From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jim Mattson <jmattson@google.com>
Subject: [PATCH] kvm: nVMX: Don't validate disabled secondary controls
Date: Thu,  4 May 2017 11:51:58 -0700
Message-ID: <20170504185158.91991-1-jmattson@google.com>
Cc: Jim Mattson <jmattson@google.com>
To: kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-pg0-f50.google.com ([74.125.83.50]:35740 "EHLO
        mail-pg0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932073AbdEDSwg (ORCPT <rfc822;kvm@vger.kernel.org>);
        Thu, 4 May 2017 14:52:36 -0400
Received: by mail-pg0-f50.google.com with SMTP id o3so13023328pgn.2
        for <kvm@vger.kernel.org>; Thu, 04 May 2017 11:52:36 -0700 (PDT)
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

According to the SDM, if the "activate secondary controls" primary
processor-based VM-execution control is 0, no checks are performed on
the secondary processor-based VM-execution controls.

Signed-off-by: Jim Mattson <jmattson@google.com>
---
 arch/x86/kvm/vmx.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index b2daee0bfb35..9142b31ae9d2 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10314,9 +10314,10 @@ static int check_vmentry_prereqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 	if (!vmx_control_verify(vmcs12->cpu_based_vm_exec_control,
 				vmx->nested.nested_vmx_procbased_ctls_low,
 				vmx->nested.nested_vmx_procbased_ctls_high) ||
-	    !vmx_control_verify(vmcs12->secondary_vm_exec_control,
-				vmx->nested.nested_vmx_secondary_ctls_low,
-				vmx->nested.nested_vmx_secondary_ctls_high) ||
+	    (nested_cpu_has(vmcs12, CPU_BASED_ACTIVATE_SECONDARY_CONTROLS) &&
+	     !vmx_control_verify(vmcs12->secondary_vm_exec_control,
+				 vmx->nested.nested_vmx_secondary_ctls_low,
+				 vmx->nested.nested_vmx_secondary_ctls_high)) ||
 	    !vmx_control_verify(vmcs12->pin_based_vm_exec_control,
 				vmx->nested.nested_vmx_pinbased_ctls_low,
 				vmx->nested.nested_vmx_pinbased_ctls_high) ||
-- 
2.13.0.rc1.294.g07d810a77f-goog