp_req_type);
- }
-
- if (pdev->tph_req_type == PCI_TPH_REQ_DISABLE)
- return -EINVAL;
+ pdev->tph_req_type = pdev->tph_ext_support ? PCI_TPH_REQ_EXT_TPH :
+ PCI_TPH_REQ_TPH_ONLY;
/* Write them into TPH control register */
pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CTRL, ®);
@@ -510,13 +494,36 @@ void pci_no_tph(void)
void pci_tph_init(struct pci_dev *pdev)
{
+ u8 tph_req_type, rp_req_type;
int num_entries;
u32 save_size;
+ u32 reg = 0;
pdev->tph_cap = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_TPH);
if (!pdev->tph_cap)
return;
+ /* Get req_type supported by device and its Root Port */
+ pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CAP, ®);
+ if (FIELD_GET(PCI_TPH_CAP_EXT_TPH, reg))
+ tph_req_type = PCI_TPH_REQ_EXT_TPH;
+ else
+ tph_req_type = PCI_TPH_REQ_TPH_ONLY;
+
+ /* Check if the device is behind a Root Port */
+ if (pci_pcie_type(pdev) != PCI_EXP_TYPE_RC_END) {
+ rp_req_type = get_rp_completer_type(pdev);
+ /* Final req_type is the smallest value of two */
+ tph_req_type = min(tph_req_type, rp_req_type);
+ }
+
+ if (tph_req_type == PCI_TPH_REQ_DISABLE) {
+ pdev->tph_cap = 0;
+ return;
+ }
+
+ pdev->tph_ext_support = !!(tph_req_type == PCI_TPH_REQ_EXT_TPH);
+
num_entries = pcie_tph_get_st_table_size(pdev);
save_size = sizeof(u32) + num_entries * sizeof(u16);
pci_add_ext_cap_save_buffer(pdev, PCI_EXT_CAP_ID_TPH, save_size);
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 109182658f76..285c0f00882e 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -588,7 +588,9 @@ struct pci_dev {
u8 reset_methods[PCI_NUM_RESET_METHODS]; /* In priority order */
#ifdef CONFIG_PCIE_TPH
- u16 tph_cap:15; /* TPH capability offset */
+ u16 tph_cap:14; /* TPH capability offset */
+ u16 tph_ext_support:1; /* Indicate whether Extended TPH
+ * requester is supported */
u16 tph_enabled:1; /* Whether TPH is enabled */
u8 tph_mode; /* TPH mode */
u8 tph_req_type; /* TPH requester type */
--
2.17.1
^ permalink raw reply related
* [PATCH v18 04/12] PCI/TPH: Refactor pcie_enable_tph & add explicit requester variant
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Refactor pcie_enable_tph implementation: extract core logic into static
internal enable_tph() helper accepting explicit requester type.
- Preserve original pcie_enable_tph() unchanged as auto wrapper; it
auto-selects EXT/standard TPH requester per device capability, existing
bnxt/mlx5 callers require zero modification.
- Add exported pcie_enable_tph_explicit() with bool 'extended' parameter
for explicit STD/EXT selection, used by upcoming VFIO TPH support.
Input validation for EXT_TPH availability is retained inside helper to
reject invalid explicit EXT request if hardware does not support extended
requester.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
drivers/pci/tph.c | 70 ++++++++++++++++++++++++++++-------------
include/linux/pci-tph.h | 4 +++
2 files changed, 53 insertions(+), 21 deletions(-)
diff --git a/drivers/pci/tph.c b/drivers/pci/tph.c
index 951f0a33ff66..51009ac9b379 100644
--- a/drivers/pci/tph.c
+++ b/drivers/pci/tph.c
@@ -364,23 +364,7 @@ void pcie_disable_tph(struct pci_dev *pdev)
}
EXPORT_SYMBOL(pcie_disable_tph);
-/**
- * pcie_enable_tph - Enable TPH support for device using a specific ST mode
- * @pdev: PCI device
- * @mode: ST mode to enable. Current supported modes include:
- *
- * - PCI_TPH_ST_NS_MODE: NO ST Mode
- * - PCI_TPH_ST_IV_MODE: Interrupt Vector Mode
- * - PCI_TPH_ST_DS_MODE: Device Specific Mode
- *
- * Check whether the mode is actually supported by the device before enabling
- * and return an error if not. Additionally determine what types of requests,
- * TPH or extended TPH, can be issued by the device based on its TPH requester
- * capability and the Root Port's completer capability.
- *
- * Return: 0 on success, otherwise negative value (-errno)
- */
-int pcie_enable_tph(struct pci_dev *pdev, int mode)
+static int enable_tph(struct pci_dev *pdev, int mode, u8 req_type)
{
u32 reg;
u8 dev_modes;
@@ -401,10 +385,11 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
if (!((1 << mode) & dev_modes))
return -EINVAL;
- pdev->tph_mode = mode;
+ if (req_type == PCI_TPH_REQ_EXT_TPH && !pdev->tph_ext_support)
+ return -EINVAL;
- pdev->tph_req_type = pdev->tph_ext_support ? PCI_TPH_REQ_EXT_TPH :
- PCI_TPH_REQ_TPH_ONLY;
+ pdev->tph_mode = mode;
+ pdev->tph_req_type = req_type;
/* Write them into TPH control register */
pci_read_config_dword(pdev, pdev->tph_cap + PCI_TPH_CTRL, ®);
@@ -413,7 +398,7 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
reg |= FIELD_PREP(PCI_TPH_CTRL_MODE_SEL_MASK, pdev->tph_mode);
reg &= ~PCI_TPH_CTRL_REQ_EN_MASK;
- reg |= FIELD_PREP(PCI_TPH_CTRL_REQ_EN_MASK, pdev->tph_req_type);
+ reg |= FIELD_PREP(PCI_TPH_CTRL_REQ_EN_MASK, req_type);
pci_write_config_dword(pdev, pdev->tph_cap + PCI_TPH_CTRL, reg);
@@ -421,8 +406,51 @@ int pcie_enable_tph(struct pci_dev *pdev, int mode)
return 0;
}
+
+/**
+ * pcie_enable_tph - Enable TPH support for device using a specific ST mode
+ * @pdev: PCI device
+ * @mode: ST mode to enable. Current supported modes include:
+ *
+ * - PCI_TPH_ST_NS_MODE: NO ST Mode
+ * - PCI_TPH_ST_IV_MODE: Interrupt Vector Mode
+ * - PCI_TPH_ST_DS_MODE: Device Specific Mode
+ *
+ * Check whether the mode is actually supported by the device before enabling
+ * and return an error if not. Additionally determine what types of requests,
+ * TPH or extended TPH, can be issued by the device based on its TPH requester
+ * capability and the Root Port's completer capability.
+ *
+ * Return: 0 on success, otherwise negative value (-errno)
+ */
+int pcie_enable_tph(struct pci_dev *pdev, int mode)
+{
+ u8 req_type = pdev->tph_ext_support ? PCI_TPH_REQ_EXT_TPH :
+ PCI_TPH_REQ_TPH_ONLY;
+ return enable_tph(pdev, mode, req_type);
+}
EXPORT_SYMBOL(pcie_enable_tph);
+/**
+ * pcie_enable_tph_explicit - Enable TPH with explicit requester selection
+ * @pdev: PCI device to operate
+ * @mode: ST table operating mode (NS/IV/DS)
+ * @extended: true = EXT_TPH, false = standard TPH only
+ *
+ * Unlike auto-detecting pcie_enable_tph(), caller selects requester type
+ * manually instead of hardware auto-selection. Rejects EXT_TPH request
+ * if device lacks extended requester capability.
+ *
+ * Return: 0 on success, negative errno on failure.
+ */
+int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended)
+{
+ u8 req_type = extended ? PCI_TPH_REQ_EXT_TPH : PCI_TPH_REQ_TPH_ONLY;
+
+ return enable_tph(pdev, mode, req_type);
+}
+EXPORT_SYMBOL(pcie_enable_tph_explicit);
+
void pci_restore_tph_state(struct pci_dev *pdev)
{
struct pci_cap_saved_state *save_state;
diff --git a/include/linux/pci-tph.h b/include/linux/pci-tph.h
index 6f02b020d7d7..ca0faa98afac 100644
--- a/include/linux/pci-tph.h
+++ b/include/linux/pci-tph.h
@@ -29,6 +29,7 @@ int pcie_tph_get_cpu_st(struct pci_dev *dev,
unsigned int cpu, u16 *tag);
void pcie_disable_tph(struct pci_dev *pdev);
int pcie_enable_tph(struct pci_dev *pdev, int mode);
+int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode, bool extended);
u16 pcie_tph_get_st_table_size(struct pci_dev *pdev);
u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev);
#else
@@ -42,6 +43,9 @@ static inline int pcie_tph_get_cpu_st(struct pci_dev *dev,
static inline void pcie_disable_tph(struct pci_dev *pdev) { }
static inline int pcie_enable_tph(struct pci_dev *pdev, int mode)
{ return -EINVAL; }
+static inline int pcie_enable_tph_explicit(struct pci_dev *pdev, int mode,
+ bool extended)
+{ return -EINVAL; }
static inline u16 pcie_tph_get_st_table_size(struct pci_dev *pdev)
{ return 0; }
static inline u32 pcie_tph_get_st_table_loc(struct pci_dev *pdev)
--
2.17.1
^ permalink raw reply related
* [PATCH v18 02/12] PCI/TPH: Fix tph_enabled concurrent update race by bitfield packing
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
In-Reply-To: <20260622074523.38473-1-fengchengwen@huawei.com>
Split tph_enabled from shared pci_dev bitfield into spare bit of tph_cap's
u16: tph_cap is immutable post-enumeration (15 bits for offset), remaining
1 bit stores tph_enabled. Removes cross-bitfield concurrent write hazards
highlighted by Sashiko after VFIO TPH exposure. No functional changes.
Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
---
include/linux/pci.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 2c4454583c11..109182658f76 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -471,7 +471,6 @@ struct pci_dev {
unsigned int ats_enabled:1; /* Address Translation Svc */
unsigned int pasid_enabled:1; /* Process Address Space ID */
unsigned int pri_enabled:1; /* Page Request Interface */
- unsigned int tph_enabled:1; /* TLP Processing Hints */
unsigned int fm_enabled:1; /* Flit Mode (segment captured) */
unsigned int is_managed:1; /* Managed via devres */
unsigned int is_msi_managed:1; /* MSI release via devres installed */
@@ -589,7 +588,8 @@ struct pci_dev {
u8 reset_methods[PCI_NUM_RESET_METHODS]; /* In priority order */
#ifdef CONFIG_PCIE_TPH
- u16 tph_cap; /* TPH capability offset */
+ u16 tph_cap:15; /* TPH capability offset */
+ u16 tph_enabled:1; /* Whether TPH is enabled */
u8 tph_mode; /* TPH mode */
u8 tph_req_type; /* TPH requester type */
#endif
--
2.17.1
^ permalink raw reply related
* [PATCH v18 00/12] vfio/pci: Add PCIe TPH support
From: Chengwen Feng @ 2026-06-22 7:45 UTC (permalink / raw)
To: alex, jgg, helgaas
Cc: wathsala.vithanage, wei.huang2, zhipingz, wangzhou1, wangyushan12,
liuyonglong, kvm, linux-pci
This patchset enables full userspace configurable PCIe TPH support for
VFIO, which brings performance benefits for userspace workloads such as
DPDK and SPDK.
Currently VFIO only exposes read-only TPH capability registers to
userspace, while all write operations are silently discarded. This
prevents userspace from enabling and configuring TPH, limiting performance
optimization opportunities.
Per PCIe spec 7.5.3.15: TPH Completer support is applicable to Root Ports
and Endpoints, allowing Steering Tags to target host CPUs or peer devices
for P2P transactions.
TPH usage model can be divided into three fundamental parts:
1. Retrieve Steering Tag:
- Tags targeting host CPUs are obtained via platform methods (ACPI _DSM)
wrapped in pcie_tph_get_cpu_st(). Userspace requires a generic
interface to query these CPU-associated ST values.
- Tags targeting peer devices are managed by userspace drivers.
2. Program Steering Tag table:
- For devices with standard ST table structures (in capability space or
MSI-X table), userspace needs a unified interface to configure ST
entries.
- Devices without standard ST tables are handled by userspace itself.
3. Toggle device TPH Requester enable/disable state.
To support the above scenarios, this series extends PCI and VFIO with
complete TPH virtualization features:
- [*PCI*] Support sysfs binary file [under root-port which support TPH
completor and _DSM] to export CPU to steering-tag mapping, so that
userspace could retrieve CPU's ST by read.
- [*VFIO*] New device feature TPH_ST_CONFIG: Batch configure interface for
device ST table entries, with shadow cache and atomic rollback support.
- [*VFIO*] Full TPH capability register virtualization: allow userspace to
toggle TPH Requester state via TPH_CTRL register writes.
To guarantee isolation and security, this patchset adopts a two-level
safety gate design with careful ABI considerations:
1. Global unsafe gate:
TPH caching behavior may cross isolation domains and impact shared
platform resources. A new module parameter `enable_unsafe_tph` is
introduced (default off) to globally gate all VFIO TPH functionalities.
2. Per-device opt-in gate:
To preserve strict ABI compatibility and avoid unexpected hardware
state changes for existing users, a new VFIO device feature TPH_ENABLE
is added. TPH capabilities are only available after userspace explicitly
enables it per-device.
