It would appear that userspace can select the NV feature flag regardless of whether the system actually supports the feature. Obviously a nested guest isn't getting far in this situation; let's reject the flag instead. Signed-off-by: Oliver Upton <oliver.upton@xxxxxxxxx> --- arch/arm64/kvm/arm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index e40f3bfcb0a1..ef92c2f2de70 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -1208,6 +1208,9 @@ static unsigned long system_supported_vcpu_features(void) clear_bit(KVM_ARM_VCPU_PTRAUTH_GENERIC, &features); } + if (!cpus_have_const_cap(ARM64_HAS_NESTED_VIRT)) + clear_bit(KVM_ARM_VCPU_HAS_EL2, &features); + return features; } -- 2.42.0.515.g380fc7ccd1-goog
