From: Lukas Gerlach
Date: Thu, 26 Feb 2026 15:18:58 +0100
Subject: [PATCH 1/4] KVM: riscv: Fix Spectre-v1 in ONE_REG register access
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260226-kvm-riscv-spectre-v1-v1-1-5f930ea16691@cispa.de>
In-Reply-To: <20260226-kvm-riscv-spectre-v1-v1-0-5f930ea16691@cispa.de>
To: Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, Andrew Jones
CC: Daniel Weber, Michael Schwarz, Marton Bognar, Jo Van Bulck, Lukas Gerlach

User-controlled register indices from the ONE_REG ioctl are used to index into arrays of register values. Sanitize them with array_index_nospec() to prevent speculative out-of-bounds access.

Signed-off-by: Lukas Gerlach
---
 arch/riscv/kvm/vcpu_onereg.c | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/arch/riscv/kvm/vcpu_onereg.c b/arch/riscv/kvm/vcpu_onereg.c index e7ab6cb00646..a4c8703a96a9 100644 --- a/arch/riscv/kvm/vcpu_onereg.c +++ b/arch/riscv/kvm/vcpu_onereg.c
@@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -127,6 +128,7 @@ static int kvm_riscv_vcpu_isa_check_host(unsigned long = kvm_ext, unsigned long *g kvm_ext >=3D ARRAY_SIZE(kvm_isa_ext_arr)) return -ENOENT; =20 + kvm_ext =3D array_index_nospec(kvm_ext, ARRAY_SIZE(kvm_isa_ext_arr)); *guest_ext =3D kvm_isa_ext_arr[kvm_ext]; switch (*guest_ext) { case RISCV_ISA_EXT_SMNPM: @@ -443,13 +445,16 @@ static int kvm_riscv_vcpu_get_reg_core(struct kvm_vcp= u *vcpu, unsigned long reg_num =3D reg->id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_RISCV_CORE); + unsigned long regs_max =3D sizeof(struct kvm_riscv_core) / sizeof(unsigne= d long); unsigned long reg_val; =20 if (KVM_REG_SIZE(reg->id) !=3D sizeof(unsigned long)) return -EINVAL; - if (reg_num >=3D sizeof(struct kvm_riscv_core) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + if (reg_num =3D=3D KVM_REG_RISCV_CORE_REG(regs.pc)) reg_val =3D cntx->sepc; else if (KVM_REG_RISCV_CORE_REG(regs.pc) < reg_num && @@ -476,13 +481,16 @@ static int kvm_riscv_vcpu_set_reg_core(struct kvm_vcp= u *vcpu, unsigned long reg_num =3D reg->id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_RISCV_CORE); + unsigned long regs_max =3D sizeof(struct kvm_riscv_core) / sizeof(unsigne= d long); unsigned long reg_val; =20 if (KVM_REG_SIZE(reg->id) !=3D sizeof(unsigned long)) return -EINVAL; - if (reg_num >=3D sizeof(struct kvm_riscv_core) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + if (copy_from_user(®_val, uaddr, KVM_REG_SIZE(reg->id))) return -EFAULT; =20 
@@ -507,10 +515,13 @@ static int kvm_riscv_vcpu_general_get_csr(struct kvm_= vcpu *vcpu, unsigned long *out_val) { struct kvm_vcpu_csr *csr =3D &vcpu->arch.guest_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_csr) / sizeof(unsigned= long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_csr) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + if (reg_num =3D=3D KVM_REG_RISCV_CSR_REG(sip)) { kvm_riscv_vcpu_flush_interrupts(vcpu); *out_val =3D (csr->hvip >> VSIP_TO_HVIP_SHIFT) & VSIP_VALID_MASK; @@ -526,10 +537,13 @@ static int kvm_riscv_vcpu_general_set_csr(struct kvm_= vcpu *vcpu, unsigned long reg_val) { struct kvm_vcpu_csr *csr =3D &vcpu->arch.guest_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_csr) / sizeof(unsigned= long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_csr) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + if (reg_num =3D=3D KVM_REG_RISCV_CSR_REG(sip)) { reg_val &=3D VSIP_VALID_MASK; reg_val <<=3D VSIP_TO_HVIP_SHIFT; @@ -548,11 +562,14 @@ static inline int kvm_riscv_vcpu_smstateen_set_csr(st= ruct kvm_vcpu *vcpu, unsigned long reg_val) { struct kvm_vcpu_smstateen_csr *csr =3D &vcpu->arch.smstateen_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_smstateen_csr) / + sizeof(unsigned long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_smstateen_csr) / - sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -EINVAL; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + ((unsigned long *)csr)[reg_num] =3D reg_val; return 0; } 
@@ -562,11 +579,14 @@ static int kvm_riscv_vcpu_smstateen_get_csr(struct kv= m_vcpu *vcpu, unsigned long *out_val) { struct kvm_vcpu_smstateen_csr *csr =3D &vcpu->arch.smstateen_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_smstateen_csr) / + sizeof(unsigned long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_smstateen_csr) / - sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -EINVAL; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + *out_val =3D ((unsigned long *)csr)[reg_num]; return 0; } --=20 2.51.0
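Review bot: the regs_max declaration, the reg_num >= regs_max check and the array_index_nospec() clamp are open-coded six times in vcpu_onereg.c (get/set_reg_core, general_get/set_csr, smstateen_get/set_csr), and the mitigation holds only while the check and the clamp use the same bound. A small helper or macro that takes the struct type and returns either -ENOENT/-EINVAL or the sanitized index would keep the three together. The two smstateen hunks wrap the regs_max initializer over two lines while the other four leave it on one long line; pick one form. The commit message also carries no Fixes: tag, unlike 4/4; if the change is meant for stable trees, add one.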
From: Lukas Gerlach
Date: Thu, 26 Feb 2026 15:18:59 +0100
Subject: [PATCH 2/4] KVM: riscv: Fix Spectre-v1 in AIA CSR access
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260226-kvm-riscv-spectre-v1-v1-2-5f930ea16691@cispa.de>
In-Reply-To: <20260226-kvm-riscv-spectre-v1-v1-0-5f930ea16691@cispa.de>
To: Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, Andrew Jones
CC: Daniel Weber, Michael Schwarz, Marton Bognar, Jo Van Bulck, Lukas Gerlach

User-controlled indices are used to access AIA CSR registers. Sanitize them with array_index_nospec() to prevent speculative out-of-bounds access.

Similar to x86 commit 8c86405f606c ("KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks") and arm64 commit 41b87599c743 ("KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_get_irq()").

Signed-off-by: Lukas Gerlach
---
 arch/riscv/kvm/aia.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/kvm/aia.c b/arch/riscv/kvm/aia.c index cac3c2b51d72..38de97d2f5b8 100644
--- a/arch/riscv/kvm/aia.c +++ b/arch/riscv/kvm/aia.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -182,10 +183,13 @@ int kvm_riscv_vcpu_aia_get_csr(struct kvm_vcpu *vcpu, unsigned long *out_val) { struct kvm_vcpu_aia_csr *csr =3D &vcpu->arch.aia_context.guest_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_aia_csr) / sizeof(unsi= gned long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_aia_csr) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + *out_val =3D 0; if (kvm_riscv_aia_available()) *out_val =3D ((unsigned long *)csr)[reg_num]; 
@@ -198,10 +202,13 @@ int kvm_riscv_vcpu_aia_set_csr(struct kvm_vcpu *vcpu, unsigned long val) { struct kvm_vcpu_aia_csr *csr =3D &vcpu->arch.aia_context.guest_csr; + unsigned long regs_max =3D sizeof(struct kvm_riscv_aia_csr) / sizeof(unsi= gned long); =20 - if (reg_num >=3D sizeof(struct kvm_riscv_aia_csr) / sizeof(unsigned long)) + if (reg_num >=3D regs_max) return -ENOENT; =20 + reg_num =3D array_index_nospec(reg_num, regs_max); + if (kvm_riscv_aia_available()) { ((unsigned long *)csr)[reg_num] =3D val; =20 --=20 2.51.0
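Review bot: in kvm_riscv_vcpu_aia_get_csr() and kvm_riscv_vcpu_aia_set_csr(), regs_max is derived from sizeof(struct kvm_riscv_aia_csr), but the object that is actually indexed is a struct kvm_vcpu_aia_csr cast to unsigned long *. The clamp therefore bounds the access correctly only if the indexed struct has at least as many unsigned long slots as the one used for the bound, which these lines do not show. A static_assert(sizeof(struct kvm_vcpu_aia_csr) >= sizeof(struct kvm_riscv_aia_csr)) next to regs_max would document the assumption and stop the bound from drifting away from the storage it protects.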
From: Lukas Gerlach
Date: Thu, 26 Feb 2026 15:19:00 +0100
Subject: [PATCH 3/4] KVM: riscv: Fix Spectre-v1 in floating-point register access
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260226-kvm-riscv-spectre-v1-v1-3-5f930ea16691@cispa.de>
In-Reply-To: <20260226-kvm-riscv-spectre-v1-v1-0-5f930ea16691@cispa.de>
To: Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, Andrew Jones
CC: Daniel Weber, Michael Schwarz, Marton Bognar, Jo Van Bulck, Lukas Gerlach

User-controlled indices are used to index into floating-point registers. Sanitize them with array_index_nospec() to prevent speculative out-of-bounds access.

Signed-off-by: Lukas Gerlach
---
 arch/riscv/kvm/vcpu_fp.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/arch/riscv/kvm/vcpu_fp.c b/arch/riscv/kvm/vcpu_fp.c index 030904d82b58..bd5a9e7e7165 100644 --- a/arch/riscv/kvm/vcpu_fp.c +++ b/arch/riscv/kvm/vcpu_fp.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include =20
@@ -93,9 +94,11 @@ int kvm_riscv_vcpu_get_reg_fp(struct kvm_vcpu *vcpu, if (reg_num =3D=3D KVM_REG_RISCV_FP_F_REG(fcsr)) reg_val =3D &cntx->fp.f.fcsr; else if ((KVM_REG_RISCV_FP_F_REG(f[0]) <=3D reg_num) && - reg_num <=3D KVM_REG_RISCV_FP_F_REG(f[31])) + reg_num <=3D KVM_REG_RISCV_FP_F_REG(f[31])) { + reg_num =3D array_index_nospec(reg_num, + ARRAY_SIZE(cntx->fp.f.f)); reg_val =3D &cntx->fp.f.f[reg_num]; - else + } else return -ENOENT; } else if ((rtype =3D=3D KVM_REG_RISCV_FP_D) && riscv_isa_extension_available(vcpu->arch.isa, d)) { @@ -107,6 +110,8 @@ int kvm_riscv_vcpu_get_reg_fp(struct kvm_vcpu *vcpu, reg_num <=3D KVM_REG_RISCV_FP_D_REG(f[31])) { if (KVM_REG_SIZE(reg->id) !=3D sizeof(u64)) return -EINVAL; + reg_num =3D array_index_nospec(reg_num, + ARRAY_SIZE(cntx->fp.d.f)); reg_val =3D &cntx->fp.d.f[reg_num]; } else return -ENOENT; @@ -138,9 +143,11 @@ int kvm_riscv_vcpu_set_reg_fp(struct kvm_vcpu *vcpu, if (reg_num =3D=3D KVM_REG_RISCV_FP_F_REG(fcsr)) reg_val =3D &cntx->fp.f.fcsr; else if ((KVM_REG_RISCV_FP_F_REG(f[0]) <=3D reg_num) && - reg_num <=3D KVM_REG_RISCV_FP_F_REG(f[31])) + reg_num <=3D KVM_REG_RISCV_FP_F_REG(f[31])) { + reg_num =3D array_index_nospec(reg_num, + ARRAY_SIZE(cntx->fp.f.f)); reg_val =3D &cntx->fp.f.f[reg_num]; - else + } else return -ENOENT; } else if ((rtype =3D=3D KVM_REG_RISCV_FP_D) && riscv_isa_extension_available(vcpu->arch.isa, d)) { 
@@ -152,6 +159,8 @@ int kvm_riscv_vcpu_set_reg_fp(struct kvm_vcpu *vcpu, reg_num <=3D KVM_REG_RISCV_FP_D_REG(f[31])) { if (KVM_REG_SIZE(reg->id) !=3D sizeof(u64)) return -EINVAL; + reg_num =3D array_index_nospec(reg_num, + ARRAY_SIZE(cntx->fp.d.f)); reg_val =3D &cntx->fp.d.f[reg_num]; } else return -ENOENT; --=20 2.51.0
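Review bot: in kvm_riscv_vcpu_get_reg_fp() and kvm_riscv_vcpu_set_reg_fp(), the range check is written against KVM_REG_RISCV_FP_F_REG(f[0]) .. KVM_REG_RISCV_FP_F_REG(f[31]) (and the _D_ equivalents), while the clamp applies ARRAY_SIZE(cntx->fp.f.f) to the raw reg_num, so check and clamp agree only if f[0] is register number 0. If the layout guarantees that, a one-line comment next to the clamp should say so; otherwise subtract the f[0] base before clamping and indexing. Style: the F branches now read "} else return -ENOENT;" with braces on one arm only; kernel coding style asks for braces on both arms once one of them needs them.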
From: Lukas Gerlach
Date: Thu, 26 Feb 2026 15:19:01 +0100
Subject: [PATCH 4/4] KVM: riscv: Fix Spectre-v1 in PMU counter access
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260226-kvm-riscv-spectre-v1-v1-4-5f930ea16691@cispa.de>
In-Reply-To: <20260226-kvm-riscv-spectre-v1-v1-0-5f930ea16691@cispa.de>
To: Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, Andrew Jones
CC: Daniel Weber, Michael Schwarz, Marton Bognar, Jo Van Bulck, Lukas Gerlach

Guest-controlled counter indices received via SBI ecalls are used to index into the PMC array. Sanitize them with array_index_nospec() to prevent speculative out-of-bounds access.

Similar to x86 commit 13c5183a4e64 ("KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks").

Fixes: 8f0153ecd3bf ("RISC-V: KVM: Add skeleton support for perf")
Signed-off-by: Lukas Gerlach
Reviewed-by: Radim Krčmář
---
 arch/riscv/kvm/vcpu_pmu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c index 4d8d5e9aa53d..fd891750c31f 100644 --- a/arch/riscv/kvm/vcpu_pmu.c +++ b/arch/riscv/kvm/vcpu_pmu.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -218,6 +219,7 @@ static int pmu_fw_ctr_read_hi(struct kvm_vcpu *vcpu, un= signed long cidx, return -EINVAL; } =20 + cidx =3D array_index_nospec(cidx, RISCV_KVM_MAX_COUNTERS); pmc =3D &kvpmu->pmc[cidx]; =20 if (pmc->cinfo.type !=3D SBI_PMU_CTR_TYPE_FW) @@ -244,6 +246,7 @@ static int pmu_ctr_read(struct kvm_vcpu *vcpu, unsigned= long cidx, return -EINVAL; } =20 + cidx =3D array_index_nospec(cidx, RISCV_KVM_MAX_COUNTERS); pmc =3D &kvpmu->pmc[cidx]; =20 if (pmc->cinfo.type =3D=3D SBI_PMU_CTR_TYPE_FW) { @@ -525,6 +528,7 @@ int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, = unsigned long cidx, return 0; } =20 + cidx =3D array_index_nospec(cidx, RISCV_KVM_MAX_COUNTERS); retdata->out_val =3D kvpmu->pmc[cidx].cinfo.value; =20 return 0; --=20 2.51.0
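Review bot: in pmu_fw_ctr_read_hi(), pmu_ctr_read() and kvm_riscv_vcpu_pmu_ctr_info(), the clamp bound is the constant RISCV_KVM_MAX_COUNTERS, while the bounds check that has to dominate it lies outside the hunk context (only its "return -EINVAL; }" or "return 0; }" tail is visible). array_index_nospec() is sound only when its size argument is no larger than the array being indexed, so ARRAY_SIZE(kvpmu->pmc) would tie the bound to the array itself, as 3/4 does with ARRAY_SIZE(cntx->fp.f.f). The message says the indices arrive via SBI ecalls; please state in the changelog whether these three functions are the only places that index kvpmu->pmc[] with a guest-supplied value.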
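The check-then-clamp pattern this series applies, as a user-space model added here for illustration (not code from the patches or the kernel tree). index_mask_nospec() uses the same arithmetic as the kernel's generic array_index_mask_nospec(); struct demo_csr, demo_regs, demo_get_csr() and demo_read() are constructed names, and the model shows the arithmetic only, not a speculation guarantee for user-space code.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * Same arithmetic as the kernel's generic array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise, computed without a branch.
 * Valid for size <= LONG_MAX and relies on arithmetic right shift of a
 * negative long, as the kernel does.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/*
	 * GCC/Clang barrier in the spirit of the kernel's OPTIMIZER_HIDE_VAR():
	 * without it the compiler may prove index < size from the caller's
	 * bounds check and delete the mask.
	 */
	__asm__("" : "=r"(index) : "0"(index));
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Model of array_index_nospec(): in-range indices pass through, others become 0. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Constructed register file; the field names are illustrative only. */
struct demo_csr {
	unsigned long vsstatus, vsie, vstvec, vsscratch;
};

static const struct demo_csr demo_regs = { 0x11, 0x22, 0x33, 0x44 };

/* Accessor in the shape the series gives the KVM getters. */
static int demo_get_csr(const struct demo_csr *csr, unsigned long reg_num,
			unsigned long *out_val)
{
	unsigned long regs_max = sizeof(*csr) / sizeof(unsigned long);

	if (reg_num >= regs_max)	/* architectural bounds check */
		return -ENOENT;

	/* Data-dependent clamp: holds even where the branch above is mispredicted. */
	reg_num = index_nospec(reg_num, regs_max);

	*out_val = ((const unsigned long *)csr)[reg_num];
	return 0;
}

/* Convenience wrapper: register value on success, negative errno on failure. */
static long demo_read(unsigned long reg_num)
{
	unsigned long val = 0;
	int ret = demo_get_csr(&demo_regs, reg_num, &val);

	return ret ? ret : (long)val;
}

int main(void)
{
	/* Constructed probe values: two in range, three out of range. */
	unsigned long probes[] = { 0, 3, 4, 5, ULONG_MAX };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("reg_num=%lu mask=%#lx clamped=%lu read=%ld\n",
		       probes[i], index_mask_nospec(probes[i], 4),
		       index_nospec(probes[i], 4), demo_read(probes[i]));
	return 0;
}
```

An out-of-range index is clamped to 0 rather than rejected, which is why the architectural check has to stay in front of the clamp.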