[syzbot] [kvm?] WARNING in vcpu_run


syzbot

Oct 25, 2024, 12:30:33 PM
to b...@alien8.de, dave....@linux.intel.com, h...@zytor.com, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, sea...@google.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: ae90f6a6170d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=168d0230580000
kernel config: https://syzkaller.appspot.com/x/.config?x=309bb816d40abc28
dashboard link: https://syzkaller.appspot.com/bug?extid=1522459a74d26b0ac33a
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=158d0230580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f8de40580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1fd044836856/disk-ae90f6a6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a01e01be8aa8/vmlinux-ae90f6a6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b0e73e0cce7/bzImage-ae90f6a6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+152245...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5838 at arch/x86/kvm/x86.c:11215 vcpu_block arch/x86/kvm/x86.c:11215 [inline]
WARNING: CPU: 1 PID: 5838 at arch/x86/kvm/x86.c:11215 vcpu_run+0x872d/0x8900 arch/x86/kvm/x86.c:11259
Modules linked in:
CPU: 1 UID: 0 PID: 5838 Comm: syz-executor929 Not tainted 6.12.0-rc4-syzkaller-00161-gae90f6a6170d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:vcpu_block arch/x86/kvm/x86.c:11215 [inline]
RIP: 0010:vcpu_run+0x872d/0x8900 arch/x86/kvm/x86.c:11259
Code: 48 3b 84 24 e0 04 00 00 0f 85 e5 01 00 00 44 89 f0 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 f4 12 81 00 90 <0f> 0b 90 e9 72 ff ff ff e8 e6 12 81 00 e9 68 ff ff ff e8 dc 12 81
RSP: 0018:ffffc90003c6f480 EFLAGS: 00010293
RAX: ffffffff8113c4cc RBX: 00000000fffffff0 RCX: ffff88802eae8000
RDX: 0000000000000000 RSI: 00000000fffffff0 RDI: 00000000fffffff0
RBP: ffffc90003c6f9b0 R08: ffffffff8113498c R09: 1ffff110069638dc
R10: dffffc0000000000 R11: ffffed10069638dd R12: 1ffff1100691305d
R13: ffff888034898000 R14: ffffffff8e72ae90 R15: ffff888034898038
FS: 00007f148304f6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000781b4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kvm_arch_vcpu_ioctl_run+0xa73/0x19d0 arch/x86/kvm/x86.c:11575
kvm_vcpu_ioctl+0x91a/0xea0 virt/kvm/kvm_main.c:4475
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f14830f9049
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f148304f228 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f1483183358 RCX: 00007f14830f9049
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00007f1483183350 R08: 00007ffe514601c7 R09: 00007f148304f6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f148318335c
R13: 00007f1483150038 R14: 6d766b2f7665642f R15: 00007ffe514601c8
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Dec 10, 2024, 4:38:06 AM
to b...@alien8.de, dave....@linux.intel.com, h...@zytor.com, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, sea...@google.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
syzbot has bisected this issue to:

commit 45405155d876c326da89162b8173b8cc9ab7ed75
Author: Sean Christopherson <sea...@google.com>
Date: Fri Jun 7 17:26:09 2024 +0000

KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11ac34df980000
start commit: ae90f6a6170d Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=13ac34df980000
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac34df980000
Reported-by: syzbot+152245...@syzkaller.appspotmail.com
Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Jan 3, 2026, 3:51:48 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [kvm?] WARNING in vcpu_run
Author: aless...@0x65c.net

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/kvm/kvm.git master

From cbcf01f93bc65d617c35a06fa71b5aea345dc04f Mon Sep 17 00:00:00 2001
From: Alessandro Ratti <aless...@0x65c.net>
Date: Sat, 3 Jan 2026 21:44:23 +0100
Subject: [PATCH] KVM: x86: Handle -EBUSY from nested event check in
vcpu_block()

When a vCPU running in nested guest mode attempts to block (e.g. due to
HLT), kvm_check_nested_events() may return -EBUSY to indicate that a
nested event is pending but cannot be injected immediately, such as
when event delivery is temporarily blocked in the guest.

Currently, vcpu_block() treats this as a generic error and exits to
userspace. This can cause the vCPU to repeatedly block without making
forward progress, delaying nested event injection and potentially
leading to guest hangs under rare timing conditions.

Handle -EBUSY explicitly by returning to the vCPU run loop and retrying
guest entry instead of blocking. This allows nested event delivery to
complete once the temporary blocking condition clears.

This issue was triggered by syzkaller during nested virtualization
stress testing.

Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")
Reported-by: syzbot+152245...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=b646ef310afe5b51ae0372e1de8fdd68baad9eb5
Signed-off-by: Alessandro Ratti <aless...@0x65c.net>
---
arch/x86/kvm/x86.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff8812f3a129..4b2781d61a84 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11596,7 +11596,16 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
if (is_guest_mode(vcpu)) {
int r = kvm_check_nested_events(vcpu);

- WARN_ON_ONCE(r == -EBUSY);
+ /*
+ * -EBUSY indicates a nested event is pending but cannot be
+ * injected immediately (e.g., event delivery is temporarily
+ * blocked). Return to the vCPU run loop to retry guest entry
+ * instead of blocking, which would lose the pending event.
+ * This is a rare race condition, but we must handle
it correctly.
+ */
+ if (r == -EBUSY)
+ return 1;
+
if (r < 0)
return 0;
}
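Review bot: the new comment justifies the change as retrying "instead of blocking, which would lose the pending event", but the only line removed is `WARN_ON_ONCE(r == -EBUSY);` and the context that follows shows -EBUSY then hitting `if (r < 0) return 0;`, i.e. an exit to userspace rather than a block, so both the comment and the changelog's "repeatedly block without making forward progress" should describe the pre-patch behaviour as it actually is. The larger point is that commit 45405155d876 added this WARN specifically to flag a vCPU that received a valid wakeup KVM cannot yet inject; turning it into `return 1` silences that report without saying which nested event and which blocking condition produce -EBUSY after the wakeup, so the changelog should name the concrete scenario and explain why retrying guest entry is correct there and cannot spin if the condition persists ("triggered by syzkaller during stress testing" is not an analysis). Minor: drop "This is a rare race condition, but we must handle it correctly" (kernel comments avoid "we" and it restates the preceding lines), and note that in this archive copy the continuation "it correctly." lacks a `+` prefix, which reads as a wrapped line; keep it on one line in the submitted patch so it applies cleanly.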
--
2.52.0

syzbot

unread,
Jan 3, 2026, 4:46:37 PMJan 3
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [kvm?] WARNING in vcpu_run
Author: aless...@0x65c.net

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 2090baeb71f48c9ad62129bd457a2c3bb5f0ed55 Mon Sep 17 00:00:00 2001
From: Alessandro Ratti <aless...@0x65c.net>
Date: Sat, 3 Jan 2026 22:01:32 +0100
Subject: [PATCH] KVM: x86: Handle -EBUSY from nested event check in
vcpu_block()

When a vCPU running in nested guest mode attempts to block (e.g. due to
HLT), kvm_check_nested_events() may return -EBUSY to indicate that a
nested event is pending but cannot be injected immediately, such as
when event delivery is temporarily blocked in the guest.

Currently, vcpu_block() treats this as a generic error and exits to
userspace. This can cause the vCPU to repeatedly block without making
forward progress, delaying nested event injection and potentially
leading to guest hangs under rare timing conditions.

Handle -EBUSY explicitly by returning to the vCPU run loop and retrying
guest entry instead of blocking. This allows nested event delivery to
complete once the temporary blocking condition clears.

This issue was triggered by syzkaller during nested virtualization
stress testing.

Fixes: 45405155d876 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject")
Reported-by: syzbot+152245...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=b646ef310afe5b51ae0372e1de8fdd68baad9eb5
Signed-off-by: Alessandro Ratti <aless...@0x65c.net>
---
arch/x86/kvm/x86.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ff8812f3a129..d5cf9a7ff8c5 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11596,7 +11596,15 @@ static inline int vcpu_block(struct kvm_vcpu *vcpu)
if (is_guest_mode(vcpu)) {
int r = kvm_check_nested_events(vcpu);

- WARN_ON_ONCE(r == -EBUSY);
+ /*
+ * -EBUSY indicates a nested event is pending but cannot be
+ * injected immediately (e.g., event delivery is temporarily
+ * blocked). Return to the vCPU run loop to retry guest entry
+ * instead of blocking, which would lose the pending event.
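Review bot: the hunk is cut off in the archive after the fourth comment line, so the replacement for the removed WARN_ON_ONCE cannot be reviewed from this copy; what is visible is the same comment as the earlier submission with the "rare race condition" sentence dropped (9 insertions instead of 10, matching the diffstat). The remaining text still presents the pre-patch path as "blocking, which would lose the pending event" while the only removed line is a WARN, and since this resubmission changes only the target tree (torvalds/linux master instead of kvm.git) and the comment length, the changelog still needs to state the concrete scenario in which kvm_check_nested_events() returns -EBUSY after a wakeup and why retrying guest entry is safe in that case rather than a sign of the bug the WARN was meant to catch.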