From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5314CCD6E45 for ; Fri, 29 May 2026 09:22:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:MIME-Version: References:In-Reply-To:Subject:Cc:To:From:Message-ID:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=TmeAf3Ybvh22BotVc9J8HU5aFJTBYRisynSo9SzTQqs=; b=2eYQxMKqf0xdRa6cOEYPmWKP9/ Kxr9z7MRpVYoclaf+nYBpKTZjhQaFnYW76kpG1N9c+uDu5ZWAGeP4jzAt5OtuXTnY9fyRDrNImvak Zuktd7tK0BFqCIcZTJ+w+1WRkXJdTGbZHpHP0Uek32O55mKLytSaB6T7kCGffFb03OmjFylX5M1rj GJU302UenQbNa6PAQW83QmwNoobVrWerWh3xoWVdsplk94QH01JpOYlThfGb3qua8Rj3r5cXteeP1 OwiM60dpfvQ3iT2F1TxD3MilAVZDb7jXgF33Cj5vMtL1JmgvCbUt0bVXk+FY+EBrd3dvD7Lf/ESO8 LjqW00sA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wStQU-000000073RF-1CmN; Fri, 29 May 2026 09:22:46 +0000 Received: from tor.source.kernel.org ([2600:3c04:e001:324:0:1991:8:25]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wStQT-000000073Qm-07mr for linux-arm-kernel@lists.infradead.org; Fri, 29 May 2026 09:22:45 +0000 Received: from smtp.kernel.org (quasi.space.kernel.org [100.103.45.18]) by tor.source.kernel.org (Postfix) with ESMTP id 0F3AA60565; Fri, 29 May 2026 09:22:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B9B271F00893; Fri, 29 May 2026 09:22:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780046563; bh=TmeAf3Ybvh22BotVc9J8HU5aFJTBYRisynSo9SzTQqs=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=Jv2cf8dIg3u3/4h/MRPg7XZ9u6bG0aIX7EubS3mCH9+OW+uvRtM27zzQvthavml7O GzwhrpWPWTW8OvkGKTCIsupp/sZ2rRElbG3fQVInBqESrt/r7qVINXCcNfBs85uMCI IRj8mj9S7qzrltVb8FjBliVdnzCjMvAXjjj95tE9c5ZGzeQwy1dzXVoZi/R6xeRRNV EVDhdBkz7npRtn5sWDbSZKTjIUKPUImMUfqderLN1S4phongLqNHQpciBCrfyEKzKk Gr+eUMn0lR/bLYY00uRajpfL2/av/X1pO+EeDRcoFiXomdXAuiMYea39M6vvVRTubS uVLrOgND86mrw== Received: from sofa.misterjones.org ([185.219.108.64] helo=goblin-girl.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wStQP-00000007LU9-2NUG; Fri, 29 May 2026 09:22:41 +0000 Date: Fri, 29 May 2026 10:22:41 +0100 Message-ID: <868q92vace.wl-maz@kernel.org> From: Marc Zyngier To: Mark Brown Cc: Oliver Upton , Joey Gouly , Steffen Eiden , Suzuki K Poulose , Catalin Marinas , Will Deacon , Mark Rutland , linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v2] KVM: arm64: Preserve all guest ZCR_EL2.LEN values In-Reply-To: <20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org> References: <20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/30.1 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: broonie@kernel.org, oupton@kernel.org, joey.gouly@arm.com, seiden@linux.ibm.com, suzuki.poulose@arm.com, catalin.marinas@arm.com, will@kernel.org, mark.rutland@arm.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Thanks for respinning this patch quickly. On Fri, 29 May 2026 00:01:44 +0100, Mark Brown wrote: > > Since commit b3d29a823099 ("KVM: arm64: nv: Handle ZCR_EL2 traps") when > guests write to ZCR_EL2 we have clamped the value of ZCR_EL2.LEN to be > at most that configuring the maximum guest VL when accessed directly as > ZCR_EL2. This is not clearly the behaviour the architecture documents > for ZCR_EL2.LEN, while things are a little ambiguous currently there is > a fairly direct reading that suggests values will be read as written. > Further, the documented procedure for enumerating vector lengths means > that it is expected that values larger than the largest supported vector > length will be written in practice. Honestly, that's not the core issue. And even $SUBJECT fails to capture what is at stake here. > > The reasoning for the current behaviour is not specifically articulated, my I don't think there is a reasoning behind each and every bug. > best guess is that it is intended to ensure that the guest can not see an > effective VL greater than the maximum that has been configured, though > this will be ineffective when a VHE guest uses the ZCR_EL1 accessor. This last point *IS* the core problem. It is that the guest can access VLs beyond what is intended by the VM configuration. Not getting the read-as-written behaviour really is secondary compared to that issue. [...] I've rewritten the commit message to make it plain what the problem is, see below. I've also slightly tidied up access_zcr_el2(), but the fix otherwise looks good. Thanks, M. KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2 (which traps) or ZCR_EL1 (which does not trap). KVM handles both in different way: - on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own VL limit. This has the potential to break existing SW that relies on the full LEN field to be stateful. - on ZCR_EL1 access, we do absolutely nothing. On restoring the SVE context for an L2 guest, we directly restore the guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the guest's view of the register was updated using the ZCR_EL2 accessor, the value has already been sanitised (with the caveat mentioned above). But if the guest used ZCR_EL1, the raw value is written into the HW, and the L2 guest can now access VLs that it shouldn't. Fix all the above by moving the VL capping to the restore points, ensuring that: - the HW is always programmed with a capped value, irrespective of the accessor being used, - the ZCR_EL2.LEN field is always completely stateful, irrespective of the accessor being used. Additionally, move ZCR_EL2 to be a sanitised register, ensuring that only the LEN field is actually stateful. This requires some creative construction of the RES0 mask, as the sysreg generation script does not yet generate RAZ/WI fields. -- Without deviation from the norm, progress is not possible.