From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oupton@google.com>
Cc: kvm@vger.kernel.org, Peter Shier <pshier@google.com>,
Raghavendra Rao Anata <rananta@google.com>,
kvmarm@lists.cs.columbia.edu
Subject: Re: [PATCH 3/4] KVM: arm64: Enforce reserved bits for PSCI target affinities
Date: Wed, 18 Aug 2021 12:12:52 +0100 [thread overview]
Message-ID: <87pmubrop7.wl-maz@kernel.org> (raw)
In-Reply-To: <20210818085047.1005285-4-oupton@google.com>
On Wed, 18 Aug 2021 09:50:46 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Some calls in PSCI take a target affinity argument, defined to be
> bit-compatible with the affinity fields in MPIDR_EL1. All other bits in
> the parameter are reserved and must be 0.
For future reference, it may be worth quoting the spec (ARM DEN 0022D,
5.1.4 "CPU_ON").
> Return INVALID_PARAMETERS if the guest incorrectly sets a reserved
> bit.
>
> Signed-off-by: Oliver Upton <oupton@google.com>
> ---
> arch/arm64/kvm/psci.c | 20 +++++++++++++++++---
> 1 file changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kvm/psci.c b/arch/arm64/kvm/psci.c
> index db4056ecccfd..bb76be01abd2 100644
> --- a/arch/arm64/kvm/psci.c
> +++ b/arch/arm64/kvm/psci.c
> @@ -59,6 +59,17 @@ static void kvm_psci_vcpu_off(struct kvm_vcpu *vcpu)
> kvm_vcpu_kick(vcpu);
> }
>
> +static inline bool kvm_psci_valid_affinity(struct kvm_vcpu *vcpu,
> + unsigned long affinity)
> +{
> + unsigned long mask = MPIDR_HWID_BITMASK;
> +
> + if (vcpu_mode_is_32bit(vcpu))
> + mask &= ~((u32) 0);
I don't think we need this anymore since 5.7:
- fdc9999e20cd ("KVM: arm64: PSCI: Forbid 64bit functions for 32bit
guests") guarantees that the guest can't trick KVM into using the
SMC64 functions.
- with 2890ac993daa ("KVM: arm64: PSCI: Narrow input registers when
using 32bit functions"), the registers are always narrowed down to
32bit
Put the two together, and you can't have a 32bit guest issuing a PSCI
operation with crap in the upper 32bits.
> +
> + return !(affinity & ~mask);
So the whole helper can now be rewritten as
return !(affinity & ~MPIDR_HWID_BITMASK);
> +}
> +
> static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu)
> {
> struct vcpu_reset_state *reset_state;
> @@ -66,9 +77,9 @@ static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu)
> struct kvm_vcpu *vcpu = NULL;
> unsigned long cpu_id;
>
> - cpu_id = smccc_get_arg1(source_vcpu) & MPIDR_HWID_BITMASK;
> - if (vcpu_mode_is_32bit(source_vcpu))
> - cpu_id &= ~((u32) 0);
> + cpu_id = smccc_get_arg1(source_vcpu);
> + if (!kvm_psci_valid_affinity(source_vcpu, cpu_id))
> + return PSCI_RET_INVALID_PARAMS;
>
> vcpu = kvm_mpidr_to_vcpu(kvm, cpu_id);
>
> @@ -126,6 +137,9 @@ static unsigned long kvm_psci_vcpu_affinity_info(struct kvm_vcpu *vcpu)
> target_affinity = smccc_get_arg1(vcpu);
> lowest_affinity_level = smccc_get_arg2(vcpu);
>
> + if (!kvm_psci_valid_affinity(vcpu, target_affinity))
> + return PSCI_RET_INVALID_PARAMS;
> +
> /* Determine target affinity mask */
> target_affinity_mask = psci_affinity_mask(lowest_affinity_level);
> if (!target_affinity_mask)
Otherwise, looks good to me.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oupton@google.com>
Cc: kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
Peter Shier <pshier@google.com>,
Ricardo Koller <ricarkol@google.com>,
Jing Zhang <jingzhangos@google.com>,
Raghavendra Rao Anata <rananta@google.com>,
James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>
Subject: Re: [PATCH 3/4] KVM: arm64: Enforce reserved bits for PSCI target affinities
Date: Wed, 18 Aug 2021 12:12:52 +0100 [thread overview]
Message-ID: <87pmubrop7.wl-maz@kernel.org> (raw)
In-Reply-To: <20210818085047.1005285-4-oupton@google.com>
On Wed, 18 Aug 2021 09:50:46 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Some calls in PSCI take a target affinity argument, defined to be
> bit-compatible with the affinity fields in MPIDR_EL1. All other bits in
> the parameter are reserved and must be 0.
For future reference, it may be worth quoting the spec (ARM DEN 0022D,
5.1.4 "CPU_ON").
