From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, Stan Shaw, Peter Gonda, Jacky Li, stable@vger.kernel.org
Subject: [PATCH 01/24] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
Date: Fri, 29 May 2026 20:35:26 +0200
Message-ID: <20260529183549.1104619-2-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>
From: Michael Roth

As per the GHCB spec, when using GHCB v2+ require the software scratch area
to reside in the GHCB's shared buffer.  Note, things like Page State Change
(PSC) requests _rely_ on this behavior, as the guest can't provide a length
when making the request, i.e. the size of the guest payload is bounded by
the size of the shared buffer.

Failure to force usage of the GHCB, and a slew of other flaws, lets a
malicious SNP guest corrupt host kernel heap memory, and leak host heap
layout information.

setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where
exit_info_2 is guest-controlled.  With exit_info_2=24, this yields a 24-byte
allocation in kmalloc-cg-32 (32-byte slab objects).  The buffer holds an
8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and
entries[1] are in-bounds.

snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but
NOT against the actual buffer size:

  idx_end = hdr->end_entry;
  if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {       // checks 253, not buffer
    snp_complete_psc(svm, ...);
    return 1;
  }
  for (idx = idx_start; idx <= idx_end; idx++) {
    entry_start = entries[idx];                 // OOB when idx >= 2

The guest sets end_entry=10+, causing the host to iterate entries[2+] which
are OOB into adjacent slab objects.  For each OOB entry:

- The host reads 8 bytes (OOB READ / info leak oracle)
- If the data passes PSC validation, __snp_complete_one_psc() writes
  cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)
- If validation fails, the error response reveals whether adjacent memory
  is zero vs non-zero (information disclosure to guest)

The guest controls allocation size (exit_info_2), entry range
(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit
different slab positions.

By exploiting the variety of bugs, a malicious SEV-SNP guest can:

- OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)
- OOB write cur_page bits into adjacent objects (heap corruption)
- Trigger use-after-free conditions across VMGEXITs

E.g. with KASAN enabled, a single insmod of the PoC guest module produces
73 KASAN reports:

  BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890
  Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199

  BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890
  Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199

  The buggy address belongs to the object at ffff888XXXXXXXXX
   which belongs to the cache kmalloc-cg-32 of size 32
  The buggy address is located N bytes to the right of
   allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)

Breakdown:
  62 slab-out-of-bounds (reads + writes past allocation)
   7 slab-use-after-free
   4 use-after-free

All credit to Stan for the wonderful description and reproducer!

Reported-by: Stan Shaw
Cc: Michael Roth
Cc: Tom Lendacky
Cc: Peter Gonda
Cc: Jacky Li
Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Roth
[sean: write changelog]
Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index c2126b3c3072..23170b64f4a3 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3703,6 +3703,10 @@ static int setup_vmgexit_scratch(struct vcpu_svm *sv= m, bool sync, u64 len) scratch_va =3D (void *)svm->sev_es.ghcb; scratch_va +=3D (scratch_gpa_beg - control->ghcb_gpa); } else { + /* GHCB v2 requires the scratch area to be within the GHCB. */ + if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >=3D 2) + goto e_scratch; + /* * The guest memory must be read into a kernel buffer, so * limit the size
-- 
2.54.0
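Review bot: the comment added above the new check reads "GHCB v2 requires" while the condition is `ghcb_version >= 2` and the subject says "v2+"; reword it to "GHCB v2+ requires the scratch area to be within the GHCB" so a later reader does not take v3 and up to be exempt. The `goto e_scratch` also carries no word on what the guest observes; since the changelog argues that PSC relies on the in-GHCB scratch area to bound the payload, a one-line note that the reject path reports a GHCB error to the guest rather than silently resuming would document the intended behaviour, and would make explicit that the end_entry check in snp_begin_psc() quoted in the changelog is left as is and now depends on the shared buffer bounding the entry count.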
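The changelog above describes a bound check that compares end_entry with the spec maximum but never with the allocation it indexes. What follows is an added example, not code from the patch or from KVM: it models that check beside a size-aware one so the gap shows on the 24-byte case from the changelog. VMGEXIT_PSC_MAX_COUNT (253) and the 8-byte header and entry sizes are taken from the changelog; the header field layout, the function names and the sample lengths are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from the patch or from KVM.  It models the bound
 * the changelog says snp_begin_psc() gets wrong: end_entry is compared with
 * VMGEXIT_PSC_MAX_COUNT but not with the size of the scratch buffer.  The
 * constant 253 and the 8-byte header/entry sizes come from the changelog;
 * the field layout of the header is an assumption used only so that
 * sizeof() yields the stated 8 bytes.
 */
#define VMGEXIT_PSC_MAX_COUNT 253

struct psc_hdr {
    uint16_t cur_entry;
    uint16_t end_entry;
    uint32_t reserved;      /* pads the header to the 8 bytes stated in the changelog */
};

struct psc_entry {
    uint64_t raw;           /* 8 bytes per entry, as stated in the changelog */
};

/* Number of whole entries that fit behind the header in a buffer of 'len' bytes. */
size_t psc_entries_in_buffer(uint64_t len)
{
    if (len < sizeof(struct psc_hdr))
        return 0;
    return (size_t)((len - sizeof(struct psc_hdr)) / sizeof(struct psc_entry));
}

/* The check as the changelog describes it: only the spec maximum is enforced. */
bool psc_range_ok_spec_only(uint16_t cur_entry, uint16_t end_entry)
{
    return cur_entry <= end_entry && end_entry < VMGEXIT_PSC_MAX_COUNT;
}

/*
 * Size-aware check: on top of the spec maximum, the last requested entry
 * must lie inside the buffer that was actually allocated.  When the scratch
 * area is forced into the GHCB shared buffer (what the patch does), 'len'
 * is the fixed shared-buffer size and both checks agree; for a
 * guest-chosen 'len' they do not.
 */
bool psc_range_ok_bounded(uint16_t cur_entry, uint16_t end_entry, uint64_t len)
{
    return psc_range_ok_spec_only(cur_entry, end_entry) &&
           (size_t)end_entry < psc_entries_in_buffer(len);
}

int main(void)
{
    /* Constructed input: a 24-byte scratch buffer, the case from the changelog. */
    const uint64_t len = 24;
    size_t fit = psc_entries_in_buffer(len);
    unsigned int end_entry;

    printf("%zu entries fit in a %llu-byte buffer\n", fit, (unsigned long long)len);
    for (end_entry = 0; end_entry <= 10; end_entry++)
        printf("end_entry=%2u spec-only=%d bounded=%d\n", end_entry,
               psc_range_ok_spec_only(0, (uint16_t)end_entry),
               psc_range_ok_bounded(0, (uint16_t)end_entry, len));
    return 0;
}
```

Run as written, the table shows end_entry 0 and 1 accepted by both checks and 2 through 10 accepted by the spec-only check but rejected by the size-aware one, which is exactly the range the changelog identifies as out of bounds for a 24-byte allocation.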
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 02/24] KVM: SEV: Ignore MMIO requests of length '0'
Date: Fri, 29 May 2026 20:35:27 +0200
Message-ID: <20260529183549.1104619-3-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Explicitly ignore MMIO requests of length '0', so that setting up the
software scratch area (and other code) doesn't have to worry about
underflowing the length, and to allow for special casing '0' in the future.

Fixes: 8f423a80d299 ("KVM: SVM: Support MMIO for an SEV-ES guest")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 23170b64f4a3..fb2174b6d1ba 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4497,13 +4497,17 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) case SVM_VMGEXIT_MMIO_READ: case SVM_VMGEXIT_MMIO_WRITE: { bool is_write =3D control->exit_code =3D=3D SVM_VMGEXIT_MMIO_WRITE; + u64 len =3D control->exit_info_2; =20 - ret =3D setup_vmgexit_scratch(svm, !is_write, control->exit_info_2); + if (!len) + return 1; + + ret =3D setup_vmgexit_scratch(svm, !is_write, len); if (ret) break; =20 - ret =3D kvm_sev_es_mmio(vcpu, is_write, control->exit_info_1, - control->exit_info_2, svm->sev_es.ghcb_sa); + ret =3D kvm_sev_es_mmio(vcpu, is_write, control->exit_info_1, len, + svm->sev_es.ghcb_sa); break; } case SVM_VMGEXIT_NMI_COMPLETE:
-- 
2.54.0
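Review bot: the early `return 1` for `len == 0` leaves sev_handle_vmgexit() directly instead of setting `ret` and breaking like the surrounding paths, and it resumes the guest without reporting a GHCB error; the changelog says ignoring is deliberate, but the hunk carries no comment, so add one above the check stating that a zero-length MMIO request is treated as a no-op by design and that the direct return intentionally skips the post-switch handling. Hoisting `control->exit_info_2` into `len` is worthwhile on its own, since setup_vmgexit_scratch() and kvm_sev_es_mmio() now consume the same value that was checked.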
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 03/24] KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+
Date: Fri, 29 May 2026 20:35:28 +0200
Message-ID: <20260529183549.1104619-4-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

When using GHCB v2+, reject MMIO requests that are larger than 8 bytes.
Per the GHCB spec:

  SW_EXITINFO2 must be less than or equal to 0x7fffffff for version 1 and
  less than or equal to 0x8 for all other versions.

Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index fb2174b6d1ba..e6579ca9f364 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4502,6 +4502,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) if (!len) return 1; =20 + if (to_kvm_sev_info(vcpu->kvm)->ghcb_version >=3D 2 && len > 8) { + svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_INPUT); + return 1; + } + ret =3D setup_vmgexit_scratch(svm, !is_write, len); if (ret) break;
-- 
2.54.0
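Review bot: the new check enforces only the v2+ bound (`len > 8`), although the spec text quoted in the changelog also gives a v1 limit of 0x7fffffff; for a v1 guest `len` still flows unchecked into setup_vmgexit_scratch(), whose kvzalloc(exit_info_2) path the changelog of patch 01 describes as guest-controlled, so either add the v1 bound in the same `if` (for example `len > (ghcb_version >= 2 ? 8 : 0x7fffffff)`) or add a comment stating where the v1 limit is enforced. Reporting GHCB_ERR_INVALID_INPUT through svm_vmgexit_bad_input() before `return 1` is the right shape for a spec violation, as it gives the guest a defined error rather than a silent resume.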
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 04/24] KVM: SEV: Ignore Port I/O requests of length '0'
Date: Fri, 29 May 2026 20:35:29 +0200
Message-ID: <20260529183549.1104619-5-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Explicitly ignore Port I/O requests of length '0' (or count '0'), so that
setting up the software scratch area (and other code) doesn't have to worry
about underflowing the length, and to allow for WARNing on trying to
configure the scratch area with len==0.

Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index e6579ca9f364..52703c954856 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4585,6 +4585,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) control->exit_info_1, control->exit_info_2); ret =3D -EINVAL; break; + case SVM_EXIT_IOIO: + if (!((control->exit_info_1 & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT= )) + return 1; + + fallthrough; default: ret =3D svm_invoke_exit_handler(vcpu, control->exit_code); }
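Review bot: the new SVM_EXIT_IOIO case checks only the size field of `exit_info_1`, whereas the changelog also promises to ignore count '0'; the count is not handled in this hunk (it is covered in sev_es_string_io() by the second hunk), so add a comment here saying that this is the size check for the direct-exit path and that string I/O counts are checked in sev_es_string_io(), otherwise a reader of this `case` will look for the count check in vain. Extracting the size into a local (`u32 size = (control->exit_info_1 & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;`) would also make the condition easier to read and keeps the value at hand if further validation of the size field is added later.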
@@ -4605,6 +4610,9 @@ int sev_es_string_io(struct vcpu_svm *svm, int size, = unsigned int port, int in) if (unlikely(check_mul_overflow(count, size, &bytes))) return -EINVAL; =20 + if (!bytes) + return 1; + r =3D setup_vmgexit_scratch(svm, in, bytes); if (r) return r;
-- 
2.54.0
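Review bot: the new SVM_EXIT_IOIO case tests only the size field of exit_info_1, and for an SEV-ES guest that value comes from the guest-written GHCB rather than from hardware, which is the only reason a zero size can show up here at all; a one-line comment saying so would stop a future reader from "simplifying" the check away on the grounds that hardware always sets one of the size bits. The companion `if (!bytes) return 1;` in sev_es_string_io() is placed correctly after check_mul_overflow(), so it also covers count == 0, but both early returns take the success path without writing anything to the GHCB in these hunks; if a silent no-op is the intended guest-visible semantics, say so in the commit message, since "ignore" could equally be read as rejecting the request.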
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 05/24] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
Date: Fri, 29 May 2026 20:35:30 +0200
Message-ID: <20260529183549.1104619-6-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

When handling a Page State Change (PSC) #VMGEXIT use the size of the PSC header as the minimum size for the scratch area. Per the GHCB spec, PSC requests do NOT provide the length, i.e. using control->exit_info_2 for the length is completely made up behavior. The existing code "works", e.g. even though Linux-as-a-guest always passes '0', because KVM doesn't do anything with the length when the request is in the GHCB's shared buffer.

Use the header as the min length. Once the header is retrieved, KVM can use the specified indices to compute the full size of the request.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 52703c954856..cbb3040e0778 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4559,7 +4559,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) vcpu->run->system_event.data[0] =3D control->ghcb_gpa; break; case SVM_VMGEXIT_PSC: - ret =3D setup_vmgexit_scratch(svm, true, control->exit_info_2); + ret =3D setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr)); if (ret) break; =20
-- 
2.54.0
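Review bot: after this hunk setup_vmgexit_scratch() is called with a length that covers only the header, yet at this point in the series the function still records that value as the scratch length (the `ghcb_sa_len = len` assignment that the following patch removes), so between this patch and the next, ghcb_sa_len for a PSC request understates the region snp_begin_psc() walks via the header's entry indices. Nothing in this hunk reads ghcb_sa_len, so the intermediate state is harmless, but because the patch carries Cc: stable it would be worth one sentence in the commit message stating that it must be backported together with "Compute the correct max length of the in-GHCB scratch area" rather than on its own.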
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 06/24] KVM: SEV: Compute the correct max length of the in-GHCB scratch area
Date: Fri, 29 May 2026 20:35:31 +0200
Message-ID: <20260529183549.1104619-7-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

When setting the length of the GHCB scratch area, and the area is in the GHCB shared buffer, set the effective length of the scratch area to the max possible size given the start of the guest-provided pointer, and the end of the shared buffer.

The code was "fine" when first introduced, as KVM doesn't consult the length of the buffer when emulating MMIO, because the passed in @len always specifies the *max* size required. But for PSC requests, the incoming @len is just the minimum length (to process the header), and KVM needs to know the full size of the scratch area to avoid buffer overflows (spoiler alert).

Opportunistically rename @len => @min_len to better reflect its role.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index cbb3040e0778..6072fecfe994 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3662,7 +3662,7 @@ int pre_sev_run(struct vcpu_svm *svm, int cpu) } =20 #define GHCB_SCRATCH_AREA_LIMIT (16ULL * PAGE_SIZE) -static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 len) +static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 min_= len) { struct vmcb_control_area *control =3D &svm->vmcb->control; u64 ghcb_scratch_beg, ghcb_scratch_end; @@ -3675,10 +3675,10 @@ static int setup_vmgexit_scratch(struct vcpu_svm *s= vm, bool sync, u64 len) goto e_scratch; } =20 - scratch_gpa_end =3D scratch_gpa_beg + len; + scratch_gpa_end =3D scratch_gpa_beg + min_len; if (scratch_gpa_end < scratch_gpa_beg) { pr_err("vmgexit: scratch length (%#llx) not valid for scratch address (%= #llx)\n", - len, scratch_gpa_beg); + min_len, scratch_gpa_beg); goto e_scratch; } =20 @@ -3702,6 +3702,8 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm= , bool sync, u64 len) =20 scratch_va =3D (void *)svm->sev_es.ghcb; scratch_va +=3D (scratch_gpa_beg - control->ghcb_gpa); + + svm->sev_es.ghcb_sa_len =3D ghcb_scratch_end - scratch_gpa_beg; } else { /* GHCB v2 requires the scratch area to be within the GHCB. */ if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >=3D 2) 
@@ -3711,16 +3713,16 @@ static int setup_vmgexit_scratch(struct vcpu_svm *s= vm, bool sync, u64 len) * The guest memory must be read into a kernel buffer, so * limit the size */ - if (len > GHCB_SCRATCH_AREA_LIMIT) { + if (min_len > GHCB_SCRATCH_AREA_LIMIT) { pr_err("vmgexit: scratch area exceeds KVM limits (%#llx requested, %#ll= x limit)\n", - len, GHCB_SCRATCH_AREA_LIMIT); + min_len, GHCB_SCRATCH_AREA_LIMIT); goto e_scratch; } - scratch_va =3D kvzalloc(len, GFP_KERNEL_ACCOUNT); + scratch_va =3D kvzalloc(min_len, GFP_KERNEL_ACCOUNT); if (!scratch_va) return -ENOMEM; =20 - if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, len)) { + if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, min_len))= { /* Unable to copy scratch area from guest */ pr_err("vmgexit: kvm_read_guest for scratch area failed\n"); =20 
@@ -3736,11 +3738,10 @@ static int setup_vmgexit_scratch(struct vcpu_svm *s= vm, bool sync, u64 len) */ svm->sev_es.ghcb_sa_sync =3D sync; svm->sev_es.ghcb_sa_free =3D true; + svm->sev_es.ghcb_sa_len =3D min_len; } =20 svm->sev_es.ghcb_sa =3D scratch_va; - svm->sev_es.ghcb_sa_len =3D len; - return 0; =20 e_scratch:
-- 
2.54.0
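Review bot: in the in-GHCB branch, `svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;` cannot wrap only because that branch is taken after the scratch range has been found to lie inside the shared buffer bounded by ghcb_scratch_beg/ghcb_scratch_end; a comment at the assignment tying it to that check would help, since the assignment now sits several lines away from it. The kvzalloc() branch, by contrast, still limits, allocates and reads exactly min_len bytes and records min_len as the length, so the "minimum" in the new name is only a minimum for the in-GHCB case; a caller that parses beyond min_len (PSC, per the commit message) is kept off the kvzalloc() path solely by the "GHCB v2 requires the scratch area to be within the GHCB" check in the else branch. Spelling that invariant out in a comment on the function, or enforcing it with a WARN when a PSC request ever lands in the kvzalloc() path, would make it explicit rather than implied.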
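To make the length arithmetic in this patch and in the previous one ("Use the size of the PSC header as the minimum size for PSC requests") concrete, here is a user-space C model of the bounds checks. It is an added example, not code from this series or from KVM. The GHCB shared-buffer offset and size, the psc_hdr/psc_entry layouts, and the names scratch_effective_len() and psc_request_size() are assumptions made for the illustration; only the in-GHCB case is modelled, since that is the case the series cares about for PSC.

```c
/*
 * Added example, not KVM code: a user-space model of the scratch-area
 * bounds arithmetic in setup_vmgexit_scratch() after this series, and of
 * how the PSC header bounds the request once the effective length is
 * known. The GHCB layout constants and the psc_hdr/psc_entry shapes follow
 * the GHCB specification but are assumptions here; the real code is in
 * arch/x86/kvm/svm/sev.c.
 */
#include <stdint.h>
#include <stdio.h>

/* Assumed GHCB layout: a 4 KiB page whose shared buffer is the 2032-byte
 * region at offset 0x800. */
#define GHCB_SHARED_BUF_OFF   0x800ULL
#define GHCB_SHARED_BUF_SIZE  2032ULL

struct psc_hdr {
	uint16_t cur_entry;
	uint16_t end_entry;
	uint32_t reserved;
} __attribute__((packed));

struct psc_entry {
	uint64_t raw;            /* gfn, page size and operation, packed */
} __attribute__((packed));

/*
 * Mirror of the post-series in-GHCB path of setup_vmgexit_scratch().
 * @min_len is what the caller needs in order to start parsing; the value
 * returned is the usable length, which runs to the end of the shared
 * buffer. Returns 0 where the kernel would jump to e_scratch.
 */
uint64_t scratch_effective_len(uint64_t ghcb_gpa, uint64_t scratch_gpa,
			       uint64_t min_len)
{
	uint64_t shared_beg = ghcb_gpa + GHCB_SHARED_BUF_OFF;
	uint64_t shared_end = shared_beg + GHCB_SHARED_BUF_SIZE;
	uint64_t scratch_end;

	if (!min_len)                  /* caller bug: WARN_ON_ONCE in KVM */
		return 0;
	if (!scratch_gpa)              /* "scratch gpa not provided" */
		return 0;
	scratch_end = scratch_gpa + min_len;
	if (scratch_end < scratch_gpa) /* u64 wraparound, as in the hunk */
		return 0;
	if (scratch_gpa < shared_beg || scratch_end > shared_end)
		return 0;
	return shared_end - scratch_gpa;
}

/*
 * Byte size of the PSC request described by @hdr, or 0 if the header
 * claims more entries than fit in @scratch_len bytes. Only sizeof(*hdr)
 * bytes were guaranteed when the header was read; the entry count is
 * guest-controlled, so it is checked against the effective length.
 */
uint64_t psc_request_size(const struct psc_hdr *hdr, uint64_t scratch_len)
{
	uint64_t nr_entries, bytes;

	if (scratch_len < sizeof(*hdr))
		return 0;
	if (hdr->end_entry < hdr->cur_entry)
		return 0;
	nr_entries = (uint64_t)hdr->end_entry + 1;
	bytes = sizeof(*hdr) + nr_entries * sizeof(struct psc_entry);
	return bytes <= scratch_len ? bytes : 0;
}

int main(void)
{
	/* Constructed inputs: GHCB at gpa 0x1000, scratch at the start of
	 * its shared buffer, minimum length = PSC header. */
	uint64_t ghcb = 0x1000, sb = ghcb + GHCB_SHARED_BUF_OFF;
	uint64_t len = scratch_effective_len(ghcb, sb, sizeof(struct psc_hdr));
	struct psc_hdr ok  = { .cur_entry = 0, .end_entry = 3 };
	struct psc_hdr big = { .cur_entry = 0, .end_entry = 300 };

	printf("effective len %llu (min was %zu)\n",
	       (unsigned long long)len, sizeof(struct psc_hdr));
	printf("4-entry request: %llu bytes\n",
	       (unsigned long long)psc_request_size(&ok, len));
	printf("301-entry request: %llu bytes (0 = rejected)\n",
	       (unsigned long long)psc_request_size(&big, len));
	return 0;
}
```

With a header-sized minimum, the effective length for a scratch area at the start of the shared buffer is the whole buffer (2032 bytes here), which is what lets a header claiming 301 entries be rejected instead of walked; with the pre-series behaviour of recording only the caller's length there would be nothing meaningful to check the entry count against.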
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 07/24] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
Date: Fri, 29 May 2026 20:35:32 +0200
Message-ID: <20260529183549.1104619-8-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Now that all paths in KVM properly validate the length needed for the scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM attempts to configure the scratch area with min_len==0 to guard against future bugs.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 6072fecfe994..a3e85348ace9 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3669,6 +3669,9 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm= , bool sync, u64 min_len) u64 scratch_gpa_beg, scratch_gpa_end; void *scratch_va; =20 + if (WARN_ON_ONCE(!min_len)) + goto e_scratch; + scratch_gpa_beg =3D svm->sev_es.sw_scratch; if (!scratch_gpa_beg) { pr_err("vmgexit: scratch gpa not provided\n");
-- 
2.54.0
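Review bot: WARN_ON_ONCE() becomes a host panic on systems booted with panic_on_warn, so this check must be unreachable from guest-controlled input, not merely unlikely; the commit message asserts that every caller now passes a non-zero length, but only the port I/O and PSC callers are visible in this series, so listing the audited callers in the message (in particular any that still pass a guest-supplied exit_info_2 straight through as the length) would let stable reviewers confirm that precondition before taking a patch that adds a WARN to a guest-triggered entry point. Also, `goto e_scratch` reports an invalid scratch area to the guest even though a zero min_len is by definition a KVM bug; that is an acceptable fail-safe, but a one-line comment above the WARN saying the guest is not at fault would save the next reader a detour.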
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 08/24] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
Date: Fri, 29 May 2026 20:35:33 +0200
Message-ID: <20260529183549.1104619-9-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Stop explicitly passing the PSC buffer to snp_begin_psc(): it *must* be the scratch area. This will allow fixing a variety of bugs without further complicating the code.

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-9-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index a3e85348ace9..8577451b82b2 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3841,7 +3841,7 @@ struct psc_buffer { struct psc_entry entries[]; } __packed; =20 -static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc); +static int snp_begin_psc(struct vcpu_svm *svm); =20 static void snp_complete_psc(struct vcpu_svm *svm, u64 psc_ret) { @@ -3883,7 +3883,6 @@ static void __snp_complete_one_psc(struct vcpu_svm *s= vm) static int snp_complete_one_psc(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); - struct psc_buffer *psc =3D svm->sev_es.ghcb_sa; =20 if (vcpu->run->hypercall.ret) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
@@ -3893,11 +3892,13 @@ static int snp_complete_one_psc(struct kvm_vcpu *vc= pu) __snp_complete_one_psc(svm); =20 /* Handle the next range (if any). */ - return snp_begin_psc(svm, psc); + return snp_begin_psc(svm); } =20 -static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc) +static int snp_begin_psc(struct vcpu_svm *svm) { + struct vcpu_sev_es_state *sev_es =3D &svm->sev_es; + struct psc_buffer *psc =3D sev_es->ghcb_sa; struct psc_entry *entries =3D psc->entries; struct kvm_vcpu *vcpu =3D &svm->vcpu; struct psc_hdr *hdr =3D &psc->hdr; 
@@ -4567,7 +4568,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) if (ret) break; =20 - ret =3D snp_begin_psc(svm, svm->sev_es.ghcb_sa); + ret =3D snp_begin_psc(svm); break; case SVM_VMGEXIT_AP_CREATION: ret =3D sev_snp_ap_creation(svm); --=20 2.54.0
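Review bot: in the snp_begin_psc() hunk, the new `struct psc_buffer *psc = sev_es->ghcb_sa;` is dereferenced unconditionally, so the function now silently depends on the scratch area still being mapped when snp_complete_one_psc() re-enters it after the KVM_HC_MAP_GPA_RANGE exit; the commit message states that it *must* be the scratch area, but nothing in the code asserts it. A `if (WARN_ON_ONCE(!psc))` following the existing `snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); return 1;` pattern would document the invariant and turn a stale or missing mapping into a clean PSC failure instead of a NULL dereference.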
From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth , stable@vger.kernel.org Subject: [PATCH 09/24] KVM: SEV: Check PSC request indices against the actual size of the buffer Date: Fri, 29 May 2026 20:35:34 +0200 Message-ID: <20260529183549.1104619-10-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson When processing Page State Change (PSC) requests, validate the PSC buffer against the effective size of the scratch area, which could be less than the maximum size if the guest provided a pointer that isn't exactly at the start of the GHCB shared buffer. Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMG= EXIT") Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky Reviewed-by: Michael Roth Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-10-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 8577451b82b2..6e8cbae2135a 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3903,7 +3903,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) struct kvm_vcpu *vcpu =3D &svm->vcpu; struct psc_hdr *hdr =3D &psc->hdr; struct psc_entry entry_start; - u16 idx, idx_start, idx_end; + u16 idx, idx_start, idx_end, max_nr_entries; int npages; bool huge; u64 gfn; 
@@ -3913,6 +3913,19 @@ static int snp_begin_psc(struct vcpu_svm *svm) return 1; } =20 + /* + * GHCB v2 requires the scratch area to reside within the GHCB itself, + * and PSC requests are only supported for GHCB v2+. Thus it should be + * impossible to exceed the max PSC entry count (which is derived from + * the size of the shared GHCB buffer). + */ + max_nr_entries =3D (sev_es->ghcb_sa_len - sizeof(struct psc_hdr)) / + sizeof(struct psc_entry); + if (WARN_ON_ONCE(max_nr_entries > VMGEXIT_PSC_MAX_COUNT)) { + snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); + return 1; + } + next_range: /* There should be no other PSCs in-flight at this point. */ if (WARN_ON_ONCE(svm->sev_es.psc_inflight)) { 
@@ -3928,7 +3941,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) idx_start =3D hdr->cur_entry; idx_end =3D hdr->end_entry; =20 - if (idx_end >=3D VMGEXIT_PSC_MAX_COUNT) { + if (idx_end >=3D max_nr_entries) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR); return 1; } --=20 2.54.0
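Review bot: the `max_nr_entries` computation in the first hunk assumes `sev_es->ghcb_sa_len >= sizeof(struct psc_hdr)`; if the scratch-area setup does not already guarantee that minimum (it is not visible in this hunk), the subtraction is evaluated as size_t and wraps, and truncating the quotient into a `u16` can yield a value below VMGEXIT_PSC_MAX_COUNT, so the WARN_ON_ONCE() would not fire. Suggest an explicit `if (sev_es->ghcb_sa_len < sizeof(struct psc_hdr))` ahead of the division that fails with VMGEXIT_PSC_ERROR_INVALID_HDR, so the bound is never derived from a wrapped length.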
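Review bot: the second hunk bounds only `idx_end`; `idx_start` is safe only because the loop runs `idx` from idx_start to idx_end inclusive, so an idx_start greater than idx_end never indexes the buffer, and that reasoning is not stated anywhere near the check. A short comment on the `if (idx_end >=3D max_nr_entries)` line, along the lines of "cur_entry is bounded by end_entry via the loop condition", would spare the next reader from re-deriving why the lower index needs no check of its own.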
From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth , stable@vger.kernel.org Subject: [PATCH 10/24] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Date: Fri, 29 May 2026 20:35:35 +0200 Message-ID: <20260529183549.1104619-11-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Use READ_ONCE() when reading entries/indices from the guest-accessible Page State Change buffer to defend against TOCTOU bugs. Don't bother with READ_ONCE()/WRITE_ONCE() for cases where KVM is writing (and not consuming the result!), as the guest isn't supposed to touch the buffer while it's being processed. I.e. using READ_ONCE() is all about protecting against misbehaving guests. Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMG= EXIT") Cc: stable@vger.kernel.org Reviewed-by: Tom Lendacky Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-11-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 6e8cbae2135a..62b5befe0eed 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3872,9 +3872,9 @@ static void __snp_complete_one_psc(struct vcpu_svm *s= vm) */ for (idx =3D svm->sev_es.psc_idx; svm->sev_es.psc_inflight; svm->sev_es.psc_inflight--, idx++) { - struct psc_entry *entry =3D &entries[idx]; + struct psc_entry entry =3D READ_ONCE(entries[idx]); =20 - entry->cur_page =3D entry->pagesize ? 512 : 1; + entries[idx].cur_page =3D entry.pagesize ? 512 : 1; } =20 hdr->cur_entry =3D idx; @@ -3938,8 +3938,8 @@ static int snp_begin_psc(struct vcpu_svm *svm) * validation, so take care to only use validated copies of values used * for things like array indexing. */ - idx_start =3D hdr->cur_entry; - idx_end =3D hdr->end_entry; + idx_start =3D READ_ONCE(hdr->cur_entry); + idx_end =3D READ_ONCE(hdr->end_entry); =20 if (idx_end >=3D max_nr_entries) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR); @@ -3948,7 +3948,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) =20 /* Find the start of the next range which needs processing. */ for (idx =3D idx_start; idx <=3D idx_end; idx++, hdr->cur_entry++) { - entry_start =3D entries[idx]; + entry_start =3D READ_ONCE(entries[idx]); =20 gfn =3D entry_start.gfn; huge =3D entry_start.pagesize; 
@@ -3992,7 +3992,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) * KVM_HC_MAP_GPA_RANGE exit. */ while (++idx <=3D idx_end) { - struct psc_entry entry =3D entries[idx]; + struct psc_entry entry =3D READ_ONCE(entries[idx]); =20 if (entry.operation !=3D entry_start.operation || entry.gfn !=3D entry_start.gfn + npages || --=20 2.54.0
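Review bot: `READ_ONCE(entries[idx])` on a whole struct, introduced in the __snp_complete_one_psc() hunk and repeated in the later ones, compiles only because READ_ONCE() accepts a non-native type whose size equals sizeof(long long); the build would break if `struct psc_entry` ever stopped being a single 8-byte word, but the reason a struct snapshot is a consistent read in the first place is not obvious from the call sites. A one-line comment on the first such read ("struct psc_entry is one u64, so READ_ONCE() yields a torn-free snapshot"), or a static_assert beside the struct definition, would make the TOCTOU argument in the commit message self-contained.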
From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth Subject: [PATCH 11/24] KVM: SEV: Make it more obvious when KVM is writing back the current PSC index Date: Fri, 29 May 2026 20:35:36 +0200 Message-ID: <20260529183549.1104619-12-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Increment the guest-visible "cur_entry" index outside of the for-loop when processing Page State Change entries, and add a comment to make it more obvious which code is operating on trusted data, and which code is touching guest-accessible data. No functional change intended. Reviewed-by: Tom Lendacky Reviewed-by: Michael Roth Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-12-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 62b5befe0eed..1982d13e71d9 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3947,7 +3947,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) } =20 /* Find the start of the next range which needs processing. */ - for (idx =3D idx_start; idx <=3D idx_end; idx++, hdr->cur_entry++) { + for (idx =3D idx_start; idx <=3D idx_end; idx++) { entry_start =3D READ_ONCE(entries[idx]); =20 gfn =3D entry_start.gfn; 
@@ -3974,6 +3974,14 @@ static int snp_begin_psc(struct vcpu_svm *svm) =20 if (npages) break; + + /* + * Increment the guest-visible index to communicate the current + * entry back to the guest, e.g. in case of failure. No need + * for READ_ONCE() as KVM doesn't consume the field, i.e. a + * misbehaving guest can only break itself. + */ + hdr->cur_entry++; } =20 if (idx > idx_end) { --=20 2.54.0
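Review bot: moving `hdr->cur_entry++` from the for-header to the end of the loop body is a no-op only if nothing between the loop head at 3950 and the `if (npages) break;` at 3974 executes a `continue`; that stretch of the body is not shown in either hunk, so it is worth confirming before relying on "No functional change intended". The old `idx++, hdr->cur_entry++` increment ran on every non-breaking iteration, whereas a `continue` would now skip the new trailing increment and leave the guest-visible index one behind.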
From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth Subject: [PATCH 12/24] KVM: SEV: Add an anonymous "psc" struct to track current PSC metadata Date: Fri, 29 May 2026 20:35:37 +0200 Message-ID: <20260529183549.1104619-13-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Add a "psc" struct to vcpu_sev_es_state to avoid having to prefix all of the fields with "psc_". Take advantage of the code churn to opportunistically rename local variables to "guest_psc" to make it more obvious that the buffer is guest data, and more importantly, guest accessible! Opportunistically rename inflight =3D> batch_size as well, because there can really only be one operation in-flight (per-vCPU), i.e. "inflight" _looks_ like a boolean, but in actuality is an integer tracking how many pages are being handled by the current operation. No functional change intended. Reviewed-by: Tom Lendacky Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-13-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 43 +++++++++++++++++++----------------------- arch/x86/kvm/svm/svm.h | 8 +++++--- 2 files changed, 24 insertions(+), 27 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 1982d13e71d9..9f6543cebedf 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c
@@ -3845,9 +3845,7 @@ static int snp_begin_psc(struct vcpu_svm *svm); =20 static void snp_complete_psc(struct vcpu_svm *svm, u64 psc_ret) { - svm->sev_es.psc_inflight =3D 0; - svm->sev_es.psc_idx =3D 0; - svm->sev_es.psc_2m =3D false; + memset(&svm->sev_es.psc, 0, sizeof(svm->sev_es.psc)); =20 /* * PSC requests always get a "no action" response in SW_EXITINFO1, with @@ -3860,9 +3858,8 @@ static void snp_complete_psc(struct vcpu_svm *svm, u6= 4 psc_ret) =20 static void __snp_complete_one_psc(struct vcpu_svm *svm) { - struct psc_buffer *psc =3D svm->sev_es.ghcb_sa; - struct psc_entry *entries =3D psc->entries; - struct psc_hdr *hdr =3D &psc->hdr; + struct vcpu_sev_es_state *sev_es =3D &svm->sev_es; + struct psc_buffer *guest_psc =3D sev_es->ghcb_sa; __u16 idx; =20 /* @@ -3870,14 +3867,14 @@ static void __snp_complete_one_psc(struct vcpu_svm = *svm) * corresponding entries in the guest's PSC buffer and zero out the * count of in-flight PSC entries. */ - for (idx =3D svm->sev_es.psc_idx; svm->sev_es.psc_inflight; - svm->sev_es.psc_inflight--, idx++) { - struct psc_entry entry =3D READ_ONCE(entries[idx]); + for (idx =3D sev_es->psc.cur_idx; sev_es->psc.batch_size; + sev_es->psc.batch_size--, idx++) { + struct psc_entry entry =3D READ_ONCE(guest_psc->entries[idx]); =20 - entries[idx].cur_page =3D entry.pagesize ? 512 : 1; + guest_psc->entries[idx].cur_page =3D entry.pagesize ? 512 : 1; } =20 - hdr->cur_entry =3D idx; + guest_psc->hdr.cur_entry =3D idx; } =20 static int snp_complete_one_psc(struct kvm_vcpu *vcpu) 
@@ -3898,10 +3895,8 @@ static int snp_complete_one_psc(struct kvm_vcpu *vcp= u) static int snp_begin_psc(struct vcpu_svm *svm) { struct vcpu_sev_es_state *sev_es =3D &svm->sev_es; - struct psc_buffer *psc =3D sev_es->ghcb_sa; - struct psc_entry *entries =3D psc->entries; + struct psc_buffer *guest_psc =3D sev_es->ghcb_sa; struct kvm_vcpu *vcpu =3D &svm->vcpu; - struct psc_hdr *hdr =3D &psc->hdr; struct psc_entry entry_start; u16 idx, idx_start, idx_end, max_nr_entries; int npages; @@ -3928,7 +3923,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) =20 next_range: /* There should be no other PSCs in-flight at this point. */ - if (WARN_ON_ONCE(svm->sev_es.psc_inflight)) { + if (WARN_ON_ONCE(svm->sev_es.psc.batch_size)) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); return 1; } @@ -3938,8 +3933,8 @@ static int snp_begin_psc(struct vcpu_svm *svm) * validation, so take care to only use validated copies of values used * for things like array indexing. */ - idx_start =3D READ_ONCE(hdr->cur_entry); - idx_end =3D READ_ONCE(hdr->end_entry); + idx_start =3D READ_ONCE(guest_psc->hdr.cur_entry); + idx_end =3D READ_ONCE(guest_psc->hdr.end_entry); =20 if (idx_end >=3D max_nr_entries) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR); @@ -3948,7 +3943,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) =20 /* Find the start of the next range which needs processing. */ for (idx =3D idx_start; idx <=3D idx_end; idx++) { - entry_start =3D READ_ONCE(entries[idx]); + entry_start =3D READ_ONCE(guest_psc->entries[idx]); =20 gfn =3D entry_start.gfn; huge =3D entry_start.pagesize; @@ -3981,7 +3976,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) * for READ_ONCE() as KVM doesn't consume the field, i.e. a * misbehaving guest can only break itself. */ - hdr->cur_entry++; + guest_psc->hdr.cur_entry++; } =20 if (idx > idx_end) { 
@@ -3990,9 +3985,9 @@ static int snp_begin_psc(struct vcpu_svm *svm) return 1; } =20 - svm->sev_es.psc_2m =3D huge; - svm->sev_es.psc_idx =3D idx; - svm->sev_es.psc_inflight =3D 1; + sev_es->psc.is_2m =3D huge; + sev_es->psc.cur_idx =3D idx; + sev_es->psc.batch_size =3D 1; =20 /* * Find all subsequent PSC entries that contain adjacent GPA @@ -4000,14 +3995,14 @@ static int snp_begin_psc(struct vcpu_svm *svm) * KVM_HC_MAP_GPA_RANGE exit. */ while (++idx <=3D idx_end) { - struct psc_entry entry =3D READ_ONCE(entries[idx]); + struct psc_entry entry =3D READ_ONCE(guest_psc->entries[idx]); =20 if (entry.operation !=3D entry_start.operation || entry.gfn !=3D entry_start.gfn + npages || entry.cur_page || !!entry.pagesize !=3D huge) break; =20 - svm->sev_es.psc_inflight++; + sev_es->psc.batch_size++; npages +=3D huge ? 512 : 1; } =20 diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index a10668d17a16..06192bc9c107 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h 
@@ -257,9 +257,11 @@ struct vcpu_sev_es_state { bool ghcb_sa_free; =20 /* SNP Page-State-Change buffer entries currently being processed */ - u16 psc_idx; - u16 psc_inflight; - bool psc_2m; + struct { + u16 cur_idx; + u16 batch_size; + bool is_2m; + } psc; =20 u64 ghcb_registered_gpa; =20 --=20 2.54.0
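Review bot: the svm.h hunk (@@ -257,9) leaves the new anonymous struct with only the inherited one-line comment, so the meaning of batch_size is documented nowhere in the code even though the commit message needs a paragraph to explain it. Note also that batch_size counts PSC entries, not pages: in the @@ -4000,14 hunk it is bumped once per coalesced entry (`sev_es->psc.batch_size++;`) while `npages += huge ? 512 : 1;` tracks the page count, so the commit message's "how many pages are being handled" is slightly off. Suggest per-field comments, e.g. `u16 cur_idx; /* first guest PSC entry of the in-flight range */` and `u16 batch_size; /* entries coalesced into the current exit, 0 = nothing in flight */`.

Review bot: in the @@ -3928,7 hunk the WARN_ON_ONCE is converted to `svm->sev_es.psc.batch_size` although `sev_es` is already in scope in snp_begin_psc and the later hunks in the same function use `sev_es->psc.is_2m`, `sev_es->psc.cur_idx` and `sev_es->psc.batch_size`; using the `sev_es` accessor there as well would keep the function consistent.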
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth
Subject: [PATCH 13/24] KVM: SEV: Read start/end indices of PSC requests exactly once per #VMGEXIT
Date: Fri, 29 May 2026 20:35:38 +0200
Message-ID: <20260529183549.1104619-14-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Rework Page State Change (PSC) handling to read the guest-provided start
and end indices exactly once, at the beginning of the request. Re-reading
the indices is "fine", _if_ the guest is well-behaved. KVM _should_ be
safe against concurrent guest modification of the indices, but there is
zero reason to introduce unnecessary risk.

Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-14-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 86 +++++++++++++++++++++++-------------------
 arch/x86/kvm/svm/svm.h |  1 +
 2 files changed, 49 insertions(+), 38 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 9f6543cebedf..4ebe0d449789 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3841,7 +3841,7 @@ struct psc_buffer { struct psc_entry entries[]; } __packed; =20 -static int snp_begin_psc(struct vcpu_svm *svm); +static int snp_do_psc(struct vcpu_svm *svm); =20 static void snp_complete_psc(struct vcpu_svm *svm, u64 psc_ret) { @@ -3874,6 +3874,7 @@ static void __snp_complete_one_psc(struct vcpu_svm *s= vm) guest_psc->entries[idx].cur_page =3D entry.pagesize ? 512 : 1; } =20 + sev_es->psc.cur_idx =3D idx; guest_psc->hdr.cur_entry =3D idx; } =20 
@@ -3889,37 +3890,19 @@ static int snp_complete_one_psc(struct kvm_vcpu *vc= pu) __snp_complete_one_psc(svm); =20 /* Handle the next range (if any). */ - return snp_begin_psc(svm); + return snp_do_psc(svm); } =20 -static int snp_begin_psc(struct vcpu_svm *svm) +static int snp_do_psc(struct vcpu_svm *svm) { struct vcpu_sev_es_state *sev_es =3D &svm->sev_es; struct psc_buffer *guest_psc =3D sev_es->ghcb_sa; struct kvm_vcpu *vcpu =3D &svm->vcpu; struct psc_entry entry_start; - u16 idx, idx_start, idx_end, max_nr_entries; int npages; bool huge; u64 gfn; - - if (!user_exit_on_hypercall(vcpu->kvm, KVM_HC_MAP_GPA_RANGE)) { - snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); - return 1; - } - - /* - * GHCB v2 requires the scratch area to reside within the GHCB itself, - * and PSC requests are only supported for GHCB v2+. Thus it should be - * impossible to exceed the max PSC entry count (which is derived from - * the size of the shared GHCB buffer). - */ - max_nr_entries =3D (sev_es->ghcb_sa_len - sizeof(struct psc_hdr)) / - sizeof(struct psc_entry); - if (WARN_ON_ONCE(max_nr_entries > VMGEXIT_PSC_MAX_COUNT)) { - snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); - return 1; - } + u16 idx; =20 next_range: /* There should be no other PSCs in-flight at this point. */ 
@@ -3928,21 +3911,8 @@ static int snp_begin_psc(struct vcpu_svm *svm) return 1; } =20 - /* - * The PSC descriptor buffer can be modified by a misbehaved guest after - * validation, so take care to only use validated copies of values used - * for things like array indexing. - */ - idx_start =3D READ_ONCE(guest_psc->hdr.cur_entry); - idx_end =3D READ_ONCE(guest_psc->hdr.end_entry); - - if (idx_end >=3D max_nr_entries) { - snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR); - return 1; - } - /* Find the start of the next range which needs processing. */ - for (idx =3D idx_start; idx <=3D idx_end; idx++) { + for (idx =3D sev_es->psc.cur_idx; idx <=3D sev_es->psc.end_idx; idx++) { entry_start =3D READ_ONCE(guest_psc->entries[idx]); =20 gfn =3D entry_start.gfn; @@ -3979,7 +3949,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) guest_psc->hdr.cur_entry++; } =20 - if (idx > idx_end) { + if (idx > sev_es->psc.end_idx) { /* Nothing more to process. */ snp_complete_psc(svm, 0); return 1; @@ -3994,7 +3964,7 @@ static int snp_begin_psc(struct vcpu_svm *svm) * ranges/operations and can be combined into a single * KVM_HC_MAP_GPA_RANGE exit. */ - while (++idx <=3D idx_end) { + while (++idx <=3D sev_es->psc.end_idx) { struct psc_entry entry =3D READ_ONCE(guest_psc->entries[idx]); =20 if (entry.operation !=3D entry_start.operation || 
@@ -4044,6 +4014,46 @@ static int snp_begin_psc(struct vcpu_svm *svm) BUG(); } =20 +static int snp_begin_psc(struct vcpu_svm *svm) +{ + struct vcpu_sev_es_state *sev_es =3D &svm->sev_es; + struct psc_buffer *guest_psc =3D sev_es->ghcb_sa; + u16 max_nr_entries; + + if (!user_exit_on_hypercall(svm->vcpu.kvm, KVM_HC_MAP_GPA_RANGE)) { + snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); + return 1; + } + + /* + * GHCB v2 requires the scratch area to reside within the GHCB itself, + * and PSC requests are only supported for GHCB v2+. Thus it should be + * impossible to exceed the max PSC entry count (which is derived from + * the size of the shared GHCB buffer). + */ + max_nr_entries =3D (sev_es->ghcb_sa_len - sizeof(struct psc_hdr)) / + sizeof(struct psc_entry); + if (WARN_ON_ONCE(max_nr_entries > VMGEXIT_PSC_MAX_COUNT)) { + snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); + return 1; + } + + /* + * The PSC descriptor buffer can be modified by a misbehaved guest after + * validation, so take care to only use validated copies of values used + * for things like array indexing. + */ + sev_es->psc.cur_idx =3D READ_ONCE(guest_psc->hdr.cur_entry); + sev_es->psc.end_idx =3D READ_ONCE(guest_psc->hdr.end_entry); + + if (sev_es->psc.end_idx >=3D max_nr_entries) { + snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR); + return 1; + } + + return snp_do_psc(svm); +} + /* * Invoked as part of svm_vcpu_reset() processing of an init event. */ diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 06192bc9c107..5137416be593 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h 
@@ -259,6 +259,7 @@ struct vcpu_sev_es_state { /* SNP Page-State-Change buffer entries currently being processed */ struct { u16 cur_idx; + u16 end_idx; u16 batch_size; bool is_2m; } psc; --=20 2.54.0
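Review bot: in the new snp_begin_psc (@@ -4044,6 hunk) cur_idx is copied from the guest header but never bounds-checked on its own; its safety as an array index rests entirely on the `end_idx >= max_nr_entries` rejection plus the `idx <= sev_es->psc.end_idx` loop bound in snp_do_psc (a cur_idx larger than end_idx simply skips the loop and completes with status 0). That invariant deserves a sentence in the comment above the two READ_ONCE() reads, since any future code that indexes `guest_psc->entries[sev_es->psc.cur_idx]` outside that loop would silently lose the protection.

Review bot: the @@ -3874,6 hunk now keeps a private `sev_es->psc.cur_idx` alongside the guest-visible `guest_psc->hdr.cur_entry`, but the skip loop in snp_do_psc (@@ -3979,7 hunk context) still advances only `guest_psc->hdr.cur_entry++`; the private copy only catches up via the `sev_es->psc.cur_idx = idx;` assignment that patch 12 placed after the loop. Worth a one-line comment at the `cur_entry++` site saying the KVM-private index is refreshed once the range start is found, so readers do not suspect the two copies can drift apart.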
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 14/24] KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
Date: Fri, 29 May 2026 20:35:39 +0200
Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero. This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporary load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page. But for the VM's refcount to
reach zero, there can't be _any_ userspace mappings to the dirty ring, as
mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive. And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.

Reported-by: Michael Roth
Cc: stable@vger.kernel.org
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-15-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 virt/kvm/kvm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 89489996fbc1..881f92d7a469 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3520,7 +3520,8 @@ void mark_page_dirty_in_slot(struct kvm *kvm, if (WARN_ON_ONCE(vcpu && vcpu->kvm !=3D kvm)) return; =20 - WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm)); + WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) && + !kvm_arch_allow_write_without_running_vcpu(kvm)); #endif =20 if (memslot && kvm_slot_dirty_track_enabled(memslot)) { --=20 2.54.0
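Review bot: the reasoning for why `refcount_read(&kvm->users_count) == 0` makes a missed dirty-ring push unobservable lives only in the commit message; the @@ -3520,7 hunk on its own reads as though a dying VM is simply exempt from the running-vCPU rule. A short comment above the WARN_ON_ONCE (e.g. "once users_count is zero no vCPU FD, and so no dirty-ring mmap, can still exist, so a missed push cannot be observed") would keep the justification next to the check. It could also state that refcount_read() is an unsynchronized snapshot, which is acceptable here only because the condition gates a diagnostic and not a correctness decision.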
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 15/24] KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb()
Date: Fri, 29 May 2026 20:35:40 +0200
Message-ID: <20260529183549.1104619-16-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Relocate sev_free_vcpu() down in sev.c so that its definition comes after
sev_es_unmap_ghcb(). This will allow sharing unmap functionality between
the two functions without needing a forward declaration (or weird
placement of the common code).

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-16-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 62 +++++++++++++++++++++---------------------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 4ebe0d449789..437282f0ea94 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3313,37 +3313,6 @@ void sev_guest_memory_reclaimed(struct kvm *kvm) sev_writeback_caches(kvm); } =20 -void sev_free_vcpu(struct kvm_vcpu *vcpu) -{ - struct vcpu_svm *svm; - - if (!is_sev_es_guest(vcpu)) - return; - - svm =3D to_svm(vcpu); - - /* - * If it's an SNP guest, then the VMSA was marked in the RMP table as - * a guest-owned page. Transition the page to hypervisor state before - * releasing it back to the system. - */ - if (is_sev_snp_guest(vcpu)) { - u64 pfn =3D __pa(svm->sev_es.vmsa) >> PAGE_SHIFT; - - if (kvm_rmp_make_shared(vcpu->kvm, pfn, PG_LEVEL_4K)) - goto skip_vmsa_free; - } - - if (vcpu->arch.guest_state_protected) - sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa); - - __free_page(virt_to_page(svm->sev_es.vmsa)); - -skip_vmsa_free: - if (svm->sev_es.ghcb_sa_free) - kvfree(svm->sev_es.ghcb_sa); -} - static void dump_ghcb(struct vcpu_svm *svm) { struct vmcb_control_area *control =3D &svm->vmcb->control; 
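Review bot: the block removed here reappears verbatim in the second hunk (the kvm_rmp_make_shared() attempt, the conditional sev_flush_encrypted_page(), __free_page(), and the kvfree() of ghcb_sa under skip_vmsa_free), so the "No functional change intended" claim checks out by direct comparison. One thing worth a comment on the moved code, since the follow-up patches extend it: when kvm_rmp_make_shared() fails the VMSA page is deliberately left allocated (the goto skips __free_page()) because the RMP still marks it guest-owned, while the ghcb_sa buffer is still freed on that path.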
@@ -3618,6 +3587,37 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm) svm->sev_es.ghcb =3D NULL; } =20 +void sev_free_vcpu(struct kvm_vcpu *vcpu) +{ + struct vcpu_svm *svm; + + if (!is_sev_es_guest(vcpu)) + return; + + svm =3D to_svm(vcpu); + + /* + * If it's an SNP guest, then the VMSA was marked in the RMP table as + * a guest-owned page. Transition the page to hypervisor state before + * releasing it back to the system. + */ + if (is_sev_snp_guest(vcpu)) { + u64 pfn =3D __pa(svm->sev_es.vmsa) >> PAGE_SHIFT; + + if (kvm_rmp_make_shared(vcpu->kvm, pfn, PG_LEVEL_4K)) + goto skip_vmsa_free; + } + + if (vcpu->arch.guest_state_protected) + sev_flush_encrypted_page(vcpu, svm->sev_es.vmsa); + + __free_page(virt_to_page(svm->sev_es.vmsa)); + +skip_vmsa_free: + if (svm->sev_es.ghcb_sa_free) + kvfree(svm->sev_es.ghcb_sa); +} + int pre_sev_run(struct vcpu_svm *svm, int cpu) { struct svm_cpu_data *sd =3D per_cpu_ptr(&svm_data, cpu); --=20 2.54.0
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 16/24] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
Date: Fri, 29 May 2026 20:35:41 +0200
Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that the free/unpin path can be reused when freeing a vCPU.

Opportunistically add a WARN to harden KVM against stomping over (and thus leaking) an already-allocated scratch area.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-17-seanjc@google.com>
Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 437282f0ea94..11d46600cbdc 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3560,20 +3560,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm) if (!svm->sev_es.ghcb) return; =20 - if (svm->sev_es.ghcb_sa_free) { - /* - * The scratch area lives outside the GHCB, so there is a - * buffer that, depending on the operation performed, may - * need to be synced, then freed. - */ - if (svm->sev_es.ghcb_sa_sync) { - kvm_write_guest(svm->vcpu.kvm, - svm->sev_es.sw_scratch, - svm->sev_es.ghcb_sa, - svm->sev_es.ghcb_sa_len); - svm->sev_es.ghcb_sa_sync =3D false; - } + /* + * If the scratch area lives outside the GHCB, there's a buffer that, + * depending on the operation performed, may need to be synced. + */ + if (svm->sev_es.ghcb_sa_sync) { + kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch, + svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len); + svm->sev_es.ghcb_sa_sync =3D false; + } =20 + if (svm->sev_es.ghcb_sa_free) { kvfree(svm->sev_es.ghcb_sa); svm->sev_es.ghcb_sa =3D NULL; svm->sev_es.ghcb_sa_free =3D false; @@ -3685,6 +3682,8 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm= , bool sync, u64 min_len) goto e_scratch; } =20 + WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free); + if ((scratch_gpa_beg & PAGE_MASK) =3D=3D control->ghcb_gpa) { /* Scratch area begins within GHCB */ ghcb_scratch_beg =3D control->ghcb_gpa + 
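Review bot: in the first hunk the ghcb_sa_sync branch is no longer nested under ghcb_sa_free, so the kvm_write_guest() write-back of the scratch area is now reached whenever ghcb_sa_sync is set, regardless of whether ghcb_sa points at a separately allocated buffer or aliases the mapped GHCB. That is behaviour-preserving only if ghcb_sa_sync is never left set for a scratch area that lives inside the GHCB; the third hunk of this patch makes that explicit by clearing both flags in the in-GHCB branch of setup_vmgexit_scratch(), but the invariant (sync implies free) deserves a one-line comment next to the decoupled check so a later change does not break it. For the WARN_ON_ONCE in the second hunk: it only reports, it does not release the previously allocated buffer, so if it ever fires the old ghcb_sa is still leaked; and since setup_vmgexit_scratch() runs on a guest-initiated #VMGEXIT, the condition must be reachable only through a KVM bug and never through guest-controlled sequencing, otherwise a panic_on_warn host turns this hardening into a guest-triggerable crash.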
@@ -3706,6 +3705,8 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm= , bool sync, u64 min_len) scratch_va =3D (void *)svm->sev_es.ghcb; scratch_va +=3D (scratch_gpa_beg - control->ghcb_gpa); =20 + svm->sev_es.ghcb_sa_sync =3D false; + svm->sev_es.ghcb_sa_free =3D false; svm->sev_es.ghcb_sa_len =3D ghcb_scratch_end - scratch_gpa_beg; } else { /* GHCB v2 requires the scratch area to be within the GHCB. */ --=20 2.54.0
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 17/24] KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free
Date: Fri, 29 May 2026 20:35:42 +0200
Message-ID: <20260529183549.1104619-18-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Unmap and unpin the GHCB as needed when freeing a vCPU. If the VM is destroyed after mapping+pinning the GHCB on #VMGEXIT, without re-running the vCPU, KVM will effectively leak the GHCB and any mappings created for the GHCB.

Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Cc: stable@vger.kernel.org
Tested-by: Michael Roth
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-18-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 11d46600cbdc..6c6a6d663e29 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3552,6 +3552,20 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *= svm) return 1; } =20 +static void __sev_es_unmap_ghcb(struct vcpu_svm *svm) +{ + if (svm->sev_es.ghcb_sa_free) { + kvfree(svm->sev_es.ghcb_sa); + svm->sev_es.ghcb_sa =3D NULL; + svm->sev_es.ghcb_sa_free =3D false; + } + + if (svm->sev_es.ghcb) { + kvm_vcpu_unmap(&svm->vcpu, &svm->sev_es.ghcb_map); + svm->sev_es.ghcb =3D NULL; + } +} + void sev_es_unmap_ghcb(struct vcpu_svm *svm) { /* Clear any indication that the vCPU is in a type of AP Reset Hold */ @@ -3570,18 +3584,11 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm) svm->sev_es.ghcb_sa_sync =3D false; } =20 - if (svm->sev_es.ghcb_sa_free) { - kvfree(svm->sev_es.ghcb_sa); - svm->sev_es.ghcb_sa =3D NULL; - svm->sev_es.ghcb_sa_free =3D false; - } - trace_kvm_vmgexit_exit(svm->vcpu.vcpu_id, svm->sev_es.ghcb); =20 sev_es_sync_to_ghcb(svm); =20 - kvm_vcpu_unmap(&svm->vcpu, &svm->sev_es.ghcb_map); - svm->sev_es.ghcb =3D NULL; + __sev_es_unmap_ghcb(svm); } =20 void sev_free_vcpu(struct kvm_vcpu *vcpu) 
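Review bot: __sev_es_unmap_ghcb() frees the scratch buffer and unmaps the GHCB but does not touch ghcb_sa_sync, which the remaining body of sev_es_unmap_ghcb() still clears separately in the sync block above the call. That is fine for the two callers this patch introduces (the #VMGEXIT completion path clears the flag first, and the vCPU-free path never runs the guest again), but a future caller that keeps the vCPU alive would be left with ghcb_sa_sync set while ghcb_sa is already NULL; either clear ghcb_sa_sync in the helper as well, or state the precondition in a comment above it. The NULL check on svm->sev_es.ghcb is what makes the helper safe to call unconditionally from sev_free_vcpu(), where a vCPU may be destroyed without ever having taken a #VMGEXIT, so that check should stay even though the existing caller already guarantees a non-NULL ghcb.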
@@ -3611,8 +3618,7 @@ void sev_free_vcpu(struct kvm_vcpu *vcpu) __free_page(virt_to_page(svm->sev_es.vmsa)); =20 skip_vmsa_free: - if (svm->sev_es.ghcb_sa_free) - kvfree(svm->sev_es.ghcb_sa); + __sev_es_unmap_ghcb(svm); } =20 int pre_sev_run(struct vcpu_svm *svm, int cpu) --=20 2.54.0
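Review bot: because skip_vmsa_free is also the landing point for a failed kvm_rmp_make_shared(), routing that label through __sev_es_unmap_ghcb() means a failed RMP transition no longer leaves the GHCB pinned on top of the (intentionally) leaked VMSA page, which is the right outcome. What this path still does not do is consult ghcb_sa_sync, so any write-back the guest was owed is dropped at teardown; that is correct for a VM being destroyed, but a short comment at the label would make clear that this is deliberate rather than an oversight, given that the same label used to do nothing more than a kvfree().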
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth, stable@vger.kernel.org
Subject: [PATCH 18/24] KVM: SEV: Don't terminate SNP VMs on #VMGEXIT without a registered GHCB
Date: Fri, 29 May 2026 20:35:43 +0200
Message-ID: <20260529183549.1104619-19-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

If the guest attempts a non-MSR #VMGEXIT without the registered GHCB, return a GHCB_HV_RESP_MALFORMED_INPUT+GHCB_ERR_NOT_REGISTERED error to the guest instead of exiting KVM_RUN with -EINVAL (and in all likelihood killing the VM). KVM has already mapped the requested GHCB, i.e. can cleanly report an error, and so exiting with -EINVAL is completely unjustified.

Fixes: 0c76b1d08280 ("KVM: SEV: Add support to handle GHCB GPA register VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-19-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
 arch/x86/kvm/svm/sev.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index 6c6a6d663e29..7c2ebc81306f 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4520,9 +4520,12 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) sev_es_sync_from_ghcb(svm); =20 /* SEV-SNP guest requires that the GHCB GPA must be registered */ - if (is_sev_snp_guest(vcpu) && !ghcb_gpa_is_registered(svm, ghcb_gpa)) { - vcpu_unimpl(&svm->vcpu, "vmgexit: GHCB GPA [%#llx] is not registered.\n"= , ghcb_gpa); - return -EINVAL; + if (is_sev_snp_guest(vcpu) && + !ghcb_gpa_is_registered(svm, control->ghcb_gpa)) { + vcpu_unimpl(vcpu, "vmgexit: GHCB GPA [%#llx] is not registered.\n", + control->ghcb_gpa); + svm_vmgexit_bad_input(svm, GHCB_ERR_NOT_REGISTERED); + return 1; } =20 ret =3D sev_es_validate_vmgexit(svm); --=20 2.54.0
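Review bot: returning 1 after svm_vmgexit_bad_input() keeps the vCPU runnable and hands the guest a GHCB_ERR_NOT_REGISTERED result, whereas the removed -EINVAL propagated out of KVM_RUN and, as the commit message says, most likely killed the VM; since the GHCB GPA is guest-controlled input, the old behaviour let a confused or misbehaving SNP guest tear down its own VM through a host-side error path instead of being told what it got wrong, so the new shape is the right one. Two details worth confirming: the check now reads control->ghcb_gpa rather than the local ghcb_gpa the old code used, which is fine only if the two cannot differ at this point (the local's assignment is outside the hunk); and vcpu_unimpl() is rate-limited but still guest-triggerable log output on a path that is now a normal, recoverable guest error, so consider whether the message is still warranted once the guest receives a proper error code.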
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth
Subject: [PATCH 19/24] KVM: SEV: Move GHCB "usage" check out of sev_es_validate_vmgexit()
Date: Fri, 29 May 2026 20:35:44 +0200
Message-ID: <20260529183549.1104619-20-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>
From: Sean Christopherson

Move the check to verify the guest's requested GHCB out of sev_es_validate_vmgexit() as the first step towards making said helper a predicate whose sole purpose is to verify the guest has marked required GHCB fields as valid.

Using a single "validate" helper sounds good on paper, but in practice it's difficult to verify that KVM is performing the necessary sanity checks (the usage of state is far removed from the relevant checks), makes it difficult to understand that "legacy" exits are simply routed to KVM's existing exit handlers, and most importantly, has directly contributed to a number of bugs as adding case-statements to the validation subtly removes them from the default path that rejects unknown exit codes with INVALID_EVENT.

Deliberately extract the usage code check first so as to preserve the order of KVM's checks, even though future code extraction will technically fix bugs.

No functional change intended.

Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-20-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm/sev.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 7c2ebc81306f..880a2acd77bf 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -3416,12 +3416,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *= svm) struct kvm_vcpu *vcpu =3D &svm->vcpu; u64 reason; =20 - /* Only GHCB Usage code 0 is supported */ - if (svm->sev_es.ghcb->ghcb_usage) { - reason =3D GHCB_ERR_INVALID_USAGE; - goto vmgexit_err; - } - reason =3D GHCB_ERR_MISSING_INPUT; =20 if (!kvm_ghcb_sw_exit_code_is_valid(svm) || 
@@ -3534,10 +3528,7 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *= svm) * Print the exit code even though it may not be marked valid as it * could help with debugging. */ - if (reason =3D=3D GHCB_ERR_INVALID_USAGE) { - vcpu_unimpl(vcpu, "vmgexit: ghcb usage %#x is not valid\n", - svm->sev_es.ghcb->ghcb_usage); - } else if (reason =3D=3D GHCB_ERR_INVALID_EVENT) { + if (reason =3D=3D GHCB_ERR_INVALID_EVENT) { vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is not valid\n", control->exit_code); } else { 
@@ -4528,6 +4519,14 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) return 1; } =20 + /* Only GHCB Usage code 0 is supported */ + if (svm->sev_es.ghcb->ghcb_usage) { + vcpu_unimpl(vcpu, "vmgexit: ghcb usage %#x is not valid\n", + svm->sev_es.ghcb->ghcb_usage); + svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_USAGE); + return 1; + } + ret =3D sev_es_validate_vmgexit(svm); if (ret) return ret; --=20 2.54.0
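Review bot: in the hunk added to sev_handle_vmgexit(), svm->sev_es.ghcb->ghcb_usage is read twice from the guest-provided GHCB page, once in the `if` and again as the vcpu_unimpl() argument, so the value that ends up in the host log is not guaranteed to be the value that failed the check if the guest rewrites the field between the two reads (the same double read existed in the code being moved out of sev_es_validate_vmgexit()). Reading the field once into a local and using that local for both the check and the message would make the diagnostic trustworthy without changing the check itself.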
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth
Subject: [PATCH 20/24] KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest
Date: Fri, 29 May 2026 20:35:45 +0200
Message-ID: <20260529183549.1104619-21-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Signal INVALID_EVENT, not MISSING_INPUT, if a non-SNP guest attempts to invoke an SNP-only #VMGEXIT.

Opportunistically move the checks out of sev_es_validate_vmgexit() to continue the march towards making said helper a predicate whose sole purpose is to verify the guest has marked required GHCB fields as valid.

Fixes: e366f92ea99e ("KVM: SEV: Support SEV-SNP AP Creation NAE event")
Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Fixes: 88caf544c930 ("KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event")
Fixes: 74458e4859d8 ("KVM: SEV: Provide support for SNP_EXTENDED_GUEST_REQUEST NAE event")
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-21-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm/sev.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 880a2acd77bf..b59adddfdbcc 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3491,8 +3491,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *s= vm) goto vmgexit_err; break; case SVM_VMGEXIT_AP_CREATION: - if (!is_sev_snp_guest(vcpu)) - goto vmgexit_err; if (lower_32_bits(control->exit_info_1) !=3D SVM_VMGEXIT_AP_DESTROY) if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; @@ -3505,13 +3503,12 @@ static int sev_es_validate_vmgexit(struct vcpu_svm = *svm) case SVM_VMGEXIT_TERM_REQUEST: break; case SVM_VMGEXIT_PSC: - if (!is_sev_snp_guest(vcpu) || !kvm_ghcb_sw_scratch_is_valid(svm)) + if (!kvm_ghcb_sw_scratch_is_valid(svm)) goto vmgexit_err; break; case SVM_VMGEXIT_GUEST_REQUEST: case SVM_VMGEXIT_EXT_GUEST_REQUEST: - if (!is_sev_snp_guest(vcpu) || - !PAGE_ALIGNED(control->exit_info_1) || + if (!PAGE_ALIGNED(control->exit_info_1) || !PAGE_ALIGNED(control->exit_info_2) || control->exit_info_1 =3D=3D control->exit_info_2) goto vmgexit_err; @@ -4476,6 +4473,19 @@ static int sev_handle_vmgexit_msr_protocol(struct vc= pu_svm *svm) return 0; } =20 +static bool is_snp_only_vmgexit(u64 exit_code) +{ + switch (exit_code) { + case SVM_VMGEXIT_AP_CREATION: + case SVM_VMGEXIT_GUEST_REQUEST: + case SVM_VMGEXIT_EXT_GUEST_REQUEST: + case SVM_VMGEXIT_PSC: + return true; + default: + return false; + } +} + int sev_handle_vmgexit(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); 
@@ -4527,6 +4537,13 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) return 1; } =20 + if (is_snp_only_vmgexit(control->exit_code) && !is_sev_snp_guest(vcpu)) { + vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is SNP-only\n", + control->exit_code); + svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT); + return 1; + } + ret =3D sev_es_validate_vmgexit(svm); if (ret) return ret; --=20 2.54.0
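Review bot: the new SNP-only gate in sev_handle_vmgexit() consults control->exit_code before sev_es_validate_vmgexit() has run kvm_ghcb_sw_exit_code_is_valid(), so a non-SNP guest that supplies an SNP-only exit code without marking it valid now receives INVALID_EVENT rather than MISSING_INPUT. That matches the existing rationale in the error path ("Print the exit code even though it may not be marked valid"), but a one-line comment above the `if` stating that the exit code is deliberately checked before validation would save the next reader the question. Separately, is_snp_only_vmgexit() is a second list of the SNP-only NAE events that must be kept in sync with the SNP cases in the handler's main switch; a comment on the helper pointing that out would reduce the chance that a future SNP-only event is added to one and not the other.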
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth
Subject: [PATCH 21/24] KVM: SEV: Return INVALID_INPUT, not MISSING_INPUT, for bad GUEST_REQUEST input(s)
Date: Fri, 29 May 2026 20:35:46 +0200
Message-ID: <20260529183549.1104619-22-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Return INVALID_INPUT, not MISSING_INPUT, if the guest provides an unaligned address for a GUEST_REQUEST, and/or attempts to use the same page for the source and destination. The inputs are obviously invalid, not missing.

Opportunistically move the checks out of sev_es_validate_vmgexit(), to continue the march towards reducing the scope of the helper, and to help guide future changes into correctly handling bad input.

Fixes: 88caf544c930 ("KVM: SEV: Provide support for SNP_GUEST_REQUEST NAE event")
Fixes: 74458e4859d8 ("KVM: SEV: Provide support for SNP_EXTENDED_GUEST_REQUEST NAE event")
Reviewed-by: Tom Lendacky
Reviewed-by: Michael Roth
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-22-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm/sev.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index b59adddfdbcc..84421d9a116b 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3508,10 +3508,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *= svm) break; case SVM_VMGEXIT_GUEST_REQUEST: case SVM_VMGEXIT_EXT_GUEST_REQUEST: - if (!PAGE_ALIGNED(control->exit_info_1) || - !PAGE_ALIGNED(control->exit_info_2) || - control->exit_info_1 =3D=3D control->exit_info_2) - goto vmgexit_err; break; default: reason =3D GHCB_ERR_INVALID_EVENT; 
@@ -4631,10 +4627,20 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) ret =3D 1; break; case SVM_VMGEXIT_GUEST_REQUEST: - ret =3D snp_handle_guest_req(svm, control->exit_info_1, control->exit_in= fo_2); - break; case SVM_VMGEXIT_EXT_GUEST_REQUEST: - ret =3D snp_handle_ext_guest_req(svm, control->exit_info_1, control->exi= t_info_2); + if (!PAGE_ALIGNED(control->exit_info_1) || + !PAGE_ALIGNED(control->exit_info_2) || + control->exit_info_1 =3D=3D control->exit_info_2) { + svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_INPUT); + return 1; + } + + if (control->exit_code =3D=3D SVM_VMGEXIT_GUEST_REQUEST) + ret =3D snp_handle_guest_req(svm, control->exit_info_1, + control->exit_info_2); + else + ret =3D snp_handle_ext_guest_req(svm, control->exit_info_1, + control->exit_info_2); break; case SVM_VMGEXIT_UNSUPPORTED_EVENT: vcpu_unimpl(vcpu, --=20 2.54.0
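Review bot: the new input check in the merged GUEST_REQUEST/EXT_GUEST_REQUEST case does `return 1;` from inside the switch, while the neighbouring error path visible just above it uses `ret = 1; break;`; the early return is only equivalent as long as nothing after the switch has to run on the error path, so either switch to `ret = 1; break;` for consistency or add a comment saying why returning early is safe here. Also, the overlap test rejects only exit_info_1 == exit_info_2, which is enough only if the request and response buffers are each exactly one page; if that is the assumption, a comment on the check would make it explicit for whoever next touches these sizes.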
From: Paolo Bonzini
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: seanjc@google.com, Tom Lendacky, Michael Roth
Subject: [PATCH 22/24] KVM: SEV: Handle unknown #VMGEXIT reasons in sev_handle_vmgexit()
Date: Fri, 29 May 2026 20:35:47 +0200
Message-ID: <20260529183549.1104619-23-pbonzini@redhat.com>
In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com>
References: <20260529183549.1104619-1-pbonzini@redhat.com>

From: Sean Christopherson

Handle unknown #VMGEXIT reasons in sev_handle_vmgexit(), not in sev_es_validate_vmgexit(). This makes it _much_ more obvious that KVM simply funnels "legacy" exits to the standard SVM interception handlers, and is the final preparatory change needed to reduce the scope of sev_es_validate_vmgexit().

No functional change intended.

Reviewed-by: Tom Lendacky
Signed-off-by: Sean Christopherson
Message-ID: <20260501202250.2115252-23-seanjc@google.com>
Signed-off-by: Paolo Bonzini
---
arch/x86/kvm/svm/sev.c | 74 +++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 41 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 84421d9a116b..864d6aea544b 100644 --- a/arch/x86/kvm/svm/sev.c 
+++ b/arch/x86/kvm/svm/sev.c @@ -3414,9 +3414,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *s= vm) { struct vmcb_control_area *control =3D &svm->vmcb->control; struct kvm_vcpu *vcpu =3D &svm->vcpu; - u64 reason; - - reason =3D GHCB_ERR_MISSING_INPUT; =20 if (!kvm_ghcb_sw_exit_code_is_valid(svm) || !kvm_ghcb_sw_exit_info_1_is_valid(svm) || @@ -3424,14 +3421,10 @@ static int sev_es_validate_vmgexit(struct vcpu_svm = *svm) goto vmgexit_err; =20 switch (control->exit_code) { - case SVM_EXIT_READ_DR7: - break; case SVM_EXIT_WRITE_DR7: if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; break; - case SVM_EXIT_RDTSC: - break; case SVM_EXIT_RDPMC: if (!kvm_ghcb_rcx_is_valid(svm)) goto vmgexit_err; @@ -3444,8 +3437,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *s= vm) if (!kvm_ghcb_xcr0_is_valid(svm)) goto vmgexit_err; break; - case SVM_EXIT_INVD: - break; case SVM_EXIT_IOIO: if (control->exit_info_1 & SVM_IOIO_STR_MASK) { if (!kvm_ghcb_sw_scratch_is_valid(svm)) @@ -3470,10 +3461,6 @@ static int sev_es_validate_vmgexit(struct vcpu_svm *= svm) !kvm_ghcb_cpl_is_valid(svm)) goto vmgexit_err; break; - case SVM_EXIT_RDTSCP: - break; - case SVM_EXIT_WBINVD: - break; case SVM_EXIT_MONITOR: if (!kvm_ghcb_rax_is_valid(svm) || !kvm_ghcb_rcx_is_valid(svm) || @@ -3495,23 +3482,12 @@ static int sev_es_validate_vmgexit(struct vcpu_svm = *svm) if (!kvm_ghcb_rax_is_valid(svm)) goto vmgexit_err; break; - case SVM_VMGEXIT_NMI_COMPLETE: - case SVM_VMGEXIT_AP_HLT_LOOP: - case SVM_VMGEXIT_AP_JUMP_TABLE: - case SVM_VMGEXIT_UNSUPPORTED_EVENT: - case SVM_VMGEXIT_HV_FEATURES: - case SVM_VMGEXIT_TERM_REQUEST: - break; case SVM_VMGEXIT_PSC: if (!kvm_ghcb_sw_scratch_is_valid(svm)) goto vmgexit_err; break; - case SVM_VMGEXIT_GUEST_REQUEST: - case SVM_VMGEXIT_EXT_GUEST_REQUEST: - break; default: - reason =3D GHCB_ERR_INVALID_EVENT; - goto vmgexit_err; + break; } =20 return 0; 
@@ -3521,16 +3497,10 @@ static int sev_es_validate_vmgexit(struct vcpu_svm = *svm) * Print the exit code even though it may not be marked valid as it * could help with debugging. */ - if (reason =3D=3D GHCB_ERR_INVALID_EVENT) { - vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is not valid\n", - control->exit_code); - } else { - vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n", - control->exit_code); - dump_ghcb(svm); - } - - svm_vmgexit_bad_input(svm, reason); + vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n", + control->exit_code); + dump_ghcb(svm); + svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT); =20 /* Resume the guest to "return" the error code. */ return 1; @@ -4547,6 +4517,25 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) svm_vmgexit_success(svm, 0); =20 switch (control->exit_code) { + case SVM_EXIT_IOIO: + if (!((control->exit_info_1 & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT= )) + return 1; + + fallthrough; + case SVM_EXIT_READ_DR7: + case SVM_EXIT_WRITE_DR7: + case SVM_EXIT_RDTSC: + case SVM_EXIT_RDTSCP: + case SVM_EXIT_RDPMC: + case SVM_EXIT_CPUID: + case SVM_EXIT_INVD: + case SVM_EXIT_MSR: + case SVM_EXIT_VMMCALL: + case SVM_EXIT_WBINVD: + case SVM_EXIT_MONITOR: + case SVM_EXIT_MWAIT: + ret =3D svm_invoke_exit_handler(vcpu, control->exit_code); + break; case SVM_VMGEXIT_MMIO_READ: case SVM_VMGEXIT_MMIO_WRITE: { bool is_write =3D control->exit_code =3D=3D SVM_VMGEXIT_MMIO_WRITE; 
@@ -4643,18 +4632,21 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) control->exit_info_2); break; case SVM_VMGEXIT_UNSUPPORTED_EVENT: + /* + * Note, the _guest_ is reporting an unsupported #VC, i.e. this + * isn't the same thing as KVM getting an unsupported #VMGEXIT. + */ vcpu_unimpl(vcpu, "vmgexit: unsupported event - exit_info_1=3D%#llx, exit_info_2=3D%#= llx\n", control->exit_info_1, control->exit_info_2); ret =3D -EINVAL; break; - case SVM_EXIT_IOIO: - if (!((control->exit_info_1 & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT= )) - return 1; - - fallthrough; default: - ret =3D svm_invoke_exit_handler(vcpu, control->exit_code); + vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is not valid\n", + control->exit_code); + svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT); + ret =3D 1; + break; } =20 return ret; --=20 2.54.0
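Review bot: in the sev_es_validate_vmgexit() error-path hunk, the vmgexit_err label now unconditionally calls dump_ghcb(svm) next to vcpu_unimpl() before returning MISSING_INPUT; that path is reached by any guest that leaves a required GHCB field unmarked, so the frequency of the dump is under guest control. This is the same behaviour the old non-INVALID_EVENT branch had, so it is not a regression, but since the cleanup makes the path the only outcome of a validation failure it is worth confirming that dump_ghcb() is rate limited (or bringing it under the same rate limiting as vcpu_unimpl()) so a misbehaving guest cannot flood the host log.

Review bot: with the handler's default case now returning INVALID_EVENT, the explicit case list added to sev_handle_vmgexit() (SVM_EXIT_IOIO through SVM_EXIT_MWAIT, routed to svm_invoke_exit_handler()) becomes the sole allowlist of legacy exits, while sev_es_validate_vmgexit()'s default now just does `break;`. Any legacy exit code that the validator accepts but that is missing from the new list will pass validation and then be rejected as an invalid event, and the two switches are maintained separately; a short comment on the list in the handler (and one on the validator's now-permissive default) saying that a new legacy exit must be added in both places would make that coupling explicit, and it is worth a one-time cross-check that the new list covers every exit code the validator still has a case for.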
2002:a05:600c:6287:b0:490:9d1b:f068 with SMTP id 5b1f17b1804b1-490a295d9c6mr13787415e9.29.1780079816797; Fri, 29 May 2026 11:36:56 -0700 (PDT) X-Received: by 2002:a05:600c:6287:b0:490:9d1b:f068 with SMTP id 5b1f17b1804b1-490a295d9c6mr13786835e9.29.1780079816338; Fri, 29 May 2026 11:36:56 -0700 (PDT) Received: from [192.168.10.48] ([151.49.251.208]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45ef354cf0dsm5290792f8f.17.2026.05.29.11.36.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 May 2026 11:36:52 -0700 (PDT) From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth Subject: [PATCH 23/24] KVM: SEV: Turn sev_es_validate_vmgexit() into a dedicated predicate Date: Fri, 29 May 2026 20:35:48 +0200 Message-ID: <20260529183549.1104619-24-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Now that sev_es_validate_vmgexit() is only responsible for checking that all required GHCB fields are marked valid, turn it into a predicate whose name reflects exactly that. No functional change intended. Reviewed-by: Tom Lendacky Reviewed-by: Michael Roth Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-24-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 112 +++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 71 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 864d6aea544b..bb70df2bf1a4 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3410,7 +3410,7 @@ static void sev_es_sync_from_ghcb(struct vcpu_svm *sv= m) memset(ghcb->save.valid_bitmap, 0, sizeof(ghcb->save.valid_bitmap)); } =20 -static int sev_es_validate_vmgexit(struct vcpu_svm *svm) +static bool sev_es_are_required_ghcb_fields_valid(struct vcpu_svm *svm) { struct vmcb_control_area *control =3D &svm->vmcb->control; struct kvm_vcpu *vcpu =3D &svm->vcpu; 
@@ -3418,92 +3418,53 @@ static int sev_es_validate_vmgexit(struct vcpu_svm = *svm) if (!kvm_ghcb_sw_exit_code_is_valid(svm) || !kvm_ghcb_sw_exit_info_1_is_valid(svm) || !kvm_ghcb_sw_exit_info_2_is_valid(svm)) - goto vmgexit_err; + return false; =20 switch (control->exit_code) { case SVM_EXIT_WRITE_DR7: - if (!kvm_ghcb_rax_is_valid(svm)) - goto vmgexit_err; - break; + return kvm_ghcb_rax_is_valid(svm); case SVM_EXIT_RDPMC: - if (!kvm_ghcb_rcx_is_valid(svm)) - goto vmgexit_err; - break; + return kvm_ghcb_rcx_is_valid(svm); case SVM_EXIT_CPUID: if (!kvm_ghcb_rax_is_valid(svm) || !kvm_ghcb_rcx_is_valid(svm)) - goto vmgexit_err; - if (vcpu->arch.regs[VCPU_REGS_RAX] =3D=3D 0xd) - if (!kvm_ghcb_xcr0_is_valid(svm)) - goto vmgexit_err; - break; + return false; + + return vcpu->arch.regs[VCPU_REGS_RAX] !=3D 0xd || + kvm_ghcb_xcr0_is_valid(svm); case SVM_EXIT_IOIO: - if (control->exit_info_1 & SVM_IOIO_STR_MASK) { - if (!kvm_ghcb_sw_scratch_is_valid(svm)) - goto vmgexit_err; - } else { - if (!(control->exit_info_1 & SVM_IOIO_TYPE_MASK)) - if (!kvm_ghcb_rax_is_valid(svm)) - goto vmgexit_err; - } - break; + if (control->exit_info_1 & SVM_IOIO_STR_MASK) + return kvm_ghcb_sw_scratch_is_valid(svm); + + if (!(control->exit_info_1 & SVM_IOIO_TYPE_MASK)) + return kvm_ghcb_rax_is_valid(svm); + + return true; case SVM_EXIT_MSR: if (!kvm_ghcb_rcx_is_valid(svm)) - goto vmgexit_err; - if (control->exit_info_1) { - if (!kvm_ghcb_rax_is_valid(svm) || - !kvm_ghcb_rdx_is_valid(svm)) - goto vmgexit_err; - } - break; + return false; + + return !control->exit_info_1 || + (kvm_ghcb_rax_is_valid(svm) && kvm_ghcb_rdx_is_valid(svm)); case SVM_EXIT_VMMCALL: - if (!kvm_ghcb_rax_is_valid(svm) || - !kvm_ghcb_cpl_is_valid(svm)) - goto vmgexit_err; - break; + return kvm_ghcb_rax_is_valid(svm) && kvm_ghcb_cpl_is_valid(svm); case SVM_EXIT_MONITOR: - if (!kvm_ghcb_rax_is_valid(svm) || - !kvm_ghcb_rcx_is_valid(svm) || - !kvm_ghcb_rdx_is_valid(svm)) - goto vmgexit_err; - break; + return 
kvm_ghcb_rax_is_valid(svm) && + kvm_ghcb_rcx_is_valid(svm) && + kvm_ghcb_rdx_is_valid(svm); case SVM_EXIT_MWAIT: - if (!kvm_ghcb_rax_is_valid(svm) || - !kvm_ghcb_rcx_is_valid(svm)) - goto vmgexit_err; + return kvm_ghcb_rax_is_valid(svm) && kvm_ghcb_rcx_is_valid(svm); + case SVM_VMGEXIT_AP_CREATION: + return kvm_ghcb_rax_is_valid(svm) || + lower_32_bits(control->exit_info_1) =3D=3D SVM_VMGEXIT_AP_DESTROY; break; case SVM_VMGEXIT_MMIO_READ: case SVM_VMGEXIT_MMIO_WRITE: - if (!kvm_ghcb_sw_scratch_is_valid(svm)) - goto vmgexit_err; - break; - case SVM_VMGEXIT_AP_CREATION: - if (lower_32_bits(control->exit_info_1) !=3D SVM_VMGEXIT_AP_DESTROY) - if (!kvm_ghcb_rax_is_valid(svm)) - goto vmgexit_err; - break; case SVM_VMGEXIT_PSC: - if (!kvm_ghcb_sw_scratch_is_valid(svm)) - goto vmgexit_err; - break; + return kvm_ghcb_sw_scratch_is_valid(svm); default: - break; + return true; } - - return 0; - -vmgexit_err: - /* - * Print the exit code even though it may not be marked valid as it - * could help with debugging. - */ - vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n", - control->exit_code); - dump_ghcb(svm); - svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT); - - /* Resume the guest to "return" the error code. */ - return 1; } =20 static void __sev_es_unmap_ghcb(struct vcpu_svm *svm) @@ -4510,9 +4471,17 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) return 1; } =20 - ret =3D sev_es_validate_vmgexit(svm); - if (ret) - return ret; + if (!sev_es_are_required_ghcb_fields_valid(svm)) { + /* + * Print the exit code even though it may not be marked valid + * as it could help with debugging. + */ + vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n", + control->exit_code); + dump_ghcb(svm); + svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT); + return 1; + } =20 svm_vmgexit_success(svm, 0); =20 
@@ -4599,6 +4568,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) vcpu->run->system_event.type =3D KVM_SYSTEM_EVENT_SEV_TERM; vcpu->run->system_event.ndata =3D 1; vcpu->run->system_event.data[0] =3D control->ghcb_gpa; + ret =3D 0; break; case SVM_VMGEXIT_PSC: ret =3D setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr)); --=20 2.54.0 From nobody Mon Jun 8 11:02:52 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D4F67472784 for ; Fri, 29 May 2026 18:37:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780079826; cv=none; b=NCsyntQqKkTVZJ0jpo5MtgwjUQ9WzwaKiWy635xHXyLaJjMyAgLeqAgri/aEb9UK5TR9oJkrWDFHmZ+TTvvwfRq8fx5J9YVjhwQ+5SlMJhbyACnH16Z0x8ZrhkJviWv7f8jKGX+cJnuDhqJRbxIJC+RJl0Rm47PdPnA0T16aB7k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780079826; c=relaxed/simple; bh=XMgSUVd06jABBSWfczQttemRZ67nF8LRt692DiWCkcQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TVEt/WERfOBPZVcHrKHd7WnAgEmaW02tN7I/4pbVnzpQnMPS1TOMmxgDJmM9D1NL8EezjNmFKA6FxsDOMbq/eTpoApcrZ2yBHmUXLB01UpHGlLBwi2y2GdDNcvzyg6/mD7zDciyJQOi9EZkNOFI5t9StgMJnpHKdGl5VARynSqM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=VNpQjzeH; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=Umo0Xg2+; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
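Review bot: the `break;` that follows the new `return` in the SVM_VMGEXIT_AP_CREATION case of hunk @@ -3418,92 is now dead code (it is the unchanged `break;` left over from the SVM_EXIT_MWAIT case); drop it so the case ends in a bare `return` like the others. The boolean rewrites otherwise look equivalent to the goto versions: for SVM_EXIT_CPUID, `rax != 0xd || xcr0_valid` is the contrapositive of the old nested ifs, and for SVM_EXIT_MSR, `!exit_info_1 || (rax_valid && rdx_valid)` matches the old write-only requirement.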
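Review bot: the `ret = 0;` added to the SVM_VMGEXIT_TERM_REQUEST case in hunk @@ -4599,6 is required rather than cosmetic: before this patch `ret` was zeroed by `ret = sev_es_validate_vmgexit(svm)` on the success path, and after the predicate rewrite in hunk @@ -4510,9 nothing initializes it any more. Say so in the commit message, since "No functional change intended" hides the dependency, and double-check that every other case still assigns `ret` before `break`, otherwise `return ret` reads an uninitialized variable.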
From: Paolo Bonzini To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org Cc: seanjc@google.com, Tom Lendacky , Michael Roth Subject: [PATCH 24/24] KVM: SEV: Remove sometimes-used function-scoped "ret" from #VMGEXIT handler Date: Fri, 29 May 2026 20:35:49 +0200 Message-ID: <20260529183549.1104619-25-pbonzini@redhat.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260529183549.1104619-1-pbonzini@redhat.com> References: <20260529183549.1104619-1-pbonzini@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Sean Christopherson Now that only two case-statements actually need a local "ret" variable, refactor sev_handle_vmgexit() to have all flows return directly when possible, and bury "ret" as "r" in the two paths that need to propagate a return value from a helper. No functional change intended. Signed-off-by: Sean Christopherson Message-ID: <20260501202250.2115252-25-seanjc@google.com> Signed-off-by: Paolo Bonzini --- arch/x86/kvm/svm/sev.c | 74 ++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 43 deletions(-) diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index bb70df2bf1a4..bc9dd39778a1 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -4418,7 +4418,6 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) struct vcpu_svm *svm =3D to_svm(vcpu); struct vmcb_control_area *control =3D &svm->vmcb->control; u64 ghcb_gpa; - int ret; =20 /* Validate the GHCB */ ghcb_gpa =3D control->ghcb_gpa; 
@@ -4503,12 +4502,12 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) case SVM_EXIT_WBINVD: case SVM_EXIT_MONITOR: case SVM_EXIT_MWAIT: - ret =3D svm_invoke_exit_handler(vcpu, control->exit_code); - break; + return svm_invoke_exit_handler(vcpu, control->exit_code); case SVM_VMGEXIT_MMIO_READ: case SVM_VMGEXIT_MMIO_WRITE: { bool is_write =3D control->exit_code =3D=3D SVM_VMGEXIT_MMIO_WRITE; u64 len =3D control->exit_info_2; + int r; =20 if (!len) return 1; @@ -4518,24 +4517,21 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) return 1; } =20 - ret =3D setup_vmgexit_scratch(svm, !is_write, len); - if (ret) - break; + r =3D setup_vmgexit_scratch(svm, !is_write, len); + if (r) + return r; =20 - ret =3D kvm_sev_es_mmio(vcpu, is_write, control->exit_info_1, len, - svm->sev_es.ghcb_sa); - break; + return kvm_sev_es_mmio(vcpu, is_write, control->exit_info_1, len, + svm->sev_es.ghcb_sa); } case SVM_VMGEXIT_NMI_COMPLETE: ++vcpu->stat.nmi_window_exits; svm->nmi_masked =3D false; kvm_make_request(KVM_REQ_EVENT, vcpu); - ret =3D 1; - break; + return 1; case SVM_VMGEXIT_AP_HLT_LOOP: svm->sev_es.ap_reset_hold_type =3D AP_RESET_HOLD_NAE_EVENT; - ret =3D kvm_emulate_ap_reset_hold(vcpu); - break; + return kvm_emulate_ap_reset_hold(vcpu); case SVM_VMGEXIT_AP_JUMP_TABLE: { struct kvm_sev_info *sev =3D to_kvm_sev_info(vcpu->kvm); =20 @@ -4553,14 +4549,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) control->exit_info_1); svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_INPUT); } - - ret =3D 1; - break; + return 1; } case SVM_VMGEXIT_HV_FEATURES: svm_vmgexit_success(svm, GHCB_HV_FT_SUPPORTED); - ret =3D 1; - break; + return 1; case SVM_VMGEXIT_TERM_REQUEST: pr_info("SEV-ES guest requested termination: reason %#llx info %#llx\n", control->exit_info_1, control->exit_info_2); 
@@ -4568,23 +4561,20 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) vcpu->run->system_event.type =3D KVM_SYSTEM_EVENT_SEV_TERM; vcpu->run->system_event.ndata =3D 1; vcpu->run->system_event.data[0] =3D control->ghcb_gpa; - ret =3D 0; - break; - case SVM_VMGEXIT_PSC: - ret =3D setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr)); - if (ret) - break; + return 0; + case SVM_VMGEXIT_PSC: { + int r; =20 - ret =3D snp_begin_psc(svm); - break; + r =3D setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr)); + if (r) + return r; + + return snp_begin_psc(svm); + } case SVM_VMGEXIT_AP_CREATION: - ret =3D sev_snp_ap_creation(svm); - if (ret) { + if (sev_snp_ap_creation(svm)) svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_INPUT); - } - - ret =3D 1; - break; + return 1; case SVM_VMGEXIT_GUEST_REQUEST: case SVM_VMGEXIT_EXT_GUEST_REQUEST: if (!PAGE_ALIGNED(control->exit_info_1) || @@ -4595,12 +4585,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) } =20 if (control->exit_code =3D=3D SVM_VMGEXIT_GUEST_REQUEST) - ret =3D snp_handle_guest_req(svm, control->exit_info_1, - control->exit_info_2); - else - ret =3D snp_handle_ext_guest_req(svm, control->exit_info_1, - control->exit_info_2); - break; + return snp_handle_guest_req(svm, control->exit_info_1, + control->exit_info_2); + + return snp_handle_ext_guest_req(svm, control->exit_info_1, + control->exit_info_2); case SVM_VMGEXIT_UNSUPPORTED_EVENT: /* * Note, the _guest_ is reporting an unsupported #VC, i.e. this 
@@ -4609,17 +4598,16 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu) vcpu_unimpl(vcpu, "vmgexit: unsupported event - exit_info_1=3D%#llx, exit_info_2=3D%#= llx\n", control->exit_info_1, control->exit_info_2); - ret =3D -EINVAL; - break; + return -EINVAL; default: vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is not valid\n", control->exit_code); svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT); - ret =3D 1; - break; + return 1; } =20 - return ret; + KVM_BUG_ON(1, vcpu->kvm); + return -EIO; } =20 int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, in= t in) --=20 2.54.0
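Review bot: the `KVM_BUG_ON(1, vcpu->kvm); return -EIO;` added after the switch in hunk @@ -4609,17 is unreachable once every case returns, so a one-line comment stating that it exists only to keep the compiler from seeing control fall out of a non-void function, and to catch a future case that forgets to return, would help the next reader; since KVM_BUG_ON() also bugs the VM, such an omission would surface as a killed VM rather than a silent bad return value, which is a reasonable trade-off but worth noting in the commit message.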