On 1/14/25 08:30, Tom Lendacky wrote: >> Let me remove it again, now that we seem to have a >> consensus that a panic is preferable to a wrong >> TLB flush. > I believe the instruction will #GP if any of the ECX[30:16] reserved > bits are non-zero (although the APM doesn't document that), in addition > to ECX[15:0] being greater than allowed. But what if 0x80000000 is > passed in. That would set ECX[31] with a zero count field, which is > valid for the instruction, but the input is obviously bogus. > > I think the safest thing to do is make the extra_count parameter an > unsigned int and check if it is greater than invlpgb_count_max. Not sure > what to actually do at that point, though... panic()? WARN() with full > TLB flush? How about we give 'extra_count' a type that can't bleed over into the stride bits: static inline void __invlpgb(unsigned long asid, unsigned long pcid, unsigned long addr, u16 extra_count, bool pmd_stride, u8 flags) plus a check on CPUID 8000_0008h EDX[15:0] to make sure it's not 0xffff.
