On 9/22/25 00:52, gregkh@linuxfoundation.org wrote:
This is a note to let you know that I've just added the patch titled
x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
to the 6.12-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch and it can be found in the queue-6.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
Maybe I didn't use the tag correctly, but I put 6.16.x on the stable tag to indicate that the patch only applied to 6.16 and above. Before 6.16, there isn't a stub version of the function, so all of those releases are fine.
So this patch doesn't need to be part of the 6.12 stable tree.
Thanks, Tom
From stable+bounces-180849-greg=kroah.com@vger.kernel.org Mon Sep 22 01:18:07 2025
From: Sasha Levin sashal@kernel.org
Date: Sun, 21 Sep 2025 19:17:59 -0400
Subject: x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT
To: stable@vger.kernel.org
Cc: Tom Lendacky thomas.lendacky@amd.com, "Borislav Petkov (AMD)" bp@alien8.de, stable@kernel.org, Sasha Levin sashal@kernel.org
Message-ID: 20250921231759.3033314-1-sashal@kernel.org
From: Tom Lendacky thomas.lendacky@amd.com
[ Upstream commit 7f830e126dc357fc086905ce9730140fd4528d66 ]
The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV.
CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef.
Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation")
Signed-off-by: Tom Lendacky thomas.lendacky@amd.com
Signed-off-by: Borislav Petkov (AMD) bp@alien8.de
Cc: stable@kernel.org # 6.16.x
Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.175770895...
[ Move sev_evict_cache() out of shared.c ]
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
 arch/x86/coco/sev/shared.c | 18 ------------------
 arch/x86/include/asm/sev.h | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 18 deletions(-)
--- a/arch/x86/coco/sev/shared.c +++ b/arch/x86/coco/sev/shared.c @@ -1243,24 +1243,6 @@ static void svsm_pval_terminate(struct s __pval_terminate(pfn, action, page_size, ret, svsm_ret); } -static inline void sev_evict_cache(void *va, int npages) -{
- volatile u8 val __always_unused;
- u8 *bytes = va;
- int page_idx;
- /*
* For SEV guests, a read from the first/last cache-lines of a 4K page
* using the guest key is sufficient to cause a flush of all cache-lines
* associated with that 4K page without incurring all the overhead of a
* full CLFLUSH sequence.
*/
- for (page_idx = 0; page_idx < npages; page_idx++) {
val = bytes[page_idx * PAGE_SIZE];
val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
- }
-}
static void svsm_pval_4k_page(unsigned long paddr, bool validate) { struct svsm_pvalidate_call *pc; --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -400,6 +400,24 @@ u64 sev_get_status(void); void sev_show_status(void); void snp_update_svsm_ca(void); +static inline void sev_evict_cache(void *va, int npages) +{
- volatile u8 val __always_unused;
- u8 *bytes = va;
- int page_idx;
- /*
* For SEV guests, a read from the first/last cache-lines of a 4K page
* using the guest key is sufficient to cause a flush of all cache-lines
* associated with that 4K page without incurring all the overhead of a
* full CLFLUSH sequence.
*/
- for (page_idx = 0; page_idx < npages; page_idx++) {
val = bytes[page_idx * PAGE_SIZE];
val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
- }
+}
#else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -435,6 +453,7 @@ static inline u64 snp_get_unsupported_fe static inline u64 sev_get_status(void) { return 0; } static inline void sev_show_status(void) { } static inline void snp_update_svsm_ca(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */
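Review bot: in the arch/x86/coco/sev/shared.c hunk, the removed sev_evict_cache() sits between svsm_pval_terminate() and svsm_pval_4k_page() with no CONFIG_KVM_AMD_SEV guard and no stub visible in the context, so the changelog's failure case (a guest built with CONFIG_KVM_AMD_SEV=n getting the stub) is not something this hunk shows being fixed. Given the "Cc: stable@kernel.org # 6.16.x" annotation, the backport note "[ Move sev_evict_cache() out of shared.c ]" should say what is wrong in this tree and why the move is needed here, or the patch should not be queued for it.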
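Review bot: in the arch/x86/include/asm/sev.h hunk at @@ -400, the reads at bytes[page_idx * PAGE_SIZE] and bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1] only land on the first and last cache lines of each 4K page when va is 4K-aligned, and nothing in the function states or checks that precondition. Now that the helper is in a shared header rather than file-local in shared.c, extend the comment to say that va must be page-aligned and mapped for npages pages, so a new caller does not rely on the eviction with a pointer for which the comment's guarantee does not apply.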
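Review bot: in the arch/x86/include/asm/sev.h hunk at @@ -435, the new stub is written "sev_evict_cache(void *va, int npages) {}" while the stubs directly above it, sev_show_status() and snp_update_svsm_ca(), use "{ }" with a space. Match the surrounding style so the !CONFIG_AMD_MEM_ENCRYPT block stays consistent.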
Patches currently in stable-queue which might be from sashal@kernel.org are
queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch
queue-6.12/crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
queue-6.12/asoc-wm8940-correct-pll-rate-rounding.patch
queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch
queue-6.12/x86-sev-guard-sev_evict_cache-with-config_amd_mem_encrypt.patch
queue-6.12/mptcp-pm-nl-announce-deny-join-id0-flag.patch
queue-6.12/drm-bridge-anx7625-fix-null-pointer-dereference-with.patch
queue-6.12/asoc-sof-intel-hda-stream-fix-incorrect-variable-use.patch
queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch
queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch
queue-6.12/nvme-fix-pi-insert-on-write.patch
queue-6.12/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch
queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch
queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch
queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch
queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch
queue-6.12/usb-xhci-remove-option-to-change-a-default-ring-s-trb-cycle-bit.patch
queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch
queue-6.12/io_uring-fix-incorrect-io_kiocb-reference-in-io_link.patch
queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch
queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch
queue-6.12/drm-xe-tile-release-kobject-for-the-failure-path.patch
queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch
queue-6.12/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch
queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch
queue-6.12/usb-xhci-introduce-macro-for-ring-segment-list-iteration.patch
queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch
queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch
queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch
queue-6.12/drm-bridge-cdns-mhdp8546-fix-missing-mutex-unlock-on.patch
queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch
queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch
queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch
queue-6.12/drm-xe-fix-a-null-vs-is_err-in-xe_vm_add_compute_exe.patch
queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch
queue-6.12/mm-gup-check-ref_count-instead-of-lru-before-migration.patch
queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch
queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch
queue-6.12/smb-client-let-smbd_destroy-call-disable_work_sync-i.patch
queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch
queue-6.12/xhci-dbc-decouple-endpoint-allocation-from-initialization.patch
queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch
queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch
queue-6.12/smb-client-fix-filename-matching-of-deferred-files.patch
queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch
queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch
queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch
queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch
queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch
queue-6.12/asoc-wm8974-correct-pll-rate-rounding.patch
queue-6.12/mm-add-folio_expected_ref_count-for-reference-count-calculation.patch
queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch
queue-6.12/asoc-intel-catpt-expose-correct-bit-depth-to-userspa.patch
queue-6.12/asoc-wm8940-correct-typo-in-control-name.patch
queue-6.12/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch