[PATCH 5.15.y v2 0/8] KVM: fixes for CVE-2026-46113 and related issues

From: Paolo Bonzini

Date: Fri Jun 26 2026 - 13:46:34 EST


Sasha, Greg,

this is the backport to 5.15 for the above CVE. The fix was relatively
simple upstream but only due to years of refactoring and cleaning up
of the code; fixing from scratch is not really feasible so start by
applying the patches that are needed.

Please apply this instead of v1, due to a missing line in the last
patch. Sorry about that.

Paolo

David Matlack (2):
      KVM: x86/mmu: Use a bool for direct
      KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root()

Paolo Bonzini (5):
      KVM: x86/mmu: Derive shadow MMU page role from parent
      KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes
      KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page()
      KVM: x86: Fix shadow paging use-after-free due to unexpected role

Sean Christopherson (2):
      KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
      KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level

 arch/x86/kvm/mmu/mmu.c         | 192 +++++++++++++++++++++------------
 arch/x86/kvm/mmu/paging_tmpl.h |  30 +++---
 arch/x86/kvm/mmu/spte.h        |   5 +
 arch/x86/kvm/vmx/vmx_ops.h     |   3 +-
 include/linux/kvm_host.h       |   7 +-
 5 files changed, 147 insertions(+), 90 deletions(-)

--
2.54.0