Merge tag 'kvm-x86-2025.02.21' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

KVM-Unit-Tests x86 changes:

- Expand the per-CPU data+stack area to 12KiB per CPU to reduce the
probability

Merge tag 'kvm-x86-2025.02.21' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

KVM-Unit-Tests x86 changes:

- Expand the per-CPU data+stack area to 12KiB per CPU to reduce the
probability of tests overflowing their stack and clobbering pre-CPU
data.

- Add testcases for LA57 canonical checks.

- Add testcases for LAM.

- Add a smoke test to make sure KVM doesn't bleed split-lock #AC/#DB into
the guest.

- Fix many warts and bugs in the PMU test, and prepare it for PMU version 5
and beyond.

- Many misc fixes and cleanups.

show more ...

x86: Add test cases for LAM_{U48,U57}

This unit test covers:
1. CR3 LAM bits toggles.
2. Memory/MMIO access with user mode address containing LAM metadata.

Signed-off-by: Binbin Wu <binbin.wu@linux

x86: Add test cases for LAM_{U48,U57}

This unit test covers:
1. CR3 LAM bits toggles.
2. Memory/MMIO access with user mode address containing LAM metadata.

Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20240701073010.91417-5-binbin.wu@linux.intel.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Add test case for LAM_SUP

This unit test covers:
1. CR4.LAM_SUP toggles.
2. Memory & MMIO access with supervisor mode address with LAM metadata.
3. INVLPG memory operand doesn't contain LAM met

x86: Add test case for LAM_SUP

This unit test covers:
1. CR4.LAM_SUP toggles.
2. Memory & MMIO access with supervisor mode address with LAM metadata.
3. INVLPG memory operand doesn't contain LAM meta data, if the address
is non-canonical form then the INVLPG is the same as a NOP (no #GP).
4. INVPCID memory operand (descriptor pointer) could contain LAM meta data,
however, the address in the descriptor should be canonical.

In x86/unittests.cfg, add 2 test cases/guest conf, with and without LAM.

LAM feature spec: https://cdrdv2.intel.com/v1/dl/getContent/671368,
Chapter LINEAR ADDRESS MASKING (LAM)

Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
Co-developed-by: Binbin Wu <binbin.wu@linux.intel.com>
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20240701073010.91417-4-binbin.wu@linux.intel.com
[sean: s/set/get for the helper, smush tests, call it "lam", use "-cpu max"]
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Allow setting of CR3 LAM bits if LAM supported

If LINEAR ADDRESS MASKING (LAM) is supported, VM entry allows CR3.LAM_U48
(bit 62) and CR3.LAM_U57 (bit 61) to be set in CR3 field.

Change the te

x86: Allow setting of CR3 LAM bits if LAM supported

If LINEAR ADDRESS MASKING (LAM) is supported, VM entry allows CR3.LAM_U48
(bit 62) and CR3.LAM_U57 (bit 61) to be set in CR3 field.

Change the test result expectations when setting CR3.LAM_U48 or CR3.LAM_U57
on vmlaunch tests when LAM is supported.

Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20240701073010.91417-3-binbin.wu@linux.intel.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Add testcases for writing (non)canonical LA57 values to MSRs and bases

Extend the LA57 test to thoroughly validate the canonical checks that are
done when setting various MSRs and CPU registers

x86: Add testcases for writing (non)canonical LA57 values to MSRs and bases

Extend the LA57 test to thoroughly validate the canonical checks that are
done when setting various MSRs and CPU registers. CPUs that support LA57
have convoluted behavior when it comes to canonical checks. Writes to
MSRs, descriptor table bases, and for TLB invalidation instructions,
don't consult CR4.LA57, and so a value that is 57-bit canonical but not
48-bit canonical is allowed irrespective of CR4.LA57 if the CPU supports
5-level paging.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20240907005440.500075-5-mlevitsk@redhat.com
Co-developed-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20250215013018.1210432-6-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Move struct invpcid_desc descriptor to processor.h

Move struct invpcid_desc descriptor to processor.h so that it can be used
in tests that are external to pcid.c.

Signed-off-by: Maxim Levitsky

x86: Move struct invpcid_desc descriptor to processor.h

Move struct invpcid_desc descriptor to processor.h so that it can be used
in tests that are external to pcid.c.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20240907005440.500075-4-mlevitsk@redhat.com
Link: https://lore.kernel.org/r/20250215013018.1210432-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Add _safe() and _fep_safe() variants to segment base load instructions

Add _safe() and _fep_safe() helpers for segment/base instructions; the
helpers will be used to validate various ways of se

x86: Add _safe() and _fep_safe() variants to segment base load instructions

Add _safe() and _fep_safe() helpers for segment/base instructions; the
helpers will be used to validate various ways of setting the segment bases
and GDT/LDT bases.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20240907005440.500075-2-mlevitsk@redhat.com
Link: https://lore.kernel.org/r/20250215013018.1210432-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Make set/clear_bit() atomic

x86 is the only architecture that defines set/clear_bit() as non-atomic.
This makes it incompatible with arch-agnostic code that might implicitly
require atomicity.

x86: Make set/clear_bit() atomic

x86 is the only architecture that defines set/clear_bit() as non-atomic.
This makes it incompatible with arch-agnostic code that might implicitly
require atomicity. And it was observed to corrupt the 'online_cpus'
bitmap, as non BSP CPUs perform RmWs on the bitmap concurrently during
bring up. See:

ap_start64()
save_id()
set_bit(apic_id(), online_cpus)

Address this by making set/clear_bit() atomic.

Signed-off-by: Nicolas Saenz Julienne <nsaenz@amazon.com>
Link: https://lore.kernel.org/r/20250214173644.22895-1-nsaenz@amazon.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

Merge tag 'kvm-x86-2024.06.14' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

x86 fixes, cleanups, and new testcases:

- Add a testcase to verify that KVM doesn't inject a triple fault (or

Merge tag 'kvm-x86-2024.06.14' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

x86 fixes, cleanups, and new testcases:

- Add a testcase to verify that KVM doesn't inject a triple fault (or any
other "error") if a nested VM is run with an EP4TA pointing MMIO.

- Play nice with CR4.CET in test_vmxon_bad_cr()

- Force emulation when testing MSR_IA32_FLUSH_CMD to workaround an issue where
Skylake CPUs don't follow the architecturally defined behavior, and so that
the test doesn't break if/when new bits are supported by future CPUs.

- Rework the async #PF test to support IRQ-based page-ready notifications.

- Fix a variety of issues related to adaptive PEBS.

- Add several nested VMX tests for virtual interrupt delivery and posted
interrupts.

- Ensure PAT is loaded with the default value after the nVMX PAT tests
(failure to do so was causing tests to fail due to all memory being UC).

- Misc cleanups.

show more ...

x86: Add FEP support on read/write register instructions

Add FEP support on read/write register instructions to enable testing rdmsr
and wrmsr when force emulation is turned on.

Suggested-by: Sean

x86: Add FEP support on read/write register instructions

Add FEP support on read/write register instructions to enable testing rdmsr
and wrmsr when force emulation is turned on.

Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Mingwei Zhang <mizhang@google.com>
Link: https://lore.kernel.org/r/20240417232906.3057638-2-mizhang@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86/asyncpf: Update async page fault test for IRQ-based "page ready"

KVM switched to use interrupt for 'page ready' APF event since Linux v5.10
and the legacy mechanism using #PF was deprecated. Int

x86/asyncpf: Update async page fault test for IRQ-based "page ready"

KVM switched to use interrupt for 'page ready' APF event since Linux v5.10
and the legacy mechanism using #PF was deprecated. Interrupt-based
'page-ready' notification requires KVM_ASYNC_PF_DELIVERY_AS_INT to be set
as well in MSR_KVM_ASYNC_PF_EN to enable asyncpf.

Update asyncpf.c for the new interrupt-based notification to check for
(KVM_FEATURE_ASYNC_PF && KVM_FEATURE_ASYNC_PF_INT) support, and implement
interrupt-based 'page-ready' handler with the necessary struct changes.

To run this test, add the QEMU option "-cpu host" to check CPUID, since
KVM_FEATURE_ASYNC_PF_INT can't be detected without "-cpu host".

Opportunistically update the "help" section to describe how to setup
cgroups for cgroup v1 vs. v2.

