1// SPDX-License-Identifier: GPL-2.0
2#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
3
4#include <linux/objtool.h>
5#include <linux/percpu.h>
6
7#include <asm/debugreg.h>
8#include <asm/mmu_context.h>
9#include <asm/msr.h>
10
11#include "x86.h"
12#include "cpuid.h"
13#include "hyperv.h"
14#include "mmu.h"
15#include "nested.h"
16#include "pmu.h"
17#include "posted_intr.h"
18#include "sgx.h"
19#include "trace.h"
20#include "vmx.h"
21#include "smm.h"
22#include "x86_ops.h"
23
24static bool __read_mostly enable_shadow_vmcs = 1;
25module_param_named(enable_shadow_vmcs, enable_shadow_vmcs, bool, S_IRUGO);
26
27static bool __ro_after_init warn_on_missed_cc;
28module_param(warn_on_missed_cc, bool, 0444);
29
30#define CC KVM_NESTED_VMENTER_CONSISTENCY_CHECK
31
32/*
33 * Hyper-V requires all of these, so mark them as supported even though
34 * they are just treated the same as all-context.
35 */
36#define VMX_VPID_EXTENT_SUPPORTED_MASK \
37 (VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT | \
38 VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | \
39 VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT | \
40 VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT)
41
42#define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5
43
44enum {
45 VMX_VMREAD_BITMAP,
46 VMX_VMWRITE_BITMAP,
47 VMX_BITMAP_NR
48};
49static unsigned long *vmx_bitmap[VMX_BITMAP_NR];
50
51#define vmx_vmread_bitmap (vmx_bitmap[VMX_VMREAD_BITMAP])
52#define vmx_vmwrite_bitmap (vmx_bitmap[VMX_VMWRITE_BITMAP])
53
54struct shadow_vmcs_field {
55 u16 encoding;
56 u16 offset;
57};
58static struct shadow_vmcs_field shadow_read_only_fields[] = {
59#define SHADOW_FIELD_RO(x, y) { x, offsetof(struct vmcs12, y) },
60#include "vmcs_shadow_fields.h"
61};
62static int max_shadow_read_only_fields =
63 ARRAY_SIZE(shadow_read_only_fields);
64
65static struct shadow_vmcs_field shadow_read_write_fields[] = {
66#define SHADOW_FIELD_RW(x, y) { x, offsetof(struct vmcs12, y) },
67#include "vmcs_shadow_fields.h"
68};
69static int max_shadow_read_write_fields =
70 ARRAY_SIZE(shadow_read_write_fields);
71
72static void init_vmcs_shadow_fields(void)
73{
74 int i, j;
75
76 memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
77 memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
78
79 for (i = j = 0; i < max_shadow_read_only_fields; i++) {
80 struct shadow_vmcs_field entry = shadow_read_only_fields[i];
81 u16 field = entry.encoding;
82
83 if (vmcs_field_width(field) == VMCS_FIELD_WIDTH_U64 &&
84 (i + 1 == max_shadow_read_only_fields ||
85 shadow_read_only_fields[i + 1].encoding != field + 1))
86 pr_err("Missing field from shadow_read_only_field %x\n",
87 field + 1);
88
89 clear_bit(nr: field, vmx_vmread_bitmap);
90 if (field & 1)
91#ifdef CONFIG_X86_64
92 continue;
93#else
94 entry.offset += sizeof(u32);
95#endif
96 shadow_read_only_fields[j++] = entry;
97 }
98 max_shadow_read_only_fields = j;
99
100 for (i = j = 0; i < max_shadow_read_write_fields; i++) {
101 struct shadow_vmcs_field entry = shadow_read_write_fields[i];
102 u16 field = entry.encoding;
103
104 if (vmcs_field_width(field) == VMCS_FIELD_WIDTH_U64 &&
105 (i + 1 == max_shadow_read_write_fields ||
106 shadow_read_write_fields[i + 1].encoding != field + 1))
107 pr_err("Missing field from shadow_read_write_field %x\n",
108 field + 1);
109
110 WARN_ONCE(field >= GUEST_ES_AR_BYTES &&
111 field <= GUEST_TR_AR_BYTES,
112 "Update vmcs12_write_any() to drop reserved bits from AR_BYTES");
113
114 /*
115 * PML and the preemption timer can be emulated, but the
116 * processor cannot vmwrite to fields that don't exist
117 * on bare metal.
118 */
119 switch (field) {
120 case GUEST_PML_INDEX:
121 if (!cpu_has_vmx_pml())
122 continue;
123 break;
124 case VMX_PREEMPTION_TIMER_VALUE:
125 if (!cpu_has_vmx_preemption_timer())
126 continue;
127 break;
128 case GUEST_INTR_STATUS:
129 if (!cpu_has_vmx_apicv())
130 continue;
131 break;
132 default:
133 break;
134 }
135
136 clear_bit(nr: field, vmx_vmwrite_bitmap);
137 clear_bit(nr: field, vmx_vmread_bitmap);
138 if (field & 1)
139#ifdef CONFIG_X86_64
140 continue;
141#else
142 entry.offset += sizeof(u32);
143#endif
144 shadow_read_write_fields[j++] = entry;
145 }
146 max_shadow_read_write_fields = j;
147}
148
149/*
150 * The following 3 functions, nested_vmx_succeed()/failValid()/failInvalid(),
151 * set the success or error code of an emulated VMX instruction (as specified
152 * by Vol 2B, VMX Instruction Reference, "Conventions"), and skip the emulated
153 * instruction.
154 */
155static int nested_vmx_succeed(struct kvm_vcpu *vcpu)
156{
157 vmx_set_rflags(vcpu, rflags: vmx_get_rflags(vcpu)
158 & ~(X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
159 X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF));
160 return kvm_skip_emulated_instruction(vcpu);
161}
162
163static int nested_vmx_failInvalid(struct kvm_vcpu *vcpu)
164{
165 vmx_set_rflags(vcpu, rflags: (vmx_get_rflags(vcpu)
166 & ~(X86_EFLAGS_PF | X86_EFLAGS_AF | X86_EFLAGS_ZF |
167 X86_EFLAGS_SF | X86_EFLAGS_OF))
168 | X86_EFLAGS_CF);
169 return kvm_skip_emulated_instruction(vcpu);
170}
171
172static int nested_vmx_failValid(struct kvm_vcpu *vcpu,
173 u32 vm_instruction_error)
174{
175 vmx_set_rflags(vcpu, rflags: (vmx_get_rflags(vcpu)
176 & ~(X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF |
177 X86_EFLAGS_SF | X86_EFLAGS_OF))
178 | X86_EFLAGS_ZF);
179 get_vmcs12(vcpu)->vm_instruction_error = vm_instruction_error;
180 /*
181 * We don't need to force sync to shadow VMCS because
182 * VM_INSTRUCTION_ERROR is not shadowed. Enlightened VMCS 'shadows' all
183 * fields and thus must be synced.
184 */
185 if (nested_vmx_is_evmptr12_set(vmx: to_vmx(vcpu)))
186 to_vmx(vcpu)->nested.need_vmcs12_to_shadow_sync = true;
187
188 return kvm_skip_emulated_instruction(vcpu);
189}
190
191static int nested_vmx_fail(struct kvm_vcpu *vcpu, u32 vm_instruction_error)
192{
193 struct vcpu_vmx *vmx = to_vmx(vcpu);
194
195 /*
196 * failValid writes the error number to the current VMCS, which
197 * can't be done if there isn't a current VMCS.
198 */
199 if (vmx->nested.current_vmptr == INVALID_GPA &&
200 !nested_vmx_is_evmptr12_valid(vmx))
201 return nested_vmx_failInvalid(vcpu);
202
203 return nested_vmx_failValid(vcpu, vm_instruction_error);
204}
205
206static void nested_vmx_abort(struct kvm_vcpu *vcpu, u32 indicator)
207{
208 /* TODO: not to reset guest simply here. */
209 kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
210 pr_debug_ratelimited("nested vmx abort, indicator %d\n", indicator);
211}
212
213static inline bool vmx_control_verify(u32 control, u32 low, u32 high)
214{
215 return fixed_bits_valid(val: control, fixed0: low, fixed1: high);
216}
217
218static inline u64 vmx_control_msr(u32 low, u32 high)
219{
220 return low | ((u64)high << 32);
221}
222
223static void vmx_disable_shadow_vmcs(struct vcpu_vmx *vmx)
224{
225 secondary_exec_controls_clearbit(vmx, SECONDARY_EXEC_SHADOW_VMCS);
226 vmcs_write64(field: VMCS_LINK_POINTER, INVALID_GPA);
227 vmx->nested.need_vmcs12_to_shadow_sync = false;
228}
229
230static inline void nested_release_evmcs(struct kvm_vcpu *vcpu)
231{
232#ifdef CONFIG_KVM_HYPERV
233 struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);
234 struct vcpu_vmx *vmx = to_vmx(vcpu);
235
236 kvm_vcpu_unmap(vcpu, map: &vmx->nested.hv_evmcs_map);
237 vmx->nested.hv_evmcs = NULL;
238 vmx->nested.hv_evmcs_vmptr = EVMPTR_INVALID;
239
240 if (hv_vcpu) {
241 hv_vcpu->nested.pa_page_gpa = INVALID_GPA;
242 hv_vcpu->nested.vm_id = 0;
243 hv_vcpu->nested.vp_id = 0;
244 }
245#endif
246}
247
248static bool nested_evmcs_handle_vmclear(struct kvm_vcpu *vcpu, gpa_t vmptr)
249{
250#ifdef CONFIG_KVM_HYPERV
251 struct vcpu_vmx *vmx = to_vmx(vcpu);
252 /*
253 * When Enlightened VMEntry is enabled on the calling CPU we treat
254 * memory area pointer by vmptr as Enlightened VMCS (as there's no good
255 * way to distinguish it from VMCS12) and we must not corrupt it by
256 * writing to the non-existent 'launch_state' field. The area doesn't
257 * have to be the currently active EVMCS on the calling CPU and there's
258 * nothing KVM has to do to transition it from 'active' to 'non-active'
259 * state. It is possible that the area will stay mapped as
260 * vmx->nested.hv_evmcs but this shouldn't be a problem.
261 */
262 if (!guest_cpu_cap_has_evmcs(vcpu) ||
263 !evmptr_is_valid(evmptr: nested_get_evmptr(vcpu)))
264 return false;
265
266 if (nested_vmx_evmcs(vmx) && vmptr == vmx->nested.hv_evmcs_vmptr)
267 nested_release_evmcs(vcpu);
268
269 return true;
270#else
271 return false;
272#endif
273}
274
275static void vmx_sync_vmcs_host_state(struct vcpu_vmx *vmx,
276 struct loaded_vmcs *prev)
277{
278 struct vmcs_host_state *dest, *src;
279
280 if (unlikely(!vmx->vt.guest_state_loaded))
281 return;
282
283 src = &prev->host_state;
284 dest = &vmx->loaded_vmcs->host_state;
285
286 vmx_set_host_fs_gs(host: dest, fs_sel: src->fs_sel, gs_sel: src->gs_sel, fs_base: src->fs_base, gs_base: src->gs_base);
287 dest->ldt_sel = src->ldt_sel;
288#ifdef CONFIG_X86_64
289 dest->ds_sel = src->ds_sel;
290 dest->es_sel = src->es_sel;
291#endif
292}
293
294static void vmx_switch_vmcs(struct kvm_vcpu *vcpu, struct loaded_vmcs *vmcs)
295{
296 struct vcpu_vmx *vmx = to_vmx(vcpu);
297 struct loaded_vmcs *prev;
298 int cpu;
299
300 if (WARN_ON_ONCE(vmx->loaded_vmcs == vmcs))
301 return;
302
303 cpu = get_cpu();
304 prev = vmx->loaded_vmcs;
305 vmx->loaded_vmcs = vmcs;
306 vmx_vcpu_load_vmcs(vcpu, cpu);
307 vmx_sync_vmcs_host_state(vmx, prev);
308 put_cpu();
309
310 vcpu->arch.regs_avail = ~VMX_REGS_LAZY_LOAD_SET;
311
312 /*
313 * All lazily updated registers will be reloaded from VMCS12 on both
314 * vmentry and vmexit.
315 */
316 vcpu->arch.regs_dirty = 0;
317}
318
319static void nested_put_vmcs12_pages(struct kvm_vcpu *vcpu)
320{
321 struct vcpu_vmx *vmx = to_vmx(vcpu);
322
323 kvm_vcpu_unmap(vcpu, map: &vmx->nested.apic_access_page_map);
324 kvm_vcpu_unmap(vcpu, map: &vmx->nested.virtual_apic_map);
325 kvm_vcpu_unmap(vcpu, map: &vmx->nested.pi_desc_map);
326 vmx->nested.pi_desc = NULL;
327}
328
329/*
330 * Free whatever needs to be freed from vmx->nested when L1 goes down, or
331 * just stops using VMX.
332 */
333static void free_nested(struct kvm_vcpu *vcpu)
334{
335 struct vcpu_vmx *vmx = to_vmx(vcpu);
336
337 if (WARN_ON_ONCE(vmx->loaded_vmcs != &vmx->vmcs01))
338 vmx_switch_vmcs(vcpu, vmcs: &vmx->vmcs01);
339
340 if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
341 return;
342
343 kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
344
345 vmx->nested.vmxon = false;
346 vmx->nested.smm.vmxon = false;
347 vmx->nested.vmxon_ptr = INVALID_GPA;
348 free_vpid(vpid: vmx->nested.vpid02);
349 vmx->nested.posted_intr_nv = -1;
350 vmx->nested.current_vmptr = INVALID_GPA;
351 if (enable_shadow_vmcs) {
352 vmx_disable_shadow_vmcs(vmx);
353 vmcs_clear(vmcs: vmx->vmcs01.shadow_vmcs);
354 free_vmcs(vmcs: vmx->vmcs01.shadow_vmcs);
355 vmx->vmcs01.shadow_vmcs = NULL;
356 }
357 kfree(objp: vmx->nested.cached_vmcs12);
358 vmx->nested.cached_vmcs12 = NULL;
359 kfree(objp: vmx->nested.cached_shadow_vmcs12);
360 vmx->nested.cached_shadow_vmcs12 = NULL;
361
362 nested_put_vmcs12_pages(vcpu);
363
364 kvm_mmu_free_roots(kvm: vcpu->kvm, mmu: &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL);
365
366 nested_release_evmcs(vcpu);
367
368 free_loaded_vmcs(loaded_vmcs: &vmx->nested.vmcs02);
369}
370
371/*
372 * Ensure that the current vmcs of the logical processor is the
373 * vmcs01 of the vcpu before calling free_nested().
374 */
375void nested_vmx_free_vcpu(struct kvm_vcpu *vcpu)
376{
377 vcpu_load(vcpu);
378 vmx_leave_nested(vcpu);
379 vcpu_put(vcpu);
380}
381
382#define EPTP_PA_MASK GENMASK_ULL(51, 12)
383
384static bool nested_ept_root_matches(hpa_t root_hpa, u64 root_eptp, u64 eptp)
385{
386 return VALID_PAGE(root_hpa) &&
387 ((root_eptp & EPTP_PA_MASK) == (eptp & EPTP_PA_MASK));
388}
389
390static void nested_ept_invalidate_addr(struct kvm_vcpu *vcpu, gpa_t eptp,
391 gpa_t addr)
392{
393 unsigned long roots = 0;
394 uint i;
395 struct kvm_mmu_root_info *cached_root;
396
397 WARN_ON_ONCE(!mmu_is_nested(vcpu));
398
399 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
400 cached_root = &vcpu->arch.mmu->prev_roots[i];
401
402 if (nested_ept_root_matches(root_hpa: cached_root->hpa, root_eptp: cached_root->pgd,
403 eptp))
404 roots |= KVM_MMU_ROOT_PREVIOUS(i);
405 }
406 if (roots)
407 kvm_mmu_invalidate_addr(vcpu, mmu: vcpu->arch.mmu, addr, roots);
408}
409
410static void nested_ept_inject_page_fault(struct kvm_vcpu *vcpu,
411 struct x86_exception *fault)
412{
413 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
414 struct vcpu_vmx *vmx = to_vmx(vcpu);
415 unsigned long exit_qualification;
416 u32 vm_exit_reason;
417
418 if (vmx->nested.pml_full) {
419 vm_exit_reason = EXIT_REASON_PML_FULL;
420 vmx->nested.pml_full = false;
421
422 /*
423 * It should be impossible to trigger a nested PML Full VM-Exit
424 * for anything other than an EPT Violation from L2. KVM *can*
425 * trigger nEPT page fault injection in response to an EPT
426 * Misconfig, e.g. if the MMIO SPTE was stale and L1's EPT
427 * tables also changed, but KVM should not treat EPT Misconfig
428 * VM-Exits as writes.
429 */
430 WARN_ON_ONCE(vmx->vt.exit_reason.basic != EXIT_REASON_EPT_VIOLATION);
431
432 /*
433 * PML Full and EPT Violation VM-Exits both use bit 12 to report
434 * "NMI unblocking due to IRET", i.e. the bit can be propagated
435 * as-is from the original EXIT_QUALIFICATION.
436 */
437 exit_qualification = vmx_get_exit_qual(vcpu) & INTR_INFO_UNBLOCK_NMI;
438 } else {
439 if (fault->error_code & PFERR_RSVD_MASK) {
440 vm_exit_reason = EXIT_REASON_EPT_MISCONFIG;
441 exit_qualification = 0;
442 } else {
443 exit_qualification = fault->exit_qualification;
444 exit_qualification |= vmx_get_exit_qual(vcpu) &
445 (EPT_VIOLATION_GVA_IS_VALID |
446 EPT_VIOLATION_GVA_TRANSLATED);
447 vm_exit_reason = EXIT_REASON_EPT_VIOLATION;
448 }
449
450 /*
451 * Although the caller (kvm_inject_emulated_page_fault) would
452 * have already synced the faulting address in the shadow EPT
453 * tables for the current EPTP12, we also need to sync it for
454 * any other cached EPTP02s based on the same EP4TA, since the
455 * TLB associates mappings to the EP4TA rather than the full EPTP.
