Re: [PATCH] KVM: x86: Add support for cmpxchg16b emulation

[Sean Christopherson <seanjc@google.com>]

On Fri, Mar 06, 2026, Sairaj Kodilkar wrote:
> AMD and Intel both provides support for 128 bit cmpxchg operands using
> cmpxchg8b/cmpxchg16b instructions (opcode 0FC7). However, kvm does not
> support emulating cmpxchg16b (i.e when destination memory is 128 bit and
> REX.W = 1) which causes emulation failure when QEMU guest performs a
> cmpxchg16b on a memory region setup as a IO.
> 
> Hence extend cmpxchg8b to perform cmpxchg16b when the destination memory
> is 128 bit.
> 
> Signed-off-by: Sairaj Kodilkar <sarunkod@amd.com>
> ---
> Background:
> 
> The AMD IOMMU driver writes 256-bit device table entries with two
> 128-bit cmpxchg operations. For guests using hardware-accelerated
> vIOMMU (still in progress), QEMU traps device table accesses to set up
> nested page tables. Without 128-bit cmpxchg emulation, KVM cannot
> handle these traps and DTE access emulation fails.

Please put this paragraph in the changelog proper, the "why" matters greatly here.

> QEMU implementation that traps DTE accesses:
> https://github.com/AMDESE/qemu-iommu/blob/wip/for_iommufd_hw_queue-v8_amd_viommu_20260106/hw/i386/amd_viommu.c#L517
> ---
>  arch/x86/kvm/emulate.c     | 48 +++++++++++++++++++++++++++++++-------
>  arch/x86/kvm/kvm_emulate.h |  1 +
>  2 files changed, 41 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index c8e292e9a24d..e1a08cd3274b 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -2188,17 +2188,18 @@ static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
>  	return rc;
>  }
>  
> -static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
> +static int __handle_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
>  {
> -	u64 old = ctxt->dst.orig_val64;
> +	u64 old64 = ctxt->dst.orig_val64;
>  
> -	if (ctxt->dst.bytes == 16)
> +	/* Use of the REX.W prefix promotes operation to 128 bits */
> +	if (ctxt->rex_bits & REX_W)

Uh, yeah, and the caller specifically pivoted on this size.  I'm a-ok with a
sanity check, but it should be exactly that, e.g.

	if (WARN_ON_ONCE(8 + (ctxt->rex_bits & REX_W) * 8 != ctxt->dst.bytes))
		return X86EMUL_UNHANDLEABLE;

>  		return X86EMUL_UNHANDLEABLE;
>  
> -	if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
> -	    ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
> -		*reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
> -		*reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
> +	if (((u32) (old64 >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
> +	    ((u32) (old64 >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
> +		*reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old64 >> 0);
> +		*reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old64 >> 32);
>  		ctxt->eflags &= ~X86_EFLAGS_ZF;
>  	} else {
>  		ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
> @@ -2209,6 +2210,37 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
>  	return X86EMUL_CONTINUE;
>  }
>  
> +static int __handle_cmpxchg16b(struct x86_emulate_ctxt *ctxt)
> +{
> +	__uint128_t old128 = ctxt->dst.val128;

There is zero chance you properly tested this patch.  Please write comprehensive
testcases in KUT's emulator64.c before posting the next version.

In writeback(), the OP_MEM case quite clearly operates on "unsigned long" values
*and* consumes orig_val in the locked case.

	case OP_MEM:
		if (ctxt->lock_prefix)
			return segmented_cmpxchg(ctxt,
						 op->addr.mem,
						 &op->orig_val,
						 &op->val,
						 op->bytes);
		else
			return segmented_write(ctxt,
					       op->addr.mem,
					       &op->val,
					       op->bytes);

And then emulator_cmpxchg_emulated() should be taught to do cmpxchg16b itself:

	/* guests cmpxchg8b have to be emulated atomically */
	if (bytes > 8 || (bytes & (bytes - 1)))
		goto emul_write;

That might be a big lift, e.g. to get a 16-byte uaccess version.  If it's
unreasonably difficult, we should reject emulation of LOCK CMPXCHG16B.

And this code would also need to be updated to copy the full 128-bit value.

	/* Copy full 64-bit value for CMPXCHG8B.  */
	ctxt->dst.orig_val64 = ctxt->dst.val64;

Maybe something like this?  Or maybe just copy 128 bits unconditionally (I'm not
sure if that could read uninitiatlized data or not).

	/* Copy the full 64/128-bit value for CMPXCHG8B/16B.  */
	if (IS_ENABLED(CONFIG_X86_64) && ctxt->dst.bytes == 16)
		ctxt->dst.orig_val128 = ctxt->dst.val128;
	else
		ctxt->dst.orig_val64 = ctxt->dst.val64;

> +
> +	/* Use of the REX.W prefix promotes operation to 128 bits */
> +	if (!(ctxt->rex_bits & REX_W))
> +		return X86EMUL_UNHANDLEABLE;
> +
> +	if (((u64) (old128 >> 0) != (u64) reg_read(ctxt, VCPU_REGS_RAX)) ||
> +	    ((u64) (old128 >> 64) != (u64) reg_read(ctxt, VCPU_REGS_RDX))) {
> +		*reg_write(ctxt, VCPU_REGS_RAX) = (u64) (old128 >> 0);
> +		*reg_write(ctxt, VCPU_REGS_RDX) = (u64) (old128 >> 64);
> +		ctxt->eflags &= ~X86_EFLAGS_ZF;
> +	} else {
> +		ctxt->dst.val128 =
> +			((__uint128_t) reg_read(ctxt, VCPU_REGS_RCX) << 64) |
> +			(u64) reg_read(ctxt, VCPU_REGS_RBX);
> +
> +		ctxt->eflags |= X86_EFLAGS_ZF;

IMO we should use a macro to handle 8b vs. 16b.  The code is going to be heinous
no matter what, and so to me, duplicating everything makes it twice as ugly,
whereas a macro makes it like 10% more ugly.

