[{"id":3685027,"web_url":"http://patchwork.ozlabs.org/comment/3685027/","msgid":"<CAAhSdy2q0NZGnXmtKpFX8LtX4GeP3NYBbP2JtRPWkHO3=R8kpQ@mail.gmail.com>","list_archive_url":null,"date":"2026-05-01T04:57:22","subject":"Re: [PATCH 1/2] lib: sbi: sse: fix KVM context corruption","submitter":{"id":33417,"url":"http://patchwork.ozlabs.org/api/people/33417/","name":"Anup Patel","email":"anup@brainfault.org"},"content":"On Thu, Apr 30, 2026 at 3:53 PM Zhanpeng Zhang\n<zhangzhanpeng.jasper@bytedance.com> wrote:\n>\n> SSE injection builds a synthetic S-mode context to enter the registered\n> S-mode handler. If the interrupted context belongs to KVM guest\n> execution, OpenSBI must not let that synthetic context overwrite the\n> virtualization state needed to resume the interrupted context.\n>\n> KVM Context Corruption happens because the old complete path rebuilt\n> hstatus SPV/SPVP from interrupted flags and derived MPV from\n> handler-visible hstatus. However, this is insufficient on\n> virtualization-enabled systems: hstatus carries more H-mode state, and\n> MPV must come from the state captured before OpenSBI prepares the\n> synthetic handler-entry context. Reconstructing these values from\n> handler-visible state can corrupt the KVM resume context.\n>\n> Save the complete hstatus value and the interrupted MPV state in\n> OpenSBI's private SSE resume state before constructing the handler\n> context. The state is stored in sbi_sse_event because it should persist\n> from injection to completion, but it must not be part of the ABI-visible\n> SSE attributes that the S-mode handler can update.\n>\n> This is the OpenSBI side of the KVM context corruption fix. The related\n> Linux side should preserve the kernel stvec in do_sse() to help protect\n> the virtualization context.\n>\n> Link: https://lore.kernel.org/r/9290f53d-3545-4299-9781-c1c558f71158@rivosinc.com\n> Fixes: c8cdf01d8f3a (\"lib: sbi: Add support for Supervisor Software Events extension\")\n> 
Signed-off-by: Zhanpeng Zhang <zhangzhanpeng.jasper@bytedance.com>\n> ---\n>  lib/sbi/sbi_sse.c | 53 ++++++++++++++++++++++++++++-------------------\n>  1 file changed, 32 insertions(+), 21 deletions(-)\n>\n> diff --git a/lib/sbi/sbi_sse.c b/lib/sbi/sbi_sse.c\n> index 818afb87..0544449d 100644\n> --- a/lib/sbi/sbi_sse.c\n> +++ b/lib/sbi/sbi_sse.c\n> @@ -70,6 +70,19 @@ struct sse_ipi_inject_data {\n>         uint32_t event_id;\n>  };\n>\n> +/*\n> + * OpenSBI-private state used to resume the interrupted context after the SSE\n> + * event handler completes. Keep this separate from SSE attributes: S-mode can\n> + * update attributes before completion, while these fields preserve\n> + * M-mode-owned state.\n> + */\n> +struct sse_resume_state {\n> +       /* Complete hstatus value, used to restore H-mode virtualization state. */\n> +       unsigned long hstatus;\n> +       /* MPV bit from mstatus/mstatusH, used to restore virtualization state. */\n> +       bool prev_virt;\n> +};\n> +\n>  struct sbi_sse_event_attrs {\n>         unsigned long status;\n>         unsigned long prio;\n> @@ -100,6 +113,7 @@ assert_field_offset(interrupted.a7, SBI_SSE_ATTR_INTERRUPTED_A7);\n>\n>  struct sbi_sse_event {\n>         struct sbi_sse_event_attrs attrs;\n> +       struct sse_resume_state resume;\n>         uint32_t event_id;\n>         u32 hartindex;\n>         struct sse_event_info *info;\n> @@ -545,6 +559,7 @@ static void sse_event_inject(struct sbi_sse_event *e,\n>                              struct sbi_trap_regs *regs)\n>  {\n>         struct sse_interrupted_state *i_ctx = &e->attrs.interrupted;\n> +       struct sse_resume_state *r_ctx = &e->resume;\n>\n>         sse_event_set_state(e, SBI_SSE_STATE_RUNNING);\n>\n> 
@@ -552,9 +567,10 @@ static void sse_event_inject(struct sbi_sse_event *e,\n>\n>         i_ctx->a6 = regs->a6;\n>         i_ctx->a7 = regs->a7;\n> -       i_ctx->flags = sse_interrupted_flags(regs->mstatus);\n\nThis is plain wrong and does not align with the SBI SSE spec.\nThe SSE interrupted flags must be saved before hstatus\nand sstatus bits are modified.\n\nIf you want to save restore whole hstatus CSR then right place\nto do that is do_sse() function at <linux>/arch/riscv/kernel/sbi_sse.c\n\nThe responsibility of SBI implementation (OpenSBI) is save/restore\nonly minimal possible state upon SSE entry/exit. In addition, the\nSBI implementation must also allow supervisor software to update\nany save/restore state using SSE attributes.\n\n>         i_ctx->sepc = csr_read(CSR_SEPC);\n>\n> +       r_ctx->prev_virt = sbi_regs_from_virt(regs);\n> +\n>         regs->mstatus &= ~(MSTATUS_SPP | SSTATUS_SPIE);\n>         if (regs->mstatus & MSTATUS_MPP)\n>                 regs->mstatus |= MSTATUS_SPP;\n> 
@@ -563,22 +579,24 @@ static void sse_event_inject(struct sbi_sse_event *e,\n>\n>         if (misa_extension('H')) {\n>                 unsigned long hstatus = csr_read(CSR_HSTATUS);\n> +               unsigned long prev_mode = (regs->mstatus & MSTATUS_MPP) >>\n> +                                         MSTATUS_MPP_SHIFT;\n>\n> -#if __riscv_xlen == 64\n> -               if (regs->mstatus & MSTATUS_MPV)\n> -#elif __riscv_xlen == 32\n> -               if (regs->mstatusH & MSTATUSH_MPV)\n> -#else\n> -#error \"Unexpected __riscv_xlen\"\n> -#endif\n> +               r_ctx->hstatus = hstatus;\n> +\n> +               if (r_ctx->prev_virt)\n>                         hstatus |= HSTATUS_SPV;\n> +               else\n> +                       hstatus &= ~HSTATUS_SPV;\n>\n>                 hstatus &= ~HSTATUS_SPVP;\n> -               if (hstatus & HSTATUS_SPV && regs->mstatus & SSTATUS_SPP)\n> -                               hstatus |= HSTATUS_SPVP;\n> +               if ((hstatus & HSTATUS_SPV) && prev_mode == PRV_S)\n> +                       hstatus |= HSTATUS_SPVP;\n>\n>                 csr_write(CSR_HSTATUS, hstatus);\n>         }\n> +\n> +       i_ctx->flags = sse_interrupted_flags(regs->mstatus);\n>         csr_write(CSR_SEPC, regs->mepc);\n>\n>         /* Setup entry context */\n> @@ -608,6 +626,7 @@ static void sse_event_resume(struct sbi_sse_event *e,\n>                              struct sbi_trap_regs *regs)\n>  {\n>         struct sse_interrupted_state *i_ctx = &e->attrs.interrupted;\n> +       struct sse_resume_state *r_ctx = &e->resume;\n>\n>         regs->mepc = csr_read(CSR_SEPC);\n>\n> 
@@ -616,26 +635,18 @@ static void sse_event_resume(struct sbi_sse_event *e,\n>                 regs->mstatus |= (PRV_S << MSTATUS_MPP_SHIFT);\n>\n>         if (misa_extension('H')) {\n> -               unsigned long hstatus = csr_read(CSR_HSTATUS);\n>  #if __riscv_xlen == 64\n>                 regs->mstatus &= ~MSTATUS_MPV;\n> -               if (hstatus & HSTATUS_SPV)\n> +               if (r_ctx->prev_virt)\n>                         regs->mstatus |= MSTATUS_MPV;\n>  #elif __riscv_xlen == 32\n>                 regs->mstatusH &= ~MSTATUSH_MPV;\n> -               if (hstatus & HSTATUS_SPV)\n> +               if (r_ctx->prev_virt)\n>                         regs->mstatusH |= MSTATUSH_MPV;\n>  #else\n>  #error \"Unexpected __riscv_xlen\"\n>  #endif\n> -               hstatus &= ~(HSTATUS_SPV | HSTATUS_SPVP);\n> -               if (i_ctx->flags & SBI_SSE_ATTR_INTERRUPTED_FLAGS_HSTATUS_SPV)\n> -                       hstatus |= HSTATUS_SPV;\n> -\n> -               if (i_ctx->flags & SBI_SSE_ATTR_INTERRUPTED_FLAGS_HSTATUS_SPVP)\n> -                       hstatus |= HSTATUS_SPVP;\n> -\n> -               csr_write(CSR_HSTATUS, hstatus);\n> +               csr_write(CSR_HSTATUS, r_ctx->hstatus);\n>         }\n>\n>         regs->mstatus &= ~MSTATUS_SIE;\n> --\n> 2.50.1 (Apple Git-155)\n>\n\nRegards,\nAnup","headers":{"Return-Path":"\n <opensbi-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=NaEMIaxm;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=brainfault-org.20251104.gappssmtp.com\n header.i=@brainfault-org.20251104.gappssmtp.com header.a=rsa-sha256\n header.s=20251104 
header.b=iWqp3BhW;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=opensbi-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6Jgx5Qhkz1y04\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 14:57:45 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wIfwY-00000006MUR-1Vkk;\n\tFri, 01 May 2026 04:57:38 +0000","from mail-ot1-x334.google.com ([2607:f8b0:4864:20::334])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wIfwV-00000006MU1-1I9O\n\tfor opensbi@lists.infradead.org;\n\tFri, 01 May 2026 04:57:36 +0000","by mail-ot1-x334.google.com with SMTP id\n 46e09a7af769-7dea1272943so942494a34.0\n        for <opensbi@lists.infradead.org>;\n Thu, 30 Apr 2026 21:57:34 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:Cc:To:Subject:Message-ID:Date:From:\n\tIn-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=Q/ip208lMCRUeQv9Tn3nqAGvj1vc6FN8pQyeiuODHb0=; 
b=NaEMIaxmLWL/AH\n\tvJSk/TCV5WqveLW3aF7nLzBKgoKSN6UCvcZ9818i9317HWt8jlPo53I3/m+jQNaZxp/oX5NTI1CIK\n\tJMkWwstJWjokqVMGCjfNACcJVX8Q+k8JG2hNch5sZlIUW8Nf/QeEHwQ60mn665XGMWYYgQpXKjvJw\n\tKdJREZsqJ6dRfqZx8HreQ8Jfh7chHHIwbOwN/6a5MssD3vpxClp23tx+uSPJXwHIR05C/Z82yBOqD\n\tPZVKlQO5CdvLGTpxbYpLS69qfBkj4sOq0zvKXp70g+A5AHkbWV1aE2zvUxg1rqEZAlBgqqm5yIaNl\n\tn/XQQLcWvpoKqve2e/5g==;","v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=brainfault-org.20251104.gappssmtp.com; s=20251104; t=1777611453;\n x=1778216253; darn=lists.infradead.org;\n        h=content-transfer-encoding:cc:to:subject:message-id:date:from\n         :in-reply-to:references:mime-version:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=eLl+W3VSFanPEAXVwDCNEqr2YbmWrTDUTu+x5wHEo5g=;\n        b=iWqp3BhWxGES77SeME/IgiEVe1I7w/AkLPWFNzKNoHWToPPCsfQR8Fg+8MmwsjrPxx\n         qVBzH31/KoxPRBXFdA2DxUSkaSNCBuKGfBS5u1gTJRRzo8qomdxwc+bwViPkqCSKvJHT\n         zeSyGdxVBZKpSEYAiytI1OA5XjAV/ljhEqHPa9GJ1x/cZVlpqr4nDaO9igjl1Atb2iSA\n         2oBEFPl9A+s+bWa/Z95y/tXQfYSO2APIU6F4mvfd9lLHurlrM3v6QYOpXiRUfEQg9cwh\n         GXVJIrS+wZB4lhEsiJNQQBP9h30CuWWX8ozBSKMJe+pDNrI72fV6R6ycme3iqjPUuIqG\n         gzbg=="],"ARC-Seal":"i=1; a=rsa-sha256; t=1777611453; cv=none;\n        d=google.com; s=arc-20240605;\n        b=kvAH3v46zn9gDolrGguo2GjLr1F2JMMvDGhAZYH1sZH4/vTGWJJvy0CtPKwTQ/lSos\n         DLm0iX2pOJpNH+W+NeoM9G3+xXQW7snPkIIKpkZ6lxotsV3GlfOtBPz4Y/jNCWoFlRKJ\n         X6bAYR9gLdl9dbKDXXl7i2I86r4TYwaDRkNIBABqqRFBv17XSBdEU4lDGfvX9cZU2Sm2\n         iOa/BQnJvj1adWQkcAzxDSvzQaXLK3kV5LoSMEsQX/fVH/ZHtfCbfjP7MS0Dml9Z7Swd\n         OjIsMIrfESwDod7lbtt6Y/B3t3XI8JTepgylXl2tO8lfX+P82xvWa3MIUROEvGw/wq0B\n         ElAw==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n        h=content-transfer-encoding:cc:to:subject:message-id:date:from\n         :in-reply-to:references:mime-version:dkim-signature;\n        bh=eLl+W3VSFanPEAXVwDCNEqr2YbmWrTDUTu+x5wHEo5g=;\n        
fh=0pEOO3D4y0s6z7xFVSlY9efTCsIzLJx0/EMPPyx++SM=;\n        b=InMatad4GLdZUvm2bz10xmkIt5jsJKhCs/1ThgJu9h8HT8Xlw1InqrDnW54Lu40Pgl\n         wweUhIVd4XD/Mb+wGl8kasoS2qZ5wKwsG5tZb3bmfb+07EH0WqRfQrTMeGAehnK0UREq\n         7vfpns/PXkgEa/Zp9Cu+3hOZdvC1nyAHjgm9acALRrKSodnVxJpjDfeI0rteMrc8YtTq\n         ZVdGq30g8rE0+oMjh/NVLgA4bYEQOOFNyZjzfOaMwckOzS9B0GShDUOQB9HDUmAjt+F3\n         L7WKBeOS5trbb6hA+7cEKqVAS1ltNLfXGnFfDSw2RbGSQ8rKbGN+yLje6oZKVGpT14yJ\n         k69Q==;\n        darn=lists.infradead.org","ARC-Authentication-Results":"i=1; mx.google.com; arc=none","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1777611453; x=1778216253;\n        h=content-transfer-encoding:cc:to:subject:message-id:date:from\n         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from\n         :to:cc:subject:date:message-id:reply-to;\n        bh=eLl+W3VSFanPEAXVwDCNEqr2YbmWrTDUTu+x5wHEo5g=;\n        b=fbpvVFgSplkAy3KfDdd7Ia7gGBLA7hkpMtacKRZe/1LFkVaVDf5gvUOqory/IKcpwc\n         7JlOHvaXOMYFmtrNPNjudvQddBtFJRcksfIBIzIZRqPCZpUXgrADf0sYXYALx+DynUGQ\n         DiX38jJiekr7k6O2nkOsljne23ZjrgreyfZHuXKjaSzjcBnQ0l5YStpEdn54EbHi4hi6\n         di3tBHrpFXQmBlfmz9llZEq3AZmQHdaVB5zy2e4eAs2jmrJtVvTttbhNeO6fz/h0zO5X\n         eUWid9bXI9nj9q5tbFw8mzRauwh4Cop0D+0oTDM+IzoIJrj99hTnXC1scoCxim3cw4NT\n         
glvQ==","X-Gm-Message-State":"AOJu0YxfOocunw1gNfR2Lx/sBuiKAmQXcZ9LkFbOfUFI88K/3ZMdheDY\n\t+iIsH4grsTHptEZd55vf5Iprht6r9I0O7XWGsNyRVVTgP3zwlMvzWxpuK+TGy4iy1ghf9ALKbXb\n\tXwTVjELMBS7n20jK7BJ9AmPrYDz63gflB+Jkyk8Eu+g==","X-Gm-Gg":"AeBDiet1jnwKGIF23Hv5RbHn6AJiiczZMYEnNToHhuBgPS9hKXfz8dlvg94TH/z9CAQ\n\tgJOKR3k6xrJPLTjg4B6dMQo+ugC32vOi2PbjQ3X/6rYr2K7lPpys4tH+/q3ZLR+r2F306iHd/eq\n\tjWgmXIFCeYVgZBQde3eQpUYyYd0DJAEIITpptYKXikZhxa0jQaJTWBzMwtesLnLBsH6/nBLJCsy\n\tcAS94S9BtjTrJtCAe+nVP7U1YQ9MUJSVqp0QCIgFuXWjk/x/HDdt/ElRl8CFmHztVNs2iEUSFrV\n\t26nZTrP9yf0YCA1SsxaDh2IyH9nPmU9LgQBqo+dZskmt73bghDidiPT5ch0MNI4fhnGzdKISmSH\n\tuFNWNQMqK9aCG9zoLjMa+ML5CZ/cggNJg5U7CQQ==","X-Received":"by 2002:a05:6820:1690:b0:696:77e2:a8c with SMTP id\n 006d021491bc7-6967a4e1f0emr2804038eaf.16.1777611453469; Thu, 30 Apr 2026\n 21:57:33 -0700 (PDT)","MIME-Version":"1.0","References":"<20260430102313.95249-1-zhangzhanpeng.jasper@bytedance.com>\n <20260430102313.95249-2-zhangzhanpeng.jasper@bytedance.com>","In-Reply-To":"<20260430102313.95249-2-zhangzhanpeng.jasper@bytedance.com>","From":"Anup Patel <anup@brainfault.org>","Date":"Fri, 1 May 2026 10:27:22 +0530","X-Gm-Features":"AVHnY4JvVDplDyzD4lANBPdANCCmix92-EEqwNdtVdfRYSmqVSYxUBbxqNITQp4","Message-ID":"\n <CAAhSdy2q0NZGnXmtKpFX8LtX4GeP3NYBbP2JtRPWkHO3=R8kpQ@mail.gmail.com>","Subject":"Re: [PATCH 1/2] lib: sbi: sse: fix KVM context corruption","To":"Zhanpeng Zhang <zhangzhanpeng.jasper@bytedance.com>","Cc":"opensbi@lists.infradead.org, cleger@rivosinc.com, atishp@atishpatra.org,\n\tcuiyunhui@bytedance.com, yuanzhu@bytedance.com","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260430_215735_626621_74C73F56 ","X-CRM114-Status":"GOOD (  26.74  )","X-Spam-Score":"-1.9 (-)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  
The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  On Thu, Apr 30,\n 2026 at 3:53 PM Zhanpeng Zhang <zhangzhanpeng.jasper@bytedance.com>\n    wrote: > > SSE injection builds a synthetic S-mode context to enter the\n registered\n    > S-mode handler. If the interrup [...]\n Content analysis details:   (-1.9 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/, no\n                             trust\n                             [2607:f8b0:4864:20:0:0:0:334 listed in]\n                             [list.dnswl.org]\n  0.0 SPF_NONE               SPF: sender does not publish an SPF Record\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]","X-BeenThere":"opensbi@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<opensbi.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/opensbi>,\n <mailto:opensbi-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/opensbi/>","List-Post":"<mailto:opensbi@lists.infradead.org>","List-Help":"<mailto:opensbi-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/opensbi>,\n <mailto:opensbi-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Sender":"\"opensbi\" 
<opensbi-bounces@lists.infradead.org>","Errors-To":"opensbi-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"}}]
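Review bot: in the hunk at @@ -70,6 +70,19 @@ (struct sse_resume_state), the comment on `hstatus` should state that the value is only captured when misa_extension('H') is true. `prev_virt` is filled in unconditionally in sse_event_inject(), while `hstatus` is only written inside the H-extension branch, so on a hart without H the field keeps whatever the event allocation left there. The resume path reads it under the same check, so this is harmless today, but say so in the comment (or zero-initialise the field) so a later reader does not come to rely on it.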
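Review bot: in the hunk at @@ -100,6 +113,7 @@ (adding `struct sse_resume_state resume;` to sbi_sse_event), placing the new member right after `attrs` keeps the assert_field_offset() checks on the interrupted.* attributes valid, but `attrs` is the block S-mode reads and writes through the SSE attribute calls. Please confirm the attribute read/write paths are bounded by attribute id and not by the size of sbi_sse_event, since the stated purpose of the new struct is that S-mode must not be able to see or update these fields.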
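Review bot: in the hunk at @@ -552,9 +567,10 @@, deleting `i_ctx->flags = sse_interrupted_flags(regs->mstatus);` here and re-adding it after the SPP/SPIE rewrite and the hstatus write in the following hunk changes what the INTERRUPTED_FLAGS attribute reports: it now describes the synthetic handler-entry context rather than the interrupted one, which is the objection Anup raises above. Keep the capture at its original position, before `regs->mstatus &= ~(MSTATUS_SPP | SSTATUS_SPIE);`. Taking `r_ctx->prev_virt = sbi_regs_from_virt(regs);` at this point, before mstatus is touched, is the right place for that part.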
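Review bot: the hunk at @@ -563,22 +579,24 @@ has two issues. First, `i_ctx->flags = sse_interrupted_flags(regs->mstatus);` now runs after `regs->mstatus` has had SPP/SPIE rewritten and after `csr_write(CSR_HSTATUS, hstatus);`, so if sse_interrupted_flags() derives the HSTATUS_SPV/SPVP flag bits from the live CSR, the attribute will carry the handler-entry values rather than the interrupted ones. Second, the new `else hstatus &= ~HSTATUS_SPV;` is a behaviour change: the old code only ever set SPV and would leave a stale SPV bit in place when the interrupted context was not virtualized. Clearing it looks correct, but the commit message does not mention it and should.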
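Review bot: in the hunk at @@ -616,26 +635,18 @@, dropping the flags-based restore means the HSTATUS_SPV/SPVP bits that S-mode can write into the INTERRUPTED_FLAGS attribute before completion are silently ignored; hstatus is taken entirely from `r_ctx->hstatus`, which S-mode cannot see or change. That conflicts with the requirement Anup states that supervisor software must be able to update any saved/restored state through the SSE attributes. If the whole-CSR restore stays, either fold the attribute's SPV/SPVP bits into `r_ctx->hstatus` before `csr_write(CSR_HSTATUS, r_ctx->hstatus);`, or make the attribute write path reject changes to those two flags so the ABI is at least consistent. Note also that the unconditional write-back discards any hstatus change the S-mode handler made on purpose; the commit message should say so.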