1 files changed, 18 insertions, 0 deletions
diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt
index f46aa58389c..5dc972c09b5 100644
--- a/Documentation/virtual/kvm/mmu.txt
+++ b/Documentation/virtual/kvm/mmu.txt
@@ -165,6 +165,10 @@ Shadow pages contain the following information:
    Contains the value of efer.nxe for which the page is valid.
  role.cr0_wp:
    Contains the value of cr0.wp for which the page is valid.
+  role.smep_andnot_wp:
+    Contains the value of cr4.smep && !cr0.wp for which the page is valid
+    (pages for which this is true are different from other pages; see the
+    treatment of cr0.wp=0 below).
  gfn:
    Either the guest page table containing the translations shadowed by this
    page, or the base page frame for linear translations.  See role.direct.
@@ -317,6 +321,20 @@ on fault type:
 (user write faults generate a #PF)
+In the first case there is an additional complication if CR4.SMEP is
+enabled: since we've turned the page into a kernel page, the kernel may now
+execute it.  We handle this by also setting spte.nx.  If we get a user
+fetch or read fault, we'll change spte.u=1 and spte.nx=gpte.nx back.
+To prevent an spte that was converted into a kernel page with cr0.wp=0
+from being written by the kernel after cr0.wp has changed to 1, we make
+the value of cr0.wp part of the page role.  This means that an spte created
+with one value of cr0.wp cannot be used when cr0.wp has a different value -
+it will simply be missed by the shadow page lookup code.  A similar issue
+exists when an spte created with cr0.wp=0 and cr4.smep=0 is used after
+changing cr4.smep to 1.  To avoid this, the value of !cr0.wp && cr4.smep
+is also made a part of the page role.
 Large pages
 ===========

diff --git a/Documentation/virtual/kvm/mmu.txt b/Documentation/virtual/kvm/mmu.txt index f46aa58389c..5dc972c09b5 100644 --- a/Documentation/virtual/kvm/mmu.txt +++ b/Documentation/virtual/kvm/mmu.txt
@@ -165,6 +165,10 @@ Shadow pages contain the following information:
165	Contains the value of efer.nxe for which the page is valid.	165	Contains the value of efer.nxe for which the page is valid.
166	role.cr0_wp:	166	role.cr0_wp:
167	Contains the value of cr0.wp for which the page is valid.	167	Contains the value of cr0.wp for which the page is valid.
		168	role.smep_andnot_wp:
		169	Contains the value of cr4.smep && !cr0.wp for which the page is valid
		170	(pages for which this is true are different from other pages; see the
		171	treatment of cr0.wp=0 below).
168	gfn:	172	gfn:
169	Either the guest page table containing the translations shadowed by this	173	Either the guest page table containing the translations shadowed by this
170	page, or the base page frame for linear translations. See role.direct.	174	page, or the base page frame for linear translations. See role.direct.
@@ -317,6 +321,20 @@ on fault type:
317		321
318	(user write faults generate a #PF)	322	(user write faults generate a #PF)
319		323
		324	In the first case there is an additional complication if CR4.SMEP is
		325	enabled: since we've turned the page into a kernel page, the kernel may now
		326	execute it. We handle this by also setting spte.nx. If we get a user
		327	fetch or read fault, we'll change spte.u=1 and spte.nx=gpte.nx back.
		328
		329	To prevent an spte that was converted into a kernel page with cr0.wp=0
		330	from being written by the kernel after cr0.wp has changed to 1, we make
		331	the value of cr0.wp part of the page role. This means that an spte created
		332	with one value of cr0.wp cannot be used when cr0.wp has a different value -
		333	it will simply be missed by the shadow page lookup code. A similar issue
		334	exists when an spte created with cr0.wp=0 and cr4.smep=0 is used after
		335	changing cr4.smep to 1. To avoid this, the value of !cr0.wp && cr4.smep
		336	is also made a part of the page role.
		337
320	Large pages	338	Large pages
321	===========	339	===========
322		340