Because Kernel PCI TPH implementation requires TPH Requester to be enabled
before programming ST entries. To support userspace configuring ST table
in arbitrary order, a shadow ST table is introduced to buffer ST writes
before TPH is enabled. All cached entries are flushed to hardware when
TPH Requester turns on. This also provides atomic batch rollback capability
for reliable configuration.
The patchset is split into two logical parts: the first eight patches fix
and refactor core PCI/TPH kernel code to export required helper interfaces
and CPU to ST mapping, the remaining four patches implement corresponding
VFIO TPH virtualization layer step by step.
Based on earlier RFC work by Wathsala Vithanage
---
v18:
- Address all comments of [08/12] commit from Alex
- Add document in sysfs-bus-pci
- Place the new field at the root port
- Add new filed only when root port support TPH completer and _DSM
method
- Support random offset read, return zero if cpu is offline
- Zero-initialize the buffer rather than memset and reserved = 0
- Fix git am fail for [10/12] commit
- Fix folloing Sashiko review comments of [11/12] commit:
- Add __GFP_ACCOUNT in thp_st_shadow allocation
- Move reset tph_permit in vfio_pci_tph_init/deinit
- Refine feature PROBE for `TPH_ST_CONFIG`, make sure probe OK when
enable_unsafe_tph is set
- Add commit-log about why TPH ST shadow table is not cleared when the
VFIO device is reset
-
v17:
- Move retrieve CPU to ST mapping logic from VFIO to PCI subsystem
- Remove tph_lock which seemed not use
- Fix Sashiko review comment of v16:
- tph_permit is bit field which has concurrent problem
- Fix tph_permit not reset when re-open device
- TPH capability virtualization write has concurrent, don't rollback
original value problems.
- Missing virtualization of TPH Capability Header leaks the physical
Next Capability Pointer to the guest
Chengwen Feng (11):
PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction
PCI/TPH: Fix tph_enabled concurrent update race by bitfield packing
PCI/TPH: Cache TPH requester capability at probe time
PCI/TPH: Refactor pcie_enable_tph & add explicit requester variant
PCI/TPH: Refactor pcie_tph_get_cpu_st & add explicit variant
PCI/TPH: Add pcie_tph_supported() helper to check TPH capability
attributes
PCI/TPH: Add sysfs binary file to export CPU to steering-tag mapping
vfio/pci: Hide TPH capability when TPH is unsupported
vfio/pci: Add TPH_ENABLE feature skeleton and unsafe module parameter
vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration
vfio/pci: Virtualize PCIe TPH capability registers
Zhiping Zhang (1):
PCI/TPH: Expose the enabled TPH requester type
Documentation/ABI/testing/sysfs-bus-pci | 24 ++
drivers/pci/pci-sysfs.c | 3 +
drivers/pci/pci.h | 4 +
drivers/pci/tph.c | 363 +++++++++++++++++++-----
drivers/vfio/pci/vfio_pci.c | 13 +-
drivers/vfio/pci/vfio_pci_config.c | 120 ++++++++
drivers/vfio/pci/vfio_pci_core.c | 157 +++++++++-
include/linux/pci-tph.h | 22 ++
include/linux/pci.h | 6 +-
include/linux/vfio_pci_core.h | 6 +-
include/uapi/linux/pci.h | 16 ++
include/uapi/linux/vfio.h | 29 ++
12 files changed, 685 insertions(+), 78 deletions(-)
--
2.17.1
^ permalink raw reply
* Re: [PATCH v8 23/46] KVM: TDX: Make source page optional for KVM_TDX_INIT_MEM_REGION
From: Yan Zhao @ 2026-06-22 6:57 UTC (permalink / raw)
To: ackerleytng
Cc: aik, andrew.jones, binbin.wu, brauner, chao.p.peng, david,
jmattson, jthoughton, michael.roth, oupton, pankaj.gupta, qperret,
rick.p.edgecombe, rientjes, shivankg, steven.price, tabba, willy,
wyihan, forkloop, pratyush, suzuki.poulose, aneesh.kumar, liam,
Paolo Bonzini, Sean Christopherson, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, x86, H. Peter Anvin, Steven Rostedt,
Masami Hiramatsu, Mathieu Desnoyers, Jonathan Corbet, Shuah Khan,
Shuah Khan, Vishal Annapurve, Andrew Morton, Chris Li,
Kairui Song, Kemeng Shi, Nhat Pham, Barry Song, Axel Rasmussen,
Yuanchu Xie, Wei Xu, Youngjun Park, Qi Zheng, Shakeel Butt,
Kiryl Shutsemau, Baoquan He, Jason Gunthorpe, Vlastimil Babka,
kvm, linux-kernel, linux-trace-kernel, linux-doc, linux-kselftest,
linux-mm, linux-coco
In-Reply-To: <20260618-gmem-inplace-conversion-v8-23-9d2959357853@google.com>
On Thu, Jun 18, 2026 at 05:32:00PM -0700, Ackerley Tng via B4 Relay wrote:
> From: Ackerley Tng <ackerleytng@google.com>
>
> Update tdx_gmem_post_populate() to handle cases where a source page is
> not explicitly provided. Instead of returning -EOPNOTSUPP when src_page
> is NULL, default to using the page associated with the destination PFN.
>
> This change allows for in-place memory conversion where the data is
> already present in the target PFN, ensuring the TDX module has a valid
> source page reference for the TDH.MEM.PAGE.ADD operation.
>
> Signed-off-by: Ackerley Tng <ackerleytng@google.com>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
> Documentation/virt/kvm/x86/intel-tdx.rst | 4 ++++
> arch/x86/kvm/vmx/tdx.c | 11 ++++++++---
> 2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/virt/kvm/x86/intel-tdx.rst b/Documentation/virt/kvm/x86/intel-tdx.rst
> index 6a222e9d09541..74357fe87f9ec 100644
> --- a/Documentation/virt/kvm/x86/intel-tdx.rst
> +++ b/Documentation/virt/kvm/x86/intel-tdx.rst
> @@ -158,6 +158,10 @@ KVM_TDX_INIT_MEM_REGION
> Initialize @nr_pages TDX guest private memory starting from @gpa with userspace
> provided data from @source_addr. @source_addr must be PAGE_SIZE-aligned.
>
> +If guest_memfd in-place conversion is enabled, pass NULL for @source_addr to
> +initialize the memory region using memory contents already populated in
> +guest_memfd memory.
> +
> Note, before calling this sub command, memory attribute of the range
> [gpa, gpa + nr_pages] needs to be private. Userspace can use
> KVM_SET_MEMORY_ATTRIBUTES to set the attribute.
> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> index ffe9d0db58c59..56d10333c61a7 100644
> --- a/arch/x86/kvm/vmx/tdx.c
> +++ b/arch/x86/kvm/vmx/tdx.c
> @@ -3198,8 +3198,12 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
> if (KVM_BUG_ON(kvm_tdx->page_add_src, kvm))
> return -EIO;
>
> - if (!src_page)
> - return -EOPNOTSUPP;
> + if (!src_page) {
> + if (!gmem_in_place_conversion)
When userspace turns on gmem_in_place_conversion while creating guest_memfd
without the MMAP flag, the absence of src_page should still be treated as an
error.
Additionally, to properly enable in-place copying for the TDX initial memory
region, userspace must not only specify source_addr to NULL, but also follow
a specific sequence (where steps 1/2/3/7 are required only for in-place copy):
1. create guest_memfd with MMAP flag
2. mmap the guest_memfd.
3. convert the initial memory range to shared.
4. copy initial content to the source page.
5. convert the initial memory range to private
6. invoke ioctl KVM_TDX_INIT_MEM_REGION.
7. do not unmap the source backend.
So, would it be reasonable to introduce a dedicated flag that allows userspace
to explicitly opt into the in-place copy functionality? e.g.,
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index 1585ec804066..d047a6efc728 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -1043,6 +1043,9 @@ struct kvm_tdx_init_vm {
};
#define KVM_TDX_MEASURE_MEMORY_REGION _BITULL(0)
+#define KVM_TDX_IN_PLACE_COPY_INITIAL_MEMORY_REGION _BITULL(1)
+#define KVM_TDX_INIT_MEM_VALID_FLAGS (KVM_TDX_MEASURE_MEMORY_REGION | \
+ KVM_TDX_IN_PLACE_COPY_INITIAL_MEMORY_REGION)
struct kvm_tdx_init_mem_region {
__u64 source_addr;
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index 56d10333c61a..6072b38ceb37 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -3190,6 +3190,7 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
struct page *src_page, void *_arg)
{
struct tdx_gmem_post_populate_arg *arg = _arg;
+ bool in_place_copy = arg->flags & KVM_TDX_IN_PLACE_COPY_INITIAL_MEMORY_REGION;
struct kvm_tdx *kvm_tdx = to_kvm_tdx(kvm);
u64 err, entry, level_state;
gpa_t gpa = gfn_to_gpa(gfn);
@@ -3199,7 +3200,7 @@ static int tdx_gmem_post_populate(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
return -EIO;
if (!src_page) {
- if (!gmem_in_place_conversion)
+ if (!in_place_copy)
return -EOPNOTSUPP;
src_page = pfn_to_page(pfn);
@@ -3245,7 +3246,7 @@ static int tdx_vcpu_init_mem_region(struct kvm_vcpu *vcpu, struct kvm_tdx_cmd *c
if (kvm_tdx->state == TD_STATE_RUNNABLE)
return -EINVAL;
- if (cmd->flags & ~KVM_TDX_MEASURE_MEMORY_REGION)
+ if (cmd->flags & ~KVM_TDX_INIT_MEM_VALID_FLAGS)
return -EINVAL;
> + return -EOPNOTSUPP;
> +
> + src_page = pfn_to_page(pfn);
> + }
>
> kvm_tdx->page_add_src = src_page;
> ret = kvm_tdp_mmu_map_private_pfn(arg->vcpu, gfn, pfn);
> @@ -3278,7 +3282,8 @@ static int tdx_vcpu_init_mem_region(struct kvm_vcpu *vcpu, struct kvm_tdx_cmd *c
> break;
> }
>
> - region.source_addr += PAGE_SIZE;
> + if (region.source_addr)
> + region.source_addr += PAGE_SIZE;
> region.gpa += PAGE_SIZE;
> region.nr_pages--;
>
>
> --
> 2.55.0.rc0.738.g0c8ab3ebcc-goog
>
>
^ permalink raw reply related
* Re: [RFC PATCH v2 0/4] KVM: x86: TDX: Validate directly configurable CPUID bits
From: Binbin Wu @ 2026-06-22 6:32 UTC (permalink / raw)
To: seanjc
Cc: kvm, linux-kernel, pbonzini, rick.p.edgecombe, xiaoyao.li,
chao.gao, kai.huang
In-Reply-To: <20260604023314.3907511-1-binbin.wu@linux.intel.com>
On 6/4/2026 10:33 AM, Binbin Wu wrote:
> Hi,
>
> A host state clobbering feature on new TDX modules/platforms can lead
> to host state corruption if KVM does not explicitly save and restore
> the related MSR(s) during host/guest transitions. If such a feature is
> blindly exposed to and used by TDs, it will result in unexpected behavior
> on the host.
>
> The v1 RFC [1] attempted to solve this by introducing a comprehensive
> CPUID paranoid verification framework across VMX, SVM, and TDX. However,
> as Sean pointed out in [2] and the discussion in the PUCK meeting, this
> approach was overly complex and bled too many TDX-specific details into
> common KVM code, creating an unnecessary maintenance burden.
>
> This v2 takes a significantly simpler, TDX-contained approach. It strictly
> validates only the TDX directly configurable CPUID bits—those reported by
> the TDX module in CPUID_CONFIG fields that the VMM can configure for a TD.
> This is sufficient to address the host clobbering issue, as no new host
> state clobbering features will be fixed-1. All filtering and validation
> logic is entirely isolated within TDX code.
>
> Feedback is highly appreciated, particularly on whether this contained
> approach strikes an acceptable balance regarding complexity.
Hi Sean,
Do you think this proposal is the direction to go?
>
> Specifically, this series builds a KVM-side allowlist of supported TDX
> directly configurable CPUID bits to:
> - Filter KVM_TDX_CAPABILITIES:
> Replace the hardcoded denylist to only report configurable bits that
> KVM explicitly supports.
> - Validate KVM_TDX_INIT_VM:
> Reject any configurable bit that the TDX module allows but KVM does
> not yet support.
>
> With this allowlist, newly added TDX configurable CPUID bits will not be
> exposed to userspace until KVM explicitly opts-in after fulfilling the
> necessary virtualization requirements.
>
> Open:
> - This series doesn't implement validation for KVM_SET_CPUID2.
> TDX has two interfaces for userspace to set CPUID bits: KVM_TDX_INIT_VM
> and KVM_SET_CPUID2. A malicious userspace VMM could lie to KVM through
> KVM_SET_CPUID2 by setting a TDX directly configurable CPUID bit to a
> different value than what it set via KVM_TDX_INIT_VM. KVM does not
> currently use its own view of vCPU capabilities to manage host clobbering
> features for TDs. The consistency check is not a must have action so
> far. It could be added later if KVM really relies on its own view
> to make decisions to manage host clobbering features for TDX.
>
> Changes from v1:
> - Dropped the overarching CPUID paranoid verification framework across
> VMX/SVM/TDX and the opt-in interface. (Sean)
> - Shifted focus entirely to isolating and validating TDX directly
> configurable CPUID bits.
