When the KVM_CAP_X86_USER_SPACE_MSR cap is enabled, userspace can control MSR accesses. In the normal scenario, RDMSR/WRMSR can be intercepted, but when kvm.force_emulation_prefix is enabled, RDMSR/WRMSR with the kvm prefix would trigger a UD and cause instruction emulation. If MSR access is filtered, em_rdmsr()/em_wrmsr() returns X86EMUL_IO_NEEDED, but it is ignored by x86_emulate_instruction(). Then the guest continues execution, but RIP has been updated to point to RDMSR/WRMSR in handle_ud(), so RDMSR/WRMSR can be intercepted and the guest finally exits to userspace by mistake. Such behaviour leads to two vm exits and wastes one instruction emulation.

After letting x86_emulate_instruction() return 0 for RDMSR/WRMSR emulation, if it needs to exit to userspace, its complete_userspace_io callback would call kvm_skip_instruction() to skip the instruction. But for vmx, VMX_EXIT_INSTRUCTION_LEN in the vmcs is invalid for UD, so it can't be used to update RIP; kvm_emulate_instruction() should be used instead. As for svm, nRIP in the vmcb is 0 for UD, so kvm_emulate_instruction() is used. But for nested svm, I'm not sure, since svm_check_intercept() would change nRIP.

Hou Wenlong (2):
  KVM: VMX: fix instruction skipping when handling UD exception
  KVM: X86: Exit to userspace if RDMSR/WRMSR emulation returns X86EMUL_IO_NEEDED

 arch/x86/kvm/vmx/vmx.c | 4 ++--
 arch/x86/kvm/vmx/vmx.h | 9 +++++++++
 arch/x86/kvm/x86.c     | 4 +++-
 3 files changed, 14 insertions(+), 3 deletions(-)

--
2.31.1