[PATCH v2] RISC-V: KVM: Document a TOCTOU race in SBI system suspend handler
Jiakai Xu
xujiakai2025 at iscas.ac.cn
Sun May 24 18:36:42 PDT 2026
The SUSP handler checks that all other vCPUs are stopped before
entering system suspend, but a concurrent HSM HART_START can start
a vCPU after it has already passed the check.
This is a known TOCTOU race. We do not fix it because:
1. Triggering it requires a pathological guest.
2. Only guest state is at risk, not host integrity.
3. Userspace can double-check vCPU states before suspend.
Add a comment documenting the race and the rationale for not fixing it.
Signed-off-by: Jiakai Xu <jiakaiPeanut at gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025 at iscas.ac.cn>
Assisted-by: YuanSheng:DeepSeek-V3.2
---
V1 -> V2:
- Replaced the fix with a comment.
Link: https://lore.kernel.org/linux-riscv/20260521142030.1560861-1-xujiakai2025@iscas.ac.cn/t/#u
---
arch/riscv/kvm/vcpu_sbi_system.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/arch/riscv/kvm/vcpu_sbi_system.c b/arch/riscv/kvm/vcpu_sbi_system.c
index c6f7e609ac794..6f64a59e5d3c4 100644
--- a/arch/riscv/kvm/vcpu_sbi_system.c
+++ b/arch/riscv/kvm/vcpu_sbi_system.c
@@ -35,6 +35,20 @@ static int kvm_sbi_ext_susp_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
return 0;
}
+ /*
+ * Check that all other vCPUs are stopped before entering
+ * system suspend.
+ *
+ * There is a known TOCTOU race here: a concurrent HSM
+ * HART_START on another vCPU can start a vCPU after it
+ * has already passed this check, violating the invariant.
+ *
+ * We do not fix this because:
+ * 1. Triggering the race requires a pathological guest.
+ * 2. Only guest state is at risk, not host integrity.
+ * 3. Userspace can double-check vCPU states before
+ * proceeding with suspend.
+ */
kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
if (tmp == vcpu)
continue;
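Review bot: the new comment says a late HART_START ends up "violating the invariant" but never names the invariant, and this comment is now the only place the rationale for leaving the race lives; please state it explicitly (e.g. "the invariant that no other vCPU is running once the system enters suspend") and, for point 2, spell out what "guest state is at risk" means in practice so a reader can judge whether point 3 (userspace double-checking vCPU states before proceeding) is enough for their VMM. It would also help to name the HSM HART_START path the comment refers to, since the race partner is not visible from this function.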
--
2.34.1