/*
 * Kernel-based Virtual Machine driver for Linux
 *
 * This module enables machines with Intel VT-x extensions to run virtual
 * machines without emulation or binary translation.
 *
 * Copyright (C) 2006 Qumranet, Inc.
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Avi Kivity   <avi@qumranet.com>
 *   Yaniv Kamay  <yaniv@qumranet.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 *
 */

#include "irq.h"
#include "mmu.h"
#include "cpuid.h"

#include <linux/kvm_host.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/highmem.h>
#include <linux/sched.h>
#include <linux/moduleparam.h>
#include <linux/mod_devicetable.h>
#include <linux/ftrace_event.h>
#include <linux/slab.h>
#include <linux/tboot.h>
#include <linux/hrtimer.h>
#include "kvm_cache_regs.h"
#include "x86.h"

#include <asm/io.h>
#include <asm/desc.h>
#include <asm/vmx.h>
#include <asm/virtext.h>
#include <asm/mce.h>
#include <asm/i387.h>
#include <asm/xcr.h>
#include <asm/perf_event.h>
#include <asm/debugreg.h>
#include <asm/kexec.h>
#include <asm/apic.h>

#include "trace.h"

#define __ex(x) __kvm_handle_fault_on_reboot(x)
#define __ex_clear(x, reg) \
        ____kvm_handle_fault_on_reboot(x, "xor " reg " , " reg)

MODULE_AUTHOR("Qumranet");
MODULE_LICENSE("GPL");

static const struct x86_cpu_id vmx_cpu_id[] = {
        X86_FEATURE_MATCH(X86_FEATURE_VMX),
        {}
};
MODULE_DEVICE_TABLE(x86cpu, vmx_cpu_id);

static bool __read_mostly enable_vpid = 1;
module_param_named(vpid, enable_vpid, bool, 0444);

static bool __read_mostly flexpriority_enabled = 1;
module_param_named(flexpriority, flexpriority_enabled, bool, S_IRUGO);

static bool __read_mostly enable_ept = 1;
module_param_named(ept, enable_ept, bool, S_IRUGO);

static bool __read_mostly enable_unrestricted_guest = 1;
module_param_named(unrestricted_guest,
                        enable_unrestricted_guest, bool, S_IRUGO);

static bool __read_mostly enable_ept_ad_bits = 1;
module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);

static bool __read_mostly emulate_invalid_guest_state = true;
module_param(emulate_invalid_guest_state, bool, S_IRUGO);

static bool __read_mostly vmm_exclusive = 1;
module_param(vmm_exclusive, bool, S_IRUGO);

static bool __read_mostly fasteoi = 1;
module_param(fasteoi, bool, S_IRUGO);

static bool __read_mostly enable_apicv = 1;
module_param(enable_apicv, bool, S_IRUGO);

static bool __read_mostly enable_shadow_vmcs = 1;
module_param_named(enable_shadow_vmcs, enable_shadow_vmcs, bool, S_IRUGO);
/*
 * If nested=1, nested virtualization is supported, i.e., guests may use
 * VMX and be a hypervisor for its own guests. If nested=0, guests may not
 * use VMX instructions.
 */
static bool __read_mostly nested = 0;
module_param(nested, bool, S_IRUGO);

static u64 __read_mostly host_xss;

static bool __read_mostly enable_pml = 1;
module_param_named(pml, enable_pml, bool, S_IRUGO);

#define KVM_GUEST_CR0_MASK (X86_CR0_NW | X86_CR0_CD)
#define KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST (X86_CR0_WP | X86_CR0_NE)
#define KVM_VM_CR0_ALWAYS_ON                                            \
        (KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST | X86_CR0_PG | X86_CR0_PE)
#define KVM_CR4_GUEST_OWNED_BITS                                      \
        (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR      \
         | X86_CR4_OSXMMEXCPT | X86_CR4_TSD)

#define KVM_PMODE_VM_CR4_ALWAYS_ON (X86_CR4_PAE | X86_CR4_VMXE)
#define KVM_RMODE_VM_CR4_ALWAYS_ON (X86_CR4_VME | X86_CR4_PAE | X86_CR4_VMXE)

#define RMODE_GUEST_OWNED_EFLAGS_BITS (~(X86_EFLAGS_IOPL | X86_EFLAGS_VM))

#define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5

/*
 * These 2 parameters are used to config the controls for Pause-Loop Exiting:
 * ple_gap:    upper bound on the amount of time between two successive
 *             executions of PAUSE in a loop. Also indicate if ple enabled.
 *             According to test, this time is usually smaller than 128 cycles.
 * ple_window: upper bound on the amount of time a guest is allowed to execute
 *             in a PAUSE loop. Tests indicate that most spinlocks are held for
 *             less than 2^12 cycles
 * Time is measured based on a counter that runs at the same rate as the TSC,
 * refer SDM volume 3b section 21.6.13 & 22.1.3.
 */
#define KVM_VMX_DEFAULT_PLE_GAP           128
#define KVM_VMX_DEFAULT_PLE_WINDOW        4096
#define KVM_VMX_DEFAULT_PLE_WINDOW_GROW   2
#define KVM_VMX_DEFAULT_PLE_WINDOW_SHRINK 0
#define KVM_VMX_DEFAULT_PLE_WINDOW_MAX    \
                INT_MAX / KVM_VMX_DEFAULT_PLE_WINDOW_GROW

static int ple_gap = KVM_VMX_DEFAULT_PLE_GAP;
module_param(ple_gap, int, S_IRUGO);

static int ple_window = KVM_VMX_DEFAULT_PLE_WINDOW;
module_param(ple_window, int, S_IRUGO);

/* Default doubles per-vcpu window every exit. */
static int ple_window_grow = KVM_VMX_DEFAULT_PLE_WINDOW_GROW;
module_param(ple_window_grow, int, S_IRUGO);

/* Default resets per-vcpu window every exit to ple_window. */
static int ple_window_shrink = KVM_VMX_DEFAULT_PLE_WINDOW_SHRINK;
module_param(ple_window_shrink, int, S_IRUGO);

/* Default is to compute the maximum so we can never overflow. */
static int ple_window_actual_max = KVM_VMX_DEFAULT_PLE_WINDOW_MAX;
static int ple_window_max        = KVM_VMX_DEFAULT_PLE_WINDOW_MAX;
module_param(ple_window_max, int, S_IRUGO);

extern const ulong vmx_return;

#define NR_AUTOLOAD_MSRS 8
#define VMCS02_POOL_SIZE 1

struct vmcs {
        u32 revision_id;
        u32 abort;
        char data[0];
};

/*
 * Track a VMCS that may be loaded on a certain CPU. If it is (cpu!=-1), also
 * remember whether it was VMLAUNCHed, and maintain a linked list of all VMCSs
 * loaded on this CPU (so we can clear them if the CPU goes down).
 */
struct loaded_vmcs {
        struct vmcs *vmcs;
        int cpu;
        int launched;
        struct list_head loaded_vmcss_on_cpu_link;
};

struct shared_msr_entry {
        unsigned index;
        u64 data;
        u64 mask;
};

/*
 * struct vmcs12 describes the state that our guest hypervisor (L1) keeps for a
 * single nested guest (L2), hence the name vmcs12. Any VMX implementation has
 * a VMCS structure, and vmcs12 is our emulated VMX's VMCS. This structure is
 * stored in guest memory specified by VMPTRLD, but is opaque to the guest,
 * which must access it using VMREAD/VMWRITE/VMCLEAR instructions.
 * More than one of these structures may exist, if L1 runs multiple L2 guests.
 * nested_vmx_run() will use the data here to build a vmcs02: a VMCS for the
 * underlying hardware which will be used to run L2.
 * This structure is packed to ensure that its layout is identical across
 * machines (necessary for live migration).
 * If there are changes in this struct, VMCS12_REVISION must be changed.
 */
typedef u64 natural_width;
struct __packed vmcs12 {
        /* According to the Intel spec, a VMCS region must start with the
         * following two fields. Then follow implementation-specific data.
         */
        u32 revision_id;
        u32 abort;

        u32 launch_state; /* set to 0 by VMCLEAR, to 1 by VMLAUNCH */
        u32 padding[7]; /* room for future expansion */

        u64 io_bitmap_a;
        u64 io_bitmap_b;
        u64 msr_bitmap;
        u64 vm_exit_msr_store_addr;
        u64 vm_exit_msr_load_addr;
        u64 vm_entry_msr_load_addr;
        u64 tsc_offset;
        u64 virtual_apic_page_addr;
        u64 apic_access_addr;
        u64 posted_intr_desc_addr;
        u64 ept_pointer;
        u64 eoi_exit_bitmap0;
        u64 eoi_exit_bitmap1;
        u64 eoi_exit_bitmap2;
        u64 eoi_exit_bitmap3;
        u64 xss_exit_bitmap;
        u64 guest_physical_address;
        u64 vmcs_link_pointer;
        u64 guest_ia32_debugctl;
        u64 guest_ia32_pat;
        u64 guest_ia32_efer;
        u64 guest_ia32_perf_global_ctrl;
        u64 guest_pdptr0;
        u64 guest_pdptr1;
        u64 guest_pdptr2;
        u64 guest_pdptr3;
        u64 guest_bndcfgs;
        u64 host_ia32_pat;
        u64 host_ia32_efer;
        u64 host_ia32_perf_global_ctrl;
        u64 padding64[8]; /* room for future expansion */
        /*
         * To allow migration of L1 (complete with its L2 guests) between
         * machines of different natural widths (32 or 64 bit), we cannot have
         * unsigned long fields with no explict size. We use u64 (aliased
         * natural_width) instead. Luckily, x86 is little-endian.
         */
        natural_width cr0_guest_host_mask;
        natural_width cr4_guest_host_mask;
        natural_width cr0_read_shadow;
        natural_width cr4_read_shadow;
        natural_width cr3_target_value0;
        natural_width cr3_target_value1;
        natural_width cr3_target_value2;
        natural_width cr3_target_value3;
        natural_width exit_qualification;
        natural_width guest_linear_address;
        natural_width guest_cr0;
        natural_width guest_cr3;
        natural_width guest_cr4;
        natural_width guest_es_base;
        natural_width guest_cs_base;
        natural_width guest_ss_base;
        natural_width guest_ds_base;
        natural_width guest_fs_base;
        natural_width guest_gs_base;
        natural_width guest_ldtr_base;
        natural_width guest_tr_base;
        natural_width guest_gdtr_base;
        natural_width guest_idtr_base;
        natural_width guest_dr7;
        natural_width guest_rsp;
        natural_width guest_rip;
        natural_width guest_rflags;
        natural_width guest_pending_dbg_exceptions;
        natural_width guest_sysenter_esp;
        natural_width guest_sysenter_eip;
        natural_width host_cr0;
        natural_width host_cr3;
        natural_width host_cr4;
        natural_width host_fs_base;
        natural_width host_gs_base;
        natural_width host_tr_base;
        natural_width host_gdtr_base;
        natural_width host_idtr_base;
        natural_width host_ia32_sysenter_esp;
        natural_width host_ia32_sysenter_eip;
        natural_width host_rsp;
        natural_width host_rip;
        natural_width paddingl[8]; /* room for future expansion */
        u32 pin_based_vm_exec_control;
        u32 cpu_based_vm_exec_control;
        u32 exception_bitmap;
        u32 page_fault_error_code_mask;
        u32 page_fault_error_code_match;
        u32 cr3_target_count;
        u32 vm_exit_controls;
        u32 vm_exit_msr_store_count;
        u32 vm_exit_msr_load_count;
        u32 vm_entry_controls;
        u32 vm_entry_msr_load_count;
        u32 vm_entry_intr_info_field;
        u32 vm_entry_exception_error_code;
        u32 vm_entry_instruction_len;
        u32 tpr_threshold;
        u32 secondary_vm_exec_control;
        u32 vm_instruction_error;
        u32 vm_exit_reason;
        u32 vm_exit_intr_info;
        u32 vm_exit_intr_error_code;
        u32 idt_vectoring_info_field;
        u32 idt_vectoring_error_code;
        u32 vm_exit_instruction_len;
        u32 vmx_instruction_info;
        u32 guest_es_limit;
        u32 guest_cs_limit;
        u32 guest_ss_limit;
        u32 guest_ds_limit;
        u32 guest_fs_limit;
        u32 guest_gs_limit;
        u32 guest_ldtr_limit;
        u32 guest_tr_limit;
        u32 guest_gdtr_limit;
        u32 guest_idtr_limit;
        u32 guest_es_ar_bytes;
        u32 guest_cs_ar_bytes;
        u32 guest_ss_ar_bytes;
        u32 guest_ds_ar_bytes;
        u32 guest_fs_ar_bytes;
        u32 guest_gs_ar_bytes;
        u32 guest_ldtr_ar_bytes;
        u32 guest_tr_ar_bytes;
        u32 guest_interruptibility_info;
        u32 guest_activity_state;
        u32 guest_sysenter_cs;
        u32 host_ia32_sysenter_cs;
        u32 vmx_preemption_timer_value;
        u32 padding32[7]; /* room for future expansion */
        u16 virtual_processor_id;
        u16 posted_intr_nv;
        u16 guest_es_selector;
        u16 guest_cs_selector;
        u16 guest_ss_selector;
        u16 guest_ds_selector;
        u16 guest_fs_selector;
        u16 guest_gs_selector;
        u16 guest_ldtr_selector;
        u16 guest_tr_selector;
        u16 guest_intr_status;
        u16 host_es_selector;
        u16 host_cs_selector;
        u16 host_ss_selector;
        u16 host_ds_selector;
        u16 host_fs_selector;
        u16 host_gs_selector;
        u16 host_tr_selector;
};

