2 * Kernel-based Virtual Machine driver for Linux
4 * This module enables machines with Intel VT-x extensions to run virtual
5 * machines without emulation or binary translation.
9 * Copyright (C) 2006 Qumranet, Inc.
12 * Yaniv Kamay <yaniv@qumranet.com>
13 * Avi Kivity <avi@qumranet.com>
15 * This work is licensed under the terms of the GNU GPL, version 2. See
16 * the COPYING file in the top-level directory.
22 #include <linux/kvm_host.h>
23 #include <linux/types.h>
24 #include <linux/string.h>
26 #include <linux/highmem.h>
27 #include <linux/module.h>
28 #include <linux/swap.h>
29 #include <linux/hugetlb.h>
30 #include <linux/compiler.h>
33 #include <asm/cmpxchg.h>
38 * When setting this variable to true it enables Two-Dimensional-Paging
39 * where the hardware walks 2 page tables:
40 * 1. the guest-virtual to guest-physical
41 * 2. while doing 1. it walks guest-physical to host-physical
42 * If the hardware supports that we don't need to do shadow paging.
44 bool tdp_enabled = false;
51 static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg);
53 static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg) {}
58 #define pgprintk(x...) do { if (dbg) printk(x); } while (0)
59 #define rmap_printk(x...) do { if (dbg) printk(x); } while (0)
63 #define pgprintk(x...) do { } while (0)
64 #define rmap_printk(x...) do { } while (0)
68 #if defined(MMU_DEBUG) || defined(AUDIT)
70 module_param(dbg, bool, 0644);
73 static int oos_shadow = 1;
74 module_param(oos_shadow, bool, 0644);
77 #define ASSERT(x) do { } while (0)
81 printk(KERN_WARNING "assertion failed %s:%d: %s\n", \
82 __FILE__, __LINE__, #x); \
86 #define PT_FIRST_AVAIL_BITS_SHIFT 9
87 #define PT64_SECOND_AVAIL_BITS_SHIFT 52
89 #define VALID_PAGE(x) ((x) != INVALID_PAGE)
91 #define PT64_LEVEL_BITS 9
93 #define PT64_LEVEL_SHIFT(level) \
94 (PAGE_SHIFT + (level - 1) * PT64_LEVEL_BITS)
96 #define PT64_LEVEL_MASK(level) \
97 (((1ULL << PT64_LEVEL_BITS) - 1) << PT64_LEVEL_SHIFT(level))
99 #define PT64_INDEX(address, level)\
100 (((address) >> PT64_LEVEL_SHIFT(level)) & ((1 << PT64_LEVEL_BITS) - 1))
103 #define PT32_LEVEL_BITS 10
105 #define PT32_LEVEL_SHIFT(level) \
106 (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)
108 #define PT32_LEVEL_MASK(level) \
109 (((1ULL << PT32_LEVEL_BITS) - 1) << PT32_LEVEL_SHIFT(level))
111 #define PT32_INDEX(address, level)\
112 (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))
115 #define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
116 #define PT64_DIR_BASE_ADDR_MASK \
117 (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1))
119 #define PT32_BASE_ADDR_MASK PAGE_MASK
120 #define PT32_DIR_BASE_ADDR_MASK \
121 (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + PT32_LEVEL_BITS)) - 1))
123 #define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | PT_USER_MASK \
126 #define PFERR_PRESENT_MASK (1U << 0)
127 #define PFERR_WRITE_MASK (1U << 1)
128 #define PFERR_USER_MASK (1U << 2)
129 #define PFERR_FETCH_MASK (1U << 4)
131 #define PT_DIRECTORY_LEVEL 2
132 #define PT_PAGE_TABLE_LEVEL 1
136 #define ACC_EXEC_MASK 1
137 #define ACC_WRITE_MASK PT_WRITABLE_MASK
138 #define ACC_USER_MASK PT_USER_MASK
139 #define ACC_ALL (ACC_EXEC_MASK | ACC_WRITE_MASK | ACC_USER_MASK)
141 #define SHADOW_PT_INDEX(addr, level) PT64_INDEX(addr, level)
143 struct kvm_rmap_desc {
144 u64 *shadow_ptes[RMAP_EXT];
145 struct kvm_rmap_desc *more;
148 struct kvm_shadow_walk_iterator {
156 #define for_each_shadow_entry(_vcpu, _addr, _walker) \
157 for (shadow_walk_init(&(_walker), _vcpu, _addr); \
158 shadow_walk_okay(&(_walker)); \
159 shadow_walk_next(&(_walker)))
162 struct kvm_unsync_walk {
163 int (*entry) (struct kvm_mmu_page *sp, struct kvm_unsync_walk *walk);
166 typedef int (*mmu_parent_walk_fn) (struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp);
168 static struct kmem_cache *pte_chain_cache;
169 static struct kmem_cache *rmap_desc_cache;
170 static struct kmem_cache *mmu_page_header_cache;
172 static u64 __read_mostly shadow_trap_nonpresent_pte;
173 static u64 __read_mostly shadow_notrap_nonpresent_pte;
174 static u64 __read_mostly shadow_base_present_pte;
175 static u64 __read_mostly shadow_nx_mask;
176 static u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
177 static u64 __read_mostly shadow_user_mask;
178 static u64 __read_mostly shadow_accessed_mask;
179 static u64 __read_mostly shadow_dirty_mask;
180 static u64 __read_mostly shadow_mt_mask;
182 void kvm_mmu_set_nonpresent_ptes(u64 trap_pte, u64 notrap_pte)
184 shadow_trap_nonpresent_pte = trap_pte;
185 shadow_notrap_nonpresent_pte = notrap_pte;
187 EXPORT_SYMBOL_GPL(kvm_mmu_set_nonpresent_ptes);
189 void kvm_mmu_set_base_ptes(u64 base_pte)
191 shadow_base_present_pte = base_pte;
193 EXPORT_SYMBOL_GPL(kvm_mmu_set_base_ptes);
195 void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask,
196 u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 mt_mask)
198 shadow_user_mask = user_mask;
199 shadow_accessed_mask = accessed_mask;
200 shadow_dirty_mask = dirty_mask;
201 shadow_nx_mask = nx_mask;
202 shadow_x_mask = x_mask;
203 shadow_mt_mask = mt_mask;
205 EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);
207 static int is_write_protection(struct kvm_vcpu *vcpu)
209 return vcpu->arch.cr0 & X86_CR0_WP;
212 static int is_cpuid_PSE36(void)
217 static int is_nx(struct kvm_vcpu *vcpu)
219 return vcpu->arch.shadow_efer & EFER_NX;
222 static int is_present_pte(unsigned long pte)
224 return pte & PT_PRESENT_MASK;
227 static int is_shadow_present_pte(u64 pte)
229 return pte != shadow_trap_nonpresent_pte
230 && pte != shadow_notrap_nonpresent_pte;
233 static int is_large_pte(u64 pte)
235 return pte & PT_PAGE_SIZE_MASK;
238 static int is_writeble_pte(unsigned long pte)
240 return pte & PT_WRITABLE_MASK;
243 static int is_dirty_pte(unsigned long pte)
245 return pte & shadow_dirty_mask;
248 static int is_rmap_pte(u64 pte)
250 return is_shadow_present_pte(pte);
253 static pfn_t spte_to_pfn(u64 pte)
255 return (pte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;
258 static gfn_t pse36_gfn_delta(u32 gpte)
260 int shift = 32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT;
262 return (gpte & PT32_DIR_PSE36_MASK) << shift;
265 static void set_shadow_pte(u64 *sptep, u64 spte)
268 set_64bit((unsigned long *)sptep, spte);
270 set_64bit((unsigned long long *)sptep, spte);
274 static int mmu_topup_memory_cache(struct kvm_mmu_memory_cache *cache,
275 struct kmem_cache *base_cache, int min)
279 if (cache->nobjs >= min)
281 while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
282 obj = kmem_cache_zalloc(base_cache, GFP_KERNEL);
285 cache->objects[cache->nobjs++] = obj;
290 static void mmu_free_memory_cache(struct kvm_mmu_memory_cache *mc)
293 kfree(mc->objects[--mc->nobjs]);
296 static int mmu_topup_memory_cache_page(struct kvm_mmu_memory_cache *cache,
301 if (cache->nobjs >= min)
303 while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
304 page = alloc_page(GFP_KERNEL);
307 set_page_private(page, 0);
308 cache->objects[cache->nobjs++] = page_address(page);
313 static void mmu_free_memory_cache_page(struct kvm_mmu_memory_cache *mc)
316 free_page((unsigned long)mc->objects[--mc->nobjs]);
319 static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu)
323 r = mmu_topup_memory_cache(&vcpu->arch.mmu_pte_chain_cache,
327 r = mmu_topup_memory_cache(&vcpu->arch.mmu_rmap_desc_cache,
331 r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8);
334 r = mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
335 mmu_page_header_cache, 4);
340 static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
342 mmu_free_memory_cache(&vcpu->arch.mmu_pte_chain_cache);
343 mmu_free_memory_cache(&vcpu->arch.mmu_rmap_desc_cache);
344 mmu_free_memory_cache_page(&vcpu->arch.mmu_page_cache);
345 mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache);
348 static void *mmu_memory_cache_alloc(struct kvm_mmu_memory_cache *mc,
354 p = mc->objects[--mc->nobjs];
359 static struct kvm_pte_chain *mmu_alloc_pte_chain(struct kvm_vcpu *vcpu)
361 return mmu_memory_cache_alloc(&vcpu->arch.mmu_pte_chain_cache,
362 sizeof(struct kvm_pte_chain));
365 static void mmu_free_pte_chain(struct kvm_pte_chain *pc)
370 static struct kvm_rmap_desc *mmu_alloc_rmap_desc(struct kvm_vcpu *vcpu)
372 return mmu_memory_cache_alloc(&vcpu->arch.mmu_rmap_desc_cache,
373 sizeof(struct kvm_rmap_desc));
376 static void mmu_free_rmap_desc(struct kvm_rmap_desc *rd)
382 * Return the pointer to the largepage write count for a given
383 * gfn, handling slots that are not large page aligned.
385 static int *slot_largepage_idx(gfn_t gfn, struct kvm_memory_slot *slot)
389 idx = (gfn / KVM_PAGES_PER_HPAGE) -
390 (slot->base_gfn / KVM_PAGES_PER_HPAGE);
391 return &slot->lpage_info[idx].write_count;
394 static void account_shadowed(struct kvm *kvm, gfn_t gfn)
398 gfn = unalias_gfn(kvm, gfn);
399 write_count = slot_largepage_idx(gfn,
400 gfn_to_memslot_unaliased(kvm, gfn));
404 static void unaccount_shadowed(struct kvm *kvm, gfn_t gfn)
408 gfn = unalias_gfn(kvm, gfn);
409 write_count = slot_largepage_idx(gfn,
410 gfn_to_memslot_unaliased(kvm, gfn));
412 WARN_ON(*write_count < 0);
415 static int has_wrprotected_page(struct kvm *kvm, gfn_t gfn)
417 struct kvm_memory_slot *slot;
420 gfn = unalias_gfn(kvm, gfn);
421 slot = gfn_to_memslot_unaliased(kvm, gfn);
423 largepage_idx = slot_largepage_idx(gfn, slot);
424 return *largepage_idx;
430 static int host_largepage_backed(struct kvm *kvm, gfn_t gfn)
432 struct vm_area_struct *vma;
436 addr = gfn_to_hva(kvm, gfn);
437 if (kvm_is_error_hva(addr))
440 down_read(¤t->mm->mmap_sem);
441 vma = find_vma(current->mm, addr);
442 if (vma && is_vm_hugetlb_page(vma))
444 up_read(¤t->mm->mmap_sem);
449 static int is_largepage_backed(struct kvm_vcpu *vcpu, gfn_t large_gfn)
451 struct kvm_memory_slot *slot;
453 if (has_wrprotected_page(vcpu->kvm, large_gfn))
456 if (!host_largepage_backed(vcpu->kvm, large_gfn))
459 slot = gfn_to_memslot(vcpu->kvm, large_gfn);
460 if (slot && slot->dirty_bitmap)
467 * Take gfn and return the reverse mapping to it.
