LXR linux/arch/x86/kvm/paging

   1/*
   2 * Kernel-based Virtual Machine driver for Linux
   3 *
   4 * This module enables machines with Intel VT-x extensions to run virtual
   5 * machines without emulation or binary translation.
   6 *
   7 * MMU support
   8 *
   9 * Copyright (C) 2006 Qumranet, Inc.
  10 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
  11 *
  12 * Authors:
  13 *   Yaniv Kamay  <yaniv@qumranet.com>
  14 *   Avi Kivity   <avi@qumranet.com>
  15 *
  16 * This work is licensed under the terms of the GNU GPL, version 2.  See
  17 * the COPYING file in the top-level directory.
  18 *
  19 */
  20
  21/*
  22 * We need the mmu code to access both 32-bit and 64-bit guest ptes,
  23 * so the code in this file is compiled twice, once per pte size.
  24 */
  25
  26#if PTTYPE == 64
  27        #define pt_element_t u64
  28        #define guest_walker guest_walker64
  29        #define FNAME(name) paging##64_##name
  30        #define PT_BASE_ADDR_MASK PT64_BASE_ADDR_MASK
  31        #define PT_LVL_ADDR_MASK(lvl) PT64_LVL_ADDR_MASK(lvl)
  32        #define PT_LVL_OFFSET_MASK(lvl) PT64_LVL_OFFSET_MASK(lvl)
  33        #define PT_INDEX(addr, level) PT64_INDEX(addr, level)
  34        #define PT_LEVEL_BITS PT64_LEVEL_BITS
  35        #define PT_GUEST_DIRTY_SHIFT PT_DIRTY_SHIFT
  36        #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT
  37        #define PT_HAVE_ACCESSED_DIRTY(mmu) true
  38        #ifdef CONFIG_X86_64
  39        #define PT_MAX_FULL_LEVELS 4
  40        #define CMPXCHG cmpxchg
  41        #else
  42        #define CMPXCHG cmpxchg64
  43        #define PT_MAX_FULL_LEVELS 2
  44        #endif
  45#elif PTTYPE == 32
  46        #define pt_element_t u32
  47        #define guest_walker guest_walker32
  48        #define FNAME(name) paging##32_##name
  49        #define PT_BASE_ADDR_MASK PT32_BASE_ADDR_MASK
  50        #define PT_LVL_ADDR_MASK(lvl) PT32_LVL_ADDR_MASK(lvl)
  51        #define PT_LVL_OFFSET_MASK(lvl) PT32_LVL_OFFSET_MASK(lvl)
  52        #define PT_INDEX(addr, level) PT32_INDEX(addr, level)
  53        #define PT_LEVEL_BITS PT32_LEVEL_BITS
  54        #define PT_MAX_FULL_LEVELS 2
  55        #define PT_GUEST_DIRTY_SHIFT PT_DIRTY_SHIFT
  56        #define PT_GUEST_ACCESSED_SHIFT PT_ACCESSED_SHIFT
  57        #define PT_HAVE_ACCESSED_DIRTY(mmu) true
  58        #define CMPXCHG cmpxchg
  59#elif PTTYPE == PTTYPE_EPT
  60        #define pt_element_t u64
  61        #define guest_walker guest_walkerEPT
  62        #define FNAME(name) ept_##name
  63        #define PT_BASE_ADDR_MASK PT64_BASE_ADDR_MASK
  64        #define PT_LVL_ADDR_MASK(lvl) PT64_LVL_ADDR_MASK(lvl)
  65        #define PT_LVL_OFFSET_MASK(lvl) PT64_LVL_OFFSET_MASK(lvl)
  66        #define PT_INDEX(addr, level) PT64_INDEX(addr, level)
  67        #define PT_LEVEL_BITS PT64_LEVEL_BITS
  68        #define PT_GUEST_DIRTY_SHIFT 9
  69        #define PT_GUEST_ACCESSED_SHIFT 8
  70        #define PT_HAVE_ACCESSED_DIRTY(mmu) ((mmu)->ept_ad)
  71        #define CMPXCHG cmpxchg64
  72        #define PT_MAX_FULL_LEVELS 4
  73#else
  74        #error Invalid PTTYPE value
  75#endif
  76
  77#define PT_GUEST_DIRTY_MASK    (1 << PT_GUEST_DIRTY_SHIFT)
  78#define PT_GUEST_ACCESSED_MASK (1 << PT_GUEST_ACCESSED_SHIFT)
  79
  80#define gpte_to_gfn_lvl FNAME(gpte_to_gfn_lvl)
  81#define gpte_to_gfn(pte) gpte_to_gfn_lvl((pte), PT_PAGE_TABLE_LEVEL)
  82
  83/*
  84 * The guest_walker structure emulates the behavior of the hardware page
  85 * table walker.
