KVM: nVMX: Always forward XSAVES/XRSTORS exits from L2 to L1
authorSean Christopherson <seanjc@google.com>
Fri, 19 Sep 2025 22:32:31 +0000 (15:32 -0700)
committerSean Christopherson <seanjc@google.com>
Tue, 23 Sep 2025 16:18:28 +0000 (09:18 -0700)
Unconditionally forward XSAVES/XRSTORS VM-Exits from L2 to L1, as KVM
doesn't utilize the XSS-bitmap (KVM relies on controlling the XSS value
in hardware to prevent unauthorized access to XSAVES state).  KVM always
loads vmcs02 with vmcs12's bitmap, and so any exit _must_ be due to
vmcs12's XSS-bitmap.

Drop the comment about XSS never being non-zero in anticipation of
enabling CET_KERNEL and CET_USER support.

Opportunistically WARN if XSAVES is not enabled for L2, as the CPU is
supposed to generate #UD before checking the XSS-bitmap.

Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://lore.kernel.org/r/20250919223258.1604852-25-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
arch/x86/kvm/vmx/nested.c

index 2156c9a854f4b092404372e4d0e039cafc2a1dd9..846c07380eac05b498ad6533488faaa02ca0626a 100644 (file)
@@ -6570,14 +6570,17 @@ static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
                return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
        case EXIT_REASON_XSETBV:
                return true;
-       case EXIT_REASON_XSAVES: case EXIT_REASON_XRSTORS:
+       case EXIT_REASON_XSAVES:
+       case EXIT_REASON_XRSTORS:
                /*
-                * This should never happen, since it is not possible to
-                * set XSS to a non-zero value---neither in L1 nor in L2.
-                * If if it were, XSS would have to be checked against
-                * the XSS exit bitmap in vmcs12.
+                * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize
+                * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap
+                * verbatim, i.e. any exit is due to L1's bitmap.  WARN if
+                * XSAVES isn't enabled, as the CPU is supposed to inject #UD
+                * in that case, before consulting the XSS-bitmap.
                 */
-               return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES);
+               WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES));
+               return true;
        case EXIT_REASON_UMWAIT:
        case EXIT_REASON_TPAUSE:
                return nested_cpu_has2(vmcs12,
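Review bot: The new WARN_ON_ONCE in the XSAVES/XRSTORS case sits on a path reached by exits from L2, so it is only safe if L1 cannot arrange for vmcs02 to run with XSAVES enabled while vmcs12 has it disabled; that invariant is not visible in this hunk. The comment explains the CPU's #UD ordering but not why vmcs02's control matches vmcs12's, and a guest-reachable WARN matters on hosts running with panic_on_warn. I would add one sentence to the comment, e.g. `vmcs02's ENABLE_XSAVES is taken solely from vmcs12, so the WARN can only fire on a KVM or CPU bug.`, after confirming that against the code that builds vmcs02's secondary controls. nested_vmx_l1_wants_exit's body starts and ends outside the hunk.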