x86/cpuid: Perform max_leaf calculations in guest_cpuid()
authorAndrew Cooper <andrew.cooper3@citrix.com>
Wed, 11 Jan 2017 11:59:02 +0000 (11:59 +0000)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Wed, 11 Jan 2017 11:59:02 +0000 (11:59 +0000)
Clamp the toolstack-provided max_leaf values in recalculate_cpuid_policy(),
causing the per-domain policy to have guest-accurate data.

Have guest_cpuid() exit early if a requested leaf is out of range, rather than
falling into the legacy path.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arch/x86/cpuid.c
xen/arch/x86/hvm/hvm.c
xen/arch/x86/traps.c
xen/include/asm-x86/cpuid.h

index c238776c6392a8db460c631fb460e5584c8290da..c6552b709796e6f8705bbadf546839ca4922f64d 100644 (file)
@@ -283,6 +283,10 @@ void recalculate_cpuid_policy(struct domain *d)
     uint32_t fs[FSCAPINTS], max_fs[FSCAPINTS];
     unsigned int i;
 
+    p->basic.max_leaf   = min(p->basic.max_leaf,   max->basic.max_leaf);
+    p->feat.max_subleaf = min(p->feat.max_subleaf, max->feat.max_subleaf);
+    p->extd.max_leaf    = min(p->extd.max_leaf,    max->extd.max_leaf);
+
     cpuid_policy_to_featureset(p, fs);
     cpuid_policy_to_featureset(max, max_fs);
 
@@ -319,6 +323,9 @@ void recalculate_cpuid_policy(struct domain *d)
     for ( i = 0; i < ARRAY_SIZE(fs); i++ )
         fs[i] &= max_fs[i];
 
+    if ( p->basic.max_leaf < XSTATE_CPUID )
+        __clear_bit(X86_FEATURE_XSAVE, fs);
+
     sanitise_featureset(fs);
 
     /* Fold host's FDP_EXCP_ONLY and NO_FPU_SEL into guest's view. */
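Review bot: Only XSAVE is masked when the clamped `p->basic.max_leaf` hides the leaf that describes it; the leaf 7 words in `fs` get no equivalent treatment. With `p->basic.max_leaf < 7` the policy can therefore still carry structured-feature bits that the guest can no longer enumerate. If other hypervisor code consults those policy bits to decide what a guest may enable (not visible in this hunk), the policy and the guest's view would disagree. Either clear the leaf 7 featureset words under the same kind of condition, or add a short comment next to the `__clear_bit()` explaining why XSAVE is the only feature that needs this. recalculate_cpuid_policy() continues outside the hunk.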
@@ -347,15 +354,36 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
                  uint32_t subleaf, struct cpuid_leaf *res)
 {
     const struct domain *d = v->domain;
+    const struct cpuid_policy *p = d->arch.cpuid;
 
     *res = EMPTY_LEAF;
 
     /*
      * First pass:
+     * - Perform max_leaf/subleaf calculations.  Out-of-range leaves return
+     *   all zeros, following the AMD model.
      * - Dispatch the virtualised leaves to their respective handlers.
      */
     switch ( leaf )
     {
+    case 0 ... CPUID_GUEST_NR_BASIC - 1:
+        if ( leaf > p->basic.max_leaf )
+            return;
+
+        switch ( leaf )
+        {
+        case 0x7:
+            if ( subleaf > p->feat.max_subleaf )
+                return;
+            break;
+
+        case XSTATE_CPUID:
+            if ( subleaf > ARRAY_SIZE(p->xstate.raw) )
+                return;
+            break;
+        }
+        break;
+
     case 0x40000000 ... 0x400000ff:
         if ( is_viridian_domain(d) )
             return cpuid_viridian_leaves(v, leaf, subleaf, res);
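Review bot: The xstate bound in the `case XSTATE_CPUID:` arm is off by one: `subleaf > ARRAY_SIZE(p->xstate.raw)` lets `subleaf == ARRAY_SIZE(p->xstate.raw)` through, which is one past the last valid index. `subleaf` is supplied by the guest, so if this check is later relied on to index `p->xstate.raw` (no such use is visible in this hunk), it would allow a one-element out-of-bounds read of the policy. The comparison should be `if ( subleaf >= ARRAY_SIZE(p->xstate.raw) )`. The body of guest_cpuid() continues past the end of the hunk.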
@@ -368,6 +396,14 @@ void guest_cpuid(const struct vcpu *v, uint32_t leaf,
          */
     case 0x40000100 ... 0x400001ff:
         return cpuid_hypervisor_leaves(v, leaf, subleaf, res);
+
+    case 0x80000000 ... 0x80000000 + CPUID_GUEST_NR_EXTD - 1:
+        if ( leaf > p->extd.max_leaf )
+            return;
+        break;
+
+    default:
+        return;
     }
 
     /* {hvm,pv}_cpuid() have this expectation. */
index 82cb69b4613baac43c095c968023a7113b078306..e2af1795466d9205e753526beb38f856b32993da 100644 (file)
@@ -3306,27 +3306,6 @@ void hvm_cpuid(unsigned int input, unsigned int *eax, unsigned int *ebx,
     if ( !edx )
         edx = &dummy;
 
-    if ( input & 0x7fffffff )
-    {
-        /*
-         * Requests outside the supported leaf ranges return zero on AMD
-         * and the highest basic leaf output on Intel. Uniformly follow
-         * the AMD model as the more sane one.
-         */
-        unsigned int limit;
-
-        domain_cpuid(d, (input >> 16) != 0x8000 ? 0 : 0x80000000, 0,
-                     &limit, &dummy, &dummy, &dummy);
-        if ( input > limit )
-        {
-            *eax = 0;
-            *ebx = 0;
-            *ecx = 0;
-            *edx = 0;
-            return;
-        }
-    }
-
     domain_cpuid(d, input, count, eax, ebx, ecx, edx);
 
     switch ( input )
index ef706af7e5a5eadfd0e4aaf05e1bd1d8f1555598..6e08efe3c2ce4c63fd9d04fda83bf912ab7ab1b1 100644 (file)
@@ -1031,29 +1031,6 @@ void pv_cpuid(struct cpu_user_regs *regs)
     subleaf = c = regs->_ecx;
     d = regs->_edx;
 
-    if ( leaf & 0x7fffffff )
-    {
-        /*
-         * Requests outside the supported leaf ranges return zero on AMD
-         * and the highest basic leaf output on Intel. Uniformly follow
-         * the AMD model as the more sane one.
-         */
-        unsigned int limit = (leaf >> 16) != 0x8000 ? 0 : 0x80000000, dummy;
-
-        if ( !is_control_domain(currd) && !is_hardware_domain(currd) )
-            domain_cpuid(currd, limit, 0, &limit, &dummy, &dummy, &dummy);
-        else
-            limit = cpuid_eax(limit);
-        if ( leaf > limit )
-        {
-            regs->rax = 0;
-            regs->rbx = 0;
-            regs->rcx = 0;
-            regs->rdx = 0;
-            return;
-        }
-    }
-
     if ( !is_control_domain(currd) && !is_hardware_domain(currd) )
         domain_cpuid(currd, leaf, subleaf, &a, &b, &c, &d);
     else
index 0f12c0c05816755b17cf1451c0eea1e4ae84fc49..9354e3afe6fe11d21b5ca563e4e537beacae8142 100644 (file)
@@ -87,6 +87,7 @@ struct cpuid_policy
      * Per-domain objects:
      *
      * - Guest accurate:
+     *   - max_{,sub}leaf
      *   - All FEATURESET_* words
      *
      * Everything else should be considered inaccurate, and not necesserily 0.