From: Atish Patra
Date: Thu, 28 May 2026 16:11:38 -0700
Subject: [PATCH 1/2] KVM: SEV: Do not allow SEV-SNP VMs from intra-host migration
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260528-sev_snp_fixes-v1-1-d67a08151779@meta.com>
References: <20260528-sev_snp_fixes-v1-0-d67a08151779@meta.com>
In-Reply-To: <20260528-sev_snp_fixes-v1-0-d67a08151779@meta.com>
To: Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Tom Lendacky, Marc Orr, Peter Gonda, Brijesh Singh, Youngjae Lee, Ashish Kalra, Michael Roth, John Allen, Herbert Xu
Cc: clm@meta.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, stable@vger.kernel.org, Atish Patra

From: Atish Patra

The intra-host migration feature is not fully implemented for SEV-SNP VMs which require additional SNP-specific state such as guest_req_mutex, guest_req_buf, and guest_resp_buf to be transferred or initialized on the destination. Reject SNP source VMs in sev_vm_move_enc_context_from() until proper SNP state transfer is implemented.

Fixes: 0b020f5af092 ("KVM: SEV: Add support for SEV-ES intra host migration")
Reported-by: Chris Mason
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Atish Patra --- arch/x86/kvm/svm/sev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index c2126b3c3072..aff6a0cf5bfe 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -2142,7 +2142,8 @@ int sev_vm_move_enc_context_from(struct kvm *kvm, uns= igned int source_fd) return ret; =20 if (kvm->arch.vm_type !=3D source_kvm->arch.vm_type || - sev_guest(kvm) || !sev_guest(source_kvm)) { + sev_guest(kvm) || !sev_guest(source_kvm) || + sev_snp_guest(source_kvm)) { ret =3D -EINVAL; goto out_unlock; } --=20 2.53.0-Meta

From: Atish Patra
Date: Thu, 28 May 2026 16:11:39 -0700
Subject: [PATCH 2/2] crypto: ccp: Fix possible deadlock in SEV init failure path
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260528-sev_snp_fixes-v1-2-d67a08151779@meta.com>
References: <20260528-sev_snp_fixes-v1-0-d67a08151779@meta.com>
In-Reply-To: <20260528-sev_snp_fixes-v1-0-d67a08151779@meta.com>
To: Sean Christopherson, Paolo Bonzini, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Tom Lendacky, Marc Orr, Peter Gonda, Brijesh Singh, Youngjae Lee, Ashish Kalra, Michael Roth, John Allen, Herbert Xu
Cc: clm@meta.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, stable@vger.kernel.org, Atish Patra

From: Atish Patra

__sev_platform_init_handle_init_ex_path() called rmp_mark_pages_firmware() with locked=false while the parent function of init_ex_path had already acquired the sev_cmd_mutex. In case of a rmpupdate failure for any page after the first, the cleanup path would invoke reclaim pages which would result in a deadlock in sev_do_cmd. Pass locked=true to honor the lock status of the parent function.

Fixes: 7364a6fbca45 ("crypto: ccp: Handle non-volatile INIT_EX data when SNP is enabled")
Reported-by: Chris Mason
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Atish Patra
--- drivers/crypto/ccp/sev-dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index d1e9e0ac63b6..3d4793e8e34b 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -1557,7 +1557,7 @@ static int __sev_platform_init_handle_init_ex_path(st= ruct sev_device *sev) unsigned long npages; =20 npages =3D 1UL << get_order(NV_LENGTH); - if (rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, false)) { + if (rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, true)) { dev_err(sev->dev, "SEV: INIT_EX NV memory page state change failed.\n"); return -ENOMEM; } --=20 2.53.0-Meta
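
Review bot: in [PATCH 1/2], the added `sev_snp_guest(source_kvm)` term in sev_vm_move_enc_context_from() is folded into the existing vm_type/sev_guest condition, so nothing in the code says why an SNP source is refused or that the refusal is meant to be temporary. Consider a separate check with a short comment naming the state that is not yet transferred (guest_req_mutex, guest_req_buf and guest_resp_buf, per the commit message), so the restriction is easy to find when SNP state transfer is implemented. Userspace also gets the same -EINVAL as for a vm_type mismatch; if callers need to tell "SNP source not supported" apart from a malformed request, a distinct errno would help.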
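
Review bot: in [PATCH 2/2], the call `rmp_mark_pages_firmware(__pa(sev_init_ex_buffer), npages, true)` in __sev_platform_init_handle_init_ex_path() now depends on the caller holding sev_cmd_mutex, but that contract is stated only in the commit message; the bare `true` does not show it at the call site. Consider adding lockdep_assert_held(&sev_cmd_mutex) at the top of the function, or a one-line comment at the call, so a future caller that does not hold the mutex is caught instead of silently passing the wrong lock state.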