> Return INVALID_PARAMETERS if the guest incorrectly sets a reserved
> bit.
>
> Signed-off-by: Oliver Upton <oupton@google.com>
> ---
> arch/arm64/kvm/psci.c | 20 +++++++++++++++++---
> 1 file changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kvm/psci.c b/arch/arm64/kvm/psci.c
> index db4056ecccfd..bb76be01abd2 100644
> --- a/arch/arm64/kvm/psci.c
> +++ b/arch/arm64/kvm/psci.c
> @@ -59,6 +59,17 @@ static void kvm_psci_vcpu_off(struct kvm_vcpu *vcpu)
> kvm_vcpu_kick(vcpu);
> }
>
> +static inline bool kvm_psci_valid_affinity(struct kvm_vcpu *vcpu,
> + unsigned long affinity)
> +{
> + unsigned long mask = MPIDR_HWID_BITMASK;
> +
> + if (vcpu_mode_is_32bit(vcpu))
> + mask &= ~((u32) 0);
I don't think we need this anymore since 5.7:
- fdc9999e20cd ("KVM: arm64: PSCI: Forbid 64bit functions for 32bit
guests") guarantees that the guest can't trick KVM into using the
SMC64 functions.
- with 2890ac993daa ("KVM: arm64: PSCI: Narrow input registers when
using 32bit functions"), the registers are always narrowed down to
32bit
Put the two together, and you can't have a 32bit guest issuing a PSCI
operation with crap in the upper 32bits.
> +
> + return !(affinity & ~mask);
So the whole helper can now be rewritten as
return !(affinity & ~MPIDR_HWID_BITMASK);
> +}
> +
> static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu)
> {
> struct vcpu_reset_state *reset_state;
> @@ -66,9 +77,9 @@ static unsigned long kvm_psci_vcpu_on(struct kvm_vcpu *source_vcpu)
> struct kvm_vcpu *vcpu = NULL;
> unsigned long cpu_id;
>
> - cpu_id = smccc_get_arg1(source_vcpu) & MPIDR_HWID_BITMASK;
> - if (vcpu_mode_is_32bit(source_vcpu))
> - cpu_id &= ~((u32) 0);
> + cpu_id = smccc_get_arg1(source_vcpu);
> + if (!kvm_psci_valid_affinity(source_vcpu, cpu_id))
> + return PSCI_RET_INVALID_PARAMS;
>
> vcpu = kvm_mpidr_to_vcpu(kvm, cpu_id);
>
> @@ -126,6 +137,9 @@ static unsigned long kvm_psci_vcpu_affinity_info(struct kvm_vcpu *vcpu)
> target_affinity = smccc_get_arg1(vcpu);
> lowest_affinity_level = smccc_get_arg2(vcpu);
>
> + if (!kvm_psci_valid_affinity(vcpu, target_affinity))
> + return PSCI_RET_INVALID_PARAMS;
> +
> /* Determine target affinity mask */
> target_affinity_mask = psci_affinity_mask(lowest_affinity_level);
> if (!target_affinity_mask)
Otherwise, looks good to me.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2021-08-18 11:13 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-18 8:50 [PATCH 0/4] KVM: arm64: Fix some races in CPU_ON PSCI call Oliver Upton
2021-08-18 8:50 ` Oliver Upton
2021-08-18 8:50 ` [PATCH 1/4] KVM: arm64: Fix read-side race on updates to vcpu reset state Oliver Upton
2021-08-18 8:50 ` Oliver Upton
2021-08-18 10:06 ` Marc Zyngier
2021-08-18 10:06 ` Marc Zyngier
2021-08-18 8:50 ` [PATCH 2/4] KVM: arm64: Handle PSCI resets before userspace touches vCPU state Oliver Upton
2021-08-18 8:50 ` Oliver Upton
2021-08-18 10:38 ` Marc Zyngier
2021-08-18 10:38 ` Marc Zyngier
2021-08-18 8:50 ` [PATCH 3/4] KVM: arm64: Enforce reserved bits for PSCI target affinities Oliver Upton
2021-08-18 8:50 ` Oliver Upton
2021-08-18 11:12 ` Marc Zyngier [this message]
2021-08-18 11:12 ` Marc Zyngier
2021-08-18 8:50 ` [PATCH 4/4] selftests: KVM: Introduce psci_cpu_on_test Oliver Upton
2021-08-18 8:50 ` Oliver Upton
2021-08-18 14:42 ` Andrew Jones
2021-08-18 14:42 ` Andrew Jones
2021-08-18 11:32 ` [PATCH 0/4] KVM: arm64: Fix some races in CPU_ON PSCI call Marc Zyngier
2021-08-18 11:32 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmubrop7.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=oupton@google.com \
--cc=pshier@google.com \
--cc=rananta@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.