]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - arch/x86/kvm/svm/nested.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
KVM: nSVM: Optimize vmcb12 to vmcb02 save area copies
[mirror_ubuntu-jammy-kernel.git] / arch / x86 / kvm / svm / nested.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Kernel-based Virtual Machine driver for Linux
4 *
5 * AMD SVM support
6 *
7 * Copyright (C) 2006 Qumranet, Inc.
8 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
9 *
10 * Authors:
11 * Yaniv Kamay <yaniv@qumranet.com>
12 * Avi Kivity <avi@qumranet.com>
13 */
14
15 #define pr_fmt(fmt) "SVM: " fmt
16
17 #include <linux/kvm_types.h>
18 #include <linux/kvm_host.h>
19 #include <linux/kernel.h>
20
21 #include <asm/msr-index.h>
22 #include <asm/debugreg.h>
23
24 #include "kvm_emulate.h"
25 #include "trace.h"
26 #include "mmu.h"
27 #include "x86.h"
28 #include "cpuid.h"
29 #include "lapic.h"
30 #include "svm.h"
31
32 #define CC KVM_NESTED_VMENTER_CONSISTENCY_CHECK
33
34 static void nested_svm_inject_npf_exit(struct kvm_vcpu *vcpu,
35 struct x86_exception *fault)
36 {
37 struct vcpu_svm *svm = to_svm(vcpu);
38
39 if (svm->vmcb->control.exit_code != SVM_EXIT_NPF) {
40 /*
41 * TODO: track the cause of the nested page fault, and
42 * correctly fill in the high bits of exit_info_1.
43 */
44 svm->vmcb->control.exit_code = SVM_EXIT_NPF;
45 svm->vmcb->control.exit_code_hi = 0;
46 svm->vmcb->control.exit_info_1 = (1ULL << 32);
47 svm->vmcb->control.exit_info_2 = fault->address;
48 }
49
50 svm->vmcb->control.exit_info_1 &= ~0xffffffffULL;
51 svm->vmcb->control.exit_info_1 |= fault->error_code;
52
53 nested_svm_vmexit(svm);
54 }
55
56 static void svm_inject_page_fault_nested(struct kvm_vcpu *vcpu, struct x86_exception *fault)
57 {
58 struct vcpu_svm *svm = to_svm(vcpu);
59 WARN_ON(!is_guest_mode(vcpu));
60
61 if (vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_EXCEPTION_OFFSET + PF_VECTOR) &&
62 !svm->nested.nested_run_pending) {
63 svm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + PF_VECTOR;
64 svm->vmcb->control.exit_code_hi = 0;
65 svm->vmcb->control.exit_info_1 = fault->error_code;
66 svm->vmcb->control.exit_info_2 = fault->address;
67 nested_svm_vmexit(svm);
68 } else {
69 kvm_inject_page_fault(vcpu, fault);
70 }
71 }
72
73 static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)
74 {
75 struct vcpu_svm *svm = to_svm(vcpu);
76 u64 cr3 = svm->nested.ctl.nested_cr3;
77 u64 pdpte;
78 int ret;
79
80 ret = kvm_vcpu_read_guest_page(vcpu, gpa_to_gfn(cr3), &pdpte,
81 offset_in_page(cr3) + index * 8, 8);
82 if (ret)
83 return 0;
84 return pdpte;
85 }
86
87 static unsigned long nested_svm_get_tdp_cr3(struct kvm_vcpu *vcpu)
88 {
89 struct vcpu_svm *svm = to_svm(vcpu);
90
91 return svm->nested.ctl.nested_cr3;
92 }
93
94 static void nested_svm_init_mmu_context(struct kvm_vcpu *vcpu)
95 {
96 struct vcpu_svm *svm = to_svm(vcpu);
97
98 WARN_ON(mmu_is_nested(vcpu));
99
100 vcpu->arch.mmu = &vcpu->arch.guest_mmu;
101 kvm_init_shadow_npt_mmu(vcpu, X86_CR0_PG, svm->vmcb01.ptr->save.cr4,
102 svm->vmcb01.ptr->save.efer,
103 svm->nested.ctl.nested_cr3);
104 vcpu->arch.mmu->get_guest_pgd = nested_svm_get_tdp_cr3;
105 vcpu->arch.mmu->get_pdptr = nested_svm_get_tdp_pdptr;
106 vcpu->arch.mmu->inject_page_fault = nested_svm_inject_npf_exit;
107 reset_shadow_zero_bits_mask(vcpu, vcpu->arch.mmu);
108 vcpu->arch.walk_mmu = &vcpu->arch.nested_mmu;
109 }
110
111 static void nested_svm_uninit_mmu_context(struct kvm_vcpu *vcpu)
112 {
113 vcpu->arch.mmu = &vcpu->arch.root_mmu;
114 vcpu->arch.walk_mmu = &vcpu->arch.root_mmu;
115 }
116
117 void recalc_intercepts(struct vcpu_svm *svm)
118 {
119 struct vmcb_control_area *c, *h, *g;
120 unsigned int i;
121
122 vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
123
124 if (!is_guest_mode(&svm->vcpu))
125 return;
126
127 c = &svm->vmcb->control;
128 h = &svm->vmcb01.ptr->control;
129 g = &svm->nested.ctl;
130
131 for (i = 0; i < MAX_INTERCEPT; i++)
132 c->intercepts[i] = h->intercepts[i];
133
134 if (g->int_ctl & V_INTR_MASKING_MASK) {
135 /* We only want the cr8 intercept bits of L1 */
136 vmcb_clr_intercept(c, INTERCEPT_CR8_READ);
137 vmcb_clr_intercept(c, INTERCEPT_CR8_WRITE);
138
139 /*
140 * Once running L2 with HF_VINTR_MASK, EFLAGS.IF does not
141 * affect any interrupt we may want to inject; therefore,
142 * interrupt window vmexits are irrelevant to L0.
