From nobody Mon Jun 8 08:28:04 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0A5A32DEA8C; Thu, 4 Jun 2026 14:47:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584433; cv=none; b=XHVXS/kvn0u2HPsZw2aaYy2L44KCcvve/Np71B/vAsin5R1w6/x9kIsunKt7n0t+nmzNJD9Xxe5X2gPQdzuVf8UEeQ+JGXAJ8CDprkeu2REBePGfbkxCei7IDdk9ZDmuSNGE3TaGAvB3ae30rz6ECFQMHMSMazPpT6Z0bp1SuRY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584433; c=relaxed/simple; bh=5W01sVx2RIds1DAOkxhzGj9ZtpdsFUHRR8oVnYx2nJs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=r50/vLEjki6mU0cGVEERhYPY5B2cpGdvci/OA6YDzbnFLPFmTwnJOj16k00OgVMAppLLZcSNHVuLiJDXrlv/GngDg5XEhggWFkRhCUWiQcKlAv2AU/LNMhvvF9K7uYfZmYPXJXnU2lnrTfp/yYI921227tHpu37CZbMWrTaVkFo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ZonB7/A3; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ZonB7/A3" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3E07C1F00893; Thu, 4 Jun 2026 14:47:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780584431; bh=dYvl/3K29ZV0cu6YhcZ12nwDPuy1zRO0Zwwz9harlvI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ZonB7/A3SLrOt0qeRcodQVxDUOXFkE1F+VKgBsMGGKkmOVZ3Q4wHyQ7gOcFvA9Vtu WRLLdwitv+LESPihxrcMU/i3WzNhbcpSj7KOpe5ejLr0VugFx1Fh2Hsw2iSOj033li 9I9/pbswfMS4K4WNY3KGsmxulntqL0D6jtuBsTsCsBDp2Rzn3v2aIEDybFaXJdFs0y wBh6KMN0UogQvalNj4XiMWH1QWk7TDL1tgRuHIFvz1MnxVZ32j1LQlPKKhOf0rZrQ8 WDXRy95bM0wGQULdxsU2YiBjW4y9Lnq1jMhkAm6c+lAeDXXK7KId2Kl8295gEl46xA w1NgTUYWS1+ZA== Received: from phl-compute-03.internal (phl-compute-03.internal [10.202.2.43]) by mailfauth.phl.internal (Postfix) with ESMTP id 8D6C0F4006A; Thu, 4 Jun 2026 10:47:10 -0400 (EDT) Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-03.internal (MEProxy); Thu, 04 Jun 2026 10:47:10 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: dmFkZTEnbxOoIv6tM0dLsEuDtk1qDKvd9SBoRk315SFIs+8A8nvG6NPaTuTHtWxX09pQd2 kmhZQJAFXIZRoG2uwqXsCvSQLHHFyqPBLRlgDZDOM1R+77uRHXsLwpqHqkuB/xQMEeL5H9 Yh7j9EoCepX3S8oxsk0Q7b1XMMuXVtxHCUg4Aa5UHd0TkOkqN6exGRI2HWKvJ5gzF66+CH 9fJySW0myPH7lfp6BMxlzjyNHqw9L6PwmZLSyt1okrlhfToPVERjX7lBHt/jPkXvBx/Qrl D5naZubOYqFywyiARe2ZjFKnu+RDowAinYmgXtLtTezD1qxkQqUbpHifL2f+9hFdA0KVYK x7+p/JfmYQvSDHpUkJjASvFUQWPpThlG7Ur/1PI0pPcV3mDP0pDnG5goD0sRUdzPNoNy7n w7AiDQ7em4blbZ1R89QSnh7iZmECUW9JnEN8dvyPZ2rBfvVAgrqkgwe15JgZKwwCuPqj97 je7aMqqWbiOdaj8JjDMQ0WWE3ADmpFfepDVnUdKy/LJNW9uQMMoocVDn/NLeKZA2NLhnzg bO09zNzE7xShuvITJvPfK5bZulikellPjGWur93O3qQcIOD83PGZZTTXEwVsFpP6zFvf5M vKVDuQkqlQo28OGHAggYwYcFZhYlkKFtiI28HTT1Gx8GYqRMzBmo7ZyULn2g X-ME-Proxy: Feedback-ID: i10464835:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 4 Jun 2026 10:47:09 -0400 (EDT) From: "Kiryl Shutsemau (Meta)" To: tglx@kernel.org, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com Cc: seanjc@google.com, pbonzini@redhat.com, sathyanarayanan.kuppuswamy@linux.intel.com, kai.huang@intel.com, xiaoyao.li@intel.com, binbin.wu@linux.intel.com, rick.p.edgecombe@intel.com, david.laight.linux@gmail.com, ak@linux.intel.com, djbw@kernel.org, tsyrulnikov.borys@gmail.com, x86@kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, "Kiryl Shutsemau (Meta)" , stable@vger.kernel.org Subject: [PATCH v4 1/3] x86/tdx: Fix off-by-one in port I/O handling Date: Thu, 4 Jun 2026 15:46:59 +0100 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" handle_in() and handle_out() in arch/x86/coco/tdx/tdx.c use: u64 mask =3D GENMASK(BITS_PER_BYTE * size, 0); GENMASK(h, l) includes bit h. For size=3D1 (INB), this produces GENMASK(8, 0) =3D 0x1FF (9 bits) instead of GENMASK(7, 0) =3D 0xFF (8 bits). The mask is one bit too wide for all I/O sizes. Fix the mask calculation. Fixes: 03149948832a ("x86/tdx: Port I/O: Add runtime hypercalls") Reported-by: Borys Tsyrulnikov Link: https://lore.kernel.org/all/CAKw_Dz96rfSQc6Rn+9QBcUFHhmkK+9zu+P=3Dbxo= wfZwxrATCBRg@mail.gmail.com/ Signed-off-by: Kiryl Shutsemau (Meta) Reviewed-by: Kai Huang Reviewed-by: Kuppuswamy Sathyanarayanan Cc: stable@vger.kernel.org Reviewed-by: Binbin Wu --- arch/x86/coco/tdx/tdx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 186915a17c50..65119362f9a2 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -693,7 +693,7 @@ static bool handle_in(struct pt_regs *regs, int size, i= nt port) .r13 =3D PORT_READ, .r14 =3D port, }; - u64 mask =3D GENMASK(BITS_PER_BYTE * size, 0); + u64 mask =3D GENMASK(BITS_PER_BYTE * size - 1, 0); bool success; =20 /* @@ -713,7 +713,7 @@ static bool handle_in(struct pt_regs *regs, int size, i= nt port) =20 static bool handle_out(struct pt_regs *regs, int size, int port) { - u64 mask =3D GENMASK(BITS_PER_BYTE * size, 0); + u64 mask =3D GENMASK(BITS_PER_BYTE * size - 1, 0); =20 /* * Emulate the I/O write via hypercall. More info about ABI can be found --=20 2.54.0 From nobody Mon Jun 8 08:28:04 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 985222FD66D for ; Thu, 4 Jun 2026 14:47:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584435; cv=none; b=Y2eC/tgKMN9mxM2cd885uSQtsxgJeMYWDKX/2gHi1qpE5KSe+LhMSQ+io3sFk4fMwgxS/TzoNbGEtjgN7yjjFwjTXB2aN+N1q96IrjRugKBFiLabH9h1kRgBUsAAFWuvkX0PzNv2wUWJCeWfpB7KKl6HY7OaEp1NcuGQzinkr10= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584435; c=relaxed/simple; bh=jgrP38vN0ksP/oa1kiyCmivDmkkc+7nIEFf7CigrHKs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cQzCykUqIEhlppFqh/DWddaaXmf6M6ik138MrvvRw4wxssDfsVLkjhswGzINttyjVU05tYfrKoJbFqefDNK3btAFifLUAzeiCqZtLIfsa/RX2mRoK+bOxORbFwJiKy0qIPiAmPgWuGYNzeq0kjBOy6GIvb9vE9C8RpCfStFWiZo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KBFXnSsw; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KBFXnSsw" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0DC8E1F00898; Thu, 4 Jun 2026 14:47:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780584433; bh=Gap47TFOhQ6ls41YxeGXU4G423uVPHsg939VsDxPFk8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=KBFXnSswvYVCg9eysZQNuFFJE4G9x4cOdwkvX8b9ue9jiemQBPzwvlfkMWFIOKDQ3 l57vw4ntncETnQcYHWHxpkFBUtE7GXuyWc1PmbvWGTfHaqFefoBP4B/x28aGWfRV4R uk+l5uX+LUF2TvCqJb6xTCtlS1TnNGKfVQiNQfiL+Odx4shL2ZfH329iTlvlJYqqPg 78Qs1LKUBk+ih4mhJg2RkQMJ7/aCdz1Ufu+TeFSaZyYXH5cmPWZ4vExijG1v6AMTW7 liMOugEg+kc2qjj/Tf6Jnwf6WmPj7SVmmesaAo9mknefU/K8TaJD9Z4M+zomGrpj8T ndQRjF279ryvA== Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42]) by mailfauth.phl.internal (Postfix) with ESMTP id 60A49F4006A; Thu, 4 Jun 2026 10:47:12 -0400 (EDT) Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-02.internal (MEProxy); Thu, 04 Jun 2026 10:47:12 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: dmFkZTFj8ZnrVtOWx8yn50yce9nPuOihKudbBgfFxqft5oPy1zZX5JIfLuFpGdCcWrnhfl Pxz325N4XazAyAzTdNz9aWTIHmCJwIofCI+99fVGtXOCjxSo8k+EHuf2f7CbPoHEMSWrfL Eu/vyp4eHayFnrBZ+cvyjC170T8MtAfXrlwruHYlST6W6tnHi2O6FaxgAEwRiKVEZclZgB 1OCxiWZWO0+bd+wOVrTUbIWcIOKxo9Jhw8E1nFS7ABPYRi3tBDwc6A3isnRgid/yx8777k UbZgmYnR8zVjavXZPBuNijxgMcY5IV2jOz3OuyI0TuHvOl6pbuCj+E3+Wwala5e5leikEG C+j80mjhalvt/GDp7Kt08a3Sdvna0iBUHd63KUeNIYVAizY212bFNayQnsE6YGNQ9bDdU5 yjCD8mQ79RkHa7mHneLUSPxcUSoY0RAdvlDZ5GJqOHTFkuJbe8NJ+DTrjpsQ8JZwil1fjE FfgkAelctBIXeXXC5I+Yx6WUPRuegb8q4KGzM7FXjnNkLK/Pt7IXHIrbbwv48OiuILve2a PmYdA+kzbDzP4iRYWejwTR4+mMCT3DbFJdoc2erIO81qAUAZgENV7QIH2rWDiuZxyCpRwk /UI0kmcW0aLlkdxKzTlkpNVQPrnQFWSMmBt/gZKeufI97vEsqbUSlgUkl0bw X-ME-Proxy: Feedback-ID: i10464835:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 4 Jun 2026 10:47:11 -0400 (EDT) From: "Kiryl Shutsemau (Meta)" To: tglx@kernel.org, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com Cc: seanjc@google.com, pbonzini@redhat.com, sathyanarayanan.kuppuswamy@linux.intel.com, kai.huang@intel.com, xiaoyao.li@intel.com, binbin.wu@linux.intel.com, rick.p.edgecombe@intel.com, david.laight.linux@gmail.com, ak@linux.intel.com, djbw@kernel.org, tsyrulnikov.borys@gmail.com, x86@kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, "Kiryl Shutsemau (Meta)" Subject: [PATCH v4 2/3] x86/insn-eval: Add insn_assign_reg() helper Date: Thu, 4 Jun 2026 15:47:00 +0100 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" KVM's instruction emulator has a small helper, assign_register(), that writes a value into a sub-register with x86 partial-register-write semantics: 1- and 2-byte writes leave the upper bits of the destination untouched, 4-byte writes zero-extend to 64 bits, 8-byte writes overwrite the full register. The TDX guest #VE handler needs the same logic for port I/O emulation to get 32-bit zero-extension right. Rather