[GIT PULL] Last minute KVM x86 fixes for Linux 7.1-rc2
From: Paolo Bonzini
Date: Sun May 03 2026 - 17:28:28 EST
Linus,
The following changes since commit 39f1c201b93f4ff71631bac72cff6eb155f976a4:
Merge tag 'kvm-x86-selftests_kernel_types-7.1' of https://github.com/kvm-x86/linux into HEAD (2026-04-27 04:24:41 -0400)
are available in the Git repository at:
https://git.kernel.org/pub/scm/virt/kvm/kvm.git tags/for-linus
for you to fetch changes up to 0cb2af2ea66ad8ff195c156ea690f11216285bdf:
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (2026-05-03 22:32:53 +0200)
For once, these were all found by humans. Two of the patches were
developed and tested offlist, but I have now posted them on LKML and
the KVM list. So here they are for inclusion in the release candidates.
I was hoping to send them earlier today, but a birthday present from
one son to the other got in the way. :) If it's too late, then it'll
be for -rc3.
Please pull,
Paolo
----------------------------------------------------------------
Three bug fixes for x86:
* Check that nEPT/nNPT is enabled in slow flush hypercalls. If it is
not, the hypercalls can be processed as usual even while running a
nested guest.
* Fix shadow paging use-after-free due to page tables changing outside
execution of the guest. A bug that is 16 years old and stems from an
imprecision in the very first KVM series.
* Scan IRR whenever PID.ON is true, even if PIR is empty, which avoids
a somewhat rare WARN.
----------------------------------------------------------------
Paolo Bonzini (2):
      KVM: x86: check for nEPT/nNPT in slow flush hypercalls
      KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty

Sean Christopherson (2):
      KVM: x86: Fix misleading variable names and add more comments for PIR=>IRR flow
      KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
 arch/x86/kvm/hyperv.c  |  2 +-
 arch/x86/kvm/lapic.c   | 24 +++++++++++++-----------
 arch/x86/kvm/mmu/mmu.c | 35 ++++++++++++++---------------------
 arch/x86/kvm/vmx/vmx.c | 40 ++++++++++++++++++++++++++++++++--------
 4 files changed, 60 insertions(+), 41 deletions(-)