Re: [PATCH v2 4/6] KVM/x86: Return -errno instead of "1" for VMX related MSR emulation

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Replacing literal `1` with negative error codes (e.g., `-EINVAL`, `-EACCES`) in KVM MSR emulation handlers breaks `#GP` fault injection, causing guest MSR violations to fatally abort the `KVM_RUN` ioctl and crash the VM.
--

commit cd49bcf603dc5dd7de8fce25d5359556bec52252
Author: Juergen Gross <jgross@suse.com>

KVM/x86: Return -errno instead of "1" for VMX related MSR emulation

This commit updates VMX-related MSR emulation handlers to return negative
errno values instead of a literal 1 on error.

> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
[ ... ]
> @@ -2391,12 +2391,12 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>  		break;
>  	case MSR_IA32_UMWAIT_CONTROL:
>  		if (!msr_info->host_initiated && !vmx_has_waitpkg(vmx))
> -			return 1;
> +			return -EINVAL;
>  
>  		/* The reserved bit 1 and non-32 bit [63:32] should be zero */
>  		if (data & (BIT_ULL(1) | GENMASK_ULL(63, 32)))
> -			return 1;
> +			return -EINVAL;

[Severity: Critical]
Does this change break #GP fault injection for guest MSR violations? 

When a guest executes a write to an MSR with invalid data, the handler is 
expected to return 1. This signals __kvm_emulate_wrmsr() to inject a #GP into 
the guest via complete_emulated_msr_access().

If the handler returns a negative error code like -EINVAL, it appears
__kvm_emulate_wrmsr() will instead hit the "if (r < 0) return r;" check.

Won't this propagate the error directly up the call stack, abort the ioctl, and
cause userspace to terminate the guest instead of properly injecting a fault?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260528113605.267111-1-jgross@suse.com?part=4