Changeset 93922 in vbox

Timestamp:

Feb 24, 2022 3:14:31 PM (3 years ago)

Author:

vboxsync

Message:

VMM: Nested VMX: bugref:10092 EPT VM-exit handling with HM ring-0 code.

Location:

trunk

Files:

• include/VBox/vmm/cpum.h (modified) (2 diffs)
• include/VBox/vmm/iem.h (modified) (1 diff)
• include/VBox/vmm/pgm.h (modified) (3 diffs)
• src/VBox/VMM/VMMAll/CPUMAllRegs.cpp (modified) (1 diff)
• src/VBox/VMM/VMMAll/IEMAll.cpp (modified) (4 diffs)
• src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h (modified) (2 diffs)
• src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h (modified) (16 diffs)
• src/VBox/VMM/VMMAll/PGMAll.cpp (modified) (8 diffs)
• src/VBox/VMM/VMMAll/PGMAllBth.h (modified) (2 diffs)
• src/VBox/VMM/VMMAll/PGMAllGst.h (modified) (1 diff)
• src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h (modified) (3 diffs)
• src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h (modified) (3 diffs)
• src/VBox/VMM/VMMR0/HMVMXR0.cpp (modified) (9 diffs)
• src/VBox/VMM/VMMR0/IEMR0.cpp (modified) (1 diff)
• src/VBox/VMM/VMMR0/PGMR0.cpp (modified) (1 diff)
• src/VBox/VMM/VMMR0/PGMR0Bth.h (modified) (1 diff)
• src/VBox/VMM/VMMR3/CPUMR3CpuId.cpp (modified) (2 diffs)
• src/VBox/VMM/VMMR3/HM.cpp (modified) (1 diff)
• src/VBox/VMM/VMMR3/PGM.cpp (modified) (5 diffs)
• src/VBox/VMM/VMMR3/PGMSavedState.cpp (modified) (1 diff)
• src/VBox/VMM/include/IEMInternal.h (modified) (1 diff)
• src/VBox/VMM/include/PGMInternal.h (modified) (1 diff)

trunk/include/VBox/vmm/cpum.h

@@ -1597 +1597 @@
 VMM_INT_DECL(bool)      CPUMIsGuestVmxEptPagingEnabled(PCVMCPUCC pVCpu);
 VMM_INT_DECL(bool)      CPUMIsGuestVmxEptPaePagingEnabled(PCVMCPUCC pVCpu);
+VMM_INT_DECL(uint64_t)  CPUMGetGuestVmxApicAccessPageAddr(PCVMCPUCC pVCpu);
 /** @} */
 
@@ -2335 +2336 @@
  * @param   pCtx    Current CPU context.
  */
-DECLINLINE(uint64_t) CPUMGetGuestVmxApicAccessPageAddr(PCCPUMCTX pCtx)
+DECLINLINE(uint64_t) CPUMGetGuestVmxApicAccessPageAddrEx(PCCPUMCTX pCtx)
 {
     Assert(CPUMIsGuestInVmxNonRootMode(pCtx));

trunk/include/VBox/vmm/iem.h

@@ -383 +383 @@
 # ifdef VBOX_WITH_NESTED_HWVIRT_VMX_EPT
 VMM_INT_DECL(VBOXSTRICTRC)  IEMExecDecodedInvept(PVMCPUCC pVCpu, PCVMXVEXITINFO pExitInfo);
+VMM_INT_DECL(VBOXSTRICTRC)  IEMExecVmxVmexitEptViolation(PVMCPUCC pVCpu, PCVMXVEXITINFO pExitInfo, PCVMXVEXITEVENTINFO pExitEventInfo);
+VMM_INT_DECL(VBOXSTRICTRC)  IEMExecVmxVmexitEptMisconfig(PVMCPUCC pVCpu, RTGCPHYS GCPhysAddr, PCVMXVEXITEVENTINFO pExitEventInfo);
 # endif
 #endif

trunk/include/VBox/vmm/pgm.h

@@ -508 +508 @@
     RTGCPHYS        GCPhysNested;
 
-    /** The physical address that is the result of the walk (output).
-     * @remarks This is page aligned and only valid if fSucceeded is set. */
+    /** The physical address that is the result of the walk (output). */
     RTGCPHYS        GCPhys;
 
@@ -613 +612 @@
 VMMDECL(int)        PGMUpdateCR3(PVMCPUCC pVCpu, uint64_t cr3);
 VMMDECL(int)        PGMChangeMode(PVMCPUCC pVCpu, uint64_t cr0, uint64_t cr4, uint64_t efer, bool fForce);
-VMM_INT_DECL(int)   PGMHCChangeMode(PVMCC pVM, PVMCPUCC pVCpu, PGMMODE enmGuestMode);
+VMM_INT_DECL(int)   PGMHCChangeMode(PVMCC pVM, PVMCPUCC pVCpu, PGMMODE enmGuestMode, bool fForce);
 VMMDECL(void)       PGMCr0WpEnabled(PVMCPUCC pVCpu);
 VMMDECL(PGMMODE)    PGMGetGuestMode(PVMCPU pVCpu);
@@ -949 +948 @@
                                                       PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, uint32_t uErr);
 VMMR0_INT_DECL(int)  PGMR0PoolGrow(PGVM pGVM, VMCPUID idCpu);
+
+# ifdef VBOX_WITH_NESTED_HWVIRT_VMX_EPT
+VMMR0DECL(VBOXSTRICTRC) PGMR0NestedTrap0eHandlerNestedPaging(PGVMCPU pGVCpu, PGMMODE enmShwPagingMode, RTGCUINT uErr,
+                                                             PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                                             bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk);
+# endif
 /** @} */
 #endif /* IN_RING0 */

trunk/src/VBox/VMM/VMMAll/CPUMAllRegs.cpp

@@ -3061 +3061 @@
 }
 
+
+/**
+ * Returns the guest-physical address of the APIC-access page when executing a
+ * nested-guest.
+ *
+ * @returns The APIC-access page guest-physical address.
+ * @param   pVCpu   The cross context virtual CPU structure.
+ */
+VMM_INT_DECL(uint64_t) CPUMGetGuestVmxApicAccessPageAddr(PCVMCPUCC pVCpu)
+{
+    return CPUMGetGuestVmxApicAccessPageAddrEx(&pVCpu->cpum.s.Guest);
+}
+

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -16366 +16366 @@
     return iemUninitExecAndFiddleStatusAndMaybeReenter(pVCpu, rcStrict);
 }
+
+
+/**
+ * Interface for HM and EM to emulate a VM-exit due to an EPT violation.
+ *
+ * @returns Strict VBox status code.
+ * @param   pVCpu           The cross context virtual CPU structure of the calling EMT.
+ * @param   pExitInfo       Pointer to the VM-exit information.
+ * @param   pExitEventInfo  Pointer to the VM-exit event information.
+ * @thread  EMT(pVCpu)
+ */
+VMM_INT_DECL(VBOXSTRICTRC) IEMExecVmxVmexitEptViolation(PVMCPUCC pVCpu, PCVMXVEXITINFO pExitInfo,
+                                                        PCVMXVEXITEVENTINFO pExitEventInfo)
+{
+    IEM_CTX_ASSERT(pVCpu, IEM_CPUMCTX_EXTRN_EXEC_DECODED_MEM_MASK | CPUMCTX_EXTRN_INHIBIT_INT | CPUMCTX_EXTRN_INHIBIT_NMI);
+
+    iemInitExec(pVCpu, false /*fBypassHandlers*/);
+    VBOXSTRICTRC rcStrict = iemVmxVmexitEptViolationWithInfo(pVCpu, pExitInfo, pExitEventInfo);
+    Assert(!pVCpu->iem.s.cActiveMappings);
+    return iemUninitExecAndFiddleStatusAndMaybeReenter(pVCpu, rcStrict);
+}
+
+
+/**
+ * Interface for HM and EM to emulate a VM-exit due to an EPT misconfiguration.
+ *
+ * @returns Strict VBox status code.
+ * @param   pVCpu           The cross context virtual CPU structure of the calling EMT.
+ * @param   GCPhysAddr      The nested-guest physical address causing the EPT
+ *                          misconfiguration.
+ * @param   pExitEventInfo  Pointer to the VM-exit event information.
+ * @thread  EMT(pVCpu)
+ */
+VMM_INT_DECL(VBOXSTRICTRC) IEMExecVmxVmexitEptMisconfig(PVMCPUCC pVCpu, RTGCPHYS GCPhysAddr, PCVMXVEXITEVENTINFO pExitEventInfo)
+{
+    IEM_CTX_ASSERT(pVCpu, IEM_CPUMCTX_EXTRN_EXEC_DECODED_MEM_MASK | CPUMCTX_EXTRN_INHIBIT_INT | CPUMCTX_EXTRN_INHIBIT_NMI);
+
+    iemInitExec(pVCpu, false /*fBypassHandlers*/);
+    VBOXSTRICTRC rcStrict = iemVmxVmexitEptMisconfigWithInfo(pVCpu, GCPhysAddr, pExitEventInfo);
+    Assert(!pVCpu->iem.s.cActiveMappings);
+    return iemUninitExecAndFiddleStatusAndMaybeReenter(pVCpu, rcStrict);
+}
+
 # endif /* VBOX_WITH_NESTED_HWVIRT_VMX_EPT */
 
