Date: Wed, 25 May 2022 22:26:01 +0000
Message-Id: <20220525222604.2810054-2-seanjc@google.com>
In-Reply-To: <20220525222604.2810054-1-seanjc@google.com>
Subject: [PATCH 1/4] KVM: x86: Grab regs_dirty in local 'unsigned long'
From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Robert Dinse, Kees Cook
X-Mailing-List: linux-kernel@vger.kernel.org

Capture ctxt->regs_dirty in a local 'unsigned long' instead of casting
ctxt->regs_dirty to an 'unsigned long *' for use in for_each_set_bit().
The bitops helpers really do read the entire 'unsigned long', even though
the walking of the read value is capped at the specified size. I.e. KVM
is reading memory beyond ctxt->regs_dirty. Functionally it's not an issue
because regs_dirty is in the middle of x86_emulate_ctxt, i.e. KVM is just
reading its own memory, but relying on that coincidence is gross and
unsafe.
Signed-off-by: Sean Christopherson Reviewed-by: Kees Cook Reviewed-by: Vitaly Kuznetsov --- arch/x86/kvm/emulate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 89b11e7dca8a..7226a127ccb4 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c 
@@ -269,9 +269,10 @@ static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, u= nsigned nr) =20 static void writeback_registers(struct x86_emulate_ctxt *ctxt) { + unsigned long dirty =3D ctxt->regs_dirty; unsigned reg; =20 - for_each_set_bit(reg, (ulong *)&ctxt->regs_dirty, 16) + for_each_set_bit(reg, &dirty, 16) ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]); } =20 --=20 2.36.1.124.g0e6072fb45-goog From nobody Wed Apr 29 02:00:47 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B4CE3C433EF for ; Wed, 25 May 2022 22:26:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345454AbiEYW0q (ORCPT ); Wed, 25 May 2022 18:26:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345380AbiEYW0R (ORCPT ); Wed, 25 May 2022 18:26:17 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3C37C185 for ; Wed, 25 May 2022 15:26:12 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id n3-20020a257203000000b0064f867fcfc0so17163ybc.15 for ; Wed, 25 May 2022 15:26:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=reply-to:date:in-reply-to:message-id:mime-version:references :subject:from:to:cc; bh=BYFiENncuVJ2TvmhMEdP2audf2NxqV608VtgAVJJeVI=; b=IbW8vJJI7X1j43Z/4nZsPK9eWZGKk7cSQrblreYcVOM8uer7o4RhoKvjJykAXprlTB KZJ5FFDsh7YZlMwSMhwukU1EBAvaQYfiqnxlWu7iUMVV28K5YiIFBDlJs7UlRwO1c2S3 Ri9Pm1jcibc8+s3HqE/fhhiKexxkDhj0t2HzF1Sj8WL1qrdv1GkzDOp/1IxiYYDhElzD yVXwDkobkNF6dkpArA3KJc2pl13xsmdCi4ZPivuPHm5KniCW54AnQSxFx8X8rzWr+xy5 tdP5sPDHNJp3Phv8z1LnX1h8YbTLOW98xzDiPylEA6E+NqqhJbGJpVulvBMNbad2vMc/ QNAg== 
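Review bot: the literal 16 passed to for_each_set_bit() in writeback_registers() is still a bare magic number that has to stay in sync with whatever bounds ctxt->_regs elsewhere; a named constant for the GPR count would keep the walk limit and the array size from drifting apart. The new local 'unsigned long dirty = ctxt->regs_dirty;' is the right replacement for the '(ulong *)&ctxt->regs_dirty' cast, since the widening now happens by value and the helper only ever reads the local; a one-line comment on the local saying why it exists would stop a future cleanup from folding it back into a cast.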
Date: Wed, 25 May 2022 22:26:02 +0000
Message-Id: <20220525222604.2810054-3-seanjc@google.com>
In-Reply-To: <20220525222604.2810054-1-seanjc@google.com>
Subject: [PATCH 2/4] KVM: x86: Harden _regs accesses to guard against buggy input
From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Robert Dinse, Kees Cook
X-Mailing-List: linux-kernel@vger.kernel.org

WARN and truncate the incoming GPR number/index when reading/writing GPRs
in the emulator to guard against KVM bugs, e.g. to avoid out-of-bounds
accesses to ctxt->_regs[] if KVM generates a bogus index. Truncate the
index instead of returning e.g. zero, as reg_write() returns a pointer to
the register, i.e. returning zero would result in a NULL pointer
dereference. KVM could also force the index to any arbitrary GPR, but
that's no better or worse, just different.

Open code the restriction to 16 registers; RIP is handled via _eip and
should never be accessed through reg_read() or reg_write(). See the
comments above the declarations of reg_read() and reg_write(), and the
behavior of writeback_registers(). The horrific open coded mess will be
cleaned up in a future commit.

There are no such bugs known to exist in the emulator, but determining
that KVM is bug-free is not at all simple and requires a deep dive into
the emulator. The code is so convoluted that GCC-12 with the recently
enabled -Warray-bounds spits out a (suspected) false-positive:

  arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds]
    254 |         return ctxt->_regs[nr];
        |                ~~~~~~~~~~~^~~~
  In file included from arch/x86/kvm/emulate.c:23:
  arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw':
  arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs'
    366 |         unsigned long _regs[NR_VCPU_REGS];
        |                       ^~~~~

Link: https://lore.kernel.org/all/YofQlBrlx18J7h9Y@google.com
Cc: Robert Dinse
Cc: Kees Cook
Signed-off-by: Sean Christopherson --- arch/x86/kvm/emulate.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 7226a127ccb4..c58366ae4da2 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -247,6 +247,9 @@ enum x86_transfer_type { =20 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr) { + if (WARN_ON_ONCE(nr >=3D 16)) + nr &=3D 16 - 1; + if (!(ctxt->regs_valid & (1 << nr))) { ctxt->regs_valid |=3D 1 << nr; ctxt->_regs[nr] =3D ctxt->ops->read_gpr(ctxt, nr); 
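Review bot: in the reg_read() hunk, 'nr &= 16 - 1' only truncates into range because 16 is a power of two; if the bound ever becomes a non-power-of-two value the mask silently stops bounding the index and the out-of-bounds access returns. Suggest pinning the property at build time next to the guard (e.g. BUILD_BUG_ON(!is_power_of_2(16)), or on the constant once one exists) or using 'nr %= 16'. Also note that WARN_ON_ONCE() reports only the first bogus index per boot; later ones are clamped with no trace, which is a reasonable trade-off for a should-never-happen path but deserves a sentence in the commit message.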
@@ -256,6 +259,9 @@ static ulong reg_read(struct x86_emulate_ctxt *ctxt, un= signed nr) =20 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr) { + if (WARN_ON_ONCE(nr >=3D 16)) + nr &=3D 16 - 1; + ctxt->regs_valid |=3D 1 << nr; ctxt->regs_dirty |=3D 1 << nr; return &ctxt->_regs[nr]; --=20 2.36.1.124.g0e6072fb45-goog From nobody Wed Apr 29 02:00:47 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DBB55C4332F for ; Wed, 25 May 2022 22:26:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344989AbiEYW01 (ORCPT ); Wed, 25 May 2022 18:26:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55292 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345388AbiEYW0U (ORCPT ); Wed, 25 May 2022 18:26:20 -0400 Received: from mail-pl1-x64a.google.com (mail-pl1-x64a.google.com [IPv6:2607:f8b0:4864:20::64a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3C1DB277 for ; Wed, 25 May 2022 15:26:14 -0700 (PDT) Received: by mail-pl1-x64a.google.com with SMTP id t14-20020a1709028c8e00b0015cf7e541feso12121217plo.1 for ; Wed, 25 May 2022 15:26:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=reply-to:date:in-reply-to:message-id:mime-version:references :subject:from:to:cc; bh=1K6OM5CVosmRq7VrXJUvnPyF0+jKI5Wt9fyUJ3K2ibY=; b=L3C+sxFViTeVKuyVx5ivxoNs7Q6DYSLINTgXeRAUuwL1UVebb8TNStoOpMZyfvPmh7 VU+hFtXQ2sdfPs465VxYnDTutAK2XRTNQbBz9Ht2PHH4sRve6QgaSf01OMCXm63bwqGN TKTmrdaY1EGLCOpSa1LH4g3mL/V1MYdFetwPFYdxNhlDI/DlnnvqFaqX7Rlc/ppN4zPf DuaG4mikEbaBkcOsHBWoOcI666PRRP/tDC3SdopDwzkvXYU/pb8XHb5sg7iqFnV+HFHI 3TFgrrEBIOIymBspGi1iMC95/Q0EQ7VwvHnH9BoFgOlQu0+mPtt4RWu/eB7M/uC2JEsb 7IYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; 
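Review bot: the guard added to reg_write() is a verbatim copy of the one in reg_read(); a small static helper that both call would keep the two clamps from diverging and give the eventual named constant a single home. In reg_write() the truncated index redirects the write to a different, in-range GPR rather than dropping it, and the following '1 << nr' updates of regs_valid/regs_dirty then mark that other register; the commit message already accepts this, so the worst case of a KVM bug becomes a corrupted low GPR instead of a write past _regs[], which is the intended containment.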
Date: Wed, 25 May 2022 22:26:03 +0000
Message-Id: <20220525222604.2810054-4-seanjc@google.com>
In-Reply-To: <20220525222604.2810054-1-seanjc@google.com>
Subject: [PATCH 3/4] KVM: x86: Omit VCPU_REGS_RIP from emulator's _regs array
From: Sean Christopherson To: Paolo Bonzini Cc: Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Robert Dinse , Kees Cook Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Omit RIP from the emulator's _regs array, which is used only for GPRs, i.e. registers that can be referenced via ModRM and/or SIB bytes. The emulator uses the dedicated _eip field for RIP, and manually reads from _eip to handle RIP-relative addressing. Replace all open coded instances of '16' with the new NR_EMULATOR_GPRS. See also the comments above the read_gpr() and write_gpr() declarations, and obviously the handling in writeback_registers(). No functional change intended. Signed-off-by: Sean Christopherson Reported-by: kernel test robot --- arch/x86/kvm/emulate.c | 12 ++++++------ arch/x86/kvm/kvm_emulate.h | 10 +++++++++- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index c58366ae4da2..dd1bf116a9ed 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -247,8 +247,8 @@ enum x86_transfer_type { =20 static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr) { - if (WARN_ON_ONCE(nr >=3D 16)) - nr &=3D 16 - 1; + if (WARN_ON_ONCE(nr >=3D NR_EMULATOR_GPRS)) + nr &=3D NR_EMULATOR_GPRS - 1; =20 if (!(ctxt->regs_valid & (1 << nr))) { ctxt->regs_valid |=3D 1 << nr; @@ -259,8 +259,8 @@ static ulong reg_read(struct x86_emulate_ctxt *ctxt, un= signed nr) =20 static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr) { - if (WARN_ON_ONCE(nr >=3D 16)) - nr &=3D 16 - 1; + if (WARN_ON_ONCE(nr >=3D NR_EMULATOR_GPRS)) + nr &=3D NR_EMULATOR_GPRS - 1; =20 ctxt->regs_valid |=3D 1 << nr; ctxt->regs_dirty |=3D 1 << nr; 
@@ -278,7 +278,7 @@ static void writeback_registers(struct x86_emulate_ctxt= *ctxt) unsigned long dirty =3D ctxt->regs_dirty; unsigned reg; =20 - for_each_set_bit(reg, &dirty, 16) + for_each_set_bit(reg, &dirty, NR_EMULATOR_GPRS) ctxt->ops->write_gpr(ctxt, reg, ctxt->_regs[reg]); } =20 @@ -2495,7 +2495,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt = *ctxt, u16 selector; int i, r; =20 - for (i =3D 0; i < 16; i++) + for (i =3D 0; i < NR_EMULATOR_GPRS; i++) *reg_write(ctxt, i) =3D GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8); =20 ctxt->_eip =3D GET_SMSTATE(u64, smstate, 0x7f78); diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h index 8dff25d267b7..bdd4e9865ca9 100644 --- a/arch/x86/kvm/kvm_emulate.h +++ b/arch/x86/kvm/kvm_emulate.h @@ -301,6 +301,14 @@ struct fastop; =20 typedef void (*fastop_t)(struct fastop *); =20 +/* + * The emulator's _regs array tracks only the GPRs, i.e. excludes RIP. RI= P is + * tracked/accessed via _eip, and except for RIP relative addressing, which + * also uses _eip, RIP cannot be a register operand nor can it be an opera= nd in + * a ModRM or SIB byte. + */ +#define NR_EMULATOR_GPRS (VCPU_REGS_R15 + 1) + struct x86_emulate_ctxt { void *vcpu; const struct x86_emulate_ops *ops; 
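Review bot: the rsm_load_state_64() hunk replaces a 16 that describes the SMRAM save-state layout (16 saved GPR slots read via GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8)) with NR_EMULATOR_GPRS, which describes the emulator's cache size; the two happen to coincide, but tying them together means a future change to NR_EMULATOR_GPRS would silently change how much of smstate is parsed. Consider leaving the SMRAM loop on its own constant, or at least a comment noting the coupling. In the kvm_emulate.h hunk, the new comment would also benefit from stating that the masks 'NR_EMULATOR_GPRS - 1' in reg_read()/reg_write() assume (VCPU_REGS_R15 + 1) is a power of two.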
@@ -363,7 +371,7 @@ struct x86_emulate_ctxt { struct operand src2; struct operand dst; struct operand memop; - unsigned long _regs[NR_VCPU_REGS]; + unsigned long _regs[NR_EMULATOR_GPRS]; struct operand *memopp; struct fetch_cache fetch; struct read_cache io_read; --=20 2.36.1.124.g0e6072fb45-goog From nobody Wed Apr 29 02:00:47 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 434A0C433FE for ; Wed, 25 May 2022 22:26:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345423AbiEYW0g (ORCPT ); Wed, 25 May 2022 18:26:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345411AbiEYW0V (ORCPT ); Wed, 25 May 2022 18:26:21 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0CC3326EA for ; Wed, 25 May 2022 15:26:16 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-2f7dbceab08so188482977b3.10 for ; Wed, 25 May 2022 15:26:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=reply-to:date:in-reply-to:message-id:mime-version:references :subject:from:to:cc; bh=sP4pft3yTMhXYmyTAUA9SDM5ympNXK0fw2aWJc3LaWM=; b=nt8xIxammCWBKmuZkiAyG5Rfz8Wi+6snvbgkikf7esrJCQZz6kOdx+Day2vV2sO0s0 Cdb9tCPtVcRNZKt9tqyi+H5WzmOtP9vbdXPm2NDP6a8FFSA/gHxOYDC2wY6a9+Htd0e8 WG676KXqy6xskD362nmb8T+9mg3JeTqIe8sFrphUxixgMSIHs3djCBOpnx8fwJyY6dx/ 6cZpOzp9DAkrASVkngVbSfTtsygFC8F1gfailABOosvp7tpqSETO9M9PnMf2HyPGPb5E n4lzS3Q2DZJVTrUKbsyaZx/8wt3mfVyuMnZ1aemACgJSNb4mb3/SmPfPwnY/YRvAl9/E no5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; 
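Review bot: shrinking _regs[] from NR_VCPU_REGS (17 elements, per the -Warray-bounds output quoted in patch 2) to NR_EMULATOR_GPRS (16) turns any remaining direct 'ctxt->_regs[VCPU_REGS_RIP]' access into an out-of-bounds read or write that the reg_read()/reg_write() clamps never see. Before merging, grep for direct _regs[] indexing that bypasses the accessors; writeback_registers() is fine because for_each_set_bit() is bounded by the same constant. It is also worth confirming that GCC 12 is now quiet with the smaller array.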
Date: Wed, 25 May 2022 22:26:04 +0000
Message-Id: <20220525222604.2810054-5-seanjc@google.com>
In-Reply-To: <20220525222604.2810054-1-seanjc@google.com>
Subject: [PATCH 4/4] KVM: x86: Use 16-bit fields to track dirty/valid emulator GPRs
From: Sean Christopherson To: Paolo Bonzini Cc: Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Robert Dinse , Kees Cook Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use a u16 instead of a u32 to track the dirty/valid status of GPRs in the emulator. Unlike struct kvm_vcpu_arch, x86_emulate_ctxt tracks only the "true" GPRs, i.e. doesn't include RIP in its array, and so only needs to track 16 registers. Note, having 16 GPRs is a fundamental property of x86-64 and will not change barring a massive architecture update. Legacy x86 ModRM and SIB encodings use 3 bits for GPRs, i.e. support 8 registers. x86-64 uses a single bit in the REX prefix for each possible reference type to double the number of supported GPRs to 16 registers (4 bits). Signed-off-by: Sean Christopherson Reviewed-by: Kees Cook --- arch/x86/kvm/emulate.c | 3 +++ arch/x86/kvm/kvm_emulate.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index dd1bf116a9ed..afb115b6a5a4 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -262,6 +262,9 @@ static ulong *reg_write(struct x86_emulate_ctxt *ctxt, = unsigned nr) if (WARN_ON_ONCE(nr >=3D NR_EMULATOR_GPRS)) nr &=3D NR_EMULATOR_GPRS - 1; =20 + BUILD_BUG_ON(sizeof(ctxt->regs_dirty) * BITS_PER_BYTE < NR_EMULATOR_GPRS); + BUILD_BUG_ON(sizeof(ctxt->regs_valid) * BITS_PER_BYTE < NR_EMULATOR_GPRS); + ctxt->regs_valid |=3D 1 << nr; ctxt->regs_dirty |=3D 1 << nr; return &ctxt->_regs[nr]; diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h index bdd4e9865ca9..fbe87ba78163 100644 --- a/arch/x86/kvm/kvm_emulate.h +++ b/arch/x86/kvm/kvm_emulate.h 
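Review bot: the two BUILD_BUG_ONs tie the width of regs_valid/regs_dirty to NR_EMULATOR_GPRS but sit inside reg_write(), away from the fields they constrain; placing them as static_assert()s beside the u16 declarations in kvm_emulate.h (or adding a comment there pointing at them) keeps the invariant visible to whoever next edits the struct. Since regs_valid is also set in reg_read(), the check covering it arguably belongs there as well, though one site is enough to fail the build.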
@@ -353,9 +353,9 @@ struct x86_emulate_ctxt { u8 lock_prefix; u8 rep_prefix; /* bitmaps of registers in _regs[] that can be read */ - u32 regs_valid; + u16 regs_valid; /* bitmaps of registers in _regs[] that have been written */ - u32 regs_dirty; + u16 regs_dirty; /* modrm */ u8 modrm; u8 modrm_mod; --=20 2.36.1.124.g0e6072fb45-goog
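Review bot: with regs_valid/regs_dirty now 16 bits, any '(ulong *)&ctxt->regs_dirty'-style cast of the kind removed in patch 1 would read six bytes past the field on 64-bit, so this patch depends on patch 1 landing first; a short addition to the field comments ("walk via a local unsigned long, never by address") would record that dependency where the next reader will see it.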
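The hardening patterns these four patches apply, as an added example that is not KVM's code: a self-contained model of the emulator's GPR cache in which regs_valid/regs_dirty are u16 bitmaps, the dirty bitmap is walked through a local 'unsigned long' (patch 1), a bogus register index is warned about once and truncated (patch 2), and the bitmap width is checked at build time (patch 4). NR_EMULATOR_GPRS, regs_valid, regs_dirty, _regs, reg_read(), reg_write() and writeback_registers() mirror the names in the patches; the 'backing' array standing in for ctxt->ops, the 'writebacks' and 'warnings' counters, clamp_gpr() and the demo_*() scenarios are constructed for this example, and _Static_assert plus a counter stand in for BUILD_BUG_ON() and WARN_ON_ONCE(). The register values are constructed sample data.

```c
/*
 * Added example (not KVM's code): a miniature emulator GPR cache showing the
 * hardening patterns of this series. Field names mirror the patches; the
 * 'backing' array, the counters, clamp_gpr() and demo_*() are constructed here,
 * and _Static_assert plus a counter stand in for BUILD_BUG_ON and WARN_ON_ONCE.
 */
#include <stdint.h>
#include <stdio.h>

#define NR_EMULATOR_GPRS 16

struct demo_ctxt {
	uint16_t regs_valid;	/* bitmap: _regs[i] holds a fetched value */
	uint16_t regs_dirty;	/* bitmap: _regs[i] must be written back */
	unsigned long _regs[NR_EMULATOR_GPRS];
	unsigned long backing[NR_EMULATOR_GPRS];	/* stands in for the vCPU's GPRs */
	unsigned int writebacks;	/* write_gpr() calls by writeback_registers() */
	unsigned int warnings;		/* out-of-range indices seen by clamp_gpr() */
};

/* Patch 4's BUILD_BUG_ONs, plus the power-of-two property the mask relies on. */
_Static_assert((NR_EMULATOR_GPRS & (NR_EMULATOR_GPRS - 1)) == 0,
	       "mask-based truncation needs a power-of-two GPR count");
_Static_assert(sizeof(((struct demo_ctxt *)0)->regs_dirty) * 8 >= NR_EMULATOR_GPRS,
	       "regs_dirty is too narrow for NR_EMULATOR_GPRS");

static struct demo_ctxt demo;	/* single context shared by the scenarios */

/* Patch 2: report the first bogus index, then truncate it into range. */
static unsigned int clamp_gpr(struct demo_ctxt *ctxt, unsigned int nr)
{
	if (nr >= NR_EMULATOR_GPRS) {
		if (ctxt->warnings++ == 0)
			fprintf(stderr, "WARNING: bogus GPR index %u\n", nr);
		nr &= NR_EMULATOR_GPRS - 1;
	}
	return nr;
}

static unsigned long reg_read(struct demo_ctxt *ctxt, unsigned int nr)
{
	nr = clamp_gpr(ctxt, nr);
	if (!(ctxt->regs_valid & (1u << nr))) {
		ctxt->regs_valid |= 1u << nr;
		ctxt->_regs[nr] = ctxt->backing[nr];	/* ops->read_gpr() */
	}
	return ctxt->_regs[nr];
}

static unsigned long *reg_write(struct demo_ctxt *ctxt, unsigned int nr)
{
	nr = clamp_gpr(ctxt, nr);
	ctxt->regs_valid |= 1u << nr;
	ctxt->regs_dirty |= 1u << nr;
	return &ctxt->_regs[nr];
}

/* Patch 1: the u16 is widened by value; no pointer to it is reinterpreted. */
static void writeback_registers(struct demo_ctxt *ctxt)
{
	unsigned long dirty = ctxt->regs_dirty;
	unsigned int reg;

	for (reg = 0; reg < NR_EMULATOR_GPRS; reg++) {
		if (!(dirty & (1ul << reg)))
			continue;
		ctxt->backing[reg] = ctxt->_regs[reg];	/* ops->write_gpr() */
		ctxt->writebacks++;
	}
	ctxt->regs_dirty = 0;	/* simplification: KVM clears this elsewhere */
}

/* Scenario 1: write R3 and R9, read RAX, write back. Returns the writeback count. */
static unsigned int demo_run(void)
{
	demo = (struct demo_ctxt){0};
	demo.backing[0] = 0x1234;	/* constructed initial RAX */
	demo.backing[1] = 0x1111;	/* constructed initial RCX */
	*reg_write(&demo, 3) = 0xaaaa;
	*reg_write(&demo, 9) = 0xbbbb;
	(void)reg_read(&demo, 0);	/* a read must not dirty RAX */
	writeback_registers(&demo);
	return demo.writebacks;
}

/* Scenario 2: bogus indices 32 and 17 truncate to 0 and 1. Returns the warning count. */
static unsigned int demo_bogus_index(void)
{
	demo_run();
	*reg_write(&demo, 32) = 0x5555;	/* lands in _regs[0], not past the array */
	(void)reg_read(&demo, 17);	/* fetches backing[1] into _regs[1] */
	return demo.warnings;
}

int main(void)
{
	printf("writebacks: %u\n", demo_run());
	printf("warnings: %u\n", demo_bogus_index());
	printf("_regs[0]=0x%lx _regs[1]=0x%lx\n", demo._regs[0], demo._regs[1]);
	return 0;
}
```

Build with any C11 compiler and run: the WARNING line reaches stderr exactly once although two bogus indices are fed in, which is the once-only reporting the commit message relies on, and both clamped accesses stay inside _regs[].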