468 * Note: gfn must be unaliased before this function get called
471 static unsigned long *gfn_to_rmap(struct kvm *kvm, gfn_t gfn, int lpage)
473 struct kvm_memory_slot *slot;
476 slot = gfn_to_memslot(kvm, gfn);
478 return &slot->rmap[gfn - slot->base_gfn];
480 idx = (gfn / KVM_PAGES_PER_HPAGE) -
481 (slot->base_gfn / KVM_PAGES_PER_HPAGE);
483 return &slot->lpage_info[idx].rmap_pde;
487 * Reverse mapping data structures:
489 * If rmapp bit zero is zero, then rmapp point to the shadw page table entry
490 * that points to page_address(page).
492 * If rmapp bit zero is one, (then rmap & ~1) points to a struct kvm_rmap_desc
493 * containing more mappings.
495 static void rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
497 struct kvm_mmu_page *sp;
498 struct kvm_rmap_desc *desc;
499 unsigned long *rmapp;
502 if (!is_rmap_pte(*spte))
504 gfn = unalias_gfn(vcpu->kvm, gfn);
505 sp = page_header(__pa(spte));
506 sp->gfns[spte - sp->spt] = gfn;
507 rmapp = gfn_to_rmap(vcpu->kvm, gfn, lpage);
509 rmap_printk("rmap_add: %p %llx 0->1\n", spte, *spte);
510 *rmapp = (unsigned long)spte;
511 } else if (!(*rmapp & 1)) {
512 rmap_printk("rmap_add: %p %llx 1->many\n", spte, *spte);
513 desc = mmu_alloc_rmap_desc(vcpu);
514 desc->shadow_ptes[0] = (u64 *)*rmapp;
515 desc->shadow_ptes[1] = spte;
516 *rmapp = (unsigned long)desc | 1;
518 rmap_printk("rmap_add: %p %llx many->many\n", spte, *spte);
519 desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
520 while (desc->shadow_ptes[RMAP_EXT-1] && desc->more)
522 if (desc->shadow_ptes[RMAP_EXT-1]) {
523 desc->more = mmu_alloc_rmap_desc(vcpu);
526 for (i = 0; desc->shadow_ptes[i]; ++i)
528 desc->shadow_ptes[i] = spte;
532 static void rmap_desc_remove_entry(unsigned long *rmapp,
533 struct kvm_rmap_desc *desc,
535 struct kvm_rmap_desc *prev_desc)
539 for (j = RMAP_EXT - 1; !desc->shadow_ptes[j] && j > i; --j)
541 desc->shadow_ptes[i] = desc->shadow_ptes[j];
542 desc->shadow_ptes[j] = NULL;
545 if (!prev_desc && !desc->more)
546 *rmapp = (unsigned long)desc->shadow_ptes[0];
549 prev_desc->more = desc->more;
551 *rmapp = (unsigned long)desc->more | 1;
552 mmu_free_rmap_desc(desc);
555 static void rmap_remove(struct kvm *kvm, u64 *spte)
557 struct kvm_rmap_desc *desc;
558 struct kvm_rmap_desc *prev_desc;
559 struct kvm_mmu_page *sp;
561 unsigned long *rmapp;
564 if (!is_rmap_pte(*spte))
566 sp = page_header(__pa(spte));
567 pfn = spte_to_pfn(*spte);
568 if (*spte & shadow_accessed_mask)
569 kvm_set_pfn_accessed(pfn);
570 if (is_writeble_pte(*spte))
571 kvm_release_pfn_dirty(pfn);
573 kvm_release_pfn_clean(pfn);
574 rmapp = gfn_to_rmap(kvm, sp->gfns[spte - sp->spt], is_large_pte(*spte));
576 printk(KERN_ERR "rmap_remove: %p %llx 0->BUG\n", spte, *spte);
578 } else if (!(*rmapp & 1)) {
579 rmap_printk("rmap_remove: %p %llx 1->0\n", spte, *spte);
580 if ((u64 *)*rmapp != spte) {
581 printk(KERN_ERR "rmap_remove: %p %llx 1->BUG\n",
587 rmap_printk("rmap_remove: %p %llx many->many\n", spte, *spte);
588 desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
591 for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i)
592 if (desc->shadow_ptes[i] == spte) {
593 rmap_desc_remove_entry(rmapp,
605 static u64 *rmap_next(struct kvm *kvm, unsigned long *rmapp, u64 *spte)
607 struct kvm_rmap_desc *desc;
608 struct kvm_rmap_desc *prev_desc;
614 else if (!(*rmapp & 1)) {
616 return (u64 *)*rmapp;
619 desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
623 for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i) {
624 if (prev_spte == spte)
625 return desc->shadow_ptes[i];
626 prev_spte = desc->shadow_ptes[i];
633 static int rmap_write_protect(struct kvm *kvm, u64 gfn)
635 unsigned long *rmapp;
637 int write_protected = 0;
639 gfn = unalias_gfn(kvm, gfn);
640 rmapp = gfn_to_rmap(kvm, gfn, 0);
642 spte = rmap_next(kvm, rmapp, NULL);
645 BUG_ON(!(*spte & PT_PRESENT_MASK));
646 rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte);
647 if (is_writeble_pte(*spte)) {
648 set_shadow_pte(spte, *spte & ~PT_WRITABLE_MASK);
651 spte = rmap_next(kvm, rmapp, spte);
653 if (write_protected) {
656 spte = rmap_next(kvm, rmapp, NULL);
657 pfn = spte_to_pfn(*spte);
658 kvm_set_pfn_dirty(pfn);
661 /* check for huge page mappings */
662 rmapp = gfn_to_rmap(kvm, gfn, 1);
663 spte = rmap_next(kvm, rmapp, NULL);
666 BUG_ON(!(*spte & PT_PRESENT_MASK));
667 BUG_ON((*spte & (PT_PAGE_SIZE_MASK|PT_PRESENT_MASK)) != (PT_PAGE_SIZE_MASK|PT_PRESENT_MASK));
668 pgprintk("rmap_write_protect(large): spte %p %llx %lld\n", spte, *spte, gfn);
669 if (is_writeble_pte(*spte)) {
670 rmap_remove(kvm, spte);
672 set_shadow_pte(spte, shadow_trap_nonpresent_pte);
676 spte = rmap_next(kvm, rmapp, spte);
679 return write_protected;
682 static int kvm_unmap_rmapp(struct kvm *kvm, unsigned long *rmapp)
685 int need_tlb_flush = 0;
687 while ((spte = rmap_next(kvm, rmapp, NULL))) {
688 BUG_ON(!(*spte & PT_PRESENT_MASK));
689 rmap_printk("kvm_rmap_unmap_hva: spte %p %llx\n", spte, *spte);
690 rmap_remove(kvm, spte);
691 set_shadow_pte(spte, shadow_trap_nonpresent_pte);
694 return need_tlb_flush;
697 static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
698 int (*handler)(struct kvm *kvm, unsigned long *rmapp))
704 * If mmap_sem isn't taken, we can look the memslots with only
705 * the mmu_lock by skipping over the slots with userspace_addr == 0.
