/*
 * Copyright 2011 Paul Mackerras, IBM Corp. <paulus@au1.ibm.com>
 * Copyright (C) 2009. SUSE Linux Products GmbH. All rights reserved.
 *
 * Authors:
 *    Paul Mackerras <paulus@au1.ibm.com>
 *    Alexander Graf <agraf@suse.de>
 *    Kevin Wolf <mail@kevin-wolf.de>
 *
 * Description: KVM functions specific to running on Book 3S
 * processors in hypervisor mode (specifically POWER7 and later).
 *
 * This file is derived from arch/powerpc/kvm/book3s.c,
 * by Alexander Graf <agraf@suse.de>.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License, version 2, as
 * published by the Free Software Foundation.
 */

#include <linux/kvm_host.h>
#include <linux/kernel.h>
#include <linux/err.h>
#include <linux/slab.h>
#include <linux/preempt.h>
#include <linux/sched/signal.h>
#include <linux/sched/stat.h>
#include <linux/delay.h>
#include <linux/export.h>
#include <linux/fs.h>
#include <linux/anon_inodes.h>
#include <linux/cpu.h>
#include <linux/cpumask.h>
#include <linux/spinlock.h>
#include <linux/page-flags.h>
#include <linux/srcu.h>
#include <linux/miscdevice.h>
#include <linux/debugfs.h>
#include <linux/gfp.h>
#include <linux/vmalloc.h>
#include <linux/highmem.h>
#include <linux/hugetlb.h>
#include <linux/kvm_irqfd.h>
#include <linux/irqbypass.h>
#include <linux/module.h>
#include <linux/compiler.h>
#include <linux/of.h>

#include <asm/ftrace.h>
#include <asm/reg.h>
#include <asm/ppc-opcode.h>
#include <asm/asm-prototypes.h>
#include <asm/archrandom.h>
#include <asm/debug.h>
#include <asm/disassemble.h>
#include <asm/cputable.h>
#include <asm/cacheflush.h>
#include <asm/tlbflush.h>
#include <linux/uaccess.h>
#include <asm/io.h>
#include <asm/kvm_ppc.h>
#include <asm/kvm_book3s.h>
#include <asm/mmu_context.h>
#include <asm/lppaca.h>
#include <asm/processor.h>
#include <asm/cputhreads.h>
#include <asm/page.h>
#include <asm/hvcall.h>
#include <asm/switch_to.h>
#include <asm/smp.h>
#include <asm/dbell.h>
#include <asm/hmi.h>
#include <asm/pnv-pci.h>
#include <asm/mmu.h>
#include <asm/opal.h>
#include <asm/xics.h>
#include <asm/xive.h>
#include <asm/hw_breakpoint.h>
#include <asm/kvm_host.h>
#include <asm/kvm_book3s_uvmem.h>
#include <asm/ultravisor.h>
#include <asm/dtl.h>

#include "book3s.h"

#define CREATE_TRACE_POINTS
#include "trace_hv.h"

/* #define EXIT_DEBUG */
/* #define EXIT_DEBUG_SIMPLE */
/* #define EXIT_DEBUG_INT */

/* Used to indicate that a guest page fault needs to be handled */
#define RESUME_PAGE_FAULT       (RESUME_GUEST | RESUME_FLAG_ARCH1)
/* Used to indicate that a guest passthrough interrupt needs to be handled */
#define RESUME_PASSTHROUGH      (RESUME_GUEST | RESUME_FLAG_ARCH2)

/* Used as a "null" value for timebase values */
#define TB_NIL  (~(u64)0)

static DECLARE_BITMAP(default_enabled_hcalls, MAX_HCALL_OPCODE/4 + 1);

static int dynamic_mt_modes = 6;
module_param(dynamic_mt_modes, int, 0644);
MODULE_PARM_DESC(dynamic_mt_modes, "Set of allowed dynamic micro-threading modes: 0 (= none), 2, 4, or 6 (= 2 or 4)");
static int target_smt_mode;
module_param(target_smt_mode, int, 0644);
MODULE_PARM_DESC(target_smt_mode, "Target threads per core (0 = max)");

static bool indep_threads_mode = true;
module_param(indep_threads_mode, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(indep_threads_mode, "Independent-threads mode (only on POWER9)");

static bool one_vm_per_core;
module_param(one_vm_per_core, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(one_vm_per_core, "Only run vCPUs from the same VM on a core (requires indep_threads_mode=N)");

#ifdef CONFIG_KVM_XICS
static const struct kernel_param_ops module_param_ops = {
        .set = param_set_int,
        .get = param_get_int,
};

module_param_cb(kvm_irq_bypass, &module_param_ops, &kvm_irq_bypass, 0644);
MODULE_PARM_DESC(kvm_irq_bypass, "Bypass passthrough interrupt optimization");

module_param_cb(h_ipi_redirect, &module_param_ops, &h_ipi_redirect, 0644);
MODULE_PARM_DESC(h_ipi_redirect, "Redirect H_IPI wakeup to a free host core");
#endif

/* If set, guests are allowed to create and control nested guests */
static bool nested = true;
module_param(nested, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(nested, "Enable nested virtualization (only on POWER9)");

static inline bool nesting_enabled(struct kvm *kvm)
{
        return kvm->arch.nested_enable && kvm_is_radix(kvm);
}

/* If set, the threads on each CPU core have to be in the same MMU mode */
static bool no_mixing_hpt_and_radix __read_mostly;

static int kvmppc_hv_setup_htab_rma(struct kvm_vcpu *vcpu);

/*
 * RWMR values for POWER8.  These control the rate at which PURR
 * and SPURR count and should be set according to the number of
 * online threads in the vcore being run.
 */
#define RWMR_RPA_P8_1THREAD     0x164520C62609AECAUL
#define RWMR_RPA_P8_2THREAD     0x7FFF2908450D8DA9UL
#define RWMR_RPA_P8_3THREAD     0x164520C62609AECAUL
#define RWMR_RPA_P8_4THREAD     0x199A421245058DA9UL
#define RWMR_RPA_P8_5THREAD     0x164520C62609AECAUL
#define RWMR_RPA_P8_6THREAD     0x164520C62609AECAUL
#define RWMR_RPA_P8_7THREAD     0x164520C62609AECAUL
#define RWMR_RPA_P8_8THREAD     0x164520C62609AECAUL

static unsigned long p8_rwmr_values[MAX_SMT_THREADS + 1] = {
        RWMR_RPA_P8_1THREAD,
        RWMR_RPA_P8_1THREAD,
        RWMR_RPA_P8_2THREAD,
        RWMR_RPA_P8_3THREAD,
        RWMR_RPA_P8_4THREAD,
        RWMR_RPA_P8_5THREAD,
        RWMR_RPA_P8_6THREAD,
        RWMR_RPA_P8_7THREAD,
        RWMR_RPA_P8_8THREAD,
};

static inline struct kvm_vcpu *next_runnable_thread(struct kvmppc_vcore *vc,
                int *ip)
{
        int i = *ip;
        struct kvm_vcpu *vcpu;

        while (++i < MAX_SMT_THREADS) {
                vcpu = READ_ONCE(vc->runnable_threads[i]);
                if (vcpu) {
                        *ip = i;
                        return vcpu;
                }
        }
        return NULL;
}

/* Used to traverse the list of runnable threads for a given vcore */
#define for_each_runnable_thread(i, vcpu, vc) \
        for (i = -1; (vcpu = next_runnable_thread(vc, &i)); )

static bool kvmppc_ipi_thread(int cpu)
{
        unsigned long msg = PPC_DBELL_TYPE(PPC_DBELL_SERVER);

        /* If we're a nested hypervisor, fall back to ordinary IPIs for now */
        if (kvmhv_on_pseries())
                return false;

        /* On POWER9 we can use msgsnd to IPI any cpu */
        if (cpu_has_feature(CPU_FTR_ARCH_300)) {
                msg |= get_hard_smp_processor_id(cpu);
                smp_mb();
                __asm__ __volatile__ (PPC_MSGSND(%0) : : "r" (msg));
                return true;
        }

        /* On POWER8 for IPIs to threads in the same core, use msgsnd */
        if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
                preempt_disable();
                if (cpu_first_thread_sibling(cpu) ==
                    cpu_first_thread_sibling(smp_processor_id())) {
                        msg |= cpu_thread_in_core(cpu);
                        smp_mb();
                        __asm__ __volatile__ (PPC_MSGSND(%0) : : "r" (msg));
                        preempt_enable();
                        return true;
                }
                preempt_enable();
        }

#if defined(CONFIG_PPC_ICP_NATIVE) && defined(CONFIG_SMP)
        if (cpu >= 0 && cpu < nr_cpu_ids) {
                if (paca_ptrs[cpu]->kvm_hstate.xics_phys) {
                        xics_wake_cpu(cpu);
                        return true;
                }
                opal_int_set_mfrr(get_hard_smp_processor_id(cpu), IPI_PRIORITY);
                return true;
        }
#endif

        return false;
}

static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu)
{
        int cpu;
        struct rcuwait *waitp;

        waitp = kvm_arch_vcpu_get_wait(vcpu);
        if (rcuwait_wake_up(waitp))
                ++vcpu->stat.generic.halt_wakeup;

        cpu = READ_ONCE(vcpu->arch.thread_cpu);
        if (cpu >= 0 && kvmppc_ipi_thread(cpu))
                return;

        /* CPU points to the first thread of the core */
        cpu = vcpu->cpu;
        if (cpu >= 0 && cpu < nr_cpu_ids && cpu_online(cpu))
                smp_send_reschedule(cpu);
}

/*
 * We use the vcpu_load/put functions to measure stolen time.
 * Stolen time is counted as time when either the vcpu is able to
 * run as part of a virtual core, but the task running the vcore
 * is preempted or sleeping, or when the vcpu needs something done
 * in the kernel by the task running the vcpu, but that task is
 * preempted or sleeping.  Those two things have to be counted
 * separately, since one of the vcpu tasks will take on the job
 * of running the core, and the other vcpu tasks in the vcore will
 * sleep waiting for it to do that, but that sleep shouldn't count
 * as stolen time.
 *
 * Hence we accumulate stolen time when the vcpu can run as part of
 * a vcore using vc->stolen_tb, and the stolen time when the vcpu
 * needs its task to do other things in the kernel (for example,
 * service a page fault) in busy_stolen.  We don't accumulate
 * stolen time for a vcore when it is inactive, or for a vcpu
 * when it is in state RUNNING or NOTREADY.  NOTREADY is a bit of
 * a misnomer; it means that the vcpu task is not executing in
 * the KVM_VCPU_RUN ioctl, i.e. it is in userspace or elsewhere in
 * the kernel.  We don't have any way of dividing up that time
 * between time that the vcpu is genuinely stopped, time that
 * the task is actively working on behalf of the vcpu, and time
 * that the task is preempted, so we don't count any of it as
 * stolen.
 *
 * Updates to busy_stolen are protected by arch.tbacct_lock;
 * updates to vc->stolen_tb are protected by the vcore->stoltb_lock
 * lock.  The stolen times are measured in units of timebase ticks.
 * (Note that the != TB_NIL checks below are purely defensive;
 * they should never fail.)
 */

static void kvmppc_core_start_stolen(struct kvmppc_vcore *vc)
{
        unsigned long flags;

        spin_lock_irqsave(&vc->stoltb_lock, flags);
        vc->preempt_tb = mftb();
        spin_unlock_irqrestore(&vc->stoltb_lock, flags);
}

static void kvmppc_core_end_stolen(struct kvmppc_vcore *vc)
{
        unsigned long flags;

        spin_lock_irqsave(&vc->stoltb_lock, flags);
        if (vc->preempt_tb != TB_NIL) {
                vc->stolen_tb += mftb() - vc->preempt_tb;
                vc->preempt_tb = TB_NIL;
        }
        spin_unlock_irqrestore(&vc->stoltb_lock, flags);
}

static void kvmppc_core_vcpu_load_hv(struct kvm_vcpu *vcpu, int cpu)
{
        struct kvmppc_vcore *vc = vcpu->arch.vcore;
        unsigned long flags;

        /*
         * We can test vc->runner without taking the vcore lock,
         * because only this task ever sets vc->runner to this
         * vcpu, and once it is set to this vcpu, only this task
         * ever sets it to NULL.
         */
        if (vc->runner == vcpu && vc->vcore_state >= VCORE_SLEEPING)
                kvmppc_core_end_stolen(vc);

        spin_lock_irqsave(&vcpu->arch.tbacct_lock, flags);
        if (vcpu->arch.state == KVMPPC_VCPU_BUSY_IN_HOST &&
            vcpu->arch.busy_preempt != TB_NIL) {
                vcpu->arch.busy_stolen += mftb() - vcpu->arch.busy_preempt;
                vcpu->arch.busy_preempt = TB_NIL;
        }
        spin_unlock_irqrestore(&vcpu->arch.tbacct_lock, flags);
}

static void kvmppc_core_vcpu_put_hv(struct kvm_vcpu *vcpu)
{
        struct kvmppc_vcore *vc = vcpu->arch.vcore;
        unsigned long flags;

        if (vc->runner == vcpu && vc->vcore_state >= VCORE_SLEEPING)
                kvmppc_core_start_stolen(vc);

        spin_lock_irqsave(&vcpu->arch.tbacct_lock, flags);
        if (vcpu->arch.state == KVMPPC_VCPU_BUSY_IN_HOST)
                vcpu->arch.busy_preempt = mftb();
        spin_unlock_irqrestore(&vcpu->arch.tbacct_lock, flags);
}

static void kvmppc_set_pvr_hv(struct kvm_vcpu *vcpu, u32 pvr)
{
        vcpu->arch.pvr = pvr;
}

/* Dummy value used in computing PCR value below */
#define PCR_ARCH_31    (PCR_ARCH_300 << 1)

static int kvmppc_set_arch_compat(struct kvm_vcpu *vcpu, u32 arch_compat)
{
        unsigned long host_pcr_bit = 0, guest_pcr_bit = 0;
        struct kvmppc_vcore *vc = vcpu->arch.vcore;

