From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Wanpeng Li", "David Hildenbrand", "Radim Krčmář", "Dmitry Vyukov", "Paolo Bonzini"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Message-ID:
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 339/366] KVM: x86: fix escape of guest dr6 to the host
In-Reply-To:
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li

commit efdab992813fb2ed825745625b83c05032e9cda2 upstream.

syzkaller reported:

 WARNING: CPU: 0 PID: 12927 at arch/x86/kernel/traps.c:780 do_debug+0x222/0x250
 CPU: 0 PID: 12927 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #16
 RIP: 0010:do_debug+0x222/0x250
 Call Trace:
  <#DB>
  debug+0x3e/0x70
 RIP: 0010:copy_user_enhanced_fast_string+0x10/0x20
  _copy_from_user+0x5b/0x90
  SyS_timer_create+0x33/0x80
  entry_SYSCALL_64_fastpath+0x23/0x9a

The testcase sets a watchpoint (with perf_event_open) on a buffer that is
passed to timer_create() as the struct sigevent argument.  In timer_create(),
copy_from_user()'s rep movsb triggers the BP.  The testcase also sets the
debug registers for the guest.

However, KVM only restores host debug registers when the host has active
watchpoints, which triggers a race condition when running the testcase with
multiple threads.  The guest's DR6.BS bit can escape to the host before
another thread invokes timer_create(), and do_debug() complains.

The fix is to respect do_debug()'s dr6 invariant when leaving KVM.

Reported-by: Dmitry Vyukov
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: David Hildenbrand
Cc: Dmitry Vyukov
Reviewed-by: David Hildenbrand
Signed-off-by: Wanpeng Li
Signed-off-by: Paolo Bonzini Signed-off-by: Radim Krčmář [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- arch/x86/kvm/x86.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2892,6 +2892,12 @@ void kvm_arch_vcpu_put(struct kvm_vcpu * kvm_x86_ops->vcpu_put(vcpu); kvm_put_guest_fpu(vcpu); vcpu->arch.last_host_tsc = native_read_tsc(); + /* + * If userspace has set any breakpoints or watchpoints, dr6 is restored + * on every vmexit, but if not, we might have a stale dr6 from the + * guest. do_debug expects dr6 to be cleared after it runs, do the same. + */ + set_debugreg(0, 6); } static int kvm_vcpu_ioctl_get_lapic(struct kvm_vcpu *vcpu,
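Review bot: The clear in this hunk only runs from kvm_arch_vcpu_put(), i.e. on preemption or when the vCPU ioctl returns, so a host #DB taken on the same CPU between the vmexit and the next vcpu_put still sees the guest's DR6 bits when the host has no active breakpoints; it would help to state in the commit message (or in the new comment after "dr6 is restored on every vmexit") that this narrower window is accepted, or to say why the syzkaller race cannot hit it. Also worth a sentence: `set_debugreg(0, 6);` is unconditional, so when the host does have breakpoints and DR6 was already restored at vmexit the write is redundant but harmless, and clearing to 0 matches the "cleared after do_debug runs" invariant the comment cites rather than restoring any saved host value.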