Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
vmx.c
Go to the documentation of this file.
1 /*
2  * Kernel-based Virtual Machine driver for Linux
3  *
4  * This module enables machines with Intel VT-x extensions to run virtual
5  * machines without emulation or binary translation.
6  *
7  * Copyright (C) 2006 Qumranet, Inc.
8  * Copyright 2010 Red Hat, Inc. and/or its affiliates.
9  *
10  * Authors:
11  * Avi Kivity <[email protected]>
12  * Yaniv Kamay <[email protected]>
13  *
14  * This work is licensed under the terms of the GNU GPL, version 2. See
15  * the COPYING file in the top-level directory.
16  *
17  */
18 
19 #include "irq.h"
20 #include "mmu.h"
21 #include "cpuid.h"
22 
23 #include <linux/kvm_host.h>
24 #include <linux/module.h>
25 #include <linux/kernel.h>
26 #include <linux/mm.h>
27 #include <linux/highmem.h>
28 #include <linux/sched.h>
29 #include <linux/moduleparam.h>
30 #include <linux/mod_devicetable.h>
31 #include <linux/ftrace_event.h>
32 #include <linux/slab.h>
33 #include <linux/tboot.h>
34 #include "kvm_cache_regs.h"
35 #include "x86.h"
36 
37 #include <asm/io.h>
38 #include <asm/desc.h>
39 #include <asm/vmx.h>
40 #include <asm/virtext.h>
41 #include <asm/mce.h>
42 #include <asm/i387.h>
43 #include <asm/xcr.h>
44 #include <asm/perf_event.h>
45 
46 #include "trace.h"
47 
48 #define __ex(x) __kvm_handle_fault_on_reboot(x)
49 #define __ex_clear(x, reg) \
50  ____kvm_handle_fault_on_reboot(x, "xor " reg " , " reg)
51 
52 MODULE_AUTHOR("Qumranet");
53 MODULE_LICENSE("GPL");
54 
55 static const struct x86_cpu_id vmx_cpu_id[] = {
56  X86_FEATURE_MATCH(X86_FEATURE_VMX),
57  {}
58 };
59 MODULE_DEVICE_TABLE(x86cpu, vmx_cpu_id);
60 
61 static bool __read_mostly enable_vpid = 1;
62 module_param_named(vpid, enable_vpid, bool, 0444);
63 
64 static bool __read_mostly flexpriority_enabled = 1;
65 module_param_named(flexpriority, flexpriority_enabled, bool, S_IRUGO);
66 
67 static bool __read_mostly enable_ept = 1;
68 module_param_named(ept, enable_ept, bool, S_IRUGO);
69 
70 static bool __read_mostly enable_unrestricted_guest = 1;
71 module_param_named(unrestricted_guest,
72  enable_unrestricted_guest, bool, S_IRUGO);
73 
74 static bool __read_mostly enable_ept_ad_bits = 1;
75 module_param_named(eptad, enable_ept_ad_bits, bool, S_IRUGO);
76 
77 static bool __read_mostly emulate_invalid_guest_state = true;
78 module_param(emulate_invalid_guest_state, bool, S_IRUGO);
79 
80 static bool __read_mostly vmm_exclusive = 1;
81 module_param(vmm_exclusive, bool, S_IRUGO);
82 
83 static bool __read_mostly fasteoi = 1;
84 module_param(fasteoi, bool, S_IRUGO);
85 
86 /*
87  * If nested=1, nested virtualization is supported, i.e., guests may use
88  * VMX and be a hypervisor for its own guests. If nested=0, guests may not
89  * use VMX instructions.
90  */
91 static bool __read_mostly nested = 0;
92 module_param(nested, bool, S_IRUGO);
93 
94 #define KVM_GUEST_CR0_MASK_UNRESTRICTED_GUEST \
95  (X86_CR0_WP | X86_CR0_NE | X86_CR0_NW | X86_CR0_CD)
96 #define KVM_GUEST_CR0_MASK \
97  (KVM_GUEST_CR0_MASK_UNRESTRICTED_GUEST | X86_CR0_PG | X86_CR0_PE)
98 #define KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST \
99  (X86_CR0_WP | X86_CR0_NE)
100 #define KVM_VM_CR0_ALWAYS_ON \
101  (KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST | X86_CR0_PG | X86_CR0_PE)
102 #define KVM_CR4_GUEST_OWNED_BITS \
103  (X86_CR4_PVI | X86_CR4_DE | X86_CR4_PCE | X86_CR4_OSFXSR \
104  | X86_CR4_OSXMMEXCPT)
105 
106 #define KVM_PMODE_VM_CR4_ALWAYS_ON (X86_CR4_PAE | X86_CR4_VMXE)
107 #define KVM_RMODE_VM_CR4_ALWAYS_ON (X86_CR4_VME | X86_CR4_PAE | X86_CR4_VMXE)
108 
109 #define RMODE_GUEST_OWNED_EFLAGS_BITS (~(X86_EFLAGS_IOPL | X86_EFLAGS_VM))
110 
111 /*
112  * These 2 parameters are used to config the controls for Pause-Loop Exiting:
113  * ple_gap: upper bound on the amount of time between two successive
114  * executions of PAUSE in a loop. Also indicate if ple enabled.
115  * According to test, this time is usually smaller than 128 cycles.
116  * ple_window: upper bound on the amount of time a guest is allowed to execute
117  * in a PAUSE loop. Tests indicate that most spinlocks are held for
118  * less than 2^12 cycles
119  * Time is measured based on a counter that runs at the same rate as the TSC,
120  * refer SDM volume 3b section 21.6.13 & 22.1.3.
121  */
122 #define KVM_VMX_DEFAULT_PLE_GAP 128
123 #define KVM_VMX_DEFAULT_PLE_WINDOW 4096
124 static int ple_gap = KVM_VMX_DEFAULT_PLE_GAP;
125 module_param(ple_gap, int, S_IRUGO);
126 
127 static int ple_window = KVM_VMX_DEFAULT_PLE_WINDOW;
128 module_param(ple_window, int, S_IRUGO);
129 
130 extern const ulong vmx_return;
131 
132 #define NR_AUTOLOAD_MSRS 8
133 #define VMCS02_POOL_SIZE 1
134 
135 struct vmcs {
136  u32 revision_id;
137  u32 abort;
138  char data[0];
139 };
140 
141 /*
142  * Track a VMCS that may be loaded on a certain CPU. If it is (cpu!=-1), also
143  * remember whether it was VMLAUNCHed, and maintain a linked list of all VMCSs
144  * loaded on this CPU (so we can clear them if the CPU goes down).
145  */
146 struct loaded_vmcs {
147  struct vmcs *vmcs;
148  int cpu;
149  int launched;
150  struct list_head loaded_vmcss_on_cpu_link;
151 };
152 
153 struct shared_msr_entry {
154  unsigned index;
155  u64 data;
156  u64 mask;
157 };
158 
159 /*
160  * struct vmcs12 describes the state that our guest hypervisor (L1) keeps for a
161  * single nested guest (L2), hence the name vmcs12. Any VMX implementation has
162  * a VMCS structure, and vmcs12 is our emulated VMX's VMCS. This structure is
163  * stored in guest memory specified by VMPTRLD, but is opaque to the guest,
164  * which must access it using VMREAD/VMWRITE/VMCLEAR instructions.
165  * More than one of these structures may exist, if L1 runs multiple L2 guests.
166  * nested_vmx_run() will use the data here to build a vmcs02: a VMCS for the
167  * underlying hardware which will be used to run L2.
168  * This structure is packed to ensure that its layout is identical across
169  * machines (necessary for live migration).
170  * If there are changes in this struct, VMCS12_REVISION must be changed.
171  */
172 typedef u64 natural_width;
173 struct __packed vmcs12 {
174  /* According to the Intel spec, a VMCS region must start with the
175  * following two fields. Then follow implementation-specific data.
176  */
177  u32 revision_id;
178  u32 abort;
179 
180  u32 launch_state; /* set to 0 by VMCLEAR, to 1 by VMLAUNCH */
181  u32 padding[7]; /* room for future expansion */
182 
183  u64 io_bitmap_a;
184  u64 io_bitmap_b;
185  u64 msr_bitmap;
186  u64 vm_exit_msr_store_addr;
187  u64 vm_exit_msr_load_addr;
188  u64 vm_entry_msr_load_addr;
189  u64 tsc_offset;
190  u64 virtual_apic_page_addr;
191  u64 apic_access_addr;
192  u64 ept_pointer;
193  u64 guest_physical_address;
194  u64 vmcs_link_pointer;
195  u64 guest_ia32_debugctl;
196  u64 guest_ia32_pat;
197  u64 guest_ia32_efer;
198  u64 guest_ia32_perf_global_ctrl;
199  u64 guest_pdptr0;
200  u64 guest_pdptr1;
201  u64 guest_pdptr2;
202  u64 guest_pdptr3;
203  u64 host_ia32_pat;
204  u64 host_ia32_efer;
205  u64 host_ia32_perf_global_ctrl;
206  u64 padding64[8]; /* room for future expansion */
207  /*
208  * To allow migration of L1 (complete with its L2 guests) between
209  * machines of different natural widths (32 or 64 bit), we cannot have
210  * unsigned long fields with no explict size. We use u64 (aliased
211  * natural_width) instead. Luckily, x86 is little-endian.
212  */
213  natural_width cr0_guest_host_mask;
214  natural_width cr4_guest_host_mask;
215  natural_width cr0_read_shadow;
216  natural_width cr4_read_shadow;
217  natural_width cr3_target_value0;
218  natural_width cr3_target_value1;
219  natural_width cr3_target_value2;
220  natural_width cr3_target_value3;
221  natural_width exit_qualification;
222  natural_width guest_linear_address;
223  natural_width guest_cr0;
224  natural_width guest_cr3;
225  natural_width guest_cr4;
226  natural_width guest_es_base;
227  natural_width guest_cs_base;
228  natural_width guest_ss_base;
229  natural_width guest_ds_base;
230  natural_width guest_fs_base;
231  natural_width guest_gs_base;
232  natural_width guest_ldtr_base;
233  natural_width guest_tr_base;
234  natural_width guest_gdtr_base;
235  natural_width guest_idtr_base;
236  natural_width guest_dr7;
237  natural_width guest_rsp;
238  natural_width guest_rip;
239  natural_width guest_rflags;
240  natural_width guest_pending_dbg_exceptions;
241  natural_width guest_sysenter_esp;
242  natural_width guest_sysenter_eip;
243  natural_width host_cr0;
244  natural_width host_cr3;
245  natural_width host_cr4;
246  natural_width host_fs_base;
247  natural_width host_gs_base;
248  natural_width host_tr_base;
249  natural_width host_gdtr_base;
250  natural_width host_idtr_base;
251  natural_width host_ia32_sysenter_esp;
252  natural_width host_ia32_sysenter_eip;
253  natural_width host_rsp;
254  natural_width host_rip;
255  natural_width paddingl[8]; /* room for future expansion */
256  u32 pin_based_vm_exec_control;
257  u32 cpu_based_vm_exec_control;
258  u32 exception_bitmap;
259  u32 page_fault_error_code_mask;
260  u32 page_fault_error_code_match;
261  u32 cr3_target_count;
262  u32 vm_exit_controls;
263  u32 vm_exit_msr_store_count;
264  u32 vm_exit_msr_load_count;
265  u32 vm_entry_controls;
266  u32 vm_entry_msr_load_count;
267  u32 vm_entry_intr_info_field;
268  u32 vm_entry_exception_error_code;
269  u32 vm_entry_instruction_len;
270  u32 tpr_threshold;
271  u32 secondary_vm_exec_control;
272  u32 vm_instruction_error;
273  u32 vm_exit_reason;
274  u32 vm_exit_intr_info;
275  u32 vm_exit_intr_error_code;
276  u32 idt_vectoring_info_field;
277  u32 idt_vectoring_error_code;
278  u32 vm_exit_instruction_len;
279  u32 vmx_instruction_info;
280  u32 guest_es_limit;
281  u32 guest_cs_limit;
282  u32 guest_ss_limit;
283  u32 guest_ds_limit;
284  u32 guest_fs_limit;
285  u32 guest_gs_limit;
286  u32 guest_ldtr_limit;
287  u32 guest_tr_limit;
288  u32 guest_gdtr_limit;
289  u32 guest_idtr_limit;
290  u32 guest_es_ar_bytes;
291  u32 guest_cs_ar_bytes;
292  u32 guest_ss_ar_bytes;
293  u32 guest_ds_ar_bytes;
294  u32 guest_fs_ar_bytes;
295  u32 guest_gs_ar_bytes;
296  u32 guest_ldtr_ar_bytes;
297  u32 guest_tr_ar_bytes;
298  u32 guest_interruptibility_info;
299  u32 guest_activity_state;
300  u32 guest_sysenter_cs;
301  u32 host_ia32_sysenter_cs;
302  u32 padding32[8]; /* room for future expansion */
303  u16 virtual_processor_id;
304  u16 guest_es_selector;
305  u16 guest_cs_selector;
306  u16 guest_ss_selector;
307  u16 guest_ds_selector;
308  u16 guest_fs_selector;
309  u16 guest_gs_selector;
310  u16 guest_ldtr_selector;
311  u16 guest_tr_selector;
312  u16 host_es_selector;
313  u16 host_cs_selector;
314  u16 host_ss_selector;
315  u16 host_ds_selector;
316  u16 host_fs_selector;
317  u16 host_gs_selector;
318  u16 host_tr_selector;
319 };
320 
321 /*
322  * VMCS12_REVISION is an arbitrary id that should be changed if the content or
323  * layout of struct vmcs12 is changed. MSR_IA32_VMX_BASIC returns this id, and
324  * VMPTRLD verifies that the VMCS region that L1 is loading contains this id.
325  */
326 #define VMCS12_REVISION 0x11e57ed0
327 
328 /*
329  * VMCS12_SIZE is the number of bytes L1 should allocate for the VMXON region
330  * and any VMCS region. Although only sizeof(struct vmcs12) are used by the
331  * current implementation, 4K are reserved to avoid future complications.
332  */
333 #define VMCS12_SIZE 0x1000
334 
335 /* Used to remember the last vmcs02 used for some recently used vmcs12s */
336 struct vmcs02_list {
337  struct list_head list;
338  gpa_t vmptr;
339  struct loaded_vmcs vmcs02;
340 };
341 
342 /*
343  * The nested_vmx structure is part of vcpu_vmx, and holds information we need
344  * for correct emulation of VMX (i.e., nested VMX) on this vcpu.
345  */
346 struct nested_vmx {
347  /* Has the level1 guest done vmxon? */
348  bool vmxon;
349 
350  /* The guest-physical address of the current VMCS L1 keeps for L2 */
351  gpa_t current_vmptr;
352  /* The host-usable pointer to the above */
353  struct page *current_vmcs12_page;
354  struct vmcs12 *current_vmcs12;
355 
356  /* vmcs02_list cache of VMCSs recently used to run L2 guests */
357  struct list_head vmcs02_pool;
358  int vmcs02_num;
359  u64 vmcs01_tsc_offset;
360  /* L2 must run next, and mustn't decide to exit to L1. */
361  bool nested_run_pending;
362  /*
363  * Guest pages referred to in vmcs02 with host-physical pointers, so
364  * we must keep them pinned while L2 runs.
365  */
366  struct page *apic_access_page;
367 };
368 
369 struct vcpu_vmx {
370  struct kvm_vcpu vcpu;
371  unsigned long host_rsp;
372  u8 fail;
373  u8 cpl;
374  bool nmi_known_unmasked;
375  u32 exit_intr_info;
376  u32 idt_vectoring_info;
377  ulong rflags;
378  struct shared_msr_entry *guest_msrs;
379  int nmsrs;
380  int save_nmsrs;
381 #ifdef CONFIG_X86_64
382  u64 msr_host_kernel_gs_base;
383  u64 msr_guest_kernel_gs_base;
384 #endif
385  /*
386  * loaded_vmcs points to the VMCS currently used in this vcpu. For a
387  * non-nested (L1) guest, it always points to vmcs01. For a nested
388  * guest (L2), it points to a different VMCS.
389  */
390  struct loaded_vmcs vmcs01;
391  struct loaded_vmcs *loaded_vmcs;
392  bool __launched; /* temporary, used in vmx_vcpu_run */
393  struct msr_autoload {
394  unsigned nr;
395  struct vmx_msr_entry guest[NR_AUTOLOAD_MSRS];
396  struct vmx_msr_entry host[NR_AUTOLOAD_MSRS];
397  } msr_autoload;
398  struct {
399  int loaded;
400  u16 fs_sel, gs_sel, ldt_sel;
401 #ifdef CONFIG_X86_64
402  u16 ds_sel, es_sel;
403 #endif
404  int gs_ldt_reload_needed;
405  int fs_reload_needed;
406  } host_state;
407  struct {
408  int vm86_active;
409  ulong save_rflags;
410  struct kvm_segment segs[8];
411  } rmode;
412  struct {
413  u32 bitmask; /* 4 bits per segment (1 bit per field) */
414  struct kvm_save_segment {
415  u16 selector;
416  unsigned long base;
417  u32 limit;
418  u32 ar;
419  } seg[8];
420  } segment_cache;
421  int vpid;
422  bool emulation_required;
423 
424  /* Support for vnmi-less CPUs */
425  int soft_vnmi_blocked;
426  ktime_t entry_time;
427  s64 vnmi_blocked_time;
428  u32 exit_reason;
429 
430  bool rdtscp_enabled;
431 
432  /* Support for a guest hypervisor (nested VMX) */
433  struct nested_vmx nested;
434 };
435 
436 enum segment_cache_field {
437  SEG_FIELD_SEL = 0,
438  SEG_FIELD_BASE = 1,
439  SEG_FIELD_LIMIT = 2,
440  SEG_FIELD_AR = 3,
441 
442  SEG_FIELD_NR = 4
443 };
444 
445 static inline struct vcpu_vmx *to_vmx(struct kvm_vcpu *vcpu)
446 {
447  return container_of(vcpu, struct vcpu_vmx, vcpu);
448 }
449 
450 #define VMCS12_OFFSET(x) offsetof(struct vmcs12, x)
451 #define FIELD(number, name) [number] = VMCS12_OFFSET(name)
452 #define FIELD64(number, name) [number] = VMCS12_OFFSET(name), \
453  [number##_HIGH] = VMCS12_OFFSET(name)+4
454 
455 static const unsigned short vmcs_field_to_offset_table[] = {
456  FIELD(VIRTUAL_PROCESSOR_ID, virtual_processor_id),
457  FIELD(GUEST_ES_SELECTOR, guest_es_selector),
458  FIELD(GUEST_CS_SELECTOR, guest_cs_selector),
459  FIELD(GUEST_SS_SELECTOR, guest_ss_selector),
460  FIELD(GUEST_DS_SELECTOR, guest_ds_selector),
461  FIELD(GUEST_FS_SELECTOR, guest_fs_selector),
462  FIELD(GUEST_GS_SELECTOR, guest_gs_selector),
463  FIELD(GUEST_LDTR_SELECTOR, guest_ldtr_selector),
464  FIELD(GUEST_TR_SELECTOR, guest_tr_selector),
465  FIELD(HOST_ES_SELECTOR, host_es_selector),
466  FIELD(HOST_CS_SELECTOR, host_cs_selector),
467  FIELD(HOST_SS_SELECTOR, host_ss_selector),
468  FIELD(HOST_DS_SELECTOR, host_ds_selector),
469  FIELD(HOST_FS_SELECTOR, host_fs_selector),
470  FIELD(HOST_GS_SELECTOR, host_gs_selector),
471  FIELD(HOST_TR_SELECTOR, host_tr_selector),
472  FIELD64(IO_BITMAP_A, io_bitmap_a),
473  FIELD64(IO_BITMAP_B, io_bitmap_b),
474  FIELD64(MSR_BITMAP, msr_bitmap),
475  FIELD64(VM_EXIT_MSR_STORE_ADDR, vm_exit_msr_store_addr),
476  FIELD64(VM_EXIT_MSR_LOAD_ADDR, vm_exit_msr_load_addr),
477  FIELD64(VM_ENTRY_MSR_LOAD_ADDR, vm_entry_msr_load_addr),
478  FIELD64(TSC_OFFSET, tsc_offset),
479  FIELD64(VIRTUAL_APIC_PAGE_ADDR, virtual_apic_page_addr),
480  FIELD64(APIC_ACCESS_ADDR, apic_access_addr),
481  FIELD64(EPT_POINTER, ept_pointer),
482  FIELD64(GUEST_PHYSICAL_ADDRESS, guest_physical_address),
483  FIELD64(VMCS_LINK_POINTER, vmcs_link_pointer),
484  FIELD64(GUEST_IA32_DEBUGCTL, guest_ia32_debugctl),
485  FIELD64(GUEST_IA32_PAT, guest_ia32_pat),
486  FIELD64(GUEST_IA32_EFER, guest_ia32_efer),
487  FIELD64(GUEST_IA32_PERF_GLOBAL_CTRL, guest_ia32_perf_global_ctrl),
488  FIELD64(GUEST_PDPTR0, guest_pdptr0),
489  FIELD64(GUEST_PDPTR1, guest_pdptr1),
490  FIELD64(GUEST_PDPTR2, guest_pdptr2),
491  FIELD64(GUEST_PDPTR3, guest_pdptr3),
492  FIELD64(HOST_IA32_PAT, host_ia32_pat),
493  FIELD64(HOST_IA32_EFER, host_ia32_efer),
494  FIELD64(HOST_IA32_PERF_GLOBAL_CTRL, host_ia32_perf_global_ctrl),
495  FIELD(PIN_BASED_VM_EXEC_CONTROL, pin_based_vm_exec_control),
496  FIELD(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control),
497  FIELD(EXCEPTION_BITMAP, exception_bitmap),
498  FIELD(PAGE_FAULT_ERROR_CODE_MASK, page_fault_error_code_mask),
499  FIELD(PAGE_FAULT_ERROR_CODE_MATCH, page_fault_error_code_match),
500  FIELD(CR3_TARGET_COUNT, cr3_target_count),
501  FIELD(VM_EXIT_CONTROLS, vm_exit_controls),
502  FIELD(VM_EXIT_MSR_STORE_COUNT, vm_exit_msr_store_count),
503  FIELD(VM_EXIT_MSR_LOAD_COUNT, vm_exit_msr_load_count),
504  FIELD(VM_ENTRY_CONTROLS, vm_entry_controls),
505  FIELD(VM_ENTRY_MSR_LOAD_COUNT, vm_entry_msr_load_count),
506  FIELD(VM_ENTRY_INTR_INFO_FIELD, vm_entry_intr_info_field),
507  FIELD(VM_ENTRY_EXCEPTION_ERROR_CODE, vm_entry_exception_error_code),
508  FIELD(VM_ENTRY_INSTRUCTION_LEN, vm_entry_instruction_len),
509  FIELD(TPR_THRESHOLD, tpr_threshold),
510  FIELD(SECONDARY_VM_EXEC_CONTROL, secondary_vm_exec_control),
511  FIELD(VM_INSTRUCTION_ERROR, vm_instruction_error),
512  FIELD(VM_EXIT_REASON, vm_exit_reason),
513  FIELD(VM_EXIT_INTR_INFO, vm_exit_intr_info),
514  FIELD(VM_EXIT_INTR_ERROR_CODE, vm_exit_intr_error_code),
515  FIELD(IDT_VECTORING_INFO_FIELD, idt_vectoring_info_field),
516  FIELD(IDT_VECTORING_ERROR_CODE, idt_vectoring_error_code),
517  FIELD(VM_EXIT_INSTRUCTION_LEN, vm_exit_instruction_len),
518  FIELD(VMX_INSTRUCTION_INFO, vmx_instruction_info),
519  FIELD(GUEST_ES_LIMIT, guest_es_limit),
520  FIELD(GUEST_CS_LIMIT, guest_cs_limit),
521  FIELD(GUEST_SS_LIMIT, guest_ss_limit),
522  FIELD(GUEST_DS_LIMIT, guest_ds_limit),
523  FIELD(GUEST_FS_LIMIT, guest_fs_limit),
524  FIELD(GUEST_GS_LIMIT, guest_gs_limit),
525  FIELD(GUEST_LDTR_LIMIT, guest_ldtr_limit),
526  FIELD(GUEST_TR_LIMIT, guest_tr_limit),
527  FIELD(GUEST_GDTR_LIMIT, guest_gdtr_limit),
528  FIELD(GUEST_IDTR_LIMIT, guest_idtr_limit),
529  FIELD(GUEST_ES_AR_BYTES, guest_es_ar_bytes),
530  FIELD(GUEST_CS_AR_BYTES, guest_cs_ar_bytes),
531  FIELD(GUEST_SS_AR_BYTES, guest_ss_ar_bytes),
532  FIELD(GUEST_DS_AR_BYTES, guest_ds_ar_bytes),
533  FIELD(GUEST_FS_AR_BYTES, guest_fs_ar_bytes),
534  FIELD(GUEST_GS_AR_BYTES, guest_gs_ar_bytes),
535  FIELD(GUEST_LDTR_AR_BYTES, guest_ldtr_ar_bytes),
536  FIELD(GUEST_TR_AR_BYTES, guest_tr_ar_bytes),
537  FIELD(GUEST_INTERRUPTIBILITY_INFO, guest_interruptibility_info),
538  FIELD(GUEST_ACTIVITY_STATE, guest_activity_state),
539  FIELD(GUEST_SYSENTER_CS, guest_sysenter_cs),
540  FIELD(HOST_IA32_SYSENTER_CS, host_ia32_sysenter_cs),
541  FIELD(CR0_GUEST_HOST_MASK, cr0_guest_host_mask),
542  FIELD(CR4_GUEST_HOST_MASK, cr4_guest_host_mask),
543  FIELD(CR0_READ_SHADOW, cr0_read_shadow),
544  FIELD(CR4_READ_SHADOW, cr4_read_shadow),
545  FIELD(CR3_TARGET_VALUE0, cr3_target_value0),
546  FIELD(CR3_TARGET_VALUE1, cr3_target_value1),
547  FIELD(CR3_TARGET_VALUE2, cr3_target_value2),
548  FIELD(CR3_TARGET_VALUE3, cr3_target_value3),
549  FIELD(EXIT_QUALIFICATION, exit_qualification),
550  FIELD(GUEST_LINEAR_ADDRESS, guest_linear_address),
551  FIELD(GUEST_CR0, guest_cr0),
552  FIELD(GUEST_CR3, guest_cr3),
553  FIELD(GUEST_CR4, guest_cr4),
554  FIELD(GUEST_ES_BASE, guest_es_base),
555  FIELD(GUEST_CS_BASE, guest_cs_base),
556  FIELD(GUEST_SS_BASE, guest_ss_base),
557  FIELD(GUEST_DS_BASE, guest_ds_base),
558  FIELD(GUEST_FS_BASE, guest_fs_base),
559  FIELD(GUEST_GS_BASE, guest_gs_base),
560  FIELD(GUEST_LDTR_BASE, guest_ldtr_base),
561  FIELD(GUEST_TR_BASE, guest_tr_base),
562  FIELD(GUEST_GDTR_BASE, guest_gdtr_base),
563  FIELD(GUEST_IDTR_BASE, guest_idtr_base),
564  FIELD(GUEST_DR7, guest_dr7),
565  FIELD(GUEST_RSP, guest_rsp),
566  FIELD(GUEST_RIP, guest_rip),
567  FIELD(GUEST_RFLAGS, guest_rflags),
568  FIELD(GUEST_PENDING_DBG_EXCEPTIONS, guest_pending_dbg_exceptions),
569  FIELD(GUEST_SYSENTER_ESP, guest_sysenter_esp),
570  FIELD(GUEST_SYSENTER_EIP, guest_sysenter_eip),
571  FIELD(HOST_CR0, host_cr0),
572  FIELD(HOST_CR3, host_cr3),
573  FIELD(HOST_CR4, host_cr4),
574  FIELD(HOST_FS_BASE, host_fs_base),
575  FIELD(HOST_GS_BASE, host_gs_base),
576  FIELD(HOST_TR_BASE, host_tr_base),
577  FIELD(HOST_GDTR_BASE, host_gdtr_base),
578  FIELD(HOST_IDTR_BASE, host_idtr_base),
579  FIELD(HOST_IA32_SYSENTER_ESP, host_ia32_sysenter_esp),
580  FIELD(HOST_IA32_SYSENTER_EIP, host_ia32_sysenter_eip),
581  FIELD(HOST_RSP, host_rsp),
582  FIELD(HOST_RIP, host_rip),
583 };
584 static const int max_vmcs_field = ARRAY_SIZE(vmcs_field_to_offset_table);
585 
586 static inline short vmcs_field_to_offset(unsigned long field)
587 {
588  if (field >= max_vmcs_field || vmcs_field_to_offset_table[field] == 0)
589  return -1;
590  return vmcs_field_to_offset_table[field];
591 }
592 
593 static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
594 {
595  return to_vmx(vcpu)->nested.current_vmcs12;
596 }
597 
598 static struct page *nested_get_page(struct kvm_vcpu *vcpu, gpa_t addr)
599 {
600  struct page *page = gfn_to_page(vcpu->kvm, addr >> PAGE_SHIFT);
601  if (is_error_page(page))
602  return NULL;
603 
604  return page;
605 }
606 
607 static void nested_release_page(struct page *page)
608 {
609  kvm_release_page_dirty(page);
610 }
611 
612 static void nested_release_page_clean(struct page *page)
613 {
614  kvm_release_page_clean(page);
615 }
616 
617 static u64 construct_eptp(unsigned long root_hpa);
618 static void kvm_cpu_vmxon(u64 addr);
619 static void kvm_cpu_vmxoff(void);
620 static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3);
621 static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr);
622 static void vmx_set_segment(struct kvm_vcpu *vcpu,
623  struct kvm_segment *var, int seg);
624 static void vmx_get_segment(struct kvm_vcpu *vcpu,
625  struct kvm_segment *var, int seg);
626 
627 static DEFINE_PER_CPU(struct vmcs *, vmxarea);
628 static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
629 /*
630  * We maintain a per-CPU linked-list of VMCS loaded on that CPU. This is needed
631  * when a CPU is brought down, and we need to VMCLEAR all VMCSs loaded on it.
632  */
633 static DEFINE_PER_CPU(struct list_head, loaded_vmcss_on_cpu);
634 static DEFINE_PER_CPU(struct desc_ptr, host_gdt);
635 
636 static unsigned long *vmx_io_bitmap_a;
637 static unsigned long *vmx_io_bitmap_b;
638 static unsigned long *vmx_msr_bitmap_legacy;
639 static unsigned long *vmx_msr_bitmap_longmode;
640 
641 static bool cpu_has_load_ia32_efer;
642 static bool cpu_has_load_perf_global_ctrl;
643 
644 static DECLARE_BITMAP(vmx_vpid_bitmap, VMX_NR_VPIDS);
645 static DEFINE_SPINLOCK(vmx_vpid_lock);
646 
647 static struct vmcs_config {
648  int size;
649  int order;
650  u32 revision_id;
651  u32 pin_based_exec_ctrl;
652  u32 cpu_based_exec_ctrl;
653  u32 cpu_based_2nd_exec_ctrl;
654  u32 vmexit_ctrl;
655  u32 vmentry_ctrl;
656 } vmcs_config;
657 
658 static struct vmx_capability {
659  u32 ept;
660  u32 vpid;
661 } vmx_capability;
662 
663 #define VMX_SEGMENT_FIELD(seg) \
664  [VCPU_SREG_##seg] = { \
665  .selector = GUEST_##seg##_SELECTOR, \
666  .base = GUEST_##seg##_BASE, \
667  .limit = GUEST_##seg##_LIMIT, \
668  .ar_bytes = GUEST_##seg##_AR_BYTES, \
669  }
670 
671 static const struct kvm_vmx_segment_field {
672  unsigned selector;
673  unsigned base;
674  unsigned limit;
675  unsigned ar_bytes;
676 } kvm_vmx_segment_fields[] = {
677  VMX_SEGMENT_FIELD(CS),
678  VMX_SEGMENT_FIELD(DS),
679  VMX_SEGMENT_FIELD(ES),
680  VMX_SEGMENT_FIELD(FS),
681  VMX_SEGMENT_FIELD(GS),
682  VMX_SEGMENT_FIELD(SS),
683  VMX_SEGMENT_FIELD(TR),
684  VMX_SEGMENT_FIELD(LDTR),
685 };
686 
687 static u64 host_efer;
688 
689 static void ept_save_pdptrs(struct kvm_vcpu *vcpu);
690 
691 /*
692  * Keep MSR_STAR at the end, as setup_msrs() will try to optimize it
693  * away by decrementing the array size.
694  */
695 static const u32 vmx_msr_index[] = {
696 #ifdef CONFIG_X86_64
697  MSR_SYSCALL_MASK, MSR_LSTAR, MSR_CSTAR,
698 #endif
699  MSR_EFER, MSR_TSC_AUX, MSR_STAR,
700 };
701 #define NR_VMX_MSR ARRAY_SIZE(vmx_msr_index)
702 
703 static inline bool is_page_fault(u32 intr_info)
704 {
705  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
706  INTR_INFO_VALID_MASK)) ==
707  (INTR_TYPE_HARD_EXCEPTION | PF_VECTOR | INTR_INFO_VALID_MASK);
708 }
709 
710 static inline bool is_no_device(u32 intr_info)
711 {
712  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
713  INTR_INFO_VALID_MASK)) ==
714  (INTR_TYPE_HARD_EXCEPTION | NM_VECTOR | INTR_INFO_VALID_MASK);
715 }
716 
717 static inline bool is_invalid_opcode(u32 intr_info)
718 {
719  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
720  INTR_INFO_VALID_MASK)) ==
721  (INTR_TYPE_HARD_EXCEPTION | UD_VECTOR | INTR_INFO_VALID_MASK);
722 }
723 
724 static inline bool is_external_interrupt(u32 intr_info)
725 {
726  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
727  == (INTR_TYPE_EXT_INTR | INTR_INFO_VALID_MASK);
728 }
729 
730 static inline bool is_machine_check(u32 intr_info)
731 {
732  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VECTOR_MASK |
733  INTR_INFO_VALID_MASK)) ==
734  (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
735 }
736 
737 static inline bool cpu_has_vmx_msr_bitmap(void)
738 {
739  return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
740 }
741 
742 static inline bool cpu_has_vmx_tpr_shadow(void)
743 {
744  return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_TPR_SHADOW;
745 }
746 
747 static inline bool vm_need_tpr_shadow(struct kvm *kvm)
748 {
749  return (cpu_has_vmx_tpr_shadow()) && (irqchip_in_kernel(kvm));
750 }
751 
752 static inline bool cpu_has_secondary_exec_ctrls(void)
753 {
754  return vmcs_config.cpu_based_exec_ctrl &
755  CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
756 }
757 
758 static inline bool cpu_has_vmx_virtualize_apic_accesses(void)
759 {
760  return vmcs_config.cpu_based_2nd_exec_ctrl &
761  SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
762 }
763 
764 static inline bool cpu_has_vmx_flexpriority(void)
765 {
766  return cpu_has_vmx_tpr_shadow() &&
767  cpu_has_vmx_virtualize_apic_accesses();
768 }
769 
770 static inline bool cpu_has_vmx_ept_execute_only(void)
771 {
772  return vmx_capability.ept & VMX_EPT_EXECUTE_ONLY_BIT;
773 }
774 
775 static inline bool cpu_has_vmx_eptp_uncacheable(void)
776 {
777  return vmx_capability.ept & VMX_EPTP_UC_BIT;
778 }
779 
780 static inline bool cpu_has_vmx_eptp_writeback(void)
781 {
782  return vmx_capability.ept & VMX_EPTP_WB_BIT;
783 }
784 
785 static inline bool cpu_has_vmx_ept_2m_page(void)
786 {
787  return vmx_capability.ept & VMX_EPT_2MB_PAGE_BIT;
788 }
789 
790 static inline bool cpu_has_vmx_ept_1g_page(void)
791 {
792  return vmx_capability.ept & VMX_EPT_1GB_PAGE_BIT;
793 }
794 
795 static inline bool cpu_has_vmx_ept_4levels(void)
796 {
797  return vmx_capability.ept & VMX_EPT_PAGE_WALK_4_BIT;
798 }
799 
800 static inline bool cpu_has_vmx_ept_ad_bits(void)
801 {
802  return vmx_capability.ept & VMX_EPT_AD_BIT;
803 }
804 
805 static inline bool cpu_has_vmx_invept_individual_addr(void)
806 {
807  return vmx_capability.ept & VMX_EPT_EXTENT_INDIVIDUAL_BIT;
808 }
809 
810 static inline bool cpu_has_vmx_invept_context(void)
811 {
812  return vmx_capability.ept & VMX_EPT_EXTENT_CONTEXT_BIT;
813 }
814 
815 static inline bool cpu_has_vmx_invept_global(void)
816 {
817  return vmx_capability.ept & VMX_EPT_EXTENT_GLOBAL_BIT;
818 }
819 
820 static inline bool cpu_has_vmx_invvpid_single(void)
821 {
822  return vmx_capability.vpid & VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT;
823 }
824 
825 static inline bool cpu_has_vmx_invvpid_global(void)
826 {
827  return vmx_capability.vpid & VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
828 }
829 
830 static inline bool cpu_has_vmx_ept(void)
831 {
832  return vmcs_config.cpu_based_2nd_exec_ctrl &
833  SECONDARY_EXEC_ENABLE_EPT;
834 }
835 
836 static inline bool cpu_has_vmx_unrestricted_guest(void)
837 {
838  return vmcs_config.cpu_based_2nd_exec_ctrl &
839  SECONDARY_EXEC_UNRESTRICTED_GUEST;
840 }
841 
842 static inline bool cpu_has_vmx_ple(void)
843 {
844  return vmcs_config.cpu_based_2nd_exec_ctrl &
845  SECONDARY_EXEC_PAUSE_LOOP_EXITING;
846 }
847 
848 static inline bool vm_need_virtualize_apic_accesses(struct kvm *kvm)
849 {
850  return flexpriority_enabled && irqchip_in_kernel(kvm);
851 }
852 
853 static inline bool cpu_has_vmx_vpid(void)
854 {
855  return vmcs_config.cpu_based_2nd_exec_ctrl &
856  SECONDARY_EXEC_ENABLE_VPID;
857 }
858 
859 static inline bool cpu_has_vmx_rdtscp(void)
860 {
861  return vmcs_config.cpu_based_2nd_exec_ctrl &
862  SECONDARY_EXEC_RDTSCP;
863 }
864 
865 static inline bool cpu_has_vmx_invpcid(void)
866 {
867  return vmcs_config.cpu_based_2nd_exec_ctrl &
868  SECONDARY_EXEC_ENABLE_INVPCID;
869 }
870 
871 static inline bool cpu_has_virtual_nmis(void)
872 {
873  return vmcs_config.pin_based_exec_ctrl & PIN_BASED_VIRTUAL_NMIS;
874 }
875 
876 static inline bool cpu_has_vmx_wbinvd_exit(void)
877 {
878  return vmcs_config.cpu_based_2nd_exec_ctrl &
879  SECONDARY_EXEC_WBINVD_EXITING;
880 }
881 
882 static inline bool report_flexpriority(void)
883 {
884  return flexpriority_enabled;
885 }
886 
887 static inline bool nested_cpu_has(struct vmcs12 *vmcs12, u32 bit)
888 {
889  return vmcs12->cpu_based_vm_exec_control & bit;
890 }
891 
892 static inline bool nested_cpu_has2(struct vmcs12 *vmcs12, u32 bit)
893 {
894  return (vmcs12->cpu_based_vm_exec_control &
895  CPU_BASED_ACTIVATE_SECONDARY_CONTROLS) &&
896  (vmcs12->secondary_vm_exec_control & bit);
897 }
898 
899 static inline bool nested_cpu_has_virtual_nmis(struct vmcs12 *vmcs12,
900  struct kvm_vcpu *vcpu)
901 {
902  return vmcs12->pin_based_vm_exec_control & PIN_BASED_VIRTUAL_NMIS;
903 }
904 
905 static inline bool is_exception(u32 intr_info)
906 {
907  return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
908  == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
909 }
910 
911 static void nested_vmx_vmexit(struct kvm_vcpu *vcpu);
912 static void nested_vmx_entry_failure(struct kvm_vcpu *vcpu,
913  struct vmcs12 *vmcs12,
914  u32 reason, unsigned long qualification);
915 
916 static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr)
917 {
918  int i;
919 
920  for (i = 0; i < vmx->nmsrs; ++i)
921  if (vmx_msr_index[vmx->guest_msrs[i].index] == msr)
922  return i;
923  return -1;
924 }
925 
926 static inline void __invvpid(int ext, u16 vpid, gva_t gva)
927 {
928  struct {
929  u64 vpid : 16;
930  u64 rsvd : 48;
931  u64 gva;
932  } operand = { vpid, 0, gva };
933 
934  asm volatile (__ex(ASM_VMX_INVVPID)
935  /* CF==1 or ZF==1 --> rc = -1 */
936  "; ja 1f ; ud2 ; 1:"
937  : : "a"(&operand), "c"(ext) : "cc", "memory");
938 }
939 
940 static inline void __invept(int ext, u64 eptp, gpa_t gpa)
941 {
942  struct {
943  u64 eptp, gpa;
944  } operand = {eptp, gpa};
945 
946  asm volatile (__ex(ASM_VMX_INVEPT)
947  /* CF==1 or ZF==1 --> rc = -1 */
948  "; ja 1f ; ud2 ; 1:\n"
949  : : "a" (&operand), "c" (ext) : "cc", "memory");
950 }
951 
952 static struct shared_msr_entry *find_msr_entry(struct vcpu_vmx *vmx, u32 msr)
953 {
954  int i;
955 
956  i = __find_msr_index(vmx, msr);
957  if (i >= 0)
958  return &vmx->guest_msrs[i];
959  return NULL;
960 }
961 
962 static void vmcs_clear(struct vmcs *vmcs)
963 {
964  u64 phys_addr = __pa(vmcs);
965  u8 error;
966 
967  asm volatile (__ex(ASM_VMX_VMCLEAR_RAX) "; setna %0"
968  : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
969  : "cc", "memory");
970  if (error)
971  printk(KERN_ERR "kvm: vmclear fail: %p/%llx\n",
972  vmcs, phys_addr);
973 }
974 
975 static inline void loaded_vmcs_init(struct loaded_vmcs *loaded_vmcs)
976 {
977  vmcs_clear(loaded_vmcs->vmcs);
978  loaded_vmcs->cpu = -1;
979  loaded_vmcs->launched = 0;
980 }
981 
982 static void vmcs_load(struct vmcs *vmcs)
983 {
984  u64 phys_addr = __pa(vmcs);
985  u8 error;
986 
987  asm volatile (__ex(ASM_VMX_VMPTRLD_RAX) "; setna %0"
988  : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
989  : "cc", "memory");
990  if (error)
991  printk(KERN_ERR "kvm: vmptrld %p/%llx failed\n",
992  vmcs, phys_addr);
993 }
994 
995 static void __loaded_vmcs_clear(void *arg)
996 {
997  struct loaded_vmcs *loaded_vmcs = arg;
998  int cpu = raw_smp_processor_id();
999 
1000  if (loaded_vmcs->cpu != cpu)
1001  return; /* vcpu migration can race with cpu offline */
1002  if (per_cpu(current_vmcs, cpu) == loaded_vmcs->vmcs)
1003  per_cpu(current_vmcs, cpu) = NULL;
1004  list_del(&loaded_vmcs->loaded_vmcss_on_cpu_link);
1005  loaded_vmcs_init(loaded_vmcs);
1006 }
1007 
1008 static void loaded_vmcs_clear(struct loaded_vmcs *loaded_vmcs)
1009 {
1010  if (loaded_vmcs->cpu != -1)
1011  smp_call_function_single(
1012  loaded_vmcs->cpu, __loaded_vmcs_clear, loaded_vmcs, 1);
1013 }
1014 
1015 static inline void vpid_sync_vcpu_single(struct vcpu_vmx *vmx)
1016 {
1017  if (vmx->vpid == 0)
1018  return;
1019 
1020  if (cpu_has_vmx_invvpid_single())
1021  __invvpid(VMX_VPID_EXTENT_SINGLE_CONTEXT, vmx->vpid, 0);
1022 }
1023 
1024 static inline void vpid_sync_vcpu_global(void)
1025 {
1026  if (cpu_has_vmx_invvpid_global())
1027  __invvpid(VMX_VPID_EXTENT_ALL_CONTEXT, 0, 0);
1028 }
1029 
1030 static inline void vpid_sync_context(struct vcpu_vmx *vmx)
1031 {
1032  if (cpu_has_vmx_invvpid_single())
1033  vpid_sync_vcpu_single(vmx);
1034  else
1035  vpid_sync_vcpu_global();
1036 }
1037 
1038 static inline void ept_sync_global(void)
1039 {
1040  if (cpu_has_vmx_invept_global())
1041  __invept(VMX_EPT_EXTENT_GLOBAL, 0, 0);
1042 }
1043 
1044 static inline void ept_sync_context(u64 eptp)
1045 {
1046  if (enable_ept) {
1047  if (cpu_has_vmx_invept_context())
1048  __invept(VMX_EPT_EXTENT_CONTEXT, eptp, 0);
1049  else
1050  ept_sync_global();
1051  }
1052 }
1053 
1054 static inline void ept_sync_individual_addr(u64 eptp, gpa_t gpa)
1055 {
1056  if (enable_ept) {
1057  if (cpu_has_vmx_invept_individual_addr())
1058  __invept(VMX_EPT_EXTENT_INDIVIDUAL_ADDR,
1059  eptp, gpa);
1060  else
1061  ept_sync_context(eptp);
1062  }
1063 }
1064 
1065 static __always_inline unsigned long vmcs_readl(unsigned long field)
1066 {
1067  unsigned long value;
1068 
1069  asm volatile (__ex_clear(ASM_VMX_VMREAD_RDX_RAX, "%0")
1070  : "=a"(value) : "d"(field) : "cc");
1071  return value;
1072 }
1073 
1074 static __always_inline u16 vmcs_read16(unsigned long field)
1075 {
1076  return vmcs_readl(field);
1077 }
1078 
1079 static __always_inline u32 vmcs_read32(unsigned long field)
1080 {
1081  return vmcs_readl(field);
1082 }
1083 
1084 static __always_inline u64 vmcs_read64(unsigned long field)
1085 {
1086 #ifdef CONFIG_X86_64
1087  return vmcs_readl(field);
1088 #else
1089  return vmcs_readl(field) | ((u64)vmcs_readl(field+1) << 32);
1090 #endif
1091 }
1092 
1093 static noinline void vmwrite_error(unsigned long field, unsigned long value)
1094 {
1095  printk(KERN_ERR "vmwrite error: reg %lx value %lx (err %d)\n",
1096  field, value, vmcs_read32(VM_INSTRUCTION_ERROR));
1097  dump_stack();
1098 }
1099 
1100 static void vmcs_writel(unsigned long field, unsigned long value)
1101 {
1102  u8 error;
1103 
1104  asm volatile (__ex(ASM_VMX_VMWRITE_RAX_RDX) "; setna %0"
1105  : "=q"(error) : "a"(value), "d"(field) : "cc");
1106  if (unlikely(error))
1107  vmwrite_error(field, value);
1108 }
1109 
1110 static void vmcs_write16(unsigned long field, u16 value)
1111 {
1112  vmcs_writel(field, value);
1113 }
1114 
1115 static void vmcs_write32(unsigned long field, u32 value)
1116 {
1117  vmcs_writel(field, value);
1118 }
1119 
1120 static void vmcs_write64(unsigned long field, u64 value)
1121 {
1122  vmcs_writel(field, value);
1123 #ifndef CONFIG_X86_64
1124  asm volatile ("");
1125  vmcs_writel(field+1, value >> 32);
1126 #endif
1127 }
1128 
1129 static void vmcs_clear_bits(unsigned long field, u32 mask)
1130 {
1131  vmcs_writel(field, vmcs_readl(field) & ~mask);
1132 }
1133 
1134 static void vmcs_set_bits(unsigned long field, u32 mask)
1135 {
1136  vmcs_writel(field, vmcs_readl(field) | mask);
1137 }
1138 
1139 static void vmx_segment_cache_clear(struct vcpu_vmx *vmx)
1140 {
1141  vmx->segment_cache.bitmask = 0;
1142 }
1143 
1144 static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg,
1145  unsigned field)
1146 {
1147  bool ret;
1148  u32 mask = 1 << (seg * SEG_FIELD_NR + field);
1149 
1150  if (!(vmx->vcpu.arch.regs_avail & (1 << VCPU_EXREG_SEGMENTS))) {
1151  vmx->vcpu.arch.regs_avail |= (1 << VCPU_EXREG_SEGMENTS);
1152  vmx->segment_cache.bitmask = 0;
1153  }
1154  ret = vmx->segment_cache.bitmask & mask;
1155  vmx->segment_cache.bitmask |= mask;
1156  return ret;
1157 }
1158 
1159 static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg)
1160 {
1161  u16 *p = &vmx->segment_cache.seg[seg].selector;
1162 
1163  if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL))
1164  *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector);
1165  return *p;
1166 }
1167 
1168 static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg)
1169 {
1170  ulong *p = &vmx->segment_cache.seg[seg].base;
1171 
1172  if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE))
1173  *p = vmcs_readl(kvm_vmx_segment_fields[seg].base);
1174  return *p;
1175 }
1176 
1177 static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg)
1178 {
1179  u32 *p = &vmx->segment_cache.seg[seg].limit;
1180 
1181  if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT))
1182  *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit);
1183  return *p;
1184 }
1185 
1186 static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg)
1187 {
1188  u32 *p = &vmx->segment_cache.seg[seg].ar;
1189 
1190  if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR))
1191  *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes);
1192  return *p;
1193 }
1194 
1195 static void update_exception_bitmap(struct kvm_vcpu *vcpu)
1196 {
1197  u32 eb;
1198 
1199  eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
1200  (1u << NM_VECTOR) | (1u << DB_VECTOR);
1201  if ((vcpu->guest_debug &
1202  (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
1203  (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
1204  eb |= 1u << BP_VECTOR;
1205  if (to_vmx(vcpu)->rmode.vm86_active)
1206  eb = ~0;
1207  if (enable_ept)
1208  eb &= ~(1u << PF_VECTOR); /* bypass_guest_pf = 0 */
1209  if (vcpu->fpu_active)
1210  eb &= ~(1u << NM_VECTOR);
1211 
1212  /* When we are running a nested L2 guest and L1 specified for it a
1213  * certain exception bitmap, we must trap the same exceptions and pass
1214  * them to L1. When running L2, we will only handle the exceptions
1215  * specified above if L1 did not want them.
1216  */
1217  if (is_guest_mode(vcpu))
1218  eb |= get_vmcs12(vcpu)->exception_bitmap;
1219 
1220  vmcs_write32(EXCEPTION_BITMAP, eb);
1221 }
1222 
1223 static void clear_atomic_switch_msr_special(unsigned long entry,
1224  unsigned long exit)
1225 {
1226  vmcs_clear_bits(VM_ENTRY_CONTROLS, entry);
1227  vmcs_clear_bits(VM_EXIT_CONTROLS, exit);
1228 }
1229 
1230 static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
1231 {
1232  unsigned i;
1233  struct msr_autoload *m = &vmx->msr_autoload;
1234 
1235  switch (msr) {
1236  case MSR_EFER:
1237  if (cpu_has_load_ia32_efer) {
1238  clear_atomic_switch_msr_special(VM_ENTRY_LOAD_IA32_EFER,
1239  VM_EXIT_LOAD_IA32_EFER);
1240  return;
1241  }
1242  break;
1243  case MSR_CORE_PERF_GLOBAL_CTRL:
1244  if (cpu_has_load_perf_global_ctrl) {
1245  clear_atomic_switch_msr_special(
1246  VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
1247  VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL);
1248  return;
1249  }
1250  break;
1251  }
1252 
1253  for (i = 0; i < m->nr; ++i)
1254  if (m->guest[i].index == msr)
1255  break;
1256 
1257  if (i == m->nr)
1258  return;
1259  --m->nr;
1260  m->guest[i] = m->guest[m->nr];
1261  m->host[i] = m->host[m->nr];
1262  vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->nr);
1263  vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->nr);
1264 }
1265 
1266 static void add_atomic_switch_msr_special(unsigned long entry,
1267  unsigned long exit, unsigned long guest_val_vmcs,
1268  unsigned long host_val_vmcs, u64 guest_val, u64 host_val)
1269 {
1270  vmcs_write64(guest_val_vmcs, guest_val);
1271  vmcs_write64(host_val_vmcs, host_val);
1272  vmcs_set_bits(VM_ENTRY_CONTROLS, entry);
1273  vmcs_set_bits(VM_EXIT_CONTROLS, exit);
1274 }
1275 
1276 static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
1277  u64 guest_val, u64 host_val)
1278 {
1279  unsigned i;
1280  struct msr_autoload *m = &vmx->msr_autoload;
1281 
1282  switch (msr) {
1283  case MSR_EFER:
1284  if (cpu_has_load_ia32_efer) {
1285  add_atomic_switch_msr_special(VM_ENTRY_LOAD_IA32_EFER,
1286  VM_EXIT_LOAD_IA32_EFER,
1287  GUEST_IA32_EFER,
1288  HOST_IA32_EFER,
1289  guest_val, host_val);
1290  return;
1291  }
1292  break;
1293  case MSR_CORE_PERF_GLOBAL_CTRL:
1294  if (cpu_has_load_perf_global_ctrl) {
1295  add_atomic_switch_msr_special(
1296  VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
1297  VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL,
1298  GUEST_IA32_PERF_GLOBAL_CTRL,
1299  HOST_IA32_PERF_GLOBAL_CTRL,
1300  guest_val, host_val);
1301  return;
1302  }
1303  break;
1304  }
1305 
1306  for (i = 0; i < m->nr; ++i)
1307  if (m->guest[i].index == msr)
1308  break;
1309 
1310  if (i == NR_AUTOLOAD_MSRS) {
1311  printk_once(KERN_WARNING"Not enough mst switch entries. "
1312  "Can't add msr %x\n", msr);
1313  return;
1314  } else if (i == m->nr) {
1315  ++m->nr;
1316  vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, m->nr);
1317  vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->nr);
1318  }
1319 
1320  m->guest[i].index = msr;
1321  m->guest[i].value = guest_val;
1322  m->host[i].index = msr;
1323  m->host[i].value = host_val;
1324 }
1325 
1326 static void reload_tss(void)
1327 {
1328  /*
1329  * VT restores TR but not its size. Useless.
1330  */
1331  struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
1332  struct desc_struct *descs;
1333 
1334  descs = (void *)gdt->address;
1335  descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
1336  load_TR_desc();
1337 }
1338 
1339 static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
1340 {
1341  u64 guest_efer;
1342  u64 ignore_bits;
1343 
1344  guest_efer = vmx->vcpu.arch.efer;
1345 
1346  /*
1347  * NX is emulated; LMA and LME handled by hardware; SCE meaningless
1348  * outside long mode
1349  */
1350  ignore_bits = EFER_NX | EFER_SCE;
1351 #ifdef CONFIG_X86_64
1352  ignore_bits |= EFER_LMA | EFER_LME;
1353  /* SCE is meaningful only in long mode on Intel */
1354  if (guest_efer & EFER_LMA)
1355  ignore_bits &= ~(u64)EFER_SCE;
1356 #endif
1357  guest_efer &= ~ignore_bits;
1358  guest_efer |= host_efer & ignore_bits;
1359  vmx->guest_msrs[efer_offset].data = guest_efer;
1360  vmx->guest_msrs[efer_offset].mask = ~ignore_bits;
1361 
1362  clear_atomic_switch_msr(vmx, MSR_EFER);
1363  /* On ept, can't emulate nx, and must switch nx atomically */
1364  if (enable_ept && ((vmx->vcpu.arch.efer ^ host_efer) & EFER_NX)) {
1365  guest_efer = vmx->vcpu.arch.efer;
1366  if (!(guest_efer & EFER_LMA))
1367  guest_efer &= ~EFER_LME;
1368  add_atomic_switch_msr(vmx, MSR_EFER, guest_efer, host_efer);
1369  return false;
1370  }
1371 
1372  return true;
1373 }
1374 
1375 static unsigned long segment_base(u16 selector)
1376 {
1377  struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
1378  struct desc_struct *d;
1379  unsigned long table_base;
1380  unsigned long v;
1381 
1382  if (!(selector & ~3))
1383  return 0;
1384 
1385  table_base = gdt->address;
1386 
1387  if (selector & 4) { /* from ldt */
1388  u16 ldt_selector = kvm_read_ldt();
1389 
1390  if (!(ldt_selector & ~3))
1391  return 0;
1392 
1393  table_base = segment_base(ldt_selector);
1394  }
1395  d = (struct desc_struct *)(table_base + (selector & ~7));
1396  v = get_desc_base(d);
1397 #ifdef CONFIG_X86_64
1398  if (d->s == 0 && (d->type == 2 || d->type == 9 || d->type == 11))
1399  v |= ((unsigned long)((struct ldttss_desc64 *)d)->base3) << 32;
1400 #endif
1401  return v;
1402 }
1403 
1404 static inline unsigned long kvm_read_tr_base(void)
1405 {
1406  u16 tr;
1407  asm("str %0" : "=g"(tr));
1408  return segment_base(tr);
1409 }
1410 
1411 static void vmx_save_host_state(struct kvm_vcpu *vcpu)
1412 {
1413  struct vcpu_vmx *vmx = to_vmx(vcpu);
1414  int i;
1415 
1416  if (vmx->host_state.loaded)
1417  return;
1418 
1419  vmx->host_state.loaded = 1;
1420  /*
1421  * Set host fs and gs selectors. Unfortunately, 22.2.3 does not
1422  * allow segment selectors with cpl > 0 or ti == 1.
1423  */
1424  vmx->host_state.ldt_sel = kvm_read_ldt();
1425  vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
1426  savesegment(fs, vmx->host_state.fs_sel);
1427  if (!(vmx->host_state.fs_sel & 7)) {
1428  vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
1429  vmx->host_state.fs_reload_needed = 0;
1430  } else {
1431  vmcs_write16(HOST_FS_SELECTOR, 0);
1432  vmx->host_state.fs_reload_needed = 1;
1433  }
1434  savesegment(gs, vmx->host_state.gs_sel);
1435  if (!(vmx->host_state.gs_sel & 7))
1436  vmcs_write16(HOST_GS_SELECTOR, vmx->host_state.gs_sel);
1437  else {
1438  vmcs_write16(HOST_GS_SELECTOR, 0);
1439  vmx->host_state.gs_ldt_reload_needed = 1;
1440  }
1441 
1442 #ifdef CONFIG_X86_64
1443  savesegment(ds, vmx->host_state.ds_sel);
1444  savesegment(es, vmx->host_state.es_sel);
1445 #endif
1446 
1447 #ifdef CONFIG_X86_64
1448  vmcs_writel(HOST_FS_BASE, read_msr(MSR_FS_BASE));
1449  vmcs_writel(HOST_GS_BASE, read_msr(MSR_GS_BASE));
1450 #else
1451  vmcs_writel(HOST_FS_BASE, segment_base(vmx->host_state.fs_sel));
1452  vmcs_writel(HOST_GS_BASE, segment_base(vmx->host_state.gs_sel));
1453 #endif
1454 
1455 #ifdef CONFIG_X86_64
1456  rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
1457  if (is_long_mode(&vmx->vcpu))
1458  wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
1459 #endif
1460  for (i = 0; i < vmx->save_nmsrs; ++i)
1461  kvm_set_shared_msr(vmx->guest_msrs[i].index,
1462  vmx->guest_msrs[i].data,
1463  vmx->guest_msrs[i].mask);
1464 }
1465 
1466 static void __vmx_load_host_state(struct vcpu_vmx *vmx)
1467 {
1468  if (!vmx->host_state.loaded)
1469  return;
1470 
1471  ++vmx->vcpu.stat.host_state_reload;
1472  vmx->host_state.loaded = 0;
1473 #ifdef CONFIG_X86_64
1474  if (is_long_mode(&vmx->vcpu))
1475  rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
1476 #endif
1477  if (vmx->host_state.gs_ldt_reload_needed) {
1478  kvm_load_ldt(vmx->host_state.ldt_sel);
1479 #ifdef CONFIG_X86_64
1480  load_gs_index(vmx->host_state.gs_sel);
1481 #else
1482  loadsegment(gs, vmx->host_state.gs_sel);
1483 #endif
1484  }
1485  if (vmx->host_state.fs_reload_needed)
1486  loadsegment(fs, vmx->host_state.fs_sel);
1487 #ifdef CONFIG_X86_64
1488  if (unlikely(vmx->host_state.ds_sel | vmx->host_state.es_sel)) {
1489  loadsegment(ds, vmx->host_state.ds_sel);
1490  loadsegment(es, vmx->host_state.es_sel);
1491  }
1492 #endif
1493  reload_tss();
1494 #ifdef CONFIG_X86_64
1495  wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
1496 #endif
1497  /*
1498  * If the FPU is not active (through the host task or
1499  * the guest vcpu), then restore the cr0.TS bit.
1500  */
1501  if (!user_has_fpu() && !vmx->vcpu.guest_fpu_loaded)
1502  stts();
1503  load_gdt(&__get_cpu_var(host_gdt));
1504 }
1505 
1506 static void vmx_load_host_state(struct vcpu_vmx *vmx)
1507 {
1508  preempt_disable();
1509  __vmx_load_host_state(vmx);
1510  preempt_enable();
1511 }
1512 
1513 /*
1514  * Switches to specified vcpu, until a matching vcpu_put(), but assumes
1515  * vcpu mutex is already taken.
1516  */
1517 static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
1518 {
1519  struct vcpu_vmx *vmx = to_vmx(vcpu);
1520  u64 phys_addr = __pa(per_cpu(vmxarea, cpu));
1521 
1522  if (!vmm_exclusive)
1523  kvm_cpu_vmxon(phys_addr);
1524  else if (vmx->loaded_vmcs->cpu != cpu)
1525  loaded_vmcs_clear(vmx->loaded_vmcs);
1526 
1527  if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
1528  per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
1529  vmcs_load(vmx->loaded_vmcs->vmcs);
1530  }
1531 
1532  if (vmx->loaded_vmcs->cpu != cpu) {
1533  struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
1534  unsigned long sysenter_esp;
1535 
1536  kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
1537  local_irq_disable();
1538  list_add(&vmx->loaded_vmcs->loaded_vmcss_on_cpu_link,
1539  &per_cpu(loaded_vmcss_on_cpu, cpu));
1540  local_irq_enable();
1541 
1542  /*
1543  * Linux uses per-cpu TSS and GDT, so set these when switching
1544  * processors.
1545  */
1546  vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
1547  vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
1548 
1549  rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
1550  vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
1551  vmx->loaded_vmcs->cpu = cpu;
1552  }
1553 }
1554 
1555 static void vmx_vcpu_put(struct kvm_vcpu *vcpu)
1556 {
1557  __vmx_load_host_state(to_vmx(vcpu));
1558  if (!vmm_exclusive) {
1559  __loaded_vmcs_clear(to_vmx(vcpu)->loaded_vmcs);
1560  vcpu->cpu = -1;
1561  kvm_cpu_vmxoff();
1562  }
1563 }
1564 
1565 static void vmx_fpu_activate(struct kvm_vcpu *vcpu)
1566 {
1567  ulong cr0;
1568 
1569  if (vcpu->fpu_active)
1570  return;
1571  vcpu->fpu_active = 1;
1572  cr0 = vmcs_readl(GUEST_CR0);
1573  cr0 &= ~(X86_CR0_TS | X86_CR0_MP);
1574  cr0 |= kvm_read_cr0_bits(vcpu, X86_CR0_TS | X86_CR0_MP);
1575  vmcs_writel(GUEST_CR0, cr0);
1576  update_exception_bitmap(vcpu);
1577  vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
1578  if (is_guest_mode(vcpu))
1579  vcpu->arch.cr0_guest_owned_bits &=
1580  ~get_vmcs12(vcpu)->cr0_guest_host_mask;
1581  vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
1582 }
1583 
1584 static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu);
1585 
1586 /*
1587  * Return the cr0 value that a nested guest would read. This is a combination
1588  * of the real cr0 used to run the guest (guest_cr0), and the bits shadowed by
1589  * its hypervisor (cr0_read_shadow).
1590  */
1591 static inline unsigned long nested_read_cr0(struct vmcs12 *fields)
1592 {
1593  return (fields->guest_cr0 & ~fields->cr0_guest_host_mask) |
1594  (fields->cr0_read_shadow & fields->cr0_guest_host_mask);
1595 }
1596 static inline unsigned long nested_read_cr4(struct vmcs12 *fields)
1597 {
1598  return (fields->guest_cr4 & ~fields->cr4_guest_host_mask) |
1599  (fields->cr4_read_shadow & fields->cr4_guest_host_mask);
1600 }
1601 
1602 static void vmx_fpu_deactivate(struct kvm_vcpu *vcpu)
1603 {
1604  /* Note that there is no vcpu->fpu_active = 0 here. The caller must
1605  * set this *before* calling this function.
1606  */
1607  vmx_decache_cr0_guest_bits(vcpu);
1608  vmcs_set_bits(GUEST_CR0, X86_CR0_TS | X86_CR0_MP);
1609  update_exception_bitmap(vcpu);
1610  vcpu->arch.cr0_guest_owned_bits = 0;
1611  vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
1612  if (is_guest_mode(vcpu)) {
1613  /*
1614  * L1's specified read shadow might not contain the TS bit,
1615  * so now that we turned on shadowing of this bit, we need to
1616  * set this bit of the shadow. Like in nested_vmx_run we need
1617  * nested_read_cr0(vmcs12), but vmcs12->guest_cr0 is not yet
1618  * up-to-date here because we just decached cr0.TS (and we'll
1619  * only update vmcs12->guest_cr0 on nested exit).
1620  */
1621  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
1622  vmcs12->guest_cr0 = (vmcs12->guest_cr0 & ~X86_CR0_TS) |
1623  (vcpu->arch.cr0 & X86_CR0_TS);
1624  vmcs_writel(CR0_READ_SHADOW, nested_read_cr0(vmcs12));
1625  } else
1626  vmcs_writel(CR0_READ_SHADOW, vcpu->arch.cr0);
1627 }
1628 
1629 static unsigned long vmx_get_rflags(struct kvm_vcpu *vcpu)
1630 {
1631  unsigned long rflags, save_rflags;
1632 
1633  if (!test_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail)) {
1634  __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
1635  rflags = vmcs_readl(GUEST_RFLAGS);
1636  if (to_vmx(vcpu)->rmode.vm86_active) {
1637  rflags &= RMODE_GUEST_OWNED_EFLAGS_BITS;
1638  save_rflags = to_vmx(vcpu)->rmode.save_rflags;
1639  rflags |= save_rflags & ~RMODE_GUEST_OWNED_EFLAGS_BITS;
1640  }
1641  to_vmx(vcpu)->rflags = rflags;
1642  }
1643  return to_vmx(vcpu)->rflags;
1644 }
1645 
1646 static void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
1647 {
1648  __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
1649  __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
1650  to_vmx(vcpu)->rflags = rflags;
1651  if (to_vmx(vcpu)->rmode.vm86_active) {
1652  to_vmx(vcpu)->rmode.save_rflags = rflags;
1653  rflags |= X86_EFLAGS_IOPL | X86_EFLAGS_VM;
1654  }
1655  vmcs_writel(GUEST_RFLAGS, rflags);
1656 }
1657 
1658 static u32 vmx_get_interrupt_shadow(struct kvm_vcpu *vcpu, int mask)
1659 {
1660  u32 interruptibility = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
1661  int ret = 0;
1662 
1663  if (interruptibility & GUEST_INTR_STATE_STI)
1664  ret |= KVM_X86_SHADOW_INT_STI;
1665  if (interruptibility & GUEST_INTR_STATE_MOV_SS)
1666  ret |= KVM_X86_SHADOW_INT_MOV_SS;
1667 
1668  return ret & mask;
1669 }
1670 
1671 static void vmx_set_interrupt_shadow(struct kvm_vcpu *vcpu, int mask)
1672 {
1673  u32 interruptibility_old = vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
1674  u32 interruptibility = interruptibility_old;
1675 
1676  interruptibility &= ~(GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS);
1677 
1678  if (mask & KVM_X86_SHADOW_INT_MOV_SS)
1679  interruptibility |= GUEST_INTR_STATE_MOV_SS;
1680  else if (mask & KVM_X86_SHADOW_INT_STI)
1681  interruptibility |= GUEST_INTR_STATE_STI;
1682 
1683  if ((interruptibility != interruptibility_old))
1684  vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, interruptibility);
1685 }
1686 
1687 static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
1688 {
1689  unsigned long rip;
1690 
1691  rip = kvm_rip_read(vcpu);
1692  rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
1693  kvm_rip_write(vcpu, rip);
1694 
1695  /* skipping an emulated instruction also counts */
1696  vmx_set_interrupt_shadow(vcpu, 0);
1697 }
1698 
1699 /*
1700  * KVM wants to inject page-faults which it got to the guest. This function
1701  * checks whether in a nested guest, we need to inject them to L1 or L2.
1702  * This function assumes it is called with the exit reason in vmcs02 being
1703  * a #PF exception (this is the only case in which KVM injects a #PF when L2
1704  * is running).
1705  */
1706 static int nested_pf_handled(struct kvm_vcpu *vcpu)
1707 {
1708  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
1709 
1710  /* TODO: also check PFEC_MATCH/MASK, not just EB.PF. */
1711  if (!(vmcs12->exception_bitmap & (1u << PF_VECTOR)))
1712  return 0;
1713 
1714  nested_vmx_vmexit(vcpu);
1715  return 1;
1716 }
1717 
1718 static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
1719  bool has_error_code, u32 error_code,
1720  bool reinject)
1721 {
1722  struct vcpu_vmx *vmx = to_vmx(vcpu);
1723  u32 intr_info = nr | INTR_INFO_VALID_MASK;
1724 
1725  if (nr == PF_VECTOR && is_guest_mode(vcpu) &&
1726  nested_pf_handled(vcpu))
1727  return;
1728 
1729  if (has_error_code) {
1730  vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code);
1731  intr_info |= INTR_INFO_DELIVER_CODE_MASK;
1732  }
1733 
1734  if (vmx->rmode.vm86_active) {
1735  int inc_eip = 0;
1736  if (kvm_exception_is_soft(nr))
1737  inc_eip = vcpu->arch.event_exit_inst_len;
1738  if (kvm_inject_realmode_interrupt(vcpu, nr, inc_eip) != EMULATE_DONE)
1739  kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
1740  return;
1741  }
1742 
1743  if (kvm_exception_is_soft(nr)) {
1744  vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
1745  vmx->vcpu.arch.event_exit_inst_len);
1746  intr_info |= INTR_TYPE_SOFT_EXCEPTION;
1747  } else
1748  intr_info |= INTR_TYPE_HARD_EXCEPTION;
1749 
1750  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr_info);
1751 }
1752 
1753 static bool vmx_rdtscp_supported(void)
1754 {
1755  return cpu_has_vmx_rdtscp();
1756 }
1757 
1758 static bool vmx_invpcid_supported(void)
1759 {
1760  return cpu_has_vmx_invpcid() && enable_ept;
1761 }
1762 
1763 /*
1764  * Swap MSR entry in host/guest MSR entry array.
1765  */
1766 static void move_msr_up(struct vcpu_vmx *vmx, int from, int to)
1767 {
1768  struct shared_msr_entry tmp;
1769 
1770  tmp = vmx->guest_msrs[to];
1771  vmx->guest_msrs[to] = vmx->guest_msrs[from];
1772  vmx->guest_msrs[from] = tmp;
1773 }
1774 
1775 /*
1776  * Set up the vmcs to automatically save and restore system
1777  * msrs. Don't touch the 64-bit msrs if the guest is in legacy
1778  * mode, as fiddling with msrs is very expensive.
1779  */
1780 static void setup_msrs(struct vcpu_vmx *vmx)
1781 {
1782  int save_nmsrs, index;
1783  unsigned long *msr_bitmap;
1784 
1785  save_nmsrs = 0;
1786 #ifdef CONFIG_X86_64
1787  if (is_long_mode(&vmx->vcpu)) {
1788  index = __find_msr_index(vmx, MSR_SYSCALL_MASK);
1789  if (index >= 0)
1790  move_msr_up(vmx, index, save_nmsrs++);
1791  index = __find_msr_index(vmx, MSR_LSTAR);
1792  if (index >= 0)
1793  move_msr_up(vmx, index, save_nmsrs++);
1794  index = __find_msr_index(vmx, MSR_CSTAR);
1795  if (index >= 0)
1796  move_msr_up(vmx, index, save_nmsrs++);
1797  index = __find_msr_index(vmx, MSR_TSC_AUX);
1798  if (index >= 0 && vmx->rdtscp_enabled)
1799  move_msr_up(vmx, index, save_nmsrs++);
1800  /*
1801  * MSR_STAR is only needed on long mode guests, and only
1802  * if efer.sce is enabled.
1803  */
1804  index = __find_msr_index(vmx, MSR_STAR);
1805  if ((index >= 0) && (vmx->vcpu.arch.efer & EFER_SCE))
1806  move_msr_up(vmx, index, save_nmsrs++);
1807  }
1808 #endif
1809  index = __find_msr_index(vmx, MSR_EFER);
1810  if (index >= 0 && update_transition_efer(vmx, index))
1811  move_msr_up(vmx, index, save_nmsrs++);
1812 
1813  vmx->save_nmsrs = save_nmsrs;
1814 
1815  if (cpu_has_vmx_msr_bitmap()) {
1816  if (is_long_mode(&vmx->vcpu))
1817  msr_bitmap = vmx_msr_bitmap_longmode;
1818  else
1819  msr_bitmap = vmx_msr_bitmap_legacy;
1820 
1821  vmcs_write64(MSR_BITMAP, __pa(msr_bitmap));
1822  }
1823 }
1824 
1825 /*
1826  * reads and returns guest's timestamp counter "register"
1827  * guest_tsc = host_tsc + tsc_offset -- 21.3
1828  */
1829 static u64 guest_read_tsc(void)
1830 {
1831  u64 host_tsc, tsc_offset;
1832 
1833  rdtscll(host_tsc);
1834  tsc_offset = vmcs_read64(TSC_OFFSET);
1835  return host_tsc + tsc_offset;
1836 }
1837 
1838 /*
1839  * Like guest_read_tsc, but always returns L1's notion of the timestamp
1840  * counter, even if a nested guest (L2) is currently running.
1841  */
1842 u64 vmx_read_l1_tsc(struct kvm_vcpu *vcpu)
1843 {
1844  u64 host_tsc, tsc_offset;
1845 
1846  rdtscll(host_tsc);
1847  tsc_offset = is_guest_mode(vcpu) ?
1848  to_vmx(vcpu)->nested.vmcs01_tsc_offset :
1849  vmcs_read64(TSC_OFFSET);
1850  return host_tsc + tsc_offset;
1851 }
1852 
1853 /*
1854  * Engage any workarounds for mis-matched TSC rates. Currently limited to
1855  * software catchup for faster rates on slower CPUs.
1856  */
1857 static void vmx_set_tsc_khz(struct kvm_vcpu *vcpu, u32 user_tsc_khz, bool scale)
1858 {
1859  if (!scale)
1860  return;
1861 
1862  if (user_tsc_khz > tsc_khz) {
1863  vcpu->arch.tsc_catchup = 1;
1864  vcpu->arch.tsc_always_catchup = 1;
1865  } else
1866  WARN(1, "user requested TSC rate below hardware speed\n");
1867 }
1868 
1869 /*
1870  * writes 'offset' into guest's timestamp counter offset register
1871  */
1872 static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
1873 {
1874  if (is_guest_mode(vcpu)) {
1875  /*
1876  * We're here if L1 chose not to trap WRMSR to TSC. According
1877  * to the spec, this should set L1's TSC; The offset that L1
1878  * set for L2 remains unchanged, and still needs to be added
1879  * to the newly set TSC to get L2's TSC.
1880  */
1881  struct vmcs12 *vmcs12;
1882  to_vmx(vcpu)->nested.vmcs01_tsc_offset = offset;
1883  /* recalculate vmcs02.TSC_OFFSET: */
1884  vmcs12 = get_vmcs12(vcpu);
1885  vmcs_write64(TSC_OFFSET, offset +
1886  (nested_cpu_has(vmcs12, CPU_BASED_USE_TSC_OFFSETING) ?
