Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752062AbdLEA24 (ORCPT <rfc822;w@1wt.eu>);
        Mon, 4 Dec 2017 19:28:56 -0500
Received: from mail-it0-f65.google.com ([209.85.214.65]:44087 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751380AbdLEA2y (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 Dec 2017 19:28:54 -0500
X-Google-Smtp-Source: AGs4zMZgRXOXgXRUwygwI2HBzmmrH7I4HRscSOqe/gZMV4mXEPTyd0p5wXh46zEDKw1o7V9kZdZGhulJkqX9+DuT23A=
MIME-Version: 1.0
In-Reply-To: <CANRm+Cx8r5GFwsEHOBv8DVkrcdQHW6CHgD+g5EFXGUTJmysG1Q@mail.gmail.com>
References: <1511218341-6221-1-git-send-email-wanpeng.li@hotmail.com>
 <eeb8c609-3fbb-bdd4-5556-d75dec87a6bd@redhat.com> <CANRm+Cx8r5GFwsEHOBv8DVkrcdQHW6CHgD+g5EFXGUTJmysG1Q@mail.gmail.com>
From: Jim Mattson <jmattson@google.com>
Date: Mon, 4 Dec 2017 16:28:52 -0800
Message-ID: <CALMp9eQNhLcStivpk37DkSoY0qQHPobXAXsT8YKbP3Uwg0Gamg@mail.gmail.com>
Subject: Re: [PATCH v2] KVM: VMX: Fix rflags cache during vCPU reset
To: Wanpeng Li <kernellwp@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        kvm <kvm@vger.kernel.org>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Wanpeng Li <wanpeng.li@hotmail.com>, Nadav Amit <nadav.amit@gmail.com>,
        Dmitry Vyukov <dvyukov@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1812
Lines: 63

That seems like a convoluted path to produce an illegal RFLAGS value.
What's to prevent syzkaller from simply clearing bit 1 of RFLAGS with
the KVM_SET_REGS ioctl?

On Mon, Nov 20, 2017 at 4:34 PM, Wanpeng Li <kernellwp@gmail.com> wrote:
> 2017-11-21 7:09 GMT+08:00 Paolo Bonzini <pbonzini@redhat.com>:
>> On 20/11/2017 23:52, Wanpeng Li wrote:
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index b348920..131fa1c 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -5590,6 +5590,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
>>>               vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
>>>       }
>>>
>>> +     kvm_set_rflags(vcpu, 2);
>>>       vmcs_writel(GUEST_RFLAGS, 0x02);
>>
>> I think the vmcs_writel can go, kvm_set_rflags ends up calling
>> vmx_set_rflags.
>
> Agreed.
>
>>
>>>       kvm_rip_write(vcpu, 0xfff0);
>>>
>>>
>>
>> Beautified testcase:
>>
>>     #include <unistd.h>
>>     #include <sys/syscall.h>
>>     #include <string.h>
>>     #include <stdint.h>
>>     #include <linux/kvm.h>
>>     #include <fcntl.h>
>>     #include <sys/ioctl.h>
>>
>>     long r[5];
>>     int main()
>>     {
>>         struct kvm_debugregs dr = { 0 };
>>
>>         r[2] = open("/dev/kvm", O_RDONLY);
>>         r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
>>         r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
>>         struct kvm_guest_debug debug = {
>>                 .control = 0xf0403,
>>                 .arch = {
>>                         .debugreg[6] = 0x2,
>>                         .debugreg[7] = 0x2
>>                 }
>>         };
>>         ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
>>         ioctl(r[4], KVM_RUN, 0);
>>     }
>>
>> No need to do anything, I'll handle this patch after -rc1.
>
> Thanks for that. :)
>
> Regards,
> Wanpeng Li