/*
 * VMCS12_REVISION is an arbitrary id that should be changed if the content or
 * layout of struct vmcs12 is changed. MSR_IA32_VMX_BASIC returns this id, and
 * VMPTRLD verifies that the VMCS region that L1 is loading contains this id.
 */
#define VMCS12_REVISION 0x11e57ed0

/*
 * VMCS12_SIZE is the number of bytes L1 should allocate for the VMXON region
 * and any VMCS region. Although only sizeof(struct vmcs12) are used by the
 * current implementation, 4K are reserved to avoid future complications.
 */
#define VMCS12_SIZE 0x1000

/* Used to remember the last vmcs02 used for some recently used vmcs12s */
struct vmcs02_list {
        struct list_head list;
        gpa_t vmptr;
        struct loaded_vmcs vmcs02;
};

/*
 * The nested_vmx structure is part of vcpu_vmx, and holds information we need
 * for correct emulation of VMX (i.e., nested VMX) on this vcpu.
 */
struct nested_vmx {
        /* Has the level1 guest done vmxon? */
        bool vmxon;
        gpa_t vmxon_ptr;

        /* The guest-physical address of the current VMCS L1 keeps for L2 */
        gpa_t current_vmptr;
        /* The host-usable pointer to the above */
        struct page *current_vmcs12_page;
        struct vmcs12 *current_vmcs12;
        struct vmcs *current_shadow_vmcs;
        /*
         * Indicates if the shadow vmcs must be updated with the
         * data hold by vmcs12
         */
        bool sync_shadow_vmcs;

        /* vmcs02_list cache of VMCSs recently used to run L2 guests */
        struct list_head vmcs02_pool;
        int vmcs02_num;
        u64 vmcs01_tsc_offset;
        /* L2 must run next, and mustn't decide to exit to L1. */
        bool nested_run_pending;
        /*
         * Guest pages referred to in vmcs02 with host-physical pointers, so
         * we must keep them pinned while L2 runs.
         */
        struct page *apic_access_page;
        struct page *virtual_apic_page;
        struct page *pi_desc_page;
        struct pi_desc *pi_desc;
        bool pi_pending;
        u16 posted_intr_nv;
        u64 msr_ia32_feature_control;

        struct hrtimer preemption_timer;
        bool preemption_timer_expired;

        /* to migrate it to L2 if VM_ENTRY_LOAD_DEBUG_CONTROLS is off */
        u64 vmcs01_debugctl;

        u32 nested_vmx_procbased_ctls_low;
        u32 nested_vmx_procbased_ctls_high;
        u32 nested_vmx_true_procbased_ctls_low;
        u32 nested_vmx_secondary_ctls_low;
        u32 nested_vmx_secondary_ctls_high;
        u32 nested_vmx_pinbased_ctls_low;
        u32 nested_vmx_pinbased_ctls_high;
        u32 nested_vmx_exit_ctls_low;
        u32 nested_vmx_exit_ctls_high;
        u32 nested_vmx_true_exit_ctls_low;
        u32 nested_vmx_entry_ctls_low;
        u32 nested_vmx_entry_ctls_high;
        u32 nested_vmx_true_entry_ctls_low;
        u32 nested_vmx_misc_low;
        u32 nested_vmx_misc_high;
        u32 nested_vmx_ept_caps;
};

#define POSTED_INTR_ON  0
/* Posted-Interrupt Descriptor */
struct pi_desc {
        u32 pir[8];     /* Posted interrupt requested */
        u32 control;    /* bit 0 of control is outstanding notification bit */
        u32 rsvd[7];
} __aligned(64);

static bool pi_test_and_set_on(struct pi_desc *pi_desc)
{
        return test_and_set_bit(POSTED_INTR_ON,
                        (unsigned long *)&pi_desc->control);
}

static bool pi_test_and_clear_on(struct pi_desc *pi_desc)
{
        return test_and_clear_bit(POSTED_INTR_ON,
                        (unsigned long *)&pi_desc->control);
}

static int pi_test_and_set_pir(int vector, struct pi_desc *pi_desc)
{
        return test_and_set_bit(vector, (unsigned long *)pi_desc->pir);
}

struct vcpu_vmx {
        struct kvm_vcpu       vcpu;
        unsigned long         host_rsp;
        u8                    fail;
        bool                  nmi_known_unmasked;
        u32                   exit_intr_info;
        u32                   idt_vectoring_info;
        ulong                 rflags;
        struct shared_msr_entry *guest_msrs;
        int                   nmsrs;
        int                   save_nmsrs;
        unsigned long         host_idt_base;
#ifdef CONFIG_X86_64
        u64                   msr_host_kernel_gs_base;
        u64                   msr_guest_kernel_gs_base;
#endif
        u32 vm_entry_controls_shadow;
        u32 vm_exit_controls_shadow;
        /*
         * loaded_vmcs points to the VMCS currently used in this vcpu. For a
         * non-nested (L1) guest, it always points to vmcs01. For a nested
         * guest (L2), it points to a different VMCS.
         */
        struct loaded_vmcs    vmcs01;
        struct loaded_vmcs   *loaded_vmcs;
        bool                  __launched; /* temporary, used in vmx_vcpu_run */
        struct msr_autoload {
                unsigned nr;
                struct vmx_msr_entry guest[NR_AUTOLOAD_MSRS];
                struct vmx_msr_entry host[NR_AUTOLOAD_MSRS];
        } msr_autoload;
        struct {
                int           loaded;
                u16           fs_sel, gs_sel, ldt_sel;
#ifdef CONFIG_X86_64
                u16           ds_sel, es_sel;
#endif
                int           gs_ldt_reload_needed;
                int           fs_reload_needed;
                u64           msr_host_bndcfgs;
                unsigned long vmcs_host_cr4;    /* May not match real cr4 */
        } host_state;
        struct {
                int vm86_active;
                ulong save_rflags;
                struct kvm_segment segs[8];
        } rmode;
        struct {
                u32 bitmask; /* 4 bits per segment (1 bit per field) */
                struct kvm_save_segment {
                        u16 selector;
                        unsigned long base;
                        u32 limit;
                        u32 ar;
                } seg[8];
        } segment_cache;
        int vpid;
        bool emulation_required;

        /* Support for vnmi-less CPUs */
        int soft_vnmi_blocked;
        ktime_t entry_time;
        s64 vnmi_blocked_time;
        u32 exit_reason;

        bool rdtscp_enabled;

        /* Posted interrupt descriptor */
        struct pi_desc pi_desc;

        /* Support for a guest hypervisor (nested VMX) */
        struct nested_vmx nested;

        /* Dynamic PLE window. */
        int ple_window;
        bool ple_window_dirty;

        /* Support for PML */
#define PML_ENTITY_NUM          512
        struct page *pml_pg;
};

enum segment_cache_field {
        SEG_FIELD_SEL = 0,
        SEG_FIELD_BASE = 1,
        SEG_FIELD_LIMIT = 2,
        SEG_FIELD_AR = 3,

        SEG_FIELD_NR = 4
};

static inline struct vcpu_vmx *to_vmx(struct kvm_vcpu *vcpu)
{
        return container_of(vcpu, struct vcpu_vmx, vcpu);
}

#define VMCS12_OFFSET(x) offsetof(struct vmcs12, x)
#define FIELD(number, name)     [number] = VMCS12_OFFSET(name)
#define FIELD64(number, name)   [number] = VMCS12_OFFSET(name), \
                                [number##_HIGH] = VMCS12_OFFSET(name)+4


static unsigned long shadow_read_only_fields[] = {
        /*
         * We do NOT shadow fields that are modified when L0
         * traps and emulates any vmx instruction (e.g. VMPTRLD,
         * VMXON...) executed by L1.
         * For example, VM_INSTRUCTION_ERROR is read
         * by L1 if a vmx instruction fails (part of the error path).
         * Note the code assumes this logic. If for some reason
         * we start shadowing these fields then we need to
         * force a shadow sync when L0 emulates vmx instructions
         * (e.g. force a sync if VM_INSTRUCTION_ERROR is modified
         * by nested_vmx_failValid)
         */
        VM_EXIT_REASON,
        VM_EXIT_INTR_INFO,
        VM_EXIT_INSTRUCTION_LEN,
        IDT_VECTORING_INFO_FIELD,
        IDT_VECTORING_ERROR_CODE,
        VM_EXIT_INTR_ERROR_CODE,
        EXIT_QUALIFICATION,
        GUEST_LINEAR_ADDRESS,
        GUEST_PHYSICAL_ADDRESS
};
static int max_shadow_read_only_fields =
        ARRAY_SIZE(shadow_read_only_fields);

static unsigned long shadow_read_write_fields[] = {
        TPR_THRESHOLD,
        GUEST_RIP,
        GUEST_RSP,
        GUEST_CR0,
        GUEST_CR3,
        GUEST_CR4,
        GUEST_INTERRUPTIBILITY_INFO,
        GUEST_RFLAGS,
        GUEST_CS_SELECTOR,
        GUEST_CS_AR_BYTES,
        GUEST_CS_LIMIT,
        GUEST_CS_BASE,
        GUEST_ES_BASE,
        GUEST_BNDCFGS,
        CR0_GUEST_HOST_MASK,
        CR0_READ_SHADOW,
        CR4_READ_SHADOW,
        TSC_OFFSET,
        EXCEPTION_BITMAP,
        CPU_BASED_VM_EXEC_CONTROL,
        VM_ENTRY_EXCEPTION_ERROR_CODE,
        VM_ENTRY_INTR_INFO_FIELD,
        VM_ENTRY_INSTRUCTION_LEN,
        VM_ENTRY_EXCEPTION_ERROR_CODE,
        HOST_FS_BASE,
        HOST_GS_BASE,
        HOST_FS_SELECTOR,
        HOST_GS_SELECTOR
};
static int max_shadow_read_write_fields =
        ARRAY_SIZE(shadow_read_write_fields);

