From: Michael Roth <michael.roth@amd.com>
To: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Sagi Shahar <sagis@google.com>,
Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Kiryl Shutsemau <kas@kernel.org>,
"Rick Edgecombe" <rick.p.edgecombe@intel.com>,
Thomas Gleixner <tglx@kernel.org>, Borislav Petkov <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>, <x86@kernel.org>,
<kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<linux-coco@lists.linux.dev>,
Vishal Annapurve <vannapurve@google.com>
Subject: Re: [PATCH v3 1/2] KVM: TDX: Allow userspace to return errors to guest for MAPGPA
Date: Tue, 17 Feb 2026 13:16:35 -0600 [thread overview]
Message-ID: <20260217191635.swit2awsmwrj57th@amd.com> (raw)
In-Reply-To: <037084a1-2019-4bd2-b1ed-7f34f9128e37@amd.com>
On Tue, Feb 17, 2026 at 12:45:52PM -0600, Tom Lendacky wrote:
> On 2/17/26 12:05, Michael Roth wrote:
> > On Fri, Feb 06, 2026 at 10:28:28PM +0000, Sagi Shahar wrote:
> >> From: Vishal Annapurve <vannapurve@google.com>
> >>
> >> MAPGPA request from TDX VMs gets split into chunks by KVM using a loop
> >> of userspace exits until the complete range is handled.
> >>
> >> In some cases userspace VMM might decide to break the MAPGPA operation
> >> and continue it later. For example: in the case of intrahost migration
> >> userspace might decide to continue the MAPGPA operation after the
> >> migration is completed.
> >>
> >> Allow userspace to signal to TDX guests that the MAPGPA operation should
> >> be retried the next time the guest is scheduled.
> >>
> >> This is potentially a breaking change since if userspace sets
> >> hypercall.ret to a value other than EBUSY or EINVAL an EINVAL error code
> >> will be returned to userspace. As of now QEMU never sets hypercall.ret
> >> to a non-zero value after handling KVM_EXIT_HYPERCALL so this change
> >> should be safe.
> >>
> >> Signed-off-by: Vishal Annapurve <vannapurve@google.com>
> >> Co-developed-by: Sagi Shahar <sagis@google.com>
> >> Signed-off-by: Sagi Shahar <sagis@google.com>
> >> ---
> >> Documentation/virt/kvm/api.rst | 3 +++
> >> arch/x86/kvm/vmx/tdx.c | 15 +++++++++++++--
> >> arch/x86/kvm/x86.h | 6 ++++++
> >> 3 files changed, 22 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
> >> index 01a3abef8abb..9978cd9d897e 100644
> >> --- a/Documentation/virt/kvm/api.rst
> >> +++ b/Documentation/virt/kvm/api.rst
> >> @@ -8679,6 +8679,9 @@ block sizes is exposed in KVM_CAP_ARM_SUPPORTED_BLOCK_SIZES as a
> >>
> >> This capability, if enabled, will cause KVM to exit to userspace
> >> with KVM_EXIT_HYPERCALL exit reason to process some hypercalls.
> >> +Userspace may fail the hypercall by setting hypercall.ret to EINVAL
> >> +or may request the hypercall to be retried the next time the guest run
> >> +by setting hypercall.ret to EAGAIN.
> >>
> >> Calling KVM_CHECK_EXTENSION for this capability will return a bitmask
> >> of hypercalls that can be configured to exit to userspace.
> >> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
> >> index 2d7a4d52ccfb..056a44b9d78b 100644
> >> --- a/arch/x86/kvm/vmx/tdx.c
> >> +++ b/arch/x86/kvm/vmx/tdx.c
> >> @@ -1186,10 +1186,21 @@ static void __tdx_map_gpa(struct vcpu_tdx *tdx);
> >>
> >> static int tdx_complete_vmcall_map_gpa(struct kvm_vcpu *vcpu)
> >> {
> >> + u64 hypercall_ret = READ_ONCE(vcpu->run->hypercall.ret);
> >> struct vcpu_tdx *tdx = to_tdx(vcpu);
> >>
> >> - if (vcpu->run->hypercall.ret) {
> >> - tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> >> + if (hypercall_ret) {
> >> + if (hypercall_ret == EAGAIN) {
> >> + tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
> >> + } else if (vcpu->run->hypercall.ret == EINVAL) {
> >> + tdvmcall_set_return_code(
> >> + vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> >> + } else {
> >> + WARN_ON_ONCE(
> >> + kvm_is_valid_map_gpa_range_ret(hypercall_ret));
> >> + return -EINVAL;
> >> + }
> >> +
> >> tdx->vp_enter_args.r11 = tdx->map_gpa_next;
> >> return 1;
> >> }
> >
> > Maybe slightly more readable?
