VM entry (vmlaunch) with invalid control field

I am learning Intel VMX with a Linux based VMM.
I found 'vmlaunch' instruction failed with vm instruction error of 7.
I checked Intel's SDM, it means 'VM entry with invalid control field'.
I double checked the VM_entry_control, VM_exit_control, VM_exec_control, but could NOT find anything wrong. I am using EPTP for VM execution (VM is in real mode). Below is the control fields, and VMX capabilities. Host CPU info is as follows.
Linux kernel is 3.10, and 4.4.0.

    processor       : 1
    vendor_id       : GenuineIntel
    cpu family      : 6
    model           : 63
    model name      : Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
    stepping        : 2
    microcode       : 0x37
    cpu MHz         : 2391.223
    cache size      : 15360 KB
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 13
    wp              : yes
    

<pre>
 0x0000001F = control_VMX_pin_based
 0xA50061F2 = control_VMX_cpu_based
 0x00000082 = control_VMX_proc2_based
 0x00000000 = control_exception_bitmap
 0x00000000 = control_pagefault_errorcode_mask
 0xFFFFFFFF = control_pagefault_errorcode_match
 0x00000002 = control_CR3_target_count
 0x00036FFB = control_VM_exit_controls
 0x000011FB = control_VM_entry_controls
 0x00000000 = control_VM_entry_interruption_information
 0x00000000 = control_VM_entry_exception_errorcode
 0x00000000 = control_VM_entry_instruction_length

 0x0000000000000020 = control_CR0_mask
 0x0000000000002000 = control_CR4_mask
 0x0000000000000020 = control_CR0_shadow
 0x0000000000002000 = control_CR4_shadow
 0x0000000000000000 = control_CR3_target0
 0x0000000124FCE000 = control_CR3_target1
 0x0000000000000000 = control_CR3_target2
 0x0000000000000000 = control_CR3_target3

Host VMX capabilities are as follows,

 VMX-Capability Model-Specific Registers

     00D8100000000001 = IA32_VMX_BASIC_MSR
     0000003F00000016 = IA32_VMX_PINBASED_CTLS_MSR
     FFF9FFFE0401E172 = IA32_VMX_PROCBASED_CTLS_MSR
     0033FFFF00036DFF = IA32_VMX_EXIT_CTLS_MSR
     0000B3FF000011FF = IA32_VMX_ENTRY_CTLS_MSR
     00000000000401E0 = IA32_VMX_MISC_MSR
     0000000080000021 = IA32_VMX_CR0_FIXED0_MSR
     00000000FFFFFFFF = IA32_VMX_CR0_FIXED1_MSR
     0000000000002000 = IA32_VMX_CR4_FIXED0_MSR
     00000000000427FF = IA32_VMX_CR4_FIXED1_MSR
     000000000000005A = IA32_VMX_VMCS_ENUM_MSR
     000000EE00000000 = IA32_VMX_PROCBASED_CTLS2
     00000F0106114041 = IA32_VMX_EPT_VPID_CAP
     0000003F00000016 = IA32_VMX_TRUE_PINBASED_CTLS
     FFF9FFFE04006172 = IA32_VMX_TRUE_PROCBASED_CTLS
     0033FFFF00036DFB = IA32_VMX_TRUE_EXIT_CTLS
     0000B3FF000011FB = IA32_VMX_TRUE_ENTRY_CTLS

I don’t see anything wrong in the fields you provided, but there are more checks on fields you haven’t listed. For example, Use MSR bitmap is 1, but you don’t show the value of the MSR bitmap address.

You should go through all the checks in section 26.2.1.

I suggest also looking at any checks related to unrestricted-guest. It is recommended that you set the controls to save and restore EFER in the exit and entry controls.