[PATCH v2 0/5] KVM: nSVM: Fix save/restore of NextRIP & interrupt shadow

[PATCH v2 0/5] KVM: nSVM: Fix save/restore of NextRIP & interrupt shadow

[Yosry Ahmed]

NextRIP and interrupt shadow are both not sync'd correctly to the cached
vmcb12 after VMRUN of L2. Sync the cached vmcb12 is the payload of
nested state, these fields are not saved/restored correctly.

Sync both fields correctly, and extend state_test to check vGIF (already
sync'd field) and next_rip. Checking the interrupt shadow would be
tricky, as GUEST_SYNC() executes several instructions before exiting to
L0, so the interrupt shadow will be consumed before the test can check
for it. L2 could execute STI followed directly by in/out, but that would
not handle transitioning between L2 and L2 correctly (see
ucall_arch_do_ucall()).

I updated patch 1 to be a minimal fix without moving code around, but I
kept the code movement in patch 3 as it leaves the code in better shape
until a more significant rework/cleanup is done. It also leaves the
FIXME in a more appropriate spot. If you feel strongly, feel free to
drop patch 3, but I'd rather we keep it.

v1 -> v2:
- Split patch 1 into a minimal fix without code movement for stable, and
  code movement patch (patch 3) [Sean].
- Comments and changelog updates [Sean].

v1: https://lore.kernel.org/kvm/20260210005449.3125133-1-yosry.ahmed@linux.dev/

Yosry Ahmed (5):
  KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
  KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
  KVM: nSVM: Move sync'ing to vmcb12 cache after completing interrupts
  KVM: selftests: Extend state_test to check vGIF
  KVM: selftests: Extend state_test to check next_rip

 arch/x86/kvm/svm/nested.c                    | 11 ++++--
 arch/x86/kvm/svm/svm.c                       | 26 +++++++++------
 tools/testing/selftests/kvm/x86/state_test.c | 35 ++++++++++++++++++++
 3 files changed, 59 insertions(+), 13 deletions(-)


base-commit: e944fe2c09f405a2e2d147145c9b470084bc4c9a
-- 
2.53.0.239.g8d8fc8a987-goog

[PATCH v2 1/5] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2

[Yosry Ahmed]

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.

NextRIP is also written by the CPU (in some cases) after VMRUN, but is
not sync'd to the cached vmcb12. As a result, it is corrupted after
save/restore (replaced by the original value written by L1 on nested
VMRUN). This could cause problems for both KVM (e.g. when injecting a
soft IRQ) or L1 (e.g. when using NextRIP to advance RIP after emulating
an instruction).

Fix this by sync'ing NextRIP to the cache after VMRUN of L2, but only
after completing interrupts (not in nested_sync_control_from_vmcb02()),
as KVM may update NextRIP (e.g. when re-injecting a soft IRQ).

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
---
 arch/x86/kvm/svm/svm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 5f0136dbdde6..1073a32a96fa 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4435,6 +4435,16 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
 
 	svm_complete_interrupts(vcpu);
 
+	/*
+	 * Update the cache after completing interrupts to get an accurate
+	 * NextRIP, e.g. when re-injecting a soft interrupt.
+	 *
+	 * FIXME: Rework svm_get_nested_state() to not pull data from the
+	 *        cache (except for maybe int_ctl).
+	 */
+	if (is_guest_mode(vcpu))
+		svm->nested.ctl.next_rip = svm->vmcb->control.next_rip;
+
 	return svm_exit_handlers_fastpath(vcpu);
 }
 
-- 
2.53.0.239.g8d8fc8a987-goog

[PATCH v2 2/5] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

[Yosry Ahmed]

After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs
fields written by the CPU from vmcb02 to the cached vmcb12. This is
because the cached vmcb12 is used as the authoritative copy of some of
the controls, and is the payload when saving/restoring nested state.

int_state is also written by the CPU, specifically bit 0 (i.e.
SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not sync'd to
cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE
preceeds KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow
would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites
what KVM_SET_NESTED_STATE restored in int_state).

However, if KVM_SET_VCPU_EVENTS preceeds KVM_SET_NESTED_STATE, an
interrupt shadow would be restored into vmcb01 instead of vmcb02. This
would mostly be benign for L1 (delays an interrupt), but not for L2. For
L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before
a HLT that should have been in an interrupt shadow).

Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02()
to avoid this problem. With that, KVM_SET_NESTED_STATE restores the
correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it
would overwrite it with the same value.

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
CC: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
---
 arch/x86/kvm/svm/nested.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index de90b104a0dd..9909ff237e5c 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -521,6 +521,7 @@ void nested_sync_control_from_vmcb02(struct vcpu_svm *svm)
 	u32 mask;
 	svm->nested.ctl.event_inj      = svm->vmcb->control.event_inj;
 	svm->nested.ctl.event_inj_err  = svm->vmcb->control.event_inj_err;
+	svm->nested.ctl.int_state	= svm->vmcb->control.int_state;
 
 	/* Only a few fields of int_ctl are written by the processor.  */
 	mask = V_IRQ_MASK | V_TPR_MASK;
-- 
2.53.0.239.g8d8fc8a987-goog

[PATCH v2 3/5] KVM: nSVM: Move sync'ing to vmcb12 cache after completing interrupts

[Yosry Ahmed]

nested_sync_control_from_vmcb02() sync's some fields from vmcb02 to the
cached vmcb12 after a VMRUN of L2, mainly to keep the cache up-to-date
for save/restore. However, NextRIP is sync'd separately after
completing interrupts, as svm_complete_soft_interrupt() may update it
(e.g. for soft IRQ re-injection).

Move the call to nested_sync_control_from_vmcb02() after completing
interrupts, moving the NextRIP sync (and the FIXME) inside it. This
keeps the sync code together, and puts the FIXME in a more adequate
location, as it applies to most/all fields sync'd by
nested_sync_control_from_vmcb02().

Moving the call is safe, as nothing in-between accesses any of the VMCB
fields sync'd by nested_sync_control_from_vmcb02(), except NextRIP.

Opportunistically make some whitespace fixes. No functional change
intended.

Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
---
 arch/x86/kvm/svm/nested.c | 10 ++++++++--
 arch/x86/kvm/svm/svm.c    | 26 ++++++++++----------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 9909ff237e5c..6a7c7c5b742a 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -519,9 +519,15 @@ void nested_copy_vmcb_save_to_cache(struct vcpu_svm *svm,
 void nested_sync_control_from_vmcb02(struct vcpu_svm *svm)
 {
 	u32 mask;
-	svm->nested.ctl.event_inj      = svm->vmcb->control.event_inj;
-	svm->nested.ctl.event_inj_err  = svm->vmcb->control.event_inj_err;
+
+	/*
+	 * FIXME: Rework svm_get_nested_state() to not pull data from the
+	 *        cache (except for maybe int_ctl).
+	 */
+	svm->nested.ctl.event_inj	= svm->vmcb->control.event_inj;
+	svm->nested.ctl.event_inj_err	= svm->vmcb->control.event_inj_err;
 	svm->nested.ctl.int_state	= svm->vmcb->control.int_state;
+	svm->nested.ctl.next_rip	= svm->vmcb->control.next_rip;
 
 	/* Only a few fields of int_ctl are written by the processor.  */
 	mask = V_IRQ_MASK | V_TPR_MASK;
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 1073a32a96fa..458abead9d5b 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4399,17 +4399,6 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
 	sync_cr8_to_lapic(vcpu);
 
 	svm->next_rip = 0;
-	if (is_guest_mode(vcpu)) {
-		nested_sync_control_from_vmcb02(svm);
-
-		/* Track VMRUNs that have made past consistency checking */
-		if (svm->nested.nested_run_pending &&
-		    !svm_is_vmrun_failure(svm->vmcb->control.exit_code))
-                        ++vcpu->stat.nested_run;
-
-		svm->nested.nested_run_pending = 0;
-	}
-
 	svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
 
