From nobody Sat Feb  7 15:15:18 2026
Received: from mail-oo1-f73.google.com (mail-oo1-f73.google.com
 [209.85.161.73])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 05E90311C2E
	for <linux-kernel@vger.kernel.org>; Fri,  6 Feb 2026 22:28:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.161.73
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770416925; cv=none;
 b=fS+cKkJ9PpvjIeRtp7ByCB4XjVClNj8M87fjAl3rYhxV8Os1A8lVgQs+DnSCg1bg24YGJFVbGykXtwIDsBXYT1/b6i/qDJw7UXe4JiDe3GK3oVJvwiPwqhGfC/ud44FbwFeuWe5pxURLwiiiwjsK1at8KYU0c5OAbh85LXkYlaw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770416925; c=relaxed/simple;
	bh=RD3ghT3BYR07kk+VT4kAGdDg0rE+/olup8G6vjo9ymA=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=L65FVHaoFDBofnZz4eHMgquRWanpFrLRdYcCo/sl2+p/l4F8EYkL7rtgfuKAIUFAnwJcMw7chNHHN7Mrx3uznTrcc30VPrcbaidUzlyT74KemUc6K1LLzlLYtUZSVAoRQH0fK8KhSzUDTPwI+N2Rr4tbF4d9DsuXucpm2xWectY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--sagis.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=T64y+4nS; arc=none smtp.client-ip=209.85.161.73
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--sagis.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="T64y+4nS"
Received: by mail-oo1-f73.google.com with SMTP id
 006d021491bc7-6630b0a016aso10718658eaf.0
        for <linux-kernel@vger.kernel.org>;
 Fri, 06 Feb 2026 14:28:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1770416924; x=1771021724;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=pUeR5gi86sqwVMcWfnpHhKWd8lA2xF2m2Gxy4doTFyc=;
        b=T64y+4nS7LzF4K0YhObHwNT9RI/kt304C4ts67ztuhy1yznLd6LMpkHXg4mjTTcJus
         A8CPy43MTpRgY1nJHFod9T52lBlr286v/nqOk5T9f0VsYtXK9ZS5dnctBg7gyoxTyFC8
         rsQWxsSHZY7EaUpHywl9A3Q4FGKjYYLD194Chuk6xslPA+zCXj9mBJlhHJa+n8f8Gxzy
         8Uum0P+SUMT4O3BFoZb6mb+xQq7tmeWxsB5UyBtqlksAMPQzU0UfJRB6Lf8bj93EhFOs
         rvYTCrdZZ6fAdwOMwWxenB4grTj4R5qyVVUDJ0ZeOqGPPQJQIkho/hs7tBYhyPeMEQhU
         HxhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770416924; x=1771021724;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=pUeR5gi86sqwVMcWfnpHhKWd8lA2xF2m2Gxy4doTFyc=;
        b=bkpcMlkGqJ45sLRqfFQd1R+JiICahQwtuy7mHfy/DCVDAAEoafeV8rnkpp7vCRaU4l
         agvxKgTQ+ktGk0/wAUVE7saEUJAn8xfPcehy+mh8Ek+6zRsRutD6/akvoU4bFH6JORnn
         dh2ogzqXPEZReHCo4bskwGa803cpPvD8usKOvxb2Hx6FR14fyIMfBolPGIOpjAh5aUU5
         gpInbUJ5echhUvobAURMH5Hv+nKbjLF1Jqzpb7NjY8PfRE4qStbxuTdPuzTFtFpY0Osk
         izUqWtKDu1KgABF5kUa8/Rryx7xQt9SJkiitPeJBsOcvepZ1HWhJsFsWhsDbEypBK4md
         MCAw==
X-Forwarded-Encrypted: i=1;
 AJvYcCWJddyI+ApUE99uIciqoCgLE1LgSOVBFJAmnTwfliJ1i8SGwYVQEd7y3T+ydJ8BFRwE6c6HieIG/He684Q=@vger.kernel.org
X-Gm-Message-State: AOJu0YxuS3Amg1Ji9gS5tJIu41Sir8SFkcHPyT574wURS+YvPE6Wn04t
	GKl8Xn6d8JEgjusmaymEvBtj004nZK83Q5e6U+c2G0jS4Qp44vmnspTxQQ/NuACBusDvheLBkjP
	atw==
X-Received: from iobif47.prod.google.com
 ([2002:a05:6602:1e2f:b0:957:66a7:af96])
 (user=sagis job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6820:81ca:b0:663:46f:603f
 with SMTP id 006d021491bc7-66d0a4782bemr1878081eaf.22.1770416923905; Fri, 06
 Feb 2026 14:28:43 -0800 (PST)
Date: Fri,  6 Feb 2026 22:28:28 +0000
In-Reply-To: <20260206222829.3758171-1-sagis@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260206222829.3758171-1-sagis@google.com>
X-Mailer: git-send-email 2.53.0.rc2.204.g2597b5adb4-goog
Message-ID: <20260206222829.3758171-2-sagis@google.com>
Subject: [PATCH v3 1/2] KVM: TDX: Allow userspace to return errors to guest
 for MAPGPA
From: Sagi Shahar <sagis@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>, Kiryl Shutsemau <kas@kernel.org>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Thomas Gleixner <tglx@kernel.org>, Borislav Petkov <bp@alien8.de>,
 "H. Peter Anvin" <hpa@zytor.com>,
	Michael Roth <michael.roth@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
 x86@kernel.org,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-coco@lists.linux.dev,
	Vishal Annapurve <vannapurve@google.com>, Sagi Shahar <sagis@google.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Vishal Annapurve <vannapurve@google.com>

