/*P:7001* The pagetable code, on the other hand, still shows the scars of2* previous encounters. It's functional, and as neat as it can be in the3* circumstances, but be wary, for these things are subtle and break easily.4* The Guest provides a virtual to physical mapping, but we can neither trust5* it nor use it: we verify and convert it here then point the CPU to the6* converted Guest pages when running the Guest.7:*/89/* Copyright (C) Rusty Russell IBM Corporation 2006.10* GPL v2 and any later version */11#include <linux/mm.h>12#include <linux/gfp.h>13#include <linux/types.h>14#include <linux/spinlock.h>15#include <linux/random.h>16#include <linux/percpu.h>17#include <asm/tlbflush.h>18#include <asm/uaccess.h>19#include <asm/bootparam.h>20#include "lg.h"2122/*M:00823* We hold reference to pages, which prevents them from being swapped.24* It'd be nice to have a callback in the "struct mm_struct" when Linux wants25* to swap out. If we had this, and a shrinker callback to trim PTE pages, we26* could probably consider launching Guests as non-root.27:*/2829/*H:30030* The Page Table Code31*32* We use two-level page tables for the Guest, or three-level with PAE. If33* you're not entirely comfortable with virtual addresses, physical addresses34* and page tables then I recommend you review arch/x86/lguest/boot.c's "Page35* Table Handling" (with diagrams!).36*37* The Guest keeps page tables, but we maintain the actual ones here: these are38* called "shadow" page tables. Which is a very Guest-centric name: these are39* the real page tables the CPU uses, although we keep them up to date to40* reflect the Guest's. (See what I mean about weird naming? Since when do41* shadows reflect anything?)42*43* Anyway, this is the most complicated part of the Host code. There are seven44* parts to this:45* (i) Looking up a page table entry when the Guest faults,46* (ii) Making sure the Guest stack is mapped,47* (iii) Setting up a page table entry when the Guest tells us one has changed,48* (iv) Switching page tables,49* (v) Flushing (throwing away) page tables,50* (vi) Mapping the Switcher when the Guest is about to run,51* (vii) Setting up the page tables initially.52:*/5354/*55* The Switcher uses the complete top PTE page. That's 1024 PTE entries (4MB)56* or 512 PTE entries with PAE (2MB).57*/58#define SWITCHER_PGD_INDEX (PTRS_PER_PGD - 1)5960/*61* For PAE we need the PMD index as well. We use the last 2MB, so we62* will need the last pmd entry of the last pmd page.63*/64#ifdef CONFIG_X86_PAE65#define SWITCHER_PMD_INDEX (PTRS_PER_PMD - 1)66#define RESERVE_MEM 2U67#define CHECK_GPGD_MASK _PAGE_PRESENT68#else69#define RESERVE_MEM 4U70#define CHECK_GPGD_MASK _PAGE_TABLE71#endif7273/*74* We actually need a separate PTE page for each CPU. Remember that after the75* Switcher code itself comes two pages for each CPU, and we don't want this76* CPU's guest to see the pages of any other CPU.77*/78static DEFINE_PER_CPU(pte_t *, switcher_pte_pages);79#define switcher_pte_page(cpu) per_cpu(switcher_pte_pages, cpu)8081/*H:32082* The page table code is curly enough to need helper functions to keep it83* clear and clean. The kernel itself provides many of them; one advantage84* of insisting that the Guest and Host use the same CONFIG_PAE setting.85*86* There are two functions which return pointers to the shadow (aka "real")87* page tables.88*89* spgd_addr() takes the virtual address and returns a pointer to the top-level90* page directory entry (PGD) for that address. Since we keep track of several91* page tables, the "i" argument tells us which one we're interested in (it's92* usually the current one).93*/94static pgd_t *spgd_addr(struct lg_cpu *cpu, u32 i, unsigned long vaddr)95{96unsigned int index = pgd_index(vaddr);9798#ifndef CONFIG_X86_PAE99/* We kill any Guest trying to touch the Switcher addresses. */100if (index >= SWITCHER_PGD_INDEX) {101kill_guest(cpu, "attempt to access switcher pages");102index = 0;103}104#endif105/* Return a pointer index'th pgd entry for the i'th page table. */106return &cpu->lg->pgdirs[i].pgdir[index];107}108109#ifdef CONFIG_X86_PAE110/*111* This routine then takes the PGD entry given above, which contains the112* address of the PMD page. It then returns a pointer to the PMD entry for the113* given address.114*/115static pmd_t *spmd_addr(struct lg_cpu *cpu, pgd_t spgd, unsigned long vaddr)116{117unsigned int index = pmd_index(vaddr);118pmd_t *page;119120/* We kill any Guest trying to touch the Switcher addresses. */121if (pgd_index(vaddr) == SWITCHER_PGD_INDEX &&122index >= SWITCHER_PMD_INDEX) {123kill_guest(cpu, "attempt to access switcher pages");124index = 0;125}126127/* You should never call this if the PGD entry wasn't valid */128BUG_ON(!(pgd_flags(spgd) & _PAGE_PRESENT));129page = __va(pgd_pfn(spgd) << PAGE_SHIFT);130131return &page[index];132}133#endif134135/*136* This routine then takes the page directory entry returned above, which137* contains the address of the page table entry (PTE) page. It then returns a138* pointer to the PTE entry for the given address.139*/140static pte_t *spte_addr(struct lg_cpu *cpu, pgd_t spgd, unsigned long vaddr)141{142#ifdef CONFIG_X86_PAE143pmd_t *pmd = spmd_addr(cpu, spgd, vaddr);144pte_t *page = __va(pmd_pfn(*pmd) << PAGE_SHIFT);145146/* You should never call this if the PMD entry wasn't valid */147BUG_ON(!