[PATCH 0/2] lib: sbi: sse: fix interrupted context corruption
Zhanpeng Zhang
zhangzhanpeng.jasper at bytedance.com
Thu Apr 30 03:23:11 PDT 2026
SSE `inject` builds a synthetic S-mode context to enter the registered
S-mode handler. After the handler calls `complete`, OpenSBI resumes the
context that was interrupted by the SSE event. That makes the SSE
entry/completion path different from a normal interrupt path: the state
visible while the handler is running is not necessarily the state that
should be restored when the handler completes.

The current code reconstructs part of the interrupted state from the
handler-visible trap state and from the ABI-visible interrupted flags.
That exposes two bugs:

- KVM Context Corruption

  If SSE interrupts KVM guest execution, OpenSBI must restore the
  virtualization state that was active before it entered the S-mode
  handler context. Restoring only hstatus SPV/SPVP is insufficient on
  a virtualization-enabled system because hstatus carries more H-mode
  state. Likewise, MPV must come from the state captured before
  OpenSBI rewrites the trap state for handler entry. Reconstructing
  these values from handler-visible state can corrupt the KVM resume
  context.

  This follows the earlier discussion [1].

- SSE Handler's SSTATUS Leakage

  SSE can interrupt kernel execution at any point and run a complex
  handler. PMU-SSE is a real-world example: with PMU-SSE
  enabled, `perf top` repeatedly enters the SSE handler and completion
  paths at a high frequency. Any synthetic handler SIE/SPIE/SPP state
  that leaks into the SSE-interrupted context is quickly exposed. With
  the previous version, this could resume with mismatched privilege and
  interrupt state and lead to an "environment call from U-mode" panic.

Fix this by adding OpenSBI's private resume-state to `sbi_sse_event`.
This state must persist from `inject` to `complete`, but it must not be
stored in the SSE attributes: the attributes are ABI-visible and can be
updated by the S-mode handler. Patch 1 saves and restores hstatus and
the interrupted virtualization state. Patch 2 saves and restores the
interrupted S-mode SIE/SPIE/SPP bits as a unit.

PATCH 1 is the OpenSBI side of the KVM context corruption fix. The
related Linux side should preserve the kernel stvec in do_sse() to help
protect the virtualization context. I will send the relevant Linux
patchset updates in the near future.

[1] https://lore.kernel.org/r/9290f53d-3545-4299-9781-c1c558f71158@rivosinc.com

Zhanpeng Zhang (2):
  lib: sbi: sse: fix KVM context corruption
  lib: sbi: sse: fix SSE handler sstatus leakage

 lib/sbi/sbi_sse.c | 80 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 47 insertions(+), 33 deletions(-)
--
2.50.1 (Apple Git-155)