From: Sean Christopherson <seanjc@google.com>
To: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Chao Gao <chao.gao@intel.com>, Xin Li <xin@zytor.com>,
Yosry Ahmed <yosry.ahmed@linux.dev>
Subject: Re: [PATCH v3 3/4] KVM: nVMX: Disallow access to vmcs12 fields that aren't supported by "hardware"
Date: Fri, 9 Jan 2026 07:17:37 -0800
Message-ID: <aWEcEQzHFQOeJnU4@google.com>
In-Reply-To: <aWEUTQeNXugBYAZA@google.com>
On Fri, Jan 09, 2026, Sean Christopherson wrote:
> On Fri, Jan 09, 2026, Xiaoyao Li wrote:
> > On 1/9/2026 12:15 PM, Sean Christopherson wrote:
> > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > > index 61113ead3d7b..ac7a17560c8f 100644
> > > --- a/arch/x86/kvm/vmx/nested.c
> > > +++ b/arch/x86/kvm/vmx/nested.c
> > > @@ -111,6 +111,9 @@ static void init_vmcs_shadow_fields(void)
> > > field <= GUEST_TR_AR_BYTES,
> > > "Update vmcs12_write_any() to drop reserved bits from AR_BYTES");
> > > + if (get_vmcs12_field_offset(field) < 0)
> > > + continue;
> > > +
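Review bot: the get_vmcs12_field_offset(field) < 0 skip is only added to the loop shown here (the read/write shadow list); the read-only shadow list built earlier in the same init_vmcs_shadow_fields() needs the identical guard, because copy_vmcs12_to_shadow() VMWRITEs the read-only shadow fields as well, so an unsupported encoding in that list would still be written to hardware. Hoisting the check into a helper used by both loops would avoid the two lists drifting apart again.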
> >
> > why shadow_read_only_fields[] doesn't need such guard?
> >
> > IIUC, copy_vmcs12_to_shadow() will VMWRITE shadowed readonly field even if
> > it doesn't exist on the hardware?
>
> Because I fixated on the existing checks and didn't look at the first for-loop.
>
> This time around I'll test by hacking in shadowed fields arbitrary shadow fields.
And with the RO fields handled, the below doesn't explode (I verified there are failures
aplenty if either of the RO or RW checks are commented out).
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index c85c50019523..7d9bedd06afd 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -262,8 +262,12 @@ enum vmcs_field {
SHARED_EPT_POINTER = 0x0000203C,
PID_POINTER_TABLE = 0x00002042,
PID_POINTER_TABLE_HIGH = 0x00002043,
+ INJECTED_EVENT_DATA = 0x00002052,
+ INJECTED_EVENT_DATA_HIGH = 0x00002053,
GUEST_PHYSICAL_ADDRESS = 0x00002400,
GUEST_PHYSICAL_ADDRESS_HIGH = 0x00002401,
+ ORIGINAL_EVENT_DATA = 0x00002404,
+ ORIGINAL_EVENT_DATA_HIGH = 0x00002405,
VMCS_LINK_POINTER = 0x00002800,
VMCS_LINK_POINTER_HIGH = 0x00002801,
GUEST_IA32_DEBUGCTL = 0x00002802,
diff --git a/arch/x86/kvm/vmx/vmcs12.c b/arch/x86/kvm/vmx/vmcs12.c
index 1ebe67c384ad..7952d58fb2d8 100644
--- a/arch/x86/kvm/vmx/vmcs12.c
+++ b/arch/x86/kvm/vmx/vmcs12.c
@@ -157,6 +157,8 @@ static const u16 kvm_supported_vmcs12_field_offsets[] __initconst = {
FIELD(HOST_S_CET, host_s_cet),
FIELD(HOST_SSP, host_ssp),
FIELD(HOST_INTR_SSP_TABLE, host_ssp_tbl),
+ FIELD64(INJECTED_EVENT_DATA, injected_event_data),
+ FIELD64(ORIGINAL_EVENT_DATA, original_event_data),
};
u16 vmcs12_field_offsets[ARRAY_SIZE(kvm_supported_vmcs12_field_offsets)] __ro_after_init;
@@ -204,6 +206,12 @@ static __init bool cpu_has_vmcs12_field(unsigned int idx)
case HOST_INTR_SSP_TABLE:
return cpu_has_load_cet_ctrl();
+ case ORIGINAL_EVENT_DATA:
+ case ORIGINAL_EVENT_DATA_HIGH:
+ case INJECTED_EVENT_DATA:
+ case INJECTED_EVENT_DATA_HIGH:
+ return false;
+
/* KVM always emulates PML and the VMX preemption timer in software. */
case GUEST_PML_INDEX:
case VMX_PREEMPTION_TIMER_VALUE:
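Review bot: the unconditional `return false` for the four ORIGINAL_EVENT_DATA/INJECTED_EVENT_DATA cases carries no comment saying it is deliberate, i.e. that these fields are reported as unsupported by "hardware" purely to exercise the new filtering; placed directly under the CET cases keyed on cpu_has_load_cet_ctrl(), a reader would expect a capability query here. A one-line comment in the style of the `/* KVM always emulates PML ... */` one just below would make the test-only intent explicit and stop the block from being mistaken for real support.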
diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h
index 21cd1b75e4fd..56565722f527 100644
--- a/arch/x86/kvm/vmx/vmcs12.h
+++ b/arch/x86/kvm/vmx/vmcs12.h
@@ -191,6 +191,9 @@ struct __packed vmcs12 {
u16 host_gs_selector;
u16 host_tr_selector;
u16 guest_pml_index;
+
+ u64 injected_event_data;
+ u64 original_event_data;
};
/*
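Review bot: the two u64 members are appended directly after u16 guest_pml_index inside a __packed struct, so they sit at 2-byte alignment and shift nothing else; fine for a throwaway test, but a short comment marking them as test-only would keep the hunk from reading as an intended vmcs12 layout change.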
diff --git a/arch/x86/kvm/vmx/vmcs_shadow_fields.h b/arch/x86/kvm/vmx/vmcs_shadow_fields.h
index cad128d1657b..d23ffedaf25b 100644
--- a/arch/x86/kvm/vmx/vmcs_shadow_fields.h
+++ b/arch/x86/kvm/vmx/vmcs_shadow_fields.h
@@ -75,5 +75,10 @@ SHADOW_FIELD_RW(HOST_GS_BASE, host_gs_base)
SHADOW_FIELD_RO(GUEST_PHYSICAL_ADDRESS, guest_physical_address)
SHADOW_FIELD_RO(GUEST_PHYSICAL_ADDRESS_HIGH, guest_physical_address)
+SHADOW_FIELD_RO(ORIGINAL_EVENT_DATA, original_event_data)
+SHADOW_FIELD_RO(ORIGINAL_EVENT_DATA_HIGH, original_event_data)
+SHADOW_FIELD_RW(INJECTED_EVENT_DATA, injected_event_data)
+SHADOW_FIELD_RW(INJECTED_EVENT_DATA_HIGH, injected_event_data)
+
#undef SHADOW_FIELD_RO
#undef SHADOW_FIELD_RW
Thread overview:
2026-01-09 4:15 [PATCH v3 0/4] KVM: nVMX: Disallow access to vmcs12 fields that aren't supported by "hardware" Sean Christopherson
2026-01-09 4:15 ` [PATCH v3 1/4] KVM: nVMX: Setup VMX MSRs on loading CPU during nested_vmx_hardware_setup() Sean Christopherson
2026-01-09 11:24 ` Xiaoyao Li
2026-01-09 4:15 ` [PATCH v3 2/4] KVM: VMX: Add a wrapper around ROL16() to get a vmcs12 from a field encoding Sean Christopherson
2026-01-09 11:34 ` Xiaoyao Li
2026-01-09 4:15 ` [PATCH v3 3/4] KVM: nVMX: Disallow access to vmcs12 fields that aren't supported by "hardware" Sean Christopherson
2026-01-09 14:08 ` Xiaoyao Li
2026-01-09 14:44 ` Sean Christopherson
2026-01-09 15:17 ` Sean Christopherson [this message]
2026-01-09 4:15 ` [PATCH v3 4/4] KVM: nVMX: Remove explicit filtering of GUEST_INTR_STATUS from shadow VMCS fields Sean Christopherson