From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Qian Wen, Xiaoyao Li, Zhao Liu, Paolo Bonzini, Michael Tokarev
Subject: [Stable-10.0.3 64/65] i386/cpu: Fix overflow of cache topology fields in CPUID.04H
Date: Thu, 17 Jul 2025 12:34:00 +0300
Message-ID: <20250717093412.728292-25-mjt@tls.msk.ru>
From: Qian Wen

According to SDM, CPUID.0x4:EAX[31:26] indicates the Maximum number of addressable IDs for processor cores in the physical package. If we launch a VM with over 64 cores, the 6-bit field will overflow, and the wrong core_id number will be reported. Since the HW reports 0x3f when the Intel processor has over 64 cores, limit the max value written to EAX[31:26] to 63, so max num_cores should be 64.

For EAX[14:25], though at present Q35 supports up to 4096 CPUs, by constructing a specific topology, the width of the APIC ID can be extended beyond 12 bits. For example, using `-smp threads=33,cores=9,modules=9` results in a die level offset of 6 + 4 + 4 = 14 bits, which can also cause overflow. Check and honor the maximum value for EAX[14:25] as well.

In addition, for the host-cache-info case, also apply the same checks and fixes.

Reviewed-by: Xiaoyao Li
Signed-off-by: Qian Wen
Signed-off-by: Zhao Liu
Link: https://lore.kernel.org/r/20250714080859.1960104-7-zhao1.liu@intel.com
Signed-off-by: Paolo Bonzini
(cherry picked from commit 3e86124e7cb9b66e07fb992667865a308f16fcf2)
Signed-off-by: Michael Tokarev

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4603b2b98b..0480ad4ab1 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -283,11 +283,17 @@ static void encode_cache_cpuid4(CPUCacheInfo *cache, assert(cache->size =3D=3D cache->line_size * cache->associativity * cache->partitions * cache->sets); =20 + /* + * The following fields have bit-width limitations, so consider the + * maximum values to avoid overflow: + * Bits 25-14: maximum 4095. + * Bits 31-26: maximum 63. + */ *eax =3D CACHE_TYPE(cache->type) | CACHE_LEVEL(cache->level) | (cache->self_init ? CACHE_SELF_INIT_LEVEL : 0) | - (max_core_ids_in_package(topo_info) << 26) | - (max_thread_ids_for_cache(topo_info, cache->share_level) << 14); + (MIN(max_core_ids_in_package(topo_info), 63) << 26) | + (MIN(max_thread_ids_for_cache(topo_info, cache->share_level), 4= 095) << 14); =20 assert(cache->line_size > 0); assert(cache->partitions > 0); @@ -6867,13 +6873,13 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index= , uint32_t count, int host_vcpus_per_cache =3D 1 + ((*eax & 0x3FFC000) >> 14= ); =20 *eax &=3D ~0xFC000000; - *eax |=3D max_core_ids_in_package(topo_info) << 26; + *eax |=3D MIN(max_core_ids_in_package(topo_info), 63) << 2= 6; if (host_vcpus_per_cache > threads_per_pkg) { *eax &=3D ~0x3FFC000; =20 /* Share the cache at package level. */ - *eax |=3D max_thread_ids_for_cache(topo_info, - CPU_TOPOLOGY_LEVEL_SOCKET) << 14; + *eax |=3D MIN(max_thread_ids_for_cache(topo_info, + CPU_TOPOLOGY_LEVEL_SOCKET), 4095) << 14; } } } else if (cpu->vendor_cpuid_only && IS_AMD_CPU(env)) { --=20 2.47.2
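Review bot: in the encode_cache_cpuid4() hunk, the limits 63 and 4095 in the new `MIN()` calls are bare magic numbers that duplicate the field widths already spelled out in the comment above them (`Bits 25-14: maximum 4095.`, `Bits 31-26: maximum 63.`), and the same two literals are repeated again in the host-cache-info hunk; deriving them from one named mask per field would keep the comment, the encoder and the host path from drifting apart. Worth stating in a comment as well: once the clamp engages, a guest reading EAX[31:26] == 63 cannot tell a 64-core package from a larger one, so for such topologies CPUID.04H becomes a saturating lower bound rather than an exact count (which matches the hardware behaviour the commit message cites); a one-time warning at CPU realize time when either `MIN()` actually truncates would let operators notice that the leaf no longer describes the full topology.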
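Review bot: in the cpu_x86_cpuid() hunk the clamp is applied only to the two fields QEMU rewrites itself, `*eax |= MIN(max_core_ids_in_package(topo_info), 63) << 26;` and the socket-level `max_thread_ids_for_cache` inside `if (host_vcpus_per_cache > threads_per_pkg)`, while in the other branch bits 25:14 keep the host-supplied value; that is fine because that value was read out of the same 12-bit field (`(*eax & 0x3FFC000) >> 14`) and so already fits, but a short comment saying why only one branch needs the clamp would save the next reader the same question. Since the shift is applied to a macro result (`MIN(...) << 26`), the code depends on `MIN()` expanding to a fully parenthesised expression; QEMU's does, but matching the style of the first hunk, which parenthesises each `(MIN(...) << n)` term, would make the two sites read the same.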