[PATCH 0/3] KVM: SVM: Unregister GALog notifier on module exit

[PATCH 0/3] KVM: SVM: Unregister GALog notifier on module exit

[Sean Christopherson]

Unregister KVM's GALog notifier when kvm-amd.ko is being unloaded so that
a spurious GALog event, e.g. due to some other bug, doesn't escalate to a
use-after-free.

I deliberately didn't tag this for stable@, as shuffling the setup code
around could easily introduce more problems than it solves, e.g. the patch
might apply cleanly to an older kernel, but blow up at runtime due to the
ordering being wrong.

My thought/plan is to get the fix into 6.18, where avic is first enabled by
default, but not bother getting it into older LTS kernels.

Sean Christopherson (3):
  KVM: SVM: Initialize per-CPU svm_data at the end of hardware setup
  KVM: SVM: Unregister KVM's GALog notifier on kvm-amd.ko exit
  KVM: SVM: Make avic_ga_log_notifier() local to avic.c

 arch/x86/kvm/svm/avic.c |  8 +++++++-
 arch/x86/kvm/svm/svm.c  | 15 +++++++++------
 arch/x86/kvm/svm/svm.h  |  2 +-
 3 files changed, 17 insertions(+), 8 deletions(-)


base-commit: 6b36119b94d0b2bb8cea9d512017efafd461d6ac
-- 
2.51.0.858.gf9c4a03a3a-goog

[PATCH 1/3] KVM: SVM: Initialize per-CPU svm_data at the end of hardware setup

[Sean Christopherson]

Setup the per-CPU SVM data structures at the very end of hardware setup so
that svm_hardware_unsetup() can be used in svm_hardware_setup() to unwind
AVIC setup (for the GALog notifier).  Alternatively, the error path could
do an explicit, manual unwind, e.g. by adding a helper to free the per-CPU
structures.  But the per-CPU allocations have no interactions or
dependencies, i.e. can comfortably live at the end, and so converting to
a manual unwind would introduce churn and code without providing any
immediate advantage.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/svm/svm.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 153c12dbf3eb..efc3a7adebef 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -5386,12 +5386,6 @@ static __init int svm_hardware_setup(void)
 
 	svm_hv_hardware_setup();
 
-	for_each_possible_cpu(cpu) {
-		r = svm_cpu_init(cpu);
-		if (r)
-			goto err;
-	}
-
 	enable_apicv = avic_hardware_setup();
 	if (!enable_apicv) {
 		enable_ipiv = false;
@@ -5435,6 +5429,13 @@ static __init int svm_hardware_setup(void)
 	svm_set_cpu_caps();
 
 	kvm_caps.inapplicable_quirks &= ~KVM_X86_QUIRK_CD_NW_CLEARED;
+
+	for_each_possible_cpu(cpu) {
+		r = svm_cpu_init(cpu);
+		if (r)
+			goto err;
+	}
+
 	return 0;
 
 err:
-- 
2.51.0.858.gf9c4a03a3a-goog

[PATCH 2/3] KVM: SVM: Unregister KVM's GALog notifier on kvm-amd.ko exit

[Sean Christopherson]

Unregister the GALog notifier (used to get notified of wake events for
blocking vCPUs) on kvm-amd.ko exit so that a KVM or IOMMU driver bug that
results in a spurious GALog event "only" results in a spurious IRQ, and
doesn't trigger a use-after-free due to executing unloaded module code.

Fixes: 5881f73757cc ("svm: Introduce AMD IOMMU avic_ga_log_notifier")
Reported-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
Closes: https://lore.kernel.org/all/20250918130320.GA119526@k08j02272.eu95sqa
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/svm/avic.c | 6 ++++++
 arch/x86/kvm/svm/svm.c  | 2 ++
 arch/x86/kvm/svm/svm.h  | 1 +
 3 files changed, 9 insertions(+)

diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index f286b5706d7c..3ab74f2bd584 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -1243,3 +1243,9 @@ bool __init avic_hardware_setup(void)
 
 	return true;
 }
+
+void avic_hardware_unsetup(void)
+{
+	if (avic)
+		amd_iommu_register_ga_log_notifier(NULL);
+}
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index efc3a7adebef..76055c0ba177 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -921,6 +921,8 @@ static void svm_hardware_unsetup(void)
 {
 	int cpu;
 
+	avic_hardware_unsetup();
+
 	sev_hardware_unsetup();
 
 	for_each_possible_cpu(cpu)
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index e4b04f435b3d..b0fe40c21728 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -805,6 +805,7 @@ extern struct kvm_x86_nested_ops svm_nested_ops;
 )
 
 bool __init avic_hardware_setup(void);
+void avic_hardware_unsetup(void);
 int avic_ga_log_notifier(u32 ga_tag);
 void avic_vm_destroy(struct kvm *kvm);
 int avic_vm_init(struct kvm *kvm);
-- 
2.51.0.858.gf9c4a03a3a-goog

[PATCH 3/3] KVM: SVM: Make avic_ga_log_notifier() local to avic.c

[Sean Christopherson]

Make amd_iommu_register_ga_log_notifier() a local symbol now that it's
defined and used purely within avic.c.

No functional change intended.

Fixes: 4bdec12aa8d6 ("KVM: SVM: Detect X2APIC virtualization (x2AVIC) support")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/svm/avic.c | 2 +-
 arch/x86/kvm/svm/svm.h  | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index 3ab74f2bd584..89864fee6e83 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -216,7 +216,7 @@ static void avic_deactivate_vmcb(struct vcpu_svm *svm)
  * This function is called from IOMMU driver to notify
  * SVM to schedule in a particular vCPU of a particular VM.
  */
-int avic_ga_log_notifier(u32 ga_tag)
+static int avic_ga_log_notifier(u32 ga_tag)
 {
 	unsigned long flags;
 	struct kvm_svm *kvm_svm;
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index b0fe40c21728..8c36ee0d67ef 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -806,7 +806,6 @@ extern struct kvm_x86_nested_ops svm_nested_ops;
 
 bool __init avic_hardware_setup(void);
 void avic_hardware_unsetup(void);
-int avic_ga_log_notifier(u32 ga_tag);
 void avic_vm_destroy(struct kvm *kvm);
 int avic_vm_init(struct kvm *kvm);
 void avic_init_vmcb(struct vcpu_svm *svm, struct vmcb *vmcb);
-- 
2.51.0.858.gf9c4a03a3a-goog

Re: [PATCH 0/3] KVM: SVM: Unregister GALog notifier on module exit

[Sean Christopherson]

On Thu, 16 Oct 2025 12:06:40 -0700, Sean Christopherson wrote:
> Unregister KVM's GALog notifier when kvm-amd.ko is being unloaded so that
> a spurious GALog event, e.g. due to some other bug, doesn't escalate to a
> use-after-free.
> 
> I deliberately didn't tag this for stable@, as shuffling the setup code
> around could easily introduce more problems than it solves, e.g. the patch
> might apply cleanly to an older kernel, but blow up at runtime due to the
> ordering being wrong.
> 
> [...]

Applied to kvm-x86 fixes, thanks!

[1/3] KVM: SVM: Initialize per-CPU svm_data at the end of hardware setup
      https://github.com/kvm-x86/linux/commit/59a217ced3e7
[2/3] KVM: SVM: Unregister KVM's GALog notifier on kvm-amd.ko exit
      https://github.com/kvm-x86/linux/commit/adc6ae972971
[3/3] KVM: SVM: Make avic_ga_log_notifier() local to avic.c
      https://github.com/kvm-x86/linux/commit/aaac099459f9

--
https://github.com/kvm-x86/linux/tree/next