KVM: x86/mmu: Bug the VM, not the host kernel, if KVM write-protects upper SPTEs
authorSean Christopherson <seanjc@google.com>
Thu, 18 Jun 2026 18:56:41 +0000 (11:56 -0700)
committerPaolo Bonzini <pbonzini@redhat.com>
Wed, 24 Jun 2026 09:33:04 +0000 (11:33 +0200)
Instead of bugging the host kernel, WARN and terminate the VM if KVM
attempts to write-protect at a level that cannot use leaf SPTEs.
There is no reason to bring down the entire host; even terminating
the VM is likely overkill, but in theory a missed write could corrupt
guest memory, so play it safe.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Message-ID: <20260618185641.2022368-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/mmu/tdp_mmu.c

index 5b3041138301b55b8c77ac1557ebf551bc4dfbcd..c1cbae65d239f54d4b7e5397e0105467f87d686c 100644 (file)
@@ -1410,9 +1410,10 @@ static bool wrprot_gfn_range(struct kvm *kvm, struct kvm_mmu_page *root,
        u64 new_spte;
        bool spte_set = false;
 
-       rcu_read_lock();
+       if (KVM_BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL, kvm))
+               return false;
 
-       BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL);
+       rcu_read_lock();
 
        for_each_tdp_pte_min_level(iter, kvm, root, min_level, start, end) {
 retry:
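Review bot: The early `return false` under the new `KVM_BUG_ON()` in wrprot_gfn_range() has no comment explaining why `false` is the right result on the bail-out path. A reader has to work out that nothing was modified, so reporting "no SPTE set" is accurate, and that the VM is already marked bugged; presumably callers use the return value only to decide whether a flush is needed, which should be confirmed. I would add above the check: `/* Leaf SPTEs cannot exist above KVM_MAX_HUGEPAGE_LEVEL; the VM is now bugged and no SPTE was touched, so report nothing write-protected. */`. The identical check added in write_protect_gfn() in the next hunk would take the same comment. Moving the check ahead of `rcu_read_lock()` is the right ordering, since the early return then needs no unlock; the function body continues outside the hunk.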
@@ -1844,7 +1845,8 @@ static bool write_protect_gfn(struct kvm *kvm, struct kvm_mmu_page *root,
        u64 new_spte;
        bool spte_set = false;
 
-       BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL);
+       if (KVM_BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL, kvm))
+               return false;
 
        rcu_read_lock();