From nobody Sun Feb 8 17:21:49 2026 Received: from out-184.mta0.migadu.com (out-184.mta0.migadu.com [91.218.175.184]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2633B2EB5B8 for ; Thu, 15 Jan 2026 01:14:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.184 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768439653; cv=none; b=SrGTPs5/w7VMc+yA5Fa3c56V+3ygPY9StD0QXahnnmGeCOSqAgp7yX1LBY5Ax9jKdjChXOp2XYoLLut3ctruHsPsfexjLayuVhysnV6Vmmvoqtr11hpUZz2xNo7JQxE2KkCa24uoH2uINeKrjGiuHQZuq3t1ksnMsBEOlWU7bWo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768439653; c=relaxed/simple; bh=Qlu3Lp54f4zFWXD5cf4zC5yJctkRtLqm+EfogPn9oaU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=exVxUUqJdUMfO9tpHKYKXzjRHbXKs8io03xe2SRhCo81rxd1IKrEPDjMf+ULKtEVf4q5UZDl6huxZ0vcE1o/PdSifR4xeD1cdLUrgZKUoGaQm8LDqNLNTAWqqfAHg7M3wjZHDABen+NAzJVSQhN6mdo0m4sbBhCv3S10e3zwhBs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=qUgFLV2r; arc=none smtp.client-ip=91.218.175.184 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="qUgFLV2r" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1768439649; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AP1xGvQmyw2BkX2nyvuRJpthBoydAPRLydd8FnGb970=; b=qUgFLV2rfN8FQvuqAxEyNeoCsDBwWD4PNDf/mFrtR7JZCJDDwx0mvY7MOmqWz+Ex+m8vQB vytmCx/8iXvVUyeyn3LCdc57pAwX2+eWx64g0ljzZ64jizqouhi2y6Na6LTzRT7xvruuPH KtZVaZYqSTn/YsfkvlcEGE+ptzzUy+A= From: Yosry Ahmed To: Sean Christopherson Cc: Paolo Bonzini , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed Subject: [PATCH v4 24/26] KVM: nSVM: Restrict mapping VMCB12 on nested VMRUN Date: Thu, 15 Jan 2026 01:13:10 +0000 Message-ID: <20260115011312.3675857-25-yosry.ahmed@linux.dev> In-Reply-To: <20260115011312.3675857-1-yosry.ahmed@linux.dev> References: <20260115011312.3675857-1-yosry.ahmed@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" All accesses to the VMCB12 in the guest memory on nested VMRUN are limited to nested_svm_vmrun() and nested_svm_failed_vmrun(). However, the VMCB12 remains mapped throughout nested_svm_vmrun(). Mapping and unmapping around usages is possible, but it becomes easy-ish to introduce bugs where 'vmcb12' is used after being unmapped. Move reading the VMCB12 and copying to cache from nested_svm_vmrun() into a new helper, nested_svm_copy_vmcb12_to_cache(), that maps the VMCB12, caches the needed fields, and unmaps it. Use kvm_vcpu_map_readonly() as only reading the VMCB12 is needed. Similarly, move mapping the VMCB12 on VMRUN failure into nested_svm_failed_vmrun(). Inject a triple fault if the mapping fails, similar to nested_svm_vmexit(). Signed-off-by: Yosry Ahmed --- arch/x86/kvm/svm/nested.c | 55 ++++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 7209bbe19548..ffb741f401d0 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1106,25 +1106,57 @@ static void __nested_svm_vmexit(struct vcpu_svm *sv= m, struct vmcb *vmcb12) kvm_queue_exception(vcpu, DB_VECTOR); } =20 -static void nested_svm_failed_vmrun(struct vcpu_svm *svm, struct vmcb *vmc= b12) +static void nested_svm_failed_vmrun(struct vcpu_svm *svm, u64 vmcb12_gpa) { + struct kvm_vcpu *vcpu =3D &svm->vcpu; + struct kvm_host_map map; + struct vmcb *vmcb12; + int r; + WARN_ON(svm->vmcb =3D=3D svm->nested.vmcb02.ptr); =20 leave_guest_mode(vcpu); =20 + r =3D kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map); + if (r) { + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); + return; + } + + vmcb12 =3D map.hva; vmcb12->control.exit_code =3D SVM_EXIT_ERR; vmcb12->control.exit_code_hi =3D -1u; vmcb12->control.exit_info_1 =3D 0; vmcb12->control.exit_info_2 =3D 0; __nested_svm_vmexit(svm, vmcb12); + + kvm_vcpu_unmap(vcpu, &map); +} + +static int nested_svm_copy_vmcb12_to_cache(struct kvm_vcpu *vcpu, u64 vmcb= 12_gpa) +{ + struct vcpu_svm *svm =3D to_svm(vcpu); + struct kvm_host_map map; + struct vmcb *vmcb12; + int r; + + r =3D kvm_vcpu_map_readonly(vcpu, gpa_to_gfn(vmcb12_gpa), &map); + if (r) + return r; + + vmcb12 =3D map.hva; + + nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); + nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); + + kvm_vcpu_unmap(vcpu, &map); + return 0; } =20 int nested_svm_vmrun(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); int ret; - struct vmcb *vmcb12; - struct kvm_host_map map; u64 vmcb12_gpa; struct vmcb *vmcb01 =3D svm->vmcb01.ptr; =20 @@ -1145,22 +1177,17 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) return ret; } =20 + if (WARN_ON_ONCE(!svm->nested.initialized)) + return -EINVAL; + vmcb12_gpa =3D svm->vmcb->save.rax; - if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) { + if (nested_svm_copy_vmcb12_to_cache(vcpu, vmcb12_gpa)) { kvm_inject_gp(vcpu, 0); return 1; } =20 ret =3D kvm_skip_emulated_instruction(vcpu); =20 - vmcb12 =3D map.hva; - - if (WARN_ON_ONCE(!svm->nested.initialized)) - return -EINVAL; - - nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); - nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); - /* * Since vmcb01 is not in use, we can use it to store some of the L1 * state. @@ -1181,11 +1208,9 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) svm->nmi_l1_to_l2 =3D false; svm->soft_int_injected =3D false; =20 - nested_svm_failed_vmrun(svm, vmcb12); + nested_svm_failed_vmrun(svm, vmcb12_gpa); } =20 - kvm_vcpu_unmap(vcpu, &map); - return ret; } =20 --=20 2.52.0.457.g6b5491de43-goog