Date: Thu, 5 Mar 2026 22:26:26 +0000
In-Reply-To: <20260305222627.4193305-1-sagis@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260305222627.4193305-1-sagis@google.com>
Message-ID: <20260305222627.4193305-2-sagis@google.com>
Subject: [PATCH v4 1/2] KVM: TDX: Allow userspace to return errors to guest for MAPGPA
From: Sagi Shahar
To: Vishal Annapurve, Sean Christopherson, Paolo Bonzini, Dave Hansen, Kiryl Shutsemau, Rick Edgecombe
Cc: Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", Michael Roth, Tom Lendacky, x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Sagi Shahar

From: Vishal Annapurve

MAPGPA request from TDX VMs gets split into chunks by KVM using a loop of userspace exits until the complete range is handled.

In some cases userspace VMM might decide to break the MAPGPA operation and continue it later. For example: in the case of intrahost migration userspace might decide to continue the MAPGPA operation after the migration is completed.

Allow userspace to signal to TDX guests that the MAPGPA operation should be retried the next time the guest is scheduled.

This is potentially a breaking change since if userspace sets hypercall.ret to a value other than EBUSY or EINVAL an EINVAL error code will be returned to userspace. As of now QEMU never sets hypercall.ret to a non-zero value after handling KVM_EXIT_HYPERCALL so this change should be safe.

Reviewed-by: Michael Roth
Signed-off-by: Vishal Annapurve
Co-developed-by: Sagi Shahar
Signed-off-by: Sagi Shahar
---
 Documentation/virt/kvm/api.rst |  3 +++
 arch/x86/kvm/vmx/tdx.c         | 28 +++++++++++++++++++++-------
 arch/x86/kvm/x86.h             |  6 ++++++
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 6f85e1b321dd..027f7fadd757 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst 
@@ -8808,6 +8808,9 @@ block sizes is exposed in KVM_CAP_ARM_SUPPORTED_BLOCK= _SIZES as a =20 This capability, if enabled, will cause KVM to exit to userspace with KVM_EXIT_HYPERCALL exit reason to process some hypercalls. +Userspace may fail the hypercall by setting hypercall.ret to EINVAL +or may request the hypercall to be retried the next time the guest run +by setting hypercall.ret to EAGAIN. =20 Calling KVM_CHECK_EXTENSION for this capability will return a bitmask of hypercalls that can be configured to exit to userspace. diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index c5065f84b78b..f47d5e34f3fc 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -1186,12 +1186,22 @@ static void __tdx_map_gpa(struct vcpu_tdx *tdx); =20 static int tdx_complete_vmcall_map_gpa(struct kvm_vcpu *vcpu) { + u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret); struct vcpu_tdx *tdx =3D to_tdx(vcpu); + long rc; =20 - if (vcpu->run->hypercall.ret) { - tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND); - tdx->vp_enter_args.r11 =3D tdx->map_gpa_next; - return 1; + switch (hypercall_ret) { + case 0: + break; + case EAGAIN: + rc =3D TDVMCALL_STATUS_RETRY; + goto propagate_error; + case EINVAL: + rc =3D TDVMCALL_STATUS_INVALID_OPERAND; + goto propagate_error; + default: + WARN_ON_ONCE(kvm_is_valid_map_gpa_range_ret(hypercall_ret)); + return -EINVAL; } =20 tdx->map_gpa_next +=3D TDX_MAP_GPA_MAX_LEN; 
@@ -1204,13 +1214,17 @@ static int tdx_complete_vmcall_map_gpa(struct kvm_v= cpu *vcpu) * TDVMCALL_MAP_GPA, see comments in tdx_protected_apic_has_interrupt(). */ if (kvm_vcpu_has_events(vcpu)) { - tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY); - tdx->vp_enter_args.r11 =3D tdx->map_gpa_next; - return 1; + rc =3D TDVMCALL_STATUS_RETRY; + goto propagate_error; } =20 __tdx_map_gpa(tdx); return 0; + +propagate_error: + tdvmcall_set_return_code(vcpu, rc); + tdx->vp_enter_args.r11 =3D tdx->map_gpa_next; + return 1; } =20 static void __tdx_map_gpa(struct vcpu_tdx *tdx) diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h index 94d4f07aaaa0..9dc6da955c2a 100644 --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -720,6 +720,12 @@ int kvm_sev_es_string_io(struct kvm_vcpu *vcpu, unsign= ed int size, unsigned int port, void *data, unsigned int count, int in); =20 +static inline bool kvm_is_valid_map_gpa_range_ret(u64 hypercall_ret) +{ + return !hypercall_ret || hypercall_ret =3D=3D EINVAL || + hypercall_ret =3D=3D EAGAIN; +} + static inline bool user_exit_on_hypercall(struct kvm *kvm, unsigned long h= c_nr) { return kvm->arch.hypercall_exit_enabled & BIT(hc_nr); --=20 2.53.0.473.g4a7958ca14-goog

Date: Thu, 5 Mar 2026 22:26:27 +0000
In-Reply-To: <20260305222627.4193305-1-sagis@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260305222627.4193305-1-sagis@google.com>
Message-ID: <20260305222627.4193305-3-sagis@google.com>
Subject: [PATCH v4 2/2] KVM: SEV: Restrict userspace return codes for KVM_HC_MAP_GPA_RANGE
From: Sagi Shahar
To: Vishal Annapurve, Sean Christopherson, Paolo Bonzini, Dave Hansen, Kiryl Shutsemau, Rick Edgecombe
Cc: Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", Michael Roth, Tom Lendacky, x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev, Sagi Shahar

To align with the updated TDX api that allows userspace to request that guests retry MAP_GPA operations, make sure that userspace is only returning EINVAL or EAGAIN as possible error codes.

Reviewed-by: Michael Roth
Signed-off-by: Sagi Shahar
---
 arch/x86/kvm/svm/sev.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 3f9c1aa39a0a..04076262f087 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c 
@@ -3718,9 +3718,13 @@ static int snp_rmptable_psmash(kvm_pfn_t pfn) =20 static int snp_complete_psc_msr(struct kvm_vcpu *vcpu) { + u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret); struct vcpu_svm *svm =3D to_svm(vcpu); =20 - if (vcpu->run->hypercall.ret) + if (!kvm_is_valid_map_gpa_range_ret(hypercall_ret)) + return -EINVAL; + + if (hypercall_ret) set_ghcb_msr(svm, GHCB_MSR_PSC_RESP_ERROR); else set_ghcb_msr(svm, GHCB_MSR_PSC_RESP); @@ -3811,10 +3815,14 @@ static void __snp_complete_one_psc(struct vcpu_svm = *svm) =20 static int snp_complete_one_psc(struct kvm_vcpu *vcpu) { + u64 hypercall_ret =3D READ_ONCE(vcpu->run->hypercall.ret); struct vcpu_svm *svm =3D to_svm(vcpu); struct psc_buffer *psc =3D svm->sev_es.ghcb_sa; =20 - if (vcpu->run->hypercall.ret) { + if (!kvm_is_valid_map_gpa_range_ret(hypercall_ret)) + return -EINVAL; + + if (hypercall_ret) { snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC); return 1; /* resume guest */ } --=20 2.53.0.473.g4a7958ca14-goog
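
Review bot: In the Documentation/virt/kvm/api.rst hunk of patch 1/2, the added text does not say what happens when userspace sets hypercall.ret to any other non-zero value, which is the part of the ABI change userspace most needs spelled out; the completion handlers in this series return -EINVAL in that case, and the commit message says that error is returned to userspace. Because the field is read as a u64 and compared directly against EINVAL and EAGAIN, the text should also state that positive errno values are expected. "the next time the guest run" should read "the next time the guest is run". The commit message names "EBUSY or EINVAL" while this text and the code use EAGAIN, so one of them needs correcting.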
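
Review bot: In the first arch/x86/kvm/vmx/tdx.c hunk, the default case of the switch in tdx_complete_vmcall_map_gpa() keeps the set of accepted values in two places: the case labels and kvm_is_valid_map_gpa_range_ret(), with WARN_ON_ONCE() there only to catch the two drifting apart. Calling the helper first and returning -EINVAL when it fails, as the sev.c hunks do, and then mapping the remaining values to a TDVMCALL status would keep a single source of truth and make the WARN unnecessary. The local "long rc" only ever carries a TDVMCALL_STATUS_* code handed to tdvmcall_set_return_code(), so a name and type that reflect that would read better than rc.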
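
Review bot: In the second arch/x86/kvm/vmx/tdx.c hunk, the propagate_error label is also taken by the kvm_vcpu_has_events() path, which is a retry because of pending events and not an error from userspace, so the label name is misleading. The two kinds of caller also reach it with different state: the EAGAIN and EINVAL cases jump before map_gpa_next is advanced by TDX_MAP_GPA_MAX_LEN, while the pending-events case jumps after it, so r11 reports the rejected chunk in one case and the next chunk in the other. That looks intentional, but a short comment at the label saying so would keep a later refactor from breaking it.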
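
Review bot: In the arch/x86/kvm/x86.h hunk, kvm_is_valid_map_gpa_range_ret() defines which values userspace may write to hypercall.ret for both the TDX and SEV callers, but it carries no comment. A comment above the helper stating that 0 means success, that EINVAL and EAGAIN are the only accepted failures, and pointing at the api.rst text would make the userspace contract visible where it is enforced.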
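
Review bot: In both arch/x86/kvm/svm/sev.c hunks of patch 2/2, EAGAIN passes kvm_is_valid_map_gpa_range_ret() but then falls into the same "if (hypercall_ret)" branch as EINVAL, so snp_complete_psc_msr() answers with GHCB_MSR_PSC_RESP_ERROR and snp_complete_one_psc() with VMGEXIT_PSC_ERROR_GENERIC. An SEV guest therefore sees a generic failure, not a retry, although the api.rst text added in patch 1/2 says EAGAIN requests that the hypercall be retried. Either handle EAGAIN separately here or state in the documentation and commit message that on SEV it is reported to the guest as an error.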