According to the RISC-V Privileged ISA specification, if henvcfg.PMM is changed from or to a value where (XLEN-PMLEN) is less than the GPA width supported by the hgatp translation mode of that guest, hypervisors must execute an HFENCE.GVMA with rs1=x0.

Currently, when a guest dynamically changes pointer masking mode via the SBI FWFT extension, kvm_sbi_fwft_set_pointer_masking_pmlen() directly modifies the hardware CSR_HENVCFG from the non-one-reg-access path without issuing the required TLB invalidation. Fix this by adding an unconditional HFENCE.GVMA after the CSR write.

This vulnerability was discovered and reported by my SpecHunter, an AI-driven architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2494/linux.txt
Fixes: 48d67106f4a7 ("RISC-V: KVM: Implement ONE_REG interface for SBI FWFT state")
Assisted-by: DeepSeek:DeepSeek-V4-Pro
Signed-off-by: Zishun Yi
---
 arch/riscv/kvm/vcpu_sbi_fwft.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kvm/vcpu_sbi_fwft.c b/arch/riscv/kvm/vcpu_sbi_fwft.c
index 2eab15339694..c2bd3ae699fd 100644
--- a/arch/riscv/kvm/vcpu_sbi_fwft.c
+++ b/arch/riscv/kvm/vcpu_sbi_fwft.c
@@ -186,8 +186,10 @@ static long kvm_sbi_fwft_set_pointer_masking_pmlen(struct kvm_vcpu *vcpu, * update here so that VCPU see's pointer masking mode change * immediately. */ - if (!one_reg_access) + if (!one_reg_access) { csr_write(CSR_HENVCFG, vcpu->arch.cfg.henvcfg); + kvm_riscv_local_hfence_gvma_all(); + } return SBI_SUCCESS; }
-- 
2.51.2
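Review bot: The added kvm_riscv_local_hfence_gvma_all() call flushes guest-physical translations for every VMID on the local hart, while the henvcfg value being written is per-VCPU; if a VMID-scoped local HFENCE.GVMA helper is available it would limit the cost to this guest, and a short comment above the call stating why the fence is issued unconditionally (the specification only requires it when XLEN-PMLEN is below the GPA width of the active hgatp mode) would save the next reader a trip to the spec. It is also worth confirming in the description that the one_reg_access path, which skips the immediate csr_write here, receives an equivalent fence at the point where the deferred henvcfg value is actually loaded into the CSR, otherwise the same stale-translation window exists for a value set through the ONE_REG interface.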