Defer updating SVI (i.e. the VMCS's highest ISR cache) when L2 is active, but L1 has not enabled virtual interrupt delivery for L2, as an EOI that is emulated _by KVM_ in such a case acts on L1's ISR, i.e. vmcs01 needs to reflect the updated ISR when L1 is next run. Note, L1's ISR is also effectively L2's ISR in such a setup, but because virtual interrupt deliver is disable for L2, there's no need to update SVI in vmcs02, because it will never be used. v2: - WARN only if the vCPU is running to avoid false positives due to userspace stuffing APIC state while L2 is active. [Chao] - Grab Chao's Tested-by. v1: https://lore.kernel.org/all/20241101192114.1810198-1-seanjc@xxxxxxxxxx Chao Gao (1): KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID Sean Christopherson (1): KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update() arch/x86/include/asm/kvm_host.h | 2 +- arch/x86/kvm/lapic.c | 22 ++++++++++++++++------ arch/x86/kvm/lapic.h | 1 + arch/x86/kvm/vmx/nested.c | 5 +++++ arch/x86/kvm/vmx/vmx.c | 23 ++++++++++++++++++++++- arch/x86/kvm/vmx/vmx.h | 1 + arch/x86/kvm/vmx/x86_ops.h | 2 +- 7 files changed, 47 insertions(+), 9 deletions(-) base-commit: 4d911c7abee56771b0219a9fbf0120d06bdc9c14 -- 2.47.0.338.g60cca15819-goog