From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
"Oliver Upton" <oupton@kernel.org>,
kvmarm@lists.linux.dev
Subject: Re: [PATCH 4/7] KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation
Date: Sun, 14 Jun 2026 16:45:47 +0000 [thread overview]
Message-ID: <20260614164547.D398B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260614163336.3490925-5-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Incorrect Emulation of Illegal Exception Return corrupts ELR_EL2 and may cause spurious Instruction Aborts
--
commit 56bc216de713f5bf0e45ff5ad97580cbdc7eeb66
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation
This commit fixes the FPAC syndrome constructed during nested ERET
emulation to include the IL bit. It ensures that the IL bit is set to 1
for ERET and its authenticated variants, which are always 32-bit A64
instructions.
> diff --git a/arch/arm64/kvm/emulate-nested.c b/arch/arm64/kvm/emulate-nested.c
> --- a/arch/arm64/kvm/emulate-nested.c
> +++ b/arch/arm64/kvm/emulate-nested.c
> @@ -2777,7 +2777,7 @@ void kvm_emulate_nested_eret(struct kvm_vcpu *vcpu)
> */
> if (kvm_has_pauth(vcpu->kvm, FPACCOMBINE) && !(spsr & PSR_IL_BIT)) {
> esr &= ESR_ELx_ERET_ISS_ERETA;
> - esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_FPAC);
> + esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_FPAC) | ESR_ELx_IL;
> kvm_inject_nested_sync(vcpu, esr);
> return;
> }
> }
>
> preempt_disable();
> vcpu_set_flag(vcpu, IN_NESTED_ERET);
> kvm_arch_vcpu_put(vcpu);
>
> if (!esr_iss_is_eretax(esr))
> elr = __vcpu_sys_reg(vcpu, ELR_EL2);
>
> trace_kvm_nested_eret(vcpu, elr, spsr);
>
> *vcpu_pc(vcpu) = elr;
> *vcpu_cpsr(vcpu) = spsr;
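Review bot: the `+` line is correct but deserves a one-line comment above it, because `esr &= ESR_ELx_ERET_ISS_ERETA` on the preceding line discards everything except the ERETA ISS bit, so both the EC field and IL have to be rebuilt from scratch; without that comment the explicit `| ESR_ELx_IL` reads as redundant to a reader who expects a trap syndrome to already carry IL. Something like `/* ISS was masked above; rebuild EC and IL (ERET is always a 32-bit A64 instruction) */` would also carry the justification that is currently only in the commit message. Note too that the `!(spsr & PSR_IL_BIT)` guard means the illegal-return case skips this injection entirely and falls through to `*vcpu_pc(vcpu) = elr`; that path is untouched by this patch, which is worth a sentence in the commit message so nobody reads the IL fix as covering it.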
[Severity: High]
This is a pre-existing issue, but does setting the PC to the target address
here cause issues when an illegal exception return is detected?
If kvm_check_illegal_exception_return() previously detected an illegal return
and set PSR_IL_BIT in spsr, kvm_emulate_nested_eret() unconditionally
advances the guest PC to the ERET target address (elr) and returns to the
guest, relying on hardware to generate the Illegal Execution State exception.
Wouldn't the hardware then save the target address into the guest's ELR_EL2
instead of the faulting ERET address, corrupting the architectural state?
Additionally, since the hardware fetches the instruction at the target address
using the guest EL2 translation regime before execution, an unmapped or
unexecutable target address could trigger an Instruction Abort instead of the
required Illegal Execution State exception, per ARM ARM D1.8.2.
Could this result in the guest hypervisor receiving a spurious Instruction
Abort for an EL1/EL0 address?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260614163336.3490925-1-tabba@google.com?part=4