On Fri, Mar 28, 2025, Xin Li (Intel) wrote: > diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilities.h > index b4f49a4690ca..d29be4e4124e 100644 > --- a/arch/x86/kvm/vmx/capabilities.h > +++ b/arch/x86/kvm/vmx/capabilities.h > @@ -38,6 +38,7 @@ struct nested_vmx_msrs { > u32 pinbased_ctls_high; > u32 exit_ctls_low; > u32 exit_ctls_high; > + u64 secondary_exit_ctls; > u32 entry_ctls_low; > u32 entry_ctls_high; > u32 misc_low; > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c > index 5504d9e9fd32..8b0c5e5f1e98 100644 > --- a/arch/x86/kvm/vmx/nested.c > +++ b/arch/x86/kvm/vmx/nested.c > @@ -1457,6 +1457,7 @@ int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data) > case MSR_IA32_VMX_PINBASED_CTLS: > case MSR_IA32_VMX_PROCBASED_CTLS: > case MSR_IA32_VMX_EXIT_CTLS: > + case MSR_IA32_VMX_EXIT_CTLS2: This is wrong. KVM allows userspace to configure control MSRs, it's just the non-true MSRs that have a true version that KVM rejects. I.e. KVM needs to actually handle writing MSR_IA32_VMX_EXIT_CTLS2. > case MSR_IA32_VMX_ENTRY_CTLS: > /* > * The "non-true" VMX capability MSRs are generated from the
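Review bot: In the arch/x86/kvm/vmx/capabilities.h hunk, the new `u64 secondary_exit_ctls;` member of struct nested_vmx_msrs is undocumented and breaks the convention of its neighbours, which are all u32 low/high pairs (exit_ctls_low/exit_ctls_high, entry_ctls_low/entry_ctls_high). Add a short comment above the member saying what the 64 bits represent and why there is no _low/_high split, so later code that walks these fields does not assume the pair layout.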
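Review bot: In the arch/x86/kvm/vmx/nested.c hunk, `case MSR_IA32_VMX_EXIT_CTLS2:` is added to the label group in vmx_set_vmx_msr() whose comment begins 'The "non-true" VMX capability MSRs are generated from the', so a userspace write to it gets the same treatment as the non-true PINBASED/PROCBASED/EXIT/ENTRY MSRs. Nothing in the quoted hunks checks `data` or stores it into the new secondary_exit_ctls field; give this MSR its own case that validates the value and updates secondary_exit_ctls rather than sharing this group.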