than copy-pasting the helper, lift it to as insn_assign_reg() so both can use it. Rewrite the body using arithmetic instead of pointer punning so the helper does not depend on -fno-strict-aliasing or little-endian byte order, and add to the header's includes so it builds standalone in callers that have not pulled it in transitively. No functional change. Signed-off-by: Kiryl Shutsemau --- arch/x86/include/asm/insn-eval.h | 25 +++++++++++++++++++++++++ arch/x86/kvm/emulate.c | 26 ++++---------------------- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/arch/x86/include/asm/insn-eval.h b/arch/x86/include/asm/insn-e= val.h index 4733e9064ee5..85251e718a77 100644 --- a/arch/x86/include/asm/insn-eval.h +++ b/arch/x86/include/asm/insn-eval.h @@ -9,6 +9,7 @@ #include #include #include +#include #include =20 #define INSN_CODE_SEG_ADDR_SZ(params) ((params >> 4) & 0xf) @@ -46,4 +47,28 @@ enum insn_mmio_type insn_decode_mmio(struct insn *insn, = int *bytes); =20 bool insn_is_nop(struct insn *insn); =20 +/* + * Write @val into *@reg with x86 partial-register-write semantics: a 1- + * or 2-byte write leaves the upper bits of the destination untouched; a + * 4-byte write zero-extends to 64 bits (matching IN[BWL], MOV[BWL] + * etc.); an 8-byte write overwrites the full register. + */ +static inline void insn_assign_reg(unsigned long *reg, u64 val, int bytes) +{ + switch (bytes) { + case 1: + *reg =3D (*reg & ~0xfful) | (val & 0xff); + break; + case 2: + *reg =3D (*reg & ~0xfffful) | (val & 0xffff); + break; + case 4: + *reg =3D (u32)val; + break; + case 8: + *reg =3D val; + break; + } +} + #endif /* _ASM_X86_INSN_EVAL_H */ diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 8013dccb3110..74972c17edb8 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -24,6 +24,7 @@ #include "kvm_emulate.h" #include #include +#include #include #include #include @@ -439,25 +440,6 @@ static void assign_masked(ulong *dest, ulong src, ulon= g mask) *dest =3D (*dest & ~mask) | (src & mask); } =20 -static void assign_register(unsigned long *reg, u64 val, int bytes) -{ - /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */ - switch (bytes) { - case 1: - *(u8 *)reg =3D (u8)val; - break; - case 2: - *(u16 *)reg =3D (u16)val; - break; - case 4: - *reg =3D (u32)val; - break; /* 64b: zero-extend */ - case 8: - *reg =3D val; - break; - } -} - static inline unsigned long ad_mask(struct x86_emulate_ctxt *ctxt) { return (1UL << (ctxt->ad_bytes << 3)) - 1; @@ -505,7 +487,7 @@ register_address_increment(struct x86_emulate_ctxt *ctx= t, int reg, int inc) { ulong *preg =3D reg_rmw(ctxt, reg); =20 - assign_register(preg, *preg + inc, ctxt->ad_bytes); + insn_assign_reg(preg, *preg + inc, ctxt->ad_bytes); } =20 static void rsp_increment(struct x86_emulate_ctxt *ctxt, int inc) @@ -1766,7 +1748,7 @@ static int load_segment_descriptor(struct x86_emulate= _ctxt *ctxt, =20 static void write_register_operand(struct operand *op) { - return assign_register(op->addr.reg, op->val, op->bytes); + return insn_assign_reg(op->addr.reg, op->val, op->bytes); } =20 static int writeback(struct x86_emulate_ctxt *ctxt, struct operand *op) @@ -2007,7 +1989,7 @@ static int em_popa(struct x86_emulate_ctxt *ctxt) rc =3D emulate_pop(ctxt, &val, ctxt->op_bytes); if (rc !=3D X86EMUL_CONTINUE) break; - assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes); + insn_assign_reg(reg_rmw(ctxt, reg), val, ctxt->op_bytes); --reg; } return rc; --=20 2.54.0 From nobody Mon Jun 8 08:28:04 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 96D7F2DECA8; Thu, 4 Jun 2026 14:47:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584438; cv=none; b=fl1plLXxGbogXgY20ntLofpCdJrTGhNpIJ8dZr376HfjJDd/3QJ9rKU8R7tUa0Z41aoI1Iqi9DnL9nIHJZqs7NL4F2M6MHx8n1hwPUiyo4vBHEq0HyFcLWIG/s8eqldEVQhcKb4b+QMe488GTD1JPz456wPwWIbQFG2efj8e6ao= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780584438; c=relaxed/simple; bh=RL31Gfg1eTNY6OHuTS5TeU5WfcxL4Weqp9TpWAfAUpE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=r2CqnF+apLxPvSmoqNTos8hfo3+2JJjfXqhuv3JTWhZSbWewEsQqGhXWtVNnx77HroeQ+oAWrTEjX8gyDHCdtfgwLXWvcW1qY8SCTlDGc45hqFva2acQEn2JxmHKRLyEEwOVDfd1L6OCNiVCFCLTq9/cy/GUFUEGn/iRftlwtLM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HsMA/eKo; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HsMA/eKo" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A52291F00893; Thu, 4 Jun 2026 14:47:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780584435; bh=BJNiAhUi1JSZBSURTg09310Ft25YHyhdAoc13ntBPJE=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=HsMA/eKoYs0mem0vIicbQeYx0RYO18o6beKHfNDIX6FWHit4NpunspjUPPukemiRy 0Q713MyDJIb2bOGDb+ca+obt+IoY6mVK43ljgd7aOavoGIqFenVTD/mZiK0A7o8IvR aGzV0k7AFb17M/pLjMSmjnkGVn34vgtbRp6wWMGnan3/DVs9yOgun5N8ZZTM8JbGkq IYFv1poJc9r0HW/BIkMILVALE8X0z9TYUXbUVnU75kkDmVf77RVuy8ul37QQ+LFNoP BoAPfedcwwK5X7vc+QVBSpneVBk28vwxa2zN3OuV7I/6M/Z2Jvkc5c439jetqtrVI6 M4xRTOl1kg4PQ== Received: from phl-compute-01.internal (phl-compute-01.internal [10.202.2.41]) by mailfauth.phl.internal (Postfix) with ESMTP id 033EFF40079; Thu, 4 Jun 2026 10:47:14 -0400 (EDT) Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-01.internal (MEProxy); Thu, 04 Jun 2026 10:47:14 -0400 X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: dmFkZTEnbxOoIv6tM0dLsEuDtk1qDKvd9SBoRk315SFIs+8A8nvG6NPaTuTHtWxX09pQd2 kmhZQJAFXIZRoG2uwqXsCvSQLHHFyqPBLRlgDZDOM1R+77uRHXsLwpqHqkuB/xQMEeL5H9 Yh7j9EoCepX3S8oxsk0Q7b1XMMuXVtxHCUg4Aa5UHd0TkOkqN6exGRI2HWKvJ5gzF66+CH 9fJySW0myPH7lfp6BMxlzjyNHqw9L6PwmZLSyt1okrlhfToPVERjX7lBHt/jPkXvBx/Qrl D5naZubOYqFywyiARe2ZjFKnu+RDowAinYmgXtLtTezD1qxkQqUbpHifL2f+9hFdA0KVND GXf7G3DsuFo4qYNje9KnNs2ve3hDdGpDonI7au6HfLD7L8B58SLnTRkAK3zMOZJb8zIVVR qrjGRYiQ7qv1RaaZnF8UokegdOD59s1RcKkd6SHBk2G27FWTTHpsH7ahhm708iwZeycsQ6 baQpQOfcAa878UOJTpb8JYkopMIHV/85qKYNeW5iSsXfDdpDL99//ujKHD2rDXQwEt0PSN vzJMrGhjqDn8uaH0Tcy+xm8nvQp8B20Tj88TCgXezk+nE2asDc8kMTuMNPa1yhm4HCTw4u EG5nYPL137xe+9P4+/wNPgeZz/yg1Hsyf7rXOVyptwAsXc2OKFgPgXZ4IbWA X-ME-Proxy: Feedback-ID: i10464835:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 4 Jun 2026 10:47:13 -0400 (EDT) From: "Kiryl Shutsemau (Meta)" To: tglx@kernel.org, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com Cc: seanjc@google.com, pbonzini@redhat.com, sathyanarayanan.kuppuswamy@linux.intel.com, kai.huang@intel.com, xiaoyao.li@intel.com, binbin.wu@linux.intel.com, rick.p.edgecombe@intel.com, david.laight.linux@gmail.com, ak@linux.intel.com, djbw@kernel.org, tsyrulnikov.borys@gmail.com, x86@kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-kernel@vger.kernel.org, "Kiryl Shutsemau (Meta)" , stable@vger.kernel.org Subject: [PATCH v4 3/3] x86/tdx: Fix zero-extension for 32-bit port I/O Date: Thu, 4 Jun 2026 15:47:01 +0100 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" According to x86 architecture rules, 32-bit operations zero-extend the result to 64 bits. The current implementation of handle_in() only masks the lower 32 bits, which preserves the upper 32 bits of RAX when a 32-bit port IN instruction is emulated. Use insn_assign_reg() to write the result back into RAX with proper partial-register-write semantics: 1- and 2-byte forms leave the upper bits untouched, the 4-byte form zero-extends to the full register. Fixes: 03149948832a ("x86/tdx: Port I/O: Add runtime hypercalls") Reported-by: Borys Tsyrulnikov Link: https://lore.kernel.org/all/CAKw_Dz96rfSQc6Rn+9QBcUFHhmkK+9zu+P=3Dbxo= wfZwxrATCBRg@mail.gmail.com/ Signed-off-by: Kiryl Shutsemau Cc: stable@vger.kernel.org Reviewed-by: Binbin Wu --- arch/x86/coco/tdx/tdx.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 65119362f9a2..41cc23cc63dd 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -693,8 +693,8 @@ static bool handle_in(struct pt_regs *regs, int size, i= nt port) .r13 =3D PORT_READ, .r14 =3D port, }; - u64 mask =3D GENMASK(BITS_PER_BYTE * size - 1, 0); bool success; + u64 val; =20 /* * Emulate the I/O read via hypercall. More info about ABI can be found @@ -702,11 +702,9 @@ static bool handle_in(struct pt_regs *regs, int size, = int port) * "TDG.VP.VMCALL". */ success =3D !__tdx_hypercall(&args); + val =3D success ? args.r11 : 0; =20 - /* Update part of the register affected by the emulated instruction */ - regs->ax &=3D ~mask; - if (success) - regs->ax |=3D args.r11 & mask; + insn_assign_reg(®s->ax, val, size); =20 return success; } --=20 2.54.0