1887  vmcs12->tsc_offset : 0));
1888  } else {
1889  vmcs_write64(TSC_OFFSET, offset);
1890  }
1891 }
1892 
1893 static void vmx_adjust_tsc_offset(struct kvm_vcpu *vcpu, s64 adjustment, bool host)
1894 {
1895  u64 offset = vmcs_read64(TSC_OFFSET);
1896  vmcs_write64(TSC_OFFSET, offset + adjustment);
1897  if (is_guest_mode(vcpu)) {
1898  /* Even when running L2, the adjustment needs to apply to L1 */
1899  to_vmx(vcpu)->nested.vmcs01_tsc_offset += adjustment;
1900  }
1901 }
1902 
1903 static u64 vmx_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)
1904 {
1905  return target_tsc - native_read_tsc();
1906 }
1907 
1908 static bool guest_cpuid_has_vmx(struct kvm_vcpu *vcpu)
1909 {
1910  struct kvm_cpuid_entry2 *best = kvm_find_cpuid_entry(vcpu, 1, 0);
1911  return best && (best->ecx & (1 << (X86_FEATURE_VMX & 31)));
1912 }
1913 
1914 /*
1915  * nested_vmx_allowed() checks whether a guest should be allowed to use VMX
1916  * instructions and MSRs (i.e., nested VMX). Nested VMX is disabled for
1917  * all guests if the "nested" module option is off, and can also be disabled
1918  * for a single guest by disabling its VMX cpuid bit.
1919  */
1920 static inline bool nested_vmx_allowed(struct kvm_vcpu *vcpu)
1921 {
1922  return nested && guest_cpuid_has_vmx(vcpu);
1923 }
1924 
1925 /*
1926  * nested_vmx_setup_ctls_msrs() sets up variables containing the values to be
1927  * returned for the various VMX controls MSRs when nested VMX is enabled.
1928  * The same values should also be used to verify that vmcs12 control fields are
1929  * valid during nested entry from L1 to L2.
1930  * Each of these control msrs has a low and high 32-bit half: A low bit is on
1931  * if the corresponding bit in the (32-bit) control field *must* be on, and a
1932  * bit in the high half is on if the corresponding bit in the control field
1933  * may be on. See also vmx_control_verify().
1934  * TODO: allow these variables to be modified (downgraded) by module options
1935  * or other means.
1936  */
1937 static u32 nested_vmx_procbased_ctls_low, nested_vmx_procbased_ctls_high;
1938 static u32 nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high;
1939 static u32 nested_vmx_pinbased_ctls_low, nested_vmx_pinbased_ctls_high;
1940 static u32 nested_vmx_exit_ctls_low, nested_vmx_exit_ctls_high;
1941 static u32 nested_vmx_entry_ctls_low, nested_vmx_entry_ctls_high;
1942 static __init void nested_vmx_setup_ctls_msrs(void)
1943 {
1944  /*
1945  * Note that as a general rule, the high half of the MSRs (bits in
1946  * the control fields which may be 1) should be initialized by the
1947  * intersection of the underlying hardware's MSR (i.e., features which
1948  * can be supported) and the list of features we want to expose -
1949  * because they are known to be properly supported in our code.
1950  * Also, usually, the low half of the MSRs (bits which must be 1) can
1951  * be set to 0, meaning that L1 may turn off any of these bits. The
1952  * reason is that if one of these bits is necessary, it will appear
1953  * in vmcs01 and prepare_vmcs02, when it bitwise-or's the control
1954  * fields of vmcs01 and vmcs02, will turn these bits off - and
1955  * nested_vmx_exit_handled() will not pass related exits to L1.
1956  * These rules have exceptions below.
1957  */
1958 
1959  /* pin-based controls */
1960  /*
1961  * According to the Intel spec, if bit 55 of VMX_BASIC is off (as it is
1962  * in our case), bits 1, 2 and 4 (i.e., 0x16) must be 1 in this MSR.
1963  */
1964  nested_vmx_pinbased_ctls_low = 0x16 ;
1965  nested_vmx_pinbased_ctls_high = 0x16 |
1966  PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING |
1967  PIN_BASED_VIRTUAL_NMIS;
1968 
1969  /* exit controls */
1970  nested_vmx_exit_ctls_low = 0;
1971  /* Note that guest use of VM_EXIT_ACK_INTR_ON_EXIT is not supported. */
1972 #ifdef CONFIG_X86_64
1973  nested_vmx_exit_ctls_high = VM_EXIT_HOST_ADDR_SPACE_SIZE;
1974 #else
1975  nested_vmx_exit_ctls_high = 0;
1976 #endif
1977 
1978  /* entry controls */
1979  rdmsr(MSR_IA32_VMX_ENTRY_CTLS,
1980  nested_vmx_entry_ctls_low, nested_vmx_entry_ctls_high);
1981  nested_vmx_entry_ctls_low = 0;
1982  nested_vmx_entry_ctls_high &=
1983  VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_IA32E_MODE;
1984 
1985  /* cpu-based controls */
1986  rdmsr(MSR_IA32_VMX_PROCBASED_CTLS,
1987  nested_vmx_procbased_ctls_low, nested_vmx_procbased_ctls_high);
1988  nested_vmx_procbased_ctls_low = 0;
1989  nested_vmx_procbased_ctls_high &=
1990  CPU_BASED_VIRTUAL_INTR_PENDING | CPU_BASED_USE_TSC_OFFSETING |
1991  CPU_BASED_HLT_EXITING | CPU_BASED_INVLPG_EXITING |
1992  CPU_BASED_MWAIT_EXITING | CPU_BASED_CR3_LOAD_EXITING |
1993  CPU_BASED_CR3_STORE_EXITING |
1994 #ifdef CONFIG_X86_64
1995  CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING |
1996 #endif
1997  CPU_BASED_MOV_DR_EXITING | CPU_BASED_UNCOND_IO_EXITING |
1998  CPU_BASED_USE_IO_BITMAPS | CPU_BASED_MONITOR_EXITING |
1999  CPU_BASED_RDPMC_EXITING | CPU_BASED_RDTSC_EXITING |
2000  CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
2001  /*
2002  * We can allow some features even when not supported by the
2003  * hardware. For example, L1 can specify an MSR bitmap - and we
2004  * can use it to avoid exits to L1 - even when L0 runs L2
2005  * without MSR bitmaps.
2006  */
2007  nested_vmx_procbased_ctls_high |= CPU_BASED_USE_MSR_BITMAPS;
2008 
2009  /* secondary cpu-based controls */
2010  rdmsr(MSR_IA32_VMX_PROCBASED_CTLS2,
2011  nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high);
2012  nested_vmx_secondary_ctls_low = 0;
2013  nested_vmx_secondary_ctls_high &=
2014  SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
2015 }
2016 
2017 static inline bool vmx_control_verify(u32 control, u32 low, u32 high)
2018 {
2019  /*
2020  * Bits 0 in high must be 0, and bits 1 in low must be 1.
2021  */
2022  return ((control & high) | low) == control;
2023 }
2024 
2025 static inline u64 vmx_control_msr(u32 low, u32 high)
2026 {
2027  return low | ((u64)high << 32);
2028 }
2029 
2030 /*
2031  * If we allow our guest to use VMX instructions (i.e., nested VMX), we should
2032  * also let it use VMX-specific MSRs.
2033  * vmx_get_vmx_msr() and vmx_set_vmx_msr() return 1 when we handled a
2034  * VMX-specific MSR, or 0 when we haven't (and the caller should handle it
2035  * like all other MSRs).
2036  */
2037 static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
2038 {
2039  if (!nested_vmx_allowed(vcpu) && msr_index >= MSR_IA32_VMX_BASIC &&
2040  msr_index <= MSR_IA32_VMX_TRUE_ENTRY_CTLS) {
2041  /*
2042  * According to the spec, processors which do not support VMX
2043  * should throw a #GP(0) when VMX capability MSRs are read.
2044  */
2045  kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
2046  return 1;
2047  }
2048 
2049  switch (msr_index) {
2050  case MSR_IA32_FEATURE_CONTROL:
2051  *pdata = 0;
2052  break;
2053  case MSR_IA32_VMX_BASIC:
2054  /*
2055  * This MSR reports some information about VMX support. We
2056  * should return information about the VMX we emulate for the
2057  * guest, and the VMCS structure we give it - not about the
2058  * VMX support of the underlying hardware.
2059  */
2060  *pdata = VMCS12_REVISION |
2061  ((u64)VMCS12_SIZE << VMX_BASIC_VMCS_SIZE_SHIFT) |
2062  (VMX_BASIC_MEM_TYPE_WB << VMX_BASIC_MEM_TYPE_SHIFT);
2063  break;
2064  case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
2065  case MSR_IA32_VMX_PINBASED_CTLS:
2066  *pdata = vmx_control_msr(nested_vmx_pinbased_ctls_low,
2067  nested_vmx_pinbased_ctls_high);
2068  break;
2069  case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
2070  case MSR_IA32_VMX_PROCBASED_CTLS:
2071  *pdata = vmx_control_msr(nested_vmx_procbased_ctls_low,
2072  nested_vmx_procbased_ctls_high);
2073  break;
2074  case MSR_IA32_VMX_TRUE_EXIT_CTLS:
2075  case MSR_IA32_VMX_EXIT_CTLS:
2076  *pdata = vmx_control_msr(nested_vmx_exit_ctls_low,
2077  nested_vmx_exit_ctls_high);
2078  break;
2079  case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
2080  case MSR_IA32_VMX_ENTRY_CTLS:
2081  *pdata = vmx_control_msr(nested_vmx_entry_ctls_low,
2082  nested_vmx_entry_ctls_high);
2083  break;
2084  case MSR_IA32_VMX_MISC:
2085  *pdata = 0;
2086  break;
2087  /*
2088  * These MSRs specify bits which the guest must keep fixed (on or off)
2089  * while L1 is in VMXON mode (in L1's root mode, or running an L2).
2090  * We picked the standard core2 setting.
2091  */
2092 #define VMXON_CR0_ALWAYSON (X86_CR0_PE | X86_CR0_PG | X86_CR0_NE)
2093 #define VMXON_CR4_ALWAYSON X86_CR4_VMXE
2094  case MSR_IA32_VMX_CR0_FIXED0:
2095  *pdata = VMXON_CR0_ALWAYSON;
2096  break;
2097  case MSR_IA32_VMX_CR0_FIXED1:
2098  *pdata = -1ULL;
2099  break;
2100  case MSR_IA32_VMX_CR4_FIXED0:
2101  *pdata = VMXON_CR4_ALWAYSON;
2102  break;
2103  case MSR_IA32_VMX_CR4_FIXED1:
2104  *pdata = -1ULL;
2105  break;
2106  case MSR_IA32_VMX_VMCS_ENUM:
2107  *pdata = 0x1f;
2108  break;
2109  case MSR_IA32_VMX_PROCBASED_CTLS2:
2110  *pdata = vmx_control_msr(nested_vmx_secondary_ctls_low,
2111  nested_vmx_secondary_ctls_high);
2112  break;
2113  case MSR_IA32_VMX_EPT_VPID_CAP:
2114  /* Currently, no nested ept or nested vpid */
2115  *pdata = 0;
2116  break;
2117  default:
2118  return 0;
2119  }
2120 
2121  return 1;
2122 }
2123 
2124 static int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
2125 {
2126  if (!nested_vmx_allowed(vcpu))
2127  return 0;
2128 
2129  if (msr_index == MSR_IA32_FEATURE_CONTROL)
2130  /* TODO: the right thing. */
2131  return 1;
2132  /*
2133  * No need to treat VMX capability MSRs specially: If we don't handle
2134  * them, handle_wrmsr will #GP(0), which is correct (they are readonly)
2135  */
2136  return 0;
2137 }
2138 
2139 /*
2140  * Reads an msr value (of 'msr_index') into 'pdata'.
2141  * Returns 0 on success, non-0 otherwise.
2142  * Assumes vcpu_load() was already called.
2143  */
2144 static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
2145 {
2146  u64 data;
2147  struct shared_msr_entry *msr;
2148 
2149  if (!pdata) {
2150  printk(KERN_ERR "BUG: get_msr called with NULL pdata\n");
2151  return -EINVAL;
2152  }
2153 
2154  switch (msr_index) {
2155 #ifdef CONFIG_X86_64
2156  case MSR_FS_BASE:
2157  data = vmcs_readl(GUEST_FS_BASE);
2158  break;
2159  case MSR_GS_BASE:
2160  data = vmcs_readl(GUEST_GS_BASE);
2161  break;
2162  case MSR_KERNEL_GS_BASE:
2163  vmx_load_host_state(to_vmx(vcpu));
2164  data = to_vmx(vcpu)->msr_guest_kernel_gs_base;
2165  break;
2166 #endif
2167  case MSR_EFER:
2168  return kvm_get_msr_common(vcpu, msr_index, pdata);
2169  case MSR_IA32_TSC:
2170  data = guest_read_tsc();
2171  break;
2172  case MSR_IA32_SYSENTER_CS:
2173  data = vmcs_read32(GUEST_SYSENTER_CS);
2174  break;
2175  case MSR_IA32_SYSENTER_EIP:
2176  data = vmcs_readl(GUEST_SYSENTER_EIP);
2177  break;
2178  case MSR_IA32_SYSENTER_ESP:
2179  data = vmcs_readl(GUEST_SYSENTER_ESP);
2180  break;
2181  case MSR_TSC_AUX:
2182  if (!to_vmx(vcpu)->rdtscp_enabled)
2183  return 1;
2184  /* Otherwise falls through */
2185  default:
2186  if (vmx_get_vmx_msr(vcpu, msr_index, pdata))
2187  return 0;
2188  msr = find_msr_entry(to_vmx(vcpu), msr_index);
2189  if (msr) {
2190  data = msr->data;
2191  break;
2192  }
2193  return kvm_get_msr_common(vcpu, msr_index, pdata);
2194  }
2195 
2196  *pdata = data;
2197  return 0;
2198 }
2199 
2200 /*
2201  * Writes msr value into into the appropriate "register".
2202  * Returns 0 on success, non-0 otherwise.
2203  * Assumes vcpu_load() was already called.
2204  */
2205 static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
2206 {
2207  struct vcpu_vmx *vmx = to_vmx(vcpu);
2208  struct shared_msr_entry *msr;
2209  int ret = 0;
2210 
2211  switch (msr_index) {
2212  case MSR_EFER:
2213  ret = kvm_set_msr_common(vcpu, msr_index, data);
2214  break;
2215 #ifdef CONFIG_X86_64
2216  case MSR_FS_BASE:
2217  vmx_segment_cache_clear(vmx);
2218  vmcs_writel(GUEST_FS_BASE, data);
2219  break;
2220  case MSR_GS_BASE:
2221  vmx_segment_cache_clear(vmx);
2222  vmcs_writel(GUEST_GS_BASE, data);
2223  break;
2224  case MSR_KERNEL_GS_BASE:
2225  vmx_load_host_state(vmx);
2226  vmx->msr_guest_kernel_gs_base = data;
2227  break;
2228 #endif
2229  case MSR_IA32_SYSENTER_CS:
2230  vmcs_write32(GUEST_SYSENTER_CS, data);
2231  break;
2232  case MSR_IA32_SYSENTER_EIP:
2233  vmcs_writel(GUEST_SYSENTER_EIP, data);
2234  break;
2235  case MSR_IA32_SYSENTER_ESP:
2236  vmcs_writel(GUEST_SYSENTER_ESP, data);
2237  break;
2238  case MSR_IA32_TSC:
2239  kvm_write_tsc(vcpu, data);
2240  break;
2241  case MSR_IA32_CR_PAT:
2242  if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
2243  vmcs_write64(GUEST_IA32_PAT, data);
2244  vcpu->arch.pat = data;
2245  break;
2246  }
2247  ret = kvm_set_msr_common(vcpu, msr_index, data);
2248  break;
2249  case MSR_TSC_AUX:
2250  if (!vmx->rdtscp_enabled)
2251  return 1;
2252  /* Check reserved bit, higher 32 bits should be zero */
2253  if ((data >> 32) != 0)
2254  return 1;
2255  /* Otherwise falls through */
2256  default:
2257  if (vmx_set_vmx_msr(vcpu, msr_index, data))
2258  break;
2259  msr = find_msr_entry(vmx, msr_index);
2260  if (msr) {
2261  msr->data = data;
2262  if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
2263  preempt_disable();
2264  kvm_set_shared_msr(msr->index, msr->data,
2265  msr->mask);
2266  preempt_enable();
2267  }
2268  break;
2269  }
2270  ret = kvm_set_msr_common(vcpu, msr_index, data);
2271  }
2272 
2273  return ret;
2274 }
2275 
2276 static void vmx_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
2277 {
2278  __set_bit(reg, (unsigned long *)&vcpu->arch.regs_avail);
2279  switch (reg) {
2280  case VCPU_REGS_RSP:
2281  vcpu->arch.regs[VCPU_REGS_RSP] = vmcs_readl(GUEST_RSP);
2282  break;
2283  case VCPU_REGS_RIP:
2284  vcpu->arch.regs[VCPU_REGS_RIP] = vmcs_readl(GUEST_RIP);
2285  break;
2286  case VCPU_EXREG_PDPTR:
2287  if (enable_ept)
2288  ept_save_pdptrs(vcpu);
2289  break;
2290  default:
2291  break;
2292  }
2293 }
2294 
2295 static __init int cpu_has_kvm_support(void)
2296 {
2297  return cpu_has_vmx();
2298 }
2299 
2300 static __init int vmx_disabled_by_bios(void)
2301 {
2302  u64 msr;
2303 
2304  rdmsrl(MSR_IA32_FEATURE_CONTROL, msr);
2305  if (msr & FEATURE_CONTROL_LOCKED) {
2306  /* launched w/ TXT and VMX disabled */
2307  if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
2308  && tboot_enabled())
2309  return 1;
2310  /* launched w/o TXT and VMX only enabled w/ TXT */
2311  if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
2312  && (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
2313  && !tboot_enabled()) {
2314  printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
2315  "activate TXT before enabling KVM\n");
2316  return 1;
2317  }
2318  /* launched w/o TXT and VMX disabled */
2319  if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
2320  && !tboot_enabled())
2321  return 1;
2322  }
2323 
2324  return 0;
2325 }
2326 
2327 static void kvm_cpu_vmxon(u64 addr)
2328 {
2329  asm volatile (ASM_VMX_VMXON_RAX
2330  : : "a"(&addr), "m"(addr)
2331  : "memory", "cc");
2332 }
2333 
2334 static int hardware_enable(void *garbage)
2335 {
2336  int cpu = raw_smp_processor_id();
2337  u64 phys_addr = __pa(per_cpu(vmxarea, cpu));
2338  u64 old, test_bits;
2339 
2340  if (read_cr4() & X86_CR4_VMXE)
2341  return -EBUSY;
2342 
2343  INIT_LIST_HEAD(&per_cpu(loaded_vmcss_on_cpu, cpu));
2344  rdmsrl(MSR_IA32_FEATURE_CONTROL, old);
2345 
2346  test_bits = FEATURE_CONTROL_LOCKED;
2347  test_bits |= FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;
2348  if (tboot_enabled())
2349  test_bits |= FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX;
2350 
2351  if ((old & test_bits) != test_bits) {
2352  /* enable and lock */
2353  wrmsrl(MSR_IA32_FEATURE_CONTROL, old | test_bits);
2354  }
2355  write_cr4(read_cr4() | X86_CR4_VMXE); /* FIXME: not cpu hotplug safe */
2356 
2357  if (vmm_exclusive) {
2358  kvm_cpu_vmxon(phys_addr);
2359  ept_sync_global();
2360  }
2361 
2362  store_gdt(&__get_cpu_var(host_gdt));
2363 
2364  return 0;
2365 }
2366 
2367 static void vmclear_local_loaded_vmcss(void)
2368 {
2369  int cpu = raw_smp_processor_id();
2370  struct loaded_vmcs *v, *n;
2371 
2372  list_for_each_entry_safe(v, n, &per_cpu(loaded_vmcss_on_cpu, cpu),
2373  loaded_vmcss_on_cpu_link)
2374  __loaded_vmcs_clear(v);
2375 }
2376 
2377 
2378 /* Just like cpu_vmxoff(), but with the __kvm_handle_fault_on_reboot()
2379  * tricks.
2380  */
2381 static void kvm_cpu_vmxoff(void)
2382 {
2383  asm volatile (__ex(ASM_VMX_VMXOFF) : : : "cc");
2384 }
2385 
2386 static void hardware_disable(void *garbage)
2387 {
2388  if (vmm_exclusive) {
2389  vmclear_local_loaded_vmcss();
2390  kvm_cpu_vmxoff();
2391  }
2392  write_cr4(read_cr4() & ~X86_CR4_VMXE);
2393 }
2394 
2395 static __init int adjust_vmx_controls(u32 ctl_min, u32 ctl_opt,
2396  u32 msr, u32 *result)
2397 {
2398  u32 vmx_msr_low, vmx_msr_high;
2399  u32 ctl = ctl_min | ctl_opt;
2400 
2401  rdmsr(msr, vmx_msr_low, vmx_msr_high);
2402 
2403  ctl &= vmx_msr_high; /* bit == 0 in high word ==> must be zero */
2404  ctl |= vmx_msr_low; /* bit == 1 in low word ==> must be one */
2405 
2406  /* Ensure minimum (required) set of control bits are supported. */
2407  if (ctl_min & ~ctl)
2408  return -EIO;
2409 
2410  *result = ctl;
2411  return 0;
2412 }
2413 
2414 static __init bool allow_1_setting(u32 msr, u32 ctl)
2415 {
2416  u32 vmx_msr_low, vmx_msr_high;
2417 
2418  rdmsr(msr, vmx_msr_low, vmx_msr_high);
2419  return vmx_msr_high & ctl;
2420 }
2421 
2422 static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
2423 {
2424  u32 vmx_msr_low, vmx_msr_high;
2425  u32 min, opt, min2, opt2;
2426  u32 _pin_based_exec_control = 0;
2427  u32 _cpu_based_exec_control = 0;
2428  u32 _cpu_based_2nd_exec_control = 0;
2429  u32 _vmexit_control = 0;
2430  u32 _vmentry_control = 0;
2431 
2432  min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING;
2433  opt = PIN_BASED_VIRTUAL_NMIS;
2434  if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS,
2435  &_pin_based_exec_control) < 0)
2436  return -EIO;
2437 
2438  min = CPU_BASED_HLT_EXITING |
2439 #ifdef CONFIG_X86_64
2440  CPU_BASED_CR8_LOAD_EXITING |
2441  CPU_BASED_CR8_STORE_EXITING |
2442 #endif
2443  CPU_BASED_CR3_LOAD_EXITING |
2444  CPU_BASED_CR3_STORE_EXITING |
2445  CPU_BASED_USE_IO_BITMAPS |
2446  CPU_BASED_MOV_DR_EXITING |
2447  CPU_BASED_USE_TSC_OFFSETING |
2448  CPU_BASED_MWAIT_EXITING |
2449  CPU_BASED_MONITOR_EXITING |
2450  CPU_BASED_INVLPG_EXITING |
2451  CPU_BASED_RDPMC_EXITING;
2452 
2453  opt = CPU_BASED_TPR_SHADOW |
2454  CPU_BASED_USE_MSR_BITMAPS |
2455  CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
2456  if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PROCBASED_CTLS,
2457  &_cpu_based_exec_control) < 0)
2458  return -EIO;
2459 #ifdef CONFIG_X86_64
2460  if ((_cpu_based_exec_control & CPU_BASED_TPR_SHADOW))
2461  _cpu_based_exec_control &= ~CPU_BASED_CR8_LOAD_EXITING &
2462  ~CPU_BASED_CR8_STORE_EXITING;
2463 #endif
2464  if (_cpu_based_exec_control & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS) {
2465  min2 = 0;
2466  opt2 = SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
2467  SECONDARY_EXEC_WBINVD_EXITING |
2468  SECONDARY_EXEC_ENABLE_VPID |
2469  SECONDARY_EXEC_ENABLE_EPT |
2470  SECONDARY_EXEC_UNRESTRICTED_GUEST |
2471  SECONDARY_EXEC_PAUSE_LOOP_EXITING |
2472  SECONDARY_EXEC_RDTSCP |
2473  SECONDARY_EXEC_ENABLE_INVPCID;
2474  if (adjust_vmx_controls(min2, opt2,
2475  MSR_IA32_VMX_PROCBASED_CTLS2,
2476  &_cpu_based_2nd_exec_control) < 0)
2477  return -EIO;
2478  }
2479 #ifndef CONFIG_X86_64
2480  if (!(_cpu_based_2nd_exec_control &
2481  SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES))
2482  _cpu_based_exec_control &= ~CPU_BASED_TPR_SHADOW;
2483 #endif
2484  if (_cpu_based_2nd_exec_control & SECONDARY_EXEC_ENABLE_EPT) {
2485  /* CR3 accesses and invlpg don't need to cause VM Exits when EPT
2486  enabled */
2487  _cpu_based_exec_control &= ~(CPU_BASED_CR3_LOAD_EXITING |
2488  CPU_BASED_CR3_STORE_EXITING |
2489  CPU_BASED_INVLPG_EXITING);
2490  rdmsr(MSR_IA32_VMX_EPT_VPID_CAP,
2491  vmx_capability.ept, vmx_capability.vpid);
2492  }
2493 
2494  min = 0;
2495 #ifdef CONFIG_X86_64
2496  min |= VM_EXIT_HOST_ADDR_SPACE_SIZE;
2497 #endif
2498  opt = VM_EXIT_SAVE_IA32_PAT | VM_EXIT_LOAD_IA32_PAT;
2499  if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_EXIT_CTLS,
2500  &_vmexit_control) < 0)
2501  return -EIO;
2502 
2503  min = 0;
2504  opt = VM_ENTRY_LOAD_IA32_PAT;
2505  if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_ENTRY_CTLS,
2506  &_vmentry_control) < 0)
2507  return -EIO;
2508 
2509  rdmsr(MSR_IA32_VMX_BASIC, vmx_msr_low, vmx_msr_high);
2510 
2511  /* IA-32 SDM Vol 3B: VMCS size is never greater than 4kB. */
2512  if ((vmx_msr_high & 0x1fff) > PAGE_SIZE)
2513  return -EIO;
2514 
2515 #ifdef CONFIG_X86_64
2516  /* IA-32 SDM Vol 3B: 64-bit CPUs always have VMX_BASIC_MSR[48]==0. */
2517  if (vmx_msr_high & (1u<<16))
2518  return -EIO;
2519 #endif
2520 
2521  /* Require Write-Back (WB) memory type for VMCS accesses. */
2522  if (((vmx_msr_high >> 18) & 15) != 6)
2523  return -EIO;
2524 
2525  vmcs_conf->size = vmx_msr_high & 0x1fff;
2526  vmcs_conf->order = get_order(vmcs_config.size);
2527  vmcs_conf->revision_id = vmx_msr_low;
2528 
2529  vmcs_conf->pin_based_exec_ctrl = _pin_based_exec_control;
2530  vmcs_conf->cpu_based_exec_ctrl = _cpu_based_exec_control;
2531  vmcs_conf->cpu_based_2nd_exec_ctrl = _cpu_based_2nd_exec_control;
2532  vmcs_conf->vmexit_ctrl = _vmexit_control;
2533  vmcs_conf->vmentry_ctrl = _vmentry_control;
2534 
2535  cpu_has_load_ia32_efer =
2536  allow_1_setting(MSR_IA32_VMX_ENTRY_CTLS,
2537  VM_ENTRY_LOAD_IA32_EFER)
2538  && allow_1_setting(MSR_IA32_VMX_EXIT_CTLS,
2539  VM_EXIT_LOAD_IA32_EFER);
2540 
2541  cpu_has_load_perf_global_ctrl =
2542  allow_1_setting(MSR_IA32_VMX_ENTRY_CTLS,
2543  VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL)
2544  && allow_1_setting(MSR_IA32_VMX_EXIT_CTLS,
2545  VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL);
2546 
2547  /*
2548  * Some cpus support VM_ENTRY_(LOAD|SAVE)_IA32_PERF_GLOBAL_CTRL
2549  * but due to arrata below it can't be used. Workaround is to use
2550  * msr load mechanism to switch IA32_PERF_GLOBAL_CTRL.
2551  *
2552  * VM Exit May Incorrectly Clear IA32_PERF_GLOBAL_CTRL [34:32]
2553  *
2554  * AAK155 (model 26)
2555  * AAP115 (model 30)
2556  * AAT100 (model 37)
2557  * BC86,AAY89,BD102 (model 44)
2558  * BA97 (model 46)
2559  *
2560  */
2561  if (cpu_has_load_perf_global_ctrl && boot_cpu_data.x86 == 0x6) {
2562  switch (boot_cpu_data.x86_model) {
2563  case 26:
2564  case 30:
2565  case 37:
2566  case 44:
2567  case 46:
2568  cpu_has_load_perf_global_ctrl = false;
2569  printk_once(KERN_WARNING"kvm: VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL "
2570  "does not work properly. Using workaround\n");
2571  break;
2572  default:
2573  break;
2574  }
2575  }
2576 
2577  return 0;
2578 }
2579 
2580 static struct vmcs *alloc_vmcs_cpu(int cpu)
2581 {
2582  int node = cpu_to_node(cpu);
2583  struct page *pages;
2584  struct vmcs *vmcs;
2585 
2586  pages = alloc_pages_exact_node(node, GFP_KERNEL, vmcs_config.order);
2587  if (!pages)
2588  return NULL;
2589  vmcs = page_address(pages);
2590  memset(vmcs, 0, vmcs_config.size);
2591  vmcs->revision_id = vmcs_config.revision_id; /* vmcs revision id */
2592  return vmcs;
2593 }
2594 
2595 static struct vmcs *alloc_vmcs(void)
2596 {
2597  return alloc_vmcs_cpu(raw_smp_processor_id());
2598 }
2599 
2600 static void free_vmcs(struct vmcs *vmcs)
2601 {
2602  free_pages((unsigned long)vmcs, vmcs_config.order);
2603 }
2604 
2605 /*
2606  * Free a VMCS, but before that VMCLEAR it on the CPU where it was last loaded
2607  */
2608 static void free_loaded_vmcs(struct loaded_vmcs *loaded_vmcs)
2609 {
2610  if (!loaded_vmcs->vmcs)
2611  return;
2612  loaded_vmcs_clear(loaded_vmcs);
2613  free_vmcs(loaded_vmcs->vmcs);
2614  loaded_vmcs->vmcs = NULL;
2615 }
2616 
2617 static void free_kvm_area(void)
2618 {
2619  int cpu;
2620 
2621  for_each_possible_cpu(cpu) {
2622  free_vmcs(per_cpu(vmxarea, cpu));
2623  per_cpu(vmxarea, cpu) = NULL;
2624  }
2625 }
2626 
2627 static __init int alloc_kvm_area(void)
2628 {
2629  int cpu;
2630 
2631  for_each_possible_cpu(cpu) {
2632  struct vmcs *vmcs;
2633 
2634  vmcs = alloc_vmcs_cpu(cpu);
2635  if (!vmcs) {
2636  free_kvm_area();
2637  return -ENOMEM;
2638  }
2639 
2640  per_cpu(vmxarea, cpu) = vmcs;
2641  }
2642  return 0;
2643 }
2644 
2645 static __init int hardware_setup(void)
2646 {
2647  if (setup_vmcs_config(&vmcs_config) < 0)
2648  return -EIO;
2649 
2650  if (boot_cpu_has(X86_FEATURE_NX))
2651  kvm_enable_efer_bits(EFER_NX);
2652 
2653  if (!cpu_has_vmx_vpid())
2654  enable_vpid = 0;
2655 
2656  if (!cpu_has_vmx_ept() ||
2657  !cpu_has_vmx_ept_4levels()) {
2658  enable_ept = 0;
2659  enable_unrestricted_guest = 0;
2660  enable_ept_ad_bits = 0;
2661  }
2662 
2663  if (!cpu_has_vmx_ept_ad_bits())
2664  enable_ept_ad_bits = 0;
2665 
2666  if (!cpu_has_vmx_unrestricted_guest())
2667  enable_unrestricted_guest = 0;
2668 
2669  if (!cpu_has_vmx_flexpriority())
2670  flexpriority_enabled = 0;
2671 
2672  if (!cpu_has_vmx_tpr_shadow())
2673  kvm_x86_ops->update_cr8_intercept = NULL;
2674 
2675  if (enable_ept && !cpu_has_vmx_ept_2m_page())
2676  kvm_disable_largepages();
2677 
2678  if (!cpu_has_vmx_ple())
2679  ple_gap = 0;
2680 
2681  if (nested)
2682  nested_vmx_setup_ctls_msrs();
2683 
2684  return alloc_kvm_area();
2685 }
2686 
2687 static __exit void hardware_unsetup(void)
2688 {
2689  free_kvm_area();
2690 }
2691 
2692 static void fix_pmode_dataseg(struct kvm_vcpu *vcpu, int seg, struct kvm_segment *save)
2693 {
2694  const struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
2695  struct kvm_segment tmp = *save;
2696 
2697  if (!(vmcs_readl(sf->base) == tmp.base && tmp.s)) {
2698  tmp.base = vmcs_readl(sf->base);
2699  tmp.selector = vmcs_read16(sf->selector);
2700  tmp.s = 1;
2701  }
2702  vmx_set_segment(vcpu, &tmp, seg);
2703 }
2704 
2705 static void enter_pmode(struct kvm_vcpu *vcpu)
2706 {
2707  unsigned long flags;
2708  struct vcpu_vmx *vmx = to_vmx(vcpu);
2709 
2710  vmx->emulation_required = 1;
2711  vmx->rmode.vm86_active = 0;
2712 
2713  vmx_segment_cache_clear(vmx);
2714 
2715  vmx_set_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_TR], VCPU_SREG_TR);
2716 
2717  flags = vmcs_readl(GUEST_RFLAGS);
2718  flags &= RMODE_GUEST_OWNED_EFLAGS_BITS;
2719  flags |= vmx->rmode.save_rflags & ~RMODE_GUEST_OWNED_EFLAGS_BITS;
2720  vmcs_writel(GUEST_RFLAGS, flags);
2721 
2722  vmcs_writel(GUEST_CR4, (vmcs_readl(GUEST_CR4) & ~X86_CR4_VME) |
2723  (vmcs_readl(CR4_READ_SHADOW) & X86_CR4_VME));
2724 
2725  update_exception_bitmap(vcpu);
2726 
2727  if (emulate_invalid_guest_state)
2728  return;
2729 
2730  fix_pmode_dataseg(vcpu, VCPU_SREG_ES, &vmx->rmode.segs[VCPU_SREG_ES]);
2731  fix_pmode_dataseg(vcpu, VCPU_SREG_DS, &vmx->rmode.segs[VCPU_SREG_DS]);
2732  fix_pmode_dataseg(vcpu, VCPU_SREG_FS, &vmx->rmode.segs[VCPU_SREG_FS]);
2733  fix_pmode_dataseg(vcpu, VCPU_SREG_GS, &vmx->rmode.segs[VCPU_SREG_GS]);
2734 
2735  vmx_segment_cache_clear(vmx);
2736 
2737  vmcs_write16(GUEST_SS_SELECTOR, 0);
2738  vmcs_write32(GUEST_SS_AR_BYTES, 0x93);
2739 
2740  vmcs_write16(GUEST_CS_SELECTOR,
2741  vmcs_read16(GUEST_CS_SELECTOR) & ~SELECTOR_RPL_MASK);
2742  vmcs_write32(GUEST_CS_AR_BYTES, 0x9b);
2743 }
2744 
2745 static gva_t rmode_tss_base(struct kvm *kvm)
2746 {
2747  if (!kvm->arch.tss_addr) {
2748  struct kvm_memslots *slots;
2749  struct kvm_memory_slot *slot;
2750  gfn_t base_gfn;
2751 
2752  slots = kvm_memslots(kvm);
2753  slot = id_to_memslot(slots, 0);
2754  base_gfn = slot->base_gfn + slot->npages - 3;
2755 
2756  return base_gfn << PAGE_SHIFT;
2757  }
2758  return kvm->arch.tss_addr;
2759 }
2760 
2761 static void fix_rmode_seg(int seg, struct kvm_segment *save)
2762 {
2763  const struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
2764 
2765  vmcs_write16(sf->selector, save->base >> 4);
2766  vmcs_write32(sf->base, save->base & 0xffff0);
2767  vmcs_write32(sf->limit, 0xffff);
2768  vmcs_write32(sf->ar_bytes, 0xf3);
2769  if (save->base & 0xf)
2770  printk_once(KERN_WARNING "kvm: segment base is not paragraph"
2771  " aligned when entering protected mode (seg=%d)",
2772  seg);
2773 }
2774 
2775 static void enter_rmode(struct kvm_vcpu *vcpu)
2776 {
2777  unsigned long flags;
2778  struct vcpu_vmx *vmx = to_vmx(vcpu);
2779  struct kvm_segment var;
2780 
2781  if (enable_unrestricted_guest)
2782  return;
2783 
2784  vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_TR], VCPU_SREG_TR);
2785  vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_ES], VCPU_SREG_ES);
2786  vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_DS], VCPU_SREG_DS);
2787  vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_FS], VCPU_SREG_FS);
2788  vmx_get_segment(vcpu, &vmx->rmode.segs[VCPU_SREG_GS], VCPU_SREG_GS);
2789 
2790  vmx->emulation_required = 1;
2791  vmx->rmode.vm86_active = 1;
2792 
2793 
2794  /*
2795  * Very old userspace does not call KVM_SET_TSS_ADDR before entering
2796  * vcpu. Call it here with phys address pointing 16M below 4G.
2797  */
2798  if (!vcpu->kvm->arch.tss_addr) {
2799  printk_once(KERN_WARNING "kvm: KVM_SET_TSS_ADDR need to be "
2800  "called before entering vcpu\n");
2801  srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
2802  vmx_set_tss_addr(vcpu->kvm, 0xfeffd000);
2803  vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
2804  }
2805 
2806  vmx_segment_cache_clear(vmx);
2807 
2808  vmcs_writel(GUEST_TR_BASE, rmode_tss_base(vcpu->kvm));
2809  vmcs_write32(GUEST_TR_LIMIT, RMODE_TSS_SIZE - 1);
2810  vmcs_write32(GUEST_TR_AR_BYTES, 0x008b);
2811 
2812  flags = vmcs_readl(GUEST_RFLAGS);
2813  vmx->rmode.save_rflags = flags;
2814 
2815  flags |= X86_EFLAGS_IOPL | X86_EFLAGS_VM;
2816 
2817  vmcs_writel(GUEST_RFLAGS, flags);
2818  vmcs_writel(GUEST_CR4, vmcs_readl(GUEST_CR4) | X86_CR4_VME);
2819  update_exception_bitmap(vcpu);
2820 
2821  if (emulate_invalid_guest_state)
2822  goto continue_rmode;
2823 
2824  vmx_get_segment(vcpu, &var, VCPU_SREG_SS);
2825  vmx_set_segment(vcpu, &var, VCPU_SREG_SS);
2826 
2827  vmx_get_segment(vcpu, &var, VCPU_SREG_CS);
2828  vmx_set_segment(vcpu, &var, VCPU_SREG_CS);
2829 
2830  vmx_get_segment(vcpu, &var, VCPU_SREG_ES);
2831  vmx_set_segment(vcpu, &var, VCPU_SREG_ES);
2832 
2833  vmx_get_segment(vcpu, &var, VCPU_SREG_DS);
2834  vmx_set_segment(vcpu, &var, VCPU_SREG_DS);
2835 
2836  vmx_get_segment(vcpu, &var, VCPU_SREG_GS);
2837  vmx_set_segment(vcpu, &var, VCPU_SREG_GS);
2838 
2839  vmx_get_segment(vcpu, &var, VCPU_SREG_FS);
2840  vmx_set_segment(vcpu, &var, VCPU_SREG_FS);
2841 
2842 continue_rmode:
2843  kvm_mmu_reset_context(vcpu);
2844 }
2845 
2846 static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
2847 {
2848  struct vcpu_vmx *vmx = to_vmx(vcpu);
2849  struct shared_msr_entry *msr = find_msr_entry(vmx, MSR_EFER);
2850 
2851  if (!msr)
2852  return;
2853 
2854  /*
2855  * Force kernel_gs_base reloading before EFER changes, as control
2856  * of this msr depends on is_long_mode().
