From: sashiko-bot@kernel.org
To: "Yosry Ahmed" <yosry@kernel.org>
Cc: kvm@vger.kernel.org
Subject: Re: [RFC PATCH v2 08/25] KVM: SEV: Stop using per-vCPU ASID for SEV VMs
Date: Tue, 16 Jun 2026 01:06:03 +0000 [thread overview]
Message-ID: <20260616010604.ACC021F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616004155.1435766-9-yosry@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] A malicious SEV guest or an unprivileged host-userspace process can trigger a host WARN_ON_ONCE by executing VMRUN (entering nested virtualization) or via KVM_SET_NESTED_STATE.
--
commit c3ac1dbd3331e2991b6bd808b207ce3395a73130
Author: Yosry Ahmed <yosry@kernel.org>
KVM: SEV: Stop using per-vCPU ASID for SEV VMs
This commit updates KVM to initialize the SEV VM ASID once in
sev_init_vmcb() instead of checking and setting it on every vCPU run. It
replaces the run-time assignment check in pre_sev_run() with a warning.
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -3555,10 +3555,7 @@ int pre_sev_run(struct vcpu_svm *svm, int cpu)
> if (!cpumask_test_cpu(cpu, to_kvm_sev_info(kvm)->have_run_cpus))
> cpumask_set_cpu(cpu, to_kvm_sev_info(kvm)->have_run_cpus);
>
> - /* Assign the asid allocated with this SEV guest */
> - svm->asid = asid;
> -
> - if (unlikely(svm->asid != svm->vmcb->control.asid)) {
> + if (WARN_ON_ONCE(asid != svm->vmcb->control.asid)) {
[Severity: High]
Can a malicious SEV guest or an unprivileged host-userspace process trigger
this warning by entering nested virtualization or via KVM_SET_NESTED_STATE?
KVM does not strictly prohibit userspace from exposing CPUID.SVM to an SEV
guest. If an SEV guest sets EFER.SVME and executes VMRUN, KVM intercepts it
and handles the nested transition via nested_svm_vmrun(), which switches the
active VMCB pointer to the nested vmcb02.
The nested vmcb02 does not inherit the SEV ASID assignment from
sev_init_vmcb(), and its control.asid is initialized separately. During the
subsequent svm_vcpu_run() -> pre_sev_run() call, the VM's valid SEV ASID will
no longer match the nested vmcb02's ASID, causing this warning to trigger.
Since this condition is guest-reachable and controllable by userspace, does
this create a host denial of service vector when panic_on_warn is set?
> svm->vmcb->control.asid = asid;
> vmcb_mark_dirty(svm->vmcb, VMCB_ASID);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616004155.1435766-1-yosry@kernel.org?part=8
next prev parent reply other threads:[~2026-06-16 1:06 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 0:41 [RFC PATCH v2 00/25] Optimize nSVM TLB flushes Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 01/25] KVM: nSVM: Flush the TLB after forcefully leaving nested Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 02/25] KVM: SVM: Passthrough the number of supported ASIDs Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 03/25] KVM: VMX: Generalize VPID allocation to be vendor-neutral Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 04/25] KVM: x86/mmu: Support specifying a minimum TLB tag Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 05/25] KVM: SVM: Add helpers to set/clear ASID flush in VMCB Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 06/25] KVM: SVM: Fallback to flush everything if FLUSHBYASID is not available Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 07/25] KVM: SVM: Duplicate pre-run ASID check for SEV and non-SEV guests Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 08/25] KVM: SEV: Stop using per-vCPU ASID for SEV VMs Yosry Ahmed
2026-06-16 1:06 ` sashiko-bot [this message]
2026-06-16 0:41 ` [RFC PATCH v2 09/25] KVM: SVM: Use a static ASID per vCPU Yosry Ahmed
2026-06-16 1:08 ` sashiko-bot
2026-06-16 0:41 ` [RFC PATCH v2 10/25] KVM: nSVM: Add a placeholder ASID for L2 Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 11/25] KVM: x86: hyper-v: Rename kvm_hv_vcpu_purge_flush_tlb() Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 12/25] KVM: x86: hyper-v: Allow puring all TLB flush FIFOs Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 13/25] KVM: nSVM: Flush both L1 and L2 ASIDs on KVM_REQ_TLB_FLUSH Yosry Ahmed
2026-06-16 1:05 ` sashiko-bot
2026-06-16 0:41 ` [RFC PATCH v2 14/25] KVM: nSVM: Move svm_switch_vmcb() to nested.c Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 15/25] KVM: nSVM: Call nested_svm_transition_tlb_flush() on every VMCB switch Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 16/25] KVM: nSVM: Split nested_svm_transition_tlb_flush() into entry/exit fns Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 17/25] KVM: nSVM: Service local TLB flushes before nested transitions Yosry Ahmed
2026-06-16 1:20 ` sashiko-bot
2026-06-16 0:41 ` [RFC PATCH v2 18/25] KVM: nSVM: Handle nested TLB flush requests through TLB_CONTROL Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 19/25] KVM: nSVM: Flush the TLB if L1 changes L2's ASID in vmcb12 Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 20/25] KVM: nSVM: Do not reset TLB_CONTROL in vmcb02 on nested VM-Enter Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 21/25] KVM: x86/mmu: rename __kvm_mmu_invalidate_addr() Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 22/25] KVM: x86/mmu: Refactor kvm_mmu_invlpg() to allow skipping the gva flush Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 23/25] KVM: nSVM: Flush L2's ASID when emulating INVLPGA Yosry Ahmed
2026-06-16 0:41 ` [RFC PATCH v2 24/25] KVM: nSVM: Use different ASIDs for L1 and L2 Yosry Ahmed
2026-06-16 1:30 ` sashiko-bot
2026-06-16 0:41 ` [RFC PATCH v2 25/25] DO NOT MERGE: Add nested_tlb_force_flush Yosry Ahmed
2026-06-16 1:21 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616010604.ACC021F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=yosry@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.