KVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can lead other vcpus to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.
16fd49b64aee26c8f9a9ad6cb4265e74537f37bede65109a50798f82ac77833b