456 */
457 nested_ept_invalidate_addr(vcpu, eptp: vmcs12->ept_pointer,
458 addr: fault->address);
459 }
460
461 nested_vmx_vmexit(vcpu, vm_exit_reason, exit_intr_info: 0, exit_qualification);
462 vmcs12->guest_physical_address = fault->address;
463}
464
465static void nested_ept_new_eptp(struct kvm_vcpu *vcpu)
466{
467 struct vcpu_vmx *vmx = to_vmx(vcpu);
468 bool execonly = vmx->nested.msrs.ept_caps & VMX_EPT_EXECUTE_ONLY_BIT;
469 int ept_lpage_level = ept_caps_to_lpage_level(ept_caps: vmx->nested.msrs.ept_caps);
470
471 kvm_init_shadow_ept_mmu(vcpu, execonly, huge_page_level: ept_lpage_level,
472 accessed_dirty: nested_ept_ad_enabled(vcpu),
473 new_eptp: nested_ept_get_eptp(vcpu));
474}
475
476static void nested_ept_init_mmu_context(struct kvm_vcpu *vcpu)
477{
478 WARN_ON(mmu_is_nested(vcpu));
479
480 vcpu->arch.mmu = &vcpu->arch.guest_mmu;
481 nested_ept_new_eptp(vcpu);
482 vcpu->arch.mmu->get_guest_pgd = nested_ept_get_eptp;
483 vcpu->arch.mmu->inject_page_fault = nested_ept_inject_page_fault;
484 vcpu->arch.mmu->get_pdptr = kvm_pdptr_read;
485
486 vcpu->arch.walk_mmu = &vcpu->arch.nested_mmu;
487}
488
489static void nested_ept_uninit_mmu_context(struct kvm_vcpu *vcpu)
490{
491 vcpu->arch.mmu = &vcpu->arch.root_mmu;
492 vcpu->arch.walk_mmu = &vcpu->arch.root_mmu;
493}
494
495static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
496 u16 error_code)
497{
498 bool inequality, bit;
499
500 bit = (vmcs12->exception_bitmap & (1u << PF_VECTOR)) != 0;
501 inequality =
502 (error_code & vmcs12->page_fault_error_code_mask) !=
503 vmcs12->page_fault_error_code_match;
504 return inequality ^ bit;
505}
506
507static bool nested_vmx_is_exception_vmexit(struct kvm_vcpu *vcpu, u8 vector,
508 u32 error_code)
509{
510 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
511
512 /*
513 * Drop bits 31:16 of the error code when performing the #PF mask+match
514 * check. All VMCS fields involved are 32 bits, but Intel CPUs never
515 * set bits 31:16 and VMX disallows setting bits 31:16 in the injected
516 * error code. Including the to-be-dropped bits in the check might
517 * result in an "impossible" or missed exit from L1's perspective.
518 */
519 if (vector == PF_VECTOR)
520 return nested_vmx_is_page_fault_vmexit(vmcs12, error_code: (u16)error_code);
521
522 return (vmcs12->exception_bitmap & (1u << vector));
523}
524
525static int nested_vmx_check_io_bitmap_controls(struct kvm_vcpu *vcpu,
526 struct vmcs12 *vmcs12)
527{
528 if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS))
529 return 0;
530
531 if (CC(!page_address_valid(vcpu, vmcs12->io_bitmap_a)) ||
532 CC(!page_address_valid(vcpu, vmcs12->io_bitmap_b)))
533 return -EINVAL;
534
535 return 0;
536}
537
538static int nested_vmx_check_msr_bitmap_controls(struct kvm_vcpu *vcpu,
539 struct vmcs12 *vmcs12)
540{
541 if (!nested_cpu_has(vmcs12, CPU_BASED_USE_MSR_BITMAPS))
542 return 0;
543
544 if (CC(!page_address_valid(vcpu, vmcs12->msr_bitmap)))
545 return -EINVAL;
546
547 return 0;
548}
549
550static int nested_vmx_check_tpr_shadow_controls(struct kvm_vcpu *vcpu,
551 struct vmcs12 *vmcs12)
552{
553 if (!nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW))
554 return 0;
555
556 if (CC(!page_address_valid(vcpu, vmcs12->virtual_apic_page_addr)))
557 return -EINVAL;
558
559 if (CC(!nested_cpu_has_vid(vmcs12) && vmcs12->tpr_threshold >> 4))
560 return -EINVAL;
561
562 return 0;
563}
564
565/*
566 * For x2APIC MSRs, ignore the vmcs01 bitmap. L1 can enable x2APIC without L1
567 * itself utilizing x2APIC. All MSRs were previously set to be intercepted,
568 * only the "disable intercept" case needs to be handled.
569 */
570static void nested_vmx_disable_intercept_for_x2apic_msr(unsigned long *msr_bitmap_l1,
571 unsigned long *msr_bitmap_l0,
572 u32 msr, int type)
573{
574 if (type & MSR_TYPE_R && !vmx_test_msr_bitmap_read(bitmap: msr_bitmap_l1, msr))
575 vmx_clear_msr_bitmap_read(bitmap: msr_bitmap_l0, msr);
576
577 if (type & MSR_TYPE_W && !vmx_test_msr_bitmap_write(bitmap: msr_bitmap_l1, msr))
578 vmx_clear_msr_bitmap_write(bitmap: msr_bitmap_l0, msr);
579}
580
581static inline void enable_x2apic_msr_intercepts(unsigned long *msr_bitmap)
582{
583 int msr;
584
585 for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
586 unsigned word = msr / BITS_PER_LONG;
587
588 msr_bitmap[word] = ~0;
589 msr_bitmap[word + (0x800 / sizeof(long))] = ~0;
590 }
591}
592
593#define BUILD_NVMX_MSR_INTERCEPT_HELPER(rw) \
594static inline \
595void nested_vmx_set_msr_##rw##_intercept(struct vcpu_vmx *vmx, \
596 unsigned long *msr_bitmap_l1, \
597 unsigned long *msr_bitmap_l0, u32 msr) \
598{ \
599 if (vmx_test_msr_bitmap_##rw(vmx->vmcs01.msr_bitmap, msr) || \
600 vmx_test_msr_bitmap_##rw(msr_bitmap_l1, msr)) \
601 vmx_set_msr_bitmap_##rw(msr_bitmap_l0, msr); \
602 else \
603 vmx_clear_msr_bitmap_##rw(msr_bitmap_l0, msr); \
604}
605BUILD_NVMX_MSR_INTERCEPT_HELPER(read)
606BUILD_NVMX_MSR_INTERCEPT_HELPER(write)
607
608static inline void nested_vmx_set_intercept_for_msr(struct vcpu_vmx *vmx,
609 unsigned long *msr_bitmap_l1,
610 unsigned long *msr_bitmap_l0,
611 u32 msr, int types)
612{
613 if (types & MSR_TYPE_R)
614 nested_vmx_set_msr_read_intercept(vmx, msr_bitmap_l1,
615 msr_bitmap_l0, msr);
616 if (types & MSR_TYPE_W)
617 nested_vmx_set_msr_write_intercept(vmx, msr_bitmap_l1,
618 msr_bitmap_l0, msr);
619}
620
621/*
622 * Merge L0's and L1's MSR bitmap, return false to indicate that
623 * we do not use the hardware.
624 */
625static inline bool nested_vmx_prepare_msr_bitmap(struct kvm_vcpu *vcpu,
626 struct vmcs12 *vmcs12)
627{
628 struct vcpu_vmx *vmx = to_vmx(vcpu);
629 int msr;
630 unsigned long *msr_bitmap_l1;
631 unsigned long *msr_bitmap_l0 = vmx->nested.vmcs02.msr_bitmap;
632 struct kvm_host_map map;
633
634 /* Nothing to do if the MSR bitmap is not in use. */
635 if (!cpu_has_vmx_msr_bitmap() ||
636 !nested_cpu_has(vmcs12, CPU_BASED_USE_MSR_BITMAPS))
637 return false;
638
639 /*
640 * MSR bitmap update can be skipped when:
641 * - MSR bitmap for L1 hasn't changed.
642 * - Nested hypervisor (L1) is attempting to launch the same L2 as
643 * before.
644 * - Nested hypervisor (L1) has enabled 'Enlightened MSR Bitmap' feature
645 * and tells KVM (L0) there were no changes in MSR bitmap for L2.
646 */
647 if (!vmx->nested.force_msr_bitmap_recalc) {
648 struct hv_enlightened_vmcs *evmcs = nested_vmx_evmcs(vmx);
649
650 if (evmcs && evmcs->hv_enlightenments_control.msr_bitmap &&
651 evmcs->hv_clean_fields & HV_VMX_ENLIGHTENED_CLEAN_FIELD_MSR_BITMAP)
652 return true;
653 }
654
655 if (kvm_vcpu_map_readonly(vcpu, gpa: gpa_to_gfn(gpa: vmcs12->msr_bitmap), map: &map))
656 return false;
657
658 msr_bitmap_l1 = (unsigned long *)map.hva;
659
660 /*
661 * To keep the control flow simple, pay eight 8-byte writes (sixteen
662 * 4-byte writes on 32-bit systems) up front to enable intercepts for
663 * the x2APIC MSR range and selectively toggle those relevant to L2.
664 */
665 enable_x2apic_msr_intercepts(msr_bitmap: msr_bitmap_l0);
666
667 if (nested_cpu_has_virt_x2apic_mode(vmcs12)) {
668 if (nested_cpu_has_apic_reg_virt(vmcs12)) {
669 /*
670 * L0 need not intercept reads for MSRs between 0x800
671 * and 0x8ff, it just lets the processor take the value
672 * from the virtual-APIC page; take those 256 bits
673 * directly from the L1 bitmap.
674 */
675 for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
676 unsigned word = msr / BITS_PER_LONG;
677
678 msr_bitmap_l0[word] = msr_bitmap_l1[word];
679 }
680 }
681
682 nested_vmx_disable_intercept_for_x2apic_msr(
683 msr_bitmap_l1, msr_bitmap_l0,
684 X2APIC_MSR(APIC_TASKPRI),
685 type: MSR_TYPE_R | MSR_TYPE_W);
686
687 if (nested_cpu_has_vid(vmcs12)) {
688 nested_vmx_disable_intercept_for_x2apic_msr(
689 msr_bitmap_l1, msr_bitmap_l0,
690 X2APIC_MSR(APIC_EOI),
691 type: MSR_TYPE_W);
692 nested_vmx_disable_intercept_for_x2apic_msr(
693 msr_bitmap_l1, msr_bitmap_l0,
694 X2APIC_MSR(APIC_SELF_IPI),
695 type: MSR_TYPE_W);
696 }
697 }
698
699 /*
700 * Always check vmcs01's bitmap to honor userspace MSR filters and any
701 * other runtime changes to vmcs01's bitmap, e.g. dynamic pass-through.
702 */
703#ifdef CONFIG_X86_64
704 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
705 MSR_FS_BASE, types: MSR_TYPE_RW);
706
707 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
708 MSR_GS_BASE, types: MSR_TYPE_RW);
709
710 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
711 MSR_KERNEL_GS_BASE, types: MSR_TYPE_RW);
712#endif
713 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
714 MSR_IA32_SPEC_CTRL, types: MSR_TYPE_RW);
715
716 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
717 MSR_IA32_PRED_CMD, types: MSR_TYPE_W);
718
719 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
720 MSR_IA32_FLUSH_CMD, types: MSR_TYPE_W);
721
722 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
723 MSR_IA32_APERF, types: MSR_TYPE_R);
724
725 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
726 MSR_IA32_MPERF, types: MSR_TYPE_R);
727
728 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
729 MSR_IA32_U_CET, types: MSR_TYPE_RW);
730
731 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
732 MSR_IA32_S_CET, types: MSR_TYPE_RW);
733
734 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
735 MSR_IA32_PL0_SSP, types: MSR_TYPE_RW);
736
737 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
738 MSR_IA32_PL1_SSP, types: MSR_TYPE_RW);
739
740 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
741 MSR_IA32_PL2_SSP, types: MSR_TYPE_RW);
742
743 nested_vmx_set_intercept_for_msr(vmx, msr_bitmap_l1, msr_bitmap_l0,
744 MSR_IA32_PL3_SSP, types: MSR_TYPE_RW);
745
746 kvm_vcpu_unmap(vcpu, map: &map);
747
748 vmx->nested.force_msr_bitmap_recalc = false;
749
750 return true;
751}
752
753static void nested_cache_shadow_vmcs12(struct kvm_vcpu *vcpu,
754 struct vmcs12 *vmcs12)
755{
756 struct vcpu_vmx *vmx = to_vmx(vcpu);
757 struct gfn_to_hva_cache *ghc = &vmx->nested.shadow_vmcs12_cache;
758
759 if (!nested_cpu_has_shadow_vmcs(vmcs12) ||
760 vmcs12->vmcs_link_pointer == INVALID_GPA)
761 return;
762
763 if (ghc->gpa != vmcs12->vmcs_link_pointer &&
764 kvm_gfn_to_hva_cache_init(kvm: vcpu->kvm, ghc,
765 gpa: vmcs12->vmcs_link_pointer, VMCS12_SIZE))
766 return;
767
768 kvm_read_guest_cached(kvm: vcpu->kvm, ghc, data: get_shadow_vmcs12(vcpu),
769 VMCS12_SIZE);
770}
771
772static void nested_flush_cached_shadow_vmcs12(struct kvm_vcpu *vcpu,
773 struct vmcs12 *vmcs12)
774{
775 struct vcpu_vmx *vmx = to_vmx(vcpu);
776 struct gfn_to_hva_cache *ghc = &vmx->nested.shadow_vmcs12_cache;
777
778 if (!nested_cpu_has_shadow_vmcs(vmcs12) ||
779 vmcs12->vmcs_link_pointer == INVALID_GPA)
780 return;
781
782 if (ghc->gpa != vmcs12->vmcs_link_pointer &&
783 kvm_gfn_to_hva_cache_init(kvm: vcpu->kvm, ghc,
784 gpa: vmcs12->vmcs_link_pointer, VMCS12_SIZE))
785 return;
786
787 kvm_write_guest_cached(kvm: vcpu->kvm, ghc, data: get_shadow_vmcs12(vcpu),
788 VMCS12_SIZE);
789}
790
791/*
792 * In nested virtualization, check if L1 has set
793 * VM_EXIT_ACK_INTR_ON_EXIT
794 */
795static bool nested_exit_intr_ack_set(struct kvm_vcpu *vcpu)
796{
797 return get_vmcs12(vcpu)->vm_exit_controls &
798 VM_EXIT_ACK_INTR_ON_EXIT;
799}
800
801static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu,
802 struct vmcs12 *vmcs12)
803{
804 if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) &&
805 CC(!page_address_valid(vcpu, vmcs12->apic_access_addr)))
806 return -EINVAL;
807 else
808 return 0;
809}
810
811static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu,
812 struct vmcs12 *vmcs12)
813{
814 if (!nested_cpu_has_virt_x2apic_mode(vmcs12) &&
815 !nested_cpu_has_apic_reg_virt(vmcs12) &&
816 !nested_cpu_has_vid(vmcs12) &&
817 !nested_cpu_has_posted_intr(vmcs12))
818 return 0;
819
820 /*
821 * If virtualize x2apic mode is enabled,
822 * virtualize apic access must be disabled.
823 */
824 if (CC(nested_cpu_has_virt_x2apic_mode(vmcs12) &&
825 nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)))
826 return -EINVAL;
827
828 /*
829 * If virtual interrupt delivery is enabled,
830 * we must exit on external interrupts.
831 */
832 if (CC(nested_cpu_has_vid(vmcs12) && !nested_exit_on_intr(vcpu)))
833 return -EINVAL;
834
835 /*
836 * bits 15:8 should be zero in posted_intr_nv,
837 * the descriptor address has been already checked
838 * in nested_get_vmcs12_pages.
839 *
840 * bits 5:0 of posted_intr_desc_addr should be zero.
841 */
842 if (nested_cpu_has_posted_intr(vmcs12) &&
843 (CC(!nested_cpu_has_vid(vmcs12)) ||
844 CC(!nested_exit_intr_ack_set(vcpu)) ||
845 CC((vmcs12->posted_intr_nv & 0xff00)) ||
846 CC(!kvm_vcpu_is_legal_aligned_gpa(vcpu, vmcs12->posted_intr_desc_addr, 64))))
847 return -EINVAL;
848
849 /* tpr shadow is needed by all apicv features. */
850 if (CC(!nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW)))
851 return -EINVAL;
852
853 return 0;
854}
855
856static u32 nested_vmx_max_atomic_switch_msrs(struct kvm_vcpu *vcpu)
857{
858 struct vcpu_vmx *vmx = to_vmx(vcpu);
859 u64 vmx_misc = vmx_control_msr(low: vmx->nested.msrs.misc_low,
860 high: vmx->nested.msrs.misc_high);
861
862 return (vmx_misc_max_msr(vmx_misc) + 1) * VMX_MISC_MSR_LIST_MULTIPLIER;
863}
864
865static int nested_vmx_check_msr_switch(struct kvm_vcpu *vcpu,
866 u32 count, u64 addr)
867{
868 if (count == 0)
869 return 0;
870
871 /*
872 * Exceeding the limit results in architecturally _undefined_ behavior,
873 * i.e. KVM is allowed to do literally anything in response to a bad
874 * limit. Immediately generate a consistency check so that code that
875 * consumes the count doesn't need to worry about extreme edge cases.
876 */
877 if (count > nested_vmx_max_atomic_switch_msrs(vcpu))
878 return -EINVAL;
879
880 if (!kvm_vcpu_is_legal_aligned_gpa(vcpu, gpa: addr, alignment: 16) ||
881 !kvm_vcpu_is_legal_gpa(vcpu, gpa: (addr + count * sizeof(struct vmx_msr_entry) - 1)))
882 return -EINVAL;
883
884 return 0;
885}
886
887static int nested_vmx_check_exit_msr_switch_controls(struct kvm_vcpu *vcpu,
888 struct vmcs12 *vmcs12)
889{
890 if (CC(nested_vmx_check_msr_switch(vcpu,
891 vmcs12->vm_exit_msr_load_count,
892 vmcs12->vm_exit_msr_load_addr)) ||
893 CC(nested_vmx_check_msr_switch(vcpu,
894 vmcs12->vm_exit_msr_store_count,
895 vmcs12->vm_exit_msr_store_addr)))
896 return -EINVAL;
897
898 return 0;
899}
900
901static int nested_vmx_check_entry_msr_switch_controls(struct kvm_vcpu *vcpu,
902 struct vmcs12 *vmcs12)
903{
904 if (CC(nested_vmx_check_msr_switch(vcpu,
905 vmcs12->vm_entry_msr_load_count,
906 vmcs12->vm_entry_msr_load_addr)))
907 return -EINVAL;
908
909 return 0;
910}
911
912static int nested_vmx_check_pml_controls(struct kvm_vcpu *vcpu,
913 struct vmcs12 *vmcs12)
914{
915 if (!nested_cpu_has_pml(vmcs12))
916 return 0;
917
918 if (CC(!nested_cpu_has_ept(vmcs12)) ||
919 CC(!page_address_valid(vcpu, vmcs12->pml_address)))
920 return -EINVAL;
921
922 return 0;
923}
924
925static int nested_vmx_check_unrestricted_guest_controls(struct kvm_vcpu *vcpu,
926 struct vmcs12 *vmcs12)
927{
928 if (CC(nested_cpu_has2(vmcs12, SECONDARY_EXEC_UNRESTRICTED_GUEST) &&
929 !nested_cpu_has_ept(vmcs12)))
930 return -EINVAL;
931 return 0;
932}
933
934static int nested_vmx_check_mode_based_ept_exec_controls(struct kvm_vcpu *vcpu,
935 struct vmcs12 *vmcs12)
936{
937 if (CC(nested_cpu_has2(vmcs12, SECONDARY_EXEC_MODE_BASED_EPT_EXEC) &&
938 !nested_cpu_has_ept(vmcs12)))
939 return -EINVAL;
940 return 0;
941}
942
943static int nested_vmx_check_shadow_vmcs_controls(struct kvm_vcpu *vcpu,
944 struct vmcs12 *vmcs12)
945{
946 if (!nested_cpu_has_shadow_vmcs(vmcs12))
947 return 0;
948
949 if (CC(!page_address_valid(vcpu, vmcs12->vmread_bitmap)) ||
950 CC(!page_address_valid(vcpu, vmcs12->vmwrite_bitmap)))
951 return -EINVAL;
952
953 return 0;
954}
955
956static int nested_vmx_msr_check_common(struct kvm_vcpu *vcpu,
957 struct vmx_msr_entry *e)
958{
959 /* x2APIC MSR accesses are not allowed */
960 if (CC(vcpu->arch.apic_base & X2APIC_ENABLE && e->index >> 8 == 0x8))
961 return -EINVAL;
962 if (CC(e->index == MSR_IA32_UCODE_WRITE) || /* SDM Table 35-2 */
963 CC(e->index == MSR_IA32_UCODE_REV))
964 return -EINVAL;
965 if (CC(e->reserved != 0))
966 return -EINVAL;
967 return 0;
968}
969
970static int nested_vmx_load_msr_check(struct kvm_vcpu *vcpu,
971 struct vmx_msr_entry *e)
972{
973 if (CC(e->index == MSR_FS_BASE) ||
974 CC(e->index == MSR_GS_BASE) ||
975 CC(e->index == MSR_IA32_SMM_MONITOR_CTL) || /* SMM is not supported */
976 nested_vmx_msr_check_common(vcpu, e))
977 return -EINVAL;
978 return 0;
979}
980
981static int nested_vmx_store_msr_check(struct kvm_vcpu *vcpu,
982 struct vmx_msr_entry *e)
983{
984 if (CC(e->index == MSR_IA32_SMBASE) || /* SMM is not supported */
985 nested_vmx_msr_check_common(vcpu, e))
986 return -EINVAL;
987 return 0;
988}
989
990/*
991 * Load guest's/host's msr at nested entry/exit.
992 * return 0 for success, entry index for failure.
993 *
994 * One of the failure modes for MSR load/store is when a list exceeds the
995 * virtual hardware's capacity. To maintain compatibility with hardware inasmuch
996 * as possible, process all valid entries before failing rather than precheck
997 * for a capacity violation.
998 */
999static u32 nested_vmx_load_msr(struct kvm_vcpu *vcpu, u64 gpa, u32 count)
1000{
1001 u32 i;
1002 struct vmx_msr_entry e;
1003 u32 max_msr_list_size = nested_vmx_max_atomic_switch_msrs(vcpu);
1004
1005 for (i = 0; i < count; i++) {
1006 if (WARN_ON_ONCE(i >= max_msr_list_size))
1007 goto fail;
1008
1009 if (kvm_vcpu_read_guest(vcpu, gpa: gpa + i * sizeof(e),
1010 data: &e, len: sizeof(e))) {
1011 pr_debug_ratelimited(
1012 "%s cannot read MSR entry (%u, 0x%08llx)\n",
1013 __func__, i, gpa + i * sizeof(e));
1014 goto fail;
1015 }
1016 if (nested_vmx_load_msr_check(vcpu, e: &e)) {
1017 pr_debug_ratelimited(
1018 "%s check failed (%u, 0x%x, 0x%x)\n",
1019 __func__, i, e.index, e.reserved);
1020 goto fail;
1021 }
1022 if (kvm_emulate_msr_write(vcpu, index: e.index, data: e.value)) {
1023 pr_debug_ratelimited(
1024 "%s cannot write MSR (%u, 0x%x, 0x%llx)\n",
1025 __func__, i, e.index, e.value);
1026 goto fail;
1027 }
1028 }
1029 return 0;
1030fail:
1031 /* Note, max_msr_list_size is at most 4096, i.e. this can't wrap. */
1032 return i + 1;
1033}
1034
1035static bool nested_vmx_get_vmexit_msr_value(struct kvm_vcpu *vcpu,
1036 u32 msr_index,
1037 u64 *data)
1038{
1039 struct vcpu_vmx *vmx = to_vmx(vcpu);
1040
1041 /*
1042 * If the L0 hypervisor stored a more accurate value for the TSC that
1043 * does not include the time taken for emulation of the L2->L1
1044 * VM-exit in L0, use the more accurate value.
1045 */
1046 if (msr_index == MSR_IA32_TSC) {
1047 int i = vmx_find_loadstore_msr_slot(m: &vmx->msr_autostore.guest,
1048 MSR_IA32_TSC);
1049
1050 if (i >= 0) {
1051 u64 val = vmx->msr_autostore.guest.val[i].value;
1052
1053 *data = kvm_read_l1_tsc(vcpu, host_tsc: val);
1054 return true;
1055 }
1056 }
1057
1058 if (kvm_emulate_msr_read(vcpu, index: msr_index, data)) {
1059 pr_debug_ratelimited("%s cannot read MSR (0x%x)\n", __func__,
1060 msr_index);
1061 return false;
1062 }
1063 return true;
1064}
1065
1066static bool read_and_check_msr_entry(struct kvm_vcpu *vcpu, u64 gpa, int i,
1067 struct vmx_msr_entry *e)
1068{
1069 if (kvm_vcpu_read_guest(vcpu,
1070 gpa: gpa + i * sizeof(*e),
1071 data: e, len: 2 * sizeof(u32))) {
1072 pr_debug_ratelimited(
1073 "%s cannot read MSR entry (%u, 0x%08llx)\n",
1074 __func__, i, gpa + i * sizeof(*e));
1075 return false;
1076 }
1077 if (nested_vmx_store_msr_check(vcpu, e)) {
1078 pr_debug_ratelimited(
1079 "%s check failed (%u, 0x%x, 0x%x)\n",
1080 __func__, i, e->index, e->reserved);
1081 return false;
1082 }
1083 return true;
1084}
1085
1086static int nested_vmx_store_msr(struct kvm_vcpu *vcpu, u64 gpa, u32 count)
1087{
1088 u64 data;
1089 u32 i;
1090 struct vmx_msr_entry e;
1091 u32 max_msr_list_size = nested_vmx_max_atomic_switch_msrs(vcpu);
1092
1093 for (i = 0; i < count; i++) {
1094 if (WARN_ON_ONCE(i >= max_msr_list_size))
1095 return -EINVAL;
1096
1097 if (!read_and_check_msr_entry(vcpu, gpa, i, e: &e))
1098 return -EINVAL;
1099
1100 if (!nested_vmx_get_vmexit_msr_value(vcpu, msr_index: e.index, data: &data))
1101 return -EINVAL;
1102
1103 if (kvm_vcpu_write_guest(vcpu,
1104 gpa: gpa + i * sizeof(e) +
1105 offsetof(struct vmx_msr_entry, value),
1106 data: &data, len: sizeof(data))) {
1107 pr_debug_ratelimited(
1108 "%s cannot write MSR (%u, 0x%x, 0x%llx)\n",
1109 __func__, i, e.index, data);
1110 return -EINVAL;
1111 }
1112 }
1113 return 0;
1114}
1115
1116static bool nested_msr_store_list_has_msr(struct kvm_vcpu *vcpu, u32 msr_index)
1117{
1118 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
1119 u32 count = vmcs12->vm_exit_msr_store_count;
1120 u64 gpa = vmcs12->vm_exit_msr_store_addr;
1121 struct vmx_msr_entry e;
1122 u32 i;
1123
1124 for (i = 0; i < count; i++) {
1125 if (!read_and_check_msr_entry(vcpu, gpa, i, e: &e))
1126 return false;
1127
1128 if (e.index == msr_index)
1129 return true;
1130 }
1131 return false;
1132}
1133
1134static void prepare_vmx_msr_autostore_list(struct kvm_vcpu *vcpu,
1135 u32 msr_index)
1136{
1137 struct vcpu_vmx *vmx = to_vmx(vcpu);
1138 struct vmx_msrs *autostore = &vmx->msr_autostore.guest;
1139 bool in_vmcs12_store_list;
1140 int msr_autostore_slot;
1141 bool in_autostore_list;
1142 int last;
1143
1144 msr_autostore_slot = vmx_find_loadstore_msr_slot(m: autostore, msr: msr_index);
1145 in_autostore_list = msr_autostore_slot >= 0;
1146 in_vmcs12_store_list = nested_msr_store_list_has_msr(vcpu, msr_index);
1147
1148 if (in_vmcs12_store_list && !in_autostore_list) {
1149 if (autostore->nr == MAX_NR_LOADSTORE_MSRS) {
1150 /*
1151 * Emulated VMEntry does not fail here. Instead a less
1152 * accurate value will be returned by
1153 * nested_vmx_get_vmexit_msr_value() by reading KVM's
1154 * internal MSR state instead of reading the value from
1155 * the vmcs02 VMExit MSR-store area.
1156 */
1157 pr_warn_ratelimited(
1158 "Not enough msr entries in msr_autostore. Can't add msr %x\n",
1159 msr_index);
1160 return;
1161 }
1162 last = autostore->nr++;
1163 autostore->val[last].index = msr_index;
1164 } else if (!in_vmcs12_store_list && in_autostore_list) {
1165 last = --autostore->nr;
1166 autostore->val[msr_autostore_slot] = autostore->val[last];
1167 }
1168}
1169
1170/*
1171 * Load guest's/host's cr3 at nested entry/exit. @nested_ept is true if we are
1172 * emulating VM-Entry into a guest with EPT enabled. On failure, the expected
1173 * Exit Qualification (for a VM-Entry consistency check VM-Exit) is assigned to
1174 * @entry_failure_code.
1175 */
1176static int nested_vmx_load_cr3(struct kvm_vcpu *vcpu, unsigned long cr3,
1177 bool nested_ept, bool reload_pdptrs,
1178 enum vm_entry_failure_code *entry_failure_code)
1179{
1180 if (CC(!kvm_vcpu_is_legal_cr3(vcpu, cr3))) {
1181 *entry_failure_code = ENTRY_FAIL_DEFAULT;
1182 return -EINVAL;
1183 }
1184
1185 /*
1186 * If PAE paging and EPT are both on, CR3 is not used by the CPU and
1187 * must not be dereferenced.
1188 */
1189 if (reload_pdptrs && !nested_ept && is_pae_paging(vcpu) &&
1190 CC(!load_pdptrs(vcpu, cr3))) {
1191 *entry_failure_code = ENTRY_FAIL_PDPTE;
1192 return -EINVAL;
1193 }
1194
1195 vcpu->arch.cr3 = cr3;
1196 kvm_register_mark_dirty(vcpu, reg: VCPU_EXREG_CR3);
1197
1198 /* Re-initialize the MMU, e.g. to pick up CR4 MMU role changes. */
1199 kvm_init_mmu(vcpu);
1200
1201 if (!nested_ept)
1202 kvm_mmu_new_pgd(vcpu, new_pgd: cr3);
1203
1204 return 0;
1205}
1206
1207/*
1208 * Returns if KVM is able to config CPU to tag TLB entries
1209 * populated by L2 differently than TLB entries populated
1210 * by L1.
1211 *
1212 * If L0 uses EPT, L1 and L2 run with different EPTP because
1213 * guest_mode is part of kvm_mmu_page_role. Thus, TLB entries
1214 * are tagged with different EPTP.
1215 *
1216 * If L1 uses VPID and we allocated a vpid02, TLB entries are tagged
1217 * with different VPID (L1 entries are tagged with vmx->vpid
1218 * while L2 entries are tagged with vmx->nested.vpid02).
1219 */
1220static bool nested_has_guest_tlb_tag(struct kvm_vcpu *vcpu)
1221{
1222 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
1223
1224 return enable_ept ||
1225 (nested_cpu_has_vpid(vmcs12) && to_vmx(vcpu)->nested.vpid02);
1226}
1227
1228static void nested_vmx_transition_tlb_flush(struct kvm_vcpu *vcpu,
1229 struct vmcs12 *vmcs12,
1230 bool is_vmenter)
1231{
1232 struct vcpu_vmx *vmx = to_vmx(vcpu);
1233
1234 /* Handle pending Hyper-V TLB flush requests */
1235 kvm_hv_nested_transtion_tlb_flush(vcpu, tdp_enabled: enable_ept);
1236
1237 /*
1238 * If VPID is disabled, then guest TLB accesses use VPID=0, i.e. the
1239 * same VPID as the host, and so architecturally, linear and combined
1240 * mappings for VPID=0 must be flushed at VM-Enter and VM-Exit. KVM
1241 * emulates L2 sharing L1's VPID=0 by using vpid01 while running L2,
1242 * and so KVM must also emulate TLB flush of VPID=0, i.e. vpid01. This
1243 * is required if VPID is disabled in KVM, as a TLB flush (there are no
1244 * VPIDs) still occurs from L1's perspective, and KVM may need to
1245 * synchronize the MMU in response to the guest TLB flush.
1246 *
1247 * Note, using TLB_FLUSH_GUEST is correct even if nested EPT is in use.
1248 * EPT is a special snowflake, as guest-physical mappings aren't
1249 * flushed on VPID invalidations, including VM-Enter or VM-Exit with
1250 * VPID disabled. As a result, KVM _never_ needs to sync nEPT
1251 * entries on VM-Enter because L1 can't rely on VM-Enter to flush
1252 * those mappings.
1253 */
1254 if (!nested_cpu_has_vpid(vmcs12)) {
1255 kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
1256 return;
1257 }
1258
1259 /* L2 should never have a VPID if VPID is disabled. */
1260 WARN_ON(!enable_vpid);
1261
1262 /*
1263 * VPID is enabled and in use by vmcs12. If vpid12 is changing, then
1264 * emulate a guest TLB flush as KVM does not track vpid12 history nor
1265 * is the VPID incorporated into the MMU context. I.e. KVM must assume
1266 * that the new vpid12 has never been used and thus represents a new
1267 * guest ASID that cannot have entries in the TLB.
1268 */
1269 if (is_vmenter && vmcs12->virtual_processor_id != vmx->nested.last_vpid) {
1270 vmx->nested.last_vpid = vmcs12->virtual_processor_id;
1271 kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
1272 return;
1273 }
1274
1275 /*
1276 * If VPID is enabled, used by vmc12, and vpid12 is not changing but
1277 * does not have a unique TLB tag (ASID), i.e. EPT is disabled and
1278 * KVM was unable to allocate a VPID for L2, flush the current context
1279 * as the effective ASID is common to both L1 and L2.
1280 */
1281 if (!nested_has_guest_tlb_tag(vcpu))
1282 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
1283}
1284
1285static bool is_bitwise_subset(u64 superset, u64 subset, u64 mask)
1286{
1287 superset &= mask;
1288 subset &= mask;
1289
1290 return (superset | subset) == superset;
1291}
1292
1293static int vmx_restore_vmx_basic(struct vcpu_vmx *vmx, u64 data)
1294{
1295 const u64 feature_bits = VMX_BASIC_DUAL_MONITOR_TREATMENT |
1296 VMX_BASIC_INOUT |
1297 VMX_BASIC_TRUE_CTLS |
1298 VMX_BASIC_NO_HW_ERROR_CODE_CC;
1299
1300 const u64 reserved_bits = GENMASK_ULL(63, 57) |
1301 GENMASK_ULL(47, 45) |
1302 BIT_ULL(31);
1303
1304 u64 vmx_basic = vmcs_config.nested.basic;
1305
1306 BUILD_BUG_ON(feature_bits & reserved_bits);
1307
1308 /*
1309 * Except for 32BIT_PHYS_ADDR_ONLY, which is an anti-feature bit (has
1310 * inverted polarity), the incoming value must not set feature bits or
1311 * reserved bits that aren't allowed/supported by KVM. Fields, i.e.
1312 * multi-bit values, are explicitly checked below.
1313 */
1314 if (!is_bitwise_subset(superset: vmx_basic, subset: data, mask: feature_bits | reserved_bits))
1315 return -EINVAL;
1316
1317 /*
1318 * KVM does not emulate a version of VMX that constrains physical
1319 * addresses of VMX structures (e.g. VMCS) to 32-bits.
1320 */
1321 if (data & VMX_BASIC_32BIT_PHYS_ADDR_ONLY)
1322 return -EINVAL;
1323
1324 if (vmx_basic_vmcs_revision_id(vmx_basic) !=
1325 vmx_basic_vmcs_revision_id(vmx_basic: data))
1326 return -EINVAL;
1327
1328 if (vmx_basic_vmcs_size(vmx_basic) > vmx_basic_vmcs_size(vmx_basic: data))
1329 return -EINVAL;
1330
1331 vmx->nested.msrs.basic = data;
1332 return 0;
1333}
1334
1335static void vmx_get_control_msr(struct nested_vmx_msrs *msrs, u32 msr_index,
1336 u32 **low, u32 **high)
1337{
1338 switch (msr_index) {
1339 case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
1340 *low = &msrs->pinbased_ctls_low;
1341 *high = &msrs->pinbased_ctls_high;
1342 break;
1343 case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
1344 *low = &msrs->procbased_ctls_low;
1345 *high = &msrs->procbased_ctls_high;
1346 break;
1347 case MSR_IA32_VMX_TRUE_EXIT_CTLS:
1348 *low = &msrs->exit_ctls_low;
1349 *high = &msrs->exit_ctls_high;
1350 break;
1351 case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
1352 *low = &msrs->entry_ctls_low;
1353 *high = &msrs->entry_ctls_high;
1354 break;
1355 case MSR_IA32_VMX_PROCBASED_CTLS2:
1356 *low = &msrs->secondary_ctls_low;
1357 *high = &msrs->secondary_ctls_high;
1358 break;
1359 default:
1360 BUG();
1361 }
1362}
1363
1364static int
1365vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
1366{
1367 u32 *lowp, *highp;
1368 u64 supported;
1369
1370 vmx_get_control_msr(msrs: &vmcs_config.nested, msr_index, low: &lowp, high: &highp);
1371
1372 supported = vmx_control_msr(low: *lowp, high: *highp);
1373
1374 /* Check must-be-1 bits are still 1. */
1375 if (!is_bitwise_subset(superset: data, subset: supported, GENMASK_ULL(31, 0)))
1376 return -EINVAL;
1377
1378 /* Check must-be-0 bits are still 0. */
1379 if (!is_bitwise_subset(superset: supported, subset: data, GENMASK_ULL(63, 32)))
1380 return -EINVAL;
1381
1382 vmx_get_control_msr(msrs: &vmx->nested.msrs, msr_index, low: &lowp, high: &highp);
1383 *lowp = data;
1384 *highp = data >> 32;
1385 return 0;
1386}
1387
1388static int vmx_restore_vmx_misc(struct vcpu_vmx *vmx, u64 data)
1389{
1390 const u64 feature_bits = VMX_MISC_SAVE_EFER_LMA |
1391 VMX_MISC_ACTIVITY_HLT |
1392 VMX_MISC_ACTIVITY_SHUTDOWN |
1393 VMX_MISC_ACTIVITY_WAIT_SIPI |
1394 VMX_MISC_INTEL_PT |
1395 VMX_MISC_RDMSR_IN_SMM |
1396 VMX_MISC_VMWRITE_SHADOW_RO_FIELDS |
1397 VMX_MISC_VMXOFF_BLOCK_SMI |
1398 VMX_MISC_ZERO_LEN_INS;
1399
1400 const u64 reserved_bits = BIT_ULL(31) | GENMASK_ULL(13, 9);
1401
1402 u64 vmx_misc = vmx_control_msr(low: vmcs_config.nested.misc_low,
1403 high: vmcs_config.nested.misc_high);
1404
1405 BUILD_BUG_ON(feature_bits & reserved_bits);
1406
1407 /*
1408 * The incoming value must not set feature bits or reserved bits that
1409 * aren't allowed/supported by KVM. Fields, i.e. multi-bit values, are
1410 * explicitly checked below.
1411 */
1412 if (!is_bitwise_subset(superset: vmx_misc, subset: data, mask: feature_bits | reserved_bits))
1413 return -EINVAL;
1414
1415 if ((vmx->nested.msrs.pinbased_ctls_high &
1416 PIN_BASED_VMX_PREEMPTION_TIMER) &&
1417 vmx_misc_preemption_timer_rate(vmx_misc: data) !=
1418 vmx_misc_preemption_timer_rate(vmx_misc))
1419 return -EINVAL;
1420
1421 if (vmx_misc_cr3_count(vmx_misc: data) > vmx_misc_cr3_count(vmx_misc))
1422 return -EINVAL;
1423
1424 if (vmx_misc_max_msr(vmx_misc: data) > vmx_misc_max_msr(vmx_misc))
1425 return -EINVAL;
1426
1427 if (vmx_misc_mseg_revid(vmx_misc: data) != vmx_misc_mseg_revid(vmx_misc))
1428 return -EINVAL;
1429
1430 vmx->nested.msrs.misc_low = data;
1431 vmx->nested.msrs.misc_high = data >> 32;
1432
1433 return 0;
1434}
1435
1436static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data)
1437{
1438 u64 vmx_ept_vpid_cap = vmx_control_msr(low: vmcs_config.nested.ept_caps,
1439 high: vmcs_config.nested.vpid_caps);
1440
1441 /* Every bit is either reserved or a feature bit. */
1442 if (!is_bitwise_subset(superset: vmx_ept_vpid_cap, subset: data, mask: -1ULL))
1443 return -EINVAL;
1444
1445 vmx->nested.msrs.ept_caps = data;
1446 vmx->nested.msrs.vpid_caps = data >> 32;
1447 return 0;
1448}
1449
1450static u64 *vmx_get_fixed0_msr(struct nested_vmx_msrs *msrs, u32 msr_index)
1451{
1452 switch (msr_index) {
1453 case MSR_IA32_VMX_CR0_FIXED0:
1454 return &msrs->cr0_fixed0;
1455 case MSR_IA32_VMX_CR4_FIXED0:
1456 return &msrs->cr4_fixed0;
1457 default:
1458 BUG();
1459 }
1460}
1461
1462static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
1463{
1464 const u64 *msr = vmx_get_fixed0_msr(msrs: &vmcs_config.nested, msr_index);
1465
1466 /*
1467 * 1 bits (which indicates bits which "must-be-1" during VMX operation)
1468 * must be 1 in the restored value.
1469 */
1470 if (!is_bitwise_subset(superset: data, subset: *msr, mask: -1ULL))
1471 return -EINVAL;
1472
1473 *vmx_get_fixed0_msr(msrs: &vmx->nested.msrs, msr_index) = data;
1474 return 0;
1475}
1476
1477/*
1478 * Called when userspace is restoring VMX MSRs.
1479 *
1480 * Returns 0 on success, non-0 otherwise.
1481 */
1482int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
1483{
1484 struct vcpu_vmx *vmx = to_vmx(vcpu);
1485
1486 /*
1487 * Don't allow changes to the VMX capability MSRs while the vCPU
1488 * is in VMX operation.
1489 */
1490 if (vmx->nested.vmxon)
1491 return -EBUSY;
1492
1493 switch (msr_index) {
1494 case MSR_IA32_VMX_BASIC:
1495 return vmx_restore_vmx_basic(vmx, data);
1496 case MSR_IA32_VMX_PINBASED_CTLS:
1497 case MSR_IA32_VMX_PROCBASED_CTLS:
1498 case MSR_IA32_VMX_EXIT_CTLS:
1499 case MSR_IA32_VMX_ENTRY_CTLS:
1500 /*
1501 * The "non-true" VMX capability MSRs are generated from the
1502 * "true" MSRs, so we do not support restoring them directly.
1503 *
1504 * If userspace wants to emulate VMX_BASIC[55]=0, userspace
1505 * should restore the "true" MSRs with the must-be-1 bits
1506 * set according to the SDM Vol 3. A.2 "RESERVED CONTROLS AND
1507 * DEFAULT SETTINGS".
1508 */
1509 return -EINVAL;
1510 case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
1511 case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
1512 case MSR_IA32_VMX_TRUE_EXIT_CTLS:
1513 case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
1514 case MSR_IA32_VMX_PROCBASED_CTLS2:
1515 return vmx_restore_control_msr(vmx, msr_index, data);
1516 case MSR_IA32_VMX_MISC:
1517 return vmx_restore_vmx_misc(vmx, data);
1518 case MSR_IA32_VMX_CR0_FIXED0:
1519 case MSR_IA32_VMX_CR4_FIXED0:
1520 return vmx_restore_fixed0_msr(vmx, msr_index, data);
1521 case MSR_IA32_VMX_CR0_FIXED1:
1522 case MSR_IA32_VMX_CR4_FIXED1:
1523 /*
1524 * These MSRs are generated based on the vCPU's CPUID, so we
1525 * do not support restoring them directly.
1526 */
1527 return -EINVAL;
1528 case MSR_IA32_VMX_EPT_VPID_CAP:
1529 return vmx_restore_vmx_ept_vpid_cap(vmx, data);
1530 case MSR_IA32_VMX_VMCS_ENUM:
1531 vmx->nested.msrs.vmcs_enum = data;
1532 return 0;
1533 case MSR_IA32_VMX_VMFUNC:
1534 if (data & ~vmcs_config.nested.vmfunc_controls)
1535 return -EINVAL;
1536 vmx->nested.msrs.vmfunc_controls = data;
1537 return 0;
1538 default:
1539 /*
1540 * The rest of the VMX capability MSRs do not support restore.
1541 */
1542 return -EINVAL;
1543 }
1544}
1545
1546/* Returns 0 on success, non-0 otherwise. */
1547int vmx_get_vmx_msr(struct nested_vmx_msrs *msrs, u32 msr_index, u64 *pdata)
1548{
1549 switch (msr_index) {
1550 case MSR_IA32_VMX_BASIC:
1551 *pdata = msrs->basic;
1552 break;
1553 case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
1554 case MSR_IA32_VMX_PINBASED_CTLS:
1555 *pdata = vmx_control_msr(
1556 low: msrs->pinbased_ctls_low,
1557 high: msrs->pinbased_ctls_high);
1558 if (msr_index == MSR_IA32_VMX_PINBASED_CTLS)
1559 *pdata |= PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
1560 break;
1561 case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
1562 case MSR_IA32_VMX_PROCBASED_CTLS:
1563 *pdata = vmx_control_msr(
1564 low: msrs->procbased_ctls_low,
1565 high: msrs->procbased_ctls_high);
1566 if (msr_index == MSR_IA32_VMX_PROCBASED_CTLS)
1567 *pdata |= CPU_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
1568 break;
1569 case MSR_IA32_VMX_TRUE_EXIT_CTLS:
1570 case MSR_IA32_VMX_EXIT_CTLS:
1571 *pdata = vmx_control_msr(
1572 low: msrs->exit_ctls_low,
1573 high: msrs->exit_ctls_high);
1574 if (msr_index == MSR_IA32_VMX_EXIT_CTLS)
1575 *pdata |= VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR;
1576 break;
1577 case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
1578 case MSR_IA32_VMX_ENTRY_CTLS:
1579 *pdata = vmx_control_msr(
1580 low: msrs->entry_ctls_low,
1581 high: msrs->entry_ctls_high);
1582 if (msr_index == MSR_IA32_VMX_ENTRY_CTLS)
1583 *pdata |= VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR;
1584 break;
1585 case MSR_IA32_VMX_MISC:
1586 *pdata = vmx_control_msr(
1587 low: msrs->misc_low,
1588 high: msrs->misc_high);
1589 break;
1590 case MSR_IA32_VMX_CR0_FIXED0:
1591 *pdata = msrs->cr0_fixed0;
1592 break;
1593 case MSR_IA32_VMX_CR0_FIXED1:
1594 *pdata = msrs->cr0_fixed1;
1595 break;
1596 case MSR_IA32_VMX_CR4_FIXED0:
1597 *pdata = msrs->cr4_fixed0;
1598 break;
1599 case MSR_IA32_VMX_CR4_FIXED1:
1600 *pdata = msrs->cr4_fixed1;
1601 break;
1602 case MSR_IA32_VMX_VMCS_ENUM:
1603 *pdata = msrs->vmcs_enum;
1604 break;
1605 case MSR_IA32_VMX_PROCBASED_CTLS2:
1606 *pdata = vmx_control_msr(
1607 low: msrs->secondary_ctls_low,
1608 high: msrs->secondary_ctls_high);
1609 break;
1610 case MSR_IA32_VMX_EPT_VPID_CAP:
1611 *pdata = msrs->ept_caps |
1612 ((u64)msrs->vpid_caps << 32);
1613 break;
1614 case MSR_IA32_VMX_VMFUNC:
1615 *pdata = msrs->vmfunc_controls;
1616 break;
1617 default:
1618 return 1;
1619 }
1620
1621 return 0;
1622}
1623
1624/*
1625 * Copy the writable VMCS shadow fields back to the VMCS12, in case they have
1626 * been modified by the L1 guest. Note, "writable" in this context means
1627 * "writable by the guest", i.e. tagged SHADOW_FIELD_RW; the set of
1628 * fields tagged SHADOW_FIELD_RO may or may not align with the "read-only"
1629 * VM-exit information fields (which are actually writable if the vCPU is
1630 * configured to support "VMWRITE to any supported field in the VMCS").
1631 */
1632static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx)
1633{
1634 struct vmcs *shadow_vmcs = vmx->vmcs01.shadow_vmcs;
1635 struct vmcs12 *vmcs12 = get_vmcs12(vcpu: &vmx->vcpu);
1636 struct shadow_vmcs_field field;
1637 unsigned long val;
1638 int i;
1639
1640 if (WARN_ON(!shadow_vmcs))
1641 return;
1642
1643 preempt_disable();
1644
1645 vmcs_load(vmcs: shadow_vmcs);
1646
1647 for (i = 0; i < max_shadow_read_write_fields; i++) {
1648 field = shadow_read_write_fields[i];
1649 val = __vmcs_readl(field: field.encoding);
1650 vmcs12_write_any(vmcs12, field: field.encoding, offset: field.offset, field_value: val);
1651 }
1652
1653 vmcs_clear(vmcs: shadow_vmcs);
1654 vmcs_load(vmcs: vmx->loaded_vmcs->vmcs);
1655
1656 preempt_enable();
1657}
1658
1659static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx)
1660{
1661 const struct shadow_vmcs_field *fields[] = {
1662 shadow_read_write_fields,
1663 shadow_read_only_fields
1664 };
1665 const int max_fields[] = {
1666 max_shadow_read_write_fields,
1667 max_shadow_read_only_fields
1668 };
1669 struct vmcs *shadow_vmcs = vmx->vmcs01.shadow_vmcs;
1670 struct vmcs12 *vmcs12 = get_vmcs12(vcpu: &vmx->vcpu);
1671 struct shadow_vmcs_field field;
1672 unsigned long val;
1673 int i, q;
1674
1675 if (WARN_ON(!shadow_vmcs))
1676 return;
1677
1678 vmcs_load(vmcs: shadow_vmcs);
1679
1680 for (q = 0; q < ARRAY_SIZE(fields); q++) {
1681 for (i = 0; i < max_fields[q]; i++) {
1682 field = fields[q][i];
1683 val = vmcs12_read_any(vmcs12, field: field.encoding,
1684 offset: field.offset);
1685 __vmcs_writel(field: field.encoding, value: val);
1686 }
1687 }
1688
1689 vmcs_clear(vmcs: shadow_vmcs);
1690 vmcs_load(vmcs: vmx->loaded_vmcs->vmcs);
1691}
1692
1693static void copy_enlightened_to_vmcs12(struct vcpu_vmx *vmx, u32 hv_clean_fields)
1694{
1695#ifdef CONFIG_KVM_HYPERV
1696 struct vmcs12 *vmcs12 = vmx->nested.cached_vmcs12;
1697 struct hv_enlightened_vmcs *evmcs = nested_vmx_evmcs(vmx);
1698 struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu: &vmx->vcpu);
1699
1700 /* HV_VMX_ENLIGHTENED_CLEAN_FIELD_NONE */
1701 vmcs12->tpr_threshold = evmcs->tpr_threshold;
1702 vmcs12->guest_rip = evmcs->guest_rip;
1703
1704 if (unlikely(!(hv_clean_fields &
1705 HV_VMX_ENLIGHTENED_CLEAN_FIELD_ENLIGHTENMENTSCONTROL))) {
1706 hv_vcpu->nested.pa_page_gpa = evmcs->partition_assist_page;
1707 hv_vcpu->nested.vm_id = evmcs->hv_vm_id;
1708 hv_vcpu->nested.vp_id = evmcs->hv_vp_id;
1709 }
1710
1711 if (unlikely(!(hv_clean_fields &
1712 HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_BASIC))) {
1713 vmcs12->guest_rsp = evmcs->guest_rsp;
1714 vmcs12->guest_rflags = evmcs->guest_rflags;
1715 vmcs12->guest_interruptibility_info =
1716 evmcs->guest_interruptibility_info;
1717 /*
1718 * Not present in struct vmcs12:
1719 * vmcs12->guest_ssp = evmcs->guest_ssp;
1720 */
1721 }
1722
1723 if (unlikely(!(hv_clean_fields &
1724 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_PROC))) {
1725 vmcs12->cpu_based_vm_exec_control =
1726 evmcs->cpu_based_vm_exec_control;
1727 }
1728
1729 if (unlikely(!(hv_clean_fields &
1730 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_EXCPN))) {
1731 vmcs12->exception_bitmap = evmcs->exception_bitmap;
1732 }
1733
1734 if (unlikely(!(hv_clean_fields &
1735 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_ENTRY))) {
1736 vmcs12->vm_entry_controls = evmcs->vm_entry_controls;
1737 }
1738
1739 if (unlikely(!(hv_clean_fields &
1740 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_EVENT))) {
1741 vmcs12->vm_entry_intr_info_field =
1742 evmcs->vm_entry_intr_info_field;
1743 vmcs12->vm_entry_exception_error_code =
1744 evmcs->vm_entry_exception_error_code;
1745 vmcs12->vm_entry_instruction_len =
1746 evmcs->vm_entry_instruction_len;
1747 }
1748
1749 if (unlikely(!(hv_clean_fields &
1750 HV_VMX_ENLIGHTENED_CLEAN_FIELD_HOST_GRP1))) {
1751 vmcs12->host_ia32_pat = evmcs->host_ia32_pat;
1752 vmcs12->host_ia32_efer = evmcs->host_ia32_efer;
1753 vmcs12->host_cr0 = evmcs->host_cr0;
1754 vmcs12->host_cr3 = evmcs->host_cr3;
1755 vmcs12->host_cr4 = evmcs->host_cr4;
1756 vmcs12->host_ia32_sysenter_esp = evmcs->host_ia32_sysenter_esp;
1757 vmcs12->host_ia32_sysenter_eip = evmcs->host_ia32_sysenter_eip;
1758 vmcs12->host_rip = evmcs->host_rip;
1759 vmcs12->host_ia32_sysenter_cs = evmcs->host_ia32_sysenter_cs;
1760 vmcs12->host_es_selector = evmcs->host_es_selector;
1761 vmcs12->host_cs_selector = evmcs->host_cs_selector;
1762 vmcs12->host_ss_selector = evmcs->host_ss_selector;
1763 vmcs12->host_ds_selector = evmcs->host_ds_selector;
1764 vmcs12->host_fs_selector = evmcs->host_fs_selector;
1765 vmcs12->host_gs_selector = evmcs->host_gs_selector;
1766 vmcs12->host_tr_selector = evmcs->host_tr_selector;
1767 vmcs12->host_ia32_perf_global_ctrl = evmcs->host_ia32_perf_global_ctrl;
1768 /*
1769 * Not present in struct vmcs12:
1770 * vmcs12->host_ia32_s_cet = evmcs->host_ia32_s_cet;
1771 * vmcs12->host_ssp = evmcs->host_ssp;
1772 * vmcs12->host_ia32_int_ssp_table_addr = evmcs->host_ia32_int_ssp_table_addr;
1773 */
1774 }
1775
1776 if (unlikely(!(hv_clean_fields &
1777 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_GRP1))) {
1778 vmcs12->pin_based_vm_exec_control =
1779 evmcs->pin_based_vm_exec_control;
1780 vmcs12->vm_exit_controls = evmcs->vm_exit_controls;
1781 vmcs12->secondary_vm_exec_control =
1782 evmcs->secondary_vm_exec_control;
1783 }
1784
1785 if (unlikely(!(hv_clean_fields &
1786 HV_VMX_ENLIGHTENED_CLEAN_FIELD_IO_BITMAP))) {
1787 vmcs12->io_bitmap_a = evmcs->io_bitmap_a;
1788 vmcs12->io_bitmap_b = evmcs->io_bitmap_b;
1789 }
1790
1791 if (unlikely(!(hv_clean_fields &
1792 HV_VMX_ENLIGHTENED_CLEAN_FIELD_MSR_BITMAP))) {
1793 vmcs12->msr_bitmap = evmcs->msr_bitmap;
1794 }
1795
1796 if (unlikely(!(hv_clean_fields &
1797 HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_GRP2))) {
1798 vmcs12->guest_es_base = evmcs->guest_es_base;
1799 vmcs12->guest_cs_base = evmcs->guest_cs_base;
1800 vmcs12->guest_ss_base = evmcs->guest_ss_base;
1801 vmcs12->guest_ds_base = evmcs->guest_ds_base;
1802 vmcs12->guest_fs_base = evmcs->guest_fs_base;
1803 vmcs12->guest_gs_base = evmcs->guest_gs_base;
1804 vmcs12->guest_ldtr_base = evmcs->guest_ldtr_base;
1805 vmcs12->guest_tr_base = evmcs->guest_tr_base;
1806 vmcs12->guest_gdtr_base = evmcs->guest_gdtr_base;
1807 vmcs12->guest_idtr_base = evmcs->guest_idtr_base;
1808 vmcs12->guest_es_limit = evmcs->guest_es_limit;
1809 vmcs12->guest_cs_limit = evmcs->guest_cs_limit;
1810 vmcs12->guest_ss_limit = evmcs->guest_ss_limit;
1811 vmcs12->guest_ds_limit = evmcs->guest_ds_limit;
1812 vmcs12->guest_fs_limit = evmcs->guest_fs_limit;
1813 vmcs12->guest_gs_limit = evmcs->guest_gs_limit;
1814 vmcs12->guest_ldtr_limit = evmcs->guest_ldtr_limit;
1815 vmcs12->guest_tr_limit = evmcs->guest_tr_limit;
1816 vmcs12->guest_gdtr_limit = evmcs->guest_gdtr_limit;
1817 vmcs12->guest_idtr_limit = evmcs->guest_idtr_limit;
1818 vmcs12->guest_es_ar_bytes = evmcs->guest_es_ar_bytes;
1819 vmcs12->guest_cs_ar_bytes = evmcs->guest_cs_ar_bytes;
1820 vmcs12->guest_ss_ar_bytes = evmcs->guest_ss_ar_bytes;
1821 vmcs12->guest_ds_ar_bytes = evmcs->guest_ds_ar_bytes;
1822 vmcs12->guest_fs_ar_bytes = evmcs->guest_fs_ar_bytes;
1823 vmcs12->guest_gs_ar_bytes = evmcs->guest_gs_ar_bytes;
1824 vmcs12->guest_ldtr_ar_bytes = evmcs->guest_ldtr_ar_bytes;
1825 vmcs12->guest_tr_ar_bytes = evmcs->guest_tr_ar_bytes;
1826 vmcs12->guest_es_selector = evmcs->guest_es_selector;
1827 vmcs12->guest_cs_selector = evmcs->guest_cs_selector;
1828 vmcs12->guest_ss_selector = evmcs->guest_ss_selector;
1829 vmcs12->guest_ds_selector = evmcs->guest_ds_selector;
1830 vmcs12->guest_fs_selector = evmcs->guest_fs_selector;
1831 vmcs12->guest_gs_selector = evmcs->guest_gs_selector;
1832 vmcs12->guest_ldtr_selector = evmcs->guest_ldtr_selector;
1833 vmcs12->guest_tr_selector = evmcs->guest_tr_selector;
1834 }
1835
1836 if (unlikely(!(hv_clean_fields &
1837 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_GRP2))) {
1838 vmcs12->tsc_offset = evmcs->tsc_offset;
1839 vmcs12->virtual_apic_page_addr = evmcs->virtual_apic_page_addr;
1840 vmcs12->xss_exit_bitmap = evmcs->xss_exit_bitmap;
1841 vmcs12->encls_exiting_bitmap = evmcs->encls_exiting_bitmap;
1842 vmcs12->tsc_multiplier = evmcs->tsc_multiplier;
1843 }
1844
1845 if (unlikely(!(hv_clean_fields &
1846 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CRDR))) {
1847 vmcs12->cr0_guest_host_mask = evmcs->cr0_guest_host_mask;
1848 vmcs12->cr4_guest_host_mask = evmcs->cr4_guest_host_mask;
1849 vmcs12->cr0_read_shadow = evmcs->cr0_read_shadow;
1850 vmcs12->cr4_read_shadow = evmcs->cr4_read_shadow;
1851 vmcs12->guest_cr0 = evmcs->guest_cr0;
1852 vmcs12->guest_cr3 = evmcs->guest_cr3;
1853 vmcs12->guest_cr4 = evmcs->guest_cr4;
1854 vmcs12->guest_dr7 = evmcs->guest_dr7;
1855 }
1856
1857 if (unlikely(!(hv_clean_fields &
1858 HV_VMX_ENLIGHTENED_CLEAN_FIELD_HOST_POINTER))) {
1859 vmcs12->host_fs_base = evmcs->host_fs_base;
1860 vmcs12->host_gs_base = evmcs->host_gs_base;
1861 vmcs12->host_tr_base = evmcs->host_tr_base;
1862 vmcs12->host_gdtr_base = evmcs->host_gdtr_base;
1863 vmcs12->host_idtr_base = evmcs->host_idtr_base;
1864 vmcs12->host_rsp = evmcs->host_rsp;
1865 }
1866
1867 if (unlikely(!(hv_clean_fields &
1868 HV_VMX_ENLIGHTENED_CLEAN_FIELD_CONTROL_XLAT))) {
1869 vmcs12->ept_pointer = evmcs->ept_pointer;
1870 vmcs12->virtual_processor_id = evmcs->virtual_processor_id;
1871 }
1872
1873 if (unlikely(!(hv_clean_fields &
1874 HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_GRP1))) {
1875 vmcs12->vmcs_link_pointer = evmcs->vmcs_link_pointer;
1876 vmcs12->guest_ia32_debugctl = evmcs->guest_ia32_debugctl;
1877 vmcs12->guest_ia32_pat = evmcs->guest_ia32_pat;
1878 vmcs12->guest_ia32_efer = evmcs->guest_ia32_efer;
1879 vmcs12->guest_pdptr0 = evmcs->guest_pdptr0;
1880 vmcs12->guest_pdptr1 = evmcs->guest_pdptr1;
1881 vmcs12->guest_pdptr2 = evmcs->guest_pdptr2;
1882 vmcs12->guest_pdptr3 = evmcs->guest_pdptr3;
1883 vmcs12->guest_pending_dbg_exceptions =
1884 evmcs->guest_pending_dbg_exceptions;
1885 vmcs12->guest_sysenter_esp = evmcs->guest_sysenter_esp;
1886 vmcs12->guest_sysenter_eip = evmcs->guest_sysenter_eip;
1887 vmcs12->guest_bndcfgs = evmcs->guest_bndcfgs;
1888 vmcs12->guest_activity_state = evmcs->guest_activity_state;
1889 vmcs12->guest_sysenter_cs = evmcs->guest_sysenter_cs;
1890 vmcs12->guest_ia32_perf_global_ctrl = evmcs->guest_ia32_perf_global_ctrl;
1891 /*
1892 * Not present in struct vmcs12:
1893 * vmcs12->guest_ia32_s_cet = evmcs->guest_ia32_s_cet;
1894 * vmcs12->guest_ia32_lbr_ctl = evmcs->guest_ia32_lbr_ctl;
1895 * vmcs12->guest_ia32_int_ssp_table_addr = evmcs->guest_ia32_int_ssp_table_addr;
1896 */
1897 }
1898
1899 /*
1900 * Not used?
1901 * vmcs12->vm_exit_msr_store_addr = evmcs->vm_exit_msr_store_addr;
1902 * vmcs12->vm_exit_msr_load_addr = evmcs->vm_exit_msr_load_addr;
1903 * vmcs12->vm_entry_msr_load_addr = evmcs->vm_entry_msr_load_addr;
1904 * vmcs12->page_fault_error_code_mask =
1905 * evmcs->page_fault_error_code_mask;
1906 * vmcs12->page_fault_error_code_match =
1907 * evmcs->page_fault_error_code_match;
1908 * vmcs12->cr3_target_count = evmcs->cr3_target_count;
1909 * vmcs12->vm_exit_msr_store_count = evmcs->vm_exit_msr_store_count;
1910 * vmcs12->vm_exit_msr_load_count = evmcs->vm_exit_msr_load_count;
1911 * vmcs12->vm_entry_msr_load_count = evmcs->vm_entry_msr_load_count;
1912 */
1913
1914 /*
1915 * Read only fields:
1916 * vmcs12->guest_physical_address = evmcs->guest_physical_address;
1917 * vmcs12->vm_instruction_error = evmcs->vm_instruction_error;
1918 * vmcs12->vm_exit_reason = evmcs->vm_exit_reason;
1919 * vmcs12->vm_exit_intr_info = evmcs->vm_exit_intr_info;
1920 * vmcs12->vm_exit_intr_error_code = evmcs->vm_exit_intr_error_code;
1921 * vmcs12->idt_vectoring_info_field = evmcs->idt_vectoring_info_field;
1922 * vmcs12->idt_vectoring_error_code = evmcs->idt_vectoring_error_code;
1923 * vmcs12->vm_exit_instruction_len = evmcs->vm_exit_instruction_len;
1924 * vmcs12->vmx_instruction_info = evmcs->vmx_instruction_info;
1925 * vmcs12->exit_qualification = evmcs->exit_qualification;
1926 * vmcs12->guest_linear_address = evmcs->guest_linear_address;
1927 *
1928 * Not present in struct vmcs12:
1929 * vmcs12->exit_io_instruction_ecx = evmcs->exit_io_instruction_ecx;
1930 * vmcs12->exit_io_instruction_esi = evmcs->exit_io_instruction_esi;
1931 * vmcs12->exit_io_instruction_edi = evmcs->exit_io_instruction_edi;
1932 * vmcs12->exit_io_instruction_eip = evmcs->exit_io_instruction_eip;
1933 */
1934
1935 return;
1936#else /* CONFIG_KVM_HYPERV */
1937 KVM_BUG_ON(1, vmx->vcpu.kvm);
1938#endif /* CONFIG_KVM_HYPERV */
1939}
1940
1941static void copy_vmcs12_to_enlightened(struct vcpu_vmx *vmx)
1942{
1943#ifdef CONFIG_KVM_HYPERV
1944 struct vmcs12 *vmcs12 = vmx->nested.cached_vmcs12;
1945 struct hv_enlightened_vmcs *evmcs = nested_vmx_evmcs(vmx);
1946
1947 /*
1948 * Should not be changed by KVM:
1949 *
1950 * evmcs->host_es_selector = vmcs12->host_es_selector;
1951 * evmcs->host_cs_selector = vmcs12->host_cs_selector;
1952 * evmcs->host_ss_selector = vmcs12->host_ss_selector;
1953 * evmcs->host_ds_selector = vmcs12->host_ds_selector;
1954 * evmcs->host_fs_selector = vmcs12->host_fs_selector;
1955 * evmcs->host_gs_selector = vmcs12->host_gs_selector;
1956 * evmcs->host_tr_selector = vmcs12->host_tr_selector;
1957 * evmcs->host_ia32_pat = vmcs12->host_ia32_pat;
1958 * evmcs->host_ia32_efer = vmcs12->host_ia32_efer;
1959 * evmcs->host_cr0 = vmcs12->host_cr0;
1960 * evmcs->host_cr3 = vmcs12->host_cr3;
1961 * evmcs->host_cr4 = vmcs12->host_cr4;
1962 * evmcs->host_ia32_sysenter_esp = vmcs12->host_ia32_sysenter_esp;
1963 * evmcs->host_ia32_sysenter_eip = vmcs12->host_ia32_sysenter_eip;
1964 * evmcs->host_rip = vmcs12->host_rip;
1965 * evmcs->host_ia32_sysenter_cs = vmcs12->host_ia32_sysenter_cs;
1966 * evmcs->host_fs_base = vmcs12->host_fs_base;
1967 * evmcs->host_gs_base = vmcs12->host_gs_base;
1968 * evmcs->host_tr_base = vmcs12->host_tr_base;
1969 * evmcs->host_gdtr_base = vmcs12->host_gdtr_base;
1970 * evmcs->host_idtr_base = vmcs12->host_idtr_base;
1971 * evmcs->host_rsp = vmcs12->host_rsp;
1972 * sync_vmcs02_to_vmcs12() doesn't read these:
1973 * evmcs->io_bitmap_a = vmcs12->io_bitmap_a;
1974 * evmcs->io_bitmap_b = vmcs12->io_bitmap_b;
1975 * evmcs->msr_bitmap = vmcs12->msr_bitmap;
1976 * evmcs->ept_pointer = vmcs12->ept_pointer;
1977 * evmcs->xss_exit_bitmap = vmcs12->xss_exit_bitmap;
1978 * evmcs->vm_exit_msr_store_addr = vmcs12->vm_exit_msr_store_addr;
1979 * evmcs->vm_exit_msr_load_addr = vmcs12->vm_exit_msr_load_addr;
1980 * evmcs->vm_entry_msr_load_addr = vmcs12->vm_entry_msr_load_addr;
1981 * evmcs->tpr_threshold = vmcs12->tpr_threshold;
1982 * evmcs->virtual_processor_id = vmcs12->virtual_processor_id;
1983 * evmcs->exception_bitmap = vmcs12->exception_bitmap;
1984 * evmcs->vmcs_link_pointer = vmcs12->vmcs_link_pointer;
1985 * evmcs->pin_based_vm_exec_control = vmcs12->pin_based_vm_exec_control;
1986 * evmcs->vm_exit_controls = vmcs12->vm_exit_controls;
1987 * evmcs->secondary_vm_exec_control = vmcs12->secondary_vm_exec_control;
1988 * evmcs->page_fault_error_code_mask =
1989 * vmcs12->page_fault_error_code_mask;
1990 * evmcs->page_fault_error_code_match =
1991 * vmcs12->page_fault_error_code_match;
1992 * evmcs->cr3_target_count = vmcs12->cr3_target_count;
1993 * evmcs->virtual_apic_page_addr = vmcs12->virtual_apic_page_addr;
1994 * evmcs->tsc_offset = vmcs12->tsc_offset;
1995 * evmcs->guest_ia32_debugctl = vmcs12->guest_ia32_debugctl;
1996 * evmcs->cr0_guest_host_mask = vmcs12->cr0_guest_host_mask;
1997 * evmcs->cr4_guest_host_mask = vmcs12->cr4_guest_host_mask;
1998 * evmcs->cr0_read_shadow = vmcs12->cr0_read_shadow;
1999 * evmcs->cr4_read_shadow = vmcs12->cr4_read_shadow;
2000 * evmcs->vm_exit_msr_store_count = vmcs12->vm_exit_msr_store_count;
2001 * evmcs->vm_exit_msr_load_count = vmcs12->vm_exit_msr_load_count;
2002 * evmcs->vm_entry_msr_load_count = vmcs12->vm_entry_msr_load_count;
2003 * evmcs->guest_ia32_perf_global_ctrl = vmcs12->guest_ia32_perf_global_ctrl;
2004 * evmcs->host_ia32_perf_global_ctrl = vmcs12->host_ia32_perf_global_ctrl;
2005 * evmcs->encls_exiting_bitmap = vmcs12->encls_exiting_bitmap;
2006 * evmcs->tsc_multiplier = vmcs12->tsc_multiplier;
2007 *
2008 * Not present in struct vmcs12:
2009 * evmcs->exit_io_instruction_ecx = vmcs12->exit_io_instruction_ecx;
2010 * evmcs->exit_io_instruction_esi = vmcs12->exit_io_instruction_esi;
2011 * evmcs->exit_io_instruction_edi = vmcs12->exit_io_instruction_edi;
2012 * evmcs->exit_io_instruction_eip = vmcs12->exit_io_instruction_eip;
2013 * evmcs->host_ia32_s_cet = vmcs12->host_ia32_s_cet;
2014 * evmcs->host_ssp = vmcs12->host_ssp;
2015 * evmcs->host_ia32_int_ssp_table_addr = vmcs12->host_ia32_int_ssp_table_addr;
2016 * evmcs->guest_ia32_s_cet = vmcs12->guest_ia32_s_cet;
2017 * evmcs->guest_ia32_lbr_ctl = vmcs12->guest_ia32_lbr_ctl;
2018 * evmcs->guest_ia32_int_ssp_table_addr = vmcs12->guest_ia32_int_ssp_table_addr;
2019 * evmcs->guest_ssp = vmcs12->guest_ssp;
2020 */
2021
2022 evmcs->guest_es_selector = vmcs12->guest_es_selector;
2023 evmcs->guest_cs_selector = vmcs12->guest_cs_selector;
2024 evmcs->guest_ss_selector = vmcs12->guest_ss_selector;
2025 evmcs->guest_ds_selector = vmcs12->guest_ds_selector;
2026 evmcs->guest_fs_selector = vmcs12->guest_fs_selector;
2027 evmcs->guest_gs_selector = vmcs12->guest_gs_selector;
2028 evmcs->guest_ldtr_selector = vmcs12->guest_ldtr_selector;
2029 evmcs->guest_tr_selector = vmcs12->guest_tr_selector;
2030
2031 evmcs->guest_es_limit = vmcs12->guest_es_limit;
2032 evmcs->guest_cs_limit = vmcs12->guest_cs_limit;
2033 evmcs->guest_ss_limit = vmcs12->guest_ss_limit;
2034 evmcs->guest_ds_limit = vmcs12->guest_ds_limit;
2035 evmcs->guest_fs_limit = vmcs12->guest_fs_limit;
2036 evmcs->guest_gs_limit = vmcs12->guest_gs_limit;
2037 evmcs->guest_ldtr_limit = vmcs12->guest_ldtr_limit;
2038 evmcs->guest_tr_limit = vmcs12->guest_tr_limit;
2039 evmcs->guest_gdtr_limit = vmcs12->guest_gdtr_limit;
2040 evmcs->guest_idtr_limit = vmcs12->guest_idtr_limit;
2041
2042 evmcs->guest_es_ar_bytes = vmcs12->guest_es_ar_bytes;
2043 evmcs->guest_cs_ar_bytes = vmcs12->guest_cs_ar_bytes;
2044 evmcs->guest_ss_ar_bytes = vmcs12->guest_ss_ar_bytes;
2045 evmcs->guest_ds_ar_bytes = vmcs12->guest_ds_ar_bytes;
2046 evmcs->guest_fs_ar_bytes = vmcs12->guest_fs_ar_bytes;
2047 evmcs->guest_gs_ar_bytes = vmcs12->guest_gs_ar_bytes;
2048 evmcs->guest_ldtr_ar_bytes = vmcs12->guest_ldtr_ar_bytes;
2049 evmcs->guest_tr_ar_bytes = vmcs12->guest_tr_ar_bytes;
2050
2051 evmcs->guest_es_base = vmcs12->guest_es_base;
2052 evmcs->guest_cs_base = vmcs12->guest_cs_base;
2053 evmcs->guest_ss_base = vmcs12->guest_ss_base;
2054 evmcs->guest_ds_base = vmcs12->guest_ds_base;
2055 evmcs->guest_fs_base = vmcs12->guest_fs_base;
2056 evmcs->guest_gs_base = vmcs12->guest_gs_base;
2057 evmcs->guest_ldtr_base = vmcs12->guest_ldtr_base;
2058 evmcs->guest_tr_base = vmcs12->guest_tr_base;
2059 evmcs->guest_gdtr_base = vmcs12->guest_gdtr_base;
2060 evmcs->guest_idtr_base = vmcs12->guest_idtr_base;
2061
2062 evmcs->guest_ia32_pat = vmcs12->guest_ia32_pat;
2063 evmcs->guest_ia32_efer = vmcs12->guest_ia32_efer;
2064
2065 evmcs->guest_pdptr0 = vmcs12->guest_pdptr0;
2066 evmcs->guest_pdptr1 = vmcs12->guest_pdptr1;
2067 evmcs->guest_pdptr2 = vmcs12->guest_pdptr2;
2068 evmcs->guest_pdptr3 = vmcs12->guest_pdptr3;
2069
2070 evmcs->guest_pending_dbg_exceptions =
2071 vmcs12->guest_pending_dbg_exceptions;
2072 evmcs->guest_sysenter_esp = vmcs12->guest_sysenter_esp;
2073 evmcs->guest_sysenter_eip = vmcs12->guest_sysenter_eip;
2074
2075 evmcs->guest_activity_state = vmcs12->guest_activity_state;
2076 evmcs->guest_sysenter_cs = vmcs12->guest_sysenter_cs;
2077
2078 evmcs->guest_cr0 = vmcs12->guest_cr0;
2079 evmcs->guest_cr3 = vmcs12->guest_cr3;
2080 evmcs->guest_cr4 = vmcs12->guest_cr4;
2081 evmcs->guest_dr7 = vmcs12->guest_dr7;
2082
2083 evmcs->guest_physical_address = vmcs12->guest_physical_address;
2084
2085 evmcs->vm_instruction_error = vmcs12->vm_instruction_error;
2086 evmcs->vm_exit_reason = vmcs12->vm_exit_reason;
2087 evmcs->vm_exit_intr_info = vmcs12->vm_exit_intr_info;
2088 evmcs->vm_exit_intr_error_code = vmcs12->vm_exit_intr_error_code;
2089 evmcs->idt_vectoring_info_field = vmcs12->idt_vectoring_info_field;
2090 evmcs->idt_vectoring_error_code = vmcs12->idt_vectoring_error_code;
2091 evmcs->vm_exit_instruction_len = vmcs12->vm_exit_instruction_len;
2092 evmcs->vmx_instruction_info = vmcs12->vmx_instruction_info;
2093
2094 evmcs->exit_qualification = vmcs12->exit_qualification;
2095
2096 evmcs->guest_linear_address = vmcs12->guest_linear_address;
2097 evmcs->guest_rsp = vmcs12->guest_rsp;
2098 evmcs->guest_rflags = vmcs12->guest_rflags;
2099
2100 evmcs->guest_interruptibility_info =
2101 vmcs12->guest_interruptibility_info;
2102 evmcs->cpu_based_vm_exec_control = vmcs12->cpu_based_vm_exec_control;
2103 evmcs->vm_entry_controls = vmcs12->vm_entry_controls;
2104 evmcs->vm_entry_intr_info_field = vmcs12->vm_entry_intr_info_field;
2105 evmcs->vm_entry_exception_error_code =
2106 vmcs12->vm_entry_exception_error_code;
2107 evmcs->vm_entry_instruction_len = vmcs12->vm_entry_instruction_len;
2108
2109 evmcs->guest_rip = vmcs12->guest_rip;
2110
2111 evmcs->guest_bndcfgs = vmcs12->guest_bndcfgs;
2112
2113 return;
2114#else /* CONFIG_KVM_HYPERV */
2115 KVM_BUG_ON(1, vmx->vcpu.kvm);
2116#endif /* CONFIG_KVM_HYPERV */
2117}
2118
2119/*
2120 * This is an equivalent of the nested hypervisor executing the vmptrld
2121 * instruction.
2122 */
2123static enum nested_evmptrld_status nested_vmx_handle_enlightened_vmptrld(
2124 struct kvm_vcpu *vcpu, bool from_launch)
2125{
2126#ifdef CONFIG_KVM_HYPERV
2127 struct vcpu_vmx *vmx = to_vmx(vcpu);
2128 bool evmcs_gpa_changed = false;
2129 u64 evmcs_gpa;
2130
2131 if (likely(!guest_cpu_cap_has_evmcs(vcpu)))
2132 return EVMPTRLD_DISABLED;
2133
2134 evmcs_gpa = nested_get_evmptr(vcpu);
2135 if (!evmptr_is_valid(evmptr: evmcs_gpa)) {
2136 nested_release_evmcs(vcpu);
2137 return EVMPTRLD_DISABLED;
2138 }
2139
2140 if (unlikely(evmcs_gpa != vmx->nested.hv_evmcs_vmptr)) {
2141 vmx->nested.current_vmptr = INVALID_GPA;
2142
2143 nested_release_evmcs(vcpu);
2144
2145 if (kvm_vcpu_map(vcpu, gpa: gpa_to_gfn(gpa: evmcs_gpa),
2146 map: &vmx->nested.hv_evmcs_map))
2147 return EVMPTRLD_ERROR;
2148
2149 vmx->nested.hv_evmcs = vmx->nested.hv_evmcs_map.hva;
2150
2151 /*
2152 * Currently, KVM only supports eVMCS version 1
2153 * (== KVM_EVMCS_VERSION) and thus we expect guest to set this
2154 * value to first u32 field of eVMCS which should specify eVMCS
2155 * VersionNumber.
2156 *
2157 * Guest should be aware of supported eVMCS versions by host by
2158 * examining CPUID.0x4000000A.EAX[0:15]. Host userspace VMM is
2159 * expected to set this CPUID leaf according to the value
2160 * returned in vmcs_version from nested_enable_evmcs().
2161 *
2162 * However, it turns out that Microsoft Hyper-V fails to comply
2163 * to their own invented interface: When Hyper-V use eVMCS, it
2164 * just sets first u32 field of eVMCS to revision_id specified
2165 * in MSR_IA32_VMX_BASIC. Instead of used eVMCS version number
2166 * which is one of the supported versions specified in
2167 * CPUID.0x4000000A.EAX[0:15].
2168 *
2169 * To overcome Hyper-V bug, we accept here either a supported
2170 * eVMCS version or VMCS12 revision_id as valid values for first
2171 * u32 field of eVMCS.
2172 */
2173 if ((vmx->nested.hv_evmcs->revision_id != KVM_EVMCS_VERSION) &&
2174 (vmx->nested.hv_evmcs->revision_id != VMCS12_REVISION)) {
2175 nested_release_evmcs(vcpu);
2176 return EVMPTRLD_VMFAIL;
2177 }
2178
2179 vmx->nested.hv_evmcs_vmptr = evmcs_gpa;
2180
2181 evmcs_gpa_changed = true;
2182 /*
2183 * Unlike normal vmcs12, enlightened vmcs12 is not fully
2184 * reloaded from guest's memory (read only fields, fields not
2185 * present in struct hv_enlightened_vmcs, ...). Make sure there
2186 * are no leftovers.
2187 */
2188 if (from_launch) {
2189 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
2190 memset(vmcs12, 0, sizeof(*vmcs12));
2191 vmcs12->hdr.revision_id = VMCS12_REVISION;
2192 }
2193
2194 }
2195
2196 /*
2197 * Clean fields data can't be used on VMLAUNCH and when we switch
2198 * between different L2 guests as KVM keeps a single VMCS12 per L1.
2199 */
2200 if (from_launch || evmcs_gpa_changed) {
2201 vmx->nested.hv_evmcs->hv_clean_fields &=
2202 ~HV_VMX_ENLIGHTENED_CLEAN_FIELD_ALL;
2203
2204 vmx->nested.force_msr_bitmap_recalc = true;
2205 }
2206
2207 return EVMPTRLD_SUCCEEDED;
2208#else
2209 return EVMPTRLD_DISABLED;
2210#endif
2211}
2212
2213void nested_sync_vmcs12_to_shadow(struct kvm_vcpu *vcpu)
2214{
2215 struct vcpu_vmx *vmx = to_vmx(vcpu);
2216
2217 if (nested_vmx_is_evmptr12_valid(vmx))
2218 copy_vmcs12_to_enlightened(vmx);
2219 else
2220 copy_vmcs12_to_shadow(vmx);
2221
2222 vmx->nested.need_vmcs12_to_shadow_sync = false;
2223}
2224
2225static enum hrtimer_restart vmx_preemption_timer_fn(struct hrtimer *timer)
2226{
2227 struct vcpu_vmx *vmx =
2228 container_of(timer, struct vcpu_vmx, nested.preemption_timer);
2229
2230 vmx->nested.preemption_timer_expired = true;
2231 kvm_make_request(KVM_REQ_EVENT, vcpu: &vmx->vcpu);
2232 kvm_vcpu_kick(vcpu: &vmx->vcpu);
2233
2234 return HRTIMER_NORESTART;
2235}
2236
2237static u64 vmx_calc_preemption_timer_value(struct kvm_vcpu *vcpu)
2238{
2239 struct vcpu_vmx *vmx = to_vmx(vcpu);
2240 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
2241
2242 u64 l1_scaled_tsc = kvm_read_l1_tsc(vcpu, host_tsc: rdtsc()) >>
2243 VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE;
2244
2245 if (!vmx->nested.has_preemption_timer_deadline) {
2246 vmx->nested.preemption_timer_deadline =
2247 vmcs12->vmx_preemption_timer_value + l1_scaled_tsc;
2248 vmx->nested.has_preemption_timer_deadline = true;
2249 }
2250 return vmx->nested.preemption_timer_deadline - l1_scaled_tsc;
2251}
2252
2253static void vmx_start_preemption_timer(struct kvm_vcpu *vcpu,
2254 u64 preemption_timeout)
2255{
2256 struct vcpu_vmx *vmx = to_vmx(vcpu);
2257
2258 /*
2259 * A timer value of zero is architecturally guaranteed to cause
2260 * a VMExit prior to executing any instructions in the guest.
2261 */
2262 if (preemption_timeout == 0) {
2263 vmx_preemption_timer_fn(timer: &vmx->nested.preemption_timer);
2264 return;
2265 }
2266
2267 if (vcpu->arch.virtual_tsc_khz == 0)
2268 return;
2269
2270 preemption_timeout <<= VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE;
2271 preemption_timeout *= 1000000;
2272 do_div(preemption_timeout, vcpu->arch.virtual_tsc_khz);
2273 hrtimer_start(timer: &vmx->nested.preemption_timer,
2274 ktime_add_ns(ktime_get(), preemption_timeout),
2275 mode: HRTIMER_MODE_ABS_PINNED);
2276}
2277
2278static u64 nested_vmx_calc_efer(struct vcpu_vmx *vmx, struct vmcs12 *vmcs12)
2279{
2280 if (vmx->nested.nested_run_pending &&
2281 (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER))
2282 return vmcs12->guest_ia32_efer;
2283 else if (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE)
2284 return vmx->vcpu.arch.efer | (EFER_LMA | EFER_LME);
2285 else
2286 return vmx->vcpu.arch.efer & ~(EFER_LMA | EFER_LME);
2287}
2288
2289static void prepare_vmcs02_constant_state(struct vcpu_vmx *vmx)
2290{
2291 struct kvm *kvm = vmx->vcpu.kvm;
2292
2293 /*
2294 * If vmcs02 hasn't been initialized, set the constant vmcs02 state
2295 * according to L0's settings (vmcs12 is irrelevant here). Host
2296 * fields that come from L0 and are not constant, e.g. HOST_CR3,
2297 * will be set as needed prior to VMLAUNCH/VMRESUME.
2298 */
2299 if (vmx->nested.vmcs02_initialized)
2300 return;
2301 vmx->nested.vmcs02_initialized = true;
2302
2303 if (vmx->ve_info)
2304 vmcs_write64(field: VE_INFORMATION_ADDRESS, __pa(vmx->ve_info));
2305
2306 /* All VMFUNCs are currently emulated through L0 vmexits. */
2307 if (cpu_has_vmx_vmfunc())
2308 vmcs_write64(field: VM_FUNCTION_CONTROL, value: 0);
2309
2310 if (cpu_has_vmx_posted_intr())
2311 vmcs_write16(field: POSTED_INTR_NV, POSTED_INTR_NESTED_VECTOR);
2312
2313 if (cpu_has_vmx_msr_bitmap())
2314 vmcs_write64(field: MSR_BITMAP, __pa(vmx->nested.vmcs02.msr_bitmap));
2315
2316 /*
2317 * PML is emulated for L2, but never enabled in hardware as the MMU
2318 * handles A/D emulation. Disabling PML for L2 also avoids having to
2319 * deal with filtering out L2 GPAs from the buffer.
2320 */
2321 if (enable_pml) {
2322 vmcs_write64(field: PML_ADDRESS, value: 0);
2323 vmcs_write16(field: GUEST_PML_INDEX, value: -1);
2324 }
2325
2326 if (cpu_has_vmx_encls_vmexit())
2327 vmcs_write64(field: ENCLS_EXITING_BITMAP, INVALID_GPA);
2328
2329 if (kvm_notify_vmexit_enabled(kvm))
2330 vmcs_write32(field: NOTIFY_WINDOW, value: kvm->arch.notify_window);
2331
2332 /*
2333 * Set the MSR load/store lists to match L0's settings. Only the
2334 * addresses are constant (for vmcs02), the counts can change based
2335 * on L2's behavior, e.g. switching to/from long mode.
2336 */
2337 vmcs_write64(field: VM_EXIT_MSR_STORE_ADDR, __pa(vmx->msr_autostore.guest.val));
2338 vmcs_write64(field: VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host.val));
2339 vmcs_write64(field: VM_ENTRY_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.guest.val));
2340
2341 vmx_set_constant_host_state(vmx);
2342}
2343
2344static void prepare_vmcs02_early_rare(struct vcpu_vmx *vmx,
2345 struct vmcs12 *vmcs12)
2346{
2347 prepare_vmcs02_constant_state(vmx);
2348
2349 vmcs_write64(field: VMCS_LINK_POINTER, INVALID_GPA);
2350
2351 /*
2352 * If VPID is disabled, then guest TLB accesses use VPID=0, i.e. the
2353 * same VPID as the host. Emulate this behavior by using vpid01 for L2
2354 * if VPID is disabled in vmcs12. Note, if VPID is disabled, VM-Enter
2355 * and VM-Exit are architecturally required to flush VPID=0, but *only*
2356 * VPID=0. I.e. using vpid02 would be ok (so long as KVM emulates the
2357 * required flushes), but doing so would cause KVM to over-flush. E.g.
2358 * if L1 runs L2 X with VPID12=1, then runs L2 Y with VPID12 disabled,
2359 * and then runs L2 X again, then KVM can and should retain TLB entries
2360 * for VPID12=1.
2361 */
2362 if (enable_vpid) {
2363 if (nested_cpu_has_vpid(vmcs12) && vmx->nested.vpid02)
2364 vmcs_write16(field: VIRTUAL_PROCESSOR_ID, value: vmx->nested.vpid02);
2365 else
2366 vmcs_write16(field: VIRTUAL_PROCESSOR_ID, value: vmx->vpid);
2367 }
2368}
2369
2370static void prepare_vmcs02_early(struct vcpu_vmx *vmx, struct loaded_vmcs *vmcs01,
2371 struct vmcs12 *vmcs12)
2372{
2373 u32 exec_control;
2374 u64 guest_efer = nested_vmx_calc_efer(vmx, vmcs12);
2375
2376 if (vmx->nested.dirty_vmcs12 || nested_vmx_is_evmptr12_valid(vmx))
2377 prepare_vmcs02_early_rare(vmx, vmcs12);
2378
2379 /*
2380 * PIN CONTROLS
2381 */
2382 exec_control = __pin_controls_get(vmcs: vmcs01);
2383 exec_control |= (vmcs12->pin_based_vm_exec_control &
2384 ~PIN_BASED_VMX_PREEMPTION_TIMER);
2385
2386 /* Posted interrupts setting is only taken from vmcs12. */
2387 vmx->nested.pi_pending = false;
2388 if (nested_cpu_has_posted_intr(vmcs12)) {
2389 vmx->nested.posted_intr_nv = vmcs12->posted_intr_nv;
2390 } else {
2391 vmx->nested.posted_intr_nv = -1;
2392 exec_control &= ~PIN_BASED_POSTED_INTR;
2393 }
2394 pin_controls_set(vmx, val: exec_control);
2395
2396 /*
2397 * EXEC CONTROLS
2398 */
2399 exec_control = __exec_controls_get(vmcs: vmcs01); /* L0's desires */
2400 exec_control &= ~CPU_BASED_INTR_WINDOW_EXITING;
2401 exec_control &= ~CPU_BASED_NMI_WINDOW_EXITING;
2402 exec_control &= ~CPU_BASED_TPR_SHADOW;
2403 exec_control |= vmcs12->cpu_based_vm_exec_control;
2404
2405 vmx->nested.l1_tpr_threshold = -1;
2406 if (exec_control & CPU_BASED_TPR_SHADOW)
2407 vmcs_write32(field: TPR_THRESHOLD, value: vmcs12->tpr_threshold);
2408#ifdef CONFIG_X86_64
2409 else
2410 exec_control |= CPU_BASED_CR8_LOAD_EXITING |
2411 CPU_BASED_CR8_STORE_EXITING;
2412#endif
2413
2414 /*
2415 * A vmexit (to either L1 hypervisor or L0 userspace) is always needed
2416 * for I/O port accesses.
2417 */
2418 exec_control |= CPU_BASED_UNCOND_IO_EXITING;
2419 exec_control &= ~CPU_BASED_USE_IO_BITMAPS;
2420
2421 /*
2422 * This bit will be computed in nested_get_vmcs12_pages, because
2423 * we do not have access to L1's MSR bitmap yet. For now, keep
2424 * the same bit as before, hoping to avoid multiple VMWRITEs that
2425 * only set/clear this bit.
2426 */
2427 exec_control &= ~CPU_BASED_USE_MSR_BITMAPS;
2428 exec_control |= exec_controls_get(vmx) & CPU_BASED_USE_MSR_BITMAPS;
2429
2430 exec_controls_set(vmx, val: exec_control);
2431
2432 /*
2433 * SECONDARY EXEC CONTROLS
2434 */
2435 if (cpu_has_secondary_exec_ctrls()) {
2436 exec_control = __secondary_exec_controls_get(vmcs: vmcs01);
2437
2438 /* Take the following fields only from vmcs12 */
2439 exec_control &= ~(SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
2440 SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
2441 SECONDARY_EXEC_ENABLE_INVPCID |
2442 SECONDARY_EXEC_ENABLE_RDTSCP |
2443 SECONDARY_EXEC_ENABLE_XSAVES |
2444 SECONDARY_EXEC_ENABLE_USR_WAIT_PAUSE |
2445 SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
2446 SECONDARY_EXEC_APIC_REGISTER_VIRT |
2447 SECONDARY_EXEC_ENABLE_VMFUNC |
2448 SECONDARY_EXEC_DESC);
2449
2450 if (nested_cpu_has(vmcs12,
2451 CPU_BASED_ACTIVATE_SECONDARY_CONTROLS))
2452 exec_control |= vmcs12->secondary_vm_exec_control;
2453
2454 /* PML is emulated and never enabled in hardware for L2. */
2455 exec_control &= ~SECONDARY_EXEC_ENABLE_PML;
2456
2457 /* VMCS shadowing for L2 is emulated for now */
2458 exec_control &= ~SECONDARY_EXEC_SHADOW_VMCS;
2459
2460 /*
2461 * Preset *DT exiting when emulating UMIP, so that vmx_set_cr4()
2462 * will not have to rewrite the controls just for this bit.
2463 */
2464 if (vmx_umip_emulated() && (vmcs12->guest_cr4 & X86_CR4_UMIP))
2465 exec_control |= SECONDARY_EXEC_DESC;
2466
2467 if (exec_control & SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY)
2468 vmcs_write16(field: GUEST_INTR_STATUS,
2469 value: vmcs12->guest_intr_status);
2470
2471 if (!nested_cpu_has2(vmcs12, SECONDARY_EXEC_UNRESTRICTED_GUEST))
2472 exec_control &= ~SECONDARY_EXEC_UNRESTRICTED_GUEST;
2473
2474 if (exec_control & SECONDARY_EXEC_ENCLS_EXITING)
2475 vmx_write_encls_bitmap(vcpu: &vmx->vcpu, vmcs12);
2476
2477 secondary_exec_controls_set(vmx, val: exec_control);
2478 }
2479
2480 /*
2481 * ENTRY CONTROLS
2482 *
2483 * vmcs12's VM_{ENTRY,EXIT}_LOAD_IA32_EFER and VM_ENTRY_IA32E_MODE
2484 * are emulated by vmx_set_efer() in prepare_vmcs02(), but speculate
2485 * on the related bits (if supported by the CPU) in the hope that
2486 * we can avoid VMWrites during vmx_set_efer().
2487 *
2488 * Similarly, take vmcs01's PERF_GLOBAL_CTRL in the hope that if KVM is
2489 * loading PERF_GLOBAL_CTRL via the VMCS for L1, then KVM will want to
2490 * do the same for L2.
2491 */
2492 exec_control = __vm_entry_controls_get(vmcs: vmcs01);
2493 exec_control |= (vmcs12->vm_entry_controls &
2494 ~VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
2495 exec_control &= ~(VM_ENTRY_IA32E_MODE | VM_ENTRY_LOAD_IA32_EFER);
2496 if (cpu_has_load_ia32_efer()) {
2497 if (guest_efer & EFER_LMA)
2498 exec_control |= VM_ENTRY_IA32E_MODE;
2499 if (guest_efer != kvm_host.efer)
2500 exec_control |= VM_ENTRY_LOAD_IA32_EFER;
2501 }
2502 vm_entry_controls_set(vmx, val: exec_control);
2503
2504 /*
2505 * EXIT CONTROLS
2506 *
2507 * L2->L1 exit controls are emulated - the hardware exit is to L0 so
2508 * we should use its exit controls. Note that VM_EXIT_LOAD_IA32_EFER
2509 * bits may be modified by vmx_set_efer() in prepare_vmcs02().
2510 */
2511 exec_control = __vm_exit_controls_get(vmcs: vmcs01);
2512 if (cpu_has_load_ia32_efer() && guest_efer != kvm_host.efer)
2513 exec_control |= VM_EXIT_LOAD_IA32_EFER;
2514 else
2515 exec_control &= ~VM_EXIT_LOAD_IA32_EFER;
2516 vm_exit_controls_set(vmx, val: exec_control);
2517
2518 /*
2519 * Interrupt/Exception Fields
2520 */
2521 if (vmx->nested.nested_run_pending) {
2522 vmcs_write32(field: VM_ENTRY_INTR_INFO_FIELD,
2523 value: vmcs12->vm_entry_intr_info_field);
2524 vmcs_write32(field: VM_ENTRY_EXCEPTION_ERROR_CODE,
2525 value: vmcs12->vm_entry_exception_error_code);
2526 vmcs_write32(field: VM_ENTRY_INSTRUCTION_LEN,
2527 value: vmcs12->vm_entry_instruction_len);
2528 vmcs_write32(field: GUEST_INTERRUPTIBILITY_INFO,
2529 value: vmcs12->guest_interruptibility_info);
2530 vmx->loaded_vmcs->nmi_known_unmasked =
2531 !(vmcs12->guest_interruptibility_info & GUEST_INTR_STATE_NMI);
2532 } else {
2533 vmcs_write32(field: VM_ENTRY_INTR_INFO_FIELD, value: 0);
2534 }
2535}
2536
2537static void vmcs_read_cet_state(struct kvm_vcpu *vcpu, u64 *s_cet,
2538 u64 *ssp, u64 *ssp_tbl)
2539{
2540 if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) ||
2541 guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK))
2542 *s_cet = vmcs_readl(field: GUEST_S_CET);
2543
2544 if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) {
2545 *ssp = vmcs_readl(field: GUEST_SSP);
2546 *ssp_tbl = vmcs_readl(field: GUEST_INTR_SSP_TABLE);
2547 }
2548}
2549
2550static void vmcs_write_cet_state(struct kvm_vcpu *vcpu, u64 s_cet,
2551 u64 ssp, u64 ssp_tbl)
2552{
2553 if (guest_cpu_cap_has(vcpu, X86_FEATURE_IBT) ||
2554 guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK))
2555 vmcs_writel(field: GUEST_S_CET, value: s_cet);
2556
2557 if (guest_cpu_cap_has(vcpu, X86_FEATURE_SHSTK)) {
2558 vmcs_writel(field: GUEST_SSP, value: ssp);
2559 vmcs_writel(field: GUEST_INTR_SSP_TABLE, value: ssp_tbl);
2560 }
2561}
2562
2563static void prepare_vmcs02_rare(struct vcpu_vmx *vmx, struct vmcs12 *vmcs12)
2564{
2565 struct hv_enlightened_vmcs *hv_evmcs = nested_vmx_evmcs(vmx);
2566
2567 if (!hv_evmcs || !(hv_evmcs->hv_clean_fields &
2568 HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_GRP2)) {
2569
2570 vmcs_write16(field: GUEST_ES_SELECTOR, value: vmcs12->guest_es_selector);
2571 vmcs_write16(field: GUEST_CS_SELECTOR, value: vmcs12->guest_cs_selector);
2572 vmcs_write16(field: GUEST_SS_SELECTOR, value: vmcs12->guest_ss_selector);
2573 vmcs_write16(field: GUEST_DS_SELECTOR, value: vmcs12->guest_ds_selector);
2574 vmcs_write16(field: GUEST_FS_SELECTOR, value: vmcs12->guest_fs_selector);
2575 vmcs_write16(field: GUEST_GS_SELECTOR, value: vmcs12->guest_gs_selector);
2576 vmcs_write16(field: GUEST_LDTR_SELECTOR, value: vmcs12->guest_ldtr_selector);
2577 vmcs_write16(field: GUEST_TR_SELECTOR, value: vmcs12->guest_tr_selector);
2578 vmcs_write32(field: GUEST_ES_LIMIT, value: vmcs12->guest_es_limit);
2579 vmcs_write32(field: GUEST_CS_LIMIT, value: vmcs12->guest_cs_limit);
2580 vmcs_write32(field: GUEST_SS_LIMIT, value: vmcs12->guest_ss_limit);
2581 vmcs_write32(field: GUEST_DS_LIMIT, value: vmcs12->guest_ds_limit);
2582 vmcs_write32(field: GUEST_FS_LIMIT, value: vmcs12->guest_fs_limit);
2583 vmcs_write32(field: GUEST_GS_LIMIT, value: vmcs12->guest_gs_limit);
2584 vmcs_write32(field: GUEST_LDTR_LIMIT, value: vmcs12->guest_ldtr_limit);
2585 vmcs_write32(field: GUEST_TR_LIMIT, value: vmcs12->guest_tr_limit);
2586 vmcs_write32(field: GUEST_GDTR_LIMIT, value: vmcs12->guest_gdtr_limit);
2587 vmcs_write32(field: GUEST_IDTR_LIMIT, value: vmcs12->guest_idtr_limit);
2588 vmcs_write32(field: GUEST_CS_AR_BYTES, value: vmcs12->guest_cs_ar_bytes);
2589 vmcs_write32(field: GUEST_SS_AR_BYTES, value: vmcs12->guest_ss_ar_bytes);
2590 vmcs_write32(field: GUEST_ES_AR_BYTES, value: vmcs12->guest_es_ar_bytes);
2591 vmcs_write32(field: GUEST_DS_AR_BYTES, value: vmcs12->guest_ds_ar_bytes);
2592 vmcs_write32(field: GUEST_FS_AR_BYTES, value: vmcs12->guest_fs_ar_bytes);
2593 vmcs_write32(field: GUEST_GS_AR_BYTES, value: vmcs12->guest_gs_ar_bytes);
2594 vmcs_write32(field: GUEST_LDTR_AR_BYTES, value: vmcs12->guest_ldtr_ar_bytes);
2595 vmcs_write32(field: GUEST_TR_AR_BYTES, value: vmcs12->guest_tr_ar_bytes);
2596 vmcs_writel(field: GUEST_ES_BASE, value: vmcs12->guest_es_base);
2597 vmcs_writel(field: GUEST_CS_BASE, value: vmcs12->guest_cs_base);
2598 vmcs_writel(field: GUEST_SS_BASE, value: vmcs12->guest_ss_base);
2599 vmcs_writel(field: GUEST_DS_BASE, value: vmcs12->guest_ds_base);
2600 vmcs_writel(field: GUEST_FS_BASE, value: vmcs12->guest_fs_base);
2601 vmcs_writel(field: GUEST_GS_BASE, value: vmcs12->guest_gs_base);
2602 vmcs_writel(field: GUEST_LDTR_BASE, value: vmcs12->guest_ldtr_base);
2603 vmcs_writel(field: GUEST_TR_BASE, value: vmcs12->guest_tr_base);
2604 vmcs_writel(field: GUEST_GDTR_BASE, value: vmcs12->guest_gdtr_base);
2605 vmcs_writel(field: GUEST_IDTR_BASE, value: vmcs12->guest_idtr_base);
2606
2607 vmx_segment_cache_clear(vmx);
2608 }
2609
2610 if (!hv_evmcs || !(hv_evmcs->hv_clean_fields &
2611 HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_GRP1)) {
2612 vmcs_write32(field: GUEST_SYSENTER_CS, value: vmcs12->guest_sysenter_cs);
2613 vmcs_writel(field: GUEST_PENDING_DBG_EXCEPTIONS,
2614 value: vmcs12->guest_pending_dbg_exceptions);
2615 vmcs_writel(field: GUEST_SYSENTER_ESP, value: vmcs12->guest_sysenter_esp);
2616 vmcs_writel(field: GUEST_SYSENTER_EIP, value: vmcs12->guest_sysenter_eip);
2617
2618 /*
2619 * L1 may access the L2's PDPTR, so save them to construct
2620 * vmcs12
2621 */
2622 if (enable_ept) {
2623 vmcs_write64(field: GUEST_PDPTR0, value: vmcs12->guest_pdptr0);
2624 vmcs_write64(field: GUEST_PDPTR1, value: vmcs12->guest_pdptr1);
2625 vmcs_write64(field: GUEST_PDPTR2, value: vmcs12->guest_pdptr2);
2626 vmcs_write64(field: GUEST_PDPTR3, value: vmcs12->guest_pdptr3);
2627 }
2628
2629 if (kvm_mpx_supported() && vmx->nested.nested_run_pending &&
2630 (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
2631 vmcs_write64(field: GUEST_BNDCFGS, value: vmcs12->guest_bndcfgs);
2632 }
2633
2634 if (nested_cpu_has_xsaves(vmcs12))
2635 vmcs_write64(field: XSS_EXIT_BITMAP, value: vmcs12->xss_exit_bitmap);
2636
2637 /*
2638 * Whether page-faults are trapped is determined by a combination of
2639 * 3 settings: PFEC_MASK, PFEC_MATCH and EXCEPTION_BITMAP.PF. If L0
2640 * doesn't care about page faults then we should set all of these to
2641 * L1's desires. However, if L0 does care about (some) page faults, it
2642 * is not easy (if at all possible?) to merge L0 and L1's desires, we
2643 * simply ask to exit on each and every L2 page fault. This is done by
2644 * setting MASK=MATCH=0 and (see below) EB.PF=1.
2645 * Note that below we don't need special code to set EB.PF beyond the
2646 * "or"ing of the EB of vmcs01 and vmcs12, because when enable_ept,
2647 * vmcs01's EB.PF is 0 so the "or" will take vmcs12's value, and when
2648 * !enable_ept, EB.PF is 1, so the "or" will always be 1.
2649 */
2650 if (vmx_need_pf_intercept(vcpu: &vmx->vcpu)) {
2651 /*
2652 * TODO: if both L0 and L1 need the same MASK and MATCH,
2653 * go ahead and use it?
2654 */
2655 vmcs_write32(field: PAGE_FAULT_ERROR_CODE_MASK, value: 0);
2656 vmcs_write32(field: PAGE_FAULT_ERROR_CODE_MATCH, value: 0);
2657 } else {
2658 vmcs_write32(field: PAGE_FAULT_ERROR_CODE_MASK, value: vmcs12->page_fault_error_code_mask);
2659 vmcs_write32(field: PAGE_FAULT_ERROR_CODE_MATCH, value: vmcs12->page_fault_error_code_match);
2660 }
2661
2662 if (cpu_has_vmx_apicv()) {
2663 vmcs_write64(field: EOI_EXIT_BITMAP0, value: vmcs12->eoi_exit_bitmap0);
2664 vmcs_write64(field: EOI_EXIT_BITMAP1, value: vmcs12->eoi_exit_bitmap1);
2665 vmcs_write64(field: EOI_EXIT_BITMAP2, value: vmcs12->eoi_exit_bitmap2);
2666 vmcs_write64(field: EOI_EXIT_BITMAP3, value: vmcs12->eoi_exit_bitmap3);
2667 }
2668
2669 /*
2670 * Make sure the msr_autostore list is up to date before we set the
2671 * count in the vmcs02.
2672 */
2673 prepare_vmx_msr_autostore_list(vcpu: &vmx->vcpu, MSR_IA32_TSC);
2674
2675 vmcs_write32(field: VM_EXIT_MSR_STORE_COUNT, value: vmx->msr_autostore.guest.nr);
2676 vmcs_write32(field: VM_EXIT_MSR_LOAD_COUNT, value: vmx->msr_autoload.host.nr);
2677 vmcs_write32(field: VM_ENTRY_MSR_LOAD_COUNT, value: vmx->msr_autoload.guest.nr);
2678
2679 if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE)
2680 vmcs_write_cet_state(vcpu: &vmx->vcpu, s_cet: vmcs12->guest_s_cet,
2681 ssp: vmcs12->guest_ssp, ssp_tbl: vmcs12->guest_ssp_tbl);
2682
2683 set_cr4_guest_host_mask(vmx);
2684}
2685
2686/*
2687 * prepare_vmcs02 is called when the L1 guest hypervisor runs its nested
2688 * L2 guest. L1 has a vmcs for L2 (vmcs12), and this function "merges" it
2689 * with L0's requirements for its guest (a.k.a. vmcs01), so we can run the L2
2690 * guest in a way that will both be appropriate to L1's requests, and our
2691 * needs. In addition to modifying the active vmcs (which is vmcs02), this
2692 * function also has additional necessary side-effects, like setting various
2693 * vcpu->arch fields.
2694 * Returns 0 on success, 1 on failure. Invalid state exit qualification code
2695 * is assigned to entry_failure_code on failure.
2696 */
2697static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
2698 bool from_vmentry,
2699 enum vm_entry_failure_code *entry_failure_code)
2700{
2701 struct vcpu_vmx *vmx = to_vmx(vcpu);
2702 struct hv_enlightened_vmcs *evmcs = nested_vmx_evmcs(vmx);
2703 bool load_guest_pdptrs_vmcs12 = false;
2704
2705 if (vmx->nested.dirty_vmcs12 || nested_vmx_is_evmptr12_valid(vmx)) {
2706 prepare_vmcs02_rare(vmx, vmcs12);
2707 vmx->nested.dirty_vmcs12 = false;
2708
2709 load_guest_pdptrs_vmcs12 = !nested_vmx_is_evmptr12_valid(vmx) ||
2710 !(evmcs->hv_clean_fields & HV_VMX_ENLIGHTENED_CLEAN_FIELD_GUEST_GRP1);
2711 }
2712
2713 if (vmx->nested.nested_run_pending &&
2714 (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) {
2715 kvm_set_dr(vcpu, dr: 7, val: vmcs12->guest_dr7);
2716 vmx_guest_debugctl_write(vcpu, val: vmcs12->guest_ia32_debugctl &
2717 vmx_get_supported_debugctl(vcpu, host_initiated: false));
2718 } else {
2719 kvm_set_dr(vcpu, dr: 7, val: vcpu->arch.dr7);
2720 vmx_guest_debugctl_write(vcpu, val: vmx->nested.pre_vmenter_debugctl);
2721 }
2722
2723 if (!vmx->nested.nested_run_pending ||
2724 !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE))
2725 vmcs_write_cet_state(vcpu, s_cet: vmx->nested.pre_vmenter_s_cet,
2726 ssp: vmx->nested.pre_vmenter_ssp,
2727 ssp_tbl: vmx->nested.pre_vmenter_ssp_tbl);
2728
2729 if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending ||
2730 !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
2731 vmcs_write64(field: GUEST_BNDCFGS, value: vmx->nested.pre_vmenter_bndcfgs);
2732 vmx_set_rflags(vcpu, rflags: vmcs12->guest_rflags);
2733
2734 /* EXCEPTION_BITMAP and CR0_GUEST_HOST_MASK should basically be the
2735 * bitwise-or of what L1 wants to trap for L2, and what we want to
2736 * trap. Note that CR0.TS also needs updating - we do this later.
2737 */
2738 vmx_update_exception_bitmap(vcpu);
2739 vcpu->arch.cr0_guest_owned_bits &= ~vmcs12->cr0_guest_host_mask;
2740 vmcs_writel(field: CR0_GUEST_HOST_MASK, value: ~vcpu->arch.cr0_guest_owned_bits);
2741
2742 if (vmx->nested.nested_run_pending &&
2743 (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT)) {
2744 vmcs_write64(field: GUEST_IA32_PAT, value: vmcs12->guest_ia32_pat);
2745 vcpu->arch.pat = vmcs12->guest_ia32_pat;
2746 } else if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
2747 vmcs_write64(field: GUEST_IA32_PAT, value: vcpu->arch.pat);
2748 }
2749
2750 vcpu->arch.tsc_offset = kvm_calc_nested_tsc_offset(
2751 l1_offset: vcpu->arch.l1_tsc_offset,
2752 l2_offset: vmx_get_l2_tsc_offset(vcpu),
2753 l2_multiplier: vmx_get_l2_tsc_multiplier(vcpu));
2754
2755 vcpu->arch.tsc_scaling_ratio = kvm_calc_nested_tsc_multiplier(
2756 l1_multiplier: vcpu->arch.l1_tsc_scaling_ratio,
2757 l2_multiplier: vmx_get_l2_tsc_multiplier(vcpu));
2758
2759 vmcs_write64(field: TSC_OFFSET, value: vcpu->arch.tsc_offset);
2760 if (kvm_caps.has_tsc_control)
2761 vmcs_write64(field: TSC_MULTIPLIER, value: vcpu->arch.tsc_scaling_ratio);
2762
2763 nested_vmx_transition_tlb_flush(vcpu, vmcs12, is_vmenter: true);
2764
2765 if (nested_cpu_has_ept(vmcs12))
2766 nested_ept_init_mmu_context(vcpu);
2767
2768 /*
2769 * Override the CR0/CR4 read shadows after setting the effective guest
2770 * CR0/CR4. The common helpers also set the shadows, but they don't
2771 * account for vmcs12's cr0/4_guest_host_mask.
2772 */
2773 vmx_set_cr0(vcpu, cr0: vmcs12->guest_cr0);
2774 vmcs_writel(field: CR0_READ_SHADOW, value: nested_read_cr0(fields: vmcs12));
2775
2776 vmx_set_cr4(vcpu, cr4: vmcs12->guest_cr4);
2777 vmcs_writel(field: CR4_READ_SHADOW, value: nested_read_cr4(fields: vmcs12));
2778
2779 vcpu->arch.efer = nested_vmx_calc_efer(vmx, vmcs12);
2780 /* Note: may modify VM_ENTRY/EXIT_CONTROLS and GUEST/HOST_IA32_EFER */
2781 vmx_set_efer(vcpu, efer: vcpu->arch.efer);
2782
2783 /*
2784 * Guest state is invalid and unrestricted guest is disabled,
2785 * which means L1 attempted VMEntry to L2 with invalid state.
2786 * Fail the VMEntry.
