Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp2801202ybf; Mon, 2 Mar 2020 16:04:03 -0800 (PST) X-Google-Smtp-Source: ADFU+vv+535CLLgxH7dgsefrfESV16wvwVS4A4TfIRR6zGyLOPDWBOO5Wa4afyeuETWJJyc97bbJ X-Received: by 2002:a9d:69ce:: with SMTP id v14mr1391215oto.248.1583193843815; Mon, 02 Mar 2020 16:04:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583193843; cv=none; d=google.com; s=arc-20160816; b=AI18v7y42K5BywYxaO+38MdMyjSWX3A8VwJKMblss3HouYioLycxxdJHWLIqzIfZoV BTNkw1A0EAziPmO6wsoxOoC7LwFvg39FOclbZaq1AAgr7a1iBJ2BYo0QbMWt/KCb8Qkn g82MeMztD3VgnSLea2gM/Bxl/je364mBukNlpThjN0IjULlVKkdCQQfHTSr4zOExJZKN L3F3vttZnAQfd2tWh4Wr+h1oyoZht/rL7uMO3Tg0ZxPdy4GB/LQbbSl/PlXuq7TC1psS kcn3FVcC9U6yHLgbkGb0zyDq7Q5e1PyocCFAV2NoEXeZNSSye6FDfBANHLFaljCX7QP4 fgIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=08i5eosg2Nrjg2Zr/0d8yw8zMj63O5OI9ah6lXy1vHs=; b=HwrTQ4KzoQnBGTDCv1/yLXp73z+IvAw8D/u+xJiGOJCSIn54tRe8r7OfcH8r/9+/5L xJYE/RtPnv1982ckO4yDKmsIuhb12IN3dG5pib1IENaNYpsu0iP0hptt9xcgzRWDnwUI dUyhacCzN14rSgOdiB51jVNQnDy2f1qBiLnXOMHAncUmkyx7/y/3KXS4QUQiwoG4iFKG 1G/f45ni2CqQmCpeS1fbeGYs3KbuPFBs7Jnjv++Uu7fdFQ+JhS55tgwM69ly2KZoXZ4b 8n3LcspMrkdFKmxAWNWoSQQJRJiiuLHmGr5LjuGkqvS9SJFBOZd9MnaAo2Q2RzayBjEl LL1w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v14si7343149oto.127.2020.03.02.16.03.50; Mon, 02 Mar 2020 16:04:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727879AbgCCADC (ORCPT + 99 others); Mon, 2 Mar 2020 19:03:02 -0500 Received: from mga17.intel.com ([192.55.52.151]:37735 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726793AbgCBX5W (ORCPT ); Mon, 2 Mar 2020 18:57:22 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Mar 2020 15:57:21 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,509,1574150400"; d="scan'208";a="243384625" Received: from sjchrist-coffee.jf.intel.com ([10.54.74.202]) by orsmga006.jf.intel.com with ESMTP; 02 Mar 2020 15:57:21 -0800 From: Sean Christopherson To: Paolo Bonzini Cc: Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Xiaoyao Li Subject: [PATCH v2 01/66] KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries Date: Mon, 2 Mar 2020 15:56:04 -0800 Message-Id: <20200302235709.27467-2-sean.j.christopherson@intel.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200302235709.27467-1-sean.j.christopherson@intel.com> References: <20200302235709.27467-1-sean.j.christopherson@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix a long-standing bug that causes KVM to return 0 instead of -E2BIG when userspace's array is insufficiently sized. This technically breaks backwards compatibility, e.g. a userspace with a hardcoded cpuid->nent could theoretically be broken as it would see an error instead of success if cpuid->nent is less than the number of entries required to fully enumerate the host CPU. But, the lowest known cpuid->nent hardcoded by a VMM is 100 (lkvm and selftests), and the largest realistic limit on Intel and AMD is well under a 100. E.g. Intel's Icelake server with all the bells and whistles tops out at ~60 entries (variable due to SGX sub-leafs), and AMD's CPUID documentation allows for less than 50 (KVM hard caps CPUID 0xD at a single sub-leaf). Note, while the Fixes: tag is accurate with respect to the immediate bug, it's likely that similar bugs in KVM_GET_SUPPORTED_CPUID existed prior to the refactoring, e.g. Qemu contains a workaround for the broken KVM_GET_SUPPORTED_CPUID behavior that predates the buggy commit by over two years. The Qemu workaround is also likely the main reason the bug has gone unreported for so long. Qemu hack: commit 76ae317f7c16aec6b469604b1764094870a75470 Author: Mark McLoughlin Date: Tue May 19 18:55:21 2009 +0100 kvm: work around supported cpuid ioctl() brokenness KVM_GET_SUPPORTED_CPUID has been known to fail to return -E2BIG when it runs out of entries. Detect this by always trying again with a bigger table if the ioctl() fills the table. Fixes: 831bf664e9c1f ("KVM: Refactor and simplify kvm_dev_ioctl_get_supported_cpuid") Reviewed-by: Vitaly Kuznetsov Signed-off-by: Sean Christopherson --- arch/x86/kvm/cpuid.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index b1c469446b07..47ce04762c20 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -908,9 +908,14 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid, goto out_free; limit = cpuid_entries[nent - 1].eax; - for (func = ent->func + 1; func <= limit && nent < cpuid->nent && r == 0; ++func) + for (func = ent->func + 1; func <= limit && r == 0; ++func) { + if (nent >= cpuid->nent) { + r = -E2BIG; + goto out_free; + } r = do_cpuid_func(&cpuid_entries[nent], func, &nent, cpuid->nent, type); + } if (r) goto out_free; -- 2.24.1