| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <mfejpune47o6ebsbv4bpn6qlgpwcc5rld3tik4c7xp7odxfa5u@w7ovavcrxn43>
Date: Mon, 9 Feb 2026 16:05:41 +0000
From: Yosry Ahmed <yosry.ahmed@...ux.dev>
To: Jim Mattson <jmattson@...gle.com>
Cc: Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...nel.org>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Shuah Khan <shuah@...nel.org>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v3 1/8] KVM: x86: nSVM: Clear VMCB_NPT clean bit when
updating g_pat in L2
On Thu, Feb 05, 2026 at 01:43:01PM -0800, Jim Mattson wrote:
> When running an L2 guest and writing to MSR_IA32_CR_PAT, the host PAT value
> is stored in vmcb01.ptr->save.g_pat, but the clean bit was only being
> cleared for svm->vmcb, which points to vmcb02 in guest mode.
>
> Introduce the helper svm_set_vmcb_gpat() which sets vmcb->save.g_pat and
> marks the VMCB dirty for VMCB_NPT. Use this helper in both svm_set_msr()
> for updating vmcb01 and in nested_vmcb02_compute_g_pat() for updating
> vmcb02, ensuring both VMCBs are properly marked dirty.
>
> Fixes: 4995a3685f1b ("KVM: SVM: Use a separate vmcb for the nested L2 guest")
> Signed-off-by: Jim Mattson <jmattson@...gle.com>
> ---
> arch/x86/kvm/svm/nested.c | 2 +-
> arch/x86/kvm/svm/svm.c | 3 +--
> arch/x86/kvm/svm/svm.h | 6 ++++++
> 3 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
> index de90b104a0dd..f72dbd10dcad 100644
> --- a/arch/x86/kvm/svm/nested.c
> +++ b/arch/x86/kvm/svm/nested.c
> @@ -636,7 +636,7 @@ void nested_vmcb02_compute_g_pat(struct vcpu_svm *svm)
> return;
>
> /* FIXME: merge g_pat from vmcb01 and vmcb12. */
> - svm->nested.vmcb02.ptr->save.g_pat = svm->vmcb01.ptr->save.g_pat;
> + svm_set_vmcb_gpat(svm->nested.vmcb02.ptr, svm->vmcb01.ptr->save.g_pat);
> }
>
> static void nested_vmcb02_prepare_save(struct vcpu_svm *svm, struct vmcb *vmcb12)
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index 5f0136dbdde6..08f145eb9215 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -2939,10 +2939,9 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
> if (ret)
> break;
>
> - svm->vmcb01.ptr->save.g_pat = data;
> + svm_set_vmcb_gpat(svm->vmcb01.ptr, data);
> if (is_guest_mode(vcpu))
> nested_vmcb02_compute_g_pat(svm);
> - vmcb_mark_dirty(svm->vmcb, VMCB_NPT);
> break;
> case MSR_IA32_SPEC_CTRL:
> if (!msr->host_initiated &&
> diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h
> index ebd7b36b1ceb..986d90f2d4ca 100644
> --- a/arch/x86/kvm/svm/svm.h
> +++ b/arch/x86/kvm/svm/svm.h
> @@ -420,6 +420,12 @@ static inline bool vmcb_is_dirty(struct vmcb *vmcb, int bit)
> return !test_bit(bit, (unsigned long *)&vmcb->control.clean);
> }
>
> +static inline void svm_set_vmcb_gpat(struct vmcb *vmcb, u64 data)
Nit: vmcb_set_gpat() is probably more consistent with other helpers
(e.g. vmcb_set_intercept() and vmcb_set_seg()).
> +{
> + vmcb->save.g_pat = data;
> + vmcb_mark_dirty(vmcb, VMCB_NPT);
> +}
> +
> static __always_inline struct vcpu_svm *to_svm(struct kvm_vcpu *vcpu)
> {
> return container_of(vcpu, struct vcpu_svm, vcpu);
> --
> 2.53.0.rc2.204.g2597b5adb4-goog
>
Powered by blists - more mailing lists