* [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker
From: Zenghui Yu @ 2026-02-25 17:35 UTC (permalink / raw)
To: kvmarm, linux-arm-kernel
Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)
From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
A small step towards fixing the issues discussed in
https://lore.kernel.org/all/3f88cd49-68f1-4276-a067-b7c6beadb27c@linux.dev .
Zenghui Yu (Huawei) (3):
KVM: arm64: nv: Check S2 limits based on implemented PA size
KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
KVM: arm64: nv: Inject a SEA if failed to read the descriptor
arch/arm64/kvm/nested.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
--
2.53.0
* [PATCH 1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size
From: Zenghui Yu @ 2026-02-25 17:35 UTC (permalink / raw)
To: kvmarm, linux-arm-kernel
Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)
From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
check_base_s2_limits() checks the validity of SL0 and inputsize against
ia_size (inputsize again!) but the pseudocode from DDI0487 G.a
AArch64.TranslationTableWalk() says that we should check against the
implemented PA size.
We would otherwise fail to walk S2 with a valid configuration. E.g.,
granule size = 4KB, inputsize = 40 bits, initial lookup level = 0 (no
concatenation) on a system with 48 bits PA range supported is allowed by
architecture.
Fix it by obtaining PA size by kvm_get_pa_bits(). Note that
kvm_get_pa_bits() returns the fixed limit now and should eventually reflect
the per VM PARange (one day!). Given that the configured PARange should not
be greater than kvm_ipa_limit, it at least fixes the problem described
above.
While at it, inject a level 0 translation fault to guest if
check_base_s2_limits() fails, as per the pseudocode.
Fixes: 61e30b9eef7f ("KVM: arm64: nv: Implement nested Stage-2 page table walk logic")
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
arch/arm64/kvm/nested.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index 620126d1f0dc..44ed3915b961 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -152,31 +152,31 @@ static int get_ia_size(struct s2_walk_info *wi)
return 64 - wi->t0sz;
}
-static int check_base_s2_limits(struct s2_walk_info *wi,
+static int check_base_s2_limits(struct kvm_vcpu *vcpu, struct s2_walk_info *wi,
int level, int input_size, int stride)
{
- int start_size, ia_size;
+ int start_size, pa_max;
- ia_size = get_ia_size(wi);
+ pa_max = kvm_get_pa_bits(vcpu->kvm);
/* Check translation limits */
switch (BIT(wi->pgshift)) {
case SZ_64K:
- if (level == 0 || (level == 1 && ia_size <= 42))
+ if (level == 0 || (level == 1 && pa_max <= 42))
return -EFAULT;
break;
case SZ_16K:
- if (level == 0 || (level == 1 && ia_size <= 40))
+ if (level == 0 || (level == 1 && pa_max <= 40))
return -EFAULT;
break;
case SZ_4K:
- if (level < 0 || (level == 0 && ia_size <= 42))
+ if (level < 0 || (level == 0 && pa_max <= 42))
return -EFAULT;
break;
}
/* Check input size limits */
- if (input_size > ia_size)
+ if (input_size > pa_max)
return -EFAULT;
/* Check number of entries in starting level table */
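Review bot: pa_max is introduced in check_base_s2_limits() without a comment saying which limit it represents, and the commit message is the only place that explains that kvm_get_pa_bits() currently returns a fixed limit rather than the per-VM PARange. A one-line comment at `pa_max = kvm_get_pa_bits(vcpu->kvm);` stating that the checks follow the implemented PA size and that the value is not yet per-VM would keep a later reader from switching the comparisons back to get_ia_size(). It would also help to rename or reword the "Check input size limits" comment, since `input_size > pa_max` now compares the input size against a PA bound rather than against itself.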
@@ -269,9 +269,11 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
if (input_size > 48 || input_size < 25)
return -EFAULT;
- ret = check_base_s2_limits(wi, level, input_size, stride);
- if (WARN_ON(ret))
+ ret = check_base_s2_limits(vcpu, wi, level, input_size, stride);
+ if (WARN_ON(ret)) {
+ out->esr = compute_fsc(0, ESR_ELx_FSC_FAULT);
return ret;
+ }
base_lower_bound = 3 + input_size - ((3 - level) * stride +
wi->pgshift);
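Review bot: the WARN_ON(ret) kept around the check_base_s2_limits() call in walk_nested_s2_pgd() now sits on a path that intentionally reports a level 0 translation fault to the guest. If the level, input size and granule checked here derive from what L1 programs, the guest can trigger a host-side warning at will, which floods the log and is fatal with panic_on_warn; consider dropping the WARN_ON or making it a once-only variant. Two smaller points on the same lines: this path sets out->esr but still returns the negative value from check_base_s2_limits(), whereas the address size fault path later in the function returns 1 after setting out->esr, so it is worth confirming the caller injects the fault on a negative return; and the `input_size > 48 || input_size < 25` check just above still returns -EFAULT without setting out->esr.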
--
2.53.0
* [PATCH 2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
From: Zenghui Yu @ 2026-02-25 17:35 UTC (permalink / raw)
To: kvmarm, linux-arm-kernel
Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)
From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
As per R_BFHQH,
" When an Address size fault is generated, the reported fault code
indicates one of the following:
If the fault was generated due to the TTBR_ELx used in the translation
having nonzero address bits above the OA size, then a fault at level 0. "
Fix the reported Address size fault level as being 0 if the base address is
wrongly programmed by L1.
Fixes: 61e30b9eef7f ("KVM: arm64: nv: Implement nested Stage-2 page table walk logic")
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
arch/arm64/kvm/nested.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index 44ed3915b961..a957542ae3c2 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -280,7 +280,8 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
base_addr = wi->baddr & GENMASK_ULL(47, base_lower_bound);
if (check_output_size(wi, base_addr)) {
- out->esr = compute_fsc(level, ESR_ELx_FSC_ADDRSZ);
+ /* R_BFHQH */
+ out->esr = compute_fsc(0, ESR_ELx_FSC_ADDRSZ);
return 1;
}
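Review bot: the `/* R_BFHQH */` comment above the compute_fsc(0, ESR_ELx_FSC_ADDRSZ) call names the rule but not the reason, and the literal 0 replacing `level` will look like a mistake to anyone without the Arm ARM open. Suggest spelling it out, for example "R_BFHQH: address size fault caused by the base address is reported at level 0", so the hard-coded level is self-explanatory next to the check_output_size(wi, base_addr) test.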
--
2.53.0
* [PATCH 3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor
From: Zenghui Yu @ 2026-02-25 17:35 UTC (permalink / raw)
To: kvmarm, linux-arm-kernel
Cc: maz, oupton, joey.gouly, suzuki.poulose, Zenghui Yu (Huawei)
From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
Failure to read the descriptor (because it is outside of a memslot) should
result in a SEA being injected in the guest.
Suggested-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/86ms1m9lp3.wl-maz@kernel.org
Signed-off-by: Zenghui Yu (Huawei) <zenghui.yu@linux.dev>
---
arch/arm64/kvm/nested.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kvm/nested.c b/arch/arm64/kvm/nested.c
index a957542ae3c2..79e6091b738f 100644
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -296,8 +296,10 @@ static int walk_nested_s2_pgd(struct kvm_vcpu *vcpu, phys_addr_t ipa,
paddr = base_addr | index;
ret = read_guest_s2_desc(vcpu, paddr, &desc, wi);
- if (ret < 0)
+ if (ret < 0) {
+ out->esr = ESR_ELx_FSC_SEA_TTW(level);
return ret;
+ }
new_desc = desc;
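Review bot: in the `if (ret < 0)` branch after read_guest_s2_desc(), every negative return is reported as a synchronous external abort on the table walk, while the commit message only covers the case where the descriptor lies outside a memslot. If read_guest_s2_desc() can fail for other reasons, a comment stating that all read failures are treated as an SEA, or a check on the specific error, would make the intent clear. Also, out->esr is assigned ESR_ELx_FSC_SEA_TTW(level) directly here, whereas the other fault paths in this function go through compute_fsc(); a short note on why the helper is not used would avoid questions about whether the two encodings are consistent.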
--
2.53.0
* Re: [PATCH 0/3] KVM: arm64: minor fixes about S2 page table walker
From: Marc Zyngier @ 2026-03-06 10:48 UTC (permalink / raw)
To: kvmarm, linux-arm-kernel, Zenghui Yu; +Cc: oupton, joey.gouly, suzuki.poulose
On Thu, 26 Feb 2026 01:35:12 +0800, Zenghui Yu wrote:
> From: "Zenghui Yu (Huawei)" <zenghui.yu@linux.dev>
>
> A small step towards fixing the issues discussed in
> https://lore.kernel.org/all/3f88cd49-68f1-4276-a067-b7c6beadb27c@linux.dev .
>
> Zenghui Yu (Huawei) (3):
> KVM: arm64: nv: Check S2 limits based on implemented PA size
> KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
> KVM: arm64: nv: Inject a SEA if failed to read the descriptor
>
> [...]
Applied to fixes, thanks!
[1/3] KVM: arm64: nv: Check S2 limits based on implemented PA size
commit: 4c2264ecdf39ddbdb62e37b156015aacf05d0dcb
[2/3] KVM: arm64: nv: Report addrsz fault at level 0 with a bad VTTBR.BADDR
commit: 99a339377f3c1bdf6edd5614d36893ab1806f9e6
[3/3] KVM: arm64: nv: Inject a SEA if failed to read the descriptor
commit: eb54fa1025f8b520f0e83a807d76e35e4587c5ff
Cheers,
M.
--
Without deviation from the norm, progress is not possible.