From: Jiakai Xu Date: Mon, 25 May 2026 01:36:42 +0000 (+0000) Subject: RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ce31a1ee2a1ed61f6d42308633f9bed717f5348b;p=thirdparty%2Fkernel%2Flinux.git RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler The SUSP handler checks that all other vCPUs are stopped before entering system suspend, but a concurrent HSM HART_START can start a vCPU after it has already passed the check. This is a known TOCTOU race. We do not fix it because: 1. Triggering it requires a pathological guest. 2. Only guest state is at risk, not host integrity. 3. Userspace can double-check vCPU states before suspend. Add a comment documenting the race and the rationale for not fixing it. Signed-off-by: Jiakai Xu Signed-off-by: Jiakai Xu Assisted-by: YuanSheng:DeepSeek-V3.2 Reviewed-by: Andrew Jones Link: https://lore.kernel.org/r/20260525013642.999187-1-xujiakai2025@iscas.ac.cn Signed-off-by: Anup Patel --- diff --git a/arch/riscv/kvm/vcpu_sbi_system.c b/arch/riscv/kvm/vcpu_sbi_system.c index c6f7e609ac79..6f64a59e5d3c 100644 --- a/arch/riscv/kvm/vcpu_sbi_system.c +++ b/arch/riscv/kvm/vcpu_sbi_system.c @@ -35,6 +35,20 @@ static int kvm_sbi_ext_susp_handler(struct kvm_vcpu *vcpu, struct kvm_run *run, return 0; } + /* + * Check that all other vCPUs are stopped before entering + * system suspend. + * + * There is a known TOCTOU race here: a concurrent HSM + * HART_START on another vCPU can start a vCPU after it + * has already passed this check, violating the invariant. + * + * We do not fix this because: + * 1. Triggering the race requires a pathological guest. + * 2. Only guest state is at risk, not host integrity. + * 3. Userspace can double-check vCPU states before + * proceeding with suspend. + */ kvm_for_each_vcpu(i, tmp, vcpu->kvm) { if (tmp == vcpu) continue;
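Review bot: in the new comment block, rationale item 1 ("Triggering the race requires a pathological guest") does not carry weight as a security argument on its own, because an adversarial guest is the normal threat model for a hypervisor; the claim that actually justifies leaving the race in place is item 2, that only guest state and not host integrity is affected. The comment would be stronger if it said what the guest-visible consequence of the violated invariant is, so that anyone later extending kvm_sbi_ext_susp_handler with additional host-side effects after the kvm_for_each_vcpu() check knows the decision must be revisited. Item 3 ("Userspace can double-check vCPU states before proceeding with suspend") is a contract with userspace that lives only in this comment; consider also recording that expectation where VMM authors would look, such as the KVM documentation for the SBI SUSP extension, rather than in the handler alone.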