kvm: vmx: Flush TLB when the APIC-access address changes

Quoting from the Intel SDM, volume 3, section 28.3.3.4: Guidelines for Use of the INVEPT Instruction: If EPT was in use on a logical processor at one time with EPTP X, it is recommended that software use the INVEPT instruction with the "single-context" INVEPT type and with EPTP X in the INVEPT descriptor before a VM entry on the same logical processor that enables EPT with EPTP X and either (a) the "virtualize APIC accesses" VM-execution control was changed from 0 to 1; or (b) the value of the APIC-access address was changed. In the nested case, the burden falls on L1, unless L0 enables EPT in vmcs02 when L1 doesn't enable EPT in vmcs12. Signed-off-by: Jim Mattson <jmattson@google.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
author: Jim Mattson <jmattson@google.com> 2017-03-16 16:53:59 -0400
committer: Paolo Bonzini <pbonzini@redhat.com> 2017-03-23 14:02:06 -0400
commit: fb6c8198431311027c3434d4e94ab8bc040f7aea (patch)
tree: 24158162ec309947b0452170b391aff74ff0a12d
parent: c761159cf81b8641290f7559a8d8e30f6ab92669 (diff)
1 files changed, 17 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c66436530a93..e2f608283a5a 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4024,6 +4024,12 @@ static void vmx_flush_tlb(struct kvm_vcpu *vcpu)
        __vmx_flush_tlb(vcpu, to_vmx(vcpu)->vpid);
 }
+static void vmx_flush_tlb_ept_only(struct kvm_vcpu *vcpu)
+{
+        if (enable_ept)
+                vmx_flush_tlb(vcpu);
+}
 static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu)
 {
        ulong cr0_guest_owned_bits = vcpu->arch.cr0_guest_owned_bits;
@@ -8548,6 +8554,7 @@ static void vmx_set_virtual_x2apic_mode(struct kvm_vcpu *vcpu, bool set)
        } else {
                sec_exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;
                sec_exec_control |= SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
+                vmx_flush_tlb_ept_only(vcpu);
        }
        vmcs_write32(SECONDARY_VM_EXEC_CONTROL, sec_exec_control);
@@ -8573,8 +8580,10 @@ static void vmx_set_apic_access_page_addr(struct kvm_vcpu *vcpu, hpa_t hpa)
         */
        if (!is_guest_mode(vcpu) ||
            !nested_cpu_has2(get_vmcs12(&vmx->vcpu),
-                             SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES))
+                             SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
                vmcs_write64(APIC_ACCESS_ADDR, hpa);
+                vmx_flush_tlb_ept_only(vcpu);
+        }
 }
 static void vmx_hwapic_isr_update(struct kvm_vcpu *vcpu, int max_isr)
@@ -10256,6 +10265,9 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
        if (nested_cpu_has_ept(vmcs12)) {
                kvm_mmu_unload(vcpu);
                nested_ept_init_mmu_context(vcpu);
+        } else if (nested_cpu_has2(vmcs12,
+                                   SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
+                vmx_flush_tlb_ept_only(vcpu);
        }
        /*
@@ -11055,6 +11067,10 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
                vmx->nested.change_vmcs01_virtual_x2apic_mode = false;
                vmx_set_virtual_x2apic_mode(vcpu,
                                vcpu->arch.apic_base & X2APIC_ENABLE);
+        } else if (!nested_cpu_has_ept(vmcs12) &&
+                   nested_cpu_has2(vmcs12,
+                                   SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
+                vmx_flush_tlb_ept_only(vcpu);
        }
        /* This is needed for same reason as it was needed in prepare_vmcs02 */
author	Jim Mattson <jmattson@google.com>	2017-03-16 16:53:59 -0400
committer	Paolo Bonzini <pbonzini@redhat.com>	2017-03-23 14:02:06 -0400
commit	fb6c8198431311027c3434d4e94ab8bc040f7aea (patch)
tree	24158162ec309947b0452170b391aff74ff0a12d
parent	c761159cf81b8641290f7559a8d8e30f6ab92669 (diff)