From: Sean Christopherson <seanjc@google.com>
To: Michael Roth <michael.roth@amd.com>
Cc: Hyunwoo Kim <imv4bel@gmail.com>,
pbonzini@redhat.com, tglx@kernel.org, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
hpa@zytor.com, kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: SEV: Don't return a still-assigned gmem page to the host
Date: Thu, 11 Jun 2026 17:10:00 -0700 [thread overview]
Message-ID: <aitOWNQk8KfUdp5x@google.com> (raw)
In-Reply-To: <sbub77galgn2zcecmeiznzi7nvgykby5lyqbebimfpd3wmsxgc@gxfth3taum3p>
On Thu, Jun 11, 2026, Michael Roth wrote:
> On Thu, Jun 11, 2026 at 08:23:00AM -0700, Sean Christopherson wrote:
> > On Thu, Jun 11, 2026, Hyunwoo Kim wrote:
> > > and if that gfn is then hole-punched, a page that is still assigned to the
> > > guest is returned to the host in sev_gmem_invalidate(), which looked like it
> > > could lead to a host RMP PF, so I sent the patch.
> >
> > Yeah, I suspect you're right. But leaking the page doesn't fix the underlying
> > problem, which is that it's possible to free a page that's being used as a VMSA.
> >
> > We can't simply pin the page, because IIUC ->free_folio() is called when the page
> > is removed from the filemap, not when the folio/page is free back to the allocator.
>
> If free_folio() triggers, it would call into the
> kvm_gmem_invalidate()/rmp_make_shared() path and clear VMSA bit, which I
> think would cause a subsequent vcpu_run() to error cleanly. So that part
> maybe isn't the issue, so much as the stale VMSA reference we have once
> the hole-punched finished at folio actually gets freed to allocator..
What if the vCPU that's associated with the VMSA is actively running? I assume
trying to reclaim a VMSA page will fail with FAIL_INUSE or FAIL_PERMISSION;
that's the scenario I'm worried about.
> But KVM would never be accessing it directly while it's allocated for a
> vCPU (it would be garbage on the host-side anyway), and I think the CPU
> should only be able to write to it as part of VMRUN/exit, but those
> should immediately fail since it's not a VMSA page any more at that
> point.
>
> It's sort of a precarious state, but I think we might hold up okay
> there.. so I'm not sure we actually need the changes below, unless I'm
> missing something.
>
> ..but on the VM cleanup side, we'd end up doing a double-free in that
> case, so we would need still need the elevated reference to handle that.
I don't think so? KVM doesn't free vmcb->control.vmsa_pa when tearing down the
vCPU, KVM only explicitly frees svm->sev_es.vmsa.
next prev parent reply other threads:[~2026-06-12 0:10 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 16:10 [PATCH] KVM: SEV: Don't return a still-assigned gmem page to the host Hyunwoo Kim
2026-06-10 16:26 ` sashiko-bot
2026-06-10 18:25 ` Sean Christopherson
2026-06-10 22:16 ` Michael Roth
2026-06-11 10:26 ` Hyunwoo Kim
2026-06-11 12:47 ` Sean Christopherson
2026-06-11 14:05 ` Hyunwoo Kim
2026-06-11 15:23 ` Sean Christopherson
2026-06-11 17:07 ` Hyunwoo Kim
2026-06-11 17:32 ` Sean Christopherson
2026-06-11 17:34 ` Hyunwoo Kim
2026-06-11 23:15 ` Michael Roth
2026-06-12 0:10 ` Sean Christopherson [this message]
2026-06-11 16:47 ` Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aitOWNQk8KfUdp5x@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=imv4bel@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.