Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2169499pxb;
        Mon, 18 Jan 2021 10:00:24 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxxeC3Zij5EevfQynOBGis3ADe2IQsXSkbiFo60AnHdi1DDrKsq/etESN+fTw10DiMY9ecb
X-Received: by 2002:a17:906:c254:: with SMTP id bl20mr565201ejb.336.1610992824723;
        Mon, 18 Jan 2021 10:00:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610992824; cv=none;
        d=google.com; s=arc-20160816;
        b=H9WALE/yTFEz63sK+3c6yCmBkn5YsaExQhMzz6/eg+PZ5iC80GQ1B5ZZIKS6cko1TF
         KhiPNP5vLNYsv4tQ6OjV/prq8dkzLoeCWF05he+R0GFJHsASg6Iys6O+3MPpfL8A6M6d
         ZX/zKyYOJhygddHK2LcUo08Ayx/Ef7BoXiMRSiHzJOSqkXky3VWuywDvRUs5vMVM4Y9O
         ci8+ktVUL774cBDIv1m2162FWkWBDSHdJSBrY/577zpJwlchH/SUKXfcgZgsPaDOa3yE
         MSYF4WebrV3qwY/RRw4Z8c7RtMJCb9L8GpB+ivryMIpln0A1P5m+t6KCmzLABszNEIbG
         t/Zg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=hWCFJ1Ui+QPJSU5mbyAyYwW1tEtCr30ZbCpgxh1LYJY=;
        b=xpI+KnhSV4bPqyUroPduTTYi/5AGlDgCy0HnTZ8lw7MMhCVmbVe2zhfVZVmn6pXpj/
         BnCVB0SbYdtgZYA/WeX/PSLKGda3QFRvv0+POa+VSA+h+pj6ARtYAYPPdu2LrZYZmPI8
         l0j+YxSuA4vdjojdrRKDO9KQoy24ka6ls24+kjlmun4/5OgeakGGu4XOoCazGrqkiN4f
         sIdjizyqFIpEJ0OwIHk0ml+ONEN2+tXgDpclYG98jCupcWGctCWOd30PpopaX5Hslv8L
         asZdnhVnJtQKVvapNyYq50kjgrBjJTF0uco/D2ZpMgrpYVvticRQs2U2K3EG9S/bMg39
         3lWg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=M3W2Hajx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n3si3621594ejd.265.2021.01.18.09.59.57;
        Mon, 18 Jan 2021 10:00:24 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=M3W2Hajx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2407337AbhARR5z (ORCPT <rfc822;liu3tao@gmail.com> + 99 others);
        Mon, 18 Jan 2021 12:57:55 -0500
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:60191 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S2407254AbhARR5q (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 18 Jan 2021 12:57:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1610992580;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=hWCFJ1Ui+QPJSU5mbyAyYwW1tEtCr30ZbCpgxh1LYJY=;
        b=M3W2Hajxip1CSnjK9e8rxGoUF/0uxR9FSDDQIn0Vcqv5bqL0GZvJYBzufuudMfmRz9jsBc
        EZbbxuaOA80NCiW4CzM8GT7OGybOkvhNgEBA9QlQtn591KMuT/x+0T3ajB6aCJTrA32r2C
        /Tje8FElHJoG1DXxarxJJs2Hoq4uA9Y=
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com
 [209.85.208.71]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-149-DkUwnKPNOqS9a5BBfg66mg-1; Mon, 18 Jan 2021 12:56:18 -0500
X-MC-Unique: DkUwnKPNOqS9a5BBfg66mg-1
Received: by mail-ed1-f71.google.com with SMTP id t9so2186830edd.3
        for <linux-kernel@vger.kernel.org>; Mon, 18 Jan 2021 09:56:18 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=hWCFJ1Ui+QPJSU5mbyAyYwW1tEtCr30ZbCpgxh1LYJY=;
        b=qfhQCtW1hnG1CiSkOZzH0G0uf1EwLn16lI1p6kQPNoC96oiDaLJpfN5W+PMd06rqDn
         55XHvPcMR/rKJjgzufeIQ20Rm6TQ/0bruXmUX088jLOPNcdah/3xZtWglbEGYvczYrqr
         KBhg+9G5vQR6fZWZ0ubADAQGWIrm0c7aB3i7nKEK5MSyjK3QFGh4zA1j2NYSyKDy045m
         l6gpnUqKxNrTGK5sz0VHuUpZI6aMqewNrv7VfuA8HhV3LtikwGgSB1cPpRz0Mx6pKtrM
         IZf8vgxLM5Pg0NomNg7zzlu3WEEf36JnoF23112SJ+mthqCNi3QBCwPzjP0GUZ9gV39W
         /MpA==
X-Gm-Message-State: AOAM5309q306ZpSt8bd/aFzNO36qihJ+0eGMXAuICMy7rSTVHSjFXwDA
        11Pw89vHkTrceV0ue0al7wkIo2I50+DZtkqoZt3r33qxTf+JhQEAkKU/ubQuxkrZwB3VzQ3OCOi
        u7/OEeR+mp7vf4p2jpJRA2mFtnNenfVpVSkE54ANfjx5z3GTO+RVQUkkeRo9lh4WQ/h0T9w6aYl
        RG
X-Received: by 2002:a17:906:2743:: with SMTP id a3mr581496ejd.378.1610992577133;
        Mon, 18 Jan 2021 09:56:17 -0800 (PST)
X-Received: by 2002:a17:906:2743:: with SMTP id a3mr581477ejd.378.1610992576903;
        Mon, 18 Jan 2021 09:56:16 -0800 (PST)
