Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3772837imm;
        Sun, 13 May 2018 19:58:29 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrUKuHLpfVZuOPShh2qA7SX3FfzUOv8xpomKOUjrlIsLZe7cFH9L8gLxgmjh/t8r+61/cPg
X-Received: by 2002:a17:902:70c9:: with SMTP id l9-v6mr7829118plt.382.1526266709865;
        Sun, 13 May 2018 19:58:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526266709; cv=none;
        d=google.com; s=arc-20160816;
        b=vtmIEuEmmNKu6QiMkSSLVUyq8kPLFZBjAA7sLGBB3pRYPrgeOkTUJg2LKZbqWjWpXQ
         Dd74tIMaPLnxGC6D8aEFGZWU/mZeu+6rTGGUMFMV9GKweyjWs+cFXqbPYnLFFLn5MBLI
         qXpz9wUO61WLswP9OnmZpSvEbNYtpkb+Jztr6TJ29dhd653niMMeXAmGL9slGFHash25
         TxAjllL7n6roinfp1jCphmMyCJTJj9Gq15/Eyvlq+sgwu3pcQOj7earhgtVooC95jZma
         AwCVcde+83CyFv0ll+OZOpAKZ4q2x0Y0BTzvAXcXP7r1KsSMfgsgRZU9maEFTUmbiY++
         +bWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:content-disposition
         :mime-version:message-id:subject:cc:to:from:date:dkim-signature
         :arc-authentication-results;
        bh=qdSrp9lQ6/Orgg/jdz1y7gRQ4u9/COF8dO1eh4QgcJM=;
        b=LwFWvvORc4fpBksJZZpwJrM7ySysYEtQRInOjc2xzEb3vticlo7P6VmFrn1jhTnkH8
         Kls/MQupwQVl+AWxwEzZdMMWrXJmX5jSYFzAzoPHt/GawKZzwDjQmpBOuWbpd374VC4N
         NQRtrvHZyGzaV68Lf0cnNgvAu0xzGpaH86J2G1ONz7cNtlmdNCcwCCKHVRfmscAU0PRa
         g9QZd0VeKVJ2ZP0JV52lv5q8BgTwkh+w8hpc+BFDsSggfewwXgTcRMSMjQ+oM3Pc6HwM
         UIc/NS4MOVKSkoOa/LAZ3ODUxB3aggvQsZfmQtC2XdIkMc1cAXnYZZKSDq92+B1RQxXd
         3byg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rnJ4YMEZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b5-v6si7807113plm.202.2018.05.13.19.58.13;
        Sun, 13 May 2018 19:58:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rnJ4YMEZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752028AbeENC6D (ORCPT <rfc822;yuankui.zhao@gmail.com>
        + 99 others); Sun, 13 May 2018 22:58:03 -0400
Received: from mail-pg0-f66.google.com ([74.125.83.66]:43594 "EHLO
        mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751953AbeENC6C (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 13 May 2018 22:58:02 -0400
Received: by mail-pg0-f66.google.com with SMTP id p8-v6so1297962pgq.10;
        Sun, 13 May 2018 19:58:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=qdSrp9lQ6/Orgg/jdz1y7gRQ4u9/COF8dO1eh4QgcJM=;
        b=rnJ4YMEZNSV+UGd4CGg5p9XjbVGyOOQSIVoMK8CsyigLdk1s5L/smWmkunoONLGPx/
         VIDwqLkkajItL7iX3LtcgSqUxKmeeQ2OrPJAkLQ1l/oC82ZCFRzvS3pvuYtCvV06rz7W
         ouW2Vox84CKmteTY1Qd/yR+UQH3GdNVjYhQOUjgsHfspilOKJadmUfErSNmyqN1GTH8h
         RCvAtXkKAqPhUkxDe+lS0v2VXm/f9NJei1cGbGJiRVN004YlE5mOcqkm3Di/sBN6zPpz
         VZFDPB5GqtXXUhTt+coa2eu6Bc9oBlSl3OOL8A6DQ1yvxCjvJt6hPOiPtLk1XH53lFH7
         +uZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=qdSrp9lQ6/Orgg/jdz1y7gRQ4u9/COF8dO1eh4QgcJM=;
        b=OEg8M7HE0FnbZNxWv7IiGG2wATY5Mlq7mUNugFi5rQd4WQwvKdiOHF16nSnYpRQGs6
         gAsGS2foJG8B2CsMRgUf86cNoF2DF11JHV0YJ+78sLQQbtZ4KQCSwktFKvbwPHI1Liz0
         CxUw9NowJsiI0lEy3py7RQ2h4Zp2No50s7nXkb0RmsmgVB1lCa5rbFJPKG2KAKRtvrE6
         1NHeO1tmrwxrYOmHnO1ou+iBoJAv1cvcyESuCeuu6jwY1tVE7YD7YGBMsOYS+BCiKnQt
         Zl14aaZJNEU+6SXcfSXYHfA23MbKWe+uegC1oP8gvX/1T6EAhP/hXpNf9JPGWIr/vTUh
         ZOdw==
X-Gm-Message-State: ALKqPwdvY+9cL6IHE3utVHZwJ2DCt/gL6ufbBbeYNVBXo7xBTgOAAwGB
        CGjp2Te+ydAdPrHnWrngLqCDTIwcXBg=
X-Received: by 2002:a62:2417:: with SMTP id r23-v6mr8475562pfj.108.1526266681148;
        Sun, 13 May 2018 19:58:01 -0700 (PDT)
Received: from sol.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198])
        by smtp.gmail.com with ESMTPSA id f29-v6sm16722984pff.169.2018.05.13.19.58.00
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 13 May 2018 19:58:00 -0700 (PDT)
Date:   Sun, 13 May 2018 20:00:07 -0700
From:   Eric Biggers <ebiggers3@gmail.com>
To:     linux-kvm@vger.kernel.org, dvyukov@google.com, karahmed@amazon.de
Cc:     x86@kernel.org, linux-kernel@vger.kernel.org
Subject: CONFIG_KCOV causing crash in svm_vcpu_run()
Message-ID: <20180514030007.GH677@sol.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.5 (2018-04-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

