On Tue, Jul 16, 2019 at 07:20:42PM +0300, Liran Alon wrote:
> How can a SMAP fault occur when CPL==3? One of the conditions for SMAP is
> that CPL<3.

The CPU is effectively at CPL0 when it does the decode assist, e.g.:

1. CPL3 guest hits reserved bit NPT fault (MMIO access)
2. CPU transitions to CPL0 on VM-Exit
3. CPU performs data access on %rip, encounters SMAP violation
4. CPU squashes SMAP violation, sets VMCB.insn_len=0
5. CPU delivers VM-Exit to software for original NPT fault

The original NPT fault is due to a reserved bit (or not present) entry for
a MMIO GPA, *not* the GPA corresponding to %rip. The fault on the decode
assist is never delivered to software, it simply results in having invalid
info in the VMCB's insn_bytes and insn_len fields.
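The consequence for a hypervisor is that decode-assist data with insn_len == 0 must be ignored and the instruction re-fetched from guest memory. The guard below is an added illustration, not KVM's code; the struct layout and function names are simplified assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified view of the VMCB decode-assist fields
 * (assumed layout for this example; not the real VMCB structure). */
#define MAX_INSN_BYTES 15

struct vmcb_decode_assist {
    uint8_t insn_len;                   /* 0 when the CPU squashed the fetch */
    uint8_t insn_bytes[MAX_INSN_BYTES]; /* may hold stale data when insn_len == 0 */
};

/*
 * Decide whether the instruction bytes recorded by the CPU's decode assist
 * can be handed to the instruction emulator. As described in the thread, a
 * SMAP fault during the assist's fetch of %rip is never delivered to
 * software; the CPU reports insn_len == 0 and leaves insn_bytes undefined.
 * Such data must be ignored and the bytes re-fetched from guest memory
 * (the refetch is done by the caller and is not shown here).
 */
bool decode_assist_usable(const struct vmcb_decode_assist *da)
{
    if (da->insn_len == 0)
        return false;            /* fetch squashed: nothing valid recorded */
    if (da->insn_len > MAX_INSN_BYTES)
        return false;            /* out-of-range length: treat as corrupt */
    return true;
}

/* Copy the usable bytes out; returns the count copied, or 0 when the
 * caller must fall back to fetching the instruction from guest memory. */
size_t decode_assist_copy(const struct vmcb_decode_assist *da,
                          uint8_t *out, size_t out_len)
{
    if (!decode_assist_usable(da) || out_len < da->insn_len)
        return 0;
    memcpy(out, da->insn_bytes, da->insn_len);
    return da->insn_len;
}
```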