Bug 732752 - exclude VMX_PROCBASED_CTL2 from the MSRs a VMX guest is allowed to access
Summary: exclude VMX_PROCBASED_CTL2 from the MSRs a VMX guest is allowed to access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel-xen
Version: 5.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Paolo Bonzini
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 514490
TreeView+ depends on / blocked
 
Reported: 2011-08-23 13:49 UTC by Paolo Bonzini
Modified: 2012-02-21 03:53 UTC (History)
8 users (show)

Fixed In Version: kernel-2.6.18-284.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 03:53:36 UTC


Attachments (Terms of Use)
test module (1.26 KB, application/zip)
2011-08-25 09:13 UTC, Paolo Bonzini
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0150 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux 5.8 kernel update 2012-02-21 07:35:24 UTC

Description Paolo Bonzini 2011-08-23 13:49:04 UTC
I found this in xen-unstable.hg c/s 15426:

vmx: Exclude VMX_PROCBASED_CTL2 from set of MSRs a VMX guest is allowd
to access.
Signed-off-by: Keir Fraser <keir@xensource.com>

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2601,7 +2601,7 @@ static inline int vmx_do_msr_read(struct
     case MSR_IA32_APICBASE:
         msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
-    case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_CR4_FIXED1:
+    case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_PROCBASED_CTLS2:
         goto gp_fault;
     default:
         if ( long_mode_do_msr_read(regs) )
@@ -2727,7 +2727,7 @@ static inline int vmx_do_msr_write(struc
     case MSR_IA32_APICBASE:
         vlapic_msr_set(vcpu_vlapic(v), msr_content);
         break;
-    case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_CR4_FIXED1:
+    case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_PROCBASED_CTLS2:
         goto gp_fault;
     default:
         if ( !long_mode_do_msr_write(regs) )


The bits we use in VMX_PROCBASED_CTLS2 are "enable EPT" and "virtualize APIC accesses".  I don't know what happens if a guest disable those, but I wouldn't be surprised if it's ugly so in the meanwhile I'm making the bug private.

Comment 1 Paolo Bonzini 2011-08-25 09:12:47 UTC
The MSR write ultimately becomes a no-op, while other VMX registers fail and inject a #GP in the guest (the #GP in turn is trapped if using wrmsr_safe and becomes an EFAULT).

Comment 2 Paolo Bonzini 2011-08-25 09:13:44 UTC
Created attachment 519794 [details]
test module

The test module should print "failed" twice.

Comment 3 RHEL Product and Program Management 2011-08-25 09:29:41 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Jarod Wilson 2011-09-02 15:41:45 UTC
Patch(es) available in kernel-2.6.18-284.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.

Comment 6 Jarod Wilson 2011-09-02 17:43:26 UTC
Patch(es) available in kernel-2.6.18-284.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.

Comment 8 Qixiang Wan 2011-12-07 07:14:03 UTC
Verified with kernel-xen-2.6.18-300.el5.

On the 5.7 GA kernel host, insmod the module in comment 2 within HVM guests(RHEL5.7 i386, x86_64 and RHEL6.1 i386), got the following messages in dmesg:

$ dmesg
Check MSR write failed -14
MSR write succeeded 0

After update host to kernel-xen-2.6.18-300.el5, got the following messages:

$ dmesg
Check MSR write failed -14
MSR write failed -14

Comment 9 errata-xmlrpc 2012-02-21 03:53:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0150.html


Note You need to log in before you can comment on or make changes to this bug.