143 */
144 vmcb_clr_intercept(c, INTERCEPT_VINTR);
145 }
146
147 /* We don't want to see VMMCALLs from a nested guest */
148 vmcb_clr_intercept(c, INTERCEPT_VMMCALL);
149
150 for (i = 0; i < MAX_INTERCEPT; i++)
151 c->intercepts[i] |= g->intercepts[i];
152 }
153
154 static void copy_vmcb_control_area(struct vmcb_control_area *dst,
155 struct vmcb_control_area *from)
156 {
157 unsigned int i;
158
159 for (i = 0; i < MAX_INTERCEPT; i++)
160 dst->intercepts[i] = from->intercepts[i];
161
162 dst->iopm_base_pa = from->iopm_base_pa;
163 dst->msrpm_base_pa = from->msrpm_base_pa;
164 dst->tsc_offset = from->tsc_offset;
165 /* asid not copied, it is handled manually for svm->vmcb. */
166 dst->tlb_ctl = from->tlb_ctl;
167 dst->int_ctl = from->int_ctl;
168 dst->int_vector = from->int_vector;
169 dst->int_state = from->int_state;
170 dst->exit_code = from->exit_code;
171 dst->exit_code_hi = from->exit_code_hi;
172 dst->exit_info_1 = from->exit_info_1;
173 dst->exit_info_2 = from->exit_info_2;
174 dst->exit_int_info = from->exit_int_info;
175 dst->exit_int_info_err = from->exit_int_info_err;
176 dst->nested_ctl = from->nested_ctl;
177 dst->event_inj = from->event_inj;
178 dst->event_inj_err = from->event_inj_err;
179 dst->nested_cr3 = from->nested_cr3;
180 dst->virt_ext = from->virt_ext;
181 dst->pause_filter_count = from->pause_filter_count;
182 dst->pause_filter_thresh = from->pause_filter_thresh;
183 }
184
185 static bool nested_svm_vmrun_msrpm(struct vcpu_svm *svm)
186 {
187 /*
188 * This function merges the msr permission bitmaps of kvm and the
189 * nested vmcb. It is optimized in that it only merges the parts where
190 * the kvm msr permission bitmap may contain zero bits
191 */
192 int i;
193
194 if (!(vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_MSR_PROT)))
195 return true;
196
197 for (i = 0; i < MSRPM_OFFSETS; i++) {
198 u32 value, p;
199 u64 offset;
200
201 if (msrpm_offsets[i] == 0xffffffff)
202 break;
203
204 p = msrpm_offsets[i];
205 offset = svm->nested.ctl.msrpm_base_pa + (p * 4);
206
207 if (kvm_vcpu_read_guest(&svm->vcpu, offset, &value, 4))
208 return false;
209
210 svm->nested.msrpm[p] = svm->msrpm[p] | value;
211 }
212
213 svm->vmcb->control.msrpm_base_pa = __sme_set(__pa(svm->nested.msrpm));
214
215 return true;
216 }
217
218 static bool svm_get_nested_state_pages(struct kvm_vcpu *vcpu)
219 {
220 struct vcpu_svm *svm = to_svm(vcpu);
221
222 if (WARN_ON(!is_guest_mode(vcpu)))
223 return true;
224
225 if (!nested_svm_vmrun_msrpm(svm)) {
226 vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
227 vcpu->run->internal.suberror =
228 KVM_INTERNAL_ERROR_EMULATION;
229 vcpu->run->internal.ndata = 0;
230 return false;
231 }
232
233 return true;
234 }
235
236 static bool nested_vmcb_check_controls(struct vmcb_control_area *control)
237 {
238 if (CC(!vmcb_is_intercept(control, INTERCEPT_VMRUN)))
239 return false;
240
241 if (CC(control->asid == 0))
242 return false;
243
244 if (CC((control->nested_ctl & SVM_NESTED_CTL_NP_ENABLE) && !npt_enabled))
245 return false;
246
247 return true;
248 }
249
250 static bool nested_vmcb_check_cr3_cr4(struct kvm_vcpu *vcpu,
251 struct vmcb_save_area *save)
252 {
253 /*
254 * These checks are also performed by KVM_SET_SREGS,
255 * except that EFER.LMA is not checked by SVM against
256 * CR0.PG && EFER.LME.
257 */
258 if ((save->efer & EFER_LME) && (save->cr0 & X86_CR0_PG)) {
259 if (CC(!(save->cr4 & X86_CR4_PAE)) ||
260 CC(!(save->cr0 & X86_CR0_PE)) ||
261 CC(kvm_vcpu_is_illegal_gpa(vcpu, save->cr3)))
262 return false;
263 }
264
265 if (CC(!kvm_is_valid_cr4(vcpu, save->cr4)))
266 return false;
267
268 return true;
269 }
270
271 /* Common checks that apply to both L1 and L2 state. */
272 static bool nested_vmcb_valid_sregs(struct kvm_vcpu *vcpu,
273 struct vmcb_save_area *save)
274 {
275 if (CC(!(save->efer & EFER_SVME)))
276 return false;
277
278 if (CC((save->cr0 & X86_CR0_CD) == 0 && (save->cr0 & X86_CR0_NW)) ||
279 CC(save->cr0 & ~0xffffffffULL))
280 return false;
281
282 if (CC(!kvm_dr6_valid(save->dr6)) || CC(!kvm_dr7_valid(save->dr7)))
283 return false;
284
285 if (!nested_vmcb_check_cr3_cr4(vcpu, save))
286 return false;
287
288 if (CC(!kvm_valid_efer(vcpu, save->efer)))
289 return false;
290
291 return true;
292 }
293
294 static bool nested_vmcb_checks(struct kvm_vcpu *vcpu, struct vmcb *vmcb12)
295 {
296 if (!nested_vmcb_valid_sregs(vcpu, &vmcb12->save))
297 return false;
298
299 return nested_vmcb_check_controls(&vmcb12->control);
300 }
301
302 static void nested_load_control_from_vmcb12(struct vcpu_svm *svm,
303 struct vmcb_control_area *control)
304 {
305 copy_vmcb_control_area(&svm->nested.ctl, control);
306
307 /* Copy it here because nested_svm_check_controls will check it. */
308 svm->nested.ctl.asid = control->asid;
309 svm->nested.ctl.msrpm_base_pa &= ~0x0fffULL;
310 svm->nested.ctl.iopm_base_pa &= ~0x0fffULL;
311 }
312
313 /*
314 * Synchronize fields that are written by the processor, so that
315 * they can be copied back into the vmcb12.
316 */
317 void nested_sync_control_from_vmcb02(struct vcpu_svm *svm)
318 {
319 u32 mask;
320 svm->nested.ctl.event_inj = svm->vmcb->control.event_inj;
321 svm->nested.ctl.event_inj_err = svm->vmcb->control.event_inj_err;
322
323 /* Only a few fields of int_ctl are written by the processor. */
324 mask = V_IRQ_MASK | V_TPR_MASK;
325 if (!(svm->nested.ctl.int_ctl & V_INTR_MASKING_MASK) &&
326 svm_is_intercept(svm, INTERCEPT_VINTR)) {
327 /*
328 * In order to request an interrupt window, L0 is usurping
329 * svm->vmcb->control.int_ctl and possibly setting V_IRQ
330 * even if it was clear in L1's VMCB. Restoring it would be
331 * wrong. However, in this case V_IRQ will remain true until
332 * interrupt_window_interception calls svm_clear_vintr and
333 * restores int_ctl. We can just leave it aside.
334 */
335 mask &= ~V_IRQ_MASK;
336 }
337 svm->nested.ctl.int_ctl &= ~mask;
338 svm->nested.ctl.int_ctl |= svm->vmcb->control.int_ctl & mask;
339 }
340
341 /*
342 * Transfer any event that L0 or L1 wanted to inject into L2 to
343 * EXIT_INT_INFO.
