Date: Sun, 13 May 2018 20:02:05 -0700
From: Eric Biggers
To: kvm@vger.kernel.org, dvyukov@google.com, karahmed@amazon.de
Cc: x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: CONFIG_KCOV causing crash in svm_vcpu_run()
Message-ID: <20180514030205.GI677@sol.localdomain>
References: <20180514030007.GH677@sol.localdomain>
In-Reply-To: <20180514030007.GH677@sol.localdomain>
User-Agent: Mutt/1.9.5 (2018-04-13)
X-Mailing-List: linux-kernel@vger.kernel.org

Sorry, messed up address for KVM mailing list.  See message below.

On Sun, May 13, 2018 at 08:00:07PM -0700, Eric Biggers wrote:
> With CONFIG_KCOV=y and an AMD processor, running the following program crashes
> the kernel with no output (I'm testing in a VM, so it's using nested
> virtualization):
> 
> #include <fcntl.h>      /* open(), O_RDONLY */
> #include <sys/ioctl.h>  /* ioctl() */
> #include <linux/kvm.h>  /* KVM_* ioctls, struct kvm_userspace_memory_region */
> 
> int main()
> {
> 	int dev, vm, cpu;
> 	char page[4096] __attribute__((aligned(4096))) = { 0 };
> 	/* one zeroed page backing guest physical address 0 (slot and flags stay 0) */
> 	struct kvm_userspace_memory_region memreg = {
> 		.memory_size = 4096,
> 		.userspace_addr = (unsigned long)page,
> 	};
> 
> 	dev = open("/dev/kvm", O_RDONLY);
> 	vm = ioctl(dev, KVM_CREATE_VM, 0);
> 	cpu = ioctl(vm, KVM_CREATE_VCPU, 0);
> 	ioctl(vm, KVM_SET_USER_MEMORY_REGION, &memreg);
> 	ioctl(cpu, KVM_RUN, 0);	/* enters the guest; host crashes on the way back out */
> }
> 
> It bisects down to commit b2ac58f90540e39 ("KVM/SVM: Allow direct access to
> MSR_IA32_SPEC_CTRL").  The bug is apparently that due to the new code for
> managing the SPEC_CTRL MSR, __sanitizer_cov_trace_pc() is being called from
> svm_vcpu_run() before the host's MSR_GS_BASE has been restored, which causes a
> crash somehow.  The following patch fixes it, though I don't know that it's the
> right solution; maybe KCOV should be disabled in the function instead, or maybe
> there's a more fundamental problem.  What do people think?
> 
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index 1fc05e428aba8..d35ef241e66d8 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c > @@ -5652,6 +5652,15 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) > #endif > ); > > +#ifdef CONFIG_X86_64 > + wrmsrl(MSR_GS_BASE, svm->host.gs_base); > +#else > + loadsegment(fs, svm->host.fs); > +#ifndef CONFIG_X86_32_LAZY_GS > + loadsegment(gs, svm->host.gs); > +#endif > +#endif > + > /* > * We do not use IBRS in the kernel. If this vCPU has used the > * SPEC_CTRL MSR it may have left it on; save the value and > @@ -5676,15 +5685,6 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu) > /* Eliminate branch target predictions from guest mode */ > vmexit_fill_RSB(); > > -#ifdef CONFIG_X86_64 > - wrmsrl(MSR_GS_BASE, svm->host.gs_base); > -#else > - loadsegment(fs, svm->host.fs); > -#ifndef CONFIG_X86_32_LAZY_GS > - loadsegment(gs, svm->host.gs); > -#endif > -#endif > - > reload_tss(vcpu); > > local_irq_disable();
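Review bot: in the first hunk (@@ -5652,6 +5652,15 @@), the new wrmsrl(MSR_GS_BASE, svm->host.gs_base) block placed directly after the closing `);` of the VMRUN asm statement needs a comment explaining why it has to be the very first statement there: as the cover text says, under CONFIG_KCOV the compiler inserts __sanitizer_cov_trace_pc() calls into this function, and anything that runs between VMRUN and this restore executes with the GS base the guest left behind, so a later refactor that slips a statement or a branch in ahead of this block reintroduces the crash with no warning. The fix also relies on the compiler not placing an instrumented basic-block boundary between the asm statement and the wrmsrl itself, which nothing guarantees; if that cannot be relied on, the author's own alternative (excluding the function or file from KCOV instrumentation) is the more robust choice, and the description should state which approach is intended and why.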
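Review bot: the second hunk (@@ -5676,15 +5685,6 @@) only deletes the old restore block after vmexit_fill_RSB(), so the patch is a pure move and what gets restored does not change; that is fine, but the deletion leaves no trace at the old site, and a reader who sees reload_tss(vcpu) directly following vmexit_fill_RSB() has no hint that the segment restore was deliberately pulled ahead of the SPEC_CTRL save. The commit message should say that the move is what makes the SPEC_CTRL save and vmexit_fill_RSB() run with host GS already in place, and that the restore must stay first after the asm block rather than being moved back next to reload_tss(vcpu) where it used to live.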