From: Patrick Roy <[email protected]> Use the per-module export functionality to allow KVM (and only KVM) access to set_direct_map_valid_noflush(). This allows guest_memfd to remove its memory from the direct map, even if KVM is built as a module.
Only do this on x86, as only x86 and arm64 support guest_memfd, and arm64 does not support building KVM as a module. Direct map removal gives guest_memfd the same protection that memfd_secret enjoys, such as hardening against Spectre-like attacks through in-kernel gadgets. Signed-off-by: Patrick Roy <[email protected]> Signed-off-by: Nikita Kalyazin <[email protected]> --- arch/x86/mm/pat/set_memory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index 970981893c9b..a7a88b598d99 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -2655,6 +2655,7 @@ int set_direct_map_valid_noflush(struct page *page, unsigned nr, bool valid) return __set_pages_np(page, nr); } +EXPORT_SYMBOL_FOR_MODULES(set_direct_map_valid_noflush, "kvm"); #ifdef CONFIG_DEBUG_PAGEALLOC void __kernel_map_pages(struct page *page, int numpages, int enable) -- 2.50.1