707 for (i = 0; i < kvm->nmemslots; i++) {
708 struct kvm_memory_slot *memslot = &kvm->memslots[i];
709 unsigned long start = memslot->userspace_addr;
712 /* mmu_lock protects userspace_addr */
716 end = start + (memslot->npages << PAGE_SHIFT);
717 if (hva >= start && hva < end) {
718 gfn_t gfn_offset = (hva - start) >> PAGE_SHIFT;
719 retval |= handler(kvm, &memslot->rmap[gfn_offset]);
720 retval |= handler(kvm,
721 &memslot->lpage_info[
723 KVM_PAGES_PER_HPAGE].rmap_pde);
730 int kvm_unmap_hva(struct kvm *kvm, unsigned long hva)
732 return kvm_handle_hva(kvm, hva, kvm_unmap_rmapp);
735 static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp)
740 /* always return old for EPT */
741 if (!shadow_accessed_mask)
744 spte = rmap_next(kvm, rmapp, NULL);
748 BUG_ON(!(_spte & PT_PRESENT_MASK));
749 _young = _spte & PT_ACCESSED_MASK;
752 clear_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
754 spte = rmap_next(kvm, rmapp, spte);
759 int kvm_age_hva(struct kvm *kvm, unsigned long hva)
761 return kvm_handle_hva(kvm, hva, kvm_age_rmapp);
765 static int is_empty_shadow_page(u64 *spt)
770 for (pos = spt, end = pos + PAGE_SIZE / sizeof(u64); pos != end; pos++)
771 if (is_shadow_present_pte(*pos)) {
772 printk(KERN_ERR "%s: %p %llx\n", __func__,
780 static void kvm_mmu_free_page(struct kvm *kvm, struct kvm_mmu_page *sp)
782 ASSERT(is_empty_shadow_page(sp->spt));
784 __free_page(virt_to_page(sp->spt));
785 __free_page(virt_to_page(sp->gfns));
787 ++kvm->arch.n_free_mmu_pages;
790 static unsigned kvm_page_table_hashfn(gfn_t gfn)
792 return gfn & ((1 << KVM_MMU_HASH_SHIFT) - 1);
795 static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu,
798 struct kvm_mmu_page *sp;
800 sp = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache, sizeof *sp);
801 sp->spt = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache, PAGE_SIZE);
802 sp->gfns = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache, PAGE_SIZE);
803 set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
804 list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
805 INIT_LIST_HEAD(&sp->oos_link);
806 ASSERT(is_empty_shadow_page(sp->spt));
807 bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS);
809 sp->parent_pte = parent_pte;
810 --vcpu->kvm->arch.n_free_mmu_pages;
814 static void mmu_page_add_parent_pte(struct kvm_vcpu *vcpu,
815 struct kvm_mmu_page *sp, u64 *parent_pte)
817 struct kvm_pte_chain *pte_chain;
818 struct hlist_node *node;
823 if (!sp->multimapped) {
824 u64 *old = sp->parent_pte;
827 sp->parent_pte = parent_pte;
831 pte_chain = mmu_alloc_pte_chain(vcpu);
832 INIT_HLIST_HEAD(&sp->parent_ptes);
833 hlist_add_head(&pte_chain->link, &sp->parent_ptes);
834 pte_chain->parent_ptes[0] = old;
836 hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link) {
837 if (pte_chain->parent_ptes[NR_PTE_CHAIN_ENTRIES-1])
839 for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i)
840 if (!pte_chain->parent_ptes[i]) {
841 pte_chain->parent_ptes[i] = parent_pte;
845 pte_chain = mmu_alloc_pte_chain(vcpu);
847 hlist_add_head(&pte_chain->link, &sp->parent_ptes);
848 pte_chain->parent_ptes[0] = parent_pte;
851 static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp,
854 struct kvm_pte_chain *pte_chain;
855 struct hlist_node *node;
858 if (!sp->multimapped) {
859 BUG_ON(sp->parent_pte != parent_pte);
860 sp->parent_pte = NULL;
863 hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link)
864 for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i) {
865 if (!pte_chain->parent_ptes[i])
867 if (pte_chain->parent_ptes[i] != parent_pte)
869 while (i + 1 < NR_PTE_CHAIN_ENTRIES
870 && pte_chain->parent_ptes[i + 1]) {
871 pte_chain->parent_ptes[i]
872 = pte_chain->parent_ptes[i + 1];
875 pte_chain->parent_ptes[i] = NULL;
877 hlist_del(&pte_chain->link);
878 mmu_free_pte_chain(pte_chain);
879 if (hlist_empty(&sp->parent_ptes)) {
881 sp->parent_pte = NULL;
890 static void mmu_parent_walk(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
891 mmu_parent_walk_fn fn)
893 struct kvm_pte_chain *pte_chain;
894 struct hlist_node *node;
895 struct kvm_mmu_page *parent_sp;
898 if (!sp->multimapped && sp->parent_pte) {
899 parent_sp = page_header(__pa(sp->parent_pte));
901 mmu_parent_walk(vcpu, parent_sp, fn);
904 hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link)
905 for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i) {
906 if (!pte_chain->parent_ptes[i])
908 parent_sp = page_header(__pa(pte_chain->parent_ptes[i]));
910 mmu_parent_walk(vcpu, parent_sp, fn);
914 static void kvm_mmu_update_unsync_bitmap(u64 *spte)
917 struct kvm_mmu_page *sp = page_header(__pa(spte));
919 index = spte - sp->spt;
920 if (!__test_and_set_bit(index, sp->unsync_child_bitmap))
921 sp->unsync_children++;
922 WARN_ON(!sp->unsync_children);
925 static void kvm_mmu_update_parents_unsync(struct kvm_mmu_page *sp)
927 struct kvm_pte_chain *pte_chain;
928 struct hlist_node *node;
934 if (!sp->multimapped) {
935 kvm_mmu_update_unsync_bitmap(sp->parent_pte);
939 hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link)
940 for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i) {
941 if (!pte_chain->parent_ptes[i])
943 kvm_mmu_update_unsync_bitmap(pte_chain->parent_ptes[i]);
947 static int unsync_walk_fn(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
949 kvm_mmu_update_parents_unsync(sp);
953 static void kvm_mmu_mark_parents_unsync(struct kvm_vcpu *vcpu,
954 struct kvm_mmu_page *sp)
956 mmu_parent_walk(vcpu, sp, unsync_walk_fn);
957 kvm_mmu_update_parents_unsync(sp);
960 static void nonpaging_prefetch_page(struct kvm_vcpu *vcpu,
961 struct kvm_mmu_page *sp)
965 for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
966 sp->spt[i] = shadow_trap_nonpresent_pte;
969 static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
970 struct kvm_mmu_page *sp)
975 static void nonpaging_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
979 #define KVM_PAGE_ARRAY_NR 16
981 struct kvm_mmu_pages {
982 struct mmu_page_and_offset {
983 struct kvm_mmu_page *sp;
985 } page[KVM_PAGE_ARRAY_NR];
989 #define for_each_unsync_children(bitmap, idx) \
990 for (idx = find_first_bit(bitmap, 512); \
992 idx = find_next_bit(bitmap, 512, idx+1))
994 int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
1000 for (i=0; i < pvec->nr; i++)
1001 if (pvec->page[i].sp == sp)
1004 pvec->page[pvec->nr].sp = sp;
1005 pvec->page[pvec->nr].idx = idx;
1007 return (pvec->nr == KVM_PAGE_ARRAY_NR);
1010 static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
1011 struct kvm_mmu_pages *pvec)
1013 int i, ret, nr_unsync_leaf = 0;
1015 for_each_unsync_children(sp->unsync_child_bitmap, i) {
1016 u64 ent = sp->spt[i];
1018 if (is_shadow_present_pte(ent) && !is_large_pte(ent)) {
1019 struct kvm_mmu_page *child;
1020 child = page_header(ent & PT64_BASE_ADDR_MASK);
1022 if (child->unsync_children) {
1023 if (mmu_pages_add(pvec, child, i))
1026 ret = __mmu_unsync_walk(child, pvec);
1028 __clear_bit(i, sp->unsync_child_bitmap);
1030 nr_unsync_leaf += ret;
1035 if (child->unsync) {
1037 if (mmu_pages_add(pvec, child, i))
1043 if (find_first_bit(sp->unsync_child_bitmap, 512) == 512)
1044 sp->unsync_children = 0;
1046 return nr_unsync_leaf;
1049 static int mmu_unsync_walk(struct kvm_mmu_page *sp,
1050 struct kvm_mmu_pages *pvec)
1052 if (!sp->unsync_children)
1055 mmu_pages_add(pvec, sp, 0);
1056 return __mmu_unsync_walk(sp, pvec);
1059 static struct kvm_mmu_page *kvm_mmu_lookup_page(struct kvm *kvm, gfn_t gfn)
1062 struct hlist_head *bucket;
1063 struct kvm_mmu_page *sp;
1064 struct hlist_node *node;
1066 pgprintk("%s: looking for gfn %lx\n", __func__, gfn);
1067 index = kvm_page_table_hashfn(gfn);
1068 bucket = &kvm->arch.mmu_page_hash[index];
1069 hlist_for_each_entry(sp, node, bucket, hash_link)
1070 if (sp->gfn == gfn && !sp->role.metaphysical
1071 && !sp->role.invalid) {
1072 pgprintk("%s: found role %x\n",
1073 __func__, sp->role.word);
1079 static void kvm_unlink_unsync_global(struct kvm *kvm, struct kvm_mmu_page *sp)
1081 list_del(&sp->oos_link);
1082 --kvm->stat.mmu_unsync_global;
1085 static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1087 WARN_ON(!sp->unsync);
1090 kvm_unlink_unsync_global(kvm, sp);
1091 --kvm->stat.mmu_unsync;
1094 static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp);
1096 static int kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
1098 if (sp->role.glevels != vcpu->arch.mmu.root_level) {
1099 kvm_mmu_zap_page(vcpu->kvm, sp);
1103 if (rmap_write_protect(vcpu->kvm, sp->gfn))
1104 kvm_flush_remote_tlbs(vcpu->kvm);
1105 kvm_unlink_unsync_page(vcpu->kvm, sp);
1106 if (vcpu->arch.mmu.sync_page(vcpu, sp)) {
1107 kvm_mmu_zap_page(vcpu->kvm, sp);
1111 kvm_mmu_flush_tlb(vcpu);
1115 struct mmu_page_path {
1116 struct kvm_mmu_page *parent[PT64_ROOT_LEVEL-1];
1117 unsigned int idx[PT64_ROOT_LEVEL-1];
1120 #define for_each_sp(pvec, sp, parents, i) \
1121 for (i = mmu_pages_next(&pvec, &parents, -1), \
