From nobody Thu Apr  2 06:27:04 2026
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org
 [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id AFF31361665;
	Tue,  3 Mar 2026 00:34:38 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772498078; cv=none;
 b=N3VjLStFa8E8vzQQc1RjZuLdly5cEfgWOpEB7gy9e0e9XYC/b04/9/RxXWIWY9+LuMsasLJsPvfxp35lhb6meX7Hmhd3zlLN5HGxjGYTwLniGQnzm0u4MJtfcyQYtZcIq8YxOSN0YKG63sb8ES1NmgBQE4rmiYI4nhhLohXnJ88=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772498078; c=relaxed/simple;
	bh=+NotC64fi+InO3KYnZm6GKz1dnXRMKaYF+e8gDrnpC0=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=MOd/j1bJnBEdVEFtVBXkw5NlVDpwlWNf1BogX7OCCq2xTUwab/7avlddYt8XglR8foG8d67Qbw2sG9AWZFPmUOXAOTVIQnNpLC6aKQan2ErHwWqM+JeEvpUMoltJsjJRzuo28RvKdhF+itN3esbUGO+MwURFkNomT6p2K8Ru74w=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b=pBkVVj7Y; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org
 header.b="pBkVVj7Y"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4C320C2BC86;
	Tue,  3 Mar 2026 00:34:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1772498078;
	bh=+NotC64fi+InO3KYnZm6GKz1dnXRMKaYF+e8gDrnpC0=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=pBkVVj7Yn8LeW/WCuO0TxQmSBDKkmwqPvyHfNz7ByCoSt4mWAbOrh3gquSPqEgbHD
	 h4SdUHFhsP3UniBynOuudwAzUu54UkEaehD5QeA3Hl8mxuVBali4xviFvlU+WD0kb/
	 hYmFI/b3a7smE6GQ9h2JUT74bY7KLE3s8Urs5iPQnmClohYg3NY7AvIS0LtyyGCy7C
	 K0iYeLJJGMQUSSu/NJqvlLW0myz/e26Q18FcE41q0k612erdjwVfhIikkWeWcOAHgX
	 wKJafACbMH+q0yXQXwdrYR89+CJxz/i85MW4tHktCBAA/CtUEfD1FpwMukJeW/9gbr
	 /Nl22OdcozeqQ==
From: Yosry Ahmed <yosry@kernel.org>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Yosry Ahmed <yosry@kernel.org>,
	stable@vger.kernel.org
Subject: [PATCH v7 17/26] KVM: nSVM: Add missing consistency check for
 EVENTINJ
Date: Tue,  3 Mar 2026 00:34:11 +0000
Message-ID: <20260303003421.2185681-18-yosry@kernel.org>
X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog
In-Reply-To: <20260303003421.2185681-1-yosry@kernel.org>
References: <20260303003421.2185681-1-yosry@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

According to the APM Volume #2, 15.20 (24593=E2=80=94Rev. 3.42=E2=80=94Marc=
h 2024):

  VMRUN exits with VMEXIT_INVALID error code if either:
  =E2=80=A2 Reserved values of TYPE have been specified, or
  =E2=80=A2 TYPE =3D 3 (exception) has been specified with a vector that do=
es not
    correspond to an exception (this includes vector 2, which is an NMI,
    not an exception).

Add the missing consistency checks to KVM. For the second point, inject
VMEXIT_INVALID if the vector is anything but the vectors defined by the
APM for exceptions. Reserved vectors are also considered invalid, which
matches the HW behavior. Vector 9 (i.e. #CSO) is considered invalid
because it is reserved on modern CPUs, and according to LLMs no CPUs
exist supporting SVM and producing #CSOs.

Defined exceptions could be different between virtual CPUs as new CPUs
define new vectors. In a best effort to dynamically define the valid
vectors, make all currently defined vectors as valid except those
obviously tied to a CPU feature: SHSTK -> #CP and SEV-ES -> #VC. As new
vectors are defined, they can similarly be tied to corresponding CPU
features.

Invalid vectors on specific (e.g. old) CPUs that are missed by KVM
should be rejected by HW anyway.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
---
 arch/x86/kvm/svm/nested.c | 51 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 93b3fab9b415d..15f483fac28a0 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -339,6 +339,54 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu=
 *vcpu, u64 pa, u32 size)
 	    kvm_vcpu_is_legal_gpa(vcpu, addr + size - 1);
 }
=20
+static bool nested_svm_event_inj_valid_exept(struct kvm_vcpu *vcpu, u8 vec=
tor)
+{
+	/*
+	 * Vectors that do not correspond to a defined exception are invalid
+	 * (including #NMI and reserved vectors). In a best effort to define
+	 * valid exceptions based on the virtual CPU, make all exceptions always
+	 * valid except those obviously tied to a CPU feature.
+	 */
+	switch (vector) {
+	case DE_VECTOR: case DB_VECTOR: case BP_VECTOR: case OF_VECTOR:
+	case BR_VECTOR: case UD_VECTOR: case NM_VECTOR: case DF_VECTOR:
+	case TS_VECTOR: case NP_VECTOR: case SS_VECTOR: case GP_VECTOR:
+	case PF_VECTOR: case MF_VECTOR: case AC_VECTOR: case MC_VECTOR:
+	case XM_VECTOR: case HV_VECTOR: case SX_VECTOR:
+		return true;
+	case CP_VECTOR:
+		return guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK);
+	case VC_VECTOR:
+		return guest_cpu_cap_has(vcpu, X86_FEATURE_SEV_ES);
+	}
+	return false;
+}
+
+/*
+ * According to the APM, VMRUN exits with SVM_EXIT_ERR if SVM_EVTINJ_VALID=
 is
+ * set and:
+ * - The type of event_inj is not one of the defined values.
+ * - The type is SVM_EVTINJ_TYPE_EXEPT, but the vector is not a valid exce=
ption.
+ */
+static bool nested_svm_check_event_inj(struct kvm_vcpu *vcpu, u32 event_in=
j)
+{
+	u32 type =3D event_inj & SVM_EVTINJ_TYPE_MASK;
+	u8 vector =3D event_inj & SVM_EVTINJ_VEC_MASK;
+
+	if (!(event_inj & SVM_EVTINJ_VALID))
+		return true;
+
+	if (type !=3D SVM_EVTINJ_TYPE_INTR && type !=3D SVM_EVTINJ_TYPE_NMI &&
+	    type !=3D SVM_EVTINJ_TYPE_EXEPT && type !=3D SVM_EVTINJ_TYPE_SOFT)
+		return false;
+
+	if (type =3D=3D SVM_EVTINJ_TYPE_EXEPT &&
+	    !nested_svm_event_inj_valid_exept(vcpu, vector))
+		return false;
+
+	return true;
+}
+
 static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
 				       struct vmcb_ctrl_area_cached *control)
 {
@@ -365,6 +413,9 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu =
*vcpu,
 		return false;
 	}
=20
+	if (CC(!nested_svm_check_event_inj(vcpu, control->event_inj)))
+		return false;
+
 	return true;
 }
=20
--=20
2.53.0.473.g4a7958ca14-goog