static const unsigned short vmcs_field_to_offset_table[] = {
        FIELD(VIRTUAL_PROCESSOR_ID, virtual_processor_id),
        FIELD(POSTED_INTR_NV, posted_intr_nv),
        FIELD(GUEST_ES_SELECTOR, guest_es_selector),
        FIELD(GUEST_CS_SELECTOR, guest_cs_selector),
        FIELD(GUEST_SS_SELECTOR, guest_ss_selector),
        FIELD(GUEST_DS_SELECTOR, guest_ds_selector),
        FIELD(GUEST_FS_SELECTOR, guest_fs_selector),
        FIELD(GUEST_GS_SELECTOR, guest_gs_selector),
        FIELD(GUEST_LDTR_SELECTOR, guest_ldtr_selector),
        FIELD(GUEST_TR_SELECTOR, guest_tr_selector),
        FIELD(GUEST_INTR_STATUS, guest_intr_status),
        FIELD(HOST_ES_SELECTOR, host_es_selector),
        FIELD(HOST_CS_SELECTOR, host_cs_selector),
        FIELD(HOST_SS_SELECTOR, host_ss_selector),
        FIELD(HOST_DS_SELECTOR, host_ds_selector),
        FIELD(HOST_FS_SELECTOR, host_fs_selector),
        FIELD(HOST_GS_SELECTOR, host_gs_selector),
        FIELD(HOST_TR_SELECTOR, host_tr_selector),
        FIELD64(IO_BITMAP_A, io_bitmap_a),
        FIELD64(IO_BITMAP_B, io_bitmap_b),
        FIELD64(MSR_BITMAP, msr_bitmap),
        FIELD64(VM_EXIT_MSR_STORE_ADDR, vm_exit_msr_store_addr),
        FIELD64(VM_EXIT_MSR_LOAD_ADDR, vm_exit_msr_load_addr),
        FIELD64(VM_ENTRY_MSR_LOAD_ADDR, vm_entry_msr_load_addr),
        FIELD64(TSC_OFFSET, tsc_offset),
        FIELD64(VIRTUAL_APIC_PAGE_ADDR, virtual_apic_page_addr),
        FIELD64(APIC_ACCESS_ADDR, apic_access_addr),
        FIELD64(POSTED_INTR_DESC_ADDR, posted_intr_desc_addr),
        FIELD64(EPT_POINTER, ept_pointer),
        FIELD64(EOI_EXIT_BITMAP0, eoi_exit_bitmap0),
        FIELD64(EOI_EXIT_BITMAP1, eoi_exit_bitmap1),
        FIELD64(EOI_EXIT_BITMAP2, eoi_exit_bitmap2),
        FIELD64(EOI_EXIT_BITMAP3, eoi_exit_bitmap3),
        FIELD64(XSS_EXIT_BITMAP, xss_exit_bitmap),
        FIELD64(GUEST_PHYSICAL_ADDRESS, guest_physical_address),
        FIELD64(VMCS_LINK_POINTER, vmcs_link_pointer),
        FIELD64(GUEST_IA32_DEBUGCTL, guest_ia32_debugctl),
        FIELD64(GUEST_IA32_PAT, guest_ia32_pat),
        FIELD64(GUEST_IA32_EFER, guest_ia32_efer),
        FIELD64(GUEST_IA32_PERF_GLOBAL_CTRL, guest_ia32_perf_global_ctrl),
        FIELD64(GUEST_PDPTR0, guest_pdptr0),
        FIELD64(GUEST_PDPTR1, guest_pdptr1),
        FIELD64(GUEST_PDPTR2, guest_pdptr2),
        FIELD64(GUEST_PDPTR3, guest_pdptr3),
        FIELD64(GUEST_BNDCFGS, guest_bndcfgs),
        FIELD64(HOST_IA32_PAT, host_ia32_pat),
        FIELD64(HOST_IA32_EFER, host_ia32_efer),
        FIELD64(HOST_IA32_PERF_GLOBAL_CTRL, host_ia32_perf_global_ctrl),
        FIELD(PIN_BASED_VM_EXEC_CONTROL, pin_based_vm_exec_control),
        FIELD(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control),
        FIELD(EXCEPTION_BITMAP, exception_bitmap),
        FIELD(PAGE_FAULT_ERROR_CODE_MASK, page_fault_error_code_mask),
        FIELD(PAGE_FAULT_ERROR_CODE_MATCH, page_fault_error_code_match),
        FIELD(CR3_TARGET_COUNT, cr3_target_count),
        FIELD(VM_EXIT_CONTROLS, vm_exit_controls),
        FIELD(VM_EXIT_MSR_STORE_COUNT, vm_exit_msr_store_count),
        FIELD(VM_EXIT_MSR_LOAD_COUNT, vm_exit_msr_load_count),
        FIELD(VM_ENTRY_CONTROLS, vm_entry_controls),
        FIELD(VM_ENTRY_MSR_LOAD_COUNT, vm_entry_msr_load_count),
        FIELD(VM_ENTRY_INTR_INFO_FIELD, vm_entry_intr_info_field),
        FIELD(VM_ENTRY_EXCEPTION_ERROR_CODE, vm_entry_exception_error_code),
        FIELD(VM_ENTRY_INSTRUCTION_LEN, vm_entry_instruction_len),
        FIELD(TPR_THRESHOLD, tpr_threshold),
        FIELD(SECONDARY_VM_EXEC_CONTROL, secondary_vm_exec_control),
        FIELD(VM_INSTRUCTION_ERROR, vm_instruction_error),
        FIELD(VM_EXIT_REASON, vm_exit_reason),
        FIELD(VM_EXIT_INTR_INFO, vm_exit_intr_info),
        FIELD(VM_EXIT_INTR_ERROR_CODE, vm_exit_intr_error_code),
        FIELD(IDT_VECTORING_INFO_FIELD, idt_vectoring_info_field),
        FIELD(IDT_VECTORING_ERROR_CODE, idt_vectoring_error_code),
        FIELD(VM_EXIT_INSTRUCTION_LEN, vm_exit_instruction_len),
        FIELD(VMX_INSTRUCTION_INFO, vmx_instruction_info),
        FIELD(GUEST_ES_LIMIT, guest_es_limit),
        FIELD(GUEST_CS_LIMIT, guest_cs_limit),
        FIELD(GUEST_SS_LIMIT, guest_ss_limit),
        FIELD(GUEST_DS_LIMIT, guest_ds_limit),
        FIELD(GUEST_FS_LIMIT, guest_fs_limit),
        FIELD(GUEST_GS_LIMIT, guest_gs_limit),
        FIELD(GUEST_LDTR_LIMIT, guest_ldtr_limit),
        FIELD(GUEST_TR_LIMIT, guest_tr_limit),
        FIELD(GUEST_GDTR_LIMIT, guest_gdtr_limit),
        FIELD(GUEST_IDTR_LIMIT, guest_idtr_limit),
        FIELD(GUEST_ES_AR_BYTES, guest_es_ar_bytes),
        FIELD(GUEST_CS_AR_BYTES, guest_cs_ar_bytes),
        FIELD(GUEST_SS_AR_BYTES, guest_ss_ar_bytes),
        FIELD(GUEST_DS_AR_BYTES, guest_ds_ar_bytes),
        FIELD(GUEST_FS_AR_BYTES, guest_fs_ar_bytes),
        FIELD(GUEST_GS_AR_BYTES, guest_gs_ar_bytes),
        FIELD(GUEST_LDTR_AR_BYTES, guest_ldtr_ar_bytes),
        FIELD(GUEST_TR_AR_BYTES, guest_tr_ar_bytes),
        FIELD(GUEST_INTERRUPTIBILITY_INFO, guest_interruptibility_info),
        FIELD(GUEST_ACTIVITY_STATE, guest_activity_state),
        FIELD(GUEST_SYSENTER_CS, guest_sysenter_cs),
        FIELD(HOST_IA32_SYSENTER_CS, host_ia32_sysenter_cs),
        FIELD(VMX_PREEMPTION_TIMER_VALUE, vmx_preemption_timer_value),
        FIELD(CR0_GUEST_HOST_MASK, cr0_guest_host_mask),
        FIELD(CR4_GUEST_HOST_MASK, cr4_guest_host_mask),
        FIELD(CR0_READ_SHADOW, cr0_read_shadow),
        FIELD(CR4_READ_SHADOW, cr4_read_shadow),
        FIELD(CR3_TARGET_VALUE0, cr3_target_value0),
        FIELD(CR3_TARGET_VALUE1, cr3_target_value1),
        FIELD(CR3_TARGET_VALUE2, cr3_target_value2),
        FIELD(CR3_TARGET_VALUE3, cr3_target_value3),
        FIELD(EXIT_QUALIFICATION, exit_qualification),
        FIELD(GUEST_LINEAR_ADDRESS, guest_linear_address),
        FIELD(GUEST_CR0, guest_cr0),
        FIELD(GUEST_CR3, guest_cr3),
        FIELD(GUEST_CR4, guest_cr4),
        FIELD(GUEST_ES_BASE, guest_es_base),
        FIELD(GUEST_CS_BASE, guest_cs_base),
        FIELD(GUEST_SS_BASE, guest_ss_base),
        FIELD(GUEST_DS_BASE, guest_ds_base),
        FIELD(GUEST_FS_BASE, guest_fs_base),
        FIELD(GUEST_GS_BASE, guest_gs_base),
        FIELD(GUEST_LDTR_BASE, guest_ldtr_base),
        FIELD(GUEST_TR_BASE, guest_tr_base),
        FIELD(GUEST_GDTR_BASE, guest_gdtr_base),
        FIELD(GUEST_IDTR_BASE, guest_idtr_base),
        FIELD(GUEST_DR7, guest_dr7),
        FIELD(GUEST_RSP, guest_rsp),
        FIELD(GUEST_RIP, guest_rip),
        FIELD(GUEST_RFLAGS, guest_rflags),
        FIELD(GUEST_PENDING_DBG_EXCEPTIONS, guest_pending_dbg_exceptions),
        FIELD(GUEST_SYSENTER_ESP, guest_sysenter_esp),
        FIELD(GUEST_SYSENTER_EIP, guest_sysenter_eip),
        FIELD(HOST_CR0, host_cr0),
        FIELD(HOST_CR3, host_cr3),
        FIELD(HOST_CR4, host_cr4),
        FIELD(HOST_FS_BASE, host_fs_base),
        FIELD(HOST_GS_BASE, host_gs_base),
        FIELD(HOST_TR_BASE, host_tr_base),
        FIELD(HOST_GDTR_BASE, host_gdtr_base),
        FIELD(HOST_IDTR_BASE, host_idtr_base),
        FIELD(HOST_IA32_SYSENTER_ESP, host_ia32_sysenter_esp),
        FIELD(HOST_IA32_SYSENTER_EIP, host_ia32_sysenter_eip),
        FIELD(HOST_RSP, host_rsp),
        FIELD(HOST_RIP, host_rip),
};

static inline short vmcs_field_to_offset(unsigned long field)
{
        BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);

        if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
            vmcs_field_to_offset_table[field] == 0)
                return -ENOENT;

        return vmcs_field_to_offset_table[field];
}

static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
{
        return to_vmx(vcpu)->nested.current_vmcs12;
}

static struct page *nested_get_page(struct kvm_vcpu *vcpu, gpa_t addr)
{
        struct page *page = gfn_to_page(vcpu->kvm, addr >> PAGE_SHIFT);
        if (is_error_page(page))
                return NULL;

        return page;
}

static void nested_release_page(struct page *page)
{
        kvm_release_page_dirty(page);
}

static void nested_release_page_clean(struct page *page)
{
        kvm_release_page_clean(page);
}

static unsigned long nested_ept_get_cr3(struct kvm_vcpu *vcpu);
static u64 construct_eptp(unsigned long root_hpa);
static void kvm_cpu_vmxon(u64 addr);
static void kvm_cpu_vmxoff(void);
static bool vmx_mpx_supported(void);
static bool vmx_xsaves_supported(void);
static int vmx_vm_has_apicv(struct kvm *kvm);
static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr);
static void vmx_set_segment(struct kvm_vcpu *vcpu,
                            struct kvm_segment *var, int seg);
static void vmx_get_segment(struct kvm_vcpu *vcpu,
                            struct kvm_segment *var, int seg);
static bool guest_state_valid(struct kvm_vcpu *vcpu);
static u32 vmx_segment_access_rights(struct kvm_segment *var);
static void vmx_sync_pir_to_irr_dummy(struct kvm_vcpu *vcpu);
static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx);
static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
static int alloc_identity_pagetable(struct kvm *kvm);

static DEFINE_PER_CPU(struct vmcs *, vmxarea);
static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
/*
 * We maintain a per-CPU linked-list of VMCS loaded on that CPU. This is needed
 * when a CPU is brought down, and we need to VMCLEAR all VMCSs loaded on it.
 */
static DEFINE_PER_CPU(struct list_head, loaded_vmcss_on_cpu);
static DEFINE_PER_CPU(struct desc_ptr, host_gdt);

static unsigned long *vmx_io_bitmap_a;
static unsigned long *vmx_io_bitmap_b;
static unsigned long *vmx_msr_bitmap_legacy;
static unsigned long *vmx_msr_bitmap_longmode;
static unsigned long *vmx_msr_bitmap_legacy_x2apic;
static unsigned long *vmx_msr_bitmap_longmode_x2apic;
static unsigned long *vmx_msr_bitmap_nested;
static unsigned long *vmx_vmread_bitmap;
static unsigned long *vmx_vmwrite_bitmap;

static bool cpu_has_load_ia32_efer;
static bool cpu_has_load_perf_global_ctrl;

static DECLARE_BITMAP(vmx_vpid_bitmap, VMX_NR_VPIDS);
static DEFINE_SPINLOCK(vmx_vpid_lock);

static struct vmcs_config {
        int size;
        int order;
        u32 revision_id;
        u32 pin_based_exec_ctrl;
        u32 cpu_based_exec_ctrl;
        u32 cpu_based_2nd_exec_ctrl;
        u32 vmexit_ctrl;
        u32 vmentry_ctrl;
} vmcs_config;

static struct vmx_capability {
        u32 ept;
        u32 vpid;
} vmx_capability;

#define VMX_SEGMENT_FIELD(seg)                                  \
        [VCPU_SREG_##seg] = {                                   \
                .selector = GUEST_##seg##_SELECTOR,             \
                .base = GUEST_##seg##_BASE,                     \
                .limit = GUEST_##seg##_LIMIT,                   \
                .ar_bytes = GUEST_##seg##_AR_BYTES,             \
        }

static const struct kvm_vmx_segment_field {
        unsigned selector;
        unsigned base;
        unsigned limit;
        unsigned ar_bytes;
} kvm_vmx_segment_fields[] = {
        VMX_SEGMENT_FIELD(CS),
        VMX_SEGMENT_FIELD(DS),
        VMX_SEGMENT_FIELD(ES),
        VMX_SEGMENT_FIELD(FS),
        VMX_SEGMENT_FIELD(GS),
        VMX_SEGMENT_FIELD(SS),
        VMX_SEGMENT_FIELD(TR),
        VMX_SEGMENT_FIELD(LDTR),
};

static u64 host_efer;

static void ept_save_pdptrs(struct kvm_vcpu *vcpu);

