Date: Fri, 5 Dec 2025 15:19:12 -0800
Message-ID: <20251205231913.441872-10-seanjc@google.com>
In-Reply-To: <20251205231913.441872-1-seanjc@google.com>
References: <20251205231913.441872-1-seanjc@google.com>
Subject: [PATCH v3 09/10] KVM: nVMX: Switch to vmcs01 to set virtual APICv mode on-demand if L2 is active
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Dongli Zhang, Chao Gao

If L1's virtual APIC mode changes while L2 is active, e.g. because L1
doesn't intercept writes to the APIC_BASE MSR and L2 changes the mode,
temporarily load vmcs01 and do all of the necessary actions instead of
deferring the update until the next nested VM-Exit.

This will help in fixing yet more issues related to updates while L2 is
active, e.g. KVM neglects to update vmcs02 MSR intercepts if vmcs01's MSR
intercepts are modified while L2 is active. Not updating x2APIC MSRs is
benign because vmcs01's settings are not factored into vmcs02's bitmap, but
deferring the x2APIC MSR updates would create a weird, inconsistent state.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx/nested.c |  5 -----
 arch/x86/kvm/vmx/vmx.c    | 17 +++++++++++------
 arch/x86/kvm/vmx/vmx.h    |  2 --
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 8196a1ac22e1..b99e3c80d43e 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c
@@ -5143,11 +5143,6 @@ void __nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 = vm_exit_reason, if (kvm_caps.has_tsc_control) vmcs_write64(TSC_MULTIPLIER, vcpu->arch.tsc_scaling_ratio); =20 - if (vmx->nested.change_vmcs01_virtual_apic_mode) { - vmx->nested.change_vmcs01_virtual_apic_mode =3D false; - vmx_set_virtual_apic_mode(vcpu); - } - nested_put_vmcs12_pages(vcpu); =20 if ((vm_exit_reason !=3D -1) && diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index af8ec72e8ebf..ef8d29c677b9 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -6842,11 +6842,7 @@ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu) !cpu_has_vmx_virtualize_x2apic_mode()) return; =20 - /* Postpone execution until vmcs01 is the current VMCS. */ - if (is_guest_mode(vcpu)) { - vmx->nested.change_vmcs01_virtual_apic_mode =3D true; - return; - } + guard(vmx_vmcs01)(vcpu); =20 sec_exec_control =3D secondary_exec_controls_get(vmx); sec_exec_control &=3D ~(SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES | @@ -6869,8 +6865,17 @@ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu) * only do so if its physical address has changed, but * the guest may have inserted a non-APIC mapping into * the TLB while the APIC access page was disabled. + * + * If L2 is active, immediately flush L1's TLB instead + * of requesting a flush of the current TLB, because + * the current TLB context is L2's. */ - kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu); + if (!is_guest_mode(vcpu)) + kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu); + else if (!enable_ept) + vpid_sync_context(to_vmx(vcpu)->vpid); + else if (VALID_PAGE(vcpu->arch.root_mmu.root.hpa)) + vmx_flush_tlb_ept_root(vcpu->arch.root_mmu.root.hpa); } break; case LAPIC_MODE_X2APIC: diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 078bc6fef7e6..a926ce43ad40 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h 
@@ -131,8 +131,6 @@ struct nested_vmx { */ bool vmcs02_initialized; =20 - bool change_vmcs01_virtual_apic_mode; - /* * Enlightened VMCS has been enabled. It does not mean that L1 has to * use it. However, VMX features available to L1 will be limited based --=20 2.52.0.223.gf5cc29aaa4-goog
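Review bot: In the vmx.c hunk at -6842 (vmx_set_virtual_apic_mode()), the new guard(vmx_vmcs01)(vcpu) line has no comment, while the code it replaces carried one ("Postpone execution until vmcs01 is the current VMCS"). Everything after the guard, starting with secondary_exec_controls_get(vmx), now depends on vmcs01 being the loaded VMCS even when is_guest_mode(vcpu) is true. A one-line comment above the guard saying that vmcs01 is temporarily loaded for the rest of the function if L2 is active, as the changelog describes, would keep that requirement visible to anyone who later adds an early return or moves code above the guard.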
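Review bot: In the vmx.c hunk at -6869 (the APIC-access TLB flush), the L2-active path with enable_ept set performs no flush at all when VALID_PAGE(vcpu->arch.root_mmu.root.hpa) is false, and the added comment does not explain why skipping is safe in that case. Since the surrounding comment exists precisely because a stale non-APIC mapping may sit in L1's TLB, please extend it to state why an invalid root_mmu root means there is nothing of L1's to flush, or add an explicit fallback. Minor style point in the same hunk: the function already uses a local vmx, so vmx->vpid would match the surrounding code better than to_vmx(vcpu)->vpid.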