On Fri, Sep 27, 2019 at 2:45 PM Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:
>
> Write the desired L2 CR3 into vmcs02.GUEST_CR3 during nested VM-Enter
> instead of deferring the VMWRITE until vmx_set_cr3(). If the VMWRITE
> is deferred, then KVM can consume a stale vmcs02.GUEST_CR3 when it
> refreshes vmcs12->guest_cr3 during nested_vmx_vmexit() if the emulated
> VM-Exit occurs without actually entering L2, e.g. if the nested run
> is squashed because nested VM-Enter (from L1) is putting L2 into HLT.
>
> Note, the above scenario can occur regardless of whether L1 is
> intercepting HLT, e.g. L1 can intercept HLT and then re-enter L2 with
> vmcs.GUEST_ACTIVITY_STATE=HALTED. But practically speaking, a VMM will
> likely put a guest into HALTED if and only if it's not intercepting HLT.
>
> In an ideal world where EPT *requires* unrestricted guest (and vice
> versa), VMX could handle CR3 similar to how it handles RSP and RIP,
> e.g. mark CR3 dirty and conditionally load it at vmx_vcpu_run(). But
> the unrestricted guest silliness complicates the dirty tracking logic
> to the point that explicitly handling vmcs02.GUEST_CR3 during nested
> VM-Enter is a simpler overall implementation.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-and-tested-by: Reto Buerki <reet@xxxxxxxxxxx>
> Tested-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
> Reviewed-by: Liran Alon <liran.alon@xxxxxxxxxx>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>

Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>
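The ordering bug the commit message describes, as an added toy model that is not KVM code and not part of the thread: a deferred VMWRITE of CR3 is only flushed when the vCPU actually runs, so an emulated VM-Exit that happens without a real VM-Enter (the HALTED case) refreshes vmcs12.guest_cr3 from a vmcs02.GUEST_CR3 that was never updated. The structures, the function names (model_set_cr3, model_vcpu_run, model_nested_vmexit, model_nested_run) and the two CR3 values are all invented for illustration; the "eager" flag models the fix of writing vmcs02.GUEST_CR3 during nested VM-Enter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the ordering problem, not KVM code. Field and function
 * names mirror the commit message but the structures are invented.
 */
struct vmcs {
	uint64_t guest_cr3;
};

struct vcpu {
	struct vmcs vmcs12;	/* L1's description of L2 */
	struct vmcs vmcs02;	/* the VMCS hardware actually runs L2 from */
	uint64_t cr3;		/* CR3 the vCPU should run with */
	bool cr3_dirty;		/* a VMWRITE of cr3 is still pending */
};

/* Constructed values: what vmcs02 held before, and what L1 asks for now. */
#define PREVIOUS_GUEST_CR3 0x1000ULL
#define L2_CR3             0x2000ULL

/* Deferred path: remember the value, VMWRITE it later. */
static void model_set_cr3(struct vcpu *v, uint64_t cr3)
{
	v->cr3 = cr3;
	v->cr3_dirty = true;
}

/* Only reached when a hardware VM-Enter really happens. */
static void model_vcpu_run(struct vcpu *v)
{
	if (v->cr3_dirty) {
		v->vmcs02.guest_cr3 = v->cr3;
		v->cr3_dirty = false;
	}
	/* ... L2 executes, then hardware VM-Exit ... */
}

/* Emulated VM-Exit to L1: vmcs12 is refreshed from vmcs02. */
static void model_nested_vmexit(struct vcpu *v)
{
	v->vmcs12.guest_cr3 = v->vmcs02.guest_cr3;
}

/*
 * Emulated nested VM-Enter followed by a VM-Exit to L1.
 *   eager  - write L2's CR3 into vmcs02 during VM-Enter (the fix)
 *   halted - L1 enters L2 with GUEST_ACTIVITY_STATE=HALTED, so the run
 *            is squashed and the VM-Exit is emulated without running L2
 * Returns the vmcs12.guest_cr3 value L1 observes afterwards.
 */
uint64_t model_nested_run(bool eager, bool halted)
{
	struct vcpu v = {
		.vmcs12 = { .guest_cr3 = L2_CR3 },
		.vmcs02 = { .guest_cr3 = PREVIOUS_GUEST_CR3 },
		.cr3 = PREVIOUS_GUEST_CR3,
		.cr3_dirty = false,
	};

	/* prepare vmcs02 from vmcs12 */
	if (eager)
		v.vmcs02.guest_cr3 = v.vmcs12.guest_cr3;
	model_set_cr3(&v, v.vmcs12.guest_cr3);

	if (!halted)
		model_vcpu_run(&v);	/* deferred VMWRITE is flushed here */

	model_nested_vmexit(&v);	/* refresh vmcs12 from vmcs02 */
	return v.vmcs12.guest_cr3;
}

int main(void)
{
	static const struct { bool eager, halted; } cases[] = {
		{ false, false }, { false, true }, { true, false }, { true, true },
	};
	for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t cr3 = model_nested_run(cases[i].eager, cases[i].halted);
		printf("eager=%d halted=%d -> vmcs12.guest_cr3=0x%llx (%s)\n",
		       cases[i].eager, cases[i].halted, (unsigned long long)cr3,
		       cr3 == L2_CR3 ? "ok" : "STALE");
	}
	return 0;
}
```

Only the deferred-and-halted combination yields the stale PREVIOUS_GUEST_CR3; writing vmcs02.GUEST_CR3 during nested VM-Enter makes the result independent of whether the vCPU actually ran.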