From nobody Tue May  5 10:15:04 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass(p=reject dis=none)  header.from=citrix.com
ARC-Seal: i=1; a=rsa-sha256; t=1777671551; cv=none;
	d=zohomail.com; s=zohoarc;
	b=hMoMz2IbkMt7eTQTXAzGNT3X1Y4RBb4kgKESnujAbZAE+ETqxp8h5AC4GpGiJG5doKumcU0ZyL7t39ksF4GkeGw1d8wISpw5lm8WFdfLm3am1DP70Yn4pZGFYVMm9KreVB7Qo2XNlNXUnh2hJZXGhQEdvrqGj9dShmQ13/EJDK8=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1777671551;
 h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=CcrVhPKL924+HX0LUqaF9tbfBrxLJHzpVSLiSNTCUME=;
	b=BGo2FcORr+tojPP1auLVCegMVhm/oHB53mhHllo6F/eUfzbmXTAzxG8sUaYiDqlTUsgQkmylF5lQc0domEgydTZcJhs2I9giJ+8fXv1wj2NWNz6A9xVllHzLZT9wuPRxGhU2ET4DOtuvd3ocd3D/r/UCF9653Ht/Km//dckdsus=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org;
	dmarc=pass header.from=<andrew.cooper3@citrix.com> (p=reject dis=none)
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1777671551822753.3230171880866;
 Fri, 1 May 2026 14:39:11 -0700 (PDT)
Received: from list by lists.xenproject.org with
 outflank-mailman.1298928.1573861 (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1wIvZ8-00083j-QX; Fri, 01 May 2026 21:38:30 +0000
Received: by outflank-mailman (output) from mailman id 1298928.1573861;
 Fri, 01 May 2026 21:38:30 +0000
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1wIvZ8-00083c-Mk; Fri, 01 May 2026 21:38:30 +0000
Received: by outflank-mailman (input) for mailman id 1298928;
 Fri, 01 May 2026 21:38:29 +0000
Received: from mx.expurgate.net ([195.190.135.10])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <andrew.cooper3@citrix.com>) id 1wIvZ7-00083W-Gr
 for xen-devel@lists.xenproject.org; Fri, 01 May 2026 21:38:29 +0000
Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with
 esmtp
 id 1wIvZ5-00AT3D-AC
 for xen-devel@lists.xenproject.org; Fri, 01 May 2026 23:38:28 +0200
Received: from [10.42.69.2] (helo=localhost)
 by localhost with ESMTP (eXpurgate MTA 0.9.1)
 (envelope-from <andrew.cooper3@citrix.com>)
 id 69f51d33-2eae-0a2a0a5409dd-0a2a4502dc1a-16
 for <xen-devel@lists.xenproject.org>; Fri, 01 May 2026 23:38:28 +0200
Received: from [209.85.128.53] (helo=mail-wm1-f53.google.com)
 by tlsNG-720697.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1)
 (envelope-from <andrew.cooper3@citrix.com>)
 id 69f51d54-af86-0a2a45020019-d1558035d46c-3
 for <xen-devel@lists.xenproject.org>; Fri, 01 May 2026 23:38:28 +0200
Received: by mail-wm1-f53.google.com with SMTP id
 5b1f17b1804b1-4852a9c6309so18648615e9.0
 for <xen-devel@lists.xenproject.org>; Fri, 01 May 2026 14:38:28 -0700 (PDT)
Received: from localhost.localdomain (host-78-146-242-105.as13285.net.
 [78.146.242.105]) by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-48a822c3422sm137436495e9.8.2026.05.01.14.38.27
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 01 May 2026 14:38:27 -0700 (PDT)
X-Outflank-Mailman: Message body and most headers restored to incoming version
X-BeenThere: xen-devel@lists.xenproject.org
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Authentication-Results: eu.smtp.expurgate.cloud;
 dkim=pass header.s=google header.d=citrix.com header.i="@citrix.com"
 header.h="Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=citrix.com; s=google; t=1777671508; x=1778276308;
 darn=lists.xenproject.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=CcrVhPKL924+HX0LUqaF9tbfBrxLJHzpVSLiSNTCUME=;
        b=WeUPjyZg3muJqydiM/zUlYgvCYOGDx8H9Zr0v0SNUp9MnDX6ZpHwdbHS97ZRVmajTp
         9gnugnBr4bJvdW4Um5zCXt0GPtUBsgJfICF0LcxEOQZFMeU1zJL389zGpQ9jwriuyMpR
         /u4rAJXLE+weFViyY8aJDBadgctruA98QuAJc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777671508; x=1778276308;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=CcrVhPKL924+HX0LUqaF9tbfBrxLJHzpVSLiSNTCUME=;
        b=aHftFpdk02x0dFGrAWJfNIfdWe8w7JpFX0FX/j8JfXc2fK5zuYZ3WcBgvNrFd0W/Nu
         FS1UVCGKc4xzBQTWlml+t7KPLtkjSxvqas7Mp1NyeNh6cJWQzkGWnmy6+yJpxMQUhrza
         vvk8+8f2vmQ73kzpEhUG6lz2dq6u2nrDXTql8xDrUI+MqgNCA/0CjB/KSDBQhaPA5Gl6
         BCXUuOB4bPaYFPIEEoFuHu3WdVHIKl73XdBTbvJFCy7+nQjV7lMCnXu/O89q/DPN8JGw
         xNTKw4pVC9m9cEHBlAmFl26gVlU54fwxlelFHUsqPk0hHjEWlixp5UtLV+My+2UZzsyK
         YagQ==
X-Gm-Message-State: AOJu0YzkHPB1JcG+4bSryRC40/ztzZmj7iglHMBMrMoSB6aEVedX9BaV
	rHB9j972MHAevAH8JckpCEZXGoycSdfTWqG+wq3UonlfrHPze5urHUyII6DXDHkxck2gPi9N9Bj
	2g4RD/yA=
X-Gm-Gg: AeBDietmFabkXjZbNLT+8o+fpewcR/H3dM+2mEQLPuvhJQZ/F0bpNp+pCgb8iLBnFPu
	yieluak7f0LeDo0hNqeszqi8ICEkQl6wdN5R/vTi3bZPIxYKvgHnVnYSPKvaC/aQbOIXdCjqKE8
	rq5c9HVymol8/AEvW3RNQATi4Ir+xTPjjoWRmj2s79XAWb85G68eV5hwt44mlyKqXDK0+tk6Y0e
	Qd4G/9lre+SOAkvw0hvXCPC5WqociGENBn00/IukohFifNoR77iPwSakYBBxTOnaFZPHm1bgGmk
	U3fVNq22y9Xs3o3Hf7vBZQGwIx2zNu46NyWO8tSUDn8Xe/C/uoxzc9JYi1UegF4Ne3/21CAP/42
	/++5SGW8QIscr/G5hMBFPbSmsqXHen5h292r3NfcgJc6egaQSJPijjX/nL3OlXRiKlqJFmR94l+
	86djlRvdws6MwZpYuiH1UF5AaH3Jlla9plr+UCXP5Ur6pBSl4iz6qYXKnhM6I2nL5pbknO1QnRE
	xcU2HfZY2cV2UQ=
X-Received: by 2002:a05:600c:a118:b0:489:ecee:c4ef with SMTP id
 5b1f17b1804b1-48a9865daacmr7747625e9.13.1777671507797;
        Fri, 01 May 2026 14:38:27 -0700 (PDT)
From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	Jan Beulich <jbeulich@suse.com>,
	=?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= <roger.pau@citrix.com>,
	Teddy Astie <teddy.astie@vates.tech>
Subject: [PATCH] x86/svm: Always sync guest CR2 on VMExit
Date: Fri,  1 May 2026 22:38:26 +0100
Message-Id: <20260501213826.1291860-1-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-purgate-ID: tlsNG-720697/1777671508-894CD161-47778207/0/0
X-purgate-type: clean
X-purgate-size: 1761
X-ZohoMail-DKIM: pass (identity @citrix.com)
X-ZM-MESSAGEID: 1777671554425154100

