Guest to host page translation is missing if the guest runs in unpaged mode. See last sentence in AMD SDM rev 3.40 section 15.25.5. Signed-off-by: Bernhard Kauer <bernhard.kauer@incari.com> --- target/i386/tcg/sysemu/excp_helper.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/i386/tcg/sysemu/excp_helper.c +++ b/target/i386/tcg/sysemu/excp_helper.c @@ -XXX,XX +XXX,XX @@ static bool get_physical_address(CPUX86State *env, vaddr addr, } return mmu_translate(env, &in, out, err); } + if (use_stage2) { + return get_physical_address(env, addr, access_type, MMU_NESTED_IDX, out, err); + } break; } Guest to host page translation should be done even if the guest runs in unpaged mode. See last sentence in AMD SDM rev 3.40 section 15.25.5. Signed-off-by: Bernhard Kauer <bernhard.kauer@incari.com> ---  target/i386/tcg/sysemu/excp_helper.c | 3 +++  1 file changed, 3 insertions(+) diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/excp_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/i386/tcg/sysemu/excp_helper.c +++ b/target/i386/tcg/sysemu/excp_helper.c @@ -XXX,XX +XXX,XX @@ static bool get_physical_address(CPUX86State *env, vaddr addr,              }              return mmu_translate(env, &in, out, err);          } +        if (use_stage2) { +            return get_physical_address(env, addr, access_type, MMU_NESTED_IDX, out, err); +        }          break;      }