Hi David,

On Thu, Sep 26, 2024 at 07:37:57PM +0100, David Woodhouse wrote:
> @@ -392,6 +403,32 @@ static int kvm_psci_1_x_call(struct kvm_vcpu *vcpu, u32 
> minor)
>                       break;
>               }
>               break;
> +     case PSCI_1_3_FN_SYSTEM_OFF2:
> +             kvm_psci_narrow_to_32bit(vcpu);
> +             fallthrough;
> +     case PSCI_1_3_FN64_SYSTEM_OFF2:
> +             if (minor < 3)
> +                     break;
> +
> +             arg = smccc_get_arg1(vcpu);
> +             if (arg != PSCI_1_3_HIBERNATE_TYPE_OFF) {
> +                     val = PSCI_RET_INVALID_PARAMS;
> +                     break;
> +             }

This is missing a check that arg2 must be zero.

> +             kvm_psci_system_off2(vcpu);
> +             /*
> +              * We shouldn't be going back to guest VCPU after
> +              * receiving SYSTEM_OFF2 request.
> +              *
> +              * If user space accidentally/deliberately resumes
> +              * guest VCPU after SYSTEM_OFF2 request then guest
> +              * VCPU should see internal failure from PSCI return
> +              * value. To achieve this, we preload r0 (or x0) with
> +              * PSCI return value INTERNAL_FAILURE.
> +              */
> +             val = PSCI_RET_INTERNAL_FAILURE;
> +             ret = 0;
> +             break;
>       default:
>               return kvm_psci_0_2_call(vcpu);
>       }
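Review bot: only the first SMCCC argument is validated here (`arg = smccc_get_arg1(vcpu)` checked against PSCI_1_3_HIBERNATE_TYPE_OFF); the second argument is never read before `kvm_psci_system_off2(vcpu)` is called, so a caller passing a nonzero value in it gets the same success path as a well-formed request. The check should reject that case with PSCI_RET_INVALID_PARAMS alongside the hibernate-type check, for example `if (arg != PSCI_1_3_HIBERNATE_TYPE_OFF || smccc_get_arg2(vcpu))` (smccc_get_arg2 is the existing KVM accessor for the second argument; confirm its name against the tree this applies to). Since the 32-bit entry narrows the registers via `kvm_psci_narrow_to_32bit(vcpu)` before falling through, the new check covers both the FN and FN64 variants without further changes.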
> -- 
> 2.44.0
>

-- 
Thanks,
Oliver
