git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Kevin Cheng <chengkev@google.com>
	Fri, 22 May 2026 23:26:59 +0000 (16:26 -0700)
committer	Sean Christopherson <seanjc@google.com>
	Tue, 26 May 2026 21:54:19 +0000 (14:54 -0700)
commit	297c2fe249db38bb28f343fa3ce9d3c1b3a9b1d6
tree	b2b9ba6b0c8bcdc0b722c0fc6edff54f9312641d	tree \| snapshot
parent	fe0b872d750023eda270cbc01c53ead52b1049d8	commit \| diff

KVM: SVM: Fix nested NPF injection of PFERR_GUEST_{PAGE,FINAL}_MASK bits

Fix KVM's generation of PFERR_GUEST_{PAGE,FINAL}_MASK bits when injecting a
Nested Page Fault into L1.  Currently, KVM blindly stuffs GUEST_FINAL into
L1, which is blatantly wrong given that KVM obviously generates NPFs for
page table accesses.

There are two paths that trigger NPF injection: hardware NPF exits (from
L2) and emulation-triggered faults, i.e. when KVM detects a NPF as part of
emulating an L2 GVA access.  For the hardware case, use the bits verbatim
from the VMCB, as KVM is simply forwarding a NPF to L1.  For the emulation
case, propagate the GUEST_{PAGE,FINAL} bits from the access field (which
were recently added for MBEC+GMET support).

To differentiate between the two cases, add "hardware_nested_page_fault"
to "struct x86_exception", and set it when injecting a NPF in response to
an NPF exit from L2.

To help guard against future goofs, assert that exactly one of GUEST_PAGE
or GUEST_FINAL is set when injecting a NPF.  Unlike VMX, there are no
(known) cases where hardware doesn't set either bit, and KVM should always
set one or the other when emulating a GVA access.

Signed-off-by: Kevin Cheng <chengkev@google.com>
[sean: use plumbed in @access bits, massage changelog]
Link: https://patch.msgid.link/20260522232701.3671446-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>

arch/x86/include/asm/kvm_host.h		diff \| blob \| blame \| history
arch/x86/kvm/mmu/paging_tmpl.h		diff \| blob \| blame \| history
arch/x86/kvm/svm/nested.c		diff \| blob \| blame \| history