[PATCH v1 2/4] KVM: arm64: Add compile-time type check for register in __vcpu_assign_sys_reg()

Fuad Tabba tabba at google.com
Mon Oct 27 04:39:41 PDT 2025 

The 'r' (register) and 'val' (value) parameters in
__vcpu_assign_sys_reg() can be easily transposed. The register ID is an
enum, whereas the value is a u64. This has led to bugs in the past, and
the risk was increased by the historically inconsistent parameter
ordering of the vcpu_write_sys_reg() function.

To prevent this class of bugs, add a compile-time type compatibility check
to prevent the 'r' parameter from having a 'u64' type.

This directly catches the erroneous transposition (passing the 'u64'
value as 'r') while remaining flexible, as it does not force 'r' to
be a specific enum type.

This patch also updates several local variables in
arch/arm64/kvm/pmu-emul.c from 'u64' to 'enum vcpu_sysreg' to fix
build failures caused by the new check.

No functional change intended.

Signed-off-by: Fuad Tabba <tabba at google.com>
---
NOTE: In practice, 'enum vcpu_sysreg' cannot grow to become compatabile
with u64 since we are limited by the size of arrays that index sysregs.
If it does grow, other compile-time issues show up before this check
becomes an issue.

I verified that this would catch the bug that commit 798eb5978700
("KVM: arm64: Sync protected guest VBAR_EL1 on injecting an undef
exception") introduced, which was fixed later.
---
 arch/arm64/include/asm/kvm_host.h | 17 +++++++++--------
 arch/arm64/kvm/pmu-emul.c         |  7 ++++---
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
index 1b8a420f9add..2c33ea5fdb1c 100644
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -1136,14 +1136,15 @@ static inline u64 *___ctxt_sys_reg(const struct kvm_cpu_context *ctxt, int r)
 
 u64 kvm_vcpu_apply_reg_masks(const struct kvm_vcpu *, enum vcpu_sysreg, u64);
 
-#define __vcpu_assign_sys_reg(v, r, val)				\
-	do {								\
-		const struct kvm_cpu_context *ctxt = &(v)->arch.ctxt;	\
-		u64 __v = (val);					\
-		if (vcpu_has_nv((v)) && (r) >= __SANITISED_REG_START__)	\
-			__v = kvm_vcpu_apply_reg_masks((v), (r), __v);	\
-									\
-		ctxt_sys_reg(ctxt, (r)) = __v;				\
+#define __vcpu_assign_sys_reg(v, r, val)					\
+	do {									\
+		const struct kvm_cpu_context *ctxt = &(v)->arch.ctxt;		\
+		u64 __v = (val);						\
+		BUILD_BUG_ON_ZERO(__builtin_types_compatible_p(typeof(r), u64));\
+		if (vcpu_has_nv((v)) && (r) >= __SANITISED_REG_START__)		\
+			__v = kvm_vcpu_apply_reg_masks((v), (r), __v);		\
+										\
+		ctxt_sys_reg(ctxt, (r)) = __v;					\
 	} while (0)
 
 #define __vcpu_rmw_sys_reg(v, r, op, val)				\
diff --git a/arch/arm64/kvm/pmu-emul.c b/arch/arm64/kvm/pmu-emul.c
index b03dbda7f1ab..c7e2d9be77ae 100644
--- a/arch/arm64/kvm/pmu-emul.c
+++ b/arch/arm64/kvm/pmu-emul.c
@@ -160,7 +160,7 @@ u64 kvm_pmu_get_counter_value(struct kvm_vcpu *vcpu, u64 select_idx)
 static void kvm_pmu_set_pmc_value(struct kvm_pmc *pmc, u64 val, bool force)
 {
 	struct kvm_vcpu *vcpu = kvm_pmc_to_vcpu(pmc);
-	u64 reg;
+	enum vcpu_sysreg reg;
 
 	kvm_pmu_release_perf_event(pmc);
 
@@ -230,7 +230,8 @@ static void kvm_pmu_release_perf_event(struct kvm_pmc *pmc)
 static void kvm_pmu_stop_counter(struct kvm_pmc *pmc)
 {
 	struct kvm_vcpu *vcpu = kvm_pmc_to_vcpu(pmc);
-	u64 reg, val;
+	enum vcpu_sysreg reg;
+	u64 val;
 
 	if (!pmc->perf_event)
 		return;
@@ -776,7 +777,7 @@ void kvm_pmu_set_counter_event_type(struct kvm_vcpu *vcpu, u64 data,
 				    u64 select_idx)
 {
 	struct kvm_pmc *pmc = kvm_vcpu_idx_to_pmc(vcpu, select_idx);
-	u64 reg;
+	enum vcpu_sysreg reg;
 
 	reg = counter_index_to_evtreg(pmc->idx);
 	__vcpu_assign_sys_reg(vcpu, reg, (data & kvm_pmu_evtyper_mask(vcpu->kvm)));
-- 
2.51.1.838.g19442a804e-goog

More information about the linux-arm-kernel mailing list