From 9bca8be646e043d1fc6cd426fef05558c02de3df Mon Sep 17 00:00:00 2001 From: Fangyu Yu Date: Thu, 7 Aug 2025 15:07:29 +0800 Subject: [PATCH 1/3] RISC-V: KVM: Fix pte settings within kvm_riscv_gstage_ioremap() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently, kvm_riscv_gstage_ioremap() is used to map IMSIC gpa to the spa of IMSIC guest interrupt file. The PAGE_KERNEL_IO property includes global setting whereas it does not include user mode settings, so when accessing the IMSIC address in the virtual machine, a guest page fault will occur, this is not expected. According to the RISC-V Privileged Architecture Spec, for G-stage address translation, all memory accesses are considered to be user-level accesses as though executed in U-mode. Fixes: 659ad6d82c31 ("RISC-V: KVM: Use PAGE_KERNEL_IO in kvm_riscv_gstage_ioremap()") Signed-off-by: Fangyu Yu Reviewed-by: Radim Krčmář Reviewed-by: Nutty Liu Link: https://lore.kernel.org/r/20250807070729.89701-1-fangyu.yu@linux.alibaba.com Signed-off-by: Anup Patel --- arch/riscv/kvm/mmu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/riscv/kvm/mmu.c b/arch/riscv/kvm/mmu.c index a1c3b2ec1dde..525fb5a330c0 100644 --- a/arch/riscv/kvm/mmu.c +++ b/arch/riscv/kvm/mmu.c @@ -39,6 +39,7 @@ int kvm_riscv_mmu_ioremap(struct kvm *kvm, gpa_t gpa, phys_addr_t hpa, unsigned long size, bool writable, bool in_atomic) { int ret = 0; + pgprot_t prot; unsigned long pfn; phys_addr_t addr, end; struct kvm_mmu_memory_cache pcache = { @@ -55,10 +56,12 @@ int kvm_riscv_mmu_ioremap(struct kvm *kvm, gpa_t gpa, phys_addr_t hpa, end = (gpa + size + PAGE_SIZE - 1) & PAGE_MASK; pfn = __phys_to_pfn(hpa); + prot = pgprot_noncached(PAGE_WRITE); for (addr = gpa; addr < end; addr += PAGE_SIZE) { map.addr = addr; - map.pte = pfn_pte(pfn, PAGE_KERNEL_IO); + map.pte = pfn_pte(pfn, prot); + map.pte = pte_mkdirty(map.pte); map.level = 0; if (!writable) From e61a12a4baf06a4c71e15f522bb5c4345c2ba198 Mon Sep 17 00:00:00 2001 From: Quan Zhou Date: Mon, 11 Aug 2025 10:18:29 +0800 Subject: [PATCH 2/3] RISC-V: KVM: Correct kvm_riscv_check_vcpu_requests() comment Correct `check_vcpu_requests` to `kvm_riscv_check_vcpu_requests` in comments. Fixes: f55ffaf89636 ("RISC-V: KVM: Enable ring-based dirty memory tracking") Signed-off-by: Quan Zhou Reviewed-by: Nutty Liu Reviewed-by: Andrew Jones Link: https://lore.kernel.org/r/49680363098c45516ec4b305283d662d26fa9386.1754326285.git.zhouquan@iscas.ac.cn Signed-off-by: Anup Patel --- arch/riscv/kvm/vcpu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c index f001e56403f9..3ebcfffaa978 100644 --- a/arch/riscv/kvm/vcpu.c +++ b/arch/riscv/kvm/vcpu.c @@ -683,7 +683,7 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu) } /** - * check_vcpu_requests - check and handle pending vCPU requests + * kvm_riscv_check_vcpu_requests - check and handle pending vCPU requests * @vcpu: the VCPU pointer * * Return: 1 if we should enter the guest From 799766208f09f95677a9ab111b93872d414fbad7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= Date: Tue, 5 Aug 2025 12:44:21 +0200 Subject: [PATCH 3/3] RISC-V: KVM: fix stack overrun when loading vlenb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The userspace load can put up to 2048 bits into an xlen bit stack buffer. We want only xlen bits, so check the size beforehand. Fixes: 2fa290372dfe ("RISC-V: KVM: add 'vlenb' Vector CSR") Cc: stable@vger.kernel.org Signed-off-by: Radim Krčmář Reviewed-by: Nutty Liu Reviewed-by: Daniel Henrique Barboza Link: https://lore.kernel.org/r/20250805104418.196023-4-rkrcmar@ventanamicro.com Signed-off-by: Anup Patel --- arch/riscv/kvm/vcpu_vector.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c index a5f88cb717f3..05f3cc2d8e31 100644 --- a/arch/riscv/kvm/vcpu_vector.c +++ b/arch/riscv/kvm/vcpu_vector.c @@ -182,6 +182,8 @@ int kvm_riscv_vcpu_set_reg_vector(struct kvm_vcpu *vcpu, struct kvm_cpu_context *cntx = &vcpu->arch.guest_context; unsigned long reg_val; + if (reg_size != sizeof(reg_val)) + return -EINVAL; if (copy_from_user(®_val, uaddr, reg_size)) return -EFAULT; if (reg_val != cntx->vector.vlenb)