linux/arch/x86/kvm/mmu.c
   1/*
   2 * Kernel-based Virtual Machine driver for Linux
   3 *
   4 * This module enables machines with Intel VT-x extensions to run virtual
   5 * machines without emulation or binary translation.
   6 *
   7 * MMU support
   8 *
   9 * Copyright (C) 2006 Qumranet, Inc.
  10 *
  11 * Authors:
  12 *   Yaniv Kamay  <yaniv@qumranet.com>
  13 *   Avi Kivity   <avi@qumranet.com>
  14 *
  15 * This work is licensed under the terms of the GNU GPL, version 2.  See
  16 * the COPYING file in the top-level directory.
  17 *
  18 */
  19
  20#include "mmu.h"
  21
  22#include <linux/kvm_host.h>
  23#include <linux/types.h>
  24#include <linux/string.h>
  25#include <linux/mm.h>
  26#include <linux/highmem.h>
  27#include <linux/module.h>
  28#include <linux/swap.h>
  29#include <linux/hugetlb.h>
  30#include <linux/compiler.h>
  31
  32#include <asm/page.h>
  33#include <asm/cmpxchg.h>
  34#include <asm/io.h>
  35#include <asm/vmx.h>
  36
/*
 * When setting this variable to true it enables Two-Dimensional-Paging
 * where the hardware walks 2 page tables:
 * 1. the guest-virtual to guest-physical
 * 2. while doing 1. it walks guest-physical to host-physical
 * If the hardware supports that we don't need to do shadow paging.
 */
bool tdp_enabled = false;

/* Both debug facilities are compiled out here; the #ifdef blocks below are dead unless these are re-enabled. */
#undef MMU_DEBUG

#undef AUDIT

/* Audit hook: a real implementation is expected elsewhere when AUDIT is defined, otherwise an empty stub. */
#ifdef AUDIT
static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg);
#else
static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg) {}
#endif

/* Page-table / rmap trace output, gated at runtime by the 'dbg' module parameter. */
#ifdef MMU_DEBUG

#define pgprintk(x...) do { if (dbg) printk(x); } while (0)
#define rmap_printk(x...) do { if (dbg) printk(x); } while (0)

#else

#define pgprintk(x...) do { } while (0)
#define rmap_printk(x...) do { } while (0)

#endif

/*
 * NOTE(review): 'dbg' and 'oos_shadow' are declared int but exposed as
 * bool module parameters; later kernels require a real bool for that.
 */
#if defined(MMU_DEBUG) || defined(AUDIT)
static int dbg = 0;
module_param(dbg, bool, 0644);
#endif

/* Runtime switch for out-of-sync shadow pages (writable, 0644). */
static int oos_shadow = 1;
module_param(oos_shadow, bool, 0644);

/*
 * Debug-only assertion that logs but does not stop.  The expansion is a bare
 * 'if' (no do { } while (0)), so it must not be followed by an 'else'.
 */
#ifndef MMU_DEBUG
#define ASSERT(x) do { } while (0)
#else
#define ASSERT(x)                                                       \
        if (!(x)) {                                                     \
                printk(KERN_WARNING "assertion failed %s:%d: %s\n",     \
                       __FILE__, __LINE__, #x);                         \
        }
#endif

/* Positions of the software-available bits in a shadow pte. */
#define PT_FIRST_AVAIL_BITS_SHIFT 9
#define PT64_SECOND_AVAIL_BITS_SHIFT 52

#define VALID_PAGE(x) ((x) != INVALID_PAGE)

/* 64-bit (and PAE) paging: 9 index bits per level, 512 entries per table. */
#define PT64_LEVEL_BITS 9

#define PT64_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT64_LEVEL_BITS)

#define PT64_LEVEL_MASK(level) \
                (((1ULL << PT64_LEVEL_BITS) - 1) << PT64_LEVEL_SHIFT(level))

#define PT64_INDEX(address, level)\
        (((address) >> PT64_LEVEL_SHIFT(level)) & ((1 << PT64_LEVEL_BITS) - 1))


/* 32-bit paging: 10 index bits per level, 1024 entries per table. */
#define PT32_LEVEL_BITS 10

#define PT32_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)

#define PT32_LEVEL_MASK(level) \
                (((1ULL << PT32_LEVEL_BITS) - 1) << PT32_LEVEL_SHIFT(level))

#define PT32_INDEX(address, level)\
        (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))


/* Physical-address field of a pte: bits 12..51 (page) or 21..51 (directory). */
#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
#define PT64_DIR_BASE_ADDR_MASK \
        (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + PT64_LEVEL_BITS)) - 1))

#define PT32_BASE_ADDR_MASK PAGE_MASK
#define PT32_DIR_BASE_ADDR_MASK \
        (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + PT32_LEVEL_BITS)) - 1))

#define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | PT_USER_MASK \
                        | PT64_NX_MASK)

/* Page-fault error-code bits as delivered by the hardware. */
#define PFERR_PRESENT_MASK (1U << 0)
#define PFERR_WRITE_MASK (1U << 1)
#define PFERR_USER_MASK (1U << 2)
#define PFERR_RSVD_MASK (1U << 3)
#define PFERR_FETCH_MASK (1U << 4)

#define PT_DIRECTORY_LEVEL 2
#define PT_PAGE_TABLE_LEVEL 1

/* Number of spte pointers held by one struct kvm_rmap_desc link. */
#define RMAP_EXT 4

/* Access-permission summary bits used when computing shadow ptes. */
#define ACC_EXEC_MASK    1
#define ACC_WRITE_MASK   PT_WRITABLE_MASK
#define ACC_USER_MASK    PT_USER_MASK
#define ACC_ALL          (ACC_EXEC_MASK | ACC_WRITE_MASK | ACC_USER_MASK)

#define SHADOW_PT_INDEX(addr, level) PT64_INDEX(addr, level)
/*
 * One link of a reverse-map chain: up to RMAP_EXT shadow ptes that map the
 * same gfn, plus the next link.  A NULL slot marks the end of the used
 * entries within a link (see rmap_add() and rmap_desc_remove_entry()).
 */
struct kvm_rmap_desc {
        u64 *shadow_ptes[RMAP_EXT];
        struct kvm_rmap_desc *more;
};
 148
/*
 * Cursor used by for_each_shadow_entry().  The walk helpers that fill it in
 * are not shown here; field roles below are inferred from their names.
 */
struct kvm_shadow_walk_iterator {
        u64 addr;               /* address being translated */
        hpa_t shadow_addr;      /* presumably host address of the current shadow table */
        int level;              /* current paging level */
        u64 *sptep;             /* current shadow pte within that table */
        unsigned index;         /* index of sptep within the table */
};
 156
/*
 * Iterate the shadow page-table path for _addr, one level at a time.
 * shadow_walk_init/okay/next are defined later in the file (not shown here).
 */
#define for_each_shadow_entry(_vcpu, _addr, _walker)    \
        for (shadow_walk_init(&(_walker), _vcpu, _addr);        \
             shadow_walk_okay(&(_walker));                      \
             shadow_walk_next(&(_walker)))
 161
 162
/* Callback container for walking unsynchronized shadow pages. */
struct kvm_unsync_walk {
        int (*entry) (struct kvm_mmu_page *sp, struct kvm_unsync_walk *walk);
};

/* Callback invoked by mmu_parent_walk() for every parent shadow page. */
typedef int (*mmu_parent_walk_fn) (struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp);
 168
/* Slab caches behind the per-vcpu memory caches refilled by mmu_topup_memory_caches(). */
static struct kmem_cache *pte_chain_cache;
static struct kmem_cache *rmap_desc_cache;
static struct kmem_cache *mmu_page_header_cache;

/*
 * Shadow-pte encoding parameters, set through the exported kvm_mmu_set_*()
 * helpers below and read on every spte operation afterwards.
 */
static u64 __read_mostly shadow_trap_nonpresent_pte;
static u64 __read_mostly shadow_notrap_nonpresent_pte;
static u64 __read_mostly shadow_base_present_pte;
static u64 __read_mostly shadow_nx_mask;
static u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
static u64 __read_mostly shadow_user_mask;
static u64 __read_mostly shadow_accessed_mask;
static u64 __read_mostly shadow_dirty_mask;
 181
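/*
 * Build a mask with bits s..e (inclusive) set.
 *
 * The original expression shifted 1ULL by (e - s + 1), which is undefined
 * when the span is the whole 64-bit word (e.g. rsvd_bits(0, 63)); that case
 * now yields all-ones from bit s.  An empty or inverted range, or a start
 * outside the word, yields 0.
 */
static inline u64 rsvd_bits(int s, int e)
{
        int width = e - s + 1;

        if (width <= 0 || s < 0 || s > 63)
                return 0;
        /* 1ULL << 64 is UB; a span that reaches the top bit is "everything from s". */
        if (width >= 64)
                return ~0ULL << s;
        return ((1ULL << width) - 1) << s;
}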
 186
/*
 * Install the two encodings used for non-present shadow ptes: one that traps
 * (faults into KVM) and one that does not.  is_shadow_present_pte() treats
 * any other value as present.
 */
void kvm_mmu_set_nonpresent_ptes(u64 trap_pte, u64 notrap_pte)
{
        shadow_notrap_nonpresent_pte = notrap_pte;
        shadow_trap_nonpresent_pte = trap_pte;
}
EXPORT_SYMBOL_GPL(kvm_mmu_set_nonpresent_ptes);
 193
/* Install the base bits OR'ed into every present shadow pte. */
void kvm_mmu_set_base_ptes(u64 base_pte)
{
        shadow_base_present_pte = base_pte;
}
EXPORT_SYMBOL_GPL(kvm_mmu_set_base_ptes);
 199
/*
 * Install the per-format bit masks used when composing shadow ptes.
 * @nx_mask and @x_mask describe mutually exclusive encodings (execute-disable
 * vs execute-allowed); @accessed_mask may be zero for formats without an
 * accessed bit, which kvm_age_rmapp() checks for.
 */
void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask,
                u64 dirty_mask, u64 nx_mask, u64 x_mask)
{
        shadow_x_mask = x_mask;
        shadow_nx_mask = nx_mask;
        shadow_dirty_mask = dirty_mask;
        shadow_accessed_mask = accessed_mask;
        shadow_user_mask = user_mask;
}
EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);
 210
/* Non-zero when the guest has CR0.WP set (supervisor writes honour page protection). */
static int is_write_protection(struct kvm_vcpu *vcpu)
{
        return vcpu->arch.cr0 & X86_CR0_WP;
}
 215
/*
 * PSE-36 is always reported as available to the guest; there is no host
 * capability lookup behind this answer.
 */
static int is_cpuid_PSE36(void)
{
        int pse36_supported = 1;

        return pse36_supported;
}
 220
/* Non-zero when the guest has EFER.NX enabled (no-execute bit honoured). */
static int is_nx(struct kvm_vcpu *vcpu)
{
        return vcpu->arch.shadow_efer & EFER_NX;
}
 225
/*
 * A shadow pte is "present" unless it is one of the two reserved
 * non-present encodings installed by kvm_mmu_set_nonpresent_ptes().
 */
static int is_shadow_present_pte(u64 pte)
{
        int is_nonpresent = (pte == shadow_trap_nonpresent_pte ||
                             pte == shadow_notrap_nonpresent_pte);

        return !is_nonpresent;
}
 231
/* Non-zero (the PS bit value) when the pte maps a large page. */
static int is_large_pte(u64 pte)
{
        return pte & PT_PAGE_SIZE_MASK;
}
 236
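/*
 * Non-zero when the pte grants write access.
 *
 * Takes the full 64-bit spte: the former 'unsigned long' parameter silently
 * dropped the upper 32 bits on 32-bit hosts.  PT_WRITABLE_MASK is presumably
 * a low bit so this did not misbehave, but widening keeps the predicate
 * consistent with is_large_pte()/is_rmap_pte(), whose callers all pass *spte.
 */
static int is_writeble_pte(u64 pte)
{
        return pte & PT_WRITABLE_MASK;
}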
 241
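/*
 * Non-zero when the pte carries the dirty bit of the active shadow format.
 *
 * shadow_dirty_mask is a u64, so the pte is taken as u64 too: with the former
 * 'unsigned long' parameter a dirty bit above bit 31 could never be seen on a
 * 32-bit host.  Callers pass *spte (u64), so the change is source compatible.
 */
static int is_dirty_pte(u64 pte)
{
        return pte & shadow_dirty_mask;
}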
 246
/* Whether a shadow pte is tracked in the reverse map: exactly the present ones. */
static int is_rmap_pte(u64 pte)
{
        return is_shadow_present_pte(pte);
}
 251
/*
 * Extract the host page frame number from a shadow pte.  Shifting first and
 * masking second is equivalent to masking then shifting because
 * PT64_BASE_ADDR_MASK has no bits below PAGE_SHIFT.
 */
static pfn_t spte_to_pfn(u64 pte)
{
        u64 frame_mask = PT64_BASE_ADDR_MASK >> PAGE_SHIFT;

        return (pte >> PAGE_SHIFT) & frame_mask;
}
 256
/*
 * For a 32-bit PSE-36 directory entry, return the gfn contribution encoded
 * in the extended physical-address bits (the PSE36 field, relocated above
 * bit 32 and expressed in pages).
 */
static gfn_t pse36_gfn_delta(u32 gpte)
{
        u32 pse36_field = gpte & PT32_DIR_PSE36_MASK;

        return pse36_field << (32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT);
}
 263
/*
 * Store a 64-bit shadow pte atomically with set_64bit().  The two branches
 * differ only in the pointer type the per-arch set_64bit() expects; an
 * atomic store is presumably needed because the hardware walker can read
 * sptep concurrently (not visible here).
 */
static void set_shadow_pte(u64 *sptep, u64 spte)
{
#ifdef CONFIG_X86_64
        set_64bit((unsigned long *)sptep, spte);
#else
        set_64bit((unsigned long long *)sptep, spte);
#endif
}
 272
/*
 * Make sure @cache holds at least @min objects from @base_cache, filling it
 * to capacity when it does not.  Objects are zeroed.  Returns 0, or -ENOMEM
 * with the cache left in a valid (partially filled) state.
 */
static int mmu_topup_memory_cache(struct kvm_mmu_memory_cache *cache,
                                  struct kmem_cache *base_cache, int min)
{
        if (cache->nobjs >= min)
                return 0;

        for (; cache->nobjs < ARRAY_SIZE(cache->objects); cache->nobjs++) {
                void *obj = kmem_cache_zalloc(base_cache, GFP_KERNEL);

                if (!obj)
                        return -ENOMEM;
                cache->objects[cache->nobjs] = obj;
        }
        return 0;
}
 288
/* Release every object still held by a kmem_cache-backed memory cache. */
static void mmu_free_memory_cache(struct kvm_mmu_memory_cache *mc)
{
        while (mc->nobjs > 0) {
                --mc->nobjs;
                kfree(mc->objects[mc->nobjs]);
        }
}
 294
/*
 * Page-granular variant of mmu_topup_memory_cache(): fill @cache with whole
 * pages (stored as their virtual addresses) until it is full, unless it
 * already holds @min.  Each page's private field is reset to 0.
 */
static int mmu_topup_memory_cache_page(struct kvm_mmu_memory_cache *cache,
                                       int min)
{
        if (cache->nobjs >= min)
                return 0;

        for (; cache->nobjs < ARRAY_SIZE(cache->objects); cache->nobjs++) {
                struct page *pg = alloc_page(GFP_KERNEL);

                if (!pg)
                        return -ENOMEM;
                set_page_private(pg, 0);
                cache->objects[cache->nobjs] = page_address(pg);
        }
        return 0;
}
 311
/* Release every page still held by a page-backed memory cache. */
static void mmu_free_memory_cache_page(struct kvm_mmu_memory_cache *mc)
{
        while (mc->nobjs > 0) {
                --mc->nobjs;
                free_page((unsigned long)mc->objects[mc->nobjs]);
        }
}
 317
/*
 * Refill all four per-vcpu MMU caches so the allocation helpers below
 * (which BUG on an empty cache) cannot run dry during one fault.  Stops at
 * the first failure and returns its error; earlier caches stay filled.
 */
static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu)
{
        int r;

        r = mmu_topup_memory_cache(&vcpu->arch.mmu_pte_chain_cache,
                                   pte_chain_cache, 4);
        if (r)
                return r;

        r = mmu_topup_memory_cache(&vcpu->arch.mmu_rmap_desc_cache,
                                   rmap_desc_cache, 4);
        if (r)
                return r;

        r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8);
        if (r)
                return r;

        return mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
                                      mmu_page_header_cache, 4);
}
 338
/* Drain all four per-vcpu MMU caches (counterpart of mmu_topup_memory_caches()). */
static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
{
        mmu_free_memory_cache(&vcpu->arch.mmu_pte_chain_cache);
        mmu_free_memory_cache(&vcpu->arch.mmu_rmap_desc_cache);
        mmu_free_memory_cache_page(&vcpu->arch.mmu_page_cache);
        mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache);
}
 346
/*
 * Pop one pre-allocated object from @mc.  @size is not consulted: the
 * objects were sized when the cache was topped up.  An empty cache is a
 * programming error (the caller skipped mmu_topup_memory_caches()) and BUGs.
 */
static void *mmu_memory_cache_alloc(struct kvm_mmu_memory_cache *mc,
                                    size_t size)
{
        BUG_ON(!mc->nobjs);
        --mc->nobjs;
        return mc->objects[mc->nobjs];
}
 356
/* Take a zeroed pte chain from the vcpu's pre-filled cache. */
static struct kvm_pte_chain *mmu_alloc_pte_chain(struct kvm_vcpu *vcpu)
{
        struct kvm_mmu_memory_cache *mc = &vcpu->arch.mmu_pte_chain_cache;

        return mmu_memory_cache_alloc(mc, sizeof(struct kvm_pte_chain));
}
 362
/* Return a pte chain to the slab (it was kmem_cache_zalloc'ed, so kfree() is valid). */
static void mmu_free_pte_chain(struct kvm_pte_chain *pc)
{
        kfree(pc);
}
 367
/* Take a zeroed rmap descriptor from the vcpu's pre-filled cache. */
static struct kvm_rmap_desc *mmu_alloc_rmap_desc(struct kvm_vcpu *vcpu)
{
        struct kvm_mmu_memory_cache *mc = &vcpu->arch.mmu_rmap_desc_cache;

        return mmu_memory_cache_alloc(mc, sizeof(struct kvm_rmap_desc));
}
 373
/* Return an rmap descriptor to the slab. */
static void mmu_free_rmap_desc(struct kvm_rmap_desc *rd)
{
        kfree(rd);
}
 378
/*
 * Return the pointer to the largepage write count for a given
 * gfn, handling slots that are not large page aligned.
 *
 * The index is relative to the large page that contains the slot's base
 * gfn, not to the slot's first page; gfn_to_rmap() must use the same formula.
 */
static int *slot_largepage_idx(gfn_t gfn, struct kvm_memory_slot *slot)
{
        unsigned long gfn_lpage = gfn / KVM_PAGES_PER_HPAGE;
        unsigned long base_lpage = slot->base_gfn / KVM_PAGES_PER_HPAGE;

        return &slot->lpage_info[gfn_lpage - base_lpage].write_count;
}
 391
/*
 * Record that @gfn is now shadowed by a page table, which forbids mapping
 * the enclosing large page until unaccount_shadowed() brings the count back.
 */
static void account_shadowed(struct kvm *kvm, gfn_t gfn)
{
        struct kvm_memory_slot *slot;

        gfn = unalias_gfn(kvm, gfn);
        slot = gfn_to_memslot_unaliased(kvm, gfn);
        *slot_largepage_idx(gfn, slot) += 1;
}
 401
/*
 * Undo account_shadowed() for @gfn.  A negative count means the bookkeeping
 * is unbalanced and is reported with WARN_ON.
 */
static void unaccount_shadowed(struct kvm *kvm, gfn_t gfn)
{
        struct kvm_memory_slot *slot;
        int *count;

        gfn = unalias_gfn(kvm, gfn);
        slot = gfn_to_memslot_unaliased(kvm, gfn);
        count = slot_largepage_idx(gfn, slot);
        --*count;
        WARN_ON(*count < 0);
}
 412
/*
 * Number of shadowed (write-protected) guest pages inside the large page
 * holding @gfn.  A gfn outside every memslot answers 1, so callers never
 * build a large mapping over unknown memory.
 */
static int has_wrprotected_page(struct kvm *kvm, gfn_t gfn)
{
        struct kvm_memory_slot *slot;

        gfn = unalias_gfn(kvm, gfn);
        slot = gfn_to_memslot_unaliased(kvm, gfn);
        if (!slot)
                return 1;

        return *slot_largepage_idx(gfn, slot);
}
 427
/*
 * Whether the host VMA backing @gfn is a hugetlb mapping.  Takes mmap_sem
 * for reading around find_vma(); an invalid hva answers 0.
 */
static int host_largepage_backed(struct kvm *kvm, gfn_t gfn)
{
        unsigned long hva = gfn_to_hva(kvm, gfn);
        struct vm_area_struct *vma;
        int backed;

        if (kvm_is_error_hva(hva))
                return 0;

        down_read(&current->mm->mmap_sem);
        vma = find_vma(current->mm, hva);
        backed = vma && is_vm_hugetlb_page(vma);
        up_read(&current->mm->mmap_sem);

        return backed;
}
 446
/*
 * Whether @large_gfn may be mapped with a large shadow page: no shadowed
 * (write-protected) guest page inside it, a hugetlb host backing, and no
 * dirty logging on the slot (logging works at small-page granularity).
 */
static int is_largepage_backed(struct kvm_vcpu *vcpu, gfn_t large_gfn)
{
        struct kvm_memory_slot *slot;

        if (has_wrprotected_page(vcpu->kvm, large_gfn) ||
            !host_largepage_backed(vcpu->kvm, large_gfn))
                return 0;

        slot = gfn_to_memslot(vcpu->kvm, large_gfn);
        return !(slot && slot->dirty_bitmap);
}
 463
/*
 * Take gfn and return the reverse mapping to it.
 * Note: gfn must be unaliased before this function get called.
 *
 * The memslot is dereferenced without a NULL check, so gfn must also lie in
 * a slot.  The large-page index uses the same base-relative formula as
 * slot_largepage_idx().
 */
static unsigned long *gfn_to_rmap(struct kvm *kvm, gfn_t gfn, int lpage)
{
        struct kvm_memory_slot *slot = gfn_to_memslot(kvm, gfn);

        if (lpage) {
                unsigned long idx = gfn / KVM_PAGES_PER_HPAGE
                                    - slot->base_gfn / KVM_PAGES_PER_HPAGE;

                return &slot->lpage_info[idx].rmap_pde;
        }

        return &slot->rmap[gfn - slot->base_gfn];
}
 483
/*
 * Reverse mapping data structures:
 *
 * If rmapp bit zero is zero, then rmapp points to the shadow page table entry
 * that points to page_address(page).
 *
 * If rmapp bit zero is one, (then rmap & ~1) points to a struct kvm_rmap_desc
 * containing more mappings.
 *
 * Returns the number of rmap entries before the spte was added or zero if
 * the spte was not added.  The count is RMAP_EXT per full descriptor passed
 * over, so it is a lower bound rather than an exact count; rmap_recycle's
 * caller compares it against RMAP_RECYCLE_THRESHOLD.
 *
 * Descriptor allocations are not NULL-checked: mmu_memory_cache_alloc()
 * BUGs on an empty cache, so mmu_topup_memory_caches() must have run first.
 */
static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn, int lpage)
{
        struct kvm_mmu_page *sp;
        struct kvm_rmap_desc *desc;
        unsigned long *rmapp;
        int i, count = 0;

        /* Non-present sptes hold no host page and are not tracked. */
        if (!is_rmap_pte(*spte))
                return count;
        gfn = unalias_gfn(vcpu->kvm, gfn);
        sp = page_header(__pa(spte));
        /* Remember which gfn this slot maps so rmap_remove() can find the rmap again. */
        sp->gfns[spte - sp->spt] = gfn;
        rmapp = gfn_to_rmap(vcpu->kvm, gfn, lpage);
        if (!*rmapp) {
                rmap_printk("rmap_add: %p %llx 0->1\n", spte, *spte);
                *rmapp = (unsigned long)spte;
        } else if (!(*rmapp & 1)) {
                rmap_printk("rmap_add: %p %llx 1->many\n", spte, *spte);
                /* Second mapping: promote the bare pointer to a tagged descriptor. */
                desc = mmu_alloc_rmap_desc(vcpu);
                desc->shadow_ptes[0] = (u64 *)*rmapp;
                desc->shadow_ptes[1] = spte;
                *rmapp = (unsigned long)desc | 1;
        } else {
                rmap_printk("rmap_add: %p %llx many->many\n", spte, *spte);
                desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
                /* Skip full descriptors that already have a successor. */
                while (desc->shadow_ptes[RMAP_EXT-1] && desc->more) {
                        desc = desc->more;
                        count += RMAP_EXT;
                }
                /* Last descriptor full: append a fresh one. */
                if (desc->shadow_ptes[RMAP_EXT-1]) {
                        desc->more = mmu_alloc_rmap_desc(vcpu);
                        desc = desc->more;
                }
                /* Slot RMAP_EXT-1 is known free here, so this scan stays in bounds. */
                for (i = 0; desc->shadow_ptes[i]; ++i)
                        ;
                desc->shadow_ptes[i] = spte;
        }
        return count;
}
 536
/*
 * Remove entry @i from descriptor @desc of the chain rooted at @rmapp.
 *
 * The last used slot j is moved into slot i (order within a descriptor is
 * not significant) and cleared.  If that emptied the descriptor (j == 0) it
 * is unlinked: @prev_desc takes over its successor, or, when it was the only
 * descriptor, the rmap collapses back to a bare spte pointer (tag bit clear)
 * or to the remaining chain.  @prev_desc is NULL for the first descriptor.
 */
static void rmap_desc_remove_entry(unsigned long *rmapp,
                                   struct kvm_rmap_desc *desc,
                                   int i,
                                   struct kvm_rmap_desc *prev_desc)
{
        int j;

        /* Find the last used slot at or after i. */
        for (j = RMAP_EXT - 1; !desc->shadow_ptes[j] && j > i; --j)
                ;
        desc->shadow_ptes[i] = desc->shadow_ptes[j];
        desc->shadow_ptes[j] = NULL;
        if (j != 0)
                return;
        /* Descriptor is now empty: unlink it from the chain. */
        if (!prev_desc && !desc->more)
                *rmapp = (unsigned long)desc->shadow_ptes[0];
        else
                if (prev_desc)
                        prev_desc->more = desc->more;
                else
                        *rmapp = (unsigned long)desc->more | 1;
        mmu_free_rmap_desc(desc);
}
 559
/*
 * Remove @spte from the reverse map of the gfn it shadows and drop the
 * reference the spte held on the host page.
 *
 * The gfn comes from sp->gfns[] (recorded by rmap_add()); whether the
 * large-page rmap is consulted is taken from the spte's own page-size bit.
 * Accessed/dirty state is propagated to the host page first.  The rmap must
 * contain @spte: an empty rmap, a single entry that is not @spte, or a
 * descriptor chain without @spte is treated as MMU corruption and BUGs.
 */
static void rmap_remove(struct kvm *kvm, u64 *spte)
{
        struct kvm_rmap_desc *desc;
        struct kvm_rmap_desc *prev_desc;
        struct kvm_mmu_page *sp;
        pfn_t pfn;
        unsigned long *rmapp;
        int i;

        if (!is_rmap_pte(*spte))
                return;
        sp = page_header(__pa(spte));
        pfn = spte_to_pfn(*spte);
        /* Hand A/D state to the host page before releasing our reference. */
        if (*spte & shadow_accessed_mask)
                kvm_set_pfn_accessed(pfn);
        if (is_writeble_pte(*spte))
                kvm_release_pfn_dirty(pfn);
        else
                kvm_release_pfn_clean(pfn);
        rmapp = gfn_to_rmap(kvm, sp->gfns[spte - sp->spt], is_large_pte(*spte));
        if (!*rmapp) {
                printk(KERN_ERR "rmap_remove: %p %llx 0->BUG\n", spte, *spte);
                BUG();
        } else if (!(*rmapp & 1)) {
                rmap_printk("rmap_remove:  %p %llx 1->0\n", spte, *spte);
                /* Single-entry rmap: it must be exactly this spte. */
                if ((u64 *)*rmapp != spte) {
                        printk(KERN_ERR "rmap_remove:  %p %llx 1->BUG\n",
                               spte, *spte);
                        BUG();
                }
                *rmapp = 0;
        } else {
                rmap_printk("rmap_remove:  %p %llx many->many\n", spte, *spte);
                desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
                prev_desc = NULL;
                /* Linear search through the descriptor chain. */
                while (desc) {
                        for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i)
                                if (desc->shadow_ptes[i] == spte) {
                                        rmap_desc_remove_entry(rmapp,
                                                               desc, i,
                                                               prev_desc);
                                        return;
                                }
                        prev_desc = desc;
                        desc = desc->more;
                }
                BUG();
        }
}
 609
/*
 * Iterate the reverse map at @rmapp: with @spte == NULL return the first
 * entry, otherwise the entry following @spte.  Returns NULL when the rmap
 * is empty, when there is no entry after @spte, or when @spte is not in the
 * chain.  Callers that remove entries while iterating restart with NULL
 * (see rmap_write_protect() and kvm_unmap_rmapp()).
 */
static u64 *rmap_next(struct kvm *kvm, unsigned long *rmapp, u64 *spte)
{
        struct kvm_rmap_desc *desc;
        struct kvm_rmap_desc *prev_desc;
        u64 *prev_spte;
        int i;

        if (!*rmapp)
                return NULL;
        else if (!(*rmapp & 1)) {
                /* Single bare pointer: it is the first and only entry. */
                if (!spte)
                        return (u64 *)*rmapp;
                return NULL;
        }
        desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
        prev_desc = NULL;
        prev_spte = NULL;
        /* Return the entry whose predecessor is @spte (NULL matches the first). */
        while (desc) {
                for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i) {
                        if (prev_spte == spte)
                                return desc->shadow_ptes[i];
                        prev_spte = desc->shadow_ptes[i];
                }
                desc = desc->more;
        }
        return NULL;
}
 637
/*
 * Remove write access from every shadow pte that maps @gfn, so that guest
 * writes to that page (a shadowed page table) trap into KVM.
 *
 * Small-page sptes are simply made read-only; the host page is marked dirty
 * once if anything was writable.  Large-page sptes covering @gfn are torn
 * down entirely (rmap_remove + non-present pte) because a large mapping
 * cannot protect a single 4K page.  Returns non-zero if any pte changed; the
 * caller is responsible for the TLB flush.
 */
static int rmap_write_protect(struct kvm *kvm, u64 gfn)
{
        unsigned long *rmapp;
        u64 *spte;
        int write_protected = 0;

        gfn = unalias_gfn(kvm, gfn);
        rmapp = gfn_to_rmap(kvm, gfn, 0);

        spte = rmap_next(kvm, rmapp, NULL);
        while (spte) {
                BUG_ON(!spte);
                BUG_ON(!(*spte & PT_PRESENT_MASK));
                rmap_printk("rmap_write_protect: spte %p %llx\n", spte, *spte);
                if (is_writeble_pte(*spte)) {
                        set_shadow_pte(spte, *spte & ~PT_WRITABLE_MASK);
                        write_protected = 1;
                }
                spte = rmap_next(kvm, rmapp, spte);
        }
        if (write_protected) {
                pfn_t pfn;

                /* The loop above saw at least one entry, so this is non-NULL. */
                spte = rmap_next(kvm, rmapp, NULL);
                pfn = spte_to_pfn(*spte);
                kvm_set_pfn_dirty(pfn);
        }

        /* check for huge page mappings */
        rmapp = gfn_to_rmap(kvm, gfn, 1);
        spte = rmap_next(kvm, rmapp, NULL);
        while (spte) {
                BUG_ON(!spte);
                BUG_ON(!(*spte & PT_PRESENT_MASK));
                BUG_ON((*spte & (PT_PAGE_SIZE_MASK|PT_PRESENT_MASK)) != (PT_PAGE_SIZE_MASK|PT_PRESENT_MASK));
                pgprintk("rmap_write_protect(large): spte %p %llx %lld\n", spte, *spte, gfn);
                if (is_writeble_pte(*spte)) {
                        /* rmap_remove() restructures the chain: restart from the head. */
                        rmap_remove(kvm, spte);
                        --kvm->stat.lpages;
                        set_shadow_pte(spte, shadow_trap_nonpresent_pte);
                        spte = NULL;
                        write_protected = 1;
                }
                spte = rmap_next(kvm, rmapp, spte);
        }

        return write_protected;
}
 686
/*
 * Tear down every shadow pte in the reverse map at @rmapp (MMU-notifier
 * unmap path).  Returns 1 if anything was removed and a TLB flush is due.
 */
static int kvm_unmap_rmapp(struct kvm *kvm, unsigned long *rmapp)
{
        int need_tlb_flush = 0;
        u64 *spte;

        /* rmap_remove() unlinks the head entry, so each step restarts from NULL. */
        for (spte = rmap_next(kvm, rmapp, NULL); spte;
             spte = rmap_next(kvm, rmapp, NULL)) {
                BUG_ON(!(*spte & PT_PRESENT_MASK));
                rmap_printk("kvm_rmap_unmap_hva: spte %p %llx\n", spte, *spte);
                rmap_remove(kvm, spte);
                set_shadow_pte(spte, shadow_trap_nonpresent_pte);
                need_tlb_flush = 1;
        }
        return need_tlb_flush;
}
 701
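/*
 * Apply @handler to the small-page and large-page reverse maps of the guest
 * page that maps host virtual address @hva, in every memslot containing it.
 * Returns the OR of the handler results (non-zero: TLB flush needed).
 *
 * Called from the MMU notifiers with mmu_lock held; slots with
 * userspace_addr == 0 are skipped so mmap_sem is not required.
 */
static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
                          int (*handler)(struct kvm *kvm, unsigned long *rmapp))
{
        int i;
        int retval = 0;

        /*
         * If mmap_sem isn't taken, we can look the memslots with only
         * the mmu_lock by skipping over the slots with userspace_addr == 0.
         */
        for (i = 0; i < kvm->nmemslots; i++) {
                struct kvm_memory_slot *memslot = &kvm->memslots[i];
                unsigned long start = memslot->userspace_addr;
                unsigned long end;

                /* mmu_lock protects userspace_addr */
                if (!start)
                        continue;

                end = start + (memslot->npages << PAGE_SHIFT);
                if (hva >= start && hva < end) {
                        gfn_t gfn_offset = (hva - start) >> PAGE_SHIFT;
                        gfn_t gfn = memslot->base_gfn + gfn_offset;
                        unsigned long lpage_idx;

                        /*
                         * Index lpage_info the way slot_largepage_idx() and
                         * gfn_to_rmap() do: relative to the large page that
                         * holds base_gfn.  The previous gfn_offset-based index
                         * agreed only for slots whose base_gfn is aligned to
                         * KVM_PAGES_PER_HPAGE; for an unaligned slot it picked
                         * the wrong rmap_pde, possibly past the end of the array.
                         */
                        lpage_idx = (gfn / KVM_PAGES_PER_HPAGE) -
                                    (memslot->base_gfn / KVM_PAGES_PER_HPAGE);

                        retval |= handler(kvm, &memslot->rmap[gfn_offset]);
                        retval |= handler(kvm,
                                          &memslot->lpage_info[lpage_idx].rmap_pde);
                }
        }

        return retval;
}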
 734
/* MMU-notifier entry point: drop every shadow mapping of the page at @hva. */
int kvm_unmap_hva(struct kvm *kvm, unsigned long hva)
{
        return kvm_handle_hva(kvm, hva, kvm_unmap_rmapp);
}
 739
/*
 * Test-and-clear the accessed bit on every shadow pte in the rmap at
 * @rmapp.  Returns 1 if any pte had been accessed since the last call.
 * Formats without an accessed bit (shadow_accessed_mask == 0, e.g. EPT here)
 * always report "old".
 */
static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp)
{
        u64 *spte;
        int young = 0;

        /* always return old for EPT */
        if (!shadow_accessed_mask)
                return 0;

        for (spte = rmap_next(kvm, rmapp, NULL); spte;
             spte = rmap_next(kvm, rmapp, spte)) {
                u64 val = *spte;

                BUG_ON(!(val & PT_PRESENT_MASK));
                if (!(val & PT_ACCESSED_MASK))
                        continue;
                young = 1;
                /* clear_bit on the low word: PT_ACCESSED_SHIFT is presumably below 32. */
                clear_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
        }
        return young;
}
 763
#define RMAP_RECYCLE_THRESHOLD 1000

/*
 * Drop every shadow mapping of @gfn and flush remote TLBs.  Used when an
 * rmap chain grows past RMAP_RECYCLE_THRESHOLD entries (see rmap_add()'s
 * return value) to bound the cost of future rmap walks.
 */
static void rmap_recycle(struct kvm_vcpu *vcpu, gfn_t gfn, int lpage)
{
        struct kvm *kvm = vcpu->kvm;
        unsigned long *rmapp;

        gfn = unalias_gfn(kvm, gfn);
        rmapp = gfn_to_rmap(kvm, gfn, lpage);
        kvm_unmap_rmapp(kvm, rmapp);
        kvm_flush_remote_tlbs(kvm);
}
 776
/* MMU-notifier entry point: report and clear "accessed" for the page at @hva. */
int kvm_age_hva(struct kvm *kvm, unsigned long hva)
{
        return kvm_handle_hva(kvm, hva, kvm_age_rmapp);
}
 781
#ifdef MMU_DEBUG
/*
 * Debug check that a shadow page table holds no present entries; logs and
 * returns 0 at the first present one, else 1.
 */
static int is_empty_shadow_page(u64 *spt)
{
        size_t n = PAGE_SIZE / sizeof(u64);
        size_t i;

        for (i = 0; i < n; i++) {
                if (!is_shadow_present_pte(spt[i]))
                        continue;
                printk(KERN_ERR "%s: %p %llx\n", __func__, &spt[i], spt[i]);
                return 0;
        }
        return 1;
}
#endif
 797
/*
 * Free a shadow page: the header, its pte page and its gfn array.  The page
 * must already be empty (checked only with MMU_DEBUG) and unlinked from any
 * parent; the free-page budget is credited back.
 */
static void kvm_mmu_free_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
        ASSERT(is_empty_shadow_page(sp->spt));
        list_del(&sp->link);
        __free_page(virt_to_page(sp->spt));
        __free_page(virt_to_page(sp->gfns));
        kfree(sp);
        ++kvm->arch.n_free_mmu_pages;
}
 807
/* Bucket index for @gfn in the shadow-page hash: its low KVM_MMU_HASH_SHIFT bits. */
static unsigned kvm_page_table_hashfn(gfn_t gfn)
{
        unsigned bucket_mask = (1 << KVM_MMU_HASH_SHIFT) - 1;

        return gfn & bucket_mask;
}
 812
/*
 * Allocate a shadow page from the vcpu's pre-filled caches: a header plus
 * two pages (the pte table and the parallel gfn array).  None of the
 * allocations can fail here; mmu_memory_cache_alloc() BUGs on an empty cache.
 * The pte page's private field points back at the header so page_header()
 * can recover it from any spte address.
 */
static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu,
                                               u64 *parent_pte)
{
        struct kvm_mmu_page *sp;

        sp = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache, sizeof *sp);
        sp->spt = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache, PAGE_SIZE);
        sp->gfns = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache, PAGE_SIZE);
        set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
        list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
        INIT_LIST_HEAD(&sp->oos_link);
        bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS);
        /* Starts single-mapped; mmu_page_add_parent_pte() switches to a chain on demand. */
        sp->multimapped = 0;
        sp->parent_pte = parent_pte;
        --vcpu->kvm->arch.n_free_mmu_pages;
        return sp;
}
 830
/*
 * Record @parent_pte as one of the ptes that point at shadow page @sp.
 *
 * A page with a single parent keeps it inline in sp->parent_pte.  On the
 * second parent the page becomes "multimapped": the old pointer moves into
 * a freshly allocated kvm_pte_chain on sp->parent_ptes and new parents are
 * appended to the first chain with a free slot, allocating another chain
 * when all are full.  A NULL @parent_pte is ignored.
 */
static void mmu_page_add_parent_pte(struct kvm_vcpu *vcpu,
                                    struct kvm_mmu_page *sp, u64 *parent_pte)
{
        struct kvm_pte_chain *pte_chain;
        struct hlist_node *node;
        int i;

        if (!parent_pte)
                return;
        if (!sp->multimapped) {
                u64 *old = sp->parent_pte;

                if (!old) {
                        sp->parent_pte = parent_pte;
                        return;
                }
                /* Second parent: convert the inline pointer into a chain. */
                sp->multimapped = 1;
                pte_chain = mmu_alloc_pte_chain(vcpu);
                INIT_HLIST_HEAD(&sp->parent_ptes);
                hlist_add_head(&pte_chain->link, &sp->parent_ptes);
                pte_chain->parent_ptes[0] = old;
        }
        hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link) {
                /* Last slot used means the chain is full: try the next one. */
                if (pte_chain->parent_ptes[NR_PTE_CHAIN_ENTRIES-1])
                        continue;
                for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i)
                        if (!pte_chain->parent_ptes[i]) {
                                pte_chain->parent_ptes[i] = parent_pte;
                                return;
                        }
        }
        /* Every chain is full: start a new one at the head. */
        pte_chain = mmu_alloc_pte_chain(vcpu);
        BUG_ON(!pte_chain);
        hlist_add_head(&pte_chain->link, &sp->parent_ptes);
        pte_chain->parent_ptes[0] = parent_pte;
}
 867
/*
 * Forget that @parent_pte points at shadow page @sp.
 *
 * Single-mapped pages must be losing exactly their recorded parent (BUG
 * otherwise).  For multimapped pages the entry is found in its chain and
 * the later entries slide down to keep the used slots contiguous; a chain
 * that becomes empty is freed, and when no chains remain the page reverts
 * to single-mapped with no parent.  A parent that is not found BUGs.
 */
static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp,
                                       u64 *parent_pte)
{
        struct kvm_pte_chain *pte_chain;
        struct hlist_node *node;
        int i;

        if (!sp->multimapped) {
                BUG_ON(sp->parent_pte != parent_pte);
                sp->parent_pte = NULL;
                return;
        }
        hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link)
                for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i) {
                        if (!pte_chain->parent_ptes[i])
                                break;
                        if (pte_chain->parent_ptes[i] != parent_pte)
                                continue;
                        /* Compact: shift the remaining entries down over slot i. */
                        while (i + 1 < NR_PTE_CHAIN_ENTRIES
                                && pte_chain->parent_ptes[i + 1]) {
                                pte_chain->parent_ptes[i]
                                        = pte_chain->parent_ptes[i + 1];
                                ++i;
                        }
                        pte_chain->parent_ptes[i] = NULL;
                        /* i == 0 after compaction means the chain is now empty. */
                        if (i == 0) {
                                hlist_del(&pte_chain->link);
                                mmu_free_pte_chain(pte_chain);
                                if (hlist_empty(&sp->parent_ptes)) {
                                        sp->multimapped = 0;
                                        sp->parent_pte = NULL;
                                }
                        }
                        return;
                }
        BUG();
}
 905
 906
/*
 * Invoke @fn on every ancestor shadow page of @sp, depth first: each parent
 * pte is mapped back to its owning page with page_header(__pa()), @fn is
 * called, then the walk recurses into that page's own parents.  Recursion
 * depth is bounded by the number of paging levels (not visible here).
 *
 * When @sp is neither multimapped nor has an inline parent, the hlist walk
 * below is expected to be empty — presumably parent_ptes shares storage
 * with parent_pte or is zeroed at allocation; confirm against the header.
 */
static void mmu_parent_walk(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
                            mmu_parent_walk_fn fn)
{
        struct kvm_pte_chain *pte_chain;
        struct hlist_node *node;
        struct kvm_mmu_page *parent_sp;
        int i;

        if (!sp->multimapped && sp->parent_pte) {
                parent_sp = page_header(__pa(sp->parent_pte));
                fn(vcpu, parent_sp);
                mmu_parent_walk(vcpu, parent_sp, fn);
                return;
        }
        hlist_for_each_entry(pte_chain, node, &sp->parent_ptes, link)
                for (i = 0; i < NR_PTE_CHAIN_ENTRIES; ++i) {
                        if (!pte_chain->parent_ptes[i])
                                break;
                        parent_sp = page_header(__pa(pte_chain->parent_ptes[i]));
                        fn(vcpu, parent_sp);
                        mmu_parent_walk(vcpu, parent_sp, fn);
                }
}
 930
/*
 * Record, in the shadow page that owns @spte, that the child reached
 * through @spte is (or contains) an unsynced page: set the matching bit in
 * unsync_child_bitmap and, if it was clear, bump unsync_children.
 */
static void kvm_mmu_update_unsync_bitmap(u64 *spte)
{
	struct kvm_mmu_page *owner = page_header(__pa(spte));
	unsigned int slot = spte - owner->spt;

	/* a child already flagged is not counted twice */
	if (!__test_and_set_bit(slot, owner->unsync_child_bitmap))
		owner->unsync_children++;
	WARN_ON(!owner->unsync_children);
}
 941
/*
 * Flag @sp as an unsync child in each of its direct parents, through the
 * parent pte(s) that point at it.  A page with no parent pte (a root) has
 * nothing to update.
 */
static void kvm_mmu_update_parents_unsync(struct kvm_mmu_page *sp)
{
	struct kvm_pte_chain *chain;
	struct hlist_node *pos;
	int slot;

	if (!sp->parent_pte)
		return;

	if (!sp->multimapped) {
		kvm_mmu_update_unsync_bitmap(sp->parent_pte);
		return;
	}

	hlist_for_each_entry(chain, pos, &sp->parent_ptes, link) {
		for (slot = 0; slot < NR_PTE_CHAIN_ENTRIES; ++slot) {
			u64 *parent_pte = chain->parent_ptes[slot];

			/* the first empty slot ends a chain's used part */
			if (!parent_pte)
				break;
			kvm_mmu_update_unsync_bitmap(parent_pte);
		}
	}
}
 963
/*
 * mmu_parent_walk callback: propagate the unsync mark from @sp into its
 * parents.  mmu_parent_walk() does not look at the return value.
 */
static int unsync_walk_fn(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
{
	kvm_mmu_update_parents_unsync(sp);

	return 1;
}
 969
/*
 * Mark the whole ancestor chain of @sp as leading to an unsync page: every
 * ancestor flags itself in its own parents, then @sp flags itself in its
 * direct parents.  Called when @sp goes unsync, or when an existing page
 * with unsync children gains a new parent.
 */
static void kvm_mmu_mark_parents_unsync(struct kvm_vcpu *vcpu,
					struct kvm_mmu_page *sp)
{
	/* ancestors first, so every level above @sp is already flagged ... */
	mmu_parent_walk(vcpu, sp, unsync_walk_fn);
	/* ... and then @sp's own direct parents */
	kvm_mmu_update_parents_unsync(sp);
}
 976
/*
 * Fill a fresh shadow page with "trap on access" non-present entries,
 * so every first touch through it faults into the host.
 */
static void nonpaging_prefetch_page(struct kvm_vcpu *vcpu,
				    struct kvm_mmu_page *sp)
{
	u64 *ent = sp->spt;
	u64 *end = sp->spt + PT64_ENT_PER_PAGE;

	while (ent < end)
		*ent++ = shadow_trap_nonpresent_pte;
}
 985
/*
 * sync_page hook for the non-paging MMU.  There is no guest page table
 * to resync against, so report failure (nonzero): kvm_sync_page() then
 * zaps the page instead of keeping it.
 */
static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
			       struct kvm_mmu_page *sp)
{
	int cannot_sync = 1;

	return cannot_sync;
}
 991
/* invlpg hook for the non-paging MMU: no shadow of a guest pte to drop. */
static void nonpaging_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
{
}
 995
/* How many shadow pages one unsync walk collects before it must stop. */
#define KVM_PAGE_ARRAY_NR 16

/*
 * Shadow pages gathered by mmu_unsync_walk(): each entry holds a page and
 * the index, within that page's parent, of the pte that leads to it (0 for
 * the page the walk started from).  nr is the number of used entries.
 */
struct kvm_mmu_pages {
	struct mmu_page_and_offset {
		struct kvm_mmu_page *sp;
		unsigned int idx;
	} page[KVM_PAGE_ARRAY_NR];
	unsigned int nr;
};
1005
/*
 * Iterate @idx over the set bits of an unsync_child_bitmap.  The width is
 * hard-coded to 512, one bit per spte of a shadow page; the walkers below
 * use @idx directly as an index into sp->spt.
 */
#define for_each_unsync_children(bitmap, idx)		\
	for (idx = find_first_bit(bitmap, 512);		\
	     idx < 512;					\
	     idx = find_next_bit(bitmap, 512, idx+1))
1010
/*
 * Append @sp, reached through pte index @idx of its parent, to @pvec.
 * An unsync page already present in the vector is not recorded again.
 * Returns nonzero when the vector has just become full and the caller
 * must stop walking.
 */
static int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
			 int idx)
{
	struct mmu_page_and_offset *slot;
	int n;

	if (sp->unsync) {
		for (n = 0; n < pvec->nr; n++)
			if (pvec->page[n].sp == sp)
				return 0;
	}

	slot = &pvec->page[pvec->nr++];
	slot->sp = sp;
	slot->idx = idx;

	return pvec->nr == KVM_PAGE_ARRAY_NR;
}
1026
/*
 * Recursive part of mmu_unsync_walk(): for each child of @sp flagged in
 * unsync_child_bitmap, descend into children that themselves have unsync
 * children and record unsync leaves into @pvec.
 *
 * Returns the number of unsync leaves found below @sp, or -ENOSPC when
 * @pvec filled up (the walk then stops early and the caller retries after
 * processing what was collected).  A child subtree that turns out to hold
 * nothing unsync has its bit cleared, and @sp's unsync_children is reset
 * to 0 once its bitmap is empty.
 */
static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
			   struct kvm_mmu_pages *pvec)
{
	int i, ret, nr_unsync_leaf = 0;

	for_each_unsync_children(sp->unsync_child_bitmap, i) {
		u64 ent = sp->spt[i];

		/* only a present pointer to a lower-level table leads anywhere */
		if (is_shadow_present_pte(ent) && !is_large_pte(ent)) {
			struct kvm_mmu_page *child;
			child = page_header(ent & PT64_BASE_ADDR_MASK);

			if (child->unsync_children) {
				/* record the intermediate page, then descend */
				if (mmu_pages_add(pvec, child, i))
					return -ENOSPC;

				/* 0 below means the bit was stale: clear it */
				ret = __mmu_unsync_walk(child, pvec);
				if (!ret)
					__clear_bit(i, sp->unsync_child_bitmap);
				else if (ret > 0)
					nr_unsync_leaf += ret;
				else
					return ret;
			}

			if (child->unsync) {
				nr_unsync_leaf++;
				if (mmu_pages_add(pvec, child, i))
					return -ENOSPC;
			}
		}
	}

	/* every bit cleared: nothing left to sync under this page */
	if (find_first_bit(sp->unsync_child_bitmap, 512) == 512)
		sp->unsync_children = 0;

	return nr_unsync_leaf;
}
1065
/*
 * Collect into @pvec the unsync pages below @sp, together with the
 * intermediate pages leading to them, with @sp itself as the first entry.
 * Returns 0 when @sp has no unsync children, otherwise what
 * __mmu_unsync_walk() reports: the number of unsync leaves found, or
 * -ENOSPC when @pvec filled up before the walk completed.
 */
static int mmu_unsync_walk(struct kvm_mmu_page *sp,
			   struct kvm_mmu_pages *pvec)
{
	if (sp->unsync_children == 0)
		return 0;

	/* the starting page has no parent index of its own; record 0 */
	mmu_pages_add(pvec, sp, 0);

	return __mmu_unsync_walk(sp, pvec);
}
1075
/*
 * Find a live, non-direct shadow page for guest frame @gfn, or NULL.
 * Pages marked invalid (zapped but still pinned as a root) are skipped;
 * the first match in the hash bucket wins, whatever its role.
 */
static struct kvm_mmu_page *kvm_mmu_lookup_page(struct kvm *kvm, gfn_t gfn)
{
	struct hlist_head *bucket;
	struct hlist_node *pos;
	struct kvm_mmu_page *sp;

	pgprintk("%s: looking for gfn %lx\n", __func__, gfn);
	bucket = &kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
	hlist_for_each_entry(sp, pos, bucket, hash_link) {
		if (sp->gfn != gfn || sp->role.direct || sp->role.invalid)
			continue;
		pgprintk("%s: found role %x\n",
			 __func__, sp->role.word);
		return sp;
	}

	return NULL;
}
1095
/* Clear @sp's unsync flag and drop it from the mmu_unsync statistic. */
static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	/* callers only hand us pages that are actually unsync */
	WARN_ON(!sp->unsync);
	sp->unsync = 0;
	kvm->stat.mmu_unsync--;
}
1102
/* Defined further down; kvm_sync_page() below needs it first. */
static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp);
1104
/*
 * Bring the unsync shadow page @sp back in line with its guest page table.
 * The guest frame is write-protected first (flushing remote TLBs if any
 * spte actually changed), the unsync flag is dropped, and the mode's
 * sync_page hook re-reads the guest table.  A page whose guest level no
 * longer matches the vcpu's root level, or whose sync hook fails, is
 * zapped instead.
 *
 * Returns 1 if the page was zapped, 0 if it was synced and kept.
 */
static int kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
{
	struct kvm *kvm = vcpu->kvm;

	if (sp->role.glevels != vcpu->arch.mmu.root_level)
		goto zap;

	if (rmap_write_protect(kvm, sp->gfn))
		kvm_flush_remote_tlbs(kvm);
	kvm_unlink_unsync_page(kvm, sp);
	if (vcpu->arch.mmu.sync_page(vcpu, sp))
		goto zap;

	kvm_mmu_flush_tlb(vcpu);
	return 0;

zap:
	kvm_mmu_zap_page(kvm, sp);
	return 1;
}
1123
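/*
 * Path from an unsync leaf up to the page a walk started from, filled in
 * by mmu_pages_next() and consumed by mmu_pages_clear_parents():
 * parent[k] is the ancestor at level k+2 and idx[k] is the index of the
 * path's pte inside parent[k].
 *
 * Sizing: mmu_pages_next() writes idx[level-1] and kvm_mmu_pages_init()
 * writes parent[level-1] for a page at @level, so a page at
 * PT64_ROOT_LEVEL touches index PT64_ROOT_LEVEL-1.  Both arrays must
 * therefore hold PT64_ROOT_LEVEL entries; PT64_ROOT_LEVEL-1 is one short
 * and lets a 4-level root write past the end of the struct.
 */
struct mmu_page_path {
	struct kvm_mmu_page *parent[PT64_ROOT_LEVEL];
	unsigned int idx[PT64_ROOT_LEVEL];
};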
1128
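/*
 * Visit the leaf (PT_PAGE_TABLE_LEVEL) pages of @pvec in order, with
 * @parents updated to the path above each one as a side effect of
 * mmu_pages_next().  @sp is only loaded after the bounds check:
 * mmu_pages_next() returns pvec.nr when no leaf remains, and for a full
 * vector that equals KVM_PAGE_ARRAY_NR, one past the end of page[].
 */
#define for_each_sp(pvec, sp, parents, i)			\
		for (i = mmu_pages_next(&pvec, &parents, -1);	\
			i < pvec.nr && ({ sp = pvec.page[i].sp; 1;});	\
			i = mmu_pages_next(&pvec, &parents, i))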
1134
/*
 * Advance from vector position @i to the next leaf (PT_PAGE_TABLE_LEVEL)
 * entry of @pvec.  Every non-leaf entry passed on the way is recorded in
 * @parents: a page at level L goes into parent[L-2], and the index of the
 * pte leading to it (inside the page one level up) into idx[L-1]; the
 * leaf's own such index goes into idx[0].  Returns the leaf's position,
 * or pvec->nr when no leaf remains.
 *
 * For a page at PT64_ROOT_LEVEL this writes idx[PT64_ROOT_LEVEL-1], so
 * @parents->idx must have at least PT64_ROOT_LEVEL entries.
 */
static int mmu_pages_next(struct kvm_mmu_pages *pvec,
			  struct mmu_page_path *parents,
			  int i)
{
	int n;

	for (n = i+1; n < pvec->nr; n++) {
		struct kvm_mmu_page *sp = pvec->page[n].sp;

		if (sp->role.level == PT_PAGE_TABLE_LEVEL) {
			parents->idx[0] = pvec->page[n].idx;
			return n;
		}

		/* intermediate page: remember it and where its child sits */
		parents->parent[sp->role.level-2] = sp;
		parents->idx[sp->role.level-1] = pvec->page[n].idx;
	}

	return n;
}
1155
/*
 * After the leaf on @parents has been handled, climb the recorded path and
 * clear the matching unsync_child bit in each ancestor, dropping its
 * unsync_children count.  The climb stops at the first empty slot, at an
 * ancestor that still has other unsync children, or at the top of the
 * path.
 */
static void mmu_pages_clear_parents(struct mmu_page_path *parents)
{
	unsigned int level;

	for (level = 0; level < PT64_ROOT_LEVEL-1; level++) {
		struct kvm_mmu_page *sp = parents->parent[level];

		if (!sp)
			return;

		--sp->unsync_children;
		WARN_ON((int)sp->unsync_children < 0);
		__clear_bit(parents->idx[level], sp->unsync_child_bitmap);

		/* an ancestor with other unsync children stays flagged above */
		if (sp->unsync_children)
			break;
	}
}
1174
/*
 * Reset the walk state before (re)collecting the unsync pages under
 * @parent: terminate the path one slot above @parent's own level, so the
 * climb in mmu_pages_clear_parents() stops there, and empty @pvec.
 * For a root at PT64_ROOT_LEVEL this writes parent[PT64_ROOT_LEVEL-1].
 */
static void kvm_mmu_pages_init(struct kvm_mmu_page *parent,
			       struct mmu_page_path *parents,
			       struct kvm_mmu_pages *pvec)
{
	int top = parent->role.level - 1;

	parents->parent[top] = NULL;
	pvec->nr = 0;
}
1182
/*
 * Sync every unsync page reachable below @parent.  Each round collects a
 * batch of pages, write-protects their guest frames (one remote TLB flush
 * if anything changed), syncs each leaf and clears the unsync marks on the
 * path above it, then gives up the mmu_lock briefly before the next round.
 * Rounds repeat until the walk finds no unsync children.
 */
static void mmu_sync_children(struct kvm_vcpu *vcpu,
			      struct kvm_mmu_page *parent)
{
	struct kvm *kvm = vcpu->kvm;
	struct mmu_page_path parents;
	struct kvm_mmu_pages pages;
	struct kvm_mmu_page *sp;
	int i;

	kvm_mmu_pages_init(parent, &parents, &pages);
	while (mmu_unsync_walk(parent, &pages)) {
		int protected = 0;

		/* protect the whole batch first, then flush once */
		for_each_sp(pages, sp, parents, i)
			protected |= rmap_write_protect(kvm, sp->gfn);
		if (protected)
			kvm_flush_remote_tlbs(kvm);

		for_each_sp(pages, sp, parents, i) {
			kvm_sync_page(vcpu, sp);
			mmu_pages_clear_parents(&parents);
		}

		cond_resched_lock(&kvm->mmu_lock);
		kvm_mmu_pages_init(parent, &parents, &pages);
	}
}
1209
/*
 * Find or create the shadow page for guest page-table frame @gfn with the
 * role built from @level/@direct/@access (plus, for guests whose root is
 * at most PT32_ROOT_LEVEL, the quadrant of @gaddr the page covers), and
 * link @parent_pte to it.
 *
 * Any unsync page for the same gfn is synced before its role is even
 * compared, so the lookup leaves no unsync page for @gfn behind; a page
 * that kvm_sync_page() zapped is skipped.  If the page found has unsync
 * children, a KVM_REQ_MMU_SYNC is queued on the vcpu and the page's
 * ancestors are marked.  A new non-direct page write-protects the guest
 * frame and is accounted as shadowed; its entries are prefilled by the
 * mode's prefetch_page hook, or with trapping non-present entries when
 * the trap/notrap encodings coincide.
 *
 * Returns NULL only when kvm_mmu_alloc_page() fails.
 */
static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
					     gfn_t gfn,
					     gva_t gaddr,
					     unsigned level,
					     int direct,
					     unsigned access,
					     u64 *parent_pte)
{
	union kvm_mmu_page_role role;
	unsigned index;
	unsigned quadrant;
	struct hlist_head *bucket;
	struct kvm_mmu_page *sp;
	struct hlist_node *node, *tmp;

	role = vcpu->arch.mmu.base_role;
	role.level = level;
	role.direct = direct;
	role.access = access;
	/*
	 * A 32-bit guest table covers less address space than a 64-bit
	 * shadow table; the quadrant says which part of the shadow page
	 * this guest table feeds.
	 */
	if (vcpu->arch.mmu.root_level <= PT32_ROOT_LEVEL) {
		quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
		quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
		role.quadrant = quadrant;
	}
	pgprintk("%s: looking gfn %lx role %x\n", __func__,
		 gfn, role.word);
	index = kvm_page_table_hashfn(gfn);
	bucket = &vcpu->kvm->arch.mmu_page_hash[index];
	hlist_for_each_entry_safe(sp, node, tmp, bucket, hash_link)
		if (sp->gfn == gfn) {
			/* sync regardless of role; skip the page if zapped */
			if (sp->unsync)
				if (kvm_sync_page(vcpu, sp))
					continue;

			if (sp->role.word != role.word)
				continue;

			mmu_page_add_parent_pte(vcpu, sp, parent_pte);
			/* the new parent chain must learn about unsync leaves */
			if (sp->unsync_children) {
				set_bit(KVM_REQ_MMU_SYNC, &vcpu->requests);
				kvm_mmu_mark_parents_unsync(vcpu, sp);
			}
			pgprintk("%s: found\n", __func__);
			return sp;
		}
	++vcpu->kvm->stat.mmu_cache_miss;
	sp = kvm_mmu_alloc_page(vcpu, parent_pte);
	if (!sp)
		return sp;
	pgprintk("%s: adding gfn %lx role %x\n", __func__, gfn, role.word);
	sp->gfn = gfn;
	sp->role = role;
	hlist_add_head(&sp->hash_link, bucket);
	/* a shadowed guest table must trap guest writes to stay coherent */
	if (!direct) {
		if (rmap_write_protect(vcpu->kvm, gfn))
			kvm_flush_remote_tlbs(vcpu->kvm);
		account_shadowed(vcpu->kvm, gfn);
	}
	if (shadow_trap_nonpresent_pte != shadow_notrap_nonpresent_pte)
		vcpu->arch.mmu.prefetch_page(vcpu, sp);
	else
		nonpaging_prefetch_page(vcpu, sp);
	return sp;
}
1274
/*
 * Position @iterator at the top of the vcpu's shadow page tables for
 * @addr.  With a PAE root (PT32E_ROOT_LEVEL) the walk starts one level
 * down, at the pae_root entry selected by bits 31:30 of @addr; if that
 * entry is empty the level is set to 0 so shadow_walk_okay() fails at
 * once.
 */
static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
			     struct kvm_vcpu *vcpu, u64 addr)
{
	iterator->addr = addr;
	iterator->shadow_addr = vcpu->arch.mmu.root_hpa;
	iterator->level = vcpu->arch.mmu.shadow_root_level;

	if (iterator->level != PT32E_ROOT_LEVEL)
		return;

	iterator->shadow_addr = vcpu->arch.mmu.pae_root[(addr >> 30) & 3]
				& PT64_BASE_ADDR_MASK;
	iterator->level--;
	if (!iterator->shadow_addr)
		iterator->level = 0;
}
1290
/*
 * True while the walk is still inside a page-table level.  As a side
 * effect, computes the index and the spte pointer for the current level
 * so the caller can read or modify the entry.
 */
static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
{
	u64 *table;

	if (iterator->level < PT_PAGE_TABLE_LEVEL)
		return false;

	table = __va(iterator->shadow_addr);
	iterator->index = SHADOW_PT_INDEX(iterator->addr, iterator->level);
	iterator->sptep = &table[iterator->index];

	return true;
}
1299
/* Descend one level, following the address field of the current spte. */
static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
{
	u64 spte = *iterator->sptep;

	iterator->shadow_addr = spte & PT64_BASE_ADDR_MASK;
	iterator->level--;
}
1305
/*
 * Detach everything @sp points at before the page is freed or invalidated.
 * A leaf table drops the rmap entry of each present spte; an upper-level
 * table unlinks itself from each child page, or, for a large mapping,
 * drops the rmap entry and the lpages statistic.  Every slot is then reset
 * to the trapping non-present value.
 */
static void kvm_mmu_page_unlink_children(struct kvm *kvm,
					 struct kvm_mmu_page *sp)
{
	u64 *pt = sp->spt;
	unsigned i;

	for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
		u64 ent = pt[i];

		if (is_shadow_present_pte(ent)) {
			if (sp->role.level == PT_PAGE_TABLE_LEVEL) {
				rmap_remove(kvm, &pt[i]);
			} else if (is_large_pte(ent)) {
				--kvm->stat.lpages;
				rmap_remove(kvm, &pt[i]);
			} else {
				struct kvm_mmu_page *child =
					page_header(ent & PT64_BASE_ADDR_MASK);

				mmu_page_remove_parent_pte(child, &pt[i]);
			}
		}
		pt[i] = shadow_trap_nonpresent_pte;
	}
}
1340
/* Drop the link from @parent_pte to @sp (thin alias kept for its callers). */
static void kvm_mmu_put_page(struct kvm_mmu_page *sp, u64 *parent_pte)
{
	u64 *link = parent_pte;

	mmu_page_remove_parent_pte(sp, link);
}
1345
/*
 * Forget every vcpu's last_pte_updated hint.  Called after a shadow page
 * is zapped, so no vcpu keeps a pointer into a page that may be gone.
 */
static void kvm_mmu_reset_last_pte_updated(struct kvm *kvm)
{
	int i;

	for (i = 0; i < KVM_MAX_VCPUS; ++i) {
		struct kvm_vcpu *vcpu = kvm->vcpus[i];

		if (vcpu)
			vcpu->arch.last_pte_updated = NULL;
	}
}
1354
/*
 * Remove every parent pte that points at @sp, replacing each with the
 * trapping non-present value, until none is left.  Each round takes the
 * first remaining parent: either the lone sp->parent_pte or the head
 * entry of the first pte chain.
 */
static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	while (sp->multimapped || sp->parent_pte) {
		u64 *parent_pte;

		if (sp->multimapped) {
			struct kvm_pte_chain *chain =
				container_of(sp->parent_ptes.first,
					     struct kvm_pte_chain, link);

			parent_pte = chain->parent_ptes[0];
		} else {
			parent_pte = sp->parent_pte;
		}
		/* a non-empty chain never has an empty first slot */
		BUG_ON(!parent_pte);
		kvm_mmu_put_page(sp, parent_pte);
		set_shadow_pte(parent_pte, shadow_trap_nonpresent_pte);
	}
}
1374
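/*
 * Zap every unsync page below @parent (a leaf parent has none).  Each
 * round collects a batch, zaps the leaves for_each_sp() yields and clears
 * their marks on the path above, and repeats until the walk finds no
 * unsync children.
 *
 * Returns the number of pages actually zapped.  Only the leaf pages are
 * zapped; the intermediate pages that mmu_unsync_walk() also records in
 * the vector (including @parent itself) are kept, so pages.nr would
 * overstate the count.  Callers that use the value as a "restart the hash
 * walk" signal are unaffected, since at least one leaf is zapped whenever
 * the walk reports unsync leaves.
 */
static int mmu_zap_unsync_children(struct kvm *kvm,
				   struct kvm_mmu_page *parent)
{
	int i, zapped = 0;
	struct mmu_page_path parents;
	struct kvm_mmu_pages pages;

	if (parent->role.level == PT_PAGE_TABLE_LEVEL)
		return 0;

	kvm_mmu_pages_init(parent, &parents, &pages);
	while (mmu_unsync_walk(parent, &pages)) {
		struct kvm_mmu_page *sp;

		for_each_sp(pages, sp, parents, i) {
			kvm_mmu_zap_page(kvm, sp);
			mmu_pages_clear_parents(&parents);
			zapped++;
		}
		kvm_mmu_pages_init(parent, &parents, &pages);
	}

	return zapped;
}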
1399
/*
 * Tear down the shadow page @sp: zap its unsync children, unlink its own
 * children and the parent ptes pointing at it, flush remote TLBs, undo the
 * shadowed accounting (unless the page is already invalid, or direct) and
 * the unsync flag.  A page with no root references is removed from the
 * hash and freed; one still in use as a root is kept, marked invalid,
 * moved to the head of active_mmu_pages, and the remote mmus are asked to
 * reload (presumably so they let go of the root).  Every vcpu's
 * last_pte_updated hint is cleared since it may point into the page.
 *
 * Returns the value mmu_zap_unsync_children() reported, i.e. nonzero when
 * other pages were zapped on the way.  Callers walking a hash bucket must
 * treat that as "restart the walk": those pages may have been in the same
 * bucket and their list links are gone.
 */
static int kvm_mmu_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	int ret;
	++kvm->stat.mmu_shadow_zapped;
	ret = mmu_zap_unsync_children(kvm, sp);
	kvm_mmu_page_unlink_children(kvm, sp);
	kvm_mmu_unlink_parents(kvm, sp);
	kvm_flush_remote_tlbs(kvm);
	if (!sp->role.invalid && !sp->role.direct)
		unaccount_shadowed(kvm, sp->gfn);
	if (sp->unsync)
		kvm_unlink_unsync_page(kvm, sp);
	if (!sp->root_count) {
		hlist_del(&sp->hash_link);
		kvm_mmu_free_page(kvm, sp);
	} else {
		/* still a root somewhere: keep it, but never match it again */
		sp->role.invalid = 1;
		list_move(&sp->link, &kvm->arch.active_mmu_pages);
		kvm_reload_remote_mmus(kvm);
	}
	kvm_mmu_reset_last_pte_updated(kvm);
	return ret;
}
1423
1424/*
1425 * Changing the number of mmu pages allocated to the vm
1426 * Note: if kvm_nr_mmu_pages is too small, you will get dead lock
1427 */
1428void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages)
1429{
1430        int used_pages;
1431
1432        used_pages = kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages;
1433        used_pages = max(0, used_pages);
1434
1435        /*
1436         * If we set the number of mmu pages to be smaller be than the
1437         * number of actived pages , we must to free some mmu pages before we
1438         * change the value
1439         */
1440
1441        if (used_pages > kvm_nr_mmu_pages) {
1442                while (used_pages > kvm_nr_mmu_pages) {
1443                        struct kvm_mmu_page *page;
1444
1445                        page = container_of(kvm->arch.active_mmu_pages.prev,
1446                                            struct kvm_mmu_page, link);
1447                        kvm_mmu_zap_page(kvm, page);
1448                        used_pages--;
1449                }
1450                kvm->arch.n_free_mmu_pages = 0;
1451        }
1452        else
1453                kvm->arch.n_free_mmu_pages += kvm_nr_mmu_pages
1454                                         - kvm->arch.n_alloc_mmu_pages;
1455
1456        kvm->arch.n_alloc_mmu_pages = kvm_nr_mmu_pages;
1457}
1458
/*
 * Zap every non-direct shadow page of guest frame @gfn so the guest can
 * write to it without trapping.  Returns 1 if at least one page was
 * found, 0 otherwise.
 *
 * kvm_mmu_zap_page() may also zap unsync children that live in this very
 * bucket; when it reports that, the walk restarts from the bucket head
 * because the saved next pointer may belong to a freed page.
 */
static int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
{
	struct hlist_head *bucket;
	struct hlist_node *node, *next;
	struct kvm_mmu_page *sp;
	int found = 0;

	pgprintk("%s: looking for gfn %lx\n", __func__, gfn);
	bucket = &kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
restart:
	hlist_for_each_entry_safe(sp, node, next, bucket, hash_link) {
		if (sp->gfn != gfn || sp->role.direct)
			continue;
		pgprintk("%s: gfn %lx role %x\n", __func__, gfn,
			 sp->role.word);
		found = 1;
		if (kvm_mmu_zap_page(kvm, sp))
			goto restart;
	}

	return found;
}
1481
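/*
 * Zap every live, non-direct shadow page of guest frame @gfn.
 *
 * kvm_mmu_zap_page() also zaps the page's unsync children, and those may
 * sit in the same hash bucket, including at the position the _safe walk
 * saved as "next".  When it reports that other pages were zapped, the
 * walk restarts from the bucket head, as kvm_mmu_unprotect_page() does.
 * Restarting cannot match a page twice: a zapped page is either gone from
 * the bucket or marked invalid, and invalid pages are skipped here.
 */
static void mmu_unshadow(struct kvm *kvm, gfn_t gfn)
{
	unsigned index;
	struct hlist_head *bucket;
	struct kvm_mmu_page *sp;
	struct hlist_node *node, *nn;

	index = kvm_page_table_hashfn(gfn);
	bucket = &kvm->arch.mmu_page_hash[index];
restart:
	hlist_for_each_entry_safe(sp, node, nn, bucket, hash_link) {
		if (sp->gfn == gfn && !sp->role.direct
		    && !sp->role.invalid) {
			pgprintk("%s: zap %lx %x\n",
				 __func__, gfn, sp->role.word);
			if (kvm_mmu_zap_page(kvm, sp))
				goto restart;
		}
	}
}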
1500
/*
 * Note in the shadow page containing @pte that it now maps memory from
 * the memslot holding @gfn, by setting that slot's bit in the page's
 * slot_bitmap.
 */
static void page_header_update_slot(struct kvm *kvm, void *pte, gfn_t gfn)
{
	struct kvm_memory_slot *memslot = gfn_to_memslot(kvm, gfn);
	int slot = memslot_id(kvm, memslot);
	struct kvm_mmu_page *sp = page_header(__pa(pte));

	__set_bit(slot, sp->slot_bitmap);
}
1508
/*
 * Turn every "notrap" non-present entry of @sp into a trapping one.
 * Called from kvm_unsync_page() when the page goes out of sync with the
 * guest table.  Nothing to do when the two encodings are the same value.
 */
static void mmu_convert_notrap(struct kvm_mmu_page *sp)
{
	u64 *ent, *end;

	if (shadow_trap_nonpresent_pte == shadow_notrap_nonpresent_pte)
		return;

	for (ent = sp->spt, end = ent + PT64_ENT_PER_PAGE; ent < end; ent++) {
		if (*ent == shadow_notrap_nonpresent_pte)
			set_shadow_pte(ent, shadow_trap_nonpresent_pte);
	}
}
1522
/*
 * Translate guest virtual @gva through the current guest paging mode and
 * return the host page backing it, or NULL if the gva is not mapped.
 * Whatever reference gfn_to_page() takes is handed straight to the caller.
 */
struct page *gva_to_page(struct kvm_vcpu *vcpu, gva_t gva)
{
	gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, gva);

	if (gpa == UNMAPPED_GVA)
		return NULL;

	return gfn_to_page(vcpu->kvm, gpa >> PAGE_SHIFT);
}
1536
1537/*
1538 * The function is based on mtrr_type_lookup() in
1539 * arch/x86/kernel/cpu/mtrr/generic.c
1540 */
1541static int get_mtrr_type(struct mtrr_state_type *mtrr_state,
1542                         u64 start, u64 end)
1543{
1544        int i;
1545        u64 base, mask;
1546        u8 prev_match, curr_match;
1547        int num_var_ranges = KVM_NR_VAR_MTRR;
1548
1549        if (!mtrr_state->enabled)
1550                return 0xFF;
1551
1552        /* Make end inclusive end, instead of exclusive */
1553        end--;
1554
1555        /* Look in fixed ranges. Just return the type as per start */
1556        if (mtrr_state->have_fixed && (start < 0x100000)) {
1557                int idx;
1558
1559                if (start < 0x80000) {
1560                        idx = 0;
1561                        idx += (start >> 16);
1562                        return mtrr_state->fixed_ranges[idx];
1563                } else if (start < 0xC0000) {
1564                        idx = 1 * 8;
1565                        idx += ((start - 0x80000) >> 14);
1566                        return mtrr_state->fixed_ranges[idx];
1567                } else if (start < 0x1000000) {
1568                        idx = 3 * 8;
1569                        idx += ((start - 0xC0000) >> 12);
1570                        return mtrr_state->fixed_ranges[idx];
1571                }
1572        }
1573
1574        /*
1575         * Look in variable ranges
1576         * Look of multiple ranges matching this address and pick type
1577         * as per MTRR precedence
1578         */
1579        if (!(mtrr_state->enabled & 2))
1580                return mtrr_state->def_type;
1581
1582        prev_match = 0xFF;
1583        for (i = 0; i < num_var_ranges; ++i) {
1584                unsigned short start_state, end_state;
1585
1586                if (!(mtrr_state->var_ranges[i].mask_lo & (1 << 11)))
1587                        continue;
1588
1589                base = (((u64)mtrr_state->var_ranges[i].base_hi) << 32) +
1590                       (mtrr_state->var_ranges[i].base_lo & PAGE_MASK);
1591                mask = (((u64)mtrr_state->var_ranges[i].mask_hi) << 32) +
1592                       (mtrr_state->var_ranges[i].mask_lo & PAGE_MASK);
1593
1594                start_state = ((start & mask) == (base & mask));
1595                end_state = ((end & mask) == (base & mask));
1596                if (start_state != end_state)
1597                        return 0xFE;
1598
1599                if ((start & mask) != (base & mask))
1600                        continue;
1601
1602                curr_match = mtrr_state->var_ranges[i].base_lo & 0xff;
1603                if (prev_match == 0xFF) {
1604                        prev_match = curr_match;
1605                        continue;
1606                }
1607
1608                if (prev_match == MTRR_TYPE_UNCACHABLE ||
1609                    curr_match == MTRR_TYPE_UNCACHABLE)
1610                        return MTRR_TYPE_UNCACHABLE;
1611
1612                if ((prev_match == MTRR_TYPE_WRBACK &&
1613                     curr_match == MTRR_TYPE_WRTHROUGH) ||
1614                    (prev_match == MTRR_TYPE_WRTHROUGH &&
1615                     curr_match == MTRR_TYPE_WRBACK)) {
1616                        prev_match = MTRR_TYPE_WRTHROUGH;
1617                        curr_match = MTRR_TYPE_WRTHROUGH;
1618                }
1619
1620                if (prev_match != curr_match)
1621                        return MTRR_TYPE_UNCACHABLE;
1622        }
1623
1624        if (prev_match != 0xFF)
1625                return prev_match;
1626
1627        return mtrr_state->def_type;
1628}
1629
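/*
 * Memory type the guest's MTRRs assign to guest frame @gfn.  The two
 * sentinel results of get_mtrr_type() (0xFF: MTRRs disabled; 0xFE: the
 * page straddles a variable-range boundary) are mapped to write-back.
 *
 * The frame number is widened to u64 before the shift: gfn_t's width is
 * not visible here, and a 32-bit gfn_t would otherwise truncate the
 * physical address of every frame at or above 4GB before get_mtrr_type()
 * sees it.
 */
u8 kvm_get_guest_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn)
{
	u64 start = (u64)gfn << PAGE_SHIFT;
	u8 mtrr;

	mtrr = get_mtrr_type(&vcpu->arch.mtrr_state, start, start + PAGE_SIZE);
	if (mtrr == 0xfe || mtrr == 0xff)
		mtrr = MTRR_TYPE_WRBACK;
	return mtrr;
}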
1641
/*
 * Let the leaf shadow page @sp go out of sync with its guest page table,
 * so the guest frame can be mapped writable instead of write-protected.
 * Refused (returns 1) when the same guest frame is also shadowed under a
 * different role; such a frame must keep trapping writes.  On success the
 * page is flagged unsync, its ancestors are marked, its notrap entries are
 * converted to trapping ones, and 0 is returned.
 */
static int kvm_unsync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
{
	struct kvm *kvm = vcpu->kvm;
	struct hlist_head *bucket;
	struct hlist_node *pos;
	struct kvm_mmu_page *other;

	bucket = &kvm->arch.mmu_page_hash[kvm_page_table_hashfn(sp->gfn)];
	/* don't unsync if pagetable is shadowed with multiple roles */
	hlist_for_each_entry(other, pos, bucket, hash_link) {
		if (other->gfn != sp->gfn || other->role.direct)
			continue;
		if (other->role.word != sp->role.word)
			return 1;
	}

	++kvm->stat.mmu_unsync;
	sp->unsync = 1;
	kvm_mmu_mark_parents_unsync(vcpu, sp);
	mmu_convert_notrap(sp);

	return 0;
}
1666
/*
 * Decide whether a writable mapping of guest frame @gfn must instead be
 * write-protected because @gfn is itself shadowed as a guest page table.
 * Returns 1 to write-protect, 0 to allow the write.  An already-unsync
 * shadow page needs no protection; a synced leaf page may be taken out of
 * sync instead when @can_unsync and the oos_shadow knob both allow it (the
 * result of that attempt decides); a non-leaf shadow page is always
 * protected.
 */
static int mmu_need_write_protect(struct kvm_vcpu *vcpu, gfn_t gfn,
				  bool can_unsync)
{
	struct kvm_mmu_page *shadow = kvm_mmu_lookup_page(vcpu->kvm, gfn);

	if (!shadow)
		return 0;
	if (shadow->role.level != PT_PAGE_TABLE_LEVEL)
		return 1;
	if (shadow->unsync)
		return 0;
	if (!can_unsync || !oos_shadow)
		return 1;

	return kvm_unsync_page(vcpu, shadow);
}
1684
/*
 * Build and install the shadow pte @shadow_pte mapping guest frame @gfn to
 * host frame @pfn, with permissions derived from @pte_access and from the
 * fault being handled.
 *
 * @pte_access:  ACC_* bits granted by the guest page tables.
 * @user_fault:  the fault came from user mode.
 * @write_fault: the fault was a write.
 * @dirty:       presumably the guest pte's dirty bit; when clear, write
 *               access is dropped so the first write faults again.
 * @largepage:   install a 2MB mapping.
 * @speculative: the pte is being prefetched rather than demanded, so the
 *               accessed bit is left clear (see the comment below).
 * @can_unsync:  a shadow page for @gfn may go out of sync instead of
 *               forcing this mapping read-only.
 *
 * Returns nonzero when the mapping was installed less permissive than
 * requested (write-protected, or not installed at all); mmu_set_spte()
 * then flushes the TLB and, for a write fault, reports ptwrite.
 */
static int set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
		    unsigned pte_access, int user_fault,
		    int write_fault, int dirty, int largepage,
		    gfn_t gfn, pfn_t pfn, bool speculative,
		    bool can_unsync)
{
	u64 spte;
	int ret = 0;

	/*
	 * We don't set the accessed bit, since we sometimes want to see
	 * whether the guest actually used the pte (in order to detect
	 * demand paging).
	 */
	spte = shadow_base_present_pte | shadow_dirty_mask;
	if (!speculative)
		spte |= shadow_accessed_mask;
	/* a clean guest pte is never mapped writable */
	if (!dirty)
		pte_access &= ~ACC_WRITE_MASK;
	if (pte_access & ACC_EXEC_MASK)
		spte |= shadow_x_mask;
	else
		spte |= shadow_nx_mask;
	if (pte_access & ACC_USER_MASK)
		spte |= shadow_user_mask;
	if (largepage)
		spte |= PT_PAGE_SIZE_MASK;
	/* with two-dimensional paging the memory type is carried in the pte */
	if (tdp_enabled)
		spte |= kvm_x86_ops->get_mt_mask(vcpu, gfn,
			kvm_is_mmio_pfn(pfn));

	spte |= (u64)pfn << PAGE_SHIFT;

	/*
	 * Writable if the guest pte allows it, or for a supervisor write
	 * fault while the guest runs without write protection (presumably
	 * CR0.WP clear; is_write_protection() is not visible here).
	 */
	if ((pte_access & ACC_WRITE_MASK)
	    || (write_fault && !is_write_protection(vcpu) && !user_fault)) {

		/*
		 * A writable 2MB mapping would presumably cover a 4K frame
		 * that must stay write-protected: install nothing, report
		 * it, and let the caller fall back.
		 */
		if (largepage && has_wrprotected_page(vcpu->kvm, gfn)) {
			ret = 1;
			spte = shadow_trap_nonpresent_pte;
			goto set_pte;
		}

		spte |= PT_WRITABLE_MASK;

		/*
		 * Optimization: for pte sync, if spte was writable the hash
		 * lookup is unnecessary (and expensive). Write protection
		 * is responsibility of mmu_get_page / kvm_sync_page.
		 * Same reasoning can be applied to dirty page accounting.
		 */
		if (!can_unsync && is_writeble_pte(*shadow_pte))
			goto set_pte;

		/*
		 * The frame is itself a shadowed guest page table: drop
		 * write access so guest writes to it keep trapping (unless
		 * the shadow page was allowed to go unsync instead).
		 */
		if (mmu_need_write_protect(vcpu, gfn, can_unsync)) {
			pgprintk("%s: found shadow page for %lx, marking ro\n",
				 __func__, gfn);
			ret = 1;
			pte_access &= ~ACC_WRITE_MASK;
			if (is_writeble_pte(spte))
				spte &= ~PT_WRITABLE_MASK;
		}
	}

	/*
	 * Dirty tracking keys off pte_access, which the CR0.WP path above
	 * does not set even though it makes the spte writable.
	 */
	if (pte_access & ACC_WRITE_MASK)
		mark_page_dirty(vcpu->kvm, gfn);

set_pte:
	set_shadow_pte(shadow_pte, spte);
	return ret;
}
1755
/*
 * Install a leaf shadow pte for @gfn -> @pfn at @shadow_pte and reconcile
 * the reverse map, the large-page counter and the pfn reference with what
 * the slot held before.
 *
 * set_spte() computes the new value; when it reports that write
 * protection got in the way, *ptwrite is set to 1 for a write fault and the
 * TLB is flushed.  The caller's reference on @pfn is consumed here: it is
 * released (clean or dirty, depending on whether the old pte was writable)
 * unless the freshly added rmap entry keeps it.
 *
 * NOTE(review): callers visible in this file (__direct_map()) run under
 * mmu_lock; confirm that is the general contract.
 */
static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *shadow_pte,
			 unsigned pt_access, unsigned pte_access,
			 int user_fault, int write_fault, int dirty,
			 int *ptwrite, int largepage, gfn_t gfn,
			 pfn_t pfn, bool speculative)
{
	int was_rmapped = 0;
	/* Snapshot before set_spte() overwrites the slot: decides clean vs dirty release. */
	int was_writeble = is_writeble_pte(*shadow_pte);
	int rmap_count;

	pgprintk("%s: spte %llx access %x write_fault %d"
		 " user_fault %d gfn %lx\n",
		 __func__, *shadow_pte, pt_access,
		 write_fault, user_fault, gfn);

	if (is_rmap_pte(*shadow_pte)) {
		/*
		 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
		 * the parent of the now unreachable PTE.
		 */
		if (largepage && !is_large_pte(*shadow_pte)) {
			struct kvm_mmu_page *child;
			u64 pte = *shadow_pte;

			child = page_header(pte & PT64_BASE_ADDR_MASK);
			mmu_page_remove_parent_pte(child, shadow_pte);
		} else if (pfn != spte_to_pfn(*shadow_pte)) {
			/* Slot pointed at a different host page: drop its rmap entry. */
			pgprintk("hfn old %lx new %lx\n",
				 spte_to_pfn(*shadow_pte), pfn);
			rmap_remove(vcpu->kvm, shadow_pte);
		} else
			/* Same pfn already mapped: keep the existing rmap entry. */
			was_rmapped = 1;
	}
	/*
	 * Non-zero means set_spte() had to refuse or downgrade the mapping
	 * (write-protected guest page table, or a large page overlapping one);
	 * a write fault then needs the emulator, and stale TLB entries must go.
	 */
	if (set_spte(vcpu, shadow_pte, pte_access, user_fault, write_fault,
		      dirty, largepage, gfn, pfn, speculative, true)) {
		if (write_fault)
			*ptwrite = 1;
		kvm_x86_ops->tlb_flush(vcpu);
	}

	pgprintk("%s: setting spte %llx\n", __func__, *shadow_pte);
	pgprintk("instantiating %s PTE (%s) at %ld (%llx) addr %p\n",
		 is_large_pte(*shadow_pte)? "2MB" : "4kB",
		 is_present_pte(*shadow_pte)?"RW":"R", gfn,
		 *shadow_pte, shadow_pte);
	/* Only a brand-new large mapping counts; a re-map of the same pfn does not. */
	if (!was_rmapped && is_large_pte(*shadow_pte))
		++vcpu->kvm->stat.lpages;

	page_header_update_slot(vcpu->kvm, shadow_pte, gfn);
	if (!was_rmapped) {
		rmap_count = rmap_add(vcpu, shadow_pte, gfn, largepage);
		/*
		 * If the new entry is not an rmap pte (e.g. set_spte() left it
		 * non-present), no mapping holds the reference: drop it now.
		 */
		if (!is_rmap_pte(*shadow_pte))
			kvm_release_pfn_clean(pfn);
		/* Too many sptes on one gfn: recycle to bound rmap chain length. */
		if (rmap_count > RMAP_RECYCLE_THRESHOLD)
			rmap_recycle(vcpu, gfn, largepage);
	} else {
		/* Existing mapping keeps its reference; release the caller's one. */
		if (was_writeble)
			kvm_release_pfn_dirty(pfn);
		else
			kvm_release_pfn_clean(pfn);
	}
	/* Remembered for kvm_mmu_access_page()/last_updated_pte_accessed(). */
	if (speculative) {
		vcpu->arch.last_pte_updated = shadow_pte;
		vcpu->arch.last_pte_gfn = gfn;
	}
}
1822
/*
 * new_cr3 hook for the nonpaging and TDP contexts (see
 * nonpaging_init_context() and init_kvm_tdp_mmu()).  Intentionally empty:
 * nothing is done on a guest cr3 load; compare paging_new_cr3(), which
 * frees the shadow roots.
 */
static void nonpaging_new_cr3(struct kvm_vcpu *vcpu)
{
}
1826
/*
 * Walk the shadow page table for the guest-physical address of @gfn and
 * install a leaf mapping to @pfn, creating intermediate shadow pages on
 * the way down.  The leaf goes in at PT_PAGE_TABLE_LEVEL, or at
 * PT_DIRECTORY_LEVEL when @largepage is set.
 *
 * @v is not used by the walk (only @gfn is).
 *
 * Returns the pt_write flag produced by mmu_set_spte() (1 when a write
 * fault hit a write-protected page), or -ENOMEM if an intermediate shadow
 * page could not be obtained; the reference on @pfn is dropped on that
 * path.  Caller holds mmu_lock (see nonpaging_map()/tdp_page_fault()).
 */
static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
			int largepage, gfn_t gfn, pfn_t pfn)
{
	struct kvm_shadow_walk_iterator iterator;
	struct kvm_mmu_page *sp;
	int pt_write = 0;
	gfn_t pseudo_gfn;

	for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
		if (iterator.level == PT_PAGE_TABLE_LEVEL
		    || (largepage && iterator.level == PT_DIRECTORY_LEVEL)) {
			/* Leaf level reached: ACC_ALL because there is no guest pte to honour. */
			mmu_set_spte(vcpu, iterator.sptep, ACC_ALL, ACC_ALL,
				     0, write, 1, &pt_write,
				     largepage, gfn, pfn, false);
			++vcpu->stat.pf_fixed;
			break;
		}

		if (*iterator.sptep == shadow_trap_nonpresent_pte) {
			/*
			 * Missing intermediate table: the shadow page is keyed by
			 * the guest-physical base of the region it covers and is
			 * "direct" (no guest page table behind it).
			 */
			pseudo_gfn = (iterator.addr & PT64_DIR_BASE_ADDR_MASK) >> PAGE_SHIFT;
			sp = kvm_mmu_get_page(vcpu, pseudo_gfn, iterator.addr,
					      iterator.level - 1,
					      1, ACC_ALL, iterator.sptep);
			if (!sp) {
				pgprintk("nonpaging_map: ENOMEM\n");
				kvm_release_pfn_clean(pfn);
				return -ENOMEM;
			}

			/* Link the new table in; permissions are enforced at the leaf. */
			set_shadow_pte(iterator.sptep,
				       __pa(sp->spt)
				       | PT_PRESENT_MASK | PT_WRITABLE_MASK
				       | shadow_user_mask | shadow_x_mask);
		}
	}
	return pt_write;
}
1864
/*
 * Resolve a fault on @gfn for a guest that is not paging: pin the host
 * page and map it directly through the shadow table.
 *
 * Returns 1 if the gfn has no host page (treated as mmio), 0 if the
 * mapping was abandoned because an mmu notifier raced with the lookup
 * (the caller will re-fault), otherwise the pt_write result of
 * __direct_map().
 *
 * @v is passed through to __direct_map(), which does not use it.
 */
static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
{
	int r;
	int largepage = 0;
	pfn_t pfn;
	unsigned long mmu_seq;

	/* Map the whole aligned host huge page when the backing allows it. */
	if (is_largepage_backed(vcpu, gfn & ~(KVM_PAGES_PER_HPAGE-1))) {
		gfn &= ~(KVM_PAGES_PER_HPAGE-1);
		largepage = 1;
	}

	/*
	 * Snapshot the notifier sequence before translating gfn -> pfn;
	 * mmu_notifier_retry() below detects an invalidation that ran in
	 * between.  The barrier orders the snapshot ahead of the lookup.
	 */
	mmu_seq = vcpu->kvm->mmu_notifier_seq;
	smp_rmb();
	pfn = gfn_to_pfn(vcpu->kvm, gfn);

	/* mmio */
	if (is_error_pfn(pfn)) {
		kvm_release_pfn_clean(pfn);
		return 1;
	}

	spin_lock(&vcpu->kvm->mmu_lock);
	if (mmu_notifier_retry(vcpu, mmu_seq))
		goto out_unlock;
	kvm_mmu_free_some_pages(vcpu);
	/* __direct_map() owns the pfn reference from here on. */
	r = __direct_map(vcpu, v, write, largepage, gfn, pfn);
	spin_unlock(&vcpu->kvm->mmu_lock);


	return r;

out_unlock:
	spin_unlock(&vcpu->kvm->mmu_lock);
	kvm_release_pfn_clean(pfn);
	return 0;
}
1902
1903
/*
 * Drop this vcpu's references on its shadow root page(s) and mark the
 * root invalid.  A root page whose count reaches zero is zapped only if
 * it was already flagged invalid; otherwise it stays cached.
 *
 * No-op when no root is currently installed.  Takes mmu_lock.
 */
static void mmu_free_roots(struct kvm_vcpu *vcpu)
{
	int i;
	struct kvm_mmu_page *sp;

	if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
		return;
	spin_lock(&vcpu->kvm->mmu_lock);
	if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
		/* Single 4-level root page. */
		hpa_t root = vcpu->arch.mmu.root_hpa;

		sp = page_header(root);
		--sp->root_count;
		if (!sp->root_count && sp->role.invalid)
			kvm_mmu_zap_page(vcpu->kvm, sp);
		vcpu->arch.mmu.root_hpa = INVALID_PAGE;
		spin_unlock(&vcpu->kvm->mmu_lock);
		return;
	}
	/* PAE layout: four root pages, one per pae_root entry. */
	for (i = 0; i < 4; ++i) {
		hpa_t root = vcpu->arch.mmu.pae_root[i];

		if (root) {
			/* Strip the PT_PRESENT_MASK set by mmu_alloc_roots(). */
			root &= PT64_BASE_ADDR_MASK;
			sp = page_header(root);
			--sp->root_count;
			if (!sp->root_count && sp->role.invalid)
				kvm_mmu_zap_page(vcpu->kvm, sp);
		}
		vcpu->arch.mmu.pae_root[i] = INVALID_PAGE;
	}
	spin_unlock(&vcpu->kvm->mmu_lock);
	vcpu->arch.mmu.root_hpa = INVALID_PAGE;
}
1938
/*
 * Check that the guest frame a root page table would be built from lies
 * in a visible memslot.  An unreachable root is fatal for the guest: a
 * triple fault is requested on the vcpu and 1 is returned so the caller
 * abandons root allocation.  Returns 0 when the gfn is visible.
 */
static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn)
{
	if (kvm_is_visible_gfn(vcpu->kvm, root_gfn))
		return 0;

	set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
	return 1;
}
1950
/*
 * Allocate the shadow root page(s) for the current guest paging mode and
 * install them in vcpu->arch.mmu.
 *
 * Long-mode shadow (PT64_ROOT_LEVEL): one root keyed by the gfn of cr3.
 * Otherwise the PAE layout is used: four root pages, each covering 1GB of
 * guest virtual space, whose gfn comes from the guest's pdptrs (PAE
 * guest), stays at cr3's gfn (legacy 32-bit guest) or is 0 (nonpaging).
 * Roots are "direct" when the guest is not paging or TDP is enabled.
 *
 * Returns 1 if a root gfn is not visible (a triple fault has been
 * requested by mmu_check_root()), 0 on success.  Expects mmu_lock held
 * and no root currently installed.
 *
 * NOTE(review): kvm_mmu_get_page() is used unchecked here, whereas
 * __direct_map() tests it for NULL; confirm it cannot fail once the memory
 * caches have been topped up.
 */
static int mmu_alloc_roots(struct kvm_vcpu *vcpu)
{
	int i;
	gfn_t root_gfn;
	struct kvm_mmu_page *sp;
	int direct = 0;

	root_gfn = vcpu->arch.cr3 >> PAGE_SHIFT;

	if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
		hpa_t root = vcpu->arch.mmu.root_hpa;

		ASSERT(!VALID_PAGE(root));
		if (tdp_enabled)
			direct = 1;
		if (mmu_check_root(vcpu, root_gfn))
			return 1;
		sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
				      PT64_ROOT_LEVEL, direct,
				      ACC_ALL, NULL);
		root = __pa(sp->spt);
		/* Balanced by mmu_free_roots(). */
		++sp->root_count;
		vcpu->arch.mmu.root_hpa = root;
		return 0;
	}
	direct = !is_paging(vcpu);
	if (tdp_enabled)
		direct = 1;
	for (i = 0; i < 4; ++i) {
		hpa_t root = vcpu->arch.mmu.pae_root[i];

		ASSERT(!VALID_PAGE(root));
		if (vcpu->arch.mmu.root_level == PT32E_ROOT_LEVEL) {
			/* A non-present pdptr leaves that quarter unmapped. */
			if (!is_present_pte(vcpu->arch.pdptrs[i])) {
				vcpu->arch.mmu.pae_root[i] = 0;
				continue;
			}
			root_gfn = vcpu->arch.pdptrs[i] >> PAGE_SHIFT;
		} else if (vcpu->arch.mmu.root_level == 0)
			root_gfn = 0;
		if (mmu_check_root(vcpu, root_gfn))
			return 1;
		/* i << 30: guest virtual base of the i-th 1GB quarter. */
		sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30,
				      PT32_ROOT_LEVEL, direct,
				      ACC_ALL, NULL);
		root = __pa(sp->spt);
		++sp->root_count;
		vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
	}
	/* The hardware root is the pae_root table itself. */
	vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
	return 0;
}
2003
/*
 * Bring the unsynced children of every installed shadow root up to date
 * (see mmu_sync_children()).  Handles both the single long-mode root and
 * the four PAE roots; a PAE slot that is 0 or invalid is skipped.  Does
 * nothing when no root is installed.  Caller holds mmu_lock.
 */
static void mmu_sync_roots(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;
	int idx;

	if (!VALID_PAGE(mmu->root_hpa))
		return;

	if (mmu->shadow_root_level == PT64_ROOT_LEVEL) {
		mmu_sync_children(vcpu, page_header(mmu->root_hpa));
		return;
	}

	for (idx = 0; idx < 4; ++idx) {
		hpa_t pae_root = mmu->pae_root[idx];

		if (!pae_root || !VALID_PAGE(pae_root))
			continue;
		/* Drop the PT_PRESENT_MASK bit set by mmu_alloc_roots(). */
		pae_root &= PT64_BASE_ADDR_MASK;
		mmu_sync_children(vcpu, page_header(pae_root));
	}
}
2027
/*
 * Locked entry point for mmu_sync_roots(): takes mmu_lock around the
 * root synchronisation.
 */
void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
{
	struct kvm *kvm = vcpu->kvm;

	spin_lock(&kvm->mmu_lock);
	mmu_sync_roots(vcpu);
	spin_unlock(&kvm->mmu_lock);
}
2034
/*
 * gva_to_gpa hook when the guest is not paging: guest virtual addresses
 * are guest physical addresses, so the value is returned unchanged.
 */
static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr)
{
	gpa_t paddr = vaddr;

	return paddr;
}
2039
/*
 * page_fault hook for a non-paging guest.  Tops up the per-vcpu memory
 * caches first (returning that error if it fails), then maps the faulting
 * page via nonpaging_map().  Only the write bit of @error_code matters.
 */
static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
				u32 error_code)
{
	int write_fault = error_code & PFERR_WRITE_MASK;
	int topup;

	pgprintk("%s: gva %lx error %x\n", __func__, gva, error_code);
	topup = mmu_topup_memory_caches(vcpu);
	if (topup)
		return topup;

	ASSERT(vcpu);
	ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));

	return nonpaging_map(vcpu, gva & PAGE_MASK, write_fault,
			     gva >> PAGE_SHIFT);
}
2059
/*
 * page_fault hook when two-dimensional paging is enabled.  @gpa is the
 * guest-physical address the hardware failed to translate; it is mapped
 * directly through __direct_map() like the nonpaging case.
 *
 * Returns the memory-cache top-up error if that fails, 1 if the gfn has no
 * host page, 0 if an mmu notifier raced with the lookup (caller re-faults),
 * otherwise the pt_write result of __direct_map().
 */
static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
				u32 error_code)
{
	pfn_t pfn;
	int r;
	int largepage = 0;
	gfn_t gfn = gpa >> PAGE_SHIFT;
	unsigned long mmu_seq;

	ASSERT(vcpu);
	ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));

	r = mmu_topup_memory_caches(vcpu);
	if (r)
		return r;

	/* Map the whole aligned host huge page when the backing allows it. */
	if (is_largepage_backed(vcpu, gfn & ~(KVM_PAGES_PER_HPAGE-1))) {
		gfn &= ~(KVM_PAGES_PER_HPAGE-1);
		largepage = 1;
	}
	/*
	 * Sequence snapshot before the gfn -> pfn lookup; mmu_notifier_retry()
	 * under the lock catches an invalidation that ran in between.
	 */
	mmu_seq = vcpu->kvm->mmu_notifier_seq;
	smp_rmb();
	pfn = gfn_to_pfn(vcpu->kvm, gfn);
	if (is_error_pfn(pfn)) {
		kvm_release_pfn_clean(pfn);
		return 1;
	}
	spin_lock(&vcpu->kvm->mmu_lock);
	if (mmu_notifier_retry(vcpu, mmu_seq))
		goto out_unlock;
	kvm_mmu_free_some_pages(vcpu);
	/* __direct_map() owns the pfn reference from here on. */
	r = __direct_map(vcpu, gpa, error_code & PFERR_WRITE_MASK,
			 largepage, gfn, pfn);
	spin_unlock(&vcpu->kvm->mmu_lock);

	return r;

out_unlock:
	spin_unlock(&vcpu->kvm->mmu_lock);
	kvm_release_pfn_clean(pfn);
	return 0;
}
2102
/*
 * free hook for the nonpaging and TDP contexts: releasing the shadow
 * roots is all there is to tear down.
 */
static void nonpaging_free(struct kvm_vcpu *vcpu)
{
	mmu_free_roots(vcpu);
}
2107
/*
 * Set up vcpu->arch.mmu for a guest that is not paging.  The shadow table
 * is a PAE-style (PT32E_ROOT_LEVEL) tree with no guest level behind it,
 * and no root is installed yet.  Always returns 0.
 */
static int nonpaging_init_context(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;

	mmu->root_hpa = INVALID_PAGE;
	mmu->root_level = 0;
	mmu->shadow_root_level = PT32E_ROOT_LEVEL;

	mmu->new_cr3 = nonpaging_new_cr3;
	mmu->free = nonpaging_free;
	mmu->page_fault = nonpaging_page_fault;
	mmu->gva_to_gpa = nonpaging_gva_to_gpa;
	mmu->prefetch_page = nonpaging_prefetch_page;
	mmu->sync_page = nonpaging_sync_page;
	mmu->invlpg = nonpaging_invlpg;

	return 0;
}
2124
/*
 * Flush this vcpu's TLB through the backend and account it in the vcpu
 * statistics.
 */
void kvm_mmu_flush_tlb(struct kvm_vcpu *vcpu)
{
	vcpu->stat.tlb_flush++;
	kvm_x86_ops->tlb_flush(vcpu);
}
2130
/*
 * new_cr3 hook for the paging contexts: the shadow roots were built from
 * the old cr3, so they are released; the next kvm_mmu_load() rebuilds them.
 */
static void paging_new_cr3(struct kvm_vcpu *vcpu)
{
	unsigned long cr3 = vcpu->arch.cr3;

	pgprintk("%s: cr3 %lx\n", __func__, cr3);
	mmu_free_roots(vcpu);
}
2136
/*
 * Deliver a page fault for @addr with @err_code to the guest.  Thin
 * wrapper kept so the paging templates have a local name to call.
 */
static void inject_page_fault(struct kvm_vcpu *vcpu,
			      u64 addr,
			      u32 err_code)
{
	kvm_inject_page_fault(vcpu, addr, err_code);
}
2143
/*
 * free hook for the paging contexts; identical to the nonpaging teardown
 * (drop the shadow roots).
 */
static void paging_free(struct kvm_vcpu *vcpu)
{
	nonpaging_free(vcpu);
}
2148
/*
 * Test a guest page-table entry @gpte found at level @level (1-based)
 * against the reserved-bit mask for that level.  Bit 7 of the entry
 * selects which of the two mask rows applies (see reset_rsvds_bits_mask()).
 * Returns true if any reserved bit is set.
 */
static bool is_rsvd_bits_set(struct kvm_vcpu *vcpu, u64 gpte, int level)
{
	const u64 *masks = vcpu->arch.mmu.rsvd_bits_mask[(gpte >> 7) & 1];

	return !!(gpte & masks[level - 1]);
}
2156
2157#define PTTYPE 64
2158#include "paging_tmpl.h"
2159#undef PTTYPE
2160
2161#define PTTYPE 32
2162#include "paging_tmpl.h"
2163#undef PTTYPE
2164
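/*
 * Build the reserved-bit masks consulted by is_rsvd_bits_set() for the
 * guest paging mode given by @level.
 *
 * rsvd_bits_mask[b7][l - 1] is the mask applied to a guest entry at page
 * table level l whose bit 7 equals b7.  At directory levels bit 7 is PS
 * and selects the large-page layout; at the 4K level bit 7 is PAT, so both
 * rows must carry the same PTE mask at index [*][0].  Bit 63 is reserved
 * unless the guest has NX enabled.
 *
 * @level: PT32_ROOT_LEVEL, PT32E_ROOT_LEVEL or PT64_ROOT_LEVEL.  Any other
 * value leaves the masks untouched.
 */
static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu, int level)
{
	struct kvm_mmu *context = &vcpu->arch.mmu;
	int maxphyaddr = cpuid_maxphyaddr(vcpu);
	u64 exb_bit_rsvd = 0;

	if (!is_nx(vcpu))
		exb_bit_rsvd = rsvd_bits(63, 63);
	switch (level) {
	case PT32_ROOT_LEVEL:
		/* no rsvd bits for 2 level 4K page table entries */
		context->rsvd_bits_mask[0][1] = 0;
		context->rsvd_bits_mask[0][0] = 0;
		if (is_cpuid_PSE36())
			/* 36bits PSE 4MB page */
			context->rsvd_bits_mask[1][1] = rsvd_bits(17, 21);
		else
			/* 32 bits PSE 4MB page */
			context->rsvd_bits_mask[1][1] = rsvd_bits(13, 21);
		/* bit 7 of a 4K pte is PAT, not PS: same mask for both rows */
		context->rsvd_bits_mask[1][0] = context->rsvd_bits_mask[0][0];
		break;
	case PT32E_ROOT_LEVEL:
		context->rsvd_bits_mask[0][2] =
			rsvd_bits(maxphyaddr, 63) |
			rsvd_bits(7, 8) | rsvd_bits(1, 2);	/* PDPTE */
		context->rsvd_bits_mask[0][1] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 62);	/* PDE */
		context->rsvd_bits_mask[0][0] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 62);	/* PTE */
		context->rsvd_bits_mask[1][1] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 62) |
			rsvd_bits(13, 20);		/* large page */
		/* bit 7 of a 4K pte is PAT, not PS: same mask for both rows */
		context->rsvd_bits_mask[1][0] = context->rsvd_bits_mask[0][0];
		break;
	case PT64_ROOT_LEVEL:
		context->rsvd_bits_mask[0][3] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 51) | rsvd_bits(7, 8);
		context->rsvd_bits_mask[0][2] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 51) | rsvd_bits(7, 8);
		context->rsvd_bits_mask[0][1] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 51);
		context->rsvd_bits_mask[0][0] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 51);
		/* PS is itself reserved at the top two levels: rows are identical. */
		context->rsvd_bits_mask[1][3] = context->rsvd_bits_mask[0][3];
		context->rsvd_bits_mask[1][2] = context->rsvd_bits_mask[0][2];
		context->rsvd_bits_mask[1][1] = exb_bit_rsvd |
			rsvd_bits(maxphyaddr, 51) |
			rsvd_bits(13, 20);		/* large page */
		/* bit 7 of a 4K pte is PAT, not PS: same mask for both rows */
		context->rsvd_bits_mask[1][0] = context->rsvd_bits_mask[0][0];
		break;
	default:
		break;
	}
}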
2217
/*
 * Common setup for the 64-bit-entry paging contexts (long mode and PAE):
 * the guest and shadow trees both use @level levels and the paging64
 * template hooks.  Requires PAE to be enabled in the guest.  Always
 * returns 0.
 */
static int paging64_init_context_common(struct kvm_vcpu *vcpu, int level)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;

	ASSERT(is_pae(vcpu));

	mmu->root_hpa = INVALID_PAGE;
	mmu->root_level = level;
	mmu->shadow_root_level = level;

	mmu->new_cr3 = paging_new_cr3;
	mmu->free = paging_free;
	mmu->page_fault = paging64_page_fault;
	mmu->gva_to_gpa = paging64_gva_to_gpa;
	mmu->prefetch_page = paging64_prefetch_page;
	mmu->sync_page = paging64_sync_page;
	mmu->invlpg = paging64_invlpg;

	return 0;
}
2235
/*
 * Context setup for a long-mode guest: 4-level reserved-bit masks plus
 * the shared 64-bit-entry configuration.
 */
static int paging64_init_context(struct kvm_vcpu *vcpu)
{
	const int level = PT64_ROOT_LEVEL;

	reset_rsvds_bits_mask(vcpu, level);
	return paging64_init_context_common(vcpu, level);
}
2241
/*
 * Context setup for a legacy 32-bit (non-PAE) guest: the guest tree has
 * PT32_ROOT_LEVEL levels while the shadow tree is PAE-shaped
 * (PT32E_ROOT_LEVEL), and the paging32 template hooks are used.  Always
 * returns 0.
 */
static int paging32_init_context(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;

	reset_rsvds_bits_mask(vcpu, PT32_ROOT_LEVEL);

	mmu->root_hpa = INVALID_PAGE;
	mmu->root_level = PT32_ROOT_LEVEL;
	mmu->shadow_root_level = PT32E_ROOT_LEVEL;

	mmu->new_cr3 = paging_new_cr3;
	mmu->free = paging_free;
	mmu->page_fault = paging32_page_fault;
	mmu->gva_to_gpa = paging32_gva_to_gpa;
	mmu->prefetch_page = paging32_prefetch_page;
	mmu->sync_page = paging32_sync_page;
	mmu->invlpg = paging32_invlpg;

	return 0;
}
2259
/*
 * Context setup for a PAE (32-bit, 64-bit entries) guest: 3-level
 * reserved-bit masks plus the shared 64-bit-entry configuration.
 */
static int paging32E_init_context(struct kvm_vcpu *vcpu)
{
	const int level = PT32E_ROOT_LEVEL;

	reset_rsvds_bits_mask(vcpu, level);
	return paging64_init_context_common(vcpu, level);
}
2265
/*
 * Set up vcpu->arch.mmu for two-dimensional paging.  The shadow (here:
 * nested) tree depth comes from the backend; the guest-side level and
 * gva_to_gpa walker follow the guest's own paging mode, and the
 * reserved-bit masks are refreshed for it whenever the guest is paging.
 * Always returns 0.
 */
static int init_kvm_tdp_mmu(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;
	int guest_level;

	if (!is_paging(vcpu))
		guest_level = 0;
	else if (is_long_mode(vcpu))
		guest_level = PT64_ROOT_LEVEL;
	else if (is_pae(vcpu))
		guest_level = PT32E_ROOT_LEVEL;
	else
		guest_level = PT32_ROOT_LEVEL;

	mmu->new_cr3 = nonpaging_new_cr3;
	mmu->page_fault = tdp_page_fault;
	mmu->free = nonpaging_free;
	mmu->prefetch_page = nonpaging_prefetch_page;
	mmu->sync_page = nonpaging_sync_page;
	mmu->invlpg = nonpaging_invlpg;
	mmu->shadow_root_level = kvm_x86_ops->get_tdp_level();
	mmu->root_hpa = INVALID_PAGE;
	mmu->root_level = guest_level;

	switch (guest_level) {
	case 0:
		/* Not paging: no guest tree, so no reserved-bit masks either. */
		mmu->gva_to_gpa = nonpaging_gva_to_gpa;
		break;
	case PT32_ROOT_LEVEL:
		reset_rsvds_bits_mask(vcpu, PT32_ROOT_LEVEL);
		mmu->gva_to_gpa = paging32_gva_to_gpa;
		break;
	default:
		/* PT32E_ROOT_LEVEL and PT64_ROOT_LEVEL share the 64-bit walker. */
		reset_rsvds_bits_mask(vcpu, guest_level);
		mmu->gva_to_gpa = paging64_gva_to_gpa;
		break;
	}

	return 0;
}
2298
/*
 * Set up vcpu->arch.mmu for shadow paging, picking the context initialiser
 * that matches the guest's paging mode, then record the guest level in the
 * shadow page role.  Returns the initialiser's result.  Requires that no
 * root is currently installed.
 */
static int init_kvm_softmmu(struct kvm_vcpu *vcpu)
{
	int (*init_context)(struct kvm_vcpu *);
	int rc;

	ASSERT(vcpu);
	ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));

	if (!is_paging(vcpu))
		init_context = nonpaging_init_context;
	else if (is_long_mode(vcpu))
		init_context = paging64_init_context;
	else if (is_pae(vcpu))
		init_context = paging32E_init_context;
	else
		init_context = paging32_init_context;

	rc = init_context(vcpu);

	/* Shadow pages are keyed by guest level, so it must match root_level. */
	vcpu->arch.mmu.base_role.glevels = vcpu->arch.mmu.root_level;

	return rc;
}
2319
/*
 * (Re)initialise the vcpu's MMU context for the current guest mode.  The
 * guessed-pte pfn is reset to bad_pfn first so kvm_mmu_pte_write() never
 * releases a stale reference.  Dispatches on tdp_enabled.
 */
static int init_kvm_mmu(struct kvm_vcpu *vcpu)
{
	vcpu->arch.update_pte.pfn = bad_pfn;

	return tdp_enabled ? init_kvm_tdp_mmu(vcpu) : init_kvm_softmmu(vcpu);
}
2329
/*
 * Tear down the current MMU context through its free hook and invalidate
 * the root.  Nothing to do when no root is installed.
 */
static void destroy_kvm_mmu(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu *mmu = &vcpu->arch.mmu;

	ASSERT(vcpu);
	if (!VALID_PAGE(mmu->root_hpa))
		return;

	mmu->free(vcpu);
	mmu->root_hpa = INVALID_PAGE;
}
2338
/*
 * Drop the current MMU context and build a fresh one for the guest's
 * present paging mode.  Returns the result of init_kvm_mmu().
 */
int kvm_mmu_reset_context(struct kvm_vcpu *vcpu)
{
	int rc;

	destroy_kvm_mmu(vcpu);
	rc = init_kvm_mmu(vcpu);

	return rc;
}
EXPORT_SYMBOL_GPL(kvm_mmu_reset_context);
2345
/*
 * Make the vcpu's shadow roots present and point the hardware at them:
 * top up the memory caches, allocate and sync the roots under mmu_lock,
 * then load cr3 and flush the TLB.  Returns 0 on success, or the error
 * from the cache top-up or root allocation (cr3 is not touched then).
 * mmu_sync_roots() runs even if root allocation failed; it is a no-op
 * without a valid root.
 */
int kvm_mmu_load(struct kvm_vcpu *vcpu)
{
	struct kvm *kvm = vcpu->kvm;
	int rc = mmu_topup_memory_caches(vcpu);

	if (rc)
		return rc;

	spin_lock(&kvm->mmu_lock);
	kvm_mmu_free_some_pages(vcpu);
	rc = mmu_alloc_roots(vcpu);
	mmu_sync_roots(vcpu);
	spin_unlock(&kvm->mmu_lock);
	if (rc)
		return rc;

	kvm_x86_ops->set_cr3(vcpu, vcpu->arch.mmu.root_hpa);
	kvm_mmu_flush_tlb(vcpu);

	return 0;
}
EXPORT_SYMBOL_GPL(kvm_mmu_load);
2366
/*
 * Counterpart of kvm_mmu_load(): release the vcpu's shadow roots.
 */
void kvm_mmu_unload(struct kvm_vcpu *vcpu)
{
	mmu_free_roots(vcpu);
}
2371
/*
 * Clear shadow entry @spte of page @sp in response to a guest write to the
 * corresponding guest pte.  A present leaf entry (lowest level, or a large
 * page) loses its rmap link; a present table pointer is unlinked from its
 * child page.  The slot is then set to the trap value, and the large-page
 * counter is adjusted if a large mapping went away.
 */
static void mmu_pte_write_zap_pte(struct kvm_vcpu *vcpu,
				  struct kvm_mmu_page *sp,
				  u64 *spte)
{
	u64 old = *spte;

	if (is_shadow_present_pte(old)) {
		bool leaf = sp->role.level == PT_PAGE_TABLE_LEVEL ||
			    is_large_pte(old);

		if (leaf) {
			rmap_remove(vcpu->kvm, spte);
		} else {
			struct kvm_mmu_page *child =
				page_header(old & PT64_BASE_ADDR_MASK);

			mmu_page_remove_parent_pte(child, spte);
		}
	}

	set_shadow_pte(spte, shadow_trap_nonpresent_pte);
	if (is_large_pte(old))
		--vcpu->kvm->stat.lpages;
}
2393
/*
 * Re-shadow @spte from the freshly written guest entry @new.  Directory
 * level entries are only re-shadowed when the guessed guest pte is a large
 * page and the guest is not legacy 32-bit (whose 4MB pages cannot be
 * mirrored by one shadow pde); otherwise they stay zapped and the
 * mmu_pde_zapped counter is bumped.  The template update_pte matching the
 * guest level does the actual work.
 */
static void mmu_pte_write_new_pte(struct kvm_vcpu *vcpu,
				  struct kvm_mmu_page *sp,
				  u64 *spte,
				  const void *new)
{
	bool legacy32 = sp->role.glevels == PT32_ROOT_LEVEL;

	if (sp->role.level != PT_PAGE_TABLE_LEVEL &&
	    (!vcpu->arch.update_pte.largepage || legacy32)) {
		++vcpu->kvm->stat.mmu_pde_zapped;
		return;
	}

	++vcpu->kvm->stat.mmu_pte_updated;
	if (legacy32)
		paging32_update_pte(vcpu, sp, spte, new);
	else
		paging64_update_pte(vcpu, sp, spte, new);
}
2413
/*
 * Decide whether replacing shadow entry @old by @new requires flushing the
 * TLBs of other vcpus.  Nothing to do if @old was not present; required
 * if @new is not present, the target address changed, or a permission was
 * taken away.  NX is inverted before the comparison so that setting it
 * reads as removing the execute permission.
 */
static bool need_remote_flush(u64 old, u64 new)
{
	u64 lost_perms;

	if (!is_shadow_present_pte(old))
		return false;
	if (!is_shadow_present_pte(new))
		return true;
	if ((old ^ new) & PT64_BASE_ADDR_MASK)
		return true;

	lost_perms = (old ^ PT64_NX_MASK) & ~(new ^ PT64_NX_MASK) & PT64_PERM_MASK;
	return lost_perms != 0;
}
2426
/*
 * Flush after a shadow entry changed from @old to @new: all vcpus when
 * need_remote_flush() says so, otherwise just this vcpu.
 */
static void mmu_pte_write_flush_tlb(struct kvm_vcpu *vcpu, u64 old, u64 new)
{
	if (!need_remote_flush(old, new)) {
		kvm_mmu_flush_tlb(vcpu);
		return;
	}
	kvm_flush_remote_tlbs(vcpu->kvm);
}
2434
/*
 * True if the last speculatively installed shadow pte (recorded by
 * mmu_set_spte()) exists and has its accessed bit set; false when none is
 * recorded.  Used by the write-flood heuristic in kvm_mmu_pte_write().
 */
static bool last_updated_pte_accessed(struct kvm_vcpu *vcpu)
{
	u64 *last = vcpu->arch.last_pte_updated;

	if (!last)
		return false;
	return (*last & shadow_accessed_mask) != 0;
}
2441
/*
 * Before a guest page-table write is applied, guess which page the new
 * guest entry will point at and pin it, so that the shadow entry can be
 * re-filled without sleeping under mmu_lock.  The result goes into
 * vcpu->arch.update_pte (gfn, pfn, largepage, mmu_seq); the reference on
 * pfn is released by kvm_mmu_pte_write() afterwards.
 *
 * Only 4- and 8-byte writes are considered; anything else, an unreadable
 * or non-present guessed entry, or a gfn without a host page leaves
 * update_pte.pfn untouched (it starts as bad_pfn, see init_kvm_mmu()).
 */
static void mmu_guess_page_from_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
					  const u8 *new, int bytes)
{
	gfn_t gfn;
	int r;
	u64 gpte = 0;
	pfn_t pfn;

	vcpu->arch.update_pte.largepage = 0;

	if (bytes != 4 && bytes != 8)
		return;

	/*
	 * Assume that the pte write on a page table of the same type
	 * as the current vcpu paging mode.  This is nearly always true
	 * (might be false while changing modes).  Note it is verified later
	 * by update_pte().
	 */
	if (is_pae(vcpu)) {
		/* Handle a 32-bit guest writing two halves of a 64-bit gpte */
		if ((bytes == 4) && (gpa % 4 == 0)) {
			/* Fetch the whole 8-byte entry, then patch in the written half. */
			r = kvm_read_guest(vcpu->kvm, gpa & ~(u64)7, &gpte, 8);
			if (r)
				return;
			/* void* arithmetic: relies on the GCC extension the kernel uses. */
			memcpy((void *)&gpte + (gpa % 8), new, 4);
		} else if ((bytes == 8) && (gpa % 8 == 0)) {
			memcpy((void *)&gpte, new, 8);
		}
	} else {
		/* Legacy 32-bit entries: only an aligned 4-byte write is a pte. */
		if ((bytes == 4) && (gpa % 4 == 0))
			memcpy((void *)&gpte, new, 4);
	}
	if (!is_present_pte(gpte))
		return;
	gfn = (gpte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;

	if (is_large_pte(gpte) && is_largepage_backed(vcpu, gfn)) {
		gfn &= ~(KVM_PAGES_PER_HPAGE-1);
		vcpu->arch.update_pte.largepage = 1;
	}
	/* Sequence snapshot before the lookup, for the later notifier-retry check. */
	vcpu->arch.update_pte.mmu_seq = vcpu->kvm->mmu_notifier_seq;
	smp_rmb();
	pfn = gfn_to_pfn(vcpu->kvm, gfn);

	if (is_error_pfn(pfn)) {
		kvm_release_pfn_clean(pfn);
		return;
	}
	vcpu->arch.update_pte.gfn = gfn;
	vcpu->arch.update_pte.pfn = pfn;
}
2494
/*
 * Mark the last speculatively installed shadow pte as accessed when the
 * guest writes to the page table that holds it, i.e. when the write hits
 * the gfn remembered by mmu_set_spte(), the hardware supports an accessed
 * bit, the entry is present and the bit is not set yet.  Otherwise does
 * nothing.
 */
static void kvm_mmu_access_page(struct kvm_vcpu *vcpu, gfn_t gfn)
{
	u64 *spte = vcpu->arch.last_pte_updated;

	if (!spte || vcpu->arch.last_pte_gfn != gfn)
		return;
	if (!shadow_accessed_mask || (*spte & shadow_accessed_mask))
		return;
	if (!is_shadow_present_pte(*spte))
		return;

	set_bit(PT_ACCESSED_SHIFT, (unsigned long *)spte);
}
2506
/*
 * Keep the shadow tables coherent with a guest write of @bytes at @gpa
 * (@new holds the written data).  Every shadow page that mirrors the
 * written guest page has the affected entries zapped and, where the new
 * guest entry can be shadowed right away, re-filled.
 *
 * Pages written misaligned, with fewer than 4 bytes, or "flooded" (the
 * same gfn written repeatedly without the last installed pte being used)
 * are assumed not to be page tables any more and are zapped wholesale.
 * @guest_initiated distinguishes the guest's own writes, which feed the
 * flood heuristic, from writes made on its behalf.
 *
 * Takes mmu_lock; releases the pfn pinned by mmu_guess_page_from_pte_write()
 * on exit.
 */
void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
		       const u8 *new, int bytes,
		       bool guest_initiated)
{
	gfn_t gfn = gpa >> PAGE_SHIFT;
	struct kvm_mmu_page *sp;
	struct hlist_node *node, *n;
	struct hlist_head *bucket;
	unsigned index;
	u64 entry, gentry;
	u64 *spte;
	unsigned offset = offset_in_page(gpa);
	unsigned pte_size;
	unsigned page_offset;
	unsigned misaligned;
	unsigned quadrant;
	int level;
	int flooded = 0;
	int npte;
	int r;

	pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
	/* May sleep (gfn_to_pfn), so it runs before taking mmu_lock. */
	mmu_guess_page_from_pte_write(vcpu, gpa, new, bytes);
	spin_lock(&vcpu->kvm->mmu_lock);
	kvm_mmu_access_page(vcpu, gfn);
	kvm_mmu_free_some_pages(vcpu);
	++vcpu->kvm->stat.mmu_pte_write;
	kvm_mmu_audit(vcpu, "pre pte write");
	if (guest_initiated) {
		/*
		 * Flood detection: three or more consecutive writes to the same
		 * gfn while the last installed pte was never accessed suggests
		 * the page is being used as data, not as a page table.
		 */
		if (gfn == vcpu->arch.last_pt_write_gfn
		    && !last_updated_pte_accessed(vcpu)) {
			++vcpu->arch.last_pt_write_count;
			if (vcpu->arch.last_pt_write_count >= 3)
				flooded = 1;
		} else {
			vcpu->arch.last_pt_write_gfn = gfn;
			vcpu->arch.last_pt_write_count = 1;
			vcpu->arch.last_pte_updated = NULL;
		}
	}
	index = kvm_page_table_hashfn(gfn);
	bucket = &vcpu->kvm->arch.mmu_page_hash[index];
	hlist_for_each_entry_safe(sp, node, n, bucket, hash_link) {
		/* Only live, non-direct shadows of this exact guest page matter. */
		if (sp->gfn != gfn || sp->role.direct || sp->role.invalid)
			continue;
		pte_size = sp->role.glevels == PT32_ROOT_LEVEL ? 4 : 8;
		/* Set if the write straddles an entry boundary, or is narrower than 4 bytes. */
		misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);
		misaligned |= bytes < 4;
		if (misaligned || flooded) {
			/*
			 * Misaligned accesses are too much trouble to fix
			 * up; also, they usually indicate a page is not used
			 * as a page table.
			 *
			 * If we're seeing too many writes to a page,
			 * it may no longer be a page table, or we may be
			 * forking, in which case it is better to unmap the
			 * page.
			 */
			pgprintk("misaligned: gpa %llx bytes %d role %x\n",
				 gpa, bytes, sp->role.word);
			/*
			 * A non-zero return presumably means more than this page
			 * was zapped, so the safe-iteration cursor is reset to the
			 * bucket head rather than trusting the saved next node.
			 */
			if (kvm_mmu_zap_page(vcpu->kvm, sp))
				n = bucket->first;
			++vcpu->kvm->stat.mmu_flooded;
			continue;
		}
		page_offset = offset;
		level = sp->role.level;
		npte = 1;
		if (sp->role.glevels == PT32_ROOT_LEVEL) {
			page_offset <<= 1;	/* 32->64 */
			/*
			 * A 32-bit pde maps 4MB while the shadow pdes map
			 * only 2MB.  So we need to double the offset again
			 * and zap two pdes instead of one.
			 */
			if (level == PT32_ROOT_LEVEL) {
				page_offset &= ~7; /* kill rounding error */
				page_offset <<= 1;
				npte = 2;
			}
			/*
			 * One 4KB guest page of 32-bit entries expands to several
			 * shadow pages; only the one for this quadrant is affected.
			 */
			quadrant = page_offset >> PAGE_SHIFT;
			page_offset &= ~PAGE_MASK;
			if (quadrant != sp->role.quadrant)
				continue;
		}
		spte = &sp->spt[page_offset / sizeof(*spte)];
		/*
		 * Partial or unaligned-but-contained write: re-read the whole
		 * guest entry so update_pte sees a complete value.  If the read
		 * fails, only zap (new = NULL skips the re-fill below).
		 */
		if ((gpa & (pte_size - 1)) || (bytes < pte_size)) {
			gentry = 0;
			r = kvm_read_guest_atomic(vcpu->kvm,
						  gpa & ~(u64)(pte_size - 1),
						  &gentry, pte_size);
			new = (const void *)&gentry;
			if (r < 0)
				new = NULL;
		}
		while (npte--) {
			entry = *spte;
			mmu_pte_write_zap_pte(vcpu, sp, spte);
			if (new)
				mmu_pte_write_new_pte(vcpu, sp, spte, new);
			mmu_pte_write_flush_tlb(vcpu, entry, *spte);
			++spte;
		}
	}
	kvm_mmu_audit(vcpu, "post pte write");
	spin_unlock(&vcpu->kvm->mmu_lock);
	/* Drop the reference taken by mmu_guess_page_from_pte_write(), if any. */
	if (!is_error_pfn(vcpu->arch.update_pte.pfn)) {
		kvm_release_pfn_clean(vcpu->arch.update_pte.pfn);
		vcpu->arch.update_pte.pfn = bad_pfn;
	}
}
2619
/*
 * Unprotect (drop the shadowing of) the guest page that backs a guest
 * virtual address.
 *
 * The gva is translated through the current mmu's gva_to_gpa callback and
 * the resulting gfn is handed to kvm_mmu_unprotect_page() under mmu_lock.
 *
 * Returns whatever kvm_mmu_unprotect_page() returns.
 */
int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
{
        struct kvm *kvm = vcpu->kvm;
        gfn_t gfn = vcpu->arch.mmu.gva_to_gpa(vcpu, gva) >> PAGE_SHIFT;
        int rc;

        spin_lock(&kvm->mmu_lock);
        rc = kvm_mmu_unprotect_page(kvm, gfn);
        spin_unlock(&kvm->mmu_lock);

        return rc;
}
EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page_virt);
2633
/*
 * Zap shadow pages until the VM again has at least KVM_REFILL_PAGES free
 * mmu pages.
 *
 * Victims are taken from the tail (prev) of active_mmu_pages -- presumably
 * the least recently allocated pages; confirm against the list insertion
 * sites.  Each zapped page is accounted in stat.mmu_recycled.  The list is
 * walked without taking mmu_lock here, so the caller is expected to hold
 * it -- TODO confirm against callers.
 */
void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
{
        struct kvm *kvm = vcpu->kvm;

        for (;;) {
                struct kvm_mmu_page *victim;

                if (kvm->arch.n_free_mmu_pages >= KVM_REFILL_PAGES)
                        break;

                victim = container_of(kvm->arch.active_mmu_pages.prev,
                                      struct kvm_mmu_page, link);
                kvm_mmu_zap_page(kvm, victim);
                ++kvm->stat.mmu_recycled;
        }
}
2645
/*
 * Handle a guest page fault at guest address cr2 with the given hardware
 * error code.
 *
 * Return value:
 *   <0  the mmu's page_fault callback or the cache refill failed; the
 *       error is propagated unchanged
 *    1  done: either the mmu callback reported nothing to emulate (0), or
 *       the faulting instruction was emulated, or emulation failed and
 *       was reported
 *    0  emulation needs an MMIO exit to userspace (stat.mmio_exits bumped)
 *
 * An unknown emulation_result is a kernel bug and hits BUG().
 */
int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
{
        enum emulation_result er;
        int rc = vcpu->arch.mmu.page_fault(vcpu, cr2, error_code);

        if (rc < 0)
                return rc;
        /* Zero from the callback means there is nothing to emulate. */
        if (rc == 0)
                return 1;

        /* Emulation may need to instantiate shadow pages, so make sure the
         * per-vcpu memory caches are topped up first. */
        rc = mmu_topup_memory_caches(vcpu);
        if (rc)
                return rc;

        er = emulate_instruction(vcpu, vcpu->run, cr2, error_code, 0);
        if (er == EMULATE_DONE)
                return 1;
        if (er == EMULATE_DO_MMIO) {
                ++vcpu->stat.mmio_exits;
                return 0;
        }
        if (er == EMULATE_FAIL) {
                kvm_report_emulation_failure(vcpu, "pagetable");
                return 1;
        }

        BUG();
        return rc;      /* not reached */
}
EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
2682
/*
 * Handle a guest INVLPG of gva: let the current mmu drop its shadow entry
 * for the address, then flush the vcpu's TLB.  Counted in stat.invlpg.
 */
void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
{
        struct kvm_mmu *mmu = &vcpu->arch.mmu;

        mmu->invlpg(vcpu, gva);
        kvm_mmu_flush_tlb(vcpu);
        ++vcpu->stat.invlpg;
}
EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
2690
/*
 * Switch the module to two-dimensional paging (hardware-walked nested
 * page tables) instead of shadow paging.  See the comment on tdp_enabled.
 */
void kvm_enable_tdp(void)
{
        tdp_enabled = true;
}
EXPORT_SYMBOL_GPL(kvm_enable_tdp);
2696
/*
 * Switch the module back to shadow paging.  Counterpart of kvm_enable_tdp().
 */
void kvm_disable_tdp(void)
{
        tdp_enabled = false;
}
EXPORT_SYMBOL_GPL(kvm_disable_tdp);
2702
/*
 * Release the PAE root page owned by the vcpu's mmu.
 *
 * alloc_mmu_pages() calls this on its failure path before pae_root has
 * been assigned, which relies on free_page() tolerating a NULL/0 address
 * -- confirm.  The pointer is not cleared afterwards.
 */
static void free_mmu_pages(struct kvm_vcpu *vcpu)
{
        unsigned long root = (unsigned long)vcpu->arch.mmu.pae_root;

        free_page(root);
}
2707
/*
 * Allocate the per-vcpu PAE root page and initialise the VM's free shadow
 * page budget.
 *
 * The budget starts at n_requested_mmu_pages when one is set, otherwise at
 * n_alloc_mmu_pages.  All four root entries are set to INVALID_PAGE.
 *
 * Returns 0 on success or -ENOMEM if the page could not be allocated; on
 * failure free_mmu_pages() is still called, as in the original error path.
 */
static int alloc_mmu_pages(struct kvm_vcpu *vcpu)
{
        struct kvm *kvm = vcpu->kvm;
        struct page *page;
        int i;

        ASSERT(vcpu);

        kvm->arch.n_free_mmu_pages = kvm->arch.n_requested_mmu_pages
                ? kvm->arch.n_requested_mmu_pages
                : kvm->arch.n_alloc_mmu_pages;

        /*
         * When emulating 32-bit mode, cr3 is only 32 bits even on x86_64.
         * Therefore we need to allocate shadow page tables in the first
         * 4GB of memory, which happens to fit the DMA32 zone.
         */
        page = alloc_page(GFP_KERNEL | __GFP_DMA32);
        if (!page) {
                free_mmu_pages(vcpu);
                return -ENOMEM;
        }

        vcpu->arch.mmu.pae_root = page_address(page);
        for (i = 0; i < 4; ++i)
                vcpu->arch.mmu.pae_root[i] = INVALID_PAGE;

        return 0;
}
2739
/*
 * Per-vcpu mmu construction: allocates the PAE root page.
 * Must be called before any root is installed (root_hpa invalid).
 * Returns 0 or a negative errno from alloc_mmu_pages().
 */
int kvm_mmu_create(struct kvm_vcpu *vcpu)
{
        ASSERT(vcpu);
        ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));

        return alloc_mmu_pages(vcpu);
}
2747
/*
 * Initialise the vcpu's mmu callbacks for the current paging mode via
 * init_kvm_mmu().  Like kvm_mmu_create(), requires no root be installed.
 * Returns whatever init_kvm_mmu() returns.
 */
int kvm_mmu_setup(struct kvm_vcpu *vcpu)
{
        ASSERT(vcpu);
        ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));

        return init_kvm_mmu(vcpu);
}
2755
/*
 * Tear down the vcpu's mmu: drop the mmu state, release the PAE root page
 * and free the per-vcpu memory caches, in that order.
 */
void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
{
        ASSERT(vcpu);

        destroy_kvm_mmu(vcpu);
        free_mmu_pages(vcpu);
        mmu_free_memory_caches(vcpu);
}
2764
/*
 * Clear the writable bit from every shadow pte belonging to memory slot
 * 'slot', then flush the remote TLBs so no vcpu keeps a stale writable
 * translation.
 *
 * Only shadow pages whose slot_bitmap marks the slot are touched.  The
 * walk does not take mmu_lock itself -- the caller is assumed to hold it;
 * confirm against callers.
 */
void kvm_mmu_slot_remove_write_access(struct kvm *kvm, int slot)
{
        struct kvm_mmu_page *sp;

        list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) {
                u64 *pte, *end;

                if (!test_bit(slot, sp->slot_bitmap))
                        continue;

                pte = sp->spt;
                end = pte + PT64_ENT_PER_PAGE;
                for (; pte < end; ++pte) {
                        /* Only write when the bit is set, to avoid a
                         * read-modify-write on every entry. */
                        if (*pte & PT_WRITABLE_MASK)
                                *pte &= ~PT_WRITABLE_MASK;
                }
        }
        kvm_flush_remote_tlbs(kvm);
}
2784
/*
 * Zap every shadow page of the VM and flush the remote TLBs.
 *
 * Walks active_mmu_pages under mmu_lock with the "safe" iterator.  When
 * kvm_mmu_zap_page() returns non-zero (presumably: more than the given
 * page was unlinked), the saved successor can no longer be trusted and
 * the walk restarts from the head of the list.
 */
void kvm_mmu_zap_all(struct kvm *kvm)
{
        struct kvm_mmu_page *sp, *node;

        spin_lock(&kvm->mmu_lock);
        list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link)
                /* Non-zero: restart from the list head rather than 'node'. */
                if (kvm_mmu_zap_page(kvm, sp))
                        node = container_of(kvm->arch.active_mmu_pages.next,
                                            struct kvm_mmu_page, link);
        spin_unlock(&kvm->mmu_lock);

        kvm_flush_remote_tlbs(kvm);
}
2798
/*
 * Zap the shadow page at the tail of active_mmu_pages (one page only).
 * Used by the shrinker; mmu_lock must be held by the caller -- see
 * mmu_shrink(), which takes it before calling here.
 */
static void kvm_mmu_remove_one_alloc_mmu_page(struct kvm *kvm)
{
        struct list_head *tail = kvm->arch.active_mmu_pages.prev;
        struct kvm_mmu_page *victim;

        victim = container_of(tail, struct kvm_mmu_page, link);
        kvm_mmu_zap_page(kvm, victim);
}
2807
/*
 * Memory-shrinker callback: reclaim shadow pages under host memory
 * pressure.
 *
 * Walks every VM under kvm_lock.  VMs whose slots_lock cannot be taken
 * immediately are skipped (trylock), presumably to avoid blocking or
 * deadlocking in the shrinker path.  At most one shadow page is zapped
 * per call, from the first VM that has any in use; that VM is then moved
 * to the tail of vm_list so successive calls rotate across VMs.
 * nr_to_scan is decremented once per visited VM; gfp_mask is unused.
 *
 * Returns the total number of in-use shadow pages across all visited VMs
 * after the zap -- presumably reported to the shrinker core as the cache
 * size; confirm against the shrinker interface.
 */
static int mmu_shrink(int nr_to_scan, gfp_t gfp_mask)
{
        struct kvm *kvm;
        struct kvm *kvm_freed = NULL;
        int cache_count = 0;

        spin_lock(&kvm_lock);

        list_for_each_entry(kvm, &vm_list, vm_list) {
                int npages;

                /* Skip, don't wait, when the VM's slots_lock is busy. */
                if (!down_read_trylock(&kvm->slots_lock))
                        continue;
                spin_lock(&kvm->mmu_lock);
                /* Shadow pages currently in use by this VM. */
                npages = kvm->arch.n_alloc_mmu_pages -
                         kvm->arch.n_free_mmu_pages;
                cache_count += npages;
                /* Reclaim a single page per call, from the first VM that
                 * has one to give. */
                if (!kvm_freed && nr_to_scan > 0 && npages > 0) {
                        kvm_mmu_remove_one_alloc_mmu_page(kvm);
                        cache_count--;
                        kvm_freed = kvm;
                }
                nr_to_scan--;

                spin_unlock(&kvm->mmu_lock);
                up_read(&kvm->slots_lock);
        }
        /* Rotate the VM we reclaimed from to the tail so the next call
         * starts with a different one. */
        if (kvm_freed)
                list_move_tail(&kvm_freed->vm_list, &vm_list);

        spin_unlock(&kvm_lock);

        return cache_count;
}
2842
/*
 * Shrinker registered in kvm_mmu_module_init() and removed in
 * kvm_mmu_module_exit().  seeks is ten times DEFAULT_SEEKS, which
 * presumably makes shadow pages comparatively costly to reclaim --
 * confirm against the shrinker documentation.
 */
static struct shrinker mmu_shrinker = {
        .shrink = mmu_shrink,
        .seeks = DEFAULT_SEEKS * 10,
};
2847
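/*
 * Destroy whichever of the three module slab caches exist.
 *
 * Each pointer is reset to NULL after its cache is destroyed so that a
 * second call (or any later check of the pointer) does not operate on a
 * cache that no longer exists.  Called from kvm_mmu_module_exit() and from
 * the failure path of kvm_mmu_module_init().
 */
static void mmu_destroy_caches(void)
{
        if (pte_chain_cache) {
                kmem_cache_destroy(pte_chain_cache);
                pte_chain_cache = NULL;
        }
        if (rmap_desc_cache) {
                kmem_cache_destroy(rmap_desc_cache);
                rmap_desc_cache = NULL;
        }
        if (mmu_page_header_cache) {
                kmem_cache_destroy(mmu_page_header_cache);
                mmu_page_header_cache = NULL;
        }
}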
2857
/*
 * Module teardown: destroy the slab caches, then unregister the shrinker.
 *
 * NOTE(review): the caches are destroyed while the shrinker is still
 * registered; this is only safe if no VM can exist at this point (so the
 * shrinker has nothing to zap) -- confirm against module lifecycle.
 */
void kvm_mmu_module_exit(void)
{
        mmu_destroy_caches();
        unregister_shrinker(&mmu_shrinker);
}
2863
/*
 * Create one of the module's slab caches into *slot.
 * Returns 0 on success or -ENOMEM when kmem_cache_create() fails.
 */
static int mmu_create_slab(struct kmem_cache **slot, const char *name,
                           size_t objsize)
{
        *slot = kmem_cache_create(name, objsize, 0, 0, NULL);
        return *slot ? 0 : -ENOMEM;
}

/*
 * Module initialisation: create the pte-chain, rmap-desc and page-header
 * slab caches (in that order, stopping at the first failure) and register
 * the shrinker.
 *
 * Returns 0 on success or -ENOMEM; on failure every cache created so far
 * is destroyed again.
 */
int kvm_mmu_module_init(void)
{
        if (mmu_create_slab(&pte_chain_cache, "kvm_pte_chain",
                            sizeof(struct kvm_pte_chain)) ||
            mmu_create_slab(&rmap_desc_cache, "kvm_rmap_desc",
                            sizeof(struct kvm_rmap_desc)) ||
            mmu_create_slab(&mmu_page_header_cache, "kvm_mmu_page_header",
                            sizeof(struct kvm_mmu_page))) {
                mmu_destroy_caches();
                return -ENOMEM;
        }

        register_shrinker(&mmu_shrinker);

        return 0;
}
2891
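/*
 * Calculate the number of shadow mmu pages to budget for a VM.
 *
 * The budget is KVM_PERMILLE_MMU_PAGES per thousand guest pages summed
 * over all memory slots, but never less than KVM_MIN_ALLOC_MMU_PAGES.
 *
 * The running totals are kept in unsigned long so that summing npages
 * and the per-mille multiplication cannot wrap for large guests; the
 * result is clamped to UINT_MAX before being narrowed to the unsigned int
 * return type.
 */
unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm)
{
        unsigned long nr_pages = 0;
        unsigned long nr_mmu_pages;
        int i;

        for (i = 0; i < kvm->nmemslots; i++)
                nr_pages += kvm->memslots[i].npages;

        nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
        nr_mmu_pages = max(nr_mmu_pages,
                           (unsigned long)KVM_MIN_ALLOC_MMU_PAGES);
        /* Do not let the narrowing conversion below wrap silently. */
        if (nr_mmu_pages > UINT_MAX)
                nr_mmu_pages = UINT_MAX;

        return (unsigned int)nr_mmu_pages;
}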
2910
/*
 * Return a pointer to the next 'len' bytes of the paravirt op buffer
 * without consuming them, or NULL if fewer than 'len' bytes remain.
 * This is the bounds check that keeps guest-supplied op structures from
 * being read past the end of the buffer.
 */
static void *pv_mmu_peek_buffer(struct kvm_pv_mmu_op_buffer *buffer,
                                unsigned len)
{
        return len <= buffer->len ? buffer->ptr : NULL;
}
2918
/*
 * Consume 'len' bytes from the paravirt op buffer: returns a pointer to
 * them and advances ptr/len/processed.  Returns NULL, leaving the buffer
 * untouched, if fewer than 'len' bytes remain.
 */
static void *pv_mmu_read_buffer(struct kvm_pv_mmu_op_buffer *buffer,
                                unsigned len)
{
        void *chunk = pv_mmu_peek_buffer(buffer, len);

        if (chunk) {
                buffer->ptr += len;
                buffer->len -= len;
                buffer->processed += len;
        }
        return chunk;
}
2932
/*
 * Paravirt op: write one guest page-table entry 'value' at guest physical
 * address 'addr'.
 *
 * Non-PAE 32-bit paging has 4-byte entries, PAE and long mode 8-byte
 * ones, so only that many low bytes of 'value' are written.  The write
 * goes through emulator_write_phys() rather than a plain guest memory
 * store (presumably so shadow pages covering addr are updated -- confirm).
 *
 * Returns 1 on success, -EFAULT if the physical write failed, or the
 * error from mmu_topup_memory_caches().
 */
static int kvm_pv_mmu_write(struct kvm_vcpu *vcpu,
                             gpa_t addr, gpa_t value)
{
        const int bytes = (is_long_mode(vcpu) || is_pae(vcpu)) ? 8 : 4;
        int rc = mmu_topup_memory_caches(vcpu);

        if (rc)
                return rc;

        return emulator_write_phys(vcpu, addr, &value, bytes) ? 1 : -EFAULT;
}
2951
/*
 * Paravirt op: flush the guest TLB by reloading the current cr3.
 * Always returns 1 (op handled, keep processing).
 */
static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
{
        unsigned long cr3 = vcpu->arch.cr3;

        kvm_set_cr3(vcpu, cr3);
        return 1;
}
2957
/*
 * Paravirt op: the guest is releasing the page table at guest physical
 * address 'addr'; drop its shadow under mmu_lock.
 * Always returns 1 (op handled, keep processing).
 */
static int kvm_pv_mmu_release_pt(struct kvm_vcpu *vcpu, gpa_t addr)
{
        struct kvm *kvm = vcpu->kvm;
        gfn_t gfn = addr >> PAGE_SHIFT;

        spin_lock(&kvm->mmu_lock);
        mmu_unshadow(kvm, gfn);
        spin_unlock(&kvm->mmu_lock);
        return 1;
}
2965
/*
 * Decode and execute one paravirt mmu op from the buffer.
 *
 * The header is peeked first (not consumed), then the whole op structure
 * for its type is consumed from the same position, so a truncated op at
 * the end of the buffer is rejected by the length check in
 * pv_mmu_read_buffer() before any field is used.
 *
 * Returns 0 to stop processing (no complete header, truncated op, or an
 * unknown op code), otherwise the result of the op handler (1, or a
 * negative error from kvm_pv_mmu_write()).
 */
static int kvm_pv_mmu_op_one(struct kvm_vcpu *vcpu,
                             struct kvm_pv_mmu_op_buffer *buffer)
{
        struct kvm_mmu_op_header *header;
        unsigned op_len;
        void *op;

        header = pv_mmu_peek_buffer(buffer, sizeof *header);
        if (!header)
                return 0;

        switch (header->op) {
        case KVM_MMU_OP_WRITE_PTE:
                op_len = sizeof(struct kvm_mmu_op_write_pte);
                break;
        case KVM_MMU_OP_FLUSH_TLB:
                op_len = sizeof(struct kvm_mmu_op_flush_tlb);
                break;
        case KVM_MMU_OP_RELEASE_PT:
                op_len = sizeof(struct kvm_mmu_op_release_pt);
                break;
        default:
                return 0;
        }

        op = pv_mmu_read_buffer(buffer, op_len);
        if (!op)
                return 0;

        switch (header->op) {
        case KVM_MMU_OP_WRITE_PTE: {
                struct kvm_mmu_op_write_pte *wpte = op;

                return kvm_pv_mmu_write(vcpu, wpte->pte_phys,
                                        wpte->pte_val);
        }
        case KVM_MMU_OP_FLUSH_TLB:
                return kvm_pv_mmu_flush_tlb(vcpu);
        case KVM_MMU_OP_RELEASE_PT: {
                struct kvm_mmu_op_release_pt *rpt = op;

                return kvm_pv_mmu_release_pt(vcpu, rpt->pt_phys);
        }
        default:
                return 0;
        }
}
3003
/*
 * Hypercall entry: process a batch of paravirt mmu ops that the guest has
 * placed at guest physical address 'addr', 'bytes' long.
 *
 * The guest-supplied length is clamped to the size of the in-kernel
 * buffer, so kvm_read_guest() can never overrun buf.  Ops are executed
 * in order until the buffer is exhausted, an op handler returns 0 (done
 * or malformed op), or one fails.
 *
 * *ret receives the number of bytes actually consumed.  Returns 1 when
 * processing stopped normally, or the negative error from kvm_read_guest()
 * or an op handler.
 */
int kvm_pv_mmu_op(struct kvm_vcpu *vcpu, unsigned long bytes,
                  gpa_t addr, unsigned long *ret)
{
        struct kvm_pv_mmu_op_buffer *buffer = &vcpu->arch.mmu_op_buffer;
        int rc;

        buffer->ptr = buffer->buf;
        buffer->len = min_t(unsigned long, bytes, sizeof buffer->buf);
        buffer->processed = 0;

        rc = kvm_read_guest(vcpu->kvm, addr, buffer->buf, buffer->len);
        if (!rc) {
                /* >0: keep going; 0: stop; <0: propagate the error. */
                rc = 1;
                while (buffer->len && rc > 0)
                        rc = kvm_pv_mmu_op_one(vcpu, buffer);
                if (rc >= 0)
                        rc = 1;
        }

        *ret = buffer->processed;
        return rc;
}
3031
3032#ifdef AUDIT
3033
/* Label of the audit pass in progress, set by kvm_mmu_audit() and printed
 * in every audit error message. */
static const char *audit_msg;
3035
/*
 * Sign-extend bit 47 of a 64-bit guest virtual address into bits 48..63
 * (x86_64 only); on 32-bit builds the address is returned unchanged.
 */
static gva_t canonicalize(gva_t gva)
{
#ifdef CONFIG_X86_64
        enum { VA_SHIFT = 64 - 48 };

        gva = (long long)(gva << VA_SHIFT) >> VA_SHIFT;
#endif
        return gva;
}
3043
/*
 * Recursively check one shadow page table against the guest's own
 * translation (AUDIT builds only).
 *
 * page_pte: shadow entry whose target table is walked
 * va:       guest virtual address covered by entry 0 of that table
 * level:    page-table level of that table (1 = leaf)
 *
 * Leaf entries are compared with gva_to_gpa() followed by gfn_to_pfn();
 * any mismatch is reported via printk(KERN_ERR) and tagged with audit_msg.
 */
static void audit_mappings_page(struct kvm_vcpu *vcpu, u64 page_pte,
                                gva_t va, int level)
{
        u64 *pt = __va(page_pte & PT64_BASE_ADDR_MASK);
        int i;
        /* Address span of one entry at this level: PAGE_SIZE at level 1,
         * 512 times more per level above it. */
        gva_t va_delta = 1ul << (PAGE_SHIFT + 9 * (level - 1));

        for (i = 0; i < PT64_ENT_PER_PAGE; ++i, va += va_delta) {
                u64 ent = pt[i];

                /* Trapping non-present entries carry nothing to check. */
                if (ent == shadow_trap_nonpresent_pte)
                        continue;

                va = canonicalize(va);
                if (level > 1) {
                        /* A non-trapping non-present entry is only valid in
                         * a leaf table; anywhere else it is reported. */
                        if (ent == shadow_notrap_nonpresent_pte)
                                printk(KERN_ERR "audit: (%s) nontrapping pte"
                                       " in nonleaf level: levels %d gva %lx"
                                       " level %d pte %llx\n", audit_msg,
                                       vcpu->arch.mmu.root_level, va, level, ent);
                        else
                                audit_mappings_page(vcpu, ent, va, level - 1);
                } else {
                        gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, va);
                        gfn_t gfn = gpa >> PAGE_SHIFT;
                        pfn_t pfn = gfn_to_pfn(vcpu->kvm, gfn);
                        hpa_t hpa = (hpa_t)pfn << PAGE_SHIFT;

                        /* Present shadow entry must point at the host page
                         * the guest translation resolves to. */
                        if (is_shadow_present_pte(ent)
                            && (ent & PT64_BASE_ADDR_MASK) != hpa)
                                printk(KERN_ERR "xx audit error: (%s) levels %d"
                                       " gva %lx gpa %llx hpa %llx ent %llx %d\n",
                                       audit_msg, vcpu->arch.mmu.root_level,
                                       va, gpa, hpa, ent,
                                       is_shadow_present_pte(ent));
                        /* A notrap entry for a gva the guest can resolve
                         * means a fault would be missed. */
                        else if (ent == shadow_notrap_nonpresent_pte
                                 && !is_error_hpa(hpa))
                                printk(KERN_ERR "audit: (%s) notrap shadow,"
                                       " valid guest gva %lx\n", audit_msg, va);
                        /* Drop the reference gfn_to_pfn() took, on every path. */
                        kvm_release_pfn_clean(pfn);

                }
        }
}
3088
/*
 * Audit every shadow mapping reachable from the vcpu's current root(s)
 * (AUDIT builds only).
 *
 * With a 4-level root the whole address space hangs off root_hpa; otherwise
 * each present pae_root entry (presumably the PAE case) is walked as a
 * level-2 table covering 1GB, hence the i << 30 base address.
 */
static void audit_mappings(struct kvm_vcpu *vcpu)
{
        struct kvm_mmu *mmu = &vcpu->arch.mmu;
        unsigned i;

        if (mmu->root_level == 4) {
                audit_mappings_page(vcpu, mmu->root_hpa, 0, 4);
                return;
        }

        for (i = 0; i < 4; ++i) {
                if (!(mmu->pae_root[i] & PT_PRESENT_MASK))
                        continue;
                audit_mappings_page(vcpu, mmu->pae_root[i], i << 30, 2);
        }
}
3103
/*
 * Count every reverse-mapping entry across all memory slots (AUDIT builds
 * only).
 *
 * As decoded below, an rmap word is either a single shadow pte pointer
 * (low bit clear) or, with the low bit set, a pointer to a chain of
 * kvm_rmap_desc each holding up to RMAP_EXT sptes, where the first NULL
 * slot in a desc ends its used entries.  The encoding is inferred from
 * this reader -- confirm against the rmap insertion code.
 */
static int count_rmaps(struct kvm_vcpu *vcpu)
{
        int nmaps = 0;
        int i, j, k;

        for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
                struct kvm_memory_slot *m = &vcpu->kvm->memslots[i];
                struct kvm_rmap_desc *d;

                for (j = 0; j < m->npages; ++j) {
                        unsigned long *rmapp = &m->rmap[j];

                        if (!*rmapp)
                                continue;
                        /* Low bit clear: the word is a single spte pointer. */
                        if (!(*rmapp & 1)) {
                                ++nmaps;
                                continue;
                        }
                        /* Low bit set: strip the tag to get the desc chain. */
                        d = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
                        while (d) {
                                for (k = 0; k < RMAP_EXT; ++k)
                                        if (d->shadow_ptes[k])
                                                ++nmaps;
                                        else
                                                break;
                                d = d->more;
                        }
                }
        }
        return nmaps;
}
3135
/*
 * Count shadow ptes that are both present and writable, across all
 * last-level (PT_PAGE_TABLE_LEVEL) shadow pages (AUDIT builds only).
 * Compared against count_rmaps() by audit_rmap().
 */
static int count_writable_mappings(struct kvm_vcpu *vcpu)
{
        const u64 present_writable = PT_PRESENT_MASK | PT_WRITABLE_MASK;
        struct kvm_mmu_page *sp;
        int nmaps = 0;

        list_for_each_entry(sp, &vcpu->kvm->arch.active_mmu_pages, link) {
                const u64 *pt = sp->spt;
                int i;

                if (sp->role.level != PT_PAGE_TABLE_LEVEL)
                        continue;

                for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
                        if ((pt[i] & present_writable) == present_writable)
                                ++nmaps;
                }
        }
        return nmaps;
}
3160
/*
 * Cross-check the rmap bookkeeping: the number of rmap entries must equal
 * the number of present+writable leaf sptes.  A mismatch is reported with
 * printk(KERN_ERR) (AUDIT builds only).
 */
static void audit_rmap(struct kvm_vcpu *vcpu)
{
        int expected = count_rmaps(vcpu);
        int actual = count_writable_mappings(vcpu);

        if (expected == actual)
                return;

        printk(KERN_ERR "%s: (%s) rmap %d actual %d\n",
               __func__, audit_msg, expected, actual);
}
3170
/*
 * Verify that no guest page shadowed as a page table still has writable
 * mappings recorded in its rmap (AUDIT builds only).  Direct-mapped shadow
 * pages are skipped since they shadow no guest page table.
 *
 * NOTE(review): the slot is looked up with the aliased sp->gfn while the
 * rmap index uses the unaliased gfn, and the returned slot is dereferenced
 * without a NULL check -- confirm both against unalias_gfn() and
 * gfn_to_memslot_unaliased() before relying on this audit.
 */
static void audit_write_protection(struct kvm_vcpu *vcpu)
{
        struct kvm *kvm = vcpu->kvm;
        struct kvm_mmu_page *sp;

        list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) {
                struct kvm_memory_slot *slot;
                unsigned long *rmapp;
                gfn_t gfn;

                if (sp->role.direct)
                        continue;

                gfn = unalias_gfn(kvm, sp->gfn);
                slot = gfn_to_memslot_unaliased(kvm, sp->gfn);
                rmapp = &slot->rmap[gfn - slot->base_gfn];
                if (!*rmapp)
                        continue;

                printk(KERN_ERR "%s: (%s) shadow page has writable"
                       " mappings: gfn %lx role %x\n",
                       __func__, audit_msg, sp->gfn,
                       sp->role.word);
        }
}
3192
/*
 * Run all audit passes (rmap, write protection, mappings) and tag their
 * output with 'msg' (AUDIT builds only).
 *
 * dbg, which gates pgprintk()/rmap_printk(), is cleared for the duration
 * so audit reports are not interleaved with debug output, and restored
 * afterwards.
 */
static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg)
{
        int saved_dbg = dbg;

        dbg = 0;
        audit_msg = msg;

        audit_rmap(vcpu);
        audit_write_protection(vcpu);
        audit_mappings(vcpu);

        dbg = saved_dbg;
}
3204
3205#endif
3206