If userspace (QEMU) debug guest, when #DB is raised in guest and intercepted by KVM, KVM forwards information on #DB to userspace instead of injecting #DB to guest. While doing so, KVM don't update vCPU DR6 but instead report the #DB DR6 value to userspace for further handling. See KVM's handle_exception() DB_VECTOR handler. QEMU handler for this case is kvm_handle_debug(). This handler basically checks if #DB is related to one of user set hardware breakpoints and if not, it re-inject #DB into guest. The re-injection is done by setting env->exception_injected to #DB which will later be passed as events.exception.nr to KVM_SET_VCPU_EVENTS ioctl by kvm_put_vcpu_events(). However, in case userspace re-injects #DB, KVM expects userspace to set vCPU DR6 as reported to userspace when #DB was intercepted! Otherwise, KVM_REQ_EVENT handler will inject #DB with wrong DR6 to guest. Fix this issue by updating vCPU DR6 appropriately when re-inject #DB to guest. Reviewed-by: Nikita Leshenko <nikita.leshchenko@xxxxxxxxxx> Reviewed-by: Krish Sadhukhan <krish.sadhukhan@xxxxxxxxxx> Signed-off-by: Liran Alon <liran.alon@xxxxxxxxxx> --- target/i386/kvm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/kvm.c b/target/i386/kvm.c index 738dd91ff3cc..c8fd53055d37 100644 --- a/target/i386/kvm.c +++ b/target/i386/kvm.c @@ -3558,6 +3558,9 @@ static int kvm_handle_debug(X86CPU *cpu, /* pass to guest */ env->exception_injected = arch_info->exception; env->has_error_code = 0; + if (arch_info->exception == EXCP01_DB) { + env->dr[6] = arch_info->dr6; + } } return ret; -- 2.20.1