Signed-off-by: Dan Wu <dan1.wu@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Link: https://lore.kernel.org/r/20240108063014.41117-1-dan1.wu@intel.com
[sean: report skip instead of fail if no async #PFs occur, massage changelog]
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

Merge tag 'kvm-x86-2023.09.01' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

x86 fixes, cleanups, and new testcases, and a few generic changes

- Fix a bug in runtime.bash that caused it t

Merge tag 'kvm-x86-2023.09.01' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

x86 fixes, cleanups, and new testcases, and a few generic changes

- Fix a bug in runtime.bash that caused it to mishandle "check" strings with
multiple entries, e.g. a test that depends on multiple module params
- Make the PMU tests depend on vPMU support being enabled in KVM
- Fix PMU's forced emulation test on CPUs with full-width writes
- Add a PMU testcase for measuring TSX transactional cycles
- Nested SVM testcase for virtual NMIs
- Move a pile of code to ASM_TRY() and "safe" helpers
- Set up the guest stack in the LBRV tests so that the tests don't fail if the
compiler decides to generate function calls in guest code
- Ignore the "mispredict" flag in nSVM's LBRV tests to fix false failures
- Clean up usage of helpers that disable interrupts, e.g. stop inserting
unnecessary nops
- Add helpers to dedup code for programming the APIC timer
- Fix a variety of bugs in nVMX testcases related to being a 64-bit host

show more ...

x86: Add vendor specific exception vectors

Intel and AMD have some vendor specific exception vectors, namely:
- Intel only: #VE (20),
- AMD only: #HV (28), #VC (29) and #SX (30).

Also Intel's #XM (

x86: Add vendor specific exception vectors

Intel and AMD have some vendor specific exception vectors, namely:
- Intel only: #VE (20),
- AMD only: #HV (28), #VC (29) and #SX (30).

Also Intel's #XM (19) is called #XF for AMD.

Add definitions for all of these and add comments stating they're vendor
specific.

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://lore.kernel.org/r/20230413184219.36404-4-minipli@grsecurity.net
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Use symbolic names in exception_mnemonic()

Use existing symbolic definitions for vector numbers instead of plain
numbers and streamline the stringification further by using a macro.

While at i

x86: Use symbolic names in exception_mnemonic()

Use existing symbolic definitions for vector numbers instead of plain
numbers and streamline the stringification further by using a macro.

While at it, add the missing case for #CP.

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://lore.kernel.org/r/20230413184219.36404-3-minipli@grsecurity.net
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Drop types.h

The file types.h never declared any types, only exception vectors which
are partially re-defined in processor.h.

Move the remaining vector definitions to processor.h and remove ty

x86: Drop types.h

The file types.h never declared any types, only exception vectors which
are partially re-defined in processor.h.

Move the remaining vector definitions to processor.h and remove types.h,
as all users already include processor.h

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
Link: https://lore.kernel.org/r/20230413184219.36404-2-minipli@grsecurity.net
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: introduce sti_nop() and sti_nop_cli()

Add functions that shorten the common usage of sti

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@r

x86: introduce sti_nop() and sti_nop_cli()

Add functions that shorten the common usage of sti

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Link: https://lore.kernel.org/r/20221122161152.293072-3-mlevitsk@redhat.com
[sean: massage comments]
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: replace irq_{enable|disable}() with sti()/cli()

This removes a layer of indirection which is strictly
speaking not needed since its x86 code anyway.

Signed-off-by: Maxim Levitsky <mlevitsk@red

x86: replace irq_{enable|disable}() with sti()/cli()

This removes a layer of indirection which is strictly
speaking not needed since its x86 code anyway.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Link: https://lore.kernel.org/r/20221122161152.293072-2-mlevitsk@redhat.com
[sean: move and reword IRQ shadow to be above and about safe_halt()]
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Move XSETBV and XGETBV "safe" helpers to processor.h

Move the "safe" helpers for XSETBV and XGETBV to processor.h, and convert
them to use asm_safe() and other common macros as appropriate.

Li

x86: Move XSETBV and XGETBV "safe" helpers to processor.h

Move the "safe" helpers for XSETBV and XGETBV to processor.h, and convert
them to use asm_safe() and other common macros as appropriate.

Link: https://lore.kernel.org/r/20230406025117.738014-6-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Move invpcid_safe() to processor.h and convert to asm_safe()

Move invpcid_safe() to processor.h so that it can be used by other tests,
and convert it to use asm_safe() instead of open coding AS

x86: Move invpcid_safe() to processor.h and convert to asm_safe()

Move invpcid_safe() to processor.h so that it can be used by other tests,
and convert it to use asm_safe() instead of open coding ASM_TRY() usage.

Link: https://lore.kernel.org/r/20230406025117.738014-5-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Add macros to wrap ASM_TRY() for single instructions with output(s)

Add macros for "safe" execution of instructions with outputs. Outputs
require dedicated macros as the variadic arguments she

x86: Add macros to wrap ASM_TRY() for single instructions with output(s)

Add macros for "safe" execution of instructions with outputs. Outputs
require dedicated macros as the variadic arguments shenanigans only work
for one type, i.e. can either be used for inputs or outputs, not both.

Opportunistically provide a common macro for RDMSR and RDPMC, the common
macro can also be used for xgetbv_safe().

Link: https://lore.kernel.org/r/20230406025117.738014-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: Convert inputs-only "safe" instruction helpers to asm_safe()

Convert processor.h's "safe" helpers that do not have outputs to use
asm_safe() instead of open coding the equivalent. Leave instru

x86: Convert inputs-only "safe" instruction helpers to asm_safe()

Convert processor.h's "safe" helpers that do not have outputs to use
asm_safe() instead of open coding the equivalent. Leave instructions
without outputs for a separate, future change as handling outputs is a
bit more complex.

Link: https://lore.kernel.org/r/20230406025117.738014-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86: nSVM: Add support for VNMI test

Add a VNMI test case to test Virtual NMI in a nested environment,
The test covers the Virtual NMI (VNMI) delivery.

Signed-off-by: Santosh Shukla <santosh.shukla

x86: nSVM: Add support for VNMI test

Add a VNMI test case to test Virtual NMI in a nested environment,
The test covers the Virtual NMI (VNMI) delivery.

Signed-off-by: Santosh Shukla <santosh.shukla@amd.com>
[sean: reuse pieces of NMI test framework, fix formatting issues]
Link: https://lore.kernel.org/r/20230405205138.525310-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

x86/msr: Add testcases for MSR_IA32_FLUSH_CMD and its L1D_FLUSH command

Add test coverage to verify MSR_IA32_FLUSH_CMD is write-only, that it can
be written with '0' (nop command) and '1' (L1D flush

x86/msr: Add testcases for MSR_IA32_FLUSH_CMD and its L1D_FLUSH command

Add test coverage to verify MSR_IA32_FLUSH_CMD is write-only, that it can
be written with '0' (nop command) and '1' (L1D flush command) when the L1D
flush command is suported, and that writing any other bit (1-63) triggers
a #GP due to the bits/commands being reserved.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20230328050231.3008531-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/msr: Add testcases for MSR_IA32_FLUSH_CMD and its L1D_FLUSH command

Add test coverage to verify MSR_IA32_FLUSH_CMD is write-only, that it can
be written with '0' (nop command) and '1' (L1D flush

x86/msr: Add testcases for MSR_IA32_FLUSH_CMD and its L1D_FLUSH command

Add test coverage to verify MSR_IA32_FLUSH_CMD is write-only, that it can
be written with '0' (nop command) and '1' (L1D flush command) when the L1D
flush command is suported, and that writing any other bit (1-63) triggers
a #GP due to the bits/commands being reserved.

Link: https://lore.kernel.org/r/20230328050231.3008531-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

Revert "fix printf warning on 32-bit macOS"

This reverts commit 91cc4c3c0b6e17ab816855a16089909607ea8e70.

The issue had been fixed in commit 96772b2e5154 ("lib: x86: Use
portable format macros for

Revert "fix printf warning on 32-bit macOS"

This reverts commit 91cc4c3c0b6e17ab816855a16089909607ea8e70.

The issue had been fixed in commit 96772b2e5154 ("lib: x86: Use
portable format macros for uint32_t") already, just the other
way round by changing the format string. Changing the parameter
now re-introduced the compiler warning, so let's revert this.

Signed-off-by: Thomas Huth <thuth@redhat.com>

show more ...