From nobody Mon Jun  8 07:26:02 2026
Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A92353D4132;
	Fri,  5 Jun 2026 21:25:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=193.142.43.55
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1780694722; cv=none;
 b=G9ZdceP7J5BR9C6syTrJV2hx9/V/UIBQPyZEAiRFNTH/yjwow4EZ8FGDVC4Q7XB20yzojWidKrMGVg3T4lj4r4hGXRBWOPCGj9l6p4lRB1Xjj0HD/Zavzw4H784LWByHlDnOJhn1NbGol2zdypw0AVcnzw1hIhm3mED1smQyi5A=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1780694722; c=relaxed/simple;
	bh=pB7cUv5gpCvJYCZ/s3iMH32cQ/DzuCPCwtqd2JK0psk=;
	h=Date:From:To:Subject:Cc:In-Reply-To:References:MIME-Version:
	 Message-ID:Content-Type;
 b=TqxEml+Tr5e1TiwdR+ICnOBIrnpnbCr4RZM+IzmgipSNvYbscTFx1ZrN3snRs8Aw4oKY3B8Nsc1SnHjBIGcoUcACeVjvWc6Rkat4C8QSKbmvMGmgA6K7Lsg98cwjK0+h0DewQurpQsn9VmKr/GhNomzDPKjFOPz6FlXS8aWCuU8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linutronix.de;
 spf=pass smtp.mailfrom=linutronix.de;
 dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b=GWW+zJj6;
 dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b=FCgucNEv; arc=none smtp.client-ip=193.142.43.55
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linutronix.de
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linutronix.de
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b="GWW+zJj6";
	dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b="FCgucNEv"
Date: Fri, 05 Jun 2026 21:25:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020; t=1780694719;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=a04Kej9wDRxSvgtndwIincdONz85kc+Y50QoPT/048c=;
	b=GWW+zJj6FCQ2+i0dNXnzq9Yu5HgQ0U/M8/sWriYnTV9q5e7i/0WZ4Lic7MIqPsc35iBj8X
	EOWAP5WmNjUnle5VQv7ne32WRjGYcESllKm5Aq2m956b1Sfx+qNUd/YNJcP9CM+oywIt9W
	g+Hr9StE4+/Yv5VDXmnh6u7lmgiZOVQ556tyHPWggRHodFyQ7SeY76rtkXXjrs51ZNMqo1
	WDTcbILp25trseDymbu8zChNqTEqgz8iWfiBQHinK6hNISu1498TSO6K/wMAkJMDwM6lFU
	nO6BW+JCKC9Mzv3bpvrcJhQWvLT/UylSfEwhUUBpdyiX4lm+LrsoCNK/b9FvjQ==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020e; t=1780694719;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=a04Kej9wDRxSvgtndwIincdONz85kc+Y50QoPT/048c=;
	b=FCgucNEvOI2wlsjJxuTGdYUgebDEN+ZXiNTgjsLw2ppi8XULavtgs3WF5TDXSgy0a6ZzKd
	OH7AShrYmko+bMAw==
From: "tip-bot2 for Chao Gao" <tip-bot2@linutronix.de>
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/tdx] x86/virt/seamldr: Abort updates after a failed step
Cc: Chao Gao <chao.gao@intel.com>, Dave Hansen <dave.hansen@linux.intel.com>,
 Xu Yilun <yilun.xu@linux.intel.com>,
 Tony Lindgren <tony.lindgren@linux.intel.com>,
 Kai Huang <kai.huang@intel.com>, "Kiryl Shutsemau (Meta)" <kas@kernel.org>,
 x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20260520133909.409394-16-chao.gao@intel.com>
References: <20260520133909.409394-16-chao.gao@intel.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Message-ID: <178069471784.710.9662338370517958871.tip-bot2@tip-bot2>
Robot-ID: <tip-bot2@linutronix.de>
Robot-Unsubscribe: 
 Contact <mailto:tglx@kernel.org> to get blacklisted from these emails
Precedence: bulk
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The following commit has been merged into the x86/tdx branch of tip:

