From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 1/7] KVM: SVM: Drop RAX check for SVM instructions from the emulator
Date: Fri, 13 Mar 2026 00:10:18 +0000
Message-ID: <20260313001024.136619-2-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

The check for legal GPA in RAX hardcodes a mask for 48 bits of physical address width. This incorrectly injects a #GP for valid 52-bit GPAs. However, instead of fixing the check, remove it completely as it is unnecessary.

If RAX contains an illegal GPA, the CPU should inject #GP. If KVM intercepts #GP, the emulator is only used for decoding the instruction. Otherwise, if RAX is illegal from the guest's perspective but not the host's (due to allow_smaller_maxphyaddr), then KVM should always intercept the instructions (as NPT and VLS should both be disabled). The interception path for VMRUN/VMSAVE/VMLOAD also does not invoke the emulator either. Hence, the emulator can never be invoked with an actually illegal RAX.

Outside of forced emulation or code stream rewriting, the emulator should only be invoked for these instructions in cases such as RAX having a legal GPA that lies outside guest memory, as the #NPF interception handler will try to emulate the instruction after failing to create a proper mapping in the NPT. In this case, the emulator's responsibility ends with checking pre-intercept exceptions and intercepts, it does not actually emulate these instructions.

According to the APM, #GP due to invalid op happens after the interception check:

  Generally, instruction intercepts are checked after simple exceptions (such as #GP—when CPL is incorrect—or #UD) have been checked, but before exceptions related to memory accesses (such as page faults) and exceptions based on specific operand values.

Arguably, the emulator's checks for EFER.SVME and intercepts are also unnecessary. If EFER.SVME is cleared or if L1 intercepts VMRUN/VMSAVE/VMLOAD (for nested), then KVM should always be intercepting these instructions anyway, and the emulator should not be invoked (see above). Leave dealing with that for later.

Fixes: 01de8b09e606 ("KVM: SVM: Add intercept checks for SVM instructions")
Suggested-by: Sean Christopherson
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/emulate.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 6145dac4a605a..a449a00555da1 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -3883,17 +3883,6 @@ static int check_svme(struct x86_emulate_ctxt *ctxt) return X86EMUL_CONTINUE; } =20 -static int check_svme_pa(struct x86_emulate_ctxt *ctxt) -{ - u64 rax =3D reg_read(ctxt, VCPU_REGS_RAX); - - /* Valid physical address? */ - if (rax & 0xffff000000000000ULL) - return emulate_gp(ctxt, 0); - - return check_svme(ctxt); -} - static int check_rdtsc(struct x86_emulate_ctxt *ctxt) { u64 cr4 =3D ctxt->ops->get_cr(ctxt, 4); 
@@ -3997,10 +3986,10 @@ static const struct opcode group7_rm2[] =3D { }; =20 static const struct opcode group7_rm3[] =3D { - DIP(SrcNone | Prot | Priv, vmrun, check_svme_pa), + DIP(SrcNone | Prot | Priv, vmrun, check_svme), II(SrcNone | Prot | EmulateOnUD, em_hypercall, vmmcall), - DIP(SrcNone | Prot | Priv, vmload, check_svme_pa), - DIP(SrcNone | Prot | Priv, vmsave, check_svme_pa), + DIP(SrcNone | Prot | Priv, vmload, check_svme), + DIP(SrcNone | Prot | Priv, vmsave, check_svme), DIP(SrcNone | Prot | Priv, stgi, check_svme), DIP(SrcNone | Prot | Priv, clgi, check_svme), DIP(SrcNone | Prot | Priv, skinit, check_svme), --=20 2.53.0.851.ga537e3e6e9-goog
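
Review bot: The first hunk deletes check_svme_pa() and leaves nothing in emulate.c that says why VMRUN/VMLOAD/VMSAVE carry no RAX check; the reasoning (the CPU or the interception path deals with an illegal RAX, the emulator only decodes) lives only in the commit message. A short comment above group7_rm3 or check_svme() stating that operand legality for these instructions is deliberately not checked in the emulator would keep a later reader from reintroducing a hardcoded mask such as 0xffff000000000000ULL.
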
From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 2/7] KVM: SVM: Check that RAX has legal GPA on #GP interception of SVM insns
Date: Fri, 13 Mar 2026 00:10:19 +0000
Message-ID: <20260313001024.136619-3-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

KVM intercepts #GP when EFER.SVME is set if the CPU does not have X86_FEATURE_SVME_ADDR_CHK to work around an erratum where some CPUs check EAX against reserved memory regions. KVM re-injects the #GP if an SVM instruction was executed with mis-aligned RAX, and it otherwise emulates it.

However, a #GP should also be reinjected if RAX contains an illegal GPA, according to the APM, one of #GP conditions is:

  rAX referenced a physical address above the maximum supported physical address.

Replace the PAGE_MASK check with page_address_valid(), which checks both page-alignment as well as the legality of the GPA based on the vCPU's MAXPHYADDR.

Note that this is currently not a problem, because kvm_vcpu_map() should fail on illegal GPAs and inject a #GP anyway. However, following patches will change the failure behavior of kvm_vcpu_map(), so make sure the #GP interception handler does this appropriately.

Fixes: 82a11e9c6fa2 ("KVM: SVM: Add emulation support for #GP triggered by SVM instructions")
Fixes: d1cba6c92237 ("KVM: x86: nSVM: test eax for 4K alignment for GP errata workaround")
Suggested-by: Sean Christopherson
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/svm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d98fbc0e58e8f..796a6887305d6 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -2319,8 +2319,7 @@ static int gp_interception(struct kvm_vcpu *vcpu) return kvm_emulate_instruction(vcpu, EMULTYPE_VMWARE_GP | EMULTYPE_NO_DECODE); } else { - /* All SVM instructions expect page aligned RAX */ - if (svm->vmcb->save.rax & ~PAGE_MASK) + if (!page_address_valid(vcpu, svm->vmcb->save.rax)) goto reinject; =20 return emulate_svm_instr(vcpu, opcode); --=20 2.53.0.851.ga537e3e6e9-goog
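
Review bot: The added line in gp_interception() drops the comment "All SVM instructions expect page aligned RAX" without a replacement, although page_address_valid() now stands for two #GP conditions (page alignment and MAXPHYADDR legality, per the commit message). Suggest keeping a one-line comment that names both conditions so the reinject decision is readable without the changelog.
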
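
The difference between the hardcoded 48-bit mask removed in patch 1/7 and an alignment-plus-MAXPHYADDR check of the kind patch 2/7 describes, as an added example that is not part of the series or of KVM. The names `legacy_rax_ok`, `gpa_legal_and_aligned` and `compare` are hypothetical, the sample values are constructed, and the second function only models the behaviour the commit message attributes to page_address_valid().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096ULL

/* How the two checks relate for one (RAX, MAXPHYADDR) pair. */
enum verdict { BOTH_ACCEPT, BOTH_GP, SPURIOUS_GP, MISSED_GP };

/* The check removed by patch 1/7: any of bits 63:48 set means "illegal". */
static bool legacy_rax_ok(uint64_t rax)
{
	return (rax & 0xffff000000000000ULL) == 0;
}

/*
 * Hypothetical model of the check patch 2/7 describes: page aligned and
 * no address bits at or above the vCPU's MAXPHYADDR.
 */
static bool gpa_legal_and_aligned(uint64_t gpa, unsigned int maxphyaddr)
{
	uint64_t reserved = maxphyaddr >= 64 ? 0 : ~((1ULL << maxphyaddr) - 1);

	if (gpa & (MODEL_PAGE_SIZE - 1))
		return false;
	return (gpa & reserved) == 0;
}

/*
 * SPURIOUS_GP: the fixed mask rejects an address the vCPU-aware check accepts.
 * MISSED_GP:   the fixed mask accepts an address the vCPU-aware check rejects.
 */
static enum verdict compare(uint64_t rax, unsigned int maxphyaddr)
{
	bool old_ok = legacy_rax_ok(rax);
	bool new_ok = gpa_legal_and_aligned(rax, maxphyaddr);

	if (old_ok == new_ok)
		return old_ok ? BOTH_ACCEPT : BOTH_GP;
	return new_ok ? SPURIOUS_GP : MISSED_GP;
}

int main(void)
{
	static const char *const names[] = {
		"both accept", "both #GP", "spurious #GP from mask", "mask misses #GP",
	};
	/* Constructed samples: RAX value and the vCPU's MAXPHYADDR. */
	static const struct { uint64_t rax; unsigned int maxphyaddr; } samples[] = {
		{ 0x0000000000001000ULL, 48 },             /* ordinary aligned GPA */
		{ 1ULL << 50, 52 },                        /* valid 52-bit GPA */
		{ (1ULL << 52) - MODEL_PAGE_SIZE, 52 },    /* highest legal page */
		{ 1ULL << 44, 40 },                        /* above a smaller MAXPHYADDR */
		{ 0x0000000000001234ULL, 48 },             /* not page aligned */
		{ ~0ULL, 52 },                             /* -1ULL, as in the selftest */
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("rax=%#018llx maxphyaddr=%u -> %s\n",
		       (unsigned long long)samples[i].rax, samples[i].maxphyaddr,
		       names[compare(samples[i].rax, samples[i].maxphyaddr)]);
	return 0;
}
```
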
From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 3/7] KVM: SVM: Move RAX legality check to SVM insn interception handlers
Date: Fri, 13 Mar 2026 00:10:20 +0000
Message-ID: <20260313001024.136619-4-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

When #GP is intercepted by KVM, the #GP interception handler checks whether the GPA in RAX is legal and reinjects the #GP accordingly. Otherwise, it calls into the appropriate interception handler for VMRUN/VMLOAD/VMSAVE. The intercept handlers do not check RAX.

However, according to the APM, the interception takes precedence over #GP due to an invalid operand:

  Generally, instruction intercepts are checked after simple exceptions (such as #GP—when CPL is incorrect—or #UD) have been checked, but before exceptions related to memory accesses (such as page faults) and exceptions based on specific operand values.

Move the check into the interception handlers for VMRUN/VMLOAD/VMSAVE as the CPU does not check RAX before the interception.

Opportunistically make the non-SVM insn path in gp_interception() do an early return to reduce indentation.

Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/nested.c | 5 +++++
 arch/x86/kvm/svm/svm.c | 34 +++++++++++++++++-----------------
 2 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 5ff01d2ac85e4..016bf88ec2def 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c 
@@ -1115,6 +1115,11 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) =20 vmcb12_gpa =3D svm->vmcb->save.rax; =20 + if (!page_address_valid(vcpu, vmcb12_gpa)) { + kvm_inject_gp(vcpu, 0); + return 1; + } + ret =3D nested_svm_copy_vmcb12_to_cache(vcpu, vmcb12_gpa); if (ret) { if (ret =3D=3D -EFAULT) { diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 796a6887305d6..f019a3f7705ae 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2183,6 +2183,7 @@ static int intr_interception(struct kvm_vcpu *vcpu) static int vmload_vmsave_interception(struct kvm_vcpu *vcpu, bool vmload) { struct vcpu_svm *svm =3D to_svm(vcpu); + u64 vmcb12_gpa =3D svm->vmcb->save.rax; struct vmcb *vmcb12; struct kvm_host_map map; int ret; @@ -2190,7 +2191,12 @@ static int vmload_vmsave_interception(struct kvm_vcp= u *vcpu, bool vmload) if (nested_svm_check_permissions(vcpu)) return 1; =20 - ret =3D kvm_vcpu_map(vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map); + if (!page_address_valid(vcpu, vmcb12_gpa)) { + kvm_inject_gp(vcpu, 0); + return 1; + } + + ret =3D kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map); if (ret) { if (ret =3D=3D -EINVAL) kvm_inject_gp(vcpu, 0); 
@@ -2306,24 +2312,18 @@ static int gp_interception(struct kvm_vcpu *vcpu) goto reinject; =20 opcode =3D svm_instr_opcode(vcpu); + if (opcode !=3D NONE_SVM_INSTR) + return emulate_svm_instr(vcpu, opcode); =20 - if (opcode =3D=3D NONE_SVM_INSTR) { - if (!enable_vmware_backdoor) - goto reinject; - - /* - * VMware backdoor emulation on #GP interception only handles - * IN{S}, OUT{S}, and RDPMC. - */ - if (!is_guest_mode(vcpu)) - return kvm_emulate_instruction(vcpu, - EMULTYPE_VMWARE_GP | EMULTYPE_NO_DECODE); - } else { - if (!page_address_valid(vcpu, svm->vmcb->save.rax)) - goto reinject; + if (!enable_vmware_backdoor) + goto reinject; =20 - return emulate_svm_instr(vcpu, opcode); - } + /* + * VMware backdoor emulation on #GP interception only handles + * IN{S}, OUT{S}, and RDPMC. + */ + if (!is_guest_mode(vcpu)) + return kvm_emulate_instruction(vcpu, EMULTYPE_VMWARE_GP | EMULTYPE_NO_DE= CODE); =20 reinject: kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); --=20 2.53.0.851.ga537e3e6e9-goog
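
Review bot: The check added to nested_svm_vmrun() in the nested.c hunk is repeated line for line in vmload_vmsave_interception(): "if (!page_address_valid(vcpu, vmcb12_gpa)) { kvm_inject_gp(vcpu, 0); return 1; }". A small shared helper would keep the #GP condition for all three instructions in one place, and a comment there could cite the APM ordering (intercept first, operand-based #GP after) that motivates moving the check.
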
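
Review bot: In the gp_interception() hunk, an SVM instruction with a bad RAX no longer reaches the reinject label, so the guest's #GP now comes from kvm_inject_gp(vcpu, 0) in the handlers rather than from kvm_queue_exception_e(vcpu, GP_VECTOR, error_code) with the intercepted error code. The commit message should state that the error code is always expected to be 0 on this path, or the handlers should be passed the intercepted value.
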
From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 4/7] KVM: SVM: Treat mapping failures equally in VMLOAD/VMSAVE emulation
Date: Fri, 13 Mar 2026 00:10:21 +0000
Message-ID: <20260313001024.136619-5-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

Currently, a #GP is only injected if kvm_vcpu_map() fails with -EINVAL. But it could also fail with -EFAULT if creating a host mapping failed. Inject a #GP in all cases, no reason to treat failure modes differently.

Similar to commit 01ddcdc55e09 ("KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN"), treat all failures equally.

Fixes: 8c5fbf1a7231 ("KVM/nSVM: Use the new mapping API for mapping guest memory")
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/svm.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index f019a3f7705ae..3b1516ea45d4f 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -2196,10 +2196,8 @@ static int vmload_vmsave_interception(struct kvm_vcp= u *vcpu, bool vmload) return 1; } =20 - ret =3D kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map); - if (ret) { - if (ret =3D=3D -EINVAL) - kvm_inject_gp(vcpu, 0); + if (kvm_vcpu_map(vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map)) { + kvm_inject_gp(vcpu, 0); return 1; } =20 --=20 2.53.0.851.ga537e3e6e9-goog
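
Review bot: The added kvm_vcpu_map() call goes back to reading svm->vmcb->save.rax, while the line it replaces mapped the vmcb12_gpa local introduced in the previous patch. The page_address_valid() check immediately before it validates vmcb12_gpa, so the map should use the same variable to keep check and use on one value: "if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map)) {".
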
From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 5/7] KVM: nSVM: Fail emulation of VMRUN/VMLOAD/VMSAVE if mapping vmcb12 fails
Date: Fri, 13 Mar 2026 00:10:22 +0000
Message-ID: <20260313001024.136619-6-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

KVM currently injects a #GP if mapping vmcb12 fails when emulating VMRUN/VMLOAD/VMSAVE. This is not architectural behavior, as #GP should only be injected if the physical address is not supported or not aligned. Instead, handle it as an emulation failure, similar to how nVMX handles failures to read/write guest memory in several emulation paths.

When virtual VMLOAD/VMSAVE is enabled, if vmcb12's GPA is not mapped in the NPTs a VMEXIT(#NPF) will be generated, and KVM will install an MMIO SPTE and emulate the instruction if there is no corresponding memslot. x86_emulate_insn() will return EMULATION_FAILED as VMLOAD/VMSAVE are not handled as part of the twobyte_insn cases.

Even though this will also result in an emulation failure, it will only result in a straight return to userspace if KVM_CAP_EXIT_ON_EMULATION_FAILURE is set. Otherwise, it would inject #UD and only exit to userspace if not in guest mode. So the behavior is slightly different if virtual VMLOAD/VMSAVE is enabled.

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Reported-by: Jim Mattson
Signed-off-by: Yosry Ahmed
---
 arch/x86/kvm/svm/nested.c | 6 ++----
 arch/x86/kvm/svm/svm.c | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c index 016bf88ec2def..8320c98b704ce 100644 --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1122,10 +1122,8 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu) =20 ret =3D nested_svm_copy_vmcb12_to_cache(vcpu, vmcb12_gpa); if (ret) { - if (ret =3D=3D -EFAULT) { - kvm_inject_gp(vcpu, 0); - return 1; - } + if (ret =3D=3D -EFAULT) + return kvm_handle_memory_failure(vcpu, X86EMUL_IO_NEEDED, NULL); =20 /* Advance RIP past VMRUN as part of the nested #VMEXIT. */ return kvm_skip_emulated_instruction(vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 3b1516ea45d4f..a0dacbeaa3c5a 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c 
@@ -2196,10 +2196,8 @@ static int vmload_vmsave_interception(struct kvm_vcp= u *vcpu, bool vmload) return 1; } =20 - if (kvm_vcpu_map(vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map)) { - kvm_inject_gp(vcpu, 0); - return 1; - } + if (kvm_vcpu_map(vcpu, gpa_to_gfn(svm->vmcb->save.rax), &map)) + return kvm_handle_memory_failure(vcpu, X86EMUL_IO_NEEDED, NULL); =20 vmcb12 =3D map.hva; =20 --=20 2.53.0.851.ga537e3e6e9-goog
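
Review bot: The nested.c hunk passes X86EMUL_IO_NEEDED with a NULL exception to kvm_handle_memory_failure(), and nothing at the call site says why that code is the right one for a failed vmcb12 mapping; read in isolation it suggests pending I/O, while the commit message says the intent is an emulation failure. A comment here (the same call is added in vmload_vmsave_interception()) stating the expected outcome, and that this path is reachable by a guest pointing RAX at a legal but unbacked GPA, would make the userspace-visible behaviour explicit.
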
From: Yosry Ahmed
To: Sean Christopherson
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed
Subject: [PATCH v3 6/7] KVM: selftests: Rework svm_nested_invalid_vmcb12_gpa
Date: Fri, 13 Mar 2026 00:10:23 +0000
Message-ID: <20260313001024.136619-7-yosry@kernel.org>
In-Reply-To: <20260313001024.136619-1-yosry@kernel.org>
References: <20260313001024.136619-1-yosry@kernel.org>

The test currently allegedly makes sure that VMRUN causes a #GP if vmcb12 GPA is valid but unmappable. However, it calls run_guest() with the test vmcb12 GPA, and the #GP is produced from VMLOAD, not VMRUN.

Additionally, the underlying just changed to match architectural behavior, and all of VMRUN/VMLOAD/VMSAVE fail emulation if vmcb12 cannot be mapped. The CPU still injects a #GP if the vmcb12 GPA exceeds maxphyaddr.

Rework the test to use the KVM_ONE_VCPU_TEST[_SUITE] harness, and test all of VMRUN/VMLOAD/VMSAVE with both an invalid GPA (-1ULL) causing a #GP, and a valid but unmappable GPA causing emulation failure. Execute the instructions directly from L1 instead of run_guest() to make sure the #GP or emulation failure is produced by the right instruction.

Leave the #VMEXIT with unmappable GPA test case as-is, but wrap it with a test harness as well.

Opportunistically drop gp_triggered, as the test already checks that a #GP was injected through a SYNC, and add an assertion that the max legal GPA is in fact not mapped by userspace (i.e. KVM cannot map it).

Signed-off-by: Yosry Ahmed
---
 .../kvm/x86/svm_nested_invalid_vmcb12_gpa.c | 152 +++++++++++++-----
 1 file changed, 115 insertions(+), 37 deletions(-)

diff --git a/tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.= c b/tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.c index c6d5f712120d1..569869bed20b5 100644 --- a/tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.c +++ b/tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.c @@ -6,6 +6,8 @@ #include "vmx.h" #include "svm_util.h" #include "kselftest.h" +#include "kvm_test_harness.h" +#include "test_util.h" =20 =20 #define L2_GUEST_STACK_SIZE 64 
@@ -13,86 +15,162 @@ #define SYNC_GP 101 #define SYNC_L2_STARTED 102 =20 -u64 valid_vmcb12_gpa; -int gp_triggered; +static unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE]; =20 static void guest_gp_handler(struct ex_regs *regs) { - GUEST_ASSERT(!gp_triggered); GUEST_SYNC(SYNC_GP); - gp_triggered =3D 1; - regs->rax =3D valid_vmcb12_gpa; } =20 -static void l2_guest_code(void) +static void l2_code(void) { GUEST_SYNC(SYNC_L2_STARTED); vmcall(); } =20 -static void l1_guest_code(struct svm_test_data *svm, u64 invalid_vmcb12_gp= a) +static void l1_vmrun(struct svm_test_data *svm, u64 gpa) { - unsigned long l2_guest_stack[L2_GUEST_STACK_SIZE]; + generic_svm_setup(svm, l2_code, &l2_guest_stack[L2_GUEST_STACK_SIZE]); =20 - generic_svm_setup(svm, l2_guest_code, - &l2_guest_stack[L2_GUEST_STACK_SIZE]); + asm volatile ("vmrun %[gpa]" : : [gpa] "a" (gpa) : "memory"); +} =20 - valid_vmcb12_gpa =3D svm->vmcb_gpa; +static void l1_vmload(struct svm_test_data *svm, u64 gpa) +{ + generic_svm_setup(svm, l2_code, &l2_guest_stack[L2_GUEST_STACK_SIZE]); =20 - run_guest(svm->vmcb, invalid_vmcb12_gpa); /* #GP */ + asm volatile ("vmload %[gpa]" : : [gpa] "a" (gpa) : "memory"); +} + +static void l1_vmsave(struct svm_test_data *svm, u64 gpa) +{ + generic_svm_setup(svm, l2_code, &l2_guest_stack[L2_GUEST_STACK_SIZE]); + + asm volatile ("vmsave %[gpa]" : : [gpa] "a" (gpa) : "memory"); +} + +static void l1_vmexit(struct svm_test_data *svm, u64 gpa) +{ + generic_svm_setup(svm, l2_code, &l2_guest_stack[L2_GUEST_STACK_SIZE]); =20 - /* GP handler should jump here */ + run_guest(svm->vmcb, svm->vmcb_gpa); GUEST_ASSERT(svm->vmcb->control.exit_code =3D=3D SVM_EXIT_VMMCALL); GUEST_DONE(); } =20 -int main(int argc, char *argv[]) +static u64 unmappable_gpa(struct kvm_vcpu *vcpu) +{ + struct userspace_mem_region *region; + u64 region_gpa_end, vm_gpa_end =3D 0; + int i; + + hash_for_each(vcpu->vm->regions.slot_hash, i, region, slot_node) { + region_gpa_end =3D region->region.guest_phys_addr + 
region->region.memor= y_size; + vm_gpa_end =3D max(vm_gpa_end, region_gpa_end); + } + + return vm_gpa_end; +} + +static void test_invalid_vmcb12(struct kvm_vcpu *vcpu) { - struct kvm_x86_state *state; vm_vaddr_t nested_gva =3D 0; - struct kvm_vcpu *vcpu; - uint32_t maxphyaddr; - u64 max_legal_gpa; - struct kvm_vm *vm; struct ucall uc; =20 - TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_SVM)); =20 - vm =3D vm_create_with_one_vcpu(&vcpu, l1_guest_code); vm_install_exception_handler(vcpu->vm, GP_VECTOR, guest_gp_handler); - - /* - * Find the max legal GPA that is not backed by a memslot (i.e. cannot - * be mapped by KVM). - */ - maxphyaddr =3D kvm_cpuid_property(vcpu->cpuid, X86_PROPERTY_MAX_PHY_ADDR); - max_legal_gpa =3D BIT_ULL(maxphyaddr) - PAGE_SIZE; - vcpu_alloc_svm(vm, &nested_gva); - vcpu_args_set(vcpu, 2, nested_gva, max_legal_gpa); - - /* VMRUN with max_legal_gpa, KVM injects a #GP */ + vcpu_alloc_svm(vcpu->vm, &nested_gva); + vcpu_args_set(vcpu, 2, nested_gva, -1ULL); vcpu_run(vcpu); + TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO); TEST_ASSERT_EQ(get_ucall(vcpu, &uc), UCALL_SYNC); TEST_ASSERT_EQ(uc.args[1], SYNC_GP); +} + +static void test_unmappable_vmcb12(struct kvm_vcpu *vcpu) +{ + vm_vaddr_t nested_gva =3D 0; + + vcpu_alloc_svm(vcpu->vm, &nested_gva); + vcpu_args_set(vcpu, 2, nested_gva, unmappable_gpa(vcpu)); + vcpu_run(vcpu); + + TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_INTERNAL_ERROR); + TEST_ASSERT_EQ(vcpu->run->emulation_failure.suberror, KVM_INTERNAL_ERROR_= EMULATION); +} + +static void test_unmappable_vmcb12_vmexit(struct kvm_vcpu *vcpu) +{ + struct kvm_x86_state *state; + vm_vaddr_t nested_gva =3D 0; + struct ucall uc; =20 /* - * Enter L2 (with a legit vmcb12 GPA), then overwrite vmcb12 GPA with - * max_legal_gpa. KVM will fail to map vmcb12 on nested VM-Exit and + * Enter L2 (with a legit vmcb12 GPA), then overwrite vmcb12 GPA with an + * unmappable GPA. KVM will fail to map vmcb12 on nested VM-Exit and * cause a shutdown. 
*/ + vcpu_alloc_svm(vcpu->vm, &nested_gva); + vcpu_args_set(vcpu, 2, nested_gva, unmappable_gpa(vcpu)); vcpu_run(vcpu); TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO); TEST_ASSERT_EQ(get_ucall(vcpu, &uc), UCALL_SYNC); TEST_ASSERT_EQ(uc.args[1], SYNC_L2_STARTED); =20 state =3D vcpu_save_state(vcpu); - state->nested.hdr.svm.vmcb_pa =3D max_legal_gpa; + state->nested.hdr.svm.vmcb_pa =3D unmappable_gpa(vcpu); vcpu_load_state(vcpu, state); vcpu_run(vcpu); TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_SHUTDOWN); =20 kvm_x86_state_cleanup(state); - kvm_vm_free(vm); - return 0; +} + +KVM_ONE_VCPU_TEST_SUITE(vmcb12_gpa); + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmrun_invalid, l1_vmrun) +{ + test_invalid_vmcb12(vcpu); +} + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmload_invalid, l1_vmload) +{ + test_invalid_vmcb12(vcpu); +} + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmsave_invalid, l1_vmsave) +{ + test_invalid_vmcb12(vcpu); +} + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmrun_unmappable, l1_vmrun) +{ + test_unmappable_vmcb12(vcpu); +} + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmload_unmappable, l1_vmload) +{ + test_unmappable_vmcb12(vcpu); +} + +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmsave_unmappable, l1_vmsave) +{ + test_unmappable_vmcb12(vcpu); +} + +/* + * Invalid vmcb12_gpa cannot be test for #VMEXIT as KVM_SET_NESTED_STATE w= ill + * reject it. 
+ */ +KVM_ONE_VCPU_TEST(vmcb12_gpa, vmexit_unmappable, l1_vmexit) +{ + test_unmappable_vmcb12_vmexit(vcpu); +} + +int main(int argc, char *argv[]) +{ + TEST_REQUIRE(kvm_cpu_has(X86_FEATURE_SVM)); + + return test_harness_run(argc, argv); } --=20 2.53.0.851.ga537e3e6e9-goog
From: Yosry Ahmed To: Sean Christopherson Cc: Paolo Bonzini , Jim Mattson , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Yosry Ahmed Subject: [PATCH v3 7/7] KVM: selftests: Drop 'invalid' from svm_nested_invalid_vmcb12_gpa's name Date: Fri, 13 Mar 2026 00:10:24 +0000 Message-ID: <20260313001024.136619-8-yosry@kernel.org> X-Mailer: git-send-email 2.53.0.851.ga537e3e6e9-goog In-Reply-To: <20260313001024.136619-1-yosry@kernel.org> References: <20260313001024.136619-1-yosry@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The test checks both invalid GPAs as well as unmappable GPAs, so drop 'invalid' from its name. Signed-off-by: Yosry Ahmed --- tools/testing/selftests/kvm/Makefile.kvm | 2 +- ...{svm_nested_invalid_vmcb12_gpa.c =3D> svm_nested_vmcb12_gpa.c} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename tools/testing/selftests/kvm/x86/{svm_nested_invalid_vmcb12_gpa.c = =3D> svm_nested_vmcb12_gpa.c} (100%) diff --git a/tools/testing/selftests/kvm/Makefile.kvm b/tools/testing/selft= ests/kvm/Makefile.kvm index 3d372d78a2756..02fa13d4ad4f1 100644 --- a/tools/testing/selftests/kvm/Makefile.kvm +++ b/tools/testing/selftests/kvm/Makefile.kvm 
@@ -112,9 +112,9 @@ TEST_GEN_PROGS_x86 +=3D x86/vmx_preemption_timer_test TEST_GEN_PROGS_x86 +=3D x86/svm_vmcall_test TEST_GEN_PROGS_x86 +=3D x86/svm_int_ctl_test TEST_GEN_PROGS_x86 +=3D x86/svm_nested_clear_efer_svme -TEST_GEN_PROGS_x86 +=3D x86/svm_nested_invalid_vmcb12_gpa TEST_GEN_PROGS_x86 +=3D x86/svm_nested_shutdown_test TEST_GEN_PROGS_x86 +=3D x86/svm_nested_soft_inject_test +TEST_GEN_PROGS_x86 +=3D x86/svm_nested_vmcb12_gpa TEST_GEN_PROGS_x86 +=3D x86/svm_lbr_nested_state TEST_GEN_PROGS_x86 +=3D x86/tsc_scaling_sync TEST_GEN_PROGS_x86 +=3D x86/sync_regs_test diff --git a/tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.= c b/tools/testing/selftests/kvm/x86/svm_nested_vmcb12_gpa.c similarity index 100% rename from tools/testing/selftests/kvm/x86/svm_nested_invalid_vmcb12_gpa.c rename to tools/testing/selftests/kvm/x86/svm_nested_vmcb12_gpa.c --=20 2.53.0.851.ga537e3e6e9-goog
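Review bot: l1_vmrun(), l1_vmload() and l1_vmsave() in the "@@ -13,86 +15,162 @@" hunk of svm_nested_invalid_vmcb12_gpa.c have nothing after the asm statement, so if the instruction completes instead of faulting or exiting to userspace, the guest just returns from its entry function and the failure shows up as whatever exit happens next rather than as a clear message. A GUEST_FAIL() (or GUEST_ASSERT(0)) after each asm would make that case explicit. The same hunk removes the comments that explained the GPA choice: a short comment on why -1ULL is expected to take the #GP path, and why the end of the highest memslot returned by unmappable_gpa() is expected to be a legal but unbacked address, would help, since the removed code derived its value from X86_PROPERTY_MAX_PHY_ADDR and the new helper does not check against it. guest_gp_handler() also no longer fixes up RAX, so it is worth a comment that the vCPU must not be resumed after SYNC_GP. Typo in the new comment above vmexit_unmappable: "cannot be test for #VMEXIT" should read "cannot be tested for #VMEXIT".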