1122 sp = pvec.page[i].sp; \
1123 i < pvec.nr && ({ sp = pvec.page[i].sp; 1;}); \
1124 i = mmu_pages_next(&pvec, &parents, i))
1126 int mmu_pages_next(struct kvm_mmu_pages *pvec, struct mmu_page_path *parents,
1131 for (n = i+1; n < pvec->nr; n++) {
1132 struct kvm_mmu_page *sp = pvec->page[n].sp;
1134 if (sp->role.level == PT_PAGE_TABLE_LEVEL) {
1135 parents->idx[0] = pvec->page[n].idx;
1139 parents->parent[sp->role.level-2] = sp;
1140 parents->idx[sp->role.level-1] = pvec->page[n].idx;
1146 void mmu_pages_clear_parents(struct mmu_page_path *parents)
1148 struct kvm_mmu_page *sp;
1149 unsigned int level = 0;
1152 unsigned int idx = parents->idx[level];
1154 sp = parents->parent[level];
1158 --sp->unsync_children;
1159 WARN_ON((int)sp->unsync_children < 0);
1160 __clear_bit(idx, sp->unsync_child_bitmap);
1162 } while (level < PT64_ROOT_LEVEL-1 && !sp->unsync_children);
1165 static void kvm_mmu_pages_init(struct kvm_mmu_page *parent,
1166 struct mmu_page_path *parents,
1167 struct kvm_mmu_pages *pvec)
1169 parents->parent[parent->role.level-1] = NULL;
1173 static void mmu_sync_children(struct kvm_vcpu *vcpu,
1174 struct kvm_mmu_page *parent)
1177 struct kvm_mmu_page *sp;
1178 struct mmu_page_path parents;
1179 struct kvm_mmu_pages pages;
1181 kvm_mmu_pages_init(parent, &parents, &pages);
1182 while (mmu_unsync_walk(parent, &pages)) {
1185 for_each_sp(pages, sp, parents, i)
1186 protected |= rmap_write_protect(vcpu->kvm, sp->gfn);
1189 kvm_flush_remote_tlbs(vcpu->kvm);
1191 for_each_sp(pages, sp, parents, i) {
1192 kvm_sync_page(vcpu, sp);
1193 mmu_pages_clear_parents(&parents);
1195 cond_resched_lock(&vcpu->kvm->mmu_lock);
1196 kvm_mmu_pages_init(parent, &parents, &pages);
1200 static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
1208 union kvm_mmu_page_role role;
1211 struct hlist_head *bucket;
1212 struct kvm_mmu_page *sp;
1213 struct hlist_node *node, *tmp;
1215 role = vcpu->arch.mmu.base_role;
1217 role.metaphysical = metaphysical;
1218 role.access = access;
1219 if (vcpu->arch.mmu.root_level <= PT32_ROOT_LEVEL) {
1220 quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
1221 quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
1222 role.quadrant = quadrant;
1224 pgprintk("%s: looking gfn %lx role %x\n", __func__,
1226 index = kvm_page_table_hashfn(gfn);
1227 bucket = &vcpu->kvm->arch.mmu_page_hash[index];
1228 hlist_for_each_entry_safe(sp, node, tmp, bucket, hash_link)
1229 if (sp->gfn == gfn) {
1231 if (kvm_sync_page(vcpu, sp))
1234 if (sp->role.word != role.word)
1237 mmu_page_add_parent_pte(vcpu, sp, parent_pte);
1238 if (sp->unsync_children) {
1239 set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests);
1240 kvm_mmu_mark_parents_unsync(vcpu, sp);
1242 pgprintk("%s: found\n", __func__);
1245 ++vcpu->kvm->stat.mmu_cache_miss;
1246 sp = kvm_mmu_alloc_page(vcpu, parent_pte);
1249 pgprintk("%s: adding gfn %lx role %x\n", __func__, gfn, role.word);
1252 sp->global = role.cr4_pge;
1253 hlist_add_head(&sp->hash_link, bucket);
1254 if (!metaphysical) {
1255 if (rmap_write_protect(vcpu->kvm, gfn))
1256 kvm_flush_remote_tlbs(vcpu->kvm);
1257 account_shadowed(vcpu->kvm, gfn);
1259 if (shadow_trap_nonpresent_pte != shadow_notrap_nonpresent_pte)
1260 vcpu->arch.mmu.prefetch_page(vcpu, sp);
1262 nonpaging_prefetch_page(vcpu, sp);
1266 static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
1267 struct kvm_vcpu *vcpu, u64 addr)
1269 iterator->addr = addr;
1270 iterator->shadow_addr = vcpu->arch.mmu.root_hpa;
1271 iterator->level = vcpu->arch.mmu.shadow_root_level;
1272 if (iterator->level == PT32E_ROOT_LEVEL) {
1273 iterator->shadow_addr
1274 = vcpu->arch.mmu.pae_root[(addr >> 30) & 3];
1275 iterator->shadow_addr &= PT64_BASE_ADDR_MASK;
1277 if (!iterator->shadow_addr)
1278 iterator->level = 0;
1282 static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
1284 if (iterator->level < PT_PAGE_TABLE_LEVEL)
1286 iterator->index = SHADOW_PT_INDEX(iterator->addr, iterator->level);
1287 iterator->sptep = ((u64 *)__va(iterator->shadow_addr)) + iterator->index;
1291 static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
1293 iterator->shadow_addr = *iterator->sptep & PT64_BASE_ADDR_MASK;
1297 static void kvm_mmu_page_unlink_children(struct kvm *kvm,
1298 struct kvm_mmu_page *sp)
1306 if (sp->role.level == PT_PAGE_TABLE_LEVEL) {
1307 for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
1308 if (is_shadow_present_pte(pt[i]))
1309 rmap_remove(kvm, &pt[i]);
1310 pt[i] = shadow_trap_nonpresent_pte;
1315 for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
1318 if (is_shadow_present_pte(ent)) {
1319 if (!is_large_pte(ent)) {
1320 ent &= PT64_BASE_ADDR_MASK;
1321 mmu_page_remove_parent_pte(page_header(ent),
1325 rmap_remove(kvm, &pt[i]);
1328 pt[i] = shadow_trap_nonpresent_pte;
1332 static void kvm_mmu_put_page(struct kvm_mmu_page *sp, u64 *parent_pte)
1334 mmu_page_remove_parent_pte(sp, parent_pte);
1337 static void kvm_mmu_reset_last_pte_updated(struct kvm *kvm)
1341 for (i = 0; i < KVM_MAX_VCPUS; ++i)
1343 kvm->vcpus[i]->arch.last_pte_updated = NULL;
1346 static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
1350 while (sp->multimapped || sp->parent_pte) {
1351 if (!sp->multimapped)
1352 parent_pte = sp->parent_pte;
1354 struct kvm_pte_chain *chain;
1356 chain = container_of(sp->parent_ptes.first,
1357 struct kvm_pte_chain, link);
1358 parent_pte = chain->parent_ptes[0];
1360 BUG_ON(!parent_pte);
1361 kvm_mmu_put_page(sp, parent_pte);
1362 set_shadow_pte(parent_pte, shadow_trap_nonpresent_pte);
1366 static int mmu_zap_unsync_children(struct kvm *kvm,
1367 struct kvm_mmu_page *parent)
1370 struct mmu_page_path parents;
1371 struct kvm_mmu_pages pages;
1373 if (parent->role.level == PT_PAGE_TABLE_LEVEL)
1376 kvm_mmu_pages_init(parent, &parents, &pages);
1377 while (mmu_unsync_walk(parent, &pages)) {
1378 struct kvm_mmu_page *sp;
1380 for_each_sp(pages, sp, parents, i) {
1381 kvm_mmu_zap_page(kvm, sp);
1382 mmu_pages_clear_parents(&parents);
1385 kvm_mmu_pages_init(parent, &parents, &pages);
1391 static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1394 ++kvm->stat.mmu_shadow_zapped;
1395 ret = mmu_zap_unsync_children(kvm, sp);
1396 kvm_mmu_page_unlink_children(kvm, sp);
1397 kvm_mmu_unlink_parents(kvm, sp);
1398 kvm_flush_remote_tlbs(kvm);
1399 if (!sp->role.invalid && !sp->role.metaphysical)
1400 unaccount_shadowed(kvm, sp->gfn);
1402 kvm_unlink_unsync_page(kvm, sp);
1403 if (!sp->root_count) {
1404 hlist_del(&sp->hash_link);
1405 kvm_mmu_free_page(kvm, sp);
1407 sp->role.invalid = 1;
1408 list_move(&sp->link, &kvm->arch.active_mmu_pages);
1409 kvm_reload_remote_mmus(kvm);
1411 kvm_mmu_reset_last_pte_updated(kvm);
1416 * Changing the number of mmu pages allocated to the vm
1417 * Note: if kvm_nr_mmu_pages is too small, you will get dead lock
1419 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages)
1422 * If we set the number of mmu pages to be smaller be than the
1423 * number of actived pages , we must to free some mmu pages before we
1427 if ((kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages) >
1429 int n_used_mmu_pages = kvm->arch.n_alloc_mmu_pages
1430 - kvm->arch.n_free_mmu_pages;
1432 while (n_used_mmu_pages > kvm_nr_mmu_pages) {
1433 struct kvm_mmu_page *page;
1435 page = container_of(kvm->arch.active_mmu_pages.prev,
1436 struct kvm_mmu_page, link);
1437 kvm_mmu_zap_page(kvm, page);
1440 kvm->arch.n_free_mmu_pages = 0;
1443 kvm->arch.n_free_mmu_pages += kvm_nr_mmu_pages
1444 - kvm->arch.n_alloc_mmu_pages;
1446 kvm->arch.n_alloc_mmu_pages = kvm_nr_mmu_pages;
1449 static int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
1452 struct hlist_head *bucket;
1453 struct kvm_mmu_page *sp;
1454 struct hlist_node *node, *n;
1457 pgprintk("%s: looking for gfn %lx\n", __func__, gfn);
1459 index = kvm_page_table_hashfn(gfn);
1460 bucket = &kvm->arch.mmu_page_hash[index];
1461 hlist_for_each_entry_safe(sp, node, n, bucket, hash_link)
1462 if (sp->gfn == gfn && !sp->role.metaphysical) {
1463 pgprintk("%s: gfn %lx role %x\n", __func__, gfn,
1466 if (kvm_mmu_zap_page(kvm, sp))
1472 static void mmu_unshadow(struct kvm *kvm, gfn_t gfn)
1475 struct hlist_head *bucket;
1476 struct kvm_mmu_page *sp;
1477 struct hlist_node *node, *nn;
1479 index = kvm_page_table_hashfn(gfn);
1480 bucket = &kvm->arch.mmu_page_hash[index];
1481 hlist_for_each_entry_safe(sp, node, nn, bucket, hash_link) {
1482 if (sp->gfn == gfn && !sp->role.metaphysical
1483 && !sp->role.invalid) {
1484 pgprintk("%s: zap %lx %x\n",
1485 __func__, gfn, sp->role.word);
1486 kvm_mmu_zap_page(kvm, sp);
1491 static void page_header_update_slot(struct kvm *kvm, void *pte, gfn_t gfn)
1493 int slot = memslot_id(kvm, gfn_to_memslot(kvm, gfn));
1494 struct kvm_mmu_page *sp = page_header(__pa(pte));
1496 __set_bit(slot, sp->slot_bitmap);
1499 static void mmu_convert_notrap(struct kvm_mmu_page *sp)
1504 if (shadow_trap_nonpresent_pte == shadow_notrap_nonpresent_pte)
