[PATCH v3 03/10] KVM: selftests: Add a test to verify APICv updates (while L2 is active)

[PATCH v3 03/10] KVM: selftests: Add a test to verify APICv updates (while L2 is active)
Posted by Sean Christopherson 1 week, 3 days ago
Add a test to verify KVM correctly handles a variety of edge cases related
to APICv updates, and in particular updates that are triggered while L2 is
actively running.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 tools/testing/selftests/kvm/Makefile.kvm      |   1 +
 .../testing/selftests/kvm/include/x86/apic.h  |   4 +
 .../kvm/x86/vmx_apicv_updates_test.c          | 181 ++++++++++++++++++
 3 files changed, 186 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/x86/vmx_apicv_updates_test.c

diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selftests/kvm/Makefile.kvm
index ba5c2b643efa..6f00bd8271c2 100644
--- a/tools/testing/selftests/kvm/Makefile.kvm
+++ b/tools/testing/selftests/kvm/Makefile.kvm
@@ -115,6 +115,7 @@ TEST_GEN_PROGS_x86 += x86/ucna_injection_test
 TEST_GEN_PROGS_x86 += x86/userspace_io_test
 TEST_GEN_PROGS_x86 += x86/userspace_msr_exit_test
 TEST_GEN_PROGS_x86 += x86/vmx_apic_access_test
+TEST_GEN_PROGS_x86 += x86/vmx_apicv_updates_test
 TEST_GEN_PROGS_x86 += x86/vmx_dirty_log_test
 TEST_GEN_PROGS_x86 += x86/vmx_exception_with_invalid_guest_state
 TEST_GEN_PROGS_x86 += x86/vmx_msrs_test
diff --git a/tools/testing/selftests/kvm/include/x86/apic.h b/tools/testing/selftests/kvm/include/x86/apic.h
index 80fe9f69b38d..d42a0998d868 100644
--- a/tools/testing/selftests/kvm/include/x86/apic.h
+++ b/tools/testing/selftests/kvm/include/x86/apic.h
@@ -32,6 +32,7 @@
 #define	APIC_SPIV	0xF0
 #define		APIC_SPIV_FOCUS_DISABLED	(1 << 9)
 #define		APIC_SPIV_APIC_ENABLED		(1 << 8)
+#define	APIC_ISR	0x100
 #define APIC_IRR	0x200
 #define	APIC_ICR	0x300
 #define	APIC_LVTCMCI	0x2f0
@@ -68,6 +69,9 @@
 #define	APIC_TMCCT	0x390
 #define	APIC_TDCR	0x3E0
 
+#define APIC_VECTOR_TO_BIT_NUMBER(v) ((unsigned int)(v) % 32)
+#define APIC_VECTOR_TO_REG_OFFSET(v) ((unsigned int)(v) / 32 * 0x10)
+
 void apic_disable(void);
 void xapic_enable(void);
 void x2apic_enable(void);
diff --git a/tools/testing/selftests/kvm/x86/vmx_apicv_updates_test.c b/tools/testing/selftests/kvm/x86/vmx_apicv_updates_test.c
new file mode 100644
index 000000000000..907d226fd0fd
--- /dev/null
+++ b/tools/testing/selftests/kvm/x86/vmx_apicv_updates_test.c
@@ -0,0 +1,181 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include "test_util.h"
+#include "kvm_util.h"
+#include "processor.h"
+#include "vmx.h"
+
+#define GOOD_IPI_VECTOR 0xe0
+#define BAD_IPI_VECTOR 0xf0
+
+static volatile int good_ipis_received;
+
+static void good_ipi_handler(struct ex_regs *regs)
+{
+	good_ipis_received++;
+}
+
+static void bad_ipi_handler(struct ex_regs *regs)
+{
+	TEST_FAIL("Received \"bad\" IPI; ICR MMIO write should have been ignored");
+}
+
+static void l2_vmcall(void)
+{
+	/*
+	 * Exit to L1.  Assume all registers may be clobbered as selftests's
+	 * VM-Enter code doesn't preserve L2 GPRs.
+	 */
+	asm volatile("push %%rbp\n\t"
+		     "push %%r15\n\t"
+		     "push %%r14\n\t"
+		     "push %%r13\n\t"
+		     "push %%r12\n\t"
+		     "push %%rbx\n\t"
+		     "push %%rdx\n\t"
+		     "push %%rdi\n\t"
+		     "vmcall\n\t"
+		     "pop %%rdi\n\t"
+		     "pop %%rdx\n\t"
+		     "pop %%rbx\n\t"
+		     "pop %%r12\n\t"
+		     "pop %%r13\n\t"
+		     "pop %%r14\n\t"
+		     "pop %%r15\n\t"
+		     "pop %%rbp\n\t"
+		::: "rax", "rcx", "rdx", "rsi", "rdx", "r8", "r9", "r10", "r11", "memory");
+}
+
+static void l2_guest_code(void)
+{
+	x2apic_enable();
+	l2_vmcall();
+
+	xapic_enable();
+	xapic_write_reg(APIC_ID, 1 << 24);
+	l2_vmcall();
+}
+
+static void l1_guest_code(struct vmx_pages *vmx_pages)
+{
+#define L2_GUEST_STACK_SIZE 64
+	unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE];
+	uint32_t control;
+
+	GUEST_ASSERT(prepare_for_vmx_operation(vmx_pages));
+	GUEST_ASSERT(load_vmcs(vmx_pages));
+
+	/* Prepare the VMCS for L2 execution. */
+	prepare_vmcs(vmx_pages, l2_guest_code, &l2_guest_stack[L2_GUEST_STACK_SIZE]);
+	control = vmreadz(CPU_BASED_VM_EXEC_CONTROL);
+	control |= CPU_BASED_USE_MSR_BITMAPS;
+	vmwrite(CPU_BASED_VM_EXEC_CONTROL, control);
+
+	/* Modify APIC ID to coerce KVM into inhibiting APICv. */
+	xapic_enable();
+	xapic_write_reg(APIC_ID, 1 << 24);
+
+	/*
+	 * Generate+receive an IRQ without doing EOI to get an IRQ set in vISR
+	 * but not SVI.  APICv should be inhibited due to running with a
+	 * modified APIC ID.
+	 */
+	xapic_write_reg(APIC_ICR, APIC_DEST_SELF | APIC_DM_FIXED | GOOD_IPI_VECTOR);
+	GUEST_ASSERT_EQ(xapic_read_reg(APIC_ID), 1 << 24);
+
+	/* Enable IRQs and verify the IRQ was received. */
+	sti_nop();
+	GUEST_ASSERT_EQ(good_ipis_received, 1);
+
+	/*
+	 * Run L2 to switch to x2APIC mode, which in turn will uninhibit APICv,
+	 * as KVM should force the APIC ID back to its default.
+	 */
+	GUEST_ASSERT(!vmlaunch());
+	GUEST_ASSERT(vmreadz(VM_EXIT_REASON) == EXIT_REASON_VMCALL);
+	vmwrite(GUEST_RIP, vmreadz(GUEST_RIP) + vmreadz(VM_EXIT_INSTRUCTION_LEN));
+	GUEST_ASSERT(rdmsr(MSR_IA32_APICBASE) & MSR_IA32_APICBASE_EXTD);
+
+	/*
+	 * Scribble the APIC access page to verify KVM disabled xAPIC
+	 * virtualization in vmcs01, and to verify that KVM flushes L1's TLB
+	 * when L2 switches back to accelerated xAPIC mode.
+	 */
+	xapic_write_reg(APIC_ICR2, 0xdeadbeefu);
+	xapic_write_reg(APIC_ICR, APIC_DEST_SELF | APIC_DM_FIXED | BAD_IPI_VECTOR);
+
+	/*
+	 * Verify the IRQ is still in-service and emit an EOI to verify KVM
+	 * propagates the highest vISR vector to SVI when APICv is activated
+	 * (and does so even if APICv was uninhibited while L2 was active).
+	 */
+	GUEST_ASSERT_EQ(x2apic_read_reg(APIC_ISR + APIC_VECTOR_TO_REG_OFFSET(GOOD_IPI_VECTOR)),
+			BIT(APIC_VECTOR_TO_BIT_NUMBER(GOOD_IPI_VECTOR)));
+	x2apic_write_reg(APIC_EOI, 0);
+	GUEST_ASSERT_EQ(x2apic_read_reg(APIC_ISR + APIC_VECTOR_TO_REG_OFFSET(GOOD_IPI_VECTOR)), 0);
+
+	/*
+	 * Run L2 one more time to switch back to xAPIC mode to verify that KVM
+	 * handles the x2APIC => xAPIC transition and inhibits APICv while L2
+	 * is active.
+	 */
+	GUEST_ASSERT(!vmresume());
+	GUEST_ASSERT(vmreadz(VM_EXIT_REASON) == EXIT_REASON_VMCALL);
+	GUEST_ASSERT(!(rdmsr(MSR_IA32_APICBASE) & MSR_IA32_APICBASE_EXTD));
+
+	xapic_write_reg(APIC_ICR, APIC_DEST_SELF | APIC_DM_FIXED | GOOD_IPI_VECTOR);
+	/* Re-enable IRQs, as VM-Exit clears RFLAGS.IF. */
+	sti_nop();
+	GUEST_ASSERT_EQ(good_ipis_received, 2);
+
+	GUEST_ASSERT_EQ(xapic_read_reg(APIC_ISR + APIC_VECTOR_TO_REG_OFFSET(GOOD_IPI_VECTOR)),
+			BIT(APIC_VECTOR_TO_BIT_NUMBER(GOOD_IPI_VECTOR)));
+	xapic_write_reg(APIC_EOI, 0);
+	GUEST_ASSERT_EQ(xapic_read_reg(APIC_ISR + APIC_VECTOR_TO_REG_OFFSET(GOOD_IPI_VECTOR)), 0);
+	GUEST_DONE();
+}
+
+int main(int argc, char *argv[])
+{
+	vm_vaddr_t vmx_pages_gva;
+	struct vmx_pages *vmx;
+	struct kvm_vcpu *vcpu;
+	struct kvm_vm *vm;
+	struct ucall uc;
+
+	TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_VMX));
+
+	vm = vm_create_with_one_vcpu(&vcpu, l1_guest_code);
+
+	vmx = vcpu_alloc_vmx(vm, &vmx_pages_gva);
+	prepare_virtualize_apic_accesses(vmx, vm);
+	vcpu_args_set(vcpu, 2, vmx_pages_gva);
+
+	virt_pg_map(vm, APIC_DEFAULT_GPA, APIC_DEFAULT_GPA);
+	vm_install_exception_handler(vm, BAD_IPI_VECTOR, bad_ipi_handler);
+	vm_install_exception_handler(vm, GOOD_IPI_VECTOR, good_ipi_handler);
+
+	vcpu_run(vcpu);
+	TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO);
+
+	switch (get_ucall(vcpu, &uc)) {
+	case UCALL_ABORT:
+		REPORT_GUEST_ASSERT(uc);
+		/* NOT REACHED */
+	case UCALL_DONE:
+		break;
+	default:
+		TEST_FAIL("Unexpected ucall %lu", uc.cmd);
+	}
+
+	/*
+	 * Verify at least two IRQs were injected.  Unfortunately, KVM counts
+	 * re-injected IRQs (e.g. if delivering the IRQ hits an EPT violation),
+	 * so being more precise isn't possible given the current stats.
+	 */
+	TEST_ASSERT(vcpu_get_stat(vcpu, irq_injections) >= 2,
+		    "Wanted at least 2 IRQ injections, got %lu\n",
+		    vcpu_get_stat(vcpu, irq_injections));
+
+	kvm_vm_free(vm);
+	return 0;
+}
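Review bot: The only precondition in main() is `TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_VMX));`, while every step in l1_guest_code() is described in terms of APICv being inhibited or uninhibited. On a host where APICv is unsupported or disabled, the guest assertions would presumably still hold through KVM's emulated local APIC, so the test could pass without exercising the transitions it is named for. If skipping is acceptable, a second requirement such as `TEST_REQUIRE(get_kvm_intel_param_bool("enable_apicv"));` would make a pass meaningful; if the emulated path is kept on purpose, a comment above the existing TEST_REQUIRE should say so, so that a green result is not read as APICv coverage. Separately, good_ipi_handler() deliberately sends no EOI so that the vector stays in-service for the later ISR checks, which deserves a one-line comment such as `/* No EOI: the test needs the vector left in-service. */`.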
-- 
2.52.0.223.gf5cc29aaa4-goog
Re: [PATCH v3 03/10] KVM: selftests: Add a test to verify APICv updates (while L2 is active)
Posted by Chao Gao 4 days, 4 hours ago
On Fri, Dec 05, 2025 at 03:19:06PM -0800, Sean Christopherson wrote:
>Add a test to verify KVM correctly handles a variety of edge cases related
>to APICv updates, and in particular updates that are triggered while L2 is
>actively running.
>
>Signed-off-by: Sean Christopherson <seanjc@google.com>

Reviewed-by: Chao Gao <chao.gao@intel.com>

A few nits below:

>--- /dev/null
>+++ b/tools/testing/selftests/kvm/x86/vmx_apicv_updates_test.c
>@@ -0,0 +1,181 @@
>+// SPDX-License-Identifier: GPL-2.0-only
>+#include "test_util.h"
>+#include "kvm_util.h"
>+#include "processor.h"
>+#include "vmx.h"
>+
>+#define GOOD_IPI_VECTOR 0xe0
>+#define BAD_IPI_VECTOR 0xf0
>+
>+static volatile int good_ipis_received;
>+
>+static void good_ipi_handler(struct ex_regs *regs)
>+{
>+	good_ipis_received++;
>+}
>+
>+static void bad_ipi_handler(struct ex_regs *regs)
>+{
>+	TEST_FAIL("Received \"bad\" IPI; ICR MMIO write should have been ignored");

Is it OK to use TEST_FAIL() in guest code?

>+}
>+
>+static void l2_vmcall(void)
>+{
>+	/*
>+	 * Exit to L1.  Assume all registers may be clobbered as selftests's
>+	 * VM-Enter code doesn't preserve L2 GPRs.
>+	 */
>+	asm volatile("push %%rbp\n\t"
>+		     "push %%r15\n\t"
>+		     "push %%r14\n\t"
>+		     "push %%r13\n\t"
>+		     "push %%r12\n\t"
>+		     "push %%rbx\n\t"
>+		     "push %%rdx\n\t"
>+		     "push %%rdi\n\t"
>+		     "vmcall\n\t"
>+		     "pop %%rdi\n\t"
>+		     "pop %%rdx\n\t"
>+		     "pop %%rbx\n\t"
>+		     "pop %%r12\n\t"
>+		     "pop %%r13\n\t"
>+		     "pop %%r14\n\t"
>+		     "pop %%r15\n\t"
>+		     "pop %%rbp\n\t"
>+		::: "rax", "rcx", "rdx", "rsi", "rdx", "r8", "r9", "r10", "r11", "memory");
>+}

There's already a vmcall() helper in vmx.h. Why add a new one?

>+int main(int argc, char *argv[])
>+{
>+	vm_vaddr_t vmx_pages_gva;
>+	struct vmx_pages *vmx;
>+	struct kvm_vcpu *vcpu;
>+	struct kvm_vm *vm;
>+	struct ucall uc;
>+
>+	TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_VMX));
>+
>+	vm = vm_create_with_one_vcpu(&vcpu, l1_guest_code);
>+
>+	vmx = vcpu_alloc_vmx(vm, &vmx_pages_gva);
>+	prepare_virtualize_apic_accesses(vmx, vm);
>+	vcpu_args_set(vcpu, 2, vmx_pages_gva);

s/2/1

only one argument here.
Re: [PATCH v3 03/10] KVM: selftests: Add a test to verify APICv updates (while L2 is active)
Posted by Sean Christopherson 3 days, 13 hours ago
On Fri, Dec 12, 2025, Chao Gao wrote:
> On Fri, Dec 05, 2025 at 03:19:06PM -0800, Sean Christopherson wrote:
> >+static void bad_ipi_handler(struct ex_regs *regs)
> >+{
> >+	TEST_FAIL("Received \"bad\" IPI; ICR MMIO write should have been ignored");
> 
> is it ok to use TEST_FAIL() in guest code?

Doh.  Good point.  It'll definitely generate a failure, but not a very helpful one.

> >+static void l2_vmcall(void)
> >+{
> >+	/*
> >+	 * Exit to L1.  Assume all registers may be clobbered as selftests's
> >+	 * VM-Enter code doesn't preserve L2 GPRs.
> >+	 */
> >+	asm volatile("push %%rbp\n\t"
> >+		     "push %%r15\n\t"
> >+		     "push %%r14\n\t"
> >+		     "push %%r13\n\t"
> >+		     "push %%r12\n\t"
> >+		     "push %%rbx\n\t"
> >+		     "push %%rdx\n\t"
> >+		     "push %%rdi\n\t"
> >+		     "vmcall\n\t"
> >+		     "pop %%rdi\n\t"
> >+		     "pop %%rdx\n\t"
> >+		     "pop %%rbx\n\t"
> >+		     "pop %%r12\n\t"
> >+		     "pop %%r13\n\t"
> >+		     "pop %%r14\n\t"
> >+		     "pop %%r15\n\t"
> >+		     "pop %%rbp\n\t"
> >+		::: "rax", "rcx", "rdx", "rsi", "rdx", "r8", "r9", "r10", "r11", "memory");
> >+}
> 
> There's already a vmcall() helper in vmx.h. Why add a new one?

Oh, nice, I somehow missed that.

> >+int main(int argc, char *argv[])
> >+{
> >+	vm_vaddr_t vmx_pages_gva;
> >+	struct vmx_pages *vmx;
> >+	struct kvm_vcpu *vcpu;
> >+	struct kvm_vm *vm;
> >+	struct ucall uc;
> >+
> >+	TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_VMX));
> >+
> >+	vm = vm_create_with_one_vcpu(&vcpu, l1_guest_code);
> >+
> >+	vmx = vcpu_alloc_vmx(vm, &vmx_pages_gva);
> >+	prepare_virtualize_apic_accesses(vmx, vm);
> >+	vcpu_args_set(vcpu, 2, vmx_pages_gva);
> 
> s/2/1
> 
> only one argument here.

Gah.  Thank you!