Backport upstream patches, fixing today's XSA 191, 192, 195, 196, 197, 198.

Bump PKGREVISIONs

8 files changed, 469 insertions, 3 deletions

diff --git a/sysutils/xenkernel45/Makefile b/sysutils/xenkernel45/Makefile
index ab1463b1b9c..34cbdb133b8 100644
--- a/sysutils/xenkernel45/Makefile
+++ b/sysutils/xenkernel45/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.22 2016/09/21 17:03:37 bouyer Exp $
+# $NetBSD: Makefile,v 1.23 2016/11/22 20:57:10 bouyer Exp $
 
 VERSION=	4.5.5
 DISTNAME=	xen-${VERSION}
 PKGNAME=	xenkernel45-${VERSION}
-#PKGREVISION=	0
+PKGREVISION=	1
 CATEGORIES=	sysutils
 MASTER_SITES=	http://bits.xensource.com/oss-xen/release/${VERSION}/
 
diff --git a/sysutils/xenkernel45/distinfo b/sysutils/xenkernel45/distinfo
index da29f8ffb59..82a10dd7dc6 100644
--- a/sysutils/xenkernel45/distinfo
+++ b/sysutils/xenkernel45/distinfo
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.18 2016/09/21 17:03:37 bouyer Exp $
+$NetBSD: distinfo,v 1.19 2016/11/22 20:57:10 bouyer Exp $
 
 SHA1 (xen-4.5.5.tar.gz) = 4073d411c72d3298baacfc15577b92b9ae577073
 RMD160 (xen-4.5.5.tar.gz) = 34132ab04752dc594fbdc1404c95f402b7bbbe39
 SHA512 (xen-4.5.5.tar.gz) = 7e8d7e0248daa91389db0250c5f214dc1ab46c058d556a4326c801933ead05cc450cb9510108586418de029b81a80fd9f272ec1749d288a8250e69599aa2d769
 Size (xen-4.5.5.tar.gz) = 18426889 bytes
 SHA1 (patch-Config.mk) = a2a104d023cea4e551a3ad40927d4884d6c610bf
+SHA1 (patch-XSA-191) = adf1b0d6d8a17b6585fd0ecbe0ca77517623e0af
+SHA1 (patch-XSA-192) = d54322eba9db1b0266ea1c48e9322bc91549ff3f
+SHA1 (patch-XSA-193) = 7088e2278da771f7140eb0d4200dc877326cfa5a
+SHA1 (patch-XSA-195) = 0a44b7deda6a17c88e9d1858eeb7c33b0ebaf3f7
+SHA1 (patch-XSA-196-1) = bdcd7673443fbf59aeff8ad019ffbe39758fcaee
+SHA1 (patch-XSA-196-2) = 81b1d46f3ec8a3c5133f6a923fee0ab1b2b1c6a0
 SHA1 (patch-xen_Makefile) = 750d0c8d4fea14d3ef3f872de5242a1f5104cbbe
 SHA1 (patch-xen_arch_x86_Rules.mk) = 7b0894ba7311edb02118a021671f304cf3872154
 SHA1 (patch-xen_common_page__alloc.c) = c4d606de1cada8cf89b5abd16efada3d58c68a03
diff --git a/sysutils/xenkernel45/patches/patch-XSA-191 b/sysutils/xenkernel45/patches/patch-XSA-191
new file mode 100644
index 00000000000..33ac05d9142
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-191
@@ -0,0 +1,140 @@
+$NetBSD: patch-XSA-191,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/hvm: Fix the handling of non-present segments
+
+In 32bit, the data segments may be NULL to indicate that the segment is
+ineligible for use.  In both 32bit and 64bit, the LDT selector may be NULL to
+indicate that the entire LDT is ineligible for use.  However, nothing in Xen
+actually checks for this condition when performing other segmentation
+checks.  (Note however that limit and writeability checks are correctly
+performed).
