Date: Wed, 17 Jun 2026 17:23:46 +0100
Message-ID: <86tsr1rv8t.wl-maz@kernel.org>
From: Marc Zyngier
To: Fuad Tabba
Cc: sashiko-reviews@lists.linux.dev, kvmarm@lists.linux.dev, Oliver Upton
Subject: Re: [PATCH] KVM: arm64: nv: Fix PSTATE construction on illegal exception return
In-Reply-To:
References: <20260617144907.2972095-1-tabba@google.com> <20260617150438.66E3A1F000E9@smtp.kernel.org>
X-Mailing-List: kvmarm@lists.linux.dev

On Wed, 17 Jun 2026 16:29:09 +0100,
Fuad Tabba wrote:
>
> On Wed, 17 Jun 2026 at 16:04, wrote:
> >
> > Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> >
> > Pre-existing issues:
> > - [High] Incomplete PSTATE allowlist on illegal exception return causes guest state corruption
> >
> > --
> >
> > commit 93d5c5c2769fe9f58076ca66eb01cbe04fd87921
> > Author: Fuad Tabba
> >
> > KVM: arm64: nv: Fix PSTATE construction on illegal exception return
> >
> > This commit updates PSTATE construction during an illegal exception return
> > to correctly source flags and masks from the SPSR being returned to, as
> > per ARM rule R_VWJHB. It constructs the PSTATE by taking these fields from
> > the SPSR while preserving EL, SP, nRW, and EXLOCK from the current PSTATE.
> >
> > Link: https://lore.kernel.org/all/86wlvxs5r0.wl-maz@kernel.org/
> >
> > > diff --git a/arch/arm64/kvm/emulate-nested.c b/arch/arm64/kvm/emulate-nested.c
> > > index dba7ced74ca5e..ace2b40cf8756 100644
> > > --- a/arch/arm64/kvm/emulate-nested.c
> > > +++ b/arch/arm64/kvm/emulate-nested.c
> > > @@ -2738,17 +2738,30 @@ static u64 kvm_check_illegal_exception_return(struct kvm_vcpu *vcpu, u64 spsr)
> >
> > [ ... ]
> >
> > > + mask = PSR_D_BIT | PSR_A_BIT | PSR_I_BIT | PSR_F_BIT |
> > > + PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT;
> > > +
> > > + if (kvm_has_feat(vcpu->kvm, ID_AA64MMFR1_EL1, PAN, IMP))
> > > + mask |= PSR_PAN_BIT;
> > > + if (kvm_has_feat(vcpu->kvm, ID_AA64PFR1_EL1, NMI, IMP))
> > > + mask |= ALLINT_ALLINT;
> > > + /* FEAT_SPE_EXC and FEAT_TRBE_EXC also gate PSTATE.PM one day... */
> > > + if (kvm_has_feat(vcpu->kvm, ID_AA64DFR1_EL1, EBEP, IMP))
> > > + mask |= BIT_ULL(32); /* PSTATE.PM */
> > > +
> > > + spsr &= mask;
> >
> > [Severity: High]
> > This is a pre-existing issue, but this explicit allowlist approach seems to
> > omit several architecturally defined and KVM-supported PSTATE fields.
> >
> > For example, PSR_SSBS_BIT, PSR_DIT_BIT, PSR_UAO_BIT, PSR_TCO_BIT, and
> > PSR_BTYPE_MASK are not included in the mask. Because spsr is masked with
> > this incomplete allowlist, won't these valid bits be silently zeroed out
> > instead of being preserved?
> >
> > When the guest takes the resulting Illegal State Exception, its SPSR_ELx
> > will have lost these bits, which could corrupt the guest's architectural
> > state and break guest exception handlers that rely on them.
> >
> > Would a denylist approach (masking out only the mode bits and EXLOCK from
> > SPSR and taking them from CPSR) be safer to ensure all relevant bits are
> > retained?
>
> I don't think so, but Marc, please correct me if I'm wrong.
>
> My reading of the ARM ARM is that these fields are UNKNOWN on an illegal
> exception return, not preserved. R_VWJHB says "All of the following are
> UNKNOWN" and lists PSTATE.{UAO, DIT, TCO, SSBS, BTYPE, PACM}. If that is
> right, masking them to 0 is a valid realisation of UNKNOWN rather than a
> loss of state, since a guest cannot rely on them surviving an illegal ERET.

Correct.
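Review bot: in the EBEP branch of the hunk, PSTATE.PM is expressed as a raw position, `mask |= BIT_ULL(32); /* PSTATE.PM */`, while every other field in the same mask uses a named PSR_*_BIT / ALLINT_ALLINT constant; a `PSR_PM_BIT` definition next to the other PSR_* bits would keep the allowlist self-describing and give the FEAT_SPE_EXC / FEAT_TRBE_EXC gating that the preceding comment anticipates a single name to reuse rather than a second literal `32`.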
R_VWJHB is pretty clear that these bits are UNKNOWN, and therefore 0 is a
perfect value for it.

I'm already getting tired of Sashiko.

	M.

-- 
Without deviation from the norm, progress is not possible.
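The two constructions argued over in the thread, side by side, as an added example that is not part of the mail thread or of KVM's own code: the allowlist from the patch (flags and masks from the SPSR, EL/SP/nRW/EXLOCK kept from the current PSTATE, feature-gated bits only when the guest's ID registers advertise them) next to the denylist the review bot proposed, with a helper that shows exactly which bits the two disagree on. The PSR_* values, ALLINT_ALLINT, the bit-32 position for PM and the bit-34 position for EXLOCK are copied in here as assumptions so the file builds outside the kernel tree; `struct guest_feats` stands in for the `kvm_has_feat()` checks, and PACM, which R_VWJHB also lists, is left out because the page gives no define for it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* PSTATE/SPSR bit positions, copied here as an assumption (they are meant to
 * mirror the arm64 PSR_* definitions) so this builds outside the kernel. */
#define PSR_MODE_MASK   0x0000000fULL   /* M[3:0]: EL and SP selection */
#define PSR_MODE32_BIT  0x00000010ULL   /* M[4]: nRW */
#define PSR_F_BIT       0x00000040ULL
#define PSR_I_BIT       0x00000080ULL
#define PSR_A_BIT       0x00000100ULL
#define PSR_D_BIT       0x00000200ULL
#define PSR_BTYPE_MASK  0x00000c00ULL
#define PSR_SSBS_BIT    0x00001000ULL
#define ALLINT_ALLINT   0x00002000ULL
#define PSR_PAN_BIT     0x00400000ULL
#define PSR_UAO_BIT     0x00800000ULL
#define PSR_DIT_BIT     0x01000000ULL
#define PSR_TCO_BIT     0x02000000ULL
#define PSR_V_BIT       0x10000000ULL
#define PSR_C_BIT       0x20000000ULL
#define PSR_Z_BIT       0x40000000ULL
#define PSR_N_BIT       0x80000000ULL
#define PSR_PM_BIT      (1ULL << 32)    /* assumed: PSTATE.PM, as in the patch */
#define PSR_EXLOCK_BIT  (1ULL << 34)    /* assumed: SPSR_ELx.EXLOCK position */

/* Fields R_VWJHB lists as UNKNOWN after an illegal exception return
 * (PACM omitted: no define for it on the page). */
#define ILLEGAL_ERET_UNKNOWN_MASK \
	(PSR_UAO_BIT | PSR_DIT_BIT | PSR_TCO_BIT | PSR_SSBS_BIT | PSR_BTYPE_MASK)

/* Fields that always come from the current PSTATE: EL, SP, nRW, EXLOCK. */
#define PSTATE_KEEP_MASK (PSR_MODE_MASK | PSR_MODE32_BIT | PSR_EXLOCK_BIT)

/* Stand-in for the kvm_has_feat() checks in the patch. */
struct guest_feats {
	bool pan;	/* ID_AA64MMFR1_EL1.PAN */
	bool nmi;	/* ID_AA64PFR1_EL1.NMI */
	bool ebep;	/* ID_AA64DFR1_EL1.EBEP */
};

/* Allowlist of SPSR bits carried into the new PSTATE: the flags and masks,
 * plus the optional fields only when the guest actually has the feature. */
static uint64_t illegal_eret_spsr_mask(const struct guest_feats *f)
{
	uint64_t mask = PSR_D_BIT | PSR_A_BIT | PSR_I_BIT | PSR_F_BIT |
			PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT;

	if (f->pan)
		mask |= PSR_PAN_BIT;
	if (f->nmi)
		mask |= ALLINT_ALLINT;
	if (f->ebep)
		mask |= PSR_PM_BIT;
	return mask;
}

/* Allowlist construction, the shape used by the patch under discussion. */
uint64_t pstate_allowlist(uint64_t cpsr, uint64_t spsr, const struct guest_feats *f)
{
	return (cpsr & PSTATE_KEEP_MASK) | (spsr & illegal_eret_spsr_mask(f));
}

/* Denylist construction, the shape the review bot proposed: keep every SPSR
 * bit except the ones that must be taken from the current PSTATE. */
uint64_t pstate_denylist(uint64_t cpsr, uint64_t spsr)
{
	return (cpsr & PSTATE_KEEP_MASK) | (spsr & ~PSTATE_KEEP_MASK);
}

/* Bits on which the two constructions disagree for this return. For a guest
 * whose ID registers advertise the gated features, these are exactly the
 * SPSR bits outside the allowlist, i.e. the UNKNOWN fields. */
uint64_t pstate_divergence(uint64_t cpsr, uint64_t spsr, const struct guest_feats *f)
{
	return pstate_allowlist(cpsr, spsr, f) ^ pstate_denylist(cpsr, spsr);
}

int main(void)
{
	/* Constructed sample: hypervisor at EL2h with EXLOCK set, returning to
	 * an SPSR that targets EL1h with N, Z, I, PAN and all UNKNOWN fields set. */
	const struct guest_feats f = { .pan = true, .nmi = false, .ebep = false };
	uint64_t cpsr = 0x9 | PSR_EXLOCK_BIT | PSR_D_BIT;
	uint64_t spsr = 0x5 | PSR_N_BIT | PSR_Z_BIT | PSR_I_BIT | PSR_PAN_BIT |
			ILLEGAL_ERET_UNKNOWN_MASK;

	printf("allowlist : 0x%" PRIx64 "\n", pstate_allowlist(cpsr, spsr, &f));
	printf("denylist  : 0x%" PRIx64 "\n", pstate_denylist(cpsr, spsr));
	printf("divergence: 0x%" PRIx64 "\n", pstate_divergence(cpsr, spsr, &f));
	return 0;
}
```

Running it shows the mode field and EXLOCK coming from `cpsr` in both variants, D dropped because it is sourced from the SPSR, and the only disagreement between the two constructions being the UAO/DIT/TCO/SSBS/BTYPE bits, which is the set Fuad's reply quotes from R_VWJHB as UNKNOWN.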