/*
 * Keep MSR_STAR at the end, as setup_msrs() will try to optimize it
 * away by decrementing the array size.
 */
static const u32 vmx_msr_index[] = {
#ifdef CONFIG_X86_64
        MSR_SYSCALL_MASK, MSR_LSTAR, MSR_CSTAR,
#endif
        MSR_EFER, MSR_TSC_AUX, MSR_STAR,
};

static inline bool is_page_fault(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
                             INTR_INFO_VALID_MASK)) ==
                (INTR_TYPE_HARD_EXCEPTION | PF_VECTOR | INTR_INFO_VALID_MASK);
}

static inline bool is_no_device(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
                             INTR_INFO_VALID_MASK)) ==
                (INTR_TYPE_HARD_EXCEPTION | NM_VECTOR | INTR_INFO_VALID_MASK);
}

static inline bool is_invalid_opcode(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
                             INTR_INFO_VALID_MASK)) ==
                (INTR_TYPE_HARD_EXCEPTION | UD_VECTOR | INTR_INFO_VALID_MASK);
}

static inline bool is_external_interrupt(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
                == (INTR_TYPE_EXT_INTR | INTR_INFO_VALID_MASK);
}

static inline bool is_machine_check(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
                             INTR_INFO_VALID_MASK)) ==
                (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
}

static inline bool cpu_has_vmx_msr_bitmap(void)
{
        return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
}

static inline bool cpu_has_vmx_tpr_shadow(void)
{
        return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_TPR_SHADOW;
}

static inline bool vm_need_tpr_shadow(struct kvm *kvm)
{
        return (cpu_has_vmx_tpr_shadow()) && (irqchip_in_kernel(kvm));
}

static inline bool cpu_has_secondary_exec_ctrls(void)
{
        return vmcs_config.cpu_based_exec_ctrl &
                CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
}

static inline bool cpu_has_vmx_virtualize_apic_accesses(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
}

static inline bool cpu_has_vmx_virtualize_x2apic_mode(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;
}

static inline bool cpu_has_vmx_apic_register_virt(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_APIC_REGISTER_VIRT;
}

static inline bool cpu_has_vmx_virtual_intr_delivery(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
}

static inline bool cpu_has_vmx_posted_intr(void)
{
        return vmcs_config.pin_based_exec_ctrl & PIN_BASED_POSTED_INTR;
}

static inline bool cpu_has_vmx_apicv(void)
{
        return cpu_has_vmx_apic_register_virt() &&
                cpu_has_vmx_virtual_intr_delivery() &&
                cpu_has_vmx_posted_intr();
}

static inline bool cpu_has_vmx_flexpriority(void)
{
        return cpu_has_vmx_tpr_shadow() &&
                cpu_has_vmx_virtualize_apic_accesses();
}

static inline bool cpu_has_vmx_ept_execute_only(void)
{
        return vmx_capability.ept & VMX_EPT_EXECUTE_ONLY_BIT;
}

static inline bool cpu_has_vmx_ept_2m_page(void)
{
        return vmx_capability.ept & VMX_EPT_2MB_PAGE_BIT;
}

static inline bool cpu_has_vmx_ept_1g_page(void)
{
        return vmx_capability.ept & VMX_EPT_1GB_PAGE_BIT;
}

static inline bool cpu_has_vmx_ept_4levels(void)
{
        return vmx_capability.ept & VMX_EPT_PAGE_WALK_4_BIT;
}

static inline bool cpu_has_vmx_ept_ad_bits(void)
{
        return vmx_capability.ept & VMX_EPT_AD_BIT;
}

static inline bool cpu_has_vmx_invept_context(void)
{
        return vmx_capability.ept & VMX_EPT_EXTENT_CONTEXT_BIT;
}

static inline bool cpu_has_vmx_invept_global(void)
{
        return vmx_capability.ept & VMX_EPT_EXTENT_GLOBAL_BIT;
}

static inline bool cpu_has_vmx_invvpid_single(void)
{
        return vmx_capability.vpid & VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT;
}

static inline bool cpu_has_vmx_invvpid_global(void)
{
        return vmx_capability.vpid & VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
}

static inline bool cpu_has_vmx_ept(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_ENABLE_EPT;
}

static inline bool cpu_has_vmx_unrestricted_guest(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_UNRESTRICTED_GUEST;
}

static inline bool cpu_has_vmx_ple(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_PAUSE_LOOP_EXITING;
}

static inline bool vm_need_virtualize_apic_accesses(struct kvm *kvm)
{
        return flexpriority_enabled && irqchip_in_kernel(kvm);
}

static inline bool cpu_has_vmx_vpid(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_ENABLE_VPID;
}

static inline bool cpu_has_vmx_rdtscp(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_RDTSCP;
}

static inline bool cpu_has_vmx_invpcid(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_ENABLE_INVPCID;
}

static inline bool cpu_has_virtual_nmis(void)
{
        return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS;
}

static inline bool cpu_has_vmx_wbinvd_exit(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_WBINVD_EXITING;
}

static inline bool cpu_has_vmx_shadow_vmcs(void)
{
        u64 vmx_msr;
        rdmsrl(MSR_IA32_VMX_MISC, vmx_msr);
        /* check if the cpu supports writing r/o exit information fields */
        if (!(vmx_msr & MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS))
                return false;

        return vmcs_config.cpu_based_2nd_exec_ctrl &
                SECONDARY_EXEC_SHADOW_VMCS;
}

static inline bool cpu_has_vmx_pml(void)
{
        return vmcs_config.cpu_based_2nd_exec_ctrl & SECONDARY_EXEC_ENABLE_PML;
}

static inline bool report_flexpriority(void)
{
        return flexpriority_enabled;
}

static inline bool nested_cpu_has(struct vmcs12 *vmcs12, u32 bit)
{
        return vmcs12->cpu_based_vm_exec_control & bit;
}

static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit)
{
        return (vmcs12->cpu_based_vm_exec_control &
                        CPU_BASED_ACTIVATE_SECONDARY_CONTROLS) &&
                (vmcs12->secondary_vm_exec_control & bit);
}

static inline bool nested_cpu_has_virtual_nmis(struct vmcs12 *vmcs12)
{
        return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS;
}

static inline bool nested_cpu_has_preemption_timer(struct vmcs12 *vmcs12)
{
        return vmcs12->pin_based_vm_exec_control &
                PIN_BASED_VMX_PREEMPTION_TIMER;
}

static inline int nested_cpu_has_ept(struct vmcs12 *vmcs12)
{
        return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_EPT);
}

static inline bool nested_cpu_has_xsaves(struct vmcs12 *vmcs12)
{
        return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES) &&
                vmx_xsaves_supported();
}

static inline bool nested_cpu_has_virt_x2apic_mode(struct vmcs12 *vmcs12)
{
        return nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE);
}

static inline bool nested_cpu_has_apic_reg_virt(struct vmcs12 *vmcs12)
{
        return nested_cpu_has2(vmcs12, SECONDARY_EXEC_APIC_REGISTER_VIRT);
}

static inline bool nested_cpu_has_vid(struct vmcs12 *vmcs12)
{
        return nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
}

static inline bool nested_cpu_has_posted_intr(struct vmcs12 *vmcs12)
{
        return vmcs12->pin_based_vm_exec_control & PIN_BASED_POSTED_INTR;
}

static inline bool is_exception(u32 intr_info)
{
        return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
                == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
}

static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
                              u32 exit_intr_info,
                              unsigned long exit_qualification);
static void nested_vmx_entry_failure(struct kvm_vcpu *vcpu,
                        struct vmcs12 *vmcs12,
                        u32 reason, unsigned long qualification);

static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
{
        int i;

        for (i = 0; i < vmx->nmsrs; ++i)
                if (vmx_msr_index[vmx->guest_msrs[i].index] == msr)
                        return i;
        return -1;
}

static inline void __invvpid(int ext, u16 vpid, gva_t gva)
{
    struct {
        u64 vpid : 16;
        u64 rsvd : 48;
        u64 gva;
    } operand = { vpid, 0, gva };

    asm volatile (__ex(ASM_VMX_INVVPID)
                  /* CF==1 or ZF==1 --> rc = -1 */
                  "; ja 1f ; ud2 ; 1:"
                  : : "a"(&operand), "c"(ext) : "cc", "memory");
}

static inline void __invept(int ext, u64 eptp, gpa_t gpa)
{
        struct {
                u64 eptp, gpa;
        } operand = {eptp, gpa};

        asm volatile (__ex(ASM_VMX_INVEPT)
                        /* CF==1 or ZF==1 --> rc = -1 */
                        "; ja 1f ; ud2 ; 1:\n"
                        : : "a" (&operand), "c" (ext) : "cc", "memory");
}

static struct shared_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr)
{
        int i;

        i = __find_msr_index(vmx, msr);
        if (i >= 0)
                return &vmx->guest_msrs[i];
        return NULL;
}

static void vmcs_clear(struct vmcs *vmcs)
{
        u64 phys_addr = __pa(vmcs);
        u8 error;

        asm volatile (__ex(ASM_VMX_VMCLEAR_RAX) "; setna %0"
                      : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
                      : "cc", "memory");
        if (error)
                printk(KERN_ERR "kvm: vmclear fail: %p/%llx\n",
                       vmcs, phys_addr);
}

static inline void loaded_vmcs_init(struct loaded_vmcs *loaded_vmcs)
{
        vmcs_clear(loaded_vmcs->vmcs);
        loaded_vmcs->cpu = -1;
        loaded_vmcs->launched = 0;
}

static void vmcs_load(struct vmcs *vmcs)
{
        u64 phys_addr = __pa(vmcs);
        u8 error;

        asm volatile (__ex(ASM_VMX_VMPTRLD_RAX) "; setna %0"
                        : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
                        : "cc", "memory");
        if (error)
                printk(KERN_ERR "kvm: vmptrld %p/%llx failed\n",
                       vmcs, phys_addr);
}

#ifdef CONFIG_KEXEC
/*
 * This bitmap is used to indicate whether the vmclear
 * operation is enabled on all cpus. All disabled by
 * default.
 */
static cpumask_t crash_vmclear_enabled_bitmap = CPU_MASK_NONE;

static inline void crash_enable_local_vmclear(int cpu)
{
        cpumask_set_cpu(cpu, &crash_vmclear_enabled_bitmap);
}

static inline void crash_disable_local_vmclear(int cpu)
{
        cpumask_clear_cpu(cpu, &crash_vmclear_enabled_bitmap);
}

static inline int crash_local_vmclear_enabled(int cpu)
{
        return cpumask_test_cpu(cpu, &crash_vmclear_enabled_bitmap);
}

static void crash_vmclear_local_loaded_vmcss(void)
{
        int cpu = raw_smp_processor_id();
        struct loaded_vmcs *v;

        if (!crash_local_vmclear_enabled(cpu))
                return;

        list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu),
                            loaded_vmcss_on_cpu_link)
                vmcs_clear(v->vmcs);
}
#else
static inline void crash_enable_local_vmclear(int cpu) { }
static inline void crash_disable_local_vmclear(int cpu) { }
#endif /* CONFIG_KEXEC */

static void __loaded_vmcs_clear(void *arg)
{
        struct loaded_vmcs *loaded_vmcs = arg;
        int cpu = raw_smp_processor_id();

        if (loaded_vmcs->cpu != cpu)
                return; /* vcpu migration can race with cpu offline */
        if (per_cpu(current_vmcs, cpu) == loaded_vmcs->vmcs)
                per_cpu(current_vmcs, cpu) = NULL;
        crash_disable_local_vmclear(cpu);
        list_del(&loaded_vmcs->loaded_vmcss_on_cpu_link);

        /*
         * we should ensure updating loaded_vmcs->loaded_vmcss_on_cpu_link
         * is before setting loaded_vmcs->vcpu to -1 which is done in
         * loaded_vmcs_init. Otherwise, other cpu can see vcpu = -1 fist
         * then adds the vmcs into percpu list before it is deleted.
         */
        smp_wmb();

        loaded_vmcs_init(loaded_vmcs);
        crash_enable_local_vmclear(cpu);
}

static void loaded_vmcs_clear(struct loaded_vmcs *loaded_vmcs)
{
        int cpu = loaded_vmcs->cpu;

        if (cpu != -1)
                smp_call_function_single(cpu,
                         __loaded_vmcs_clear, loaded_vmcs, 1);
}

static inline void vpid_sync_vcpu_single(struct vcpu_vmx *vmx)
{
        if (vmx->vpid == 0)
                return;

        if (cpu_has_vmx_invvpid_single())
                __invvpid(VMX_VPID_EXTENT_SINGLE_CONTEXT, vmx->vpid, 0);
}

static inline void vpid_sync_vcpu_global(void)
{
        if (cpu_has_vmx_invvpid_global())
                __invvpid(VMX_VPID_EXTENT_ALL_CONTEXT, 0, 0);
}

static inline void vpid_sync_context(struct vcpu_vmx *vmx)
{
        if (cpu_has_vmx_invvpid_single())
                vpid_sync_vcpu_single(vmx);
        else
                vpid_sync_vcpu_global();
}

static inline void ept_sync_global(void)
{
        if (cpu_has_vmx_invept_global())
                __invept(VMX_EPT_EXTENT_GLOBAL, 0, 0);
}

static inline void ept_sync_context(u64 eptp)
{
        if (enable_ept) {
                if (cpu_has_vmx_invept_context())
                        __invept(VMX_EPT_EXTENT_CONTEXT, eptp, 0);
                else
                        ept_sync_global();
        }
}

static __always_inline unsigned long vmcs_readl(unsigned long field)
{
        unsigned long value;

        asm volatile (__ex_clear(ASM_VMX_VMREAD_RDX_RAX, "%0")
                      : "=a"(value) : "d"(field) : "cc");
        return value;
}

static __always_inline u16 vmcs_read16(unsigned long field)
{
        return vmcs_readl(field);
}

static __always_inline u32 vmcs_read32(unsigned long field)
{
        return vmcs_readl(field);
}

static __always_inline u64 vmcs_read64(unsigned long field)
{
#ifdef CONFIG_X86_64
        return vmcs_readl(field);
#else
        return vmcs_readl(field) | ((u64)vmcs_readl(field+1) << 32);
#endif
}

static noinline void vmwrite_error(unsigned long field, unsigned long value)
{
        printk(KERN_ERR "vmwrite error: reg %lx value %lx (err %d)\n",
               field, value, vmcs_read32(VM_INSTRUCTION_ERROR));
        dump_stack();
}

static void vmcs_writel(unsigned long field, unsigned long value)
{
        u8 error;

        asm volatile (__ex(ASM_VMX_VMWRITE_RAX_RDX) "; setna %0"
                       : "=q"(error) : "a"(value), "d"(field) : "cc");
        if (unlikely(error))
                vmwrite_error(field, value);
}

static void vmcs_write16(unsigned long field, u16 value)
{
        vmcs_writel(field, value);
}

static void vmcs_write32(unsigned long field, u32 value)
{
        vmcs_writel(field, value);
}

static void vmcs_write64(unsigned long field, u64 value)
{
        vmcs_writel(field, value);
#ifndef CONFIG_X86_64
        asm volatile ("");
        vmcs_writel(field+1, value >> 32);
#endif
}

static void vmcs_clear_bits(unsigned long field, u32 mask)
{
        vmcs_writel(field, vmcs_readl(field) & ~mask);
}

static void vmcs_set_bits(unsigned long field, u32 mask)
{
        vmcs_writel(field, vmcs_readl(field) | mask);
}

static inline void vm_entry_controls_init(struct vcpu_vmx *vmx, u32 val)
{
        vmcs_write32(VM_ENTRY_CONTROLS, val);
        vmx->vm_entry_controls_shadow = val;
}

static inline void vm_entry_controls_set(struct vcpu_vmx *vmx, u32 val)
{
        if (vmx->vm_entry_controls_shadow != val)
                vm_entry_controls_init(vmx, val);
}

static inline u32 vm_entry_controls_get(struct vcpu_vmx *vmx)
{
        return vmx->vm_entry_controls_shadow;
}


static inline void vm_entry_controls_setbit(struct vcpu_vmx *vmx, u32 val)
{
        vm_entry_controls_set(vmx, vm_entry_controls_get(vmx) | val);
}

static inline void vm_entry_controls_clearbit(struct vcpu_vmx *vmx, u32 val)
{
        vm_entry_controls_set(vmx, vm_entry_controls_get(vmx) & ~val);
}

static inline void vm_exit_controls_init(struct vcpu_vmx *vmx, u32 val)
{
        vmcs_write32(VM_EXIT_CONTROLS, val);
        vmx->vm_exit_controls_shadow = val;
}

static inline void vm_exit_controls_set(struct vcpu_vmx *vmx, u32 val)
{
        if (vmx->vm_exit_controls_shadow != val)
                vm_exit_controls_init(vmx, val);
}

static inline u32 vm_exit_controls_get(struct vcpu_vmx *vmx)
{
        return vmx->vm_exit_controls_shadow;
}


static inline void vm_exit_controls_setbit(struct vcpu_vmx *vmx, u32 val)
{
        vm_exit_controls_set(vmx, vm_exit_controls_get(vmx) | val);
}

static inline void vm_exit_controls_clearbit(struct vcpu_vmx *vmx, u32 val)
{
        vm_exit_controls_set(vmx, vm_exit_controls_get(vmx) & ~val);
}

static void vmx_segment_cache_clear(struct vcpu_vmx *vmx)
{
        vmx->segment_cache.bitmask = 0;
}

static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg,
                                       unsigned field)
{
        bool ret;
        u32 mask = 1 << (seg * SEG_FIELD_NR + field);

        if (!(vmx->vcpu.arch.regs_avail & (1 << VCPU_EXREG_SEGMENTS))) {
                vmx->vcpu.arch.regs_avail |= (1 << VCPU_EXREG_SEGMENTS);
                vmx->segment_cache.bitmask = 0;
        }
        ret = vmx->segment_cache.bitmask & mask;
        vmx->segment_cache.bitmask |= mask;
        return ret;
}

static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg)
{
        u16 *p = &vmx->segment_cache.seg[seg].selector;

        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL))
                *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector);
        return *p;
}

static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg)
{
        ulong *p = &vmx->segment_cache.seg[seg].base;

        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE))
                *p = vmcs_readl(kvm_vmx_segment_fields[seg].base);
        return *p;
}

static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg)
{
        u32 *p = &vmx->segment_cache.seg[seg].limit;

        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT))
                *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit);
        return *p;
}

static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg)
{
        u32 *p = &vmx->segment_cache.seg[seg].ar;

        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR))
                *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes);
        return *p;
}

static void update_exception_bitmap(struct kvm_vcpu *vcpu)
{
        u32 eb;

        eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
             (1u << NM_VECTOR) | (1u << DB_VECTOR);
        if ((vcpu->guest_debug &
             (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
            (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
                eb |= 1u << BP_VECTOR;
        if (to_vmx(vcpu)->rmode.vm86_active)
                eb = ~0;
        if (enable_ept)
                eb &= ~(1u << PF_VECTOR); /* bypass_guest_pf = 0 */
        if (vcpu->fpu_active)
                eb &= ~(1u << NM_VECTOR);

        /* When we are running a nested L2 guest and L1 specified for it a
         * certain exception bitmap, we must trap the same exceptions and pass
         * them to L1. When running L2, we will only handle the exceptions
         * specified above if L1 did not want them.
         */
        if (is_guest_mode(vcpu))
                eb |= get_vmcs12(vcpu)->exception_bitmap;

        vmcs_write32(EXCEPTION_BITMAP, eb);
}

static void clear_atomic_switch_msr_special(struct vcpu_vmx *vmx,
                unsigned long entry, unsigned long exit)
{
        vm_entry_controls_clearbit(vmx, entry);
        vm_exit_controls_clearbit(vmx, exit);
}

static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
{
        unsigned i;
        struct msr_autoload *m = &vmx->msr_autoload;

        switch (msr) {
        case MSR_EFER:
                if (cpu_has_load_ia32_efer) {
                        clear_atomic_switch_msr_special(vmx,
                                        VM_ENTRY_LOAD_IA32_EFER,
                                        VM_EXIT_LOAD_IA32_EFER);
                        return;
                }
                break;
        case MSR_CORE_PERF_GLOBAL_CTRL:
                if (cpu_has_load_perf_global_ctrl) {
                        clear_atomic_switch_msr_special(vmx,
                                        VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
                                        VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL);
                        return;
                }
                break;
        }

        for (i = 0; i < m->nr; ++i)
                if (m->guest[i].index == msr)
                        break;

        if (i == m->nr)
                return;
        --m->nr;
        m->guest[i] = m->guest[m->nr];
        m->host[i] = m->host[m->nr];
        vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->nr);
        vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->nr);
}

static void add_atomic_switch_msr_special(struct vcpu_vmx *vmx,
                unsigned long entry, unsigned long exit,
                unsigned long guest_val_vmcs, unsigned long host_val_vmcs,
                u64 guest_val, u64 host_val)
{
        vmcs_write64(guest_val_vmcs, guest_val);
        vmcs_write64(host_val_vmcs, host_val);
        vm_entry_controls_setbit(vmx, entry);
        vm_exit_controls_setbit(vmx, exit);
}

static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
                                  u64 guest_val, u64 host_val)
{
        unsigned i;
        struct msr_autoload *m = &vmx->msr_autoload;

        switch (msr) {
        case MSR_EFER:
                if (cpu_has_load_ia32_efer) {
                        add_atomic_switch_msr_special(vmx,
                                        VM_ENTRY_LOAD_IA32_EFER,
                                        VM_EXIT_LOAD_IA32_EFER,
                                        GUEST_IA32_EFER,
                                        HOST_IA32_EFER,
                                        guest_val, host_val);
                        return;
                }
                break;
        case MSR_CORE_PERF_GLOBAL_CTRL:
                if (cpu_has_load_perf_global_ctrl) {
                        add_atomic_switch_msr_special(vmx,
                                        VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
                                        VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL,
                                        GUEST_IA32_PERF_GLOBAL_CTRL,
                                        HOST_IA32_PERF_GLOBAL_CTRL,
                                        guest_val, host_val);
                        return;
                }
                break;
        }

        for (i = 0; i < m->nr; ++i)
                if (m->guest[i].index == msr)
                        break;

        if (i == NR_AUTOLOAD_MSRS) {
                printk_once(KERN_WARNING "Not enough msr switch entries. "
                                "Can't add msr %x\n", msr);
                return;
        } else if (i == m->nr) {
                ++m->nr;
                vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->nr);
                vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->nr);
        }

        m->guest[i].index = msr;
        m->guest[i].value = guest_val;
        m->host[i].index = msr;
        m->host[i].value = host_val;
}

static void reload_tss(void)
{
        /*
         * VT restores TR but not its size.  Useless.
         */
        struct desc_ptr *gdt = this_cpu_ptr(&host_gdt);
        struct desc_struct *descs;

        descs = (void *)gdt->address;
        descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
        load_TR_desc();
}

static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
{
        u64 guest_efer;
        u64 ignore_bits;

        guest_efer = vmx->vcpu.arch.efer;

        /*
         * NX is emulated; LMA and LME handled by hardware; SCE meaningless
         * outside long mode
         */
        ignore_bits = EFER_NX | EFER_SCE;
#ifdef CONFIG_X86_64
        ignore_bits |= EFER_LMA | EFER_LME;
        /* SCE is meaningful only in long mode on Intel */
        if (guest_efer & EFER_LMA)
                ignore_bits &= ~(u64)EFER_SCE;
#endif
        guest_efer &= ~ignore_bits;
        guest_efer |= host_efer & ignore_bits;
        vmx->guest_msrs[efer_offset].data = guest_efer;
        vmx->guest_msrs[efer_offset].mask = ~ignore_bits;

        clear_atomic_switch_msr(vmx, MSR_EFER);

        /*
         * On EPT, we can't emulate NX, so we must switch EFER atomically.
         * On CPUs that support "load IA32_EFER", always switch EFER
         * atomically, since it's faster than switching it manually.
         */
        if (cpu_has_load_ia32_efer ||
            (enable_ept && ((vmx->vcpu.arch.efer ^ host_efer) & EFER_NX))) {
                guest_efer = vmx->vcpu.arch.efer;
                if (!(guest_efer & EFER_LMA))
                        guest_efer &= ~EFER_LME;
                if (guest_efer != host_efer)
                        add_atomic_switch_msr(vmx, MSR_EFER,
                                              guest_efer, host_efer);
                return false;
        }

        return true;
}

static unsigned long segment_base(u16 selector)
{
        struct desc_ptr *gdt = this_cpu_ptr(&host_gdt);
        struct desc_struct *d;
        unsigned long table_base;
        unsigned long v;

        if (!(selector & ~3))
                return 0;

        table_base = gdt->address;

        if (selector & 4) {           /* from ldt */
                u16 ldt_selector = kvm_read_ldt();

                if (!(ldt_selector & ~3))
                        return 0;

                table_base = segment_base(ldt_selector);
        }
        d = (struct desc_struct *)(table_base + (selector & ~7));
        v = get_desc_base(d);
#ifdef CONFIG_X86_64
       if (d->s == 0 && (d->type == 2 || d->type == 9 || d->type == 11))
               v |= ((unsigned long)((struct ldttss_desc64 *)d)->base3) << 32;
#endif
        return v;
}

static inline unsigned long kvm_read_tr_base(void)
{
        u16 tr;
        asm("str %0" : "=g"(tr));
        return segment_base(tr);
}

static void vmx_save_host_state(struct kvm_vcpu *vcpu)
{
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        int i;

        if (vmx->host_state.loaded)
                return;

        vmx->host_state.loaded = 1;
        /*
         * Set host fs and gs selectors.  Unfortunately, 22.2.3 does not
         * allow segment selectors with cpl > 0 or ti == 1.
         */
        vmx->host_state.ldt_sel = kvm_read_ldt();
        vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
        savesegment(fs, vmx->host_state.fs_sel);
        if (!(vmx->host_state.fs_sel & 7)) {
                vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
                vmx->host_state.fs_reload_needed = 0;
        } else {
                vmcs_write16(HOST_FS_SELECTOR, 0);
                vmx->host_state.fs_reload_needed = 1;
        }
        savesegment(gs, vmx->host_state.gs_sel);
        if (!(vmx->host_state.gs_sel & 7))
                vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel);
        else {
                vmcs_write16(HOST_GS_SELECTOR, 0);
                vmx->host_state.gs_ldt_reload_needed = 1;
        }

#ifdef CONFIG_X86_64
        savesegment(ds, vmx->host_state.ds_sel);
        savesegment(es, vmx->host_state.es_sel);
#endif

#ifdef CONFIG_X86_64
        vmcs_writel(HOST_FS_BASE, read_msr(MSR_FS_BASE));
        vmcs_writel(HOST_GS_BASE, read_msr(MSR_GS_BASE));
#else
        vmcs_writel(HOST_FS_BASE, segment_base(vmx->host_state.fs_sel));
        vmcs_writel(HOST_GS_BASE, segment_base(vmx->host_state.gs_sel));
#endif

#ifdef CONFIG_X86_64
        rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
        if (is_long_mode(&vmx->vcpu))
                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
#endif
        if (boot_cpu_has(X86_FEATURE_MPX))
                rdmsrl(MSR_IA32_BNDCFGS, vmx->host_state.msr_host_bndcfgs);
        for (i = 0; i < vmx->save_nmsrs; ++i)
                kvm_set_shared_msr(vmx->guest_msrs[i].index,
                                   vmx->guest_msrs[i].data,
                                   vmx->guest_msrs[i].mask);
}

static void __vmx_load_host_state(struct vcpu_vmx *vmx)
{
        if (!vmx->host_state.loaded)
                return;

