* [GIT PULL] KVM: x86: Changes for 6.15
@ 2025-03-18 18:02 Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: Misc changes " Sean Christopherson
` (8 more replies)
0 siblings, 9 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:02 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
There are two conflicts between the PV clock pull request and the Xen
pull request.
1. The Xen branch moves Xen TSC leaf updates to CPUID emulation, and the PV
clock branch renames the fields in kvm_vcpu_arch that are used to update
the Xen leafs. After the dust settles, kvm_cpuid() should look like:
	} else if (IS_ENABLED(CONFIG_KVM_XEN) &&
		   kvm_xen_is_tsc_leaf(vcpu, function)) {
		/*
		 * Update guest TSC frequency information if necessary.
		 * Ignore failures, there is no sane value that can be
		 * provided if KVM can't get the TSC frequency.
		 */
		if (kvm_check_request(KVM_REQ_CLOCK_UPDATE, vcpu))
			kvm_guest_time_update(vcpu);
		if (index == 1) {
			*ecx = vcpu->arch.pvclock_tsc_mul;
			*edx = vcpu->arch.pvclock_tsc_shift;
		} else if (index == 2) {
			*eax = vcpu->arch.hw_tsc_khz;
		}
	}
2. The Xen branch moves and renames xen_hvm_config so that it's xen.hvm_config,
while PV clock branch shuffles use of xen_hvm_config/xen.hvm_config flags.
The resulting code in kvm_guest_time_update() should look like:
#ifdef CONFIG_KVM_XEN
	/*
	 * For Xen guests we may need to override PVCLOCK_TSC_STABLE_BIT as unless
	 * explicitly told to use TSC as its clocksource Xen will not set this bit.
	 * This default behaviour led to bugs in some guest kernels which cause
	 * problems if they observe PVCLOCK_TSC_STABLE_BIT in the pvclock flags.
	 *
	 * Note! Clear TSC_STABLE only for Xen clocks, i.e. the order matters!
	 */
	if (ka->xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_PVCLOCK_TSC_UNSTABLE)
		hv_clock.flags &= ~PVCLOCK_TSC_STABLE_BIT;
	if (vcpu->xen.vcpu_info_cache.active)
		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_info_cache,
					offsetof(struct compat_vcpu_info, time));
	if (vcpu->xen.vcpu_time_info_cache.active)
		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_time_info_cache, 0);
#endif
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: x86: Misc changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
@ 2025-03-18 18:02 ` Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: MMU " Sean Christopherson
` (7 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:02 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
A variety of cleanups and minor fixes, and improved support (and fixes) for
honoring L1 intercepts when emulating instructions on behalf of L2.
FWIW, unless I'm missing something, the severity of the L2 emulation bugs means
that emulating instructions while L2 is active is _very_ rare for real world
use cases. I.e. the fixes are not urgent.
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-misc-6.15
for you to fetch changes up to e6c8728a8e2d20b262209c70a8ca67719a628833:
KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func() (2025-03-04 09:19:49 -0800)
----------------------------------------------------------------
KVM x86 misc changes for 6.15:
- Fix a bug in PIC emulation that caused KVM to emit a spurious KVM_REQ_EVENT.
- Add a helper to consolidate handling of mp_state transitions, and use it to
clear pv_unhalted whenever a vCPU is made RUNNABLE.
- Defer runtime CPUID updates until KVM emulates a CPUID instruction, to
coalesce updates when multiple pieces of vCPU state are changing, e.g. as
part of a nested transition.
- Fix a variety of nested emulation bugs, and add VMX support for synthesizing
nested VM-Exit on interception (instead of injecting #UD into L2).
- Drop "support" for PV Async #PF with protected guests without SEND_ALWAYS,
as KVM can't get the current CPL.
- Misc cleanups
----------------------------------------------------------------
Ethan Zhao (1):
KVM: x86/cpuid: add type suffix to decimal const 48 fix building warning
Jim Mattson (2):
KVM: x86: Introduce kvm_set_mp_state()
KVM: x86: Clear pv_unhalted on all transitions to KVM_MP_STATE_RUNNABLE
Li RongQing (1):
KVM: x86: Use kvfree_rcu() to free old optimized APIC map
Liam Ni (1):
KVM: x86: Wake vCPU for PIC interrupt injection iff a valid IRQ was found
Sean Christopherson (19):
KVM: x86: Use for-loop to iterate over XSTATE size entries
KVM: x86: Apply TSX_CTRL_CPUID_CLEAR if and only if the vCPU has RTM or HLE
KVM: x86: Query X86_FEATURE_MWAIT iff userspace owns the CPUID feature bit
KVM: x86: Defer runtime updates of dynamic CPUID bits until CPUID emulation
KVM: nVMX: Check PAUSE_EXITING, not BUS_LOCK_DETECTION, on PAUSE emulation
KVM: nSVM: Pass next RIP, not current RIP, for nested VM-Exit on emulation
KVM: nVMX: Allow emulating RDPID on behalf of L2
KVM: nVMX: Emulate HLT in L2 if it's not intercepted
KVM: nVMX: Consolidate missing X86EMUL_INTERCEPTED logic in L2 emulation
KVM: x86: Plumb the src/dst operand types through to .check_intercept()
KVM: x86: Plumb the emulator's starting RIP into nested intercept checks
KVM: x86: Add a #define for the architectural max instruction length
KVM: nVMX: Allow the caller to provide instruction length on nested VM-Exit
KVM: nVMX: Synthesize nested VM-Exit for supported emulation intercepts
KVM: selftests: Add a nested (forced) emulation intercept test for x86
KVM: x86: Don't inject PV async #PF if SEND_ALWAYS=0 and guest state is protected
KVM: x86: Rename and invert async #PF's send_user_only flag to send_always
KVM: x86: Use a dedicated flow for queueing re-injected exceptions
KVM: x86: Always set mp_state to RUNNABLE on wakeup from HLT
Ted Chen (1):
KVM: x86: Remove unused iommu_domain and iommu_noncoherent from kvm_arch
Xiaoyao Li (1):
KVM: x86: Remove the unreachable case for 0x80000022 leaf in __do_cpuid_func()
arch/x86/include/asm/kvm_host.h | 9 +-
arch/x86/kvm/cpuid.c | 52 ++++----
arch/x86/kvm/cpuid.h | 9 +-
arch/x86/kvm/emulate.c | 5 +-
arch/x86/kvm/i8259.c | 2 +-
arch/x86/kvm/kvm_emulate.h | 7 +-
arch/x86/kvm/lapic.c | 17 +--
arch/x86/kvm/smm.c | 2 +-
arch/x86/kvm/svm/nested.c | 2 +-
arch/x86/kvm/svm/sev.c | 7 +-
arch/x86/kvm/svm/svm.c | 17 ++-
arch/x86/kvm/trace.h | 14 +-
arch/x86/kvm/vmx/nested.c | 18 +--
arch/x86/kvm/vmx/nested.h | 22 +++-
arch/x86/kvm/vmx/vmx.c | 120 ++++++++++++-----
arch/x86/kvm/x86.c | 136 +++++++++----------
arch/x86/kvm/x86.h | 7 +
arch/x86/kvm/xen.c | 4 +-
tools/testing/selftests/kvm/Makefile.kvm | 1 +
.../selftests/kvm/x86/nested_emulation_test.c | 146 +++++++++++++++++++++
20 files changed, 416 insertions(+), 181 deletions(-)
create mode 100644 tools/testing/selftests/kvm/x86/nested_emulation_test.c
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: x86: MMU changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: Misc changes " Sean Christopherson
@ 2025-03-18 18:02 ` Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: PV clock " Sean Christopherson
` (6 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:02 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Except for a minor cleanup, the MMU changes for 6.15 are all about adding
support for aging SPTEs without holding mmu_lock. Details in the tag.
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-mmu-6.15
for you to fetch changes up to 0dab791f05ce2c9f0215f50cb46ed0c3126fe211:
KVM: x86/tdp_mmu: Remove tdp_mmu_for_each_pte() (2025-02-28 09:14:20 -0800)
----------------------------------------------------------------
KVM x86/mmu changes for 6.15
Add support for "fast" aging of SPTEs in both the TDP MMU and Shadow MMU, where
"fast" means "without holding mmu_lock". Not taking mmu_lock allows multiple
aging actions to run in parallel, and more importantly avoids stalling vCPUs,
e.g. due to holding mmu_lock for an extended duration while a vCPU is faulting
in memory.
For the TDP MMU, protect aging via RCU; the page tables are RCU-protected and
KVM doesn't need to access any metadata to age SPTEs.
For the Shadow MMU, use bit 1 of rmap pointers (bit 0 is used to terminate a
list of rmaps) to implement a per-rmap single-bit spinlock. When aging a gfn,
acquire the rmap's spinlock with read-only permissions, which allows hardening
and optimizing the locking and aging, e.g. locking an rmap for write requires
mmu_lock to also be held. The lock is NOT a true R/W spinlock, i.e. multiple
concurrent readers aren't supported.
To avoid forcing all SPTE updates to use atomic operations (clearing the
Accessed bit out of mmu_lock makes it inherently volatile), rework and rename
spte_has_volatile_bits() to spte_needs_atomic_update() and deliberately exclude
the Accessed bit. KVM (and mm/) already tolerates false positives/negatives
for Accessed information, and all testing has shown that reducing the latency
of aging is far more beneficial to overall system performance than providing
"perfect" young/old information.
----------------------------------------------------------------
James Houghton (6):
KVM: Rename kvm_handle_hva_range()
KVM: Allow lockless walk of SPTEs when handing aging mmu_notifier event
KVM: x86/mmu: Factor out spte atomic bit clearing routine
KVM: x86/mmu: Don't force atomic update if only the Accessed bit is volatile
KVM: x86/mmu: Skip shadow MMU test_young if TDP MMU reports page as young
KVM: x86/mmu: Only check gfn age in shadow MMU if indirect_shadow_pages > 0
Nikolay Borisov (1):
KVM: x86/tdp_mmu: Remove tdp_mmu_for_each_pte()
Sean Christopherson (6):
KVM: x86/mmu: Always update A/D-disabled SPTEs atomically
KVM: x86/mmu: Age TDP MMU SPTEs without holding mmu_lock
KVM: x86/mmu: Refactor low level rmap helpers to prep for walking w/o mmu_lock
KVM: x86/mmu: Add infrastructure to allow walking rmaps outside of mmu_lock
KVM: x86/mmu: Add support for lockless walks of rmap SPTEs
KVM: x86/mmu: Walk rmaps (shadow MMU) without holding mmu_lock when aging gfns
Documentation/virt/kvm/locking.rst | 4 +-
arch/x86/include/asm/kvm_host.h | 4 +-
arch/x86/kvm/Kconfig | 1 +
arch/x86/kvm/mmu/mmu.c | 363 +++++++++++++++++++++++++++----------
arch/x86/kvm/mmu/spte.c | 31 ++--
arch/x86/kvm/mmu/spte.h | 2 +-
arch/x86/kvm/mmu/tdp_iter.h | 34 ++--
arch/x86/kvm/mmu/tdp_mmu.c | 45 +++--
include/linux/kvm_host.h | 1 +
virt/kvm/Kconfig | 4 +
virt/kvm/kvm_main.c | 53 +++---
11 files changed, 373 insertions(+), 169 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
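The per-rmap single-bit lock described in the MMU tag above, as a user-space C11 sketch added here (not KVM's code): bit 1 of a pointer-sized rmap value is the lock, a read-only unlock verifies that the value was not modified, and locking for write is refused unless the caller holds mmu_lock. All names are hypothetical, mmu_lock is modelled as a plain flag, the Accessed bit is taken as x86 PTE bit 5, and rmap values with bit 0 set are simply skipped.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RMAP_BIT0     ((uintptr_t)1 << 0)  /* already claimed by the rmap encoding */
#define RMAP_LOCKED   ((uintptr_t)1 << 1)  /* the single-bit spinlock */
#define SPTE_ACCESSED ((uint64_t)1 << 5)   /* assumption: x86 PTE Accessed bit */

struct rmap_head {
	_Atomic uintptr_t val;             /* pointer plus the two low flag bits */
};

/* One acquisition attempt; on success *old receives the unlocked value. */
static bool rmap_trylock(struct rmap_head *h, uintptr_t *old)
{
	uintptr_t cur = atomic_load_explicit(&h->val, memory_order_relaxed);

	if (cur & RMAP_LOCKED)
		return false;  /* not a true R/W lock: a second reader is excluded too */
	if (!atomic_compare_exchange_strong_explicit(&h->val, &cur, cur | RMAP_LOCKED,
						     memory_order_acquire,
						     memory_order_relaxed))
		return false;
	*old = cur;
	return true;
}

static uintptr_t rmap_lock(struct rmap_head *h)
{
	uintptr_t old;

	while (!rmap_trylock(h, &old))
		;  /* spin */
	return old;
}

/*
 * Read-only unlock (the aging path). The holder must not have changed the
 * rmap, so release only if the stored value is still old | RMAP_LOCKED.
 * Returns false, leaving the lock held, if the value was modified.
 */
static bool rmap_unlock_readonly(struct rmap_head *h, uintptr_t old)
{
	uintptr_t expected = old | RMAP_LOCKED;

	return atomic_compare_exchange_strong_explicit(&h->val, &expected, old,
						       memory_order_release,
						       memory_order_relaxed);
}

/* Locking for write is only legal while mmu_lock is held (modelled as a flag). */
static bool rmap_lock_for_write(struct rmap_head *h, bool mmu_lock_held,
				uintptr_t *old)
{
	if (!mmu_lock_held)
		return false;
	*old = rmap_lock(h);
	return true;
}

/* Write unlock: publish the new rmap value with the lock bit clear. */
static void rmap_unlock_write(struct rmap_head *h, uintptr_t new_val)
{
	atomic_store_explicit(&h->val, new_val & ~RMAP_LOCKED, memory_order_release);
}

/*
 * Age the single SPTE an rmap points to, without mmu_lock. Clearing only the
 * Accessed bit is one atomic AND; returns whether the page was young.
 */
static bool rmap_age_one(struct rmap_head *h)
{
	uintptr_t old = rmap_lock(h);
	_Atomic uint64_t *sptep = (_Atomic uint64_t *)(old & ~(RMAP_BIT0 | RMAP_LOCKED));
	bool young = false;

	if (sptep && !(old & RMAP_BIT0))
		young = atomic_fetch_and(sptep, ~SPTE_ACCESSED) & SPTE_ACCESSED;
	rmap_unlock_readonly(h, old);
	return young;
}

int main(void)
{
	_Atomic uint64_t spte = 0x1000 | SPTE_ACCESSED;  /* constructed sample SPTE */
	struct rmap_head h;

	atomic_init(&h.val, (uintptr_t)&spte);
	printf("first aging pass:  young=%d\n", rmap_age_one(&h));
	printf("second aging pass: young=%d\n", rmap_age_one(&h));
	return 0;
}
```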
* [GIT PULL] KVM: x86: PV clock changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: Misc changes " Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: x86: MMU " Sean Christopherson
@ 2025-03-18 18:02 ` Sean Christopherson
2025-03-18 18:02 ` [GIT PULL] KVM: Selftests changes for 6.15, part 2 Sean Christopherson
` (5 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:02 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Fix a variety of bugs, flaws, and warts related to KVM's handling of PV clocks
and the associated PVCLOCK_GUEST_STOPPED flag. Note, there are still a pile of
issues with KVM's PV clock code; hopefully the next version of those changes[*]
comes along sooner than later.
[*] https://lore.kernel.org/all/20240522001817.619072-1-dwmw2@infradead.org
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-pvclock-6.15
for you to fetch changes up to 1b3c38050b5cc07f6873f244f845fb6c8549ce85:
KVM: x86: Override TSC_STABLE flag for Xen PV clocks in kvm_guest_time_update() (2025-02-12 10:45:55 -0800)
----------------------------------------------------------------
KVM PV clock changes for 6.15:
- Don't take kvm->lock when iterating over vCPUs in the suspend notifier to
fix a largely theoretical deadlock.
- Use the vCPU's actual Xen PV clock information when starting the Xen timer,
as the cached state in arch.hv_clock can be stale/bogus.
- Fix a bug where KVM could bleed PVCLOCK_GUEST_STOPPED across different
PV clocks.
- Restrict PVCLOCK_GUEST_STOPPED to kvmclock, as KVM's suspend notifier only
accounts for kvmclock, and there's no evidence that the flag is actually
supported by Xen guests.
- Clean up the per-vCPU "cache" of its reference pvclock, and instead only
track the vCPU's TSC scaling (multiplier+shift) metadata (which is moderately
expensive to compute, and rarely changes for modern setups).
----------------------------------------------------------------
Sean Christopherson (11):
KVM: x86: Don't take kvm->lock when iterating over vCPUs in suspend notifier
KVM: x86: Eliminate "handling" of impossible errors during SUSPEND
KVM: x86: Drop local pvclock_flags variable in kvm_guest_time_update()
KVM: x86: Process "guest stopped request" once per guest time update
KVM: x86/xen: Use guest's copy of pvclock when starting timer
KVM: x86: Don't bleed PVCLOCK_GUEST_STOPPED across PV clocks
KVM: x86: Set PVCLOCK_GUEST_STOPPED only for kvmclock, not for Xen PV clock
KVM: x86: Pass reference pvclock as a param to kvm_setup_guest_pvclock()
KVM: x86: Remove per-vCPU "cache" of its reference pvclock
KVM: x86: Setup Hyper-V TSC page before Xen PV clocks (during clock update)
KVM: x86: Override TSC_STABLE flag for Xen PV clocks in kvm_guest_time_update()
arch/x86/include/asm/kvm_host.h | 3 +-
arch/x86/kvm/x86.c | 115 ++++++++++++++++++++--------------------
arch/x86/kvm/xen.c | 69 +++++++++++++++++++++---
3 files changed, 121 insertions(+), 66 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: Selftests changes for 6.15, part 2
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (2 preceding siblings ...)
2025-03-18 18:02 ` [GIT PULL] KVM: x86: PV clock " Sean Christopherson
@ 2025-03-18 18:02 ` Sean Christopherson
2025-03-18 18:03 ` [GIT PULL] KVM: Selftests changes for 6.15, part 1 Sean Christopherson
` (4 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:02 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Second selftests pull request, i.e. the "real" 6.15 selftest pull request :-)
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-selftests-6.15
for you to fetch changes up to 62838fa5eade1b23d546e81e7aab6d4c92ec12f2:
KVM: selftests: Relax assertion on HLT exits if CPU supports Idle HLT (2025-02-28 15:42:28 -0800)
----------------------------------------------------------------
KVM selftests changes for 6.15, part 2
- Fix a variety of flaws, bugs, and false failures/passes in dirty_log_test, and
improve its coverage by collecting all dirty entries on each iteration.
- Fix a few minor bugs related to handling of stats FDs.
- Add infrastructure to make vCPU and VM stats FDs available to tests by
default (open the FDs during VM/vCPU creation).
- Relax an assertion on the number of HLT exits in the xAPIC IPI test when
running on a CPU that supports AMD's Idle HLT (which elides interception of
HLT if a virtual IRQ is pending and unmasked).
- Misc cleanups and fixes.
----------------------------------------------------------------
Colin Ian King (1):
KVM: selftests: Fix spelling mistake "UFFDIO_CONINUE" -> "UFFDIO_CONTINUE"
Maxim Levitsky (2):
KVM: selftests: Support multiple write retires in dirty_log_test
KVM: selftests: Limit dirty_log_test's s390x workaround to s390x
Sean Christopherson (28):
KVM: selftests: Actually emit forced emulation prefix for kvm_asm_safe_fep()
KVM: selftests: Sync dirty_log_test iteration to guest *before* resuming
KVM: selftests: Drop signal/kick from dirty ring testcase
KVM: selftests: Drop stale srandom() initialization from dirty_log_test
KVM: selftests: Precisely track number of dirty/clear pages for each iteration
KVM: selftests: Read per-page value into local var when verifying dirty_log_test
KVM: selftests: Continuously reap dirty ring while vCPU is running
KVM: selftests: Honor "stop" request in dirty ring test
KVM: selftests: Keep dirty_log_test vCPU in guest until it needs to stop
KVM: selftests: Post to sem_vcpu_stop if and only if vcpu_stop is true
KVM: selftests: Use continue to handle all "pass" scenarios in dirty_log_test
KVM: selftests: Print (previous) last_page on dirty page value mismatch
KVM: selftests: Collect *all* dirty entries in each dirty_log_test iteration
KVM: sefltests: Verify value of dirty_log_test last page isn't bogus
KVM: selftests: Ensure guest writes min number of pages in dirty_log_test
KVM: selftests: Tighten checks around prev iter's last dirty page in ring
KVM: selftests: Set per-iteration variables at the start of each iteration
KVM: selftests: Fix an off-by-one in the number of dirty_log_test iterations
KVM: selftests: Allow running a single iteration of dirty_log_test
KVM: selftests: Fix mostly theoretical leak of VM's binary stats FD
KVM: selftests: Close VM's binary stats FD when releasing VM
KVM: selftests: Assert that __vm_get_stat() actually finds a stat
KVM: selftests: Macrofy vm_get_stat() to auto-generate stat name string
KVM: selftests: Add struct and helpers to wrap binary stats cache
KVM: selftests: Get VM's binary stats FD when opening VM
KVM: selftests: Adjust number of files rlimit for all "standard" VMs
KVM: selftests: Add infrastructure for getting vCPU binary stats
KVM: selftests: Relax assertion on HLT exits if CPU supports Idle HLT
tools/testing/selftests/kvm/dirty_log_test.c | 521 ++++++++++-----------
tools/testing/selftests/kvm/include/kvm_util.h | 33 +-
.../testing/selftests/kvm/include/x86/processor.h | 3 +-
tools/testing/selftests/kvm/kvm_create_max_vcpus.c | 28 +-
tools/testing/selftests/kvm/lib/kvm_util.c | 114 +++--
tools/testing/selftests/kvm/lib/userfaultfd_util.c | 2 +-
.../kvm/x86/dirty_log_page_splitting_test.c | 6 +-
.../testing/selftests/kvm/x86/nx_huge_pages_test.c | 4 +-
tools/testing/selftests/kvm/x86/xapic_ipi_test.c | 13 +
9 files changed, 369 insertions(+), 355 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: Selftests changes for 6.15, part 1
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (3 preceding siblings ...)
2025-03-18 18:02 ` [GIT PULL] KVM: Selftests changes for 6.15, part 2 Sean Christopherson
@ 2025-03-18 18:03 ` Sean Christopherson
2025-03-18 18:03 ` [GIT PULL] KVM: x86: SVM changes for 6.15 Sean Christopherson
` (3 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:03 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
These are the selftests changes that were originally slated for 6.14, but got
omitted because of the mess with the Intel PMU counters failing due to the test
trying to validate architectural events on unsupported hardware.
The following changes since commit 10b2c8a67c4b8ec15f9d07d177f63b563418e948:
Merge tag 'kvm-x86-fixes-6.13-rcN' of https://github.com/kvm-x86/linux into HEAD (2024-12-22 12:59:33 -0500)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-selftests_6.15-1
for you to fetch changes up to 54108e73344480c3e5f3799129970009f52c59f4:
KVM: selftests: Print out the actual Top-Down Slots count on failure (2025-02-12 08:34:56 -0800)
----------------------------------------------------------------
KVM selftests changes for 6.15, part 1
- Misc cleanups and prep work.
- Annotate _no_printf() with "printf" so that pr_debug() statements are
checked by the compiler for default builds (and pr_info() when QUIET).
- Attempt to whack the last LLC references/misses mole in the Intel PMU
counters test by adding a data load and doing CLFLUSH{OPT} on the data
instead of the code being executed. The theory is that modern Intel CPUs
have learned new code prefetching tricks that bypass the PMU counters.
- Fix a flaw in the Intel PMU counters test where it asserts that an event is
counting correctly without actually knowing what the event counts on the
underlying hardware.
----------------------------------------------------------------
Chen Ni (1):
KVM: selftests: Remove unneeded semicolon
Colton Lewis (2):
KVM: selftests: Fix typos in x86's PMU counter test's macro variable use
KVM: selftests: Add defines for AMD PMU CPUID features and properties
Isaku Yamahata (1):
KVM: selftests: Add printf attribute to _no_printf()
Sean Christopherson (7):
KVM: selftests: Use data load to trigger LLC references/misses in Intel PMU
KVM: selftests: Add helpers for locally (un)blocking IRQs on x86
KVM: selftests: Make Intel arch events globally available in PMU counters test
KVM: selftests: Only validate counts for hardware-supported arch events
KVM: selftests: Remove dead code in Intel PMU counters test
KVM: selftests: Drop the "feature event" param from guest test helpers
KVM: selftests: Print out the actual Top-Down Slots count on failure
.../selftests/kvm/access_tracking_perf_test.c | 2 +-
tools/testing/selftests/kvm/include/test_util.h | 2 +-
.../testing/selftests/kvm/include/x86/processor.h | 47 ++++++
tools/testing/selftests/kvm/x86/hyperv_ipi.c | 6 +-
.../testing/selftests/kvm/x86/pmu_counters_test.c | 158 ++++++++++++---------
tools/testing/selftests/kvm/x86/svm_int_ctl_test.c | 5 +-
.../selftests/kvm/x86/ucna_injection_test.c | 2 +-
tools/testing/selftests/kvm/x86/xapic_ipi_test.c | 3 +-
tools/testing/selftests/kvm/x86/xapic_state_test.c | 4 +-
tools/testing/selftests/kvm/x86/xen_shinfo_test.c | 5 +-
10 files changed, 151 insertions(+), 83 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: x86: SVM changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (4 preceding siblings ...)
2025-03-18 18:03 ` [GIT PULL] KVM: Selftests changes for 6.15, part 1 Sean Christopherson
@ 2025-03-18 18:03 ` Sean Christopherson
2025-03-18 18:03 ` [GIT PULL] KVM: x86: VMX " Sean Christopherson
` (2 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:03 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Misc cleanups, a pile of fixes related to SNP's AP Creation hypercall, and
support for Idle HLT interception.
Note, Manali wrote a selftest for Idle HLT, but unfortunately it can't be
merged at this time as the test has no way to know if _KVM_ supports Idle HLT;
the CPUID feature bit enumerates KVM emulation of Idle HLT for nested VMs,
and there was no strong reason to expose a module param, let alone a capability.
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-svm-6.15
for you to fetch changes up to 4e96f010afb2815e33c9b15a695e0e0b4cb3cea6:
KVM: SVM: Invalidate "next" SNP VMSA GPA even on failure (2025-03-03 07:34:56 -0800)
----------------------------------------------------------------
KVM SVM changes for 6.15
- Ensure the PSP driver is initialized when both the PSP and KVM modules are
built-in (the initcall framework doesn't handle dependencies).
- Use long-term pins when registering encrypted memory regions, so that the
pages are migrated out of MIGRATE_CMA/ZONE_MOVABLE and don't lead to
excessive fragmentation.
- Add macros and helpers for setting GHCB return/error codes.
- Add support for Idle HLT interception, which elides interception if the vCPU
has a pending, unmasked virtual IRQ when HLT is executed.
- Fix a bug in INVPCID emulation where KVM fails to check for a non-canonical
address.
- Don't attempt VMRUN for SEV-ES+ guests if the vCPU's VMSA is invalid, e.g.
because the vCPU was "destroyed" via SNP's AP Creation hypercall.
- Reject SNP AP Creation if the requested SEV features for the vCPU don't
match the VM's configured set of features.
- Misc cleanups
----------------------------------------------------------------
Ge Yang (1):
KVM: SEV: Use long-term pin when registering encrypted memory regions
Manali Shukla (2):
x86/cpufeatures: Add CPUID feature bit for Idle HLT intercept
KVM: SVM: Add Idle HLT intercept support
Melody Wang (2):
KVM: SVM: Convert plain error code numbers to defines
KVM: SVM: Provide helpers to set the error code
Nikunj A Dadhania (1):
KVM: SEV: Use to_kvm_sev_info() for fetching kvm_sev_info struct
Sean Christopherson (11):
crypto: ccp: Add external API interface for PSP module initialization
KVM: SVM: Ensure PSP module is initialized if KVM module is built-in
KVM: SVM: Inject #GP if memory operand for INVPCID is non-canonical
KVM: SVM: Refuse to attempt VRMUN if an SEV-ES+ guest has an invalid VMSA
KVM: SVM: Don't change target vCPU state on AP Creation VMGEXIT error
KVM: SVM: Require AP's "requested" SEV_FEATURES to match KVM's view
KVM: SVM: Simplify request+kick logic in SNP AP Creation handling
KVM: SVM: Use guard(mutex) to simplify SNP AP Creation error handling
KVM: SVM: Mark VMCB dirty before processing incoming snp_vmsa_gpa
KVM: SVM: Use guard(mutex) to simplify SNP vCPU state updates
KVM: SVM: Invalidate "next" SNP VMSA GPA even on failure
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/sev-common.h | 12 +-
arch/x86/include/asm/svm.h | 5 +-
arch/x86/include/uapi/asm/svm.h | 2 +
arch/x86/kvm/svm/sev.c | 380 +++++++++++++++++--------------------
arch/x86/kvm/svm/svm.c | 39 +++-
arch/x86/kvm/svm/svm.h | 39 +++-
drivers/crypto/ccp/sp-dev.c | 14 ++
include/linux/psp-sev.h | 9 +
9 files changed, 269 insertions(+), 232 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: x86: VMX changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (5 preceding siblings ...)
2025-03-18 18:03 ` [GIT PULL] KVM: x86: SVM changes for 6.15 Sean Christopherson
@ 2025-03-18 18:03 ` Sean Christopherson
2025-03-18 18:03 ` [GIT PULL] KVM: x86: Xen " Sean Christopherson
2025-03-19 17:53 ` [GIT PULL] KVM: x86: Changes " Paolo Bonzini
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:03 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Nothing major for VMX, mostly prep work for FRED virtualization.
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-vmx-6.15
for you to fetch changes up to 0c3566b63de860f6d42e3d9254890c00ac0970d7:
KVM: VMX: Extract checks on entry/exit control pairs to a helper macro (2025-03-03 07:45:54 -0800)
----------------------------------------------------------------
KVM VMX changes for 6.15
- Fix a bug where KVM unnecessarily reads XFD_ERR from hardware and thus
modifies the vCPU's XFD_ERR on a #NM due to CR0.TS=1.
- Pass XFD_ERR as a pseudo-payload when injecting #NM as a preparatory step
for upcoming FRED virtualization support.
- Decouple the EPT entry RWX protection bit macros from the EPT Violation bits
as a general cleanup, and in anticipation of adding support for emulating
Mode-Based Execution (MBEC).
- Reject KVM_RUN if userspace manages to gain control and stuff invalid guest
state while KVM is in the middle of emulating nested VM-Enter.
- Add a macro to handle KVM's sanity checks on entry/exit VMCS control pairs
in anticipation of adding sanity checks for secondary exit controls (the
primary field is out of bits).
----------------------------------------------------------------
Nikolay Borisov (1):
KVM: VMX: Remove EPT_VIOLATIONS_ACC_*_BIT defines
Sean Christopherson (5):
KVM: VMX: Don't modify guest XFD_ERR if CR0.TS=1
KVM: VMX: Pass XFD_ERR as pseudo-payload when injecting #NM
KVM: nVMX: Decouple EPT RWX bits from EPT Violation protection bits
KVM: VMX: Reject KVM_RUN if userspace forces emulation during nested VM-Enter
KVM: VMX: Extract checks on entry/exit control pairs to a helper macro
arch/x86/include/asm/vmx.h | 28 ++++++-----
arch/x86/kvm/mmu/paging_tmpl.h | 3 +-
arch/x86/kvm/vmx/vmx.c | 106 +++++++++++++++++++++++++++++------------
3 files changed, 92 insertions(+), 45 deletions(-)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [GIT PULL] KVM: x86: Xen changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (6 preceding siblings ...)
2025-03-18 18:03 ` [GIT PULL] KVM: x86: VMX " Sean Christopherson
@ 2025-03-18 18:03 ` Sean Christopherson
2025-03-19 17:53 ` [GIT PULL] KVM: x86: Changes " Paolo Bonzini
8 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-18 18:03 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel, Sean Christopherson
Harden and optimize KVM's handling of the Xen hypercall MSR; syzkaller discovered
that setting the userspace-configurable index to collide with XSS could coerce
KVM into writing guest memory during vCPU creation.
The other change is to fix a flaw related to Xen TSC CPUID emulation.
The following changes since commit a64dcfb451e254085a7daee5fe51bf22959d52d3:
Linux 6.14-rc2 (2025-02-09 12:45:03 -0800)
are available in the Git repository at:
https://github.com/kvm-x86/linux.git tags/kvm-x86-xen-6.15
for you to fetch changes up to a2b00f85d7839d74a2f6fcbf547d4bf2e82c34e5:
KVM: x86: Update Xen TSC leaves during CPUID emulation (2025-02-25 07:09:55 -0800)
----------------------------------------------------------------
KVM Xen changes for 6.15
- Don't write to the Xen hypercall page on MSR writes that are initiated by
the host (userspace or KVM) to fix a class of bugs where KVM can write to
guest memory at unexpected times, e.g. during vCPU creation if userspace has
set the Xen hypercall MSR index to collide with an MSR that KVM emulates.
- Restrict the Xen hypercall MSR index to the unofficial synthetic range to
reduce the set of possible collisions with MSRs that are emulated by KVM
(collisions can still happen as KVM emulates Hyper-V MSRs, which also reside
in the synthetic range).
- Clean up and optimize KVM's handling of Xen MSR writes and xen_hvm_config.
- Update Xen TSC leaves during CPUID emulation instead of modifying the CPUID
entries when updating PV clocks, as there is no guarantee PV clocks will be
updated between TSC frequency changes and CPUID emulation, and guest reads
of Xen TSC should be rare, i.e. are not a hot path.
----------------------------------------------------------------
David Woodhouse (1):
      KVM: x86/xen: Only write Xen hypercall page for guest writes to MSR

Fred Griffoul (1):
      KVM: x86: Update Xen TSC leaves during CPUID emulation

Sean Christopherson (5):
      KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range
      KVM: x86/xen: Add an #ifdef'd helper to detect writes to Xen MSR
      KVM: x86/xen: Consult kvm_xen_enabled when checking for Xen MSR writes
      KVM: x86/xen: Bury xen_hvm_config behind CONFIG_KVM_XEN=y
      KVM: x86/xen: Move kvm_xen_hvm_config field into kvm_xen

 Documentation/virt/kvm/api.rst  |  4 ++++
 arch/x86/include/asm/kvm_host.h |  4 ++--
 arch/x86/include/uapi/asm/kvm.h |  3 +++
 arch/x86/kvm/cpuid.c            | 16 +++++++++++++
 arch/x86/kvm/x86.c              | 13 +++++++----
 arch/x86/kvm/x86.h              |  1 +
 arch/x86/kvm/xen.c              | 52 +++++++++++++++--------------------------
 arch/x86/kvm/xen.h              | 30 ++++++++++++++++++++----
 8 files changed, 80 insertions(+), 43 deletions(-)
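
A user-space model of the first two items in the tag message above, added here as an illustration; it is not code from the pull request or the kernel tree. The struct, the function names, the use of 0 for "not configured" and the numeric bounds of the synthetic range are assumptions, since the message gives no numbers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bounds of the "unofficial synthetic range"; not stated in the message. */
#define XEN_MSR_MIN_INDEX 0x40000000u
#define XEN_MSR_MAX_INDEX 0x4fffffffu

/* Hypothetical stand-in for the per-VM Xen state. */
struct vm_model {
	uint32_t xen_hypercall_msr;	/* 0 means "not configured" in this model */
	unsigned int page_writes;	/* number of hypercall-page writes to guest memory */
};

/*
 * Configuration-time check: reject any index outside the synthetic range so
 * that userspace cannot alias the Xen MSR onto an architectural MSR.
 * In-range indices can still collide with Hyper-V MSRs, as the message notes.
 */
int set_xen_hypercall_msr(struct vm_model *vm, uint32_t msr)
{
	if (msr && (msr < XEN_MSR_MIN_INDEX || msr > XEN_MSR_MAX_INDEX))
		return -1;
	vm->xen_hypercall_msr = msr;
	return 0;
}

/*
 * MSR write path: only a guest-initiated write to the configured index may
 * touch guest memory. Host-initiated writes (userspace or KVM itself, e.g.
 * during vCPU creation) fall through to normal MSR emulation.
 * Returns true if the write was consumed as a hypercall-page setup.
 */
bool handle_msr_write(struct vm_model *vm, uint32_t msr, bool host_initiated)
{
	if (host_initiated || !vm->xen_hypercall_msr ||
	    msr != vm->xen_hypercall_msr)
		return false;
	vm->page_writes++;		/* stands in for writing the hypercall page */
	return true;
}

int main(void)
{
	struct vm_model vm = { 0 };

	printf("out-of-range index: %d\n", set_xen_hypercall_msr(&vm, 0x174));
	printf("in-range index:     %d\n", set_xen_hypercall_msr(&vm, 0x40000200u));
	printf("host write consumed:  %d\n", handle_msr_write(&vm, 0x40000200u, true));
	printf("guest write consumed: %d\n", handle_msr_write(&vm, 0x40000200u, false));
	return 0;
}
```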
* Re: [GIT PULL] KVM: x86: Changes for 6.15
2025-03-18 18:02 [GIT PULL] KVM: x86: Changes for 6.15 Sean Christopherson
` (7 preceding siblings ...)
2025-03-18 18:03 ` [GIT PULL] KVM: x86: Xen " Sean Christopherson
@ 2025-03-19 17:53 ` Paolo Bonzini
2025-03-19 19:42 ` Sean Christopherson
8 siblings, 1 reply; 11+ messages in thread
From: Paolo Bonzini @ 2025-03-19 17:53 UTC (permalink / raw)
To: Sean Christopherson; +Cc: kvm, linux-kernel
On Tue, Mar 18, 2025 at 7:03 PM Sean Christopherson <seanjc@google.com> wrote:
> There are two conflicts between the PV clock pull request and the Xen
> pull request.
>
> 1. The Xen branch moves Xen TSC leaf updates to CPUID emulation, and the PV
> clock branch renames the fields in kvm_vcpu_arch that are used to update
> the Xen leafs. After the dust settles, kvm_cpuid() should look like:
>
> 	} else if (IS_ENABLED(CONFIG_KVM_XEN) &&
> 		   kvm_xen_is_tsc_leaf(vcpu, function)) {
> 		/*
> 		 * Update guest TSC frequency information if necessary.
> 		 * Ignore failures, there is no sane value that can be
> 		 * provided if KVM can't get the TSC frequency.
> 		 */
> 		if (kvm_check_request(KVM_REQ_CLOCK_UPDATE, vcpu))
> 			kvm_guest_time_update(vcpu);
>
> 		if (index == 1) {
> 			*ecx = vcpu->arch.pvclock_tsc_mul;
> 			*edx = vcpu->arch.pvclock_tsc_shift;
> 		} else if (index == 2) {
> 			*eax = vcpu->arch.hw_tsc_khz;
> 		}
> 	}
>
> 2. The Xen branch moves and renames xen_hvm_config so that its xen.hvm_config,
> while PV clock branch shuffles use of xen_hvm_config/xen.hvm_config flags.
> The resulting code in kvm_guest_time_update() should look like:
>
> #ifdef CONFIG_KVM_XEN
> 	/*
> 	 * For Xen guests we may need to override PVCLOCK_TSC_STABLE_BIT as unless
> 	 * explicitly told to use TSC as its clocksource Xen will not set this bit.
> 	 * This default behaviour led to bugs in some guest kernels which cause
> 	 * problems if they observe PVCLOCK_TSC_STABLE_BIT in the pvclock flags.
> 	 *
> 	 * Note! Clear TSC_STABLE only for Xen clocks, i.e. the order matters!
> 	 */
> 	if (ka->xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_PVCLOCK_TSC_UNSTABLE)
> 		hv_clock.flags &= ~PVCLOCK_TSC_STABLE_BIT;
>
> 	if (vcpu->xen.vcpu_info_cache.active)
> 		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_info_cache,
> 					offsetof(struct compat_vcpu_info, time));
> 	if (vcpu->xen.vcpu_time_info_cache.active)
> 		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_time_info_cache, 0);
> #endif
Thanks, pulled everything to kvm/queue. I assume you want me to put
the following on top:
* KVM: Drop kvm_arch_sync_events() now that all implementations are nops
* KVM: x86: Fold guts of kvm_arch_sync_events() into kvm_arch_pre_destroy_vm()
* KVM: x86: Unload MMUs during vCPU destruction, not before
* KVM: Assert that a destroyed/freed vCPU is no longer visible
* KVM: x86: Don't load/put vCPU when unloading its MMU during teardown
Paolo
* Re: [GIT PULL] KVM: x86: Changes for 6.15
2025-03-19 17:53 ` [GIT PULL] KVM: x86: Changes " Paolo Bonzini
@ 2025-03-19 19:42 ` Sean Christopherson
0 siblings, 0 replies; 11+ messages in thread
From: Sean Christopherson @ 2025-03-19 19:42 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, linux-kernel
On Wed, Mar 19, 2025, Paolo Bonzini wrote:
> On Tue, Mar 18, 2025 at 7:03 PM Sean Christopherson <seanjc@google.com> wrote:
> > There are two conflicts between the PV clock pull request and the Xen
> > pull request.
> >
> > 1. The Xen branch moves Xen TSC leaf updates to CPUID emulation, and the PV
> > clock branch renames the fields in kvm_vcpu_arch that are used to update
> > the Xen leafs. After the dust settles, kvm_cpuid() should look like:
> >
> > 	} else if (IS_ENABLED(CONFIG_KVM_XEN) &&
> > 		   kvm_xen_is_tsc_leaf(vcpu, function)) {
> > 		/*
> > 		 * Update guest TSC frequency information if necessary.
> > 		 * Ignore failures, there is no sane value that can be
> > 		 * provided if KVM can't get the TSC frequency.
> > 		 */
> > 		if (kvm_check_request(KVM_REQ_CLOCK_UPDATE, vcpu))
> > 			kvm_guest_time_update(vcpu);
> >
> > 		if (index == 1) {
> > 			*ecx = vcpu->arch.pvclock_tsc_mul;
> > 			*edx = vcpu->arch.pvclock_tsc_shift;
> > 		} else if (index == 2) {
> > 			*eax = vcpu->arch.hw_tsc_khz;
> > 		}
> > 	}
> >
> > 2. The Xen branch moves and renames xen_hvm_config so that its xen.hvm_config,
> > while PV clock branch shuffles use of xen_hvm_config/xen.hvm_config flags.
> > The resulting code in kvm_guest_time_update() should look like:
> >
> > #ifdef CONFIG_KVM_XEN
> > 	/*
> > 	 * For Xen guests we may need to override PVCLOCK_TSC_STABLE_BIT as unless
> > 	 * explicitly told to use TSC as its clocksource Xen will not set this bit.
> > 	 * This default behaviour led to bugs in some guest kernels which cause
> > 	 * problems if they observe PVCLOCK_TSC_STABLE_BIT in the pvclock flags.
> > 	 *
> > 	 * Note! Clear TSC_STABLE only for Xen clocks, i.e. the order matters!
> > 	 */
> > 	if (ka->xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_PVCLOCK_TSC_UNSTABLE)
> > 		hv_clock.flags &= ~PVCLOCK_TSC_STABLE_BIT;
> >
> > 	if (vcpu->xen.vcpu_info_cache.active)
> > 		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_info_cache,
> > 					offsetof(struct compat_vcpu_info, time));
> > 	if (vcpu->xen.vcpu_time_info_cache.active)
> > 		kvm_setup_guest_pvclock(&hv_clock, v, &vcpu->xen.vcpu_time_info_cache, 0);
> > #endif
>
> Thanks, pulled everything to kvm/queue. I assume you want me to put
> the following on top:
>
> * KVM: Drop kvm_arch_sync_events() now that all implementations are nops
> * KVM: x86: Fold guts of kvm_arch_sync_events() into kvm_arch_pre_destroy_vm()
> * KVM: x86: Unload MMUs during vCPU destruction, not before
> * KVM: Assert that a destroyed/freed vCPU is no longer visible
> * KVM: x86: Don't load/put vCPU when unloading its MMU during teardown
Sure, or wait until 6.16. The urgent changes in that series already got into
6.14. AFAIK there's no need to get the rest into 6.15 (not sure if waiting would
make TDX enabling more annoying).