Re: [PATCH 1/3] KVM: arm64: Only read HPFAR_EL2 when value is architecturally valid

[Marc Zyngier <maz@kernel.org>]

On Tue, 01 Apr 2025 23:42:32 +0100,
Oliver Upton <oliver.upton@linux.dev> wrote:
> 
> KVM's logic for deciding when HPFAR_EL2 is UNKNOWN doesn't align with
> the architecture. Most notably, KVM assumes HPFAR_EL2 contains the
> faulting IPA even in the case of an SEA.
> 
> Align the logic with the architecture rather than attempting to
> paraphrase it. Additionally, take the opportunity to improve the
> language around ARM erratum #834220 such that it actually describes the
> bug.
> 
> Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
> ---
>  arch/arm64/include/asm/esr.h           |  1 +
>  arch/arm64/kvm/hyp/include/hyp/fault.h | 46 ++++++++++++++++----------
>  2 files changed, 29 insertions(+), 18 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
> index d1b1a33f9a8b..7b096ed87360 100644
> --- a/arch/arm64/include/asm/esr.h
> +++ b/arch/arm64/include/asm/esr.h
> @@ -121,6 +121,7 @@
>  #define ESR_ELx_FSC_SEA_TTW(n)	(0x14 + (n))
>  #define ESR_ELx_FSC_SECC	(0x18)
>  #define ESR_ELx_FSC_SECC_TTW(n)	(0x1c + (n))
> +#define ESR_ELx_FSC_ADDRESS	(0x00)

I think this should probably read "ADDRESS_SIZE", rather than just
"ADDRESS".

>
>  /* Status codes for individual page table levels */
>  #define ESR_ELx_FSC_ACCESS_L(n)	(ESR_ELx_FSC_ACCESS + (n))
> diff --git a/arch/arm64/kvm/hyp/include/hyp/fault.h b/arch/arm64/kvm/hyp/include/hyp/fault.h
> index 17df94570f03..84d165e17bd0 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/fault.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/fault.h
> @@ -44,31 +44,41 @@ static inline bool __translate_far_to_hpfar(u64 far, u64 *hpfar)
>  	return true;
>  }
>  
> +/*
> + * Checks for the conditions when HPFAR_EL2 is written, per DDI0487L.a D24.2.70.
> + */

You could also quote R_FKLWR, which was clarified in C23700 (Known
Issues L.a-03) by making the text clearer *and* adding a couple of
embarrassing typos (PFAR_EL2 instead of HPFAR_EL2). If anything, the
rule is more or less guaranteed to keep its reference, while the
numbering above will definitely move around.

> +static inline bool __hpfar_valid(u64 esr)
> +{
> +	/*
> +	 * CPUs affected by ARM erratum #834220 may incorrectly report a
> +	 * stage-2 translation fault when a stage-1 permission fault occurs.
> +	 *
> +	 * Re-walk the page tables to determine if a stage-1 fault actually
> +	 * occurred.
> +	 */
> +	if (cpus_have_final_cap(ARM64_WORKAROUND_834220) &&
> +	    esr_fsc_is_translation_fault(esr))
> +		return false;
> +
> +	if (esr_fsc_is_translation_fault(esr) || esr_fsc_is_access_flag_fault(esr))
> +		return true;
> +
> +	if ((esr & ESR_ELx_S1PTW) && esr_fsc_is_permission_fault(esr))
> +		return true;
> +
> +	return (esr & ESR_ELx_FSC) == ESR_ELx_FSC_ADDRESS;

Maybe add a esr_fsc_is_addr_sz_fault()?

> +}
> +
>  static inline bool __get_fault_info(u64 esr, struct kvm_vcpu_fault_info *fault)
>  {
>  	u64 hpfar, far;
>  
>  	far = read_sysreg_el2(SYS_FAR);
>  
> -	/*
> -	 * The HPFAR can be invalid if the stage 2 fault did not
> -	 * happen during a stage 1 page table walk (the ESR_EL2.S1PTW
> -	 * bit is clear) and one of the two following cases are true:
> -	 *   1. The fault was due to a permission fault
> -	 *   2. The processor carries errata 834220
> -	 *
> -	 * Therefore, for all non S1PTW faults where we either have a
> -	 * permission fault or the errata workaround is enabled, we
> -	 * resolve the IPA using the AT instruction.
> -	 */
> -	if (!(esr & ESR_ELx_S1PTW) &&
> -	    (cpus_have_final_cap(ARM64_WORKAROUND_834220) ||
> -	     esr_fsc_is_permission_fault(esr))) {
> -		if (!__translate_far_to_hpfar(far, &hpfar))
> -			return false;
> -	} else {
> +	if (__hpfar_valid(esr))
>  		hpfar = read_sysreg(hpfar_el2);
> -	}
> +	else if (!__translate_far_to_hpfar(far, &hpfar))
> +		return false;
>  
>  	fault->far_el2 = far;
>  	fault->hpfar_el2 = hpfar;

Otherwise looks OK to me.

	M.

-- 
Jazz isn't dead. It just smells funny.