On 7/30/2025 3:33 AM, Sean Christopherson wrote:
Exit to userspace with -EFAULT and a valid MEMORY_FAULT exit if a vCPU
hits an unexpected pending S-EPT Violation instead of marking the VM dead.
While it's unlikely the VM can continue on, whether or not to terminate
the VM is not KVM's decision to make.
Set memory_fault.size to zero to communicate to userspace that reported
fault is "bad", and to effectively terminate the VM if userspace blindly
treats the exit as a conversion attempt (KVM_SET_MEMORY_ATTRIBUTES will
fail with -EINVAL if the size is zero).
This sets a special contract on size zero.
I had a patch internally, which introduce a new exit type:
+ /* KVM_EXIT_GUEST_ERROR */
+ struct {
+ #define KVM_GUEST_ERROR_TDX_ACCESS_PENDING_PAGE 0
+ __u32 error_type;
+ __u32 ndata;
+ __u64 data[16];
+ } guest_error;
how about it?
Opportunistically delete the pr_warn(), which could be abused to spam the
kernel log, and is largely useless outside of interact debug as it doesn't
specify which VM encountered a failure.
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/vmx/tdx.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c
index 3e0d4edee849..c2ef03f39c32 100644
--- a/arch/x86/kvm/vmx/tdx.c
+++ b/arch/x86/kvm/vmx/tdx.c
@@ -1937,10 +1937,8 @@ static int tdx_handle_ept_violation(struct kvm_vcpu *vcpu)
if (vt_is_tdx_private_gpa(vcpu->kvm, gpa)) {
if (tdx_is_sept_violation_unexpected_pending(vcpu)) {
- pr_warn("Guest access before accepting 0x%llx on vCPU %d\n",
- gpa, vcpu->vcpu_id);
- kvm_vm_dead(vcpu->kvm);
- return -EIO;
+ kvm_prepare_memory_fault_exit(vcpu, gpa, 0, true, false, true);
+ return -EFAULT;
}
/*
* Always treat SEPT violations as write faults. Ignore the