  86 */
  87struct guest_walker {
  88        int level;
  89        unsigned max_level;
  90        gfn_t table_gfn[PT_MAX_FULL_LEVELS];
  91        pt_element_t ptes[PT_MAX_FULL_LEVELS];
  92        pt_element_t prefetch_ptes[PTE_PREFETCH_NUM];
  93        gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
  94        pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
  95        bool pte_writable[PT_MAX_FULL_LEVELS];
  96        unsigned pt_access;
  97        unsigned pte_access;
  98        gfn_t gfn;
  99        struct x86_exception fault;
 100};
 101
 102static gfn_t gpte_to_gfn_lvl(pt_element_t gpte, int lvl)
 103{
 104        return (gpte & PT_LVL_ADDR_MASK(lvl)) >> PAGE_SHIFT;
 105}
 106
 107static inline void FNAME(protect_clean_gpte)(struct kvm_mmu *mmu, unsigned *access,
 108                                             unsigned gpte)
 109{
 110        unsigned mask;
 111
 112        /* dirty bit is not supported, so no need to track it */
 113        if (!PT_HAVE_ACCESSED_DIRTY(mmu))
 114                return;
 115
 116        BUILD_BUG_ON(PT_WRITABLE_MASK != ACC_WRITE_MASK);
 117
 118        mask = (unsigned)~ACC_WRITE_MASK;
 119        /* Allow write access to dirty gptes */
 120        mask |= (gpte >> (PT_GUEST_DIRTY_SHIFT - PT_WRITABLE_SHIFT)) &
 121                PT_WRITABLE_MASK;
 122        *access &= mask;
 123}
 124
 125static inline int FNAME(is_present_gpte)(unsigned long pte)
 126{
 127#if PTTYPE != PTTYPE_EPT
 128        return pte & PT_PRESENT_MASK;
 129#else
 130        return pte & 7;
 131#endif
 132}
 133
 134static int FNAME(cmpxchg_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
 135                               pt_element_t __user *ptep_user, unsigned index,
 136                               pt_element_t orig_pte, pt_element_t new_pte)
 137{
 138        int npages;
 139        pt_element_t ret;
 140        pt_element_t *table;
 141        struct page *page;
 142
 143        npages = get_user_pages_fast((unsigned long)ptep_user, 1, 1, &page);
 144        /* Check if the user is doing something meaningless. */
 145        if (unlikely(npages != 1))
 146                return -EFAULT;
 147
 148        table = kmap_atomic(page);
 149        ret = CMPXCHG(&table[index], orig_pte, new_pte);
 150        kunmap_atomic(table);
 151
 152        kvm_release_page_dirty(page);
 153
 154        return (ret != orig_pte);
 155}
 156
 157static bool FNAME(prefetch_invalid_gpte)(struct kvm_vcpu *vcpu,
 158                                  struct kvm_mmu_page *sp, u64 *spte,
 159                                  u64 gpte)
 160{
 161        if (is_rsvd_bits_set(vcpu->arch.mmu, gpte, PT_PAGE_TABLE_LEVEL))
 162                goto no_present;
 163
 164        if (!FNAME(is_present_gpte)(gpte))
 165                goto no_present;
 166
 167        /* if accessed bit is not supported prefetch non accessed gpte */
 168        if (PT_HAVE_ACCESSED_DIRTY(vcpu->arch.mmu) &&
 169            !(gpte & PT_GUEST_ACCESSED_MASK))
 170                goto no_present;
 171
 172        return false;
 173
 174no_present:
 175        drop_spte(vcpu->kvm, spte);
 176        return true;
 177}
 178
 179/*
 180 * For PTTYPE_EPT, a page table can be executable but not readable
 181 * on supported processors. Therefore, set_spte does not automatically
 182 * set bit 0 if execute only is supported. Here, we repurpose ACC_USER_MASK
 183 * to signify readability since it isn't used in the EPT case
 184 */
 185static inline unsigned FNAME(gpte_access)(struct kvm_vcpu *vcpu, u64 gpte)
 186{
 187        unsigned access;
 188#if PTTYPE == PTTYPE_EPT
 189        access = ((gpte & VMX_EPT_WRITABLE_MASK) ? ACC_WRITE_MASK : 0) |
 190                ((gpte & VMX_EPT_EXECUTABLE_MASK) ? ACC_EXEC_MASK : 0) |
 191                ((gpte & VMX_EPT_READABLE_MASK) ? ACC_USER_MASK : 0);
 192#else
 193        BUILD_BUG_ON(ACC_EXEC_MASK != PT_PRESENT_MASK);
 194        BUILD_BUG_ON(ACC_EXEC_MASK != 1);
 195        access = gpte & (PT_WRITABLE_MASK | PT_USER_MASK | PT_PRESENT_MASK);
 196        /* Combine NX with P (which is set here) to get ACC_EXEC_MASK.  */
 197        access ^= (gpte >> PT64_NX_SHIFT);
 198#endif
 199
 200        return access;
 201}
 202
 203static int FNAME(update_accessed_dirty_bits)(struct kvm_vcpu *vcpu,
 204                                             struct kvm_mmu *mmu,
 205                                             struct guest_walker *walker,
 206                                             int write_fault)
 207{
 208        unsigned level, index;
 209        pt_element_t pte, orig_pte;
 210        pt_element_t __user *ptep_user;
 211        gfn_t table_gfn;
 212        int ret;
 213
 214        /* dirty/accessed bits are not supported, so no need to update them */
 215        if (!PT_HAVE_ACCESSED_DIRTY(mmu))
 216                return 0;
 217
 218        for (level = walker->max_level; level >= walker->level; --level) {
 219                pte = orig_pte = walker->ptes[level - 1];
 220                table_gfn = walker->table_gfn[level - 1];
 221                ptep_user = walker->ptep_user[level - 1];
 222                index = offset_in_page(ptep_user) / sizeof(pt_element_t);
 223                if (!(pte & PT_GUEST_ACCESSED_MASK)) {
 224                        trace_kvm_mmu_set_accessed_bit(table_gfn, index, sizeof(pte));
 225                        pte |= PT_GUEST_ACCESSED_MASK;
 226                }
 227                if (level == walker->level && write_fault &&
 228                                !(pte & PT_GUEST_DIRTY_MASK)) {
 229                        trace_kvm_mmu_set_dirty_bit(table_gfn, index, sizeof(pte));
 230#if PTTYPE == PTTYPE_EPT
 231                        if (kvm_arch_write_log_dirty(vcpu))
 232                                return -EINVAL;
 233#endif
 234                        pte |= PT_GUEST_DIRTY_MASK;
 235                }
 236                if (pte == orig_pte)
 237                        continue;
 238
 239                /*
 240                 * If the slot is read-only, simply do not process the accessed
 241                 * and dirty bits.  This is the correct thing to do if the slot
 242                 * is ROM, and page tables in read-as-ROM/write-as-MMIO slots
 243                 * are only supported if the accessed and dirty bits are already
 244                 * set in the ROM (so that MMIO writes are never needed).
