From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Maxim Levitsky <mlevitsk@redhat.com>, qemu-stable@nongnu.org
Subject: [PULL 03/27] target/i386: do not consult nonexistent host leaves
Date: Thu, 12 May 2022 19:24:41 +0200
Message-ID: <20220512172505.1065394-4-pbonzini@redhat.com>
In-Reply-To: <20220512172505.1065394-1-pbonzini@redhat.com>

When cache_info_passthrough is requested, QEMU passes the host values
of the cache information CPUID leaves down to the guest. However,
it blindly assumes that the CPUID leaf exists on the host, and this
cannot be guaranteed: for example, KVM has recently started to
synthesize AMD leaves up to 0x80000021 in order to provide accurate
CPU bug information to guests.

Querying a nonexistent host leaf fills the output arguments of
host_cpuid with data that (albeit deterministic) is nonsensical
as cache information, namely the data in the highest Intel CPUID
leaf. If said highest leaf is not ECX-dependent, this can even
cause an infinite loop when kvm_arch_init_vcpu prepares the input
to KVM_SET_CPUID2. The infinite loop is only terminated by an
abort() when the array gets full.

Reported-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/cpu.c | 41 ++++++++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 62c240fa91..c4a17c93f6 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5022,6 +5022,37 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
return r;
}
+static void x86_cpu_get_cache_cpuid(uint32_t func, uint32_t index,
+ uint32_t *eax, uint32_t *ebx,
+ uint32_t *ecx, uint32_t *edx)
+{
+ uint32_t level, unused;
+
+ /* Only return valid host leaves. */
+ switch (func) {
+ case 2:
+ case 4:
+ host_cpuid(0, 0, &level, &unused, &unused, &unused);
+ break;
+ case 0x80000005:
+ case 0x80000006:
+ case 0x8000001d:
+ host_cpuid(0x80000000, 0, &level, &unused, &unused, &unused);
+ break;
+ default:
+ return;
+ }
+
+ if (func > level) {
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
+ *edx = 0;
+ } else {
+ host_cpuid(func, index, eax, ebx, ecx, edx);
+ }
+}
+
/*
* Only for builtin_x86_defs models initialized with x86_register_cpudef_types.
*/
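Review bot: the `default: return;` arm of x86_cpu_get_cache_cpuid leaves *eax, *ebx, *ecx and *edx untouched, so a future caller that passes a leaf outside the five listed silently keeps whatever those registers already held. Every call site in this patch uses a listed leaf, so the arm is unreachable today; making that explicit with `g_assert_not_reached();`, or zeroing the four outputs before returning, would stop a new call site from turning into a read of stale register values. Minor: the label here is spelled `0x8000001d` while the case in cpu_x86_cpuid spells it `0x8000001D`; identical to the compiler, but harder to grep.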
@@ -5280,7 +5311,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 2:
/* cache info: needed for Pentium Pro compatibility */
if (cpu->cache_info_passthrough) {
- host_cpuid(index, 0, eax, ebx, ecx, edx);
+ x86_cpu_get_cache_cpuid(index, 0, eax, ebx, ecx, edx);
break;
} else if (cpu->vendor_cpuid_only && IS_AMD_CPU(env)) {
*eax = *ebx = *ecx = *edx = 0;
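Review bot: the `break` on the cache_info_passthrough branch still bypasses the `vendor_cpuid_only && IS_AMD_CPU(env)` zeroing below it, so an AMD guest model with both properties set gets the host's leaf 2 rather than zeros. That precedence predates this patch and looks intentional, but a one-line comment on the passthrough branch would spare the next reader from checking whether swapping in x86_cpu_get_cache_cpuid changed it.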
@@ -5300,7 +5331,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 4:
/* cache info: needed for Core compatibility */
if (cpu->cache_info_passthrough) {
- host_cpuid(index, count, eax, ebx, ecx, edx);
+ x86_cpu_get_cache_cpuid(index, count, eax, ebx, ecx, edx);
/* QEMU gives out its own APIC IDs, never pass down bits 31..26. */
*eax &= ~0xFC000000;
if ((*eax & 31) && cs->nr_cores > 1) {
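Review bot: the all-zero EAX that x86_cpu_get_cache_cpuid now returns for a missing host leaf 4 is what keeps the `(*eax & 31)` check on the following line, and the ECX sub-leaf walk in kvm_arch_init_vcpu described in the commit message, from ever seeing a nonzero cache-type field; that is the property the fix relies on and it deserves a comment at this call (e.g. `/* all-zero EAX is the "no more caches" terminator */`), since the mask on the line just above makes it easy to assume EAX is always real host data.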
@@ -5702,7 +5733,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 0x80000005:
/* cache info (L1 cache) */
if (cpu->cache_info_passthrough) {
- host_cpuid(index, 0, eax, ebx, ecx, edx);
+ x86_cpu_get_cache_cpuid(index, 0, eax, ebx, ecx, edx);
break;
}
*eax = (L1_DTLB_2M_ASSOC << 24) | (L1_DTLB_2M_ENTRIES << 16) |
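Review bot: when the host lacks leaf 0x80000005, the guest now sees all-zero L1 cache and TLB data instead of the synthetic values built from L1_DTLB_2M_ASSOC and friends just below, because the passthrough branch `break`s before reaching them. If that fallback is preferable to zeros, x86_cpu_get_cache_cpuid could return a bool (false when `func > level`) so this and the other callers can fall through to QEMU's own cache model; zeros are safe for the KVM enumeration loop, so this is a possible follow-up rather than a blocker.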
@@ -5715,7 +5746,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 0x80000006:
/* cache info (L2 cache) */
if (cpu->cache_info_passthrough) {
- host_cpuid(index, 0, eax, ebx, ecx, edx);
+ x86_cpu_get_cache_cpuid(index, 0, eax, ebx, ecx, edx);
break;
}
*eax = (AMD_ENC_ASSOC(L2_DTLB_2M_ASSOC) << 28) |
@@ -5775,7 +5806,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
case 0x8000001D:
*eax = 0;
if (cpu->cache_info_passthrough) {
- host_cpuid(index, count, eax, ebx, ecx, edx);
+ x86_cpu_get_cache_cpuid(index, count, eax, ebx, ecx, edx);
break;
}
switch (count) {
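Review bot: the `*eax = 0;` at the top of this case is now redundant on the passthrough path, since x86_cpu_get_cache_cpuid writes all four outputs for 0x8000001D whether or not the host has the leaf; it is still needed for the non-passthrough `switch (count)` below, so keep it, but moving it under the non-passthrough path (or a short comment) would make the ownership clear. This is also the leaf from the commit message's scenario: with `count` passed as the ECX index and a host whose maximum extended leaf is below 0x8000001D, the helper now returns zeros and the sub-leaf loop stops on its first iteration instead of repeating the highest basic leaf's data until the entry array fills.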
--
2.36.0
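The commit message describes the failure in prose. The C program below, added here as an example and not part of this patch or of QEMU, reproduces it with a constructed host CPUID table in place of the real CPUID instruction so it runs deterministically anywhere: a model Intel-like host whose highest basic leaf is 0x16 (with EAX = 0x834, so bits 4:0 are nonzero) and whose highest extended leaf is 0x80000008; an unchecked `sim_host_cpuid()` that, like the hardware the message relies on, returns the highest basic leaf's data for any out-of-range leaf; a `get_cache_cpuid()` with the same max-leaf check as the patch's `x86_cpu_get_cache_cpuid()`; and a sub-leaf enumeration loop modelled on the KVM_SET_CPUID2 preparation the message refers to (its exact shape in kvm_arch_init_vcpu is assumed, not copied). All function names, leaf values and the 16-entry limit are constructed for this example.

```c
/*
 * Added example, not QEMU code: models the bug fixed by the patch with a
 * constructed host CPUID table instead of the real CPUID instruction.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for KVM_MAX_CPUID_ENTRIES, kept tiny so the overflow shows quickly. */
#define MAX_ENTRIES 16

/* Constructed Intel-like host: highest basic leaf 0x16, highest extended
 * leaf 0x80000008, four cache sub-leaves in leaf 4, no leaf 0x8000001D. */
#define HOST_MAX_BASIC 0x16u
#define HOST_MAX_EXT   0x80000008u

static void set_regs(uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx,
                     uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    *eax = a; *ebx = b; *ecx = c; *edx = d;
}

/* Simulated host_cpuid(): a basic or extended leaf above the host maximum
 * returns the data of the highest basic leaf, which is what Intel parts do
 * and what the commit message relies on. Leaf 0x16 (processor frequency)
 * is not ECX-indexed, and its EAX (2100 MHz = 0x834) has nonzero bits 4:0. */
static void sim_host_cpuid(uint32_t func, uint32_t index,
                           uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
{
    bool ext = func >= 0x80000000u;
    uint32_t max = ext ? HOST_MAX_EXT : HOST_MAX_BASIC;

    if (func > max) {
        func = HOST_MAX_BASIC;   /* out of range: fall to the highest basic leaf */
        index = 0;
    }
    switch (func) {
    case 0:
        set_regs(eax, ebx, ecx, edx, HOST_MAX_BASIC, 0x756e6547, 0x6c65746e, 0x49656e69);
        return;
    case 4: {
        /* Constructed leaf-4 descriptors: bits 4:0 = cache type, 0 terminates. */
        static const uint32_t l4_eax[] = { 0x1c004121, 0x1c004122, 0x1c004143, 0x1c03c163 };
        if (index < 4) {
            set_regs(eax, ebx, ecx, edx, l4_eax[index], 0x01c0003f, 0x3f, 0);
        } else {
            set_regs(eax, ebx, ecx, edx, 0, 0, 0, 0);
        }
        return;
    }
    case HOST_MAX_BASIC:
        set_regs(eax, ebx, ecx, edx, 0x834, 0xe10, 0x64, 0);
        return;
    case 0x80000000u:
        set_regs(eax, ebx, ecx, edx, HOST_MAX_EXT, 0, 0, 0);
        return;
    default:
        set_regs(eax, ebx, ecx, edx, 0, 0, 0, 0);
        return;
    }
}

/* Same shape as the patch's x86_cpu_get_cache_cpuid(), against the model host:
 * consult the host's maximum leaf first and return zeros for leaves above it. */
static void get_cache_cpuid(uint32_t func, uint32_t index,
                            uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
{
    uint32_t level, unused;

    switch (func) {
    case 2:
    case 4:
        sim_host_cpuid(0, 0, &level, &unused, &unused, &unused);
        break;
    case 0x80000005u:
    case 0x80000006u:
    case 0x8000001du:
        sim_host_cpuid(0x80000000u, 0, &level, &unused, &unused, &unused);
        break;
    default:
        return;
    }
    if (func > level) {
        set_regs(eax, ebx, ecx, edx, 0, 0, 0, 0);
    } else {
        sim_host_cpuid(func, index, eax, ebx, ecx, edx);
    }
}

/* Sub-leaf walk modelled on the KVM_SET_CPUID2 preparation the commit message
 * refers to (an assumed shape, not QEMU's code): step ECX until the cache-type
 * field (EAX bits 4:0) reads 0. Returns the number of entries collected, or -1
 * where QEMU would abort() because the entry array filled up. */
static int enumerate_cache_subleaves(uint32_t func, bool checked)
{
    int n = 0;
    for (uint32_t j = 0; ; j++) {
        uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
        if (checked) {
            get_cache_cpuid(func, j, &eax, &ebx, &ecx, &edx);
        } else {
            sim_host_cpuid(func, j, &eax, &ebx, &ecx, &edx);
        }
        if ((eax & 0x1f) == 0) {
            return n;            /* "no more caches": the loop terminates */
        }
        if (++n == MAX_ENTRIES) {
            return -1;           /* array full: real QEMU abort()s here */
        }
    }
}

int main(void)
{
    printf("0x8000001D unchecked: %d\n", enumerate_cache_subleaves(0x8000001du, false));
    printf("0x8000001D checked:   %d\n", enumerate_cache_subleaves(0x8000001du, true));
    printf("leaf 4 unchecked:     %d\n", enumerate_cache_subleaves(4, false));
    printf("leaf 4 checked:       %d\n", enumerate_cache_subleaves(4, true));
    return 0;
}
```

Running it, the unchecked walk of 0x8000001D keeps receiving leaf 0x16's EAX (0x834, cache type 0x14) on every ECX value, fills the 16-entry table and returns -1, the point at which QEMU calls abort(); the checked walk returns 0 entries because the helper zeroes the leaf, and leaf 4, which the model host does implement, yields the same four entries either way.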
Thread overview: 33+ messages
2022-05-12 17:24 [PULL 00/27] Misc patches for 2022-05-12 Paolo Bonzini
2022-05-12 17:24 ` [PULL 01/27] pc-bios/optionrom: detect -fno-pie Paolo Bonzini
2022-05-12 17:24 ` [PULL 02/27] pc-bios/optionrom: compile with -Wno-array-bounds Paolo Bonzini
2022-05-12 17:24 ` Paolo Bonzini [this message]
2022-05-12 17:24 ` [PULL 04/27] checkpatch: fix g_malloc check Paolo Bonzini
2022-05-12 17:24 ` [PULL 05/27] meson: Make mremap() detecting works correctly Paolo Bonzini
2022-05-12 17:24 ` [PULL 06/27] hw/xen/xen_pt: Confine igd-passthrough-isa-bridge to XEN Paolo Bonzini
2022-05-12 17:24 ` [PULL 07/27] hw/xen/xen_pt: Resolve igd_passthrough_isa_bridge_create() indirection Paolo Bonzini
2022-05-12 17:24 ` [PULL 08/27] tests/qtest/libqos/pci: Introduce pio_limit Paolo Bonzini
2022-05-12 17:24 ` [PULL 09/27] tests/qtest/libqos: Skip hotplug tests if pci root bus is not hotpluggable Paolo Bonzini
2022-05-12 17:24 ` [PULL 10/27] tests/qtest/libqos: Add generic pci host bridge in arm-virt machine Paolo Bonzini
2022-05-12 17:24 ` [PULL 11/27] machine: use QAPI struct for boot configuration Paolo Bonzini
2022-05-12 17:24 ` [PULL 12/27] machine: add boot compound property Paolo Bonzini
2022-05-12 17:24 ` [PULL 13/27] machine: add mem " Paolo Bonzini
2022-06-13 13:42 ` Markus Armbruster
2022-08-05 9:30 ` Regression in -readconfig [memory] size (was: [PULL 13/27] machine: add mem compound property) Markus Armbruster
2022-08-05 9:42 ` Paolo Bonzini
2022-08-05 9:51 ` Daniel P. Berrangé
2022-05-12 17:24 ` [PULL 14/27] machine: make memory-backend a link property Paolo Bonzini
2022-05-12 17:24 ` [PULL 15/27] machine: move more memory validation to Machine object Paolo Bonzini
2022-05-12 17:24 ` [PULL 16/27] slirp: bump submodule past 4.7 release Paolo Bonzini
2022-05-12 17:24 ` [PULL 17/27] net: slirp: introduce a wrapper struct for QemuTimer Paolo Bonzini
2022-05-12 17:24 ` [PULL 18/27] net: slirp: switch to slirp_new Paolo Bonzini
2022-05-12 17:24 ` [PULL 19/27] net: slirp: add support for CFI-friendly timer API Paolo Bonzini
2022-05-12 17:24 ` [PULL 20/27] net: slirp: allow CFI with libslirp >= 4.7 Paolo Bonzini
2022-05-12 17:24 ` [PULL 21/27] coroutine-lock: qemu_co_queue_next is a coroutine-only qemu_co_enter_next Paolo Bonzini
2022-05-12 17:25 ` [PULL 22/27] coroutine-lock: introduce qemu_co_queue_enter_all Paolo Bonzini
2022-05-12 17:25 ` [PULL 23/27] coroutine-lock: qemu_co_queue_restart_all is a coroutine-only qemu_co_enter_all Paolo Bonzini
2022-05-12 17:25 ` [PULL 24/27] vhost-backend: do not depend on CONFIG_VHOST_VSOCK Paolo Bonzini
2022-05-12 17:25 ` [PULL 25/27] meson: link libpng independent of vnc Paolo Bonzini
2022-05-12 17:25 ` [PULL 26/27] vl: make machine type deprecation a warning Paolo Bonzini
2022-05-12 17:25 ` [PULL 27/27] vmxcap: add tertiary execution controls Paolo Bonzini
2022-05-12 21:14 ` [PULL 00/27] Misc patches for 2022-05-12 Richard Henderson