On Fri, May 13, 2022, David Matlack wrote: > On Fri, May 13, 2022 at 12:50 PM Sean Christopherson <seanjc@xxxxxxxxxx> wrote: > > > > Drop SPTEs whose new protections will yield a RWX=0 SPTE, i.e. a SPTE > > that is marked shadow-present but is not-present in the page tables. If > > EPT with execute-only support is in use by L1, KVM can create a RWX=0 > > SPTE can be created for an EPTE if the upper level combined permissions > > are R (or RW) and the leaf EPTE is changed from R (or RW) to X. > > For some reason I found this sentence hard to read. Heh, probably because "KVM can create a RWX=0 SPTE can be created" is nonsensical. I botched a late edit to the changelog... > What about this: > > When shadowing EPT and NX HugePages is enabled, if the guest changes This doesn' thave anything to do with NX HugePages, it's an execute-only specific bug where L1 can create a gPTE that is !READABLE but is considered PRESENT because it is EXECUTABLE. If the upper level protections are R or RW, the resulting protections for the entire translation are RWX=0. All of sync_page()'s existing checks filter out only !PRESENT gPTE, because without execute-only, all upper levels are guaranteed to be at least READABLE.