 245                 *
 246                 * Note that NPT does not allow this at all and faults, since
 247                 * it always wants nested page table entries for the guest
 248                 * page tables to be writable.  And EPT works but will simply
 249                 * overwrite the read-only memory to set the accessed and dirty
 250                 * bits.
 251                 */
 252                if (unlikely(!walker->pte_writable[level - 1]))
 253                        continue;
 254
 255                ret = FNAME(cmpxchg_gpte)(vcpu, mmu, ptep_user, index, orig_pte, pte);
 256                if (ret)
 257                        return ret;
 258
 259                kvm_vcpu_mark_page_dirty(vcpu, table_gfn);
 260                walker->ptes[level - 1] = pte;
 261        }
 262        return 0;
 263}
 264
 265static inline unsigned FNAME(gpte_pkeys)(struct kvm_vcpu *vcpu, u64 gpte)
 266{
 267        unsigned pkeys = 0;
 268#if PTTYPE == 64
 269        pte_t pte = {.pte = gpte};
 270
 271        pkeys = pte_flags_pkey(pte_flags(pte));
 272#endif
 273        return pkeys;
 274}
 275
 276/*
 277 * Fetch a guest pte for a guest virtual address
 278 */
 279static int FNAME(walk_addr_generic)(struct guest_walker *walker,
 280                                    struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
 281                                    gva_t addr, u32 access)
 282{
 283        int ret;
 284        pt_element_t pte;
 285        pt_element_t __user *uninitialized_var(ptep_user);
 286        gfn_t table_gfn;
 287        u64 pt_access, pte_access;
 288        unsigned index, accessed_dirty, pte_pkey;
 289        unsigned nested_access;
 290        gpa_t pte_gpa;
 291        bool have_ad;
 292        int offset;
 293        u64 walk_nx_mask = 0;
 294        const int write_fault = access & PFERR_WRITE_MASK;
 295        const int user_fault  = access & PFERR_USER_MASK;
 296        const int fetch_fault = access & PFERR_FETCH_MASK;
 297        u16 errcode = 0;
 298        gpa_t real_gpa;
 299        gfn_t gfn;
 300
 301        trace_kvm_mmu_pagetable_walk(addr, access);
 302retry_walk:
 303        walker->level = mmu->root_level;
 304        pte           = mmu->get_cr3(vcpu);
 305        have_ad       = PT_HAVE_ACCESSED_DIRTY(mmu);
 306
 307#if PTTYPE == 64
 308        walk_nx_mask = 1ULL << PT64_NX_SHIFT;
 309        if (walker->level == PT32E_ROOT_LEVEL) {
 310                pte = mmu->get_pdptr(vcpu, (addr >> 30) & 3);
 311                trace_kvm_mmu_paging_element(pte, walker->level);
 312                if (!FNAME(is_present_gpte)(pte))
 313                        goto error;
 314                --walker->level;
 315        }
 316#endif
 317        walker->max_level = walker->level;
 318        ASSERT(!(is_long_mode(vcpu) && !is_pae(vcpu)));
 319
 320        /*
 321         * FIXME: on Intel processors, loads of the PDPTE registers for PAE paging
 322         * by the MOV to CR instruction are treated as reads and do not cause the
 323         * processor to set the dirty flag in any EPT paging-structure entry.
 324         */
 325        nested_access = (have_ad ? PFERR_WRITE_MASK : 0) | PFERR_USER_MASK;
 326
 327        pte_access = ~0;
 328        ++walker->level;
 329
 330        do {
 331                gfn_t real_gfn;
 332                unsigned long host_addr;
 333
 334                pt_access = pte_access;
 335                --walker->level;
 336
 337                index = PT_INDEX(addr, walker->level);
 338                table_gfn = gpte_to_gfn(pte);
 339                offset    = index * sizeof(pt_element_t);
 340                pte_gpa   = gfn_to_gpa(table_gfn) + offset;
 341
 342                BUG_ON(walker->level < 1);
 343                walker->table_gfn[walker->level - 1] = table_gfn;
 344                walker->pte_gpa[walker->level - 1] = pte_gpa;
 345
 346                real_gfn = mmu->translate_gpa(vcpu, gfn_to_gpa(table_gfn),
 347                                              nested_access,
 348                                              &walker->fault);
 349
 350                /*
 351                 * FIXME: This can happen if emulation (for of an INS/OUTS
 352                 * instruction) triggers a nested page fault.  The exit
 353                 * qualification / exit info field will incorrectly have
 354                 * "guest page access" as the nested page fault's cause,
 355                 * instead of "guest page structure access".  To fix this,
 356                 * the x86_exception struct should be augmented with enough
 357                 * information to fix the exit_qualification or exit_info_1
 358                 * fields.
