Re: [PATCH v2 2/2] KVM: arm64: Skip unreset vCPUs in MPIDR lookup table

[Marc Zyngier <maz@kernel.org>]

On Mon, 15 Jun 2026 05:20:35 +0100,
Oliver Upton <oupton@kernel.org> wrote:
> 
> On Sun, Jun 14, 2026 at 10:26:32AM +0100, Marc Zyngier wrote:
> > > diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
> > > index 3732ee9eb0d4..fccfa97370df 100644
> > > --- a/arch/arm64/kvm/arm.c
> > > +++ b/arch/arm64/kvm/arm.c
> > > @@ -887,8 +887,18 @@ static void kvm_init_mpidr_data(struct kvm *kvm)
> > >  	data->mpidr_mask = mask;
> > >  
> > >  	kvm_for_each_vcpu(c, vcpu, kvm) {
> > > -		u64 aff = kvm_vcpu_get_mpidr_aff(vcpu);
> > > -		u16 index = kvm_mpidr_index(data, aff);
> > > +		u64 aff;
> > > +		u16 index;
> > > +
> > > +		/*
> > > +		 * Skip vCPUs that haven't been reset yet; their MPIDR_EL1 is
> > > +		 * zero.
> > > +		 */
> > > +		if (!kvm_vcpu_mpidr_is_reset(vcpu))
> > > +			continue;
> > 
> > But what about the initial loop that computes the significant bits
> > amongst the vcpus?
> > 
> > > +
> > > +		aff = kvm_vcpu_get_mpidr_aff(vcpu);
> > > +		index = kvm_mpidr_index(data, aff);
> > 
> > In all honesty, I think this is a userspace bug more than anything
> > else, and checking for random bits in MPDR_EL1 to verify whether the
> > value is plausible is gross.
> 
> +1. Checking the MPIDR value is also broken because userspace can write
> whatever it wants to the register, which could even clear the RES1 bit
> that's getting tested here.
> 
> > Yhis isn't different from setting MPIDR_EL1 to the same value on all
> > vcpus, which we don't try to mitigate. Late setting of MPIDR_EL1 also
> > defeats the whole point of having a cache for the affinity to index
> > conversion, making SGIs pretty slow for late CPUs.
> > 
> > I really think that by not finalising your vcpus and start running the
> > guest, you have cornered yourself pretty badly, and we shouldn't try
> > to paper over it.
> 
> I generally agree, although I wouldn't be against a change that nuked
> any of the cached routings in case of userspace doing stupid things like
> collisions and whatnot.

Detecting collisions is difficult, as we have no idea of the overall
guest topology. All we can do is work out whether the computed mask
has enough bits to represent the number of online vcpus, but that's
not necessarily good enough.

One possibility would be to invalidate the cache on each update to any
MPIDR_EL1, including reset. People doing silly things by initialising
vcpus post first start will still suffer, but should we care?

Thanks,

	M.

-- 
Jazz isn't dead. It just smells funny.