From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed, stable@vger.kernel.org
Subject: [PATCH v7 11/26] KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
Date: Tue, 3 Mar 2026 00:34:05 +0000
Message-ID: <20260303003421.2185681-12-yosry@kernel.org>
In-Reply-To: <20260303003421.2185681-1-yosry@kernel.org>
References: <20260303003421.2185681-1-yosry@kernel.org>

According to the APM, from the reference of the VMRUN instruction:

  Upon #VMEXIT, the processor performs the following actions in order to
  return to the host execution context:
  ...
  clear EVENTINJ field in VMCB

KVM syncs EVENTINJ fields from vmcb02 to cached vmcb12 on every L2->L0
#VMEXIT. Since these fields are zeroed by the CPU on #VMEXIT, they will
mostly be zeroed in vmcb12 on nested #VMEXIT by nested_svm_vmexit().
However, this is not the case when:

1. Consistency checks fail, as nested_svm_vmexit() is not called.
2. Entering guest mode fails before L2 runs (e.g. due to failed load of
   CR3).

(2) was broken by commit 2d8a42be0e2b ("KVM: nSVM: synchronize VMCB
controls updated by the processor on every vmexit"), as prior to that
nested_svm_vmexit() always zeroed EVENTINJ fields.

Explicitly clear the fields in all nested #VMEXIT code paths.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Fixes: 2d8a42be0e2b ("KVM: nSVM: synchronize VMCB controls updated by the processor on every vmexit")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/nested.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 04ccab887c5ec..f0ed352a3e901 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1036,6 +1036,8 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) vmcb12->control.exit_code =3D SVM_EXIT_ERR; vmcb12->control.exit_info_1 =3D 0; vmcb12->control.exit_info_2 =3D 0; + vmcb12->control.event_inj =3D 0; + vmcb12->control.event_inj_err =3D 0; svm_set_gif(svm, false); goto out; } @@ -1179,9 +1181,9 @@ static int nested_svm_vmexit_update_vmcb12(struct kvm= _vcpu *vcpu) if (nested_vmcb12_has_lbrv(vcpu)) svm_copy_lbrs(&vmcb12->save, &vmcb02->save); =20 + vmcb12->control.event_inj =3D 0; + vmcb12->control.event_inj_err =3D 0; vmcb12->control.int_ctl =3D svm->nested.ctl.int_ctl; - vmcb12->control.event_inj =3D svm->nested.ctl.event_inj; - vmcb12->control.event_inj_err =3D svm->nested.ctl.event_inj_err; =20 trace_kvm_nested_vmexit_inject(vmcb12->control.exit_code, vmcb12->control.exit_info_1, --=20 2.53.0.473.g4a7958ca14-goog
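Review bot: the two new zeroing lines in the consistency-check failure path of nested_svm_vmrun() (first hunk) duplicate what the second hunk does in nested_svm_vmexit_update_vmcb12(), and nothing at the site explains why this path has to repeat them. Since this path never reaches nested_svm_vmexit() (it fills in SVM_EXIT_ERR, exit_info_1/2 and now EVENTINJ by hand, calls svm_set_gif(svm, false) and jumps to `out`), a one-line comment above `vmcb12->control.exit_code = SVM_EXIT_ERR;` saying that it emulates the architectural #VMEXIT side effects without going through the common exit path would stop a later cleanup from "deduplicating" the lines and reintroducing the stale-EVENTINJ bug. A small helper that clears exit_info_1/2, event_inj and event_inj_err together, used by both sites, would also keep the two paths from drifting apart again.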
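Review bot: the removed lines in the second hunk are the real defect for case (2) of the commit message: copying event_inj/event_inj_err from svm->nested.ctl means that when the exit happens before L2 ever ran, vmcb12 is handed back whatever L1 wrote, so L1 observes an event as still pending after a #VMEXIT that the quoted VMRUN reference says clears it. Unconditionally zeroing both fields is the right fix, but the placement invites confusion: the new stores sit directly above `vmcb12->control.int_ctl = svm->nested.ctl.int_ctl;`, which is still sourced from svm->nested.ctl, so a reader may assume EVENTINJ and INT_CTL are treated alike. Either group the two zeroing lines with the other fields the hardware clears, or add a short comment citing the APM text from the commit message. It would also help to say in the commit message which Fixes tag belongs to which hunk (presumably 3d6368ef580a for the consistency-check path and 2d8a42be0e2b for this one), since the two paths regressed at different times and stable backports may need to pick them separately.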