On Fri, Aug 21, 2020 at 01:45:40PM +0100, Marc Zyngier wrote:

quoted

On 2020-08-21 13:26, Catalin Marinas wrote:

quoted

On Fri, Aug 21, 2020 at 01:12:10PM +0100, Will Deacon wrote:

quoted

On Fri, Aug 21, 2020 at 01:07:00PM +0100, Catalin Marinas wrote:

quoted

On Mon, Aug 03, 2020 at 01:31:27PM -0600, Rob Herring wrote:

quoted

@@ -979,6 +980,14 @@
 		write_sysreg(__scs_new, sysreg);			\
 } while (0)

+#define read_sysreg_par() ({						\
+	u64 par;							\
+	asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));	\
+	par = read_sysreg(par_el1);					\
+	asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));	\
+	par;								\
+})

I was about to queue this up but one more point to clarify: can we get
an interrupt at either side of the PAR_EL1 read and the handler do a
device read, triggering the erratum? Do we need a DMB at exception
entry/return?

Disabling irqs around the PAR access would be simpler, I think
(assuming
this is needed).

This wouldn't work if it interrupts a guest.

If we take an interrupt either side of the PAR_EL1 read and that we
fully exit, the saving of PAR_EL1 on the way out solves the problem.

If we don't fully exit, but instead reenter the guest immediately
(fixup_guest_exit() returns true), we'd need a DMB at that point,
at least because of the GICv2 proxying code which performs device
accesses on the guest's behalf.

If you are ok with the diff below, I can fold it in:

diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h

b/arch/arm64/kvm/hyp/include/hyp/switch.h
index ca88ea416176..8770cf7ccd42 100644

--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h

@@ -420,7 +420,7 @@ static inline bool fixup_guest_exit(struct

kvm_vcpu *vcpu, u64 *exit_code)
 	if (cpus_have_final_cap(ARM64_WORKAROUND_CAVIUM_TX2_219_TVM) &&
 	    kvm_vcpu_trap_get_class(vcpu) == ESR_ELx_EC_SYS64 &&
 	    handle_tx2_tvm(vcpu))
-		return true;
+		goto guest;

 	/*
 	 * We trap the first access to the FP/SIMD to save the host context

@@ -430,13 +430,13 @@ static inline bool fixup_guest_exit(struct

kvm_vcpu *vcpu, u64 *exit_code)
 	 * Similarly for trapped SVE accesses.
 	 */
 	if (__hyp_handle_fpsimd(vcpu))
-		return true;
+		goto guest;

 	if (__hyp_handle_ptrauth(vcpu))
-		return true;
+		goto guest;

 	if (!__populate_fault_info(vcpu))
-		return true;
+		goto guest;

 	if (static_branch_unlikely(&vgic_v2_cpuif_trap)) {
 		bool valid;

@@ -451,7 +451,7 @@ static inline bool fixup_guest_exit(struct

kvm_vcpu *vcpu, u64 *exit_code)
 			int ret = __vgic_v2_perform_cpuif_access(vcpu);

 			if (ret == 1)
-				return true;
+				goto guest;

 			/* Promote an illegal access to an SError.*/
 			if (ret == -1)

@@ -467,12 +467,17 @@ static inline bool fixup_guest_exit(struct

kvm_vcpu *vcpu, u64 *exit_code)
 		int ret = __vgic_v3_perform_cpuif_access(vcpu);

 		if (ret == 1)
-			return true;
+			goto guest;
 	}

 exit:
 	/* Return to the host kernel and handle the exit */
 	return false;
+
+guest:
+	/* Re-enter the guest */
+	asm(ALTERNATIVE("nop", "dmb sy", ARM64_WORKAROUND_1508412));
+	return true;
 }

 static inline bool __needs_ssbd_off(struct kvm_vcpu *vcpu)