Re: [PATCH v2 4/6] KVM: nSVM: Fail emulation of VMRUN/VMLOAD/VMSAVE if mapping vmcb12 fails

[Yosry Ahmed]

On Fri, Mar 6, 2026 at 5:09 PM Yosry Ahmed <yosry@xxxxxxxxxx> wrote:
>
> On Fri, Mar 6, 2026 at 1:09 PM Yosry Ahmed <yosry@xxxxxxxxxx> wrote:
> >
> > KVM currently injects a #GP if mapping vmcb12 fails when emulating
> > VMRUN/VMLOAD/VMSAVE. This is not architectural behavior, as #GP should
> > only be injected if the physical address is not supported or not aligned
> > (which hardware will do before the VMRUN intercept is checked).
> >
> > Instead, handle it as an emulation failure, similar to how nVMX handles
> > failures to read/write guest memory in several emulation paths.
> >
> > When virtual VMLOAD/VMSAVE is enabled, if vmcb12's GPA is not mapped in
> > the NPTs a VMEXIT(#NPF) will be generated, and KVM will install an MMIO
> > SPTE and emulate the instruction if there is no corresponding memslot.
> > x86_emulate_insn() will return EMULATION_FAILED as VMLOAD/VMSAVE are not
> > handled as part of the twobyte_insn cases.
> >
> > Even though this will also result in an emulation failure, it will only
> > result in a straight return to userspace if
> > KVM_CAP_EXIT_ON_EMULATION_FAILURE is set. Otherwise, it would inject #UD
> > and only exit to userspace if not in guest mode. So the behavior is
> > slightly different if virtual VMLOAD/VMSAVE is enabled.
> >
> > Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
> > Reported-by: Jim Mattson <jmattson@xxxxxxxxxx>
> > Signed-off-by: Yosry Ahmed <yosry@xxxxxxxxxx>
> > ---
>
> Nice find from AI bot, we should probably update gp_interception() to
> make sure we reinject a #GP if the address exceeds MAXPHYADDR.
> Something like:

Actually we should probably add a helper (e.g. svm_instr_should_gp()
or svm_instr_check_rax()) to figure out if we need to #GP on RAX for
VMRUN/VMLOAD/VMSAVE, and use it in both gp_interception() and
check_svme_pa() -- the latter doesn't have the misaligned page check
(although I think in practice we might not need it).