
[1/4] KVM: x86: pending exceptions must not be blocked by an injected event

Message ID 20210401143817.1030695-2-mlevitsk@redhat.com (mailing list archive)
State New, archived
Series KVM: nSVM/nVMX: fix nested virtualization treatment of nested exceptions | expand

Commit Message

Maxim Levitsky April 1, 2021, 2:38 p.m. UTC
Injected interrupts/nmi should not block a pending exception,
but rather be either lost if nested hypervisor doesn't
intercept the pending exception (as in stock x86), or be delivered
in exitintinfo/IDT_VECTORING_INFO field, as a part of a VMexit
that corresponds to the pending exception.

The only reason for an exception to be blocked is when a nested run
is pending (which can't really happen currently,
but is still worth checking for).

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
---
 arch/x86/kvm/svm/nested.c |  8 +++++++-
 arch/x86/kvm/vmx/nested.c | 10 ++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

Comments

Maxim Levitsky April 1, 2021, 5:12 p.m. UTC | #1
On Thu, 2021-04-01 at 19:05 +0200, Paolo Bonzini wrote:
> On 01/04/21 16:38, Maxim Levitsky wrote:
> > Injected interrupts/nmi should not block a pending exception,
> > but rather be either lost if nested hypervisor doesn't
> > intercept the pending exception (as in stock x86), or be delivered
> > in exitintinfo/IDT_VECTORING_INFO field, as a part of a VMexit
> > that corresponds to the pending exception.
> > 
> > The only reason for an exception to be blocked is when nested run
> > is pending (and that can't really happen currently
> > but still worth checking for).
> > 
> > Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> 
> This patch would be an almost separate bugfix, right?  I am going to 
> queue this, but a confirmation would be helpful.

Yes, this patch doesn't depend on anything else.
Thanks!
Best regards,
	Maxim Levitsky

> 
> Paolo
> 
> > ---
> >   arch/x86/kvm/svm/nested.c |  8 +++++++-
> >   arch/x86/kvm/vmx/nested.c | 10 ++++++++--
> >   2 files changed, 15 insertions(+), 3 deletions(-)
> > 
> > diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
> > index 8523f60adb92..34a37b2bd486 100644
> > --- a/arch/x86/kvm/svm/nested.c
> > +++ b/arch/x86/kvm/svm/nested.c
> > @@ -1062,7 +1062,13 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu)
> >   	}
> >   
> >   	if (vcpu->arch.exception.pending) {
> > -		if (block_nested_events)
> > +		/*
> > +		 * Only a pending nested run can block a pending exception.
> > +		 * Otherwise an injected NMI/interrupt should either be
> > +		 * lost or delivered to the nested hypervisor in the EXITINTINFO
> > +		 * vmcb field, while delivering the pending exception.
> > +		 */
> > +		if (svm->nested.nested_run_pending)
> >                           return -EBUSY;
> >   		if (!nested_exit_on_exception(svm))
> >   			return 0;
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index fd334e4aa6db..c3ba842fc07f 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -3806,9 +3806,15 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
> >   
> >   	/*
> >   	 * Process any exceptions that are not debug traps before MTF.
> > +	 *
> > +	 * Note that only a pending nested run can block a pending exception.
> > +	 * Otherwise an injected NMI/interrupt should either be
> > +	 * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO,
> > +	 * while delivering the pending exception.
> >   	 */
> > +
> >   	if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu)) {
> > -		if (block_nested_events)
> > +		if (vmx->nested.nested_run_pending)
> >   			return -EBUSY;
> >   		if (!nested_vmx_check_exception(vcpu, &exit_qual))
> >   			goto no_vmexit;
> > @@ -3825,7 +3831,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
> >   	}
> >   
> >   	if (vcpu->arch.exception.pending) {
> > -		if (block_nested_events)
> > +		if (vmx->nested.nested_run_pending)
> >   			return -EBUSY;
> >   		if (!nested_vmx_check_exception(vcpu, &exit_qual))
> >   			goto no_vmexit;
> >

Patch

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 8523f60adb92..34a37b2bd486 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1062,7 +1062,13 @@  static int svm_check_nested_events(struct kvm_vcpu *vcpu)
 	}
 
 	if (vcpu->arch.exception.pending) {
-		if (block_nested_events)
+		/*
+		 * Only a pending nested run can block a pending exception.
+		 * Otherwise an injected NMI/interrupt should either be
+		 * lost or delivered to the nested hypervisor in the EXITINTINFO
+		 * vmcb field, while delivering the pending exception.
+		 */
+		if (svm->nested.nested_run_pending)
                         return -EBUSY;
 		if (!nested_exit_on_exception(svm))
 			return 0;
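Review bot: The comment added above `if (svm->nested.nested_run_pending)` promises that an injected NMI/interrupt ends up in EXITINTINFO, but the hunk only narrows the -EBUSY guard and shows nothing that records the injected event. The code that fills EXITINTINFO on the synthesized exit is outside the hunk and should be confirmed, because if it is missing the injected event would presumably be dropped even when the nested hypervisor does intercept the exception. Once confirmed, I would name that place in the comment, for example `* (the injected event is saved to EXITINTINFO on the nested VM exit path)`. The same question applies to IDT_VECTORING_INFO at the two `vmx->nested.nested_run_pending` checks in arch/x86/kvm/vmx/nested.c. The context line `return -EBUSY;` under the new check is indented with spaces where the surrounding lines use tabs, and svm_check_nested_events starts and ends outside the hunk.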
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index fd334e4aa6db..c3ba842fc07f 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3806,9 +3806,15 @@  static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
 
 	/*
 	 * Process any exceptions that are not debug traps before MTF.
+	 *
+	 * Note that only a pending nested run can block a pending exception.
+	 * Otherwise an injected NMI/interrupt should either be
+	 * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO,
+	 * while delivering the pending exception.
 	 */
+
 	if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu)) {
-		if (block_nested_events)
+		if (vmx->nested.nested_run_pending)
 			return -EBUSY;
 		if (!nested_vmx_check_exception(vcpu, &exit_qual))
 			goto no_vmexit;
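Review bot: The blank `+` line added between the block comment and `if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu))` detaches the comment from the check it documents and should be dropped. The explanation also covers the second `if (vmx->nested.nested_run_pending)` in the hunk at -3825, which gets the same change with no comment. A one-line pointer there, such as `/* As above: only a pending nested run blocks a pending exception. */`, would keep the two sites from drifting apart. vmx_check_nested_events starts and ends outside both hunks.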
@@ -3825,7 +3831,7 @@  static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
 	}
 
 	if (vcpu->arch.exception.pending) {
-		if (block_nested_events)
+		if (vmx->nested.nested_run_pending)
 			return -EBUSY;
 		if (!nested_vmx_check_exception(vcpu, &exit_qual))
 			goto no_vmexit;