Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp410759ybg; Tue, 28 Jul 2020 09:00:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzXHvqB0V0FpOIAvoV4UQvoRqYcxV3LrMJGehQWWBfu8Oq2ruExy5b/hmdSwf3cH0rN+cWC X-Received: by 2002:a17:907:94c9:: with SMTP id dn9mr25497210ejc.355.1595952043214; Tue, 28 Jul 2020 09:00:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595952043; cv=none; d=google.com; s=arc-20160816; b=xmR7T3pILYLIZK3hjwtik/0TNhS5n3ZVZKEbnFIFCKtCTX9dR/abG1bC20CbwB4UMv ysCZgYdEo7mI8HEW5c0mN0O1wxF5XxXpQ1k2MwvB6qPh/JD6+vPAQ1RGh3OApK9fmXVH NwM2qOiIU3JGqWAB5XoRQ2ZI2+Ij/u+0EwmjgZTa9afJYdI4KOAWsLr0pPf1/7HWcNTP qj9xaBmkGu7B+3FurhAf0k30CpOe4IEoC3GEs53f6f302P1VAjbamHlv2i9o7s6Y4fl3 yQ/yxiXcbHMxdzKjGIy//b6MnOzYdLfXwvMYpQx0SI7EasyFO20BmKPGyIAqgIxjOiiY Y66w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:ironport-sdr:ironport-sdr; bh=wOLoXCIdwLrMuBn3lUEVIACMx5Go6nEQqDTA59+uNgI=; b=hFZ1eRJgWGPXSw/lCTPXFrILMS79hfVwQvXJF5jpxDlPdbkOQ8i0T+ZrXBunVbvT9h huXusU9qaEdnyGFOwPXpu6pzV0VkJkbCWC0p3bBRMrAl2YaYufYiBzXFaa3c/8UFcb3b FJyDq50+UG0vrxhTSkrF1TOk5AFnRhGx48UUtIGwCItL4EvqgfWdOVlvxn+Ms9mihmQ0 61Koez+qcLboDX85OeDOoGLozxj0jTLmLxQYPgPM0j+oj00dkSXRh7CWpMjmVCR5N6nf MfscuNN5/lhwOuIhle4hVw3LF/PHlhtabbkIUaDm/6ShAQVHr33jRmeEjqEJg31o+JDX EpDQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d8si3146508edl.399.2020.07.28.09.00.20; Tue, 28 Jul 2020 09:00:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731187AbgG1P7X (ORCPT + 99 others); Tue, 28 Jul 2020 11:59:23 -0400 Received: from mga09.intel.com ([134.134.136.24]:30043 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730679AbgG1P7X (ORCPT ); Tue, 28 Jul 2020 11:59:23 -0400 IronPort-SDR: hb9ddBj5c99+NOMi7xoavry0r6zdXsv74jEwqQAwAx8TVZqIKDjZD0IwlAvU/d2/1Eg94AOA8S aFHRO70BRCxA== X-IronPort-AV: E=McAfee;i="6000,8403,9695"; a="152492565" X-IronPort-AV: E=Sophos;i="5.75,406,1589266800"; d="scan'208";a="152492565" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Jul 2020 08:59:22 -0700 IronPort-SDR: 3+avlv1CfLZM+1dJZ3q9UKyBJRhsBI18RcjkFTL8a/m36xIVEZe9AmnmWnbnm7aeGNQlWYS5cG utYz7RovAyIA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,406,1589266800"; d="scan'208";a="490410915" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.152]) by fmsmga005.fm.intel.com with ESMTP; 28 Jul 2020 08:59:21 -0700 Date: Tue, 28 Jul 2020 08:59:21 -0700 From: Sean Christopherson To: Paolo Bonzini Cc: Vitaly Kuznetsov , kvm@vger.kernel.org, Wanpeng Li , Jim Mattson , linux-kernel@vger.kernel.org Subject: Re: [PATCH] KVM: nVMX: properly pad struct kvm_vmx_nested_state_hdr Message-ID: <20200728155921.GC5300@linux.intel.com> References: <20200713082824.1728868-1-vkuznets@redhat.com> <20200713151750.GA29901@linux.intel.com> <878sfntnoz.fsf@vitty.brq.redhat.com> <85fd54ff-01f5-0f1f-1bb7-922c740a37c1@redhat.com> <20200727154654.GA8675@linux.intel.com> <5d50ea1e-f2a2-8aa9-1dd3-4cbca6c6f885@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5d50ea1e-f2a2-8aa9-1dd3-4cbca6c6f885@redhat.com> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 27, 2020 at 06:16:56PM +0200, Paolo Bonzini wrote: > On 27/07/20 17:46, Sean Christopherson wrote: > > All the above being said, after looking at the whole picture I think padding > > the header is a moot point. The header is padded out to 120 bytes[*] when > > including in the full nested state, and KVM only ever consumes the header in > > the context of the full nested state. I.e. if there's garbage at offset 6, > > odds are there's going to be garbage at offset 18, so internally padding the > > header does nothing. > > Yes, that was what I was hinting at with "it might as well send it now" > (i.e., after the patch). > > (All of this is moot for userspace that just uses KVM_GET_NESTED_STATE > and passes it back to KVM_SET_NESTED_STATE). > > > KVM should be checking that the unused bytes of (sizeof(pad) - sizeof(vmx/svm)) > > is zero if we want to expand into the padding in the future. Right now we're > > relying on userspace to zero allocate the struct without enforcing it. > > The alternative, which is almost as good, is to only use these extra > fields which could be garbage if the flags are not set, and check the > flags (see the patches I have sent earlier today). > > The chance of the flags passing the check will decrease over time as > more flags are added; but the chance of having buggy userspace that > sends down garbage also will. Ah, I see what you're saying. Ya, that makes sense. > > [*] Amusing side note, the comment in the header is wrong. It states "pad > > the header to 128 bytes", but only pads it to 120 bytes, because union. > > > > /* for KVM_CAP_NESTED_STATE */ > > struct kvm_nested_state { > > __u16 flags; > > __u16 format; > > __u32 size; > > > > union { > > struct kvm_vmx_nested_state_hdr vmx; > > struct kvm_svm_nested_state_hdr svm; > > > > /* Pad the header to 128 bytes. */ > > __u8 pad[120]; > > } hdr; > > There are 8 bytes before the union, and it's not a coincidence. :) > "Header" refers to the stuff before the data region. Ugh, then 'hdr' probably should be named vendor_header or something.