With CONFIG_KCOV=y and an AMD processor, running the following program crashes
the kernel with no output (I'm testing in a VM, so it's using nested
virtualization):

	#include <fcntl.h>
	#include <linux/kvm.h>
	#include <sys/ioctl.h>

	int main()
	{
		int dev, vm, cpu;
		char page[4096] __attribute__((aligned(4096))) = { 0 };
		struct kvm_userspace_memory_region memreg = {
			.memory_size = 4096,
			.userspace_addr = (unsigned long)page,
		};
		dev = open("/dev/kvm", O_RDONLY);
		vm = ioctl(dev, KVM_CREATE_VM, 0);
		cpu = ioctl(vm, KVM_CREATE_VCPU, 0);
		ioctl(vm, KVM_SET_USER_MEMORY_REGION, &memreg);
		ioctl(cpu, KVM_RUN, 0);
	}

It bisects down to commit b2ac58f90540e39 ("KVM/SVM: Allow direct access to
MSR_IA32_SPEC_CTRL").  The bug is apparently that due to the new code for
managing the SPEC_CTRL MSR, __sanitizer_cov_trace_pc() is being called from
svm_vcpu_run() before the host's MSR_GS_BASE has been restored, which causes a
crash somehow.  The following patch fixes it, though I don't know that it's the
right solution; maybe KCOV should be disabled in the function instead, or maybe
there's a more fundamental problem.  What do people think?

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 1fc05e428aba8..d35ef241e66d8 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -5652,6 +5652,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
 		);
 
+#ifdef CONFIG_X86_64
+	wrmsrl(MSR_GS_BASE, svm->host.gs_base);
+#else
+	loadsegment(fs, svm->host.fs);
+#ifndef CONFIG_X86_32_LAZY_GS
+	loadsegment(gs, svm->host.gs);
+#endif
+#endif
+
 	/*
 	 * We do not use IBRS in the kernel. If this vCPU has used the
 	 * SPEC_CTRL MSR it may have left it on; save the value and
@@ -5676,15 +5685,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 	/* Eliminate branch target predictions from guest mode */
 	vmexit_fill_RSB();
 
-#ifdef CONFIG_X86_64
-	wrmsrl(MSR_GS_BASE, svm->host.gs_base);
-#else
-	loadsegment(fs, svm->host.fs);
-#ifndef CONFIG_X86_32_LAZY_GS
-	loadsegment(gs, svm->host.gs);
-#endif
-#endif
-
 	reload_tss(vcpu);
 
 	local_irq_disable();