{"id":2233146,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233146/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505185028.237207-8-dblanzeanu@linux.microsoft.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260505185028.237207-8-dblanzeanu@linux.microsoft.com>","list_archive_url":null,"date":"2026-05-05T18:50:28","name":"[v2,7/7] target/i386/mshv: fix pio handlers clobbering device-modified registers","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"8b47dbbf1bde3660620efe1f3da1b6ece5cfa114","submitter":{"id":93106,"url":"http://patchwork.ozlabs.org/api/1.2/people/93106/?format=json","name":"Doru Blânzeanu","email":"dblanzeanu@linux.microsoft.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505185028.237207-8-dblanzeanu@linux.microsoft.com/mbox/","series":[{"id":502882,"url":"http://patchwork.ozlabs.org/api/1.2/series/502882/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502882","date":"2026-05-05T18:50:22","name":"target/i386/mshv: use hv_vp_register_page for fast register access","version":2,"mbox":"http://patchwork.ozlabs.org/series/502882/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233146/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233146/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com\n header.a=rsa-sha256 header.s=default header.b=L6w+FWDE;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g970c0t64z1yJx\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 04:52:00 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKKrD-0000i3-QO; Tue, 05 May 2026 14:50:59 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <dblanzeanu@linux.microsoft.com>)\n id 1wKKr8-0000hE-JO\n for qemu-devel@nongnu.org; Tue, 05 May 2026 14:50:55 -0400","from linux.microsoft.com ([13.77.154.182])\n by eggs.gnu.org with esmtp (Exim 4.90_1)\n (envelope-from <dblanzeanu@linux.microsoft.com>) id 1wKKr6-0006jT-Ld\n for qemu-devel@nongnu.org; Tue, 05 May 2026 14:50:54 -0400","from laptop.localdomain (unknown [86.121.140.248])\n by linux.microsoft.com (Postfix) with ESMTPSA id 1AB0620B7169;\n Tue,  5 May 2026 11:50:47 -0700 (PDT)"],"DKIM-Filter":"OpenDKIM Filter v2.11.0 linux.microsoft.com 1AB0620B7169","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;\n s=default; t=1778007049;\n bh=qhK+besfkzswTlnKE72DUmc6HXtjGeutb1TQjNxHTQ8=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=L6w+FWDEZStU5PC2UWo0ZmO11OTl0XmAt/TGUI9YpdN+nkiwOCmkoTJiuS/4C8wa2\n 24MyHX46CDDILX5krU6GTPe/tanR33zYDcV+i6WS/wB7Pw8sD4pKvl7IC542ZOB21/\n 3NPiPsaYwcZMdm1fe0fEjuWgq7sNOdsmx7GkNP7g=","From":"=?utf-8?q?Doru_Bl=C3=A2nzeanu?= <dblanzeanu@linux.microsoft.com>","To":"qemu-devel@nongnu.org","Cc":"=?utf-8?q?Doru_Bl=C3=A2nzeanu?= <dblanzeanu@linux.microsoft.com>,\n Magnus Kulke <magnuskulke@linux.microsoft.com>,\n Zhao Liu <zhao1.liu@intel.com>, Wei Liu <wei.liu@kernel.org>,\n Paolo Bonzini <pbonzini@redhat.com>","Subject":"[PATCH v2 7/7] target/i386/mshv: fix pio handlers clobbering\n device-modified registers","Date":"Tue,  5 May 2026 21:50:28 +0300","Message-ID":"<20260505185028.237207-8-dblanzeanu@linux.microsoft.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260505185028.237207-1-dblanzeanu@linux.microsoft.com>","References":"<20260505185028.237207-1-dblanzeanu@linux.microsoft.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=13.77.154.182;\n envelope-from=dblanzeanu@linux.microsoft.com; helo=linux.microsoft.com","X-Spam_score_int":"-19","X-Spam_score":"-2.0","X-Spam_bar":"--","X-Spam_report":"(-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"When a device handler (e.g. vmport) calls cpu_synchronize_state() during\nI/O port dispatch, it sets cpu->accel->dirty = true and may modify\nregisters directly in env. The old PIO code ignored this: it\nunconditionally wrote the stale info->rax from the VM-exit intercept\nmessage back to the hypervisor and then cleared dirty, discarding any\nregister changes made by the device.\n\nBifurcate both handlers on cpu->accel->dirty:\n\nhandle_pio_non_str:\n- dirty path: update env->eip directly. For reads (IN), merge the I/O\n  result into env->regs[R_EAX] (which may have been modified by the\n  device) rather than info->rax. For writes (OUT), leave RAX untouched.\n  Flush all registers via mshv_store_regs() and clear dirty.\n- non-dirty path: write RIP and RAX via set_x64_registers hypercall as\n  before.\n\nhandle_pio_str:\n- dirty path: update env->eip and the appropriate index register\n  (RSI for OUTS, RDI for INS) directly. Flush via mshv_store_regs()\n  and clear dirty.\n- non-dirty path: write the index register and RIP via\n  set_x64_registers. Drop the RAX assignment that was here before;\n  string I/O does not modify RAX, and set_x64_registers is hardcoded\n  to write only 2 registers so the third slot was silently ignored\n  anyway.\n\nRemove the unconditional \"cpu->accel->dirty = false\" at the end of both\nhandlers. In the non-dirty fast path it was redundant (already false).