[PATCH v3 3/7] KVM: arm64: Handle DABT caused by LS64* instructions on unsupported memory

Marc Zyngier maz at kernel.org
Thu Jun 26 01:51:49 PDT 2025


On Thu, 26 Jun 2025 09:09:02 +0100,
Yicong Yang <yangyicong at huawei.com> wrote:
> 
> From: Yicong Yang <yangyicong at hisilicon.com>
> 
> If FEAT_LS64WB not supported, FEAT_LS64* instructions only support
> to access Device/Uncacheable memory, otherwise a data abort for
> unsupported Exclusive or atomic access (0x35) is generated per spec.
> It's implementation defined whether the target exception level is
> routed and is possible to implemented as route to EL2 on a VHE VM
> according to DDI0487K.a Section C3.2.12.2 Single-copy atomic 64-byte
> load/store.

Nit: in DDI0487L.b (the latest as I write), this is in C3.2.6.

> 
> If it's implemented as generate the DABT to the final enabled stage
> (stage-2), since no valid ISV indicated in the ESR, it's better for
> the userspace to decide how to handle it. Reuse the
> NISV_IO_ABORT_TO_USER path with exit reason KVM_EXIT_ARM_LDST64B.
> 
> Signed-off-by: Yicong Yang <yangyicong at hisilicon.com>
> ---
>  arch/arm64/include/asm/esr.h |  8 ++++++++
>  arch/arm64/kvm/mmu.c         | 21 ++++++++++++++++++++-
>  2 files changed, 28 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
> index e1deed824464..63cd17f830da 100644
> --- a/arch/arm64/include/asm/esr.h
> +++ b/arch/arm64/include/asm/esr.h
> @@ -124,6 +124,7 @@
>  #define ESR_ELx_FSC_SEA_TTW(n)	(0x14 + (n))
>  #define ESR_ELx_FSC_SECC	(0x18)
>  #define ESR_ELx_FSC_SECC_TTW(n)	(0x1c + (n))
> +#define ESR_ELx_FSC_EXCL_ATOMIC	(0x35)
>  #define ESR_ELx_FSC_ADDRSZ	(0x00)
>  
>  /*
> @@ -488,6 +489,13 @@ static inline bool esr_fsc_is_access_flag_fault(unsigned long esr)
>  	       (esr == ESR_ELx_FSC_ACCESS_L(0));
>  }
>  
> +static inline bool esr_fsc_is_excl_atomic_fault(unsigned long esr)
> +{
> +	esr = esr & ESR_ELx_FSC;
> +
> +	return esr == ESR_ELx_FSC_EXCL_ATOMIC;
> +}
> +
>  static inline bool esr_fsc_is_addr_sz_fault(unsigned long esr)
>  {
>  	esr &= ESR_ELx_FSC;
> diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
> index 2942ec92c5a4..5f05d1c4b5a2 100644
> --- a/arch/arm64/kvm/mmu.c
> +++ b/arch/arm64/kvm/mmu.c
> @@ -1665,6 +1665,24 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
>  	if (exec_fault && device)
>  		return -ENOEXEC;
>  
> +	/*
> +	 * Target address is normal memory on the Host. We come here
> +	 * because:
> +	 * 1) Guest map it as device memory and perform LS64 operations
> +	 * 2) VMM report it as device memory mistakenly
> +	 * Hand it to the userspace.
> +	 */
> +	if (esr_fsc_is_excl_atomic_fault(kvm_vcpu_get_esr(vcpu))) {
> +		struct kvm_run *run = vcpu->run;
> +
> +		run->exit_reason = KVM_EXIT_ARM_LDST64B;
> +		run->arm_nisv.esr_iss = kvm_vcpu_dabt_iss_nisv_sanitized(vcpu);
> +		run->arm_nisv.fault_ipa = fault_ipa |
> +			(kvm_vcpu_get_hfar(vcpu) & (vma_pagesize - 1));
> +
> +		return -EAGAIN;
> +	}

I'm not sure that's the right thing to do.

If:

- the guest was told it doesn't have LS64WB,

- it was told that some range is memory,

- it uses that range as device,

- thanks to FWB the resulting memory type is "Normal-Cacheable"

- which results in an Unsupported Atomic exception

why would we involve the VMM at all? The VMM clearly said it didn't
want to be involved in this (we have a memslot).

I think we should simply inject the corresponding S1 fault back into
the guest.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.



More information about the linux-arm-kernel mailing list