KVM: vmx: disable APIC virtualization in nested guests

While running a nested guest, we should disable APIC virtualization
controls (virtualized APIC register accesses, virtual interrupt
delivery and posted interrupts), because we do not expose them to
the nested guest.

Reported-by: Hu Yaohui <loki2441@gmail.com>
Suggested-by: Abel Gordon <abel@stratoscale.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 33e8c028842f..138ceffc6377 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7778,7 +7778,8 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 
         exec_control = vmcs12->pin_based_vm_exec_control;
         exec_control |= vmcs_config.pin_based_exec_ctrl;
-        exec_control &= ~PIN_BASED_VMX_PREEMPTION_TIMER;
+        exec_control &= ~(PIN_BASED_VMX_PREEMPTION_TIMER |
+                          PIN_BASED_POSTED_INTR);
         vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, exec_control);
 
         vmx->nested.preemption_timer_expired = false;
@@ -7815,7 +7816,9 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                 if (!vmx->rdtscp_enabled)
                         exec_control &= ~SECONDARY_EXEC_RDTSCP;
                 /* Take the following fields only from vmcs12 */
-                exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
+                exec_control &= ~(SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
+                                  SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
+                                  SECONDARY_EXEC_APIC_REGISTER_VIRT);
                 if (nested_cpu_has(vmcs12,
                                 CPU_BASED_ACTIVATE_SECONDARY_CONTROLS))
                         exec_control |= vmcs12->secondary_vm_exec_control;