 359                 */
 360                if (unlikely(real_gfn == UNMAPPED_GVA))
 361                        return 0;
 362
 363                real_gfn = gpa_to_gfn(real_gfn);
 364
 365                host_addr = kvm_vcpu_gfn_to_hva_prot(vcpu, real_gfn,
 366                                            &walker->pte_writable[walker->level - 1]);
 367                if (unlikely(kvm_is_error_hva(host_addr)))
 368                        goto error;
 369
 370                ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
 371                if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
 372                        goto error;
 373                walker->ptep_user[walker->level - 1] = ptep_user;
 374
 375                trace_kvm_mmu_paging_element(pte, walker->level);
 376
 377                /*
 378                 * Inverting the NX it lets us AND it like other
 379                 * permission bits.
 380                 */
 381                pte_access = pt_access & (pte ^ walk_nx_mask);
 382
 383                if (unlikely(!FNAME(is_present_gpte)(pte)))
 384                        goto error;
 385
 386                if (unlikely(is_rsvd_bits_set(mmu, pte, walker->level))) {
 387                        errcode = PFERR_RSVD_MASK | PFERR_PRESENT_MASK;
 388                        goto error;
 389                }
 390
 391                walker->ptes[walker->level - 1] = pte;
 392        } while (!is_last_gpte(mmu, walker->level, pte));
 393
 394        pte_pkey = FNAME(gpte_pkeys)(vcpu, pte);
 395        accessed_dirty = have_ad ? pte_access & PT_GUEST_ACCESSED_MASK : 0;
 396
 397        /* Convert to ACC_*_MASK flags for struct guest_walker.  */
 398        walker->pt_access = FNAME(gpte_access)(vcpu, pt_access ^ walk_nx_mask);
 399        walker->pte_access = FNAME(gpte_access)(vcpu, pte_access ^ walk_nx_mask);
 400        errcode = permission_fault(vcpu, mmu, walker->pte_access, pte_pkey, access);
 401        if (unlikely(errcode))
 402                goto error;
 403
 404        gfn = gpte_to_gfn_lvl(pte, walker->level);
 405        gfn += (addr & PT_LVL_OFFSET_MASK(walker->level)) >> PAGE_SHIFT;
 406
 407        if (PTTYPE == 32 && walker->level == PT_DIRECTORY_LEVEL && is_cpuid_PSE36())
 408                gfn += pse36_gfn_delta(pte);
 409
 410        real_gpa = mmu->translate_gpa(vcpu, gfn_to_gpa(gfn), access, &walker->fault);
 411        if (real_gpa == UNMAPPED_GVA)
 412                return 0;
 413
 414        walker->gfn = real_gpa >> PAGE_SHIFT;
 415
 416        if (!write_fault)
 417                FNAME(protect_clean_gpte)(mmu, &walker->pte_access, pte);
 418        else
 419                /*
 420                 * On a write fault, fold the dirty bit into accessed_dirty.
 421                 * For modes without A/D bits support accessed_dirty will be
 422                 * always clear.
 423                 */
 424                accessed_dirty &= pte >>
 425                        (PT_GUEST_DIRTY_SHIFT - PT_GUEST_ACCESSED_SHIFT);
 426
 427        if (unlikely(!accessed_dirty)) {
 428                ret = FNAME(update_accessed_dirty_bits)(vcpu, mmu, walker, write_fault);
 429                if (unlikely(ret < 0))
 430                        goto error;
 431                else if (ret)
 432                        goto retry_walk;
 433        }
 434
 435        pgprintk("%s: pte %llx pte_access %x pt_access %x\n",
 436                 __func__, (u64)pte, walker->pte_access, walker->pt_access);
 437        return 1;
 438
 439error:
 440        errcode |= write_fault | user_fault;
 441        if (fetch_fault && (mmu->nx ||
 442                            kvm_read_cr4_bits(vcpu, X86_CR4_SMEP)))
 443                errcode |= PFERR_FETCH_MASK;
 444
 445        walker->fault.vector = PF_VECTOR;
 446        walker->fault.error_code_valid = true;
 447        walker->fault.error_code = errcode;
 448
 449#if PTTYPE == PTTYPE_EPT
 450        /*
 451         * Use PFERR_RSVD_MASK in error_code to to tell if EPT
 452         * misconfiguration requires to be injected. The detection is
 453         * done by is_rsvd_bits_set() above.
 454         *
 455         * We set up the value of exit_qualification to inject:
 456         * [2:0] - Derive from the access bits. The exit_qualification might be
 457         *         out of date if it is serving an EPT misconfiguration.
 458         * [5:3] - Calculated by the page walk of the guest EPT page tables
 459         * [7:8] - Derived from [7:8] of real exit_qualification
 460         *
 461         * The other bits are set to 0.
 462         */
 463        if (!(errcode & PFERR_RSVD_MASK)) {
 464                vcpu->arch.exit_qualification &= 0x180;
 465                if (write_fault)
 466                        vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE;
 467                if (user_fault)
 468                        vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ;
 469                if (fetch_fault)
 470                        vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR;
 471                vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3;
 472        }
 473#endif
 474        walker->fault.address = addr;
 475        walker->fault.nested_page_fault = mmu != vcpu->arch.walk_mmu;
 476
 477        trace_kvm_mmu_walker_error(walker->fault.error_code);
 478        return 0;
 479}
 480
 481static int FNAME(walk_addr)(struct guest_walker *walker,
 482                            struct kvm_vcpu *vcpu, gva_t addr, u32 access)
 483{
 484        return FNAME(walk_addr_generic)(walker, vcpu, vcpu->arch.mmu, addr,
 485                                        access);
 486}
 487
 488#if PTTYPE != PTTYPE_EPT
 489static int FNAME(walk_addr_nested)(struct guest_walker *walker,
 490                                   struct kvm_vcpu *vcpu, gva_t addr,
 491                                   u32 access)
 492{
 493        return FNAME(walk_addr_generic)(walker, vcpu, &vcpu->arch.nested_mmu,
 494                                        addr, access);
 495}
 496#endif
 497
 498static bool
 499FNAME(prefetch_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
 500                     u64 *spte, pt_element_t gpte, bool no_dirty_log)
 501{
 502        unsigned pte_access;
 503        gfn_t gfn;
 504        kvm_pfn_t pfn;
 505
 506        if (FNAME(prefetch_invalid_gpte)(vcpu, sp, spte, gpte))
 507                return false;
 508
 509        pgprintk("%s: gpte %llx spte %p\n", __func__, (u64)gpte, spte);
 510
 511        gfn = gpte_to_gfn(gpte);
 512        pte_access = sp->role.access & FNAME(gpte_access)(vcpu, gpte);
 513        FNAME(protect_clean_gpte)(vcpu->arch.mmu, &pte_access, gpte);
 514        pfn = pte_prefetch_gfn_to_pfn(vcpu, gfn,
 515                        no_dirty_log && (pte_access & ACC_WRITE_MASK));
 516        if (is_error_pfn(pfn))
 517                return false;
 518
 519        /*
 520         * we call mmu_set_spte() with host_writable = true because
 521         * pte_prefetch_gfn_to_pfn always gets a writable pfn.
 522         */
 523        mmu_set_spte(vcpu, spte, pte_access, 0, PT_PAGE_TABLE_LEVEL, gfn, pfn,
 524                     true, true);
 525
 526        return true;
 527}
 528
 529static void FNAME(update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
 530                              u64 *spte, const void *pte)
 531{
 532        pt_element_t gpte = *(const pt_element_t *)pte;
 533
 534        FNAME(prefetch_gpte)(vcpu, sp, spte, gpte, false);
 535}
 536
 537static bool FNAME(gpte_changed)(struct kvm_vcpu *vcpu,
 538                                struct guest_walker *gw, int level)
 539{
 540        pt_element_t curr_pte;
 541        gpa_t base_gpa, pte_gpa = gw->pte_gpa[level - 1];
 542        u64 mask;
 543        int r, index;
 544
 545        if (level == PT_PAGE_TABLE_LEVEL) {
 546                mask = PTE_PREFETCH_NUM * sizeof(pt_element_t) - 1;
 547                base_gpa = pte_gpa & ~mask;
 548                index = (pte_gpa - base_gpa) / sizeof(pt_element_t);
 549
 550                r = kvm_vcpu_read_guest_atomic(vcpu, base_gpa,
 551                                gw->prefetch_ptes, sizeof(gw->prefetch_ptes));
 552                curr_pte = gw->prefetch_ptes[index];
 553        } else
 554                r = kvm_vcpu_read_guest_atomic(vcpu, pte_gpa,
 555                                  &curr_pte, sizeof(curr_pte));
 556
 557        return r || curr_pte != gw->ptes[level - 1];
 558}
 559
 560static void FNAME(pte_prefetch)(struct kvm_vcpu *vcpu, struct guest_walker *gw,
 561                                u64 *sptep)
 562{
 563        struct kvm_mmu_page *sp;
 564        pt_element_t *gptep = gw->prefetch_ptes;
 565        u64 *spte;
 566        int i;
 567
 568        sp = page_header(__pa(sptep));
 569
 570        if (sp->role.level > PT_PAGE_TABLE_LEVEL)
 571                return;
 572
 573        if (sp->role.direct)
 574                return __direct_pte_prefetch(vcpu, sp, sptep);
 575
 576        i = (sptep - sp->spt) & ~(PTE_PREFETCH_NUM - 1);
 577        spte = sp->spt + i;
 578
 579        for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
 580                if (spte == sptep)
 581                        continue;
 582
 583                if (is_shadow_present_pte(*spte))
 584                        continue;
 585
 586                if (!FNAME(prefetch_gpte)(vcpu, sp, spte, gptep[i], true))
 587                        break;
 588        }
 589}
 590
 591/*
 592 * Fetch a shadow pte for a specific level in the paging hierarchy.
 593 * If the guest tries to write a write-protected page, we need to
 594 * emulate this operation, return 1 to indicate this case.
 595 */
 596static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
 597                         struct guest_walker *gw,
 598                         int write_fault, int hlevel,
 599                         kvm_pfn_t pfn, bool map_writable, bool prefault)
 600{
 601        struct kvm_mmu_page *sp = NULL;
 602        struct kvm_shadow_walk_iterator it;
 603        unsigned direct_access, access = gw->pt_access;
 604        int top_level, ret;
 605
 606        direct_access = gw->pte_access;
 607
 608        top_level = vcpu->arch.mmu->root_level;
 609        if (top_level == PT32E_ROOT_LEVEL)
 610                top_level = PT32_ROOT_LEVEL;
 611        /*
 612         * Verify that the top-level gpte is still there.  Since the page
 613         * is a root page, it is either write protected (and cannot be
 614         * changed from now on) or it is invalid (in which case, we don't
 615         * really care if it changes underneath us after this point).
 616         */
 617        if (FNAME(gpte_changed)(vcpu, gw, top_level))
 618                goto out_gpte_changed;
 619
 620        if (!VALID_PAGE(vcpu->arch.mmu->root_hpa))
 621                goto out_gpte_changed;
 622
 623        for (shadow_walk_init(&it, vcpu, addr);
 624             shadow_walk_okay(&it) && it.level > gw->level;
 625             shadow_walk_next(&it)) {
 626                gfn_t table_gfn;
 627
 628                clear_sp_write_flooding_count(it.sptep);
 629                drop_large_spte(vcpu, it.sptep);
 630
 631                sp = NULL;
 632                if (!is_shadow_present_pte(*it.sptep)) {
 633                        table_gfn = gw->table_gfn[it.level - 2];
 634                        sp = kvm_mmu_get_page(vcpu, table_gfn, addr, it.level-1,
 635                                              false, access);
 636                }
 637
 638                /*
 639                 * Verify that the gpte in the page we've just write
 640                 * protected is still there.
 641                 */
 642                if (FNAME(gpte_changed)(vcpu, gw, it.level - 1))
 643                        goto out_gpte_changed;
 644
 645                if (sp)
 646                        link_shadow_page(vcpu, it.sptep, sp);
 647        }
 648
 649        for (;
 650             shadow_walk_okay(&it) && it.level > hlevel;
 651             shadow_walk_next(&it)) {
 652                gfn_t direct_gfn;
 653
 654                clear_sp_write_flooding_count(it.sptep);
 655                validate_direct_spte(vcpu, it.sptep, direct_access);
 656
 657                drop_large_spte(vcpu, it.sptep);
 658
 659                if (is_shadow_present_pte(*it.sptep))
 660                        continue;
 661
 662                direct_gfn = gw->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
 663
 664                sp = kvm_mmu_get_page(vcpu, direct_gfn, addr, it.level-1,
 665                                      true, direct_access);
 666                link_shadow_page(vcpu, it.sptep, sp);
 667        }
 668
 669        clear_sp_write_flooding_count(it.sptep);
 670        ret = mmu_set_spte(vcpu, it.sptep, gw->pte_access, write_fault,
 671                           it.level, gw->gfn, pfn, prefault, map_writable);
 672        FNAME(pte_prefetch)(vcpu, gw, it.sptep);
 673
 674        return ret;
 675
 676out_gpte_changed:
 677        kvm_release_pfn_clean(pfn);
 678        return RET_PF_RETRY;
 679}
 680
 681 /*
 682 * To see whether the mapped gfn can write its page table in the current
 683 * mapping.
 684 *
 685 * It is the helper function of FNAME(page_fault). When guest uses large page
 686 * size to map the writable gfn which is used as current page table, we should
 687 * force kvm to use small page size to map it because new shadow page will be
 688 * created when kvm establishes shadow page table that stop kvm using large
 689 * page size. Do it early can avoid unnecessary #PF and emulation.
 690 *
 691 * @write_fault_to_shadow_pgtable will return true if the fault gfn is
 692 * currently used as its page table.
 693 *
 694 * Note: the PDPT page table is not checked for PAE-32 bit guest. It is ok
 695 * since the PDPT is always shadowed, that means, we can not use large page
 696 * size to map the gfn which is used as PDPT.
 697 */
 698static bool
 699FNAME(is_self_change_mapping)(struct kvm_vcpu *vcpu,
 700                              struct guest_walker *walker, int user_fault,
 701                              bool *write_fault_to_shadow_pgtable)
 702{
 703        int level;
 704        gfn_t mask = ~(KVM_PAGES_PER_HPAGE(walker->level) - 1);
 705        bool self_changed = false;
 706
 707        if (!(walker->pte_access & ACC_WRITE_MASK ||
 708              (!is_write_protection(vcpu) && !user_fault)))
 709                return false;
 710
 711        for (level = walker->level; level <= walker->max_level; level++) {
 712                gfn_t gfn = walker->gfn ^ walker->table_gfn[level - 1];
 713
 714                self_changed |= !(gfn & mask);
 715                *write_fault_to_shadow_pgtable |= !gfn;
 716        }
 717
 718        return self_changed;
 719}
 720
 721/*
 722 * Page fault handler.  There are several causes for a page fault:
 723 *   - there is no shadow pte for the guest pte
 724 *   - write access through a shadow pte marked read only so that we can set
 725 *     the dirty bit
 726 *   - write access to a shadow pte marked read only so we can update the page
 727 *     dirty bitmap, when userspace requests it
 728 *   - mmio access; in this case we will never install a present shadow pte
 729 *   - normal guest page fault due to the guest pte marked not present, not
 730 *     writable, or not executable
 731 *
 732 *  Returns: 1 if we need to emulate the instruction, 0 otherwise, or
 733 *           a negative value on error.
 734 */
 735static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
 736                             bool prefault)
 737{
 738        int write_fault = error_code & PFERR_WRITE_MASK;
 739        int user_fault = error_code & PFERR_USER_MASK;
 740        struct guest_walker walker;
 741        int r;
 742        kvm_pfn_t pfn;
 743        int level = PT_PAGE_TABLE_LEVEL;
 744        bool force_pt_level;
 745        unsigned long mmu_seq;
 746        bool map_writable, is_self_change_mapping;
 747
 748        pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
 749
 750        r = mmu_topup_memory_caches(vcpu);
 751        if (r)
 752                return r;
 753
 754        /*
 755         * If PFEC.RSVD is set, this is a shadow page fault.
 756         * The bit needs to be cleared before walking guest page tables.
 757         */
 758        error_code &= ~PFERR_RSVD_MASK;
 759
 760        /*
 761         * Look up the guest pte for the faulting address.
 762         */
 763        r = FNAME(walk_addr)(&walker, vcpu, addr, error_code);
 764
 765        /*
 766         * The page is not mapped by the guest.  Let the guest handle it.
 767         */
 768        if (!r) {
 769                pgprintk("%s: guest page fault\n", __func__);
 770                if (!prefault)
 771                        inject_page_fault(vcpu, &walker.fault);
 772
 773                return RET_PF_RETRY;
 774        }
 775
 776        if (page_fault_handle_page_track(vcpu, error_code, walker.gfn)) {
 777                shadow_page_table_clear_flood(vcpu, addr);
 778                return RET_PF_EMULATE;
 779        }
 780
 781        vcpu->arch.write_fault_to_shadow_pgtable = false;
 782
 783        is_self_change_mapping = FNAME(is_self_change_mapping)(vcpu,
 784              &walker, user_fault, &vcpu->arch.write_fault_to_shadow_pgtable);
 785
 786        if (walker.level >= PT_DIRECTORY_LEVEL && !is_self_change_mapping) {
 787                level = mapping_level(vcpu, walker.gfn, &force_pt_level);
 788                if (likely(!force_pt_level)) {
 789                        level = min(walker.level, level);
 790                        walker.gfn = walker.gfn & ~(KVM_PAGES_PER_HPAGE(level) - 1);
 791                }
 792        } else
 793                force_pt_level = true;
 794
 795        mmu_seq = vcpu->kvm->mmu_notifier_seq;
 796        smp_rmb();
 797
 798        if (try_async_pf(vcpu, prefault, walker.gfn, addr, &pfn, write_fault,
 799                         &map_writable))
 800                return RET_PF_RETRY;
 801
 802        if (handle_abnormal_pfn(vcpu, addr, walker.gfn, pfn, walker.pte_access, &r))
 803                return r;
 804
 805        /*
 806         * Do not change pte_access if the pfn is a mmio page, otherwise
 807         * we will cache the incorrect access into mmio spte.
 808         */
 809        if (write_fault && !(walker.pte_access & ACC_WRITE_MASK) &&
 810             !is_write_protection(vcpu) && !user_fault &&
 811              !is_noslot_pfn(pfn)) {
 812                walker.pte_access |= ACC_WRITE_MASK;
 813                walker.pte_access &= ~ACC_USER_MASK;
 814
 815                /*
 816                 * If we converted a user page to a kernel page,
 817                 * so that the kernel can write to it when cr0.wp=0,
 818                 * then we should prevent the kernel from executing it
 819                 * if SMEP is enabled.
 820                 */
 821                if (kvm_read_cr4_bits(vcpu, X86_CR4_SMEP))
 822                        walker.pte_access &= ~ACC_EXEC_MASK;
 823        }
 824
 825        spin_lock(&vcpu->kvm->mmu_lock);
 826        if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
 827                goto out_unlock;
 828
 829        kvm_mmu_audit(vcpu, AUDIT_PRE_PAGE_FAULT);
 830        if (make_mmu_pages_available(vcpu) < 0)
 831                goto out_unlock;
 832        if (!force_pt_level)
 833                transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
 834        r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
 835                         level, pfn, map_writable, prefault);
 836        ++vcpu->stat.pf_fixed;
 837        kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
 838        spin_unlock(&vcpu->kvm->mmu_lock);
 839
 840        return r;
 841
 842out_unlock:
 843        spin_unlock(&vcpu->kvm->mmu_lock);
 844        kvm_release_pfn_clean(pfn);
 845        return RET_PF_RETRY;
 846}
 847
 848static gpa_t FNAME(get_level1_sp_gpa)(struct kvm_mmu_page *sp)
 849{
 850        int offset = 0;
 851
 852        WARN_ON(sp->role.level != PT_PAGE_TABLE_LEVEL);
 853
 854        if (PTTYPE == 32)
 855                offset = sp->role.quadrant << PT64_LEVEL_BITS;
 856
 857        return gfn_to_gpa(sp->gfn) + offset * sizeof(pt_element_t);
 858}
 859
 860static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva, hpa_t root_hpa)
 861{
 862        struct kvm_shadow_walk_iterator iterator;
 863        struct kvm_mmu_page *sp;
 864        int level;
 865        u64 *sptep;
 866
 867        vcpu_clear_mmio_info(vcpu, gva);
 868
 869        /*
 870         * No need to check return value here, rmap_can_add() can
 871         * help us to skip pte prefetch later.
 872         */
 873        mmu_topup_memory_caches(vcpu);
 874
 875        if (!VALID_PAGE(root_hpa)) {
 876                WARN_ON(1);
 877                return;
 878        }
 879
 880        spin_lock(&vcpu->kvm->mmu_lock);
 881        for_each_shadow_entry_using_root(vcpu, root_hpa, gva, iterator) {
 882                level = iterator.level;
 883                sptep = iterator.sptep;
 884
 885                sp = page_header(__pa(sptep));
 886                if (is_last_spte(*sptep, level)) {
 887                        pt_element_t gpte;
 888                        gpa_t pte_gpa;
 889
 890                        if (!sp->unsync)
 891                                break;
 892
 893                        pte_gpa = FNAME(get_level1_sp_gpa)(sp);
 894                        pte_gpa += (sptep - sp->spt) * sizeof(pt_element_t);
 895
 896                        if (mmu_page_zap_pte(vcpu->kvm, sp, sptep))
 897                                kvm_flush_remote_tlbs(vcpu->kvm);
 898
 899                        if (!rmap_can_add(vcpu))
 900                                break;
 901
 902                        if (kvm_vcpu_read_guest_atomic(vcpu, pte_gpa, &gpte,
 903                                                       sizeof(pt_element_t)))
 904                                break;
 905
 906                        FNAME(update_pte)(vcpu, sp, sptep, &gpte);
 907                }
 908
 909                if (!is_shadow_present_pte(*sptep) || !sp->unsync_children)
 910                        break;
 911        }
 912        spin_unlock(&vcpu->kvm->mmu_lock);
 913}
 914
 915static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr, u32 access,
 916                               struct x86_exception *exception)
 917{
 918        struct guest_walker walker;
 919        gpa_t gpa = UNMAPPED_GVA;
 920        int r;
 921
 922        r = FNAME(walk_addr)(&walker, vcpu, vaddr, access);
 923
 924        if (r) {
 925                gpa = gfn_to_gpa(walker.gfn);
 926                gpa |= vaddr & ~PAGE_MASK;
 927        } else if (exception)
 928                *exception = walker.fault;
 929
 930        return gpa;
 931}
 932
 933#if PTTYPE != PTTYPE_EPT
 934static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gva_t vaddr,
 935                                      u32 access,
 936                                      struct x86_exception *exception)
 937{
 938        struct guest_walker walker;
 939        gpa_t gpa = UNMAPPED_GVA;
 940        int r;
 941
 942        r = FNAME(walk_addr_nested)(&walker, vcpu, vaddr, access);
 943
 944        if (r) {
 945                gpa = gfn_to_gpa(walker.gfn);
 946                gpa |= vaddr & ~PAGE_MASK;
 947        } else if (exception)
 948                *exception = walker.fault;
 949
 950        return gpa;
 951}
 952#endif
 953
 954/*
 955 * Using the cached information from sp->gfns is safe because:
 956 * - The spte has a reference to the struct page, so the pfn for a given gfn
 957 *   can't change unless all sptes pointing to it are nuked first.
