KVM: nVMX: Switch to vmcs01 to set virtual APICv mode on-demand if L2 is active

If L1's virtual APIC mode changes while L2 is active, e.g. because L1
doesn't intercept writes to the APIC_BASE MSR and L2 changes the mode,
temporarily load vmcs01 and do all of the necessary actions instead of
deferring the update until the next nested VM-Exit.

This will help in fixing yet more issues related to updates while L2 is
active, e.g. KVM neglects to update vmcs02 MSR intercepts if vmcs01's MSR
intercepts are modified while L2 is active.  Not updating x2APIC MSRs is
benign because vmcs01's settings are not factored into vmcs02's bitmap, but
deferring the x2APIC MSR updates would create a weird, inconsistent state.

Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://patch.msgid.link/20260109034532.1012993-8-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 9354d2017fd9de9841904d4585f0e49b7cdb303e..685f016a2233d83915400f88431fd05fb4a94830 100644 (file)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5122,11 +5122,6 @@ void __nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,
        if (kvm_caps.has_tsc_control)
                vmcs_write64(TSC_MULTIPLIER, vcpu->arch.tsc_scaling_ratio);
 
-       if (vmx->nested.change_vmcs01_virtual_apic_mode) {
-               vmx->nested.change_vmcs01_virtual_apic_mode = false;
-               vmx_set_virtual_apic_mode(vcpu);
-       }
-
        nested_put_vmcs12_pages(vcpu);
 
        if ((vm_exit_reason != -1) &&

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index a8ddf0266072b59e2fffa4aadb8e829fc2efa0e7..0d9897f79b71c4b1fd470df5de6518da1672c7dc 100644 (file)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6851,11 +6851,7 @@ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu)
            !cpu_has_vmx_virtualize_x2apic_mode())
                return;
 
-       /* Postpone execution until vmcs01 is the current VMCS. */
-       if (is_guest_mode(vcpu)) {
-               vmx->nested.change_vmcs01_virtual_apic_mode = true;
-               return;
-       }
+       guard(vmx_vmcs01)(vcpu);
 
        sec_exec_control = secondary_exec_controls_get(vmx);
        sec_exec_control &= ~(SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
@@ -6878,8 +6874,17 @@ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu)
                         * only do so if its physical address has changed, but
                         * the guest may have inserted a non-APIC mapping into
                         * the TLB while the APIC access page was disabled.
+                        *
+                        * If L2 is active, immediately flush L1's TLB instead
+                        * of requesting a flush of the current TLB, because
+                        * the current TLB context is L2's.
                         */
-                       kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
+                       if (!is_guest_mode(vcpu))
+                               kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
+                       else if (!enable_ept)
+                               vpid_sync_context(vmx->vpid);
+                       else if (VALID_PAGE(vcpu->arch.root_mmu.root.hpa))
+                               vmx_flush_tlb_ept_root(vcpu->arch.root_mmu.root.hpa);
                }
                break;
        case LAPIC_MODE_X2APIC:

diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index 078bc6fef7e644bb95d63834c23814bb4aefce97..a926ce43ad400486f2155353d22c25dad799e8a3 100644 (file)
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -131,8 +131,6 @@ struct nested_vmx {
         */
        bool vmcs02_initialized;
 
-       bool change_vmcs01_virtual_apic_mode;
-
        /*
         * Enlightened VMCS has been enabled. It does not mean that L1 has to
         * use it. However, VMX features available to L1 will be limited based