From owner-freebsd-virtualization@freebsd.org Sun Dec 11 07:06:15 2016
Subject: Re: Execute VMXON again without setting CR4.VMXE to 1
To: "Shen, Zhuojia"
Cc: "freebsd-virtualization@freebsd.org"
From: Peter Grehan
Message-ID: <97006289-6009-d16b-ade4-b70716038d23@freebsd.org>
Date: Sat, 10 Dec 2016 23:06:01 -0800
List-Id: "Discussion of various virtualization techniques FreeBSD supports."
Hi,

> I believe I have found a bug in the BHyVe VMX implementation for
> Intel platform. Following are the details.
>
> In sys/amd64/vmm/intel/vmx.c, there are three functions, vmx_enable
> (line 500), vmx_disable (line 462), and vmx_restore (line 522), which
> respectively enable, disable, and restore VMX on the current
> processor. There is also a file scope integer array vmxon_enabled
> (line 122) which keeps a record of whether VMX on each processor is
> enabled.
>
> I noticed that in function vmx_enable, the kernel sets CR4.VMXE to 1,
> executes the VMXON instruction, and then sets the corresponding cell
> in vmxon_enabled to 1. That is fine. However, in function
> vmx_disable, the kernel executes VMXOFF, clears CR4.VMXE back to 0,
> but does not clear the corresponding cell in vmxon_enabled back to 0.
> This will cause a problem when the function vmx_restore is called, in
> which the kernel executes VMXON again if the corresponding cell
> in that array is 1. That is, it will execute VMXON without CR4.VMXE
> being set.
>
> Of course, that is only my understanding of the way these
> functions will be called. If I am wrong, could any of you please
> advise me how this works? Thanks.

vmx_disable is currently only called on vmm module unload, so
vmx_restore/vmx_enable can never be called again after that.

later,

Peter.
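A small C model of the per-CPU bookkeeping discussed in this thread, added here as an illustration and not code from the thread or from FreeBSD's vmx.c. It assumes the simplified semantics the reporter describes (VMXON faults unless CR4.VMXE is set), replays enable, disable, restore on one CPU with the disable routine as reported and with a variant that also clears the record, and returns the result vmx_restore would see in each case; the function names are reused for readability only.

```c
#include <stdbool.h>

/* Constructed model of the per-CPU VMX bookkeeping the report describes.
 * It is not FreeBSD's vmx.c; the function names are reused for readability. */
#define NCPU 4
static bool cr4_vmxe[NCPU];      /* CR4.VMXE bit of each CPU (modelled)    */
static int  vmxon_enabled[NCPU]; /* file-scope record of VMX state per CPU */

/* Hardware model: VMXON raises #UD unless CR4.VMXE is set.
 * Returns 0 on success, -1 where the real instruction would fault. */
static int vmxon(int cpu) { return cr4_vmxe[cpu] ? 0 : -1; }
static void vmxoff(int cpu) { (void)cpu; }

/* Enable path as described: set CR4.VMXE, VMXON, then record it. */
static int vmx_enable(int cpu) {
    cr4_vmxe[cpu] = true;
    if (vmxon(cpu) != 0)
        return -1;
    vmxon_enabled[cpu] = 1;
    return 0;
}

/* Disable path as the report describes it: VMXOFF, clear CR4.VMXE,
 * but leave vmxon_enabled[cpu] at 1. */
static void vmx_disable_as_reported(int cpu) {
    vmxoff(cpu);
    cr4_vmxe[cpu] = false;
}

/* Hardened variant: the record is cleared together with the real state. */
static void vmx_disable_fixed(int cpu) {
    vmxoff(cpu);
    cr4_vmxe[cpu] = false;
    vmxon_enabled[cpu] = 0;
}

/* Restore path: re-execute VMXON only if the record says VMX was on.
 * Returns 0 if nothing was done or VMXON succeeded, -1 if it would fault. */
static int vmx_restore(int cpu) {
    return vmxon_enabled[cpu] ? vmxon(cpu) : 0;
}

/* Replays enable -> disable -> restore on one CPU with the given disable
 * routine and returns vmx_restore's result (-1 is the reported fault path). */
static int replay(int cpu, void (*disable)(int)) {
    if (vmx_enable(cpu) != 0)
        return -1;
    disable(cpu);
    return vmx_restore(cpu);
}
```

The model only shows why the stale record matters if vmx_restore ever runs after vmx_disable; as Peter notes, that ordering does not occur on the current module-unload path.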