Changeset 75822 in vbox

Timestamp:

Nov 29, 2018 5:37:35 PM (6 years ago)

Author:

vboxsync

Message:

HMVMX,ConsoleImpl: Workaround for incorrect assumptions in mesa vmsvga 3d driver. AMD-V variant, untested.

Location:

trunk/src/VBox/VMM/VMMR0

Files:

• HMSVMR0.cpp (modified) (8 diffs)
• HMVMXR0.cpp (modified) (2 diffs)

trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp

@@ -401 +401 @@
 static FNSVMEXITHANDLER hmR0SvmExitXcptAC;
 static FNSVMEXITHANDLER hmR0SvmExitXcptBP;
+static FNSVMEXITHANDLER hmR0SvmExitXcptGP;
 #if defined(HMSVM_ALWAYS_TRAP_ALL_XCPTS) || defined(VBOX_WITH_NESTED_HWVIRT_SVM)
 static FNSVMEXITHANDLER hmR0SvmExitXcptGeneric;
@@ -982 +983 @@
     if (pVCpu->hm.s.fGIMTrapXcptUD)
         pVmcbCtrl->u32InterceptXcpt |= RT_BIT(X86_XCPT_UD);
+
+    /* The mesa 3d driver hack needs #GP. */
+    if (pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv)
+        pVmcbCtrl->u32InterceptXcpt |= RT_BIT(X86_XCPT_GP);
 
     /* Set up unconditional intercepts and conditions. */
@@ -1427 +1432 @@
     Assert(uXcpt != X86_XCPT_DB);
     Assert(uXcpt != X86_XCPT_AC);
+    Assert(uXcpt != X86_XCPT_GP);
 #ifndef HMSVM_ALWAYS_TRAP_ALL_XCPTS
     if (pVmcb->ctrl.u32InterceptXcpt & RT_BIT(uXcpt))
@@ -2232 +2238 @@
      * Merge the guest's exception intercepts into the nested-guest VMCB.
      *
-     * - \#UD: Exclude these as the outer guest's GIM hypercalls are not applicable
+     * - #UD: Exclude these as the outer guest's GIM hypercalls are not applicable
      * while executing the nested-guest.
      *
-     * - \#BP: Exclude breakpoints set by the VM debugger for the outer guest. This can
+     * - #BP: Exclude breakpoints set by the VM debugger for the outer guest. This can
      * be tweaked later depending on how we wish to implement breakpoints.
+     *
+     * - #GP: Exclude these as it's the inner VMMs problem to get vmsvga 3d drivers
+     *        loaded into their guests, not ours.
      *
      * Warning!! This ASSUMES we only intercept \#UD for hypercall purposes and \#BP
@@ -2242 +2251 @@
      */
 #ifndef HMSVM_ALWAYS_TRAP_ALL_XCPTS
-    pVmcbNstGstCtrl->u32InterceptXcpt  |= (pVmcb->ctrl.u32InterceptXcpt & ~(  RT_BIT(X86_XCPT_UD)
-                                                                            | RT_BIT(X86_XCPT_BP)));
+    pVmcbNstGstCtrl->u32InterceptXcpt  |= pVmcb->ctrl.u32InterceptXcpt
+                                        & ~(  RT_BIT(X86_XCPT_UD)
+                                            | RT_BIT(X86_XCPT_BP)
+                                            | (pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv ? RT_BIT(X86_XCPT_GP) : 0));
 #else
     pVmcbNstGstCtrl->u32InterceptXcpt  |= pVmcb->ctrl.u32InterceptXcpt;
@@ -5690 +5701 @@
         case SVM_EXIT_XCPT_AC:      VMEXIT_CALL_RET(0, hmR0SvmExitXcptAC(pVCpu, pSvmTransient));
         case SVM_EXIT_XCPT_BP:      VMEXIT_CALL_RET(0, hmR0SvmExitXcptBP(pVCpu, pSvmTransient));
+        case SVM_EXIT_XCPT_GP:      VMEXIT_CALL_RET(0, hmR0SvmExitXcptGP(pVCpu, pSvmTransient));
         case SVM_EXIT_XSETBV:       VMEXIT_CALL_RET(0, hmR0SvmExitXsetbv(pVCpu, pSvmTransient));
         case SVM_EXIT_FERR_FREEZE:  VMEXIT_CALL_RET(0, hmR0SvmExitFerrFreeze(pVCpu, pSvmTransient));
@@ -5758 +5770 @@
                 case SVM_EXIT_XCPT_NP:
                 case SVM_EXIT_XCPT_SS:
-                case SVM_EXIT_XCPT_GP:
+                /*   SVM_EXIT_XCPT_GP: */       /* Handled above. */
                 /*   SVM_EXIT_XCPT_PF: */
                 case SVM_EXIT_XCPT_15:          /* Reserved. */
@@ -7798 +7810 @@
 
