From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed, stable@vger.kernel.org
Subject: [PATCH v4 05/26] KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT
Date: Thu, 15 Jan 2026 01:12:51 +0000
Message-ID: <20260115011312.3675857-6-yosry.ahmed@linux.dev>
In-Reply-To: <20260115011312.3675857-1-yosry.ahmed@linux.dev>
References: <20260115011312.3675857-1-yosry.ahmed@linux.dev>

KVM currently injects a #GP and hopes for the best if mapping VMCB12 fails
on nested #VMEXIT, and only if the failure mode is -EINVAL. Mapping the
VMCB12 could also fail if creating host mappings fails.

After the #GP is injected, nested_svm_vmexit() bails early, without
cleaning up (e.g. KVM_REQ_GET_NESTED_STATE_PAGES is set, is_guest_mode()
is true, etc).

Move mapping VMCB12 a bit later, after leaving guest mode and clearing
KVM_REQ_GET_NESTED_STATE_PAGES, right before the VMCB12 is actually used.
Instead of optionally injecting a #GP, triple fault the guest if mapping
VMCB12 fails since KVM cannot make a sane recovery. The APM states that a
#VMEXIT will triple fault if host state is illegal or an exception occurs
while loading host state, so the behavior is not entirely made up.

Also update the WARN_ON() in svm_get_nested_state_pages() to
WARN_ON_ONCE() to avoid future user-triggerable bugs spamming kernel logs
and potentially causing issues.

Fixes: cf74a78b229d ("KVM: SVM: Add VMEXIT handler and intercepts")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/nested.c | 25 +++++++++++-------------
 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 5f9c5ccc4783..593f7005cdc7 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1127,24 +1127,14 @@ void svm_copy_vmloadsave_state(struct vmcb *to_vmcb= , struct vmcb *from_vmcb) int nested_svm_vmexit(struct vcpu_svm *svm) { struct kvm_vcpu *vcpu =3D &svm->vcpu; + gpa_t vmcb12_gpa =3D svm->nested.vmcb12_gpa; struct vmcb *vmcb01 =3D svm->vmcb01.ptr; struct vmcb *vmcb02 =3D svm->nested.vmcb02.ptr; struct vmcb *vmcb12; struct kvm_host_map map; - int rc; - - rc =3D kvm_vcpu_map(vcpu, gpa_to_gfn(svm->nested.vmcb12_gpa), &map); - if (rc) { - if (rc =3D=3D -EINVAL) - kvm_inject_gp(vcpu, 0); - return 1; - } - - vmcb12 =3D map.hva; =20 /* Exit Guest-Mode */ leave_guest_mode(vcpu); - svm->nested.vmcb12_gpa =3D 0; WARN_ON_ONCE(svm->nested.nested_run_pending); =20 kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu); @@ -1152,8 +1142,16 @@ int nested_svm_vmexit(struct vcpu_svm *svm) /* in case we halted in L2 */ kvm_set_mp_state(vcpu, KVM_MP_STATE_RUNNABLE); =20 + svm->nested.vmcb12_gpa =3D 0; + + if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) { + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); + return 1; + } + /* Give the current vmcb to the guest */ =20 + vmcb12 =3D map.hva; vmcb12->save.es =3D vmcb02->save.es; vmcb12->save.cs =3D vmcb02->save.cs; vmcb12->save.ss =3D vmcb02->save.ss; @@ -1311,8 +1309,7 @@ int nested_svm_vmexit(struct vcpu_svm *svm) =20 nested_svm_uninit_mmu_context(vcpu); =20 - rc =3D nested_svm_load_cr3(vcpu, vmcb01->save.cr3, false, true); - if (rc) + if (nested_svm_load_cr3(vcpu, vmcb01->save.cr3, false, true)) return 1; =20 /* @@ -1947,7 +1944,7 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu, =20 static bool svm_get_nested_state_pages(struct kvm_vcpu *vcpu) { - if (WARN_ON(!is_guest_mode(vcpu))) + if (WARN_ON_ONCE(!is_guest_mode(vcpu))) return true; =20 if (!vcpu->arch.pdptrs_from_userspace && --=20 2.52.0.457.g6b5491de43-goog
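Review bot: In the second hunk (@@ -1152,8 +1142,16 @@), the new failure path requests KVM_REQ_TRIPLE_FAULT and returns 1 after leave_guest_mode() and kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES) have already run but before the vmcb02-to-vmcb12 state copy and the remainder of nested_svm_vmexit(), so the vCPU is left with its nested state only partially torn down. The commit message's argument that no sane recovery exists is fair, but a one-line comment above `if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) {` saying that the triple fault is relied upon to take the vCPU down and that no further cleanup is attempted would stop the next reader from hunting for a missing vmcb01 restore. Snapshotting `gpa_t vmcb12_gpa = svm->nested.vmcb12_gpa;` up front is required here because `svm->nested.vmcb12_gpa = 0;` now executes immediately before the map; that ordering is fine for the triple-fault case but is worth a comment for the same reason.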
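Review bot: The final hunk (@@ -1947,7 +1944,7 @@) changing `WARN_ON(!is_guest_mode(vcpu))` to `WARN_ON_ONCE(!is_guest_mode(vcpu))` in svm_get_nested_state_pages() is a separate logical change from relocating the VMCB12 map; the message does cover it ("Also update ..."), but since this patch carries a Fixes: tag and is CC'd to stable, splitting the WARN_ON_ONCE() rate-limiting into its own patch would keep the backport minimal and make the stable fix easier to review in isolation.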