From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Oliver Upton" <oupton@kernel.org>,
kvmarm@lists.linux.dev, "Marc Zyngier" <maz@kernel.org>
Subject: Re: [PATCH 6/7] KVM: arm64: Set IL for nested SError injection
Date: Sun, 14 Jun 2026 16:44:16 +0000 [thread overview]
Message-ID: <20260614164416.D37E61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260614163336.3490925-7-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The constructed SError syndrome (ESR) is silently dropped during nested EL2 exception injection because `ESR_EL2` is never updated.
- [High] When SCTLR2_EL1_EASE routes a Synchronous External abort to an SError, the ESR injected has the wrong EC (IABT/DABT instead of SERROR) and an incorrect ISS format.
--
commit 09fd06d56ab3236a0e7af03e0d026ed6725ad6d6
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Set IL for nested SError injection
This patch modifies the emulated SError injection to unconditionally
set the IL (Instruction Length) bit in the generated ESR, as mandated
by the architecture.
> diff --git a/arch/arm64/kvm/emulate-nested.c b/arch/arm64/kvm/emulate-nested.c
> index 4b39363cf8911..4262d4c17a877 100644
> --- a/arch/arm64/kvm/emulate-nested.c
> +++ b/arch/arm64/kvm/emulate-nested.c
> @@ -2938,6 +2938,6 @@ int kvm_inject_nested_serror(struct kvm_vcpu *vcpu, u64 esr)
> * vSError injection. Manually populate EC for an emulated SError
> * exception.
> */
> - esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR);
> + esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR) | ESR_ELx_IL;
> return kvm_inject_nested(vcpu, esr, except_type_serror);
[Severity: High]
This isn't a bug introduced by this patch, but does the carefully constructed
esr value actually get written to the guest's ESR_EL2?
Looking at kvm_inject_nested(), it passes the esr_el2 argument down:
kvm_inject_nested(vcpu, esr_el2, type) {
...
kvm_inject_el2_exception(vcpu, esr_el2, type);
...
}
However, in kvm_inject_el2_exception():
static void kvm_inject_el2_exception(...) {
...
switch (type) {
...
case except_type_serror:
kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_SERR);
break;
...
}
Since except_type_serror only pends the exception and doesn't explicitly
write the esr_el2 argument into ESR_EL2 (unlike except_type_sync), does the
nested hypervisor observe a stale or uninitialized syndrome when it takes
the SError?
[Severity: High]
This is a pre-existing issue, but since this code deals with fixing SError
syndromes, what happens when SCTLR2_ELx.EASE is enabled and a Synchronous
External abort is routed to an SError?
Looking at kvm_inject_nested_sea() in the same file:
int kvm_inject_nested_sea(struct kvm_vcpu *vcpu) {
...
u64 esr = FIELD_PREP(ESR_ELx_EC_MASK,
iabt ? ESR_ELx_EC_IABT_LOW : ESR_ELx_EC_DABT_LOW);
...
if (__vcpu_sys_reg(vcpu, SCTLR2_EL2) & SCTLR2_EL1_EASE)
return kvm_inject_nested(vcpu, esr, except_type_serror);
...
}
Does this result in an SError being injected with a Data/Instruction Abort
EC? According to the ARM Architecture Reference Manual (D8.2.5), shouldn't
an SError always have its ESR_ELx.EC field set to 0b101111 (SError)?
A similar pattern appears in inject_abt64() for EL1, where a DABT/IABT
syndrome is constructed and actively written to exception_esr_elx(vcpu)
even though an SError exception was pended. Would this incorrect EC format
confuse the guest's exception handlers?
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260614163336.3490925-1-tabba@google.com?part=6
next prev parent reply other threads:[~2026-06-14 16:44 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 16:33 [PATCH 0/7] KVM: arm64: Fix missing ESR_ELx.IL in syndrome injection Fuad Tabba
2026-06-14 16:33 ` [PATCH 1/7] KVM: arm64: Set ESR_ELx.IL for injected undefined exceptions at EL2 Fuad Tabba
2026-06-14 16:33 ` [PATCH 2/7] KVM: arm64: Unconditionally set IL for injected undefined exceptions Fuad Tabba
2026-06-14 16:33 ` [PATCH 3/7] KVM: arm64: Unconditionally set IL for injected abort exceptions Fuad Tabba
2026-06-14 16:33 ` [PATCH 4/7] KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation Fuad Tabba
2026-06-14 16:45 ` sashiko-bot
2026-06-15 12:42 ` Fuad Tabba
2026-06-14 16:33 ` [PATCH 5/7] KVM: arm64: Set IL for emulated SError injection Fuad Tabba
2026-06-14 16:46 ` sashiko-bot
2026-06-15 12:48 ` Fuad Tabba
2026-06-14 16:33 ` [PATCH 6/7] KVM: arm64: Set IL for nested " Fuad Tabba
2026-06-14 16:44 ` sashiko-bot [this message]
2026-06-15 4:46 ` Oliver Upton
2026-06-15 13:12 ` Fuad Tabba
2026-06-14 16:33 ` [PATCH 7/7] KVM: arm64: Set IL in fake ESR for pKVM memory sharing exit Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260614164416.D37E61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=oupton@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tabba@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.