lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <69598161.050a0220.a1b6.0376.GAE@google.com>
Date: Sat, 03 Jan 2026 12:51:45 -0800
From: syzbot <syzbot+1522459a74d26b0ac33a@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Re: [syzbot] [kvm?] WARNING in vcpu_run

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Re: [syzbot] [kvm?] WARNING in vcpu_run
Author: alessandro@...5c.net

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/kvm/kvm.git master

>From cbcf01f93bc65d617c35a06fa71b5aea345dc04f Mon Sep 17 00:00:00 2001
From: Alessandro Ratti <alessandro@...5c.net>
Date: Sat, 3 Jan 2026 21:44:23 +0100
Subject: [PATCH] KVM: x86: Handle -EBUSY from nested event check in
 vcpu_block()

When a vCPU running in nested guest mode attempts to block (e.g. due to
HLT), kvm_check_nested_events() may return -EBUSY to indicate that a
nested event is pending but cannot be injected immediately, such as
when event delivery is temporarily blocked in the guest.

Currently, vcpu_block() treats this as a generic error and exits to
userspace. This can cause the vCPU to repeatedly block without making
forward progress, delaying nested event injection and potentially
leading to guest hangs under rare timing conditions.

Handle -EBUSY explicitly by returning to the vCPU run loop and retrying
guest entry instead of blocking. This allows nested event delivery to
complete once the temporary blocking condition clears.

This issue was triggered by syzkaller during nested virtualization
stress testing.

Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup
that KVM can't yet inject")
Reported-by: syzbot+1522459a74d26b0ac33a@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=b646ef310afe5b51ae0372e1de8fdd68baad9eb5
Signed-off-by: Alessandro Ratti <alessandro@...5c.net>
---
 arch/x86/kvm/x86.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff8812f3a129..4b2781d61a84 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11596,7 +11596,16 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
        if (is_guest_mode(vcpu)) {
                int r = kvm_check_nested_events(vcpu);

-               WARN_ON_ONCE(r == -EBUSY);
+               /*
+                * -EBUSY indicates a nested event is pending but cannot be
+                * injected immediately (e.g., event delivery is temporarily
+                * blocked). Return to the vCPU run loop to retry guest entry
+                * instead of blocking, which would lose the pending event.
+                * This is a rare race condition, but we must handle
it correctly.
+                */
+               if (r == -EBUSY)
+                       return 1;
+
                if (r < 0)
                        return 0;
        }
-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