Patch "KVM: MMU: shadow nested paging does not have PKU" has been added to the 5.15-stable tree


This is a note to let you know that I've just added the patch titled

    KVM: MMU: shadow nested paging does not have PKU

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-mmu-shadow-nested-paging-does-not-have-pku.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 28f091bc2f8c23b7eac2402956b692621be7f9f4 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Date: Mon, 22 Nov 2021 13:01:37 -0500
Subject: KVM: MMU: shadow nested paging does not have PKU

From: Paolo Bonzini <pbonzini@xxxxxxxxxx>

commit 28f091bc2f8c23b7eac2402956b692621be7f9f4 upstream.

Initialize the mask for PKU permissions as if CR4.PKE=0, avoiding
incorrect interpretations of the nested hypervisor's page tables.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/mmu/mmu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4852,7 +4852,7 @@ void kvm_init_shadow_npt_mmu(struct kvm_
 	struct kvm_mmu *context = &vcpu->arch.guest_mmu;
 	struct kvm_mmu_role_regs regs = {
 		.cr0 = cr0,
-		.cr4 = cr4,
+		.cr4 = cr4 & ~X86_CR4_PKE,
 		.efer = efer,
 	};
 	union kvm_mmu_role new_role;
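Review bot: the masking at `.cr4 = cr4 & ~X86_CR4_PKE` in kvm_init_shadow_npt_mmu() has no comment, so a later reader sees one CR4 bit dropped from the role registers without the reason. The changelog gives it (shadow nested paging has no PKU, so the mask must be initialized as if CR4.PKE=0); a one-line comment above the initializer saying so would keep a future cleanup from passing the raw cr4 again. It would also help to state in the changelog that every consumer of `regs` in this function is meant to see PKE cleared, not only the PKU permission mask, since the cleared value is what the whole `regs` struct now carries.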
@@ -4916,7 +4916,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_
 	context->direct_map = false;
 
 	update_permission_bitmask(context, true);
-	update_pkru_bitmask(context);
+	context->pkru_mask = 0;
 	reset_rsvds_bits_mask_ept(vcpu, context, execonly);
 	reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
 }
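Review bot: in kvm_init_shadow_ept_mmu() the replacement `context->pkru_mask = 0;` open-codes the result instead of going through update_pkru_bitmask(), while the NPT hunk gets the same effect by clearing PKE in the input registers; the two paths now disable PKU in different ways and neither says why. A short comment on this line (for example, that the shadowed nested page tables have no protection keys) would document the intent, and it would flag that this direct assignment has to be revisited if the helper ever initializes more than `pkru_mask`.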


Patches currently in stable-queue which might be from pbonzini@xxxxxxxxxx are

queue-5.15/kvm-nvmx-abide-to-kvm_req_tlb_flush_guest-request-on-nested-vmentry-vmexit.patch
queue-5.15/kvm-x86-mmu-fix-tlb-flush-range-when-handling-disconnected-pt.patch
queue-5.15/kvm-nvmx-flush-current-vpid-l1-vs.-l2-for-kvm_req_tlb_flush_guest.patch
queue-5.15/kvm-x86-use-vcpu-arch.walk_mmu-for-kvm_mmu_invlpg.patch
queue-5.15/kvm-disallow-user-memslot-with-size-that-exceeds-unsigned-long.patch
queue-5.15/kvm-nvmx-emulate-guest-tlb-flush-on-nested-vm-enter-with-new-vpid12.patch
queue-5.15/kvm-x86-ignore-apicv-if-lapic-is-not-enabled.patch
queue-5.15/kvm-fix-avic_set_running-for-preemptable-kernels.patch
queue-5.15/kvm-x86-check-pir-even-for-vcpus-with-disabled-apicv.patch
queue-5.15/kvm-x86-use-a-stable-condition-around-all-vt-d-pi-paths.patch
queue-5.15/kvm-mmu-shadow-nested-paging-does-not-have-pku.patch
queue-5.15/kvm-ensure-local-memslot-copies-operate-on-up-to-date-arch-specific-data.patch
queue-5.15/kvm-vmx-prepare-sync_pir_to_irr-for-running-with-apicv-disabled.patch