\nIn the dirty path it was actively harmful: it told the vcpu run loop\nthat env was clean when it was not, losing the device's modifications.\n\nSigned-off-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>\n---\n target/i386/mshv/mshv-cpu.c | 82 ++++++++++++++++++++++++++-----------\n 1 file changed, 59 insertions(+), 23 deletions(-)","diff":"diff --git a/target/i386/mshv/mshv-cpu.c b/target/i386/mshv/mshv-cpu.c\nindex 0cfac26a5c..7be3fdcc45 100644\n--- a/target/i386/mshv/mshv-cpu.c\n+++ b/target/i386/mshv/mshv-cpu.c\n@@ -1348,7 +1348,7 @@ static int pio_write(uint64_t port, const uint8_t *data, uintptr_t size,\n     return ret;\n }\n \n-static int handle_pio_non_str(const CPUState *cpu,\n+static int handle_pio_non_str(CPUState *cpu,\n                               hv_x64_io_port_intercept_message *info)\n {\n     size_t len = info->access_info.access_size;\n@@ -1357,10 +1357,12 @@ static int handle_pio_non_str(const CPUState *cpu,\n     uint32_t val, eax;\n     const uint32_t eax_mask =  0xffffffffu >> (32 - len * 8);\n     size_t insn_len;\n-    uint64_t rip, rax;\n+    uint64_t rip;\n     uint32_t reg_names[2];\n     uint64_t reg_values[2];\n     uint16_t port = info->port_number;\n+    X86CPU *x86_cpu = X86_CPU(cpu);\n+    CPUX86State *env = &x86_cpu->env;\n \n     if (access_type == HV_X64_INTERCEPT_ACCESS_TYPE_WRITE) {\n         union {\n@@ -1391,21 +1393,40 @@ static int handle_pio_non_str(const CPUState *cpu,\n \n     /* Advance RIP and update RAX */\n     rip = info->header.rip + insn_len;\n-    rax = info->rax;\n \n-    reg_names[0] = HV_X64_REGISTER_RIP;\n-    reg_values[0] = rip;\n-    reg_names[1] = HV_X64_REGISTER_RAX;\n-    reg_values[1] = rax;\n+    if (cpu->accel->dirty) {\n+        env->eip = rip;\n+        if (access_type != HV_X64_INTERCEPT_ACCESS_TYPE_WRITE) {\n+            /*\n+             * For reads, merge the I/O result into the current RAX.\n+             * Use env->regs[R_EAX] as the base since a device handler\n+             * (e.g. vmport) may have called cpu_synchronize_state()\n+             * and modified registers.\n+             */\n+            eax = (((uint32_t)env->regs[R_EAX]) & ~eax_mask)\n+                  | (val & eax_mask);\n+            env->regs[R_EAX] = (uint64_t)eax;\n+        }\n+        /* Sync modified standard registers back and clear dirty. */\n+        ret = mshv_store_regs(cpu);\n+        if (ret < 0) {\n+            error_report(\"Failed to store registers after PIO\");\n+            return -1;\n+        }\n+        cpu->accel->dirty = false;\n+    } else {\n+        reg_names[0] = HV_X64_REGISTER_RIP;\n+        reg_values[0] = rip;\n+        reg_names[1] = HV_X64_REGISTER_RAX;\n+        reg_values[1] = info->rax;\n \n-    ret = set_x64_registers(cpu, reg_names, reg_values);\n-    if (ret < 0) {\n-        error_report(\"Failed to set x64 registers\");\n-        return -1;\n+        ret = set_x64_registers(cpu, reg_names, reg_values);\n+        if (ret < 0) {\n+            error_report(\"Failed to set x64 registers\");\n+            return -1;\n+        }\n     }\n \n-    cpu->accel->dirty = false;\n-\n     return 0;\n }\n \n@@ -1521,6 +1542,7 @@ static int handle_pio_str(CPUState *cpu, hv_x64_io_port_intercept_message *info)\n     bool repop = info->access_info.rep_prefix == 1;\n     size_t repeat = repop ? info->rcx : 1;\n     size_t insn_len = info->header.instruction_length;\n+    uint64_t rip;\n     bool direction_flag;\n     uint32_t reg_names[3];\n     uint64_t reg_values[3];\n@@ -1554,18 +1576,32 @@ static int handle_pio_str(CPUState *cpu, hv_x64_io_port_intercept_message *info)\n         reg_values[0] = info->rdi;\n     }\n \n-    reg_names[1] = HV_X64_REGISTER_RIP;\n-    reg_values[1] = info->header.rip + insn_len;\n-    reg_names[2] = HV_X64_REGISTER_RAX;\n-    reg_values[2] = info->rax;\n+    rip = info->header.rip + insn_len;\n \n-    ret = set_x64_registers(cpu, reg_names, reg_values);\n-    if (ret < 0) {\n-        error_report(\"Failed to set x64 registers\");\n-        return -1;\n-    }\n+    if (cpu->accel->dirty) {\n+        env->eip = rip;\n+        if (access_type == HV_X64_INTERCEPT_ACCESS_TYPE_WRITE) {\n+            env->regs[R_ESI] = info->rsi;\n+        } else {\n+            env->regs[R_EDI] = info->rdi;\n+        }\n+        /* Sync modified standard registers back and clear dirty. */\n+        ret = mshv_store_regs(cpu);\n+        if (ret < 0) {\n+            error_report(\"Failed to store registers after string PIO\");\n+            return -1;\n+        }\n+        cpu->accel->dirty = false;\n+    } else {\n+        reg_names[1] = HV_X64_REGISTER_RIP;\n+        reg_values[1] = rip;\n \n-    cpu->accel->dirty = false;\n+        ret = set_x64_registers(cpu, reg_names, reg_values);\n+        if (ret < 0) {\n+            error_report(\"Failed to set x64 registers\");\n+            return -1;\n+        }\n+    }\n \n     return 0;\n }\n","prefixes":["v2","7/7"]}