If a triple fault is injected while the vCPU is in guest mode, but before it actually ran, inject it into L1 instead of synthesizing a SHUTDOWN VM-Exit to L1, as synthesizing a VM-Exit is not allowed before completing the nested VM-Enter. This could happen if KVM exits to userspace with nested_run_pending=1, and userspace injects a triple fault with KVM_SET_VCPU_EVENTS, and triggers WARN_ON_ONCE(vcpu->arch.nested_run_pending) in __nested_vmx_vmexit(). Suggested-by: Sean Christopherson Signed-off-by: Yosry Ahmed --- arch/x86/kvm/x86.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index db3f393192d94..e39c5faf94230 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11914,6 +11914,19 @@ static int kvm_x86_vcpu_pre_run(struct kvm_vcpu *vcpu) !kvm_apic_init_sipi_allowed(vcpu)) return -EINVAL; + /* + * If a triple fault was injected in guest mode (e.g. through + * KVM_SET_VCPU_EVENTS), but before L2 actually ran, inject it into L1 + * instead of synthesizing a SHUTDOWN VM-Exit to L1, as synthesizing a + * VM-Exit is not allowed before completing the nested VM-Enter. + */ + if (is_guest_mode(vcpu) && vcpu->arch.nested_run_pending && + kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) { + vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN; + vcpu->mmio_needed = 0; + return 0; + } + return kvm_x86_call(vcpu_pre_run)(vcpu); } -- 2.53.0.473.g4a7958ca14-goog
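Review bot: the new comment in kvm_x86_vcpu_pre_run() says the triple fault is injected "into L1", but the code does not leave guest mode or touch nested_run_pending; it sets vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN and returns 0, so what actually happens is an immediate KVM_EXIT_SHUTDOWN to userspace with the nested state still in place. Either reword the comment (and the commit message) to say the fault is reported to userspace as an L1 shutdown rather than synthesizing a VM-Exit, or state explicitly why leaving is_guest_mode()/nested_run_pending set is safe, e.g. because userspace is expected to reset the vCPU before the next KVM_RUN. A small style point on the condition: kvm_check_request() is the last operand, so the request is only consumed when the first two checks pass; that short-circuit ordering is load-bearing and deserves a clause in the comment so nobody reorders it later.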