        /* We can (emulate) our own architecture version and anything older */
        if (cpu_has_feature(CPU_FTR_ARCH_31))
                host_pcr_bit = PCR_ARCH_31;
        else if (cpu_has_feature(CPU_FTR_ARCH_300))
                host_pcr_bit = PCR_ARCH_300;
        else if (cpu_has_feature(CPU_FTR_ARCH_207S))
                host_pcr_bit = PCR_ARCH_207;
        else if (cpu_has_feature(CPU_FTR_ARCH_206))
                host_pcr_bit = PCR_ARCH_206;
        else
                host_pcr_bit = PCR_ARCH_205;

        /* Determine lowest PCR bit needed to run guest in given PVR level */
        guest_pcr_bit = host_pcr_bit;
        if (arch_compat) {
                switch (arch_compat) {
                case PVR_ARCH_205:
                        guest_pcr_bit = PCR_ARCH_205;
                        break;
                case PVR_ARCH_206:
                case PVR_ARCH_206p:
                        guest_pcr_bit = PCR_ARCH_206;
                        break;
                case PVR_ARCH_207:
                        guest_pcr_bit = PCR_ARCH_207;
                        break;
                case PVR_ARCH_300:
                        guest_pcr_bit = PCR_ARCH_300;
                        break;
                case PVR_ARCH_31:
                        guest_pcr_bit = PCR_ARCH_31;
                        break;
                default:
                        return -EINVAL;
                }
        }

        /* Check requested PCR bits don't exceed our capabilities */
        if (guest_pcr_bit > host_pcr_bit)
                return -EINVAL;

        spin_lock(&vc->lock);
        vc->arch_compat = arch_compat;
        /*
         * Set all PCR bits for which guest_pcr_bit <= bit < host_pcr_bit
         * Also set all reserved PCR bits
         */
        vc->pcr = (host_pcr_bit - guest_pcr_bit) | PCR_MASK;
        spin_unlock(&vc->lock);

        return 0;
}

static void kvmppc_dump_regs(struct kvm_vcpu *vcpu)
{
        int r;

        pr_err("vcpu %p (%d):\n", vcpu, vcpu->vcpu_id);
        pr_err("pc  = %.16lx  msr = %.16llx  trap = %x\n",
               vcpu->arch.regs.nip, vcpu->arch.shregs.msr, vcpu->arch.trap);
        for (r = 0; r < 16; ++r)
                pr_err("r%2d = %.16lx  r%d = %.16lx\n",
                       r, kvmppc_get_gpr(vcpu, r),
                       r+16, kvmppc_get_gpr(vcpu, r+16));
        pr_err("ctr = %.16lx  lr  = %.16lx\n",
               vcpu->arch.regs.ctr, vcpu->arch.regs.link);
        pr_err("srr0 = %.16llx srr1 = %.16llx\n",
               vcpu->arch.shregs.srr0, vcpu->arch.shregs.srr1);
        pr_err("sprg0 = %.16llx sprg1 = %.16llx\n",
               vcpu->arch.shregs.sprg0, vcpu->arch.shregs.sprg1);
        pr_err("sprg2 = %.16llx sprg3 = %.16llx\n",
               vcpu->arch.shregs.sprg2, vcpu->arch.shregs.sprg3);
        pr_err("cr = %.8lx  xer = %.16lx  dsisr = %.8x\n",
               vcpu->arch.regs.ccr, vcpu->arch.regs.xer, vcpu->arch.shregs.dsisr);
        pr_err("dar = %.16llx\n", vcpu->arch.shregs.dar);
        pr_err("fault dar = %.16lx dsisr = %.8x\n",
               vcpu->arch.fault_dar, vcpu->arch.fault_dsisr);
        pr_err("SLB (%d entries):\n", vcpu->arch.slb_max);
        for (r = 0; r < vcpu->arch.slb_max; ++r)
                pr_err("  ESID = %.16llx VSID = %.16llx\n",
                       vcpu->arch.slb[r].orige, vcpu->arch.slb[r].origv);
        pr_err("lpcr = %.16lx sdr1 = %.16lx last_inst = %.8x\n",
               vcpu->arch.vcore->lpcr, vcpu->kvm->arch.sdr1,
               vcpu->arch.last_inst);
}

static struct kvm_vcpu *kvmppc_find_vcpu(struct kvm *kvm, int id)
{
        return kvm_get_vcpu_by_id(kvm, id);
}

static void init_vpa(struct kvm_vcpu *vcpu, struct lppaca *vpa)
{
        vpa->__old_status |= LPPACA_OLD_SHARED_PROC;
        vpa->yield_count = cpu_to_be32(1);
}

static int set_vpa(struct kvm_vcpu *vcpu, struct kvmppc_vpa *v,
                   unsigned long addr, unsigned long len)
{
        /* check address is cacheline aligned */
        if (addr & (L1_CACHE_BYTES - 1))
                return -EINVAL;
        spin_lock(&vcpu->arch.vpa_update_lock);
        if (v->next_gpa != addr || v->len != len) {
                v->next_gpa = addr;
                v->len = addr ? len : 0;
                v->update_pending = 1;
        }
        spin_unlock(&vcpu->arch.vpa_update_lock);
        return 0;
}

/* Length for a per-processor buffer is passed in at offset 4 in the buffer */
struct reg_vpa {
        u32 dummy;
        union {
                __be16 hword;
                __be32 word;
        } length;
};

static int vpa_is_registered(struct kvmppc_vpa *vpap)
{
        if (vpap->update_pending)
                return vpap->next_gpa != 0;
        return vpap->pinned_addr != NULL;
}

static unsigned long do_h_register_vpa(struct kvm_vcpu *vcpu,
                                       unsigned long flags,
                                       unsigned long vcpuid, unsigned long vpa)
{
        struct kvm *kvm = vcpu->kvm;
        unsigned long len, nb;
        void *va;
        struct kvm_vcpu *tvcpu;
        int err;
        int subfunc;
        struct kvmppc_vpa *vpap;

        tvcpu = kvmppc_find_vcpu(kvm, vcpuid);
        if (!tvcpu)
                return H_PARAMETER;

        subfunc = (flags >> H_VPA_FUNC_SHIFT) & H_VPA_FUNC_MASK;
        if (subfunc == H_VPA_REG_VPA || subfunc == H_VPA_REG_DTL ||
            subfunc == H_VPA_REG_SLB) {
                /* Registering new area - address must be cache-line aligned */
                if ((vpa & (L1_CACHE_BYTES - 1)) || !vpa)
                        return H_PARAMETER;

                /* convert logical addr to kernel addr and read length */
                va = kvmppc_pin_guest_page(kvm, vpa, &nb);
                if (va == NULL)
                        return H_PARAMETER;
                if (subfunc == H_VPA_REG_VPA)
                        len = be16_to_cpu(((struct reg_vpa *)va)->length.hword);
                else
                        len = be32_to_cpu(((struct reg_vpa *)va)->length.word);
                kvmppc_unpin_guest_page(kvm, va, vpa, false);

                /* Check length */
                if (len > nb || len < sizeof(struct reg_vpa))
                        return H_PARAMETER;
        } else {
                vpa = 0;
                len = 0;
        }

        err = H_PARAMETER;
        vpap = NULL;
        spin_lock(&tvcpu->arch.vpa_update_lock);

        switch (subfunc) {
        case H_VPA_REG_VPA:             /* register VPA */
                /*
                 * The size of our lppaca is 1kB because of the way we align
                 * it for the guest to avoid crossing a 4kB boundary. We only
                 * use 640 bytes of the structure though, so we should accept
                 * clients that set a size of 640.
                 */
                BUILD_BUG_ON(sizeof(struct lppaca) != 640);
                if (len < sizeof(struct lppaca))
                        break;
                vpap = &tvcpu->arch.vpa;
                err = 0;
                break;

        case H_VPA_REG_DTL:             /* register DTL */
                if (len < sizeof(struct dtl_entry))
                        break;
                len -= len % sizeof(struct dtl_entry);

                /* Check that they have previously registered a VPA */
                err = H_RESOURCE;
                if (!vpa_is_registered(&tvcpu->arch.vpa))
                        break;

                vpap = &tvcpu->arch.dtl;
                err = 0;
                break;

        case H_VPA_REG_SLB:             /* register SLB shadow buffer */
                /* Check that they have previously registered a VPA */
                err = H_RESOURCE;
                if (!vpa_is_registered(&tvcpu->arch.vpa))
                        break;

                vpap = &tvcpu->arch.slb_shadow;
                err = 0;
                break;

        case H_VPA_DEREG_VPA:           /* deregister VPA */
                /* Check they don't still have a DTL or SLB buf registered */
                err = H_RESOURCE;
                if (vpa_is_registered(&tvcpu->arch.dtl) ||
                    vpa_is_registered(&tvcpu->arch.slb_shadow))
                        break;

                vpap = &tvcpu->arch.vpa;
                err = 0;
                break;

        case H_VPA_DEREG_DTL:           /* deregister DTL */
                vpap = &tvcpu->arch.dtl;
                err = 0;
                break;

        case H_VPA_DEREG_SLB:           /* deregister SLB shadow buffer */
                vpap = &tvcpu->arch.slb_shadow;
                err = 0;
                break;
        }

        if (vpap) {
                vpap->next_gpa = vpa;
                vpap->len = len;
                vpap->update_pending = 1;
        }

        spin_unlock(&tvcpu->arch.vpa_update_lock);

        return err;
}

static void kvmppc_update_vpa(struct kvm_vcpu *vcpu, struct kvmppc_vpa *vpap)
{
        struct kvm *kvm = vcpu->kvm;
        void *va;
        unsigned long nb;
        unsigned long gpa;

        /*
         * We need to pin the page pointed to by vpap->next_gpa,
         * but we can't call kvmppc_pin_guest_page under the lock
         * as it does get_user_pages() and down_read().  So we
         * have to drop the lock, pin the page, then get the lock
         * again and check that a new area didn't get registered
         * in the meantime.
         */
        for (;;) {
                gpa = vpap->next_gpa;
                spin_unlock(&vcpu->arch.vpa_update_lock);
                va = NULL;
                nb = 0;
                if (gpa)
                        va = kvmppc_pin_guest_page(kvm, gpa, &nb);
                spin_lock(&vcpu->arch.vpa_update_lock);
                if (gpa == vpap->next_gpa)
                        break;
                /* sigh... unpin that one and try again */
                if (va)
                        kvmppc_unpin_guest_page(kvm, va, gpa, false);
        }

        vpap->update_pending = 0;
        if (va && nb < vpap->len) {
                /*
                 * If it's now too short, it must be that userspace
                 * has changed the mappings underlying guest memory,
                 * so unregister the region.
                 */
                kvmppc_unpin_guest_page(kvm, va, gpa, false);
                va = NULL;
        }
        if (vpap->pinned_addr)
                kvmppc_unpin_guest_page(kvm, vpap->pinned_addr, vpap->gpa,
                                        vpap->dirty);
        vpap->gpa = gpa;
        vpap->pinned_addr = va;
        vpap->dirty = false;
        if (va)
                vpap->pinned_end = va + vpap->len;
}

static void kvmppc_update_vpas(struct kvm_vcpu *vcpu)
{
        if (!(vcpu->arch.vpa.update_pending ||
              vcpu->arch.slb_shadow.update_pending ||
              vcpu->arch.dtl.update_pending))
                return;

        spin_lock(&vcpu->arch.vpa_update_lock);
        if (vcpu->arch.vpa.update_pending) {
                kvmppc_update_vpa(vcpu, &vcpu->arch.vpa);
                if (vcpu->arch.vpa.pinned_addr)
                        init_vpa(vcpu, vcpu->arch.vpa.pinned_addr);
        }
        if (vcpu->arch.dtl.update_pending) {
                kvmppc_update_vpa(vcpu, &vcpu->arch.dtl);
                vcpu->arch.dtl_ptr = vcpu->arch.dtl.pinned_addr;
                vcpu->arch.dtl_index = 0;
        }
        if (vcpu->arch.slb_shadow.update_pending)
                kvmppc_update_vpa(vcpu, &vcpu->arch.slb_shadow);
        spin_unlock(&vcpu->arch.vpa_update_lock);
}

/*
 * Return the accumulated stolen time for the vcore up until `now'.
 * The caller should hold the vcore lock.
 */
static u64 vcore_stolen_time(struct kvmppc_vcore *vc, u64 now)
{
        u64 p;
        unsigned long flags;

        spin_lock_irqsave(&vc->stoltb_lock, flags);
        p = vc->stolen_tb;
        if (vc->vcore_state != VCORE_INACTIVE &&
            vc->preempt_tb != TB_NIL)
                p += now - vc->preempt_tb;
        spin_unlock_irqrestore(&vc->stoltb_lock, flags);
        return p;
}

static void kvmppc_create_dtl_entry(struct kvm_vcpu *vcpu,
                                    struct kvmppc_vcore *vc)
{
        struct dtl_entry *dt;
        struct lppaca *vpa;
        unsigned long stolen;
        unsigned long core_stolen;
        u64 now;
        unsigned long flags;

        dt = vcpu->arch.dtl_ptr;
        vpa = vcpu->arch.vpa.pinned_addr;
        now = mftb();
        core_stolen = vcore_stolen_time(vc, now);
        stolen = core_stolen - vcpu->arch.stolen_logged;
        vcpu->arch.stolen_logged = core_stolen;
        spin_lock_irqsave(&vcpu->arch.tbacct_lock, flags);
        stolen += vcpu->arch.busy_stolen;
        vcpu->arch.busy_stolen = 0;
        spin_unlock_irqrestore(&vcpu->arch.tbacct_lock, flags);
        if (!dt || !vpa)
                return;
        memset(dt, 0, sizeof(struct dtl_entry));
        dt->dispatch_reason = 7;
        dt->processor_id = cpu_to_be16(vc->pcpu + vcpu->arch.ptid);
        dt->timebase = cpu_to_be64(now + vc->tb_offset);
        dt->enqueue_to_dispatch_time = cpu_to_be32(stolen);
        dt->srr0 = cpu_to_be64(kvmppc_get_pc(vcpu));
        dt->srr1 = cpu_to_be64(vcpu->arch.shregs.msr);
        ++dt;
        if (dt == vcpu->arch.dtl.pinned_end)
                dt = vcpu->arch.dtl.pinned_addr;
        vcpu->arch.dtl_ptr = dt;
        /* order writing *dt vs. writing vpa->dtl_idx */
        smp_wmb();
        vpa->dtl_idx = cpu_to_be64(++vcpu->arch.dtl_index);
        vcpu->arch.dtl.dirty = true;
}

