Bug #13139 (closed): bhyve bungles math for VMX ins/outs size
% Done: 100%
Difficulty: Medium
Tags: bhyve
Description
A user on the smartos-discuss mailing list reported a blown assertion:
panic[cpu1]/thread=fffffe16ef6df0a0: assertion failed: inout->addrsize == 2 || inout->addrsize == 4 || inout->addrsize == 8, file: ../../i86pc/io/vmm/intel/vmx.c, line: 1953
This would be from code added/modified by #12989. Taking a closer look at the code in question, the problem is apparent:
	inst_info = vmcs_read(VMCS_EXIT_INSTRUCTION_INFO);
	/*
	 * Bits 7-9 encode the address size of ins/outs operations where
	 * the 0/1/2 values correspond to 16/32/64 bit sizes.
	 */
	inout->addrsize = 2 << (1 + ((inst_info >> 7) & 0x3));
	VERIFY(inout->addrsize == 2 || inout->addrsize == 4 ||
	    inout->addrsize == 8);
The fact that Intel reserves 3 bits for this field is deceiving: the only expected values from that field (once shifted and masked) are 0/1/2. Since the intended result is 2 << 0, 2 << 1 or 2 << 2 (that is, 2/4/8 bytes), the erroneous "1 +" should be eliminated; with it, the expression produces 4/8/16 and blows the assert in the 64-bit case.
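To make the arithmetic concrete, the following added example (not code from the bhyve source) decodes the address-size field the same way the snippet above does, once with the stray "1 +" and once without, and checks each result against the invariant the VERIFY() enforces. The field position and mask match the snippet; the inst_info words fed in, and the helper names, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not bhyve code. Bits 7-9 of the VMCS exit instruction
 * information hold 0/1/2 for 16/32/64-bit addressing on ins/outs; the
 * shift and mask below are the ones used by the buggy snippet.
 */
#define INST_INFO_ADDRSIZE_SHIFT	7
#define INST_INFO_ADDRSIZE_MASK		0x3

/* Original computation from the bug report: the stray "1 +" yields 4/8/16. */
static int
addrsize_buggy(uint32_t inst_info)
{
	return (2 << (1 + ((inst_info >> INST_INFO_ADDRSIZE_SHIFT) &
	    INST_INFO_ADDRSIZE_MASK)));
}

/* Corrected computation: 2 << 0/1/2 gives the expected 2/4/8 bytes. */
static int
addrsize_fixed(uint32_t inst_info)
{
	return (2 << ((inst_info >> INST_INFO_ADDRSIZE_SHIFT) &
	    INST_INFO_ADDRSIZE_MASK));
}

/* The invariant the VERIFY() in vmx.c enforces. */
static int
addrsize_valid(int addrsize)
{
	return (addrsize == 2 || addrsize == 4 || addrsize == 8);
}

/*
 * Build a constructed inst_info word: the encoded size in bits 7-9,
 * plus unrelated bits set above and below the field to show that
 * the shift-and-mask ignores them.
 */
static uint32_t
make_inst_info(uint32_t encoded_size)
{
	uint32_t noise = 0x7fu | (0x1u << 10);	/* constructed filler bits */

	return (noise |
	    ((encoded_size & INST_INFO_ADDRSIZE_MASK) << INST_INFO_ADDRSIZE_SHIFT));
}

int
main(void)
{
	for (uint32_t enc = 0; enc <= 2; enc++) {
		uint32_t info = make_inst_info(enc);
		int bad = addrsize_buggy(info);
		int good = addrsize_fixed(info);

		printf("encoded %u: buggy=%d (%s)  fixed=%d (%s)\n", enc,
		    bad, addrsize_valid(bad) ? "ok" : "blows VERIFY",
		    good, addrsize_valid(good) ? "ok" : "blows VERIFY");
	}
	return (0);
}
```

Running it shows the buggy form passing the assert for the 16- and 32-bit encodings (4 and 8 happen to be valid sizes, just the wrong ones) and failing only on the 64-bit encoding, which is why the panic surfaced as a blown assert rather than as silently mis-sized I/O in every case.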