From nobody Sun Apr 5 18:17:38 2026
Date: Sat, 28 Feb 2026 03:33:27 +0000
In-Reply-To: <20260228033328.2285047-1-chengkev@google.com>
References: <20260228033328.2285047-1-chengkev@google.com>
Message-ID: <20260228033328.2285047-4-chengkev@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog
Subject: [PATCH V4 3/4] KVM: SVM: Recalc instructions intercepts when EFER.SVME is toggled
From: Kevin Cheng
To: seanjc@google.com, pbonzini@redhat.com
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, yosry@kernel.org, Kevin Cheng
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The AMD APM states that VMRUN, VMLOAD, VMSAVE, CLGI, VMMCALL, and INVLPGA instructions should generate a #UD when EFER.SVME is cleared. Currently, when VMLOAD, VMSAVE, or CLGI are executed in L1 with EFER.SVME cleared, no #UD is generated in certain cases. This is because the intercepts for these instructions are cleared based on whether or not vls or vgif is enabled. The #UD fails to be generated when the intercepts are absent.

Fix the missing #UD generation by ensuring that all relevant instructions have intercepts set when SVME.EFER is disabled.

VMMCALL is special because KVM's ABI is that VMCALL/VMMCALL are always supported for L1 and never fault.

Signed-off-by: Kevin Cheng
---
 arch/x86/kvm/svm/svm.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 249bc3efe993a..f8f9b7a124c36 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -244,6 +244,8 @@ int svm_set_efer(struct kvm_vcpu *vcpu, u64 efer) if (svm_gp_erratum_intercept && !sev_guest(vcpu->kvm)) set_exception_intercept(svm, GP_VECTOR); } + + kvm_make_request(KVM_REQ_RECALC_INTERCEPTS, vcpu); } =20 svm->vmcb->save.efer =3D efer | EFER_SVME; 
@@ -1021,6 +1023,7 @@ static bool svm_has_pending_gif_event(struct vcpu_svm= *svm) static void svm_recalc_instruction_intercepts(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm =3D to_svm(vcpu); + u64 efer =3D vcpu->arch.efer; =20 /* * Intercept INVPCID if shadow paging is enabled to sync/free shadow @@ -1045,8 +1048,13 @@ static void svm_recalc_instruction_intercepts(struct= kvm_vcpu *vcpu) * No need to toggle VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK here, it is * always set if vls is enabled. If the intercepts are set, the bit is * meaningless anyway. + * + * Intercept instructions that #UD if EFER.SVME=3D0, as SVME must be set = even + * when running the guest, i.e. hardware will only ever see EFER.SVME=3D1. */ - if (guest_cpuid_is_intel_compatible(vcpu)) { + if (guest_cpuid_is_intel_compatible(vcpu) || !(efer & EFER_SVME)) { + svm_set_intercept(svm, INTERCEPT_CLGI); + svm_set_intercept(svm, INTERCEPT_STGI); svm_set_intercept(svm, INTERCEPT_VMLOAD); svm_set_intercept(svm, INTERCEPT_VMSAVE); } else { --=20 2.53.0.473.g4a7958ca14-goog
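
Review bot: In the svm_set_efer() hunk, the new kvm_make_request(KVM_REQ_RECALC_INTERCEPTS, vcpu) depends on an ordering that nothing in the code states. svm_recalc_instruction_intercepts() takes its value from vcpu->arch.efer (the added "u64 efer = vcpu->arch.efer;"), not from the efer argument that svm_set_efer() receives, so the recalculation is only correct if vcpu->arch.efer already holds the new value by the time the request is serviced. A short comment at the request saying so would protect this against a later reordering.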
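
Review bot: In the last hunk of svm_recalc_instruction_intercepts(), the widened condition does two things the changelog does not mention. The branch that used to set only INTERCEPT_VMLOAD and INTERCEPT_VMSAVE now also sets INTERCEPT_CLGI and INTERCEPT_STGI, so guests matching guest_cpuid_is_intel_compatible() get the CLGI/STGI intercepts as well, independent of EFER.SVME. STGI is also not among the instructions the changelog lists as missing a #UD (VMLOAD, VMSAVE, CLGI). Please state both points in the changelog or in the new comment. The else branch is cut off in the visible context, so it is also worth confirming that it clears the CLGI/STGI intercepts again when EFER.SVME returns to 1 and vgif is in use; otherwise they stay set after a 1 -> 0 -> 1 toggle.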