Changeset 74603 in vbox for trunk/src

Timestamp:

Oct 4, 2018 6:07:20 AM (6 years ago)

Author:

vboxsync

Message:

VMM/IEM, HM: Nested VMX: bugref:9180 VM-exit bits; LMSW intercept. Separated VINF_HM_INTERCEPT_NOT_ACTIVE into VMX and SVM
specific codes. Adjusted IEMExecDecodedLmsw to supply the additional memory operand parameter from the VMCS guest-linear address
field.

Location:

trunk/src/VBox/VMM

Files:

• VMMAll/IEMAll.cpp (modified) (2 diffs)
• VMMAll/IEMAllCImpl.cpp.h (modified) (5 diffs)
• VMMAll/IEMAllCImplStrInstr.cpp.h (modified) (4 diffs)
• VMMAll/IEMAllCImplSvmInstr.cpp.h (modified) (3 diffs)
• VMMAll/IEMAllCImplVmxInstr.cpp.h (modified) (3 diffs)
• VMMAll/IEMAllInstructionsTwoByte0f.cpp.h (modified) (1 diff)
• VMMR0/HMVMXR0.cpp (modified) (5 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -5492 +5492 @@
              */
             VBOXSTRICTRC rcStrict0 = iemHandleSvmEventIntercept(pVCpu, u8Vector, fFlags, uErr, uCr2);
-            if (rcStrict0 != VINF_HM_INTERCEPT_NOT_ACTIVE)
+            if (rcStrict0 != VINF_SVM_INTERCEPT_NOT_ACTIVE)
                 return rcStrict0;
         }
@@ -15079 +15079 @@
  *
  * @returns Strict VBox status code.
- * @param   pVCpu       The cross context virtual CPU structure.
- * @param   cbInstr     The instruction length in bytes.
- * @param   uValue      The value to load into CR0.
+ * @param   pVCpu           The cross context virtual CPU structure.
+ * @param   cbInstr         The instruction length in bytes.
+ * @param   uValue          The value to load into CR0.
+ * @param   GCPtrEffDst     The guest-linear address if the LMSW instruction has a
+ *                          memory operand. Otherwise pass NIL_RTGCPTR.
  *
  * @remarks In ring-0 not all of the state needs to be synced in.
  */
-VMM_INT_DECL(VBOXSTRICTRC) IEMExecDecodedLmsw(PVMCPU pVCpu, uint8_t cbInstr, uint16_t uValue)
+VMM_INT_DECL(VBOXSTRICTRC) IEMExecDecodedLmsw(PVMCPU pVCpu, uint8_t cbInstr, uint16_t uValue, RTGCPTR GCPtrEffDst)
 {
     IEMEXEC_ASSERT_INSTR_LEN_RETURN(cbInstr, 3);
 
     iemInitExec(pVCpu, false /*fBypassHandlers*/);
-    VBOXSTRICTRC rcStrict = IEM_CIMPL_CALL_1(iemCImpl_lmsw, uValue);
+    VBOXSTRICTRC rcStrict = IEM_CIMPL_CALL_2(iemCImpl_lmsw, uValue, GCPtrEffDst);
     Assert(!pVCpu->iem.s.cActiveMappings);
     return iemUninitExecAndFiddleStatusAndMaybeReenter(pVCpu, rcStrict);

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

@@ -5743 +5743 @@
  *
  * @param   u16NewMsw       The new value.
- */
-IEM_CIMPL_DEF_1(iemCImpl_lmsw, uint16_t, u16NewMsw)
+ * @param   GCPtrEffDst     The guest-linear address of the source operand in case
+ *                          of a memory operand. For register operand, pass
+ *                          NIL_RTGCPTR.
+ */
+IEM_CIMPL_DEF_2(iemCImpl_lmsw, uint16_t, u16NewMsw, RTGCPTR, GCPtrEffDst)
 {
     if (pVCpu->iem.s.uCpl != 0)
         return iemRaiseGeneralProtectionFault0(pVCpu);
     Assert(!pVCpu->cpum.GstCtx.eflags.Bits.u1VM);
+    IEM_CTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CR0);
+
+#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
+    /* Check nested-guest VMX intercept and get updated MSW if there's no VM-exit. */
+    if (IEM_VMX_IS_NON_ROOT_MODE(pVCpu))
+    {
+        VBOXSTRICTRC rcStrict = iemVmxVmexitInstrLmsw(pVCpu, pVCpu->cpum.GstCtx.cr0, &u16NewMsw, GCPtrEffDst, cbInstr);
+        if (rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE)
+            return rcStrict;
+    }
+#else
+    RT_NOREF_PV(GCPtrEffDst);
+#endif
 