@@ -16384 +16427 @@
     {
         Assert(CPUMIsGuestVmxProcCtls2Set(IEM_GET_CTX(pVCpu), VMX_PROC_CTLS2_VIRT_APIC_ACCESS));
-        Assert(CPUMGetGuestVmxApicAccessPageAddr(IEM_GET_CTX(pVCpu)) == GCPhysAccessBase);
-
-        /** @todo NSTVMX: How are we to distinguish instruction fetch accesses here?
-         *        Currently they will go through as read accesses. */
-        uint32_t const fAccess   = enmAccessType == PGMACCESSTYPE_WRITE ? IEM_ACCESS_TYPE_WRITE : IEM_ACCESS_TYPE_READ;
+        Assert(CPUMGetGuestVmxApicAccessPageAddrEx(IEM_GET_CTX(pVCpu)) == GCPhysAccessBase);
+
+        uint32_t const fAccess   = enmAccessType == PGMACCESSTYPE_WRITE ? IEM_ACCESS_DATA_W : IEM_ACCESS_DATA_R;
         uint16_t const offAccess = GCPhysFault & GUEST_PAGE_OFFSET_MASK;
         VBOXSTRICTRC rcStrict = iemVmxVirtApicAccessMem(pVCpu, offAccess, cbBuf, pvBuf, fAccess);
@@ -16398 +16439 @@
     }
 
-    Log(("iemVmxApicAccessPageHandler: Access outside VMX non-root mode, deregistering page at %#RGp\n", GCPhysAccessBase));
+    LogFunc(("Accessed outside VMX non-root mode, deregistering page handler for %#RGp\n", GCPhysAccessBase));
     int rc = PGMHandlerPhysicalDeregister(pVM, GCPhysAccessBase);
     if (RT_FAILURE(rc))
@@ -16407 +16448 @@
 }
 
+
+# ifndef IN_RING3
+/**
+ * @callback_method_impl{FNPGMRZPHYSPFHANDLER,
+ *      \#PF access handler callback for guest VMX APIC-access page.}
+ */
+DECLCALLBACK(VBOXSTRICTRC) iemVmxApicAccessPagePfHandler(PVMCC pVM, PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame,
+                                                         RTGCPTR pvFault, RTGCPHYS GCPhysFault, uint64_t uUser)
+
+{
+    RT_NOREF4(pVM, pRegFrame, pvFault, uUser);
+
+    /** @todo We lack information about such as the current instruction length, IDT
+     *        vectoring info etc. These need to be queried from HMR0. */
+    RTGCPHYS const GCPhysAccessBase = GCPhysFault & ~(RTGCPHYS)GUEST_PAGE_OFFSET_MASK;
+    if (CPUMIsGuestInVmxNonRootMode(IEM_GET_CTX(pVCpu)))
+    {
+        Assert(CPUMIsGuestVmxProcCtls2Set(IEM_GET_CTX(pVCpu), VMX_PROC_CTLS2_VIRT_APIC_ACCESS));
+        Assert(CPUMGetGuestVmxApicAccessPageAddrEx(IEM_GET_CTX(pVCpu)) == GCPhysAccessBase);
+
+        uint32_t fAccess;
+        if (uErr & X86_TRAP_PF_ID)
+            fAccess = IEM_ACCESS_INSTRUCTION;
+        else if (uErr & X86_TRAP_PF_RW)
+            fAccess = IEM_ACCESS_DATA_W;
+        else
+            fAccess = IEM_ACCESS_DATA_R;
+
+        uint16_t const offAccess = GCPhysFault & GUEST_PAGE_OFFSET_MASK;
+        bool const fIntercept = iemVmxVirtApicIsMemAccessIntercepted(pVCpu, offAccess, 0 /* cbAccess */, fAccess);
+        if (fIntercept)
+        {
+            /** @todo Once HMR0 interface for querying VMXTRANSIENT info is available, use
+             *        iemVmxVmexitApicAccessWithInfo instead. This is R0-only code anyway. */
+            VBOXSTRICTRC rcStrict = iemVmxVmexitApicAccess(pVCpu, offAccess, fAccess);
+            return iemExecStatusCodeFiddling(pVCpu, rcStrict);
+        }
+
+        /* The access isn't intercepted, which means it needs to be virtualized. */
+        return VINF_EM_RAW_EMULATE_INSTR;
+    }
+
+    LogFunc(("Accessed outside VMX non-root mode, deregistering page handler for %#RGp\n", GCPhysAccessBase));
+    int rc = PGMHandlerPhysicalDeregister(pVM, GCPhysAccessBase);
+    if (RT_FAILURE(rc))
+        return rc;
+
+    return VINF_SUCCESS;
+}
+# endif /* !IN_RING3 */
 #endif /* VBOX_WITH_NESTED_HWVIRT_VMX */
+
 
 #ifdef IN_RING3

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

@@ -7560 +7560 @@
          * See Intel spec. 29.4.4 "Instruction-Specific Considerations".
          */
-        rcStrict = iemVmxVirtApicAccessUnused(pVCpu, &GCPhysMem);
+        rcStrict = iemVmxVirtApicAccessUnused(pVCpu, &GCPhysMem, IEM_ACCESS_TYPE_READ | IEM_ACCESS_WHAT_DATA);
         if (   rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE
             && rcStrict != VINF_VMX_MODIFIES_BEHAVIOR)
@@ -8218 +8218 @@
                  * See Intel spec. 29.4.4 "Instruction-Specific Considerations".
                  */
-                rcStrict = iemVmxVirtApicAccessUnused(pVCpu, &GCPhysMem);
+                rcStrict = iemVmxVirtApicAccessUnused(pVCpu, &GCPhysMem, IEM_ACCESS_TYPE_READ | IEM_ACCESS_WHAT_DATA);
                 if (   rcStrict != VINF_VMX_INTERCEPT_NOT_ACTIVE
                     && rcStrict != VINF_VMX_MODIFIES_BEHAVIOR)

trunk/src/VBox/VMM/VMMAll/IEMAllCImplVmxInstr.cpp.h

@@ -3711 +3711 @@
  *                          This need not be page aligned (e.g. nested-guest in real
  *                          mode).
- * @param   pExitEventInfo  Pointer to the VM-exit event information. Optional, can
- *                          be NULL.
- */
-IEM_STATIC VBOXSTRICTRC iemVmxVmexitEptMisconfig(PVMCPUCC pVCpu, RTGCPHYS GCPhysAddr, PCVMXVEXITEVENTINFO pExitEventInfo)
-{
-    if (pExitEventInfo)
-    {
-        iemVmxVmcsSetExitIntInfo(pVCpu, pExitEventInfo->uExitIntInfo);
-        iemVmxVmcsSetExitIntErrCode(pVCpu, pExitEventInfo->uExitIntErrCode);
-        iemVmxVmcsSetIdtVectoringInfo(pVCpu, pExitEventInfo->uIdtVectoringInfo);
-        iemVmxVmcsSetIdtVectoringErrCode(pVCpu, pExitEventInfo->uIdtVectoringErrCode);
-    }
-
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitEptMisconfig(PVMCPUCC pVCpu, RTGCPHYS GCPhysAddr)
+{
+    iemVmxVmcsSetExitGuestPhysAddr(pVCpu, GCPhysAddr);
+    return iemVmxVmexit(pVCpu, VMX_EXIT_EPT_MISCONFIG, 0 /* u64ExitQual */);
+}
+
+
+/**
+ * VMX VM-exit handler for EPT misconfiguration.
+ *
+ * This is intended for EPT misconfigurations where the caller provides all the
+ * relevant VM-exit information.
+ *
+ * @param   pVCpu           The cross context virtual CPU structure.
+ * @param   GCPhysAddr      The physical address causing the EPT misconfiguration.
+ *                          This need not be page aligned (e.g. nested-guest in real
+ *                          mode).
+ * @param   pExitEventInfo  Pointer to the VM-exit event information.
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitEptMisconfigWithInfo(PVMCPUCC pVCpu, RTGCPHYS GCPhysAddr, PCVMXVEXITEVENTINFO pExitEventInfo)
+{
+    Assert(pExitEventInfo);
+    Assert(!VMX_EXIT_INT_INFO_IS_VALID(pExitEventInfo->uExitIntInfo));
+    iemVmxVmcsSetIdtVectoringInfo(pVCpu, pExitEventInfo->uIdtVectoringInfo);
+    iemVmxVmcsSetIdtVectoringErrCode(pVCpu, pExitEventInfo->uIdtVectoringErrCode);
     iemVmxVmcsSetExitGuestPhysAddr(pVCpu, GCPhysAddr);
     return iemVmxVmexit(pVCpu, VMX_EXIT_EPT_MISCONFIG, 0 /* u64ExitQual */);
@@ -3745 +3758 @@
  */
 IEM_STATIC VBOXSTRICTRC iemVmxVmexitEptViolation(PVMCPUCC pVCpu, uint32_t fAccess, uint32_t fSlatFail, uint64_t fEptAccess,
-                                                 RTGCPHYS GCPhysAddr, bool fLinearAddrValid, uint64_t GCPtrAddr, uint8_t cbInstr)
+                                                 RTGCPHYS GCPhysAddr, bool fIsLinearAddrValid, uint64_t GCPtrAddr,
+                                                 uint8_t cbInstr)
 {
     /*
@@ -3752 +3766 @@
      * While we can leave it this way, it's preferrable to zero it for consistency.
      */
-    Assert(fLinearAddrValid || GCPtrAddr == 0);
+    Assert(fIsLinearAddrValid || GCPtrAddr == 0);
 
