From nobody Sat Feb 7 07:24:35 2026
Reply-To: Sean Christopherson
Date: Fri, 23 Jan 2026 14:15:40 -0800
In-Reply-To: <20260123221542.2498217-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20260123221542.2498217-1-seanjc@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260123221542.2498217-2-seanjc@google.com>
Subject: [PATCH 1/3] KVM: x86: Finalize kvm_cpu_caps setup from {svm,vmx}_set_cpu_caps()
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Jim Mattson
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Explicitly finalize kvm_cpu_caps as part of each vendor's setup flow to fix
a bug where clearing SHSTK and IBT due to lack of CET XFEATURE support makes
kvm-intel.ko unloadable when nested=1. The late clearing results in
nested_vmx_setup_{entry,exit}_ctls() clearing VM_{ENTRY,EXIT}_LOAD_CET_STATE
when nested_vmx_setup_ctls_msrs() runs during the CPU compatibility checks,
ultimately leading to a mismatched VMCS config due to the reference config
having the CET bits set, but every CPU's "local" config having the bits
cleared.

Note, kvm_caps.supported_{xcr0,xss} are unconditionally initialized by
kvm_x86_vendor_init(), before calling into vendor code, and not referenced
between ops->hardware_setup() and their current/old location.

Fixes: 69cc3e886582 ("KVM: x86: Add XSS support for CET_KERNEL and CET_USER")
Cc: stable@vger.kernel.org
Cc: Mathias Krause
Cc: John Allen
Cc: Rick Edgecombe
Cc: Chao Gao
Cc: Binbin Wu
Cc: Xiaoyao Li
Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 arch/x86/kvm/cpuid.c   | 21 +++++++++++++++++++--
 arch/x86/kvm/cpuid.h   |  3 ++-
 arch/x86/kvm/svm/svm.c |  4 +++-
 arch/x86/kvm/vmx/vmx.c |  4 +++-
 arch/x86/kvm/x86.c     | 14 --------------
 arch/x86/kvm/x86.h     |  2 ++
 6 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 575244af9c9f..267e59b405c1 100644 --- a/arch/x86/kvm/cpuid.c 
+++ b/arch/x86/kvm/cpuid.c @@ -826,7 +826,7 @@ do { \ /* DS is defined by ptrace-abi.h on 32-bit builds. */ #undef DS =20 -void kvm_set_cpu_caps(void) +void kvm_initialize_cpu_caps(void) { memset(kvm_cpu_caps, 0, sizeof(kvm_cpu_caps)); =20 @@ -1289,7 +1289,24 @@ void kvm_set_cpu_caps(void) kvm_cpu_cap_clear(X86_FEATURE_RDPID); } } -EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_set_cpu_caps); +EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_initialize_cpu_caps); + +void kvm_finalize_cpu_caps(void) +{ + if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) + kvm_caps.supported_xss =3D 0; + + if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && + !kvm_cpu_cap_has(X86_FEATURE_IBT)) + kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; + + if ((kvm_caps.supported_xss & XFEATURE_MASK_CET_ALL) !=3D XFEATURE_MASK_C= ET_ALL) { + kvm_cpu_cap_clear(X86_FEATURE_SHSTK); + kvm_cpu_cap_clear(X86_FEATURE_IBT); + kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; + } +} +EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_finalize_cpu_caps); =20 #undef F #undef SCATTERED_F diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h index d3f5ae15a7ca..3b0b4b1adb97 100644 --- a/arch/x86/kvm/cpuid.h +++ b/arch/x86/kvm/cpuid.h @@ -8,7 +8,8 @@ #include =20 extern u32 kvm_cpu_caps[NR_KVM_CPU_CAPS] __read_mostly; -void kvm_set_cpu_caps(void); +void kvm_initialize_cpu_caps(void); +void kvm_finalize_cpu_caps(void); =20 void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu); struct kvm_cpuid_entry2 *kvm_find_cpuid_entry2(struct kvm_cpuid_entry2 *en= tries, diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7803d2781144..0c23fcaedcc5 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -5305,7 +5305,7 @@ static __init void svm_adjust_mmio_mask(void) =20 static __init void svm_set_cpu_caps(void) { - kvm_set_cpu_caps(); + kvm_initialize_cpu_caps(); =20 kvm_caps.supported_perf_cap =3D 0; =20 
@@ -5387,6 +5387,8 @@ static __init void svm_set_cpu_caps(void) */ kvm_cpu_cap_clear(X86_FEATURE_BUS_LOCK_DETECT); kvm_cpu_cap_clear(X86_FEATURE_MSR_IMM); + + kvm_finalize_cpu_caps(); } =20 static __init int svm_hardware_setup(void) diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 27acafd03381..7d373e32ea9c 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -8173,7 +8173,7 @@ static __init u64 vmx_get_perf_capabilities(void) =20 static __init void vmx_set_cpu_caps(void) { - kvm_set_cpu_caps(); + kvm_initialize_cpu_caps(); =20 /* CPUID 0x1 */ if (nested) @@ -8230,6 +8230,8 @@ static __init void vmx_set_cpu_caps(void) kvm_cpu_cap_clear(X86_FEATURE_SHSTK); kvm_cpu_cap_clear(X86_FEATURE_IBT); } + + kvm_finalize_cpu_caps(); } =20 static bool vmx_is_io_intercepted(struct kvm_vcpu *vcpu, diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 8acfdfc583a1..36385e6aebfa 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -220,7 +220,6 @@ static DEFINE_PER_CPU(struct kvm_user_return_msrs, user= _return_msrs); | XFEATURE_MASK_BNDCSR | XFEATURE_MASK_AVX512 \ | XFEATURE_MASK_PKRU | XFEATURE_MASK_XTILE) =20 -#define XFEATURE_MASK_CET_ALL (XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_= KERNEL) /* * Note, KVM supports exposing PT to the guest, but does not support conte= xt * switching PT via XSTATE (KVM's PT virtualization relies on perf; swappi= ng 
@@ -10138,19 +10137,6 @@ int kvm_x86_vendor_init(struct kvm_x86_init_ops *o= ps) if (!tdp_enabled) kvm_caps.supported_quirks &=3D ~KVM_X86_QUIRK_IGNORE_GUEST_PAT; =20 - if (!kvm_cpu_cap_has(X86_FEATURE_XSAVES)) - kvm_caps.supported_xss =3D 0; - - if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) && - !kvm_cpu_cap_has(X86_FEATURE_IBT)) - kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; - - if ((kvm_caps.supported_xss & XFEATURE_MASK_CET_ALL) !=3D XFEATURE_MASK_C= ET_ALL) { - kvm_cpu_cap_clear(X86_FEATURE_SHSTK); - kvm_cpu_cap_clear(X86_FEATURE_IBT); - kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; - } - if (kvm_caps.has_tsc_control) { /* * Make sure the user can only configure tsc_khz values that diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 70e81f008030..9edfac5d5ffb 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -483,6 +483,8 @@ extern struct kvm_host_values kvm_host; extern bool enable_pmu; extern bool enable_mediated_pmu; =20 +#define XFEATURE_MASK_CET_ALL (XFEATURE_MASK_CET_USER | XFEATURE_MASK_CET_= KERNEL) + /* * Get a filtered version of KVM's supported XCR0 that strips out dynamic * features for which the current process doesn't (yet) have permission to= use. --=20 2.52.0.457.g6b5491de43-goog
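
Review bot: kvm_finalize_cpu_caps(), added in the arch/x86/kvm/cpuid.c hunk of patch 1/3, has no comment documenting its ordering contract: it has to run after every vendor-specific kvm_cpu_cap_set()/kvm_cpu_cap_clear() and before anything that consumes kvm_cpu_caps, which per the changelog includes nested_vmx_setup_ctls_msrs(). Both call sites in this patch put it on the last line of {svm,vmx}_set_cpu_caps(), but nothing in the code says why, so a later change that appends a cap adjustment after the call would reintroduce the late-clearing problem the changelog describes. A short comment above the function would cover it, and it should also mention that the function adjusts kvm_caps.supported_xss, which the name does not suggest.
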
From nobody Sat Feb 7 07:24:35 2026
Reply-To: Sean Christopherson
Date: Fri, 23 Jan 2026 14:15:41 -0800
In-Reply-To: <20260123221542.2498217-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20260123221542.2498217-1-seanjc@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260123221542.2498217-3-seanjc@google.com>
Subject: [PATCH 2/3] KVM: x86: Harden against unexpected adjustments to kvm_cpu_caps
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Jim Mattson
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a flag to track when KVM is actively configuring its CPU caps, and
WARN if a cap is set or cleared if KVM isn't in its configuration stage.
Modifying CPU caps after {svm,vmx}_set_cpu_caps() can be fatal to KVM, as
vendor setup code expects the CPU caps to be frozen at that point, e.g.
will do additional configuration based on the caps.

Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 arch/x86/kvm/cpuid.c | 8 ++++++++
 arch/x86/kvm/cpuid.h | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 267e59b405c1..2f01511135c2 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -36,6 +36,9 @@ u32 kvm_cpu_caps[NR_KVM_CPU_CAPS] __read_mostly; EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_cpu_caps); =20 +bool kvm_is_configuring_cpu_caps __read_mostly; +EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_is_configuring_cpu_caps); + struct cpuid_xstate_sizes { u32 eax; u32 ebx; 
@@ -830,6 +833,9 @@ void kvm_initialize_cpu_caps(void) { memset(kvm_cpu_caps, 0, sizeof(kvm_cpu_caps)); =20 + WARN_ON_ONCE(kvm_is_configuring_cpu_caps); + kvm_is_configuring_cpu_caps =3D true; + BUILD_BUG_ON(sizeof(kvm_cpu_caps) - (NKVMCAPINTS * sizeof(*kvm_cpu_caps))= > sizeof(boot_cpu_data.x86_capability)); =20 @@ -1305,6 +1311,8 @@ void kvm_finalize_cpu_caps(void) kvm_cpu_cap_clear(X86_FEATURE_IBT); kvm_caps.supported_xss &=3D ~XFEATURE_MASK_CET_ALL; } + + kvm_is_configuring_cpu_caps =3D false; } EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_finalize_cpu_caps); =20 diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h index 3b0b4b1adb97..07175dff24d6 100644 --- a/arch/x86/kvm/cpuid.h +++ b/arch/x86/kvm/cpuid.h @@ -8,6 +8,8 @@ #include =20 extern u32 kvm_cpu_caps[NR_KVM_CPU_CAPS] __read_mostly; +extern bool kvm_is_configuring_cpu_caps __read_mostly; + void kvm_initialize_cpu_caps(void); void kvm_finalize_cpu_caps(void); =20 @@ -189,6 +191,7 @@ static __always_inline void kvm_cpu_cap_clear(unsigned = int x86_feature) { unsigned int x86_leaf =3D __feature_leaf(x86_feature); =20 + WARN_ON_ONCE(!kvm_is_configuring_cpu_caps); kvm_cpu_caps[x86_leaf] &=3D ~__feature_bit(x86_feature); } =20 
@@ -196,6 +199,7 @@ static __always_inline void kvm_cpu_cap_set(unsigned in= t x86_feature) { unsigned int x86_leaf =3D __feature_leaf(x86_feature); =20 + WARN_ON_ONCE(!kvm_is_configuring_cpu_caps); kvm_cpu_caps[x86_leaf] |=3D __feature_bit(x86_feature); } =20 --=20 2.52.0.457.g6b5491de43-goog
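
Review bot: nothing reports a missed finalize during the same module load, because kvm_is_configuring_cpu_caps is only cleared on the last line of kvm_finalize_cpu_caps() (the arch/x86/kvm/cpuid.c hunk at @@ -1305 in patch 2/3). If a vendor's set_cpu_caps path never reaches that call, the flag stays true and the new WARN_ON_ONCE(!kvm_is_configuring_cpu_caps) checks in kvm_cpu_cap_set() and kvm_cpu_cap_clear() stay silent for every later modification. The only check that would notice is WARN_ON_ONCE(kvm_is_configuring_cpu_caps) in kvm_initialize_cpu_caps(), which runs on the next initialization at the earliest. Consider asserting that the flag is false once ops->hardware_setup() has returned in kvm_x86_vendor_init().
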
From nobody Sat Feb 7 07:24:35 2026
Reply-To: Sean Christopherson
Date: Fri, 23 Jan 2026 14:15:42 -0800
In-Reply-To: <20260123221542.2498217-1-seanjc@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20260123221542.2498217-1-seanjc@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260123221542.2498217-4-seanjc@google.com>
Subject: [PATCH 3/3] KVM: VMX: Print out "bad" offsets+value on VMCS config mismatch
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Mathias Krause, John Allen, Rick Edgecombe, Chao Gao, Binbin Wu, Xiaoyao Li, Jim Mattson
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When kvm-intel.ko refuses to load due to a mismatched VMCS config, print
all mismatching offsets+values to make it easier to debug goofs during
development, and to make it at least feasible to triage failures that
occur during production. E.g. if a physical core is flaky or is running
with the "wrong" microcode patch loaded, then a CPU can get a legitimate
mismatch even without KVM bugs.

Print the mismatches as 32-bit values as a compromise between hand coding
every field (to provide precise information) and printing individual bytes
(requires more effort to deduce the mismatch bit(s)). All fields in the
VMCS config are either 32-bit or 64-bit values, i.e. in many cases,
printing 32-bit values will be 100% precise, and in the others it's close
enough, especially when considering that MSR values are split into EDX:EAX
anyways.

E.g. on mismatch CET entry/exit controls, KVM will print:

  kvm_intel: VMCS config on CPU 0 doesn't match reference config:
    Offset 76 REF = 0x107fffff, CPU0 = 0x007fffff, mismatch = 0x10000000
    Offset 84 REF = 0x0010f3ff, CPU0 = 0x0000f3ff, mismatch = 0x00100000

Opportunistically tweak the wording on the initial error message to say
"mismatch" instead of "inconsistent", as the VMCS config itself isn't
inconsistent, and the wording conflates the cross-CPU compatibility check
with the error_on_inconsistent_vmcs_config knob that treats inconsistent
VMCS configurations as errors (e.g. if a CPU supports CET entry controls
but no CET exit controls).

Cc: Jim Mattson
Signed-off-by: Sean Christopherson
Reviewed-by: Chao Gao
---
 arch/x86/kvm/vmx/vmx.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 7d373e32ea9c..700a8c47b4ca 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2962,8 +2962,22 @@ int vmx_check_processor_compat(void) } if (nested) nested_vmx_setup_ctls_msrs(&vmcs_conf, vmx_cap.ept); + if (memcmp(&vmcs_config, &vmcs_conf, sizeof(struct vmcs_config))) { - pr_err("Inconsistent VMCS config on CPU %d\n", cpu); + u32 *gold =3D (void *)&vmcs_config; + u32 *mine =3D (void *)&vmcs_conf; + int i; + + BUILD_BUG_ON(sizeof(struct vmcs_config) % sizeof(u32)); + + pr_err("VMCS config on CPU %d doesn't match reference config:\n", cpu); + for (i =3D 0; i < sizeof(struct vmcs_config) / sizeof(u32); i++) { + if (gold[i] =3D=3D mine[i]) + continue; + + pr_cont(" Offset %lu REF =3D 0x%08x, CPU%u =3D 0x%08x, mismatch =3D 0x= %08x\n", + i * sizeof(u32), gold[i], cpu, mine[i], gold[i] ^ mine[i]); + } return -EIO; } return 0; --=20 2.52.0.457.g6b5491de43-goog
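
Review bot: the pr_cont() format in the new loop prints i * sizeof(u32) with %lu, but that expression has type size_t, whose matching specifier is %zu; %lu is only correct where size_t happens to be unsigned long. The same call prints cpu with %u while the pr_err() just above uses %d for the same variable, and the loop compares the int i against a size_t bound, so declaring i as unsigned int or size_t would keep the types consistent. Separately, each mismatch line is emitted with pr_cont() after a message that already ended in a newline, so those lines do not inherit the error level of the header line; using pr_err() per line would keep them at error level, at the cost of repeating the kvm_intel: prefix that the changelog's sample output omits.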