+
+Neither Intel nor AMD specify the exact behaviour of loading a NULL segment.
+Experimentally, AMD zeroes all attributes but leaves the base and limit
+unmodified.  Intel zeroes the base, sets the limit to 0xfffffff and resets the
+attributes to just .G and .D/B.
+
+The use of the segment information in the VMCB/VMCS is equivalent to a native
+pipeline interacting with the segment cache.  The present bit can therefore
+have a subtly different meaning, and it is now cooked to uniformly indicate
+whether the segment is usable or not.
+
+GDTR and IDTR don't have access rights like the other segments, but for
+consistency, they are treated as being present so no special casing is needed
+elsewhere in the segmentation logic.
+
+AMD hardware does not consider the present bit for %cs and %tr, and will
+function as if they were present.  They are therefore unconditionally set to
+present when reading information from the VMCB, to maintain the new meaning of
+usability.
+
+Intel hardware has a separate unusable bit in the VMCS segment attributes.
+This bit is inverted and stored in the present field, so the hvm code can work
+with architecturally-common state.
+
+This is XSA-191.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- xen/arch/x86/hvm/hvm.c.orig
++++ xen/arch/x86/hvm/hvm.c
+@@ -3666,6 +3666,10 @@ int hvm_virtual_to_linear_addr(
+          * COMPATIBILITY MODE: Apply segment checks and add base.
+          */
+ 
++        /* Segment not valid for use (cooked meaning of .p)? */
++        if ( !reg->attr.fields.p )
++            return 0;
++
+         switch ( access_type )
+         {
+         case hvm_access_read:
+@@ -3871,6 +3875,10 @@ static int hvm_load_segment_selector(
+     hvm_get_segment_register(
+         v, (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr, &desctab);
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto fail;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto fail;
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -620,6 +620,7 @@ static void svm_get_segment_register(str
+     {
+     case x86_seg_cs:
+         memcpy(reg, &vmcb->cs, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.g = reg->limit > 0xFFFFF;
+         break;
+     case x86_seg_ds:
+@@ -653,13 +654,16 @@ static void svm_get_segment_register(str
+     case x86_seg_tr:
+         svm_sync_vmcb(v);
+         memcpy(reg, &vmcb->tr, sizeof(*reg));
++        reg->attr.fields.p = 1;
+         reg->attr.fields.type |= 0x2;
+         break;
+     case x86_seg_gdtr:
+         memcpy(reg, &vmcb->gdtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_idtr:
+         memcpy(reg, &vmcb->idtr, sizeof(*reg));
++        reg->attr.bytes = 0x80;
+         break;
+     case x86_seg_ldtr:
+         svm_sync_vmcb(v);
+--- xen/arch/x86/hvm/vmx/vmx.c.orig
++++ xen/arch/x86/hvm/vmx/vmx.c
+@@ -867,10 +867,12 @@ void vmx_get_segment_register(struct vcp
+     reg->sel = sel;
+     reg->limit = limit;
+ 
+-    reg->attr.bytes = (attr & 0xff) | ((attr >> 4) & 0xf00);
+-    /* Unusable flag is folded into Present flag. */
+-    if ( attr & (1u<<16) )
+-        reg->attr.fields.p = 0;
++    /*
++     * Fold VT-x representation into Xen's representation.  The Present bit is
++     * unconditionally set to the inverse of unusable.
++     */
++    reg->attr.bytes =
++        (!(attr & (1u << 16)) << 7) | (attr & 0x7f) | ((attr >> 4) & 0xf00);
+ 
+     /* Adjust for virtual 8086 mode */
+     if ( v->arch.hvm_vmx.vmx_realmode && seg <= x86_seg_tr 
+@@ -950,11 +952,11 @@ static void vmx_set_segment_register(str
+         }
+     }
+ 
+-    attr = ((attr & 0xf00) << 4) | (attr & 0xff);
+-
+-    /* Not-present must mean unusable. */
+-    if ( !reg->attr.fields.p )
+-        attr |= (1u << 16);
++    /*
++     * Unfold Xen representation into VT-x representation.  The unusable bit
++     * is unconditionally set to the inverse of present.
++     */
++    attr = (!(attr & (1u << 7)) << 16) | ((attr & 0xf00) << 4) | (attr & 0xff);
+ 
+     /* VMX has strict consistency requirement for flag G. */
+     attr |= !!(limit >> 20) << 15;
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1209,6 +1209,10 @@ protmode_load_seg(
+                                  &desctab, ctxt)) )
+         return rc;
+ 
++    /* Segment not valid for use (cooked meaning of .p)? */
++    if ( !desctab.attr.fields.p )
++        goto raise_exn;
++
+     /* Check against descriptor table limit. */
+     if ( ((sel & 0xfff8) + 7) > desctab.limit )
+         goto raise_exn;
diff --git a/sysutils/xenkernel45/patches/patch-XSA-192 b/sysutils/xenkernel45/patches/patch-XSA-192
new file mode 100644
index 00000000000..f991decad69
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-192
@@ -0,0 +1,65 @@
+$NetBSD: patch-XSA-192,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/HVM: don't load LDTR with VM86 mode attrs during task switch
+
+Just like TR, LDTR is purely a protected mode facility and hence needs
+to be loaded accordingly. Also move its loading to where it
+architecurally belongs.
+
+This is XSA-192.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- xen/arch/x86/hvm/hvm.c.orig
++++ xen/arch/x86/hvm/hvm.c
+@@ -3577,16 +3577,15 @@ static void hvm_unmap_entry(void *p)
+ }
+ 
+ static int hvm_load_segment_selector(
+-    enum x86_segment seg, uint16_t sel)
++    enum x86_segment seg, uint16_t sel, unsigned int eflags)
+ {
+     struct segment_register desctab, cs, segr;
+     struct desc_struct *pdesc, desc;
+     u8 dpl, rpl, cpl;
+     int fault_type = TRAP_invalid_tss;
+-    struct cpu_user_regs *regs = guest_cpu_user_regs();
+     struct vcpu *v = current;
+ 
+-    if ( regs->eflags & X86_EFLAGS_VM )
++    if ( eflags & X86_EFLAGS_VM )
+     {
+         segr.sel = sel;
+         segr.base = (uint32_t)sel << 4;
+@@ -3829,6 +3828,8 @@ void hvm_task_switch(
+     if ( rc != HVMCOPY_okay )
+         goto out;
+ 
++    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt, 0) )
++        goto out;
+ 
+     if ( hvm_set_cr3(tss.cr3) )
+         goto out;
+@@ -3851,13 +3852,12 @@ void hvm_task_switch(
+     }
+ 
+     exn_raised = 0;
+-    if ( hvm_load_segment_selector(x86_seg_ldtr, tss.ldt) ||
+-         hvm_load_segment_selector(x86_seg_es, tss.es) ||
+-         hvm_load_segment_selector(x86_seg_cs, tss.cs) ||
+-         hvm_load_segment_selector(x86_seg_ss, tss.ss) ||
+-         hvm_load_segment_selector(x86_seg_ds, tss.ds) ||
+-         hvm_load_segment_selector(x86_seg_fs, tss.fs) ||
+-         hvm_load_segment_selector(x86_seg_gs, tss.gs) )
++    if ( hvm_load_segment_selector(x86_seg_es, tss.es, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_cs, tss.cs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ss, tss.ss, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_ds, tss.ds, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_fs, tss.fs, tss.eflags) ||
++         hvm_load_segment_selector(x86_seg_gs, tss.gs, tss.eflags) )
+         exn_raised = 1;
+ 
+     rc = hvm_copy_to_guest_virt(
diff --git a/sysutils/xenkernel45/patches/patch-XSA-193 b/sysutils/xenkernel45/patches/patch-XSA-193
new file mode 100644
index 00000000000..1cb54779278
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-193
@@ -0,0 +1,67 @@
+$NetBSD: patch-XSA-193,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86/PV: writes of %fs and %gs base MSRs require canonical addresses
+
+Commit c42494acb2 ("x86: fix FS/GS base handling when using the
+fsgsbase feature") replaced the use of wrmsr_safe() on these paths
+without recognizing that wr{f,g}sbase() use just wrmsrl() and that the
+WR{F,G}SBASE instructions also raise #GP for non-canonical input.