344 */
345 static void nested_save_pending_event_to_vmcb12(struct vcpu_svm *svm,
346 struct vmcb *vmcb12)
347 {
348 struct kvm_vcpu *vcpu = &svm->vcpu;
349 u32 exit_int_info = 0;
350 unsigned int nr;
351
352 if (vcpu->arch.exception.injected) {
353 nr = vcpu->arch.exception.nr;
354 exit_int_info = nr | SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_EXEPT;
355
356 if (vcpu->arch.exception.has_error_code) {
357 exit_int_info |= SVM_EVTINJ_VALID_ERR;
358 vmcb12->control.exit_int_info_err =
359 vcpu->arch.exception.error_code;
360 }
361
362 } else if (vcpu->arch.nmi_injected) {
363 exit_int_info = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_NMI;
364
365 } else if (vcpu->arch.interrupt.injected) {
366 nr = vcpu->arch.interrupt.nr;
367 exit_int_info = nr | SVM_EVTINJ_VALID;
368
369 if (vcpu->arch.interrupt.soft)
370 exit_int_info |= SVM_EVTINJ_TYPE_SOFT;
371 else
372 exit_int_info |= SVM_EVTINJ_TYPE_INTR;
373 }
374
375 vmcb12->control.exit_int_info = exit_int_info;
376 }
377
378 static inline bool nested_npt_enabled(struct vcpu_svm *svm)
379 {
380 return svm->nested.ctl.nested_ctl & SVM_NESTED_CTL_NP_ENABLE;
381 }
382
383 /*
384 * Load guest's/host's cr3 on nested vmentry or vmexit. @nested_npt is true
385 * if we are emulating VM-Entry into a guest with NPT enabled.
386 */
387 static int nested_svm_load_cr3(struct kvm_vcpu *vcpu, unsigned long cr3,
388 bool nested_npt)
389 {
390 if (CC(kvm_vcpu_is_illegal_gpa(vcpu, cr3)))
391 return -EINVAL;
392
393 if (!nested_npt && is_pae_paging(vcpu) &&
394 (cr3 != kvm_read_cr3(vcpu) || pdptrs_changed(vcpu))) {
395 if (CC(!load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3)))
396 return -EINVAL;
397 }
398
399 /*
400 * TODO: optimize unconditional TLB flush/MMU sync here and in
401 * kvm_init_shadow_npt_mmu().
402 */
403 if (!nested_npt)
404 kvm_mmu_new_pgd(vcpu, cr3, false, false);
405
406 vcpu->arch.cr3 = cr3;
407 kvm_register_mark_available(vcpu, VCPU_EXREG_CR3);
408
409 kvm_init_mmu(vcpu, false);
410
411 return 0;
412 }
413
414 void nested_vmcb02_compute_g_pat(struct vcpu_svm *svm)
415 {
416 if (!svm->nested.vmcb02.ptr)
417 return;
418
419 /* FIXME: merge g_pat from vmcb01 and vmcb12. */
420 svm->nested.vmcb02.ptr->save.g_pat = svm->vmcb01.ptr->save.g_pat;
421 }
422
423 static void nested_vmcb02_prepare_save(struct vcpu_svm *svm, struct vmcb *vmcb12)
424 {
425 bool new_vmcb12 = false;
426
427 nested_vmcb02_compute_g_pat(svm);
428
429 /* Load the nested guest state */
430
431 if (svm->nested.vmcb12_gpa != svm->nested.last_vmcb12_gpa) {
432 new_vmcb12 = true;
433 svm->nested.last_vmcb12_gpa = svm->nested.vmcb12_gpa;
434 }
435
436 if (unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_SEG))) {
437 svm->vmcb->save.es = vmcb12->save.es;
438 svm->vmcb->save.cs = vmcb12->save.cs;
439 svm->vmcb->save.ss = vmcb12->save.ss;
440 svm->vmcb->save.ds = vmcb12->save.ds;
441 svm->vmcb->save.cpl = vmcb12->save.cpl;
442 vmcb_mark_dirty(svm->vmcb, VMCB_SEG);
443 }
444
445 if (unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_DT))) {
446 svm->vmcb->save.gdtr = vmcb12->save.gdtr;
447 svm->vmcb->save.idtr = vmcb12->save.idtr;
448 vmcb_mark_dirty(svm->vmcb, VMCB_DT);
449 }
450
451 kvm_set_rflags(&svm->vcpu, vmcb12->save.rflags | X86_EFLAGS_FIXED);
452 svm_set_efer(&svm->vcpu, vmcb12->save.efer);
453 svm_set_cr0(&svm->vcpu, vmcb12->save.cr0);
454 svm_set_cr4(&svm->vcpu, vmcb12->save.cr4);
455
456 svm->vcpu.arch.cr2 = vmcb12->save.cr2;
457
458 kvm_rax_write(&svm->vcpu, vmcb12->save.rax);
459 kvm_rsp_write(&svm->vcpu, vmcb12->save.rsp);
460 kvm_rip_write(&svm->vcpu, vmcb12->save.rip);
461
462 /* In case we don't even reach vcpu_run, the fields are not updated */
463 svm->vmcb->save.rax = vmcb12->save.rax;
464 svm->vmcb->save.rsp = vmcb12->save.rsp;
465 svm->vmcb->save.rip = vmcb12->save.rip;
466
467 /* These bits will be set properly on the first execution when new_vmc12 is true */
468 if (unlikely(new_vmcb12 || vmcb_is_dirty(vmcb12, VMCB_DR))) {
469 svm->vmcb->save.dr7 = vmcb12->save.dr7 | DR7_FIXED_1;
470 svm->vcpu.arch.dr6 = vmcb12->save.dr6 | DR6_ACTIVE_LOW;
471 vmcb_mark_dirty(svm->vmcb, VMCB_DR);
472 }
473 }
474
475 static void nested_vmcb02_prepare_control(struct vcpu_svm *svm)
476 {
477 const u32 mask = V_INTR_MASKING_MASK | V_GIF_ENABLE_MASK | V_GIF_MASK;
478
479 /*
480 * Filled at exit: exit_code, exit_code_hi, exit_info_1, exit_info_2,
481 * exit_int_info, exit_int_info_err, next_rip, insn_len, insn_bytes.
482 */
483
484 /*
485 * Also covers avic_vapic_bar, avic_backing_page, avic_logical_id,
486 * avic_physical_id.
