Re: [PATCH 20/24] KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <seanjc@google.com>
To: sashiko-reviews@lists.linux.dev
Cc: Paolo Bonzini <pbonzini@redhat.com>, kvm@vger.kernel.org
Subject: Re: [PATCH 20/24] KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest
Date: Mon, 1 Jun 2026 09:18:12 -0700	[thread overview]
Message-ID: <ah2wxOMC1lqyJ5UD@google.com> (raw)
In-Reply-To: <20260530092947.490971F00893@smtp.kernel.org>

On Sat, May 30, 2026, sashiko-bot@kernel.org wrote:
> > diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> > index 880a2acd77bff..b59adddfdbccb 100644
> > --- a/arch/x86/kvm/svm/sev.c
> > +++ b/arch/x86/kvm/svm/sev.c
> [ ... ]
> > @@ -4527,6 +4537,13 @@ int sev_handle_vmgexit(struct kvm_vcpu *vcpu)
> >  		return 1;
> >  	}
> >  
> > +	if (is_snp_only_vmgexit(control->exit_code) && !is_sev_snp_guest(vcpu)) {
> > +		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is SNP-only\n",
> > +			    control->exit_code);
> > +		svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT);
> > +		return 1;
> > +	}
> > +
> >  	ret = sev_es_validate_vmgexit(svm);
> >  	if (ret)
> >  		return ret;
> 
> [Severity: Low]
> Does this consume the GHCB sw_exit_code field before verifying that the
> guest actually marked it as valid?
> 
> By moving the is_snp_only_vmgexit(control->exit_code) check before the
> call to sev_es_validate_vmgexit(), KVM evaluates the exit code before
> kvm_ghcb_sw_exit_code_is_valid() is checked.
> 
> If a non-SNP guest provides a GHCB without setting the valid bit for the
> exit code, but the uninitialized memory coincidentally matches an SNP-only
> exit code, will KVM incorrectly return GHCB_ERR_INVALID_EVENT instead of
> the required GHCB_ERR_MISSING_INPUT?

Super duper technically, yes.  We can't simply swap the order, because exits
like SVM_VMGEXIT_PSC shouldn't exist for non-SNP guests.  But I guess it would
be easy and safe enough to do:

	if (kvm_ghcb_sw_exit_code_is_valid(svm) &&
	    is_snp_only_vmgexit(control->exit_code) && !is_sev_snp_guest(vcpu)) {
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is SNP-only\n",
			    control->exit_code);
		svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT);
		return 1;
	}

Hmm, I guess the other option would be to split out the "always mandatory" checks


	if (!kvm_ghcb_sw_exit_code_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_1_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_2_is_valid(svm))
		return false;

e.g. end up with:

	if (!kvm_ghcb_sw_exit_code_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_1_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_2_is_valid(svm)) {
		/*
		 * Print the exit code even though it may not be marked valid
		 * as it could help with debugging.
		 */
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n",
			    control->exit_code);
		dump_ghcb(svm);
		svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT);
		return 1;
	}

	if (is_snp_only_vmgexit(control->exit_code) && !is_sev_snp_guest(vcpu)) {
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is SNP-only\n",
			    control->exit_code);
		svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT);
		return 1;
	}

	if (!sev_es_are_required_ghcb_fields_valid(svm)) {
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n",
			    control->exit_code);
		dump_ghcb(svm);
		svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT);
		return 1;
	}

Hmm, and if we go with the second option, maybe rename sev_es_are_required_ghcb_fields_valid()
to sev_es_are_ancillary_ghcb_fields_valid()?

