Date: Tue, 22 May 2018 14:56:59 -0700
From: Eric Biggers
To: Dmitry Vyukov
Cc: KVM list, karahmed@amazon.de, the arch/x86 maintainers, LKML, Thomas Gleixner, Borislav Petkov, Konrad Rzeszutek Wilk
Subject: Re: CONFIG_KCOV causing crash in svm_vcpu_run()
Message-ID: <20180522215659.GA658@sol.localdomain>
References: <20180514030007.GH677@sol.localdomain> <20180514030205.GI677@sol.localdomain> <20180514172508.GC252575@gmail.com>
In-Reply-To: <20180514172508.GC252575@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 14, 2018 at 10:25:08AM -0700, Eric Biggers wrote:
> On Mon, May 14, 2018 at 07:14:41AM +0200, Dmitry Vyukov wrote:
> > On Mon, May 14, 2018 at 5:02 AM, Eric Biggers wrote:
> > > Sorry, messed up address for KVM mailing list. See message below.
> > >
> > > On Sun, May 13, 2018 at 08:00:07PM -0700, Eric Biggers wrote:
> > >> With CONFIG_KCOV=y and an AMD processor, running the following program crashes
> > >> the kernel with no output (I'm testing in a VM, so it's using nested
> > >> virtualization):
> > >>
> > >> #include <fcntl.h>
> > >> #include <linux/kvm.h>
> > >> #include <sys/ioctl.h>
> > >>
> > >> int main()
> > >> {
> > >> 	int dev, vm, cpu;
> > >> 	/* one zeroed, page-aligned page used as the guest's only memory */
> > >> 	char page[4096] __attribute__((aligned(4096))) = { 0 };
> > >> 	struct kvm_userspace_memory_region memreg = {
> > >> 		.memory_size = 4096,
> > >> 		.userspace_addr = (unsigned long)page,
> > >> 	};
> > >>
> > >> 	dev = open("/dev/kvm", O_RDONLY);
> > >> 	vm = ioctl(dev, KVM_CREATE_VM, 0);
> > >> 	cpu = ioctl(vm, KVM_CREATE_VCPU, 0);
> > >> 	ioctl(vm, KVM_SET_USER_MEMORY_REGION, &memreg);
> > >> 	/* first guest entry; the crash happens on the way back out */
> > >> 	ioctl(cpu, KVM_RUN, 0);
> > >> }
> > >>
> > >> It bisects down to commit b2ac58f90540e39 ("KVM/SVM: Allow direct access to
> > >> MSR_IA32_SPEC_CTRL"). The bug is apparently that due to the new code for
> > >> managing the SPEC_CTRL MSR, __sanitizer_cov_trace_pc() is being called from
> > >> svm_vcpu_run() before the host's MSR_GS_BASE has been restored, which causes a
> > >> crash somehow. The following patch fixes it, though I don't know that it's the
> > >> right solution; maybe KCOV should be disabled in the function instead, or maybe
> > >> there's a more fundamental problem. What do people think?
> > >
> >
> > If __sanitizer_cov_trace_pc() crashes, I would expect there must be a
> > few more of them here:
> >
> > 	if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
> > 		svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
> >
> > 	if (svm->spec_ctrl)
> > 		native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
> >
> > The compiler inserts these callbacks into every basic block/edge. Aren't there?
> >
> > Unfortunately we don't have an attribute that disables instrumentation
> > of a single function. This is currently possible only on file level.
> >
>
> Yes, due to the code dealing with MSR_IA32_SPEC_CTRL, there were several calls
> to __sanitizer_cov_trace_pc() before the write to MSR_GS_BASE. The patch I
> tested moves the write to MSR_GS_BASE to before all of them, so it's once again
> the first thing after the asm block. Again I'm not sure it's the proper
> solution, but it did make it stop crashing.
>
> Also I'm guessing this isn't specific to nested virtualization; I just didn't
> have KCOV enabled on the host, thus the host didn't crash.
>

Okay, this was (apparently coincidentally) fixed by commit 15e6c22fd8e5a:
"KVM: SVM: Move spec control call after restore of GS". Thanks Thomas!

- Eric
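As an added example, not code from this thread or from the kernel tree, here is a small audit script for the ordering problem discussed above: it scans an objdump-style listing of svm_vcpu_run() and reports every __sanitizer_cov_trace_pc call that executes after #VMEXIT but before the wrmsr that restores the host MSR_GS_BASE. Both listings are constructed and heavily abridged; the MSR being written is recovered from the immediate last moved into %ecx.

```python
import re
# Constructed, abridged objdump-style listings of the tail of svm_vcpu_run()
# (not real kernel output). BUGGY has the ordering from the thread: the
# SPEC_CTRL branches, and the KCOV callbacks around them, run before the
# host MSR_GS_BASE (0xc0000101) is written back; FIXED writes it first.
BUGGY_LISTING = """
ffffffff81040100:  0f 01 d8                vmrun
ffffffff81040103:  e8 f8 0f 10 00          call   ffffffff81141100 <__sanitizer_cov_trace_pc>
ffffffff81040108:  48 85 c0                test   %rax,%rax
ffffffff8104010b:  74 0a                   je     ffffffff81040117 <svm_vcpu_run+0x117>
ffffffff8104010d:  e8 ee 0f 10 00          call   ffffffff81141100 <__sanitizer_cov_trace_pc>
ffffffff81040112:  b9 48 00 00 00          mov    $0x48,%ecx
ffffffff81040117:  e8 e4 0f 10 00          call   ffffffff81141100 <__sanitizer_cov_trace_pc>
ffffffff8104011c:  b9 01 01 00 c0          mov    $0xc0000101,%ecx
ffffffff81040121:  0f 30                   wrmsr
"""
FIXED_LISTING = """
ffffffff81040100:  0f 01 d8                vmrun
ffffffff81040103:  b9 01 01 00 c0          mov    $0xc0000101,%ecx
ffffffff81040108:  0f 30                   wrmsr
ffffffff8104010a:  e8 f1 0f 10 00          call   ffffffff81141100 <__sanitizer_cov_trace_pc>
"""
MSR_GS_BASE = 0xC0000101
INSN_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(?P<mnem>\S+)(?:\s+(?P<ops>.*))?$")

def kcov_calls_before_gs_restore(listing):
    """Addresses of __sanitizer_cov_trace_pc calls that run after vmrun returns
    but before the wrmsr restoring host MSR_GS_BASE, i.e. with guest GS loaded."""
    after_vmexit = False
    ecx = None          # last immediate moved into %ecx (the MSR number)
    hits = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m["addr"], 16), m["mnem"], m["ops"] or ""
        if mnem == "vmrun":
            after_vmexit = True
        elif not after_vmexit:
            continue
        elif mnem == "mov" and ops.startswith("$0x") and ops.endswith(",%ecx"):
            ecx = int(ops[1:].split(",")[0], 16)
        elif mnem == "wrmsr" and ecx == MSR_GS_BASE:
            break           # host GS base restored: the unsafe window is closed
        elif mnem == "call" and "<__sanitizer_cov_trace_pc>" in ops:
            hits.append(addr)
    return hits
```

Run against a real `objdump -d arch/x86/kvm/svm.o` (or vmlinux) listing, an empty result for svm_vcpu_run() is what a KCOV-enabled build should show.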