From patchwork Thu Feb 20 23:29:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiaqi Yan X-Patchwork-Id: 13984615 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 85F23C021B3 for ; Thu, 20 Feb 2025 23:35:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:Cc:To:From: Subject:Message-ID:Mime-Version:Date:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=16mDfwgtMHX4C5Bzktye9hLGYxEoL74KODcm/rd0Vtg=; b=H1YkhlNSrYeQEF36x4oo+kRWjM co0EG73KppDwtyR8OUv+GYLQ5QcpLgZk3KUtS4RADjym95ODgRDCB7FLp/dsA/FfE1P6ybe/ohyYA MflQkqqhHltU2woxtPVljBcNQFG6QdxwFz55KVm7+93gEk5eWRUIq3Xwcn7DlqKA2HujOC8ir+NRr 37/6a9crrSpTAVv+CEEkCpyqen1L2RPAQRDw/BR6Aa0BOzcx8F6VuEPB0tVj80tS4FLI+a/mZzVIA bL5uw221TfHcEECkywAvBp1NDJCiJFFaFuwOFR12UtPM0Y/WDq3oM36/yep/2lRWbV1yAfGX62TEM AUDipX9g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1tlG4H-00000003LJC-3GWC; Thu, 20 Feb 2025 23:34:57 +0000 Received: from mail-pj1-x1049.google.com ([2607:f8b0:4864:20::1049]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1tlFzY-00000003KD7-2sig for linux-arm-kernel@lists.infradead.org; Thu, 20 Feb 2025 23:30:06 +0000 Received: by mail-pj1-x1049.google.com with SMTP id 98e67ed59e1d1-2f83e54432dso4988924a91.2 for ; Thu, 20 Feb 2025 15:30:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740094203; x=1740699003; darn=lists.infradead.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=16mDfwgtMHX4C5Bzktye9hLGYxEoL74KODcm/rd0Vtg=; b=cxfAM4bwmN00cTx2r09cngSIsPjpO4jYXK1mxxqrWbkde3b40jFxvVNFX72luDAXx2 iGmLpdNmSMDEfPL4X81bJxqSRlvpZq9NvF8KaZquWbcvcFBZB0uKJ1sA6HKk3m4K9Cfr hKEqm5/7d3lvGn9Ul8Fav+DHHjhr8Ht2fHZ7XWZjYBW73Zj/s9c56R699iwugKvWaD8K t8Y6ilXZ3xL+nGptjDmsTQNhWoeie5yc+orWYgX1JlQYY1r3RfrWcErfPh7LvqG01e4Y ZMq603bJTOaGjC+UhF1FmwAwWF96+cj7wbYAQWVtT4tud5oq4eihYAKhv9KXXo0W2Rwg Nwxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740094203; x=1740699003; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=16mDfwgtMHX4C5Bzktye9hLGYxEoL74KODcm/rd0Vtg=; b=Jfh9x7OoQ75oxJ7FVoXs/Y6upZ3l4wtLXmuQILP7FkbUNWAMnW3t1k/t4XCK6g3jrC NpuFD7rAZocpFm6e9X4nIb90lbkZuF+uwW4S4JfOisoDIKM6IDBTDCdhsBeNeLcRa/9B nOp3YKsaL7ozpuOtfEt6i5n1dW32SCjG4bpV/rZ3uTFOy2c9SBGsUweMIgs/kab4thoO w/vl/g3i7N8NnSei322nwUmRDCQNRiU1iDSodHN3xiZZsIWCA/9LE2qGYORV4IIXqfS2 BPYS1QGsTFCEeAS4k21qs2cMav30T6NcghmTqIQcr7e2/LWB90FW1eWr8GuBEKfxmLJR OLWw== X-Forwarded-Encrypted: i=1; AJvYcCU+TFVd2WnX0A7bps/K81TYlspSCG7qz7Oskt4n15JWaf4cbhcweI8SNjndlgwJOjGEI0nAOVcydyKJKUwWJ/jN@lists.infradead.org X-Gm-Message-State: AOJu0Yy1eih2goi+I1Y8KF1xKsCC6GmtgyN8dStZEXKNxzmTIRC5VPug uOnj1TW7BVmZfp3GtRy2+jExAUwlyR3F9v2NIFlkAka7+L+buVTDdHODa7VaMz+hvMMBhXrpyz4 pEgjTAq9r3w== X-Google-Smtp-Source: AGHT+IE0UCb7fstOq8GvjQmovtZG7N52pSWA/eoj0xYpz/TJAddrAEm6ZQs55YbiR88DnJaYKlzvY93re7M0jA== X-Received: from pjg5.prod.google.com ([2002:a17:90b:3f45:b0:2ef:d136:17fc]) (user=jiaqiyan job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:3ece:b0:2ee:6d04:9dac with SMTP id 98e67ed59e1d1-2fce7b3e506mr1466909a91.32.1740094203403; Thu, 20 Feb 2025 15:30:03 -0800 (PST) Date: Thu, 20 Feb 2025 23:29:57 +0000 Mime-Version: 1.0 X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: <20250220232959.247600-1-jiaqiyan@google.com> Subject: [RFC PATCH v3 1/3] KVM: arm64: SIGBUS VMM for SEA guest abort From: Jiaqi Yan To: maz@kernel.org, oliver.upton@linux.dev Cc: joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, catalin.marinas@arm.com, will@kernel.org, pbonzini@redhat.com, corbet@lwn.net, kvm@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, duenwen@google.com, rananta@google.com, jthoughton@google.com, Jiaqi Yan X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250220_153004_757131_2CD0DEBE X-CRM114-Status: GOOD ( 29.04 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org When APEI is unable claim or handles synchronous external abort (SEA) today KVM handles SEA for guest by injecting an async SError into the guest directly, bypassing VMM, usually results in guest kernel panic. One major situation of guest SEA is when vCPU consumes uncorrectable memory error on the physical memory. Although SError and guest kernel panic effectively stops the propagation of corrupted memory, it is not easy for VMM and guest to recover from memory error in a more graceful manner. This patch teaches KVM to send a SIGBUS BUS_OBJERR to VMM/vCPU, like how core kernel signals SIGBUS BUS_OBJERR to a gernal poison consuming userspace thread when APEI is unable to claim the SEA. In addition to the benifit that KVM's handling for SEA becomes aligned with core kernel's behavior: - VMM can inject SEA to guest. Compared to SError, the blast radius in VM is possible to be limited to only the consuming thread in guest, instead of the entire guest kernel (unless the poison consumption is from guest kernel). - VMM usually tracks the poisoned guest pages. Together with [1], if guest consumes again the already poisoned guest pages, VMM can protect itself and the host by stopping the consumption at software level, by intercepting guest's access to poisoned pages, and again injecting SEA to guest. KVM now handles SEA as follows: 1. Delegate to APEI and GHES to see if SEA can be claimed by them. 2. If APEI failed to claim the SEA, send current thread (i.e. VMM in EL0) a si_code=BUS_OBJERR SIGBUS signal. If the DIMM error's physical address is available from FAR_EL2, si_addr will be the DIMM error's host virtual address in VMM/vCPU's memory space. Tested on a machine running Siryn AmpereOne processor. A dummy application in VM allocated some memory buffer. The test used EINJ to inject an uncorrectable recoverable memory error at a page in the allocated memory buffer. The dummy application then consumed the memory error. Some hack was done to make core kernel's memory_failure triggered by poison generation to fail, so KVM had to deal with the SEA guest abort due to poison consumption. vCPU thread in VMM received SIGBUS BUS_OBJERR with valid host virtual address of the poisoned page. VMM then injected a SEA into guest using KVM_SET_VCPU_EVENTS with ext_dabt_pending=1. At last the dummy application in guest was killed by SIGBUS BUS_OBJERR, while the guest survived and continued to run. [1] https://lpc.events/event/18/contributions/1757/attachments/1442/3073/LPC_%20KVM%20Userfault.pdf Changelog RFC V3 -> RFC v2 - SEA or ECC error at all levels of TTW can be handled by SIGBUS EL0, and no case to inject SError to guest anymore. - move #include from kvm_ras.h to kvm_ras.c. RFC v2 -> RFC v1 - reword commit msg - drop unused parameters from kvm_delegate_guest_sea - remove KVM_CAP_ARM_SIGBUS_ON_SEA and its opt in code - set FnV bit in vcpu's ESR_ELx if host ESR_EL2's FnV is set - add documentation