 958 *
 959 * Note:
 960 *   We should flush all tlbs if spte is dropped even though guest is
 961 *   responsible for it. Since if we don't, kvm_mmu_notifier_invalidate_page
 962 *   and kvm_mmu_notifier_invalidate_range_start detect the mapping page isn't
 963 *   used by guest then tlbs are not flushed, so guest is allowed to access the
 964 *   freed pages.
 965 *   And we increase kvm->tlbs_dirty to delay tlbs flush in this case.
 966 */
 967static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
 968{
 969        int i, nr_present = 0;
 970        bool host_writable;
 971        gpa_t first_pte_gpa;
 972        int set_spte_ret = 0;
 973
 974        /* direct kvm_mmu_page can not be unsync. */
 975        BUG_ON(sp->role.direct);
 976
 977        first_pte_gpa = FNAME(get_level1_sp_gpa)(sp);
 978
 979        for (i = 0; i < PT64_ENT_PER_PAGE; i++) {
 980                unsigned pte_access;
 981                pt_element_t gpte;
 982                gpa_t pte_gpa;
 983                gfn_t gfn;
 984
 985                if (!sp->spt[i])
 986                        continue;
 987
 988                pte_gpa = first_pte_gpa + i * sizeof(pt_element_t);
 989
 990                if (kvm_vcpu_read_guest_atomic(vcpu, pte_gpa, &gpte,
 991                                               sizeof(pt_element_t)))
 992                        return 0;
 993
 994                if (FNAME(prefetch_invalid_gpte)(vcpu, sp, &sp->spt[i], gpte)) {
 995                        /*
 996                         * Update spte before increasing tlbs_dirty to make
 997                         * sure no tlb flush is lost after spte is zapped; see
 998                         * the comments in kvm_flush_remote_tlbs().
 999                         */
1000                        smp_wmb();

1001                        vcpu->kvm->tlbs_dirty++;
1002                        continue;
1003                }
1004
1005                gfn = gpte_to_gfn(gpte);
1006                pte_access = sp->role.access;
1007                pte_access &= FNAME(gpte_access)(vcpu, gpte);
1008                FNAME(protect_clean_gpte)(vcpu->arch.mmu, &pte_access, gpte);
1009
1010                if (sync_mmio_spte(vcpu, &sp->spt[i], gfn, pte_access,
1011                      &nr_present))
1012                        continue;
1013
1014                if (gfn != sp->gfns[i]) {
1015                        drop_spte(vcpu->kvm, &sp->spt[i]);
1016                        /*
1017                         * The same as above where we are doing
1018                         * prefetch_invalid_gpte().
1019                         */
1020                        smp_wmb();
1021                        vcpu->kvm->tlbs_dirty++;
1022                        continue;
1023                }
1024
1025                nr_present++;
1026
1027                host_writable = sp->spt[i] & SPTE_HOST_WRITEABLE;
1028
1029                set_spte_ret |= set_spte(vcpu, &sp->spt[i],
1030                                         pte_access, PT_PAGE_TABLE_LEVEL,
1031                                         gfn, spte_to_pfn(sp->spt[i]),
1032                                         true, false, host_writable);
1033        }
1034
1035        if (set_spte_ret & SET_SPTE_NEED_REMOTE_TLB_FLUSH)
1036                kvm_flush_remote_tlbs(vcpu->kvm);
1037
1038        return nr_present;
1039}
1040
1041#undef pt_element_t
1042#undef guest_walker
1043#undef FNAME
1044#undef PT_BASE_ADDR_MASK
1045#undef PT_INDEX
1046#undef PT_LVL_ADDR_MASK
1047#undef PT_LVL_OFFSET_MASK
1048#undef PT_LEVEL_BITS
1049#undef PT_MAX_FULL_LEVELS
1050#undef gpte_to_gfn
1051#undef gpte_to_gfn_lvl
1052#undef CMPXCHG
1053#undef PT_GUEST_ACCESSED_MASK
1054#undef PT_GUEST_DIRTY_MASK
1055#undef PT_GUEST_DIRTY_SHIFT
1056#undef PT_GUEST_ACCESSED_SHIFT
1057#undef PT_HAVE_ACCESSED_DIRTY
1058