On Tue, 2025-01-14 at 09:23 -0600, Tom Lendacky wrote: > On 1/14/25 09:05, Dave Hansen wrote: > > On 1/14/25 06:29, Tom Lendacky wrote: > > > > Given the choice between "a bug in the calling code > > > > crashes the kernel" and "a bug in the calling code > > > > results in a missed TLB flush", I'm guessing the > > > > crash is probably better. > > > So instead of the negative number protection, shouldn't this just > > > use an > > > unsigned int for extra_count and panic() if the value is greater > > > than > > > invlpgb_count_max? The caller has some sort of logic problem and > > > it > > > could possibly result in missed TLB flushes. Or if a panic() is > > > out of > > > the question, maybe a WARN() and a full TLB flush to be safe? > > > > The current implementation will panic in the #GP handler though. It > > should be pretty easy to figure out that INVLPGB is involved with > > RIP or > > the Code: snippet. From there, you'd need to figure out what caused > > the #GP. > > Hmmm, maybe I'm missing something. IIUC, when a negative number is > supplied, the extra_count field will be set to 0 (via the max() > function) and allow the INVLPGB to continue. 0 is valid in ECX[15:0] > and > so the instruction won't #GP. I added that at the request of somebody else :) Let me remove it again, now that we seem to have a consensus that a panic is preferable to a wrong TLB flush. -- All Rights Reversed.
