From: Marc Zyngier <maz@kernel.org>
To: sashiko-reviews@lists.linux.dev
Cc: "Fuad Tabba" <tabba@google.com>,
	kvmarm@lists.linux.dev, "Oliver Upton" <oupton@kernel.org>
Subject: Re: [PATCH v2 4/7] KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation
Date: Thu, 18 Jun 2026 13:48:53 +0100	[thread overview]
Message-ID: <86cxxorp3e.wl-maz@kernel.org> (raw)
In-Reply-To: <20260618122808.1369D1F000E9@smtp.kernel.org>

On Thu, 18 Jun 2026 13:28:07 +0100,
sashiko-bot@kernel.org wrote:
> 
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [High] The constructed FPAC exception syndrome incorrectly maps the ERET ISS encoding directly to the FPAC ISS encoding, resulting in malformed ISS[2:0] bits being injected into the guest.
> --
> 
> commit 27996a8004c4285e2d114067b3fc644f3f649d64
> Author: Fuad Tabba <tabba@google.com>
> KVM: arm64: Set IL for injected FPAC exceptions during ERET emulation
> 
> This commit sets the IL (Instruction Length) bit for the FPAC syndrome
> constructed during nested ERET emulation. Since ERET and its authenticated
> variants are always A64 32-bit instructions, the IL bit must be set to 1.
> 
> > diff --git a/arch/arm64/kvm/emulate-nested.c b/arch/arm64/kvm/emulate-nested.c
> > index dba7ced74ca5e..b74369e9ad7ff 100644
> > --- a/arch/arm64/kvm/emulate-nested.c
> > +++ b/arch/arm64/kvm/emulate-nested.c
> > @@ -2776,7 +2776,7 @@ void kvm_emulate_nested_eret(struct kvm_vcpu *vcpu)
> >  		 * ERET handling, and the guest will have a little surprise.
> >  		 */
> >  		if (kvm_has_pauth(vcpu->kvm, FPACCOMBINE) && !(spsr & PSR_IL_BIT)) {
> > -			esr &= ESR_ELx_ERET_ISS_ERETA;
> > +			esr &= (ESR_ELx_ERET_ISS_ERETA | ESR_ELx_IL);
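Review bot: the `&=` on the `+` line keeps ESR_ELx.IL only if the trapped ERET syndrome already had it set, rather than forcing it to 1 as the commit message says it must be; that holds because a trapped ERET is always a 32-bit A64 instruction, so the result is correct, but a one-line comment stating that assumption (or an explicit `esr |= ESR_ELx_IL;` after the mask) would make the intent visible to the next reader.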
> 
> [Severity: High]
> This isn't a bug introduced by this patch, but does this mapping of the ERET
> ISS to the FPAC ISS result in malformed ISS[2:0] bits being injected into
> the guest?
> 
> For an ERET trap (EC=0x1A), ISS[0] indicates the key used (0 for ERETAA,
> 1 for ERETAB). For an FPAC exception (EC=0x1C), ISS[0] is the Instruction
> Type (must be 1 for a branch/return instruction), and ISS[2:1] indicates
> the Authentication Key.

No. Not at all. ESR_ELx_EC_FPAC (0x1C) defines ISS[0] as BnA. Which
matches the definition for ERET. On purpose. See ARM DDI 0487, version
M.b, D24-8777.

>
> By retaining the ERET ISS[0] bit and clearing the rest, it appears KVM
> inadvertently maps the ERET key type directly into the FPAC Instruction
> Type bit, while leaving the FPAC key type (ISS[2:1]) always at 00.
> 
> Consequently, wouldn't ERETAA be injected with an FPAC ISS of 0 (wrong
> instruction type), and ERETAB get an FPAC ISS of 1 (wrong key type)?

Yes, and that'd be correct.

I don't know who told Sashiko about the ARM ARM, but it doesn't seem
to parse it correctly.

	M.

-- 
Without deviation from the norm, progress is not possible.
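To make the bit mapping under discussion concrete, here is an added stand-alone C model of the syndrome rewrite (example code written for this page, not the kernel's own kvm_emulate_nested_eret()): it keeps ISS[0] and IL from the ERET trap ESR, re-tags the EC as FPAC, and then checks the injected syndrome the way a reader of the thread would. The macro names are local to the example; the bit positions assume the ESR_ELx layout (EC in [31:26], IL at bit 25, ISS in [24:0]) and the ERET ISS encoding discussed above (ISS[1] = authenticated variant, ISS[0] = key B, which FPAC reads as BnA).

```c
#include <stdint.h>
#include <stdbool.h>

/* ESR_ELx layout assumed by this example: EC in bits [31:26],
 * IL at bit 25, ISS in bits [24:0].  Names are local to the example. */
#define ESR_EC_SHIFT        26
#define ESR_EC_MASK         (0x3Fu << ESR_EC_SHIFT)
#define ESR_IL              (1u << 25)
#define ESR_ISS_MASK        0x01FFFFFFu
#define ESR_EC_ERET         0x1Au  /* trapped ERET / ERETAA / ERETAB */
#define ESR_EC_FPAC         0x1Cu  /* pointer authentication failure */
#define ESR_ERET_ISS_ERET   0x2u   /* ISS[1]: 1 = ERETAA/ERETAB, 0 = plain ERET */
#define ESR_ERET_ISS_ERETA  0x1u   /* ISS[0]: 0 = key A, 1 = key B; FPAC reads it as BnA */

static inline uint32_t esr_ec(uint32_t esr)
{
    return (esr & ESR_EC_MASK) >> ESR_EC_SHIFT;
}

/* Constructed ERET trap syndrome as EL2 would see it: EC=0x1A, IL=1
 * (ERET is a 32-bit A64 instruction), ISS[1]=authenticated, ISS[0]=key. */
uint32_t make_eret_trap_esr(bool key_b)
{
    return (ESR_EC_ERET << ESR_EC_SHIFT) | ESR_IL |
           ESR_ERET_ISS_ERET | (key_b ? ESR_ERET_ISS_ERETA : 0u);
}

/* The rewrite discussed in the thread: keep ISS[0] (BnA) and IL from the
 * ERET trap syndrome, drop every other ISS bit, and re-tag the EC as FPAC. */
uint32_t eret_trap_to_fpac_esr(uint32_t eret_esr)
{
    uint32_t esr = eret_esr & (ESR_ERET_ISS_ERETA | ESR_IL);

    esr |= ESR_EC_FPAC << ESR_EC_SHIFT;
    return esr;
}

/* Consistency check on the injected FPAC syndrome: EC=0x1C, IL set, and
 * ISS[0] equal to the key bit of the original ERET (BnA); all other ISS
 * bits clear. */
bool fpac_esr_is_consistent(uint32_t fpac_esr, bool expected_key_b)
{
    if (esr_ec(fpac_esr) != ESR_EC_FPAC)
        return false;
    if (!(fpac_esr & ESR_IL))
        return false;
    return (fpac_esr & ESR_ISS_MASK) == (expected_key_b ? 1u : 0u);
}
```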