2857  */
2858  vmx_load_host_state(to_vmx(vcpu));
2859  vcpu->arch.efer = efer;
2860  if (efer & EFER_LMA) {
2861  vmcs_write32(VM_ENTRY_CONTROLS,
2862  vmcs_read32(VM_ENTRY_CONTROLS) |
2863  VM_ENTRY_IA32E_MODE);
2864  msr->data = efer;
2865  } else {
2866  vmcs_write32(VM_ENTRY_CONTROLS,
2867  vmcs_read32(VM_ENTRY_CONTROLS) &
2868  ~VM_ENTRY_IA32E_MODE);
2869 
2870  msr->data = efer & ~EFER_LME;
2871  }
2872  setup_msrs(vmx);
2873 }
2874 
2875 #ifdef CONFIG_X86_64
2876 
2877 static void enter_lmode(struct kvm_vcpu *vcpu)
2878 {
2879  u32 guest_tr_ar;
2880 
2881  vmx_segment_cache_clear(to_vmx(vcpu));
2882 
2883  guest_tr_ar = vmcs_read32(GUEST_TR_AR_BYTES);
2884  if ((guest_tr_ar & AR_TYPE_MASK) != AR_TYPE_BUSY_64_TSS) {
2885  pr_debug_ratelimited("%s: tss fixup for long mode. \n",
2886  __func__);
2887  vmcs_write32(GUEST_TR_AR_BYTES,
2888  (guest_tr_ar & ~AR_TYPE_MASK)
2889  | AR_TYPE_BUSY_64_TSS);
2890  }
2891  vmx_set_efer(vcpu, vcpu->arch.efer | EFER_LMA);
2892 }
2893 
2894 static void exit_lmode(struct kvm_vcpu *vcpu)
2895 {
2896  vmcs_write32(VM_ENTRY_CONTROLS,
2897  vmcs_read32(VM_ENTRY_CONTROLS)
2898  & ~VM_ENTRY_IA32E_MODE);
2899  vmx_set_efer(vcpu, vcpu->arch.efer & ~EFER_LMA);
2900 }
2901 
2902 #endif
2903 
2904 static void vmx_flush_tlb(struct kvm_vcpu *vcpu)
2905 {
2906  vpid_sync_context(to_vmx(vcpu));
2907  if (enable_ept) {
2908  if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
2909  return;
2910  ept_sync_context(construct_eptp(vcpu->arch.mmu.root_hpa));
2911  }
2912 }
2913 
2914 static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu)
2915 {
2916  ulong cr0_guest_owned_bits = vcpu->arch.cr0_guest_owned_bits;
2917 
2918  vcpu->arch.cr0 &= ~cr0_guest_owned_bits;
2919  vcpu->arch.cr0 |= vmcs_readl(GUEST_CR0) & cr0_guest_owned_bits;
2920 }
2921 
2922 static void vmx_decache_cr3(struct kvm_vcpu *vcpu)
2923 {
2924  if (enable_ept && is_paging(vcpu))
2925  vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
2926  __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
2927 }
2928 
2929 static void vmx_decache_cr4_guest_bits(struct kvm_vcpu *vcpu)
2930 {
2931  ulong cr4_guest_owned_bits = vcpu->arch.cr4_guest_owned_bits;
2932 
2933  vcpu->arch.cr4 &= ~cr4_guest_owned_bits;
2934  vcpu->arch.cr4 |= vmcs_readl(GUEST_CR4) & cr4_guest_owned_bits;
2935 }
2936 
2937 static void ept_load_pdptrs(struct kvm_vcpu *vcpu)
2938 {
2939  if (!test_bit(VCPU_EXREG_PDPTR,
2940  (unsigned long *)&vcpu->arch.regs_dirty))
2941  return;
2942 
2943  if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
2944  vmcs_write64(GUEST_PDPTR0, vcpu->arch.mmu.pdptrs[0]);
2945  vmcs_write64(GUEST_PDPTR1, vcpu->arch.mmu.pdptrs[1]);
2946  vmcs_write64(GUEST_PDPTR2, vcpu->arch.mmu.pdptrs[2]);
2947  vmcs_write64(GUEST_PDPTR3, vcpu->arch.mmu.pdptrs[3]);
2948  }
2949 }
2950 
2951 static void ept_save_pdptrs(struct kvm_vcpu *vcpu)
2952 {
2953  if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
2954  vcpu->arch.mmu.pdptrs[0] = vmcs_read64(GUEST_PDPTR0);
2955  vcpu->arch.mmu.pdptrs[1] = vmcs_read64(GUEST_PDPTR1);
2956  vcpu->arch.mmu.pdptrs[2] = vmcs_read64(GUEST_PDPTR2);
2957  vcpu->arch.mmu.pdptrs[3] = vmcs_read64(GUEST_PDPTR3);
2958  }
2959 
2960  __set_bit(VCPU_EXREG_PDPTR,
2961  (unsigned long *)&vcpu->arch.regs_avail);
2962  __set_bit(VCPU_EXREG_PDPTR,
2963  (unsigned long *)&vcpu->arch.regs_dirty);
2964 }
2965 
2966 static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
2967 
2968 static void ept_update_paging_mode_cr0(unsigned long *hw_cr0,
2969  unsigned long cr0,
2970  struct kvm_vcpu *vcpu)
2971 {
2972  if (!test_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail))
2973  vmx_decache_cr3(vcpu);
2974  if (!(cr0 & X86_CR0_PG)) {
2975  /* From paging/starting to nonpaging */
2976  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL,
2977  vmcs_read32(CPU_BASED_VM_EXEC_CONTROL) |
2978  (CPU_BASED_CR3_LOAD_EXITING |
2979  CPU_BASED_CR3_STORE_EXITING));
2980  vcpu->arch.cr0 = cr0;
2981  vmx_set_cr4(vcpu, kvm_read_cr4(vcpu));
2982  } else if (!is_paging(vcpu)) {
2983  /* From nonpaging to paging */
2984  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL,
2985  vmcs_read32(CPU_BASED_VM_EXEC_CONTROL) &
2986  ~(CPU_BASED_CR3_LOAD_EXITING |
2987  CPU_BASED_CR3_STORE_EXITING));
2988  vcpu->arch.cr0 = cr0;
2989  vmx_set_cr4(vcpu, kvm_read_cr4(vcpu));
2990  }
2991 
2992  if (!(cr0 & X86_CR0_WP))
2993  *hw_cr0 &= ~X86_CR0_WP;
2994 }
2995 
2996 static void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
2997 {
2998  struct vcpu_vmx *vmx = to_vmx(vcpu);
2999  unsigned long hw_cr0;
3000 
3001  if (enable_unrestricted_guest)
3002  hw_cr0 = (cr0 & ~KVM_GUEST_CR0_MASK_UNRESTRICTED_GUEST)
3003  | KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST;
3004  else
3005  hw_cr0 = (cr0 & ~KVM_GUEST_CR0_MASK) | KVM_VM_CR0_ALWAYS_ON;
3006 
3007  if (vmx->rmode.vm86_active && (cr0 & X86_CR0_PE))
3008  enter_pmode(vcpu);
3009 
3010  if (!vmx->rmode.vm86_active && !(cr0 & X86_CR0_PE))
3011  enter_rmode(vcpu);
3012 
3013 #ifdef CONFIG_X86_64
3014  if (vcpu->arch.efer & EFER_LME) {
3015  if (!is_paging(vcpu) && (cr0 & X86_CR0_PG))
3016  enter_lmode(vcpu);
3017  if (is_paging(vcpu) && !(cr0 & X86_CR0_PG))
3018  exit_lmode(vcpu);
3019  }
3020 #endif
3021 
3022  if (enable_ept)
3023  ept_update_paging_mode_cr0(&hw_cr0, cr0, vcpu);
3024 
3025  if (!vcpu->fpu_active)
3026  hw_cr0 |= X86_CR0_TS | X86_CR0_MP;
3027 
3028  vmcs_writel(CR0_READ_SHADOW, cr0);
3029  vmcs_writel(GUEST_CR0, hw_cr0);
3030  vcpu->arch.cr0 = cr0;
3031  __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
3032 }
3033 
3034 static u64 construct_eptp(unsigned long root_hpa)
3035 {
3036  u64 eptp;
3037 
3038  /* TODO write the value reading from MSR */
3039  eptp = VMX_EPT_DEFAULT_MT |
3040  VMX_EPT_DEFAULT_GAW << VMX_EPT_GAW_EPTP_SHIFT;
3041  if (enable_ept_ad_bits)
3042  eptp |= VMX_EPT_AD_ENABLE_BIT;
3043  eptp |= (root_hpa & PAGE_MASK);
3044 
3045  return eptp;
3046 }
3047 
3048 static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
3049 {
3050  unsigned long guest_cr3;
3051  u64 eptp;
3052 
3053  guest_cr3 = cr3;
3054  if (enable_ept) {
3055  eptp = construct_eptp(cr3);
3056  vmcs_write64(EPT_POINTER, eptp);
3057  guest_cr3 = is_paging(vcpu) ? kvm_read_cr3(vcpu) :
3058  vcpu->kvm->arch.ept_identity_map_addr;
3059  ept_load_pdptrs(vcpu);
3060  }
3061 
3062  vmx_flush_tlb(vcpu);
3063  vmcs_writel(GUEST_CR3, guest_cr3);
3064 }
3065 
3066 static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
3067 {
3068  unsigned long hw_cr4 = cr4 | (to_vmx(vcpu)->rmode.vm86_active ?
3069  KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON);
3070 
3071  if (cr4 & X86_CR4_VMXE) {
3072  /*
3073  * To use VMXON (and later other VMX instructions), a guest
3074  * must first be able to turn on cr4.VMXE (see handle_vmon()).
3075  * So basically the check on whether to allow nested VMX
3076  * is here.
3077  */
3078  if (!nested_vmx_allowed(vcpu))
3079  return 1;
3080  } else if (to_vmx(vcpu)->nested.vmxon)
3081  return 1;
3082 
3083  vcpu->arch.cr4 = cr4;
3084  if (enable_ept) {
3085  if (!is_paging(vcpu)) {
3086  hw_cr4 &= ~X86_CR4_PAE;
3087  hw_cr4 |= X86_CR4_PSE;
3088  } else if (!(cr4 & X86_CR4_PAE)) {
3089  hw_cr4 &= ~X86_CR4_PAE;
3090  }
3091  }
3092 
3093  vmcs_writel(CR4_READ_SHADOW, cr4);
3094  vmcs_writel(GUEST_CR4, hw_cr4);
3095  return 0;
3096 }
3097 
3098 static void vmx_get_segment(struct kvm_vcpu *vcpu,
3099  struct kvm_segment *var, int seg)
3100 {
3101  struct vcpu_vmx *vmx = to_vmx(vcpu);
3102  u32 ar;
3103 
3104  if (vmx->rmode.vm86_active
3105  && (seg == VCPU_SREG_TR || seg == VCPU_SREG_ES
3106  || seg == VCPU_SREG_DS || seg == VCPU_SREG_FS
3107  || seg == VCPU_SREG_GS)) {
3108  *var = vmx->rmode.segs[seg];
3109  if (seg == VCPU_SREG_TR
3110  || var->selector == vmx_read_guest_seg_selector(vmx, seg))
3111  return;
3112  var->base = vmx_read_guest_seg_base(vmx, seg);
3113  var->selector = vmx_read_guest_seg_selector(vmx, seg);
3114  return;
3115  }
3116  var->base = vmx_read_guest_seg_base(vmx, seg);
3117  var->limit = vmx_read_guest_seg_limit(vmx, seg);
3118  var->selector = vmx_read_guest_seg_selector(vmx, seg);
3119  ar = vmx_read_guest_seg_ar(vmx, seg);
3120  if ((ar & AR_UNUSABLE_MASK) && !emulate_invalid_guest_state)
3121  ar = 0;
3122  var->type = ar & 15;
3123  var->s = (ar >> 4) & 1;
3124  var->dpl = (ar >> 5) & 3;
3125  var->present = (ar >> 7) & 1;
3126  var->avl = (ar >> 12) & 1;
3127  var->l = (ar >> 13) & 1;
3128  var->db = (ar >> 14) & 1;
3129  var->g = (ar >> 15) & 1;
3130  var->unusable = (ar >> 16) & 1;
3131 }
3132 
3133 static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg)
3134 {
3135  struct kvm_segment s;
3136 
3137  if (to_vmx(vcpu)->rmode.vm86_active) {
3138  vmx_get_segment(vcpu, &s, seg);
3139  return s.base;
3140  }
3141  return vmx_read_guest_seg_base(to_vmx(vcpu), seg);
3142 }
3143 
3144 static int __vmx_get_cpl(struct kvm_vcpu *vcpu)
3145 {
3146  if (!is_protmode(vcpu))
3147  return 0;
3148 
3149  if (!is_long_mode(vcpu)
3150  && (kvm_get_rflags(vcpu) & X86_EFLAGS_VM)) /* if virtual 8086 */
3151  return 3;
3152 
3153  return vmx_read_guest_seg_selector(to_vmx(vcpu), VCPU_SREG_CS) & 3;
3154 }
3155 
3156 static int vmx_get_cpl(struct kvm_vcpu *vcpu)
3157 {
3158  struct vcpu_vmx *vmx = to_vmx(vcpu);
3159 
3160  /*
3161  * If we enter real mode with cs.sel & 3 != 0, the normal CPL calculations
3162  * fail; use the cache instead.
3163  */
3164  if (unlikely(vmx->emulation_required && emulate_invalid_guest_state)) {
3165  return vmx->cpl;
3166  }
3167 
3168  if (!test_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail)) {
3169  __set_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
3170  vmx->cpl = __vmx_get_cpl(vcpu);
3171  }
3172 
3173  return vmx->cpl;
3174 }
3175 
3176 
3177 static u32 vmx_segment_access_rights(struct kvm_segment *var)
3178 {
3179  u32 ar;
3180 
3181  if (var->unusable || !var->present)
3182  ar = 1 << 16;
3183  else {
3184  ar = var->type & 15;
3185  ar |= (var->s & 1) << 4;
3186  ar |= (var->dpl & 3) << 5;
3187  ar |= (var->present & 1) << 7;
3188  ar |= (var->avl & 1) << 12;
3189  ar |= (var->l & 1) << 13;
3190  ar |= (var->db & 1) << 14;
3191  ar |= (var->g & 1) << 15;
3192  }
3193 
3194  return ar;
3195 }
3196 
3197 static void vmx_set_segment(struct kvm_vcpu *vcpu,
3198  struct kvm_segment *var, int seg)
3199 {
3200  struct vcpu_vmx *vmx = to_vmx(vcpu);
3201  const struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
3202  u32 ar;
3203 
3204  vmx_segment_cache_clear(vmx);
3205 
3206  if (vmx->rmode.vm86_active && seg == VCPU_SREG_TR) {
3207  vmcs_write16(sf->selector, var->selector);
3208  vmx->rmode.segs[VCPU_SREG_TR] = *var;
3209  return;
3210  }
3211  vmcs_writel(sf->base, var->base);
3212  vmcs_write32(sf->limit, var->limit);
3213  vmcs_write16(sf->selector, var->selector);
3214  if (vmx->rmode.vm86_active && var->s) {
3215  vmx->rmode.segs[seg] = *var;
3216  /*
3217  * Hack real-mode segments into vm86 compatibility.
3218  */
3219  if (var->base == 0xffff0000 && var->selector == 0xf000)
3220  vmcs_writel(sf->base, 0xf0000);
3221  ar = 0xf3;
3222  } else
3223  ar = vmx_segment_access_rights(var);
3224 
3225  /*
3226  * Fix the "Accessed" bit in AR field of segment registers for older
3227  * qemu binaries.
3228  * IA32 arch specifies that at the time of processor reset the
3229  * "Accessed" bit in the AR field of segment registers is 1. And qemu
3230  * is setting it to 0 in the userland code. This causes invalid guest
3231  * state vmexit when "unrestricted guest" mode is turned on.
3232  * Fix for this setup issue in cpu_reset is being pushed in the qemu
3233  * tree. Newer qemu binaries with that qemu fix would not need this
3234  * kvm hack.
3235  */
3236  if (enable_unrestricted_guest && (seg != VCPU_SREG_LDTR))
3237  ar |= 0x1; /* Accessed */
3238 
3239  vmcs_write32(sf->ar_bytes, ar);
3240  __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
3241 
3242  /*
3243  * Fix segments for real mode guest in hosts that don't have
3244  * "unrestricted_mode" or it was disabled.
3245  * This is done to allow migration of the guests from hosts with
3246  * unrestricted guest like Westmere to older host that don't have
3247  * unrestricted guest like Nehelem.
3248  */
3249  if (!enable_unrestricted_guest && vmx->rmode.vm86_active) {
3250  switch (seg) {
3251  case VCPU_SREG_CS:
3252  vmcs_write32(GUEST_CS_AR_BYTES, 0xf3);
3253  vmcs_write32(GUEST_CS_LIMIT, 0xffff);
3254  if (vmcs_readl(GUEST_CS_BASE) == 0xffff0000)
3255  vmcs_writel(GUEST_CS_BASE, 0xf0000);
3256  vmcs_write16(GUEST_CS_SELECTOR,
3257  vmcs_readl(GUEST_CS_BASE) >> 4);
3258  break;
3259  case VCPU_SREG_ES:
3260  case VCPU_SREG_DS:
3261  case VCPU_SREG_GS:
3262  case VCPU_SREG_FS:
3263  fix_rmode_seg(seg, &vmx->rmode.segs[seg]);
3264  break;
3265  case VCPU_SREG_SS:
3266  vmcs_write16(GUEST_SS_SELECTOR,
3267  vmcs_readl(GUEST_SS_BASE) >> 4);
3268  vmcs_write32(GUEST_SS_LIMIT, 0xffff);
3269  vmcs_write32(GUEST_SS_AR_BYTES, 0xf3);
3270  break;
3271  }
3272  }
3273 }
3274 
3275 static void vmx_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l)
3276 {
3277  u32 ar = vmx_read_guest_seg_ar(to_vmx(vcpu), VCPU_SREG_CS);
3278 
3279  *db = (ar >> 14) & 1;
3280  *l = (ar >> 13) & 1;
3281 }
3282 
3283 static void vmx_get_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
3284 {
3285  dt->size = vmcs_read32(GUEST_IDTR_LIMIT);
3286  dt->address = vmcs_readl(GUEST_IDTR_BASE);
3287 }
3288 
3289 static void vmx_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
3290 {
3291  vmcs_write32(GUEST_IDTR_LIMIT, dt->size);
3292  vmcs_writel(GUEST_IDTR_BASE, dt->address);
3293 }
3294 
3295 static void vmx_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
3296 {
3297  dt->size = vmcs_read32(GUEST_GDTR_LIMIT);
3298  dt->address = vmcs_readl(GUEST_GDTR_BASE);
3299 }
3300 
3301 static void vmx_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
3302 {
3303  vmcs_write32(GUEST_GDTR_LIMIT, dt->size);
3304  vmcs_writel(GUEST_GDTR_BASE, dt->address);
3305 }
3306 
3307 static bool rmode_segment_valid(struct kvm_vcpu *vcpu, int seg)
3308 {
3309  struct kvm_segment var;
3310  u32 ar;
3311 
3312  vmx_get_segment(vcpu, &var, seg);
3313  ar = vmx_segment_access_rights(&var);
3314 
3315  if (var.base != (var.selector << 4))
3316  return false;
3317  if (var.limit < 0xffff)
3318  return false;
3319  if (((ar | (3 << AR_DPL_SHIFT)) & ~(AR_G_MASK | AR_DB_MASK)) != 0xf3)
3320  return false;
3321 
3322  return true;
3323 }
3324 
3325 static bool code_segment_valid(struct kvm_vcpu *vcpu)
3326 {
3327  struct kvm_segment cs;
3328  unsigned int cs_rpl;
3329 
3330  vmx_get_segment(vcpu, &cs, VCPU_SREG_CS);
3331  cs_rpl = cs.selector & SELECTOR_RPL_MASK;
3332 
3333  if (cs.unusable)
3334  return false;
3335  if (~cs.type & (AR_TYPE_CODE_MASK|AR_TYPE_ACCESSES_MASK))
3336  return false;
3337  if (!cs.s)
3338  return false;
3339  if (cs.type & AR_TYPE_WRITEABLE_MASK) {
3340  if (cs.dpl > cs_rpl)
3341  return false;
3342  } else {
3343  if (cs.dpl != cs_rpl)
3344  return false;
3345  }
3346  if (!cs.present)
3347  return false;
3348 
3349  /* TODO: Add Reserved field check, this'll require a new member in the kvm_segment_field structure */
3350  return true;
3351 }
3352 
3353 static bool stack_segment_valid(struct kvm_vcpu *vcpu)
3354 {
3355  struct kvm_segment ss;
3356  unsigned int ss_rpl;
3357 
3358  vmx_get_segment(vcpu, &ss, VCPU_SREG_SS);
3359  ss_rpl = ss.selector & SELECTOR_RPL_MASK;
3360 
3361  if (ss.unusable)
3362  return true;
3363  if (ss.type != 3 && ss.type != 7)
3364  return false;
3365  if (!ss.s)
3366  return false;
3367  if (ss.dpl != ss_rpl) /* DPL != RPL */
3368  return false;
3369  if (!ss.present)
3370  return false;
3371 
3372  return true;
3373 }
3374 
3375 static bool data_segment_valid(struct kvm_vcpu *vcpu, int seg)
3376 {
3377  struct kvm_segment var;
3378  unsigned int rpl;
3379 
3380  vmx_get_segment(vcpu, &var, seg);
3381  rpl = var.selector & SELECTOR_RPL_MASK;
3382 
3383  if (var.unusable)
3384  return true;
3385  if (!var.s)
3386  return false;
3387  if (!var.present)
3388  return false;
3389  if (~var.type & (AR_TYPE_CODE_MASK|AR_TYPE_WRITEABLE_MASK)) {
3390  if (var.dpl < rpl) /* DPL < RPL */
3391  return false;
3392  }
3393 
3394  /* TODO: Add other members to kvm_segment_field to allow checking for other access
3395  * rights flags
3396  */
3397  return true;
3398 }
3399 
3400 static bool tr_valid(struct kvm_vcpu *vcpu)
3401 {
3402  struct kvm_segment tr;
3403 
3404  vmx_get_segment(vcpu, &tr, VCPU_SREG_TR);
3405 
3406  if (tr.unusable)
3407  return false;
3408  if (tr.selector & SELECTOR_TI_MASK) /* TI = 1 */
3409  return false;
3410  if (tr.type != 3 && tr.type != 11) /* TODO: Check if guest is in IA32e mode */
3411  return false;
3412  if (!tr.present)
3413  return false;
3414 
3415  return true;
3416 }
3417 
3418 static bool ldtr_valid(struct kvm_vcpu *vcpu)
3419 {
3420  struct kvm_segment ldtr;
3421 
3422  vmx_get_segment(vcpu, &ldtr, VCPU_SREG_LDTR);
3423 
3424  if (ldtr.unusable)
3425  return true;
3426  if (ldtr.selector & SELECTOR_TI_MASK) /* TI = 1 */
3427  return false;
3428  if (ldtr.type != 2)
3429  return false;
3430  if (!ldtr.present)
3431  return false;
3432 
3433  return true;
3434 }
3435 
3436 static bool cs_ss_rpl_check(struct kvm_vcpu *vcpu)
3437 {
3438  struct kvm_segment cs, ss;
3439 
3440  vmx_get_segment(vcpu, &cs, VCPU_SREG_CS);
3441  vmx_get_segment(vcpu, &ss, VCPU_SREG_SS);
3442 
3443  return ((cs.selector & SELECTOR_RPL_MASK) ==
3444  (ss.selector & SELECTOR_RPL_MASK));
3445 }
3446 
3447 /*
3448  * Check if guest state is valid. Returns true if valid, false if
3449  * not.
3450  * We assume that registers are always usable
3451  */
3452 static bool guest_state_valid(struct kvm_vcpu *vcpu)
3453 {
3454  /* real mode guest state checks */
3455  if (!is_protmode(vcpu)) {
3456  if (!rmode_segment_valid(vcpu, VCPU_SREG_CS))
3457  return false;
3458  if (!rmode_segment_valid(vcpu, VCPU_SREG_SS))
3459  return false;
3460  if (!rmode_segment_valid(vcpu, VCPU_SREG_DS))
3461  return false;
3462  if (!rmode_segment_valid(vcpu, VCPU_SREG_ES))
3463  return false;
3464  if (!rmode_segment_valid(vcpu, VCPU_SREG_FS))
3465  return false;
3466  if (!rmode_segment_valid(vcpu, VCPU_SREG_GS))
3467  return false;
3468  } else {
3469  /* protected mode guest state checks */
3470  if (!cs_ss_rpl_check(vcpu))
3471  return false;
3472  if (!code_segment_valid(vcpu))
3473  return false;
3474  if (!stack_segment_valid(vcpu))
3475  return false;
3476  if (!data_segment_valid(vcpu, VCPU_SREG_DS))
3477  return false;
3478  if (!data_segment_valid(vcpu, VCPU_SREG_ES))
3479  return false;
3480  if (!data_segment_valid(vcpu, VCPU_SREG_FS))
3481  return false;
3482  if (!data_segment_valid(vcpu, VCPU_SREG_GS))
3483  return false;
3484  if (!tr_valid(vcpu))
3485  return false;
3486  if (!ldtr_valid(vcpu))
3487  return false;
3488  }
3489  /* TODO:
3490  * - Add checks on RIP
3491  * - Add checks on RFLAGS
3492  */
3493 
3494  return true;
3495 }
3496 
3497 static int init_rmode_tss(struct kvm *kvm)
3498 {
3499  gfn_t fn;
3500  u16 data = 0;
3501  int r, idx, ret = 0;
3502 
3503  idx = srcu_read_lock(&kvm->srcu);
3504  fn = rmode_tss_base(kvm) >> PAGE_SHIFT;
3505  r = kvm_clear_guest_page(kvm, fn, 0, PAGE_SIZE);
3506  if (r < 0)
3507  goto out;
3508  data = TSS_BASE_SIZE + TSS_REDIRECTION_SIZE;
3509  r = kvm_write_guest_page(kvm, fn++, &data,
3510  TSS_IOPB_BASE_OFFSET, sizeof(u16));
3511  if (r < 0)
3512  goto out;
3513  r = kvm_clear_guest_page(kvm, fn++, 0, PAGE_SIZE);
3514  if (r < 0)
3515  goto out;
3516  r = kvm_clear_guest_page(kvm, fn, 0, PAGE_SIZE);
3517  if (r < 0)
3518  goto out;
3519  data = ~0;
3520  r = kvm_write_guest_page(kvm, fn, &data,
3521  RMODE_TSS_SIZE - 2 * PAGE_SIZE - 1,
3522  sizeof(u8));
3523  if (r < 0)
3524  goto out;
3525 
3526  ret = 1;
3527 out:
3528  srcu_read_unlock(&kvm->srcu, idx);
3529  return ret;
3530 }
3531 
3532 static int init_rmode_identity_map(struct kvm *kvm)
3533 {
3534  int i, idx, r, ret;
3535  pfn_t identity_map_pfn;
3536  u32 tmp;
3537 
3538  if (!enable_ept)
3539  return 1;
3540  if (unlikely(!kvm->arch.ept_identity_pagetable)) {
3541  printk(KERN_ERR "EPT: identity-mapping pagetable "
3542  "haven't been allocated!\n");
3543  return 0;
3544  }
3545  if (likely(kvm->arch.ept_identity_pagetable_done))
3546  return 1;
3547  ret = 0;
3548  identity_map_pfn = kvm->arch.ept_identity_map_addr >> PAGE_SHIFT;
3549  idx = srcu_read_lock(&kvm->srcu);
3550  r = kvm_clear_guest_page(kvm, identity_map_pfn, 0, PAGE_SIZE);
3551  if (r < 0)
3552  goto out;
3553  /* Set up identity-mapping pagetable for EPT in real mode */
3554  for (i = 0; i < PT32_ENT_PER_PAGE; i++) {
3555  tmp = (i << 22) + (_PAGE_PRESENT | _PAGE_RW | _PAGE_USER |
3556  _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_PSE);
3557  r = kvm_write_guest_page(kvm, identity_map_pfn,
3558  &tmp, i * sizeof(tmp), sizeof(tmp));
3559  if (r < 0)
3560  goto out;
3561  }
3562  kvm->arch.ept_identity_pagetable_done = true;
3563  ret = 1;
3564 out:
3565  srcu_read_unlock(&kvm->srcu, idx);
3566  return ret;
3567 }
3568 
3569 static void seg_setup(int seg)
3570 {
3571  const struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
3572  unsigned int ar;
3573 
3574  vmcs_write16(sf->selector, 0);
3575  vmcs_writel(sf->base, 0);
3576  vmcs_write32(sf->limit, 0xffff);
3577  if (enable_unrestricted_guest) {
3578  ar = 0x93;
3579  if (seg == VCPU_SREG_CS)
3580  ar |= 0x08; /* code segment */
3581  } else
3582  ar = 0xf3;
3583 
3584  vmcs_write32(sf->ar_bytes, ar);
3585 }
3586 
3587 static int alloc_apic_access_page(struct kvm *kvm)
3588 {
3589  struct page *page;
3590  struct kvm_userspace_memory_region kvm_userspace_mem;
3591  int r = 0;
3592 
3593  mutex_lock(&kvm->slots_lock);
3594  if (kvm->arch.apic_access_page)
3595  goto out;
3596  kvm_userspace_mem.slot = APIC_ACCESS_PAGE_PRIVATE_MEMSLOT;
3597  kvm_userspace_mem.flags = 0;
3598  kvm_userspace_mem.guest_phys_addr = 0xfee00000ULL;
3599  kvm_userspace_mem.memory_size = PAGE_SIZE;
3600  r = __kvm_set_memory_region(kvm, &kvm_userspace_mem, 0);
3601  if (r)
3602  goto out;
3603 
3604  page = gfn_to_page(kvm, 0xfee00);
3605  if (is_error_page(page)) {
3606  r = -EFAULT;
3607  goto out;
3608  }
3609 
3610  kvm->arch.apic_access_page = page;
3611 out:
3612  mutex_unlock(&kvm->slots_lock);
3613  return r;
3614 }
3615 
3616 static int alloc_identity_pagetable(struct kvm *kvm)
3617 {
3618  struct page *page;
3619  struct kvm_userspace_memory_region kvm_userspace_mem;
3620  int r = 0;
3621 
3622  mutex_lock(&kvm->slots_lock);
3623  if (kvm->arch.ept_identity_pagetable)
3624  goto out;
3625  kvm_userspace_mem.slot = IDENTITY_PAGETABLE_PRIVATE_MEMSLOT;
3626  kvm_userspace_mem.flags = 0;
3627  kvm_userspace_mem.guest_phys_addr =
3628  kvm->arch.ept_identity_map_addr;
3629  kvm_userspace_mem.memory_size = PAGE_SIZE;
3630  r = __kvm_set_memory_region(kvm, &kvm_userspace_mem, 0);
3631  if (r)
3632  goto out;
3633 
3634  page = gfn_to_page(kvm, kvm->arch.ept_identity_map_addr >> PAGE_SHIFT);
3635  if (is_error_page(page)) {
3636  r = -EFAULT;
3637  goto out;
3638  }
3639 
3640  kvm->arch.ept_identity_pagetable = page;
3641 out:
3642  mutex_unlock(&kvm->slots_lock);
3643  return r;
3644 }
3645 
3646 static void allocate_vpid(struct vcpu_vmx *vmx)
3647 {
3648  int vpid;
3649 
3650  vmx->vpid = 0;
3651  if (!enable_vpid)
3652  return;
3653  spin_lock(&vmx_vpid_lock);
3654  vpid = find_first_zero_bit(vmx_vpid_bitmap, VMX_NR_VPIDS);
3655  if (vpid < VMX_NR_VPIDS) {
3656  vmx->vpid = vpid;
3657  __set_bit(vpid, vmx_vpid_bitmap);
3658  }
3659  spin_unlock(&vmx_vpid_lock);
3660 }
3661 
3662 static void free_vpid(struct vcpu_vmx *vmx)
3663 {
3664  if (!enable_vpid)
3665  return;
3666  spin_lock(&vmx_vpid_lock);
3667  if (vmx->vpid != 0)
3668  __clear_bit(vmx->vpid, vmx_vpid_bitmap);
3669  spin_unlock(&vmx_vpid_lock);
3670 }
3671 
3672 static void __vmx_disable_intercept_for_msr(unsigned long *msr_bitmap, u32 msr)
3673 {
3674  int f = sizeof(unsigned long);
3675 
3676  if (!cpu_has_vmx_msr_bitmap())
3677  return;
3678 
3679  /*
3680  * See Intel PRM Vol. 3, 20.6.9 (MSR-Bitmap Address). Early manuals
3681  * have the write-low and read-high bitmap offsets the wrong way round.
3682  * We can control MSRs 0x00000000-0x00001fff and 0xc0000000-0xc0001fff.
3683  */
3684  if (msr <= 0x1fff) {
3685  __clear_bit(msr, msr_bitmap + 0x000 / f); /* read-low */
3686  __clear_bit(msr, msr_bitmap + 0x800 / f); /* write-low */
3687  } else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff)) {
3688  msr &= 0x1fff;
3689  __clear_bit(msr, msr_bitmap + 0x400 / f); /* read-high */
3690  __clear_bit(msr, msr_bitmap + 0xc00 / f); /* write-high */
3691  }
3692 }
3693 
3694 static void vmx_disable_intercept_for_msr(u32 msr, bool longmode_only)
3695 {
3696  if (!longmode_only)
3697  __vmx_disable_intercept_for_msr(vmx_msr_bitmap_legacy, msr);
3698  __vmx_disable_intercept_for_msr(vmx_msr_bitmap_longmode, msr);
3699 }
3700 
3701 /*
3702  * Set up the vmcs's constant host-state fields, i.e., host-state fields that
3703  * will not change in the lifetime of the guest.
3704  * Note that host-state that does change is set elsewhere. E.g., host-state
3705  * that is set differently for each CPU is set in vmx_vcpu_load(), not here.
3706  */
3707 static void vmx_set_constant_host_state(void)
3708 {
3709  u32 low32, high32;
3710  unsigned long tmpl;
3711  struct desc_ptr dt;
3712 
3713  vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
3714  vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */
3715  vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
3716 
3717  vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
3718 #ifdef CONFIG_X86_64
3719  /*
3720  * Load null selectors, so we can avoid reloading them in
3721  * __vmx_load_host_state(), in case userspace uses the null selectors
3722  * too (the expected case).
3723  */
3724  vmcs_write16(HOST_DS_SELECTOR, 0);
3725  vmcs_write16(HOST_ES_SELECTOR, 0);
3726 #else
3727  vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
3728  vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */
3729 #endif
3730  vmcs_write16(HOST_SS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
3731  vmcs_write16(HOST_TR_SELECTOR, GDT_ENTRY_TSS*8); /* 22.2.4 */
3732 
3733  native_store_idt(&dt);
3734  vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
3735 
3736  vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
3737 
3738  rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
3739  vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
3740  rdmsrl(MSR_IA32_SYSENTER_EIP, tmpl);
3741  vmcs_writel(HOST_IA32_SYSENTER_EIP, tmpl); /* 22.2.3 */
3742 
3743  if (vmcs_config.vmexit_ctrl & VM_EXIT_LOAD_IA32_PAT) {
3744  rdmsr(MSR_IA32_CR_PAT, low32, high32);
3745  vmcs_write64(HOST_IA32_PAT, low32 | ((u64) high32 << 32));
3746  }
3747 }
3748 
3749 static void set_cr4_guest_host_mask(struct vcpu_vmx *vmx)
3750 {
3751  vmx->vcpu.arch.cr4_guest_owned_bits = KVM_CR4_GUEST_OWNED_BITS;
3752  if (enable_ept)
3753  vmx->vcpu.arch.cr4_guest_owned_bits |= X86_CR4_PGE;
3754  if (is_guest_mode(&vmx->vcpu))
3755  vmx->vcpu.arch.cr4_guest_owned_bits &=
3756  ~get_vmcs12(&vmx->vcpu)->cr4_guest_host_mask;
3757  vmcs_writel(CR4_GUEST_HOST_MASK, ~vmx->vcpu.arch.cr4_guest_owned_bits);
3758 }
3759 
3760 static u32 vmx_exec_control(struct vcpu_vmx *vmx)
3761 {
3762  u32 exec_control = vmcs_config.cpu_based_exec_ctrl;
3763  if (!vm_need_tpr_shadow(vmx->vcpu.kvm)) {
3764  exec_control &= ~CPU_BASED_TPR_SHADOW;
3765 #ifdef CONFIG_X86_64
3766  exec_control |= CPU_BASED_CR8_STORE_EXITING |
3767  CPU_BASED_CR8_LOAD_EXITING;
3768 #endif
3769  }
3770  if (!enable_ept)
3771  exec_control |= CPU_BASED_CR3_STORE_EXITING |
3772  CPU_BASED_CR3_LOAD_EXITING |
3773  CPU_BASED_INVLPG_EXITING;
3774  return exec_control;
3775 }
3776 
3777 static u32 vmx_secondary_exec_control(struct vcpu_vmx *vmx)
3778 {
3779  u32 exec_control = vmcs_config.cpu_based_2nd_exec_ctrl;
3780  if (!vm_need_virtualize_apic_accesses(vmx->vcpu.kvm))
3781  exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
3782  if (vmx->vpid == 0)
3783  exec_control &= ~SECONDARY_EXEC_ENABLE_VPID;
3784  if (!enable_ept) {
3785  exec_control &= ~SECONDARY_EXEC_ENABLE_EPT;
3786  enable_unrestricted_guest = 0;
3787  /* Enable INVPCID for non-ept guests may cause performance regression. */
3788  exec_control &= ~SECONDARY_EXEC_ENABLE_INVPCID;
3789  }
3790  if (!enable_unrestricted_guest)
3791  exec_control &= ~SECONDARY_EXEC_UNRESTRICTED_GUEST;
3792  if (!ple_gap)
3793  exec_control &= ~SECONDARY_EXEC_PAUSE_LOOP_EXITING;
3794  return exec_control;
3795 }
3796 
3797 static void ept_set_mmio_spte_mask(void)
3798 {
3799  /*
3800  * EPT Misconfigurations can be generated if the value of bits 2:0
3801  * of an EPT paging-structure entry is 110b (write/execute).