for this new SIGBUS feature Signed-off-by: Jiaqi Yan --- arch/arm64/include/asm/kvm_ras.h | 29 +++++++------- arch/arm64/kvm/Makefile | 2 +- arch/arm64/kvm/kvm_ras.c | 65 ++++++++++++++++++++++++++++++++ arch/arm64/kvm/mmu.c | 8 +--- 4 files changed, 83 insertions(+), 21 deletions(-) create mode 100644 arch/arm64/kvm/kvm_ras.c diff --git a/arch/arm64/include/asm/kvm_ras.h b/arch/arm64/include/asm/kvm_ras.h index 87e10d9a635b5..bacae54013b4e 100644 --- a/arch/arm64/include/asm/kvm_ras.h +++ b/arch/arm64/include/asm/kvm_ras.h @@ -4,22 +4,25 @@ #ifndef __ARM64_KVM_RAS_H__ #define __ARM64_KVM_RAS_H__ -#include -#include -#include - -#include +#include /* - * Was this synchronous external abort a RAS notification? - * Returns '0' for errors handled by some RAS subsystem, or -ENOENT. + * For synchrnous external abort taken to KVM at EL2, not on translation + * table walk or hardware update of translation table, is FAR_EL2 valid? */ -static inline int kvm_handle_guest_sea(phys_addr_t addr, u64 esr) -{ - /* apei_claim_sea(NULL) expects to mask interrupts itself */ - lockdep_assert_irqs_enabled(); +bool kvm_vcpu_sea_far_valid(const struct kvm_vcpu *vcpu); - return apei_claim_sea(NULL); -} +/* + * Handle synchronous external abort (SEA) in the following order: + * 1. Delegate to APEI/GHES to see if they can claim SEA. If so, all done. + * 2. Send SIGBUS to current with si_code=BUS_OBJERR and si_addr set to + * the poisoned host virtual address. When accurate HVA is unavailable, + * si_addr will be 0. + * + * Note this applies to both instruction and data abort (ESR_ELx_EC_IABT_* + * and ESR_ELx_EC_DABT_*). As the name suggests, KVM must be taking the SEA + * when calling into this function, e.g. kvm_vcpu_abt_issea == true. + */ +void kvm_handle_guest_sea(struct kvm_vcpu *vcpu); #endif /* __ARM64_KVM_RAS_H__ */ diff --git a/arch/arm64/kvm/Makefile b/arch/arm64/kvm/Makefile index 3cf7adb2b5038..c4a3a6d4870e6 100644 --- a/arch/arm64/kvm/Makefile +++ b/arch/arm64/kvm/Makefile @@ -23,7 +23,7 @@ kvm-y += arm.o mmu.o mmio.o psci.o hypercalls.o pvtime.o \ vgic/vgic-v3.o vgic/vgic-v4.o \ vgic/vgic-mmio.o vgic/vgic-mmio-v2.o \ vgic/vgic-mmio-v3.o vgic/vgic-kvm-device.o \ - vgic/vgic-its.o vgic/vgic-debug.o + vgic/vgic-its.o vgic/vgic-debug.o kvm_ras.o kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o pmu.o kvm-$(CONFIG_ARM64_PTR_AUTH) += pauth.o diff --git a/arch/arm64/kvm/kvm_ras.c b/arch/arm64/kvm/kvm_ras.c new file mode 100644 index 0000000000000..47531ed378910 --- /dev/null +++ b/arch/arm64/kvm/kvm_ras.c @@ -0,0 +1,65 @@ +// SPDX-License-Identifier: GPL-2.0-only + +#include +#include + +#include +#include +#include +#include + +bool kvm_vcpu_sea_far_valid(const struct kvm_vcpu *vcpu) +{ + /* + * FnV is valid only for Data/Instruction aborts and if DFSC/IFSC + * is ESR_ELx_FSC_EXTABT(0b010000). + */ + if (kvm_vcpu_trap_get_fault(vcpu) == ESR_ELx_FSC_EXTABT) + return !(vcpu->arch.fault.esr_el2 & ESR_ELx_FnV); + + /* Other exception classes or aborts don't care about FnV field. */ + return true; +} + +/* + * Was this synchronous external abort a RAS notification? + * Returns '0' for errors handled by some RAS subsystem, or -ENOENT. + */ +static int kvm_delegate_guest_sea(void) +{ + /* apei_claim_sea(NULL) expects to mask interrupts itself */ + lockdep_assert_irqs_enabled(); + return apei_claim_sea(NULL); +} + +void kvm_handle_guest_sea(struct kvm_vcpu *vcpu) +{ + int idx; + u64 vcpu_esr = kvm_vcpu_get_esr(vcpu); + phys_addr_t fault_ipa = kvm_vcpu_get_fault_ipa(vcpu); + gfn_t gfn = fault_ipa >> PAGE_SHIFT; + unsigned long hva = 0UL; + + /* + * For RAS the host kernel may handle this abort. + * There is no need to SIGBUS VMM, or pass the error into the guest. + */ + if (kvm_delegate_guest_sea() == 0) + return; + + if (kvm_vcpu_sea_far_valid(vcpu)) { + idx = srcu_read_lock(&vcpu->kvm->srcu); + hva = gfn_to_hva(vcpu->kvm, gfn); + srcu_read_unlock(&vcpu->kvm->srcu, idx); + } + + /* + * When FAR is not valid, or GFN to HVA translation failed, send 0 + * as si_addr like what do_sea() does. + */ + if (kvm_is_error_hva(hva)) + hva = 0UL; + + arm64_notify_die("synchronous external abort", + current_pt_regs(), SIGBUS, BUS_OBJERR, hva, vcpu_esr); +} diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c index 1f55b0c7b11d9..ef6127d0bf24f 100644 --- a/arch/arm64/kvm/mmu.c +++ b/arch/arm64/kvm/mmu.c @@ -1808,13 +1808,7 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu) /* Synchronous External Abort? */ if (kvm_vcpu_abt_issea(vcpu)) { - /* - * For RAS the host kernel may handle this abort. - * There is no need to pass the error into the guest. - */ - if (kvm_handle_guest_sea(fault_ipa, kvm_vcpu_get_esr(vcpu))) - kvm_inject_vabt(vcpu); - + kvm_handle_guest_sea(vcpu); return 1; } From patchwork Thu Feb 20 23:29:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiaqi Yan X-Patchwork-Id: 13984616 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9630AC021B2 for ; Thu, 20 Feb 2025 23:36:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:Cc:To:From: Subject:Message-ID:References:Mime-Version:In-Reply-To:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=GWRXbppsiEDXYIZyPawrnpzOZz1QBOlzbaekCOtPmh4=; b=kvqdTm4rft+fgd/oGL4pAIAweS uPBZgSmdiliKzHnOxitbZKsvSO1OmXT1exXOl/IlAvyhX2Ddk/9GJJ5tDu2tgEB5kBEFri5Ojnwyo zZIeZqEg1Yfz7G2sY4en+AF6/cktcB5rPOUewgmK+PdVANwLNFzEFN6MnAlu59vZ8tgJLmUXb+pWN 2sx+D1odXrDt6QXJjkQ12HIyXY50QtxZlHUPotISoHZD3WdnZMWL2ML/WMhaBMkEU4Q41eSl9vZai A06v8anp2JZhbrKBIrdHd+6+iVSX/NvZTmIoAb2u/D2jJiHfm/XlH0Pxhfy3bfJBOslGFV3Kbz8V0 tvqT8w9A==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1tlG5k-00000003Le4-1jKN; Thu, 20 Feb 2025 23:36:28 +0000 Received: from mail-pj1-x104a.google.com ([2607:f8b0:4864:20::104a]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1tlFzb-00000003KE3-01oX for linux-arm-kernel@lists.infradead.org; Thu, 20 Feb 2025 23:30:08 +0000 Received: by mail-pj1-x104a.google.com with SMTP id 98e67ed59e1d1-2fc1cb0c2cbso4809134a91.1 for ; Thu, 20 Feb 2025 15:30:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740094205; x=1740699005; darn=lists.infradead.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=GWRXbppsiEDXYIZyPawrnpzOZz1QBOlzbaekCOtPmh4=; b=XET/kCuwFZ0kiT3kiW3psSCm61dVPyHq+UnR2KqWaZ2JyPNoFH3Jo4MFfjsCC6kbWf YqYEFQaaTl8Y+h2T6QCVwBWUTdeF9QTa8q9DQfPugRaRcsJoxMDnidK3uu6hbUBisgeE wIstFU6JER+1ux/L5qxOlBtWxoH1KGo8I4ZkyWnrLtFDlZukM1SVrIzEZEigXt+fFj72 u2nXonyaTVUxkcQ2hguSXfbAy4m7wmVh/3RPY8wG7eJmzVNpJ4P1ZTZW34rEAa4WxIMI kkS/r4XQ78IMAV+Pd0xd3WjXBzEnPSu+Q7NWLyevsFY2waTLY6m56Po30Buupp0aUiJs oxjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740094205; x=1740699005; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=GWRXbppsiEDXYIZyPawrnpzOZz1QBOlzbaekCOtPmh4=; b=Ez0kAlpH9FSLzHmoWfz5u/bTJsa8aXDAgG20L9ZiUwiURYrxdlmcZ0DH0wFC6hkddJ ONbd7b0Fns0my9fJUGFegdqsVDMOJVpg0pL1K4D7XEqEL/vDvxyNtRW0AVh8HJUKsIkZ St1PET3vV57d/dOgnH2f4orwqcJiS9Hbzx02FWb5/+Htj9mJFWzrKVLOYR6KaHQ5DN3f sucU+7ioMbOLDFBWdSIiDqwmIiWuN4w0dm66RwT3bu8cw/rN2kSR+dEllwcH69OTlYwP AWhSnsndhHdALVXOJCVTOAf7q7UeanC76YTJYLO/WPDoIA+A9yYflTs721am+yVw+KS3 zJPA== X-Forwarded-Encrypted: i=1; AJvYcCWpI1GMj7EMXExIaF5WrqeWmlBFIadfvqoqDIWInvXxcEEhjlwgwRWiZLnLuAc6Vq3Q1VK1t+n8Ao0Ju/Yptbfs@lists.infradead.org X-Gm-Message-State: AOJu0YxuQ2GRYcm1P7ROfBVYugVaGboiTDtG2w+a3BlzntEAbXltWu/9 L+Ns6oAQvAjQTpsaQ5o79Z1De7nGA6LvGJxvCGAmvrqHzfQR64DDio0LOiXS/YyifIg8EYu1icM vaEw4iHZv0g== X-Google-Smtp-Source: AGHT+IEJgmi64wdMWyANqEO34cKSZI9Wuz5tHq4A/owmtalUI629cLYAyrOiwBDklXhEIDQhnrCFWifbpOyeVA== X-Received: from pjz8.prod.google.com ([2002:a17:90b:56c8:b0:2fc:c98:ea47]) (user=jiaqiyan job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:2590:b0:2ee:df70:1ff3 with SMTP id 98e67ed59e1d1-2fce75e1b18mr2115049a91.0.1740094205662; Thu, 20 Feb 2025 15:30:05 -0800 (PST) Date: Thu, 20 Feb 2025 23:29:58 +0000 In-Reply-To: <20250220232959.247600-1-jiaqiyan@google.com> Mime-Version: 1.0 References: <20250220232959.247600-1-jiaqiyan@google.com> X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: <20250220232959.247600-2-jiaqiyan@google.com> Subject: [RFC PATCH v3 2/3] KVM: arm64: set FnV in vcpu's ESR_ELx when host FAR_EL2 is invalid From: Jiaqi Yan To: maz@kernel.org, oliver.upton@linux.dev Cc: joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, catalin.marinas@arm.com, will@kernel.org, pbonzini@redhat.com, corbet@lwn.net, kvm@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, duenwen@google.com, rananta@google.com, jthoughton@google.com, Jiaqi Yan X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250220_153007_044659_D4C7D441 X-CRM114-Status: GOOD ( 13.60 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Certain microarchitectures (e.g. Neoverse V2) do not keep track of the faulting address for a memory load that consumes poisoned data and results in a synchronous external abort (SEA). This means the poisoned guest physical address is unavailable when KVM handles such SEA in EL2, and FAR_EL2 just holds a garbage value. KVM sends SIGBUS to interrupt VMM/vCPU but the si_addr will be zero. In case VMM later asks KVM to synchronously inject a SEA into the guest, KVM should set FnV bit - in vcpu's ESR_EL1 to let guest kernel know that FAR_EL1 is invalid and holds garbage value - in vcpu's ESR_EL2 to let nested virtualization know that FAR_EL2 is invalid and holds garbage value Signed-off-by: Jiaqi Yan --- arch/arm64/kvm/inject_fault.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c index a640e839848e6..2b01b331a4879 100644 --- a/arch/arm64/kvm/inject_fault.c +++ b/arch/arm64/kvm/inject_fault.c @@ -13,6 +13,7 @@ #include #include #include +#include #include static void pend_sync_exception(struct kvm_vcpu *vcpu) @@ -81,6 +82,9 @@ static void inject_abt64(struct kvm_vcpu *vcpu, bool is_iabt, unsigned long addr if (!is_iabt) esr |= ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT; + if (!kvm_vcpu_sea_far_valid(vcpu)) + esr |= ESR_ELx_FnV; + esr |= ESR_ELx_FSC_EXTABT; if (match_target_el(vcpu, unpack_vcpu_flag(EXCEPT_AA64_EL1_SYNC))) { From patchwork Thu Feb 20 23:29:59 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiaqi Yan X-Patchwork-Id: 13984617 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AD179C021B3 for ; Thu, 20 Feb 2025 23:38:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type:Cc:To:From: Subject:Message-ID:References:Mime-Version:In-Reply-To:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=tZY+qAPOicOUq8p2LK8IeikgixBi4lx8HxmpqAWAHnA=; b=pXl7K5blIApjodFlkWuOT3Klr4 iwFGUkusfaK3AfL6xX3dBHQu//Ss4S3MnOXIvxAyGrpKMqFzPWd17i0U22ij3dDBIYCqt8eNOqo7A Ik6Y+gthB2g14aZU0ZG63sKaClgASs4q33wauLQnrcexGRzzFYBfBmQGRrj8L6zzH5YAOmwHbw6zs ruYgxRoSaKAPP8GjLiurNtLx0P11tniZ7uuA8FEOUUo3lNuoEY/qPNFG3zMZd74ft5wOApkGXFMoo CGNbw7w2Q00wKDnD4QCy5eBqD/5lKUIjHDpIxM3W0qmUJNH+tvNifoVEOapSPGCV1kOSOhOaci8d6 0DYt5rkw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1tlG7D-00000003Lzz-0m9a; Thu, 20 Feb 2025 23:37:59 +0000 Received: from mail-pj1-x1049.google.com ([2607:f8b0:4864:20::1049]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1tlFzd-00000003KEy-11Eo for linux-arm-kernel@lists.infradead.org; Thu, 20 Feb 2025 23:30:10 +0000 Received: by mail-pj1-x1049.google.com with SMTP id 98e67ed59e1d1-2f83e54432dso4989128a91.2 for ; Thu, 20 Feb 2025 15:30:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740094208; x=1740699008; darn=lists.infradead.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=tZY+qAPOicOUq8p2LK8IeikgixBi4lx8HxmpqAWAHnA=; b=yWbQzmpesgbb6Gnwt34k898Um36hELbFn33muZfTpQTvgeBscHfAdlzAVmLOmKbjYN C4qisOUiwL2Fd+YXlbIpqwCqPeHjSIKqdrYdTCqpED4HtGhtAXgvDzhyyqh8GdoqBkqa fXZT2OZlUOXbk9bsCrst+g/8yj8iCCAkvHOTyt0BfUfXdQuT1OYCJgNclV9T3YIVATdq d25aX6yHDWCfOM3oyICKmpjYgnEmFrsUPwcgRyK4tU9PViNTK4U4ndl/ENzMGJOmDKRh 5IxEz9uN7jwUrdmtjLYSP+YtONLfv4B4JrVIjUsRc5oblF7becG8IQjyG3H2I65WO3iQ IC2A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740094208; x=1740699008; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=tZY+qAPOicOUq8p2LK8IeikgixBi4lx8HxmpqAWAHnA=; b=hGx9lekPqzIt9LsoXJBgd4ZmFJ5fJoyX149KaC/Yd+vPWQsKBWLdUg86C91uf1zR+i qXC1w2YJP/mewb2Xnp1HDx2jABorcPzMRHffHw2ppviAuc6MSdKVRiVFtDglgT+bsEc+ 8dMLy7Wn3/10eMGmA+4ZMrK8ESH5Ulmo5WN7Zb1zP1mC8GlKwPgEilWB3k2fMYK1CeIP 3wRzOlBHz5LkJBUgBYJ2kc2S9dDZcjr0wMSjP5VVUAcy094MWaEmKwHghxWUFXzVddYW vFcEvoFF/bP/74bNqlsbeLZ5cNykXUgkSgTTD0TbSZs8Dx5J7W+IkDh/wfAkiiTggfdd Ua0g== X-Forwarded-Encrypted: i=1; AJvYcCXAgHErxo9rixs5L7thhuDQ5ERP11Vjm0XIru2o9SiAS3CaQ8swPvTb0+hIMfZpwdFto4xDfqOy5CjG+zENHtbU@lists.infradead.org X-Gm-Message-State: AOJu0YxiBXvmqKuKhsuhtKwcwCLhFAtIywp+anPKC+P1Fv2ZnJ3M/mvI c/bza4rPxAWg/dNLibHVXTb+jHminIeXAvpAptppOQQThqYve/lFvcXZ+9BXA3EkKnG2BfqEd6A 19wK0wc/okA== X-Google-Smtp-Source: AGHT+IEBaG/uVrgEVEadJS5uoF6GF3zEvxqFSthLZ+KCQQjV/E6qlAa7wWQxBxQYuGn6ZWD8KVd4x5+IgTERjw== X-Received: from pjbpt3.prod.google.com ([2002:a17:90b:3d03:b0:2fc:13d6:b4cb]) (user=jiaqiyan job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:2e4f:b0:2fc:b40:339a with SMTP id 98e67ed59e1d1-2fce78a95d5mr1872440a91.10.1740094207918; Thu, 20 Feb 2025 15:30:07 -0800 (PST) Date: Thu, 20 Feb 2025 23:29:59 +0000 In-Reply-To: <20250220232959.247600-1-jiaqiyan@google.com> Mime-Version: 1.0 References: <20250220232959.247600-1-jiaqiyan@google.com> X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: <20250220232959.247600-3-jiaqiyan@google.com> Subject: [RFC PATCH v3 3/3] Documentation: kvm: new UAPI when arm64 guest consumes UER From: Jiaqi Yan To: maz@kernel.org, oliver.upton@linux.dev Cc: joey.gouly@arm.com, suzuki.poulose@arm.com, yuzenghui@huawei.com, catalin.marinas@arm.com, will@kernel.org, pbonzini@redhat.com, corbet@lwn.net, kvm@vger.kernel.org, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, duenwen@google.com, rananta@google.com, jthoughton@google.com, Jiaqi Yan X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250220_153009_283116_1574CF3A X-CRM114-Status: GOOD ( 16.95 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add the documentation for new UAPI when guest consumes uncorrectable but recoverable memory error (UER). This new UAPI enables userspace to inject SEA into the guest. Tested: make htmldocs and proofreading Signed-off-by: Jiaqi Yan --- Documentation/virt/kvm/api.rst | 38 +++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst index 2b52eb77e29cb..20c7049508484 100644 --- a/Documentation/virt/kvm/api.rst +++ b/Documentation/virt/kvm/api.rst @@ -1288,16 +1288,40 @@ ARM64: User space may need to inject several types of events to the guest. +Inject SError +~~~~~~~~~~~~~ + Set the pending SError exception state for this VCPU. It is not possible to 'cancel' an Serror that has been made pending. -If the guest performed an access to I/O memory which could not be handled by -userspace, for example because of missing instruction syndrome decode -information or because there is no device mapped at the accessed IPA, then -userspace can ask the kernel to inject an external abort using the address -from the exiting fault on the VCPU. It is a programming error to set -ext_dabt_pending after an exit which was not either KVM_EXIT_MMIO or -KVM_EXIT_ARM_NISV. This feature is only available if the system supports +Inject SEA +~~~~~~~~~~ + +- If the guest performed an access to I/O memory which could not be handled by + userspace, for example because of missing instruction syndrome decode + information or because there is no device mapped at the accessed IPA, then + userspace can ask the kernel to inject an external abort using the address + from the exiting fault on the VCPU. + +- If the guest consumed an uncorrectable memory error, and RAS extension in + Trusted Firmware choosed to notify PE with SEA, KVM and core kernel may have + to handle the memory poison consumption when host APEI was unable to claim + the SEA. For the following type of faults, KVM sends SIGBUS to current thread + (i.e. VMM in EL0) with si_code=BUS_OBJERR: + + - Synchronous external abort + + - Synchronous parity or ECC error on memory access + + If the memory error's physical address is available, si_addr will be the + error's host virtual address in VM's memory space; otherwise si_addr is zero. + When userspace vCPU thread is interrupted by such SIGBUS, it can ask KVM to + replay an external abort into guest. + +It is a programming error to set ext_dabt_pending after an exit which was not +KVM_EXIT_MMIO, not KVM_EXIT_ARM_NISV, and not interrupted by BUS_OBJERR SIGBUS. + +This feature is only available if the system supports KVM_CAP_ARM_INJECT_EXT_DABT. This is a helper which provides commonality in how userspace reports accesses for the above cases to guests, across different userspace implementations. Nevertheless, userspace can still emulate all Arm