1507 for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
1508 if (pt[i] == shadow_notrap_nonpresent_pte)
1509 set_shadow_pte(&pt[i], shadow_trap_nonpresent_pte);
1513 struct page *gva_to_page(struct kvm_vcpu *vcpu, gva_t gva)
1517 gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, gva);
1519 if (gpa == UNMAPPED_GVA)
1522 page = gfn_to_page(vcpu->kvm, gpa >> PAGE_SHIFT);
1528 * The function is based on mtrr_type_lookup() in
1529 * arch/x86/kernel/cpu/mtrr/generic.c
1531 static int get_mtrr_type(struct mtrr_state_type *mtrr_state,
1536 u8 prev_match, curr_match;
1537 int num_var_ranges = KVM_NR_VAR_MTRR;
1539 if (!mtrr_state->enabled)
1542 /* Make end inclusive end, instead of exclusive */
1545 /* Look in fixed ranges. Just return the type as per start */
1546 if (mtrr_state->have_fixed && (start < 0x100000)) {
1549 if (start < 0x80000) {
1551 idx += (start >> 16);
1552 return mtrr_state->fixed_ranges[idx];
1553 } else if (start < 0xC0000) {
1555 idx += ((start - 0x80000) >> 14);
1556 return mtrr_state->fixed_ranges[idx];
1557 } else if (start < 0x1000000) {
1559 idx += ((start - 0xC0000) >> 12);
1560 return mtrr_state->fixed_ranges[idx];
1565 * Look in variable ranges
1566 * Look of multiple ranges matching this address and pick type
1567 * as per MTRR precedence
1569 if (!(mtrr_state->enabled & 2))
1570 return mtrr_state->def_type;
1573 for (i = 0; i < num_var_ranges; ++i) {
1574 unsigned short start_state, end_state;
1576 if (!(mtrr_state->var_ranges[i].mask_lo & (1 << 11)))
1579 base = (((u64)mtrr_state->var_ranges[i].base_hi) << 32) +
1580 (mtrr_state->var_ranges[i].base_lo & PAGE_MASK);
1581 mask = (((u64)mtrr_state->var_ranges[i].mask_hi) << 32) +
1582 (mtrr_state->var_ranges[i].mask_lo & PAGE_MASK);
1584 start_state = ((start & mask) == (base & mask));
1585 end_state = ((end & mask) == (base & mask));
1586 if (start_state != end_state)
1589 if ((start & mask) != (base & mask))
1592 curr_match = mtrr_state->var_ranges[i].base_lo & 0xff;
1593 if (prev_match == 0xFF) {
1594 prev_match = curr_match;
1598 if (prev_match == MTRR_TYPE_UNCACHABLE ||
1599 curr_match == MTRR_TYPE_UNCACHABLE)
1600 return MTRR_TYPE_UNCACHABLE;
1602 if ((prev_match == MTRR_TYPE_WRBACK &&
1603 curr_match == MTRR_TYPE_WRTHROUGH) ||
1604 (prev_match == MTRR_TYPE_WRTHROUGH &&
1605 curr_match == MTRR_TYPE_WRBACK)) {
1606 prev_match = MTRR_TYPE_WRTHROUGH;
1607 curr_match = MTRR_TYPE_WRTHROUGH;
1610 if (prev_match != curr_match)
1611 return MTRR_TYPE_UNCACHABLE;
1614 if (prev_match != 0xFF)
1617 return mtrr_state->def_type;
1620 static u8 get_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn)
1624 mtrr = get_mtrr_type(&vcpu->arch.mtrr_state, gfn << PAGE_SHIFT,
1625 (gfn << PAGE_SHIFT) + PAGE_SIZE);
1626 if (mtrr == 0xfe || mtrr == 0xff)
1627 mtrr = MTRR_TYPE_WRBACK;
1631 static int kvm_unsync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
1634 struct hlist_head *bucket;
1635 struct kvm_mmu_page *s;
1636 struct hlist_node *node, *n;
1638 index = kvm_page_table_hashfn(sp->gfn);
1639 bucket = &vcpu->kvm->arch.mmu_page_hash[index];
1640 /* don't unsync if pagetable is shadowed with multiple roles */
1641 hlist_for_each_entry_safe(s, node, n, bucket, hash_link) {
1642 if (s->gfn != sp->gfn || s->role.metaphysical)
1644 if (s->role.word != sp->role.word)
1647 ++vcpu->kvm->stat.mmu_unsync;
1651 list_add(&sp->oos_link, &vcpu->kvm->arch.oos_global_pages);
1652 ++vcpu->kvm->stat.mmu_unsync_global;
1654 kvm_mmu_mark_parents_unsync(vcpu, sp);
1656 mmu_convert_notrap(sp);
1660 static int mmu_need_write_protect(struct kvm_vcpu *vcpu, gfn_t gfn,
1663 struct kvm_mmu_page *shadow;
1665 shadow = kvm_mmu_lookup_page(vcpu->kvm, gfn);
1667 if (shadow->role.level != PT_PAGE_TABLE_LEVEL)
1671 if (can_unsync && oos_shadow)
1672 return kvm_unsync_page(vcpu, shadow);
1678 static int set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
1679 unsigned pte_access, int user_fault,
1680 int write_fault, int dirty, int largepage,
1681 int global, gfn_t gfn, pfn_t pfn, bool speculative,
1686 u64 mt_mask = shadow_mt_mask;
1687 struct kvm_mmu_page *sp = page_header(__pa(shadow_pte));
1689 if (!global && sp->global) {
1692 kvm_unlink_unsync_global(vcpu->kvm, sp);
1693 kvm_mmu_mark_parents_unsync(vcpu, sp);
1698 * We don't set the accessed bit, since we sometimes want to see
1699 * whether the guest actually used the pte (in order to detect
1702 spte = shadow_base_present_pte | shadow_dirty_mask;
1704 spte |= shadow_accessed_mask;
1706 pte_access &= ~ACC_WRITE_MASK;
1707 if (pte_access & ACC_EXEC_MASK)
1708 spte |= shadow_x_mask;
1710 spte |= shadow_nx_mask;
1711 if (pte_access & ACC_USER_MASK)
1712 spte |= shadow_user_mask;
1714 spte |= PT_PAGE_SIZE_MASK;
1716 if (!kvm_is_mmio_pfn(pfn)) {
1717 mt_mask = get_memory_type(vcpu, gfn) <<
1718 kvm_x86_ops->get_mt_mask_shift();
1719 mt_mask |= VMX_EPT_IGMT_BIT;
1721 mt_mask = MTRR_TYPE_UNCACHABLE <<
1722 kvm_x86_ops->get_mt_mask_shift();
1726 spte |= (u64)pfn << PAGE_SHIFT;
1728 if ((pte_access & ACC_WRITE_MASK)
1729 || (write_fault && !is_write_protection(vcpu) && !user_fault)) {
1731 if (largepage && has_wrprotected_page(vcpu->kvm, gfn)) {
1733 spte = shadow_trap_nonpresent_pte;
1737 spte |= PT_WRITABLE_MASK;
1740 * Optimization: for pte sync, if spte was writable the hash
1741 * lookup is unnecessary (and expensive). Write protection
1742 * is responsibility of mmu_get_page / kvm_sync_page.
1743 * Same reasoning can be applied to dirty page accounting.
1745 if (!can_unsync && is_writeble_pte(*shadow_pte))
1748 if (mmu_need_write_protect(vcpu, gfn, can_unsync)) {
1749 pgprintk("%s: found shadow page for %lx, marking ro\n",
1752 pte_access &= ~ACC_WRITE_MASK;
1753 if (is_writeble_pte(spte))
1754 spte &= ~PT_WRITABLE_MASK;
1758 if (pte_access & ACC_WRITE_MASK)
1759 mark_page_dirty(vcpu->kvm, gfn);
1762 set_shadow_pte(shadow_pte, spte);
1766 static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
1767 unsigned pt_access, unsigned pte_access,
1768 int user_fault, int write_fault, int dirty,
1769 int *ptwrite, int largepage, int global,
1770 gfn_t gfn, pfn_t pfn, bool speculative)
1772 int was_rmapped = 0;
1773 int was_writeble = is_writeble_pte(*shadow_pte);
1775 pgprintk("%s: spte %llx access %x write_fault %d"
1776 " user_fault %d gfn %lx\n",
1777 __func__, *shadow_pte, pt_access,
1778 write_fault, user_fault, gfn);
1780 if (is_rmap_pte(*shadow_pte)) {
1782 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
1783 * the parent of the now unreachable PTE.
1785 if (largepage && !is_large_pte(*shadow_pte)) {
1786 struct kvm_mmu_page *child;
1787 u64 pte = *shadow_pte;
1789 child = page_header(pte & PT64_BASE_ADDR_MASK);
1790 mmu_page_remove_parent_pte(child, shadow_pte);
1791 } else if (pfn != spte_to_pfn(*shadow_pte)) {
1792 pgprintk("hfn old %lx new %lx\n",
1793 spte_to_pfn(*shadow_pte), pfn);
1794 rmap_remove(vcpu->kvm, shadow_pte);
1797 was_rmapped = is_large_pte(*shadow_pte);
1802 if (set_spte(vcpu, shadow_pte, pte_access, user_fault, write_fault,
1803 dirty, largepage, global, gfn, pfn, speculative, true)) {
1806 kvm_x86_ops->tlb_flush(vcpu);
1809 pgprintk("%s: setting spte %llx\n", __func__, *shadow_pte);
1810 pgprintk("instantiating %s PTE (%s) at %ld (%llx) addr %p\n",
1811 is_large_pte(*shadow_pte)? "2MB" : "4kB",
1812 is_present_pte(*shadow_pte)?"RW":"R", gfn,
1813 *shadow_pte, shadow_pte);
1814 if (!was_rmapped && is_large_pte(*shadow_pte))
1815 ++vcpu->kvm->stat.lpages;
1817 page_header_update_slot(vcpu->kvm, shadow_pte, gfn);
1819 rmap_add(vcpu, shadow_pte, gfn, largepage);
1820 if (!is_rmap_pte(*shadow_pte))
1821 kvm_release_pfn_clean(pfn);
1824 kvm_release_pfn_dirty(pfn);
1826 kvm_release_pfn_clean(pfn);
1829 vcpu->arch.last_pte_updated = shadow_pte;
1830 vcpu->arch.last_pte_gfn = gfn;
1834 static void nonpaging_new_cr3(struct kvm_vcpu *vcpu)
1838 static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
1839 int largepage, gfn_t gfn, pfn_t pfn)
1841 struct kvm_shadow_walk_iterator iterator;
1842 struct kvm_mmu_page *sp;
1846 for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
1847 if (iterator.level == PT_PAGE_TABLE_LEVEL
1848 || (largepage && iterator.level == PT_DIRECTORY_LEVEL)) {
1849 mmu_set_spte(vcpu, iterator.sptep, ACC_ALL, ACC_ALL,
1850 0, write, 1, &pt_write,
1851 largepage, 0, gfn, pfn, false);
1852 ++vcpu->stat.pf_fixed;
1856 if (*iterator.sptep == shadow_trap_nonpresent_pte) {
1857 pseudo_gfn = (iterator.addr & PT64_DIR_BASE_ADDR_MASK) >> PAGE_SHIFT;
1858 sp = kvm_mmu_get_page(vcpu, pseudo_gfn, iterator.addr,
1860 1, ACC_ALL, iterator.sptep);
1862 pgprintk("nonpaging_map: ENOMEM\n");
1863 kvm_release_pfn_clean(pfn);
1867 set_shadow_pte(iterator.sptep,
1869 | PT_PRESENT_MASK | PT_WRITABLE_MASK
1870 | shadow_user_mask | shadow_x_mask);
1876 static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
1881 unsigned long mmu_seq;
1883 if (is_largepage_backed(vcpu, gfn & ~(KVM_PAGES_PER_HPAGE-1))) {
1884 gfn &= ~(KVM_PAGES_PER_HPAGE-1);
