[PATCH v2 3/6] KVM: x86: Manually check DR4/5 write values to fix SVM intercept priority

Next message: Askar Safin: "Re: [PATCH 0/3] vmsplice: make vmsplice a trivial wrapper for preadv2/pwritev2"
Previous message: Sean Christopherson: "[PATCH v2 1/6] KVM: x86: Treat any non-zero return from set_dr() as a faulting condition"
In reply to: Sean Christopherson: "[PATCH v2 1/6] KVM: x86: Treat any non-zero return from set_dr() as a faulting condition"
Next in thread: Sean Christopherson: "[PATCH v2 2/6] KVM: x86: Prioritize DR7.GD #DB over #GP due to illegal DR6/7 value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sean Christopherson

Date: Wed Jun 03 2026 - 19:08:46 EST

Manually (pre)check the values being written to DR4/5, i.e. the DR6/DR7
aliases, instead of relying on ->set_dr() => kvm_set_dr() to signal a #GP.
SVM unfortunately prioritizes all exceptions over an instruction intercept,
i.e. nSVM is relying on the emulator to perform *all* exception checks
prior to attempting to execute the instruction.

Fixes: 3b88e41a4134 ("KVM: SVM: Add intercept check for accessing dr registers")
Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx>
---
arch/x86/kvm/emulate.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 4484c5fa19e3..a1bccab0eefe 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3853,15 +3853,23 @@ static int check_dr_read(struct x86_emulate_ctxt *ctxt)
static int check_dr_write(struct x86_emulate_ctxt *ctxt)
{
u64 new_val = ctxt->src.val64;
- int dr = ctxt->modrm_reg;
int rc;

rc = check_dr_read(ctxt);
if (rc != X86EMUL_CONTINUE)
return rc;

- if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
- return emulate_gp(ctxt, 0);
+ switch (ctxt->modrm_reg) {
+ case 4:
+ case 5:
+ case 6:
+ case 7:
+ if (new_val & 0xffffffff00000000ULL)
+ return emulate_gp(ctxt, 0);
+ break;
+ default:
+ break;
+ }

return X86EMUL_CONTINUE;
}
--
2.54.0.1032.g2f8565e1d1-goog