KVM: x86/mmu: Exempt nested EPT page tables from !USER, CR0.WP=0 logic

author Sean Christopherson <seanjc@google.com>

Mon, 2 Jun 2025 23:48:51 +0000 (16:48 -0700)

committer Sean Christopherson <seanjc@google.com>

Fri, 20 Jun 2025 20:08:22 +0000 (13:08 -0700)
author Sean Christopherson <seanjc@google.com>
Mon, 2 Jun 2025 23:48:51 +0000 (16:48 -0700)
committer Sean Christopherson <seanjc@google.com>
Fri, 20 Jun 2025 20:08:22 +0000 (13:08 -0700)
diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h

index 68e323568e95e65d4dae0e00c53e8f00330b4ec9..ed762bb4b007b9236727f338d8cfb5fe4131521f 100644 (file)
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -804,9 +804,12 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault
         if (r != RET_PF_CONTINUE)
                 return r;
  
+#if PTTYPE != PTTYPE_EPT
         /*
-        * Do not change pte_access if the pfn is a mmio page, otherwise
-        * we will cache the incorrect access into mmio spte.
+        * Treat the guest PTE protections as writable, supervisor-only if this
+        * is a supervisor write fault and CR0.WP=0 (supervisor accesses ignore
+        * PTE.W if CR0.WP=0).  Don't change the access type for emulated MMIO,
+        * otherwise KVM will cache incorrect access information in the SPTE.
          */
         if (fault->write && !(walker.pte_access & ACC_WRITE_MASK) &&
             !is_cr0_wp(vcpu->arch.mmu) && !fault->user && fault->slot) {
@@ -822,6 +825,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault
                 if (is_cr4_smep(vcpu->arch.mmu))
                         walker.pte_access &= ~ACC_EXEC_MASK;
         }
+#endif
  
         r = RET_PF_RETRY;
         write_lock(&vcpu->kvm->mmu_lock);
author	Sean Christopherson <seanjc@google.com>
	Mon, 2 Jun 2025 23:48:51 +0000 (16:48 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Fri, 20 Jun 2025 20:08:22 +0000 (13:08 -0700)