Changeset 92219 in vbox

Timestamp:

Nov 4, 2021 7:17:05 PM (4 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

148052

Message:

VMM/VMMAll/VMXAllTemplate.cpp.h: Delete more code only usable in R0 and introduce the VCPU_2_VMXSTATE() macro which resolves from the vCPU pointer to the VMX state of the calling component (either HM or NEM/Apple), bugref:10136

File:

• trunk/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h (modified) (338 diffs)

trunk/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h

@@ -119 +119 @@
 /** Profiling macro. */
 #ifdef HM_PROFILE_EXIT_DISPATCH
-# define HMVMX_START_EXIT_DISPATCH_PROF()           STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitDispatch, ed)
-# define HMVMX_STOP_EXIT_DISPATCH_PROF()            STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitDispatch, ed)
+# define HMVMX_START_EXIT_DISPATCH_PROF()           STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitDispatch, ed)
+# define HMVMX_STOP_EXIT_DISPATCH_PROF()            STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitDispatch, ed)
 #else
 # define HMVMX_START_EXIT_DISPATCH_PROF()           do { } while (0)
@@ -126 +126 @@
 #endif
 
+#ifdef IN_RING0
 /** Assert that preemption is disabled or covered by thread-context hooks. */
-#define HMVMX_ASSERT_PREEMPT_SAFE(a_pVCpu)          Assert(   VMMR0ThreadCtxHookIsEnabled((a_pVCpu))   \
-                                                           || !RTThreadPreemptIsEnabled(NIL_RTTHREAD))
+# define HMVMX_ASSERT_PREEMPT_SAFE(a_pVCpu)          Assert(   VMMR0ThreadCtxHookIsEnabled((a_pVCpu))   \
+                                                            || !RTThreadPreemptIsEnabled(NIL_RTTHREAD))
 
 /** Assert that we haven't migrated CPUs when thread-context hooks are not
  *  used. */
-#define HMVMX_ASSERT_CPU_SAFE(a_pVCpu)              AssertMsg(   VMMR0ThreadCtxHookIsEnabled((a_pVCpu)) \
-                                                              || (a_pVCpu)->hmr0.s.idEnteredCpu == RTMpCpuId(), \
-                                                              ("Illegal migration! Entered on CPU %u Current %u\n", \
-                                                              (a_pVCpu)->hmr0.s.idEnteredCpu, RTMpCpuId()))
+# define HMVMX_ASSERT_CPU_SAFE(a_pVCpu)              AssertMsg(   VMMR0ThreadCtxHookIsEnabled((a_pVCpu)) \
+                                                               || (a_pVCpu)->hmr0.s.idEnteredCpu == RTMpCpuId(), \
+                                                               ("Illegal migration! Entered on CPU %u Current %u\n", \
+                                                               (a_pVCpu)->hmr0.s.idEnteredCpu, RTMpCpuId()))
+#else
+# define HMVMX_ASSERT_PREEMPT_SAFE(a_pVCpu)          do { } while (0)
+# define HMVMX_ASSERT_CPU_SAFE(a_pVCpu)              do { } while (0)
+#endif
 
 /** Asserts that the given CPUMCTX_EXTRN_XXX bits are present in the guest-CPU
@@ -839 +844 @@
 
 
+#ifdef IN_RING0
 /**
  * Checks if the given MSR is part of the lastbranch-from-IP MSR stack.
@@ -894 +900 @@
     return false;
 }
+#endif
 
 
@@ -919 +926 @@
      *        enmGuestMode to be in-sync with the current mode. See @bugref{6398}
      *        and @bugref{6944}. */
+#ifdef IN_RING0
     PCVMCC pVM = pVCpu->CTX_SUFF(pVM);
+#else
+    RT_NOREF(pVCpu);
+#endif
     return (  X86_CR0_PE
             | X86_CR0_NE
+#ifdef IN_RING0
             | (pVM->hmr0.s.fNestedPaging ? 0 : X86_CR0_WP)
+#endif
             | X86_CR0_PG
             | VMX_EXIT_HOST_CR0_IGNORE_MASK);
@@ -978 +991 @@
                                | (fFxSaveRstor ? X86_CR4_OSFXSR   : 0));
     return ~fGstMask;
-}
-
-
-/**
- * Gets the active (in use) VMCS info. object for the specified VCPU.
- *
- * This is either the guest or nested-guest VMCS info. and need not necessarily
- * pertain to the "current" VMCS (in the VMX definition of the term). For instance,
- * if the VM-entry failed due to an invalid-guest state, we may have "cleared" the
- * current VMCS while returning to ring-3. However, the VMCS info. object for that
- * VMCS would still be active and returned here so that we could dump the VMCS
- * fields to ring-3 for diagnostics. This function is thus only used to
- * distinguish between the nested-guest or guest VMCS.
- *
- * @returns The active VMCS information.
- * @param   pVCpu   The cross context virtual CPU structure.
- *
- * @thread  EMT.
- * @remarks This function may be called with preemption or interrupts disabled!
- */
-DECLINLINE(PVMXVMCSINFO) hmGetVmxActiveVmcsInfo(PVMCPUCC pVCpu)
-{
-    if (!pVCpu->hmr0.s.vmx.fSwitchedToNstGstVmcs)
-        return &pVCpu->hmr0.s.vmx.VmcsInfo;
-    return &pVCpu->hmr0.s.vmx.VmcsInfoNstGst;
 }
 
@@ -1165 +1153 @@
         {
             /* Validate we are not removing any essential exception intercepts. */
+#ifdef IN_RING0
             Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging || !(uXcptMask & RT_BIT(X86_XCPT_PF)));
+#else
+            Assert(!(uXcptMask & RT_BIT(X86_XCPT_PF)));
+#endif
             NOREF(pVCpu);
             Assert(!(uXcptMask & RT_BIT(X86_XCPT_DB)));
@@ -1201 +1193 @@
 
 
-/**
- * Loads the VMCS specified by the VMCS info. object.
- *
- * @returns VBox status code.
- * @param   pVmcsInfo       The VMCS info. object.
- *
- * @remarks Can be called with interrupts disabled.
- */
-static int vmxHCLoadVmcs(PVMXVMCSINFO pVmcsInfo)
-{
-    Assert(pVmcsInfo->HCPhysVmcs != 0 && pVmcsInfo->HCPhysVmcs != NIL_RTHCPHYS);
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    int rc = VMXLoadVmcs(pVmcsInfo->HCPhysVmcs);
-    if (RT_SUCCESS(rc))
-        pVmcsInfo->fVmcsState |= VMX_V_VMCS_LAUNCH_STATE_CURRENT;
-    return rc;
-}
-
-
-/**
- * Clears the VMCS specified by the VMCS info. object.
- *
- * @returns VBox status code.
- * @param   pVmcsInfo   The VMCS info. object.
- *
- * @remarks Can be called with interrupts disabled.
- */
-static int vmxHCClearVmcs(PVMXVMCSINFO pVmcsInfo)
-{
-    Assert(pVmcsInfo->HCPhysVmcs != 0 && pVmcsInfo->HCPhysVmcs != NIL_RTHCPHYS);
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    int rc = VMXClearVmcs(pVmcsInfo->HCPhysVmcs);
-    if (RT_SUCCESS(rc))
-        pVmcsInfo->fVmcsState = VMX_V_VMCS_LAUNCH_STATE_CLEAR;
-    return rc;
-}
-
-
 #ifdef VBOX_WITH_NESTED_HWVIRT_VMX
 /**
@@ -1373 +1325 @@
     {
         pVCpu->hmr0.s.vmx.fSwitchedToNstGstVmcs           = fSwitchToNstGstVmcs;
-        pVCpu->hm.s.vmx.fSwitchedToNstGstVmcsCopyForRing3 = fSwitchToNstGstVmcs;
+        VCPU_2_VMXSTATE(pVCpu).vmx.fSwitchedToNstGstVmcsCopyForRing3 = fSwitchToNstGstVmcs;
 
         /*
@@ -1389 +1341 @@
         { /* likely */ }
         else
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_HOST_CONTEXT | HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_HOST_CONTEXT | HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE);
 
         ASMSetFlags(fEFlags);
@@ -1425 +1377 @@
     {
         AssertPtrReturnVoid(pVCpu);
-        VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
-    }
+        VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_RO_VM_INSTR_ERROR, &VCPU_2_VMXSTATE(pVCpu).vmx.LastError.u32InstrError);
+    }
+#if IN_RING0
     pVCpu->CTX_SUFF(pVM)->hm.s.ForR3.rcInit = rc;
+#endif
 }
 
@@ -1826 +1780 @@
 
     LogRel(("Auto-load/store MSR count exceeded! cMsrs=%u MaxSupported=%u\n", cMsrs, cMaxSupportedMsrs));
-    pVCpu->hm.s.u32HMError = VMX_UFC_INSUFFICIENT_GUEST_MSR_STORAGE;
+    VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_INSUFFICIENT_GUEST_MSR_STORAGE;
     return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
 }
@@ -1847 +1801 @@
  */
 static int vmxHCAddAutoLoadStoreMsr(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient, uint32_t idMsr, uint64_t uGuestMsrValue,
-                                      bool fSetReadWrite, bool fUpdateHostMsr)
+                                    bool fSetReadWrite, bool fUpdateHostMsr)
 {
     PVMXVMCSINFO  pVmcsInfo     = pVmxTransient->pVmcsInfo;
@@ -1904 +1858 @@
     pHostMsr[i].u32Msr = idMsr;
 
+#ifdef IN_RING0
     /*
      * Only if the caller requests to update the host MSR value AND we've newly added the
@@ -1925 +1880 @@
         }
     }
+#else
+    RT_NOREF(fUpdateHostMsr);
+#endif
     return VINF_SUCCESS;
 }
@@ -2027 +1985 @@
 
 /**
- * Updates the value of all host MSRs in the VM-exit MSR-load area.
- *
- * @param   pVCpu       The cross context virtual CPU structure.
- * @param   pVmcsInfo   The VMCS info. object.
- *
- * @remarks No-long-jump zone!!!
- */
-static void vmxHCUpdateAutoLoadHostMsrs(PCVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo)
-{
-    RT_NOREF(pVCpu);
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    PVMXAUTOMSR pHostMsrLoad = (PVMXAUTOMSR)pVmcsInfo->pvHostMsrLoad;
-    uint32_t const cMsrs     = pVmcsInfo->cExitMsrLoad;
-    Assert(pHostMsrLoad);
-    Assert(sizeof(*pHostMsrLoad) * cMsrs <= X86_PAGE_4K_SIZE);
-    LogFlowFunc(("pVCpu=%p cMsrs=%u\n", pVCpu, cMsrs));
-    for (uint32_t i = 0; i < cMsrs; i++)
-    {
-        /*
-         * Performance hack for the host EFER MSR. We use the cached value rather than re-read it.
-         * Strict builds will catch mismatches in vmxHCCheckAutoLoadStoreMsrs(). See @bugref{7368}.
-         */
-        if (pHostMsrLoad[i].u32Msr == MSR_K6_EFER)
-            pHostMsrLoad[i].u64Value = g_uHmVmxHostMsrEfer;
-        else
-            pHostMsrLoad[i].u64Value = ASMRdMsr(pHostMsrLoad[i].u32Msr);
-    }
-}
-
-
-/**
- * Saves a set of host MSRs to allow read/write passthru access to the guest and
- * perform lazy restoration of the host MSRs while leaving VT-x.
- *
- * @param   pVCpu   The cross context virtual CPU structure.
- *
- * @remarks No-long-jump zone!!!
- */
-static void vmxHCLazySaveHostMsrs(PVMCPUCC pVCpu)
-{
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    /*
-     * Note: If you're adding MSRs here, make sure to update the MSR-bitmap accesses in vmxHCSetupVmcsProcCtls().
-     */
-    if (!(pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST))
-    {
-        Assert(!(pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST));  /* Guest MSRs better not be loaded now. */
-        if (pVCpu->CTX_SUFF(pVM)->hmr0.s.fAllow64BitGuests)
-        {
-            pVCpu->hmr0.s.vmx.u64HostMsrLStar        = ASMRdMsr(MSR_K8_LSTAR);
-            pVCpu->hmr0.s.vmx.u64HostMsrStar         = ASMRdMsr(MSR_K6_STAR);
-            pVCpu->hmr0.s.vmx.u64HostMsrSfMask       = ASMRdMsr(MSR_K8_SF_MASK);
-            pVCpu->hmr0.s.vmx.u64HostMsrKernelGsBase = ASMRdMsr(MSR_K8_KERNEL_GS_BASE);
-        }
-        pVCpu->hmr0.s.vmx.fLazyMsrs |= VMX_LAZY_MSRS_SAVED_HOST;
-    }
-}
-
-
-/**
- * Checks whether the MSR belongs to the set of guest MSRs that we restore
- * lazily while leaving VT-x.
- *
- * @returns true if it does, false otherwise.
- * @param   pVCpu   The cross context virtual CPU structure.
- * @param   idMsr   The MSR to check.
- */
-static bool vmxHCIsLazyGuestMsr(PCVMCPUCC pVCpu, uint32_t idMsr)
-{
-    if (pVCpu->CTX_SUFF(pVM)->hmr0.s.fAllow64BitGuests)
-    {
-        switch (idMsr)
-        {
-            case MSR_K8_LSTAR:
-            case MSR_K6_STAR:
-            case MSR_K8_SF_MASK:
-            case MSR_K8_KERNEL_GS_BASE:
-                return true;
-        }
-    }
-    return false;
-}
-
-
-/**
- * Loads a set of guests MSRs to allow read/passthru to the guest.
- *
- * The name of this function is slightly confusing. This function does NOT
- * postpone loading, but loads the MSR right now. "vmxHCLazy" is simply a
- * common prefix for functions dealing with "lazy restoration" of the shared
- * MSRs.
- *
- * @param   pVCpu   The cross context virtual CPU structure.
- *
- * @remarks No-long-jump zone!!!
- */
-static void vmxHCLazyLoadGuestMsrs(PVMCPUCC pVCpu)
-{
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-    Assert(!VMMRZCallRing3IsEnabled(pVCpu));
-
-    Assert(pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
-    if (pVCpu->CTX_SUFF(pVM)->hmr0.s.fAllow64BitGuests)
-    {
-        /*
-         * If the guest MSRs are not loaded -and- if all the guest MSRs are identical
-         * to the MSRs on the CPU (which are the saved host MSRs, see assertion above) then
-         * we can skip a few MSR writes.
-         *
-         * Otherwise, it implies either 1. they're not loaded, or 2. they're loaded but the
-         * guest MSR values in the guest-CPU context might be different to what's currently
-         * loaded in the CPU. In either case, we need to write the new guest MSR values to the
-         * CPU, see @bugref{8728}.
-         */
-        PCCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
-        if (   !(pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
-            && pCtx->msrKERNELGSBASE == pVCpu->hmr0.s.vmx.u64HostMsrKernelGsBase
-            && pCtx->msrLSTAR        == pVCpu->hmr0.s.vmx.u64HostMsrLStar
-            && pCtx->msrSTAR         == pVCpu->hmr0.s.vmx.u64HostMsrStar
-            && pCtx->msrSFMASK       == pVCpu->hmr0.s.vmx.u64HostMsrSfMask)
-        {
-#ifdef VBOX_STRICT
-            Assert(ASMRdMsr(MSR_K8_KERNEL_GS_BASE) == pCtx->msrKERNELGSBASE);
-            Assert(ASMRdMsr(MSR_K8_LSTAR)          == pCtx->msrLSTAR);
-            Assert(ASMRdMsr(MSR_K6_STAR)           == pCtx->msrSTAR);
-            Assert(ASMRdMsr(MSR_K8_SF_MASK)        == pCtx->msrSFMASK);
-#endif
-        }
-        else
-        {
-            ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pCtx->msrKERNELGSBASE);
-            ASMWrMsr(MSR_K8_LSTAR,          pCtx->msrLSTAR);
-            ASMWrMsr(MSR_K6_STAR,           pCtx->msrSTAR);
-            /* The system call flag mask register isn't as benign and accepting of all
-               values as the above, so mask it to avoid #GP'ing on corrupted input. */
-            Assert(!(pCtx->msrSFMASK & ~(uint64_t)UINT32_MAX));
-            ASMWrMsr(MSR_K8_SF_MASK,        pCtx->msrSFMASK & UINT32_MAX);
-        }
-    }
-    pVCpu->hmr0.s.vmx.fLazyMsrs |= VMX_LAZY_MSRS_LOADED_GUEST;
-}
-
-
-/**
- * Performs lazy restoration of the set of host MSRs if they were previously
- * loaded with guest MSR values.
- *
- * @param   pVCpu   The cross context virtual CPU structure.
- *
- * @remarks No-long-jump zone!!!
- * @remarks The guest MSRs should have been saved back into the guest-CPU
- *          context by vmxHCImportGuestState()!!!
- */
-static void vmxHCLazyRestoreHostMsrs(PVMCPUCC pVCpu)
-{
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-    Assert(!VMMRZCallRing3IsEnabled(pVCpu));
-
-    if (pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_LOADED_GUEST)
-    {
-        Assert(pVCpu->hmr0.s.vmx.fLazyMsrs & VMX_LAZY_MSRS_SAVED_HOST);
-        if (pVCpu->CTX_SUFF(pVM)->hmr0.s.fAllow64BitGuests)
-        {
-            ASMWrMsr(MSR_K8_LSTAR,          pVCpu->hmr0.s.vmx.u64HostMsrLStar);
-            ASMWrMsr(MSR_K6_STAR,           pVCpu->hmr0.s.vmx.u64HostMsrStar);
-            ASMWrMsr(MSR_K8_SF_MASK,        pVCpu->hmr0.s.vmx.u64HostMsrSfMask);
-            ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pVCpu->hmr0.s.vmx.u64HostMsrKernelGsBase);
-        }
-    }
-    pVCpu->hmr0.s.vmx.fLazyMsrs &= ~(VMX_LAZY_MSRS_LOADED_GUEST | VMX_LAZY_MSRS_SAVED_HOST);
-}
-
-
-/**
  * Verifies that our cached values of the VMCS fields are all consistent with
  * what's actually present in the VMCS.
@@ -2224 +2006 @@
     AssertMsgReturnStmt(pVmcsInfo->u32EntryCtls == u32Val,
                         ("%s entry controls mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32EntryCtls, u32Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_ENTRY,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_ENTRY,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2231 +2013 @@
     AssertMsgReturnStmt(pVmcsInfo->u32ExitCtls == u32Val,
                         ("%s exit controls mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32ExitCtls, u32Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_EXIT,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_EXIT,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2238 +2020 @@
     AssertMsgReturnStmt(pVmcsInfo->u32PinCtls == u32Val,
                         ("%s pin controls mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32PinCtls, u32Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_PIN_EXEC,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_PIN_EXEC,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2245 +2027 @@
     AssertMsgReturnStmt(pVmcsInfo->u32ProcCtls == u32Val,
                         ("%s proc controls mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32ProcCtls, u32Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_PROC_EXEC,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_PROC_EXEC,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2254 +2036 @@
         AssertMsgReturnStmt(pVmcsInfo->u32ProcCtls2 == u32Val,
                             ("%s proc2 controls mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32ProcCtls2, u32Val),
-                            pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_PROC_EXEC2,
+                            VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_PROC_EXEC2,
                             VERR_VMX_VMCS_FIELD_CACHE_INVALID);
     }
@@ -2265 +2047 @@
         AssertMsgReturnStmt(pVmcsInfo->u64ProcCtls3 == u64Val,
                             ("%s proc3 controls mismatch: Cache=%#RX32 VMCS=%#RX64\n", pcszVmcs, pVmcsInfo->u64ProcCtls3, u64Val),
-                            pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_PROC_EXEC3,
+                            VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_PROC_EXEC3,
                             VERR_VMX_VMCS_FIELD_CACHE_INVALID);
     }
@@ -2273 +2055 @@
     AssertMsgReturnStmt(pVmcsInfo->u32XcptBitmap == u32Val,
                         ("%s exception bitmap mismatch: Cache=%#RX32 VMCS=%#RX32\n", pcszVmcs, pVmcsInfo->u32XcptBitmap, u32Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_XCPT_BITMAP,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_XCPT_BITMAP,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2280 +2062 @@
     AssertMsgReturnStmt(pVmcsInfo->u64TscOffset == u64Val,
                         ("%s TSC offset mismatch: Cache=%#RX64 VMCS=%#RX64\n", pcszVmcs, pVmcsInfo->u64TscOffset, u64Val),
-                        pVCpu->hm.s.u32HMError = VMX_VCI_CTRL_TSC_OFFSET,
+                        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_VCI_CTRL_TSC_OFFSET,
                         VERR_VMX_VMCS_FIELD_CACHE_INVALID);
 