(pmd_flags(*pmd) & _PAGE_PRESENT));148#else149pte_t *page = __va(pgd_pfn(spgd) << PAGE_SHIFT);150/* You should never call this if the PGD entry wasn't valid */151BUG_ON(!(pgd_flags(spgd) & _PAGE_PRESENT));152#endif153154return &page[pte_index(vaddr)];155}156157/*158* These functions are just like the above two, except they access the Guest159* page tables. Hence they return a Guest address.160*/161static unsigned long gpgd_addr(struct lg_cpu *cpu, unsigned long vaddr)162{163unsigned int index = vaddr >> (PGDIR_SHIFT);164return cpu->lg->pgdirs[cpu->cpu_pgd].gpgdir + index * sizeof(pgd_t);165}166167#ifdef CONFIG_X86_PAE168/* Follow the PGD to the PMD. */169static unsigned long gpmd_addr(pgd_t gpgd, unsigned long vaddr)170{171unsigned long gpage = pgd_pfn(gpgd) << PAGE_SHIFT;172BUG_ON(!(pgd_flags(gpgd) & _PAGE_PRESENT));173return gpage + pmd_index(vaddr) * sizeof(pmd_t);174}175176/* Follow the PMD to the PTE. */177static unsigned long gpte_addr(struct lg_cpu *cpu,178pmd_t gpmd, unsigned long vaddr)179{180unsigned long gpage = pmd_pfn(gpmd) << PAGE_SHIFT;181182BUG_ON(!(pmd_flags(gpmd) & _PAGE_PRESENT));183return gpage + pte_index(vaddr) * sizeof(pte_t);184}185#else186/* Follow the PGD to the PTE (no mid-level for !PAE). */187static unsigned long gpte_addr(struct lg_cpu *cpu,188pgd_t gpgd, unsigned long vaddr)189{190unsigned long gpage = pgd_pfn(gpgd) << PAGE_SHIFT;191192BUG_ON(!(pgd_flags(gpgd) & _PAGE_PRESENT));193return gpage + pte_index(vaddr) * sizeof(pte_t);194}195#endif196/*:*/197198/*M:014199* get_pfn is slow: we could probably try to grab batches of pages here as200* an optimization (ie. pre-faulting).201:*/202203/*H:350204* This routine takes a page number given by the Guest and converts it to205* an actual, physical page number. It can fail for several reasons: the206* virtual address might not be mapped by the Launcher, the write flag is set207* and the page is read-only, or the write flag was set and the page was208* shared so had to be copied, but we ran out of memory.209*210* This holds a reference to the page, so release_pte() is careful to put that211* back.212*/213static unsigned long get_pfn(unsigned long virtpfn, int write)214{215struct page *page;216217/* gup me one page at this address please! */218if (get_user_pages_fast(virtpfn << PAGE_SHIFT, 1, write, &page) == 1)219return page_to_pfn(page);220221/* This value indicates failure. */222return -1UL;223}224225/*H:340226* Converting a Guest page table entry to a shadow (ie. real) page table227* entry can be a little tricky. The flags are (almost) the same, but the228* Guest PTE contains a virtual page number: the CPU needs the real page229* number.230*/231static pte_t gpte_to_spte(struct lg_cpu *cpu, pte_t gpte, int write)232{233unsigned long pfn, base, flags;234235/*236* The Guest sets the global flag, because it thinks that it is using237* PGE. We only told it to use PGE so it would tell us whether it was238* flushing a kernel mapping or a userspace mapping. We don't actually239* use the global bit, so throw it away.240*/241flags = (pte_flags(gpte) & ~_PAGE_GLOBAL);242243/* The Guest's pages are offset inside the Launcher. */244base = (unsigned long)cpu->lg->mem_base / PAGE_SIZE;245246/*247* We need a temporary "unsigned long" variable to hold the answer from248* get_pfn(), because it returns 0xFFFFFFFF on failure, which wouldn't249* fit in spte.pfn. get_pfn() finds the real physical number of the250* page, given the virtual number.251*/252pfn = get_pfn(base + pte_pfn(gpte), write);253if (pfn == -1UL) {254kill_guest(cpu, "failed to get page %lu", pte_pfn(gpte));255/*256* When we destroy the Guest, we'll go through the shadow page257* tables and release_pte() them. Make sure we don't think258* this one is valid!259*/260flags = 0;261}262/* Now we assemble our shadow PTE from the page number and flags. */263return pfn_pte(pfn, __pgprot(flags));264}265266/*H:460 And to complete the chain, release_pte() looks like this: */267static void release_pte(pte_t pte)268{269/*270* Remember that get_user_pages_fast() took a reference to the page, in271* get_pfn()? We have to put it back now.272*/273if (pte_flags(pte) & _PAGE_PRESENT)274put_page(pte_page(pte));275}276/*:*/277278static void check_gpte(struct lg_cpu *cpu, pte_t gpte)279{280if ((pte_flags(gpte) & _PAGE_PSE) ||281pte_pfn(gpte) >= cpu->lg->pfn_limit)282kill_guest(cpu, "bad page table entry");283}284285static void check_gpgd(struct lg_cpu *cpu, pgd_t gpgd)286{287if ((pgd_flags(gpgd) & ~CHECK_GPGD_MASK) ||288(pgd_pfn(gpgd) >= cpu->lg->pfn_limit))289kill_guest(cpu, "bad page directory entry");290}291292#ifdef CONFIG_X86_PAE293static void check_gpmd(struct lg_cpu *cpu, pmd_t gpmd)294{295if ((pmd_flags(gpmd) & ~_PAGE_TABLE) ||296(pmd_pfn(gpmd) >= cpu->lg->pfn_limit))297kill_guest(cpu, "bad page middle directory entry");298}299#endif300301/*H:330302* (i) Looking up a