On Mon, 2021-05-17 at 15:50 +0200, Vitaly Kuznetsov wrote:
> Unlike VMREAD/VMWRITE/VMPTRLD, VMCLEAR is a valid instruction when
> enlightened VMCS is in use. TLFS has the following brief description:
> "The L1 hypervisor can execute a VMCLEAR instruction to transition an
> enlightened VMCS from the active to the non-active state". Normally,
> this change can be ignored as unmapping active eVMCS can be postponed
> until the next VMLAUNCH instruction but in case nested state is migrated
> with KVM_GET_NESTED_STATE/KVM_SET_NESTED_STATE, keeping eVMCS mapped
> may result in its synchronization with VMCS12 and this is incorrect:
> L1 hypervisor is free to reuse inactive eVMCS memory for something else.
>
> Inactive eVMCS after VMCLEAR can just be unmapped.
>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
> ---
> arch/x86/kvm/vmx/nested.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 3080e00c8f90..ea2869d8b823 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -5008,6 +5008,8 @@ static int handle_vmclear(struct kvm_vcpu *vcpu)
> vmptr + offsetof(struct vmcs12,
> launch_state),
> &zero, sizeof(zero));
> + } else if (vmx->nested.hv_evmcs && vmptr == vmx->nested.hv_evmcs_vmptr) {
> + nested_release_evmcs(vcpu);
> }
Releasing the eVMCS is a good thing not only for migration
but for instance for nested_vmx_fail which could write to
current eVMCS even outside of nested mode
(there is a bug there but you fixed it in the patch 4).
Reviewed-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
Best regards,
Maxim Levitsky
>
> return nested_vmx_succeed(vcpu);
