From e2e042c0c42d5a33b7303e1c66c32d4fa94a6d9f Mon Sep 17 00:00:00 2001
From: Fuad Tabba
Date: Fri, 6 May 2022 10:28:06 +0000
Subject: [PATCH] ANDROID: KVM: arm64: Fix for do not allow memslot changes after first VM run under pKVM

Move the check for protected VMs up to ensure that we don't miss a KVM_MR_DELETE.

Bug: 231684412
Change-Id: Ia5cecc13232e8c430f2a1747a3cebd7e7bd5e348
Signed-off-by: Fuad Tabba
---
 arch/arm64/kvm/mmu.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
index cb8db727edad..6e1de374ac5b 100644
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1796,10 +1796,6 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
 hva_t reg_end = hva + mem->memory_size;
 int ret = 0;
 
- if (change != KVM_MR_CREATE && change != KVM_MR_MOVE &&
- change != KVM_MR_FLAGS_ONLY)
- return 0;
-
 /* In protected mode, cannot modify memslots once a VM has run. */
 if (is_protected_kvm_enabled() &&
 (change == KVM_MR_DELETE || change == KVM_MR_MOVE) &&
@@ -1807,6 +1803,10 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
 return -EPERM;
 }
 
+ if (change != KVM_MR_CREATE && change != KVM_MR_MOVE &&
+ change != KVM_MR_FLAGS_ONLY)
+ return 0;
+
 /*
 * Prevent userspace from creating a memory region outside of the IPA
 * space addressable by the KVM guest IPA space.
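Review bot: The protected-VM check now has to stay ahead of the `change != KVM_MR_CREATE && ...` early return (re-added in the second hunk) for KVM_MR_DELETE to be rejected, but nothing in the moved code records that ordering, so a later reshuffle could silently reopen the gap this commit closes. I would extend the existing comment to something like `/* In protected mode, cannot modify memslots once a VM has run. Must precede the early return below, which would otherwise let KVM_MR_DELETE through. */`. The comment also says memslots cannot be modified, while the visible condition names only KVM_MR_DELETE and KVM_MR_MOVE; if KVM_MR_CREATE and KVM_MR_FLAGS_ONLY are intentionally still permitted after the first run, that is worth stating there as well. The last line of the `if` condition falls between the two hunks and the function body starts and ends outside them, so this is based on the visible lines only.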