From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Yosry Ahmed, Sean Christopherson
Subject: [PATCH 6.18 188/275] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
Date: Mon, 4 May 2026 15:52:08 +0200
Message-ID: <20260504135150.060501948@linuxfoundation.org>
In-Reply-To: <20260504135142.929052779@linuxfoundation.org>
References: <20260504135142.929052779@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
User-Agent: quilt/0.69
X-stable: review
X-Mailing-List: patches@lists.linux.dev

6.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Yosry Ahmed

commit 8998e1d012f3f45d0456f16706682cef04c3c436 upstream.

KVM clears tracking of L1->L2 injected NMIs (i.e. nmi_l1_to_l2) and soft IRQs (i.e. soft_int_injected) on a synthesized #VMEXIT(INVALID) due to failed VMRUN. However, they are not explicitly cleared in other synthesized #VMEXITs.

soft_int_injected is always cleared after the first VMRUN of L2 when completing interrupts, as any re-injection is then tracked by KVM (instead of purely in vmcb02).

nmi_l1_to_l2 is not cleared after the first VMRUN if NMI injection failed, as KVM still needs to keep track that the NMI originated from L1 to avoid blocking NMIs for L1. It is only cleared when the NMI injection succeeds.

KVM could synthesize a #VMEXIT to L1 before successfully injecting the NMI into L2 (e.g. due to a #NPF on L2's NMI handler in L1's NPTs). In this case, nmi_l1_to_l2 will remain true, and KVM may not correctly mask NMIs and intercept IRET when injecting an NMI into L1.

Clear both nmi_l1_to_l2 and soft_int_injected in nested_svm_vmexit(), i.e. for all #VMEXITs except those that occur due to failed consistency checks, as those happen before nmi_l1_to_l2 or soft_int_injected are set.

Fixes: 159fc6fa3b7d ("KVM: nSVM: Transparently handle L1 -> L2 NMI re-injection")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed
Link: https://patch.msgid.link/20260303003421.2185681-13-yosry@kernel.org
Signed-off-by: Sean Christopherson
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/svm/nested.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1021,8 +1021,6 @@ int nested_svm_vmrun(struct kvm_vcpu *vc out_exit_err: svm->nested.nested_run_pending = 0; - svm->nmi_l1_to_l2 = false; - svm->soft_int_injected = false; svm->vmcb->control.exit_code = SVM_EXIT_ERR; svm->vmcb->control.exit_code_hi = -1u; 
@@ -1279,6 +1277,10 @@ int nested_svm_vmexit(struct vcpu_svm *s if (rc) return 1; + /* Drop tracking for L1->L2 injected NMIs and soft IRQs */ + svm->nmi_l1_to_l2 = false; + svm->soft_int_injected = false; + /* * Drop what we picked up for L2 via svm_complete_interrupts() so it * doesn't end up in L1.
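Review bot: Removing the two clears from the out_exit_err path in nested_svm_vmrun() is only equivalent if that path still reaches nested_svm_vmexit(), where the second hunk now clears the flags; the visible context ends at setting exit_code to SVM_EXIT_ERR and exit_code_hi to -1u and does not show that call, so please state in the commit message that the synthesized #VMEXIT(INVALID) for a failed VMRUN goes through nested_svm_vmexit() (the message only says the flags used to be cleared here "due to failed VMRUN").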
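Review bot: In the nested_svm_vmexit() hunk the new clears of nmi_l1_to_l2 and soft_int_injected sit after the `if (rc) return 1;` early return, so on that failure path both flags stay set; if that is intended because no #VMEXIT is delivered to L1 there, a short comment saying so would help, and the added "Drop tracking for L1->L2 injected NMIs and soft IRQs" comment could also state why it matters (per the commit message, a stale nmi_l1_to_l2 can make KVM skip masking NMIs and intercepting IRET when it later injects an NMI into L1).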