1888 mmu_seq = vcpu->kvm->mmu_notifier_seq;
1890 pfn = gfn_to_pfn(vcpu->kvm, gfn);
1893 if (is_error_pfn(pfn)) {
1894 kvm_release_pfn_clean(pfn);
1898 spin_lock(&vcpu->kvm->mmu_lock);
1899 if (mmu_notifier_retry(vcpu, mmu_seq))
1901 kvm_mmu_free_some_pages(vcpu);
1902 r = __direct_map(vcpu, v, write, largepage, gfn, pfn);
1903 spin_unlock(&vcpu->kvm->mmu_lock);
1909 spin_unlock(&vcpu->kvm->mmu_lock);
1910 kvm_release_pfn_clean(pfn);
1915 static void mmu_free_roots(struct kvm_vcpu *vcpu)
1918 struct kvm_mmu_page *sp;
1920 if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
1922 spin_lock(&vcpu->kvm->mmu_lock);
1923 if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
1924 hpa_t root = vcpu->arch.mmu.root_hpa;
1926 sp = page_header(root);
1928 if (!sp->root_count && sp->role.invalid)
1929 kvm_mmu_zap_page(vcpu->kvm, sp);
1930 vcpu->arch.mmu.root_hpa = INVALID_PAGE;
1931 spin_unlock(&vcpu->kvm->mmu_lock);
1934 for (i = 0; i < 4; ++i) {
1935 hpa_t root = vcpu->arch.mmu.pae_root[i];
1938 root &= PT64_BASE_ADDR_MASK;
1939 sp = page_header(root);
1941 if (!sp->root_count && sp->role.invalid)
1942 kvm_mmu_zap_page(vcpu->kvm, sp);
1944 vcpu->arch.mmu.pae_root[i] = INVALID_PAGE;
1946 spin_unlock(&vcpu->kvm->mmu_lock);
1947 vcpu->arch.mmu.root_hpa = INVALID_PAGE;
1950 static void mmu_alloc_roots(struct kvm_vcpu *vcpu)
1954 struct kvm_mmu_page *sp;
1955 int metaphysical = 0;
1957 root_gfn = vcpu->arch.cr3 >> PAGE_SHIFT;
1959 if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
1960 hpa_t root = vcpu->arch.mmu.root_hpa;
1962 ASSERT(!VALID_PAGE(root));
1965 sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
1966 PT64_ROOT_LEVEL, metaphysical,
1968 root = __pa(sp->spt);
1970 vcpu->arch.mmu.root_hpa = root;
1973 metaphysical = !is_paging(vcpu);
1976 for (i = 0; i < 4; ++i) {
1977 hpa_t root = vcpu->arch.mmu.pae_root[i];
1979 ASSERT(!VALID_PAGE(root));
1980 if (vcpu->arch.mmu.root_level == PT32E_ROOT_LEVEL) {
1981 if (!is_present_pte(vcpu->arch.pdptrs[i])) {
1982 vcpu->arch.mmu.pae_root[i] = 0;
1985 root_gfn = vcpu->arch.pdptrs[i] >> PAGE_SHIFT;
1986 } else if (vcpu->arch.mmu.root_level == 0)
1988 sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30,
1989 PT32_ROOT_LEVEL, metaphysical,
1991 root = __pa(sp->spt);
1993 vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
1995 vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
1998 static void mmu_sync_roots(struct kvm_vcpu *vcpu)
2001 struct kvm_mmu_page *sp;
2003 if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
2005 if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
2006 hpa_t root = vcpu->arch.mmu.root_hpa;
2007 sp = page_header(root);
2008 mmu_sync_children(vcpu, sp);
2011 for (i = 0; i < 4; ++i) {
2012 hpa_t root = vcpu->arch.mmu.pae_root[i];
2015 root &= PT64_BASE_ADDR_MASK;
2016 sp = page_header(root);
2017 mmu_sync_children(vcpu, sp);
2022 static void mmu_sync_global(struct kvm_vcpu *vcpu)
2024 struct kvm *kvm = vcpu->kvm;
2025 struct kvm_mmu_page *sp, *n;
2027 list_for_each_entry_safe(sp, n, &kvm->arch.oos_global_pages, oos_link)
2028 kvm_sync_page(vcpu, sp);
2031 void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
2033 spin_lock(&vcpu->kvm->mmu_lock);
2034 mmu_sync_roots(vcpu);
2035 spin_unlock(&vcpu->kvm->mmu_lock);
2038 void kvm_mmu_sync_global(struct kvm_vcpu *vcpu)
2040 spin_lock(&vcpu->kvm->mmu_lock);
2041 mmu_sync_global(vcpu);
2042 spin_unlock(&vcpu->kvm->mmu_lock);
2045 static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr)
2050 static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
2056 pgprintk("%s: gva %lx error %x\n", __func__, gva, error_code);
2057 r = mmu_topup_memory_caches(vcpu);
2062 ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));
2064 gfn = gva >> PAGE_SHIFT;
2066 return nonpaging_map(vcpu, gva & PAGE_MASK,
2067 error_code & PFERR_WRITE_MASK, gfn);
2070 static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
2076 gfn_t gfn = gpa >> PAGE_SHIFT;
2077 unsigned long mmu_seq;
2080 ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));
2082 r = mmu_topup_memory_caches(vcpu);
2086 if (is_largepage_backed(vcpu, gfn & ~(KVM_PAGES_PER_HPAGE-1))) {
2087 gfn &= ~(KVM_PAGES_PER_HPAGE-1);
2090 mmu_seq = vcpu->kvm->mmu_notifier_seq;
2092 pfn = gfn_to_pfn(vcpu->kvm, gfn);
2093 if (is_error_pfn(pfn)) {
2094 kvm_release_pfn_clean(pfn);
2097 spin_lock(&vcpu->kvm->mmu_lock);
2098 if (mmu_notifier_retry(vcpu, mmu_seq))
2100 kvm_mmu_free_some_pages(vcpu);
2101 r = __direct_map(vcpu, gpa, error_code & PFERR_WRITE_MASK,
2102 largepage, gfn, pfn);
2103 spin_unlock(&vcpu->kvm->mmu_lock);
2108 spin_unlock(&vcpu->kvm->mmu_lock);
2109 kvm_release_pfn_clean(pfn);
2113 static void nonpaging_free(struct kvm_vcpu *vcpu)
2115 mmu_free_roots(vcpu);
2118 static int nonpaging_init_context(struct kvm_vcpu *vcpu)
2120 struct kvm_mmu *context = &vcpu->arch.mmu;
2122 context->new_cr3 = nonpaging_new_cr3;
2123 context->page_fault = nonpaging_page_fault;
2124 context->gva_to_gpa = nonpaging_gva_to_gpa;
2125 context->free = nonpaging_free;
2126 context->prefetch_page = nonpaging_prefetch_page;
2127 context->sync_page = nonpaging_sync_page;
2128 context->invlpg = nonpaging_invlpg;
2129 context->root_level = 0;
2130 context->shadow_root_level = PT32E_ROOT_LEVEL;
2131 context->root_hpa = INVALID_PAGE;
2135 void kvm_mmu_flush_tlb(struct kvm_vcpu *vcpu)
2137 ++vcpu->stat.tlb_flush;
2138 kvm_x86_ops->tlb_flush(vcpu);
2141 static void paging_new_cr3(struct kvm_vcpu *vcpu)
2143 pgprintk("%s: cr3 %lx\n", __func__, vcpu->arch.cr3);
2144 mmu_free_roots(vcpu);
2147 static void inject_page_fault(struct kvm_vcpu *vcpu,
2151 kvm_inject_page_fault(vcpu, addr, err_code);
2154 static void paging_free(struct kvm_vcpu *vcpu)
2156 nonpaging_free(vcpu);
2160 #include "paging_tmpl.h"
2164 #include "paging_tmpl.h"
2167 static int paging64_init_context_common(struct kvm_vcpu *vcpu, int level)
2169 struct kvm_mmu *context = &vcpu->arch.mmu;
2171 ASSERT(is_pae(vcpu));
2172 context->new_cr3 = paging_new_cr3;
2173 context->page_fault = paging64_page_fault;
2174 context->gva_to_gpa = paging64_gva_to_gpa;
2175 context->prefetch_page = paging64_prefetch_page;
2176 context->sync_page = paging64_sync_page;
2177 context->invlpg = paging64_invlpg;
2178 context->free = paging_free;
2179 context->root_level = level;
2180 context->shadow_root_level = level;
2181 context->root_hpa = INVALID_PAGE;
2185 static int paging64_init_context(struct kvm_vcpu *vcpu)
2187 return paging64_init_context_common(vcpu, PT64_ROOT_LEVEL);
2190 static int paging32_init_context(struct kvm_vcpu *vcpu)
2192 struct kvm_mmu *context = &vcpu->arch.mmu;
2194 context->new_cr3 = paging_new_cr3;
2195 context->page_fault = paging32_page_fault;
2196 context->gva_to_gpa = paging32_gva_to_gpa;
2197 context->free = paging_free;
2198 context->prefetch_page = paging32_prefetch_page;
2199 context->sync_page = paging32_sync_page;
2200 context->invlpg = paging32_invlpg;
2201 context->root_level = PT32_ROOT_LEVEL;
2202 context->shadow_root_level = PT32E_ROOT_LEVEL;
2203 context->root_hpa = INVALID_PAGE;
2207 static int paging32E_init_context(struct kvm_vcpu *vcpu)
2209 return paging64_init_context_common(vcpu, PT32E_ROOT_LEVEL);
2212 static int init_kvm_tdp_mmu(struct kvm_vcpu *vcpu)
2214 struct kvm_mmu *context = &vcpu->arch.mmu;
2216 context->new_cr3 = nonpaging_new_cr3;
2217 context->page_fault = tdp_page_fault;
2218 context->free = nonpaging_free;
2219 context->prefetch_page = nonpaging_prefetch_page;
2220 context->sync_page = nonpaging_sync_page;
2221 context->invlpg = nonpaging_invlpg;
2222 context->shadow_root_level = kvm_x86_ops->get_tdp_level();
2223 context->root_hpa = INVALID_PAGE;
2225 if (!is_paging(vcpu)) {
2226 context->gva_to_gpa = nonpaging_gva_to_gpa;
2227 context->root_level = 0;
2228 } else if (is_long_mode(vcpu)) {
2229 context->gva_to_gpa = paging64_gva_to_gpa;
2230 context->root_level = PT64_ROOT_LEVEL;
2231 } else if (is_pae(vcpu)) {
2232 context->gva_to_gpa = paging64_gva_to_gpa;
2233 context->root_level = PT32E_ROOT_LEVEL;
2235 context->gva_to_gpa = paging32_gva_to_gpa;
2236 context->root_level = PT32_ROOT_LEVEL;
2242 static int init_kvm_softmmu(struct kvm_vcpu *vcpu)
2247 ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
2249 if (!is_paging(vcpu))
2250 r = nonpaging_init_context(vcpu);
2251 else if (is_long_mode(vcpu))
2252 r = paging64_init_context(vcpu);
2253 else if (is_pae(vcpu))
2254 r = paging32E_init_context(vcpu);
2256 r = paging32_init_context(vcpu);
2258 vcpu->arch.mmu.base_role.glevels = vcpu->arch.mmu.root_level;
2263 static int init_kvm_mmu(struct kvm_vcpu *vcpu)
2265 vcpu->arch.update_pte.pfn = bad_pfn;
2268 return init_kvm_tdp_mmu(vcpu);
2270 return init_kvm_softmmu(vcpu);
2273 static void destroy_kvm_mmu(struct kvm_vcpu *vcpu)
2276 if (VALID_PAGE(vcpu->arch.mmu.root_hpa)) {
2277 vcpu->arch.mmu.free(vcpu);
2278 vcpu->arch.mmu.root_hpa = INVALID_PAGE;
2282 int kvm_mmu_reset_context(struct kvm_vcpu *vcpu)
