[PATCH v2 0/2] KVM: nVMX: Fix ept=n bugs where KVM runs L2 with guest CR3

From: Sean Christopherson

Date: Fri Jun 12 2026 - 10:56:54 EST


Fix two bugs where KVM can run L2 with a guest-controlled CR3. The underlying
flaw dates back to commit f087a02941fe ("KVM: nVMX: Stash L1's CR3 in
vmcs01.GUEST_CR3 on nested entry w/o EPT"). Past me claimed:

  Smashing vmcs01.GUEST_CR3 is safe because nested VM-Exits, and the unwind,
  reset KVM's MMU, i.e. vmcs01.GUEST_CR3 is guaranteed to be overwritten with
  a shadow CR3 prior to re-entering L1.

which was and is true, _if_ a nested VM-Exit or the unwind is reached. If KVM
fails directly, vmcs01.GUEST_CR3 will be left pointing at L1's actual CR3, i.e.
KVM will run with legacy shadow paging a guest-controlled CR3, which is... not
good.

v2:
- Use kvm_read_cr3() to read vcpu->arch.cr3. [Sashiko]
- Skip consistency check if reading vTPR fails. [Jim]

v1: https://lore.kernel.org/all/20260603223418.1720035-1-seanjc@xxxxxxxxxx

Sean Christopherson (2):
  KVM: nVMX: Move vTPR vs. TPR Threshold consistency check into "normal"
    checks
  KVM: nVMX: Don't use vmcs01.GUEST_CR3 to snapshot L1's CR3 when EPT is
    disabled

arch/x86/kvm/vmx/nested.c | 87 +++++++++++++++++----------------------
arch/x86/kvm/vmx/vmx.h | 7 ++++
2 files changed, 44 insertions(+), 50 deletions(-)


base-commit: de3a35be92d2391ece4bf3143ef2887192625fd0
--
2.54.0.1136.gdb2ca164c4-goog