executor: sys/linux: SYZOS: add support for AMD Nested Event Injection

Implement SYZOS_API_NESTED_AMD_INJECT_EVENT to allow the L1 guest to
inject events (Interrupts, NMIs, Exceptions) into L2 via the VMCB EVENTINJ
field.

This primitive abstracts the VMCB bit-packing logic
(Vector, Type, Valid, Error Code) into a high-level API, enabling the fuzzer
to semantically mutate event injection parameters.

This targets KVM's nested event merging logic, specifically where L0 must
reconcile L1-injected events with Host-pending events.

Author: ramosian-glider

executor/common_kvm_amd64_syzos.h

@@ -36,6 +36,7 @@ typedef enum {
 	SYZOS_API_NESTED_AMD_INVLPGA = 381,
 	SYZOS_API_NESTED_AMD_STGI = 382,
 	SYZOS_API_NESTED_AMD_CLGI = 383,
+	SYZOS_API_NESTED_AMD_INJECT_EVENT = 384,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
@@ -119,6 +120,7 @@ GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5
 GUEST_CODE static void guest_handle_nested_amd_invlpga(struct api_call_2* cmd, uint64 cpu_id);
 GUEST_CODE static void guest_handle_nested_amd_stgi();
 GUEST_CODE static void guest_handle_nested_amd_clgi();
+GUEST_CODE static void guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64 cpu_id);
 
 typedef enum {
 	UEXIT_END = (uint64)-1,
@@ -243,6 +245,9 @@ guest_main(uint64 size, uint64 cpu)
 		} else if (call == SYZOS_API_NESTED_AMD_CLGI) {
 			// Clear Global Interrupt Flag (Disable Interrupts, including NMI).
 			guest_handle_nested_amd_clgi();
+		} else if (call == SYZOS_API_NESTED_AMD_INJECT_EVENT) {
+			// Inject an event (IRQ/Exception) into the L2 guest via VMCB.
+			guest_handle_nested_amd_inject_event((struct api_call_5*)cmd, cpu);
 		}
 		addr += cmd->size;
 		size -= cmd->size;
@@ -1326,4 +1331,32 @@ guest_handle_nested_amd_clgi()
 	asm volatile("clgi" ::: "memory");
 }
 
+GUEST_CODE static noinline void
+guest_handle_nested_amd_inject_event(struct api_call_5* cmd, uint64 cpu_id)
+{
+	if (get_cpu_vendor() != CPU_VENDOR_AMD)
+		return;
+
+	uint64 vm_id = cmd->args[0];
+	uint64 vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id);
+
+	uint64 vector = cmd->args[1] & 0xFF;
+	uint64 type = cmd->args[2] & 0x7;
+	uint64 error_code = cmd->args[3] & 0xFFFFFFFF;
+	uint64 flags = cmd->args[4];
+
+	// Flags bit 0: Valid (V)
+	// Flags bit 1: Error Code Valid (EV)
+	uint64 event_inj = vector;
+	event_inj |= (type << 8);
+	if (flags & 2)
+		event_inj |= (1ULL << 11); // EV bit
+	if (flags & 1)
+		event_inj |= (1ULL << 31); // V bit
+	event_inj |= (error_code << 32);
+
+	// Write to VMCB Offset 0x60 (EVENTINJ)
+	vmcb_write64(vmcb_addr, 0x60, event_inj);
+}
+
 #endif // EXECUTOR_COMMON_KVM_AMD64_SYZOS_H

sys/linux/dev_kvm_amd64.txt

@@ -152,6 +152,14 @@ syzos_api_nested_amd_invlpga {
 	asid	int64[0:65535]
 }
 
+syzos_api_nested_amd_inject_event {
+	vm_id		syzos_api_vm_id
+	vector		int64[0:255]
+	type		int64[0:7]
+	error_code	int64
+	flags		int64[0:3]
+}
+
 # IDs here must match those in executor/common_kvm_amd64_syzos.h.
 syzos_api_call$x86 [
 	uexit				syzos_api$x86[0, intptr]
@@ -174,6 +182,7 @@ syzos_api_call$x86 [
 	nested_amd_invlpga		syzos_api$x86[381, syzos_api_nested_amd_invlpga]
 	nested_amd_stgi			syzos_api$x86[382, void]
 	nested_amd_clgi			syzos_api$x86[383, void]
+	nested_amd_inject_event		syzos_api$x86[384, syzos_api_nested_amd_inject_event]
 ] [varlen]
 
 kvm_text_x86 [

sys/linux/test/amd64-syz_kvm_nested_amd_inject

@@ -0,0 +1,37 @@
+#
+# requires: arch=amd64 -threaded
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = syz_kvm_setup_syzos_vm$x86(r1, &(0x7f0000c00000/0x400000)=nil)
+
+# Test AMD Nested Event Injection.
+#
+# 1. Setup nested environment (L1) and Create VM (L2).
+# 2. Inject an NMI (Vector 2, Type 2, Valid) into L2 via VMCB EVENTINJ.
+# 3. Launch L2.
+#    - This forces KVM L0 to parse EVENTINJ and handle the injection.
+#    - We expect L0 to succeed without crashing.
+#
+# Arguments for INJECT_EVENT:
+# vm_id=0
+# vector=2 (NMI)
+# type=2 (NMI)
+# error_code=0
+# flags=1 (Valid=1, EV=0)
+#
+r3 = syz_kvm_add_vcpu$x86(r2, &AUTO={0x0, &AUTO=[@enable_nested={AUTO, AUTO, 0x0}, @nested_create_vm={AUTO, AUTO, 0x0}, @nested_amd_inject_event={AUTO, AUTO, {0x0, 0x2, 0x2, 0x0, 0x1}}, @nested_vmlaunch={AUTO, AUTO, 0x0}, @uexit={AUTO, AUTO, 0xface}], AUTO})
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run the VCPU.
+# The guest executes the injection and launch.
+# If KVM L0 processes the EVENTINJ correctly, the guest should eventually exit back to us.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0xface)
+
+# Cleanup
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0xffffffff)