> >
> > switch (hypercall_ret) {
> > case EAGAIN:
> > tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
> > /* fallthrough */
>
> I think you want a break here, not a fallthrough, so that you don't set
> the return code twice with the last one not being correct for EAGAIN.
Doh, thanks for the catch. I guess a break for the EINVAL case as well would
be more consistent then.
switch (hypercall_ret) {
case EAGAIN:
tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
break;
case EINVAL:
tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
break;
case 0:
break;
case default:
WARN_ON_ONCE(kvm_is_valid_map_gpa_range_ret(hypercall_ret));
return -EINVAL;
}
tdx->vp_enter_args.r11 = tdx->map_gpa_next;
return 1;
Thanks,
Mike
> > switch (hypercall_ret) {
> > case EAGAIN:
> > tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
> > /* fallthrough */
>
> I think you want a break here, not a fallthrough, so that you don't set
> the return code twice with the last one not being correct for EAGAIN.
>
> Thanks,
> Tom
>
> > case EINVAL:
> > tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> > /* fallthrough */
> > case 0:
> > break;
> > case default:
> > WARN_ON_ONCE(kvm_is_valid_map_gpa_range_ret(hypercall_ret));
> > return -EINVAL;
> > }
> >
> > tdx->vp_enter_args.r11 = tdx->map_gpa_next;
> > return 1;
>
> Thanks,
> Tom
>
> > case EINVAL:
> > tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
> > /* fallthrough */
> > case 0:
> > break;
> > case default:
> > WARN_ON_ONCE(kvm_is_valid_map_gpa_range_ret(hypercall_ret));
> > return -EINVAL;
> > }
> >
> > tdx->vp_enter_args.r11 = tdx->map_gpa_next;
> > return 1;
> >
> > Either way:
> >
> > Reviewed-by: Michael Roth <michael.roth@amd.com>
> >
> >> diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
> >> index fdab0ad49098..3d464d12423a 100644
> >> --- a/arch/x86/kvm/x86.h
> >> +++ b/arch/x86/kvm/x86.h
> >> @@ -706,6 +706,12 @@ int kvm_sev_es_string_io(struct kvm_vcpu *vcpu, unsigned int size,
> >> unsigned int port, void *data, unsigned int count,
> >> int in);
> >>
> >> +static inline bool kvm_is_valid_map_gpa_range_ret(u64 hypercall_ret)
> >> +{
> >> + return !hypercall_ret || hypercall_ret == EINVAL ||
> >> + hypercall_ret == EAGAIN;
> >> +}
> >> +
> >> static inline bool user_exit_on_hypercall(struct kvm *kvm, unsigned long hc_nr)
> >> {
> >> return kvm->arch.hypercall_exit_enabled & BIT(hc_nr);
> >> --
> >> 2.53.0.rc2.204.g2597b5adb4-goog
> >>
>
next prev parent reply other threads:[~2026-02-17 19:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 22:28 [PATCH v3 0/2] Extend KVM_HC_MAP_GPA_RANGE api to allow retry Sagi Shahar
2026-02-06 22:28 ` [PATCH v3 1/2] KVM: TDX: Allow userspace to return errors to guest for MAPGPA Sagi Shahar
2026-02-17 18:05 ` Michael Roth
2026-02-17 18:45 ` Tom Lendacky
2026-02-17 19:16 ` Michael Roth [this message]
2026-02-17 19:20 ` Sean Christopherson
2026-03-05 22:27 ` Sagi Shahar
2026-02-06 22:28 ` [PATCH v3 2/2] KVM: SEV: Restrict userspace return codes for KVM_HC_MAP_GPA_RANGE Sagi Shahar
2026-02-17 18:19 ` Michael Roth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217191635.swit2awsmwrj57th@amd.com \
--to=michael.roth@amd.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kas@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rick.p.edgecombe@intel.com \
--cc=sagis@google.com \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=thomas.lendacky@amd.com \
--cc=vannapurve@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox