Merge tag 'kvm-x86-2025.02.21' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

KVM-Unit-Tests x86 changes:

- Expand the per-CPU data+stack area to 12KiB per CPU to reduce the
probability

Merge tag 'kvm-x86-2025.02.21' of https://github.com/kvm-x86/kvm-unit-tests into HEAD

KVM-Unit-Tests x86 changes:

- Expand the per-CPU data+stack area to 12KiB per CPU to reduce the
probability of tests overflowing their stack and clobbering pre-CPU
data.

- Add testcases for LA57 canonical checks.

- Add testcases for LAM.

- Add a smoke test to make sure KVM doesn't bleed split-lock #AC/#DB into
the guest.

- Fix many warts and bugs in the PMU test, and prepare it for PMU version 5
and beyond.

- Many misc fixes and cleanups.

show more ...

x86/debug: Add a split-lock #AC / bus-lock #DB testcase

Add a testcase to the debug test to verify that a split-lock in the guest
does NOT result in an #AC or #DB (and that the test isn't killed).

x86/debug: Add a split-lock #AC / bus-lock #DB testcase

Add a testcase to the debug test to verify that a split-lock in the guest
does NOT result in an #AC or #DB (and that the test isn't killed). While
KVM may run the guest with split-lock #AC enabled, KVM should never inject
an #AC into the guest. And Bus Lock Detect/Trap should flat out never be
enabled while KVM is running the guest.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=219787
Link: https://lore.kernel.org/all/bug-219787-28872@https.bugzilla.kernel.org%2F
Link: https://lore.kernel.org/r/20250221204148.2171418-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

show more ...

debug: add testcase for singlestepping over STI;HLT

Test that HLT sets RIP correctly when returning from singlestep.
QEMU's emulation is currently not injecting a #DB exception
for single-step at al

debug: add testcase for singlestepping over STI;HLT

Test that HLT sets RIP correctly when returning from singlestep.
QEMU's emulation is currently not injecting a #DB exception
for single-step at all after an HLT instruction. Also, after
single-step is injected EFLAGS.IF might very well be zero,
meaning that the CPU would not have to leave HLT. Check
that the emulation is not confused, i.e. that it remembers
that it has _already_ left HLT.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: Fix test failures as a result of using clang-18

When building 'debug' test on clang-18 the compiler more aggressively
inlines helper functions. This results in test failures because some
of th

x86: Fix test failures as a result of using clang-18

When building 'debug' test on clang-18 the compiler more aggressively
inlines helper functions. This results in test failures because some
of the helpers are not intended to be inlined. Fix this by marking
those functions with 'noinline'.

Reported-by: John Sperbeck <jsperbeck@google.com>
Signed-off-by: Aaron Lewis <aaronlewis@google.com>
Message-Id: <20221129203240.1815829-1-aaronlewis@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86 UEFI: Fix broken build for UEFI

UEFI loads EFI applications to dynamic runtime addresses, so it requires
all applications to be compiled as PIC (position independent code).

The new introduced s

x86 UEFI: Fix broken build for UEFI

UEFI loads EFI applications to dynamic runtime addresses, so it requires
all applications to be compiled as PIC (position independent code).

The new introduced single-step #DB tests series bring some compile time
absolute address, fixed it with RIP relative address.

Fixes: 9734b4236294 ("x86/debug: Add framework for single-step #DB tests")
Fixes: 6bfb9572ec04 ("x86/debug: Test IN instead of RDMSR for single-step #DB emulation test")
Fixes: bc0dd8bdc627 ("x86/debug: Add single-step #DB + STI/MOVSS blocking tests")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Message-Id: <20220210092044.18808-1-zhenzhong.duan@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: Explicitly write DR6 in the H/W watchpoint + DR6.BS sub-test

Explicitly set DR6.BS for the sub-test that verifies DR6.BS isn't cleared
when a data breakpoint (a.k.a. H/W watchpoint) #DB o

x86/debug: Explicitly write DR6 in the H/W watchpoint + DR6.BS sub-test

Explicitly set DR6.BS for the sub-test that verifies DR6.BS isn't cleared
when a data breakpoint (a.k.a. H/W watchpoint) #DB occurs. Relying on
the single-step #DB tests to leave DR6 is all kinds of mean.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-8-seanjc@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: Add single-step #DB + STI/MOVSS blocking tests

Add a variety of test cases to verify single-step #DB interaction with
STI and MOVSS blocking. Of particular note are STI blocking and MOVS

x86/debug: Add single-step #DB + STI/MOVSS blocking tests

Add a variety of test cases to verify single-step #DB interaction with
STI and MOVSS blocking. Of particular note are STI blocking and MOVSS
blocking with DR7.GD=1, both of which require manual intervention from
the hypervisor to set vmcs.GUEST_PENDING_DBG_EXCEPTION.BS when
re-injecting an intercepted #DB with STI/MOVSS blocking active.

Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Alexander Graf <graf@amazon.de>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: Overhaul definitions for DR6 and DR7 bits

Clean up the mess that is debugreg.h to follow the nomenclature used by
the SDM and the kernel (as best as possible). Use the "new" defines in
various

x86: Overhaul definitions for DR6 and DR7 bits

Clean up the mess that is debugreg.h to follow the nomenclature used by
the SDM and the kernel (as best as possible). Use the "new" defines in
various tests. Opportunistically add a define for VMX's extra flag in
vmcs.GUEST_PENDING_DBG_EXCEPTIONS that is set if any DR0-3 trap matched
and was enabled.

No functional change intended.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: Run single-step #DB tests in usermode (and kernel mode)

Run the single-step #DB tests in usermode in addition to running them in
kernel mode, i.e. run at CPL0 and CPL3.

Signed-off-by: Se

x86/debug: Run single-step #DB tests in usermode (and kernel mode)

Run the single-step #DB tests in usermode in addition to running them in
kernel mode, i.e. run at CPL0 and CPL3.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: Test IN instead of RDMSR for single-step #DB emulation test

Replace RDMSR with IN so that testing single-step #DBs on emulated
instructions can be run in userspace (by modifying IOPL). I

x86/debug: Test IN instead of RDMSR for single-step #DB emulation test

Replace RDMSR with IN so that testing single-step #DBs on emulated
instructions can be run in userspace (by modifying IOPL). IN is also
more interesting in that it is guaranteed to exit to host userspace,
whereas RDMSR will do so if and only if userspace is filtering the target
MSR.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: Add framework for single-step #DB tests

Add a framework to the "debug" test for running single-step #DB tests,
future commits will extend the single-step tests to run in usermode and
to v

x86/debug: Add framework for single-step #DB tests

Add a framework to the "debug" test for running single-step #DB tests,
future commits will extend the single-step tests to run in usermode and
to verify interaction with STI and MOVSS blocking.

Opportunistically add comments and stop open coding RFLAGS stuff.

No functional change intended.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20220120002923.668708-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Test: x86: Move setter/getter for Debug registers to common library

The setter/getter functions for the DR0..DR3 registers exist in debug.c
test and hence they can not be re-used by other tests. The

Test: x86: Move setter/getter for Debug registers to common library

The setter/getter functions for the DR0..DR3 registers exist in debug.c
test and hence they can not be re-used by other tests. Therefore, move
them to the common library.

Signed-off-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Message-Id: <20210726180226.253738-2-krish.sadhukhan@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: add CR4.DE test to debug.flat

Check whether reading/writing DR4 generates an undefined opcode exception.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

x86: always set up SMP

Currently setup_vm cannot assume that it can invoke IPIs, and therefore
only initializes CR0/CR3/CR4 on the CPU it runs on. In order to keep the
initialization code clean, le

x86: always set up SMP

Currently setup_vm cannot assume that it can invoke IPIs, and therefore
only initializes CR0/CR3/CR4 on the CPU it runs on. In order to keep the
initialization code clean, let's just call smp_init (and therefore
setup_idt) unconditionally.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: Move definition of some exception vectors into processor.h

Both processor.h and desc.h hold some definitions of exception vector.
put them together in processor.h

