Date: Fri, 1 May 2026 12:21:44 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
Message-ID: <20260501112149.2824881-2-tabba@google.com>
Subject: [PATCH v2 1/6] KVM: arm64: Make EL2 exception entry and exit context-synchronization events
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org

SCTLR_EL2.EIS and SCTLR_EL2.EOS control whether exception entry and exit at EL2 are Context Synchronisation Events (CSEs). Per ARM DDI 0487 M.b D24.2.175 (p. D24-9754):

- !FEAT_ExS: the bit is RES1, so the entry/exit is unconditionally a CSE.
- FEAT_ExS: the reset value is architecturally UNKNOWN; software must set the bit to make the entry/exit a CSE.

INIT_SCTLR_EL2_MMU_ON in arch/arm64/include/asm/sysreg.h sets neither bit. KVM/arm64 hot paths rely on ERET from EL2 being a CSE, and on synchronous EL1->EL2 entry being a CSE, to elide explicit ISBs after MSRs to context-switching system registers (HCR_EL2, ZCR_EL2, ptrauth keys, etc.). On FEAT_ExS hardware those reliances are not architecturally backed unless EOS=1 (and, for entry, EIS=1).

Until commit 0a35bd285f43 ("arm64: Convert SCTLR_EL2 to sysreg infrastructure"), SCTLR_EL2_RES1 was a hand-rolled mask that included BIT(11) (EOS) and BIT(22) (EIS), so INIT_SCTLR_EL2_MMU_ON was setting both unconditionally. The conversion made SCTLR_EL2_RES1 auto-generated; because the sysreg tooling only models unconditionally-RES1 fields and EIS/EOS are RES1 only when FEAT_ExS is absent, the auto-generated mask is UL(0).

The seven other bits dropped from the old mask (positions 4, 5, 16, 18, 23, 28, 29) are unconditionally RES1 in the E2H=0 SCTLR_EL2 layout per DDI 0487 M.b D24.2.175, so dropping them is harmless. EIS and EOS are the only bits whose semantics changed for FEAT_ExS hardware and where the kernel relies on the value being 1.

Make the guarantee explicit: include SCTLR_ELx_EIS | SCTLR_ELx_EOS in INIT_SCTLR_EL2_MMU_ON so that EL2 exception entry and exit are unconditionally CSEs regardless of whether FEAT_ExS is implemented. This matches the pairing in arch/arm64/kvm/config.c which treats EIS and EOS together as RES1 under !FEAT_ExS.

Fixes: 0a35bd285f43 ("arm64: Convert SCTLR_EL2 to sysreg infrastructure")
Reviewed-by: Yuan Yao
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba
--- arch/arm64/include/asm/sysreg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysre= g.h index 736561480f36..7aa08d59d494 100644 --- a/arch/arm64/include/asm/sysreg.h +++ b/arch/arm64/include/asm/sysreg.h
@@ -844,7 +844,7 @@ #define INIT_SCTLR_EL2_MMU_ON \ (SCTLR_ELx_M | SCTLR_ELx_C | SCTLR_ELx_SA | SCTLR_ELx_I | \ SCTLR_ELx_IESB | SCTLR_ELx_WXN | ENDIAN_SET_EL2 | \ - SCTLR_ELx_ITFSB | SCTLR_EL2_RES1) + SCTLR_ELx_ITFSB | SCTLR_ELx_EIS | SCTLR_ELx_EOS | SCTLR_EL2_RES1) =20 #define INIT_SCTLR_EL2_MMU_OFF \ (SCTLR_EL2_RES1 | ENDIAN_SET_EL2) --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:35:01 2026 Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A660539F162 for ; Fri, 1 May 2026 11:21:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634516; cv=none; b=eghgUvGaXm5nW/YJP4HzxN2M/wQDH0yPA/UZeCNJzOHTfHQz+rF768EjgeQ46NtZq8UAb2Adbs2jb8H1WLjM8we2rVPUNn+w2uYS5PtbGdthPHdmSD/5MTbkeZkuJBSF1TxIXEPohw9JtCM56bSd56EXLXeFqGOxRqNoQWErtsA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634516; c=relaxed/simple; bh=BzOwJo7tMtTnOiFbCf1do1lKh7xZTwBmNLgdzfBWFIc=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=B1yEzHvI5n9iTgWiyD0XFVCFZlH3sD7qhMv8Cil2RJLDhk1CNNjDkTog4R5dl/LaM6jTW8/yZlAB7h2El1lDgbVp2phEwKzUQJ5/dloncNlmBNtCcQD1qvXyZkamtEdlIlXdvL9FezgZnt9SSZ6JaW8rC/0lCoRaZ3LXgtKdWz8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--tabba.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Zvf3dQIV; arc=none smtp.client-ip=209.85.128.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--tabba.bounces.google.com 
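Review bot: INIT_SCTLR_EL2_MMU_OFF in the trailing context is still just (SCTLR_EL2_RES1 | ENDIAN_SET_EL2), so the MMU-off value carries neither EIS nor EOS now that SCTLR_EL2_RES1 is described as UL(0). If any EL2 code can take an exception or ERET while that value is live and expects a context synchronisation event, it has the same gap on FEAT_ExS hardware; either add SCTLR_ELx_EIS | SCTLR_ELx_EOS there too or say in the commit message why the MMU-off path does not need them. A short comment above INIT_SCTLR_EL2_MMU_ON noting that the two bits are RES1 only without FEAT_ExS would also keep a later cleanup from dropping them again.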
Date: Fri, 1 May 2026 12:21:45 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
Message-ID: <20260501112149.2824881-3-tabba@google.com>
Subject: [PATCH v2 2/6] KVM: arm64: Guard against NULL vcpu on VHE hyp panic path
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org

On VHE, __hyp_call_panic() unconditionally calls __deactivate_traps(vcpu) on the vcpu pointer read from host_ctxt->__hyp_running_vcpu. That pointer is cleared after every guest exit (and is never set when no guest is running), so an unexpected EL2 exception landing in _guest_exit_panic, e.g. via the el2t*_invalid / el2h_irq_invalid vectors - reaches this function with vcpu == NULL. __deactivate_traps() then dereferences vcpu via ___deactivate_traps() -> vserror_state_is_nested() -> vcpu_has_nv() -> vcpu->arch.features, faulting inside the panic handler and obscuring the original failure.

The nVHE counterpart (hyp_panic() in arch/arm64/kvm/hyp/nvhe/switch.c) already guards its vcpu-using cleanup with "if (vcpu)"; mirror that here. sysreg_restore_host_state_vhe() does not depend on vcpu and continues to run unconditionally, preserving panic forensics. The trailing panic("...VCPU:%p", vcpu) prints "(null)" safely via printk's %p handling.

Fixes: 6a0259ed29bb ("KVM: arm64: Remove hyp_panic arguments")
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba
--- arch/arm64/kvm/hyp/vhe/switch.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/hyp/vhe/switch.c b/arch/arm64/kvm/hyp/vhe/switc= h.c index 9db3f11a4754..1e8995add14f 100644 --- a/arch/arm64/kvm/hyp/vhe/switch.c +++ b/arch/arm64/kvm/hyp/vhe/switch.c
@@ -663,7 +663,8 @@ static void __noreturn __hyp_call_panic(u64 spsr, u64 e= lr, u64 par) host_ctxt =3D host_data_ptr(host_ctxt); vcpu =3D host_ctxt->__hyp_running_vcpu; =20 - __deactivate_traps(vcpu); + if (vcpu) + __deactivate_traps(vcpu); sysreg_restore_host_state_vhe(host_ctxt); =20 panic("HYP panic:\nPS:%08llx PC:%016llx ESR:%08llx\nFAR:%016llx HPFAR:%01= 6llx PAR:%016llx\nVCPU:%p\n", --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:35:01 2026 Received: from mail-wr1-f73.google.com (mail-wr1-f73.google.com [209.85.221.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 726763A1D1B for ; Fri, 1 May 2026 11:21:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634517; cv=none; b=DU45IGiS9Q4/Vt2x7WZTayQ0+Lgbxm/1EdSSkF7/bctYEeybjlUUR5CBzLdanIFVl/HBhqJNaa+4NJysn9EAH/nOB9OWdCAHKBncQPRuAlAO+6uQ671pGQ75uV10f/yVXG7Ez7FZHqXCWGvK40PVKxjanjpYNfN/glVPLs6Shtk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634517; c=relaxed/simple; bh=W4DGq5FQ3yG9XVJf1X8noklkNaBHnhoJ5jehTTSaoHU=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=nYYr5jU+8Fs89xX72Ev9XwJfT2GrQZdqX7YO0snmHpTCMAWpqK/ttecT0PBLeFmzIDeLU/TPHaOs2hQ5jF/eE6KTTZrHubzyGi5hGtOXafzY6k4CSTmb+HoEHzICsXZPdiyrGAcGv82Pa+McdpgX5l0yFUG+jvRI/h/ymTdjthU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--tabba.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=vHfB7CXn; arc=none smtp.client-ip=209.85.221.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
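Review bot: the new "if (vcpu)" guard in __hyp_call_panic() has no comment saying when __hyp_running_vcpu is NULL, and with it the NULL case now goes straight to sysreg_restore_host_state_vhe() and panic() without any trap teardown. Add a one-line comment above the check stating that a NULL vcpu means no guest is running and that host trap configuration is therefore already in place, so the skipped __deactivate_traps() reads as intentional rather than as an oversight.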
Date: Fri, 1 May 2026 12:21:46 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
Message-ID: <20260501112149.2824881-4-tabba@google.com>
Subject: [PATCH v2 3/6] KVM: arm64: Fix __deactivate_fgt macro parameter typo
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org

__deactivate_fgt() declares its first parameter as "htcxt" but the body references "hctxt". The parameter is unused; the macro silently captures "hctxt" from the enclosing scope.

Both existing callers (__deactivate_traps_hfgxtr() and __deactivate_traps_ich_hfgxtr()) happen to define a local "struct kvm_cpu_context *hctxt", so the macro works by coincidence. A future caller without an "hctxt" local in scope, or naming it differently, would compile but bind to the wrong context.

Align the parameter name with the sibling __activate_fgt() macro. The "vcpu" parameter remains unused in the body, kept for API symmetry with __activate_fgt() (which uses it).

Fixes: f5a5a406b4b8 ("KVM: arm64: Propagate and handle Fine-Grained UNDEF bits")
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba --- arch/arm64/kvm/hyp/include/hyp/switch.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/i= nclude/hyp/switch.h index 98b2976837b1..bf0eb5e43427 100644 --- a/arch/arm64/kvm/hyp/include/hyp/switch.h +++ b/arch/arm64/kvm/hyp/include/hyp/switch.h 
@@ -245,7 +245,7 @@ static inline void __activate_traps_ich_hfgxtr(struct k= vm_vcpu *vcpu) __activate_fgt(hctxt, vcpu, ICH_HFGITR_EL2); } =20 -#define __deactivate_fgt(htcxt, vcpu, reg) \ +#define __deactivate_fgt(hctxt, vcpu, reg) \ do { \ write_sysreg_s(ctxt_sys_reg(hctxt, reg), \ SYS_ ## reg); \ --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:35:01 2026 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3F8843A2575 for ; Fri, 1 May 2026 11:21:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634518; cv=none; b=eX0hRg4apGzmMPESFdT5a62QyLallq+Yny8sMrtUIOp5mQ4uDQPecVPVmrJx08q7KAh/TS8nZpYkkXLBxNy1uDYXrz1XFwBslfpHCKS1KsUAUe2Iuo2k1DIMLEflrqUgJY3zxECg04e+CpnQjFN4KqIitatpibrHc7ikKmTp+ug= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634518; c=relaxed/simple; bh=WNOrRSdjW6v3MCflD6MesgXjVe7HTEIv6WOiAqLeuXs=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=eIg6jL/S7azFH/mTZMh7VK7Za2iW3enRt1+D7vL5vSj0Q2yiJ/eLCsxKlE9uj9o7e5WBHR1pv0X58OZ+oXcLnBZd7b97nWsOePst7oPcf0JiO8heOdv9z6TSQ+X5a52XULsvyGh0gjacW+dvNP+okJf2sr+u9lnjPlkeWRU4qu4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--tabba.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ZEiGNOFx; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--tabba.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; 
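Review bot: the corrected #define line still takes a vcpu argument that the visible body never uses (it only expands hctxt and reg), and nothing at the macro says so. A one-line comment above __deactivate_fgt() stating that vcpu is kept only to match __activate_fgt(hctxt, vcpu, ...) would stop it being dropped or misread later. Because the misspelt parameter built cleanly by binding to a caller's local, it is also worth checking the sibling macros in this header for a body name that does not match any parameter.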
Date: Fri, 1 May 2026 12:21:47 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
Message-ID: <20260501112149.2824881-5-tabba@google.com>
Subject: [PATCH v2 4/6] KVM: arm64: Seed pkvm_ownership_selftest vcpu memcache
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org

The hypercall handlers call pkvm_refill_memcache() to top up the hyp_vcpu memcache before invoking __pkvm_host_{share,donate}_guest(). pkvm_ownership_selftest invokes those functions directly with a static selftest_vcpu that has an empty memcache.

Seed selftest_vcpu's memcache from the prepopulated selftest pages, leaving the remainder for selftest_vm.pool.

Required by the memcache-sufficiency pre-check added in the following patches.

Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba
--- arch/arm64/kvm/hyp/nvhe/pkvm.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c index 7ed96d64d611..deee7947d694 100644 --- a/arch/arm64/kvm/hyp/nvhe/pkvm.c +++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -751,16 +751,30 @@ static struct pkvm_hyp_vcpu selftest_vcpu =3D { struct pkvm_hyp_vcpu *init_selftest_vm(void *virt) { struct hyp_page *p =3D hyp_virt_to_page(virt); + unsigned long min_pages, seeded =3D 0; int i; =20 selftest_vm.kvm.arch.mmu.vtcr =3D host_mmu.arch.mmu.vtcr; WARN_ON(kvm_guest_prepare_stage2(&selftest_vm, virt)); =20 + /* + * Mirror pkvm_refill_memcache() for the share/donate pre-checks; + * the selftest invokes those functions directly and would + * otherwise see an empty memcache. + */ + min_pages =3D kvm_mmu_cache_min_pages(&selftest_vm.kvm.arch.mmu); + for (i =3D 0; i < pkvm_selftest_pages(); i++) { if (p[i].refcount) continue; p[i].refcount =3D 1; - hyp_put_page(&selftest_vm.pool, hyp_page_to_virt(&p[i])); + if (seeded < min_pages) { + push_hyp_memcache(&selftest_vcpu.vcpu.arch.pkvm_memcache, + hyp_page_to_virt(&p[i]), hyp_virt_to_phys); + seeded++; + } else { + hyp_put_page(&selftest_vm.pool, hyp_page_to_virt(&p[i])); + } } =20 selftest_vm.kvm.arch.pkvm.handle =3D __pkvm_reserve_vm(); --=20 2.54.0.545.g6539524ca2-goog From nobody Sun Jun 14 07:35:01 2026 Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 97FFA3A3E81 for ; Fri, 1 May 2026 11:21:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634520; cv=none; b=QOg19FAuk1SXKy0/3dy9VwiMF4NwLBjPAORgbv/V8IVtccktR+rkmriHkuAA7qEaicVIwAP7aE0tTGkarEb9uElmxi7JQdf4vapxv3CSj3iN44FQ8uD5I7Ekd7X3G8wlAvB0CR33zVh/KfoHW/6OJLfmi1dm574NtXLwAUoglyE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777634520; c=relaxed/simple; bh=S7p3SvZAGgFaCzOgURZOrBYd5goc2tc8o7A1j2alrrE=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; 
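Review bot: nothing after the loop in init_selftest_vm() checks that seeded actually reached min_pages. If fewer than min_pages free pages are found among pkvm_selftest_pages(), the memcache is under-seeded and selftest_vm.pool receives nothing, and the failure only surfaces later in the share/donate pre-checks. Add a WARN_ON(seeded < min_pages) after the loop, and confirm that pkvm_selftest_pages() is sized to cover both the memcache seed and what the pool needs, since the pool now gets min_pages fewer pages than before.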
Date: Fri, 1 May 2026 12:21:48 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
Message-ID: <20260501112149.2824881-6-tabba@google.com>
Subject: [PATCH v2 5/6] KVM: arm64: Pre-check vcpu memcache for host->guest share
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org

__pkvm_host_share_guest() ends with kvm_pgtable_stage2_map() to install the guest stage-2 mapping, after a forward pass that mutates the host vmemmap (sets PKVM_PAGE_SHARED_OWNED and increments host_share_guest_count) for every page in the range. The map's return value is wrapped in WARN_ON() and otherwise discarded, asserting that the call cannot fail.

WARN_ON() at nVHE EL2 panics, so this assertion is only correct if the call genuinely cannot fail. kvm_pgtable_stage2_map() can fail with -ENOMEM when the stage-2 walker exhausts the caller's memcache, and the host controls the vcpu memcache via the topup interface, so an under-provisioned share request would otherwise turn a recoverable -ENOMEM into a fatal hyp panic.

Bound the worst-case walker allocation in the existing pre-check pass so that kvm_pgtable_stage2_map() cannot fail at the call site, using kvm_mmu_cache_min_pages() -- the same bound host EL1 uses for its own stage-2 maps. If the vcpu memcache holds fewer pages, return -ENOMEM before any state mutation.

Fixes: d0bd3e6570ae ("KVM: arm64: Introduce __pkvm_host_share_guest()")
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba
--- arch/arm64/kvm/hyp/nvhe/mem_protect.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvh= e/mem_protect.c index 28a471d1927c..e428304f94f2 100644 --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -1369,6 +1369,22 @@ int __pkvm_host_reclaim_page_guest(u64 gfn, struct p= kvm_hyp_vm *vm) return ret && ret !=3D -EHWPOISON ? ret : 0; } =20 +/* + * share/donate install at most one stage-2 leaf (PAGE_SIZE, or one + * KVM_PGTABLE_LAST_LEVEL - 1 block for share). kvm_mmu_cache_min_pages() + * bounds the worst-case allocation: exact for the PAGE_SIZE leaf, + * conservative by one for the block. + */ +static int __guest_check_pgtable_memcache(struct pkvm_hyp_vcpu *vcpu) +{ + struct pkvm_hyp_vm *vm =3D pkvm_hyp_vcpu_to_hyp_vm(vcpu); + + if (vcpu->vcpu.arch.pkvm_memcache.nr_pages < kvm_mmu_cache_min_pages(vm->= pgt.mmu)) + return -ENOMEM; + + return 0; +} + int __pkvm_host_donate_guest(u64 pfn, u64 gfn, struct pkvm_hyp_vcpu *vcpu) { struct pkvm_hyp_vm *vm =3D pkvm_hyp_vcpu_to_hyp_vm(vcpu); 
@@ -1453,6 +1469,10 @@ int __pkvm_host_share_guest(u64 pfn, u64 gfn, u64 nr= _pages, struct pkvm_hyp_vcpu } } =20 + ret =3D __guest_check_pgtable_memcache(vcpu); + if (ret) + goto unlock; + for_each_hyp_page(page, phys, size) { set_host_state(page, PKVM_PAGE_SHARED_OWNED); page->host_share_guest_count++; --=20 2.54.0.545.g6539524ca2-goog
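
Review bot: In the first hunk of 5/6, __guest_check_pgtable_memcache() takes only the vcpu, so the bound it enforces is independent of the range being mapped, and the "at most one stage-2 leaf" sentence in its comment is the only thing tying kvm_mmu_cache_min_pages() to __pkvm_host_share_guest(), which accepts a caller-supplied nr_pages. Either pass the size in and reject anything other than PAGE_SIZE or one KVM_PGTABLE_LAST_LEVEL - 1 block inside the helper, or have the comment name the existing check that enforces that limit, so the "cannot fail" argument for the WARN_ON() does not rest on an invariant stated only in prose. The comparison line also runs well past 80 columns; a local holding kvm_mmu_cache_min_pages(vm->pgt.mmu) would keep it readable.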
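
Review bot: In the second hunk of 5/6, the call added to __pkvm_host_share_guest() carries no comment saying it must stay ahead of the set_host_state() / host_share_guest_count++ loop that follows it. The whole fix depends on that ordering, since the -ENOMEM return is only recoverable while no vmemmap state has been touched. A one-line comment above "ret = __guest_check_pgtable_memcache(vcpu);" naming the WARN_ON() around kvm_pgtable_stage2_map() as the thing it protects would keep a later refactor from moving the check below the loop.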
Date: Fri, 1 May 2026 12:21:49 +0100
In-Reply-To: <20260501112149.2824881-1-tabba@google.com>
References: <20260501112149.2824881-1-tabba@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.54.0.545.g6539524ca2-goog
Message-ID: <20260501112149.2824881-7-tabba@google.com>
Subject: [PATCH v2 6/6] KVM: arm64: Pre-check vcpu memcache for host->guest donate
From: Fuad Tabba
To: maz@kernel.org, oliver.upton@linux.dev
Cc: james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, qperret@google.com, vdonnefort@google.com, tabba@google.com, catalin.marinas@arm.com, will@kernel.org, yaoyuan@linux.alibaba.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

__pkvm_host_donate_guest() flips the host stage-2 PTE for the donated page to a non-valid annotation via host_stage2_set_owner_metadata_locked() and then calls kvm_pgtable_stage2_map() to install the matching guest stage-2 mapping.

The map's return value is wrapped in WARN_ON() and otherwise discarded, asserting that the call cannot fail. WARN_ON() at nVHE EL2 panics, so this assertion is only correct if the call genuinely cannot fail.

kvm_pgtable_stage2_map() can fail with -ENOMEM even at PAGE_SIZE granularity: the donate path verifies PKVM_NOPAGE for the guest IPA before the map, so the walker must allocate fresh page-table pages from the vcpu memcache, and the host controls the vcpu memcache via the topup interface. An under-provisioned donation request would otherwise turn a recoverable -ENOMEM into a fatal hyp panic.

Bound the worst-case walker allocation alongside the existing __host_check_page_state_range() / __guest_check_page_state_range() pre-checks, using the helper introduced for host->guest share. If the vcpu memcache holds fewer pages than kvm_mmu_cache_min_pages(), return -ENOMEM before any state mutation.

Fixes: 1e579adca177 ("KVM: arm64: Introduce __pkvm_host_donate_guest()")
Assisted-by: Gemini:gemini-3.1-pro review-prompts
Signed-off-by: Fuad Tabba
---
 arch/arm64/kvm/hyp/nvhe/mem_protect.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvh= e/mem_protect.c index e428304f94f2..c7f7149c4796 100644
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c @@ -1404,6 +1404,10 @@ int __pkvm_host_donate_guest(u64 pfn, u64 gfn, struc= t pkvm_hyp_vcpu *vcpu) if (ret) goto unlock; =20 + ret =3D __guest_check_pgtable_memcache(vcpu); + if (ret) + goto unlock; + meta =3D host_stage2_encode_gfn_meta(vm, gfn); WARN_ON(host_stage2_set_owner_metadata_locked(phys, PAGE_SIZE, PKVM_ID_GUEST, meta)); --=20 2.54.0.545.g6539524ca2-goog
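
Review bot: In the __pkvm_host_donate_guest() hunk, the context line directly after the new check is itself WARN_ON(host_stage2_set_owner_metadata_locked(phys, PAGE_SIZE, PKVM_ID_GUEST, meta)), and the commit message's argument that WARN_ON() at nVHE EL2 panics applies to that call just as much as to kvm_pgtable_stage2_map(). The patch bounds only the guest-side allocation from the vcpu memcache; please state in the commit message or in a comment why the host stage-2 update cannot fail at this point, or give it a matching pre-check if it can, so that the "return -ENOMEM before any state mutation" guarantee covers every WARN_ON() on this path.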