Date: Thu, 17 Aug 2023 16:34:29 -0700
In-Reply-To: <20230817233430.1416463-1-seanjc@google.com>
References: <20230817233430.1416463-1-seanjc@google.com>
Message-ID: <20230817233430.1416463-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: selftests: Reload "good" vCPU state if vCPU hits shutdown
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj

Reload known good vCPU state if the vCPU triple faults in any of the race_sync_regs() subtests, e.g. if KVM successfully injects an exception (the vCPU isn't configured to handle exceptions).

On Intel, the VMCS is preserved even after shutdown, but AMD's APM states that the VMCB is undefined after a shutdown and so KVM synthesizes an INIT to sanitize vCPU/VMCB state, e.g. to guard against running with a garbage VMCB. The synthetic INIT results in the vCPU never exiting to userspace, as it gets put into Real Mode at the reset vector, which is full of zeros (as is GPA 0 and beyond), and so executes ADD for a very, very long time.

Fixes: 60c4063b4752 ("KVM: selftests: Extend x86's sync_regs_test to check for event vector races")
Cc: Michal Luczaj
Signed-off-by: Sean Christopherson
---
 .../testing/selftests/kvm/x86_64/sync_regs_test.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
index 93fac74ca0a7..21e99dae2ff2 100644
--- a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
+++ b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
@@ -152,6 +152,7 @@ static noinline void *race_sregs_cr4(void *arg) static void race_sync_regs(void *racer) { const time_t TIMEOUT =3D 2; /* seconds, roughly */ + struct kvm_x86_state *state; struct kvm_translation tr; struct kvm_vcpu *vcpu; struct kvm_run *run;
@@ -166,6 +167,9 @@ static void race_sync_regs(void *racer) vcpu_run(vcpu); run->kvm_valid_regs =3D 0; =20 + /* Save state *before* spawning the thread that mucks with vCPU state. */ + state =3D vcpu_save_state(vcpu); + /* * Selftests run 64-bit guests by default, both EFER.LME and CR4.PAE * should already be set in guest state. @@ -179,7 +183,14 @@ static void race_sync_regs(void *racer) TEST_ASSERT_EQ(pthread_create(&thread, NULL, racer, (void *)run), 0); =20 for (t =3D time(NULL) + TIMEOUT; time(NULL) < t;) { - __vcpu_run(vcpu); + /* + * Reload known good state if the vCPU triple faults, e.g. due + * to the unhandled #GPs being injected. VMX preserves state + * on shutdown, but SVM synthesizes an INIT as the VMCB state + * is architecturally undefined on triple fault. + */ + if (!__vcpu_run(vcpu) && run->exit_reason =3D=3D KVM_EXIT_SHUTDOWN) + vcpu_load_state(vcpu, state); =20 if (racer =3D=3D race_sregs_cr4) { tr =3D (struct kvm_translation) { .linear_address =3D 0 }; 
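Review bot: the reload added in the `for (t =3D time(NULL) + TIMEOUT; ...)` hunk is silent, so a run in which every iteration triple faults and spends the 2-second window inside vcpu_load_state() is indistinguishable from one that actually exercised the race; consider counting the `run->exit_reason =3D=3D KVM_EXIT_SHUTDOWN` reloads and reporting (or bounding) that count before the racer thread is cancelled. Testing `exit_reason` only when `__vcpu_run()` returns 0 is the right order, since a KVM_RUN that fails outright does not update `run->exit_reason` and the stale value from the previous successful exit would otherwise trigger a spurious reload.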
@@ -190,6 +201,7 @@ static void race_sync_regs(void *racer) TEST_ASSERT_EQ(pthread_cancel(thread), 0); TEST_ASSERT_EQ(pthread_join(thread, NULL), 0); =20 + kvm_x86_state_cleanup(state); kvm_vm_free(vm); } =20
--
2.42.0.rc1.204.g551eb34607-goog


Date: Thu, 17 Aug 2023 16:34:30 -0700
In-Reply-To: <20230817233430.1416463-1-seanjc@google.com>
References: <20230817233430.1416463-1-seanjc@google.com>
Message-ID: <20230817233430.1416463-3-seanjc@google.com>
Subject: [PATCH 2/2] KVM: selftests: Explicit set #UD when *potentially* injecting exception
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj

Explicitly set the exception vector to #UD when potentially injecting an exception in sync_regs_test's subtests that try to detect TOCTOU bugs in KVM's handling of exceptions injected by userspace.

A side effect of the original KVM bug was that KVM would clear the vector, but relying on KVM to clear the vector (i.e. make it #DE) makes it less likely that the test would ever find *new* KVM bugs, e.g. because only the first iteration would run with a legal vector to start.

Explicitly inject #UD for race_events_inj_pen() as well, e.g. so that it doesn't inherit the illegal 255 vector from race_events_exc(), which currently runs first.

Signed-off-by: Sean Christopherson
---
 tools/testing/selftests/kvm/x86_64/sync_regs_test.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
index 21e99dae2ff2..00965ba33f73 100644
--- a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
+++ b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
@@ -91,6 +91,8 @@ static void *race_events_inj_pen(void *arg) struct kvm_run *run =3D (struct kvm_run *)arg; struct kvm_vcpu_events *events =3D &run->s.regs.events; =20 + WRITE_ONCE(events->exception.nr, UD_VECTOR); + for (;;) { WRITE_ONCE(run->kvm_dirty_regs, KVM_SYNC_X86_EVENTS); WRITE_ONCE(events->flags, 0);
@@ -115,6 +117,7 @@ static void *race_events_exc(void *arg) for (;;) { WRITE_ONCE(run->kvm_dirty_regs, KVM_SYNC_X86_EVENTS); WRITE_ONCE(events->flags, 0); + WRITE_ONCE(events->exception.nr, UD_VECTOR); WRITE_ONCE(events->exception.pending, 1); WRITE_ONCE(events->exception.nr, 255); =20
--
2.42.0.rc1.204.g551eb34607-goog
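Review bot: in the race_events_exc() hunk, `WRITE_ONCE(events->exception.nr, UD_VECTOR);` followed two stores later by `WRITE_ONCE(events->exception.nr, 255);` reads like a dead store to anyone without the commit message at hand, and a later cleanup could well drop it; add a one-line comment in the loop stating that the legal vector must be in place at the moment `exception.pending` flips to 1 and that the 255 store is the other half of the TOCTOU window being probed. The race_events_inj_pen() hunk sets the vector once, before its loop, rather than on every iteration as race_events_exc() does; a short comment there on why once is enough would make that asymmetry read as deliberate.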