Reply-To: Sean Christopherson
Date: Mon, 2 Jun 2025 15:44:58 -0700
In-Reply-To: <20250602224459.41505-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250602224459.41505-1-seanjc@google.com>
X-Mailer: git-send-email 2.49.0.1204.g71687c7c1d-goog
Message-ID: <20250602224459.41505-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Alexander Potapenko, James Houghton, Peter Gonda, Tom Lendacky

Reject migration of SEV{-ES} state if either the source or destination VM
is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the
section between incrementing created_vcpus and online_vcpus.

The bulk of vCPU creation runs _outside_ of kvm->lock to allow creating
multiple vCPUs in parallel, and so sev_info.es_active can get toggled from
false=>true in the destination VM after (or during) svm_vcpu_create(),
resulting in an SEV{-ES} VM effectively having a non-SEV{-ES} vCPU.

The issue manifests most visibly as a crash when trying to free a vCPU's
NULL VMSA page in an SEV-ES VM, but any number of things can go wrong.

  BUG: unable to handle page fault for address: ffffebde00000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: Oops: 0000 [#1] SMP KASAN NOPTI
  CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024
  RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]
  RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]
  RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
  RIP: 0010:PageHead include/linux/page-flags.h:866 [inline]
  RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067
  Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0
  RSP: 0018:ffff8984551978d0 EFLAGS: 00010246
  RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98
  RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000
  RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000
  R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000
  R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000
  FS:  0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0
  DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Call Trace:
   sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169
   svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515
   kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396
   kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline]
   kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490
   kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895
   kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310
   kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369
   __fput+0x3e4/0x9e0 fs/file_table.c:465
   task_work_run+0x1a9/0x220 kernel/task_work.c:227
   exit_task_work include/linux/task_work.h:40 [inline]
   do_exit+0x7f0/0x25b0 kernel/exit.c:953
   do_group_exit+0x203/0x2d0 kernel/exit.c:1102
   get_signal+0x1357/0x1480 kernel/signal.c:3034
   arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337
   exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
   syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218
   do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
  RIP: 0033:0x7f87a898e969
  Modules linked in: gq(O)
  gsmi: Log Shutdown Reason 0x03
  CR2: ffffebde00000000
  ---[ end trace 0000000000000000 ]---

Deliberately don't check for a NULL VMSA when freeing the vCPU, as crashing
the host is likely desirable due to the VMSA being consumed by hardware.
E.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a
bogus VMSA page. Accessing PFN 0 is "fine"-ish now that it's sequestered
away thanks to L1TF, but panicking in this scenario is preferable to
potentially running with corrupted state.

Reported-by: Alexander Potapenko
Tested-by: Alexander Potapenko
Fixes: 0b020f5af092 ("KVM: SEV: Add support for SEV-ES intra host migration")
Fixes: b56639318bb2 ("KVM: SEV: Add support for SEV intra host migration")
Cc: stable@vger.kernel.org
Cc: James Houghton
Cc: Peter Gonda
Signed-off-by: Sean Christopherson
Reviewed-by: James Houghton
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a7a7dc507336..93d899454535 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2032,6 +2032,10 @@ static int sev_check_source_vcpus(struct kvm *dst, s= truct kvm *src) struct kvm_vcpu *src_vcpu; unsigned long i; =20 + if (src->created_vcpus !=3D atomic_read(&src->online_vcpus) || + dst->created_vcpus !=3D atomic_read(&dst->online_vcpus)) + return -EINVAL; + if (!sev_es_guest(src)) return 0; =20 --=20 2.49.0.1204.g71687c7c1d-goog
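Review bot: the new early-out returns -EINVAL for what is a transient race (a vCPU creation that has bumped created_vcpus but not yet online_vcpus), so consider -EBUSY instead, which tells userspace the migration can be retried once creation completes rather than that the request is malformed. A short comment above the check would also help, since the reason `created_vcpus != online_vcpus` means "creation in flight" currently lives only in the commit message; and note that the check sits before the `if (!sev_es_guest(src)) return 0;` early return and inspects dst as well as src, so it now guards plain SEV migration too, which the name sev_check_source_vcpus() no longer fully describes.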

Reply-To: Sean Christopherson
Date: Mon, 2 Jun 2025 15:44:59 -0700
In-Reply-To: <20250602224459.41505-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20250602224459.41505-1-seanjc@google.com>
X-Mailer: git-send-email 2.49.0.1204.g71687c7c1d-goog
Message-ID: <20250602224459.41505-3-seanjc@google.com>
Subject: [PATCH 2/2] KVM: SVM: Initialize vmsa_pa in VMCB to INVALID_PAGE if VMSA page is NULL
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Alexander Potapenko, James Houghton, Peter Gonda, Tom Lendacky

When creating an SEV-ES vCPU for intra-host migration, set its vmsa_pa to
INVALID_PAGE to harden against doing VMRUN with a bogus VMSA (KVM checks for
a valid VMSA page in pre_sev_run()).

Cc: Tom Lendacky
Signed-off-by: Sean Christopherson
Reviewed-by: Liam Merwick
Tested-by: Liam Merwick
---
 arch/x86/kvm/svm/sev.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 93d899454535..5ebb265f2075 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4471,8 +4471,12 @@ static void sev_es_init_vmcb(struct vcpu_svm *svm) * the VMSA will be NULL if this vCPU is the destination for intrahost * migration, and will be copied later. */ - if (svm->sev_es.vmsa && !svm->sev_es.snp_has_guest_vmsa) - svm->vmcb->control.vmsa_pa =3D __pa(svm->sev_es.vmsa); + if (!svm->sev_es.snp_has_guest_vmsa) { + if (svm->sev_es.vmsa) + svm->vmcb->control.vmsa_pa =3D __pa(svm->sev_es.vmsa); + else + svm->vmcb->control.vmsa_pa =3D INVALID_PAGE; + } =20 /* Can't intercept CR register access, HV can't modify CR registers */ svm_clr_intercept(svm, INTERCEPT_CR0_READ); --=20 2.49.0.1204.g71687c7c1d-goog
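Review bot: the comment kept above the block still only says the VMSA "will be NULL if this vCPU is the destination for intrahost migration, and will be copied later", so it should be extended to state that vmsa_pa is deliberately set to INVALID_PAGE so that pre_sev_run() refuses VMRUN until the VMSA is copied in; without that, the new else branch reads like it is papering over a NULL pointer. Stylistically the nested if can collapse to a single assignment, e.g. `svm->vmcb->control.vmsa_pa = svm->sev_es.vmsa ? __pa(svm->sev_es.vmsa) : INVALID_PAGE;` under the `!snp_has_guest_vmsa` guard, and it is worth confirming in the migration path that copies the VMSA that vmsa_pa is overwritten there, since the vCPU otherwise stays permanently unrunnable.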