From: Patrick Roy <patrick.roy@linux.dev>
Use the per-module export functionality to allow KVM (and only KVM) access to set_direct_map_valid_noflush(). This allows guest_memfd to remove its memory from the direct map, even if KVM is built as a module.
Only do this on x86, as only x86 and arm64 support guest_memfd, and arm64 does not support building KVM as a module.
Direct map removal gives guest_memfd the same protection that memfd_secret enjoys, such as hardening against Spectre-like attacks through in-kernel gadgets.
Signed-off-by: Patrick Roy <patrick.roy@linux.dev>
Signed-off-by: Nikita Kalyazin <kalyazin@amazon.com>
---
 arch/x86/mm/pat/set_memory.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index 970981893c9b..a7a88b598d99 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -2655,6 +2655,7 @@ int set_direct_map_valid_noflush(struct page *page, unsigned nr, bool valid)
return __set_pages_np(page, nr); } +EXPORT_SYMBOL_FOR_MODULES(set_direct_map_valid_noflush, "kvm");
#ifdef CONFIG_DEBUG_PAGEALLOC void __kernel_map_pages(struct page *page, int numpages, int enable)
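Review bot: The added EXPORT_SYMBOL_FOR_MODULES(set_direct_map_valid_noflush, "kvm") line, placed right after the function's closing brace, carries no comment stating the contract a module caller takes on. As the _noflush suffix indicates, this helper changes direct map entries without flushing the TLB, so once it is reachable from a module the caller owns the invalidation and its ordering. A short comment at the export (or kernel-doc on the function) should say that, and should say the export exists for guest_memfd direct map removal. The export is also unconditional in this file, so the symbol is made available to the "kvm" module in every x86 configuration, including ones where guest_memfd is not built; consider guarding it with the KVM configuration that actually needs it. Restricting the allow-list to the single name "kvm" is the right shape for a primitive like this; it would help to note in the commit message that the only intended caller lives in that module, so later additions to the list get questioned.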