| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/06/26 23:04 | flow | patch-triage |
Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch only adds tracepoints to the RISC-V KVM implementation and performs minor refactoring to support them. It does not make any functional changes to the execution flow.",
"WorthFuzzing": false
} |
| 1/1 | 2026/06/26 23:04 | action | read-patch-diff |
Args: null Results: {
"PatchDiff": "commit 126db61e37ebf574b9f04b62954245ecd45e2bbe\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Fri Jun 26 23:04:40 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/arch/riscv/kvm/trace.h b/arch/riscv/kvm/trace.h\nindex 3d54175d805cbc..117e45ef397d16 100644\n--- a/arch/riscv/kvm/trace.h\n+++ b/arch/riscv/kvm/trace.h\n@@ -25,7 +25,7 @@ TRACE_EVENT(kvm_entry,\n \t\t__entry-\u003epc\t= vcpu-\u003earch.guest_context.sepc;\n \t),\n \n-\tTP_printk(\"PC: 0x016%lx\", __entry-\u003epc)\n+\tTP_printk(\"PC: 0x%016lx\", __entry-\u003epc)\n );\n \n TRACE_EVENT(kvm_exit,\n@@ -56,7 +56,187 @@ TRACE_EVENT(kvm_exit,\n \t\t__entry-\u003ehtinst)\n );\n \n-#endif /* _TRACE_RSICV_KVM_H */\n+TRACE_EVENT(kvm_guest_fault,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long scause,\n+\t\t unsigned long stval, unsigned long htval,\n+\t\t unsigned long htinst, unsigned long fault_addr),\n+\tTP_ARGS(vcpu_id, sepc, scause, stval, htval, htinst, fault_addr),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned long, sepc)\n+\t\t__field(unsigned long, scause)\n+\t\t__field(unsigned long, stval)\n+\t\t__field(unsigned long, htval)\n+\t\t__field(unsigned long, htinst)\n+\t\t__field(unsigned long, fault_addr)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003esepc\t\t= sepc;\n+\t\t__entry-\u003escause\t\t= scause;\n+\t\t__entry-\u003estval\t\t= stval;\n+\t\t__entry-\u003ehtval\t\t= htval;\n+\t\t__entry-\u003ehtinst\t\t= htinst;\n+\t\t__entry-\u003efault_addr\t= fault_addr;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, GPA: 0x%lx, SEPC: 0x%lx, SCAUSE: 0x%lx, STVAL: 0x%lx, HTVAL: 0x%lx, HTINST: 0x%lx\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003efault_addr, __entry-\u003esepc,\n+\t\t __entry-\u003escause, __entry-\u003estval, __entry-\u003ehtval,\n+\t\t __entry-\u003ehtinst)\n+);\n+\n+TRACE_EVENT(kvm_irq_line,\n+\tTP_PROTO(int vcpu_id, unsigned int irq, int 
level),\n+\tTP_ARGS(vcpu_id, irq, level),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(int, vcpu_id)\n+\t\t__field(unsigned int, irq)\n+\t\t__field(int, level)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003eirq\t\t= irq;\n+\t\t__entry-\u003elevel\t\t= level;\n+\t),\n+\n+\tTP_printk(\"VCPU: %d, IRQ: %u, level: %d\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003eirq, __entry-\u003elevel)\n+);\n+\n+TRACE_EVENT(kvm_mmio_emulate,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long insn,\n+\t\t unsigned long fault_addr, bool write, int len),\n+\tTP_ARGS(vcpu_id, sepc, insn, fault_addr, write, len),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned long, sepc)\n+\t\t__field(unsigned long, insn)\n+\t\t__field(unsigned long, fault_addr)\n+\t\t__field(bool, write)\n+\t\t__field(int, len)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003esepc\t\t= sepc;\n+\t\t__entry-\u003einsn\t\t= insn;\n+\t\t__entry-\u003efault_addr\t= fault_addr;\n+\t\t__entry-\u003ewrite\t\t= write;\n+\t\t__entry-\u003elen\t\t= len;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, %s MMIO at 0x%lx, len %d, insn 0x%lx, sepc 0x%lx\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003ewrite ? 
\"Store\" : \"Load\",\n+\t\t __entry-\u003efault_addr, __entry-\u003elen, __entry-\u003einsn,\n+\t\t __entry-\u003esepc)\n+);\n+\n+TRACE_EVENT(kvm_timer_update_irq,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned int irq, int level),\n+\tTP_ARGS(vcpu_id, irq, level),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned int, irq)\n+\t\t__field(int, level)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003eirq\t\t= irq;\n+\t\t__entry-\u003elevel\t\t= level;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, IRQ: %u, level: %d\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003eirq, __entry-\u003elevel)\n+);\n+\n+TRACE_EVENT(kvm_wait_riscv,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned long sepc, bool is_wfi),\n+\tTP_ARGS(vcpu_id, sepc, is_wfi),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned long, sepc)\n+\t\t__field(bool, is_wfi)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003esepc\t\t= sepc;\n+\t\t__entry-\u003eis_wfi\t\t= is_wfi;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, guest executed %s at: 0x%lx\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003eis_wfi ? 
\"wfi\" : \"wrs\",\n+\t\t __entry-\u003esepc)\n+);\n+\n+TRACE_EVENT(kvm_sbi_ecall,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long ext_id,\n+\t\t unsigned long func_id, unsigned long a0),\n+\tTP_ARGS(vcpu_id, sepc, ext_id, func_id, a0),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned long, sepc)\n+\t\t__field(unsigned long, ext_id)\n+\t\t__field(unsigned long, func_id)\n+\t\t__field(unsigned long, a0)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003esepc\t\t= sepc;\n+\t\t__entry-\u003eext_id\t\t= ext_id;\n+\t\t__entry-\u003efunc_id\t= func_id;\n+\t\t__entry-\u003ea0\t\t= a0;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, SBI ecall at 0x%lx, ext 0x%lx, fid 0x%lx, a0 0x%lx\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003esepc, __entry-\u003eext_id,\n+\t\t __entry-\u003efunc_id, __entry-\u003ea0)\n+);\n+\n+TRACE_EVENT(kvm_csr_access,\n+\tTP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long insn,\n+\t\t unsigned int csr_num, bool write, unsigned long new_val,\n+\t\t unsigned long write_mask),\n+\tTP_ARGS(vcpu_id, sepc, insn, csr_num, write, new_val, write_mask),\n+\n+\tTP_STRUCT__entry(\n+\t\t__field(unsigned long, vcpu_id)\n+\t\t__field(unsigned long, sepc)\n+\t\t__field(unsigned long, insn)\n+\t\t__field(unsigned int, csr_num)\n+\t\t__field(bool, write)\n+\t\t__field(unsigned long, new_val)\n+\t\t__field(unsigned long, write_mask)\n+\t),\n+\n+\tTP_fast_assign(\n+\t\t__entry-\u003evcpu_id\t= vcpu_id;\n+\t\t__entry-\u003esepc\t\t= sepc;\n+\t\t__entry-\u003einsn\t\t= insn;\n+\t\t__entry-\u003ecsr_num\t= csr_num;\n+\t\t__entry-\u003ewrite\t\t= write;\n+\t\t__entry-\u003enew_val\t= new_val;\n+\t\t__entry-\u003ewrite_mask\t= write_mask;\n+\t),\n+\n+\tTP_printk(\"VCPU: %lu, SEPC: 0x%lx, CSR: 0x%x, insn: 0x%lx, %s, new_val: 0x%lx, write_mask: 0x%lx\",\n+\t\t __entry-\u003evcpu_id, __entry-\u003esepc, __entry-\u003ecsr_num,\n+\t\t __entry-\u003einsn, __entry-\u003ewrite ? 
\"write\" : \"read\",\n+\t\t __entry-\u003enew_val, __entry-\u003ewrite_mask)\n+);\n+\n+#endif /* _TRACE_KVM_H */\n \n #undef TRACE_INCLUDE_PATH\n #define TRACE_INCLUDE_PATH .\ndiff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c\nindex a73690eda84b5a..fda118c7f2cbd0 100644\n--- a/arch/riscv/kvm/vcpu.c\n+++ b/arch/riscv/kvm/vcpu.c\n@@ -254,6 +254,9 @@ long kvm_arch_vcpu_unlocked_ioctl(struct file *filp, unsigned int ioctl,\n \t\tif (copy_from_user(\u0026irq, argp, sizeof(irq)))\n \t\t\treturn -EFAULT;\n \n+\t\ttrace_kvm_irq_line(vcpu-\u003evcpu_id, IRQ_VS_EXT,\n+\t\t\t\t irq.irq == KVM_INTERRUPT_SET);\n+\n \t\tif (irq.irq == KVM_INTERRUPT_SET)\n \t\t\treturn kvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_EXT);\n \t\telse\ndiff --git a/arch/riscv/kvm/vcpu_exit.c b/arch/riscv/kvm/vcpu_exit.c\nindex 0bb0c51e3c8907..fc10343e214483 100644\n--- a/arch/riscv/kvm/vcpu_exit.c\n+++ b/arch/riscv/kvm/vcpu_exit.c\n@@ -11,6 +11,7 @@\n #include \u003casm/insn-def.h\u003e\n #include \u003casm/kvm_mmu.h\u003e\n #include \u003casm/kvm_nacl.h\u003e\n+#include \"trace.h\"\n \n static int gstage_page_fault(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \t\t\t struct kvm_cpu_trap *trap)\n@@ -23,6 +24,9 @@ static int gstage_page_fault(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \tint ret;\n \n \tfault_addr = (trap-\u003ehtval \u003c\u003c 2) | (trap-\u003estval \u0026 0x3);\n+\ttrace_kvm_guest_fault(vcpu-\u003evcpu_id, vcpu-\u003earch.guest_context.sepc,\n+\t\t\t trap-\u003escause, trap-\u003estval, trap-\u003ehtval,\n+\t\t\t trap-\u003ehtinst, fault_addr);\n \tgfn = fault_addr \u003e\u003e PAGE_SHIFT;\n \tmemslot = gfn_to_memslot(vcpu-\u003ekvm, gfn);\n \thva = gfn_to_hva_memslot_prot(memslot, gfn, \u0026writable);\ndiff --git a/arch/riscv/kvm/vcpu_insn.c b/arch/riscv/kvm/vcpu_insn.c\nindex f09f9251d1f0a0..dc90d059a2e92c 100644\n--- a/arch/riscv/kvm/vcpu_insn.c\n+++ b/arch/riscv/kvm/vcpu_insn.c\n@@ -9,6 +9,7 @@\n \n #include \u003casm/cpufeature.h\u003e\n #include 
\u003casm/insn.h\u003e\n+#include \"trace.h\"\n \n struct insn_func {\n \tunsigned long mask;\n@@ -75,6 +76,7 @@ void kvm_riscv_vcpu_wfi(struct kvm_vcpu *vcpu)\n \n static int wfi_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)\n {\n+\ttrace_kvm_wait_riscv(vcpu-\u003evcpu_id, vcpu-\u003earch.guest_context.sepc, true);\n \tvcpu-\u003estat.wfi_exit_stat++;\n \tkvm_riscv_vcpu_wfi(vcpu);\n \treturn KVM_INSN_CONTINUE_NEXT_SEPC;\n@@ -82,6 +84,7 @@ static int wfi_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)\n \n static int wrs_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)\n {\n+\ttrace_kvm_wait_riscv(vcpu-\u003evcpu_id, vcpu-\u003earch.guest_context.sepc, false);\n \tvcpu-\u003estat.wrs_exit_stat++;\n \tkvm_vcpu_on_spin(vcpu, vcpu-\u003earch.guest_context.sstatus \u0026 SR_SPP);\n \treturn KVM_INSN_CONTINUE_NEXT_SEPC;\n@@ -187,6 +190,9 @@ static int csr_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)\n \tvcpu-\u003earch.csr_decode.insn = insn;\n \tvcpu-\u003earch.csr_decode.return_handled = 0;\n \n+\ttrace_kvm_csr_access(vcpu-\u003evcpu_id, vcpu-\u003earch.guest_context.sepc,\n+\t\t\t insn, csr_num, !!wr_mask, new_val, wr_mask);\n+\n \t/* Update CSR details in kvm_run struct */\n \trun-\u003eriscv_csr.csr_num = csr_num;\n \trun-\u003eriscv_csr.new_value = new_val;\n@@ -375,7 +381,7 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \t\t\t unsigned long htinst)\n {\n \tu8 data_buf[8];\n-\tunsigned long insn;\n+\tunsigned long insn, raw_insn;\n \tint shift = 0, len = 0, insn_len = 0;\n \tstruct kvm_cpu_trap utrap = { 0 };\n \tstruct kvm_cpu_context *ct = \u0026vcpu-\u003earch.guest_context;\n@@ -405,6 +411,7 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \t\t}\n \t\tinsn_len = INSN_LEN(insn);\n \t}\n+\traw_insn = insn;\n \n \t/* Decode length of MMIO and shift */\n \tif ((insn \u0026 INSN_MASK_LW) == INSN_MATCH_LW) {\n@@ -453,6 +460,9 @@ int 
kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \tif (fault_addr \u0026 (len - 1))\n \t\treturn -EIO;\n \n+\ttrace_kvm_mmio_emulate(vcpu-\u003evcpu_id, ct-\u003esepc, raw_insn, fault_addr,\n+\t\t\t false, len);\n+\n \t/* Save instruction decode info */\n \tvcpu-\u003earch.mmio_decode.insn = insn;\n \tvcpu-\u003earch.mmio_decode.insn_len = insn_len;\n@@ -502,7 +512,7 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \tu32 data32;\n \tu64 data64;\n \tulong data;\n-\tunsigned long insn;\n+\tunsigned long insn, raw_insn;\n \tint len = 0, insn_len = 0;\n \tstruct kvm_cpu_trap utrap = { 0 };\n \tstruct kvm_cpu_context *ct = \u0026vcpu-\u003earch.guest_context;\n@@ -532,6 +542,7 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \t\t}\n \t\tinsn_len = INSN_LEN(insn);\n \t}\n+\traw_insn = insn;\n \n \tdata = GET_RS2(insn, \u0026vcpu-\u003earch.guest_context);\n \tdata8 = data16 = data32 = data64 = data;\n@@ -570,6 +581,9 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,\n \tif (fault_addr \u0026 (len - 1))\n \t\treturn -EIO;\n \n+\ttrace_kvm_mmio_emulate(vcpu-\u003evcpu_id, ct-\u003esepc, raw_insn, fault_addr,\n+\t\t\t true, len);\n+\n \t/* Save instruction decode info */\n \tvcpu-\u003earch.mmio_decode.insn = insn;\n \tvcpu-\u003earch.mmio_decode.insn_len = insn_len;\ndiff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c\nindex 46ab7b989432b9..8aecdb1cecb567 100644\n--- a/arch/riscv/kvm/vcpu_sbi.c\n+++ b/arch/riscv/kvm/vcpu_sbi.c\n@@ -11,6 +11,7 @@\n #include \u003clinux/kvm_host.h\u003e\n #include \u003casm/sbi.h\u003e\n #include \u003casm/kvm_vcpu_sbi.h\u003e\n+#include \"trace.h\"\n \n #ifndef CONFIG_RISCV_SBI_V01\n static const struct kvm_vcpu_sbi_extension vcpu_sbi_ext_v01 = {\n@@ -598,6 +599,8 @@ int kvm_riscv_vcpu_sbi_ecall(struct kvm_vcpu *vcpu, struct kvm_run *run)\n \t};\n \tbool ext_is_v01 = false;\n 
\n+\ttrace_kvm_sbi_ecall(vcpu-\u003evcpu_id, cp-\u003esepc, cp-\u003ea7, cp-\u003ea6, cp-\u003ea0);\n+\n \tsbi_ext = kvm_vcpu_sbi_find_ext(vcpu, cp-\u003ea7);\n \tif (sbi_ext \u0026\u0026 sbi_ext-\u003ehandler) {\n #ifdef CONFIG_RISCV_SBI_V01\ndiff --git a/arch/riscv/kvm/vcpu_timer.c b/arch/riscv/kvm/vcpu_timer.c\nindex 9817ff80282160..7aeea50b5b95d6 100644\n--- a/arch/riscv/kvm/vcpu_timer.c\n+++ b/arch/riscv/kvm/vcpu_timer.c\n@@ -15,12 +15,23 @@\n #include \u003casm/kvm_isa.h\u003e\n #include \u003casm/kvm_nacl.h\u003e\n #include \u003casm/kvm_vcpu_timer.h\u003e\n+#include \"trace.h\"\n \n static u64 kvm_riscv_current_cycles(struct kvm_guest_timer *gt)\n {\n \treturn get_cycles64() + gt-\u003etime_delta;\n }\n \n+static void kvm_riscv_vcpu_timer_update_irq(struct kvm_vcpu *vcpu, bool level)\n+{\n+\ttrace_kvm_timer_update_irq(vcpu-\u003evcpu_id, IRQ_VS_TIMER, level);\n+\n+\tif (level)\n+\t\tkvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_TIMER);\n+\telse\n+\t\tkvm_riscv_vcpu_unset_interrupt(vcpu, IRQ_VS_TIMER);\n+}\n+\n static u64 kvm_riscv_delta_cycles2ns(u64 cycles,\n \t\t\t\t struct kvm_guest_timer *gt,\n \t\t\t\t struct kvm_vcpu_timer *t)\n@@ -54,7 +65,7 @@ static enum hrtimer_restart kvm_riscv_vcpu_hrtimer_expired(struct hrtimer *h)\n \t}\n \n \tt-\u003enext_set = false;\n-\tkvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_TIMER);\n+\tkvm_riscv_vcpu_timer_update_irq(vcpu, true);\n \n \treturn HRTIMER_NORESTART;\n }\n@@ -91,7 +102,7 @@ static int kvm_riscv_vcpu_update_hrtimer(struct kvm_vcpu *vcpu, u64 ncycles)\n \tif (!t-\u003einit_done)\n \t\treturn -EINVAL;\n \n-\tkvm_riscv_vcpu_unset_interrupt(vcpu, IRQ_VS_TIMER);\n+\tkvm_riscv_vcpu_timer_update_irq(vcpu, false);\n \n \tdelta_ns = kvm_riscv_delta_cycles2ns(ncycles, gt, t);\n \tt-\u003enext_cycles = ncycles;\ndiff --git a/arch/riscv/kvm/vm.c b/arch/riscv/kvm/vm.c\nindex a9f083feeb7671..db4c3f0dc3cc6c 100644\n--- a/arch/riscv/kvm/vm.c\n+++ b/arch/riscv/kvm/vm.c\n@@ -12,6 +12,7 @@\n #include \u003clinux/uaccess.h\u003e\n 
#include \u003clinux/kvm_host.h\u003e\n #include \u003casm/kvm_mmu.h\u003e\n+#include \"trace.h\"\n \n const struct kvm_stats_desc kvm_vm_stats_desc[] = {\n \tKVM_GENERIC_VM_STATS()\n@@ -62,6 +63,8 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irql,\n \tif (!irqchip_in_kernel(kvm))\n \t\treturn -ENXIO;\n \n+\ttrace_kvm_irq_line(-1, irql-\u003eirq, irql-\u003elevel);\n+\n \treturn kvm_riscv_aia_inject_irq(kvm, irql-\u003eirq, irql-\u003elevel);\n }\n \n"
} |
| 2/1 | 2026/06/26 23:04 | agent | patch-evaluator |
Model: gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch only adds tracepoints to the RISC-V KVM implementation and performs minor refactoring to support them. It does not make any functional changes to the execution flow.",
"WorthFuzzing": false
}
Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions.

Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).

If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").

Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.
Prompt: For your convenience, here is the diff of the changes:
commit 126db61e37ebf574b9f04b62954245ecd45e2bbe
Author: syz-cluster <triage@syzkaller.com>
Date: Fri Jun 26 23:04:40 2026 +0000
syz-cluster: applied patch under review
diff --git a/arch/riscv/kvm/trace.h b/arch/riscv/kvm/trace.h
index 3d54175d805cbc..117e45ef397d16 100644
--- a/arch/riscv/kvm/trace.h
+++ b/arch/riscv/kvm/trace.h
@@ -25,7 +25,7 @@ TRACE_EVENT(kvm_entry,
__entry->pc = vcpu->arch.guest_context.sepc;
),
- TP_printk("PC: 0x016%lx", __entry->pc)
+ TP_printk("PC: 0x%016lx", __entry->pc)
);
TRACE_EVENT(kvm_exit,
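Review bot: the `0x016%lx` to `0x%016lx` change in the kvm_entry TP_printk is an unrelated bug fix (the old format emitted a literal "016" after "0x" and then an unpadded value) bundled into a patch that otherwise only adds tracepoints; it deserves its own commit, or at least a sentence in the commit message, so it can be picked up independently.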
@@ -56,7 +56,187 @@ TRACE_EVENT(kvm_exit,
__entry->htinst)
);
-#endif /* _TRACE_RSICV_KVM_H */
+TRACE_EVENT(kvm_guest_fault,
+ TP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long scause,
+ unsigned long stval, unsigned long htval,
+ unsigned long htinst, unsigned long fault_addr),
+ TP_ARGS(vcpu_id, sepc, scause, stval, htval, htinst, fault_addr),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned long, sepc)
+ __field(unsigned long, scause)
+ __field(unsigned long, stval)
+ __field(unsigned long, htval)
+ __field(unsigned long, htinst)
+ __field(unsigned long, fault_addr)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->sepc = sepc;
+ __entry->scause = scause;
+ __entry->stval = stval;
+ __entry->htval = htval;
+ __entry->htinst = htinst;
+ __entry->fault_addr = fault_addr;
+ ),
+
+ TP_printk("VCPU: %lu, GPA: 0x%lx, SEPC: 0x%lx, SCAUSE: 0x%lx, STVAL: 0x%lx, HTVAL: 0x%lx, HTINST: 0x%lx",
+ __entry->vcpu_id, __entry->fault_addr, __entry->sepc,
+ __entry->scause, __entry->stval, __entry->htval,
+ __entry->htinst)
+);
+
+TRACE_EVENT(kvm_irq_line,
+ TP_PROTO(int vcpu_id, unsigned int irq, int level),
+ TP_ARGS(vcpu_id, irq, level),
+
+ TP_STRUCT__entry(
+ __field(int, vcpu_id)
+ __field(unsigned int, irq)
+ __field(int, level)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->irq = irq;
+ __entry->level = level;
+ ),
+
+ TP_printk("VCPU: %d, IRQ: %u, level: %d",
+ __entry->vcpu_id, __entry->irq, __entry->level)
+);
+
+TRACE_EVENT(kvm_mmio_emulate,
+ TP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long insn,
+ unsigned long fault_addr, bool write, int len),
+ TP_ARGS(vcpu_id, sepc, insn, fault_addr, write, len),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned long, sepc)
+ __field(unsigned long, insn)
+ __field(unsigned long, fault_addr)
+ __field(bool, write)
+ __field(int, len)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->sepc = sepc;
+ __entry->insn = insn;
+ __entry->fault_addr = fault_addr;
+ __entry->write = write;
+ __entry->len = len;
+ ),
+
+ TP_printk("VCPU: %lu, %s MMIO at 0x%lx, len %d, insn 0x%lx, sepc 0x%lx",
+ __entry->vcpu_id, __entry->write ? "Store" : "Load",
+ __entry->fault_addr, __entry->len, __entry->insn,
+ __entry->sepc)
+);
+
+TRACE_EVENT(kvm_timer_update_irq,
+ TP_PROTO(unsigned long vcpu_id, unsigned int irq, int level),
+ TP_ARGS(vcpu_id, irq, level),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned int, irq)
+ __field(int, level)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->irq = irq;
+ __entry->level = level;
+ ),
+
+ TP_printk("VCPU: %lu, IRQ: %u, level: %d",
+ __entry->vcpu_id, __entry->irq, __entry->level)
+);
+
+TRACE_EVENT(kvm_wait_riscv,
+ TP_PROTO(unsigned long vcpu_id, unsigned long sepc, bool is_wfi),
+ TP_ARGS(vcpu_id, sepc, is_wfi),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned long, sepc)
+ __field(bool, is_wfi)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->sepc = sepc;
+ __entry->is_wfi = is_wfi;
+ ),
+
+ TP_printk("VCPU: %lu, guest executed %s at: 0x%lx",
+ __entry->vcpu_id, __entry->is_wfi ? "wfi" : "wrs",
+ __entry->sepc)
+);
+
+TRACE_EVENT(kvm_sbi_ecall,
+ TP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long ext_id,
+ unsigned long func_id, unsigned long a0),
+ TP_ARGS(vcpu_id, sepc, ext_id, func_id, a0),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned long, sepc)
+ __field(unsigned long, ext_id)
+ __field(unsigned long, func_id)
+ __field(unsigned long, a0)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->sepc = sepc;
+ __entry->ext_id = ext_id;
+ __entry->func_id = func_id;
+ __entry->a0 = a0;
+ ),
+
+ TP_printk("VCPU: %lu, SBI ecall at 0x%lx, ext 0x%lx, fid 0x%lx, a0 0x%lx",
+ __entry->vcpu_id, __entry->sepc, __entry->ext_id,
+ __entry->func_id, __entry->a0)
+);
+
+TRACE_EVENT(kvm_csr_access,
+ TP_PROTO(unsigned long vcpu_id, unsigned long sepc, unsigned long insn,
+ unsigned int csr_num, bool write, unsigned long new_val,
+ unsigned long write_mask),
+ TP_ARGS(vcpu_id, sepc, insn, csr_num, write, new_val, write_mask),
+
+ TP_STRUCT__entry(
+ __field(unsigned long, vcpu_id)
+ __field(unsigned long, sepc)
+ __field(unsigned long, insn)
+ __field(unsigned int, csr_num)
+ __field(bool, write)
+ __field(unsigned long, new_val)
+ __field(unsigned long, write_mask)
+ ),
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu_id;
+ __entry->sepc = sepc;
+ __entry->insn = insn;
+ __entry->csr_num = csr_num;
+ __entry->write = write;
+ __entry->new_val = new_val;
+ __entry->write_mask = write_mask;
+ ),
+
+ TP_printk("VCPU: %lu, SEPC: 0x%lx, CSR: 0x%x, insn: 0x%lx, %s, new_val: 0x%lx, write_mask: 0x%lx",
+ __entry->vcpu_id, __entry->sepc, __entry->csr_num,
+ __entry->insn, __entry->write ? "write" : "read",
+ __entry->new_val, __entry->write_mask)
+);
+
+#endif /* _TRACE_KVM_H */
#undef TRACE_INCLUDE_PATH
#define TRACE_INCLUDE_PATH .
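Review bot: the closing guard comment changes from `_TRACE_RSICV_KVM_H` to `_TRACE_KVM_H`, but the matching `#ifndef`/`#define` at the top of the file is outside this hunk; please confirm the comment now matches the actual guard macro rather than renaming only the comment. Separately, `kvm_irq_line` and `kvm_timer_update_irq` carry the same three fields (vcpu_id, irq, level) and differ only in `int` versus `unsigned long` for vcpu_id; a single DECLARE_EVENT_CLASS with two DEFINE_EVENT instances would avoid duplicating the TP_STRUCT__entry/TP_fast_assign/TP_printk blocks and keep the vcpu_id type consistent across the two events.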
diff --git a/arch/riscv/kvm/vcpu.c b/arch/riscv/kvm/vcpu.c
index a73690eda84b5a..fda118c7f2cbd0 100644
--- a/arch/riscv/kvm/vcpu.c
+++ b/arch/riscv/kvm/vcpu.c
@@ -254,6 +254,9 @@ long kvm_arch_vcpu_unlocked_ioctl(struct file *filp, unsigned int ioctl,
if (copy_from_user(&irq, argp, sizeof(irq)))
return -EFAULT;
+ trace_kvm_irq_line(vcpu->vcpu_id, IRQ_VS_EXT,
+ irq.irq == KVM_INTERRUPT_SET);
+
if (irq.irq == KVM_INTERRUPT_SET)
return kvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_EXT);
else
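Review bot: `trace_kvm_irq_line()` fires before `irq.irq` is dispatched, so every value other than KVM_INTERRUPT_SET is recorded as level 0, which makes an unrecognised request indistinguishable in the trace from a KVM_INTERRUPT_UNSET; either move the call into the branches that actually change interrupt state or trace the raw `irq.irq` value alongside the derived level.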
diff --git a/arch/riscv/kvm/vcpu_exit.c b/arch/riscv/kvm/vcpu_exit.c
index 0bb0c51e3c8907..fc10343e214483 100644
--- a/arch/riscv/kvm/vcpu_exit.c
+++ b/arch/riscv/kvm/vcpu_exit.c
@@ -11,6 +11,7 @@
#include <asm/insn-def.h>
#include <asm/kvm_mmu.h>
#include <asm/kvm_nacl.h>
+#include "trace.h"
static int gstage_page_fault(struct kvm_vcpu *vcpu, struct kvm_run *run,
struct kvm_cpu_trap *trap)
@@ -23,6 +24,9 @@ static int gstage_page_fault(struct kvm_vcpu *vcpu, struct kvm_run *run,
int ret;
fault_addr = (trap->htval << 2) | (trap->stval & 0x3);
+ trace_kvm_guest_fault(vcpu->vcpu_id, vcpu->arch.guest_context.sepc,
+ trap->scause, trap->stval, trap->htval,
+ trap->htinst, fault_addr);
gfn = fault_addr >> PAGE_SHIFT;
memslot = gfn_to_memslot(vcpu->kvm, gfn);
hva = gfn_to_hva_memslot_prot(memslot, gfn, &writable);
diff --git a/arch/riscv/kvm/vcpu_insn.c b/arch/riscv/kvm/vcpu_insn.c
index f09f9251d1f0a0..dc90d059a2e92c 100644
--- a/arch/riscv/kvm/vcpu_insn.c
+++ b/arch/riscv/kvm/vcpu_insn.c
@@ -9,6 +9,7 @@
#include <asm/cpufeature.h>
#include <asm/insn.h>
+#include "trace.h"
struct insn_func {
unsigned long mask;
@@ -75,6 +76,7 @@ void kvm_riscv_vcpu_wfi(struct kvm_vcpu *vcpu)
static int wfi_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
{
+ trace_kvm_wait_riscv(vcpu->vcpu_id, vcpu->arch.guest_context.sepc, true);
vcpu->stat.wfi_exit_stat++;
kvm_riscv_vcpu_wfi(vcpu);
return KVM_INSN_CONTINUE_NEXT_SEPC;
@@ -82,6 +84,7 @@ static int wfi_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
static int wrs_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
{
+ trace_kvm_wait_riscv(vcpu->vcpu_id, vcpu->arch.guest_context.sepc, false);
vcpu->stat.wrs_exit_stat++;
kvm_vcpu_on_spin(vcpu, vcpu->arch.guest_context.sstatus & SR_SPP);
return KVM_INSN_CONTINUE_NEXT_SEPC;
@@ -187,6 +190,9 @@ static int csr_insn(struct kvm_vcpu *vcpu, struct kvm_run *run, ulong insn)
vcpu->arch.csr_decode.insn = insn;
vcpu->arch.csr_decode.return_handled = 0;
+ trace_kvm_csr_access(vcpu->vcpu_id, vcpu->arch.guest_context.sepc,
+ insn, csr_num, !!wr_mask, new_val, wr_mask);
+
/* Update CSR details in kvm_run struct */
run->riscv_csr.csr_num = csr_num;
run->riscv_csr.new_value = new_val;
@@ -375,7 +381,7 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,
unsigned long htinst)
{
u8 data_buf[8];
- unsigned long insn;
+ unsigned long insn, raw_insn;
int shift = 0, len = 0, insn_len = 0;
struct kvm_cpu_trap utrap = { 0 };
struct kvm_cpu_context *ct = &vcpu->arch.guest_context;
@@ -405,6 +411,7 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,
}
insn_len = INSN_LEN(insn);
}
+ raw_insn = insn;
/* Decode length of MMIO and shift */
if ((insn & INSN_MASK_LW) == INSN_MATCH_LW) {
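Review bot: `raw_insn = insn;` needs a one-line comment explaining why a copy is taken here, i.e. that the decode block below may rewrite `insn` before it is stored in `mmio_decode.insn`, so the tracepoint wants the pre-decode encoding; as written, a reader has to compare the two `trace_kvm_mmio_emulate()` call sites against the decode logic to work that out. The same comment belongs on the identical assignment in kvm_riscv_vcpu_mmio_store().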
@@ -453,6 +460,9 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,
if (fault_addr & (len - 1))
return -EIO;
+ trace_kvm_mmio_emulate(vcpu->vcpu_id, ct->sepc, raw_insn, fault_addr,
+ false, len);
+
/* Save instruction decode info */
vcpu->arch.mmio_decode.insn = insn;
vcpu->arch.mmio_decode.insn_len = insn_len;
@@ -502,7 +512,7 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,
u32 data32;
u64 data64;
ulong data;
- unsigned long insn;
+ unsigned long insn, raw_insn;
int len = 0, insn_len = 0;
struct kvm_cpu_trap utrap = { 0 };
struct kvm_cpu_context *ct = &vcpu->arch.guest_context;
@@ -532,6 +542,7 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,
}
insn_len = INSN_LEN(insn);
}
+ raw_insn = insn;
data = GET_RS2(insn, &vcpu->arch.guest_context);
data8 = data16 = data32 = data64 = data;
@@ -570,6 +581,9 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,
if (fault_addr & (len - 1))
return -EIO;
+ trace_kvm_mmio_emulate(vcpu->vcpu_id, ct->sepc, raw_insn, fault_addr,
+ true, len);
+
/* Save instruction decode info */
vcpu->arch.mmio_decode.insn = insn;
vcpu->arch.mmio_decode.insn_len = insn_len;
diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c
index 46ab7b989432b9..8aecdb1cecb567 100644
--- a/arch/riscv/kvm/vcpu_sbi.c
+++ b/arch/riscv/kvm/vcpu_sbi.c
@@ -11,6 +11,7 @@
#include <linux/kvm_host.h>
#include <asm/sbi.h>
#include <asm/kvm_vcpu_sbi.h>
+#include "trace.h"
#ifndef CONFIG_RISCV_SBI_V01
static const struct kvm_vcpu_sbi_extension vcpu_sbi_ext_v01 = {
@@ -598,6 +599,8 @@ int kvm_riscv_vcpu_sbi_ecall(struct kvm_vcpu *vcpu, struct kvm_run *run)
};
bool ext_is_v01 = false;
+ trace_kvm_sbi_ecall(vcpu->vcpu_id, cp->sepc, cp->a7, cp->a6, cp->a0);
+
sbi_ext = kvm_vcpu_sbi_find_ext(vcpu, cp->a7);
if (sbi_ext && sbi_ext->handler) {
#ifdef CONFIG_RISCV_SBI_V01
diff --git a/arch/riscv/kvm/vcpu_timer.c b/arch/riscv/kvm/vcpu_timer.c
index 9817ff80282160..7aeea50b5b95d6 100644
--- a/arch/riscv/kvm/vcpu_timer.c
+++ b/arch/riscv/kvm/vcpu_timer.c
@@ -15,12 +15,23 @@
#include <asm/kvm_isa.h>
#include <asm/kvm_nacl.h>
#include <asm/kvm_vcpu_timer.h>
+#include "trace.h"
static u64 kvm_riscv_current_cycles(struct kvm_guest_timer *gt)
{
return get_cycles64() + gt->time_delta;
}
+static void kvm_riscv_vcpu_timer_update_irq(struct kvm_vcpu *vcpu, bool level)
+{
+ trace_kvm_timer_update_irq(vcpu->vcpu_id, IRQ_VS_TIMER, level);
+
+ if (level)
+ kvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_TIMER);
+ else
+ kvm_riscv_vcpu_unset_interrupt(vcpu, IRQ_VS_TIMER);
+}
+
static u64 kvm_riscv_delta_cycles2ns(u64 cycles,
struct kvm_guest_timer *gt,
struct kvm_vcpu_timer *t)
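Review bot: kvm_riscv_vcpu_timer_update_irq() drops the return values of kvm_riscv_vcpu_set_interrupt()/kvm_riscv_vcpu_unset_interrupt(); the two replaced call sites below ignored them as well, so behaviour is unchanged, but a short comment stating that makes the `void` helper clearly intentional. The helper also takes `bool level` while the kvm_timer_update_irq event declares `int level`; passing the bool through works, but using one type in both places avoids the implicit conversion.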
@@ -54,7 +65,7 @@ static enum hrtimer_restart kvm_riscv_vcpu_hrtimer_expired(struct hrtimer *h)
}
t->next_set = false;
- kvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_TIMER);
+ kvm_riscv_vcpu_timer_update_irq(vcpu, true);
return HRTIMER_NORESTART;
}
@@ -91,7 +102,7 @@ static int kvm_riscv_vcpu_update_hrtimer(struct kvm_vcpu *vcpu, u64 ncycles)
if (!t->init_done)
return -EINVAL;
- kvm_riscv_vcpu_unset_interrupt(vcpu, IRQ_VS_TIMER);
+ kvm_riscv_vcpu_timer_update_irq(vcpu, false);
delta_ns = kvm_riscv_delta_cycles2ns(ncycles, gt, t);
t->next_cycles = ncycles;
diff --git a/arch/riscv/kvm/vm.c b/arch/riscv/kvm/vm.c
index a9f083feeb7671..db4c3f0dc3cc6c 100644
--- a/arch/riscv/kvm/vm.c
+++ b/arch/riscv/kvm/vm.c
@@ -12,6 +12,7 @@
#include <linux/uaccess.h>
#include <linux/kvm_host.h>
#include <asm/kvm_mmu.h>
+#include "trace.h"
const struct kvm_stats_desc kvm_vm_stats_desc[] = {
KVM_GENERIC_VM_STATS()
@@ -62,6 +63,8 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irql,
if (!irqchip_in_kernel(kvm))
return -ENXIO;
+ trace_kvm_irq_line(-1, irql->irq, irql->level);
+
return kvm_riscv_aia_inject_irq(kvm, irql->irq, irql->level);
}
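Review bot: `trace_kvm_irq_line(-1, ...)` uses -1 as an undocumented sentinel for a VM-level injection with no target vCPU, and the `irq` value here is `irql->irq` (the line handed to kvm_riscv_aia_inject_irq), whereas the vcpu.c caller always passes IRQ_VS_EXT; the two call sites therefore put numbers from different spaces into the same field. Document the -1 convention in the kvm_irq_line event definition, or add a field that distinguishes the two paths, so trace consumers do not misread the irq column.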
|
| 3/2 | 2026/06/26 23:04 | llm | patch-evaluator |
Model: gemini-3.1-pro-preview Args: null Results: null Tokens: input: 7869 output: 67 thoughts: 804
Thoughts: **Analyzing the RISC-V KVM Tracepoint Patch**

Alright, let's break this down. I've got a patch here that's introducing a slew of new tracepoints into the RISC-V KVM implementation. It looks like the core of the changes revolve around `arch/riscv/kvm/trace.h`, where they've defined the new trace events: `kvm_guest_fault`, `kvm_irq_line`, `kvm_mmio_emulate`, `kvm_timer_update_irq`, `kvm_wait_riscv`, `kvm_sbi_ecall`, and `kvm_csr_access`. Standard practice, adding the definitions in the header. Now, the patch then modifies a bunch of C files: `vcpu.c`, `vcpu_exit.c`, `vcpu_insn.c`, `vcpu_sbi.c`, `vcpu_timer.c`, and `vm.c`, to actually *call* these tracepoints. Which makes sense. I see the pattern.

Okay, let's step back and remember the instructions. We're looking for whether this patch is "WorthFuzzing". The key here is the rule: "Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints." This patch... it *only* adds tracepoints. It defines them, and it calls them. There isn't any actual modification to the code execution. No functional changes, nothing that modifies the guest's behavior or interacts with the host in a new way. I need to make sure, let's double check.

Let's look more closely at that `vcpu_timer.c` change. It looks like it's wrapping interrupt set/unset with that new `trace_kvm_timer_update_irq`. Specifically, this is the original change:

```c
- kvm_riscv_vcpu_set_interrupt(vcpu, IRQ_VS_TIMER);
+ kvm_riscv_vcpu_timer_update_irq(vcpu, true);
```

and

```c
- kvm_riscv_vcpu_unset_interrupt(vcpu, IRQ_VS_TIMER);
+ kvm_riscv_vcpu_timer_update_irq(vcpu, false);
```

Ah-ha. It's a refactoring, effectively. The logic flow is identical; the new function is just an abstraction and a tracepoint call. That's a good example of "purely decorative changes." Then, checking `vcpu_insn.c`, I see a similar pattern. Just saving an instruction to be passed to the tracepoint. No change in functionality, just more debug/trace information. Therefore, since this patch solely adds tracepoints and has no functional impact, the verdict is clear. **WorthFuzzing=false**. I'll go ahead and set the results accordingly. |
| 4/2 | 2026/06/26 23:04 | tool | set-results |
Args: {
"EnableConfigs": [],
"FocusSymbols": [],
"Reasoning": "The patch only adds tracepoints to the RISC-V KVM implementation and performs minor refactoring to support them. It does not make any functional changes to the execution flow.",
"WorthFuzzing": false
}
Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch only adds tracepoints to the RISC-V KVM implementation and performs minor refactoring to support them. It does not make any functional changes to the execution flow.",
"WorthFuzzing": false
} |