487 */
488 WARN_ON(svm->vmcb01.ptr->control.int_ctl & AVIC_ENABLE_MASK);
489
490 /* Copied from vmcb01. msrpm_base can be overwritten later. */
491 svm->vmcb->control.nested_ctl = svm->vmcb01.ptr->control.nested_ctl;
492 svm->vmcb->control.iopm_base_pa = svm->vmcb01.ptr->control.iopm_base_pa;
493 svm->vmcb->control.msrpm_base_pa = svm->vmcb01.ptr->control.msrpm_base_pa;
494
495 /* Done at vmrun: asid. */
496
497 /* Also overwritten later if necessary. */
498 svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
499
500 /* nested_cr3. */
501 if (nested_npt_enabled(svm))
502 nested_svm_init_mmu_context(&svm->vcpu);
503
504 svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset =
505 svm->vcpu.arch.l1_tsc_offset + svm->nested.ctl.tsc_offset;
506
507 svm->vmcb->control.int_ctl =
508 (svm->nested.ctl.int_ctl & ~mask) |
509 (svm->vmcb01.ptr->control.int_ctl & mask);
510
511 svm->vmcb->control.virt_ext = svm->nested.ctl.virt_ext;
512 svm->vmcb->control.int_vector = svm->nested.ctl.int_vector;
513 svm->vmcb->control.int_state = svm->nested.ctl.int_state;
514 svm->vmcb->control.event_inj = svm->nested.ctl.event_inj;
515 svm->vmcb->control.event_inj_err = svm->nested.ctl.event_inj_err;
516
517 svm->vmcb->control.pause_filter_count = svm->nested.ctl.pause_filter_count;
518 svm->vmcb->control.pause_filter_thresh = svm->nested.ctl.pause_filter_thresh;
519
520 /* Enter Guest-Mode */
521 enter_guest_mode(&svm->vcpu);
522
523 /*
524 * Merge guest and host intercepts - must be called with vcpu in
525 * guest-mode to take effect.
526 */
527 recalc_intercepts(svm);
528 }
529
530 static void nested_svm_copy_common_state(struct vmcb *from_vmcb, struct vmcb *to_vmcb)
531 {
532 /*
533 * Some VMCB state is shared between L1 and L2 and thus has to be
534 * moved at the time of nested vmrun and vmexit.
535 *
536 * VMLOAD/VMSAVE state would also belong in this category, but KVM
537 * always performs VMLOAD and VMSAVE from the VMCB01.
538 */
539 to_vmcb->save.spec_ctrl = from_vmcb->save.spec_ctrl;
540 }
541
542 int enter_svm_guest_mode(struct kvm_vcpu *vcpu, u64 vmcb12_gpa,
543 struct vmcb *vmcb12)
544 {
545 struct vcpu_svm *svm = to_svm(vcpu);
546 int ret;
547
548 trace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb12_gpa,
549 vmcb12->save.rip,
550 vmcb12->control.int_ctl,
551 vmcb12->control.event_inj,
552 vmcb12->control.nested_ctl);
553
554 trace_kvm_nested_intercepts(vmcb12->control.intercepts[INTERCEPT_CR] & 0xffff,
555 vmcb12->control.intercepts[INTERCEPT_CR] >> 16,
556 vmcb12->control.intercepts[INTERCEPT_EXCEPTION],
557 vmcb12->control.intercepts[INTERCEPT_WORD3],
558 vmcb12->control.intercepts[INTERCEPT_WORD4],
559 vmcb12->control.intercepts[INTERCEPT_WORD5]);
560
561
562 svm->nested.vmcb12_gpa = vmcb12_gpa;
563
564 WARN_ON(svm->vmcb == svm->nested.vmcb02.ptr);
565
566 nested_svm_copy_common_state(svm->vmcb01.ptr, svm->nested.vmcb02.ptr);
567 nested_load_control_from_vmcb12(svm, &vmcb12->control);
568
569 svm_switch_vmcb(svm, &svm->nested.vmcb02);
570 nested_vmcb02_prepare_control(svm);
571 nested_vmcb02_prepare_save(svm, vmcb12);
572
573 ret = nested_svm_load_cr3(&svm->vcpu, vmcb12->save.cr3,
574 nested_npt_enabled(svm));
575 if (ret)
576 return ret;
577
578 if (!npt_enabled)
579 vcpu->arch.mmu->inject_page_fault = svm_inject_page_fault_nested;
580
581 svm_set_gif(svm, true);
582
583 return 0;
584 }
585
586 int nested_svm_vmrun(struct kvm_vcpu *vcpu)
587 {
588 struct vcpu_svm *svm = to_svm(vcpu);
589 int ret;
590 struct vmcb *vmcb12;
591 struct kvm_host_map map;
592 u64 vmcb12_gpa;
593
594 ++vcpu->stat.nested_run;
595
596 if (is_smm(vcpu)) {
597 kvm_queue_exception(vcpu, UD_VECTOR);
598 return 1;
599 }
600
601 vmcb12_gpa = svm->vmcb->save.rax;
602 ret = kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map);
603 if (ret == -EINVAL) {
604 kvm_inject_gp(vcpu, 0);
605 return 1;
606 } else if (ret) {
607 return kvm_skip_emulated_instruction(vcpu);
608 }
609
610 ret = kvm_skip_emulated_instruction(vcpu);
611
612 vmcb12 = map.hva;
613
614 if (WARN_ON_ONCE(!svm->nested.initialized))
615 return -EINVAL;
616
617 if (!nested_vmcb_checks(vcpu, vmcb12)) {
618 vmcb12->control.exit_code = SVM_EXIT_ERR;
619 vmcb12->control.exit_code_hi = 0;
620 vmcb12->control.exit_info_1 = 0;
621 vmcb12->control.exit_info_2 = 0;
622 goto out;
623 }
624
625
626 /* Clear internal status */
627 kvm_clear_exception_queue(vcpu);
628 kvm_clear_interrupt_queue(vcpu);
629
630 /*
631 * Since vmcb01 is not in use, we can use it to store some of the L1
632 * state.
