KVM: SVM: Allow KVM_SET_NESTED_STATE to clear GIF when SVME==0

GIF==0 together with EFER.SVME==0 is a valid architectural
state. Don't return -EINVAL for KVM_SET_NESTED_STATE when this
combination is specified.

Fixes: cc440cdad5b7 ("KVM: nSVM: implement KVM_GET_NESTED_STATE and KVM_SET_NESTED_STATE")
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251121204803.991707-2-yosry.ahmed@linux.dev
[sean: disallow KVM_STATE_NESTED_RUN_PENDING with SVME=0]
Signed-off-by: Sean Christopherson <seanjc@google.com>

diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index 47e8ce7d360a7d14c9965845378a8029dcb851de..5b741f8ed170985f8352098cf239c368ef5b407d 100644 (file)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1821,12 +1821,12 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu,
        /*
         * If in guest mode, vcpu->arch.efer actually refers to the L2 guest's
         * EFER.SVME, but EFER.SVME still has to be 1 for VMRUN to succeed.
+        * If SVME is disabled, the only valid states are "none" and GIF=1
+        * (clearing SVME does NOT set GIF, i.e. GIF=0 is allowed).
         */
-       if (!(vcpu->arch.efer & EFER_SVME)) {
-               /* GIF=1 and no guest mode are required if SVME=0.  */
-               if (kvm_state->flags != KVM_STATE_NESTED_GIF_SET)
-                       return -EINVAL;
-       }
+       if (!(vcpu->arch.efer & EFER_SVME) && kvm_state->flags &&
+           kvm_state->flags != KVM_STATE_NESTED_GIF_SET)
+               return -EINVAL;
 
        /* SMM temporarily disables SVM, so we cannot be in guest mode.  */
        if (is_smm(vcpu) && (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE))