From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64BF36FB2
	for <kvmarm@lists.linux.dev>; Mon, 26 Jun 2023 09:23:27 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0672C433C8;
	Mon, 26 Jun 2023 09:23:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1687771406;
	bh=lBRr288pjC0D5uj0v+Y8mG2y+ZZgp9bff4zUCHYw3SU=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=o8O4ZkRFxcnYFMEUQII/bdyvAl/k/8ZzCUfjxUm2/p0eXBYpO0TdXUi4bATjnFKXB
	 3cQFKb92czPhJ40Jz2UxBfDYvphhBHJ/EWR0qBBSCWnATPUkZNCK6diQI0DVORVv1H
	 rg/tT/KN74RaTZTTkp406VrWLo3jm4a+QIQXvxh1/h+0LqCuf4qSsiO7ApR19SBOGt
	 CIz0hZS7WbhaIH+LQAZ4JLDRJnfxjOFWl5w5T0rSA5qwW/tKiBVejAjzEv3jD0S4UM
	 JsgZ+onZw2A4/4KyLrXs/RGZZ4XuEwEmQ+CqTfdPinSLNUelqL2XHMMnpYunx9HqJb
	 erTpUon1oQIkQ==
Received: from sofa.misterjones.org ([185.219.108.64] helo=goblin-girl.misterjones.org)
	by disco-boy.misterjones.org with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <maz@kernel.org>)
	id 1qDiRQ-008PSM-By;
	Mon, 26 Jun 2023 10:23:24 +0100
Date: Mon, 26 Jun 2023 10:23:24 +0100
Message-ID: <86jzvqbmr7.wl-maz@kernel.org>
From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oliver.upton@linux.dev>
Cc: kvmarm@lists.linux.dev,
	James Morse <james.morse@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	Jing Zhang <jingzhangos@google.com>,
	Reiji Watanabe <reijiw@google.com>
Subject: Re: [PATCH] KVM: arm64: Reject attempts to set invalid debug arch version
In-Reply-To: <20230623205232.2837077-1-oliver.upton@linux.dev>
References: <20230623205232.2837077-1-oliver.upton@linux.dev>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/28.2
 (aarch64-unknown-linux-gnu) MULE/6.0 (HANACHIRUSATO)
Precedence: bulk
X-Mailing-List: kvmarm@lists.linux.dev
List-Id: <kvmarm.lists.linux.dev>
List-Subscribe: <mailto:kvmarm+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:kvmarm+unsubscribe@lists.linux.dev>
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 185.219.108.64
X-SA-Exim-Rcpt-To: oliver.upton@linux.dev, kvmarm@lists.linux.dev, james.morse@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, jingzhangos@google.com, reijiw@google.com
X-SA-Exim-Mail-From: maz@kernel.org
X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false

On Fri, 23 Jun 2023 21:52:32 +0100,
Oliver Upton <oliver.upton@linux.dev> wrote:
> 
> The debug architecture is mandatory in ARMv8, so KVM should not allow
> userspace to configure a vCPU with less than that. Of course, this isn't
> handled elegantly by the generic ID register plumbing, as the respective
> ID register fields have a nonzero starting value.
> 
> Add an explicit check for debug versions less than v8 of the
> architecture.
> 
> Fixes: c118cead07a7 ("KVM: arm64: Use generic sanitisation for ID_(AA64)DFR0_EL1")
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
> ---
>  arch/arm64/kvm/sys_regs.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
> index 1a13bab1a06c..5b25053a8e04 100644
> --- a/arch/arm64/kvm/sys_regs.c
> +++ b/arch/arm64/kvm/sys_regs.c
> @@ -1482,6 +1482,7 @@ static int set_id_aa64dfr0_el1(struct kvm_vcpu *vcpu,
>  			       const struct sys_reg_desc *rd,
>  			       u64 val)
>  {
> +	u8 debugver = SYS_FIELD_GET(ID_AA64DFR0_EL1, DebugVer, val);
>  	u8 pmuver = SYS_FIELD_GET(ID_AA64DFR0_EL1, PMUVer, val);
>  
>  	/*
> @@ -1501,6 +1502,13 @@ static int set_id_aa64dfr0_el1(struct kvm_vcpu *vcpu,
>  	if (pmuver == ID_AA64DFR0_EL1_PMUVer_IMP_DEF)
>  		val &= ~ID_AA64DFR0_EL1_PMUVer_MASK;
>  
> +	/*
> +	 * ID_AA64DFR0_EL1.DebugVer is one of those awkward fields with a
> +	 * nonzero minimum safe value.
> +	 */
> +	if (debugver < ID_AA64DFR0_EL1_DebugVer_IMP)
> +		return -EINVAL;
> +

Why isn't that caught by the check at the end of arm64_check_features
which says that for RO fields, the only safe value is the sanitised
version?

Am I missing something obvious (full disclosure, I've had a single
coffee at this time of the day...)?

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.