From: Sean Christopherson <seanjc@google.com>
To: Yahya Sohail <ysohail@cs.utexas.edu>
Cc: kvm@vger.kernel.org
Subject: Re: KVM_EXIT_FAIL_ENTRY with hardware_entry_failure_reason = 7
Date: Wed, 26 Jul 2023 10:17:34 -0700
Message-ID: <ZMFVLiC3YvPY3bSP@google.com>
In-Reply-To: <7b5f626c-9f48-15e2-8f7a-1178941db048@cs.utexas.edu>

On Wed, Jul 26, 2023, Yahya Sohail wrote:
> Hi,
>
> I'm trying to copy the state of an x86 emulator into a KVM VM.
>
> I've loaded the relevant state (i.e. registers and memory) into a KVM VM and
> VCPU, and tried to do a KVM_RUN on the VCPU, but it fails with
> KVM_EXIT_FAIL_ENTRY and hardware_entry_failure_reason = 7. I looked through
> the KVM source and Intel manuals to determine that this either means that
> the CPU is in an interrupt window and the VM was set up to exit on an
> interrupt window, or that a VM entry occurred with invalid control fields.
> The former is not possible because my RFLAGS.IF = 0, meaning interrupts are
> currently disabled, so I think it's the latter.

No, there are far, far more possible problems. Error code 7 is "invalid control
field", which is a gigantic bin for any failed consistency check that is related
to one or more VMCS control fields.

> Is it possible for someone using the KVM API to set the VMCS to an invalid
> state?

Yes. Ideally it _shouldn't_ be possible[*], but practically speaking I don't think
there's ever been a version of KVM that prevents userspace from coercing KVM into
loading invalid state. E.g. see https://lore.kernel.org/all/20230613203037.1968489-1-seanjc@google.com

[*] For VMCS control fields specifically. Preventing userspace from loading
invalid guest state is extremely difficult, and not something I realistically
expect KVM to get 100% right anytime soon.

> If so, what fields in the kvm_run struct should I check that could cause such
> an issue?

Heh, all of them. I'm only somewhat joking. Root causing "invalid control field"
errors on bare metal is painfully difficult, bordering on impossible if you don't
have something to give you a hint as to what might be going wrong.

If you can, try running a nested setup, i.e. run a normal Linux guest as your L1
VM (L0 is bare metal), and then run your problematic x86 emulator VM within that
L1 guest (that's your L2). Then, in L0 (your bare metal host), enable the
kvm_nested_vmenter_failed tracepoint.

The kvm_nested_vmenter_failed tracepoint logs all VM-Enter failures that _KVM_
detects when L1 attempts a nested VM-Enter from L1 to L2. If you're at all lucky,
KVM in L0 (acting as the CPU from L1's perspective) will detect the invalid state
and explicitly log which consistency check failed.
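
The tracing step described in the message above, as an added shell example that is not part of the original thread: it toggles the kvm_nested_vmenter_failed tracepoint on L0 and reduces the trace stream to the text of each failed consistency check. Assumptions: tracefs is mounted at /sys/kernel/tracing (override with TRACEFS), the event sits under events/kvm/, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on L0 (the bare-metal host).
# Assumption: tracefs is at /sys/kernel/tracing; older setups expose it at
# /sys/kernel/debug/tracing. Override with TRACEFS=/path.
TRACEFS="${TRACEFS:-/sys/kernel/tracing}"
EVENT="events/kvm/kvm_nested_vmenter_failed"

# Turn the tracepoint on (1) or off (0).
# Returns 1 when the control file is absent or not writable, which usually
# means the kvm module is not loaded or the caller is not root.
set_vmenter_failed_trace() {
    ctl="$TRACEFS/$EVENT/enable"
    if [ ! -w "$ctl" ]; then
        echo "cannot write $ctl (kvm loaded? running as root?)" >&2
        return 1
    fi
    printf '%s\n' "$1" > "$ctl"
}

# Read trace records on stdin and print only the payload of
# kvm_nested_vmenter_failed events, i.e. the text after the event name,
# which names the consistency check that KVM in L0 rejected.
# A read loop is used instead of sed so output is not held back by buffering
# when the input is the live trace_pipe.
failed_checks() {
    while IFS= read -r line; do
        case "$line" in
            *"kvm_nested_vmenter_failed: "*)
                printf '%s\n' "${line#*kvm_nested_vmenter_failed: }" ;;
        esac
    done
}

# "watch" mode: enable the event, stream failures until interrupted,
# and switch the event off again on exit.
if [ "${1:-}" = "watch" ]; then
    set_vmenter_failed_trace 1 || exit 1
    trap 'set_vmenter_failed_trace 0' EXIT
    trap 'exit 130' INT TERM
    failed_checks < "$TRACEFS/trace_pipe"
fi
```

Start it with the `watch` argument on L0, then launch the L2 guest from inside L1; each printed line corresponds to one nested VM-Enter that KVM in L0 refused.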