        ++vmx->vcpu.stat.host_state_reload;
        vmx->host_state.loaded = 0;
#ifdef CONFIG_X86_64
        if (is_long_mode(&vmx->vcpu))
                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
#endif
        if (vmx->host_state.gs_ldt_reload_needed) {
                kvm_load_ldt(vmx->host_state.ldt_sel);
#ifdef CONFIG_X86_64
                load_gs_index(vmx->host_state.gs_sel);
#else
                loadsegment(gs, vmx->host_state.gs_sel);
#endif
        }
        if (vmx->host_state.fs_reload_needed)
                loadsegment(fs, vmx->host_state.fs_sel);
#ifdef CONFIG_X86_64
        if (unlikely(vmx->host_state.ds_sel | vmx->host_state.es_sel)) {
                loadsegment(ds, vmx->host_state.ds_sel);
                loadsegment(es, vmx->host_state.es_sel);
        }
#endif
        reload_tss();
#ifdef CONFIG_X86_64
        wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
#endif
        if (vmx->host_state.msr_host_bndcfgs)
                wrmsrl(MSR_IA32_BNDCFGS, vmx->host_state.msr_host_bndcfgs);
        /*
         * If the FPU is not active (through the host task or
         * the guest vcpu), then restore the cr0.TS bit.
         */
        if (!user_has_fpu() && !vmx->vcpu.guest_fpu_loaded)
                stts();
        load_gdt(this_cpu_ptr(&host_gdt));
}

static void vmx_load_host_state(struct vcpu_vmx *vmx)
{
        preempt_disable();
        __vmx_load_host_state(vmx);
        preempt_enable();
}

/*
 * Switches to specified vcpu, until a matching vcpu_put(), but assumes
 * vcpu mutex is already taken.
 */
static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
{
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        u64 phys_addr = __pa(per_cpu(vmxarea, cpu));

        if (!vmm_exclusive)
                kvm_cpu_vmxon(phys_addr);
        else if (vmx->loaded_vmcs->cpu != cpu)
                loaded_vmcs_clear(vmx->loaded_vmcs);

        if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
                per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
                vmcs_load(vmx->loaded_vmcs->vmcs);
        }

        if (vmx->loaded_vmcs->cpu != cpu) {
                struct desc_ptr *gdt = this_cpu_ptr(&host_gdt);
                unsigned long sysenter_esp;

                kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
                local_irq_disable();
                crash_disable_local_vmclear(cpu);

                /*
                 * Read loaded_vmcs->cpu should be before fetching
                 * loaded_vmcs->loaded_vmcss_on_cpu_link.
                 * See the comments in __loaded_vmcs_clear().
                 */
                smp_rmb();

                list_add(&vmx->loaded_vmcs->loaded_vmcss_on_cpu_link,
                         &per_cpu(loaded_vmcss_on_cpu, cpu));
                crash_enable_local_vmclear(cpu);
                local_irq_enable();

                /*
                 * Linux uses per-cpu TSS and GDT, so set these when switching
                 * processors.
                 */
                vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
                vmcs_writel(HOST_GDTR_BASE, gdt->address);   /* 22.2.4 */

                rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
                vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
                vmx->loaded_vmcs->cpu = cpu;
        }
}

static void vmx_vcpu_put(struct kvm_vcpu *vcpu)
{
        __vmx_load_host_state(to_vmx(vcpu));
        if (!vmm_exclusive) {
                __loaded_vmcs_clear(to_vmx(vcpu)->loaded_vmcs);
                vcpu->cpu = -1;
                kvm_cpu_vmxoff();
        }
}

static void vmx_fpu_activate(struct kvm_vcpu *vcpu)
{
        ulong cr0;

        if (vcpu->fpu_active)
                return;
        vcpu->fpu_active = 1;
        cr0 = vmcs_readl(GUEST_CR0);
        cr0 &= ~(X86_CR0_TS | X86_CR0_MP);
        cr0 |= kvm_read_cr0_bits(vcpu, X86_CR0_TS | X86_CR0_MP);
        vmcs_writel(GUEST_CR0, cr0);
        update_exception_bitmap(vcpu);
        vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
        if (is_guest_mode(vcpu))
                vcpu->arch.cr0_guest_owned_bits &=
                        ~get_vmcs12(vcpu)->cr0_guest_host_mask;
        vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
}

static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu);

/*
 * Return the cr0 value that a nested guest would read. This is a combination
 * of the real cr0 used to run the guest (guest_cr0), and the bits shadowed by
 * its hypervisor (cr0_read_shadow).
 */
static inline unsigned long nested_read_cr0(struct vmcs12 *fields)
{
        return (fields->guest_cr0 & ~fields->cr0_guest_host_mask) |
                (fields->cr0_read_shadow & fields->cr0_guest_host_mask);
}
static inline unsigned long nested_read_cr4(struct vmcs12 *fields)
{
        return (fields->guest_cr4 & ~fields->cr4_guest_host_mask) |
                (fields->cr4_read_shadow & fields->cr4_guest_host_mask);
}

static void vmx_fpu_deactivate(struct kvm_vcpu *vcpu)
{
        /* Note that there is no vcpu->fpu_active = 0 here. The caller must
         * set this *before* calling this function.

         */
        vmx_decache_cr0_guest_bits(vcpu);
        vmcs_set_bits(GUEST_CR0, X86_CR0_TS | X86_CR0_MP);
        update_exception_bitmap(vcpu);
        vcpu->arch.cr0_guest_owned_bits = 0;
        vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
        if (is_guest_mode(vcpu)) {
                /*
                 * L1's specified read shadow might not contain the TS bit,
                 * so now that we turned on shadowing of this bit, we need to
                 * set this bit of the shadow. Like in nested_vmx_run we need
                 * nested_read_cr0(vmcs12), but vmcs12->guest_cr0 is not yet
                 * up-to-date here because we just decached cr0.TS (and we'll
                 * only update vmcs12->guest_cr0 on nested exit).
                 */
                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
                vmcs12->guest_cr0 = (vmcs12->guest_cr0 & ~X86_CR0_TS) |
                        (vcpu->arch.cr0 & X86_CR0_TS);
                vmcs_writel(CR0_READ_SHADOW, nested_read_cr0(vmcs12));
        } else
                vmcs_writel(CR0_READ_SHADOW, vcpu->arch.cr0);
}

static unsigned long vmx_get_rflags(struct kvm_vcpu *vcpu)
{
        unsigned long rflags, save_rflags;

        if (!test_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail)) {
                __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
                rflags = vmcs_readl(GUEST_RFLAGS);
                if (to_vmx(vcpu)->rmode.vm86_active) {
                        rflags &= RMODE_GUEST_OWNED_EFLAGS_BITS;
                        save_rflags = to_vmx(vcpu)->rmode.save_rflags;
                        rflags |= save_rflags & ~RMODE_GUEST_OWNED_EFLAGS_BITS;
                }
                to_vmx(vcpu)->rflags = rflags;
        }
        return to_vmx(vcpu)->rflags;
}

static void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
{
        __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
        to_vmx(vcpu)->rflags = rflags;
        if (to_vmx(vcpu)->rmode.vm86_active) {
                to_vmx(vcpu)->rmode.save_rflags = rflags;
                rflags |= X86_EFLAGS_IOPL | X86_EFLAGS_VM;
        }
        vmcs_writel(GUEST_RFLAGS, rflags);
}

static u32 vmx_get_interrupt_shadow(struct kvm_vcpu *vcpu)
{
        u32 interruptibility = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
        int ret = 0;

        if (interruptibility & GUEST_INTR_STATE_STI)
                ret |= KVM_X86_SHADOW_INT_STI;
        if (interruptibility & GUEST_INTR_STATE_MOV_SS)
                ret |= KVM_X86_SHADOW_INT_MOV_SS;

        return ret;
}

static void vmx_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask)
{
        u32 interruptibility_old = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
        u32 interruptibility = interruptibility_old;

        interruptibility &= ~(GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS);

        if (mask & KVM_X86_SHADOW_INT_MOV_SS)
                interruptibility |= GUEST_INTR_STATE_MOV_SS;
        else if (mask & KVM_X86_SHADOW_INT_STI)
                interruptibility |= GUEST_INTR_STATE_STI;

        if ((interruptibility != interruptibility_old))
                vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, interruptibility);
}

static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
{
        unsigned long rip;

        rip = kvm_rip_read(vcpu);
        rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
        kvm_rip_write(vcpu, rip);

        /* skipping an emulated instruction also counts */
        vmx_set_interrupt_shadow(vcpu, 0);
}

/*
 * KVM wants to inject page-faults which it got to the guest. This function
 * checks whether in a nested guest, we need to inject them to L1 or L2.
 */
static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned nr)
{
        struct vmcs12 *vmcs12 = get_vmcs12(vcpu);

        if (!(vmcs12->exception_bitmap & (1u << nr)))
                return 0;

        nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
                          vmcs_read32(VM_EXIT_INTR_INFO),
                          vmcs_readl(EXIT_QUALIFICATION));
        return 1;
}

static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
                                bool has_error_code, u32 error_code,
                                bool reinject)
{
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        u32 intr_info = nr | INTR_INFO_VALID_MASK;

        if (!reinject && is_guest_mode(vcpu) &&
            nested_vmx_check_exception(vcpu, nr))
                return;

        if (has_error_code) {
                vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code);
                intr_info |= INTR_INFO_DELIVER_CODE_MASK;
        }

        if (vmx->rmode.vm86_active) {
                int inc_eip = 0;
                if (kvm_exception_is_soft(nr))
                        inc_eip = vcpu->arch.event_exit_inst_len;
                if (kvm_inject_realmode_interrupt(vcpu, nr, inc_eip) != EMULATE_DONE)
                        kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
                return;
        }

        if (kvm_exception_is_soft(nr)) {
                vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
                             vmx->vcpu.arch.event_exit_inst_len);
                intr_info |= INTR_TYPE_SOFT_EXCEPTION;
        } else
                intr_info |= INTR_TYPE_HARD_EXCEPTION;

        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr_info);
}

static bool vmx_rdtscp_supported(void)
{
        return cpu_has_vmx_rdtscp();
}

static bool vmx_invpcid_supported(void)
{
        return cpu_has_vmx_invpcid() && enable_ept;
}

/*
 * Swap MSR entry in host/guest MSR entry array.
 */
static void move_msr_up(struct vcpu_vmx *vmx, int from, int to)
{
        struct shared_msr_entry tmp;

        tmp = vmx->guest_msrs[to];
        vmx->guest_msrs[to] = vmx->guest_msrs[from];
        vmx->guest_msrs[from] = tmp;
}

static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu)
{
        unsigned long *msr_bitmap;

        if (is_guest_mode(vcpu))
                msr_bitmap = vmx_msr_bitmap_nested;
        else if (irqchip_in_kernel(vcpu->kvm) &&
                apic_x2apic_mode(vcpu->arch.apic)) {
                if (is_long_mode(vcpu))
                        msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
                else
                        msr_bitmap = vmx_msr_bitmap_legacy_x2apic;
        } else {
                if (is_long_mode(vcpu))
                        msr_bitmap = vmx_msr_bitmap_longmode;
                else
                        msr_bitmap = vmx_msr_bitmap_legacy;
        }

        vmcs_write64(MSR_BITMAP, __pa(msr_bitmap));
}

/*
 * Set up the vmcs to automatically save and restore system
 * msrs.  Don't touch the 64-bit msrs if the guest is in legacy
 * mode, as fiddling with msrs is very expensive.
 */
static void setup_msrs(struct vcpu_vmx *vmx)
{
        int save_nmsrs, index;

        save_nmsrs = 0;
#ifdef CONFIG_X86_64
        if (is_long_mode(&vmx->vcpu)) {
                index = __find_msr_index(vmx, MSR_SYSCALL_MASK);
                if (index >= 0)
                        move_msr_up(vmx, index, save_nmsrs++);
                index = __find_msr_index(vmx, MSR_LSTAR);
                if (index >= 0)
                        move_msr_up(vmx, index, save_nmsrs++);
                index = __find_msr_index(vmx, MSR_CSTAR);
                if (index >= 0)
                        move_msr_up(vmx, index, save_nmsrs++);
                index = __find_msr_index(vmx, MSR_TSC_AUX);
                if (index >= 0 && vmx->rdtscp_enabled)
                        move_msr_up(vmx, index, save_nmsrs++);
                /*
                 * MSR_STAR is only needed on long mode guests, and only
                 * if efer.sce is enabled.
                 */
                index = __find_msr_index(vmx, MSR_STAR);
                if ((index >= 0) && (vmx->vcpu.arch.efer & EFER_SCE))
                        move_msr_up(vmx, index, save_nmsrs++);
        }
#endif
        index = __find_msr_index(vmx, MSR_EFER);
        if (index >= 0 && update_transition_efer(vmx, index))
                move_msr_up(vmx, index, save_nmsrs++);

        vmx->save_nmsrs = save_nmsrs;

        if (cpu_has_vmx_msr_bitmap())
                vmx_set_msr_bitmap(&vmx->vcpu);
}

/*
 * reads and returns guest's timestamp counter "register"
 * guest_tsc = host_tsc + tsc_offset    -- 21.3
 */
static u64 guest_read_tsc(void)
{
        u64 host_tsc, tsc_offset;

        rdtscll(host_tsc);
        tsc_offset = vmcs_read64(TSC_OFFSET);
        return host_tsc + tsc_offset;
}

/*
 * Like guest_read_tsc, but always returns L1's notion of the timestamp
 * counter, even if a nested guest (L2) is currently running.
 */
static u64 vmx_read_l1_tsc(struct kvm_vcpu *vcpu, u64 host_tsc)
{
        u64 tsc_offset;

        tsc_offset = is_guest_mode(vcpu) ?
                to_vmx(vcpu)->nested.vmcs01_tsc_offset :
                vmcs_read64(TSC_OFFSET);
        return host_tsc + tsc_offset;
}

