Re: [PATCH v3 1/2] KVM: TDX: Allow userspace to return errors to guest for MAPGPA

[Tom Lendacky]

On 2/17/26 12:05, Michael Roth wrote:
> On Fri, Feb 06, 2026 at 10:28:28PM +0000, Sagi Shahar wrote:
>> From: Vishal Annapurve <vannapurve@xxxxxxxxxx>
>>
>> MAPGPA request from TDX VMs gets split into chunks by KVM using a loop
>> of userspace exits until the complete range is handled.
>>
>> In some cases userspace VMM might decide to break the MAPGPA operation
>> and continue it later. For example: in the case of intrahost migration
>> userspace might decide to continue the MAPGPA operation after the
>> migration is completed.
>>
>> Allow userspace to signal to TDX guests that the MAPGPA operation should
>> be retried the next time the guest is scheduled.
>>
>> This is potentially a breaking change since if userspace sets
>> hypercall.ret to a value other than EBUSY or EINVAL an EINVAL error code
>> will be returned to userspace. As of now QEMU never sets hypercall.ret
>> to a non-zero value after handling KVM_EXIT_HYPERCALL so this change
>> should be safe.
>>
>> Signed-off-by: Vishal Annapurve <vannapurve@xxxxxxxxxx>
>> Co-developed-by: Sagi Shahar <sagis@xxxxxxxxxx>
>> Signed-off-by: Sagi Shahar <sagis@xxxxxxxxxx>
>> ---
>>  Documentation/virt/kvm/api.rst |  3 +++
>>  arch/x86/kvm/vmx/tdx.c         | 15 +++++++++++++--
>>  arch/x86/kvm/x86.h             |  6 ++++++
>>  3 files changed, 22 insertions(+), 2 deletions(-)
>>
>> diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
>> index 01a3abef8abb..9978cd9d897e 100644
>> --- a/Documentation/virt/kvm/api.rst
>> +++ b/Documentation/virt/kvm/api.rst
>> @@ -8679,6 +8679,9 @@ block sizes is exposed in KVM_CAP_ARM_SUPPORTED_BLOCK_SIZES as a
>>  
>>  This capability, if enabled, will cause KVM to exit to userspace
>>  with KVM_EXIT_HYPERCALL exit reason to process some hypercalls.
>> +Userspace may fail the hypercall by setting hypercall.ret to EINVAL
>> +or may request the hypercall to be retried the next time the guest run
>> +by setting hypercall.ret to EAGAIN.
>>  
>>  Calling KVM_CHECK_EXTENSION for this capability will return a bitmask
>>  of hypercalls that can be configured to exit to userspace.
>> diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
>> index 2d7a4d52ccfb..056a44b9d78b 100644
>> --- a/arch/x86/kvm/vmx/tdx.c
>> +++ b/arch/x86/kvm/vmx/tdx.c
>> @@ -1186,10 +1186,21 @@ static void __tdx_map_gpa(struct vcpu_tdx *tdx);
>>  
>>  static int tdx_complete_vmcall_map_gpa(struct kvm_vcpu *vcpu)
>>  {
>> +	u64 hypercall_ret = READ_ONCE(vcpu->run->hypercall.ret);
>>  	struct vcpu_tdx *tdx = to_tdx(vcpu);
>>  
>> -	if (vcpu->run->hypercall.ret) {
>> -		tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
>> +	if (hypercall_ret) {
>> +		if (hypercall_ret == EAGAIN) {
>> +			tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
>> +		} else if (vcpu->run->hypercall.ret == EINVAL) {
>> +			tdvmcall_set_return_code(
>> +				vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
>> +		} else {
>> +			WARN_ON_ONCE(
>> +				kvm_is_valid_map_gpa_range_ret(hypercall_ret));
>> +			return -EINVAL;
>> +		}
>> +
>>  		tdx->vp_enter_args.r11 = tdx->map_gpa_next;
>>  		return 1;
>>  	}
> 
> Maybe slightly more readable?
> 
>     switch (hypercall_ret) {
>     case EAGAIN:
>         tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_RETRY);
>         /* fallthrough */

I think you want a break here, not a fallthrough, so that you don't set
the return code twice with the last one not being correct for EAGAIN.

Thanks,
Tom

>     case EINVAL:
>         tdvmcall_set_return_code(vcpu, TDVMCALL_STATUS_INVALID_OPERAND);
>         /* fallthrough */
>     case 0:
>         break;
>     case default:
>         WARN_ON_ONCE(kvm_is_valid_map_gpa_range_ret(hypercall_ret));
>         return -EINVAL;
>     }
> 
>     tdx->vp_enter_args.r11 = tdx->map_gpa_next;
>     return 1;
> 
> Either way:
> 
> Reviewed-by: Michael Roth <michael.roth@xxxxxxx>
> 
>> diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
>> index fdab0ad49098..3d464d12423a 100644
>> --- a/arch/x86/kvm/x86.h
>> +++ b/arch/x86/kvm/x86.h
>> @@ -706,6 +706,12 @@ int kvm_sev_es_string_io(struct kvm_vcpu *vcpu, unsigned int size,
>>  			 unsigned int port, void *data,  unsigned int count,
>>  			 int in);
>>  
>> +static inline bool kvm_is_valid_map_gpa_range_ret(u64 hypercall_ret)
>> +{
>> +	return !hypercall_ret || hypercall_ret == EINVAL ||
>> +	       hypercall_ret == EAGAIN;
>> +}
>> +
>>  static inline bool user_exit_on_hypercall(struct kvm *kvm, unsigned long hc_nr)
>>  {
>>  	return kvm->arch.hypercall_exit_enabled & BIT(hc_nr);
>> -- 
>> 2.53.0.rc2.204.g2597b5adb4-goog
>>