Xen project Mailing List

Re: [PATCH v3] xen/riscv: add p2m context switch handling for VSATP and HGATP

To: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>

Date: Thu, 19 Feb 2026 07:29:34 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Romain Caritey <Romain.Caritey@xxxxxxxxxxxxx>, Alistair Francis <alistair.francis@xxxxxxx>, Connor Davis <connojdavis@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>

Delivery-date: Thu, 19 Feb 2026 06:29:41 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 18.02.2026 17:58, Oleksii Kurochko wrote: > > On 2/13/26 5:29 PM, Oleksii Kurochko wrote: >> Introduce helpers to manage VS-stage and G-stage translation state during >> vCPU context switches. >> >> As VSATP and HGATP cannot be updated atomically, clear VSATP on context >> switch-out to prevent speculative VS-stage translations from being associated >> with an incorrect VMID. On context switch-in, restore HGATP and VSATP in the >> required order. >> >> Add p2m_handle_vmenter() to perform VMID management and issue TLB flushes >> only when required (e.g. on VMID reuse or generation change). >> >> This provides the necessary infrastructure for correct p2m context switching >> on RISC-V. >> >> Signed-off-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx> >> --- >> Changes in v3: >> - Add comment above p2m_ctxt_switch_{to, from}(). >> - Code style fixes. >> - Refactor p2m_ctxt_switch_to(). >> - Update the comment at the end of p2m_ctxt_switch_from(). >> - Refactor the code of p2m_handle_vmenter(). >> --- >> Changes in v2: >> - Add vsatp field declaration to arch_vcpu. >> - s/p2m_ctx_switch_{from,to}/p2m_ctxt_switch_{from,to}. >> - Introduce p2m_handle_vmenter() for proper handling of VMID, >> hgatp and vsatp updates. >> - Introduce is_p2m_switch_finished and init it inisde >> p2m_ctx_switch_to() for furhter handling in p2m_handle_vmenter(). >> - Code style fixes. >> - Add is_idle_vcpu() check in p2m_ctxt_switch_from(). >> - use csr_swap() in p2m_ctxt_switch_from(). >> - move flush_tlb_guest_local() to the end if p2m_handle_vmenter() and >> drop unnessary anymore comments. >> - Correct printk()'s arguments in p2m_handle_vmenter(). >> --- >> xen/arch/riscv/include/asm/domain.h | 1 + >> xen/arch/riscv/include/asm/p2m.h | 4 ++ >> xen/arch/riscv/p2m.c | 79 +++++++++++++++++++++++++++++ >> xen/arch/riscv/traps.c | 2 + >> 4 files changed, 86 insertions(+) >> >> diff --git a/xen/arch/riscv/include/asm/domain.h >> b/xen/arch/riscv/include/asm/domain.h >> index 3da2387cb197..42bb678fcbf9 100644 >> --- a/xen/arch/riscv/include/asm/domain.h >> +++ b/xen/arch/riscv/include/asm/domain.h >> @@ -59,6 +59,7 @@ struct arch_vcpu { >> register_t hstateen0; >> register_t hvip; >> + register_t vsatp; >> register_t vsie; >> /* >> diff --git a/xen/arch/riscv/include/asm/p2m.h >> b/xen/arch/riscv/include/asm/p2m.h >> index f63b5dec99b1..60f27f9b347e 100644 >> --- a/xen/arch/riscv/include/asm/p2m.h >> +++ b/xen/arch/riscv/include/asm/p2m.h >> @@ -255,6 +255,10 @@ static inline bool p2m_is_locked(const struct >> p2m_domain *p2m) >> struct page_info *p2m_get_page_from_gfn(struct p2m_domain *p2m, gfn_t gfn, >> p2m_type_t *t); >> +void p2m_ctxt_switch_from(struct vcpu *p); >> +void p2m_ctxt_switch_to(struct vcpu *n); >> +void p2m_handle_vmenter(void); >> + >> #endif /* ASM__RISCV__P2M_H */ >> /* >> diff --git a/xen/arch/riscv/p2m.c b/xen/arch/riscv/p2m.c >> index 0abeb374c110..7ae854707174 100644 >> --- a/xen/arch/riscv/p2m.c >> +++ b/xen/arch/riscv/p2m.c >> @@ -1434,3 +1434,82 @@ struct page_info *p2m_get_page_from_gfn(struct >> p2m_domain *p2m, gfn_t gfn, >> return get_page(page, p2m->domain) ? page : NULL; >> } >> + >> +/* Should be called before other CSRs are stored to avoid speculation */ >> +void p2m_ctxt_switch_from(struct vcpu *p) >> +{ >> + if ( is_idle_vcpu(p) ) >> + return; >> + >> + /* >> + * No mechanism is provided to atomically change vsatp and hgatp >> + * together. Hence, to prevent speculative execution causing one >> + * guest’s VS-stage translations to be cached under another guest’s >> + * VMID, world-switch code should zero vsatp, then swap hgatp, then >> + * finally write the new vsatp value what will be done in >> + * p2m_handle_vmenter(). >> + */ >> + p->arch.vsatp = csr_swap(CSR_VSATP, 0); >> + >> + /* >> + * Nothing to do with HGATP as it will be update in p2m_ctxt_switch_to() >> + * or/and in p2m_handle_vmenter(). >> + */ >> +} >> + >> +/* Should be called after other CSRs are restored to avoid speculation */ >> +void p2m_ctxt_switch_to(struct vcpu *n) >> +{ >> + struct p2m_domain *p2m = p2m_get_hostp2m(n->domain); >> + >> + if ( is_idle_vcpu(n) ) >> + return; >> + >> + csr_write(CSR_HGATP, construct_hgatp(p2m, n->arch.vmid.vmid)); >> + /* >> + * As VMID is unique per vCPU and just re-used here thereby there is no >> + * need for G-stage TLB flush here. >> + */ >> + >> + csr_write(CSR_VSATP, n->arch.vsatp); >> + /* >> + * As at the start of context switch VSATP were set to 0, so no >> speculation >> + * could happen thereby there is no need for VS TLB flush here. >> + */ >> +} > > I think we need to flush the VS-stage TLB unconditionally here. It is possible > that `p->arch.vsatp.ASID == n->arch.vsatp.ASID`, in which case the new vCPU > could reuse stale VS-stage TLB entries that do not belong to it. > > I considered performing the flush conditionally, but that would require > checking > not only the ASID, but also whether the PPN differs. In addition, we would > need > to verify that the old and new vCPUs do not belong to different domains, since > the same VSATP PPN value could appear in different domains. > > This starts to look like overcomplication for a marginal optimization, so an > unconditional VS-stage TLB flush seems simpler and safer. > > Do you think this optimization is worth pursuing at this stage? Let's start simple and optimize later. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.