Re: [PATCH 1/2] KVM: nVMX: fix CR4_READ_SHADOW when L0 updates CR4 during a signal

[Sean Christopherson <seanjc@google.com>]

On Thu, Apr 18, 2024, Thomas Prescher wrote:
> You are right. After your pointers and looking at the nesting code
> again, I think I know what to do. Just to make sure I understand this
> correctly: 
> 
> If L0 exits with L2 state, KVM_GET_NESTED_STATE will have
> KVM_STATE_NESTED_RUN_PENDING set in the flags field.

Not necessarily.  KVM_STATE_NESTED_GUEST_MODE is the flag that says "L2 state is
loaded", the NESTED_RUN_PENDING flag is effectively a modifier on top of that.

KVM_STATE_NESTED_RUN_PENDING is set when userspace interrupts KVM in the middle
of nested VM-Enter emulation.  In that case, KVM needs to complete emulation of
the VM-Enter instruction (VMLAUNCH, VMRESUME, or VMRUN) before doing anything.
I.e. KVM has loaded L2 state and is committed to completing VM-Enter, but hasn't
actually done so yet.

In retrospect, KVM probably should have forced userspace to call back into KVM to
complete emulation before allowing KVM_GET_NESTED_STATE to succeed, but it's a
minor blip.

> So when we restore the vCPU state after a vmsave/vmload cycle, we don't need
> to update anything in kvm_run.s.regs because KVM will enter the L2
> immediately.  Is that correct?

No?  Presumably your touching vCPU state, otherwise you wouldn't be doing
vmsave/vmload.  And if you touch vCPU state, then you need to restore the old
state for things to work.

Again, what are you trying to do, at a higher level?  I.e. _why_ are you doing
a save/restore cycle?  If it's for something akin to live migration, where you
need to save and restore *everything*, then stating the obvious, you need to
save and restore everything in KVM too, which includes nested state.