/* See if there is a doorbell interrupt pending for a vcpu */
static bool kvmppc_doorbell_pending(struct kvm_vcpu *vcpu)
{
        int thr;
        struct kvmppc_vcore *vc;

        if (vcpu->arch.doorbell_request)
                return true;
        /*
         * Ensure that the read of vcore->dpdes comes after the read
         * of vcpu->doorbell_request.  This barrier matches the
         * smp_wmb() in kvmppc_guest_entry_inject().
         */
        smp_rmb();
        vc = vcpu->arch.vcore;
        thr = vcpu->vcpu_id - vc->first_vcpuid;
        return !!(vc->dpdes & (1 << thr));
}

static bool kvmppc_power8_compatible(struct kvm_vcpu *vcpu)
{
        if (vcpu->arch.vcore->arch_compat >= PVR_ARCH_207)
                return true;
        if ((!vcpu->arch.vcore->arch_compat) &&
            cpu_has_feature(CPU_FTR_ARCH_207S))
                return true;
        return false;
}

static int kvmppc_h_set_mode(struct kvm_vcpu *vcpu, unsigned long mflags,
                             unsigned long resource, unsigned long value1,
                             unsigned long value2)
{
        switch (resource) {
        case H_SET_MODE_RESOURCE_SET_CIABR:
                if (!kvmppc_power8_compatible(vcpu))
                        return H_P2;
                if (value2)
                        return H_P4;
                if (mflags)
                        return H_UNSUPPORTED_FLAG_START;
                /* Guests can't breakpoint the hypervisor */
                if ((value1 & CIABR_PRIV) == CIABR_PRIV_HYPER)
                        return H_P3;
                vcpu->arch.ciabr  = value1;
                return H_SUCCESS;
        case H_SET_MODE_RESOURCE_SET_DAWR0:
                if (!kvmppc_power8_compatible(vcpu))
                        return H_P2;
                if (!ppc_breakpoint_available())
                        return H_P2;
                if (mflags)
                        return H_UNSUPPORTED_FLAG_START;
                if (value2 & DABRX_HYP)
                        return H_P4;
                vcpu->arch.dawr  = value1;
                vcpu->arch.dawrx = value2;
                return H_SUCCESS;
        case H_SET_MODE_RESOURCE_ADDR_TRANS_MODE:
                /*
                 * KVM does not support mflags=2 (AIL=2) and AIL=1 is reserved.
                 * Keep this in synch with kvmppc_filter_guest_lpcr_hv.
                 */
                if (mflags != 0 && mflags != 3)
                        return H_UNSUPPORTED_FLAG_START;
                return H_TOO_HARD;
        default:
                return H_TOO_HARD;
        }
}

/* Copy guest memory in place - must reside within a single memslot */
static int kvmppc_copy_guest(struct kvm *kvm, gpa_t to, gpa_t from,
                                  unsigned long len)
{
        struct kvm_memory_slot *to_memslot = NULL;
        struct kvm_memory_slot *from_memslot = NULL;
        unsigned long to_addr, from_addr;
        int r;

        /* Get HPA for from address */
        from_memslot = gfn_to_memslot(kvm, from >> PAGE_SHIFT);
        if (!from_memslot)
                return -EFAULT;
        if ((from + len) >= ((from_memslot->base_gfn + from_memslot->npages)
                             << PAGE_SHIFT))
                return -EINVAL;
        from_addr = gfn_to_hva_memslot(from_memslot, from >> PAGE_SHIFT);
        if (kvm_is_error_hva(from_addr))
                return -EFAULT;
        from_addr |= (from & (PAGE_SIZE - 1));

        /* Get HPA for to address */
        to_memslot = gfn_to_memslot(kvm, to >> PAGE_SHIFT);
        if (!to_memslot)
                return -EFAULT;
        if ((to + len) >= ((to_memslot->base_gfn + to_memslot->npages)
                           << PAGE_SHIFT))
                return -EINVAL;
        to_addr = gfn_to_hva_memslot(to_memslot, to >> PAGE_SHIFT);
        if (kvm_is_error_hva(to_addr))
                return -EFAULT;
        to_addr |= (to & (PAGE_SIZE - 1));

        /* Perform copy */
        r = raw_copy_in_user((void __user *)to_addr, (void __user *)from_addr,
                             len);
        if (r)
                return -EFAULT;
        mark_page_dirty(kvm, to >> PAGE_SHIFT);
        return 0;
}

static long kvmppc_h_page_init(struct kvm_vcpu *vcpu, unsigned long flags,
                               unsigned long dest, unsigned long src)
{
        u64 pg_sz = SZ_4K;              /* 4K page size */
        u64 pg_mask = SZ_4K - 1;
        int ret;

        /* Check for invalid flags (H_PAGE_SET_LOANED covers all CMO flags) */
        if (flags & ~(H_ICACHE_INVALIDATE | H_ICACHE_SYNCHRONIZE |
                      H_ZERO_PAGE | H_COPY_PAGE | H_PAGE_SET_LOANED))
                return H_PARAMETER;

        /* dest (and src if copy_page flag set) must be page aligned */
        if ((dest & pg_mask) || ((flags & H_COPY_PAGE) && (src & pg_mask)))
                return H_PARAMETER;

        /* zero and/or copy the page as determined by the flags */
        if (flags & H_COPY_PAGE) {
                ret = kvmppc_copy_guest(vcpu->kvm, dest, src, pg_sz);
                if (ret < 0)
                        return H_PARAMETER;
        } else if (flags & H_ZERO_PAGE) {
                ret = kvm_clear_guest(vcpu->kvm, dest, pg_sz);
                if (ret < 0)
                        return H_PARAMETER;
        }

        /* We can ignore the remaining flags */

        return H_SUCCESS;
}

static int kvm_arch_vcpu_yield_to(struct kvm_vcpu *target)
{
        struct kvmppc_vcore *vcore = target->arch.vcore;

        /*
         * We expect to have been called by the real mode handler
         * (kvmppc_rm_h_confer()) which would have directly returned
         * H_SUCCESS if the source vcore wasn't idle (e.g. if it may
         * have useful work to do and should not confer) so we don't
         * recheck that here.
         */

        spin_lock(&vcore->lock);
        if (target->arch.state == KVMPPC_VCPU_RUNNABLE &&
            vcore->vcore_state != VCORE_INACTIVE &&
            vcore->runner)
                target = vcore->runner;
        spin_unlock(&vcore->lock);

        return kvm_vcpu_yield_to(target);
}

static int kvmppc_get_yield_count(struct kvm_vcpu *vcpu)
{
        int yield_count = 0;
        struct lppaca *lppaca;

        spin_lock(&vcpu->arch.vpa_update_lock);
        lppaca = (struct lppaca *)vcpu->arch.vpa.pinned_addr;
        if (lppaca)
                yield_count = be32_to_cpu(lppaca->yield_count);
        spin_unlock(&vcpu->arch.vpa_update_lock);
        return yield_count;
}

int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu)
{
        unsigned long req = kvmppc_get_gpr(vcpu, 3);
        unsigned long target, ret = H_SUCCESS;
        int yield_count;
        struct kvm_vcpu *tvcpu;
        int idx, rc;

        if (req <= MAX_HCALL_OPCODE &&
            !test_bit(req/4, vcpu->kvm->arch.enabled_hcalls))
                return RESUME_HOST;

        switch (req) {
        case H_CEDE:
                break;
        case H_PROD:
                target = kvmppc_get_gpr(vcpu, 4);
                tvcpu = kvmppc_find_vcpu(vcpu->kvm, target);
                if (!tvcpu) {
                        ret = H_PARAMETER;
                        break;
                }
                tvcpu->arch.prodded = 1;
                smp_mb();
                if (tvcpu->arch.ceded)
                        kvmppc_fast_vcpu_kick_hv(tvcpu);
                break;
        case H_CONFER:
                target = kvmppc_get_gpr(vcpu, 4);
                if (target == -1)
                        break;
                tvcpu = kvmppc_find_vcpu(vcpu->kvm, target);
                if (!tvcpu) {
                        ret = H_PARAMETER;
                        break;
                }
                yield_count = kvmppc_get_gpr(vcpu, 5);
                if (kvmppc_get_yield_count(tvcpu) != yield_count)
                        break;
                kvm_arch_vcpu_yield_to(tvcpu);
                break;
        case H_REGISTER_VPA:
                ret = do_h_register_vpa(vcpu, kvmppc_get_gpr(vcpu, 4),
                                        kvmppc_get_gpr(vcpu, 5),
                                        kvmppc_get_gpr(vcpu, 6));
                break;
        case H_RTAS:
                if (list_empty(&vcpu->kvm->arch.rtas_tokens))
                        return RESUME_HOST;

                idx = srcu_read_lock(&vcpu->kvm->srcu);
                rc = kvmppc_rtas_hcall(vcpu);
                srcu_read_unlock(&vcpu->kvm->srcu, idx);

                if (rc == -ENOENT)
                        return RESUME_HOST;
                else if (rc == 0)
                        break;

                /* Send the error out to userspace via KVM_RUN */
                return rc;
        case H_LOGICAL_CI_LOAD:
                ret = kvmppc_h_logical_ci_load(vcpu);
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_LOGICAL_CI_STORE:
                ret = kvmppc_h_logical_ci_store(vcpu);
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_SET_MODE:
                ret = kvmppc_h_set_mode(vcpu, kvmppc_get_gpr(vcpu, 4),
                                        kvmppc_get_gpr(vcpu, 5),
                                        kvmppc_get_gpr(vcpu, 6),
                                        kvmppc_get_gpr(vcpu, 7));
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_XIRR:
        case H_CPPR:
        case H_EOI:
        case H_IPI:
        case H_IPOLL:
        case H_XIRR_X:
                if (kvmppc_xics_enabled(vcpu)) {

                        if (xics_on_xive()) {
                                ret = H_NOT_AVAILABLE;
                                return RESUME_GUEST;
                        }
                        ret = kvmppc_xics_hcall(vcpu, req);
                        break;
                }
                return RESUME_HOST;
        case H_SET_DABR:
                ret = kvmppc_h_set_dabr(vcpu, kvmppc_get_gpr(vcpu, 4));
                break;
        case H_SET_XDABR:
                ret = kvmppc_h_set_xdabr(vcpu, kvmppc_get_gpr(vcpu, 4),
                                                kvmppc_get_gpr(vcpu, 5));
                break;
#ifdef CONFIG_SPAPR_TCE_IOMMU
        case H_GET_TCE:
                ret = kvmppc_h_get_tce(vcpu, kvmppc_get_gpr(vcpu, 4),
                                                kvmppc_get_gpr(vcpu, 5));
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_PUT_TCE:
                ret = kvmppc_h_put_tce(vcpu, kvmppc_get_gpr(vcpu, 4),
                                                kvmppc_get_gpr(vcpu, 5),
                                                kvmppc_get_gpr(vcpu, 6));
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_PUT_TCE_INDIRECT:
                ret = kvmppc_h_put_tce_indirect(vcpu, kvmppc_get_gpr(vcpu, 4),
                                                kvmppc_get_gpr(vcpu, 5),
                                                kvmppc_get_gpr(vcpu, 6),
                                                kvmppc_get_gpr(vcpu, 7));
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
        case H_STUFF_TCE:
                ret = kvmppc_h_stuff_tce(vcpu, kvmppc_get_gpr(vcpu, 4),
                                                kvmppc_get_gpr(vcpu, 5),
                                                kvmppc_get_gpr(vcpu, 6),
                                                kvmppc_get_gpr(vcpu, 7));
                if (ret == H_TOO_HARD)
                        return RESUME_HOST;
                break;
#endif
        case H_RANDOM:
                if (!powernv_get_random_long(&vcpu->arch.regs.gpr[4]))
                        ret = H_HARDWARE;
                break;

        case H_SET_PARTITION_TABLE:
                ret = H_FUNCTION;
                if (nesting_enabled(vcpu->kvm))
                        ret = kvmhv_set_partition_table(vcpu);
                break;
        case H_ENTER_NESTED:
                ret = H_FUNCTION;
                if (!nesting_enabled(vcpu->kvm))
                        break;
                ret = kvmhv_enter_nested_guest(vcpu);
                if (ret == H_INTERRUPT) {
                        kvmppc_set_gpr(vcpu, 3, 0);
                        vcpu->arch.hcall_needed = 0;
                        return -EINTR;
                } else if (ret == H_TOO_HARD) {
                        kvmppc_set_gpr(vcpu, 3, 0);
                        vcpu->arch.hcall_needed = 0;
                        return RESUME_HOST;
                }
                break;
        case H_TLB_INVALIDATE:
                ret = H_FUNCTION;
                if (nesting_enabled(vcpu->kvm))
                        ret = kvmhv_do_nested_tlbie(vcpu);
                break;
        case H_COPY_TOFROM_GUEST:
                ret = H_FUNCTION;
                if (nesting_enabled(vcpu->kvm))
                        ret = kvmhv_copy_tofrom_guest_nested(vcpu);
                break;
        case H_PAGE_INIT:
                ret = kvmppc_h_page_init(vcpu, kvmppc_get_gpr(vcpu, 4),
                                         kvmppc_get_gpr(vcpu, 5),
                                         kvmppc_get_gpr(vcpu, 6));
                break;
        case H_SVM_PAGE_IN:
                ret = H_UNSUPPORTED;
                if (kvmppc_get_srr1(vcpu) & MSR_S)
                        ret = kvmppc_h_svm_page_in(vcpu->kvm,
                                                   kvmppc_get_gpr(vcpu, 4),
                                                   kvmppc_get_gpr(vcpu, 5),
                                                   kvmppc_get_gpr(vcpu, 6));
                break;
        case H_SVM_PAGE_OUT:
                ret = H_UNSUPPORTED;
                if (kvmppc_get_srr1(vcpu) & MSR_S)
                        ret = kvmppc_h_svm_page_out(vcpu->kvm,
                                                    kvmppc_get_gpr(vcpu, 4),
                                                    kvmppc_get_gpr(vcpu, 5),
                                                    kvmppc_get_gpr(vcpu, 6));
                break;
        case H_SVM_INIT_START:
                ret = H_UNSUPPORTED;
                if (kvmppc_get_srr1(vcpu) & MSR_S)
                        ret = kvmppc_h_svm_init_start(vcpu->kvm);
                break;
        case H_SVM_INIT_DONE:
                ret = H_UNSUPPORTED;
                if (kvmppc_get_srr1(vcpu) & MSR_S)
                        ret = kvmppc_h_svm_init_done(vcpu->kvm);
                break;
        case H_SVM_INIT_ABORT:
                /*
                 * Even if that call is made by the Ultravisor, the SSR1 value
                 * is the guest context one, with the secure bit clear as it has
                 * not yet been secured. So we can't check it here.
                 * Instead the kvm->arch.secure_guest flag is checked inside
                 * kvmppc_h_svm_init_abort().
                 */
                ret = kvmppc_h_svm_init_abort(vcpu->kvm);
                break;

        default:
                return RESUME_HOST;
        }
        kvmppc_set_gpr(vcpu, 3, ret);
        vcpu->arch.hcall_needed = 0;
        return RESUME_GUEST;
}