633 */
634 svm->vmcb01.ptr->save.efer = vcpu->arch.efer;
635 svm->vmcb01.ptr->save.cr0 = kvm_read_cr0(vcpu);
636 svm->vmcb01.ptr->save.cr4 = vcpu->arch.cr4;
637 svm->vmcb01.ptr->save.rflags = kvm_get_rflags(vcpu);
638 svm->vmcb01.ptr->save.rip = kvm_rip_read(vcpu);
639
640 if (!npt_enabled)
641 svm->vmcb01.ptr->save.cr3 = kvm_read_cr3(vcpu);
642
643 svm->nested.nested_run_pending = 1;
644
645 if (enter_svm_guest_mode(vcpu, vmcb12_gpa, vmcb12))
646 goto out_exit_err;
647
648 if (nested_svm_vmrun_msrpm(svm))
649 goto out;
650
651 out_exit_err:
652 svm->nested.nested_run_pending = 0;
653
654 svm->vmcb->control.exit_code = SVM_EXIT_ERR;
655 svm->vmcb->control.exit_code_hi = 0;
656 svm->vmcb->control.exit_info_1 = 0;
657 svm->vmcb->control.exit_info_2 = 0;
658
659 nested_svm_vmexit(svm);
660
661 out:
662 kvm_vcpu_unmap(vcpu, &map, true);
663
664 return ret;
665 }
666
667 void nested_svm_vmloadsave(struct vmcb *from_vmcb, struct vmcb *to_vmcb)
668 {
669 to_vmcb->save.fs = from_vmcb->save.fs;
670 to_vmcb->save.gs = from_vmcb->save.gs;
671 to_vmcb->save.tr = from_vmcb->save.tr;
672 to_vmcb->save.ldtr = from_vmcb->save.ldtr;
673 to_vmcb->save.kernel_gs_base = from_vmcb->save.kernel_gs_base;
674 to_vmcb->save.star = from_vmcb->save.star;
675 to_vmcb->save.lstar = from_vmcb->save.lstar;
676 to_vmcb->save.cstar = from_vmcb->save.cstar;
677 to_vmcb->save.sfmask = from_vmcb->save.sfmask;
678 to_vmcb->save.sysenter_cs = from_vmcb->save.sysenter_cs;
679 to_vmcb->save.sysenter_esp = from_vmcb->save.sysenter_esp;
680 to_vmcb->save.sysenter_eip = from_vmcb->save.sysenter_eip;
681 }
682
683 int nested_svm_vmexit(struct vcpu_svm *svm)
684 {
685 struct kvm_vcpu *vcpu = &svm->vcpu;
686 struct vmcb *vmcb12;
687 struct vmcb *vmcb = svm->vmcb;
688 struct kvm_host_map map;
689 int rc;
690
691 /* Triple faults in L2 should never escape. */
692 WARN_ON_ONCE(kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu));
693
694 rc = kvm_vcpu_map(vcpu, gpa_to_gfn(svm->nested.vmcb12_gpa), &map);
695 if (rc) {
696 if (rc == -EINVAL)
697 kvm_inject_gp(vcpu, 0);
698 return 1;
699 }
700
701 vmcb12 = map.hva;
702
703 /* Exit Guest-Mode */
704 leave_guest_mode(vcpu);
705 svm->nested.vmcb12_gpa = 0;
706 WARN_ON_ONCE(svm->nested.nested_run_pending);
707
708 kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
709
710 /* in case we halted in L2 */
711 svm->vcpu.arch.mp_state = KVM_MP_STATE_RUNNABLE;
712
713 /* Give the current vmcb to the guest */
714
715 vmcb12->save.es = vmcb->save.es;
716 vmcb12->save.cs = vmcb->save.cs;
717 vmcb12->save.ss = vmcb->save.ss;
718 vmcb12->save.ds = vmcb->save.ds;
719 vmcb12->save.gdtr = vmcb->save.gdtr;
720 vmcb12->save.idtr = vmcb->save.idtr;
721 vmcb12->save.efer = svm->vcpu.arch.efer;
722 vmcb12->save.cr0 = kvm_read_cr0(vcpu);
723 vmcb12->save.cr3 = kvm_read_cr3(vcpu);
724 vmcb12->save.cr2 = vmcb->save.cr2;
725 vmcb12->save.cr4 = svm->vcpu.arch.cr4;
726 vmcb12->save.rflags = kvm_get_rflags(vcpu);
727 vmcb12->save.rip = kvm_rip_read(vcpu);
728 vmcb12->save.rsp = kvm_rsp_read(vcpu);
729 vmcb12->save.rax = kvm_rax_read(vcpu);
730 vmcb12->save.dr7 = vmcb->save.dr7;
731 vmcb12->save.dr6 = svm->vcpu.arch.dr6;
732 vmcb12->save.cpl = vmcb->save.cpl;
733
734 vmcb12->control.int_state = vmcb->control.int_state;
735 vmcb12->control.exit_code = vmcb->control.exit_code;
736 vmcb12->control.exit_code_hi = vmcb->control.exit_code_hi;
737 vmcb12->control.exit_info_1 = vmcb->control.exit_info_1;
738 vmcb12->control.exit_info_2 = vmcb->control.exit_info_2;
739
740 if (vmcb12->control.exit_code != SVM_EXIT_ERR)
741 nested_save_pending_event_to_vmcb12(svm, vmcb12);
742
743 if (svm->nrips_enabled)
744 vmcb12->control.next_rip = vmcb->control.next_rip;
745
746 vmcb12->control.int_ctl = svm->nested.ctl.int_ctl;
747 vmcb12->control.tlb_ctl = svm->nested.ctl.tlb_ctl;
748 vmcb12->control.event_inj = svm->nested.ctl.event_inj;
749 vmcb12->control.event_inj_err = svm->nested.ctl.event_inj_err;
750
751 vmcb12->control.pause_filter_count =
752 svm->vmcb->control.pause_filter_count;
753 vmcb12->control.pause_filter_thresh =
754 svm->vmcb->control.pause_filter_thresh;
755
756 nested_svm_copy_common_state(svm->nested.vmcb02.ptr, svm->vmcb01.ptr);
757
758 svm_switch_vmcb(svm, &svm->vmcb01);
759
760 /*
761 * On vmexit the GIF is set to false and
762 * no event can be injected in L1.
763 */
764 svm_set_gif(svm, false);
765 svm->vmcb->control.exit_int_info = 0;
766
767 svm->vcpu.arch.tsc_offset = svm->vcpu.arch.l1_tsc_offset;
768 if (svm->vmcb->control.tsc_offset != svm->vcpu.arch.tsc_offset) {
769 svm->vmcb->control.tsc_offset = svm->vcpu.arch.tsc_offset;
770 vmcb_mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
771 }
772
773 svm->nested.ctl.nested_cr3 = 0;
774
775 /*
776 * Restore processor state that had been saved in vmcb01
777 */
778 kvm_set_rflags(vcpu, svm->vmcb->save.rflags);
779 svm_set_efer(vcpu, svm->vmcb->save.efer);
780 svm_set_cr0(vcpu, svm->vmcb->save.cr0 | X86_CR0_PE);
781 svm_set_cr4(vcpu, svm->vmcb->save.cr4);
782 kvm_rax_write(vcpu, svm->vmcb->save.rax);
783 kvm_rsp_write(vcpu, svm->vmcb->save.rsp);
784 kvm_rip_write(vcpu, svm->vmcb->save.rip);
785
786 svm->vcpu.arch.dr7 = DR7_FIXED_1;
787 kvm_update_dr7(&svm->vcpu);
788
789 trace_kvm_nested_vmexit_inject(vmcb12->control.exit_code,
790 vmcb12->control.exit_info_1,
791 vmcb12->control.exit_info_2,
792 vmcb12->control.exit_int_info,
793 vmcb12->control.exit_int_info_err,
794 KVM_ISA_SVM);
795
796 kvm_vcpu_unmap(vcpu, &map, true);
797
798 nested_svm_uninit_mmu_context(vcpu);
799
800 rc = nested_svm_load_cr3(vcpu, svm->vmcb->save.cr3, false);
801 if (rc)
802 return 1;
803
804 /*
805 * Drop what we picked up for L2 via svm_complete_interrupts() so it
806 * doesn't end up in L1.
