Date: Wed, 21 Jan 2026 00:49:04 +0000
In-Reply-To: <20260121004906.2373989-1-chengkev@google.com>
Mime-Version: 1.0
References: <20260121004906.2373989-1-chengkev@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260121004906.2373989-2-chengkev@google.com>
Subject: [PATCH 1/3] KVM: SVM: Fix nested NPF injection to set PFERR_GUEST_{PAGE,FINAL}_MASK
From: Kevin Cheng
To: seanjc@google.com, pbonzini@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, yosry.ahmed@linux.dev, Kevin Cheng
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When KVM emulates an instruction for L2 and encounters a nested page
fault (e.g., during string I/O emulation), nested_svm_inject_npf_exit()
injects an NPF to L1. However, the code incorrectly hardcodes
(1ULL << 32) for exit_info_1's upper bits when the original exit was
not an NPF. This always sets PFERR_GUEST_FINAL_MASK even when the fault
occurred on a page table page, preventing L1 from correctly identifying
the cause of the fault.

Set PFERR_GUEST_PAGE_MASK in the error code when a nested page fault
occurs during a guest page table walk, and PFERR_GUEST_FINAL_MASK when
the fault occurs on the final GPA-to-HPA translation.

Widen error_code in struct x86_exception from u16 to u64 to accommodate
the PFERR_GUEST_* bits (bits 32 and 33).

Update nested_svm_inject_npf_exit() to use fault->error_code directly
instead of hardcoding the upper bits. Also add a WARN_ON_ONCE if neither
PFERR_GUEST_FINAL_MASK nor PFERR_GUEST_PAGE_MASK is set, as this would
indicate a bug in the page fault handling code.

Signed-off-by: Kevin Cheng
---
 arch/x86/kvm/kvm_emulate.h | 2 +-
 arch/x86/kvm/mmu/paging_tmpl.h | 22 ++++++++++------------
 arch/x86/kvm/svm/nested.c | 11 +++++------
 3 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h index fb3dab4b5a53e..ff4f9b0a01ff7 100644 --- a/arch/x86/kvm/kvm_emulate.h +++ b/arch/x86/kvm/kvm_emulate.h 
@@ -22,7 +22,7 @@ enum x86_intercept_stage; struct x86_exception { u8 vector; bool error_code_valid; - u16 error_code; + u64 error_code; bool nested_page_fault; u64 address; /* cr2 or nested page fault gpa */ u8 async_page_fault; diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h index 901cd2bd40b84..923179bfd5c74 100644 --- a/arch/x86/kvm/mmu/paging_tmpl.h +++ b/arch/x86/kvm/mmu/paging_tmpl.h @@ -379,18 +379,12 @@ static int FNAME(walk_addr_generic)(struct guest_walk= er *walker, real_gpa =3D kvm_translate_gpa(vcpu, mmu, gfn_to_gpa(table_gfn), nested_access, &walker->fault); =20 - /* - * FIXME: This can happen if emulation (for of an INS/OUTS - * instruction) triggers a nested page fault. The exit - * qualification / exit info field will incorrectly have - * "guest page access" as the nested page fault's cause, - * instead of "guest page structure access". To fix this, - * the x86_exception struct should be augmented with enough - * information to fix the exit_qualification or exit_info_1 - * fields. - */ - if (unlikely(real_gpa =3D=3D INVALID_GPA)) + if (unlikely(real_gpa =3D=3D INVALID_GPA)) { +#if PTTYPE !=3D PTTYPE_EPT + walker->fault.error_code |=3D PFERR_GUEST_PAGE_MASK; +#endif return 0; + } =20 slot =3D kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa)); if (!kvm_is_visible_memslot(slot)) @@ -446,8 +440,12 @@ static int FNAME(walk_addr_generic)(struct guest_walke= r *walker, #endif =20 real_gpa =3D kvm_translate_gpa(vcpu, mmu, gfn_to_gpa(gfn), access, &walke= r->fault); - if (real_gpa =3D=3D INVALID_GPA) + if (real_gpa =3D=3D INVALID_GPA) { +#if PTTYPE !=3D PTTYPE_EPT + walker->fault.error_code |=3D PFERR_GUEST_FINAL_MASK; +#endif return 0; + } =20 walker->gfn =3D real_gpa >> PAGE_SHIFT; =20 diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index de90b104a0dd5..f8dfd5c333023 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c 
@@ -40,18 +40,17 @@ static void nested_svm_inject_npf_exit(struct kvm_vcpu = *vcpu, struct vmcb *vmcb =3D svm->vmcb; =20 if (vmcb->control.exit_code !=3D SVM_EXIT_NPF) { - /* - * TODO: track the cause of the nested page fault, and - * correctly fill in the high bits of exit_info_1. - */ - vmcb->control.exit_code =3D SVM_EXIT_NPF; - vmcb->control.exit_info_1 =3D (1ULL << 32); + vmcb->control.exit_info_1 =3D fault->error_code; vmcb->control.exit_info_2 =3D fault->address; } =20 + vmcb->control.exit_code =3D SVM_EXIT_NPF; vmcb->control.exit_info_1 &=3D ~0xffffffffULL; vmcb->control.exit_info_1 |=3D fault->error_code; =20 + WARN_ON_ONCE(!(vmcb->control.exit_info_1 & + (PFERR_GUEST_FINAL_MASK | PFERR_GUEST_PAGE_MASK))); + nested_svm_vmexit(svm); } =20 --=20 2.52.0.457.g6b5491de43-goog

Date: Wed, 21 Jan 2026 00:49:05 +0000
In-Reply-To: <20260121004906.2373989-1-chengkev@google.com>
Mime-Version: 1.0
References: <20260121004906.2373989-1-chengkev@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260121004906.2373989-3-chengkev@google.com>
Subject: [PATCH 2/3] KVM: selftests: Add TDP unmap helpers
From: Kevin Cheng
To: seanjc@google.com, pbonzini@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, yosry.ahmed@linux.dev, Kevin Cheng
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add __virt_pg_unmap(), __tdp_unmap(), and tdp_unmap() as counterparts
to the existing __virt_pg_map(), __tdp_map(), and tdp_map() functions.
These helpers allow tests to selectively unmap pages from the TDP/NPT,
enabling testing of NPT faults for unmapped pages.

Signed-off-by: Kevin Cheng
---
 .../selftests/kvm/include/x86/processor.h | 6 +++
 .../testing/selftests/kvm/lib/x86/processor.c | 53 +++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/tools/testing/selftests/kvm/include/x86/processor.h b/tools/te= sting/selftests/kvm/include/x86/processor.h index 6bfffc3b0a332..23ec5030a1d1f 100644 --- a/tools/testing/selftests/kvm/include/x86/processor.h +++ b/tools/testing/selftests/kvm/include/x86/processor.h 
@@ -1487,6 +1487,12 @@ void tdp_map(struct kvm_vm *vm, uint64_t nested_padd= r, uint64_t paddr, uint64_t void tdp_identity_map_default_memslots(struct kvm_vm *vm); void tdp_identity_map_1g(struct kvm_vm *vm, uint64_t addr, uint64_t size); =20 +void __virt_pg_unmap(struct kvm_vm *vm, struct kvm_mmu *mmu, uint64_t vadd= r, + int level); +void __tdp_unmap(struct kvm_vm *vm, uint64_t nested_paddr, uint64_t size, + int level); +void tdp_unmap(struct kvm_vm *vm, uint64_t nested_paddr, uint64_t size); + /* * Basic CPU control in CR0 */ diff --git a/tools/testing/selftests/kvm/lib/x86/processor.c b/tools/testin= g/selftests/kvm/lib/x86/processor.c index ab869a98bbdce..8cb0d74aaa41e 100644 --- a/tools/testing/selftests/kvm/lib/x86/processor.c +++ b/tools/testing/selftests/kvm/lib/x86/processor.c @@ -338,6 +338,40 @@ void virt_map_level(struct kvm_vm *vm, uint64_t vaddr,= uint64_t paddr, } } =20 +void __virt_pg_unmap(struct kvm_vm *vm, struct kvm_mmu *mmu, uint64_t vadd= r, + int level) +{ + uint64_t *pte =3D &mmu->pgd; + int current_level; + + TEST_ASSERT(level >=3D PG_LEVEL_4K && level <=3D mmu->pgtable_levels, + "Invalid level %d", level); + + /* Walk down to target level */ + for (current_level =3D mmu->pgtable_levels; + current_level > level; + current_level--) { + pte =3D virt_get_pte(vm, mmu, pte, vaddr, current_level); + + TEST_ASSERT(is_present_pte(mmu, pte), + "Entry not present at level %d for vaddr 0x%lx", + current_level, vaddr); + TEST_ASSERT(!is_huge_pte(mmu, pte), + "Unexpected huge page at level %d for vaddr 0x%lx", + current_level, vaddr); + } + + /* Get the PTE at target level */ + pte =3D virt_get_pte(vm, mmu, pte, vaddr, level); + + TEST_ASSERT(is_present_pte(mmu, pte), + "Entry not present at level %d for vaddr 0x%lx", + level, vaddr); + + /* Clear the PTE */ + *pte =3D 0; +} + static bool vm_is_target_pte(struct kvm_mmu *mmu, uint64_t *pte, int *level, int current_level) { 
@@ -541,6 +575,25 @@ void tdp_identity_map_1g(struct kvm_vm *vm, uint64_t a= ddr, uint64_t size) __tdp_map(vm, addr, addr, size, PG_LEVEL_1G); } =20 +void __tdp_unmap(struct kvm_vm *vm, uint64_t nested_paddr, uint64_t size, + int level) +{ + size_t page_size =3D PG_LEVEL_SIZE(level); + size_t npages =3D size / page_size; + + TEST_ASSERT(nested_paddr + size > nested_paddr, "Address overflow"); + + while (npages--) { + __virt_pg_unmap(vm, &vm->stage2_mmu, nested_paddr, level); + nested_paddr +=3D page_size; + } +} + +void tdp_unmap(struct kvm_vm *vm, uint64_t nested_paddr, uint64_t size) +{ + __tdp_unmap(vm, nested_paddr, size, PG_LEVEL_4K); +} + /* * Set Unusable Segment * --=20 2.52.0.457.g6b5491de43-goog

Date: Wed, 21 Jan 2026 00:49:06 +0000
In-Reply-To: <20260121004906.2373989-1-chengkev@google.com>
Mime-Version: 1.0
References: <20260121004906.2373989-1-chengkev@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260121004906.2373989-4-chengkev@google.com>
Subject: [PATCH 3/3] KVM: selftests: Add nested NPF injection test for SVM
From: Kevin Cheng
To: seanjc@google.com, pbonzini@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, yosry.ahmed@linux.dev, Kevin Cheng
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a test that exercises nested NPF injection when the original VM
exit was not an NPF. This tests the code path in
nested_svm_inject_npf_exit() where exit_code != SVM_EXIT_NPF.

L2 executes an OUTS instruction with the source address mapped in L2's
page tables but not in L1's NPT. KVM emulates the string I/O, and when
it tries to read the source operand, the GPA->HPA translation fails.
KVM then injects an NPF to L1 even though the original exit was IOIO.

The test verifies that:
- The exit code is converted to SVM_EXIT_NPF
- exit_info_1 has the appropriate PFERR_GUEST_* bit set
- exit_info_2 contains the correct faulting GPA

Two test cases are implemented:
- Test 1: Unmap the final data page from NPT (PFERR_GUEST_FINAL_MASK)
- Test 2: Unmap a PT page from NPT (PFERR_GUEST_PAGE_MASK)

Signed-off-by: Kevin Cheng
---
 tools/testing/selftests/kvm/Makefile.kvm | 1 +
 .../selftests/kvm/x86/svm_nested_npf_test.c | 154 ++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/x86/svm_nested_npf_test.c

diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selft= ests/kvm/Makefile.kvm index e88699e227ddf..8babe6e228e11 100644 --- a/tools/testing/selftests/kvm/Makefile.kvm +++ b/tools/testing/selftests/kvm/Makefile.kvm @@ -112,6 +112,7 @@ TEST_GEN_PROGS_x86 +=3D x86/svm_vmcall_test TEST_GEN_PROGS_x86 +=3D x86/svm_int_ctl_test TEST_GEN_PROGS_x86 +=3D x86/svm_nested_shutdown_test TEST_GEN_PROGS_x86 +=3D x86/svm_nested_soft_inject_test +TEST_GEN_PROGS_x86 +=3D x86/svm_nested_npf_test TEST_GEN_PROGS_x86 +=3D x86/tsc_scaling_sync TEST_GEN_PROGS_x86 +=3D x86/sync_regs_test TEST_GEN_PROGS_x86 +=3D x86/ucna_injection_test 
diff --git a/tools/testing/selftests/kvm/x86/svm_nested_npf_test.c b/tools/= testing/selftests/kvm/x86/svm_nested_npf_test.c new file mode 100644 index 0000000000000..c0a894acbc483 --- /dev/null +++ b/tools/testing/selftests/kvm/x86/svm_nested_npf_test.c 
@@ -0,0 +1,154 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * svm_nested_npf_test + * + * Test nested NPF injection when the original VM exit was not an NPF. + * This exercises nested_svm_inject_npf_exit() with exit_code !=3D SVM_EXI= T_NPF. + * + * L2 executes OUTS with the source address mapped in L2's page tables but + * not in L1's NPT. KVM emulates the string I/O instruction, and when it + * tries to read the source operand, the GPA->HPA translation fails. KVM + * then injects an NPF to L1 even though the original exit was IOIO. + * + * Test 1: Final data page GPA not in NPT (PFERR_GUEST_FINAL_MASK) + * Test 2: Page table page GPA not in NPT (PFERR_GUEST_PAGE_MASK) + * + * Copyright (C) 2025, Google, Inc. + */ + +#include "test_util.h" +#include "kvm_util.h" +#include "processor.h" +#include "svm_util.h" + +#define L2_GUEST_STACK_SIZE 64 + +enum test_type { + TEST_FINAL_PAGE_UNMAPPED, /* Final data page GPA not in NPT */ + TEST_PT_PAGE_UNMAPPED, /* Page table page GPA not in NPT */ +}; + +static void *l2_test_page; + +#define TEST_IO_PORT 0x80 +#define TEST1_VADDR 0x8000000ULL +#define TEST2_VADDR 0x10000000ULL + +/* + * L2 executes OUTS with source at l2_test_page, triggering a nested NPF. + * The address is mapped in L2's page tables, but either the data page or + * a PT page is unmapped from L1's NPT, causing the fault. 
+ */ +static void l2_guest_code(void *unused) +{ + asm volatile("outsb" ::"S"(l2_test_page), "d"(TEST_IO_PORT) : "memory"); + GUEST_ASSERT(0); +} + +static void l1_guest_code(struct svm_test_data *svm, void *expected_fault_= gpa, + uint64_t exit_info_1_mask) +{ + unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE]; + struct vmcb *vmcb =3D svm->vmcb; + + generic_svm_setup(svm, l2_guest_code, + &l2_guest_stack[L2_GUEST_STACK_SIZE]); + + run_guest(vmcb, svm->vmcb_gpa); + + /* Verify we got an NPF exit (converted from IOIO by KVM) */ + __GUEST_ASSERT(vmcb->control.exit_code =3D=3D SVM_EXIT_NPF, + "Expected NPF exit (0x%x), got 0x%lx", SVM_EXIT_NPF, + vmcb->control.exit_code); + + /* Check for PFERR_GUEST_FINAL_MASK or PFERR_GUEST_PAGE_MASK */ + __GUEST_ASSERT(vmcb->control.exit_info_1 & exit_info_1_mask, + "Expected exit_info_1 to have 0x%lx set, got 0x%lx", + (unsigned long)exit_info_1_mask, + (unsigned long)vmcb->control.exit_info_1); + + __GUEST_ASSERT(vmcb->control.exit_info_2 =3D=3D (u64)expected_fault_gpa, + "Expected exit_info_2 =3D 0x%lx, got 0x%lx", + (unsigned long)expected_fault_gpa, + (unsigned long)vmcb->control.exit_info_2); + + GUEST_DONE(); +} + +/* Returns the GPA of the PT page that maps @vaddr. */ +static uint64_t get_pt_gpa_for_vaddr(struct kvm_vm *vm, uint64_t vaddr) +{ + uint64_t *pte; + + pte =3D vm_get_pte(vm, vaddr); + TEST_ASSERT(pte && (*pte & 0x1), "PTE not present for vaddr 0x%lx", + (unsigned long)vaddr); + + return addr_hva2gpa(vm, (void *)((uint64_t)pte & ~0xFFFULL)); +} + +static void run_test(enum test_type type) +{ + vm_paddr_t expected_fault_gpa; + uint64_t exit_info_1_mask; + vm_vaddr_t svm_gva; + + struct kvm_vcpu *vcpu; + struct kvm_vm *vm; + struct ucall uc; + + vm =3D vm_create_with_one_vcpu(&vcpu, l1_guest_code); + vm_enable_npt(vm); + vcpu_alloc_svm(vm, &svm_gva); + + if (type =3D=3D TEST_FINAL_PAGE_UNMAPPED) { + /* + * Test 1: Unmap the final data page from NPT. 
The page table + * walk succeeds, but the final GPA->HPA translation fails. + */ + l2_test_page =3D + (void *)vm_vaddr_alloc(vm, vm->page_size, TEST1_VADDR); + expected_fault_gpa =3D addr_gva2gpa(vm, (vm_vaddr_t)l2_test_page); + exit_info_1_mask =3D PFERR_GUEST_FINAL_MASK; + } else { + /* + * Test 2: Unmap a PT page from NPT. The hardware page table + * walk fails when translating the PT page's GPA through NPT. + */ + l2_test_page =3D + (void *)vm_vaddr_alloc(vm, vm->page_size, TEST2_VADDR); + expected_fault_gpa =3D + get_pt_gpa_for_vaddr(vm, (vm_vaddr_t)l2_test_page); + exit_info_1_mask =3D PFERR_GUEST_PAGE_MASK; + } + + tdp_identity_map_default_memslots(vm); + tdp_unmap(vm, expected_fault_gpa, vm->page_size); + + sync_global_to_guest(vm, l2_test_page); + vcpu_args_set(vcpu, 3, svm_gva, expected_fault_gpa, exit_info_1_mask); + + vcpu_run(vcpu); + + switch (get_ucall(vcpu, &uc)) { + case UCALL_DONE: + break; + case UCALL_ABORT: + REPORT_GUEST_ASSERT(uc); + default: + TEST_FAIL("Unexpected exit reason: %d", vcpu->run->exit_reason); + } + + kvm_vm_free(vm); +} + +int main(int argc, char *argv[]) +{ + TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_SVM)); + TEST_REQUIRE(kvm_cpu_has_npt()); + + run_test(TEST_FINAL_PAGE_UNMAPPED); + run_test(TEST_PT_PAGE_UNMAPPED); + + return 0; +} --=20 2.52.0.457.g6b5491de43-goog
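
Review bot: [PATCH 1/3] arch/x86/kvm/kvm_emulate.h, struct x86_exception: widening error_code to u64 comes with no change to any consumer outside paging_tmpl.h and svm/nested.c (the diffstat lists only these three files), so any code that copies error_code into a narrower exception error code now truncates implicitly. Please confirm each such user drops the upper bits on purpose, for example with lower_32_bits(), and consider placing the field next to `u64 address` so it does not add padding between the two bool members.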
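
Review bot: [PATCH 1/3] arch/x86/kvm/mmu/paging_tmpl.h, walk_addr_generic(): the `#if PTTYPE != PTTYPE_EPT` guard added after each kvm_translate_gpa() failure carries no comment, while the FIXME removed in the first hunk described the problem for both "exit qualification" and "exit info". Add a short comment saying why the PFERR_GUEST_* bits are skipped for the EPT walker, and say in the changelog whether the exit-qualification half of the FIXME is still open; deleting the whole FIXME reads as if both cases were resolved.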
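
Review bot: [PATCH 1/3] arch/x86/kvm/svm/nested.c, nested_svm_inject_npf_exit(): `exit_info_1 &= ~0xffffffffULL` still clears only the low 32 bits, but `exit_info_1 |= fault->error_code` now ORs in a u64 that can carry bit 32 or bit 33. When the original exit was already an NPF, the upper bits left in exit_info_1 are merged with the bit set by the walker, so L1 can be handed PFERR_GUEST_FINAL_MASK and PFERR_GUEST_PAGE_MASK together. Either replace the upper bits too when the fault carries one of them, or OR in only the low 32 bits on that path. The WARN_ON_ONCE checks only that at least one of the two bits is set and would not catch both.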
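
Review bot: [PATCH 2/3] tools/testing/selftests/kvm/lib/x86/processor.c, __virt_pg_unmap(): vaddr is never checked for alignment to the page size of `level`, so an unaligned address passed with a 2M or 1G level silently clears the entry covering a larger range than the caller named. Add a TEST_ASSERT on alignment against PG_LEVEL_SIZE(level), and add a function comment stating that the helper only zeroes the entry (`*pte = 0`) and leaves any handling of already-cached translations to the caller.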
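
Review bot: [PATCH 2/3] tools/testing/selftests/kvm/lib/x86/processor.c, __tdp_unmap(): `npages = size / page_size` rounds down, so a size that is not a multiple of the level's page size leaves the tail mapped without any error, and `nested_paddr + size > nested_paddr` fails for size == 0 with the misleading message "Address overflow". Assert that nested_paddr and size are multiples of page_size, and give the zero-size case its own message or an early return.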
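
Review bot: [PATCH 3/3] tools/testing/selftests/kvm/x86/svm_nested_npf_test.c, l1_guest_code(): `vmcb->control.exit_info_1 & exit_info_1_mask` proves only that the expected bit is set. An exit_info_1 with both PFERR_GUEST_FINAL_MASK and PFERR_GUEST_PAGE_MASK set passes both test cases, so a regression that sets the wrong extra bit goes unnoticed. Compare exit_info_1 masked with (PFERR_GUEST_FINAL_MASK | PFERR_GUEST_PAGE_MASK) for equality with exit_info_1_mask instead. Separately, `case UCALL_ABORT:` in run_test() runs into `default:` with no break or fallthrough annotation.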