+
+Similarly arch_set_info_guest() needs to prevent non-canonical
+addresses from getting stored into state later to be loaded by context
+switch code. For consistency also check stack pointers and LDT base.
+DR0..3, otoh, already get properly checked in set_debugreg() (albeit
+we discard the error there).
+
+The SHADOW_GS_BASE check isn't strictly necessary, but I think we
+better avoid trying the WRMSR if we know it's going to fail.
+
+This is XSA-193.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- xen/arch/x86/domain.c.orig
++++ xen/arch/x86/domain.c
+@@ -741,7 +741,13 @@ int arch_set_info_guest(
+     {
+         if ( !compat )
+         {
+-            if ( !is_canonical_address(c.nat->user_regs.eip) ||
++            if ( !is_canonical_address(c.nat->user_regs.rip) ||
++                 !is_canonical_address(c.nat->user_regs.rsp) ||
++                 !is_canonical_address(c.nat->kernel_sp) ||
++                 (c.nat->ldt_ents && !is_canonical_address(c.nat->ldt_base)) ||
++                 !is_canonical_address(c.nat->fs_base) ||
++                 !is_canonical_address(c.nat->gs_base_kernel) ||
++                 !is_canonical_address(c.nat->gs_base_user) ||
+                  !is_canonical_address(c.nat->event_callback_eip) ||
+                  !is_canonical_address(c.nat->syscall_callback_eip) ||
+                  !is_canonical_address(c.nat->failsafe_callback_eip) )
+--- xen/arch/x86/traps.c.orig
++++ xen/arch/x86/traps.c
+@@ -2439,19 +2439,19 @@ static int emulate_privileged_op(struct
+         switch ( (u32)regs->ecx )
+         {
+         case MSR_FS_BASE:
+-            if ( is_pv_32on64_vcpu(v) )
++            if ( is_pv_32on64_vcpu(v) || !is_canonical_address(msr_content) )
+                 goto fail;
+             wrfsbase(msr_content);
+             v->arch.pv_vcpu.fs_base = msr_content;
+             break;
+         case MSR_GS_BASE:
+-            if ( is_pv_32on64_vcpu(v) )
++            if ( is_pv_32on64_vcpu(v) || !is_canonical_address(msr_content) )
+                 goto fail;
+             wrgsbase(msr_content);
+             v->arch.pv_vcpu.gs_base_kernel = msr_content;
+             break;
+         case MSR_SHADOW_GS_BASE:
+-            if ( is_pv_32on64_vcpu(v) )
++            if ( is_pv_32on64_vcpu(v) || !is_canonical_address(msr_content) )
+                 goto fail;
+             if ( wrmsr_safe(MSR_SHADOW_GS_BASE, msr_content) )
+                 goto fail;
diff --git a/sysutils/xenkernel45/patches/patch-XSA-195 b/sysutils/xenkernel45/patches/patch-XSA-195
new file mode 100644
index 00000000000..d15d85cacff
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-195
@@ -0,0 +1,47 @@
+$NetBSD: patch-XSA-195,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86emul: fix huge bit offset handling
+
+We must never chop off the high 32 bits.
+
+This is XSA-195.
+
+Reported-by: George Dunlap <george.dunlap@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2549,6 +2549,12 @@ x86_emulate(
+         else
+         {
+             /*
++             * Instructions such as bt can reference an arbitrary offset from
++             * their memory operand, but the instruction doing the actual
++             * emulation needs the appropriate op_bytes read from memory.
