[PATCH] riscv: KVM: Fix missing TLB flush on HENVCFG.PMM updates

Anup Patel anup at brainfault.org
Thu May 14 08:56:27 PDT 2026


On Sat, May 9, 2026 at 5:11 PM Zishun Yi <vulab at iscas.ac.cn> wrote:
>
> According to the RISC-V Privileged ISA specification, if henvcfg.PMM is
> changed from or to a value where (XLEN-PMLEN) is less than the GPA width
> supported by the hgatp translation mode of that guest, hypervisors must
> execute an HFENCE.GVMA with rs1=x0.

The change below is unconditionally doing local HFENCE without checking
if (XLEN-PMLEN) is less than the GPA.

>
> Currently, when a guest dynamically changes pointer masking mode via the
> SBI FWFT extension, kvm_sbi_fwft_set_pointer_masking_pmlen() directly
> modifies the hardware CSR_HENVCFG from the non-one-reg-access path
> without issuing the required TLB invalidation.
>
> Fix this by adding an unconditional HFENCE.GVMA after the CSR write.
>
> This vulnerability was discovered and reported by my SpecHunter, an
> AI-driven architecture specification analysis tool.
>
> Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2494/linux.txt
> Fixes: 48d67106f4a7 ("RISC-V: KVM: Implement ONE_REG interface for SBI FWFT state")
> Assisted-by: DeepSeek:DeepSeek-V4-Pro
> Signed-off-by: Zishun Yi <vulab at iscas.ac.cn>
> ---
>  arch/riscv/kvm/vcpu_sbi_fwft.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kvm/vcpu_sbi_fwft.c b/arch/riscv/kvm/vcpu_sbi_fwft.c
> index 2eab15339694..c2bd3ae699fd 100644
> --- a/arch/riscv/kvm/vcpu_sbi_fwft.c
> +++ b/arch/riscv/kvm/vcpu_sbi_fwft.c
> @@ -186,8 +186,10 @@ static long kvm_sbi_fwft_set_pointer_masking_pmlen(struct kvm_vcpu *vcpu,
>          * update here so that VCPU see's pointer masking mode change
>          * immediately.
>          */
> -       if (!one_reg_access)
> +       if (!one_reg_access) {
>                 csr_write(CSR_HENVCFG, vcpu->arch.cfg.henvcfg);
> +               kvm_riscv_local_hfence_gvma_all();
> +       }
>
>         return SBI_SUCCESS;
>  }
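Review bot: the kvm_riscv_local_hfence_gvma_all() added in this hunk runs on every PMM change, while the rule quoted in the commit message only requires HFENCE.GVMA when the old or the new PMM value makes (XLEN-PMLEN) smaller than the GPA width of the guest's hgatp translation mode; consider gating the fence on that comparison (derived from the PMM field in vcpu->arch.cfg.henvcfg and the current hgatp mode) so that a PMM change that cannot affect G-stage translation does not pay for a full local flush. The fence is also hart-local, which is fine for the running VCPU whose CSR was just written, but the commit message should say why a local fence suffices for the case described. The pre-existing context comment above the write reads "VCPU see's"; while touching this block it could be corrected to "VCPU sees".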
> --
> 2.51.2
>

Regards,
Anup
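The (XLEN-PMLEN) versus GPA-width rule that Anup's comment refers to, written out as an added C example that is not part of the patch or of the kernel tree. The PMM encodings, hgatp.MODE values and per-mode GPA widths are assumptions taken from the RISC-V Ssnpm and hypervisor specifications, and Bare mode is assumed to never need the fence.

```c
/* Added example: decide whether a henvcfg.PMM change requires HFENCE.GVMA.
 * Field encodings below are assumptions from the RISC-V specs, not kernel code. */
#include <stdbool.h>

#define XLEN 64

/* Ssnpm encoding of henvcfg.PMM (assumed): 1 is reserved, so it is omitted. */
enum pmm_mode { PMM_DISABLED = 0, PMM_PMLEN_7 = 2, PMM_PMLEN_16 = 3 };

/* hgatp.MODE values for G-stage translation (assumed). */
enum hgatp_mode { HGATP_BARE = 0, HGATP_SV39X4 = 8, HGATP_SV48X4 = 9, HGATP_SV57X4 = 10 };

/* Number of masked high bits for a PMM encoding; 0 means masking is off. */
static unsigned int pmm_to_pmlen(enum pmm_mode pmm)
{
	switch (pmm) {
	case PMM_PMLEN_7:  return 7;
	case PMM_PMLEN_16: return 16;
	default:           return 0;
	}
}

/* GPA width in bits supported by a G-stage mode (Sv39x4/Sv48x4/Sv57x4 add
 * two bits over the corresponding S-mode scheme). Bare has no G-stage
 * translation and is treated as never triggering the rule (assumption). */
static unsigned int hgatp_gpa_width(enum hgatp_mode mode)
{
	switch (mode) {
	case HGATP_SV39X4: return 41;
	case HGATP_SV48X4: return 50;
	case HGATP_SV57X4: return 59;
	default:           return 0;
	}
}

/* True when this PMM value masks bits that a GPA of the mode's width can use,
 * i.e. (XLEN - PMLEN) is less than the GPA width. */
static bool pmm_narrows_gpa(enum pmm_mode pmm, enum hgatp_mode mode)
{
	unsigned int pmlen = pmm_to_pmlen(pmm);

	return pmlen != 0 && (XLEN - pmlen) < hgatp_gpa_width(mode);
}

/* The spec rule: a fence is needed if the value changed FROM or TO narrows
 * the GPA, so both the old and the new PMM value have to be examined. */
bool pmm_change_needs_gvma_fence(enum pmm_mode old_pmm, enum pmm_mode new_pmm,
				 enum hgatp_mode mode)
{
	return pmm_narrows_gpa(old_pmm, mode) || pmm_narrows_gpa(new_pmm, mode);
}
```

With Sv39x4 neither PMLEN value drops below the 41-bit GPA width, so no fence is needed there, whereas Sv57x4 needs one for both PMLEN 7 and 16.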
