diff -r 55b3a1acb259 xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c	Fri Oct 21 11:15:06 2011 +0200
+++ b/xen/arch/x86/hvm/hvm.c	Fri Oct 21 15:16:13 2011 +0200
@@ -1208,6 +1208,10 @@ int hvm_hap_nested_page_fault(unsigned l
             return 0;
         case NESTEDHVM_PAGEFAULT_INJECT:
             return -1;
+        case NESTEDHVM_PAGEFAULT_MMIO:
+            if ( !handle_mmio() )
+                hvm_inject_exception(TRAP_gp_fault, 0, 0);
+            return 1;
         }
     }
 
diff -r 55b3a1acb259 xen/arch/x86/hvm/svm/nestedsvm.c
--- a/xen/arch/x86/hvm/svm/nestedsvm.c	Fri Oct 21 11:15:06 2011 +0200
+++ b/xen/arch/x86/hvm/svm/nestedsvm.c	Fri Oct 21 15:16:13 2011 +0200
@@ -1165,6 +1165,15 @@ enum hvm_intblk nsvm_intr_blocked(struct
         if ( svm->ns_hostflags.fields.vintrmask )
             if ( !svm->ns_hostflags.fields.rflagsif )
                 return hvm_intblk_rflags_ie;
+
+        /* when l1 guest passes its devices through to the l2 guest
+         * and l2 guest does an MMIO access then we may want to
+         * inject an VMEXIT(#INTR) exitcode into the l1 guest.
+         * Delay the injection because this would result in delivering
+         * an interrupt *within* the execution of an instruction.
+         */
+        if ( v->arch.hvm_vcpu.io_state != HVMIO_none )
+            return hvm_intblk_shadow;
     }
 
     if ( nv->nv_vmexit_pending ) {
diff -r 55b3a1acb259 xen/arch/x86/mm/hap/nested_hap.c
--- a/xen/arch/x86/mm/hap/nested_hap.c	Fri Oct 21 11:15:06 2011 +0200
+++ b/xen/arch/x86/mm/hap/nested_hap.c	Fri Oct 21 15:16:13 2011 +0200
@@ -151,6 +151,9 @@ nestedhap_walk_L0_p2m(struct p2m_domain 
     mfn = gfn_to_mfn_type_p2m(p2m, L1_gpa >> PAGE_SHIFT, &p2mt, &p2ma, 
                               p2m_query, page_order);
 
+    if ( p2m_is_mmio(p2mt) )
+        return NESTEDHVM_PAGEFAULT_MMIO;
+
     if ( p2m_is_paging(p2mt) || p2m_is_shared(p2mt) || !p2m_is_ram(p2mt) )
         return NESTEDHVM_PAGEFAULT_ERROR;
 
@@ -228,6 +231,8 @@ nestedhvm_hap_nested_page_fault(struct v
         return rv;
     case NESTEDHVM_PAGEFAULT_DONE:
         break;
+    case NESTEDHVM_PAGEFAULT_MMIO:
+        return rv;
     default:
         BUG();
         break;
diff -r 55b3a1acb259 xen/include/asm-x86/hvm/nestedhvm.h
--- a/xen/include/asm-x86/hvm/nestedhvm.h	Fri Oct 21 11:15:06 2011 +0200
+++ b/xen/include/asm-x86/hvm/nestedhvm.h	Fri Oct 21 15:16:13 2011 +0200
@@ -50,6 +50,7 @@ bool_t nestedhvm_vcpu_in_guestmode(struc
 #define NESTEDHVM_PAGEFAULT_DONE   0
 #define NESTEDHVM_PAGEFAULT_INJECT 1
 #define NESTEDHVM_PAGEFAULT_ERROR  2
+#define NESTEDHVM_PAGEFAULT_MMIO   3
 int nestedhvm_hap_nested_page_fault(struct vcpu *v, paddr_t L2_gpa);
 
 /* IO permission map */