Date: Mon, 22 Jun 2026 16:55:05 -0700
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260618185515.2021642-1-seanjc@google.com>
Subject: Re: [PATCH] KVM: x86: Clamp the EOI vector if it's OOB instead of bugging the kernel
From: Sean Christopherson
To: Kai Huang
Cc: "pbonzini@redhat.com", "kvm@vger.kernel.org", "linux-kernel@vger.kernel.org"

On Fri, Jun 19, 2026, Kai Huang wrote:
> On Thu, 2026-06-18 at 11:55 -0700, Sean Christopherson wrote:
> > If KVM handles an I/O APIC EOI exit request with a bad vector, clamp the
> > vector to 255 and hope for the best instead of bugging the host. In all
> > likelihood, a missed EOI is survivable for the guest, and it's most
> > definitely not remotely fatal to the host, i.e. potentially panicking the
> > host is completely unjustified. Arbitrarily use 255 for the dummy vector,
> > the goal is purely to ensure the vector is covered by the bitmap.
>
> 255 is a valid vector. How about using a CPU-reserved one instead (e.g., vector
> 0) and hope for the best?

I was thinking it would be better to err on the side of spuriously exiting to
userspace, versus suppressing an exit? And I wanted to keep the vector legal,
in case something else in KVM cares about legal vectors?

Hmm, but using 255 is bad because it likely will never be cleared, and thus
will block other EOI exits due to 255 being the highest priority vector.

Ah, and the field is never explicitly initialized beyond the structure being,
so its starting state is '0' as well.

My only hesitation with zero is that in the unlikely case bit 0 is set in
ioapic_handled_vectors, userspace will be extra confused. But that's easy
enough to deal with, just skip the check.

This?
	if (kvm_check_request(KVM_REQ_IOAPIC_EOI_EXIT, vcpu)) {
		/*
		 * A pending vector outside 0..255 can't be looked up in the
		 * bitmap; warn, reset it to 0 and skip this exit rather than
		 * bugging the host or reporting a made-up vector to userspace.
		 */
		if (WARN_ON_ONCE(vcpu->arch.pending_ioapic_eoi < 0 ||
				 vcpu->arch.pending_ioapic_eoi > 255))
			vcpu->arch.pending_ioapic_eoi = 0;
		else if (test_bit(vcpu->arch.pending_ioapic_eoi,
				  vcpu->arch.ioapic_handled_vectors)) {
			vcpu->run->exit_reason = KVM_EXIT_IOAPIC_EOI;
			vcpu->run->eoi.vector = vcpu->arch.pending_ioapic_eoi;
			r = 0;
			goto out;
		}
	}
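As an added illustration that is not code from this thread or from KVM, the following user-space C model compares the two policies discussed above for an out-of-range pending EOI vector: the original patch's clamp-to-255 (which still runs the bitmap test) against the revised warn-reset-to-0-and-skip. The bitmap helpers, the struct names and the registered vectors 32 and 255 are constructed assumptions.

```c
#include <stdbool.h>
/* Constructed model of the I/O APIC EOI-exit check from the thread; the
 * bitmap helpers and result struct are stand-ins, not kernel code. */
#define NR_VECTORS 256
#define BITS_PER_LONG (8 * sizeof(unsigned long))
struct eoi_result {
	int action;		/* 0: no exit, 1: KVM_EXIT_IOAPIC_EOI to userspace */
	int pending_after;	/* value left in the pending-EOI field */
	int exit_vector;	/* vector reported to userspace, or -1 */
	int warned;		/* 1 if the out-of-range WARN_ON_ONCE would fire */
};

static bool vec_test(const unsigned long *bm, unsigned v)
{
	return bm[v / BITS_PER_LONG] & (1UL << (v % BITS_PER_LONG));
}

static void vec_set(unsigned long *bm, unsigned v)
{
	bm[v / BITS_PER_LONG] |= 1UL << (v % BITS_PER_LONG);
}

/* clamp_to_255: the original patch's policy (clamp to 255, still test the
 * bitmap). Otherwise the revised one: warn, reset to 0, skip the test. */
static struct eoi_result handle_eoi(int pending, const unsigned long *handled, bool clamp_to_255)
{
	struct eoi_result r = { 0, pending, -1, 0 };
	if (pending < 0 || pending > 255) {
		r.warned = 1;
		r.pending_after = clamp_to_255 ? 255 : 0;
		if (!clamp_to_255)
			return r;	/* never forward a made-up vector */
	}
	if (vec_test(handled, (unsigned)r.pending_after)) {
		r.action = 1;
		r.exit_vector = r.pending_after;
	}
	return r;
}

/* Constructed scenario: userspace registered vectors 32 and 255 for EOI
 * notification; 'pending' is whatever the request left in the field. */
static struct eoi_result run_scenario(int pending, bool clamp_to_255)
{
	unsigned long handled[NR_VECTORS / BITS_PER_LONG] = { 0 };
	vec_set(handled, 32);
	vec_set(handled, 255);
	return handle_eoi(pending, handled, clamp_to_255);
}
```

With vector 255 registered, `run_scenario(300, true)` reports a spurious exit for vector 255, while `run_scenario(300, false)` warns, leaves the field at 0 and exits nowhere.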