[PATCH] riscv: KVM: Fix missing TLB flush on HENVCFG.PMM updates
Zishun Yi
vulab at iscas.ac.cn
Sat May 9 04:41:22 PDT 2026
According to the RISC-V Privileged ISA specification, if henvcfg.PMM is
changed from or to a value where (XLEN-PMLEN) is less than the GPA width
supported by the hgatp translation mode of that guest, hypervisors must
execute an HFENCE.GVMA with rs1=x0.

Currently, when a guest dynamically changes pointer masking mode via the
SBI FWFT extension, kvm_sbi_fwft_set_pointer_masking_pmlen() directly
modifies the hardware CSR_HENVCFG from the non-one-reg-access path
without issuing the required TLB invalidation.

Fix this by adding an unconditional HFENCE.GVMA after the CSR write.

This vulnerability was discovered and reported by my SpecHunter, an
AI-driven architecture specification analysis tool.
Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2494/linux.txt
Fixes: 48d67106f4a7 ("RISC-V: KVM: Implement ONE_REG interface for SBI FWFT state")
Assisted-by: DeepSeek:DeepSeek-V4-Pro
Signed-off-by: Zishun Yi <vulab at iscas.ac.cn>
---
arch/riscv/kvm/vcpu_sbi_fwft.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kvm/vcpu_sbi_fwft.c b/arch/riscv/kvm/vcpu_sbi_fwft.c
index 2eab15339694..c2bd3ae699fd 100644
--- a/arch/riscv/kvm/vcpu_sbi_fwft.c
+++ b/arch/riscv/kvm/vcpu_sbi_fwft.c
@@ -186,8 +186,10 @@ static long kvm_sbi_fwft_set_pointer_masking_pmlen(struct kvm_vcpu *vcpu,
* update here so that VCPU see's pointer masking mode change
* immediately.
*/
- if (!one_reg_access)
+ if (!one_reg_access) {
csr_write(CSR_HENVCFG, vcpu->arch.cfg.henvcfg);
+ kvm_riscv_local_hfence_gvma_all();
+ }
return SBI_SUCCESS;
}
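Review bot: the added kvm_riscv_local_hfence_gvma_all() runs on every non-one-reg call, even when the new vcpu->arch.cfg.henvcfg leaves the PMM field unchanged, and by its name it flushes all guest mappings on the local hart rather than only this guest's; since the commit message itself states the specification only requires the fence when PMM changes across the GPA-width threshold, consider comparing the old and new PMM value before the csr_write() and skipping the fence when it is unchanged, or otherwise state in the commit message why the unconditional flush is preferred. The comment above the hunk still only explains why the CSR is written immediately ("so that VCPU see's pointer masking mode change immediately"); extend it to record that the fence after the write is required by the spec for PMM changes. Also worth confirming that the one_reg_access path, which stores the new henvcfg value without the csr_write() here, gets the same fence at the point where that value is later loaded into CSR_HENVCFG.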
--
2.51.2