On Sun, Oct 11, 2020 at 02:48:18PM -0400, Cathy Avery wrote: > @@ -628,8 +620,10 @@ int nested_svm_vmexit(struct vcpu_svm *svm) > nested_vmcb->control.pause_filter_thresh = > svm->vmcb->control.pause_filter_thresh; > > - /* Restore the original control entries */ > - copy_vmcb_control_area(&vmcb->control, &hsave->control); > + nested_svm_vmloadsave(svm->nested.vmcb02, svm->vmcb01); > + > + svm->vmcb = svm->vmcb01; > + svm->vmcb_pa = svm->vmcb01_pa; I very highly recommend adding a helper to switch VMCB. Odds are very good there will be more than just these two lines of boilerplate code for changing the active VMCB. > > /* On vmexit the GIF is set to false */ > svm_set_gif(svm, false); ... > @@ -1121,16 +1102,24 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu, > if (!(save.cr0 & X86_CR0_PG)) > return -EINVAL; > > + svm->nested.vmcb02->control = svm->vmcb01->control; > + svm->nested.vmcb02->save = svm->vmcb01->save; > + svm->vmcb01->save = save; > + > + WARN_ON(svm->vmcb == svm->nested.vmcb02); I'm pretty sure this is user triggerable. AFAIK, nothing prevents calling svm_set_nested_state() while L2 is active, e.g. VMX explicitly (and forcefully) kicks the vCPU out of L2 in vmx_set_nested_state(). > + > + svm->nested.vmcb = kvm_state->hdr.svm.vmcb_pa; > + > + svm->vmcb = svm->nested.vmcb02; > + svm->vmcb_pa = svm->nested.vmcb02_pa; > + > /* > - * All checks done, we can enter guest mode. L1 control fields > - * come from the nested save state. Guest state is already > - * in the registers, the save area of the nested state instead > - * contains saved L1 state. > + * All checks done, we can enter guest mode. L2 control fields will > + * be the result of a combination of L1 and userspace indicated > + * L12.control. The save area of L1 vmcb now contains the userspace > + * indicated L1.save. > */ > - copy_vmcb_control_area(&hsave->control, &svm->vmcb->control); > - hsave->save = save; > > - svm->nested.vmcb = kvm_state->hdr.svm.vmcb_pa; > load_nested_vmcb_control(svm, &ctl); > nested_prepare_vmcb_control(svm); >
