[RFC PATCH 12/27] KVM: x86: Split KVM CPU cap leafs into two parts

[Binbin Wu <binbin.wu@linux.intel.com>]

Introduce NR_KVM_CPU_CAPS_PARANOID as the total number of KVM CPUID
leafs, distinct from NR_KVM_CPU_CAPS which denotes only the leafs
tracked in the per-vCPU cpu_caps[] array.

The number of per-overlay leafs in the global kvm_cpu_caps[][] array is
extended to NR_KVM_CPU_CAPS_PARANOID so that it can hold both CPUID
leafs queried by KVM during vCPU runtime and additional leafs used
exclusively for CPUID paranoid mode validation.  The per-vCPU
cpu_caps[] array in kvm_vcpu_arch remains sized to NR_KVM_CPU_CAPS,
since KVM only cares these leaves during vCPU running and should not
grow when paranoid-mode-only leaves are added.

Add BUILD_BUG_ON() for guest_cpu_cap_{set, clear, has}() to prevent
accidental out-of-bounds access to the per-vCPU array with leaves that
are only present in the global array.

No functional change, as NR_KVM_CPU_CAPS_PARANOID == NR_KVM_CPU_CAPS
until paranoid-only leaves are introduced.

Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
---
 arch/x86/include/asm/kvm_host.h | 13 +++++++++----
 arch/x86/kvm/cpuid.c            |  4 ++--
 arch/x86/kvm/cpuid.h            |  5 ++++-
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index c470e40a00aa..75895ab569fb 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -774,9 +774,12 @@ struct kvm_queued_exception {
 };
 
 /*
- * Hardware-defined CPUID leafs that are either scattered by the kernel or are
- * unknown to the kernel, but need to be directly used by KVM.  Note, these
- * word values conflict with the kernel's "bug" caps, but KVM doesn't use those.
+ * The leafs before NR_KVM_CPU_CAPS are hardware-defined CPUID leafs that are
+ * either scattered by the kernel or are unknown to the kernel, but need to be
+ * directly used by KVM during vCPU running.  Note, these word values conflict
+ * with the kernel's "bug" caps, but KVM doesn't use those.
+ * The leafs from NR_KVM_CPU_CAPS and above are only used for validation of
+ * CPUID inputs from userspace in CPUID paranoid mode.
  */
 enum kvm_only_cpuid_leafs {
 	CPUID_12_EAX	 = NCAPINTS,
@@ -789,9 +792,11 @@ enum kvm_only_cpuid_leafs {
 	CPUID_7_1_ECX,
 	CPUID_1E_1_EAX,
 	CPUID_24_1_ECX,
+	/* End of the leafs tracked by per-vcpu caps. */
 	NR_KVM_CPU_CAPS,
+	NR_KVM_CPU_CAPS_PARANOID = NR_KVM_CPU_CAPS,
 
-	NKVMCAPINTS = NR_KVM_CPU_CAPS - NCAPINTS,
+	NKVMCAPINTS = NR_KVM_CPU_CAPS_PARANOID - NCAPINTS,
 };
 
 struct kvm_vcpu_arch {
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 71959f4918e7..78d8f89d6079 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -33,7 +33,7 @@
  * Unlike "struct cpuinfo_x86.x86_capability", kvm_cpu_caps doesn't need to be
  * aligned to sizeof(unsigned long) because it's not accessed via bitops.
  */
-u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS] __read_mostly;
+u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS_PARANOID] __read_mostly;
 EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_cpu_caps);
 
 bool kvm_is_configuring_cpu_caps __read_mostly;
@@ -382,7 +382,7 @@ void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
 	int i;
 
 	memset(vcpu->arch.cpu_caps, 0, sizeof(vcpu->arch.cpu_caps));
-	BUILD_BUG_ON(ARRAY_SIZE(reverse_cpuid) != NR_KVM_CPU_CAPS);
+	BUILD_BUG_ON(ARRAY_SIZE(reverse_cpuid) != NR_KVM_CPU_CAPS_PARANOID);
 
 	/*
 	 * Reset guest capabilities to userspace's guest CPUID definition, i.e.
diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
index c3f2417c7980..bdfaedb1cfcc 100644
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -31,7 +31,7 @@ static inline u8 get_cpuid_overlay(struct kvm *kvm)
 	return CPUID_OL_VMX;
 }
 
-extern u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS] __read_mostly;
+extern u32 kvm_cpu_caps[NR_CPUID_OL][NR_KVM_CPU_CAPS_PARANOID] __read_mostly;
 extern bool kvm_is_configuring_cpu_caps __read_mostly;
 
 void kvm_initialize_cpu_caps(void);
@@ -273,6 +273,7 @@ static __always_inline void guest_cpu_cap_set(struct kvm_vcpu *vcpu,
 {
 	unsigned int x86_leaf = __feature_leaf(x86_feature);
 
+	BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
 	vcpu->arch.cpu_caps[x86_leaf] |= __feature_bit(x86_feature);
 }
 
@@ -281,6 +282,7 @@ static __always_inline void guest_cpu_cap_clear(struct kvm_vcpu *vcpu,
 {
 	unsigned int x86_leaf = __feature_leaf(x86_feature);
 
+	BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
 	vcpu->arch.cpu_caps[x86_leaf] &= ~__feature_bit(x86_feature);
 }
 
@@ -299,6 +301,7 @@ static __always_inline bool guest_cpu_cap_has(struct kvm_vcpu *vcpu,
 {
 	unsigned int x86_leaf = __feature_leaf(x86_feature);
 
+	BUILD_BUG_ON(x86_leaf >= NR_KVM_CPU_CAPS);
 	/*
 	 * Except for MWAIT, querying dynamic feature bits is disallowed, so
 	 * that KVM can defer runtime updates until the next CPUID emulation.
-- 
2.46.0