807 */
808 svm->vcpu.arch.nmi_injected = false;
809 kvm_clear_exception_queue(vcpu);
810 kvm_clear_interrupt_queue(vcpu);
811
812 return 0;
813 }
814
815 static void nested_svm_triple_fault(struct kvm_vcpu *vcpu)
816 {
817 nested_svm_simple_vmexit(to_svm(vcpu), SVM_EXIT_SHUTDOWN);
818 }
819
820 int svm_allocate_nested(struct vcpu_svm *svm)
821 {
822 struct page *vmcb02_page;
823
824 if (svm->nested.initialized)
825 return 0;
826
827 vmcb02_page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_ZERO);
828 if (!vmcb02_page)
829 return -ENOMEM;
830 svm->nested.vmcb02.ptr = page_address(vmcb02_page);
831 svm->nested.vmcb02.pa = __sme_set(page_to_pfn(vmcb02_page) << PAGE_SHIFT);
832
833 svm->nested.msrpm = svm_vcpu_alloc_msrpm();
834 if (!svm->nested.msrpm)
835 goto err_free_vmcb02;
836 svm_vcpu_init_msrpm(&svm->vcpu, svm->nested.msrpm);
837
838 svm->nested.initialized = true;
839 return 0;
840
841 err_free_vmcb02:
842 __free_page(vmcb02_page);
843 return -ENOMEM;
844 }
845
846 void svm_free_nested(struct vcpu_svm *svm)
847 {
848 if (!svm->nested.initialized)
849 return;
850
851 svm_vcpu_free_msrpm(svm->nested.msrpm);
852 svm->nested.msrpm = NULL;
853
854 __free_page(virt_to_page(svm->nested.vmcb02.ptr));
855 svm->nested.vmcb02.ptr = NULL;
856
857 svm->nested.initialized = false;
858 }
859
860 /*
861 * Forcibly leave nested mode in order to be able to reset the VCPU later on.
862 */
863 void svm_leave_nested(struct vcpu_svm *svm)
864 {
865 struct kvm_vcpu *vcpu = &svm->vcpu;
866
867 if (is_guest_mode(vcpu)) {
868 svm->nested.nested_run_pending = 0;
869 leave_guest_mode(vcpu);
870
871 svm_switch_vmcb(svm, &svm->nested.vmcb02);
872
873 nested_svm_uninit_mmu_context(vcpu);
874 vmcb_mark_all_dirty(svm->vmcb);
875 }
876
877 kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
878 }
879
880 static int nested_svm_exit_handled_msr(struct vcpu_svm *svm)
881 {
882 u32 offset, msr, value;
883 int write, mask;
884
885 if (!(vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_MSR_PROT)))
886 return NESTED_EXIT_HOST;
887
888 msr = svm->vcpu.arch.regs[VCPU_REGS_RCX];
889 offset = svm_msrpm_offset(msr);
890 write = svm->vmcb->control.exit_info_1 & 1;
891 mask = 1 << ((2 * (msr & 0xf)) + write);
892
893 if (offset == MSR_INVALID)
894 return NESTED_EXIT_DONE;
895
896 /* Offset is in 32 bit units but need in 8 bit units */
897 offset *= 4;
898
899 if (kvm_vcpu_read_guest(&svm->vcpu, svm->nested.ctl.msrpm_base_pa + offset, &value, 4))
900 return NESTED_EXIT_DONE;
901
902 return (value & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;
903 }
904
905 static int nested_svm_intercept_ioio(struct vcpu_svm *svm)
906 {
907 unsigned port, size, iopm_len;
908 u16 val, mask;
909 u8 start_bit;
910 u64 gpa;
911
912 if (!(vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_IOIO_PROT)))
913 return NESTED_EXIT_HOST;
914
915 port = svm->vmcb->control.exit_info_1 >> 16;
916 size = (svm->vmcb->control.exit_info_1 & SVM_IOIO_SIZE_MASK) >>
917 SVM_IOIO_SIZE_SHIFT;
918 gpa = svm->nested.ctl.iopm_base_pa + (port / 8);
919 start_bit = port % 8;
920 iopm_len = (start_bit + size > 8) ? 2 : 1;
921 mask = (0xf >> (4 - size)) << start_bit;
922 val = 0;
923
924 if (kvm_vcpu_read_guest(&svm->vcpu, gpa, &val, iopm_len))
925 return NESTED_EXIT_DONE;
926
927 return (val & mask) ? NESTED_EXIT_DONE : NESTED_EXIT_HOST;
928 }
929
930 static int nested_svm_intercept(struct vcpu_svm *svm)
931 {
932 u32 exit_code = svm->vmcb->control.exit_code;
933 int vmexit = NESTED_EXIT_HOST;
934
935 switch (exit_code) {
936 case SVM_EXIT_MSR:
937 vmexit = nested_svm_exit_handled_msr(svm);
938 break;
939 case SVM_EXIT_IOIO:
940 vmexit = nested_svm_intercept_ioio(svm);
941 break;
942 case SVM_EXIT_READ_CR0 ... SVM_EXIT_WRITE_CR8: {
943 if (vmcb_is_intercept(&svm->nested.ctl, exit_code))
944 vmexit = NESTED_EXIT_DONE;
945 break;
946 }
947 case SVM_EXIT_READ_DR0 ... SVM_EXIT_WRITE_DR7: {
948 if (vmcb_is_intercept(&svm->nested.ctl, exit_code))
949 vmexit = NESTED_EXIT_DONE;
950 break;
951 }
952 case SVM_EXIT_EXCP_BASE ... SVM_EXIT_EXCP_BASE + 0x1f: {
953 /*
954 * Host-intercepted exceptions have been checked already in
955 * nested_svm_exit_special. There is nothing to do here,
956 * the vmexit is injected by svm_check_nested_events.
957 */
958 vmexit = NESTED_EXIT_DONE;
959 break;
960 }
961 case SVM_EXIT_ERR: {
962 vmexit = NESTED_EXIT_DONE;
963 break;
964 }
965 default: {
966 if (vmcb_is_intercept(&svm->nested.ctl, exit_code))
967 vmexit = NESTED_EXIT_DONE;
968 }
969 }
970
971 return vmexit;
972 }
973
974 int nested_svm_exit_handled(struct vcpu_svm *svm)
975 {
976 int vmexit;
977
978 vmexit = nested_svm_intercept(svm);
979
980 if (vmexit == NESTED_EXIT_DONE)
981 nested_svm_vmexit(svm);
982
983 return vmexit;
984 }
985
986 int nested_svm_check_permissions(struct kvm_vcpu *vcpu)
987 {
988 if (!(vcpu->arch.efer & EFER_SVME) || !is_paging(vcpu)) {
989 kvm_queue_exception(vcpu, UD_VECTOR);
990 return 1;
991 }
992
993 if (to_svm(vcpu)->vmcb->save.cpl) {
994 kvm_inject_gp(vcpu, 0);
995 return 1;
996 }
997
998 return 0;
999 }
1000
1001 static bool nested_exit_on_exception(struct vcpu_svm *svm)
1002 {
1003 unsigned int nr = svm->vcpu.arch.exception.nr;
1004
1005 return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(nr));
1006 }
1007
1008 static void nested_svm_inject_exception_vmexit(struct vcpu_svm *svm)
1009 {
1010 unsigned int nr = svm->vcpu.arch.exception.nr;
1011
1012 svm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr;
1013 svm->vmcb->control.exit_code_hi = 0;
1014
1015 if (svm->vcpu.arch.exception.has_error_code)
1016 svm->vmcb->control.exit_info_1 = svm->vcpu.arch.exception.error_code;
1017
1018 /*
1019 * EXITINFO2 is undefined for all exception intercepts other
1020 * than #PF.
