From: sashiko-bot@kernel.org
To: "Paolo Bonzini" <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 16/24] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
Date: Sat, 30 May 2026 08:50:43 +0000 [thread overview]
Message-ID: <20260530085043.927231F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260529183549.1104619-17-pbonzini@redhat.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] kvm_write_guest() is called with preemption disabled, which can trigger a kernel warning or silent guest memory corruption.
--
commit 5732decf12690466d8d24cbb274489189ae7d7b2
Author: Sean Christopherson <seanjc@google.com>
KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
This commit decouples synchronizing the GHCB scratch area from freeing and
unpinning it. This change allows the free and unpin path to be reused when
freeing a vCPU, and opportunistically adds a warning to prevent stomping over
an already-allocated scratch area.
> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
> index 437282f0ea943..11d46600cbdc0 100644
> --- a/arch/x86/kvm/svm/sev.c
> +++ b/arch/x86/kvm/svm/sev.c
> @@ -3560,20 +3560,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *svm)
> if (!svm->sev_es.ghcb)
> return;
>
> - if (svm->sev_es.ghcb_sa_free) {
> - /*
> - * The scratch area lives outside the GHCB, so there is a
> - * buffer that, depending on the operation performed, may
> - * need to be synced, then freed.
> - */
> - if (svm->sev_es.ghcb_sa_sync) {
> - kvm_write_guest(svm->vcpu.kvm,
> - svm->sev_es.sw_scratch,
> - svm->sev_es.ghcb_sa,
> - svm->sev_es.ghcb_sa_len);
> - svm->sev_es.ghcb_sa_sync = false;
> - }
> + /*
> + * If the scratch area lives outside the GHCB, there's a buffer that,
> + * depending on the operation performed, may need to be synced.
> + */
> + if (svm->sev_es.ghcb_sa_sync) {
> + kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch,
> + svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len);
> + svm->sev_es.ghcb_sa_sync = false;
> + }
[Severity: High]
This isn't a bug introduced by this patch, but can this call to
kvm_write_guest() trigger a warning or cause silent guest memory corruption?
In arch/x86/kvm/x86.c:vcpu_enter_guest(), KVM disables preemption before
calling prepare_switch_to_guest():
preempt_disable();
kvm_x86_call(prepare_switch_to_guest)(vcpu);
For SEV-ES guests, this invokes svm_prepare_switch_to_guest() ->
sev_es_unmap_ghcb(). Within sev_es_unmap_ghcb(), if svm->sev_es.ghcb_sa_sync is
true, KVM calls kvm_write_guest().
Since kvm_write_guest() is a sleepable function and preemption is disabled,
this could trigger a warning in might_fault(), potentially leading to a host
denial of service if panic_on_warn is set.
Additionally, if the user address faults, the page fault handler might detect
the atomic context and fail the fault, causing the copy to fail silently and
corrupting the guest's execution.
Could a guest using GHCB version 1 force ghcb_sa_sync to true by supplying a
scratch area outside the GHCB, thereby triggering this path?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260529183549.1104619-1-pbonzini@redhat.com?part=16
next prev parent reply other threads:[~2026-05-30 8:50 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 18:35 [PATCH 00/24] KVM: x86: fix various GHCB issues Paolo Bonzini
2026-05-29 18:35 ` [PATCH 01/24] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Paolo Bonzini
2026-05-29 18:35 ` [PATCH 02/24] KVM: SEV: Ignore MMIO requests of length '0' Paolo Bonzini
2026-05-29 19:29 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 03/24] KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+ Paolo Bonzini
2026-05-29 19:54 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 04/24] KVM: SEV: Ignore Port I/O requests of length '0' Paolo Bonzini
2026-05-29 18:35 ` [PATCH 05/24] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Paolo Bonzini
2026-05-29 20:49 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 06/24] KVM: SEV: Compute the correct max length of the in-GHCB scratch area Paolo Bonzini
2026-05-29 18:35 ` [PATCH 07/24] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 Paolo Bonzini
2026-05-29 21:32 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 08/24] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 09/24] KVM: SEV: Check PSC request indices against the actual size of the buffer Paolo Bonzini
2026-05-29 18:35 ` [PATCH 10/24] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Paolo Bonzini
2026-05-29 22:28 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 11/24] KVM: SEV: Make it more obvious when KVM is writing back the current PSC index Paolo Bonzini
2026-05-29 23:21 ` sashiko-bot
2026-06-01 16:20 ` Sean Christopherson
2026-05-29 18:35 ` [PATCH 12/24] KVM: SEV: Add an anonymous "psc" struct to track current PSC metadata Paolo Bonzini
2026-05-30 8:07 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 13/24] KVM: SEV: Read start/end indices of PSC requests exactly once per #VMGEXIT Paolo Bonzini
2026-05-29 18:35 ` [PATCH 14/24] KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying Paolo Bonzini
2026-05-29 18:35 ` [PATCH 15/24] KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb() Paolo Bonzini
2026-05-30 8:36 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 16/24] KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA Paolo Bonzini
2026-05-30 8:50 ` sashiko-bot [this message]
2026-06-01 16:02 ` Sean Christopherson
2026-05-29 18:35 ` [PATCH 17/24] KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free Paolo Bonzini
2026-05-30 9:06 ` sashiko-bot
2026-05-29 18:35 ` [PATCH 18/24] KVM: SEV: Don't terminate SNP VMs on #VMGEXIT without a registered GHCB Paolo Bonzini
2026-05-29 18:35 ` [PATCH 19/24] KVM: SEV: Move GHCB "usage" check out of sev_es_validate_vmgexit() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 20/24] KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest Paolo Bonzini
2026-05-30 9:29 ` sashiko-bot
2026-06-01 16:18 ` Sean Christopherson
2026-05-29 18:35 ` [PATCH 21/24] KVM: SEV: Return INVALID_INPUT, not MISSING_INPUT, for bad GUEST_REQUEST input(s) Paolo Bonzini
2026-05-29 18:35 ` [PATCH 22/24] KVM: SEV: Handle unknown #VMGEXIT reasons in sev_handle_vmgexit() Paolo Bonzini
2026-05-29 18:35 ` [PATCH 23/24] KVM: SEV: Turn sev_es_validate_vmgexit() into a dedicated predicate Paolo Bonzini
2026-05-29 18:35 ` [PATCH 24/24] KVM: SEV: Remove sometimes-used function-scoped "ret" from #VMGEXIT handler Paolo Bonzini
2026-05-30 16:27 ` [PATCH 00/24] KVM: x86: fix various GHCB issues Paolo Bonzini
2026-06-03 12:52 ` Sean Christopherson
2026-06-03 15:06 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530085043.927231F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox