Date: Sat, 03 Jan 2026 12:51:45 -0800
In-Reply-To: <671bc7a7.050a0220.455e8.022a.GAE@google.com>
Message-ID: <69598161.050a0220.a1b6.0376.GAE@google.com>
Subject: Forwarded: Re: [syzbot] [kvm?] WARNING in vcpu_run
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [kvm?] WARNING in vcpu_run
Author: alessandro@0x65c.net

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/kvm/kvm.git master

From cbcf01f93bc65d617c35a06fa71b5aea345dc04f Mon Sep 17 00:00:00 2001
From: Alessandro Ratti
Date: Sat, 3 Jan 2026 21:44:23 +0100
Subject: [PATCH] KVM: x86: Handle -EBUSY from nested event check in vcpu_block()

When a vCPU running in nested guest mode attempts to block (e.g. due to
HLT), kvm_check_nested_events() may return -EBUSY to indicate that a
nested event is pending but cannot be injected immediately, such as when
event delivery is temporarily blocked in the guest.

Currently, vcpu_block() treats this as a generic error and exits to
userspace. This can cause the vCPU to repeatedly block without making
forward progress, delaying nested event injection and potentially
leading to guest hangs under rare timing conditions.

Handle -EBUSY explicitly by returning to the vCPU run loop and retrying
guest entry instead of blocking. This allows nested event delivery to
complete once the temporary blocking condition clears.

This issue was triggered by syzkaller during nested virtualization
stress testing.

Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")
Reported-by: syzbot+1522459a74d26b0ac33a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=b646ef310afe5b51ae0372e1de8fdd68baad9eb5
Signed-off-by: Alessandro Ratti
--- arch/x86/kvm/x86.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index ff8812f3a129..4b2781d61a84 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -11596,7 +11596,16 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu) if (is_guest_mode(vcpu)) { int r =3D kvm_check_nested_events(vcpu); - WARN_ON_ONCE(r =3D=3D -EBUSY); + /* + * -EBUSY indicates a nested event is pending but cannot be + * injected immediately (e.g., event delivery is temporarily + * blocked). Return to the vCPU run loop to retry guest ent= ry + * instead of blocking, which would lose the pending event. + * This is a rare race condition, but we must handle it correctly. + */ + if (r =3D=3D -EBUSY) + return 1; + if (r < 0) return 0; } --=20 2.52.0
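
Review bot: The new comment above "if (r == -EBUSY) return 1;" justifies the change as retrying "instead of blocking, which would lose the pending event", but in the lines shown -EBUSY previously fell through to the unchanged "if (r < 0) return 0;", which is a return from vcpu_block() and not a block, so the comment does not describe the path being replaced. The commit message has the same mismatch: it says the old code "exits to userspace" and, in the next sentence, that the vCPU can "repeatedly block". Please state what returning 0 did for -EBUSY and why returning 1 is the right replacement. The hunk also deletes the WARN_ON_ONCE(r == -EBUSY) that the Fixes: commit added to flag a wakeup KVM cannot yet inject; the changelog should explain why that state is legitimately reachable rather than a bug in the caller's state tracking, since after this change a condition that never clears would retry guest entry with no diagnostic left. Minor: the last comment sentence ("This is a rare race condition, but we must handle it correctly.") adds nothing the code does not already say and can be dropped.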