1021 */
1022 if (nr == PF_VECTOR) {
1023 if (svm->vcpu.arch.exception.nested_apf)
1024 svm->vmcb->control.exit_info_2 = svm->vcpu.arch.apf.nested_apf_token;
1025 else if (svm->vcpu.arch.exception.has_payload)
1026 svm->vmcb->control.exit_info_2 = svm->vcpu.arch.exception.payload;
1027 else
1028 svm->vmcb->control.exit_info_2 = svm->vcpu.arch.cr2;
1029 } else if (nr == DB_VECTOR) {
1030 /* See inject_pending_event. */
1031 kvm_deliver_exception_payload(&svm->vcpu);
1032 if (svm->vcpu.arch.dr7 & DR7_GD) {
1033 svm->vcpu.arch.dr7 &= ~DR7_GD;
1034 kvm_update_dr7(&svm->vcpu);
1035 }
1036 } else
1037 WARN_ON(svm->vcpu.arch.exception.has_payload);
1038
1039 nested_svm_vmexit(svm);
1040 }
1041
1042 static inline bool nested_exit_on_init(struct vcpu_svm *svm)
1043 {
1044 return vmcb_is_intercept(&svm->nested.ctl, INTERCEPT_INIT);
1045 }
1046
1047 static int svm_check_nested_events(struct kvm_vcpu *vcpu)
1048 {
1049 struct vcpu_svm *svm = to_svm(vcpu);
1050 bool block_nested_events =
1051 kvm_event_needs_reinjection(vcpu) || svm->nested.nested_run_pending;
1052 struct kvm_lapic *apic = vcpu->arch.apic;
1053
1054 if (lapic_in_kernel(vcpu) &&
1055 test_bit(KVM_APIC_INIT, &apic->pending_events)) {
1056 if (block_nested_events)
1057 return -EBUSY;
1058 if (!nested_exit_on_init(svm))
1059 return 0;
1060 nested_svm_simple_vmexit(svm, SVM_EXIT_INIT);
1061 return 0;
1062 }
1063
1064 if (vcpu->arch.exception.pending) {
1065 if (block_nested_events)
1066 return -EBUSY;
1067 if (!nested_exit_on_exception(svm))
1068 return 0;
1069 nested_svm_inject_exception_vmexit(svm);
1070 return 0;
1071 }
1072
1073 if (vcpu->arch.smi_pending && !svm_smi_blocked(vcpu)) {
1074 if (block_nested_events)
1075 return -EBUSY;
1076 if (!nested_exit_on_smi(svm))
1077 return 0;
1078 nested_svm_simple_vmexit(svm, SVM_EXIT_SMI);
1079 return 0;
1080 }
1081
1082 if (vcpu->arch.nmi_pending && !svm_nmi_blocked(vcpu)) {
1083 if (block_nested_events)
1084 return -EBUSY;
1085 if (!nested_exit_on_nmi(svm))
1086 return 0;
1087 nested_svm_simple_vmexit(svm, SVM_EXIT_NMI);
1088 return 0;
1089 }
1090
1091 if (kvm_cpu_has_interrupt(vcpu) && !svm_interrupt_blocked(vcpu)) {
1092 if (block_nested_events)
1093 return -EBUSY;
1094 if (!nested_exit_on_intr(svm))
1095 return 0;
1096 trace_kvm_nested_intr_vmexit(svm->vmcb->save.rip);
1097 nested_svm_simple_vmexit(svm, SVM_EXIT_INTR);
1098 return 0;
1099 }
1100
1101 return 0;
1102 }
1103
1104 int nested_svm_exit_special(struct vcpu_svm *svm)
1105 {
1106 u32 exit_code = svm->vmcb->control.exit_code;
1107
1108 switch (exit_code) {
1109 case SVM_EXIT_INTR:
1110 case SVM_EXIT_NMI:
1111 case SVM_EXIT_NPF:
1112 return NESTED_EXIT_HOST;
1113 case SVM_EXIT_EXCP_BASE ... SVM_EXIT_EXCP_BASE + 0x1f: {
1114 u32 excp_bits = 1 << (exit_code - SVM_EXIT_EXCP_BASE);
1115
1116 if (svm->vmcb01.ptr->control.intercepts[INTERCEPT_EXCEPTION] &
1117 excp_bits)
1118 return NESTED_EXIT_HOST;
1119 else if (exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR &&
1120 svm->vcpu.arch.apf.host_apf_flags)
1121 /* Trap async PF even if not shadowing */
1122 return NESTED_EXIT_HOST;
1123 break;
1124 }
1125 default:
1126 break;
1127 }
1128
1129 return NESTED_EXIT_CONTINUE;
1130 }
1131
1132 static int svm_get_nested_state(struct kvm_vcpu *vcpu,
1133 struct kvm_nested_state __user *user_kvm_nested_state,
1134 u32 user_data_size)
1135 {
1136 struct vcpu_svm *svm;
1137 struct kvm_nested_state kvm_state = {
1138 .flags = 0,
1139 .format = KVM_STATE_NESTED_FORMAT_SVM,
1140 .size = sizeof(kvm_state),
1141 };
1142 struct vmcb __user *user_vmcb = (struct vmcb __user *)
1143 &user_kvm_nested_state->data.svm[0];
1144
1145 if (!vcpu)
1146 return kvm_state.size + KVM_STATE_NESTED_SVM_VMCB_SIZE;
1147
1148 svm = to_svm(vcpu);
1149
1150 if (user_data_size < kvm_state.size)
1151 goto out;
1152
1153 /* First fill in the header and copy it out. */
1154 if (is_guest_mode(vcpu)) {
1155 kvm_state.hdr.svm.vmcb_pa = svm->nested.vmcb12_gpa;
1156 kvm_state.size += KVM_STATE_NESTED_SVM_VMCB_SIZE;
1157 kvm_state.flags |= KVM_STATE_NESTED_GUEST_MODE;
1158
1159 if (svm->nested.nested_run_pending)
1160 kvm_state.flags |= KVM_STATE_NESTED_RUN_PENDING;
1161 }
1162
1163 if (gif_set(svm))
1164 kvm_state.flags |= KVM_STATE_NESTED_GIF_SET;
1165
1166 if (copy_to_user(user_kvm_nested_state, &kvm_state, sizeof(kvm_state)))
1167 return -EFAULT;
1168
1169 if (!is_guest_mode(vcpu))
1170 goto out;
1171
1172 /*
1173 * Copy over the full size of the VMCB rather than just the size
1174 * of the structs.