3802  * Also, magic bits (0xffull << 49) is set to quickly identify mmio
3803  * spte.
3804  */
3805  kvm_mmu_set_mmio_spte_mask(0xffull << 49 | 0x6ull);
3806 }
3807 
3808 /*
3809  * Sets up the vmcs for emulated real mode.
3810  */
3811 static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
3812 {
3813 #ifdef CONFIG_X86_64
3814  unsigned long a;
3815 #endif
3816  int i;
3817 
3818  /* I/O */
3819  vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap_a));
3820  vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap_b));
3821 
3822  if (cpu_has_vmx_msr_bitmap())
3823  vmcs_write64(MSR_BITMAP, __pa(vmx_msr_bitmap_legacy));
3824 
3825  vmcs_write64(VMCS_LINK_POINTER, -1ull); /* 22.3.1.5 */
3826 
3827  /* Control */
3828  vmcs_write32(PIN_BASED_VM_EXEC_CONTROL,
3829  vmcs_config.pin_based_exec_ctrl);
3830 
3831  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, vmx_exec_control(vmx));
3832 
3833  if (cpu_has_secondary_exec_ctrls()) {
3834  vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
3835  vmx_secondary_exec_control(vmx));
3836  }
3837 
3838  if (ple_gap) {
3839  vmcs_write32(PLE_GAP, ple_gap);
3840  vmcs_write32(PLE_WINDOW, ple_window);
3841  }
3842 
3843  vmcs_write32(PAGE_FAULT_ERROR_CODE_MASK, 0);
3844  vmcs_write32(PAGE_FAULT_ERROR_CODE_MATCH, 0);
3845  vmcs_write32(CR3_TARGET_COUNT, 0); /* 22.2.1 */
3846 
3847  vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */
3848  vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */
3849  vmx_set_constant_host_state();
3850 #ifdef CONFIG_X86_64
3851  rdmsrl(MSR_FS_BASE, a);
3852  vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */
3853  rdmsrl(MSR_GS_BASE, a);
3854  vmcs_writel(HOST_GS_BASE, a); /* 22.2.4 */
3855 #else
3856  vmcs_writel(HOST_FS_BASE, 0); /* 22.2.4 */
3857  vmcs_writel(HOST_GS_BASE, 0); /* 22.2.4 */
3858 #endif
3859 
3860  vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
3861  vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
3862  vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
3863  vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
3864  vmcs_write64(VM_ENTRY_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.guest));
3865 
3866  if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
3867  u32 msr_low, msr_high;
3868  u64 host_pat;
3869  rdmsr(MSR_IA32_CR_PAT, msr_low, msr_high);
3870  host_pat = msr_low | ((u64) msr_high << 32);
3871  /* Write the default value follow host pat */
3872  vmcs_write64(GUEST_IA32_PAT, host_pat);
3873  /* Keep arch.pat sync with GUEST_IA32_PAT */
3874  vmx->vcpu.arch.pat = host_pat;
3875  }
3876 
3877  for (i = 0; i < NR_VMX_MSR; ++i) {
3878  u32 index = vmx_msr_index[i];
3879  u32 data_low, data_high;
3880  int j = vmx->nmsrs;
3881 
3882  if (rdmsr_safe(index, &data_low, &data_high) < 0)
3883  continue;
3884  if (wrmsr_safe(index, data_low, data_high) < 0)
3885  continue;
3886  vmx->guest_msrs[j].index = i;
3887  vmx->guest_msrs[j].data = 0;
3888  vmx->guest_msrs[j].mask = -1ull;
3889  ++vmx->nmsrs;
3890  }
3891 
3892  vmcs_write32(VM_EXIT_CONTROLS, vmcs_config.vmexit_ctrl);
3893 
3894  /* 22.2.1, 20.8.1 */
3895  vmcs_write32(VM_ENTRY_CONTROLS, vmcs_config.vmentry_ctrl);
3896 
3897  vmcs_writel(CR0_GUEST_HOST_MASK, ~0UL);
3898  set_cr4_guest_host_mask(vmx);
3899 
3900  kvm_write_tsc(&vmx->vcpu, 0);
3901 
3902  return 0;
3903 }
3904 
3905 static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
3906 {
3907  struct vcpu_vmx *vmx = to_vmx(vcpu);
3908  u64 msr;
3909  int ret;
3910 
3911  vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP));
3912 
3913  vmx->rmode.vm86_active = 0;
3914 
3915  vmx->soft_vnmi_blocked = 0;
3916 
3917  vmx->vcpu.arch.regs[VCPU_REGS_RDX] = get_rdx_init_val();
3918  kvm_set_cr8(&vmx->vcpu, 0);
3919  msr = 0xfee00000 | MSR_IA32_APICBASE_ENABLE;
3920  if (kvm_vcpu_is_bsp(&vmx->vcpu))
3921  msr |= MSR_IA32_APICBASE_BSP;
3922  kvm_set_apic_base(&vmx->vcpu, msr);
3923 
3924  ret = fx_init(&vmx->vcpu);
3925  if (ret != 0)
3926  goto out;
3927 
3928  vmx_segment_cache_clear(vmx);
3929 
3930  seg_setup(VCPU_SREG_CS);
3931  /*
3932  * GUEST_CS_BASE should really be 0xffff0000, but VT vm86 mode
3933  * insists on having GUEST_CS_BASE == GUEST_CS_SELECTOR << 4. Sigh.
3934  */
3935  if (kvm_vcpu_is_bsp(&vmx->vcpu)) {
3936  vmcs_write16(GUEST_CS_SELECTOR, 0xf000);
3937  vmcs_writel(GUEST_CS_BASE, 0x000f0000);
3938  } else {
3939  vmcs_write16(GUEST_CS_SELECTOR, vmx->vcpu.arch.sipi_vector << 8);
3940  vmcs_writel(GUEST_CS_BASE, vmx->vcpu.arch.sipi_vector << 12);
3941  }
3942 
3943  seg_setup(VCPU_SREG_DS);
3944  seg_setup(VCPU_SREG_ES);
3945  seg_setup(VCPU_SREG_FS);
3946  seg_setup(VCPU_SREG_GS);
3947  seg_setup(VCPU_SREG_SS);
3948 
3949  vmcs_write16(GUEST_TR_SELECTOR, 0);
3950  vmcs_writel(GUEST_TR_BASE, 0);
3951  vmcs_write32(GUEST_TR_LIMIT, 0xffff);
3952  vmcs_write32(GUEST_TR_AR_BYTES, 0x008b);
3953 
3954  vmcs_write16(GUEST_LDTR_SELECTOR, 0);
3955  vmcs_writel(GUEST_LDTR_BASE, 0);
3956  vmcs_write32(GUEST_LDTR_LIMIT, 0xffff);
3957  vmcs_write32(GUEST_LDTR_AR_BYTES, 0x00082);
3958 
3959  vmcs_write32(GUEST_SYSENTER_CS, 0);
3960  vmcs_writel(GUEST_SYSENTER_ESP, 0);
3961  vmcs_writel(GUEST_SYSENTER_EIP, 0);
3962 
3963  vmcs_writel(GUEST_RFLAGS, 0x02);
3964  if (kvm_vcpu_is_bsp(&vmx->vcpu))
3965  kvm_rip_write(vcpu, 0xfff0);
3966  else
3967  kvm_rip_write(vcpu, 0);
3968  kvm_register_write(vcpu, VCPU_REGS_RSP, 0);
3969 
3970  vmcs_writel(GUEST_GDTR_BASE, 0);
3971  vmcs_write32(GUEST_GDTR_LIMIT, 0xffff);
3972 
3973  vmcs_writel(GUEST_IDTR_BASE, 0);
3974  vmcs_write32(GUEST_IDTR_LIMIT, 0xffff);
3975 
3976  vmcs_write32(GUEST_ACTIVITY_STATE, GUEST_ACTIVITY_ACTIVE);
3977  vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, 0);
3978  vmcs_write32(GUEST_PENDING_DBG_EXCEPTIONS, 0);
3979 
3980  /* Special registers */
3981  vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
3982 
3983  setup_msrs(vmx);
3984 
3985  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0); /* 22.2.1 */
3986 
3987  if (cpu_has_vmx_tpr_shadow()) {
3988  vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0);
3989  if (vm_need_tpr_shadow(vmx->vcpu.kvm))
3990  vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
3991  __pa(vmx->vcpu.arch.apic->regs));
3992  vmcs_write32(TPR_THRESHOLD, 0);
3993  }
3994 
3995  if (vm_need_virtualize_apic_accesses(vmx->vcpu.kvm))
3996  vmcs_write64(APIC_ACCESS_ADDR,
3997  page_to_phys(vmx->vcpu.kvm->arch.apic_access_page));
3998 
3999  if (vmx->vpid != 0)
4000  vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
4001 
4002  vmx->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
4003  vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
4004  vmx_set_cr0(&vmx->vcpu, kvm_read_cr0(vcpu)); /* enter rmode */
4005  srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
4006  vmx_set_cr4(&vmx->vcpu, 0);
4007  vmx_set_efer(&vmx->vcpu, 0);
4008  vmx_fpu_activate(&vmx->vcpu);
4009  update_exception_bitmap(&vmx->vcpu);
4010 
4011  vpid_sync_context(vmx);
4012 
4013  ret = 0;
4014 
4015  /* HACK: Don't enable emulation on guest boot/reset */
4016  vmx->emulation_required = 0;
4017 
4018 out:
4019  return ret;
4020 }
4021 
4022 /*
4023  * In nested virtualization, check if L1 asked to exit on external interrupts.
4024  * For most existing hypervisors, this will always return true.
4025  */
4026 static bool nested_exit_on_intr(struct kvm_vcpu *vcpu)
4027 {
4028  return get_vmcs12(vcpu)->pin_based_vm_exec_control &
4029  PIN_BASED_EXT_INTR_MASK;
4030 }
4031 
4032 static void enable_irq_window(struct kvm_vcpu *vcpu)
4033 {
4034  u32 cpu_based_vm_exec_control;
4035  if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) {
4036  /*
4037  * We get here if vmx_interrupt_allowed() said we can't
4038  * inject to L1 now because L2 must run. Ask L2 to exit
4039  * right after entry, so we can inject to L1 more promptly.
4040  */
4041  kvm_make_request(KVM_REQ_IMMEDIATE_EXIT, vcpu);
4042  return;
4043  }
4044 
4045  cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
4046  cpu_based_vm_exec_control |= CPU_BASED_VIRTUAL_INTR_PENDING;
4047  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
4048 }
4049 
4050 static void enable_nmi_window(struct kvm_vcpu *vcpu)
4051 {
4052  u32 cpu_based_vm_exec_control;
4053 
4054  if (!cpu_has_virtual_nmis()) {
4055  enable_irq_window(vcpu);
4056  return;
4057  }
4058 
4059  if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) {
4060  enable_irq_window(vcpu);
4061  return;
4062  }
4063  cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
4064  cpu_based_vm_exec_control |= CPU_BASED_VIRTUAL_NMI_PENDING;
4065  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
4066 }
4067 
4068 static void vmx_inject_irq(struct kvm_vcpu *vcpu)
4069 {
4070  struct vcpu_vmx *vmx = to_vmx(vcpu);
4071  uint32_t intr;
4072  int irq = vcpu->arch.interrupt.nr;
4073 
4074  trace_kvm_inj_virq(irq);
4075 
4076  ++vcpu->stat.irq_injections;
4077  if (vmx->rmode.vm86_active) {
4078  int inc_eip = 0;
4079  if (vcpu->arch.interrupt.soft)
4080  inc_eip = vcpu->arch.event_exit_inst_len;
4081  if (kvm_inject_realmode_interrupt(vcpu, irq, inc_eip) != EMULATE_DONE)
4082  kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
4083  return;
4084  }
4085  intr = irq | INTR_INFO_VALID_MASK;
4086  if (vcpu->arch.interrupt.soft) {
4087  intr |= INTR_TYPE_SOFT_INTR;
4088  vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
4089  vmx->vcpu.arch.event_exit_inst_len);
4090  } else
4091  intr |= INTR_TYPE_EXT_INTR;
4092  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr);
4093 }
4094 
4095 static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
4096 {
4097  struct vcpu_vmx *vmx = to_vmx(vcpu);
4098 
4099  if (is_guest_mode(vcpu))
4100  return;
4101 
4102  if (!cpu_has_virtual_nmis()) {
4103  /*
4104  * Tracking the NMI-blocked state in software is built upon
4105  * finding the next open IRQ window. This, in turn, depends on
4106  * well-behaving guests: They have to keep IRQs disabled at
4107  * least as long as the NMI handler runs. Otherwise we may
4108  * cause NMI nesting, maybe breaking the guest. But as this is
4109  * highly unlikely, we can live with the residual risk.
4110  */
4111  vmx->soft_vnmi_blocked = 1;
4112  vmx->vnmi_blocked_time = 0;
4113  }
4114 
4115  ++vcpu->stat.nmi_injections;
4116  vmx->nmi_known_unmasked = false;
4117  if (vmx->rmode.vm86_active) {
4118  if (kvm_inject_realmode_interrupt(vcpu, NMI_VECTOR, 0) != EMULATE_DONE)
4119  kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
4120  return;
4121  }
4122  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
4123  INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK | NMI_VECTOR);
4124 }
4125 
4126 static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
4127 {
4128  if (!cpu_has_virtual_nmis() && to_vmx(vcpu)->soft_vnmi_blocked)
4129  return 0;
4130 
4131  return !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
4132  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
4133  | GUEST_INTR_STATE_NMI));
4134 }
4135 
4136 static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
4137 {
4138  if (!cpu_has_virtual_nmis())
4139  return to_vmx(vcpu)->soft_vnmi_blocked;
4140  if (to_vmx(vcpu)->nmi_known_unmasked)
4141  return false;
4142  return vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI;
4143 }
4144 
4145 static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
4146 {
4147  struct vcpu_vmx *vmx = to_vmx(vcpu);
4148 
4149  if (!cpu_has_virtual_nmis()) {
4150  if (vmx->soft_vnmi_blocked != masked) {
4151  vmx->soft_vnmi_blocked = masked;
4152  vmx->vnmi_blocked_time = 0;
4153  }
4154  } else {
4155  vmx->nmi_known_unmasked = !masked;
4156  if (masked)
4157  vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
4158  GUEST_INTR_STATE_NMI);
4159  else
4160  vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO,
4161  GUEST_INTR_STATE_NMI);
4162  }
4163 }
4164 
4165 static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu)
4166 {
4167  if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) {
4168  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
4169  if (to_vmx(vcpu)->nested.nested_run_pending ||
4170  (vmcs12->idt_vectoring_info_field &
4171  VECTORING_INFO_VALID_MASK))
4172  return 0;
4173  nested_vmx_vmexit(vcpu);
4174  vmcs12->vm_exit_reason = EXIT_REASON_EXTERNAL_INTERRUPT;
4175  vmcs12->vm_exit_intr_info = 0;
4176  /* fall through to normal code, but now in L1, not L2 */
4177  }
4178 
4179  return (vmcs_readl(GUEST_RFLAGS) & X86_EFLAGS_IF) &&
4180  !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
4181  (GUEST_INTR_STATE_STI | GUEST_INTR_STATE_MOV_SS));
4182 }
4183 
4184 static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr)
4185 {
4186  int ret;
4187  struct kvm_userspace_memory_region tss_mem = {
4188  .slot = TSS_PRIVATE_MEMSLOT,
4189  .guest_phys_addr = addr,
4190  .memory_size = PAGE_SIZE * 3,
4191  .flags = 0,
4192  };
4193 
4194  ret = kvm_set_memory_region(kvm, &tss_mem, 0);
4195  if (ret)
4196  return ret;
4197  kvm->arch.tss_addr = addr;
4198  if (!init_rmode_tss(kvm))
4199  return -ENOMEM;
4200 
4201  return 0;
4202 }
4203 
4204 static int handle_rmode_exception(struct kvm_vcpu *vcpu,
4205  int vec, u32 err_code)
4206 {
4207  /*
4208  * Instruction with address size override prefix opcode 0x67
4209  * Cause the #SS fault with 0 error code in VM86 mode.
4210  */
4211  if (((vec == GP_VECTOR) || (vec == SS_VECTOR)) && err_code == 0)
4212  if (emulate_instruction(vcpu, 0) == EMULATE_DONE)
4213  return 1;
4214  /*
4215  * Forward all other exceptions that are valid in real mode.
4216  * FIXME: Breaks guest debugging in real mode, needs to be fixed with
4217  * the required debugging infrastructure rework.
4218  */
4219  switch (vec) {
4220  case DB_VECTOR:
4221  if (vcpu->guest_debug &
4222  (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
4223  return 0;
4224  kvm_queue_exception(vcpu, vec);
4225  return 1;
4226  case BP_VECTOR:
4227  /*
4228  * Update instruction length as we may reinject the exception
4229  * from user space while in guest debugging mode.
4230  */
4231  to_vmx(vcpu)->vcpu.arch.event_exit_inst_len =
4232  vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
4233  if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
4234  return 0;
4235  /* fall through */
4236  case DE_VECTOR:
4237  case OF_VECTOR:
4238  case BR_VECTOR:
4239  case UD_VECTOR:
4240  case DF_VECTOR:
4241  case SS_VECTOR:
4242  case GP_VECTOR:
4243  case MF_VECTOR:
4244  kvm_queue_exception(vcpu, vec);
4245  return 1;
4246  }
4247  return 0;
4248 }
4249 
4250 /*
4251  * Trigger machine check on the host. We assume all the MSRs are already set up
4252  * by the CPU and that we still run on the same CPU as the MCE occurred on.
4253  * We pass a fake environment to the machine check handler because we want
4254  * the guest to be always treated like user space, no matter what context
4255  * it used internally.
4256  */
4257 static void kvm_machine_check(void)
4258 {
4259 #if defined(CONFIG_X86_MCE) && defined(CONFIG_X86_64)
4260  struct pt_regs regs = {
4261  .cs = 3, /* Fake ring 3 no matter what the guest ran on */
4262  .flags = X86_EFLAGS_IF,
4263  };
4264 
4265  do_machine_check(&regs, 0);
4266 #endif
4267 }
4268 
4269 static int handle_machine_check(struct kvm_vcpu *vcpu)
4270 {
4271  /* already handled by vcpu_run */
4272  return 1;
4273 }
4274 
4275 static int handle_exception(struct kvm_vcpu *vcpu)
4276 {
4277  struct vcpu_vmx *vmx = to_vmx(vcpu);
4278  struct kvm_run *kvm_run = vcpu->run;
4279  u32 intr_info, ex_no, error_code;
4280  unsigned long cr2, rip, dr6;
4281  u32 vect_info;
4282  enum emulation_result er;
4283 
4284  vect_info = vmx->idt_vectoring_info;
4285  intr_info = vmx->exit_intr_info;
4286 
4287  if (is_machine_check(intr_info))
4288  return handle_machine_check(vcpu);
4289 
4290  if ((vect_info & VECTORING_INFO_VALID_MASK) &&
4291  !is_page_fault(intr_info)) {
4292  vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
4293  vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_SIMUL_EX;
4294  vcpu->run->internal.ndata = 2;
4295  vcpu->run->internal.data[0] = vect_info;
4296  vcpu->run->internal.data[1] = intr_info;
4297  return 0;
4298  }
4299 
4300  if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
4301  return 1; /* already handled by vmx_vcpu_run() */
4302 
4303  if (is_no_device(intr_info)) {
4304  vmx_fpu_activate(vcpu);
4305  return 1;
4306  }
4307 
4308  if (is_invalid_opcode(intr_info)) {
4309  er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
4310  if (er != EMULATE_DONE)
4311  kvm_queue_exception(vcpu, UD_VECTOR);
4312  return 1;
4313  }
4314 
4315  error_code = 0;
4316  if (intr_info & INTR_INFO_DELIVER_CODE_MASK)
4317  error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
4318  if (is_page_fault(intr_info)) {
4319  /* EPT won't cause page fault directly */
4320  BUG_ON(enable_ept);
4321  cr2 = vmcs_readl(EXIT_QUALIFICATION);
4322  trace_kvm_page_fault(cr2, error_code);
4323 
4324  if (kvm_event_needs_reinjection(vcpu))
4325  kvm_mmu_unprotect_page_virt(vcpu, cr2);
4326  return kvm_mmu_page_fault(vcpu, cr2, error_code, NULL, 0);
4327  }
4328 
4329  if (vmx->rmode.vm86_active &&
4330  handle_rmode_exception(vcpu, intr_info & INTR_INFO_VECTOR_MASK,
4331  error_code)) {
4332  if (vcpu->arch.halt_request) {
4333  vcpu->arch.halt_request = 0;
4334  return kvm_emulate_halt(vcpu);
4335  }
4336  return 1;
4337  }
4338 
4339  ex_no = intr_info & INTR_INFO_VECTOR_MASK;
4340  switch (ex_no) {
4341  case DB_VECTOR:
4342  dr6 = vmcs_readl(EXIT_QUALIFICATION);
4343  if (!(vcpu->guest_debug &
4344  (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
4345  vcpu->arch.dr6 = dr6 | DR6_FIXED_1;
4346  kvm_queue_exception(vcpu, DB_VECTOR);
4347  return 1;
4348  }
4349  kvm_run->debug.arch.dr6 = dr6 | DR6_FIXED_1;
4350  kvm_run->debug.arch.dr7 = vmcs_readl(GUEST_DR7);
4351  /* fall through */
4352  case BP_VECTOR:
4353  /*
4354  * Update instruction length as we may reinject #BP from
4355  * user space while in guest debugging mode. Reading it for
4356  * #DB as well causes no harm, it is not used in that case.
4357  */
4358  vmx->vcpu.arch.event_exit_inst_len =
4359  vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
4360  kvm_run->exit_reason = KVM_EXIT_DEBUG;
4361  rip = kvm_rip_read(vcpu);
4362  kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
4363  kvm_run->debug.arch.exception = ex_no;
4364  break;
4365  default:
4366  kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
4367  kvm_run->ex.exception = ex_no;
4368  kvm_run->ex.error_code = error_code;
4369  break;
4370  }
4371  return 0;
4372 }
4373 
4374 static int handle_external_interrupt(struct kvm_vcpu *vcpu)
4375 {
4376  ++vcpu->stat.irq_exits;
4377  return 1;
4378 }
4379 
4380 static int handle_triple_fault(struct kvm_vcpu *vcpu)
4381 {
4382  vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;
4383  return 0;
4384 }
4385 
4386 static int handle_io(struct kvm_vcpu *vcpu)
4387 {
4388  unsigned long exit_qualification;
4389  int size, in, string;
4390  unsigned port;
4391 
4392  exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4393  string = (exit_qualification & 16) != 0;
4394  in = (exit_qualification & 8) != 0;
4395 
4396  ++vcpu->stat.io_exits;
4397 
4398  if (string || in)
4399  return emulate_instruction(vcpu, 0) == EMULATE_DONE;
4400 
4401  port = exit_qualification >> 16;
4402  size = (exit_qualification & 7) + 1;
4403  skip_emulated_instruction(vcpu);
4404 
4405  return kvm_fast_pio_out(vcpu, size, port);
4406 }
4407 
4408 static void
4409 vmx_patch_hypercall(struct kvm_vcpu *vcpu, unsigned char *hypercall)
4410 {
4411  /*
4412  * Patch in the VMCALL instruction:
4413  */
4414  hypercall[0] = 0x0f;
4415  hypercall[1] = 0x01;
4416  hypercall[2] = 0xc1;
4417 }
4418 
4419 /* called to set cr0 as appropriate for a mov-to-cr0 exit. */
4420 static int handle_set_cr0(struct kvm_vcpu *vcpu, unsigned long val)
4421 {
4422  if (to_vmx(vcpu)->nested.vmxon &&
4423  ((val & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON))
4424  return 1;
4425 
4426  if (is_guest_mode(vcpu)) {
4427  /*
4428  * We get here when L2 changed cr0 in a way that did not change
4429  * any of L1's shadowed bits (see nested_vmx_exit_handled_cr),
4430  * but did change L0 shadowed bits. This can currently happen
4431  * with the TS bit: L0 may want to leave TS on (for lazy fpu
4432  * loading) while pretending to allow the guest to change it.
4433  */
4434  if (kvm_set_cr0(vcpu, (val & vcpu->arch.cr0_guest_owned_bits) |
4435  (vcpu->arch.cr0 & ~vcpu->arch.cr0_guest_owned_bits)))
4436  return 1;
4437  vmcs_writel(CR0_READ_SHADOW, val);
4438  return 0;
4439  } else
4440  return kvm_set_cr0(vcpu, val);
4441 }
4442 
4443 static int handle_set_cr4(struct kvm_vcpu *vcpu, unsigned long val)
4444 {
4445  if (is_guest_mode(vcpu)) {
4446  if (kvm_set_cr4(vcpu, (val & vcpu->arch.cr4_guest_owned_bits) |
4447  (vcpu->arch.cr4 & ~vcpu->arch.cr4_guest_owned_bits)))
4448  return 1;
4449  vmcs_writel(CR4_READ_SHADOW, val);
4450  return 0;
4451  } else
4452  return kvm_set_cr4(vcpu, val);
4453 }
4454 
4455 /* called to set cr0 as approriate for clts instruction exit. */
4456 static void handle_clts(struct kvm_vcpu *vcpu)
4457 {
4458  if (is_guest_mode(vcpu)) {
4459  /*
4460  * We get here when L2 did CLTS, and L1 didn't shadow CR0.TS
4461  * but we did (!fpu_active). We need to keep GUEST_CR0.TS on,
4462  * just pretend it's off (also in arch.cr0 for fpu_activate).
4463  */
4464  vmcs_writel(CR0_READ_SHADOW,
4465  vmcs_readl(CR0_READ_SHADOW) & ~X86_CR0_TS);
4466  vcpu->arch.cr0 &= ~X86_CR0_TS;
4467  } else
4468  vmx_set_cr0(vcpu, kvm_read_cr0_bits(vcpu, ~X86_CR0_TS));
4469 }
4470 
4471 static int handle_cr(struct kvm_vcpu *vcpu)
4472 {
4473  unsigned long exit_qualification, val;
4474  int cr;
4475  int reg;
4476  int err;
4477 
4478  exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4479  cr = exit_qualification & 15;
4480  reg = (exit_qualification >> 8) & 15;
4481  switch ((exit_qualification >> 4) & 3) {
4482  case 0: /* mov to cr */
4483  val = kvm_register_read(vcpu, reg);
4484  trace_kvm_cr_write(cr, val);
4485  switch (cr) {
4486  case 0:
4487  err = handle_set_cr0(vcpu, val);
4488  kvm_complete_insn_gp(vcpu, err);
4489  return 1;
4490  case 3:
4491  err = kvm_set_cr3(vcpu, val);
4492  kvm_complete_insn_gp(vcpu, err);
4493  return 1;
4494  case 4:
4495  err = handle_set_cr4(vcpu, val);
4496  kvm_complete_insn_gp(vcpu, err);
4497  return 1;
4498  case 8: {
4499  u8 cr8_prev = kvm_get_cr8(vcpu);
4500  u8 cr8 = kvm_register_read(vcpu, reg);
4501  err = kvm_set_cr8(vcpu, cr8);
4502  kvm_complete_insn_gp(vcpu, err);
4503  if (irqchip_in_kernel(vcpu->kvm))
4504  return 1;
4505  if (cr8_prev <= cr8)
4506  return 1;
4507  vcpu->run->exit_reason = KVM_EXIT_SET_TPR;
4508  return 0;
4509  }
4510  }
4511  break;
4512  case 2: /* clts */
4513  handle_clts(vcpu);
4514  trace_kvm_cr_write(0, kvm_read_cr0(vcpu));
4515  skip_emulated_instruction(vcpu);
4516  vmx_fpu_activate(vcpu);
4517  return 1;
4518  case 1: /*mov from cr*/
4519  switch (cr) {
4520  case 3:
4521  val = kvm_read_cr3(vcpu);
4522  kvm_register_write(vcpu, reg, val);
4523  trace_kvm_cr_read(cr, val);
4524  skip_emulated_instruction(vcpu);
4525  return 1;
4526  case 8:
4527  val = kvm_get_cr8(vcpu);
4528  kvm_register_write(vcpu, reg, val);
4529  trace_kvm_cr_read(cr, val);
4530  skip_emulated_instruction(vcpu);
4531  return 1;
4532  }
4533  break;
4534  case 3: /* lmsw */
4535  val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
4536  trace_kvm_cr_write(0, (kvm_read_cr0(vcpu) & ~0xful) | val);
4537  kvm_lmsw(vcpu, val);
4538 
4539  skip_emulated_instruction(vcpu);
4540  return 1;
4541  default:
4542  break;
4543  }
4544  vcpu->run->exit_reason = 0;
4545  vcpu_unimpl(vcpu, "unhandled control register: op %d cr %d\n",
4546  (int)(exit_qualification >> 4) & 3, cr);
4547  return 0;
4548 }
4549 
4550 static int handle_dr(struct kvm_vcpu *vcpu)
4551 {
4552  unsigned long exit_qualification;
4553  int dr, reg;
4554 
4555  /* Do not handle if the CPL > 0, will trigger GP on re-entry */
4556  if (!kvm_require_cpl(vcpu, 0))
4557  return 1;
4558  dr = vmcs_readl(GUEST_DR7);
4559  if (dr & DR7_GD) {
4560  /*
4561  * As the vm-exit takes precedence over the debug trap, we
4562  * need to emulate the latter, either for the host or the
4563  * guest debugging itself.
4564  */
4565  if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP) {
4566  vcpu->run->debug.arch.dr6 = vcpu->arch.dr6;
4567  vcpu->run->debug.arch.dr7 = dr;
4568  vcpu->run->debug.arch.pc =
4569  vmcs_readl(GUEST_CS_BASE) +
4570  vmcs_readl(GUEST_RIP);
4571  vcpu->run->debug.arch.exception = DB_VECTOR;
4572  vcpu->run->exit_reason = KVM_EXIT_DEBUG;
4573  return 0;
4574  } else {
4575  vcpu->arch.dr7 &= ~DR7_GD;
4576  vcpu->arch.dr6 |= DR6_BD;
4577  vmcs_writel(GUEST_DR7, vcpu->arch.dr7);
4578  kvm_queue_exception(vcpu, DB_VECTOR);
4579  return 1;
4580  }
4581  }
4582 
4583  exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4584  dr = exit_qualification & DEBUG_REG_ACCESS_NUM;
4585  reg = DEBUG_REG_ACCESS_REG(exit_qualification);
4586  if (exit_qualification & TYPE_MOV_FROM_DR) {
4587  unsigned long val;
4588  if (!kvm_get_dr(vcpu, dr, &val))
4589  kvm_register_write(vcpu, reg, val);
4590  } else
4591  kvm_set_dr(vcpu, dr, vcpu->arch.regs[reg]);
4592  skip_emulated_instruction(vcpu);
4593  return 1;
4594 }
4595 
4596 static void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
4597 {
4598  vmcs_writel(GUEST_DR7, val);
4599 }
4600 
4601 static int handle_cpuid(struct kvm_vcpu *vcpu)
4602 {
4603  kvm_emulate_cpuid(vcpu);
4604  return 1;
4605 }
4606 
4607 static int handle_rdmsr(struct kvm_vcpu *vcpu)
4608 {
4609  u32 ecx = vcpu->arch.regs[VCPU_REGS_RCX];
4610  u64 data;
4611 
4612  if (vmx_get_msr(vcpu, ecx, &data)) {
4613  trace_kvm_msr_read_ex(ecx);
4614  kvm_inject_gp(vcpu, 0);
4615  return 1;
4616  }
4617 
4618  trace_kvm_msr_read(ecx, data);
4619 
4620  /* FIXME: handling of bits 32:63 of rax, rdx */
4621  vcpu->arch.regs[VCPU_REGS_RAX] = data & -1u;
4622  vcpu->arch.regs[VCPU_REGS_RDX] = (data >> 32) & -1u;
4623  skip_emulated_instruction(vcpu);
4624  return 1;
4625 }
4626 
4627 static int handle_wrmsr(struct kvm_vcpu *vcpu)
4628 {
4629  u32 ecx = vcpu->arch.regs[VCPU_REGS_RCX];
4630  u64 data = (vcpu->arch.regs[VCPU_REGS_RAX] & -1u)
4631  | ((u64)(vcpu->arch.regs[VCPU_REGS_RDX] & -1u) << 32);
4632 
4633  if (vmx_set_msr(vcpu, ecx, data) != 0) {
4634  trace_kvm_msr_write_ex(ecx, data);
4635  kvm_inject_gp(vcpu, 0);
4636  return 1;
4637  }
4638 
4639  trace_kvm_msr_write(ecx, data);
4640  skip_emulated_instruction(vcpu);
4641  return 1;
4642 }
4643 
4644 static int handle_tpr_below_threshold(struct kvm_vcpu *vcpu)
4645 {
4646  kvm_make_request(KVM_REQ_EVENT, vcpu);
4647  return 1;
4648 }
4649 
4650 static int handle_interrupt_window(struct kvm_vcpu *vcpu)
4651 {
4652  u32 cpu_based_vm_exec_control;
4653 
4654  /* clear pending irq */
4655  cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
4656  cpu_based_vm_exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING;
4657  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
4658 
4659  kvm_make_request(KVM_REQ_EVENT, vcpu);
4660 
4661  ++vcpu->stat.irq_window_exits;
4662 
4663  /*
4664  * If the user space waits to inject interrupts, exit as soon as
4665  * possible
4666  */
4667  if (!irqchip_in_kernel(vcpu->kvm) &&
4668  vcpu->run->request_interrupt_window &&
4669  !kvm_cpu_has_interrupt(vcpu)) {
4670  vcpu->run->exit_reason = KVM_EXIT_IRQ_WINDOW_OPEN;
4671  return 0;
4672  }
4673  return 1;
4674 }
4675 
4676 static int handle_halt(struct kvm_vcpu *vcpu)
4677 {
4678  skip_emulated_instruction(vcpu);
4679  return kvm_emulate_halt(vcpu);
4680 }
4681 
4682 static int handle_vmcall(struct kvm_vcpu *vcpu)
4683 {
4684  skip_emulated_instruction(vcpu);
4685  kvm_emulate_hypercall(vcpu);
4686  return 1;
4687 }
4688 
4689 static int handle_invd(struct kvm_vcpu *vcpu)
4690 {
4691  return emulate_instruction(vcpu, 0) == EMULATE_DONE;
4692 }
4693 
4694 static int handle_invlpg(struct kvm_vcpu *vcpu)
4695 {
4696  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4697 
4698  kvm_mmu_invlpg(vcpu, exit_qualification);
4699  skip_emulated_instruction(vcpu);
4700  return 1;
4701 }
4702 
4703 static int handle_rdpmc(struct kvm_vcpu *vcpu)
4704 {
4705  int err;
4706 
4707  err = kvm_rdpmc(vcpu);
4708  kvm_complete_insn_gp(vcpu, err);
4709 
4710  return 1;
4711 }
4712 
4713 static int handle_wbinvd(struct kvm_vcpu *vcpu)
4714 {
4715  skip_emulated_instruction(vcpu);
4716  kvm_emulate_wbinvd(vcpu);
4717  return 1;
4718 }
4719 
4720 static int handle_xsetbv(struct kvm_vcpu *vcpu)
4721 {
4722  u64 new_bv = kvm_read_edx_eax(vcpu);
4723  u32 index = kvm_register_read(vcpu, VCPU_REGS_RCX);
4724 
4725  if (kvm_set_xcr(vcpu, index, new_bv) == 0)
4726  skip_emulated_instruction(vcpu);
4727  return 1;
4728 }
4729 
4730 static int handle_apic_access(struct kvm_vcpu *vcpu)
4731 {
4732  if (likely(fasteoi)) {
4733  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4734  int access_type, offset;
4735 
4736  access_type = exit_qualification & APIC_ACCESS_TYPE;
4737  offset = exit_qualification & APIC_ACCESS_OFFSET;
4738  /*
4739  * Sane guest uses MOV to write EOI, with written value
4740  * not cared. So make a short-circuit here by avoiding
4741  * heavy instruction emulation.
4742  */
4743  if ((access_type == TYPE_LINEAR_APIC_INST_WRITE) &&
4744  (offset == APIC_EOI)) {
4745  kvm_lapic_set_eoi(vcpu);
4746  skip_emulated_instruction(vcpu);
4747  return 1;
4748  }
4749  }
4750  return emulate_instruction(vcpu, 0) == EMULATE_DONE;
4751 }
4752 
4753 static int handle_task_switch(struct kvm_vcpu *vcpu)
4754 {
4755  struct vcpu_vmx *vmx = to_vmx(vcpu);
4756  unsigned long exit_qualification;
4757  bool has_error_code = false;
4758  u32 error_code = 0;
4759  u16 tss_selector;
4760  int reason, type, idt_v, idt_index;
4761 
4762  idt_v = (vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK);
4763  idt_index = (vmx->idt_vectoring_info & VECTORING_INFO_VECTOR_MASK);
4764  type = (vmx->idt_vectoring_info & VECTORING_INFO_TYPE_MASK);
4765 
4766  exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4767 
4768  reason = (u32)exit_qualification >> 30;
4769  if (reason == TASK_SWITCH_GATE && idt_v) {
4770  switch (type) {
4771  case INTR_TYPE_NMI_INTR:
4772  vcpu->arch.nmi_injected = false;
4773  vmx_set_nmi_mask(vcpu, true);
4774  break;
4775  case INTR_TYPE_EXT_INTR:
4776  case INTR_TYPE_SOFT_INTR:
4777  kvm_clear_interrupt_queue(vcpu);
4778  break;
4779  case INTR_TYPE_HARD_EXCEPTION:
4780  if (vmx->idt_vectoring_info &
4781  VECTORING_INFO_DELIVER_CODE_MASK) {
4782  has_error_code = true;
4783  error_code =
4784  vmcs_read32(IDT_VECTORING_ERROR_CODE);
4785  }
4786  /* fall through */
4787  case INTR_TYPE_SOFT_EXCEPTION:
4788  kvm_clear_exception_queue(vcpu);
4789  break;
4790  default:
4791  break;
4792  }
4793  }
4794  tss_selector = exit_qualification;
4795 
4796  if (!idt_v || (type != INTR_TYPE_HARD_EXCEPTION &&
4797  type != INTR_TYPE_EXT_INTR &&
4798  type != INTR_TYPE_NMI_INTR))
4799  skip_emulated_instruction(vcpu);
4800 
4801  if (kvm_task_switch(vcpu, tss_selector,
4802  type == INTR_TYPE_SOFT_INTR ? idt_index : -1, reason,
4803  has_error_code, error_code) == EMULATE_FAIL) {
4804  vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
4805  vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
4806  vcpu->run->internal.ndata = 0;
4807  return 0;
4808  }
4809 
4810  /* clear all local breakpoint enable flags */
4811  vmcs_writel(GUEST_DR7, vmcs_readl(GUEST_DR7) & ~55);
4812 
4813  /*
4814  * TODO: What about debug traps on tss switch?
4815  * Are we supposed to inject them and update dr6?
4816  */
4817 
4818  return 1;
4819 }
4820 
4821 static int handle_ept_violation(struct kvm_vcpu *vcpu)
4822 {
4823  unsigned long exit_qualification;
4824  gpa_t gpa;
4825  u32 error_code;
4826  int gla_validity;
4827 
4828  exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
4829 
4830  if (exit_qualification & (1 << 6)) {
4831  printk(KERN_ERR "EPT: GPA exceeds GAW!\n");
4832  return -EINVAL;
4833  }
4834 
4835  gla_validity = (exit_qualification >> 7) & 0x3;
4836  if (gla_validity != 0x3 && gla_validity != 0x1 && gla_validity != 0) {
4837  printk(KERN_ERR "EPT: Handling EPT violation failed!\n");
4838  printk(KERN_ERR "EPT: GPA: 0x%lx, GVA: 0x%lx\n",
4839  (long unsigned int)vmcs_read64(GUEST_PHYSICAL_ADDRESS),
4840  vmcs_readl(GUEST_LINEAR_ADDRESS));
4841  printk(KERN_ERR "EPT: Exit qualification is 0x%lx\n",
4842  (long unsigned int)exit_qualification);
4843  vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
4844  vcpu->run->hw.hardware_exit_reason = EXIT_REASON_EPT_VIOLATION;
4845  return 0;
4846  }
4847 
4848  gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
4849  trace_kvm_page_fault(gpa, exit_qualification);
4850 
4851  /* It is a write fault? */
4852  error_code = exit_qualification & (1U << 1);
4853  /* ept page table is present? */
4854  error_code |= (exit_qualification >> 3) & 0x1;
4855 
4856  return kvm_mmu_page_fault(vcpu, gpa, error_code, NULL, 0);
4857 }
4858 
4859 static u64 ept_rsvd_mask(u64 spte, int level)
4860 {
4861  int i;
4862  u64 mask = 0;
4863 
4864  for (i = 51; i > boot_cpu_data.x86_phys_bits; i--)
4865  mask |= (1ULL << i);
4866 
4867  if (level > 2)
4868  /* bits 7:3 reserved */
4869  mask |= 0xf8;
4870  else if (level == 2) {
4871  if (spte & (1ULL << 7))
4872  /* 2MB ref, bits 20:12 reserved */
4873  mask |= 0x1ff000;
4874  else
4875  /* bits 6:3 reserved */
4876  mask |= 0x78;
4877  }
4878 
4879  return mask;
4880 }
4881 
4882 static void ept_misconfig_inspect_spte(struct kvm_vcpu *vcpu, u64 spte,
4883  int level)
4884 {
4885  printk(KERN_ERR "%s: spte 0x%llx level %d\n", __func__, spte, level);
4886 
4887  /* 010b (write-only) */
4888  WARN_ON((spte & 0x7) == 0x2);
4889 
4890  /* 110b (write/execute) */
4891  WARN_ON((spte & 0x7) == 0x6);
4892 
4893  /* 100b (execute-only) and value not supported by logical processor */
4894  if (!cpu_has_vmx_ept_execute_only())
4895  WARN_ON((spte & 0x7) == 0x4);
4896 
4897  /* not 000b */
4898  if ((spte & 0x7)) {
4899  u64 rsvd_bits = spte & ept_rsvd_mask(spte, level);
4900 
4901  if (rsvd_bits != 0) {
4902  printk(KERN_ERR "%s: rsvd_bits = 0x%llx\n",
4903  __func__, rsvd_bits);
4904  WARN_ON(1);
4905  }
4906 
4907  if (level == 1 || (level == 2 && (spte & (1ULL << 7)))) {
4908  u64 ept_mem_type = (spte & 0x38) >> 3;
4909 
4910  if (ept_mem_type == 2 || ept_mem_type == 3 ||
4911  ept_mem_type == 7) {
4912  printk(KERN_ERR "%s: ept_mem_type=0x%llx\n",
4913  __func__, ept_mem_type);
4914  WARN_ON(1);
4915  }
4916  }
4917  }
4918 }
4919 
4920 static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
4921 {
4922  u64 sptes[4];
4923  int nr_sptes, i, ret;
4924  gpa_t gpa;
4925 
4926  gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
4927 
4928  ret = handle_mmio_page_fault_common(vcpu, gpa, true);
4929  if (likely(ret == 1))
4930  return x86_emulate_instruction(vcpu, gpa, 0, NULL, 0) ==
4931  EMULATE_DONE;
4932  if (unlikely(!ret))
4933  return 1;
4934 
4935  /* It is the real ept misconfig */
4936  printk(KERN_ERR "EPT: Misconfiguration.\n");
4937  printk(KERN_ERR "EPT: GPA: 0x%llx\n", gpa);
4938 
4939  nr_sptes = kvm_mmu_get_spte_hierarchy(vcpu, gpa, sptes);
4940 
4941  for (i = PT64_ROOT_LEVEL; i > PT64_ROOT_LEVEL - nr_sptes; --i)
4942  ept_misconfig_inspect_spte(vcpu, sptes[i-1], i);
4943 
4944  vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
4945  vcpu->run->hw.hardware_exit_reason = EXIT_REASON_EPT_MISCONFIG;
4946 
4947  return 0;
4948 }
4949 
4950 static int handle_nmi_window(struct kvm_vcpu *vcpu)
4951 {
4952  u32 cpu_based_vm_exec_control;
4953 
4954  /* clear pending NMI */
4955  cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
4956  cpu_based_vm_exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
4957  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
4958  ++vcpu->stat.nmi_window_exits;
4959  kvm_make_request(KVM_REQ_EVENT, vcpu);
4960 
4961  return 1;
4962 }
4963 
4964 static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
4965 {
4966  struct vcpu_vmx *vmx = to_vmx(vcpu);
4967  enum emulation_result err = EMULATE_DONE;
4968  int ret = 1;
4969  u32 cpu_exec_ctrl;
4970  bool intr_window_requested;
4971  unsigned count = 130;
4972 
4973  cpu_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
4974  intr_window_requested = cpu_exec_ctrl & CPU_BASED_VIRTUAL_INTR_PENDING;
4975 
4976  while (!guest_state_valid(vcpu) && count-- != 0) {
4977  if (intr_window_requested && vmx_interrupt_allowed(vcpu))
4978  return handle_interrupt_window(&vmx->vcpu);
4979 
4980  if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
4981  return 1;
4982 
4983  err = emulate_instruction(vcpu, 0);
4984 
4985  if (err == EMULATE_DO_MMIO) {
4986  ret = 0;
4987  goto out;
4988  }
4989 
4990  if (err != EMULATE_DONE) {
4991  vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
4992  vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
4993  vcpu->run->internal.ndata = 0;
4994  return 0;
4995  }
4996 
4997  if (signal_pending(current))
4998  goto out;
4999  if (need_resched())
5000  schedule();
5001  }
5002 
5003  vmx->emulation_required = !guest_state_valid(vcpu);
5004 out:
5005  return ret;
5006 }
5007 
5008 /*
5009  * Indicate a busy-waiting vcpu in spinlock. We do not enable the PAUSE
5010  * exiting, so only get here on cpu with PAUSE-Loop-Exiting.
5011  */
5012 static int handle_pause(struct kvm_vcpu *vcpu)
5013 {
5014  skip_emulated_instruction(vcpu);
5015  kvm_vcpu_on_spin(vcpu);
5016 
5017  return 1;
5018 }
5019 
5020 static int handle_invalid_op(struct kvm_vcpu *vcpu)
5021 {
5022  kvm_queue_exception(vcpu, UD_VECTOR);
5023  return 1;
5024 }
5025 
5026 /*
5027  * To run an L2 guest, we need a vmcs02 based on the L1-specified vmcs12.
5028  * We could reuse a single VMCS for all the L2 guests, but we also want the
5029  * option to allocate a separate vmcs02 for each separate loaded vmcs12 - this
5030  * allows keeping them loaded on the processor, and in the future will allow
5031  * optimizations where prepare_vmcs02 doesn't need to set all the fields on
5032  * every entry if they never change.
5033  * So we keep, in vmx->nested.vmcs02_pool, a cache of size VMCS02_POOL_SIZE
5034  * (>=0) with a vmcs02 for each recently loaded vmcs12s, most recent first.
5035  *
5036  * The following functions allocate and free a vmcs02 in this pool.
5037  */
5038 
5039 /* Get a VMCS from the pool to use as vmcs02 for the current vmcs12. */
5040 static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
5041 {
5042  struct vmcs02_list *item;
5043  list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
5044  if (item->vmptr == vmx->nested.current_vmptr) {
5045  list_move(&item->list, &vmx->nested.vmcs02_pool);
5046  return &item->vmcs02;
5047  }
5048 
5049  if (vmx->nested.vmcs02_num >= max(VMCS02_POOL_SIZE, 1)) {
5050  /* Recycle the least recently used VMCS. */
5051  item = list_entry(vmx->nested.vmcs02_pool.prev,
5052  struct vmcs02_list, list);
5053  item->vmptr = vmx->nested.current_vmptr;
5054  list_move(&item->list, &vmx->nested.vmcs02_pool);
5055  return &item->vmcs02;
5056  }
5057 
5058  /* Create a new VMCS */
5059  item = (struct vmcs02_list *)
5060  kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
5061  if (!item)
5062  return NULL;
5063  item->vmcs02.vmcs = alloc_vmcs();
5064  if (!item->vmcs02.vmcs) {
5065  kfree(item);
5066  return NULL;
5067  }
5068  loaded_vmcs_init(&item->vmcs02);
5069  item->vmptr = vmx->nested.current_vmptr;
5070  list_add(&(item->list), &(vmx->nested.vmcs02_pool));
5071  vmx->nested.vmcs02_num++;
5072  return &item->vmcs02;
5073 }
5074 
5075 /* Free and remove from pool a vmcs02 saved for a vmcs12 (if there is one) */
5076 static void nested_free_vmcs02(struct vcpu_vmx *vmx, gpa_t vmptr)
5077 {
5078  struct vmcs02_list *item;
5079  list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
5080  if (item->vmptr == vmptr) {
5081  free_loaded_vmcs(&item->vmcs02);
5082  list_del(&item->list);
5083  kfree(item);
5084  vmx->nested.vmcs02_num--;
5085  return;
5086  }
5087 }
5088 
5089 /*
5090  * Free all VMCSs saved for this vcpu, except the one pointed by
5091  * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
5092  * currently used, if running L2), and vmcs01 when running L2.
5093  */
5094 static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
5095 {
5096  struct vmcs02_list *item, *n;
5097  list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
5098  if (vmx->loaded_vmcs != &item->vmcs02)
5099  free_loaded_vmcs(&item->vmcs02);
5100  list_del(&item->list);
5101  kfree(item);
5102  }
5103  vmx->nested.vmcs02_num = 0;
5104 
5105  if (vmx->loaded_vmcs != &vmx->vmcs01)
5106  free_loaded_vmcs(&vmx->vmcs01);
5107 }
5108 
5109 /*
5110  * Emulate the VMXON instruction.
5111  * Currently, we just remember that VMX is active, and do not save or even
5112  * inspect the argument to VMXON (the so-called "VMXON pointer") because we
5113  * do not currently need to store anything in that guest-allocated memory
5114  * region. Consequently, VMCLEAR and VMPTRLD also do not verify that the their
5115  * argument is different from the VMXON pointer (which the spec says they do).
5116  */
5117 static int handle_vmon(struct kvm_vcpu *vcpu)
5118 {
5119  struct kvm_segment cs;
5120  struct vcpu_vmx *vmx = to_vmx(vcpu);
5121 
5122  /* The Intel VMX Instruction Reference lists a bunch of bits that
5123  * are prerequisite to running VMXON, most notably cr4.VMXE must be
5124  * set to 1 (see vmx_set_cr4() for when we allow the guest to set this).
5125  * Otherwise, we should fail with #UD. We test these now:
5126  */
5127  if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE) ||
5128  !kvm_read_cr0_bits(vcpu, X86_CR0_PE) ||
5129  (vmx_get_rflags(vcpu) & X86_EFLAGS_VM)) {
5130  kvm_queue_exception(vcpu, UD_VECTOR);
5131  return 1;
5132  }
5133 
5134  vmx_get_segment(vcpu, &cs, VCPU_SREG_CS);
5135  if (is_long_mode(vcpu) && !cs.l) {
5136  kvm_queue_exception(vcpu, UD_VECTOR);
5137  return 1;
5138  }
5139 
5140  if (vmx_get_cpl(vcpu)) {
5141  kvm_inject_gp(vcpu, 0);
5142  return 1;
5143  }
5144 
5145  INIT_LIST_HEAD(&(vmx->nested.vmcs02_pool));
5146  vmx->nested.vmcs02_num = 0;
5147 
5148  vmx->nested.vmxon = true;
5149 
5150  skip_emulated_instruction(vcpu);
5151  return 1;
5152 }
5153 
5154 /*
5155  * Intel's VMX Instruction Reference specifies a common set of prerequisites
5156  * for running VMX instructions (except VMXON, whose prerequisites are
5157  * slightly different). It also specifies what exception to inject otherwise.
5158  */
5159 static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
5160 {
5161  struct kvm_segment cs;
5162  struct vcpu_vmx *vmx = to_vmx(vcpu);
5163 
5164  if (!vmx->nested.vmxon) {
5165  kvm_queue_exception(vcpu, UD_VECTOR);
5166  return 0;
5167  }
5168 
5169  vmx_get_segment(vcpu, &cs, VCPU_SREG_CS);
5170  if ((vmx_get_rflags(vcpu) & X86_EFLAGS_VM) ||
5171  (is_long_mode(vcpu) && !cs.l)) {
5172  kvm_queue_exception(vcpu, UD_VECTOR);
5173  return 0;
5174  }
5175 
5176  if (vmx_get_cpl(vcpu)) {
5177  kvm_inject_gp(vcpu, 0);
5178  return 0;
5179  }
5180 
5181  return 1;
5182 }
5183 
5184 /*
5185  * Free whatever needs to be freed from vmx->nested when L1 goes down, or
5186  * just stops using VMX.
5187  */
5188 static void free_nested(struct vcpu_vmx *vmx)
5189 {
5190  if (!vmx->nested.vmxon)
5191  return;
5192  vmx->nested.vmxon = false;
5193  if (vmx->nested.current_vmptr != -1ull) {
5194  kunmap(vmx->nested.current_vmcs12_page);
5195  nested_release_page(vmx->nested.current_vmcs12_page);
5196  vmx->nested.current_vmptr = -1ull;
5197  vmx->nested.current_vmcs12 = NULL;
5198  }
5199  /* Unpin physical memory we referred to in current vmcs02 */
5200  if (vmx->nested.apic_access_page) {
5201  nested_release_page(vmx->nested.apic_access_page);
5202  vmx->nested.apic_access_page = 0;
5203  }
5204 
5205  nested_free_all_saved_vmcss(vmx);
5206 }
5207 
5208 /* Emulate the VMXOFF instruction */
5209 static int handle_vmoff(struct kvm_vcpu *vcpu)
5210 {
5211  if (!nested_vmx_check_permission(vcpu))
5212  return 1;
5213  free_nested(to_vmx(vcpu));
5214  skip_emulated_instruction(vcpu);
5215  return 1;
5216 }
5217 
5218 /*
5219  * Decode the memory-address operand of a vmx instruction, as recorded on an
5220  * exit caused by such an instruction (run by a guest hypervisor).
5221  * On success, returns 0. When the operand is invalid, returns 1 and throws
5222  * #UD or #GP.
5223  */
5224 static int get_vmx_mem_address(struct kvm_vcpu *vcpu,
5225  unsigned long exit_qualification,
5226  u32 vmx_instruction_info, gva_t *ret)
5227 {
5228  /*
5229  * According to Vol. 3B, "Information for VM Exits Due to Instruction
5230  * Execution", on an exit, vmx_instruction_info holds most of the
5231  * addressing components of the operand. Only the displacement part
5232  * is put in exit_qualification (see 3B, "Basic VM-Exit Information").
5233  * For how an actual address is calculated from all these components,
5234  * refer to Vol. 1, "Operand Addressing".
5235  */
5236  int scaling = vmx_instruction_info & 3;
5237  int addr_size = (vmx_instruction_info >> 7) & 7;
5238  bool is_reg = vmx_instruction_info & (1u << 10);
5239  int seg_reg = (vmx_instruction_info >> 15) & 7;
5240  int index_reg = (vmx_instruction_info >> 18) & 0xf;
5241  bool index_is_valid = !(vmx_instruction_info & (1u << 22));
5242  int base_reg = (vmx_instruction_info >> 23) & 0xf;
5243  bool base_is_valid = !(vmx_instruction_info & (1u << 27));
5244 
5245  if (is_reg) {
5246  kvm_queue_exception(vcpu, UD_VECTOR);
5247  return 1;
5248  }
5249 
5250  /* Addr = segment_base + offset */
5251  /* offset = base + [index * scale] + displacement */
5252  *ret = vmx_get_segment_base(vcpu, seg_reg);
5253  if (base_is_valid)
5254  *ret += kvm_register_read(vcpu, base_reg);
5255  if (index_is_valid)
5256  *ret += kvm_register_read(vcpu, index_reg)<<scaling;
5257  *ret += exit_qualification; /* holds the displacement */
5258 
5259  if (addr_size == 1) /* 32 bit */
5260  *ret &= 0xffffffff;
5261 
5262  /*
5263  * TODO: throw #GP (and return 1) in various cases that the VM*
5264  * instructions require it - e.g., offset beyond segment limit,
5265  * unusable or unreadable/unwritable segment, non-canonical 64-bit
5266  * address, and so on. Currently these are not checked.
5267  */
5268  return 0;
5269 }
5270 
5271 /*
5272  * The following 3 functions, nested_vmx_succeed()/failValid()/failInvalid(),
5273  * set the success or error code of an emulated VMX instruction, as specified
5274  * by Vol 2B, VMX Instruction Reference, "Conventions".
5275  */
5276 static void nested_vmx_succeed(struct kvm_vcpu *vcpu)
5277 {
5278  vmx_set_rflags(vcpu, vmx_get_rflags(vcpu)
5279  & ~(X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
5280  X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF));
5281 }
5282 
5283 static void nested_vmx_failInvalid(struct kvm_vcpu *vcpu)
5284 {
5285  vmx_set_rflags(vcpu, (vmx_get_rflags(vcpu)
5286  & ~(X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
5287  X86_EFLAGS_SF | X86_EFLAGS_OF))
5288  | X86_EFLAGS_CF);
5289 }
5290 
5291 static void nested_vmx_failValid(struct kvm_vcpu *vcpu,
5292  u32 vm_instruction_error)
5293 {
5294  if (to_vmx(vcpu)->nested.current_vmptr == -1ull) {
5295  /*
5296  * failValid writes the error number to the current VMCS, which
5297  * can't be done there isn't a current VMCS.
5298  */
5299  nested_vmx_failInvalid(vcpu);
5300  return;
5301  }
5302  vmx_set_rflags(vcpu, (vmx_get_rflags(vcpu)
5303  & ~(X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
5304  X86_EFLAGS_SF | X86_EFLAGS_OF))
5305  | X86_EFLAGS_ZF);
5306  get_vmcs12(vcpu)->vm_instruction_error = vm_instruction_error;
5307 }
5308 
5309 /* Emulate the VMCLEAR instruction */
5310 static int handle_vmclear(struct kvm_vcpu *vcpu)
5311 {
5312  struct vcpu_vmx *vmx = to_vmx(vcpu);
5313  gva_t gva;
5314  gpa_t vmptr;
5315  struct vmcs12 *vmcs12;
5316  struct page *page;
5317  struct x86_exception e;
5318 
5319  if (!nested_vmx_check_permission(vcpu))
5320  return 1;
5321 
5322  if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
5323  vmcs_read32(VMX_INSTRUCTION_INFO), &gva))
5324  return 1;
5325 
5326  if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr,
5327  sizeof(vmptr), &e)) {
5328  kvm_inject_page_fault(vcpu, &e);
5329  return 1;
5330  }
5331 
5332  if (!IS_ALIGNED(vmptr, PAGE_SIZE)) {
5333  nested_vmx_failValid(vcpu, VMXERR_VMCLEAR_INVALID_ADDRESS);
5334  skip_emulated_instruction(vcpu);
5335  return 1;
5336  }
5337 
5338  if (vmptr == vmx->nested.current_vmptr) {
5339  kunmap(vmx->nested.current_vmcs12_page);
5340  nested_release_page(vmx->nested.current_vmcs12_page);
5341  vmx->nested.current_vmptr = -1ull;
5342  vmx->nested.current_vmcs12 = NULL;
5343  }
5344 
5345  page = nested_get_page(vcpu, vmptr);
5346  if (page == NULL) {
5347  /*
5348  * For accurate processor emulation, VMCLEAR beyond available
5349  * physical memory should do nothing at all. However, it is
5350  * possible that a nested vmx bug, not a guest hypervisor bug,
5351  * resulted in this case, so let's shut down before doing any
5352  * more damage:
5353  */
5354  kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
5355  return 1;
5356  }
5357  vmcs12 = kmap(page);
5358  vmcs12->launch_state = 0;
5359  kunmap(page);
5360  nested_release_page(page);
5361 
5362  nested_free_vmcs02(vmx, vmptr);
5363 
5364  skip_emulated_instruction(vcpu);
5365  nested_vmx_succeed(vcpu);
5366  return 1;
5367 }
5368 
5369 static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch);
5370 
5371 /* Emulate the VMLAUNCH instruction */
5372 static int handle_vmlaunch(struct kvm_vcpu *vcpu)
5373 {
5374  return nested_vmx_run(vcpu, true);
5375 }
5376 
5377 /* Emulate the VMRESUME instruction */
5378 static int handle_vmresume(struct kvm_vcpu *vcpu)
5379 {
5380 
5381  return nested_vmx_run(vcpu, false);
5382 }
5383 
5384 enum vmcs_field_type {
5385  VMCS_FIELD_TYPE_U16 = 0,
5386  VMCS_FIELD_TYPE_U64 = 1,
5387  VMCS_FIELD_TYPE_U32 = 2,
5388  VMCS_FIELD_TYPE_NATURAL_WIDTH = 3
5389 };
5390 
5391 static inline int vmcs_field_type(unsigned long field)
5392 {
5393  if (0x1 & field) /* the *_HIGH fields are all 32 bit */
5394  return VMCS_FIELD_TYPE_U32;
5395  return (field >> 13) & 0x3 ;
5396 }
5397 
5398 static inline int vmcs_field_readonly(unsigned long field)
5399 {
5400  return (((field >> 10) & 0x3) == 1);
5401 }
5402 
5403 /*
5404  * Read a vmcs12 field. Since these can have varying lengths and we return
5405  * one type, we chose the biggest type (u64) and zero-extend the return value
5406  * to that size. Note that the caller, handle_vmread, might need to use only
5407  * some of the bits we return here (e.g., on 32-bit guests, only 32 bits of
5408  * 64-bit fields are to be returned).
5409  */
5410 static inline bool vmcs12_read_any(struct kvm_vcpu *vcpu,
5411  unsigned long field, u64 *ret)
5412 {
5413  short offset = vmcs_field_to_offset(field);
5414  char *p;
5415 
5416  if (offset < 0)
5417  return 0;
5418 
5419  p = ((char *)(get_vmcs12(vcpu))) + offset;
5420 
5421  switch (vmcs_field_type(field)) {
5422  case VMCS_FIELD_TYPE_NATURAL_WIDTH:
5423  *ret = *((natural_width *)p);
5424  return 1;
5425  case VMCS_FIELD_TYPE_U16:
5426  *ret = *((u16 *)p);
5427  return 1;
5428  case VMCS_FIELD_TYPE_U32:
5429  *ret = *((u32 *)p);
5430  return 1;
5431  case VMCS_FIELD_TYPE_U64:
5432  *ret = *((u64 *)p);
5433  return 1;
5434  default:
5435  return 0; /* can never happen. */
5436  }
5437 }
5438 
5439 /*
5440  * VMX instructions which assume a current vmcs12 (i.e., that VMPTRLD was
5441  * used before) all generate the same failure when it is missing.
5442  */
5443 static int nested_vmx_check_vmcs12(struct kvm_vcpu *vcpu)
5444 {
5445  struct vcpu_vmx *vmx = to_vmx(vcpu);
5446  if (vmx->nested.current_vmptr == -1ull) {
5447  nested_vmx_failInvalid(vcpu);
5448  skip_emulated_instruction(vcpu);
5449  return 0;
5450  }
5451  return 1;
5452 }
5453 
5454 static int handle_vmread(struct kvm_vcpu *vcpu)
5455 {
5456  unsigned long field;
5457  u64 field_value;
5458  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
5459  u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
5460  gva_t gva = 0;
5461 
5462  if (!nested_vmx_check_permission(vcpu) ||
5463  !nested_vmx_check_vmcs12(vcpu))
5464  return 1;
5465 
5466  /* Decode instruction info and find the field to read */
5467  field = kvm_register_read(vcpu, (((vmx_instruction_info) >> 28) & 0xf));
5468  /* Read the field, zero-extended to a u64 field_value */
5469  if (!vmcs12_read_any(vcpu, field, &field_value)) {
5470  nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5471  skip_emulated_instruction(vcpu);
5472  return 1;
5473  }
5474  /*
5475  * Now copy part of this value to register or memory, as requested.
5476  * Note that the number of bits actually copied is 32 or 64 depending
5477  * on the guest's mode (32 or 64 bit), not on the given field's length.
5478  */
5479  if (vmx_instruction_info & (1u << 10)) {
5480  kvm_register_write(vcpu, (((vmx_instruction_info) >> 3) & 0xf),
5481  field_value);
5482  } else {
5483  if (get_vmx_mem_address(vcpu, exit_qualification,
5484  vmx_instruction_info, &gva))
5485  return 1;
5486  /* _system ok, as nested_vmx_check_permission verified cpl=0 */
5487  kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
5488  &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
5489  }
5490 
5491  nested_vmx_succeed(vcpu);
5492  skip_emulated_instruction(vcpu);
5493  return 1;
5494 }
5495 
5496 
5497 static int handle_vmwrite(struct kvm_vcpu *vcpu)
5498 {
5499  unsigned long field;
5500  gva_t gva;
5501  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
5502  u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
5503  char *p;
5504  short offset;
5505  /* The value to write might be 32 or 64 bits, depending on L1's long
5506  * mode, and eventually we need to write that into a field of several
5507  * possible lengths. The code below first zero-extends the value to 64
5508  * bit (field_value), and then copies only the approriate number of
5509  * bits into the vmcs12 field.
5510  */
5511  u64 field_value = 0;
5512  struct x86_exception e;
5513 
5514  if (!nested_vmx_check_permission(vcpu) ||
5515  !nested_vmx_check_vmcs12(vcpu))
5516  return 1;
5517 
5518  if (vmx_instruction_info & (1u << 10))
5519  field_value = kvm_register_read(vcpu,
5520  (((vmx_instruction_info) >> 3) & 0xf));
5521  else {
5522  if (get_vmx_mem_address(vcpu, exit_qualification,
5523  vmx_instruction_info, &gva))
5524  return 1;
5525  if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva,
5526  &field_value, (is_long_mode(vcpu) ? 8 : 4), &e)) {
5527  kvm_inject_page_fault(vcpu, &e);
5528  return 1;
5529  }
5530  }
5531 
5532 
5533  field = kvm_register_read(vcpu, (((vmx_instruction_info) >> 28) & 0xf));
5534  if (vmcs_field_readonly(field)) {
5535  nested_vmx_failValid(vcpu,
5536  VMXERR_VMWRITE_READ_ONLY_VMCS_COMPONENT);
5537  skip_emulated_instruction(vcpu);
5538  return 1;
5539  }
5540 
5541  offset = vmcs_field_to_offset(field);
5542  if (offset < 0) {
5543  nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5544  skip_emulated_instruction(vcpu);
5545  return 1;
5546  }
5547  p = ((char *) get_vmcs12(vcpu)) + offset;
5548 
5549  switch (vmcs_field_type(field)) {
5550  case VMCS_FIELD_TYPE_U16:
5551  *(u16 *)p = field_value;
5552  break;
5553  case VMCS_FIELD_TYPE_U32:
5554  *(u32 *)p = field_value;
5555  break;
5556  case VMCS_FIELD_TYPE_U64:
5557  *(u64 *)p = field_value;
5558  break;
5559  case VMCS_FIELD_TYPE_NATURAL_WIDTH:
5560  *(natural_width *)p = field_value;
5561  break;
5562  default:
5563  nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5564  skip_emulated_instruction(vcpu);
5565  return 1;
5566  }
5567 
5568  nested_vmx_succeed(vcpu);
5569  skip_emulated_instruction(vcpu);
5570  return 1;
5571 }
5572 
5573 /* Emulate the VMPTRLD instruction */
5574 static int handle_vmptrld(struct kvm_vcpu *vcpu)
5575 {
5576  struct vcpu_vmx *vmx = to_vmx(vcpu);
5577  gva_t gva;
5578  gpa_t vmptr;
5579  struct x86_exception e;
5580 
5581  if (!nested_vmx_check_permission(vcpu))
5582  return 1;
5583 
5584  if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION),
5585  vmcs_read32(VMX_INSTRUCTION_INFO), &gva))
5586  return 1;
5587 
5588  if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &vmptr,
5589  sizeof(vmptr), &e)) {
5590  kvm_inject_page_fault(vcpu, &e);
5591  return 1;
5592  }
5593 
5594  if (!IS_ALIGNED(vmptr, PAGE_SIZE)) {
5595  nested_vmx_failValid(vcpu, VMXERR_VMPTRLD_INVALID_ADDRESS);
5596  skip_emulated_instruction(vcpu);
5597  return 1;
5598  }
5599 
5600  if (vmx->nested.current_vmptr != vmptr) {
5601  struct vmcs12 *new_vmcs12;
5602  struct page *page;
5603  page = nested_get_page(vcpu, vmptr);
5604  if (page == NULL) {
5605  nested_vmx_failInvalid(vcpu);
5606  skip_emulated_instruction(vcpu);
5607  return 1;
5608  }
5609  new_vmcs12 = kmap(page);
5610  if (new_vmcs12->revision_id != VMCS12_REVISION) {
5611  kunmap(page);
5612  nested_release_page_clean(page);
5613  nested_vmx_failValid(vcpu,
5614  VMXERR_VMPTRLD_INCORRECT_VMCS_REVISION_ID);
5615  skip_emulated_instruction(vcpu);
5616  return 1;
5617  }
5618  if (vmx->nested.current_vmptr != -1ull) {
5619  kunmap(vmx->nested.current_vmcs12_page);
5620  nested_release_page(vmx->nested.current_vmcs12_page);
5621  }
5622 
5623  vmx->nested.current_vmptr = vmptr;
5624  vmx->nested.current_vmcs12 = new_vmcs12;
5625  vmx->nested.current_vmcs12_page = page;
5626  }
5627 
5628  nested_vmx_succeed(vcpu);
5629  skip_emulated_instruction(vcpu);
5630  return 1;
5631 }
5632 
5633 /* Emulate the VMPTRST instruction */
5634 static int handle_vmptrst(struct kvm_vcpu *vcpu)
5635 {
5636  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
5637  u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
5638  gva_t vmcs_gva;
5639  struct x86_exception e;
5640 
5641  if (!nested_vmx_check_permission(vcpu))
5642  return 1;
5643 
5644  if (get_vmx_mem_address(vcpu, exit_qualification,
5645  vmx_instruction_info, &vmcs_gva))
5646  return 1;
5647  /* ok to use *_system, as nested_vmx_check_permission verified cpl=0 */
5648  if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
5649  (void *)&to_vmx(vcpu)->nested.current_vmptr,
5650  sizeof(u64), &e)) {
5651  kvm_inject_page_fault(vcpu, &e);
5652  return 1;
5653  }
5654  nested_vmx_succeed(vcpu);
5655  skip_emulated_instruction(vcpu);
5656  return 1;
5657 }
5658 
5659 /*
5660  * The exit handlers return 1 if the exit was handled fully and guest execution
5661  * may resume. Otherwise they set the kvm_run parameter to indicate what needs
5662  * to be done to userspace and return 0.
5663  */
5664 static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
5665  [EXIT_REASON_EXCEPTION_NMI] = handle_exception,
5666  [EXIT_REASON_EXTERNAL_INTERRUPT] = handle_external_interrupt,
5667  [EXIT_REASON_TRIPLE_FAULT] = handle_triple_fault,
5668  [EXIT_REASON_NMI_WINDOW] = handle_nmi_window,
5669  [EXIT_REASON_IO_INSTRUCTION] = handle_io,
5670  [EXIT_REASON_CR_ACCESS] = handle_cr,
5671  [EXIT_REASON_DR_ACCESS] = handle_dr,
5672  [EXIT_REASON_CPUID] = handle_cpuid,
5673  [EXIT_REASON_MSR_READ] = handle_rdmsr,
5674  [EXIT_REASON_MSR_WRITE] = handle_wrmsr,
5675  [EXIT_REASON_PENDING_INTERRUPT] = handle_interrupt_window,
5676  [EXIT_REASON_HLT] = handle_halt,
5677  [EXIT_REASON_INVD] = handle_invd,
5678  [EXIT_REASON_INVLPG] = handle_invlpg,
5679  [EXIT_REASON_RDPMC] = handle_rdpmc,
5680  [EXIT_REASON_VMCALL] = handle_vmcall,
5681  [EXIT_REASON_VMCLEAR] = handle_vmclear,
5682  [EXIT_REASON_VMLAUNCH] = handle_vmlaunch,
5683  [EXIT_REASON_VMPTRLD] = handle_vmptrld,
5684  [EXIT_REASON_VMPTRST] = handle_vmptrst,
5685  [EXIT_REASON_VMREAD] = handle_vmread,
5686  [EXIT_REASON_VMRESUME] = handle_vmresume,
5687  [EXIT_REASON_VMWRITE] = handle_vmwrite,
5688  [EXIT_REASON_VMOFF] = handle_vmoff,
5689  [EXIT_REASON_VMON] = handle_vmon,
5690  [EXIT_REASON_TPR_BELOW_THRESHOLD] = handle_tpr_below_threshold,
5691  [EXIT_REASON_APIC_ACCESS] = handle_apic_access,
5692  [EXIT_REASON_WBINVD] = handle_wbinvd,
5693  [EXIT_REASON_XSETBV] = handle_xsetbv,
5694  [EXIT_REASON_TASK_SWITCH] = handle_task_switch,
5695  [EXIT_REASON_MCE_DURING_VMENTRY] = handle_machine_check,
5696  [EXIT_REASON_EPT_VIOLATION] = handle_ept_violation,
5697  [EXIT_REASON_EPT_MISCONFIG] = handle_ept_misconfig,
5698  [EXIT_REASON_PAUSE_INSTRUCTION] = handle_pause,
5699  [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op,
5700  [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op,
5701 };
5702 
5703 static const int kvm_vmx_max_exit_handlers =
5704  ARRAY_SIZE(kvm_vmx_exit_handlers);
5705 
5706 /*
5707  * Return 1 if we should exit from L2 to L1 to handle an MSR access access,
5708  * rather than handle it ourselves in L0. I.e., check whether L1 expressed
5709  * disinterest in the current event (read or write a specific MSR) by using an
5710  * MSR bitmap. This may be the case even when L0 doesn't use MSR bitmaps.
5711  */
5712 static bool nested_vmx_exit_handled_msr(struct kvm_vcpu *vcpu,
5713  struct vmcs12 *vmcs12, u32 exit_reason)
5714 {
5715  u32 msr_index = vcpu->arch.regs[VCPU_REGS_RCX];
5716  gpa_t bitmap;
5717 
5718  if (!nested_cpu_has(get_vmcs12(vcpu), CPU_BASED_USE_MSR_BITMAPS))
5719  return 1;
5720 
5721  /*
5722  * The MSR_BITMAP page is divided into four 1024-byte bitmaps,
5723  * for the four combinations of read/write and low/high MSR numbers.
5724  * First we need to figure out which of the four to use:
5725  */
5726  bitmap = vmcs12->msr_bitmap;
5727  if (exit_reason == EXIT_REASON_MSR_WRITE)
5728  bitmap += 2048;
5729  if (msr_index >= 0xc0000000) {
5730  msr_index -= 0xc0000000;
5731  bitmap += 1024;
5732  }
5733 
5734  /* Then read the msr_index'th bit from this bitmap: */
5735  if (msr_index < 1024*8) {
5736  unsigned char b;
5737  kvm_read_guest(vcpu->kvm, bitmap + msr_index/8, &b, 1);
5738  return 1 & (b >> (msr_index & 7));
5739  } else
5740  return 1; /* let L1 handle the wrong parameter */
5741 }
5742 
5743 /*
5744  * Return 1 if we should exit from L2 to L1 to handle a CR access exit,
5745  * rather than handle it ourselves in L0. I.e., check if L1 wanted to
5746  * intercept (via guest_host_mask etc.) the current event.
