Date: Mon, 12 Jan 2026 17:45:34 +0000
In-Reply-To: <20260112174535.3132800-1-chengkev@google.com>
References: <20260112174535.3132800-1-chengkev@google.com>
Message-ID: <20260112174535.3132800-5-chengkev@google.com>
Subject: [PATCH V2 4/5] KVM: SVM: Recalc instructions intercepts when EFER.SVME is toggled
From: Kevin Cheng
To: seanjc@google.com, pbonzini@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, yosry.ahmed@linux.dev, Kevin Cheng

The AMD APM states that VMRUN, VMLOAD, VMSAVE, CLGI, VMMCALL, and INVLPGA instructions should generate a #UD when EFER.SVME is cleared. Currently, when VMLOAD, VMSAVE, or CLGI are executed in L1 with EFER.SVME cleared, no #UD is generated in certain cases. This is because the intercepts for these instructions are cleared based on whether or not vls or vgif is enabled. The #UD fails to be generated when the intercepts are absent.

Fix the missing #UD generation by ensuring that all relevant instructions have intercepts set when SVME.EFER is disabled.

VMMCALL is special because KVM's ABI is that VMCALL/VMMCALL are always supported for L1 and never fault.

Signed-off-by: Kevin Cheng
--- arch/x86/kvm/svm/svm.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 92a2faff1ccc8..92a66b62cfabd 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -243,6 +243,8 @@ int svm_set_efer(struct kvm_vcpu *vcpu, u64 efer) if (svm_gp_erratum_intercept && !sev_guest(vcpu->kvm)) set_exception_intercept(svm, GP_VECTOR); } + + kvm_make_request(KVM_REQ_RECALC_INTERCEPTS, vcpu); } =20 svm->vmcb->save.efer =3D efer | EFER_SVME; 
@@ -976,6 +978,7 @@ void svm_write_tsc_multiplier(struct kvm_vcpu *vcpu) static void svm_recalc_instruction_intercepts(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); + u64 efer =3D vcpu->arch.efer; =20 /* * Intercept INVPCID if shadow paging is enabled to sync/free shadow @@ -996,7 +999,13 @@ static void svm_recalc_instruction_intercepts(struct k= vm_vcpu *vcpu) svm_set_intercept(svm, INTERCEPT_RDTSCP); } =20 - if (guest_cpuid_is_intel_compatible(vcpu)) { + /* + * Intercept instructions that #UD if EFER.SVME=3D0, as SVME must be set = even + * when running the guest, i.e. hardware will only ever see EFER.SVME=3D1. + */ + if (guest_cpuid_is_intel_compatible(vcpu) || !(efer & EFER_SVME)) { + svm_set_intercept(svm, INTERCEPT_CLGI); + svm_set_intercept(svm, INTERCEPT_STGI); svm_set_intercept(svm, INTERCEPT_VMLOAD); svm_set_intercept(svm, INTERCEPT_VMSAVE); svm->vmcb->control.virt_ext &=3D ~VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK; --=20 2.52.0.457.g6b5491de43-goog
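
Review bot: In the svm_set_efer() hunk (@@ -243,6 +243,8 @@), the added kvm_make_request(KVM_REQ_RECALC_INTERCEPTS, vcpu) has no comment saying why an intercept recalculation is needed at this point, and the condition of the block it lands in is outside the visible context. A one-line comment that the instruction intercepts now depend on EFER.SVME would make the dependency obvious to the next reader. Because the request is deferred and svm_recalc_instruction_intercepts() reads vcpu->arch.efer, it is also worth confirming that vcpu->arch.efer already holds the new value on every path that reaches this line.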
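
Review bot: In the @@ -976,6 +978,7 @@ hunk, the new local "u64 efer = vcpu->arch.efer;" is read only once in this patch, in the !(efer & EFER_SVME) test. Testing vcpu->arch.efer & EFER_SVME directly at that point would avoid the extra declaration at the top of svm_recalc_instruction_intercepts().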
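
Review bot: In the @@ -996,7 +999,13 @@ hunk, the branch now sets INTERCEPT_CLGI and INTERCEPT_STGI, but nothing in the visible lines clears them again once EFER.SVME returns to 1. The only undo state touched here is VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK, so if the other branch restores only VMLOAD/VMSAVE, a guest that was running with vgif would keep exiting on CLGI/STGI after toggling SVME off and on. Please either clear the two intercepts on the re-enable path when vgif is in use or state why leaving them set is intended. Two documentation points on the same lines: the commit message lists CLGI but not STGI, so the reason for intercepting STGI should be stated, and the new comment describes only the EFER.SVME=0 case although the condition also covers guest_cpuid_is_intel_compatible(), which now gains the CLGI/STGI intercepts as well.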