MAPGPA request from TDX VMs gets split into chunks by KVM using a loop
of userspace exits until the complete range is handled.

In some cases userspace VMM might decide to break the MAPGPA operation
and continue it later. For example: in the case of intrahost migration
userspace might decide to continue the MAPGPA operation after the
migration is completed.

Allow userspace to signal to TDX guests that the MAPGPA operation should
be retried the next time the guest is scheduled.

This is potentially a breaking change since if userspace sets
hypercall.ret to a value other than EBUSY or EINVAL an EINVAL error code
will be returned to userspace. As of now QEMU never sets hypercall.ret
to a non-zero value after handling KVM_EXIT_HYPERCALL so this change
should be safe.

Signed-off-by: Vishal Annapurve <vannapurve@google.com>
Co-developed-by: Sagi Shahar <sagis@google.com>
Signed-off-by: Sagi Shahar <sagis@google.com>
---
 Documentation/virt/kvm/api.rst |  3 +++
 arch/x86/kvm/vmx/tdx.c         | 15 +++++++++++++--
 arch/x86/kvm/x86.h             |  6 ++++++
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index 01a3abef8abb..9978cd9d897e 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8679,6 +8679,9 @@ block sizes is exposed in KVM_CAP_ARM_SUPPORTED_BLOCK=
_SIZES as a
=20
 This capability, if enabled, will cause KVM to exit to userspace
 with KVM_EXIT_HYPERCALL exit reason to process some hypercalls.
+Userspace may fail the hypercall by setting hypercall.ret to EINVAL
+or may request the hypercall to be retried the next time the guest run
+by setting hypercall.ret to EAGAIN.
=20
 Calling KVM_CHECK_EXTENSION for this capability will return a bitmask
 of hypercalls that can be configured to exit to userspace.
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index 2d7a4d52ccfb..056a44b9d78b 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -1186,10 +1186,21 @@ static void __tdx_map_gpa(struct vcpu_tdx *tdx);
=20
 static int tdx_complete_vmcall_map_gpa(struct kvm_vcpu *vcpu)
 {
+	u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret);
 	struct vcpu_tdx *tdx =3D to_tdx(vcpu);
=20
-	if (vcpu->run->hypercall.ret) {
-		tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
+	if (hypercall_ret) {
+		if (hypercall_ret =3D=3D EAGAIN) {
+			tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
+		} else if (vcpu->run->hypercall.ret =3D=3D EINVAL) {
+			tdvmcall_set_return_code(
+				vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
+		} else {
+			WARN_ON_ONCE(
+				kvm_is_valid_map_gpa_range_ret(hypercall_ret));
+			return -EINVAL;
+		}
+
 		tdx->vp_enter_args.r11 =3D tdx->map_gpa_next;
 		return 1;
 	}
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index fdab0ad49098..3d464d12423a 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -706,6 +706,12 @@ int kvm_sev_es_string_io(struct kvm_vcpu *vcpu, unsign=
ed int size,
 			 unsigned int port, void *data,  unsigned int count,
 			 int in);
=20
+static inline bool kvm_is_valid_map_gpa_range_ret(u64 hypercall_ret)
+{
+	return !hypercall_ret || hypercall_ret =3D=3D EINVAL ||
+	       hypercall_ret =3D=3D EAGAIN;
+}
+
 static inline bool user_exit_on_hypercall(struct kvm *kvm, unsigned long h=
c_nr)
 {
 	return kvm->arch.hypercall_exit_enabled & BIT(hc_nr);
--=20
2.53.0.rc2.204.g2597b5adb4-goog
From nobody Sat Feb  7 15:15:18 2026
Received: from mail-ot1-f74.google.com (mail-ot1-f74.google.com
 [209.85.210.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA3F6313550
	for <linux-kernel@vger.kernel.org>; Fri,  6 Feb 2026 22:28:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.210.74
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770416926; cv=none;
 b=prkALBF2qQi3KhIj2OhIg37b+CkHMWQaN7rrwuwku5YHPc6rbF23BospPEzluZQADnGlkJMpB4wf5lPiZE/GtlQOKwtmC6i+EKrUBJiH0T/NdzUd11ci6baFI/0+K8IKqcOuRcW+uim/Z/ZQ1sJ/Zd6siyDcNuXnc30JKnYoAew=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770416926; c=relaxed/simple;
	bh=BZpL1RE9XfDIgFESeYrbtsYlln4FTRDnK6vMRKcrB4s=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=WgMcJGZGOuMZw+Y3RYx5PB6pvbADNBHbyUBad7tPP5Fvx89h9c1zxyTNQ2vu1WleyJmAhsyhLRdJkgndCqyfMAn7mR8bONOT6FUjv/ZCw6pudgp7JP0fLHwi47cxY85GcOmyjhRfK3kqBVQgNzjgDIeVA1/4OtCIz+u/W/2+vj0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--sagis.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=ECyf30SX; arc=none smtp.client-ip=209.85.210.74
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--sagis.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="ECyf30SX"
Received: by mail-ot1-f74.google.com with SMTP id
 46e09a7af769-7cfd12d8245so2808671a34.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 06 Feb 2026 14:28:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1770416925; x=1771021725;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=sPoqEhUMmdDPahIwHzxtMUXZ8ToMdzI8JESAi3VAuZ4=;
        b=ECyf30SXfnbDrAsm2d9JaAmd1cS0YS8eSkvmGyqH01syNolvs+g9Bd1r6NrXy3+alr
         K2fW3to9Mq9jSQoVFDNoQBYTNrX0gCO2vsEgHJZ+lBm1g1+K/lJ2ierqJste6DqxpNsO
         +m6cBcIGIoUA+X/PPQkj3ATQkEnF3jkLppHuqpIGm/reQg1yLXOaKog84p5kPd1c7Fxg
         joGNmkq4Cavw1zZF6aLVkWG/OVnZvqSENxqe9GH5B3TehRGHdiSF27K+CRu1No4PNkfa
         3zhKdQ8Q7WlZksFQL1PPpMOJ+AoZZpnCVfBTCAQvpRnAB5kPIgzRj4HSfBsDiCgvWWAZ
         yCpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770416925; x=1771021725;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=sPoqEhUMmdDPahIwHzxtMUXZ8ToMdzI8JESAi3VAuZ4=;
        b=Xf6+FjjZ3ktjvVwStSsDXnoONMM/7UwJoqSb4Q624i1i5/b61gIdPH3m66Hd2JPm9/
         pB41v7Rp36ZOMu1q8CnZqUX40PbO0aMrMUVyoGVo+Bu6ajVLX0+8gYhE16ObMomhKYWl
         IdL8cmw9R3029qhj+tGCzRcusbjqkEMR1jBR9GI8fv4obNi2RV7Jv3Af1vhMwh7HEZF/
         TLFzYKjrVk2HpZog8dzfVN1xZqCwroE9QcSCEF/n2ONbaGI3kheQoplW6+MH6ge3zM8H
         UCEBKkf7jt3y6oNYj6IdciVw08JKv9YzNSEKVwqVMmLKuJubCwfrYVdoKpiCJxiUKuHd
         dANQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCU83ADcN4L+gAbEkcR5ZmqCcGS+c2foErhzVlLVSNvoZ2hlHRsHzM0G8Jh+rZWKFyLj8NVrpHSUQTqTays=@vger.kernel.org
X-Gm-Message-State: AOJu0YxNLnDa237VqTx3TaUyTOzzzxC9p2OH1xREjbJaI9OpggxrL3c7
	VooL5613hZkUusivnfNMsQXDiccCwPbUtzEAI85TlIlggl51/nigBZokbW6SHhChuZATzunC468
	0Vw==
X-Received: from iofm8-n2.prod.google.com
 ([2002:a05:6602:83c8:20b0:957:7451:a858])
 (user=sagis job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:6820:2910:b0:663:23a:caf6
 with SMTP id 006d021491bc7-66d09ac270bmr2203902eaf.5.1770416924752; Fri, 06
 Feb 2026 14:28:44 -0800 (PST)
Date: Fri,  6 Feb 2026 22:28:29 +0000
In-Reply-To: <20260206222829.3758171-1-sagis@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260206222829.3758171-1-sagis@google.com>
X-Mailer: git-send-email 2.53.0.rc2.204.g2597b5adb4-goog
Message-ID: <20260206222829.3758171-3-sagis@google.com>
Subject: [PATCH v3 2/2] KVM: SEV: Restrict userspace return codes for
 KVM_HC_MAP_GPA_RANGE
From: Sagi Shahar <sagis@google.com>
To: Sean Christopherson <seanjc@google.com>,
 Paolo Bonzini <pbonzini@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>, Kiryl Shutsemau <kas@kernel.org>,
	Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Thomas Gleixner <tglx@kernel.org>, Borislav Petkov <bp@alien8.de>,
 "H. Peter Anvin" <hpa@zytor.com>,
	Michael Roth <michael.roth@amd.com>, Tom Lendacky <thomas.lendacky@amd.com>,
 x86@kernel.org,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-coco@lists.linux.dev,
	Sagi Shahar <sagis@google.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

