HMVMXR0.cpp@ 58118

Last change on this file since 58118 was 58118, checked in by vboxsync, 9 years ago
VMM,GIM: Made the order of RIP update on hypercalls consistent. Removed redundant DBGFIsStepping() in VMX/SVM R0 code and fixed a couple of places where pending debug exceptions weren't being handled properly.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 505.5 KB

Line
1	/* $Id: HMVMXR0.cpp 58118 2015-10-08 16:04:59Z vboxsync $ */
2	/** @file
3	* HM VMX (Intel VT-x) - Host Context Ring-0.
4	*/
5
6	/*
7	* Copyright (C) 2012-2015 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18
19	/*********************************************************************************************************************************
20	* Header Files *
21	*********************************************************************************************************************************/
22	#define LOG_GROUP LOG_GROUP_HM
23	#include <iprt/x86.h>
24	#include <iprt/asm-amd64-x86.h>
25	#include <iprt/thread.h>
26
27	#include <VBox/vmm/pdmapi.h>
28	#include <VBox/vmm/dbgf.h>
29	#include <VBox/vmm/iem.h>
30	#include <VBox/vmm/iom.h>
31	#include <VBox/vmm/selm.h>
32	#include <VBox/vmm/tm.h>
33	#include <VBox/vmm/gim.h>
34	#ifdef VBOX_WITH_REM
35	# include <VBox/vmm/rem.h>
36	#endif
37	#include "HMInternal.h"
38	#include <VBox/vmm/vm.h>
39	#include "HMVMXR0.h"
40	#include "dtrace/VBoxVMM.h"
41
42	#ifdef DEBUG_ramshankar
43	# define HMVMX_ALWAYS_SAVE_GUEST_RFLAGS
44	# define HMVMX_ALWAYS_SAVE_FULL_GUEST_STATE
45	# define HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE
46	# define HMVMX_ALWAYS_CHECK_GUEST_STATE
47	# define HMVMX_ALWAYS_TRAP_ALL_XCPTS
48	# define HMVMX_ALWAYS_TRAP_PF
49	# define HMVMX_ALWAYS_SWAP_FPU_STATE
50	# define HMVMX_ALWAYS_FLUSH_TLB
51	# define HMVMX_ALWAYS_SWAP_EFER
52	#endif
53
54
55	/*********************************************************************************************************************************
56	* Defined Constants And Macros *
57	*********************************************************************************************************************************/
58	/** Use the function table. */
59	#define HMVMX_USE_FUNCTION_TABLE
60
61	/** Determine which tagged-TLB flush handler to use. */
62	#define HMVMX_FLUSH_TAGGED_TLB_EPT_VPID 0
63	#define HMVMX_FLUSH_TAGGED_TLB_EPT 1
64	#define HMVMX_FLUSH_TAGGED_TLB_VPID 2
65	#define HMVMX_FLUSH_TAGGED_TLB_NONE 3
66
67	/** @name Updated-guest-state flags.
68	* @{ */
69	#define HMVMX_UPDATED_GUEST_RIP RT_BIT(0)
70	#define HMVMX_UPDATED_GUEST_RSP RT_BIT(1)
71	#define HMVMX_UPDATED_GUEST_RFLAGS RT_BIT(2)
72	#define HMVMX_UPDATED_GUEST_CR0 RT_BIT(3)
73	#define HMVMX_UPDATED_GUEST_CR3 RT_BIT(4)
74	#define HMVMX_UPDATED_GUEST_CR4 RT_BIT(5)
75	#define HMVMX_UPDATED_GUEST_GDTR RT_BIT(6)
76	#define HMVMX_UPDATED_GUEST_IDTR RT_BIT(7)
77	#define HMVMX_UPDATED_GUEST_LDTR RT_BIT(8)
78	#define HMVMX_UPDATED_GUEST_TR RT_BIT(9)
79	#define HMVMX_UPDATED_GUEST_SEGMENT_REGS RT_BIT(10)
80	#define HMVMX_UPDATED_GUEST_DEBUG RT_BIT(11)
81	#define HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR RT_BIT(12)
82	#define HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR RT_BIT(13)
83	#define HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR RT_BIT(14)
84	#define HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS RT_BIT(15)
85	#define HMVMX_UPDATED_GUEST_LAZY_MSRS RT_BIT(16)
86	#define HMVMX_UPDATED_GUEST_ACTIVITY_STATE RT_BIT(17)
87	#define HMVMX_UPDATED_GUEST_INTR_STATE RT_BIT(18)
88	#define HMVMX_UPDATED_GUEST_APIC_STATE RT_BIT(19)
89	#define HMVMX_UPDATED_GUEST_ALL ( HMVMX_UPDATED_GUEST_RIP \
90	\| HMVMX_UPDATED_GUEST_RSP \
91	\| HMVMX_UPDATED_GUEST_RFLAGS \
92	\| HMVMX_UPDATED_GUEST_CR0 \
93	\| HMVMX_UPDATED_GUEST_CR3 \
94	\| HMVMX_UPDATED_GUEST_CR4 \
95	\| HMVMX_UPDATED_GUEST_GDTR \
96	\| HMVMX_UPDATED_GUEST_IDTR \
97	\| HMVMX_UPDATED_GUEST_LDTR \
98	\| HMVMX_UPDATED_GUEST_TR \
99	\| HMVMX_UPDATED_GUEST_SEGMENT_REGS \
100	\| HMVMX_UPDATED_GUEST_DEBUG \
101	\| HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR \
102	\| HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR \
103	\| HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR \
104	\| HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS \
105	\| HMVMX_UPDATED_GUEST_LAZY_MSRS \
106	\| HMVMX_UPDATED_GUEST_ACTIVITY_STATE \
107	\| HMVMX_UPDATED_GUEST_INTR_STATE \
108	\| HMVMX_UPDATED_GUEST_APIC_STATE)
109	/** @} */
110
111	/** @name
112	* Flags to skip redundant reads of some common VMCS fields that are not part of
113	* the guest-CPU state but are in the transient structure.
114	*/
115	#define HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO RT_BIT(0)
116	#define HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE RT_BIT(1)
117	#define HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION RT_BIT(2)
118	#define HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN RT_BIT(3)
119	#define HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO RT_BIT(4)
120	#define HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE RT_BIT(5)
121	#define HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO RT_BIT(6)
122	/** @} */
123
124	/** @name
125	* States of the VMCS.
126	*
127	* This does not reflect all possible VMCS states but currently only those
128	* needed for maintaining the VMCS consistently even when thread-context hooks
129	* are used. Maybe later this can be extended (i.e. Nested Virtualization).
130	*/
131	#define HMVMX_VMCS_STATE_CLEAR RT_BIT(0)
132	#define HMVMX_VMCS_STATE_ACTIVE RT_BIT(1)
133	#define HMVMX_VMCS_STATE_LAUNCHED RT_BIT(2)
134	/** @} */
135
136	/**
137	* Exception bitmap mask for real-mode guests (real-on-v86).
138	*
139	* We need to intercept all exceptions manually except:
140	* - \#NM, \#MF handled in hmR0VmxLoadSharedCR0().
141	* - \#DB handled in hmR0VmxLoadSharedDebugState().
142	* - \#PF need not be intercepted even in real-mode if we have Nested Paging
143	* support.
144	*/
145	#define HMVMX_REAL_MODE_XCPT_MASK ( RT_BIT(X86_XCPT_DE) /* RT_BIT(X86_XCPT_DB) */ \| RT_BIT(X86_XCPT_NMI) \
146	\| RT_BIT(X86_XCPT_BP) \| RT_BIT(X86_XCPT_OF) \| RT_BIT(X86_XCPT_BR) \
147	\| RT_BIT(X86_XCPT_UD) /* RT_BIT(X86_XCPT_NM) */ \| RT_BIT(X86_XCPT_DF) \
148	\| RT_BIT(X86_XCPT_CO_SEG_OVERRUN) \| RT_BIT(X86_XCPT_TS) \| RT_BIT(X86_XCPT_NP) \
149	\| RT_BIT(X86_XCPT_SS) \| RT_BIT(X86_XCPT_GP) /* RT_BIT(X86_XCPT_PF) */ \
150	/* RT_BIT(X86_XCPT_MF) */ \| RT_BIT(X86_XCPT_AC) \| RT_BIT(X86_XCPT_MC) \
151	\| RT_BIT(X86_XCPT_XF))
152
153	/**
154	* Exception bitmap mask for all contributory exceptions.
155	*
156	* Page fault is deliberately excluded here as it's conditional as to whether
157	* it's contributory or benign. Page faults are handled separately.
158	*/
159	#define HMVMX_CONTRIBUTORY_XCPT_MASK ( RT_BIT(X86_XCPT_GP) \| RT_BIT(X86_XCPT_NP) \| RT_BIT(X86_XCPT_SS) \| RT_BIT(X86_XCPT_TS) \
160	\| RT_BIT(X86_XCPT_DE))
161
162	/** Maximum VM-instruction error number. */
163	#define HMVMX_INSTR_ERROR_MAX 28
164
165	/** Profiling macro. */
166	#ifdef HM_PROFILE_EXIT_DISPATCH
167	# define HMVMX_START_EXIT_DISPATCH_PROF() STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitDispatch, ed)
168	# define HMVMX_STOP_EXIT_DISPATCH_PROF() STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitDispatch, ed)
169	#else
170	# define HMVMX_START_EXIT_DISPATCH_PROF() do { } while (0)
171	# define HMVMX_STOP_EXIT_DISPATCH_PROF() do { } while (0)
172	#endif
173
174	/** Assert that preemption is disabled or covered by thread-context hooks. */
175	#define HMVMX_ASSERT_PREEMPT_SAFE() Assert( VMMR0ThreadCtxHookIsEnabled(pVCpu) \
176	\|\| !RTThreadPreemptIsEnabled(NIL_RTTHREAD));
177
178	/** Assert that we haven't migrated CPUs when thread-context hooks are not
179	* used. */
180	#define HMVMX_ASSERT_CPU_SAFE() AssertMsg( VMMR0ThreadCtxHookIsEnabled(pVCpu) \
181	\|\| pVCpu->hm.s.idEnteredCpu == RTMpCpuId(), \
182	("Illegal migration! Entered on CPU %u Current %u\n", \
183	pVCpu->hm.s.idEnteredCpu, RTMpCpuId())); \
184
185	/** Helper macro for VM-exit handlers called unexpectedly. */
186	#define HMVMX_RETURN_UNEXPECTED_EXIT() \
187	do { \
188	pVCpu->hm.s.u32HMError = pVmxTransient->uExitReason; \
189	return VERR_VMX_UNEXPECTED_EXIT; \
190	} while (0)
191
192
193	/*********************************************************************************************************************************
194	* Structures and Typedefs *
195	*********************************************************************************************************************************/
196	/**
197	* VMX transient state.
198	*
199	* A state structure for holding miscellaneous information across
200	* VMX non-root operation and restored after the transition.
201	*/
202	typedef struct VMXTRANSIENT
203	{
204	/** The host's rflags/eflags. */
205	RTCCUINTREG fEFlags;
206	#if HC_ARCH_BITS == 32
207	uint32_t u32Alignment0;
208	#endif
209	/** The guest's TPR value used for TPR shadowing. */
210	uint8_t u8GuestTpr;
211	/** Alignment. */
212	uint8_t abAlignment0[7];
213
214	/** The basic VM-exit reason. */
215	uint16_t uExitReason;
216	/** Alignment. */
217	uint16_t u16Alignment0;
218	/** The VM-exit interruption error code. */
219	uint32_t uExitIntErrorCode;
220	/** The VM-exit exit code qualification. */
221	uint64_t uExitQualification;
222
223	/** The VM-exit interruption-information field. */
224	uint32_t uExitIntInfo;
225	/** The VM-exit instruction-length field. */
226	uint32_t cbInstr;
227	/** The VM-exit instruction-information field. */
228	union
229	{
230	/** Plain unsigned int representation. */
231	uint32_t u;
232	/** INS and OUTS information. */
233	struct
234	{
235	uint32_t u6Reserved0 : 7;
236	/** The address size; 0=16-bit, 1=32-bit, 2=64-bit, rest undefined. */
237	uint32_t u3AddrSize : 3;
238	uint32_t u5Reserved1 : 5;
239	/** The segment register (X86_SREG_XXX). */
240	uint32_t iSegReg : 3;
241	uint32_t uReserved2 : 14;
242	} StrIo;
243	} ExitInstrInfo;
244	/** Whether the VM-entry failed or not. */
245	bool fVMEntryFailed;
246	/** Alignment. */
247	uint8_t abAlignment1[3];
248
249	/** The VM-entry interruption-information field. */
250	uint32_t uEntryIntInfo;
251	/** The VM-entry exception error code field. */
252	uint32_t uEntryXcptErrorCode;
253	/** The VM-entry instruction length field. */
254	uint32_t cbEntryInstr;
255
256	/** IDT-vectoring information field. */
257	uint32_t uIdtVectoringInfo;
258	/** IDT-vectoring error code. */
259	uint32_t uIdtVectoringErrorCode;
260
261	/** Mask of currently read VMCS fields; HMVMX_UPDATED_TRANSIENT_. /
262	uint32_t fVmcsFieldsRead;
263
264	/** Whether the guest FPU was active at the time of VM-exit. */
265	bool fWasGuestFPUStateActive;
266	/** Whether the guest debug state was active at the time of VM-exit. */
267	bool fWasGuestDebugStateActive;
268	/** Whether the hyper debug state was active at the time of VM-exit. */
269	bool fWasHyperDebugStateActive;
270	/** Whether TSC-offsetting should be setup before VM-entry. */
271	bool fUpdateTscOffsettingAndPreemptTimer;
272	/** Whether the VM-exit was caused by a page-fault during delivery of a
273	* contributory exception or a page-fault. */
274	bool fVectoringDoublePF;
275	/** Whether the VM-exit was caused by a page-fault during delivery of an
276	* external interrupt or NMI. */
277	bool fVectoringPF;
278	} VMXTRANSIENT;
279	AssertCompileMemberAlignment(VMXTRANSIENT, uExitReason, sizeof(uint64_t));
280	AssertCompileMemberAlignment(VMXTRANSIENT, uExitIntInfo, sizeof(uint64_t));
281	AssertCompileMemberAlignment(VMXTRANSIENT, uEntryIntInfo, sizeof(uint64_t));
282	AssertCompileMemberAlignment(VMXTRANSIENT, fWasGuestFPUStateActive, sizeof(uint64_t));
283	AssertCompileMemberSize(VMXTRANSIENT, ExitInstrInfo, sizeof(uint32_t));
284	/** Pointer to VMX transient state. */
285	typedef VMXTRANSIENT *PVMXTRANSIENT;
286
287
288	/**
289	* MSR-bitmap read permissions.
290	*/
291	typedef enum VMXMSREXITREAD
292	{
293	/** Reading this MSR causes a VM-exit. */
294	VMXMSREXIT_INTERCEPT_READ = 0xb,
295	/** Reading this MSR does not cause a VM-exit. */
296	VMXMSREXIT_PASSTHRU_READ
297	} VMXMSREXITREAD;
298	/** Pointer to MSR-bitmap read permissions. */
299	typedef VMXMSREXITREAD* PVMXMSREXITREAD;
300
301	/**
302	* MSR-bitmap write permissions.
303	*/
304	typedef enum VMXMSREXITWRITE
305	{
306	/** Writing to this MSR causes a VM-exit. */
307	VMXMSREXIT_INTERCEPT_WRITE = 0xd,
308	/** Writing to this MSR does not cause a VM-exit. */
309	VMXMSREXIT_PASSTHRU_WRITE
310	} VMXMSREXITWRITE;
311	/** Pointer to MSR-bitmap write permissions. */
312	typedef VMXMSREXITWRITE* PVMXMSREXITWRITE;
313
314
315	/**
316	* VMX VM-exit handler.
317	*
318	* @returns VBox status code.
319	* @param pVCpu Pointer to the VMCPU.
320	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
321	* out-of-sync. Make sure to update the required
322	* fields before using them.
323	* @param pVmxTransient Pointer to the VMX-transient structure.
324	*/
325	#ifndef HMVMX_USE_FUNCTION_TABLE
326	typedef int FNVMXEXITHANDLER(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
327	#else
328	typedef DECLCALLBACK(int) FNVMXEXITHANDLER(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
329	/** Pointer to VM-exit handler. */
330	typedef FNVMXEXITHANDLER *PFNVMXEXITHANDLER;
331	#endif
332
333
334	/*********************************************************************************************************************************
335	* Internal Functions *
336	*********************************************************************************************************************************/
337	static void hmR0VmxFlushEpt(PVMCPU pVCpu, VMXFLUSHEPT enmFlush);
338	static void hmR0VmxFlushVpid(PVM pVM, PVMCPU pVCpu, VMXFLUSHVPID enmFlush, RTGCPTR GCPtr);
339	static void hmR0VmxClearIntNmiWindowsVmcs(PVMCPU pVCpu);
340	static int hmR0VmxInjectEventVmcs(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint64_t u64IntInfo, uint32_t cbInstr,
341	uint32_t u32ErrCode, RTGCUINTREG GCPtrFaultAddress,
342	bool fStepping, uint32_t *puIntState);
343	#if HC_ARCH_BITS == 32
344	static int hmR0VmxInitVmcsReadCache(PVM pVM, PVMCPU pVCpu);
345	#endif
346	#ifndef HMVMX_USE_FUNCTION_TABLE
347	DECLINLINE(int) hmR0VmxHandleExit(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, uint32_t rcReason);
348	# define HMVMX_EXIT_DECL static int
349	#else
350	# define HMVMX_EXIT_DECL static DECLCALLBACK(int)
351	#endif
352	DECLINLINE(VBOXSTRICTRC) hmR0VmxHandleExitStep(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient,
353	uint32_t uExitReason, uint16_t uCsStart, uint64_t uRipStart);
354
355	/** @name VM-exit handlers.
356	* @{
357	*/
358	static FNVMXEXITHANDLER hmR0VmxExitXcptOrNmi;
359	static FNVMXEXITHANDLER hmR0VmxExitExtInt;
360	static FNVMXEXITHANDLER hmR0VmxExitTripleFault;
361	static FNVMXEXITHANDLER hmR0VmxExitInitSignal;
362	static FNVMXEXITHANDLER hmR0VmxExitSipi;
363	static FNVMXEXITHANDLER hmR0VmxExitIoSmi;
364	static FNVMXEXITHANDLER hmR0VmxExitSmi;
365	static FNVMXEXITHANDLER hmR0VmxExitIntWindow;
366	static FNVMXEXITHANDLER hmR0VmxExitNmiWindow;
367	static FNVMXEXITHANDLER hmR0VmxExitTaskSwitch;
368	static FNVMXEXITHANDLER hmR0VmxExitCpuid;
369	static FNVMXEXITHANDLER hmR0VmxExitGetsec;
370	static FNVMXEXITHANDLER hmR0VmxExitHlt;
371	static FNVMXEXITHANDLER hmR0VmxExitInvd;
372	static FNVMXEXITHANDLER hmR0VmxExitInvlpg;
373	static FNVMXEXITHANDLER hmR0VmxExitRdpmc;
374	static FNVMXEXITHANDLER hmR0VmxExitVmcall;
375	static FNVMXEXITHANDLER hmR0VmxExitRdtsc;
376	static FNVMXEXITHANDLER hmR0VmxExitRsm;
377	static FNVMXEXITHANDLER hmR0VmxExitSetPendingXcptUD;
378	static FNVMXEXITHANDLER hmR0VmxExitMovCRx;
379	static FNVMXEXITHANDLER hmR0VmxExitMovDRx;
380	static FNVMXEXITHANDLER hmR0VmxExitIoInstr;
381	static FNVMXEXITHANDLER hmR0VmxExitRdmsr;
382	static FNVMXEXITHANDLER hmR0VmxExitWrmsr;
383	static FNVMXEXITHANDLER hmR0VmxExitErrInvalidGuestState;
384	static FNVMXEXITHANDLER hmR0VmxExitErrMsrLoad;
385	static FNVMXEXITHANDLER hmR0VmxExitErrUndefined;
386	static FNVMXEXITHANDLER hmR0VmxExitMwait;
387	static FNVMXEXITHANDLER hmR0VmxExitMtf;
388	static FNVMXEXITHANDLER hmR0VmxExitMonitor;
389	static FNVMXEXITHANDLER hmR0VmxExitPause;
390	static FNVMXEXITHANDLER hmR0VmxExitErrMachineCheck;
391	static FNVMXEXITHANDLER hmR0VmxExitTprBelowThreshold;
392	static FNVMXEXITHANDLER hmR0VmxExitApicAccess;
393	static FNVMXEXITHANDLER hmR0VmxExitXdtrAccess;
394	static FNVMXEXITHANDLER hmR0VmxExitXdtrAccess;
395	static FNVMXEXITHANDLER hmR0VmxExitEptViolation;
396	static FNVMXEXITHANDLER hmR0VmxExitEptMisconfig;
397	static FNVMXEXITHANDLER hmR0VmxExitRdtscp;
398	static FNVMXEXITHANDLER hmR0VmxExitPreemptTimer;
399	static FNVMXEXITHANDLER hmR0VmxExitWbinvd;
400	static FNVMXEXITHANDLER hmR0VmxExitXsetbv;
401	static FNVMXEXITHANDLER hmR0VmxExitRdrand;
402	static FNVMXEXITHANDLER hmR0VmxExitInvpcid;
403	/** @} */
404
405	static int hmR0VmxExitXcptNM(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
406	static int hmR0VmxExitXcptPF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
407	static int hmR0VmxExitXcptMF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
408	static int hmR0VmxExitXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
409	static int hmR0VmxExitXcptBP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
410	static int hmR0VmxExitXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
411	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
412	static int hmR0VmxExitXcptGeneric(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient);
413	#endif
414	static uint32_t hmR0VmxCheckGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx);
415
416
417	/*********************************************************************************************************************************
418	* Global Variables *
419	*********************************************************************************************************************************/
420	#ifdef HMVMX_USE_FUNCTION_TABLE
421
422	/**
423	* VMX_EXIT dispatch table.
424	*/
425	static const PFNVMXEXITHANDLER g_apfnVMExitHandlers[VMX_EXIT_MAX + 1] =
426	{
427	/* 00 VMX_EXIT_XCPT_OR_NMI */ hmR0VmxExitXcptOrNmi,
428	/* 01 VMX_EXIT_EXT_INT */ hmR0VmxExitExtInt,
429	/* 02 VMX_EXIT_TRIPLE_FAULT */ hmR0VmxExitTripleFault,
430	/* 03 VMX_EXIT_INIT_SIGNAL */ hmR0VmxExitInitSignal,
431	/* 04 VMX_EXIT_SIPI */ hmR0VmxExitSipi,
432	/* 05 VMX_EXIT_IO_SMI */ hmR0VmxExitIoSmi,
433	/* 06 VMX_EXIT_SMI */ hmR0VmxExitSmi,
434	/* 07 VMX_EXIT_INT_WINDOW */ hmR0VmxExitIntWindow,
435	/* 08 VMX_EXIT_NMI_WINDOW */ hmR0VmxExitNmiWindow,
436	/* 09 VMX_EXIT_TASK_SWITCH */ hmR0VmxExitTaskSwitch,
437	/* 10 VMX_EXIT_CPUID */ hmR0VmxExitCpuid,
438	/* 11 VMX_EXIT_GETSEC */ hmR0VmxExitGetsec,
439	/* 12 VMX_EXIT_HLT */ hmR0VmxExitHlt,
440	/* 13 VMX_EXIT_INVD */ hmR0VmxExitInvd,
441	/* 14 VMX_EXIT_INVLPG */ hmR0VmxExitInvlpg,
442	/* 15 VMX_EXIT_RDPMC */ hmR0VmxExitRdpmc,
443	/* 16 VMX_EXIT_RDTSC */ hmR0VmxExitRdtsc,
444	/* 17 VMX_EXIT_RSM */ hmR0VmxExitRsm,
445	/* 18 VMX_EXIT_VMCALL */ hmR0VmxExitVmcall,
446	/* 19 VMX_EXIT_VMCLEAR */ hmR0VmxExitSetPendingXcptUD,
447	/* 20 VMX_EXIT_VMLAUNCH */ hmR0VmxExitSetPendingXcptUD,
448	/* 21 VMX_EXIT_VMPTRLD */ hmR0VmxExitSetPendingXcptUD,
449	/* 22 VMX_EXIT_VMPTRST */ hmR0VmxExitSetPendingXcptUD,
450	/* 23 VMX_EXIT_VMREAD */ hmR0VmxExitSetPendingXcptUD,
451	/* 24 VMX_EXIT_VMRESUME */ hmR0VmxExitSetPendingXcptUD,
452	/* 25 VMX_EXIT_VMWRITE */ hmR0VmxExitSetPendingXcptUD,
453	/* 26 VMX_EXIT_VMXOFF */ hmR0VmxExitSetPendingXcptUD,
454	/* 27 VMX_EXIT_VMXON */ hmR0VmxExitSetPendingXcptUD,
455	/* 28 VMX_EXIT_MOV_CRX */ hmR0VmxExitMovCRx,
456	/* 29 VMX_EXIT_MOV_DRX */ hmR0VmxExitMovDRx,
457	/* 30 VMX_EXIT_IO_INSTR */ hmR0VmxExitIoInstr,
458	/* 31 VMX_EXIT_RDMSR */ hmR0VmxExitRdmsr,
459	/* 32 VMX_EXIT_WRMSR */ hmR0VmxExitWrmsr,
460	/* 33 VMX_EXIT_ERR_INVALID_GUEST_STATE */ hmR0VmxExitErrInvalidGuestState,
461	/* 34 VMX_EXIT_ERR_MSR_LOAD */ hmR0VmxExitErrMsrLoad,
462	/* 35 UNDEFINED */ hmR0VmxExitErrUndefined,
463	/* 36 VMX_EXIT_MWAIT */ hmR0VmxExitMwait,
464	/* 37 VMX_EXIT_MTF */ hmR0VmxExitMtf,
465	/* 38 UNDEFINED */ hmR0VmxExitErrUndefined,
466	/* 39 VMX_EXIT_MONITOR */ hmR0VmxExitMonitor,
467	/* 40 UNDEFINED */ hmR0VmxExitPause,
468	/* 41 VMX_EXIT_PAUSE */ hmR0VmxExitErrMachineCheck,
469	/* 42 VMX_EXIT_ERR_MACHINE_CHECK */ hmR0VmxExitErrUndefined,
470	/* 43 VMX_EXIT_TPR_BELOW_THRESHOLD */ hmR0VmxExitTprBelowThreshold,
471	/* 44 VMX_EXIT_APIC_ACCESS */ hmR0VmxExitApicAccess,
472	/* 45 UNDEFINED */ hmR0VmxExitErrUndefined,
473	/* 46 VMX_EXIT_XDTR_ACCESS */ hmR0VmxExitXdtrAccess,
474	/* 47 VMX_EXIT_TR_ACCESS */ hmR0VmxExitXdtrAccess,
475	/* 48 VMX_EXIT_EPT_VIOLATION */ hmR0VmxExitEptViolation,
476	/* 49 VMX_EXIT_EPT_MISCONFIG */ hmR0VmxExitEptMisconfig,
477	/* 50 VMX_EXIT_INVEPT */ hmR0VmxExitSetPendingXcptUD,
478	/* 51 VMX_EXIT_RDTSCP */ hmR0VmxExitRdtscp,
479	/* 52 VMX_EXIT_PREEMPT_TIMER */ hmR0VmxExitPreemptTimer,
480	/* 53 VMX_EXIT_INVVPID */ hmR0VmxExitSetPendingXcptUD,
481	/* 54 VMX_EXIT_WBINVD */ hmR0VmxExitWbinvd,
482	/* 55 VMX_EXIT_XSETBV */ hmR0VmxExitXsetbv,
483	/* 56 UNDEFINED */ hmR0VmxExitErrUndefined,
484	/* 57 VMX_EXIT_RDRAND */ hmR0VmxExitRdrand,
485	/* 58 VMX_EXIT_INVPCID */ hmR0VmxExitInvpcid,
486	/* 59 VMX_EXIT_VMFUNC */ hmR0VmxExitSetPendingXcptUD,
487	/* 60 VMX_EXIT_RESERVED_60 */ hmR0VmxExitErrUndefined,
488	/* 61 VMX_EXIT_RDSEED / hmR0VmxExitErrUndefined, / only spurious exits, so undefined */
489	/* 62 VMX_EXIT_RESERVED_62 */ hmR0VmxExitErrUndefined,
490	/* 63 VMX_EXIT_XSAVES */ hmR0VmxExitSetPendingXcptUD,
491	/* 64 VMX_EXIT_XRSTORS */ hmR0VmxExitSetPendingXcptUD,
492	};
493	#endif /* HMVMX_USE_FUNCTION_TABLE */
494
495	#ifdef VBOX_STRICT
496	static const char * const g_apszVmxInstrErrors[HMVMX_INSTR_ERROR_MAX + 1] =
497	{
498	/* 0 */ "(Not Used)",
499	/* 1 */ "VMCALL executed in VMX root operation.",
500	/* 2 */ "VMCLEAR with invalid physical address.",
501	/* 3 */ "VMCLEAR with VMXON pointer.",
502	/* 4 */ "VMLAUNCH with non-clear VMCS.",
503	/* 5 */ "VMRESUME with non-launched VMCS.",
504	/* 6 */ "VMRESUME after VMXOFF",
505	/* 7 */ "VM-entry with invalid control fields.",
506	/* 8 */ "VM-entry with invalid host state fields.",
507	/* 9 */ "VMPTRLD with invalid physical address.",
508	/* 10 */ "VMPTRLD with VMXON pointer.",
509	/* 11 */ "VMPTRLD with incorrect revision identifier.",
510	/* 12 */ "VMREAD/VMWRITE from/to unsupported VMCS component.",
511	/* 13 */ "VMWRITE to read-only VMCS component.",
512	/* 14 */ "(Not Used)",
513	/* 15 */ "VMXON executed in VMX root operation.",
514	/* 16 */ "VM-entry with invalid executive-VMCS pointer.",
515	/* 17 */ "VM-entry with non-launched executing VMCS.",
516	/* 18 */ "VM-entry with executive-VMCS pointer not VMXON pointer.",
517	/* 19 */ "VMCALL with non-clear VMCS.",
518	/* 20 */ "VMCALL with invalid VM-exit control fields.",
519	/* 21 */ "(Not Used)",
520	/* 22 */ "VMCALL with incorrect MSEG revision identifier.",
521	/* 23 */ "VMXOFF under dual monitor treatment of SMIs and SMM.",
522	/* 24 */ "VMCALL with invalid SMM-monitor features.",
523	/* 25 */ "VM-entry with invalid VM-execution control fields in executive VMCS.",
524	/* 26 */ "VM-entry with events blocked by MOV SS.",
525	/* 27 */ "(Not Used)",
526	/* 28 */ "Invalid operand to INVEPT/INVVPID."
527	};
528	#endif /* VBOX_STRICT */
529
530
531
532	/**
533	* Updates the VM's last error record. If there was a VMX instruction error,
534	* reads the error data from the VMCS and updates VCPU's last error record as
535	* well.
536	*
537	* @param pVM Pointer to the VM.
538	* @param pVCpu Pointer to the VMCPU (can be NULL if @a rc is not
539	* VERR_VMX_UNABLE_TO_START_VM or
540	* VERR_VMX_INVALID_VMCS_FIELD).
541	* @param rc The error code.
542	*/
543	static void hmR0VmxUpdateErrorRecord(PVM pVM, PVMCPU pVCpu, int rc)
544	{
545	AssertPtr(pVM);
546	if ( rc == VERR_VMX_INVALID_VMCS_FIELD
547	\|\| rc == VERR_VMX_UNABLE_TO_START_VM)
548	{
549	AssertPtrReturnVoid(pVCpu);
550	VMXReadVmcs32(VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
551	}
552	pVM->hm.s.lLastError = rc;
553	}
554
555
556	/**
557	* Reads the VM-entry interruption-information field from the VMCS into the VMX
558	* transient structure.
559	*
560	* @returns VBox status code.
561	* @param pVmxTransient Pointer to the VMX transient structure.
562	*
563	* @remarks No-long-jump zone!!!
564	*/
565	DECLINLINE(int) hmR0VmxReadEntryIntInfoVmcs(PVMXTRANSIENT pVmxTransient)
566	{
567	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &pVmxTransient->uEntryIntInfo);
568	AssertRCReturn(rc, rc);
569	return VINF_SUCCESS;
570	}
571
572
573	/**
574	* Reads the VM-entry exception error code field from the VMCS into
575	* the VMX transient structure.
576	*
577	* @returns VBox status code.
578	* @param pVmxTransient Pointer to the VMX transient structure.
579	*
580	* @remarks No-long-jump zone!!!
581	*/
582	DECLINLINE(int) hmR0VmxReadEntryXcptErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
583	{
584	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, &pVmxTransient->uEntryXcptErrorCode);
585	AssertRCReturn(rc, rc);
586	return VINF_SUCCESS;
587	}
588
589
590	/**
591	* Reads the VM-entry exception error code field from the VMCS into
592	* the VMX transient structure.
593	*
594	* @returns VBox status code.
595	* @param pVmxTransient Pointer to the VMX transient structure.
596	*
597	* @remarks No-long-jump zone!!!
598	*/
599	DECLINLINE(int) hmR0VmxReadEntryInstrLenVmcs(PVMXTRANSIENT pVmxTransient)
600	{
601	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, &pVmxTransient->cbEntryInstr);
602	AssertRCReturn(rc, rc);
603	return VINF_SUCCESS;
604	}
605
606
607	/**
608	* Reads the VM-exit interruption-information field from the VMCS into the VMX
609	* transient structure.
610	*
611	* @returns VBox status code.
612	* @param pVmxTransient Pointer to the VMX transient structure.
613	*/
614	DECLINLINE(int) hmR0VmxReadExitIntInfoVmcs(PVMXTRANSIENT pVmxTransient)
615	{
616	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO))
617	{
618	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INTERRUPTION_INFO, &pVmxTransient->uExitIntInfo);
619	AssertRCReturn(rc, rc);
620	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO;
621	}
622	return VINF_SUCCESS;
623	}
624
625
626	/**
627	* Reads the VM-exit interruption error code from the VMCS into the VMX
628	* transient structure.
629	*
630	* @returns VBox status code.
631	* @param pVmxTransient Pointer to the VMX transient structure.
632	*/
633	DECLINLINE(int) hmR0VmxReadExitIntErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
634	{
635	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE))
636	{
637	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INTERRUPTION_ERROR_CODE, &pVmxTransient->uExitIntErrorCode);
638	AssertRCReturn(rc, rc);
639	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_ERROR_CODE;
640	}
641	return VINF_SUCCESS;
642	}
643
644
645	/**
646	* Reads the VM-exit instruction length field from the VMCS into the VMX
647	* transient structure.
648	*
649	* @returns VBox status code.
650	* @param pVCpu Pointer to the VMCPU.
651	* @param pVmxTransient Pointer to the VMX transient structure.
652	*/
653	DECLINLINE(int) hmR0VmxReadExitInstrLenVmcs(PVMXTRANSIENT pVmxTransient)
654	{
655	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN))
656	{
657	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INSTR_LENGTH, &pVmxTransient->cbInstr);
658	AssertRCReturn(rc, rc);
659	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_LEN;
660	}
661	return VINF_SUCCESS;
662	}
663
664
665	/**
666	* Reads the VM-exit instruction-information field from the VMCS into
667	* the VMX transient structure.
668	*
669	* @returns VBox status code.
670	* @param pVmxTransient Pointer to the VMX transient structure.
671	*/
672	DECLINLINE(int) hmR0VmxReadExitInstrInfoVmcs(PVMXTRANSIENT pVmxTransient)
673	{
674	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO))
675	{
676	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_INSTR_INFO, &pVmxTransient->ExitInstrInfo.u);
677	AssertRCReturn(rc, rc);
678	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_INSTR_INFO;
679	}
680	return VINF_SUCCESS;
681	}
682
683
684	/**
685	* Reads the exit code qualification from the VMCS into the VMX transient
686	* structure.
687	*
688	* @returns VBox status code.
689	* @param pVCpu Pointer to the VMCPU (required for the VMCS cache
690	* case).
691	* @param pVmxTransient Pointer to the VMX transient structure.
692	*/
693	DECLINLINE(int) hmR0VmxReadExitQualificationVmcs(PVMCPU pVCpu, PVMXTRANSIENT pVmxTransient)
694	{
695	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION))
696	{
697	int rc = VMXReadVmcsGstN(VMX_VMCS_RO_EXIT_QUALIFICATION, &pVmxTransient->uExitQualification); NOREF(pVCpu);
698	AssertRCReturn(rc, rc);
699	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_EXIT_QUALIFICATION;
700	}
701	return VINF_SUCCESS;
702	}
703
704
705	/**
706	* Reads the IDT-vectoring information field from the VMCS into the VMX
707	* transient structure.
708	*
709	* @returns VBox status code.
710	* @param pVmxTransient Pointer to the VMX transient structure.
711	*
712	* @remarks No-long-jump zone!!!
713	*/
714	DECLINLINE(int) hmR0VmxReadIdtVectoringInfoVmcs(PVMXTRANSIENT pVmxTransient)
715	{
716	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO))
717	{
718	int rc = VMXReadVmcs32(VMX_VMCS32_RO_IDT_INFO, &pVmxTransient->uIdtVectoringInfo);
719	AssertRCReturn(rc, rc);
720	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_INFO;
721	}
722	return VINF_SUCCESS;
723	}
724
725
726	/**
727	* Reads the IDT-vectoring error code from the VMCS into the VMX
728	* transient structure.
729	*
730	* @returns VBox status code.
731	* @param pVmxTransient Pointer to the VMX transient structure.
732	*/
733	DECLINLINE(int) hmR0VmxReadIdtVectoringErrorCodeVmcs(PVMXTRANSIENT pVmxTransient)
734	{
735	if (!(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE))
736	{
737	int rc = VMXReadVmcs32(VMX_VMCS32_RO_IDT_ERROR_CODE, &pVmxTransient->uIdtVectoringErrorCode);
738	AssertRCReturn(rc, rc);
739	pVmxTransient->fVmcsFieldsRead \|= HMVMX_UPDATED_TRANSIENT_IDT_VECTORING_ERROR_CODE;
740	}
741	return VINF_SUCCESS;
742	}
743
744
745	/**
746	* Enters VMX root mode operation on the current CPU.
747	*
748	* @returns VBox status code.
749	* @param pVM Pointer to the VM (optional, can be NULL, after
750	* a resume).
751	* @param HCPhysCpuPage Physical address of the VMXON region.
752	* @param pvCpuPage Pointer to the VMXON region.
753	*/
754	static int hmR0VmxEnterRootMode(PVM pVM, RTHCPHYS HCPhysCpuPage, void *pvCpuPage)
755	{
756	Assert(HCPhysCpuPage && HCPhysCpuPage != NIL_RTHCPHYS);
757	Assert(RT_ALIGN_T(HCPhysCpuPage, _4K, RTHCPHYS) == HCPhysCpuPage);
758	Assert(pvCpuPage);
759	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
760
761	if (pVM)
762	{
763	/* Write the VMCS revision dword to the VMXON region. */
764	(uint32_t )pvCpuPage = MSR_IA32_VMX_BASIC_INFO_VMCS_ID(pVM->hm.s.vmx.Msrs.u64BasicInfo);
765	}
766
767	/* Paranoid: Disable interrupts as, in theory, interrupt handlers might mess with CR4. */
768	RTCCUINTREG fEFlags = ASMIntDisableFlags();
769
770	/* Enable the VMX bit in CR4 if necessary. */
771	RTCCUINTREG uOldCr4 = SUPR0ChangeCR4(X86_CR4_VMXE, ~0);
772
773	/* Enter VMX root mode. */
774	int rc = VMXEnable(HCPhysCpuPage);
775	if (RT_FAILURE(rc))
776	{
777	if (!(uOldCr4 & X86_CR4_VMXE))
778	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
779
780	if (pVM)
781	pVM->hm.s.vmx.HCPhysVmxEnableError = HCPhysCpuPage;
782	}
783
784	/* Restore interrupts. */
785	ASMSetFlags(fEFlags);
786	return rc;
787	}
788
789
790	/**
791	* Exits VMX root mode operation on the current CPU.
792	*
793	* @returns VBox status code.
794	*/
795	static int hmR0VmxLeaveRootMode(void)
796	{
797	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
798
799	/* Paranoid: Disable interrupts as, in theory, interrupts handlers might mess with CR4. */
800	RTCCUINTREG fEFlags = ASMIntDisableFlags();
801
802	/* If we're for some reason not in VMX root mode, then don't leave it. */
803	RTCCUINTREG uHostCR4 = ASMGetCR4();
804
805	int rc;
806	if (uHostCR4 & X86_CR4_VMXE)
807	{
808	/* Exit VMX root mode and clear the VMX bit in CR4. */
809	VMXDisable();
810	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
811	rc = VINF_SUCCESS;
812	}
813	else
814	rc = VERR_VMX_NOT_IN_VMX_ROOT_MODE;
815
816	/* Restore interrupts. */
817	ASMSetFlags(fEFlags);
818	return rc;
819	}
820
821
822	/**
823	* Allocates and maps one physically contiguous page. The allocated page is
824	* zero'd out. (Used by various VT-x structures).
825	*
826	* @returns IPRT status code.
827	* @param pMemObj Pointer to the ring-0 memory object.
828	* @param ppVirt Where to store the virtual address of the
829	* allocation.
830	* @param pPhys Where to store the physical address of the
831	* allocation.
832	*/
833	DECLINLINE(int) hmR0VmxPageAllocZ(PRTR0MEMOBJ pMemObj, PRTR0PTR ppVirt, PRTHCPHYS pHCPhys)
834	{
835	AssertPtrReturn(pMemObj, VERR_INVALID_PARAMETER);
836	AssertPtrReturn(ppVirt, VERR_INVALID_PARAMETER);
837	AssertPtrReturn(pHCPhys, VERR_INVALID_PARAMETER);
838
839	int rc = RTR0MemObjAllocCont(pMemObj, PAGE_SIZE, false /* fExecutable */);
840	if (RT_FAILURE(rc))
841	return rc;
842	ppVirt = RTR0MemObjAddress(pMemObj);
843	pHCPhys = RTR0MemObjGetPagePhysAddr(pMemObj, 0 /* iPage */);
844	ASMMemZero32(*ppVirt, PAGE_SIZE);
845	return VINF_SUCCESS;
846	}
847
848
849	/**
850	* Frees and unmaps an allocated physical page.
851	*
852	* @param pMemObj Pointer to the ring-0 memory object.
853	* @param ppVirt Where to re-initialize the virtual address of
854	* allocation as 0.
855	* @param pHCPhys Where to re-initialize the physical address of the
856	* allocation as 0.
857	*/
858	DECLINLINE(void) hmR0VmxPageFree(PRTR0MEMOBJ pMemObj, PRTR0PTR ppVirt, PRTHCPHYS pHCPhys)
859	{
860	AssertPtr(pMemObj);
861	AssertPtr(ppVirt);
862	AssertPtr(pHCPhys);
863	if (*pMemObj != NIL_RTR0MEMOBJ)
864	{
865	int rc = RTR0MemObjFree(pMemObj, true / fFreeMappings */);
866	AssertRC(rc);
867	*pMemObj = NIL_RTR0MEMOBJ;
868	*ppVirt = 0;
869	*pHCPhys = 0;
870	}
871	}
872
873
874	/**
875	* Worker function to free VT-x related structures.
876	*
877	* @returns IPRT status code.
878	* @param pVM Pointer to the VM.
879	*/
880	static void hmR0VmxStructsFree(PVM pVM)
881	{
882	for (VMCPUID i = 0; i < pVM->cCpus; i++)
883	{
884	PVMCPU pVCpu = &pVM->aCpus[i];
885	AssertPtr(pVCpu);
886
887	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjHostMsr, &pVCpu->hm.s.vmx.pvHostMsr, &pVCpu->hm.s.vmx.HCPhysHostMsr);
888	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjGuestMsr, &pVCpu->hm.s.vmx.pvGuestMsr, &pVCpu->hm.s.vmx.HCPhysGuestMsr);
889
890	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
891	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjMsrBitmap, &pVCpu->hm.s.vmx.pvMsrBitmap, &pVCpu->hm.s.vmx.HCPhysMsrBitmap);
892
893	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjVirtApic, (PRTR0PTR)&pVCpu->hm.s.vmx.pbVirtApic, &pVCpu->hm.s.vmx.HCPhysVirtApic);
894	hmR0VmxPageFree(&pVCpu->hm.s.vmx.hMemObjVmcs, &pVCpu->hm.s.vmx.pvVmcs, &pVCpu->hm.s.vmx.HCPhysVmcs);
895	}
896
897	hmR0VmxPageFree(&pVM->hm.s.vmx.hMemObjApicAccess, (PRTR0PTR)&pVM->hm.s.vmx.pbApicAccess, &pVM->hm.s.vmx.HCPhysApicAccess);
898	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
899	hmR0VmxPageFree(&pVM->hm.s.vmx.hMemObjScratch, &pVM->hm.s.vmx.pbScratch, &pVM->hm.s.vmx.HCPhysScratch);
900	#endif
901	}
902
903
904	/**
905	* Worker function to allocate VT-x related VM structures.
906	*
907	* @returns IPRT status code.
908	* @param pVM Pointer to the VM.
909	*/
910	static int hmR0VmxStructsAlloc(PVM pVM)
911	{
912	/*
913	* Initialize members up-front so we can cleanup properly on allocation failure.
914	*/
915	#define VMXLOCAL_INIT_VM_MEMOBJ(a_Name, a_VirtPrefix) \
916	pVM->hm.s.vmx.hMemObj##a_Name = NIL_RTR0MEMOBJ; \
917	pVM->hm.s.vmx.a_VirtPrefix##a_Name = 0; \
918	pVM->hm.s.vmx.HCPhys##a_Name = 0;
919
920	#define VMXLOCAL_INIT_VMCPU_MEMOBJ(a_Name, a_VirtPrefix) \
921	pVCpu->hm.s.vmx.hMemObj##a_Name = NIL_RTR0MEMOBJ; \
922	pVCpu->hm.s.vmx.a_VirtPrefix##a_Name = 0; \
923	pVCpu->hm.s.vmx.HCPhys##a_Name = 0;
924
925	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
926	VMXLOCAL_INIT_VM_MEMOBJ(Scratch, pv);
927	#endif
928	VMXLOCAL_INIT_VM_MEMOBJ(ApicAccess, pb);
929
930	AssertCompile(sizeof(VMCPUID) == sizeof(pVM->cCpus));
931	for (VMCPUID i = 0; i < pVM->cCpus; i++)
932	{
933	PVMCPU pVCpu = &pVM->aCpus[i];
934	VMXLOCAL_INIT_VMCPU_MEMOBJ(Vmcs, pv);
935	VMXLOCAL_INIT_VMCPU_MEMOBJ(VirtApic, pb);
936	VMXLOCAL_INIT_VMCPU_MEMOBJ(MsrBitmap, pv);
937	VMXLOCAL_INIT_VMCPU_MEMOBJ(GuestMsr, pv);
938	VMXLOCAL_INIT_VMCPU_MEMOBJ(HostMsr, pv);
939	}
940	#undef VMXLOCAL_INIT_VMCPU_MEMOBJ
941	#undef VMXLOCAL_INIT_VM_MEMOBJ
942
943	/* The VMCS size cannot be more than 4096 bytes. See Intel spec. Appendix A.1 "Basic VMX Information". */
944	AssertReturnStmt(MSR_IA32_VMX_BASIC_INFO_VMCS_SIZE(pVM->hm.s.vmx.Msrs.u64BasicInfo) <= PAGE_SIZE,
945	(&pVM->aCpus[0])->hm.s.u32HMError = VMX_UFC_INVALID_VMCS_SIZE,
946	VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO);
947
948	/*
949	* Allocate all the VT-x structures.
950	*/
951	int rc = VINF_SUCCESS;
952	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
953	rc = hmR0VmxPageAllocZ(&pVM->hm.s.vmx.hMemObjScratch, &pVM->hm.s.vmx.pbScratch, &pVM->hm.s.vmx.HCPhysScratch);
954	if (RT_FAILURE(rc))
955	goto cleanup;
956	strcpy((char *)pVM->hm.s.vmx.pbScratch, "SCRATCH Magic");
957	(uint64_t )(pVM->hm.s.vmx.pbScratch + 16) = UINT64_C(0xdeadbeefdeadbeef);
958	#endif
959
960	/* Allocate the APIC-access page for trapping APIC accesses from the guest. */
961	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC)
962	{
963	rc = hmR0VmxPageAllocZ(&pVM->hm.s.vmx.hMemObjApicAccess, (PRTR0PTR)&pVM->hm.s.vmx.pbApicAccess,
964	&pVM->hm.s.vmx.HCPhysApicAccess);
965	if (RT_FAILURE(rc))
966	goto cleanup;
967	}
968
969	/*
970	* Initialize per-VCPU VT-x structures.
971	*/
972	for (VMCPUID i = 0; i < pVM->cCpus; i++)
973	{
974	PVMCPU pVCpu = &pVM->aCpus[i];
975	AssertPtr(pVCpu);
976
977	/* Allocate the VM control structure (VMCS). */
978	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjVmcs, &pVCpu->hm.s.vmx.pvVmcs, &pVCpu->hm.s.vmx.HCPhysVmcs);
979	if (RT_FAILURE(rc))
980	goto cleanup;
981
982	/* Allocate the Virtual-APIC page for transparent TPR accesses. */
983	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
984	{
985	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjVirtApic, (PRTR0PTR)&pVCpu->hm.s.vmx.pbVirtApic,
986	&pVCpu->hm.s.vmx.HCPhysVirtApic);
987	if (RT_FAILURE(rc))
988	goto cleanup;
989	}
990
991	/*
992	* Allocate the MSR-bitmap if supported by the CPU. The MSR-bitmap is for
993	* transparent accesses of specific MSRs.
994	*
995	* If the condition for enabling MSR bitmaps changes here, don't forget to
996	* update HMAreMsrBitmapsAvailable().
997	*/
998	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
999	{
1000	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjMsrBitmap, &pVCpu->hm.s.vmx.pvMsrBitmap,
1001	&pVCpu->hm.s.vmx.HCPhysMsrBitmap);
1002	if (RT_FAILURE(rc))
1003	goto cleanup;
1004	ASMMemFill32(pVCpu->hm.s.vmx.pvMsrBitmap, PAGE_SIZE, UINT32_C(0xffffffff));
1005	}
1006
1007	/* Allocate the VM-entry MSR-load and VM-exit MSR-store page for the guest MSRs. */
1008	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjGuestMsr, &pVCpu->hm.s.vmx.pvGuestMsr, &pVCpu->hm.s.vmx.HCPhysGuestMsr);
1009	if (RT_FAILURE(rc))
1010	goto cleanup;
1011
1012	/* Allocate the VM-exit MSR-load page for the host MSRs. */
1013	rc = hmR0VmxPageAllocZ(&pVCpu->hm.s.vmx.hMemObjHostMsr, &pVCpu->hm.s.vmx.pvHostMsr, &pVCpu->hm.s.vmx.HCPhysHostMsr);
1014	if (RT_FAILURE(rc))
1015	goto cleanup;
1016	}
1017
1018	return VINF_SUCCESS;
1019
1020	cleanup:
1021	hmR0VmxStructsFree(pVM);
1022	return rc;
1023	}
1024
1025
1026	/**
1027	* Does global VT-x initialization (called during module initialization).
1028	*
1029	* @returns VBox status code.
1030	*/
1031	VMMR0DECL(int) VMXR0GlobalInit(void)
1032	{
1033	#ifdef HMVMX_USE_FUNCTION_TABLE
1034	AssertCompile(VMX_EXIT_MAX + 1 == RT_ELEMENTS(g_apfnVMExitHandlers));
1035	# ifdef VBOX_STRICT
1036	for (unsigned i = 0; i < RT_ELEMENTS(g_apfnVMExitHandlers); i++)
1037	Assert(g_apfnVMExitHandlers[i]);
1038	# endif
1039	#endif
1040	return VINF_SUCCESS;
1041	}
1042
1043
1044	/**
1045	* Does global VT-x termination (called during module termination).
1046	*/
1047	VMMR0DECL(void) VMXR0GlobalTerm()
1048	{
1049	/* Nothing to do currently. */
1050	}
1051
1052
1053	/**
1054	* Sets up and activates VT-x on the current CPU.
1055	*
1056	* @returns VBox status code.
1057	* @param pCpu Pointer to the global CPU info struct.
1058	* @param pVM Pointer to the VM (can be NULL after a host resume
1059	* operation).
1060	* @param pvCpuPage Pointer to the VMXON region (can be NULL if @a
1061	* fEnabledByHost is true).
1062	* @param HCPhysCpuPage Physical address of the VMXON region (can be 0 if
1063	* @a fEnabledByHost is true).
1064	* @param fEnabledByHost Set if SUPR0EnableVTx() or similar was used to
1065	* enable VT-x on the host.
1066	* @param pvMsrs Opaque pointer to VMXMSRS struct.
1067	*/
1068	VMMR0DECL(int) VMXR0EnableCpu(PHMGLOBALCPUINFO pCpu, PVM pVM, void *pvCpuPage, RTHCPHYS HCPhysCpuPage, bool fEnabledByHost,
1069	void *pvMsrs)
1070	{
1071	Assert(pCpu);
1072	Assert(pvMsrs);
1073	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1074
1075	/* Enable VT-x if it's not already enabled by the host. */
1076	if (!fEnabledByHost)
1077	{
1078	int rc = hmR0VmxEnterRootMode(pVM, HCPhysCpuPage, pvCpuPage);
1079	if (RT_FAILURE(rc))
1080	return rc;
1081	}
1082
1083	/*
1084	* Flush all EPT tagged-TLB entries (in case VirtualBox or any other hypervisor have been using EPTPs) so
1085	* we don't retain any stale guest-physical mappings which won't get invalidated when flushing by VPID.
1086	*/
1087	PVMXMSRS pMsrs = (PVMXMSRS)pvMsrs;
1088	if (pMsrs->u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_ALL_CONTEXTS)
1089	{
1090	hmR0VmxFlushEpt(NULL /* pVCpu */, VMXFLUSHEPT_ALL_CONTEXTS);
1091	pCpu->fFlushAsidBeforeUse = false;
1092	}
1093	else
1094	pCpu->fFlushAsidBeforeUse = true;
1095
1096	/* Ensure each VCPU scheduled on this CPU gets a new VPID on resume. See @bugref{6255}. */
1097	++pCpu->cTlbFlushes;
1098
1099	return VINF_SUCCESS;
1100	}
1101
1102
1103	/**
1104	* Deactivates VT-x on the current CPU.
1105	*
1106	* @returns VBox status code.
1107	* @param pCpu Pointer to the global CPU info struct.
1108	* @param pvCpuPage Pointer to the VMXON region.
1109	* @param HCPhysCpuPage Physical address of the VMXON region.
1110	*
1111	* @remarks This function should never be called when SUPR0EnableVTx() or
1112	* similar was used to enable VT-x on the host.
1113	*/
1114	VMMR0DECL(int) VMXR0DisableCpu(PHMGLOBALCPUINFO pCpu, void *pvCpuPage, RTHCPHYS HCPhysCpuPage)
1115	{
1116	NOREF(pCpu);
1117	NOREF(pvCpuPage);
1118	NOREF(HCPhysCpuPage);
1119
1120	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1121	return hmR0VmxLeaveRootMode();
1122	}
1123
1124
1125	/**
1126	* Sets the permission bits for the specified MSR in the MSR bitmap.
1127	*
1128	* @param pVCpu Pointer to the VMCPU.
1129	* @param uMSR The MSR value.
1130	* @param enmRead Whether reading this MSR causes a VM-exit.
1131	* @param enmWrite Whether writing this MSR causes a VM-exit.
1132	*/
1133	static void hmR0VmxSetMsrPermission(PVMCPU pVCpu, uint32_t uMsr, VMXMSREXITREAD enmRead, VMXMSREXITWRITE enmWrite)
1134	{
1135	int32_t iBit;
1136	uint8_t pbMsrBitmap = (uint8_t )pVCpu->hm.s.vmx.pvMsrBitmap;
1137
1138	/*
1139	* Layout:
1140	* 0x000 - 0x3ff - Low MSR read bits
1141	* 0x400 - 0x7ff - High MSR read bits
1142	* 0x800 - 0xbff - Low MSR write bits
1143	* 0xc00 - 0xfff - High MSR write bits
1144	*/
1145	if (uMsr <= 0x00001FFF)
1146	iBit = uMsr;
1147	else if ( uMsr >= 0xC0000000
1148	&& uMsr <= 0xC0001FFF)
1149	{
1150	iBit = (uMsr - 0xC0000000);
1151	pbMsrBitmap += 0x400;
1152	}
1153	else
1154	AssertMsgFailedReturnVoid(("hmR0VmxSetMsrPermission: Invalid MSR %#RX32\n", uMsr));
1155
1156	Assert(iBit <= 0x1fff);
1157	if (enmRead == VMXMSREXIT_INTERCEPT_READ)
1158	ASMBitSet(pbMsrBitmap, iBit);
1159	else
1160	ASMBitClear(pbMsrBitmap, iBit);
1161
1162	if (enmWrite == VMXMSREXIT_INTERCEPT_WRITE)
1163	ASMBitSet(pbMsrBitmap + 0x800, iBit);
1164	else
1165	ASMBitClear(pbMsrBitmap + 0x800, iBit);
1166	}
1167
1168
1169	#ifdef VBOX_STRICT
1170	/**
1171	* Gets the permission bits for the specified MSR in the MSR bitmap.
1172	*
1173	* @returns VBox status code.
1174	* @retval VINF_SUCCESS if the specified MSR is found.
1175	* @retval VERR_NOT_FOUND if the specified MSR is not found.
1176	* @retval VERR_NOT_SUPPORTED if VT-x doesn't allow the MSR.
1177	*
1178	* @param pVCpu Pointer to the VMCPU.
1179	* @param uMsr The MSR.
1180	* @param penmRead Where to store the read permissions.
1181	* @param penmWrite Where to store the write permissions.
1182	*/
1183	static int hmR0VmxGetMsrPermission(PVMCPU pVCpu, uint32_t uMsr, PVMXMSREXITREAD penmRead, PVMXMSREXITWRITE penmWrite)
1184	{
1185	AssertPtrReturn(penmRead, VERR_INVALID_PARAMETER);
1186	AssertPtrReturn(penmWrite, VERR_INVALID_PARAMETER);
1187	int32_t iBit;
1188	uint8_t pbMsrBitmap = (uint8_t )pVCpu->hm.s.vmx.pvMsrBitmap;
1189
1190	/* See hmR0VmxSetMsrPermission() for the layout. */
1191	if (uMsr <= 0x00001FFF)
1192	iBit = uMsr;
1193	else if ( uMsr >= 0xC0000000
1194	&& uMsr <= 0xC0001FFF)
1195	{
1196	iBit = (uMsr - 0xC0000000);
1197	pbMsrBitmap += 0x400;
1198	}
1199	else
1200	AssertMsgFailedReturn(("hmR0VmxGetMsrPermission: Invalid MSR %#RX32\n", uMsr), VERR_NOT_SUPPORTED);
1201
1202	Assert(iBit <= 0x1fff);
1203	if (ASMBitTest(pbMsrBitmap, iBit))
1204	*penmRead = VMXMSREXIT_INTERCEPT_READ;
1205	else
1206	*penmRead = VMXMSREXIT_PASSTHRU_READ;
1207
1208	if (ASMBitTest(pbMsrBitmap + 0x800, iBit))
1209	*penmWrite = VMXMSREXIT_INTERCEPT_WRITE;
1210	else
1211	*penmWrite = VMXMSREXIT_PASSTHRU_WRITE;
1212	return VINF_SUCCESS;
1213	}
1214	#endif /* VBOX_STRICT */
1215
1216
1217	/**
1218	* Updates the VMCS with the number of effective MSRs in the auto-load/store MSR
1219	* area.
1220	*
1221	* @returns VBox status code.
1222	* @param pVCpu Pointer to the VMCPU.
1223	* @param cMsrs The number of MSRs.
1224	*/
1225	DECLINLINE(int) hmR0VmxSetAutoLoadStoreMsrCount(PVMCPU pVCpu, uint32_t cMsrs)
1226	{
1227	/* Shouldn't ever happen but there -is- a number. We're well within the recommended 512. */
1228	uint32_t const cMaxSupportedMsrs = MSR_IA32_VMX_MISC_MAX_MSR(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.u64Misc);
1229	if (RT_UNLIKELY(cMsrs > cMaxSupportedMsrs))
1230	{
1231	LogRel(("CPU auto-load/store MSR count in VMCS exceeded cMsrs=%u Supported=%u.\n", cMsrs, cMaxSupportedMsrs));
1232	pVCpu->hm.s.u32HMError = VMX_UFC_INSUFFICIENT_GUEST_MSR_STORAGE;
1233	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
1234	}
1235
1236	/* Update number of guest MSRs to load/store across the world-switch. */
1237	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, cMsrs); AssertRCReturn(rc, rc);
1238	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, cMsrs); AssertRCReturn(rc, rc);
1239
1240	/* Update number of host MSRs to load after the world-switch. Identical to guest-MSR count as it's always paired. */
1241	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, cMsrs); AssertRCReturn(rc, rc);
1242
1243	/* Update the VCPU's copy of the MSR count. */
1244	pVCpu->hm.s.vmx.cMsrs = cMsrs;
1245
1246	return VINF_SUCCESS;
1247	}
1248
1249
1250	/**
1251	* Adds a new (or updates the value of an existing) guest/host MSR
1252	* pair to be swapped during the world-switch as part of the
1253	* auto-load/store MSR area in the VMCS.
1254	*
1255	* @returns VBox status code.
1256	* @param pVCpu Pointer to the VMCPU.
1257	* @param uMsr The MSR.
1258	* @param uGuestMsr Value of the guest MSR.
1259	* @param fUpdateHostMsr Whether to update the value of the host MSR if
1260	* necessary.
1261	* @param pfAddedAndUpdated Where to store whether the MSR was added -and-
1262	* its value was updated. Optional, can be NULL.
1263	*/
1264	static int hmR0VmxAddAutoLoadStoreMsr(PVMCPU pVCpu, uint32_t uMsr, uint64_t uGuestMsrValue, bool fUpdateHostMsr,
1265	bool *pfAddedAndUpdated)
1266	{
1267	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1268	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1269	uint32_t i;
1270	for (i = 0; i < cMsrs; i++)
1271	{
1272	if (pGuestMsr->u32Msr == uMsr)
1273	break;
1274	pGuestMsr++;
1275	}
1276
1277	bool fAdded = false;
1278	if (i == cMsrs)
1279	{
1280	++cMsrs;
1281	int rc = hmR0VmxSetAutoLoadStoreMsrCount(pVCpu, cMsrs);
1282	AssertMsgRCReturn(rc, ("hmR0VmxAddAutoLoadStoreMsr: Insufficient space to add MSR %u\n", uMsr), rc);
1283
1284	/* Now that we're swapping MSRs during the world-switch, allow the guest to read/write them without causing VM-exits. */
1285	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1286	hmR0VmxSetMsrPermission(pVCpu, uMsr, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
1287
1288	fAdded = true;
1289	}
1290
1291	/* Update the MSR values in the auto-load/store MSR area. */
1292	pGuestMsr->u32Msr = uMsr;
1293	pGuestMsr->u64Value = uGuestMsrValue;
1294
1295	/* Create/update the MSR slot in the host MSR area. */
1296	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1297	pHostMsr += i;
1298	pHostMsr->u32Msr = uMsr;
1299
1300	/*
1301	* Update the host MSR only when requested by the caller AND when we're
1302	* adding it to the auto-load/store area. Otherwise, it would have been
1303	* updated by hmR0VmxSaveHostMsrs(). We do this for performance reasons.
1304	*/
1305	bool fUpdatedMsrValue = false;
1306	if ( fAdded
1307	&& fUpdateHostMsr)
1308	{
1309	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1310	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1311	pHostMsr->u64Value = ASMRdMsr(pHostMsr->u32Msr);
1312	fUpdatedMsrValue = true;
1313	}
1314
1315	if (pfAddedAndUpdated)
1316	*pfAddedAndUpdated = fUpdatedMsrValue;
1317	return VINF_SUCCESS;
1318	}
1319
1320
1321	/**
1322	* Removes a guest/host MSR pair to be swapped during the world-switch from the
1323	* auto-load/store MSR area in the VMCS.
1324	*
1325	* @returns VBox status code.
1326	* @param pVCpu Pointer to the VMCPU.
1327	* @param uMsr The MSR.
1328	*/
1329	static int hmR0VmxRemoveAutoLoadStoreMsr(PVMCPU pVCpu, uint32_t uMsr)
1330	{
1331	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1332	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1333	for (uint32_t i = 0; i < cMsrs; i++)
1334	{
1335	/* Find the MSR. */
1336	if (pGuestMsr->u32Msr == uMsr)
1337	{
1338	/* If it's the last MSR, simply reduce the count. */
1339	if (i == cMsrs - 1)
1340	{
1341	--cMsrs;
1342	break;
1343	}
1344
1345	/* Remove it by swapping the last MSR in place of it, and reducing the count. */
1346	PVMXAUTOMSR pLastGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1347	pLastGuestMsr += cMsrs - 1;
1348	pGuestMsr->u32Msr = pLastGuestMsr->u32Msr;
1349	pGuestMsr->u64Value = pLastGuestMsr->u64Value;
1350
1351	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1352	PVMXAUTOMSR pLastHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1353	pLastHostMsr += cMsrs - 1;
1354	pHostMsr->u32Msr = pLastHostMsr->u32Msr;
1355	pHostMsr->u64Value = pLastHostMsr->u64Value;
1356	--cMsrs;
1357	break;
1358	}
1359	pGuestMsr++;
1360	}
1361
1362	/* Update the VMCS if the count changed (meaning the MSR was found). */
1363	if (cMsrs != pVCpu->hm.s.vmx.cMsrs)
1364	{
1365	int rc = hmR0VmxSetAutoLoadStoreMsrCount(pVCpu, cMsrs);
1366	AssertRCReturn(rc, rc);
1367
1368	/* We're no longer swapping MSRs during the world-switch, intercept guest read/writes to them. */
1369	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1370	hmR0VmxSetMsrPermission(pVCpu, uMsr, VMXMSREXIT_INTERCEPT_READ, VMXMSREXIT_INTERCEPT_WRITE);
1371
1372	Log4(("Removed MSR %#RX32 new cMsrs=%u\n", uMsr, pVCpu->hm.s.vmx.cMsrs));
1373	return VINF_SUCCESS;
1374	}
1375
1376	return VERR_NOT_FOUND;
1377	}
1378
1379
1380	/**
1381	* Checks if the specified guest MSR is part of the auto-load/store area in
1382	* the VMCS.
1383	*
1384	* @returns true if found, false otherwise.
1385	* @param pVCpu Pointer to the VMCPU.
1386	* @param uMsr The MSR to find.
1387	*/
1388	static bool hmR0VmxIsAutoLoadStoreGuestMsr(PVMCPU pVCpu, uint32_t uMsr)
1389	{
1390	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1391	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1392
1393	for (uint32_t i = 0; i < cMsrs; i++, pGuestMsr++)
1394	{
1395	if (pGuestMsr->u32Msr == uMsr)
1396	return true;
1397	}
1398	return false;
1399	}
1400
1401
1402	/**
1403	* Updates the value of all host MSRs in the auto-load/store area in the VMCS.
1404	*
1405	* @param pVCpu Pointer to the VMCPU.
1406	*
1407	* @remarks No-long-jump zone!!!
1408	*/
1409	static void hmR0VmxUpdateAutoLoadStoreHostMsrs(PVMCPU pVCpu)
1410	{
1411	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1412	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1413	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1414	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
1415
1416	for (uint32_t i = 0; i < cMsrs; i++, pHostMsr++, pGuestMsr++)
1417	{
1418	AssertReturnVoid(pHostMsr->u32Msr == pGuestMsr->u32Msr);
1419
1420	/*
1421	* Performance hack for the host EFER MSR. We use the cached value rather than re-read it.
1422	* Strict builds will catch mismatches in hmR0VmxCheckAutoLoadStoreMsrs(). See @bugref{7368}.
1423	*/
1424	if (pHostMsr->u32Msr == MSR_K6_EFER)
1425	pHostMsr->u64Value = pVCpu->CTX_SUFF(pVM)->hm.s.vmx.u64HostEfer;
1426	else
1427	pHostMsr->u64Value = ASMRdMsr(pHostMsr->u32Msr);
1428	}
1429
1430	pVCpu->hm.s.vmx.fUpdatedHostMsrs = true;
1431	}
1432
1433
1434	#if HC_ARCH_BITS == 64
1435	/**
1436	* Saves a set of host MSRs to allow read/write passthru access to the guest and
1437	* perform lazy restoration of the host MSRs while leaving VT-x.
1438	*
1439	* @param pVCpu Pointer to the VMCPU.
1440	*
1441	* @remarks No-long-jump zone!!!
1442	*/
1443	static void hmR0VmxLazySaveHostMsrs(PVMCPU pVCpu)
1444	{
1445	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1446
1447	/*
1448	* Note: If you're adding MSRs here, make sure to update the MSR-bitmap permissions in hmR0VmxSetupProcCtls().
1449	*/
1450	if (!(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST))
1451	{
1452	pVCpu->hm.s.vmx.u64HostLStarMsr = ASMRdMsr(MSR_K8_LSTAR);
1453	pVCpu->hm.s.vmx.u64HostStarMsr = ASMRdMsr(MSR_K6_STAR);
1454	pVCpu->hm.s.vmx.u64HostSFMaskMsr = ASMRdMsr(MSR_K8_SF_MASK);
1455	pVCpu->hm.s.vmx.u64HostKernelGSBaseMsr = ASMRdMsr(MSR_K8_KERNEL_GS_BASE);
1456	pVCpu->hm.s.vmx.fLazyMsrs \|= VMX_LAZY_MSRS_SAVED_HOST;
1457	}
1458	}
1459
1460
1461	/**
1462	* Checks whether the MSR belongs to the set of guest MSRs that we restore
1463	* lazily while leaving VT-x.
1464	*
1465	* @returns true if it does, false otherwise.
1466	* @param pVCpu Pointer to the VMCPU.
1467	* @param uMsr The MSR to check.
1468	*/
1469	static bool hmR0VmxIsLazyGuestMsr(PVMCPU pVCpu, uint32_t uMsr)
1470	{
1471	NOREF(pVCpu);
1472	switch (uMsr)
1473	{
1474	case MSR_K8_LSTAR:
1475	case MSR_K6_STAR:
1476	case MSR_K8_SF_MASK:
1477	case MSR_K8_KERNEL_GS_BASE:
1478	return true;
1479	}
1480	return false;
1481	}
1482
1483
1484	/**
1485	* Saves a set of guest MSRs back into the guest-CPU context.
1486	*
1487	* @param pVCpu Pointer to the VMCPU.
1488	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
1489	* out-of-sync. Make sure to update the required fields
1490	* before using them.
1491	*
1492	* @remarks No-long-jump zone!!!
1493	*/
1494	static void hmR0VmxLazySaveGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
1495	{
1496	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1497	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1498
1499	if (pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
1500	{
1501	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1502	pMixedCtx->msrLSTAR = ASMRdMsr(MSR_K8_LSTAR);
1503	pMixedCtx->msrSTAR = ASMRdMsr(MSR_K6_STAR);
1504	pMixedCtx->msrSFMASK = ASMRdMsr(MSR_K8_SF_MASK);
1505	pMixedCtx->msrKERNELGSBASE = ASMRdMsr(MSR_K8_KERNEL_GS_BASE);
1506	}
1507	}
1508
1509
1510	/**
1511	* Loads a set of guests MSRs to allow read/passthru to the guest.
1512	*
1513	* The name of this function is slightly confusing. This function does NOT
1514	* postpone loading, but loads the MSR right now. "hmR0VmxLazy" is simply a
1515	* common prefix for functions dealing with "lazy restoration" of the shared
1516	* MSRs.
1517	*
1518	* @param pVCpu Pointer to the VMCPU.
1519	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
1520	* out-of-sync. Make sure to update the required fields
1521	* before using them.
1522	*
1523	* @remarks No-long-jump zone!!!
1524	*/
1525	static void hmR0VmxLazyLoadGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
1526	{
1527	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1528	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1529
1530	#define VMXLOCAL_LAZY_LOAD_GUEST_MSR(uMsr, a_GuestMsr, a_HostMsr) \
1531	do { \
1532	if (pMixedCtx->msr##a_GuestMsr != pVCpu->hm.s.vmx.u64Host##a_HostMsr##Msr) \
1533	ASMWrMsr(uMsr, pMixedCtx->msr##a_GuestMsr); \
1534	else \
1535	Assert(ASMRdMsr(uMsr) == pVCpu->hm.s.vmx.u64Host##a_HostMsr##Msr); \
1536	} while (0)
1537
1538	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1539	if (!(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST))
1540	{
1541	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_LSTAR, LSTAR, LStar);
1542	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K6_STAR, STAR, Star);
1543	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_SF_MASK, SFMASK, SFMask);
1544	VMXLOCAL_LAZY_LOAD_GUEST_MSR(MSR_K8_KERNEL_GS_BASE, KERNELGSBASE, KernelGSBase);
1545	pVCpu->hm.s.vmx.fLazyMsrs \|= VMX_LAZY_MSRS_LOADED_GUEST;
1546	}
1547	else
1548	{
1549	ASMWrMsr(MSR_K8_LSTAR, pMixedCtx->msrLSTAR);
1550	ASMWrMsr(MSR_K6_STAR, pMixedCtx->msrSTAR);
1551	ASMWrMsr(MSR_K8_SF_MASK, pMixedCtx->msrSFMASK);
1552	ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pMixedCtx->msrKERNELGSBASE);
1553	}
1554
1555	#undef VMXLOCAL_LAZY_LOAD_GUEST_MSR
1556	}
1557
1558
1559	/**
1560	* Performs lazy restoration of the set of host MSRs if they were previously
1561	* loaded with guest MSR values.
1562	*
1563	* @param pVCpu Pointer to the VMCPU.
1564	*
1565	* @remarks No-long-jump zone!!!
1566	* @remarks The guest MSRs should have been saved back into the guest-CPU
1567	* context by hmR0VmxSaveGuestLazyMsrs()!!!
1568	*/
1569	static void hmR0VmxLazyRestoreHostMsrs(PVMCPU pVCpu)
1570	{
1571	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1572	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
1573
1574	if (pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
1575	{
1576	Assert(pVCpu->hm.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
1577	ASMWrMsr(MSR_K8_LSTAR, pVCpu->hm.s.vmx.u64HostLStarMsr);
1578	ASMWrMsr(MSR_K6_STAR, pVCpu->hm.s.vmx.u64HostStarMsr);
1579	ASMWrMsr(MSR_K8_SF_MASK, pVCpu->hm.s.vmx.u64HostSFMaskMsr);
1580	ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pVCpu->hm.s.vmx.u64HostKernelGSBaseMsr);
1581	}
1582	pVCpu->hm.s.vmx.fLazyMsrs &= ~(VMX_LAZY_MSRS_LOADED_GUEST \| VMX_LAZY_MSRS_SAVED_HOST);
1583	}
1584	#endif /* HC_ARCH_BITS == 64 */
1585
1586
1587	/**
1588	* Verifies that our cached values of the VMCS controls are all
1589	* consistent with what's actually present in the VMCS.
1590	*
1591	* @returns VBox status code.
1592	* @param pVCpu Pointer to the VMCPU.
1593	*/
1594	static int hmR0VmxCheckVmcsCtls(PVMCPU pVCpu)
1595	{
1596	uint32_t u32Val;
1597	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val);
1598	AssertRCReturn(rc, rc);
1599	AssertMsgReturn(pVCpu->hm.s.vmx.u32EntryCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32EntryCtls, u32Val),
1600	VERR_VMX_ENTRY_CTLS_CACHE_INVALID);
1601
1602	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT, &u32Val);
1603	AssertRCReturn(rc, rc);
1604	AssertMsgReturn(pVCpu->hm.s.vmx.u32ExitCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ExitCtls, u32Val),
1605	VERR_VMX_EXIT_CTLS_CACHE_INVALID);
1606
1607	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, &u32Val);
1608	AssertRCReturn(rc, rc);
1609	AssertMsgReturn(pVCpu->hm.s.vmx.u32PinCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32PinCtls, u32Val),
1610	VERR_VMX_PIN_EXEC_CTLS_CACHE_INVALID);
1611
1612	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, &u32Val);
1613	AssertRCReturn(rc, rc);
1614	AssertMsgReturn(pVCpu->hm.s.vmx.u32ProcCtls == u32Val, ("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ProcCtls, u32Val),
1615	VERR_VMX_PROC_EXEC_CTLS_CACHE_INVALID);
1616
1617	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL)
1618	{
1619	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, &u32Val);
1620	AssertRCReturn(rc, rc);
1621	AssertMsgReturn(pVCpu->hm.s.vmx.u32ProcCtls2 == u32Val,
1622	("Cache=%#RX32 VMCS=%#RX32", pVCpu->hm.s.vmx.u32ProcCtls2, u32Val),
1623	VERR_VMX_PROC_EXEC2_CTLS_CACHE_INVALID);
1624	}
1625
1626	return VINF_SUCCESS;
1627	}
1628
1629
1630	#ifdef VBOX_STRICT
1631	/**
1632	* Verifies that our cached host EFER value has not changed
1633	* since we cached it.
1634	*
1635	* @param pVCpu Pointer to the VMCPU.
1636	*/
1637	static void hmR0VmxCheckHostEferMsr(PVMCPU pVCpu)
1638	{
1639	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1640
1641	if (pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR)
1642	{
1643	uint64_t u64Val;
1644	int rc = VMXReadVmcs64(VMX_VMCS64_HOST_FIELD_EFER_FULL, &u64Val);
1645	AssertRC(rc);
1646
1647	uint64_t u64HostEferMsr = ASMRdMsr(MSR_K6_EFER);
1648	AssertMsgReturnVoid(u64HostEferMsr == u64Val, ("u64HostEferMsr=%#RX64 u64Val=%#RX64\n", u64HostEferMsr, u64Val));
1649	}
1650	}
1651
1652
1653	/**
1654	* Verifies whether the guest/host MSR pairs in the auto-load/store area in the
1655	* VMCS are correct.
1656	*
1657	* @param pVCpu Pointer to the VMCPU.
1658	*/
1659	static void hmR0VmxCheckAutoLoadStoreMsrs(PVMCPU pVCpu)
1660	{
1661	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
1662
1663	/* Verify MSR counts in the VMCS are what we think it should be. */
1664	uint32_t cMsrs;
1665	int rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, &cMsrs); AssertRC(rc);
1666	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1667
1668	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, &cMsrs); AssertRC(rc);
1669	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1670
1671	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, &cMsrs); AssertRC(rc);
1672	Assert(cMsrs == pVCpu->hm.s.vmx.cMsrs);
1673
1674	PVMXAUTOMSR pHostMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvHostMsr;
1675	PVMXAUTOMSR pGuestMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
1676	for (uint32_t i = 0; i < cMsrs; i++, pHostMsr++, pGuestMsr++)
1677	{
1678	/* Verify that the MSRs are paired properly and that the host MSR has the correct value. */
1679	AssertMsgReturnVoid(pHostMsr->u32Msr == pGuestMsr->u32Msr, ("HostMsr=%#RX32 GuestMsr=%#RX32 cMsrs=%u\n", pHostMsr->u32Msr,
1680	pGuestMsr->u32Msr, cMsrs));
1681
1682	uint64_t u64Msr = ASMRdMsr(pHostMsr->u32Msr);
1683	AssertMsgReturnVoid(pHostMsr->u64Value == u64Msr, ("u32Msr=%#RX32 VMCS Value=%#RX64 ASMRdMsr=%#RX64 cMsrs=%u\n",
1684	pHostMsr->u32Msr, pHostMsr->u64Value, u64Msr, cMsrs));
1685
1686	/* Verify that the permissions are as expected in the MSR bitmap. */
1687	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
1688	{
1689	VMXMSREXITREAD enmRead;
1690	VMXMSREXITWRITE enmWrite;
1691	rc = hmR0VmxGetMsrPermission(pVCpu, pGuestMsr->u32Msr, &enmRead, &enmWrite);
1692	AssertMsgReturnVoid(rc == VINF_SUCCESS, ("hmR0VmxGetMsrPermission! failed. rc=%Rrc\n", rc));
1693	if (pGuestMsr->u32Msr == MSR_K6_EFER)
1694	{
1695	AssertMsgReturnVoid(enmRead == VMXMSREXIT_INTERCEPT_READ, ("Passthru read for EFER!?\n"));
1696	AssertMsgReturnVoid(enmWrite == VMXMSREXIT_INTERCEPT_WRITE, ("Passthru write for EFER!?\n"));
1697	}
1698	else
1699	{
1700	AssertMsgReturnVoid(enmRead == VMXMSREXIT_PASSTHRU_READ, ("u32Msr=%#RX32 cMsrs=%u No passthru read!\n",
1701	pGuestMsr->u32Msr, cMsrs));
1702	AssertMsgReturnVoid(enmWrite == VMXMSREXIT_PASSTHRU_WRITE, ("u32Msr=%#RX32 cMsrs=%u No passthru write!\n",
1703	pGuestMsr->u32Msr, cMsrs));
1704	}
1705	}
1706	}
1707	}
1708	#endif /* VBOX_STRICT */
1709
1710
1711	/**
1712	* Flushes the TLB using EPT.
1713	*
1714	* @returns VBox status code.
1715	* @param pVCpu Pointer to the VMCPU (can be NULL depending on @a
1716	* enmFlush).
1717	* @param enmFlush Type of flush.
1718	*
1719	* @remarks Caller is responsible for making sure this function is called only
1720	* when NestedPaging is supported and providing @a enmFlush that is
1721	* supported by the CPU.
1722	* @remarks Can be called with interrupts disabled.
1723	*/
1724	static void hmR0VmxFlushEpt(PVMCPU pVCpu, VMXFLUSHEPT enmFlush)
1725	{
1726	uint64_t au64Descriptor[2];
1727	if (enmFlush == VMXFLUSHEPT_ALL_CONTEXTS)
1728	au64Descriptor[0] = 0;
1729	else
1730	{
1731	Assert(pVCpu);
1732	au64Descriptor[0] = pVCpu->hm.s.vmx.HCPhysEPTP;
1733	}
1734	au64Descriptor[1] = 0; /* MBZ. Intel spec. 33.3 "VMX Instructions" */
1735
1736	int rc = VMXR0InvEPT(enmFlush, &au64Descriptor[0]);
1737	AssertMsg(rc == VINF_SUCCESS, ("VMXR0InvEPT %#x %RGv failed with %Rrc\n", enmFlush, pVCpu ? pVCpu->hm.s.vmx.HCPhysEPTP : 0,
1738	rc));
1739	if ( RT_SUCCESS(rc)
1740	&& pVCpu)
1741	{
1742	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushNestedPaging);
1743	}
1744	}
1745
1746
1747	/**
1748	* Flushes the TLB using VPID.
1749	*
1750	* @returns VBox status code.
1751	* @param pVM Pointer to the VM.
1752	* @param pVCpu Pointer to the VMCPU (can be NULL depending on @a
1753	* enmFlush).
1754	* @param enmFlush Type of flush.
1755	* @param GCPtr Virtual address of the page to flush (can be 0 depending
1756	* on @a enmFlush).
1757	*
1758	* @remarks Can be called with interrupts disabled.
1759	*/
1760	static void hmR0VmxFlushVpid(PVM pVM, PVMCPU pVCpu, VMXFLUSHVPID enmFlush, RTGCPTR GCPtr)
1761	{
1762	NOREF(pVM);
1763	AssertPtr(pVM);
1764	Assert(pVM->hm.s.vmx.fVpid);
1765
1766	uint64_t au64Descriptor[2];
1767	if (enmFlush == VMXFLUSHVPID_ALL_CONTEXTS)
1768	{
1769	au64Descriptor[0] = 0;
1770	au64Descriptor[1] = 0;
1771	}
1772	else
1773	{
1774	AssertPtr(pVCpu);
1775	AssertMsg(pVCpu->hm.s.uCurrentAsid != 0, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hm.s.uCurrentAsid));
1776	AssertMsg(pVCpu->hm.s.uCurrentAsid <= UINT16_MAX, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hm.s.uCurrentAsid));
1777	au64Descriptor[0] = pVCpu->hm.s.uCurrentAsid;
1778	au64Descriptor[1] = GCPtr;
1779	}
1780
1781	int rc = VMXR0InvVPID(enmFlush, &au64Descriptor[0]); NOREF(rc);
1782	AssertMsg(rc == VINF_SUCCESS,
1783	("VMXR0InvVPID %#x %u %RGv failed with %d\n", enmFlush, pVCpu ? pVCpu->hm.s.uCurrentAsid : 0, GCPtr, rc));
1784	if ( RT_SUCCESS(rc)
1785	&& pVCpu)
1786	{
1787	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushAsid);
1788	}
1789	}
1790
1791
1792	/**
1793	* Invalidates a guest page by guest virtual address. Only relevant for
1794	* EPT/VPID, otherwise there is nothing really to invalidate.
1795	*
1796	* @returns VBox status code.
1797	* @param pVM Pointer to the VM.
1798	* @param pVCpu Pointer to the VMCPU.
1799	* @param GCVirt Guest virtual address of the page to invalidate.
1800	*/
1801	VMMR0DECL(int) VMXR0InvalidatePage(PVM pVM, PVMCPU pVCpu, RTGCPTR GCVirt)
1802	{
1803	AssertPtr(pVM);
1804	AssertPtr(pVCpu);
1805	LogFlowFunc(("pVM=%p pVCpu=%p GCVirt=%RGv\n", pVM, pVCpu, GCVirt));
1806
1807	bool fFlushPending = VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_TLB_FLUSH);
1808	if (!fFlushPending)
1809	{
1810	/*
1811	* We must invalidate the guest TLB entry in either case, we cannot ignore it even for the EPT case
1812	* See @bugref{6043} and @bugref{6177}.
1813	*
1814	* Set the VMCPU_FF_TLB_FLUSH force flag and flush before VM-entry in hmR0VmxFlushTLB*() as this
1815	* function maybe called in a loop with individual addresses.
1816	*/
1817	if (pVM->hm.s.vmx.fVpid)
1818	{
1819	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_INDIV_ADDR)
1820	{
1821	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_INDIV_ADDR, GCVirt);
1822	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbInvlpgVirt);
1823	}
1824	else
1825	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1826	}
1827	else if (pVM->hm.s.fNestedPaging)
1828	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1829	}
1830
1831	return VINF_SUCCESS;
1832	}
1833
1834
1835	/**
1836	* Invalidates a guest page by physical address. Only relevant for EPT/VPID,
1837	* otherwise there is nothing really to invalidate.
1838	*
1839	* @returns VBox status code.
1840	* @param pVM Pointer to the VM.
1841	* @param pVCpu Pointer to the VMCPU.
1842	* @param GCPhys Guest physical address of the page to invalidate.
1843	*/
1844	VMMR0DECL(int) VMXR0InvalidatePhysPage(PVM pVM, PVMCPU pVCpu, RTGCPHYS GCPhys)
1845	{
1846	NOREF(pVM); NOREF(GCPhys);
1847	LogFlowFunc(("%RGp\n", GCPhys));
1848
1849	/*
1850	* We cannot flush a page by guest-physical address. invvpid takes only a linear address while invept only flushes
1851	* by EPT not individual addresses. We update the force flag here and flush before the next VM-entry in hmR0VmxFlushTLB*().
1852	* This function might be called in a loop. This should cause a flush-by-EPT if EPT is in use. See @bugref{6568}.
1853	*/
1854	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
1855	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbInvlpgPhys);
1856	return VINF_SUCCESS;
1857	}
1858
1859
1860	/**
1861	* Dummy placeholder for tagged-TLB flush handling before VM-entry. Used in the
1862	* case where neither EPT nor VPID is supported by the CPU.
1863	*
1864	* @param pVM Pointer to the VM.
1865	* @param pVCpu Pointer to the VMCPU.
1866	* @param pCpu Pointer to the global HM struct.
1867	*
1868	* @remarks Called with interrupts disabled.
1869	*/
1870	static void hmR0VmxFlushTaggedTlbNone(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
1871	{
1872	AssertPtr(pVCpu);
1873	AssertPtr(pCpu);
1874	NOREF(pVM);
1875
1876	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH);
1877
1878	Assert(pCpu->idCpu != NIL_RTCPUID);
1879	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
1880	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
1881	pVCpu->hm.s.fForceTLBFlush = false;
1882	return;
1883	}
1884
1885
1886	/**
1887	* Flushes the tagged-TLB entries for EPT+VPID CPUs as necessary.
1888	*
1889	* @param pVM Pointer to the VM.
1890	* @param pVCpu Pointer to the VMCPU.
1891	* @param pCpu Pointer to the global HM CPU struct.
1892	* @remarks All references to "ASID" in this function pertains to "VPID" in
1893	* Intel's nomenclature. The reason is, to avoid confusion in compare
1894	* statements since the host-CPU copies are named "ASID".
1895	*
1896	* @remarks Called with interrupts disabled.
1897	*/
1898	static void hmR0VmxFlushTaggedTlbBoth(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
1899	{
1900	#ifdef VBOX_WITH_STATISTICS
1901	bool fTlbFlushed = false;
1902	# define HMVMX_SET_TAGGED_TLB_FLUSHED() do { fTlbFlushed = true; } while (0)
1903	# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT() do { \
1904	if (!fTlbFlushed) \
1905	STAM_COUNTER_INC(&pVCpu->hm.s.StatNoFlushTlbWorldSwitch); \
1906	} while (0)
1907	#else
1908	# define HMVMX_SET_TAGGED_TLB_FLUSHED() do { } while (0)
1909	# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT() do { } while (0)
1910	#endif
1911
1912	AssertPtr(pVM);
1913	AssertPtr(pCpu);
1914	AssertPtr(pVCpu);
1915	Assert(pCpu->idCpu != NIL_RTCPUID);
1916
1917	AssertMsg(pVM->hm.s.fNestedPaging && pVM->hm.s.vmx.fVpid,
1918	("hmR0VmxFlushTaggedTlbBoth cannot be invoked unless NestedPaging & VPID are enabled."
1919	"fNestedPaging=%RTbool fVpid=%RTbool", pVM->hm.s.fNestedPaging, pVM->hm.s.vmx.fVpid));
1920
1921	/*
1922	* Force a TLB flush for the first world-switch if the current CPU differs from the one we ran on last.
1923	* If the TLB flush count changed, another VM (VCPU rather) has hit the ASID limit while flushing the TLB
1924	* or the host CPU is online after a suspend/resume, so we cannot reuse the current ASID anymore.
1925	*/
1926	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
1927	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
1928	{
1929	++pCpu->uCurrentAsid;
1930	if (pCpu->uCurrentAsid >= pVM->hm.s.uMaxAsid)
1931	{
1932	pCpu->uCurrentAsid = 1; /* Wraparound to 1; host uses 0. */
1933	pCpu->cTlbFlushes++; /* All VCPUs that run on this host CPU must use a new VPID. */
1934	pCpu->fFlushAsidBeforeUse = true; /* All VCPUs that run on this host CPU must flush their new VPID before use. */
1935	}
1936
1937	pVCpu->hm.s.uCurrentAsid = pCpu->uCurrentAsid;
1938	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
1939	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
1940
1941	/*
1942	* Flush by EPT when we get rescheduled to a new host CPU to ensure EPT-only tagged mappings are also
1943	* invalidated. We don't need to flush-by-VPID here as flushing by EPT covers it. See @bugref{6568}.
1944	*/
1945	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
1946	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
1947	HMVMX_SET_TAGGED_TLB_FLUSHED();
1948	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH); /* Already flushed-by-EPT, skip doing it again below. */
1949	}
1950
1951	/* Check for explicit TLB flushes. */
1952	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
1953	{
1954	/*
1955	* Changes to the EPT paging structure by VMM requires flushing by EPT as the CPU creates
1956	* guest-physical (only EPT-tagged) mappings while traversing the EPT tables when EPT is in use.
1957	* Flushing by VPID will only flush linear (only VPID-tagged) and combined (EPT+VPID tagged) mappings
1958	* but not guest-physical mappings.
1959	* See Intel spec. 28.3.2 "Creating and Using Cached Translation Information". See @bugref{6568}.
1960	*/
1961	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
1962	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
1963	HMVMX_SET_TAGGED_TLB_FLUSHED();
1964	}
1965
1966	pVCpu->hm.s.fForceTLBFlush = false;
1967	HMVMX_UPDATE_FLUSH_SKIPPED_STAT();
1968
1969	Assert(pVCpu->hm.s.idLastCpu == pCpu->idCpu);
1970	Assert(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes);
1971	AssertMsg(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes,
1972	("Flush count mismatch for cpu %d (%u vs %u)\n", pCpu->idCpu, pVCpu->hm.s.cTlbFlushes, pCpu->cTlbFlushes));
1973	AssertMsg(pCpu->uCurrentAsid >= 1 && pCpu->uCurrentAsid < pVM->hm.s.uMaxAsid,
1974	("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pCpu->idCpu,
1975	pCpu->uCurrentAsid, pCpu->cTlbFlushes, pVCpu->hm.s.idLastCpu, pVCpu->hm.s.cTlbFlushes));
1976	AssertMsg(pVCpu->hm.s.uCurrentAsid >= 1 && pVCpu->hm.s.uCurrentAsid < pVM->hm.s.uMaxAsid,
1977	("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pCpu->idCpu, pVCpu->hm.s.uCurrentAsid));
1978
1979	/* Update VMCS with the VPID. */
1980	int rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_FIELD_VPID, pVCpu->hm.s.uCurrentAsid);
1981	AssertRC(rc);
1982
1983	#undef HMVMX_SET_TAGGED_TLB_FLUSHED
1984	}
1985
1986
1987	/**
1988	* Flushes the tagged-TLB entries for EPT CPUs as necessary.
1989	*
1990	* @returns VBox status code.
1991	* @param pVM Pointer to the VM.
1992	* @param pVCpu Pointer to the VMCPU.
1993	* @param pCpu Pointer to the global HM CPU struct.
1994	*
1995	* @remarks Called with interrupts disabled.
1996	*/
1997	static void hmR0VmxFlushTaggedTlbEpt(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
1998	{
1999	AssertPtr(pVM);
2000	AssertPtr(pVCpu);
2001	AssertPtr(pCpu);
2002	Assert(pCpu->idCpu != NIL_RTCPUID);
2003	AssertMsg(pVM->hm.s.fNestedPaging, ("hmR0VmxFlushTaggedTlbEpt cannot be invoked with NestedPaging disabled."));
2004	AssertMsg(!pVM->hm.s.vmx.fVpid, ("hmR0VmxFlushTaggedTlbEpt cannot be invoked with VPID enabled."));
2005
2006	/*
2007	* Force a TLB flush for the first world-switch if the current CPU differs from the one we ran on last.
2008	* A change in the TLB flush count implies the host CPU is online after a suspend/resume.
2009	*/
2010	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
2011	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
2012	{
2013	pVCpu->hm.s.fForceTLBFlush = true;
2014	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
2015	}
2016
2017	/* Check for explicit TLB flushes. */
2018	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
2019	{
2020	pVCpu->hm.s.fForceTLBFlush = true;
2021	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
2022	}
2023
2024	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
2025	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
2026
2027	if (pVCpu->hm.s.fForceTLBFlush)
2028	{
2029	hmR0VmxFlushEpt(pVCpu, pVM->hm.s.vmx.enmFlushEpt);
2030	pVCpu->hm.s.fForceTLBFlush = false;
2031	}
2032	}
2033
2034
2035	/**
2036	* Flushes the tagged-TLB entries for VPID CPUs as necessary.
2037	*
2038	* @returns VBox status code.
2039	* @param pVM Pointer to the VM.
2040	* @param pVCpu Pointer to the VMCPU.
2041	* @param pCpu Pointer to the global HM CPU struct.
2042	*
2043	* @remarks Called with interrupts disabled.
2044	*/
2045	static void hmR0VmxFlushTaggedTlbVpid(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
2046	{
2047	AssertPtr(pVM);
2048	AssertPtr(pVCpu);
2049	AssertPtr(pCpu);
2050	Assert(pCpu->idCpu != NIL_RTCPUID);
2051	AssertMsg(pVM->hm.s.vmx.fVpid, ("hmR0VmxFlushTlbVpid cannot be invoked with VPID disabled."));
2052	AssertMsg(!pVM->hm.s.fNestedPaging, ("hmR0VmxFlushTlbVpid cannot be invoked with NestedPaging enabled"));
2053
2054	/*
2055	* Force a TLB flush for the first world switch if the current CPU differs from the one we ran on last.
2056	* If the TLB flush count changed, another VM (VCPU rather) has hit the ASID limit while flushing the TLB
2057	* or the host CPU is online after a suspend/resume, so we cannot reuse the current ASID anymore.
2058	*/
2059	if ( pVCpu->hm.s.idLastCpu != pCpu->idCpu
2060	\|\| pVCpu->hm.s.cTlbFlushes != pCpu->cTlbFlushes)
2061	{
2062	pVCpu->hm.s.fForceTLBFlush = true;
2063	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
2064	}
2065
2066	/* Check for explicit TLB flushes. */
2067	if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
2068	{
2069	/*
2070	* If we ever support VPID flush combinations other than ALL or SINGLE-context (see hmR0VmxSetupTaggedTlb())
2071	* we would need to explicitly flush in this case (add an fExplicitFlush = true here and change the
2072	* pCpu->fFlushAsidBeforeUse check below to include fExplicitFlush's too) - an obscure corner case.
2073	*/
2074	pVCpu->hm.s.fForceTLBFlush = true;
2075	STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
2076	}
2077
2078	pVCpu->hm.s.idLastCpu = pCpu->idCpu;
2079	if (pVCpu->hm.s.fForceTLBFlush)
2080	{
2081	++pCpu->uCurrentAsid;
2082	if (pCpu->uCurrentAsid >= pVM->hm.s.uMaxAsid)
2083	{
2084	pCpu->uCurrentAsid = 1; /* Wraparound to 1; host uses 0 */
2085	pCpu->cTlbFlushes++; /* All VCPUs that run on this host CPU must use a new VPID. */
2086	pCpu->fFlushAsidBeforeUse = true; /* All VCPUs that run on this host CPU must flush their new VPID before use. */
2087	}
2088
2089	pVCpu->hm.s.fForceTLBFlush = false;
2090	pVCpu->hm.s.cTlbFlushes = pCpu->cTlbFlushes;
2091	pVCpu->hm.s.uCurrentAsid = pCpu->uCurrentAsid;
2092	if (pCpu->fFlushAsidBeforeUse)
2093	{
2094	if (pVM->hm.s.vmx.enmFlushVpid == VMXFLUSHVPID_SINGLE_CONTEXT)
2095	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_SINGLE_CONTEXT, 0 /* GCPtr */);
2096	else if (pVM->hm.s.vmx.enmFlushVpid == VMXFLUSHVPID_ALL_CONTEXTS)
2097	{
2098	hmR0VmxFlushVpid(pVM, pVCpu, VMXFLUSHVPID_ALL_CONTEXTS, 0 /* GCPtr */);
2099	pCpu->fFlushAsidBeforeUse = false;
2100	}
2101	else
2102	{
2103	/* hmR0VmxSetupTaggedTlb() ensures we never get here. Paranoia. */
2104	AssertMsgFailed(("Unsupported VPID-flush context type.\n"));
2105	}
2106	}
2107	}
2108
2109	AssertMsg(pVCpu->hm.s.cTlbFlushes == pCpu->cTlbFlushes,
2110	("Flush count mismatch for cpu %d (%u vs %u)\n", pCpu->idCpu, pVCpu->hm.s.cTlbFlushes, pCpu->cTlbFlushes));
2111	AssertMsg(pCpu->uCurrentAsid >= 1 && pCpu->uCurrentAsid < pVM->hm.s.uMaxAsid,
2112	("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pCpu->idCpu,
2113	pCpu->uCurrentAsid, pCpu->cTlbFlushes, pVCpu->hm.s.idLastCpu, pVCpu->hm.s.cTlbFlushes));
2114	AssertMsg(pVCpu->hm.s.uCurrentAsid >= 1 && pVCpu->hm.s.uCurrentAsid < pVM->hm.s.uMaxAsid,
2115	("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pCpu->idCpu, pVCpu->hm.s.uCurrentAsid));
2116
2117	int rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_FIELD_VPID, pVCpu->hm.s.uCurrentAsid);
2118	AssertRC(rc);
2119	}
2120
2121
2122	/**
2123	* Flushes the guest TLB entry based on CPU capabilities.
2124	*
2125	* @param pVCpu Pointer to the VMCPU.
2126	* @param pCpu Pointer to the global HM CPU struct.
2127	*/
2128	DECLINLINE(void) hmR0VmxFlushTaggedTlb(PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
2129	{
2130	#ifdef HMVMX_ALWAYS_FLUSH_TLB
2131	VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
2132	#endif
2133	PVM pVM = pVCpu->CTX_SUFF(pVM);
2134	switch (pVM->hm.s.vmx.uFlushTaggedTlb)
2135	{
2136	case HMVMX_FLUSH_TAGGED_TLB_EPT_VPID: hmR0VmxFlushTaggedTlbBoth(pVM, pVCpu, pCpu); break;
2137	case HMVMX_FLUSH_TAGGED_TLB_EPT: hmR0VmxFlushTaggedTlbEpt(pVM, pVCpu, pCpu); break;
2138	case HMVMX_FLUSH_TAGGED_TLB_VPID: hmR0VmxFlushTaggedTlbVpid(pVM, pVCpu, pCpu); break;
2139	case HMVMX_FLUSH_TAGGED_TLB_NONE: hmR0VmxFlushTaggedTlbNone(pVM, pVCpu, pCpu); break;
2140	default:
2141	AssertMsgFailed(("Invalid flush-tag function identifier\n"));
2142	break;
2143	}
2144
2145	/* Don't assert that VMCPU_FF_TLB_FLUSH should no longer be pending. It can be set by other EMTs. */
2146	}
2147
2148
2149	/**
2150	* Sets up the appropriate tagged TLB-flush level and handler for flushing guest
2151	* TLB entries from the host TLB before VM-entry.
2152	*
2153	* @returns VBox status code.
2154	* @param pVM Pointer to the VM.
2155	*/
2156	static int hmR0VmxSetupTaggedTlb(PVM pVM)
2157	{
2158	/*
2159	* Determine optimal flush type for Nested Paging.
2160	* We cannot ignore EPT if no suitable flush-types is supported by the CPU as we've already setup unrestricted
2161	* guest execution (see hmR3InitFinalizeR0()).
2162	*/
2163	if (pVM->hm.s.fNestedPaging)
2164	{
2165	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT)
2166	{
2167	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_SINGLE_CONTEXT)
2168	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_SINGLE_CONTEXT;
2169	else if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_ALL_CONTEXTS)
2170	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_ALL_CONTEXTS;
2171	else
2172	{
2173	/* Shouldn't happen. EPT is supported but no suitable flush-types supported. */
2174	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2175	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_FLUSH_TYPE_UNSUPPORTED;
2176	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2177	}
2178
2179	/* Make sure the write-back cacheable memory type for EPT is supported. */
2180	if (RT_UNLIKELY(!(pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_EMT_WB)))
2181	{
2182	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2183	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_MEM_TYPE_NOT_WB;
2184	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2185	}
2186
2187	/* EPT requires a page-walk length of 4. */
2188	if (RT_UNLIKELY(!(pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_PAGE_WALK_LENGTH_4)))
2189	{
2190	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2191	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_PAGE_WALK_LENGTH_UNSUPPORTED;
2192	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2193	}
2194	}
2195	else
2196	{
2197	/* Shouldn't happen. EPT is supported but INVEPT instruction is not supported. */
2198	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NOT_SUPPORTED;
2199	pVM->aCpus[0].hm.s.u32HMError = VMX_UFC_EPT_INVEPT_UNAVAILABLE;
2200	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2201	}
2202	}
2203
2204	/*
2205	* Determine optimal flush type for VPID.
2206	*/
2207	if (pVM->hm.s.vmx.fVpid)
2208	{
2209	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID)
2210	{
2211	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT)
2212	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_SINGLE_CONTEXT;
2213	else if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_ALL_CONTEXTS)
2214	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_ALL_CONTEXTS;
2215	else
2216	{
2217	/* Neither SINGLE nor ALL-context flush types for VPID is supported by the CPU. Ignore VPID capability. */
2218	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_INDIV_ADDR)
2219	LogRel(("hmR0VmxSetupTaggedTlb: Only INDIV_ADDR supported. Ignoring VPID.\n"));
2220	if (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT_RETAIN_GLOBALS)
2221	LogRel(("hmR0VmxSetupTaggedTlb: Only SINGLE_CONTEXT_RETAIN_GLOBALS supported. Ignoring VPID.\n"));
2222	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NOT_SUPPORTED;
2223	pVM->hm.s.vmx.fVpid = false;
2224	}
2225	}
2226	else
2227	{
2228	/* Shouldn't happen. VPID is supported but INVVPID is not supported by the CPU. Ignore VPID capability. */
2229	Log4(("hmR0VmxSetupTaggedTlb: VPID supported without INVEPT support. Ignoring VPID.\n"));
2230	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NOT_SUPPORTED;
2231	pVM->hm.s.vmx.fVpid = false;
2232	}
2233	}
2234
2235	/*
2236	* Setup the handler for flushing tagged-TLBs.
2237	*/
2238	if (pVM->hm.s.fNestedPaging && pVM->hm.s.vmx.fVpid)
2239	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_EPT_VPID;
2240	else if (pVM->hm.s.fNestedPaging)
2241	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_EPT;
2242	else if (pVM->hm.s.vmx.fVpid)
2243	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_VPID;
2244	else
2245	pVM->hm.s.vmx.uFlushTaggedTlb = HMVMX_FLUSH_TAGGED_TLB_NONE;
2246	return VINF_SUCCESS;
2247	}
2248
2249
2250	/**
2251	* Sets up pin-based VM-execution controls in the VMCS.
2252	*
2253	* @returns VBox status code.
2254	* @param pVM Pointer to the VM.
2255	* @param pVCpu Pointer to the VMCPU.
2256	*/
2257	static int hmR0VmxSetupPinCtls(PVM pVM, PVMCPU pVCpu)
2258	{
2259	AssertPtr(pVM);
2260	AssertPtr(pVCpu);
2261
2262	uint32_t val = pVM->hm.s.vmx.Msrs.VmxPinCtls.n.disallowed0; /* Bits set here must always be set. */
2263	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1; /* Bits cleared here must always be cleared. */
2264
2265	val \|= VMX_VMCS_CTRL_PIN_EXEC_EXT_INT_EXIT /* External interrupts cause a VM-exit. */
2266	\| VMX_VMCS_CTRL_PIN_EXEC_NMI_EXIT; /* Non-maskable interrupts (NMIs) cause a VM-exit. */
2267
2268	if (pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1 & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
2269	val \|= VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI; /* Use virtual NMIs and virtual-NMI blocking features. */
2270
2271	/* Enable the VMX preemption timer. */
2272	if (pVM->hm.s.vmx.fUsePreemptTimer)
2273	{
2274	Assert(pVM->hm.s.vmx.Msrs.VmxPinCtls.n.allowed1 & VMX_VMCS_CTRL_PIN_EXEC_PREEMPT_TIMER);
2275	val \|= VMX_VMCS_CTRL_PIN_EXEC_PREEMPT_TIMER;
2276	}
2277
2278	if ((val & zap) != val)
2279	{
2280	LogRel(("hmR0VmxSetupPinCtls: Invalid pin-based VM-execution controls combo! cpu=%#RX64 val=%#RX64 zap=%#RX64\n",
2281	pVM->hm.s.vmx.Msrs.VmxPinCtls.n.disallowed0, val, zap));
2282	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PIN_EXEC;
2283	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2284	}
2285
2286	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, val);
2287	AssertRCReturn(rc, rc);
2288
2289	pVCpu->hm.s.vmx.u32PinCtls = val;
2290	return rc;
2291	}
2292
2293
2294	/**
2295	* Sets up processor-based VM-execution controls in the VMCS.
2296	*
2297	* @returns VBox status code.
2298	* @param pVM Pointer to the VM.
2299	* @param pVCpu Pointer to the VMCPU.
2300	*/
2301	static int hmR0VmxSetupProcCtls(PVM pVM, PVMCPU pVCpu)
2302	{
2303	AssertPtr(pVM);
2304	AssertPtr(pVCpu);
2305
2306	int rc = VERR_INTERNAL_ERROR_5;
2307	uint32_t val = pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0; /* Bits set here must be set in the VMCS. */
2308	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
2309
2310	val \|= VMX_VMCS_CTRL_PROC_EXEC_HLT_EXIT /* HLT causes a VM-exit. */
2311	\| VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING /* Use TSC-offsetting. */
2312	\| VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT /* MOV DRx causes a VM-exit. */
2313	\| VMX_VMCS_CTRL_PROC_EXEC_UNCOND_IO_EXIT /* All IO instructions cause a VM-exit. */
2314	\| VMX_VMCS_CTRL_PROC_EXEC_RDPMC_EXIT /* RDPMC causes a VM-exit. */
2315	\| VMX_VMCS_CTRL_PROC_EXEC_MONITOR_EXIT /* MONITOR causes a VM-exit. */
2316	\| VMX_VMCS_CTRL_PROC_EXEC_MWAIT_EXIT; /* MWAIT causes a VM-exit. */
2317
2318	/* We toggle VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT later, check if it's not -always- needed to be set or clear. */
2319	if ( !(pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT)
2320	\|\| (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0 & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT))
2321	{
2322	LogRel(("hmR0VmxSetupProcCtls: Unsupported VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT combo!"));
2323	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_MOV_DRX_EXIT;
2324	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2325	}
2326
2327	/* Without Nested Paging, INVLPG (also affects INVPCID) and MOV CR3 instructions should cause VM-exits. */
2328	if (!pVM->hm.s.fNestedPaging)
2329	{
2330	Assert(!pVM->hm.s.vmx.fUnrestrictedGuest); /* Paranoia. */
2331	val \|= VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT
2332	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
2333	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
2334	}
2335
2336	/* Use TPR shadowing if supported by the CPU. */
2337	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
2338	{
2339	Assert(pVCpu->hm.s.vmx.HCPhysVirtApic);
2340	Assert(!(pVCpu->hm.s.vmx.HCPhysVirtApic & 0xfff)); /* Bits 11:0 MBZ. */
2341	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, 0);
2342	rc \|= VMXWriteVmcs64(VMX_VMCS64_CTRL_VAPIC_PAGEADDR_FULL, pVCpu->hm.s.vmx.HCPhysVirtApic);
2343	AssertRCReturn(rc, rc);
2344
2345	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW; /* CR8 reads from the Virtual-APIC page. */
2346	/* CR8 writes cause a VM-exit based on TPR threshold. */
2347	Assert(!(val & VMX_VMCS_CTRL_PROC_EXEC_CR8_STORE_EXIT));
2348	Assert(!(val & VMX_VMCS_CTRL_PROC_EXEC_CR8_LOAD_EXIT));
2349	}
2350	else
2351	{
2352	/*
2353	* Some 32-bit CPUs do not support CR8 load/store exiting as MOV CR8 is invalid on 32-bit Intel CPUs.
2354	* Set this control only for 64-bit guests.
2355	*/
2356	if (pVM->hm.s.fAllow64BitGuests)
2357	{
2358	val \|= VMX_VMCS_CTRL_PROC_EXEC_CR8_STORE_EXIT /* CR8 reads cause a VM-exit. */
2359	\| VMX_VMCS_CTRL_PROC_EXEC_CR8_LOAD_EXIT; /* CR8 writes cause a VM-exit. */
2360	}
2361	}
2362
2363	/* Use MSR-bitmaps if supported by the CPU. */
2364	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
2365	{
2366	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS;
2367
2368	Assert(pVCpu->hm.s.vmx.HCPhysMsrBitmap);
2369	Assert(!(pVCpu->hm.s.vmx.HCPhysMsrBitmap & 0xfff)); /* Bits 11:0 MBZ. */
2370	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_MSR_BITMAP_FULL, pVCpu->hm.s.vmx.HCPhysMsrBitmap);
2371	AssertRCReturn(rc, rc);
2372
2373	/*
2374	* The guest can access the following MSRs (read, write) without causing VM-exits; they are loaded/stored
2375	* automatically using dedicated fields in the VMCS.
2376	*/
2377	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_CS, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2378	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_ESP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2379	hmR0VmxSetMsrPermission(pVCpu, MSR_IA32_SYSENTER_EIP, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2380	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_GS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2381	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_FS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2382
2383	#if HC_ARCH_BITS == 64
2384	/*
2385	* Set passthru permissions for the following MSRs (mandatory for VT-x) required for 64-bit guests.
2386	*/
2387	if (pVM->hm.s.fAllow64BitGuests)
2388	{
2389	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_LSTAR, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2390	hmR0VmxSetMsrPermission(pVCpu, MSR_K6_STAR, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2391	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_SF_MASK, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2392	hmR0VmxSetMsrPermission(pVCpu, MSR_K8_KERNEL_GS_BASE, VMXMSREXIT_PASSTHRU_READ, VMXMSREXIT_PASSTHRU_WRITE);
2393	}
2394	#endif
2395	}
2396
2397	/* Use the secondary processor-based VM-execution controls if supported by the CPU. */
2398	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL)
2399	val \|= VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL;
2400
2401	if ((val & zap) != val)
2402	{
2403	LogRel(("hmR0VmxSetupProcCtls: Invalid processor-based VM-execution controls combo! cpu=%#RX64 val=%#RX64 zap=%#RX64\n",
2404	pVM->hm.s.vmx.Msrs.VmxProcCtls.n.disallowed0, val, zap));
2405	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC;
2406	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2407	}
2408
2409	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, val);
2410	AssertRCReturn(rc, rc);
2411
2412	pVCpu->hm.s.vmx.u32ProcCtls = val;
2413
2414	/*
2415	* Secondary processor-based VM-execution controls.
2416	*/
2417	if (RT_LIKELY(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_SECONDARY_EXEC_CTRL))
2418	{
2419	val = pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.disallowed0; /* Bits set here must be set in the VMCS. */
2420	zap = pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
2421
2422	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_WBINVD_EXIT)
2423	val \|= VMX_VMCS_CTRL_PROC_EXEC2_WBINVD_EXIT; /* WBINVD causes a VM-exit. */
2424
2425	if (pVM->hm.s.fNestedPaging)
2426	val \|= VMX_VMCS_CTRL_PROC_EXEC2_EPT; /* Enable EPT. */
2427	else
2428	{
2429	/*
2430	* Without Nested Paging, INVPCID should cause a VM-exit. Enabling this bit causes the CPU to refer to
2431	* VMX_VMCS_CTRL_PROC_EXEC_INVLPG_EXIT when INVPCID is executed by the guest.
2432	* See Intel spec. 25.4 "Changes to instruction behaviour in VMX non-root operation".
2433	*/
2434	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_INVPCID)
2435	val \|= VMX_VMCS_CTRL_PROC_EXEC2_INVPCID;
2436	}
2437
2438	if (pVM->hm.s.vmx.fVpid)
2439	val \|= VMX_VMCS_CTRL_PROC_EXEC2_VPID; /* Enable VPID. */
2440
2441	if (pVM->hm.s.vmx.fUnrestrictedGuest)
2442	val \|= VMX_VMCS_CTRL_PROC_EXEC2_UNRESTRICTED_GUEST; /* Enable Unrestricted Execution. */
2443
2444	/* Enable Virtual-APIC page accesses if supported by the CPU. This is essentially where the TPR shadow resides. */
2445	/** @todo VIRT_X2APIC support, it's mutually exclusive with this. So must be
2446	* done dynamically. */
2447	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC)
2448	{
2449	Assert(pVM->hm.s.vmx.HCPhysApicAccess);
2450	Assert(!(pVM->hm.s.vmx.HCPhysApicAccess & 0xfff)); /* Bits 11:0 MBZ. */
2451	val \|= VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC; /* Virtualize APIC accesses. */
2452	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_APIC_ACCESSADDR_FULL, pVM->hm.s.vmx.HCPhysApicAccess);
2453	AssertRCReturn(rc, rc);
2454	}
2455
2456	if (pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP)
2457	val \|= VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP; /* Enable RDTSCP support. */
2458
2459	if ( pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC2_PAUSE_LOOP_EXIT
2460	&& pVM->hm.s.vmx.cPleGapTicks
2461	&& pVM->hm.s.vmx.cPleWindowTicks)
2462	{
2463	val \|= VMX_VMCS_CTRL_PROC_EXEC2_PAUSE_LOOP_EXIT; /* Enable pause-loop exiting. */
2464
2465	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PLE_GAP, pVM->hm.s.vmx.cPleGapTicks);
2466	AssertRCReturn(rc, rc);
2467
2468	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PLE_WINDOW, pVM->hm.s.vmx.cPleWindowTicks);
2469	AssertRCReturn(rc, rc);
2470	}
2471
2472	if ((val & zap) != val)
2473	{
2474	LogRel(("hmR0VmxSetupProcCtls: Invalid secondary processor-based VM-execution controls combo! "
2475	"cpu=%#RX64 val=%#RX64 zap=%#RX64\n", pVM->hm.s.vmx.Msrs.VmxProcCtls2.n.disallowed0, val, zap));
2476	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC2;
2477	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2478	}
2479
2480	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, val);
2481	AssertRCReturn(rc, rc);
2482
2483	pVCpu->hm.s.vmx.u32ProcCtls2 = val;
2484	}
2485	else if (RT_UNLIKELY(pVM->hm.s.vmx.fUnrestrictedGuest))
2486	{
2487	LogRel(("hmR0VmxSetupProcCtls: Unrestricted Guest set as true when secondary processor-based VM-execution controls not "
2488	"available\n"));
2489	pVCpu->hm.s.u32HMError = VMX_UFC_INVALID_UX_COMBO;
2490	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
2491	}
2492
2493	return VINF_SUCCESS;
2494	}
2495
2496
2497	/**
2498	* Sets up miscellaneous (everything other than Pin & Processor-based
2499	* VM-execution) control fields in the VMCS.
2500	*
2501	* @returns VBox status code.
2502	* @param pVM Pointer to the VM.
2503	* @param pVCpu Pointer to the VMCPU.
2504	*/
2505	static int hmR0VmxSetupMiscCtls(PVM pVM, PVMCPU pVCpu)
2506	{
2507	NOREF(pVM);
2508	AssertPtr(pVM);
2509	AssertPtr(pVCpu);
2510
2511	int rc = VERR_GENERAL_FAILURE;
2512
2513	/* All fields are zero-initialized during allocation; but don't remove the commented block below. */
2514	#if 0
2515	/* All CR3 accesses cause VM-exits. Later we optimize CR3 accesses (see hmR0VmxLoadGuestCR3AndCR4())*/
2516	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_CR3_TARGET_COUNT, 0); AssertRCReturn(rc, rc);
2517	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_TSC_OFFSET_FULL, 0); AssertRCReturn(rc, rc);
2518
2519	/*
2520	* Set MASK & MATCH to 0. VMX checks if GuestPFErrCode & MASK == MATCH. If equal (in our case it always is)
2521	* and if the X86_XCPT_PF bit in the exception bitmap is set it causes a VM-exit, if clear doesn't cause an exit.
2522	* We thus use the exception bitmap to control it rather than use both.
2523	*/
2524	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK, 0); AssertRCReturn(rc, rc);
2525	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH, 0); AssertRCReturn(rc, rc);
2526
2527	/** @todo Explore possibility of using IO-bitmaps. */
2528	/* All IO & IOIO instructions cause VM-exits. */
2529	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_IO_BITMAP_A_FULL, 0); AssertRCReturn(rc, rc);
2530	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_IO_BITMAP_B_FULL, 0); AssertRCReturn(rc, rc);
2531
2532	/* Initialize the MSR-bitmap area. */
2533	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, 0); AssertRCReturn(rc, rc);
2534	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, 0); AssertRCReturn(rc, rc);
2535	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, 0); AssertRCReturn(rc, rc);
2536	#endif
2537
2538	/* Setup MSR auto-load/store area. */
2539	Assert(pVCpu->hm.s.vmx.HCPhysGuestMsr);
2540	Assert(!(pVCpu->hm.s.vmx.HCPhysGuestMsr & 0xf)); /* Lower 4 bits MBZ. */
2541	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_ENTRY_MSR_LOAD_FULL, pVCpu->hm.s.vmx.HCPhysGuestMsr);
2542	AssertRCReturn(rc, rc);
2543	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_EXIT_MSR_STORE_FULL, pVCpu->hm.s.vmx.HCPhysGuestMsr);
2544	AssertRCReturn(rc, rc);
2545
2546	Assert(pVCpu->hm.s.vmx.HCPhysHostMsr);
2547	Assert(!(pVCpu->hm.s.vmx.HCPhysHostMsr & 0xf)); /* Lower 4 bits MBZ. */
2548	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_EXIT_MSR_LOAD_FULL, pVCpu->hm.s.vmx.HCPhysHostMsr);
2549	AssertRCReturn(rc, rc);
2550
2551	/* Set VMCS link pointer. Reserved for future use, must be -1. Intel spec. 24.4 "Guest-State Area". */
2552	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL, UINT64_C(0xffffffffffffffff));
2553	AssertRCReturn(rc, rc);
2554
2555	/* All fields are zero-initialized during allocation; but don't remove the commented block below. */
2556	#if 0
2557	/* Setup debug controls */
2558	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_DEBUGCTL_FULL, 0); /** @todo We don't support IA32_DEBUGCTL MSR. Should we? */
2559	AssertRCReturn(rc, rc);
2560	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, 0);
2561	AssertRCReturn(rc, rc);
2562	#endif
2563
2564	return rc;
2565	}
2566
2567
2568	/**
2569	* Sets up the initial exception bitmap in the VMCS based on static conditions.
2570	*
2571	* @returns VBox status code.
2572	* @param pVM Pointer to the VM.
2573	* @param pVCpu Pointer to the VMCPU.
2574	*/
2575	static int hmR0VmxInitXcptBitmap(PVM pVM, PVMCPU pVCpu)
2576	{
2577	AssertPtr(pVM);
2578	AssertPtr(pVCpu);
2579
2580	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
2581
2582	uint32_t u32XcptBitmap = pVCpu->hm.s.fGIMTrapXcptUD ? RT_BIT(X86_XCPT_UD) : 0;
2583
2584	/* Without Nested Paging, #PF must cause a VM-exit so we can sync our shadow page tables. */
2585	if (!pVM->hm.s.fNestedPaging)
2586	u32XcptBitmap \|= RT_BIT(X86_XCPT_PF);
2587
2588	pVCpu->hm.s.vmx.u32XcptBitmap = u32XcptBitmap;
2589	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, u32XcptBitmap);
2590	AssertRCReturn(rc, rc);
2591	return rc;
2592	}
2593
2594
2595	/**
2596	* Sets up the initial guest-state mask. The guest-state mask is consulted
2597	* before reading guest-state fields from the VMCS as VMREADs can be expensive
2598	* for the nested virtualization case (as it would cause a VM-exit).
2599	*
2600	* @param pVCpu Pointer to the VMCPU.
2601	*/
2602	static int hmR0VmxInitUpdatedGuestStateMask(PVMCPU pVCpu)
2603	{
2604	/* Initially the guest-state is up-to-date as there is nothing in the VMCS. */
2605	HMVMXCPU_GST_RESET_TO(pVCpu, HMVMX_UPDATED_GUEST_ALL);
2606	return VINF_SUCCESS;
2607	}
2608
2609
2610	/**
2611	* Does per-VM VT-x initialization.
2612	*
2613	* @returns VBox status code.
2614	* @param pVM Pointer to the VM.
2615	*/
2616	VMMR0DECL(int) VMXR0InitVM(PVM pVM)
2617	{
2618	LogFlowFunc(("pVM=%p\n", pVM));
2619
2620	int rc = hmR0VmxStructsAlloc(pVM);
2621	if (RT_FAILURE(rc))
2622	{
2623	LogRel(("VMXR0InitVM: hmR0VmxStructsAlloc failed! rc=%Rrc\n", rc));
2624	return rc;
2625	}
2626
2627	return VINF_SUCCESS;
2628	}
2629
2630
2631	/**
2632	* Does per-VM VT-x termination.
2633	*
2634	* @returns VBox status code.
2635	* @param pVM Pointer to the VM.
2636	*/
2637	VMMR0DECL(int) VMXR0TermVM(PVM pVM)
2638	{
2639	LogFlowFunc(("pVM=%p\n", pVM));
2640
2641	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
2642	if (pVM->hm.s.vmx.hMemObjScratch != NIL_RTR0MEMOBJ)
2643	ASMMemZero32(pVM->hm.s.vmx.pvScratch, PAGE_SIZE);
2644	#endif
2645	hmR0VmxStructsFree(pVM);
2646	return VINF_SUCCESS;
2647	}
2648
2649
2650	/**
2651	* Sets up the VM for execution under VT-x.
2652	* This function is only called once per-VM during initialization.
2653	*
2654	* @returns VBox status code.
2655	* @param pVM Pointer to the VM.
2656	*/
2657	VMMR0DECL(int) VMXR0SetupVM(PVM pVM)
2658	{
2659	AssertPtrReturn(pVM, VERR_INVALID_PARAMETER);
2660	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
2661
2662	LogFlowFunc(("pVM=%p\n", pVM));
2663
2664	/*
2665	* Without UnrestrictedGuest, pRealModeTSS and pNonPagingModeEPTPageTable must always be allocated.
2666	* We no longer support the highly unlikely case of UnrestrictedGuest without pRealModeTSS. See hmR3InitFinalizeR0Intel().
2667	*/
2668	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
2669	&& ( !pVM->hm.s.vmx.pNonPagingModeEPTPageTable
2670	\|\| !pVM->hm.s.vmx.pRealModeTSS))
2671	{
2672	LogRel(("VMXR0SetupVM: Invalid real-on-v86 state.\n"));
2673	return VERR_INTERNAL_ERROR;
2674	}
2675
2676	/* Initialize these always, see hmR3InitFinalizeR0().*/
2677	pVM->hm.s.vmx.enmFlushEpt = VMXFLUSHEPT_NONE;
2678	pVM->hm.s.vmx.enmFlushVpid = VMXFLUSHVPID_NONE;
2679
2680	/* Setup the tagged-TLB flush handlers. */
2681	int rc = hmR0VmxSetupTaggedTlb(pVM);
2682	if (RT_FAILURE(rc))
2683	{
2684	LogRel(("VMXR0SetupVM: hmR0VmxSetupTaggedTlb failed! rc=%Rrc\n", rc));
2685	return rc;
2686	}
2687
2688	/* Check if we can use the VMCS controls for swapping the EFER MSR. */
2689	Assert(!pVM->hm.s.vmx.fSupportsVmcsEfer);
2690	#if HC_ARCH_BITS == 64
2691	if ( (pVM->hm.s.vmx.Msrs.VmxEntry.n.allowed1 & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR)
2692	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR)
2693	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR))
2694	{
2695	pVM->hm.s.vmx.fSupportsVmcsEfer = true;
2696	}
2697	#endif
2698
2699	for (VMCPUID i = 0; i < pVM->cCpus; i++)
2700	{
2701	PVMCPU pVCpu = &pVM->aCpus[i];
2702	AssertPtr(pVCpu);
2703	AssertPtr(pVCpu->hm.s.vmx.pvVmcs);
2704
2705	/* Log the VCPU pointers, useful for debugging SMP VMs. */
2706	Log4(("VMXR0SetupVM: pVCpu=%p idCpu=%RU32\n", pVCpu, pVCpu->idCpu));
2707
2708	/* Initialize the VM-exit history array with end-of-array markers (UINT16_MAX). */
2709	Assert(!pVCpu->hm.s.idxExitHistoryFree);
2710	HMCPU_EXIT_HISTORY_RESET(pVCpu);
2711
2712	/* Set revision dword at the beginning of the VMCS structure. */
2713	(uint32_t )pVCpu->hm.s.vmx.pvVmcs = MSR_IA32_VMX_BASIC_INFO_VMCS_ID(pVM->hm.s.vmx.Msrs.u64BasicInfo);
2714
2715	/* Initialize our VMCS region in memory, set the VMCS launch state to "clear". */
2716	rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2717	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXClearVmcs failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2718	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2719
2720	/* Load this VMCS as the current VMCS. */
2721	rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2722	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXActivateVmcs failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2723	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2724
2725	rc = hmR0VmxSetupPinCtls(pVM, pVCpu);
2726	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupPinCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2727	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2728
2729	rc = hmR0VmxSetupProcCtls(pVM, pVCpu);
2730	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupProcCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2731	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2732
2733	rc = hmR0VmxSetupMiscCtls(pVM, pVCpu);
2734	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxSetupMiscCtls failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2735	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2736
2737	rc = hmR0VmxInitXcptBitmap(pVM, pVCpu);
2738	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitXcptBitmap failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2739	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2740
2741	rc = hmR0VmxInitUpdatedGuestStateMask(pVCpu);
2742	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitUpdatedGuestStateMask failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2743	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2744
2745	#if HC_ARCH_BITS == 32
2746	rc = hmR0VmxInitVmcsReadCache(pVM, pVCpu);
2747	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: hmR0VmxInitVmcsReadCache failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2748	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2749	#endif
2750
2751	/* Re-sync the CPU's internal data into our VMCS memory region & reset the launch state to "clear". */
2752	rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
2753	AssertLogRelMsgRCReturnStmt(rc, ("VMXR0SetupVM: VMXClearVmcs(2) failed! rc=%Rrc (pVM=%p)\n", rc, pVM),
2754	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc), rc);
2755
2756	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
2757
2758	hmR0VmxUpdateErrorRecord(pVM, pVCpu, rc);
2759	}
2760
2761	return VINF_SUCCESS;
2762	}
2763
2764
2765	/**
2766	* Saves the host control registers (CR0, CR3, CR4) into the host-state area in
2767	* the VMCS.
2768	*
2769	* @returns VBox status code.
2770	* @param pVM Pointer to the VM.
2771	* @param pVCpu Pointer to the VMCPU.
2772	*/
2773	DECLINLINE(int) hmR0VmxSaveHostControlRegs(PVM pVM, PVMCPU pVCpu)
2774	{
2775	NOREF(pVM); NOREF(pVCpu);
2776
2777	RTCCUINTREG uReg = ASMGetCR0();
2778	int rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR0, uReg);
2779	AssertRCReturn(rc, rc);
2780
2781	uReg = ASMGetCR3();
2782	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR3, uReg);
2783	AssertRCReturn(rc, rc);
2784
2785	uReg = ASMGetCR4();
2786	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_CR4, uReg);
2787	AssertRCReturn(rc, rc);
2788	return rc;
2789	}
2790
2791
2792	#if HC_ARCH_BITS == 64
2793	/**
2794	* Macro for adjusting host segment selectors to satisfy VT-x's VM-entry
2795	* requirements. See hmR0VmxSaveHostSegmentRegs().
2796	*/
2797	# define VMXLOCAL_ADJUST_HOST_SEG(seg, selValue) \
2798	if ((selValue) & (X86_SEL_RPL \| X86_SEL_LDT)) \
2799	{ \
2800	bool fValidSelector = true; \
2801	if ((selValue) & X86_SEL_LDT) \
2802	{ \
2803	uint32_t uAttr = ASMGetSegAttr((selValue)); \
2804	fValidSelector = RT_BOOL(uAttr != UINT32_MAX && (uAttr & X86_DESC_P)); \
2805	} \
2806	if (fValidSelector) \
2807	{ \
2808	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_SEL_##seg; \
2809	pVCpu->hm.s.vmx.RestoreHost.uHostSel##seg = (selValue); \
2810	} \
2811	(selValue) = 0; \
2812	}
2813	#endif
2814
2815
2816	/**
2817	* Saves the host segment registers and GDTR, IDTR, (TR, GS and FS bases) into
2818	* the host-state area in the VMCS.
2819	*
2820	* @returns VBox status code.
2821	* @param pVM Pointer to the VM.
2822	* @param pVCpu Pointer to the VMCPU.
2823	*/
2824	DECLINLINE(int) hmR0VmxSaveHostSegmentRegs(PVM pVM, PVMCPU pVCpu)
2825	{
2826	int rc = VERR_INTERNAL_ERROR_5;
2827
2828	#if HC_ARCH_BITS == 64
2829	/*
2830	* If we've executed guest code using VT-x, the host-state bits will be messed up. We
2831	* should -not- save the messed up state without restoring the original host-state. See @bugref{7240}.
2832	*/
2833	AssertMsgReturn(!(pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED),
2834	("Re-saving host-state after executing guest code without leaving VT-x!\n"), VERR_WRONG_ORDER);
2835	#endif
2836
2837	/*
2838	* Host DS, ES, FS and GS segment registers.
2839	*/
2840	#if HC_ARCH_BITS == 64
2841	RTSEL uSelDS = ASMGetDS();
2842	RTSEL uSelES = ASMGetES();
2843	RTSEL uSelFS = ASMGetFS();
2844	RTSEL uSelGS = ASMGetGS();
2845	#else
2846	RTSEL uSelDS = 0;
2847	RTSEL uSelES = 0;
2848	RTSEL uSelFS = 0;
2849	RTSEL uSelGS = 0;
2850	#endif
2851
2852	/* Recalculate which host-state bits need to be manually restored. */
2853	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
2854
2855	/*
2856	* Host CS and SS segment registers.
2857	*/
2858	RTSEL uSelCS = ASMGetCS();
2859	RTSEL uSelSS = ASMGetSS();
2860
2861	/*
2862	* Host TR segment register.
2863	*/
2864	RTSEL uSelTR = ASMGetTR();
2865
2866	#if HC_ARCH_BITS == 64
2867	/*
2868	* Determine if the host segment registers are suitable for VT-x. Otherwise use zero to gain VM-entry and restore them
2869	* before we get preempted. See Intel spec. 26.2.3 "Checks on Host Segment and Descriptor-Table Registers".
2870	*/
2871	VMXLOCAL_ADJUST_HOST_SEG(DS, uSelDS);
2872	VMXLOCAL_ADJUST_HOST_SEG(ES, uSelES);
2873	VMXLOCAL_ADJUST_HOST_SEG(FS, uSelFS);
2874	VMXLOCAL_ADJUST_HOST_SEG(GS, uSelGS);
2875	# undef VMXLOCAL_ADJUST_HOST_SEG
2876	#endif
2877
2878	/* Verification based on Intel spec. 26.2.3 "Checks on Host Segment and Descriptor-Table Registers" */
2879	Assert(!(uSelCS & X86_SEL_RPL)); Assert(!(uSelCS & X86_SEL_LDT));
2880	Assert(!(uSelSS & X86_SEL_RPL)); Assert(!(uSelSS & X86_SEL_LDT));
2881	Assert(!(uSelDS & X86_SEL_RPL)); Assert(!(uSelDS & X86_SEL_LDT));
2882	Assert(!(uSelES & X86_SEL_RPL)); Assert(!(uSelES & X86_SEL_LDT));
2883	Assert(!(uSelFS & X86_SEL_RPL)); Assert(!(uSelFS & X86_SEL_LDT));
2884	Assert(!(uSelGS & X86_SEL_RPL)); Assert(!(uSelGS & X86_SEL_LDT));
2885	Assert(!(uSelTR & X86_SEL_RPL)); Assert(!(uSelTR & X86_SEL_LDT));
2886	Assert(uSelCS);
2887	Assert(uSelTR);
2888
2889	/* Assertion is right but we would not have updated u32ExitCtls yet. */
2890	#if 0
2891	if (!(pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE))
2892	Assert(uSelSS != 0);
2893	#endif
2894
2895	/* Write these host selector fields into the host-state area in the VMCS. */
2896	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_CS, uSelCS); AssertRCReturn(rc, rc);
2897	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_SS, uSelSS); AssertRCReturn(rc, rc);
2898	#if HC_ARCH_BITS == 64
2899	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_DS, uSelDS); AssertRCReturn(rc, rc);
2900	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_ES, uSelES); AssertRCReturn(rc, rc);
2901	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_FS, uSelFS); AssertRCReturn(rc, rc);
2902	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_GS, uSelGS); AssertRCReturn(rc, rc);
2903	#else
2904	NOREF(uSelDS);
2905	NOREF(uSelES);
2906	NOREF(uSelFS);
2907	NOREF(uSelGS);
2908	#endif
2909	rc = VMXWriteVmcs32(VMX_VMCS16_HOST_FIELD_TR, uSelTR); AssertRCReturn(rc, rc);
2910
2911	/*
2912	* Host GDTR and IDTR.
2913	*/
2914	RTGDTR Gdtr;
2915	RTIDTR Idtr;
2916	RT_ZERO(Gdtr);
2917	RT_ZERO(Idtr);
2918	ASMGetGDTR(&Gdtr);
2919	ASMGetIDTR(&Idtr);
2920	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_GDTR_BASE, Gdtr.pGdt); AssertRCReturn(rc, rc);
2921	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_IDTR_BASE, Idtr.pIdt); AssertRCReturn(rc, rc);
2922
2923	#if HC_ARCH_BITS == 64
2924	/*
2925	* Determine if we need to manually need to restore the GDTR and IDTR limits as VT-x zaps them to the
2926	* maximum limit (0xffff) on every VM-exit.
2927	*/
2928	if (Gdtr.cbGdt != 0xffff)
2929	{
2930	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_GDTR;
2931	AssertCompile(sizeof(Gdtr) == sizeof(X86XDTR64));
2932	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostGdtr, &Gdtr, sizeof(X86XDTR64));
2933	}
2934
2935	/*
2936	* IDT limit is effectively capped at 0xfff. (See Intel spec. 6.14.1 "64-Bit Mode IDT"
2937	* and Intel spec. 6.2 "Exception and Interrupt Vectors".) Therefore if the host has the limit as 0xfff, VT-x
2938	* bloating the limit to 0xffff shouldn't cause any different CPU behavior. However, several hosts either insists
2939	* on 0xfff being the limit (Windows Patch Guard) or uses the limit for other purposes (darwin puts the CPU ID in there
2940	* but botches sidt alignment in at least one consumer). So, we're only allowing IDTR.LIMIT to be left at 0xffff on
2941	* hosts where we are pretty sure it won't cause trouble.
2942	*/
2943	# if defined(RT_OS_LINUX) \|\| defined(RT_OS_SOLARIS)
2944	if (Idtr.cbIdt < 0x0fff)
2945	# else
2946	if (Idtr.cbIdt != 0xffff)
2947	# endif
2948	{
2949	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_IDTR;
2950	AssertCompile(sizeof(Idtr) == sizeof(X86XDTR64));
2951	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostIdtr, &Idtr, sizeof(X86XDTR64));
2952	}
2953	#endif
2954
2955	/*
2956	* Host TR base. Verify that TR selector doesn't point past the GDT. Masking off the TI and RPL bits
2957	* is effectively what the CPU does for "scaling by 8". TI is always 0 and RPL should be too in most cases.
2958	*/
2959	AssertMsgReturn((uSelTR \| X86_SEL_RPL_LDT) <= Gdtr.cbGdt,
2960	("hmR0VmxSaveHostSegmentRegs: TR selector exceeds limit. TR=%RTsel cbGdt=%#x\n", uSelTR, Gdtr.cbGdt),
2961	VERR_VMX_INVALID_HOST_STATE);
2962
2963	PCX86DESCHC pDesc = (PCX86DESCHC)(Gdtr.pGdt + (uSelTR & X86_SEL_MASK));
2964	#if HC_ARCH_BITS == 64
2965	uintptr_t uTRBase = X86DESC64_BASE(pDesc);
2966
2967	/*
2968	* VT-x unconditionally restores the TR limit to 0x67 and type to 11 (32-bit busy TSS) on all VM-exits.
2969	* The type is the same for 64-bit busy TSS[1]. The limit needs manual restoration if the host has something else.
2970	* Task switching is not supported in 64-bit mode[2], but the limit still matters as IOPM is supported in 64-bit mode.
2971	* Restoring the limit lazily while returning to ring-3 is safe because IOPM is not applicable in ring-0.
2972	*
2973	* [1] See Intel spec. 3.5 "System Descriptor Types".
2974	* [2] See Intel spec. 7.2.3 "TSS Descriptor in 64-bit mode".
2975	*/
2976	Assert(pDesc->System.u4Type == 11);
2977	if ( pDesc->System.u16LimitLow != 0x67
2978	\|\| pDesc->System.u4LimitHigh)
2979	{
2980	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_SEL_TR;
2981	/* If the host has made GDT read-only, we would need to temporarily toggle CR0.WP before writing the GDT. */
2982	if (pVM->hm.s.fHostKernelFeatures & SUPKERNELFEATURES_GDT_READ_ONLY)
2983	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_GDT_READ_ONLY;
2984	pVCpu->hm.s.vmx.RestoreHost.uHostSelTR = uSelTR;
2985
2986	/* Store the GDTR here as we need it while restoring TR. */
2987	memcpy(&pVCpu->hm.s.vmx.RestoreHost.HostGdtr, &Gdtr, sizeof(X86XDTR64));
2988	}
2989	#else
2990	NOREF(pVM);
2991	uintptr_t uTRBase = X86DESC_BASE(pDesc);
2992	#endif
2993	rc = VMXWriteVmcsHstN(VMX_VMCS_HOST_TR_BASE, uTRBase);
2994	AssertRCReturn(rc, rc);
2995
2996	/*
2997	* Host FS base and GS base.
2998	*/
2999	#if HC_ARCH_BITS == 64
3000	uint64_t u64FSBase = ASMRdMsr(MSR_K8_FS_BASE);
3001	uint64_t u64GSBase = ASMRdMsr(MSR_K8_GS_BASE);
3002	rc = VMXWriteVmcs64(VMX_VMCS_HOST_FS_BASE, u64FSBase); AssertRCReturn(rc, rc);
3003	rc = VMXWriteVmcs64(VMX_VMCS_HOST_GS_BASE, u64GSBase); AssertRCReturn(rc, rc);
3004
3005	/* Store the base if we have to restore FS or GS manually as we need to restore the base as well. */
3006	if (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_SEL_FS)
3007	pVCpu->hm.s.vmx.RestoreHost.uHostFSBase = u64FSBase;
3008	if (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_SEL_GS)
3009	pVCpu->hm.s.vmx.RestoreHost.uHostGSBase = u64GSBase;
3010	#endif
3011	return rc;
3012	}
3013
3014
3015	/**
3016	* Saves certain host MSRs in the VM-Exit MSR-load area and some in the
3017	* host-state area of the VMCS. Theses MSRs will be automatically restored on
3018	* the host after every successful VM-exit.
3019	*
3020	* @returns VBox status code.
3021	* @param pVM Pointer to the VM.
3022	* @param pVCpu Pointer to the VMCPU.
3023	*
3024	* @remarks No-long-jump zone!!!
3025	*/
3026	DECLINLINE(int) hmR0VmxSaveHostMsrs(PVM pVM, PVMCPU pVCpu)
3027	{
3028	NOREF(pVM);
3029
3030	AssertPtr(pVCpu);
3031	AssertPtr(pVCpu->hm.s.vmx.pvHostMsr);
3032
3033	int rc = VINF_SUCCESS;
3034	#if HC_ARCH_BITS == 64
3035	if (pVM->hm.s.fAllow64BitGuests)
3036	hmR0VmxLazySaveHostMsrs(pVCpu);
3037	#endif
3038
3039	/*
3040	* Host Sysenter MSRs.
3041	*/
3042	rc = VMXWriteVmcs32(VMX_VMCS32_HOST_SYSENTER_CS, ASMRdMsr_Low(MSR_IA32_SYSENTER_CS));
3043	AssertRCReturn(rc, rc);
3044	#if HC_ARCH_BITS == 32
3045	rc = VMXWriteVmcs32(VMX_VMCS_HOST_SYSENTER_ESP, ASMRdMsr_Low(MSR_IA32_SYSENTER_ESP));
3046	AssertRCReturn(rc, rc);
3047	rc = VMXWriteVmcs32(VMX_VMCS_HOST_SYSENTER_EIP, ASMRdMsr_Low(MSR_IA32_SYSENTER_EIP));
3048	#else
3049	rc = VMXWriteVmcs64(VMX_VMCS_HOST_SYSENTER_ESP, ASMRdMsr(MSR_IA32_SYSENTER_ESP));
3050	AssertRCReturn(rc, rc);
3051	rc = VMXWriteVmcs64(VMX_VMCS_HOST_SYSENTER_EIP, ASMRdMsr(MSR_IA32_SYSENTER_EIP));
3052	#endif
3053	AssertRCReturn(rc, rc);
3054
3055	/*
3056	* Host EFER MSR.
3057	* If the CPU supports the newer VMCS controls for managing EFER, use it.
3058	* Otherwise it's done as part of auto-load/store MSR area in the VMCS, see hmR0VmxLoadGuestMsrs().
3059	*/
3060	if (pVM->hm.s.vmx.fSupportsVmcsEfer)
3061	{
3062	rc = VMXWriteVmcs64(VMX_VMCS64_HOST_FIELD_EFER_FULL, pVM->hm.s.vmx.u64HostEfer);
3063	AssertRCReturn(rc, rc);
3064	}
3065
3066	/** @todo IA32_PERF_GLOBALCTRL, IA32_PAT also see
3067	* hmR0VmxLoadGuestExitCtls() !! */
3068
3069	return rc;
3070	}
3071
3072
3073	/**
3074	* Figures out if we need to swap the EFER MSR which is
3075	* particularly expensive.
3076	*
3077	* We check all relevant bits. For now, that's everything
3078	* besides LMA/LME, as these two bits are handled by VM-entry,
3079	* see hmR0VmxLoadGuestExitCtls() and
3080	* hmR0VMxLoadGuestEntryCtls().
3081	*
3082	* @returns true if we need to load guest EFER, false otherwise.
3083	* @param pVCpu Pointer to the VMCPU.
3084	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3085	* out-of-sync. Make sure to update the required fields
3086	* before using them.
3087	*
3088	* @remarks Requires EFER, CR4.
3089	* @remarks No-long-jump zone!!!
3090	*/
3091	static bool hmR0VmxShouldSwapEferMsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3092	{
3093	#ifdef HMVMX_ALWAYS_SWAP_EFER
3094	return true;
3095	#endif
3096
3097	#if HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS)
3098	/* For 32-bit hosts running 64-bit guests, we always swap EFER in the world-switcher. Nothing to do here. */
3099	if (CPUMIsGuestInLongMode(pVCpu))
3100	return false;
3101	#endif
3102
3103	PVM pVM = pVCpu->CTX_SUFF(pVM);
3104	uint64_t u64HostEfer = pVM->hm.s.vmx.u64HostEfer;
3105	uint64_t u64GuestEfer = pMixedCtx->msrEFER;
3106
3107	/*
3108	* For 64-bit guests, if EFER.SCE bit differs, we need to swap to ensure that the
3109	* guest's SYSCALL behaviour isn't screwed. See @bugref{7386}.
3110	*/
3111	if ( CPUMIsGuestInLongMode(pVCpu)
3112	&& (u64GuestEfer & MSR_K6_EFER_SCE) != (u64HostEfer & MSR_K6_EFER_SCE))
3113	{
3114	return true;
3115	}
3116
3117	/*
3118	* If the guest uses PAE and EFER.NXE bit differs, we need to swap EFER as it
3119	* affects guest paging. 64-bit paging implies CR4.PAE as well.
3120	* See Intel spec. 4.5 "IA-32e Paging" and Intel spec. 4.1.1 "Three Paging Modes".
3121	*/
3122	if ( (pMixedCtx->cr4 & X86_CR4_PAE)
3123	&& (pMixedCtx->cr0 & X86_CR0_PG)
3124	&& (u64GuestEfer & MSR_K6_EFER_NXE) != (u64HostEfer & MSR_K6_EFER_NXE))
3125	{
3126	/* Assert that host is PAE capable. */
3127	Assert(pVM->hm.s.cpuid.u32AMDFeatureEDX & X86_CPUID_EXT_FEATURE_EDX_NX);
3128	return true;
3129	}
3130
3131	/** @todo Check the latest Intel spec. for any other bits,
3132	* like SMEP/SMAP? */
3133	return false;
3134	}
3135
3136
3137	/**
3138	* Sets up VM-entry controls in the VMCS. These controls can affect things done
3139	* on VM-exit; e.g. "load debug controls", see Intel spec. 24.8.1 "VM-entry
3140	* controls".
3141	*
3142	* @returns VBox status code.
3143	* @param pVCpu Pointer to the VMCPU.
3144	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3145	* out-of-sync. Make sure to update the required fields
3146	* before using them.
3147	*
3148	* @remarks Requires EFER.
3149	* @remarks No-long-jump zone!!!
3150	*/
3151	DECLINLINE(int) hmR0VmxLoadGuestEntryCtls(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3152	{
3153	int rc = VINF_SUCCESS;
3154	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_ENTRY_CTLS))
3155	{
3156	PVM pVM = pVCpu->CTX_SUFF(pVM);
3157	uint32_t val = pVM->hm.s.vmx.Msrs.VmxEntry.n.disallowed0; /* Bits set here must be set in the VMCS. */
3158	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxEntry.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
3159
3160	/* Load debug controls (DR7 & IA32_DEBUGCTL_MSR). The first VT-x capable CPUs only supports the 1-setting of this bit. */
3161	val \|= VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG;
3162
3163	/* Set if the guest is in long mode. This will set/clear the EFER.LMA bit on VM-entry. */
3164	if (CPUMIsGuestInLongModeEx(pMixedCtx))
3165	{
3166	val \|= VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST;
3167	Log4(("Load[%RU32]: VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST\n", pVCpu->idCpu));
3168	}
3169	else
3170	Assert(!(val & VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST));
3171
3172	/* If the CPU supports the newer VMCS controls for managing guest/host EFER, use it. */
3173	if ( pVM->hm.s.vmx.fSupportsVmcsEfer
3174	&& hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
3175	{
3176	val \|= VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR;
3177	Log4(("Load[%RU32]: VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR\n", pVCpu->idCpu));
3178	}
3179
3180	/*
3181	* The following should -not- be set (since we're not in SMM mode):
3182	* - VMX_VMCS_CTRL_ENTRY_ENTRY_SMM
3183	* - VMX_VMCS_CTRL_ENTRY_DEACTIVATE_DUALMON
3184	*/
3185
3186	/** @todo VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PERF_MSR,
3187	* VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PAT_MSR. */
3188
3189	if ((val & zap) != val)
3190	{
3191	LogRel(("hmR0VmxLoadGuestEntryCtls: Invalid VM-entry controls combo! cpu=%RX64 val=%RX64 zap=%RX64\n",
3192	pVM->hm.s.vmx.Msrs.VmxEntry.n.disallowed0, val, zap));
3193	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_ENTRY;
3194	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
3195	}
3196
3197	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY, val);
3198	AssertRCReturn(rc, rc);
3199
3200	pVCpu->hm.s.vmx.u32EntryCtls = val;
3201	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_ENTRY_CTLS);
3202	}
3203	return rc;
3204	}
3205
3206
3207	/**
3208	* Sets up the VM-exit controls in the VMCS.
3209	*
3210	* @returns VBox status code.
3211	* @param pVCpu Pointer to the VMCPU.
3212	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3213	* out-of-sync. Make sure to update the required fields
3214	* before using them.
3215	*
3216	* @remarks Requires EFER.
3217	*/
3218	DECLINLINE(int) hmR0VmxLoadGuestExitCtls(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3219	{
3220	NOREF(pMixedCtx);
3221
3222	int rc = VINF_SUCCESS;
3223	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_EXIT_CTLS))
3224	{
3225	PVM pVM = pVCpu->CTX_SUFF(pVM);
3226	uint32_t val = pVM->hm.s.vmx.Msrs.VmxExit.n.disallowed0; /* Bits set here must be set in the VMCS. */
3227	uint32_t zap = pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1; /* Bits cleared here must be cleared in the VMCS. */
3228
3229	/* Save debug controls (DR7 & IA32_DEBUGCTL_MSR). The first VT-x CPUs only supported the 1-setting of this bit. */
3230	val \|= VMX_VMCS_CTRL_EXIT_SAVE_DEBUG;
3231
3232	/*
3233	* Set the host long mode active (EFER.LMA) bit (which Intel calls "Host address-space size") if necessary.
3234	* On VM-exit, VT-x sets both the host EFER.LMA and EFER.LME bit to this value. See assertion in hmR0VmxSaveHostMsrs().
3235	*/
3236	#if HC_ARCH_BITS == 64
3237	val \|= VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE;
3238	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE\n", pVCpu->idCpu));
3239	#else
3240	if (CPUMIsGuestInLongModeEx(pMixedCtx))
3241	{
3242	/* The switcher returns to long mode, EFER is managed by the switcher. */
3243	val \|= VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE;
3244	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE\n", pVCpu->idCpu));
3245	}
3246	else
3247	Assert(!(val & VMX_VMCS_CTRL_EXIT_HOST_ADDR_SPACE_SIZE));
3248	#endif
3249
3250	/* If the newer VMCS fields for managing EFER exists, use it. */
3251	if ( pVM->hm.s.vmx.fSupportsVmcsEfer
3252	&& hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
3253	{
3254	val \|= VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR
3255	\| VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR;
3256	Log4(("Load[%RU32]: VMX_VMCS_CTRL_EXIT_SAVE_GUEST_EFER_MSR, VMX_VMCS_CTRL_EXIT_LOAD_HOST_EFER_MSR\n", pVCpu->idCpu));
3257	}
3258
3259	/* Don't acknowledge external interrupts on VM-exit. We want to let the host do that. */
3260	Assert(!(val & VMX_VMCS_CTRL_EXIT_ACK_EXT_INT));
3261
3262	/** @todo VMX_VMCS_CTRL_EXIT_LOAD_PERF_MSR,
3263	* VMX_VMCS_CTRL_EXIT_SAVE_GUEST_PAT_MSR,
3264	* VMX_VMCS_CTRL_EXIT_LOAD_HOST_PAT_MSR. */
3265
3266	if ( pVM->hm.s.vmx.fUsePreemptTimer
3267	&& (pVM->hm.s.vmx.Msrs.VmxExit.n.allowed1 & VMX_VMCS_CTRL_EXIT_SAVE_VMX_PREEMPT_TIMER))
3268	val \|= VMX_VMCS_CTRL_EXIT_SAVE_VMX_PREEMPT_TIMER;
3269
3270	if ((val & zap) != val)
3271	{
3272	LogRel(("hmR0VmxSetupProcCtls: Invalid VM-exit controls combo! cpu=%RX64 val=%RX64 zap=%RX64\n",
3273	pVM->hm.s.vmx.Msrs.VmxExit.n.disallowed0, val, zap));
3274	pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_EXIT;
3275	return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
3276	}
3277
3278	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXIT, val);
3279	AssertRCReturn(rc, rc);
3280
3281	pVCpu->hm.s.vmx.u32ExitCtls = val;
3282	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_EXIT_CTLS);
3283	}
3284	return rc;
3285	}
3286
3287
3288	/**
3289	* Loads the guest APIC and related state.
3290	*
3291	* @returns VBox status code.
3292	* @param pVCpu Pointer to the VMCPU.
3293	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3294	* out-of-sync. Make sure to update the required fields
3295	* before using them.
3296	*/
3297	DECLINLINE(int) hmR0VmxLoadGuestApicState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3298	{
3299	NOREF(pMixedCtx);
3300
3301	int rc = VINF_SUCCESS;
3302	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE))
3303	{
3304	/* Setup TPR shadowing. Also setup TPR patching for 32-bit guests. */
3305	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
3306	{
3307	Assert(pVCpu->hm.s.vmx.HCPhysVirtApic);
3308
3309	bool fPendingIntr = false;
3310	uint8_t u8Tpr = 0;
3311	uint8_t u8PendingIntr = 0;
3312	rc = PDMApicGetTPR(pVCpu, &u8Tpr, &fPendingIntr, &u8PendingIntr);
3313	AssertRCReturn(rc, rc);
3314
3315	/*
3316	* If there are external interrupts pending but masked by the TPR value, instruct VT-x to cause a VM-exit when
3317	* the guest lowers its TPR below the highest-priority pending interrupt and we can deliver the interrupt.
3318	* If there are no external interrupts pending, set threshold to 0 to not cause a VM-exit. We will eventually deliver
3319	* the interrupt when we VM-exit for other reasons.
3320	*/
3321	pVCpu->hm.s.vmx.pbVirtApic[0x80] = u8Tpr; /* Offset 0x80 is TPR in the APIC MMIO range. */
3322	uint32_t u32TprThreshold = 0;
3323	if (fPendingIntr)
3324	{
3325	/* Bits 3:0 of the TPR threshold field correspond to bits 7:4 of the TPR (which is the Task-Priority Class). */
3326	const uint8_t u8PendingPriority = (u8PendingIntr >> 4) & 0xf;
3327	const uint8_t u8TprPriority = (u8Tpr >> 4) & 0xf;
3328	if (u8PendingPriority <= u8TprPriority)
3329	u32TprThreshold = u8PendingPriority;
3330	else
3331	u32TprThreshold = u8TprPriority; /* Required for Vista 64-bit guest, see @bugref{6398}. */
3332	}
3333	Assert(!(u32TprThreshold & 0xfffffff0)); /* Bits 31:4 MBZ. */
3334
3335	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, u32TprThreshold);
3336	AssertRCReturn(rc, rc);
3337	}
3338
3339	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
3340	}
3341	return rc;
3342	}
3343
3344
3345	/**
3346	* Gets the guest's interruptibility-state ("interrupt shadow" as AMD calls it).
3347	*
3348	* @returns Guest's interruptibility-state.
3349	* @param pVCpu Pointer to the VMCPU.
3350	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3351	* out-of-sync. Make sure to update the required fields
3352	* before using them.
3353	*
3354	* @remarks No-long-jump zone!!!
3355	*/
3356	DECLINLINE(uint32_t) hmR0VmxGetGuestIntrState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3357	{
3358	/*
3359	* Check if we should inhibit interrupt delivery due to instructions like STI and MOV SS.
3360	*/
3361	uint32_t uIntrState = 0;
3362	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
3363	{
3364	/* If inhibition is active, RIP & RFLAGS should've been accessed (i.e. read previously from the VMCS or from ring-3). */
3365	AssertMsg(HMVMXCPU_GST_IS_SET(pVCpu, HMVMX_UPDATED_GUEST_RIP \| HMVMX_UPDATED_GUEST_RFLAGS),
3366	("%#x\n", HMVMXCPU_GST_VALUE(pVCpu)));
3367	if (pMixedCtx->rip == EMGetInhibitInterruptsPC(pVCpu))
3368	{
3369	if (pMixedCtx->eflags.Bits.u1IF)
3370	uIntrState = VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI;
3371	else
3372	uIntrState = VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS;
3373	}
3374	/* else: Although we can clear the force-flag here, let's keep this side-effects free. */
3375	}
3376
3377	/*
3378	* NMIs to the guest are blocked after an NMI is injected until the guest executes an IRET. We only
3379	* bother with virtual-NMI blocking when we have support for virtual NMIs in the CPU, otherwise
3380	* setting this would block host-NMIs and IRET will not clear the blocking.
3381	*
3382	* See Intel spec. 26.6.1 "Interruptibility state". See @bugref{7445}.
3383	*/
3384	if ( VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS)
3385	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI))
3386	{
3387	uIntrState \|= VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI;
3388	}
3389
3390	return uIntrState;
3391	}
3392
3393
3394	/**
3395	* Loads the guest's interruptibility-state into the guest-state area in the
3396	* VMCS.
3397	*
3398	* @returns VBox status code.
3399	* @param pVCpu Pointer to the VMCPU.
3400	* @param uIntrState The interruptibility-state to set.
3401	*/
3402	static int hmR0VmxLoadGuestIntrState(PVMCPU pVCpu, uint32_t uIntrState)
3403	{
3404	NOREF(pVCpu);
3405	AssertMsg(!(uIntrState & 0xfffffff0), ("%#x\n", uIntrState)); /* Bits 31:4 MBZ. */
3406	Assert((uIntrState & 0x3) != 0x3); /* Block-by-STI and MOV SS cannot be simultaneously set. */
3407	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, uIntrState);
3408	AssertRCReturn(rc, rc);
3409	return rc;
3410	}
3411
3412
3413	/**
3414	* Loads the exception intercepts required for guest execution in the VMCS.
3415	*
3416	* @returns VBox status code.
3417	* @param pVCpu Pointer to the VMCPU.
3418	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3419	* out-of-sync. Make sure to update the required fields
3420	* before using them.
3421	*/
3422	static int hmR0VmxLoadGuestXcptIntercepts(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3423	{
3424	NOREF(pMixedCtx);
3425	int rc = VINF_SUCCESS;
3426	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS))
3427	{
3428	/* The remaining exception intercepts are handled elsewhere, e.g. in hmR0VmxLoadSharedCR0(). */
3429	if (pVCpu->hm.s.fGIMTrapXcptUD)
3430	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_UD);
3431	else
3432	{
3433	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
3434	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_UD);
3435	#endif
3436	}
3437
3438	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap);
3439	AssertRCReturn(rc, rc);
3440
3441	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
3442	Log4(("Load[%RU32]: VMX_VMCS32_CTRL_EXCEPTION_BITMAP=%#RX64 fContextUseFlags=%#RX32\n", pVCpu->idCpu,
3443	pVCpu->hm.s.vmx.u32XcptBitmap, HMCPU_CF_VALUE(pVCpu)));
3444	}
3445	return rc;
3446	}
3447
3448
3449	/**
3450	* Loads the guest's RIP into the guest-state area in the VMCS.
3451	*
3452	* @returns VBox status code.
3453	* @param pVCpu Pointer to the VMCPU.
3454	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3455	* out-of-sync. Make sure to update the required fields
3456	* before using them.
3457	*
3458	* @remarks No-long-jump zone!!!
3459	*/
3460	static int hmR0VmxLoadGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3461	{
3462	int rc = VINF_SUCCESS;
3463	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RIP))
3464	{
3465	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_RIP, pMixedCtx->rip);
3466	AssertRCReturn(rc, rc);
3467
3468	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RIP);
3469	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RIP=%#RX64 fContextUseFlags=%#RX32\n", pVCpu->idCpu, pMixedCtx->rip,
3470	HMCPU_CF_VALUE(pVCpu)));
3471	}
3472	return rc;
3473	}
3474
3475
3476	/**
3477	* Loads the guest's RSP into the guest-state area in the VMCS.
3478	*
3479	* @returns VBox status code.
3480	* @param pVCpu Pointer to the VMCPU.
3481	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3482	* out-of-sync. Make sure to update the required fields
3483	* before using them.
3484	*
3485	* @remarks No-long-jump zone!!!
3486	*/
3487	static int hmR0VmxLoadGuestRsp(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3488	{
3489	int rc = VINF_SUCCESS;
3490	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RSP))
3491	{
3492	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_RSP, pMixedCtx->rsp);
3493	AssertRCReturn(rc, rc);
3494
3495	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RSP);
3496	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RSP=%#RX64\n", pVCpu->idCpu, pMixedCtx->rsp));
3497	}
3498	return rc;
3499	}
3500
3501
3502	/**
3503	* Loads the guest's RFLAGS into the guest-state area in the VMCS.
3504	*
3505	* @returns VBox status code.
3506	* @param pVCpu Pointer to the VMCPU.
3507	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3508	* out-of-sync. Make sure to update the required fields
3509	* before using them.
3510	*
3511	* @remarks No-long-jump zone!!!
3512	*/
3513	static int hmR0VmxLoadGuestRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3514	{
3515	int rc = VINF_SUCCESS;
3516	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RFLAGS))
3517	{
3518	/* Intel spec. 2.3.1 "System Flags and Fields in IA-32e Mode" claims the upper 32-bits of RFLAGS are reserved (MBZ).
3519	Let us assert it as such and use 32-bit VMWRITE. */
3520	Assert(!(pMixedCtx->rflags.u64 >> 32));
3521	X86EFLAGS Eflags = pMixedCtx->eflags;
3522	/** @todo r=bird: There shall be no need to OR in X86_EFL_1 here, nor
3523	* shall there be any reason for clearing bits 63:22, 15, 5 and 3.
3524	* These will never be cleared/set, unless some other part of the VMM
3525	* code is buggy - in which case we're better of finding and fixing
3526	* those bugs than hiding them. */
3527	Assert(Eflags.u32 & X86_EFL_RA1_MASK);
3528	Assert(!(Eflags.u32 & ~(X86_EFL_1 \| X86_EFL_LIVE_MASK)));
3529	Eflags.u32 &= VMX_EFLAGS_RESERVED_0; /* Bits 22-31, 15, 5 & 3 MBZ. */
3530	Eflags.u32 \|= VMX_EFLAGS_RESERVED_1; /* Bit 1 MB1. */
3531
3532	/*
3533	* If we're emulating real-mode using Virtual 8086 mode, save the real-mode eflags so we can restore them on VM-exit.
3534	* Modify the real-mode guest's eflags so that VT-x can run the real-mode guest code under Virtual 8086 mode.
3535	*/
3536	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
3537	{
3538	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
3539	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
3540	pVCpu->hm.s.vmx.RealMode.Eflags.u32 = Eflags.u32; /* Save the original eflags of the real-mode guest. */
3541	Eflags.Bits.u1VM = 1; /* Set the Virtual 8086 mode bit. */
3542	Eflags.Bits.u2IOPL = 0; /* Change IOPL to 0, otherwise certain instructions won't fault. */
3543	}
3544
3545	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_RFLAGS, Eflags.u32);
3546	AssertRCReturn(rc, rc);
3547
3548	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_RFLAGS);
3549	Log4(("Load[%RU32]: VMX_VMCS_GUEST_RFLAGS=%#RX32\n", pVCpu->idCpu, Eflags.u32));
3550	}
3551	return rc;
3552	}
3553
3554
3555	/**
3556	* Loads the guest RIP, RSP and RFLAGS into the guest-state area in the VMCS.
3557	*
3558	* @returns VBox status code.
3559	* @param pVCpu Pointer to the VMCPU.
3560	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3561	* out-of-sync. Make sure to update the required fields
3562	* before using them.
3563	*
3564	* @remarks No-long-jump zone!!!
3565	*/
3566	DECLINLINE(int) hmR0VmxLoadGuestRipRspRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3567	{
3568	int rc = hmR0VmxLoadGuestRip(pVCpu, pMixedCtx);
3569	AssertRCReturn(rc, rc);
3570	rc = hmR0VmxLoadGuestRsp(pVCpu, pMixedCtx);
3571	AssertRCReturn(rc, rc);
3572	rc = hmR0VmxLoadGuestRflags(pVCpu, pMixedCtx);
3573	AssertRCReturn(rc, rc);
3574	return rc;
3575	}
3576
3577
3578	/**
3579	* Loads the guest CR0 control register into the guest-state area in the VMCS.
3580	* CR0 is partially shared with the host and we have to consider the FPU bits.
3581	*
3582	* @returns VBox status code.
3583	* @param pVCpu Pointer to the VMCPU.
3584	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3585	* out-of-sync. Make sure to update the required fields
3586	* before using them.
3587	*
3588	* @remarks No-long-jump zone!!!
3589	*/
3590	static int hmR0VmxLoadSharedCR0(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3591	{
3592	/*
3593	* Guest CR0.
3594	* Guest FPU.
3595	*/
3596	int rc = VINF_SUCCESS;
3597	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0))
3598	{
3599	Assert(!(pMixedCtx->cr0 >> 32));
3600	uint32_t u32GuestCR0 = pMixedCtx->cr0;
3601	PVM pVM = pVCpu->CTX_SUFF(pVM);
3602
3603	/* The guest's view (read access) of its CR0 is unblemished. */
3604	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR0_READ_SHADOW, u32GuestCR0);
3605	AssertRCReturn(rc, rc);
3606	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR0_READ_SHADOW=%#RX32\n", pVCpu->idCpu, u32GuestCR0));
3607
3608	/* Setup VT-x's view of the guest CR0. */
3609	/* Minimize VM-exits due to CR3 changes when we have NestedPaging. */
3610	if (pVM->hm.s.fNestedPaging)
3611	{
3612	if (CPUMIsGuestPagingEnabledEx(pMixedCtx))
3613	{
3614	/* The guest has paging enabled, let it access CR3 without causing a VM-exit if supported. */
3615	pVCpu->hm.s.vmx.u32ProcCtls &= ~( VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
3616	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT);
3617	}
3618	else
3619	{
3620	/* The guest doesn't have paging enabled, make CR3 access cause a VM-exit to update our shadow. */
3621	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_CR3_LOAD_EXIT
3622	\| VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
3623	}
3624
3625	/* If we have unrestricted guest execution, we never have to intercept CR3 reads. */
3626	if (pVM->hm.s.vmx.fUnrestrictedGuest)
3627	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_CR3_STORE_EXIT;
3628
3629	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
3630	AssertRCReturn(rc, rc);
3631	}
3632	else
3633	u32GuestCR0 \|= X86_CR0_WP; /* Guest CPL 0 writes to its read-only pages should cause a #PF VM-exit. */
3634
3635	/*
3636	* Guest FPU bits.
3637	* Intel spec. 23.8 "Restrictions on VMX operation" mentions that CR0.NE bit must always be set on the first
3638	* CPUs to support VT-x and no mention of with regards to UX in VM-entry checks.
3639	*/
3640	u32GuestCR0 \|= X86_CR0_NE;
3641	bool fInterceptNM = false;
3642	if (CPUMIsGuestFPUStateActive(pVCpu))
3643	{
3644	fInterceptNM = false; /* Guest FPU active, no need to VM-exit on #NM. */
3645	/* The guest should still get #NM exceptions when it expects it to, so we should not clear TS & MP bits here.
3646	We're only concerned about -us- not intercepting #NMs when the guest-FPU is active. Not the guest itself! */
3647	}
3648	else
3649	{
3650	fInterceptNM = true; /* Guest FPU inactive, VM-exit on #NM for lazy FPU loading. */
3651	u32GuestCR0 \|= X86_CR0_TS /* Guest can task switch quickly and do lazy FPU syncing. */
3652	\| X86_CR0_MP; /* FWAIT/WAIT should not ignore CR0.TS and should generate #NM. */
3653	}
3654
3655	/* Catch floating point exceptions if we need to report them to the guest in a different way. */
3656	bool fInterceptMF = false;
3657	if (!(pMixedCtx->cr0 & X86_CR0_NE))
3658	fInterceptMF = true;
3659
3660	/* Finally, intercept all exceptions as we cannot directly inject them in real-mode, see hmR0VmxInjectEventVmcs(). */
3661	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
3662	{
3663	Assert(PDMVmmDevHeapIsEnabled(pVM));
3664	Assert(pVM->hm.s.vmx.pRealModeTSS);
3665	pVCpu->hm.s.vmx.u32XcptBitmap \|= HMVMX_REAL_MODE_XCPT_MASK;
3666	fInterceptNM = true;
3667	fInterceptMF = true;
3668	}
3669	else
3670	{
3671	/* For now, cleared here as mode-switches can happen outside HM/VT-x. See @bugref{7626#c11}. */
3672	pVCpu->hm.s.vmx.u32XcptBitmap &= ~HMVMX_REAL_MODE_XCPT_MASK;
3673	}
3674	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
3675
3676	if (fInterceptNM)
3677	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_NM);
3678	else
3679	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_NM);
3680
3681	if (fInterceptMF)
3682	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_MF);
3683	else
3684	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_MF);
3685
3686	/* Additional intercepts for debugging, define these yourself explicitly. */
3687	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
3688	pVCpu->hm.s.vmx.u32XcptBitmap \|= 0
3689	\| RT_BIT(X86_XCPT_BP)
3690	\| RT_BIT(X86_XCPT_DB)
3691	\| RT_BIT(X86_XCPT_DE)
3692	\| RT_BIT(X86_XCPT_NM)
3693	\| RT_BIT(X86_XCPT_TS)
3694	\| RT_BIT(X86_XCPT_UD)
3695	\| RT_BIT(X86_XCPT_NP)
3696	\| RT_BIT(X86_XCPT_SS)
3697	\| RT_BIT(X86_XCPT_GP)
3698	\| RT_BIT(X86_XCPT_PF)
3699	\| RT_BIT(X86_XCPT_MF)
3700	;
3701	#elif defined(HMVMX_ALWAYS_TRAP_PF)
3702	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_PF);
3703	#endif
3704
3705	Assert(pVM->hm.s.fNestedPaging \|\| (pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT(X86_XCPT_PF)));
3706
3707	/* Set/clear the CR0 specific bits along with their exceptions (PE, PG, CD, NW). */
3708	uint32_t uSetCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
3709	uint32_t uZapCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
3710	if (pVM->hm.s.vmx.fUnrestrictedGuest) /* Exceptions for unrestricted-guests for fixed CR0 bits (PE, PG). */
3711	uSetCR0 &= ~(X86_CR0_PE \| X86_CR0_PG);
3712	else
3713	Assert((uSetCR0 & (X86_CR0_PE \| X86_CR0_PG)) == (X86_CR0_PE \| X86_CR0_PG));
3714
3715	u32GuestCR0 \|= uSetCR0;
3716	u32GuestCR0 &= uZapCR0;
3717	u32GuestCR0 &= ~(X86_CR0_CD \| X86_CR0_NW); /* Always enable caching. */
3718
3719	/* Write VT-x's view of the guest CR0 into the VMCS. */
3720	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_CR0, u32GuestCR0);
3721	AssertRCReturn(rc, rc);
3722	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR0=%#RX32 (uSetCR0=%#RX32 uZapCR0=%#RX32)\n", pVCpu->idCpu, u32GuestCR0, uSetCR0,
3723	uZapCR0));
3724
3725	/*
3726	* CR0 is shared between host and guest along with a CR0 read shadow. Therefore, certain bits must not be changed
3727	* by the guest because VT-x ignores saving/restoring them (namely CD, ET, NW) and for certain other bits
3728	* we want to be notified immediately of guest CR0 changes (e.g. PG to update our shadow page tables).
3729	*/
3730	uint32_t u32CR0Mask = 0;
3731	u32CR0Mask = X86_CR0_PE
3732	\| X86_CR0_NE
3733	\| X86_CR0_WP
3734	\| X86_CR0_PG
3735	\| X86_CR0_ET /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.ET */
3736	\| X86_CR0_CD /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.CD */
3737	\| X86_CR0_NW; /* Bit ignored on VM-entry and VM-exit. Don't let the guest modify the host CR0.NW */
3738
3739	/** @todo Avoid intercepting CR0.PE with unrestricted guests. Fix PGM
3740	* enmGuestMode to be in-sync with the current mode. See @bugref{6398}
3741	* and @bugref{6944}. */
3742	#if 0
3743	if (pVM->hm.s.vmx.fUnrestrictedGuest)
3744	u32CR0Mask &= ~X86_CR0_PE;
3745	#endif
3746	if (pVM->hm.s.fNestedPaging)
3747	u32CR0Mask &= ~X86_CR0_WP;
3748
3749	/* If the guest FPU state is active, don't need to VM-exit on writes to FPU related bits in CR0. */
3750	if (fInterceptNM)
3751	{
3752	u32CR0Mask \|= X86_CR0_TS
3753	\| X86_CR0_MP;
3754	}
3755
3756	/* Write the CR0 mask into the VMCS and update the VCPU's copy of the current CR0 mask. */
3757	pVCpu->hm.s.vmx.u32CR0Mask = u32CR0Mask;
3758	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR0_MASK, u32CR0Mask);
3759	AssertRCReturn(rc, rc);
3760	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR0_MASK=%#RX32\n", pVCpu->idCpu, u32CR0Mask));
3761
3762	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR0);
3763	}
3764	return rc;
3765	}
3766
3767
3768	/**
3769	* Loads the guest control registers (CR3, CR4) into the guest-state area
3770	* in the VMCS.
3771	*
3772	* @returns VBox status code.
3773	* @param pVCpu Pointer to the VMCPU.
3774	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3775	* out-of-sync. Make sure to update the required fields
3776	* before using them.
3777	*
3778	* @remarks No-long-jump zone!!!
3779	*/
3780	static int hmR0VmxLoadGuestCR3AndCR4(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3781	{
3782	int rc = VINF_SUCCESS;
3783	PVM pVM = pVCpu->CTX_SUFF(pVM);
3784
3785	/*
3786	* Guest CR2.
3787	* It's always loaded in the assembler code. Nothing to do here.
3788	*/
3789
3790	/*
3791	* Guest CR3.
3792	*/
3793	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR3))
3794	{
3795	RTGCPHYS GCPhysGuestCR3 = NIL_RTGCPHYS;
3796	if (pVM->hm.s.fNestedPaging)
3797	{
3798	pVCpu->hm.s.vmx.HCPhysEPTP = PGMGetHyperCR3(pVCpu);
3799
3800	/* Validate. See Intel spec. 28.2.2 "EPT Translation Mechanism" and 24.6.11 "Extended-Page-Table Pointer (EPTP)" */
3801	Assert(pVCpu->hm.s.vmx.HCPhysEPTP);
3802	Assert(!(pVCpu->hm.s.vmx.HCPhysEPTP & UINT64_C(0xfff0000000000000)));
3803	Assert(!(pVCpu->hm.s.vmx.HCPhysEPTP & 0xfff));
3804
3805	/* VMX_EPT_MEMTYPE_WB support is already checked in hmR0VmxSetupTaggedTlb(). */
3806	pVCpu->hm.s.vmx.HCPhysEPTP \|= VMX_EPT_MEMTYPE_WB
3807	\| (VMX_EPT_PAGE_WALK_LENGTH_DEFAULT << VMX_EPT_PAGE_WALK_LENGTH_SHIFT);
3808
3809	/* Validate. See Intel spec. 26.2.1 "Checks on VMX Controls" */
3810	AssertMsg( ((pVCpu->hm.s.vmx.HCPhysEPTP >> 3) & 0x07) == 3 /* Bits 3:5 (EPT page walk length - 1) must be 3. */
3811	&& ((pVCpu->hm.s.vmx.HCPhysEPTP >> 7) & 0x1f) == 0, /* Bits 7:11 MBZ. */
3812	("EPTP %#RX64\n", pVCpu->hm.s.vmx.HCPhysEPTP));
3813	AssertMsg( !((pVCpu->hm.s.vmx.HCPhysEPTP >> 6) & 0x01) /* Bit 6 (EPT accessed & dirty bit). */
3814	\|\| (pVM->hm.s.vmx.Msrs.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_EPT_ACCESS_DIRTY),
3815	("EPTP accessed/dirty bit not supported by CPU but set %#RX64\n", pVCpu->hm.s.vmx.HCPhysEPTP));
3816
3817	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, pVCpu->hm.s.vmx.HCPhysEPTP);
3818	AssertRCReturn(rc, rc);
3819	Log4(("Load[%RU32]: VMX_VMCS64_CTRL_EPTP_FULL=%#RX64\n", pVCpu->idCpu, pVCpu->hm.s.vmx.HCPhysEPTP));
3820
3821	if ( pVM->hm.s.vmx.fUnrestrictedGuest
3822	\|\| CPUMIsGuestPagingEnabledEx(pMixedCtx))
3823	{
3824	/* If the guest is in PAE mode, pass the PDPEs to VT-x using the VMCS fields. */
3825	if (CPUMIsGuestInPAEModeEx(pMixedCtx))
3826	{
3827	rc = PGMGstGetPaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]); AssertRCReturn(rc, rc);
3828	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, pVCpu->hm.s.aPdpes[0].u); AssertRCReturn(rc, rc);
3829	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, pVCpu->hm.s.aPdpes[1].u); AssertRCReturn(rc, rc);
3830	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, pVCpu->hm.s.aPdpes[2].u); AssertRCReturn(rc, rc);
3831	rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, pVCpu->hm.s.aPdpes[3].u); AssertRCReturn(rc, rc);
3832	}
3833
3834	/* The guest's view of its CR3 is unblemished with Nested Paging when the guest is using paging or we
3835	have Unrestricted Execution to handle the guest when it's not using paging. */
3836	GCPhysGuestCR3 = pMixedCtx->cr3;
3837	}
3838	else
3839	{
3840	/*
3841	* The guest is not using paging, but the CPU (VT-x) has to. While the guest thinks it accesses physical memory
3842	* directly, we use our identity-mapped page table to map guest-linear to guest-physical addresses.
3843	* EPT takes care of translating it to host-physical addresses.
3844	*/
3845	RTGCPHYS GCPhys;
3846	Assert(pVM->hm.s.vmx.pNonPagingModeEPTPageTable);
3847	Assert(PDMVmmDevHeapIsEnabled(pVM));
3848
3849	/* We obtain it here every time as the guest could have relocated this PCI region. */
3850	rc = PDMVmmDevHeapR3ToGCPhys(pVM, pVM->hm.s.vmx.pNonPagingModeEPTPageTable, &GCPhys);
3851	AssertRCReturn(rc, rc);
3852
3853	GCPhysGuestCR3 = GCPhys;
3854	}
3855
3856	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR3=%#RGv (GstN)\n", pVCpu->idCpu, GCPhysGuestCR3));
3857	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_CR3, GCPhysGuestCR3);
3858	}
3859	else
3860	{
3861	/* Non-nested paging case, just use the hypervisor's CR3. */
3862	RTHCPHYS HCPhysGuestCR3 = PGMGetHyperCR3(pVCpu);
3863
3864	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR3=%#RHv (HstN)\n", pVCpu->idCpu, HCPhysGuestCR3));
3865	rc = VMXWriteVmcsHstN(VMX_VMCS_GUEST_CR3, HCPhysGuestCR3);
3866	}
3867	AssertRCReturn(rc, rc);
3868
3869	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR3);
3870	}
3871
3872	/*
3873	* Guest CR4.
3874	* ASSUMES this is done everytime we get in from ring-3! (XCR0)
3875	*/
3876	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR4))
3877	{
3878	Assert(!(pMixedCtx->cr4 >> 32));
3879	uint32_t u32GuestCR4 = pMixedCtx->cr4;
3880
3881	/* The guest's view of its CR4 is unblemished. */
3882	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR4_READ_SHADOW, u32GuestCR4);
3883	AssertRCReturn(rc, rc);
3884	Log4(("Load[%RU32]: VMX_VMCS_CTRL_CR4_READ_SHADOW=%#RX32\n", pVCpu->idCpu, u32GuestCR4));
3885
3886	/* Setup VT-x's view of the guest CR4. */
3887	/*
3888	* If we're emulating real-mode using virtual-8086 mode, we want to redirect software interrupts to the 8086 program
3889	* interrupt handler. Clear the VME bit (the interrupt redirection bitmap is already all 0, see hmR3InitFinalizeR0())
3890	* See Intel spec. 20.2 "Software Interrupt Handling Methods While in Virtual-8086 Mode".
3891	*/
3892	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
3893	{
3894	Assert(pVM->hm.s.vmx.pRealModeTSS);
3895	Assert(PDMVmmDevHeapIsEnabled(pVM));
3896	u32GuestCR4 &= ~X86_CR4_VME;
3897	}
3898
3899	if (pVM->hm.s.fNestedPaging)
3900	{
3901	if ( !CPUMIsGuestPagingEnabledEx(pMixedCtx)
3902	&& !pVM->hm.s.vmx.fUnrestrictedGuest)
3903	{
3904	/* We use 4 MB pages in our identity mapping page table when the guest doesn't have paging. */
3905	u32GuestCR4 \|= X86_CR4_PSE;
3906	/* Our identity mapping is a 32-bit page directory. */
3907	u32GuestCR4 &= ~X86_CR4_PAE;
3908	}
3909	/* else use guest CR4.*/
3910	}
3911	else
3912	{
3913	/*
3914	* The shadow paging modes and guest paging modes are different, the shadow is in accordance with the host
3915	* paging mode and thus we need to adjust VT-x's view of CR4 depending on our shadow page tables.
3916	*/
3917	switch (pVCpu->hm.s.enmShadowMode)
3918	{
3919	case PGMMODE_REAL: /* Real-mode. */
3920	case PGMMODE_PROTECTED: /* Protected mode without paging. */
3921	case PGMMODE_32_BIT: /* 32-bit paging. */
3922	{
3923	u32GuestCR4 &= ~X86_CR4_PAE;
3924	break;
3925	}
3926
3927	case PGMMODE_PAE: /* PAE paging. */
3928	case PGMMODE_PAE_NX: /* PAE paging with NX. */
3929	{
3930	u32GuestCR4 \|= X86_CR4_PAE;
3931	break;
3932	}
3933
3934	case PGMMODE_AMD64: /* 64-bit AMD paging (long mode). */
3935	case PGMMODE_AMD64_NX: /* 64-bit AMD paging (long mode) with NX enabled. */
3936	#ifdef VBOX_ENABLE_64_BITS_GUESTS
3937	break;
3938	#endif
3939	default:
3940	AssertFailed();
3941	return VERR_PGM_UNSUPPORTED_SHADOW_PAGING_MODE;
3942	}
3943	}
3944
3945	/* We need to set and clear the CR4 specific bits here (mainly the X86_CR4_VMXE bit). */
3946	uint64_t uSetCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
3947	uint64_t uZapCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
3948	u32GuestCR4 \|= uSetCR4;
3949	u32GuestCR4 &= uZapCR4;
3950
3951	/* Write VT-x's view of the guest CR4 into the VMCS. */
3952	Log4(("Load[%RU32]: VMX_VMCS_GUEST_CR4=%#RX32 (Set=%#RX32 Zap=%#RX32)\n", pVCpu->idCpu, u32GuestCR4, uSetCR4, uZapCR4));
3953	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_CR4, u32GuestCR4);
3954	AssertRCReturn(rc, rc);
3955
3956	/* Setup CR4 mask. CR4 flags owned by the host, if the guest attempts to change them, that would cause a VM-exit. */
3957	uint32_t u32CR4Mask = X86_CR4_VME
3958	\| X86_CR4_PAE
3959	\| X86_CR4_PGE
3960	\| X86_CR4_PSE
3961	\| X86_CR4_VMXE;
3962	if (pVM->cpum.ro.HostFeatures.fXSaveRstor)
3963	u32CR4Mask \|= X86_CR4_OSXSAVE;
3964	pVCpu->hm.s.vmx.u32CR4Mask = u32CR4Mask;
3965	rc = VMXWriteVmcs32(VMX_VMCS_CTRL_CR4_MASK, u32CR4Mask);
3966	AssertRCReturn(rc, rc);
3967
3968	/* Whether to save/load/restore XCR0 during world switch depends on CR4.OSXSAVE and host+guest XCR0. */
3969	pVCpu->hm.s.fLoadSaveGuestXcr0 = (pMixedCtx->cr4 & X86_CR4_OSXSAVE) && pMixedCtx->aXcr[0] != ASMGetXcr0();
3970
3971	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR4);
3972	}
3973	return rc;
3974	}
3975
3976
3977	/**
3978	* Loads the guest debug registers into the guest-state area in the VMCS.
3979	* This also sets up whether #DB and MOV DRx accesses cause VM-exits.
3980	*
3981	* The guest debug bits are partially shared with the host (e.g. DR6, DR0-3).
3982	*
3983	* @returns VBox status code.
3984	* @param pVCpu Pointer to the VMCPU.
3985	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
3986	* out-of-sync. Make sure to update the required fields
3987	* before using them.
3988	*
3989	* @remarks No-long-jump zone!!!
3990	*/
3991	static int hmR0VmxLoadSharedDebugState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
3992	{
3993	if (!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_DEBUG))
3994	return VINF_SUCCESS;
3995
3996	#ifdef VBOX_STRICT
3997	/* Validate. Intel spec. 26.3.1.1 "Checks on Guest Controls Registers, Debug Registers, MSRs" */
3998	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
3999	{
4000	/* Validate. Intel spec. 17.2 "Debug Registers", recompiler paranoia checks. */
4001	Assert((pMixedCtx->dr[7] & (X86_DR7_MBZ_MASK \| X86_DR7_RAZ_MASK)) == 0); /* Bits 63:32, 15, 14, 12, 11 are reserved. */
4002	Assert((pMixedCtx->dr[7] & X86_DR7_RA1_MASK) == X86_DR7_RA1_MASK); /* Bit 10 is reserved (RA1). */
4003	}
4004	#endif
4005
4006	int rc;
4007	PVM pVM = pVCpu->CTX_SUFF(pVM);
4008	bool fInterceptDB = false;
4009	bool fInterceptMovDRx = false;
4010	if (pVCpu->hm.s.fSingleInstruction)
4011	{
4012	/* If the CPU supports the monitor trap flag, use it for single stepping in DBGF and avoid intercepting #DB. */
4013	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG)
4014	{
4015	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG;
4016	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
4017	AssertRCReturn(rc, rc);
4018	Assert(fInterceptDB == false);
4019	}
4020	else
4021	{
4022	pMixedCtx->eflags.u32 \|= X86_EFL_TF;
4023	pVCpu->hm.s.fClearTrapFlag = true;
4024	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
4025	fInterceptDB = true;
4026	}
4027	}
4028
4029	if ( fInterceptDB
4030	\|\| (CPUMGetHyperDR7(pVCpu) & X86_DR7_ENABLED_MASK))
4031	{
4032	/*
4033	* Use the combined guest and host DRx values found in the hypervisor
4034	* register set because the debugger has breakpoints active or someone
4035	* is single stepping on the host side without a monitor trap flag.
4036	*
4037	* Note! DBGF expects a clean DR6 state before executing guest code.
4038	*/
4039	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4040	if ( CPUMIsGuestInLongModeEx(pMixedCtx)
4041	&& !CPUMIsHyperDebugStateActivePending(pVCpu))
4042	{
4043	CPUMR0LoadHyperDebugState(pVCpu, true /* include DR6 */);
4044	Assert(CPUMIsHyperDebugStateActivePending(pVCpu));
4045	Assert(!CPUMIsGuestDebugStateActivePending(pVCpu));
4046	}
4047	else
4048	#endif
4049	if (!CPUMIsHyperDebugStateActive(pVCpu))
4050	{
4051	CPUMR0LoadHyperDebugState(pVCpu, true /* include DR6 */);
4052	Assert(CPUMIsHyperDebugStateActive(pVCpu));
4053	Assert(!CPUMIsGuestDebugStateActive(pVCpu));
4054	}
4055
4056	/* Update DR7. (The other DRx values are handled by CPUM one way or the other.) */
4057	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, (uint32_t)CPUMGetHyperDR7(pVCpu));
4058	AssertRCReturn(rc, rc);
4059
4060	pVCpu->hm.s.fUsingHyperDR7 = true;
4061	fInterceptDB = true;
4062	fInterceptMovDRx = true;
4063	}
4064	else
4065	{
4066	/*
4067	* If the guest has enabled debug registers, we need to load them prior to
4068	* executing guest code so they'll trigger at the right time.
4069	*/
4070	if (pMixedCtx->dr[7] & (X86_DR7_ENABLED_MASK \| X86_DR7_GD)) /** @todo Why GD? */
4071	{
4072	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4073	if ( CPUMIsGuestInLongModeEx(pMixedCtx)
4074	&& !CPUMIsGuestDebugStateActivePending(pVCpu))
4075	{
4076	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
4077	Assert(CPUMIsGuestDebugStateActivePending(pVCpu));
4078	Assert(!CPUMIsHyperDebugStateActivePending(pVCpu));
4079	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed);
4080	}
4081	else
4082	#endif
4083	if (!CPUMIsGuestDebugStateActive(pVCpu))
4084	{
4085	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
4086	Assert(CPUMIsGuestDebugStateActive(pVCpu));
4087	Assert(!CPUMIsHyperDebugStateActive(pVCpu));
4088	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed);
4089	}
4090	Assert(!fInterceptDB);
4091	Assert(!fInterceptMovDRx);
4092	}
4093	/*
4094	* If no debugging enabled, we'll lazy load DR0-3. Unlike on AMD-V, we
4095	* must intercept #DB in order to maintain a correct DR6 guest value.
4096	*/
4097	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
4098	else if ( !CPUMIsGuestDebugStateActivePending(pVCpu)
4099	&& !CPUMIsGuestDebugStateActive(pVCpu))
4100	#else
4101	else if (!CPUMIsGuestDebugStateActive(pVCpu))
4102	#endif
4103	{
4104	fInterceptMovDRx = true;
4105	fInterceptDB = true;
4106	}
4107
4108	/* Update guest DR7. */
4109	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, pMixedCtx->dr[7]);
4110	AssertRCReturn(rc, rc);
4111
4112	pVCpu->hm.s.fUsingHyperDR7 = false;
4113	}
4114
4115	/*
4116	* Update the exception bitmap regarding intercepting #DB generated by the guest.
4117	*/
4118	if ( fInterceptDB
4119	\|\| pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4120	{
4121	pVCpu->hm.s.vmx.u32XcptBitmap \|= RT_BIT(X86_XCPT_DB);
4122	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
4123	}
4124	else
4125	{
4126	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
4127	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_DB);
4128	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
4129	#endif
4130	}
4131
4132	/*
4133	* Update the processor-based VM-execution controls regarding intercepting MOV DRx instructions.
4134	*/
4135	if (fInterceptMovDRx)
4136	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
4137	else
4138	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
4139	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
4140	AssertRCReturn(rc, rc);
4141
4142	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_DEBUG);
4143	return VINF_SUCCESS;
4144	}
4145
4146
4147	#ifdef VBOX_STRICT
4148	/**
4149	* Strict function to validate segment registers.
4150	*
4151	* @remarks ASSUMES CR0 is up to date.
4152	*/
4153	static void hmR0VmxValidateSegmentRegs(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
4154	{
4155	/* Validate segment registers. See Intel spec. 26.3.1.2 "Checks on Guest Segment Registers". */
4156	/* NOTE: The reason we check for attribute value 0 and not just the unusable bit here is because hmR0VmxWriteSegmentReg()
4157	* only updates the VMCS' copy of the value with the unusable bit and doesn't change the guest-context value. */
4158	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
4159	&& ( !CPUMIsGuestInRealModeEx(pCtx)
4160	&& !CPUMIsGuestInV86ModeEx(pCtx)))
4161	{
4162	/* Protected mode checks */
4163	/* CS */
4164	Assert(pCtx->cs.Attr.n.u1Present);
4165	Assert(!(pCtx->cs.Attr.u & 0xf00));
4166	Assert(!(pCtx->cs.Attr.u & 0xfffe0000));
4167	Assert( (pCtx->cs.u32Limit & 0xfff) == 0xfff
4168	\|\| !(pCtx->cs.Attr.n.u1Granularity));
4169	Assert( !(pCtx->cs.u32Limit & 0xfff00000)
4170	\|\| (pCtx->cs.Attr.n.u1Granularity));
4171	/* CS cannot be loaded with NULL in protected mode. */
4172	Assert(pCtx->cs.Attr.u && !(pCtx->cs.Attr.u & X86DESCATTR_UNUSABLE)); /** @todo is this really true even for 64-bit CS? */
4173	if (pCtx->cs.Attr.n.u4Type == 9 \|\| pCtx->cs.Attr.n.u4Type == 11)
4174	Assert(pCtx->cs.Attr.n.u2Dpl == pCtx->ss.Attr.n.u2Dpl);
4175	else if (pCtx->cs.Attr.n.u4Type == 13 \|\| pCtx->cs.Attr.n.u4Type == 15)
4176	Assert(pCtx->cs.Attr.n.u2Dpl <= pCtx->ss.Attr.n.u2Dpl);
4177	else
4178	AssertMsgFailed(("Invalid CS Type %#x\n", pCtx->cs.Attr.n.u2Dpl));
4179	/* SS */
4180	Assert((pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL));
4181	Assert(pCtx->ss.Attr.n.u2Dpl == (pCtx->ss.Sel & X86_SEL_RPL));
4182	if ( !(pCtx->cr0 & X86_CR0_PE)
4183	\|\| pCtx->cs.Attr.n.u4Type == 3)
4184	{
4185	Assert(!pCtx->ss.Attr.n.u2Dpl);
4186	}
4187	if (pCtx->ss.Attr.u && !(pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE))
4188	{
4189	Assert((pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL));
4190	Assert(pCtx->ss.Attr.n.u4Type == 3 \|\| pCtx->ss.Attr.n.u4Type == 7);
4191	Assert(pCtx->ss.Attr.n.u1Present);
4192	Assert(!(pCtx->ss.Attr.u & 0xf00));
4193	Assert(!(pCtx->ss.Attr.u & 0xfffe0000));
4194	Assert( (pCtx->ss.u32Limit & 0xfff) == 0xfff
4195	\|\| !(pCtx->ss.Attr.n.u1Granularity));
4196	Assert( !(pCtx->ss.u32Limit & 0xfff00000)
4197	\|\| (pCtx->ss.Attr.n.u1Granularity));
4198	}
4199	/* DS, ES, FS, GS - only check for usable selectors, see hmR0VmxWriteSegmentReg(). */
4200	if (pCtx->ds.Attr.u && !(pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE))
4201	{
4202	Assert(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4203	Assert(pCtx->ds.Attr.n.u1Present);
4204	Assert(pCtx->ds.Attr.n.u4Type > 11 \|\| pCtx->ds.Attr.n.u2Dpl >= (pCtx->ds.Sel & X86_SEL_RPL));
4205	Assert(!(pCtx->ds.Attr.u & 0xf00));
4206	Assert(!(pCtx->ds.Attr.u & 0xfffe0000));
4207	Assert( (pCtx->ds.u32Limit & 0xfff) == 0xfff
4208	\|\| !(pCtx->ds.Attr.n.u1Granularity));
4209	Assert( !(pCtx->ds.u32Limit & 0xfff00000)
4210	\|\| (pCtx->ds.Attr.n.u1Granularity));
4211	Assert( !(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4212	\|\| (pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_READ));
4213	}
4214	if (pCtx->es.Attr.u && !(pCtx->es.Attr.u & X86DESCATTR_UNUSABLE))
4215	{
4216	Assert(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4217	Assert(pCtx->es.Attr.n.u1Present);
4218	Assert(pCtx->es.Attr.n.u4Type > 11 \|\| pCtx->es.Attr.n.u2Dpl >= (pCtx->es.Sel & X86_SEL_RPL));
4219	Assert(!(pCtx->es.Attr.u & 0xf00));
4220	Assert(!(pCtx->es.Attr.u & 0xfffe0000));
4221	Assert( (pCtx->es.u32Limit & 0xfff) == 0xfff
4222	\|\| !(pCtx->es.Attr.n.u1Granularity));
4223	Assert( !(pCtx->es.u32Limit & 0xfff00000)
4224	\|\| (pCtx->es.Attr.n.u1Granularity));
4225	Assert( !(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4226	\|\| (pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_READ));
4227	}
4228	if (pCtx->fs.Attr.u && !(pCtx->fs.Attr.u & X86DESCATTR_UNUSABLE))
4229	{
4230	Assert(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4231	Assert(pCtx->fs.Attr.n.u1Present);
4232	Assert(pCtx->fs.Attr.n.u4Type > 11 \|\| pCtx->fs.Attr.n.u2Dpl >= (pCtx->fs.Sel & X86_SEL_RPL));
4233	Assert(!(pCtx->fs.Attr.u & 0xf00));
4234	Assert(!(pCtx->fs.Attr.u & 0xfffe0000));
4235	Assert( (pCtx->fs.u32Limit & 0xfff) == 0xfff
4236	\|\| !(pCtx->fs.Attr.n.u1Granularity));
4237	Assert( !(pCtx->fs.u32Limit & 0xfff00000)
4238	\|\| (pCtx->fs.Attr.n.u1Granularity));
4239	Assert( !(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4240	\|\| (pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_READ));
4241	}
4242	if (pCtx->gs.Attr.u && !(pCtx->gs.Attr.u & X86DESCATTR_UNUSABLE))
4243	{
4244	Assert(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED);
4245	Assert(pCtx->gs.Attr.n.u1Present);
4246	Assert(pCtx->gs.Attr.n.u4Type > 11 \|\| pCtx->gs.Attr.n.u2Dpl >= (pCtx->gs.Sel & X86_SEL_RPL));
4247	Assert(!(pCtx->gs.Attr.u & 0xf00));
4248	Assert(!(pCtx->gs.Attr.u & 0xfffe0000));
4249	Assert( (pCtx->gs.u32Limit & 0xfff) == 0xfff
4250	\|\| !(pCtx->gs.Attr.n.u1Granularity));
4251	Assert( !(pCtx->gs.u32Limit & 0xfff00000)
4252	\|\| (pCtx->gs.Attr.n.u1Granularity));
4253	Assert( !(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
4254	\|\| (pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_READ));
4255	}
4256	/* 64-bit capable CPUs. */
4257	# if HC_ARCH_BITS == 64
4258	Assert(!(pCtx->cs.u64Base >> 32));
4259	Assert(!pCtx->ss.Attr.u \|\| !(pCtx->ss.u64Base >> 32));
4260	Assert(!pCtx->ds.Attr.u \|\| !(pCtx->ds.u64Base >> 32));
4261	Assert(!pCtx->es.Attr.u \|\| !(pCtx->es.u64Base >> 32));
4262	# endif
4263	}
4264	else if ( CPUMIsGuestInV86ModeEx(pCtx)
4265	\|\| ( CPUMIsGuestInRealModeEx(pCtx)
4266	&& !pVM->hm.s.vmx.fUnrestrictedGuest))
4267	{
4268	/* Real and v86 mode checks. */
4269	/* hmR0VmxWriteSegmentReg() writes the modified in VMCS. We want what we're feeding to VT-x. */
4270	uint32_t u32CSAttr, u32SSAttr, u32DSAttr, u32ESAttr, u32FSAttr, u32GSAttr;
4271	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4272	{
4273	u32CSAttr = 0xf3; u32SSAttr = 0xf3; u32DSAttr = 0xf3; u32ESAttr = 0xf3; u32FSAttr = 0xf3; u32GSAttr = 0xf3;
4274	}
4275	else
4276	{
4277	u32CSAttr = pCtx->cs.Attr.u; u32SSAttr = pCtx->ss.Attr.u; u32DSAttr = pCtx->ds.Attr.u;
4278	u32ESAttr = pCtx->es.Attr.u; u32FSAttr = pCtx->fs.Attr.u; u32GSAttr = pCtx->gs.Attr.u;
4279	}
4280
4281	/* CS */
4282	AssertMsg((pCtx->cs.u64Base == (uint64_t)pCtx->cs.Sel << 4), ("CS base %#x %#x\n", pCtx->cs.u64Base, pCtx->cs.Sel));
4283	Assert(pCtx->cs.u32Limit == 0xffff);
4284	Assert(u32CSAttr == 0xf3);
4285	/* SS */
4286	Assert(pCtx->ss.u64Base == (uint64_t)pCtx->ss.Sel << 4);
4287	Assert(pCtx->ss.u32Limit == 0xffff);
4288	Assert(u32SSAttr == 0xf3);
4289	/* DS */
4290	Assert(pCtx->ds.u64Base == (uint64_t)pCtx->ds.Sel << 4);
4291	Assert(pCtx->ds.u32Limit == 0xffff);
4292	Assert(u32DSAttr == 0xf3);
4293	/* ES */
4294	Assert(pCtx->es.u64Base == (uint64_t)pCtx->es.Sel << 4);
4295	Assert(pCtx->es.u32Limit == 0xffff);
4296	Assert(u32ESAttr == 0xf3);
4297	/* FS */
4298	Assert(pCtx->fs.u64Base == (uint64_t)pCtx->fs.Sel << 4);
4299	Assert(pCtx->fs.u32Limit == 0xffff);
4300	Assert(u32FSAttr == 0xf3);
4301	/* GS */
4302	Assert(pCtx->gs.u64Base == (uint64_t)pCtx->gs.Sel << 4);
4303	Assert(pCtx->gs.u32Limit == 0xffff);
4304	Assert(u32GSAttr == 0xf3);
4305	/* 64-bit capable CPUs. */
4306	# if HC_ARCH_BITS == 64
4307	Assert(!(pCtx->cs.u64Base >> 32));
4308	Assert(!u32SSAttr \|\| !(pCtx->ss.u64Base >> 32));
4309	Assert(!u32DSAttr \|\| !(pCtx->ds.u64Base >> 32));
4310	Assert(!u32ESAttr \|\| !(pCtx->es.u64Base >> 32));
4311	# endif
4312	}
4313	}
4314	#endif /* VBOX_STRICT */
4315
4316
4317	/**
4318	* Writes a guest segment register into the guest-state area in the VMCS.
4319	*
4320	* @returns VBox status code.
4321	* @param pVCpu Pointer to the VMCPU.
4322	* @param idxSel Index of the selector in the VMCS.
4323	* @param idxLimit Index of the segment limit in the VMCS.
4324	* @param idxBase Index of the segment base in the VMCS.
4325	* @param idxAccess Index of the access rights of the segment in the VMCS.
4326	* @param pSelReg Pointer to the segment selector.
4327	*
4328	* @remarks No-long-jump zone!!!
4329	*/
4330	static int hmR0VmxWriteSegmentReg(PVMCPU pVCpu, uint32_t idxSel, uint32_t idxLimit, uint32_t idxBase,
4331	uint32_t idxAccess, PCPUMSELREG pSelReg)
4332	{
4333	int rc = VMXWriteVmcs32(idxSel, pSelReg->Sel); /* 16-bit guest selector field. */
4334	AssertRCReturn(rc, rc);
4335	rc = VMXWriteVmcs32(idxLimit, pSelReg->u32Limit); /* 32-bit guest segment limit field. */
4336	AssertRCReturn(rc, rc);
4337	rc = VMXWriteVmcsGstN(idxBase, pSelReg->u64Base); /* Natural width guest segment base field.*/
4338	AssertRCReturn(rc, rc);
4339
4340	uint32_t u32Access = pSelReg->Attr.u;
4341	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4342	{
4343	/* VT-x requires our real-using-v86 mode hack to override the segment access-right bits. */
4344	u32Access = 0xf3;
4345	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
4346	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
4347	}
4348	else
4349	{
4350	/*
4351	* The way to differentiate between whether this is really a null selector or was just a selector loaded with 0 in
4352	* real-mode is using the segment attributes. A selector loaded in real-mode with the value 0 is valid and usable in
4353	* protected-mode and we should -not- mark it as an unusable segment. Both the recompiler & VT-x ensures NULL selectors
4354	* loaded in protected-mode have their attribute as 0.
4355	*/
4356	if (!u32Access)
4357	u32Access = X86DESCATTR_UNUSABLE;
4358	}
4359
4360	/* Validate segment access rights. Refer to Intel spec. "26.3.1.2 Checks on Guest Segment Registers". */
4361	AssertMsg((u32Access & X86DESCATTR_UNUSABLE) \|\| (u32Access & X86_SEL_TYPE_ACCESSED),
4362	("Access bit not set for usable segment. idx=%#x sel=%#x attr %#x\n", idxBase, pSelReg, pSelReg->Attr.u));
4363
4364	rc = VMXWriteVmcs32(idxAccess, u32Access); /* 32-bit guest segment access-rights field. */
4365	AssertRCReturn(rc, rc);
4366	return rc;
4367	}
4368
4369
4370	/**
4371	* Loads the guest segment registers, GDTR, IDTR, LDTR, (TR, FS and GS bases)
4372	* into the guest-state area in the VMCS.
4373	*
4374	* @returns VBox status code.
4375	* @param pVCPU Pointer to the VMCPU.
4376	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4377	* out-of-sync. Make sure to update the required fields
4378	* before using them.
4379	*
4380	* @remarks ASSUMES pMixedCtx->cr0 is up to date (strict builds validation).
4381	* @remarks No-long-jump zone!!!
4382	*/
4383	static int hmR0VmxLoadGuestSegmentRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4384	{
4385	int rc = VERR_INTERNAL_ERROR_5;
4386	PVM pVM = pVCpu->CTX_SUFF(pVM);
4387
4388	/*
4389	* Guest Segment registers: CS, SS, DS, ES, FS, GS.
4390	*/
4391	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS))
4392	{
4393	/* Save the segment attributes for real-on-v86 mode hack, so we can restore them on VM-exit. */
4394	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4395	{
4396	pVCpu->hm.s.vmx.RealMode.AttrCS.u = pMixedCtx->cs.Attr.u;
4397	pVCpu->hm.s.vmx.RealMode.AttrSS.u = pMixedCtx->ss.Attr.u;
4398	pVCpu->hm.s.vmx.RealMode.AttrDS.u = pMixedCtx->ds.Attr.u;
4399	pVCpu->hm.s.vmx.RealMode.AttrES.u = pMixedCtx->es.Attr.u;
4400	pVCpu->hm.s.vmx.RealMode.AttrFS.u = pMixedCtx->fs.Attr.u;
4401	pVCpu->hm.s.vmx.RealMode.AttrGS.u = pMixedCtx->gs.Attr.u;
4402	}
4403
4404	#ifdef VBOX_WITH_REM
4405	if (!pVM->hm.s.vmx.fUnrestrictedGuest)
4406	{
4407	Assert(pVM->hm.s.vmx.pRealModeTSS);
4408	AssertCompile(PGMMODE_REAL < PGMMODE_PROTECTED);
4409	if ( pVCpu->hm.s.vmx.fWasInRealMode
4410	&& PGMGetGuestMode(pVCpu) >= PGMMODE_PROTECTED)
4411	{
4412	/* Signal that the recompiler must flush its code-cache as the guest -may- rewrite code it will later execute
4413	in real-mode (e.g. OpenBSD 4.0) */
4414	REMFlushTBs(pVM);
4415	Log4(("Load[%RU32]: Switch to protected mode detected!\n", pVCpu->idCpu));
4416	pVCpu->hm.s.vmx.fWasInRealMode = false;
4417	}
4418	}
4419	#endif
4420	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_CS, VMX_VMCS32_GUEST_CS_LIMIT, VMX_VMCS_GUEST_CS_BASE,
4421	VMX_VMCS32_GUEST_CS_ACCESS_RIGHTS, &pMixedCtx->cs);
4422	AssertRCReturn(rc, rc);
4423	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_SS, VMX_VMCS32_GUEST_SS_LIMIT, VMX_VMCS_GUEST_SS_BASE,
4424	VMX_VMCS32_GUEST_SS_ACCESS_RIGHTS, &pMixedCtx->ss);
4425	AssertRCReturn(rc, rc);
4426	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_DS, VMX_VMCS32_GUEST_DS_LIMIT, VMX_VMCS_GUEST_DS_BASE,
4427	VMX_VMCS32_GUEST_DS_ACCESS_RIGHTS, &pMixedCtx->ds);
4428	AssertRCReturn(rc, rc);
4429	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_ES, VMX_VMCS32_GUEST_ES_LIMIT, VMX_VMCS_GUEST_ES_BASE,
4430	VMX_VMCS32_GUEST_ES_ACCESS_RIGHTS, &pMixedCtx->es);
4431	AssertRCReturn(rc, rc);
4432	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_FS, VMX_VMCS32_GUEST_FS_LIMIT, VMX_VMCS_GUEST_FS_BASE,
4433	VMX_VMCS32_GUEST_FS_ACCESS_RIGHTS, &pMixedCtx->fs);
4434	AssertRCReturn(rc, rc);
4435	rc = hmR0VmxWriteSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_GS, VMX_VMCS32_GUEST_GS_LIMIT, VMX_VMCS_GUEST_GS_BASE,
4436	VMX_VMCS32_GUEST_GS_ACCESS_RIGHTS, &pMixedCtx->gs);
4437	AssertRCReturn(rc, rc);
4438
4439	#ifdef VBOX_STRICT
4440	/* Validate. */
4441	hmR0VmxValidateSegmentRegs(pVM, pVCpu, pMixedCtx);
4442	#endif
4443
4444	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS);
4445	Log4(("Load[%RU32]: CS=%#RX16 Base=%#RX64 Limit=%#RX32 Attr=%#RX32\n", pVCpu->idCpu, pMixedCtx->cs.Sel,
4446	pMixedCtx->cs.u64Base, pMixedCtx->cs.u32Limit, pMixedCtx->cs.Attr.u));
4447	}
4448
4449	/*
4450	* Guest TR.
4451	*/
4452	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_TR))
4453	{
4454	/*
4455	* Real-mode emulation using virtual-8086 mode with CR4.VME. Interrupt redirection is achieved
4456	* using the interrupt redirection bitmap (all bits cleared to let the guest handle INT-n's) in the TSS.
4457	* See hmR3InitFinalizeR0() to see how pRealModeTSS is setup.
4458	*/
4459	uint16_t u16Sel = 0;
4460	uint32_t u32Limit = 0;
4461	uint64_t u64Base = 0;
4462	uint32_t u32AccessRights = 0;
4463
4464	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
4465	{
4466	u16Sel = pMixedCtx->tr.Sel;
4467	u32Limit = pMixedCtx->tr.u32Limit;
4468	u64Base = pMixedCtx->tr.u64Base;
4469	u32AccessRights = pMixedCtx->tr.Attr.u;
4470	}
4471	else
4472	{
4473	Assert(pVM->hm.s.vmx.pRealModeTSS);
4474	Assert(PDMVmmDevHeapIsEnabled(pVM)); /* Guaranteed by HMR3CanExecuteGuest() -XXX- what about inner loop changes? */
4475
4476	/* We obtain it here every time as PCI regions could be reconfigured in the guest, changing the VMMDev base. */
4477	RTGCPHYS GCPhys;
4478	rc = PDMVmmDevHeapR3ToGCPhys(pVM, pVM->hm.s.vmx.pRealModeTSS, &GCPhys);
4479	AssertRCReturn(rc, rc);
4480
4481	X86DESCATTR DescAttr;
4482	DescAttr.u = 0;
4483	DescAttr.n.u1Present = 1;
4484	DescAttr.n.u4Type = X86_SEL_TYPE_SYS_386_TSS_BUSY;
4485
4486	u16Sel = 0;
4487	u32Limit = HM_VTX_TSS_SIZE;
4488	u64Base = GCPhys; /* in real-mode phys = virt. */
4489	u32AccessRights = DescAttr.u;
4490	}
4491
4492	/* Validate. */
4493	Assert(!(u16Sel & RT_BIT(2)));
4494	AssertMsg( (u32AccessRights & 0xf) == X86_SEL_TYPE_SYS_386_TSS_BUSY
4495	\|\| (u32AccessRights & 0xf) == X86_SEL_TYPE_SYS_286_TSS_BUSY, ("TSS is not busy!? %#x\n", u32AccessRights));
4496	AssertMsg(!(u32AccessRights & X86DESCATTR_UNUSABLE), ("TR unusable bit is not clear!? %#x\n", u32AccessRights));
4497	Assert(!(u32AccessRights & RT_BIT(4))); /* System MBZ.*/
4498	Assert(u32AccessRights & RT_BIT(7)); /* Present MB1.*/
4499	Assert(!(u32AccessRights & 0xf00)); /* 11:8 MBZ. */
4500	Assert(!(u32AccessRights & 0xfffe0000)); /* 31:17 MBZ. */
4501	Assert( (u32Limit & 0xfff) == 0xfff
4502	\|\| !(u32AccessRights & RT_BIT(15))); /* Granularity MBZ. */
4503	Assert( !(pMixedCtx->tr.u32Limit & 0xfff00000)
4504	\|\| (u32AccessRights & RT_BIT(15))); /* Granularity MB1. */
4505
4506	rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_FIELD_TR, u16Sel); AssertRCReturn(rc, rc);
4507	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_TR_LIMIT, u32Limit); AssertRCReturn(rc, rc);
4508	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_TR_BASE, u64Base); AssertRCReturn(rc, rc);
4509	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_TR_ACCESS_RIGHTS, u32AccessRights); AssertRCReturn(rc, rc);
4510
4511	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_TR);
4512	Log4(("Load[%RU32]: VMX_VMCS_GUEST_TR_BASE=%#RX64\n", pVCpu->idCpu, u64Base));
4513	}
4514
4515	/*
4516	* Guest GDTR.
4517	*/
4518	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_GDTR))
4519	{
4520	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, pMixedCtx->gdtr.cbGdt); AssertRCReturn(rc, rc);
4521	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_GDTR_BASE, pMixedCtx->gdtr.pGdt); AssertRCReturn(rc, rc);
4522
4523	/* Validate. */
4524	Assert(!(pMixedCtx->gdtr.cbGdt & 0xffff0000)); /* Bits 31:16 MBZ. */
4525
4526	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_GDTR);
4527	Log4(("Load[%RU32]: VMX_VMCS_GUEST_GDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->gdtr.pGdt));
4528	}
4529
4530	/*
4531	* Guest LDTR.
4532	*/
4533	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_LDTR))
4534	{
4535	/* The unusable bit is specific to VT-x, if it's a null selector mark it as an unusable segment. */
4536	uint32_t u32Access = 0;
4537	if (!pMixedCtx->ldtr.Attr.u)
4538	u32Access = X86DESCATTR_UNUSABLE;
4539	else
4540	u32Access = pMixedCtx->ldtr.Attr.u;
4541
4542	rc = VMXWriteVmcs32(VMX_VMCS16_GUEST_FIELD_LDTR, pMixedCtx->ldtr.Sel); AssertRCReturn(rc, rc);
4543	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_LDTR_LIMIT, pMixedCtx->ldtr.u32Limit); AssertRCReturn(rc, rc);
4544	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_LDTR_BASE, pMixedCtx->ldtr.u64Base); AssertRCReturn(rc, rc);
4545	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_LDTR_ACCESS_RIGHTS, u32Access); AssertRCReturn(rc, rc);
4546
4547	/* Validate. */
4548	if (!(u32Access & X86DESCATTR_UNUSABLE))
4549	{
4550	Assert(!(pMixedCtx->ldtr.Sel & RT_BIT(2))); /* TI MBZ. */
4551	Assert(pMixedCtx->ldtr.Attr.n.u4Type == 2); /* Type MB2 (LDT). */
4552	Assert(!pMixedCtx->ldtr.Attr.n.u1DescType); /* System MBZ. */
4553	Assert(pMixedCtx->ldtr.Attr.n.u1Present == 1); /* Present MB1. */
4554	Assert(!pMixedCtx->ldtr.Attr.n.u4LimitHigh); /* 11:8 MBZ. */
4555	Assert(!(pMixedCtx->ldtr.Attr.u & 0xfffe0000)); /* 31:17 MBZ. */
4556	Assert( (pMixedCtx->ldtr.u32Limit & 0xfff) == 0xfff
4557	\|\| !pMixedCtx->ldtr.Attr.n.u1Granularity); /* Granularity MBZ. */
4558	Assert( !(pMixedCtx->ldtr.u32Limit & 0xfff00000)
4559	\|\| pMixedCtx->ldtr.Attr.n.u1Granularity); /* Granularity MB1. */
4560	}
4561
4562	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_LDTR);
4563	Log4(("Load[%RU32]: VMX_VMCS_GUEST_LDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->ldtr.u64Base));
4564	}
4565
4566	/*
4567	* Guest IDTR.
4568	*/
4569	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_IDTR))
4570	{
4571	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, pMixedCtx->idtr.cbIdt); AssertRCReturn(rc, rc);
4572	rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_IDTR_BASE, pMixedCtx->idtr.pIdt); AssertRCReturn(rc, rc);
4573
4574	/* Validate. */
4575	Assert(!(pMixedCtx->idtr.cbIdt & 0xffff0000)); /* Bits 31:16 MBZ. */
4576
4577	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_IDTR);
4578	Log4(("Load[%RU32]: VMX_VMCS_GUEST_IDTR_BASE=%#RX64\n", pVCpu->idCpu, pMixedCtx->idtr.pIdt));
4579	}
4580
4581	return VINF_SUCCESS;
4582	}
4583
4584
4585	/**
4586	* Loads certain guest MSRs into the VM-entry MSR-load and VM-exit MSR-store
4587	* areas.
4588	*
4589	* These MSRs will automatically be loaded to the host CPU on every successful
4590	* VM-entry and stored from the host CPU on every successful VM-exit. This also
4591	* creates/updates MSR slots for the host MSRs. The actual host MSR values are
4592	* -not- updated here for performance reasons. See hmR0VmxSaveHostMsrs().
4593	*
4594	* Also loads the sysenter MSRs into the guest-state area in the VMCS.
4595	*
4596	* @returns VBox status code.
4597	* @param pVCpu Pointer to the VMCPU.
4598	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4599	* out-of-sync. Make sure to update the required fields
4600	* before using them.
4601	*
4602	* @remarks No-long-jump zone!!!
4603	*/
4604	static int hmR0VmxLoadGuestMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4605	{
4606	AssertPtr(pVCpu);
4607	AssertPtr(pVCpu->hm.s.vmx.pvGuestMsr);
4608
4609	/*
4610	* MSRs that we use the auto-load/store MSR area in the VMCS.
4611	*/
4612	PVM pVM = pVCpu->CTX_SUFF(pVM);
4613	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS))
4614	{
4615	/* For 64-bit hosts, we load/restore them lazily, see hmR0VmxLazyLoadGuestMsrs(). */
4616	#if HC_ARCH_BITS == 32
4617	if (pVM->hm.s.fAllow64BitGuests)
4618	{
4619	int rc = VINF_SUCCESS;
4620	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_LSTAR, pMixedCtx->msrLSTAR, false, NULL);
4621	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K6_STAR, pMixedCtx->msrSTAR, false, NULL);
4622	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_SF_MASK, pMixedCtx->msrSFMASK, false, NULL);
4623	rc \|= hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_KERNEL_GS_BASE, pMixedCtx->msrKERNELGSBASE, false, NULL);
4624	AssertRCReturn(rc, rc);
4625	# ifdef LOG_ENABLED
4626	PVMXAUTOMSR pMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
4627	for (uint32_t i = 0; i < pVCpu->hm.s.vmx.cMsrs; i++, pMsr++)
4628	{
4629	Log4(("Load[%RU32]: MSR[%RU32]: u32Msr=%#RX32 u64Value=%#RX64\n", pVCpu->idCpu, i, pMsr->u32Msr,
4630	pMsr->u64Value));
4631	}
4632	# endif
4633	}
4634	#endif
4635	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
4636	}
4637
4638	/*
4639	* Guest Sysenter MSRs.
4640	* These flags are only set when MSR-bitmaps are not supported by the CPU and we cause
4641	* VM-exits on WRMSRs for these MSRs.
4642	*/
4643	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR))
4644	{
4645	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_SYSENTER_CS, pMixedCtx->SysEnter.cs); AssertRCReturn(rc, rc);
4646	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR);
4647	}
4648
4649	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR))
4650	{
4651	int rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_SYSENTER_EIP, pMixedCtx->SysEnter.eip); AssertRCReturn(rc, rc);
4652	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR);
4653	}
4654
4655	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR))
4656	{
4657	int rc = VMXWriteVmcsGstN(VMX_VMCS_GUEST_SYSENTER_ESP, pMixedCtx->SysEnter.esp); AssertRCReturn(rc, rc);
4658	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR);
4659	}
4660
4661	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_EFER_MSR))
4662	{
4663	if (hmR0VmxShouldSwapEferMsr(pVCpu, pMixedCtx))
4664	{
4665	/*
4666	* If the CPU supports VMCS controls for swapping EFER, use it. Otherwise, we have no option
4667	* but to use the auto-load store MSR area in the VMCS for swapping EFER. See @bugref{7368}.
4668	*/
4669	if (pVM->hm.s.vmx.fSupportsVmcsEfer)
4670	{
4671	int rc = VMXWriteVmcs64(VMX_VMCS64_GUEST_EFER_FULL, pMixedCtx->msrEFER);
4672	AssertRCReturn(rc,rc);
4673	Log4(("Load[%RU32]: VMX_VMCS64_GUEST_EFER_FULL=%#RX64\n", pVCpu->idCpu, pMixedCtx->msrEFER));
4674	}
4675	else
4676	{
4677	int rc = hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K6_EFER, pMixedCtx->msrEFER, false /* fUpdateHostMsr */,
4678	NULL /* pfAddedAndUpdated */);
4679	AssertRCReturn(rc, rc);
4680
4681	/* We need to intercept reads too, see @bugref{7386#c16}. */
4682	if (pVM->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
4683	hmR0VmxSetMsrPermission(pVCpu, MSR_K6_EFER, VMXMSREXIT_INTERCEPT_READ, VMXMSREXIT_INTERCEPT_WRITE);
4684	Log4(("Load[%RU32]: MSR[--]: u32Msr=%#RX32 u64Value=%#RX64 cMsrs=%u\n", pVCpu->idCpu, MSR_K6_EFER,
4685	pMixedCtx->msrEFER, pVCpu->hm.s.vmx.cMsrs));
4686	}
4687	}
4688	else if (!pVM->hm.s.vmx.fSupportsVmcsEfer)
4689	hmR0VmxRemoveAutoLoadStoreMsr(pVCpu, MSR_K6_EFER);
4690	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_EFER_MSR);
4691	}
4692
4693	return VINF_SUCCESS;
4694	}
4695
4696
4697	/**
4698	* Loads the guest activity state into the guest-state area in the VMCS.
4699	*
4700	* @returns VBox status code.
4701	* @param pVCpu Pointer to the VMCPU.
4702	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4703	* out-of-sync. Make sure to update the required fields
4704	* before using them.
4705	*
4706	* @remarks No-long-jump zone!!!
4707	*/
4708	static int hmR0VmxLoadGuestActivityState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4709	{
4710	NOREF(pMixedCtx);
4711	/** @todo See if we can make use of other states, e.g.
4712	* VMX_VMCS_GUEST_ACTIVITY_SHUTDOWN or HLT. */
4713	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_VMX_GUEST_ACTIVITY_STATE))
4714	{
4715	int rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_ACTIVITY_STATE, VMX_VMCS_GUEST_ACTIVITY_ACTIVE);
4716	AssertRCReturn(rc, rc);
4717
4718	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_VMX_GUEST_ACTIVITY_STATE);
4719	}
4720	return VINF_SUCCESS;
4721	}
4722
4723
4724	/**
4725	* Sets up the appropriate function to run guest code.
4726	*
4727	* @returns VBox status code.
4728	* @param pVCpu Pointer to the VMCPU.
4729	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
4730	* out-of-sync. Make sure to update the required fields
4731	* before using them.
4732	*
4733	* @remarks No-long-jump zone!!!
4734	*/
4735	static int hmR0VmxSetupVMRunHandler(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
4736	{
4737	if (CPUMIsGuestInLongModeEx(pMixedCtx))
4738	{
4739	#ifndef VBOX_ENABLE_64_BITS_GUESTS
4740	return VERR_PGM_UNSUPPORTED_SHADOW_PAGING_MODE;
4741	#endif
4742	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests); /* Guaranteed by hmR3InitFinalizeR0(). */
4743	#if HC_ARCH_BITS == 32
4744	/* 32-bit host. We need to switch to 64-bit before running the 64-bit guest. */
4745	if (pVCpu->hm.s.vmx.pfnStartVM != VMXR0SwitcherStartVM64)
4746	{
4747	if (pVCpu->hm.s.vmx.pfnStartVM != NULL) /* Very first entry would have saved host-state already, ignore it. */
4748	{
4749	/* Currently, all mode changes sends us back to ring-3, so these should be set. See @bugref{6944}. */
4750	AssertMsg(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_VMX_EXIT_CTLS
4751	\| HM_CHANGED_VMX_ENTRY_CTLS
4752	\| HM_CHANGED_GUEST_EFER_MSR), ("flags=%#x\n", HMCPU_CF_VALUE(pVCpu)));
4753	}
4754	pVCpu->hm.s.vmx.pfnStartVM = VMXR0SwitcherStartVM64;
4755	}
4756	#else
4757	/* 64-bit host. */
4758	pVCpu->hm.s.vmx.pfnStartVM = VMXR0StartVM64;
4759	#endif
4760	}
4761	else
4762	{
4763	/* Guest is not in long mode, use the 32-bit handler. */
4764	#if HC_ARCH_BITS == 32
4765	if ( pVCpu->hm.s.vmx.pfnStartVM != VMXR0StartVM32
4766	&& pVCpu->hm.s.vmx.pfnStartVM != NULL) /* Very first entry would have saved host-state already, ignore it. */
4767	{
4768	/* Currently, all mode changes sends us back to ring-3, so these should be set. See @bugref{6944}. */
4769	AssertMsg(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_VMX_EXIT_CTLS
4770	\| HM_CHANGED_VMX_ENTRY_CTLS
4771	\| HM_CHANGED_GUEST_EFER_MSR), ("flags=%#x\n", HMCPU_CF_VALUE(pVCpu)));
4772	}
4773	#endif
4774	pVCpu->hm.s.vmx.pfnStartVM = VMXR0StartVM32;
4775	}
4776	Assert(pVCpu->hm.s.vmx.pfnStartVM);
4777	return VINF_SUCCESS;
4778	}
4779
4780
4781	/**
4782	* Wrapper for running the guest code in VT-x.
4783	*
4784	* @returns VBox strict status code.
4785	* @param pVM Pointer to the VM.
4786	* @param pVCpu Pointer to the VMCPU.
4787	* @param pCtx Pointer to the guest-CPU context.
4788	*
4789	* @remarks No-long-jump zone!!!
4790	*/
4791	DECLINLINE(int) hmR0VmxRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
4792	{
4793	/*
4794	* 64-bit Windows uses XMM registers in the kernel as the Microsoft compiler expresses floating-point operations
4795	* using SSE instructions. Some XMM registers (XMM6-XMM15) are callee-saved and thus the need for this XMM wrapper.
4796	* Refer MSDN docs. "Configuring Programs for 64-bit / x64 Software Conventions / Register Usage" for details.
4797	*/
4798	bool const fResumeVM = RT_BOOL(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_LAUNCHED);
4799	/** @todo Add stats for resume vs launch. */
4800	#ifdef VBOX_WITH_KERNEL_USING_XMM
4801	return HMR0VMXStartVMWrapXMM(fResumeVM, pCtx, &pVCpu->hm.s.vmx.VMCSCache, pVM, pVCpu, pVCpu->hm.s.vmx.pfnStartVM);
4802	#else
4803	return pVCpu->hm.s.vmx.pfnStartVM(fResumeVM, pCtx, &pVCpu->hm.s.vmx.VMCSCache, pVM, pVCpu);
4804	#endif
4805	}
4806
4807
4808	/**
4809	* Reports world-switch error and dumps some useful debug info.
4810	*
4811	* @param pVM Pointer to the VM.
4812	* @param pVCpu Pointer to the VMCPU.
4813	* @param rcVMRun The return code from VMLAUNCH/VMRESUME.
4814	* @param pCtx Pointer to the guest-CPU context.
4815	* @param pVmxTransient Pointer to the VMX transient structure (only
4816	* exitReason updated).
4817	*/
4818	static void hmR0VmxReportWorldSwitchError(PVM pVM, PVMCPU pVCpu, int rcVMRun, PCPUMCTX pCtx, PVMXTRANSIENT pVmxTransient)
4819	{
4820	Assert(pVM);
4821	Assert(pVCpu);
4822	Assert(pCtx);
4823	Assert(pVmxTransient);
4824	HMVMX_ASSERT_PREEMPT_SAFE();
4825
4826	Log4(("VM-entry failure: %Rrc\n", rcVMRun));
4827	switch (rcVMRun)
4828	{
4829	case VERR_VMX_INVALID_VMXON_PTR:
4830	AssertFailed();
4831	break;
4832	case VINF_SUCCESS: /* VMLAUNCH/VMRESUME succeeded but VM-entry failed... yeah, true story. */
4833	case VERR_VMX_UNABLE_TO_START_VM: /* VMLAUNCH/VMRESUME itself failed. */
4834	{
4835	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_REASON, &pVCpu->hm.s.vmx.LastError.u32ExitReason);
4836	rc \|= VMXReadVmcs32(VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
4837	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
4838	AssertRC(rc);
4839
4840	pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hm.s.idEnteredCpu;
4841	/* LastError.idCurrentCpu was already updated in hmR0VmxPreRunGuestCommitted().
4842	Cannot do it here as we may have been long preempted. */
4843
4844	#ifdef VBOX_STRICT
4845	Log4(("uExitReason %#RX32 (VmxTransient %#RX16)\n", pVCpu->hm.s.vmx.LastError.u32ExitReason,
4846	pVmxTransient->uExitReason));
4847	Log4(("Exit Qualification %#RX64\n", pVmxTransient->uExitQualification));
4848	Log4(("InstrError %#RX32\n", pVCpu->hm.s.vmx.LastError.u32InstrError));
4849	if (pVCpu->hm.s.vmx.LastError.u32InstrError <= HMVMX_INSTR_ERROR_MAX)
4850	Log4(("InstrError Desc. \"%s\"\n", g_apszVmxInstrErrors[pVCpu->hm.s.vmx.LastError.u32InstrError]));
4851	else
4852	Log4(("InstrError Desc. Range exceeded %u\n", HMVMX_INSTR_ERROR_MAX));
4853	Log4(("Entered host CPU %u\n", pVCpu->hm.s.vmx.LastError.idEnteredCpu));
4854	Log4(("Current host CPU %u\n", pVCpu->hm.s.vmx.LastError.idCurrentCpu));
4855
4856	/* VMX control bits. */
4857	uint32_t u32Val;
4858	uint64_t u64Val;
4859	RTHCUINTREG uHCReg;
4860	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PIN_EXEC, &u32Val); AssertRC(rc);
4861	Log4(("VMX_VMCS32_CTRL_PIN_EXEC %#RX32\n", u32Val));
4862	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, &u32Val); AssertRC(rc);
4863	Log4(("VMX_VMCS32_CTRL_PROC_EXEC %#RX32\n", u32Val));
4864	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PROC_EXEC2, &u32Val); AssertRC(rc);
4865	Log4(("VMX_VMCS32_CTRL_PROC_EXEC2 %#RX32\n", u32Val));
4866	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val); AssertRC(rc);
4867	Log4(("VMX_VMCS32_CTRL_ENTRY %#RX32\n", u32Val));
4868	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT, &u32Val); AssertRC(rc);
4869	Log4(("VMX_VMCS32_CTRL_EXIT %#RX32\n", u32Val));
4870	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_CR3_TARGET_COUNT, &u32Val); AssertRC(rc);
4871	Log4(("VMX_VMCS32_CTRL_CR3_TARGET_COUNT %#RX32\n", u32Val));
4872	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &u32Val); AssertRC(rc);
4873	Log4(("VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO %#RX32\n", u32Val));
4874	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, &u32Val); AssertRC(rc);
4875	Log4(("VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE %#RX32\n", u32Val));
4876	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, &u32Val); AssertRC(rc);
4877	Log4(("VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH %u\n", u32Val));
4878	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_TPR_THRESHOLD, &u32Val); AssertRC(rc);
4879	Log4(("VMX_VMCS32_CTRL_TPR_THRESHOLD %u\n", u32Val));
4880	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, &u32Val); AssertRC(rc);
4881	Log4(("VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT %u (guest MSRs)\n", u32Val));
4882	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT, &u32Val); AssertRC(rc);
4883	Log4(("VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT %u (host MSRs)\n", u32Val));
4884	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, &u32Val); AssertRC(rc);
4885	Log4(("VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT %u (guest MSRs)\n", u32Val));
4886	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, &u32Val); AssertRC(rc);
4887	Log4(("VMX_VMCS32_CTRL_EXCEPTION_BITMAP %#RX32\n", u32Val));
4888	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK, &u32Val); AssertRC(rc);
4889	Log4(("VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK %#RX32\n", u32Val));
4890	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH, &u32Val); AssertRC(rc);
4891	Log4(("VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH %#RX32\n", u32Val));
4892	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_MASK, &uHCReg); AssertRC(rc);
4893	Log4(("VMX_VMCS_CTRL_CR0_MASK %#RHr\n", uHCReg));
4894	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uHCReg); AssertRC(rc);
4895	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
4896	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_MASK, &uHCReg); AssertRC(rc);
4897	Log4(("VMX_VMCS_CTRL_CR4_MASK %#RHr\n", uHCReg));
4898	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uHCReg); AssertRC(rc);
4899	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
4900	rc = VMXReadVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, &u64Val); AssertRC(rc);
4901	Log4(("VMX_VMCS64_CTRL_EPTP_FULL %#RX64\n", u64Val));
4902
4903	/* Guest bits. */
4904	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RIP, &u64Val); AssertRC(rc);
4905	Log4(("Old Guest Rip %#RX64 New %#RX64\n", pCtx->rip, u64Val));
4906	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RSP, &u64Val); AssertRC(rc);
4907	Log4(("Old Guest Rsp %#RX64 New %#RX64\n", pCtx->rsp, u64Val));
4908	rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &u32Val); AssertRC(rc);
4909	Log4(("Old Guest Rflags %#RX32 New %#RX32\n", pCtx->eflags.u32, u32Val));
4910	rc = VMXReadVmcs32(VMX_VMCS16_GUEST_FIELD_VPID, &u32Val); AssertRC(rc);
4911	Log4(("VMX_VMCS16_GUEST_FIELD_VPID %u\n", u32Val));
4912
4913	/* Host bits. */
4914	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR0, &uHCReg); AssertRC(rc);
4915	Log4(("Host CR0 %#RHr\n", uHCReg));
4916	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR3, &uHCReg); AssertRC(rc);
4917	Log4(("Host CR3 %#RHr\n", uHCReg));
4918	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_CR4, &uHCReg); AssertRC(rc);
4919	Log4(("Host CR4 %#RHr\n", uHCReg));
4920
4921	RTGDTR HostGdtr;
4922	PCX86DESCHC pDesc;
4923	ASMGetGDTR(&HostGdtr);
4924	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_CS, &u32Val); AssertRC(rc);
4925	Log4(("Host CS %#08x\n", u32Val));
4926	if (u32Val < HostGdtr.cbGdt)
4927	{
4928	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4929	HMR0DumpDescriptor(pDesc, u32Val, "CS: ");
4930	}
4931
4932	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_DS, &u32Val); AssertRC(rc);
4933	Log4(("Host DS %#08x\n", u32Val));
4934	if (u32Val < HostGdtr.cbGdt)
4935	{
4936	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4937	HMR0DumpDescriptor(pDesc, u32Val, "DS: ");
4938	}
4939
4940	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_ES, &u32Val); AssertRC(rc);
4941	Log4(("Host ES %#08x\n", u32Val));
4942	if (u32Val < HostGdtr.cbGdt)
4943	{
4944	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4945	HMR0DumpDescriptor(pDesc, u32Val, "ES: ");
4946	}
4947
4948	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_FS, &u32Val); AssertRC(rc);
4949	Log4(("Host FS %#08x\n", u32Val));
4950	if (u32Val < HostGdtr.cbGdt)
4951	{
4952	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4953	HMR0DumpDescriptor(pDesc, u32Val, "FS: ");
4954	}
4955
4956	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_GS, &u32Val); AssertRC(rc);
4957	Log4(("Host GS %#08x\n", u32Val));
4958	if (u32Val < HostGdtr.cbGdt)
4959	{
4960	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4961	HMR0DumpDescriptor(pDesc, u32Val, "GS: ");
4962	}
4963
4964	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_SS, &u32Val); AssertRC(rc);
4965	Log4(("Host SS %#08x\n", u32Val));
4966	if (u32Val < HostGdtr.cbGdt)
4967	{
4968	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4969	HMR0DumpDescriptor(pDesc, u32Val, "SS: ");
4970	}
4971
4972	rc = VMXReadVmcs32(VMX_VMCS16_HOST_FIELD_TR, &u32Val); AssertRC(rc);
4973	Log4(("Host TR %#08x\n", u32Val));
4974	if (u32Val < HostGdtr.cbGdt)
4975	{
4976	pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u32Val & X86_SEL_MASK));
4977	HMR0DumpDescriptor(pDesc, u32Val, "TR: ");
4978	}
4979
4980	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_TR_BASE, &uHCReg); AssertRC(rc);
4981	Log4(("Host TR Base %#RHv\n", uHCReg));
4982	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_GDTR_BASE, &uHCReg); AssertRC(rc);
4983	Log4(("Host GDTR Base %#RHv\n", uHCReg));
4984	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_IDTR_BASE, &uHCReg); AssertRC(rc);
4985	Log4(("Host IDTR Base %#RHv\n", uHCReg));
4986	rc = VMXReadVmcs32(VMX_VMCS32_HOST_SYSENTER_CS, &u32Val); AssertRC(rc);
4987	Log4(("Host SYSENTER CS %#08x\n", u32Val));
4988	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_SYSENTER_EIP, &uHCReg); AssertRC(rc);
4989	Log4(("Host SYSENTER EIP %#RHv\n", uHCReg));
4990	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_SYSENTER_ESP, &uHCReg); AssertRC(rc);
4991	Log4(("Host SYSENTER ESP %#RHv\n", uHCReg));
4992	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_RSP, &uHCReg); AssertRC(rc);
4993	Log4(("Host RSP %#RHv\n", uHCReg));
4994	rc = VMXReadVmcsHstN(VMX_VMCS_HOST_RIP, &uHCReg); AssertRC(rc);
4995	Log4(("Host RIP %#RHv\n", uHCReg));
4996	# if HC_ARCH_BITS == 64
4997	Log4(("MSR_K6_EFER = %#RX64\n", ASMRdMsr(MSR_K6_EFER)));
4998	Log4(("MSR_K8_CSTAR = %#RX64\n", ASMRdMsr(MSR_K8_CSTAR)));
4999	Log4(("MSR_K8_LSTAR = %#RX64\n", ASMRdMsr(MSR_K8_LSTAR)));
5000	Log4(("MSR_K6_STAR = %#RX64\n", ASMRdMsr(MSR_K6_STAR)));
5001	Log4(("MSR_K8_SF_MASK = %#RX64\n", ASMRdMsr(MSR_K8_SF_MASK)));
5002	Log4(("MSR_K8_KERNEL_GS_BASE = %#RX64\n", ASMRdMsr(MSR_K8_KERNEL_GS_BASE)));
5003	# endif
5004	#endif /* VBOX_STRICT */
5005	break;
5006	}
5007
5008	default:
5009	/* Impossible */
5010	AssertMsgFailed(("hmR0VmxReportWorldSwitchError %Rrc (%#x)\n", rcVMRun, rcVMRun));
5011	break;
5012	}
5013	NOREF(pVM); NOREF(pCtx);
5014	}
5015
5016
5017	#if HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS)
5018	#ifndef VMX_USE_CACHED_VMCS_ACCESSES
5019	# error "VMX_USE_CACHED_VMCS_ACCESSES not defined when it should be!"
5020	#endif
5021	#ifdef VBOX_STRICT
5022	static bool hmR0VmxIsValidWriteField(uint32_t idxField)
5023	{
5024	switch (idxField)
5025	{
5026	case VMX_VMCS_GUEST_RIP:
5027	case VMX_VMCS_GUEST_RSP:
5028	case VMX_VMCS_GUEST_SYSENTER_EIP:
5029	case VMX_VMCS_GUEST_SYSENTER_ESP:
5030	case VMX_VMCS_GUEST_GDTR_BASE:
5031	case VMX_VMCS_GUEST_IDTR_BASE:
5032	case VMX_VMCS_GUEST_CS_BASE:
5033	case VMX_VMCS_GUEST_DS_BASE:
5034	case VMX_VMCS_GUEST_ES_BASE:
5035	case VMX_VMCS_GUEST_FS_BASE:
5036	case VMX_VMCS_GUEST_GS_BASE:
5037	case VMX_VMCS_GUEST_SS_BASE:
5038	case VMX_VMCS_GUEST_LDTR_BASE:
5039	case VMX_VMCS_GUEST_TR_BASE:
5040	case VMX_VMCS_GUEST_CR3:
5041	return true;
5042	}
5043	return false;
5044	}
5045
5046	static bool hmR0VmxIsValidReadField(uint32_t idxField)
5047	{
5048	switch (idxField)
5049	{
5050	/* Read-only fields. */
5051	case VMX_VMCS_RO_EXIT_QUALIFICATION:
5052	return true;
5053	}
5054	/* Remaining readable fields should also be writable. */
5055	return hmR0VmxIsValidWriteField(idxField);
5056	}
5057	#endif /* VBOX_STRICT */
5058
5059
5060	/**
5061	* Executes the specified handler in 64-bit mode.
5062	*
5063	* @returns VBox status code.
5064	* @param pVM Pointer to the VM.
5065	* @param pVCpu Pointer to the VMCPU.
5066	* @param pCtx Pointer to the guest CPU context.
5067	* @param enmOp The operation to perform.
5068	* @param cParams Number of parameters.
5069	* @param paParam Array of 32-bit parameters.
5070	*/
5071	VMMR0DECL(int) VMXR0Execute64BitsHandler(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx, HM64ON32OP enmOp,
5072	uint32_t cParams, uint32_t *paParam)
5073	{
5074	NOREF(pCtx);
5075
5076	AssertReturn(pVM->hm.s.pfnHost32ToGuest64R0, VERR_HM_NO_32_TO_64_SWITCHER);
5077	Assert(enmOp > HM64ON32OP_INVALID && enmOp < HM64ON32OP_END);
5078	Assert(pVCpu->hm.s.vmx.VMCSCache.Write.cValidEntries <= RT_ELEMENTS(pVCpu->hm.s.vmx.VMCSCache.Write.aField));
5079	Assert(pVCpu->hm.s.vmx.VMCSCache.Read.cValidEntries <= RT_ELEMENTS(pVCpu->hm.s.vmx.VMCSCache.Read.aField));
5080
5081	#ifdef VBOX_STRICT
5082	for (uint32_t i = 0; i < pVCpu->hm.s.vmx.VMCSCache.Write.cValidEntries; i++)
5083	Assert(hmR0VmxIsValidWriteField(pVCpu->hm.s.vmx.VMCSCache.Write.aField[i]));
5084
5085	for (uint32_t i = 0; i <pVCpu->hm.s.vmx.VMCSCache.Read.cValidEntries; i++)
5086	Assert(hmR0VmxIsValidReadField(pVCpu->hm.s.vmx.VMCSCache.Read.aField[i]));
5087	#endif
5088
5089	/* Disable interrupts. */
5090	RTCCUINTREG fOldEFlags = ASMIntDisableFlags();
5091
5092	#ifdef VBOX_WITH_VMMR0_DISABLE_LAPIC_NMI
5093	RTCPUID idHostCpu = RTMpCpuId();
5094	CPUMR0SetLApic(pVCpu, idHostCpu);
5095	#endif
5096
5097	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
5098	RTHCPHYS HCPhysCpuPage = RTR0MemObjGetPagePhysAddr(pCpu->hMemObj, 0);
5099
5100	/* Clear VMCS. Marking it inactive, clearing implementation-specific data and writing VMCS data back to memory. */
5101	VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
5102
5103	/* Leave VMX Root Mode. */
5104	VMXDisable();
5105
5106	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
5107
5108	CPUMSetHyperESP(pVCpu, VMMGetStackRC(pVCpu));
5109	CPUMSetHyperEIP(pVCpu, enmOp);
5110	for (int i = (int)cParams - 1; i >= 0; i--)
5111	CPUMPushHyper(pVCpu, paParam[i]);
5112
5113	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatWorldSwitch3264, z);
5114
5115	/* Call the switcher. */
5116	int rc = pVM->hm.s.pfnHost32ToGuest64R0(pVM, RT_OFFSETOF(VM, aCpus[pVCpu->idCpu].cpum) - RT_OFFSETOF(VM, cpum));
5117	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatWorldSwitch3264, z);
5118
5119	/** @todo replace with hmR0VmxEnterRootMode() and hmR0VmxLeaveRootMode(). */
5120	/* Make sure the VMX instructions don't cause #UD faults. */
5121	SUPR0ChangeCR4(X86_CR4_VMXE, ~0);
5122
5123	/* Re-enter VMX Root Mode */
5124	int rc2 = VMXEnable(HCPhysCpuPage);
5125	if (RT_FAILURE(rc2))
5126	{
5127	SUPR0ChangeCR4(0, ~X86_CR4_VMXE);
5128	ASMSetFlags(fOldEFlags);
5129	pVM->hm.s.vmx.HCPhysVmxEnableError = HCPhysCpuPage;
5130	return rc2;
5131	}
5132
5133	rc2 = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
5134	AssertRC(rc2);
5135	Assert(!(ASMGetFlags() & X86_EFL_IF));
5136	ASMSetFlags(fOldEFlags);
5137	return rc;
5138	}
5139
5140
5141	/**
5142	* Prepares for and executes VMLAUNCH (64-bit guests) for 32-bit hosts
5143	* supporting 64-bit guests.
5144	*
5145	* @returns VBox status code.
5146	* @param fResume Whether to VMLAUNCH or VMRESUME.
5147	* @param pCtx Pointer to the guest-CPU context.
5148	* @param pCache Pointer to the VMCS cache.
5149	* @param pVM Pointer to the VM.
5150	* @param pVCpu Pointer to the VMCPU.
5151	*/
5152	DECLASM(int) VMXR0SwitcherStartVM64(RTHCUINT fResume, PCPUMCTX pCtx, PVMCSCACHE pCache, PVM pVM, PVMCPU pVCpu)
5153	{
5154	NOREF(fResume);
5155
5156	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
5157	RTHCPHYS HCPhysCpuPage = RTR0MemObjGetPagePhysAddr(pCpu->hMemObj, 0);
5158
5159	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5160	pCache->uPos = 1;
5161	pCache->interPD = PGMGetInterPaeCR3(pVM);
5162	pCache->pSwitcher = (uint64_t)pVM->hm.s.pfnHost32ToGuest64R0;
5163	#endif
5164
5165	#if defined(DEBUG) && defined(VMX_USE_CACHED_VMCS_ACCESSES)
5166	pCache->TestIn.HCPhysCpuPage = 0;
5167	pCache->TestIn.HCPhysVmcs = 0;
5168	pCache->TestIn.pCache = 0;
5169	pCache->TestOut.HCPhysVmcs = 0;
5170	pCache->TestOut.pCache = 0;
5171	pCache->TestOut.pCtx = 0;
5172	pCache->TestOut.eflags = 0;
5173	#else
5174	NOREF(pCache);
5175	#endif
5176
5177	uint32_t aParam[10];
5178	aParam[0] = (uint32_t)(HCPhysCpuPage); /* Param 1: VMXON physical address - Lo. */
5179	aParam[1] = (uint32_t)(HCPhysCpuPage >> 32); /* Param 1: VMXON physical address - Hi. */
5180	aParam[2] = (uint32_t)(pVCpu->hm.s.vmx.HCPhysVmcs); /* Param 2: VMCS physical address - Lo. */
5181	aParam[3] = (uint32_t)(pVCpu->hm.s.vmx.HCPhysVmcs >> 32); /* Param 2: VMCS physical address - Hi. */
5182	aParam[4] = VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache);
5183	aParam[5] = 0;
5184	aParam[6] = VM_RC_ADDR(pVM, pVM);
5185	aParam[7] = 0;
5186	aParam[8] = VM_RC_ADDR(pVM, pVCpu);
5187	aParam[9] = 0;
5188
5189	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5190	pCtx->dr[4] = pVM->hm.s.vmx.pScratchPhys + 16 + 8;
5191	(uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) = 1;
5192	#endif
5193	int rc = VMXR0Execute64BitsHandler(pVM, pVCpu, pCtx, HM64ON32OP_VMXRCStartVM64, RT_ELEMENTS(aParam), &aParam[0]);
5194
5195	#ifdef VBOX_WITH_CRASHDUMP_MAGIC
5196	Assert((uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) == 5);
5197	Assert(pCtx->dr[4] == 10);
5198	(uint32_t )(pVM->hm.s.vmx.pScratch + 16 + 8) = 0xff;
5199	#endif
5200
5201	#if defined(DEBUG) && defined(VMX_USE_CACHED_VMCS_ACCESSES)
5202	AssertMsg(pCache->TestIn.HCPhysCpuPage == HCPhysCpuPage, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysCpuPage, HCPhysCpuPage));
5203	AssertMsg(pCache->TestIn.HCPhysVmcs == pVCpu->hm.s.vmx.HCPhysVmcs, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysVmcs,
5204	pVCpu->hm.s.vmx.HCPhysVmcs));
5205	AssertMsg(pCache->TestIn.HCPhysVmcs == pCache->TestOut.HCPhysVmcs, ("%RHp vs %RHp\n", pCache->TestIn.HCPhysVmcs,
5206	pCache->TestOut.HCPhysVmcs));
5207	AssertMsg(pCache->TestIn.pCache == pCache->TestOut.pCache, ("%RGv vs %RGv\n", pCache->TestIn.pCache,
5208	pCache->TestOut.pCache));
5209	AssertMsg(pCache->TestIn.pCache == VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache),
5210	("%RGv vs %RGv\n", pCache->TestIn.pCache, VM_RC_ADDR(pVM, &pVM->aCpus[pVCpu->idCpu].hm.s.vmx.VMCSCache)));
5211	AssertMsg(pCache->TestIn.pCtx == pCache->TestOut.pCtx, ("%RGv vs %RGv\n", pCache->TestIn.pCtx,
5212	pCache->TestOut.pCtx));
5213	Assert(!(pCache->TestOut.eflags & X86_EFL_IF));
5214	#endif
5215	return rc;
5216	}
5217
5218
5219	/**
5220	* Initialize the VMCS-Read cache.
5221	*
5222	* The VMCS cache is used for 32-bit hosts running 64-bit guests (except 32-bit
5223	* Darwin which runs with 64-bit paging in 32-bit mode) for 64-bit fields that
5224	* cannot be accessed in 32-bit mode. Some 64-bit fields -can- be accessed
5225	* (those that have a 32-bit FULL & HIGH part).
5226	*
5227	* @returns VBox status code.
5228	* @param pVM Pointer to the VM.
5229	* @param pVCpu Pointer to the VMCPU.
5230	*/
5231	static int hmR0VmxInitVmcsReadCache(PVM pVM, PVMCPU pVCpu)
5232	{
5233	#define VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, idxField) \
5234	{ \
5235	Assert(pCache->Read.aField[idxField##_CACHE_IDX] == 0); \
5236	pCache->Read.aField[idxField##_CACHE_IDX] = idxField; \
5237	pCache->Read.aFieldVal[idxField##_CACHE_IDX] = 0; \
5238	++cReadFields; \
5239	}
5240
5241	AssertPtr(pVM);
5242	AssertPtr(pVCpu);
5243	PVMCSCACHE pCache = &pVCpu->hm.s.vmx.VMCSCache;
5244	uint32_t cReadFields = 0;
5245
5246	/*
5247	* Don't remove the #if 0'd fields in this code. They're listed here for consistency
5248	* and serve to indicate exceptions to the rules.
5249	*/
5250
5251	/* Guest-natural selector base fields. */
5252	#if 0
5253	/* These are 32-bit in practice. See Intel spec. 2.5 "Control Registers". */
5254	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR0);
5255	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR4);
5256	#endif
5257	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_ES_BASE);
5258	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CS_BASE);
5259	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SS_BASE);
5260	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_DS_BASE);
5261	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_FS_BASE);
5262	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_GS_BASE);
5263	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_LDTR_BASE);
5264	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_TR_BASE);
5265	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_GDTR_BASE);
5266	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_IDTR_BASE);
5267	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_RSP);
5268	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_RIP);
5269	#if 0
5270	/* Unused natural width guest-state fields. */
5271	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS);
5272	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR3); /* Handled in Nested Paging case */
5273	#endif
5274	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SYSENTER_ESP);
5275	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_SYSENTER_EIP);
5276
5277	/* 64-bit guest-state fields; unused as we use two 32-bit VMREADs for these 64-bit fields (using "FULL" and "HIGH" fields). */
5278	#if 0
5279	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL);
5280	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_DEBUGCTL_FULL);
5281	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PAT_FULL);
5282	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_EFER_FULL);
5283	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL);
5284	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE0_FULL);
5285	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE1_FULL);
5286	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE2_FULL);
5287	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS64_GUEST_PDPTE3_FULL);
5288	#endif
5289
5290	/* Natural width guest-state fields. */
5291	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_RO_EXIT_QUALIFICATION);
5292	#if 0
5293	/* Currently unused field. */
5294	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_RO_EXIT_GUEST_LINEAR_ADDR);
5295	#endif
5296
5297	if (pVM->hm.s.fNestedPaging)
5298	{
5299	VMXLOCAL_INIT_READ_CACHE_FIELD(pCache, VMX_VMCS_GUEST_CR3);
5300	AssertMsg(cReadFields == VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX, ("cReadFields=%u expected %u\n", cReadFields,
5301	VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX));
5302	pCache->Read.cValidEntries = VMX_VMCS_MAX_NESTED_PAGING_CACHE_IDX;
5303	}
5304	else
5305	{
5306	AssertMsg(cReadFields == VMX_VMCS_MAX_CACHE_IDX, ("cReadFields=%u expected %u\n", cReadFields, VMX_VMCS_MAX_CACHE_IDX));
5307	pCache->Read.cValidEntries = VMX_VMCS_MAX_CACHE_IDX;
5308	}
5309
5310	#undef VMXLOCAL_INIT_READ_CACHE_FIELD
5311	return VINF_SUCCESS;
5312	}
5313
5314
5315	/**
5316	* Writes a field into the VMCS. This can either directly invoke a VMWRITE or
5317	* queue up the VMWRITE by using the VMCS write cache (on 32-bit hosts, except
5318	* darwin, running 64-bit guests).
5319	*
5320	* @returns VBox status code.
5321	* @param pVCpu Pointer to the VMCPU.
5322	* @param idxField The VMCS field encoding.
5323	* @param u64Val 16, 32 or 64-bit value.
5324	*/
5325	VMMR0DECL(int) VMXWriteVmcs64Ex(PVMCPU pVCpu, uint32_t idxField, uint64_t u64Val)
5326	{
5327	int rc;
5328	switch (idxField)
5329	{
5330	/*
5331	* These fields consists of a "FULL" and a "HIGH" part which can be written to individually.
5332	*/
5333	/* 64-bit Control fields. */
5334	case VMX_VMCS64_CTRL_IO_BITMAP_A_FULL:
5335	case VMX_VMCS64_CTRL_IO_BITMAP_B_FULL:
5336	case VMX_VMCS64_CTRL_MSR_BITMAP_FULL:
5337	case VMX_VMCS64_CTRL_EXIT_MSR_STORE_FULL:
5338	case VMX_VMCS64_CTRL_EXIT_MSR_LOAD_FULL:
5339	case VMX_VMCS64_CTRL_ENTRY_MSR_LOAD_FULL:
5340	case VMX_VMCS64_CTRL_EXEC_VMCS_PTR_FULL:
5341	case VMX_VMCS64_CTRL_TSC_OFFSET_FULL:
5342	case VMX_VMCS64_CTRL_VAPIC_PAGEADDR_FULL:
5343	case VMX_VMCS64_CTRL_APIC_ACCESSADDR_FULL:
5344	case VMX_VMCS64_CTRL_VMFUNC_CTRLS_FULL:
5345	case VMX_VMCS64_CTRL_EPTP_FULL:
5346	case VMX_VMCS64_CTRL_EPTP_LIST_FULL:
5347	/* 64-bit Guest-state fields. */
5348	case VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL:
5349	case VMX_VMCS64_GUEST_DEBUGCTL_FULL:
5350	case VMX_VMCS64_GUEST_PAT_FULL:
5351	case VMX_VMCS64_GUEST_EFER_FULL:
5352	case VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL:
5353	case VMX_VMCS64_GUEST_PDPTE0_FULL:
5354	case VMX_VMCS64_GUEST_PDPTE1_FULL:
5355	case VMX_VMCS64_GUEST_PDPTE2_FULL:
5356	case VMX_VMCS64_GUEST_PDPTE3_FULL:
5357	/* 64-bit Host-state fields. */
5358	case VMX_VMCS64_HOST_FIELD_PAT_FULL:
5359	case VMX_VMCS64_HOST_FIELD_EFER_FULL:
5360	case VMX_VMCS64_HOST_PERF_GLOBAL_CTRL_FULL:
5361	{
5362	rc = VMXWriteVmcs32(idxField, u64Val);
5363	rc \|= VMXWriteVmcs32(idxField + 1, (uint32_t)(u64Val >> 32));
5364	break;
5365	}
5366
5367	/*
5368	* These fields do not have high and low parts. Queue up the VMWRITE by using the VMCS write-cache (for 64-bit
5369	* values). When we switch the host to 64-bit mode for running 64-bit guests, these VMWRITEs get executed then.
5370	*/
5371	/* Natural-width Guest-state fields. */
5372	case VMX_VMCS_GUEST_CR3:
5373	case VMX_VMCS_GUEST_ES_BASE:
5374	case VMX_VMCS_GUEST_CS_BASE:
5375	case VMX_VMCS_GUEST_SS_BASE:
5376	case VMX_VMCS_GUEST_DS_BASE:
5377	case VMX_VMCS_GUEST_FS_BASE:
5378	case VMX_VMCS_GUEST_GS_BASE:
5379	case VMX_VMCS_GUEST_LDTR_BASE:
5380	case VMX_VMCS_GUEST_TR_BASE:
5381	case VMX_VMCS_GUEST_GDTR_BASE:
5382	case VMX_VMCS_GUEST_IDTR_BASE:
5383	case VMX_VMCS_GUEST_RSP:
5384	case VMX_VMCS_GUEST_RIP:
5385	case VMX_VMCS_GUEST_SYSENTER_ESP:
5386	case VMX_VMCS_GUEST_SYSENTER_EIP:
5387	{
5388	if (!(u64Val >> 32))
5389	{
5390	/* If this field is 64-bit, VT-x will zero out the top bits. */
5391	rc = VMXWriteVmcs32(idxField, (uint32_t)u64Val);
5392	}
5393	else
5394	{
5395	/* Assert that only the 32->64 switcher case should ever come here. */
5396	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests);
5397	rc = VMXWriteCachedVmcsEx(pVCpu, idxField, u64Val);
5398	}
5399	break;
5400	}
5401
5402	default:
5403	{
5404	AssertMsgFailed(("VMXWriteVmcs64Ex: Invalid field %#RX32 (pVCpu=%p u64Val=%#RX64)\n", idxField, pVCpu, u64Val));
5405	rc = VERR_INVALID_PARAMETER;
5406	break;
5407	}
5408	}
5409	AssertRCReturn(rc, rc);
5410	return rc;
5411	}
5412
5413
5414	/**
5415	* Queue up a VMWRITE by using the VMCS write cache.
5416	* This is only used on 32-bit hosts (except darwin) for 64-bit guests.
5417	*
5418	* @param pVCpu Pointer to the VMCPU.
5419	* @param idxField The VMCS field encoding.
5420	* @param u64Val 16, 32 or 64-bit value.
5421	*/
5422	VMMR0DECL(int) VMXWriteCachedVmcsEx(PVMCPU pVCpu, uint32_t idxField, uint64_t u64Val)
5423	{
5424	AssertPtr(pVCpu);
5425	PVMCSCACHE pCache = &pVCpu->hm.s.vmx.VMCSCache;
5426
5427	AssertMsgReturn(pCache->Write.cValidEntries < VMCSCACHE_MAX_ENTRY - 1,
5428	("entries=%u\n", pCache->Write.cValidEntries), VERR_ACCESS_DENIED);
5429
5430	/* Make sure there are no duplicates. */
5431	for (uint32_t i = 0; i < pCache->Write.cValidEntries; i++)
5432	{
5433	if (pCache->Write.aField[i] == idxField)
5434	{
5435	pCache->Write.aFieldVal[i] = u64Val;
5436	return VINF_SUCCESS;
5437	}
5438	}
5439
5440	pCache->Write.aField[pCache->Write.cValidEntries] = idxField;
5441	pCache->Write.aFieldVal[pCache->Write.cValidEntries] = u64Val;
5442	pCache->Write.cValidEntries++;
5443	return VINF_SUCCESS;
5444	}
5445	#endif /* HC_ARCH_BITS == 32 && defined(VBOX_ENABLE_64_BITS_GUESTS) */
5446
5447
5448	/**
5449	* Sets up the usage of TSC-offsetting and updates the VMCS.
5450	*
5451	* If offsetting is not possible, cause VM-exits on RDTSC(P)s. Also sets up the
5452	* VMX preemption timer.
5453	*
5454	* @returns VBox status code.
5455	* @param pVM Pointer to the cross context VM structure.
5456	* @param pVCpu Pointer to the VMCPU.
5457	*
5458	* @remarks No-long-jump zone!!!
5459	*/
5460	static void hmR0VmxUpdateTscOffsettingAndPreemptTimer(PVM pVM, PVMCPU pVCpu)
5461	{
5462	int rc;
5463	bool fOffsettedTsc;
5464	bool fParavirtTsc;
5465	if (pVM->hm.s.vmx.fUsePreemptTimer)
5466	{
5467	uint64_t cTicksToDeadline = TMCpuTickGetDeadlineAndTscOffset(pVM, pVCpu, &pVCpu->hm.s.vmx.u64TSCOffset,
5468	&fOffsettedTsc, &fParavirtTsc);
5469
5470	/* Make sure the returned values have sane upper and lower boundaries. */
5471	uint64_t u64CpuHz = SUPGetCpuHzFromGipBySetIndex(g_pSUPGlobalInfoPage, pVCpu->iHostCpuSet);
5472	cTicksToDeadline = RT_MIN(cTicksToDeadline, u64CpuHz / 64); /* 1/64th of a second */
5473	cTicksToDeadline = RT_MAX(cTicksToDeadline, u64CpuHz / 2048); /* 1/2048th of a second */
5474	cTicksToDeadline >>= pVM->hm.s.vmx.cPreemptTimerShift;
5475
5476	uint32_t cPreemptionTickCount = (uint32_t)RT_MIN(cTicksToDeadline, UINT32_MAX - 16);
5477	rc = VMXWriteVmcs32(VMX_VMCS32_GUEST_PREEMPT_TIMER_VALUE, cPreemptionTickCount); AssertRC(rc);
5478	}
5479	else
5480	fOffsettedTsc = TMCpuTickCanUseRealTSC(pVM, pVCpu, &pVCpu->hm.s.vmx.u64TSCOffset, &fParavirtTsc);
5481
5482	/** @todo later optimize this to be done elsewhere and not before every
5483	* VM-entry. */
5484	if (fParavirtTsc)
5485	{
5486	/* Currently neither Hyper-V nor KVM need to update their paravirt. TSC
5487	information before every VM-entry, hence disable it for performance sake. */
5488	#if 0
5489	rc = GIMR0UpdateParavirtTsc(pVM, 0 /* u64Offset */);
5490	AssertRC(rc);
5491	#endif
5492	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscParavirt);
5493	}
5494
5495	if (fOffsettedTsc)
5496	{
5497	/* Note: VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT takes precedence over TSC_OFFSET, applies to RDTSCP too. */
5498	rc = VMXWriteVmcs64(VMX_VMCS64_CTRL_TSC_OFFSET_FULL, pVCpu->hm.s.vmx.u64TSCOffset); AssertRC(rc);
5499
5500	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT;
5501	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRC(rc);
5502	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscOffset);
5503	}
5504	else
5505	{
5506	/* We can't use TSC-offsetting (non-fixed TSC, warp drive active etc.), VM-exit on RDTSC(P). */
5507	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT;
5508	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRC(rc);
5509	STAM_COUNTER_INC(&pVCpu->hm.s.StatTscIntercept);
5510	}
5511	}
5512
5513
5514	/**
5515	* Determines if an exception is a contributory exception.
5516	*
5517	* Contributory exceptions are ones which can cause double-faults unless the
5518	* original exception was a benign exception. Page-fault is intentionally not
5519	* included here as it's a conditional contributory exception.
5520	*
5521	* @returns true if the exception is contributory, false otherwise.
5522	* @param uVector The exception vector.
5523	*/
5524	DECLINLINE(bool) hmR0VmxIsContributoryXcpt(const uint32_t uVector)
5525	{
5526	switch (uVector)
5527	{
5528	case X86_XCPT_GP:
5529	case X86_XCPT_SS:
5530	case X86_XCPT_NP:
5531	case X86_XCPT_TS:
5532	case X86_XCPT_DE:
5533	return true;
5534	default:
5535	break;
5536	}
5537	return false;
5538	}
5539
5540
5541	/**
5542	* Sets an event as a pending event to be injected into the guest.
5543	*
5544	* @param pVCpu Pointer to the VMCPU.
5545	* @param u32IntInfo The VM-entry interruption-information field.
5546	* @param cbInstr The VM-entry instruction length in bytes (for software
5547	* interrupts, exceptions and privileged software
5548	* exceptions).
5549	* @param u32ErrCode The VM-entry exception error code.
5550	* @param GCPtrFaultAddress The fault-address (CR2) in case it's a
5551	* page-fault.
5552	*
5553	* @remarks Statistics counter assumes this is a guest event being injected or
5554	* re-injected into the guest, i.e. 'StatInjectPendingReflect' is
5555	* always incremented.
5556	*/
5557	DECLINLINE(void) hmR0VmxSetPendingEvent(PVMCPU pVCpu, uint32_t u32IntInfo, uint32_t cbInstr, uint32_t u32ErrCode,
5558	RTGCUINTPTR GCPtrFaultAddress)
5559	{
5560	Assert(!pVCpu->hm.s.Event.fPending);
5561	pVCpu->hm.s.Event.fPending = true;
5562	pVCpu->hm.s.Event.u64IntInfo = u32IntInfo;
5563	pVCpu->hm.s.Event.u32ErrCode = u32ErrCode;
5564	pVCpu->hm.s.Event.cbInstr = cbInstr;
5565	pVCpu->hm.s.Event.GCPtrFaultAddress = GCPtrFaultAddress;
5566
5567	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectPendingReflect);
5568	}
5569
5570
5571	/**
5572	* Sets a double-fault (\#DF) exception as pending-for-injection into the VM.
5573	*
5574	* @param pVCpu Pointer to the VMCPU.
5575	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
5576	* out-of-sync. Make sure to update the required fields
5577	* before using them.
5578	*/
5579	DECLINLINE(void) hmR0VmxSetPendingXcptDF(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5580	{
5581	NOREF(pMixedCtx);
5582	uint32_t u32IntInfo = X86_XCPT_DF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
5583	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
5584	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
5585	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
5586	}
5587
5588
5589	/**
5590	* Handle a condition that occurred while delivering an event through the guest
5591	* IDT.
5592	*
5593	* @returns VBox status code (informational error codes included).
5594	* @retval VINF_SUCCESS if we should continue handling the VM-exit.
5595	* @retval VINF_HM_DOUBLE_FAULT if a \#DF condition was detected and we ought to
5596	* continue execution of the guest which will delivery the \#DF.
5597	* @retval VINF_EM_RESET if we detected a triple-fault condition.
5598	*
5599	* @param pVCpu Pointer to the VMCPU.
5600	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
5601	* out-of-sync. Make sure to update the required fields
5602	* before using them.
5603	* @param pVmxTransient Pointer to the VMX transient structure.
5604	*
5605	* @remarks No-long-jump zone!!!
5606	*/
5607	static int hmR0VmxCheckExitDueToEventDelivery(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
5608	{
5609	uint32_t uExitVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(pVmxTransient->uExitIntInfo);
5610
5611	int rc = hmR0VmxReadIdtVectoringInfoVmcs(pVmxTransient);
5612	AssertRCReturn(rc, rc);
5613	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
5614	AssertRCReturn(rc, rc);
5615
5616	if (VMX_IDT_VECTORING_INFO_VALID(pVmxTransient->uIdtVectoringInfo))
5617	{
5618	uint32_t uIdtVectorType = VMX_IDT_VECTORING_INFO_TYPE(pVmxTransient->uIdtVectoringInfo);
5619	uint32_t uIdtVector = VMX_IDT_VECTORING_INFO_VECTOR(pVmxTransient->uIdtVectoringInfo);
5620
5621	typedef enum
5622	{
5623	VMXREFLECTXCPT_XCPT, /* Reflect the exception to the guest or for further evaluation by VMM. */
5624	VMXREFLECTXCPT_DF, /* Reflect the exception as a double-fault to the guest. */
5625	VMXREFLECTXCPT_TF, /* Indicate a triple faulted state to the VMM. */
5626	VMXREFLECTXCPT_NONE /* Nothing to reflect. */
5627	} VMXREFLECTXCPT;
5628
5629	/* See Intel spec. 30.7.1.1 "Reflecting Exceptions to Guest Software". */
5630	VMXREFLECTXCPT enmReflect = VMXREFLECTXCPT_NONE;
5631	if (VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo))
5632	{
5633	if (uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT)
5634	{
5635	enmReflect = VMXREFLECTXCPT_XCPT;
5636	#ifdef VBOX_STRICT
5637	if ( hmR0VmxIsContributoryXcpt(uIdtVector)
5638	&& uExitVector == X86_XCPT_PF)
5639	{
5640	Log4(("IDT: vcpu[%RU32] Contributory #PF uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5641	}
5642	#endif
5643	if ( uExitVector == X86_XCPT_PF
5644	&& uIdtVector == X86_XCPT_PF)
5645	{
5646	pVmxTransient->fVectoringDoublePF = true;
5647	Log4(("IDT: vcpu[%RU32] Vectoring Double #PF uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5648	}
5649	else if ( (pVCpu->hm.s.vmx.u32XcptBitmap & HMVMX_CONTRIBUTORY_XCPT_MASK)
5650	&& hmR0VmxIsContributoryXcpt(uExitVector)
5651	&& ( hmR0VmxIsContributoryXcpt(uIdtVector)
5652	\|\| uIdtVector == X86_XCPT_PF))
5653	{
5654	enmReflect = VMXREFLECTXCPT_DF;
5655	}
5656	else if (uIdtVector == X86_XCPT_DF)
5657	enmReflect = VMXREFLECTXCPT_TF;
5658	}
5659	else if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_EXT_INT
5660	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI)
5661	{
5662	/*
5663	* Ignore software interrupts (INT n), software exceptions (#BP, #OF) and
5664	* privileged software exception (#DB from ICEBP) as they reoccur when restarting the instruction.
5665	*/
5666	enmReflect = VMXREFLECTXCPT_XCPT;
5667
5668	if (uExitVector == X86_XCPT_PF)
5669	{
5670	pVmxTransient->fVectoringPF = true;
5671	Log4(("IDT: vcpu[%RU32] Vectoring #PF due to Ext-Int/NMI. uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2));
5672	}
5673	}
5674	}
5675	else if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
5676	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_EXT_INT
5677	\|\| uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI)
5678	{
5679	/*
5680	* If event delivery caused an EPT violation/misconfig or APIC access VM-exit, then the VM-exit
5681	* interruption-information will not be valid as it's not an exception and we end up here. In such cases,
5682	* it is sufficient to reflect the original exception to the guest after handling the VM-exit.
5683	*/
5684	enmReflect = VMXREFLECTXCPT_XCPT;
5685	}
5686
5687	/*
5688	* On CPUs that support Virtual NMIs, if this VM-exit (be it an exception or EPT violation/misconfig etc.) occurred
5689	* while delivering the NMI, we need to clear the block-by-NMI field in the guest interruptibility-state before
5690	* re-delivering the NMI after handling the VM-exit. Otherwise the subsequent VM-entry would fail.
5691	*
5692	* See Intel spec. 30.7.1.2 "Resuming Guest Software after Handling an Exception". See @bugref{7445}.
5693	*/
5694	if ( uIdtVectorType == VMX_IDT_VECTORING_INFO_TYPE_NMI
5695	&& enmReflect == VMXREFLECTXCPT_XCPT
5696	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
5697	&& VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5698	{
5699	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
5700	}
5701
5702	switch (enmReflect)
5703	{
5704	case VMXREFLECTXCPT_XCPT:
5705	{
5706	Assert( uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_SW_INT
5707	&& uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT
5708	&& uIdtVectorType != VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT);
5709
5710	uint32_t u32ErrCode = 0;
5711	if (VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVmxTransient->uIdtVectoringInfo))
5712	{
5713	rc = hmR0VmxReadIdtVectoringErrorCodeVmcs(pVmxTransient);
5714	AssertRCReturn(rc, rc);
5715	u32ErrCode = pVmxTransient->uIdtVectoringErrorCode;
5716	}
5717
5718	/* If uExitVector is #PF, CR2 value will be updated from the VMCS if it's a guest #PF. See hmR0VmxExitXcptPF(). */
5719	hmR0VmxSetPendingEvent(pVCpu, VMX_ENTRY_INT_INFO_FROM_EXIT_IDT_INFO(pVmxTransient->uIdtVectoringInfo),
5720	0 /* cbInstr */, u32ErrCode, pMixedCtx->cr2);
5721	rc = VINF_SUCCESS;
5722	Log4(("IDT: vcpu[%RU32] Pending vectoring event %#RX64 Err=%#RX32\n", pVCpu->idCpu,
5723	pVCpu->hm.s.Event.u64IntInfo, pVCpu->hm.s.Event.u32ErrCode));
5724
5725	break;
5726	}
5727
5728	case VMXREFLECTXCPT_DF:
5729	{
5730	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
5731	rc = VINF_HM_DOUBLE_FAULT;
5732	Log4(("IDT: vcpu[%RU32] Pending vectoring #DF %#RX64 uIdtVector=%#x uExitVector=%#x\n", pVCpu->idCpu,
5733	pVCpu->hm.s.Event.u64IntInfo, uIdtVector, uExitVector));
5734
5735	break;
5736	}
5737
5738	case VMXREFLECTXCPT_TF:
5739	{
5740	rc = VINF_EM_RESET;
5741	Log4(("IDT: vcpu[%RU32] Pending vectoring triple-fault uIdt=%#x uExit=%#x\n", pVCpu->idCpu, uIdtVector,
5742	uExitVector));
5743	break;
5744	}
5745
5746	default:
5747	Assert(rc == VINF_SUCCESS);
5748	break;
5749	}
5750	}
5751	else if ( VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo)
5752	&& VMX_EXIT_INTERRUPTION_INFO_NMI_UNBLOCK_IRET(pVmxTransient->uExitIntInfo)
5753	&& uExitVector != X86_XCPT_DF
5754	&& (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI))
5755	{
5756	/*
5757	* Execution of IRET caused this fault when NMI blocking was in effect (i.e we're in the guest NMI handler).
5758	* We need to set the block-by-NMI field so that NMIs remain blocked until the IRET execution is restarted.
5759	* See Intel spec. 30.7.1.2 "Resuming guest software after handling an exception".
5760	*/
5761	if (!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5762	{
5763	Log4(("hmR0VmxCheckExitDueToEventDelivery: vcpu[%RU32] Setting VMCPU_FF_BLOCK_NMIS. Valid=%RTbool uExitReason=%u\n",
5764	pVCpu->idCpu, VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo), pVmxTransient->uExitReason));
5765	VMCPU_FF_SET(pVCpu, VMCPU_FF_BLOCK_NMIS);
5766	}
5767	}
5768
5769	Assert(rc == VINF_SUCCESS \|\| rc == VINF_HM_DOUBLE_FAULT \|\| rc == VINF_EM_RESET);
5770	return rc;
5771	}
5772
5773
5774	/**
5775	* Saves the guest's CR0 register from the VMCS into the guest-CPU context.
5776	*
5777	* @returns VBox status code.
5778	* @param pVCpu Pointer to the VMCPU.
5779	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5780	* out-of-sync. Make sure to update the required fields
5781	* before using them.
5782	*
5783	* @remarks No-long-jump zone!!!
5784	*/
5785	static int hmR0VmxSaveGuestCR0(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5786	{
5787	NOREF(pMixedCtx);
5788
5789	/*
5790	* While in the middle of saving guest-CR0, we could get preempted and re-invoked from the preemption hook,
5791	* see hmR0VmxLeave(). Safer to just make this code non-preemptible.
5792	*/
5793	VMMRZCallRing3Disable(pVCpu);
5794	HM_DISABLE_PREEMPT();
5795
5796	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0))
5797	{
5798	uint32_t uVal = 0;
5799	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &uVal);
5800	AssertRCReturn(rc, rc);
5801
5802	uint32_t uShadow = 0;
5803	rc = VMXReadVmcs32(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uShadow);
5804	AssertRCReturn(rc, rc);
5805
5806	uVal = (uShadow & pVCpu->hm.s.vmx.u32CR0Mask) \| (uVal & ~pVCpu->hm.s.vmx.u32CR0Mask);
5807	CPUMSetGuestCR0(pVCpu, uVal);
5808	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0);
5809	}
5810
5811	HM_RESTORE_PREEMPT();
5812	VMMRZCallRing3Enable(pVCpu);
5813	return VINF_SUCCESS;
5814	}
5815
5816
5817	/**
5818	* Saves the guest's CR4 register from the VMCS into the guest-CPU context.
5819	*
5820	* @returns VBox status code.
5821	* @param pVCpu Pointer to the VMCPU.
5822	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5823	* out-of-sync. Make sure to update the required fields
5824	* before using them.
5825	*
5826	* @remarks No-long-jump zone!!!
5827	*/
5828	static int hmR0VmxSaveGuestCR4(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5829	{
5830	NOREF(pMixedCtx);
5831
5832	int rc = VINF_SUCCESS;
5833	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4))
5834	{
5835	uint32_t uVal = 0;
5836	uint32_t uShadow = 0;
5837	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR4, &uVal);
5838	AssertRCReturn(rc, rc);
5839	rc = VMXReadVmcs32(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uShadow);
5840	AssertRCReturn(rc, rc);
5841
5842	uVal = (uShadow & pVCpu->hm.s.vmx.u32CR4Mask) \| (uVal & ~pVCpu->hm.s.vmx.u32CR4Mask);
5843	CPUMSetGuestCR4(pVCpu, uVal);
5844	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4);
5845	}
5846	return rc;
5847	}
5848
5849
5850	/**
5851	* Saves the guest's RIP register from the VMCS into the guest-CPU context.
5852	*
5853	* @returns VBox status code.
5854	* @param pVCpu Pointer to the VMCPU.
5855	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5856	* out-of-sync. Make sure to update the required fields
5857	* before using them.
5858	*
5859	* @remarks No-long-jump zone!!!
5860	*/
5861	static int hmR0VmxSaveGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5862	{
5863	int rc = VINF_SUCCESS;
5864	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP))
5865	{
5866	uint64_t u64Val = 0;
5867	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RIP, &u64Val);
5868	AssertRCReturn(rc, rc);
5869
5870	pMixedCtx->rip = u64Val;
5871	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP);
5872	}
5873	return rc;
5874	}
5875
5876
5877	/**
5878	* Saves the guest's RSP register from the VMCS into the guest-CPU context.
5879	*
5880	* @returns VBox status code.
5881	* @param pVCpu Pointer to the VMCPU.
5882	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5883	* out-of-sync. Make sure to update the required fields
5884	* before using them.
5885	*
5886	* @remarks No-long-jump zone!!!
5887	*/
5888	static int hmR0VmxSaveGuestRsp(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5889	{
5890	int rc = VINF_SUCCESS;
5891	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RSP))
5892	{
5893	uint64_t u64Val = 0;
5894	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_RSP, &u64Val);
5895	AssertRCReturn(rc, rc);
5896
5897	pMixedCtx->rsp = u64Val;
5898	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RSP);
5899	}
5900	return rc;
5901	}
5902
5903
5904	/**
5905	* Saves the guest's RFLAGS from the VMCS into the guest-CPU context.
5906	*
5907	* @returns VBox status code.
5908	* @param pVCpu Pointer to the VMCPU.
5909	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5910	* out-of-sync. Make sure to update the required fields
5911	* before using them.
5912	*
5913	* @remarks No-long-jump zone!!!
5914	*/
5915	static int hmR0VmxSaveGuestRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5916	{
5917	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS))
5918	{
5919	uint32_t uVal = 0;
5920	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &uVal);
5921	AssertRCReturn(rc, rc);
5922
5923	pMixedCtx->eflags.u32 = uVal;
5924	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active) /* Undo our real-on-v86-mode changes to eflags if necessary. */
5925	{
5926	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
5927	Log4(("Saving real-mode EFLAGS VT-x view=%#RX32\n", pMixedCtx->eflags.u32));
5928
5929	pMixedCtx->eflags.Bits.u1VM = 0;
5930	pMixedCtx->eflags.Bits.u2IOPL = pVCpu->hm.s.vmx.RealMode.Eflags.Bits.u2IOPL;
5931	}
5932
5933	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS);
5934	}
5935	return VINF_SUCCESS;
5936	}
5937
5938
5939	/**
5940	* Wrapper for saving the guest's RIP, RSP and RFLAGS from the VMCS into the
5941	* guest-CPU context.
5942	*/
5943	DECLINLINE(int) hmR0VmxSaveGuestRipRspRflags(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5944	{
5945	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
5946	rc \|= hmR0VmxSaveGuestRsp(pVCpu, pMixedCtx);
5947	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
5948	return rc;
5949	}
5950
5951
5952	/**
5953	* Saves the guest's interruptibility-state ("interrupt shadow" as AMD calls it)
5954	* from the guest-state area in the VMCS.
5955	*
5956	* @param pVCpu Pointer to the VMCPU.
5957	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
5958	* out-of-sync. Make sure to update the required fields
5959	* before using them.
5960	*
5961	* @remarks No-long-jump zone!!!
5962	*/
5963	static void hmR0VmxSaveGuestIntrState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
5964	{
5965	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_INTR_STATE))
5966	{
5967	uint32_t uIntrState = 0;
5968	int rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
5969	AssertRC(rc);
5970
5971	if (!uIntrState)
5972	{
5973	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
5974	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
5975
5976	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5977	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
5978	}
5979	else
5980	{
5981	if (uIntrState & ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS
5982	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI))
5983	{
5984	rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
5985	AssertRC(rc);
5986	rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx); /* for hmR0VmxGetGuestIntrState(). */
5987	AssertRC(rc);
5988
5989	EMSetInhibitInterruptsPC(pVCpu, pMixedCtx->rip);
5990	Assert(VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS));
5991	}
5992	else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
5993	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
5994
5995	if (uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI)
5996	{
5997	if (!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
5998	VMCPU_FF_SET(pVCpu, VMCPU_FF_BLOCK_NMIS);
5999	}
6000	else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS))
6001	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_BLOCK_NMIS);
6002	}
6003
6004	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_INTR_STATE);
6005	}
6006	}
6007
6008
6009	/**
6010	* Saves the guest's activity state.
6011	*
6012	* @returns VBox status code.
6013	* @param pVCpu Pointer to the VMCPU.
6014	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6015	* out-of-sync. Make sure to update the required fields
6016	* before using them.
6017	*
6018	* @remarks No-long-jump zone!!!
6019	*/
6020	static int hmR0VmxSaveGuestActivityState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6021	{
6022	NOREF(pMixedCtx);
6023	/* Nothing to do for now until we make use of different guest-CPU activity state. Just update the flag. */
6024	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_ACTIVITY_STATE);
6025	return VINF_SUCCESS;
6026	}
6027
6028
6029	/**
6030	* Saves the guest SYSENTER MSRs (SYSENTER_CS, SYSENTER_EIP, SYSENTER_ESP) from
6031	* the current VMCS into the guest-CPU context.
6032	*
6033	* @returns VBox status code.
6034	* @param pVCpu Pointer to the VMCPU.
6035	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6036	* out-of-sync. Make sure to update the required fields
6037	* before using them.
6038	*
6039	* @remarks No-long-jump zone!!!
6040	*/
6041	static int hmR0VmxSaveGuestSysenterMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6042	{
6043	int rc = VINF_SUCCESS;
6044	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR))
6045	{
6046	uint32_t u32Val = 0;
6047	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_SYSENTER_CS, &u32Val); AssertRCReturn(rc, rc);
6048	pMixedCtx->SysEnter.cs = u32Val;
6049	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_CS_MSR);
6050	}
6051
6052	uint64_t u64Val = 0;
6053	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR))
6054	{
6055	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_SYSENTER_EIP, &u64Val); AssertRCReturn(rc, rc);
6056	pMixedCtx->SysEnter.eip = u64Val;
6057	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_EIP_MSR);
6058	}
6059	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR))
6060	{
6061	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_SYSENTER_ESP, &u64Val); AssertRCReturn(rc, rc);
6062	pMixedCtx->SysEnter.esp = u64Val;
6063	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SYSENTER_ESP_MSR);
6064	}
6065	return rc;
6066	}
6067
6068
6069	/**
6070	* Saves the set of guest MSRs (that we restore lazily while leaving VT-x) from
6071	* the CPU back into the guest-CPU context.
6072	*
6073	* @returns VBox status code.
6074	* @param pVCpu Pointer to the VMCPU.
6075	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6076	* out-of-sync. Make sure to update the required fields
6077	* before using them.
6078	*
6079	* @remarks No-long-jump zone!!!
6080	*/
6081	static int hmR0VmxSaveGuestLazyMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6082	{
6083	#if HC_ARCH_BITS == 64
6084	if (pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests)
6085	{
6086	/* Since this can be called from our preemption hook it's safer to make the guest-MSRs update non-preemptible. */
6087	VMMRZCallRing3Disable(pVCpu);
6088	HM_DISABLE_PREEMPT();
6089
6090	/* Doing the check here ensures we don't overwrite already-saved guest MSRs from a preemption hook. */
6091	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS))
6092	{
6093	hmR0VmxLazySaveGuestMsrs(pVCpu, pMixedCtx);
6094	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS);
6095	}
6096
6097	HM_RESTORE_PREEMPT();
6098	VMMRZCallRing3Enable(pVCpu);
6099	}
6100	else
6101	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS);
6102	#else
6103	NOREF(pMixedCtx);
6104	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS);
6105	#endif
6106
6107	return VINF_SUCCESS;
6108	}
6109
6110
6111	/**
6112	* Saves the auto load/store'd guest MSRs from the current VMCS into
6113	* the guest-CPU context.
6114	*
6115	* @returns VBox status code.
6116	* @param pVCpu Pointer to the VMCPU.
6117	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6118	* out-of-sync. Make sure to update the required fields
6119	* before using them.
6120	*
6121	* @remarks No-long-jump zone!!!
6122	*/
6123	static int hmR0VmxSaveGuestAutoLoadStoreMsrs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6124	{
6125	if (HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS))
6126	return VINF_SUCCESS;
6127
6128	PVMXAUTOMSR pMsr = (PVMXAUTOMSR)pVCpu->hm.s.vmx.pvGuestMsr;
6129	uint32_t cMsrs = pVCpu->hm.s.vmx.cMsrs;
6130	Log4(("hmR0VmxSaveGuestAutoLoadStoreMsrs: cMsrs=%u\n", cMsrs));
6131	for (uint32_t i = 0; i < cMsrs; i++, pMsr++)
6132	{
6133	switch (pMsr->u32Msr)
6134	{
6135	case MSR_K8_TSC_AUX: CPUMR0SetGuestTscAux(pVCpu, pMsr->u64Value); break;
6136	case MSR_K8_LSTAR: pMixedCtx->msrLSTAR = pMsr->u64Value; break;
6137	case MSR_K6_STAR: pMixedCtx->msrSTAR = pMsr->u64Value; break;
6138	case MSR_K8_SF_MASK: pMixedCtx->msrSFMASK = pMsr->u64Value; break;
6139	case MSR_K8_KERNEL_GS_BASE: pMixedCtx->msrKERNELGSBASE = pMsr->u64Value; break;
6140	case MSR_K6_EFER: /* Nothing to do here since we intercept writes, see hmR0VmxLoadGuestMsrs(). */
6141	break;
6142
6143	default:
6144	{
6145	AssertMsgFailed(("Unexpected MSR in auto-load/store area. uMsr=%#RX32 cMsrs=%u\n", pMsr->u32Msr, cMsrs));
6146	pVCpu->hm.s.u32HMError = pMsr->u32Msr;
6147	return VERR_HM_UNEXPECTED_LD_ST_MSR;
6148	}
6149	}
6150	}
6151
6152	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS);
6153	return VINF_SUCCESS;
6154	}
6155
6156
6157	/**
6158	* Saves the guest control registers from the current VMCS into the guest-CPU
6159	* context.
6160	*
6161	* @returns VBox status code.
6162	* @param pVCpu Pointer to the VMCPU.
6163	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6164	* out-of-sync. Make sure to update the required fields
6165	* before using them.
6166	*
6167	* @remarks No-long-jump zone!!!
6168	*/
6169	static int hmR0VmxSaveGuestControlRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6170	{
6171	/* Guest CR0. Guest FPU. */
6172	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6173	AssertRCReturn(rc, rc);
6174
6175	/* Guest CR4. */
6176	rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
6177	AssertRCReturn(rc, rc);
6178
6179	/* Guest CR2 - updated always during the world-switch or in #PF. */
6180	/* Guest CR3. Only changes with Nested Paging. This must be done -after- saving CR0 and CR4 from the guest! */
6181	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR3))
6182	{
6183	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
6184	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR4));
6185
6186	PVM pVM = pVCpu->CTX_SUFF(pVM);
6187	if ( pVM->hm.s.vmx.fUnrestrictedGuest
6188	\|\| ( pVM->hm.s.fNestedPaging
6189	&& CPUMIsGuestPagingEnabledEx(pMixedCtx)))
6190	{
6191	uint64_t u64Val = 0;
6192	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_CR3, &u64Val);
6193	if (pMixedCtx->cr3 != u64Val)
6194	{
6195	CPUMSetGuestCR3(pVCpu, u64Val);
6196	if (VMMRZCallRing3IsEnabled(pVCpu))
6197	{
6198	PGMUpdateCR3(pVCpu, u64Val);
6199	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6200	}
6201	else
6202	{
6203	/* Set the force flag to inform PGM about it when necessary. It is cleared by PGMUpdateCR3().*/
6204	VMCPU_FF_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3);
6205	}
6206	}
6207
6208	/* If the guest is in PAE mode, sync back the PDPE's into the guest state. */
6209	if (CPUMIsGuestInPAEModeEx(pMixedCtx)) /* Reads CR0, CR4 and EFER MSR (EFER is always up-to-date). */
6210	{
6211	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, &pVCpu->hm.s.aPdpes[0].u); AssertRCReturn(rc, rc);
6212	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, &pVCpu->hm.s.aPdpes[1].u); AssertRCReturn(rc, rc);
6213	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, &pVCpu->hm.s.aPdpes[2].u); AssertRCReturn(rc, rc);
6214	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, &pVCpu->hm.s.aPdpes[3].u); AssertRCReturn(rc, rc);
6215
6216	if (VMMRZCallRing3IsEnabled(pVCpu))
6217	{
6218	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6219	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6220	}
6221	else
6222	{
6223	/* Set the force flag to inform PGM about it when necessary. It is cleared by PGMGstUpdatePaePdpes(). */
6224	VMCPU_FF_SET(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES);
6225	}
6226	}
6227	}
6228
6229	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR3);
6230	}
6231
6232	/*
6233	* Consider this scenario: VM-exit -> VMMRZCallRing3Enable() -> do stuff that causes a longjmp -> hmR0VmxCallRing3Callback()
6234	* -> VMMRZCallRing3Disable() -> hmR0VmxSaveGuestState() -> Set VMCPU_FF_HM_UPDATE_CR3 pending -> return from the longjmp
6235	* -> continue with VM-exit handling -> hmR0VmxSaveGuestControlRegs() and here we are.
6236	*
6237	* The reason for such complicated handling is because VM-exits that call into PGM expect CR3 to be up-to-date and thus
6238	* if any CR3-saves -before- the VM-exit (longjmp) postponed the CR3 update via the force-flag, any VM-exit handler that
6239	* calls into PGM when it re-saves CR3 will end up here and we call PGMUpdateCR3(). This is why the code below should
6240	* -NOT- check if HMVMX_UPDATED_GUEST_CR3 is already set or not!
6241	*
6242	* The longjmp exit path can't check these CR3 force-flags and call code that takes a lock again. We cover for it here.
6243	*/
6244	if (VMMRZCallRing3IsEnabled(pVCpu))
6245	{
6246	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3))
6247	PGMUpdateCR3(pVCpu, CPUMGetGuestCR3(pVCpu));
6248
6249	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES))
6250	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6251
6252	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6253	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6254	}
6255
6256	return rc;
6257	}
6258
6259
6260	/**
6261	* Reads a guest segment register from the current VMCS into the guest-CPU
6262	* context.
6263	*
6264	* @returns VBox status code.
6265	* @param pVCpu Pointer to the VMCPU.
6266	* @param idxSel Index of the selector in the VMCS.
6267	* @param idxLimit Index of the segment limit in the VMCS.
6268	* @param idxBase Index of the segment base in the VMCS.
6269	* @param idxAccess Index of the access rights of the segment in the VMCS.
6270	* @param pSelReg Pointer to the segment selector.
6271	*
6272	* @remarks No-long-jump zone!!!
6273	* @remarks Never call this function directly!!! Use the VMXLOCAL_READ_SEG()
6274	* macro as that takes care of whether to read from the VMCS cache or
6275	* not.
6276	*/
6277	DECLINLINE(int) hmR0VmxReadSegmentReg(PVMCPU pVCpu, uint32_t idxSel, uint32_t idxLimit, uint32_t idxBase, uint32_t idxAccess,
6278	PCPUMSELREG pSelReg)
6279	{
6280	NOREF(pVCpu);
6281
6282	uint32_t u32Val = 0;
6283	int rc = VMXReadVmcs32(idxSel, &u32Val);
6284	AssertRCReturn(rc, rc);
6285	pSelReg->Sel = (uint16_t)u32Val;
6286	pSelReg->ValidSel = (uint16_t)u32Val;
6287	pSelReg->fFlags = CPUMSELREG_FLAGS_VALID;
6288
6289	rc = VMXReadVmcs32(idxLimit, &u32Val);
6290	AssertRCReturn(rc, rc);
6291	pSelReg->u32Limit = u32Val;
6292
6293	uint64_t u64Val = 0;
6294	rc = VMXReadVmcsGstNByIdxVal(idxBase, &u64Val);
6295	AssertRCReturn(rc, rc);
6296	pSelReg->u64Base = u64Val;
6297
6298	rc = VMXReadVmcs32(idxAccess, &u32Val);
6299	AssertRCReturn(rc, rc);
6300	pSelReg->Attr.u = u32Val;
6301
6302	/*
6303	* If VT-x marks the segment as unusable, most other bits remain undefined:
6304	* - For CS the L, D and G bits have meaning.
6305	* - For SS the DPL has meaning (it -is- the CPL for Intel and VBox).
6306	* - For the remaining data segments no bits are defined.
6307	*
6308	* The present bit and the unusable bit has been observed to be set at the
6309	* same time (the selector was supposed to be invalid as we started executing
6310	* a V8086 interrupt in ring-0).
6311	*
6312	* What should be important for the rest of the VBox code, is that the P bit is
6313	* cleared. Some of the other VBox code recognizes the unusable bit, but
6314	* AMD-V certainly don't, and REM doesn't really either. So, to be on the
6315	* safe side here, we'll strip off P and other bits we don't care about. If
6316	* any code breaks because Attr.u != 0 when Sel < 4, it should be fixed.
6317	*
6318	* See Intel spec. 27.3.2 "Saving Segment Registers and Descriptor-Table Registers".
6319	*/
6320	if (pSelReg->Attr.u & X86DESCATTR_UNUSABLE)
6321	{
6322	Assert(idxSel != VMX_VMCS16_GUEST_FIELD_TR); /* TR is the only selector that can never be unusable. */
6323
6324	/* Masking off: X86DESCATTR_P, X86DESCATTR_LIMIT_HIGH, and X86DESCATTR_AVL. The latter two are really irrelevant. */
6325	pSelReg->Attr.u &= X86DESCATTR_UNUSABLE \| X86DESCATTR_L \| X86DESCATTR_D \| X86DESCATTR_G
6326	\| X86DESCATTR_DPL \| X86DESCATTR_TYPE \| X86DESCATTR_DT;
6327
6328	Log4(("hmR0VmxReadSegmentReg: Unusable idxSel=%#x attr=%#x -> %#x\n", idxSel, u32Val, pSelReg->Attr.u));
6329	#ifdef DEBUG_bird
6330	AssertMsg((u32Val & ~X86DESCATTR_P) == pSelReg->Attr.u,
6331	("%#x: %#x != %#x (sel=%#x base=%#llx limit=%#x)\n",
6332	idxSel, u32Val, pSelReg->Attr.u, pSelReg->Sel, pSelReg->u64Base, pSelReg->u32Limit));
6333	#endif
6334	}
6335	return VINF_SUCCESS;
6336	}
6337
6338
6339	#ifdef VMX_USE_CACHED_VMCS_ACCESSES
6340	# define VMXLOCAL_READ_SEG(Sel, CtxSel) \
6341	hmR0VmxReadSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_##Sel, VMX_VMCS32_GUEST_##Sel##_LIMIT, \
6342	VMX_VMCS_GUEST_##Sel##_BASE_CACHE_IDX, VMX_VMCS32_GUEST_##Sel##_ACCESS_RIGHTS, &pMixedCtx->CtxSel)
6343	#else
6344	# define VMXLOCAL_READ_SEG(Sel, CtxSel) \
6345	hmR0VmxReadSegmentReg(pVCpu, VMX_VMCS16_GUEST_FIELD_##Sel, VMX_VMCS32_GUEST_##Sel##_LIMIT, \
6346	VMX_VMCS_GUEST_##Sel##_BASE, VMX_VMCS32_GUEST_##Sel##_ACCESS_RIGHTS, &pMixedCtx->CtxSel)
6347	#endif
6348
6349
6350	/**
6351	* Saves the guest segment registers from the current VMCS into the guest-CPU
6352	* context.
6353	*
6354	* @returns VBox status code.
6355	* @param pVCpu Pointer to the VMCPU.
6356	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6357	* out-of-sync. Make sure to update the required fields
6358	* before using them.
6359	*
6360	* @remarks No-long-jump zone!!!
6361	*/
6362	static int hmR0VmxSaveGuestSegmentRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6363	{
6364	/* Guest segment registers. */
6365	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SEGMENT_REGS))
6366	{
6367	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx); AssertRCReturn(rc, rc);
6368	rc = VMXLOCAL_READ_SEG(CS, cs); AssertRCReturn(rc, rc);
6369	rc = VMXLOCAL_READ_SEG(SS, ss); AssertRCReturn(rc, rc);
6370	rc = VMXLOCAL_READ_SEG(DS, ds); AssertRCReturn(rc, rc);
6371	rc = VMXLOCAL_READ_SEG(ES, es); AssertRCReturn(rc, rc);
6372	rc = VMXLOCAL_READ_SEG(FS, fs); AssertRCReturn(rc, rc);
6373	rc = VMXLOCAL_READ_SEG(GS, gs); AssertRCReturn(rc, rc);
6374
6375	/* Restore segment attributes for real-on-v86 mode hack. */
6376	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
6377	{
6378	pMixedCtx->cs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrCS.u;
6379	pMixedCtx->ss.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrSS.u;
6380	pMixedCtx->ds.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrDS.u;
6381	pMixedCtx->es.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrES.u;
6382	pMixedCtx->fs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrFS.u;
6383	pMixedCtx->gs.Attr.u = pVCpu->hm.s.vmx.RealMode.AttrGS.u;
6384	}
6385	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_SEGMENT_REGS);
6386	}
6387
6388	return VINF_SUCCESS;
6389	}
6390
6391
6392	/**
6393	* Saves the guest descriptor table registers and task register from the current
6394	* VMCS into the guest-CPU context.
6395	*
6396	* @returns VBox status code.
6397	* @param pVCpu Pointer to the VMCPU.
6398	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6399	* out-of-sync. Make sure to update the required fields
6400	* before using them.
6401	*
6402	* @remarks No-long-jump zone!!!
6403	*/
6404	static int hmR0VmxSaveGuestTableRegs(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6405	{
6406	int rc = VINF_SUCCESS;
6407
6408	/* Guest LDTR. */
6409	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LDTR))
6410	{
6411	rc = VMXLOCAL_READ_SEG(LDTR, ldtr);
6412	AssertRCReturn(rc, rc);
6413	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LDTR);
6414	}
6415
6416	/* Guest GDTR. */
6417	uint64_t u64Val = 0;
6418	uint32_t u32Val = 0;
6419	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_GDTR))
6420	{
6421	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_GDTR_BASE, &u64Val); AssertRCReturn(rc, rc);
6422	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, &u32Val); AssertRCReturn(rc, rc);
6423	pMixedCtx->gdtr.pGdt = u64Val;
6424	pMixedCtx->gdtr.cbGdt = u32Val;
6425	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_GDTR);
6426	}
6427
6428	/* Guest IDTR. */
6429	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_IDTR))
6430	{
6431	rc = VMXReadVmcsGstN(VMX_VMCS_GUEST_IDTR_BASE, &u64Val); AssertRCReturn(rc, rc);
6432	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, &u32Val); AssertRCReturn(rc, rc);
6433	pMixedCtx->idtr.pIdt = u64Val;
6434	pMixedCtx->idtr.cbIdt = u32Val;
6435	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_IDTR);
6436	}
6437
6438	/* Guest TR. */
6439	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_TR))
6440	{
6441	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6442	AssertRCReturn(rc, rc);
6443
6444	/* For real-mode emulation using virtual-8086 mode we have the fake TSS (pRealModeTSS) in TR, don't save the fake one. */
6445	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
6446	{
6447	rc = VMXLOCAL_READ_SEG(TR, tr);
6448	AssertRCReturn(rc, rc);
6449	}
6450	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_TR);
6451	}
6452	return rc;
6453	}
6454
6455	#undef VMXLOCAL_READ_SEG
6456
6457
6458	/**
6459	* Saves the guest debug-register DR7 from the current VMCS into the guest-CPU
6460	* context.
6461	*
6462	* @returns VBox status code.
6463	* @param pVCpu Pointer to the VMCPU.
6464	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6465	* out-of-sync. Make sure to update the required fields
6466	* before using them.
6467	*
6468	* @remarks No-long-jump zone!!!
6469	*/
6470	static int hmR0VmxSaveGuestDR7(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6471	{
6472	if (!HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_DEBUG))
6473	{
6474	if (!pVCpu->hm.s.fUsingHyperDR7)
6475	{
6476	/* Upper 32-bits are always zero. See Intel spec. 2.7.3 "Loading and Storing Debug Registers". */
6477	uint32_t u32Val;
6478	int rc = VMXReadVmcs32(VMX_VMCS_GUEST_DR7, &u32Val); AssertRCReturn(rc, rc);
6479	pMixedCtx->dr[7] = u32Val;
6480	}
6481
6482	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_DEBUG);
6483	}
6484	return VINF_SUCCESS;
6485	}
6486
6487
6488	/**
6489	* Saves the guest APIC state from the current VMCS into the guest-CPU context.
6490	*
6491	* @returns VBox status code.
6492	* @param pVCpu Pointer to the VMCPU.
6493	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
6494	* out-of-sync. Make sure to update the required fields
6495	* before using them.
6496	*
6497	* @remarks No-long-jump zone!!!
6498	*/
6499	static int hmR0VmxSaveGuestApicState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6500	{
6501	NOREF(pMixedCtx);
6502
6503	/* Updating TPR is already done in hmR0VmxPostRunGuest(). Just update the flag. */
6504	HMVMXCPU_GST_SET_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_APIC_STATE);
6505	return VINF_SUCCESS;
6506	}
6507
6508
6509	/**
6510	* Saves the entire guest state from the currently active VMCS into the
6511	* guest-CPU context.
6512	*
6513	* This essentially VMREADs all guest-data.
6514	*
6515	* @returns VBox status code.
6516	* @param pVCpu Pointer to the VMCPU.
6517	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
6518	* out-of-sync. Make sure to update the required fields
6519	* before using them.
6520	*/
6521	static int hmR0VmxSaveGuestState(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6522	{
6523	Assert(pVCpu);
6524	Assert(pMixedCtx);
6525
6526	if (HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL)
6527	return VINF_SUCCESS;
6528
6529	/* Though we can longjmp to ring-3 due to log-flushes here and get recalled
6530	again on the ring-3 callback path, there is no real need to. */
6531	if (VMMRZCallRing3IsEnabled(pVCpu))
6532	VMMR0LogFlushDisable(pVCpu);
6533	else
6534	Assert(VMMR0IsLogFlushDisabled(pVCpu));
6535	Log4Func(("vcpu[%RU32]\n", pVCpu->idCpu));
6536
6537	int rc = hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
6538	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestRipRspRflags failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6539
6540	rc = hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6541	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestControlRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6542
6543	rc = hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
6544	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestSegmentRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6545
6546	rc = hmR0VmxSaveGuestTableRegs(pVCpu, pMixedCtx);
6547	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestTableRegs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6548
6549	rc = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
6550	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestDR7 failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6551
6552	rc = hmR0VmxSaveGuestSysenterMsrs(pVCpu, pMixedCtx);
6553	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestSysenterMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6554
6555	rc = hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
6556	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestLazyMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6557
6558	rc = hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
6559	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestAutoLoadStoreMsrs failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6560
6561	rc = hmR0VmxSaveGuestActivityState(pVCpu, pMixedCtx);
6562	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestActivityState failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6563
6564	rc = hmR0VmxSaveGuestApicState(pVCpu, pMixedCtx);
6565	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveGuestApicState failed! rc=%Rrc (pVCpu=%p)\n", rc, pVCpu), rc);
6566
6567	AssertMsg(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL,
6568	("Missed guest state bits while saving state; residue %RX32\n", HMVMXCPU_GST_VALUE(pVCpu)));
6569
6570	if (VMMRZCallRing3IsEnabled(pVCpu))
6571	VMMR0LogFlushEnable(pVCpu);
6572
6573	return VINF_SUCCESS;
6574	}
6575
6576
6577	/**
6578	* Saves basic guest registers needed for IEM instruction execution.
6579	*
6580	* @returns VBox status code (OR-able).
6581	* @param pVCpu Pointer to the cross context CPU data for the calling
6582	* EMT.
6583	* @param pMixedCtx Pointer to the CPU context of the guest.
6584	* @param fMemory Whether the instruction being executed operates on
6585	* memory or not. Only CR0 is synced up if clear.
6586	* @param fNeedRsp Need RSP (any instruction working on GPRs or stack).
6587	*/
6588	static int hmR0VmxSaveGuestRegsForIemExec(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fMemory, bool fNeedRsp)
6589	{
6590	/*
6591	* We assume all general purpose registers other than RSP are available.
6592	*
6593	* RIP is a must, as it will be incremented or otherwise changed.
6594	*
6595	* RFLAGS are always required to figure the CPL.
6596	*
6597	* RSP isn't always required, however it's a GPR, so frequently required.
6598	*
6599	* SS and CS are the only segment register needed if IEM doesn't do memory
6600	* access (CPL + 16/32/64-bit mode), but we can only get all segment registers.
6601	*
6602	* CR0 is always required by IEM for the CPL, while CR3 and CR4 will only
6603	* be required for memory accesses.
6604	*
6605	* Note! Before IEM dispatches an exception, it will call us to sync in everything.
6606	*/
6607	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
6608	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
6609	if (fNeedRsp)
6610	rc \|= hmR0VmxSaveGuestRsp(pVCpu, pMixedCtx);
6611	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
6612	if (!fMemory)
6613	rc \|= hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6614	else
6615	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6616	return rc;
6617	}
6618
6619
6620	/**
6621	* Ensures that we've got a complete basic guest-context.
6622	*
6623	* This excludes the FPU, SSE, AVX, and similar extended state. The interface
6624	* is for the interpreter.
6625	*
6626	* @returns VBox status code.
6627	* @param pVCpu Pointer to the VMCPU of the calling EMT.
6628	* @param pMixedCtx Pointer to the guest-CPU context which may have data
6629	* needing to be synced in.
6630	* @thread EMT(pVCpu)
6631	*/
6632	VMMR0_INT_DECL(int) HMR0EnsureCompleteBasicContext(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6633	{
6634	/* Note! Since this is only applicable to VT-x, the implementation is placed
6635	in the VT-x part of the sources instead of the generic stuff. */
6636	if (pVCpu->CTX_SUFF(pVM)->hm.s.vmx.fSupported)
6637	return hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
6638	return VINF_SUCCESS;
6639	}
6640
6641
6642	/**
6643	* Check per-VM and per-VCPU force flag actions that require us to go back to
6644	* ring-3 for one reason or another.
6645	*
6646	* @returns VBox status code (information status code included).
6647	* @retval VINF_SUCCESS if we don't have any actions that require going back to
6648	* ring-3.
6649	* @retval VINF_PGM_SYNC_CR3 if we have pending PGM CR3 sync.
6650	* @retval VINF_EM_PENDING_REQUEST if we have pending requests (like hardware
6651	* interrupts)
6652	* @retval VINF_PGM_POOL_FLUSH_PENDING if PGM is doing a pool flush and requires
6653	* all EMTs to be in ring-3.
6654	* @retval VINF_EM_RAW_TO_R3 if there is pending DMA requests.
6655	* @retval VINF_EM_NO_MEMORY PGM is out of memory, we need to return
6656	* to the EM loop.
6657	*
6658	* @param pVM Pointer to the VM.
6659	* @param pVCpu Pointer to the VMCPU.
6660	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
6661	* out-of-sync. Make sure to update the required fields
6662	* before using them.
6663	*/
6664	static int hmR0VmxCheckForceFlags(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
6665	{
6666	Assert(VMMRZCallRing3IsEnabled(pVCpu));
6667
6668	if ( VM_FF_IS_PENDING(pVM, !pVCpu->hm.s.fSingleInstruction
6669	? VM_FF_HP_R0_PRE_HM_MASK : VM_FF_HP_R0_PRE_HM_STEP_MASK)
6670	\|\| VMCPU_FF_IS_PENDING(pVCpu, !pVCpu->hm.s.fSingleInstruction
6671	? VMCPU_FF_HP_R0_PRE_HM_MASK : VMCPU_FF_HP_R0_PRE_HM_STEP_MASK) )
6672	{
6673	/* We need the control registers now, make sure the guest-CPU context is updated. */
6674	int rc3 = hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
6675	AssertRCReturn(rc3, rc3);
6676
6677	/* Pending HM CR3 sync. */
6678	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3))
6679	{
6680	int rc2 = PGMUpdateCR3(pVCpu, pMixedCtx->cr3);
6681	AssertMsgReturn(rc2 == VINF_SUCCESS \|\| rc2 == VINF_PGM_SYNC_CR3,
6682	("%Rrc\n", rc2), RT_FAILURE_NP(rc2) ? rc2 : VERR_IPE_UNEXPECTED_INFO_STATUS);
6683	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
6684	}
6685
6686	/* Pending HM PAE PDPEs. */
6687	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES))
6688	{
6689	PGMGstUpdatePaePdpes(pVCpu, &pVCpu->hm.s.aPdpes[0]);
6690	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_UPDATE_PAE_PDPES));
6691	}
6692
6693	/* Pending PGM C3 sync. */
6694	if (VMCPU_FF_IS_PENDING(pVCpu,VMCPU_FF_PGM_SYNC_CR3 \| VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL))
6695	{
6696	int rc2 = PGMSyncCR3(pVCpu, pMixedCtx->cr0, pMixedCtx->cr3, pMixedCtx->cr4,
6697	VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_PGM_SYNC_CR3));
6698	if (rc2 != VINF_SUCCESS)
6699	{
6700	AssertRC(rc2);
6701	Log4(("hmR0VmxCheckForceFlags: PGMSyncCR3 forcing us back to ring-3. rc2=%d\n", rc2));
6702	return rc2;
6703	}
6704	}
6705
6706	/* Pending HM-to-R3 operations (critsects, timers, EMT rendezvous etc.) */
6707	if ( VM_FF_IS_PENDING(pVM, VM_FF_HM_TO_R3_MASK)
6708	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
6709	{
6710	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
6711	int rc2 = RT_UNLIKELY(VM_FF_IS_PENDING(pVM, VM_FF_PGM_NO_MEMORY)) ? VINF_EM_NO_MEMORY : VINF_EM_RAW_TO_R3;
6712	Log4(("hmR0VmxCheckForceFlags: HM_TO_R3 forcing us back to ring-3. rc=%d\n", rc2));
6713	return rc2;
6714	}
6715
6716	/* Pending VM request packets, such as hardware interrupts. */
6717	if ( VM_FF_IS_PENDING(pVM, VM_FF_REQUEST)
6718	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_REQUEST))
6719	{
6720	Log4(("hmR0VmxCheckForceFlags: Pending VM request forcing us back to ring-3\n"));
6721	return VINF_EM_PENDING_REQUEST;
6722	}
6723
6724	/* Pending PGM pool flushes. */
6725	if (VM_FF_IS_PENDING(pVM, VM_FF_PGM_POOL_FLUSH_PENDING))
6726	{
6727	Log4(("hmR0VmxCheckForceFlags: PGM pool flush pending forcing us back to ring-3\n"));
6728	return VINF_PGM_POOL_FLUSH_PENDING;
6729	}
6730
6731	/* Pending DMA requests. */
6732	if (VM_FF_IS_PENDING(pVM, VM_FF_PDM_DMA))
6733	{
6734	Log4(("hmR0VmxCheckForceFlags: Pending DMA request forcing us back to ring-3\n"));
6735	return VINF_EM_RAW_TO_R3;
6736	}
6737	}
6738
6739	return VINF_SUCCESS;
6740	}
6741
6742
6743	/**
6744	* Converts any TRPM trap into a pending HM event. This is typically used when
6745	* entering from ring-3 (not longjmp returns).
6746	*
6747	* @param pVCpu Pointer to the VMCPU.
6748	*/
6749	static void hmR0VmxTrpmTrapToPendingEvent(PVMCPU pVCpu)
6750	{
6751	Assert(TRPMHasTrap(pVCpu));
6752	Assert(!pVCpu->hm.s.Event.fPending);
6753
6754	uint8_t uVector;
6755	TRPMEVENT enmTrpmEvent;
6756	RTGCUINT uErrCode;
6757	RTGCUINTPTR GCPtrFaultAddress;
6758	uint8_t cbInstr;
6759
6760	int rc = TRPMQueryTrapAll(pVCpu, &uVector, &enmTrpmEvent, &uErrCode, &GCPtrFaultAddress, &cbInstr);
6761	AssertRC(rc);
6762
6763	/* Refer Intel spec. 24.8.3 "VM-entry Controls for Event Injection" for the format of u32IntInfo. */
6764	uint32_t u32IntInfo = uVector \| VMX_EXIT_INTERRUPTION_INFO_VALID;
6765	if (enmTrpmEvent == TRPM_TRAP)
6766	{
6767	switch (uVector)
6768	{
6769	case X86_XCPT_NMI:
6770	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6771	break;
6772
6773	case X86_XCPT_BP:
6774	case X86_XCPT_OF:
6775	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6776	break;
6777
6778	case X86_XCPT_PF:
6779	case X86_XCPT_DF:
6780	case X86_XCPT_TS:
6781	case X86_XCPT_NP:
6782	case X86_XCPT_SS:
6783	case X86_XCPT_GP:
6784	case X86_XCPT_AC:
6785	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
6786	/* no break! */
6787	default:
6788	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6789	break;
6790	}
6791	}
6792	else if (enmTrpmEvent == TRPM_HARDWARE_INT)
6793	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6794	else if (enmTrpmEvent == TRPM_SOFTWARE_INT)
6795	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
6796	else
6797	AssertMsgFailed(("Invalid TRPM event type %d\n", enmTrpmEvent));
6798
6799	rc = TRPMResetTrap(pVCpu);
6800	AssertRC(rc);
6801	Log4(("TRPM->HM event: u32IntInfo=%#RX32 enmTrpmEvent=%d cbInstr=%u uErrCode=%#RX32 GCPtrFaultAddress=%#RGv\n",
6802	u32IntInfo, enmTrpmEvent, cbInstr, uErrCode, GCPtrFaultAddress));
6803
6804	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, uErrCode, GCPtrFaultAddress);
6805	STAM_COUNTER_DEC(&pVCpu->hm.s.StatInjectPendingReflect);
6806	}
6807
6808
6809	/**
6810	* Converts the pending HM event into a TRPM trap.
6811	*
6812	* @param pvCpu Pointer to the VMCPU.
6813	*/
6814	static void hmR0VmxPendingEventToTrpmTrap(PVMCPU pVCpu)
6815	{
6816	Assert(pVCpu->hm.s.Event.fPending);
6817
6818	uint32_t uVectorType = VMX_IDT_VECTORING_INFO_TYPE(pVCpu->hm.s.Event.u64IntInfo);
6819	uint32_t uVector = VMX_IDT_VECTORING_INFO_VECTOR(pVCpu->hm.s.Event.u64IntInfo);
6820	bool fErrorCodeValid = VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVCpu->hm.s.Event.u64IntInfo);
6821	uint32_t uErrorCode = pVCpu->hm.s.Event.u32ErrCode;
6822
6823	/* If a trap was already pending, we did something wrong! */
6824	Assert(TRPMQueryTrap(pVCpu, NULL /* pu8TrapNo /, NULL / pEnmType */) == VERR_TRPM_NO_ACTIVE_TRAP);
6825
6826	TRPMEVENT enmTrapType;
6827	switch (uVectorType)
6828	{
6829	case VMX_IDT_VECTORING_INFO_TYPE_EXT_INT:
6830	enmTrapType = TRPM_HARDWARE_INT;
6831	break;
6832
6833	case VMX_IDT_VECTORING_INFO_TYPE_SW_INT:
6834	enmTrapType = TRPM_SOFTWARE_INT;
6835	break;
6836
6837	case VMX_IDT_VECTORING_INFO_TYPE_NMI:
6838	case VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT:
6839	case VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT: /* #BP and #OF */
6840	case VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT:
6841	enmTrapType = TRPM_TRAP;
6842	break;
6843
6844	default:
6845	AssertMsgFailed(("Invalid trap type %#x\n", uVectorType));
6846	enmTrapType = TRPM_32BIT_HACK;
6847	break;
6848	}
6849
6850	Log4(("HM event->TRPM: uVector=%#x enmTrapType=%d\n", uVector, enmTrapType));
6851
6852	int rc = TRPMAssertTrap(pVCpu, uVector, enmTrapType);
6853	AssertRC(rc);
6854
6855	if (fErrorCodeValid)
6856	TRPMSetErrorCode(pVCpu, uErrorCode);
6857
6858	if ( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
6859	&& uVector == X86_XCPT_PF)
6860	{
6861	TRPMSetFaultAddress(pVCpu, pVCpu->hm.s.Event.GCPtrFaultAddress);
6862	}
6863	else if ( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_INT
6864	\|\| uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_XCPT
6865	\|\| uVectorType == VMX_IDT_VECTORING_INFO_TYPE_PRIV_SW_XCPT)
6866	{
6867	AssertMsg( uVectorType == VMX_IDT_VECTORING_INFO_TYPE_SW_INT
6868	\|\| (uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF),
6869	("Invalid vector: uVector=%#x uVectorType=%#x\n", uVector, uVectorType));
6870	TRPMSetInstrLength(pVCpu, pVCpu->hm.s.Event.cbInstr);
6871	}
6872
6873	/* Clear any pending events from the VMCS. */
6874	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, 0); AssertRC(rc);
6875	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, 0); AssertRC(rc);
6876
6877	/* We're now done converting the pending event. */
6878	pVCpu->hm.s.Event.fPending = false;
6879	}
6880
6881
6882	/**
6883	* Does the necessary state syncing before returning to ring-3 for any reason
6884	* (longjmp, preemption, voluntary exits to ring-3) from VT-x.
6885	*
6886	* @returns VBox status code.
6887	* @param pVM Pointer to the VM.
6888	* @param pVCpu Pointer to the VMCPU.
6889	* @param pMixedCtx Pointer to the guest-CPU context. The data may
6890	* be out-of-sync. Make sure to update the required
6891	* fields before using them.
6892	* @param fSaveGuestState Whether to save the guest state or not.
6893	*
6894	* @remarks No-long-jmp zone!!!
6895	*/
6896	static int hmR0VmxLeave(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fSaveGuestState)
6897	{
6898	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
6899	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
6900
6901	RTCPUID idCpu = RTMpCpuId();
6902	Log4Func(("HostCpuId=%u\n", idCpu));
6903
6904	/*
6905	* !!! IMPORTANT !!!
6906	* If you modify code here, check whether hmR0VmxCallRing3Callback() needs to be updated too.
6907	*/
6908
6909	/* Save the guest state if necessary. */
6910	if ( fSaveGuestState
6911	&& HMVMXCPU_GST_VALUE(pVCpu) != HMVMX_UPDATED_GUEST_ALL)
6912	{
6913	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
6914	AssertRCReturn(rc, rc);
6915	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
6916	}
6917
6918	/* Restore host FPU state if necessary and resync on next R0 reentry .*/
6919	if (CPUMIsGuestFPUStateActive(pVCpu))
6920	{
6921	/* We shouldn't reload CR0 without saving it first. */
6922	if (!fSaveGuestState)
6923	{
6924	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
6925	AssertRCReturn(rc, rc);
6926	}
6927	CPUMR0SaveGuestFPU(pVM, pVCpu, pMixedCtx);
6928	Assert(!CPUMIsGuestFPUStateActive(pVCpu));
6929	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
6930	}
6931
6932	/* Restore host debug registers if necessary and resync on next R0 reentry. */
6933	#ifdef VBOX_STRICT
6934	if (CPUMIsHyperDebugStateActive(pVCpu))
6935	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT);
6936	#endif
6937	if (CPUMR0DebugStateMaybeSaveGuestAndRestoreHost(pVCpu, true /* save DR6 */))
6938	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
6939	Assert(!CPUMIsGuestDebugStateActive(pVCpu) && !CPUMIsGuestDebugStateActivePending(pVCpu));
6940	Assert(!CPUMIsHyperDebugStateActive(pVCpu) && !CPUMIsHyperDebugStateActivePending(pVCpu));
6941
6942	#if HC_ARCH_BITS == 64
6943	/* Restore host-state bits that VT-x only restores partially. */
6944	if ( (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED)
6945	&& (pVCpu->hm.s.vmx.fRestoreHostFlags & ~VMX_RESTORE_HOST_REQUIRED))
6946	{
6947	Log4Func(("Restoring Host State: fRestoreHostFlags=%#RX32 HostCpuId=%u\n", pVCpu->hm.s.vmx.fRestoreHostFlags, idCpu));
6948	VMXRestoreHostState(pVCpu->hm.s.vmx.fRestoreHostFlags, &pVCpu->hm.s.vmx.RestoreHost);
6949	}
6950	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
6951	#endif
6952
6953	#if HC_ARCH_BITS == 64
6954	/* Restore the lazy host MSRs as we're leaving VT-x context. */
6955	if ( pVM->hm.s.fAllow64BitGuests
6956	&& pVCpu->hm.s.vmx.fLazyMsrs)
6957	{
6958	/* We shouldn't reload the guest MSRs without saving it first. */
6959	if (!fSaveGuestState)
6960	{
6961	int rc = hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
6962	AssertRCReturn(rc, rc);
6963	}
6964	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_LAZY_MSRS));
6965	hmR0VmxLazyRestoreHostMsrs(pVCpu);
6966	Assert(!pVCpu->hm.s.vmx.fLazyMsrs);
6967	}
6968	#endif
6969
6970	/* Update auto-load/store host MSRs values when we re-enter VT-x (as we could be on a different CPU). */
6971	pVCpu->hm.s.vmx.fUpdatedHostMsrs = false;
6972
6973	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatEntry);
6974	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatLoadGuestState);
6975	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExit1);
6976	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExit2);
6977	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitIO);
6978	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitMovCRx);
6979	STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitXcptNmi);
6980	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
6981
6982	VMCPU_CMPXCHG_STATE(pVCpu, VMCPUSTATE_STARTED_HM, VMCPUSTATE_STARTED_EXEC);
6983
6984	/** @todo This partially defeats the purpose of having preemption hooks.
6985	* The problem is, deregistering the hooks should be moved to a place that
6986	* lasts until the EMT is about to be destroyed not everytime while leaving HM
6987	* context.
6988	*/
6989	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_ACTIVE)
6990	{
6991	int rc = VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
6992	AssertRCReturn(rc, rc);
6993
6994	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
6995	Log4Func(("Cleared Vmcs. HostCpuId=%u\n", idCpu));
6996	}
6997	Assert(!(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_LAUNCHED));
6998	NOREF(idCpu);
6999
7000	return VINF_SUCCESS;
7001	}
7002
7003
7004	/**
7005	* Leaves the VT-x session.
7006	*
7007	* @returns VBox status code.
7008	* @param pVM Pointer to the VM.
7009	* @param pVCpu Pointer to the VMCPU.
7010	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7011	* out-of-sync. Make sure to update the required fields
7012	* before using them.
7013	*
7014	* @remarks No-long-jmp zone!!!
7015	*/
7016	DECLINLINE(int) hmR0VmxLeaveSession(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7017	{
7018	HM_DISABLE_PREEMPT();
7019	HMVMX_ASSERT_CPU_SAFE();
7020	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
7021	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
7022
7023	/* When thread-context hooks are used, we can avoid doing the leave again if we had been preempted before
7024	and done this from the VMXR0ThreadCtxCallback(). */
7025	if (!pVCpu->hm.s.fLeaveDone)
7026	{
7027	int rc2 = hmR0VmxLeave(pVM, pVCpu, pMixedCtx, true /* fSaveGuestState */);
7028	AssertRCReturnStmt(rc2, HM_RESTORE_PREEMPT(), rc2);
7029	pVCpu->hm.s.fLeaveDone = true;
7030	}
7031	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
7032
7033	/*
7034	* !!! IMPORTANT !!!
7035	* If you modify code here, make sure to check whether hmR0VmxCallRing3Callback() needs to be updated too.
7036	*/
7037
7038	/* Deregister hook now that we've left HM context before re-enabling preemption. */
7039	/** @todo Deregistering here means we need to VMCLEAR always
7040	* (longjmp/exit-to-r3) in VT-x which is not efficient. */
7041	/** @todo eliminate the need for calling VMMR0ThreadCtxHookDisable here! */
7042	VMMR0ThreadCtxHookDisable(pVCpu);
7043
7044	/* Leave HM context. This takes care of local init (term). */
7045	int rc = HMR0LeaveCpu(pVCpu);
7046
7047	HM_RESTORE_PREEMPT();
7048	return rc;
7049	}
7050
7051
7052	/**
7053	* Does the necessary state syncing before doing a longjmp to ring-3.
7054	*
7055	* @returns VBox status code.
7056	* @param pVM Pointer to the VM.
7057	* @param pVCpu Pointer to the VMCPU.
7058	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7059	* out-of-sync. Make sure to update the required fields
7060	* before using them.
7061	*
7062	* @remarks No-long-jmp zone!!!
7063	*/
7064	DECLINLINE(int) hmR0VmxLongJmpToRing3(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7065	{
7066	return hmR0VmxLeaveSession(pVM, pVCpu, pMixedCtx);
7067	}
7068
7069
7070	/**
7071	* Take necessary actions before going back to ring-3.
7072	*
7073	* An action requires us to go back to ring-3. This function does the necessary
7074	* steps before we can safely return to ring-3. This is not the same as longjmps
7075	* to ring-3, this is voluntary and prepares the guest so it may continue
7076	* executing outside HM (recompiler/IEM).
7077	*
7078	* @returns VBox status code.
7079	* @param pVM Pointer to the VM.
7080	* @param pVCpu Pointer to the VMCPU.
7081	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7082	* out-of-sync. Make sure to update the required fields
7083	* before using them.
7084	* @param rcExit The reason for exiting to ring-3. Can be
7085	* VINF_VMM_UNKNOWN_RING3_CALL.
7086	*/
7087	static int hmR0VmxExitToRing3(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, int rcExit)
7088	{
7089	Assert(pVM);
7090	Assert(pVCpu);
7091	Assert(pMixedCtx);
7092	HMVMX_ASSERT_PREEMPT_SAFE();
7093
7094	if (RT_UNLIKELY(rcExit == VERR_VMX_INVALID_VMCS_PTR))
7095	{
7096	VMXGetActivatedVmcs(&pVCpu->hm.s.vmx.LastError.u64VMCSPhys);
7097	pVCpu->hm.s.vmx.LastError.u32VMCSRevision = (uint32_t )pVCpu->hm.s.vmx.pvVmcs;
7098	pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hm.s.idEnteredCpu;
7099	/* LastError.idCurrentCpu was updated in hmR0VmxPreRunGuestCommitted(). */
7100	}
7101
7102	/* Please, no longjumps here (any logging shouldn't flush jump back to ring-3). NO LOGGING BEFORE THIS POINT! */
7103	VMMRZCallRing3Disable(pVCpu);
7104	Log4(("hmR0VmxExitToRing3: pVCpu=%p idCpu=%RU32 rcExit=%d\n", pVCpu, pVCpu->idCpu, rcExit));
7105
7106	/* We need to do this only while truly exiting the "inner loop" back to ring-3 and -not- for any longjmp to ring3. */
7107	if (pVCpu->hm.s.Event.fPending)
7108	{
7109	hmR0VmxPendingEventToTrpmTrap(pVCpu);
7110	Assert(!pVCpu->hm.s.Event.fPending);
7111	}
7112
7113	/* Clear interrupt-window and NMI-window controls as we re-evaluate it when we return from ring-3. */
7114	hmR0VmxClearIntNmiWindowsVmcs(pVCpu);
7115
7116	/* If we're emulating an instruction, we shouldn't have any TRPM traps pending
7117	and if we're injecting an event we should have a TRPM trap pending. */
7118	AssertMsg(rcExit != VINF_EM_RAW_INJECT_TRPM_EVENT \|\| TRPMHasTrap(pVCpu), ("%Rrc\n", rcExit));
7119	AssertMsg(rcExit != VINF_EM_RAW_EMULATE_INSTR \|\| !TRPMHasTrap(pVCpu), ("%Rrc\n", rcExit));
7120
7121	/* Save guest state and restore host state bits. */
7122	int rc = hmR0VmxLeaveSession(pVM, pVCpu, pMixedCtx);
7123	AssertRCReturn(rc, rc);
7124	STAM_COUNTER_DEC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
7125	/* Thread-context hooks are unregistered at this point!!! */
7126
7127	/* Sync recompiler state. */
7128	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TO_R3);
7129	CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_SYSENTER_MSR
7130	\| CPUM_CHANGED_LDTR
7131	\| CPUM_CHANGED_GDTR
7132	\| CPUM_CHANGED_IDTR
7133	\| CPUM_CHANGED_TR
7134	\| CPUM_CHANGED_HIDDEN_SEL_REGS);
7135	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
7136	if ( pVM->hm.s.fNestedPaging
7137	&& CPUMIsGuestPagingEnabledEx(pMixedCtx))
7138	{
7139	CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_GLOBAL_TLB_FLUSH);
7140	}
7141
7142	Assert(!pVCpu->hm.s.fClearTrapFlag);
7143
7144	/* On our way back from ring-3 reload the guest state if there is a possibility of it being changed. */
7145	if (rcExit != VINF_EM_RAW_INTERRUPT)
7146	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
7147
7148	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchExitToR3);
7149
7150	/* We do -not- want any longjmp notifications after this! We must return to ring-3 ASAP. */
7151	VMMRZCallRing3RemoveNotification(pVCpu);
7152	VMMRZCallRing3Enable(pVCpu);
7153
7154	return rc;
7155	}
7156
7157
7158	/**
7159	* VMMRZCallRing3() callback wrapper which saves the guest state before we
7160	* longjump to ring-3 and possibly get preempted.
7161	*
7162	* @returns VBox status code.
7163	* @param pVCpu Pointer to the VMCPU.
7164	* @param enmOperation The operation causing the ring-3 longjump.
7165	* @param pvUser Opaque pointer to the guest-CPU context. The data
7166	* may be out-of-sync. Make sure to update the required
7167	* fields before using them.
7168	*/
7169	static DECLCALLBACK(int) hmR0VmxCallRing3Callback(PVMCPU pVCpu, VMMCALLRING3 enmOperation, void *pvUser)
7170	{
7171	if (enmOperation == VMMCALLRING3_VM_R0_ASSERTION)
7172	{
7173	/*
7174	* !!! IMPORTANT !!!
7175	* If you modify code here, check whether hmR0VmxLeave() and hmR0VmxLeaveSession() needs to be updated too.
7176	* This is a stripped down version which gets out ASAP, trying to not trigger any further assertions.
7177	*/
7178	VMMRZCallRing3RemoveNotification(pVCpu);
7179	VMMRZCallRing3Disable(pVCpu);
7180	RTTHREADPREEMPTSTATE PreemptState = RTTHREADPREEMPTSTATE_INITIALIZER;
7181	RTThreadPreemptDisable(&PreemptState);
7182
7183	PVM pVM = pVCpu->CTX_SUFF(pVM);
7184	if (CPUMIsGuestFPUStateActive(pVCpu))
7185	CPUMR0SaveGuestFPU(pVM, pVCpu, (PCPUMCTX)pvUser);
7186
7187	CPUMR0DebugStateMaybeSaveGuestAndRestoreHost(pVCpu, true /* save DR6 */);
7188
7189	#if HC_ARCH_BITS == 64
7190	/* Restore host-state bits that VT-x only restores partially. */
7191	if ( (pVCpu->hm.s.vmx.fRestoreHostFlags & VMX_RESTORE_HOST_REQUIRED)
7192	&& (pVCpu->hm.s.vmx.fRestoreHostFlags & ~VMX_RESTORE_HOST_REQUIRED))
7193	VMXRestoreHostState(pVCpu->hm.s.vmx.fRestoreHostFlags, &pVCpu->hm.s.vmx.RestoreHost);
7194	pVCpu->hm.s.vmx.fRestoreHostFlags = 0;
7195
7196	/* Restore the lazy host MSRs as we're leaving VT-x context. */
7197	if ( pVM->hm.s.fAllow64BitGuests
7198	&& pVCpu->hm.s.vmx.fLazyMsrs)
7199	hmR0VmxLazyRestoreHostMsrs(pVCpu);
7200	#endif
7201	/* Update auto-load/store host MSRs values when we re-enter VT-x (as we could be on a different CPU). */
7202	pVCpu->hm.s.vmx.fUpdatedHostMsrs = false;
7203	VMCPU_CMPXCHG_STATE(pVCpu, VMCPUSTATE_STARTED_HM, VMCPUSTATE_STARTED_EXEC);
7204	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_ACTIVE)
7205	{
7206	VMXClearVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
7207	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_CLEAR;
7208	}
7209
7210	/** @todo eliminate the need for calling VMMR0ThreadCtxHookDisable here! */
7211	VMMR0ThreadCtxHookDisable(pVCpu);
7212	HMR0LeaveCpu(pVCpu);
7213	RTThreadPreemptRestore(&PreemptState);
7214	return VINF_SUCCESS;
7215	}
7216
7217	Assert(pVCpu);
7218	Assert(pvUser);
7219	Assert(VMMRZCallRing3IsEnabled(pVCpu));
7220	HMVMX_ASSERT_PREEMPT_SAFE();
7221
7222	VMMRZCallRing3Disable(pVCpu);
7223	Assert(VMMR0IsLogFlushDisabled(pVCpu));
7224
7225	Log4(("hmR0VmxCallRing3Callback->hmR0VmxLongJmpToRing3 pVCpu=%p idCpu=%RU32 enmOperation=%d\n", pVCpu, pVCpu->idCpu,
7226	enmOperation));
7227
7228	int rc = hmR0VmxLongJmpToRing3(pVCpu->CTX_SUFF(pVM), pVCpu, (PCPUMCTX)pvUser);
7229	AssertRCReturn(rc, rc);
7230
7231	VMMRZCallRing3Enable(pVCpu);
7232	return VINF_SUCCESS;
7233	}
7234
7235
7236	/**
7237	* Sets the interrupt-window exiting control in the VMCS which instructs VT-x to
7238	* cause a VM-exit as soon as the guest is in a state to receive interrupts.
7239	*
7240	* @param pVCpu Pointer to the VMCPU.
7241	*/
7242	DECLINLINE(void) hmR0VmxSetIntWindowExitVmcs(PVMCPU pVCpu)
7243	{
7244	if (RT_LIKELY(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT))
7245	{
7246	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT))
7247	{
7248	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT;
7249	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7250	AssertRC(rc);
7251	Log4(("Setup interrupt-window exiting\n"));
7252	}
7253	} /* else we will deliver interrupts whenever the guest exits next and is in a state to receive events. */
7254	}
7255
7256
7257	/**
7258	* Clears the interrupt-window exiting control in the VMCS.
7259	*
7260	* @param pVCpu Pointer to the VMCPU.
7261	*/
7262	DECLINLINE(void) hmR0VmxClearIntWindowExitVmcs(PVMCPU pVCpu)
7263	{
7264	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT);
7265	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT;
7266	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7267	AssertRC(rc);
7268	Log4(("Cleared interrupt-window exiting\n"));
7269	}
7270
7271
7272	/**
7273	* Sets the NMI-window exiting control in the VMCS which instructs VT-x to
7274	* cause a VM-exit as soon as the guest is in a state to receive NMIs.
7275	*
7276	* @param pVCpu Pointer to the VMCPU.
7277	*/
7278	DECLINLINE(void) hmR0VmxSetNmiWindowExitVmcs(PVMCPU pVCpu)
7279	{
7280	if (RT_LIKELY(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT))
7281	{
7282	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT))
7283	{
7284	pVCpu->hm.s.vmx.u32ProcCtls \|= VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT;
7285	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7286	AssertRC(rc);
7287	Log4(("Setup NMI-window exiting\n"));
7288	}
7289	} /* else we will deliver NMIs whenever we VM-exit next, even possibly nesting NMIs. Can't be helped on ancient CPUs. */
7290	}
7291
7292
7293	/**
7294	* Clears the NMI-window exiting control in the VMCS.
7295	*
7296	* @param pVCpu Pointer to the VMCPU.
7297	*/
7298	DECLINLINE(void) hmR0VmxClearNmiWindowExitVmcs(PVMCPU pVCpu)
7299	{
7300	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT);
7301	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT;
7302	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
7303	AssertRC(rc);
7304	Log4(("Cleared NMI-window exiting\n"));
7305	}
7306
7307
7308	/**
7309	* Evaluates the event to be delivered to the guest and sets it as the pending
7310	* event.
7311	*
7312	* @param pVCpu Pointer to the VMCPU.
7313	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7314	* out-of-sync. Make sure to update the required fields
7315	* before using them.
7316	*/
7317	static void hmR0VmxEvaluatePendingEvent(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7318	{
7319	/* Get the current interruptibility-state of the guest and then figure out what can be injected. */
7320	uint32_t const uIntrState = hmR0VmxGetGuestIntrState(pVCpu, pMixedCtx);
7321	bool const fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7322	bool const fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7323	bool const fBlockNmi = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI);
7324
7325	Assert(!fBlockSti \|\| HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS));
7326	Assert(!(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI)); /* We don't support block-by-SMI yet.*/
7327	Assert(!fBlockSti \|\| pMixedCtx->eflags.Bits.u1IF); /* Cannot set block-by-STI when interrupts are disabled. */
7328	Assert(!TRPMHasTrap(pVCpu));
7329
7330	/*
7331	* Toggling of interrupt force-flags here is safe since we update TRPM on premature exits
7332	* to ring-3 before executing guest code, see hmR0VmxExitToRing3(). We must NOT restore these force-flags.
7333	*/
7334	/** @todo SMI. SMIs take priority over NMIs. */
7335	if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INTERRUPT_NMI)) /* NMI. NMIs take priority over regular interrupts. */
7336	{
7337	/* On some CPUs block-by-STI also blocks NMIs. See Intel spec. 26.3.1.5 "Checks On Guest Non-Register State". */
7338	if ( !pVCpu->hm.s.Event.fPending
7339	&& !fBlockNmi
7340	&& !fBlockSti
7341	&& !fBlockMovSS)
7342	{
7343	Log4(("Pending NMI vcpu[%RU32]\n", pVCpu->idCpu));
7344	uint32_t u32IntInfo = X86_XCPT_NMI \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7345	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7346
7347	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7348	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INTERRUPT_NMI);
7349	}
7350	else
7351	hmR0VmxSetNmiWindowExitVmcs(pVCpu);
7352	}
7353	/*
7354	* Check if the guest can receive external interrupts (PIC/APIC). Once we do PDMGetInterrupt() we -must- deliver
7355	* the interrupt ASAP. We must not execute any guest code until we inject the interrupt.
7356	*/
7357	else if ( VMCPU_FF_IS_PENDING(pVCpu, (VMCPU_FF_INTERRUPT_APIC \| VMCPU_FF_INTERRUPT_PIC))
7358	&& !pVCpu->hm.s.fSingleInstruction)
7359	{
7360	Assert(!DBGFIsStepping(pVCpu));
7361	int rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
7362	AssertRC(rc);
7363	bool const fBlockInt = !(pMixedCtx->eflags.u32 & X86_EFL_IF);
7364	if ( !pVCpu->hm.s.Event.fPending
7365	&& !fBlockInt
7366	&& !fBlockSti
7367	&& !fBlockMovSS)
7368	{
7369	uint8_t u8Interrupt;
7370	rc = PDMGetInterrupt(pVCpu, &u8Interrupt);
7371	if (RT_SUCCESS(rc))
7372	{
7373	Log4(("Pending interrupt vcpu[%RU32] u8Interrupt=%#x \n", pVCpu->idCpu, u8Interrupt));
7374	uint32_t u32IntInfo = u8Interrupt \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7375	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7376
7377	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrfaultAddress */);
7378	}
7379	else
7380	{
7381	/** @todo Does this actually happen? If not turn it into an assertion. */
7382	Assert(!VMCPU_FF_IS_PENDING(pVCpu, (VMCPU_FF_INTERRUPT_APIC \| VMCPU_FF_INTERRUPT_PIC)));
7383	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchGuestIrq);
7384	}
7385	}
7386	else
7387	hmR0VmxSetIntWindowExitVmcs(pVCpu);
7388	}
7389	}
7390
7391
7392	/**
7393	* Sets a pending-debug exception to be delivered to the guest if the guest is
7394	* single-stepping in the VMCS.
7395	*
7396	* @param pVCpu Pointer to the VMCPU.
7397	*/
7398	DECLINLINE(void) hmR0VmxSetPendingDebugXcptVmcs(PVMCPU pVCpu)
7399	{
7400	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS)); NOREF(pVCpu);
7401	int rc = VMXWriteVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, VMX_VMCS_GUEST_DEBUG_EXCEPTIONS_BS);
7402	AssertRC(rc);
7403	}
7404
7405
7406	/**
7407	* Injects any pending events into the guest if the guest is in a state to
7408	* receive them.
7409	*
7410	* @returns VBox status code (informational status codes included).
7411	* @param pVCpu Pointer to the VMCPU.
7412	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7413	* out-of-sync. Make sure to update the required fields
7414	* before using them.
7415	* @param fStepping Running in hmR0VmxRunGuestCodeStep() and we should
7416	* return VINF_EM_DBG_STEPPED if the event was
7417	* dispatched directly.
7418	*/
7419	static int hmR0VmxInjectPendingEvent(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fStepping)
7420	{
7421	HMVMX_ASSERT_PREEMPT_SAFE();
7422	Assert(VMMRZCallRing3IsEnabled(pVCpu));
7423
7424	/* Get the current interruptibility-state of the guest and then figure out what can be injected. */
7425	uint32_t uIntrState = hmR0VmxGetGuestIntrState(pVCpu, pMixedCtx);
7426	bool fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7427	bool fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7428
7429	Assert(!fBlockSti \|\| HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RFLAGS));
7430	Assert(!(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI)); /* We don't support block-by-SMI yet.*/
7431	Assert(!fBlockSti \|\| pMixedCtx->eflags.Bits.u1IF); /* Cannot set block-by-STI when interrupts are disabled. */
7432	Assert(!TRPMHasTrap(pVCpu));
7433
7434	int rc = VINF_SUCCESS;
7435	if (pVCpu->hm.s.Event.fPending)
7436	{
7437	/*
7438	* Do -not- clear any interrupt-window exiting control here. We might have an interrupt
7439	* pending even while injecting an event and in this case, we want a VM-exit as soon as
7440	* the guest is ready for the next interrupt, see @bugref{6208#c45}.
7441	*
7442	* See Intel spec. 26.6.5 "Interrupt-Window Exiting and Virtual-Interrupt Delivery".
7443	*/
7444	uint32_t const uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVCpu->hm.s.Event.u64IntInfo);
7445	#ifdef VBOX_STRICT
7446	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
7447	{
7448	bool const fBlockInt = !(pMixedCtx->eflags.u32 & X86_EFL_IF);
7449	Assert(!fBlockInt);
7450	Assert(!fBlockSti);
7451	Assert(!fBlockMovSS);
7452	}
7453	else if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
7454	{
7455	bool const fBlockNmi = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI);
7456	Assert(!fBlockSti);
7457	Assert(!fBlockMovSS);
7458	Assert(!fBlockNmi);
7459	}
7460	#endif
7461	Log4(("Injecting pending event vcpu[%RU32] u64IntInfo=%#RX64 Type=%#x\n", pVCpu->idCpu, pVCpu->hm.s.Event.u64IntInfo,
7462	(uint8_t)uIntType));
7463	rc = hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, pVCpu->hm.s.Event.u64IntInfo, pVCpu->hm.s.Event.cbInstr,
7464	pVCpu->hm.s.Event.u32ErrCode, pVCpu->hm.s.Event.GCPtrFaultAddress, fStepping, &uIntrState);
7465	AssertRCReturn(rc, rc);
7466
7467	/* Update the interruptibility-state as it could have been changed by
7468	hmR0VmxInjectEventVmcs() (e.g. real-on-v86 guest injecting software interrupts) */
7469	fBlockMovSS = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS);
7470	fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
7471
7472	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
7473	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectInterrupt);
7474	else
7475	STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectXcpt);
7476	}
7477
7478	/* Deliver pending debug exception if the guest is single-stepping. Evaluate and set the BS bit. */
7479	if ( fBlockSti
7480	\|\| fBlockMovSS)
7481	{
7482	if (!pVCpu->hm.s.fSingleInstruction)
7483	{
7484	/*
7485	* The pending-debug exceptions field is cleared on all VM-exits except VMX_EXIT_TPR_BELOW_THRESHOLD,
7486	* VMX_EXIT_MTF, VMX_EXIT_APIC_WRITE and VMX_EXIT_VIRTUALIZED_EOI.
7487	* See Intel spec. 27.3.4 "Saving Non-Register State".
7488	*/
7489	Assert(!DBGFIsStepping(pVCpu));
7490	int rc2 = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
7491	AssertRCReturn(rc2, rc2);
7492	if (pMixedCtx->eflags.Bits.u1TF)
7493	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
7494	}
7495	else if (pMixedCtx->eflags.Bits.u1TF)
7496	{
7497	/*
7498	* We are single-stepping in the hypervisor debugger using EFLAGS.TF. Clear interrupt inhibition as setting the
7499	* BS bit would mean delivering a #DB to the guest upon VM-entry when it shouldn't be.
7500	*/
7501	Assert(!(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.Msrs.VmxProcCtls.n.allowed1 & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG));
7502	uIntrState = 0;
7503	}
7504	}
7505
7506	/*
7507	* There's no need to clear the VM-entry interruption-information field here if we're not injecting anything.
7508	* VT-x clears the valid bit on every VM-exit. See Intel spec. 24.8.3 "VM-Entry Controls for Event Injection".
7509	*/
7510	int rc2 = hmR0VmxLoadGuestIntrState(pVCpu, uIntrState);
7511	AssertRC(rc2);
7512
7513	Assert(rc == VINF_SUCCESS \|\| rc == VINF_EM_RESET \|\| (rc == VINF_EM_DBG_STEPPED && fStepping));
7514	NOREF(fBlockMovSS); NOREF(fBlockSti);
7515	return rc;
7516	}
7517
7518
7519	/**
7520	* Sets an invalid-opcode (\#UD) exception as pending-for-injection into the VM.
7521	*
7522	* @param pVCpu Pointer to the VMCPU.
7523	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7524	* out-of-sync. Make sure to update the required fields
7525	* before using them.
7526	*/
7527	DECLINLINE(void) hmR0VmxSetPendingXcptUD(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7528	{
7529	NOREF(pMixedCtx);
7530	uint32_t u32IntInfo = X86_XCPT_UD \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7531	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7532	}
7533
7534
7535	/**
7536	* Injects a double-fault (\#DF) exception into the VM.
7537	*
7538	* @returns VBox status code (informational status code included).
7539	* @param pVCpu Pointer to the VMCPU.
7540	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7541	* out-of-sync. Make sure to update the required fields
7542	* before using them.
7543	* @param fStepping Whether we're running in hmR0VmxRunGuestCodeStep()
7544	* and should return VINF_EM_DBG_STEPPED if the event
7545	* is injected directly (register modified by us, not
7546	* by hardware on VM-entry).
7547	* @param puIntrState Pointer to the current guest interruptibility-state.
7548	* This interruptibility-state will be updated if
7549	* necessary. This cannot not be NULL.
7550	*/
7551	DECLINLINE(int) hmR0VmxInjectXcptDF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fStepping, uint32_t *puIntrState)
7552	{
7553	uint32_t u32IntInfo = X86_XCPT_DF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7554	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7555	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7556	return hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */,
7557	fStepping, puIntrState);
7558	}
7559
7560
7561	/**
7562	* Sets a debug (\#DB) exception as pending-for-injection into the VM.
7563	*
7564	* @param pVCpu Pointer to the VMCPU.
7565	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7566	* out-of-sync. Make sure to update the required fields
7567	* before using them.
7568	*/
7569	DECLINLINE(void) hmR0VmxSetPendingXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx)
7570	{
7571	NOREF(pMixedCtx);
7572	uint32_t u32IntInfo = X86_XCPT_DB \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7573	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7574	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, 0 / u32ErrCode /, 0 / GCPtrFaultAddress */);
7575	}
7576
7577
7578	/**
7579	* Sets an overflow (\#OF) exception as pending-for-injection into the VM.
7580	*
7581	* @param pVCpu Pointer to the VMCPU.
7582	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7583	* out-of-sync. Make sure to update the required fields
7584	* before using them.
7585	* @param cbInstr The value of RIP that is to be pushed on the guest
7586	* stack.
7587	*/
7588	DECLINLINE(void) hmR0VmxSetPendingXcptOF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t cbInstr)
7589	{
7590	NOREF(pMixedCtx);
7591	uint32_t u32IntInfo = X86_XCPT_OF \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7592	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7593	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, 0 /* u32ErrCode /, 0 / GCPtrFaultAddress */);
7594	}
7595
7596
7597	/**
7598	* Injects a general-protection (\#GP) fault into the VM.
7599	*
7600	* @returns VBox status code (informational status code included).
7601	* @param pVCpu Pointer to the VMCPU.
7602	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7603	* out-of-sync. Make sure to update the required fields
7604	* before using them.
7605	* @param fErrorCodeValid Whether the error code is valid (depends on the CPU
7606	* mode, i.e. in real-mode it's not valid).
7607	* @param u32ErrorCode The error code associated with the \#GP.
7608	* @param fStepping Whether we're running in
7609	* hmR0VmxRunGuestCodeStep() and should return
7610	* VINF_EM_DBG_STEPPED if the event is injected
7611	* directly (register modified by us, not by
7612	* hardware on VM-entry).
7613	* @param puIntrState Pointer to the current guest interruptibility-state.
7614	* This interruptibility-state will be updated if
7615	* necessary. This cannot not be NULL.
7616	*/
7617	DECLINLINE(int) hmR0VmxInjectXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, bool fErrorCodeValid, uint32_t u32ErrorCode,
7618	bool fStepping, uint32_t *puIntrState)
7619	{
7620	uint32_t u32IntInfo = X86_XCPT_GP \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7621	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7622	if (fErrorCodeValid)
7623	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7624	return hmR0VmxInjectEventVmcs(pVCpu, pMixedCtx, u32IntInfo, 0 /* cbInstr /, u32ErrorCode, 0 / GCPtrFaultAddress */,
7625	fStepping, puIntrState);
7626	}
7627
7628
7629	/**
7630	* Sets a general-protection (\#GP) exception as pending-for-injection into the
7631	* VM.
7632	*
7633	* @param pVCpu Pointer to the VMCPU.
7634	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7635	* out-of-sync. Make sure to update the required fields
7636	* before using them.
7637	* @param u32ErrorCode The error code associated with the \#GP.
7638	*/
7639	DECLINLINE(void) hmR0VmxSetPendingXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint32_t u32ErrorCode)
7640	{
7641	NOREF(pMixedCtx);
7642	uint32_t u32IntInfo = X86_XCPT_GP \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7643	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7644	u32IntInfo \|= VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7645	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, 0 /* cbInstr /, u32ErrorCode, 0 / GCPtrFaultAddress */);
7646	}
7647
7648
7649	/**
7650	* Sets a software interrupt (INTn) as pending-for-injection into the VM.
7651	*
7652	* @param pVCpu Pointer to the VMCPU.
7653	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
7654	* out-of-sync. Make sure to update the required fields
7655	* before using them.
7656	* @param uVector The software interrupt vector number.
7657	* @param cbInstr The value of RIP that is to be pushed on the guest
7658	* stack.
7659	*/
7660	DECLINLINE(void) hmR0VmxSetPendingIntN(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint16_t uVector, uint32_t cbInstr)
7661	{
7662	NOREF(pMixedCtx);
7663	uint32_t u32IntInfo = uVector \| VMX_EXIT_INTERRUPTION_INFO_VALID;
7664	if ( uVector == X86_XCPT_BP
7665	\|\| uVector == X86_XCPT_OF)
7666	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7667	else
7668	u32IntInfo \|= (VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT << VMX_EXIT_INTERRUPTION_INFO_TYPE_SHIFT);
7669	hmR0VmxSetPendingEvent(pVCpu, u32IntInfo, cbInstr, 0 /* u32ErrCode /, 0 / GCPtrFaultAddress */);
7670	}
7671
7672
7673	/**
7674	* Pushes a 2-byte value onto the real-mode (in virtual-8086 mode) guest's
7675	* stack.
7676	*
7677	* @returns VBox status code (information status code included).
7678	* @retval VINF_EM_RESET if pushing a value to the stack caused a triple-fault.
7679	* @param pVM Pointer to the VM.
7680	* @param pMixedCtx Pointer to the guest-CPU context.
7681	* @param uValue The value to push to the guest stack.
7682	*/
7683	DECLINLINE(int) hmR0VmxRealModeGuestStackPush(PVM pVM, PCPUMCTX pMixedCtx, uint16_t uValue)
7684	{
7685	/*
7686	* The stack limit is 0xffff in real-on-virtual 8086 mode. Real-mode with weird stack limits cannot be run in
7687	* virtual 8086 mode in VT-x. See Intel spec. 26.3.1.2 "Checks on Guest Segment Registers".
7688	* See Intel Instruction reference for PUSH and Intel spec. 22.33.1 "Segment Wraparound".
7689	*/
7690	if (pMixedCtx->sp == 1)
7691	return VINF_EM_RESET;
7692	pMixedCtx->sp -= sizeof(uint16_t); /* May wrap around which is expected behaviour. */
7693	int rc = PGMPhysSimpleWriteGCPhys(pVM, pMixedCtx->ss.u64Base + pMixedCtx->sp, &uValue, sizeof(uint16_t));
7694	AssertRCReturn(rc, rc);
7695	return rc;
7696	}
7697
7698
7699	/**
7700	* Injects an event into the guest upon VM-entry by updating the relevant fields
7701	* in the VM-entry area in the VMCS.
7702	*
7703	* @returns VBox status code (informational error codes included).
7704	* @retval VINF_SUCCESS if the event is successfully injected into the VMCS.
7705	* @retval VINF_EM_RESET if event injection resulted in a triple-fault.
7706	*
7707	* @param pVCpu Pointer to the VMCPU.
7708	* @param pMixedCtx Pointer to the guest-CPU context. The data may
7709	* be out-of-sync. Make sure to update the required
7710	* fields before using them.
7711	* @param u64IntInfo The VM-entry interruption-information field.
7712	* @param cbInstr The VM-entry instruction length in bytes (for
7713	* software interrupts, exceptions and privileged
7714	* software exceptions).
7715	* @param u32ErrCode The VM-entry exception error code.
7716	* @param GCPtrFaultAddress The page-fault address for \#PF exceptions.
7717	* @param puIntrState Pointer to the current guest interruptibility-state.
7718	* This interruptibility-state will be updated if
7719	* necessary. This cannot not be NULL.
7720	* @param fStepping Whether we're running in
7721	* hmR0VmxRunGuestCodeStep() and should return
7722	* VINF_EM_DBG_STEPPED if the event is injected
7723	* directly (register modified by us, not by
7724	* hardware on VM-entry).
7725	*
7726	* @remarks Requires CR0!
7727	* @remarks No-long-jump zone!!!
7728	*/
7729	static int hmR0VmxInjectEventVmcs(PVMCPU pVCpu, PCPUMCTX pMixedCtx, uint64_t u64IntInfo, uint32_t cbInstr,
7730	uint32_t u32ErrCode, RTGCUINTREG GCPtrFaultAddress, bool fStepping, uint32_t *puIntrState)
7731	{
7732	/* Intel spec. 24.8.3 "VM-Entry Controls for Event Injection" specifies the interruption-information field to be 32-bits. */
7733	AssertMsg(u64IntInfo >> 32 == 0, ("%#RX64\n", u64IntInfo));
7734	Assert(puIntrState);
7735	uint32_t u32IntInfo = (uint32_t)u64IntInfo;
7736
7737	uint32_t const uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(u32IntInfo);
7738	uint32_t const uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(u32IntInfo);
7739
7740	#ifdef VBOX_STRICT
7741	/* Validate the error-code-valid bit for hardware exceptions. */
7742	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT)
7743	{
7744	switch (uVector)
7745	{
7746	case X86_XCPT_PF:
7747	case X86_XCPT_DF:
7748	case X86_XCPT_TS:
7749	case X86_XCPT_NP:
7750	case X86_XCPT_SS:
7751	case X86_XCPT_GP:
7752	case X86_XCPT_AC:
7753	AssertMsg(VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_IS_VALID(u32IntInfo),
7754	("Error-code-valid bit not set for exception that has an error code uVector=%#x\n", uVector));
7755	/* fallthru */
7756	default:
7757	break;
7758	}
7759	}
7760	#endif
7761
7762	/* Cannot inject an NMI when block-by-MOV SS is in effect. */
7763	Assert( uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI
7764	\|\| !(*puIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS));
7765
7766	STAM_COUNTER_INC(&pVCpu->hm.s.paStatInjectedIrqsR0[uVector & MASK_INJECT_IRQ_STAT]);
7767
7768	/* We require CR0 to check if the guest is in real-mode. */
7769	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
7770	AssertRCReturn(rc, rc);
7771
7772	/*
7773	* Hardware interrupts & exceptions cannot be delivered through the software interrupt redirection bitmap to the real
7774	* mode task in virtual-8086 mode. We must jump to the interrupt handler in the (real-mode) guest.
7775	* See Intel spec. 20.3 "Interrupt and Exception handling in Virtual-8086 Mode" for interrupt & exception classes.
7776	* See Intel spec. 20.1.4 "Interrupt and Exception Handling" for real-mode interrupt handling.
7777	*/
7778	if (CPUMIsGuestInRealModeEx(pMixedCtx))
7779	{
7780	PVM pVM = pVCpu->CTX_SUFF(pVM);
7781	if (!pVM->hm.s.vmx.fUnrestrictedGuest)
7782	{
7783	Assert(PDMVmmDevHeapIsEnabled(pVM));
7784	Assert(pVM->hm.s.vmx.pRealModeTSS);
7785
7786	/* We require RIP, RSP, RFLAGS, CS, IDTR. Save the required ones from the VMCS. */
7787	rc = hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
7788	rc \|= hmR0VmxSaveGuestTableRegs(pVCpu, pMixedCtx);
7789	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
7790	AssertRCReturn(rc, rc);
7791	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_RIP));
7792
7793	/* Check if the interrupt handler is present in the IVT (real-mode IDT). IDT limit is (4N - 1). */
7794	size_t const cbIdtEntry = sizeof(X86IDTR16);
7795	if (uVector * cbIdtEntry + (cbIdtEntry - 1) > pMixedCtx->idtr.cbIdt)
7796	{
7797	/* If we are trying to inject a #DF with no valid IDT entry, return a triple-fault. */
7798	if (uVector == X86_XCPT_DF)
7799	return VINF_EM_RESET;
7800
7801	/* If we're injecting a #GP with no valid IDT entry, inject a double-fault. */
7802	if (uVector == X86_XCPT_GP)
7803	return hmR0VmxInjectXcptDF(pVCpu, pMixedCtx, fStepping, puIntrState);
7804
7805	/* If we're injecting an interrupt/exception with no valid IDT entry, inject a general-protection fault. */
7806	/* No error codes for exceptions in real-mode. See Intel spec. 20.1.4 "Interrupt and Exception Handling" */
7807	return hmR0VmxInjectXcptGP(pVCpu, pMixedCtx, false /* fErrCodeValid /, 0 / u32ErrCode */,
7808	fStepping, puIntrState);
7809	}
7810
7811	/* Software exceptions (#BP and #OF exceptions thrown as a result of INT3 or INTO) */
7812	uint16_t uGuestIp = pMixedCtx->ip;
7813	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT)
7814	{
7815	Assert(uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF);
7816	/* #BP and #OF are both benign traps, we need to resume the next instruction. */
7817	uGuestIp = pMixedCtx->ip + (uint16_t)cbInstr;
7818	}
7819	else if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_INT)
7820	uGuestIp = pMixedCtx->ip + (uint16_t)cbInstr;
7821
7822	/* Get the code segment selector and offset from the IDT entry for the interrupt handler. */
7823	X86IDTR16 IdtEntry;
7824	RTGCPHYS GCPhysIdtEntry = (RTGCPHYS)pMixedCtx->idtr.pIdt + uVector * cbIdtEntry;
7825	rc = PGMPhysSimpleReadGCPhys(pVM, &IdtEntry, GCPhysIdtEntry, cbIdtEntry);
7826	AssertRCReturn(rc, rc);
7827
7828	/* Construct the stack frame for the interrupt/exception handler. */
7829	rc = hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, pMixedCtx->eflags.u32);
7830	rc \|= hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, pMixedCtx->cs.Sel);
7831	rc \|= hmR0VmxRealModeGuestStackPush(pVM, pMixedCtx, uGuestIp);
7832	AssertRCReturn(rc, rc);
7833
7834	/* Clear the required eflag bits and jump to the interrupt/exception handler. */
7835	if (rc == VINF_SUCCESS)
7836	{
7837	pMixedCtx->eflags.u32 &= ~(X86_EFL_IF \| X86_EFL_TF \| X86_EFL_RF \| X86_EFL_AC);
7838	pMixedCtx->rip = IdtEntry.offSel;
7839	pMixedCtx->cs.Sel = IdtEntry.uSel;
7840	pMixedCtx->cs.ValidSel = IdtEntry.uSel;
7841	pMixedCtx->cs.u64Base = IdtEntry.uSel << cbIdtEntry;
7842	if ( uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT
7843	&& uVector == X86_XCPT_PF)
7844	pMixedCtx->cr2 = GCPtrFaultAddress;
7845
7846	/* If any other guest-state bits are changed here, make sure to update
7847	hmR0VmxPreRunGuestCommitted() when thread-context hooks are used. */
7848	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS
7849	\| HM_CHANGED_GUEST_RIP
7850	\| HM_CHANGED_GUEST_RFLAGS
7851	\| HM_CHANGED_GUEST_RSP);
7852
7853	/* We're clearing interrupts, which means no block-by-STI interrupt-inhibition. */
7854	if (*puIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
7855	{
7856	Assert( uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI
7857	&& uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT);
7858	Log4(("Clearing inhibition due to STI.\n"));
7859	*puIntrState &= ~VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI;
7860	}
7861	Log4(("Injecting real-mode: u32IntInfo=%#x u32ErrCode=%#x cbInstr=%#x Eflags=%#x CS:EIP=%04x:%04x\n",
7862	u32IntInfo, u32ErrCode, cbInstr, pMixedCtx->eflags.u, pMixedCtx->cs.Sel, pMixedCtx->eip));
7863
7864	/* The event has been truly dispatched. Mark it as no longer pending so we don't attempt to 'undo'
7865	it, if we are returning to ring-3 before executing guest code. */
7866	pVCpu->hm.s.Event.fPending = false;
7867
7868	/* Make hmR0VmxPreRunGuest return if we're stepping since we've changed cs:rip. */
7869	if (fStepping)
7870	rc = VINF_EM_DBG_STEPPED;
7871	}
7872	Assert(rc == VINF_SUCCESS \|\| rc == VINF_EM_RESET \|\| (rc == VINF_EM_DBG_STEPPED && fStepping));
7873	return rc;
7874	}
7875
7876	/*
7877	* For unrestricted execution enabled CPUs running real-mode guests, we must not set the deliver-error-code bit.
7878	* See Intel spec. 26.2.1.3 "VM-Entry Control Fields".
7879	*/
7880	u32IntInfo &= ~VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_VALID;
7881	}
7882
7883	/* Validate. */
7884	Assert(VMX_EXIT_INTERRUPTION_INFO_IS_VALID(u32IntInfo)); /* Bit 31 (Valid bit) must be set by caller. */
7885	Assert(!VMX_EXIT_INTERRUPTION_INFO_NMI_UNBLOCK_IRET(u32IntInfo)); /* Bit 12 MBZ. */
7886	Assert(!(u32IntInfo & 0x7ffff000)); /* Bits 30:12 MBZ. */
7887
7888	/* Inject. */
7889	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, u32IntInfo);
7890	if (VMX_EXIT_INTERRUPTION_INFO_ERROR_CODE_IS_VALID(u32IntInfo))
7891	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE, u32ErrCode);
7892	rc \|= VMXWriteVmcs32(VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH, cbInstr);
7893
7894	if ( VMX_EXIT_INTERRUPTION_INFO_TYPE(u32IntInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT
7895	&& uVector == X86_XCPT_PF)
7896	pMixedCtx->cr2 = GCPtrFaultAddress;
7897
7898	Log4(("Injecting vcpu[%RU32] u32IntInfo=%#x u32ErrCode=%#x cbInstr=%#x pMixedCtx->uCR2=%#RX64\n", pVCpu->idCpu,
7899	u32IntInfo, u32ErrCode, cbInstr, pMixedCtx->cr2));
7900
7901	AssertRCReturn(rc, rc);
7902	return rc;
7903	}
7904
7905
7906	/**
7907	* Clears the interrupt-window exiting control in the VMCS and if necessary
7908	* clears the current event in the VMCS as well.
7909	*
7910	* @returns VBox status code.
7911	* @param pVCpu Pointer to the VMCPU.
7912	*
7913	* @remarks Use this function only to clear events that have not yet been
7914	* delivered to the guest but are injected in the VMCS!
7915	* @remarks No-long-jump zone!!!
7916	*/
7917	static void hmR0VmxClearIntNmiWindowsVmcs(PVMCPU pVCpu)
7918	{
7919	Log4Func(("vcpu[%d]\n", pVCpu->idCpu));
7920
7921	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_INT_WINDOW_EXIT)
7922	hmR0VmxClearIntWindowExitVmcs(pVCpu);
7923
7924	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT)
7925	hmR0VmxClearNmiWindowExitVmcs(pVCpu);
7926	}
7927
7928
7929	/**
7930	* Enters the VT-x session.
7931	*
7932	* @returns VBox status code.
7933	* @param pVM Pointer to the VM.
7934	* @param pVCpu Pointer to the VMCPU.
7935	* @param pCpu Pointer to the CPU info struct.
7936	*/
7937	VMMR0DECL(int) VMXR0Enter(PVM pVM, PVMCPU pVCpu, PHMGLOBALCPUINFO pCpu)
7938	{
7939	AssertPtr(pVM);
7940	AssertPtr(pVCpu);
7941	Assert(pVM->hm.s.vmx.fSupported);
7942	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
7943	NOREF(pCpu); NOREF(pVM);
7944
7945	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
7946	Assert(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE));
7947
7948	#ifdef VBOX_STRICT
7949	/* Make sure we're in VMX root mode. */
7950	RTCCUINTREG u32HostCR4 = ASMGetCR4();
7951	if (!(u32HostCR4 & X86_CR4_VMXE))
7952	{
7953	LogRel(("VMXR0Enter: X86_CR4_VMXE bit in CR4 is not set!\n"));
7954	return VERR_VMX_X86_CR4_VMXE_CLEARED;
7955	}
7956	#endif
7957
7958	/*
7959	* Load the VCPU's VMCS as the current (and active) one.
7960	*/
7961	Assert(pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_CLEAR);
7962	int rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
7963	if (RT_FAILURE(rc))
7964	return rc;
7965
7966	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_ACTIVE;
7967	pVCpu->hm.s.fLeaveDone = false;
7968	Log4Func(("Activated Vmcs. HostCpuId=%u\n", RTMpCpuId()));
7969
7970	return VINF_SUCCESS;
7971	}
7972
7973
7974	/**
7975	* The thread-context callback (only on platforms which support it).
7976	*
7977	* @param enmEvent The thread-context event.
7978	* @param pVCpu Pointer to the VMCPU.
7979	* @param fGlobalInit Whether global VT-x/AMD-V init. was used.
7980	* @thread EMT(pVCpu)
7981	*/
7982	VMMR0DECL(void) VMXR0ThreadCtxCallback(RTTHREADCTXEVENT enmEvent, PVMCPU pVCpu, bool fGlobalInit)
7983	{
7984	NOREF(fGlobalInit);
7985
7986	switch (enmEvent)
7987	{
7988	case RTTHREADCTXEVENT_OUT:
7989	{
7990	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
7991	Assert(VMMR0ThreadCtxHookIsEnabled(pVCpu));
7992	VMCPU_ASSERT_EMT(pVCpu);
7993
7994	PVM pVM = pVCpu->CTX_SUFF(pVM);
7995	PCPUMCTX pMixedCtx = CPUMQueryGuestCtxPtr(pVCpu);
7996
7997	/* No longjmps (logger flushes, locks) in this fragile context. */
7998	VMMRZCallRing3Disable(pVCpu);
7999	Log4Func(("Preempting: HostCpuId=%u\n", RTMpCpuId()));
8000
8001	/*
8002	* Restore host-state (FPU, debug etc.)
8003	*/
8004	if (!pVCpu->hm.s.fLeaveDone)
8005	{
8006	/* Do -not- save guest-state here as we might already be in the middle of saving it (esp. bad if we are
8007	holding the PGM lock while saving the guest state (see hmR0VmxSaveGuestControlRegs()). */
8008	hmR0VmxLeave(pVM, pVCpu, pMixedCtx, false /* fSaveGuestState */);
8009	pVCpu->hm.s.fLeaveDone = true;
8010	}
8011
8012	/* Leave HM context, takes care of local init (term). */
8013	int rc = HMR0LeaveCpu(pVCpu);
8014	AssertRC(rc); NOREF(rc);
8015
8016	/* Restore longjmp state. */
8017	VMMRZCallRing3Enable(pVCpu);
8018	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchPreempt);
8019	break;
8020	}
8021
8022	case RTTHREADCTXEVENT_IN:
8023	{
8024	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8025	Assert(VMMR0ThreadCtxHookIsEnabled(pVCpu));
8026	VMCPU_ASSERT_EMT(pVCpu);
8027
8028	/* No longjmps here, as we don't want to trigger preemption (& its hook) while resuming. */
8029	VMMRZCallRing3Disable(pVCpu);
8030	Log4Func(("Resumed: HostCpuId=%u\n", RTMpCpuId()));
8031
8032	/* Initialize the bare minimum state required for HM. This takes care of
8033	initializing VT-x if necessary (onlined CPUs, local init etc.) */
8034	int rc = HMR0EnterCpu(pVCpu);
8035	AssertRC(rc);
8036	Assert(HMCPU_CF_IS_SET(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE));
8037
8038	/* Load the active VMCS as the current one. */
8039	if (pVCpu->hm.s.vmx.uVmcsState & HMVMX_VMCS_STATE_CLEAR)
8040	{
8041	rc = VMXActivateVmcs(pVCpu->hm.s.vmx.HCPhysVmcs);
8042	AssertRC(rc); NOREF(rc);
8043	pVCpu->hm.s.vmx.uVmcsState = HMVMX_VMCS_STATE_ACTIVE;
8044	Log4Func(("Resumed: Activated Vmcs. HostCpuId=%u\n", RTMpCpuId()));
8045	}
8046	pVCpu->hm.s.fLeaveDone = false;
8047
8048	/* Restore longjmp state. */
8049	VMMRZCallRing3Enable(pVCpu);
8050	break;
8051	}
8052
8053	default:
8054	break;
8055	}
8056	}
8057
8058
8059	/**
8060	* Saves the host state in the VMCS host-state.
8061	* Sets up the VM-exit MSR-load area.
8062	*
8063	* The CPU state will be loaded from these fields on every successful VM-exit.
8064	*
8065	* @returns VBox status code.
8066	* @param pVM Pointer to the VM.
8067	* @param pVCpu Pointer to the VMCPU.
8068	*
8069	* @remarks No-long-jump zone!!!
8070	*/
8071	static int hmR0VmxSaveHostState(PVM pVM, PVMCPU pVCpu)
8072	{
8073	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8074
8075	if (!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT))
8076	return VINF_SUCCESS;
8077
8078	int rc = hmR0VmxSaveHostControlRegs(pVM, pVCpu);
8079	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostControlRegisters failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8080
8081	rc = hmR0VmxSaveHostSegmentRegs(pVM, pVCpu);
8082	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostSegmentRegisters failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8083
8084	rc = hmR0VmxSaveHostMsrs(pVM, pVCpu);
8085	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSaveHostMsrs failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8086
8087	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_HOST_CONTEXT);
8088	return rc;
8089	}
8090
8091
8092	/**
8093	* Saves the host state in the VMCS host-state.
8094	*
8095	* @returns VBox status code.
8096	* @param pVM Pointer to the VM.
8097	* @param pVCpu Pointer to the VMCPU.
8098	*
8099	* @remarks No-long-jump zone!!!
8100	*/
8101	VMMR0DECL(int) VMXR0SaveHostState(PVM pVM, PVMCPU pVCpu)
8102	{
8103	AssertPtr(pVM);
8104	AssertPtr(pVCpu);
8105
8106	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
8107
8108	/* Save the host state here while entering HM context. When thread-context hooks are used, we might get preempted
8109	and have to resave the host state but most of the time we won't be, so do it here before we disable interrupts. */
8110	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8111	return hmR0VmxSaveHostState(pVM, pVCpu);
8112	}
8113
8114
8115	/**
8116	* Loads the guest state into the VMCS guest-state area.
8117	*
8118	* The will typically be done before VM-entry when the guest-CPU state and the
8119	* VMCS state may potentially be out of sync.
8120	*
8121	* Sets up the VM-entry MSR-load and VM-exit MSR-store areas. Sets up the
8122	* VM-entry controls.
8123	* Sets up the appropriate VMX non-root function to execute guest code based on
8124	* the guest CPU mode.
8125	*
8126	* @returns VBox status code.
8127	* @param pVM Pointer to the VM.
8128	* @param pVCpu Pointer to the VMCPU.
8129	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8130	* out-of-sync. Make sure to update the required fields
8131	* before using them.
8132	*
8133	* @remarks No-long-jump zone!!!
8134	*/
8135	static int hmR0VmxLoadGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
8136	{
8137	AssertPtr(pVM);
8138	AssertPtr(pVCpu);
8139	AssertPtr(pMixedCtx);
8140	HMVMX_ASSERT_PREEMPT_SAFE();
8141
8142	VMMRZCallRing3Disable(pVCpu);
8143	Assert(VMMR0IsLogFlushDisabled(pVCpu));
8144
8145	LogFlowFunc(("pVM=%p pVCpu=%p\n", pVM, pVCpu));
8146
8147	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatLoadGuestState, x);
8148
8149	/* Determine real-on-v86 mode. */
8150	pVCpu->hm.s.vmx.RealMode.fRealOnV86Active = false;
8151	if ( !pVM->hm.s.vmx.fUnrestrictedGuest
8152	&& CPUMIsGuestInRealModeEx(pMixedCtx))
8153	{
8154	pVCpu->hm.s.vmx.RealMode.fRealOnV86Active = true;
8155	}
8156
8157	/*
8158	* Load the guest-state into the VMCS.
8159	* Any ordering dependency among the sub-functions below must be explicitly stated using comments.
8160	* Ideally, assert that the cross-dependent bits are up-to-date at the point of using it.
8161	*/
8162	int rc = hmR0VmxSetupVMRunHandler(pVCpu, pMixedCtx);
8163	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSetupVMRunHandler! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8164
8165	/* This needs to be done after hmR0VmxSetupVMRunHandler() as changing pfnStartVM may require VM-entry control updates. */
8166	rc = hmR0VmxLoadGuestEntryCtls(pVCpu, pMixedCtx);
8167	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestEntryCtls! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8168
8169	/* This needs to be done after hmR0VmxSetupVMRunHandler() as changing pfnStartVM may require VM-exit control updates. */
8170	rc = hmR0VmxLoadGuestExitCtls(pVCpu, pMixedCtx);
8171	AssertLogRelMsgRCReturn(rc, ("hmR0VmxSetupExitCtls failed! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8172
8173	rc = hmR0VmxLoadGuestActivityState(pVCpu, pMixedCtx);
8174	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestActivityState! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8175
8176	rc = hmR0VmxLoadGuestCR3AndCR4(pVCpu, pMixedCtx);
8177	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestCR3AndCR4: rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8178
8179	/* Assumes pMixedCtx->cr0 is up-to-date (strict builds require CR0 for segment register validation checks). */
8180	rc = hmR0VmxLoadGuestSegmentRegs(pVCpu, pMixedCtx);
8181	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestSegmentRegs: rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8182
8183	/* This needs to be done after hmR0VmxLoadGuestEntryCtls() and hmR0VmxLoadGuestExitCtls() as it may alter controls if we
8184	determine we don't have to swap EFER after all. */
8185	rc = hmR0VmxLoadGuestMsrs(pVCpu, pMixedCtx);
8186	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadSharedMsrs! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8187
8188	rc = hmR0VmxLoadGuestApicState(pVCpu, pMixedCtx);
8189	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestApicState! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8190
8191	rc = hmR0VmxLoadGuestXcptIntercepts(pVCpu, pMixedCtx);
8192	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestXcptIntercepts! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8193
8194	/*
8195	* Loading Rflags here is fine, even though Rflags.TF might depend on guest debug state (which is not loaded here).
8196	* It is re-evaluated and updated if necessary in hmR0VmxLoadSharedState().
8197	*/
8198	rc = hmR0VmxLoadGuestRipRspRflags(pVCpu, pMixedCtx);
8199	AssertLogRelMsgRCReturn(rc, ("hmR0VmxLoadGuestRipRspRflags! rc=%Rrc (pVM=%p pVCpu=%p)\n", rc, pVM, pVCpu), rc);
8200
8201	/* Clear any unused and reserved bits. */
8202	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_CR2);
8203
8204	VMMRZCallRing3Enable(pVCpu);
8205
8206	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatLoadGuestState, x);
8207	return rc;
8208	}
8209
8210
8211	/**
8212	* Loads the state shared between the host and guest into the VMCS.
8213	*
8214	* @param pVM Pointer to the VM.
8215	* @param pVCpu Pointer to the VMCPU.
8216	* @param pCtx Pointer to the guest-CPU context.
8217	*
8218	* @remarks No-long-jump zone!!!
8219	*/
8220	static void hmR0VmxLoadSharedState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8221	{
8222	NOREF(pVM);
8223
8224	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8225	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8226
8227	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0))
8228	{
8229	int rc = hmR0VmxLoadSharedCR0(pVCpu, pCtx);
8230	AssertRC(rc);
8231	}
8232
8233	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_DEBUG))
8234	{
8235	int rc = hmR0VmxLoadSharedDebugState(pVCpu, pCtx);
8236	AssertRC(rc);
8237
8238	/* Loading shared debug bits might have changed eflags.TF bit for debugging purposes. */
8239	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_RFLAGS))
8240	{
8241	rc = hmR0VmxLoadGuestRflags(pVCpu, pCtx);
8242	AssertRC(rc);
8243	}
8244	}
8245
8246	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS))
8247	{
8248	#if HC_ARCH_BITS == 64
8249	if (pVM->hm.s.fAllow64BitGuests)
8250	hmR0VmxLazyLoadGuestMsrs(pVCpu, pCtx);
8251	#endif
8252	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS);
8253	}
8254
8255	/* Loading CR0, debug state might have changed intercepts, update VMCS. */
8256	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS))
8257	{
8258	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap);
8259	AssertRC(rc);
8260	HMCPU_CF_CLEAR(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
8261	}
8262
8263	AssertMsg(!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_GUEST_SHARED_STATE),
8264	("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8265	}
8266
8267
8268	/**
8269	* Worker for loading the guest-state bits in the inner VT-x execution loop.
8270	*
8271	* @param pVM Pointer to the VM.
8272	* @param pVCpu Pointer to the VMCPU.
8273	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8274	* out-of-sync. Make sure to update the required fields
8275	* before using them.
8276	*/
8277	DECLINLINE(void) hmR0VmxLoadGuestStateOptimal(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx)
8278	{
8279	HMVMX_ASSERT_PREEMPT_SAFE();
8280
8281	Log5(("LoadFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8282	#ifdef HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE
8283	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
8284	#endif
8285
8286	if (HMCPU_CF_IS_SET_ONLY(pVCpu, HM_CHANGED_GUEST_RIP))
8287	{
8288	int rc = hmR0VmxLoadGuestRip(pVCpu, pMixedCtx);
8289	AssertRC(rc);
8290	STAM_COUNTER_INC(&pVCpu->hm.s.StatLoadMinimal);
8291	}
8292	else if (HMCPU_CF_VALUE(pVCpu))
8293	{
8294	int rc = hmR0VmxLoadGuestState(pVM, pVCpu, pMixedCtx);
8295	AssertRC(rc);
8296	STAM_COUNTER_INC(&pVCpu->hm.s.StatLoadFull);
8297	}
8298
8299	/* All the guest state bits should be loaded except maybe the host context and/or the shared host/guest bits. */
8300	AssertMsg( !HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_ALL_GUEST)
8301	\|\| HMCPU_CF_IS_PENDING_ONLY(pVCpu, HM_CHANGED_HOST_CONTEXT \| HM_CHANGED_HOST_GUEST_SHARED_STATE),
8302	("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8303	}
8304
8305
8306	/**
8307	* Does the preparations before executing guest code in VT-x.
8308	*
8309	* This may cause longjmps to ring-3 and may even result in rescheduling to the
8310	* recompiler/IEM. We must be cautious what we do here regarding committing
8311	* guest-state information into the VMCS assuming we assuredly execute the
8312	* guest in VT-x mode.
8313	*
8314	* If we fall back to the recompiler/IEM after updating the VMCS and clearing
8315	* the common-state (TRPM/forceflags), we must undo those changes so that the
8316	* recompiler/IEM can (and should) use them when it resumes guest execution.
8317	* Otherwise such operations must be done when we can no longer exit to ring-3.
8318	*
8319	* @returns Strict VBox status code.
8320	* @retval VINF_SUCCESS if we can proceed with running the guest, interrupts
8321	* have been disabled.
8322	* @retval VINF_EM_RESET if a triple-fault occurs while injecting a
8323	* double-fault into the guest.
8324	* @retval VINF_EM_DBG_STEPPED if @a fStepping is true and an event was
8325	* dispatched directly.
8326	* @retval VINF_* scheduling changes, we have to go back to ring-3.
8327	*
8328	* @param pVM Pointer to the VM.
8329	* @param pVCpu Pointer to the VMCPU.
8330	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8331	* out-of-sync. Make sure to update the required fields
8332	* before using them.
8333	* @param pVmxTransient Pointer to the VMX transient structure.
8334	* @param fStepping Set if called from hmR0VmxRunGuestCodeStep(). Makes
8335	* us ignore some of the reasons for returning to
8336	* ring-3, and return VINF_EM_DBG_STEPPED if event
8337	* dispatching took place.
8338	*/
8339	static int hmR0VmxPreRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, bool fStepping)
8340	{
8341	Assert(VMMRZCallRing3IsEnabled(pVCpu));
8342
8343	#ifdef VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0
8344	PGMRZDynMapFlushAutoSet(pVCpu);
8345	#endif
8346
8347	/* Check force flag actions that might require us to go back to ring-3. */
8348	int rc = hmR0VmxCheckForceFlags(pVM, pVCpu, pMixedCtx);
8349	if (rc != VINF_SUCCESS)
8350	return rc;
8351
8352	#ifndef IEM_VERIFICATION_MODE_FULL
8353	/* Setup the Virtualized APIC accesses. pMixedCtx->msrApicBase is always up-to-date. It's not part of the VMCS. */
8354	if ( pVCpu->hm.s.vmx.u64MsrApicBase != pMixedCtx->msrApicBase
8355	&& (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_VIRT_APIC))
8356	{
8357	Assert(pVM->hm.s.vmx.HCPhysApicAccess);
8358	RTGCPHYS GCPhysApicBase;
8359	GCPhysApicBase = pMixedCtx->msrApicBase;
8360	GCPhysApicBase &= PAGE_BASE_GC_MASK;
8361
8362	/* Unalias any existing mapping. */
8363	rc = PGMHandlerPhysicalReset(pVM, GCPhysApicBase);
8364	AssertRCReturn(rc, rc);
8365
8366	/* Map the HC APIC-access page into the GC space, this also updates the shadow page tables if necessary. */
8367	Log4(("Mapped HC APIC-access page into GC: GCPhysApicBase=%#RGv\n", GCPhysApicBase));
8368	rc = IOMMMIOMapMMIOHCPage(pVM, pVCpu, GCPhysApicBase, pVM->hm.s.vmx.HCPhysApicAccess, X86_PTE_RW \| X86_PTE_P);
8369	AssertRCReturn(rc, rc);
8370
8371	pVCpu->hm.s.vmx.u64MsrApicBase = pMixedCtx->msrApicBase;
8372	}
8373	#endif /* !IEM_VERIFICATION_MODE_FULL */
8374
8375	if (TRPMHasTrap(pVCpu))
8376	hmR0VmxTrpmTrapToPendingEvent(pVCpu);
8377	hmR0VmxEvaluatePendingEvent(pVCpu, pMixedCtx);
8378
8379	/*
8380	* Event injection may take locks (currently the PGM lock for real-on-v86 case) and thus needs to be done with
8381	* longjmps or interrupts + preemption enabled. Event injection might also result in triple-faulting the VM.
8382	*/
8383	rc = hmR0VmxInjectPendingEvent(pVCpu, pMixedCtx, fStepping);
8384	if (RT_UNLIKELY(rc != VINF_SUCCESS))
8385	{
8386	Assert(rc == VINF_EM_RESET \|\| (rc == VINF_EM_DBG_STEPPED && fStepping));
8387	return rc;
8388	}
8389
8390	/*
8391	* Load the guest state bits, we can handle longjmps/getting preempted here.
8392	*
8393	* If we are injecting events to a real-on-v86 mode guest, we will have to update
8394	* RIP and some segment registers, i.e. hmR0VmxInjectPendingEvent()->hmR0VmxInjectEventVmcs().
8395	* Hence, this needs to be done -after- injection of events.
8396	*/
8397	hmR0VmxLoadGuestStateOptimal(pVM, pVCpu, pMixedCtx);
8398
8399	/*
8400	* No longjmps to ring-3 from this point on!!!
8401	* Asserts() will still longjmp to ring-3 (but won't return), which is intentional, better than a kernel panic.
8402	* This also disables flushing of the R0-logger instance (if any).
8403	*/
8404	VMMRZCallRing3Disable(pVCpu);
8405
8406	/*
8407	* We disable interrupts so that we don't miss any interrupts that would flag preemption (IPI/timers etc.)
8408	* when thread-context hooks aren't used and we've been running with preemption disabled for a while.
8409	*
8410	* We need to check for force-flags that could've possible been altered since we last checked them (e.g.
8411	* by PDMGetInterrupt() leaving the PDM critical section, see @bugref{6398}).
8412	*
8413	* We also check a couple of other force-flags as a last opportunity to get the EMT back to ring-3 before
8414	* executing guest code.
8415	*/
8416	pVmxTransient->fEFlags = ASMIntDisableFlags();
8417	if ( ( VM_FF_IS_PENDING(pVM, VM_FF_EMT_RENDEZVOUS \| VM_FF_TM_VIRTUAL_SYNC)
8418	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
8419	&& ( !fStepping /* Optimized for the non-stepping case, of course. */
8420	\|\| VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_HM_TO_R3_MASK & ~(VMCPU_FF_TIMER \| VMCPU_FF_PDM_CRITSECT))) )
8421	{
8422	ASMSetFlags(pVmxTransient->fEFlags);
8423	VMMRZCallRing3Enable(pVCpu);
8424	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
8425	return VINF_EM_RAW_TO_R3;
8426	}
8427
8428	if (RTThreadPreemptIsPending(NIL_RTTHREAD))
8429	{
8430	ASMSetFlags(pVmxTransient->fEFlags);
8431	VMMRZCallRing3Enable(pVCpu);
8432	STAM_COUNTER_INC(&pVCpu->hm.s.StatPendingHostIrq);
8433	return VINF_EM_RAW_INTERRUPT;
8434	}
8435
8436	/* We've injected any pending events. This is really the point of no return (to ring-3). */
8437	pVCpu->hm.s.Event.fPending = false;
8438
8439	return VINF_SUCCESS;
8440	}
8441
8442
8443	/**
8444	* Prepares to run guest code in VT-x and we've committed to doing so. This
8445	* means there is no backing out to ring-3 or anywhere else at this
8446	* point.
8447	*
8448	* @param pVM Pointer to the VM.
8449	* @param pVCpu Pointer to the VMCPU.
8450	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
8451	* out-of-sync. Make sure to update the required fields
8452	* before using them.
8453	* @param pVmxTransient Pointer to the VMX transient structure.
8454	*
8455	* @remarks Called with preemption disabled.
8456	* @remarks No-long-jump zone!!!
8457	*/
8458	static void hmR0VmxPreRunGuestCommitted(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
8459	{
8460	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8461	Assert(VMMR0IsLogFlushDisabled(pVCpu));
8462	Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
8463
8464	VMCPU_ASSERT_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
8465	VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_EXEC); /* Indicate the start of guest execution. */
8466
8467	#ifdef HMVMX_ALWAYS_SWAP_FPU_STATE
8468	if (!CPUMIsGuestFPUStateActive(pVCpu))
8469	CPUMR0LoadGuestFPU(pVM, pVCpu, pMixedCtx);
8470	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8471	#endif
8472
8473	if ( pVCpu->hm.s.fPreloadGuestFpu
8474	&& !CPUMIsGuestFPUStateActive(pVCpu))
8475	{
8476	CPUMR0LoadGuestFPU(pVM, pVCpu, pMixedCtx);
8477	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_CR0));
8478	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8479	}
8480
8481	/*
8482	* Lazy-update of the host MSRs values in the auto-load/store MSR area.
8483	*/
8484	if ( !pVCpu->hm.s.vmx.fUpdatedHostMsrs
8485	&& pVCpu->hm.s.vmx.cMsrs > 0)
8486	{
8487	hmR0VmxUpdateAutoLoadStoreHostMsrs(pVCpu);
8488	}
8489
8490	/*
8491	* Load the host state bits as we may've been preempted (only happens when
8492	* thread-context hooks are used or when hmR0VmxSetupVMRunHandler() changes pfnStartVM).
8493	*/
8494	/** @todo Why should hmR0VmxSetupVMRunHandler() changing pfnStartVM have
8495	* any effect to the host state needing to be saved? */
8496	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT))
8497	{
8498	/* This ASSUMES that pfnStartVM has been set up already. */
8499	int rc = hmR0VmxSaveHostState(pVM, pVCpu);
8500	AssertRC(rc);
8501	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchPreemptSaveHostState);
8502	}
8503	Assert(!HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_CONTEXT));
8504
8505	/*
8506	* Load the state shared between host and guest (FPU, debug, lazy MSRs).
8507	*/
8508	if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_HOST_GUEST_SHARED_STATE))
8509	hmR0VmxLoadSharedState(pVM, pVCpu, pMixedCtx);
8510	AssertMsg(!HMCPU_CF_VALUE(pVCpu), ("fContextUseFlags=%#RX32\n", HMCPU_CF_VALUE(pVCpu)));
8511
8512	/* Store status of the shared guest-host state at the time of VM-entry. */
8513	#if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS)
8514	if (CPUMIsGuestInLongModeEx(pMixedCtx))
8515	{
8516	pVmxTransient->fWasGuestDebugStateActive = CPUMIsGuestDebugStateActivePending(pVCpu);
8517	pVmxTransient->fWasHyperDebugStateActive = CPUMIsHyperDebugStateActivePending(pVCpu);
8518	}
8519	else
8520	#endif
8521	{
8522	pVmxTransient->fWasGuestDebugStateActive = CPUMIsGuestDebugStateActive(pVCpu);
8523	pVmxTransient->fWasHyperDebugStateActive = CPUMIsHyperDebugStateActive(pVCpu);
8524	}
8525	pVmxTransient->fWasGuestFPUStateActive = CPUMIsGuestFPUStateActive(pVCpu);
8526
8527	/*
8528	* Cache the TPR-shadow for checking on every VM-exit if it might have changed.
8529	*/
8530	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
8531	pVmxTransient->u8GuestTpr = pVCpu->hm.s.vmx.pbVirtApic[0x80];
8532
8533	PHMGLOBALCPUINFO pCpu = HMR0GetCurrentCpu();
8534	RTCPUID idCurrentCpu = pCpu->idCpu;
8535	if ( pVmxTransient->fUpdateTscOffsettingAndPreemptTimer
8536	\|\| idCurrentCpu != pVCpu->hm.s.idLastCpu)
8537	{
8538	hmR0VmxUpdateTscOffsettingAndPreemptTimer(pVM, pVCpu);
8539	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = false;
8540	}
8541
8542	ASMAtomicWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, true); /* Used for TLB flushing, set this across the world switch. */
8543	hmR0VmxFlushTaggedTlb(pVCpu, pCpu); /* Invalidate the appropriate guest entries from the TLB. */
8544	Assert(idCurrentCpu == pVCpu->hm.s.idLastCpu);
8545	pVCpu->hm.s.vmx.LastError.idCurrentCpu = idCurrentCpu; /* Update the error reporting info. with the current host CPU. */
8546
8547	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatEntry, &pVCpu->hm.s.StatInGC, x);
8548
8549	TMNotifyStartOfExecution(pVCpu); /* Finally, notify TM to resume its clocks as we're about
8550	to start executing. */
8551
8552	/*
8553	* Load the TSC_AUX MSR when we are not intercepting RDTSCP.
8554	*/
8555	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_RDTSCP)
8556	{
8557	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT))
8558	{
8559	bool fMsrUpdated;
8560	int rc2 = hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
8561	AssertRC(rc2);
8562	Assert(HMVMXCPU_GST_IS_UPDATED(pVCpu, HMVMX_UPDATED_GUEST_AUTO_LOAD_STORE_MSRS));
8563
8564	rc2 = hmR0VmxAddAutoLoadStoreMsr(pVCpu, MSR_K8_TSC_AUX, CPUMR0GetGuestTscAux(pVCpu), true /* fUpdateHostMsr */,
8565	&fMsrUpdated);
8566	AssertRC(rc2);
8567	Assert(fMsrUpdated \|\| pVCpu->hm.s.vmx.fUpdatedHostMsrs);
8568
8569	/* Finally, mark that all host MSR values are updated so we don't redo it without leaving VT-x. See @bugref{6956}. */
8570	pVCpu->hm.s.vmx.fUpdatedHostMsrs = true;
8571	}
8572	else
8573	{
8574	hmR0VmxRemoveAutoLoadStoreMsr(pVCpu, MSR_K8_TSC_AUX);
8575	Assert(!pVCpu->hm.s.vmx.cMsrs \|\| pVCpu->hm.s.vmx.fUpdatedHostMsrs);
8576	}
8577	}
8578
8579	#ifdef VBOX_STRICT
8580	hmR0VmxCheckAutoLoadStoreMsrs(pVCpu);
8581	hmR0VmxCheckHostEferMsr(pVCpu);
8582	AssertRC(hmR0VmxCheckVmcsCtls(pVCpu));
8583	#endif
8584	#ifdef HMVMX_ALWAYS_CHECK_GUEST_STATE
8585	uint32_t uInvalidReason = hmR0VmxCheckGuestState(pVM, pVCpu, pMixedCtx);
8586	if (uInvalidReason != VMX_IGS_REASON_NOT_FOUND)
8587	Log4(("hmR0VmxCheckGuestState returned %#x\n", uInvalidReason));
8588	#endif
8589	}
8590
8591
8592	/**
8593	* Performs some essential restoration of state after running guest code in
8594	* VT-x.
8595	*
8596	* @param pVM Pointer to the VM.
8597	* @param pVCpu Pointer to the VMCPU.
8598	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
8599	* out-of-sync. Make sure to update the required fields
8600	* before using them.
8601	* @param pVmxTransient Pointer to the VMX transient structure.
8602	* @param rcVMRun Return code of VMLAUNCH/VMRESUME.
8603	*
8604	* @remarks Called with interrupts disabled, and returns with interrups enabled!
8605	*
8606	* @remarks No-long-jump zone!!! This function will however re-enable longjmps
8607	* unconditionally when it is safe to do so.
8608	*/
8609	static void hmR0VmxPostRunGuest(PVM pVM, PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, int rcVMRun)
8610	{
8611	NOREF(pVM);
8612
8613	Assert(!VMMRZCallRing3IsEnabled(pVCpu));
8614
8615	ASMAtomicWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, false); /* See HMInvalidatePageOnAllVCpus(): used for TLB flushing. */
8616	ASMAtomicIncU32(&pVCpu->hm.s.cWorldSwitchExits); /* Initialized in vmR3CreateUVM(): used for EMT poking. */
8617	HMVMXCPU_GST_RESET_TO(pVCpu, 0); /* Exits/longjmps to ring-3 requires saving the guest state. */
8618	pVmxTransient->fVmcsFieldsRead = 0; /* Transient fields need to be read from the VMCS. */
8619	pVmxTransient->fVectoringPF = false; /* Vectoring page-fault needs to be determined later. */
8620	pVmxTransient->fVectoringDoublePF = false; /* Vectoring double page-fault needs to be determined later. */
8621
8622	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_RDTSC_EXIT))
8623	TMCpuTickSetLastSeen(pVCpu, ASMReadTSC() + pVCpu->hm.s.vmx.u64TSCOffset);
8624
8625	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatInGC, &pVCpu->hm.s.StatExit1, x);
8626	TMNotifyEndOfExecution(pVCpu); /* Notify TM that the guest is no longer running. */
8627	Assert(!ASMIntAreEnabled());
8628	VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
8629
8630	#ifdef HMVMX_ALWAYS_SWAP_FPU_STATE
8631	if (CPUMIsGuestFPUStateActive(pVCpu))
8632	{
8633	hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
8634	CPUMR0SaveGuestFPU(pVM, pVCpu, pMixedCtx);
8635	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
8636	}
8637	#endif
8638
8639	#if HC_ARCH_BITS == 64
8640	pVCpu->hm.s.vmx.fRestoreHostFlags \|= VMX_RESTORE_HOST_REQUIRED; /* Host state messed up by VT-x, we must restore. */
8641	#endif
8642	pVCpu->hm.s.vmx.uVmcsState \|= HMVMX_VMCS_STATE_LAUNCHED; /* Use VMRESUME instead of VMLAUNCH in the next run. */
8643	#ifdef VBOX_STRICT
8644	hmR0VmxCheckHostEferMsr(pVCpu); /* Verify that VMRUN/VMLAUNCH didn't modify host EFER. */
8645	#endif
8646	ASMSetFlags(pVmxTransient->fEFlags); /* Enable interrupts. */
8647	VMMRZCallRing3Enable(pVCpu); /* It is now safe to do longjmps to ring-3!!! */
8648
8649	/* Save the basic VM-exit reason. Refer Intel spec. 24.9.1 "Basic VM-exit Information". */
8650	uint32_t uExitReason;
8651	int rc = VMXReadVmcs32(VMX_VMCS32_RO_EXIT_REASON, &uExitReason);
8652	rc \|= hmR0VmxReadEntryIntInfoVmcs(pVmxTransient);
8653	AssertRC(rc);
8654	pVmxTransient->uExitReason = (uint16_t)VMX_EXIT_REASON_BASIC(uExitReason);
8655	pVmxTransient->fVMEntryFailed = VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uEntryIntInfo);
8656
8657	/* Update the VM-exit history array. */
8658	HMCPU_EXIT_HISTORY_ADD(pVCpu, pVmxTransient->uExitReason);
8659
8660	/* If the VMLAUNCH/VMRESUME failed, we can bail out early. This does -not- cover VMX_EXIT_ERR_. /
8661	if (RT_UNLIKELY(rcVMRun != VINF_SUCCESS))
8662	{
8663	Log4(("VM-entry failure: pVCpu=%p idCpu=%RU32 rcVMRun=%Rrc fVMEntryFailed=%RTbool\n", pVCpu, pVCpu->idCpu, rcVMRun,
8664	pVmxTransient->fVMEntryFailed));
8665	return;
8666	}
8667
8668	if (RT_LIKELY(!pVmxTransient->fVMEntryFailed))
8669	{
8670	/** @todo We can optimize this by only syncing with our force-flags when
8671	* really needed and keeping the VMCS state as it is for most
8672	* VM-exits. */
8673	/* Update the guest interruptibility-state from the VMCS. */
8674	hmR0VmxSaveGuestIntrState(pVCpu, pMixedCtx);
8675
8676	#if defined(HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE) \|\| defined(HMVMX_ALWAYS_SAVE_FULL_GUEST_STATE)
8677	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
8678	AssertRC(rc);
8679	#elif defined(HMVMX_ALWAYS_SAVE_GUEST_RFLAGS)
8680	rc = hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
8681	AssertRC(rc);
8682	#endif
8683
8684	/*
8685	* If the TPR was raised by the guest, it wouldn't cause a VM-exit immediately. Instead we sync the TPR lazily whenever
8686	* we eventually get a VM-exit for any reason. This maybe expensive as PDMApicSetTPR() can longjmp to ring-3 and which is
8687	* why it's done here as it's easier and no less efficient to deal with it here than making hmR0VmxSaveGuestState()
8688	* cope with longjmps safely (see VMCPU_FF_HM_UPDATE_CR3 handling).
8689	*/
8690	if ( (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
8691	&& pVmxTransient->u8GuestTpr != pVCpu->hm.s.vmx.pbVirtApic[0x80])
8692	{
8693	rc = PDMApicSetTPR(pVCpu, pVCpu->hm.s.vmx.pbVirtApic[0x80]);
8694	AssertRC(rc);
8695	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
8696	}
8697	}
8698	}
8699
8700
8701	/**
8702	* Runs the guest code using VT-x the normal way.
8703	*
8704	* @returns VBox status code.
8705	* @param pVM Pointer to the VM.
8706	* @param pVCpu Pointer to the VMCPU.
8707	* @param pCtx Pointer to the guest-CPU context.
8708	*
8709	* @note Mostly the same as hmR0VmxRunGuestCodeStep().
8710	*/
8711	static int hmR0VmxRunGuestCodeNormal(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8712	{
8713	VMXTRANSIENT VmxTransient;
8714	VmxTransient.fUpdateTscOffsettingAndPreemptTimer = true;
8715	int rc = VERR_INTERNAL_ERROR_5;
8716	uint32_t cLoops = 0;
8717
8718	for (;; cLoops++)
8719	{
8720	Assert(!HMR0SuspendPending());
8721	HMVMX_ASSERT_CPU_SAFE();
8722
8723	/* Preparatory work for running guest code, this may force us to return
8724	to ring-3. This bugger disables interrupts on VINF_SUCCESS! */
8725	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
8726	rc = hmR0VmxPreRunGuest(pVM, pVCpu, pCtx, &VmxTransient, false /* fStepping */);
8727	if (rc != VINF_SUCCESS)
8728	break;
8729
8730	hmR0VmxPreRunGuestCommitted(pVM, pVCpu, pCtx, &VmxTransient);
8731	rc = hmR0VmxRunGuest(pVM, pVCpu, pCtx);
8732	/* The guest-CPU context is now outdated, 'pCtx' is to be treated as 'pMixedCtx' from this point on!!! */
8733
8734	/* Restore any residual host-state and save any bits shared between host
8735	and guest into the guest-CPU state. Re-enables interrupts! */
8736	hmR0VmxPostRunGuest(pVM, pVCpu, pCtx, &VmxTransient, rc);
8737
8738	/* Check for errors with running the VM (VMLAUNCH/VMRESUME). */
8739	if (RT_UNLIKELY(rc != VINF_SUCCESS))
8740	{
8741	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit1, x);
8742	hmR0VmxReportWorldSwitchError(pVM, pVCpu, rc, pCtx, &VmxTransient);
8743	return rc;
8744	}
8745
8746	/* Profile the VM-exit. */
8747	AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
8748	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
8749	STAM_COUNTER_INC(&pVCpu->hm.s.paStatExitReasonR0[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
8750	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatExit1, &pVCpu->hm.s.StatExit2, x);
8751	HMVMX_START_EXIT_DISPATCH_PROF();
8752
8753	VBOXVMM_R0_HMVMX_VMEXIT_NOCTX(pVCpu, pCtx, VmxTransient.uExitReason);
8754	if (RT_UNLIKELY(VBOXVMM_R0_HMVMX_VMEXIT_ENABLED()))
8755	{
8756	hmR0VmxReadExitQualificationVmcs(pVCpu, &VmxTransient);
8757	hmR0VmxSaveGuestState(pVCpu, pCtx);
8758	VBOXVMM_R0_HMVMX_VMEXIT(pVCpu, pCtx, VmxTransient.uExitReason, VmxTransient.uExitQualification);
8759	}
8760
8761	/* Handle the VM-exit. */
8762	#ifdef HMVMX_USE_FUNCTION_TABLE
8763	rc = g_apfnVMExitHandlers[VmxTransient.uExitReason](pVCpu, pCtx, &VmxTransient);
8764	#else
8765	rc = hmR0VmxHandleExit(pVCpu, pCtx, &VmxTransient, VmxTransient.uExitReason);
8766	#endif
8767	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit2, x);
8768	if (rc != VINF_SUCCESS)
8769	break;
8770	if (cLoops > pVM->hm.s.cMaxResumeLoops)
8771	{
8772	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
8773	rc = VINF_EM_RAW_INTERRUPT;
8774	break;
8775	}
8776	}
8777
8778	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
8779	return rc;
8780	}
8781
8782
8783	/**
8784	* Single steps guest code using VT-x.
8785	*
8786	* @returns VBox status code.
8787	* @param pVM Pointer to the VM.
8788	* @param pVCpu Pointer to the VMCPU.
8789	* @param pCtx Pointer to the guest-CPU context.
8790	*
8791	* @note Mostly the same as hmR0VmxRunGuestCodeNormal().
8792	*/
8793	static int hmR0VmxRunGuestCodeStep(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8794	{
8795	VMXTRANSIENT VmxTransient;
8796	VmxTransient.fUpdateTscOffsettingAndPreemptTimer = true;
8797	VBOXSTRICTRC rcStrict = VERR_INTERNAL_ERROR_5;
8798	uint32_t cLoops = 0;
8799	uint16_t uCsStart = pCtx->cs.Sel;
8800	uint64_t uRipStart = pCtx->rip;
8801
8802	for (;; cLoops++)
8803	{
8804	Assert(!HMR0SuspendPending());
8805	HMVMX_ASSERT_CPU_SAFE();
8806
8807	/* Preparatory work for running guest code, this may force us to return
8808	to ring-3. This bugger disables interrupts on VINF_SUCCESS! */
8809	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
8810	rcStrict = hmR0VmxPreRunGuest(pVM, pVCpu, pCtx, &VmxTransient, true /* fStepping */);
8811	if (rcStrict != VINF_SUCCESS)
8812	break;
8813
8814	hmR0VmxPreRunGuestCommitted(pVM, pVCpu, pCtx, &VmxTransient);
8815	rcStrict = hmR0VmxRunGuest(pVM, pVCpu, pCtx);
8816	/* The guest-CPU context is now outdated, 'pCtx' is to be treated as 'pMixedCtx' from this point on!!! */
8817
8818	/* Restore any residual host-state and save any bits shared between host
8819	and guest into the guest-CPU state. Re-enables interrupts! */
8820	hmR0VmxPostRunGuest(pVM, pVCpu, pCtx, &VmxTransient, VBOXSTRICTRC_TODO(rcStrict));
8821
8822	/* Check for errors with running the VM (VMLAUNCH/VMRESUME). */
8823	if (RT_UNLIKELY(rcStrict != VINF_SUCCESS))
8824	{
8825	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit1, x);
8826	hmR0VmxReportWorldSwitchError(pVM, pVCpu, VBOXSTRICTRC_TODO(rcStrict), pCtx, &VmxTransient);
8827	return VBOXSTRICTRC_TODO(rcStrict);
8828	}
8829
8830	/* Profile the VM-exit. */
8831	AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
8832	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
8833	STAM_COUNTER_INC(&pVCpu->hm.s.paStatExitReasonR0[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
8834	STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatExit1, &pVCpu->hm.s.StatExit2, x);
8835	HMVMX_START_EXIT_DISPATCH_PROF();
8836
8837	VBOXVMM_R0_HMVMX_VMEXIT_NOCTX(pVCpu, pCtx, VmxTransient.uExitReason);
8838	if (RT_UNLIKELY(VBOXVMM_R0_HMVMX_VMEXIT_ENABLED()))
8839	{
8840	hmR0VmxReadExitQualificationVmcs(pVCpu, &VmxTransient);
8841	hmR0VmxSaveGuestState(pVCpu, pCtx);
8842	VBOXVMM_R0_HMVMX_VMEXIT(pVCpu, pCtx, VmxTransient.uExitReason, VmxTransient.uExitQualification);
8843	}
8844
8845	/* Handle the VM-exit - we quit earlier on certain VM-exits, see hmR0VmxHandleExitStep(). */
8846	rcStrict = hmR0VmxHandleExitStep(pVCpu, pCtx, &VmxTransient, VmxTransient.uExitReason, uCsStart, uRipStart);
8847	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExit2, x);
8848	if (rcStrict != VINF_SUCCESS)
8849	break;
8850	if (cLoops > pVM->hm.s.cMaxResumeLoops)
8851	{
8852	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
8853	rcStrict = VINF_EM_RAW_INTERRUPT;
8854	break;
8855	}
8856
8857	/*
8858	* Did the RIP change, if so, consider it a single step.
8859	* Otherwise, make sure one of the TFs gets set.
8860	*/
8861	int rc2 = hmR0VmxSaveGuestRip(pVCpu, pCtx);
8862	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pCtx);
8863	AssertRCReturn(rc2, rc2);
8864	if ( pCtx->rip != uRipStart
8865	\|\| pCtx->cs.Sel != uCsStart)
8866	{
8867	rcStrict = VINF_EM_DBG_STEPPED;
8868	break;
8869	}
8870	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
8871	}
8872
8873	/*
8874	* Clear the X86_EFL_TF if necessary.
8875	*/
8876	if (pVCpu->hm.s.fClearTrapFlag)
8877	{
8878	int rc2 = hmR0VmxSaveGuestRflags(pVCpu, pCtx);
8879	AssertRCReturn(rc2, rc2);
8880	pVCpu->hm.s.fClearTrapFlag = false;
8881	pCtx->eflags.Bits.u1TF = 0;
8882	}
8883	/** @todo there seems to be issues with the resume flag when the monitor trap
8884	* flag is pending without being used. Seen early in bios init when
8885	* accessing APIC page in protected mode. */
8886
8887	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
8888	return VBOXSTRICTRC_TODO(rcStrict);
8889	}
8890
8891
8892	/**
8893	* Runs the guest code using VT-x.
8894	*
8895	* @returns VBox status code.
8896	* @param pVM Pointer to the VM.
8897	* @param pVCpu Pointer to the VMCPU.
8898	* @param pCtx Pointer to the guest-CPU context.
8899	*/
8900	VMMR0DECL(int) VMXR0RunGuestCode(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
8901	{
8902	Assert(VMMRZCallRing3IsEnabled(pVCpu));
8903	Assert(HMVMXCPU_GST_VALUE(pVCpu) == HMVMX_UPDATED_GUEST_ALL);
8904	HMVMX_ASSERT_PREEMPT_SAFE();
8905
8906	VMMRZCallRing3SetNotification(pVCpu, hmR0VmxCallRing3Callback, pCtx);
8907
8908	int rc;
8909	if (!pVCpu->hm.s.fSingleInstruction)
8910	rc = hmR0VmxRunGuestCodeNormal(pVM, pVCpu, pCtx);
8911	else
8912	rc = hmR0VmxRunGuestCodeStep(pVM, pVCpu, pCtx);
8913
8914	if (rc == VERR_EM_INTERPRETER)
8915	rc = VINF_EM_RAW_EMULATE_INSTR;
8916	else if (rc == VINF_EM_RESET)
8917	rc = VINF_EM_TRIPLE_FAULT;
8918
8919	int rc2 = hmR0VmxExitToRing3(pVM, pVCpu, pCtx, rc);
8920	if (RT_FAILURE(rc2))
8921	{
8922	pVCpu->hm.s.u32HMError = rc;
8923	rc = rc2;
8924	}
8925	Assert(!VMMRZCallRing3IsNotificationSet(pVCpu));
8926	return rc;
8927	}
8928
8929
8930	#ifndef HMVMX_USE_FUNCTION_TABLE
8931	DECLINLINE(int) hmR0VmxHandleExit(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient, uint32_t rcReason)
8932	{
8933	#ifdef DEBUG_ramshankar
8934	# define SVVMCS() do { int rc2 = hmR0VmxSaveGuestState(pVCpu, pMixedCtx); AssertRC(rc2); } while (0)
8935	# define LDVMCS() do { HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST); } while (0)
8936	#endif
8937	int rc;
8938	switch (rcReason)
8939	{
8940	case VMX_EXIT_EPT_MISCONFIG: /* SVVMCS(); / rc = hmR0VmxExitEptMisconfig(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8941	case VMX_EXIT_EPT_VIOLATION: /* SVVMCS(); / rc = hmR0VmxExitEptViolation(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8942	case VMX_EXIT_IO_INSTR: /* SVVMCS(); / rc = hmR0VmxExitIoInstr(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8943	case VMX_EXIT_CPUID: /* SVVMCS(); / rc = hmR0VmxExitCpuid(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8944	case VMX_EXIT_RDTSC: /* SVVMCS(); / rc = hmR0VmxExitRdtsc(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8945	case VMX_EXIT_RDTSCP: /* SVVMCS(); / rc = hmR0VmxExitRdtscp(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8946	case VMX_EXIT_APIC_ACCESS: /* SVVMCS(); / rc = hmR0VmxExitApicAccess(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8947	case VMX_EXIT_XCPT_OR_NMI: /* SVVMCS(); / rc = hmR0VmxExitXcptOrNmi(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8948	case VMX_EXIT_MOV_CRX: /* SVVMCS(); / rc = hmR0VmxExitMovCRx(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8949	case VMX_EXIT_EXT_INT: /* SVVMCS(); / rc = hmR0VmxExitExtInt(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8950	case VMX_EXIT_INT_WINDOW: /* SVVMCS(); / rc = hmR0VmxExitIntWindow(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8951	case VMX_EXIT_MWAIT: /* SVVMCS(); / rc = hmR0VmxExitMwait(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8952	case VMX_EXIT_MONITOR: /* SVVMCS(); / rc = hmR0VmxExitMonitor(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8953	case VMX_EXIT_TASK_SWITCH: /* SVVMCS(); / rc = hmR0VmxExitTaskSwitch(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8954	case VMX_EXIT_PREEMPT_TIMER: /* SVVMCS(); / rc = hmR0VmxExitPreemptTimer(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8955	case VMX_EXIT_RDMSR: /* SVVMCS(); / rc = hmR0VmxExitRdmsr(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8956	case VMX_EXIT_WRMSR: /* SVVMCS(); / rc = hmR0VmxExitWrmsr(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8957	case VMX_EXIT_MOV_DRX: /* SVVMCS(); / rc = hmR0VmxExitMovDRx(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8958	case VMX_EXIT_TPR_BELOW_THRESHOLD: /* SVVMCS(); / rc = hmR0VmxExitTprBelowThreshold(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8959	case VMX_EXIT_HLT: /* SVVMCS(); / rc = hmR0VmxExitHlt(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8960	case VMX_EXIT_INVD: /* SVVMCS(); / rc = hmR0VmxExitInvd(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8961	case VMX_EXIT_INVLPG: /* SVVMCS(); / rc = hmR0VmxExitInvlpg(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8962	case VMX_EXIT_RSM: /* SVVMCS(); / rc = hmR0VmxExitRsm(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8963	case VMX_EXIT_MTF: /* SVVMCS(); / rc = hmR0VmxExitMtf(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8964	case VMX_EXIT_PAUSE: /* SVVMCS(); / rc = hmR0VmxExitPause(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8965	case VMX_EXIT_XDTR_ACCESS: /* SVVMCS(); / rc = hmR0VmxExitXdtrAccess(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8966	case VMX_EXIT_TR_ACCESS: /* SVVMCS(); / rc = hmR0VmxExitXdtrAccess(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8967	case VMX_EXIT_WBINVD: /* SVVMCS(); / rc = hmR0VmxExitWbinvd(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8968	case VMX_EXIT_XSETBV: /* SVVMCS(); / rc = hmR0VmxExitXsetbv(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8969	case VMX_EXIT_RDRAND: /* SVVMCS(); / rc = hmR0VmxExitRdrand(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8970	case VMX_EXIT_INVPCID: /* SVVMCS(); / rc = hmR0VmxExitInvpcid(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8971	case VMX_EXIT_GETSEC: /* SVVMCS(); / rc = hmR0VmxExitGetsec(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8972	case VMX_EXIT_RDPMC: /* SVVMCS(); / rc = hmR0VmxExitRdpmc(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8973	case VMX_EXIT_VMCALL: /* SVVMCS(); / rc = hmR0VmxExitVmcall(pVCpu, pMixedCtx, pVmxTransient); / LDVMCS(); */ break;
8974
8975	case VMX_EXIT_TRIPLE_FAULT: rc = hmR0VmxExitTripleFault(pVCpu, pMixedCtx, pVmxTransient); break;
8976	case VMX_EXIT_NMI_WINDOW: rc = hmR0VmxExitNmiWindow(pVCpu, pMixedCtx, pVmxTransient); break;
8977	case VMX_EXIT_INIT_SIGNAL: rc = hmR0VmxExitInitSignal(pVCpu, pMixedCtx, pVmxTransient); break;
8978	case VMX_EXIT_SIPI: rc = hmR0VmxExitSipi(pVCpu, pMixedCtx, pVmxTransient); break;
8979	case VMX_EXIT_IO_SMI: rc = hmR0VmxExitIoSmi(pVCpu, pMixedCtx, pVmxTransient); break;
8980	case VMX_EXIT_SMI: rc = hmR0VmxExitSmi(pVCpu, pMixedCtx, pVmxTransient); break;
8981	case VMX_EXIT_ERR_MSR_LOAD: rc = hmR0VmxExitErrMsrLoad(pVCpu, pMixedCtx, pVmxTransient); break;
8982	case VMX_EXIT_ERR_INVALID_GUEST_STATE: rc = hmR0VmxExitErrInvalidGuestState(pVCpu, pMixedCtx, pVmxTransient); break;
8983	case VMX_EXIT_ERR_MACHINE_CHECK: rc = hmR0VmxExitErrMachineCheck(pVCpu, pMixedCtx, pVmxTransient); break;
8984
8985	case VMX_EXIT_VMCLEAR:
8986	case VMX_EXIT_VMLAUNCH:
8987	case VMX_EXIT_VMPTRLD:
8988	case VMX_EXIT_VMPTRST:
8989	case VMX_EXIT_VMREAD:
8990	case VMX_EXIT_VMRESUME:
8991	case VMX_EXIT_VMWRITE:
8992	case VMX_EXIT_VMXOFF:
8993	case VMX_EXIT_VMXON:
8994	case VMX_EXIT_INVEPT:
8995	case VMX_EXIT_INVVPID:
8996	case VMX_EXIT_VMFUNC:
8997	case VMX_EXIT_XSAVES:
8998	case VMX_EXIT_XRSTORS:
8999	rc = hmR0VmxExitSetPendingXcptUD(pVCpu, pMixedCtx, pVmxTransient);
9000	break;
9001	case VMX_EXIT_RESERVED_60:
9002	case VMX_EXIT_RDSEED: /* only spurious exits, so undefined */
9003	case VMX_EXIT_RESERVED_62:
9004	default:
9005	rc = hmR0VmxExitErrUndefined(pVCpu, pMixedCtx, pVmxTransient);
9006	break;
9007	}
9008	return rc;
9009	}
9010	#endif /* !HMVMX_USE_FUNCTION_TABLE */
9011
9012
9013	/**
9014	* Single-stepping VM-exit filtering.
9015	*
9016	* This is preprocessing the exits and deciding whether we've gotten far enough
9017	* to return VINF_EM_DBG_STEPPED already. If not, normal VM-exit handling is
9018	* performed.
9019	*
9020	* @returns Strict VBox status code.
9021	* @param pVCpu The virtual CPU of the calling EMT.
9022	* @param pMixedCtx Pointer to the guest-CPU context. The data may be
9023	* out-of-sync. Make sure to update the required
9024	* fields before using them.
9025	* @param pVmxTransient Pointer to the VMX-transient structure.
9026	* @param uExitReason The VM-exit reason.
9027	*/
9028	DECLINLINE(VBOXSTRICTRC) hmR0VmxHandleExitStep(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient,
9029	uint32_t uExitReason, uint16_t uCsStart, uint64_t uRipStart)
9030	{
9031	switch (uExitReason)
9032	{
9033	case VMX_EXIT_XCPT_OR_NMI:
9034	{
9035	/* Check for host NMI. */
9036	int rc2 = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
9037	AssertRCReturn(rc2, rc2);
9038	uint32_t uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVmxTransient->uExitIntInfo);
9039	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
9040	return hmR0VmxExitXcptOrNmi(pVCpu, pMixedCtx, pVmxTransient);
9041	/* fall thru */
9042	}
9043
9044	case VMX_EXIT_EPT_MISCONFIG:
9045	case VMX_EXIT_TRIPLE_FAULT:
9046	case VMX_EXIT_APIC_ACCESS:
9047	case VMX_EXIT_TPR_BELOW_THRESHOLD:
9048	case VMX_EXIT_TASK_SWITCH:
9049
9050	/* Instruction specific VM-exits: */
9051	case VMX_EXIT_IO_INSTR:
9052	case VMX_EXIT_CPUID:
9053	case VMX_EXIT_RDTSC:
9054	case VMX_EXIT_RDTSCP:
9055	case VMX_EXIT_MOV_CRX:
9056	case VMX_EXIT_MWAIT:
9057	case VMX_EXIT_MONITOR:
9058	case VMX_EXIT_RDMSR:
9059	case VMX_EXIT_WRMSR:
9060	case VMX_EXIT_MOV_DRX:
9061	case VMX_EXIT_HLT:
9062	case VMX_EXIT_INVD:
9063	case VMX_EXIT_INVLPG:
9064	case VMX_EXIT_RSM:
9065	case VMX_EXIT_PAUSE:
9066	case VMX_EXIT_XDTR_ACCESS:
9067	case VMX_EXIT_TR_ACCESS:
9068	case VMX_EXIT_WBINVD:
9069	case VMX_EXIT_XSETBV:
9070	case VMX_EXIT_RDRAND:
9071	case VMX_EXIT_INVPCID:
9072	case VMX_EXIT_GETSEC:
9073	case VMX_EXIT_RDPMC:
9074	case VMX_EXIT_VMCALL:
9075	case VMX_EXIT_VMCLEAR:
9076	case VMX_EXIT_VMLAUNCH:
9077	case VMX_EXIT_VMPTRLD:
9078	case VMX_EXIT_VMPTRST:
9079	case VMX_EXIT_VMREAD:
9080	case VMX_EXIT_VMRESUME:
9081	case VMX_EXIT_VMWRITE:
9082	case VMX_EXIT_VMXOFF:
9083	case VMX_EXIT_VMXON:
9084	case VMX_EXIT_INVEPT:
9085	case VMX_EXIT_INVVPID:
9086	case VMX_EXIT_VMFUNC:
9087	{
9088	int rc2 = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
9089	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
9090	AssertRCReturn(rc2, rc2);
9091	if ( pMixedCtx->rip != uRipStart
9092	\|\| pMixedCtx->cs.Sel != uCsStart)
9093	return VINF_EM_DBG_STEPPED;
9094	break;
9095	}
9096	}
9097
9098	/*
9099	* Normal processing.
9100	*/
9101	#ifdef HMVMX_USE_FUNCTION_TABLE
9102	return g_apfnVMExitHandlers[uExitReason](pVCpu, pMixedCtx, pVmxTransient);
9103	#else
9104	return hmR0VmxHandleExit(pVCpu, pMixedCtx, pVmxTransient, uExitReason);
9105	#endif
9106	}
9107
9108
9109	#ifdef VBOX_STRICT
9110	/* Is there some generic IPRT define for this that are not in Runtime/internal/\* ?? */
9111	# define HMVMX_ASSERT_PREEMPT_CPUID_VAR() \
9112	RTCPUID const idAssertCpu = RTThreadPreemptIsEnabled(NIL_RTTHREAD) ? NIL_RTCPUID : RTMpCpuId()
9113
9114	# define HMVMX_ASSERT_PREEMPT_CPUID() \
9115	do { \
9116	RTCPUID const idAssertCpuNow = RTThreadPreemptIsEnabled(NIL_RTTHREAD) ? NIL_RTCPUID : RTMpCpuId(); \
9117	AssertMsg(idAssertCpu == idAssertCpuNow, ("VMX %#x, %#x\n", idAssertCpu, idAssertCpuNow)); \
9118	} while (0)
9119
9120	# define HMVMX_VALIDATE_EXIT_HANDLER_PARAMS() \
9121	do { \
9122	AssertPtr(pVCpu); \
9123	AssertPtr(pMixedCtx); \
9124	AssertPtr(pVmxTransient); \
9125	Assert(pVmxTransient->fVMEntryFailed == false); \
9126	Assert(ASMIntAreEnabled()); \
9127	HMVMX_ASSERT_PREEMPT_SAFE(); \
9128	HMVMX_ASSERT_PREEMPT_CPUID_VAR(); \
9129	Log4Func(("vcpu[%RU32] -v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v-v\n", pVCpu->idCpu)); \
9130	HMVMX_ASSERT_PREEMPT_SAFE(); \
9131	if (VMMR0IsLogFlushDisabled(pVCpu)) \
9132	HMVMX_ASSERT_PREEMPT_CPUID(); \
9133	HMVMX_STOP_EXIT_DISPATCH_PROF(); \
9134	} while (0)
9135
9136	# define HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS() \
9137	do { \
9138	Log4Func(("\n")); \
9139	} while (0)
9140	#else /* nonstrict builds: */
9141	# define HMVMX_VALIDATE_EXIT_HANDLER_PARAMS() \
9142	do { \
9143	HMVMX_STOP_EXIT_DISPATCH_PROF(); \
9144	NOREF(pVCpu); NOREF(pMixedCtx); NOREF(pVmxTransient); \
9145	} while (0)
9146	# define HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS() do { } while (0)
9147	#endif
9148
9149
9150	/**
9151	* Advances the guest RIP after reading it from the VMCS.
9152	*
9153	* @returns VBox status code.
9154	* @param pVCpu Pointer to the VMCPU.
9155	* @param pMixedCtx Pointer to the guest-CPU context. The data maybe
9156	* out-of-sync. Make sure to update the required fields
9157	* before using them.
9158	* @param pVmxTransient Pointer to the VMX transient structure.
9159	*
9160	* @remarks No-long-jump zone!!!
9161	*/
9162	DECLINLINE(int) hmR0VmxAdvanceGuestRip(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9163	{
9164	int rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
9165	rc \|= hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
9166	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
9167	AssertRCReturn(rc, rc);
9168
9169	pMixedCtx->rip += pVmxTransient->cbInstr;
9170	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
9171
9172	/*
9173	* Deliver a debug exception to the guest if it is single-stepping. Don't directly inject a #DB but use the
9174	* pending debug exception field as it takes care of priority of events.
9175	*
9176	* See Intel spec. 32.2.1 "Debug Exceptions".
9177	*/
9178	if ( !pVCpu->hm.s.fSingleInstruction
9179	&& pMixedCtx->eflags.Bits.u1TF)
9180	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
9181
9182	return rc;
9183	}
9184
9185
9186	/**
9187	* Tries to determine what part of the guest-state VT-x has deemed as invalid
9188	* and update error record fields accordingly.
9189	*
9190	* @return VMX_IGS_* return codes.
9191	* @retval VMX_IGS_REASON_NOT_FOUND if this function could not find anything
9192	* wrong with the guest state.
9193	*
9194	* @param pVM Pointer to the VM.
9195	* @param pVCpu Pointer to the VMCPU.
9196	* @param pCtx Pointer to the guest-CPU state.
9197	*
9198	* @remarks This function assumes our cache of the VMCS controls
9199	* are valid, i.e. hmR0VmxCheckVmcsCtls() succeeded.
9200	*/
9201	static uint32_t hmR0VmxCheckGuestState(PVM pVM, PVMCPU pVCpu, PCPUMCTX pCtx)
9202	{
9203	#define HMVMX_ERROR_BREAK(err) { uError = (err); break; }
9204	#define HMVMX_CHECK_BREAK(expr, err) if (!(expr)) { \
9205	uError = (err); \
9206	break; \
9207	} else do { } while (0)
9208
9209	int rc;
9210	uint32_t uError = VMX_IGS_ERROR;
9211	uint32_t u32Val;
9212	bool fUnrestrictedGuest = pVM->hm.s.vmx.fUnrestrictedGuest;
9213
9214	do
9215	{
9216	/*
9217	* CR0.
9218	*/
9219	uint32_t uSetCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
9220	uint32_t uZapCR0 = (uint32_t)(pVM->hm.s.vmx.Msrs.u64Cr0Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr0Fixed1);
9221	/* Exceptions for unrestricted-guests for fixed CR0 bits (PE, PG).
9222	See Intel spec. 26.3.1 "Checks on Guest Control Registers, Debug Registers and MSRs." */
9223	if (fUnrestrictedGuest)
9224	uSetCR0 &= ~(X86_CR0_PE \| X86_CR0_PG);
9225
9226	uint32_t u32GuestCR0;
9227	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &u32GuestCR0);
9228	AssertRCBreak(rc);
9229	HMVMX_CHECK_BREAK((u32GuestCR0 & uSetCR0) == uSetCR0, VMX_IGS_CR0_FIXED1);
9230	HMVMX_CHECK_BREAK(!(u32GuestCR0 & ~uZapCR0), VMX_IGS_CR0_FIXED0);
9231	if ( !fUnrestrictedGuest
9232	&& (u32GuestCR0 & X86_CR0_PG)
9233	&& !(u32GuestCR0 & X86_CR0_PE))
9234	{
9235	HMVMX_ERROR_BREAK(VMX_IGS_CR0_PG_PE_COMBO);
9236	}
9237
9238	/*
9239	* CR4.
9240	*/
9241	uint64_t uSetCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 & pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
9242	uint64_t uZapCR4 = (pVM->hm.s.vmx.Msrs.u64Cr4Fixed0 \| pVM->hm.s.vmx.Msrs.u64Cr4Fixed1);
9243
9244	uint32_t u32GuestCR4;
9245	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR4, &u32GuestCR4);
9246	AssertRCBreak(rc);
9247	HMVMX_CHECK_BREAK((u32GuestCR4 & uSetCR4) == uSetCR4, VMX_IGS_CR4_FIXED1);
9248	HMVMX_CHECK_BREAK(!(u32GuestCR4 & ~uZapCR4), VMX_IGS_CR4_FIXED0);
9249
9250	/*
9251	* IA32_DEBUGCTL MSR.
9252	*/
9253	uint64_t u64Val;
9254	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_DEBUGCTL_FULL, &u64Val);
9255	AssertRCBreak(rc);
9256	if ( (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
9257	&& (u64Val & 0xfffffe3c)) /* Bits 31:9, bits 5:2 MBZ. */
9258	{
9259	HMVMX_ERROR_BREAK(VMX_IGS_DEBUGCTL_MSR_RESERVED);
9260	}
9261	uint64_t u64DebugCtlMsr = u64Val;
9262
9263	#ifdef VBOX_STRICT
9264	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY, &u32Val);
9265	AssertRCBreak(rc);
9266	Assert(u32Val == pVCpu->hm.s.vmx.u32EntryCtls);
9267	#endif
9268	bool const fLongModeGuest = RT_BOOL(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST);
9269
9270	/*
9271	* RIP and RFLAGS.
9272	*/
9273	uint32_t u32Eflags;
9274	#if HC_ARCH_BITS == 64
9275	rc = VMXReadVmcs64(VMX_VMCS_GUEST_RIP, &u64Val);
9276	AssertRCBreak(rc);
9277	/* pCtx->rip can be different than the one in the VMCS (e.g. run guest code and VM-exits that don't update it). */
9278	if ( !fLongModeGuest
9279	\|\| !pCtx->cs.Attr.n.u1Long)
9280	{
9281	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffff00000000)), VMX_IGS_LONGMODE_RIP_INVALID);
9282	}
9283	/** @todo If the processor supports N < 64 linear-address bits, bits 63:N
9284	* must be identical if the "IA-32e mode guest" VM-entry
9285	* control is 1 and CS.L is 1. No check applies if the
9286	* CPU supports 64 linear-address bits. */
9287
9288	/* Flags in pCtx can be different (real-on-v86 for instance). We are only concerned about the VMCS contents here. */
9289	rc = VMXReadVmcs64(VMX_VMCS_GUEST_RFLAGS, &u64Val);
9290	AssertRCBreak(rc);
9291	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffffffc08028)), /* Bit 63:22, Bit 15, 5, 3 MBZ. */
9292	VMX_IGS_RFLAGS_RESERVED);
9293	HMVMX_CHECK_BREAK((u64Val & X86_EFL_RA1_MASK), VMX_IGS_RFLAGS_RESERVED1); /* Bit 1 MB1. */
9294	u32Eflags = u64Val;
9295	#else
9296	rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &u32Eflags);
9297	AssertRCBreak(rc);
9298	HMVMX_CHECK_BREAK(!(u32Eflags & 0xffc08028), VMX_IGS_RFLAGS_RESERVED); /* Bit 31:22, Bit 15, 5, 3 MBZ. */
9299	HMVMX_CHECK_BREAK((u32Eflags & X86_EFL_RA1_MASK), VMX_IGS_RFLAGS_RESERVED1); /* Bit 1 MB1. */
9300	#endif
9301
9302	if ( fLongModeGuest
9303	\|\| ( fUnrestrictedGuest
9304	&& !(u32GuestCR0 & X86_CR0_PE)))
9305	{
9306	HMVMX_CHECK_BREAK(!(u32Eflags & X86_EFL_VM), VMX_IGS_RFLAGS_VM_INVALID);
9307	}
9308
9309	uint32_t u32EntryInfo;
9310	rc = VMXReadVmcs32(VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO, &u32EntryInfo);
9311	AssertRCBreak(rc);
9312	if ( VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo)
9313	&& VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
9314	{
9315	HMVMX_CHECK_BREAK(u32Eflags & X86_EFL_IF, VMX_IGS_RFLAGS_IF_INVALID);
9316	}
9317
9318	/*
9319	* 64-bit checks.
9320	*/
9321	#if HC_ARCH_BITS == 64
9322	if (fLongModeGuest)
9323	{
9324	HMVMX_CHECK_BREAK(u32GuestCR0 & X86_CR0_PG, VMX_IGS_CR0_PG_LONGMODE);
9325	HMVMX_CHECK_BREAK(u32GuestCR4 & X86_CR4_PAE, VMX_IGS_CR4_PAE_LONGMODE);
9326	}
9327
9328	if ( !fLongModeGuest
9329	&& (u32GuestCR4 & X86_CR4_PCIDE))
9330	{
9331	HMVMX_ERROR_BREAK(VMX_IGS_CR4_PCIDE);
9332	}
9333
9334	/** @todo CR3 field must be such that bits 63:52 and bits in the range
9335	* 51:32 beyond the processor's physical-address width are 0. */
9336
9337	if ( (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_DEBUG)
9338	&& (pCtx->dr[7] & X86_DR7_MBZ_MASK))
9339	{
9340	HMVMX_ERROR_BREAK(VMX_IGS_DR7_RESERVED);
9341	}
9342
9343	rc = VMXReadVmcs64(VMX_VMCS_HOST_SYSENTER_ESP, &u64Val);
9344	AssertRCBreak(rc);
9345	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_SYSENTER_ESP_NOT_CANONICAL);
9346
9347	rc = VMXReadVmcs64(VMX_VMCS_HOST_SYSENTER_EIP, &u64Val);
9348	AssertRCBreak(rc);
9349	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_SYSENTER_EIP_NOT_CANONICAL);
9350	#endif
9351
9352	/*
9353	* PERF_GLOBAL MSR.
9354	*/
9355	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PERF_MSR)
9356	{
9357	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PERF_GLOBAL_CTRL_FULL, &u64Val);
9358	AssertRCBreak(rc);
9359	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xfffffff8fffffffc)),
9360	VMX_IGS_PERF_GLOBAL_MSR_RESERVED); /* Bits 63:35, bits 31:2 MBZ. */
9361	}
9362
9363	/*
9364	* PAT MSR.
9365	*/
9366	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_PAT_MSR)
9367	{
9368	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PAT_FULL, &u64Val);
9369	AssertRCBreak(rc);
9370	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0x707070707070707)), VMX_IGS_PAT_MSR_RESERVED);
9371	for (unsigned i = 0; i < 8; i++)
9372	{
9373	uint8_t u8Val = (u64Val & 0xff);
9374	if ( u8Val != 0 /* UC */
9375	&& u8Val != 1 /* WC */
9376	&& u8Val != 4 /* WT */
9377	&& u8Val != 5 /* WP */
9378	&& u8Val != 6 /* WB */
9379	&& u8Val != 7 /* UC- */)
9380	{
9381	HMVMX_ERROR_BREAK(VMX_IGS_PAT_MSR_INVALID);
9382	}
9383	u64Val >>= 8;
9384	}
9385	}
9386
9387	/*
9388	* EFER MSR.
9389	*/
9390	if (pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_LOAD_GUEST_EFER_MSR)
9391	{
9392	Assert(pVM->hm.s.vmx.fSupportsVmcsEfer);
9393	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_EFER_FULL, &u64Val);
9394	AssertRCBreak(rc);
9395	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xfffffffffffff2fe)),
9396	VMX_IGS_EFER_MSR_RESERVED); /* Bits 63:12, bit 9, bits 7:1 MBZ. */
9397	HMVMX_CHECK_BREAK(RT_BOOL(u64Val & MSR_K6_EFER_LMA) == RT_BOOL( pVCpu->hm.s.vmx.u32EntryCtls
9398	& VMX_VMCS_CTRL_ENTRY_IA32E_MODE_GUEST),
9399	VMX_IGS_EFER_LMA_GUEST_MODE_MISMATCH);
9400	HMVMX_CHECK_BREAK( fUnrestrictedGuest
9401	\|\| !(u32GuestCR0 & X86_CR0_PG)
9402	\|\| RT_BOOL(u64Val & MSR_K6_EFER_LMA) == RT_BOOL(u64Val & MSR_K6_EFER_LME),
9403	VMX_IGS_EFER_LMA_LME_MISMATCH);
9404	}
9405
9406	/*
9407	* Segment registers.
9408	*/
9409	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
9410	\|\| !(pCtx->ldtr.Sel & X86_SEL_LDT), VMX_IGS_LDTR_TI_INVALID);
9411	if (!(u32Eflags & X86_EFL_VM))
9412	{
9413	/* CS */
9414	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u1Present, VMX_IGS_CS_ATTR_P_INVALID);
9415	HMVMX_CHECK_BREAK(!(pCtx->cs.Attr.u & 0xf00), VMX_IGS_CS_ATTR_RESERVED);
9416	HMVMX_CHECK_BREAK(!(pCtx->cs.Attr.u & 0xfffe0000), VMX_IGS_CS_ATTR_RESERVED);
9417	HMVMX_CHECK_BREAK( (pCtx->cs.u32Limit & 0xfff) == 0xfff
9418	\|\| !(pCtx->cs.Attr.n.u1Granularity), VMX_IGS_CS_ATTR_G_INVALID);
9419	HMVMX_CHECK_BREAK( !(pCtx->cs.u32Limit & 0xfff00000)
9420	\|\| (pCtx->cs.Attr.n.u1Granularity), VMX_IGS_CS_ATTR_G_INVALID);
9421	/* CS cannot be loaded with NULL in protected mode. */
9422	HMVMX_CHECK_BREAK(pCtx->cs.Attr.u && !(pCtx->cs.Attr.u & X86DESCATTR_UNUSABLE), VMX_IGS_CS_ATTR_UNUSABLE);
9423	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u1DescType, VMX_IGS_CS_ATTR_S_INVALID);
9424	if (pCtx->cs.Attr.n.u4Type == 9 \|\| pCtx->cs.Attr.n.u4Type == 11)
9425	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl == pCtx->ss.Attr.n.u2Dpl, VMX_IGS_CS_SS_ATTR_DPL_UNEQUAL);
9426	else if (pCtx->cs.Attr.n.u4Type == 13 \|\| pCtx->cs.Attr.n.u4Type == 15)
9427	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl <= pCtx->ss.Attr.n.u2Dpl, VMX_IGS_CS_SS_ATTR_DPL_MISMATCH);
9428	else if (pVM->hm.s.vmx.fUnrestrictedGuest && pCtx->cs.Attr.n.u4Type == 3)
9429	HMVMX_CHECK_BREAK(pCtx->cs.Attr.n.u2Dpl == 0, VMX_IGS_CS_ATTR_DPL_INVALID);
9430	else
9431	HMVMX_ERROR_BREAK(VMX_IGS_CS_ATTR_TYPE_INVALID);
9432
9433	/* SS */
9434	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
9435	\|\| (pCtx->ss.Sel & X86_SEL_RPL) == (pCtx->cs.Sel & X86_SEL_RPL), VMX_IGS_SS_CS_RPL_UNEQUAL);
9436	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u2Dpl == (pCtx->ss.Sel & X86_SEL_RPL), VMX_IGS_SS_ATTR_DPL_RPL_UNEQUAL);
9437	if ( !(pCtx->cr0 & X86_CR0_PE)
9438	\|\| pCtx->cs.Attr.n.u4Type == 3)
9439	{
9440	HMVMX_CHECK_BREAK(!pCtx->ss.Attr.n.u2Dpl, VMX_IGS_SS_ATTR_DPL_INVALID);
9441	}
9442	if (!(pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE))
9443	{
9444	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u4Type == 3 \|\| pCtx->ss.Attr.n.u4Type == 7, VMX_IGS_SS_ATTR_TYPE_INVALID);
9445	HMVMX_CHECK_BREAK(pCtx->ss.Attr.n.u1Present, VMX_IGS_SS_ATTR_P_INVALID);
9446	HMVMX_CHECK_BREAK(!(pCtx->ss.Attr.u & 0xf00), VMX_IGS_SS_ATTR_RESERVED);
9447	HMVMX_CHECK_BREAK(!(pCtx->ss.Attr.u & 0xfffe0000), VMX_IGS_SS_ATTR_RESERVED);
9448	HMVMX_CHECK_BREAK( (pCtx->ss.u32Limit & 0xfff) == 0xfff
9449	\|\| !(pCtx->ss.Attr.n.u1Granularity), VMX_IGS_SS_ATTR_G_INVALID);
9450	HMVMX_CHECK_BREAK( !(pCtx->ss.u32Limit & 0xfff00000)
9451	\|\| (pCtx->ss.Attr.n.u1Granularity), VMX_IGS_SS_ATTR_G_INVALID);
9452	}
9453
9454	/* DS, ES, FS, GS - only check for usable selectors, see hmR0VmxWriteSegmentReg(). */
9455	if (!(pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE))
9456	{
9457	HMVMX_CHECK_BREAK(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_DS_ATTR_A_INVALID);
9458	HMVMX_CHECK_BREAK(pCtx->ds.Attr.n.u1Present, VMX_IGS_DS_ATTR_P_INVALID);
9459	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
9460	\|\| pCtx->ds.Attr.n.u4Type > 11
9461	\|\| pCtx->ds.Attr.n.u2Dpl >= (pCtx->ds.Sel & X86_SEL_RPL), VMX_IGS_DS_ATTR_DPL_RPL_UNEQUAL);
9462	HMVMX_CHECK_BREAK(!(pCtx->ds.Attr.u & 0xf00), VMX_IGS_DS_ATTR_RESERVED);
9463	HMVMX_CHECK_BREAK(!(pCtx->ds.Attr.u & 0xfffe0000), VMX_IGS_DS_ATTR_RESERVED);
9464	HMVMX_CHECK_BREAK( (pCtx->ds.u32Limit & 0xfff) == 0xfff
9465	\|\| !(pCtx->ds.Attr.n.u1Granularity), VMX_IGS_DS_ATTR_G_INVALID);
9466	HMVMX_CHECK_BREAK( !(pCtx->ds.u32Limit & 0xfff00000)
9467	\|\| (pCtx->ds.Attr.n.u1Granularity), VMX_IGS_DS_ATTR_G_INVALID);
9468	HMVMX_CHECK_BREAK( !(pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_CODE)
9469	\|\| (pCtx->ds.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_DS_ATTR_TYPE_INVALID);
9470	}
9471	if (!(pCtx->es.Attr.u & X86DESCATTR_UNUSABLE))
9472	{
9473	HMVMX_CHECK_BREAK(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_ES_ATTR_A_INVALID);
9474	HMVMX_CHECK_BREAK(pCtx->es.Attr.n.u1Present, VMX_IGS_ES_ATTR_P_INVALID);
9475	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
9476	\|\| pCtx->es.Attr.n.u4Type > 11
9477	\|\| pCtx->es.Attr.n.u2Dpl >= (pCtx->es.Sel & X86_SEL_RPL), VMX_IGS_DS_ATTR_DPL_RPL_UNEQUAL);
9478	HMVMX_CHECK_BREAK(!(pCtx->es.Attr.u & 0xf00), VMX_IGS_ES_ATTR_RESERVED);
9479	HMVMX_CHECK_BREAK(!(pCtx->es.Attr.u & 0xfffe0000), VMX_IGS_ES_ATTR_RESERVED);
9480	HMVMX_CHECK_BREAK( (pCtx->es.u32Limit & 0xfff) == 0xfff
9481	\|\| !(pCtx->es.Attr.n.u1Granularity), VMX_IGS_ES_ATTR_G_INVALID);
9482	HMVMX_CHECK_BREAK( !(pCtx->es.u32Limit & 0xfff00000)
9483	\|\| (pCtx->es.Attr.n.u1Granularity), VMX_IGS_ES_ATTR_G_INVALID);
9484	HMVMX_CHECK_BREAK( !(pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_CODE)
9485	\|\| (pCtx->es.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_ES_ATTR_TYPE_INVALID);
9486	}
9487	if (!(pCtx->fs.Attr.u & X86DESCATTR_UNUSABLE))
9488	{
9489	HMVMX_CHECK_BREAK(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_FS_ATTR_A_INVALID);
9490	HMVMX_CHECK_BREAK(pCtx->fs.Attr.n.u1Present, VMX_IGS_FS_ATTR_P_INVALID);
9491	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
9492	\|\| pCtx->fs.Attr.n.u4Type > 11
9493	\|\| pCtx->fs.Attr.n.u2Dpl >= (pCtx->fs.Sel & X86_SEL_RPL), VMX_IGS_FS_ATTR_DPL_RPL_UNEQUAL);
9494	HMVMX_CHECK_BREAK(!(pCtx->fs.Attr.u & 0xf00), VMX_IGS_FS_ATTR_RESERVED);
9495	HMVMX_CHECK_BREAK(!(pCtx->fs.Attr.u & 0xfffe0000), VMX_IGS_FS_ATTR_RESERVED);
9496	HMVMX_CHECK_BREAK( (pCtx->fs.u32Limit & 0xfff) == 0xfff
9497	\|\| !(pCtx->fs.Attr.n.u1Granularity), VMX_IGS_FS_ATTR_G_INVALID);
9498	HMVMX_CHECK_BREAK( !(pCtx->fs.u32Limit & 0xfff00000)
9499	\|\| (pCtx->fs.Attr.n.u1Granularity), VMX_IGS_FS_ATTR_G_INVALID);
9500	HMVMX_CHECK_BREAK( !(pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
9501	\|\| (pCtx->fs.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_FS_ATTR_TYPE_INVALID);
9502	}
9503	if (!(pCtx->gs.Attr.u & X86DESCATTR_UNUSABLE))
9504	{
9505	HMVMX_CHECK_BREAK(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_ACCESSED, VMX_IGS_GS_ATTR_A_INVALID);
9506	HMVMX_CHECK_BREAK(pCtx->gs.Attr.n.u1Present, VMX_IGS_GS_ATTR_P_INVALID);
9507	HMVMX_CHECK_BREAK( pVM->hm.s.vmx.fUnrestrictedGuest
9508	\|\| pCtx->gs.Attr.n.u4Type > 11
9509	\|\| pCtx->gs.Attr.n.u2Dpl >= (pCtx->gs.Sel & X86_SEL_RPL), VMX_IGS_GS_ATTR_DPL_RPL_UNEQUAL);
9510	HMVMX_CHECK_BREAK(!(pCtx->gs.Attr.u & 0xf00), VMX_IGS_GS_ATTR_RESERVED);
9511	HMVMX_CHECK_BREAK(!(pCtx->gs.Attr.u & 0xfffe0000), VMX_IGS_GS_ATTR_RESERVED);
9512	HMVMX_CHECK_BREAK( (pCtx->gs.u32Limit & 0xfff) == 0xfff
9513	\|\| !(pCtx->gs.Attr.n.u1Granularity), VMX_IGS_GS_ATTR_G_INVALID);
9514	HMVMX_CHECK_BREAK( !(pCtx->gs.u32Limit & 0xfff00000)
9515	\|\| (pCtx->gs.Attr.n.u1Granularity), VMX_IGS_GS_ATTR_G_INVALID);
9516	HMVMX_CHECK_BREAK( !(pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_CODE)
9517	\|\| (pCtx->gs.Attr.n.u4Type & X86_SEL_TYPE_READ), VMX_IGS_GS_ATTR_TYPE_INVALID);
9518	}
9519	/* 64-bit capable CPUs. */
9520	#if HC_ARCH_BITS == 64
9521	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->fs.u64Base), VMX_IGS_FS_BASE_NOT_CANONICAL);
9522	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->gs.u64Base), VMX_IGS_GS_BASE_NOT_CANONICAL);
9523	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
9524	\|\| X86_IS_CANONICAL(pCtx->ldtr.u64Base), VMX_IGS_LDTR_BASE_NOT_CANONICAL);
9525	HMVMX_CHECK_BREAK(!(pCtx->cs.u64Base >> 32), VMX_IGS_LONGMODE_CS_BASE_INVALID);
9526	HMVMX_CHECK_BREAK((pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ss.u64Base >> 32),
9527	VMX_IGS_LONGMODE_SS_BASE_INVALID);
9528	HMVMX_CHECK_BREAK((pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ds.u64Base >> 32),
9529	VMX_IGS_LONGMODE_DS_BASE_INVALID);
9530	HMVMX_CHECK_BREAK((pCtx->es.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->es.u64Base >> 32),
9531	VMX_IGS_LONGMODE_ES_BASE_INVALID);
9532	#endif
9533	}
9534	else
9535	{
9536	/* V86 mode checks. */
9537	uint32_t u32CSAttr, u32SSAttr, u32DSAttr, u32ESAttr, u32FSAttr, u32GSAttr;
9538	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
9539	{
9540	u32CSAttr = 0xf3; u32SSAttr = 0xf3;
9541	u32DSAttr = 0xf3; u32ESAttr = 0xf3;
9542	u32FSAttr = 0xf3; u32GSAttr = 0xf3;
9543	}
9544	else
9545	{
9546	u32CSAttr = pCtx->cs.Attr.u; u32SSAttr = pCtx->ss.Attr.u;
9547	u32DSAttr = pCtx->ds.Attr.u; u32ESAttr = pCtx->es.Attr.u;
9548	u32FSAttr = pCtx->fs.Attr.u; u32GSAttr = pCtx->gs.Attr.u;
9549	}
9550
9551	/* CS */
9552	HMVMX_CHECK_BREAK((pCtx->cs.u64Base == (uint64_t)pCtx->cs.Sel << 4), VMX_IGS_V86_CS_BASE_INVALID);
9553	HMVMX_CHECK_BREAK(pCtx->cs.u32Limit == 0xffff, VMX_IGS_V86_CS_LIMIT_INVALID);
9554	HMVMX_CHECK_BREAK(u32CSAttr == 0xf3, VMX_IGS_V86_CS_ATTR_INVALID);
9555	/* SS */
9556	HMVMX_CHECK_BREAK((pCtx->ss.u64Base == (uint64_t)pCtx->ss.Sel << 4), VMX_IGS_V86_SS_BASE_INVALID);
9557	HMVMX_CHECK_BREAK(pCtx->ss.u32Limit == 0xffff, VMX_IGS_V86_SS_LIMIT_INVALID);
9558	HMVMX_CHECK_BREAK(u32SSAttr == 0xf3, VMX_IGS_V86_SS_ATTR_INVALID);
9559	/* DS */
9560	HMVMX_CHECK_BREAK((pCtx->ds.u64Base == (uint64_t)pCtx->ds.Sel << 4), VMX_IGS_V86_DS_BASE_INVALID);
9561	HMVMX_CHECK_BREAK(pCtx->ds.u32Limit == 0xffff, VMX_IGS_V86_DS_LIMIT_INVALID);
9562	HMVMX_CHECK_BREAK(u32DSAttr == 0xf3, VMX_IGS_V86_DS_ATTR_INVALID);
9563	/* ES */
9564	HMVMX_CHECK_BREAK((pCtx->es.u64Base == (uint64_t)pCtx->es.Sel << 4), VMX_IGS_V86_ES_BASE_INVALID);
9565	HMVMX_CHECK_BREAK(pCtx->es.u32Limit == 0xffff, VMX_IGS_V86_ES_LIMIT_INVALID);
9566	HMVMX_CHECK_BREAK(u32ESAttr == 0xf3, VMX_IGS_V86_ES_ATTR_INVALID);
9567	/* FS */
9568	HMVMX_CHECK_BREAK((pCtx->fs.u64Base == (uint64_t)pCtx->fs.Sel << 4), VMX_IGS_V86_FS_BASE_INVALID);
9569	HMVMX_CHECK_BREAK(pCtx->fs.u32Limit == 0xffff, VMX_IGS_V86_FS_LIMIT_INVALID);
9570	HMVMX_CHECK_BREAK(u32FSAttr == 0xf3, VMX_IGS_V86_FS_ATTR_INVALID);
9571	/* GS */
9572	HMVMX_CHECK_BREAK((pCtx->gs.u64Base == (uint64_t)pCtx->gs.Sel << 4), VMX_IGS_V86_GS_BASE_INVALID);
9573	HMVMX_CHECK_BREAK(pCtx->gs.u32Limit == 0xffff, VMX_IGS_V86_GS_LIMIT_INVALID);
9574	HMVMX_CHECK_BREAK(u32GSAttr == 0xf3, VMX_IGS_V86_GS_ATTR_INVALID);
9575	/* 64-bit capable CPUs. */
9576	#if HC_ARCH_BITS == 64
9577	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->fs.u64Base), VMX_IGS_FS_BASE_NOT_CANONICAL);
9578	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->gs.u64Base), VMX_IGS_GS_BASE_NOT_CANONICAL);
9579	HMVMX_CHECK_BREAK( (pCtx->ldtr.Attr.u & X86DESCATTR_UNUSABLE)
9580	\|\| X86_IS_CANONICAL(pCtx->ldtr.u64Base), VMX_IGS_LDTR_BASE_NOT_CANONICAL);
9581	HMVMX_CHECK_BREAK(!(pCtx->cs.u64Base >> 32), VMX_IGS_LONGMODE_CS_BASE_INVALID);
9582	HMVMX_CHECK_BREAK((pCtx->ss.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ss.u64Base >> 32),
9583	VMX_IGS_LONGMODE_SS_BASE_INVALID);
9584	HMVMX_CHECK_BREAK((pCtx->ds.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->ds.u64Base >> 32),
9585	VMX_IGS_LONGMODE_DS_BASE_INVALID);
9586	HMVMX_CHECK_BREAK((pCtx->es.Attr.u & X86DESCATTR_UNUSABLE) \|\| !(pCtx->es.u64Base >> 32),
9587	VMX_IGS_LONGMODE_ES_BASE_INVALID);
9588	#endif
9589	}
9590
9591	/*
9592	* TR.
9593	*/
9594	HMVMX_CHECK_BREAK(!(pCtx->tr.Sel & X86_SEL_LDT), VMX_IGS_TR_TI_INVALID);
9595	/* 64-bit capable CPUs. */
9596	#if HC_ARCH_BITS == 64
9597	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(pCtx->tr.u64Base), VMX_IGS_TR_BASE_NOT_CANONICAL);
9598	#endif
9599	if (fLongModeGuest)
9600	{
9601	HMVMX_CHECK_BREAK(pCtx->tr.Attr.n.u4Type == 11, /* 64-bit busy TSS. */
9602	VMX_IGS_LONGMODE_TR_ATTR_TYPE_INVALID);
9603	}
9604	else
9605	{
9606	HMVMX_CHECK_BREAK( pCtx->tr.Attr.n.u4Type == 3 /* 16-bit busy TSS. */
9607	\|\| pCtx->tr.Attr.n.u4Type == 11, /* 32-bit busy TSS.*/
9608	VMX_IGS_TR_ATTR_TYPE_INVALID);
9609	}
9610	HMVMX_CHECK_BREAK(!pCtx->tr.Attr.n.u1DescType, VMX_IGS_TR_ATTR_S_INVALID);
9611	HMVMX_CHECK_BREAK(pCtx->tr.Attr.n.u1Present, VMX_IGS_TR_ATTR_P_INVALID);
9612	HMVMX_CHECK_BREAK(!(pCtx->tr.Attr.u & 0xf00), VMX_IGS_TR_ATTR_RESERVED); /* Bits 11:8 MBZ. */
9613	HMVMX_CHECK_BREAK( (pCtx->tr.u32Limit & 0xfff) == 0xfff
9614	\|\| !(pCtx->tr.Attr.n.u1Granularity), VMX_IGS_TR_ATTR_G_INVALID);
9615	HMVMX_CHECK_BREAK( !(pCtx->tr.u32Limit & 0xfff00000)
9616	\|\| (pCtx->tr.Attr.n.u1Granularity), VMX_IGS_TR_ATTR_G_INVALID);
9617	HMVMX_CHECK_BREAK(!(pCtx->tr.Attr.u & X86DESCATTR_UNUSABLE), VMX_IGS_TR_ATTR_UNUSABLE);
9618
9619	/*
9620	* GDTR and IDTR.
9621	*/
9622	#if HC_ARCH_BITS == 64
9623	rc = VMXReadVmcs64(VMX_VMCS_GUEST_GDTR_BASE, &u64Val);
9624	AssertRCBreak(rc);
9625	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_GDTR_BASE_NOT_CANONICAL);
9626
9627	rc = VMXReadVmcs64(VMX_VMCS_GUEST_IDTR_BASE, &u64Val);
9628	AssertRCBreak(rc);
9629	HMVMX_CHECK_BREAK(X86_IS_CANONICAL(u64Val), VMX_IGS_IDTR_BASE_NOT_CANONICAL);
9630	#endif
9631
9632	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_GDTR_LIMIT, &u32Val);
9633	AssertRCBreak(rc);
9634	HMVMX_CHECK_BREAK(!(u32Val & 0xffff0000), VMX_IGS_GDTR_LIMIT_INVALID); /* Bits 31:16 MBZ. */
9635
9636	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_IDTR_LIMIT, &u32Val);
9637	AssertRCBreak(rc);
9638	HMVMX_CHECK_BREAK(!(u32Val & 0xffff0000), VMX_IGS_IDTR_LIMIT_INVALID); /* Bits 31:16 MBZ. */
9639
9640	/*
9641	* Guest Non-Register State.
9642	*/
9643	/* Activity State. */
9644	uint32_t u32ActivityState;
9645	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_ACTIVITY_STATE, &u32ActivityState);
9646	AssertRCBreak(rc);
9647	HMVMX_CHECK_BREAK( !u32ActivityState
9648	\|\| (u32ActivityState & MSR_IA32_VMX_MISC_ACTIVITY_STATES(pVM->hm.s.vmx.Msrs.u64Misc)),
9649	VMX_IGS_ACTIVITY_STATE_INVALID);
9650	HMVMX_CHECK_BREAK( !(pCtx->ss.Attr.n.u2Dpl)
9651	\|\| u32ActivityState != VMX_VMCS_GUEST_ACTIVITY_HLT, VMX_IGS_ACTIVITY_STATE_HLT_INVALID);
9652	uint32_t u32IntrState;
9653	rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &u32IntrState);
9654	AssertRCBreak(rc);
9655	if ( u32IntrState == VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS
9656	\|\| u32IntrState == VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
9657	{
9658	HMVMX_CHECK_BREAK(u32ActivityState == VMX_VMCS_GUEST_ACTIVITY_ACTIVE, VMX_IGS_ACTIVITY_STATE_ACTIVE_INVALID);
9659	}
9660
9661	/** @todo Activity state and injecting interrupts. Left as a todo since we
9662	* currently don't use activity states but ACTIVE. */
9663
9664	HMVMX_CHECK_BREAK( !(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_ENTRY_SMM)
9665	\|\| u32ActivityState != VMX_VMCS_GUEST_ACTIVITY_SIPI_WAIT, VMX_IGS_ACTIVITY_STATE_SIPI_WAIT_INVALID);
9666
9667	/* Guest interruptibility-state. */
9668	HMVMX_CHECK_BREAK(!(u32IntrState & 0xfffffff0), VMX_IGS_INTERRUPTIBILITY_STATE_RESERVED);
9669	HMVMX_CHECK_BREAK((u32IntrState & ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI
9670	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS))
9671	!= ( VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI
9672	\| VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
9673	VMX_IGS_INTERRUPTIBILITY_STATE_STI_MOVSS_INVALID);
9674	HMVMX_CHECK_BREAK( (u32Eflags & X86_EFL_IF)
9675	\|\| !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI),
9676	VMX_IGS_INTERRUPTIBILITY_STATE_STI_EFL_INVALID);
9677	if (VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo))
9678	{
9679	if (VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT)
9680	{
9681	HMVMX_CHECK_BREAK( !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
9682	&& !(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
9683	VMX_IGS_INTERRUPTIBILITY_STATE_EXT_INT_INVALID);
9684	}
9685	else if (VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
9686	{
9687	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS),
9688	VMX_IGS_INTERRUPTIBILITY_STATE_MOVSS_INVALID);
9689	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI),
9690	VMX_IGS_INTERRUPTIBILITY_STATE_STI_INVALID);
9691	}
9692	}
9693	/** @todo Assumes the processor is not in SMM. */
9694	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI),
9695	VMX_IGS_INTERRUPTIBILITY_STATE_SMI_INVALID);
9696	HMVMX_CHECK_BREAK( !(pVCpu->hm.s.vmx.u32EntryCtls & VMX_VMCS_CTRL_ENTRY_ENTRY_SMM)
9697	\|\| (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_SMI),
9698	VMX_IGS_INTERRUPTIBILITY_STATE_SMI_SMM_INVALID);
9699	if ( (pVCpu->hm.s.vmx.u32PinCtls & VMX_VMCS_CTRL_PIN_EXEC_VIRTUAL_NMI)
9700	&& VMX_ENTRY_INTERRUPTION_INFO_IS_VALID(u32EntryInfo)
9701	&& VMX_ENTRY_INTERRUPTION_INFO_TYPE(u32EntryInfo) == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
9702	{
9703	HMVMX_CHECK_BREAK(!(u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_NMI),
9704	VMX_IGS_INTERRUPTIBILITY_STATE_NMI_INVALID);
9705	}
9706
9707	/* Pending debug exceptions. */
9708	#if HC_ARCH_BITS == 64
9709	rc = VMXReadVmcs64(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, &u64Val);
9710	AssertRCBreak(rc);
9711	/* Bits 63:15, Bit 13, Bits 11:4 MBZ. */
9712	HMVMX_CHECK_BREAK(!(u64Val & UINT64_C(0xffffffffffffaff0)), VMX_IGS_LONGMODE_PENDING_DEBUG_RESERVED);
9713	u32Val = u64Val; /* For pending debug exceptions checks below. */
9714	#else
9715	rc = VMXReadVmcs32(VMX_VMCS_GUEST_PENDING_DEBUG_EXCEPTIONS, &u32Val);
9716	AssertRCBreak(rc);
9717	/* Bits 31:15, Bit 13, Bits 11:4 MBZ. */
9718	HMVMX_CHECK_BREAK(!(u32Val & 0xffffaff0), VMX_IGS_PENDING_DEBUG_RESERVED);
9719	#endif
9720
9721	if ( (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI)
9722	\|\| (u32IntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_MOVSS)
9723	\|\| u32ActivityState == VMX_VMCS_GUEST_ACTIVITY_HLT)
9724	{
9725	if ( (u32Eflags & X86_EFL_TF)
9726	&& !(u64DebugCtlMsr & RT_BIT_64(1))) /* Bit 1 is IA32_DEBUGCTL.BTF. */
9727	{
9728	/* Bit 14 is PendingDebug.BS. */
9729	HMVMX_CHECK_BREAK(u32Val & RT_BIT(14), VMX_IGS_PENDING_DEBUG_XCPT_BS_NOT_SET);
9730	}
9731	if ( !(u32Eflags & X86_EFL_TF)
9732	\|\| (u64DebugCtlMsr & RT_BIT_64(1))) /* Bit 1 is IA32_DEBUGCTL.BTF. */
9733	{
9734	/* Bit 14 is PendingDebug.BS. */
9735	HMVMX_CHECK_BREAK(!(u32Val & RT_BIT(14)), VMX_IGS_PENDING_DEBUG_XCPT_BS_NOT_CLEAR);
9736	}
9737	}
9738
9739	/* VMCS link pointer. */
9740	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL, &u64Val);
9741	AssertRCBreak(rc);
9742	if (u64Val != UINT64_C(0xffffffffffffffff))
9743	{
9744	HMVMX_CHECK_BREAK(!(u64Val & 0xfff), VMX_IGS_VMCS_LINK_PTR_RESERVED);
9745	/** @todo Bits beyond the processor's physical-address width MBZ. */
9746	/** @todo 32-bit located in memory referenced by value of this field (as a
9747	* physical address) must contain the processor's VMCS revision ID. */
9748	/** @todo SMM checks. */
9749	}
9750
9751	/** @todo Checks on Guest Page-Directory-Pointer-Table Entries when guest is
9752	* not using Nested Paging? */
9753	if ( pVM->hm.s.fNestedPaging
9754	&& !fLongModeGuest
9755	&& CPUMIsGuestInPAEModeEx(pCtx))
9756	{
9757	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE0_FULL, &u64Val);
9758	AssertRCBreak(rc);
9759	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
9760
9761	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE1_FULL, &u64Val);
9762	AssertRCBreak(rc);
9763	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
9764
9765	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE2_FULL, &u64Val);
9766	AssertRCBreak(rc);
9767	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
9768
9769	rc = VMXReadVmcs64(VMX_VMCS64_GUEST_PDPTE3_FULL, &u64Val);
9770	AssertRCBreak(rc);
9771	HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
9772	}
9773
9774	/* Shouldn't happen but distinguish it from AssertRCBreak() errors. */
9775	if (uError == VMX_IGS_ERROR)
9776	uError = VMX_IGS_REASON_NOT_FOUND;
9777	} while (0);
9778
9779	pVCpu->hm.s.u32HMError = uError;
9780	return uError;
9781
9782	#undef HMVMX_ERROR_BREAK
9783	#undef HMVMX_CHECK_BREAK
9784	}
9785
9786	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */
9787	/* -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- VM-exit handlers -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- */
9788	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= */
9789
9790	/** @name VM-exit handlers.
9791	* @{
9792	*/
9793
9794	/**
9795	* VM-exit handler for external interrupts (VMX_EXIT_EXT_INT).
9796	*/
9797	HMVMX_EXIT_DECL hmR0VmxExitExtInt(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9798	{
9799	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9800	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitExtInt);
9801	/* Windows hosts (32-bit and 64-bit) have DPC latency issues. See @bugref{6853}. */
9802	if (VMMR0ThreadCtxHookIsEnabled(pVCpu))
9803	return VINF_SUCCESS;
9804	return VINF_EM_RAW_INTERRUPT;
9805	}
9806
9807
9808	/**
9809	* VM-exit handler for exceptions or NMIs (VMX_EXIT_XCPT_OR_NMI).
9810	*/
9811	HMVMX_EXIT_DECL hmR0VmxExitXcptOrNmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9812	{
9813	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9814	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitXcptNmi, y3);
9815
9816	int rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
9817	AssertRCReturn(rc, rc);
9818
9819	uint32_t uIntType = VMX_EXIT_INTERRUPTION_INFO_TYPE(pVmxTransient->uExitIntInfo);
9820	Assert( !(pVCpu->hm.s.vmx.u32ExitCtls & VMX_VMCS_CTRL_EXIT_ACK_EXT_INT)
9821	&& uIntType != VMX_EXIT_INTERRUPTION_INFO_TYPE_EXT_INT);
9822	Assert(VMX_EXIT_INTERRUPTION_INFO_IS_VALID(pVmxTransient->uExitIntInfo));
9823
9824	if (uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_NMI)
9825	{
9826	/*
9827	* This cannot be a guest NMI as the only way for the guest to receive an NMI is if we injected it ourselves and
9828	* anything we inject is not going to cause a VM-exit directly for the event being injected.
9829	* See Intel spec. 27.2.3 "Information for VM Exits During Event Delivery".
9830	*
9831	* Dispatch the NMI to the host. See Intel spec. 27.5.5 "Updating Non-Register State".
9832	*/
9833	VMXDispatchHostNmi();
9834	STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitHostNmiInGC);
9835	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
9836	return VINF_SUCCESS;
9837	}
9838
9839	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
9840	rc = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
9841	if (RT_UNLIKELY(rc != VINF_SUCCESS))
9842	{
9843	if (rc == VINF_HM_DOUBLE_FAULT)
9844	rc = VINF_SUCCESS;
9845	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
9846	return rc;
9847	}
9848
9849	uint32_t uExitIntInfo = pVmxTransient->uExitIntInfo;
9850	uint32_t uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(uExitIntInfo);
9851	switch (uIntType)
9852	{
9853	case VMX_EXIT_INTERRUPTION_INFO_TYPE_PRIV_SW_XCPT: /* Privileged software exception. (#DB from ICEBP) */
9854	Assert(uVector == X86_XCPT_DB);
9855	/* no break */
9856	case VMX_EXIT_INTERRUPTION_INFO_TYPE_SW_XCPT: /* Software exception. (#BP or #OF) */
9857	Assert(uVector == X86_XCPT_BP \|\| uVector == X86_XCPT_OF \|\| uIntType == VMX_EXIT_INTERRUPTION_INFO_TYPE_PRIV_SW_XCPT);
9858	/* no break */
9859	case VMX_EXIT_INTERRUPTION_INFO_TYPE_HW_XCPT:
9860	{
9861	switch (uVector)
9862	{
9863	case X86_XCPT_PF: rc = hmR0VmxExitXcptPF(pVCpu, pMixedCtx, pVmxTransient); break;
9864	case X86_XCPT_GP: rc = hmR0VmxExitXcptGP(pVCpu, pMixedCtx, pVmxTransient); break;
9865	case X86_XCPT_NM: rc = hmR0VmxExitXcptNM(pVCpu, pMixedCtx, pVmxTransient); break;
9866	case X86_XCPT_MF: rc = hmR0VmxExitXcptMF(pVCpu, pMixedCtx, pVmxTransient); break;
9867	case X86_XCPT_DB: rc = hmR0VmxExitXcptDB(pVCpu, pMixedCtx, pVmxTransient); break;
9868	case X86_XCPT_BP: rc = hmR0VmxExitXcptBP(pVCpu, pMixedCtx, pVmxTransient); break;
9869	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
9870	case X86_XCPT_XF: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXF);
9871	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9872	case X86_XCPT_DE: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDE);
9873	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9874	case X86_XCPT_UD: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestUD);
9875	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9876	case X86_XCPT_SS: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestSS);
9877	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9878	case X86_XCPT_NP: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestNP);
9879	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9880	case X86_XCPT_TS: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestTS);
9881	rc = hmR0VmxExitXcptGeneric(pVCpu, pMixedCtx, pVmxTransient); break;
9882	#endif
9883	default:
9884	{
9885	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
9886	AssertRCReturn(rc, rc);
9887
9888	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXcpUnk);
9889	if (pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
9890	{
9891	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.vmx.pRealModeTSS);
9892	Assert(PDMVmmDevHeapIsEnabled(pVCpu->CTX_SUFF(pVM)));
9893	Assert(CPUMIsGuestInRealModeEx(pMixedCtx));
9894
9895	rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
9896	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
9897	AssertRCReturn(rc, rc);
9898	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(uExitIntInfo),
9899	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode,
9900	0 /* GCPtrFaultAddress */);
9901	AssertRCReturn(rc, rc);
9902	}
9903	else
9904	{
9905	AssertMsgFailed(("Unexpected VM-exit caused by exception %#x\n", uVector));
9906	pVCpu->hm.s.u32HMError = uVector;
9907	rc = VERR_VMX_UNEXPECTED_EXCEPTION;
9908	}
9909	break;
9910	}
9911	}
9912	break;
9913	}
9914
9915	default:
9916	{
9917	pVCpu->hm.s.u32HMError = uExitIntInfo;
9918	rc = VERR_VMX_UNEXPECTED_INTERRUPTION_EXIT_TYPE;
9919	AssertMsgFailed(("Unexpected interruption info %#x\n", VMX_EXIT_INTERRUPTION_INFO_TYPE(uExitIntInfo)));
9920	break;
9921	}
9922	}
9923	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
9924	return rc;
9925	}
9926
9927
9928	/**
9929	* VM-exit handler for interrupt-window exiting (VMX_EXIT_INT_WINDOW).
9930	*/
9931	HMVMX_EXIT_DECL hmR0VmxExitIntWindow(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9932	{
9933	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9934
9935	/* Indicate that we no longer need to VM-exit when the guest is ready to receive interrupts, it is now ready. */
9936	hmR0VmxClearIntWindowExitVmcs(pVCpu);
9937
9938	/* Deliver the pending interrupts via hmR0VmxEvaluatePendingEvent() and resume guest execution. */
9939	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIntWindow);
9940	return VINF_SUCCESS;
9941	}
9942
9943
9944	/**
9945	* VM-exit handler for NMI-window exiting (VMX_EXIT_NMI_WINDOW).
9946	*/
9947	HMVMX_EXIT_DECL hmR0VmxExitNmiWindow(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9948	{
9949	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9950	if (RT_UNLIKELY(!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_NMI_WINDOW_EXIT)))
9951	{
9952	AssertMsgFailed(("Unexpected NMI-window exit.\n"));
9953	HMVMX_RETURN_UNEXPECTED_EXIT();
9954	}
9955
9956	Assert(!VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_BLOCK_NMIS));
9957
9958	/*
9959	* If block-by-STI is set when we get this VM-exit, it means the CPU doesn't block NMIs following STI.
9960	* It is therefore safe to unblock STI and deliver the NMI ourselves. See @bugref{7445}.
9961	*/
9962	uint32_t uIntrState = 0;
9963	int rc = VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
9964	AssertRCReturn(rc, rc);
9965
9966	bool const fBlockSti = RT_BOOL(uIntrState & VMX_VMCS_GUEST_INTERRUPTIBILITY_STATE_BLOCK_STI);
9967	if ( fBlockSti
9968	&& VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
9969	{
9970	VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS);
9971	}
9972
9973	/* Indicate that we no longer need to VM-exit when the guest is ready to receive NMIs, it is now ready */
9974	hmR0VmxClearNmiWindowExitVmcs(pVCpu);
9975
9976	/* Deliver the pending NMI via hmR0VmxEvaluatePendingEvent() and resume guest execution. */
9977	return VINF_SUCCESS;
9978	}
9979
9980
9981	/**
9982	* VM-exit handler for WBINVD (VMX_EXIT_WBINVD). Conditional VM-exit.
9983	*/
9984	HMVMX_EXIT_DECL hmR0VmxExitWbinvd(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9985	{
9986	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9987	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitWbinvd);
9988	return hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
9989	}
9990
9991
9992	/**
9993	* VM-exit handler for INVD (VMX_EXIT_INVD). Unconditional VM-exit.
9994	*/
9995	HMVMX_EXIT_DECL hmR0VmxExitInvd(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
9996	{
9997	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
9998	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInvd);
9999	return hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10000	}
10001
10002
10003	/**
10004	* VM-exit handler for CPUID (VMX_EXIT_CPUID). Unconditional VM-exit.
10005	*/
10006	HMVMX_EXIT_DECL hmR0VmxExitCpuid(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10007	{
10008	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10009	PVM pVM = pVCpu->CTX_SUFF(pVM);
10010	int rc = EMInterpretCpuId(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10011	if (RT_LIKELY(rc == VINF_SUCCESS))
10012	{
10013	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10014	Assert(pVmxTransient->cbInstr == 2);
10015	}
10016	else
10017	{
10018	AssertMsgFailed(("hmR0VmxExitCpuid: EMInterpretCpuId failed with %Rrc\n", rc));
10019	rc = VERR_EM_INTERPRETER;
10020	}
10021	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCpuid);
10022	return rc;
10023	}
10024
10025
10026	/**
10027	* VM-exit handler for GETSEC (VMX_EXIT_GETSEC). Unconditional VM-exit.
10028	*/
10029	HMVMX_EXIT_DECL hmR0VmxExitGetsec(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10030	{
10031	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10032	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
10033	AssertRCReturn(rc, rc);
10034
10035	if (pMixedCtx->cr4 & X86_CR4_SMXE)
10036	return VINF_EM_RAW_EMULATE_INSTR;
10037
10038	AssertMsgFailed(("hmR0VmxExitGetsec: unexpected VM-exit when CR4.SMXE is 0.\n"));
10039	HMVMX_RETURN_UNEXPECTED_EXIT();
10040	}
10041
10042
10043	/**
10044	* VM-exit handler for RDTSC (VMX_EXIT_RDTSC). Conditional VM-exit.
10045	*/
10046	HMVMX_EXIT_DECL hmR0VmxExitRdtsc(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10047	{
10048	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10049	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
10050	AssertRCReturn(rc, rc);
10051
10052	PVM pVM = pVCpu->CTX_SUFF(pVM);
10053	rc = EMInterpretRdtsc(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10054	if (RT_LIKELY(rc == VINF_SUCCESS))
10055	{
10056	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10057	Assert(pVmxTransient->cbInstr == 2);
10058	/* If we get a spurious VM-exit when offsetting is enabled, we must reset offsetting on VM-reentry. See @bugref{6634}. */
10059	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING)
10060	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
10061	}
10062	else
10063	rc = VERR_EM_INTERPRETER;
10064	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdtsc);
10065	return rc;
10066	}
10067
10068
10069	/**
10070	* VM-exit handler for RDTSCP (VMX_EXIT_RDTSCP). Conditional VM-exit.
10071	*/
10072	HMVMX_EXIT_DECL hmR0VmxExitRdtscp(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10073	{
10074	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10075	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
10076	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx); /* For MSR_K8_TSC_AUX */
10077	AssertRCReturn(rc, rc);
10078
10079	PVM pVM = pVCpu->CTX_SUFF(pVM);
10080	rc = EMInterpretRdtscp(pVM, pVCpu, pMixedCtx);
10081	if (RT_LIKELY(rc == VINF_SUCCESS))
10082	{
10083	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10084	Assert(pVmxTransient->cbInstr == 3);
10085	/* If we get a spurious VM-exit when offsetting is enabled, we must reset offsetting on VM-reentry. See @bugref{6634}. */
10086	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TSC_OFFSETTING)
10087	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
10088	}
10089	else
10090	{
10091	AssertMsgFailed(("hmR0VmxExitRdtscp: EMInterpretRdtscp failed with %Rrc\n", rc));
10092	rc = VERR_EM_INTERPRETER;
10093	}
10094	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdtsc);
10095	return rc;
10096	}
10097
10098
10099	/**
10100	* VM-exit handler for RDPMC (VMX_EXIT_RDPMC). Conditional VM-exit.
10101	*/
10102	HMVMX_EXIT_DECL hmR0VmxExitRdpmc(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10103	{
10104	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10105	int rc = hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx); /** @todo review if CR4 is really required by EM. */
10106	rc \|= hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx); /** @todo review if CR0 is really required by EM. */
10107	AssertRCReturn(rc, rc);
10108
10109	PVM pVM = pVCpu->CTX_SUFF(pVM);
10110	rc = EMInterpretRdpmc(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10111	if (RT_LIKELY(rc == VINF_SUCCESS))
10112	{
10113	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10114	Assert(pVmxTransient->cbInstr == 2);
10115	}
10116	else
10117	{
10118	AssertMsgFailed(("hmR0VmxExitRdpmc: EMInterpretRdpmc failed with %Rrc\n", rc));
10119	rc = VERR_EM_INTERPRETER;
10120	}
10121	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdpmc);
10122	return rc;
10123	}
10124
10125
10126	/**
10127	* VM-exit handler for VMCALL (VMX_EXIT_VMCALL). Unconditional VM-exit.
10128	*/
10129	HMVMX_EXIT_DECL hmR0VmxExitVmcall(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10130	{
10131	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10132	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitVmcall);
10133
10134	if (pVCpu->hm.s.fHypercallsEnabled)
10135	{
10136	#if 0
10137	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
10138	AssertRCReturn(rc, rc);
10139	#else
10140	/* Aggressive state sync. for now. */
10141	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
10142	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx); /* For long-mode checks in gimKvmHypercall(). */
10143	#endif
10144	rc \|= hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10145	AssertRCReturn(rc, rc);
10146
10147	rc = GIMHypercall(pVCpu, pMixedCtx);
10148	/* If the hypercall changes anything other than guest general-purpose registers,
10149	we would need to reload the guest changed bits here before VM-entry. */
10150	return rc;
10151	}
10152	else
10153	{
10154	Log4(("hmR0VmxExitVmcall: Hypercalls not enabled\n"));
10155	hmR0VmxSetPendingXcptUD(pVCpu, pMixedCtx);
10156	}
10157
10158	return VINF_SUCCESS;
10159	}
10160
10161
10162	/**
10163	* VM-exit handler for INVLPG (VMX_EXIT_INVLPG). Conditional VM-exit.
10164	*/
10165	HMVMX_EXIT_DECL hmR0VmxExitInvlpg(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10166	{
10167	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10168	PVM pVM = pVCpu->CTX_SUFF(pVM);
10169	Assert(!pVM->hm.s.fNestedPaging);
10170
10171	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
10172	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
10173	AssertRCReturn(rc, rc);
10174
10175	VBOXSTRICTRC rc2 = EMInterpretInvlpg(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), pVmxTransient->uExitQualification);
10176	rc = VBOXSTRICTRC_VAL(rc2);
10177	if (RT_LIKELY(rc == VINF_SUCCESS))
10178	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10179	else
10180	{
10181	AssertMsg(rc == VERR_EM_INTERPRETER, ("hmR0VmxExitInvlpg: EMInterpretInvlpg %#RX64 failed with %Rrc\n",
10182	pVmxTransient->uExitQualification, rc));
10183	}
10184	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInvlpg);
10185	return rc;
10186	}
10187
10188
10189	/**
10190	* VM-exit handler for MONITOR (VMX_EXIT_MONITOR). Conditional VM-exit.
10191	*/
10192	HMVMX_EXIT_DECL hmR0VmxExitMonitor(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10193	{
10194	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10195	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
10196	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10197	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
10198	AssertRCReturn(rc, rc);
10199
10200	PVM pVM = pVCpu->CTX_SUFF(pVM);
10201	rc = EMInterpretMonitor(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10202	if (RT_LIKELY(rc == VINF_SUCCESS))
10203	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10204	else
10205	{
10206	AssertMsg(rc == VERR_EM_INTERPRETER, ("hmR0VmxExitMonitor: EMInterpretMonitor failed with %Rrc\n", rc));
10207	rc = VERR_EM_INTERPRETER;
10208	}
10209	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMonitor);
10210	return rc;
10211	}
10212
10213
10214	/**
10215	* VM-exit handler for MWAIT (VMX_EXIT_MWAIT). Conditional VM-exit.
10216	*/
10217	HMVMX_EXIT_DECL hmR0VmxExitMwait(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10218	{
10219	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10220	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
10221	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10222	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
10223	AssertRCReturn(rc, rc);
10224
10225	PVM pVM = pVCpu->CTX_SUFF(pVM);
10226	VBOXSTRICTRC rc2 = EMInterpretMWait(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10227	rc = VBOXSTRICTRC_VAL(rc2);
10228	if (RT_LIKELY( rc == VINF_SUCCESS
10229	\|\| rc == VINF_EM_HALT))
10230	{
10231	int rc3 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10232	AssertRCReturn(rc3, rc3);
10233
10234	if ( rc == VINF_EM_HALT
10235	&& EMMonitorWaitShouldContinue(pVCpu, pMixedCtx))
10236	{
10237	rc = VINF_SUCCESS;
10238	}
10239	}
10240	else
10241	{
10242	AssertMsg(rc == VERR_EM_INTERPRETER, ("hmR0VmxExitMwait: EMInterpretMWait failed with %Rrc\n", rc));
10243	rc = VERR_EM_INTERPRETER;
10244	}
10245	AssertMsg(rc == VINF_SUCCESS \|\| rc == VINF_EM_HALT \|\| rc == VERR_EM_INTERPRETER,
10246	("hmR0VmxExitMwait: failed, invalid error code %Rrc\n", rc));
10247	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMwait);
10248	return rc;
10249	}
10250
10251
10252	/**
10253	* VM-exit handler for RSM (VMX_EXIT_RSM). Unconditional VM-exit.
10254	*/
10255	HMVMX_EXIT_DECL hmR0VmxExitRsm(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10256	{
10257	/*
10258	* Execution of RSM outside of SMM mode causes #UD regardless of VMX root or VMX non-root mode. In theory, we should never
10259	* get this VM-exit. This can happen only if dual-monitor treatment of SMI and VMX is enabled, which can (only?) be done by
10260	* executing VMCALL in VMX root operation. If we get here, something funny is going on.
10261	* See Intel spec. "33.15.5 Enabling the Dual-Monitor Treatment".
10262	*/
10263	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10264	AssertMsgFailed(("Unexpected RSM VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10265	HMVMX_RETURN_UNEXPECTED_EXIT();
10266	}
10267
10268
10269	/**
10270	* VM-exit handler for SMI (VMX_EXIT_SMI). Unconditional VM-exit.
10271	*/
10272	HMVMX_EXIT_DECL hmR0VmxExitSmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10273	{
10274	/*
10275	* This can only happen if we support dual-monitor treatment of SMI, which can be activated by executing VMCALL in VMX
10276	* root operation. Only an STM (SMM transfer monitor) would get this VM-exit when we (the executive monitor) execute a VMCALL
10277	* in VMX root mode or receive an SMI. If we get here, something funny is going on.
10278	* See Intel spec. "33.15.6 Activating the Dual-Monitor Treatment" and Intel spec. 25.3 "Other Causes of VM-Exits"
10279	*/
10280	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10281	AssertMsgFailed(("Unexpected SMI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10282	HMVMX_RETURN_UNEXPECTED_EXIT();
10283	}
10284
10285
10286	/**
10287	* VM-exit handler for IO SMI (VMX_EXIT_IO_SMI). Unconditional VM-exit.
10288	*/
10289	HMVMX_EXIT_DECL hmR0VmxExitIoSmi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10290	{
10291	/* Same treatment as VMX_EXIT_SMI. See comment in hmR0VmxExitSmi(). */
10292	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10293	AssertMsgFailed(("Unexpected IO SMI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10294	HMVMX_RETURN_UNEXPECTED_EXIT();
10295	}
10296
10297
10298	/**
10299	* VM-exit handler for SIPI (VMX_EXIT_SIPI). Conditional VM-exit.
10300	*/
10301	HMVMX_EXIT_DECL hmR0VmxExitSipi(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10302	{
10303	/*
10304	* SIPI exits can only occur in VMX non-root operation when the "wait-for-SIPI" guest activity state is used. We currently
10305	* don't make use of it (see hmR0VmxLoadGuestActivityState()) as our guests don't have direct access to the host LAPIC.
10306	* See Intel spec. 25.3 "Other Causes of VM-exits".
10307	*/
10308	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10309	AssertMsgFailed(("Unexpected SIPI VM-exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10310	HMVMX_RETURN_UNEXPECTED_EXIT();
10311	}
10312
10313
10314	/**
10315	* VM-exit handler for INIT signal (VMX_EXIT_INIT_SIGNAL). Unconditional
10316	* VM-exit.
10317	*/
10318	HMVMX_EXIT_DECL hmR0VmxExitInitSignal(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10319	{
10320	/*
10321	* INIT signals are blocked in VMX root operation by VMXON and by SMI in SMM.
10322	* See Intel spec. 33.14.1 Default Treatment of SMI Delivery" and Intel spec. 29.3 "VMX Instructions" for "VMXON".
10323	*
10324	* It is -NOT- blocked in VMX non-root operation so we can, in theory, still get these VM-exits.
10325	* See Intel spec. "23.8 Restrictions on VMX operation".
10326	*/
10327	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10328	return VINF_SUCCESS;
10329	}
10330
10331
10332	/**
10333	* VM-exit handler for triple faults (VMX_EXIT_TRIPLE_FAULT). Unconditional
10334	* VM-exit.
10335	*/
10336	HMVMX_EXIT_DECL hmR0VmxExitTripleFault(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10337	{
10338	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10339	return VINF_EM_RESET;
10340	}
10341
10342
10343	/**
10344	* VM-exit handler for HLT (VMX_EXIT_HLT). Conditional VM-exit.
10345	*/
10346	HMVMX_EXIT_DECL hmR0VmxExitHlt(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10347	{
10348	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10349	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_HLT_EXIT);
10350	int rc = hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
10351	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10352	AssertRCReturn(rc, rc);
10353
10354	pMixedCtx->rip++;
10355	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
10356	if (EMShouldContinueAfterHalt(pVCpu, pMixedCtx)) /* Requires eflags. */
10357	rc = VINF_SUCCESS;
10358	else
10359	rc = VINF_EM_HALT;
10360
10361	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitHlt);
10362	if (rc != VINF_SUCCESS)
10363	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHltToR3);
10364	return rc;
10365	}
10366
10367
10368	/**
10369	* VM-exit handler for instructions that result in a \#UD exception delivered to
10370	* the guest.
10371	*/
10372	HMVMX_EXIT_DECL hmR0VmxExitSetPendingXcptUD(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10373	{
10374	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10375	hmR0VmxSetPendingXcptUD(pVCpu, pMixedCtx);
10376	return VINF_SUCCESS;
10377	}
10378
10379
10380	/**
10381	* VM-exit handler for expiry of the VMX preemption timer.
10382	*/
10383	HMVMX_EXIT_DECL hmR0VmxExitPreemptTimer(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10384	{
10385	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10386
10387	/* If the preemption-timer has expired, reinitialize the preemption timer on next VM-entry. */
10388	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
10389
10390	/* If there are any timer events pending, fall back to ring-3, otherwise resume guest execution. */
10391	PVM pVM = pVCpu->CTX_SUFF(pVM);
10392	bool fTimersPending = TMTimerPollBool(pVM, pVCpu);
10393	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPreemptTimer);
10394	return fTimersPending ? VINF_EM_RAW_TIMER_PENDING : VINF_SUCCESS;
10395	}
10396
10397
10398	/**
10399	* VM-exit handler for XSETBV (VMX_EXIT_XSETBV). Unconditional VM-exit.
10400	*/
10401	HMVMX_EXIT_DECL hmR0VmxExitXsetbv(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10402	{
10403	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10404
10405	int rc = hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
10406	rc \|= hmR0VmxSaveGuestRegsForIemExec(pVCpu, pMixedCtx, false /fMemory/, false /fNeedRsp/);
10407	rc \|= hmR0VmxSaveGuestCR4(pVCpu, pMixedCtx);
10408	AssertRCReturn(rc, rc);
10409
10410	VBOXSTRICTRC rcStrict = IEMExecDecodedXsetbv(pVCpu, pVmxTransient->cbInstr);
10411	HMCPU_CF_SET(pVCpu, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS : HM_CHANGED_ALL_GUEST);
10412
10413	pVCpu->hm.s.fLoadSaveGuestXcr0 = (pMixedCtx->cr4 & X86_CR4_OSXSAVE) && pMixedCtx->aXcr[0] != ASMGetXcr0();
10414
10415	return VBOXSTRICTRC_TODO(rcStrict);
10416	}
10417
10418
10419	/**
10420	* VM-exit handler for INVPCID (VMX_EXIT_INVPCID). Conditional VM-exit.
10421	*/
10422	HMVMX_EXIT_DECL hmR0VmxExitInvpcid(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10423	{
10424	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10425
10426	/* The guest should not invalidate the host CPU's TLBs, fallback to interpreter. */
10427	/** @todo implement EMInterpretInvpcid() */
10428	return VERR_EM_INTERPRETER;
10429	}
10430
10431
10432	/**
10433	* VM-exit handler for invalid-guest-state (VMX_EXIT_ERR_INVALID_GUEST_STATE).
10434	* Error VM-exit.
10435	*/
10436	HMVMX_EXIT_DECL hmR0VmxExitErrInvalidGuestState(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10437	{
10438	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
10439	AssertRCReturn(rc, rc);
10440
10441	rc = hmR0VmxCheckVmcsCtls(pVCpu);
10442	AssertRCReturn(rc, rc);
10443
10444	uint32_t uInvalidReason = hmR0VmxCheckGuestState(pVCpu->CTX_SUFF(pVM), pVCpu, pMixedCtx);
10445	NOREF(uInvalidReason);
10446
10447	#ifdef VBOX_STRICT
10448	uint32_t uIntrState;
10449	RTHCUINTREG uHCReg;
10450	uint64_t u64Val;
10451	uint32_t u32Val;
10452
10453	rc = hmR0VmxReadEntryIntInfoVmcs(pVmxTransient);
10454	rc \|= hmR0VmxReadEntryXcptErrorCodeVmcs(pVmxTransient);
10455	rc \|= hmR0VmxReadEntryInstrLenVmcs(pVmxTransient);
10456	rc \|= VMXReadVmcs32(VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE, &uIntrState);
10457	AssertRCReturn(rc, rc);
10458
10459	Log4(("uInvalidReason %u\n", uInvalidReason));
10460	Log4(("VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO %#RX32\n", pVmxTransient->uEntryIntInfo));
10461	Log4(("VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE %#RX32\n", pVmxTransient->uEntryXcptErrorCode));
10462	Log4(("VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH %#RX32\n", pVmxTransient->cbEntryInstr));
10463	Log4(("VMX_VMCS32_GUEST_INTERRUPTIBILITY_STATE %#RX32\n", uIntrState));
10464
10465	rc = VMXReadVmcs32(VMX_VMCS_GUEST_CR0, &u32Val); AssertRC(rc);
10466	Log4(("VMX_VMCS_GUEST_CR0 %#RX32\n", u32Val));
10467	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_MASK, &uHCReg); AssertRC(rc);
10468	Log4(("VMX_VMCS_CTRL_CR0_MASK %#RHr\n", uHCReg));
10469	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR0_READ_SHADOW, &uHCReg); AssertRC(rc);
10470	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
10471	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_MASK, &uHCReg); AssertRC(rc);
10472	Log4(("VMX_VMCS_CTRL_CR4_MASK %#RHr\n", uHCReg));
10473	rc = VMXReadVmcsHstN(VMX_VMCS_CTRL_CR4_READ_SHADOW, &uHCReg); AssertRC(rc);
10474	Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW %#RHr\n", uHCReg));
10475	rc = VMXReadVmcs64(VMX_VMCS64_CTRL_EPTP_FULL, &u64Val); AssertRC(rc);
10476	Log4(("VMX_VMCS64_CTRL_EPTP_FULL %#RX64\n", u64Val));
10477	#else
10478	NOREF(pVmxTransient);
10479	#endif
10480
10481	HMDumpRegs(pVCpu->CTX_SUFF(pVM), pVCpu, pMixedCtx);
10482	return VERR_VMX_INVALID_GUEST_STATE;
10483	}
10484
10485
10486	/**
10487	* VM-exit handler for VM-entry failure due to an MSR-load
10488	* (VMX_EXIT_ERR_MSR_LOAD). Error VM-exit.
10489	*/
10490	HMVMX_EXIT_DECL hmR0VmxExitErrMsrLoad(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10491	{
10492	NOREF(pVmxTransient);
10493	AssertMsgFailed(("Unexpected MSR-load exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx)); NOREF(pMixedCtx);
10494	HMVMX_RETURN_UNEXPECTED_EXIT();
10495	}
10496
10497
10498	/**
10499	* VM-exit handler for VM-entry failure due to a machine-check event
10500	* (VMX_EXIT_ERR_MACHINE_CHECK). Error VM-exit.
10501	*/
10502	HMVMX_EXIT_DECL hmR0VmxExitErrMachineCheck(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10503	{
10504	NOREF(pVmxTransient);
10505	AssertMsgFailed(("Unexpected machine-check event exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx)); NOREF(pMixedCtx);
10506	HMVMX_RETURN_UNEXPECTED_EXIT();
10507	}
10508
10509
10510	/**
10511	* VM-exit handler for all undefined reasons. Should never ever happen.. in
10512	* theory.
10513	*/
10514	HMVMX_EXIT_DECL hmR0VmxExitErrUndefined(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10515	{
10516	AssertMsgFailed(("Huh!? Undefined VM-exit reason %d. pVCpu=%p pMixedCtx=%p\n", pVmxTransient->uExitReason, pVCpu, pMixedCtx));
10517	NOREF(pVCpu); NOREF(pMixedCtx); NOREF(pVmxTransient);
10518	return VERR_VMX_UNDEFINED_EXIT_CODE;
10519	}
10520
10521
10522	/**
10523	* VM-exit handler for XDTR (LGDT, SGDT, LIDT, SIDT) accesses
10524	* (VMX_EXIT_XDTR_ACCESS) and LDT and TR access (LLDT, LTR, SLDT, STR).
10525	* Conditional VM-exit.
10526	*/
10527	HMVMX_EXIT_DECL hmR0VmxExitXdtrAccess(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10528	{
10529	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10530
10531	/* By default, we don't enable VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT. */
10532	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitXdtrAccess);
10533	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_DESCRIPTOR_TABLE_EXIT)
10534	return VERR_EM_INTERPRETER;
10535	AssertMsgFailed(("Unexpected XDTR access. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10536	HMVMX_RETURN_UNEXPECTED_EXIT();
10537	}
10538
10539
10540	/**
10541	* VM-exit handler for RDRAND (VMX_EXIT_RDRAND). Conditional VM-exit.
10542	*/
10543	HMVMX_EXIT_DECL hmR0VmxExitRdrand(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10544	{
10545	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10546
10547	/* By default, we don't enable VMX_VMCS_CTRL_PROC_EXEC2_RDRAND_EXIT. */
10548	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdrand);
10549	if (pVCpu->hm.s.vmx.u32ProcCtls2 & VMX_VMCS_CTRL_PROC_EXEC2_RDRAND_EXIT)
10550	return VERR_EM_INTERPRETER;
10551	AssertMsgFailed(("Unexpected RDRAND exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
10552	HMVMX_RETURN_UNEXPECTED_EXIT();
10553	}
10554
10555
10556	/**
10557	* VM-exit handler for RDMSR (VMX_EXIT_RDMSR).
10558	*/
10559	HMVMX_EXIT_DECL hmR0VmxExitRdmsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10560	{
10561	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10562
10563	/* EMInterpretRdmsr() requires CR0, Eflags and SS segment register. */
10564	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
10565	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10566	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
10567	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
10568	{
10569	rc \|= hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
10570	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
10571	}
10572	AssertRCReturn(rc, rc);
10573	Log4(("ecx=%#RX32\n", pMixedCtx->ecx));
10574
10575	#ifdef VBOX_STRICT
10576	if (pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS)
10577	{
10578	if ( hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx)
10579	&& pMixedCtx->ecx != MSR_K6_EFER)
10580	{
10581	AssertMsgFailed(("Unexpected RDMSR for an MSR in the auto-load/store area in the VMCS. ecx=%#RX32\n",
10582	pMixedCtx->ecx));
10583	HMVMX_RETURN_UNEXPECTED_EXIT();
10584	}
10585	# if HC_ARCH_BITS == 64
10586	if ( pVCpu->CTX_SUFF(pVM)->hm.s.fAllow64BitGuests
10587	&& hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
10588	{
10589	AssertMsgFailed(("Unexpected RDMSR for a passthru lazy-restore MSR. ecx=%#RX32\n", pMixedCtx->ecx));
10590	HMVMX_RETURN_UNEXPECTED_EXIT();
10591	}
10592	# endif
10593	}
10594	#endif
10595
10596	PVM pVM = pVCpu->CTX_SUFF(pVM);
10597	rc = EMInterpretRdmsr(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10598	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER,
10599	("hmR0VmxExitRdmsr: failed, invalid error code %Rrc\n", rc));
10600	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdmsr);
10601	if (RT_LIKELY(rc == VINF_SUCCESS))
10602	{
10603	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10604	Assert(pVmxTransient->cbInstr == 2);
10605	}
10606	return rc;
10607	}
10608
10609
10610	/**
10611	* VM-exit handler for WRMSR (VMX_EXIT_WRMSR).
10612	*/
10613	HMVMX_EXIT_DECL hmR0VmxExitWrmsr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10614	{
10615	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10616	PVM pVM = pVCpu->CTX_SUFF(pVM);
10617	int rc = VINF_SUCCESS;
10618
10619	/* EMInterpretWrmsr() requires CR0, EFLAGS and SS segment register. */
10620	rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
10621	rc \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx);
10622	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
10623	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
10624	{
10625	rc \|= hmR0VmxSaveGuestLazyMsrs(pVCpu, pMixedCtx);
10626	rc \|= hmR0VmxSaveGuestAutoLoadStoreMsrs(pVCpu, pMixedCtx);
10627	}
10628	AssertRCReturn(rc, rc);
10629	Log4(("ecx=%#RX32 edx:eax=%#RX32:%#RX32\n", pMixedCtx->ecx, pMixedCtx->edx, pMixedCtx->eax));
10630
10631	rc = EMInterpretWrmsr(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
10632	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER, ("hmR0VmxExitWrmsr: failed, invalid error code %Rrc\n", rc));
10633	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitWrmsr);
10634
10635	if (RT_LIKELY(rc == VINF_SUCCESS))
10636	{
10637	rc = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
10638
10639	/* If this is an X2APIC WRMSR access, update the APIC state as well. */
10640	if ( pMixedCtx->ecx >= MSR_IA32_X2APIC_START
10641	&& pMixedCtx->ecx <= MSR_IA32_X2APIC_END)
10642	{
10643	/* We've already saved the APIC related guest-state (TPR) in hmR0VmxPostRunGuest(). When full APIC register
10644	* virtualization is implemented we'll have to make sure APIC state is saved from the VMCS before
10645	EMInterpretWrmsr() changes it. */
10646	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
10647	}
10648	else if (pMixedCtx->ecx == MSR_IA32_TSC) /* Windows 7 does this during bootup. See @bugref{6398}. */
10649	pVmxTransient->fUpdateTscOffsettingAndPreemptTimer = true;
10650	else if (pMixedCtx->ecx == MSR_K6_EFER)
10651	{
10652	/*
10653	* If the guest touches EFER we need to update the VM-Entry and VM-Exit controls as well,
10654	* even if it is -not- touching bits that cause paging mode changes (LMA/LME). We care about
10655	* the other bits as well, SCE and NXE. See @bugref{7368}.
10656	*/
10657	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_EFER_MSR \| HM_CHANGED_VMX_ENTRY_CTLS \| HM_CHANGED_VMX_EXIT_CTLS);
10658	}
10659
10660	/* Update MSRs that are part of the VMCS and auto-load/store area when MSR-bitmaps are not supported. */
10661	if (!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_MSR_BITMAPS))
10662	{
10663	switch (pMixedCtx->ecx)
10664	{
10665	case MSR_IA32_SYSENTER_CS: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_CS_MSR); break;
10666	case MSR_IA32_SYSENTER_EIP: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_EIP_MSR); break;
10667	case MSR_IA32_SYSENTER_ESP: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SYSENTER_ESP_MSR); break;
10668	case MSR_K8_FS_BASE: /* no break */
10669	case MSR_K8_GS_BASE: HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_SEGMENT_REGS); break;
10670	case MSR_K6_EFER: /* already handled above */ break;
10671	default:
10672	{
10673	if (hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx))
10674	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
10675	#if HC_ARCH_BITS == 64
10676	else if (hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
10677	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_LAZY_MSRS);
10678	#endif
10679	break;
10680	}
10681	}
10682	}
10683	#ifdef VBOX_STRICT
10684	else
10685	{
10686	/* Paranoia. Validate that MSRs in the MSR-bitmaps with write-passthru are not intercepted. */
10687	switch (pMixedCtx->ecx)
10688	{
10689	case MSR_IA32_SYSENTER_CS:
10690	case MSR_IA32_SYSENTER_EIP:
10691	case MSR_IA32_SYSENTER_ESP:
10692	case MSR_K8_FS_BASE:
10693	case MSR_K8_GS_BASE:
10694	{
10695	AssertMsgFailed(("Unexpected WRMSR for an MSR in the VMCS. ecx=%#RX32\n", pMixedCtx->ecx));
10696	HMVMX_RETURN_UNEXPECTED_EXIT();
10697	}
10698
10699	/* Writes to MSRs in auto-load/store area/swapped MSRs, shouldn't cause VM-exits with MSR-bitmaps. */
10700	default:
10701	{
10702	if (hmR0VmxIsAutoLoadStoreGuestMsr(pVCpu, pMixedCtx->ecx))
10703	{
10704	/* EFER writes are always intercepted, see hmR0VmxLoadGuestMsrs(). */
10705	if (pMixedCtx->ecx != MSR_K6_EFER)
10706	{
10707	AssertMsgFailed(("Unexpected WRMSR for an MSR in the auto-load/store area in the VMCS. ecx=%#RX32\n",
10708	pMixedCtx->ecx));
10709	HMVMX_RETURN_UNEXPECTED_EXIT();
10710	}
10711	}
10712
10713	#if HC_ARCH_BITS == 64
10714	if (hmR0VmxIsLazyGuestMsr(pVCpu, pMixedCtx->ecx))
10715	{
10716	AssertMsgFailed(("Unexpected WRMSR for passthru, lazy-restore MSR. ecx=%#RX32\n", pMixedCtx->ecx));
10717	HMVMX_RETURN_UNEXPECTED_EXIT();
10718	}
10719	#endif
10720	break;
10721	}
10722	}
10723	}
10724	#endif /* VBOX_STRICT */
10725	}
10726	return rc;
10727	}
10728
10729
10730	/**
10731	* VM-exit handler for PAUSE (VMX_EXIT_PAUSE). Conditional VM-exit.
10732	*/
10733	HMVMX_EXIT_DECL hmR0VmxExitPause(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10734	{
10735	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10736
10737	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPause);
10738	return VINF_EM_RAW_INTERRUPT;
10739	}
10740
10741
10742	/**
10743	* VM-exit handler for when the TPR value is lowered below the specified
10744	* threshold (VMX_EXIT_TPR_BELOW_THRESHOLD). Conditional VM-exit.
10745	*/
10746	HMVMX_EXIT_DECL hmR0VmxExitTprBelowThreshold(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10747	{
10748	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10749	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW);
10750
10751	/*
10752	* The TPR has already been updated, see hmR0VMXPostRunGuest(). RIP is also updated as part of the VM-exit by VT-x. Update
10753	* the threshold in the VMCS, deliver the pending interrupt via hmR0VmxPreRunGuest()->hmR0VmxInjectPendingEvent() and
10754	* resume guest execution.
10755	*/
10756	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
10757	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTprBelowThreshold);
10758	return VINF_SUCCESS;
10759	}
10760
10761
10762	/**
10763	* VM-exit handler for control-register accesses (VMX_EXIT_MOV_CRX). Conditional
10764	* VM-exit.
10765	*
10766	* @retval VINF_SUCCESS when guest execution can continue.
10767	* @retval VINF_PGM_CHANGE_MODE when shadow paging mode changed, back to ring-3.
10768	* @retval VINF_PGM_SYNC_CR3 CR3 sync is required, back to ring-3.
10769	* @retval VERR_EM_INTERPRETER when something unexpected happened, fallback to
10770	* interpreter.
10771	*/
10772	HMVMX_EXIT_DECL hmR0VmxExitMovCRx(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10773	{
10774	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10775	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitMovCRx, y2);
10776	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
10777	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
10778	AssertRCReturn(rc, rc);
10779
10780	RTGCUINTPTR const uExitQualification = pVmxTransient->uExitQualification;
10781	uint32_t const uAccessType = VMX_EXIT_QUALIFICATION_CRX_ACCESS(uExitQualification);
10782	PVM pVM = pVCpu->CTX_SUFF(pVM);
10783	VBOXSTRICTRC rcStrict;
10784	rc = hmR0VmxSaveGuestRegsForIemExec(pVCpu, pMixedCtx, false /fMemory/, true /fNeedRsp/);
10785	switch (uAccessType)
10786	{
10787	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_WRITE: /* MOV to CRx */
10788	{
10789	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
10790	AssertRCReturn(rc, rc);
10791
10792	rcStrict = IEMExecDecodedMovCRxWrite(pVCpu, pVmxTransient->cbInstr,
10793	VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification),
10794	VMX_EXIT_QUALIFICATION_CRX_GENREG(uExitQualification));
10795	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT \|\| rcStrict == VINF_PGM_CHANGE_MODE
10796	\|\| rcStrict == VINF_PGM_SYNC_CR3, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
10797	switch (VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification))
10798	{
10799	case 0: /* CR0 */
10800	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
10801	Log4(("CRX CR0 write rcStrict=%Rrc CR0=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr0));
10802	break;
10803	case 2: /* CR2 */
10804	/* Nothing to do here, CR2 it's not part of the VMCS. */
10805	break;
10806	case 3: /* CR3 */
10807	Assert(!pVM->hm.s.fNestedPaging \|\| !CPUMIsGuestPagingEnabledEx(pMixedCtx));
10808	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR3);
10809	Log4(("CRX CR3 write rcStrict=%Rrc CR3=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr3));
10810	break;
10811	case 4: /* CR4 */
10812	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR4);
10813	Log4(("CRX CR4 write rc=%Rrc CR4=%#RX64 fLoadSaveGuestXcr0=%u\n",
10814	VBOXSTRICTRC_VAL(rcStrict), pMixedCtx->cr4, pVCpu->hm.s.fLoadSaveGuestXcr0));
10815	break;
10816	case 8: /* CR8 */
10817	Assert(!(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW));
10818	/* CR8 contains the APIC TPR. Was updated by IEMExecDecodedMovCRxWrite(). */
10819	HMCPU_CF_SET(pVCpu, HM_CHANGED_VMX_GUEST_APIC_STATE);
10820	break;
10821	default:
10822	AssertMsgFailed(("Invalid CRx register %#x\n", VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)));
10823	break;
10824	}
10825
10826	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCRxWrite[VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)]);
10827	break;
10828	}
10829
10830	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_READ: /* MOV from CRx */
10831	{
10832	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
10833	AssertRCReturn(rc, rc);
10834
10835	Assert( !pVM->hm.s.fNestedPaging
10836	\|\| !CPUMIsGuestPagingEnabledEx(pMixedCtx)
10837	\|\| VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification) != 3);
10838
10839	/* CR8 reads only cause a VM-exit when the TPR shadow feature isn't enabled. */
10840	Assert( VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification) != 8
10841	\|\| !(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW));
10842
10843	rcStrict = IEMExecDecodedMovCRxRead(pVCpu, pVmxTransient->cbInstr,
10844	VMX_EXIT_QUALIFICATION_CRX_GENREG(uExitQualification),
10845	VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification));
10846	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
10847	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCRxRead[VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification)]);
10848	Log4(("CRX CR%d Read access rcStrict=%Rrc\n", VMX_EXIT_QUALIFICATION_CRX_REGISTER(uExitQualification),
10849	VBOXSTRICTRC_VAL(rcStrict)));
10850	break;
10851	}
10852
10853	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_CLTS: /* CLTS (Clear Task-Switch Flag in CR0) */
10854	{
10855	AssertRCReturn(rc, rc);
10856	rcStrict = IEMExecDecodedClts(pVCpu, pVmxTransient->cbInstr);
10857	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
10858	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
10859	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitClts);
10860	Log4(("CRX CLTS rcStrict=%d\n", VBOXSTRICTRC_VAL(rcStrict)));
10861	break;
10862	}
10863
10864	case VMX_EXIT_QUALIFICATION_CRX_ACCESS_LMSW: /* LMSW (Load Machine-Status Word into CR0) */
10865	{
10866	AssertRCReturn(rc, rc);
10867	rcStrict = IEMExecDecodedLmsw(pVCpu, pVmxTransient->cbInstr,
10868	VMX_EXIT_QUALIFICATION_CRX_LMSW_DATA(uExitQualification));
10869	AssertMsg(rcStrict == VINF_SUCCESS \|\| rcStrict == VINF_IEM_RAISED_XCPT \|\| rcStrict == VINF_PGM_CHANGE_MODE,
10870	("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
10871	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitLmsw);
10872	Log4(("CRX LMSW rcStrict=%d\n", VBOXSTRICTRC_VAL(rcStrict)));
10873	break;
10874	}
10875
10876	default:
10877	AssertMsgFailedReturn(("Invalid access-type in Mov CRx VM-exit qualification %#x\n", uAccessType),
10878	VERR_VMX_UNEXPECTED_EXCEPTION);
10879	}
10880
10881	HMCPU_CF_SET(pVCpu, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS : HM_CHANGED_ALL_GUEST);
10882	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitMovCRx, y2);
10883	NOREF(pVM);
10884	return VBOXSTRICTRC_TODO(rcStrict);
10885	}
10886
10887
10888	/**
10889	* VM-exit handler for I/O instructions (VMX_EXIT_IO_INSTR). Conditional
10890	* VM-exit.
10891	*/
10892	HMVMX_EXIT_DECL hmR0VmxExitIoInstr(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
10893	{
10894	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
10895	STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitIO, y1);
10896
10897	int rc2 = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
10898	rc2 \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
10899	rc2 \|= hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
10900	rc2 \|= hmR0VmxSaveGuestRflags(pVCpu, pMixedCtx); /* Eflag checks in EMInterpretDisasCurrent(). */
10901	rc2 \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx); /* CR0 checks & PGM* in EMInterpretDisasCurrent(). */
10902	rc2 \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx); /* SELM checks in EMInterpretDisasCurrent(). */
10903	/* EFER also required for longmode checks in EMInterpretDisasCurrent(), but it's always up-to-date. */
10904	AssertRCReturn(rc2, rc2);
10905
10906	/* Refer Intel spec. 27-5. "Exit Qualifications for I/O Instructions" for the format. */
10907	uint32_t uIOPort = VMX_EXIT_QUALIFICATION_IO_PORT(pVmxTransient->uExitQualification);
10908	uint8_t uIOWidth = VMX_EXIT_QUALIFICATION_IO_WIDTH(pVmxTransient->uExitQualification);
10909	bool fIOWrite = ( VMX_EXIT_QUALIFICATION_IO_DIRECTION(pVmxTransient->uExitQualification)
10910	== VMX_EXIT_QUALIFICATION_IO_DIRECTION_OUT);
10911	bool fIOString = VMX_EXIT_QUALIFICATION_IO_IS_STRING(pVmxTransient->uExitQualification);
10912	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
10913	bool fDbgStepping = pVCpu->hm.s.fSingleInstruction;
10914	AssertReturn(uIOWidth <= 3 && uIOWidth != 2, VERR_VMX_IPE_1);
10915
10916	/* I/O operation lookup arrays. */
10917	static uint32_t const s_aIOSizes[4] = { 1, 2, 0, 4 }; /* Size of the I/O accesses. */
10918	static uint32_t const s_aIOOpAnd[4] = { 0xff, 0xffff, 0, 0xffffffff }; /* AND masks for saving the result (in AL/AX/EAX). */
10919
10920	VBOXSTRICTRC rcStrict;
10921	uint32_t const cbValue = s_aIOSizes[uIOWidth];
10922	uint32_t const cbInstr = pVmxTransient->cbInstr;
10923	bool fUpdateRipAlready = false; /* ugly hack, should be temporary. */
10924	PVM pVM = pVCpu->CTX_SUFF(pVM);
10925	if (fIOString)
10926	{
10927	#ifdef VBOX_WITH_2ND_IEM_STEP /* This used to gurus with debian 32-bit guest without NP (on ATA reads).
10928	See @bugref{5752#c158}. Should work now. */
10929	/*
10930	* INS/OUTS - I/O String instruction.
10931	*
10932	* Use instruction-information if available, otherwise fall back on
10933	* interpreting the instruction.
10934	*/
10935	Log4(("CS:RIP=%04x:%08RX64 %#06x/%u %c str\n", pMixedCtx->cs.Sel, pMixedCtx->rip, uIOPort, cbValue,
10936	fIOWrite ? 'w' : 'r'));
10937	AssertReturn(pMixedCtx->dx == uIOPort, VERR_VMX_IPE_2);
10938	if (MSR_IA32_VMX_BASIC_INFO_VMCS_INS_OUTS(pVM->hm.s.vmx.Msrs.u64BasicInfo))
10939	{
10940	rc2 = hmR0VmxReadExitInstrInfoVmcs(pVmxTransient);
10941	/** @todo optimize this, IEM should request the additional state if it needs it (GP, PF, ++). */
10942	rc2 \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
10943	AssertRCReturn(rc2, rc2);
10944	AssertReturn(pVmxTransient->ExitInstrInfo.StrIo.u3AddrSize <= 2, VERR_VMX_IPE_3);
10945	AssertCompile(IEMMODE_16BIT == 0 && IEMMODE_32BIT == 1 && IEMMODE_64BIT == 2);
10946	IEMMODE enmAddrMode = (IEMMODE)pVmxTransient->ExitInstrInfo.StrIo.u3AddrSize;
10947	bool fRep = VMX_EXIT_QUALIFICATION_IO_IS_REP(pVmxTransient->uExitQualification);
10948	if (fIOWrite)
10949	{
10950	rcStrict = IEMExecStringIoWrite(pVCpu, cbValue, enmAddrMode, fRep, cbInstr,
10951	pVmxTransient->ExitInstrInfo.StrIo.iSegReg);
10952	}
10953	else
10954	{
10955	/*
10956	* The segment prefix for INS cannot be overridden and is always ES. We can safely assume X86_SREG_ES.
10957	* Hence "iSegReg" field is undefined in the instruction-information field in VT-x for INS.
10958	* See Intel Instruction spec. for "INS".
10959	* See Intel spec. Table 27-8 "Format of the VM-Exit Instruction-Information Field as Used for INS and OUTS".
10960	*/
10961	rcStrict = IEMExecStringIoRead(pVCpu, cbValue, enmAddrMode, fRep, cbInstr);
10962	}
10963	}
10964	else
10965	{
10966	/** @todo optimize this, IEM should request the additional state if it needs it (GP, PF, ++). */
10967	rc2 = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
10968	AssertRCReturn(rc2, rc2);
10969	rcStrict = IEMExecOne(pVCpu);
10970	}
10971	/** @todo IEM needs to be setting these flags somehow. */
10972	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
10973	fUpdateRipAlready = true;
10974	#else
10975	PDISCPUSTATE pDis = &pVCpu->hm.s.DisState;
10976	rcStrict = EMInterpretDisasCurrent(pVM, pVCpu, pDis, NULL /* pcbInstr */);
10977	if (RT_SUCCESS(rcStrict))
10978	{
10979	if (fIOWrite)
10980	{
10981	rcStrict = IOMInterpretOUTSEx(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), uIOPort, pDis->fPrefix,
10982	(DISCPUMODE)pDis->uAddrMode, cbValue);
10983	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOStringWrite);
10984	}
10985	else
10986	{
10987	rcStrict = IOMInterpretINSEx(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx), uIOPort, pDis->fPrefix,
10988	(DISCPUMODE)pDis->uAddrMode, cbValue);
10989	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOStringRead);
10990	}
10991	}
10992	else
10993	{
10994	AssertMsg(rcStrict == VERR_EM_INTERPRETER, ("rcStrict=%Rrc RIP=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict),
10995	pMixedCtx->rip));
10996	rcStrict = VINF_EM_RAW_EMULATE_INSTR;
10997	}
10998	#endif
10999	}
11000	else
11001	{
11002	/*
11003	* IN/OUT - I/O instruction.
11004	*/
11005	Log4(("CS:RIP=%04x:%08RX64 %#06x/%u %c\n", pMixedCtx->cs.Sel, pMixedCtx->rip, uIOPort, cbValue, fIOWrite ? 'w' : 'r'));
11006	uint32_t const uAndVal = s_aIOOpAnd[uIOWidth];
11007	Assert(!VMX_EXIT_QUALIFICATION_IO_IS_REP(pVmxTransient->uExitQualification));
11008	if (fIOWrite)
11009	{
11010	rcStrict = IOMIOPortWrite(pVM, pVCpu, uIOPort, pMixedCtx->eax & uAndVal, cbValue);
11011	if (rcStrict == VINF_IOM_R3_IOPORT_WRITE)
11012	HMR0SavePendingIOPortWrite(pVCpu, pMixedCtx->rip, pMixedCtx->rip + cbInstr, uIOPort, uAndVal, cbValue);
11013	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOWrite);
11014	}
11015	else
11016	{
11017	uint32_t u32Result = 0;
11018	rcStrict = IOMIOPortRead(pVM, pVCpu, uIOPort, &u32Result, cbValue);
11019	if (IOM_SUCCESS(rcStrict))
11020	{
11021	/* Save result of I/O IN instr. in AL/AX/EAX. */
11022	pMixedCtx->eax = (pMixedCtx->eax & ~uAndVal) \| (u32Result & uAndVal);
11023	}
11024	else if (rcStrict == VINF_IOM_R3_IOPORT_READ)
11025	HMR0SavePendingIOPortRead(pVCpu, pMixedCtx->rip, pMixedCtx->rip + cbInstr, uIOPort, uAndVal, cbValue);
11026	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIORead);
11027	}
11028	}
11029
11030	if (IOM_SUCCESS(rcStrict))
11031	{
11032	if (!fUpdateRipAlready)
11033	{
11034	pMixedCtx->rip += cbInstr;
11035	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
11036	}
11037
11038	/*
11039	* INS/OUTS with REP prefix updates RFLAGS, can be observed with triple-fault guru while booting Fedora 17 64-bit guest.
11040	* See Intel Instruction reference for REP/REPE/REPZ/REPNE/REPNZ.
11041	*/
11042	if (fIOString)
11043	{
11044	/** @todo Single-step for INS/OUTS with REP prefix? */
11045	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
11046	}
11047	else if ( !fDbgStepping
11048	&& fGstStepping)
11049	{
11050	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11051	}
11052
11053	/*
11054	* If any I/O breakpoints are armed, we need to check if one triggered
11055	* and take appropriate action.
11056	* Note that the I/O breakpoint type is undefined if CR4.DE is 0.
11057	*/
11058	rc2 = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
11059	AssertRCReturn(rc2, rc2);
11060
11061	/** @todo Optimize away the DBGFBpIsHwIoArmed call by having DBGF tell the
11062	* execution engines about whether hyper BPs and such are pending. */
11063	uint32_t const uDr7 = pMixedCtx->dr[7];
11064	if (RT_UNLIKELY( ( (uDr7 & X86_DR7_ENABLED_MASK)
11065	&& X86_DR7_ANY_RW_IO(uDr7)
11066	&& (pMixedCtx->cr4 & X86_CR4_DE))
11067	\|\| DBGFBpIsHwIoArmed(pVM)))
11068	{
11069	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxIoCheck);
11070
11071	/* We're playing with the host CPU state here, make sure we don't preempt or longjmp. */
11072	VMMRZCallRing3Disable(pVCpu);
11073	HM_DISABLE_PREEMPT();
11074
11075	bool fIsGuestDbgActive = CPUMR0DebugStateMaybeSaveGuest(pVCpu, true /* fDr6 */);
11076
11077	VBOXSTRICTRC rcStrict2 = DBGFBpCheckIo(pVM, pVCpu, pMixedCtx, uIOPort, cbValue);
11078	if (rcStrict2 == VINF_EM_RAW_GUEST_TRAP)
11079	{
11080	/* Raise #DB. */
11081	if (fIsGuestDbgActive)
11082	ASMSetDR6(pMixedCtx->dr[6]);
11083	if (pMixedCtx->dr[7] != uDr7)
11084	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
11085
11086	hmR0VmxSetPendingXcptDB(pVCpu, pMixedCtx);
11087	}
11088	/* rcStrict is VINF_SUCCESS or in [VINF_EM_FIRST..VINF_EM_LAST]. */
11089	else if ( rcStrict2 != VINF_SUCCESS
11090	&& (rcStrict == VINF_SUCCESS \|\| rcStrict2 < rcStrict))
11091	rcStrict = rcStrict2;
11092
11093	HM_RESTORE_PREEMPT();
11094	VMMRZCallRing3Enable(pVCpu);
11095	}
11096	}
11097
11098	#ifdef VBOX_STRICT
11099	if (rcStrict == VINF_IOM_R3_IOPORT_READ)
11100	Assert(!fIOWrite);
11101	else if (rcStrict == VINF_IOM_R3_IOPORT_WRITE)
11102	Assert(fIOWrite);
11103	else
11104	{
11105	#if 0 /** @todo r=bird: This is missing a bunch of VINF_EM_FIRST..VINF_EM_LAST
11106	* statuses, that the VMM device and some others may return. See
11107	* IOM_SUCCESS() for guidance. */
11108	AssertMsg( RT_FAILURE(rcStrict)
11109	\|\| rcStrict == VINF_SUCCESS
11110	\|\| rcStrict == VINF_EM_RAW_EMULATE_INSTR
11111	\|\| rcStrict == VINF_EM_DBG_BREAKPOINT
11112	\|\| rcStrict == VINF_EM_RAW_GUEST_TRAP
11113	\|\| rcStrict == VINF_EM_RAW_TO_R3
11114	\|\| rcStrict == VINF_TRPM_XCPT_DISPATCHED, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
11115	#endif
11116	}
11117	#endif
11118
11119	STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitIO, y1);
11120	return VBOXSTRICTRC_TODO(rcStrict);
11121	}
11122
11123
11124	/**
11125	* VM-exit handler for task switches (VMX_EXIT_TASK_SWITCH). Unconditional
11126	* VM-exit.
11127	*/
11128	HMVMX_EXIT_DECL hmR0VmxExitTaskSwitch(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11129	{
11130	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11131
11132	/* Check if this task-switch occurred while delivery an event through the guest IDT. */
11133	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11134	AssertRCReturn(rc, rc);
11135	if (VMX_EXIT_QUALIFICATION_TASK_SWITCH_TYPE(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_TASK_SWITCH_TYPE_IDT)
11136	{
11137	rc = hmR0VmxReadIdtVectoringInfoVmcs(pVmxTransient);
11138	AssertRCReturn(rc, rc);
11139	if (VMX_IDT_VECTORING_INFO_VALID(pVmxTransient->uIdtVectoringInfo))
11140	{
11141	uint32_t uIntType = VMX_IDT_VECTORING_INFO_TYPE(pVmxTransient->uIdtVectoringInfo);
11142
11143	uint32_t uVector = VMX_IDT_VECTORING_INFO_VECTOR(pVmxTransient->uIdtVectoringInfo);
11144	bool fErrorCodeValid = VMX_IDT_VECTORING_INFO_ERROR_CODE_IS_VALID(pVmxTransient->uIdtVectoringInfo);
11145
11146	/* Save it as a pending event and it'll be converted to a TRPM event on the way out to ring-3. */
11147	Assert(!pVCpu->hm.s.Event.fPending);
11148	pVCpu->hm.s.Event.fPending = true;
11149	pVCpu->hm.s.Event.u64IntInfo = pVmxTransient->uIdtVectoringInfo;
11150	rc = hmR0VmxReadIdtVectoringErrorCodeVmcs(pVmxTransient);
11151	AssertRCReturn(rc, rc);
11152	if (fErrorCodeValid)
11153	pVCpu->hm.s.Event.u32ErrCode = pVmxTransient->uIdtVectoringErrorCode;
11154	else
11155	pVCpu->hm.s.Event.u32ErrCode = 0;
11156	if ( uIntType == VMX_IDT_VECTORING_INFO_TYPE_HW_XCPT
11157	&& uVector == X86_XCPT_PF)
11158	{
11159	pVCpu->hm.s.Event.GCPtrFaultAddress = pMixedCtx->cr2;
11160	}
11161
11162	Log4(("Pending event on TaskSwitch uIntType=%#x uVector=%#x\n", uIntType, uVector));
11163	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
11164	return VINF_EM_RAW_INJECT_TRPM_EVENT;
11165	}
11166	}
11167
11168	/** @todo Emulate task switch someday, currently just going back to ring-3 for
11169	* emulation. */
11170	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
11171	return VERR_EM_INTERPRETER;
11172	}
11173
11174
11175	/**
11176	* VM-exit handler for monitor-trap-flag (VMX_EXIT_MTF). Conditional VM-exit.
11177	*/
11178	HMVMX_EXIT_DECL hmR0VmxExitMtf(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11179	{
11180	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11181	Assert(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG);
11182	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MONITOR_TRAP_FLAG;
11183	int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
11184	AssertRCReturn(rc, rc);
11185	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitMtf);
11186	return VINF_EM_DBG_STEPPED;
11187	}
11188
11189
11190	/**
11191	* VM-exit handler for APIC access (VMX_EXIT_APIC_ACCESS). Conditional VM-exit.
11192	*/
11193	HMVMX_EXIT_DECL hmR0VmxExitApicAccess(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11194	{
11195	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11196
11197	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
11198	int rc = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
11199	if (RT_UNLIKELY(rc != VINF_SUCCESS))
11200	{
11201	if (rc == VINF_HM_DOUBLE_FAULT)
11202	rc = VINF_SUCCESS;
11203	return rc;
11204	}
11205
11206	#if 0
11207	/** @todo Investigate if IOMMMIOPhysHandler() requires a lot of state, for now
11208	* just sync the whole thing. */
11209	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11210	#else
11211	/* Aggressive state sync. for now. */
11212	rc = hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
11213	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
11214	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11215	#endif
11216	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11217	AssertRCReturn(rc, rc);
11218
11219	/* See Intel spec. 27-6 "Exit Qualifications for APIC-access VM-exits from Linear Accesses & Guest-Phyiscal Addresses" */
11220	uint32_t uAccessType = VMX_EXIT_QUALIFICATION_APIC_ACCESS_TYPE(pVmxTransient->uExitQualification);
11221	switch (uAccessType)
11222	{
11223	case VMX_APIC_ACCESS_TYPE_LINEAR_WRITE:
11224	case VMX_APIC_ACCESS_TYPE_LINEAR_READ:
11225	{
11226	AssertMsg( !(pVCpu->hm.s.vmx.u32ProcCtls & VMX_VMCS_CTRL_PROC_EXEC_USE_TPR_SHADOW)
11227	\|\| VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification) != 0x80,
11228	("hmR0VmxExitApicAccess: can't access TPR offset while using TPR shadowing.\n"));
11229
11230	RTGCPHYS GCPhys = pMixedCtx->msrApicBase; /* Always up-to-date, msrApicBase is not part of the VMCS. */
11231	GCPhys &= PAGE_BASE_GC_MASK;
11232	GCPhys += VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification);
11233	PVM pVM = pVCpu->CTX_SUFF(pVM);
11234	Log4(("ApicAccess uAccessType=%#x GCPhys=%#RGv Off=%#x\n", uAccessType, GCPhys,
11235	VMX_EXIT_QUALIFICATION_APIC_ACCESS_OFFSET(pVmxTransient->uExitQualification)));
11236
11237	VBOXSTRICTRC rc2 = IOMMMIOPhysHandler(pVM, pVCpu,
11238	uAccessType == VMX_APIC_ACCESS_TYPE_LINEAR_READ ? 0 : X86_TRAP_PF_RW,
11239	CPUMCTX2CORE(pMixedCtx), GCPhys);
11240	rc = VBOXSTRICTRC_VAL(rc2);
11241	Log4(("ApicAccess rc=%d\n", rc));
11242	if ( rc == VINF_SUCCESS
11243	\|\| rc == VERR_PAGE_TABLE_NOT_PRESENT
11244	\|\| rc == VERR_PAGE_NOT_PRESENT)
11245	{
11246	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11247	\| HM_CHANGED_GUEST_RSP
11248	\| HM_CHANGED_GUEST_RFLAGS
11249	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
11250	rc = VINF_SUCCESS;
11251	}
11252	break;
11253	}
11254
11255	default:
11256	Log4(("ApicAccess uAccessType=%#x\n", uAccessType));
11257	rc = VINF_EM_RAW_EMULATE_INSTR;
11258	break;
11259	}
11260
11261	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitApicAccess);
11262	if (rc != VINF_SUCCESS)
11263	STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchApicAccessToR3);
11264	return rc;
11265	}
11266
11267
11268	/**
11269	* VM-exit handler for debug-register accesses (VMX_EXIT_MOV_DRX). Conditional
11270	* VM-exit.
11271	*/
11272	HMVMX_EXIT_DECL hmR0VmxExitMovDRx(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11273	{
11274	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11275
11276	/* We should -not- get this VM-exit if the guest's debug registers were active. */
11277	if (pVmxTransient->fWasGuestDebugStateActive)
11278	{
11279	AssertMsgFailed(("Unexpected MOV DRx exit. pVCpu=%p pMixedCtx=%p\n", pVCpu, pMixedCtx));
11280	HMVMX_RETURN_UNEXPECTED_EXIT();
11281	}
11282
11283	int rc = VERR_INTERNAL_ERROR_5;
11284	if ( !pVCpu->hm.s.fSingleInstruction
11285	&& !pVmxTransient->fWasHyperDebugStateActive)
11286	{
11287	Assert(!DBGFIsStepping(pVCpu));
11288
11289	/* Don't intercept MOV DRx and #DB any more. */
11290	pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT;
11291	rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls);
11292	AssertRCReturn(rc, rc);
11293
11294	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
11295	{
11296	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
11297	pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_DB);
11298	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS);
11299	#endif
11300	}
11301
11302	/* We're playing with the host CPU state here, make sure we can't preempt or longjmp. */
11303	VMMRZCallRing3Disable(pVCpu);
11304	HM_DISABLE_PREEMPT();
11305
11306	/* Save the host & load the guest debug state, restart execution of the MOV DRx instruction. */
11307	CPUMR0LoadGuestDebugState(pVCpu, true /* include DR6 */);
11308	Assert(CPUMIsGuestDebugStateActive(pVCpu) \|\| HC_ARCH_BITS == 32);
11309
11310	HM_RESTORE_PREEMPT();
11311	VMMRZCallRing3Enable(pVCpu);
11312
11313	#ifdef VBOX_WITH_STATISTICS
11314	rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11315	AssertRCReturn(rc, rc);
11316	if (VMX_EXIT_QUALIFICATION_DRX_DIRECTION(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_DRX_DIRECTION_WRITE)
11317	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
11318	else
11319	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
11320	#endif
11321	STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxContextSwitch);
11322	return VINF_SUCCESS;
11323	}
11324
11325	/*
11326	* EMInterpretDRx[Write\|Read]() calls CPUMIsGuestIn64BitCode() which requires EFER, CS. EFER is always up-to-date.
11327	* Update the segment registers and DR7 from the CPU.
11328	*/
11329	rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11330	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11331	rc \|= hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
11332	AssertRCReturn(rc, rc);
11333	Log4(("CS:RIP=%04x:%08RX64\n", pMixedCtx->cs.Sel, pMixedCtx->rip));
11334
11335	PVM pVM = pVCpu->CTX_SUFF(pVM);
11336	if (VMX_EXIT_QUALIFICATION_DRX_DIRECTION(pVmxTransient->uExitQualification) == VMX_EXIT_QUALIFICATION_DRX_DIRECTION_WRITE)
11337	{
11338	rc = EMInterpretDRxWrite(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx),
11339	VMX_EXIT_QUALIFICATION_DRX_REGISTER(pVmxTransient->uExitQualification),
11340	VMX_EXIT_QUALIFICATION_DRX_GENREG(pVmxTransient->uExitQualification));
11341	if (RT_SUCCESS(rc))
11342	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_DEBUG);
11343	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
11344	}
11345	else
11346	{
11347	rc = EMInterpretDRxRead(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx),
11348	VMX_EXIT_QUALIFICATION_DRX_GENREG(pVmxTransient->uExitQualification),
11349	VMX_EXIT_QUALIFICATION_DRX_REGISTER(pVmxTransient->uExitQualification));
11350	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
11351	}
11352
11353	Assert(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER);
11354	if (RT_SUCCESS(rc))
11355	{
11356	int rc2 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11357	AssertRCReturn(rc2, rc2);
11358	}
11359	return rc;
11360	}
11361
11362
11363	/**
11364	* VM-exit handler for EPT misconfiguration (VMX_EXIT_EPT_MISCONFIG).
11365	* Conditional VM-exit.
11366	*/
11367	HMVMX_EXIT_DECL hmR0VmxExitEptMisconfig(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11368	{
11369	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11370	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fNestedPaging);
11371
11372	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
11373	int rc = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
11374	if (RT_UNLIKELY(rc != VINF_SUCCESS))
11375	{
11376	if (rc == VINF_HM_DOUBLE_FAULT)
11377	rc = VINF_SUCCESS;
11378	return rc;
11379	}
11380
11381	RTGCPHYS GCPhys = 0;
11382	rc = VMXReadVmcs64(VMX_VMCS64_EXIT_GUEST_PHYS_ADDR_FULL, &GCPhys);
11383
11384	#if 0
11385	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx); /** @todo Can we do better? */
11386	#else
11387	/* Aggressive state sync. for now. */
11388	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
11389	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
11390	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11391	#endif
11392	AssertRCReturn(rc, rc);
11393
11394	/*
11395	* If we succeed, resume guest execution.
11396	* If we fail in interpreting the instruction because we couldn't get the guest physical address
11397	* of the page containing the instruction via the guest's page tables (we would invalidate the guest page
11398	* in the host TLB), resume execution which would cause a guest page fault to let the guest handle this
11399	* weird case. See @bugref{6043}.
11400	*/
11401	PVM pVM = pVCpu->CTX_SUFF(pVM);
11402	VBOXSTRICTRC rc2 = PGMR0Trap0eHandlerNPMisconfig(pVM, pVCpu, PGMMODE_EPT, CPUMCTX2CORE(pMixedCtx), GCPhys, UINT32_MAX);
11403	rc = VBOXSTRICTRC_VAL(rc2);
11404	Log4(("EPT misconfig at %#RGv RIP=%#RX64 rc=%d\n", GCPhys, pMixedCtx->rip, rc));
11405	if ( rc == VINF_SUCCESS
11406	\|\| rc == VERR_PAGE_TABLE_NOT_PRESENT
11407	\|\| rc == VERR_PAGE_NOT_PRESENT)
11408	{
11409	/* Successfully handled MMIO operation. */
11410	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11411	\| HM_CHANGED_GUEST_RSP
11412	\| HM_CHANGED_GUEST_RFLAGS
11413	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
11414	rc = VINF_SUCCESS;
11415	}
11416	return rc;
11417	}
11418
11419
11420	/**
11421	* VM-exit handler for EPT violation (VMX_EXIT_EPT_VIOLATION). Conditional
11422	* VM-exit.
11423	*/
11424	HMVMX_EXIT_DECL hmR0VmxExitEptViolation(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11425	{
11426	HMVMX_VALIDATE_EXIT_HANDLER_PARAMS();
11427	Assert(pVCpu->CTX_SUFF(pVM)->hm.s.fNestedPaging);
11428
11429	/* If this VM-exit occurred while delivering an event through the guest IDT, handle it accordingly. */
11430	int rc = hmR0VmxCheckExitDueToEventDelivery(pVCpu, pMixedCtx, pVmxTransient);
11431	if (RT_UNLIKELY(rc != VINF_SUCCESS))
11432	{
11433	if (rc == VINF_HM_DOUBLE_FAULT)
11434	rc = VINF_SUCCESS;
11435	return rc;
11436	}
11437
11438	RTGCPHYS GCPhys = 0;
11439	rc = VMXReadVmcs64(VMX_VMCS64_EXIT_GUEST_PHYS_ADDR_FULL, &GCPhys);
11440	rc \|= hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11441	#if 0
11442	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx); /** @todo Can we do better? */
11443	#else
11444	/* Aggressive state sync. for now. */
11445	rc \|= hmR0VmxSaveGuestRipRspRflags(pVCpu, pMixedCtx);
11446	rc \|= hmR0VmxSaveGuestControlRegs(pVCpu, pMixedCtx);
11447	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
11448	#endif
11449	AssertRCReturn(rc, rc);
11450
11451	/* Intel spec. Table 27-7 "Exit Qualifications for EPT violations". */
11452	AssertMsg(((pVmxTransient->uExitQualification >> 7) & 3) != 2, ("%#RX64", pVmxTransient->uExitQualification));
11453
11454	RTGCUINT uErrorCode = 0;
11455	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_INSTR_FETCH)
11456	uErrorCode \|= X86_TRAP_PF_ID;
11457	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_DATA_WRITE)
11458	uErrorCode \|= X86_TRAP_PF_RW;
11459	if (pVmxTransient->uExitQualification & VMX_EXIT_QUALIFICATION_EPT_ENTRY_PRESENT)
11460	uErrorCode \|= X86_TRAP_PF_P;
11461
11462	TRPMAssertXcptPF(pVCpu, GCPhys, uErrorCode);
11463
11464	Log4(("EPT violation %#x at %#RX64 ErrorCode %#x CS:RIP=%04x:%08RX64\n", pVmxTransient->uExitQualification, GCPhys,
11465	uErrorCode, pMixedCtx->cs.Sel, pMixedCtx->rip));
11466
11467	/* Handle the pagefault trap for the nested shadow table. */
11468	PVM pVM = pVCpu->CTX_SUFF(pVM);
11469	rc = PGMR0Trap0eHandlerNestedPaging(pVM, pVCpu, PGMMODE_EPT, uErrorCode, CPUMCTX2CORE(pMixedCtx), GCPhys);
11470	TRPMResetTrap(pVCpu);
11471
11472	/* Same case as PGMR0Trap0eHandlerNPMisconfig(). See comment above, @bugref{6043}. */
11473	if ( rc == VINF_SUCCESS
11474	\|\| rc == VERR_PAGE_TABLE_NOT_PRESENT
11475	\|\| rc == VERR_PAGE_NOT_PRESENT)
11476	{
11477	/* Successfully synced our nested page tables. */
11478	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitReasonNpf);
11479	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11480	\| HM_CHANGED_GUEST_RSP
11481	\| HM_CHANGED_GUEST_RFLAGS);
11482	return VINF_SUCCESS;
11483	}
11484
11485	Log4(("EPT return to ring-3 rc=%Rrc\n", rc));
11486	return rc;
11487	}
11488
11489	/** @} */
11490
11491	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-= */
11492	/* -=-=-=-=-=-=-=-=-=- VM-exit Exception Handlers -=-=-=-=-=-=-=-=-=-=- */
11493	/* -=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-= */
11494
11495	/** @name VM-exit exception handlers.
11496	* @{
11497	*/
11498
11499	/**
11500	* VM-exit exception handler for \#MF (Math Fault: floating point exception).
11501	*/
11502	static int hmR0VmxExitXcptMF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11503	{
11504	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
11505	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestMF);
11506
11507	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11508	AssertRCReturn(rc, rc);
11509
11510	if (!(pMixedCtx->cr0 & X86_CR0_NE))
11511	{
11512	/* Convert a #MF into a FERR -> IRQ 13. See @bugref{6117}. */
11513	rc = PDMIsaSetIrq(pVCpu->CTX_SUFF(pVM), 13, 1, 0 /* uTagSrc */);
11514
11515	/** @todo r=ramshankar: The Intel spec. does -not- specify that this VM-exit
11516	* provides VM-exit instruction length. If this causes problem later,
11517	* disassemble the instruction like it's done on AMD-V. */
11518	int rc2 = hmR0VmxAdvanceGuestRip(pVCpu, pMixedCtx, pVmxTransient);
11519	AssertRCReturn(rc2, rc2);
11520	return rc;
11521	}
11522
11523	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
11524	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
11525	return rc;
11526	}
11527
11528
11529	/**
11530	* VM-exit exception handler for \#BP (Breakpoint exception).
11531	*/
11532	static int hmR0VmxExitXcptBP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11533	{
11534	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
11535	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestBP);
11536
11537	/** @todo Try optimize this by not saving the entire guest state unless
11538	* really needed. */
11539	int rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11540	AssertRCReturn(rc, rc);
11541
11542	PVM pVM = pVCpu->CTX_SUFF(pVM);
11543	rc = DBGFRZTrap03Handler(pVM, pVCpu, CPUMCTX2CORE(pMixedCtx));
11544	if (rc == VINF_EM_RAW_GUEST_TRAP)
11545	{
11546	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
11547	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
11548	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
11549	AssertRCReturn(rc, rc);
11550
11551	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
11552	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
11553	}
11554
11555	Assert(rc == VINF_SUCCESS \|\| rc == VINF_EM_RAW_GUEST_TRAP \|\| rc == VINF_EM_DBG_BREAKPOINT);
11556	return rc;
11557	}
11558
11559
11560	/**
11561	* VM-exit exception handler for \#DB (Debug exception).
11562	*/
11563	static int hmR0VmxExitXcptDB(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11564	{
11565	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
11566	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDB);
11567	Log6(("XcptDB\n"));
11568
11569	/*
11570	* Get the DR6-like values from the VM-exit qualification and pass it to DBGF
11571	* for processing.
11572	*/
11573	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
11574	AssertRCReturn(rc, rc);
11575
11576	/* Refer Intel spec. Table 27-1. "Exit Qualifications for debug exceptions" for the format. */
11577	uint64_t uDR6 = X86_DR6_INIT_VAL;
11578	uDR6 \|= ( pVmxTransient->uExitQualification
11579	& (X86_DR6_B0 \| X86_DR6_B1 \| X86_DR6_B2 \| X86_DR6_B3 \| X86_DR6_BD \| X86_DR6_BS));
11580
11581	rc = DBGFRZTrap01Handler(pVCpu->CTX_SUFF(pVM), pVCpu, CPUMCTX2CORE(pMixedCtx), uDR6, pVCpu->hm.s.fSingleInstruction);
11582	if (rc == VINF_EM_RAW_GUEST_TRAP)
11583	{
11584	/*
11585	* The exception was for the guest. Update DR6, DR7.GD and
11586	* IA32_DEBUGCTL.LBR before forwarding it.
11587	* (See Intel spec. 27.1 "Architectural State before a VM-Exit".)
11588	*/
11589	VMMRZCallRing3Disable(pVCpu);
11590	HM_DISABLE_PREEMPT();
11591
11592	pMixedCtx->dr[6] &= ~X86_DR6_B_MASK;
11593	pMixedCtx->dr[6] \|= uDR6;
11594	if (CPUMIsGuestDebugStateActive(pVCpu))
11595	ASMSetDR6(pMixedCtx->dr[6]);
11596
11597	HM_RESTORE_PREEMPT();
11598	VMMRZCallRing3Enable(pVCpu);
11599
11600	rc = hmR0VmxSaveGuestDR7(pVCpu, pMixedCtx);
11601	AssertRCReturn(rc, rc);
11602
11603	/* X86_DR7_GD will be cleared if DRx accesses should be trapped inside the guest. */
11604	pMixedCtx->dr[7] &= ~X86_DR7_GD;
11605
11606	/* Paranoia. */
11607	pMixedCtx->dr[7] &= ~X86_DR7_RAZ_MASK;
11608	pMixedCtx->dr[7] \|= X86_DR7_RA1_MASK;
11609
11610	rc = VMXWriteVmcs32(VMX_VMCS_GUEST_DR7, (uint32_t)pMixedCtx->dr[7]);
11611	AssertRCReturn(rc, rc);
11612
11613	/*
11614	* Raise #DB in the guest.
11615	*
11616	* It is important to reflect what the VM-exit gave us (preserving the interruption-type) rather than use
11617	* hmR0VmxSetPendingXcptDB() as the #DB could've been raised while executing ICEBP and not the 'normal' #DB.
11618	* Thus it -may- trigger different handling in the CPU (like skipped DPL checks). See @bugref{6398}.
11619	*
11620	* Since ICEBP isn't documented on Intel, see AMD spec. 15.20 "Event Injection".
11621	*/
11622	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
11623	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
11624	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
11625	AssertRCReturn(rc, rc);
11626	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
11627	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
11628	return VINF_SUCCESS;
11629	}
11630
11631	/*
11632	* Not a guest trap, must be a hypervisor related debug event then.
11633	* Update DR6 in case someone is interested in it.
11634	*/
11635	AssertMsg(rc == VINF_EM_DBG_STEPPED \|\| rc == VINF_EM_DBG_BREAKPOINT, ("%Rrc\n", rc));
11636	AssertReturn(pVmxTransient->fWasHyperDebugStateActive, VERR_HM_IPE_5);
11637	CPUMSetHyperDR6(pVCpu, uDR6);
11638
11639	return rc;
11640	}
11641
11642
11643	/**
11644	* VM-exit exception handler for \#NM (Device-not-available exception: floating
11645	* point exception).
11646	*/
11647	static int hmR0VmxExitXcptNM(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11648	{
11649	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
11650
11651	/* We require CR0 and EFER. EFER is always up-to-date. */
11652	int rc = hmR0VmxSaveGuestCR0(pVCpu, pMixedCtx);
11653	AssertRCReturn(rc, rc);
11654
11655	/* We're playing with the host CPU state here, have to disable preemption or longjmp. */
11656	VMMRZCallRing3Disable(pVCpu);
11657	HM_DISABLE_PREEMPT();
11658
11659	/* If the guest FPU was active at the time of the #NM exit, then it's a guest fault. */
11660	if (pVmxTransient->fWasGuestFPUStateActive)
11661	{
11662	rc = VINF_EM_RAW_GUEST_TRAP;
11663	Assert(CPUMIsGuestFPUStateActive(pVCpu) \|\| HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_CR0));
11664	}
11665	else
11666	{
11667	#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
11668	Assert(!pVmxTransient->fWasGuestFPUStateActive);
11669	#endif
11670	rc = CPUMR0Trap07Handler(pVCpu->CTX_SUFF(pVM), pVCpu, pMixedCtx);
11671	Assert(rc == VINF_EM_RAW_GUEST_TRAP \|\| (rc == VINF_SUCCESS && CPUMIsGuestFPUStateActive(pVCpu)));
11672	}
11673
11674	HM_RESTORE_PREEMPT();
11675	VMMRZCallRing3Enable(pVCpu);
11676
11677	if (rc == VINF_SUCCESS)
11678	{
11679	/* Guest FPU state was activated, we'll want to change CR0 FPU intercepts before the next VM-reentry. */
11680	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_CR0);
11681	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowNM);
11682	pVCpu->hm.s.fPreloadGuestFpu = true;
11683	}
11684	else
11685	{
11686	/* Forward #NM to the guest. */
11687	Assert(rc == VINF_EM_RAW_GUEST_TRAP);
11688	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
11689	AssertRCReturn(rc, rc);
11690	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
11691	pVmxTransient->cbInstr, 0 /* error code /, 0 / GCPtrFaultAddress */);
11692	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestNM);
11693	}
11694
11695	return VINF_SUCCESS;
11696	}
11697
11698
11699	/**
11700	* VM-exit exception handler for \#GP (General-protection exception).
11701	*
11702	* @remarks Requires pVmxTransient->uExitIntInfo to be up-to-date.
11703	*/
11704	static int hmR0VmxExitXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
11705	{
11706	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
11707	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestGP);
11708
11709	int rc = VERR_INTERNAL_ERROR_5;
11710	if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active)
11711	{
11712	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
11713	/* If the guest is not in real-mode or we have unrestricted execution support, reflect #GP to the guest. */
11714	rc = hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
11715	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
11716	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
11717	rc \|= hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11718	AssertRCReturn(rc, rc);
11719	Log4(("#GP Gst: CS:RIP %04x:%08RX64 ErrorCode=%#x CR0=%#RX64 CPL=%u TR=%#04x\n", pMixedCtx->cs.Sel, pMixedCtx->rip,
11720	pVmxTransient->uExitIntErrorCode, pMixedCtx->cr0, CPUMGetGuestCPL(pVCpu), pMixedCtx->tr.Sel));
11721	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
11722	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
11723	return rc;
11724	#else
11725	/* We don't intercept #GP. */
11726	AssertMsgFailed(("Unexpected VM-exit caused by #GP exception\n"));
11727	NOREF(pVmxTransient);
11728	return VERR_VMX_UNEXPECTED_EXCEPTION;
11729	#endif
11730	}
11731
11732	Assert(CPUMIsGuestInRealModeEx(pMixedCtx));
11733	Assert(!pVCpu->CTX_SUFF(pVM)->hm.s.vmx.fUnrestrictedGuest);
11734
11735	/* EMInterpretDisasCurrent() requires a lot of the state, save the entire state. */
11736	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
11737	AssertRCReturn(rc, rc);
11738
11739	PDISCPUSTATE pDis = &pVCpu->hm.s.DisState;
11740	uint32_t cbOp = 0;
11741	PVM pVM = pVCpu->CTX_SUFF(pVM);
11742	bool fDbgStepping = pVCpu->hm.s.fSingleInstruction;
11743	rc = EMInterpretDisasCurrent(pVM, pVCpu, pDis, &cbOp);
11744	if (RT_SUCCESS(rc))
11745	{
11746	rc = VINF_SUCCESS;
11747	Assert(cbOp == pDis->cbInstr);
11748	Log4(("#GP Disas OpCode=%u CS:EIP %04x:%04RX64\n", pDis->pCurInstr->uOpcode, pMixedCtx->cs.Sel, pMixedCtx->rip));
11749	switch (pDis->pCurInstr->uOpcode)
11750	{
11751	case OP_CLI:
11752	{
11753	pMixedCtx->eflags.Bits.u1IF = 0;
11754	pMixedCtx->eflags.Bits.u1RF = 0;
11755	pMixedCtx->rip += pDis->cbInstr;
11756	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
11757	if ( !fDbgStepping
11758	&& pMixedCtx->eflags.Bits.u1TF)
11759	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11760	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCli);
11761	break;
11762	}
11763
11764	case OP_STI:
11765	{
11766	bool fOldIF = pMixedCtx->eflags.Bits.u1IF;
11767	pMixedCtx->eflags.Bits.u1IF = 1;
11768	pMixedCtx->eflags.Bits.u1RF = 0;
11769	pMixedCtx->rip += pDis->cbInstr;
11770	if (!fOldIF)
11771	{
11772	EMSetInhibitInterruptsPC(pVCpu, pMixedCtx->rip);
11773	Assert(VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS));
11774	}
11775	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
11776	if ( !fDbgStepping
11777	&& pMixedCtx->eflags.Bits.u1TF)
11778	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11779	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitSti);
11780	break;
11781	}
11782
11783	case OP_HLT:
11784	{
11785	rc = VINF_EM_HALT;
11786	pMixedCtx->rip += pDis->cbInstr;
11787	pMixedCtx->eflags.Bits.u1RF = 0;
11788	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP \| HM_CHANGED_GUEST_RFLAGS);
11789	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitHlt);
11790	break;
11791	}
11792
11793	case OP_POPF:
11794	{
11795	Log4(("POPF CS:EIP %04x:%04RX64\n", pMixedCtx->cs.Sel, pMixedCtx->rip));
11796	uint32_t cbParm;
11797	uint32_t uMask;
11798	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
11799	if (pDis->fPrefix & DISPREFIX_OPSIZE)
11800	{
11801	cbParm = 4;
11802	uMask = 0xffffffff;
11803	}
11804	else
11805	{
11806	cbParm = 2;
11807	uMask = 0xffff;
11808	}
11809
11810	/* Get the stack pointer & pop the contents of the stack onto Eflags. */
11811	RTGCPTR GCPtrStack = 0;
11812	X86EFLAGS Eflags;
11813	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), pMixedCtx->esp & uMask, SELMTOFLAT_FLAGS_CPL0,
11814	&GCPtrStack);
11815	if (RT_SUCCESS(rc))
11816	{
11817	Assert(sizeof(Eflags.u32) >= cbParm);
11818	Eflags.u32 = 0;
11819	rc = VBOXSTRICTRC_TODO(PGMPhysRead(pVM, (RTGCPHYS)GCPtrStack, &Eflags.u32, cbParm, PGMACCESSORIGIN_HM));
11820	AssertMsg(rc == VINF_SUCCESS, ("%Rrc\n", rc)); /** @todo allow strict return codes here */
11821	}
11822	if (RT_FAILURE(rc))
11823	{
11824	rc = VERR_EM_INTERPRETER;
11825	break;
11826	}
11827	Log4(("POPF %#x -> %#RX64 mask=%#x RIP=%#RX64\n", Eflags.u, pMixedCtx->rsp, uMask, pMixedCtx->rip));
11828	pMixedCtx->eflags.u32 = (pMixedCtx->eflags.u32 & ~((X86_EFL_POPF_BITS & uMask) \| X86_EFL_RF))
11829	\| (Eflags.u32 & X86_EFL_POPF_BITS & uMask);
11830	pMixedCtx->esp += cbParm;
11831	pMixedCtx->esp &= uMask;
11832	pMixedCtx->rip += pDis->cbInstr;
11833	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11834	\| HM_CHANGED_GUEST_RSP
11835	\| HM_CHANGED_GUEST_RFLAGS);
11836	/* Generate a pending-debug exception when the guest stepping over POPF regardless of how
11837	POPF restores EFLAGS.TF. */
11838	if ( !fDbgStepping
11839	&& fGstStepping)
11840	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11841	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPopf);
11842	break;
11843	}
11844
11845	case OP_PUSHF:
11846	{
11847	uint32_t cbParm;
11848	uint32_t uMask;
11849	if (pDis->fPrefix & DISPREFIX_OPSIZE)
11850	{
11851	cbParm = 4;
11852	uMask = 0xffffffff;
11853	}
11854	else
11855	{
11856	cbParm = 2;
11857	uMask = 0xffff;
11858	}
11859
11860	/* Get the stack pointer & push the contents of eflags onto the stack. */
11861	RTGCPTR GCPtrStack = 0;
11862	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), (pMixedCtx->esp - cbParm) & uMask,
11863	SELMTOFLAT_FLAGS_CPL0, &GCPtrStack);
11864	if (RT_FAILURE(rc))
11865	{
11866	rc = VERR_EM_INTERPRETER;
11867	break;
11868	}
11869	X86EFLAGS Eflags = pMixedCtx->eflags;
11870	/* The RF & VM bits are cleared on image stored on stack; see Intel Instruction reference for PUSHF. */
11871	Eflags.Bits.u1RF = 0;
11872	Eflags.Bits.u1VM = 0;
11873
11874	rc = VBOXSTRICTRC_TODO(PGMPhysWrite(pVM, (RTGCPHYS)GCPtrStack, &Eflags.u, cbParm, PGMACCESSORIGIN_HM));
11875	if (RT_UNLIKELY(rc != VINF_SUCCESS))
11876	{
11877	AssertMsgFailed(("%Rrc\n", rc)); /** @todo allow strict return codes here */
11878	rc = VERR_EM_INTERPRETER;
11879	break;
11880	}
11881	Log4(("PUSHF %#x -> %#RGv\n", Eflags.u, GCPtrStack));
11882	pMixedCtx->esp -= cbParm;
11883	pMixedCtx->esp &= uMask;
11884	pMixedCtx->rip += pDis->cbInstr;
11885	pMixedCtx->eflags.Bits.u1RF = 0;
11886	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11887	\| HM_CHANGED_GUEST_RSP
11888	\| HM_CHANGED_GUEST_RFLAGS);
11889	if ( !fDbgStepping
11890	&& pMixedCtx->eflags.Bits.u1TF)
11891	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11892	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitPushf);
11893	break;
11894	}
11895
11896	case OP_IRET:
11897	{
11898	/** @todo Handle 32-bit operand sizes and check stack limits. See Intel
11899	* instruction reference. */
11900	RTGCPTR GCPtrStack = 0;
11901	uint32_t uMask = 0xffff;
11902	bool fGstStepping = RT_BOOL(pMixedCtx->eflags.Bits.u1TF);
11903	uint16_t aIretFrame[3];
11904	if (pDis->fPrefix & (DISPREFIX_OPSIZE \| DISPREFIX_ADDRSIZE))
11905	{
11906	rc = VERR_EM_INTERPRETER;
11907	break;
11908	}
11909	rc = SELMToFlatEx(pVCpu, DISSELREG_SS, CPUMCTX2CORE(pMixedCtx), pMixedCtx->esp & uMask, SELMTOFLAT_FLAGS_CPL0,
11910	&GCPtrStack);
11911	if (RT_SUCCESS(rc))
11912	{
11913	rc = VBOXSTRICTRC_TODO(PGMPhysRead(pVM, (RTGCPHYS)GCPtrStack, &aIretFrame[0], sizeof(aIretFrame),
11914	PGMACCESSORIGIN_HM));
11915	AssertMsg(rc == VINF_SUCCESS, ("%Rrc\n", rc)); /** @todo allow strict return codes here */
11916	}
11917	if (RT_FAILURE(rc))
11918	{
11919	rc = VERR_EM_INTERPRETER;
11920	break;
11921	}
11922	pMixedCtx->eip = 0;
11923	pMixedCtx->ip = aIretFrame[0];
11924	pMixedCtx->cs.Sel = aIretFrame[1];
11925	pMixedCtx->cs.ValidSel = aIretFrame[1];
11926	pMixedCtx->cs.u64Base = (uint64_t)pMixedCtx->cs.Sel << 4;
11927	pMixedCtx->eflags.u32 = (pMixedCtx->eflags.u32 & ((UINT32_C(0xffff0000) \| X86_EFL_1) & ~X86_EFL_RF))
11928	\| (aIretFrame[2] & X86_EFL_POPF_BITS & uMask);
11929	pMixedCtx->sp += sizeof(aIretFrame);
11930	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
11931	\| HM_CHANGED_GUEST_SEGMENT_REGS
11932	\| HM_CHANGED_GUEST_RSP
11933	\| HM_CHANGED_GUEST_RFLAGS);
11934	/* Generate a pending-debug exception when stepping over IRET regardless of how IRET modifies EFLAGS.TF. */
11935	if ( !fDbgStepping
11936	&& fGstStepping)
11937	hmR0VmxSetPendingDebugXcptVmcs(pVCpu);
11938	Log4(("IRET %#RX32 to %04x:%04x\n", GCPtrStack, pMixedCtx->cs.Sel, pMixedCtx->ip));
11939	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIret);
11940	break;
11941	}
11942
11943	case OP_INT:
11944	{
11945	uint16_t uVector = pDis->Param1.uValue & 0xff;
11946	hmR0VmxSetPendingIntN(pVCpu, pMixedCtx, uVector, pDis->cbInstr);
11947	/* INT clears EFLAGS.TF, we mustn't set any pending debug exceptions here. */
11948	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInt);
11949	break;
11950	}
11951
11952	case OP_INTO:
11953	{
11954	if (pMixedCtx->eflags.Bits.u1OF)
11955	{
11956	hmR0VmxSetPendingXcptOF(pVCpu, pMixedCtx, pDis->cbInstr);
11957	/* INTO clears EFLAGS.TF, we mustn't set any pending debug exceptions here. */
11958	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitInt);
11959	}
11960	else
11961	{
11962	pMixedCtx->eflags.Bits.u1RF = 0;
11963	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS);
11964	}
11965	break;
11966	}
11967
11968	default:
11969	{
11970	pMixedCtx->eflags.Bits.u1RF = 0; /* This is correct most of the time... */
11971	VBOXSTRICTRC rc2 = EMInterpretInstructionDisasState(pVCpu, pDis, CPUMCTX2CORE(pMixedCtx), 0 /* pvFault */,
11972	EMCODETYPE_SUPERVISOR);
11973	rc = VBOXSTRICTRC_VAL(rc2);
11974	HMCPU_CF_SET(pVCpu, HM_CHANGED_ALL_GUEST);
11975	/** @todo We have to set pending-debug exceptions here when the guest is
11976	* single-stepping depending on the instruction that was interpreted. */
11977	Log4(("#GP rc=%Rrc\n", rc));
11978	break;
11979	}
11980	}
11981	}
11982	else
11983	rc = VERR_EM_INTERPRETER;
11984
11985	AssertMsg(rc == VINF_SUCCESS \|\| rc == VERR_EM_INTERPRETER \|\| rc == VINF_PGM_CHANGE_MODE \|\| rc == VINF_EM_HALT,
11986	("#GP Unexpected rc=%Rrc\n", rc));
11987	return rc;
11988	}
11989
11990
11991	#ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS
11992	/**
11993	* VM-exit exception handler wrapper for generic exceptions. Simply re-injects
11994	* the exception reported in the VMX transient structure back into the VM.
11995	*
11996	* @remarks Requires uExitIntInfo in the VMX transient structure to be
11997	* up-to-date.
11998	*/
11999	static int hmR0VmxExitXcptGeneric(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12000	{
12001	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12002
12003	/* Re-inject the exception into the guest. This cannot be a double-fault condition which would have been handled in
12004	hmR0VmxCheckExitDueToEventDelivery(). */
12005	int rc = hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
12006	rc \|= hmR0VmxReadExitInstrLenVmcs(pVmxTransient);
12007	AssertRCReturn(rc, rc);
12008	Assert(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO);
12009
12010	#ifdef DEBUG_ramshankar
12011	rc \|= hmR0VmxSaveGuestSegmentRegs(pVCpu, pMixedCtx);
12012	uint8_t uVector = VMX_EXIT_INTERRUPTION_INFO_VECTOR(pVmxTransient->uExitIntInfo);
12013	Log(("hmR0VmxExitXcptGeneric: Reinjecting Xcpt. uVector=%#x cs:rip=%#04x:%#RX64\n", uVector, pCtx->cs.Sel, pCtx->rip));
12014	#endif
12015
12016	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12017	pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */);
12018	return VINF_SUCCESS;
12019	}
12020	#endif
12021
12022
12023	/**
12024	* VM-exit exception handler for \#PF (Page-fault exception).
12025	*/
12026	static int hmR0VmxExitXcptPF(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient)
12027	{
12028	HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS();
12029	PVM pVM = pVCpu->CTX_SUFF(pVM);
12030	int rc = hmR0VmxReadExitQualificationVmcs(pVCpu, pVmxTransient);
12031	rc \|= hmR0VmxReadExitIntInfoVmcs(pVmxTransient);
12032	rc \|= hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient);
12033	AssertRCReturn(rc, rc);
12034
12035	#if defined(HMVMX_ALWAYS_TRAP_ALL_XCPTS) \|\| defined(HMVMX_ALWAYS_TRAP_PF)
12036	if (pVM->hm.s.fNestedPaging)
12037	{
12038	pVCpu->hm.s.Event.fPending = false; /* In case it's a contributory or vectoring #PF. */
12039	if (RT_LIKELY(!pVmxTransient->fVectoringDoublePF))
12040	{
12041	pMixedCtx->cr2 = pVmxTransient->uExitQualification; /* Update here in case we go back to ring-3 before injection. */
12042	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12043	0 /* cbInstr */, pVmxTransient->uExitIntErrorCode, pVmxTransient->uExitQualification);
12044	}
12045	else
12046	{
12047	/* A guest page-fault occurred during delivery of a page-fault. Inject #DF. */
12048	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
12049	Log4(("Pending #DF due to vectoring #PF. NP\n"));
12050	}
12051	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
12052	return rc;
12053	}
12054	#else
12055	Assert(!pVM->hm.s.fNestedPaging);
12056	NOREF(pVM);
12057	#endif
12058
12059	/* If it's a vectoring #PF, emulate injecting the original event injection as PGMTrap0eHandler() is incapable
12060	of differentiating between instruction emulation and event injection that caused a #PF. See @bugref{6607}. */
12061	if (pVmxTransient->fVectoringPF)
12062	{
12063	Assert(pVCpu->hm.s.Event.fPending);
12064	return VINF_EM_RAW_INJECT_TRPM_EVENT;
12065	}
12066
12067	rc = hmR0VmxSaveGuestState(pVCpu, pMixedCtx);
12068	AssertRCReturn(rc, rc);
12069
12070	Log4(("#PF: cr2=%#RX64 cs:rip=%#04x:%#RX64 uErrCode %#RX32 cr3=%#RX64\n", pVmxTransient->uExitQualification,
12071	pMixedCtx->cs.Sel, pMixedCtx->rip, pVmxTransient->uExitIntErrorCode, pMixedCtx->cr3));
12072
12073	TRPMAssertXcptPF(pVCpu, pVmxTransient->uExitQualification, (RTGCUINT)pVmxTransient->uExitIntErrorCode);
12074	rc = PGMTrap0eHandler(pVCpu, pVmxTransient->uExitIntErrorCode, CPUMCTX2CORE(pMixedCtx),
12075	(RTGCPTR)pVmxTransient->uExitQualification);
12076
12077	Log4(("#PF: rc=%Rrc\n", rc));
12078	if (rc == VINF_SUCCESS)
12079	{
12080	/* Successfully synced shadow pages tables or emulated an MMIO instruction. */
12081	/** @todo this isn't quite right, what if guest does lgdt with some MMIO
12082	* memory? We don't update the whole state here... */
12083	HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RIP
12084	\| HM_CHANGED_GUEST_RSP
12085	\| HM_CHANGED_GUEST_RFLAGS
12086	\| HM_CHANGED_VMX_GUEST_APIC_STATE);
12087	TRPMResetTrap(pVCpu);
12088	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPF);
12089	return rc;
12090	}
12091
12092	if (rc == VINF_EM_RAW_GUEST_TRAP)
12093	{
12094	if (!pVmxTransient->fVectoringDoublePF)
12095	{
12096	/* It's a guest page fault and needs to be reflected to the guest. */
12097	uint32_t uGstErrorCode = TRPMGetErrorCode(pVCpu);
12098	TRPMResetTrap(pVCpu);
12099	pVCpu->hm.s.Event.fPending = false; /* In case it's a contributory #PF. */
12100	pMixedCtx->cr2 = pVmxTransient->uExitQualification; /* Update here in case we go back to ring-3 before injection. */
12101	hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
12102	0 /* cbInstr */, uGstErrorCode, pVmxTransient->uExitQualification);
12103	}
12104	else
12105	{
12106	/* A guest page-fault occurred during delivery of a page-fault. Inject #DF. */
12107	TRPMResetTrap(pVCpu);
12108	pVCpu->hm.s.Event.fPending = false; /* Clear pending #PF to replace it with #DF. */
12109	hmR0VmxSetPendingXcptDF(pVCpu, pMixedCtx);
12110	Log4(("#PF: Pending #DF due to vectoring #PF\n"));
12111	}
12112
12113	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
12114	return VINF_SUCCESS;
12115	}
12116
12117	TRPMResetTrap(pVCpu);
12118	STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPFEM);
12119	return rc;
12120	}
12121
12122	/** @} */
12123

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp@ 58118

Download in other formats: