On 9/22/25 00:52, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
to the 6.12-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch and it can be found in the queue-6.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all of those releases are fine.
So this patch doesn't need to be part of the 6.12 stable tree.
Thanks, Tom
From stable+bounces-180849-greg=kroah.com@vger.kernel.org Mon Sep 22 01:18:07 2025
From: Sasha Levin sashal@kernel.org
Date: Sun, 21 Sep 2025 19:17:59 -0400
Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
To: stable@vger.kernel.org
Cc: Tom Lendacky thomas.lendacky@amd.com, "Borislav Petkov (AMD)" bp@alien8.de, stable@kernel.org, Sasha Levin sashal@kernel.org
Message-ID: 20250921231759.3033314-1-sashal@kernel.org
From: Tom Lendacky thomas.lendacky@amd.com
[ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ]
The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV.
CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef.
Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation")
Signed-off-by: Tom Lendacky thomas.lendacky@amd.com
Signed-off-by: Borislav Petkov (AMD) bp@alien8.de
Cc: stable@kernel.org # 6.16.x
Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.175770895...
[ Move sev_evict_cache() out of shared.c ]
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
arch/x86/coco/sev/shared.c | 18 ------------------
arch/x86/include/asm/sev.h | 19 +++++++++++++++++++
2 files changed, 19 insertions(+), 18 deletions(-)
--- a/arch/x86/coco/sev/shared.c +++ b/arch/x86/coco/sev/shared.c @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s __pval_terminate(pfn, action, page_size, ret, svsm_ret); } -static inline void sev_evict_cache(void *va, int npages) -{
- volatile u8 val __always_unused;
- u8 *bytes = va;
- int page_idx;
- /*
* For SEV guests, a read from the first/last cache-lines of a 4K page
* using the guest key is sufficient to cause a flush of all cache-lines
* associated with that 4K page without incurring all the overhead of a
* full CLFLUSH sequence.
*/
- for (page_idx = 0; page_idx < npages; page_idx++) {
val = bytes[page_idx * PAGE_SIZE];
val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
- }
-}
static void svsm_pval_4k_page(unsigned long paddr, bool validate) { struct svsm_pvalidate_call *pc; --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -400,6 +400,24 @@ u64 sev_get_status(void); void sev_show_status(void); void snp_update_svsm_ca(void); +static inline void sev_evict_cache(void *va, int npages) +{
- volatile u8 val __always_unused;
- u8 *bytes = va;
- int page_idx;
- /*
* For SEV guests, a read from the first/last cache-lines of a 4K page
* using the guest key is sufficient to cause a flush of all cache-lines
* associated with that 4K page without incurring all the overhead of a
* full CLFLUSH sequence.
*/
- for (page_idx = 0; page_idx < npages; page_idx++) {
val = bytes[page_idx * PAGE_SIZE];
val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
- }
+}
#else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe static inline u64 sev_get_status(void) { return 0; } static inline void sev_show_status(void) { } static inline void snp_update_svsm_ca(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */
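Review bot: in the arch/x86/include/asm/sev.h hunk at @@ -400, sev_evict_cache() takes `int npages` and iterates with `int page_idx`, so a negative count skips the loop and the eviction with it, without any indication to the caller; a page count should be unsigned (`unsigned int npages`, with a matching index type). Because the helper is now a `static inline` in a header rather than local to shared.c, every includer of asm/sev.h also needs PAGE_SIZE and __always_unused in scope, which is worth a build check with CONFIG_AMD_MEM_ENCRYPT=y and CONFIG_KVM_AMD_SEV=n, the configuration the commit message names.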
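Review bot: the one-line stub in the @@ -435 hunk, `static inline void sev_evict_cache(void *va, int npages) {}`, is added under `#else /* !CONFIG_AMD_MEM_ENCRYPT */`, but nothing in this diff removes a stub from a CONFIG_KVM_AMD_SEV block, which is the defect the commit message describes. Together with the `Cc: stable@kernel.org # 6.16.x` trailer, that suggests this tree never had the misplaced stub; the backport note `[ Move sev_evict_cache() out of shared.c ]` should state why 6.12 needs the change, or the patch should be left out of this queue.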
Patches currently in stable-queue which might be from sashal@kernel.org are
On Mon, Sep 22, 2025 at 08:37:51AM -0500, Tom Lendacky wrote:
On 9/22/25 00:52, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
to the 6.12-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch and it can be found in the queue-6.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all of those releases are fine.
So this patch doesn't need to be part of the 6.12 stable tree.
Thanks for letting me know, I've now dropped this. I was triggering off of the "Fixes:" tag, which shows it was needed back to the 6.1.y tree.
thanks,
greg k-h