Currently, the virq_inject test advances guest RIP regardless of what instruction caused the nested VM exit. This is an issue when INTERCEPT_VINTR is set and sti_nop_cli() is called in L2 with a pending interrupt. The vmcb save rip will point to the nop instruction on exit due to a one-instruction interrupt shadow. The unconditional advance of the guest rip will move it three bytes, which is past the entire sti_nop_cli() call. This produces some unintended/inconsistent behavior, including test failures.

Only advance the guest rip if the exiting instruction was vmmcall().

Signed-off-by: Kevin Cheng
---
 x86/svm_tests.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/x86/svm_tests.c b/x86/svm_tests.c
index 3761647642542..11d0e3d39f5ba 100644
--- a/x86/svm_tests.c
+++ b/x86/svm_tests.c
@@ -1790,7 +1790,9 @@ static void virq_inject_test(struct svm_test *test)
 static bool virq_inject_finished(struct svm_test *test)
 {
-	vmcb->save.rip += 3;
+	/* Only jump over VMMCALL instruction */
+	if (vmcb->control.exit_code == SVM_EXIT_VMMCALL)
+		vmcb->save.rip += 3;
 
 	switch (get_test_stage(test)) {
 	case 0:
-- 
2.52.0.322.g1dd061c0dc-goog
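Review bot: the magic number in `vmcb->save.rip += 3;` is still unexplained in the hunk; since the new guard ties the advance to SVM_EXIT_VMMCALL, the comment above it should say that 3 is the encoded length of VMMCALL (0F 01 D9), e.g. `/* Skip the 3-byte VMMCALL that caused this exit */`, so a reader does not have to infer it from the exit-code check. It is also worth stating in the commit message (or a comment) that on every other exit code, including the VINTR exit the message describes, guest RIP is now deliberately left untouched and L2 resumes at the faulting/intercepted instruction; the `switch` on get_test_stage() below is unchanged, so any stage that previously relied on the unconditional +3 after a non-VMMCALL exit should be checked against this new behavior.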