Re: [PATCH] KVM: VMX: Raise KVM_REQ_EVENT on TPR below threshold exit

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The patch successfully fixes the VM entry failure for hardware-induced TPR_BELOW_THRESHOLD exits but leaves the exact same vulnerability in software-emulated TPR writes (MMIO, MSR, or intercepted CR8 writes). If the guest lowers TPR such that VTPR falls below TPR_THRESHOLD, but PPR does not drop enough to unmask a pending interrupt (e.g., due to a higher-priority ISR), `apic_update_ppr()` will not raise KVM_REQ_EVENT. Consequently, `kvm_lapic_update_cr8_intercept()` is skipped, leaving a stale TPR_THRESHOLD in the VMCS that is strictly greater than VTPR[7:4]. On hardware without virtual-interrupt delivery, this directly violates SDM VM-entry constraints, causing the exact same hardware error 0x7 VM entry failure the patch was intended to fix.
--

commit 277f13148f7967e36731fd691e61fdaf6d48f638
Author: Carlos López <clopez@suse.de>

KVM: VMX: Raise KVM_REQ_EVENT on TPR below threshold exit

This commit fixes a VM entry failure with hardware error 0x7 on older
platforms or under nested virtualization by re-introducing an unconditional
KVM_REQ_EVENT when handling TPR-below-threshold exits. This ensures that
vmx_update_cr8_intercept() is called to re-evaluate TPR_THRESHOLD.

Link: https://github.com/coconut-svsm/svsm/issues/1081 [1]

> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index c548f22375ad6..21a469d3ba211 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -5824,6 +5824,7 @@ void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
>  static int handle_tpr_below_threshold(struct kvm_vcpu *vcpu)
>  {
>  	kvm_apic_update_ppr(vcpu);
> +	kvm_make_request(KVM_REQ_EVENT, vcpu);

[Severity: High]
This isn't a bug introduced by this patch, but does the same regression
still exist in the software-emulated TPR write paths?

Looking at apic_set_tpr() in arch/x86/kvm/lapic.c:

static void apic_set_tpr(struct kvm_lapic *apic, u32 tpr)
{
        kvm_lapic_set_reg(apic, APIC_TASKPRI, tpr);
        apic_update_ppr(apic);
}

If the guest lowers the TPR via MMIO, MSR, or an intercepted CR8 write such
that VTPR falls below TPR_THRESHOLD, but the PPR does not drop enough to
unmask a pending interrupt, apic_update_ppr() will not raise KVM_REQ_EVENT.

Consequently, kvm_lapic_update_cr8_intercept() would be skipped, leaving a
stale TPR_THRESHOLD in the VMCS that is strictly greater than VTPR[7:4].

Could this lead to the exact same hardware error 0x7 VM entry failure that
this patch aims to fix?

>  	return 1;
>  }

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610185042.2810880-2-clopez@suse.de?part=1