That seems like a convoluted path to produce an illegal RFLAGS value.
What's to prevent syzkaller from simply clearing bit 1 of RFLAGS with
the KVM_SET_REGS ioctl?
On Mon, Nov 20, 2017 at 4:34 PM, Wanpeng Li <kernellwp@xxxxxxxxx> wrote:
> 2017-11-21 7:09 GMT+08:00 Paolo Bonzini <pbonzini@xxxxxxxxxx>:
>> On 20/11/2017 23:52, Wanpeng Li wrote:
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index b348920..131fa1c 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -5590,6 +5590,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
>>> vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
>>> }
>>>
>>> + kvm_set_rflags(vcpu, 2);
>>> vmcs_writel(GUEST_RFLAGS, 0x02);
>>
>> I think the vmcs_writel can go, kvm_set_rflags ends up calling
>> vmx_set_rflags.
>
> Agreed.
>
>>
>>> kvm_rip_write(vcpu, 0xfff0);
>>>
>>>
>>
>> Beautified testcase:
>>
>> #include <unistd.h>
>> #include <sys/syscall.h>
>> #include <string.h>
>> #include <stdint.h>
>> #include <linux/kvm.h>
>> #include <fcntl.h>
>> #include <sys/ioctl.h>
>>
>> long r[5];
>> int main()
>> {
>> struct kvm_debugregs dr = { 0 };
>>
>> r[2] = open("/dev/kvm", O_RDONLY);
>> r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
>> r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
>> struct kvm_guest_debug debug = {
>> .control = 0xf0403,
>> .arch = {
>> .debugreg[6] = 0x2,
>> .debugreg[7] = 0x2
>> }
>> };
>> ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
>> ioctl(r[4], KVM_RUN, 0);
>> }
>>
>> No need to do anything, I'll handle this patch after -rc1.
>
> Thanks for that. :)
>
> Regards,
> Wanpeng Li
