Date: Mon, 27 Jul 2020 08:46:54 -0700
From: Sean Christopherson
To: Paolo Bonzini
Cc: Vitaly Kuznetsov, kvm@vger.kernel.org, Wanpeng Li, Jim Mattson, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KVM: nVMX: properly pad struct kvm_vmx_nested_state_hdr
Message-ID: <20200727154654.GA8675@linux.intel.com>
References: <20200713082824.1728868-1-vkuznets@redhat.com>
 <20200713151750.GA29901@linux.intel.com>
 <878sfntnoz.fsf@vitty.brq.redhat.com>
 <85fd54ff-01f5-0f1f-1bb7-922c740a37c1@redhat.com>
In-Reply-To: <85fd54ff-01f5-0f1f-1bb7-922c740a37c1@redhat.com>

On Mon, Jul 27, 2020 at 01:43:34PM +0200, Paolo Bonzini wrote:
> On 13/07/20 17:54, Vitaly Kuznetsov wrote:
> > Which means that userspace built for the old kernel will potentially send in
> > garbage for the new 'flags' field due to it being uninitialized stack data,
> > even with the layout after this patch.
>
> It might as well send it now if the code didn't attempt to zero the
> struct before filling it in (this is another good reason to use a
> "flags" field to say what's been filled in).

The issue is that 'flags' itself could hold garbage.

https://lkml.kernel.org/r/20200713151750.GA29901@linux.intel.com

> I don't think special
> casing padding is particularly useful; C11 for example requires
> designated initializers to fill padding with zero bits[1] and even
> before it's always been considered good behavior to use memset.
>
> Paolo
>
> [1] It says: "If an object that has static or thread storage duration
> is not initialized explicitly, then [...] any padding is initialized to
> zero bits" static and per-thread storage is unlikely to be relevant,
> and even for non-static objects, "If there are fewer
> initializers in a brace-enclosed list than there are elements or members
> of an aggregate [...] the remainder of the aggregate shall be
> initialized implicitly the same as objects that have static storage
> duration".

That's specifically talking about members, not unused/padded space, e.g.
smm.flags (in the old struct) must be zeroed with this, but it doesn't say
anything about initializing padding.

  struct kvm_vmx_nested_state_hdr hdr = {
          .vmxon_pa = root,
          .vmcs12_pa = vmcs12,
  };

QEMU won't see issues because it zero-allocates the entire nested state.

All the above being said, after looking at the whole picture I think padding
the header is a moot point.  The header is padded out to 120 bytes[*] when
included in the full nested state, and KVM only ever consumes the header in
the context of the full nested state.  I.e. if there's garbage at offset 6,
odds are there's going to be garbage at offset 18, so internally padding the
header does nothing.

KVM should be checking that the unused bytes, i.e. the trailing
(sizeof(pad) - sizeof(vmx/svm)) bytes, are zero if we want to expand into
the padding in the future.  Right now we're relying on userspace to
zero-allocate the struct without enforcing it.

[*] Amusing side note, the comment in the header is wrong.  It states "pad
the header to 128 bytes", but only pads it to 120 bytes, because union.

/* for KVM_CAP_NESTED_STATE */
struct kvm_nested_state {
	__u16 flags;
	__u16 format;
	__u32 size;

	union {
		struct kvm_vmx_nested_state_hdr vmx;
		struct kvm_svm_nested_state_hdr svm;

		/* Pad the header to 128 bytes. */
		__u8 pad[120];
	} hdr;

	/*
	 * Define data region as 0 bytes to preserve backwards-compatability
	 * to old definition of kvm_nested_state in order to avoid changing
	 * KVM_{GET,PUT}_NESTED_STATE ioctl values.
	 */
	union {
		struct kvm_vmx_nested_state_data vmx[0];
		struct kvm_svm_nested_state_data svm[0];
	} data;
};

Odds are no real VMM will have an issue given the dynamic size of struct
kvm_nested_state, but