Date: Thu, 5 Feb 2026 13:43:02 -0800
In-Reply-To: <20260205214326.1029278-1-jmattson@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260205214326.1029278-1-jmattson@google.com>
X-Mailer: git-send-email 2.53.0.rc2.204.g2597b5adb4-goog
Message-ID: <20260205214326.1029278-3-jmattson@google.com>
Subject: [PATCH v3 2/8] KVM: x86: nSVM: Cache and validate vmcb12 g_pat
From: Jim Mattson
To: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Shuah Khan, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Yosry Ahmed
Cc: Jim Mattson

Cache g_pat from vmcb12 in svm->nested.gpat to avoid TOCTTOU issues, and
add a validity check so that when nested paging is enabled for vmcb12, an
invalid g_pat causes an immediate VMEXIT with exit code VMEXIT_INVALID, as
specified in the APM, volume 2: "Nested Paging and VMRUN/VMEXIT."

Fixes: 3d6368ef580a ("KVM: SVM: Add VMRUN handler")
Signed-off-by: Jim Mattson
---
 arch/x86/kvm/svm/nested.c | 4 +++-
 arch/x86/kvm/svm/svm.h    | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index f72dbd10dcad..1d4ff6408b34 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1027,9 +1027,11 @@ int nested_svm_vmrun(struct kvm_vcpu *vcpu)
 
 	nested_copy_vmcb_control_to_cache(svm, &vmcb12->control);
 	nested_copy_vmcb_save_to_cache(svm, &vmcb12->save);
+	svm->nested.gpat = vmcb12->save.g_pat;
 
 	if (!nested_vmcb_check_save(vcpu) ||
-	    !nested_vmcb_check_controls(vcpu)) {
+	    !nested_vmcb_check_controls(vcpu) ||
+	    (nested_npt_enabled(svm) && !kvm_pat_valid(svm->nested.gpat))) {
 		vmcb12->control.exit_code = SVM_EXIT_ERR;
 		vmcb12->control.exit_info_1 = 0;
 		vmcb12->control.exit_info_2 = 0;
diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
index 986d90f2d4ca..42a4bf83b3aa 100644
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -208,6 +208,9 @@ struct svm_nested_state {
 	 */
 	struct vmcb_save_area_cached save;
 
+	/* Cached guest PAT from vmcb12.save.g_pat */
+	u64 gpat;
+
 	bool initialized;
 
 	/*
-- 
2.53.0.rc2.204.g2597b5adb4-goog
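Review bot: in the nested.c hunk the g_pat check is bolted onto the condition in nested_svm_vmrun() rather than folded into nested_vmcb_check_save(), so any other caller of that helper that validates cached nested state will still accept an invalid g_pat while VMRUN rejects it; consider moving `nested_npt_enabled(svm) && !kvm_pat_valid(svm->nested.gpat)` into the save-area checker so every validation path agrees. The ordering in the hunk is correct and should be preserved if the check moves: `svm->nested.gpat = vmcb12->save.g_pat;` comes after nested_copy_vmcb_control_to_cache(), so both nested_npt_enabled(svm) and the PAT test read cached state rather than the guest-writable vmcb12, which is what makes the check TOCTTOU-safe.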
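Review bot: in the svm.h hunk `u64 gpat;` is added as a loose member beside `struct vmcb_save_area_cached save;` even though its comment says it is cached from vmcb12.save.g_pat; placing it inside vmcb_save_area_cached would let nested_copy_vmcb_save_to_cache() fill it together with the rest of the save area instead of needing a separate assignment in nested_svm_vmrun(), and would let the save-area checker validate it. If it stays a separate field, the comment should state when the value can be trusted, namely that it is only validated when nested paging is enabled for vmcb12, so later readers of svm->nested.gpat do not assume it is always a legal PAT.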