From: Roger Pau Monne <roger.pau@citrix.com>
Date: Tue, 24 Dec 2019 15:32:47 +0000 (+0100)
Subject: x86/vvmx: virtualize x2APIC mode and APIC accesses can't both be enabled
X-Git-Tag: archive/raspbian/4.14.0+80-gd101b417b7-1+rpi1^2~63^2~973
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=da9290639eb5d6ac9d77d577927b6e69c8ca9e21;p=xen.git

x86/vvmx: virtualize x2APIC mode and APIC accesses can't both be enabled

According to the Intel SDM, "virtualize x2APIC mode" and "virtualize
APIC accesses" can't be enabled at the same time, or else a
vm{launch/entry} failure will happen. This was seen when running Xen
nested and with x2APIC enabled:

  (XEN) d3v0 VMLAUNCH error: 0x7
  [...]
  (XEN) *** Control State ***
  (XEN) PinBased=0000003f CPUBased=b6a075fe SecondaryExec=000014fb
  [...]

Fix this by making sure nvmx_update_secondary_exec_control clears the
incompatible bits from the host vmcs before merging it with the nested
vmcs.

This fixes a regression reported by osstest in the
test-amd64-amd64-qemuu-nested-intel job.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index 5dd00e11b5..d8ab167d62 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -594,6 +594,7 @@ void nvmx_update_secondary_exec_control(struct vcpu *v,
     u32 shadow_cntrl;
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     u32 apicv_bit = SECONDARY_EXEC_APIC_REGISTER_VIRT |
+                    SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
                     SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
 
     host_cntrl &= ~apicv_bit;