From: Sean Christopherson <seanjc@google.com>
To: Sasha Levin <sashal@kernel.org>
Cc: stable@vger.kernel.org, Alexander Bulekov <bkov@amazon.com>,
Fred Griffoul <fgriffo@amazon.co.uk>
Subject: Re: [PATCH 5.10.y] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
Date: Wed, 1 Apr 2026 14:22:09 -0700
Message-ID: <ac2MgQiWdy6QfUSC@google.com>
In-Reply-To: <20260401004437.4036016-1-sashal@kernel.org>
On Tue, Mar 31, 2026, Sasha Levin wrote:
> From: Sean Christopherson <seanjc@google.com>
>
> [ Upstream commit aad885e774966e97b675dfe928da164214a71605 ]
>
> When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
> existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
> right about it being impossible to convert a shadow-present SPTE to an
> MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
> memory that are outside the scope of KVM.
>
> E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
> to emulated MMIO and then the guest hits a relevant page fault, KVM will
> install the MMIO SPTE without first zapping the shadow-present SPTE.
>
> ------------[ cut here ]------------
> is_shadow_present_pte(*sptep)
> WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
> Modules linked in: kvm_intel kvm irqbypass
> CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
> Call Trace:
> <TASK>
> mmu_set_spte+0x237/0x440 [kvm]
> ept_page_fault+0x535/0x7f0 [kvm]
> kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
> kvm_mmu_page_fault+0x8d/0x620 [kvm]
> vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
> kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
> kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
> __x64_sys_ioctl+0x8a/0xd0
> do_syscall_64+0xb5/0x730
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
> RIP: 0033:0x47fa3f
> </TASK>
> ---[ end trace 0000000000000000 ]---
>
> Reported-by: Alexander Bulekov <bkov@amazon.com>
> Debugged-by: Alexander Bulekov <bkov@amazon.com>
> Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
> Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> [ replaced `kvm_flush_remote_tlbs_gfn()` with `kvm_flush_remote_tlbs_with_address()` and omitted `pf_mmio_spte_created` stat counter ]
> Signed-off-by: Sasha Levin <sashal@kernel.org>
NAK, the buggy commit was introduced in 5.13 and never made its way to 5.10.y.
E.g. the fact that this is purely additive highlights the lack of fixing anything.
> ---
> arch/x86/kvm/mmu/mmu.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index 13bf3198d0cee..79bcb5430b5f8 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -2619,6 +2619,14 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
> was_rmapped = 1;
> }
>
> + if (unlikely(is_noslot_pfn(pfn))) {
> + mark_mmio_spte(vcpu, sptep, gfn, pte_access);
> + if (flush)
> + kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
> + KVM_PAGES_PER_HPAGE(level));
> + return RET_PF_EMULATE;
> + }
> +
> set_spte_ret = set_spte(vcpu, sptep, pte_access, level, gfn, pfn,
> speculative, true, host_writable);
> if (set_spte_ret & SET_SPTE_WRITE_PROTECTED_PT) {
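Review bot: the diffstat is 8 insertions and no deletions, so this hunk does not move an existing MMIO early return below the drop/zap block (the reordering the commit message's "do so *after* dropping/zapping" describes); it introduces a new is_noslot_pfn() branch in front of the set_spte() call. That only fixes anything if mmu_set_spte() in this tree was already installing MMIO SPTEs before the drop_spte() path above, and the reply states that the Fixes: commit a54aa15c6bda3 never reached 5.10.y. Before taking this, confirm whether set_spte(), called immediately after the inserted block, already marks MMIO SPTEs for noslot pfns on this branch; if it does, the new block duplicates that handling and additionally returns RET_PF_EMULATE before the set_spte_ret / SET_SPTE_WRITE_PROTECTED_PT handling below is reached, so the backport should be dropped rather than adapted.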
> --
> 2.53.0
>
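As an added illustration for readers of this thread (not code from the patch, the kernel, or any participant): a stripped-down C model of the ordering problem the upstream commit message describes. The SPTE bit layout, the helper bodies, the counter standing in for WARN_ON_ONCE(), and the sample gfn/pfn values are all constructed for the example; only the two orderings, MMIO-before-zap versus zap-before-MMIO, are taken from the commit message.

```c
/* Added example, not kernel code: a toy model of the SPTE update ordering
 * fixed by upstream commit aad885e77496.  Bit layout, helper names and the
 * warn counter are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
typedef u64 kvm_pfn_t;

/* Assumed toy encoding; a real SPTE layout is considerably more involved. */
#define SPTE_PRESENT    (1ULL << 0)
#define SPTE_MMIO       (1ULL << 62)
#define SPTE_PFN_SHIFT  12
#define KVM_PFN_NOSLOT  (~(kvm_pfn_t)0)

static bool is_noslot_pfn(kvm_pfn_t pfn)      { return pfn == KVM_PFN_NOSLOT; }
static bool is_shadow_present_pte(u64 spte)   { return spte & SPTE_PRESENT; }
static bool is_mmio_spte(u64 spte)            { return spte & SPTE_MMIO; }

/* Stand-in for WARN_ON_ONCE(): count invariant violations instead of oopsing. */
static int warn_count;

static void drop_spte(u64 *sptep) { *sptep = 0; }

/* Models mark_mmio_spte(): the real one warns when the slot is still present
 * (the "is_shadow_present_pte(*sptep)" WARNING quoted in the commit message). */
static void mark_mmio_spte(u64 *sptep, u64 gfn)
{
	if (is_shadow_present_pte(*sptep))
		warn_count++;
	*sptep = SPTE_MMIO | (gfn << SPTE_PFN_SHIFT);
}

static void make_present_spte(u64 *sptep, kvm_pfn_t pfn)
{
	*sptep = SPTE_PRESENT | (pfn << SPTE_PFN_SHIFT);
}

/* Ordering introduced by a54aa15c6bda3: the MMIO case is handled first, so a
 * shadow-present SPTE is overwritten without being zapped. */
static void mmu_set_spte_buggy(u64 *sptep, u64 gfn, kvm_pfn_t pfn)
{
	if (is_noslot_pfn(pfn)) {
		mark_mmio_spte(sptep, gfn);
		return;
	}
	if (is_shadow_present_pte(*sptep))
		drop_spte(sptep);
	make_present_spte(sptep, pfn);
}

/* Ordering after the fix: zap a stale present SPTE before doing anything else. */
static void mmu_set_spte_fixed(u64 *sptep, u64 gfn, kvm_pfn_t pfn)
{
	if (is_shadow_present_pte(*sptep))
		drop_spte(sptep);
	if (is_noslot_pfn(pfn)) {
		mark_mmio_spte(sptep, gfn);
		return;
	}
	make_present_spte(sptep, pfn);
}

/* Scenario from the commit message: the gfn is first backed by a memslot, then
 * host userspace rewrites the shadowed gPTE so it points at emulated MMIO, and
 * the next fault hands mmu_set_spte() a noslot pfn for a still-present SPTE.
 * Returns the number of invariant violations, or -1 if the SPTE did not end up
 * as an MMIO SPTE at all. */
static int run_scenario(void (*set_spte)(u64 *, u64, kvm_pfn_t))
{
	u64 spte = 0;
	const u64 gfn = 0x1234;          /* constructed sample gfn */
	const kvm_pfn_t pfn = 0xabcde;   /* constructed memslot-backed pfn */

	warn_count = 0;
	set_spte(&spte, gfn, pfn);              /* first fault: present SPTE */
	set_spte(&spte, gfn, KVM_PFN_NOSLOT);   /* second fault: gPTE now MMIO */
	return is_mmio_spte(spte) ? warn_count : -1;
}

int main(void)
{
	printf("buggy ordering: %d warning(s)\n", run_scenario(mmu_set_spte_buggy));
	printf("fixed ordering: %d warning(s)\n", run_scenario(mmu_set_spte_fixed));
	return 0;
}
```

Both orderings leave an MMIO SPTE behind; the difference is that the buggy one trips the present-check inside mark_mmio_spte() exactly once, the fixed one not at all. The model deliberately omits the rmap bookkeeping and TLB flush that drop_spte() and the real fix perform, and it says nothing about whether a given stable branch contains the buggy ordering in the first place, which is the question the NAK above answers for 5.10.y.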
Thread overview: 5+ messages
2026-03-30 9:39 FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree gregkh
2026-04-01 0:44 ` [PATCH 5.10.y] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE Sasha Levin
2026-04-01 21:22 ` Sean Christopherson [this message]
2026-04-01 21:25 ` FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree Sean Christopherson
2026-04-02 3:49 ` Greg KH