From: Binbin Wu <binbin.wu@linux.intel.com>
To: kvm@vger.kernel.org
Cc: pbonzini@redhat.com, seanjc@google.com,
rick.p.edgecombe@intel.com, xiaoyao.li@intel.com,
chao.gao@intel.com, kai.huang@intel.com,
binbin.wu@linux.intel.com
Subject: [RFC PATCH 12/27] KVM: x86: Split KVM CPU cap leafs into two parts
Date: Fri, 17 Apr 2026 15:35:55 +0800
Message-ID: <20260417073610.3246316-13-binbin.wu@linux.intel.com>
In-Reply-To: <20260417073610.3246316-1-binbin.wu@linux.intel.com>
Introduce NR_KVM_CPU_CAPS_PARANOID as the total number of KVM CPUID
leafs, distinct from NR_KVM_CPU_CAPS which denotes only the leafs
tracked in the per-vCPU cpu_caps[] array.

The number of per-overlay leafs in the global kvm_cpu_caps[][] array is
extended to NR_KVM_CPU_CAPS_PARANOID so that it can hold both CPUID
leafs queried by KVM during vCPU runtime and additional leafs used
exclusively for CPUID paranoid mode validation. The per-vCPU
cpu_caps[] array in kvm_vcpu_arch remains sized to NR_KVM_CPU_CAPS,
since KVM only cares about these leaves while the vCPU is running, and
the array should not grow when paranoid-mode-only leaves are added.

Add BUILD_BUG_ON() for guest_cpu_cap_{set, clear, has}() to prevent
accidental out-of-bounds access to the per-vCPU array with leaves that
are only present in the global array.

No functional change, as NR_KVM_CPU_CAPS_PARANOID == NR_KVM_CPU_CAPS
until paranoid-only leaves are introduced.
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
---
arch/x86/include/asm/kvm_host.h | 13 +++++++++----
arch/x86/kvm/cpuid.c | 4 ++--
arch/x86/kvm/cpuid.h | 5 ++++-
3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index c470e40a00aa..75895ab569fb 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -774,9 +774,12 @@ struct kvm_queued_exception {
};
/*
- * Hardware-defined CPUID leafs that are either scattered by the kernel or are
- * unknown to the kernel, but need to be directly used by KVM. Note, these
- * word values conflict with the kernel's "bug" caps, but KVM doesn't use those.
+ * The leafs before NR_KVM_CPU_CAPS are hardware-defined CPUID leafs that are
+ * either scattered by the kernel or are unknown to the kernel, but need to be
+ * directly used by KVM during vCPU running. Note, these word values conflict
+ * with the kernel's "bug" caps, but KVM doesn't use those.
+ * The leafs from NR_KVM_CPU_CAPS and above are only used for validation of
+ * CPUID inputs from userspace in CPUID paranoid mode.
*/
enum kvm_only_cpuid_leafs {
CPUID_12_EAX = NCAPINTS,
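Review bot: the rewritten comment describes the two ranges but never says which array each constant bounds, which is the point a reader of kvm_host.h needs most; suggest closing the comment with one sentence such as "NR_KVM_CPU_CAPS is the size of the per-vCPU cpu_caps[] array, NR_KVM_CPU_CAPS_PARANOID the per-overlay size of the global kvm_cpu_caps[][] array." so the relationship is documented where the enum lives rather than only in cpuid.c.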
@@ -789,9 +792,11 @@ enum kvm_only_cpuid_leafs {
CPUID_7_1_ECX,
CPUID_1E_1_EAX,
CPUID_24_1_ECX,
+ /* End of the leafs tracked by per-vcpu caps. */
NR_KVM_CPU_CAPS,
+ NR_KVM_CPU_CAPS_PARANOID = NR_KVM_CPU_CAPS,
- NKVMCAPINTS = NR_KVM_CPU_CAPS - NCAPINTS,
+ NKVMCAPINTS = NR_KVM_CPU_CAPS_PARANOID - NCAPINTS,
};
struct kvm_vcpu_arch {
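Review bot: the explicit initializer in `NR_KVM_CPU_CAPS_PARANOID = NR_KVM_CPU_CAPS,` is a trap for the follow-up that adds the first paranoid-only leaf: a leaf inserted between the two enumerators takes the value NR_KVM_CPU_CAPS while NR_KVM_CPU_CAPS_PARANOID stays pinned to that same value, so kvm_cpu_caps[][] and NKVMCAPINTS would silently be one entry short. Since dropping the initializer now would bump the value by one and break the "no functional change" claim, suggest a comment at the insertion point, e.g. "/* Paranoid-only leafs go here; drop the initializer below when adding the first one. */", so the mistake is hard to make.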
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 71959f4918e7..78d8f89d6079 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -33,7 +33,7 @@
* Unlike "struct cpuinfo_x86.x86_capability", kvm_cpu_caps doesn't need to be
* aligned to sizeof(unsigned long) because it's not accessed via bitops.
*/
-u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS] __read_mostly;
+u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS_PARANOID] __read_mostly;
EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_cpu_caps);
bool kvm_is_configuring_cpu_caps __read_mostly;
@@ -382,7 +382,7 @@ void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
int i;
memset(vcpu->arch.cpu_caps, 0, sizeof(vcpu->arch.cpu_caps));
- BUILD_BUG_ON(ARRAY_SIZE(reverse_cpuid) != NR_KVM_CPU_CAPS);
+ BUILD_BUG_ON(ARRAY_SIZE(reverse_cpuid) != NR_KVM_CPU_CAPS_PARANOID);
/*
* Reset guest capabilities to userspace's guest CPUID definition, i.e.
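Review bot: the updated BUILD_BUG_ON compares ARRAY_SIZE(reverse_cpuid) against NR_KVM_CPU_CAPS_PARANOID, but reverse_cpuid's declaration is not among the three files touched by this patch, so the assertion passes only because the two constants are currently equal; the patch that introduces the first paranoid-only leaf will have to resize reverse_cpuid in the same change or the build breaks. Either state that dependency in the commit message or move the reverse_cpuid resize into this patch. Separately, the memset above correctly uses sizeof(vcpu->arch.cpu_caps), which stays at NR_KVM_CPU_CAPS entries; any copy from kvm_cpu_caps[ol] into vcpu->arch.cpu_caps further down this function must now bound on NR_KVM_CPU_CAPS rather than on the source array, since the two differ in size from here on.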
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index c3f2417c7980..bdfaedb1cfcc 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -31,7 +31,7 @@ static inline u8 get_cpuid_overlay(struct kvm *kvm)
return CPUID_OL_VMX;
}
-extern u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS] __read_mostly;
+extern u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS_PARANOID] __read_mostly;
extern bool kvm_is_configuring_cpu_caps __read_mostly;
void kvm_initialize_cpu_caps(void);
@@ -273,6 +273,7 @@ static __always_inline void guest_cpu_cap_set(struct kvm_vcpu *vcpu,
{
unsigned int x86_leaf = __feature_leaf(x86_feature);
+ BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
vcpu->arch.cpu_caps[x86_leaf] |= __feature_bit(x86_feature);
}
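Review bot: the same `BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);` is pasted into guest_cpu_cap_set(), guest_cpu_cap_clear() and guest_cpu_cap_has(); a single helper next to __feature_leaf() (for example a hypothetical guest_cpu_cap_check(x86_leaf)) would keep the bound in one place when the per-vCPU array grows or another accessor is added. Note also that BUILD_BUG_ON only catches the overrun when x86_leaf is a compile-time constant, which holds for these __always_inline helpers as long as every caller passes a literal X86_FEATURE_* value; a non-constant argument compiles without the check, so that expectation is worth a short comment on the helpers.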
@@ -281,6 +282,7 @@ static __always_inline void guest_cpu_cap_clear(struct kvm_vcpu *vcpu,
{
unsigned int x86_leaf = __feature_leaf(x86_feature);
+ BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
vcpu->arch.cpu_caps[x86_leaf] &= ~__feature_bit(x86_feature);
}
@@ -299,6 +301,7 @@ static __always_inline bool guest_cpu_cap_has(struct kvm_vcpu *vcpu,
{
unsigned int x86_leaf = __feature_leaf(x86_feature);
+ BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
/*
* Except for MWAIT, querying dynamic feature bits is disallowed, so
* that KVM can defer runtime updates until the next CPUID emulation.
--
2.46.0