 
+/**
+ * Hacks its way around the lovely mesa driver's backdoor accesses.
+ *
+ * @sa hmR0VmxHandleMesaDrvGp
+ */
+static int hmR0SvmHandleMesaDrvGp(PVMCPU pVCpu, PSVMTRANSIENT pSvmTransient, PCPUMCTX pCtx, PCSVMVMCB pVmcb)
+{
+    Log(("hmR0SvmHandleMesaDrvGp: at %04x:%08RX64 rcx=%RX64 rbx=%RX64\n",
+         pVmcb->guest.CS.u16Sel, pVmcb->guest.u64RIP, pCtx->rcx, pCtx->rbx));
+    RT_NOREF(pCtx, pSvmTransient, pVmcb);
+
+    /* For now we'll just skip the instruction. */
+    hmR0SvmAdvanceRip(pVCpu, 1);
+    return VINF_SUCCESS;
+}
+
+
+/**
+ * Checks if the \#GP'ing instruction is the mesa driver doing it's lovely
+ * backdoor logging w/o checking what it is running inside.
+ *
+ * This recognizes an "IN EAX,DX" instruction executed in flat ring-3, with the
+ * backdoor port and magic numbers loaded in registers.
+ *
+ * @returns true if it is, false if it isn't.
+ * @sa      hmR0VmxIsMesaDrvGp
+ */
+DECLINLINE(bool) hmR0SvmIsMesaDrvGp(PVMCPU pVCpu, PSVMTRANSIENT pSvmTransient, PCPUMCTX pCtx, PCSVMVMCB pVmcb)
+{
+    /* Check magic and port. */
+    Assert(!(pCtx->fExtrn & (CPUMCTX_EXTRN_RDX | CPUMCTX_EXTRN_RCX)));
+    /*Log(("hmR0SvmIsMesaDrvGp: rax=%RX64 rdx=%RX64\n", pCtx->fExtrn & CPUMCTX_EXTRN_RAX ? pCtx->rax : pVmcb->guest.u64RAX, pCtx->rdx));*/
+    if (pCtx->dx != UINT32_C(0x5658))
+        return false;
+    if ((pCtx->fExtrn & CPUMCTX_EXTRN_RAX ? pCtx->rax : pVmcb->guest.u64RAX) != UINT32_C(0x564d5868))
+        return false;
+
+    /* Check that it is #GP(0). */
+    if (pSvmTransient->u64ExitCode != 0)
+        return false;
+
+    /* Flat ring-3 CS. */
+    /*Log(("hmR0SvmIsMesaDrvGp: u8CPL=%d base=%Rx64\n", pVmcb->guest.u8CPL, pCtx->fExtrn & CPUMCTX_EXTRN_CS ? pVmcb->guest.CS.u64Base : pCtx->cs.Sel));*/
+    if (pVmcb->guest.u8CPL != 3)
+        return false;
+    if ((pCtx->fExtrn & CPUMCTX_EXTRN_CS ? pVmcb->guest.CS.u64Base : pCtx->cs.Sel) != 0)
+        return false;
+
+    /* 0xed:  IN eAX,dx */
+    uint64_t const uRip = pCtx->fExtrn & CPUMCTX_EXTRN_RIP ? pCtx->rip : pVmcb->guest.u64RIP;
+    uint8_t abInstr[1];
+    if (   hmR0SvmSupportsNextRipSave(pVCpu)
+        && pVmcb->ctrl.u64NextRIP - uRip != sizeof(abInstr))
+        return false;
+    if (pVmcb->ctrl.cbInstrFetched >= 1)
