Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2602486ybf; Mon, 2 Mar 2020 11:59:42 -0800 (PST) X-Google-Smtp-Source: ADFU+vsvJRqzqAvFvOVwHfPikaT1sYUw1gsPX2JJKMpRk0UPZwDn1W7Hy7EGdYbJdIft0fl/z/mU X-Received: by 2002:aca:4ed7:: with SMTP id c206mr45998oib.161.1583179182647; Mon, 02 Mar 2020 11:59:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583179182; cv=none; d=google.com; s=arc-20160816; b=F7EWKiaO7f0cNnFA4khUMfj7ZlGL5ySGgnW7S1d7MstCtzJU+kcCSXihyV2pZXpvxB 3Bt91m016GNBrF1e3UbYK0SK0m/Wl6gV5MNM3ywyD3f9cFIFnwmX5v6nitwpQGApjhZr voMZVPFlKgRQwS+IgUWohi+eoRqwERfdQnNJiobkOiPPwm+WMCm5aiz40IY6K6wA8WIY A7xrYhW1LIKJp6NFfwmTQ2hGtFbxcyvL6dNSRV0gOPlQ25sA1YI//iK5XXzgLvOxVycI 4nt6qBQnYv2mTOX01csi/yYdd9Nk2MLiljwNLsUxJE8vaS0eML2ksb3lDNrPWfoe5ikg 3SIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=IcGuEcun1zm85mXqxe6xEhU3a15k/XY6Nw+GadHI6NE=; b=QDwjn+N9IuWV5e0F+QGVuhK6V7Z3fuBmTmb9QBHIeNm5s/pkvbYeDbcYXEcNYsuhkA YCdfqAjPoPoj4IoGoJhm0xwI4KbXPTDAbLu9K2b0QzT7KolAN0DIaw1HxgKG6fqQDDJ9 4JV7dPd6G9MdVOJWsv6O3AsUYqTkSU+2zmg/swLbBXg2I84cz81afKqIfh5Xl7oyy216 vcJ6MkFUQARZpXOf+Od9umgYuTMxoQnPQDJZY9PqzLUW8rUk5pZh232s4Tp8oqtuJpSM UEBTcWuHr6vAgirZRewgc08Db4Ed8yoPXgTBXanU3Gu3kp1rI1fPig3RanitLH8YKUpw xaDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u15si2305171oic.269.2020.03.02.11.59.30; Mon, 02 Mar 2020 11:59:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727083AbgCBT6C (ORCPT + 99 others); Mon, 2 Mar 2020 14:58:02 -0500 Received: from mga05.intel.com ([192.55.52.43]:30422 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725781AbgCBT5i (ORCPT ); Mon, 2 Mar 2020 14:57:38 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Mar 2020 11:57:38 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,508,1574150400"; d="scan'208";a="438404978" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.202]) by fmsmga005.fm.intel.com with ESMTP; 02 Mar 2020 11:57:37 -0800 From: Sean Christopherson To: Paolo Bonzini Cc: Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Jan Kiszka , Xiaoyao Li Subject: [PATCH 2/6] KVM: x86: Fix CPUID range check for Centaur and Hypervisor ranges Date: Mon, 2 Mar 2020 11:57:32 -0800 Message-Id: <20200302195736.24777-3-sean.j.christopherson@intel.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200302195736.24777-1-sean.j.christopherson@intel.com> References: <20200302195736.24777-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Extend the mask in cpuid_function_in_range() for finding the "class" of the function to 0xfffffff00. While there is no official definition of what constitutes a class, e.g. arguably bits 31:16 should be the class and bits 15:0 the functions within that class, the Hypervisor logic effectively uses bits 31:8 as the class by virtue of checking for different bases in increments of 0x100, e.g. KVM advertises its CPUID functions starting at 0x40000100 when HyperV features are advertised at the default base of 0x40000000. Masking against 0x80000000 only handles basic and extended leafs, which results in Centaur and Hypervisor range checks being performed against the basic CPUID range, e.g. if CPUID.0x40000000.EAX=0x4000000A and there is no entry for CPUID.0x40000006, then function 0x40000006 would be incorrectly reported as out of bounds. The bad range check doesn't cause function problems for any known VMM because out-of-range semantics only come into play if the exact entry isn't found, and VMMs either support a very limited Hypervisor range, e.g. the official KVM range is 0x40000000-0x40000001 (effectively no room for undefined leafs) or explicitly defines gaps to be zero, e.g. Qemu explicitly creates zeroed entries up to the Cenatur and Hypervisor limits (the latter comes into play when providing HyperV features). The bad behavior can be visually confirmed by dumping CPUID output in the guest when running Qemu with a stable TSC, as Qemu extends the limit of range 0x40000000 to 0x40000010 to advertise VMware's cpuid_freq, without defining zeroed entries for 0x40000002 - 0x4000000f. Fixes: 43561123ab37 ("kvm: x86: Improve emulation of CPUID leaves 0BH and 1FH") Cc: Jim Mattson Signed-off-by: Sean Christopherson --- arch/x86/kvm/cpuid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 6be012937eba..c320126e0118 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -993,7 +993,7 @@ static bool cpuid_function_in_range(struct kvm_vcpu *vcpu, u32 function) { struct kvm_cpuid_entry2 *max; - max = kvm_find_cpuid_entry(vcpu, function & 0x80000000, 0); + max = kvm_find_cpuid_entry(vcpu, function & 0xffffff00u, 0); return max && function <= max->eax; } -- 2.24.1