QEMU-Devel Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Magnus Kulke <magnuskulke@linux.microsoft.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [PULL 23/45] accel/mshv: store partition proc features
Date: Tue, 30 Jun 2026 18:59:52 +0200	[thread overview]
Message-ID: <akP2CAiVH6XEMi0z@example.com> (raw)
In-Reply-To: <CAFEAcA_TQHLNswnYhGKVf8bY+oy_fxWDoTTbunrwXGtAcV-gbw@mail.gmail.com>

On Mon, Jun 29, 2026 at 03:27:40PM +0100, Peter Maydell wrote:
> On Fri, 26 Jun 2026 at 11:23, Paolo Bonzini <pbonzini@redhat.com> wrote:
> >
> > From: Magnus Kulke <magnuskulke@linux.microsoft.com>
> >
> > We retrieve and store processor features on the state, so we can query
> > them later when deciding which MSRs to migrate.
> >
> > Signed-off-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
> > Link: https://lore.kernel.org/r/20260417105618.3621-19-magnuskulke@linux.microsoft.com
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> Coverity points out what looks like an error in this commit
> (CID 1660876):
> 
> > ---
> >  include/hw/hyperv/hvhdk.h |  2 +-
> >  include/system/mshv_int.h |  3 +++
> >  accel/mshv/mshv-all.c     | 57 +++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 61 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/hw/hyperv/hvhdk.h b/include/hw/hyperv/hvhdk.h
> > index 9ad16c47da9..9e6dcb22f61 100644
> > --- a/include/hw/hyperv/hvhdk.h
> > +++ b/include/hw/hyperv/hvhdk.h
> > @@ -353,7 +353,7 @@ union hv_partition_processor_features {
> >          uint64_t lass_support:1;
> >          uint64_t idle_hlt_intercept_support:1;
> >          uint64_t msr_list_support:1;
> > -    };
> > +    } QEMU_PACKED;
> >  };
> 
> hv_partition_processor_features is a union of a 2-element
> uint64_t array and a pile of bitfields...
> 
> >
> >  enum hv_translate_gva_result_code {
> > diff --git a/include/system/mshv_int.h b/include/system/mshv_int.h
> > index 5eef2e6e2cb..0cf68d2879e 100644
> > --- a/include/system/mshv_int.h
> > +++ b/include/system/mshv_int.h
> > @@ -14,6 +14,8 @@
> >  #ifndef QEMU_MSHV_INT_H
> >  #define QEMU_MSHV_INT_H
> >
> > +#include "hw/hyperv/hvhdk.h"
> > +
> >  #define MSHV_MSR_ENTRIES_COUNT 64
> >
> >  typedef struct hyperv_message hv_message;
> > @@ -53,6 +55,7 @@ struct MshvState {
> >      int nr_allocated_irq_routes;
> >      unsigned long *used_gsi_bitmap;
> >      unsigned int gsi_count;
> > +    union hv_partition_processor_features processor_features;
> 
> ...and processor_features is a field with one of those unions.
> 
> >  };
> >
> 
> > +static int get_proc_features(int vm_fd,
> > +                             union hv_partition_processor_features *features)
> 
> In this function we take a pointer to a union hv_partition_processor_features...
> 
> > +{
> > +    int ret;
> > +
> > +    ret = get_partition_property(vm_fd,
> > +                                 HV_PARTITION_PROPERTY_PROCESSOR_FEATURES0,
> > +                                 features[0].as_uint64);
> > +    if (ret < 0) {
> > +        error_report("Failed to get processor features bank 0");
> > +        return -1;
> > +    }
> > +
> > +    ret = get_partition_property(vm_fd,
> > +                                 HV_PARTITION_PROPERTY_PROCESSOR_FEATURES1,
> > +                                 features[1].as_uint64);
> 
> ...and treat that pointer as an array of at least 2 elements.
> 
> > +    if (ret < 0) {
> > +        error_report("Failed to get processor features bank 1");
> > +        return -1;
> > +    }
> > +
> > +    return 0;
> > +}
> > +
> >  static int create_partition(int mshv_fd, int *vm_fd)
> >  {
> >      int ret;
> > @@ -520,6 +571,12 @@ static int mshv_init(AccelState *as, MachineState *ms)
> >hv_partition_processor_features
> >      s->vm = vm_fd;
> >      s->fd = mshv_fd;
> > +
> > +    ret = get_proc_features(vm_fd, &s->processor_features);
> 
> But here we pass in s->processor_features, which has only
> one hv_partition_processor_features, not 2. So the [1]
> element access will read beyond the size of the field.
> 
> My guess is that the intention here was "features.as_uint64[1]"
> rather than "features[1].as_uint64" (and similarly for 0,
> though there it doesn't actually walk off the end of the field).
> 

