Re: [PATCH v2 1/3] KVM: x86: Explicitly configure supported XSS from {svm,vmx}_set_cpu_caps()
From: Xiaoyao Li
Date: Thu Jan 29 2026 - 22:24:17 EST
On 1/29/2026 3:34 PM, Binbin Wu wrote:
On 1/28/2026 9:43 AM, Sean Christopherson wrote:
Explicitly configure KVM's supported XSS as part of each vendor's setup
flow to fix a bug where clearing SHSTK and IBT in kvm_cpu_caps, e.g. due
to lack of CET XFEATURE support, makes kvm-intel.ko unloadable when nested
VMX is enabled, i.e. when nested=1. The late clearing results in
nested_vmx_setup_{entry,exit}_ctls() clearing VM_{ENTRY,EXIT}_LOAD_CET_STATE
when nested_vmx_setup_ctls_msrs() runs during the CPU compatibility checks,
ultimately leading to a mismatched VMCS config due to the reference config
having the CET bits set, but every CPU's "local" config having the bits
cleared.
A bit confused about the description.
Before this patch:
kvm_x86_vendor_init
| vmx_hardware_setup
|   nested_vmx_hardware_setup
|     nested_vmx_setup_ctls_msrs
| ...
| for_each_online_cpu(cpu)
|   smp_call_function_single(cpu, kvm_x86_check_cpu_compat, &r, 1)
|   | kvm_x86_check_processor_compatibility
|   |   kvm_x86_call(check_processor_compatibility)()
|   |     vmx_check_processor_compatibility
|   |       setup_vmcs_config
|   |         nested_vmx_setup_ctls_msrs
| ...
| //late clearing of SHSTK and IBT
If we don't consider CPU hotplug case, both the setup of reference VMCS and the
local config are before the late clearing of SHSTK and IBT. They should be
consistent.
So you are referring to the mismatch situation during CPU hotplug?
I guess it's triggered by the path
kvm_init()
  kvm_init_virtualization()
    kvm_enable_virtualization()
      cpuhp_setup_state()
        kvm_online_cpu()
          ...
(note, it requires enable_virt_at_load to be true)
which is after
vmx_init()
kvm_x86_vendor_init()
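To make the ordering problem discussed in this thread concrete, here is an added toy model in C. It is not kernel code and none of the names below (cpu_caps, build_config, check_cpu_compat, CTL_LOAD_CET_STATE, the two *_scenario functions) exist in KVM; they stand in for kvm_cpu_caps, setup_vmcs_config()/nested_vmx_setup_ctls_msrs(), the per-CPU compatibility check, and the VM_{ENTRY,EXIT}_LOAD_CET_STATE controls. The model shows why a reference config built before a late capability clear no longer matches a local config rebuilt afterwards (the hotplug-time check described above), and why clearing the capabilities before the reference is built keeps the two consistent.

```c
/* Added illustration, not kernel code: a toy model of the reference/local
 * config mismatch caused by clearing a capability after the reference
 * config has already been derived from it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical capability bits standing in for SHSTK and IBT, and a
 * hypothetical control bit standing in for the "load CET state" controls. */
#define CAP_SHSTK          (1u << 0)
#define CAP_IBT            (1u << 1)
#define CTL_LOAD_CET_STATE (1u << 4)

/* Model of kvm_cpu_caps: one global capability mask. */
static uint32_t cpu_caps = CAP_SHSTK | CAP_IBT;

/* Model of deriving the VMCS control bits from the current capability mask
 * (what setup_vmcs_config()/nested_vmx_setup_ctls_msrs() conceptually do). */
static uint32_t build_config(uint32_t caps)
{
    uint32_t ctls = 0;

    if (caps & (CAP_SHSTK | CAP_IBT))
        ctls |= CTL_LOAD_CET_STATE;
    return ctls;
}

/* Model of the per-CPU compatibility check: rebuild a "local" config from
 * the capability mask as it is *now* and compare it with the reference. */
static bool check_cpu_compat(uint32_t reference)
{
    return build_config(cpu_caps) == reference;
}

/* Buggy ordering: reference built while the CET caps are still set, caps
 * cleared afterwards, then a CPU comes online and runs the check.
 * Returns true if the check passes. */
bool late_clear_scenario(void)
{
    uint32_t reference;

    cpu_caps = CAP_SHSTK | CAP_IBT;
    reference = build_config(cpu_caps);      /* hardware setup: reference config */
    cpu_caps &= ~(CAP_SHSTK | CAP_IBT);      /* late clearing of SHSTK and IBT   */
    return check_cpu_compat(reference);      /* hotplug-time compatibility check */
}

/* Fixed ordering: caps settled first, reference built from the final mask. */
bool early_clear_scenario(void)
{
    uint32_t reference;

    cpu_caps = CAP_SHSTK | CAP_IBT;
    cpu_caps &= ~(CAP_SHSTK | CAP_IBT);      /* cleared during cap setup         */
    reference = build_config(cpu_caps);      /* hardware setup: reference config */
    return check_cpu_compat(reference);      /* hotplug-time compatibility check */
}

int main(void)
{
    printf("late clearing : %s\n", late_clear_scenario() ? "compatible" : "MISMATCH");
    printf("early clearing: %s\n", early_clear_scenario() ? "compatible" : "MISMATCH");
    return 0;
}
```

The only difference between the two scenarios is whether the capability clear happens before or after the reference config is derived; the per-CPU check itself is identical, which is the point Binbin and Xiaoyao are making about the hotplug path.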