2284 destroy_kvm_mmu(vcpu);
2285 return init_kvm_mmu(vcpu);
2287 EXPORT_SYMBOL_GPL(kvm_mmu_reset_context);
2289 int kvm_mmu_load(struct kvm_vcpu *vcpu)
2293 r = mmu_topup_memory_caches(vcpu);
2296 spin_lock(&vcpu->kvm->mmu_lock);
2297 kvm_mmu_free_some_pages(vcpu);
2298 mmu_alloc_roots(vcpu);
2299 mmu_sync_roots(vcpu);
2300 spin_unlock(&vcpu->kvm->mmu_lock);
2301 kvm_x86_ops->set_cr3(vcpu, vcpu->arch.mmu.root_hpa);
2302 kvm_mmu_flush_tlb(vcpu);
2306 EXPORT_SYMBOL_GPL(kvm_mmu_load);
2308 void kvm_mmu_unload(struct kvm_vcpu *vcpu)
2310 mmu_free_roots(vcpu);
2313 static void mmu_pte_write_zap_pte(struct kvm_vcpu *vcpu,
2314 struct kvm_mmu_page *sp,
2318 struct kvm_mmu_page *child;
2321 if (is_shadow_present_pte(pte)) {
2322 if (sp->role.level == PT_PAGE_TABLE_LEVEL ||
2324 rmap_remove(vcpu->kvm, spte);
2326 child = page_header(pte & PT64_BASE_ADDR_MASK);
2327 mmu_page_remove_parent_pte(child, spte);
2330 set_shadow_pte(spte, shadow_trap_nonpresent_pte);
2331 if (is_large_pte(pte))
2332 --vcpu->kvm->stat.lpages;
2335 static void mmu_pte_write_new_pte(struct kvm_vcpu *vcpu,
2336 struct kvm_mmu_page *sp,
2340 if (sp->role.level != PT_PAGE_TABLE_LEVEL) {
2341 if (!vcpu->arch.update_pte.largepage ||
2342 sp->role.glevels == PT32_ROOT_LEVEL) {
2343 ++vcpu->kvm->stat.mmu_pde_zapped;
2348 ++vcpu->kvm->stat.mmu_pte_updated;
2349 if (sp->role.glevels == PT32_ROOT_LEVEL)
2350 paging32_update_pte(vcpu, sp, spte, new);
2352 paging64_update_pte(vcpu, sp, spte, new);
2355 static bool need_remote_flush(u64 old, u64 new)
2357 if (!is_shadow_present_pte(old))
2359 if (!is_shadow_present_pte(new))
2361 if ((old ^ new) & PT64_BASE_ADDR_MASK)
2363 old ^= PT64_NX_MASK;
2364 new ^= PT64_NX_MASK;
2365 return (old & ~new & PT64_PERM_MASK) != 0;
2368 static void mmu_pte_write_flush_tlb(struct kvm_vcpu *vcpu, u64 old, u64 new)
2370 if (need_remote_flush(old, new))
2371 kvm_flush_remote_tlbs(vcpu->kvm);
2373 kvm_mmu_flush_tlb(vcpu);
2376 static bool last_updated_pte_accessed(struct kvm_vcpu *vcpu)
2378 u64 *spte = vcpu->arch.last_pte_updated;
2380 return !!(spte && (*spte & shadow_accessed_mask));
2383 static void mmu_guess_page_from_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
2384 const u8 *new, int bytes)
2391 vcpu->arch.update_pte.largepage = 0;
2393 if (bytes != 4 && bytes != 8)
2397 * Assume that the pte write on a page table of the same type
2398 * as the current vcpu paging mode. This is nearly always true
2399 * (might be false while changing modes). Note it is verified later
2403 /* Handle a 32-bit guest writing two halves of a 64-bit gpte */
2404 if ((bytes == 4) && (gpa % 4 == 0)) {
2405 r = kvm_read_guest(vcpu->kvm, gpa & ~(u64)7, &gpte, 8);
2408 memcpy((void *)&gpte + (gpa % 8), new, 4);
2409 } else if ((bytes == 8) && (gpa % 8 == 0)) {
2410 memcpy((void *)&gpte, new, 8);
2413 if ((bytes == 4) && (gpa % 4 == 0))
2414 memcpy((void *)&gpte, new, 4);
2416 if (!is_present_pte(gpte))
2418 gfn = (gpte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;
2420 if (is_large_pte(gpte) && is_largepage_backed(vcpu, gfn)) {
2421 gfn &= ~(KVM_PAGES_PER_HPAGE-1);
2422 vcpu->arch.update_pte.largepage = 1;
2424 vcpu->arch.update_pte.mmu_seq = vcpu->kvm->mmu_notifier_seq;
2426 pfn = gfn_to_pfn(vcpu->kvm, gfn);
2428 if (is_error_pfn(pfn)) {
2429 kvm_release_pfn_clean(pfn);
2432 vcpu->arch.update_pte.gfn = gfn;
2433 vcpu->arch.update_pte.pfn = pfn;
2436 static void kvm_mmu_access_page(struct kvm_vcpu *vcpu, gfn_t gfn)
2438 u64 *spte = vcpu->arch.last_pte_updated;
2441 && vcpu->arch.last_pte_gfn == gfn
2442 && shadow_accessed_mask
2443 && !(*spte & shadow_accessed_mask)
2444 && is_shadow_present_pte(*spte))
2445 set_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
2448 void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
2449 const u8 *new, int bytes,
2450 bool guest_initiated)
2452 gfn_t gfn = gpa >> PAGE_SHIFT;
2453 struct kvm_mmu_page *sp;
2454 struct hlist_node *node, *n;
2455 struct hlist_head *bucket;
2459 unsigned offset = offset_in_page(gpa);
2461 unsigned page_offset;
2462 unsigned misaligned;
2469 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
2470 mmu_guess_page_from_pte_write(vcpu, gpa, new, bytes);
2471 spin_lock(&vcpu->kvm->mmu_lock);
2472 kvm_mmu_access_page(vcpu, gfn);
2473 kvm_mmu_free_some_pages(vcpu);
2474 ++vcpu->kvm->stat.mmu_pte_write;
2475 kvm_mmu_audit(vcpu, "pre pte write");
2476 if (guest_initiated) {
2477 if (gfn == vcpu->arch.last_pt_write_gfn
2478 && !last_updated_pte_accessed(vcpu)) {
2479 ++vcpu->arch.last_pt_write_count;
2480 if (vcpu->arch.last_pt_write_count >= 3)
2483 vcpu->arch.last_pt_write_gfn = gfn;
2484 vcpu->arch.last_pt_write_count = 1;
2485 vcpu->arch.last_pte_updated = NULL;
2488 index = kvm_page_table_hashfn(gfn);
2489 bucket = &vcpu->kvm->arch.mmu_page_hash[index];
2490 hlist_for_each_entry_safe(sp, node, n, bucket, hash_link) {
2491 if (sp->gfn != gfn || sp->role.metaphysical || sp->role.invalid)
2493 pte_size = sp->role.glevels == PT32_ROOT_LEVEL ? 4 : 8;
2494 misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);
2495 misaligned |= bytes < 4;
2496 if (misaligned || flooded) {
2498 * Misaligned accesses are too much trouble to fix
2499 * up; also, they usually indicate a page is not used
2502 * If we're seeing too many writes to a page,
2503 * it may no longer be a page table, or we may be
2504 * forking, in which case it is better to unmap the
2507 pgprintk("misaligned: gpa %llx bytes %d role %x\n",
2508 gpa, bytes, sp->role.word);
2509 if (kvm_mmu_zap_page(vcpu->kvm, sp))
2511 ++vcpu->kvm->stat.mmu_flooded;
2514 page_offset = offset;
2515 level = sp->role.level;
2517 if (sp->role.glevels == PT32_ROOT_LEVEL) {
2518 page_offset <<= 1; /* 32->64 */
2520 * A 32-bit pde maps 4MB while the shadow pdes map
2521 * only 2MB. So we need to double the offset again
2522 * and zap two pdes instead of one.
2524 if (level == PT32_ROOT_LEVEL) {
2525 page_offset &= ~7; /* kill rounding error */
2529 quadrant = page_offset >> PAGE_SHIFT;
2530 page_offset &= ~PAGE_MASK;
2531 if (quadrant != sp->role.quadrant)
2534 spte = &sp->spt[page_offset / sizeof(*spte)];
2535 if ((gpa & (pte_size - 1)) || (bytes < pte_size)) {
2537 r = kvm_read_guest_atomic(vcpu->kvm,
2538 gpa & ~(u64)(pte_size - 1),
2540 new = (const void *)&gentry;
2546 mmu_pte_write_zap_pte(vcpu, sp, spte);
2548 mmu_pte_write_new_pte(vcpu, sp, spte, new);
2549 mmu_pte_write_flush_tlb(vcpu, entry, *spte);
2553 kvm_mmu_audit(vcpu, "post pte write");
2554 spin_unlock(&vcpu->kvm->mmu_lock);
2555 if (!is_error_pfn(vcpu->arch.update_pte.pfn)) {
2556 kvm_release_pfn_clean(vcpu->arch.update_pte.pfn);
2557 vcpu->arch.update_pte.pfn = bad_pfn;
2561 int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
2566 gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, gva);
2568 spin_lock(&vcpu->kvm->mmu_lock);
2569 r = kvm_mmu_unprotect_page(vcpu->kvm, gpa >> PAGE_SHIFT);
2570 spin_unlock(&vcpu->kvm->mmu_lock);
2573 EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page_virt);
2575 void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
2577 while (vcpu->kvm->arch.n_free_mmu_pages < KVM_REFILL_PAGES) {
2578 struct kvm_mmu_page *sp;
2580 sp = container_of(vcpu->kvm->arch.active_mmu_pages.prev,
2581 struct kvm_mmu_page, link);
2582 kvm_mmu_zap_page(vcpu->kvm, sp);
2583 ++vcpu->kvm->stat.mmu_recycled;
2587 int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
2590 enum emulation_result er;
2592 r = vcpu->arch.mmu.page_fault(vcpu, cr2, error_code);
2601 r = mmu_topup_memory_caches(vcpu);
2605 er = emulate_instruction(vcpu, vcpu->run, cr2, error_code, 0);
2610 case EMULATE_DO_MMIO:
2611 ++vcpu->stat.mmio_exits;
2614 kvm_report_emulation_failure(vcpu, "pagetable");
2622 EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
2624 void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
2626 vcpu->arch.mmu.invlpg(vcpu, gva);
2627 kvm_mmu_flush_tlb(vcpu);
2628 ++vcpu->stat.invlpg;
2630 EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
2632 void kvm_enable_tdp(void)
2636 EXPORT_SYMBOL_GPL(kvm_enable_tdp);
2638 void kvm_disable_tdp(void)
2640 tdp_enabled = false;
2642 EXPORT_SYMBOL_GPL(kvm_disable_tdp);
2644 static void free_mmu_pages(struct kvm_vcpu *vcpu)
2646 struct kvm_mmu_page *sp;
2648 while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
2649 sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
2650 struct kvm_mmu_page, link);
2651 kvm_mmu_zap_page(vcpu->kvm, sp);
2654 free_page((unsigned long)vcpu->arch.mmu.pae_root);
2657 static int alloc_mmu_pages(struct kvm_vcpu *vcpu)
2664 if (vcpu->kvm->arch.n_requested_mmu_pages)
2665 vcpu->kvm->arch.n_free_mmu_pages =
2666 vcpu->kvm->arch.n_requested_mmu_pages;
2668 vcpu->kvm->arch.n_free_mmu_pages =
2669 vcpu->kvm->arch.n_alloc_mmu_pages;
2671 * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
2672 * Therefore we need to allocate shadow page tables in the first
2673 * 4GB of memory, which happens to fit the DMA32 zone.