 	/*
@@ -4438,12 +4427,17 @@ static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
 	/*
 	 * Update the cache after completing interrupts to get an accurate
 	 * NextRIP, e.g. when re-injecting a soft interrupt.
-	 *
-	 * FIXME: Rework svm_get_nested_state() to not pull data from the
-	 *        cache (except for maybe int_ctl).
 	 */
-	if (is_guest_mode(vcpu))
-		svm->nested.ctl.next_rip = svm->vmcb->control.next_rip;
+	if (is_guest_mode(vcpu)) {
+		nested_sync_control_from_vmcb02(svm);
+
+		/* Track VMRUNs that have made past consistency checking */
+		if (svm->nested.nested_run_pending &&
+		    !svm_is_vmrun_failure(svm->vmcb->control.exit_code))
+			++vcpu->stat.nested_run;
+
+		svm->nested.nested_run_pending = 0;
+	}
 
 	return svm_exit_handlers_fastpath(vcpu);
 }
-- 
2.53.0.239.g8d8fc8a987-goog

[PATCH v2 4/5] KVM: selftests: Extend state_test to check vGIF

[Yosry Ahmed]

V_GIF_MASK is one of the fields written by the CPU after VMRUN, and
sync'd by KVM from vmcb02 to cached vmcb12 after running L2. Part of the
reason is to make sure V_GIF_MASK is saved/restored correctly, as the
cached vmcb12 is the payload of nested state.

Verify that V_GIF_MASK is saved/restored correctly in state_test by
enabling vGIF in vmcb12, toggling GIF in L2 at different GUEST_SYNC()
points, and verifying that V_GIF_MASK is correctly propagated to the
nested state.

Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
---
 tools/testing/selftests/kvm/x86/state_test.c | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tools/testing/selftests/kvm/x86/state_test.c b/tools/testing/selftests/kvm/x86/state_test.c
index f2c7a1c297e3..57c7546f3d7c 100644
--- a/tools/testing/selftests/kvm/x86/state_test.c
+++ b/tools/testing/selftests/kvm/x86/state_test.c
@@ -26,7 +26,9 @@ void svm_l2_guest_code(void)
 	GUEST_SYNC(4);
 	/* Exit to L1 */
 	vmcall();
+	clgi();
 	GUEST_SYNC(6);
+	stgi();
 	/* Done, exit to L1 and never come back.  */
 	vmcall();
 }
@@ -41,6 +43,8 @@ static void svm_l1_guest_code(struct svm_test_data *svm)
 	generic_svm_setup(svm, svm_l2_guest_code,
 			  &l2_guest_stack[L2_GUEST_STACK_SIZE]);
 
+	vmcb->control.int_ctl |= (V_GIF_ENABLE_MASK | V_GIF_MASK);
+
 	GUEST_SYNC(3);
 	run_guest(vmcb, svm->vmcb_gpa);
 	GUEST_ASSERT(vmcb->control.exit_code == SVM_EXIT_VMMCALL);
@@ -222,6 +226,24 @@ static void __attribute__((__flatten__)) guest_code(void *arg)
 	GUEST_DONE();
 }
 
+void svm_check_nested_state(int stage, struct kvm_x86_state *state)
+{
+	struct vmcb *vmcb = (struct vmcb *)state->nested.data.svm;
+
+	if (kvm_cpu_has(X86_FEATURE_VGIF)) {
+		if (stage == 4)
+			TEST_ASSERT_EQ(!!(vmcb->control.int_ctl & V_GIF_MASK), 1);
+		if (stage == 6)
+			TEST_ASSERT_EQ(!!(vmcb->control.int_ctl & V_GIF_MASK), 0);
+	}
+}
+
+void check_nested_state(int stage, struct kvm_x86_state *state)
+{
+	if (kvm_has_cap(KVM_CAP_NESTED_STATE) && kvm_cpu_has(X86_FEATURE_SVM))
+		svm_check_nested_state(stage, state);
+}
+
 int main(int argc, char *argv[])
 {
 	uint64_t *xstate_bv, saved_xstate_bv;
@@ -278,6 +300,8 @@ int main(int argc, char *argv[])
 
 		kvm_vm_release(vm);
 
+		check_nested_state(stage, state);
+
 		/* Restore state in a new VM.  */
 		vcpu = vm_recreate_with_one_vcpu(vm);
 		vcpu_load_state(vcpu, state);
-- 
2.53.0.239.g8d8fc8a987-goog

[PATCH v2 5/5] KVM: selftests: Extend state_test to check next_rip

[Yosry Ahmed]

Similar to vGIF, extend state_test to make sure that next_rip is saved
correctly in nested state. GUEST_SYNC() in L2 causes IO emulation by
KVM, which advances the RIP to the value of next_rip. Hence, if next_rip
is saved correctly, its value should match the saved RIP value.

Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
---
 tools/testing/selftests/kvm/x86/state_test.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/testing/selftests/kvm/x86/state_test.c b/tools/testing/selftests/kvm/x86/state_test.c
index 57c7546f3d7c..992a52504a4a 100644
--- a/tools/testing/selftests/kvm/x86/state_test.c
+++ b/tools/testing/selftests/kvm/x86/state_test.c
@@ -236,6 +236,17 @@ void svm_check_nested_state(int stage, struct kvm_x86_state *state)
 		if (stage == 6)
 			TEST_ASSERT_EQ(!!(vmcb->control.int_ctl & V_GIF_MASK), 0);
 	}
+
+	if (kvm_cpu_has(X86_FEATURE_NRIPS)) {
+		/*
+		 * GUEST_SYNC() causes IO emulation in KVM, in which case the
+		 * RIP is advanced before exiting to userspace. Hence, the RIP
+		 * in the saved state should be the same as nRIP saved by the
+		 * CPU in the VMCB.
+		 */
+		if (stage == 6)
+			TEST_ASSERT_EQ(vmcb->control.next_rip, state->regs.rip);
+	}
 }
 
 void check_nested_state(int stage, struct kvm_x86_state *state)
-- 
2.53.0.239.g8d8fc8a987-goog

Re: [PATCH v2 3/5] KVM: nSVM: Move sync'ing to vmcb12 cache after completing interrupts

[Sean Christopherson]

On Wed, Feb 11, 2026, Yosry Ahmed wrote:
> nested_sync_control_from_vmcb02() sync's some fields from vmcb02 to the
> cached vmcb12 after a VMRUN of L2, mainly to keep the cache up-to-date
> for save/restore. However, NextRIP is sync'd separately after
> completing interrupts, as svm_complete_soft_interrupt() may update it
> (e.g. for soft IRQ re-injection).
> 
> Move the call to nested_sync_control_from_vmcb02() after completing
> interrupts, moving the NextRIP sync (and the FIXME) inside it. This
> keeps the sync code together, and puts the FIXME in a more adequate
> location, as it applies to most/all fields sync'd by
> nested_sync_control_from_vmcb02().
> 
> Moving the call is safe, as nothing in-between accesses any of the VMCB
> fields sync'd by nested_sync_control_from_vmcb02(), except NextRIP.
> 
> Opportunistically make some whitespace fixes. No functional change
> intended.
> 
> Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
> ---

As discussed off-list, I think I'll skip this patch, I'd prefer to go straight
to addressing the FIXME.  For me, the ugliness of the FIXME is a good thing: if
we make the code awful enough, we'll hopefully be more motivated to fix it :-)

Re: [PATCH v2 0/5] KVM: nSVM: Fix save/restore of NextRIP & interrupt shadow

[Sean Christopherson]

On Wed, 11 Feb 2026 16:28:37 +0000, Yosry Ahmed wrote:
> NextRIP and interrupt shadow are both not sync'd correctly to the cached
> vmcb12 after VMRUN of L2. Sync the cached vmcb12 is the payload of
> nested state, these fields are not saved/restored correctly.
> 
> Sync both fields correctly, and extend state_test to check vGIF (already
> sync'd field) and next_rip. Checking the interrupt shadow would be
> tricky, as GUEST_SYNC() executes several instructions before exiting to
> L0, so the interrupt shadow will be consumed before the test can check
> for it. L2 could execute STI followed directly by in/out, but that would
> not handle transitioning between L2 and L2 correctly (see
> ucall_arch_do_ucall()).
> 
> [...]

Applied to kvm-x86 nested (except for patch 3), thanks!

[1/5] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
      https://github.com/kvm-x86/linux/commit/778d8c1b2a6f
[2/5] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
      https://github.com/kvm-x86/linux/commit/03bee264f8eb
[3/5] KVM: nSVM: Move sync'ing to vmcb12 cache after completing interrupts
      (DROP)
[4/5] KVM: selftests: Extend state_test to check vGIF
      https://github.com/kvm-x86/linux/commit/2303ca26fbb0
[5/5] KVM: selftests: Extend state_test to check next_rip
      https://github.com/kvm-x86/linux/commit/e5cdd34b5f74

--
https://github.com/kvm-x86/linux/tree/next