>
> [1] https://lore.kernel.org/kvm/20260417073610.3246316-1-binbin.wu@linux.intel.com/
> [2] https://lore.kernel.org/kvm/agsiQGikhZA0CGTY@google.com/
>
> Binbin Wu (4):
> KVM: x86: TDX: Track supported configurable CPUID bits
> KVM: x86: TDX: Hide unsupported configurable CPUID bits
> KVM: x86: TDX: Validate userspace CPUID input for KVM_TDX_INIT_VM
> KVM: x86: TDX: Report CORE_CAPABILITIES as supported
>
> arch/x86/kvm/vmx/tdx.c | 251 +++++++++++++++++++++++++++++++++++------
> 1 file changed, 214 insertions(+), 37 deletions(-)
>
>
> base-commit: d4bfaa66fa171089b9b9fb2dc17af9245f2b9b34
^ permalink raw reply
* Re: [PATCH v3 13/18] iommu/vt-d: preserve PASID table of preserved device
From: Baolu Lu @ 2026-06-22 6:01 UTC (permalink / raw)
To: Samiullah Khawaja, David Woodhouse, Joerg Roedel, Will Deacon,
Jason Gunthorpe
Cc: Robin Murphy, Kevin Tian, Alex Williamson, Shuah Khan, iommu,
linux-kernel, kvm, Pratyush Yadav, Pasha Tatashin, David Matlack,
Andrew Morton, Pranjal Shrivastava, Vipin Sharma
In-Reply-To: <20260614233728.2212104-14-skhawaja@google.com>
On 6/15/26 07:37, Samiullah Khawaja wrote:
> diff --git a/drivers/iommu/intel/pasid.c b/drivers/iommu/intel/pasid.c
> index 89541b74ab8c..5cac8e95f73b 100644
> --- a/drivers/iommu/intel/pasid.c
> +++ b/drivers/iommu/intel/pasid.c
> @@ -60,8 +60,11 @@ int intel_pasid_alloc_table(struct device *dev)
>
> size = max_pasid >> (PASID_PDE_SHIFT - 3);
> order = size ? get_order(size) : 0;
> - dir = iommu_alloc_pages_node_sz(info->iommu->node, GFP_KERNEL,
> - 1 << (order + PAGE_SHIFT));
> +
> + dir = intel_pasid_try_restore_table(dev, 1 << (order + PAGE_SHIFT + 3));
> + if (!dir)
> + dir = iommu_alloc_pages_node_sz(info->iommu->node, GFP_KERNEL,
> + 1 << (order + PAGE_SHIFT));
> if (!dir) {
> kfree(pasid_table);
> return -ENOMEM;
This reads as if PASID table restoration fails, it tries to allocate a
native PASID table instead. This doesn't match my understanding. It
would be a disaster, and the system should panic if the table
restoration fails. Or is there something I'm overlooking?
Thanks,
baolu
^ permalink raw reply
* Re: [PATCH v3 12/18] iommu/vt-d: Handle reattach of the restored domain
From: Baolu Lu @ 2026-06-22 5:44 UTC (permalink / raw)
To: Samiullah Khawaja, David Woodhouse, Joerg Roedel, Will Deacon,
Jason Gunthorpe
Cc: Robin Murphy, Kevin Tian, Alex Williamson, Shuah Khan, iommu,
linux-kernel, kvm, Pratyush Yadav, Pasha Tatashin, David Matlack,
Andrew Morton, Pranjal Shrivastava, Vipin Sharma
In-Reply-To: <20260614233728.2212104-13-skhawaja@google.com>
On 6/15/26 07:37, Samiullah Khawaja wrote:
> Reattach the restored domain to the preserved device using restored
> domain ID. While reattaching do not setup the context and PASID entries
> as those are preserved during liveupdate.
>
> Signed-off-by: Samiullah Khawaja<skhawaja@google.com>
> ---
> drivers/iommu/intel/iommu.c | 46 ++++++++++---
> drivers/iommu/intel/iommu.h | 17 +++++
> drivers/iommu/intel/liveupdate.c | 111 +++++++++++++++++++++++++++++++
> 3 files changed, 163 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index cd40e274482b..91b67ccba011 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -1311,10 +1311,16 @@ static int dmar_domain_attach_device(struct dmar_domain *domain,
> {
> struct device_domain_info *info = dev_iommu_priv_get(dev);
> struct intel_iommu *iommu = info->iommu;
> + struct iommu_device_ser *device_ser;
> unsigned long flags;
> int ret;
>
> - ret = domain_attach_iommu(domain, iommu);
> + device_ser = dev_iommu_restored_state(dev);
> + if (!device_ser)
> + ret = domain_attach_iommu(domain, iommu);
> + else
> + ret = intel_iommu_domain_reattach_iommu(domain,
> + iommu, device_ser);
> if (ret)
> return ret;
>
> @@ -1327,16 +1333,20 @@ static int dmar_domain_attach_device(struct dmar_domain *domain,
> if (dev_is_real_dma_subdevice(dev))
> return 0;
>
> - if (!sm_supported(iommu))
> - ret = domain_context_mapping(domain, dev);
> - else if (intel_domain_is_fs_paging(domain))
> - ret = domain_setup_first_level(iommu, domain, dev,
> - IOMMU_NO_PASID, NULL);
> - else if (intel_domain_is_ss_paging(domain))
> - ret = domain_setup_second_level(iommu, domain, dev,
> - IOMMU_NO_PASID, NULL);
> - else if (WARN_ON(true))
> - ret = -EINVAL;
> + if (!device_ser) {
> + if (!sm_supported(iommu))
> + ret = domain_context_mapping(domain, dev);
> + else if (intel_domain_is_fs_paging(domain))
> + ret = domain_setup_first_level(iommu, domain, dev,
> + IOMMU_NO_PASID, NULL);
> + else if (intel_domain_is_ss_paging(domain))
> + ret = domain_setup_second_level(iommu, domain, dev,
> + IOMMU_NO_PASID, NULL);
> + else if (WARN_ON(true))
> + ret = -EINVAL;
> + } else if (!sm_supported(iommu)) {
> + iommu_enable_pci_ats(info);
> + }
Instead of merging domain restoration into the attach_dev path, how
about adding a new callback to restore a preserved domain for a device?
Something like:
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index b2f614367074..e61409f2d9fc 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -748,6 +748,8 @@ struct iommu_ops {
* * <others> - treated as ENODEV by the caller. Use is discouraged
* @set_dev_pasid: set or replace an iommu domain to a pasid of
device. The pasid of
* the device should be left in the old config in
error case.
+ * @restore_dev: Set a domain that is restored from the previous
live-updated
+ * kernel to a device.
* @map_pages: map a physically contiguous set of pages of the same
size to
* an iommu domain.
* @unmap_pages: unmap a number of pages of the same size from an
iommu domain
@@ -772,6 +774,9 @@ struct iommu_ops {
struct iommu_domain_ops {
int (*attach_dev)(struct iommu_domain *domain, struct device *dev,
struct iommu_domain *old);
+#ifdef CONFIG_IOMMU_LIVEUPDATE
+ int (*restore_dev)(struct iommu_domain *domain, struct device *dev);
+#endif
int (*set_dev_pasid)(struct iommu_domain *domain, struct device
*dev,
ioasid_t pasid, struct iommu_domain *old);
Thanks,
baolu
^ permalink raw reply related
* Re: [PATCH v8 24/46] KVM: guest_memfd: Make in-place conversion the default
From: Yan Zhao @ 2026-06-22 4:53 UTC (permalink / raw)
To: ackerleytng
Cc: aik, andrew.jones, binbin.wu, brauner, chao.p.peng, david,
jmattson, jthoughton, michael.roth, oupton, pankaj.gupta, qperret,
rick.p.edgecombe, rientjes, shivankg, steven.price, tabba, willy,
wyihan, forkloop, pratyush, suzuki.poulose, aneesh.kumar, liam,
Paolo Bonzini, Sean Christopherson, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Dave Hansen, x86, H. Peter Anvin, Steven Rostedt,
Masami Hiramatsu, Mathieu Desnoyers, Jonathan Corbet, Shuah Khan,
Shuah Khan, Vishal Annapurve, Andrew Morton, Chris Li,
Kairui Song, Kemeng Shi, Nhat Pham, Barry Song, Axel Rasmussen,
Yuanchu Xie, Wei Xu, Youngjun Park, Qi Zheng, Shakeel Butt,
Kiryl Shutsemau, Baoquan He, Jason Gunthorpe, Vlastimil Babka,
kvm, linux-kernel, linux-trace-kernel, linux-doc, linux-kselftest,
linux-mm, linux-coco
In-Reply-To: <20260618-gmem-inplace-conversion-v8-24-9d2959357853@google.com>
On Thu, Jun 18, 2026 at 05:32:01PM -0700, Ackerley Tng via B4 Relay wrote:
> From: Ackerley Tng <ackerleytng@google.com>
>
> Make in-place conversion the default if the arch has private mem.
>
> The default can be overridden at compile type by enabling
> CONFIG_KVM_VM_MEMORY_ATTRIBUTES, or at KVM load time through a module
> parameter.
>
> In-place conversion also implies tracking a guest's private/shared state in
> guest_memfd. To avoid inconsistencies in the way memory attributes are
> tracked between the per-VM or by guest_memfd, make the module_param
> read-only (0444).
>
> Document that using per-VM attributes for tracking private/shared state of
> guest memory is deprecated in favor of tracking in guest_memfd.
>
> Warn if the admin sets gmem_in_place_conversion as false when
> CONFIG_KVM_VM_MEMORY_ATTRIBUTES is not enabled. Add warning in the code
> path where guest memory is populated for a CoCo VM, since that's the
> earliest point in a CoCo VM's lifecycle where memory attributes are
> queried. Unlike other query sites, this site is exclusively used by CoCo
> VMs.
>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
> arch/x86/kvm/Kconfig | 7 ++++++-
> virt/kvm/guest_memfd.c | 5 +++++
> virt/kvm/kvm_main.c | 3 ++-
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
> index c28393dc664eb..a3c189d765150 100644
> --- a/arch/x86/kvm/Kconfig
> +++ b/arch/x86/kvm/Kconfig
> @@ -85,7 +85,12 @@ config KVM_VM_MEMORY_ATTRIBUTES
> bool "Enable per-VM PRIVATE vs. SHARED attributes (for CoCo VMs)"
> help
> Enable support for tracking PRIVATE vs. SHARED memory using per-VM
> - memory attributes.
> + memory attributes. Using per-VM attributes are deprecated in favor
> + of tracking PRIVATE state in guest_memfd. Select this if you need
> + to run CoCo VMs using a VMM that doesn't support guest_memfd memory
> + attributes.
> +
> + If unsure, say N.
>
> config KVM_SW_PROTECTED_VM
> bool "Enable support for KVM software-protected VMs"
> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> index 86c9f5b0863cb..5cb73543c03c8 100644
> --- a/virt/kvm/guest_memfd.c
> +++ b/virt/kvm/guest_memfd.c
> @@ -1193,10 +1193,15 @@ static bool kvm_gmem_range_is_private(struct file *file, pgoff_t index,
> {
> struct maple_tree *mt = &GMEM_I(file_inode(file))->attributes;
>
> +#ifdef CONFIG_KVM_VM_MEMORY_ATTRIBUTES
> if (!gmem_in_place_conversion)
> return kvm_range_has_vm_memory_attributes(kvm, gfn, gfn + nr_pages,
> KVM_MEMORY_ATTRIBUTE_PRIVATE,
> KVM_MEMORY_ATTRIBUTE_PRIVATE);
> +#else
> + if (WARN_ON_ONCE(!gmem_in_place_conversion))
> + return false;
> +#endif
>
> return kvm_gmem_range_has_attributes(mt, index, nr_pages,
> KVM_MEMORY_ATTRIBUTE_PRIVATE);
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index dd1d18a1d2f68..46e92b5dc3804 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -102,7 +102,8 @@ static bool __ro_after_init allow_unsafe_mappings;
> module_param(allow_unsafe_mappings, bool, 0444);
>
> #ifdef kvm_arch_has_private_mem
> -bool __ro_after_init gmem_in_place_conversion = false;
> +bool __ro_after_init gmem_in_place_conversion = !IS_ENABLED(CONFIG_KVM_VM_MEMORY_ATTRIBUTES);
> +module_param(gmem_in_place_conversion, bool, 0444);
With gmem_in_place_conversion=true, userspace can create guest_memfd without the
MMAP flag. In such cases, shared memory is allocated from different backends.
This means this module parameter only enables per-gmem memory attribute and does
not guarantee that gmem in-place conversion will actually occur.
To avoid confusion, could we rename this module parameter to something more
accurate, such as gmem_memory_attribute?
> EXPORT_SYMBOL_FOR_KVM_INTERNAL(gmem_in_place_conversion);
> #endif
>
>
> --
> 2.55.0.rc0.738.g0c8ab3ebcc-goog
>
>
^ permalink raw reply
* Re: [PATCH v3 10/18] iommu/vt-d: Restore IOMMU state and reclaimed domain ids
From: Baolu Lu @ 2026-06-22 5:14 UTC (permalink / raw)
To: Samiullah Khawaja, David Woodhouse, Joerg Roedel, Will Deacon,
Jason Gunthorpe
Cc: Robin Murphy, Kevin Tian, Alex Williamson, Shuah Khan, iommu,
linux-kernel, kvm, Pratyush Yadav, Pasha Tatashin, David Matlack,
Andrew Morton, Pranjal Shrivastava, Vipin Sharma
In-Reply-To: <20260614233728.2212104-11-skhawaja@google.com>
On 6/15/26 07:37, Samiullah Khawaja wrote:
> During boot fetch the preserved state of IOMMU unit and if found then
> restore the state.
>
> - Reuse the root_table that was preserved in the previous kernel.
> - Reclaim the domain ids of the preserved domains for each preserved
> devices so these are not acquired by another domain.
>
> Signed-off-by: Samiullah Khawaja<skhawaja@google.com>
> ---
> drivers/iommu/intel/iommu.c | 87 +++++++++++++++++++++++---------
> drivers/iommu/intel/iommu.h | 7 +++
> drivers/iommu/intel/liveupdate.c | 60 ++++++++++++++++++++++
> 3 files changed, 130 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
> index 26258861e3bf..cd40e274482b 100644
> --- a/drivers/iommu/intel/iommu.c
> +++ b/drivers/iommu/intel/iommu.c
> @@ -990,15 +990,16 @@ static void disable_dmar_iommu(struct intel_iommu *iommu)
> iommu_disable_translation(iommu);
> }
>
> -static void free_dmar_iommu(struct intel_iommu *iommu)
> +static void free_dmar_iommu(struct intel_iommu *iommu, struct iommu_hw_ser *iommu_ser)
> {
> if (iommu->copied_tables) {
> bitmap_free(iommu->copied_tables);
> iommu->copied_tables = NULL;
> }
>
> - /* free context mapping */
> - free_context_table(iommu);
> + /* free context mapping if there is no serialized state. */
> + if (!iommu_ser)
> + free_context_table(iommu);
>
> if (ecap_prs(iommu->ecap))
> intel_iommu_finish_prq(iommu);
disable_dmar_iommu() and free_dmar_iommu() are always paired in the
code. How about merging them into a single helper that is aware of iommu
preservation? Something like the following?
static void release_dmar_iommu(struct intel_iommu *iommu)
{
struct iommu_hw_ser *iommu_ser =
iommu_get_preserved_data(iommu->reg_phys,
IOMMU_INTEL);
/*
* All iommu domains must have been detached from the devices,
* hence there should be no domain IDs in use.
*/
if (WARN_ON(!ida_is_empty(&iommu->domain_ida)))
return;
if ((iommu->gcmd & DMA_GCMD_TE) && !iommu_ser)
iommu_disable_translation(iommu);
if (iommu->copied_tables) {
bitmap_free(iommu->copied_tables);
iommu->copied_tables = NULL;
}
/* free context mapping if there is no serialized state. */
if (!iommu_ser)
free_context_table(iommu);
if (ecap_prs(iommu->ecap))
intel_iommu_finish_prq(iommu);
}
Thanks,
baolu
^ permalink raw reply
* Re: [PATCH v2 06/16] riscv: cfi: Use generated instruction headers
From: sashiko-bot @ 2026-06-22 4:35 UTC (permalink / raw)
To: Charlie Jenkins via B4 Relay; +Cc: kvm
In-Reply-To: <20260621-riscv_insn_table-v2-6-7f0810ee2274@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Critical] Incorrect target address calculation for auipc+jalr pairs during alternative patching.
Pre-existing issues:
- [High] KCFI failure handler extracts the actual type instead of the expected type, leading to a misleading log and a potential arbitrary kernel memory leak.
--
commit fc627870b9c3f0a09b99b862169f28fa7f3bcda2
Author: Charlie Jenkins <thecharlesjenkins@gmail.com>
riscv: cfi: Use generated instruction headers
Migrate the code that is decoding cfi instructions to use the generated
instruction headers. This is part of a broader series that updates
instruction decoding and patching across alternative, kprobe, kgdb, and
cfi subsystems to use the newly generated instruction tables.
> diff --git a/arch/riscv/kernel/alternative.c b/arch/riscv/kernel/alternative.c
> index 7642704c7f184..b26a90eb65cca 100644
> --- a/arch/riscv/kernel/alternative.c
> +++ b/arch/riscv/kernel/alternative.c
[ ... ]
> @@ -78,14 +79,24 @@ static void riscv_alternative_fix_auipc_jalr(void *ptr, u32 auipc_insn,
> u32 jalr_insn, int patch_offset)
> {
> u32 call[2] = { auipc_insn, jalr_insn };
> + u32 auipc_imm;
> s32 imm;
>
> /* get and adjust new target address */
> - imm = riscv_insn_extract_utype_itype_imm(auipc_insn, jalr_insn);
> + imm = riscv_insn_auipc_extract_imm(auipc_insn) + riscv_insn_jalr_extract_imm(jalr_insn);
> imm -= patch_offset;
>
> + /*
> + * When the 32-bit immediate is split across auipc and jalr, the
> + * constructed immediates need to be treated as individually sign
> + * extended numbers. Add the sign bit of the lower 12 bits to the upper
> + * 20 bits to undo the bleeding of the sign.
> + */
> + auipc_imm = imm + (BIT(11) << 1);
[Severity: Critical]
Does this calculation unconditionally add 4096 to the immediate?
Since BIT(11) << 1 evaluates to a constant 4096 (0x1000), it looks like
this regression adds 4096 regardless of whether bit 11 is actually set
in the immediate.
For any jump where bit 11 of the offset is 0, won't the auipc instruction
be patched with a value that is 0x1000 too large, causing the execution to
jump to an unintended address?
> +
> /* update instructions */
> - riscv_insn_insert_utype_itype_imm(&call[0], &call[1], imm);
> + riscv_insn_auipc_insert_imm(&call[0], auipc_imm);
> + riscv_insn_jalr_insert_imm(&call[1], imm);
>
> /* patch the call place again */
> patch_text_nosync(ptr, call, sizeof(u32) * 2);
> diff --git a/arch/riscv/kernel/cfi.c b/arch/riscv/kernel/cfi.c
> index 6ec9dbd7292ee..e38d5f863747a 100644
> --- a/arch/riscv/kernel/cfi.c
> +++ b/arch/riscv/kernel/cfi.c
> @@ -40,16 +40,16 @@ static bool decode_cfi_insn(struct pt_regs *regs, unsigned long *target,
> if (!riscv_insn_is_beq(insn))
> return false;
>
> - *type = (u32)regs_ptr[RV_EXTRACT_RS1_REG(insn)];
> + *type = (u32)regs_ptr[riscv_insn_beq_extract_xs1(insn)];
[Severity: High]
This is a pre-existing issue, but does this extract the actual type
instead of the expected type?
The compiler sequence for indirect call checks places the actual type in
t1 (rs1) and the expected type in t2 (rs2). By extracting xs1 here, the
KCFI failure handler appears to retrieve the actual type loaded from memory.
