From: Yosry Ahmed <yosry@kernel.org>
To: Sean Christopherson <seanjc@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Jim Mattson <jmattson@google.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Yosry Ahmed <yosry@kernel.org>
Subject: [PATCH v4 1/9] KVM: SVM: Properly check RAX in the emulator for SVM instructions
Date: Mon, 16 Mar 2026 20:27:24 +0000
Message-ID: <20260316202732.3164936-2-yosry@kernel.org>
In-Reply-To: <20260316202732.3164936-1-yosry@kernel.org>
Architecturally, VMRUN/VMLOAD/VMSAVE should generate a #GP if the
physical address in RAX is not supported. check_svme_pa() hardcodes this
to checking that bits 63-48 are not set. This is incorrect on HW
supporting 52 bits of physical address space. Additionally, the emulator
does not check if the address is not aligned, which should also result
in #GP.
Use page_address_valid() which properly checks alignment and the address
legality based on the guest's MAXPHYADDR. Plumb it through
x86_emulate_ops, similar to is_canonical_addr(), to avoid directly
accessing the vCPU object in emulator code.
Fixes: 01de8b09e606 ("KVM: SVM: Add intercept checks for SVM instructions")
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry@kernel.org>
---
arch/x86/kvm/emulate.c | 3 +--
arch/x86/kvm/kvm_emulate.h | 2 ++
arch/x86/kvm/x86.c | 6 ++++++
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 6145dac4a605a..c8c6cc0406d6d 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3887,8 +3887,7 @@ static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
{
u64 rax = reg_read(ctxt, VCPU_REGS_RAX);
- /* Valid physical address? */
- if (rax & 0xffff000000000000ULL)
+ if (!ctxt->ops->page_address_valid(ctxt, rax))
return emulate_gp(ctxt, 0);
return check_svme(ctxt);
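Review bot: dropping the `/* Valid physical address? */` comment leaves the call site silent about why RAX now fails in more cases than before; the replaced line only rejected addresses with bits 63:48 set, whereas the new `ctxt->ops->page_address_valid()` check (per the commit message) also rejects unaligned addresses and addresses above the guest's MAXPHYADDR. Consider a one-line comment such as `/* RAX must be page aligned and within guest MAXPHYADDR, else #GP. */` above the `if` so the stricter semantics are visible without reading x86.c.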
diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h
index fb3dab4b5a53e..0abff36d09942 100644
--- a/arch/x86/kvm/kvm_emulate.h
+++ b/arch/x86/kvm/kvm_emulate.h
@@ -245,6 +245,8 @@ struct x86_emulate_ops {
bool (*is_canonical_addr)(struct x86_emulate_ctxt *ctxt, gva_t addr,
unsigned int flags);
+
+ bool (*page_address_valid)(struct x86_emulate_ctxt *ctxt, gpa_t gpa);
};
/* Type, address-of, and value of an instruction's operand. */
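Review bot: the new `page_address_valid` member of `struct x86_emulate_ops` is added without a comment stating its contract (returns true only for a page-aligned GPA that the guest's MAXPHYADDR permits), and nothing in the declaration itself conveys that. A short comment above `+ bool (*page_address_valid)(struct x86_emulate_ctxt *ctxt, gpa_t gpa);` would help future emulator call sites use it for the right class of check, mirroring how `is_canonical_addr` is used for virtual addresses.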
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 0b5d48e75b657..11d5bd84e323d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -8916,6 +8916,11 @@ static bool emulator_is_canonical_addr(struct x86_emulate_ctxt *ctxt,
return !is_noncanonical_address(addr, emul_to_vcpu(ctxt), flags);
}
+static bool emulator_page_address_valid(struct x86_emulate_ctxt *ctxt, gpa_t gpa)
+{
+ return page_address_valid(emul_to_vcpu(ctxt), gpa);
+}
+
static const struct x86_emulate_ops emulate_ops = {
.vm_bugged = emulator_vm_bugged,
.read_gpr = emulator_read_gpr,
@@ -8963,6 +8968,7 @@ static const struct x86_emulate_ops emulate_ops = {
.set_xcr = emulator_set_xcr,
.get_untagged_addr = emulator_get_untagged_addr,
.is_canonical_addr = emulator_is_canonical_addr,
+ .page_address_valid = emulator_page_address_valid,
};
static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask)
--
2.53.0.851.ga537e3e6e9-goog
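The commit message describes two defects in the old check: it cannot express a guest MAXPHYADDR other than 48 bits, and it never tests alignment. The following is an added, stand-alone C model of that comparison (not KVM's code and not from this patch): `old_check_svme_pa` is reconstructed from the removed hunk lines, and `model_page_address_valid` is a hypothetical reimplementation of the semantics the commit message attributes to `page_address_valid()`, parameterised by an assumed guest MAXPHYADDR.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL

/* Pre-patch emulator check, reconstructed from the removed hunk lines:
 * reject only if any of bits 63:48 is set. */
static bool old_check_svme_pa(uint64_t rax)
{
	return !(rax & 0xffff000000000000ULL);
}

/* Hypothetical model of the semantics the commit message attributes to
 * page_address_valid(): the GPA must be page aligned and must not set any
 * bit at or above the guest's MAXPHYADDR. Illustration only, not KVM code. */
static bool model_page_address_valid(uint64_t gpa, unsigned int guest_maxphyaddr)
{
	uint64_t reserved_mask = guest_maxphyaddr >= 64 ? 0 : ~0ULL << guest_maxphyaddr;

	if (gpa & (PAGE_SIZE - 1))
		return false;	/* unaligned: #GP, which the old check missed */
	return !(gpa & reserved_mask);
}

int main(void)
{
	/* Constructed sample inputs covering each way the two checks disagree. */
	struct { uint64_t gpa; unsigned int maxphyaddr; } cases[] = {
		{ 0x1000ULL, 48 },	/* ordinary page: both accept */
		{ 0x1234ULL, 48 },	/* unaligned: old accepts, model rejects */
		{ 1ULL << 50, 52 },	/* legal on a 52-bit guest: old wrongly rejects */
		{ 1ULL << 44, 40 },	/* above a 40-bit MAXPHYADDR: old wrongly accepts */
	};

	for (unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("gpa=%#018llx maxphyaddr=%u old=%d model=%d\n",
		       (unsigned long long)cases[i].gpa, cases[i].maxphyaddr,
		       old_check_svme_pa(cases[i].gpa),
		       model_page_address_valid(cases[i].gpa, cases[i].maxphyaddr));
	return 0;
}
```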
2026-03-16 20:27 [PATCH v4 0/9] KVM: SVM: Fixes for VMCB12 checks and mapping Yosry Ahmed
2026-03-16 20:27 ` Yosry Ahmed [this message]
2026-03-16 20:56 ` [PATCH v4 1/9] KVM: SVM: Properly check RAX in the emulator for SVM instructions Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 2/9] KVM: SVM: Refactor SVM instruction handling on #GP intercept Yosry Ahmed
2026-04-03 18:18 ` Sean Christopherson
2026-04-03 21:45 ` Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 3/9] KVM: SVM: Properly check RAX on #GP intercept of SVM instructions Yosry Ahmed
2026-04-03 17:39 ` Sean Christopherson
2026-04-03 19:00 ` Sean Christopherson
2026-04-03 21:43 ` Yosry Ahmed
2026-04-03 22:16 ` Sean Christopherson
2026-03-16 20:27 ` [PATCH v4 4/9] KVM: SVM: Move RAX legality check to SVM insn interception handlers Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 5/9] KVM: SVM: Check EFER.SVME and CPL on #GP intercept of SVM instructions Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 6/9] KVM: SVM: Treat mapping failures equally in VMLOAD/VMSAVE emulation Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 7/9] KVM: nSVM: Fail emulation of VMRUN/VMLOAD/VMSAVE if mapping vmcb12 fails Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 8/9] KVM: selftests: Rework svm_nested_invalid_vmcb12_gpa Yosry Ahmed
2026-03-16 20:27 ` [PATCH v4 9/9] KVM: selftests: Drop 'invalid' from svm_nested_invalid_vmcb12_gpa's name Yosry Ahmed
2026-04-03 19:05 ` [PATCH v4 0/9] KVM: SVM: Fixes for VMCB12 checks and mapping Sean Christopherson
2026-04-03 21:45 ` Yosry Ahmed