On 2021/10/19 23:25, Sean Christopherson wrote:
> /*
>  * MOV CR3 and INVPCID are usually not intercepted when using TDP, but
>  * this is reachable when running EPT=1 and unrestricted_guest=0, and
>  * also via the emulator. KVM's TDP page tables are not in the scope of
>  * the invalidation, but the guest's TLB entries need to be flushed as
>  * the CPU may have cached entries in its TLB for the target PCID.
>  */
Thanks! It is a better description.

I just read some of the interception policy in vmx.c: if EPT=1 but vmx_need_pf_intercept() returns true for some reasons/configs, #PF is intercepted, but the CR3 write is not intercepted, which means there will be an EPT fault _after_ (IIUC) the CR3 write if the GPA of the new CR3 exceeds the guest maxphyaddr limit. And KVM queues a fault to the guest which is also _after_ the CR3 write, but the guest expects the fault before the write.

IIUC, it can be fixed by intercepting the CR3 write or reversing the CR3 write in the EPT violation handler.

Thanks,
Lai
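The ordering problem described in the reply above, as an added illustration that is not part of this thread and not KVM code: a constructed model of a vCPU with a guest MAXPHYADDR, a MOV-to-CR3 that is validated only after the write has been committed (the non-intercepted path, where the fault is queued from the later EPT violation), and the same write validated before commit (the intercepted path). The struct, helper names and the sample CR3 values are assumptions made for the model; bits maxphyaddr..62 are treated as reserved, and the PCID no-flush bit and the PWT/PCD flag bits are ignored for simplicity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the guest-visible state, not KVM's vcpu structures. */
struct vcpu_model {
    uint64_t cr3;        /* architectural CR3 as the guest sees it */
    unsigned maxphyaddr; /* guest MAXPHYADDR, e.g. 36 */
    bool fault_pending;  /* a fault has been queued for injection */
};

/* Mask of CR3 bits that must be zero for the given MAXPHYADDR (bits maxphyaddr..62). */
static uint64_t cr3_reserved_mask(unsigned maxphyaddr)
{
    if (maxphyaddr >= 63)
        return 0;
    return ((1ULL << (63 - maxphyaddr)) - 1) << maxphyaddr;
}

/*
 * Non-intercepted MOV CR3 under EPT: the CPU commits the write first; the GPA
 * beyond MAXPHYADDR only surfaces as a later EPT violation, and the fault is
 * queued from there. The guest therefore sees the new CR3 together with the fault.
 */
static void mov_cr3_no_intercept(struct vcpu_model *v, uint64_t new_cr3)
{
    v->cr3 = new_cr3;                                   /* write already happened */
    if (new_cr3 & cr3_reserved_mask(v->maxphyaddr))
        v->fault_pending = true;                        /* queued after the fact */
}

/*
 * Intercepted MOV CR3: validate first. Architecturally a MOV to CR3 that sets a
 * reserved bit raises #GP(0) and leaves CR3 unchanged, so queue the fault and
 * do not touch CR3.
 */
static void mov_cr3_intercept(struct vcpu_model *v, uint64_t new_cr3)
{
    if (new_cr3 & cr3_reserved_mask(v->maxphyaddr)) {
        v->fault_pending = true;
        return;
    }
    v->cr3 = new_cr3;
}

/* True if the guest-visible state matches what the architecture specifies. */
static bool state_consistent(const struct vcpu_model *v, uint64_t old_cr3, uint64_t new_cr3)
{
    return v->fault_pending ? v->cr3 == old_cr3 : v->cr3 == new_cr3;
}

/* Run one CR3 write through the chosen path and report whether the result is consistent. */
static bool try_write(bool intercepted, unsigned maxphyaddr, uint64_t old_cr3, uint64_t new_cr3)
{
    struct vcpu_model v = { .cr3 = old_cr3, .maxphyaddr = maxphyaddr, .fault_pending = false };

    if (intercepted)
        mov_cr3_intercept(&v, new_cr3);
    else
        mov_cr3_no_intercept(&v, new_cr3);
    return state_consistent(&v, old_cr3, new_cr3);
}

int main(void)
{
    /* Sample values constructed for the model: MAXPHYADDR 36, new CR3 with bit 40 set. */
    const uint64_t ok  = 0x2000ULL;
    const uint64_t bad = (1ULL << 40) | 0x2000ULL;

    printf("valid CR3, no intercept: %s\n", try_write(false, 36, 0x1000, ok)  ? "consistent" : "INCONSISTENT");
    printf("bad CR3,   no intercept: %s\n", try_write(false, 36, 0x1000, bad) ? "consistent" : "INCONSISTENT");
    printf("bad CR3,   intercepted:  %s\n", try_write(true, 36, 0x1000, bad)  ? "consistent" : "INCONSISTENT");
    return 0;
}
```

The model only captures the ordering point of the reply: in the non-intercepted path CR3 has already changed when the fault is delivered, while intercepting the write (or, equivalently, restoring the old CR3 before queueing the fault) keeps the fault ahead of the write as the guest expects.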