/*
 * Handle H_CEDE in the nested virtualization case where we haven't
 * called the real-mode hcall handlers in book3s_hv_rmhandlers.S.
 * This has to be done early, not in kvmppc_pseries_do_hcall(), so
 * that the cede logic in kvmppc_run_single_vcpu() works properly.
 */
static void kvmppc_nested_cede(struct kvm_vcpu *vcpu)
{
        vcpu->arch.shregs.msr |= MSR_EE;
        vcpu->arch.ceded = 1;
        smp_mb();
        if (vcpu->arch.prodded) {
                vcpu->arch.prodded = 0;
                smp_mb();
                vcpu->arch.ceded = 0;
        }
}

static int kvmppc_hcall_impl_hv(unsigned long cmd)
{
        switch (cmd) {
        case H_CEDE:
        case H_PROD:
        case H_CONFER:
        case H_REGISTER_VPA:
        case H_SET_MODE:
        case H_LOGICAL_CI_LOAD:
        case H_LOGICAL_CI_STORE:
#ifdef CONFIG_KVM_XICS
        case H_XIRR:
        case H_CPPR:
        case H_EOI:
        case H_IPI:
        case H_IPOLL:
        case H_XIRR_X:
#endif
        case H_PAGE_INIT:
                return 1;
        }

        /* See if it's in the real-mode table */
        return kvmppc_hcall_impl_hv_realmode(cmd);
}

static int kvmppc_emulate_debug_inst(struct kvm_vcpu *vcpu)
{
        u32 last_inst;

        if (kvmppc_get_last_inst(vcpu, INST_GENERIC, &last_inst) !=
                                        EMULATE_DONE) {
                /*
                 * Fetch failed, so return to guest and
                 * try executing it again.
                 */
                return RESUME_GUEST;
        }

        if (last_inst == KVMPPC_INST_SW_BREAKPOINT) {
                vcpu->run->exit_reason = KVM_EXIT_DEBUG;
                vcpu->run->debug.arch.address = kvmppc_get_pc(vcpu);
                return RESUME_HOST;
        } else {
                kvmppc_core_queue_program(vcpu, SRR1_PROGILL);
                return RESUME_GUEST;
        }
}

static void do_nothing(void *x)
{
}

static unsigned long kvmppc_read_dpdes(struct kvm_vcpu *vcpu)
{
        int thr, cpu, pcpu, nthreads;
        struct kvm_vcpu *v;
        unsigned long dpdes;

        nthreads = vcpu->kvm->arch.emul_smt_mode;
        dpdes = 0;
        cpu = vcpu->vcpu_id & ~(nthreads - 1);
        for (thr = 0; thr < nthreads; ++thr, ++cpu) {
                v = kvmppc_find_vcpu(vcpu->kvm, cpu);
                if (!v)
                        continue;
                /*
                 * If the vcpu is currently running on a physical cpu thread,
                 * interrupt it in order to pull it out of the guest briefly,
                 * which will update its vcore->dpdes value.
                 */
                pcpu = READ_ONCE(v->cpu);
                if (pcpu >= 0)
                        smp_call_function_single(pcpu, do_nothing, NULL, 1);
                if (kvmppc_doorbell_pending(v))
                        dpdes |= 1 << thr;
        }
        return dpdes;
}

/*
 * On POWER9, emulate doorbell-related instructions in order to
 * give the guest the illusion of running on a multi-threaded core.
 * The instructions emulated are msgsndp, msgclrp, mfspr TIR,
 * and mfspr DPDES.
 */
static int kvmppc_emulate_doorbell_instr(struct kvm_vcpu *vcpu)
{
        u32 inst, rb, thr;
        unsigned long arg;
        struct kvm *kvm = vcpu->kvm;
        struct kvm_vcpu *tvcpu;

        if (kvmppc_get_last_inst(vcpu, INST_GENERIC, &inst) != EMULATE_DONE)
                return RESUME_GUEST;
        if (get_op(inst) != 31)
                return EMULATE_FAIL;
        rb = get_rb(inst);
        thr = vcpu->vcpu_id & (kvm->arch.emul_smt_mode - 1);
        switch (get_xop(inst)) {
        case OP_31_XOP_MSGSNDP:
                arg = kvmppc_get_gpr(vcpu, rb);
                if (((arg >> 27) & 0x1f) != PPC_DBELL_SERVER)
                        break;
                arg &= 0x7f;
                if (arg >= kvm->arch.emul_smt_mode)
                        break;
                tvcpu = kvmppc_find_vcpu(kvm, vcpu->vcpu_id - thr + arg);
                if (!tvcpu)
                        break;
                if (!tvcpu->arch.doorbell_request) {
                        tvcpu->arch.doorbell_request = 1;
                        kvmppc_fast_vcpu_kick_hv(tvcpu);
                }
                break;
        case OP_31_XOP_MSGCLRP:
                arg = kvmppc_get_gpr(vcpu, rb);
                if (((arg >> 27) & 0x1f) != PPC_DBELL_SERVER)
                        break;
                vcpu->arch.vcore->dpdes = 0;
                vcpu->arch.doorbell_request = 0;
                break;
        case OP_31_XOP_MFSPR:
                switch (get_sprn(inst)) {
                case SPRN_TIR:
                        arg = thr;
                        break;
                case SPRN_DPDES:
                        arg = kvmppc_read_dpdes(vcpu);
                        break;
                default:
                        return EMULATE_FAIL;
                }
                kvmppc_set_gpr(vcpu, get_rt(inst), arg);
                break;
        default:
                return EMULATE_FAIL;
        }
        kvmppc_set_pc(vcpu, kvmppc_get_pc(vcpu) + 4);
        return RESUME_GUEST;
}

static int kvmppc_handle_exit_hv(struct kvm_vcpu *vcpu,
                                 struct task_struct *tsk)
{
        struct kvm_run *run = vcpu->run;
        int r = RESUME_HOST;

        vcpu->stat.sum_exits++;

        /*
         * This can happen if an interrupt occurs in the last stages
         * of guest entry or the first stages of guest exit (i.e. after
         * setting paca->kvm_hstate.in_guest to KVM_GUEST_MODE_GUEST_HV
         * and before setting it to KVM_GUEST_MODE_HOST_HV).
         * That can happen due to a bug, or due to a machine check
         * occurring at just the wrong time.
         */
        if (vcpu->arch.shregs.msr & MSR_HV) {
                printk(KERN_EMERG "KVM trap in HV mode!\n");
                printk(KERN_EMERG "trap=0x%x | pc=0x%lx | msr=0x%llx\n",
                        vcpu->arch.trap, kvmppc_get_pc(vcpu),
                        vcpu->arch.shregs.msr);
                kvmppc_dump_regs(vcpu);
                run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
                run->hw.hardware_exit_reason = vcpu->arch.trap;
                return RESUME_HOST;
        }
        run->exit_reason = KVM_EXIT_UNKNOWN;
        run->ready_for_interrupt_injection = 1;
        switch (vcpu->arch.trap) {
        /* We're good on these - the host merely wanted to get our attention */
        case BOOK3S_INTERRUPT_HV_DECREMENTER:
                vcpu->stat.dec_exits++;
                r = RESUME_GUEST;
                break;
        case BOOK3S_INTERRUPT_EXTERNAL:
        case BOOK3S_INTERRUPT_H_DOORBELL:
        case BOOK3S_INTERRUPT_H_VIRT:
                vcpu->stat.ext_intr_exits++;
                r = RESUME_GUEST;
                break;
        /* SR/HMI/PMI are HV interrupts that host has handled. Resume guest.*/
        case BOOK3S_INTERRUPT_HMI:
        case BOOK3S_INTERRUPT_PERFMON:
        case BOOK3S_INTERRUPT_SYSTEM_RESET:
                r = RESUME_GUEST;
                break;
        case BOOK3S_INTERRUPT_MACHINE_CHECK: {
                static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
                                              DEFAULT_RATELIMIT_BURST);
                /*
                 * Print the MCE event to host console. Ratelimit so the guest
                 * can't flood the host log.
                 */
                if (__ratelimit(&rs))
                        machine_check_print_event_info(&vcpu->arch.mce_evt,false, true);

                /*
                 * If the guest can do FWNMI, exit to userspace so it can
                 * deliver a FWNMI to the guest.
                 * Otherwise we synthesize a machine check for the guest
                 * so that it knows that the machine check occurred.
                 */
                if (!vcpu->kvm->arch.fwnmi_enabled) {
                        ulong flags = vcpu->arch.shregs.msr & 0x083c0000;
                        kvmppc_core_queue_machine_check(vcpu, flags);
                        r = RESUME_GUEST;
                        break;
                }

                /* Exit to guest with KVM_EXIT_NMI as exit reason */
                run->exit_reason = KVM_EXIT_NMI;
                run->hw.hardware_exit_reason = vcpu->arch.trap;
                /* Clear out the old NMI status from run->flags */
                run->flags &= ~KVM_RUN_PPC_NMI_DISP_MASK;
                /* Now set the NMI status */
                if (vcpu->arch.mce_evt.disposition == MCE_DISPOSITION_RECOVERED)
                        run->flags |= KVM_RUN_PPC_NMI_DISP_FULLY_RECOV;
                else
                        run->flags |= KVM_RUN_PPC_NMI_DISP_NOT_RECOV;

                r = RESUME_HOST;
                break;
        }
        case BOOK3S_INTERRUPT_PROGRAM:
        {
                ulong flags;
                /*
                 * Normally program interrupts are delivered directly
                 * to the guest by the hardware, but we can get here
                 * as a result of a hypervisor emulation interrupt
                 * (e40) getting turned into a 700 by BML RTAS.
                 */
                flags = vcpu->arch.shregs.msr & 0x1f0000ull;
                kvmppc_core_queue_program(vcpu, flags);
                r = RESUME_GUEST;
                break;
        }
        case BOOK3S_INTERRUPT_SYSCALL:
        {
                /* hcall - punt to userspace */
                int i;

                /* hypercall with MSR_PR has already been handled in rmode,
                 * and never reaches here.
                 */

                run->papr_hcall.nr = kvmppc_get_gpr(vcpu, 3);
                for (i = 0; i < 9; ++i)
                        run->papr_hcall.args[i] = kvmppc_get_gpr(vcpu, 4 + i);
                run->exit_reason = KVM_EXIT_PAPR_HCALL;
                vcpu->arch.hcall_needed = 1;
                r = RESUME_HOST;
                break;
        }
        /*
         * We get these next two if the guest accesses a page which it thinks
         * it has mapped but which is not actually present, either because
         * it is for an emulated I/O device or because the corresonding
         * host page has been paged out.  Any other HDSI/HISI interrupts
         * have been handled already.
         */
        case BOOK3S_INTERRUPT_H_DATA_STORAGE:
                r = RESUME_PAGE_FAULT;
                break;
        case BOOK3S_INTERRUPT_H_INST_STORAGE:
                vcpu->arch.fault_dar = kvmppc_get_pc(vcpu);
                vcpu->arch.fault_dsisr = vcpu->arch.shregs.msr &
                        DSISR_SRR1_MATCH_64S;
                if (vcpu->arch.shregs.msr & HSRR1_HISI_WRITE)
                        vcpu->arch.fault_dsisr |= DSISR_ISSTORE;
                r = RESUME_PAGE_FAULT;
                break;
        /*
         * This occurs if the guest executes an illegal instruction.
         * If the guest debug is disabled, generate a program interrupt
         * to the guest. If guest debug is enabled, we need to check
         * whether the instruction is a software breakpoint instruction.
         * Accordingly return to Guest or Host.
         */
        case BOOK3S_INTERRUPT_H_EMUL_ASSIST:
                if (vcpu->arch.emul_inst != KVM_INST_FETCH_FAILED)
                        vcpu->arch.last_inst = kvmppc_need_byteswap(vcpu) ?
                                swab32(vcpu->arch.emul_inst) :
                                vcpu->arch.emul_inst;
                if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) {
                        r = kvmppc_emulate_debug_inst(vcpu);
                } else {
                        kvmppc_core_queue_program(vcpu, SRR1_PROGILL);
                        r = RESUME_GUEST;
                }
                break;
        /*
         * This occurs if the guest (kernel or userspace), does something that
         * is prohibited by HFSCR.
         * On POWER9, this could be a doorbell instruction that we need
         * to emulate.
         * Otherwise, we just generate a program interrupt to the guest.
         */
        case BOOK3S_INTERRUPT_H_FAC_UNAVAIL:
                r = EMULATE_FAIL;
                if (((vcpu->arch.hfscr >> 56) == FSCR_MSGP_LG) &&
                    cpu_has_feature(CPU_FTR_ARCH_300))
                        r = kvmppc_emulate_doorbell_instr(vcpu);
                if (r == EMULATE_FAIL) {
                        kvmppc_core_queue_program(vcpu, SRR1_PROGILL);
                        r = RESUME_GUEST;
                }
                break;

