Re: [PATCH 00/24] KVM: x86: fix various GHCB issues
From: Paolo Bonzini
Date: Sat May 30 2026 - 12:35:25 EST
I think patches 11-13 should also be included in 7.1. Any other opinions?
Paolo
On Fri, May 29, 2026 at 8:35 PM Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote:
>
> The PSC code has a variety of bugs, several of which have to do with
> not following the spec. It took a while to disentangle and root cause
> everything (the GHCB ain't exactly the easiest spec to decipher), but
> here it is. The first 10 patches have just been sent to Linus.
>
> For the rest we decided to handle it on-list for 7.2, but it is possible
> that a clever guest could abuse the bugs to cause the host to leak a
> pile of pages (limited by how fast the VM can get recreated).
>
> This can also be found in a sev-for-7.2 branch of kvm.git
>
> Thanks,
>
> Paolo, Sean, Mike, Tom
>
> Michael Roth (1):
> KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
>
> Sean Christopherson (23):
> KVM: SEV: Ignore MMIO requests of length '0'
> KVM: SEV: Reject MMIO requests larger than 8 bytes with GHCB v2+
> KVM: SEV: Ignore Port I/O requests of length '0'
> KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
> KVM: SEV: Compute the correct max length of the in-GHCB scratch area
> KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
> KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
> KVM: SEV: Check PSC request indices against the actual size of the buffer
> KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
> KVM: SEV: Make it more obvious when KVM is writing back the current PSC index
> KVM: SEV: Add an anonymous "psc" struct to track current PSC metadata
> KVM: SEV: Read start/end indices of PSC requests exactly once per #VMGEXIT
> KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
> KVM: SEV: Move sev_free_vcpu() down below sev_es_unmap_ghcb()
> KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
> KVM: SEV: Unmap and unpin the GHCB as needed on vCPU free
> KVM: SEV: Don't terminate SNP VMs on #VMGEXIT without a registered GHCB
> KVM: SEV: Move GHCB "usage" check out of sev_es_validate_vmgexit()
> KVM: SEV: Return INVALID_EVENT for SNP-only #VMGEXIT from non-SNP guest
> KVM: SEV: Return INVALID_INPUT, not MISSING_INPUT, for bad GUEST_REQUEST input(s)
> KVM: SEV: Handle unknown #VMGEXIT reasons in sev_handle_vmgexit()
> KVM: SEV: Turn sev_es_validate_vmgexit() into a dedicated predicate
> KVM: SEV: Remove sometimes-used function-scoped "ret" from #VMGEXIT handler
>
> arch/x86/kvm/svm/sev.c | 554 ++++++++++++++++++++++-------------------
> arch/x86/kvm/svm/svm.h |   9 +-
> virt/kvm/kvm_main.c    |   3 +-
> 3 files changed, 302 insertions(+), 264 deletions(-)
>
> --
> 2.54.0
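Several of the patches in the quoted shortlog (checking PSC indices against the actual buffer size, using READ_ONCE(), reading the start/end indices exactly once per #VMGEXIT, using the header size as the minimum request size) share one defensive pattern: a request that lives in guest-shared memory must have its control fields snapshotted once and bounded by what the host really mapped. The C program below is an added illustration of that pattern written for this page; it is not KVM code. The struct layout, `PSC_ENTRY_MAX`, `psc_process`, `psc_process_naive`, the `racer` hook and all field names are invented for the example, and the "racer" merely emulates a guest rewriting the header while the host walks the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not KVM code: a simplified stand-in for a GHCB
 * page-state-change (PSC) request in memory the guest can rewrite at will.
 * Names, sizes and status codes are invented for the example. */
#define PSC_ENTRY_MAX 253            /* example capacity of the entry array */

struct psc_hdr {
    uint16_t cur_entry;              /* first entry to process */
    uint16_t end_entry;              /* last entry to process, inclusive */
    uint32_t reserved;
};

struct psc_entry {
    uint64_t gfn;                    /* guest frame number (example field) */
    uint32_t op;                     /* example: 1 = make private, 2 = make shared */
    uint32_t pad;
};

struct psc_buf {
    struct psc_hdr hdr;
    struct psc_entry entries[PSC_ENTRY_MAX];
};

enum psc_status { PSC_OK = 0, PSC_BAD_LEN = -1, PSC_BAD_INDEX = -2 };

/* Single volatile load: the userspace stand-in for the kernel's READ_ONCE(). */
#define LOAD_ONCE_U16(p) (*(volatile const uint16_t *)(p))

typedef void (*racer_fn)(struct psc_buf *);

/* Double-fetch pattern: the loop bound is re-read from guest memory on every
 * iteration and nothing ties the indices to the number of bytes mapped. */
static int psc_process_naive(struct psc_buf *buf, racer_fn racer, unsigned *nr_done)
{
    unsigned i;

    *nr_done = 0;
    for (i = buf->hdr.cur_entry; i <= buf->hdr.end_entry; i++) {
        if (racer) { racer(buf); racer = NULL; }   /* guest strikes mid-walk */
        (*nr_done)++;
    }
    return PSC_OK;
}

/* Hardened walk: buf_len is what the host actually mapped, every control field
 * is read exactly once, and the loop runs on the snapshot, not on shared memory. */
static int psc_process(struct psc_buf *buf, size_t buf_len, racer_fn racer,
                       unsigned *nr_done)
{
    uint16_t cur, end;
    size_t max_entries;
    unsigned i;

    *nr_done = 0;
    if (buf_len < sizeof(struct psc_hdr))          /* header is the minimum */
        return PSC_BAD_LEN;

    cur = LOAD_ONCE_U16(&buf->hdr.cur_entry);      /* snapshot once ... */
    end = LOAD_ONCE_U16(&buf->hdr.end_entry);      /* ... and only once */

    /* Entries that fit in the mapped bytes, not in the maximum layout. */
    max_entries = (buf_len - sizeof(struct psc_hdr)) / sizeof(struct psc_entry);
    if (max_entries > PSC_ENTRY_MAX)
        max_entries = PSC_ENTRY_MAX;
    if (end >= max_entries)
        return PSC_BAD_INDEX;
    if (cur > end)                                 /* nothing to do (example policy) */
        return PSC_OK;

    for (i = cur; i <= end; i++) {
        struct psc_entry e = buf->entries[i];      /* copy the entry once as well */
        if (racer) { racer(buf); racer = NULL; }   /* same mid-walk rewrite */
        (void)e;                                   /* real code would apply e.op to e.gfn */
        (*nr_done)++;
    }
    buf->hdr.cur_entry = (uint16_t)(end + 1);      /* write back resume position */
    return PSC_OK;
}

/* Emulated hostile guest: grows the request while the host is walking it. */
static void bump_end(struct psc_buf *buf) { buf->hdr.end_entry = PSC_ENTRY_MAX - 1; }

/* Run one constructed scenario. Returns entries processed on success, else the
 * negative status code; hardened selects psc_process() over psc_process_naive(). */
static long scenario(int hardened, uint16_t cur, uint16_t end, size_t buf_len, racer_fn racer)
{
    struct psc_buf buf;
    unsigned n;
    int rc;

    memset(&buf, 0, sizeof(buf));
    buf.hdr.cur_entry = cur;
    buf.hdr.end_entry = end;
    rc = hardened ? psc_process(&buf, buf_len, racer, &n)
                  : psc_process_naive(&buf, racer, &n);
    return rc < 0 ? rc : (long)n;
}

int main(void)
{
    printf("truncated header      -> %ld\n", scenario(1, 0, 3, sizeof(struct psc_hdr) - 1, NULL));
    printf("end past mapping      -> %ld\n", scenario(1, 0, 3, sizeof(struct psc_hdr) + 2 * sizeof(struct psc_entry), NULL));
    printf("valid request         -> %ld\n", scenario(1, 0, 3, sizeof(struct psc_buf), NULL));
    printf("naive, guest races    -> %ld\n", scenario(0, 0, 3, sizeof(struct psc_buf), bump_end));
    printf("hardened, guest races -> %ld\n", scenario(1, 0, 3, sizeof(struct psc_buf), bump_end));
    return 0;
}
```

The naive walk processes 253 entries when the emulated guest bumps `end_entry` after the first iteration, while the hardened walk still processes the four it snapshotted and rejects requests whose indices point past the mapped length. The `buf_len` parameter stands in for the size the host derived from the GHCB scratch area rather than the maximum the struct could hold, which is the distinction the "actual size of the buffer" patch in the shortlog is about.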