The SUSP handler checks that all other vCPUs are stopped before
entering system suspend, but a concurrent HSM HART_START can start
a vCPU after it has already passed the check.
This is a known TOCTOU race. We do not fix it because:
1. Triggering it requires a pathological guest.
2. Only guest state is at risk, not host integrity.
3. Userspace can double-check vCPU states before suspend.
Add a comment documenting the race and the rationale for not fixing it.
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: YuanSheng:DeepSeek-V3.2
Reviewed-by: Andrew Jones <andrew.jones@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260525013642.999187-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
return 0;
}
+ /*
+ * Check that all other vCPUs are stopped before entering
+ * system suspend.
+ *
+ * There is a known TOCTOU race here: a concurrent HSM
+ * HART_START on another vCPU can start a vCPU after it
+ * has already passed this check, violating the invariant.
+ *
+ * We do not fix this because:
+ * 1. Triggering the race requires a pathological guest.
+ * 2. Only guest state is at risk, not host integrity.
+ * 3. Userspace can double-check vCPU states before
+ * proceeding with suspend.
+ */
kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
if (tmp == vcpu)
continue;
projects / thirdparty / kernel / linux.git / commitdiff
