FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree

FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree

[gregkh]

The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x aad885e774966e97b675dfe928da164214a71605
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2026033039-occupy-slush-db02@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..

Possible dependencies:



thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From aad885e774966e97b675dfe928da164214a71605 Mon Sep 17 00:00:00 2001
From: Sean Christopherson <seanjc@google.com>
Date: Thu, 5 Mar 2026 17:28:04 -0800
Subject: [PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when
 creating an MMIO SPTE

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.

  ------------[ cut here ]------------
  is_shadow_present_pte(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
  Call Trace:
   <TASK>
   mmu_set_spte+0x237/0x440 [kvm]
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x47fa3f
   </TASK>
  ---[ end trace 0000000000000000 ]---

Reported-by: Alexander Bulekov <bkov@amazon.com>
Debugged-by: Alexander Bulekov <bkov@amazon.com>
Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index b922a8b00057..98406d6aa2d6 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3044,12 +3044,6 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
 	bool prefetch = !fault || fault->prefetch;
 	bool write_fault = fault && fault->write;
 
-	if (unlikely(is_noslot_pfn(pfn))) {
-		vcpu->stat.pf_mmio_spte_created++;
-		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
-		return RET_PF_EMULATE;
-	}
-
 	if (is_shadow_present_pte(*sptep)) {
 		if (prefetch && is_last_spte(*sptep, level) &&
 		    pfn == spte_to_pfn(*sptep))
@@ -3073,6 +3067,14 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
 			was_rmapped = 1;
 	}
 
+	if (unlikely(is_noslot_pfn(pfn))) {
+		vcpu->stat.pf_mmio_spte_created++;
+		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
+		if (flush)
+			kvm_flush_remote_tlbs_gfn(vcpu->kvm, gfn, level);
+		return RET_PF_EMULATE;
+	}
+
 	wrprot = make_spte(vcpu, sp, slot, pte_access, gfn, pfn, *sptep, prefetch,
 			   false, host_writable, &spte);
 

[PATCH 5.10.y] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

[Sasha Levin]

From: Sean Christopherson <seanjc@google.com>

[ Upstream commit aad885e774966e97b675dfe928da164214a71605 ]

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.

  ------------[ cut here ]------------
  is_shadow_present_pte(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
  Call Trace:
   <TASK>
   mmu_set_spte+0x237/0x440 [kvm]
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x47fa3f
   </TASK>
  ---[ end trace 0000000000000000 ]---

Reported-by: Alexander Bulekov <bkov@amazon.com>
Debugged-by: Alexander Bulekov <bkov@amazon.com>
Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ replaced `kvm_flush_remote_tlbs_gfn()` with `kvm_flush_remote_tlbs_with_address()` and omitted `pf_mmio_spte_created` stat counter ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/mmu/mmu.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 13bf3198d0cee..79bcb5430b5f8 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -2619,6 +2619,14 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
 			was_rmapped = 1;
 	}
 
+	if (unlikely(is_noslot_pfn(pfn))) {
+		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
+		if (flush)
+			kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
+					KVM_PAGES_PER_HPAGE(level));
+		return RET_PF_EMULATE;
+	}
+
 	set_spte_ret = set_spte(vcpu, sptep, pte_access, level, gfn, pfn,
 				speculative, true, host_writable);
 	if (set_spte_ret & SET_SPTE_WRITE_PROTECTED_PT) {
-- 
2.53.0

Re: [PATCH 5.10.y] KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE

[Sean Christopherson]

On Tue, Mar 31, 2026, Sasha Levin wrote:
> From: Sean Christopherson <seanjc@google.com>
> 
> [ Upstream commit aad885e774966e97b675dfe928da164214a71605 ]
> 
> When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
> existing SPTE (if it's shadow-present).  While commit a54aa15c6bda3 was
> right about it being impossible to convert a shadow-present SPTE to an
> MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
> memory that are outside the scope of KVM.
> 
> E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
> to emulted MMIO and then the guest hits a relevant page fault, KVM will
> install the MMIO SPTE without first zapping the shadow-present SPTE.
> 
>   ------------[ cut here ]------------
>   is_shadow_present_pte(*sptep)
>   WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
>   Modules linked in: kvm_intel kvm irqbypass
>   CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
>   Call Trace:
>    <TASK>
>    mmu_set_spte+0x237/0x440 [kvm]
>    ept_page_fault+0x535/0x7f0 [kvm]
>    kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
>    kvm_mmu_page_fault+0x8d/0x620 [kvm]
>    vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
>    kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
>    kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
>    __x64_sys_ioctl+0x8a/0xd0
>    do_syscall_64+0xb5/0x730
>    entry_SYSCALL_64_after_hwframe+0x4b/0x53
>   RIP: 0033:0x47fa3f
>    </TASK>
>   ---[ end trace 0000000000000000 ]---
> 
> Reported-by: Alexander Bulekov <bkov@amazon.com>
> Debugged-by: Alexander Bulekov <bkov@amazon.com>
> Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
> Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> [ replaced `kvm_flush_remote_tlbs_gfn()` with `kvm_flush_remote_tlbs_with_address()` and omitted `pf_mmio_spte_created` stat counter ]
> Signed-off-by: Sasha Levin <sashal@kernel.org>

NAK, the buggy commit was introduced in 5.13 and never made its way to 5.10.y.

E.g. the fact that this is purely additive highlights the lack of fixing anything.

> ---
>  arch/x86/kvm/mmu/mmu.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
> index 13bf3198d0cee..79bcb5430b5f8 100644
> --- a/arch/x86/kvm/mmu/mmu.c
> +++ b/arch/x86/kvm/mmu/mmu.c
> @@ -2619,6 +2619,14 @@ static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
>  			was_rmapped = 1;
>  	}
>  
> +	if (unlikely(is_noslot_pfn(pfn))) {
> +		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
> +		if (flush)
> +			kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
> +					KVM_PAGES_PER_HPAGE(level));
> +		return RET_PF_EMULATE;
> +	}
> +
>  	set_spte_ret = set_spte(vcpu, sptep, pte_access, level, gfn, pfn,
>  				speculative, true, host_writable);
>  	if (set_spte_ret & SET_SPTE_WRITE_PROTECTED_PT) {
> -- 
> 2.53.0
> 

Re: FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree

[Sean Christopherson]

On Mon, Mar 30, 2026, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 5.10-stable tree.

...

> Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
> Cc: stable@vger.kernel.org

Partially out of curiosity, partially to reduce the probability of future goofs,
why did the tooling try to apply a patch to a kernel without the Fixes commit?
5.10 doesn't have a54aa15c6bda3 and so doesn't need this fix.

I assumed that having an explicit Fixes would implicit scope the backport to
kernels with that commit (or a backport of that commit).

Re: FAILED: patch "[PATCH] KVM: x86/mmu: Drop/zap existing present SPTE even when" failed to apply to 5.10-stable tree

[Greg KH]

On Wed, Apr 01, 2026 at 02:25:25PM -0700, Sean Christopherson wrote:
> On Mon, Mar 30, 2026, gregkh@linuxfoundation.org wrote:
> > 
> > The patch below does not apply to the 5.10-stable tree.
> 
> ...
> 
> > Fixes: a54aa15c6bda3 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
> > Cc: stable@vger.kernel.org
> 
> Partially out of curiosity, partially to reduce the probability of future goofs,
> why did the tooling try to apply a patch to a kernel without the Fixes commit?
> 5.10 doesn't have a54aa15c6bda3 and so doesn't need this fix.
> 
> I assumed that having an explicit Fixes would implicit scope the backport to
> kernels with that commit (or a backport of that commit).

Yeah, my fault, I still "manually" read that, and my script properly
spit out:

	Commit id aad885e774966e97b675dfe928da164214a71605
		queued in:	queue-6.19/kvm-x86-mmu-drop-zap-existing-present-spte-even-when-creating-an-mmio-spte.patch
		queued in:	queue-6.18/kvm-x86-mmu-drop-zap-existing-present-spte-even-when-creating-an-mmio-spte.patch
		queued in:	queue-6.12/kvm-x86-mmu-drop-zap-existing-present-spte-even-when-creating-an-mmio-spte.patch
		queued in:	queue-6.6/kvm-x86-mmu-drop-zap-existing-present-spte-even-when-creating-an-mmio-spte.patch
		fixed in:	5.13
	> ○ 6.19
	  ○ 6.18
	  ○ 6.12
	  ○ 6.6
	  ○ 6.1
	  ○ 5.15
	  ○ 5.10

But I guess I seleced "5.10" accidentally as well.

Sorry about that, my fault, one of these days I'll make the script a bit
smarter to "pre-populate" the checkboxes with what it thinks should be
happening here, and not require me to actually read values :)

thanks,

greg k-h