++             * Adjust both the source register and memory operand to make an
++             * equivalent instruction.
++             *
+              * EA       += BitOffset DIV op_bytes*8
+              * BitOffset = BitOffset MOD op_bytes*8
+              * DIV truncates towards negative infinity.
+@@ -2560,14 +2566,15 @@ x86_emulate(
+                 src.val = (int32_t)src.val;
+             if ( (long)src.val < 0 )
+             {
+-                unsigned long byte_offset;
+-                byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
++                unsigned long byte_offset =
++                    op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
++
+                 ea.mem.off -= byte_offset;
+                 src.val = (byte_offset << 3) + src.val;
+             }
+             else
+             {
+-                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
++                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
+                 src.val &= (op_bytes << 3) - 1;
+             }
+         }
diff --git a/sysutils/xenkernel45/patches/patch-XSA-196-1 b/sysutils/xenkernel45/patches/patch-XSA-196-1
new file mode 100644
index 00000000000..556e281aad7
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-196-1
@@ -0,0 +1,63 @@
+$NetBSD: patch-XSA-196-1,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/emul: Correct the IDT entry calculation in inject_swint()
+
+The logic, as introduced in c/s 36ebf14ebe "x86/emulate: support for emulating
+software event injection" is buggy.  The size of an IDT entry depends on long
+mode being active, not the width of the code segment currently in use.
+
+In particular, this means that a compatibility code segment which hits
+emulation for software event injection will end up using an incorrect offset
+in the IDT for DPL/Presence checking.  In practice, this only occurs on old
+AMD hardware lacking NRip support; all newer AMD hardware, and all Intel
+hardware bypass this path in the emulator.
+
+While here, fix a minor issue with reading the IDT entry.  The return value
+from ops->read() wasn't checked, but in reality the only failure case is if a
+pagefault occurs.  This is not a realistic problem as the kernel will almost
+certainly crash with a double fault if this setup actually occured.
+
+This is part of XSA-196.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/x86_emulate/x86_emulate.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
+index 7a707dc..f74aa8f 100644
+--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
++++ xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1630,10 +1630,16 @@ static int inject_swint(enum x86_swint_type type,
+     {
+         if ( !in_realmode(ctxt, ops) )
+         {
+-            unsigned int idte_size = (ctxt->addr_size == 64) ? 16 : 8;
+-            unsigned int idte_offset = vector * idte_size;
++            unsigned int idte_size, idte_offset;
+             struct segment_register idtr;
+             uint32_t idte_ctl;
++            int lm = in_longmode(ctxt, ops);
++
++            if ( lm < 0 )
++                return X86EMUL_UNHANDLEABLE;
++
++            idte_size = lm ? 16 : 8;
++            idte_offset = vector * idte_size;
+ 
+             /* icebp sets the External Event bit despite being an instruction. */
+             error_code = (vector << 3) | ECODE_IDT |
+@@ -1661,8 +1667,9 @@ static int inject_swint(enum x86_swint_type type,
+              * Should strictly speaking read all 8/16 bytes of an entry,
+              * but we currently only care about the dpl and present bits.
+              */
+-            ops->read(x86_seg_none, idtr.base + idte_offset + 4,
+-                      &idte_ctl, sizeof(idte_ctl), ctxt);
++            if ( (rc = ops->read(x86_seg_none, idtr.base + idte_offset + 4,
++                                 &idte_ctl, sizeof(idte_ctl), ctxt)) )
++                goto done;
+ 
+             /* Is this entry present? */
+             if ( !(idte_ctl & (1u << 15)) )
diff --git a/sysutils/xenkernel45/patches/patch-XSA-196-2 b/sysutils/xenkernel45/patches/patch-XSA-196-2
new file mode 100644
index 00000000000..052780760b1
--- /dev/null
+++ b/sysutils/xenkernel45/patches/patch-XSA-196-2
@@ -0,0 +1,78 @@
+$NetBSD: patch-XSA-196-2,v 1.1 2016/11/22 20:57:10 bouyer Exp $
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/svm: Fix injection of software interrupts
+
+The non-NextRip logic in c/s 36ebf14eb "x86/emulate: support for emulating
+software event injection" was based on an older version of the AMD software
+manual.  The manual was later corrected, following findings from that series.
+
+I took the original wording of "not supported without NextRIP" to mean that
+X86_EVENTTYPE_SW_INTERRUPT was not eligible for use.  It turns out that this
+is not the case, and the new wording is clearer on the matter.
+
+Despite testing the original patch series on non-NRip hardware, the
+swint-emulation XTF test case focuses on the debug vectors; it never ended up
+executing an `int $n` instruction for a vector which wasn't also an exception.
+
+During a vmentry, the use of X86_EVENTTYPE_HW_EXCEPTION comes with a vector
+check to ensure that it is only used with exception vectors.  Xen's use of
+X86_EVENTTYPE_HW_EXCEPTION for `int $n` injection has always been buggy on AMD
+hardware.
+
+Fix this by always using X86_EVENTTYPE_SW_INTERRUPT.
+
+Print and decode the eventinj information in svm_vmcb_dump(), as it has
+several invalid combinations which cause vmentry failures.
+
+This is part of XSA-196.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/hvm/svm/svm.c      | 13 +++++--------
+ xen/arch/x86/hvm/svm/svmdebug.c |  4 ++++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
+index 4391744..76efc3e 100644
+--- xen/arch/x86/hvm/svm/svm.c.orig
++++ xen/arch/x86/hvm/svm/svm.c
+@@ -1231,17 +1231,14 @@ static void svm_inject_trap(const struct hvm_trap *trap)
+     {
+     case X86_EVENTTYPE_SW_INTERRUPT: /* int $n */
+         /*
+-         * Injection type 4 (software interrupt) is only supported with
+-         * NextRIP support.  Without NextRIP, the emulator will have performed
+-         * DPL and presence checks for us.
++         * Software interrupts (type 4) cannot be properly injected if the
++         * processor doesn't support NextRIP.  Without NextRIP, the emulator
++         * will have performed DPL and presence checks for us, and will have
++         * moved eip forward if appropriate.
+          */
+         if ( cpu_has_svm_nrips )
+-        {
+             vmcb->nextrip = regs->eip + _trap.insn_len;
+-            event.fields.type = X86_EVENTTYPE_SW_INTERRUPT;
+-        }
+-        else
+-            event.fields.type = X86_EVENTTYPE_HW_EXCEPTION;
++        event.fields.type = X86_EVENTTYPE_SW_INTERRUPT;
+         break;
+ 
+     case X86_EVENTTYPE_PRI_SW_EXCEPTION: /* icebp */
+diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c
+index ded5d19..f93dfed 100644
+--- xen/arch/x86/hvm/svm/svmdebug.c.orig
++++ xen/arch/x86/hvm/svm/svmdebug.c
+@@ -48,6 +48,10 @@ void svm_vmcb_dump(const char *from, struct vmcb_struct *vmcb)
+            vmcb->tlb_control,
+            (unsigned long long)vmcb->_vintr.bytes,
+            (unsigned long long)vmcb->interrupt_shadow);
++    printk("eventinj %016"PRIx64", valid? %d, ec? %d, type %u, vector %#x\n",
++           vmcb->eventinj.bytes, vmcb->eventinj.fields.v,
++           vmcb->eventinj.fields.ev, vmcb->eventinj.fields.type,
++           vmcb->eventinj.fields.vector);
+     printk("exitcode = %#Lx exitintinfo = %#Lx\n",
+            (unsigned long long)vmcb->exitcode,
+            (unsigned long long)vmcb->exitintinfo.bytes);