page table entry when the Guest faults.303*304* We saw this call in run_guest(): when we see a page fault in the Guest, we305* come here. That's because we only set up the shadow page tables lazily as306* they're needed, so we get page faults all the time and quietly fix them up307* and return to the Guest without it knowing.308*309* If we fixed up the fault (ie. we mapped the address), this routine returns310* true. Otherwise, it was a real fault and we need to tell the Guest.311*/312bool demand_page(struct lg_cpu *cpu, unsigned long vaddr, int errcode)313{314pgd_t gpgd;315pgd_t *spgd;316unsigned long gpte_ptr;317pte_t gpte;318pte_t *spte;319320/* Mid level for PAE. */321#ifdef CONFIG_X86_PAE322pmd_t *spmd;323pmd_t gpmd;324#endif325326/* First step: get the top-level Guest page table entry. */327gpgd = lgread(cpu, gpgd_addr(cpu, vaddr), pgd_t);328/* Toplevel not present? We can't map it in. */329if (!(pgd_flags(gpgd) & _PAGE_PRESENT))330return false;331332/* Now look at the matching shadow entry. */333spgd = spgd_addr(cpu, cpu->cpu_pgd, vaddr);334if (!(pgd_flags(*spgd) & _PAGE_PRESENT)) {335/* No shadow entry: allocate a new shadow PTE page. */336unsigned long ptepage = get_zeroed_page(GFP_KERNEL);337/*338* This is not really the Guest's fault, but killing it is339* simple for this corner case.340*/341if (!ptepage) {342kill_guest(cpu, "out of memory allocating pte page");343return false;344}345/* We check that the Guest pgd is OK. */346check_gpgd(cpu, gpgd);347/*348* And we copy the flags to the shadow PGD entry. The page349* number in the shadow PGD is the page we just allocated.350*/351set_pgd(spgd, __pgd(__pa(ptepage) | pgd_flags(gpgd)));352}353354#ifdef CONFIG_X86_PAE355gpmd = lgread(cpu, gpmd_addr(gpgd, vaddr), pmd_t);356/* Middle level not present? We can't map it in. */357if (!(pmd_flags(gpmd) & _PAGE_PRESENT))358return false;359360/* Now look at the matching shadow entry. */361spmd = spmd_addr(cpu, *spgd, vaddr);362363if (!(pmd_flags(*spmd) & _PAGE_PRESENT)) {364/* No shadow entry: allocate a new shadow PTE page. */365unsigned long ptepage = get_zeroed_page(GFP_KERNEL);366367/*368* This is not really the Guest's fault, but killing it is369* simple for this corner case.370*/371if (!ptepage) {372kill_guest(cpu, "out of memory allocating pte page");373return false;374}375376/* We check that the Guest pmd is OK. */377check_gpmd(cpu, gpmd);378379/*380* And we copy the flags to the shadow PMD entry. The page381* number in the shadow PMD is the page we just allocated.382*/383set_pmd(spmd, __pmd(__pa(ptepage) | pmd_flags(gpmd)));384}385386/*387* OK, now we look at the lower level in the Guest page table: keep its388* address, because we might update it later.389*/390gpte_ptr = gpte_addr(cpu, gpmd, vaddr);391#else392/*393* OK, now we look at the lower level in the Guest page table: keep its394* address, because we might update it later.395*/396gpte_ptr = gpte_addr(cpu, gpgd, vaddr);397#endif398399/* Read the actual PTE value. */400gpte = lgread(cpu, gpte_ptr, pte_t);401402/* If this page isn't in the Guest page tables, we can't page it in. */403if (!(pte_flags(gpte) & _PAGE_PRESENT))404return false;405406/*407* Check they're not trying to write to a page the Guest wants408* read-only (bit 2 of errcode == write).409*/410if ((errcode & 2) && !(pte_flags(gpte) & _PAGE_RW))411return false;412413/* User access to a kernel-only page? (bit 3 == user access) */414if ((errcode & 4) && !(pte_flags(gpte) & _PAGE_USER))415return false;416417/*418* Check that the Guest PTE flags are OK, and the page number is below419* the pfn_limit (ie. not mapping the Launcher binary).420*/421check_gpte(cpu, gpte);422423/* Add the _PAGE_ACCESSED and (for a write) _PAGE_DIRTY flag */424gpte = pte_mkyoung(gpte);425if (errcode & 2)426gpte = pte_mkdirty(gpte);427428/* Get the pointer to the shadow PTE entry we're going to set. */429spte = spte_addr(cpu, *spgd, vaddr);430431/*432* If there was a valid shadow PTE entry here before, we release it.433* This can happen with a write to a previously read-only entry.434*/435release_pte(*spte);436437/*438* If this is a write, we insist that the Guest page is writable (the439* final arg to gpte_to_spte()).440*/441if (pte_dirty(gpte))442*spte = gpte_to_spte(cpu, gpte, 1);443else444/*445* If this is a read, don't set the "writable" bit in the page446* table entry, even if the Guest says it's writable. That way447* we will come back here when a write does actually occur, so448* we can update the Guest's _PAGE_DIRTY flag.449*/450set_pte(spte, gpte_to_spte(cpu, pte_wrprotect(gpte), 0));451452/*453* Finally, we write the Guest PTE entry back: we've set the454* _PAGE_ACCESSED and maybe the _PAGE_DIRTY flags.455*/456lgwrite(cpu, gpte_ptr, pte_t, gpte);457458/*459* The fault is fixed, the page table is populated, the mapping460* manipulated, the result returned and the code complete. A small461* delay and a trace of alliteration are the only indications the Guest462* has that a page fault occurred at all.463*/464return true;465}466467/*H:360468* (ii) Making sure the Guest stack is mapped.469*470* Remember that direct traps into the Guest need a mapped Guest kernel stack.471* pin_stack_pages() calls us here: we could simply call demand_page(), but as472* we've seen that logic is quite long, and usually the stack pages are already473* mapped, so it's overkill.474*475* This is a quick version which answers the question: is this virtual address476* mapped by the shadow page tables, and is it writable?477*/478static bool page_writable(struct lg_cpu *cpu, unsigned long vaddr)479{480pgd_t *spgd;481unsigned long flags;482483#ifdef CONFIG_X86_PAE484pmd_t *spmd;485#endif486/* Look at the current top level entry: is it present? */487spgd = spgd_addr(cpu, cpu->cpu_pgd, vaddr);488if (!