#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
        case BOOK3S_INTERRUPT_HV_SOFTPATCH:
                /*
                 * This occurs for various TM-related instructions that
                 * we need to emulate on POWER9 DD2.2.  We have already
                 * handled the cases where the guest was in real-suspend
                 * mode and was transitioning to transactional state.
                 */
                r = kvmhv_p9_tm_emulation(vcpu);
                break;
#endif

        case BOOK3S_INTERRUPT_HV_RM_HARD:
                r = RESUME_PASSTHROUGH;
                break;
        default:
                kvmppc_dump_regs(vcpu);
                printk(KERN_EMERG "trap=0x%x | pc=0x%lx | msr=0x%llx\n",
                        vcpu->arch.trap, kvmppc_get_pc(vcpu),
                        vcpu->arch.shregs.msr);
                run->hw.hardware_exit_reason = vcpu->arch.trap;
                r = RESUME_HOST;
                break;
        }

        return r;
}

static int kvmppc_handle_nested_exit(struct kvm_vcpu *vcpu)
{
        int r;
        int srcu_idx;

        vcpu->stat.sum_exits++;

        /*
         * This can happen if an interrupt occurs in the last stages
         * of guest entry or the first stages of guest exit (i.e. after
         * setting paca->kvm_hstate.in_guest to KVM_GUEST_MODE_GUEST_HV
         * and before setting it to KVM_GUEST_MODE_HOST_HV).
         * That can happen due to a bug, or due to a machine check
         * occurring at just the wrong time.
         */
        if (vcpu->arch.shregs.msr & MSR_HV) {
                pr_emerg("KVM trap in HV mode while nested!\n");
                pr_emerg("trap=0x%x | pc=0x%lx | msr=0x%llx\n",
                         vcpu->arch.trap, kvmppc_get_pc(vcpu),
                         vcpu->arch.shregs.msr);
                kvmppc_dump_regs(vcpu);
                return RESUME_HOST;
        }
        switch (vcpu->arch.trap) {
        /* We're good on these - the host merely wanted to get our attention */
        case BOOK3S_INTERRUPT_HV_DECREMENTER:
                vcpu->stat.dec_exits++;
                r = RESUME_GUEST;
                break;
        case BOOK3S_INTERRUPT_EXTERNAL:
                vcpu->stat.ext_intr_exits++;
                r = RESUME_HOST;
                break;
        case BOOK3S_INTERRUPT_H_DOORBELL:
        case BOOK3S_INTERRUPT_H_VIRT:
                vcpu->stat.ext_intr_exits++;
                r = RESUME_GUEST;
                break;
        /* SR/HMI/PMI are HV interrupts that host has handled. Resume guest.*/
        case BOOK3S_INTERRUPT_HMI:
        case BOOK3S_INTERRUPT_PERFMON:
        case BOOK3S_INTERRUPT_SYSTEM_RESET:
                r = RESUME_GUEST;
                break;
        case BOOK3S_INTERRUPT_MACHINE_CHECK:
        {
                static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
                                              DEFAULT_RATELIMIT_BURST);
                /* Pass the machine check to the L1 guest */
                r = RESUME_HOST;
                /* Print the MCE event to host console. */
                if (__ratelimit(&rs))
                        machine_check_print_event_info(&vcpu->arch.mce_evt, false, true);
                break;
        }
        /*
         * We get these next two if the guest accesses a page which it thinks
         * it has mapped but which is not actually present, either because
         * it is for an emulated I/O device or because the corresonding
         * host page has been paged out.
         */
        case BOOK3S_INTERRUPT_H_DATA_STORAGE:
                srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
                r = kvmhv_nested_page_fault(vcpu);
                srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx);
                break;
        case BOOK3S_INTERRUPT_H_INST_STORAGE:
                vcpu->arch.fault_dar = kvmppc_get_pc(vcpu);
                vcpu->arch.fault_dsisr = kvmppc_get_msr(vcpu) &
                                         DSISR_SRR1_MATCH_64S;
                if (vcpu->arch.shregs.msr & HSRR1_HISI_WRITE)
                        vcpu->arch.fault_dsisr |= DSISR_ISSTORE;
                srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
                r = kvmhv_nested_page_fault(vcpu);
                srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx);
                break;

#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
        case BOOK3S_INTERRUPT_HV_SOFTPATCH:
                /*
                 * This occurs for various TM-related instructions that
                 * we need to emulate on POWER9 DD2.2.  We have already
                 * handled the cases where the guest was in real-suspend
                 * mode and was transitioning to transactional state.
                 */
                r = kvmhv_p9_tm_emulation(vcpu);
                break;
#endif

        case BOOK3S_INTERRUPT_HV_RM_HARD:
                vcpu->arch.trap = 0;
                r = RESUME_GUEST;
                if (!xics_on_xive())
                        kvmppc_xics_rm_complete(vcpu, 0);
                break;
        default:
                r = RESUME_HOST;
                break;
        }

        return r;
}

static int kvm_arch_vcpu_ioctl_get_sregs_hv(struct kvm_vcpu *vcpu,
                                            struct kvm_sregs *sregs)
{
        int i;

        memset(sregs, 0, sizeof(struct kvm_sregs));
        sregs->pvr = vcpu->arch.pvr;
        for (i = 0; i < vcpu->arch.slb_max; i++) {
                sregs->u.s.ppc64.slb[i].slbe = vcpu->arch.slb[i].orige;
                sregs->u.s.ppc64.slb[i].slbv = vcpu->arch.slb[i].origv;
        }

        return 0;
}

static int kvm_arch_vcpu_ioctl_set_sregs_hv(struct kvm_vcpu *vcpu,
                                            struct kvm_sregs *sregs)
{
        int i, j;

        /* Only accept the same PVR as the host's, since we can't spoof it */
        if (sregs->pvr != vcpu->arch.pvr)
                return -EINVAL;

        j = 0;
        for (i = 0; i < vcpu->arch.slb_nr; i++) {
                if (sregs->u.s.ppc64.slb[i].slbe & SLB_ESID_V) {
                        vcpu->arch.slb[j].orige = sregs->u.s.ppc64.slb[i].slbe;
                        vcpu->arch.slb[j].origv = sregs->u.s.ppc64.slb[i].slbv;
                        ++j;
                }
        }
        vcpu->arch.slb_max = j;

        return 0;
}

/*
 * Enforce limits on guest LPCR values based on hardware availability,
 * guest configuration, and possibly hypervisor support and security
 * concerns.
 */
unsigned long kvmppc_filter_lpcr_hv(struct kvm *kvm, unsigned long lpcr)
{
        /* LPCR_TC only applies to HPT guests */
        if (kvm_is_radix(kvm))
                lpcr &= ~LPCR_TC;

        /* On POWER8 and above, userspace can modify AIL */
        if (!cpu_has_feature(CPU_FTR_ARCH_207S))
                lpcr &= ~LPCR_AIL;
        if ((lpcr & LPCR_AIL) != LPCR_AIL_3)
                lpcr &= ~LPCR_AIL; /* LPCR[AIL]=1/2 is disallowed */

        /*
         * On POWER9, allow userspace to enable large decrementer for the
         * guest, whether or not the host has it enabled.
         */
        if (!cpu_has_feature(CPU_FTR_ARCH_300))
                lpcr &= ~LPCR_LD;

        return lpcr;
}

static void verify_lpcr(struct kvm *kvm, unsigned long lpcr)
{
        if (lpcr != kvmppc_filter_lpcr_hv(kvm, lpcr)) {
                WARN_ONCE(1, "lpcr 0x%lx differs from filtered 0x%lx\n",
                          lpcr, kvmppc_filter_lpcr_hv(kvm, lpcr));
        }
}

static void kvmppc_set_lpcr(struct kvm_vcpu *vcpu, u64 new_lpcr,
                bool preserve_top32)
{
        struct kvm *kvm = vcpu->kvm;
        struct kvmppc_vcore *vc = vcpu->arch.vcore;
        u64 mask;

        spin_lock(&vc->lock);

        /*
         * Userspace can only modify
         * DPFD (default prefetch depth), ILE (interrupt little-endian),
         * TC (translation control), AIL (alternate interrupt location),
         * LD (large decrementer).
         * These are subject to restrictions from kvmppc_filter_lcpr_hv().
         */
        mask = LPCR_DPFD | LPCR_ILE | LPCR_TC | LPCR_AIL | LPCR_LD;

        /* Broken 32-bit version of LPCR must not clear top bits */
        if (preserve_top32)
                mask &= 0xFFFFFFFF;

        new_lpcr = kvmppc_filter_lpcr_hv(kvm,
                        (vc->lpcr & ~mask) | (new_lpcr & mask));

        /*
         * If ILE (interrupt little-endian) has changed, update the
         * MSR_LE bit in the intr_msr for each vcpu in this vcore.
         */
        if ((new_lpcr & LPCR_ILE) != (vc->lpcr & LPCR_ILE)) {
                struct kvm_vcpu *vcpu;
                int i;

                kvm_for_each_vcpu(i, vcpu, kvm) {
                        if (vcpu->arch.vcore != vc)
                                continue;
                        if (new_lpcr & LPCR_ILE)
                                vcpu->arch.intr_msr |= MSR_LE;
                        else
                                vcpu->arch.intr_msr &= ~MSR_LE;
                }
        }

        vc->lpcr = new_lpcr;

        spin_unlock(&vc->lock);
}

static int kvmppc_get_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
                                 union kvmppc_one_reg *val)
{
        int r = 0;
        long int i;

        switch (id) {
        case KVM_REG_PPC_DEBUG_INST:
                *val = get_reg_val(id, KVMPPC_INST_SW_BREAKPOINT);
                break;
        case KVM_REG_PPC_HIOR:
                *val = get_reg_val(id, 0);
                break;
        case KVM_REG_PPC_DABR:
                *val = get_reg_val(id, vcpu->arch.dabr);
                break;
        case KVM_REG_PPC_DABRX:
                *val = get_reg_val(id, vcpu->arch.dabrx);
                break;
        case KVM_REG_PPC_DSCR:
                *val = get_reg_val(id, vcpu->arch.dscr);
                break;
        case KVM_REG_PPC_PURR:
                *val = get_reg_val(id, vcpu->arch.purr);
                break;
        case KVM_REG_PPC_SPURR:
                *val = get_reg_val(id, vcpu->arch.spurr);
                break;
        case KVM_REG_PPC_AMR:
                *val = get_reg_val(id, vcpu->arch.amr);
                break;
        case KVM_REG_PPC_UAMOR:
                *val = get_reg_val(id, vcpu->arch.uamor);
                break;
        case KVM_REG_PPC_MMCR0 ... KVM_REG_PPC_MMCR1:
                i = id - KVM_REG_PPC_MMCR0;
                *val = get_reg_val(id, vcpu->arch.mmcr[i]);
                break;
        case KVM_REG_PPC_MMCR2:
                *val = get_reg_val(id, vcpu->arch.mmcr[2]);
                break;
        case KVM_REG_PPC_MMCRA:
                *val = get_reg_val(id, vcpu->arch.mmcra);
                break;
        case KVM_REG_PPC_MMCRS:
                *val = get_reg_val(id, vcpu->arch.mmcrs);
                break;
        case KVM_REG_PPC_MMCR3:
                *val = get_reg_val(id, vcpu->arch.mmcr[3]);
                break;
        case KVM_REG_PPC_PMC1 ... KVM_REG_PPC_PMC8:
                i = id - KVM_REG_PPC_PMC1;
                *val = get_reg_val(id, vcpu->arch.pmc[i]);
                break;
        case KVM_REG_PPC_SPMC1 ... KVM_REG_PPC_SPMC2:
                i = id - KVM_REG_PPC_SPMC1;
                *val = get_reg_val(id, vcpu->arch.spmc[i]);
                break;
        case KVM_REG_PPC_SIAR:
                *val = get_reg_val(id, vcpu->arch.siar);
                break;
        case KVM_REG_PPC_SDAR:
                *val = get_reg_val(id, vcpu->arch.sdar);
                break;
        case KVM_REG_PPC_SIER:
                *val = get_reg_val(id, vcpu->arch.sier[0]);
                break;
        case KVM_REG_PPC_SIER2:
                *val = get_reg_val(id, vcpu->arch.sier[1]);
                break;
        case KVM_REG_PPC_SIER3:
                *val = get_reg_val(id, vcpu->arch.sier[2]);
                break;
        case KVM_REG_PPC_IAMR:
                *val = get_reg_val(id, vcpu->arch.iamr);
                break;
        case KVM_REG_PPC_PSPB:
                *val = get_reg_val(id, vcpu->arch.pspb);
                break;
        case KVM_REG_PPC_DPDES:
                /*
                 * On POWER9, where we are emulating msgsndp etc.,
                 * we return 1 bit for each vcpu, which can come from
                 * either vcore->dpdes or doorbell_request.
                 * On POWER8, doorbell_request is 0.
                 */
                *val = get_reg_val(id, vcpu->arch.vcore->dpdes |
                                   vcpu->arch.doorbell_request);
                break;
        case KVM_REG_PPC_VTB:
                *val = get_reg_val(id, vcpu->arch.vcore->vtb);
                break;
        case KVM_REG_PPC_DAWR:
                *val = get_reg_val(id, vcpu->arch.dawr);
                break;
        case KVM_REG_PPC_DAWRX:
                *val = get_reg_val(id, vcpu->arch.dawrx);
                break;
        case KVM_REG_PPC_CIABR:
                *val = get_reg_val(id, vcpu->arch.ciabr);
                break;
        case KVM_REG_PPC_CSIGR:
                *val = get_reg_val(id, vcpu->arch.csigr);
                break;
        case KVM_REG_PPC_TACR:
                *val = get_reg_val(id, vcpu->arch.tacr);
                break;
        case KVM_REG_PPC_TCSCR:
                *val = get_reg_val(id, vcpu->arch.tcscr);
                break;
        case KVM_REG_PPC_PID:
                *val = get_reg_val(id, vcpu->arch.pid);
                break;
        case KVM_REG_PPC_ACOP:
                *val = get_reg_val(id, vcpu->arch.acop);
                break;
        case KVM_REG_PPC_WORT:
                *val = get_reg_val(id, vcpu->arch.wort);
                break;
        case KVM_REG_PPC_TIDR:
                *val = get_reg_val(id, vcpu->arch.tid);
                break;
        case KVM_REG_PPC_PSSCR:
                *val = get_reg_val(id, vcpu->arch.psscr);
                break;
        case KVM_REG_PPC_VPA_ADDR:
                spin_lock(&vcpu->arch.vpa_update_lock);
                *val = get_reg_val(id, vcpu->arch.vpa.next_gpa);
                spin_unlock(&vcpu->arch.vpa_update_lock);
                break;
        case KVM_REG_PPC_VPA_SLB:
                spin_lock(&vcpu->arch.vpa_update_lock);
                val->vpaval.addr = vcpu->arch.slb_shadow.next_gpa;
                val->vpaval.length = vcpu->arch.slb_shadow.len;
                spin_unlock(&vcpu->arch.vpa_update_lock);
                break;
        case KVM_REG_PPC_VPA_DTL:
                spin_lock(&vcpu->arch.vpa_update_lock);
                val->vpaval.addr = vcpu->arch.dtl.next_gpa;
                val->vpaval.length = vcpu->arch.dtl.len;
                spin_unlock(&vcpu->arch.vpa_update_lock);
                break;
        case KVM_REG_PPC_TB_OFFSET:
                *val = get_reg_val(id, vcpu->arch.vcore->tb_offset);
                break;
        case KVM_REG_PPC_LPCR:
        case KVM_REG_PPC_LPCR_64:
                *val = get_reg_val(id, vcpu->arch.vcore->lpcr);
                break;
        case KVM_REG_PPC_PPR:
                *val = get_reg_val(id, vcpu->arch.ppr);
                break;
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
        case KVM_REG_PPC_TFHAR:
                *val = get_reg_val(id, vcpu->arch.tfhar);
                break;
        case KVM_REG_PPC_TFIAR:
                *val = get_reg_val(id, vcpu->arch.tfiar);
                break;
        case KVM_REG_PPC_TEXASR:
                *val = get_reg_val(id, vcpu->arch.texasr);
                break;
        case KVM_REG_PPC_TM_GPR0 ... KVM_REG_PPC_TM_GPR31:
                i = id - KVM_REG_PPC_TM_GPR0;
                *val = get_reg_val(id, vcpu->arch.gpr_tm[i]);
                break;
        case KVM_REG_PPC_TM_VSR0 ... KVM_REG_PPC_TM_VSR63:
        {
                int j;
                i = id - KVM_REG_PPC_TM_VSR0;
                if (i < 32)
                        for (j = 0; j < TS_FPRWIDTH; j++)
                                val->vsxval[j] = vcpu->arch.fp_tm.fpr[i][j];
                else {
                        if (cpu_has_feature(CPU_FTR_ALTIVEC))
                                val->vval = vcpu->arch.vr_tm.vr[i-32];
                        else
                                r = -ENXIO;
                }
                break;
        }
        case KVM_REG_PPC_TM_CR:
                *val = get_reg_val(id, vcpu->arch.cr_tm);
                break;
        case KVM_REG_PPC_TM_XER:
                *val = get_reg_val(id, vcpu->arch.xer_tm);
                break;
        case KVM_REG_PPC_TM_LR:
                *val = get_reg_val(id, vcpu->arch.lr_tm);
                break;
        case KVM_REG_PPC_TM_CTR:
                *val = get_reg_val(id, vcpu->arch.ctr_tm);
                break;
        case KVM_REG_PPC_TM_FPSCR:
                *val = get_reg_val(id, vcpu->arch.fp_tm.fpscr);
                break;
        case KVM_REG_PPC_TM_AMR:
                *val = get_reg_val(id, vcpu->arch.amr_tm);
                break;
        case KVM_REG_PPC_TM_PPR:
                *val = get_reg_val(id, vcpu->arch.ppr_tm);
                break;
        case KVM_REG_PPC_TM_VRSAVE:
                *val = get_reg_val(id, vcpu->arch.vrsave_tm);
                break;
        case KVM_REG_PPC_TM_VSCR:
                if (cpu_has_feature(CPU_FTR_ALTIVEC))
                        *val = get_reg_val(id, vcpu->arch.vr_tm.vscr.u[3]);
                else
                        r = -ENXIO;
                break;
        case KVM_REG_PPC_TM_DSCR:
                *val = get_reg_val(id, vcpu->arch.dscr_tm);
                break;
        case KVM_REG_PPC_TM_TAR:
                *val = get_reg_val(id, vcpu->arch.tar_tm);
                break;
#endif
        case KVM_REG_PPC_ARCH_COMPAT:
                *val = get_reg_val(id, vcpu->arch.vcore->arch_compat);
                break;
        case KVM_REG_PPC_DEC_EXPIRY:
                *val = get_reg_val(id, vcpu->arch.dec_expires +
                                   vcpu->arch.vcore->tb_offset);
                break;
        case KVM_REG_PPC_ONLINE:
                *val = get_reg_val(id, vcpu->arch.online);
                break;
        case KVM_REG_PPC_PTCR:
                *val = get_reg_val(id, vcpu->kvm->arch.l1_ptcr);
                break;
        default:
                r = -EINVAL;
                break;
        }

        return r;
}

static int kvmppc_set_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
                                 union kvmppc_one_reg *val)
{
        int r = 0;
        long int i;
        unsigned long addr, len;

        switch (id) {
        case KVM_REG_PPC_HIOR:
                /* Only allow this to be set to zero */
                if (set_reg_val(id, *val))
                        r = -EINVAL;
                break;
        case KVM_REG_PPC_DABR:
                vcpu->arch.dabr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_DABRX:
                vcpu->arch.dabrx = set_reg_val(id, *val) & ~DABRX_HYP;
                break;
        case KVM_REG_PPC_DSCR:
                vcpu->arch.dscr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_PURR:
                vcpu->arch.purr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SPURR:
                vcpu->arch.spurr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_AMR:
                vcpu->arch.amr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_UAMOR:
                vcpu->arch.uamor = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_MMCR0 ... KVM_REG_PPC_MMCR1:
                i = id - KVM_REG_PPC_MMCR0;
                vcpu->arch.mmcr[i] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_MMCR2:
                vcpu->arch.mmcr[2] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_MMCRA:
                vcpu->arch.mmcra = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_MMCRS:
                vcpu->arch.mmcrs = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_MMCR3:
                *val = get_reg_val(id, vcpu->arch.mmcr[3]);
                break;

        case KVM_REG_PPC_PMC1 ... KVM_REG_PPC_PMC8:
                i = id - KVM_REG_PPC_PMC1;
                vcpu->arch.pmc[i] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SPMC1 ... KVM_REG_PPC_SPMC2:
                i = id - KVM_REG_PPC_SPMC1;
                vcpu->arch.spmc[i] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SIAR:
                vcpu->arch.siar = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SDAR:
                vcpu->arch.sdar = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SIER:
                vcpu->arch.sier[0] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SIER2:
                vcpu->arch.sier[1] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_SIER3:
                vcpu->arch.sier[2] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_IAMR:
                vcpu->arch.iamr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_PSPB:
                vcpu->arch.pspb = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_DPDES:
                vcpu->arch.vcore->dpdes = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_VTB:
                vcpu->arch.vcore->vtb = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_DAWR:
                vcpu->arch.dawr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_DAWRX:
                vcpu->arch.dawrx = set_reg_val(id, *val) & ~DAWRX_HYP;
                break;
        case KVM_REG_PPC_CIABR:
                vcpu->arch.ciabr = set_reg_val(id, *val);
                /* Don't allow setting breakpoints in hypervisor code */
                if ((vcpu->arch.ciabr & CIABR_PRIV) == CIABR_PRIV_HYPER)
                        vcpu->arch.ciabr &= ~CIABR_PRIV;        /* disable */
                break;
        case KVM_REG_PPC_CSIGR:
                vcpu->arch.csigr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TACR:
                vcpu->arch.tacr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TCSCR:
                vcpu->arch.tcscr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_PID:
                vcpu->arch.pid = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_ACOP:
                vcpu->arch.acop = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_WORT:
                vcpu->arch.wort = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TIDR:
                vcpu->arch.tid = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_PSSCR:
                vcpu->arch.psscr = set_reg_val(id, *val) & PSSCR_GUEST_VIS;
                break;
        case KVM_REG_PPC_VPA_ADDR:
                addr = set_reg_val(id, *val);
                r = -EINVAL;
                if (!addr && (vcpu->arch.slb_shadow.next_gpa ||
                              vcpu->arch.dtl.next_gpa))
                        break;
                r = set_vpa(vcpu, &vcpu->arch.vpa, addr, sizeof(struct lppaca));
                break;
        case KVM_REG_PPC_VPA_SLB:
                addr = val->vpaval.addr;
                len = val->vpaval.length;
                r = -EINVAL;
                if (addr && !vcpu->arch.vpa.next_gpa)
                        break;
                r = set_vpa(vcpu, &vcpu->arch.slb_shadow, addr, len);
                break;
        case KVM_REG_PPC_VPA_DTL:
                addr = val->vpaval.addr;
                len = val->vpaval.length;
                r = -EINVAL;
                if (addr && (len < sizeof(struct dtl_entry) ||
                             !vcpu->arch.vpa.next_gpa))
                        break;
                len -= len % sizeof(struct dtl_entry);
                r = set_vpa(vcpu, &vcpu->arch.dtl, addr, len);
                break;
        case KVM_REG_PPC_TB_OFFSET:
                /* round up to multiple of 2^24 */
                vcpu->arch.vcore->tb_offset =
                        ALIGN(set_reg_val(id, *val), 1UL << 24);
                break;
        case KVM_REG_PPC_LPCR:
                kvmppc_set_lpcr(vcpu, set_reg_val(id, *val), true);
                break;
        case KVM_REG_PPC_LPCR_64:
                kvmppc_set_lpcr(vcpu, set_reg_val(id, *val), false);
                break;
        case KVM_REG_PPC_PPR:
                vcpu->arch.ppr = set_reg_val(id, *val);
                break;
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
        case KVM_REG_PPC_TFHAR:
                vcpu->arch.tfhar = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TFIAR:
                vcpu->arch.tfiar = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TEXASR:
                vcpu->arch.texasr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_GPR0 ... KVM_REG_PPC_TM_GPR31:
                i = id - KVM_REG_PPC_TM_GPR0;
                vcpu->arch.gpr_tm[i] = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_VSR0 ... KVM_REG_PPC_TM_VSR63:
        {
                int j;
                i = id - KVM_REG_PPC_TM_VSR0;
                if (i < 32)
                        for (j = 0; j < TS_FPRWIDTH; j++)
                                vcpu->arch.fp_tm.fpr[i][j] = val->vsxval[j];
                else
                        if (cpu_has_feature(CPU_FTR_ALTIVEC))
                                vcpu->arch.vr_tm.vr[i-32] = val->vval;
                        else
                                r = -ENXIO;
                break;
        }
        case KVM_REG_PPC_TM_CR:
                vcpu->arch.cr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_XER:
                vcpu->arch.xer_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_LR:
                vcpu->arch.lr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_CTR:
                vcpu->arch.ctr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_FPSCR:
                vcpu->arch.fp_tm.fpscr = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_AMR:
                vcpu->arch.amr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_PPR:
                vcpu->arch.ppr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_VRSAVE:
                vcpu->arch.vrsave_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_VSCR:
                if (cpu_has_feature(CPU_FTR_ALTIVEC))
                        vcpu->arch.vr.vscr.u[3] = set_reg_val(id, *val);
                else
                        r = - ENXIO;
                break;
        case KVM_REG_PPC_TM_DSCR:
                vcpu->arch.dscr_tm = set_reg_val(id, *val);
                break;
        case KVM_REG_PPC_TM_TAR:
                vcpu->arch.tar_tm = set_reg_val(id, *val);
                break;
#endif
        case KVM_REG_PPC_ARCH_COMPAT:
                r = kvmppc_set_arch_compat(vcpu, set_reg_val(id, *val));
                break;
        case KVM_REG_PPC_DEC_EXPIRY:
                vcpu->arch.dec_expires = set_reg_val(id, *val) -
                        vcpu->arch.vcore->tb_offset;
                break;
        case KVM_REG_PPC_ONLINE:
                i = set_reg_val(id, *val);
                if (i && !vcpu->arch.online)
                        atomic_inc(&vcpu->arch.vcore->online_count);
                else if (!i && vcpu->arch.online)
                        atomic_dec(&vcpu->arch.vcore->online_count);
                vcpu->arch.online = i;
                break;
        case KVM_REG_PPC_PTCR:
                vcpu->kvm->arch.l1_ptcr = set_reg_val(id, *val);
                break;
        default:
                r = -EINVAL;
                break;
        }

        return r;
}

/*
 * On POWER9, threads are independent and can be in different partitions.
 * Therefore we consider each thread to be a subcore.
 * There is a restriction that all threads have to be in the same
 * MMU mode (radix or HPT), unfortunately, but since we only support
 * HPT guests on a HPT host so far, that isn't an impediment yet.
 */
static int threads_per_vcore(struct kvm *kvm)
{
        if (kvm->arch.threads_indep)
                return 1;
        return threads_per_subcore;
}

static struct kvmppc_vcore *kvmppc_vcore_create(struct kvm *kvm, int id)
{
        struct kvmppc_vcore *vcore;

        vcore = kzalloc(sizeof(struct kvmppc_vcore), GFP_KERNEL);

        if (vcore == NULL)
                return NULL;

        spin_lock_init(&vcore->lock);
        spin_lock_init(&vcore->stoltb_lock);
        rcuwait_init(&vcore->wait);
        vcore->preempt_tb = TB_NIL;
        vcore->lpcr = kvm->arch.lpcr;
        vcore->first_vcpuid = id;
        vcore->kvm = kvm;
        INIT_LIST_HEAD(&vcore->preempt_list);

        return vcore;
}

#ifdef CONFIG_KVM_BOOK3S_HV_EXIT_TIMING
static struct debugfs_timings_element {
        const char *name;
        size_t offset;
} timings[] = {
        {"rm_entry",    offsetof(struct kvm_vcpu, arch.rm_entry)},
        {"rm_intr",     offsetof(struct kvm_vcpu, arch.rm_intr)},
        {"rm_exit",     offsetof(struct kvm_vcpu, arch.rm_exit)},
        {"guest",       offsetof(struct kvm_vcpu, arch.guest_time)},
        {"cede",        offsetof(struct kvm_vcpu, arch.cede_time)},
};

#define N_TIMINGS       (ARRAY_SIZE(timings))

struct debugfs_timings_state {
        struct kvm_vcpu *vcpu;
        unsigned int    buflen;
        char            buf[N_TIMINGS * 100];
};

static int debugfs_timings_open(struct inode *inode, struct file *file)
{
        struct kvm_vcpu *vcpu = inode->i_private;
        struct debugfs_timings_state *p;

        p = kzalloc(sizeof(*p), GFP_KERNEL);
        if (!p)
                return -ENOMEM;

        kvm_get_kvm(vcpu->kvm);
        p->vcpu = vcpu;
        file->private_data = p;

        return nonseekable_open(inode, file);
}

static int debugfs_timings_release(struct inode *inode, struct file *file)
{
        struct debugfs_timings_state *p = file->private_data;

        kvm_put_kvm(p->vcpu->kvm);
        kfree(p);
        return 0;
}

static ssize_t debugfs_timings_read(struct file *file, char __user *buf,
                                    size_t len, loff_t *ppos)
{
        struct debugfs_timings_state *p = file->private_data;
        struct kvm_vcpu *vcpu = p->vcpu;
        char *s, *buf_end;
        struct kvmhv_tb_accumulator tb;
        u64 count;
        loff_t pos;
        ssize_t n;
        int i, loops;
        bool ok;

        if (!p->buflen) {
                s = p->buf;
                buf_end = s + sizeof(p->buf);
                for (i = 0; i < N_TIMINGS; ++i) {
                        struct kvmhv_tb_accumulator *acc;

                        acc = (struct kvmhv_tb_accumulator *)
                                ((unsigned long)vcpu + timings[i].offset);
                        ok = false;
                        for (loops = 0; loops < 1000; ++loops) {
                                count = acc->seqcount;
                                if (!(count & 1)) {
                                        smp_rmb();
                                        tb = *acc;
                                        smp_rmb();
                                        if (count == acc->seqcount) {
                                                ok = true;
                                                break;
                                        }
                                }
                                udelay(1);
                        }
                        if (!ok)
                                snprintf(s, buf_end - s, "%s: stuck\n",
                                        timings[i].name);
                        else
                                snprintf(s, buf_end - s,
                                        "%s: %llu %llu %llu %llu\n",
                                        timings[i].name, count / 2,
                                        tb_to_ns(tb.tb_total),
                                        tb_to_ns(tb.tb_min),
                                        tb_to_ns(tb.tb_max));
                        s += strlen(s);
                }
                p->buflen = s - p->buf;
        }

        pos = *ppos;
        if (pos >= p->buflen)
                return 0;
        if (len > p->buflen - pos)
                len = p->buflen - pos;
        n = copy_to_user(buf, p->buf + pos, len);
        if (n) {
                if (n == len)
                        return -EFAULT;
                len -= n;
        }
        *ppos = pos + len;
        return len;
}

static ssize_t debugfs_timings_write(struct file *file, const char __user *buf,
                                     size_t len, loff_t *ppos)
{
        return -EACCES;
}

static const struct file_operations debugfs_timings_ops = {
        .owner   = THIS_MODULE,
        .open    = debugfs_timings_open,
        .release = debugfs_timings_release,
        .read    = debugfs_timings_read,
        .write   = debugfs_timings_write,
        .llseek  = generic_file_llseek,
};

/* Create a debugfs directory for the vcpu */
static void debugfs_vcpu_init(struct kvm_vcpu *vcpu, unsigned int id)
{
        char buf[16];
        struct kvm *kvm = vcpu->kvm;

        snprintf(buf, sizeof(buf), "vcpu%u", id);
        vcpu->arch.debugfs_dir = debugfs_create_dir(buf, kvm->arch.debugfs_dir);
        debugfs_create_file("timings", 0444, vcpu->arch.debugfs_dir, vcpu,
                            &debugfs_timings_ops);
}

#else /* CONFIG_KVM_BOOK3S_HV_EXIT_TIMING */
static void debugfs_vcpu_init(struct kvm_vcpu *vcpu, unsigned int id)
{
}
#endif /* CONFIG_KVM_BOOK3S_HV_EXIT_TIMING */

static int kvmppc_core_vcpu_create_hv(struct kvm_vcpu *vcpu)
{
        int err;
        int core;
        struct kvmppc_vcore *vcore;
        struct kvm *kvm;
        unsigned int id;

        kvm = vcpu->kvm;
        id = vcpu->vcpu_id;

        vcpu->arch.shared = &vcpu->arch.shregs;
#ifdef CONFIG_KVM_BOOK3S_PR_POSSIBLE
        /*
         * The shared struct is never shared on HV,
         * so we can always use host endianness
         */
#ifdef __BIG_ENDIAN__
        vcpu->arch.shared_big_endian = true;
#else
        vcpu->arch.shared_big_endian = false;
#endif
#endif
        vcpu->arch.mmcr[0] = MMCR0_FC;
        vcpu->arch.ctrl = CTRL_RUNLATCH;
        /* default to host PVR, since we can't spoof it */
        kvmppc_set_pvr_hv(vcpu, mfspr(SPRN_PVR));
        spin_lock_init(&vcpu->arch.vpa_update_lock);
        spin_lock_init(&vcpu->arch.tbacct_lock);
        vcpu->arch.busy_preempt = TB_NIL;
        vcpu->arch.intr_msr = MSR_SF | MSR_ME;

        /*
         * Set the default HFSCR for the guest from the host value.
         * This value is only used on POWER9.
         * On POWER9, we want to virtualize the doorbell facility, so we
         * don't set the HFSCR_MSGP bit, and that causes those instructions
         * to trap and then we emulate them.
         */
        vcpu->arch.hfscr = HFSCR_TAR | HFSCR_EBB | HFSCR_PM | HFSCR_BHRB |
                HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP | HFSCR_PREFIX;
        if (cpu_has_feature(CPU_FTR_HVMODE)) {
                vcpu->arch.hfscr &= mfspr(SPRN_HFSCR);
                if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST))
                        vcpu->arch.hfscr |= HFSCR_TM;
        }
        if (cpu_has_feature(CPU_FTR_TM_COMP))
                vcpu->arch.hfscr |= HFSCR_TM;

        kvmppc_mmu_book3s_hv_init(vcpu);

        vcpu->arch.state = KVMPPC_VCPU_NOTREADY;

        init_waitqueue_head(&vcpu->arch.cpu_run);

        mutex_lock(&kvm->lock);
        vcore = NULL;
        err = -EINVAL;
        if (cpu_has_feature(CPU_FTR_ARCH_300)) {
                if (id >= (KVM_MAX_VCPUS * kvm->arch.emul_smt_mode)) {
                        pr_devel("KVM: VCPU ID too high\n");
                        core = KVM_MAX_VCORES;
                } else {
                        BUG_ON(kvm->arch.smt_mode != 1);
                        core = kvmppc_pack_vcpu_id(kvm, id);
                }
        } else {
                core = id / kvm->arch.smt_mode;
        }
        if (core < KVM_MAX_VCORES) {
                vcore = kvm->arch.vcores[core];
                if (vcore && cpu_has_feature(CPU_FTR_ARCH_300)) {
                        pr_devel("KVM: collision on id %u", id);
                        vcore = NULL;
                } else if (!vcore) {
                        /*
                         * Take mmu_setup_lock for mutual exclusion
                         * with kvmppc_update_lpcr().
                         */
                        err = -ENOMEM;
                        vcore = kvmppc_vcore_create(kvm,
                                        id & ~(kvm->arch.smt_mode - 1));
                        mutex_lock(&kvm->arch.mmu_setup_lock);
                        kvm->arch.vcores[core] = vcore;
                        kvm->arch.online_vcores++;
                        mutex_unlock(&kvm->arch.mmu_setup_lock);
                }
        }
        mutex_unlock(&kvm->lock);

        if (!vcore)
                return err;

        spin_lock(&vcore->lock);
        ++vcore->num_threads;
        spin_unlock(&vcore->lock);
        vcpu->arch.vcore = vcore;
        vcpu->arch.ptid = vcpu->vcpu_id - vcore->first_vcpuid;
        vcpu->arch.thread_cpu = -1;
        vcpu->arch.prev_cpu = -1;

        vcpu->arch.cpu_type = KVM_CPU_3S_64;
        kvmppc_sanity_check(vcpu);

        debugfs_vcpu_init(vcpu, id);

        return 0;
}

static int kvmhv_set_smt_mode(struct kvm *kvm, unsigned long smt_mode,
                              unsigned long flags)
{
        int err;
        int esmt = 0;

        if (flags)
                return -EINVAL;
        if (smt_mode > MAX_SMT_THREADS || !is_power_of_2(smt_mode))
                return -EINVAL;
        if (!cpu_has_feature(CPU_FTR_ARCH_300)) {
                /*
                 * On POWER8 (or POWER7), the threading mode is "strict",
                 * so we pack smt_mode vcpus per vcore.
                 */
                if (smt_mode > threads_per_subcore)
                        return -EINVAL;
        } else {
                /*
                 * On POWER9, the threading mode is "loose",
                 * so each vcpu gets its own vcore.
                 */
                esmt = smt_mode;
                smt_mode = 1;
        }
        mutex_lock(&kvm->lock);
        err = -EBUSY;
        if (!kvm->arch.online_vcores) {
                kvm->arch.smt_mode = smt_mode;
                kvm->arch.emul_smt_mode = esmt;
                err = 0;
        }
        mutex_unlock(&kvm->lock);

        return err;
}

static void unpin_vpa(struct kvm *kvm, struct kvmppc_vpa *vpa)
{
        if (vpa->pinned_addr)
                kvmppc_unpin_guest_page(kvm, vpa->pinned_addr, vpa->gpa,
                                        vpa->dirty);
}

static void kvmppc_core_vcpu_free_hv(struct kvm_vcpu *vcpu)
{
        spin_lock(&vcpu->arch.vpa_update_lock);
        unpin_vpa(vcpu->kvm, &vcpu->arch.dtl);
        unpin_vpa(vcpu->kvm, &vcpu->arch.slb_shadow);
        unpin_vpa(vcpu->kvm, &vcpu->arch.vpa);
        spin_unlock(&vcpu->arch.vpa_update_lock);
}

static int kvmppc_core_check_requests_hv(struct kvm_vcpu *vcpu)
{
        /* Indicate we want to get back into the guest */
        return 1;
}

static void kvmppc_set_timer(struct kvm_vcpu *vcpu)
{
        unsigned long dec_nsec, now;

        now = get_tb();
        if (now > vcpu->arch.dec_expires) {
                /* decrementer has already gone negative */
                kvmppc_core_queue_dec(vcpu);
                kvmppc_core_prepare_to_enter(vcpu);
                return;
        }
        dec_nsec = tb_to_ns(vcpu->arch.dec_expires - now);
        hrtimer_start(&vcpu->arch.dec_timer, dec_nsec, HRTIMER_MODE_REL);
        vcpu->arch.timer_running = 1;
}

extern int __kvmppc_vcore_entry(void);

static void kvmppc_remove_runnable(struct kvmppc_vcore *vc,
                                   struct kvm_vcpu *vcpu)
{
        u64 now;

        if (vcpu->arch.state != KVMPPC_VCPU_RUNNABLE)
                return;
        spin_lock_irq(&vcpu->arch.tbacct_lock);
        now = mftb();
        vcpu->arch.busy_stolen += vcore_stolen_time(vc, now) -
                vcpu->arch.stolen_logged;
        vcpu->arch.busy_preempt = now;
        vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST;
        spin_unlock_irq(&vcpu->arch.tbacct_lock);
        --vc->n_runnable;
        WRITE_ONCE(vc->runnable_threads[vcpu->arch.ptid], NULL);
}

static int kvmppc_grab_hwthread(int cpu)
{
        struct paca_struct *tpaca;
        long timeout = 10000;

        tpaca = paca_ptrs[cpu];

        /* Ensure the thread won't go into the kernel if it wakes */
        tpaca->kvm_hstate.kvm_vcpu = NULL;
        tpaca->kvm_hstate.kvm_vcore = NULL;
        tpaca->kvm_hstate.napping = 0;
        smp_wmb();
        tpaca->kvm_hstate.hwthread_req = 1;