Commit-ID:     be4efe63c050be48961a5430c91e69f95af08b81
Gitweb:        https://git.kernel.org/tip/be4efe63c050be48961a5430c91e69f95=
af08b81
Author:        Chao Gao <chao.gao@intel.com>
AuthorDate:    Wed, 20 May 2026 15:29:04 -07:00
Committer:     Dave Hansen <dave.hansen@linux.intel.com>
CommitterDate: Wed, 03 Jun 2026 08:14:51 -07:00

x86/virt/seamldr: Abort updates after a failed step

A TDX module update is a multi-step process, and any step can fail.

The current update flow continues to later steps after an error.
Continuing after a failure can cause the TDX module to enter an
unrecoverable state.

But certain failures during the initial module shutdown step should
simply return an error to userspace, so the update can be retried
cleanly.

To preserve that recoverability, one option would be to abort the
update only for those failures, since they occur before any TDX module
state is changed. But special-casing specific failures in specific
steps would complicate the do-while() update loop for no benefit.

Simply abort update on any failure, at any step.

Track failures for each step, stop the update loop once a failure is
observed, and do not advance the state machine to the next step.

[ dhansen: style nits ]

Signed-off-by: Chao Gao <chao.gao@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Xu Yilun <yilun.xu@linux.intel.com>
Reviewed-by: Tony Lindgren <tony.lindgren@linux.intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Reviewed-by: Kiryl Shutsemau (Meta) <kas@kernel.org>
Link: https://lore.kernel.org/linux-coco/aQFmOZCdw64z14cJ@google.com/ # [1]
Link: https://patch.msgid.link/20260520133909.409394-16-chao.gao@intel.com
---
 arch/x86/virt/vmx/tdx/seamldr.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/arch/x86/virt/vmx/tdx/seamldr.c b/arch/x86/virt/vmx/tdx/seamld=
r.c
index ec45b85..b03dce2 100644
--- a/arch/x86/virt/vmx/tdx/seamldr.c
+++ b/arch/x86/virt/vmx/tdx/seamldr.c
@@ -202,6 +202,7 @@ enum module_update_state {
 static struct update_ctrl {
 	enum module_update_state state;
 	int num_ack;
+	int num_failed;
 	/*
 	 * Protect update_ctrl. Raw spinlock as it will be acquired from
 	 * interrupt-disabled contexts.
@@ -219,12 +220,13 @@ static void __set_target_state(struct update_ctrl *ct=
rl,
 }
=20
 /* Last one to ack a state moves to the next state. */
-static void ack_state(struct update_ctrl *ctrl)
+static void ack_state(struct update_ctrl *ctrl, int result)
 {
 	raw_spin_lock(&ctrl->lock);
=20
+	ctrl->num_failed +=3D !!result;
 	ctrl->num_ack++;
-	if (ctrl->num_ack =3D=3D num_online_cpus())
+	if (ctrl->num_ack =3D=3D num_online_cpus() && !ctrl->num_failed)
 		__set_target_state(ctrl, ctrl->state + 1);
=20
 	raw_spin_unlock(&ctrl->lock);
@@ -234,6 +236,7 @@ static void init_state(struct update_ctrl *ctrl)
 {
 	raw_spin_lock_init(&ctrl->lock);
 	__set_target_state(ctrl, MODULE_UPDATE_START + 1);
+	ctrl->num_failed =3D 0;
 }
=20
 /*
@@ -261,8 +264,9 @@ static int do_seamldr_install_module(void *seamldr_para=
ms)
 			break;
 		}
=20
-		ack_state(&update_ctrl);
-	} while (curstate !=3D MODULE_UPDATE_DONE);
+		ack_state(&update_ctrl, ret);
+	} while (curstate !=3D MODULE_UPDATE_DONE &&
+		 !READ_ONCE(update_ctrl.num_failed));
=20
 	return ret;
 }