[PATCH 0/2] KVM: x86: Do runtime updates during KVM_SET_CPUID2

[PATCH 0/2] KVM: x86: Do runtime updates during KVM_SET_CPUID2

[Sean Christopherson]

Do runtime updates (if necessary) when userspace sets CPUID to fix a bug
where KVM drops a pending update (KVM will clear the dirty flag when doing
updates on the new/incoming CPUID).  The bug most visibly manifests as an
-EINVAL failure on KVM_SET_CPUID{,2} due to the old/current CPUID not
matching the new/incoming CPUID, but if userspace were to continue running
past the failure, the vCPU would run with stale CPUID/caps.

Sean Christopherson (2):
  KVM: x86: Apply runtime updates to current CPUID during
    KVM_SET_CPUID{,2}
  KVM: selftests: Add a CPUID testcase for KVM_SET_CPUID2 with runtime
    updates

 arch/x86/kvm/cpuid.c                         | 11 +++++++++--
 tools/testing/selftests/kvm/x86/cpuid_test.c | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)


base-commit: 115d5de2eef32ac5cd488404b44b38789362dbe6
-- 
2.52.0.107.ga0afd4fd5b-goog

[PATCH 1/2] KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2}

[Sean Christopherson]

When handling KVM_SET_CPUID{,2}, do runtime CPUID updates on the vCPU's
current CPUID (and caps) prior to swapping in the incoming CPUID state so
that KVM doesn't lose pending updates if the incoming CPUID is rejected,
and to prevent a false failure on the equality check.

Note, runtime updates are unconditionally performed on the incoming/new
CPUID (and associated caps), i.e. clearing the dirty flag won't negatively
affect the new CPUID.

Fixes: 93da6af3ae56 ("KVM: x86: Defer runtime updates of dynamic CPUID bits until CPUID emulation")
Reported-by: Igor Mammedov <imammedo@redhat.com>
Closes: https://lore.kernel.org/all/20251128123202.68424a95@imammedo
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/cpuid.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index d563a948318b..88a5426674a1 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -509,11 +509,18 @@ static int kvm_set_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *e2,
 	u32 vcpu_caps[NR_KVM_CPU_CAPS];
 	int r;
 
+	/*
+	 * Apply pending runtime CPUID updates to the current CPUID entries to
+	 * avoid false positives due to mismatches on KVM-owned feature flags.
+	 */
+	if (vcpu->arch.cpuid_dynamic_bits_dirty)
+		kvm_update_cpuid_runtime(vcpu);
+
 	/*
 	 * Swap the existing (old) entries with the incoming (new) entries in
 	 * order to massage the new entries, e.g. to account for dynamic bits
-	 * that KVM controls, without clobbering the current guest CPUID, which
-	 * KVM needs to preserve in order to unwind on failure.
+	 * that KVM controls, without losing the current guest CPUID, which KVM
+	 * needs to preserve in order to unwind on failure.
 	 *
 	 * Similarly, save the vCPU's current cpu_caps so that the capabilities
 	 * can be updated alongside the CPUID entries when performing runtime
-- 
2.52.0.107.ga0afd4fd5b-goog

[PATCH 2/2] KVM: selftests: Add a CPUID testcase for KVM_SET_CPUID2 with runtime updates

[Sean Christopherson]

Add a CPUID testcase to verify that KVM allows KVM_SET_CPUID2 after (or in
conjunction with) runtime updates.  This is a regression test for the bug
introduced by commit 93da6af3ae56 ("KVM: x86: Defer runtime updates of
dynamic CPUID bits until CPUID emulation"), where KVM would incorrectly
reject KVM_SET_CPUID due to a not handling a pending runtime update on the
current CPUID, resulting in a false mismatch between the "old" and "new"
CPUID entries.

Link: https://lore.kernel.org/all/20251128123202.68424a95@imammedo
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 tools/testing/selftests/kvm/x86/cpuid_test.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tools/testing/selftests/kvm/x86/cpuid_test.c b/tools/testing/selftests/kvm/x86/cpuid_test.c
index 7b3fda6842bc..f9ed14996977 100644
--- a/tools/testing/selftests/kvm/x86/cpuid_test.c
+++ b/tools/testing/selftests/kvm/x86/cpuid_test.c
@@ -155,6 +155,7 @@ struct kvm_cpuid2 *vcpu_alloc_cpuid(struct kvm_vm *vm, vm_vaddr_t *p_gva, struct
 static void set_cpuid_after_run(struct kvm_vcpu *vcpu)
 {
 	struct kvm_cpuid_entry2 *ent;
+	struct kvm_sregs sregs;
 	int rc;
 	u32 eax, ebx, x;
 
@@ -162,6 +163,20 @@ static void set_cpuid_after_run(struct kvm_vcpu *vcpu)
 	rc = __vcpu_set_cpuid(vcpu);
 	TEST_ASSERT(!rc, "Setting unmodified CPUID after KVM_RUN failed: %d", rc);
 
+	/*
+	 * Toggle CR4 bits that affect dynamic CPUID feature flags to verify
+	 * setting unmodified CPUID succeeds with runtime CPUID updates.
+	 */
+	vcpu_sregs_get(vcpu, &sregs);
+	if (kvm_cpu_has(X86_FEATURE_XSAVE))
+		sregs.cr4 ^= X86_CR4_OSXSAVE;
+	if (kvm_cpu_has(X86_FEATURE_PKU))
+		sregs.cr4 ^= X86_CR4_PKE;
+	vcpu_sregs_set(vcpu, &sregs);
+
+	rc = __vcpu_set_cpuid(vcpu);
+	TEST_ASSERT(!rc, "Setting unmodified CPUID after KVM_RUN failed: %d", rc);
+
 	/* Changing CPU features is forbidden */
 	ent = vcpu_get_cpuid_entry(vcpu, 0x7);
 	ebx = ent->ebx;
-- 
2.52.0.107.ga0afd4fd5b-goog

Re: [PATCH 1/2] KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2}

[Igor Mammedov]

On Mon,  1 Dec 2025 17:50:48 -0800
Sean Christopherson <seanjc@google.com> wrote:

> When handling KVM_SET_CPUID{,2}, do runtime CPUID updates on the vCPU's
> current CPUID (and caps) prior to swapping in the incoming CPUID state so
> that KVM doesn't lose pending updates if the incoming CPUID is rejected,
> and to prevent a false failure on the equality check.
> 
> Note, runtime updates are unconditionally performed on the incoming/new
> CPUID (and associated caps), i.e. clearing the dirty flag won't negatively
> affect the new CPUID.
> 
> Fixes: 93da6af3ae56 ("KVM: x86: Defer runtime updates of dynamic CPUID bits until CPUID emulation")
> Reported-by: Igor Mammedov <imammedo@redhat.com>
> Closes: https://lore.kernel.org/all/20251128123202.68424a95@imammedo
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>

Acked-by: Igor Mammedov <imammedo@redhat.com>
Tested-by: Igor Mammedov <imammedo@redhat.com>

> ---
>  arch/x86/kvm/cpuid.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index d563a948318b..88a5426674a1 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -509,11 +509,18 @@ static int kvm_set_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *e2,
>  	u32 vcpu_caps[NR_KVM_CPU_CAPS];
>  	int r;
>  
> +	/*
> +	 * Apply pending runtime CPUID updates to the current CPUID entries to
> +	 * avoid false positives due to mismatches on KVM-owned feature flags.
> +	 */
> +	if (vcpu->arch.cpuid_dynamic_bits_dirty)
> +		kvm_update_cpuid_runtime(vcpu);
> +
>  	/*
>  	 * Swap the existing (old) entries with the incoming (new) entries in
>  	 * order to massage the new entries, e.g. to account for dynamic bits
> -	 * that KVM controls, without clobbering the current guest CPUID, which
> -	 * KVM needs to preserve in order to unwind on failure.
> +	 * that KVM controls, without losing the current guest CPUID, which KVM
> +	 * needs to preserve in order to unwind on failure.
>  	 *
>  	 * Similarly, save the vCPU's current cpu_caps so that the capabilities
>  	 * can be updated alongside the CPUID entries when performing runtime

Re: [PATCH 0/2] KVM: x86: Do runtime updates during KVM_SET_CPUID2

[Sean Christopherson]

On Mon, 01 Dec 2025 17:50:47 -0800, Sean Christopherson wrote:
> Do runtime updates (if necessary) when userspace sets CPUID to fix a bug
> where KVM drops a pending update (KVM will clear the dirty flag when doing
> updates on the new/incoming CPUID).  The bug most visibly manifests as an
> -EINVAL failure on KVM_SET_CPUID{,2} due to the old/current CPUID not
> matching the new/incoming CPUID, but if userspace were to continue running
> past the failure, the vCPU would run with stale CPUID/caps.
> 
> [...]

Applied to kvm-x86 fixes, thanks!

[1/2] KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2}
      https://github.com/kvm-x86/linux/commit/e2b43fb25243
[2/2] KVM: selftests: Add a CPUID testcase for KVM_SET_CPUID2 with runtime updates
      https://github.com/kvm-x86/linux/commit/824d227324dc

--
https://github.com/kvm-x86/linux/tree/next