Received: from ?IPv6:2001:b07:6468:f312:c8dd:75d4:99ab:290a? ([2001:b07:6468:f312:c8dd:75d4:99ab:290a])
        by smtp.gmail.com with ESMTPSA id u24sm9809545eje.71.2021.01.18.09.56.15
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 18 Jan 2021 09:56:16 -0800 (PST)
Subject: Re: [PATCH v2] KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in
 intel_pmu_refresh()
To:     Like Xu <like.xu@linux.intel.com>,
        Sean Christopherson <seanjc@google.com>
Cc:     Vitaly Kuznetsov <vkuznets@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Joerg Roedel <joro@8bytes.org>, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20210118025800.34620-1-like.xu@linux.intel.com>
From:   Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <53930fc4-46d8-ce87-daa9-00460c6adb63@redhat.com>
Date:   Mon, 18 Jan 2021 18:56:15 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <20210118025800.34620-1-like.xu@linux.intel.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 18/01/21 03:58, Like Xu wrote:
> Since we know vPMU will not work properly when (1) the guest bit_width(s)
> of the [gp|fixed] counters are greater than the host ones, or (2) guest
> requested architectural events exceeds the range supported by the host, so
> we can setup a smaller left shift value and refresh the guest cpuid entry,
> thus fixing the following UBSAN shift-out-of-bounds warning:
> 
> shift exponent 197 is too large for 64-bit type 'long long unsigned int'
> 
> Call Trace:
>   __dump_stack lib/dump_stack.c:79 [inline]
>   dump_stack+0x107/0x163 lib/dump_stack.c:120
>   ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
>   __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
>   intel_pmu_refresh.cold+0x75/0x99 arch/x86/kvm/vmx/pmu_intel.c:348
>   kvm_vcpu_after_set_cpuid+0x65a/0xf80 arch/x86/kvm/cpuid.c:177
>   kvm_vcpu_ioctl_set_cpuid2+0x160/0x440 arch/x86/kvm/cpuid.c:308
>   kvm_arch_vcpu_ioctl+0x11b6/0x2d70 arch/x86/kvm/x86.c:4709
>   kvm_vcpu_ioctl+0x7b9/0xdb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3386
>   vfs_ioctl fs/ioctl.c:48 [inline]
>   __do_sys_ioctl fs/ioctl.c:753 [inline]
>   __se_sys_ioctl fs/ioctl.c:739 [inline]
>   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
>   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>   entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Reported-by: syzbot+ae488dc136a4cc6ba32b@syzkaller.appspotmail.com
> Signed-off-by: Like Xu <like.xu@linux.intel.com>
> ---
> v1->v2 Changelog:
> - Add similar treatment for eax.split.mask_length (Sean)
> 
>   arch/x86/kvm/vmx/pmu_intel.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> index a886a47daebd..d1584ae6625a 100644
> --- a/arch/x86/kvm/vmx/pmu_intel.c
> +++ b/arch/x86/kvm/vmx/pmu_intel.c
> @@ -345,7 +345,9 @@ static void intel_pmu_refresh(struct kvm_vcpu *vcpu)
>   
>   	pmu->nr_arch_gp_counters = min_t(int, eax.split.num_counters,
>   					 x86_pmu.num_counters_gp);
> +	eax.split.bit_width = min_t(int, eax.split.bit_width, x86_pmu.bit_width_gp);
>   	pmu->counter_bitmask[KVM_PMC_GP] = ((u64)1 << eax.split.bit_width) - 1;
> +	eax.split.mask_length = min_t(int, eax.split.mask_length, x86_pmu.events_mask_len);
>   	pmu->available_event_types = ~entry->ebx &
>   					((1ull << eax.split.mask_length) - 1);
>   
> @@ -355,6 +357,8 @@ static void intel_pmu_refresh(struct kvm_vcpu *vcpu)
>   		pmu->nr_arch_fixed_counters =
>   			min_t(int, edx.split.num_counters_fixed,
>   			      x86_pmu.num_counters_fixed);
> +		edx.split.bit_width_fixed = min_t(int,
> +			edx.split.bit_width_fixed, x86_pmu.bit_width_fixed);
>   		pmu->counter_bitmask[KVM_PMC_FIXED] =
>   			((u64)1 << edx.split.bit_width_fixed) - 1;
>   	}
> 

Queued, thanks.

Paolo