Since the actual type is read from -4(<reg>) where <reg> could be an
attacker-controlled function pointer, could this allow leaking arbitrary
kernel memory if CONFIG_CFI_PERMISSIVE is enabled and the warning is printed
to dmesg?
Should this extract xs2 instead to get the expected type?
>
> if (get_kernel_nofault(insn, (void *)regs->epc) ||
> get_kernel_nofault(insn, (void *)regs->epc + GET_INSN_LENGTH(insn)))
> return false;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260621-riscv_insn_table-v2-0-7f0810ee2274@gmail.com?part=6
^ permalink raw reply
* Re: [PATCH v2 14/16] riscv: kvm: Use generated instruction headers for csr emulation
From: sashiko-bot @ 2026-06-22 4:30 UTC (permalink / raw)
To: Charlie Jenkins via B4 Relay; +Cc: kvm
In-Reply-To: <20260621-riscv_insn_table-v2-14-7f0810ee2274@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] KVM's MMIO emulation unconditionally overwrites the hardwired `x0` register within the guest's context, causing subsequent KVM-emulated instructions to use non-zero garbage values for `x0`.
--
commit 7feea165a4c11a607fc4f7aca428cb92288c4147
Author: Charlie Jenkins <thecharlesjenkins@gmail.com>
riscv: kvm: Use generated instruction headers for csr emulation
Migrate the csr emulation code to use the generated instruction headers
instead of the hand-written instruction composition functions.
> diff --git a/arch/riscv/kvm/vcpu_insn.c b/arch/riscv/kvm/vcpu_insn.c
> index c5a70de4a5790..d666cd24f8c0e 100644
> --- a/arch/riscv/kvm/vcpu_insn.c
> +++ b/arch/riscv/kvm/vcpu_insn.c
[ ... ]
> @@ -154,7 +150,7 @@ static int csr_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
> #define GET_REG(_rd) (*((unsigned long *)(&vcpu->arch.guest_context) + _rd))
>
> int i, rc = KVM_INSN_ILLEGAL_TRAP;
> - unsigned int csr_num;
> + unsigned int csr_num, rd;
> const struct csr_func *tcfn, *cfn = NULL;
> ulong val = 0, wr_mask = 0, new_val = 0;
>
> @@ -163,26 +159,32 @@ static int csr_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
> wr_mask = -1UL;
> new_val = GET_REG(riscv_insn_csrrw_extract_xs1(insn));
[Severity: High]
This isn't a bug introduced by this patch, but does the newly introduced
GET_REG macro expose a pre-existing corruption of guest_context.zero?
In RISC-V, the x0 register is hardwired to 0. If a guest executes an MMIO
load with destination register x0, KVM unconditionally writes the loaded data
to guest_context.zero:
arch/riscv/kvm/vcpu_insn.c:kvm_riscv_vcpu_mmio_return() {
...
*((ulong *)(&vcpu->arch.guest_context) + vcpu->arch.mmio_decode.rd) =
(long)data << shift >> shift;
...
}
This patch changes csr_insn() to unconditionally read the source register
using GET_REG() without verifying if the register is x0.
If a guest triggers an MMIO load to x0, and then executes a CSR instruction
such as csrrw x0, sscratch, x0, will KVM read the corrupted non-zero value
from guest_context.zero and write it into the guest's CSR?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260621-riscv_insn_table-v2-0-7f0810ee2274@gmail.com?part=14
^ permalink raw reply
* Re: [PATCH v2 02/16] riscv: alternatives: Use generated instruction headers for patching code
From: sashiko-bot @ 2026-06-22 4:28 UTC (permalink / raw)
To: Charlie Jenkins via B4 Relay; +Cc: kvm
In-Reply-To: <20260621-riscv_insn_table-v2-2-7f0810ee2274@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Incorrect immediate calculation for auipc unconditionally adds 4096, breaking alternative patching for jumps where bit 11 is 0.
- [Low] Using a jalr-specific extraction function on an auipc instruction.
--
commit 67f209569c2cc2afe918708c4cf86d391c4abcd2
Author: Charlie Jenkins <thecharlesjenkins@gmail.com>
Subject: riscv: alternatives: Use generated instruction headers for patching code
This commit migrates the alternative patching code to use generated
instruction headers instead of hand-written composition functions.
> diff --git a/arch/riscv/kernel/alternative.c b/arch/riscv/kernel/alternative.c
> --- a/arch/riscv/kernel/alternative.c
> +++ b/arch/riscv/kernel/alternative.c
[ ... ]
> @@ -78,14 +79,24 @@ static void riscv_alternative_fix_auipc_jalr(void *ptr, u32 auipc_insn,
> u32 jalr_insn, int patch_offset)
> {
> u32 call[2] = { auipc_insn, jalr_insn };
> + u32 auipc_imm;
> s32 imm;
>
> /* get and adjust new target address */
> - imm = riscv_insn_extract_utype_itype_imm(auipc_insn, jalr_insn);
> + imm = riscv_insn_auipc_extract_imm(auipc_insn) + riscv_insn_jalr_extract_imm(jalr_insn);
> imm -= patch_offset;
>
> + /*
> + * When the 32-bit immediate is split across auipc and jalr, the
> + * constructed immediates need to be treated as individually sign
> + * extended numbers. Add the sign bit of the lower 12 bits to the upper
> + * 20 bits to undo the bleeding of the sign.
> + */
> + auipc_imm = imm + (BIT(11) << 1);
[Severity: High]
Does this unconditionally add 4096 to the immediate?
The original code conditionally added the offset using (imm & BIT(11)) << 1,
but the new code appears to evaluate to a constant BIT(11) << 1. If imm
has bit 11 set to 0, won't this corrupt the target jump address by 4096 bytes?
> +
> /* update instructions */
> - riscv_insn_insert_utype_itype_imm(&call[0], &call[1], imm);
> + riscv_insn_auipc_insert_imm(&call[0], auipc_imm);
> + riscv_insn_jalr_insert_imm(&call[1], imm);
[ ... ]
> @@ -127,7 +138,7 @@ void riscv_alternative_fix_offsets(void *alt_ptr, unsigned int len,
> continue;
>
> /* if instruction pair is a call, it will use the ra register */
> - if (RV_EXTRACT_RD_REG(insn) != 1)
> + if (riscv_insn_jalr_extract_xd(insn) != 1)
[Severity: Low]
Since insn is verified to be an auipc instruction just above this block,
should this be using riscv_insn_auipc_extract_xd(insn) instead?
While they both extract the destination register at bits 11:7 and work
mathematically, using the jalr helper on an auipc instruction seems
to break the abstraction provided by the new headers.
> continue;
>
> riscv_alternative_fix_auipc_jalr(alt_ptr + i * sizeof(u32),
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260621-riscv_insn_table-v2-0-7f0810ee2274@gmail.com?part=2
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox