From: sashiko-bot@kernel.org
To: "Sean Christopherson" <seanjc@google.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 5/7] KVM: SEV: Forcefully invalidate SNP VMSA if its backing gmem page is zapped
Date: Thu, 25 Jun 2026 22:45:17 +0000 [thread overview]
Message-ID: <20260625224517.6BB7D1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260625222229.3367197-6-seanjc@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Deleting a guest_memfd-backed memslot severs invalidation callbacks but leaves the VMSA loaded in hardware, allowing the pages to be freed while in-use and crashing the host.
--
commit 1d8649cc04198822af1b4661735a4bc1d852fe1f
Author: Sean Christopherson <seanjc@google.com>
KVM: SEV: Forcefully invalidate SNP VMSA if its backing gmem page is zapped
This commit wires up a gmem_invalidate_range() call for SNP VMs. It forces
vCPUs to reload or recheck their guest-provided VMSA if the backing
guest_memfd page is being invalidated.
Closes: https://lore.kernel.org/all/aimMWzAf5b3luM0b@v4bel
> diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
> index 1618acc3ca647..8ec5041934dbc 100644
> --- a/virt/kvm/guest_memfd.c
> +++ b/virt/kvm/guest_memfd.c
> @@ -185,6 +185,10 @@ static void __kvm_gmem_invalidate_start(struct gmem_file *f, pgoff_t start,
> }
>
> flush |= kvm_mmu_unmap_gfn_range(kvm, &gfn_range);
> +
> +#ifdef CONFIG_HAVE_KVM_ARCH_GMEM_INVALIDATE
> + kvm_arch_gmem_invalidate_range(kvm, &gfn_range);
> +#endif
> }
>
> if (flush)
[Severity: Critical]
Does this invalidation path cover the case where the memslot is unbound before
the guest_memfd pages are freed?
If userspace deletes the memslot (e.g., via KVM_SET_USER_MEMORY_REGION2),
kvm_gmem_unbind() removes the slot from the f->bindings xarray.
If userspace then closes the guest_memfd file descriptor,
__kvm_gmem_invalidate_start() will iterate over f->bindings here, find it
empty, and skip calling kvm_arch_gmem_invalidate_range().
Since the vCPU is never kicked to reload the VMSA, the hardware could still be
actively using the page. When sev_gmem_free_folio() attempts to transition the
pages to shared via rmp_make_shared(), the hardware will reject it with
FAIL_INUSE.
Could this leak the encrypted page to the host allocator and subsequently
cause an RMP violation #PF?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625222229.3367197-1-seanjc@google.com?part=5
next prev parent reply other threads:[~2026-06-25 22:45 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 22:22 [PATCH 0/7] KVM: SEV: Fix RMP #PF due freeing in-use VMSA Sean Christopherson
2026-06-25 22:22 ` [PATCH 1/7] KVM: SEV: Track the GPA of the guest-controlled VMSA used for SNP guests Sean Christopherson
2026-06-25 22:22 ` [PATCH 2/7] KVM: SEV: Extract loading of guest-provided VMSA to a separate helper Sean Christopherson
2026-06-25 22:22 ` [PATCH 3/7] KVM: SEV: Mark vCPU RUNNABLE after AP_CREATE, even if VMSA is unusable Sean Christopherson
2026-06-25 22:22 ` [PATCH 4/7] KVM: Rework .gmem_invalidate() into .gmem_free_folio() Sean Christopherson
2026-06-25 22:39 ` sashiko-bot
2026-06-25 22:22 ` [PATCH 5/7] KVM: SEV: Forcefully invalidate SNP VMSA if its backing gmem page is zapped Sean Christopherson
2026-06-25 22:45 ` sashiko-bot [this message]
2026-06-25 23:28 ` Sean Christopherson
2026-06-25 22:22 ` [PATCH 6/7] KVM: x86: Guard .gmem_prepare() declarations with HAVE_KVM_GMEM_PREPARE=y Sean Christopherson
2026-06-25 22:22 ` [PATCH 7/7] KVM: SEV: Mark vCPU has having guest-provided VMSA even if its invalid Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625224517.6BB7D1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox