don't let scratch base overlap with kvm apic page

ludfjig · ludfjig · commit 0bb7ce7b7a53 · 2026-04-20T18:56:52.000-07:00
Signed-off-by: Ludvig Liljenberg &lt;4257730+ludfjig@users.noreply.github.com&gt;
diff --git a/src/hyperlight_common/src/layout.rs b/src/hyperlight_common/src/layout.rs
@@ -48,12 +48,77 @@ pub const SCRATCH_TOP_EXN_STACK_OFFSET: u64 = 0x20;
 #[cfg(feature = "nanvix-unstable")]
 pub const SCRATCH_TOP_GUEST_COUNTER_OFFSET: u64 = 0x1008;
 
+/// GPA of the LAPIC access page that KVM reserves when hw-interrupts
+/// are enabled. Only relevant for i686 guests in practice,
+/// as amd64/aarch64 MAX_GPA is large enough that scratch
+/// never reaches this address.
+const KVM_APIC_PAGE_GPA: u64 = 0xFEE0_0000;
+
 pub fn scratch_base_gpa(size: usize) -> u64 {
-    (MAX_GPA - size + 1) as u64
+    let base = (MAX_GPA - size + 1) as u64;
+    if base <= KVM_APIC_PAGE_GPA {
+        // Scratch would overlap the LAPIC access page at 0xFEE00000.
+        // Place the entire region just below the APIC page.
+        KVM_APIC_PAGE_GPA - size as u64
+    } else {
+        base
+    }
 }
 pub fn scratch_base_gva(size: usize) -> u64 {
     (MAX_GVA - size + 1) as u64
 }
 
 /// Compute the minimum scratch region size needed for a sandbox.
 pub use arch::min_scratch_size;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn small_scratch_not_relocated() {
+        // Default scratch (288KB) should not be relocated on any arch.
+        let size = 0x48000;
+        let base = scratch_base_gpa(size);
+        assert_eq!(base, (MAX_GPA - size + 1) as u64);
+    }
+
+    #[test]
+    fn scratch_avoids_apic_page() {
+        // For any scratch size, the region [base, base+size) must not
+        // contain the APIC page at 0xFEE00000.
+        for &size in &[0x48000, 0x100000, 0x2000000, 0x6000000] {
+            let base = scratch_base_gpa(size);
+            let end = base + size as u64;
+            let apic_start = KVM_APIC_PAGE_GPA;
+            let apic_end = KVM_APIC_PAGE_GPA + 0x1000;
+            let overlaps = base < apic_end && end > apic_start;
+            assert!(
+                !overlaps,
+                "scratch [base={:#x}, end={:#x}) overlaps APIC [{:#x}, {:#x}) for size={:#x}",
+                base, end, apic_start, apic_end, size,
+            );
+        }
+    }
+
+    /// On i686, MAX_GPA is 0xFFFFFFFF, so large scratch regions would
+    /// normally overlap the APIC page. Verify relocation works.
+    #[cfg(feature = "nanvix-unstable")]
+    #[test]
+    fn i686_large_scratch_relocated() {
+        let size = 0x2000000; // 32MB
+        let base = scratch_base_gpa(size);
+        assert_eq!(base, KVM_APIC_PAGE_GPA - size as u64);
+        assert!(base + size as u64 <= KVM_APIC_PAGE_GPA);
+    }
+
+    #[cfg(feature = "nanvix-unstable")]
+    #[test]
+    fn i686_scratch_just_fitting_not_relocated() {
+        // Scratch of ~18MB starts at 0xFEE00001, just above the APIC page.
+        let size = 0x11FFFFF;
+        let base = scratch_base_gpa(size);
+        assert_eq!(base, (MAX_GPA - size + 1) as u64);
+        assert!(base > KVM_APIC_PAGE_GPA);
+    }
+}
