[PATCH v3 2/3] riscv: kvm: Fix vstimecmp update hazard on RV32

Naohiko Shimizu posted 3 patches 1 month ago
Posted by Naohiko Shimizu 1 month ago
On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two
separate 32-bit writes. A race condition exists if the timer triggers
during these two writes.

The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp)
recommends a specific 3-step sequence to avoid spurious interrupts
when updating 64-bit comparison registers on 32-bit systems:

1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX).
2. Set the high-order bits (stimecmph) to the desired value.
3. Set the low-order bits (stimecmp) to the desired value.

Current implementation writes the LSB first without ensuring a future
value, which may lead to a transient state where the 64-bit comparison
is incorrectly evaluated as "expired" by the hardware. This results in
spurious timer interrupts.

This patch adopts the spec-recommended 3-step sequence to ensure the
intermediate 64-bit state is never smaller than the current time.

Fixes: 8f5cb44b1bae ("RISC-V: KVM: Support sstc extension")
Signed-off-by: Naohiko Shimizu <naohiko.shimizu@gmail.com>
---
 arch/riscv/kvm/vcpu_timer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/kvm/vcpu_timer.c b/arch/riscv/kvm/vcpu_timer.c
index 85a7262115e1..f36247e4c783 100644
--- a/arch/riscv/kvm/vcpu_timer.c
+++ b/arch/riscv/kvm/vcpu_timer.c
@@ -72,8 +72,9 @@ static int kvm_riscv_vcpu_timer_cancel(struct kvm_vcpu_timer *t)
 static int kvm_riscv_vcpu_update_vstimecmp(struct kvm_vcpu *vcpu, u64 ncycles)
 {
 #if defined(CONFIG_32BIT)
-	ncsr_write(CSR_VSTIMECMP, ncycles & 0xFFFFFFFF);
+	ncsr_write(CSR_VSTIMECMP,  ULONG_MAX);
 	ncsr_write(CSR_VSTIMECMPH, ncycles >> 32);
+	ncsr_write(CSR_VSTIMECMP, (u32)ncycles);
 #else
 	ncsr_write(CSR_VSTIMECMP, ncycles);
 #endif
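Review bot: The CONFIG_32BIT branch of kvm_riscv_vcpu_update_vstimecmp() now writes CSR_VSTIMECMP twice with no comment explaining why, so a later cleanup could remove the first write as redundant; a short comment above the three writes naming the spec sequence (all-ones low, desired high, desired low) would protect the ordering. Two style points in the same branch: `ncsr_write(CSR_VSTIMECMP,  ULONG_MAX);` has a double space after the comma, and the high-half write passes `ncycles >> 32` uncast while the new low-half write uses `(u32)ncycles`.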
@@ -307,8 +308,9 @@ void kvm_riscv_vcpu_timer_restore(struct kvm_vcpu *vcpu)
 		return;
 
 #if defined(CONFIG_32BIT)
-	ncsr_write(CSR_VSTIMECMP, (u32)t->next_cycles);
+	ncsr_write(CSR_VSTIMECMP, ULONG_MAX);
 	ncsr_write(CSR_VSTIMECMPH, (u32)(t->next_cycles >> 32));
+	ncsr_write(CSR_VSTIMECMP, (u32)(t->next_cycles));
 #else
 	ncsr_write(CSR_VSTIMECMP, t->next_cycles);
 #endif
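Review bot: The three-write sequence in the CONFIG_32BIT branch of kvm_riscv_vcpu_timer_restore() is a second copy of the one added in kvm_riscv_vcpu_update_vstimecmp(), so the ordering requirement now lives in two places that can drift apart. Consider a small shared helper that takes the 64-bit value and performs the three writes, and call it from both sites. Minor: the inner parentheses in `(u32)(t->next_cycles)` are redundant, and the casts here differ from the uncast `ncycles >> 32` in the first hunk.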
-- 
2.39.5
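
The hazard described in the commit message, as an added user-space model (not code from the patch or from the kernel): the compare register is modelled as two 32-bit halves, and each update routine counts how many intermediate states would raise the timer. The names `cmp64`, `fires`, `update_low_first`, `update_three_step` and `spurious_count` are hypothetical, the sample values are constructed, and `now` is held constant across the writes as a simplifying assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 64-bit compare register written as two 32-bit halves (RV32). */
struct cmp64 { uint32_t lo, hi; };

/* The timer interrupt is pending whenever time >= compare value. */
static int fires(const struct cmp64 *c, uint64_t now)
{
	return now >= (((uint64_t)c->hi << 32) | c->lo);
}

/* Pre-patch order: desired low half, then desired high half.
 * Returns how many intermediate states raise the timer. */
static int update_low_first(struct cmp64 *c, uint64_t next, uint64_t now)
{
	int spurious = 0;
	c->lo = (uint32_t)next;          spurious += fires(c, now);
	c->hi = (uint32_t)(next >> 32);  /* final state, not intermediate */
	return spurious;
}

/* Patched order: all-ones low, desired high, desired low. */
static int update_three_step(struct cmp64 *c, uint64_t next, uint64_t now)
{
	int spurious = 0;
	c->lo = UINT32_MAX;              spurious += fires(c, now);
	c->hi = (uint32_t)(next >> 32);  spurious += fires(c, now);
	c->lo = (uint32_t)next;          /* final state, not intermediate */
	return spurious;
}

/* Start from compare value `old`, move to `next`, report spurious firings. */
static int spurious_count(int three_step, uint64_t old, uint64_t next, uint64_t now)
{
	struct cmp64 c = { (uint32_t)old, (uint32_t)(old >> 32) };
	return three_step ? update_three_step(&c, next, now)
			  : update_low_first(&c, next, now);
}

int main(void)
{
	/* Constructed values: old and new deadlines are both in the future. */
	const uint64_t now = 0x180000000ULL, old = 0x1F0000000ULL, next = 0x200000010ULL;

	printf("low-first:  %d spurious\n", spurious_count(0, old, next, now));
	printf("three-step: %d spurious\n", spurious_count(1, old, next, now));
	return 0;
}
```

With these values the low-first order passes through 0x1_0000_0010, which is already behind `now`, while every intermediate state of the three-step order is at least as large as the old or the new deadline.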
Re: [PATCH v3 2/3] riscv: kvm: Fix vstimecmp update hazard on RV32
Posted by Anup Patel 1 month ago
On Sun, Jan 4, 2026 at 7:30 PM Naohiko Shimizu
<naohiko.shimizu@gmail.com> wrote:
>
> On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two
> separate 32-bit writes. A race condition exists if the timer triggers
> during these two writes.
>
> The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp)
> recommends a specific 3-step sequence to avoid spurious interrupts
> when updating 64-bit comparison registers on 32-bit systems:
>
> 1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX).
> 2. Set the high-order bits (stimecmph) to the desired value.
> 3. Set the low-order bits (stimecmp) to the desired value.
>
> Current implementation writes the LSB first without ensuring a future
> value, which may lead to a transient state where the 64-bit comparison
> is incorrectly evaluated as "expired" by the hardware. This results in
> spurious timer interrupts.
>
> This patch adopts the spec-recommended 3-step sequence to ensure the
> intermediate 64-bit state is never smaller than the current time.
>
> Fixes: 8f5cb44b1bae ("RISC-V: KVM: Support sstc extension")
> Signed-off-by: Naohiko Shimizu <naohiko.shimizu@gmail.com>

LGTM.

Reviewed-by: Anup Patel <anup@brainfault.org>

Queued this as fixes for Linux-6.19.

Thanks,
Anup

> ---
>  arch/riscv/kvm/vcpu_timer.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/kvm/vcpu_timer.c b/arch/riscv/kvm/vcpu_timer.c
> index 85a7262115e1..f36247e4c783 100644
> --- a/arch/riscv/kvm/vcpu_timer.c
> +++ b/arch/riscv/kvm/vcpu_timer.c
> @@ -72,8 +72,9 @@ static int kvm_riscv_vcpu_timer_cancel(struct kvm_vcpu_timer *t)
>  static int kvm_riscv_vcpu_update_vstimecmp(struct kvm_vcpu *vcpu, u64 ncycles)
>  {
>  #if defined(CONFIG_32BIT)
> -       ncsr_write(CSR_VSTIMECMP, ncycles & 0xFFFFFFFF);
> +       ncsr_write(CSR_VSTIMECMP,  ULONG_MAX);
>         ncsr_write(CSR_VSTIMECMPH, ncycles >> 32);
> +       ncsr_write(CSR_VSTIMECMP, (u32)ncycles);
>  #else
>         ncsr_write(CSR_VSTIMECMP, ncycles);
>  #endif
> @@ -307,8 +308,9 @@ void kvm_riscv_vcpu_timer_restore(struct kvm_vcpu *vcpu)
>                 return;
>
>  #if defined(CONFIG_32BIT)
> -       ncsr_write(CSR_VSTIMECMP, (u32)t->next_cycles);
> +       ncsr_write(CSR_VSTIMECMP, ULONG_MAX);
>         ncsr_write(CSR_VSTIMECMPH, (u32)(t->next_cycles >> 32));
> +       ncsr_write(CSR_VSTIMECMP, (u32)(t->next_cycles));
>  #else
>         ncsr_write(CSR_VSTIMECMP, t->next_cycles);
>  #endif
> --
> 2.39.5
>
Re: [PATCH v3 2/3] riscv: kvm: Fix vstimecmp update hazard on RV32
Posted by Naohiko Shimizu 3 weeks, 4 days ago
Thank you very much, Anup.
I appreciate your review and queuing this as fixes for v6.19.

Naohiko


On Mon, Jan 5, 2026 at 1:31 PM Anup Patel <anup@brainfault.org> wrote:
>
> On Sun, Jan 4, 2026 at 7:30 PM Naohiko Shimizu
> <naohiko.shimizu@gmail.com> wrote:
> >
> > On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two
> > separate 32-bit writes. A race condition exists if the timer triggers
> > during these two writes.
> >
> > The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp)
> > recommends a specific 3-step sequence to avoid spurious interrupts
> > when updating 64-bit comparison registers on 32-bit systems:
> >
> > 1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX).
> > 2. Set the high-order bits (stimecmph) to the desired value.
> > 3. Set the low-order bits (stimecmp) to the desired value.
> >
> > Current implementation writes the LSB first without ensuring a future
> > value, which may lead to a transient state where the 64-bit comparison
> > is incorrectly evaluated as "expired" by the hardware. This results in
> > spurious timer interrupts.
> >
> > This patch adopts the spec-recommended 3-step sequence to ensure the
> > intermediate 64-bit state is never smaller than the current time.
> >
> > Fixes: 8f5cb44b1bae ("RISC-V: KVM: Support sstc extension")
> > Signed-off-by: Naohiko Shimizu <naohiko.shimizu@gmail.com>
>
> LGTM.
>
> Reviewed-by: Anup Patel <anup@brainfault.org>
>
> Queued this as fixes for Linux-6.19.
>
> Thanks,
> Anup
>
> > ---
> >  arch/riscv/kvm/vcpu_timer.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/riscv/kvm/vcpu_timer.c b/arch/riscv/kvm/vcpu_timer.c
> > index 85a7262115e1..f36247e4c783 100644
> > --- a/arch/riscv/kvm/vcpu_timer.c
> > +++ b/arch/riscv/kvm/vcpu_timer.c
> > @@ -72,8 +72,9 @@ static int kvm_riscv_vcpu_timer_cancel(struct kvm_vcpu_timer *t)
> >  static int kvm_riscv_vcpu_update_vstimecmp(struct kvm_vcpu *vcpu, u64 ncycles)
> >  {
> >  #if defined(CONFIG_32BIT)
> > -       ncsr_write(CSR_VSTIMECMP, ncycles & 0xFFFFFFFF);
> > +       ncsr_write(CSR_VSTIMECMP,  ULONG_MAX);
> >         ncsr_write(CSR_VSTIMECMPH, ncycles >> 32);
> > +       ncsr_write(CSR_VSTIMECMP, (u32)ncycles);
> >  #else
> >         ncsr_write(CSR_VSTIMECMP, ncycles);
> >  #endif
> > @@ -307,8 +308,9 @@ void kvm_riscv_vcpu_timer_restore(struct kvm_vcpu *vcpu)
> >                 return;
> >
> >  #if defined(CONFIG_32BIT)
> > -       ncsr_write(CSR_VSTIMECMP, (u32)t->next_cycles);
> > +       ncsr_write(CSR_VSTIMECMP, ULONG_MAX);
> >         ncsr_write(CSR_VSTIMECMPH, (u32)(t->next_cycles >> 32));
> > +       ncsr_write(CSR_VSTIMECMP, (u32)(t->next_cycles));
> >  #else
> >         ncsr_write(CSR_VSTIMECMP, t->next_cycles);
> >  #endif
> > --
> > 2.39.5
> >