/*
 * Engage any workarounds for mis-matched TSC rates.  Currently limited to
 * software catchup for faster rates on slower CPUs.
 */
static void vmx_set_tsc_khz(struct kvm_vcpu *vcpu, u32 user_tsc_khz, bool scale)
{
        if (!scale)
                return;

        if (user_tsc_khz > tsc_khz) {
                vcpu->arch.tsc_catchup = 1;
                vcpu->arch.tsc_always_catchup = 1;
        } else
                WARN(1, "user requested TSC rate below hardware speed\n");
}

static u64 vmx_read_tsc_offset(struct kvm_vcpu *vcpu)
{
        return vmcs_read64(TSC_OFFSET);
}

/*
 * writes 'offset' into guest's timestamp counter offset register
 */
static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
{
        if (is_guest_mode(vcpu)) {
                /*
                 * We're here if L1 chose not to trap WRMSR to TSC. According
                 * to the spec, this should set L1's TSC; The offset that L1
                 * set for L2 remains unchanged, and still needs to be added
                 * to the newly set TSC to get L2's TSC.
                 */
                struct vmcs12 *vmcs12;
                to_vmx(vcpu)->nested.vmcs01_tsc_offset = offset;
                /* recalculate vmcs02.TSC_OFFSET: */
                vmcs12 = get_vmcs12(vcpu);
                vmcs_write64(TSC_OFFSET, offset +
                        (nested_cpu_has(vmcs12, CPU_BASED_USE_TSC_OFFSETING) ?
                         vmcs12->tsc_offset : 0));
        } else {
                trace_kvm_write_tsc_offset(vcpu->vcpu_id,
                                           vmcs_read64(TSC_OFFSET), offset);
                vmcs_write64(TSC_OFFSET, offset);
        }
}

static void vmx_adjust_tsc_offset(struct kvm_vcpu *vcpu, s64 adjustment, bool host)
{
        u64 offset = vmcs_read64(TSC_OFFSET);

        vmcs_write64(TSC_OFFSET, offset + adjustment);
        if (is_guest_mode(vcpu)) {
                /* Even when running L2, the adjustment needs to apply to L1 */
                to_vmx(vcpu)->nested.vmcs01_tsc_offset += adjustment;
        } else
                trace_kvm_write_tsc_offset(vcpu->vcpu_id, offset,
                                           offset + adjustment);
}

static u64 vmx_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)
{
        return target_tsc - native_read_tsc();
}

static bool guest_cpuid_has_vmx(struct kvm_vcpu *vcpu)
{
        struct kvm_cpuid_entry2 *best = kvm_find_cpuid_entry(vcpu, 1, 0);
        return best && (best->ecx & (1 << (X86_FEATURE_VMX & 31)));
}

/*
 * nested_vmx_allowed() checks whether a guest should be allowed to use VMX
 * instructions and MSRs (i.e., nested VMX). Nested VMX is disabled for
 * all guests if the "nested" module option is off, and can also be disabled
 * for a single guest by disabling its VMX cpuid bit.
 */
static inline bool nested_vmx_allowed(struct kvm_vcpu *vcpu)
{
        return nested && guest_cpuid_has_vmx(vcpu);
}

/*
 * nested_vmx_setup_ctls_msrs() sets up variables containing the values to be
 * returned for the various VMX controls MSRs when nested VMX is enabled.
 * The same values should also be used to verify that vmcs12 control fields are
 * valid during nested entry from L1 to L2.
 * Each of these control msrs has a low and high 32-bit half: A low bit is on
 * if the corresponding bit in the (32-bit) control field *must* be on, and a
 * bit in the high half is on if the corresponding bit in the control field
 * may be on. See also vmx_control_verify().
 */
static void nested_vmx_setup_ctls_msrs(struct vcpu_vmx *vmx)
{
        /*
         * Note that as a general rule, the high half of the MSRs (bits in
         * the control fields which may be 1) should be initialized by the
         * intersection of the underlying hardware's MSR (i.e., features which
         * can be supported) and the list of features we want to expose -
         * because they are known to be properly supported in our code.
         * Also, usually, the low half of the MSRs (bits which must be 1) can
         * be set to 0, meaning that L1 may turn off any of these bits. The
         * reason is that if one of these bits is necessary, it will appear
         * in vmcs01 and prepare_vmcs02, when it bitwise-or's the control
         * fields of vmcs01 and vmcs02, will turn these bits off - and
         * nested_vmx_exit_handled() will not pass related exits to L1.
         * These rules have exceptions below.
         */

        /* pin-based controls */
        rdmsr(MSR_IA32_VMX_PINBASED_CTLS,
                vmx->nested.nested_vmx_pinbased_ctls_low,
                vmx->nested.nested_vmx_pinbased_ctls_high);
        vmx->nested.nested_vmx_pinbased_ctls_low |=
                PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
        vmx->nested.nested_vmx_pinbased_ctls_high &=
                PIN_BASED_EXT_INTR_MASK |
                PIN_BASED_NMI_EXITING |
                PIN_BASED_VIRTUAL_NMIS;
        vmx->nested.nested_vmx_pinbased_ctls_high |=
                PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR |
                PIN_BASED_VMX_PREEMPTION_TIMER;
        if (vmx_vm_has_apicv(vmx->vcpu.kvm))
                vmx->nested.nested_vmx_pinbased_ctls_high |=
                        PIN_BASED_POSTED_INTR;

        /* exit controls */
        rdmsr(MSR_IA32_VMX_EXIT_CTLS,
                vmx->nested.nested_vmx_exit_ctls_low,
                vmx->nested.nested_vmx_exit_ctls_high);
        vmx->nested.nested_vmx_exit_ctls_low =
                VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR;

        vmx->nested.nested_vmx_exit_ctls_high &=
#ifdef CONFIG_X86_64
                VM_EXIT_HOST_ADDR_SPACE_SIZE |
#endif
                VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT;
        vmx->nested.nested_vmx_exit_ctls_high |=
                VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR |
                VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER |
                VM_EXIT_SAVE_VMX_PREEMPTION_TIMER | VM_EXIT_ACK_INTR_ON_EXIT;

        if (vmx_mpx_supported())
                vmx->nested.nested_vmx_exit_ctls_high |= VM_EXIT_CLEAR_BNDCFGS;

        /* We support free control of debug control saving. */
        vmx->nested.nested_vmx_true_exit_ctls_low =
                vmx->nested.nested_vmx_exit_ctls_low &
                ~VM_EXIT_SAVE_DEBUG_CONTROLS;

        /* entry controls */
        rdmsr(MSR_IA32_VMX_ENTRY_CTLS,
                vmx->nested.nested_vmx_entry_ctls_low,
                vmx->nested.nested_vmx_entry_ctls_high);
        vmx->nested.nested_vmx_entry_ctls_low =
                VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR;
        vmx->nested.nested_vmx_entry_ctls_high &=
#ifdef CONFIG_X86_64
                VM_ENTRY_IA32E_MODE |
#endif
                VM_ENTRY_LOAD_IA32_PAT;
        vmx->nested.nested_vmx_entry_ctls_high |=
                (VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER);
        if (vmx_mpx_supported())
                vmx->nested.nested_vmx_entry_ctls_high |= VM_ENTRY_LOAD_BNDCFGS;

        /* We support free control of debug control loading. */
        vmx->nested.nested_vmx_true_entry_ctls_low =
                vmx->nested.nested_vmx_entry_ctls_low &
                ~VM_ENTRY_LOAD_DEBUG_CONTROLS;

        /* cpu-based controls */
        rdmsr(MSR_IA32_VMX_PROCBASED_CTLS,
                vmx->nested.nested_vmx_procbased_ctls_low,
                vmx->nested.nested_vmx_procbased_ctls_high);
        vmx->nested.nested_vmx_procbased_ctls_low =
                CPU_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
        vmx->nested.nested_vmx_procbased_ctls_high &=
                CPU_BASED_VIRTUAL_INTR_PENDING |
                CPU_BASED_VIRTUAL_NMI_PENDING | CPU_BASED_USE_TSC_OFFSETING |
                CPU_BASED_HLT_EXITING | CPU_BASED_INVLPG_EXITING |
                CPU_BASED_MWAIT_EXITING | CPU_BASED_CR3_LOAD_EXITING |
                CPU_BASED_CR3_STORE_EXITING |
#ifdef CONFIG_X86_64
                CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING |
#endif
                CPU_BASED_MOV_DR_EXITING | CPU_BASED_UNCOND_IO_EXITING |
                CPU_BASED_USE_IO_BITMAPS | CPU_BASED_MONITOR_EXITING |
                CPU_BASED_RDPMC_EXITING | CPU_BASED_RDTSC_EXITING |
                CPU_BASED_PAUSE_EXITING | CPU_BASED_TPR_SHADOW |
                CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
        /*
         * We can allow some features even when not supported by the
         * hardware. For example, L1 can specify an MSR bitmap - and we
         * can use it to avoid exits to L1 - even when L0 runs L2
         * without MSR bitmaps.
         */
        vmx->nested.nested_vmx_procbased_ctls_high |=
                CPU_BASED_ALWAYSON_WITHOUT_TRUE_MSR |
                CPU_BASED_USE_MSR_BITMAPS;

        /* We support free control of CR3 access interception. */
        vmx->nested.nested_vmx_true_procbased_ctls_low =
                vmx->nested.nested_vmx_procbased_ctls_low &
                ~(CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING);

        /* secondary cpu-based controls */
        rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
                vmx->nested.nested_vmx_secondary_ctls_low,
                vmx->nested.nested_vmx_secondary_ctls_high);
        vmx->nested.nested_vmx_secondary_ctls_low = 0;
        vmx->nested.nested_vmx_secondary_ctls_high &=
                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
                SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
                SECONDARY_EXEC_APIC_REGISTER_VIRT |
                SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
                SECONDARY_EXEC_WBINVD_EXITING |
                SECONDARY_EXEC_XSAVES;

        if (enable_ept) {
                /* nested EPT: emulate EPT also to L1 */
                vmx->nested.nested_vmx_secondary_ctls_high |=
                        SECONDARY_EXEC_ENABLE_EPT;
                vmx->nested.nested_vmx_ept_caps = VMX_EPT_PAGE_WALK_4_BIT |
                         VMX_EPTP_WB_BIT | VMX_EPT_2MB_PAGE_BIT |
                         VMX_EPT_INVEPT_BIT;
                vmx->nested.nested_vmx_ept_caps &= vmx_capability.ept;
                /*
                 * For nested guests, we don't do anything specific
                 * for single context invalidation. Hence, only advertise
                 * support for global context invalidation.
                 */
                vmx->nested.nested_vmx_ept_caps |= VMX_EPT_EXTENT_GLOBAL_BIT;
        } else
                vmx->nested.nested_vmx_ept_caps = 0;

        if (enable_unrestricted_guest)
                vmx->nested.nested_vmx_secondary_ctls_high |=
                        SECONDARY_EXEC_UNRESTRICTED_GUEST;

        /* miscellaneous data */
        rdmsr(MSR_IA32_VMX_MISC,
                vmx->nested.nested_vmx_misc_low,
                vmx->nested.nested_vmx_misc_high);
        vmx->nested.nested_vmx_misc_low &= VMX_MISC_SAVE_EFER_LMA;
        vmx->nested.nested_vmx_misc_low |=
                VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE |
                VMX_MISC_ACTIVITY_HLT;
        vmx->nested.nested_vmx_misc_high = 0;
}

static inline bool vmx_control_verify(u32 control, u32 low, u32 high)
{
        /*
         * Bits 0 in high must be 0, and bits 1 in low must be 1.
         */
        return ((control & high) | low) == control;
}

static inline u64 vmx_control_msr(u32 low, u32 high)
{
        return low | ((u64)high << 32);
}

/* Returns 0 on success, non-0 otherwise. */
static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
{
        struct vcpu_vmx *vmx = to_vmx(vcpu);

        switch (msr_index) {
        case MSR_IA32_VMX_BASIC:
                /*
                 * This MSR reports some information about VMX support. We
                 * should return information about the VMX we emulate for the
                 * guest, and the VMCS structure we give it - not about the
                 * VMX support of the underlying hardware.
                 */
                *pdata = VMCS12_REVISION | VMX_BASIC_TRUE_CTLS |
                           ((u64)VMCS12_SIZE << VMX_BASIC_VMCS_SIZE_SHIFT) |
                           (VMX_BASIC_MEM_TYPE_WB << VMX_BASIC_MEM_TYPE_SHIFT);
                break;
        case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
        case MSR_IA32_VMX_PINBASED_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_pinbased_ctls_low,
                        vmx->nested.nested_vmx_pinbased_ctls_high);
                break;
        case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_true_procbased_ctls_low,
                        vmx->nested.nested_vmx_procbased_ctls_high);
                break;
        case MSR_IA32_VMX_PROCBASED_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_procbased_ctls_low,
                        vmx->nested.nested_vmx_procbased_ctls_high);
                break;
        case MSR_IA32_VMX_TRUE_EXIT_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_true_exit_ctls_low,
                        vmx->nested.nested_vmx_exit_ctls_high);
                break;
        case MSR_IA32_VMX_EXIT_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_exit_ctls_low,
                        vmx->nested.nested_vmx_exit_ctls_high);
                break;
        case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_true_entry_ctls_low,
                        vmx->nested.nested_vmx_entry_ctls_high);
                break;
        case MSR_IA32_VMX_ENTRY_CTLS:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_entry_ctls_low,
                        vmx->nested.nested_vmx_entry_ctls_high);
                break;
        case MSR_IA32_VMX_MISC:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_misc_low,
                        vmx->nested.nested_vmx_misc_high);
                break;
        /*
         * These MSRs specify bits which the guest must keep fixed (on or off)
         * while L1 is in VMXON mode (in L1's root mode, or running an L2).
         * We picked the standard core2 setting.
         */
#define VMXON_CR0_ALWAYSON      (X86_CR0_PE | X86_CR0_PG | X86_CR0_NE)
#define VMXON_CR4_ALWAYSON      X86_CR4_VMXE
        case MSR_IA32_VMX_CR0_FIXED0:
                *pdata = VMXON_CR0_ALWAYSON;
                break;
        case MSR_IA32_VMX_CR0_FIXED1:
                *pdata = -1ULL;
                break;
        case MSR_IA32_VMX_CR4_FIXED0:
                *pdata = VMXON_CR4_ALWAYSON;
                break;
        case MSR_IA32_VMX_CR4_FIXED1:
                *pdata = -1ULL;
                break;
        case MSR_IA32_VMX_VMCS_ENUM:
                *pdata = 0x2e; /* highest index: VMX_PREEMPTION_TIMER_VALUE */
                break;
        case MSR_IA32_VMX_PROCBASED_CTLS2:
                *pdata = vmx_control_msr(
                        vmx->nested.nested_vmx_secondary_ctls_low,
                        vmx->nested.nested_vmx_secondary_ctls_high);
                break;
        case MSR_IA32_VMX_EPT_VPID_CAP:
                /* Currently, no nested vpid support */
                *pdata = vmx->nested.nested_vmx_ept_caps;
                break;
        default:
                return 1;
        }

