Thanks for nailing this down for me! One more question: should we be concerned about any guest memory accesses occurring in the preamble to that vcpu_run() call in kvm_arch_vcpu_ioctl_run()? I only see two spots from which an EFAULT could make it to userspace, those being the sync_regs() and cui() calls. The former looks clean, but I'm not sure about the latter. As written, it's not an issue per se if the cui() call tries a vCPU memory access: the kvm_populate_efault_info() helper will just not populate the run struct and WARN_ON_ONCE(). But it would be good to know about.