Hi Peter,

yes, indeed. this is a bug, it should be uint64_t[0] and uint64_t[1]
instead of features[0] and features[1]. Ironically I spend some time
debugging this very bug today, albeit _before_ reading this email.

it's causing some breakage for migrating guest with CET support (or any
feature that is part of the second bank of processor features, I guess).

thanks!

magnus

> thanks
> -- PMM


  reply	other threads:[~2026-06-30 17:00 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 10:17 [PULL 00/45] target/i386, CLI deprecation patches for 2026-06-25 Paolo Bonzini
2026-06-26 10:17 ` [PULL 01/45] accel/mshv: use mshv_create_partition_v2 payload Paolo Bonzini
2026-06-26 10:17 ` [PULL 02/45] target/i386/mshv: fix cpuid propagation bug Paolo Bonzini
2026-06-26 10:17 ` [PULL 03/45] target/i386/mshv: fix various cpuid traversal bugs Paolo Bonzini
2026-06-26 10:17 ` [PULL 04/45] target/i386/mshv: change cpuid mask to UINT32_MAX Paolo Bonzini
2026-06-26 10:17 ` [PULL 05/45] target/i386/mshv: set cpu model name on -cpu host Paolo Bonzini
2026-06-26 10:17 ` [PULL 06/45] target/i386: query mshv accel for supported cpuids Paolo Bonzini
2026-06-26 10:17 ` [PULL 07/45] target/i386/mshv: populate xsave area offsets Paolo Bonzini
2026-06-26 10:17 ` [PULL 08/45] target/i386/mshv: use hv-provided [0xD,1+2].EBX Paolo Bonzini
2026-06-26 10:17 ` [PULL 09/45] accel/mshv: disable la57 (5lvl paging) Paolo Bonzini
2026-06-26 10:17 ` [PULL 10/45] target/i386/mshv: use arch_load/store_reg fns Paolo Bonzini
2026-06-26 10:17 ` [PULL 11/45] target/i386/mshv: use generic FPU/xcr0 state Paolo Bonzini
2026-06-26 10:17 ` [PULL 12/45] target/i386/mshv: impl init/load/store_vcpu_state Paolo Bonzini
2026-06-26 10:17 ` [PULL 13/45] accel/accel-irq: add AccelRouteChange abstraction Paolo Bonzini
2026-06-26 10:17 ` [PULL 14/45] accel/accel-irq: add generic begin_route_changes Paolo Bonzini
2026-06-26 10:17 ` [PULL 15/45] accel/accel-irq: add generic commit_route_changes Paolo Bonzini
2026-06-26 10:17 ` [PULL 16/45] accel/mshv: add irq_routes to state Paolo Bonzini
2026-06-26 10:17 ` [PULL 17/45] accel/mshv: update s->irq_routes in add_msi_route Paolo Bonzini
2026-06-26 10:17 ` [PULL 18/45] accel/mshv: update s->irq_routes in update_msi_route Paolo Bonzini
2026-06-26 10:17 ` [PULL 19/45] accel/mshv: update s->irq_routes in release_virq Paolo Bonzini
2026-06-26 10:17 ` [PULL 20/45] accel/mshv: use s->irq_routes in commit_routes Paolo Bonzini
2026-06-26 10:17 ` [PULL 21/45] accel/mshv: reserve ioapic routes on s->irq_routes Paolo Bonzini
2026-06-26 10:17 ` [PULL 22/45] accel/mshv: remove redundant msi controller Paolo Bonzini
