* Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree
[not found] <2025092205-quaking-approve-4cd6@gregkh>
@ 2025-09-22 13:37 ` Tom Lendacky
2025-09-22 14:08 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Tom Lendacky @ 2025-09-22 13:37 UTC (permalink / raw)
To: gregkh, bp, sashal, stable, stable
On 9/22/25 00:52, gregkh@linuxfoundation.org wrote:
>
> This is a note to let you know that I've just added the patch titled
>
> x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
>
> to the 6.12-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch
> and it can be found in the queue-6.12 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag
to indicate that the patch only applied to 6.16 and above. Before 6.16,
there isn't a stub version of the function, so all of those releases
are fine.

So this patch doesn't need to be part of the 6.12 stable tree.

Thanks,
Tom
>
>
> From stable+bounces-180849-greg=kroah.com@vger.kernel.org Mon Sep 22 01:18:07 2025
> From: Sasha Levin <sashal@kernel.org>
> Date: Sun, 21 Sep 2025 19:17:59 -0400
> Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
> To: stable@vger.kernel.org
> Cc: Tom Lendacky <thomas.lendacky@amd.com>, "Borislav Petkov (AMD)" <bp@alien8.de>, stable@kernel.org, Sasha Levin <sashal@kernel.org>
> Message-ID: <20250921231759.3033314-1-sashal@kernel.org>
>
> From: Tom Lendacky <thomas.lendacky@amd.com>
>
> [ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ]
>
> The sev_evict_cache() is guest-related code and should be guarded by
> CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV.
>
> CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP
> guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub
> function of sev_evict_cache() instead of the version that performs the actual
> eviction. Move the function declarations under the appropriate #ifdef.
>
> Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation")
> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Cc: stable@kernel.org # 6.16.x
> Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.1757708959.git.thomas.lendacky@amd.com
> [ Move sev_evict_cache() out of shared.c ]
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> arch/x86/coco/sev/shared.c | 18 ------------------
> arch/x86/include/asm/sev.h | 19 +++++++++++++++++++
> 2 files changed, 19 insertions(+), 18 deletions(-)
>
> --- a/arch/x86/coco/sev/shared.c
> +++ b/arch/x86/coco/sev/shared.c
> @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s
> __pval_terminate(pfn, action, page_size, ret, svsm_ret);
> }
>
> -static inline void sev_evict_cache(void *va, int npages)
> -{
> - volatile u8 val __always_unused;
> - u8 *bytes = va;
> - int page_idx;
> -
> - /*
> - * For SEV guests, a read from the first/last cache-lines of a 4K page
> - * using the guest key is sufficient to cause a flush of all cache-lines
> - * associated with that 4K page without incurring all the overhead of a
> - * full CLFLUSH sequence.
> - */
> - for (page_idx = 0; page_idx < npages; page_idx++) {
> - val = bytes[page_idx * PAGE_SIZE];
> - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
> - }
> -}
> -
> static void svsm_pval_4k_page(unsigned long paddr, bool validate)
> {
> struct svsm_pvalidate_call *pc;
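Review bot: With the `static inline` definition deleted from arch/x86/coco/sev/shared.c, any caller left in this file now resolves sev_evict_cache() through asm/sev.h, and in a build without CONFIG_AMD_MEM_ENCRYPT that is the empty stub added later in this patch. The diffstat lists only these two files, so the changelog should say how the header reaches every unit that builds shared.c; the bracketed note "[ Move sev_evict_cache() out of shared.c ]" records the deviation from upstream but not the reason for it.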
> --- a/arch/x86/include/asm/sev.h
> +++ b/arch/x86/include/asm/sev.h
> @@ -400,6 +400,24 @@ u64 sev_get_status(void);
> void sev_show_status(void);
> void snp_update_svsm_ca(void);
>
> +static inline void sev_evict_cache(void *va, int npages)
> +{
> + volatile u8 val __always_unused;
> + u8 *bytes = va;
> + int page_idx;
> +
> + /*
> + * For SEV guests, a read from the first/last cache-lines of a 4K page
> + * using the guest key is sufficient to cause a flush of all cache-lines
> + * associated with that 4K page without incurring all the overhead of a
> + * full CLFLUSH sequence.
> + */
> + for (page_idx = 0; page_idx < npages; page_idx++) {
> + val = bytes[page_idx * PAGE_SIZE];
> + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
> + }
> +}
> +
> #else /* !CONFIG_AMD_MEM_ENCRYPT */
>
> #define snp_vmpl 0
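Review bot: The added sev_evict_cache() takes `int npages` and loops on `page_idx < npages`, so a zero or negative count returns without reading anything and the caller gets no indication that nothing was evicted; an unsigned count would make that contract explicit. Now that the definition sits in a header, the comment could also state that `va` must be a mapping that uses the guest key and covers `npages` 4K pages, which the current comment only implies.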
> @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe
> static inline u64 sev_get_status(void) { return 0; }
> static inline void sev_show_status(void) { }
> static inline void snp_update_svsm_ca(void) { }
> +static inline void sev_evict_cache(void *va, int npages) {}
>
> #endif /* CONFIG_AMD_MEM_ENCRYPT */
>
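Review bot: The sev_evict_cache() stub added in the !CONFIG_AMD_MEM_ENCRYPT branch is new to this tree: per Tom Lendacky's reply above, releases before 6.16 have no stub version of the function, so the misplaced guard this patch corrects does not exist in 6.12 and the backport can be dropped. If the line were kept, the stub body should be `{ }` rather than `{}` to match the three stubs directly above it.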
>
>
> Patches currently in stable-queue which might be from sashal@kernel.org are
>
> queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch
> queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
> queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch
> queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch
> queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch
> queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch
> queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch
> queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch
> queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch
> queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch
> queue-6.12/nvme-fix-pi-insert-on-write.patch
> queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch
> queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch
> queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch
> queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch
> queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch
> queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch
> queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch
> queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch
> queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch
> queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch
> queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch
> queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch
> queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch
> queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch
> queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch
> queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch
> queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch
> queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch
> queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch
> queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch
> queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch
> queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch
> queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch
> queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch
> queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch
> queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch
> queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch
> queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch
> queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch
> queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch
> queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch
> queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch
> queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch
> queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch
> queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch
> queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch
> queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch
> queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch
> queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch
> queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch
> queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch
> queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch
> queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch
> queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
* Re: Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree
2025-09-22 13:37 ` Patch "x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" has been added to the 6.12-stable tree Tom Lendacky
@ 2025-09-22 14:08 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2025-09-22 14:08 UTC (permalink / raw)
To: Tom Lendacky; +Cc: bp, sashal, stable, stable
On Mon, Sep 22, 2025 at 08:37:51AM -0500, Tom Lendacky wrote:
> On 9/22/25 00:52, gregkh@linuxfoundation.org wrote:
> >
> > This is a note to let you know that I've just added the patch titled
> >
> > x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
> >
> > to the 6.12-stable tree which can be found at:
> > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> >
> > The filename of the patch is:
> > x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch
> > and it can be found in the queue-6.12 subdirectory.
> >
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
>
> Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag
> to indicate that the patch only applied to 6.16 and above. Before 6.16,
> there isn't a stub version of the function, so all of those releases
> are fine.
>
> So this patch doesn't need to be part of the 6.12 stable tree.
Thanks for letting me know, I've now dropped this. I was triggering off
of the "Fixes:" tag, which shows it was needed back to the 6.1.y tree.

thanks,

greg k-h