+    {
+        /*Log(("hmR0SvmIsMesaDrvGp: %#x\n", pVmcb->ctrl.abInstr));*/
+        if (pVmcb->ctrl.abInstr[0] != 0xed)
+            return false;
+    }
+    else
+    {
+        int rc = PGMPhysSimpleReadGCPtr(pVCpu, abInstr, uRip, sizeof(abInstr));
+        /*Log(("hmR0SvmIsMesaDrvGp: PGMPhysSimpleReadGCPtr -> %Rrc %#x\n", rc, abInstr[0]));*/
+        if (RT_FAILURE(rc))
+            return false;
+        if (abInstr[0] != 0xed)
+            return false;
+    }
+
+    return true;
+}
+
+
+/**
+ * \#VMEXIT handler for general protection faults (SVM_EXIT_XCPT_BP).
+ * Conditional \#VMEXIT.
+ */
+HMSVM_EXIT_DECL hmR0SvmExitXcptGP(PVMCPU pVCpu, PSVMTRANSIENT pSvmTransient)
+{
+    HMSVM_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pSvmTransient);
+    HMSVM_CHECK_EXIT_DUE_TO_EVENT_DELIVERY(pVCpu, pSvmTransient);
+
+    PCSVMVMCB pVmcb = hmR0SvmGetCurrentVmcb(pVCpu);
+    Assert(pSvmTransient->u64ExitCode == pVmcb->ctrl.u64ExitCode);
+
+    PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
+    if (   !pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv
+        || hmR0SvmIsMesaDrvGp(pVCpu, pSvmTransient, pCtx, pVmcb))
+    {
+        SVMEVENT Event;
+        Event.u                  = 0;
+        Event.n.u1Valid          = 1;
+        Event.n.u3Type           = SVM_EVENT_EXCEPTION;
+        Event.n.u8Vector         = X86_XCPT_GP;
+        Event.n.u1ErrorCodeValid = 1;
+        Event.n.u32ErrorCode     = (uint32_t)pSvmTransient->u64ExitCode;
+        hmR0SvmSetPendingEvent(pVCpu, &Event, 0 /* GCPtrFaultAddress */);
+        return VINF_SUCCESS;
+    }
+    return hmR0SvmHandleMesaDrvGp(pVCpu, pSvmTransient, pCtx, pVmcb);
+}
+
+
 #if defined(HMSVM_ALWAYS_TRAP_ALL_XCPTS) || defined(VBOX_WITH_NESTED_HWVIRT_SVM)
 /**

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -13168 +13168 @@
 /**
  * Hacks its way around the lovely mesa driver's backdoor accesses.
+ *
+ * @sa hmR0SvmHandleMesaDrvGp
  */
 static int hmR0VmxHandleMesaDrvGp(PVMCPU pVCpu, PVMXTRANSIENT pVmxTransient, PCPUMCTX pCtx)
@@ -13187 +13189 @@
  *
  * @returns true if it is, false if it isn't.
+ * @sa      hmR0SvmIsMesaDrvGp
  */
 DECLINLINE(bool) hmR0VmxIsMesaDrvGp(PVMCPU pVCpu, PVMXTRANSIENT pVmxTransient, PCPUMCTX pCtx)