public inbox for linux-coco@lists.linux.dev
* [PATCH v2] KVM: x86: synthesize CPUID bits only if CPU capability is set
@ 2026-02-09 15:31 Carlos López
  2026-02-25 16:43 ` Nikolay Borisov
  2026-03-05 17:07 ` Sean Christopherson
  0 siblings, 2 replies; 3+ messages in thread
From: Carlos López @ 2026-02-09 15:31 UTC (permalink / raw)
  To: seanjc, bp, kvm
  Cc: linux-coco, jmattson, binbin.wu, Carlos López, Paolo Bonzini,
	Thomas Gleixner, Ingo Molnar, Dave Hansen,
	maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT), H. Peter Anvin,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

KVM incorrectly synthesizes CPUID bits for KVM-only leaves, as the
following branch in kvm_cpu_cap_init() is never taken:

    if (leaf < NCAPINTS)
        kvm_cpu_caps[leaf] &= kernel_cpu_caps[leaf];

This means that bits set via SYNTHESIZED_F() for KVM-only leaves are
unconditionally set. This for example can cause issues for SEV-SNP
guests running on Family 19h CPUs, as TSA_SQ_NO and TSA_L1_NO are
always enabled by KVM in 80000021[ECX]. When userspace issues a
SNP_LAUNCH_UPDATE command to update the CPUID page for the guest, SNP
firmware will explicitly reject the command if the page sets these
bits on vulnerable CPUs.

To fix this, check in SYNTHESIZED_F() that the corresponding X86
capability is set before adding it to kvm_cpu_cap_features.

Fixes: 31272abd5974 ("KVM: SVM: Advertise TSA CPUID bits to guests")
Link: https://lore.kernel.org/all/20260208164233.30405-1-clopez@suse.de/
Signed-off-by: Carlos López <clopez@suse.de>
---
v2: fix SYNTHESIZED_F() instead of using SCATTERED_F() for TSA bits
 arch/x86/kvm/cpuid.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 88a5426674a1..5f41924987c7 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -770,7 +770,10 @@ do {									\
 #define SYNTHESIZED_F(name)					\
 ({								\
 	kvm_cpu_cap_synthesized |= feature_bit(name);		\
-	F(name);						\
+								\
+	BUILD_BUG_ON(X86_FEATURE_##name >= MAX_CPU_FEATURES);	\
+	if (boot_cpu_has(X86_FEATURE_##name))			\
+		F(name);					\
 })
 
 /*
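
Review bot: In SYNTHESIZED_F(), the "kvm_cpu_cap_synthesized |= feature_bit(name);" line still runs unconditionally while F(name) is now gated on boot_cpu_has(), so the synthesized mask can carry a bit that never reaches the feature mask. If that is intended, a one-line comment saying so would help the next reader; otherwise move the assignment under the same if. The empty continuation line added ahead of BUILD_BUG_ON() can also be dropped.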
-- 
2.51.0
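
The masking gap described in the commit message, as an added example that is not part of the thread and is not kernel code. It is a user-space toy model: struct host, cap_init(), synthesized_f(), cpuid_page_accepted() and the TSA_SQ_NO bit position are constructed for illustration, and the raw-CPUID masking step is an assumption about the rest of kvm_cpu_cap_init().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not kernel code. Bit position is constructed for the example. */
#define TSA_SQ_NO (1u << 1)

struct host {
	uint32_t raw_cpuid; /* bits the hardware reports in this CPUID leaf */
	uint32_t boot_caps; /* bits for which boot_cpu_has() would be true */
};

/* Old SYNTHESIZED_F() always called F(name); the patched one checks first. */
static uint32_t synthesized_f(uint32_t bits, const struct host *h, bool patched)
{
	return patched ? (bits & h->boot_caps) : bits;
}

/* Guest-visible mask for one leaf. kernel_leaf models "leaf < NCAPINTS". */
static uint32_t cap_init(bool kernel_leaf, uint32_t synth,
			 const struct host *h, bool patched)
{
	uint32_t caps = synthesized_f(synth, h, patched); /* kvm_cpu_cap_features */

	if (kernel_leaf)
		caps &= h->boot_caps; /* never reached for KVM-only leaves */
	/* Assumption: synthesized bits are exempt from the raw-CPUID mask. */
	caps &= h->raw_cpuid | synth;
	return caps;
}

/* Models the firmware behaviour described above: reject a bit the CPU lacks. */
static bool cpuid_page_accepted(uint32_t page_bits, const struct host *h)
{
	return (page_bits & TSA_SQ_NO & ~h->boot_caps) == 0;
}

int main(void)
{
	const struct host vulnerable = { .raw_cpuid = 0, .boot_caps = 0 };
	uint32_t before = cap_init(false, TSA_SQ_NO, &vulnerable, false);
	uint32_t after = cap_init(false, TSA_SQ_NO, &vulnerable, true);

	printf("before: %#x accepted=%d\n", before, cpuid_page_accepted(before, &vulnerable));
	printf("after:  %#x accepted=%d\n", after, cpuid_page_accepted(after, &vulnerable));
	return 0;
}
```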



* Re: [PATCH v2] KVM: x86: synthesize CPUID bits only if CPU capability is set
  2026-02-09 15:31 [PATCH v2] KVM: x86: synthesize CPUID bits only if CPU capability is set Carlos López
@ 2026-02-25 16:43 ` Nikolay Borisov
  2026-03-05 17:07 ` Sean Christopherson
  1 sibling, 0 replies; 3+ messages in thread
From: Nikolay Borisov @ 2026-02-25 16:43 UTC (permalink / raw)
  To: Carlos López, seanjc, bp, kvm
  Cc: linux-coco, jmattson, binbin.wu, Paolo Bonzini, Thomas Gleixner,
	Ingo Molnar, Dave Hansen,
	maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT), H. Peter Anvin,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)



On 9.02.26 at 17:31, Carlos López wrote:
> KVM incorrectly synthesizes CPUID bits for KVM-only leaves, as the
> following branch in kvm_cpu_cap_init() is never taken:
> 
>      if (leaf < NCAPINTS)
>          kvm_cpu_caps[leaf] &= kernel_cpu_caps[leaf];
> 
> This means that bits set via SYNTHESIZED_F() for KVM-only leaves are
> unconditionally set. This for example can cause issues for SEV-SNP
> guests running on Family 19h CPUs, as TSA_SQ_NO and TSA_L1_NO are
> always enabled by KVM in 80000021[ECX]. When userspace issues a
> SNP_LAUNCH_UPDATE command to update the CPUID page for the guest, SNP
> firmware will explicitly reject the command if the page sets these
> bits on vulnerable CPUs.
> 
> To fix this, check in SYNTHESIZED_F() that the corresponding X86
> capability is set before adding it to kvm_cpu_cap_features.
> 
> Fixes: 31272abd5974 ("KVM: SVM: Advertise TSA CPUID bits to guests")
> Link: https://lore.kernel.org/all/20260208164233.30405-1-clopez@suse.de/
> Signed-off-by: Carlos López <clopez@suse.de>

Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>

> ---
> v2: fix SYNTHESIZED_F() instead of using SCATTERED_F() for TSA bits
>   arch/x86/kvm/cpuid.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 88a5426674a1..5f41924987c7 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -770,7 +770,10 @@ do {									\
>   #define SYNTHESIZED_F(name)					\
>   ({								\
>   	kvm_cpu_cap_synthesized |= feature_bit(name);		\
> -	F(name);						\
> +								\
> +	BUILD_BUG_ON(X86_FEATURE_##name >= MAX_CPU_FEATURES);	\
> +	if (boot_cpu_has(X86_FEATURE_##name))			\
> +		F(name);					\
>   })
>   
>   /*
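
Review bot: The new BUILD_BUG_ON(X86_FEATURE_##name >= MAX_CPU_FEATURES) in SYNTHESIZED_F() carries no comment stating what constraint it places on name. Since it sits directly above the boot_cpu_has(X86_FEATURE_##name) call, a one-line comment tying the two together would save readers from having to work out why the bound is checked here.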



* Re: [PATCH v2] KVM: x86: synthesize CPUID bits only if CPU capability is set
  2026-02-09 15:31 [PATCH v2] KVM: x86: synthesize CPUID bits only if CPU capability is set Carlos López
  2026-02-25 16:43 ` Nikolay Borisov
@ 2026-03-05 17:07 ` Sean Christopherson
  1 sibling, 0 replies; 3+ messages in thread
From: Sean Christopherson @ 2026-03-05 17:07 UTC (permalink / raw)
  To: Sean Christopherson, bp, kvm, Carlos López
  Cc: linux-coco, jmattson, binbin.wu, Paolo Bonzini, Thomas Gleixner,
	Ingo Molnar, Dave Hansen, x86, H. Peter Anvin, linux-kernel

On Mon, 09 Feb 2026 16:31:09 +0100, Carlos López wrote:
> KVM incorrectly synthesizes CPUID bits for KVM-only leaves, as the
> following branch in kvm_cpu_cap_init() is never taken:
> 
>     if (leaf < NCAPINTS)
>         kvm_cpu_caps[leaf] &= kernel_cpu_caps[leaf];
> 
> This means that bits set via SYNTHESIZED_F() for KVM-only leaves are
> unconditionally set. This for example can cause issues for SEV-SNP
> guests running on Family 19h CPUs, as TSA_SQ_NO and TSA_L1_NO are
> always enabled by KVM in 80000021[ECX]. When userspace issues a
> SNP_LAUNCH_UPDATE command to update the CPUID page for the guest, SNP
> firmware will explicitly reject the command if the page sets these
> bits on vulnerable CPUs.
> 
> [...]

Applied to kvm-x86 fixes, thanks!

[1/1] KVM: x86: synthesize CPUID bits only if CPU capability is set
      https://github.com/kvm-x86/linux/commit/6a5028d8f9f4

--
https://github.com/kvm-x86/linux/tree/next