        return 0;
}

/*
 * Reads an msr value (of 'msr_index') into 'pdata'.
 * Returns 0 on success, non-0 otherwise.
 * Assumes vcpu_load() was already called.
 */
static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
{
        u64 data;
        struct shared_msr_entry *msr;

        if (!pdata) {
                printk(KERN_ERR "BUG: get_msr called with NULL pdata\n");
                return -EINVAL;
        }

        switch (msr_index) {
#ifdef CONFIG_X86_64
        case MSR_FS_BASE:
                data = vmcs_readl(GUEST_FS_BASE);
                break;
        case MSR_GS_BASE:
                data = vmcs_readl(GUEST_GS_BASE);
                break;
        case MSR_KERNEL_GS_BASE:
                vmx_load_host_state(to_vmx(vcpu));
                data = to_vmx(vcpu)->msr_guest_kernel_gs_base;
                break;
#endif
        case MSR_EFER:
                return kvm_get_msr_common(vcpu, msr_index, pdata);
        case MSR_IA32_TSC:
                data = guest_read_tsc();
                break;
        case MSR_IA32_SYSENTER_CS:
                data = vmcs_read32(GUEST_SYSENTER_CS);
                break;
        case MSR_IA32_SYSENTER_EIP:
                data = vmcs_readl(GUEST_SYSENTER_EIP);
                break;
        case MSR_IA32_SYSENTER_ESP:
                data = vmcs_readl(GUEST_SYSENTER_ESP);
                break;
        case MSR_IA32_BNDCFGS:
                if (!vmx_mpx_supported())
                        return 1;
                data = vmcs_read64(GUEST_BNDCFGS);
                break;
        case MSR_IA32_FEATURE_CONTROL:
                if (!nested_vmx_allowed(vcpu))
                        return 1;
                data = to_vmx(vcpu)->nested.msr_ia32_feature_control;
                break;
        case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
                if (!nested_vmx_allowed(vcpu))
                        return 1;
                return vmx_get_vmx_msr(vcpu, msr_index, pdata);
        case MSR_IA32_XSS:
                if (!vmx_xsaves_supported())
                        return 1;
                data = vcpu->arch.ia32_xss;
                break;
        case MSR_TSC_AUX:
                if (!to_vmx(vcpu)->rdtscp_enabled)
                        return 1;
                /* Otherwise falls through */
        default:
                msr = find_msr_entry(to_vmx(vcpu), msr_index);
                if (msr) {
                        data = msr->data;
                        break;
                }
                return kvm_get_msr_common(vcpu, msr_index, pdata);
        }

        *pdata = data;
        return 0;
}

static void vmx_leave_nested(struct kvm_vcpu *vcpu);

/*
 * Writes msr value into into the appropriate "register".
 * Returns 0 on success, non-0 otherwise.
 * Assumes vcpu_load() was already called.
 */
static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        struct shared_msr_entry *msr;
        int ret = 0;
        u32 msr_index = msr_info->index;
        u64 data = msr_info->data;

        switch (msr_index) {
        case MSR_EFER:
                ret = kvm_set_msr_common(vcpu, msr_info);
                break;
#ifdef CONFIG_X86_64
        case MSR_FS_BASE:
                vmx_segment_cache_clear(vmx);
                vmcs_writel(GUEST_FS_BASE, data);
                break;
        case MSR_GS_BASE:
                vmx_segment_cache_clear(vmx);
                vmcs_writel(GUEST_GS_BASE, data);
                break;
        case MSR_KERNEL_GS_BASE:
                vmx_load_host_state(vmx);
                vmx->msr_guest_kernel_gs_base = data;
                break;
#endif
        case MSR_IA32_SYSENTER_CS:
                vmcs_write32(GUEST_SYSENTER_CS, data);
                break;
        case MSR_IA32_SYSENTER_EIP:
                vmcs_writel(GUEST_SYSENTER_EIP, data);
                break;
        case MSR_IA32_SYSENTER_ESP:
                vmcs_writel(GUEST_SYSENTER_ESP, data);
                break;
        case MSR_IA32_BNDCFGS:
                if (!vmx_mpx_supported())
                        return 1;
                vmcs_write64(GUEST_BNDCFGS, data);
                break;
        case MSR_IA32_TSC:
                kvm_write_tsc(vcpu, msr_info);
                break;
        case MSR_IA32_CR_PAT:
                if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
                        if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
                                return 1;
                        vmcs_write64(GUEST_IA32_PAT, data);
                        vcpu->arch.pat = data;
                        break;
                }
                ret = kvm_set_msr_common(vcpu, msr_info);
                break;
        case MSR_IA32_TSC_ADJUST:
                ret = kvm_set_msr_common(vcpu, msr_info);
                break;
        case MSR_IA32_FEATURE_CONTROL:
                if (!nested_vmx_allowed(vcpu) ||
                    (to_vmx(vcpu)->nested.msr_ia32_feature_control &
                     FEATURE_CONTROL_LOCKED && !msr_info->host_initiated))
                        return 1;
                vmx->nested.msr_ia32_feature_control = data;
                if (msr_info->host_initiated && data == 0)
                        vmx_leave_nested(vcpu);
                break;
        case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
                return 1; /* they are read-only */
        case MSR_IA32_XSS:
                if (!vmx_xsaves_supported())
                        return 1;
                /*
                 * The only supported bit as of Skylake is bit 8, but
                 * it is not supported on KVM.
                 */
                if (data != 0)
                        return 1;
                vcpu->arch.ia32_xss = data;
                if (vcpu->arch.ia32_xss != host_xss)
                        add_atomic_switch_msr(vmx, MSR_IA32_XSS,
                                vcpu->arch.ia32_xss, host_xss);
                else
                        clear_atomic_switch_msr(vmx, MSR_IA32_XSS);
                break;
        case MSR_TSC_AUX:
                if (!vmx->rdtscp_enabled)
                        return 1;
                /* Check reserved bit, higher 32 bits should be zero */
                if ((data >> 32) != 0)
                        return 1;
                /* Otherwise falls through */
        default:
                msr = find_msr_entry(vmx, msr_index);
                if (msr) {
                        u64 old_msr_data = msr->data;
                        msr->data = data;
                        if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
                                preempt_disable();
                                ret = kvm_set_shared_msr(msr->index, msr->data,
                                                         msr->mask);
                                preempt_enable();
                                if (ret)
                                        msr->data = old_msr_data;
                        }
                        break;
                }
                ret = kvm_set_msr_common(vcpu, msr_info);
        }

        return ret;
}

static void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
{
        __set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
        switch (reg) {
        case VCPU_REGS_RSP:
                vcpu->arch.regs[VCPU_REGS_RSP] = vmcs_readl(GUEST_RSP);
                break;
        case VCPU_REGS_RIP:
                vcpu->arch.regs[VCPU_REGS_RIP] = vmcs_readl(GUEST_RIP);
                break;
        case VCPU_EXREG_PDPTR:
                if (enable_ept)
                        ept_save_pdptrs(vcpu);
                break;
        default:
                break;
        }
}

static __init int cpu_has_kvm_support(void)
{
        return cpu_has_vmx();
}

static __init int vmx_disabled_by_bios(void)
{
        u64 msr;

        rdmsrl(MSR_IA32_FEATURE_CONTROL, msr);
        if (msr & FEATURE_CONTROL_LOCKED) {
                /* launched w/ TXT and VMX disabled */
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
                        && tboot_enabled())
                        return 1;
                /* launched w/o TXT and VMX only enabled w/ TXT */
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
                        && (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
                        && !tboot_enabled()) {
                        printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
                                "activate TXT before enabling KVM\n");
                        return 1;
                }
                /* launched w/o TXT and VMX disabled */
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
                        && !tboot_enabled())
                        return 1;
        }

        return 0;
}

static void kvm_cpu_vmxon(u64 addr)
{
        asm volatile (ASM_VMX_VMXON_RAX
                        : : "a"(&addr), "m"(addr)
                        : "memory", "cc");
}

static int hardware_enable(void)
{
        int cpu = raw_smp_processor_id();
        u64 phys_addr = __pa(per_cpu(vmxarea, cpu));
        u64 old, test_bits;

        if (cr4_read_shadow() & X86_CR4_VMXE)
                return -EBUSY;

        INIT_LIST_HEAD(&per_cpu(loaded_vmcss_on_cpu, cpu));

        /*
         * Now we can enable the vmclear operation in kdump
         * since the loaded_vmcss_on_cpu list on this cpu
         * has been initialized.
         *
         * Though the cpu is not in VMX operation now, there
         * is no problem to enable the vmclear operation
         * for the loaded_vmcss_on_cpu list is empty!
         */
        crash_enable_local_vmclear(cpu);

        rdmsrl(MSR_IA32_FEATURE_CONTROL, old);

        test_bits = FEATURE_CONTROL_LOCKED;
        test_bits |= FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;
        if (tboot_enabled())
                test_bits |= FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX;

        if ((old & test_bits) != test_bits) {
                /* enable and lock */
                wrmsrl(MSR_IA32_FEATURE_CONTROL, old | test_bits);
        }
        cr4_set_bits(X86_CR4_VMXE);

        if (vmm_exclusive) {
                kvm_cpu_vmxon(phys_addr);
                ept_sync_global();
        }

        native_store_gdt(this_cpu_ptr(&host_gdt));

        return 0;
}

static void vmclear_local_loaded_vmcss(void)
{
        int cpu = raw_smp_processor_id();
        struct loaded_vmcs *v, *n;

        list_for_each_entry_safe(v, n, &per_cpu(loaded_vmcss_on_cpu, cpu),
                                 loaded_vmcss_on_cpu_link)
                __loaded_vmcs_clear(v);
}


/* Just like cpu_vmxoff(), but with the __kvm_handle_fault_on_reboot()
 * tricks.
 */
static void kvm_cpu_vmxoff(void)
{
        asm volatile (__ex(ASM_VMX_VMXOFF) : : : "cc");
}

static void hardware_disable(void)
{
        if (vmm_exclusive) {
                vmclear_local_loaded_vmcss();
                kvm_cpu_vmxoff();
        }
        cr4_clear_bits(X86_CR4_VMXE);
}

static __init int adjust_vmx_controls(u32 ctl_min, u32 ctl_opt,
                                      u32 msr, u32 *result)
{
        u32 vmx_msr_low, vmx_msr_high;
        u32 ctl = ctl_min | ctl_opt;

        rdmsr(msr, vmx_msr_low, vmx_msr_high);

        ctl &= vmx_msr_high; /* bit == 0 in high word ==> must be zero */
        ctl |= vmx_msr_low;  /* bit == 1 in low word  ==> must be one  */

        /* Ensure minimum (required) set of control bits are supported. */
        if (ctl_min & ~ctl)
                return -EIO;

        *result = ctl;
        return 0;
}

static __init bool allow_1_setting(u32 msr, u32 ctl)
{
        u32 vmx_msr_low, vmx_msr_high;

        rdmsr(msr, vmx_msr_low, vmx_msr_high);
        return vmx_msr_high & ctl;
}

static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
{
        u32 vmx_msr_low, vmx_msr_high;
        u32 min, opt, min2, opt2;
        u32 _pin_based_exec_control = 0;
        u32 _cpu_based_exec_control = 0;
        u32 _cpu_based_2nd_exec_control = 0;
        u32 _vmexit_control = 0;
        u32 _vmentry_control = 0;

        min = CPU_BASED_HLT_EXITING |
#ifdef CONFIG_X86_64
              CPU_BASED_CR8_LOAD_EXITING |
              CPU_BASED_CR8_STORE_EXITING |
#endif
              CPU_BASED_CR3_LOAD_EXITING |
              CPU_BASED_CR3_STORE_EXITING |
              CPU_BASED_USE_IO_BITMAPS |
              CPU_BASED_MOV_DR_EXITING |
              CPU_BASED_USE_TSC_OFFSETING |
              CPU_BASED_MWAIT_EXITING |
              CPU_BASED_MONITOR_EXITING |
              CPU_BASED_INVLPG_EXITING |
              CPU_BASED_RDPMC_EXITING;

        opt = CPU_BASED_TPR_SHADOW |
              CPU_BASED_USE_MSR_BITMAPS |