KVM: arm64: Handle out-of-bound write to MDCR_EL2.HPMN

We don't really pay attention to what gets written to MDCR_EL2.HPMN,
and funky guests could play ugly games on us.

Restrict what gets written there, and limit the number of counters
to what the PMU is allowed to have.

Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Marc Zyngier <maz@kernel.org>

diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index 228a548f0a5b4a5f3e273bcbfb7438baecc9440b..f3e603ef2a951dfabc7dc1bfb34221b543a88478 100644 (file)
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -2571,16 +2571,33 @@ static bool access_mdcr(struct kvm_vcpu *vcpu,
                        struct sys_reg_params *p,
                        const struct sys_reg_desc *r)
 {
-       u64 old = __vcpu_sys_reg(vcpu, MDCR_EL2);
+       u64 hpmn, val, old = __vcpu_sys_reg(vcpu, MDCR_EL2);
 
-       if (!access_rw(vcpu, p, r))
-               return false;
+       if (!p->is_write) {
+               p->regval = old;
+               return true;
+       }
+
+       val = p->regval;
+       hpmn = FIELD_GET(MDCR_EL2_HPMN, val);
+
+       /*
+        * If HPMN is out of bounds, limit it to what we actually
+        * support. This matches the UNKNOWN definition of the field
+        * in that case, and keeps the emulation simple. Sort of.
+        */
+       if (hpmn > vcpu->kvm->arch.nr_pmu_counters) {
+               hpmn = vcpu->kvm->arch.nr_pmu_counters;
+               u64_replace_bits(val, hpmn, MDCR_EL2_HPMN);
+       }
+
+       __vcpu_sys_reg(vcpu, MDCR_EL2) = val;
 
        /*
-        * Request a reload of the PMU to enable/disable the counters affected
-        * by HPME.
+        * Request a reload of the PMU to enable/disable the counters
+        * affected by HPME.
         */
-       if ((old ^ __vcpu_sys_reg(vcpu, MDCR_EL2)) & MDCR_EL2_HPME)
+       if ((old ^ val) & MDCR_EL2_HPME)
                kvm_make_request(KVM_REQ_RELOAD_PMU, vcpu);
 
        return true;