diff mbox series

[v9,10/28] KVM: x86/pmu: Explicitly check for RDPMC of unsupported Intel PMC types

Message ID 20231202000417.922113-11-seanjc@google.com (mailing list archive)
State New, archived
Headers show
Series KVM: x86/pmu: selftests: Fixes and new tests | expand

Commit Message

Sean Christopherson Dec. 2, 2023, 12:03 a.m. UTC 
Explicitly check for attempts to read unsupported PMC types instead of
letting the bounds check fail.  Functionally, letting the check fail is
ok, but it's unnecessarily subtle and does a poor job of documenting the
architectural behavior that KVM is emulating.

Opportunistically add macros for the type vs. index to further document
what is going on.

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/vmx/pmu_intel.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Comments

Mi, Dapeng Dec. 11, 2023, 6:26 a.m. UTC | #1 
On 12/2/2023 8:03 AM, Sean Christopherson wrote:
> Explicitly check for attempts to read unsupported PMC types instead of
> letting the bounds check fail.  Functionally, letting the check fail is
> ok, but it's unnecessarily subtle and does a poor job of documenting the
> architectural behavior that KVM is emulating.
>
> Opportunistically add macros for the type vs. index to further document
> what is going on.
>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>   arch/x86/kvm/vmx/pmu_intel.c | 11 +++++++++--
>   1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> index 644de27bd48a..bd4f4bdf5419 100644
> --- a/arch/x86/kvm/vmx/pmu_intel.c
> +++ b/arch/x86/kvm/vmx/pmu_intel.c
> @@ -23,6 +23,9 @@
>   /* Perf's "BASE" is wildly misleading, this is a single-bit flag, not a base. */
>   #define INTEL_RDPMC_FIXED	INTEL_PMC_FIXED_RDPMC_BASE
>   
> +#define INTEL_RDPMC_TYPE_MASK	GENMASK(31, 16)
> +#define INTEL_RDPMC_INDEX_MASK	GENMASK(15, 0)
> +
>   #define MSR_PMC_FULL_WIDTH_BIT      (MSR_IA32_PMC0 - MSR_IA32_PERFCTR0)
>   
>   static void reprogram_fixed_counters(struct kvm_pmu *pmu, u64 data)
> @@ -82,9 +85,13 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
>   	/*
>   	 * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
>   	 * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
> -	 * i.e. let RDPMC fail due to accessing a non-existent counter.
> +	 * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
> +	 * attempts to read all other types, which are unknown/unsupported.
>   	 */
> -	idx &= ~INTEL_RDPMC_FIXED;
> +	if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)
> +		return NULL;
> +
> +	idx &= INTEL_RDPMC_INDEX_MASK;
>   	if (fixed) {
>   		counters = pmu->fixed_counters;
>   		num_counters = pmu->nr_arch_fixed_counters;
Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Jim Mattson Dec. 11, 2023, 9:33 p.m. UTC | #2 
On Sun, Dec 10, 2023 at 10:26 PM Mi, Dapeng <dapeng1.mi@linux.intel.com> wrote:
>
>
> On 12/2/2023 8:03 AM, Sean Christopherson wrote:
> > Explicitly check for attempts to read unsupported PMC types instead of
> > letting the bounds check fail.  Functionally, letting the check fail is
> > ok, but it's unnecessarily subtle and does a poor job of documenting the
> > architectural behavior that KVM is emulating.
> >
> > Opportunistically add macros for the type vs. index to further document
> > what is going on.
> >
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > ---
> >   arch/x86/kvm/vmx/pmu_intel.c | 11 +++++++++--
> >   1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> > index 644de27bd48a..bd4f4bdf5419 100644
> > --- a/arch/x86/kvm/vmx/pmu_intel.c
> > +++ b/arch/x86/kvm/vmx/pmu_intel.c
> > @@ -23,6 +23,9 @@
> >   /* Perf's "BASE" is wildly misleading, this is a single-bit flag, not a base. */
> >   #define INTEL_RDPMC_FIXED   INTEL_PMC_FIXED_RDPMC_BASE
> >
> > +#define INTEL_RDPMC_TYPE_MASK        GENMASK(31, 16)
> > +#define INTEL_RDPMC_INDEX_MASK       GENMASK(15, 0)
> > +
> >   #define MSR_PMC_FULL_WIDTH_BIT      (MSR_IA32_PMC0 - MSR_IA32_PERFCTR0)
> >
> >   static void reprogram_fixed_counters(struct kvm_pmu *pmu, u64 data)
> > @@ -82,9 +85,13 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
> >       /*
> >        * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
> >        * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
> > -      * i.e. let RDPMC fail due to accessing a non-existent counter.
> > +      * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
> > +      * attempts to read all other types, which are unknown/unsupported.
> >        */
> > -     idx &= ~INTEL_RDPMC_FIXED;
> > +     if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)

You know how I hate to be pedantic (ROFL), but the SDM only says:

If the processor does support architectural performance monitoring
(CPUID.0AH:EAX[7:0] ≠ 0), ECX[31:16] specifies type of PMC while
ECX[15:0] specifies the index of the PMC to be read within that type.

It does not say that the types are bitwise-exclusive.

Yes, the types defined thus far are bitwise-exclusive, but who knows
what tomorrow may bring?

> > +             return NULL;
> > +
> > +     idx &= INTEL_RDPMC_INDEX_MASK;
> >       if (fixed) {
> >               counters = pmu->fixed_counters;
> >               num_counters = pmu->nr_arch_fixed_counters;
> Reviewed-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Sean Christopherson Dec. 11, 2023, 11:43 p.m. UTC | #3 
On Mon, Dec 11, 2023, Jim Mattson wrote:
> On Sun, Dec 10, 2023 at 10:26 PM Mi, Dapeng <dapeng1.mi@linux.intel.com> wrote:
> >
> >
> > On 12/2/2023 8:03 AM, Sean Christopherson wrote:
> > > Explicitly check for attempts to read unsupported PMC types instead of
> > > letting the bounds check fail.  Functionally, letting the check fail is
> > > ok, but it's unnecessarily subtle and does a poor job of documenting the
> > > architectural behavior that KVM is emulating.
> > >
> > > Opportunistically add macros for the type vs. index to further document
> > > what is going on.
> > >
> > > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > > ---
> > >   arch/x86/kvm/vmx/pmu_intel.c | 11 +++++++++--
> > >   1 file changed, 9 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> > > index 644de27bd48a..bd4f4bdf5419 100644
> > > --- a/arch/x86/kvm/vmx/pmu_intel.c
> > > +++ b/arch/x86/kvm/vmx/pmu_intel.c
> > > @@ -23,6 +23,9 @@
> > >   /* Perf's "BASE" is wildly misleading, this is a single-bit flag, not a base. */
> > >   #define INTEL_RDPMC_FIXED   INTEL_PMC_FIXED_RDPMC_BASE
> > >
> > > +#define INTEL_RDPMC_TYPE_MASK        GENMASK(31, 16)
> > > +#define INTEL_RDPMC_INDEX_MASK       GENMASK(15, 0)
> > > +
> > >   #define MSR_PMC_FULL_WIDTH_BIT      (MSR_IA32_PMC0 - MSR_IA32_PERFCTR0)
> > >
> > >   static void reprogram_fixed_counters(struct kvm_pmu *pmu, u64 data)
> > > @@ -82,9 +85,13 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
> > >       /*
> > >        * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
> > >        * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
> > > -      * i.e. let RDPMC fail due to accessing a non-existent counter.
> > > +      * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
> > > +      * attempts to read all other types, which are unknown/unsupported.
> > >        */
> > > -     idx &= ~INTEL_RDPMC_FIXED;
> > > +     if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)
> 
> You know how I hate to be pedantic (ROFL), but the SDM only says:
> 
> If the processor does support architectural performance monitoring
> (CPUID.0AH:EAX[7:0] ≠ 0), ECX[31:16] specifies type of PMC while
> ECX[15:0] specifies the index of the PMC to be read within that type.
> 
> It does not say that the types are bitwise-exclusive.
> 
> Yes, the types defined thus far are bitwise-exclusive, but who knows
> what tomorrow may bring?

