From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Yosry Ahmed, Sean Christopherson
Subject: [PATCH 6.18 185/275] KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT
Date: Mon, 4 May 2026 15:52:05 +0200
Message-ID: <20260504135149.950083909@linuxfoundation.org>
In-Reply-To: <20260504135142.929052779@linuxfoundation.org>
References: <20260504135142.929052779@linuxfoundation.org>
X-stable: review

6.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Yosry Ahmed

commit 1b30e7551767cb95b3e49bb169c72bbd76b56e05 upstream.

KVM currently injects a #GP and hopes for the best if mapping VMCB12 fails on nested #VMEXIT, and only if the failure mode is -EINVAL. Mapping the VMCB12 could also fail if creating host mappings fails. After the #GP is injected, nested_svm_vmexit() bails early, without cleaning up (e.g. KVM_REQ_GET_NESTED_STATE_PAGES is set, is_guest_mode() is true, etc).

Instead of optionally injecting a #GP, triple fault the guest if mapping VMCB12 fails since KVM cannot make a sane recovery. The APM states that a #VMEXIT will triple fault if host state is illegal or an exception occurs while loading host state, so the behavior is not entirely made up.

Do not return early from nested_svm_vmexit(), continue cleaning up the vCPU state (e.g. switch back to vmcb01), to handle the failure as gracefully as possible.

Fixes: cf74a78b229d ("KVM: SVM: Add VMEXIT handler and intercepts")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson
Signed-off-by: Yosry Ahmed
Link: https://patch.msgid.link/20260303003421.2185681-9-yosry@kernel.org
Signed-off-by: Sean Christopherson
Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/svm/nested.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/arch/x86/kvm/svm/nested.c +++ b/arch/x86/kvm/svm/nested.c @@ -1158,12 +1158,8 @@ int nested_svm_vmexit(struct vcpu_svm *s struct vmcb *vmcb02 = svm->nested.vmcb02.ptr; int rc; - rc = nested_svm_vmexit_update_vmcb12(vcpu); - if (rc) { - if (rc == -EINVAL) - kvm_inject_gp(vcpu, 0); - return 1; - } + if (nested_svm_vmexit_update_vmcb12(vcpu)) + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); /* Exit Guest-Mode */ leave_guest_mode(vcpu);
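Review bot: with the `rc = nested_svm_vmexit_update_vmcb12(vcpu);` assignment removed, the `int rc;` in the unchanged context at the top of this hunk is no longer assigned anywhere in view; confirm it still has a user further down in nested_svm_vmexit(), otherwise drop the declaration to avoid an unused-variable warning. It would also help to add a one-line comment next to the new `kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);` stating that the function deliberately falls through to `leave_guest_mode(vcpu);` and the vmcb01 switch-back rather than returning, since that rationale lives only in the commit message and a future reader may otherwise "restore" the missing early return.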