The case when the SIE for guest3 is not setup for using encryption keys nor Adjunct processor but the guest2 does use these features was not properly handled. This leads SIE entry for guest3 to crash with validity intercept because the guest2, not having the use of encryption keys nor Adjunct Processor did not initialize the CRYCB designation. In the case where none of ECA_APIE, ECB3_AES or ECB3_DEA are set in guest3 a format 0 CRYCB is allowed for guest3 and the CRYCB designation in the SIE for guest3 is not checked on SIE entry. Let's allow the CRYCD designation to be ignored when the SIE for guest3 is not initialized for encryption key usage nor AP. Fixup: d6f6959 (KVM: s390: vsie: Do the CRYCB validation first) Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxx> Reported-by: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx> --- arch/s390/kvm/vsie.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c index a153257..a748f76 100644 --- a/arch/s390/kvm/vsie.c +++ b/arch/s390/kvm/vsie.c @@ -300,6 +300,9 @@ static int shadow_crycb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) if (!apie_h && !key_msk) return 0; + if (!(scb_o->eca & ECA_APIE) && !(scb_o->ecb3 & (ECB3_AES | ECB3_DEA))) + return 0; + if (!crycb_addr) return set_validity_icpt(scb_s, 0x0039U); -- 2.7.4