> +	}
> +	return X86EMUL_CONTINUE;
> +}
> +
> +static int em_cmpxchgxb(struct x86_emulate_ctxt *ctxt)
> +{
> +	if (ctxt->dst.bytes == 16)
> +		return __handle_cmpxchg16b(ctxt);
> +
> +	return __handle_cmpxchg8b(ctxt);
> +}
> +
>  static int em_ret(struct x86_emulate_ctxt *ctxt)
>  {
>  	int rc;
> @@ -4097,7 +4129,7 @@ static const struct gprefix pfx_0f_c7_7 = {
>  
>  
>  static const struct group_dual group9 = { {
> -	N, I(DstMem64 | Lock | PageTable, em_cmpxchg8b), N, N, N, N, N, N,
> +	N, I(DstMem64 | Lock | PageTable, em_cmpxchgxb), N, N, N, N, N, N,

Eh, I vote to keep it em_cmpxchg8b.  _If_ we want to capture that its size is
variable, maybe em_cmpxchg8b_16b?  em_cmpxchgxb just looks like a typo.

Sans correct writeback() handling, something like so:

---
 arch/x86/kvm/emulate.c     | 44 ++++++++++++++++++++++++--------------
 arch/x86/kvm/kvm_emulate.h |  2 ++
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 6145dac4a605..3ec4555571fa 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2201,24 +2201,33 @@ static int em_call_near_abs(struct x86_emulate_ctxt *ctxt)
 	return rc;
 }
 
+#define em_cmpxchg8b_16b(__c, rbits, mbits)						  \
+do {											  \
+	u##mbits old = __c->dst.orig_val##mbits;					  \
+											  \
+	BUILD_BUG_ON(rbits * 2 != mbits);						  \
+											  \
+	if (((u##rbits)(old >> 0)     != (u##rbits)reg_read(__c, VCPU_REGS_RAX)) ||	  \
+	    ((u##rbits)(old >> rbits) != (u##rbits)reg_read(__c, VCPU_REGS_RDX))) {	  \
+		*reg_write(__c, VCPU_REGS_RAX) = (u##rbits)(old >> 0);			  \
+		*reg_write(__c, VCPU_REGS_RDX) = (u##rbits)(old >> rbits);		  \
+		__c->eflags &= ~X86_EFLAGS_ZF;						  \
+	} else {									  \
+		__c->dst.val##mbits = ((u##mbits)reg_read(__c, VCPU_REGS_RCX) << rbits) | \
+				       (u##rbits)reg_read(__c, VCPU_REGS_RBX);		  \
+		__c->eflags |= X86_EFLAGS_ZF;						  \
+	}										  \
+} while (0)
+
 static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
 {
-	u64 old = ctxt->dst.orig_val64;
-
-	if (ctxt->dst.bytes == 16)
+	if (WARN_ON_ONCE(8 + (ctxt->rex_bits & REX_W) * 8 != ctxt->dst.bytes))
 		return X86EMUL_UNHANDLEABLE;
 
-	if (((u32) (old >> 0) != (u32) reg_read(ctxt, VCPU_REGS_RAX)) ||
-	    ((u32) (old >> 32) != (u32) reg_read(ctxt, VCPU_REGS_RDX))) {
-		*reg_write(ctxt, VCPU_REGS_RAX) = (u32) (old >> 0);
-		*reg_write(ctxt, VCPU_REGS_RDX) = (u32) (old >> 32);
-		ctxt->eflags &= ~X86_EFLAGS_ZF;
-	} else {
-		ctxt->dst.val64 = ((u64)reg_read(ctxt, VCPU_REGS_RCX) << 32) |
-			(u32) reg_read(ctxt, VCPU_REGS_RBX);
-
-		ctxt->eflags |= X86_EFLAGS_ZF;
-	}
+	if (!(ctxt->rex_bits & REX_W))
+		em_cmpxchg8b_16b(ctxt, 32, 64);
+	else
+		em_cmpxchg8b_16b(ctxt, 64, 128);
 	return X86EMUL_CONTINUE;
 }
 
@@ -5418,8 +5427,11 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts)
 			goto done;
 		}
 	}
-	/* Copy full 64-bit value for CMPXCHG8B.  */
-	ctxt->dst.orig_val64 = ctxt->dst.val64;
+	/* Copy the full 64/128-bit value for CMPXCHG8B/16B.  */
+	if (IS_ENABLED(CONFIG_X86_64) && ctxt->dst.bytes == 16)
+		ctxt->dst.orig_val128 = ctxt->dst.val128;
+	else
+		ctxt->dst.orig_val64 = ctxt->dst.val64;
 
 special_insn:
 
diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h
index fb3dab4b5a53..0e9968319343 100644
--- a/arch/x86/kvm/kvm_emulate.h
+++ b/arch/x86/kvm/kvm_emulate.h
@@ -255,6 +255,7 @@ struct operand {
 	union {
 		unsigned long orig_val;
 		u64 orig_val64;
+		u64 orig_val128;
 	};
 	union {
 		unsigned long *reg;
@@ -268,6 +269,7 @@ struct operand {
 	union {
 		unsigned long val;
 		u64 val64;
+		__uint128_t val128;
 		char valptr[sizeof(avx256_t)];
 		sse128_t vec_val;
 		avx256_t vec_val2;

base-commit: 5128b972fb2801ad9aca54d990a75611ab5283a9
--