2675 page = alloc_page(GFP_KERNEL | __GFP_DMA32);
2678 vcpu->arch.mmu.pae_root = page_address(page);
2679 for (i = 0; i < 4; ++i)
2680 vcpu->arch.mmu.pae_root[i] = INVALID_PAGE;
2685 free_mmu_pages(vcpu);
2689 int kvm_mmu_create(struct kvm_vcpu *vcpu)
2692 ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
2694 return alloc_mmu_pages(vcpu);
2697 int kvm_mmu_setup(struct kvm_vcpu *vcpu)
2700 ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
2702 return init_kvm_mmu(vcpu);
2705 void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
2709 destroy_kvm_mmu(vcpu);
2710 free_mmu_pages(vcpu);
2711 mmu_free_memory_caches(vcpu);
2714 void kvm_mmu_slot_remove_write_access(struct kvm *kvm, int slot)
2716 struct kvm_mmu_page *sp;
2718 spin_lock(&kvm->mmu_lock);
2719 list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) {
2723 if (!test_bit(slot, sp->slot_bitmap))
2727 for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
2729 if (pt[i] & PT_WRITABLE_MASK)
2730 pt[i] &= ~PT_WRITABLE_MASK;
2732 kvm_flush_remote_tlbs(kvm);
2733 spin_unlock(&kvm->mmu_lock);
2736 void kvm_mmu_zap_all(struct kvm *kvm)
2738 struct kvm_mmu_page *sp, *node;
2740 spin_lock(&kvm->mmu_lock);
2741 list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link)
2742 if (kvm_mmu_zap_page(kvm, sp))
2743 node = container_of(kvm->arch.active_mmu_pages.next,
2744 struct kvm_mmu_page, link);
2745 spin_unlock(&kvm->mmu_lock);
2747 kvm_flush_remote_tlbs(kvm);
2750 static void kvm_mmu_remove_one_alloc_mmu_page(struct kvm *kvm)
2752 struct kvm_mmu_page *page;
2754 page = container_of(kvm->arch.active_mmu_pages.prev,
2755 struct kvm_mmu_page, link);
2756 kvm_mmu_zap_page(kvm, page);
2759 static int mmu_shrink(int nr_to_scan, gfp_t gfp_mask)
2762 struct kvm *kvm_freed = NULL;
2763 int cache_count = 0;
2765 spin_lock(&kvm_lock);
2767 list_for_each_entry(kvm, &vm_list, vm_list) {
2770 if (!down_read_trylock(&kvm->slots_lock))
2772 spin_lock(&kvm->mmu_lock);
2773 npages = kvm->arch.n_alloc_mmu_pages -
2774 kvm->arch.n_free_mmu_pages;
2775 cache_count += npages;
2776 if (!kvm_freed && nr_to_scan > 0 && npages > 0) {
2777 kvm_mmu_remove_one_alloc_mmu_page(kvm);
2783 spin_unlock(&kvm->mmu_lock);
2784 up_read(&kvm->slots_lock);
2787 list_move_tail(&kvm_freed->vm_list, &vm_list);
2789 spin_unlock(&kvm_lock);
2794 static struct shrinker mmu_shrinker = {
2795 .shrink = mmu_shrink,
2796 .seeks = DEFAULT_SEEKS * 10,
2799 static void mmu_destroy_caches(void)
2801 if (pte_chain_cache)
2802 kmem_cache_destroy(pte_chain_cache);
2803 if (rmap_desc_cache)
2804 kmem_cache_destroy(rmap_desc_cache);
2805 if (mmu_page_header_cache)
2806 kmem_cache_destroy(mmu_page_header_cache);
2809 void kvm_mmu_module_exit(void)
2811 mmu_destroy_caches();
2812 unregister_shrinker(&mmu_shrinker);
2815 int kvm_mmu_module_init(void)
2817 pte_chain_cache = kmem_cache_create("kvm_pte_chain",
2818 sizeof(struct kvm_pte_chain),
2820 if (!pte_chain_cache)
2822 rmap_desc_cache = kmem_cache_create("kvm_rmap_desc",
2823 sizeof(struct kvm_rmap_desc),
2825 if (!rmap_desc_cache)
2828 mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
2829 sizeof(struct kvm_mmu_page),
2831 if (!mmu_page_header_cache)
2834 register_shrinker(&mmu_shrinker);
2839 mmu_destroy_caches();
2844 * Caculate mmu pages needed for kvm.
2846 unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
2849 unsigned int nr_mmu_pages;
2850 unsigned int nr_pages = 0;
2852 for (i = 0; i < kvm->nmemslots; i++)
2853 nr_pages += kvm->memslots[i].npages;
2855 nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
2856 nr_mmu_pages = max(nr_mmu_pages,
2857 (unsigned int) KVM_MIN_ALLOC_MMU_PAGES);
2859 return nr_mmu_pages;
2862 static void *pv_mmu_peek_buffer(struct kvm_pv_mmu_op_buffer *buffer,
2865 if (len > buffer->len)
2870 static void *pv_mmu_read_buffer(struct kvm_pv_mmu_op_buffer *buffer,
2875 ret = pv_mmu_peek_buffer(buffer, len);
2880 buffer->processed += len;
2884 static int kvm_pv_mmu_write(struct kvm_vcpu *vcpu,
2885 gpa_t addr, gpa_t value)
2890 if (!is_long_mode(vcpu) && !is_pae(vcpu))
2893 r = mmu_topup_memory_caches(vcpu);
2897 if (!emulator_write_phys(vcpu, addr, &value, bytes))
2903 static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
2905 kvm_x86_ops->tlb_flush(vcpu);
2906 set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests);
2910 static int kvm_pv_mmu_release_pt(struct kvm_vcpu *vcpu, gpa_t addr)
2912 spin_lock(&vcpu->kvm->mmu_lock);
2913 mmu_unshadow(vcpu->kvm, addr >> PAGE_SHIFT);
2914 spin_unlock(&vcpu->kvm->mmu_lock);
2918 static int kvm_pv_mmu_op_one(struct kvm_vcpu *vcpu,
2919 struct kvm_pv_mmu_op_buffer *buffer)
2921 struct kvm_mmu_op_header *header;
2923 header = pv_mmu_peek_buffer(buffer, sizeof *header);
2926 switch (header->op) {
2927 case KVM_MMU_OP_WRITE_PTE: {
2928 struct kvm_mmu_op_write_pte *wpte;
2930 wpte = pv_mmu_read_buffer(buffer, sizeof *wpte);
2933 return kvm_pv_mmu_write(vcpu, wpte->pte_phys,
2936 case KVM_MMU_OP_FLUSH_TLB: {
2937 struct kvm_mmu_op_flush_tlb *ftlb;
2939 ftlb = pv_mmu_read_buffer(buffer, sizeof *ftlb);
2942 return kvm_pv_mmu_flush_tlb(vcpu);
2944 case KVM_MMU_OP_RELEASE_PT: {
2945 struct kvm_mmu_op_release_pt *rpt;
2947 rpt = pv_mmu_read_buffer(buffer, sizeof *rpt);
2950 return kvm_pv_mmu_release_pt(vcpu, rpt->pt_phys);
2956 int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, unsigned long bytes,
2957 gpa_t addr, unsigned long *ret)
2960 struct kvm_pv_mmu_op_buffer *buffer = &vcpu->arch.mmu_op_buffer;
2962 buffer->ptr = buffer->buf;
2963 buffer->len = min_t(unsigned long, bytes, sizeof buffer->buf);
2964 buffer->processed = 0;
2966 r = kvm_read_guest(vcpu->kvm, addr, buffer->buf, buffer->len);
2970 while (buffer->len) {
2971 r = kvm_pv_mmu_op_one(vcpu, buffer);
2980 *ret = buffer->processed;
2986 static const char *audit_msg;
2988 static gva_t canonicalize(gva_t gva)
2990 #ifdef CONFIG_X86_64
2991 gva = (long long)(gva << 16) >> 16;
2996 static void audit_mappings_page(struct kvm_vcpu *vcpu, u64 page_pte,
2997 gva_t va, int level)
2999 u64 *pt = __va(page_pte & PT64_BASE_ADDR_MASK);
3001 gva_t va_delta = 1ul << (PAGE_SHIFT + 9 * (level - 1));
3003 for (i = 0; i < PT64_ENT_PER_PAGE; ++i, va += va_delta) {
3006 if (ent == shadow_trap_nonpresent_pte)
3009 va = canonicalize(va);
3011 if (ent == shadow_notrap_nonpresent_pte)
3012 printk(KERN_ERR "audit: (%s) nontrapping pte"
3013 " in nonleaf level: levels %d gva %lx"
3014 " level %d pte %llx\n", audit_msg,
3015 vcpu->arch.mmu.root_level, va, level, ent);
3017 audit_mappings_page(vcpu, ent, va, level - 1);
3019 gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, va);
3020 hpa_t hpa = (hpa_t)gpa_to_pfn(vcpu, gpa) << PAGE_SHIFT;
3022 if (is_shadow_present_pte(ent)
3023 && (ent & PT64_BASE_ADDR_MASK) != hpa)
3024 printk(KERN_ERR "xx audit error: (%s) levels %d"
3025 " gva %lx gpa %llx hpa %llx ent %llx %d\n",
3026 audit_msg, vcpu->arch.mmu.root_level,
3028 is_shadow_present_pte(ent));
3029 else if (ent == shadow_notrap_nonpresent_pte
3030 && !is_error_hpa(hpa))
3031 printk(KERN_ERR "audit: (%s) notrap shadow,"
3032 " valid guest gva %lx\n", audit_msg, va);
3033 kvm_release_pfn_clean(pfn);
3039 static void audit_mappings(struct kvm_vcpu *vcpu)
3043 if (vcpu->arch.mmu.root_level == 4)
3044 audit_mappings_page(vcpu, vcpu->arch.mmu.root_hpa, 0, 4);
3046 for (i = 0; i < 4; ++i)
3047 if (vcpu->arch.mmu.pae_root[i] & PT_PRESENT_MASK)
3048 audit_mappings_page(vcpu,
3049 vcpu->arch.mmu.pae_root[i],
3054 static int count_rmaps(struct kvm_vcpu *vcpu)
3059 for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
3060 struct kvm_memory_slot *m = &vcpu->kvm->memslots[i];
3061 struct kvm_rmap_desc *d;
3063 for (j = 0; j < m->npages; ++j) {
3064 unsigned long *rmapp = &m->rmap[j];
3068 if (!(*rmapp & 1)) {
3072 d = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
3074 for (k = 0; k < RMAP_EXT; ++k)
3075 if (d->shadow_ptes[k])
3086 static int count_writable_mappings(struct kvm_vcpu *vcpu)
3089 struct kvm_mmu_page *sp;
3092 list_for_each_entry(sp, &vcpu->kvm->arch.active_mmu_pages, link) {
3095 if (sp->role.level != PT_PAGE_TABLE_LEVEL)
3098 for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
3101 if (!(ent & PT_PRESENT_MASK))
3103 if (!(ent & PT_WRITABLE_MASK))
3111 static void audit_rmap(struct kvm_vcpu *vcpu)
3113 int n_rmap = count_rmaps(vcpu);
3114 int n_actual = count_writable_mappings(vcpu);
3116 if (n_rmap != n_actual)
3117 printk(KERN_ERR "%s: (%s) rmap %d actual %d\n",
3118 __func__, audit_msg, n_rmap, n_actual);
3121 static void audit_write_protection(struct kvm_vcpu *vcpu)
3123 struct kvm_mmu_page *sp;
3124 struct kvm_memory_slot *slot;
3125 unsigned long *rmapp;
3128 list_for_each_entry(sp, &vcpu->kvm->arch.active_mmu_pages, link) {
3129 if (sp->role.metaphysical)
3132 gfn = unalias_gfn(vcpu->kvm, sp->gfn);
3133 slot = gfn_to_memslot_unaliased(vcpu->kvm, sp->gfn);
3134 rmapp = &slot->rmap[gfn - slot->base_gfn];
3136 printk(KERN_ERR "%s: (%s) shadow page has writable"
3137 " mappings: gfn %lx role %x\n",
3138 __func__, audit_msg, sp->gfn,
3143 static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg)
3150 audit_write_protection(vcpu);
3151 audit_mappings(vcpu);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob