From: Binbin Wu <binbin.wu@linux.intel.com>
To: pbonzini@redhat.com, xiaoyao.li@intel.com, qemu-devel@nongnu.org
Cc: seanjc@google.com, michael.roth@amd.com,
rick.p.edgecombe@intel.com, isaku.yamahata@intel.com,
farrah.chen@intel.com, kvm@vger.kernel.org,
binbin.wu@linux.intel.com
Subject: [PATCH] i386/kvm: Set return value after handling KVM_EXIT_HYPERCALL
Date: Thu, 12 Dec 2024 11:26:28 +0800 [thread overview]
Message-ID: <20241212032628.475976-1-binbin.wu@linux.intel.com> (raw)
Userspace should set the ret field of hypercall after handling
KVM_EXIT_HYPERCALL. Otherwise, a stale value could be returned to KVM.
Fixes: 47e76d03b15 ("i386/kvm: Add KVM_EXIT_HYPERCALL handling for KVM_HC_MAP_GPA_RANGE")
Reported-by: Farrah Chen <farrah.chen@intel.com>
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
---
To test the TDX code in kvm-coco-queue, please apply the patch to the QEMU,
otherwise, TDX guest boot could fail.
A matching QEMU tree including this patch is here:
https://github.com/intel-staging/qemu-tdx/releases/tag/tdx-qemu-upstream-v6.1-fix_kvm_hypercall_return_value
Previously, the issue was not triggered because no one would modify the ret
value. But with the refactor patch for __kvm_emulate_hypercall() in KVM,
https://lore.kernel.org/kvm/20241128004344.4072099-7-seanjc@google.com/, the
value could be modified.
---
target/i386/kvm/kvm.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 8e17942c3b..4bcccb48d1 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -6005,10 +6005,14 @@ static int kvm_handle_hc_map_gpa_range(struct kvm_run *run)
static int kvm_handle_hypercall(struct kvm_run *run)
{
+ int ret = -EINVAL;
+
if (run->hypercall.nr == KVM_HC_MAP_GPA_RANGE)
- return kvm_handle_hc_map_gpa_range(run);
+ ret = kvm_handle_hc_map_gpa_range(run);
+
+ run->hypercall.ret = ret;
- return -EINVAL;
+ return ret;
}
#define VMX_INVALID_GUEST_STATE 0x80000021
base-commit: ae35f033b874c627d81d51070187fbf55f0bf1a7
--
2.46.0
next reply other threads:[~2024-12-12 3:25 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-12 3:26 Binbin Wu [this message]
2024-12-12 3:41 ` [PATCH] i386/kvm: Set return value after handling KVM_EXIT_HYPERCALL Yao Yuan
2024-12-12 3:44 ` Xiaoyao Li
2024-12-12 5:18 ` Binbin Wu
2024-12-12 7:09 ` Xiaoyao Li
2024-12-12 7:24 ` Binbin Wu
2024-12-12 8:07 ` Zhao Liu
2024-12-12 16:03 ` Paolo Bonzini
2024-12-12 19:13 ` Sean Christopherson
2024-12-12 21:28 ` Paolo Bonzini
2024-12-12 22:11 ` Sean Christopherson
2024-12-13 1:46 ` Binbin Wu
2024-12-13 1:52 ` Binbin Wu
2024-12-13 1:56 ` Binbin Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241212032628.475976-1-binbin.wu@linux.intel.com \
--to=binbin.wu@linux.intel.com \
--cc=farrah.chen@intel.com \
--cc=isaku.yamahata@intel.com \
--cc=kvm@vger.kernel.org \
--cc=michael.roth@amd.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rick.p.edgecombe@intel.com \
--cc=seanjc@google.com \
--cc=xiaoyao.li@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.