To align with the updated TDX api that allows userspace to request
that guests retry MAP_GPA operations, make sure that userspace is only
returning EINVAL or EAGAIN as possible error codes.

Signed-off-by: Sagi Shahar <sagis@google.com>
---
 arch/x86/kvm/svm/sev.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
index f59c65abe3cf..5f78e4c3eb5d 100644
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3722,9 +3722,13 @@ static int snp_rmptable_psmash(kvm_pfn_t pfn)
=20
 static int snp_complete_psc_msr(struct kvm_vcpu *vcpu)
 {
+	u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret);
 	struct vcpu_svm *svm =3D to_svm(vcpu);
=20
-	if (vcpu->run->hypercall.ret)
+	if (!kvm_is_valid_map_gpa_range_ret(hypercall_ret))
+		return -EINVAL;
+
+	if (hypercall_ret)
 		set_ghcb_msr(svm, GHCB_MSR_PSC_RESP_ERROR);
 	else
 		set_ghcb_msr(svm, GHCB_MSR_PSC_RESP);
@@ -3815,10 +3819,14 @@ static void __snp_complete_one_psc(struct vcpu_svm =
*svm)
=20
 static int snp_complete_one_psc(struct kvm_vcpu *vcpu)
 {
+	u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret);
 	struct vcpu_svm *svm =3D to_svm(vcpu);
 	struct psc_buffer *psc =3D svm->sev_es.ghcb_sa;
=20
-	if (vcpu->run->hypercall.ret) {
+	if (!kvm_is_valid_map_gpa_range_ret(hypercall_ret))
+		return -EINVAL;
+
+	if (hypercall_ret) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
 		return 1; /* resume guest */
 	}
--=20
2.53.0.rc2.204.g2597b5adb4-goog