[PATCH v1] KVM: arm64: Revert accidental drop of kvm_uninit_stage2_mmu() for non-NV VMs

[PATCH v1] KVM: arm64: Revert accidental drop of kvm_uninit_stage2_mmu() for non-NV VMs

[Fuad Tabba]

Commit 0c4762e26879 ("KVM: arm64: nv: Avoid NV stage-2 code when NV is
not supported") added an early return to several functions in
arch/arm64/kvm/nested.c to prevent a UBSAN shift-out-of-bounds error
when accessing the pgt union for non-nested VMs.

However, this early return was inadvertently applied to
kvm_arch_flush_shadow_all() as well, causing it to skip the call to
kvm_uninit_stage2_mmu(kvm) for all non-nested VMs.

For pKVM, skipping this teardown means the host never unshares the
guest's memory with the EL2 hypervisor. When the host kernel later
recycles these leaked pages for a new VM, it attempts to re-share them.
The hypervisor correctly rejects this with -EPERM, triggering a host
WARN_ON and hanging the guest.

Fix this by dropping the early return from kvm_arch_flush_shadow_all().
The for-loop guarding the nested MMU cleanup already bounds itself when
nested_mmus_size == 0, allowing execution to proceed to
kvm_uninit_stage2_mmu() as intended.

Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/all/60916cb6-f460-4751-b910-f63c58700ad0@sirena.org.uk/
Fixes: 0c4762e26879 ("KVM: arm64: nv: Avoid NV stage-2 code when NV is not supported")
Signed-off-by: Fuad Tabba <tabba@google.com>
---
 arch/arm64/kvm/nested.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index eeea5e692370..7f1ea85dc67a 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -1154,9 +1154,6 @@ void kvm_arch_flush_shadow_all(struct kvm *kvm)
 {
 	int i;
 
-	if (!kvm->arch.nested_mmus_size)
-		return;
-
 	for (i = 0; i < kvm->arch.nested_mmus_size; i++) {
 		struct kvm_s2_mmu *mmu = &kvm->arch.nested_mmus[i];
 

base-commit: 8bf22c33e7a172fbc72464f4cc484d23a6b412ba
-- 
2.53.0.414.gf7e9f6c205-goog

Re: [PATCH v1] KVM: arm64: Revert accidental drop of kvm_uninit_stage2_mmu() for non-NV VMs

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 592 bytes --]

On Sun, Feb 22, 2026 at 08:33:52AM +0000, Fuad Tabba wrote:
> Commit 0c4762e26879 ("KVM: arm64: nv: Avoid NV stage-2 code when NV is
> not supported") added an early return to several functions in
> arch/arm64/kvm/nested.c to prevent a UBSAN shift-out-of-bounds error
> when accessing the pgt union for non-nested VMs.

Thanks Fuad, that seems to have been it:

Tested-by: Mark Brown <broonie@kernel.org>

The patch also seems to address some spurious OOMs that I was able to
reproduce with qemu when running the kselftests on pKVM:

   https://lava.sirena.org.uk/scheduler/job/2482739#L2375

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH v1] KVM: arm64: Revert accidental drop of kvm_uninit_stage2_mmu() for non-NV VMs

[Marc Zyngier]

On Sun, 22 Feb 2026 08:33:52 +0000, Fuad Tabba wrote:
> Commit 0c4762e26879 ("KVM: arm64: nv: Avoid NV stage-2 code when NV is
> not supported") added an early return to several functions in
> arch/arm64/kvm/nested.c to prevent a UBSAN shift-out-of-bounds error
> when accessing the pgt union for non-nested VMs.
> 
> However, this early return was inadvertently applied to
> kvm_arch_flush_shadow_all() as well, causing it to skip the call to
> kvm_uninit_stage2_mmu(kvm) for all non-nested VMs.
> 
> [...]

Applied to fixes, thanks!

[1/1] KVM: arm64: Revert accidental drop of kvm_uninit_stage2_mmu() for non-NV VMs
      commit: ec197dca8735f7627e5cff7e3fa8839b53a28514

Cheers,

	M.
-- 
Without deviation from the norm, progress is not possible.