2017-06-15 13:20+0200, Ladi Prosek: > Nested hypervisor should not see singlestep VM exits if singlestepping > was enabled internally by KVM. Windows is particularly sensitive to this > and known to bluescreen on unexpected VM exits. > > Signed-off-by: Ladi Prosek <lprosek@xxxxxxxxxx> > --- > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > @@ -966,9 +967,13 @@ static void svm_disable_lbrv(struct vcpu_svm *svm) > static void disable_nmi_singlestep(struct vcpu_svm *svm) > { > svm->nmi_singlestep = false; > - if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) > - svm->vmcb->save.rflags &= > - ~(X86_EFLAGS_TF | X86_EFLAGS_RF); > + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) { > + /* Clear our flags if they were not set by the guest */ > + if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_TF)) > + svm->vmcb->save.rflags &= ~X86_EFLAGS_TF; > + if (!(svm->nmi_singlestep_guest_rflags & X86_EFLAGS_RF)) > + svm->vmcb->save.rflags &= ~X86_EFLAGS_RF; IIUC, we intercept/fault on IRET, disable the interception, set TF+RF and enter again, the CPU executes IRET and then we get a #DB exit. IRET pops EFLAGS from before the NMI -- doesn't the CPU properly restore EFLAGS, so we do not need this part here? Thanks.
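Review bot: the new branch in disable_nmi_singlestep() reads svm->nmi_singlestep_guest_rflags, but nothing in this hunk shows where that field is written or reset; it should be filled in at the same point where nmi_singlestep is set to true and TF|RF are ORed into svm->vmcb->save.rflags, otherwise a value left over from an earlier single-step would decide which bits are cleared here. A second concern with the same lines: the comparison is against a snapshot taken when stepping was enabled, so if the guest's own TF changes between enabling and the exit (the IRET being stepped over pops a fresh EFLAGS image), `svm->vmcb->save.rflags &= ~X86_EFLAGS_TF;` can clear a TF the guest set itself when the snapshot had TF clear; either compare against the flags the guest would see at the exit or add a comment explaining why the enable-time snapshot is sufficient for every caller of disable_nmi_singlestep().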