From patchwork Thu May  9 00:53:18 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Nakajima, Jun" <jun.nakajima@intel.com>
X-Patchwork-Id: 2542421
Return-Path: <kvm-owner@vger.kernel.org>
X-Original-To: patchwork-kvm@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork2.kernel.org (Postfix) with ESMTP id AB37ADF2E5
	for <patchwork-kvm@patchwork.kernel.org>;
	Thu,  9 May 2013 00:53:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755015Ab3EIAxj (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Wed, 8 May 2013 20:53:39 -0400
Received: from mail-pb0-f42.google.com ([209.85.160.42]:44414 "EHLO
	mail-pb0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752619Ab3EIAxi (ORCPT <rfc822; kvm@vger.kernel.org>);
	Wed, 8 May 2013 20:53:38 -0400
Received: by mail-pb0-f42.google.com with SMTP id up7so1595501pbc.29
	for <kvm@vger.kernel.org>; Wed, 08 May 2013 17:53:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=x-received:from:to:subject:date:message-id:x-mailer:in-reply-to
	:references:x-gm-message-state;
	bh=TNWJsqg6taGwy32I/y2tasVhLuLpMBtokTW1h4ndHY4=;
	b=HW1zQ3zUhSWT0j+7UCdEsawaaFxd3PDKXIMjZxKHJ24U0yqPY/n9u+HqEZVia16iWC
	PHgIHd5WpFoj28l5TTqzwfh3Je81rV79QZHKzv6v+Av1qq6+tOKOKYi6V2gIWgqCzvbx
	LuxWKGomG8afQSQtpNyT7crbNbYR+t1W9/9OEc7VYXSdzC86HcJBiHFEKlnSsKMUKMgo
	nrLBkyjwZDLhQxkilrKKXkyC7iTV3rG2M9nN4u+5yrMyNXlX3NIMhQqr2SRAKkLfM+TX
	3bdEPJzm1Ex9LlYNNSfB4qOT+ZyiGwMGmvNrfzVWnm77B93TaseGTGP5Hd3xezdk7WB+
	mciQ==
X-Received: by 10.66.232.196 with SMTP id tq4mr10781614pac.167.1368060817927;
	Wed, 08 May 2013 17:53:37 -0700 (PDT)
Received: from localhost (c-98-207-34-191.hsd1.ca.comcast.net.
	[98.207.34.191]) by mx.google.com with ESMTPSA id
	tq8sm708445pbc.30.2013.05.08.17.53.35 for <kvm@vger.kernel.org>
	(version=TLSv1.2 cipher=RC4-SHA bits=128/128);
	Wed, 08 May 2013 17:53:36 -0700 (PDT)
From: Jun Nakajima <jun.nakajima@intel.com>
To: kvm@vger.kernel.org
Subject: [PATCH v3 06/13] nEPT: Fix cr3 handling in nested exit and entry
Date: Wed,  8 May 2013 17:53:18 -0700
Message-Id: <1368060805-2790-6-git-send-email-jun.nakajima@intel.com>
X-Mailer: git-send-email 1.8.2.1.610.g562af5b
In-Reply-To: <1368060805-2790-5-git-send-email-jun.nakajima@intel.com>
References: <1368060805-2790-1-git-send-email-jun.nakajima@intel.com>
	<1368060805-2790-2-git-send-email-jun.nakajima@intel.com>
	<1368060805-2790-3-git-send-email-jun.nakajima@intel.com>
	<1368060805-2790-4-git-send-email-jun.nakajima@intel.com>
	<1368060805-2790-5-git-send-email-jun.nakajima@intel.com>
X-Gm-Message-State: 
 ALoCoQmVZbh/5aUfFWJdwrpWJ3uIeLkiHMUlHH+lxdHN/ZoDDnDLAM4oQuuJYMXVeOB2RZRHMGu3
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

The existing code for handling cr3 and related VMCS fields during nested
exit and entry wasn't correct in all cases:

If L2 is allowed to control cr3 (and this is indeed the case in nested EPT),
during nested exit we must copy the modified cr3 from vmcs02 to vmcs12, and
we forgot to do so. This patch adds this copy.

If L0 isn't controlling cr3 when running L2 (i.e., L0 is using EPT), and
whoever does control cr3 (L1 or L2) is using PAE, the processor might have
saved PDPTEs and we should also save them in vmcs12 (and restore later).

Signed-off-by: Nadav Har'El <nyh@il.ibm.com>
Signed-off-by: Jun Nakajima <jun.nakajima@intel.com>
Signed-off-by: Xinhao Xu <xinhao.xu@intel.com>
---
 arch/x86/kvm/vmx.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 80ab5b1..db8df4c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7602,6 +7602,17 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 	kvm_set_cr3(vcpu, vmcs12->guest_cr3);
 	kvm_mmu_reset_context(vcpu);
 
+	/*
+	 * Additionally, except when L0 is using shadow page tables, L1 or
+	 * L2 control guest_cr3 for L2, so they may also have saved PDPTEs
+	 */
+	if (enable_ept) {
+		vmcs_write64(GUEST_PDPTR0, vmcs12->guest_pdptr0);
+		vmcs_write64(GUEST_PDPTR1, vmcs12->guest_pdptr1);
+		vmcs_write64(GUEST_PDPTR2, vmcs12->guest_pdptr2);
+		vmcs_write64(GUEST_PDPTR3, vmcs12->guest_pdptr3);
+	}
+
 	kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->guest_rsp);
 	kvm_register_write(vcpu, VCPU_REGS_RIP, vmcs12->guest_rip);
 }
@@ -7924,6 +7935,25 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 	vmcs12->guest_pending_dbg_exceptions =
 		vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
 
+	/*
+	 * In some cases (usually, nested EPT), L2 is allowed to change its
+	 * own CR3 without exiting. If it has changed it, we must keep it.
+	 * Of course, if L0 is using shadow page tables, GUEST_CR3 was defined
+	 * by L0, not L1 or L2, so we mustn't unconditionally copy it to vmcs12.
+	 */
+	if (enable_ept)
+		vmcs12->guest_cr3 = vmcs_read64(GUEST_CR3);
+	/*
+	 * Additionally, except when L0 is using shadow page tables, L1 or
+	 * L2 control guest_cr3 for L2, so save their PDPTEs
+	 */
+	if (enable_ept) {
+		vmcs12->guest_pdptr0 = vmcs_read64(GUEST_PDPTR0);
+		vmcs12->guest_pdptr1 = vmcs_read64(GUEST_PDPTR1);
+		vmcs12->guest_pdptr2 = vmcs_read64(GUEST_PDPTR2);
+		vmcs12->guest_pdptr3 = vmcs_read64(GUEST_PDPTR3);
+	}
+
 	vmcs12->vm_entry_controls =
 		(vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) |
 		(vmcs_read32(VM_ENTRY_CONTROLS) & VM_ENTRY_IA32E_MODE);