x86/vvmx: virtualize x2APIC mode and APIC accesses can't both be enabled

According to the Intel SDM, "virtualize x2APIC mode" and "virtualize
APIC accesses" can't be enabled at the same time, or else a
vm{launch/entry} failure will happen. This was seen when running Xen
nested and with x2APIC enabled:

  (XEN) d3v0 VMLAUNCH error: 0x7
  [...]
  (XEN) *** Control State ***
  (XEN) PinBased=0000003f CPUBased=b6a075fe SecondaryExec=000014fb
  [...]

Fix this by making sure nvmx_update_secondary_exec_control clears the
incompatible bits from the host vmcs before merging it with the nested
vmcs.

This fixes a regression reported by osstest in the
test-amd64-amd64-qemuu-nested-intel job.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index 5dd00e11b52641070492f3b5ec9ad88a3523a5e1..d8ab167d6220639c8ddcf53922cd581127f38016 100644 (file)
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -594,6 +594,7 @@ void nvmx_update_secondary_exec_control(struct vcpu *v,
     u32 shadow_cntrl;
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     u32 apicv_bit = SECONDARY_EXEC_APIC_REGISTER_VIRT |
+                    SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
                     SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
 
     host_cntrl &= ~apicv_bit;