     /*
      * Compose the new CR0 value and call common worker.
      */
-    IEM_CTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CR0);
-    uint64_t uNewCr0 = pVCpu->cpum.GstCtx.cr0     & ~(X86_CR0_MP | X86_CR0_EM | X86_CR0_TS);
+    uint64_t uNewCr0 = pVCpu->cpum.GstCtx.cr0  & ~(X86_CR0_MP | X86_CR0_EM | X86_CR0_TS);
     uNewCr0 |= u16NewMsw & (X86_CR0_PE | X86_CR0_MP | X86_CR0_EM | X86_CR0_TS);
     return IEM_CIMPL_CALL_4(iemCImpl_load_CrX, /*cr*/ 0, uNewCr0, IEMACCESSCRX_LMSW, UINT8_MAX /* iGReg */);
@@ -6370 +6385 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("IEM: SVM intercepted rdmsr(%#x) failed. rc=%Rrc\n", pVCpu->cpum.GstCtx.ecx, VBOXSTRICTRC_VAL(rcStrict)));
@@ -6446 +6461 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("IEM: SVM intercepted rdmsr(%#x) failed. rc=%Rrc\n", pVCpu->cpum.GstCtx.ecx, VBOXSTRICTRC_VAL(rcStrict)));
@@ -6526 +6541 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_in: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", u16Port, cbReg,
@@ -6619 +6634 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_out: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", u16Port, cbReg,

trunk/src/VBox/VMM/VMMAll/IEMAllCImplStrInstr.cpp.h

@@ -1214 +1214 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_ins_op: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", pVCpu->cpum.GstCtx.dx, OP_SIZE / 8,
@@ -1285 +1285 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_rep_ins_op: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", u16Port, OP_SIZE / 8,
@@ -1486 +1486 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_outs_op: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", pVCpu->cpum.GstCtx.dx, OP_SIZE / 8,
@@ -1545 +1545 @@
         if (rcStrict == VINF_SVM_VMEXIT)
             return VINF_SUCCESS;
-        if (rcStrict != VINF_HM_INTERCEPT_NOT_ACTIVE)
+        if (rcStrict != VINF_SVM_INTERCEPT_NOT_ACTIVE)
         {
             Log(("iemCImpl_rep_outs_op: iemSvmHandleIOIntercept failed (u16Port=%#x, cbReg=%u) rc=%Rrc\n", u16Port, OP_SIZE / 8,

trunk/src/VBox/VMM/VMMAll/IEMAllCImplSvmInstr.cpp.h

@@ -947 +947 @@
     }
 
-    return VINF_HM_INTERCEPT_NOT_ACTIVE;
+    return VINF_SVM_INTERCEPT_NOT_ACTIVE;
 }
 
@@ -997 +997 @@
      *        intercepts). */
     AssertMsgFailed(("iemSvmHandleIOIntercept: We expect an IO intercept here!\n"));
-    return VINF_HM_INTERCEPT_NOT_ACTIVE;
+    return VINF_SVM_INTERCEPT_NOT_ACTIVE;
 }
 
@@ -1061 +1061 @@
         return iemSvmVmexit(pVCpu, SVM_EXIT_MSR, uExitInfo1, 0 /* uExitInfo2 */);
     }
-    return VINF_HM_INTERCEPT_NOT_ACTIVE;
+    return VINF_SVM_INTERCEPT_NOT_ACTIVE;
 }
 

trunk/src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h

@@ -681 +681 @@
         case VMX_VMCS_RO_IO_RDI:
         case VMX_VMCS_RO_IO_RIP:
-        case VMX_VMCS_RO_EXIT_GUEST_LINEAR_ADDR:          return true;
+        case VMX_VMCS_RO_GUEST_LINEAR_ADDR:               return true;
 
         /* Guest-state fields. */
@@ -2608 +2608 @@
      * instruction execution.
      *
-     * In our implementation, all undefined fields are generally cleared (caller's
-     * responsibility).
+     * In our implementation in IEM, all undefined fields are generally cleared. However,
+     * if the caller supplies information (from say the physical CPU directly) it is
+     * then possible that the undefined fields not cleared.
      *
      * See Intel spec. 27.2.1 "Basic VM-Exit Information".
@@ -2755 +2756 @@
 
     return iemVmxVmexitInstrWithInfo(pVCpu, &ExitInfo);
+}
+
+
+/**
+ * VMX VM-exit handler for VM-exits due to LMSW.
+ *
+ * @returns Strict VBox status code.
+ * @param   pVCpu           The cross context virtual CPU structure.
+ * @param   uGuestCr0       The current guest CR0.
+ * @param   pu16NewMsw      The machine-status word specified in LMSW's source
+ *                          operand. This will be updated depending on the VMX
+ *                          guest/host CR0 mask if LMSW is not intercepted.
+ * @param   GCPtrEffDst     The guest-linear address of the source operand in case
+ *                          of a memory operand. For register operand, pass
+ *                          NIL_RTGCPTR.
+ * @param   cbInstr         The instruction length (in bytes).
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitInstrLmsw(PVMCPU pVCpu, uint32_t uGuestCr0, uint16_t *pu16NewMsw, RTGCPTR GCPtrEffDst,
+                                              uint8_t cbInstr)
+{
+    /*
+     * LMSW VM-exits are subject to the CR0 guest/host mask and the CR0 read shadow.
+     *
+     * See Intel spec. 24.6.6 "Guest/Host Masks and Read Shadows for CR0 and CR4".
+     * See Intel spec. 25.1.3 "Instructions That Cause VM Exits Conditionally".
+     */
+    PCVMXVVMCS pVmcs = pVCpu->cpum.GstCtx.hwvirt.vmx.CTX_SUFF(pVmcs);
+    Assert(pVmcs);
+    Assert(pu16NewMsw);
+
+    bool fIntercept = false;
+    uint32_t const fGstHostMask = pVmcs->u64Cr0Mask.u;
+    uint32_t const fReadShadow  = pVmcs->u64Cr0ReadShadow.u;
+
+    /*
+     * LMSW can never clear CR0.PE but it may set it. Hence, we handle the
+     * CR0.PE case first, before the rest of the bits in the MSW.
+     *
+     * If CR0.PE is owned by the host and CR0.PE differs between the
+     * MSW (source operand) and the read-shadow, we must cause a VM-exit.
+     */
+    if (    (fGstHostMask & X86_CR0_PE)
+        &&  (*pu16NewMsw  & X86_CR0_PE)
+        && !(fReadShadow  & X86_CR0_PE))
+        fIntercept = true;
+
+    /*
+     * If CR0.MP, CR0.EM or CR0.TS is owned by the host, and the corresponding
+     * bits differ between the MSW (source operand) and the read-shadow, we must
+     * cause a VM-exit.
+     */
+    uint32_t fGstHostLmswMask = fGstHostMask & (X86_CR0_MP | X86_CR0_EM | X86_CR0_TS);
+    if ((fReadShadow & fGstHostLmswMask) != (*pu16NewMsw & fGstHostLmswMask))
+        fIntercept = true;
+
+    if (fIntercept)
+    {
+        Log2(("lmsw: Guest intercept -> VM-exit\n"));
+
+        VMXVEXITINFO ExitInfo;
+        RT_ZERO(ExitInfo);
+        ExitInfo.uReason = VMX_EXIT_MOV_CRX;
+        ExitInfo.cbInstr = cbInstr;
+
+        bool const fMemOperand = RT_BOOL(GCPtrEffDst != NIL_RTGCPTR);
+        if (fMemOperand)
+        {
+            Assert(IEM_GET_GUEST_CPU_FEATURES(pVCpu)->fLongMode || !RT_HI_U32(GCPtrEffDst));
+            ExitInfo.u64GuestLinearAddr = GCPtrEffDst;
+        }
+
+        ExitInfo.u64Qual = RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_REGISTER,  0) /* CR0 */
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_ACCESS,    VMX_EXIT_QUAL_CRX_ACCESS_LMSW)
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_LMSW_OP,   fMemOperand)
+                         | RT_BF_MAKE(VMX_BF_EXIT_QUAL_CRX_LMSW_DATA, *pu16NewMsw);
+
+        return iemVmxVmexitInstrWithInfo(pVCpu, &ExitInfo);
+    }
+
+    /*
+     * If LMSW did not cause a VM-exit, any CR0 bits in the range 0:3 that is set in the
+     * CR0 guest/host mask must be left unmodified.
+     *
+     * See Intel Spec. 25.3 "Changes To Instruction Behavior In VMX Non-root Operation".
+     */
+    fGstHostLmswMask = fGstHostMask & (X86_CR0_PE | X86_CR0_MP | X86_CR0_EM | X86_CR0_TS);
+    *pu16NewMsw = (uGuestCr0 & fGstHostLmswMask) | (*pu16NewMsw & ~fGstHostLmswMask);
+
+    return VINF_VMX_INTERCEPT_NOT_ACTIVE;
 }
 

trunk/src/VBox/VMM/VMMAll/IEMAllInstructionsTwoByte0f.cpp.h

@@ -547 +547 @@
     {
         IEMOP_HLP_DONE_DECODING_NO_LOCK_PREFIX();
-        IEM_MC_BEGIN(1, 0);
-        IEM_MC_ARG(uint16_t, u16Tmp, 0);
+        IEM_MC_BEGIN(2, 0);
+        IEM_MC_ARG(uint16_t, u16Tmp,                         0);
+        IEM_MC_ARG_CONST(RTGCPTR,  GCPtrEffDst, NIL_RTGCPTR, 1);
         IEM_MC_FETCH_GREG_U16(u16Tmp, (bRm & X86_MODRM_RM_MASK) | pVCpu->iem.s.uRexB);
-        IEM_MC_CALL_CIMPL_1(iemCImpl_lmsw, u16Tmp);
-        IEM_MC_END();
-    }
-    else
-    {
-        IEM_MC_BEGIN(1, 1);
-        IEM_MC_ARG(uint16_t, u16Tmp, 0);
-        IEM_MC_LOCAL(RTGCPTR,  GCPtrEffDst);
+        IEM_MC_CALL_CIMPL_2(iemCImpl_lmsw, u16Tmp, GCPtrEffDst);
+        IEM_MC_END();
+    }
+    else
+    {
+        IEM_MC_BEGIN(2, 0);
+        IEM_MC_ARG(uint16_t, u16Tmp,      0);
+        IEM_MC_ARG(RTGCPTR,  GCPtrEffDst, 1);
         IEM_MC_CALC_RM_EFF_ADDR(GCPtrEffDst, bRm, 0);
         IEMOP_HLP_DONE_DECODING_NO_LOCK_PREFIX();
         IEM_MC_FETCH_MEM_U16(u16Tmp, pVCpu->iem.s.iEffSeg, GCPtrEffDst);
-        IEM_MC_CALL_CIMPL_1(iemCImpl_lmsw, u16Tmp);
+        IEM_MC_CALL_CIMPL_2(iemCImpl_lmsw, u16Tmp, GCPtrEffDst);
         IEM_MC_END();
     }

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -78 +78 @@
 #define HMVMX_READ_EXIT_INTERRUPTION_ERROR_CODE  RT_BIT_32(5)
 #define HMVMX_READ_EXIT_INSTR_INFO               RT_BIT_32(6)
+#define HMVMX_READ_GUEST_LINEAR_ADDR             RT_BIT_32(7)
 /** @} */
 
@@ -263 +264 @@
     /** The VM-exit exit code qualification. */
     uint64_t            uExitQual;
+    /** The Guest-linear address. */
+    uint64_t            uGuestLinearAddr;
 
     /** The VM-exit interruption-information field. */
@@ -724 +727 @@
 
 /**
- * Reads the exit code qualification from the VMCS into the VMX transient
- * structure.
+ * Reads the VM-exit Qualification from the VMCS into the VMX transient structure.
  *
  * @returns VBox status code.
@@ -739 +741 @@
         AssertRCReturn(rc, rc);
         pVmxTransient->fVmcsFieldsRead |= HMVMX_READ_EXIT_QUALIFICATION;
+    }
+    return VINF_SUCCESS;
+}
+
+
+/**
+ * Reads the Guest-linear address from the VMCS into the VMX transient structure.
+ *
+ * @returns VBox status code.
+ * @param   pVCpu           The cross context virtual CPU structure of the
+ *                          calling EMT. (Required for the VMCS cache case.)
+ * @param   pVmxTransient   Pointer to the VMX transient structure.
+ */
+DECLINLINE(int) hmR0VmxReadGuestLinearAddrVmcs(PVMCPU pVCpu, PVMXTRANSIENT pVmxTransient)
+{
+    if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_READ_GUEST_LINEAR_ADDR))
+    {
+        int rc = VMXReadVmcsGstN(VMX_VMCS_RO_GUEST_LINEAR_ADDR, &pVmxTransient->uGuestLinearAddr); NOREF(pVCpu);
+        AssertRCReturn(rc, rc);
+        pVmxTransient->fVmcsFieldsRead |= HMVMX_READ_GUEST_LINEAR_ADDR;
     }
     return VINF_SUCCESS;
@@ -12282 +12304 @@
         {
             /* Note! LMSW cannot clear CR0.PE, so no fRealOnV86Active kludge needed here. */
-            rcStrict = IEMExecDecodedLmsw(pVCpu, pVmxTransient->cbInstr, VMX_EXIT_QUAL_CRX_LMSW_DATA(uExitQual));
+            rc = hmR0VmxReadGuestLinearAddrVmcs(pVCpu, pVmxTransient);
+            AssertRCReturn(rc, rc);
+            rcStrict = IEMExecDecodedLmsw(pVCpu, pVmxTransient->cbInstr, VMX_EXIT_QUAL_CRX_LMSW_DATA(uExitQual),
+                                          pVmxTransient->uGuestLinearAddr);
             AssertMsg(   rcStrict == VINF_SUCCESS
                       || rcStrict == VINF_IEM_RAISED_XCPT