Signed-off-by: Xiaoyao Li <xi

x86: Move definition of some exception vectors into processor.h

Both processor.h and desc.h hold some definitions of exception vector.
put them together in processor.h

Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Switch the order of the parameters in report() and report_xfail()

Commit c09c54c66b1df ("lib: use an argument which doesn't require
default argument promotion") fixed a warning that occurs with Clan

Switch the order of the parameters in report() and report_xfail()

Commit c09c54c66b1df ("lib: use an argument which doesn't require
default argument promotion") fixed a warning that occurs with Clang,
but introduced a regression: If the "pass" parameter is a value
which has only set the condition bits in the upper 32 bits of a
64 bit value, the condition is now false since the value is truncated
to "unsigned int" so that the upper bits are simply discarded.

We fixed it by reverting the commit, but that of course also means
trouble with Clang again. We can not use "bool" if it is the last
parameter before the variable argument list. The proper fix is to
swap the parameters around and make the format string the last
parameter.

This patch (except the changes in lib/libcflat.h and lib/report.c
and some rebase conflicts along the way) has basically been created
with following coccinelle script (with some additional manual tweaking
of long and disabled lines afterwards):

@@
expression fmt;
expression pass;
expression list args;
@@
report(
-fmt, pass
+pass, fmt
, args);

@@
expression fmt;
expression pass;
expression list args;
@@
report_xfail(
-fmt, xfail, pass
+xfail, pass, fmt
, args);

Tested-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20191206113102.14914-1-thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: debug: use a constraint that doesn't allow a memory operand

The "lea" instruction cannot load the effective address into a memory
location. The "g" constraint allows a compiler to use a memory

x86: debug: use a constraint that doesn't allow a memory operand

The "lea" instruction cannot load the effective address into a memory
location. The "g" constraint allows a compiler to use a memory location.
A compiler that uses a register destination does so only because one is
available. Use a general register constraint to make sure it always uses
a register.

Signed-off-by: Bill Wendling <morbo@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

debug: add tests for CVE-2018-1087

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

kvm: debug: split bp_addr and db_addr

The same variable is used by both #DB and #BP handlers to store the RIP of
the exception. This can be a bit confusing, so split.

Signed-off-by: Paolo Bonzini

kvm: debug: split bp_addr and db_addr

The same variable is used by both #DB and #BP handlers to store the RIP of
the exception. This can be a bit confusing, so split.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: debug: use assembly labels instead of C labels

This is a bit more resilient to changes in the compiler. If
the compiler puts spill instructions before or after the label,
the test may fail spu

x86: debug: use assembly labels instead of C labels

This is a bit more resilient to changes in the compiler. If
the compiler puts spill instructions before or after the label,
the test may fail spuriously.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: Test single stepping with emulated instructions

This test checks that single stepping through CPUID and RDMSR works.
Both instructions trigger VM exits and are emulated by the hypervisor.

Sign

x86: Test single stepping with emulated instructions

This test checks that single stepping through CPUID and RDMSR works.
Both instructions trigger VM exits and are emulated by the hypervisor.

Signed-off-by: Kyle Huey <khuey@kylehuey.com>
[Fixed dr6 indices to check even dr6[5] and dr6[6].]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

show more ...

x86: additional debug tests

Test the undocumented ICEBP (aka INT1 or INT01) opcode, and test that
dr6.BS is not modified by neither watchpoints nor breakpoints.

Signed-off-by: Paolo Bonzini <pbonzi

x86: additional debug tests

Test the undocumented ICEBP (aka INT1 or INT01) opcode, and test that
dr6.BS is not modified by neither watchpoints nor breakpoints.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86/debug: return report_summary

run_tests always reported 'PASS debug', even when subtests were
failing. Fix that.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Paolo Bonzini <pb

x86/debug: return report_summary

run_tests always reported 'PASS debug', even when subtests were
failing. Fix that.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

x86: Add debug facility test case

This adds a basic test for INT3/#BP, hardware breakpoints, hardware
watchpoints and single-stepping.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-

x86: Add debug facility test case

This adds a basic test for INT3/#BP, hardware breakpoints, hardware
watchpoints and single-stepping.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...