No need to use MAX_POSSIBLE_PASSTHROUGH_MSRS in the definition of array
vmx_possible_passthrough_msrs, as the macro name indicates the _possible_
maximum size of passthrough MSRs.

Use ARRAY_SIZE instead of MAX_POSSIBLE_PASSTHROUGH_MSRS when the size of
the array is needed and add a BUILD_BUG_ON to make sure the actual array
size does not exceed the possible maximum size of passthrough MSRs.

Signed-off-by: Xin Li (Intel) <xin@zytor.com>
Tested-by: Shan Kang <shan.kang@intel.com>
---
 arch/x86/kvm/vmx/vmx.c | 8 +++++---
 arch/x86/kvm/vmx/vmx.h | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 9acc9661fdb2..28cf89c97bda 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -167,7 +167,7 @@ module_param(allow_smaller_maxphyaddr, bool, S_IRUGO);
  * List of MSRs that can be directly passed to the guest.
  * In addition to these x2apic, PT and LBR MSRs are handled specially.
  */
-static u32 vmx_possible_passthrough_msrs[MAX_POSSIBLE_PASSTHROUGH_MSRS] = {
+static u32 vmx_possible_passthrough_msrs[] = {
 	MSR_IA32_SPEC_CTRL,
 	MSR_IA32_PRED_CMD,
 	MSR_IA32_FLUSH_CMD,
@@ -4182,6 +4182,8 @@ void vmx_msr_filter_changed(struct kvm_vcpu *vcpu)
 	if (!cpu_has_vmx_msr_bitmap())
 		return;
 
+	BUILD_BUG_ON(ARRAY_SIZE(vmx_possible_passthrough_msrs) > MAX_POSSIBLE_PASSTHROUGH_MSRS);
+
 	/*
 	 * Redo intercept permissions for MSRs that KVM is passing through to
 	 * the guest.  Disabling interception will check the new MSR filter and
@@ -7626,8 +7628,8 @@ int vmx_vcpu_create(struct kvm_vcpu *vcpu)
 	}
 
 	/* The MSR bitmap starts with all ones */
-	bitmap_fill(vmx->shadow_msr_intercept.read, MAX_POSSIBLE_PASSTHROUGH_MSRS);
-	bitmap_fill(vmx->shadow_msr_intercept.write, MAX_POSSIBLE_PASSTHROUGH_MSRS);
+	bitmap_fill(vmx->shadow_msr_intercept.read, ARRAY_SIZE(vmx_possible_passthrough_msrs));
+	bitmap_fill(vmx->shadow_msr_intercept.write, ARRAY_SIZE(vmx_possible_passthrough_msrs));
 
 	vmx_disable_intercept_for_msr(vcpu, MSR_IA32_TSC, MSR_TYPE_R);
 #ifdef CONFIG_X86_64
diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
index e0d76d2460ef..e7409f8f28b1 100644
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -356,7 +356,7 @@ struct vcpu_vmx {
 	struct lbr_desc lbr_desc;
 
 	/* Save desired MSR intercept (read: pass-through) state */
-#define MAX_POSSIBLE_PASSTHROUGH_MSRS	16
+#define MAX_POSSIBLE_PASSTHROUGH_MSRS	64
 	struct {
 		DECLARE_BITMAP(read, MAX_POSSIBLE_PASSTHROUGH_MSRS);
 		DECLARE_BITMAP(write, MAX_POSSIBLE_PASSTHROUGH_MSRS);
-- 
2.46.2

On Mon, Sep 30, 2024 at 10:00:52PM -0700, Xin Li (Intel) wrote:
> No need to use MAX_POSSIBLE_PASSTHROUGH_MSRS in the definition of array
> vmx_possible_passthrough_msrs, as the macro name indicates the _possible_
> maximum size of passthrough MSRs.
> 
> Use ARRAY_SIZE instead of MAX_POSSIBLE_PASSTHROUGH_MSRS when the size of
> the array is needed and add a BUILD_BUG_ON to make sure the actual array
> size does not exceed the possible maximum size of passthrough MSRs.

This commit message needs to talk about the why - not the what. Latter should
be visible from the diff itself.

What you're not talking about is the sneaked increase of
MAX_POSSIBLE_PASSTHROUGH_MSRS to 64. Something you *should* mention because
the array is full and blablabla...

> diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
> index e0d76d2460ef..e7409f8f28b1 100644
> --- a/arch/x86/kvm/vmx/vmx.h
> +++ b/arch/x86/kvm/vmx/vmx.h
> @@ -356,7 +356,7 @@ struct vcpu_vmx {
>  	struct lbr_desc lbr_desc;
>  
>  	/* Save desired MSR intercept (read: pass-through) state */
> -#define MAX_POSSIBLE_PASSTHROUGH_MSRS	16
> +#define MAX_POSSIBLE_PASSTHROUGH_MSRS	64
						^^^

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 11/26/2024 10:02 AM, Borislav Petkov wrote:
> On Mon, Sep 30, 2024 at 10:00:52PM -0700, Xin Li (Intel) wrote:
>> No need to use MAX_POSSIBLE_PASSTHROUGH_MSRS in the definition of array
>> vmx_possible_passthrough_msrs, as the macro name indicates the _possible_
>> maximum size of passthrough MSRs.
>>
>> Use ARRAY_SIZE instead of MAX_POSSIBLE_PASSTHROUGH_MSRS when the size of
>> the array is needed and add a BUILD_BUG_ON to make sure the actual array
>> size does not exceed the possible maximum size of passthrough MSRs.
> 
> This commit message needs to talk about the why - not the what. Latter should
> be visible from the diff itself.

I should not write such a changelog...

> What you're not talking about is the sneaked increase of
> MAX_POSSIBLE_PASSTHROUGH_MSRS to 64. Something you *should* mention because
> the array is full and blablabla...

It's still far from full in a bitmap on x86-64, but just that the
existing use of MAX_POSSIBLE_PASSTHROUGH_MSRS tastes bad.


A better one?

Per the definition, a bitmap on x86-64 is an array of 'unsigned long',
and is at least 64-bit long.

#define DECLARE_BITMAP(name,bits) \
	unsigned long name[BITS_TO_LONGS(bits)]

It's not accurate and error-prone to use a hard-coded possible size of
a bitmap, Use ARRAY_SIZE with an overflow build check instead.

> 
>> diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h
>> index e0d76d2460ef..e7409f8f28b1 100644
>> --- a/arch/x86/kvm/vmx/vmx.h
>> +++ b/arch/x86/kvm/vmx/vmx.h
>> @@ -356,7 +356,7 @@ struct vcpu_vmx {
>>   	struct lbr_desc lbr_desc;
>>   
>>   	/* Save desired MSR intercept (read: pass-through) state */
>> -#define MAX_POSSIBLE_PASSTHROUGH_MSRS	16
>> +#define MAX_POSSIBLE_PASSTHROUGH_MSRS	64
> 						^^^
>

On Tue, Nov 26, 2024 at 11:22:45AM -0800, Xin Li wrote:
> It's still far from full in a bitmap on x86-64, but just that the
> existing use of MAX_POSSIBLE_PASSTHROUGH_MSRS tastes bad.

Far from full?

It is full:

static u32 vmx_possible_passthrough_msrs[MAX_POSSIBLE_PASSTHROUGH_MSRS] = {
        MSR_IA32_SPEC_CTRL,
        MSR_IA32_PRED_CMD,
        MSR_IA32_FLUSH_CMD,
        MSR_IA32_TSC,
#ifdef CONFIG_X86_64
        MSR_FS_BASE,
        MSR_GS_BASE,
        MSR_KERNEL_GS_BASE,
        MSR_IA32_XFD,
        MSR_IA32_XFD_ERR,
#endif
        MSR_IA32_SYSENTER_CS,
        MSR_IA32_SYSENTER_ESP,
        MSR_IA32_SYSENTER_EIP,
        MSR_CORE_C1_RES,
        MSR_CORE_C3_RESIDENCY,
        MSR_CORE_C6_RESIDENCY,
        MSR_CORE_C7_RESIDENCY,
};

I count 16 here.

If you need to add more, you need to increment MAX_POSSIBLE_PASSTHROUGH_MSRS.

> A better one?

Not really.

You're not explaining why MAX_POSSIBLE_PASSTHROUGH_MSRS becomes 64.

> Per the definition, a bitmap on x86-64 is an array of 'unsigned long',
> and is at least 64-bit long.
> 
> #define DECLARE_BITMAP(name,bits) \
> 	unsigned long name[BITS_TO_LONGS(bits)]
> 
> It's not accurate and error-prone to use a hard-coded possible size of
> a bitmap, Use ARRAY_SIZE with an overflow build check instead.

It becomes 64 because a bitmap has 64 bits?

Not because you need to add more MSRs to it and thus raise the limit?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 11/26/2024 12:06 PM, Borislav Petkov wrote:
> On Tue, Nov 26, 2024 at 11:22:45AM -0800, Xin Li wrote:
>> It's still far from full in a bitmap on x86-64, but just that the
>> existing use of MAX_POSSIBLE_PASSTHROUGH_MSRS tastes bad.
> 
> Far from full?
> 
> It is full:
> 
> static u32 vmx_possible_passthrough_msrs[MAX_POSSIBLE_PASSTHROUGH_MSRS] = {
>          MSR_IA32_SPEC_CTRL,
>          MSR_IA32_PRED_CMD,
>          MSR_IA32_FLUSH_CMD,
>          MSR_IA32_TSC,
> #ifdef CONFIG_X86_64
>          MSR_FS_BASE,
>          MSR_GS_BASE,
>          MSR_KERNEL_GS_BASE,
>          MSR_IA32_XFD,
>          MSR_IA32_XFD_ERR,
> #endif
>          MSR_IA32_SYSENTER_CS,
>          MSR_IA32_SYSENTER_ESP,
>          MSR_IA32_SYSENTER_EIP,
>          MSR_CORE_C1_RES,
>          MSR_CORE_C3_RESIDENCY,
>          MSR_CORE_C6_RESIDENCY,
>          MSR_CORE_C7_RESIDENCY,
> };
> 
> I count 16 here.
> 
> If you need to add more, you need to increment MAX_POSSIBLE_PASSTHROUGH_MSRS.

Yes, the most obvious approach is to simply increase
MAX_POSSIBLE_PASSTHROUGH_MSRS by the number of MSRs to be added into the 
array.

However I hate to count it myself, especially we have ARRAY_SIZE.

> 
>> A better one?
> 
> Not really.
> 
> You're not explaining why MAX_POSSIBLE_PASSTHROUGH_MSRS becomes 64.
> 
>> Per the definition, a bitmap on x86-64 is an array of 'unsigned long',
>> and is at least 64-bit long.
>>
>> #define DECLARE_BITMAP(name,bits) \
>> 	unsigned long name[BITS_TO_LONGS(bits)]
>>
>> It's not accurate and error-prone to use a hard-coded possible size of
>> a bitmap, Use ARRAY_SIZE with an overflow build check instead.
> 
> It becomes 64 because a bitmap has 64 bits?

Yes, maybe better to name the macro as MAX_ALLOWED_PASSTHROUGH_MSRS?

> 
> Not because you need to add more MSRs to it and thus raise the limit?

Right.  It triggered me to look at the code further, though, I think the
existing code could be written in a better way no matter whether I need
to add more MSRs.  And whoever wants to add more won't need to increase
MAX_POSSIBLE_PASSTHROUGH_MSRS (ofc unless overflow 64).

Thanks!
     Xin

On Tue, Nov 26, 2024 at 10:46:09PM -0800, Xin Li wrote:
> Right.  It triggered me to look at the code further, though, I think the
> existing code could be written in a better way no matter whether I need
> to add more MSRs.  And whoever wants to add more won't need to increase
> MAX_POSSIBLE_PASSTHROUGH_MSRS (ofc unless overflow 64).

But do you see what I mean?

This patch is "all over the place": what are you actually fixing?

And more importantly, why is it part of this series?

Questions over questions.

So can you pls concentrate and spell out for me what is going on here...

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 11/26/2024 10:55 PM, Borislav Petkov wrote:
> On Tue, Nov 26, 2024 at 10:46:09PM -0800, Xin Li wrote:
>> Right.  It triggered me to look at the code further, though, I think the
>> existing code could be written in a better way no matter whether I need
>> to add more MSRs.  And whoever wants to add more won't need to increase
>> MAX_POSSIBLE_PASSTHROUGH_MSRS (ofc unless overflow 64).
> 
> But do you see what I mean?
> 
> This patch is "all over the place": what are you actually fixing?
> 
> And more importantly, why is it part of this series?
> 
> Questions over questions.
> 
> So can you pls concentrate and spell out for me what is going on here...
> 

This is a patch that cleanup the existing code for better accommodate
new VMX pass-through MSRs.  And it can be a standalone one.

Thanks!
     Xin

On Tue, Nov 26, 2024 at 11:02:31PM -0800, Xin Li wrote:
> This is a patch that cleanup the existing code for better accommodate
> new VMX pass-through MSRs.  And it can be a standalone one.

Well, your very *next* patch is adding more MSRs to that array. So it needs to
be part of this series.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

On 11/26/2024 11:10 PM, Borislav Petkov wrote:
> On Tue, Nov 26, 2024 at 11:02:31PM -0800, Xin Li wrote:
>> This is a patch that cleanup the existing code for better accommodate
>> new VMX pass-through MSRs.  And it can be a standalone one.
> 
> Well, your very *next* patch is adding more MSRs to that array. So it needs to
> be part of this series.
> 

It's self-contained.  Another approach is to send cleanup patches in a 
separate preparation patch set.

Thanks!
     Xin

On Tue, Nov 26, 2024 at 11:32:13PM -0800, Xin Li wrote:
> It's self-contained. 

It better be. Each patch needs to build and boot on its own.

> Another approach is to send cleanup patches in a separate preparation patch
> set.

Not in this case. The next patch shows *why* you're doing the cleanup so it
makes sense for them going together.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette