[PATCH] x86/msr: Restrict /dev/cpu/*/msr read and write to a single MSR per call

[Tim Wiederhake]

Reading or writing /dev/cpu/*/msr with a buffer larger than 8 bytes
reads or writes not successive MSRs, but the same one over and over.
While documented, this behavior is unintuitive and not helpful.

Remove the loops and process a single 8-byte MSR value per call.

Signed-off-by: Tim Wiederhake <twiederh@xxxxxxxxxx>
---
This is a resend of a patch originally submitted in May 2023 [1],
updated to also cover msr_write and rebased to v7.1.

[1] https://lkml.org/lkml/2023/5/23/1230

 arch/x86/kernel/msr.c | 48 +++++++++++++++----------------------------
 1 file changed, 16 insertions(+), 32 deletions(-)

diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 4469c784eaa0..528a8e9b2319 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -10,8 +10,7 @@
  * x86 MSR access device
  *
  * This device is accessed by lseek() to the appropriate register number
- * and then read/write in chunks of 8 bytes.  A larger size means multiple
- * reads or writes of the same register.
+ * and then read/write in chunks of 8 bytes.
  *
  * This driver uses /dev/cpu/%d/msr where %d is the minor number, and on
  * an SMP box will direct the access to CPU %d.
@@ -57,24 +56,17 @@ static ssize_t msr_read(struct file *file, char __user *buf,
 	u32 reg = *ppos;
 	int cpu = iminor(file_inode(file));
 	int err = 0;
-	ssize_t bytes = 0;
 
-	if (count % 8)
+	if (count < 8)
 		return -EINVAL;	/* Invalid chunk size */
 
-	for (; count; count -= 8) {
-		err = rdmsr_safe_on_cpu(cpu, reg, &data[0], &data[1]);
-		if (err)
-			break;
-		if (copy_to_user(tmp, &data, 8)) {
-			err = -EFAULT;
-			break;
-		}
-		tmp += 2;
-		bytes += 8;
-	}
+	err = rdmsr_safe_on_cpu(cpu, reg, &data[0], &data[1]);
+	if (err)
+		return err;
+	if (copy_to_user(tmp, &data, 8))
+		return -EFAULT;
 
-	return bytes ? bytes : err;
+	return 8;
 }
 
 static int filter_write(u32 reg)
@@ -113,7 +105,6 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 	u32 reg = *ppos;
 	int cpu = iminor(file_inode(file));
 	int err = 0;
-	ssize_t bytes = 0;
 
 	err = security_locked_down(LOCKDOWN_MSR);
 	if (err)
@@ -123,26 +114,19 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
 	if (err)
 		return err;
 
-	if (count % 8)
+	if (count < 8)
 		return -EINVAL;	/* Invalid chunk size */
 
-	for (; count; count -= 8) {
-		if (copy_from_user(&data, tmp, 8)) {
-			err = -EFAULT;
-			break;
-		}
-
-		add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);
+	if (copy_from_user(&data, tmp, 8))
+		return -EFAULT;
 
-		err = wrmsr_safe_on_cpu(cpu, reg, data[0], data[1]);
-		if (err)
-			break;
+	add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);
 
-		tmp += 2;
-		bytes += 8;
-	}
+	err = wrmsr_safe_on_cpu(cpu, reg, data[0], data[1]);
+	if (err)
+		return err;
 
-	return bytes ? bytes : err;
+	return 8;
 }
 
 static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
-- 
2.52.0