Commit bb605df21e for qemu.org
commit bb605df21e2edb7b40ddff595bb755618c031f7a
Author: Mohamed Mediouni <mohamed@unpredictable.fr>
Date: Wed Apr 22 23:42:22 2026 +0200
whpx: i386: add feature to intercept #GP MSR accesses
It turns out they're not that uncommon, so have
a feature around to log those.
Signed-off-by: Mohamed Mediouni <mohamed@unpredictable.fr>
Link: https://lore.kernel.org/r/20260422214225.2242-35-mohamed@unpredictable.fr
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/accel/whpx/whpx-common.c b/accel/whpx/whpx-common.c
index 497c03138e..d846e08714 100644
--- a/accel/whpx/whpx-common.c
+++ b/accel/whpx/whpx-common.c
@@ -555,6 +555,7 @@ static void whpx_accel_instance_init(Object *obj)
/* Value determined at whpx_accel_init */
whpx->hyperv_enlightenments_enabled = false;
whpx->ignore_unknown_msr = true;
+ whpx->intercept_msr_gp = false;
}
static const TypeInfo whpx_accel_type = {
diff --git a/include/system/whpx-internal.h b/include/system/whpx-internal.h
index 0aae83bd7c..15027a7d52 100644
--- a/include/system/whpx-internal.h
+++ b/include/system/whpx-internal.h
@@ -48,6 +48,7 @@ struct whpx_state {
bool hyperv_enlightenments_enabled;
bool ignore_unknown_msr;
+ bool intercept_msr_gp;
};
extern struct whpx_state whpx_global;
diff --git a/target/i386/whpx/whpx-all.c b/target/i386/whpx/whpx-all.c
index 5750539ee4..d6bc36686c 100644
--- a/target/i386/whpx/whpx-all.c
+++ b/target/i386/whpx/whpx-all.c
@@ -1008,6 +1008,27 @@ static int emulate_instruction(CPUState *cpu, const uint8_t *insn_bytes, size_t
return 0;
}
+static int emulate_msr_instruction(CPUState *cpu,
+ const uint8_t *insn_bytes, size_t insn_len)
+{
+ X86CPU *x86_cpu = X86_CPU(cpu);
+ CPUX86State *env = &x86_cpu->env;
+ struct x86_decode decode = { 0 };
+ x86_insn_stream stream = { .bytes = insn_bytes, .len = insn_len };
+
+ whpx_get_registers(cpu, WHPX_LEVEL_FAST_RUNTIME_STATE);
+ decode_instruction_stream(env, &decode, &stream);
+
+ if (decode.cmd != X86_DECODE_CMD_RDMSR
+ && decode.cmd != X86_DECODE_CMD_WRMSR) {
+ return 1;
+ }
+
+ exec_instruction(env, &decode);
+ whpx_set_registers(cpu, WHPX_LEVEL_FAST_RUNTIME_STATE);
+ return 0;
+}
+
static int whpx_handle_mmio(CPUState *cpu, WHV_RUN_VP_EXIT_CONTEXT *exit_ctx)
{
WHV_MEMORY_ACCESS_CONTEXT *ctx = &exit_ctx->MemoryAccess;
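Review bot: emulate_msr_instruction decides to emulate from the decoded opcode alone, so an RDMSR/WRMSR that faulted because the guest executed it at CPL > 0 is handled the same as one that faulted on an unknown MSR. The two simulate callbacks added later in this patch only log and raise #GP, so the outcome is unchanged today. Once real MSR cases are added, a user-mode access could be emulated unless exec_instruction checks privilege itself, which is not visible here. A comment above the function would record that, e.g. `/* Reached for any #GP on RDMSR/WRMSR, including CPL != 0; callbacks must not grant access. */`, along with the return contract (1 = not an MSR instruction, 0 = emulated). Consider returning 1 early when `insn_len == 0`, since the bytes come from the exit context and the decoder's handling of a short stream is not shown in this hunk.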
@@ -1022,6 +1043,45 @@ static int whpx_handle_mmio(CPUState *cpu, WHV_RUN_VP_EXIT_CONTEXT *exit_ctx)
return 0;
}
+static int whpx_handle_msr_from_gpf(CPUState *cpu)
+{
+ WHV_VP_EXCEPTION_CONTEXT *ctx = &cpu->accel->exit_ctx.VpException;
+ int ret;
+
+ ret = emulate_msr_instruction(cpu, ctx->InstructionBytes, ctx->InstructionByteCount);
+ if (ret == 1) {
+ /* Not an MSR instruction */
+ return 1;
+ }
+
+ return 0;
+}
+
+static void whpx_inject_back_gpf(CPUState *cpu)
+{
+ WHV_VP_EXCEPTION_CONTEXT *ctx = &cpu->accel->exit_ctx.VpException;
+ WHV_REGISTER_VALUE reg = {};
+
+ if (ctx->ExceptionInfo.SoftwareException) {
+ /* TODO */
+ warn_report("Was asked to inject software exception.");
+ return;
+ }
+
+ if (ctx->ExceptionType != EXCP0D_GPF) {
+ warn_report("Was asked to inject exception other than GPF.");
+ return;
+ }
+
+ reg.ExceptionEvent.EventPending = 1;
+ reg.ExceptionEvent.EventType = WHvX64PendingEventException;
+ reg.ExceptionEvent.DeliverErrorCode = ctx->ExceptionInfo.ErrorCodeValid;
+ reg.ExceptionEvent.Vector = ctx->ExceptionType;
+ reg.ExceptionEvent.ErrorCode = ctx->ErrorCode;
+ reg.ExceptionEvent.ExceptionParameter = ctx->ExceptionParameter;
+ whpx_set_reg(cpu, WHvRegisterPendingEvent, reg);
+}
+
static void handle_io(CPUState *env, uint16_t port, void *buffer,
int direction, int size, int count)
{
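Review bot: whpx_inject_back_gpf returns without setting `WHvRegisterPendingEvent` on both warning paths, so the intercepted exception is dropped and the guest never sees the fault it raised. If the software-exception case is guest-reachable (it looks so, but the hunk does not show it), the guest can repeat the exit and the unthrottled `warn_report` at will; `warn_report_once("Was asked to inject software exception.");` would at least bound the log output until the TODO is resolved. `WHV_REGISTER_VALUE reg = {};` uses an empty initializer where emulate_msr_instruction in this patch uses `{ 0 }`; the latter is the portable C form. In whpx_handle_msr_from_gpf the `ret` local and the `if` can collapse into `return emulate_msr_instruction(cpu, ctx->InstructionBytes, ctx->InstructionByteCount);`.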
@@ -1210,13 +1270,54 @@ static target_ulong read_cr(CPUState *cpu, int cr)
return val.Reg64;
}
+static bool whpx_simulate_rdmsr(CPUState *cs)
+{
+ X86CPU *cpu = X86_CPU(cs);
+ CPUX86State *env = &cpu->env;
+ uint32_t msr = ECX(env);
+ uint64_t val = 0;
+
+ switch (msr) {
+ default:
+ error_report("WHPX: unknown msr 0x%x", msr);
+ x86_emul_raise_exception(&X86_CPU(cpu)->env, EXCP0D_GPF, 0);
+ return 1;
+ break;
+ }
+
+ RAX(env) = (uint32_t)val;
+ RDX(env) = (uint32_t)(val >> 32);
+
+ return 0;
+}
+
+static bool whpx_simulate_wrmsr(CPUState *cs)
+{
+ X86CPU *cpu = X86_CPU(cs);
+ CPUX86State *env = &cpu->env;
+ uint32_t msr = ECX(env);
+ uint64_t data = ((uint64_t)EDX(env) << 32) | EAX(env);
+
+ switch (msr) {
+ default:
+ error_report("WHPX: unknown msr 0x%x val %llx", msr, data);
+ x86_emul_raise_exception(&X86_CPU(cpu)->env, EXCP0D_GPF, 0);
+ return 1;
+ break;
+ }
+
+ return 0;
+}
+
static const struct x86_emul_ops whpx_x86_emul_ops = {
.read_segment_descriptor = read_segment_descriptor,
.handle_io = handle_io,
.is_protected_mode = is_protected_mode,
.is_long_mode = is_long_mode,
.is_user_mode = is_user_mode,
- .read_cr = read_cr
+ .read_cr = read_cr,
+ .simulate_rdmsr = whpx_simulate_rdmsr,
+ .simulate_wrmsr = whpx_simulate_wrmsr
};
static void whpx_init_emu(void)
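Review bot: whpx_simulate_rdmsr and whpx_simulate_wrmsr are declared `bool` but return `1`/`0`, and the `break` after each `return 1;` is unreachable; `return true;` / `return false;` without the `break` matches the declared type. `cpu` is already an `X86CPU *`, so `&X86_CPU(cpu)->env` can simply be `env`. In whpx_simulate_wrmsr `data` is a `uint64_t` printed with `%llx`; `"WHPX: unknown msr 0x%x val %" PRIx64` is the portable form. Each `error_report` is driven by a guest instruction and is not rate-limited, so with the option enabled a guest controls the volume of host log output; that is worth stating in the option's documentation.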
@@ -1356,6 +1457,18 @@ uint64_t whpx_get_supported_msr_feature(uint32_t index)
return 0;
}
+static UINT64 whpx_get_default_exceptions(void)
+{
+ struct whpx_state *whpx = &whpx_global;
+ UINT64 intercepts = 0;
+
+ if (whpx->intercept_msr_gp) {
+ intercepts |= 1UL << WHvX64ExceptionTypeGeneralProtectionFault;
+ }
+
+ return intercepts;
+}
+
/*
* Controls whether we should intercept various exceptions on the guest,
* namely breakpoint/single-step events.
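Review bot: `1UL << WHvX64ExceptionTypeGeneralProtectionFault` builds a `UINT64` mask from an `unsigned long`, which is 32 bits wide on the Windows targets WHPX is built for. The #GP bit fits, but the same pattern would silently truncate for any exception bit at position 32 or above added later. `intercepts |= 1ULL << WHvX64ExceptionTypeGeneralProtectionFault;` keeps the shift in 64 bits.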
@@ -1378,7 +1491,7 @@ HRESULT whpx_set_exception_exit_bitmap(UINT64 exceptions)
prop.ExtendedVmExits.X64MsrExit = 1;
prop.ExtendedVmExits.X64CpuidExit = 1;
- if (exceptions != 0) {
+ if (exceptions != 0 || whpx_get_default_exceptions() != 0) {
prop.ExtendedVmExits.ExceptionExit = 1;
}
@@ -1393,7 +1506,7 @@ HRESULT whpx_set_exception_exit_bitmap(UINT64 exceptions)
}
memset(&prop, 0, sizeof(WHV_PARTITION_PROPERTY));
- prop.ExceptionExitBitmap = exceptions;
+ prop.ExceptionExitBitmap = exceptions | whpx_get_default_exceptions();
hr = whp_dispatch.WHvSetPartitionProperty(
whpx->partition,
@@ -1403,6 +1516,8 @@ HRESULT whpx_set_exception_exit_bitmap(UINT64 exceptions)
if (SUCCEEDED(hr)) {
whpx->exception_exit_bitmap = exceptions;
+ } else {
+ error_report("WHPX: Failed to set exception exit bitmap, hr=%08lx", hr);
}
return hr;
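Review bot: On success `whpx->exception_exit_bitmap = exceptions;` caches only the caller's mask, while the value written to the partition in the preceding hunk is `exceptions | whpx_get_default_exceptions()`. If that is deliberate, so that callers comparing against the cached value are unaffected by the default intercepts, a comment would make it explicit, e.g. `/* Cache excludes the default intercepts; they are OR-ed in on every call. */`. Reading the default mask once into a local at the top of whpx_set_exception_exit_bitmap would also avoid evaluating it separately in the two earlier hunks of this function. The function begins outside this hunk.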
@@ -2518,6 +2633,15 @@ int whpx_vcpu_run(CPUState *cpu)
break;
}
case WHvRunVpExitReasonException:
+ if (vcpu->exit_ctx.VpException.ExceptionType ==
+ WHvX64ExceptionTypeGeneralProtectionFault) {
+ if (whpx_handle_msr_from_gpf(cpu)) {
+ whpx_inject_back_gpf(cpu);
+ }
+ ret = 0;
+ break;
+ }
+
whpx_get_registers(cpu, WHPX_LEVEL_FULL_STATE);
if ((vcpu->exit_ctx.VpException.ExceptionType ==
@@ -2806,6 +2930,38 @@ static void whpx_set_unknown_msr(Object *obj, Visitor *v,
}
}
+static void whpx_set_intercept_msr_gp(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ struct whpx_state *whpx = &whpx_global;
+ OnOffAuto mode;
+
+ if (!visit_type_OnOffAuto(v, name, &mode, errp)) {
+ return;
+ }
+
+ switch (mode) {
+ case ON_OFF_AUTO_ON:
+ whpx->intercept_msr_gp = true;
+ break;
+
+ case ON_OFF_AUTO_OFF:
+ whpx->intercept_msr_gp = false;
+ break;
+
+ case ON_OFF_AUTO_AUTO:
+ whpx->intercept_msr_gp = false;
+ break;
+ default:
+ /*
+ * The value was checked in visit_type_OnOffAuto() above. If
+ * we get here, then something is wrong in QEMU.
+ */
+ abort();
+ }
+}
+
void whpx_arch_accel_class_init(ObjectClass *oc)
{
object_class_property_add(oc, "ignore-unknown-msr", "OnOffAuto",
@@ -2813,6 +2969,11 @@ void whpx_arch_accel_class_init(ObjectClass *oc)
NULL, NULL);
object_class_property_set_description(oc, "ignore-unknown-msr",
"Configure unknown MSR behavior");
+ object_class_property_add(oc, "intercept-msr-gp", "OnOffAuto",
+ NULL, whpx_set_intercept_msr_gp,
+ NULL, NULL);
+ object_class_property_set_description(oc, "intercept-msr-gp",
+ "Intercept #GP to log erroring MSR accesses.");
}
int whpx_accel_init(AccelState *as, MachineState *ms)
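Review bot: The description `"Intercept #GP to log erroring MSR accesses."` does not say that the default is off, nor that whpx_set_intercept_msr_gp treats `auto` the same as `off`. It also omits that enabling the option makes every guest #GP exit to QEMU, where it is decoded and either emulated or re-injected. A fuller string such as `"Intercept guest #GP to log faulting MSR accesses (default: off; all #GP exits are routed through QEMU)"` tells an operator what the option costs. In the setter, the `ON_OFF_AUTO_OFF` and `ON_OFF_AUTO_AUTO` cases could share one body. whpx_arch_accel_class_init begins outside this hunk.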
@@ -3067,22 +3228,6 @@ int whpx_accel_init(AccelState *as, MachineState *ms)
goto error;
}
- /* Register for MSR and CPUID exits */
- memset(&prop, 0, sizeof(WHV_PARTITION_PROPERTY));
- prop.ExtendedVmExits.X64MsrExit = 1;
- prop.ExtendedVmExits.X64CpuidExit = 1;
-
- hr = whp_dispatch.WHvSetPartitionProperty(
- whpx->partition,
- WHvPartitionPropertyCodeExtendedVmExits,
- &prop,
- sizeof(WHV_PARTITION_PROPERTY));
- if (FAILED(hr)) {
- error_report("WHPX: Failed to enable extended VM exits, hr=%08lx", hr);
- ret = -EINVAL;
- goto error;
- }
-
memset(&prop, 0, sizeof(WHV_PARTITION_PROPERTY));
prop.X64MsrExitBitmap.UnhandledMsrs = 1;
prop.X64MsrExitBitmap.ApicBaseMsrWrite = 1;