From nobody Mon Feb 9 01:45:43 2026
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Jim Mattson, Naveen N Rao, "Maciej S . Szmigiero"
Reply-To: Sean Christopherson
Date: Tue, 3 Feb 2026 11:07:09 -0800
In-Reply-To: <20260203190711.458413-1-seanjc@google.com>
References: <20260203190711.458413-1-seanjc@google.com>
Message-ID: <20260203190711.458413-2-seanjc@google.com>
Subject: [PATCH 1/2] KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.53.0.rc2.204.g2597b5adb4-goog

Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled
in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the
vCPU could activate AVIC at any point in its lifecycle.

Configuring the VMCB if and only if AVIC is active "works" purely because of
optimizations in kvm_create_lapic() to speculatively set apicv_active if AVIC
is enabled *and* to defer updates until the first KVM_RUN. In quotes because
KVM likely won't do the right thing if kvm_apicv_activated() is false, i.e.
if a vCPU is created while APICv is inhibited at the VM level for whatever
reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is
handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to vendor
code due to seeing "apicv_active == activate".

Cleaning up the initialization code will also allow fixing a bug where KVM
incorrectly leaves CR8 interception enabled when AVIC is activated without
creating a mess with respect to whether AVIC is activated or not.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson
Reviewed-by: Jim Mattson
Reviewed-by: Naveen N Rao (AMD)
---
 arch/x86/kvm/svm/avic.c | 2 +-
 arch/x86/kvm/svm/svm.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index f92214b1a938..44e07c27b190 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -368,7 +368,7 @@ void avic_init_vmcb(struct vcpu_svm *svm, struct vmcb *= vmcb) vmcb->control.avic_physical_id =3D __sme_set(__pa(kvm_svm->avic_physical_= id_table)); vmcb->control.avic_vapic_bar =3D APIC_DEFAULT_PHYS_BASE; =20 - if (kvm_apicv_activated(svm->vcpu.kvm)) + if (kvm_vcpu_apicv_active(&svm->vcpu)) avic_activate_vmcb(svm); else avic_deactivate_vmcb(svm); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 5f0136dbdde6..e8313fdc5465 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
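Review bot: with init_vmcb() now calling avic_init_vmcb() whenever AVIC is merely possible for the VM, the `else avic_deactivate_vmcb(svm);` branch becomes the normal path for a vCPU created while APICv is inhibited, and the initial VMCB state is decided by the per-vCPU apicv_active flag that the commit message says kvm_create_lapic() sets speculatively; a one-line comment above `if (kvm_vcpu_apicv_active(&svm->vcpu))` stating that the per-vCPU state, not the VM-wide inhibit, is authoritative here would stop a future cleanup from "simplifying" it back to kvm_apicv_activated(). The commit message's own caveat (a vCPU created while the VM-wide inhibit is set, with the inhibit lifted before KVM_REQ_APICV_UPDATE is processed) is left unresolved by this hunk, so a TODO at this spot pointing at that case would help whoever picks it up.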
@@ -1189,7 +1189,7 @@ static void init_vmcb(struct kvm_vcpu *vcpu, bool ini= t_event) if (guest_cpu_cap_has(vcpu, X86_FEATURE_ERAPS)) svm->vmcb->control.erap_ctl |=3D ERAP_CONTROL_ALLOW_LARGER_RAP; =20 - if (kvm_vcpu_apicv_active(vcpu)) + if (enable_apicv && irqchip_in_kernel(vcpu->kvm)) avic_init_vmcb(svm, vmcb); =20 if (vnmi) --=20 2.53.0.rc2.204.g2597b5adb4-goog
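Review bot: `enable_apicv && irqchip_in_kernel(vcpu->kvm)` is now the predicate for "AVIC could ever be active for this vCPU", replacing the per-vCPU kvm_vcpu_apicv_active(vcpu) check; if the same pair of conditions is tested elsewhere in svm.c or avic.c, pulling it into a small helper would keep the callers from drifting apart (no such helper is visible in the patch, so the name is the author's call). Note also that init_vmcb() is the INIT path as well (the init_event parameter is visible in the hunk header), so avic_init_vmcb() now re-derives the AVIC fields on every INIT regardless of the current inhibit state; that is the behaviour the commit message wants, but it deserves a sentence in the avic_init_vmcb() comment.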
From nobody Mon Feb 9 01:45:43 2026
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Jim Mattson, Naveen N Rao, "Maciej S . Szmigiero"
Reply-To: Sean Christopherson
Date: Tue, 3 Feb 2026 11:07:10 -0800
In-Reply-To: <20260203190711.458413-1-seanjc@google.com>
References: <20260203190711.458413-1-seanjc@google.com>
Message-ID: <20260203190711.458413-3-seanjc@google.com>
Subject: [PATCH 2/2] KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.53.0.rc2.204.g2597b5adb4-goog

Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is activated.
E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain
intercepted in perpetuity.

On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM: Sync
TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling
intercept is fatal to Windows guests as the TPR seen by hardware gets wildly
out of sync with reality.

Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this is
firmly an SVM implementation flaw/detail.

WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.

Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC")
Cc: stable@vger.kernel.org
Cc: Jim Mattson
Cc: Naveen N Rao (AMD)
Cc: Maciej S. Szmigiero
Signed-off-by: Sean Christopherson
Reviewed-by: Jim Mattson
Reviewed-by: Naveen N Rao (AMD)
---
 arch/x86/kvm/svm/avic.c | 6 ++++--
 arch/x86/kvm/svm/svm.c  | 9 +++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index 44e07c27b190..13a4a8949aba 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -189,12 +189,12 @@ static void avic_activate_vmcb(struct vcpu_svm *svm) struct kvm_vcpu *vcpu =3D &svm->vcpu; =20 vmcb->control.int_ctl &=3D ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK); - vmcb->control.avic_physical_id &=3D ~AVIC_PHYSICAL_MAX_INDEX_MASK; vmcb->control.avic_physical_id |=3D avic_get_max_physical_id(vcpu); - vmcb->control.int_ctl |=3D AVIC_ENABLE_MASK; =20 + svm_clr_intercept(svm, INTERCEPT_CR8_WRITE); + /* * Note: KVM supports hybrid-AVIC mode, where KVM emulates x2APIC MSR * accesses, while interrupt injection to a running vCPU can be @@ -226,6 +226,8 @@ static void avic_deactivate_vmcb(struct vcpu_svm *svm) vmcb->control.int_ctl &=3D ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK); vmcb->control.avic_physical_id &=3D ~AVIC_PHYSICAL_MAX_INDEX_MASK; =20 + svm_set_intercept(svm, INTERCEPT_CR8_WRITE); + /* * If running nested and the guest uses its own MSR bitmap, there * is no need to update L0's msr bitmap diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index e8313fdc5465..aa3ab22215f5 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -1077,8 +1077,7 @@ static void init_vmcb(struct kvm_vcpu *vcpu, bool ini= t_event) svm_set_intercept(svm, INTERCEPT_CR0_WRITE); svm_set_intercept(svm, INTERCEPT_CR3_WRITE); svm_set_intercept(svm, INTERCEPT_CR4_WRITE); - if (!kvm_vcpu_apicv_active(vcpu)) - svm_set_intercept(svm, INTERCEPT_CR8_WRITE); + svm_set_intercept(svm, INTERCEPT_CR8_WRITE); =20 set_dr_intercepts(svm); =20 @@ -2674,9 +2673,11 @@ static int dr_interception(struct kvm_vcpu *vcpu) =20 static int cr8_write_interception(struct kvm_vcpu *vcpu) { - int r; - u8 cr8_prev =3D kvm_get_cr8(vcpu); + int r; + + WARN_ON_ONCE(kvm_vcpu_apicv_active(vcpu)); + /* instruction emulation calls kvm_set_cr8() */ r =3D cr_interception(vcpu); if (lapic_in_kernel(vcpu)) --=20 2.53.0.rc2.204.g2597b5adb4-goog
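Review bot: in the avic_activate_vmcb() hunk the two `-` markers appear to delete `vmcb->control.avic_physical_id &= ~AVIC_PHYSICAL_MAX_INDEX_MASK;` and `vmcb->control.int_ctl |= AVIC_ENABLE_MASK;`, which would leave AVIC never enabled; the hunk header (`-189,12 +189,12` with exactly two `+` lines) and the diffstat (`avic.c | 6 ++++--`, two deletions for the whole file) only add up if the deleted lines are the two empty lines that preceded those statements and the rendering ran each `-` together with the following line, so anyone applying this from the rendered text should use the raw patch. On the substance, the new `svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);` acts on svm's intercept state while the rest of the function writes through a separate `vmcb` pointer; please confirm the intercept is cleared in the same VMCB that receives AVIC_ENABLE_MASK, since the two are updated via different objects.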
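Review bot: `svm_set_intercept(svm, INTERCEPT_CR8_WRITE);` in avic_deactivate_vmcb() sits just above the existing comment that special-cases a nested guest using its own MSR bitmap; the CR8 intercept raises the same nested question as that MSR bitmap (does a currently active L2 VMCB pick up the new intercept, or is it recomputed when switching back to vmcb01?), and a short comment recording the answer would save the next reader from re-deriving it. It would also help to state in one place why CR8 writes are intercepted only while AVIC is off (with AVIC active the guest's TPR lives in the VMCB's V_TPR, per the V_TPR sync fix the commit message cites), since that rationale currently exists only in the changelog.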
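Review bot: making `svm_set_intercept(svm, INTERCEPT_CR8_WRITE);` unconditional in init_vmcb() is only correct because avic_init_vmcb(), which runs later in the same function (the `if (enable_apicv && irqchip_in_kernel(vcpu->kvm))` call site from patch 1), clears it again via avic_activate_vmcb() when the vCPU starts with AVIC active; that ordering is implicit and roughly a hundred lines away, so a comment at the set such as "cleared by avic_activate_vmcb() if AVIC is active" would document the dependency. VMs with enable_apicv off or without an in-kernel APIC never reach the clear and keep CR8 intercepted, which is the intended result.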
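Review bot: `WARN_ON_ONCE(kvm_vcpu_apicv_active(vcpu));` in cr8_write_interception() is the right assertion for the invariant, but it only holds if apicv_active cannot change between the #VMEXIT and the handler running on the same vCPU thread; patch 1's changelog says APICv updates are deferred to KVM_REQ_APICV_UPDATE processing in KVM_RUN, i.e. on that thread, so it should be stable, and a one-line comment saying so would pre-empt the question. The move of `u8 cr8_prev = kvm_get_cr8(vcpu);` above `int r;` is a cosmetic declaration-ordering change bundled with a stable-tagged fix; it is harmless, but worth a mention in the changelog or a split if minimal backport diffs are preferred.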
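The INIT-while-inhibited sequence described in the commit message, replayed as an added C model that is not KVM code and not part of the patch: the struct, the single intercept_cr8_write flag standing in for the VMCB intercept bitmap, and the bit positions of AVIC_ENABLE_MASK and X2APIC_MODE_MASK are all assumptions chosen for illustration. The "old" functions follow the pre-patch logic (init_vmcb() sets the CR8 intercept only when APICv is inactive and (de)activation never touches it); the "fixed" functions follow the two patches (unconditional set in init_vmcb(), clear on activate, set on deactivate), and cr8_intercept_consistent() is the invariant the new WARN_ON_ONCE() in cr8_write_interception() checks.

```c
/*
 * Added example: a model of the AVIC / CR8-write-intercept transitions from
 * the two patches above. Not KVM code; names mirror the patch but the
 * struct layout, the bool-instead-of-bitmap intercept and the mask bit
 * positions are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define AVIC_ENABLE_MASK (1u << 31) /* assumed bit position, illustrative */
#define X2APIC_MODE_MASK (1u << 30) /* assumed bit position, illustrative */

struct vmcb_model {
	uint32_t int_ctl;
	bool intercept_cr8_write; /* stands in for INTERCEPT_CR8_WRITE in the bitmap */
};

struct vcpu_model {
	struct vmcb_model vmcb;
	bool apicv_active; /* what kvm_vcpu_apicv_active() would report */
};

/* Pre-patch behaviour: (de)activation leaves the CR8 intercept alone. */
static void avic_activate_old(struct vcpu_model *v)
{
	v->vmcb.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
	v->vmcb.int_ctl |= AVIC_ENABLE_MASK;
}

static void avic_deactivate_old(struct vcpu_model *v)
{
	v->vmcb.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
}

static void init_vmcb_old(struct vcpu_model *v)
{
	v->vmcb.int_ctl = 0;
	v->vmcb.intercept_cr8_write = !v->apicv_active; /* set iff APICv inactive */
	if (v->apicv_active)
		avic_activate_old(v);
	else
		avic_deactivate_old(v);
}

/* Patched behaviour: (de)activation owns the CR8 intercept. */
static void avic_activate_fixed(struct vcpu_model *v)
{
	v->vmcb.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
	v->vmcb.int_ctl |= AVIC_ENABLE_MASK;
	v->vmcb.intercept_cr8_write = false; /* svm_clr_intercept(INTERCEPT_CR8_WRITE) */
}

static void avic_deactivate_fixed(struct vcpu_model *v)
{
	v->vmcb.int_ctl &= ~(AVIC_ENABLE_MASK | X2APIC_MODE_MASK);
	v->vmcb.intercept_cr8_write = true; /* svm_set_intercept(INTERCEPT_CR8_WRITE) */
}

static void init_vmcb_fixed(struct vcpu_model *v)
{
	v->vmcb.int_ctl = 0;
	v->vmcb.intercept_cr8_write = true; /* unconditional, as in patch 2 */
	if (v->apicv_active)
		avic_activate_fixed(v);
	else
		avic_deactivate_fixed(v);
}

/* Invariant behind the new WARN_ON_ONCE(): never AVIC on and CR8 intercepted. */
static bool cr8_intercept_consistent(const struct vcpu_model *v)
{
	bool avic_on = (v->vmcb.int_ctl & AVIC_ENABLE_MASK) != 0;

	return !(avic_on && v->vmcb.intercept_cr8_write);
}

/*
 * Replay the changelog's scenario: VMCB (re)initialised while AVIC is
 * deactivated (e.g. emulated INIT), then the inhibit is lifted and AVIC
 * activated. Returns true if the VMCB ends up consistent.
 */
static bool replay_init_then_activate(bool fixed)
{
	struct vcpu_model v = { .apicv_active = false };

	if (fixed)
		init_vmcb_fixed(&v);
	else
		init_vmcb_old(&v);

	v.apicv_active = true; /* inhibit removed */
	if (fixed)
		avic_activate_fixed(&v);
	else
		avic_activate_old(&v);

	return cr8_intercept_consistent(&v);
}

/* Symmetry check for the patched path: deactivation must restore the intercept. */
static bool fixed_deactivate_restores_intercept(void)
{
	struct vcpu_model v = { .apicv_active = true };
	bool cleared_on_activate;

	init_vmcb_fixed(&v);
	cleared_on_activate = !v.vmcb.intercept_cr8_write;

	v.apicv_active = false; /* inhibit set */
	avic_deactivate_fixed(&v);

	return cleared_on_activate && v.vmcb.intercept_cr8_write &&
	       cr8_intercept_consistent(&v);
}

int main(void)
{
	printf("old:   %s\n", replay_init_then_activate(false) ? "consistent" : "CR8 intercept dangling");
	printf("fixed: %s\n", replay_init_then_activate(true) ? "consistent" : "CR8 intercept dangling");
	printf("fixed deactivate restores intercept: %s\n",
	       fixed_deactivate_restores_intercept() ? "yes" : "no");
	return 0;
}
```

The old path reports the dangling intercept exactly as the changelog describes: init_vmcb_old() sets the intercept because APICv was inactive, and avic_activate_old() never clears it, so the guest runs with AVIC enabled and CR8 writes still trapping. In the fixed path the intercept is owned entirely by the (de)activate helpers, so the unconditional set in init_vmcb_fixed() is safe regardless of which state the vCPU starts in.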