Commit eed0030e authored by Sean Christopherson, committed by Paolo Bonzini

KVM: nVMX: Validate the EPTP when emulating INVEPT(EXTENT_CONTEXT)



Signal VM-Fail for the single-context variant of INVEPT if the specified
EPTP is invalid.  Per the INVEPT pseudocode in Intel's SDM, it's subject
to the standard EPT checks:

  If VM entry with the "enable EPT" VM execution control set to 1 would
  fail due to the EPTP value then VMfail(Invalid operand to INVEPT/INVVPID);

Fixes: bfd0a56b ("nEPT: Nested INVEPT")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Message-Id: <20200320212833.3507-3-sean.j.christopherson@intel.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent e8eff282
+5 −1
@@ -5157,8 +5157,12 @@ static int handle_invept(struct kvm_vcpu *vcpu)
	}

	switch (type) {
	case VMX_EPT_EXTENT_GLOBAL:
	case VMX_EPT_EXTENT_CONTEXT:
		if (!nested_vmx_check_eptp(vcpu, operand.eptp))
			return nested_vmx_failValid(vcpu,
				VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
		fallthrough;
	case VMX_EPT_EXTENT_GLOBAL:
	/*
	 * TODO: Sync the necessary shadow EPT roots here, rather than
	 * at the next emulated VM-entry.
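
Review bot: In the new VMX_EPT_EXTENT_CONTEXT case, the rule being enforced is documented only in the commit message, and the polarity of `!nested_vmx_check_eptp(vcpu, operand.eptp)` is not obvious at the call site. If the helper's return sense were ever inverted, every valid single-context INVEPT from L1 would VM-Fail, or every invalid EPTP would be accepted. Suggest a one-line comment above the check that cites the SDM condition quoted in the changelog and states that the helper returns true for an EPTP that would pass VM entry. Moving `case VMX_EPT_EXTENT_GLOBAL:` below the check so that CONTEXT falls through into it keeps the global variant unchecked, which matches the changelog's scope of the single-context variant only; a short note on the `fallthrough;` saying that operand.eptp is deliberately not validated for the global extent would keep a later cleanup from merging the two labels again.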