According to the APM volume 3 pseudo-code for "VMRUN," when nested
paging is enabled in the VMCB, the guest PAT register (gPAT) is saved
to the VMCB on #VMEXIT.

KVM doesn't implement a separate gPAT register. Instead, the guest PAT
is stored in the IA32_PAT MSR while in guest mode (L2) and nested NPT
is enabled in vmcs02.

Save the current IA32_PAT MSR to the vmcb12 g_pat field on
emulated #VMEXIT from L2 to L1.

Fixes: 15038e147247 ("KVM: SVM: obey guest PAT")
Signed-off-by: Jim Mattson <jmattson@google.com>
---
 arch/x86/kvm/svm/nested.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 90edea73ec58..5fbe730d4c69 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1197,6 +1197,15 @@ int nested_svm_vmexit(struct vcpu_svm *svm)
 	vmcb12->save.dr6    = svm->vcpu.arch.dr6;
 	vmcb12->save.cpl    = vmcb02->save.cpl;
 
+	/*
+	 * KVM stores the guest PAT in the IA32_PAT register while in
+	 * guest mode with nested NPT enabled (rather than in a
+	 * separate G_PAT register). Hence, the IA32_PAT MSR is stored
+	 * in the VMCB12 g_pat field on #VMEXIT.
+	 */
+	if (nested_npt_enabled(svm))
+		vmcb12->save.g_pat = vcpu->arch.pat;
+
 	if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) {
 		vmcb12->save.s_cet	= vmcb02->save.s_cet;
 		vmcb12->save.isst_addr	= vmcb02->save.isst_addr;
-- 
2.52.0.457.g6b5491de43-goog