From da9290639eb5d6ac9d77d577927b6e69c8ca9e21 Mon Sep 17 00:00:00 2001 From: Roger Pau Monne Date: Tue, 24 Dec 2019 16:32:47 +0100 Subject: [PATCH] x86/vvmx: virtualize x2APIC mode and APIC accesses can't both be enabled MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit According to the Intel SDM, "virtualize x2APIC mode" and "virtualize APIC accesses" can't be enabled at the same time, or else a vm{launch/entry} failure will happen. This was seen when running Xen nested and with x2APIC enabled: (XEN) d3v0 VMLAUNCH error: 0x7 [...] (XEN) *** Control State *** (XEN) PinBased=0000003f CPUBased=b6a075fe SecondaryExec=000014fb [...] Fix this by making sure nvmx_update_secondary_exec_control clears the incompatible bits from the host vmcs before merging it with the nested vmcs. This fixes a regression reported by osstest in the test-amd64-amd64-qemuu-nested-intel job. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/arch/x86/hvm/vmx/vvmx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c index 5dd00e11b5..d8ab167d62 100644 --- a/xen/arch/x86/hvm/vmx/vvmx.c +++ b/xen/arch/x86/hvm/vmx/vvmx.c @@ -594,6 +594,7 @@ void nvmx_update_secondary_exec_control(struct vcpu *v, u32 shadow_cntrl; struct nestedvmx *nvmx = &vcpu_2_nvmx(v); u32 apicv_bit = SECONDARY_EXEC_APIC_REGISTER_VIRT | + SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE | SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY; host_cntrl &= ~apicv_bit; -- 2.30.2