From: Grygorii Strashko <[email protected]>

The LAPIC LVTx registers have two RO bits:
- all: Delivery Status (DS) bit 12
- LINT0/LINT1: Remote IRR Flag (RIR) bit 14.
  This bit is reserved for other LVTx regs with RAZ/WI access type (MMIO), while
  WRMSR (guest_wrmsr_x2apic()) has appropriate checks for reserved bits
  (MBZ access type).
and the current vLAPIC implementation allows the guest to write to these RO bits.

The Delivery Status (DS) is not emulated by Xen - there is no IRQ msg bus, and
the IRQ is:
- either accepted at the destination and appears as pending
  (vLAPIC Interrupt Request Register (IRR))
- or gets rejected immediately.

The Remote IRR Flag (RIR) behavior emulation is not implemented for LINT0/LINT1
in Xen for now.

Hence it is definitely wrong to allow the guest to write to the LVTx regs' RO bits;
fix it by unconditionally clearing those bits in vlapic_reg_write().

Signed-off-by: Grygorii Strashko <[email protected]>
---
 xen/arch/x86/hvm/vlapic.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xen/arch/x86/hvm/vlapic.c b/xen/arch/x86/hvm/vlapic.c
index 79697487ba90..78162afe7711 100644
--- a/xen/arch/x86/hvm/vlapic.c
+++ b/xen/arch/x86/hvm/vlapic.c
@@ -880,6 +880,7 @@ void vlapic_reg_write(struct vcpu *v, unsigned int reg, 
uint32_t val)
         if ( vlapic_sw_disabled(vlapic) )
             val |= APIC_LVT_MASKED;
         val &= array_access_nospec(vlapic_lvt_mask, (reg - APIC_LVTT) >> 4);
+        val &= ~(APIC_LVT_REMOTE_IRR | APIC_SEND_PENDING);
         vlapic_set_reg(vlapic, reg, val);
         if ( reg == APIC_LVT0 )
         {
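Review bot: the rationale for forcing APIC_LVT_REMOTE_IRR and APIC_SEND_PENDING clear lives only in the commit message; a short comment above the new `val &= ~(APIC_LVT_REMOTE_IRR | APIC_SEND_PENDING);` line stating that Delivery Status is never set because delivery is not emulated, and that Remote IRR is not yet emulated for LINT0/LINT1, would stop a future reader from mistaking it for a reserved-bit mask, especially since it sits directly after the `vlapic_lvt_mask` masking that already handles the reserved bits. It is also worth noting in that comment that the APIC_LVT_REMOTE_IRR part must be revisited if Remote IRR emulation for LINT0/LINT1 is ever added, since at that point the bit would have to be preserved from the current register value rather than cleared on every write.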
-- 
2.34.1