        /*
         * If the thread is already executing in the kernel (e.g. handling
         * a stray interrupt), wait for it to get back to nap mode.
         * The smp_mb() is to ensure that our setting of hwthread_req
         * is visible before we look at hwthread_state, so if this
         * races with the code at system_reset_pSeries and the thread
         * misses our setting of hwthread_req, we are sure to see its
         * setting of hwthread_state, and vice versa.
         */
        smp_mb();
        while (tpaca->kvm_hstate.hwthread_state == KVM_HWTHREAD_IN_KERNEL) {
                if (--timeout <= 0) {
                        pr_err("KVM: couldn't grab cpu %d\n", cpu);
                        return -EBUSY;
                }
                udelay(1);
        }
        return 0;
}

static void kvmppc_release_hwthread(int cpu)
{
        struct paca_struct *tpaca;

        tpaca = paca_ptrs[cpu];
        tpaca->kvm_hstate.hwthread_req = 0;
        tpaca->kvm_hstate.kvm_vcpu = NULL;
        tpaca->kvm_hstate.kvm_vcore = NULL;
        tpaca->kvm_hstate.kvm_split_mode = NULL;
}

static void radix_flush_cpu(struct kvm *kvm, int cpu, struct kvm_vcpu *vcpu)
{
        struct kvm_nested_guest *nested = vcpu->arch.nested;
        cpumask_t *cpu_in_guest;
        int i;

        cpu = cpu_first_thread_sibling(cpu);
        if (nested) {
                cpumask_set_cpu(cpu, &nested->need_tlb_flush);
                cpu_in_guest = &nested->cpu_in_guest;
        } else {
                cpumask_set_cpu(cpu, &kvm->arch.need_tlb_flush);
                cpu_in_guest = &kvm->arch.cpu_in_guest;
        }
        /*
         * Make sure setting of bit in need_tlb_flush precedes
         * testing of cpu_in_guest bits.  The matching barrier on
         * the other side is the first smp_mb() in kvmppc_run_core().
         */
        smp_mb();
        for (i = 0; i < threads_per_core; ++i)
                if (cpumask_test_cpu(cpu + i, cpu_in_guest))
                        smp_call_function_single(cpu + i, do_nothing, NULL, 1);
}

static void kvmppc_prepare_radix_vcpu(struct kvm_vcpu *vcpu, int pcpu)
{
        struct kvm_nested_guest *nested = vcpu->arch.nested;
        struct kvm *kvm = vcpu->kvm;
        int prev_cpu;

        if (!cpu_has_feature(CPU_FTR_HVMODE))
                return;

        if (nested)
                prev_cpu = nested->prev_cpu[vcpu->arch.nested_vcpu_id];
        else
                prev_cpu = vcpu->arch.prev_cpu;

        /*
         * With radix, the guest can do TLB invalidations itself,
         * and it could choose to use the local form (tlbiel) if
         * it is invalidating a translation that has only ever been
         * used on one vcpu.  However, that doesn't mean it has
         * only ever been used on one physical cpu, since vcpus
         * can move around between pcpus.  To cope with this, when
         * a vcpu moves from one pcpu to another, we need to tell
         * any vcpus running on the same core as this vcpu previously
         * ran to flush the TLB.  The TLB is shared between threads,
         * so we use a single bit in .need_tlb_flush for all 4 threads.
         */
        if (prev_cpu != pcpu) {
                if (prev_cpu >= 0 &&
                    cpu_first_thread_sibling(prev_cpu) !=
                    cpu_first_thread_sibling(pcpu))
                        radix_flush_cpu(kvm, prev_cpu, vcpu);
                if (nested)
                        nested->prev_cpu[vcpu->arch.nested_vcpu_id] = pcpu;
                else
                        vcpu->arch.prev_cpu = pcpu;
        }
}

static void kvmppc_start_thread(struct kvm_vcpu *vcpu, struct kvmppc_vcore *vc)
{
        int cpu;
        struct paca_struct *tpaca;
        struct kvm *kvm = vc->kvm;

        cpu = vc->pcpu;
        if (vcpu) {
                if (vcpu->arch.timer_running) {
                        hrtimer_try_to_cancel(&vcpu->arch.dec_timer);
                        vcpu->arch.timer_running = 0;
                }
                cpu += vcpu->arch.ptid;
                vcpu->cpu = vc->pcpu;
                vcpu->arch.thread_cpu = cpu;
                cpumask_set_cpu(cpu, &kvm->arch.cpu_in_guest);
        }
        tpaca = paca_ptrs[cpu];
        tpaca->kvm_hstate.kvm_vcpu = vcpu;
        tpaca->kvm_hstate.ptid = cpu - vc->pcpu;
        tpaca->kvm_hstate.fake_suspend = 0;
        /* Order stores to hstate.kvm_vcpu etc. before store to kvm_vcore */
        smp_wmb();
        tpaca->kvm_hstate.kvm_vcore = vc;
        if (cpu != smp_processor_id())
                kvmppc_ipi_thread(cpu);
}

static void kvmppc_wait_for_nap(int n_threads)
{
        int cpu = smp_processor_id();
        int i, loops;

        if (n_threads <= 1)
                return;
        for (loops = 0; loops < 1000000; ++loops) {
                /*
                 * Check if all threads are finished.
                 * We set the vcore pointer when starting a thread
                 * and the thread clears it when finished, so we look
                 * for any threads that still have a non-NULL vcore ptr.
                 */
                for (i = 1; i < n_threads; ++i)
                        if (paca_ptrs[cpu + i]->kvm_hstate.kvm_vcore)
                                break;
                if (i == n_threads) {
                        HMT_medium();
                        return;
                }
                HMT_low();
        }
        HMT_medium();
        for (i = 1; i < n_threads; ++i)
                if (paca_ptrs[cpu + i]->kvm_hstate.kvm_vcore)
                        pr_err("KVM: CPU %d seems to be stuck\n", cpu + i);
}

/*
 * Check that we are on thread 0 and that any other threads in
 * this core are off-line.  Then grab the threads so they can't
 * enter the kernel.
 */
static int on_primary_thread(void)
{
        int cpu = smp_processor_id();
        int thr;

        /* Are we on a primary subcore? */
        if (cpu_thread_in_subcore(cpu))
                return 0;

        thr = 0;
        while (++thr < threads_per_subcore)
                if (cpu_online(cpu + thr))
                        return 0;

        /* Grab all hw threads so they can't go into the kernel */
        for (thr = 1; thr < threads_per_subcore; ++thr) {
                if (kvmppc_grab_hwthread(cpu + thr)) {
                        /* Couldn't grab one; let the others go */
                        do {
                                kvmppc_release_hwthread(cpu + thr);
                        } while (--thr > 0);
                        return 0;
                }
        }
        return 1;
}

/*
 * A list of virtual cores for each physical CPU.
 * These are vcores that could run but their runner VCPU tasks are
 * (or may be) preempted.
 */
struct preempted_vcore_list {
        struct list_head        list;
        spinlock_t              lock;
};

static DEFINE_PER_CPU(struct preempted_vcore_list, preempted_vcores);

static void init_vcore_lists(void)
{
        int cpu;

        for_each_possible_cpu(cpu) {
                struct preempted_vcore_list *lp = &per_cpu(preempted_vcores, cpu);
                spin_lock_init(&lp->lock);
                INIT_LIST_HEAD(&lp->list);
        }
}

static void kvmppc_vcore_preempt(struct kvmppc_vcore *vc)
{
        struct preempted_vcore_list *lp = this_cpu_ptr(&preempted_vcores);

        vc->vcore_state = VCORE_PREEMPT;
        vc->pcpu = smp_processor_id();
        if (vc->num_threads < threads_per_vcore(vc->kvm)) {
                spin_lock(&lp->lock);
                list_add_tail(&vc->preempt_list, &lp->list);
                spin_unlock(&lp->lock);
        }

        /* Start accumulating stolen time */
        kvmppc_core_start_stolen(vc);
}

static void kvmppc_vcore_end_preempt(struct kvmppc_vcore *vc)
{
        struct preempted_vcore_list *lp;

        kvmppc_core_end_stolen(vc);
        if (!list_empty(&vc->preempt_list)) {
                lp = &per_cpu(preempted_vcores, vc->pcpu);
                spin_lock(&lp->lock);
                list_del_init(&vc->preempt_list);
                spin_unlock(&lp->lock);
        }
        vc->vcore_state = VCORE_INACTIVE;
}

/*
 * This stores information about the virtual cores currently
 * assigned to a physical core.
 */
struct core_info {
        int             n_subcores;
        int             max_subcore_threads;
        int             total_threads;
        int             subcore_threads[MAX_SUBCORES];
        struct kvmppc_vcore *vc[MAX_SUBCORES];
};

/*
 * This mapping means subcores 0 and 1 can use threads 0-3 and 4-7
 * respectively in 2-way micro-threading (split-core) mode on POWER8.
 */
static int subcore_thread_map[MAX_SUBCORES] = { 0, 4, 2, 6 };

static void init_core_info(struct core_info *cip, struct kvmppc_vcore *vc)
{
        memset(cip, 0, sizeof(*cip));
        cip->n_subcores = 1;
        cip->max_subcore_threads = vc->num_threads;
        cip->total_threads = vc->num_threads;
        cip->subcore_threads[0] = vc->num_threads;
        cip->vc[0] = vc;
}

static bool subcore_config_ok(int n_subcores, int n_threads)
{
        /*
         * POWER9 "SMT4" cores are permanently in what is effectively a 4-way
         * split-core mode, with one thread per subcore.
         */
        if (cpu_has_feature(CPU_FTR_ARCH_300))
                return n_subcores <= 4 && n_threads == 1;

        /* On POWER8, can only dynamically split if unsplit to begin with */
        if (n_subcores > 1 && threads_per_subcore < MAX_SMT_THREADS)
                return false;
        if (n_subcores > MAX_SUBCORES)
                return false;
        if (n_subcores > 1) {
                if (!(dynamic_mt_modes & 2))
                        n_subcores = 4;
                if (n_subcores > 2 && !(dynamic_mt_modes & 4))
                        return false;
        }

        return n_subcores * roundup_pow_of_two(n_threads) <= MAX_SMT_THREADS;
}

static void init_vcore_to_run(struct kvmppc_vcore *vc)
{
        vc->entry_exit_map = 0;
        vc->in_guest = 0;
        vc->napping_threads = 0;
        vc->conferring_threads = 0;
        vc->tb_offset_applied = 0;
}

static bool can_dynamic_split(struct kvmppc_vcore *vc, struct core_info *cip)
{
        int n_threads = vc->num_threads;
        int sub;

        if (!cpu_has_feature(CPU_FTR_ARCH_207S))
                return false;

        /* In one_vm_per_core mode, require all vcores to be from the same vm */
        if (one_vm_per_core && vc->kvm != cip->vc[0]->kvm)
                return false;

        if (n_threads < cip->max_subcore_threads)
                n_threads = cip->max_subcore_threads;
        if (!subcore_config_ok(cip->n_subcores + 1, n_threads))
                return false;
        cip->max_subcore_threads = n_threads;

        sub = cip->n_subcores;
        ++cip->n_subcores;
        cip->total_threads += vc->num_threads;
        cip->subcore_threads[sub] = vc->num_threads;
        cip->vc[sub] = vc;
        init_vcore_to_run(vc);
        list_del_init(&vc->preempt_list);

        return true;
}

/*
 * Work out whether it is possible to piggyback the execution of
 * vcore *pvc onto the execution of the other vcores described in *cip.
 */
static bool can_piggyback(struct kvmppc_vcore *pvc, struct core_info *cip,
                          int target_threads)
{
        if (cip->total_threads + pvc->num_threads > target_threads)
                return false;

        return can_dynamic_split(pvc, cip);
}

static void prepare_threads(struct kvmppc_vcore *vc)
{
        int i;
        struct kvm_vcpu *vcpu;

        for_each_runnable_thread(i, vcpu, vc) {
                if (signal_pending(vcpu->arch.run_task))
                        vcpu->arch.ret = -EINTR;
                else if (no_mixing_hpt_and_radix &&
                         kvm_is_radix(vc->kvm) != radix_enabled())
                        vcpu->arch.ret = -EINVAL;
                else if (vcpu->arch.vpa.update_pending ||
                         vcpu->arch.slb_shadow.update_pending ||
                         vcpu->arch.dtl.update_pending)
                        vcpu->arch.ret = RESUME_GUEST;
                else
                        continue;
                kvmppc_remove_runnable(vc, vcpu);
                wake_up(&vcpu->arch.cpu_run);
        }
}

static void collect_piggybacks(struct core_info *cip, int target_threads)
{
        struct preempted_vcore_list *lp = this_cpu_ptr(&preempted_vcores);
        struct kvmppc_vcore *pvc, *vcnext;

        spin_lock(&lp->lock);
        list_for_each_entry_safe(pvc, vcnext, &lp->list, preempt_list) {
                if (!spin_trylock(&pvc->lock))
                        continue;
                prepare_threads(pvc);
                if (!pvc->n_runnable || !pvc->kvm->arch.mmu_ready) {
                        list_del_init(&pvc->preempt_list);
                        if (pvc->runner == NULL) {
                                pvc->vcore_state = VCORE_INACTIVE;
                                kvmppc_core_end_stolen(pvc);
                        }
                        spin_unlock(&pvc->lock);
                        continue;
                }
                if (!can_piggyback(pvc, cip, target_threads)) {
                        spin_unlock(&pvc->lock);
                        continue;
                }
                kvmppc_core_end_stolen(pvc);
                pvc->vcore_state = VCORE_PIGGYBACK;
                if (cip->total_threads >= target_threads)
                        break;
        }
        spin_unlock(&lp->lock);
}

static bool recheck_signals_and_mmu(struct core_info *cip)
{
        int sub, i;
        struct kvm_vcpu *vcpu;
        struct kvmppc_vcore *vc;

        for (sub = 0; sub < cip->n_subcores; ++sub) {
                vc = cip->vc[sub];
                if (!vc->kvm->arch.mmu_ready)
                        return true;