Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp135210imm; Mon, 14 May 2018 22:34:44 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrgr9+1Lezfk2ZvoaLkMv1pREmkdFVgwUj0b1ZzjOiPfayp986Oj1g5FNHM5sKeR59u34r3 X-Received: by 2002:a17:902:b184:: with SMTP id s4-v6mr12593011plr.359.1526362484426; Mon, 14 May 2018 22:34:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526362484; cv=none; d=google.com; s=arc-20160816; b=z3w1bgFBZelnltKbgbI5i9gfZEO0Y2UbYC9hkPsO0unSFjn6UoSErOaQnXKtQX3gs6 f8dr5eKMDd3mL7YgI9vvK/lezF5bZbXk4lOEshOsFwTipe4omhB9/ek/TLkzhVVYxLST AA5+Zm2U/2FyEmv5G00vGQHAk60nizkzEZ/TP9xne9P1heJJTFrI8yiwiVt0qiH8vObX qkly4z0abkjrNDsR1MtIKnmFQsu2X4dai4YEBvuSauyXttJYQUdhzzHY+yzu1MaX+Q+x FxlhyAPjg5WvZkEnVW9dw112bHOtpZQWqb+3cXzRvEm3xZ9DADizCvVTHC7u241WKmbj jhgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=3CfI4YXq+ii/8C6PC9fecwaKXMCOQk6AGhgEll4CXis=; b=kHOXBXo9nMWjka5SiNC46nxMF2fhtyb9VUvDzuRztQNqlDl+oad/cpVgaTCKC0P2tf NdVscTl3vMqkiVsmhM3+QH5TrHsnJr9K4HbTXWzqZ76Zsvi99FmFiZHuDxfQMvHh534P KJN+Wu8ntwHLyTTML/8N3a42P3i6FDFDi8T9OHYcYrOPimdp3NlEhXoZcO5G2aOXStCh nVSHmsvGVstb9+1eN+v1Vg0Apt0Q6EnwDxjAgZX7RcQ+JNgJRwGyv9dEZykHS0iU9qcw pXO4PM0iVv4SMVKjg9qy0qrr0bvltbuFLMgako+Cpo7AThXG9pXFhoOJRjOIeEylqeUp u3CQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=aazvXbFY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a1-v6si10921122pls.523.2018.05.14.22.34.29; Mon, 14 May 2018 22:34:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=aazvXbFY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752272AbeEOFeM (ORCPT + 99 others); Tue, 15 May 2018 01:34:12 -0400 Received: from mail-pg0-f46.google.com ([74.125.83.46]:36787 "EHLO mail-pg0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752241AbeEOFeK (ORCPT ); Tue, 15 May 2018 01:34:10 -0400 Received: by mail-pg0-f46.google.com with SMTP id z70-v6so6488173pgz.3 for ; Mon, 14 May 2018 22:34:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3CfI4YXq+ii/8C6PC9fecwaKXMCOQk6AGhgEll4CXis=; b=aazvXbFYttCQtlxTVrXh2UpHZswsfa4BLi97EiPaJpMdDBe15d2fsF3FJ1T4bDTrIZ eHqWVHiNOujNdnCEUxtys+LzUwNxNKOJcywM1OYpPq4l6Tdqms8u9Uoj5S8UIIW7BjnA miOHvdHEfbLGh5eCjfcun6r8lQlB01A8wE7qk5pVP+Tcu4Ivy/dR9z3dFcgdGMn9kyFF 1OEkgSyHNSZePFlp0DrH22lZdJc6D7AlYke6Ol5071ntmmKPEaRciOaUq9DB++nuJDwH mUD5E52PG3ijkMTIzYX/cDZEV3KbBQDeAe9Vch5BMzZUEE32sP0tYeCjoirMsqx1HOZQ Wvig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3CfI4YXq+ii/8C6PC9fecwaKXMCOQk6AGhgEll4CXis=; b=EXt6RTXPTW3I3YNQ2G+WOclGHAR4JJFBGqhOZDB0BsAwxhXTRCXn81+0bEdUftwfXU KlBBbrhvHh/a1yFWh1weowkV27e9GGOistbkP0mag40KQFsTOeZXNc5sCZvDrviVKzVO cZzW4CTC+yb2iv+KMCzeCsgFBZbCuNgivOKbShu26V6dxCD2vcpObZgSLFzFoHtiXZlB ZeIotT/TpW4msbuz8jCC19+wXvSnfLmS/D/ogeL7+BdFHiUkBus/f07YnGa5VvOZj2af CLEmlFaKi1wawxpYK1ipvsW9hnJd/wpzOVRY8hvBXEiISdU+CF/UPbnuMvbXzoop/Fhu +M1A== X-Gm-Message-State: ALKqPwc1ILBlFIqSR/d9lBoptXZTQYibjOLgdo36xBws/pTUgw1ZJ+S7 dl1PR4kuqprSu8Ovqw5VH2BCn8EWjpfG4hWVvis78Q== X-Received: by 2002:a62:d352:: with SMTP id q79-v6mr13681905pfg.45.1526362449295; Mon, 14 May 2018 22:34:09 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a17:90a:d01:0:0:0:0 with HTTP; Mon, 14 May 2018 22:33:48 -0700 (PDT) In-Reply-To: <20180514172508.GC252575@gmail.com> References: <20180514030007.GH677@sol.localdomain> <20180514030205.GI677@sol.localdomain> <20180514172508.GC252575@gmail.com> From: Dmitry Vyukov Date: Tue, 15 May 2018 07:33:48 +0200 Message-ID: Subject: Re: CONFIG_KCOV causing crash in svm_vcpu_run() To: Eric Biggers Cc: KVM list , karahmed@amazon.de, "the arch/x86 maintainers" , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 14, 2018 at 7:25 PM, Eric Biggers wrote: > On Mon, May 14, 2018 at 07:14:41AM +0200, Dmitry Vyukov wrote: >> On Mon, May 14, 2018 at 5:02 AM, Eric Biggers wrote: >> > Sorry, messed up address for KVM mailing list. See message below. >> > >> > On Sun, May 13, 2018 at 08:00:07PM -0700, Eric Biggers wrote: >> >> With CONFIG_KCOV=y and an AMD processor, running the following program crashes >> >> the kernel with no output (I'm testing in a VM, so it's using nested >> >> virtualization): >> >> >> >> #include >> >> #include >> >> #include >> >> >> >> int main() >> >> { >> >> int dev, vm, cpu; >> >> char page[4096] __attribute__((aligned(4096))) = { 0 }; >> >> struct kvm_userspace_memory_region memreg = { >> >> .memory_size = 4096, >> >> .userspace_addr = (unsigned long)page, >> >> }; >> >> dev = open("/dev/kvm", O_RDONLY); >> >> vm = ioctl(dev, KVM_CREATE_VM, 0); >> >> cpu = ioctl(vm, KVM_CREATE_VCPU, 0); >> >> ioctl(vm, KVM_SET_USER_MEMORY_REGION, &memreg); >> >> ioctl(cpu, KVM_RUN, 0); >> >> } >> >> >> >> It bisects down to commit b2ac58f90540e39 ("KVM/SVM: Allow direct access to >> >> MSR_IA32_SPEC_CTRL"). The bug is apparently that due to the new code for >> >> managing the SPEC_CTRL MSR, __sanitizer_cov_trace_pc() is being called from >> >> svm_vcpu_run() before the host's MSR_GS_BASE has been restored, which causes a >> >> crash somehow. The following patch fixes it, though I don't know that it's the >> >> right solution; maybe KCOV should be disabled in the function instead, or maybe >> >> there's a more fundamental problem. What do people think? >> >> >> If __sanitizer_cov_trace_pc() crashes, I would expect there must be >> few more of them here: >> >> if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) >> svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); >> >> if (svm->spec_ctrl) >> native_wrmsrl(MSR_IA32_SPEC_CTRL, 0); >> >> Compiler inserts these callbacks into every basic block/edge.. Aren't there? >> >> Unfortunately we don't have an attribute that disables instrumentation >> of a single function. This is currently possible only on file level. >> > > Yes, due to the code dealing with MSR_IA32_SPEC_CTRL, there were several calls > to __sanitizer_cov_trace_pc() before the write to MSR_GS_BASE. The patch I > tested moves the write to MSR_GS_BASE to before all of them, so it's once again > the first thing after the asm block. Again I'm not sure it's the proper > solution, but it did make it stop crashing. From KCOV perspective: This is definitely the simplest and less intrusive solution. It's somewhat unreliable. But it's hard to tell if/when it will actually break in practice. Compiler can decide to insert the callback after asm block, or a branch can be added to wrmsrl (e.g. under some debug config). More reliable solution would be to restore registers in asm block itself, or move this to a separate file and disable instrumentation of that file (though, will not save from non-inlined wrmsrl). But again, the proposed solution may work well for the next 10 years, so additional complexity may not worth it. Btw, I don't see anything about fs/gs in vmx_vcpu_run. Is it VMLAUNCH that saves/restores them?