From nobody Sat Feb 7 15:12:38 2026 Received: from out-188.mta0.migadu.com (out-188.mta0.migadu.com [91.218.175.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C2BEA44104E for ; Fri, 6 Feb 2026 19:09:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.188 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770404991; cv=none; b=Gr3omLXxFeV6IXij4txLtGpUX6U+eGxKeAA1i4qWDOiU7+mozSDsI9eBD63PFHwUyTu1JXhg7CZivk8ZkK4fFHVUa++lhdJVXUCP5BcjnB1kQuJIl2GXPOyx8giiTtUT7eGYMlZs8PNR1WyTAvgS1ZSUFaWSNnqe/rnu/6r7pxM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770404991; c=relaxed/simple; bh=tChEFl18ibAzaJ2GEzMTWsWRSgUzH5SqTZHdeomPuqI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=X7HSO5uQhMSrQt6GCLe0oY8dBYJAHxuDgmf/GdEDth3PuZ0mWLDH/36BcOPBdvr7j4w63nWvRFDmS1JZfO4Ft6+zKXVfFx3E+V98CYPkOJyvWphGgbKfKjAtUiUPTyoqpM8bgb1+ltXr4VegyT3rbpgA3NZ7Zcm9IavXYRexJV0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=NApjlN/g; arc=none smtp.client-ip=91.218.175.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="NApjlN/g" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770404989; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ogj2BvymrjP7EHk/aTikaXPciJhAL1YMt9xpscARaOc=; b=NApjlN/g4iu2vmC3mVXQ9kED1ZA00hE/9PL1K4n0pNqyysf1X6dKzzaWhn8MUir80BLGbP xOeGtC8zeJt9mleG1tbQRnVzPH5O3nQn6UD6UquVm8an1rDZFRCnOFGPQAIee3HTN/E3PD ggH3kA2/IK+QCoAAAAjllRFzUpQHGT4= From: Yosry Ahmed To: Sean Christopherson Cc: Paolo Bonzini , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed Subject: [PATCH v5 24/26] KVM: nSVM: Restrict mapping VMCB12 on nested VMRUN Date: Fri, 6 Feb 2026 19:08:49 +0000 Message-ID: <20260206190851.860662-25-yosry.ahmed@linux.dev> In-Reply-To: <20260206190851.860662-1-yosry.ahmed@linux.dev> References: <20260206190851.860662-1-yosry.ahmed@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" All accesses to the VMCB12 in the guest memory on nested VMRUN are limited to nested_svm_vmrun() and nested_svm_failed_vmrun(). However, the VMCB12 remains mapped throughout nested_svm_vmrun(). Mapping and unmapping around usages is possible, but it becomes easy-ish to introduce bugs where 'vmcb12' is used after being unmapped. Move reading the VMCB12 and copying to cache from nested_svm_vmrun() into a new helper, nested_svm_copy_vmcb12_to_cache(), that maps the VMCB12, caches the needed fields, and unmaps it. Use kvm_vcpu_map_readonly() as only reading the VMCB12 is needed. Similarly, move mapping the VMCB12 on VMRUN failure into nested_svm_failed_vmrun(). Inject a triple fault if the mapping fails, similar to nested_svm_vmexit(). Signed-off-by: Yosry Ahmed --- arch/x86/kvm/svm/nested.c | 53 ++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index b1f3e9df2cd5..0a7bb01f5404 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1102,26 +1102,56 @@ static void __nested_svm_vmexit(struct vcpu_svm *sv= m, struct vmcb *vmcb12) kvm_queue_exception(vcpu, DB_VECTOR); } =20 -static void nested_svm_vmrun_error_vmexit(struct kvm_vcpu *vcpu, struct vm= cb *vmcb12) +static void nested_svm_vmrun_error_vmexit(struct kvm_vcpu *vcpu, u64 vmcb1= 2_gpa) { struct vcpu_svm *svm =3D to_svm(vcpu); + struct kvm_host_map map; + struct vmcb *vmcb12; + int r; =20 WARN_ON_ONCE(svm->vmcb =3D=3D svm->nested.vmcb02.ptr); =20 leave_guest_mode(vcpu); =20 + r =3D kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map); + if (r) { + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); + return; + } + + vmcb12 =3D map.hva; vmcb12->control.exit_code =3D SVM_EXIT_ERR; vmcb12->control.exit_info_1 =3D 0; vmcb12->control.exit_info_2 =3D 0; __nested_svm_vmexit(svm, vmcb12); + + kvm_vcpu_unmap(vcpu, &map); +} + +static int nested_svm_copy_vmcb12_to_cache(struct kvm_vcpu *vcpu, u64 vmcb= 12_gpa) +{ + struct vcpu_svm *svm =3D to_svm(vcpu); + struct kvm_host_map map; + struct vmcb *vmcb12; + int r; + + r =3D kvm_vcpu_map_readonly(vcpu, gpa_to_gfn(vmcb12_gpa), &map); + if (r) + return r; + + vmcb12 =3D map.hva; + + nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); + nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); + + kvm_vcpu_unmap(vcpu, &map); + return 0; } =20 int nested_svm_vmrun(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); int ret; - struct vmcb *vmcb12; - struct kvm_host_map map; u64 vmcb12_gpa; struct vmcb *vmcb01 =3D svm->vmcb01.ptr; =20 @@ -1142,22 +1172,17 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) return ret; } =20 + if (WARN_ON_ONCE(!svm->nested.initialized)) + return -EINVAL; + vmcb12_gpa =3D svm->vmcb->save.rax; - if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) { + if (nested_svm_copy_vmcb12_to_cache(vcpu, vmcb12_gpa)) { kvm_inject_gp(vcpu, 0); return 1; } =20 ret =3D kvm_skip_emulated_instruction(vcpu); =20 - vmcb12 =3D map.hva; - - if (WARN_ON_ONCE(!svm->nested.initialized)) - return -EINVAL; - - nested_copy_vmcb_control_to_cache(svm, &vmcb12->control); - nested_copy_vmcb_save_to_cache(svm, &vmcb12->save); - /* * Since vmcb01 is not in use, we can use it to store some of the L1 * state. @@ -1178,11 +1203,9 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) svm->nmi_l1_to_l2 =3D false; svm->soft_int_injected =3D false; =20 - nested_svm_vmrun_error_vmexit(vcpu, vmcb12); + nested_svm_vmrun_error_vmexit(vcpu, vmcb12_gpa); } =20 - kvm_vcpu_unmap(vcpu, &map); - return ret; } =20 --=20 2.53.0.rc2.204.g2597b5adb4-goog