[PATCH] KVM: arm64: Correct BTYPE/SS in host SMC emulation

Tue May 7 07:57:34 PDT 2024

On Thu, May 02, 2024 at 07:00:20PM +0100, Marc Zyngier wrote:
> When taking a trap for an SMC instruction on the host, we must
> stau true to the letter of the architecture and perform all the

typo: stay

> actions that the CPU would otherwise do. Among those are clearing
> the BTYPE and SS bits.
> 
> Just do that.
> 
> Fixes: a805e1fb3099 ("KVM: arm64: Add SMC handler in nVHE EL2")
> Signed-off-by: Marc Zyngier <maz at kernel.org>
> ---
>  arch/arm64/kvm/hyp/include/hyp/adjust_pc.h | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h b/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> index 4fdfeabefeb4..b1afb7b59a31 100644
> --- a/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> +++ b/arch/arm64/kvm/hyp/include/hyp/adjust_pc.h
> @@ -47,7 +47,13 @@ static inline void __kvm_skip_instr(struct kvm_vcpu *vcpu)
>   */
>  static inline void kvm_skip_host_instr(void)
>  {
> +	u64 spsr = read_sysreg_el2(SYS_SPSR);
> +
>  	write_sysreg_el2(read_sysreg_el2(SYS_ELR) + 4, SYS_ELR);
> +
> +	spsr &= ~(PSR_BTYPE_MASK | DBG_SPSR_SS);
> +
> +	write_sysreg_el2(spsr, SYS_SPSR);

The handling of SS looks correct to me, but I think the BTYPE
manipulation could do with a little more commentary as it looks quite
subtle when the SMC is in a guarded page. Am I right in thinking:

   * If the SMC is in a guarded page, the Branch Target exception is
     higher priority (12) than the trap to EL2 and so the host will
     handle it.

   * Therefore if a trapping SMC is in a guarded page, BTYPE must be
     zero and we don't have to worry about injecting a Branch Target
     exception.

   * Otherwise, if the SMC is in a non-guarded page, we should clear it
     to 0 per the architecture (R_YWFHD).

?

Having said that, I can't actually find the priority of an SMC trapped
to EL2 by HCR_EL2.TSC in the Arm ARM. Trapped HVCs are priority 15 and
SMCs trapped to EL3 are priority 23.

Will