From: Thomas Gleixner
To: "Chang S. Bae", bp@suse.de, luto@kernel.org, mingo@kernel.org, x86@kernel.org
Cc: len.brown@intel.com, lenb@kernel.org, dave.hansen@intel.com, thiago.macieira@intel.com, jing2.liu@intel.com, ravi.v.shankar@intel.com, linux-kernel@vger.kernel.org, chang.seok.bae@intel.com, kvm@vger.kernel.org, Paolo Bonzini
Subject: Re: [PATCH v10 10/28] x86/fpu/xstate: Update the XSTATE save function to support dynamic states
In-Reply-To: <87tui04urt.ffs@tglx>
Date: Sat, 02 Oct 2021 23:31:48 +0200
Message-ID: <87pmsnglkr.ffs@tglx>

On Fri, Oct 01 2021 at 17:41, Thomas Gleixner wrote:
> On Wed, Aug 25 2021 at 08:53, Chang S. Bae wrote:
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index 74dde635df40..7c46747f6865 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -9899,11 +9899,16 @@ static void kvm_save_current_fpu(struct fpu *fpu)
>> * KVM does not support dynamic user states yet. Assume the buffer
>> * always has the minimum size.

I have to come back to this because that assumption is just broken.

create_vcpu()
   vcpu->user_fpu = alloc_default_fpu_size();
   vcpu->guest_fpu = alloc_default_fpu_size();

vcpu_task()
   get_amx_permission()
   use_amx()
     #NM
       alloc_larger_state()
   ...
   kvm_arch_vcpu_ioctl_run()
     kvm_arch_vcpu_ioctl_run()
       kvm_load_guest_fpu()
         kvm_save_current_fpu(vcpu->arch.user_fpu);
           save_fpregs_to_fpstate(fpu);  <- Out of bounds write

Adding a comment that KVM does not yet support dynamic user states does not cut it, really. Even if the above is unlikely, it is possible and has to be handled correctly at the point where AMX support is enabled in the kernel independent of guest support.

You have two options:

  1) Always allocate the large buffer size which is required to accommodate all possible features.

     Trivial, but waste of memory.

  2) Make the allocation dynamic which seems to be trivial to do in kvm_load_guest_fpu() at least for vcpu->user_fpu.

     The vcpu->guest_fpu handling can probably be postponed to the point where AMX is actually exposed to guests, but it's probably not the worst idea to think about the implications now.

Paolo, any opinions?

Thanks,

        tglx
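Review bot: the comment added in the kvm_save_current_fpu() hunk records an assumption (the buffer "always has the minimum size") that nothing in the hunk enforces; since save_fpregs_to_fpstate() writes whatever the live xstate holds, a buffer smaller than the task's current fpstate turns into an out-of-bounds write rather than a detectable error. Suggest pairing the comment with a check that the target buffer's size covers the current fpstate (warn and bail out if it does not), or sizing the buffer before the save as option 2 in the reply proposes, so the assumption is verified rather than merely stated.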
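To make the sequence in the reply concrete, here is an added userspace model in C (my own illustration, not kernel code and not part of this thread): the `struct fpu`, the sizes and the function names are stand-ins for the kernel's, `save_fpregs_to_fpstate()` is modelled to report the overflow that the real one cannot detect, and option 2 from the reply is implemented as a grow-before-save step.

```c
/* Constructed userspace model (not kernel code): a vCPU's user_fpu is
 * allocated at the default xstate size, the task later grows its fpstate
 * (AMX permission, first use, #NM), and saving the live registers into the
 * old buffer would write out of bounds. */
#include <stdlib.h>
#include <string.h>

#define DEFAULT_FPU_SIZE 512   /* placeholder: no dynamic states */
#define AMX_FPU_SIZE    8704   /* placeholder: AMX tile state in use */

struct fpu {
    size_t size;          /* capacity of buf in bytes */
    unsigned char *buf;
};

/* Model of save_fpregs_to_fpstate(): returns -1 where the real code would
 * silently write past the end of the buffer. */
int save_fpregs_to_fpstate(struct fpu *fpu, size_t live_size)
{
    if (live_size > fpu->size)
        return -1;
    memset(fpu->buf, 0xA5, live_size);   /* stand-in for XSAVE */
    return 0;
}

/* Option 2 from the reply: grow user_fpu to the task's current fpstate
 * size before kvm_load_guest_fpu() saves into it. */
int fpu_grow_to(struct fpu *fpu, size_t live_size)
{
    if (live_size <= fpu->size)
        return 0;
    unsigned char *nbuf = realloc(fpu->buf, live_size);
    if (!nbuf)
        return -1;
    fpu->buf = nbuf;
    fpu->size = live_size;
    return 0;
}

/* Replay the call chain: create_vcpu() sizes user_fpu by the default, the
 * task uses AMX, vcpu run saves into user_fpu. 0 = fits, -1 = overflow. */
int replay_vcpu_run(int grow_before_save)
{
    struct fpu user_fpu = { DEFAULT_FPU_SIZE, calloc(1, DEFAULT_FPU_SIZE) };
    int rc = -1;
    if (user_fpu.buf && (!grow_before_save || fpu_grow_to(&user_fpu, AMX_FPU_SIZE) == 0))
        rc = save_fpregs_to_fpstate(&user_fpu, AMX_FPU_SIZE);
    free(user_fpu.buf);
    return rc;
}
```

`replay_vcpu_run(0)` reproduces the out-of-bounds case as a -1 return; `replay_vcpu_run(1)` shows the save succeeding once the buffer is grown first.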