On Mon, Sep 01, 2025 at 11:15:51PM +0900, Gyujeong Jin wrote:
> From: gyutrange <wlsrbwjd643@naver.com>
>
> VNCR/TLBI VA reconstruction currently uses bit 48 as the sign bit, but for 48-bit virtual addresses the correct sign bit is bit 47. Using 48 can mis-canonicalize addresses in the negative half and may cause missed invalidations.
>
> Although VNCR_EL2 encodes other architectural fields (RESS, BADDR; see Arm ARM D24.2.206), sign_extend64() interprets its second argument as the index of the sign bit. Passing 48 prevents propagation of the canonical sign bit for 48-bit VAs.
>
> Impact:
> - Incorrect canonicalization of VAs with bit47=1
> - Potential stale VNCR pseudo-TLB entries after TLBI or MMU notifier
> - Possible incorrect translation/permissions or DoS when combined with other issues
>
> Fixes: 667304740537 ("KVM: arm64: Mask out non-VA bits from TLBI VA* on VNCR invalidation")
> Cc: stable@vger.kernel.org
> Reported-by: DongHa Lee <gap-dev@example.com>
> Reported-by: Gyujeong Jin <wlsrbwjd7232@gmail.com>
> Reported-by: Daehyeon Ko <4ncient@example.com>
> Reported-by: Geonha Lee <leegn4a@example.com>
> Reported-by: Hyungyu Oh <dqpc_lover@example.com>
> Reported-by: Jaewon Yang <r4mbb1@example.com>
Please do not use fake email addresses.
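The sign-bit argument issue described in the quoted report, shown as an added user-space example that is neither the patch under discussion nor code from the kernel tree. sign_extend64() is reimplemented here with the semantics of the kernel's include/linux/bitops.h (second argument is the index of the sign bit), and the TLBI VA* operand layout (bits [43:0] carry VA[55:12]) follows the architecture. vncr_va_from_tlbi_operand(), tlbi_operand_from_va() and is_canonical() are hypothetical helpers written for this demo; the sample addresses are constructed, not taken from any real trace.

```c
/*
 * Added example: why sign_extend64() must be told about bit 47, not 48,
 * when rebuilding a 48-bit VA from a TLBI VA* operand. Not kernel code.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GENMASK_ULL(h, l) (((~0ULL) >> (63 - (h))) & ((~0ULL) << (l)))

/* Same semantics as the kernel helper: 'index' is the sign bit's position. */
static inline int64_t sign_extend64(uint64_t value, int index)
{
	uint8_t shift = 63 - index;

	return (int64_t)(value << shift) >> shift;
}

/*
 * Hypothetical helper (not the kernel's function): rebuild a canonical VA
 * from a TLBI VA* operand. 'sign_bit' is the index handed to sign_extend64();
 * the correct value for a va_bits-wide VA is va_bits - 1, i.e. 47 for 48-bit
 * VAs. Passing 48 reproduces the bug the report describes.
 */
static uint64_t vncr_va_from_tlbi_operand(uint64_t op, int va_bits, int sign_bit)
{
	uint64_t va = (op & GENMASK_ULL(43, 0)) << 12;	/* operand[43:0] = VA[55:12] */

	va &= GENMASK_ULL(va_bits - 1, 0);		/* drop everything above the VA */
	return (uint64_t)sign_extend64(va, sign_bit);
}

/* Demo-only inverse: pack a VA into the operand form consumed above. */
static uint64_t tlbi_operand_from_va(uint64_t va)
{
	return (va >> 12) & GENMASK_ULL(43, 0);
}

/* A va_bits-wide VA is canonical when bits [63:va_bits] all equal bit va_bits-1. */
static bool is_canonical(uint64_t va, int va_bits)
{
	uint64_t low = va & GENMASK_ULL(va_bits - 1, 0);

	return (uint64_t)sign_extend64(low, va_bits - 1) == va;
}

int main(void)
{
	/* Constructed sample: a kernel-half (bit 47 set) 48-bit VA and a user-half one. */
	const uint64_t kern_va = 0xffff800012345000ULL;
	const uint64_t user_va = 0x0000700012345000ULL;
	uint64_t op = tlbi_operand_from_va(kern_va);
	uint64_t good = vncr_va_from_tlbi_operand(op, 48, 47);
	uint64_t bad = vncr_va_from_tlbi_operand(op, 48, 48);

	printf("operand          : 0x%011llx\n", (unsigned long long)op);
	printf("sign bit 47      : 0x%016llx canonical=%d\n",
	       (unsigned long long)good, is_canonical(good, 48));
	printf("sign bit 48 (bug): 0x%016llx canonical=%d\n",
	       (unsigned long long)bad, is_canonical(bad, 48));
	printf("user-half VA     : 0x%016llx\n",
	       (unsigned long long)vncr_va_from_tlbi_operand(tlbi_operand_from_va(user_va), 48, 47));
	return 0;
}
```

With index 48 the masked value never has bit 48 set, so the arithmetic shift propagates a zero into bits [63:48] and a negative-half VA comes back as 0x0000800012345000 rather than 0xffff800012345000; a lookup keyed on the canonical address then misses the entry, which is the missed-invalidation path the report points at.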