BACKPORT: FROMGIT: KVM: arm64: Sync protected guest VBAR_EL1 on injecting an undef exception

Fuad Tabba · winzkh · commit b510ef20a600 · 2025-09-24T12:54:04.000+08:00
In pKVM, a race condition can occur if a guest updates its VBAR_EL1 register and, before a vCPU exit synchronizes this change, the hypervisor needs to inject an undefined exception into a protected guest. In this scenario, the vCPU still holds the stale VBAR_EL1 value from before the guest's update. When pKVM injects the exception, it ends up using the stale value. Explicitly read the live value of VBAR_EL1 from the guest and update the vCPU value immediately before pending the exception. This ensures the vCPU's value is the same as the guest's and that the exception will be handled at the correct address upon resuming the guest. Bug: 435160789 (cherry picked from commit 798eb597870064bff28d8a41cb5197725f7dc6f2 https://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git fixes) Reported-by: Keir Fraser <keirf@google.com> Change-Id: I85a6106392e4af581f1cb57813f3fc1acd6b0463 Signed-off-by: Fuad Tabba <tabba@google.com> Link: https://lore.kernel.org/r/20250807120133.871892-3-tabba@google.com Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
diff --git a/arch/arm64/kvm/hyp/nvhe/sys_regs.c b/arch/arm64/kvm/hyp/nvhe/sys_regs.c
@@ -38,6 +38,7 @@ static void inject_undef64(struct kvm_vcpu *vcpu)
 
 	*vcpu_pc(vcpu) = read_sysreg_el2(SYS_ELR);
 	*vcpu_cpsr(vcpu) = read_sysreg_el2(SYS_SPSR);
+	__vcpu_sys_reg(vcpu, VBAR_EL1) = read_sysreg_el1(SYS_VBAR);
 
 	kvm_pend_exception(vcpu, EXCEPT_AA64_EL1_SYNC);
 