5747  */
5748 static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
5749  struct vmcs12 *vmcs12)
5750 {
5751  unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
5752  int cr = exit_qualification & 15;
5753  int reg = (exit_qualification >> 8) & 15;
5754  unsigned long val = kvm_register_read(vcpu, reg);
5755 
5756  switch ((exit_qualification >> 4) & 3) {
5757  case 0: /* mov to cr */
5758  switch (cr) {
5759  case 0:
5760  if (vmcs12->cr0_guest_host_mask &
5761  (val ^ vmcs12->cr0_read_shadow))
5762  return 1;
5763  break;
5764  case 3:
5765  if ((vmcs12->cr3_target_count >= 1 &&
5766  vmcs12->cr3_target_value0 == val) ||
5767  (vmcs12->cr3_target_count >= 2 &&
5768  vmcs12->cr3_target_value1 == val) ||
5769  (vmcs12->cr3_target_count >= 3 &&
5770  vmcs12->cr3_target_value2 == val) ||
5771  (vmcs12->cr3_target_count >= 4 &&
5772  vmcs12->cr3_target_value3 == val))
5773  return 0;
5774  if (nested_cpu_has(vmcs12, CPU_BASED_CR3_LOAD_EXITING))
5775  return 1;
5776  break;
5777  case 4:
5778  if (vmcs12->cr4_guest_host_mask &
5779  (vmcs12->cr4_read_shadow ^ val))
5780  return 1;
5781  break;
5782  case 8:
5783  if (nested_cpu_has(vmcs12, CPU_BASED_CR8_LOAD_EXITING))
5784  return 1;
5785  break;
5786  }
5787  break;
5788  case 2: /* clts */
5789  if ((vmcs12->cr0_guest_host_mask & X86_CR0_TS) &&
5790  (vmcs12->cr0_read_shadow & X86_CR0_TS))
5791  return 1;
5792  break;
5793  case 1: /* mov from cr */
5794  switch (cr) {
5795  case 3:
5796  if (vmcs12->cpu_based_vm_exec_control &
5797  CPU_BASED_CR3_STORE_EXITING)
5798  return 1;
5799  break;
5800  case 8:
5801  if (vmcs12->cpu_based_vm_exec_control &
5802  CPU_BASED_CR8_STORE_EXITING)
5803  return 1;
5804  break;
5805  }
5806  break;
5807  case 3: /* lmsw */
5808  /*
5809  * lmsw can change bits 1..3 of cr0, and only set bit 0 of
5810  * cr0. Other attempted changes are ignored, with no exit.
5811  */
5812  if (vmcs12->cr0_guest_host_mask & 0xe &
5813  (val ^ vmcs12->cr0_read_shadow))
5814  return 1;
5815  if ((vmcs12->cr0_guest_host_mask & 0x1) &&
5816  !(vmcs12->cr0_read_shadow & 0x1) &&
5817  (val & 0x1))
5818  return 1;
5819  break;
5820  }
5821  return 0;
5822 }
5823 
5824 /*
5825  * Return 1 if we should exit from L2 to L1 to handle an exit, or 0 if we
5826  * should handle it ourselves in L0 (and then continue L2). Only call this
5827  * when in is_guest_mode (L2).
5828  */
5829 static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
5830 {
5831  u32 exit_reason = vmcs_read32(VM_EXIT_REASON);
5832  u32 intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
5833  struct vcpu_vmx *vmx = to_vmx(vcpu);
5834  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
5835 
5836  if (vmx->nested.nested_run_pending)
5837  return 0;
5838 
5839  if (unlikely(vmx->fail)) {
5840  pr_info_ratelimited("%s failed vm entry %x\n", __func__,
5841  vmcs_read32(VM_INSTRUCTION_ERROR));
5842  return 1;
5843  }
5844 
5845  switch (exit_reason) {
5846  case EXIT_REASON_EXCEPTION_NMI:
5847  if (!is_exception(intr_info))
5848  return 0;
5849  else if (is_page_fault(intr_info))
5850  return enable_ept;
5851  return vmcs12->exception_bitmap &
5852  (1u << (intr_info & INTR_INFO_VECTOR_MASK));
5853  case EXIT_REASON_EXTERNAL_INTERRUPT:
5854  return 0;
5855  case EXIT_REASON_TRIPLE_FAULT:
5856  return 1;
5857  case EXIT_REASON_PENDING_INTERRUPT:
5858  case EXIT_REASON_NMI_WINDOW:
5859  /*
5860  * prepare_vmcs02() set the CPU_BASED_VIRTUAL_INTR_PENDING bit
5861  * (aka Interrupt Window Exiting) only when L1 turned it on,
5862  * so if we got a PENDING_INTERRUPT exit, this must be for L1.
5863  * Same for NMI Window Exiting.
5864  */
5865  return 1;
5866  case EXIT_REASON_TASK_SWITCH:
5867  return 1;
5868  case EXIT_REASON_CPUID:
5869  return 1;
5870  case EXIT_REASON_HLT:
5871  return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING);
5872  case EXIT_REASON_INVD:
5873  return 1;
5874  case EXIT_REASON_INVLPG:
5875  return nested_cpu_has(vmcs12, CPU_BASED_INVLPG_EXITING);
5876  case EXIT_REASON_RDPMC:
5877  return nested_cpu_has(vmcs12, CPU_BASED_RDPMC_EXITING);
5878  case EXIT_REASON_RDTSC:
5879  return nested_cpu_has(vmcs12, CPU_BASED_RDTSC_EXITING);
5880  case EXIT_REASON_VMCALL: case EXIT_REASON_VMCLEAR:
5881  case EXIT_REASON_VMLAUNCH: case EXIT_REASON_VMPTRLD:
5882  case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
5883  case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
5884  case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
5885  /*
5886  * VMX instructions trap unconditionally. This allows L1 to
5887  * emulate them for its L2 guest, i.e., allows 3-level nesting!
5888  */
5889  return 1;
5890  case EXIT_REASON_CR_ACCESS:
5891  return nested_vmx_exit_handled_cr(vcpu, vmcs12);
5892  case EXIT_REASON_DR_ACCESS:
5893  return nested_cpu_has(vmcs12, CPU_BASED_MOV_DR_EXITING);
5894  case EXIT_REASON_IO_INSTRUCTION:
5895  /* TODO: support IO bitmaps */
5896  return 1;
5897  case EXIT_REASON_MSR_READ:
5898  case EXIT_REASON_MSR_WRITE:
5899  return nested_vmx_exit_handled_msr(vcpu, vmcs12, exit_reason);
5900  case EXIT_REASON_INVALID_STATE:
5901  return 1;
5902  case EXIT_REASON_MWAIT_INSTRUCTION:
5903  return nested_cpu_has(vmcs12, CPU_BASED_MWAIT_EXITING);
5904  case EXIT_REASON_MONITOR_INSTRUCTION:
5905  return nested_cpu_has(vmcs12, CPU_BASED_MONITOR_EXITING);
5906  case EXIT_REASON_PAUSE_INSTRUCTION:
5907  return nested_cpu_has(vmcs12, CPU_BASED_PAUSE_EXITING) ||
5908  nested_cpu_has2(vmcs12,
5909  SECONDARY_EXEC_PAUSE_LOOP_EXITING);
5910  case EXIT_REASON_MCE_DURING_VMENTRY:
5911  return 0;
5912  case EXIT_REASON_TPR_BELOW_THRESHOLD:
5913  return 1;
5914  case EXIT_REASON_APIC_ACCESS:
5915  return nested_cpu_has2(vmcs12,
5916  SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES);
5917  case EXIT_REASON_EPT_VIOLATION:
5918  case EXIT_REASON_EPT_MISCONFIG:
5919  return 0;
5920  case EXIT_REASON_WBINVD:
5921  return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
5922  case EXIT_REASON_XSETBV:
5923  return 1;
5924  default:
5925  return 1;
5926  }
5927 }
5928 
5929 static void vmx_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
5930 {
5931  *info1 = vmcs_readl(EXIT_QUALIFICATION);
5932  *info2 = vmcs_read32(VM_EXIT_INTR_INFO);
5933 }
5934 
5935 /*
5936  * The guest has exited. See if we can fix it or if we need userspace
5937  * assistance.
5938  */
5939 static int vmx_handle_exit(struct kvm_vcpu *vcpu)
5940 {
5941  struct vcpu_vmx *vmx = to_vmx(vcpu);
5942  u32 exit_reason = vmx->exit_reason;
5943  u32 vectoring_info = vmx->idt_vectoring_info;
5944 
5945  /* If guest state is invalid, start emulating */
5946  if (vmx->emulation_required && emulate_invalid_guest_state)
5947  return handle_invalid_guest_state(vcpu);
5948 
5949  /*
5950  * the KVM_REQ_EVENT optimization bit is only on for one entry, and if
5951  * we did not inject a still-pending event to L1 now because of
5952  * nested_run_pending, we need to re-enable this bit.
5953  */
5954  if (vmx->nested.nested_run_pending)
5955  kvm_make_request(KVM_REQ_EVENT, vcpu);
5956 
5957  if (!is_guest_mode(vcpu) && (exit_reason == EXIT_REASON_VMLAUNCH ||
5958  exit_reason == EXIT_REASON_VMRESUME))
5959  vmx->nested.nested_run_pending = 1;
5960  else
5961  vmx->nested.nested_run_pending = 0;
5962 
5963  if (is_guest_mode(vcpu) && nested_vmx_exit_handled(vcpu)) {
5964  nested_vmx_vmexit(vcpu);
5965  return 1;
5966  }
5967 
5968  if (exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY) {
5969  vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY;
5970  vcpu->run->fail_entry.hardware_entry_failure_reason
5971  = exit_reason;
5972  return 0;
5973  }
5974 
5975  if (unlikely(vmx->fail)) {
5976  vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY;
5977  vcpu->run->fail_entry.hardware_entry_failure_reason
5978  = vmcs_read32(VM_INSTRUCTION_ERROR);
5979  return 0;
5980  }
5981 
5982  if ((vectoring_info & VECTORING_INFO_VALID_MASK) &&
5983  (exit_reason != EXIT_REASON_EXCEPTION_NMI &&
5984  exit_reason != EXIT_REASON_EPT_VIOLATION &&
5985  exit_reason != EXIT_REASON_TASK_SWITCH))
5986  printk(KERN_WARNING "%s: unexpected, valid vectoring info "
5987  "(0x%x) and exit reason is 0x%x\n",
5988  __func__, vectoring_info, exit_reason);
5989 
5990  if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked &&
5991  !(is_guest_mode(vcpu) && nested_cpu_has_virtual_nmis(
5992  get_vmcs12(vcpu), vcpu)))) {
5993  if (vmx_interrupt_allowed(vcpu)) {
5994  vmx->soft_vnmi_blocked = 0;
5995  } else if (vmx->vnmi_blocked_time > 1000000000LL &&
5996  vcpu->arch.nmi_pending) {
5997  /*
5998  * This CPU don't support us in finding the end of an
5999  * NMI-blocked window if the guest runs with IRQs
6000  * disabled. So we pull the trigger after 1 s of
6001  * futile waiting, but inform the user about this.
6002  */
6003  printk(KERN_WARNING "%s: Breaking out of NMI-blocked "
6004  "state on VCPU %d after 1 s timeout\n",
6005  __func__, vcpu->vcpu_id);
6006  vmx->soft_vnmi_blocked = 0;
6007  }
6008  }
6009 
6010  if (exit_reason < kvm_vmx_max_exit_handlers
6011  && kvm_vmx_exit_handlers[exit_reason])
6012  return kvm_vmx_exit_handlers[exit_reason](vcpu);
6013  else {
6014  vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
6015  vcpu->run->hw.hardware_exit_reason = exit_reason;
6016  }
6017  return 0;
6018 }
6019 
6020 static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
6021 {
6022  if (irr == -1 || tpr < irr) {
6023  vmcs_write32(TPR_THRESHOLD, 0);
6024  return;
6025  }
6026 
6027  vmcs_write32(TPR_THRESHOLD, irr);
6028 }
6029 
6030 static void vmx_complete_atomic_exit(struct vcpu_vmx *vmx)
6031 {
6032  u32 exit_intr_info;
6033 
6034  if (!(vmx->exit_reason == EXIT_REASON_MCE_DURING_VMENTRY
6035  || vmx->exit_reason == EXIT_REASON_EXCEPTION_NMI))
6036  return;
6037 
6038  vmx->exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
6039  exit_intr_info = vmx->exit_intr_info;
6040 
6041  /* Handle machine checks before interrupts are enabled */
6042  if (is_machine_check(exit_intr_info))
6043  kvm_machine_check();
6044 
6045  /* We need to handle NMIs before interrupts are enabled */
6046  if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR &&
6047  (exit_intr_info & INTR_INFO_VALID_MASK)) {
6048  kvm_before_handle_nmi(&vmx->vcpu);
6049  asm("int $2");
6050  kvm_after_handle_nmi(&vmx->vcpu);
6051  }
6052 }
6053 
6054 static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
6055 {
6056  u32 exit_intr_info;
6057  bool unblock_nmi;
6058  u8 vector;
6059  bool idtv_info_valid;
6060 
6061  idtv_info_valid = vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK;
6062 
6063  if (cpu_has_virtual_nmis()) {
6064  if (vmx->nmi_known_unmasked)
6065  return;
6066  /*
6067  * Can't use vmx->exit_intr_info since we're not sure what
6068  * the exit reason is.
6069  */
6070  exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
6071  unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0;
6072  vector = exit_intr_info & INTR_INFO_VECTOR_MASK;
6073  /*
6074  * SDM 3: 27.7.1.2 (September 2008)
6075  * Re-set bit "block by NMI" before VM entry if vmexit caused by
6076  * a guest IRET fault.
6077  * SDM 3: 23.2.2 (September 2008)
6078  * Bit 12 is undefined in any of the following cases:
6079  * If the VM exit sets the valid bit in the IDT-vectoring
6080  * information field.
6081  * If the VM exit is due to a double fault.
6082  */
6083  if ((exit_intr_info & INTR_INFO_VALID_MASK) && unblock_nmi &&
6084  vector != DF_VECTOR && !idtv_info_valid)
6085  vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
6086  GUEST_INTR_STATE_NMI);
6087  else
6088  vmx->nmi_known_unmasked =
6089  !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO)
6090  & GUEST_INTR_STATE_NMI);
6091  } else if (unlikely(vmx->soft_vnmi_blocked))
6092  vmx->vnmi_blocked_time +=
6093  ktime_to_ns(ktime_sub(ktime_get(), vmx->entry_time));
6094 }
6095 
6096 static void __vmx_complete_interrupts(struct vcpu_vmx *vmx,
6097  u32 idt_vectoring_info,
6098  int instr_len_field,
6099  int error_code_field)
6100 {
6101  u8 vector;
6102  int type;
6103  bool idtv_info_valid;
6104 
6105  idtv_info_valid = idt_vectoring_info & VECTORING_INFO_VALID_MASK;
6106 
6107  vmx->vcpu.arch.nmi_injected = false;
6108  kvm_clear_exception_queue(&vmx->vcpu);
6109  kvm_clear_interrupt_queue(&vmx->vcpu);
6110 
6111  if (!idtv_info_valid)
6112  return;
6113 
6114  kvm_make_request(KVM_REQ_EVENT, &vmx->vcpu);
6115 
6116  vector = idt_vectoring_info & VECTORING_INFO_VECTOR_MASK;
6117  type = idt_vectoring_info & VECTORING_INFO_TYPE_MASK;
6118 
6119  switch (type) {
6120  case INTR_TYPE_NMI_INTR:
6121  vmx->vcpu.arch.nmi_injected = true;
6122  /*
6123  * SDM 3: 27.7.1.2 (September 2008)
6124  * Clear bit "block by NMI" before VM entry if a NMI
6125  * delivery faulted.
6126  */
6127  vmx_set_nmi_mask(&vmx->vcpu, false);
6128  break;
6129  case INTR_TYPE_SOFT_EXCEPTION:
6130  vmx->vcpu.arch.event_exit_inst_len =
6131  vmcs_read32(instr_len_field);
6132  /* fall through */
6133  case INTR_TYPE_HARD_EXCEPTION:
6134  if (idt_vectoring_info & VECTORING_INFO_DELIVER_CODE_MASK) {
6135  u32 err = vmcs_read32(error_code_field);
6136  kvm_queue_exception_e(&vmx->vcpu, vector, err);
6137  } else
6138  kvm_queue_exception(&vmx->vcpu, vector);
6139  break;
6140  case INTR_TYPE_SOFT_INTR:
6141  vmx->vcpu.arch.event_exit_inst_len =
6142  vmcs_read32(instr_len_field);
6143  /* fall through */
6144  case INTR_TYPE_EXT_INTR:
6145  kvm_queue_interrupt(&vmx->vcpu, vector,
6146  type == INTR_TYPE_SOFT_INTR);
6147  break;
6148  default:
6149  break;
6150  }
6151 }
6152 
6153 static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
6154 {
6155  if (is_guest_mode(&vmx->vcpu))
6156  return;
6157  __vmx_complete_interrupts(vmx, vmx->idt_vectoring_info,
6158  VM_EXIT_INSTRUCTION_LEN,
6159  IDT_VECTORING_ERROR_CODE);
6160 }
6161 
6162 static void vmx_cancel_injection(struct kvm_vcpu *vcpu)
6163 {
6164  if (is_guest_mode(vcpu))
6165  return;
6166  __vmx_complete_interrupts(to_vmx(vcpu),
6167  vmcs_read32(VM_ENTRY_INTR_INFO_FIELD),
6168  VM_ENTRY_INSTRUCTION_LEN,
6169  VM_ENTRY_EXCEPTION_ERROR_CODE);
6170 
6171  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0);
6172 }
6173 
6174 static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
6175 {
6176  int i, nr_msrs;
6177  struct perf_guest_switch_msr *msrs;
6178 
6179  msrs = perf_guest_get_msrs(&nr_msrs);
6180 
6181  if (!msrs)
6182  return;
6183 
6184  for (i = 0; i < nr_msrs; i++)
6185  if (msrs[i].host == msrs[i].guest)
6186  clear_atomic_switch_msr(vmx, msrs[i].msr);
6187  else
6188  add_atomic_switch_msr(vmx, msrs[i].msr, msrs[i].guest,
6189  msrs[i].host);
6190 }
6191 
6192 static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
6193 {
6194  struct vcpu_vmx *vmx = to_vmx(vcpu);
6195  unsigned long debugctlmsr;
6196 
6197  if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) {
6198  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
6199  if (vmcs12->idt_vectoring_info_field &
6200  VECTORING_INFO_VALID_MASK) {
6201  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
6202  vmcs12->idt_vectoring_info_field);
6203  vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
6204  vmcs12->vm_exit_instruction_len);
6205  if (vmcs12->idt_vectoring_info_field &
6206  VECTORING_INFO_DELIVER_CODE_MASK)
6207  vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE,
6208  vmcs12->idt_vectoring_error_code);
6209  }
6210  }
6211 
6212  /* Record the guest's net vcpu time for enforced NMI injections. */
6213  if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
6214  vmx->entry_time = ktime_get();
6215 
6216  /* Don't enter VMX if guest state is invalid, let the exit handler
6217  start emulation until we arrive back to a valid state */
6218  if (vmx->emulation_required && emulate_invalid_guest_state)
6219  return;
6220 
6221  if (test_bit(VCPU_REGS_RSP, (unsigned long *)&vcpu->arch.regs_dirty))
6222  vmcs_writel(GUEST_RSP, vcpu->arch.regs[VCPU_REGS_RSP]);
6223  if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
6224  vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
6225 
6226  /* When single-stepping over STI and MOV SS, we must clear the
6227  * corresponding interruptibility bits in the guest state. Otherwise
6228  * vmentry fails as it then expects bit 14 (BS) in pending debug
6229  * exceptions being set, but that's not correct for the guest debugging
6230  * case. */
6231  if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
6232  vmx_set_interrupt_shadow(vcpu, 0);
6233 
6234  atomic_switch_perf_msrs(vmx);
6235  debugctlmsr = get_debugctlmsr();
6236 
6237  vmx->__launched = vmx->loaded_vmcs->launched;
6238  asm(
6239  /* Store host registers */
6240  "push %%" _ASM_DX "; push %%" _ASM_BP ";"
6241  "push %%" _ASM_CX " \n\t" /* placeholder for guest rcx */
6242  "push %%" _ASM_CX " \n\t"
6243  "cmp %%" _ASM_SP ", %c[host_rsp](%0) \n\t"
6244  "je 1f \n\t"
6245  "mov %%" _ASM_SP ", %c[host_rsp](%0) \n\t"
6246  __ex(ASM_VMX_VMWRITE_RSP_RDX) "\n\t"
6247  "1: \n\t"
6248  /* Reload cr2 if changed */
6249  "mov %c[cr2](%0), %%" _ASM_AX " \n\t"
6250  "mov %%cr2, %%" _ASM_DX " \n\t"
6251  "cmp %%" _ASM_AX ", %%" _ASM_DX " \n\t"
6252  "je 2f \n\t"
6253  "mov %%" _ASM_AX", %%cr2 \n\t"
6254  "2: \n\t"
6255  /* Check if vmlaunch of vmresume is needed */
6256  "cmpl $0, %c[launched](%0) \n\t"
6257  /* Load guest registers. Don't clobber flags. */
6258  "mov %c[rax](%0), %%" _ASM_AX " \n\t"
6259  "mov %c[rbx](%0), %%" _ASM_BX " \n\t"
6260  "mov %c[rdx](%0), %%" _ASM_DX " \n\t"
6261  "mov %c[rsi](%0), %%" _ASM_SI " \n\t"
6262  "mov %c[rdi](%0), %%" _ASM_DI " \n\t"
6263  "mov %c[rbp](%0), %%" _ASM_BP " \n\t"
6264 #ifdef CONFIG_X86_64
6265  "mov %c[r8](%0), %%r8 \n\t"
6266  "mov %c[r9](%0), %%r9 \n\t"
6267  "mov %c[r10](%0), %%r10 \n\t"
6268  "mov %c[r11](%0), %%r11 \n\t"
6269  "mov %c[r12](%0), %%r12 \n\t"
6270  "mov %c[r13](%0), %%r13 \n\t"
6271  "mov %c[r14](%0), %%r14 \n\t"
6272  "mov %c[r15](%0), %%r15 \n\t"
6273 #endif
6274  "mov %c[rcx](%0), %%" _ASM_CX " \n\t" /* kills %0 (ecx) */
6275 
6276  /* Enter guest mode */
6277  "jne 1f \n\t"
6278  __ex(ASM_VMX_VMLAUNCH) "\n\t"
6279  "jmp 2f \n\t"
6280  "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
6281  "2: "
6282  /* Save guest registers, load host registers, keep flags */
6283  "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
6284  "pop %0 \n\t"
6285  "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
6286  "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
6287  __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
6288  "mov %%" _ASM_DX ", %c[rdx](%0) \n\t"
6289  "mov %%" _ASM_SI ", %c[rsi](%0) \n\t"
6290  "mov %%" _ASM_DI ", %c[rdi](%0) \n\t"
6291  "mov %%" _ASM_BP ", %c[rbp](%0) \n\t"
6292 #ifdef CONFIG_X86_64
6293  "mov %%r8, %c[r8](%0) \n\t"
6294  "mov %%r9, %c[r9](%0) \n\t"
6295  "mov %%r10, %c[r10](%0) \n\t"
6296  "mov %%r11, %c[r11](%0) \n\t"
6297  "mov %%r12, %c[r12](%0) \n\t"
6298  "mov %%r13, %c[r13](%0) \n\t"
6299  "mov %%r14, %c[r14](%0) \n\t"
6300  "mov %%r15, %c[r15](%0) \n\t"
6301 #endif
6302  "mov %%cr2, %%" _ASM_AX " \n\t"
6303  "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
6304 
6305  "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
6306  "setbe %c[fail](%0) \n\t"
6307  ".pushsection .rodata \n\t"
6308  ".global vmx_return \n\t"
6309  "vmx_return: " _ASM_PTR " 2b \n\t"
6310  ".popsection"
6311  : : "c"(vmx), "d"((unsigned long)HOST_RSP),
6312  [launched]"i"(offsetof(struct vcpu_vmx, __launched)),
6313  [fail]"i"(offsetof(struct vcpu_vmx, fail)),
6314  [host_rsp]"i"(offsetof(struct vcpu_vmx, host_rsp)),
6315  [rax]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RAX])),
6316  [rbx]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RBX])),
6317  [rcx]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RCX])),
6318  [rdx]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RDX])),
6319  [rsi]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RSI])),
6320  [rdi]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RDI])),
6321  [rbp]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_RBP])),
6322 #ifdef CONFIG_X86_64
6323  [r8]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R8])),
6324  [r9]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R9])),
6325  [r10]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R10])),
6326  [r11]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R11])),
6327  [r12]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R12])),
6328  [r13]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R13])),
6329  [r14]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R14])),
6330  [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
6331 #endif
6332  [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
6333  [wordsize]"i"(sizeof(ulong))
6334  : "cc", "memory"
6335 #ifdef CONFIG_X86_64
6336  , "rax", "rbx", "rdi", "rsi"
6337  , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
6338 #else
6339  , "eax", "ebx", "edi", "esi"
6340 #endif
6341  );
6342 
6343  /* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
6344  if (debugctlmsr)
6345  update_debugctlmsr(debugctlmsr);
6346 
6347 #ifndef CONFIG_X86_64
6348  /*
6349  * The sysexit path does not restore ds/es, so we must set them to
6350  * a reasonable value ourselves.
6351  *
6352  * We can't defer this to vmx_load_host_state() since that function
6353  * may be executed in interrupt context, which saves and restore segments
6354  * around it, nullifying its effect.
6355  */
6356  loadsegment(ds, __USER_DS);
6357  loadsegment(es, __USER_DS);
6358 #endif
6359 
6360  vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
6361  | (1 << VCPU_EXREG_RFLAGS)
6362  | (1 << VCPU_EXREG_CPL)
6363  | (1 << VCPU_EXREG_PDPTR)
6364  | (1 << VCPU_EXREG_SEGMENTS)
6365  | (1 << VCPU_EXREG_CR3));
6366  vcpu->arch.regs_dirty = 0;
6367 
6368  vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
6369 
6370  if (is_guest_mode(vcpu)) {
6371  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
6372  vmcs12->idt_vectoring_info_field = vmx->idt_vectoring_info;
6373  if (vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK) {
6374  vmcs12->idt_vectoring_error_code =
6375  vmcs_read32(IDT_VECTORING_ERROR_CODE);
6376  vmcs12->vm_exit_instruction_len =
6377  vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
6378  }
6379  }
6380 
6381  vmx->loaded_vmcs->launched = 1;
6382 
6383  vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
6384  trace_kvm_exit(vmx->exit_reason, vcpu, KVM_ISA_VMX);
6385 
6386  vmx_complete_atomic_exit(vmx);
6387  vmx_recover_nmi_blocking(vmx);
6388  vmx_complete_interrupts(vmx);
6389 }
6390 
6391 static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
6392 {
6393  struct vcpu_vmx *vmx = to_vmx(vcpu);
6394 
6395  free_vpid(vmx);
6396  free_nested(vmx);
6397  free_loaded_vmcs(vmx->loaded_vmcs);
6398  kfree(vmx->guest_msrs);
6399  kvm_vcpu_uninit(vcpu);
6400  kmem_cache_free(kvm_vcpu_cache, vmx);
6401 }
6402 
6403 static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
6404 {
6405  int err;
6406  struct vcpu_vmx *vmx = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);
6407  int cpu;
6408 
6409  if (!vmx)
6410  return ERR_PTR(-ENOMEM);
6411 
6412  allocate_vpid(vmx);
6413 
6414  err = kvm_vcpu_init(&vmx->vcpu, kvm, id);
6415  if (err)
6416  goto free_vcpu;
6417 
6418  vmx->guest_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL);
6419  err = -ENOMEM;
6420  if (!vmx->guest_msrs) {
6421  goto uninit_vcpu;
6422  }
6423 
6424  vmx->loaded_vmcs = &vmx->vmcs01;
6425  vmx->loaded_vmcs->vmcs = alloc_vmcs();
6426  if (!vmx->loaded_vmcs->vmcs)
6427  goto free_msrs;
6428  if (!vmm_exclusive)
6429  kvm_cpu_vmxon(__pa(per_cpu(vmxarea, raw_smp_processor_id())));
6430  loaded_vmcs_init(vmx->loaded_vmcs);
6431  if (!vmm_exclusive)
6432  kvm_cpu_vmxoff();
6433 
6434  cpu = get_cpu();
6435  vmx_vcpu_load(&vmx->vcpu, cpu);
6436  vmx->vcpu.cpu = cpu;
6437  err = vmx_vcpu_setup(vmx);
6438  vmx_vcpu_put(&vmx->vcpu);
6439  put_cpu();
6440  if (err)
6441  goto free_vmcs;
6442  if (vm_need_virtualize_apic_accesses(kvm))
6443  err = alloc_apic_access_page(kvm);
6444  if (err)
6445  goto free_vmcs;
6446 
6447  if (enable_ept) {
6448  if (!kvm->arch.ept_identity_map_addr)
6449  kvm->arch.ept_identity_map_addr =
6450  VMX_EPT_IDENTITY_PAGETABLE_ADDR;
6451  err = -ENOMEM;
6452  if (alloc_identity_pagetable(kvm) != 0)
6453  goto free_vmcs;
6454  if (!init_rmode_identity_map(kvm))
6455  goto free_vmcs;
6456  }
6457 
6458  vmx->nested.current_vmptr = -1ull;
6459  vmx->nested.current_vmcs12 = NULL;
6460 
6461  return &vmx->vcpu;
6462 
6463 free_vmcs:
6464  free_loaded_vmcs(vmx->loaded_vmcs);
6465 free_msrs:
6466  kfree(vmx->guest_msrs);
6467 uninit_vcpu:
6468  kvm_vcpu_uninit(&vmx->vcpu);
6469 free_vcpu:
6470  free_vpid(vmx);
6471  kmem_cache_free(kvm_vcpu_cache, vmx);
6472  return ERR_PTR(err);
6473 }
6474 
6475 static void __init vmx_check_processor_compat(void *rtn)
6476 {
6477  struct vmcs_config vmcs_conf;
6478 
6479  *(int *)rtn = 0;
6480  if (setup_vmcs_config(&vmcs_conf) < 0)
6481  *(int *)rtn = -EIO;
6482  if (memcmp(&vmcs_config, &vmcs_conf, sizeof(struct vmcs_config)) != 0) {
6483  printk(KERN_ERR "kvm: CPU %d feature inconsistency!\n",
6484  smp_processor_id());
6485  *(int *)rtn = -EIO;
6486  }
6487 }
6488 
6489 static int get_ept_level(void)
6490 {
6491  return VMX_EPT_DEFAULT_GAW + 1;
6492 }
6493 
6494 static u64 vmx_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio)
6495 {
6496  u64 ret;
6497 
6498  /* For VT-d and EPT combination
6499  * 1. MMIO: always map as UC
6500  * 2. EPT with VT-d:
6501  * a. VT-d without snooping control feature: can't guarantee the
6502  * result, try to trust guest.
6503  * b. VT-d with snooping control feature: snooping control feature of
6504  * VT-d engine can guarantee the cache correctness. Just set it
6505  * to WB to keep consistent with host. So the same as item 3.
6506  * 3. EPT without VT-d: always map as WB and set IPAT=1 to keep
6507  * consistent with host MTRR
6508  */
6509  if (is_mmio)
6510  ret = MTRR_TYPE_UNCACHABLE << VMX_EPT_MT_EPTE_SHIFT;
6511  else if (vcpu->kvm->arch.iommu_domain &&
6512  !(vcpu->kvm->arch.iommu_flags & KVM_IOMMU_CACHE_COHERENCY))
6513  ret = kvm_get_guest_memory_type(vcpu, gfn) <<
6514  VMX_EPT_MT_EPTE_SHIFT;
6515  else
6516  ret = (MTRR_TYPE_WRBACK << VMX_EPT_MT_EPTE_SHIFT)
6517  | VMX_EPT_IPAT_BIT;
6518 
6519  return ret;
6520 }
6521 
6522 static int vmx_get_lpage_level(void)
6523 {
6524  if (enable_ept && !cpu_has_vmx_ept_1g_page())
6525  return PT_DIRECTORY_LEVEL;
6526  else
6527  /* For shadow and EPT supported 1GB page */
6528  return PT_PDPE_LEVEL;
6529 }
6530 
6531 static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
6532 {
6533  struct kvm_cpuid_entry2 *best;
6534  struct vcpu_vmx *vmx = to_vmx(vcpu);
6535  u32 exec_control;
6536 
6537  vmx->rdtscp_enabled = false;
6538  if (vmx_rdtscp_supported()) {
6539  exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
6540  if (exec_control & SECONDARY_EXEC_RDTSCP) {
6541  best = kvm_find_cpuid_entry(vcpu, 0x80000001, 0);
6542  if (best && (best->edx & bit(X86_FEATURE_RDTSCP)))
6543  vmx->rdtscp_enabled = true;
6544  else {
6545  exec_control &= ~SECONDARY_EXEC_RDTSCP;
6546  vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
6547  exec_control);
6548  }
6549  }
6550  }
6551 
6552  /* Exposing INVPCID only when PCID is exposed */
6553  best = kvm_find_cpuid_entry(vcpu, 0x7, 0);
6554  if (vmx_invpcid_supported() &&
6555  best && (best->ebx & bit(X86_FEATURE_INVPCID)) &&
6556  guest_cpuid_has_pcid(vcpu)) {
6557  exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
6558  exec_control |= SECONDARY_EXEC_ENABLE_INVPCID;
6559  vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
6560  exec_control);
6561  } else {
6562  if (cpu_has_secondary_exec_ctrls()) {
6563  exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
6564  exec_control &= ~SECONDARY_EXEC_ENABLE_INVPCID;
6565  vmcs_write32(SECONDARY_VM_EXEC_CONTROL,
6566  exec_control);
6567  }
6568  if (best)
6569  best->ebx &= ~bit(X86_FEATURE_INVPCID);
6570  }
6571 }
6572 
6573 static void vmx_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
6574 {
6575  if (func == 1 && nested)
6576  entry->ecx |= bit(X86_FEATURE_VMX);
6577 }
6578 
6579 /*
6580  * prepare_vmcs02 is called when the L1 guest hypervisor runs its nested
6581  * L2 guest. L1 has a vmcs for L2 (vmcs12), and this function "merges" it
6582  * with L0's requirements for its guest (a.k.a. vmsc01), so we can run the L2
6583  * guest in a way that will both be appropriate to L1's requests, and our
6584  * needs. In addition to modifying the active vmcs (which is vmcs02), this
6585  * function also has additional necessary side-effects, like setting various
6586  * vcpu->arch fields.
6587  */
6588 static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
6589 {
6590  struct vcpu_vmx *vmx = to_vmx(vcpu);
6591  u32 exec_control;
6592 
6593  vmcs_write16(GUEST_ES_SELECTOR, vmcs12->guest_es_selector);
6594  vmcs_write16(GUEST_CS_SELECTOR, vmcs12->guest_cs_selector);
6595  vmcs_write16(GUEST_SS_SELECTOR, vmcs12->guest_ss_selector);
6596  vmcs_write16(GUEST_DS_SELECTOR, vmcs12->guest_ds_selector);
6597  vmcs_write16(GUEST_FS_SELECTOR, vmcs12->guest_fs_selector);
6598  vmcs_write16(GUEST_GS_SELECTOR, vmcs12->guest_gs_selector);
6599  vmcs_write16(GUEST_LDTR_SELECTOR, vmcs12->guest_ldtr_selector);
6600  vmcs_write16(GUEST_TR_SELECTOR, vmcs12->guest_tr_selector);
6601  vmcs_write32(GUEST_ES_LIMIT, vmcs12->guest_es_limit);
6602  vmcs_write32(GUEST_CS_LIMIT, vmcs12->guest_cs_limit);
6603  vmcs_write32(GUEST_SS_LIMIT, vmcs12->guest_ss_limit);
6604  vmcs_write32(GUEST_DS_LIMIT, vmcs12->guest_ds_limit);
6605  vmcs_write32(GUEST_FS_LIMIT, vmcs12->guest_fs_limit);
6606  vmcs_write32(GUEST_GS_LIMIT, vmcs12->guest_gs_limit);
6607  vmcs_write32(GUEST_LDTR_LIMIT, vmcs12->guest_ldtr_limit);
6608  vmcs_write32(GUEST_TR_LIMIT, vmcs12->guest_tr_limit);
6609  vmcs_write32(GUEST_GDTR_LIMIT, vmcs12->guest_gdtr_limit);
6610  vmcs_write32(GUEST_IDTR_LIMIT, vmcs12->guest_idtr_limit);
6611  vmcs_write32(GUEST_ES_AR_BYTES, vmcs12->guest_es_ar_bytes);
6612  vmcs_write32(GUEST_CS_AR_BYTES, vmcs12->guest_cs_ar_bytes);
6613  vmcs_write32(GUEST_SS_AR_BYTES, vmcs12->guest_ss_ar_bytes);
6614  vmcs_write32(GUEST_DS_AR_BYTES, vmcs12->guest_ds_ar_bytes);
6615  vmcs_write32(GUEST_FS_AR_BYTES, vmcs12->guest_fs_ar_bytes);
6616  vmcs_write32(GUEST_GS_AR_BYTES, vmcs12->guest_gs_ar_bytes);
6617  vmcs_write32(GUEST_LDTR_AR_BYTES, vmcs12->guest_ldtr_ar_bytes);
6618  vmcs_write32(GUEST_TR_AR_BYTES, vmcs12->guest_tr_ar_bytes);
6619  vmcs_writel(GUEST_ES_BASE, vmcs12->guest_es_base);
6620  vmcs_writel(GUEST_CS_BASE, vmcs12->guest_cs_base);
6621  vmcs_writel(GUEST_SS_BASE, vmcs12->guest_ss_base);
6622  vmcs_writel(GUEST_DS_BASE, vmcs12->guest_ds_base);
6623  vmcs_writel(GUEST_FS_BASE, vmcs12->guest_fs_base);
6624  vmcs_writel(GUEST_GS_BASE, vmcs12->guest_gs_base);
6625  vmcs_writel(GUEST_LDTR_BASE, vmcs12->guest_ldtr_base);
6626  vmcs_writel(GUEST_TR_BASE, vmcs12->guest_tr_base);
6627  vmcs_writel(GUEST_GDTR_BASE, vmcs12->guest_gdtr_base);
6628  vmcs_writel(GUEST_IDTR_BASE, vmcs12->guest_idtr_base);
6629 
6630  vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl);
6631  vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
6632  vmcs12->vm_entry_intr_info_field);
6633  vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE,
6634  vmcs12->vm_entry_exception_error_code);
6635  vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
6636  vmcs12->vm_entry_instruction_len);
6637  vmcs_write32(GUEST_INTERRUPTIBILITY_INFO,
6638  vmcs12->guest_interruptibility_info);
6639  vmcs_write32(GUEST_ACTIVITY_STATE, vmcs12->guest_activity_state);
6640  vmcs_write32(GUEST_SYSENTER_CS, vmcs12->guest_sysenter_cs);
6641  vmcs_writel(GUEST_DR7, vmcs12->guest_dr7);
6642  vmcs_writel(GUEST_RFLAGS, vmcs12->guest_rflags);
6643  vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS,
6644  vmcs12->guest_pending_dbg_exceptions);
6645  vmcs_writel(GUEST_SYSENTER_ESP, vmcs12->guest_sysenter_esp);
6646  vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->guest_sysenter_eip);
6647 
6648  vmcs_write64(VMCS_LINK_POINTER, -1ull);
6649 
6650  vmcs_write32(PIN_BASED_VM_EXEC_CONTROL,
6651  (vmcs_config.pin_based_exec_ctrl |
6652  vmcs12->pin_based_vm_exec_control));
6653 
6654  /*
6655  * Whether page-faults are trapped is determined by a combination of
6656  * 3 settings: PFEC_MASK, PFEC_MATCH and EXCEPTION_BITMAP.PF.