1175 */
1176 if (clear_user(user_vmcb, KVM_STATE_NESTED_SVM_VMCB_SIZE))
1177 return -EFAULT;
1178 if (copy_to_user(&user_vmcb->control, &svm->nested.ctl,
1179 sizeof(user_vmcb->control)))
1180 return -EFAULT;
1181 if (copy_to_user(&user_vmcb->save, &svm->vmcb01.ptr->save,
1182 sizeof(user_vmcb->save)))
1183 return -EFAULT;
1184 out:
1185 return kvm_state.size;
1186 }
1187
1188 static int svm_set_nested_state(struct kvm_vcpu *vcpu,
1189 struct kvm_nested_state __user *user_kvm_nested_state,
1190 struct kvm_nested_state *kvm_state)
1191 {
1192 struct vcpu_svm *svm = to_svm(vcpu);
1193 struct vmcb __user *user_vmcb = (struct vmcb __user *)
1194 &user_kvm_nested_state->data.svm[0];
1195 struct vmcb_control_area *ctl;
1196 struct vmcb_save_area *save;
1197 int ret;
1198 u32 cr0;
1199
1200 BUILD_BUG_ON(sizeof(struct vmcb_control_area) + sizeof(struct vmcb_save_area) >
1201 KVM_STATE_NESTED_SVM_VMCB_SIZE);
1202
1203 if (kvm_state->format != KVM_STATE_NESTED_FORMAT_SVM)
1204 return -EINVAL;
1205
1206 if (kvm_state->flags & ~(KVM_STATE_NESTED_GUEST_MODE |
1207 KVM_STATE_NESTED_RUN_PENDING |
1208 KVM_STATE_NESTED_GIF_SET))
1209 return -EINVAL;
1210
1211 /*
1212 * If in guest mode, vcpu->arch.efer actually refers to the L2 guest's
1213 * EFER.SVME, but EFER.SVME still has to be 1 for VMRUN to succeed.
1214 */
1215 if (!(vcpu->arch.efer & EFER_SVME)) {
1216 /* GIF=1 and no guest mode are required if SVME=0. */
1217 if (kvm_state->flags != KVM_STATE_NESTED_GIF_SET)
1218 return -EINVAL;
1219 }
1220
1221 /* SMM temporarily disables SVM, so we cannot be in guest mode. */
1222 if (is_smm(vcpu) && (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE))
1223 return -EINVAL;
1224
1225 if (!(kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE)) {
1226 svm_leave_nested(svm);
1227 svm_set_gif(svm, !!(kvm_state->flags & KVM_STATE_NESTED_GIF_SET));
1228 return 0;
1229 }
1230
1231 if (!page_address_valid(vcpu, kvm_state->hdr.svm.vmcb_pa))
1232 return -EINVAL;
1233 if (kvm_state->size < sizeof(*kvm_state) + KVM_STATE_NESTED_SVM_VMCB_SIZE)
1234 return -EINVAL;
1235
1236 ret = -ENOMEM;
1237 ctl = kzalloc(sizeof(*ctl), GFP_KERNEL);
1238 save = kzalloc(sizeof(*save), GFP_KERNEL);
1239 if (!ctl || !save)
1240 goto out_free;
1241
1242 ret = -EFAULT;
1243 if (copy_from_user(ctl, &user_vmcb->control, sizeof(*ctl)))
1244 goto out_free;
1245 if (copy_from_user(save, &user_vmcb->save, sizeof(*save)))
1246 goto out_free;
1247
1248 ret = -EINVAL;
1249 if (!nested_vmcb_check_controls(ctl))
1250 goto out_free;
1251
1252 /*
1253 * Processor state contains L2 state. Check that it is
1254 * valid for guest mode (see nested_vmcb_checks).
1255 */
1256 cr0 = kvm_read_cr0(vcpu);
1257 if (((cr0 & X86_CR0_CD) == 0) && (cr0 & X86_CR0_NW))
1258 goto out_free;
1259
1260 /*
1261 * Validate host state saved from before VMRUN (see
1262 * nested_svm_check_permissions).
1263 */
1264 if (!(save->cr0 & X86_CR0_PG) ||
1265 !(save->cr0 & X86_CR0_PE) ||
1266 (save->rflags & X86_EFLAGS_VM) ||
1267 !nested_vmcb_valid_sregs(vcpu, save))
1268 goto out_free;
1269
1270 /*
1271 * All checks done, we can enter guest mode. Userspace provides
1272 * vmcb12.control, which will be combined with L1 and stored into
1273 * vmcb02, and the L1 save state which we store in vmcb01.
1274 * L2 registers if needed are moved from the current VMCB to VMCB02.
1275 */
1276
1277 svm->nested.nested_run_pending =
1278 !!(kvm_state->flags & KVM_STATE_NESTED_RUN_PENDING);
1279
1280 svm->nested.vmcb12_gpa = kvm_state->hdr.svm.vmcb_pa;
1281 if (svm->current_vmcb == &svm->vmcb01)
1282 svm->nested.vmcb02.ptr->save = svm->vmcb01.ptr->save;
1283
1284 svm->vmcb01.ptr->save.es = save->es;
1285 svm->vmcb01.ptr->save.cs = save->cs;
1286 svm->vmcb01.ptr->save.ss = save->ss;
1287 svm->vmcb01.ptr->save.ds = save->ds;
1288 svm->vmcb01.ptr->save.gdtr = save->gdtr;
1289 svm->vmcb01.ptr->save.idtr = save->idtr;
1290 svm->vmcb01.ptr->save.rflags = save->rflags | X86_EFLAGS_FIXED;
1291 svm->vmcb01.ptr->save.efer = save->efer;
1292 svm->vmcb01.ptr->save.cr0 = save->cr0;
1293 svm->vmcb01.ptr->save.cr3 = save->cr3;
1294 svm->vmcb01.ptr->save.cr4 = save->cr4;
1295 svm->vmcb01.ptr->save.rax = save->rax;
1296 svm->vmcb01.ptr->save.rsp = save->rsp;
1297 svm->vmcb01.ptr->save.rip = save->rip;
1298 svm->vmcb01.ptr->save.cpl = 0;
1299
1300 nested_load_control_from_vmcb12(svm, ctl);
1301
1302 svm_switch_vmcb(svm, &svm->nested.vmcb02);
1303
1304 nested_vmcb02_prepare_control(svm);
1305
1306 kvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
1307 ret = 0;
1308 out_free:
1309 kfree(save);
1310 kfree(ctl);
1311
1312 return ret;
1313 }
1314
1315 struct kvm_x86_nested_ops svm_nested_ops = {
1316 .check_events = svm_check_nested_events,
1317 .triple_fault = nested_svm_triple_fault,
1318 .get_nested_state_pages = svm_get_nested_state_pages,
1319 .get_state = svm_get_nested_state,
1320 .set_state = svm_set_nested_state,
1321 };
Ubuntu Jammy Linux kernel mirror