2026-06-26 10:17 ` [PULL 23/45] accel/mshv: store partition proc features Paolo Bonzini
2026-06-29 14:27   ` Peter Maydell
2026-06-30 16:59     ` Magnus Kulke [this message]
2026-06-26 10:17 ` [PULL 24/45] target/i386/mshv: expose mshv_get_generic_regs Paolo Bonzini
2026-06-26 10:17 ` [PULL 25/45] accel/mshv: enable dirty page tracking Paolo Bonzini
2026-06-26 10:17 ` [PULL 26/45] target/i386/mshv: move msr code to arch Paolo Bonzini
2026-06-26 10:17 ` [PULL 27/45] target/i386/mshv: migrate pending ints/excs Paolo Bonzini
2026-06-26 10:17 ` [PULL 28/45] target/i386/mshv: migrate XSAVE state Paolo Bonzini
2026-06-26 10:17 ` [PULL 29/45] target/i386/mshv: reconstruct hflags after load Paolo Bonzini
2026-06-26 10:17 ` [PULL 30/45] target/i386/mshv: migrate MSRs Paolo Bonzini
2026-06-29 14:37   ` Peter Maydell
2026-06-26 10:17 ` [PULL 31/45] target/i386/mshv: migrate MTRR MSRs Paolo Bonzini
2026-06-26 10:17 ` [PULL 32/45] target/i386/mshv: migrate CET/SS MSRs Paolo Bonzini
2026-06-26 10:17 ` [PULL 33/45] accel: remove unnecessary #ifdefs Paolo Bonzini
2026-06-26 10:17 ` [PULL 34/45] include/hw/hyperv: add hv_vp_register_page struct definition Paolo Bonzini
2026-06-26 10:17 ` [PULL 35/45] target/i386/mshv: hv_vp_register_page setup for the vcpu Paolo Bonzini
2026-06-26 10:17 ` [PULL 36/45] target/i386/mshv: use the register page to get registers Paolo Bonzini
2026-06-26 10:17 ` [PULL 37/45] target/i386/mshv: use the register page to set registers Paolo Bonzini
2026-06-26 10:17 ` [PULL 38/45] i386/sev: Remove the example that references memory-encryption Paolo Bonzini
2026-06-26 10:17 ` [PULL 39/45] qemu-options: Change memory-encryption to confidential-guest-support in the example Paolo Bonzini
2026-06-26 10:17 ` [PULL 40/45] qemu-options: Add confidential-guest-support to machine options Paolo Bonzini
2026-06-26 10:17 ` [PULL 41/45] qemu-options: Add description of tdx-guest object Paolo Bonzini
2026-06-26 10:17 ` [PULL 42/45] machine: Deprecate memory-encryption Paolo Bonzini
2026-06-26 10:17 ` [PULL 43/45] i386/tdx: Use .has_gpa field to check if the gpa is valid Paolo Bonzini
2026-06-26 10:17 ` [PULL 44/45] i386/tdx: Make AMX alias bits supported Paolo Bonzini
2026-06-26 10:17 ` [PULL 45/45] i386/tdx: Add CPUID_24_0_EBX_AVX10_VL_MASK as supported Paolo Bonzini
2026-06-28 11:01 ` [PULL 00/45] target/i386, CLI deprecation patches for 2026-06-25 Stefan Hajnoczi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=akP2CAiVH6XEMi0z@example.com \
    --to=magnuskulke@linux.microsoft.com \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox