Unexpected EPT Violations



we’re currently working in a project that involves extending the KVM hypervisor. While running the VM, we sometimes get EPT violations that shouldn’t be possible from our understanding of the Intel documents.

The scenario is as follow (we use Intel VT with EPT enabled):
All guest paging structures (i.e., the paging structures inside the VM) are set to non-writable on the last EPT level. In other words, whenever the guest OS writes to a guest paging structure (e.g. to map/free a page), this triggers an EPT violation.

Now, “occasionally” the following happens:
The VM performs a normal read operation somewhere in memory (doesn’t seem to matter where). This then yields an EPT violation and bit 0, bit 1, and bit 7 are set in the exit qualification field, bit 8 is cleared. According to the Intel specification (Table 27-7), this means that the EPT violation was caused by the MMU setting the dirty or accessed bit in the guest paging structures. At first, this makes sense since these are set to non-writable on the EPT. However, this specific behavior can be disabled according to the Intel docs if bit 6 of the EPTP is cleared (see Section 28.2.4). Then, writes to the access or dirty bits in the PTEs are not considered as memory writes and no EPT violation should happen (to our understanding).

In fact, for almost all memory operations, we never see any EPT violations as explained in the previous paragraph. They only happens “rarely”, but it does.

Thus my question is if anybody knows under which circumstances writes to access/dirty bits can actually cause EPT violation although bit 6 of the EPTP is cleared. Or are we just missing something in the documentation?