Commit 783cf7d0 authored by Yosry Ahmed's avatar Yosry Ahmed Committed by Sean Christopherson
Browse files

KVM: SVM: Check EFER.SVME and CPL on #GP intercept of SVM instructions 



When KVM intercepts #GP on an SVM instruction from L2, it checks the
legality of RAX, and injects a #GP if RAX is illegal, or otherwise
synthesizes a #VMEXIT to L1. However, checking EFER.SVME and CPL takes
precedence over both the RAX check and the intercept. Call
nested_svm_check_permissions() first to cover both.

Note that if #GP is intercepted on SVM instruction in L1, the intercept
handlers of VMRUN/VMLOAD/VMSAVE already perform these checks.

Note #2, if KVM does not intercept #GP, the check for EFER.SVME is not
done in the correct order, because KVM handles it by intercepting the
instructions when EFER.SVME=0 and injecting #UD.  However, a #GP
injected by hardware would happen before the instruction intercept,
leading to #GP taking precedence over #UD from the guest's perspective.
Opportunistically add a FIXME for this.

Fixes: 82a11e9c ("KVM: SVM: Add emulation support for #GP triggered by SVM instructions")
Signed-off-by: default avatarYosry Ahmed <yosry@kernel.org>
Link: https://patch.msgid.link/20260316202732.3164936-6-yosry@kernel.org


Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent d2fbeb61

arch/x86/kvm/svm/svm.c

+8 −0
Original line number Diff line number Diff line
@@ -1054,6 +1054,11 @@ static void svm_recalc_instruction_intercepts(struct kvm_vcpu *vcpu) 
	 * No need to toggle any of the vgif/vls/etc. enable bits here, as they

	 * are set when the VMCB is initialized and never cleared (if the

	 * relevant intercepts are set, the enablements are meaningless anyway).

	 *

	 * FIXME: When #GP is not intercepted, a #GP on these instructions (e.g.

	 * due to CPL > 0) could be injected by hardware before the instruction

	 * is intercepted, leading to #GP taking precedence over #UD from the

	 * guest's perspective.

	 */

	if (!(vcpu->arch.efer & EFER_SVME)) {

		svm_set_intercept(svm, INTERCEPT_VMLOAD);
@@ -2294,6 +2299,9 @@ static int gp_interception(struct kvm_vcpu *vcpu) 
		if (!is_guest_mode(vcpu))

			return svm_invoke_exit_handler(vcpu, svm_exit_code);



		if (nested_svm_check_permissions(vcpu))

			return 1;



		if (!page_address_valid(vcpu, kvm_register_read(vcpu, VCPU_REGS_RAX)))

			goto reinject;