From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Oliver Upton" <oupton@kernel.org>,
"Marc Zyngier" <maz@kernel.org>,
kvmarm@lists.linux.dev
Subject: Re: [PATCH v2 5/7] KVM: arm64: Set IL for emulated SError injection
Date: Thu, 18 Jun 2026 12:32:50 +0000 [thread overview]
Message-ID: <20260618123251.260FC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260618121643.4105064-6-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] kvm_inject_nested_sea() passes an Instruction/Data Abort EC instead of an SError EC when FEAT_EASE converts a Synchronous External Abort into an SError.
- [High] The constructed ESR for a nested SError is discarded during injection because kvm_inject_el2_exception() never writes it to the guest's ESR_EL2.
--
commit da891cfcd9b452feacd8b631f8c20dae39b009fc
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Set IL for emulated SError injection
kvm_inject_serror_esr() constructs an SError syndrome without IL. The
architecture mandates IL=1 for SError unconditionally.
> diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
> index 444d219b02174..d6c4fc16f8795 100644
> --- a/arch/arm64/kvm/inject_fault.c
> +++ b/arch/arm64/kvm/inject_fault.c
> @@ -381,7 +381,7 @@ int kvm_inject_serror_esr(struct kvm_vcpu *vcpu, u64 esr)
> */
> if (!serror_is_masked(vcpu)) {
> pend_serror_exception(vcpu);
> - esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR);
> + esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR) | ESR_ELx_IL;
> vcpu_write_sys_reg(vcpu, esr, exception_esr_elx(vcpu));
> return 1;
> }
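Review bot: Setting ESR_ELx_IL in the unmasked path is correct, since the architecture fixes IL at 1 for SError, but the hunk still ORs EC and IL into the caller-supplied `esr` rather than assigning them, so any EC bits a caller leaves in `esr` survive and merge with ESR_ELx_EC_SERROR. Consider clearing with `esr &= ~ESR_ELx_EC_MASK;` before the `|=`, or stating in the comment above kvm_inject_serror_esr() that callers must pass ISS bits only.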
[Severity: High]
This isn't a bug introduced by this patch, but while reviewing this SError
injection logic, I noticed an issue in how ESR is constructed for nested
SErrors. When SCTLR2_ELx.EASE is set and a Synchronous External Abort is
converted to an SError, does kvm_inject_nested_sea() pass an incorrect
Exception Class?
In arch/arm64/kvm/emulate-nested.c:kvm_inject_nested_sea():
if (__vcpu_sys_reg(vcpu, SCTLR2_EL2) & SCTLR2_EL1_EASE)
return kvm_inject_nested(vcpu, esr, except_type_serror);
The esr variable retains the previously constructed IABT/DABT Exception
Class instead of being reconstructed with ESR_ELx_EC_SERROR. Does this
present an invalid syndrome to the nested guest hypervisor, since the
architecture mandates that ESR_ELx.EC must be 0x2F (SError) when an
External abort is treated as an SError?
Also, does this unconditionally update FAR_EL2, which is architecturally
incorrect for an SError?
[Severity: High]
This is also a pre-existing issue, but there appears to be a problem where
the constructed ESR for a nested SError is discarded during injection. Does
kvm_inject_el2_exception() fail to write the esr_el2 argument to ESR_EL2?
In arch/arm64/kvm/emulate-nested.c:kvm_inject_el2_exception():
case except_type_serror:
kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_SERR);
break;
Unlike the synchronous exception case, the esr_el2 argument isn't written
to the guest's ESR_EL2. Since the downstream exception entry path
enter_exception64() does not write ESR_ELx, does this result in the nested
guest hypervisor receiving an SError with a stale, unmodified ESR_EL2?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618121643.4105064-1-tabba@google.com?part=5
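An added example, not code from the patch or the kernel tree: a stand-alone C model of the ESR_ELx encoding with the before/after SError construction and a validity check that flags both defects raised in this review (IL left clear, and an abort EC left in an SError syndrome). The constant names follow asm/esr.h but are redefined locally, and the inputs in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ESR_ELx layout: EC in bits [31:26], IL in bit 25, ISS in bits [24:0].
 * The constants mirror the kernel's asm/esr.h values but are redefined
 * here so this stand-alone example builds without kernel headers. */
#define ESR_ELx_EC_SHIFT     26
#define ESR_ELx_EC_MASK      (0x3FULL << ESR_ELx_EC_SHIFT)
#define ESR_ELx_IL           (1ULL << 25)
#define ESR_ELx_EC_DABT_LOW  0x24ULL
#define ESR_ELx_EC_SERROR    0x2FULL

static uint64_t esr_ec(uint64_t esr)
{
	return (esr & ESR_ELx_EC_MASK) >> ESR_ELx_EC_SHIFT;
}

/* Pre-patch construction: EC is ORed into the caller's ISS bits, IL stays 0. */
static uint64_t serror_esr_before(uint64_t iss)
{
	return iss | (ESR_ELx_EC_SERROR << ESR_ELx_EC_SHIFT);
}

/* Post-patch construction: IL is set unconditionally, as the architecture requires. */
static uint64_t serror_esr_after(uint64_t iss)
{
	return serror_esr_before(iss) | ESR_ELx_IL;
}

/* Check a syndrome the way a nested hypervisor would read it: an SError must
 * carry EC 0x2F and IL=1; anything else is a malformed injection. */
static bool esr_is_valid_serror(uint64_t esr)
{
	return esr_ec(esr) == ESR_ELx_EC_SERROR && (esr & ESR_ELx_IL) != 0;
}

int main(void)
{
	/* Constructed inputs: an ISS-only value, and a Data Abort syndrome that
	 * the nested SEA path would pass on unchanged (the review's first issue). */
	uint64_t iss = 0x1;
	uint64_t stale_dabt = (ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT) | ESR_ELx_IL;
	uint64_t before = serror_esr_before(iss), after = serror_esr_after(iss);

	printf("before patch: 0x%llx valid=%d\n", (unsigned long long)before, esr_is_valid_serror(before));
	printf("after patch:  0x%llx valid=%d\n", (unsigned long long)after, esr_is_valid_serror(after));
	printf("stale DABT EC as SError: valid=%d\n", esr_is_valid_serror(stale_dabt));
	return 0;
}
```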