On 1/14/25 09:05, Dave Hansen wrote: > On 1/14/25 06:29, Tom Lendacky wrote: >>> Given the choice between "a bug in the calling code >>> crashes the kernel" and "a bug in the calling code >>> results in a missed TLB flush", I'm guessing the >>> crash is probably better. >> So instead of the negative number protection, shouldn't this just use an >> unsigned int for extra_count and panic() if the value is greater than >> invlpgb_count_max? The caller has some sort of logic problem and it >> could possibly result in missed TLB flushes. Or if a panic() is out of >> the question, maybe a WARN() and a full TLB flush to be safe? > > The current implementation will panic in the #GP handler though. It > should be pretty easy to figure out that INVLPGB is involved with RIP or > the Code: snippet. From there, you'd need to figure out what caused the #GP. Hmmm, maybe I'm missing something. IIUC, when a negative number is supplied, the extra_count field will be set to 0 (via the max() function) and allow the INVLPGB to continue. 0 is valid in ECX[15:0] and so the instruction won't #GP. Thanks, Tom > > I guess the one nasty thing is that a person debugging this might not > have a CPUID dump handy so wouldn't actually know the number of valid > addresses that INVLPGB can take. > > But otherwise, I'm not sure an explicit panic adds _much_ value here > over an implicit one via the #GP handler. I don't know how everybody > else feels about it, but I'm happy just depending on the #GP for now.
