git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sean Christopherson <seanjc@google.com>
	Thu, 12 Mar 2026 23:48:23 +0000 (16:48 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Fri, 3 Apr 2026 16:34:01 +0000 (09:34 -0700)
commit	7212094baef5acabef1969d77781a6527c09d743
tree	84d8f69e905b177e74350dd24bd181d2d6ad7561	tree \| snapshot
parent	3d4470d71fbf70576636947aba1ae51adbad5225	commit \| diff

KVM: x86: Suppress WARNs on nested_run_pending after userspace exit

To end an ongoing game of whack-a-mole between KVM and syzkaller, WARN on
illegally cancelling a pending nested VM-Enter if and only if userspace
has NOT gained control of the vCPU since the nested run was initiated. As
proven time and time again by syzkaller, userspace can clobber vCPU state
so as to force a VM-Exit that violates KVM's architectural modelling of
VMRUN/VMLAUNCH/VMRESUME.

To detect that userspace has gained control, while minimizing the risk of
operating on stale data, convert nested_run_pending from a pure boolean to
a tri-state of sorts, where '0' is still "not pending", '1' is "pending",
and '2' is "pending but untrusted". Then on KVM_RUN, if the flag is in
the "trusted pending" state, move it to "untrusted pending".

Note, moving the state to "untrusted" even if KVM_RUN is ultimately
rejected is a-ok, because for the "untrusted" state to matter, KVM must
get past kvm_x86_vcpu_pre_run() at some point for the vCPU.

Reviewed-by: Yosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260312234823.3120658-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

arch/x86/include/asm/kvm_host.h		diff \| blob \| blame \| history
arch/x86/kvm/svm/nested.c		diff \| blob \| blame \| history
arch/x86/kvm/svm/svm.c		diff \| blob \| blame \| history
arch/x86/kvm/vmx/nested.c		diff \| blob \| blame \| history
arch/x86/kvm/vmx/vmx.c		diff \| blob \| blame \| history
arch/x86/kvm/x86.c		diff \| blob \| blame \| history
arch/x86/kvm/x86.h		diff \| blob \| blame \| history