     uint64_t const fCaps = pVCpu->cpum.GstCtx.hwvirt.vmx.Msrs.u64EptVpidCaps;
-    uint8_t const fSupportsAccessDirty = fCaps & MSR_IA32_VMX_EPT_VPID_CAP_ACCESS_DIRTY;
-
-    uint8_t const fDataRead      = ((fAccess & IEM_ACCESS_DATA_R)  == IEM_ACCESS_DATA_R)  | fSupportsAccessDirty;
-    uint8_t const fDataWrite     = ((fAccess & IEM_ACCESS_DATA_RW) == IEM_ACCESS_DATA_RW) | fSupportsAccessDirty;
-    uint8_t const fInstrFetch    = (fAccess & IEM_ACCESS_INSTRUCTION) == IEM_ACCESS_INSTRUCTION;
-    bool const fEptRead          = RT_BOOL(fEptAccess & EPT_E_READ);
-    bool const fEptWrite         = RT_BOOL(fEptAccess & EPT_E_WRITE);
-    bool const fEptExec          = RT_BOOL(fEptAccess & EPT_E_EXECUTE);
-    bool const fNmiUnblocking    = pVCpu->cpum.GstCtx.hwvirt.vmx.fNmiUnblockingIret;
-    bool const fLinearToPhysAddr = fLinearAddrValid & RT_BOOL(fSlatFail & IEM_SLAT_FAIL_LINEAR_TO_PHYS_ADDR);
+    bool const fSupportsAccessDirty = RT_BOOL(fCaps & MSR_IA32_VMX_EPT_VPID_CAP_ACCESS_DIRTY);
+
+    uint32_t const fDataRdMask     = IEM_ACCESS_WHAT_MASK | IEM_ACCESS_TYPE_READ;
+    uint32_t const fDataWrMask     = IEM_ACCESS_WHAT_MASK | IEM_ACCESS_TYPE_WRITE;
+    uint32_t const fInstrMask      = IEM_ACCESS_WHAT_MASK | IEM_ACCESS_TYPE_EXEC;
+    bool const fDataRead           = ((fAccess & fDataRdMask) == IEM_ACCESS_DATA_R) | fSupportsAccessDirty;
+    bool const fDataWrite          = ((fAccess & fDataWrMask) == IEM_ACCESS_DATA_W) | fSupportsAccessDirty;
+    bool const fInstrFetch         = ((fAccess & fInstrMask)  == IEM_ACCESS_INSTRUCTION);
+    bool const fEptRead            = RT_BOOL(fEptAccess & EPT_E_READ);
+    bool const fEptWrite           = RT_BOOL(fEptAccess & EPT_E_WRITE);
+    bool const fEptExec            = RT_BOOL(fEptAccess & EPT_E_EXECUTE);
+    bool const fNmiUnblocking      = pVCpu->cpum.GstCtx.hwvirt.vmx.fNmiUnblockingIret;
+    bool const fIsLinearToPhysAddr = fIsLinearAddrValid & RT_BOOL(fSlatFail & IEM_SLAT_FAIL_LINEAR_TO_PHYS_ADDR);
 
     uint64_t const u64ExitQual = RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_ACCESS_READ,         fDataRead)
@@ -3772 +3789 @@
                                | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_ENTRY_WRITE,         fEptWrite)
                                | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_ENTRY_EXECUTE,       fEptExec)
-                               | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_LINEAR_ADDR_VALID,   fLinearAddrValid)
-                               | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_LINEAR_TO_PHYS_ADDR, fLinearToPhysAddr)
+                               | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_LINEAR_ADDR_VALID,   fIsLinearAddrValid)
+                               | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_LINEAR_TO_PHYS_ADDR, fIsLinearToPhysAddr)
                                | RT_BF_MAKE(VMX_BF_EXIT_QUAL_EPT_NMI_UNBLOCK_IRET,    fNmiUnblocking);
 
@@ -3807 +3824 @@
                                                          PCVMXVEXITEVENTINFO pExitEventInfo)
 {
+    Assert(pExitInfo);
+    Assert(pExitEventInfo);
     Assert(pExitInfo->uReason == VMX_EXIT_EPT_VIOLATION);
-
-    iemVmxVmcsSetExitIntInfo(pVCpu, pExitEventInfo->uExitIntInfo);
-    iemVmxVmcsSetExitIntErrCode(pVCpu, pExitEventInfo->uExitIntErrCode);
+    Assert(!VMX_EXIT_INT_INFO_IS_VALID(pExitEventInfo->uExitIntInfo));
+
     iemVmxVmcsSetIdtVectoringInfo(pVCpu, pExitEventInfo->uIdtVectoringInfo);
     iemVmxVmcsSetIdtVectoringErrCode(pVCpu, pExitEventInfo->uIdtVectoringErrCode);
@@ -3818 +3836 @@
         iemVmxVmcsSetExitGuestLinearAddr(pVCpu, pExitInfo->u64GuestLinearAddr);
     else
-        iemVmxVmcsSetExitGuestLinearAddr(pVCpu,  0);
+        iemVmxVmcsSetExitGuestLinearAddr(pVCpu, 0);
     iemVmxVmcsSetExitInstrLen(pVCpu, pExitInfo->cbInstr);
     return iemVmxVmexit(pVCpu, VMX_EXIT_EPT_VIOLATION, pExitInfo->u64Qual);
@@ -3834 +3852 @@
  *                      applicable.
  */
-IEM_STATIC VBOXSTRICTRC iemVmxVmexitEpt(PVMCPUCC pVCpu, PPGMPTWALK pWalk, uint32_t fAccess, uint32_t fSlatFail,
-                                        uint8_t cbInstr)
+IEM_STATIC VBOXSTRICTRC iemVmxVmexitEpt(PVMCPUCC pVCpu, PPGMPTWALK pWalk, uint32_t fAccess, uint32_t fSlatFail, uint8_t cbInstr)
 {
     Assert(pWalk->fIsSlat);
@@ -3852 +3869 @@
     Log(("EptMisconfig: cs:rip=%x:%#RX64 fAccess=%#RX32\n", pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip, fAccess));
     Assert(pWalk->fFailed & PGM_WALKFAIL_EPT_MISCONFIG);
-    return iemVmxVmexitEptMisconfig(pVCpu, pWalk->GCPhysNested, NULL /* pExitEventInfo */);
+    return iemVmxVmexitEptMisconfig(pVCpu, pWalk->GCPhysNested);
 }
 
@@ -3861 +3878 @@
  * @param   pVCpu       The cross context virtual CPU structure.
  * @param   offAccess   The offset of the register being accessed.
- * @param   fAccess     The type of access (must contain IEM_ACCESS_TYPE_READ or
- *                      IEM_ACCESS_TYPE_WRITE or IEM_ACCESS_INSTRUCTION).
+ * @param   fAccess     The type of access, see IEM_ACCESS_XXX.
  */
 IEM_STATIC VBOXSTRICTRC iemVmxVmexitApicAccess(PVMCPUCC pVCpu, uint16_t offAccess, uint32_t fAccess)
 {
-    Assert((fAccess & IEM_ACCESS_TYPE_READ) || (fAccess & IEM_ACCESS_TYPE_WRITE) || (fAccess & IEM_ACCESS_INSTRUCTION));
-
     VMXAPICACCESS enmAccess;
     bool const fInEventDelivery = IEMGetCurrentXcpt(pVCpu, NULL, NULL, NULL, NULL);
     if (fInEventDelivery)
         enmAccess = VMXAPICACCESS_LINEAR_EVENT_DELIVERY;
-    else if (fAccess & IEM_ACCESS_INSTRUCTION)
+    else if ((fAccess & (IEM_ACCESS_WHAT_MASK | IEM_ACCESS_TYPE_MASK)) == IEM_ACCESS_INSTRUCTION)
         enmAccess = VMXAPICACCESS_LINEAR_INSTR_FETCH;
     else if (fAccess & IEM_ACCESS_TYPE_WRITE)
@@ -4127 +4141 @@
  * @param   offAccess   The offset of the register being accessed.
  * @param   cbAccess    The size of the access in bytes.
- * @param   fAccess     The type of access (must be IEM_ACCESS_TYPE_READ or
- *                      IEM_ACCESS_TYPE_WRITE).
+ * @param   fAccess     The type of access, see IEM_ACCESS_XXX.
  *
  * @remarks This must not be used for MSR-based APIC-access page accesses!
@@ -4136 +4149 @@
 {
     PCVMXVVMCS const pVmcs = &pVCpu->cpum.GstCtx.hwvirt.vmx.Vmcs;
-    Assert(fAccess == IEM_ACCESS_TYPE_READ || fAccess == IEM_ACCESS_TYPE_WRITE);
 
     /*
@@ -4297 +4309 @@
  *
  * @param   pVCpu           The cross context virtual CPU structure.
- * @param   pGCPhysAccess   Pointer to the guest-physical address used.
- */
-IEM_STATIC VBOXSTRICTRC iemVmxVirtApicAccessUnused(PVMCPUCC pVCpu, PRTGCPHYS pGCPhysAccess)
+ * @param   pGCPhysAccess   Pointer to the guest-physical address accessed.
+ * @param   fAccess         The type of access, see IEM_ACCESS_XXX.
+ */
+IEM_STATIC VBOXSTRICTRC iemVmxVirtApicAccessUnused(PVMCPUCC pVCpu, PRTGCPHYS pGCPhysAccess, uint32_t fAccess)
 {
     Assert(pVCpu->cpum.GstCtx.hwvirt.vmx.Vmcs.u32ProcCtls2 & VMX_PROC_CTLS2_VIRT_APIC_ACCESS);
@@ -4311 +4324 @@
     {
         uint16_t const offAccess = *pGCPhysAccess & GUEST_PAGE_OFFSET_MASK;
-        uint32_t const fAccess   = IEM_ACCESS_TYPE_READ;
         uint16_t const cbAccess  = 1;
         bool const fIntercept = iemVmxVirtApicIsMemAccessIntercepted(pVCpu, offAccess, cbAccess, fAccess);
@@ -4338 +4350 @@
  * @param   pvData      Pointer to the data being written or where to store the data
  *                      being read.
- * @param   fAccess     The type of access (must contain IEM_ACCESS_TYPE_READ or
- *                      IEM_ACCESS_TYPE_WRITE or IEM_ACCESS_INSTRUCTION).
+ * @param   fAccess     The type of access, see IEM_ACCESS_XXX.
  */
 IEM_STATIC VBOXSTRICTRC iemVmxVirtApicAccessMem(PVMCPUCC pVCpu, uint16_t offAccess, size_t cbAccess, void *pvData,
@@ -4346 +4357 @@
     Assert(pVCpu->cpum.GstCtx.hwvirt.vmx.Vmcs.u32ProcCtls2 & VMX_PROC_CTLS2_VIRT_APIC_ACCESS);
     Assert(pvData);
-    Assert(   (fAccess & IEM_ACCESS_TYPE_READ)
-           || (fAccess & IEM_ACCESS_TYPE_WRITE)
-           || (fAccess & IEM_ACCESS_INSTRUCTION));
 
     bool const fIntercept = iemVmxVirtApicIsMemAccessIntercepted(pVCpu, offAccess, cbAccess, fAccess);
@@ -4389 +4397 @@
          * See Intel spec. 29.4.2 "Virtualizing Reads from the APIC-Access Page".
          */
+        Assert(fAccess & IEM_ACCESS_TYPE_READ);
+
         Assert(cbAccess <= 4);
         Assert(offAccess < XAPIC_OFF_END + 4);

trunk/src/VBox/VMM/VMMAll/PGMAll.cpp

@@ -736 +736 @@
 # define PGMMODEDATABTH_NULL_ENTRY()    { UINT32_MAX, UINT32_MAX, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
 # define PGMMODEDATABTH_ENTRY(uShwT, uGstT, Nm) \
-    { uShwT, uGstT, Nm(InvalidatePage), Nm(SyncCR3), Nm(PrefetchPage), Nm(VerifyAccessSyncPage), Nm(MapCR3), Nm(UnmapCR3), Nm(Enter), Nm(Trap0eHandler) }
+    { uShwT, uGstT, Nm(InvalidatePage), Nm(SyncCR3), Nm(PrefetchPage), Nm(VerifyAccessSyncPage), Nm(MapCR3), Nm(UnmapCR3), Nm(Enter), Nm(Trap0eHandler), Nm(NestedTrap0eHandler) }
 
 #elif !defined(IN_RING3) && defined(VBOX_STRICT)
 # define PGMMODEDATABTH_NULL_ENTRY()    { UINT32_MAX, UINT32_MAX, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL }
 # define PGMMODEDATABTH_ENTRY(uShwT, uGstT, Nm) \
-    { uShwT, uGstT, Nm(InvalidatePage), Nm(SyncCR3), Nm(PrefetchPage), Nm(VerifyAccessSyncPage), Nm(MapCR3), Nm(UnmapCR3), Nm(Enter), Nm(Trap0eHandler), Nm(AssertCR3) }
+    { uShwT, uGstT, Nm(InvalidatePage), Nm(SyncCR3), Nm(PrefetchPage), Nm(VerifyAccessSyncPage), Nm(MapCR3), Nm(UnmapCR3), Nm(Enter), Nm(Trap0eHandler), Nm(NestedTrap0eHandler), Nm(AssertCR3) }
 
 #elif defined(IN_RING3) && !defined(VBOX_STRICT)
@@ -1907 +1907 @@
         case PGMSLAT_EPT:
             pGstWalk->enmType = PGMPTWALKGSTTYPE_EPT;
-            return PGM_GST_SLAT_NAME_EPT(Walk)(pVCpu, GCPhysNested, false /* fIsLinearaddrValid */, NIL_RTGCPTR, pWalk,
-                                               &pGstWalk->u.Ept);
+            return PGM_GST_SLAT_NAME_EPT(Walk)(pVCpu, GCPhysNested, false /* fIsLinearaddrValid */, 0 /* GCPtrNested */,
+                                               pWalk, &pGstWalk->u.Ept);
 
         default:
@@ -2991 +2991 @@
     /* Flush the TLB */
     PGM_INVL_VCPU_TLBS(pVCpu);
-    return PGMHCChangeMode(pVCpu->CTX_SUFF(pVM), pVCpu, enmGuestMode);
+    return PGMHCChangeMode(pVCpu->CTX_SUFF(pVM), pVCpu, enmGuestMode, fForce);
 }
 
@@ -3226 +3226 @@
  * @param   enmGuestMode    The new guest mode. This is assumed to be different from
  *                          the current mode.
- */
-VMM_INT_DECL(int) PGMHCChangeMode(PVMCC pVM, PVMCPUCC pVCpu, PGMMODE enmGuestMode)
+ * @param   fForce          Whether to force a shadow paging mode change.
+ */
+VMM_INT_DECL(int) PGMHCChangeMode(PVMCC pVM, PVMCPUCC pVCpu, PGMMODE enmGuestMode, bool fForce)
 {
     Log(("PGMHCChangeMode: Guest mode: %s -> %s\n", PGMGetModeName(pVCpu->pgm.s.enmGuestMode), PGMGetModeName(enmGuestMode)));
@@ -3235 +3236 @@
      * Calc the shadow mode and switcher.
      */
-    PGMMODE enmShadowMode = pgmCalcShadowMode(pVM, enmGuestMode, pVM->pgm.s.enmHostMode, pVCpu->pgm.s.enmShadowMode);
+    PGMMODE const enmShadowMode = pgmCalcShadowMode(pVM, enmGuestMode, pVM->pgm.s.enmHostMode, pVCpu->pgm.s.enmShadowMode);
+    bool const fShadowModeChanged = enmShadowMode != pVCpu->pgm.s.enmShadowMode || fForce;
 
     /*
@@ -3241 +3243 @@
      */
     /* shadow */
-    if (enmShadowMode != pVCpu->pgm.s.enmShadowMode)
-    {
-        LogFlow(("PGMHCChangeMode: Shadow mode: %s -> %s\n",  PGMGetModeName(pVCpu->pgm.s.enmShadowMode), PGMGetModeName(enmShadowMode)));
+    if (fShadowModeChanged)
+    {
+        LogFlow(("PGMHCChangeMode: Shadow mode: %s -> %s\n", PGMGetModeName(pVCpu->pgm.s.enmShadowMode), PGMGetModeName(enmShadowMode)));
         uintptr_t idxOldShw = pVCpu->pgm.s.idxShadowModeData;
         if (   idxOldShw < RT_ELEMENTS(g_aPgmShadowModeData)
@@ -3310 +3312 @@
      * Enter new shadow mode (if changed).
      */
-    if (enmShadowMode != pVCpu->pgm.s.enmShadowMode)
+    if (fShadowModeChanged)
     {
         pVCpu->pgm.s.enmShadowMode = enmShadowMode;
@@ -3580 +3582 @@
     }
 }
-#endif
+#endif  /* VBOX_WITH_NESTED_HWVIRT_VMX_EPT */
 
 

trunk/src/VBox/VMM/VMMAll/PGMAllBth.h

@@ -37 +37 @@
 #ifndef IN_RING3
 PGM_BTH_DECL(int, Trap0eHandler)(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, bool *pfLockTaken);
+PGM_BTH_DECL(int, NestedTrap0eHandler)(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                       bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk, bool *pfLockTaken);
 #endif
 PGM_BTH_DECL(int, InvalidatePage)(PVMCPUCC pVCpu, RTGCPTR GCPtrPage);
@@ -966 +968 @@
 # else  /* Nested paging, EPT except PGM_GST_TYPE = PROT, NONE.   */
     NOREF(uErr); NOREF(pRegFrame); NOREF(pvFault);
+    AssertReleaseMsgFailed(("Shw=%d Gst=%d is not implemented!\n", PGM_SHW_TYPE, PGM_GST_TYPE));
+    return VERR_PGM_NOT_USED_IN_MODE;
+# endif
+}
+
+
+/**
+ * Nested \#PF handler for nested-guest hardware-assisted execution using nested
+ * paging.
+ *
+ * @returns VBox status code (appropriate for trap handling and GC return).
+ * @param   pVCpu               The cross context virtual CPU structure.
+ * @param   uErr                The fault error (X86_TRAP_PF_*).
+ * @param   pRegFrame           The register frame.
+ * @param   GCPhysNested        The nested-guest physical address being accessed.
+ * @param   fIsLinearAddrValid  Whether translation of a nested-guest linear address
+ *                              caused this fault. If @c false, GCPtrNested must be
+ *                              0.
+ * @param   GCPtrNested         The nested-guest linear address that caused this
+ *                              fault.
+ * @param   pWalk               The guest page table walk result.
+ * @param   pfLockTaken         Where to store whether the PGM lock is still held
+ *                              when this function completes.
+ */
+PGM_BTH_DECL(int, NestedTrap0eHandler)(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                       bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk, bool *pfLockTaken)
+{
+    *pfLockTaken = false;
+# if defined(VBOX_WITH_NESTED_HWVIRT_VMX_EPT) \
+    && (   PGM_GST_TYPE == PGM_TYPE_REAL || PGM_GST_TYPE == PGM_TYPE_PROT || PGM_GST_TYPE == PGM_TYPE_32BIT  \
+        || PGM_GST_TYPE == PGM_TYPE_PAE  || PGM_GST_TYPE == PGM_TYPE_AMD64) \
+    && PGM_SHW_TYPE == PGM_TYPE_EPT
+
+    Assert(CPUMIsGuestVmxEptPagingEnabled(pVCpu));
+
+    /*
+     * Walk the guest EPT tables and check if it's an EPT violation or misconfiguration.
+     */
+    PGMPTWALKGST GstWalkAll;
+    int rc = pgmGstSlatWalk(pVCpu, GCPhysNested, fIsLinearAddrValid, GCPtrNested, pWalk, &GstWalkAll);
+    if (RT_FAILURE(rc))
+        return rc;
+
+    Assert(GstWalkAll.enmType == PGMPTWALKGSTTYPE_EPT);
+    Assert(pWalk->fSucceeded);
+    Assert(pWalk->fEffective & PGM_PTATTRS_R_MASK);
+    Assert(pWalk->fIsSlat);
+
+    if (uErr & (X86_TRAP_PF_RW | X86_TRAP_PF_US | X86_TRAP_PF_ID))
+    {
+        if (    (   (uErr & X86_TRAP_PF_RW)
+                 && !(pWalk->fEffective & PGM_PTATTRS_W_MASK)
+                 && (   (uErr & X86_TRAP_PF_US)
+                     || CPUMIsGuestR0WriteProtEnabled(pVCpu)) )
+            ||  ((uErr & X86_TRAP_PF_US) && !(pWalk->fEffective & PGM_PTATTRS_US_MASK))
+            ||  ((uErr & X86_TRAP_PF_ID) &&  (pWalk->fEffective & PGM_PTATTRS_NX_MASK))
+           )
+            return VERR_ACCESS_DENIED;
+    }
+
+    PVMCC pVM = pVCpu->CTX_SUFF(pVM);
+    RTGCPHYS const GCPhysFault = PGM_A20_APPLY(pVCpu, GCPhysNested & ~(RTGCPHYS)GUEST_PAGE_OFFSET_MASK);
+    GSTPDE const   PdeSrcDummy = { X86_PDE_P | X86_PDE_US | X86_PDE_RW | X86_PDE_A };
+
+    /* Take the big lock now. */
+    *pfLockTaken = true;
+    PGM_LOCK_VOID(pVM);
+
+    /*
+     * Check if this is an APIC-access page access (VMX specific).
+     */
+    RTGCPHYS const GCPhysApicAccess = CPUMGetGuestVmxApicAccessPageAddr(pVCpu);
+    if ((pWalk->GCPhys & ~(RTGCPHYS)GUEST_PAGE_OFFSET_MASK) == GCPhysApicAccess)
+    {
+        PPGMPAGE pPage;
+        rc = pgmPhysGetPageEx(pVM, PGM_A20_APPLY(pVCpu, GCPhysApicAccess), &pPage);
+        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_ALL_HANDLERS(pPage))
+        {
+            rc = VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pWalk->GCPhys, pPage,
+                                                                               pfLockTaken));
+            return rc;
+        }
+    }
+
+#  ifdef PGM_WITH_MMIO_OPTIMIZATIONS
+    /*
+    * Check if this is an MMIO access.
+    */
+    if (uErr & X86_TRAP_PF_RSVD)
+    {
+        PPGMPAGE pPage;
+        rc = pgmPhysGetPageEx(pVM, PGM_A20_APPLY(pVCpu, (RTGCPHYS)GCPhysFault), &pPage);
+        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_ALL_HANDLERS(pPage))
+            return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, GCPhysFault, pPage,
+                                                                                 pfLockTaken));
+        rc = PGM_BTH_NAME(SyncPage)(pVCpu, PdeSrcDummy, GCPhysFault, 1, uErr);
+        AssertRC(rc);
+        HMInvalidatePhysPage(pVM, GCPhysFault);
+        return rc; /* Restart with the corrected entry. */
+    }
+#  endif /* PGM_WITH_MMIO_OPTIMIZATIONS */
+
+    /*
+     * Fetch the guest EPT page directory pointer.
+     */
+    const unsigned  iPDDst = ((GCPhysFault >> SHW_PD_SHIFT) & SHW_PD_MASK);
+    PEPTPD          pPDDst;
+    rc = pgmShwGetEPTPDPtr(pVCpu, GCPhysFault, NULL /* ppPdpt */, &pPDDst);
+    AssertMsgReturn(rc == VINF_SUCCESS, ("rc=%Rrc\n", rc), RT_FAILURE_NP(rc) ? rc : VERR_IPE_UNEXPECTED_INFO_STATUS);
+    Assert(pPDDst);
+
+    /*
+     * A common case is the not-present error caused by lazy page table syncing.
+     *
+     * It is IMPORTANT that we weed out any access to non-present shadow PDEs
+     * here so we can safely assume that the shadow PT is present when calling
+     * SyncPage later.
+     *
+     * On failure, we ASSUME that SyncPT is out of memory or detected some kind
+     * of mapping conflict and defer to SyncCR3 in R3.
+     * (Again, we do NOT support access handlers for non-present guest pages.)
+     *
+     */
+    if (   !(uErr & X86_TRAP_PF_P) /* not set means page not present instead of page protection violation */
+        && !SHW_PDE_IS_P(pPDDst->a[iPDDst]))
+    {
+        STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2SyncPT; });
+        LogFlow(("=>SyncPT GCPhysFault=%RGp\n", GCPhysFault));
+        rc = PGM_BTH_NAME(SyncPT)(pVCpu, 0 /* iPDSrc */, NULL /* pPDSrc */, GCPhysFault);
+        if (RT_SUCCESS(rc))
+            return rc;
+        Log(("SyncPT: %RGp failed!! rc=%Rrc\n", GCPhysFault, rc));
+        VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3); /** @todo no need to do global sync, right? */
+        return VINF_PGM_SYNC_CR3;
+    }
+
+    /*
+     * Check if this fault address is flagged for special treatment,
+     * which means we'll have to figure out the physical address and
+     * check flags associated with it.
+     *
+     * ASSUME that we can limit any special access handling to pages
+     * in page tables which the guest believes to be present.
+     */
+    PPGMPAGE pPage;
+    rc = pgmPhysGetPageEx(pVM, GCPhysFault, &pPage);
+    if (RT_FAILURE(rc))
+    {
+        /*
+         * When the guest accesses invalid physical memory (e.g. probing
+         * of RAM or accessing a remapped MMIO range), then we'll fall
+         * back to the recompiler to emulate the instruction.
+         */
+        LogFlow(("PGM #PF: pgmPhysGetPageEx(%RGp) failed with %Rrc\n", GCPhysFault, rc));
+        STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.StatRZTrap0eHandlersInvalid);
+        STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2InvalidPhys; });
+        return VINF_EM_RAW_EMULATE_INSTR;
+    }
+
+    /*
+     * Any handlers for this page?
+     */
+    if (PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
+        return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, GCPhysFault, pPage,
+                                                                             pfLockTaken));
+
+    /*
+     * We are here only if page is present in Guest page tables and
+     * trap is not handled by our handlers.
+     *
+     * Check it for page out-of-sync situation.
+     */
+    if (!(uErr & X86_TRAP_PF_P))
+    {
+        /*
+         * Page is not present in our page tables. Try to sync it!
+         */
+        if (uErr & X86_TRAP_PF_US)
+            STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.CTX_MID_Z(Stat,PageOutOfSyncUser));
+        else /* supervisor */
+            STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.CTX_MID_Z(Stat,PageOutOfSyncSupervisor));
+
+        if (PGM_PAGE_IS_BALLOONED(pPage))
+        {
+            /* Emulate reads from ballooned pages as they are not present in
+               our shadow page tables. (Required for e.g. Solaris guests; soft
+               ecc, random nr generator.) */
+            rc = VBOXSTRICTRC_TODO(PGMInterpretInstruction(pVM, pVCpu, pRegFrame, GCPhysFault));
+            LogFlow(("PGM: PGMInterpretInstruction balloon -> rc=%d pPage=%R[pgmpage]\n", rc, pPage));
+            STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.CTX_MID_Z(Stat,PageOutOfSyncBallloon));
+            STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2Ballooned; });
+            return rc;
+        }
+
+        rc = PGM_BTH_NAME(SyncPage)(pVCpu, PdeSrcDummy, GCPhysFault, PGM_SYNC_NR_PAGES, uErr);
+        if (RT_SUCCESS(rc))
+        {
+            /* The page was successfully synced, return to the guest. */
+            STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2OutOfSync; });
+            return VINF_SUCCESS;
+        }
+    }
+    else
+    {
+        /*
+         * Write protected pages are made writable when the guest makes the
+         * first write to it.  This happens for pages that are shared, write
+         * monitored or not yet allocated.
+         *
+         * We may also end up here when CR0.WP=0 in the guest.
+         *
+         * Also, a side effect of not flushing global PDEs are out of sync
+         * pages due to physical monitored regions, that are no longer valid.
+         * Assume for now it only applies to the read/write flag.
+         */
+        if (uErr & X86_TRAP_PF_RW)
+        {
+            /*
+             * Check if it is a read-only page.
+             */
+            if (PGM_PAGE_GET_STATE(pPage) != PGM_PAGE_STATE_ALLOCATED)
+            {
+                Assert(!PGM_PAGE_IS_ZERO(pPage));
+                AssertFatalMsg(!PGM_PAGE_IS_BALLOONED(pPage), ("Unexpected ballooned page at %RGp\n", GCPhysFault));
+                STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2MakeWritable; });
+
+                rc = pgmPhysPageMakeWritable(pVM, pPage, GCPhysFault);
+                if (rc != VINF_SUCCESS)
+                {
+                    AssertMsg(rc == VINF_PGM_SYNC_CR3 || RT_FAILURE(rc), ("%Rrc\n", rc));
+                    return rc;
+                }
+                if (RT_UNLIKELY(VM_FF_IS_SET(pVM, VM_FF_PGM_NO_MEMORY)))
+                    return VINF_EM_NO_MEMORY;
+            }
+
+            if (uErr & X86_TRAP_PF_US)
+                STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.CTX_MID_Z(Stat,PageOutOfSyncUserWrite));
+            else
+                STAM_COUNTER_INC(&pVCpu->pgm.s.Stats.CTX_MID_Z(Stat,PageOutOfSyncSupervisorWrite));
+
+            /*
+             * Sync the page.
+             *
+             * Note: Do NOT use PGM_SYNC_NR_PAGES here. That only works if the
+             *       page is not present, which is not true in this case.
+             */
+            rc = PGM_BTH_NAME(SyncPage)(pVCpu, PdeSrcDummy, GCPhysFault, 1, uErr);
+            if (RT_SUCCESS(rc))
+            {
+               /*
+                * Page was successfully synced, return to guest but invalidate
+                * the TLB first as the page is very likely to be in it.
+                */
+                HMInvalidatePhysPage(pVM, GCPhysFault);
+                STAM_STATS({ pVCpu->pgmr0.s.pStatTrap0eAttributionR0 = &pVCpu->pgm.s.Stats.StatRZTrap0eTime2OutOfSyncHndObs; });
+                return VINF_SUCCESS;
+            }
+        }
+    }
+
+    /*
+     * If we get here it is because something failed above, i.e. most like guru meditation time.
+     */
+    LogRelFunc(("returns rc=%Rrc GCPhysFault=%RGp uErr=%RX64 cs:rip=%04x:%08RX64\n", rc, GCPhysFault, (uint64_t)uErr,
+                pRegFrame->cs.Sel, pRegFrame->rip));
+    return rc;
+
+# else
+    RT_NOREF7(pVCpu, uErr, pRegFrame, GCPhysNested, fIsLinearAddrValid, GCPtrNested, pWalk);
     AssertReleaseMsgFailed(("Shw=%d Gst=%d is not implemented!\n", PGM_SHW_TYPE, PGM_GST_TYPE));
     return VERR_PGM_NOT_USED_IN_MODE;

trunk/src/VBox/VMM/VMMAll/PGMAllGst.h

@@ -376 +376 @@
             pWalk->fSucceeded = true;
             pWalk->GCPtr      = GCPtr;
-            pWalk->GCPhys     = SlatWalk.GCPhys & PAGE_BASE_GC_MASK;
+            pWalk->GCPhys     = SlatWalk.GCPhys & ~(RTGCPHYS)GUEST_PAGE_OFFSET_MASK;
             pWalk->fEffective = X86_PTE_P | X86_PTE_RW | X86_PTE_US;
         }

trunk/src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h

@@ -21 +21 @@
     if (!(uEntry & EPT_E_READ))
     {
-        if (uEntry & EPT_E_WRITE)
+        Assert(!pVCpu->CTX_SUFF(pVM)->cpum.ro.GuestFeatures.fVmxModeBasedExecuteEpt);
+        Assert(!RT_BF_GET(pVCpu->pgm.s.uEptVpidCapMsr, VMX_BF_EPT_VPID_CAP_EXEC_ONLY));
+        NOREF(pVCpu);
+        if (uEntry & (EPT_E_WRITE | EPT_E_EXECUTE))
             return false;
-        Assert(!pVCpu->CTX_SUFF(pVM)->cpum.ro.GuestFeatures.fVmxModeBasedExecuteEpt);
-        if (   !RT_BF_GET(pVCpu->pgm.s.uEptVpidCapMsr, VMX_BF_EPT_VPID_CAP_EXEC_ONLY)
-            && (uEntry & EPT_E_EXECUTE))
-            return false;
     }
     return true;
@@ -35 +34 @@
 {
     Assert(uLevel <= 3 && uLevel >= 1); NOREF(uLevel);
-    uint64_t const fEptMemTypeMask = uEntry & VMX_BF_EPT_PT_MEMTYPE_MASK;
-    if (   fEptMemTypeMask == EPT_E_MEMTYPE_INVALID_2
-        || fEptMemTypeMask == EPT_E_MEMTYPE_INVALID_3
-        || fEptMemTypeMask == EPT_E_MEMTYPE_INVALID_7)
-        return false;
-    return true;
+    uint8_t const fEptMemTypeMask = uEntry & VMX_BF_EPT_PT_MEMTYPE_MASK;
+    switch (fEptMemTypeMask)
+    {
+        case EPT_E_MEMTYPE_WB:
+        case EPT_E_MEMTYPE_UC:
+        case EPT_E_MEMTYPE_WP:
+        case EPT_E_MEMTYPE_WT:
+        case EPT_E_MEMTYPE_WC:
+            return true;
+    }
+    return false;
 }
 
@@ -88 +92 @@
  * @param   GCPhysNested        The nested-guest physical address to walk.
  * @param   fIsLinearAddrValid  Whether the linear-address in @c GCPtrNested caused
- *                              this page walk. If this is false, @c GCPtrNested
- *                              must be 0.
+ *                              this page walk.
  * @param   GCPtrNested         The nested-guest linear address that caused this
- *                              page walk.
+ *                              page walk. If @c fIsLinearAddrValid is false, pass
+ *                              0.
  * @param   pWalk               The page walk info.
  * @param   pGstWalk            The guest mode specific page walk info.

trunk/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h

@@ -311 +311 @@
 static FNVMXEXITHANDLER            vmxHCExitInstrNested;
 static FNVMXEXITHANDLER            vmxHCExitInstrWithInfoNested;
+# ifdef VBOX_WITH_NESTED_HWVIRT_VMX_EPT
+static FNVMXEXITHANDLER            vmxHCExitEptViolationNested;
+static FNVMXEXITHANDLER            vmxHCExitEptMisconfigNested;
+# endif
 /** @} */
 #endif /* VBOX_WITH_NESTED_HWVIRT_VMX */
@@ -5411 +5415 @@
     switch (uExitReason)
     {
-        case VMX_EXIT_EPT_MISCONFIG:            return vmxHCExitEptMisconfig(pVCpu, pVmxTransient);
-        case VMX_EXIT_EPT_VIOLATION:            return vmxHCExitEptViolation(pVCpu, pVmxTransient);
+        case VMX_EXIT_EPT_MISCONFIG:            return vmxHCExitEptMisconfigNested(pVCpu, pVmxTransient);
+        case VMX_EXIT_EPT_VIOLATION:            return vmxHCExitEptViolationNested(pVCpu, pVmxTransient);
         case VMX_EXIT_XCPT_OR_NMI:              return vmxHCExitXcptOrNmiNested(pVCpu, pVmxTransient);
         case VMX_EXIT_IO_INSTR:                 return vmxHCExitIoInstrNested(pVCpu, pVmxTransient);
@@ -10211 +10215 @@
 }
 
+
+# ifdef VBOX_WITH_NESTED_HWVIRT_VMX_EPT
+/**
+ * Nested-guest VM-exit handler for EPT violation (VMX_EXIT_EPT_VIOLATION).
+ * Conditional VM-exit.
+ */
+HMVMX_EXIT_DECL vmxHCExitEptViolationNested(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient)
+{
+    HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+    Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging);
+
+    PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
+    int rc = vmxHCImportGuestState(pVCpu, pVmcsInfo, IEM_CPUMCTX_EXTRN_MUST_MASK);
+    AssertRCReturn(rc, rc);
+
+    vmxHCReadExitQualVmcs(pVCpu, pVmxTransient);
+    vmxHCReadExitInstrLenVmcs(pVCpu, pVmxTransient);
+    vmxHCReadGuestPhysicalAddrVmcs(pVCpu, pVmxTransient);
+
+    RTGCPHYS const GCPhysNested = pVmxTransient->uGuestPhysicalAddr;
+    uint64_t const uExitQual    = pVmxTransient->uExitQual;
+
+    RTGCPTR GCPtrNested;
+    bool const fIsLinearAddrValid = RT_BOOL(uExitQual & VMX_EXIT_QUAL_EPT_LINEAR_ADDR_VALID);
+    if (fIsLinearAddrValid)
+    {
+        vmxHCReadGuestLinearAddrVmcs(pVCpu, pVmxTransient);
+        GCPtrNested = pVmxTransient->uGuestLinearAddr;
+    }
+    else
+        GCPtrNested = 0;
+
+    RTGCUINT const uErr = ((uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_INSTR_FETCH) ? X86_TRAP_PF_ID : 0)
+                        | ((uExitQual & VMX_EXIT_QUAL_EPT_ACCESS_WRITE)       ? X86_TRAP_PF_RW : 0)
+                        | ((uExitQual & (  VMX_EXIT_QUAL_EPT_ENTRY_READ
+                                         | VMX_EXIT_QUAL_EPT_ENTRY_WRITE
+                                         | VMX_EXIT_QUAL_EPT_ENTRY_EXECUTE))  ? X86_TRAP_PF_P  : 0);
+
+    PGMPTWALK Walk;
+    PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
+    VBOXSTRICTRC rcStrict = PGMR0NestedTrap0eHandlerNestedPaging(pVCpu, PGMMODE_EPT, uErr, CPUMCTX2CORE(pCtx), GCPhysNested,
+                                                                 fIsLinearAddrValid, GCPtrNested, &Walk);
+    if (RT_SUCCESS(rcStrict))
+    {
+        if (rcStrict == VINF_SUCCESS)
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_GUEST_RIP | HM_CHANGED_GUEST_RFLAGS);
+        else if (rcStrict == VINF_IEM_RAISED_XCPT)
+        {
+            ASMAtomicUoOrU64(&VCPU_2_VMXSTATE(pVCpu).fCtxChanged, HM_CHANGED_RAISED_XCPT_MASK);
+            rcStrict = VINF_SUCCESS;
+        }
+        return rcStrict;
+    }
+
+    vmxHCReadIdtVectoringInfoVmcs(pVCpu, pVmxTransient);
+    vmxHCReadIdtVectoringErrorCodeVmcs(pVCpu, pVmxTransient);
+
+    VMXVEXITEVENTINFO ExitEventInfo;
+    RT_ZERO(ExitEventInfo);
+    ExitEventInfo.uIdtVectoringInfo    = pVmxTransient->uIdtVectoringInfo;
+    ExitEventInfo.uIdtVectoringErrCode = pVmxTransient->uIdtVectoringErrorCode;
+
+    if (Walk.fFailed & PGM_WALKFAIL_EPT_VIOLATION)
+    {
+        VMXVEXITINFO ExitInfo;
+        RT_ZERO(ExitInfo);
+        ExitInfo.uReason            = VMX_EXIT_EPT_VIOLATION;
+        ExitInfo.cbInstr            = pVmxTransient->cbExitInstr;
+        ExitInfo.u64Qual            = pVmxTransient->uExitQual;
+        ExitInfo.u64GuestLinearAddr = pVmxTransient->uGuestLinearAddr;
+        ExitInfo.u64GuestPhysAddr   = pVmxTransient->uGuestPhysicalAddr;
+        return IEMExecVmxVmexitEptViolation(pVCpu, &ExitInfo, &ExitEventInfo);
+    }
+
+    Assert(Walk.fFailed & PGM_WALKFAIL_EPT_MISCONFIG);
+    return IEMExecVmxVmexitEptMisconfig(pVCpu, pVmxTransient->uGuestPhysicalAddr, &ExitEventInfo);
+}
+
+
+/**
+ * Nested-guest VM-exit handler for EPT misconfiguration (VMX_EXIT_EPT_MISCONFIG).
+ * Conditional VM-exit.
+ */
+HMVMX_EXIT_DECL vmxHCExitEptMisconfigNested(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransient)
+{
+    HMVMX_VALIDATE_EXIT_HANDLER_PARAMS(pVCpu, pVmxTransient);
+    Assert(pVCpu->CTX_SUFF(pVM)->hmr0.s.fNestedPaging);
+
+    PVMXVMCSINFO pVmcsInfo = pVmxTransient->pVmcsInfo;
+    int rc = vmxHCImportGuestState(pVCpu, pVmcsInfo, IEM_CPUMCTX_EXTRN_MUST_MASK);
+    AssertRCReturn(rc, rc);
+
+    vmxHCReadGuestPhysicalAddrVmcs(pVCpu, pVmxTransient);
+
+    PGMPTWALK Walk;
+    PCPUMCTX pCtx = &pVCpu->cpum.GstCtx;
+    RTGCPHYS const GCPhysNested = pVmxTransient->uGuestPhysicalAddr;
+    VBOXSTRICTRC rcStrict = PGMR0NestedTrap0eHandlerNestedPaging(pVCpu, PGMMODE_EPT, X86_TRAP_PF_RSVD, CPUMCTX2CORE(pCtx),
+                                                                 GCPhysNested, false /* fIsLinearAddrValid */,
+                                                                 0 /* GCPtrNested*/, &Walk);
+    if (RT_SUCCESS(rcStrict))
+        return VINF_EM_RAW_EMULATE_INSTR;
+
+    vmxHCReadIdtVectoringInfoVmcs(pVCpu, pVmxTransient);
+    vmxHCReadIdtVectoringErrorCodeVmcs(pVCpu, pVmxTransient);
+
+    VMXVEXITEVENTINFO ExitEventInfo;
+    RT_ZERO(ExitEventInfo);
+    ExitEventInfo.uIdtVectoringInfo    = pVmxTransient->uIdtVectoringInfo;
+    ExitEventInfo.uIdtVectoringErrCode = pVmxTransient->uIdtVectoringErrorCode;
+
+    return IEMExecVmxVmexitEptMisconfig(pVCpu, pVmxTransient->uGuestPhysicalAddr, &ExitEventInfo);
+}
+# endif /* VBOX_WITH_NESTED_HWVIRT_VMX_EPT */
+
 /** @} */
 #endif /* VBOX_WITH_NESTED_HWVIRT_VMX */

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -43 +43 @@
 #include "dtrace/VBoxVMM.h"
 
+/*********************************************************************************************************************************
+*   Defined Constants And Macros                                                                                                 *
+*********************************************************************************************************************************/
 #ifdef DEBUG_ramshankar
 # define HMVMX_ALWAYS_SAVE_GUEST_RFLAGS
@@ -58 +61 @@
 
 /*********************************************************************************************************************************
-*   Defined Constants And Macros                                                                                                 *
-*********************************************************************************************************************************/
-
-
-/*********************************************************************************************************************************
 *   Structures and Typedefs                                                                                                      *
 *********************************************************************************************************************************/
-
 /**
  * VMX page allocation information.
@@ -86 +83 @@
 *   Internal Functions                                                                                                           *
 *********************************************************************************************************************************/
-
-
-/*********************************************************************************************************************************
-*   Global Variables                                                                                                             *
-*********************************************************************************************************************************/
-static bool hmR0VmxShouldSwapEferMsr(PCVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient);
-static int hmR0VmxExitHostNmi(PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo);
+static bool     hmR0VmxShouldSwapEferMsr(PCVMCPUCC pVCpu, PCVMXTRANSIENT pVmxTransient);
+static int      hmR0VmxExitHostNmi(PVMCPUCC pVCpu, PCVMXVMCSINFO pVmcsInfo);
 
 
@@ -3520 +3512 @@
     rc = VMXWriteVmcs16(VMX_VMCS16_HOST_CS_SEL,  pVCpu->hmr0.s.vmx.RestoreHost.uHostSelCS);       AssertRC(rc);
     rc = VMXWriteVmcs16(VMX_VMCS16_HOST_SS_SEL,  pVCpu->hmr0.s.vmx.RestoreHost.uHostSelSS);       AssertRC(rc);
-    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_DS_SEL,  uSelDS);                                       AssertRC(rc);
-    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_ES_SEL,  uSelES);                                       AssertRC(rc);
-    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_FS_SEL,  uSelFS);                                       AssertRC(rc);
-    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_GS_SEL,  uSelGS);                                       AssertRC(rc);
+    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_DS_SEL,  uSelDS);                                         AssertRC(rc);
+    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_ES_SEL,  uSelES);                                         AssertRC(rc);
+    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_FS_SEL,  uSelFS);                                         AssertRC(rc);
+    rc = VMXWriteVmcs16(VMX_VMCS16_HOST_GS_SEL,  uSelGS);                                         AssertRC(rc);
     rc = VMXWriteVmcs16(VMX_VMCS16_HOST_TR_SEL,  pVCpu->hmr0.s.vmx.RestoreHost.uHostSelTR);       AssertRC(rc);
     rc = VMXWriteVmcsNw(VMX_VMCS_HOST_GDTR_BASE, pVCpu->hmr0.s.vmx.RestoreHost.HostGdtr.uAddr);   AssertRC(rc);
     rc = VMXWriteVmcsNw(VMX_VMCS_HOST_IDTR_BASE, pVCpu->hmr0.s.vmx.RestoreHost.HostIdtr.uAddr);   AssertRC(rc);
-    rc = VMXWriteVmcsNw(VMX_VMCS_HOST_TR_BASE,   uTRBase);                                      AssertRC(rc);
+    rc = VMXWriteVmcsNw(VMX_VMCS_HOST_TR_BASE,   uTRBase);                                        AssertRC(rc);
     rc = VMXWriteVmcsNw(VMX_VMCS_HOST_FS_BASE,   pVCpu->hmr0.s.vmx.RestoreHost.uHostFSBase);      AssertRC(rc);
     rc = VMXWriteVmcsNw(VMX_VMCS_HOST_GS_BASE,   pVCpu->hmr0.s.vmx.RestoreHost.uHostGSBase);      AssertRC(rc);
@@ -5589 +5581 @@
  *
  * @returns VBox status code.
- * @param   pVCpu   The cross context virtual CPU structure.
- */
-static int hmR0VmxMapHCApicAccessPage(PVMCPUCC pVCpu)
+ * @param   pVCpu           The cross context virtual CPU structure.
+ * @param   u64MsrApicBase  The guest-physical address of the APIC access page.
+ */
+static int hmR0VmxMapHCApicAccessPage(PVMCPUCC pVCpu, RTGCPHYS GCPhysApicBase)
 {
     PVMCC pVM = pVCpu->CTX_SUFF(pVM);
-    uint64_t const u64MsrApicBase = APICGetBaseMsrNoCheck(pVCpu);
-
-    Assert(PDMHasApic(pVM));
-    Assert(u64MsrApicBase);
-
-    RTGCPHYS const GCPhysApicBase = u64MsrApicBase & PAGE_BASE_GC_MASK;
-    Log4Func(("Mappping HC APIC-access page at %#RGp\n", GCPhysApicBase));
+    Assert(GCPhysApicBase);
+
+    LogFunc(("Mappping HC APIC-access page at %#RGp\n", GCPhysApicBase));
 
     /* Unalias the existing mapping. */
@@ -5611 +5600 @@
     AssertRCReturn(rc, rc);
 
-    /* Update the per-VCPU cache of the APIC base MSR. */
-    pVCpu->hm.s.vmx.u64GstMsrApicBase = u64MsrApicBase;
     return VINF_SUCCESS;
 }
@@ -6113 +6100 @@
         && PDMHasApic(pVM))
     {
-        int rc = hmR0VmxMapHCApicAccessPage(pVCpu);
+        /* Get the APIC base MSR from the virtual APIC device. */
+        uint64_t const uApicBaseMsr = APICGetBaseMsrNoCheck(pVCpu);
+
+        /* Map the APIC access page. */
+        int rc = hmR0VmxMapHCApicAccessPage(pVCpu, uApicBaseMsr & PAGE_BASE_GC_MASK);
         AssertRCReturn(rc, rc);
+
+        /* Update the per-VCPU cache of the APIC base MSR corresponding to the mapped APIC access page. */
+        pVCpu->hm.s.vmx.u64GstMsrApicBase = uApicBaseMsr;
     }
 
