[PATCH v2 3/6] KVM: arm64: Allow userspace to inject external instruction aborts

[Jiaqi Yan]

On Sat, Jul 12, 2025 at 12:47 PM Oliver Upton <oliver.upton at linux.dev> wrote:
>
> On Fri, Jul 11, 2025 at 04:58:57PM -0700, Jiaqi Yan wrote:
> > On Fri, Jul 11, 2025 at 12:42 PM Oliver Upton <oliver.upton at linux.dev> wrote:
> > >
> > > On Wed, Jun 04, 2025 at 05:08:58AM +0000, Jiaqi Yan wrote:
> > > > From: Raghavendra Rao Ananta <rananta at google.com>
> > > >
> > > > When KVM returns to userspace for KVM_EXIT_ARM_SEA, the userspace is
> > > > encouraged to inject the abort into the guest via KVM_SET_VCPU_EVENTS.
> > > >
> > > > KVM_SET_VCPU_EVENTS currently only allows injecting external data aborts.
> > > > However, the synchronous external abort that caused KVM_EXIT_ARM_SEA
> > > > is possible to be an instruction abort. Userspace is already able to
> > > > tell if an abort is due to data or instruction via kvm_run.arm_sea.esr,
> > > > by checking its Exception Class value.
> > > >
> > > > Extend the KVM_SET_VCPU_EVENTS ioctl to allow injecting instruction
> > > > abort into the guest.
> > > >
> > > > Signed-off-by: Raghavendra Rao Ananta <rananta at google.com>
> > > > Signed-off-by: Jiaqi Yan <jiaqiyan at google.com>
> > >
> > > Hmm. Since we expose an ESR value to userspace I get the feeling that we
> > > should allow the user to supply an ISS for the external abort, similar
> > > to what we already do for SErrors.
> >
> > Oh, I will create something in v3, by extending kvm_vcpu_events to
> > something like:
> >
> > struct {
> >   __u8 serror_pending;
> >   __u8 serror_has_esr;
> >   __u8 ext_dabt_pending;
> >   __u8 ext_iabt_pending;
> >   __u8 ext_abt_has_esr;  // <= new
> >   /* Align it to 8 bytes */
> >   __u8 pad[3];
> >   union {
> >     __u64 serror_esr;
> >     __u64 ext_abt_esr;  // <= new
>
> This doesn't work. The ABI allows userspace to pend both an SError and
> SEA, so we can't use the same storage for the ESR.

You are right, the implementation (__kvm_arm_vcpu_set_events) indeed
continues to inject SError after injecting SEA.

Then we may have to extend the size of exception and meanwhile reduce
the size of reserved, because I believe we want to place ext_abt_esr
into kvm_vcpu_events.exception. Something like:
struct kvm_vcpu_events {
  struct {
    __u8 serror_pending;
    __u8 serror_has_esr;
    __u8 ext_dabt_pending;
    __u8 ext_iabt_pending;
    __u8 ext_abt_has_esr;
    __u8 pad[3];
    __u64 serror_esr;
    __u64 ext_abt_esr;  // <= +64 bits
  } exception;
  __u32 reserved[10];  // <= -64 bits
};

The offset to kvm_vcpu_events .reserved changes; I don' think
userspace will read/write reserved (so its offset is probably not very
important?), but theoretically this is an ABI break.

Another safer but not very readable way is to add at the end:
struct kvm_vcpu_events {
  struct {
    __u8 serror_pending;
    __u8 serror_has_esr;
    __u8 ext_dabt_pending;
    __u8 ext_iabt_pending;
    __u8 ext_abt_has_esr;
    __u8 pad[3];
    __u64 serror_esr;
  } exception;
  __u32 reserved[10];  // <= -64 bits
  __u64 ext_abt_esr;  // <= +64 bits
};

Any better suggestions?

>
> >   };
> > } exception;
> >
> > One question about the naming since we cannot change it once
> > committed. Taking the existing SError injection as example, although
> > the name in kvm_vcpu_events is serror_has_esr, it is essentially just
> > the ISS fields of the ESR (which is also written in virt/kvm/api.rst).
> > Why named after "esr" instead of "iss"? The only reason I can think of
> > is, KVM wants to leave the room to accept more fields than ISS from
> > userspace. Does this reason apply to external aborts? Asking in case
> > if "iss" is a better name in kvm_vcpu_events, maybe for external
> > aborts, we should use ext_abt_has_iss?
>
> We will probably need to include more ESR fields in the future, like
> ESR_ELx.ISS2. So let's just keep the existing naming if that's OK with
> you.

Ack to "esr", thanks Oliver!

>
> Thanks,
> Oliver