diff --git a/drivers/kvm/kvm.h b/drivers/kvm/kvm.h
index f99e89e185b20c7ba20f3da857c932ab9717d5a4..41634fde8e13f0e594520bdde5f7be066e9cd57e 100644
--- a/drivers/kvm/kvm.h
+++ b/drivers/kvm/kvm.h
@@ -310,6 +310,7 @@ struct kvm_vcpu {
 	int mmio_size;
 	unsigned char mmio_data[8];
 	gpa_t mmio_phys_addr;
+	gva_t mmio_fault_cr2;
 	struct kvm_pio_request pio;
 	void *pio_data;
 
diff --git a/drivers/kvm/kvm_main.c b/drivers/kvm/kvm_main.c
index cdf0b176851db8e1f1270a48011c4f8dc000b401..f267dbb52845f4b3b6c16119c62a34f3302ddfb8 100644
--- a/drivers/kvm/kvm_main.c
+++ b/drivers/kvm/kvm_main.c
@@ -1186,6 +1186,7 @@ int emulate_instruction(struct kvm_vcpu *vcpu,
 	int r;
 	int cs_db, cs_l;
 
+	vcpu->mmio_fault_cr2 = cr2;
 	kvm_arch_ops->cache_regs(vcpu);
 
 	kvm_arch_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
@@ -1804,14 +1805,23 @@ static int kvm_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 			r = complete_pio(vcpu);
 			if (r)
 				goto out;
-		} else {
+		} else if (!vcpu->mmio_is_write) {
 			memcpy(vcpu->mmio_data, kvm_run->mmio.data, 8);
 			vcpu->mmio_read_completed = 1;
+			vcpu->mmio_needed = 0;
+			r = emulate_instruction(vcpu, kvm_run,
+					    vcpu->mmio_fault_cr2, 0);
+			if (r == EMULATE_DO_MMIO) {
+				/*
+				 * Read-modify-write.  Back to userspace.
+				 */
+				kvm_run->exit_reason = KVM_EXIT_MMIO;
+				r = 0;
+				goto out;
+			}
 		}
 	}
 
-	vcpu->mmio_needed = 0;
-
 	if (kvm_run->exit_reason == KVM_EXIT_HYPERCALL) {
 		kvm_arch_ops->cache_regs(vcpu);
 		vcpu->regs[VCPU_REGS_RAX] = kvm_run->hypercall.ret;