From: James Houghton <jthoughton@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>
Cc: Akinobu Mita <akinobu.mita@gmail.com>,
David Matlack <dmatlack@google.com>,
James Houghton <jthoughton@google.com>,
kvm@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 0/2] KVM: Fault injection
Date: Wed, 6 Aug 2025 21:51:30 +0000
Message-ID: <20250806215133.43475-1-jthoughton@google.com>
Hi Sean and Paolo,
I've prepared a patch that adds some fault injection points into KVM MMU
code to better catch bugs in the future. I put the documentation changes
in their own patch; I'm happy to squash them if you want.
The three points I've added here are:
1. Make KVM think that MMU invalidations happen more often.
2. Make KVM think that cmpxchg for TDP MMU is failing more often.
3. Make KVM think that the MMU lock is contended while iterating over
TDP MMU SPTEs.
Unfortunately I haven't caught any bugs with this yet, but a while ago
we added something like this to consistently reproduce a bug in the
Direct MMU (the old, Google-internal implementation of TDP MMU).
I tried putting a WARN in when the TDP MMU cmpxchg fails to simulate a
bug when cmpxchg fails (this was the case for us with Direct MMU :)),
and running a few of the selftests, I get a few cmpxchg failures at the
beginning of the test, but even with several vCPUs, they only appear at
the beginning of the test. With fault injection, we can get them
constantly, exposing more code paths to cmpxchg failures.
It would be really great if this could be hooked into syzkaller for
better coverage; not sure what's needed for that.
Also if you have any ideas for what other fault injection points make
sense, I'd be happy to add them.
Please let me know what you think. Thanks!
This patch is based on the tip of Linus's tree.
James Houghton (2):
KVM: Add fault injection for some MMU operations
Documentation: fault-injection: Add entries for KVM fault injection
points
.../fault-injection/fault-injection.rst | 12 +++++++
arch/x86/kvm/Makefile | 1 +
arch/x86/kvm/debugfs.c | 6 ++++
arch/x86/kvm/mmu/fault_injection.c | 36 +++++++++++++++++++
arch/x86/kvm/mmu/fault_injection.h | 31 ++++++++++++++++
arch/x86/kvm/mmu/mmu.c | 1 +
arch/x86/kvm/mmu/tdp_mmu.c | 10 ++++--
include/linux/kvm_host.h | 19 ++++++++--
lib/Kconfig.debug | 8 +++++
virt/kvm/kvm_main.c | 25 +++++++++++++
10 files changed, 143 insertions(+), 6 deletions(-)
create mode 100644 arch/x86/kvm/mmu/fault_injection.c
create mode 100644 arch/x86/kvm/mmu/fault_injection.h
base-commit: cca7a0aae8958c9b1cd14116cb8b2f22ace2205e
--
2.50.1.703.g449372360f-goog
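As an added illustration, not part of this series or of KVM's own code, here is a constructed user-space C model of injection point 2: a cmpxchg wrapper that can be forced to fail on a schedule, the correct caller that retries, and a caller that ignores the failure, so the injected fault exposes the bug on every run rather than only when a real race happens. All names (fail_attr, should_fail, spte_cmpxchg, the two callers) are assumptions; the knob mimics the kernel fault-injection framework's interval/times attributes.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
/* Constructed user-space model of a TDP-MMU-style SPTE slot; not KVM code. */
typedef _Atomic uint64_t spte_t;

/* Knob modelled on the fault-injection "interval"/"times" attrs: fail every
 * interval-th call, at most `times` times (0 = no cap). */
struct fail_attr { unsigned interval, times, calls, failed; };

static bool should_fail(struct fail_attr *f)
{
    f->calls++;
    if (f->interval == 0 || f->calls % f->interval != 0)
        return false;
    if (f->times != 0 && f->failed >= f->times)
        return false;
    f->failed++;
    return true;
}

/* Hypothetical cmpxchg wrapper carrying the injection point: an injected
 * failure looks exactly like another vCPU having updated the SPTE first. */
static bool spte_cmpxchg(struct fail_attr *f, spte_t *p, uint64_t old, uint64_t val)
{
    if (should_fail(f))
        return false;
    return atomic_compare_exchange_strong(p, &old, val);
}

/* Correct caller: re-read the SPTE and retry until the update lands.
 * Returns how many retries were needed. */
static unsigned set_spte_retrying(struct fail_attr *f, spte_t *p, uint64_t val)
{
    unsigned retries = 0;
    for (;;) {
        uint64_t old = atomic_load(p);
        if (spte_cmpxchg(f, p, old, val))
            return retries;
        retries++;
    }
}

/* Buggy caller: ignores the cmpxchg result, so an injected failure silently
 * drops the update. Returns whether the new value actually landed. */
static bool set_spte_ignoring_failure(struct fail_attr *f, spte_t *p, uint64_t val)
{
    uint64_t old = atomic_load(p);
    (void)spte_cmpxchg(f, p, old, val);
    return atomic_load(p) == val;
}
```

With interval set to 1 the buggy caller loses its first update on every run, which is the deterministic reproduction the cover letter describes wanting for the Direct MMU bug.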
Thread overview: 4+ messages
2025-08-06 21:51 James Houghton [this message]
2025-08-06 21:51 ` [PATCH 1/2] KVM: Add fault injection for some MMU operations James Houghton
2026-03-04 15:39 ` Sean Christopherson
2025-08-06 21:51 ` [PATCH 2/2] Documentation: fault-injection: Add entries for KVM fault injection points James Houghton