6657  * If enable_ept, L0 doesn't care about page faults and we should
6658  * set all of these to L1's desires. However, if !enable_ept, L0 does
6659  * care about (at least some) page faults, and because it is not easy
6660  * (if at all possible?) to merge L0 and L1's desires, we simply ask
6661  * to exit on each and every L2 page fault. This is done by setting
6662  * MASK=MATCH=0 and (see below) EB.PF=1.
6663  * Note that below we don't need special code to set EB.PF beyond the
6664  * "or"ing of the EB of vmcs01 and vmcs12, because when enable_ept,
6665  * vmcs01's EB.PF is 0 so the "or" will take vmcs12's value, and when
6666  * !enable_ept, EB.PF is 1, so the "or" will always be 1.
6667  *
6668  * A problem with this approach (when !enable_ept) is that L1 may be
6669  * injected with more page faults than it asked for. This could have
6670  * caused problems, but in practice existing hypervisors don't care.
6671  * To fix this, we will need to emulate the PFEC checking (on the L1
6672  * page tables), using walk_addr(), when injecting PFs to L1.
6673  */
6674  vmcs_write32(PAGE_FAULT_ERROR_CODE_MASK,
6675  enable_ept ? vmcs12->page_fault_error_code_mask : 0);
6676  vmcs_write32(PAGE_FAULT_ERROR_CODE_MATCH,
6677  enable_ept ? vmcs12->page_fault_error_code_match : 0);
6678 
6679  if (cpu_has_secondary_exec_ctrls()) {
6680  u32 exec_control = vmx_secondary_exec_control(vmx);
6681  if (!vmx->rdtscp_enabled)
6682  exec_control &= ~SECONDARY_EXEC_RDTSCP;
6683  /* Take the following fields only from vmcs12 */
6684  exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
6685  if (nested_cpu_has(vmcs12,
6686  CPU_BASED_ACTIVATE_SECONDARY_CONTROLS))
6687  exec_control |= vmcs12->secondary_vm_exec_control;
6688 
6689  if (exec_control & SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) {
6690  /*
6691  * Translate L1 physical address to host physical
6692  * address for vmcs02. Keep the page pinned, so this
6693  * physical address remains valid. We keep a reference
6694  * to it so we can release it later.
6695  */
6696  if (vmx->nested.apic_access_page) /* shouldn't happen */
6697  nested_release_page(vmx->nested.apic_access_page);
6698  vmx->nested.apic_access_page =
6699  nested_get_page(vcpu, vmcs12->apic_access_addr);
6700  /*
6701  * If translation failed, no matter: This feature asks
6702  * to exit when accessing the given address, and if it
6703  * can never be accessed, this feature won't do
6704  * anything anyway.
6705  */
6706  if (!vmx->nested.apic_access_page)
6707  exec_control &=
6708  ~SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
6709  else
6710  vmcs_write64(APIC_ACCESS_ADDR,
6711  page_to_phys(vmx->nested.apic_access_page));
6712  }
6713 
6714  vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
6715  }
6716 
6717 
6718  /*
6719  * Set host-state according to L0's settings (vmcs12 is irrelevant here)
6720  * Some constant fields are set here by vmx_set_constant_host_state().
6721  * Other fields are different per CPU, and will be set later when
6722  * vmx_vcpu_load() is called, and when vmx_save_host_state() is called.
6723  */
6724  vmx_set_constant_host_state();
6725 
6726  /*
6727  * HOST_RSP is normally set correctly in vmx_vcpu_run() just before
6728  * entry, but only if the current (host) sp changed from the value
6729  * we wrote last (vmx->host_rsp). This cache is no longer relevant
6730  * if we switch vmcs, and rather than hold a separate cache per vmcs,
6731  * here we just force the write to happen on entry.
6732  */
6733  vmx->host_rsp = 0;
6734 
6735  exec_control = vmx_exec_control(vmx); /* L0's desires */
6736  exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING;
6737  exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
6738  exec_control &= ~CPU_BASED_TPR_SHADOW;
6739  exec_control |= vmcs12->cpu_based_vm_exec_control;
6740  /*
6741  * Merging of IO and MSR bitmaps not currently supported.
6742  * Rather, exit every time.
6743  */
6744  exec_control &= ~CPU_BASED_USE_MSR_BITMAPS;
6745  exec_control &= ~CPU_BASED_USE_IO_BITMAPS;
6746  exec_control |= CPU_BASED_UNCOND_IO_EXITING;
6747 
6748  vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, exec_control);
6749 
6750  /* EXCEPTION_BITMAP and CR0_GUEST_HOST_MASK should basically be the
6751  * bitwise-or of what L1 wants to trap for L2, and what we want to
6752  * trap. Note that CR0.TS also needs updating - we do this later.
6753  */
6754  update_exception_bitmap(vcpu);
6755  vcpu->arch.cr0_guest_owned_bits &= ~vmcs12->cr0_guest_host_mask;
6756  vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
6757 
6758  /* Note: IA32_MODE, LOAD_IA32_EFER are modified by vmx_set_efer below */
6759  vmcs_write32(VM_EXIT_CONTROLS,
6760  vmcs12->vm_exit_controls | vmcs_config.vmexit_ctrl);
6761  vmcs_write32(VM_ENTRY_CONTROLS, vmcs12->vm_entry_controls |
6762  (vmcs_config.vmentry_ctrl & ~VM_ENTRY_IA32E_MODE));
6763 
6764  if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT)
6765  vmcs_write64(GUEST_IA32_PAT, vmcs12->guest_ia32_pat);
6766  else if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT)
6767  vmcs_write64(GUEST_IA32_PAT, vmx->vcpu.arch.pat);
6768 
6769 
6770  set_cr4_guest_host_mask(vmx);
6771 
6772  if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETING)
6773  vmcs_write64(TSC_OFFSET,
6774  vmx->nested.vmcs01_tsc_offset + vmcs12->tsc_offset);
6775  else
6776  vmcs_write64(TSC_OFFSET, vmx->nested.vmcs01_tsc_offset);
6777 
6778  if (enable_vpid) {
6779  /*
6780  * Trivially support vpid by letting L2s share their parent
6781  * L1's vpid. TODO: move to a more elaborate solution, giving
6782  * each L2 its own vpid and exposing the vpid feature to L1.
6783  */
6784  vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
6785  vmx_flush_tlb(vcpu);
6786  }
6787 
6788  if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER)
6789  vcpu->arch.efer = vmcs12->guest_ia32_efer;
6790  if (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE)
6791  vcpu->arch.efer |= (EFER_LMA | EFER_LME);
6792  else
6793  vcpu->arch.efer &= ~(EFER_LMA | EFER_LME);
6794  /* Note: modifies VM_ENTRY/EXIT_CONTROLS and GUEST/HOST_IA32_EFER */
6795  vmx_set_efer(vcpu, vcpu->arch.efer);
6796 
6797  /*
6798  * This sets GUEST_CR0 to vmcs12->guest_cr0, with possibly a modified
6799  * TS bit (for lazy fpu) and bits which we consider mandatory enabled.
6800  * The CR0_READ_SHADOW is what L2 should have expected to read given
6801  * the specifications by L1; It's not enough to take
6802  * vmcs12->cr0_read_shadow because on our cr0_guest_host_mask we we
6803  * have more bits than L1 expected.
6804  */
6805  vmx_set_cr0(vcpu, vmcs12->guest_cr0);
6806  vmcs_writel(CR0_READ_SHADOW, nested_read_cr0(vmcs12));
6807 
6808  vmx_set_cr4(vcpu, vmcs12->guest_cr4);
6809  vmcs_writel(CR4_READ_SHADOW, nested_read_cr4(vmcs12));
6810 
6811  /* shadow page tables on either EPT or shadow page tables */
6812  kvm_set_cr3(vcpu, vmcs12->guest_cr3);
6813  kvm_mmu_reset_context(vcpu);
6814 
6815  kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->guest_rsp);
6816  kvm_register_write(vcpu, VCPU_REGS_RIP, vmcs12->guest_rip);
6817 }
6818 
6819 /*
6820  * nested_vmx_run() handles a nested entry, i.e., a VMLAUNCH or VMRESUME on L1
6821  * for running an L2 nested guest.
6822  */
6823 static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
6824 {
6825  struct vmcs12 *vmcs12;
6826  struct vcpu_vmx *vmx = to_vmx(vcpu);
6827  int cpu;
6828  struct loaded_vmcs *vmcs02;
6829 
6830  if (!nested_vmx_check_permission(vcpu) ||
6831  !nested_vmx_check_vmcs12(vcpu))
6832  return 1;
6833 
6834  skip_emulated_instruction(vcpu);
6835  vmcs12 = get_vmcs12(vcpu);
6836 
6837  /*
6838  * The nested entry process starts with enforcing various prerequisites
6839  * on vmcs12 as required by the Intel SDM, and act appropriately when
6840  * they fail: As the SDM explains, some conditions should cause the
6841  * instruction to fail, while others will cause the instruction to seem
6842  * to succeed, but return an EXIT_REASON_INVALID_STATE.
6843  * To speed up the normal (success) code path, we should avoid checking
6844  * for misconfigurations which will anyway be caught by the processor
6845  * when using the merged vmcs02.
6846  */
6847  if (vmcs12->launch_state == launch) {
6848  nested_vmx_failValid(vcpu,
6849  launch ? VMXERR_VMLAUNCH_NONCLEAR_VMCS
6850  : VMXERR_VMRESUME_NONLAUNCHED_VMCS);
6851  return 1;
6852  }
6853 
6854  if ((vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_MSR_BITMAPS) &&
6855  !IS_ALIGNED(vmcs12->msr_bitmap, PAGE_SIZE)) {
6856  /*TODO: Also verify bits beyond physical address width are 0*/
6857  nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
6858  return 1;
6859  }
6860 
6861  if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) &&
6862  !IS_ALIGNED(vmcs12->apic_access_addr, PAGE_SIZE)) {
6863  /*TODO: Also verify bits beyond physical address width are 0*/
6864  nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
6865  return 1;
6866  }
6867 
6868  if (vmcs12->vm_entry_msr_load_count > 0 ||
6869  vmcs12->vm_exit_msr_load_count > 0 ||
6870  vmcs12->vm_exit_msr_store_count > 0) {
6871  pr_warn_ratelimited("%s: VMCS MSR_{LOAD,STORE} unsupported\n",
6872  __func__);
6873  nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
6874  return 1;
6875  }
6876 
6877  if (!vmx_control_verify(vmcs12->cpu_based_vm_exec_control,
6878  nested_vmx_procbased_ctls_low, nested_vmx_procbased_ctls_high) ||
6879  !vmx_control_verify(vmcs12->secondary_vm_exec_control,
6880  nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high) ||
6881  !vmx_control_verify(vmcs12->pin_based_vm_exec_control,
6882  nested_vmx_pinbased_ctls_low, nested_vmx_pinbased_ctls_high) ||
6883  !vmx_control_verify(vmcs12->vm_exit_controls,
6884  nested_vmx_exit_ctls_low, nested_vmx_exit_ctls_high) ||
6885  !vmx_control_verify(vmcs12->vm_entry_controls,
6886  nested_vmx_entry_ctls_low, nested_vmx_entry_ctls_high))
6887  {
6888  nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
6889  return 1;
6890  }
6891 
6892  if (((vmcs12->host_cr0 & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON) ||
6893  ((vmcs12->host_cr4 & VMXON_CR4_ALWAYSON) != VMXON_CR4_ALWAYSON)) {
6894  nested_vmx_failValid(vcpu,
6895  VMXERR_ENTRY_INVALID_HOST_STATE_FIELD);
6896  return 1;
6897  }
6898 
6899  if (((vmcs12->guest_cr0 & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON) ||
6900  ((vmcs12->guest_cr4 & VMXON_CR4_ALWAYSON) != VMXON_CR4_ALWAYSON)) {
6901  nested_vmx_entry_failure(vcpu, vmcs12,
6902  EXIT_REASON_INVALID_STATE, ENTRY_FAIL_DEFAULT);
6903  return 1;
6904  }
6905  if (vmcs12->vmcs_link_pointer != -1ull) {
6906  nested_vmx_entry_failure(vcpu, vmcs12,
6907  EXIT_REASON_INVALID_STATE, ENTRY_FAIL_VMCS_LINK_PTR);
6908  return 1;
6909  }
6910 
6911  /*
6912  * We're finally done with prerequisite checking, and can start with
6913  * the nested entry.
6914  */
6915 
6916  vmcs02 = nested_get_current_vmcs02(vmx);
6917  if (!vmcs02)
6918  return -ENOMEM;
6919 
6920  enter_guest_mode(vcpu);
6921 
6922  vmx->nested.vmcs01_tsc_offset = vmcs_read64(TSC_OFFSET);
6923 
6924  cpu = get_cpu();
6925  vmx->loaded_vmcs = vmcs02;
6926  vmx_vcpu_put(vcpu);
6927  vmx_vcpu_load(vcpu, cpu);
6928  vcpu->cpu = cpu;
6929  put_cpu();
6930 
6931  vmcs12->launch_state = 1;
6932 
6933  prepare_vmcs02(vcpu, vmcs12);
6934 
6935  /*
6936  * Note no nested_vmx_succeed or nested_vmx_fail here. At this point
6937  * we are no longer running L1, and VMLAUNCH/VMRESUME has not yet
6938  * returned as far as L1 is concerned. It will only return (and set
6939  * the success flag) when L2 exits (see nested_vmx_vmexit()).
6940  */
6941  return 1;
6942 }
6943 
6944 /*
6945  * On a nested exit from L2 to L1, vmcs12.guest_cr0 might not be up-to-date
6946  * because L2 may have changed some cr0 bits directly (CRO_GUEST_HOST_MASK).
6947  * This function returns the new value we should put in vmcs12.guest_cr0.
6948  * It's not enough to just return the vmcs02 GUEST_CR0. Rather,
6949  * 1. Bits that neither L0 nor L1 trapped, were set directly by L2 and are now
6950  * available in vmcs02 GUEST_CR0. (Note: It's enough to check that L0
6951  * didn't trap the bit, because if L1 did, so would L0).
6952  * 2. Bits that L1 asked to trap (and therefore L0 also did) could not have
6953  * been modified by L2, and L1 knows it. So just leave the old value of
6954  * the bit from vmcs12.guest_cr0. Note that the bit from vmcs02 GUEST_CR0
6955  * isn't relevant, because if L0 traps this bit it can set it to anything.
6956  * 3. Bits that L1 didn't trap, but L0 did. L1 believes the guest could have
6957  * changed these bits, and therefore they need to be updated, but L0
6958  * didn't necessarily allow them to be changed in GUEST_CR0 - and rather
6959  * put them in vmcs02 CR0_READ_SHADOW. So take these bits from there.
6960  */
6961 static inline unsigned long
6962 vmcs12_guest_cr0(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
6963 {
6964  return
6965  /*1*/ (vmcs_readl(GUEST_CR0) & vcpu->arch.cr0_guest_owned_bits) |
6966  /*2*/ (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask) |
6967  /*3*/ (vmcs_readl(CR0_READ_SHADOW) & ~(vmcs12->cr0_guest_host_mask |
6968  vcpu->arch.cr0_guest_owned_bits));
6969 }
6970 
6971 static inline unsigned long
6972 vmcs12_guest_cr4(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
6973 {
6974  return
6975  /*1*/ (vmcs_readl(GUEST_CR4) & vcpu->arch.cr4_guest_owned_bits) |
6976  /*2*/ (vmcs12->guest_cr4 & vmcs12->cr4_guest_host_mask) |
6977  /*3*/ (vmcs_readl(CR4_READ_SHADOW) & ~(vmcs12->cr4_guest_host_mask |
6978  vcpu->arch.cr4_guest_owned_bits));
6979 }
6980 
6981 /*
6982  * prepare_vmcs12 is part of what we need to do when the nested L2 guest exits
6983  * and we want to prepare to run its L1 parent. L1 keeps a vmcs for L2 (vmcs12),
6984  * and this function updates it to reflect the changes to the guest state while
6985  * L2 was running (and perhaps made some exits which were handled directly by L0
6986  * without going back to L1), and to reflect the exit reason.
6987  * Note that we do not have to copy here all VMCS fields, just those that
6988  * could have changed by the L2 guest or the exit - i.e., the guest-state and
6989  * exit-information fields only. Other fields are modified by L1 with VMWRITE,
6990  * which already writes to vmcs12 directly.
6991  */
6992 void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
6993 {
6994  /* update guest state fields: */
6995  vmcs12->guest_cr0 = vmcs12_guest_cr0(vcpu, vmcs12);
6996  vmcs12->guest_cr4 = vmcs12_guest_cr4(vcpu, vmcs12);
6997 
6998  kvm_get_dr(vcpu, 7, (unsigned long *)&vmcs12->guest_dr7);
6999  vmcs12->guest_rsp = kvm_register_read(vcpu, VCPU_REGS_RSP);
7000  vmcs12->guest_rip = kvm_register_read(vcpu, VCPU_REGS_RIP);
7001  vmcs12->guest_rflags = vmcs_readl(GUEST_RFLAGS);
7002 
7003  vmcs12->guest_es_selector = vmcs_read16(GUEST_ES_SELECTOR);
7004  vmcs12->guest_cs_selector = vmcs_read16(GUEST_CS_SELECTOR);
7005  vmcs12->guest_ss_selector = vmcs_read16(GUEST_SS_SELECTOR);
7006  vmcs12->guest_ds_selector = vmcs_read16(GUEST_DS_SELECTOR);
7007  vmcs12->guest_fs_selector = vmcs_read16(GUEST_FS_SELECTOR);
7008  vmcs12->guest_gs_selector = vmcs_read16(GUEST_GS_SELECTOR);
7009  vmcs12->guest_ldtr_selector = vmcs_read16(GUEST_LDTR_SELECTOR);
7010  vmcs12->guest_tr_selector = vmcs_read16(GUEST_TR_SELECTOR);
7011  vmcs12->guest_es_limit = vmcs_read32(GUEST_ES_LIMIT);
7012  vmcs12->guest_cs_limit = vmcs_read32(GUEST_CS_LIMIT);
7013  vmcs12->guest_ss_limit = vmcs_read32(GUEST_SS_LIMIT);
7014  vmcs12->guest_ds_limit = vmcs_read32(GUEST_DS_LIMIT);
7015  vmcs12->guest_fs_limit = vmcs_read32(GUEST_FS_LIMIT);
7016  vmcs12->guest_gs_limit = vmcs_read32(GUEST_GS_LIMIT);
7017  vmcs12->guest_ldtr_limit = vmcs_read32(GUEST_LDTR_LIMIT);
7018  vmcs12->guest_tr_limit = vmcs_read32(GUEST_TR_LIMIT);
7019  vmcs12->guest_gdtr_limit = vmcs_read32(GUEST_GDTR_LIMIT);
7020  vmcs12->guest_idtr_limit = vmcs_read32(GUEST_IDTR_LIMIT);
7021  vmcs12->guest_es_ar_bytes = vmcs_read32(GUEST_ES_AR_BYTES);
7022  vmcs12->guest_cs_ar_bytes = vmcs_read32(GUEST_CS_AR_BYTES);
7023  vmcs12->guest_ss_ar_bytes = vmcs_read32(GUEST_SS_AR_BYTES);
7024  vmcs12->guest_ds_ar_bytes = vmcs_read32(GUEST_DS_AR_BYTES);
7025  vmcs12->guest_fs_ar_bytes = vmcs_read32(GUEST_FS_AR_BYTES);
7026  vmcs12->guest_gs_ar_bytes = vmcs_read32(GUEST_GS_AR_BYTES);
7027  vmcs12->guest_ldtr_ar_bytes = vmcs_read32(GUEST_LDTR_AR_BYTES);
7028  vmcs12->guest_tr_ar_bytes = vmcs_read32(GUEST_TR_AR_BYTES);
7029  vmcs12->guest_es_base = vmcs_readl(GUEST_ES_BASE);
7030  vmcs12->guest_cs_base = vmcs_readl(GUEST_CS_BASE);
7031  vmcs12->guest_ss_base = vmcs_readl(GUEST_SS_BASE);
7032  vmcs12->guest_ds_base = vmcs_readl(GUEST_DS_BASE);
7033  vmcs12->guest_fs_base = vmcs_readl(GUEST_FS_BASE);
7034  vmcs12->guest_gs_base = vmcs_readl(GUEST_GS_BASE);
7035  vmcs12->guest_ldtr_base = vmcs_readl(GUEST_LDTR_BASE);
7036  vmcs12->guest_tr_base = vmcs_readl(GUEST_TR_BASE);
7037  vmcs12->guest_gdtr_base = vmcs_readl(GUEST_GDTR_BASE);
7038  vmcs12->guest_idtr_base = vmcs_readl(GUEST_IDTR_BASE);
7039 
7040  vmcs12->guest_activity_state = vmcs_read32(GUEST_ACTIVITY_STATE);
7041  vmcs12->guest_interruptibility_info =
7042  vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
7043  vmcs12->guest_pending_dbg_exceptions =
7044  vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
7045 
7046  /* TODO: These cannot have changed unless we have MSR bitmaps and
7047  * the relevant bit asks not to trap the change */
7048  vmcs12->guest_ia32_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
7049  if (vmcs12->vm_entry_controls & VM_EXIT_SAVE_IA32_PAT)
7050  vmcs12->guest_ia32_pat = vmcs_read64(GUEST_IA32_PAT);
7051  vmcs12->guest_sysenter_cs = vmcs_read32(GUEST_SYSENTER_CS);
7052  vmcs12->guest_sysenter_esp = vmcs_readl(GUEST_SYSENTER_ESP);
7053  vmcs12->guest_sysenter_eip = vmcs_readl(GUEST_SYSENTER_EIP);
7054 
7055  /* update exit information fields: */
7056 
7057  vmcs12->vm_exit_reason = vmcs_read32(VM_EXIT_REASON);
7058  vmcs12->exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
7059 
7060  vmcs12->vm_exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
7061  vmcs12->vm_exit_intr_error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
7062  vmcs12->idt_vectoring_info_field =
7063  vmcs_read32(IDT_VECTORING_INFO_FIELD);
7064  vmcs12->idt_vectoring_error_code =
7065  vmcs_read32(IDT_VECTORING_ERROR_CODE);
7066  vmcs12->vm_exit_instruction_len = vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
7067  vmcs12->vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
7068 
7069  /* clear vm-entry fields which are to be cleared on exit */
7070  if (!(vmcs12->vm_exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY))
7071  vmcs12->vm_entry_intr_info_field &= ~INTR_INFO_VALID_MASK;
7072 }
7073 
7074 /*
7075  * A part of what we need to when the nested L2 guest exits and we want to
7076  * run its L1 parent, is to reset L1's guest state to the host state specified
7077  * in vmcs12.
7078  * This function is to be called not only on normal nested exit, but also on
7079  * a nested entry failure, as explained in Intel's spec, 3B.23.7 ("VM-Entry
7080  * Failures During or After Loading Guest State").
7081  * This function should be called when the active VMCS is L1's (vmcs01).
7082  */
7083 void load_vmcs12_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
7084 {
7085  if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER)
7086  vcpu->arch.efer = vmcs12->host_ia32_efer;
7087  if (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
7088  vcpu->arch.efer |= (EFER_LMA | EFER_LME);
7089  else
7090  vcpu->arch.efer &= ~(EFER_LMA | EFER_LME);
7091  vmx_set_efer(vcpu, vcpu->arch.efer);
7092 
7093  kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->host_rsp);
7094  kvm_register_write(vcpu, VCPU_REGS_RIP, vmcs12->host_rip);
7095  /*
7096  * Note that calling vmx_set_cr0 is important, even if cr0 hasn't
7097  * actually changed, because it depends on the current state of
7098  * fpu_active (which may have changed).
7099  * Note that vmx_set_cr0 refers to efer set above.
7100  */
7101  kvm_set_cr0(vcpu, vmcs12->host_cr0);
7102  /*
7103  * If we did fpu_activate()/fpu_deactivate() during L2's run, we need
7104  * to apply the same changes to L1's vmcs. We just set cr0 correctly,
7105  * but we also need to update cr0_guest_host_mask and exception_bitmap.
7106  */
7107  update_exception_bitmap(vcpu);
7108  vcpu->arch.cr0_guest_owned_bits = (vcpu->fpu_active ? X86_CR0_TS : 0);
7109  vmcs_writel(CR0_GUEST_HOST_MASK, ~vcpu->arch.cr0_guest_owned_bits);
7110 
7111  /*
7112  * Note that CR4_GUEST_HOST_MASK is already set in the original vmcs01
7113  * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask();
7114  */
7115  vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
7116  kvm_set_cr4(vcpu, vmcs12->host_cr4);
7117 
7118  /* shadow page tables on either EPT or shadow page tables */
7119  kvm_set_cr3(vcpu, vmcs12->host_cr3);
7120  kvm_mmu_reset_context(vcpu);
7121 
7122  if (enable_vpid) {
7123  /*
7124  * Trivially support vpid by letting L2s share their parent
7125  * L1's vpid. TODO: move to a more elaborate solution, giving
7126  * each L2 its own vpid and exposing the vpid feature to L1.
7127  */
7128  vmx_flush_tlb(vcpu);
7129  }
7130 
7131 
7132  vmcs_write32(GUEST_SYSENTER_CS, vmcs12->host_ia32_sysenter_cs);
7133  vmcs_writel(GUEST_SYSENTER_ESP, vmcs12->host_ia32_sysenter_esp);
7134  vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip);
7135  vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base);
7136  vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base);
7137  vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base);
7138  vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base);
7139  vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
7140  vmcs_write16(GUEST_ES_SELECTOR, vmcs12->host_es_selector);
7141  vmcs_write16(GUEST_CS_SELECTOR, vmcs12->host_cs_selector);
7142  vmcs_write16(GUEST_SS_SELECTOR, vmcs12->host_ss_selector);
7143  vmcs_write16(GUEST_DS_SELECTOR, vmcs12->host_ds_selector);
7144  vmcs_write16(GUEST_FS_SELECTOR, vmcs12->host_fs_selector);
7145  vmcs_write16(GUEST_GS_SELECTOR, vmcs12->host_gs_selector);
7146  vmcs_write16(GUEST_TR_SELECTOR, vmcs12->host_tr_selector);
7147 
7148  if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT)
7149  vmcs_write64(GUEST_IA32_PAT, vmcs12->host_ia32_pat);
7150  if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL)
7151  vmcs_write64(GUEST_IA32_PERF_GLOBAL_CTRL,
7152  vmcs12->host_ia32_perf_global_ctrl);
7153 }
7154 
7155 /*
7156  * Emulate an exit from nested guest (L2) to L1, i.e., prepare to run L1
7157  * and modify vmcs12 to make it see what it would expect to see there if
7158  * L2 was its real guest. Must only be called when in L2 (is_guest_mode())
7159  */
7160 static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
7161 {
7162  struct vcpu_vmx *vmx = to_vmx(vcpu);
7163  int cpu;
7164  struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
7165 
7166  leave_guest_mode(vcpu);
7167  prepare_vmcs12(vcpu, vmcs12);
7168 
7169  cpu = get_cpu();
7170  vmx->loaded_vmcs = &vmx->vmcs01;
7171  vmx_vcpu_put(vcpu);
7172  vmx_vcpu_load(vcpu, cpu);
7173  vcpu->cpu = cpu;
7174  put_cpu();
7175 
7176  /* if no vmcs02 cache requested, remove the one we used */
7177  if (VMCS02_POOL_SIZE == 0)
7178  nested_free_vmcs02(vmx, vmx->nested.current_vmptr);
7179 
7180  load_vmcs12_host_state(vcpu, vmcs12);
7181 
7182  /* Update TSC_OFFSET if TSC was changed while L2 ran */
7183  vmcs_write64(TSC_OFFSET, vmx->nested.vmcs01_tsc_offset);
7184 
7185  /* This is needed for same reason as it was needed in prepare_vmcs02 */
7186  vmx->host_rsp = 0;
7187 
7188  /* Unpin physical memory we referred to in vmcs02 */
7189  if (vmx->nested.apic_access_page) {
7190  nested_release_page(vmx->nested.apic_access_page);
7191  vmx->nested.apic_access_page = 0;
7192  }
7193 
7194  /*
7195  * Exiting from L2 to L1, we're now back to L1 which thinks it just
7196  * finished a VMLAUNCH or VMRESUME instruction, so we need to set the
7197  * success or failure flag accordingly.
7198  */
7199  if (unlikely(vmx->fail)) {
7200  vmx->fail = 0;
7201  nested_vmx_failValid(vcpu, vmcs_read32(VM_INSTRUCTION_ERROR));
7202  } else
7203  nested_vmx_succeed(vcpu);
7204 }
7205 
7206 /*
7207  * L1's failure to enter L2 is a subset of a normal exit, as explained in
7208  * 23.7 "VM-entry failures during or after loading guest state" (this also
7209  * lists the acceptable exit-reason and exit-qualification parameters).
7210  * It should only be called before L2 actually succeeded to run, and when
7211  * vmcs01 is current (it doesn't leave_guest_mode() or switch vmcss).
7212  */
7213 static void nested_vmx_entry_failure(struct kvm_vcpu *vcpu,
7214  struct vmcs12 *vmcs12,
7215  u32 reason, unsigned long qualification)
7216 {
7217  load_vmcs12_host_state(vcpu, vmcs12);
7218  vmcs12->vm_exit_reason = reason | VMX_EXIT_REASONS_FAILED_VMENTRY;
7219  vmcs12->exit_qualification = qualification;
7220  nested_vmx_succeed(vcpu);
7221 }
7222 
7223 static int vmx_check_intercept(struct kvm_vcpu *vcpu,
7224  struct x86_instruction_info *info,
7225  enum x86_intercept_stage stage)
7226 {
7227  return X86EMUL_CONTINUE;
7228 }
7229 
7230 static struct kvm_x86_ops vmx_x86_ops = {
7231  .cpu_has_kvm_support = cpu_has_kvm_support,
7232  .disabled_by_bios = vmx_disabled_by_bios,
7233  .hardware_setup = hardware_setup,
7234  .hardware_unsetup = hardware_unsetup,
7235  .check_processor_compatibility = vmx_check_processor_compat,
7236  .hardware_enable = hardware_enable,
7237  .hardware_disable = hardware_disable,
7238  .cpu_has_accelerated_tpr = report_flexpriority,
7239 
7240  .vcpu_create = vmx_create_vcpu,
7241  .vcpu_free = vmx_free_vcpu,
7242  .vcpu_reset = vmx_vcpu_reset,
7243 
7244  .prepare_guest_switch = vmx_save_host_state,
7245  .vcpu_load = vmx_vcpu_load,
7246  .vcpu_put = vmx_vcpu_put,
7247 
7248  .update_db_bp_intercept = update_exception_bitmap,
7249  .get_msr = vmx_get_msr,
7250  .set_msr = vmx_set_msr,
7251  .get_segment_base = vmx_get_segment_base,
7252  .get_segment = vmx_get_segment,
7253  .set_segment = vmx_set_segment,
7254  .get_cpl = vmx_get_cpl,
7255  .get_cs_db_l_bits = vmx_get_cs_db_l_bits,
7256  .decache_cr0_guest_bits = vmx_decache_cr0_guest_bits,
7257  .decache_cr3 = vmx_decache_cr3,
7258  .decache_cr4_guest_bits = vmx_decache_cr4_guest_bits,
7259  .set_cr0 = vmx_set_cr0,
7260  .set_cr3 = vmx_set_cr3,
7261  .set_cr4 = vmx_set_cr4,
7262  .set_efer = vmx_set_efer,
7263  .get_idt = vmx_get_idt,
7264  .set_idt = vmx_set_idt,
7265  .get_gdt = vmx_get_gdt,
7266  .set_gdt = vmx_set_gdt,
7267  .set_dr7 = vmx_set_dr7,
7268  .cache_reg = vmx_cache_reg,
7269  .get_rflags = vmx_get_rflags,
7270  .set_rflags = vmx_set_rflags,
7271  .fpu_activate = vmx_fpu_activate,
7272  .fpu_deactivate = vmx_fpu_deactivate,
7273 
7274  .tlb_flush = vmx_flush_tlb,
7275 
7276  .run = vmx_vcpu_run,
7277  .handle_exit = vmx_handle_exit,
7278  .skip_emulated_instruction = skip_emulated_instruction,
7279  .set_interrupt_shadow = vmx_set_interrupt_shadow,
7280  .get_interrupt_shadow = vmx_get_interrupt_shadow,
7281  .patch_hypercall = vmx_patch_hypercall,
7282  .set_irq = vmx_inject_irq,
7283  .set_nmi = vmx_inject_nmi,
7284  .queue_exception = vmx_queue_exception,
7285  .cancel_injection = vmx_cancel_injection,
7286  .interrupt_allowed = vmx_interrupt_allowed,
7287  .nmi_allowed = vmx_nmi_allowed,
7288  .get_nmi_mask = vmx_get_nmi_mask,
7289  .set_nmi_mask = vmx_set_nmi_mask,
7290  .enable_nmi_window = enable_nmi_window,
7291  .enable_irq_window = enable_irq_window,
7292  .update_cr8_intercept = update_cr8_intercept,
7293 
7294  .set_tss_addr = vmx_set_tss_addr,
7295  .get_tdp_level = get_ept_level,
7296  .get_mt_mask = vmx_get_mt_mask,
7297 
7298  .get_exit_info = vmx_get_exit_info,
7299 
7300  .get_lpage_level = vmx_get_lpage_level,
7301 
7302  .cpuid_update = vmx_cpuid_update,
7303 
7304  .rdtscp_supported = vmx_rdtscp_supported,
7305  .invpcid_supported = vmx_invpcid_supported,
7306 
7307  .set_supported_cpuid = vmx_set_supported_cpuid,
7308 
7309  .has_wbinvd_exit = cpu_has_vmx_wbinvd_exit,
7310 
7311  .set_tsc_khz = vmx_set_tsc_khz,
7312  .write_tsc_offset = vmx_write_tsc_offset,
7313  .adjust_tsc_offset = vmx_adjust_tsc_offset,
7314  .compute_tsc_offset = vmx_compute_tsc_offset,
7315  .read_l1_tsc = vmx_read_l1_tsc,
7316 
7317  .set_tdp_cr3 = vmx_set_cr3,
7318 
7319  .check_intercept = vmx_check_intercept,
7320 };
7321 
7322 static int __init vmx_init(void)
7323 {
7324  int r, i;
7325 
7326  rdmsrl_safe(MSR_EFER, &host_efer);
7327 
7328  for (i = 0; i < NR_VMX_MSR; ++i)
7329  kvm_define_shared_msr(i, vmx_msr_index[i]);
7330 
7331  vmx_io_bitmap_a = (unsigned long *)__get_free_page(GFP_KERNEL);
7332  if (!vmx_io_bitmap_a)
7333  return -ENOMEM;
7334 
7335  r = -ENOMEM;
7336 
7337  vmx_io_bitmap_b = (unsigned long *)__get_free_page(GFP_KERNEL);
7338  if (!vmx_io_bitmap_b)
7339  goto out;
7340 
7341  vmx_msr_bitmap_legacy = (unsigned long *)__get_free_page(GFP_KERNEL);
7342  if (!vmx_msr_bitmap_legacy)
7343  goto out1;
7344 
7345 
7346  vmx_msr_bitmap_longmode = (unsigned long *)__get_free_page(GFP_KERNEL);
7347  if (!vmx_msr_bitmap_longmode)
7348  goto out2;
7349 
7350 
7351  /*
7352  * Allow direct access to the PC debug port (it is often used for I/O
7353  * delays, but the vmexits simply slow things down).
7354  */
7355  memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
7356  clear_bit(0x80, vmx_io_bitmap_a);
7357 
7358  memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
7359 
7360  memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE);
7361  memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE);
7362 
7363  set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
7364 
7365  r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx),
7366  __alignof__(struct vcpu_vmx), THIS_MODULE);
7367  if (r)
7368  goto out3;
7369 
7370  vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
7371  vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
7372  vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true);
7373  vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false);
7374  vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false);
7375  vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false);
7376 
7377  if (enable_ept) {
7378  kvm_mmu_set_mask_ptes(0ull,
7379  (enable_ept_ad_bits) ? VMX_EPT_ACCESS_BIT : 0ull,
7380  (enable_ept_ad_bits) ? VMX_EPT_DIRTY_BIT : 0ull,
7381  0ull, VMX_EPT_EXECUTABLE_MASK);
7382  ept_set_mmio_spte_mask();
7383  kvm_enable_tdp();
7384  } else
7385  kvm_disable_tdp();
7386 
7387  return 0;
7388 
7389 out3:
7390  free_page((unsigned long)vmx_msr_bitmap_longmode);
7391 out2:
7392  free_page((unsigned long)vmx_msr_bitmap_legacy);
7393 out1:
7394  free_page((unsigned long)vmx_io_bitmap_b);
7395 out:
7396  free_page((unsigned long)vmx_io_bitmap_a);
7397  return r;
7398 }
7399 
7400 static void __exit vmx_exit(void)
7401 {
7402  free_page((unsigned long)vmx_msr_bitmap_legacy);
7403  free_page((unsigned long)vmx_msr_bitmap_longmode);
7404  free_page((unsigned long)vmx_io_bitmap_b);
7405  free_page((unsigned long)vmx_io_bitmap_a);
7406 
7407  kvm_exit();
7408 }
7409 
7410 module_init(vmx_init)
7411 module_exit(vmx_exit)
Generated on Thu Jan 10 2013 13:21:17 for Linux Kernel by   doxygen 1.8.2