Under SVM, there are two copies of guest CR2.  One is v->arch.hvm.guest_cr[=
2]
and one is in the VMCB.

Xen doesn't intercept CR2 accesses, so this mostly goes unnoticed; hardware
loads and saves the guest CR2 across VMRUN/VMExit.

For HAP guests (where #PF is not intercepted, and therefore we don't typica=
lly
inject #PF either), this causes the guest CR2 value to be lost on migrate. =
 As
migration is cooperative and not done from the #PF handler, this also goes
unoticed by guests.

It also means that an emulated MOV-from-CR2 reads a stale value.

Reported-by: Stefano Stabellini <sstabellini@kernel.org>
Fixes: d1bd157fbc9b ("Big merge the HVM full-virtualisation abstractions.")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Teddy Astie <teddy.astie@vates.tech>
Tested-by: Stefano Stabellini <sstabellini@kernel.org>
---
CC: Jan Beulich <jbeulich@suse.com>
CC: Roger Pau Monn=C3=A9 <roger.pau@citrix.com>
CC: Teddy Astie <teddy.astie@vates.tech>
CC: Stefano Stabellini <sstabellini@kernel.org>

It also also works around the QEMU bug that triggered the investigion, where
the CR2 intercepts trigger despite Xen requesting CR2 not to be intercepted.
---
 xen/arch/x86/hvm/svm/svm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index ced616684732..f49d2ebbfdd5 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -2505,6 +2505,7 @@ void asmlinkage svm_vmexit_handler(void)
     hvm_sanitize_regs_fields(
         regs, !(vmcb_get_efer(vmcb) & EFER_LMA) || !(vmcb->cs.l));
=20
+    v->arch.hvm.guest_cr[2] =3D vmcb_get_cr2(vmcb);
     if ( paging_mode_hap(v->domain) )
         v->arch.hvm.guest_cr[3] =3D v->arch.hvm.hw_cr[3] =3D vmcb_get_cr3(=
vmcb);
=20

base-commit: 61f957d48c78df6c5254b6f54d6170d3bd3d717e
--=20
2.39.5