I don't particularly love either option, but I think I have a slight (very slight)
preference for this?

	if (!kvm_ghcb_sw_exit_code_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_1_is_valid(svm) ||
	    !kvm_ghcb_sw_exit_info_2_is_valid(svm)) {
		/*
		 * Print the exit code even though it may not be marked valid
		 * as it could help with debugging.
		 */
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n",
			    control->exit_code);
		dump_ghcb(svm);
		svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT);
		return 1;
	}

	if (is_snp_only_vmgexit(control->exit_code) && !is_sev_snp_guest(vcpu)) {
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx is SNP-only\n",
			    control->exit_code);
		svm_vmgexit_bad_input(svm, GHCB_ERR_INVALID_EVENT);
		return 1;
	}

	if (!sev_es_are_ancillary_ghcb_fields_valid(svm)) {
		vcpu_unimpl(vcpu, "vmgexit: exit code %#llx input is not valid\n",
			    control->exit_code);
		dump_ghcb(svm);
		svm_vmgexit_bad_input(svm, GHCB_ERR_MISSING_INPUT);
		return 1;
	}

next prev parent reply	other threads:[~2026-06-01 16:18 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29 18:35 [PATCH 00/24] KVM: x86: fix various GHCB issues Paolo Bonzini
2026-05-29 18:35 ` [PATCH 01/24] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Paolo Bonzini
2026-05-29 18:35 ` [PATCH 02/24] KVM: SEV: Ignore MMIO requests of length '0' Paolo Bonzini
2026-05-29 19:29   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 03/24] KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+ Paolo Bonzini
2026-05-29 19:54   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 04/24] KVM: SEV: Ignore Port I/O requests of length '0' Paolo Bonzini
2026-05-29 18:35 ` [PATCH 05/24] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Paolo Bonzini
2026-05-29 20:49   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 06/24] KVM: SEV: Compute the correct max length of the in-GHCB scratch area Paolo Bonzini
2026-05-29 18:35 ` [PATCH 07/24] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 Paolo Bonzini
2026-05-29 21:32   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 08/24] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 09/24] KVM: SEV: Check PSC request indices against the actual size of the buffer Paolo Bonzini
2026-05-29 18:35 ` [PATCH 10/24] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Paolo Bonzini
2026-05-29 22:28   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 11/24] KVM: SEV: Make it more obvious when KVM is writing back the current PSC index Paolo Bonzini
2026-05-29 23:21   ` sashiko-bot
2026-06-01 16:20     ` Sean Christopherson
2026-05-29 18:35 ` [PATCH 12/24] KVM: SEV: Add an anonymous "psc" struct to track current PSC metadata Paolo Bonzini
2026-05-30  8:07   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 13/24] KVM: SEV: Read start/end indices of PSC requests exactly once per #VMGEXIT Paolo Bonzini
2026-05-29 18:35 ` [PATCH 14/24] KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying Paolo Bonzini
2026-05-29 18:35 ` [PATCH 15/24] KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb() Paolo Bonzini
2026-05-30  8:36   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 16/24] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA Paolo Bonzini
2026-05-30  8:50   ` sashiko-bot
2026-06-01 16:02     ` Sean Christopherson
2026-05-29 18:35 ` [PATCH 17/24] KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free Paolo Bonzini
2026-05-30  9:06   ` sashiko-bot
2026-05-29 18:35 ` [PATCH 18/24] KVM: SEV: Don't terminate SNP VMs on #VMGEXIT without a registered GHCB Paolo Bonzini
2026-05-29 18:35 ` [PATCH 19/24] KVM: SEV: Move GHCB "usage" check out of sev_es_validate_vmgexit() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 20/24] KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest Paolo Bonzini
2026-05-30  9:29   ` sashiko-bot
2026-06-01 16:18     ` Sean Christopherson [this message]
2026-05-29 18:35 ` [PATCH 21/24] KVM: SEV: Return INVALID_INPUT, not MISSING_INPUT, for bad GUEST_REQUEST input(s) Paolo Bonzini
2026-05-29 18:35 ` [PATCH 22/24] KVM: SEV: Handle unknown #VMGEXIT reasons in sev_handle_vmgexit() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 23/24] KVM: SEV: Turn sev_es_validate_vmgexit() into a dedicated predicate Paolo Bonzini
2026-05-29 18:35 ` [PATCH 24/24] KVM: SEV: Remove sometimes-used function-scoped "ret" from #VMGEXIT handler Paolo Bonzini
2026-05-30 16:27 ` [PATCH 00/24] KVM: x86: fix various GHCB issues Paolo Bonzini
2026-06-03 12:52   ` Sean Christopherson
2026-06-03 15:06     ` Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ah2wxOMC1lqyJ5UD@google.com \
    --to=seanjc@google.com \
    --cc=kvm@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.