[PATCH v2] RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler

Jiakai Xu posted 1 patch 2 weeks ago
arch/riscv/kvm/vcpu_sbi_system.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
[PATCH v2] RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler
Posted by Jiakai Xu 2 weeks ago
The SUSP handler checks that all other vCPUs are stopped before
entering system suspend, but a concurrent HSM HART_START can start
a vCPU after it has already passed the check.

This is a known TOCTOU race. We do not fix it because:
1. Triggering it requires a pathological guest.
2. Only guest state is at risk, not host integrity.
3. Userspace can double-check vCPU states before suspend.

Add a comment documenting the race and the rationale for not fixing it.

Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: YuanSheng:DeepSeek-V3.2
---
V1 -> V2:
- Replaced the fix with a comment.
Link: https://lore.kernel.org/linux-riscv/20260521142030.1560861-1-xujiakai2025@iscas.ac.cn/t/#u
---
 arch/riscv/kvm/vcpu_sbi_system.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/arch/riscv/kvm/vcpu_sbi_system.c b/arch/riscv/kvm/vcpu_sbi_system.c
index c6f7e609ac794..6f64a59e5d3c4 100644
--- a/arch/riscv/kvm/vcpu_sbi_system.c
+++ b/arch/riscv/kvm/vcpu_sbi_system.c
@@ -35,6 +35,20 @@ static int kvm_sbi_ext_susp_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
 			return 0;
 		}
 
+		/*
+		 * Check that all other vCPUs are stopped before entering
+		 * system suspend.
+		 *
+		 * There is a known TOCTOU race here: a concurrent HSM
+		 * HART_START on another vCPU can start a vCPU after it
+		 * has already passed this check, violating the invariant.
+		 *
+		 * We do not fix this because:
+		 * 1. Triggering the race requires a pathological guest.
+		 * 2. Only guest state is at risk, not host integrity.
+		 * 3. Userspace can double-check vCPU states before
+		 *    proceeding with suspend.
+		 */
 		kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
 			if (tmp == vcpu)
 				continue;
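Review bot: the comment's second paragraph says the race is "violating the invariant" without ever stating the invariant it means (that no other vCPU is running once the system enters suspend); name it explicitly, since a reader of vcpu_sbi_system.c will not have the commit message in front of them. The numbered "We do not fix this because" list also duplicates the commit message nearly word for word and uses first-person voice in a code comment; it would age better as a statement of the contract, e.g. "This check is best-effort: a concurrent HSM HART_START can start a vCPU after it has been scanned here, so userspace must re-verify vCPU states before proceeding with suspend." That keeps point 3 (the userspace double-check) as the operative requirement and drops the justification list into the commit history where it belongs.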
-- 
2.34.1
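To make the window described in the commit message concrete, here is an added model (not KVM's code and not part of this patch): a scan of the other harts' states followed by a separate suspend decision, with a HART_START landing in between. The `start_gen` counter and the re-check in `susp_commit` are assumptions for illustration, standing in for the userspace double-check that point 3 of the rationale relies on.

```c
/* Constructed model of the SUSP check-then-act window (not KVM code): scanning
 * the other harts and deciding to suspend are separate steps, so a HART_START
 * can land in between. start_gen is an assumed double-check, not a KVM field. */
#include <stdatomic.h>
#include <stdbool.h>
#define NHARTS 4
enum { HART_STOPPED = 0, HART_RUNNING = 1 };
struct vm {
	_Atomic int state[NHARTS];       /* 0 == stopped, so {0} means all stopped */
	_Atomic unsigned long start_gen; /* bumped by every HART_START */
};

/* Hypothetical HSM HART_START: stopped -> running, and note that a start happened. */
static bool hart_start(struct vm *vm, int hart)
{
	int expected = HART_STOPPED;
	if (!atomic_compare_exchange_strong(&vm->state[hart], &expected, HART_RUNNING))
		return false;
	atomic_fetch_add(&vm->start_gen, 1);
	return true;
}
/* Time of check: true if every other hart is stopped; *gen = generation seen first. */
static bool susp_check(struct vm *vm, int self, unsigned long *gen)
{
	bool ok = true;
	*gen = atomic_load(&vm->start_gen);
	for (int i = 0; i < NHARTS; i++)
		if (i != self && atomic_load(&vm->state[i]) != HART_STOPPED)
			ok = false;
	return ok;
}

/* Time of use: 1 = suspend, 0 = a hart is running, -1 = a HART_START raced
 * with the scan, so the scan result is stale and must be redone. */
static int susp_commit(struct vm *vm, bool ok, unsigned long gen)
{
	return atomic_load(&vm->start_gen) != gen ? -1 : (ok ? 1 : 0);
}
/* Drives the race deterministically: HART_START lands between check and use. */
static int scenario(bool double_check)
{
	struct vm vm = {0};
	unsigned long gen;
	atomic_store(&vm.state[0], HART_RUNNING); /* hart 0 is the caller */
	bool ok = susp_check(&vm, 0, &gen);
	hart_start(&vm, 1); /* hart 1 starts after the scan already passed it */
	if (!double_check)
		return ok ? 1 : 0; /* naive verdict: suspends with hart 1 running */
	return susp_commit(&vm, ok, gen);
}
```

`scenario(false)` reproduces the stale verdict the comment warns about (suspend goes ahead although hart 1 is now running), while `scenario(true)` shows the re-check rejecting it.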
Re: [PATCH v2] RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler
Posted by Anup Patel 4 days, 18 hours ago
On Mon, May 25, 2026 at 7:06 AM Jiakai Xu <xujiakai2025@iscas.ac.cn> wrote:
>
> The SUSP handler checks that all other vCPUs are stopped before
> entering system suspend, but a concurrent HSM HART_START can start
> a vCPU after it has already passed the check.
>
> This is a known TOCTOU race. We do not fix it because:
> 1. Triggering it requires a pathological guest.
> 2. Only guest state is at risk, not host integrity.
> 3. Userspace can double-check vCPU states before suspend.
>
> Add a comment documenting the race and the rationale for not fixing it.
>
> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
> Assisted-by: YuanSheng:DeepSeek-V3.2

Queued this patch for Linux-7.2

Thanks,
Anup

> ---
> V1 -> V2:
> - Replaced the fix with a comment.
> Link: https://lore.kernel.org/linux-riscv/20260521142030.1560861-1-xujiakai2025@iscas.ac.cn/t/#u
> ---
>  arch/riscv/kvm/vcpu_sbi_system.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_sbi_system.c b/arch/riscv/kvm/vcpu_sbi_system.c
> index c6f7e609ac794..6f64a59e5d3c4 100644
> --- a/arch/riscv/kvm/vcpu_sbi_system.c
> +++ b/arch/riscv/kvm/vcpu_sbi_system.c
> @@ -35,6 +35,20 @@ static int kvm_sbi_ext_susp_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
>                         return 0;
>                 }
>
> +               /*
> +                * Check that all other vCPUs are stopped before entering
> +                * system suspend.
> +                *
> +                * There is a known TOCTOU race here: a concurrent HSM
> +                * HART_START on another vCPU can start a vCPU after it
> +                * has already passed this check, violating the invariant.
> +                *
> +                * We do not fix this because:
> +                * 1. Triggering the race requires a pathological guest.
> +                * 2. Only guest state is at risk, not host integrity.
> +                * 3. Userspace can double-check vCPU states before
> +                *    proceeding with suspend.
> +                */
>                 kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
>                         if (tmp == vcpu)
>                                 continue;
> --
> 2.34.1
>
Re: [PATCH v2] RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler
Posted by Andrew Jones 2 weeks ago
On Mon, May 25, 2026 at 01:36:42AM +0000, Jiakai Xu wrote:
> The SUSP handler checks that all other vCPUs are stopped before
> entering system suspend, but a concurrent HSM HART_START can start
> a vCPU after it has already passed the check.
> 
> This is a known TOCTOU race. We do not fix it because:
> 1. Triggering it requires a pathological guest.
> 2. Only guest state is at risk, not host integrity.
> 3. Userspace can double-check vCPU states before suspend.
> 
> Add a comment documenting the race and the rationale for not fixing it.
> 
> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
> Assisted-by: YuanSheng:DeepSeek-V3.2
> ---
> V1 -> V2:
> - Replaced the fix with a comment.
> Link: https://lore.kernel.org/linux-riscv/20260521142030.1560861-1-xujiakai2025@iscas.ac.cn/t/#u
> ---
>  arch/riscv/kvm/vcpu_sbi_system.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/arch/riscv/kvm/vcpu_sbi_system.c b/arch/riscv/kvm/vcpu_sbi_system.c
> index c6f7e609ac794..6f64a59e5d3c4 100644
> --- a/arch/riscv/kvm/vcpu_sbi_system.c
> +++ b/arch/riscv/kvm/vcpu_sbi_system.c
> @@ -35,6 +35,20 @@ static int kvm_sbi_ext_susp_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
>  			return 0;
>  		}
>  
> +		/*
> +		 * Check that all other vCPUs are stopped before entering
> +		 * system suspend.
> +		 *
> +		 * There is a known TOCTOU race here: a concurrent HSM
> +		 * HART_START on another vCPU can start a vCPU after it
> +		 * has already passed this check, violating the invariant.
> +		 *
> +		 * We do not fix this because:
> +		 * 1. Triggering the race requires a pathological guest.
> +		 * 2. Only guest state is at risk, not host integrity.
> +		 * 3. Userspace can double-check vCPU states before
> +		 *    proceeding with suspend.
> +		 */
>  		kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
>  			if (tmp == vcpu)
>  				continue;
> -- 
> 2.34.1
>

Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>