@@ -6812 +6806 @@
             hmR0VmxReportWorldSwitchError(pVCpu, rcRun, &VmxTransient);
             return rcRun;
+        }
+
+        /*
+         * Undo temporary disabling of the APIC-access page monitoring we did in hmR0VmxMergeVmcsNested.
+         * This is needed for NestedTrap0eHandler (and IEM) to cause nested-guest APIC-access VM-exits.
+         */
+        if (VmxTransient.pVmcsInfo->u32ProcCtls2 & VMX_PROC_CTLS2_VIRT_APIC_ACCESS)
+        {
+            PVMXVVMCS const pVmcsNstGst      = &pVCpu->cpum.GstCtx.hwvirt.vmx.Vmcs;
+            RTGCPHYS const  GCPhysApicAccess = pVmcsNstGst->u64AddrApicAccess.u;
+            PGMHandlerPhysicalReset(pVCpu->CTX_SUFF(pVM), GCPhysApicAccess);
         }
 
@@ -7239 +7244 @@
     return rcStrict;
 }
+

trunk/src/VBox/VMM/VMMR0/IEMR0.cpp

@@ -44 +44 @@
     {
         int rc = PGMR0HandlerPhysicalTypeSetUpContext(pGVM, PGMPHYSHANDLERKIND_ALL, 0 /*fFlags*/,
-                                                      iemVmxApicAccessPageHandler, NULL /*pfnzPfHandlerR0*/,
+                                                      iemVmxApicAccessPageHandler, iemVmxApicAccessPagePfHandler,
                                                       "VMX APIC-access page", pGVM->iem.s.hVmxApicAccessPage);
         AssertLogRelRCReturn(rc, rc);

trunk/src/VBox/VMM/VMMR0/PGMR0.cpp

@@ -1213 +1213 @@
     return rc;
 }
+
+
+#ifdef VBOX_WITH_NESTED_HWVIRT_VMX_EPT
+/**
+ * Nested \#PF Handler for nested-guest execution using nested paging.
+ *
+ * @returns Strict VBox status code (appropriate for trap handling and GC return).
+ * @param   pGVM                The global (ring-0) VM structure.
+ * @param   pGVCpu              The global (ring-0) CPU structure of the calling
+ *                              EMT.
+ * @param   uErr                The trap error code.
+ */
+VMMR0DECL(VBOXSTRICTRC) PGMR0NestedTrap0eHandlerNestedPaging(PGVMCPU pGVCpu, PGMMODE enmShwPagingMode, RTGCUINT uErr,
+                                                             PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                                             bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk)
+{
+    Assert(enmShwPagingMode == PGMMODE_EPT);
+    NOREF(enmShwPagingMode);
+
+    bool fLockTaken;
+    VBOXSTRICTRC rcStrict = PGM_BTH_NAME_EPT_PROT(NestedTrap0eHandler)(pGVCpu, uErr, pRegFrame, GCPhysNested, fIsLinearAddrValid,
+                                                                       GCPtrNested, pWalk, &fLockTaken);
+    if (fLockTaken)
+    {
+        PGM_LOCK_ASSERT_OWNER(pGVCpu->CTX_SUFF(pVM));
+        PGM_UNLOCK(pGVCpu->CTX_SUFF(pVM));
+    }
+    if (rcStrict == VINF_PGM_SYNCPAGE_MODIFIED_PDE)
+        rcStrict = VINF_SUCCESS;
+    return rcStrict;
+}
+#endif /* VBOX_WITH_NESTED_HWVIRT_VMX_EPT */
 
 

trunk/src/VBox/VMM/VMMR0/PGMR0Bth.h

@@ -22 +22 @@
 RT_C_DECLS_BEGIN
 PGM_BTH_DECL(int, Trap0eHandler)(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, bool *pfLockTaken);
+PGM_BTH_DECL(int, NestedTrap0eHandler)(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                       bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk, bool *pfLockTaken);
 RT_C_DECLS_END
 

trunk/src/VBox/VMM/VMMR3/CPUMR3CpuId.cpp

@@ -4264 +4264 @@
              * disabled will automatically prevent exposing features that rely on
              */
-            rc = CFGMR3QueryBoolDef(pCpumCfg, "NestedVmxEpt", &pVM->cpum.s.fNestedVmxEpt, false);
+            rc = CFGMR3QueryBoolDef(pCpumCfg, "NestedVmxEpt", &pVM->cpum.s.fNestedVmxEpt, true);
             AssertLogRelRCReturn(rc, rc);
 
@@ -4272 +4272 @@
              * it.
              */
-            rc = CFGMR3QueryBoolDef(pCpumCfg, "NestedVmxUnrestrictedGuest", &pVM->cpum.s.fNestedVmxUnrestrictedGuest, false);
+            rc = CFGMR3QueryBoolDef(pCpumCfg, "NestedVmxUnrestrictedGuest", &pVM->cpum.s.fNestedVmxUnrestrictedGuest, true);
             AssertLogRelRCReturn(rc, rc);
 

trunk/src/VBox/VMM/VMMR3/HM.cpp

@@ -1080 +1080 @@
     {
         PVMCPU pVCpu = pVM->apCpusR3[idCpu];
-        PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL);
+        PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL, false /* fForce */);
     }
 }

trunk/src/VBox/VMM/VMMR3/PGM.cpp

@@ -1024 +1024 @@
         {
             PVMCPU pVCpu = pVM->apCpusR3[i];
-            rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL);
+            rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL, false /* fForce */);
             if (RT_FAILURE(rc))
                 break;
@@ -1647 +1647 @@
         pVM->pgm.s.HCPhysInvMmioPg |= UINT64_C(0x000f0000000000);
     }
-    Assert(pVM->cpum.ro.GuestFeatures.cMaxPhysAddrWidth == cMaxPhysAddrWidth);
+    /* Disabled the below assertion -- triggers 24 vs 39 on my Intel Skylake box for a 32-bit (Guest-type Other/Unknown) VM. */
+    //AssertMsg(pVM->cpum.ro.GuestFeatures.cMaxPhysAddrWidth == cMaxPhysAddrWidth,
+    //          ("CPUM %u - PGM %u\n", pVM->cpum.ro.GuestFeatures.cMaxPhysAddrWidth, cMaxPhysAddrWidth));
 #else
     uint32_t const cMaxPhysAddrWidth = pVM->cpum.ro.GuestFeatures.cMaxPhysAddrWidth;
@@ -1852 +1854 @@
     pVCpu->pgm.s.GCPhysNstGstCR3 = NIL_RTGCPHYS;
 
-    int rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL);
+    int rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL, false /* fForce */);
     AssertReleaseRC(rc);
 
@@ -1918 +1920 @@
         PVMCPU  pVCpu = pVM->apCpusR3[i];
 
-        int rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL);
+        int rc = PGMHCChangeMode(pVM, pVCpu, PGMMODE_REAL, false /* fForce */);
         AssertReleaseRC(rc);
 
@@ -2298 +2300 @@
 {
     pVCpu->pgm.s.enmShadowMode = PGMMODE_INVALID;
-    int rc = PGMHCChangeMode(pVM, pVCpu, PGMGetGuestMode(pVCpu));
+    int rc = PGMHCChangeMode(pVM, pVCpu, PGMGetGuestMode(pVCpu), false /* fForce */);
     Assert(VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3));
     AssertRCReturn(rc, rc);

trunk/src/VBox/VMM/VMMR3/PGMSavedState.cpp

@@ -3190 +3190 @@
                 PVMCPU pVCpu = pVM->apCpusR3[i];
 
-                rc = PGMHCChangeMode(pVM, pVCpu, pVCpu->pgm.s.enmGuestMode);
+                rc = PGMHCChangeMode(pVM, pVCpu, pVCpu->pgm.s.enmGuestMode, false /* fForce */);
                 AssertLogRelRCReturn(rc, rc);
 

trunk/src/VBox/VMM/include/IEMInternal.h

@@ -942 +942 @@
 # define IEM_SLAT_FAIL_LINEAR_TO_PHYS_ADDR          RT_BIT_32(0)
 /** Translating a nested-guest linear address failed accessing a
- *  paging-structure entry. */
+ *  paging-structure entry or updating accessed/dirty bits. */
 # define IEM_SLAT_FAIL_LINEAR_TO_PAGE_TABLE         RT_BIT_32(1)
 /** @} */
 
 PGM_ALL_CB2_PROTO(FNPGMPHYSHANDLER) iemVmxApicAccessPageHandler;
+# ifndef IN_RING3
+DECLCALLBACK(FNPGMRZPHYSPFHANDLER)  iemVmxApicAccessPagePfHandler;
+# endif
 #endif
 

trunk/src/VBox/VMM/include/PGMInternal.h

@@ -2745 +2745 @@
 #ifndef IN_RING3
     DECLCALLBACKMEMBER(int, pfnTrap0eHandler,(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, bool *pfLockTaken));
+    DECLCALLBACKMEMBER(int, pfnNestedTrap0eHandler,(PVMCPUCC pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysNested,
+                                                    bool fIsLinearAddrValid, RTGCPTR GCPtrNested, PPGMPTWALK pWalk,
+                                                    bool *pfLockTaken));
 #endif
 #ifdef VBOX_STRICT