@@ -2287 +2069 @@
 }
 
-#ifdef VBOX_STRICT
-
-/**
- * Verifies that our cached host EFER MSR value has not changed since we cached it.
- *
- * @param   pVmcsInfo   The VMCS info. object.
- */
-static void vmxHCCheckHostEferMsr(PCVMXVMCSINFO pVmcsInfo)
-{
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    if (pVmcsInfo->u32ExitCtls & VMX_EXIT_CTLS_LOAD_EFER_MSR)
-    {
-        uint64_t const uHostEferMsr      = ASMRdMsr(MSR_K6_EFER);
-        uint64_t const uHostEferMsrCache = g_uHmVmxHostMsrEfer;
-        uint64_t       uVmcsEferMsrVmcs;
-        int rc = VMX_VMCS_READ_64(pVCpu, VMX_VMCS64_HOST_EFER_FULL, &uVmcsEferMsrVmcs);
-        AssertRC(rc);
-
-        AssertMsgReturnVoid(uHostEferMsr == uVmcsEferMsrVmcs,
-                            ("EFER Host/VMCS mismatch! host=%#RX64 vmcs=%#RX64\n", uHostEferMsr, uVmcsEferMsrVmcs));
-        AssertMsgReturnVoid(uHostEferMsr == uHostEferMsrCache,
-                            ("EFER Host/Cache mismatch! host=%#RX64 cache=%#RX64\n", uHostEferMsr, uHostEferMsrCache));
-    }
-}
-
-
-/**
- * Verifies whether the guest/host MSR pairs in the auto-load/store area in the
- * VMCS are correct.
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmcsInfo       The VMCS info. object.
- * @param   fIsNstGstVmcs   Whether this is a nested-guest VMCS.
- */
-static void vmxHCCheckAutoLoadStoreMsrs(PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo, bool fIsNstGstVmcs)
-{
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    /* Read the various MSR-area counts from the VMCS. */
-    uint32_t cEntryLoadMsrs;
-    uint32_t cExitStoreMsrs;
-    uint32_t cExitLoadMsrs;
-    int rc = VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT, &cEntryLoadMsrs);  AssertRC(rc);
-    rc     = VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT, &cExitStoreMsrs);  AssertRC(rc);
-    rc     = VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT,  &cExitLoadMsrs);   AssertRC(rc);
-
-    /* Verify all the MSR counts are the same. */
-    Assert(cEntryLoadMsrs == cExitStoreMsrs);
-    Assert(cExitStoreMsrs == cExitLoadMsrs);
-    uint32_t const cMsrs = cExitLoadMsrs;
-
-    /* Verify the MSR counts do not exceed the maximum count supported by the hardware. */
-    Assert(cMsrs < VMX_MISC_MAX_MSRS(g_HmMsrs.u.vmx.u64Misc));
-
-    /* Verify the MSR counts are within the allocated page size. */
-    Assert(sizeof(VMXAUTOMSR) * cMsrs <= X86_PAGE_4K_SIZE);
-
-    /* Verify the relevant contents of the MSR areas match. */
-    PCVMXAUTOMSR pGuestMsrLoad  = (PCVMXAUTOMSR)pVmcsInfo->pvGuestMsrLoad;
-    PCVMXAUTOMSR pGuestMsrStore = (PCVMXAUTOMSR)pVmcsInfo->pvGuestMsrStore;
-    PCVMXAUTOMSR pHostMsrLoad   = (PCVMXAUTOMSR)pVmcsInfo->pvHostMsrLoad;
-    bool const   fSeparateExitMsrStorePage = vmxHCIsSeparateExitMsrStoreAreaVmcs(pVmcsInfo);
-    for (uint32_t i = 0; i < cMsrs; i++)
-    {
-        /* Verify that the MSRs are paired properly and that the host MSR has the correct value. */
-        if (fSeparateExitMsrStorePage)
-        {
-            AssertMsgReturnVoid(pGuestMsrLoad->u32Msr == pGuestMsrStore->u32Msr,
-                                ("GuestMsrLoad=%#RX32 GuestMsrStore=%#RX32 cMsrs=%u\n",
-                                 pGuestMsrLoad->u32Msr, pGuestMsrStore->u32Msr, cMsrs));
-        }
-
-        AssertMsgReturnVoid(pHostMsrLoad->u32Msr == pGuestMsrLoad->u32Msr,
-                            ("HostMsrLoad=%#RX32 GuestMsrLoad=%#RX32 cMsrs=%u\n",
-                             pHostMsrLoad->u32Msr, pGuestMsrLoad->u32Msr, cMsrs));
-
-        uint64_t const u64HostMsr = ASMRdMsr(pHostMsrLoad->u32Msr);
-        AssertMsgReturnVoid(pHostMsrLoad->u64Value == u64HostMsr,
-                            ("u32Msr=%#RX32 VMCS Value=%#RX64 ASMRdMsr=%#RX64 cMsrs=%u\n",
-                             pHostMsrLoad->u32Msr, pHostMsrLoad->u64Value, u64HostMsr, cMsrs));
-
-        /* Verify that cached host EFER MSR matches what's loaded on the CPU. */
-        bool const fIsEferMsr = RT_BOOL(pHostMsrLoad->u32Msr == MSR_K6_EFER);
-        AssertMsgReturnVoid(!fIsEferMsr || u64HostMsr == g_uHmVmxHostMsrEfer,
-                            ("Cached=%#RX64 ASMRdMsr=%#RX64 cMsrs=%u\n", g_uHmVmxHostMsrEfer, u64HostMsr, cMsrs));
-
-        /* Verify that the accesses are as expected in the MSR bitmap for auto-load/store MSRs. */
-        if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_MSR_BITMAPS)
-        {
-            uint32_t const fMsrpm = CPUMGetVmxMsrPermission(pVmcsInfo->pvMsrBitmap, pGuestMsrLoad->u32Msr);
-            if (fIsEferMsr)
-            {
-                AssertMsgReturnVoid((fMsrpm & VMXMSRPM_EXIT_RD), ("Passthru read for EFER MSR!?\n"));
-                AssertMsgReturnVoid((fMsrpm & VMXMSRPM_EXIT_WR), ("Passthru write for EFER MSR!?\n"));
-            }
-            else
-            {
-                /* Verify LBR MSRs (used only for debugging) are intercepted. We don't passthru these MSRs to the guest yet. */
-                PCVMCC pVM = pVCpu->CTX_SUFF(pVM);
-                if (   pVM->hmr0.s.vmx.fLbr
-                    && (   vmxHCIsLbrBranchFromMsr(pVM, pGuestMsrLoad->u32Msr, NULL /* pidxMsr */)
-                        || vmxHCIsLbrBranchToMsr(pVM, pGuestMsrLoad->u32Msr, NULL /* pidxMsr */)
-                        || pGuestMsrLoad->u32Msr == pVM->hmr0.s.vmx.idLbrTosMsr))
-                {
-                    AssertMsgReturnVoid((fMsrpm & VMXMSRPM_MASK) == VMXMSRPM_EXIT_RD_WR,
-                                        ("u32Msr=%#RX32 cMsrs=%u Passthru read/write for LBR MSRs!\n",
-                                         pGuestMsrLoad->u32Msr, cMsrs));
-                }
-                else if (!fIsNstGstVmcs)
-                {
-                    AssertMsgReturnVoid((fMsrpm & VMXMSRPM_MASK) == VMXMSRPM_ALLOW_RD_WR,
-                                        ("u32Msr=%#RX32 cMsrs=%u No passthru read/write!\n", pGuestMsrLoad->u32Msr, cMsrs));
-                }
-                else
-                {
-                    /*
-                     * A nested-guest VMCS must -also- allow read/write passthrough for the MSR for us to
-                     * execute a nested-guest with MSR passthrough.
-                     *
-                     * Check if the nested-guest MSR bitmap allows passthrough, and if so, assert that we
-                     * allow passthrough too.
-                     */
-                    void const *pvMsrBitmapNstGst = pVCpu->cpum.GstCtx.hwvirt.vmx.abMsrBitmap;
-                    Assert(pvMsrBitmapNstGst);
-                    uint32_t const fMsrpmNstGst = CPUMGetVmxMsrPermission(pvMsrBitmapNstGst, pGuestMsrLoad->u32Msr);
-                    AssertMsgReturnVoid(fMsrpm == fMsrpmNstGst,
-                                        ("u32Msr=%#RX32 cMsrs=%u Permission mismatch fMsrpm=%#x fMsrpmNstGst=%#x!\n",
-                                         pGuestMsrLoad->u32Msr, cMsrs, fMsrpm, fMsrpmNstGst));
-                }
-            }
-        }
-
-        /* Move to the next MSR. */
-        pHostMsrLoad++;
-        pGuestMsrLoad++;
-        pGuestMsrStore++;
-    }
-}
-
-#endif /* VBOX_STRICT */
-
-/**
- * Flushes the TLB using EPT.
- *
- * @returns VBox status code.
- * @param   pVCpu           The cross context virtual CPU structure of the calling
- *                          EMT.  Can be NULL depending on @a enmTlbFlush.
- * @param   pVmcsInfo       The VMCS info. object. Can be NULL depending on @a
- *                          enmTlbFlush.
- * @param   enmTlbFlush     Type of flush.
- *
- * @remarks Caller is responsible for making sure this function is called only
- *          when NestedPaging is supported and providing @a enmTlbFlush that is
- *          supported by the CPU.
- * @remarks Can be called with interrupts disabled.
- */
-static void vmxHCFlushEpt(PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo, VMXTLBFLUSHEPT enmTlbFlush)
-{
-    uint64_t au64Descriptor[2];
-    if (enmTlbFlush == VMXTLBFLUSHEPT_ALL_CONTEXTS)
-        au64Descriptor[0] = 0;
-    else
-    {
-        Assert(pVCpu);
-        Assert(pVmcsInfo);
-        au64Descriptor[0] = pVmcsInfo->HCPhysEPTP;
-    }
-    au64Descriptor[1] = 0;                       /* MBZ. Intel spec. 33.3 "VMX Instructions" */
-
-    int rc = VMXR0InvEPT(enmTlbFlush, &au64Descriptor[0]);
-    AssertMsg(rc == VINF_SUCCESS, ("VMXR0InvEPT %#x %#RHp failed. rc=%Rrc\n", enmTlbFlush, au64Descriptor[0], rc));
-
-    if (   RT_SUCCESS(rc)
-        && pVCpu)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushNestedPaging);
-}
-
-
-/**
- * Flushes the TLB using VPID.
- *
- * @returns VBox status code.
- * @param   pVCpu           The cross context virtual CPU structure of the calling
- *                          EMT.  Can be NULL depending on @a enmTlbFlush.
- * @param   enmTlbFlush     Type of flush.
- * @param   GCPtr           Virtual address of the page to flush (can be 0 depending
- *                          on @a enmTlbFlush).
- *
- * @remarks Can be called with interrupts disabled.
- */
-static void vmxHCFlushVpid(PVMCPUCC pVCpu, VMXTLBFLUSHVPID enmTlbFlush, RTGCPTR GCPtr)
-{
-    Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.fVpid);
-
-    uint64_t au64Descriptor[2];
-    if (enmTlbFlush == VMXTLBFLUSHVPID_ALL_CONTEXTS)
-    {
-        au64Descriptor[0] = 0;
-        au64Descriptor[1] = 0;
-    }
-    else
-    {
-        AssertPtr(pVCpu);
-        AssertMsg(pVCpu->hmr0.s.uCurrentAsid != 0, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hmr0.s.uCurrentAsid));
-        AssertMsg(pVCpu->hmr0.s.uCurrentAsid <= UINT16_MAX, ("VMXR0InvVPID: invalid ASID %lu\n", pVCpu->hmr0.s.uCurrentAsid));
-        au64Descriptor[0] = pVCpu->hmr0.s.uCurrentAsid;
-        au64Descriptor[1] = GCPtr;
-    }
-
-    int rc = VMXR0InvVPID(enmTlbFlush, &au64Descriptor[0]);
-    AssertMsg(rc == VINF_SUCCESS,
-              ("VMXR0InvVPID %#x %u %RGv failed with %Rrc\n", enmTlbFlush, pVCpu ? pVCpu->hmr0.s.uCurrentAsid : 0, GCPtr, rc));
-
-    if (   RT_SUCCESS(rc)
-        && pVCpu)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushAsid);
-    NOREF(rc);
-}
-
-
-/**
- * Dummy placeholder for tagged-TLB flush handling before VM-entry. Used in the
- * case where neither EPT nor VPID is supported by the CPU.
- *
- * @param   pHostCpu    The HM physical-CPU structure.
- * @param   pVCpu       The cross context virtual CPU structure.
- *
- * @remarks Called with interrupts disabled.
- */
-static void vmxHCFlushTaggedTlbNone(PHMPHYSCPU pHostCpu, PVMCPUCC pVCpu)
-{
-    AssertPtr(pVCpu);
-    AssertPtr(pHostCpu);
-
-    VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH);
-
-    Assert(pHostCpu->idCpu != NIL_RTCPUID);
-    pVCpu->hmr0.s.idLastCpu     = pHostCpu->idCpu;
-    pVCpu->hmr0.s.cTlbFlushes   = pHostCpu->cTlbFlushes;
-    pVCpu->hmr0.s.fForceTLBFlush  = false;
-    return;
-}
-
-
-/**
- * Flushes the tagged-TLB entries for EPT+VPID CPUs as necessary.
- *
- * @param   pHostCpu    The HM physical-CPU structure.
- * @param   pVCpu       The cross context virtual CPU structure.
- * @param   pVmcsInfo   The VMCS info. object.
- *
- * @remarks  All references to "ASID" in this function pertains to "VPID" in Intel's
- *           nomenclature. The reason is, to avoid confusion in compare statements
- *           since the host-CPU copies are named "ASID".
- *
- * @remarks  Called with interrupts disabled.
- */
-static void vmxHCFlushTaggedTlbBoth(PHMPHYSCPU pHostCpu, PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo)
-{
-#ifdef VBOX_WITH_STATISTICS
-    bool fTlbFlushed = false;
-# define HMVMX_SET_TAGGED_TLB_FLUSHED()       do { fTlbFlushed = true; } while (0)
-# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT()    do { \
-                                                if (!fTlbFlushed) \
-                                                    STAM_COUNTER_INC(&pVCpu->hm.s.StatNoFlushTlbWorldSwitch); \
-                                              } while (0)
-#else
-# define HMVMX_SET_TAGGED_TLB_FLUSHED()       do { } while (0)
-# define HMVMX_UPDATE_FLUSH_SKIPPED_STAT()    do { } while (0)
-#endif
-
-    AssertPtr(pVCpu);
-    AssertPtr(pHostCpu);
-    Assert(pHostCpu->idCpu != NIL_RTCPUID);
-
-    PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    AssertMsg(pVM->hmr0.s.fNestedPaging && pVM->hmr0.s.vmx.fVpid,
-              ("vmxHCFlushTaggedTlbBoth cannot be invoked unless NestedPaging & VPID are enabled."
-               "fNestedPaging=%RTbool fVpid=%RTbool", pVM->hmr0.s.fNestedPaging, pVM->hmr0.s.vmx.fVpid));
-
-    /*
-     * Force a TLB flush for the first world-switch if the current CPU differs from the one we
-     * ran on last. If the TLB flush count changed, another VM (VCPU rather) has hit the ASID
-     * limit while flushing the TLB or the host CPU is online after a suspend/resume, so we
-     * cannot reuse the current ASID anymore.
-     */
-    if (   pVCpu->hmr0.s.idLastCpu   != pHostCpu->idCpu
-        || pVCpu->hmr0.s.cTlbFlushes != pHostCpu->cTlbFlushes)
-    {
-        ++pHostCpu->uCurrentAsid;
-        if (pHostCpu->uCurrentAsid >= g_uHmMaxAsid)
-        {
-            pHostCpu->uCurrentAsid = 1;            /* Wraparound to 1; host uses 0. */
-            pHostCpu->cTlbFlushes++;               /* All VCPUs that run on this host CPU must use a new VPID. */
-            pHostCpu->fFlushAsidBeforeUse = true;  /* All VCPUs that run on this host CPU must flush their new VPID before use. */
-        }
-
-        pVCpu->hmr0.s.uCurrentAsid = pHostCpu->uCurrentAsid;
-        pVCpu->hmr0.s.idLastCpu    = pHostCpu->idCpu;
-        pVCpu->hmr0.s.cTlbFlushes  = pHostCpu->cTlbFlushes;
-
-        /*
-         * Flush by EPT when we get rescheduled to a new host CPU to ensure EPT-only tagged mappings are also
-         * invalidated. We don't need to flush-by-VPID here as flushing by EPT covers it. See @bugref{6568}.
-         */
-        vmxHCFlushEpt(pVCpu, pVmcsInfo, pVM->hmr0.s.vmx.enmTlbFlushEpt);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
-        HMVMX_SET_TAGGED_TLB_FLUSHED();
-        VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH);
-    }
-    else if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))    /* Check for explicit TLB flushes. */
-    {
-        /*
-         * Changes to the EPT paging structure by VMM requires flushing-by-EPT as the CPU
-         * creates guest-physical (ie. only EPT-tagged) mappings while traversing the EPT
-         * tables when EPT is in use. Flushing-by-VPID will only flush linear (only
-         * VPID-tagged) and combined (EPT+VPID tagged) mappings but not guest-physical
-         * mappings, see @bugref{6568}.
-         *
-         * See Intel spec. 28.3.2 "Creating and Using Cached Translation Information".
-         */
-        vmxHCFlushEpt(pVCpu, pVmcsInfo, pVM->hmr0.s.vmx.enmTlbFlushEpt);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
-        HMVMX_SET_TAGGED_TLB_FLUSHED();
-    }
-    else if (pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb)
-    {
-        /*
-         * The nested-guest specifies its own guest-physical address to use as the APIC-access
-         * address which requires flushing the TLB of EPT cached structures.
-         *
-         * See Intel spec. 28.3.3.4 "Guidelines for Use of the INVEPT Instruction".
-         */
-        vmxHCFlushEpt(pVCpu, pVmcsInfo, pVM->hmr0.s.vmx.enmTlbFlushEpt);
-        pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb = false;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbNstGst);
-        HMVMX_SET_TAGGED_TLB_FLUSHED();
-    }
-
-
-    pVCpu->hmr0.s.fForceTLBFlush = false;
-    HMVMX_UPDATE_FLUSH_SKIPPED_STAT();
-
-    Assert(pVCpu->hmr0.s.idLastCpu == pHostCpu->idCpu);
-    Assert(pVCpu->hmr0.s.cTlbFlushes == pHostCpu->cTlbFlushes);
-    AssertMsg(pVCpu->hmr0.s.cTlbFlushes == pHostCpu->cTlbFlushes,
-              ("Flush count mismatch for cpu %d (%u vs %u)\n", pHostCpu->idCpu, pVCpu->hmr0.s.cTlbFlushes, pHostCpu->cTlbFlushes));
-    AssertMsg(pHostCpu->uCurrentAsid >= 1 && pHostCpu->uCurrentAsid < g_uHmMaxAsid,
-              ("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pHostCpu->idCpu,
-               pHostCpu->uCurrentAsid, pHostCpu->cTlbFlushes, pVCpu->hmr0.s.idLastCpu, pVCpu->hmr0.s.cTlbFlushes));
-    AssertMsg(pVCpu->hmr0.s.uCurrentAsid >= 1 && pVCpu->hmr0.s.uCurrentAsid < g_uHmMaxAsid,
-              ("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pHostCpu->idCpu, pVCpu->hmr0.s.uCurrentAsid));
-
-    /* Update VMCS with the VPID. */
-    int rc  = VMX_VMCS_WRITE_16(pVCpu, VMX_VMCS16_VPID, pVCpu->hmr0.s.uCurrentAsid);
-    AssertRC(rc);
-
-#undef HMVMX_SET_TAGGED_TLB_FLUSHED
-}
-
-
-/**
- * Flushes the tagged-TLB entries for EPT CPUs as necessary.
- *
- * @param   pHostCpu    The HM physical-CPU structure.
- * @param   pVCpu       The cross context virtual CPU structure.
- * @param   pVmcsInfo   The VMCS info. object.
- *
- * @remarks Called with interrupts disabled.
- */
-static void vmxHCFlushTaggedTlbEpt(PHMPHYSCPU pHostCpu, PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo)
-{
-    AssertPtr(pVCpu);
-    AssertPtr(pHostCpu);
-    Assert(pHostCpu->idCpu != NIL_RTCPUID);
-    AssertMsg(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging, ("vmxHCFlushTaggedTlbEpt cannot be invoked without NestedPaging."));
-    AssertMsg(!pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.fVpid, ("vmxHCFlushTaggedTlbEpt cannot be invoked with VPID."));
-
-    /*
-     * Force a TLB flush for the first world-switch if the current CPU differs from the one we ran on last.
-     * A change in the TLB flush count implies the host CPU is online after a suspend/resume.
-     */
-    if (   pVCpu->hmr0.s.idLastCpu   != pHostCpu->idCpu
-        || pVCpu->hmr0.s.cTlbFlushes != pHostCpu->cTlbFlushes)
-    {
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
-    }
-
-    /* Check for explicit TLB flushes. */
-    if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
-    {
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
-    }
-
-    /* Check for TLB flushes while switching to/from a nested-guest. */
-    if (pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb)
-    {
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb = false;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbNstGst);
-    }
-
-    pVCpu->hmr0.s.idLastCpu = pHostCpu->idCpu;
-    pVCpu->hmr0.s.cTlbFlushes = pHostCpu->cTlbFlushes;
-
-    if (pVCpu->hmr0.s.fForceTLBFlush)
-    {
-        vmxHCFlushEpt(pVCpu, pVmcsInfo, pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.enmTlbFlushEpt);
-        pVCpu->hmr0.s.fForceTLBFlush = false;
-    }
-}
-
-
-/**
- * Flushes the tagged-TLB entries for VPID CPUs as necessary.
- *
- * @param   pHostCpu    The HM physical-CPU structure.
- * @param   pVCpu       The cross context virtual CPU structure.
- *
- * @remarks Called with interrupts disabled.
- */
-static void vmxHCFlushTaggedTlbVpid(PHMPHYSCPU pHostCpu, PVMCPUCC pVCpu)
-{
-    AssertPtr(pVCpu);
-    AssertPtr(pHostCpu);
-    Assert(pHostCpu->idCpu != NIL_RTCPUID);
-    AssertMsg(pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.fVpid, ("vmxHCFlushTlbVpid cannot be invoked without VPID."));
-    AssertMsg(!pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging, ("vmxHCFlushTlbVpid cannot be invoked with NestedPaging"));
-
-    /*
-     * Force a TLB flush for the first world switch if the current CPU differs from the one we
-     * ran on last. If the TLB flush count changed, another VM (VCPU rather) has hit the ASID
-     * limit while flushing the TLB or the host CPU is online after a suspend/resume, so we
-     * cannot reuse the current ASID anymore.
-     */
-    if (   pVCpu->hmr0.s.idLastCpu != pHostCpu->idCpu
-        || pVCpu->hmr0.s.cTlbFlushes != pHostCpu->cTlbFlushes)
-    {
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbWorldSwitch);
-    }
-
-    /* Check for explicit TLB flushes. */
-    if (VMCPU_FF_TEST_AND_CLEAR(pVCpu, VMCPU_FF_TLB_FLUSH))
-    {
-        /*
-         * If we ever support VPID flush combinations other than ALL or SINGLE-context (see
-         * vmxHCSetupTaggedTlb()) we would need to explicitly flush in this case (add an
-         * fExplicitFlush = true here and change the pHostCpu->fFlushAsidBeforeUse check below to
-         * include fExplicitFlush's too) - an obscure corner case.
-         */
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlb);
-    }
-
-    /* Check for TLB flushes while switching to/from a nested-guest. */
-    if (pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb)
-    {
-        pVCpu->hmr0.s.fForceTLBFlush = true;
-        pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb = false;
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatFlushTlbNstGst);
-    }
-
-    PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    pVCpu->hmr0.s.idLastCpu = pHostCpu->idCpu;
-    if (pVCpu->hmr0.s.fForceTLBFlush)
-    {
-        ++pHostCpu->uCurrentAsid;
-        if (pHostCpu->uCurrentAsid >= g_uHmMaxAsid)
-        {
-            pHostCpu->uCurrentAsid        = 1;     /* Wraparound to 1; host uses 0 */
-            pHostCpu->cTlbFlushes++;               /* All VCPUs that run on this host CPU must use a new VPID. */
-            pHostCpu->fFlushAsidBeforeUse = true;  /* All VCPUs that run on this host CPU must flush their new VPID before use. */
-        }
-
-        pVCpu->hmr0.s.fForceTLBFlush = false;
-        pVCpu->hmr0.s.cTlbFlushes    = pHostCpu->cTlbFlushes;
-        pVCpu->hmr0.s.uCurrentAsid   = pHostCpu->uCurrentAsid;
-        if (pHostCpu->fFlushAsidBeforeUse)
-        {
-            if (pVM->hmr0.s.vmx.enmTlbFlushVpid == VMXTLBFLUSHVPID_SINGLE_CONTEXT)
-                vmxHCFlushVpid(pVCpu, VMXTLBFLUSHVPID_SINGLE_CONTEXT, 0 /* GCPtr */);
-            else if (pVM->hmr0.s.vmx.enmTlbFlushVpid == VMXTLBFLUSHVPID_ALL_CONTEXTS)
-            {
-                vmxHCFlushVpid(pVCpu, VMXTLBFLUSHVPID_ALL_CONTEXTS, 0 /* GCPtr */);
-                pHostCpu->fFlushAsidBeforeUse = false;
-            }
-            else
-            {
-                /* vmxHCSetupTaggedTlb() ensures we never get here. Paranoia. */
-                AssertMsgFailed(("Unsupported VPID-flush context type.\n"));
-            }
-        }
-    }
-
-    AssertMsg(pVCpu->hmr0.s.cTlbFlushes == pHostCpu->cTlbFlushes,
-              ("Flush count mismatch for cpu %d (%u vs %u)\n", pHostCpu->idCpu, pVCpu->hmr0.s.cTlbFlushes, pHostCpu->cTlbFlushes));
-    AssertMsg(pHostCpu->uCurrentAsid >= 1 && pHostCpu->uCurrentAsid < g_uHmMaxAsid,
-              ("Cpu[%u] uCurrentAsid=%u cTlbFlushes=%u pVCpu->idLastCpu=%u pVCpu->cTlbFlushes=%u\n", pHostCpu->idCpu,
-               pHostCpu->uCurrentAsid, pHostCpu->cTlbFlushes, pVCpu->hmr0.s.idLastCpu, pVCpu->hmr0.s.cTlbFlushes));
-    AssertMsg(pVCpu->hmr0.s.uCurrentAsid >= 1 && pVCpu->hmr0.s.uCurrentAsid < g_uHmMaxAsid,
-              ("Cpu[%u] pVCpu->uCurrentAsid=%u\n", pHostCpu->idCpu, pVCpu->hmr0.s.uCurrentAsid));
-
-    int rc  = VMX_VMCS_WRITE_16(pVCpu, VMX_VMCS16_VPID, pVCpu->hmr0.s.uCurrentAsid);
-    AssertRC(rc);
-}
-
-
-/**
- * Flushes the guest TLB entry based on CPU capabilities.
- *
- * @param   pHostCpu    The HM physical-CPU structure.
- * @param   pVCpu       The cross context virtual CPU structure.
- * @param   pVmcsInfo   The VMCS info. object.
- *
- * @remarks Called with interrupts disabled.
- */
-static void vmxHCFlushTaggedTlb(PHMPHYSCPU pHostCpu, PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo)
-{
-#ifdef HMVMX_ALWAYS_FLUSH_TLB
-    VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
-#endif
-    PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    switch (pVM->hmr0.s.vmx.enmTlbFlushType)
-    {
-        case VMXTLBFLUSHTYPE_EPT_VPID: vmxHCFlushTaggedTlbBoth(pHostCpu, pVCpu, pVmcsInfo); break;
-        case VMXTLBFLUSHTYPE_EPT:      vmxHCFlushTaggedTlbEpt(pHostCpu, pVCpu, pVmcsInfo);  break;
-        case VMXTLBFLUSHTYPE_VPID:     vmxHCFlushTaggedTlbVpid(pHostCpu, pVCpu);            break;
-        case VMXTLBFLUSHTYPE_NONE:     vmxHCFlushTaggedTlbNone(pHostCpu, pVCpu);            break;
-        default:
-            AssertMsgFailed(("Invalid flush-tag function identifier\n"));
-            break;
-    }
-    /* Don't assert that VMCPU_FF_TLB_FLUSH should no longer be pending. It can be set by other EMTs. */
-}
-
-
-/**
- * Sets up the appropriate tagged TLB-flush level and handler for flushing guest
- * TLB entries from the host TLB before VM-entry.
- *
- * @returns VBox status code.
- * @param   pVM     The cross context VM structure.
- */
-static int vmxHCSetupTaggedTlb(PVMCC pVM)
-{
-    /*
-     * Determine optimal flush type for nested paging.
-     * We cannot ignore EPT if no suitable flush-types is supported by the CPU as we've already setup
-     * unrestricted guest execution (see hmR3InitFinalizeR0()).
-     */
-    if (pVM->hmr0.s.fNestedPaging)
-    {
-        if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT)
-        {
-            if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_SINGLE_CONTEXT)
-                pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_SINGLE_CONTEXT;
-            else if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVEPT_ALL_CONTEXTS)
-                pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_ALL_CONTEXTS;
-            else
-            {
-                /* Shouldn't happen. EPT is supported but no suitable flush-types supported. */
-                pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_NOT_SUPPORTED;
-                VMCC_GET_CPU_0(pVM)->hm.s.u32HMError = VMX_UFC_EPT_FLUSH_TYPE_UNSUPPORTED;
-                return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
-            }
-
-            /* Make sure the write-back cacheable memory type for EPT is supported. */
-            if (RT_UNLIKELY(!(g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_MEMTYPE_WB)))
-            {
-                pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_NOT_SUPPORTED;
-                VMCC_GET_CPU_0(pVM)->hm.s.u32HMError = VMX_UFC_EPT_MEM_TYPE_NOT_WB;
-                return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
-            }
-
-            /* EPT requires a page-walk length of 4. */
-            if (RT_UNLIKELY(!(g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_PAGE_WALK_LENGTH_4)))
-            {
-                pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_NOT_SUPPORTED;
-                VMCC_GET_CPU_0(pVM)->hm.s.u32HMError = VMX_UFC_EPT_PAGE_WALK_LENGTH_UNSUPPORTED;
-                return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
-            }
-        }
-        else
-        {
-            /* Shouldn't happen. EPT is supported but INVEPT instruction is not supported. */
-            pVM->hmr0.s.vmx.enmTlbFlushEpt = VMXTLBFLUSHEPT_NOT_SUPPORTED;
-            VMCC_GET_CPU_0(pVM)->hm.s.u32HMError = VMX_UFC_EPT_INVEPT_UNAVAILABLE;
-            return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
-        }
-    }
-
-    /*
-     * Determine optimal flush type for VPID.
-     */
-    if (pVM->hmr0.s.vmx.fVpid)
-    {
-        if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID)
-        {
-            if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT)
-                pVM->hmr0.s.vmx.enmTlbFlushVpid = VMXTLBFLUSHVPID_SINGLE_CONTEXT;
-            else if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_ALL_CONTEXTS)
-                pVM->hmr0.s.vmx.enmTlbFlushVpid = VMXTLBFLUSHVPID_ALL_CONTEXTS;
-            else
-            {
-                /* Neither SINGLE nor ALL-context flush types for VPID is supported by the CPU. Ignore VPID capability. */
-                if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_INDIV_ADDR)
-                    LogRelFunc(("Only INDIV_ADDR supported. Ignoring VPID.\n"));
-                if (g_HmMsrs.u.vmx.u64EptVpidCaps & MSR_IA32_VMX_EPT_VPID_CAP_INVVPID_SINGLE_CONTEXT_RETAIN_GLOBALS)
-                    LogRelFunc(("Only SINGLE_CONTEXT_RETAIN_GLOBALS supported. Ignoring VPID.\n"));
-                pVM->hmr0.s.vmx.enmTlbFlushVpid = VMXTLBFLUSHVPID_NOT_SUPPORTED;
-                pVM->hmr0.s.vmx.fVpid           = false;
-            }
-        }
-        else
-        {
-            /*  Shouldn't happen. VPID is supported but INVVPID is not supported by the CPU. Ignore VPID capability. */
-            Log4Func(("VPID supported without INVEPT support. Ignoring VPID.\n"));
-            pVM->hmr0.s.vmx.enmTlbFlushVpid = VMXTLBFLUSHVPID_NOT_SUPPORTED;
-            pVM->hmr0.s.vmx.fVpid           = false;
-        }
-    }
-
-    /*
-     * Setup the handler for flushing tagged-TLBs.
-     */
-    if (pVM->hmr0.s.fNestedPaging && pVM->hmr0.s.vmx.fVpid)
-        pVM->hmr0.s.vmx.enmTlbFlushType = VMXTLBFLUSHTYPE_EPT_VPID;
-    else if (pVM->hmr0.s.fNestedPaging)
-        pVM->hmr0.s.vmx.enmTlbFlushType = VMXTLBFLUSHTYPE_EPT;
-    else if (pVM->hmr0.s.vmx.fVpid)
-        pVM->hmr0.s.vmx.enmTlbFlushType = VMXTLBFLUSHTYPE_VPID;
-    else
-        pVM->hmr0.s.vmx.enmTlbFlushType = VMXTLBFLUSHTYPE_NONE;
-
-
-    /*
-     * Copy out the result to ring-3.
-     */
-    pVM->hm.s.ForR3.vmx.fVpid           = pVM->hmr0.s.vmx.fVpid;
-    pVM->hm.s.ForR3.vmx.enmTlbFlushType = pVM->hmr0.s.vmx.enmTlbFlushType;
-    pVM->hm.s.ForR3.vmx.enmTlbFlushEpt  = pVM->hmr0.s.vmx.enmTlbFlushEpt;
-    pVM->hm.s.ForR3.vmx.enmTlbFlushVpid = pVM->hmr0.s.vmx.enmTlbFlushVpid;
-    return VINF_SUCCESS;
-}
-
-
+
+#ifdef IN_RING0
 /**
  * Sets up the LBR MSR ranges based on the host CPU.
@@ -3166 +2300 @@
 
 /**
- * Sets up the virtual-APIC page address for the VMCS.
- *
- * @param   pVmcsInfo   The VMCS info. object.
- */
-DECLINLINE(void) vmxHCSetupVmcsVirtApicAddr(PCVMXVMCSINFO pVmcsInfo)
-{
-    RTHCPHYS const HCPhysVirtApic = pVmcsInfo->HCPhysVirtApic;
-    Assert(HCPhysVirtApic != NIL_RTHCPHYS);
-    Assert(!(HCPhysVirtApic & 0xfff));                       /* Bits 11:0 MBZ. */
-    int rc = VMX_VMCS_WRITE_64(pVCpu, VMX_VMCS64_CTRL_VIRT_APIC_PAGEADDR_FULL, HCPhysVirtApic);
-    AssertRC(rc);
-}
-
-
-/**
- * Sets up the MSR-bitmap address for the VMCS.
- *
- * @param   pVmcsInfo   The VMCS info. object.
- */
-DECLINLINE(void) vmxHCSetupVmcsMsrBitmapAddr(PCVMXVMCSINFO pVmcsInfo)
-{
-    RTHCPHYS const HCPhysMsrBitmap = pVmcsInfo->HCPhysMsrBitmap;
-    Assert(HCPhysMsrBitmap != NIL_RTHCPHYS);
-    Assert(!(HCPhysMsrBitmap & 0xfff));                      /* Bits 11:0 MBZ. */
-    int rc = VMX_VMCS_WRITE_64(pVCpu, VMX_VMCS64_CTRL_MSR_BITMAP_FULL, HCPhysMsrBitmap);
-    AssertRC(rc);
-}
-
-
-/**
  * Sets up the APIC-access page address for the VMCS.
  *
@@ -3241 +2345 @@
 
 #endif
-
-/**
- * Sets up the VM-entry MSR load, VM-exit MSR-store and VM-exit MSR-load addresses
- * in the VMCS.
- *
- * @returns VBox status code.
- * @param   pVmcsInfo   The VMCS info. object.
- */
-DECLINLINE(int) vmxHCSetupVmcsAutoLoadStoreMsrAddrs(PVMXVMCSINFO pVmcsInfo)
-{
-    RTHCPHYS const HCPhysGuestMsrLoad = pVmcsInfo->HCPhysGuestMsrLoad;
-    Assert(HCPhysGuestMsrLoad != NIL_RTHCPHYS);
-    Assert(!(HCPhysGuestMsrLoad & 0xf));                     /* Bits 3:0 MBZ. */
-
-    RTHCPHYS const HCPhysGuestMsrStore = pVmcsInfo->HCPhysGuestMsrStore;
-    Assert(HCPhysGuestMsrStore != NIL_RTHCPHYS);
-    Assert(!(HCPhysGuestMsrStore & 0xf));                    /* Bits 3:0 MBZ. */
-
-    RTHCPHYS const HCPhysHostMsrLoad = pVmcsInfo->HCPhysHostMsrLoad;
-    Assert(HCPhysHostMsrLoad != NIL_RTHCPHYS);
-    Assert(!(HCPhysHostMsrLoad & 0xf));                      /* Bits 3:0 MBZ. */
-
-    int rc = VMX_VMCS_WRITE_64(pVCpu, VMX_VMCS64_CTRL_ENTRY_MSR_LOAD_FULL, HCPhysGuestMsrLoad);   AssertRC(rc);
-    rc     = VMX_VMCS_WRITE_64(pVCpu, VMX_VMCS64_CTRL_EXIT_MSR_STORE_FULL, HCPhysGuestMsrStore);  AssertRC(rc);
-    rc     = VMX_VMCS_WRITE_64(pVCpu, VMX_VMCS64_CTRL_EXIT_MSR_LOAD_FULL,  HCPhysHostMsrLoad);    AssertRC(rc);
-    return VINF_SUCCESS;
-}
-
 
 /**
@@ -3381 +2457 @@
         LogRelFunc(("Invalid pin-based VM-execution controls combo! Cpu=%#RX32 fVal=%#RX32 fZap=%#RX32\n",
                     g_HmMsrs.u.vmx.PinCtls.n.allowed0, fVal, fZap));
-        pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PIN_EXEC;
+        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_PIN_EXEC;
         return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
     }
@@ -3473 +2549 @@
         LogRelFunc(("Invalid secondary processor-based VM-execution controls combo! cpu=%#RX32 fVal=%#RX32 fZap=%#RX32\n",
                     g_HmMsrs.u.vmx.ProcCtls2.n.allowed0, fVal, fZap));
-        pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC2;
+        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_PROC_EXEC2;
         return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
     }
@@ -3511 +2587 @@
         ||  (g_HmMsrs.u.vmx.ProcCtls.n.allowed0 & VMX_PROC_CTLS_MOV_DR_EXIT))
     {
-        pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_MOV_DRX_EXIT;
+        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_PROC_MOV_DRX_EXIT;
         return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
     }
@@ -3524 +2600 @@
     }
 
+#ifdef IN_INRG0
     /* Use TPR shadowing if supported by the CPU. */
     if (   PDMHasApic(pVM)
@@ -3549 +2626 @@
         vmxHCSetupVmcsMsrBitmapAddr(pVmcsInfo);
     }
+#endif
 
     /* Use the secondary processor-based VM-execution controls if supported by the CPU. */
@@ -3558 +2636 @@
         LogRelFunc(("Invalid processor-based VM-execution controls combo! cpu=%#RX32 fVal=%#RX32 fZap=%#RX32\n",
                     g_HmMsrs.u.vmx.ProcCtls.n.allowed0, fVal, fZap));
-        pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_PROC_EXEC;
+        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_PROC_EXEC;
         return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
     }
@@ -3580 +2658 @@
     else
     {
-        pVCpu->hm.s.u32HMError = VMX_UFC_INVALID_UX_COMBO;
+        VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_INVALID_UX_COMBO;
         return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
     }
@@ -3702 +2780 @@
 
 /**
- * Sets pfnStartVm to the best suited variant.
- *
- * This must be called whenever anything changes relative to the vmxHCStartVm
- * variant selection:
- *      - pVCpu->hm.s.fLoadSaveGuestXcr0
- *      - HM_WSF_IBPB_ENTRY in pVCpu->hmr0.s.fWorldSwitcher
- *      - HM_WSF_IBPB_EXIT  in pVCpu->hmr0.s.fWorldSwitcher
- *      - Perhaps: CPUMIsGuestFPUStateActive() (windows only)
- *      - Perhaps: CPUMCTX.fXStateMask (windows only)
- *
- * We currently ASSUME that neither HM_WSF_IBPB_ENTRY nor HM_WSF_IBPB_EXIT
- * cannot be changed at runtime.
- */
-static void vmxHCUpdateStartVmFunction(PVMCPUCC pVCpu)
-{
-    static const struct CLANGWORKAROUND { PFNHMVMXSTARTVM pfn; } s_avmxHCStartVmFunctions[] =
-    {
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_SansL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_SansL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_SansL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_SansL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_WithL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_WithL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_WithL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_WithL1dEntry_SansMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_SansL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_SansL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_SansL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_SansL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_WithL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_WithL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_WithL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_WithL1dEntry_WithMdsEntry_SansIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_SansL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_SansL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_SansL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_SansL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_WithL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_WithL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_WithL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_WithL1dEntry_SansMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_SansL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_SansL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_SansL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_SansL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_SansIbpbEntry_WithL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_SansIbpbEntry_WithL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_SansXcr0_WithIbpbEntry_WithL1dEntry_WithMdsEntry_WithIbpbExit },
-        { vmxHCStartVm_WithXcr0_WithIbpbEntry_WithL1dEntry_WithMdsEntry_WithIbpbExit },
-    };
-    uintptr_t const idx = (pVCpu->hmr0.s.fLoadSaveGuestXcr0                 ?  1 : 0)
-                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_IBPB_ENTRY ?  2 : 0)
-                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_L1D_ENTRY  ?  4 : 0)
-                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_MDS_ENTRY  ?  8 : 0)
-                        | (pVCpu->hmr0.s.fWorldSwitcher & HM_WSF_IBPB_EXIT  ? 16 : 0);
-    PFNHMVMXSTARTVM const pfnStartVm = s_avmxHCStartVmFunctions[idx].pfn;
-    if (pVCpu->hmr0.s.vmx.pfnStartVm != pfnStartVm)
-        pVCpu->hmr0.s.vmx.pfnStartVm = pfnStartVm;
-}
-
-
-/**
- * Selector FNHMSVMVMRUN implementation.
- */
-static DECLCALLBACK(int) vmxHCStartVmSelector(PVMXVMCSINFO pVmcsInfo, PVMCPUCC pVCpu, bool fResume)
-{
-    vmxHCUpdateStartVmFunction(pVCpu);
-    return pVCpu->hmr0.s.vmx.pfnStartVm(pVmcsInfo, pVCpu, fResume);
-}
-
-
-/**
- * Sets up the VMCS for executing a guest (or nested-guest) using hardware-assisted
- * VMX.
- *
- * @returns VBox status code.
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmcsInfo       The VMCS info. object.
- * @param   fIsNstGstVmcs   Whether this is a nested-guest VMCS.
- */
-static int vmxHCSetupVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo, bool fIsNstGstVmcs)
-{
-    Assert(pVmcsInfo->pvVmcs);
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-
-    /* Set the CPU specified revision identifier at the beginning of the VMCS structure. */
-    *(uint32_t *)pVmcsInfo->pvVmcs = RT_BF_GET(g_HmMsrs.u.vmx.u64Basic, VMX_BF_BASIC_VMCS_ID);
-    const char * const pszVmcs     = fIsNstGstVmcs ? "nested-guest VMCS" : "guest VMCS";
-
-    LogFlowFunc(("\n"));
-
-    /*
-     * Initialize the VMCS using VMCLEAR before loading the VMCS.
-     * See Intel spec. 31.6 "Preparation And Launching A Virtual Machine".
-     */
-    int rc = vmxHCClearVmcs(pVmcsInfo);
-    if (RT_SUCCESS(rc))
-    {
-        rc = vmxHCLoadVmcs(pVmcsInfo);
-        if (RT_SUCCESS(rc))
-        {
-            /*
-             * Initialize the hardware-assisted VMX execution handler for guest and nested-guest VMCS.
-             * The host is always 64-bit since we no longer support 32-bit hosts.
-             * Currently we have just a single handler for all guest modes as well, see @bugref{6208#c73}.
-             */
-            if (!fIsNstGstVmcs)
-            {
-                rc = vmxHCSetupVmcsPinCtls(pVCpu, pVmcsInfo);
-                if (RT_SUCCESS(rc))
-                {
-                    rc = vmxHCSetupVmcsProcCtls(pVCpu, pVmcsInfo);
-                    if (RT_SUCCESS(rc))
-                    {
-                        rc = vmxHCSetupVmcsMiscCtls(pVCpu, pVmcsInfo);
-                        if (RT_SUCCESS(rc))
-                        {
-                            vmxHCSetupVmcsXcptBitmap(pVCpu, pVmcsInfo);
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-                            /*
-                             * If a shadow VMCS is allocated for the VMCS info. object, initialize the
-                             * VMCS revision ID and shadow VMCS indicator bit. Also, clear the VMCS
-                             * making it fit for use when VMCS shadowing is later enabled.
-                             */
-                            if (pVmcsInfo->pvShadowVmcs)
-                            {
-                                VMXVMCSREVID VmcsRevId;
-                                VmcsRevId.u = RT_BF_GET(g_HmMsrs.u.vmx.u64Basic, VMX_BF_BASIC_VMCS_ID);
-                                VmcsRevId.n.fIsShadowVmcs = 1;
-                                *(uint32_t *)pVmcsInfo->pvShadowVmcs = VmcsRevId.u;
-                                rc = vmxHCClearShadowVmcs(pVmcsInfo);
-                                if (RT_SUCCESS(rc))
-                                { /* likely */ }
-                                else
-                                    LogRelFunc(("Failed to initialize shadow VMCS. rc=%Rrc\n", rc));
-                            }
-#endif
-                        }
-                        else
-                            LogRelFunc(("Failed to setup miscellaneous controls. rc=%Rrc\n", rc));
-                    }
-                    else
-                        LogRelFunc(("Failed to setup processor-based VM-execution controls. rc=%Rrc\n", rc));
-                }
-                else
-                    LogRelFunc(("Failed to setup pin-based controls. rc=%Rrc\n", rc));
-            }
-            else
-            {
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-                rc = vmxHCSetupVmcsCtlsNested(pVmcsInfo);
-                if (RT_SUCCESS(rc))
-                { /* likely */ }
-                else
-                    LogRelFunc(("Failed to initialize nested-guest VMCS. rc=%Rrc\n", rc));
-#else
-                AssertFailed();
-#endif
-            }
-        }
-        else
-            LogRelFunc(("Failed to load the %s. rc=%Rrc\n", rc, pszVmcs));
-    }
-    else
-        LogRelFunc(("Failed to clear the %s. rc=%Rrc\n", rc, pszVmcs));
-
-    /* Sync any CPU internal VMCS data back into our VMCS in memory. */
-    if (RT_SUCCESS(rc))
-    {
-        rc = vmxHCClearVmcs(pVmcsInfo);
-        if (RT_SUCCESS(rc))
-        { /* likely */ }
-        else
-            LogRelFunc(("Failed to clear the %s post setup. rc=%Rrc\n", rc, pszVmcs));
-    }
-
-    /*
-     * Update the last-error record both for failures and success, so we
-     * can propagate the status code back to ring-3 for diagnostics.
-     */
-    vmxHCUpdateErrorRecord(pVCpu, rc);
-    NOREF(pszVmcs);
-    return rc;
-}
-
-
-/**
  * Exports the guest state with appropriate VM-entry and VM-exit controls in the
  * VMCS.
@@ -3903 +2794 @@
 static int vmxHCExportGuestEntryExitCtls(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_VMX_ENTRY_EXIT_CTLS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_VMX_ENTRY_EXIT_CTLS)
     {
         PVMCC pVM = pVCpu->CTX_SUFF(pVM);
@@ -3970 +2861 @@
                 Log4Func(("Invalid VM-entry controls combo! Cpu=%#RX32 fVal=%#RX32 fZap=%#RX32\n",
                           g_HmMsrs.u.vmx.EntryCtls.n.allowed0, fVal, fZap));
-                pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_ENTRY;
+                VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_ENTRY;
                 return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
             }
@@ -4048 +2939 @@
                 Log4Func(("Invalid VM-exit controls combo! cpu=%#RX32 fVal=%#RX32 fZap=%R#X32\n",
                           g_HmMsrs.u.vmx.ExitCtls.n.allowed0, fVal, fZap));
-                pVCpu->hm.s.u32HMError = VMX_UFC_CTRL_EXIT;
+                VCPU_2_VMXSTATE(pVCpu).u32HMError = VMX_UFC_CTRL_EXIT;
                 return VERR_HM_UNSUPPORTED_CPU_FEATURE_COMBO;
             }
@@ -4061 +2952 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_VMX_ENTRY_EXIT_CTLS);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_VMX_ENTRY_EXIT_CTLS);
     }
     return VINF_SUCCESS;
 }
+#endif /* !IN_RING0 */
 
 
@@ -4070 +2962 @@
  * Sets the TPR threshold in the VMCS.
  *
+ * @param   pVCpu               The cross context virtual CPU structure.
  * @param   pVmcsInfo           The VMCS info. object.
  * @param   u32TprThreshold     The TPR threshold (task-priority class only).
  */
-DECLINLINE(void) vmxHCApicSetTprThreshold(PVMXVMCSINFO pVmcsInfo, uint32_t u32TprThreshold)
+DECLINLINE(void) vmxHCApicSetTprThreshold(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo, uint32_t u32TprThreshold)
 {
     Assert(!(u32TprThreshold & ~VMX_TPR_THRESHOLD_MASK));         /* Bits 31:4 MBZ. */
@@ -4093 +2986 @@
 static void vmxHCExportGuestApicTpr(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_APIC_TPR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_APIC_TPR)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_APIC_TPR);
@@ -4132 +3025 @@
                     }
 
-                    vmxHCApicSetTprThreshold(pVmcsInfo, u32TprThreshold);
+                    vmxHCApicSetTprThreshold(pVCpu, pVmcsInfo, u32TprThreshold);
                 }
             }
         }
         /* else: the TPR threshold has already been updated while merging the nested-guest VMCS. */
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_APIC_TPR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_APIC_TPR);
     }
 }
@@ -4204 +3097 @@
 }
 
-
+#ifdef IN_RING0
 /**
  * Exports the exception intercepts required for guest execution in the VMCS.
@@ -4215 +3108 @@
 static void vmxHCExportGuestXcptIntercepts(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_VMX_XCPT_INTERCEPTS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_VMX_XCPT_INTERCEPTS)
     {
         /* When executing a nested-guest, we do not need to trap GIM hypercalls by intercepting #UD. */
         if (   !pVmxTransient->fIsNestedGuest
-            &&  pVCpu->hm.s.fGIMTrapXcptUD)
+            &&  VCPU_2_VMXSTATE(pVCpu).fGIMTrapXcptUD)
             vmxHCAddXcptIntercept(pVCpu, pVmxTransient, X86_XCPT_UD);
         else
@@ -4225 +3118 @@
 
         /* Other exception intercepts are handled elsewhere, e.g. while exporting guest CR0. */
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_VMX_XCPT_INTERCEPTS);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_VMX_XCPT_INTERCEPTS);
     }
 }
@@ -4239 +3132 @@
 static void vmxHCExportGuestRip(PVMCPUCC pVCpu)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_RIP)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_RIP)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_RIP);
@@ -4246 +3139 @@
         AssertRC(rc);
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_RIP);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_RIP);
         Log4Func(("rip=%#RX64\n", pVCpu->cpum.GstCtx.rip));
     }
@@ -4261 +3154 @@
 static void vmxHCExportGuestRsp(PVMCPUCC pVCpu)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_RSP)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_RSP)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_RSP);
@@ -4268 +3161 @@
         AssertRC(rc);
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_RSP);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_RSP);
         Log4Func(("rsp=%#RX64\n", pVCpu->cpum.GstCtx.rsp));
     }
@@ -4284 +3177 @@
 static void vmxHCExportGuestRflags(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_RFLAGS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_RFLAGS)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_RFLAGS);
@@ -4314 +3207 @@
         AssertRC(rc);
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_RFLAGS);
         Log4Func(("eflags=%#RX32\n", fEFlags.u32));
     }
@@ -4498 +3391 @@
 static int vmxHCExportGuestHwvirtState(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_HWVIRT)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_HWVIRT)
     {
 #ifdef VBOX_WITH_NESTED_HWVIRT_VMX
@@ -4528 +3421 @@
                  * was newly loaded or modified before copying it to the shadow VMCS.
                  */
-                if (!pVCpu->hm.s.vmx.fCopiedNstGstToShadowVmcs)
+                if (!VCPU_2_VMXSTATE(pVCpu).vmx.fCopiedNstGstToShadowVmcs)
                 {
                     int rc = vmxHCCopyNstGstToShadowVmcs(pVCpu, pVmcsInfo);
                     AssertRCReturn(rc, rc);
-                    pVCpu->hm.s.vmx.fCopiedNstGstToShadowVmcs = true;
+                    VCPU_2_VMXSTATE(pVCpu).vmx.fCopiedNstGstToShadowVmcs = true;
                 }
                 vmxHCEnableVmcsShadowing(pVmcsInfo);
@@ -4542 +3435 @@
         NOREF(pVmxTransient);
 #endif
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_HWVIRT);
     }
     return VINF_SUCCESS;
@@ -4562 +3455 @@
 static int vmxHCExportGuestCR0(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
 {
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_CR0)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_CR0)
     {
         PVMCC pVM = pVCpu->CTX_SUFF(pVM);
@@ -4659 +3552 @@
             uXcptBitmap |= RT_BIT(X86_XCPT_PF);
 #endif
-            if (pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv)
+            if (VCPU_2_VMXSTATE(pVCpu).fTrapXcptGpForLovelyMesaDrv)
                 uXcptBitmap |= RT_BIT(X86_XCPT_GP);
             Assert(pVM->hmr0.s.fNestedPaging || (uXcptBitmap & RT_BIT(X86_XCPT_PF)));
@@ -4715 +3608 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_CR0);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_CR0);
     }
 
@@ -4749 +3642 @@
      * Guest CR3.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_CR3)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_CR3)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CR3);
@@ -4840 +3733 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_CR3);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_CR3);
     }
 
@@ -4847 +3740 @@
      * ASSUMES this is done everytime we get in from ring-3! (XCR0)
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_CR4)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_CR4)
     {
         PCPUMCTX     pCtx      = &pVCpu->cpum.GstCtx;
@@ -4905 +3798 @@
              * paging mode and thus we need to adjust VT-x's view of CR4 depending on our shadow page tables.
              */
-            switch (pVCpu->hm.s.enmShadowMode)
+            switch (VCPU_2_VMXSTATE(pVCpu).enmShadowMode)
             {
                 case PGMMODE_REAL:              /* Real-mode. */
@@ -4953 +3846 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_CR4);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_CR4);
 
         Log4Func(("cr4=%#RX64 shadow=%#RX64 (set=%#RX64 zap=%#RX64)\n", u64GuestCr4, u64ShadowCr4, fSetCr4, fZapCr4));
@@ -5014 +3907 @@
     bool     fInterceptMovDRx = false;
     uint32_t uProcCtls        = pVmcsInfo->u32ProcCtls;
-    if (pVCpu->hm.s.fSingleInstruction)
+    if (VCPU_2_VMXSTATE(pVCpu).fSingleInstruction)
     {
         /* If the CPU supports the monitor trap flag, use it for single stepping in DBGF and avoid intercepting #DB. */
@@ -5025 +3918 @@
         {
             pVCpu->cpum.GstCtx.eflags.u32 |= X86_EFL_TF;
-            pVCpu->hm.s.fCtxChanged |= HM_CHANGED_GUEST_RFLAGS;
+            VCPU_2_VMXSTATE(pVCpu).fCtxChanged |= HM_CHANGED_GUEST_RFLAGS;
             pVCpu->hmr0.s.fClearTrapFlag = true;
             fSteppingDB = true;
@@ -5068 +3961 @@
                 Assert(CPUMIsGuestDebugStateActive(pVCpu));
                 Assert(!CPUMIsHyperDebugStateActive(pVCpu));
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatDRxArmed);
             }
             Assert(!fInterceptMovDRx);
@@ -5118 +4011 @@
     if (fSteppingDB)
     {
-        Assert(pVCpu->hm.s.fSingleInstruction);
+        Assert(VCPU_2_VMXSTATE(pVCpu).fSingleInstruction);
         Assert(pVCpu->cpum.GstCtx.eflags.Bits.u1TF);
 
@@ -5396 +4289 @@
      * Guest Segment registers: CS, SS, DS, ES, FS, GS.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SREG_MASK)
-    {
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_CS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SREG_MASK)
+    {
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_CS)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CS);
@@ -5405 +4298 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_CS, &pCtx->cs);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_CS);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SS)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_CS);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SS)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_SS);
@@ -5415 +4308 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_SS, &pCtx->ss);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_SS);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_DS)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_SS);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_DS)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_DS);
@@ -5425 +4318 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_DS, &pCtx->ds);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_DS);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_ES)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_DS);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_ES)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_ES);
@@ -5435 +4328 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_ES, &pCtx->es);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_ES);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_FS)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_ES);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_FS)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_FS);
@@ -5445 +4338 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_FS, &pCtx->fs);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_FS);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_GS)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_FS);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_GS)
         {
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_GS);
@@ -5455 +4348 @@
             rc = vmxHCExportGuestSegReg(pVCpu, pVmcsInfo, X86_SREG_GS, &pCtx->gs);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_GS);
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_GS);
         }
 
@@ -5468 +4361 @@
      * Guest TR.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_TR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_TR)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_TR);
@@ -5529 +4422 @@
         rc = VMX_VMCS_WRITE_NW(pVCpu, VMX_VMCS_GUEST_TR_BASE,            u64Base);            AssertRC(rc);
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_TR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_TR);
         Log4Func(("tr base=%#RX64 limit=%#RX32\n", pCtx->tr.u64Base, pCtx->tr.u32Limit));
     }
@@ -5536 +4429 @@
      * Guest GDTR.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_GDTR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_GDTR)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_GDTR);
@@ -5546 +4439 @@
         Assert(!(pCtx->gdtr.cbGdt & 0xffff0000));          /* Bits 31:16 MBZ. */
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_GDTR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_GDTR);
         Log4Func(("gdtr base=%#RX64 limit=%#RX32\n", pCtx->gdtr.pGdt, pCtx->gdtr.cbGdt));
     }
@@ -5553 +4446 @@
      * Guest LDTR.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_LDTR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_LDTR)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_LDTR);
@@ -5585 +4478 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_LDTR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_LDTR);
         Log4Func(("ldtr base=%#RX64 limit=%#RX32\n", pCtx->ldtr.u64Base, pCtx->ldtr.u32Limit));
     }
@@ -5592 +4485 @@
      * Guest IDTR.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_IDTR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_IDTR)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_IDTR);
@@ -5602 +4495 @@
         Assert(!(pCtx->idtr.cbIdt & 0xffff0000));          /* Bits 31:16 MBZ. */
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_IDTR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_IDTR);
         Log4Func(("idtr base=%#RX64 limit=%#RX32\n", pCtx->idtr.pIdt, pCtx->idtr.cbIdt));
     }
@@ -5649 +4542 @@
      * those MSRs into the auto-load/store MSR area. Nothing to do here.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_VMX_GUEST_AUTO_MSRS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_VMX_GUEST_AUTO_MSRS)
     {
         /* No auto-load/store MSRs currently. */
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_VMX_GUEST_AUTO_MSRS);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_VMX_GUEST_AUTO_MSRS);
     }
 
@@ -5658 +4551 @@
      * Guest Sysenter MSRs.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_MSR_MASK)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_MSR_MASK)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_SYSENTER_MSRS);
 
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_CS_MSR)
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_CS_MSR)
         {
             int rc = VMX_VMCS_WRITE_32(pVCpu, VMX_VMCS32_GUEST_SYSENTER_CS, pCtx->SysEnter.cs);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_CS_MSR);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_EIP_MSR)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_CS_MSR);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_EIP_MSR)
         {
             int rc = VMX_VMCS_WRITE_NW(pVCpu, VMX_VMCS_GUEST_SYSENTER_EIP, pCtx->SysEnter.eip);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_EIP_MSR);
-        }
-
-        if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_ESP_MSR)
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_EIP_MSR);
+        }
+
+        if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_SYSENTER_ESP_MSR)
         {
             int rc = VMX_VMCS_WRITE_NW(pVCpu, VMX_VMCS_GUEST_SYSENTER_ESP, pCtx->SysEnter.esp);
             AssertRC(rc);
-            ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_ESP_MSR);
+            ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_SYSENTER_ESP_MSR);
         }
     }
@@ -5687 +4580 @@
      * Guest/host EFER MSR.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_EFER_MSR)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_EFER_MSR)
     {
         /* Whether we are using the VMCS to swap the EFER MSR must have been
            determined earlier while exporting VM-entry/VM-exit controls. */
-        Assert(!(ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_VMX_ENTRY_EXIT_CTLS));
+        Assert(!(ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_VMX_ENTRY_EXIT_CTLS));
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_EFER);
 
@@ -5739 +4632 @@
             vmxHCRemoveAutoLoadStoreMsr(pVCpu, pVmxTransient, MSR_K6_EFER);
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_EFER_MSR);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_EFER_MSR);
     }
 
@@ -5745 +4638 @@
      * Other MSRs.
      */
-    if (ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged) & HM_CHANGED_GUEST_OTHER_MSRS)
+    if (ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged) & HM_CHANGED_GUEST_OTHER_MSRS)
     {
         /* Speculation Control (R/W). */
@@ -5788 +4681 @@
         }
 
-        ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~HM_CHANGED_GUEST_OTHER_MSRS);
+        ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~HM_CHANGED_GUEST_OTHER_MSRS);
     }
 
     return VINF_SUCCESS;
-}
-
-
-/**
- * Wrapper for running the guest code in VT-x.
- *
- * @returns VBox status code, no informational status codes.
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
- *
- * @remarks No-long-jump zone!!!
- */
-DECLINLINE(int) vmxHCRunGuest(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient)
-{
-    /* Mark that HM is the keeper of all guest-CPU registers now that we're going to execute guest code. */
-    pVCpu->cpum.GstCtx.fExtrn |= HMVMX_CPUMCTX_EXTRN_ALL | CPUMCTX_EXTRN_KEEPER_HM;
-
-    PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
-    bool const   fResumeVM = RT_BOOL(pVmcsInfo->fVmcsState & VMX_V_VMCS_LAUNCH_STATE_LAUNCHED);
-#ifdef VBOX_WITH_STATISTICS
-    if (fResumeVM)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatVmxVmResume);
-    else
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatVmxVmLaunch);
-#endif
-    int rc = pVCpu->hmr0.s.vmx.pfnStartVm(pVmcsInfo, pVCpu, fResumeVM);
-    AssertMsg(rc <= VINF_SUCCESS, ("%Rrc\n", rc));
-    return rc;
-}
-
-
-/**
- * Reports world-switch error and dumps some useful debug info.
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   rcVMRun         The return code from VMLAUNCH/VMRESUME.
- * @param   pVmxTransient   The VMX-transient structure (only
- *                          exitReason updated).
- */
-static void vmxHCReportWorldSwitchError(PVMCPUCC pVCpu, int rcVMRun, PVMXTRANSIENT pVmxTransient)
-{
-    Assert(pVCpu);
-    Assert(pVmxTransient);
-    HMVMX_ASSERT_PREEMPT_SAFE(pVCpu);
-
-    Log4Func(("VM-entry failure: %Rrc\n", rcVMRun));
-    switch (rcVMRun)
-    {
-        case VERR_VMX_INVALID_VMXON_PTR:
-            AssertFailed();
-            break;
-        case VINF_SUCCESS:                  /* VMLAUNCH/VMRESUME succeeded but VM-entry failed... yeah, true story. */
-        case VERR_VMX_UNABLE_TO_START_VM:   /* VMLAUNCH/VMRESUME itself failed. */
-        {
-            int rc = VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_RO_EXIT_REASON, &pVCpu->hm.s.vmx.LastError.u32ExitReason);
-            rc    |= VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_RO_VM_INSTR_ERROR, &pVCpu->hm.s.vmx.LastError.u32InstrError);
-            AssertRC(rc);
-            vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
-
-            pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hmr0.s.idEnteredCpu;
-            /* LastError.idCurrentCpu was already updated in vmxHCPreRunGuestCommitted().
-               Cannot do it here as we may have been long preempted. */
-
-#ifdef VBOX_STRICT
-                PVMXVMCSINFO pVmcsInfo = hmGetVmxActiveVmcsInfo(pVCpu);
-                Log4(("uExitReason        %#RX32 (VmxTransient %#RX16)\n", pVCpu->hm.s.vmx.LastError.u32ExitReason,
-                     pVmxTransient->uExitReason));
-                Log4(("Exit Qualification %#RX64\n", pVmxTransient->uExitQual));
-                Log4(("InstrError         %#RX32\n", pVCpu->hm.s.vmx.LastError.u32InstrError));
-                if (pVCpu->hm.s.vmx.LastError.u32InstrError <= HMVMX_INSTR_ERROR_MAX)
-                    Log4(("InstrError Desc.  \"%s\"\n", g_apszVmxInstrErrors[pVCpu->hm.s.vmx.LastError.u32InstrError]));
-                else
-                    Log4(("InstrError Desc.    Range exceeded %u\n", HMVMX_INSTR_ERROR_MAX));
-                Log4(("Entered host CPU   %u\n", pVCpu->hm.s.vmx.LastError.idEnteredCpu));
-                Log4(("Current host CPU   %u\n", pVCpu->hm.s.vmx.LastError.idCurrentCpu));
-
-                static struct
-                {
-                    /** Name of the field to log. */
-                    const char     *pszName;
-                    /** The VMCS field. */
-                    uint32_t        uVmcsField;
-                    /** Whether host support of this field needs to be checked. */
-                    bool            fCheckSupport;
-                } const s_aVmcsFields[] =
-                {
-                    { "VMX_VMCS32_CTRL_PIN_EXEC",                 VMX_VMCS32_CTRL_PIN_EXEC,                   false  },
-                    { "VMX_VMCS32_CTRL_PROC_EXEC",                VMX_VMCS32_CTRL_PROC_EXEC,                  false  },
-                    { "VMX_VMCS32_CTRL_PROC_EXEC2",               VMX_VMCS32_CTRL_PROC_EXEC2,                 true   },
-                    { "VMX_VMCS32_CTRL_ENTRY",                    VMX_VMCS32_CTRL_ENTRY,                      false  },
-                    { "VMX_VMCS32_CTRL_EXIT",                     VMX_VMCS32_CTRL_EXIT,                       false  },
-                    { "VMX_VMCS32_CTRL_CR3_TARGET_COUNT",         VMX_VMCS32_CTRL_CR3_TARGET_COUNT,           false  },
-                    { "VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO",  VMX_VMCS32_CTRL_ENTRY_INTERRUPTION_INFO,    false  },
-                    { "VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE",  VMX_VMCS32_CTRL_ENTRY_EXCEPTION_ERRCODE,    false  },
-                    { "VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH",       VMX_VMCS32_CTRL_ENTRY_INSTR_LENGTH,         false  },
-                    { "VMX_VMCS32_CTRL_TPR_THRESHOLD",            VMX_VMCS32_CTRL_TPR_THRESHOLD,              false  },
-                    { "VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT",     VMX_VMCS32_CTRL_EXIT_MSR_STORE_COUNT,       false  },
-                    { "VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT",      VMX_VMCS32_CTRL_EXIT_MSR_LOAD_COUNT,        false  },
-                    { "VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT",     VMX_VMCS32_CTRL_ENTRY_MSR_LOAD_COUNT,       false  },
-                    { "VMX_VMCS32_CTRL_EXCEPTION_BITMAP",         VMX_VMCS32_CTRL_EXCEPTION_BITMAP,           false  },
-                    { "VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK",     VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MASK,       false  },
-                    { "VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH",    VMX_VMCS32_CTRL_PAGEFAULT_ERROR_MATCH,      false  },
-                    { "VMX_VMCS_CTRL_CR0_MASK",                   VMX_VMCS_CTRL_CR0_MASK,                     false  },
-                    { "VMX_VMCS_CTRL_CR0_READ_SHADOW",            VMX_VMCS_CTRL_CR0_READ_SHADOW,              false  },
-                    { "VMX_VMCS_CTRL_CR4_MASK",                   VMX_VMCS_CTRL_CR4_MASK,                     false  },
-                    { "VMX_VMCS_CTRL_CR4_READ_SHADOW",            VMX_VMCS_CTRL_CR4_READ_SHADOW,              false  },
-                    { "VMX_VMCS64_CTRL_EPTP_FULL",                VMX_VMCS64_CTRL_EPTP_FULL,                  true   },
-                    { "VMX_VMCS_GUEST_RIP",                       VMX_VMCS_GUEST_RIP,                         false  },
-                    { "VMX_VMCS_GUEST_RSP",                       VMX_VMCS_GUEST_RSP,                         false  },
-                    { "VMX_VMCS_GUEST_RFLAGS",                    VMX_VMCS_GUEST_RFLAGS,                      false  },
-                    { "VMX_VMCS16_VPID",                          VMX_VMCS16_VPID,                            true,  },
-                    { "VMX_VMCS_HOST_CR0",                        VMX_VMCS_HOST_CR0,                          false  },
-                    { "VMX_VMCS_HOST_CR3",                        VMX_VMCS_HOST_CR3,                          false  },
-                    { "VMX_VMCS_HOST_CR4",                        VMX_VMCS_HOST_CR4,                          false  },
-                    /* The order of selector fields below are fixed! */
-                    { "VMX_VMCS16_HOST_ES_SEL",                   VMX_VMCS16_HOST_ES_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_CS_SEL",                   VMX_VMCS16_HOST_CS_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_SS_SEL",                   VMX_VMCS16_HOST_SS_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_DS_SEL",                   VMX_VMCS16_HOST_DS_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_FS_SEL",                   VMX_VMCS16_HOST_FS_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_GS_SEL",                   VMX_VMCS16_HOST_GS_SEL,                     false  },
-                    { "VMX_VMCS16_HOST_TR_SEL",                   VMX_VMCS16_HOST_TR_SEL,                     false  },
-                    /* End of ordered selector fields. */
-                    { "VMX_VMCS_HOST_TR_BASE",                    VMX_VMCS_HOST_TR_BASE,                      false  },
-                    { "VMX_VMCS_HOST_GDTR_BASE",                  VMX_VMCS_HOST_GDTR_BASE,                    false  },
-                    { "VMX_VMCS_HOST_IDTR_BASE",                  VMX_VMCS_HOST_IDTR_BASE,                    false  },
-                    { "VMX_VMCS32_HOST_SYSENTER_CS",              VMX_VMCS32_HOST_SYSENTER_CS,                false  },
-                    { "VMX_VMCS_HOST_SYSENTER_EIP",               VMX_VMCS_HOST_SYSENTER_EIP,                 false  },
-                    { "VMX_VMCS_HOST_SYSENTER_ESP",               VMX_VMCS_HOST_SYSENTER_ESP,                 false  },
-                    { "VMX_VMCS_HOST_RSP",                        VMX_VMCS_HOST_RSP,                          false  },
-                    { "VMX_VMCS_HOST_RIP",                        VMX_VMCS_HOST_RIP,                          false  }
-                };
-
-                RTGDTR      HostGdtr;
-                ASMGetGDTR(&HostGdtr);
-
-                uint32_t const cVmcsFields = RT_ELEMENTS(s_aVmcsFields);
-                for (uint32_t i = 0; i < cVmcsFields; i++)
-                {
-                    uint32_t const uVmcsField = s_aVmcsFields[i].uVmcsField;
-
-                    bool fSupported;
-                    if (!s_aVmcsFields[i].fCheckSupport)
-                        fSupported = true;
-                    else
-                    {
-                        PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-                        switch (uVmcsField)
-                        {
-                            case VMX_VMCS64_CTRL_EPTP_FULL:  fSupported = pVM->hmr0.s.fNestedPaging;    break;
-                            case VMX_VMCS16_VPID:            fSupported = pVM->hmr0.s.vmx.fVpid;          break;
-                            case VMX_VMCS32_CTRL_PROC_EXEC2:
-                                fSupported = RT_BOOL(pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_SECONDARY_CTLS);
-                                break;
-                            default:
-                                AssertMsgFailedReturnVoid(("Failed to provide VMCS field support for %#RX32\n", uVmcsField));
-                        }
-                    }
-
-                    if (fSupported)
-                    {
-                        uint8_t const uWidth = RT_BF_GET(uVmcsField, VMX_BF_VMCSFIELD_WIDTH);
-                        switch (uWidth)
-                        {
-                            case VMX_VMCSFIELD_WIDTH_16BIT:
-                            {
-                                uint16_t u16Val;
-                                rc = VMX_VMCS_READ_16(pVCpu, uVmcsField, &u16Val);
-                                AssertRC(rc);
-                                Log4(("%-40s = %#RX16\n", s_aVmcsFields[i].pszName, u16Val));
-
-                                if (   uVmcsField >= VMX_VMCS16_HOST_ES_SEL
-                                    && uVmcsField <= VMX_VMCS16_HOST_TR_SEL)
-                                {
-                                    if (u16Val < HostGdtr.cbGdt)
-                                    {
-                                        /* Order of selectors in s_apszSel is fixed and matches the order in s_aVmcsFields. */
-                                        static const char * const s_apszSel[] = { "Host ES", "Host CS", "Host SS", "Host DS",
-                                                                                  "Host FS", "Host GS", "Host TR" };
-                                        uint8_t const idxSel = RT_BF_GET(uVmcsField, VMX_BF_VMCSFIELD_INDEX);
-                                        Assert(idxSel < RT_ELEMENTS(s_apszSel));
-                                        PCX86DESCHC pDesc = (PCX86DESCHC)(HostGdtr.pGdt + (u16Val & X86_SEL_MASK));
-                                        hmR0DumpDescriptor(pDesc, u16Val, s_apszSel[idxSel]);
-                                    }
-                                    else
-                                        Log4(("  Selector value exceeds GDT limit!\n"));
-                                }
-                                break;
-                            }
-
-                            case VMX_VMCSFIELD_WIDTH_32BIT:
-                            {
-                                uint32_t u32Val;
-                                rc = VMX_VMCS_READ_32(pVCpu, uVmcsField, &u32Val);
-                                AssertRC(rc);
-                                Log4(("%-40s = %#RX32\n", s_aVmcsFields[i].pszName, u32Val));
-                                break;
-                            }
-
-                            case VMX_VMCSFIELD_WIDTH_64BIT:
-                            case VMX_VMCSFIELD_WIDTH_NATURAL:
-                            {
-                                uint64_t u64Val;
-                                rc = VMX_VMCS_READ_64(pVCpu, uVmcsField, &u64Val);
-                                AssertRC(rc);
-                                Log4(("%-40s = %#RX64\n", s_aVmcsFields[i].pszName, u64Val));
-                                break;
-                            }
-                        }
-                    }
-                }
-
-                Log4(("MSR_K6_EFER            = %#RX64\n", ASMRdMsr(MSR_K6_EFER)));
-                Log4(("MSR_K8_CSTAR           = %#RX64\n", ASMRdMsr(MSR_K8_CSTAR)));
-                Log4(("MSR_K8_LSTAR           = %#RX64\n", ASMRdMsr(MSR_K8_LSTAR)));
-                Log4(("MSR_K6_STAR            = %#RX64\n", ASMRdMsr(MSR_K6_STAR)));
-                Log4(("MSR_K8_SF_MASK         = %#RX64\n", ASMRdMsr(MSR_K8_SF_MASK)));
-                Log4(("MSR_K8_KERNEL_GS_BASE  = %#RX64\n", ASMRdMsr(MSR_K8_KERNEL_GS_BASE)));
-#endif /* VBOX_STRICT */
-            break;
-        }
-
-        default:
-            /* Impossible */
-            AssertMsgFailed(("vmxHCReportWorldSwitchError %Rrc (%#x)\n", rcVMRun, rcVMRun));
-            break;
-    }
 }
 
@@ -6051 +4717 @@
             && TMVirtualSyncIsCurrentDeadlineVersion(pVM, pVCpu->hmr0.s.vmx.uTscDeadlineVersion))
         {
-            STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatVmxPreemptionReusingDeadline);
+            STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatVmxPreemptionReusingDeadline);
             fOffsettedTsc = TMCpuTickCanUseRealTSC(pVM, pVCpu, &uTscOffset, &fParavirtTsc);
             cTicksToDeadline = pVCpu->hmr0.s.vmx.uTscDeadline - SUPReadTsc();
@@ -6058 +4724 @@
             else
             {
-                STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatVmxPreemptionReusingDeadlineExpired);
+                STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatVmxPreemptionReusingDeadlineExpired);
                 cTicksToDeadline = 0;
             }
@@ -6064 +4730 @@
         else
         {
-            STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatVmxPreemptionRecalcingDeadline);
+            STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatVmxPreemptionRecalcingDeadline);
             cTicksToDeadline = TMCpuTickGetDeadlineAndTscOffset(pVM, pVCpu, &uTscOffset, &fOffsettedTsc, &fParavirtTsc,
                                                                 &pVCpu->hmr0.s.vmx.uTscDeadline,
@@ -6072 +4738 @@
             { /* hopefully */ }
             else
-                STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatVmxPreemptionRecalcingDeadlineExpired);
+                STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatVmxPreemptionRecalcingDeadlineExpired);
         }
 
@@ -6099 +4765 @@
         AssertRC(rc);
 #endif
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatTscParavirt);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatTscParavirt);
     }
 
@@ -6116 +4782 @@
     }
 }
+#endif /* !IN_RING0 */
 
 
@@ -6191 +4858 @@
                                         RTGCUINTPTR GCPtrFaultAddress)
 {
-    Assert(!pVCpu->hm.s.Event.fPending);
-    pVCpu->hm.s.Event.fPending          = true;
-    pVCpu->hm.s.Event.u64IntInfo        = u32IntInfo;
-    pVCpu->hm.s.Event.u32ErrCode        = u32ErrCode;
-    pVCpu->hm.s.Event.cbInstr           = cbInstr;
-    pVCpu->hm.s.Event.GCPtrFaultAddress = GCPtrFaultAddress;
+    Assert(!VCPU_2_VMXSTATE(pVCpu).Event.fPending);
+    VCPU_2_VMXSTATE(pVCpu).Event.fPending          = true;
+    VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo        = u32IntInfo;
+    VCPU_2_VMXSTATE(pVCpu).Event.u32ErrCode        = u32ErrCode;
+    VCPU_2_VMXSTATE(pVCpu).Event.cbInstr           = cbInstr;
+    VCPU_2_VMXSTATE(pVCpu).Event.GCPtrFaultAddress = GCPtrFaultAddress;
 }
 
@@ -6348 +5015 @@
 
 #ifdef VBOX_STRICT
+# ifdef IN_RING0
     VMMRZCallRing3Disable(pVCpu);
+# endif
     Log4Func(("Unusable %s: sel=%#x attr=%#x -> %#x\n", pszRegName, pSelReg->Sel, uAttr, pSelReg->Attr.u));
 # ifdef DEBUG_bird
@@ -6355 +5024 @@
                pszRegName, uAttr, pSelReg->Attr.u, pSelReg->Sel, pSelReg->u64Base, pSelReg->u32Limit));
 # endif
+# ifdef IN_RING0
     VMMRZCallRing3Enable(pVCpu);
+# endif
     NOREF(uAttr);
 #endif
@@ -6474 +5145 @@
 
         pCtx->rip = u64Val;
-        EMR0HistoryUpdatePC(pVCpu, pCtx->rip, false);
+        EMHistoryUpdatePC(pVCpu, pCtx->rip, false);
         pCtx->fExtrn &= ~CPUMCTX_EXTRN_RIP;
     }
@@ -6500 +5171 @@
 
         pCtx->rflags.u64 = u64Val;
+#ifdef IN_RING0
         PCVMXVMCSINFOSHARED pVmcsInfoShared = pVmcsInfo->pShared;
         if (pVmcsInfoShared->RealMode.fRealOnV86Active)
@@ -6506 +5178 @@
             pCtx->eflags.Bits.u2IOPL = pVmcsInfoShared->RealMode.Eflags.Bits.u2IOPL;
         }
+#else
+        RT_NOREF(pVmcsInfo);
+#endif
         pCtx->fExtrn &= ~CPUMCTX_EXTRN_RFLAGS;
     }
@@ -6565 +5240 @@
 {
     int      rc   = VINF_SUCCESS;
+#ifdef IN_RING0
     PVMCC    pVM  = pVCpu->CTX_SUFF(pVM);
+#endif
     PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
     uint32_t u32Val;
@@ -6578 +5255 @@
      * Update: This is very likely a compiler optimization bug, see @bugref{9180}.
      */
-#ifdef RT_OS_WINDOWS
+# ifdef RT_OS_WINDOWS
     if (pVM == 0 || pVM == (void *)(uintptr_t)-1)
         return VERR_HM_IPE_1;
-#endif
-
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatImportGuestState, x);
-
+# endif
+
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatImportGuestState, x);
+
+#ifdef IN_RING0
     /*
      * We disable interrupts to make the updating of the state and in particular
@@ -6590 +5268 @@
      */
     RTCCUINTREG const fEFlags = ASMIntDisableFlags();
+#endif
 
     fWhat &= pCtx->fExtrn;
@@ -6621 +5300 @@
                     if (fRealOnV86Active)
                         pCtx->cs.Attr.u = pVmcsInfoShared->RealMode.AttrCS.u;
-                    EMR0HistoryUpdatePC(pVCpu, pCtx->cs.u64Base + pCtx->rip, true /* fFlattened */);
+                    EMHistoryUpdatePC(pVCpu, pCtx->cs.u64Base + pCtx->rip, true /* fFlattened */);
                 }
                 if (fWhat & CPUMCTX_EXTRN_SS)
@@ -6678 +5357 @@
                 if (fWhat & CPUMCTX_EXTRN_TR)
                 {
+#ifdef IN_RING0
                     /* Real-mode emulation using virtual-8086 mode has the fake TSS (pRealModeTSS) in TR,
                        don't need to import that one. */
                     if (!pVmcsInfo->pShared->RealMode.fRealOnV86Active)
+#endif
                         vmxHCImportGuestTr(pVCpu);
                 }
@@ -6687 +5368 @@
             if (fWhat & CPUMCTX_EXTRN_DR7)
             {
+#ifdef IN_RING0
                 if (!pVCpu->hmr0.s.fUsingHyperDR7)
+#endif
                 {
                     rc = VMX_VMCS_READ_NW(pVCpu, VMX_VMCS_GUEST_DR7, &pCtx->dr[7]);
@@ -6702 +5385 @@
             }
 
+#ifdef IN_RING0
             if (fWhat & CPUMCTX_EXTRN_KERNEL_GS_BASE)
             {
@@ -6761 +5445 @@
                             }
                             pCtx->fExtrn = 0;
-                            pVCpu->hm.s.u32HMError = pMsrs->u32Msr;
+                            VCPU_2_VMXSTATE(pVCpu).u32HMError = pMsrs->u32Msr;
                             ASMSetFlags(fEFlags);
                             AssertMsgFailed(("Unexpected MSR in auto-load/store area. idMsr=%#RX32 cMsrs=%u\n", idMsr, cMsrs));
@@ -6769 +5453 @@
                 }
             }
+#endif
 
             if (fWhat & CPUMCTX_EXTRN_CR_MASK)
@@ -6801 +5486 @@
                     }
 #endif
+#ifdef IN_RING0
                     VMMRZCallRing3Disable(pVCpu);   /* May call into PGM which has Log statements. */
+#endif
                     CPUMSetGuestCR0(pVCpu, u64Cr0);
+#ifdef IN_RING0
                     VMMRZCallRing3Enable(pVCpu);
+#endif
                 }
 
@@ -6841 +5530 @@
                 {
                     /* CR0.PG bit changes are always intercepted, so it's up to date. */
+#ifdef IN_RING0 /* With R3 we always have unresitricted guest support. */
                     if (   pVM->hmr0.s.vmx.fUnrestrictedGuest
                         || (   pVM->hmr0.s.fNestedPaging
                             && CPUMIsGuestPagingEnabledEx(pCtx)))
+#endif
                     {
                         uint64_t u64Cr3;
@@ -6905 +5596 @@
         }
     }
+#ifdef IN_RING0
     else
         AssertMsg(!pCtx->fExtrn || (pCtx->fExtrn & HMVMX_CPUMCTX_EXTRN_ALL), ("%#RX64\n", pCtx->fExtrn));
@@ -6912 +5604 @@
      */
     ASMSetFlags(fEFlags);
-
-    STAM_PROFILE_ADV_STOP(& pVCpu->hm.s.StatImportGuestState, x);
+#endif
+
+    STAM_PROFILE_ADV_STOP(& VCPU_2_VMXSTATE(pVCpu).StatImportGuestState, x);
 
     if (RT_SUCCESS(rc))
@@ -6937 +5630 @@
      */
     if (   VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3)
-        && VMMRZCallRing3IsEnabled(pVCpu))
+#ifdef IN_RING0
+        && VMMRZCallRing3IsEnabled(pVCpu)
+#endif
+        )
     {
         Assert(!(ASMAtomicUoReadU64(&pCtx->fExtrn) & CPUMCTX_EXTRN_CR3));
@@ -6965 +5661 @@
  *
  * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
+ * @param   fIsNestedGuest  Flag whether this is for a for a pending nested guest event.
  * @param   fStepping       Whether we are single-stepping the guest using the
  *                          hypervisor debugger.
@@ -6972 +5668 @@
  *          is no longer in VMX non-root mode.
  */
-static VBOXSTRICTRC vmxHCCheckForceFlags(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient, bool fStepping)
-{
+static VBOXSTRICTRC vmxHCCheckForceFlags(PVMCPUCC pVCpu, bool fIsNestedGuest, bool fStepping)
+{
+#ifdef IN_RING0
     Assert(VMMRZCallRing3IsEnabled(pVCpu));
+#endif
 
     /*
@@ -7012 +5710 @@
         || VMCPU_FF_IS_ANY_SET(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
     {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchHmToR3FF);
         int rc = RT_LIKELY(!VM_FF_IS_SET(pVM, VM_FF_PGM_NO_MEMORY)) ? VINF_EM_RAW_TO_R3 : VINF_EM_NO_MEMORY;
         Log4Func(("HM_TO_R3 forcing us back to ring-3. rc=%d\n", rc));
@@ -7022 +5720 @@
         || VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_REQUEST))
     {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchVmReq);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchVmReq);
         Log4Func(("Pending VM request forcing us back to ring-3\n"));
         return VINF_EM_PENDING_REQUEST;
@@ -7030 +5728 @@
     if (VM_FF_IS_SET(pVM, VM_FF_PGM_POOL_FLUSH_PENDING))
     {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchPgmPoolFlush);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchPgmPoolFlush);
         Log4Func(("PGM pool flush pending forcing us back to ring-3\n"));
         return VINF_PGM_POOL_FLUSH_PENDING;
@@ -7038 +5736 @@
     if (VM_FF_IS_SET(pVM, VM_FF_PDM_DMA))
     {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchDma);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchDma);
         Log4Func(("Pending DMA request forcing us back to ring-3\n"));
         return VINF_EM_RAW_TO_R3;
@@ -7051 +5749 @@
      * See Intel spec. 6.9 "Priority Among Simultaneous Exceptions And Interrupts".
      */
-    if (pVmxTransient->fIsNestedGuest)
+    if (fIsNestedGuest)
     {
         /* Pending nested-guest APIC-write. */
@@ -7081 +5779 @@
     }
 #else
-    NOREF(pVmxTransient);
+    NOREF(fIsNestedGuest);
 #endif
 
@@ -7097 +5795 @@
 {
     Assert(TRPMHasTrap(pVCpu));
-    Assert(!pVCpu->hm.s.Event.fPending);
+    Assert(!VCPU_2_VMXSTATE(pVCpu).Event.fPending);
 
     uint8_t     uVector;
@@ -7129 +5827 @@
 static void vmxHCPendingEventToTrpmTrap(PVMCPUCC pVCpu)
 {
-    Assert(pVCpu->hm.s.Event.fPending);
+    Assert(VCPU_2_VMXSTATE(pVCpu).Event.fPending);
 
     /* If a trap was already pending, we did something wrong! */
     Assert(TRPMQueryTrap(pVCpu, NULL /* pu8TrapNo */, NULL /* pEnmType */) == VERR_TRPM_NO_ACTIVE_TRAP);
 
-    uint32_t const  u32IntInfo  = pVCpu->hm.s.Event.u64IntInfo;
+    uint32_t const  u32IntInfo  = VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo;
     uint32_t const  uVector     = VMX_IDT_VECTORING_INFO_VECTOR(u32IntInfo);
     TRPMEVENT const enmTrapType = HMVmxEventTypeToTrpmEventType(u32IntInfo);
@@ -7144 +5842 @@
 
     if (VMX_IDT_VECTORING_INFO_IS_ERROR_CODE_VALID(u32IntInfo))
-        TRPMSetErrorCode(pVCpu, pVCpu->hm.s.Event.u32ErrCode);
+        TRPMSetErrorCode(pVCpu, VCPU_2_VMXSTATE(pVCpu).Event.u32ErrCode);
 
     if (VMX_IDT_VECTORING_INFO_IS_XCPT_PF(u32IntInfo))
-        TRPMSetFaultAddress(pVCpu, pVCpu->hm.s.Event.GCPtrFaultAddress);
+        TRPMSetFaultAddress(pVCpu, VCPU_2_VMXSTATE(pVCpu).Event.GCPtrFaultAddress);
     else
     {
@@ -7164 +5862 @@
                               || uVector == X86_XCPT_DB /* INT1 (ICEBP) */),
                           ("Invalid vector: uVector=%#x uVectorType=%#x\n", uVector, uVectorType));
-                TRPMSetInstrLength(pVCpu, pVCpu->hm.s.Event.cbInstr);
+                TRPMSetInstrLength(pVCpu, VCPU_2_VMXSTATE(pVCpu).Event.cbInstr);
                 break;
             }
@@ -7171 +5869 @@
 
     /* We're now done converting the pending event. */
-    pVCpu->hm.s.Event.fPending = false;
+    VCPU_2_VMXSTATE(pVCpu).Event.fPending = false;
 }
 
@@ -7179 +5877 @@
  * cause a VM-exit as soon as the guest is in a state to receive interrupts.
  *
+ * @param   pVCpu       The cross context virtual CPU structure.
  * @param   pVmcsInfo   The VMCS info. object.
  */
-static void vmxHCSetIntWindowExitVmcs(PVMXVMCSINFO pVmcsInfo)
+static void vmxHCSetIntWindowExitVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo)
 {
     if (g_HmMsrs.u.vmx.ProcCtls.n.allowed1 & VMX_PROC_CTLS_INT_WINDOW_EXIT)
@@ -7198 +5897 @@
  * Clears the interrupt-window exiting control in the VMCS.
  *
+ * @param   pVCpu       The cross context virtual CPU structure.
  * @param   pVmcsInfo   The VMCS info. object.
  */
-DECLINLINE(void) vmxHCClearIntWindowExitVmcs(PVMXVMCSINFO pVmcsInfo)
+DECLINLINE(void) vmxHCClearIntWindowExitVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo)
 {
     if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_INT_WINDOW_EXIT)
@@ -7215 +5915 @@
  * cause a VM-exit as soon as the guest is in a state to receive NMIs.
  *
+ * @param   pVCpu       The cross context virtual CPU structure.
  * @param   pVmcsInfo   The VMCS info. object.
  */
-static void vmxHCSetNmiWindowExitVmcs(PVMXVMCSINFO pVmcsInfo)
+static void vmxHCSetNmiWindowExitVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo)
 {
     if (g_HmMsrs.u.vmx.ProcCtls.n.allowed1 & VMX_PROC_CTLS_NMI_WINDOW_EXIT)
@@ -7235 +5936 @@
  * Clears the NMI-window exiting control in the VMCS.
  *
+ * @param   pVCpu       The cross context virtual CPU structure.
  * @param   pVmcsInfo   The VMCS info. object.
  */
-DECLINLINE(void) vmxHCClearNmiWindowExitVmcs(PVMXVMCSINFO pVmcsInfo)
+DECLINLINE(void) vmxHCClearNmiWindowExitVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo)
 {
     if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_NMI_WINDOW_EXIT)
@@ -7248 +5950 @@
 
 
+#ifdef IN_RING0
 /**
  * Does the necessary state syncing before returning to ring-3 for any reason
@@ -7319 +6022 @@
     pVCpu->hmr0.s.vmx.fUpdatedHostAutoMsrs = false;
 
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatEntry);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatImportGuestState);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExportGuestState);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatPreExit);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitHandling);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitIO);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitMovCRx);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitXcptNmi);
-    STAM_PROFILE_ADV_SET_STOPPED(&pVCpu->hm.s.StatExitVmentry);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatEntry);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatImportGuestState);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExportGuestState);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatPreExit);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExitHandling);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExitIO);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExitMovCRx);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExitXcptNmi);
+    STAM_PROFILE_ADV_SET_STOPPED(&VCPU_2_VMXSTATE(pVCpu).StatExitVmentry);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchLongJmpToR3);
 
     VMCPU_CMPXCHG_STATE(pVCpu, VMCPUSTATE_STARTED_HM, VMCPUSTATE_STARTED_EXEC);
@@ -7446 +6149 @@
     if (RT_UNLIKELY(rcExit == VERR_VMX_INVALID_VMCS_PTR))
     {
-        VMXGetCurrentVmcs(&pVCpu->hm.s.vmx.LastError.HCPhysCurrentVmcs);
-        pVCpu->hm.s.vmx.LastError.u32VmcsRev   = *(uint32_t *)pVmcsInfo->pvVmcs;
-        pVCpu->hm.s.vmx.LastError.idEnteredCpu = pVCpu->hmr0.s.idEnteredCpu;
+        VMXGetCurrentVmcs(&VCPU_2_VMXSTATE(pVCpu).vmx.LastError.HCPhysCurrentVmcs);
+        VCPU_2_VMXSTATE(pVCpu).vmx.LastError.u32VmcsRev   = *(uint32_t *)pVmcsInfo->pvVmcs;
+        VCPU_2_VMXSTATE(pVCpu).vmx.LastError.idEnteredCpu = pVCpu->hmr0.s.idEnteredCpu;
         /* LastError.idCurrentCpu was updated in vmxHCPreRunGuestCommitted(). */
     }
@@ -7463 +6166 @@
      * the event from there (hence place it back in TRPM).
      */
-    if (pVCpu->hm.s.Event.fPending)
+    if (VCPU_2_VMXSTATE(pVCpu).Event.fPending)
     {
         vmxHCPendingEventToTrpmTrap(pVCpu);
-        Assert(!pVCpu->hm.s.Event.fPending);
+        Assert(!VCPU_2_VMXSTATE(pVCpu).Event.fPending);
 
         /* Clear the events from the VMCS. */
@@ -7507 +6210 @@
     if (!CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
     {
-        vmxHCClearIntWindowExitVmcs(pVmcsInfo);
-        vmxHCClearNmiWindowExitVmcs(pVmcsInfo);
+        vmxHCClearIntWindowExitVmcs(pVCpu, pVmcsInfo);
+        vmxHCClearNmiWindowExitVmcs(pVCpu, pVmcsInfo);
     }
 
@@ -7521 +6224 @@
     int rc = vmxHCLeaveSession(pVCpu);
     AssertRCReturn(rc, rc);
-    STAM_COUNTER_DEC(&pVCpu->hm.s.StatSwitchLongJmpToR3);
+    STAM_COUNTER_DEC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchLongJmpToR3);
 
     /* Thread-context hooks are unregistered at this point!!! */
@@ -7541 +6244 @@
 
     /* Update the exit-to-ring 3 reason. */
-    pVCpu->hm.s.rcLastExitToR3 = VBOXSTRICTRC_VAL(rcExit);
+    VCPU_2_VMXSTATE(pVCpu).rcLastExitToR3 = VBOXSTRICTRC_VAL(rcExit);
 
     /* On our way back from ring-3 reload the guest state if there is a possibility of it being changed. */
@@ -7548 +6251 @@
     {
         Assert(!(pVCpu->cpum.GstCtx.fExtrn & HMVMX_CPUMCTX_EXTRN_ALL));
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
-    }
-
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchExitToR3);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
+    }
+
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchExitToR3);
     VMMRZCallRing3Enable(pVCpu);
     return rc;
@@ -7581 +6284 @@
     return rc;
 }
-
+#endif /* !IN_RING */
 
 /**
@@ -7601 +6304 @@
  *                          VM-entry).
  */
-static VBOXSTRICTRC vmxHCInjectEventVmcs(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient, PCHMEVENT pEvent, bool fStepping,
+static VBOXSTRICTRC vmxHCInjectEventVmcs(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo, bool fIsNestedGuest, PCHMEVENT pEvent, bool fStepping,
                                            uint32_t *pfIntrState)
 {
@@ -7656 +6359 @@
         Assert(uIntType != VMX_EXIT_INT_INFO_TYPE_NMI          || uVector == X86_XCPT_NMI);
         Assert(uIntType != VMX_EXIT_INT_INFO_TYPE_PRIV_SW_XCPT || uVector == X86_XCPT_DB);
-        STAM_COUNTER_INC(&pVCpu->hm.s.aStatInjectedXcpts[uVector]);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).aStatInjectedXcpts[uVector]);
     }
     else
-        STAM_COUNTER_INC(&pVCpu->hm.s.aStatInjectedIrqs[uVector & MASK_INJECT_IRQ_STAT]);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).aStatInjectedIrqs[uVector & MASK_INJECT_IRQ_STAT]);
 
     /*
@@ -7671 +6374 @@
     if (CPUMIsGuestInRealModeEx(pCtx))     /* CR0.PE bit changes are always intercepted, so it's up to date. */
     {
+#ifdef IN_RING0
         if (pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.fUnrestrictedGuest)
+#endif
         {
             /*
@@ -7681 +6386 @@
             u32IntInfo &= ~VMX_ENTRY_INT_INFO_ERROR_CODE_VALID;
         }
+#ifdef IN_RING0
         else
         {
@@ -7689 +6395 @@
 
             /* We require RIP, RSP, RFLAGS, CS, IDTR, import them. */
-            PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
             int rc2 = vmxHCImportGuestState(pVCpu, pVmcsInfo, CPUMCTX_EXTRN_SREG_MASK | CPUMCTX_EXTRN_TABLE_MASK
                                                               | CPUMCTX_EXTRN_RIP | CPUMCTX_EXTRN_RSP | CPUMCTX_EXTRN_RFLAGS);
@@ -7713 +6418 @@
                     RT_ZERO(EventXcptDf);
                     EventXcptDf.u64IntInfo = uXcptDfInfo;
-                    return vmxHCInjectEventVmcs(pVCpu, pVmxTransient, &EventXcptDf, fStepping, pfIntrState);
+                    return vmxHCInjectEventVmcs(pVCpu, pVmcsInfo, fIsNestedGuest, &EventXcptDf, fStepping, pfIntrState);
                 }
 
@@ -7729 +6434 @@
                 RT_ZERO(EventXcptGp);
                 EventXcptGp.u64IntInfo = uXcptGpInfo;
-                return vmxHCInjectEventVmcs(pVCpu, pVmxTransient, &EventXcptGp, fStepping, pfIntrState);
+                return vmxHCInjectEventVmcs(pVCpu, pVmcsInfo, fIsNestedGuest, &EventXcptGp, fStepping, pfIntrState);
             }
 
@@ -7771 +6476 @@
                     pCtx->cr2 = GCPtrFault;
 
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_CS  | HM_CHANGED_GUEST_CR2
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_CS  | HM_CHANGED_GUEST_CR2
                                                          | HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS
                                                          | HM_CHANGED_GUEST_RSP);
@@ -7794 +6499 @@
                  * we don't attempt to undo it if we are returning to ring-3 before executing guest code.
                  */
-                pVCpu->hm.s.Event.fPending = false;
+                VCPU_2_VMXSTATE(pVCpu).Event.fPending = false;
 
                 /*
@@ -7800 +6505 @@
                  * we should set fInterceptEvents here.
                  */
-                Assert(!pVmxTransient->fIsNestedGuest);
+                Assert(!fIsNestedGuest);
 
                 /* If we're stepping and we've changed cs:rip above, bail out of the VMX R0 execution loop. */
@@ -7810 +6515 @@
             return rcStrict;
         }
+#else
+        RT_NOREF(pVmcsInfo);
+#endif
     }
 
@@ -7848 +6556 @@
  * @returns Strict VBox status code (i.e. informational status codes too).
  * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
+ * @param   pVmcsInfo       The VMCS information structure.
+ * @param   fIsNestedGuest  Flag whether the evaluation happens for a nestd guest.
  * @param   pfIntrState     Where to store the VT-x guest-interruptibility state.
  */
-static VBOXSTRICTRC vmxHCEvaluatePendingEvent(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient, uint32_t *pfIntrState)
+static VBOXSTRICTRC vmxHCEvaluatePendingEvent(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo, bool fIsNestedGuest, uint32_t *pfIntrState)
 {
     Assert(pfIntrState);
@@ -7866 +6575 @@
      * An event that's already pending has already performed all necessary checks.
      */
-    PVMXVMCSINFO pVmcsInfo      = pVmxTransient->pVmcsInfo;
-    bool const   fIsNestedGuest = pVmxTransient->fIsNestedGuest;
-    if (   !pVCpu->hm.s.Event.fPending
+    if (   !VCPU_2_VMXSTATE(pVCpu).Event.fPending
         && !VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_INHIBIT_INTERRUPTS))
     {
@@ -7877 +6584 @@
          * NMIs take priority over external interrupts.
          */
+#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
         PCCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
+#endif
         if (VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_INTERRUPT_NMI))
         {
@@ -7902 +6611 @@
             }
             else if (!fIsNestedGuest)
-                vmxHCSetNmiWindowExitVmcs(pVmcsInfo);
+                vmxHCSetNmiWindowExitVmcs(pVCpu, pVmcsInfo);
         }
 
@@ -7911 +6620 @@
          */
         if (    VMCPU_FF_IS_ANY_SET(pVCpu, VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC)
-            && !pVCpu->hm.s.fSingleInstruction)
+            && !VCPU_2_VMXSTATE(pVCpu).fSingleInstruction)
         {
             Assert(!DBGFIsStepping(pVCpu));
@@ -7955 +6664 @@
                 else if (rc == VERR_APIC_INTR_MASKED_BY_TPR)
                 {
-                    STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchTprMaskedIrq);
+                    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchTprMaskedIrq);
 
                     if (   !fIsNestedGuest
                         && (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_TPR_SHADOW))
-                        vmxHCApicSetTprThreshold(pVmcsInfo, u8Interrupt >> 4);
+                        vmxHCApicSetTprThreshold(pVCpu, pVmcsInfo, u8Interrupt >> 4);
                     /* else: for nested-guests, TPR threshold is picked up while merging VMCS controls. */
 
@@ -7969 +6678 @@
                 }
                 else
-                    STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchGuestIrq);
+                    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchGuestIrq);
 
                 /* We've injected the interrupt or taken necessary action, bail. */
@@ -7975 +6684 @@
             }
             if (!fIsNestedGuest)
-                vmxHCSetIntWindowExitVmcs(pVmcsInfo);
+                vmxHCSetIntWindowExitVmcs(pVCpu, pVmcsInfo);
         }
     }
@@ -7986 +6695 @@
          */
         if (VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_INTERRUPT_NMI))
-            vmxHCSetNmiWindowExitVmcs(pVmcsInfo);
+            vmxHCSetNmiWindowExitVmcs(pVCpu, pVmcsInfo);
         else if (   VMCPU_FF_IS_ANY_SET(pVCpu, VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC)
-                 && !pVCpu->hm.s.fSingleInstruction)
-            vmxHCSetIntWindowExitVmcs(pVmcsInfo);
+                 && !VCPU_2_VMXSTATE(pVCpu).fSingleInstruction)
+            vmxHCSetIntWindowExitVmcs(pVCpu, pVmcsInfo);
     }
     /* else: for nested-guests, NMI/interrupt-window exiting will be picked up when merging VMCS controls. */
@@ -8003 +6712 @@
  * @returns Strict VBox status code (i.e. informational status codes too).
  * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
+ * @param   fIsNestedGuest  Flag whether the event injection happens for a nested guest.
  * @param   fIntrState      The VT-x guest-interruptibility state.
  * @param   fStepping       Whether we are single-stepping the guest using the
@@ -8010 +6719 @@
  *                          directly.
  */
-static VBOXSTRICTRC vmxHCInjectPendingEvent(PVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient, uint32_t fIntrState, bool fStepping)
+static VBOXSTRICTRC vmxHCInjectPendingEvent(PVMCPUCC pVCpu, PVMXVMCSINFO pVmcsInfo, bool fIsNestedGuest, uint32_t fIntrState, bool fStepping)
 {
     HMVMX_ASSERT_PREEMPT_SAFE(pVCpu);
+#ifdef IN_RING0
     Assert(VMMRZCallRing3IsEnabled(pVCpu));
+#endif
 
 #ifdef VBOX_STRICT
@@ -8035 +6746 @@
 
     VBOXSTRICTRC rcStrict = VINF_SUCCESS;
-    if (pVCpu->hm.s.Event.fPending)
+    if (VCPU_2_VMXSTATE(pVCpu).Event.fPending)
     {
         /*
@@ -8044 +6755 @@
          * See Intel spec. 26.6.5 "Interrupt-Window Exiting and Virtual-Interrupt Delivery".
          */
-        uint32_t const uIntType = VMX_ENTRY_INT_INFO_TYPE(pVCpu->hm.s.Event.u64IntInfo);
+        uint32_t const uIntType = VMX_ENTRY_INT_INFO_TYPE(VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo);
 #ifdef VBOX_STRICT
         if (uIntType == VMX_ENTRY_INT_INFO_TYPE_EXT_INT)
@@ -8059 +6770 @@
         }
 #endif
-        Log4(("Injecting pending event vcpu[%RU32] u64IntInfo=%#RX64 Type=%#RX32\n", pVCpu->idCpu, pVCpu->hm.s.Event.u64IntInfo,
+        Log4(("Injecting pending event vcpu[%RU32] u64IntInfo=%#RX64 Type=%#RX32\n", pVCpu->idCpu, VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo,
               uIntType));
 
@@ -8068 +6779 @@
          * into the guest IDT ourselves (for real-on-v86 guest injecting software interrupts).
          */
-        rcStrict = vmxHCInjectEventVmcs(pVCpu, pVmxTransient, &pVCpu->hm.s.Event, fStepping, &fIntrState);
+        rcStrict = vmxHCInjectEventVmcs(pVCpu, pVmcsInfo, fIsNestedGuest, &VCPU_2_VMXSTATE(pVCpu).Event, fStepping, &fIntrState);
         AssertRCReturn(VBOXSTRICTRC_VAL(rcStrict), rcStrict);
 
         if (uIntType == VMX_ENTRY_INT_INFO_TYPE_EXT_INT)
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectInterrupt);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectInterrupt);
         else
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectXcpt);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectXcpt);
     }
 
@@ -8082 +6793 @@
      */
     if (   (fIntrState & (VMX_VMCS_GUEST_INT_STATE_BLOCK_STI | VMX_VMCS_GUEST_INT_STATE_BLOCK_MOVSS))
-        && !pVmxTransient->fIsNestedGuest)
+        && !fIsNestedGuest)
     {
         HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_RFLAGS);
 
-        if (!pVCpu->hm.s.fSingleInstruction)
+        if (!VCPU_2_VMXSTATE(pVCpu).fSingleInstruction)
         {
             /*
@@ -8105 +6816 @@
              * we use MTF, so just make sure it's called before executing guest-code.
              */
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_DR_MASK);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_DR_MASK);
         }
     }
@@ -8130 +6841 @@
 }
 
-
+#ifdef IN_RING0
 /**
  * Exports the guest state into the VMCS guest-state area.
@@ -8158 +6869 @@
     LogFlowFunc(("pVCpu=%p\n", pVCpu));
 
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExportGuestState, x);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExportGuestState, x);
 
     /*
@@ -8209 +6920 @@
 
     /* Clear any bits that may be set but exported unconditionally or unused/reserved bits. */
-    ASMAtomicUoAndU64(&pVCpu->hm.s.fCtxChanged, ~(  (HM_CHANGED_GUEST_GPRS_MASK & ~HM_CHANGED_GUEST_RSP)
+    ASMAtomicUoAndU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, ~(  (HM_CHANGED_GUEST_GPRS_MASK & ~HM_CHANGED_GUEST_RSP)
                                                   |  HM_CHANGED_GUEST_CR2
                                                   | (HM_CHANGED_GUEST_DR_MASK & ~HM_CHANGED_GUEST_DR7)
@@ -8222 +6933 @@
                                                   | (HM_CHANGED_KEEPER_STATE_MASK & ~HM_CHANGED_VMX_MASK)));
 
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExportGuestState, x);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExportGuestState, x);
     return rc;
 }
@@ -8240 +6951 @@
     Assert(!VMMRZCallRing3IsEnabled(pVCpu));
 
-    if (pVCpu->hm.s.fCtxChanged & HM_CHANGED_GUEST_DR_MASK)
+    if (VCPU_2_VMXSTATE(pVCpu).fCtxChanged & HM_CHANGED_GUEST_DR_MASK)
     {
         int rc = vmxHCExportSharedDebugState(pVCpu, pVmxTransient);
         AssertRC(rc);
-        pVCpu->hm.s.fCtxChanged &= ~HM_CHANGED_GUEST_DR_MASK;
+        VCPU_2_VMXSTATE(pVCpu).fCtxChanged &= ~HM_CHANGED_GUEST_DR_MASK;
 
         /* Loading shared debug bits might have changed eflags.TF bit for debugging purposes. */
-        if (pVCpu->hm.s.fCtxChanged & HM_CHANGED_GUEST_RFLAGS)
+        if (VCPU_2_VMXSTATE(pVCpu).fCtxChanged & HM_CHANGED_GUEST_RFLAGS)
             vmxHCExportGuestRflags(pVCpu, pVmxTransient);
     }
 
-    if (pVCpu->hm.s.fCtxChanged & HM_CHANGED_VMX_GUEST_LAZY_MSRS)
+    if (VCPU_2_VMXSTATE(pVCpu).fCtxChanged & HM_CHANGED_VMX_GUEST_LAZY_MSRS)
     {
         vmxHCLazyLoadGuestMsrs(pVCpu);
-        pVCpu->hm.s.fCtxChanged &= ~HM_CHANGED_VMX_GUEST_LAZY_MSRS;
-    }
-
-    AssertMsg(!(pVCpu->hm.s.fCtxChanged & HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE),
-              ("fCtxChanged=%#RX64\n", pVCpu->hm.s.fCtxChanged));
+        VCPU_2_VMXSTATE(pVCpu).fCtxChanged &= ~HM_CHANGED_VMX_GUEST_LAZY_MSRS;
+    }
+
+    AssertMsg(!(VCPU_2_VMXSTATE(pVCpu).fCtxChanged & HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE),
+              ("fCtxChanged=%#RX64\n", VCPU_2_VMXSTATE(pVCpu).fCtxChanged));
 }
 
@@ -8281 +6992 @@
 
 #ifdef HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE
-    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+    ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
 #endif
 
@@ -8291 +7002 @@
     uint64_t const fCtxMask     = HM_CHANGED_ALL_GUEST & ~HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE;
     uint64_t const fMinimalMask = HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT;
-    uint64_t const fCtxChanged  = ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged);
+    uint64_t const fCtxChanged  = ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged);
 
     /* If only RIP/RSP/RFLAGS/HWVIRT changed, export only those (quicker, happens more often).*/
@@ -8301 +7012 @@
         vmxHCExportGuestRflags(pVCpu, pVmxTransient);
         rcStrict = vmxHCExportGuestHwvirtState(pVCpu, pVmxTransient);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExportMinimal);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExportMinimal);
     }
     /* If anything else also changed, go through the full export routine and export as required. */
@@ -8316 +7027 @@
             return rcStrict;
         }
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExportFull);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExportFull);
     }
     /* Nothing changed, nothing to load here. */
@@ -8324 +7035 @@
 #ifdef VBOX_STRICT
     /* All the guest state bits should be loaded except maybe the host context and/or the shared host/guest bits. */
-    uint64_t const fCtxChangedCur = ASMAtomicUoReadU64(&pVCpu->hm.s.fCtxChanged);
+    uint64_t const fCtxChangedCur = ASMAtomicUoReadU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged);
     AssertMsg(!(fCtxChangedCur & fCtxMask), ("fCtxChangedCur=%#RX64\n", fCtxChangedCur));
 #endif
     return rcStrict;
 }
+#endif /* !IN_RING0 */
 
 
@@ -8352 +7064 @@
                                             } while (0)
 
-    PVMCC    pVM    = pVCpu->CTX_SUFF(pVM);
     PCPUMCTX pCtx   = &pVCpu->cpum.GstCtx;
     uint32_t uError = VMX_IGS_ERROR;
     uint32_t u32IntrState = 0;
+#ifdef IN_RING0
+    PVMCC    pVM    = pVCpu->CTX_SUFF(pVM);
     bool const fUnrestrictedGuest = pVM->hmr0.s.vmx.fUnrestrictedGuest;
+#else
+    bool const fUnrestrictedGuest = true;
+#endif
     do
     {
@@ -8523 +7239 @@
         }
 
+#ifdef IN_RING0
         /*
          * EFER MSR.
@@ -8543 +7260 @@
                               VMX_IGS_EFER_LMA_LME_MISMATCH);
         }
+#endif
 
         /*
@@ -8844 +7562 @@
         }
 
+#ifdef IN_RING0
         /* VMCS link pointer. */
         rc = VMX_VMCS_READ_64(pVCpu, VMX_VMCS64_GUEST_VMCS_LINK_PTR_FULL, &u64Val);
@@ -8884 +7603 @@
             HMVMX_CHECK_BREAK(!(u64Val & X86_PDPE_PAE_MBZ_MASK), VMX_IGS_PAE_PDPTE_RESERVED);
         }
+#endif
 
         /* Shouldn't happen but distinguish it from AssertRCBreak() errors. */
@@ -8890 +7610 @@
     } while (0);
 
-    pVCpu->hm.s.u32HMError = uError;
-    pVCpu->hm.s.vmx.LastError.u32GuestIntrState = u32IntrState;
+    VCPU_2_VMXSTATE(pVCpu).u32HMError = uError;
+    VCPU_2_VMXSTATE(pVCpu).vmx.LastError.u32GuestIntrState = u32IntrState;
     return uError;
 
@@ -8899 +7619 @@
 
 
+#ifdef IN_RING0
 /**
  * Map the APIC-access page for virtualizing APIC accesses.
@@ -8929 +7650 @@
 
     /* Update the per-VCPU cache of the APIC base MSR. */
-    pVCpu->hm.s.vmx.u64GstMsrApicBase = u64MsrApicBase;
+    VCPU_2_VMXSTATE(pVCpu).vmx.u64GstMsrApicBase = u64MsrApicBase;
     return VINF_SUCCESS;
 }
@@ -8990 +7711 @@
     if (fDispatched)
     {
-        STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitHostNmiInGC);
+        STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitHostNmiInGC);
         return VINF_SUCCESS;
     }
@@ -8999 +7720 @@
      * (to the target CPU) without dispatching the host NMI above.
      */
-    STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitHostNmiInGCIpi);
+    STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitHostNmiInGCIpi);
     return RTMpOnSpecific(idCpu, &hmR0DispatchHostNmi, NULL /* pvUser1 */,  NULL /* pvUser2 */);
 }
@@ -9341 +8062 @@
      */
     if (u32ProcCtls2 & VMX_PROC_CTLS2_VIRT_APIC_ACCESS)
-        pVCpu->hm.s.vmx.fSwitchedNstGstFlushTlb = true;
+        VCPU_2_VMXSTATE(pVCpu).vmx.fSwitchedNstGstFlushTlb = true;
 
     /*
@@ -9358 +8079 @@
 
 /**
- * Does the preparations before executing guest code in VT-x.
- *
- * This may cause longjmps to ring-3 and may even result in rescheduling to the
- * recompiler/IEM. We must be cautious what we do here regarding committing
- * guest-state information into the VMCS assuming we assuredly execute the
- * guest in VT-x mode.
- *
- * If we fall back to the recompiler/IEM after updating the VMCS and clearing
- * the common-state (TRPM/forceflags), we must undo those changes so that the
- * recompiler/IEM can (and should) use them when it resumes guest execution.
- * Otherwise such operations must be done when we can no longer exit to ring-3.
- *
- * @returns Strict VBox status code (i.e. informational status codes too).
- * @retval  VINF_SUCCESS if we can proceed with running the guest, interrupts
- *          have been disabled.
- * @retval  VINF_VMX_VMEXIT if a nested-guest VM-exit occurs (e.g., while evaluating
- *          pending events).
- * @retval  VINF_EM_RESET if a triple-fault occurs while injecting a
- *          double-fault into the guest.
- * @retval  VINF_EM_DBG_STEPPED if @a fStepping is true and an event was
- *          dispatched directly.
- * @retval  VINF_* scheduling changes, we have to go back to ring-3.
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
- * @param   fStepping       Whether we are single-stepping the guest in the
- *                          hypervisor debugger. Makes us ignore some of the reasons
- *                          for returning to ring-3, and return VINF_EM_DBG_STEPPED
- *                          if event dispatching took place.
- */
-static VBOXSTRICTRC vmxHCPreRunGuest(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient, bool fStepping)
-{
-    Assert(VMMRZCallRing3IsEnabled(pVCpu));
-
-    Log4Func(("fIsNested=%RTbool fStepping=%RTbool\n", pVmxTransient->fIsNestedGuest, fStepping));
-
-#ifdef VBOX_WITH_NESTED_HWVIRT_ONLY_IN_IEM
-    if (pVmxTransient->fIsNestedGuest)
-    {
-        RT_NOREF2(pVCpu, fStepping);
-        Log2Func(("Rescheduling to IEM due to nested-hwvirt or forced IEM exec -> VINF_EM_RESCHEDULE_REM\n"));
-        return VINF_EM_RESCHEDULE_REM;
-    }
-#endif
-
-    /*
-     * Check and process force flag actions, some of which might require us to go back to ring-3.
-     */
-    VBOXSTRICTRC rcStrict = vmxHCCheckForceFlags(pVCpu, pVmxTransient, fStepping);
-    if (rcStrict == VINF_SUCCESS)
-    {
-        /* FFs don't get set all the time. */
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-        if (   pVmxTransient->fIsNestedGuest
-            && !CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
-        {
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchNstGstVmexit);
-            return VINF_VMX_VMEXIT;
-        }
-#endif
-    }
-    else
-        return rcStrict;
-
-    /*
-     * Virtualize memory-mapped accesses to the physical APIC (may take locks).
-     */
-    PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    if (   !pVCpu->hm.s.vmx.u64GstMsrApicBase
-        && (g_HmMsrs.u.vmx.ProcCtls2.n.allowed1 & VMX_PROC_CTLS2_VIRT_APIC_ACCESS)
-        && PDMHasApic(pVM))
-    {
-        int rc = vmxHCMapHCApicAccessPage(pVCpu);
-        AssertRCReturn(rc, rc);
-    }
-
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-    /*
-     * Merge guest VMCS controls with the nested-guest VMCS controls.
-     *
-     * Even if we have not executed the guest prior to this (e.g. when resuming from a
-     * saved state), we should be okay with merging controls as we initialize the
-     * guest VMCS controls as part of VM setup phase.
-     */
-    if (   pVmxTransient->fIsNestedGuest
-        && !pVCpu->hm.s.vmx.fMergedNstGstCtls)
-    {
-        int rc = vmxHCMergeVmcsNested(pVCpu);
-        AssertRCReturn(rc, rc);
-        pVCpu->hm.s.vmx.fMergedNstGstCtls = true;
-    }
-#endif
-
-    /*
-     * Evaluate events to be injected into the guest.
-     *
-     * Events in TRPM can be injected without inspecting the guest state.
-     * If any new events (interrupts/NMI) are pending currently, we try to set up the
-     * guest to cause a VM-exit the next time they are ready to receive the event.
-     */
-    if (TRPMHasTrap(pVCpu))
-        vmxHCTrpmTrapToPendingEvent(pVCpu);
-
-    uint32_t fIntrState;
-    rcStrict = vmxHCEvaluatePendingEvent(pVCpu, pVmxTransient, &fIntrState);
-
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-    /*
-     * While evaluating pending events if something failed (unlikely) or if we were
-     * preparing to run a nested-guest but performed a nested-guest VM-exit, we should bail.
-     */
-    if (rcStrict != VINF_SUCCESS)
-        return rcStrict;
-    if (   pVmxTransient->fIsNestedGuest
-        && !CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
-    {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchNstGstVmexit);
-        return VINF_VMX_VMEXIT;
-    }
-#else
-    Assert(rcStrict == VINF_SUCCESS);
-#endif
-
-    /*
-     * Event injection may take locks (currently the PGM lock for real-on-v86 case) and thus
-     * needs to be done with longjmps or interrupts + preemption enabled. Event injection might
-     * also result in triple-faulting the VM.
-     *
-     * With nested-guests, the above does not apply since unrestricted guest execution is a
-     * requirement. Regardless, we do this here to avoid duplicating code elsewhere.
-     */
-    rcStrict = vmxHCInjectPendingEvent(pVCpu, pVmxTransient, fIntrState, fStepping);
-    if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-    { /* likely */ }
-    else
-    {
-        AssertMsg(rcStrict == VINF_EM_RESET || (rcStrict == VINF_EM_DBG_STEPPED && fStepping),
-                  ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
-        return rcStrict;
-    }
-
-    /*
-     * A longjump might result in importing CR3 even for VM-exits that don't necessarily
-     * import CR3 themselves. We will need to update them here, as even as late as the above
-     * vmxHCInjectPendingEvent() call may lazily import guest-CPU state on demand causing
-     * the below force flags to be set.
-     */
-    if (VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3))
-    {
-        Assert(!(ASMAtomicUoReadU64(&pVCpu->cpum.GstCtx.fExtrn) & CPUMCTX_EXTRN_CR3));
-        int rc2 = PGMUpdateCR3(pVCpu, CPUMGetGuestCR3(pVCpu), false /* fPdpesMapped */);
-        AssertMsgReturn(rc2 == VINF_SUCCESS || rc2 == VINF_PGM_SYNC_CR3,
-                        ("%Rrc\n", rc2), RT_FAILURE_NP(rc2) ? rc2 : VERR_IPE_UNEXPECTED_INFO_STATUS);
-        Assert(!VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
-    }
-
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-    /* Paranoia. */
-    Assert(!pVmxTransient->fIsNestedGuest || CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx));
-#endif
-
-    /*
-     * No longjmps to ring-3 from this point on!!!
-     * Asserts() will still longjmp to ring-3 (but won't return), which is intentional, better than a kernel panic.
-     * This also disables flushing of the R0-logger instance (if any).
-     */
-    VMMRZCallRing3Disable(pVCpu);
-
-    /*
-     * Export the guest state bits.
-     *
-     * We cannot perform longjmps while loading the guest state because we do not preserve the
-     * host/guest state (although the VMCS will be preserved) across longjmps which can cause
-     * CPU migration.
-     *
-     * If we are injecting events to a real-on-v86 mode guest, we would have updated RIP and some segment
-     * registers. Hence, exporting of the guest state needs to be done -after- injection of events.
-     */
-    rcStrict = vmxHCExportGuestStateOptimal(pVCpu, pVmxTransient);
-    if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-    { /* likely */ }
-    else
-    {
-        VMMRZCallRing3Enable(pVCpu);
-        return rcStrict;
-    }
-
-    /*
-     * We disable interrupts so that we don't miss any interrupts that would flag preemption
-     * (IPI/timers etc.) when thread-context hooks aren't used and we've been running with
-     * preemption disabled for a while.  Since this is purely to aid the
-     * RTThreadPreemptIsPending() code, it doesn't matter that it may temporarily reenable and
-     * disable interrupt on NT.
-     *
-     * We need to check for force-flags that could've possible been altered since we last
-     * checked them (e.g. by PDMGetInterrupt() leaving the PDM critical section,
-     * see @bugref{6398}).
-     *
-     * We also check a couple of other force-flags as a last opportunity to get the EMT back
-     * to ring-3 before executing guest code.
-     */
-    pVmxTransient->fEFlags = ASMIntDisableFlags();
-
-    if (   (   !VM_FF_IS_ANY_SET(pVM, VM_FF_EMT_RENDEZVOUS | VM_FF_TM_VIRTUAL_SYNC)
-            && !VMCPU_FF_IS_ANY_SET(pVCpu, VMCPU_FF_HM_TO_R3_MASK))
-        || (   fStepping /* Optimized for the non-stepping case, so a bit of unnecessary work when stepping. */
-            && !VMCPU_FF_IS_ANY_SET(pVCpu, VMCPU_FF_HM_TO_R3_MASK & ~(VMCPU_FF_TIMER | VMCPU_FF_PDM_CRITSECT))) )
-    {
-        if (!RTThreadPreemptIsPending(NIL_RTTHREAD))
-        {
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-            /*
-             * If we are executing a nested-guest make sure that we should intercept subsequent
-             * events. The one we are injecting might be part of VM-entry. This is mainly to keep
-             * the VM-exit instruction emulation happy.
-             */
-            if (pVmxTransient->fIsNestedGuest)
-                CPUMSetGuestVmxInterceptEvents(&pVCpu->cpum.GstCtx, true);
-#endif
-
-            /*
-             * We've injected any pending events. This is really the point of no return (to ring-3).
-             *
-             * Note! The caller expects to continue with interrupts & longjmps disabled on successful
-             *       returns from this function, so do -not- enable them here.
-             */
-            pVCpu->hm.s.Event.fPending = false;
-            return VINF_SUCCESS;
-        }
-
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchPendingHostIrq);
-        rcStrict = VINF_EM_RAW_INTERRUPT;
-    }
-    else
-    {
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHmToR3FF);
-        rcStrict = VINF_EM_RAW_TO_R3;
-    }
-
-    ASMSetFlags(pVmxTransient->fEFlags);
-    VMMRZCallRing3Enable(pVCpu);
-
-    return rcStrict;
-}
-
-
-/**
- * Final preparations before executing guest code using hardware-assisted VMX.
- *
- * We can no longer get preempted to a different host CPU and there are no returns
- * to ring-3. We ignore any errors that may happen from this point (e.g. VMWRITE
- * failures), this function is not intended to fail sans unrecoverable hardware
- * errors.
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
- *
- * @remarks Called with preemption disabled.
- * @remarks No-long-jump zone!!!
- */
-static void vmxHCPreRunGuestCommitted(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient)
-{
-    Assert(!VMMRZCallRing3IsEnabled(pVCpu));
-    Assert(!RTThreadPreemptIsEnabled(NIL_RTTHREAD));
-    Assert(!pVCpu->hm.s.Event.fPending);
-
-    /*
-     * Indicate start of guest execution and where poking EMT out of guest-context is recognized.
-     */
-    VMCPU_ASSERT_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
-    VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_EXEC);
-
-    PVMCC         pVM          = pVCpu->CTX_SUFF(pVM);
-    PVMXVMCSINFO  pVmcsInfo    = pVmxTransient->pVmcsInfo;
-    PHMPHYSCPU    pHostCpu     = hmR0GetCurrentCpu();
-    RTCPUID const idCurrentCpu = pHostCpu->idCpu;
-
-    if (!CPUMIsGuestFPUStateActive(pVCpu))
-    {
-        STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatLoadGuestFpuState, x);
-        if (CPUMR0LoadGuestFPU(pVM, pVCpu) == VINF_CPUM_HOST_CR0_MODIFIED)
-            pVCpu->hm.s.fCtxChanged |= HM_CHANGED_HOST_CONTEXT;
-        STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatLoadGuestFpuState, x);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatLoadGuestFpu);
-    }
-
-    /*
-     * Re-export the host state bits as we may've been preempted (only happens when
-     * thread-context hooks are used or when the VM start function changes) or if
-     * the host CR0 is modified while loading the guest FPU state above.
-     *
-     * The 64-on-32 switcher saves the (64-bit) host state into the VMCS and if we
-     * changed the switcher back to 32-bit, we *must* save the 32-bit host state here,
-     * see @bugref{8432}.
-     *
-     * This may also happen when switching to/from a nested-guest VMCS without leaving
-     * ring-0.
-     */
-    if (pVCpu->hm.s.fCtxChanged & HM_CHANGED_HOST_CONTEXT)
-    {
-        vmxHCExportHostState(pVCpu);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExportHostState);
-    }
-    Assert(!(pVCpu->hm.s.fCtxChanged & HM_CHANGED_HOST_CONTEXT));
-
-    /*
-     * Export the state shared between host and guest (FPU, debug, lazy MSRs).
-     */
-    if (pVCpu->hm.s.fCtxChanged & HM_CHANGED_VMX_HOST_GUEST_SHARED_STATE)
-        vmxHCExportSharedState(pVCpu, pVmxTransient);
-    AssertMsg(!pVCpu->hm.s.fCtxChanged, ("fCtxChanged=%#RX64\n", pVCpu->hm.s.fCtxChanged));
-
-    /*
-     * Store status of the shared guest/host debug state at the time of VM-entry.
-     */
-    pVmxTransient->fWasGuestDebugStateActive = CPUMIsGuestDebugStateActive(pVCpu);
-    pVmxTransient->fWasHyperDebugStateActive = CPUMIsHyperDebugStateActive(pVCpu);
-
-    /*
-     * Always cache the TPR-shadow if the virtual-APIC page exists, thereby skipping
-     * more than one conditional check. The post-run side of our code shall determine
-     * if it needs to sync. the virtual APIC TPR with the TPR-shadow.
-     */
-    if (pVmcsInfo->pbVirtApic)
-        pVmxTransient->u8GuestTpr = pVmcsInfo->pbVirtApic[XAPIC_OFF_TPR];
-
-    /*
-     * Update the host MSRs values in the VM-exit MSR-load area.
-     */
-    if (!pVCpu->hmr0.s.vmx.fUpdatedHostAutoMsrs)
-    {
-        if (pVmcsInfo->cExitMsrLoad > 0)
-            vmxHCUpdateAutoLoadHostMsrs(pVCpu, pVmcsInfo);
-        pVCpu->hmr0.s.vmx.fUpdatedHostAutoMsrs = true;
-    }
-
-    /*
-     * Evaluate if we need to intercept guest RDTSC/P accesses. Set up the
-     * VMX-preemption timer based on the next virtual sync clock deadline.
-     */
-    if (   !pVmxTransient->fUpdatedTscOffsettingAndPreemptTimer
-        || idCurrentCpu != pVCpu->hmr0.s.idLastCpu)
-    {
-        vmxHCUpdateTscOffsettingAndPreemptTimer(pVCpu, pVmxTransient, idCurrentCpu);
-        pVmxTransient->fUpdatedTscOffsettingAndPreemptTimer = true;
-    }
-
-    /* Record statistics of how often we use TSC offsetting as opposed to intercepting RDTSC/P. */
-    bool const fIsRdtscIntercepted = RT_BOOL(pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_RDTSC_EXIT);
-    if (!fIsRdtscIntercepted)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatTscOffset);
-    else
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatTscIntercept);
-
-    ASMAtomicUoWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, true);  /* Used for TLB flushing, set this across the world switch. */
-    vmxHCFlushTaggedTlb(pHostCpu, pVCpu, pVmcsInfo);          /* Invalidate the appropriate guest entries from the TLB. */
-    Assert(idCurrentCpu == pVCpu->hmr0.s.idLastCpu);
-    pVCpu->hm.s.vmx.LastError.idCurrentCpu = idCurrentCpu;      /* Record the error reporting info. with the current host CPU. */
-    pVmcsInfo->idHostCpuState = idCurrentCpu;                   /* Record the CPU for which the host-state has been exported. */
-    pVmcsInfo->idHostCpuExec  = idCurrentCpu;                   /* Record the CPU on which we shall execute. */
-
-    STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatEntry, &pVCpu->hm.s.StatInGC, x);
-
-    TMNotifyStartOfExecution(pVM, pVCpu);                       /* Notify TM to resume its clocks when TSC is tied to execution,
-                                                                   as we're about to start executing the guest. */
-
-    /*
-     * Load the guest TSC_AUX MSR when we are not intercepting RDTSCP.
-     *
-     * This is done this late as updating the TSC offsetting/preemption timer above
-     * figures out if we can skip intercepting RDTSCP by calculating the number of
-     * host CPU ticks till the next virtual sync deadline (for the dynamic case).
-     */
-    if (   (pVmcsInfo->u32ProcCtls2 & VMX_PROC_CTLS2_RDTSCP)
-        && !fIsRdtscIntercepted)
-    {
-        vmxHCImportGuestState(pVCpu, pVmcsInfo, CPUMCTX_EXTRN_TSC_AUX);
-
-        /* NB: Because we call vmxHCAddAutoLoadStoreMsr with fUpdateHostMsr=true,
-           it's safe even after vmxHCUpdateAutoLoadHostMsrs has already been done. */
-        int rc = vmxHCAddAutoLoadStoreMsr(pVCpu, pVmxTransient, MSR_K8_TSC_AUX, CPUMGetGuestTscAux(pVCpu),
-                                            true /* fSetReadWrite */, true /* fUpdateHostMsr */);
-        AssertRC(rc);
-        Assert(!pVmxTransient->fRemoveTscAuxMsr);
-        pVmxTransient->fRemoveTscAuxMsr = true;
-    }
-
-#ifdef VBOX_STRICT
-    Assert(pVCpu->hmr0.s.vmx.fUpdatedHostAutoMsrs);
-    vmxHCCheckAutoLoadStoreMsrs(pVCpu, pVmcsInfo, pVmxTransient->fIsNestedGuest);
-    vmxHCCheckHostEferMsr(pVmcsInfo);
-    AssertRC(vmxHCCheckCachedVmcsCtls(pVCpu, pVmcsInfo, pVmxTransient->fIsNestedGuest));
-#endif
-
-#ifdef HMVMX_ALWAYS_CHECK_GUEST_STATE
-    /** @todo r=ramshankar: We can now probably use iemVmxVmentryCheckGuestState here.
-     *        Add a PVMXMSRS parameter to it, so that IEM can look at the host MSRs,
-     *        see @bugref{9180#c54}. */
-    uint32_t const uInvalidReason = vmxHCCheckGuestState(pVCpu, pVmcsInfo);
-    if (uInvalidReason != VMX_IGS_REASON_NOT_FOUND)
-        Log4(("vmxHCCheckGuestState returned %#x\n", uInvalidReason));
-#endif
-}
-
-
-/**
- * First C routine invoked after running guest code using hardware-assisted VMX.
- *
- * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pVmxTransient   The VMX-transient structure.
- * @param   rcVMRun         Return code of VMLAUNCH/VMRESUME.
- *
- * @remarks Called with interrupts disabled, and returns with interrupts enabled!
- *
- * @remarks No-long-jump zone!!! This function will however re-enable longjmps
- *          unconditionally when it is safe to do so.
- */
-static void vmxHCPostRunGuest(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient, int rcVMRun)
-{
-    ASMAtomicUoWriteBool(&pVCpu->hm.s.fCheckedTLBFlush, false); /* See HMInvalidatePageOnAllVCpus(): used for TLB flushing. */
-    ASMAtomicIncU32(&pVCpu->hmr0.s.cWorldSwitchExits);          /* Initialized in vmR3CreateUVM(): used for EMT poking. */
-    pVCpu->hm.s.fCtxChanged            = 0;                     /* Exits/longjmps to ring-3 requires saving the guest state. */
-    pVmxTransient->fVmcsFieldsRead     = 0;                     /* Transient fields need to be read from the VMCS. */
-    pVmxTransient->fVectoringPF        = false;                 /* Vectoring page-fault needs to be determined later. */
-    pVmxTransient->fVectoringDoublePF  = false;                 /* Vectoring double page-fault needs to be determined later. */
-
-    PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
-    if (!(pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_RDTSC_EXIT))
-    {
-        uint64_t uGstTsc;
-        if (!pVmxTransient->fIsNestedGuest)
-            uGstTsc = pVCpu->hmr0.s.uTscExit + pVmcsInfo->u64TscOffset;
-        else
-        {
-            uint64_t const uNstGstTsc = pVCpu->hmr0.s.uTscExit + pVmcsInfo->u64TscOffset;
-            uGstTsc = CPUMRemoveNestedGuestTscOffset(pVCpu, uNstGstTsc);
-        }
-        TMCpuTickSetLastSeen(pVCpu, uGstTsc);                           /* Update TM with the guest TSC. */
-    }
-
-    STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatInGC, &pVCpu->hm.s.StatPreExit, x);
-    TMNotifyEndOfExecution(pVCpu->CTX_SUFF(pVM), pVCpu, pVCpu->hmr0.s.uTscExit); /* Notify TM that the guest is no longer running. */
-    VMCPU_SET_STATE(pVCpu, VMCPUSTATE_STARTED_HM);
-
-    pVCpu->hmr0.s.vmx.fRestoreHostFlags |= VMX_RESTORE_HOST_REQUIRED;   /* Some host state messed up by VMX needs restoring. */
-    pVmcsInfo->fVmcsState |= VMX_V_VMCS_LAUNCH_STATE_LAUNCHED;          /* Use VMRESUME instead of VMLAUNCH in the next run. */
-#ifdef VBOX_STRICT
-    vmxHCCheckHostEferMsr(pVmcsInfo);                                 /* Verify that the host EFER MSR wasn't modified. */
-#endif
-    Assert(!ASMIntAreEnabled());
-    ASMSetFlags(pVmxTransient->fEFlags);                                /* Enable interrupts. */
-    Assert(!VMMRZCallRing3IsEnabled(pVCpu));
-
-#ifdef HMVMX_ALWAYS_CLEAN_TRANSIENT
-    /*
-     * Clean all the VMCS fields in the transient structure before reading
-     * anything from the VMCS.
-     */
-    pVmxTransient->uExitReason            = 0;
-    pVmxTransient->uExitIntErrorCode      = 0;
-    pVmxTransient->uExitQual              = 0;
-    pVmxTransient->uGuestLinearAddr       = 0;
-    pVmxTransient->uExitIntInfo           = 0;
-    pVmxTransient->cbExitInstr            = 0;
-    pVmxTransient->ExitInstrInfo.u        = 0;
-    pVmxTransient->uEntryIntInfo          = 0;
-    pVmxTransient->uEntryXcptErrorCode    = 0;
-    pVmxTransient->cbEntryInstr           = 0;
-    pVmxTransient->uIdtVectoringInfo      = 0;
-    pVmxTransient->uIdtVectoringErrorCode = 0;
-#endif
-
-    /*
-     * Save the basic VM-exit reason and check if the VM-entry failed.
-     * See Intel spec. 24.9.1 "Basic VM-exit Information".
-     */
-    uint32_t uExitReason;
-    int rc = VMX_VMCS_READ_32(pVCpu, VMX_VMCS32_RO_EXIT_REASON, &uExitReason);
-    AssertRC(rc);
-    pVmxTransient->uExitReason    = VMX_EXIT_REASON_BASIC(uExitReason);
-    pVmxTransient->fVMEntryFailed = VMX_EXIT_REASON_HAS_ENTRY_FAILED(uExitReason);
-
-    /*
-     * Log the VM-exit before logging anything else as otherwise it might be a
-     * tad confusing what happens before and after the world-switch.
-     */
-    HMVMX_LOG_EXIT(pVCpu, uExitReason);
-
-    /*
-     * Remove the TSC_AUX MSR from the auto-load/store MSR area and reset any MSR
-     * bitmap permissions, if it was added before VM-entry.
-     */
-    if (pVmxTransient->fRemoveTscAuxMsr)
-    {
-        vmxHCRemoveAutoLoadStoreMsr(pVCpu, pVmxTransient, MSR_K8_TSC_AUX);
-        pVmxTransient->fRemoveTscAuxMsr = false;
-    }
-
-    /*
-     * Check if VMLAUNCH/VMRESUME succeeded.
-     * If this failed, we cause a guru meditation and cease further execution.
-     *
-     * However, if we are executing a nested-guest we might fail if we use the
-     * fast path rather than fully emulating VMLAUNCH/VMRESUME instruction in IEM.
-     */
-    if (RT_LIKELY(rcVMRun == VINF_SUCCESS))
-    {
-        /*
-         * Update the VM-exit history array here even if the VM-entry failed due to:
-         *   - Invalid guest state.
-         *   - MSR loading.
-         *   - Machine-check event.
-         *
-         * In any of the above cases we will still have a "valid" VM-exit reason
-         * despite @a fVMEntryFailed being false.
-         *
-         * See Intel spec. 26.7 "VM-Entry failures during or after loading guest state".
-         *
-         * Note! We don't have CS or RIP at this point.  Will probably address that later
-         *       by amending the history entry added here.
-         */
-        EMHistoryAddExit(pVCpu, EMEXIT_MAKE_FT(EMEXIT_F_KIND_VMX, pVmxTransient->uExitReason & EMEXIT_F_TYPE_MASK),
-                         UINT64_MAX, pVCpu->hmr0.s.uTscExit);
-
-        if (RT_LIKELY(!pVmxTransient->fVMEntryFailed))
-        {
-            VMMRZCallRing3Enable(pVCpu);
-            Assert(!VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_HM_UPDATE_CR3));
-
-#ifdef HMVMX_ALWAYS_SAVE_RO_GUEST_STATE
-            vmxHCReadAllRoFieldsVmcs(pVCpu, pVmxTransient);
-#endif
-
-            /*
-             * Import the guest-interruptibility state always as we need it while evaluating
-             * injecting events on re-entry.
-             *
-             * We don't import CR0 (when unrestricted guest execution is unavailable) despite
-             * checking for real-mode while exporting the state because all bits that cause
-             * mode changes wrt CR0 are intercepted.
-             */
-            uint64_t const fImportMask = CPUMCTX_EXTRN_HM_VMX_INT_STATE
-#if defined(HMVMX_ALWAYS_SYNC_FULL_GUEST_STATE) || defined(HMVMX_ALWAYS_SAVE_FULL_GUEST_STATE)
-                                       | HMVMX_CPUMCTX_EXTRN_ALL
-#elif defined(HMVMX_ALWAYS_SAVE_GUEST_RFLAGS)
-                                       | CPUMCTX_EXTRN_RFLAGS
-#endif
-                                       ;
-            rc = vmxHCImportGuestState(pVCpu, pVmcsInfo, fImportMask);
-            AssertRC(rc);
-
-            /*
-             * Sync the TPR shadow with our APIC state.
-             */
-            if (   !pVmxTransient->fIsNestedGuest
-                && (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_TPR_SHADOW))
-            {
-                Assert(pVmcsInfo->pbVirtApic);
-                if (pVmxTransient->u8GuestTpr != pVmcsInfo->pbVirtApic[XAPIC_OFF_TPR])
-                {
-                    rc = APICSetTpr(pVCpu, pVmcsInfo->pbVirtApic[XAPIC_OFF_TPR]);
-                    AssertRC(rc);
-                    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_APIC_TPR);
-                }
-            }
-
-            Assert(VMMRZCallRing3IsEnabled(pVCpu));
-            Assert(   pVmxTransient->fWasGuestDebugStateActive == false
-                   || pVmxTransient->fWasHyperDebugStateActive == false);
-            return;
-        }
-    }
-#ifdef VBOX_WITH_NESTED_HWVIRT_VMX
-    else if (pVmxTransient->fIsNestedGuest)
-        AssertMsgFailed(("VMLAUNCH/VMRESUME failed but shouldn't happen when VMLAUNCH/VMRESUME was emulated in IEM!\n"));
-#endif
-    else
-        Log4Func(("VM-entry failure: rcVMRun=%Rrc fVMEntryFailed=%RTbool\n", rcVMRun, pVmxTransient->fVMEntryFailed));
-
-    VMMRZCallRing3Enable(pVCpu);
-}
-
-
-/**
  * Runs the guest code using hardware-assisted VMX the normal way.
  *
@@ -9986 +8123 @@
         Assert(!HMR0SuspendPending());
         HMVMX_ASSERT_CPU_SAFE(pVCpu);
-        STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
+        STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
 
         /*
@@ -10011 +8148 @@
         else
         {
-            STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatPreExit, x);
+            STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, x);
             vmxHCReportWorldSwitchError(pVCpu, rcRun, &VmxTransient);
             return rcRun;
@@ -10020 +8157 @@
          */
         AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
-        STAM_COUNTER_INC(&pVCpu->hm.s.aStatExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
-        STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatPreExit, &pVCpu->hm.s.StatExitHandling, x);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitAll);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).aStatExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
+        STAM_PROFILE_ADV_STOP_START(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, &VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         HMVMX_START_EXIT_DISPATCH_PROF();
 
@@ -10035 +8172 @@
         rcStrict = vmxHCHandleExit(pVCpu, &VmxTransient);
 #endif
-        STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitHandling, x);
+        STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         if (rcStrict == VINF_SUCCESS)
         {
             if (++(*pcLoops) <= cMaxResumeLoops)
                 continue;
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchMaxResumeLoops);
             rcStrict = VINF_EM_RAW_INTERRUPT;
         }
@@ -10046 +8183 @@
     }
 
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
     return rcStrict;
 }
@@ -10098 +8235 @@
         Assert(!HMR0SuspendPending());
         HMVMX_ASSERT_CPU_SAFE(pVCpu);
-        STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
+        STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
 
         /*
@@ -10123 +8260 @@
         else
         {
-            STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatPreExit, x);
+            STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, x);
             vmxHCReportWorldSwitchError(pVCpu, rcRun, &VmxTransient);
             return rcRun;
@@ -10132 +8269 @@
          */
         AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatNestedExitAll);
-        STAM_COUNTER_INC(&pVCpu->hm.s.aStatNestedExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
-        STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatPreExit, &pVCpu->hm.s.StatExitHandling, x);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitAll);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatNestedExitAll);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).aStatNestedExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
+        STAM_PROFILE_ADV_STOP_START(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, &VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         HMVMX_START_EXIT_DISPATCH_PROF();
 
@@ -10144 +8281 @@
          */
         rcStrict = vmxHCHandleExitNested(pVCpu, &VmxTransient);
-        STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitHandling, x);
+        STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         if (rcStrict == VINF_SUCCESS)
         {
             if (!CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
             {
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchNstGstVmexit);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchNstGstVmexit);
                 rcStrict = VINF_VMX_VMEXIT;
             }
@@ -10156 +8293 @@
                 if (++(*pcLoops) <= cMaxResumeLoops)
                     continue;
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchMaxResumeLoops);
                 rcStrict = VINF_EM_RAW_INTERRUPT;
             }
@@ -10165 +8302 @@
     }
 
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
     return rcStrict;
 }
@@ -10560 +8697 @@
         {
             pDbgState->fClearCr0Mask = false;
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_CR0);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_CR0);
         }
         if (pDbgState->fClearCr4Mask)
         {
             pDbgState->fClearCr4Mask = false;
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_CR4);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_CR4);
         }
     }
@@ -11085 +9222 @@
     }
 
+#ifdef IN_RING0 /* NMIs should never reach R3. */
     /*
      * Check for host NMI, just to get that out of the way.
@@ -11097 +9235 @@
             return vmxHCExitHostNmi(pVCpu, pVmxTransient->pVmcsInfo);
     }
+#endif
 
     /*
      * Check for single stepping event if we're stepping.
      */
-    if (pVCpu->hm.s.fSingleInstruction)
+    if (VCPU_2_VMXSTATE(pVCpu).fSingleInstruction)
     {
         switch (uExitReason)
@@ -11234 +9373 @@
 
     /* Set HMCPU indicators.  */
-    bool const fSavedSingleInstruction = pVCpu->hm.s.fSingleInstruction;
-    pVCpu->hm.s.fSingleInstruction     = pVCpu->hm.s.fSingleInstruction || DBGFIsStepping(pVCpu);
+    bool const fSavedSingleInstruction = VCPU_2_VMXSTATE(pVCpu).fSingleInstruction;
+    VCPU_2_VMXSTATE(pVCpu).fSingleInstruction     = VCPU_2_VMXSTATE(pVCpu).fSingleInstruction || DBGFIsStepping(pVCpu);
     pVCpu->hmr0.s.fDebugWantRdTscExit    = false;
     pVCpu->hmr0.s.fUsingDebugLoop        = true;
@@ -11252 +9391 @@
         Assert(!HMR0SuspendPending());
         HMVMX_ASSERT_CPU_SAFE(pVCpu);
-        STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatEntry, x);
-        bool fStepping = pVCpu->hm.s.fSingleInstruction;
+        STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
+        bool fStepping = VCPU_2_VMXSTATE(pVCpu).fSingleInstruction;
 
         /* Set up VM-execution controls the next two can respond to. */
@@ -11287 +9426 @@
         else
         {
-            STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatPreExit, x);
+            STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, x);
             vmxHCReportWorldSwitchError(pVCpu, rcRun, &VmxTransient);
             return rcRun;
@@ -11294 +9433 @@
         /* Profile the VM-exit. */
         AssertMsg(VmxTransient.uExitReason <= VMX_EXIT_MAX, ("%#x\n", VmxTransient.uExitReason));
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitAll);
-        STAM_COUNTER_INC(&pVCpu->hm.s.aStatExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
-        STAM_PROFILE_ADV_STOP_START(&pVCpu->hm.s.StatPreExit, &pVCpu->hm.s.StatExitHandling, x);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitAll);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).aStatExitReason[VmxTransient.uExitReason & MASK_EXITREASON_STAT]);
+        STAM_PROFILE_ADV_STOP_START(&VCPU_2_VMXSTATE(pVCpu).StatPreExit, &VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         HMVMX_START_EXIT_DISPATCH_PROF();
 
@@ -11305 +9444 @@
          */
         rcStrict = vmxHCRunDebugHandleExit(pVCpu, &VmxTransient, &DbgState);
-        STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitHandling, x);
+        STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitHandling, x);
         if (rcStrict != VINF_SUCCESS)
             break;
         if (++(*pcLoops) > cMaxResumeLoops)
         {
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchMaxResumeLoops);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchMaxResumeLoops);
             rcStrict = VINF_EM_RAW_INTERRUPT;
             break;
@@ -11329 +9468 @@
                 break;
             }
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_DR7);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_DR7);
         }
 
@@ -11360 +9499 @@
     pVCpu->hmr0.s.fUsingDebugLoop     = false;
     pVCpu->hmr0.s.fDebugWantRdTscExit = false;
-    pVCpu->hm.s.fSingleInstruction  = fSavedSingleInstruction;
-
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatEntry, x);
+    VCPU_2_VMXSTATE(pVCpu).fSingleInstruction  = fSavedSingleInstruction;
+
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatEntry, x);
     return rcStrict;
 }
-
+#endif
 
 /** @} */
@@ -11387 +9526 @@
             VBOXSTRICTRC rcStrict = a_CallExpr; \
             if (a_fSave != 0) \
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST); \
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST); \
             return rcStrict; \
         } while (0)
@@ -11621 +9760 @@
 #define HMVMX_UNEXPECTED_EXIT_RET(a_pVCpu, a_HmError) \
     do { \
-        (a_pVCpu)->hm.s.u32HMError = (a_HmError); \
+        VCPU_2_VMXSTATE((a_pVCpu)).u32HMError = (a_HmError); \
         return VERR_VMX_UNEXPECTED_EXIT; \
     } while (0)
 
 #ifdef VBOX_STRICT
+# ifdef IN_RING0
 /* Is there some generic IPRT define for this that are not in Runtime/internal/\* ?? */
 # define HMVMX_ASSERT_PREEMPT_CPUID_VAR() \
@@ -11651 +9791 @@
         HMVMX_STOP_EXIT_DISPATCH_PROF(); \
     } while (0)
+# else
+# define HMVMX_ASSERT_PREEMPT_CPUID_VAR()   do { } while(0)
+# define HMVMX_ASSERT_PREEMPT_CPUID()       do { } while(0)
+# define HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(a_pVCpu, a_pVmxTransient) \
+    do { \
+        AssertPtr((a_pVCpu)); \
+        AssertPtr((a_pVmxTransient)); \
+        Assert((a_pVmxTransient)->fVMEntryFailed == false); \
+        Assert((a_pVmxTransient)->pVmcsInfo); \
+        Log4Func(("vcpu[%RU32]\n", (a_pVCpu)->idCpu)); \
+        HMVMX_STOP_EXIT_DISPATCH_PROF(); \
+    } while (0)
+# endif
 
 # define HMVMX_VALIDATE_NESTED_EXIT_HANDLER_PARAMS(a_pVCpu, a_pVmxTransient) \
@@ -11733 +9886 @@
     /* Advance the RIP. */
     pVCpu->cpum.GstCtx.rip += cbInstr;
-    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP);
+    ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP);
 
     /* Update interrupt inhibition. */
@@ -11784 +9937 @@
 static VBOXSTRICTRC vmxHCCheckExitDueToEventDelivery(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient)
 {
-    Assert(!pVCpu->hm.s.Event.fPending);
+    Assert(!VCPU_2_VMXSTATE(pVCpu).Event.fPending);
     HMVMX_ASSERT_READ(pVmxTransient, HMVMX_READ_XCPT_INFO);
     if (   pVmxTransient->uExitReason == VMX_EXIT_EPT_VIOLATION
@@ -11884 +10037 @@
 
                 /* If uExitVector is #PF, CR2 value will be updated from the VMCS if it's a guest #PF, see vmxHCExitXcptPF(). */
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectReflect);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectReflect);
                 vmxHCSetPendingEvent(pVCpu, VMX_ENTRY_INT_INFO_FROM_EXIT_IDT_INFO(uIdtVectorInfo), 0 /* cbInstr */,
                                        u32ErrCode, pVCpu->cpum.GstCtx.cr2);
 
-                Log4Func(("IDT: Pending vectoring event %#RX64 Err=%#RX32\n", pVCpu->hm.s.Event.u64IntInfo,
-                          pVCpu->hm.s.Event.u32ErrCode));
+                Log4Func(("IDT: Pending vectoring event %#RX64 Err=%#RX32\n", VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo,
+                          VCPU_2_VMXSTATE(pVCpu).Event.u32ErrCode));
                 Assert(rcStrict == VINF_SUCCESS);
                 break;
@@ -11907 +10060 @@
                 {
                     pVmxTransient->fVectoringDoublePF = true;
-                    Log4Func(("IDT: Vectoring double #PF %#RX64 cr2=%#RX64\n", pVCpu->hm.s.Event.u64IntInfo,
+                    Log4Func(("IDT: Vectoring double #PF %#RX64 cr2=%#RX64\n", VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo,
                           pVCpu->cpum.GstCtx.cr2));
                     rcStrict = VINF_SUCCESS;
@@ -11913 +10066 @@
                 else
                 {
-                    STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectConvertDF);
+                    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectConvertDF);
                     vmxHCSetPendingXcptDF(pVCpu);
-                    Log4Func(("IDT: Pending vectoring #DF %#RX64 uIdtVector=%#x uExitVector=%#x\n", pVCpu->hm.s.Event.u64IntInfo,
+                    Log4Func(("IDT: Pending vectoring #DF %#RX64 uIdtVector=%#x uExitVector=%#x\n", VCPU_2_VMXSTATE(pVCpu).Event.u64IntInfo,
                               uIdtVector, VMX_EXIT_INT_INFO_VECTOR(uExitIntInfo)));
                     rcStrict = VINF_HM_DOUBLE_FAULT;
@@ -12256 +10409 @@
               || rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
 
-    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0);
+    ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0);
     if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
 
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitLmsw);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitLmsw);
     Log4Func(("rcStrict=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
     return rcStrict;
@@ -12281 +10434 @@
               || rcStrict == VINF_IEM_RAISED_XCPT, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
 
-    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0);
+    ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0);
     if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
 
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitClts);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitClts);
     Log4Func(("rcStrict=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
     return rcStrict;
@@ -12310 +10463 @@
 
     if (iGReg == X86_GREG_xSP)
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_RSP);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_RSP);
     else
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
 #ifdef VBOX_WITH_STATISTICS
     switch (iCrReg)
     {
-        case 0: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR0Read); break;
-        case 2: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR2Read); break;
-        case 3: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR3Read); break;
-        case 4: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR4Read); break;
-        case 8: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR8Read); break;
+        case 0: STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR0Read); break;
+        case 2: STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR2Read); break;
+        case 3: STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR3Read); break;
+        case 4: STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR4Read); break;
+        case 8: STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR8Read); break;
     }
 #endif
@@ -12343 +10496 @@
     {
         case 0:
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR0
                                                      | HM_CHANGED_GUEST_EFER_MSR | HM_CHANGED_VMX_ENTRY_EXIT_CTLS);
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR0Write);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR0Write);
             Log4Func(("CR0 write. rcStrict=%Rrc CR0=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pVCpu->cpum.GstCtx.cr0));
             break;
 
         case 2:
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR2Write);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR2Write);
             /* Nothing to do here, CR2 it's not part of the VMCS. */
             break;
 
         case 3:
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR3);
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR3Write);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR3);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR3Write);
             Log4Func(("CR3 write. rcStrict=%Rrc CR3=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pVCpu->cpum.GstCtx.cr3));
             break;
 
         case 4:
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR4);
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR4Write);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_CR4);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR4Write);
+#ifdef IN_RING0
             Log4Func(("CR4 write. rc=%Rrc CR4=%#RX64 fLoadSaveGuestXcr0=%u\n", VBOXSTRICTRC_VAL(rcStrict),
                       pVCpu->cpum.GstCtx.cr4, pVCpu->hmr0.s.fLoadSaveGuestXcr0));
+#else
+            Log4Func(("CR4 write. rc=%Rrc CR4=%#RX64\n", VBOXSTRICTRC_VAL(rcStrict), pVCpu->cpum.GstCtx.cr4));
+#endif
             break;
 
         case 8:
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged,
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged,
                              HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_APIC_TPR);
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitCR8Write);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitCR8Write);
             break;
 
@@ -12380 +10537 @@
     if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -12395 +10552 @@
 {
     HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+    vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
+
+#ifdef IN_RING0
     PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
-
     if (!pVM->hmr0.s.fNestedPaging)
     { /* likely */ }
     else
-    {
-#if !defined(HMVMX_ALWAYS_TRAP_ALL_XCPTS) && !defined(HMVMX_ALWAYS_TRAP_PF)
+#endif
+    {
+#if !defined(HMVMX_ALWAYS_TRAP_ALL_XCPTS) && !defined(HMVMX_ALWAYS_TRAP_PF) && defined(IN_RING0)
         Assert(pVmxTransient->fIsNestedGuest || pVCpu->hmr0.s.fUsingDebugLoop);
 #endif
-        pVCpu->hm.s.Event.fPending = false;                  /* In case it's a contributory or vectoring #PF. */
+        VCPU_2_VMXSTATE(pVCpu).Event.fPending = false;                  /* In case it's a contributory or vectoring #PF. */
         if (!pVmxTransient->fVectoringDoublePF)
         {
@@ -12418 +10577 @@
             Log4Func(("Pending #DF due to vectoring #PF w/ NestedPaging\n"));
         }
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestPF);
         return VINF_SUCCESS;
     }
@@ -12428 +10587 @@
     if (pVmxTransient->fVectoringPF)
     {
-        Assert(pVCpu->hm.s.Event.fPending);
+        Assert(VCPU_2_VMXSTATE(pVCpu).Event.fPending);
         return VINF_EM_RAW_INJECT_TRPM_EVENT;
     }
@@ -12449 +10608 @@
          * emulated something like LTR or a far jump. Any part of the CPU context may have changed.
          */
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
         TRPMResetTrap(pVCpu);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPF);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitShadowPF);
         return rc;
     }
@@ -12462 +10621 @@
             uint32_t const uGstErrorCode = TRPMGetErrorCode(pVCpu);
             TRPMResetTrap(pVCpu);
-            pVCpu->hm.s.Event.fPending = false;                 /* In case it's a contributory #PF. */
+            VCPU_2_VMXSTATE(pVCpu).Event.fPending = false;                 /* In case it's a contributory #PF. */
             vmxHCSetPendingEvent(pVCpu, VMX_ENTRY_INT_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo), 0 /* cbInstr */,
                                    uGstErrorCode, pVmxTransient->uExitQual);
@@ -12470 +10629 @@
             /* A guest page-fault occurred during delivery of a page-fault. Inject #DF. */
             TRPMResetTrap(pVCpu);
-            pVCpu->hm.s.Event.fPending = false;     /* Clear pending #PF to replace it with #DF. */
+            VCPU_2_VMXSTATE(pVCpu).Event.fPending = false;     /* Clear pending #PF to replace it with #DF. */
             vmxHCSetPendingXcptDF(pVCpu);
             Log4Func(("#PF: Pending #DF due to vectoring #PF\n"));
         }
 
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestPF);
         return VINF_SUCCESS;
     }
 
     TRPMResetTrap(pVCpu);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitShadowPFEM);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitShadowPFEM);
     return rc;
 }
@@ -12493 +10652 @@
 {
     HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestMF);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestMF);
 
     int rc = vmxHCImportGuestState(pVCpu, pVmxTransient->pVmcsInfo, CPUMCTX_EXTRN_CR0);
@@ -12525 +10684 @@
 {
     HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestBP);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestBP);
 
     int rc = vmxHCImportGuestState(pVCpu, pVmxTransient->pVmcsInfo, HMVMX_CPUMCTX_EXTRN_ALL);
@@ -12574 +10733 @@
          * Check for debug/trace events and import state accordingly.
          */
-        STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitGuestACSplitLock);
-        PVMCC pVM = pVCpu->pVMR0;
+        STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestACSplitLock);
+        PVMCC pVM = pVCpu->CTX_SUFF(pVM);
         if (   !DBGF_IS_EVENT_ENABLED(pVM, DBGFEVENT_VMX_SPLIT_LOCK)
-            && !VBOXVMM_VMX_SPLIT_LOCK_ENABLED())
+#ifdef IN_RING0
+            && !VBOXVMM_VMX_SPLIT_LOCK_ENABLED()
+#endif
+            )
         {
             if (pVM->cCpus == 1)
@@ -12619 +10781 @@
             if (rcStrict == VINF_SUCCESS)
 #if 0 /** @todo r=bird: This is potentially wrong.  Might have to just do a whole state sync above and mark everything changed to be safe... */
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged,
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged,
                                    HM_CHANGED_GUEST_RIP
                                  | HM_CHANGED_GUEST_RFLAGS
@@ -12626 +10788 @@
                                  | HM_CHANGED_GUEST_SS);
 #else
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
 #endif
             else if (rcStrict == VINF_IEM_RAISED_XCPT)
             {
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
                 rcStrict = VINF_SUCCESS;
             }
@@ -12640 +10802 @@
     }
 
-    STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitGuestAC);
+    STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestAC);
     Log8Func(("cs:rip=%#04x:%#RX64 rflags=%#RX64 cr0=%#RX64 cpl=%d -> #AC\n", pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
               pVCpu->cpum.GstCtx.rflags, pVCpu->cpum.GstCtx.cr0, CPUMGetGuestCPL(pVCpu) ));
@@ -12659 +10821 @@
 {
     HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDB);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestDB);
 
     /*
@@ -12675 +10837 @@
     if (!pVmxTransient->fIsNestedGuest)
     {
-        rc = DBGFTrap01Handler(pVCpu->CTX_SUFF(pVM), pVCpu, CPUMCTX2CORE(pCtx), uDR6, pVCpu->hm.s.fSingleInstruction);
+        rc = DBGFTrap01Handler(pVCpu->CTX_SUFF(pVM), pVCpu, CPUMCTX2CORE(pCtx), uDR6, VCPU_2_VMXSTATE(pVCpu).fSingleInstruction);
 
         /*
@@ -12685 +10847 @@
             && (pVmxTransient->pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_MONITOR_TRAP_FLAG))
         {
-            Assert(pVCpu->hm.s.fSingleInstruction);
+            Assert(VCPU_2_VMXSTATE(pVCpu).fSingleInstruction);
             rc = VINF_EM_RAW_GUEST_TRAP;
         }
@@ -12699 +10861 @@
          * See Intel spec. 27.1 "Architectural State before a VM-Exit".
          */
+#ifdef IN_RING0
         VMMRZCallRing3Disable(pVCpu);
         HM_DISABLE_PREEMPT(pVCpu);
@@ -12709 +10872 @@
         HM_RESTORE_PREEMPT();
         VMMRZCallRing3Enable(pVCpu);
+#else
+        /** @todo */
+#endif
 
         rc = vmxHCImportGuestState(pVCpu, pVmxTransient->pVmcsInfo, CPUMCTX_EXTRN_DR7);
@@ -12826 +10992 @@
 {
     HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestGP);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestGP);
 
     PCPUMCTX            pCtx            = &pVCpu->cpum.GstCtx;
     PVMXVMCSINFO        pVmcsInfo       = pVmxTransient->pVmcsInfo;
+#ifdef IN_RING0
     PVMXVMCSINFOSHARED  pVmcsInfoShared = pVmcsInfo->pShared;
     if (pVmcsInfoShared->RealMode.fRealOnV86Active)
     { /* likely */ }
     else
+#endif
     {
 #ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
-        Assert(pVCpu->hmr0.s.fUsingDebugLoop || pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv || pVmxTransient->fIsNestedGuest);
+# ifdef IN_RING0
+        Assert(pVCpu->hmr0.s.fUsingDebugLoop || VCPU_2_VMXSTATE(pVCpu).fTrapXcptGpForLovelyMesaDrv || pVmxTransient->fIsNestedGuest);
+# else
+        Assert(/*pVCpu->hmr0.s.fUsingDebugLoop ||*/ VCPU_2_VMXSTATE(pVCpu).fTrapXcptGpForLovelyMesaDrv || pVmxTransient->fIsNestedGuest);
+# endif
 #endif
         /*
@@ -12848 +11020 @@
 
         if (    pVmxTransient->fIsNestedGuest
-            || !pVCpu->hm.s.fTrapXcptGpForLovelyMesaDrv
+            || !VCPU_2_VMXSTATE(pVCpu).fTrapXcptGpForLovelyMesaDrv
             || !vmxHCIsMesaDrvGp(pVCpu, pVmxTransient, pCtx))
             vmxHCSetPendingEvent(pVCpu, VMX_ENTRY_INT_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo),
@@ -12857 +11029 @@
     }
 
+#ifdef IN_RING0
     Assert(CPUMIsGuestInRealModeEx(pCtx));
     Assert(!pVCpu->CTX_SUFF(pVM)->hmr0.s.vmx.fUnrestrictedGuest);
@@ -12874 +11047 @@
              */
             pVmcsInfoShared->RealMode.fRealOnV86Active = false;
-            if (HMCanExecuteVmxGuest(pVCpu->pVMR0, pVCpu, pCtx))
+            if (HMCanExecuteVmxGuest(pVCpu->CTX_SUFF(pVM), pVCpu, pCtx))
             {
                 Log4Func(("Mode changed but guest still suitable for executing using hardware-assisted VMX\n"));
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
             }
             else
@@ -12886 +11059 @@
         }
         else
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
     }
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
         rcStrict = VINF_SUCCESS;
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
     }
     return VBOXSTRICTRC_VAL(rcStrict);
+#endif
 }
 
@@ -12911 +11085 @@
 
 #ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS
+# ifdef IN_RING0
     PCVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
     AssertMsg(pVCpu->hmr0.s.fUsingDebugLoop || pVmcsInfo->pShared->RealMode.fRealOnV86Active || pVmxTransient->fIsNestedGuest,
@@ -12916 +11091 @@
                VMX_EXIT_INT_INFO_VECTOR(pVmxTransient->uExitIntInfo), pVmcsInfo->u32XcptBitmap));
     NOREF(pVmcsInfo);
+# endif
 #endif
 
@@ -12927 +11103 @@
     int rc = vmxHCImportGuestState(pVCpu, pVmxTransient->pVmcsInfo, CPUMCTX_EXTRN_CS | CPUMCTX_EXTRN_RIP);
     AssertRCReturn(rc, rc);
-    Log4Func(("Reinjecting Xcpt. uVector=%#x cs:rip=%#04x:%#RX64\n", uVector, pCtx->cs.Sel, pCtx->rip));
+    Log4Func(("Reinjecting Xcpt. uVector=%#x cs:rip=%#04x:%#RX64\n", uVector, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
 #endif
 
@@ -12933 +11109 @@
     switch (uVector)
     {
-        case X86_XCPT_DE:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDE);     break;
-        case X86_XCPT_DB:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDB);     break;
-        case X86_XCPT_BP:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestBP);     break;
-        case X86_XCPT_OF:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestOF);     break;
-        case X86_XCPT_BR:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestBR);     break;
-        case X86_XCPT_UD:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestUD);     break;
-        case X86_XCPT_NM:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestOF);     break;
-        case X86_XCPT_DF:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestDF);     break;
-        case X86_XCPT_TS:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestTS);     break;
-        case X86_XCPT_NP:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestNP);     break;
-        case X86_XCPT_SS:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestSS);     break;
-        case X86_XCPT_GP:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestGP);     break;
-        case X86_XCPT_PF:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestPF);     break;
-        case X86_XCPT_MF:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestMF);     break;
-        case X86_XCPT_AC:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestAC);     break;
-        case X86_XCPT_XF:   STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXF);     break;
+        case X86_XCPT_DE:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestDE);     break;
+        case X86_XCPT_DB:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestDB);     break;
+        case X86_XCPT_BP:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestBP);     break;
+        case X86_XCPT_OF:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestOF);     break;
+        case X86_XCPT_BR:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestBR);     break;
+        case X86_XCPT_UD:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestUD);     break;
+        case X86_XCPT_NM:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestOF);     break;
+        case X86_XCPT_DF:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestDF);     break;
+        case X86_XCPT_TS:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestTS);     break;
+        case X86_XCPT_NP:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestNP);     break;
+        case X86_XCPT_SS:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestSS);     break;
+        case X86_XCPT_GP:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestGP);     break;
+        case X86_XCPT_PF:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestPF);     break;
+        case X86_XCPT_MF:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestMF);     break;
+        case X86_XCPT_AC:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestAC);     break;
+        case X86_XCPT_XF:   STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestXF);     break;
         default:
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXcpUnk);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitGuestXcpUnk);
             break;
     }
@@ -12993 +11169 @@
         Assert(VMX_EXIT_INT_INFO_IS_VALID(pVmxTransient->uExitIntInfo));
         uint8_t const uVector = VMX_EXIT_INT_INFO_VECTOR(pVmxTransient->uExitIntInfo);
-        if (   !pVCpu->hm.s.Event.fPending
+        if (   !VCPU_2_VMXSTATE(pVCpu).Event.fPending
             || uVector == X86_XCPT_PF)
         {
@@ -13012 +11188 @@
     else if (rcStrict == VINF_HM_DOUBLE_FAULT)
     {
-        Assert(pVCpu->hm.s.Event.fPending);
+        Assert(VCPU_2_VMXSTATE(pVCpu).Event.fPending);
         rcStrict = VINF_SUCCESS;
     }
@@ -13034 +11210 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitExtInt);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitExtInt);
+
+#ifdef IN_RING0
     /* Windows hosts (32-bit and 64-bit) have DPC latency issues. See @bugref{6853}. */
     if (VMMR0ThreadCtxHookIsEnabled(pVCpu))
         return VINF_SUCCESS;
     return VINF_EM_RAW_INTERRUPT;
+#else
+    return VINF_SUCCESS;
+#endif
 }
 
@@ -13049 +11230 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitXcptNmi, y3);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitXcptNmi, y3);
 
     vmxHCReadExitIntInfoVmcs(pVCpu, pVmxTransient);
@@ -13065 +11246 @@
     switch (uExitIntType)
     {
+#ifdef IN_RING0 /* NMIs should never reach R3. */
         /*
          * Host physical NMIs:
@@ -13079 +11261 @@
             break;
         }
+#endif
 
         /*
@@ -13106 +11289 @@
         default:
         {
-            pVCpu->hm.s.u32HMError = pVmxTransient->uExitIntInfo;
+            VCPU_2_VMXSTATE(pVCpu).u32HMError = pVmxTransient->uExitIntInfo;
             rcStrict = VERR_VMX_UNEXPECTED_INTERRUPTION_EXIT_TYPE;
             AssertMsgFailed(("Invalid/unexpected VM-exit interruption info %#x\n", pVmxTransient->uExitIntInfo));
@@ -13113 +11296 @@
     }
 
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitXcptNmi, y3);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitXcptNmi, y3);
     return rcStrict;
 }
@@ -13127 +11310 @@
     /* Indicate that we no longer need to VM-exit when the guest is ready to receive interrupts, it is now ready. */
     PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
-    vmxHCClearIntWindowExitVmcs(pVmcsInfo);
+    vmxHCClearIntWindowExitVmcs(pVCpu, pVmcsInfo);
 
     /* Evaluate and deliver pending events and resume guest execution. */
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIntWindow);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitIntWindow);
     return VINF_SUCCESS;
 }
@@ -13170 +11353 @@
 
     /* Indicate that we no longer need to VM-exit when the guest is ready to receive NMIs, it is now ready */
-    vmxHCClearNmiWindowExitVmcs(pVmcsInfo);
+    vmxHCClearNmiWindowExitVmcs(pVCpu, pVmcsInfo);
 
     /* Evaluate and deliver pending events and resume guest execution. */
@@ -13224 +11407 @@
         rcStrict = IEMExecDecodedCpuid(pVCpu, pVmxTransient->cbExitInstr);
         if (rcStrict == VINF_SUCCESS)
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
         else if (rcStrict == VINF_IEM_RAISED_XCPT)
         {
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
             rcStrict = VINF_SUCCESS;
         }
@@ -13243 +11426 @@
 
         rcStrict = EMHistoryExec(pVCpu, pExitRec, 0);
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
 
         Log4(("CpuIdExit/%u: %04x:%08RX64: EMHistoryExec -> %Rrc + %04x:%08RX64\n",
@@ -13291 +11474 @@
         if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_TSC_OFFSETTING)
             pVmxTransient->fUpdatedTscOffsettingAndPreemptTimer = false;
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     }
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13321 +11504 @@
         if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_TSC_OFFSETTING)
             pVmxTransient->fUpdatedTscOffsettingAndPreemptTimer = false;
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     }
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13410 +11593 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+#ifdef IN_RING0
     Assert(!pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging || pVCpu->hmr0.s.fUsingDebugLoop);
+#endif
 
     PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
@@ -13421 +11606 @@
 
     if (rcStrict == VINF_SUCCESS || rcStrict == VINF_PGM_SYNC_CR3)
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13448 +11633 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedMonitor(pVCpu, pVmxTransient->cbExitInstr);
     if (rcStrict == VINF_SUCCESS)
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13474 +11659 @@
     if (RT_SUCCESS(rcStrict))
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
         if (EMMonitorWaitShouldContinue(pVCpu, &pVCpu->cpum.GstCtx))
             rcStrict = VINF_SUCCESS;
@@ -13511 +11696 @@
 
     if (rc != VINF_SUCCESS)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchHltToR3);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchHltToR3);
     return rc;
 }
@@ -13542 +11727 @@
     PVMCC pVM = pVCpu->CTX_SUFF(pVM);
     bool fTimersPending = TMTimerPollBool(pVM, pVCpu);
-    STAM_REL_COUNTER_INC(&pVCpu->hm.s.StatExitPreemptTimer);
+    STAM_REL_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitPreemptTimer);
     return fTimersPending ? VINF_EM_RAW_TIMER_PENDING : VINF_SUCCESS;
 }
@@ -13554 +11739 @@
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
 
+#ifdef IN_RING0
     PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
     vmxHCReadExitInstrLenVmcs(pVCpu, pVmxTransient);
@@ -13560 +11746 @@
 
     VBOXSTRICTRC rcStrict = IEMExecDecodedXsetbv(pVCpu, pVmxTransient->cbExitInstr);
-    ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS
+    ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, rcStrict != VINF_IEM_RAISED_XCPT ? HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS
                                                                                 : HM_CHANGED_RAISED_XCPT_MASK);
 
@@ -13572 +11758 @@
 
     return rcStrict;
+#else
+    return VERR_EM_INTERPRETER;
+#endif
 }
 
@@ -13607 +11796 @@
                                                   GCPtrDesc, uType);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13659 +11848 @@
     rc = VMX_VMCS_READ_NW(pVCpu, VMX_VMCS_CTRL_CR4_READ_SHADOW, &u64Val);             AssertRC(rc);
     Log4(("VMX_VMCS_CTRL_CR4_READ_SHADOW              %#RX64\n", u64Val));
+# ifdef IN_RING0
     if (pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging)
     {
@@ -13664 +11854 @@
         Log4(("VMX_VMCS64_CTRL_EPTP_FULL                  %#RX64\n", u64Val));
     }
+
     hmR0DumpRegs(pVCpu, HM_DUMP_REG_FLAGS_ALL);
+# endif
 #endif
 
@@ -13784 +11976 @@
     Log4Func(("ecx=%#RX32\n", idMsr));
 
-#ifdef VBOX_STRICT
+#if defined(VBOX_STRICT) && defined(IN_RING0)
     Assert(!pVmxTransient->fIsNestedGuest);
     if (pVmcsInfo->u32ProcCtls & VMX_PROC_CTLS_USE_MSR_BITMAPS)
@@ -13808 +12000 @@
 
     VBOXSTRICTRC rcStrict = IEMExecDecodedRdmsr(pVCpu, pVmxTransient->cbExitInstr);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitRdmsr);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitRdmsr);
     if (rcStrict == VINF_SUCCESS)
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -13858 +12050 @@
 
     VBOXSTRICTRC rcStrict = IEMExecDecodedWrmsr(pVCpu, pVmxTransient->cbExitInstr);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitWrmsr);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitWrmsr);
 
     if (rcStrict == VINF_SUCCESS)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
 
         /* If this is an X2APIC WRMSR access, update the APIC state as well. */
@@ -13874 +12066 @@
              * sure APIC state is saved from the VMCS before IEM changes it.
              */
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_APIC_TPR);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_APIC_TPR);
         }
         else if (idMsr == MSR_IA32_TSC)        /* Windows 7 does this during bootup. See @bugref{6398}. */
@@ -13885 +12077 @@
              * We care about the other bits as well, SCE and NXE. See @bugref{7368}.
              */
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_EFER_MSR | HM_CHANGED_VMX_ENTRY_EXIT_CTLS);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_EFER_MSR | HM_CHANGED_VMX_ENTRY_EXIT_CTLS);
         }
 
@@ -13893 +12085 @@
             switch (idMsr)
             {
-                case MSR_IA32_SYSENTER_CS:  ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_SYSENTER_CS_MSR);  break;
-                case MSR_IA32_SYSENTER_EIP: ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_SYSENTER_EIP_MSR); break;
-                case MSR_IA32_SYSENTER_ESP: ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_SYSENTER_ESP_MSR); break;
-                case MSR_K8_FS_BASE:        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_FS);               break;
-                case MSR_K8_GS_BASE:        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_GS);               break;
+                case MSR_IA32_SYSENTER_CS:  ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_SYSENTER_CS_MSR);  break;
+                case MSR_IA32_SYSENTER_EIP: ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_SYSENTER_EIP_MSR); break;
+                case MSR_IA32_SYSENTER_ESP: ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_SYSENTER_ESP_MSR); break;
+                case MSR_K8_FS_BASE:        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_FS);               break;
+                case MSR_K8_GS_BASE:        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_GS);               break;
                 case MSR_K6_EFER:           /* Nothing to do, already handled above. */                                    break;
                 default:
                 {
+#ifdef IN_RING0
                     if (vmxHCIsLazyGuestMsr(pVCpu, idMsr))
-                        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_VMX_GUEST_LAZY_MSRS);
+                        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_VMX_GUEST_LAZY_MSRS);
                     else if (vmxHCIsAutoLoadGuestMsr(pVmcsInfo, idMsr))
-                        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
+                        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_VMX_GUEST_AUTO_MSRS);
+#else
+                    AssertMsgFailed(("TODO\n"));
+#endif
                     break;
                 }
             }
         }
-#ifdef VBOX_STRICT
+#if defined(VBOX_STRICT) && defined(IN_RING0)
         else
         {
@@ -13957 +12153 @@
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -14000 +12196 @@
      * entry so we can just continue execution here.
      */
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTprBelowThreshold);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitTprBelowThreshold);
     return VINF_SUCCESS;
 }
@@ -14017 +12213 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitMovCRx, y2);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitMovCRx, y2);
 
     PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
@@ -14044 +12240 @@
 
             HMVMX_CPUMCTX_ASSERT(pVCpu, CPUMCTX_EXTRN_CR0);
+#ifdef IN_RING0
             uint32_t const uOldCr0 = pVCpu->cpum.GstCtx.cr0;
+#endif
             uint8_t const  iGReg   = VMX_EXIT_QUAL_CRX_GENREG(uExitQual);
             uint8_t const  iCrReg  = VMX_EXIT_QUAL_CRX_REGISTER(uExitQual);
@@ -14054 +12252 @@
              *   - We are executing in the VM debug loop.
              */
+#ifdef IN_RING0
             Assert(   iCrReg != 3
                    || !pVM->hmr0.s.fNestedPaging
                    || !CPUMIsGuestPagingEnabledEx(&pVCpu->cpum.GstCtx)
                    || pVCpu->hmr0.s.fUsingDebugLoop);
+#else
+            Assert(   iCrReg != 3
+                   || !CPUMIsGuestPagingEnabledEx(&pVCpu->cpum.GstCtx));
+#endif
 
             /* MOV to CR8 writes only cause VM-exits when TPR shadow is not used. */
@@ -14067 +12270 @@
                       || rcStrict == VINF_PGM_SYNC_CR3, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
 
+#ifdef IN_RING0
             /*
              * This is a kludge for handling switches back to real mode when we try to use
@@ -14089 +12293 @@
                 rcStrict = VINF_EM_RESCHEDULE_REM;
             }
+#endif
+
             break;
         }
@@ -14106 +12312 @@
              *   - We are executing in the VM debug loop.
              */
+#ifdef IN_RING0
             Assert(   iCrReg != 3
                    || !pVM->hmr0.s.fNestedPaging
                    || !CPUMIsGuestPagingEnabledEx(&pVCpu->cpum.GstCtx)
                    || pVCpu->hmr0.s.fLeaveDone);
+#else
+            Assert(   iCrReg != 3
+                   || !CPUMIsGuestPagingEnabledEx(&pVCpu->cpum.GstCtx));
+#endif
 
             /* MOV from CR8 reads only cause a VM-exit when the TPR shadow feature isn't enabled. */
@@ -14156 +12367 @@
     }
 
-    Assert((pVCpu->hm.s.fCtxChanged & (HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS))
+    Assert((VCPU_2_VMXSTATE(pVCpu).fCtxChanged & (HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS))
                                    == (HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS));
     Assert(rcStrict != VINF_IEM_RAISED_XCPT);
 
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitMovCRx, y2);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitMovCRx, y2);
     NOREF(pVM);
     return rcStrict;
@@ -14173 +12384 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitIO, y1);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitIO, y1);
 
     PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
@@ -14190 +12401 @@
     bool     const fIOString    = VMX_EXIT_QUAL_IO_IS_STRING(pVmxTransient->uExitQual);
     bool     const fGstStepping = RT_BOOL(pCtx->eflags.Bits.u1TF);
-    bool     const fDbgStepping = pVCpu->hm.s.fSingleInstruction;
+    bool     const fDbgStepping = VCPU_2_VMXSTATE(pVCpu).fSingleInstruction;
     AssertReturn(uIOSize <= 3 && uIOSize != 2, VERR_VMX_IPE_1);
 
@@ -14253 +12464 @@
                 rcStrict = IEMExecOne(pVCpu);
 
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP);
             fUpdateRipAlready = true;
         }
@@ -14267 +12478 @@
             {
                 rcStrict = IOMIOPortWrite(pVM, pVCpu, uIOPort, pCtx->eax & uAndVal, cbValue);
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIOWrite);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitIOWrite);
+#ifdef IN_RING0
                 if (    rcStrict == VINF_IOM_R3_IOPORT_WRITE
                     && !pCtx->eflags.Bits.u1TF)
                     rcStrict = EMRZSetPendingIoPortWrite(pVCpu, uIOPort, cbInstr, cbValue, pCtx->eax & uAndVal);
+#endif
             }
             else
@@ -14281 +12494 @@
                     pCtx->eax = (pCtx->eax & ~uAndVal) | (u32Result & uAndVal);
                 }
+#ifdef IN_RING0
                 if (    rcStrict == VINF_IOM_R3_IOPORT_READ
                     && !pCtx->eflags.Bits.u1TF)
                     rcStrict = EMRZSetPendingIoPortRead(pVCpu, uIOPort, cbInstr, cbValue);
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatExitIORead);
+#endif
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitIORead);
             }
         }
@@ -14293 +12508 @@
             {
                 vmxHCAdvanceGuestRipBy(pVCpu, cbInstr);
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP);
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP);
             }
 
@@ -14303 +12518 @@
              */
             if (fIOString)
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RFLAGS);
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RFLAGS);
 
             /*
@@ -14321 +12536 @@
                             || DBGFBpIsHwIoArmed(pVM)))
             {
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxIoCheck);
-
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatDRxIoCheck);
+
+#ifdef IN_RING0
                 /* We're playing with the host CPU state here, make sure we don't preempt or longjmp. */
                 VMMRZCallRing3Disable(pVCpu);
@@ -14336 +12552 @@
                         ASMSetDR6(pCtx->dr[6]);
                     if (pCtx->dr[7] != uDr7)
-                        pVCpu->hm.s.fCtxChanged |= HM_CHANGED_GUEST_DR7;
+                        VCPU_2_VMXSTATE(pVCpu).fCtxChanged |= HM_CHANGED_GUEST_DR7;
 
                     vmxHCSetPendingXcptDB(pVCpu);
@@ -14349 +12565 @@
                 HM_RESTORE_PREEMPT();
                 VMMRZCallRing3Enable(pVCpu);
+#else
+                /** @todo */
+#endif
             }
         }
@@ -14374 +12593 @@
         }
 #endif
-        STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitIO, y1);
+        STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitIO, y1);
     }
     else
@@ -14383 +12602 @@
         int rc2 = vmxHCImportGuestState(pVCpu, pVmcsInfo, HMVMX_CPUMCTX_EXTRN_ALL);
         AssertRCReturn(rc2, rc2);
-        STAM_COUNTER_INC(!fIOString ? fIOWrite ? &pVCpu->hm.s.StatExitIOWrite : &pVCpu->hm.s.StatExitIORead
-                         : fIOWrite ? &pVCpu->hm.s.StatExitIOStringWrite : &pVCpu->hm.s.StatExitIOStringRead);
+        STAM_COUNTER_INC(!fIOString ? fIOWrite ? &VCPU_2_VMXSTATE(pVCpu).StatExitIOWrite : &VCPU_2_VMXSTATE(pVCpu).StatExitIORead
+                         : fIOWrite ? &VCPU_2_VMXSTATE(pVCpu).StatExitIOStringWrite : &VCPU_2_VMXSTATE(pVCpu).StatExitIOStringRead);
         Log4(("IOExit/%u: %04x:%08RX64: %s%s%s %#x LB %u -> EMHistoryExec\n",
               pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
@@ -14391 +12610 @@
 
         rcStrict = EMHistoryExec(pVCpu, pExitRec, 0);
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
 
         Log4(("IOExit/%u: %04x:%08RX64: EMHistoryExec -> %Rrc + %04x:%08RX64\n",
@@ -14438 +12657 @@
             Log4Func(("Pending event. uIntType=%#x uVector=%#x\n", VMX_IDT_VECTORING_INFO_TYPE(pVmxTransient->uIdtVectoringInfo),
                       VMX_IDT_VECTORING_INFO_VECTOR(pVmxTransient->uIdtVectoringInfo)));
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitTaskSwitch);
             return VINF_EM_RAW_INJECT_TRPM_EVENT;
         }
@@ -14444 +12663 @@
 
     /* Fall back to the interpreter to emulate the task-switch. */
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitTaskSwitch);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitTaskSwitch);
     return VERR_EM_INTERPRETER;
 }
@@ -14470 +12689 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
-    STAM_COUNTER_INC(&pVCpu->hm.s.StatExitApicAccess);
+    STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitApicAccess);
 
     vmxHCReadExitIntInfoVmcs(pVCpu, pVmxTransient);
@@ -14485 +12704 @@
     {
         /* For some crazy guest, if an event delivery causes an APIC-access VM-exit, go to instruction emulation. */
-        if (RT_UNLIKELY(pVCpu->hm.s.Event.fPending))
-        {
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectInterpret);
+        if (RT_UNLIKELY(VCPU_2_VMXSTATE(pVCpu).Event.fPending))
+        {
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectInterpret);
             return VINF_EM_RAW_INJECT_TRPM_EVENT;
         }
@@ -14507 +12726 @@
     switch (uAccessType)
     {
+#ifdef IN_RING0
         case VMX_APIC_ACCESS_TYPE_LINEAR_WRITE:
         case VMX_APIC_ACCESS_TYPE_LINEAR_READ:
@@ -14514 +12734 @@
                       ("vmxHCExitApicAccess: can't access TPR offset while using TPR shadowing.\n"));
 
-            RTGCPHYS GCPhys = pVCpu->hm.s.vmx.u64GstMsrApicBase;    /* Always up-to-date, as it is not part of the VMCS. */
+            RTGCPHYS GCPhys = VCPU_2_VMXSTATE(pVCpu).vmx.u64GstMsrApicBase;    /* Always up-to-date, as it is not part of the VMCS. */
             GCPhys &= PAGE_BASE_GC_MASK;
             GCPhys += VMX_EXIT_QUAL_APIC_ACCESS_OFFSET(pVmxTransient->uExitQual);
@@ -14527 +12747 @@
                 || rcStrict == VERR_PAGE_NOT_PRESENT)
             {
-                ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS
+                ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS
                                                          | HM_CHANGED_GUEST_APIC_TPR);
                 rcStrict = VINF_SUCCESS;
@@ -14533 +12753 @@
             break;
         }
+#else
+        /** @todo */
+#endif
 
         default:
@@ -14543 +12766 @@
 
     if (rcStrict != VINF_SUCCESS)
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatSwitchApicAccessToR3);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatSwitchApicAccessToR3);
     return rcStrict;
 }
@@ -14571 +12794 @@
         }
 
-        if (   !pVCpu->hm.s.fSingleInstruction
+        if (   !VCPU_2_VMXSTATE(pVCpu).fSingleInstruction
             && !pVmxTransient->fWasHyperDebugStateActive)
         {
@@ -14582 +12805 @@
             AssertRC(rc);
 
+#ifdef IN_RING0
             /* We're playing with the host CPU state here, make sure we can't preempt or longjmp. */
             VMMRZCallRing3Disable(pVCpu);
@@ -14592 +12816 @@
             HM_RESTORE_PREEMPT();
             VMMRZCallRing3Enable(pVCpu);
+#else
+            /** @todo */
+#endif
 
 #ifdef VBOX_WITH_STATISTICS
             vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
             if (VMX_EXIT_QUAL_DRX_DIRECTION(pVmxTransient->uExitQual) == VMX_EXIT_QUAL_DRX_DIRECTION_WRITE)
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitDRxWrite);
             else
-                STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
+                STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitDRxRead);
 #endif
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxContextSwitch);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatDRxContextSwitch);
             return VINF_SUCCESS;
         }
@@ -14623 +12850 @@
                                  VMX_EXIT_QUAL_DRX_GENREG(pVmxTransient->uExitQual));
         if (RT_SUCCESS(rc))
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_DR7);
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxWrite);
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_DR7);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitDRxWrite);
     }
     else
@@ -14631 +12858 @@
                                 VMX_EXIT_QUAL_DRX_GENREG(pVmxTransient->uExitQual),
                                 VMX_EXIT_QUAL_DRX_REGISTER(pVmxTransient->uExitQual));
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitDRxRead);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitDRxRead);
     }
 
@@ -14652 +12879 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+
+#ifdef IN_RING0
     Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging);
 
@@ -14671 +12900 @@
          * using hardware-assisted VMX would trigger the same EPT misconfig VM-exit again.
          */
-        if (!pVCpu->hm.s.Event.fPending)
+        if (!VCPU_2_VMXSTATE(pVCpu).Event.fPending)
         { /* likely */ }
         else
         {
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectInterpret);
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectInterpret);
 #ifdef VBOX_WITH_NESTED_HWVIRT_VMX
             /** @todo NSTVMX: Think about how this should be handled. */
@@ -14729 +12958 @@
         {
             /* Successfully handled MMIO operation. */
-            ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS
                                                      | HM_CHANGED_GUEST_APIC_TPR);
             rcStrict = VINF_SUCCESS;
@@ -14743 +12972 @@
 
         rcStrict = EMHistoryExec(pVCpu, pExitRec, 0);
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
 
         Log4(("EptMisscfgExit/%u: %04x:%08RX64: EMHistoryExec -> %Rrc + %04x:%08RX64\n",
@@ -14750 +12979 @@
     }
     return rcStrict;
+#else
+    AssertFailed();
+    return VERR_VMX_IPE_3; /* Should never happen with Apple HV in R3. */
+#endif
 }
 
@@ -14760 +12993 @@
 {
     HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+#ifdef IN_RING0
     Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging);
 
@@ -14779 +13013 @@
          * we shall resolve the nested #PF and re-inject the original event.
          */
-        if (pVCpu->hm.s.Event.fPending)
-            STAM_COUNTER_INC(&pVCpu->hm.s.StatInjectReflectNPF);
+        if (VCPU_2_VMXSTATE(pVCpu).Event.fPending)
+            STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatInjectReflectNPF);
     }
     else
@@ -14805 +13039 @@
         uErrorCode |= X86_TRAP_PF_P;
 
-    PVMCC    pVM  = pVCpu->CTX_SUFF(pVM);
     PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
     Log4Func(("at %#RX64 (%#RX64 errcode=%#x) cs:rip=%#04x:%#RX64\n", GCPhys, uExitQual, uErrorCode, pCtx->cs.Sel, pCtx->rip));
+
+    PVMCC    pVM  = pVCpu->CTX_SUFF(pVM);
 
     /*
@@ -14822 +13057 @@
     {
         /* Successfully synced our nested page tables. */
-        STAM_COUNTER_INC(&pVCpu->hm.s.StatExitReasonNpf);
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS);
+        STAM_COUNTER_INC(&VCPU_2_VMXSTATE(pVCpu).StatExitReasonNpf);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RSP | HM_CHANGED_GUEST_RFLAGS);
         return VINF_SUCCESS;
     }
+#else
+    PVM pVM = pVCpu->CTX_SUFF(pVM);
+    uint64_t const uHostTsc = ASMReadTSC(); RT_NOREF(uHostTsc);
+    vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
+    vmxHCReadGuestPhysicalAddrVmcs(pVCpu, pVmxTransient);
+    vmxHCImportGuestRip(pVCpu);
+    vmxHCImportGuestSegReg(pVCpu, X86_SREG_CS);
+
+    /*
+     * Ask PGM for information about the given GCPhys.  We need to check if we're
+     * out of sync first.
+     */
+    NEMHCDARWINHMACPCCSTATE State = { RT_BOOL(pVmxTransient->uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_WRITE), false, false };
+    PGMPHYSNEMPAGEINFO      Info;
+    int rc = PGMPhysNemPageInfoChecker(pVM, pVCpu, pVmxTransient->uGuestPhysicalAddr, State.fWriteAccess, &Info,
+                                       nemR3DarwinHandleMemoryAccessPageCheckerCallback, &State);
+    if (RT_SUCCESS(rc))
+    {
+        if (Info.fNemProt & (  RT_BOOL(pVmxTransient->uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_WRITE)
+                             ? NEM_PAGE_PROT_WRITE : NEM_PAGE_PROT_READ))
+        {
+            if (State.fCanResume)
+            {
+                Log4(("MemExit/%u: %04x:%08RX64: %RGp (=>%RHp) %s fProt=%u%s%s%s; restarting\n",
+                      pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
+                      pVmxTransient->uGuestPhysicalAddr, Info.HCPhys, g_apszPageStates[Info.u2NemState], Info.fNemProt,
+                      Info.fHasHandlers ? " handlers" : "", Info.fZeroPage    ? " zero-pg" : "",
+                      State.fDidSomething ? "" : " no-change"));
+                EMHistoryAddExit(pVCpu, EMEXIT_MAKE_FT(EMEXIT_F_KIND_NEM, NEMEXITTYPE_MEMORY_ACCESS),
+                                 pVCpu->cpum.GstCtx.cs.u64Base + pVCpu->cpum.GstCtx.rip, uHostTsc);
+                return VINF_SUCCESS;
+            }
+        }
+
+        Log4(("MemExit/%u: %04x:%08RX64: %RGp (=>%RHp) %s fProt=%u%s%s%s; emulating\n",
+              pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
+              pVmxTransient->uGuestPhysicalAddr, Info.HCPhys, g_apszPageStates[Info.u2NemState], Info.fNemProt,
+              Info.fHasHandlers ? " handlers" : "", Info.fZeroPage    ? " zero-pg" : "",
+              State.fDidSomething ? "" : " no-change"));
+    }
+    else
+        Log4(("MemExit/%u: %04x:%08RX64: %RGp rc=%Rrc%s; emulating\n",
+              pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
+              pVmxTransient->uGuestPhysicalAddr, rc, State.fDidSomething ? " modified-backing" : ""));
+
+    /*
+     * Emulate the memory access, either access handler or special memory.
+     */
+    PCEMEXITREC pExitRec = EMHistoryAddExit(pVCpu,
+                                              RT_BOOL(pVmxTransient->uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_WRITE)
+                                            ? EMEXIT_MAKE_FT(EMEXIT_F_KIND_EM, EMEXITTYPE_MMIO_WRITE)
+                                            : EMEXIT_MAKE_FT(EMEXIT_F_KIND_EM, EMEXITTYPE_MMIO_READ),
+                                            pVCpu->cpum.GstCtx.cs.u64Base + pVCpu->cpum.GstCtx.rip, uHostTsc);
+#if 0
+    rc = nemR3DarwinCopyStateFromHv(pVM, pVCpu,   CPUMCTX_EXTRN_RIP | CPUMCTX_EXTRN_RFLAGS | CPUMCTX_EXTRN_CS
+                                                | NEM_DARWIN_CPUMCTX_EXTRN_MASK_FOR_IEM | CPUMCTX_EXTRN_DS | CPUMCTX_EXTRN_ES);
+    AssertRCReturn(rc, rc);
+#endif
+    VBOXSTRICTRC rcStrict;
+    if (!pExitRec)
+    {
+        rcStrict = IEMExecOne(pVCpu);
+        /** @todo do we need to do anything wrt debugging here?   */
+    }
+    else
+    {
+        /* Frequent access or probing. */
+        rcStrict = EMHistoryExec(pVCpu, pExitRec, 0);
+        Log4(("MemExit/%u: %04x:%08RX64: EMHistoryExec -> %Rrc + %04x:%08RX64\n",
+              pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
+              VBOXSTRICTRC_VAL(rcStrict), pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
+    }
+#endif
 
     Log4Func(("EPT return to ring-3 rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
@@ -14860 +13168 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmclear(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -14885 +13193 @@
     HMVMX_CHECK_EXIT_DUE_TO_VMX_INSTR(pVCpu, pVmxTransient->uExitReason);
 
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitVmentry, z);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitVmentry, z);
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmlaunchVmresume(pVCpu, pVmxTransient->cbExitInstr, VMXINSTRID_VMLAUNCH);
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitVmentry, z);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitVmentry, z);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
         if (CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
             rcStrict = VINF_VMX_VMLAUNCH_VMRESUME;
@@ -14926 +13234 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmptrld(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -14963 +13271 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmptrst(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15006 +13314 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmread(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15031 +13339 @@
     HMVMX_CHECK_EXIT_DUE_TO_VMX_INSTR(pVCpu, pVmxTransient->uExitReason);
 
-    STAM_PROFILE_ADV_START(&pVCpu->hm.s.StatExitVmentry, z);
+    STAM_PROFILE_ADV_START(&VCPU_2_VMXSTATE(pVCpu).StatExitVmentry, z);
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmlaunchVmresume(pVCpu, pVmxTransient->cbExitInstr, VMXINSTRID_VMRESUME);
-    STAM_PROFILE_ADV_STOP(&pVCpu->hm.s.StatExitVmentry, z);
+    STAM_PROFILE_ADV_STOP(&VCPU_2_VMXSTATE(pVCpu).StatExitVmentry, z);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_ALL_GUEST);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_ALL_GUEST);
         if (CPUMIsGuestInVmxNonRootMode(&pVCpu->cpum.GstCtx))
             rcStrict = VINF_VMX_VMLAUNCH_VMRESUME;
@@ -15078 +13386 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmwrite(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15105 +13413 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmxoff(pVCpu, pVmxTransient->cbExitInstr);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_HWVIRT);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15142 +13450 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedVmxon(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS | HM_CHANGED_GUEST_HWVIRT);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15178 +13486 @@
     VBOXSTRICTRC rcStrict = IEMExecDecodedInvvpid(pVCpu, &ExitInfo);
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
     else if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }
@@ -15295 +13603 @@
         default:
         {
-            pVCpu->hm.s.u32HMError = pVmxTransient->uExitIntInfo;
+            VCPU_2_VMXSTATE(pVCpu).u32HMError = pVmxTransient->uExitIntInfo;
             return VERR_VMX_UNEXPECTED_INTERRUPTION_EXIT_TYPE;
         }
@@ -15634 +13942 @@
     if (rcStrict == VINF_IEM_RAISED_XCPT)
     {
-        ASMAtomicUoOrU64(&pVCpu->hm.s.fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+        ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
         rcStrict = VINF_SUCCESS;
     }