KVM: Disable SMAP for guests in EPT realmode and EPT unpaging mode

SMAP is disabled if CPU is in non-paging mode in hardware.
However KVM always uses paging mode to emulate guest non-paging
mode with TDP. To emulate this behavior, SMAP needs to be
manually disabled when guest switches to non-paging mode.

Signed-off-by: Feng Wu <feng.wu@intel.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

1 files changed, 6 insertions, 5 deletions

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1320e0f8e611..1f68c5831924 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3484,13 +3484,14 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
                         hw_cr4 &= ~X86_CR4_PAE;
                         hw_cr4 |= X86_CR4_PSE;
                         /*
-                         * SMEP is disabled if CPU is in non-paging mode in
-                         * hardware. However KVM always uses paging mode to
+                         * SMEP/SMAP is disabled if CPU is in non-paging mode
+                         * in hardware. However KVM always uses paging mode to
                          * emulate guest non-paging mode with TDP.
-                         * To emulate this behavior, SMEP needs to be manually
-                         * disabled when guest switches to non-paging mode.
+                         * To emulate this behavior, SMEP/SMAP needs to be
+                         * manually disabled when guest switches to non-paging
+                         * mode.
                          */
-                        hw_cr4 &= ~X86_CR4_SMEP;
+                        hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
                 } else if (!(cr4 & X86_CR4_PAE)) {
                         hw_cr4 &= ~X86_CR4_PAE;
                 }