From: sashiko-bot@kernel.org
To: "Fuad Tabba" <tabba@google.com>
Cc: "Marc Zyngier" <maz@kernel.org>,
kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH v2 6/7] KVM: arm64: Set IL for nested SError injection
Date: Thu, 18 Jun 2026 12:33:48 +0000 [thread overview]
Message-ID: <20260618123349.1F2ED1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260618121643.4105064-7-tabba@google.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] The SError syndrome constructed by `kvm_inject_nested_serror()` (including the newly added IL bit) is a dead store because the downstream injection logic silently drops the syndrome.
- [High] When a Synchronous External Abort is routed to an SError via FEAT_DoubleFault2 (`EASE`), KVM incorrectly populates the ESR with an IABT or DABT Exception Class (EC) instead of the architectural SError EC.
--
commit 889dc0193654a25a0ce52006ebe91e58fc4c4ed8
Author: Fuad Tabba <tabba@google.com>
KVM: arm64: Set IL for nested SError injection
This patch modifies kvm_inject_nested_serror() to unconditionally set the IL
bit in the SError syndrome, as mandated by the architecture.
> diff --git a/arch/arm64/kvm/emulate-nested.c b/arch/arm64/kvm/emulate-nested.c
> index b74369e9ad7ff..6f12496cae815 100644
> --- a/arch/arm64/kvm/emulate-nested.c
> +++ b/arch/arm64/kvm/emulate-nested.c
> @@ -2938,6 +2938,6 @@ int kvm_inject_nested_serror(struct kvm_vcpu *vcpu, u64 esr)
> * vSError injection. Manually populate EC for an emulated SError
> * exception.
> */
> - esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR);
> + esr |= FIELD_PREP(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR) | ESR_ELx_IL;
> return kvm_inject_nested(vcpu, esr, except_type_serror);
> }
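Review bot: the comment directly above the changed line (`* vSError injection. Manually populate EC for an emulated SError` / `* exception.`) now describes only part of what the line does, since it also ORs in `ESR_ELx_IL`; update it to say that both EC and IL are populated, with the one-line reason from the commit message (the architecture requires IL in the SError syndrome), so the next reader does not take the IL bit for an accident. Also, because the value is only consumed by `kvm_inject_nested(vcpu, esr, except_type_serror)` outside this hunk, the fix is effective only if the `except_type_serror` path actually writes `esr` into the guest's ESR_EL2; please confirm that in the same series, otherwise the IL bit set here is never observed.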
[Severity: High]
This isn't a bug introduced by this patch, but does the constructed syndrome
value get silently dropped downstream?
Looking at kvm_inject_nested(), it forwards the esr to
kvm_inject_el2_exception():
arch/arm64/kvm/emulate-nested.c:kvm_inject_el2_exception() {
...
case except_type_serror:
kvm_pend_exception(vcpu, EXCEPT_AA64_EL2_SERR);
break;
...
}
The except_type_serror case doesn't write esr_el2 to ESR_EL2 (unlike the
except_type_sync case), and downstream exception entry code doesn't write
it either.
The constructed payload appears to be entirely discarded.
Would the nested hypervisor observe a stale ESR_EL2 value when taking the
SError, rendering this fix functionally ineffective?
[Severity: High]
This is a pre-existing issue, but when a Synchronous External Abort is routed
to an SError via EASE (FEAT_DoubleFault2), does KVM incorrectly populate the
ESR with an Abort Exception Class instead of SError?
In kvm_inject_nested_sea(), if SCTLR2_EL1_EASE is set, an SError is requested
using an ESR constructed with an Abort EC:
arch/arm64/kvm/emulate-nested.c:kvm_inject_nested_sea() {
...
if (__vcpu_sys_reg(vcpu, SCTLR2_EL2) & SCTLR2_EL1_EASE)
return kvm_inject_nested(vcpu, esr, except_type_serror);
...
}
Similarly in arch/arm64/kvm/inject_fault.c:inject_abt64(), the ESR is
populated with ESR_ELx_EC_IABT_* or ESR_ELx_EC_DABT_* before being written.
Architecturally, all SError interrupts must have an SError Exception Class,
even when representing a routed SEA.
Does supplying an Abort EC violate the architecture and provide the guest with
a malformed exception syndrome?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260618121643.4105064-1-tabba@google.com?part=6
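The two review points above both come down to one invariant: whatever ESR a guest observes on SError entry must carry the SError Exception Class and the IL bit. The following is an added example, not code from the patch series or from KVM, that models the ESR_ELx field layout with a stand-in for the kernel's FIELD_PREP() and shows a checker for that invariant. The constant values are the architectural ones; the helper names (`build_serror_esr`, `serror_esr_is_well_formed`, `sea_esr_with_abort_ec`, `rewrite_ec_for_serror`) are assumptions made up for this example, and the ISS-preserving rewrite is illustrative only, since a real implementation would have to rebuild the ISS for the SError encoding.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ESR_ELx layout (Arm ARM): EC bits [31:26], IL bit [25], ISS bits [24:0]. */
#define ESR_ELx_EC_SHIFT     26
#define ESR_ELx_EC_MASK      (0x3fULL << ESR_ELx_EC_SHIFT)
#define ESR_ELx_IL           (1ULL << 25)
#define ESR_ELx_ISS_MASK     ((1ULL << 25) - 1)

/* Architectural Exception Class values referenced by the review. */
#define ESR_ELx_EC_IABT_LOW  0x20
#define ESR_ELx_EC_IABT_CUR  0x21
#define ESR_ELx_EC_DABT_LOW  0x24
#define ESR_ELx_EC_DABT_CUR  0x25
#define ESR_ELx_EC_SERROR    0x2f

/* Stand-in for the kernel's FIELD_PREP()/FIELD_GET(): shift into / out of a mask. */
static uint64_t field_prep(uint64_t mask, uint64_t val)
{
    return (val << __builtin_ctzll(mask)) & mask;
}

static uint64_t field_get(uint64_t mask, uint64_t reg)
{
    return (reg & mask) >> __builtin_ctzll(mask);
}

/* Mirrors the post-patch construction in the hunk: EC = SError, IL set. */
uint64_t build_serror_esr(uint64_t esr)
{
    return esr | field_prep(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR) | ESR_ELx_IL;
}

/* Hypothetical check: is this ESR acceptable to deliver as an SError? */
bool serror_esr_is_well_formed(uint64_t esr)
{
    return field_get(ESR_ELx_EC_MASK, esr) == ESR_ELx_EC_SERROR &&
           (esr & ESR_ELx_IL) != 0;
}

/* Models the EASE problem the review describes: an abort syndrome
 * (IABT/DABT EC) handed unchanged to the SError injection path. */
uint64_t sea_esr_with_abort_ec(bool is_iabt, uint64_t iss)
{
    uint64_t ec = is_iabt ? ESR_ELx_EC_IABT_CUR : ESR_ELx_EC_DABT_CUR;
    return field_prep(ESR_ELx_EC_MASK, ec) | ESR_ELx_IL | (iss & ESR_ELx_ISS_MASK);
}

/* Hypothetical fix-up: replace the EC field with SError, keep IL and ISS.
 * Illustrative only; the ISS would need re-encoding for a real SError. */
uint64_t rewrite_ec_for_serror(uint64_t esr)
{
    return (esr & ~ESR_ELx_EC_MASK) | field_prep(ESR_ELx_EC_MASK, ESR_ELx_EC_SERROR);
}

int main(void)
{
    uint64_t good = build_serror_esr(0);
    uint64_t bad  = sea_esr_with_abort_ec(true, 0x10);   /* constructed ISS value */

    printf("emulated SError ESR: 0x%08llx well-formed=%d\n",
           (unsigned long long)good, serror_esr_is_well_formed(good));
    printf("SEA routed via EASE: 0x%08llx well-formed=%d (EC=0x%02llx)\n",
           (unsigned long long)bad, serror_esr_is_well_formed(bad),
           (unsigned long long)field_get(ESR_ELx_EC_MASK, bad));
    printf("after EC rewrite:    0x%08llx well-formed=%d\n",
           (unsigned long long)rewrite_ec_for_serror(bad),
           serror_esr_is_well_formed(rewrite_ec_for_serror(bad)));
    return 0;
}
```

Running it prints 0xbe000000 for the emulated SError syndrome (EC 0x2f in bits 31:26 plus IL), and shows the EASE case failing the check with EC 0x21 until the EC field is rewritten.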
Thread overview: 21+ messages
2026-06-18 12:16 [PATCH v2 0/7] KVM: arm64: Fix missing ESR_ELx.IL in syndrome injection Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 1/7] KVM: arm64: Set ESR_ELx.IL for injected undefined exceptions at EL2 Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 2/7] KVM: arm64: Unconditionally set IL for injected undefined exceptions Fuad Tabba
2026-06-18 12:30 ` sashiko-bot
2026-06-18 14:41 ` Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 3/7] KVM: arm64: Unconditionally set IL for injected abort exceptions Fuad Tabba
2026-06-18 12:29 ` sashiko-bot
2026-06-18 14:47 ` Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 4/7] KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation Fuad Tabba
2026-06-18 12:28 ` sashiko-bot
2026-06-18 12:39 ` Fuad Tabba
2026-06-18 12:48 ` Marc Zyngier
2026-06-18 14:24 ` Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 5/7] KVM: arm64: Set IL for emulated SError injection Fuad Tabba
2026-06-18 12:32 ` sashiko-bot
2026-06-18 15:03 ` Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 6/7] KVM: arm64: Set IL for nested " Fuad Tabba
2026-06-18 12:33 ` sashiko-bot [this message]
2026-06-18 15:06 ` Fuad Tabba
2026-06-18 12:16 ` [PATCH v2 7/7] KVM: arm64: Set IL in fake ESR for pKVM memory sharing exit Fuad Tabba
2026-06-18 15:47 ` [PATCH v2 0/7] KVM: arm64: Fix missing ESR_ELx.IL in syndrome injection Fuad Tabba