Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] Using `kmalloc()` to allocate hypercall input/output pages violates the strict page-alignment requirements of `set_memory_decrypted()`, causing silent failures on ARM64 and exposing slab metadata to the untrusted host on x86. -- commit 02dd1b4271844f489855c82e06efdec7e95897e3 Author: Kameron Carr <[email protected]> Drivers: hv: Mark shared memory as decrypted for CCA Realms This commit extends the confidential VM shared memory decryption handling for hypercall input/output pages to support Arm CCA Realm guests. It also updates the memory allocation to round up to the nearest page size to satisfy decryption requirements. > diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c > index 6b67ac6167891..17048a0a18729 100644 > --- a/drivers/hv/hv_common.c > +++ b/drivers/hv/hv_common.c [ ... ] > @@ -489,7 +490,7 @@ int hv_common_cpu_init(unsigned int cpu) > * online and then taken offline > */ > if (!*inputarg) { > - mem = kmalloc_array(pgcount, HV_HYP_PAGE_SIZE, flags); > + mem = kmalloc(alloc_size, flags); > if (!mem) > return -ENOMEM; 
> > @@ -499,14 +500,16 @@ int hv_common_cpu_init(unsigned int cpu) > } > > if (!ms_hyperv.paravisor_present && > - (hv_isolation_type_snp() || hv_isolation_type_tdx())) { > - ret = set_memory_decrypted((unsigned long)mem, pgcount); > + (hv_isolation_type_snp() || hv_isolation_type_tdx() || > + hv_isolation_type_cca())) { > + ret = set_memory_decrypted((unsigned > long)kasan_reset_tag(mem), > + alloc_size >> PAGE_SHIFT); [Severity: High] This is a pre-existing issue, but does using kmalloc() here guarantee the required page alignment for set_memory_decrypted()? When slub debugging (like redzoning) is enabled, kmalloc() can return an unaligned address due to prepended metadata. On arm64, set_memory_decrypted() requires a page-aligned address. If given an unaligned address, it warns and returns 0 without decrypting. This leaves the hypercall pages encrypted, which breaks guest-hypervisor communication for CCA Realms. On x86, set_memory_decrypted() masks the address to the page boundary. Because this memory is from a slab cache, decrypting the entire underlying physical page could expose other unrelated kernel slab objects on the same page to the untrusted hypervisor. > if (ret) { > /* It may be unsafe to free 'mem' */ > return ret; > } > > - memset(mem, 0x00, pgcount * HV_HYP_PAGE_SIZE); > + memset(mem, 0x00, alloc_size); > } -- Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=4
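Review bot: in the first hunk, `mem = kmalloc(alloc_size, flags);` fixes the length of the buffer but not its start address: rounding `alloc_size` up to a page multiple says nothing about where the slab allocator places the object, and with SLUB debugging (redzones) enabled the returned pointer can sit at an offset inside a slab page, which is exactly what the later `set_memory_decrypted()` call cannot tolerate. Since the buffer is now a whole number of pages anyway, take it from the page allocator so that it is page-aligned by construction and shares its pages with no other kernel object, e.g. `mem = alloc_pages_exact(alloc_size, flags);`, and change the matching free site (outside this hunk) to `free_pages_exact(mem, alloc_size);`. If `kmalloc()` is kept on purpose, add a loud check before the decrypt call, e.g. `if (WARN_ON_ONCE(!PAGE_ALIGNED(mem))) { kfree(mem); return -EINVAL; }`, so a misaligned buffer fails the CPU bring-up instead of being silently left encrypted.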
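Review bot: in the second hunk, `alloc_size >> PAGE_SHIFT` is the right page count only if `mem` is page-aligned, and `ret` does not tell you when it is not. On x86 `set_memory_decrypted()` rounds the address down, so an offset `mem` leaves the last bytes of the buffer (the part pushed past the final decrypted page) encrypted while exposing the slab neighbours ahead of it; on arm64 the call warns and returns 0 as noted above, so nothing is decrypted, yet the function proceeds to `memset(mem, 0x00, alloc_size)` and reports success. Either way `if (ret)` never fires. An explicit `WARN_ON_ONCE(!PAGE_ALIGNED(mem))`-style check ahead of the call, returning an error, is needed here regardless of which allocator the first hunk ends up using. Separately, the switch from `pgcount` (units of `HV_HYP_PAGE_SIZE`) to `alloc_size >> PAGE_SHIFT` (units of `PAGE_SIZE`) is a real correction for arm64 configurations where the two differ, and deserves a sentence in the commit message, which currently only mentions the rounding.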
