Re: [PATCH v6 20/31] KVM: nSVM: Add missing consistency check for hCR0.PG and NP_ENABLE
From: Yosry Ahmed
Date: Mon Mar 02 2026 - 19:01:05 EST
> diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
> index 752dd9eb98a84..6fffb6ae6b88b 100644
> --- a/arch/x86/kvm/svm/nested.c
> +++ b/arch/x86/kvm/svm/nested.c
> @@ -342,7 +342,8 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu *vcpu, u64 pa, u32 size)
> }
>
> static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
> - struct vmcb_ctrl_area_cached *control)
> + struct vmcb_ctrl_area_cached *control,
> + unsigned long l1_cr0)
> {
> if (CC(!vmcb12_is_intercept(control, INTERCEPT_VMRUN)))
> return false;
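Review bot: The new `l1_cr0` parameter on nested_vmcb_check_controls() is not described anywhere near the prototype, and the two callers in this series pass it from different places (the vmcb01 save area in enter_svm_guest_mode(), the userspace-supplied `save->cr0` in svm_set_nested_state()), so a reader of this function cannot tell which CR0 view is expected. A one-line comment above the signature would settle it, e.g. `/* @l1_cr0: L1's CR0 at the time of VMRUN, used for the NP_ENABLE vs. hCR0.PG consistency check */`. The body of nested_vmcb_check_controls() continues past this hunk.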
> @@ -353,6 +354,8 @@ static bool nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
> if (control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) {
> if (CC(!kvm_vcpu_is_legal_gpa(vcpu, control->nested_cr3)))
> return false;
> + if (CC(!(l1_cr0 & X86_CR0_PG)))
> + return false;
This is already checked by nested_svm_check_permissions() -> is_paging().
> }
>
> if (CC(!nested_svm_check_bitmap_pa(vcpu, control->msrpm_base_pa,
> @@ -952,7 +955,8 @@ int enter_svm_guest_mode(struct kvm_vcpu *vcpu, u64 vmcb12_gpa,
> enter_guest_mode(vcpu);
>
> if (!nested_vmcb_check_save(vcpu, &svm->nested.save) ||
> - !nested_vmcb_check_controls(vcpu, &svm->nested.ctl))
> + !nested_vmcb_check_controls(vcpu, &svm->nested.ctl,
> + svm->vmcb01.ptr->save.cr0))
> return -EINVAL;
>
> if (nested_npt_enabled(svm))
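Review bot: The value passed here, `svm->vmcb01.ptr->save.cr0`, is the VMCB copy of CR0 rather than the architectural CR0 L1 observes, and I believe KVM can set bits in the VMCB that are not in the guest-visible value (it does so in some paging configurations), in which case the PG check added in the earlier hunk would test the hardware view instead of hCR0.PG. If that can happen on this path, `kvm_read_cr0(vcpu)` would be the more faithful source; if it cannot, a short comment saying why the vmcb01 value is equivalent would spare the next reader the same question. enter_svm_guest_mode() starts and ends outside this hunk.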
> @@ -1888,7 +1892,8 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu,
>
> ret = -EINVAL;
> __nested_copy_vmcb_control_to_cache(vcpu, &ctl_cached, ctl);
> - if (!nested_vmcb_check_controls(vcpu, &ctl_cached))
> + /* 'save' contains L1 state saved from before VMRUN */
> + if (!nested_vmcb_check_controls(vcpu, &ctl_cached, save->cr0))
...and this is checked slightly below.
I will drop this patch.
> goto out_free;
>
> /*
> --
> 2.53.0.414.gf7e9f6c205-goog
>
>