From: Marc Zyngier <maz@kernel.org>
To: Miguel Luis <miguel.luis@oracle.com>
Cc: "kvmarm@lists.linux.dev" <kvmarm@lists.linux.dev>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Joey Gouly <joey.gouly@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH v2 1/4] KVM: arm64: Add assignment-specific sysreg accessor
Date: Wed, 04 Jun 2025 07:52:05 +0100 [thread overview]
Message-ID: <87ecw0dmne.wl-maz@kernel.org> (raw)
In-Reply-To: <84553621-E2B8-47A0-A812-FE273505ED47@oracle.com>
On Tue, 03 Jun 2025 19:01:34 +0100,
Miguel Luis <miguel.luis@oracle.com> wrote:
>
> Hi Marc,
>
> > On 3 Jun 2025, at 07:08, Marc Zyngier <maz@kernel.org> wrote:
> >
> > Assigning a value to a system register doesn't do what it is
> > supposed to be doing if that register is one that has RESx bits.
> >
> > The main problem is that we use __vcpu_sys_reg(), which can be used
> > both as a lvalue and rvalue. When used as a lvalue, the bit masking
> > occurs *before* the new value is assigned, meaning that we (1) do
> > pointless work on the old cvalue, and (2) potentially assign an
> > invalid value as we fail to apply the masks to it.
> >
> > Fix this by providing a new __vcpu_assign_sys_reg() that does
> > what it says on the tin, and sanitises the *new* value instead of
> > the old one. This comes with a significant amount of churn.
> >
> > Signed-off-by: Marc Zyngier <maz@kernel.org>
> > ---
> > arch/arm64/include/asm/kvm_host.h | 11 ++++++
> > arch/arm64/kvm/arch_timer.c | 16 ++++----
> > arch/arm64/kvm/hyp/exception.c | 4 +-
> > arch/arm64/kvm/hyp/include/hyp/switch.h | 4 +-
> > arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h | 6 +--
> > arch/arm64/kvm/hyp/nvhe/hyp-main.c | 4 +-
> > arch/arm64/kvm/hyp/vhe/switch.c | 4 +-
> > arch/arm64/kvm/hyp/vhe/sysreg-sr.c | 44 +++++++++++-----------
> > arch/arm64/kvm/pmu-emul.c | 14 +++----
> > arch/arm64/kvm/sys_regs.c | 38 ++++++++++---------
> > arch/arm64/kvm/sys_regs.h | 4 +-
> > arch/arm64/kvm/vgic/vgic-v3-nested.c | 10 ++---
> > 12 files changed, 86 insertions(+), 73 deletions(-)
> >
> > diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
> > index d941abc6b5eef..3b84ad91116b4 100644
> > --- a/arch/arm64/include/asm/kvm_host.h
> > +++ b/arch/arm64/include/asm/kvm_host.h
> > @@ -1107,6 +1107,17 @@ static inline u64 *___ctxt_sys_reg(const struct kvm_cpu_context *ctxt, int r)
> > #define ctxt_sys_reg(c,r) (*__ctxt_sys_reg(c,r))
> >
> > u64 kvm_vcpu_apply_reg_masks(const struct kvm_vcpu *, enum vcpu_sysreg, u64);
> > +
> > +#define __vcpu_assign_sys_reg(v, r, val) \
> > + do { \
> > + const struct kvm_cpu_context *ctxt = &(v)->arch.ctxt; \
> > + u64 __v = (val); \
> > + if (vcpu_has_nv((v)) && (r) >= __SANITISED_REG_START__) \
>
> Would it make sense to make it more strict by testing < NR_SYS_REGS too?
It is important to notice that you don't pass random integers here.
You pass something that is of an enum type, for which the maximum
value is NR_SYS_REGS. So as long as you pass a literal value, you're
100% safe. If you pass a constant value that goes over the limit, you
will hit the *existing* BUILD_BUG_ON().
You could fall into a trap by iterating over a base value and going
over the limit. But your check will only catch you going over the
array, and not the state corruption you will have introduced.
Finally, this is performance critical code, and I'd rather not add
extra checks that will only be a burden at runtime. If you want to
catch these overflows, using KASAN+UBSAN makes a lot more sense.
M.
--
Jazz isn't dead. It just smells funny.
next prev parent reply other threads:[~2025-06-04 6:54 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-03 7:08 [PATCH v2 0/4] KVM: arm64: vcpu sysreg accessor rework Marc Zyngier
2025-06-03 7:08 ` [PATCH v2 1/4] KVM: arm64: Add assignment-specific sysreg accessor Marc Zyngier
2025-06-03 18:01 ` Miguel Luis
2025-06-04 6:52 ` Marc Zyngier [this message]
2025-06-04 10:14 ` Miguel Luis
2025-06-03 7:08 ` [PATCH v2 2/4] KVM: arm64: Add RMW specific " Marc Zyngier
2025-06-03 7:08 ` [PATCH v2 3/4] KVM: arm64: Don't use __vcpu_sys_reg() to get the address of a sysreg Marc Zyngier
2025-06-03 7:08 ` [PATCH v2 4/4] KVM: arm64: Make __vcpu_sys_reg() a pure rvalue operand Marc Zyngier
2025-06-03 21:06 ` [PATCH v2 0/4] KVM: arm64: vcpu sysreg accessor rework Oliver Upton
2025-06-04 6:54 ` Marc Zyngier
2025-06-04 10:47 ` Miguel Luis
2025-06-04 15:17 ` Marc Zyngier
2025-06-04 15:53 ` Miguel Luis
2025-06-04 18:58 ` Marc Zyngier
2025-06-05 9:40 ` Miguel Luis
2025-06-05 13:34 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ecw0dmne.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=miguel.luis@oracle.com \
--cc=oliver.upton@linux.dev \
--cc=suzuki.poulose@arm.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).