From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH v2 2/7] KVM: arm64: Unconditionally set IL for injected undefined exceptions
Date: Thu, 18 Jun 2026 12:30:42 +0000
Message-ID: <20260618123043.5D1C21F000E9@smtp.kernel.org>
In-Reply-To: <20260618121643.4105064-3-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Nested SError exception injection silently drops the ESR_EL2 value.
--
commit e7d1337c1e8d6db55c7b9ce2682f4c52e85c3f44
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Unconditionally set IL for injected undefined exceptions
This commit simplifies the inject_undef64() exception injection path by
unconditionally setting the IL bit, as the architecture mandates IL=1 for
EC=0 (Unknown).
> diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
> index 89982bd3345f6..9dfae1bcdf992 100644
> --- a/arch/arm64/kvm/inject_fault.c
> +++ b/arch/arm64/kvm/inject_fault.c
> @@ -170,14 +170,7 @@ void kvm_inject_sync(struct kvm_vcpu *vcpu, u64 esr)
>
> static void inject_undef64(struct kvm_vcpu *vcpu)
> {
> - u64 esr = (ESR_ELx_EC_UNKNOWN << ESR_ELx_EC_SHIFT);
> -
> - /*
> - * Build an unknown exception, depending on the instruction
> - * set.
> - */
> - if (kvm_vcpu_trap_il_is32bit(vcpu))
> - esr |= ESR_ELx_IL;
> + u64 esr = (ESR_ELx_EC_UNKNOWN << ESR_ELx_EC_SHIFT) | ESR_ELx_IL;
>
> kvm_inject_sync(vcpu, esr);
> }
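Review bot: the deleted comment was the only place that explained why IL is set in inject_undef64(), and the new single line `u64 esr = (ESR_ELx_EC_UNKNOWN << ESR_ELx_EC_SHIFT) | ESR_ELx_IL;` gives a later reader no hint that IL=1 is an architectural requirement for EC=0 rather than a copy of the trapped instruction's width, which is what the removed kvm_vcpu_trap_il_is32bit() test did; consider keeping a one-line comment above the assignment, e.g. `/* The architecture mandates IL=1 for EC=0 (Unknown). */`. The hunk itself is consistent: the header's 14 -> 7 line count matches eight removed and one added line, and with the is32bit dependency gone, vcpu is only passed through to kvm_inject_sync(), so no further change is needed here.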
[Severity: High]
This isn't a bug introduced by this patch, but while reviewing the exception
injection changes, I noticed a pre-existing issue in the nested SError
injection path.
In arch/arm64/kvm/emulate-nested.c, kvm_inject_nested_serror() constructs
the ESR for the nested SError and passes it down to kvm_inject_nested():
arch/arm64/kvm/emulate-nested.c:kvm_inject_nested_serror() {
	...
	esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR);
	return kvm_inject_nested(vcpu, esr, except_type_serror);
}
However, when this esr reaches kvm_inject_el2_exception(), the value is
silently discarded:
arch/arm64/kvm/emulate-nested.c:kvm_inject_el2_exception() {
	...
	switch (type) {
	case except_type_sync:
		kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_SYNC);
		vcpu_write_sys_reg(vcpu, esr_el2, ESR_EL2);
		break;
	case except_type_irq:
		kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_IRQ);
		break;
	case except_type_serror:
		kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_SERR);
		break;
	...
}
Because the except_type_serror case breaks without writing esr_el2 to
ESR_EL2 (unlike the except_type_sync case), the constructed syndrome is
completely dropped.
Since enter_exception64() does not dynamically update ESR_ELx, will the
guest hypervisor observe a stale ESR_EL2 when handling the injected SError?
Could this cause the guest to misinterpret the error, potentially leading
to incorrect functional behavior or a guest panic?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618121643.4105064-1-tabba@google.com?part=2
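The two syndrome-injection points discussed in this thread, as a stand-alone C model added here for illustration; it is not code from the message, the patch or the kernel. The EC/IL bit positions follow the ESR_ELx register layout (EC in bits [31:26], IL in bit [25]); the `model_vcpu` struct, the `model_*` functions and the `write_esr_for_serror` switch are constructed stand-ins for the kernel's vcpu state and for kvm_inject_el2_exception(), with one flag selecting between the behaviour the review describes (ESR_EL2 untouched for an SError) and the corrected behaviour (ESR_EL2 written as in the sync case).

```c
/*
 * Added example, not kernel code: a minimal model of ESR_ELx syndrome
 * injection. Bit layout follows the architectural ESR_ELx format; the
 * vcpu struct and injection switch are constructed for illustration.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint64_t u64;

#define ESR_ELx_EC_SHIFT	26
#define ESR_ELx_EC_MASK		(0x3FULL << ESR_ELx_EC_SHIFT)
#define ESR_ELx_IL		(1ULL << 25)
#define ESR_ELx_EC_UNKNOWN	0x00ULL
#define ESR_ELx_EC_SERROR	0x2FULL

enum model_except_type { except_type_sync, except_type_irq, except_type_serror };
enum model_pending { EXCEPT_NONE, EXCEPT_AA64_EL2_SYNC, EXCEPT_AA64_EL2_IRQ,
		     EXCEPT_AA64_EL2_SERR };

/* Constructed stand-in for the vCPU: only what this model touches. */
struct model_vcpu {
	u64 esr_el2;		/* the guest hypervisor's ESR_EL2 */
	enum model_pending pending;
};

/* Syndrome for an injected Unknown exception, built as the patch builds it:
 * EC=0 with IL always set, because the architecture requires IL=1 for EC=0. */
static u64 undef_esr(void)
{
	return (ESR_ELx_EC_UNKNOWN << ESR_ELx_EC_SHIFT) | ESR_ELx_IL;
}

/* Sanity check a syndrome before injection: the EC values this series
 * touches (Unknown and SError) both require IL=1. */
static bool esr_is_well_formed(u64 esr)
{
	u64 ec = (esr & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT;

	if ((ec == ESR_ELx_EC_UNKNOWN || ec == ESR_ELx_EC_SERROR) && !(esr & ESR_ELx_IL))
		return false;
	return true;
}

/* Model of the EL2 injection switch. With write_esr_for_serror == false the
 * SError case leaves ESR_EL2 alone, as the review describes; with it true the
 * case writes the syndrome the way the sync case does. */
static void model_inject_el2(struct model_vcpu *vcpu, u64 esr_el2,
			     enum model_except_type type, bool write_esr_for_serror)
{
	switch (type) {
	case except_type_sync:
		vcpu->pending = EXCEPT_AA64_EL2_SYNC;
		vcpu->esr_el2 = esr_el2;
		break;
	case except_type_irq:
		vcpu->pending = EXCEPT_AA64_EL2_IRQ;
		break;
	case except_type_serror:
		vcpu->pending = EXCEPT_AA64_EL2_SERR;
		if (write_esr_for_serror)
			vcpu->esr_el2 = esr_el2;
		break;
	}
}

/* Inject a nested SError into a vCPU whose ESR_EL2 currently holds stale_esr
 * and return the value the guest hypervisor would then observe. */
static u64 observed_serror_esr(u64 stale_esr, bool fixed)
{
	struct model_vcpu vcpu = { .esr_el2 = stale_esr, .pending = EXCEPT_NONE };
	/* Same shape as FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR) | IL. */
	u64 esr = (ESR_ELx_EC_SERROR << ESR_ELx_EC_SHIFT) | ESR_ELx_IL;

	model_inject_el2(&vcpu, esr, except_type_serror, fixed);
	return vcpu.esr_el2;
}

int main(void)
{
	u64 stale = 0x1234;	/* constructed leftover value in ESR_EL2 */

	printf("undef ESR       : 0x%llx (well formed: %d)\n",
	       (unsigned long long)undef_esr(), esr_is_well_formed(undef_esr()));
	printf("SError, as-is   : 0x%llx\n", (unsigned long long)observed_serror_esr(stale, false));
	printf("SError, written : 0x%llx\n", (unsigned long long)observed_serror_esr(stale, true));
	return 0;
}
```

With the as-is behaviour the second line prints the stale 0x1234, which is the guest-visible symptom the review asks about; with the ESR_EL2 write in place the guest sees EC=0x2F with IL set instead.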