The goal isn't to make the types exclusive, the goal is to reject types that
aren't supported by KVM.  The above accomplishes that, no?  I don't see how KVM
could get a false negative or false positive, the above allows exactly FIXED and
"none" types.  Or are you objecting to the comment?
Jim Mattson Dec. 12, 2023, 2:26 a.m. UTC | #4 
On Mon, Dec 11, 2023 at 3:43 PM Sean Christopherson <seanjc@google.com> wrote:
>
> On Mon, Dec 11, 2023, Jim Mattson wrote:
> > On Sun, Dec 10, 2023 at 10:26 PM Mi, Dapeng <dapeng1.mi@linux.intel.com> wrote:
> > >
> > >
> > > On 12/2/2023 8:03 AM, Sean Christopherson wrote:
> > > > Explicitly check for attempts to read unsupported PMC types instead of
> > > > letting the bounds check fail.  Functionally, letting the check fail is
> > > > ok, but it's unnecessarily subtle and does a poor job of documenting the
> > > > architectural behavior that KVM is emulating.
> > > >
> > > > Opportunistically add macros for the type vs. index to further document
> > > > what is going on.
> > > >
> > > > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > > > ---
> > > >   arch/x86/kvm/vmx/pmu_intel.c | 11 +++++++++--
> > > >   1 file changed, 9 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
> > > > index 644de27bd48a..bd4f4bdf5419 100644
> > > > --- a/arch/x86/kvm/vmx/pmu_intel.c
> > > > +++ b/arch/x86/kvm/vmx/pmu_intel.c
> > > > @@ -23,6 +23,9 @@
> > > >   /* Perf's "BASE" is wildly misleading, this is a single-bit flag, not a base. */
> > > >   #define INTEL_RDPMC_FIXED   INTEL_PMC_FIXED_RDPMC_BASE
> > > >
> > > > +#define INTEL_RDPMC_TYPE_MASK        GENMASK(31, 16)
> > > > +#define INTEL_RDPMC_INDEX_MASK       GENMASK(15, 0)
> > > > +
> > > >   #define MSR_PMC_FULL_WIDTH_BIT      (MSR_IA32_PMC0 - MSR_IA32_PERFCTR0)
> > > >
> > > >   static void reprogram_fixed_counters(struct kvm_pmu *pmu, u64 data)
> > > > @@ -82,9 +85,13 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
> > > >       /*
> > > >        * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
> > > >        * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
> > > > -      * i.e. let RDPMC fail due to accessing a non-existent counter.
> > > > +      * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
> > > > +      * attempts to read all other types, which are unknown/unsupported.
> > > >        */
> > > > -     idx &= ~INTEL_RDPMC_FIXED;
> > > > +     if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)
> >
> > You know how I hate to be pedantic (ROFL), but the SDM only says:
> >
> > If the processor does support architectural performance monitoring
> > (CPUID.0AH:EAX[7:0] ≠ 0), ECX[31:16] specifies type of PMC while
> > ECX[15:0] specifies the index of the PMC to be read within that type.
> >
> > It does not say that the types are bitwise-exclusive.
> >
> > Yes, the types defined thus far are bitwise-exclusive, but who knows
> > what tomorrow may bring?
>
> The goal isn't to make the types exclusive, the goal is to reject types that
> aren't supported by KVM.  The above accomplishes that, no?  I don't see how KVM
> could get a false negative or false positive, the above allows exactly FIXED and
> "none" types.  Or are you objecting to the comment?

You're right. The code is fine. My brain is not.

But what's wrong with something like:

type = idx & INTEL_RDPMC_TYPE_MASK;
if (type != INTEL_RDPMC_GP && type != INTEL_RDPMC_FIXED) ...

This makes it more clear what kvm accepts and what it doesn't accept,
regardless of the actual values of the macros.
Sean Christopherson Dec. 13, 2023, 2:25 a.m. UTC | #5 
On Mon, Dec 11, 2023, Jim Mattson wrote:
> On Mon, Dec 11, 2023 at 3:43 PM Sean Christopherson <seanjc@google.com> wrote:
> > > > > @@ -82,9 +85,13 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
> > > > >       /*
> > > > >        * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
> > > > >        * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
> > > > > -      * i.e. let RDPMC fail due to accessing a non-existent counter.
> > > > > +      * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
> > > > > +      * attempts to read all other types, which are unknown/unsupported.
> > > > >        */
> > > > > -     idx &= ~INTEL_RDPMC_FIXED;
> > > > > +     if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)
> > >
> > > You know how I hate to be pedantic (ROFL), but the SDM only says:
> > >
> > > If the processor does support architectural performance monitoring
> > > (CPUID.0AH:EAX[7:0] ≠ 0), ECX[31:16] specifies type of PMC while
> > > ECX[15:0] specifies the index of the PMC to be read within that type.
> > >
> > > It does not say that the types are bitwise-exclusive.
> > >
> > > Yes, the types defined thus far are bitwise-exclusive, but who knows
> > > what tomorrow may bring?
> >
> > The goal isn't to make the types exclusive, the goal is to reject types that
> > aren't supported by KVM.  The above accomplishes that, no?  I don't see how KVM
> > could get a false negative or false positive, the above allows exactly FIXED and
> > "none" types.  Or are you objecting to the comment?
> 
> You're right. The code is fine. My brain is not.
> 
> But what's wrong with something like:
> 
> type = idx & INTEL_RDPMC_TYPE_MASK;
> if (type != INTEL_RDPMC_GP && type != INTEL_RDPMC_FIXED) ...
> 
> This makes it more clear what kvm accepts and what it doesn't accept,
> regardless of the actual values of the macros.

Because when I read the SDM, my reading was heavily colored by KVM's existing
implementation.  And the SDM using 4000H and 2000H for the non-zero types doesn't
help (those scream "flags" to me).  But rereading things, the SDM clearly states
they are explicit, distinct types.  I'll massage this to have KVM treat them as
such.
diff mbox series

Patch

diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
index 644de27bd48a..bd4f4bdf5419 100644
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -23,6 +23,9 @@ 
 /* Perf's "BASE" is wildly misleading, this is a single-bit flag, not a base. */
 #define INTEL_RDPMC_FIXED	INTEL_PMC_FIXED_RDPMC_BASE
 
+#define INTEL_RDPMC_TYPE_MASK	GENMASK(31, 16)
+#define INTEL_RDPMC_INDEX_MASK	GENMASK(15, 0)
+
 #define MSR_PMC_FULL_WIDTH_BIT      (MSR_IA32_PMC0 - MSR_IA32_PERFCTR0)
 
 static void reprogram_fixed_counters(struct kvm_pmu *pmu, u64 data)
@@ -82,9 +85,13 @@  static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
 	/*
 	 * Fixed PMCs are supported on all architectural PMUs.  Note, KVM only
 	 * emulates fixed PMCs for PMU v2+, but the flag itself is still valid,
-	 * i.e. let RDPMC fail due to accessing a non-existent counter.
+	 * i.e. let RDPMC fail due to accessing a non-existent counter.  Reject
+	 * attempts to read all other types, which are unknown/unsupported.
 	 */
-	idx &= ~INTEL_RDPMC_FIXED;
+	if (idx & INTEL_RDPMC_TYPE_MASK & ~INTEL_RDPMC_FIXED)
+		return NULL;
+
+	idx &= INTEL_RDPMC_INDEX_MASK;
 	if (fixed) {
 		counters = pmu->fixed_counters;
 		num_counters = pmu->nr_arch_fixed_counters;