[PATCH 5.15.y v2 0/8] KVM: fixes for CVE-2026-46113 and related issues
From: Paolo Bonzini
Date: Fri Jun 26 2026 - 13:46:34 EST
Sasha, Greg,

this is the backport to 5.15 for the above CVE. The fix was relatively
simple upstream but only due to years of refactoring and cleaning up
of the code; fixing from scratch is not really feasible so start by
applying the patches that are needed.

Please apply this instead of v1, due to a missing line in the last
patch. Sorry about that.

Paolo
David Matlack (2):
KVM: x86/mmu: Use a bool for direct
KVM: x86/mmu: Stop passing "direct" to mmu_alloc_root()
Paolo Bonzini (5):
KVM: x86/mmu: Derive shadow MMU page role from parent
KVM: x86/mmu: Always pass 0 for @quadrant when gptes are 8 bytes
KVM: x86/mmu: pull call to drop_large_spte() into __link_shadow_page()
KVM: x86: Fix shadow paging use-after-free due to unexpected role
Sean Christopherson (2):
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
arch/x86/kvm/mmu/mmu.c | 192 +++++++++++++++++++++------------
arch/x86/kvm/mmu/paging_tmpl.h | 30 +++---
arch/x86/kvm/mmu/spte.h | 5 +
arch/x86/kvm/vmx/vmx_ops.h | 3 +-
include/linux/kvm_host.h | 7 +-
5 files changed, 147 insertions(+), 90 deletions(-)
--
2.54.0