(pgd_flags(*spgd) & _PAGE_PRESENT))489return false;490491#ifdef CONFIG_X86_PAE492spmd = spmd_addr(cpu, *spgd, vaddr);493if (!(pmd_flags(*spmd) & _PAGE_PRESENT))494return false;495#endif496497/*498* Check the flags on the pte entry itself: it must be present and499* writable.500*/501flags = pte_flags(*(spte_addr(cpu, *spgd, vaddr)));502503return (flags & (_PAGE_PRESENT|_PAGE_RW)) == (_PAGE_PRESENT|_PAGE_RW);504}505506/*507* So, when pin_stack_pages() asks us to pin a page, we check if it's already508* in the page tables, and if not, we call demand_page() with error code 2509* (meaning "write").510*/511void pin_page(struct lg_cpu *cpu, unsigned long vaddr)512{513if (!page_writable(cpu, vaddr) && !demand_page(cpu, vaddr, 2))514kill_guest(cpu, "bad stack page %#lx", vaddr);515}516/*:*/517518#ifdef CONFIG_X86_PAE519static void release_pmd(pmd_t *spmd)520{521/* If the entry's not present, there's nothing to release. */522if (pmd_flags(*spmd) & _PAGE_PRESENT) {523unsigned int i;524pte_t *ptepage = __va(pmd_pfn(*spmd) << PAGE_SHIFT);525/* For each entry in the page, we might need to release it. */526for (i = 0; i < PTRS_PER_PTE; i++)527release_pte(ptepage[i]);528/* Now we can free the page of PTEs */529free_page((long)ptepage);530/* And zero out the PMD entry so we never release it twice. */531set_pmd(spmd, __pmd(0));532}533}534535static void release_pgd(pgd_t *spgd)536{537/* If the entry's not present, there's nothing to release. */538if (pgd_flags(*spgd) & _PAGE_PRESENT) {539unsigned int i;540pmd_t *pmdpage = __va(pgd_pfn(*spgd) << PAGE_SHIFT);541542for (i = 0; i < PTRS_PER_PMD; i++)543release_pmd(&pmdpage[i]);544545/* Now we can free the page of PMDs */546free_page((long)pmdpage);547/* And zero out the PGD entry so we never release it twice. */548set_pgd(spgd, __pgd(0));549}550}551552#else /* !CONFIG_X86_PAE */553/*H:450554* If we chase down the release_pgd() code, the non-PAE version looks like555* this. The PAE version is almost identical, but instead of calling556* release_pte it calls release_pmd(), which looks much like this.557*/558static void release_pgd(pgd_t *spgd)559{560/* If the entry's not present, there's nothing to release. */561if (pgd_flags(*spgd) & _PAGE_PRESENT) {562unsigned int i;563/*564* Converting the pfn to find the actual PTE page is easy: turn565* the page number into a physical address, then convert to a566* virtual address (easy for kernel pages like this one).567*/568pte_t *ptepage = __va(pgd_pfn(*spgd) << PAGE_SHIFT);569/* For each entry in the page, we might need to release it. */570for (i = 0; i < PTRS_PER_PTE; i++)571release_pte(ptepage[i]);572/* Now we can free the page of PTEs */573free_page((long)ptepage);574/* And zero out the PGD entry so we never release it twice. */575*spgd = __pgd(0);576}577}578#endif579580/*H:445581* We saw flush_user_mappings() twice: once from the flush_user_mappings()582* hypercall and once in new_pgdir() when we re-used a top-level pgdir page.583* It simply releases every PTE page from 0 up to the Guest's kernel address.584*/585static void flush_user_mappings(struct lguest *lg, int idx)586{587unsigned int i;588/* Release every pgd entry up to the kernel's address. */589for (i = 0; i < pgd_index(lg->kernel_address); i++)590release_pgd(lg->pgdirs[idx].pgdir + i);591}592593/*H:440594* (v) Flushing (throwing away) page tables,595*596* The Guest has a hypercall to throw away the page tables: it's used when a597* large number of mappings have been changed.598*/599void guest_pagetable_flush_user(struct lg_cpu *cpu)600{601/* Drop the userspace part of the current page table. */602flush_user_mappings(cpu->lg, cpu->cpu_pgd);603}604/*:*/605606/* We walk down the guest page tables to get a guest-physical address */607unsigned long guest_pa(struct lg_cpu *cpu, unsigned long vaddr)608{609pgd_t gpgd;610pte_t gpte;611#ifdef CONFIG_X86_PAE612pmd_t gpmd;613#endif614/* First step: get the top-level Guest page table entry. */615gpgd = lgread(cpu, gpgd_addr(cpu, vaddr), pgd_t);616/* Toplevel not present? We can't map it in. */617if (!(pgd_flags(gpgd) & _PAGE_PRESENT)) {618kill_guest(cpu, "Bad address %#lx", vaddr);619return -1UL;620}621622#ifdef CONFIG_X86_PAE623gpmd = lgread(cpu, gpmd_addr(gpgd, vaddr), pmd_t);624if (!(pmd_flags(gpmd) & _PAGE_PRESENT))625kill_guest(cpu, "Bad address %#lx", vaddr);626gpte = lgread(cpu, gpte_addr(cpu, gpmd, vaddr), pte_t);627#else628gpte = lgread(cpu, gpte_addr(cpu, gpgd, vaddr), pte_t);629#endif630if (!(pte_flags(gpte) & _PAGE_PRESENT))631kill_guest(cpu, "Bad address %#lx", vaddr);632633return pte_pfn(gpte) * PAGE_SIZE | (vaddr & ~PAGE_MASK);634}635636/*637* We keep several page tables. This is a simple routine to find the page638* table (if any) corresponding to this top-level address the Guest has given639* us.640*/641static unsigned int find_pgdir(struct lguest *lg, unsigned long pgtable)642{643unsigned int i;644for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)645if (lg->pgdirs[i].pgdir && lg->pgdirs[i].gpgdir == pgtable)646break;647return i;648}649650/*H:435651* And this is us, creating the new page directory. If we really do652* allocate a new one (and so the kernel parts are not there), we set653* blank_pgdir.654*/655static unsigned int new_pgdir(struct lg_cpu *cpu,656unsigned long gpgdir,657int *blank_pgdir)658{659unsigned int next;660#ifdef CONFIG_X86_PAE661pmd_t *pmd_table;662#endif663664/*665* We pick one entry at random to throw out. Choosing the Least666* Recently Used might be better, but this is easy.667*/668next = random32() % ARRAY_SIZE(cpu->lg->pgdirs);669/* If it's never been allocated at all before, try now. */670if (!cpu->lg->pgdirs[next].pgdir) {671cpu->lg->pgdirs[next].pgdir =672(pgd_t *)get_zeroed_page(GFP_KERNEL);673/* If the allocation fails, just keep using the one we have */674if (!cpu->lg->pgdirs[next].pgdir)675next = cpu->cpu_pgd;676else {677#ifdef CONFIG_X86_PAE678/*679* In PAE mode, allocate a pmd page and populate the680* last pgd entry.681*/682pmd_table = (pmd_t *)get_zeroed_page(GFP_KERNEL);683if (!pmd_table) {684free_page((long)cpu->lg->pgdirs[next].pgdir);685set_pgd(cpu->lg->pgdirs[next].pgdir, __pgd(0));686next = cpu->cpu_pgd;687} else {688set_pgd(cpu->lg->pgdirs[next].pgdir +689SWITCHER_PGD_INDEX,690__pgd(__pa(pmd_table) | _PAGE_PRESENT));691/*692* This is a blank page, so there are no kernel693* mappings: caller must map the stack!694*/695*blank_pgdir = 1;696}697#else698*blank_pgdir = 1;699#endif700}701}702/* Record which Guest toplevel this shadows. */703cpu->lg->pgdirs[next].gpgdir = gpgdir;704/* Release all the non-kernel mappings. */705flush_user_mappings(cpu->lg, next);706707return next;708}709710/*H:430711* (iv) Switching page tables712*713* Now we've seen all the page table setting and manipulation, let's see714* what happens when the Guest changes page tables (ie. changes the top-level715* pgdir). This occurs on almost every context switch.716*/717void guest_new_pagetable(struct lg_cpu *cpu, unsigned long pgtable)718{719int newpgdir, repin = 0;720721/* Look to see if we have this one already. */722newpgdir = find_pgdir(cpu->lg, pgtable);723/*724* If not, we allocate or mug an existing one: if it's a fresh one,725* repin gets set to 1.726*/727if (newpgdir == ARRAY_SIZE(cpu->lg->pgdirs))728newpgdir = new_pgdir(cpu, pgtable, &repin);729/* Change the current pgd index to the new one. */730cpu->cpu_pgd = newpgdir;731/* If it was completely blank, we map in the Guest kernel stack */732if (repin)733pin_stack_pages(cpu);734}735736/*H:470737* Finally, a routine which throws away everything: all PGD entries in all738* the shadow page tables, including the Guest's kernel mappings. This is used739* when we destroy the Guest.740*/741static void release_all_pagetables(struct lguest *lg)742{743unsigned int i, j;744745/* Every shadow pagetable this Guest has */746for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)747if (lg->pgdirs[i].pgdir) {748#ifdef CONFIG_X86_PAE749pgd_t *spgd;750pmd_t *pmdpage;751unsigned int k;752753/* Get the last pmd page. */754spgd = lg->pgdirs[i].pgdir + SWITCHER_PGD_INDEX;755pmdpage = __va(pgd_pfn(*spgd) << PAGE_SHIFT);756757/*758* And release the pmd entries of that pmd page,759* except for the switcher pmd.760*/761for (k = 0; k < SWITCHER_PMD_INDEX; k++)762release_pmd(&pmdpage[k]);763#endif764/* Every PGD entry except the Switcher at the top */765for (j = 0; j < SWITCHER_PGD_INDEX; j++)766release_pgd(lg->pgdirs[i].pgdir + j);767}768}769770/*771* We also throw away everything when a Guest tells us it's changed a kernel772* mapping. Since kernel mappings are in every page table, it's easiest to773* throw them all away. This traps the Guest in amber for a while as774* everything faults back in, but it's rare.775*/776void guest_pagetable_clear_all(struct lg_cpu *cpu)777{778release_all_pagetables(cpu->lg);779/* We need the Guest kernel stack mapped again. */780pin_stack_pages(cpu);781}782/*:*/783784/*M:009785* Since we throw away all mappings when a kernel mapping changes, our786* performance sucks for guests using highmem. In fact, a guest with787* PAGE_OFFSET 0xc0000000 (the default) and more than about 700MB of RAM is788* usually slower than a Guest with less memory.789*790* This, of course, cannot be fixed. It would take some kind of... well, I791* don't know, but the term "puissant code-fu" comes to mind.792:*/793794/*H:420795* This is the routine which actually sets the page table entry for then796* "idx"'th shadow page table.797*798* Normally, we can just throw out the old entry and replace it with 0: if they799* use it demand_page() will put the new entry in. We need to do this anyway:800* The Guest expects _PAGE_ACCESSED to be set on its PTE the first time a page801* is read from, and _PAGE_DIRTY when it's written to.802*803* But Avi Kivity pointed out that most Operating Systems (Linux included) set804* these bits on PTEs immediately anyway. This is done to save the CPU from805* having to update them, but it helps us the same way: if they set806* _PAGE_ACCESSED then we can put a read-only PTE entry in immediately, and if807* they set _PAGE_DIRTY then we can put a writable PTE entry in immediately.808*/809static void do_set_pte(struct lg_cpu *cpu, int idx,810unsigned long vaddr, pte_t gpte)811{812/* Look up the matching shadow page directory entry. */813pgd_t *spgd = spgd_addr(cpu, idx, vaddr);814#ifdef CONFIG_X86_PAE815pmd_t *spmd;816#endif817818/* If the top level isn't present, there's no entry to update. */819if (pgd_flags(*spgd) & _PAGE_PRESENT) {820#ifdef CONFIG_X86_PAE821spmd = spmd_addr(cpu, *spgd, vaddr);822if (pmd_flags(*spmd) & _PAGE_PRESENT) {823#endif824/* Otherwise, start by releasing the existing entry. */825pte_t *spte = spte_addr(cpu, *spgd, vaddr);826release_pte(*spte);827828/*829* If they're setting this entry as dirty or accessed,830* we might as well put that entry they've given us in831* now. This shaves 10% off a copy-on-write832* micro-benchmark.833*/834if (pte_flags(gpte) & (_PAGE_DIRTY | _PAGE_ACCESSED)) {835check_gpte(cpu, gpte);836set_pte(spte,837gpte_to_spte(cpu, gpte,838pte_flags(gpte) & _PAGE_DIRTY));839} else {840/*841* Otherwise kill it and we can demand_page()842* it in later.843*/844set_pte(spte, __pte(0));845}846#ifdef CONFIG_X86_PAE847}848#endif849}850}851852/*H:410853* Updating a PTE entry is a little trickier.854*855* We keep track of several different page tables (the Guest uses one for each856* process, so it makes sense to cache at least a few). Each of these have857* identical kernel parts: ie. every mapping above PAGE_OFFSET is the same for858* all processes. So when the page table above that address changes, we update859* all the page tables, not just the current one. This is rare.860*861* The benefit is that when we have to track a new page table, we can keep all862* the kernel mappings. This speeds up context switch immensely.863*/864void guest_set_pte(struct lg_cpu *cpu,865unsigned long gpgdir, unsigned long vaddr, pte_t gpte)866{867/*868* Kernel mappings must be changed on all top levels. Slow, but doesn't869* happen often.870*/871if (vaddr >= cpu->lg->kernel_address) {872unsigned int i;873for (i = 0; i < ARRAY_SIZE(cpu->lg->pgdirs); i++)874if (cpu->lg->pgdirs[i].pgdir)875do_set_pte(cpu, i, vaddr, gpte);876} else {877/* Is this page table one we have a shadow for? */878int pgdir = find_pgdir(cpu->lg, gpgdir);879if (pgdir != ARRAY_SIZE(cpu->lg->pgdirs))880/* If so, do the update. */881do_set_pte(cpu, pgdir, vaddr, gpte);882}883}884885/*H:400886* (iii) Setting up a page table entry when the Guest tells us one has changed.887*888* Just like we did in interrupts_and_traps.c, it makes sense for us to deal889* with the other side of page tables while we're here: what happens when the890* Guest asks for a page table to be updated?891*892* We already saw that demand_page() will fill in the shadow page tables when893* needed, so we can simply remove shadow page table entries whenever the Guest894* tells us they've changed. When the Guest tries to use the new entry it will895* fault and demand_page() will fix it up.896*897* So with that in mind here's our code to update a (top-level) PGD entry:898*/899void guest_set_pgd(struct lguest *lg, unsigned long gpgdir, u32 idx)900{901int pgdir;902903if (idx >= SWITCHER_PGD_INDEX)904return;905906/* If they're talking about a page table we have a shadow for... */907pgdir = find_pgdir(lg, gpgdir);908if (pgdir < ARRAY_SIZE(lg->pgdirs))909/* ... throw it away. */910release_pgd(lg->pgdirs[pgdir].pgdir + idx);911}912913#ifdef CONFIG_X86_PAE914/* For setting a mid-level, we just throw everything away. It's easy. */915void guest_set_pmd(struct lguest *lg, unsigned long pmdp, u32 idx)916{917guest_pagetable_clear_all(&lg->cpus[0]);918}919#endif920921/*H:505922* To get through boot, we construct simple identity page mappings (which923* set virtual == physical) and linear mappings which will get the Guest far924* enough into the boot to create its own. The linear mapping means we925* simplify the Guest boot, but it makes assumptions about their PAGE_OFFSET,926* as you'll see.927*928* We lay them out of the way, just below the initrd (which is why we need to929* know its size here).930*/931static unsigned long setup_pagetables(struct lguest *lg,932unsigned long mem,933unsigned long initrd_size)934{935pgd_t __user *pgdir;936pte_t __user *linear;937unsigned long mem_base = (unsigned long)lg->mem_base;938unsigned int mapped_pages, i, linear_pages;939#ifdef CONFIG_X86_PAE940pmd_t __user *pmds;941unsigned int j;942pgd_t pgd;943pmd_t pmd;944#else945unsigned int phys_linear;946#endif947948/*949* We have mapped_pages frames to map, so we need linear_pages page950* tables to map them.951*/952mapped_pages = mem / PAGE_SIZE;953linear_pages = (mapped_pages + PTRS_PER_PTE - 1) / PTRS_PER_PTE;954955/* We put the toplevel page directory page at the top of memory. */956pgdir = (pgd_t *)(mem + mem_base - initrd_size - PAGE_SIZE);957958/* Now we use the next linear_pages pages as pte pages */959linear = (void *)pgdir - linear_pages * PAGE_SIZE;960961#ifdef CONFIG_X86_PAE962/*963* And the single mid page goes below that. We only use one, but964* that's enough to map 1G, which definitely gets us through boot.965*/966pmds = (void *)linear - PAGE_SIZE;967#endif968/*969* Linear mapping is easy: put every page's address into the970* mapping in order.971*/972for (i = 0; i < mapped_pages; i++) {973pte_t pte;974pte = pfn_pte(i, __pgprot(_PAGE_PRESENT|_PAGE_RW|_PAGE_USER));975if (copy_to_user(&linear[i], &pte, sizeof(pte)) != 0)976return -EFAULT;977}978979#ifdef CONFIG_X86_PAE980/*981* Make the Guest PMD entries point to the corresponding place in the982* linear mapping (up to one page worth of PMD).983*/984for (i = j = 0; i < mapped_pages && j < PTRS_PER_PMD;985i += PTRS_PER_PTE, j++) {986pmd = pfn_pmd(((unsigned long)&linear[i] - mem_base)/PAGE_SIZE,987__pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER));988989if (copy_to_user(&pmds[j], &pmd, sizeof(pmd)) != 0)990return -EFAULT;991}992993/* One PGD entry, pointing to that PMD page. */994pgd = __pgd(((unsigned long)pmds - mem_base) | _PAGE_PRESENT);995/* Copy it in as the first PGD entry (ie. addresses 0-1G). */996if (copy_to_user(&pgdir[0], &pgd, sizeof(pgd)) != 0)997return -EFAULT;998/*999* And the other PGD entry to make the linear mapping at PAGE_OFFSET1000*/1001if (copy_to_user(&pgdir[KERNEL_PGD_BOUNDARY], &pgd, sizeof(pgd)))1002return -EFAULT;1003#else1004/*1005* The top level points to the linear page table pages above.1006* We setup the identity and linear mappings here.1007*/1008phys_linear = (unsigned long)linear - mem_base;1009for (i = 0; i < mapped_pages; i += PTRS_PER_PTE) {1010pgd_t pgd;1011/*1012* Create a PGD entry which points to the right part of the1013* linear PTE pages.1014*/1015pgd = __pgd((phys_linear + i * sizeof(pte_t)) |1016(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER));10171018/*1019* Copy it into the PGD page at 0 and PAGE_OFFSET.1020*/1021if (copy_to_user(&pgdir[i / PTRS_PER_PTE], &pgd, sizeof(pgd))1022|| copy_to_user(&pgdir[pgd_index(PAGE_OFFSET)1023+ i / PTRS_PER_PTE],1024&pgd, sizeof(pgd)))1025return -EFAULT;1026}1027#endif10281029/*1030* We return the top level (guest-physical) address: we remember where1031* this is to write it into lguest_data when the Guest initializes.1032*/1033return (unsigned long)pgdir - mem_base;1034}10351036/*H:5001037* (vii) Setting up the page tables initially.1038*1039* When a Guest is first created, the Launcher tells us where the toplevel of1040* its first page table is. We set some things up here:1041*/1042int init_guest_pagetable(struct lguest *lg)1043{1044u64 mem;1045u32 initrd_size;1046struct boot_params __user *boot = (struct boot_params *)lg->mem_base;1047#ifdef CONFIG_X86_PAE1048pgd_t *pgd;1049pmd_t *pmd_table;1050#endif1051/*1052* Get the Guest memory size and the ramdisk size from the boot header1053* located at lg->mem_base (Guest address 0).1054*/1055if (copy_from_user(&mem, &boot->e820_map[0].size, sizeof(mem))1056|| get_user(initrd_size, &boot->hdr.ramdisk_size))1057return -EFAULT;10581059/*1060* We start on the first shadow page table, and give it a blank PGD1061* page.1062*/1063lg->pgdirs[0].gpgdir = setup_pagetables(lg, mem, initrd_size);1064if (IS_ERR_VALUE(lg->pgdirs[0].gpgdir))1065return lg->pgdirs[0].gpgdir;1066lg->pgdirs[0].pgdir = (pgd_t *)get_zeroed_page(GFP_KERNEL);1067if (!lg->pgdirs[0].pgdir)1068return -ENOMEM;10691070#ifdef CONFIG_X86_PAE1071/* For PAE, we also create the initial mid-level. */1072pgd = lg->pgdirs[0].pgdir;1073pmd_table = (pmd_t *) get_zeroed_page(GFP_KERNEL);1074if (!pmd_table)1075return -ENOMEM;10761077set_pgd(pgd + SWITCHER_PGD_INDEX,1078__pgd(__pa(pmd_table) | _PAGE_PRESENT));1079#endif10801081/* This is the current page table. */1082lg->cpus[0].cpu_pgd = 0;1083return 0;1084}10851086/*H:508 When the Guest calls LHCALL_LGUEST_INIT we do more setup. */1087void page_table_guest_data_init(struct lg_cpu *cpu)1088{1089/* We get the kernel address: above this is all kernel memory. */1090if (get_user(cpu->lg->kernel_address,1091&cpu->lg->lguest_data->kernel_address)1092/*1093* We tell the Guest that it can't use the top 2 or 4 MB1094* of virtual addresses used by the Switcher.1095*/1096|| put_user(RESERVE_MEM * 1024 * 1024,1097&cpu->lg->lguest_data->reserve_mem)1098|| put_user(cpu->lg->pgdirs[0].gpgdir,1099&cpu->lg->lguest_data->pgdir))1100kill_guest(cpu, "bad guest page %p", cpu->lg->lguest_data);11011102/*1103* In flush_user_mappings() we loop from 0 to1104* "pgd_index(lg->kernel_address)". This assumes it won't hit the1105* Switcher mappings, so check that now.1106*/1107#ifdef CONFIG_X86_PAE1108if (pgd_index(cpu->lg->kernel_address) == SWITCHER_PGD_INDEX &&1109pmd_index(cpu->lg->kernel_address) == SWITCHER_PMD_INDEX)1110#else1111if (pgd_index(cpu->lg->kernel_address) >= SWITCHER_PGD_INDEX)1112#endif1113kill_guest(cpu, "bad kernel address %#lx",1114cpu->lg->kernel_address);1115}11161117/* When a Guest dies, our cleanup is fairly simple. */1118void free_guest_pagetable(struct lguest *lg)1119{1120unsigned int i;11211122/* Throw away all page table pages. */1123release_all_pagetables(lg);1124/* Now free the top levels: free_page() can handle 0 just fine. */1125for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)1126free_page((long)lg->pgdirs[i].pgdir);1127}11281129/*H:4801130* (vi) Mapping the Switcher when the Guest is about to run.1131*1132* The Switcher and the two pages for this CPU need to be visible in the1133* Guest (and not the pages for other CPUs). We have the appropriate PTE pages1134* for each CPU already set up, we just need to hook them in now we know which1135* Guest is about to run on this CPU.1136*/1137void map_switcher_in_guest(struct lg_cpu *cpu, struct lguest_pages *pages)1138{1139pte_t *switcher_pte_page = __this_cpu_read(switcher_pte_pages);1140pte_t regs_pte;11411142#ifdef CONFIG_X86_PAE1143pmd_t switcher_pmd;1144pmd_t *pmd_table;11451146switcher_pmd = pfn_pmd(__pa(switcher_pte_page) >> PAGE_SHIFT,1147PAGE_KERNEL_EXEC);11481149/* Figure out where the pmd page is, by reading the PGD, and converting1150* it to a virtual address. */1151pmd_table = __va(pgd_pfn(cpu->lg->1152pgdirs[cpu->cpu_pgd].pgdir[SWITCHER_PGD_INDEX])1153<< PAGE_SHIFT);1154/* Now write it into the shadow page table. */1155set_pmd(&pmd_table[SWITCHER_PMD_INDEX], switcher_pmd);1156#else1157pgd_t switcher_pgd;11581159/*1160* Make the last PGD entry for this Guest point to the Switcher's PTE1161* page for this CPU (with appropriate flags).1162*/1163switcher_pgd = __pgd(__pa(switcher_pte_page) | __PAGE_KERNEL_EXEC);11641165cpu->lg->pgdirs[cpu->cpu_pgd].pgdir[SWITCHER_PGD_INDEX] = switcher_pgd;11661167#endif1168/*1169* We also change the Switcher PTE page. When we're running the Guest,1170* we want the Guest's "regs" page to appear where the first Switcher1171* page for this CPU is. This is an optimization: when the Switcher1172* saves the Guest registers, it saves them into the first page of this1173* CPU's "struct lguest_pages": if we make sure the Guest's register1174* page is already mapped there, we don't have to copy them out1175* again.1176*/1177regs_pte = pfn_pte(__pa(cpu->regs_page) >> PAGE_SHIFT, PAGE_KERNEL);1178set_pte(&switcher_pte_page[pte_index((unsigned long)pages)], regs_pte);1179}1180/*:*/11811182static void free_switcher_pte_pages(void)1183{1184unsigned int i;11851186for_each_possible_cpu(i)1187free_page((long)switcher_pte_page(i));1188}11891190/*H:5201191* Setting up the Switcher PTE page for given CPU is fairly easy, given1192* the CPU number and the "struct page"s for the Switcher code itself.1193*1194* Currently the Switcher is less than a page long, so "pages" is always 1.1195*/1196static __init void populate_switcher_pte_page(unsigned int cpu,1197struct page *switcher_page[],1198unsigned int pages)1199{1200unsigned int i;1201pte_t *pte = switcher_pte_page(cpu);12021203/* The first entries are easy: they map the Switcher code. */1204for (i = 0; i < pages; i++) {1205set_pte(&pte[i], mk_pte(switcher_page[i],1206__pgprot(_PAGE_PRESENT|_PAGE_ACCESSED)));1207}12081209/* The only other thing we map is this CPU's pair of pages. */1210i = pages + cpu*2;12111212/* First page (Guest registers) is writable from the Guest */1213set_pte(&pte[i], pfn_pte(page_to_pfn(switcher_page[i]),1214__pgprot(_PAGE_PRESENT|_PAGE_ACCESSED|_PAGE_RW)));12151216/*1217* The second page contains the "struct lguest_ro_state", and is1218* read-only.1219*/1220set_pte(&pte[i+1], pfn_pte(page_to_pfn(switcher_page[i+1]),1221__pgprot(_PAGE_PRESENT|_PAGE_ACCESSED)));1222}12231224/*1225* We've made it through the page table code. Perhaps our tired brains are1226* still processing the details, or perhaps we're simply glad it's over.1227*1228* If nothing else, note that all this complexity in juggling shadow page tables1229* in sync with the Guest's page tables is for one reason: for most Guests this1230* page table dance determines how bad performance will be. This is why Xen1231* uses exotic direct Guest pagetable manipulation, and why both Intel and AMD1232* have implemented shadow page table support directly into hardware.1233*1234* There is just one file remaining in the Host.1235*/12361237/*H:5101238* At boot or module load time, init_pagetables() allocates and populates1239* the Switcher PTE page for each CPU.1240*/1241__init int init_pagetables(struct page **switcher_page, unsigned int pages)1242{1243unsigned int i;12441245for_each_possible_cpu(i) {1246switcher_pte_page(i) = (pte_t *)get_zeroed_page(GFP_KERNEL);1247if (!switcher_pte_page(i)) {1248free_switcher_pte_pages();1249return -ENOMEM;1250}1251populate_switcher_pte_page(i, switcher_page, pages);1252}1253return 0;1254}1255/*:*/12561257/* Cleaning up simply involves freeing the PTE page for each CPU. */1258void free_pagetables(void)1259{1260free_switcher_pte_pages();1261}126212631264