Date: Thu, 8 Jan 2026 10:58:40 -0800
In-Reply-To: <20251121204803.991707-2-yosry.ahmed@linux.dev>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20251121204803.991707-1-yosry.ahmed@linux.dev> <20251121204803.991707-2-yosry.ahmed@linux.dev>
Subject: Re: [PATCH v3 1/4] KVM: SVM: Allow KVM_SET_NESTED_STATE to clear GIF when SVME==0
From: Sean Christopherson
To: Yosry Ahmed
Cc: Paolo Bonzini, Jim Mattson, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"

On Fri, Nov 21, 2025, Yosry Ahmed wrote:
> From: Jim Mattson
>
> GIF==0 together with EFER.SVME==0 is a valid architectural
> state. Don't return -EINVAL for KVM_SET_NESTED_STATE when this
> combination is specified.
>
> Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
> Signed-off-by: Jim Mattson
> Reviewed-by: Yosry Ahmed
> Signed-off-by: Yosry Ahmed
> ---
> arch/x86/kvm/svm/nested.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
> index c81005b24522..3e4bd8d69788 100644
> --- a/arch/x86/kvm/svm/nested.c
> +++ b/arch/x86/kvm/svm/nested.c
> @@ -1784,8 +1784,8 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu, > * EFER.SVME, but EFER.SVME still has to be 1 for VMRUN to succeed. > */ > if (!(vcpu->arch.efer & EFER_SVME)) { > - /* GIF=1 and no guest mode are required if SVME=0. */ > - if (kvm_state->flags != KVM_STATE_NESTED_GIF_SET) > + /* GUEST_MODE must be clear when SVME==0 */ > + if (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE) Hmm, this is technically wrong, as it will allow KVM_STATE_NESTED_RUN_PENDING. Now, arguably KVM already has a flaw there as KVM allows KVM_STATE_NESTED_RUN_PENDING without KVM_STATE_NESTED_GUEST_MODE for SVME=1, but I'd prefer not to make the hole bigger. The nested if-statement is also unnecessary. How about this instead? (not yet tested) /* * If in guest mode, vcpu->arch.efer actually refers to the L2 guest's * EFER.SVME, but EFER.SVME still has to be 1 for VMRUN to succeed. * If SVME is disabled, the only valid states are "none" and GIF=1 * (clearing SVME does NOT set GIF, i.e. GIF=0 is allowed). */ if (!(vcpu->arch.efer & EFER_SVME) && kvm_state->flags && kvm_state->flags != KVM_STATE_NESTED_GIF_SET) return -EINVAL;
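Review bot: the replacement test at the end of this hunk, `if (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE)`, only rejects the GUEST_MODE bit, so with SVME==0 it now accepts KVM_STATE_NESTED_RUN_PENDING (and any other flag bit) as long as GUEST_MODE is clear, whereas the removed `if (kvm_state->flags != KVM_STATE_NESTED_GIF_SET)` rejected every flag word except GIF=1; the subject only asks to additionally allow GIF=0, so mask out the one permitted bit instead of testing one forbidden bit, e.g. `if (kvm_state->flags & ~KVM_STATE_NESTED_GIF_SET)`, which accepts flags == 0 and flags == GIF_SET and still rejects RUN_PENDING. The new comment `/* GUEST_MODE must be clear when SVME==0 */` also drops the GIF half of the invariant and the trailing period used by the comment just above it in the context; state both halves, e.g. `/* Only GIF (set or clear) is valid if SVME=0: no guest mode, no pending VMRUN. */`.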
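To make the difference between the checks discussed above concrete, here is an added, stand-alone C example (my own, not code from the kernel or from anyone in this thread) that evaluates the pre-patch check, the check as written in the v3 patch, the form proposed in the reply, and an equivalent mask form over every flag word below 0x200 with EFER.SVME clear. The KVM_STATE_NESTED_* bit values and the EFER_SVME bit position are defined locally and assumed to match the x86 uapi and MSR definitions; verify them against your tree. The count column shows exactly how large the accepted set becomes under each variant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Flag bits of struct kvm_nested_state.flags. Values are assumed to match
 * arch/x86/include/uapi/asm/kvm.h; verify against your tree.
 */
#define KVM_STATE_NESTED_GUEST_MODE   0x00000001u
#define KVM_STATE_NESTED_RUN_PENDING  0x00000002u
#define KVM_STATE_NESTED_GIF_SET      0x00000100u

/* EFER.SVME, assumed here to be bit 12 of the EFER MSR. */
#define EFER_SVME (1ULL << 12)

/* Pre-patch check: with SVME=0, only flags == GIF_SET is accepted. */
static bool accept_original(uint64_t efer, uint32_t flags)
{
	if (!(efer & EFER_SVME) && flags != KVM_STATE_NESTED_GIF_SET)
		return false;
	return true;
}

/*
 * Check as written in the v3 patch: only GUEST_MODE is rejected, so
 * RUN_PENDING (and every other non-GUEST_MODE bit) passes with SVME=0.
 */
static bool accept_v3_patch(uint64_t efer, uint32_t flags)
{
	if (!(efer & EFER_SVME) && (flags & KVM_STATE_NESTED_GUEST_MODE))
		return false;
	return true;
}

/* Form proposed in the reply: with SVME=0 only 0 and GIF_SET are valid. */
static bool accept_proposed(uint64_t efer, uint32_t flags)
{
	if (!(efer & EFER_SVME) && flags && flags != KVM_STATE_NESTED_GIF_SET)
		return false;
	return true;
}

/* Equivalent mask form: any bit other than GIF_SET is rejected when SVME=0. */
static bool accept_masked(uint64_t efer, uint32_t flags)
{
	if (!(efer & EFER_SVME) && (flags & ~KVM_STATE_NESTED_GIF_SET))
		return false;
	return true;
}

/*
 * Count how many flag words in [0, limit) a predicate accepts with SVME=0.
 * The size of that set is the size of the hole a too-narrow check opens.
 */
static unsigned int count_accepted(bool (*pred)(uint64_t, uint32_t),
				   uint32_t limit)
{
	unsigned int n = 0;
	uint32_t flags;

	for (flags = 0; flags < limit; flags++)
		if (pred(0, flags))
			n++;
	return n;
}

int main(void)
{
	const struct {
		const char *name;
		bool (*pred)(uint64_t, uint32_t);
	} checks[] = {
		{ "original", accept_original },
		{ "v3 patch", accept_v3_patch },
		{ "proposed", accept_proposed },
		{ "masked",   accept_masked },
	};
	/* Constructed probe words: the combinations the review discusses. */
	const uint32_t probes[] = {
		0,
		KVM_STATE_NESTED_GIF_SET,
		KVM_STATE_NESTED_RUN_PENDING,
		KVM_STATE_NESTED_GIF_SET | KVM_STATE_NESTED_RUN_PENDING,
		KVM_STATE_NESTED_GUEST_MODE,
	};
	size_t i, j;

	printf("%-9s %8s %8s %8s %8s %8s  accepted/512\n", "check",
	       "0", "GIF", "RUN", "GIF|RUN", "GUEST");
	for (i = 0; i < sizeof(checks) / sizeof(checks[0]); i++) {
		printf("%-9s", checks[i].name);
		for (j = 0; j < sizeof(probes) / sizeof(probes[0]); j++)
			printf(" %8s", checks[i].pred(0, probes[j]) ? "ok" : "EINVAL");
		printf("  %u\n", count_accepted(checks[i].pred, 0x200));
	}
	return 0;
}
```

The SVME=1 path is deliberately left unchecked by all four variants, matching the scope of the hunk; the point of the table is that the v3 predicate accepts every word with bit 0 clear, while the proposed and masked forms accept exactly two.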