2787 *
2788 * However when force loading the guest state (SMM exit or
2789 * loading nested state after migration, it is possible to
2790 * have invalid guest state now, which will be later fixed by
2791 * restoring L2 register state
2792 */
2793 if (CC(from_vmentry && !vmx_guest_state_valid(vcpu))) {
2794 *entry_failure_code = ENTRY_FAIL_DEFAULT;
2795 return -EINVAL;
2796 }
2797
2798 /* Shadow page tables on either EPT or shadow page tables. */
2799 if (nested_vmx_load_cr3(vcpu, cr3: vmcs12->guest_cr3, nested_ept: nested_cpu_has_ept(vmcs12),
2800 reload_pdptrs: from_vmentry, entry_failure_code))
2801 return -EINVAL;
2802
2803 /*
2804 * Immediately write vmcs02.GUEST_CR3. It will be propagated to vmcs12
2805 * on nested VM-Exit, which can occur without actually running L2 and
2806 * thus without hitting vmx_load_mmu_pgd(), e.g. if L1 is entering L2 with
2807 * vmcs12.GUEST_ACTIVITYSTATE=HLT, in which case KVM will intercept the
2808 * transition to HLT instead of running L2.
2809 */
2810 if (enable_ept)
2811 vmcs_writel(field: GUEST_CR3, value: vmcs12->guest_cr3);
2812
2813 /* Late preparation of GUEST_PDPTRs now that EFER and CRs are set. */
2814 if (load_guest_pdptrs_vmcs12 && nested_cpu_has_ept(vmcs12) &&
2815 is_pae_paging(vcpu)) {
2816 vmcs_write64(field: GUEST_PDPTR0, value: vmcs12->guest_pdptr0);
2817 vmcs_write64(field: GUEST_PDPTR1, value: vmcs12->guest_pdptr1);
2818 vmcs_write64(field: GUEST_PDPTR2, value: vmcs12->guest_pdptr2);
2819 vmcs_write64(field: GUEST_PDPTR3, value: vmcs12->guest_pdptr3);
2820 }
2821
2822 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL) &&
2823 kvm_pmu_has_perf_global_ctrl(vcpu_to_pmu(vcpu)) &&
2824 WARN_ON_ONCE(__kvm_emulate_msr_write(vcpu, MSR_CORE_PERF_GLOBAL_CTRL,
2825 vmcs12->guest_ia32_perf_global_ctrl))) {
2826 *entry_failure_code = ENTRY_FAIL_DEFAULT;
2827 return -EINVAL;
2828 }
2829
2830 kvm_rsp_write(vcpu, val: vmcs12->guest_rsp);
2831 kvm_rip_write(vcpu, val: vmcs12->guest_rip);
2832
2833 /*
2834 * It was observed that genuine Hyper-V running in L1 doesn't reset
2835 * 'hv_clean_fields' by itself, it only sets the corresponding dirty
2836 * bits when it changes a field in eVMCS. Mark all fields as clean
2837 * here.
2838 */
2839 if (nested_vmx_is_evmptr12_valid(vmx))
2840 evmcs->hv_clean_fields |= HV_VMX_ENLIGHTENED_CLEAN_FIELD_ALL;
2841
2842 return 0;
2843}
2844
2845static int nested_vmx_check_nmi_controls(struct vmcs12 *vmcs12)
2846{
2847 if (CC(!nested_cpu_has_nmi_exiting(vmcs12) &&
2848 nested_cpu_has_virtual_nmis(vmcs12)))
2849 return -EINVAL;
2850
2851 if (CC(!nested_cpu_has_virtual_nmis(vmcs12) &&
2852 nested_cpu_has(vmcs12, CPU_BASED_NMI_WINDOW_EXITING)))
2853 return -EINVAL;
2854
2855 return 0;
2856}
2857
2858static bool nested_vmx_check_eptp(struct kvm_vcpu *vcpu, u64 new_eptp)
2859{
2860 struct vcpu_vmx *vmx = to_vmx(vcpu);
2861
2862 /* Check for memory type validity */
2863 switch (new_eptp & VMX_EPTP_MT_MASK) {
2864 case VMX_EPTP_MT_UC:
2865 if (CC(!(vmx->nested.msrs.ept_caps & VMX_EPTP_UC_BIT)))
2866 return false;
2867 break;
2868 case VMX_EPTP_MT_WB:
2869 if (CC(!(vmx->nested.msrs.ept_caps & VMX_EPTP_WB_BIT)))
2870 return false;
2871 break;
2872 default:
2873 return false;
2874 }
2875
2876 /* Page-walk levels validity. */
2877 switch (new_eptp & VMX_EPTP_PWL_MASK) {
2878 case VMX_EPTP_PWL_5:
2879 if (CC(!(vmx->nested.msrs.ept_caps & VMX_EPT_PAGE_WALK_5_BIT)))
2880 return false;
2881 break;
2882 case VMX_EPTP_PWL_4:
2883 if (CC(!(vmx->nested.msrs.ept_caps & VMX_EPT_PAGE_WALK_4_BIT)))
2884 return false;
2885 break;
2886 default:
2887 return false;
2888 }
2889
2890 /* Reserved bits should not be set */
2891 if (CC(!kvm_vcpu_is_legal_gpa(vcpu, new_eptp) || ((new_eptp >> 7) & 0x1f)))
2892 return false;
2893
2894 /* AD, if set, should be supported */
2895 if (new_eptp & VMX_EPTP_AD_ENABLE_BIT) {
2896 if (CC(!(vmx->nested.msrs.ept_caps & VMX_EPT_AD_BIT)))
2897 return false;
2898 }
2899
2900 return true;
2901}
2902
2903/*
2904 * Checks related to VM-Execution Control Fields
2905 */
2906static int nested_check_vm_execution_controls(struct kvm_vcpu *vcpu,
2907 struct vmcs12 *vmcs12)
2908{
2909 struct vcpu_vmx *vmx = to_vmx(vcpu);
2910
2911 if (CC(!vmx_control_verify(vmcs12->pin_based_vm_exec_control,
2912 vmx->nested.msrs.pinbased_ctls_low,
2913 vmx->nested.msrs.pinbased_ctls_high)) ||
2914 CC(!vmx_control_verify(vmcs12->cpu_based_vm_exec_control,
2915 vmx->nested.msrs.procbased_ctls_low,
2916 vmx->nested.msrs.procbased_ctls_high)))
2917 return -EINVAL;
2918
2919 if (nested_cpu_has(vmcs12, CPU_BASED_ACTIVATE_SECONDARY_CONTROLS) &&
2920 CC(!vmx_control_verify(vmcs12->secondary_vm_exec_control,
2921 vmx->nested.msrs.secondary_ctls_low,
2922 vmx->nested.msrs.secondary_ctls_high)))
2923 return -EINVAL;
2924
2925 if (CC(vmcs12->cr3_target_count > nested_cpu_vmx_misc_cr3_count(vcpu)) ||
2926 nested_vmx_check_io_bitmap_controls(vcpu, vmcs12) ||
2927 nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12) ||
2928 nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12) ||
2929 nested_vmx_check_apic_access_controls(vcpu, vmcs12) ||
2930 nested_vmx_check_apicv_controls(vcpu, vmcs12) ||
2931 nested_vmx_check_nmi_controls(vmcs12) ||
2932 nested_vmx_check_pml_controls(vcpu, vmcs12) ||
2933 nested_vmx_check_unrestricted_guest_controls(vcpu, vmcs12) ||
2934 nested_vmx_check_mode_based_ept_exec_controls(vcpu, vmcs12) ||
2935 nested_vmx_check_shadow_vmcs_controls(vcpu, vmcs12) ||
2936 CC(nested_cpu_has_vpid(vmcs12) && !vmcs12->virtual_processor_id))
2937 return -EINVAL;
2938
2939 if (!nested_cpu_has_preemption_timer(vmcs12) &&
2940 nested_cpu_has_save_preemption_timer(vmcs12))
2941 return -EINVAL;
2942
2943 if (nested_cpu_has_ept(vmcs12) &&
2944 CC(!nested_vmx_check_eptp(vcpu, vmcs12->ept_pointer)))
2945 return -EINVAL;
2946
2947 if (nested_cpu_has_vmfunc(vmcs12)) {
2948 if (CC(vmcs12->vm_function_control &
2949 ~vmx->nested.msrs.vmfunc_controls))
2950 return -EINVAL;
2951
2952 if (nested_cpu_has_eptp_switching(vmcs12)) {
2953 if (CC(!nested_cpu_has_ept(vmcs12)) ||
2954 CC(!page_address_valid(vcpu, vmcs12->eptp_list_address)))
2955 return -EINVAL;
2956 }
2957 }
2958
2959 if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_TSC_SCALING) &&
2960 CC(!vmcs12->tsc_multiplier))
2961 return -EINVAL;
2962
2963 return 0;
2964}
2965
2966/*
2967 * Checks related to VM-Exit Control Fields
2968 */
2969static int nested_check_vm_exit_controls(struct kvm_vcpu *vcpu,
2970 struct vmcs12 *vmcs12)
2971{
2972 struct vcpu_vmx *vmx = to_vmx(vcpu);
2973
2974 if (CC(!vmx_control_verify(vmcs12->vm_exit_controls,
2975 vmx->nested.msrs.exit_ctls_low,
2976 vmx->nested.msrs.exit_ctls_high)) ||
2977 CC(nested_vmx_check_exit_msr_switch_controls(vcpu, vmcs12)))
2978 return -EINVAL;
2979
2980 return 0;
2981}
2982
2983/*
2984 * Checks related to VM-Entry Control Fields
2985 */
2986static int nested_check_vm_entry_controls(struct kvm_vcpu *vcpu,
2987 struct vmcs12 *vmcs12)
2988{
2989 struct vcpu_vmx *vmx = to_vmx(vcpu);
2990
2991 if (CC(!vmx_control_verify(vmcs12->vm_entry_controls,
2992 vmx->nested.msrs.entry_ctls_low,
2993 vmx->nested.msrs.entry_ctls_high)))
2994 return -EINVAL;
2995
2996 /*
2997 * From the Intel SDM, volume 3:
2998 * Fields relevant to VM-entry event injection must be set properly.
2999 * These fields are the VM-entry interruption-information field, the
3000 * VM-entry exception error code, and the VM-entry instruction length.
3001 */
3002 if (vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK) {
3003 u32 intr_info = vmcs12->vm_entry_intr_info_field;
3004 u8 vector = intr_info & INTR_INFO_VECTOR_MASK;
3005 u32 intr_type = intr_info & INTR_INFO_INTR_TYPE_MASK;
3006 bool has_error_code = intr_info & INTR_INFO_DELIVER_CODE_MASK;
3007 bool urg = nested_cpu_has2(vmcs12,
3008 SECONDARY_EXEC_UNRESTRICTED_GUEST);
3009 bool prot_mode = !urg || vmcs12->guest_cr0 & X86_CR0_PE;
3010
3011 /* VM-entry interruption-info field: interruption type */
3012 if (CC(intr_type == INTR_TYPE_RESERVED) ||
3013 CC(intr_type == INTR_TYPE_OTHER_EVENT &&
3014 !nested_cpu_supports_monitor_trap_flag(vcpu)))
3015 return -EINVAL;
3016
3017 /* VM-entry interruption-info field: vector */
3018 if (CC(intr_type == INTR_TYPE_NMI_INTR && vector != NMI_VECTOR) ||
3019 CC(intr_type == INTR_TYPE_HARD_EXCEPTION && vector > 31) ||
3020 CC(intr_type == INTR_TYPE_OTHER_EVENT && vector != 0))
3021 return -EINVAL;
3022
3023 /*
3024 * Cannot deliver error code in real mode or if the interrupt
3025 * type is not hardware exception. For other cases, do the
3026 * consistency check only if the vCPU doesn't enumerate
3027 * VMX_BASIC_NO_HW_ERROR_CODE_CC.
3028 */
3029 if (!prot_mode || intr_type != INTR_TYPE_HARD_EXCEPTION) {
3030 if (CC(has_error_code))
3031 return -EINVAL;
3032 } else if (!nested_cpu_has_no_hw_errcode_cc(vcpu)) {
3033 if (CC(has_error_code != x86_exception_has_error_code(vector)))
3034 return -EINVAL;
3035 }
3036
3037 /* VM-entry exception error code */
3038 if (CC(has_error_code &&
3039 vmcs12->vm_entry_exception_error_code & GENMASK(31, 16)))
3040 return -EINVAL;
3041
3042 /* VM-entry interruption-info field: reserved bits */
3043 if (CC(intr_info & INTR_INFO_RESVD_BITS_MASK))
3044 return -EINVAL;
3045
3046 /* VM-entry instruction length */
3047 switch (intr_type) {
3048 case INTR_TYPE_SOFT_EXCEPTION:
3049 case INTR_TYPE_SOFT_INTR:
3050 case INTR_TYPE_PRIV_SW_EXCEPTION:
3051 if (CC(vmcs12->vm_entry_instruction_len > X86_MAX_INSTRUCTION_LENGTH) ||
3052 CC(vmcs12->vm_entry_instruction_len == 0 &&
3053 CC(!nested_cpu_has_zero_length_injection(vcpu))))
3054 return -EINVAL;
3055 }
3056 }
3057
3058 if (nested_vmx_check_entry_msr_switch_controls(vcpu, vmcs12))
3059 return -EINVAL;
3060
3061 return 0;
3062}
3063
3064static int nested_vmx_check_controls(struct kvm_vcpu *vcpu,
3065 struct vmcs12 *vmcs12)
3066{
3067 if (nested_check_vm_execution_controls(vcpu, vmcs12) ||
3068 nested_check_vm_exit_controls(vcpu, vmcs12) ||
3069 nested_check_vm_entry_controls(vcpu, vmcs12))
3070 return -EINVAL;
3071
3072#ifdef CONFIG_KVM_HYPERV
3073 if (guest_cpu_cap_has_evmcs(vcpu))
3074 return nested_evmcs_check_controls(vmcs12);
3075#endif
3076
3077 return 0;
3078}
3079
3080static int nested_vmx_check_controls_late(struct kvm_vcpu *vcpu,
3081 struct vmcs12 *vmcs12)
3082{
3083 void *vapic = to_vmx(vcpu)->nested.virtual_apic_map.hva;
3084 u32 vtpr = vapic ? (*(u32 *)(vapic + APIC_TASKPRI)) >> 4 : 0;
3085
3086 /*
3087 * Don't bother with the consistency checks if KVM isn't configured to
3088 * WARN on missed consistency checks, as KVM needs to rely on hardware
3089 * to fully detect an illegal vTPR vs. TRP Threshold combination due to
3090 * the vTPR being writable by L1 at all times (it's an in-memory value,
3091 * not a VMCS field). I.e. even if the check passes now, it might fail
3092 * at the actual VM-Enter.
3093 *
3094 * Keying off the module param also allows treating an invalid vAPIC
3095 * mapping as a consistency check failure without increasing the risk
3096 * of breaking a "real" VM.
3097 */
3098 if (!warn_on_missed_cc)
3099 return 0;
3100
3101 if ((exec_controls_get(vmx: to_vmx(vcpu)) & CPU_BASED_TPR_SHADOW) &&
3102 nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW) &&
3103 !nested_cpu_has_vid(vmcs12) &&
3104 !nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) &&
3105 (CC(!vapic) ||
3106 CC((vmcs12->tpr_threshold & GENMASK(3, 0)) > (vtpr & GENMASK(3, 0)))))
3107 return -EINVAL;
3108
3109 return 0;
3110}
3111
3112static int nested_vmx_check_address_space_size(struct kvm_vcpu *vcpu,
3113 struct vmcs12 *vmcs12)
3114{
3115#ifdef CONFIG_X86_64
3116 if (CC(!!(vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE) !=
3117 !!(vcpu->arch.efer & EFER_LMA)))
3118 return -EINVAL;
3119#endif
3120 return 0;
3121}
3122
3123static bool is_l1_noncanonical_address_on_vmexit(u64 la, struct vmcs12 *vmcs12)
3124{
3125 /*
3126 * Check that the given linear address is canonical after a VM exit
3127 * from L2, based on HOST_CR4.LA57 value that will be loaded for L1.
3128 */
3129 u8 l1_address_bits_on_exit = (vmcs12->host_cr4 & X86_CR4_LA57) ? 57 : 48;
3130
3131 return !__is_canonical_address(vaddr: la, vaddr_bits: l1_address_bits_on_exit);
3132}
3133
3134static int nested_vmx_check_cet_state_common(struct kvm_vcpu *vcpu, u64 s_cet,
3135 u64 ssp, u64 ssp_tbl)
3136{
3137 if (CC(!kvm_is_valid_u_s_cet(vcpu, s_cet)) || CC(!IS_ALIGNED(ssp, 4)) ||
3138 CC(is_noncanonical_msr_address(ssp_tbl, vcpu)))
3139 return -EINVAL;
3140
3141 return 0;
3142}
3143
3144static int nested_vmx_check_host_state(struct kvm_vcpu *vcpu,
3145 struct vmcs12 *vmcs12)
3146{
3147 bool ia32e = !!(vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE);
3148
3149 if (CC(!nested_host_cr0_valid(vcpu, vmcs12->host_cr0)) ||
3150 CC(!nested_host_cr4_valid(vcpu, vmcs12->host_cr4)) ||
3151 CC(!kvm_vcpu_is_legal_cr3(vcpu, vmcs12->host_cr3)))
3152 return -EINVAL;
3153
3154 if (CC(vmcs12->host_cr4 & X86_CR4_CET && !(vmcs12->host_cr0 & X86_CR0_WP)))
3155 return -EINVAL;
3156
3157 if (CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_esp, vcpu)) ||
3158 CC(is_noncanonical_msr_address(vmcs12->host_ia32_sysenter_eip, vcpu)))
3159 return -EINVAL;
3160
3161 if ((vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) &&
3162 CC(!kvm_pat_valid(vmcs12->host_ia32_pat)))
3163 return -EINVAL;
3164
3165 if ((vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL) &&
3166 CC(!kvm_valid_perf_global_ctrl(vcpu_to_pmu(vcpu),
3167 vmcs12->host_ia32_perf_global_ctrl)))
3168 return -EINVAL;
3169
3170 if (ia32e) {
3171 if (CC(!(vmcs12->host_cr4 & X86_CR4_PAE)))
3172 return -EINVAL;
3173 } else {
3174 if (CC(vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) ||
3175 CC(vmcs12->host_cr4 & X86_CR4_PCIDE) ||
3176 CC((vmcs12->host_rip) >> 32))
3177 return -EINVAL;
3178 }
3179
3180 if (CC(vmcs12->host_cs_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3181 CC(vmcs12->host_ss_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3182 CC(vmcs12->host_ds_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3183 CC(vmcs12->host_es_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3184 CC(vmcs12->host_fs_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3185 CC(vmcs12->host_gs_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3186 CC(vmcs12->host_tr_selector & (SEGMENT_RPL_MASK | SEGMENT_TI_MASK)) ||
3187 CC(vmcs12->host_cs_selector == 0) ||
3188 CC(vmcs12->host_tr_selector == 0) ||
3189 CC(vmcs12->host_ss_selector == 0 && !ia32e))
3190 return -EINVAL;
3191
3192 if (CC(is_noncanonical_base_address(vmcs12->host_fs_base, vcpu)) ||
3193 CC(is_noncanonical_base_address(vmcs12->host_gs_base, vcpu)) ||
3194 CC(is_noncanonical_base_address(vmcs12->host_gdtr_base, vcpu)) ||
3195 CC(is_noncanonical_base_address(vmcs12->host_idtr_base, vcpu)) ||
3196 CC(is_noncanonical_base_address(vmcs12->host_tr_base, vcpu)) ||
3197 CC(is_l1_noncanonical_address_on_vmexit(vmcs12->host_rip, vmcs12)))
3198 return -EINVAL;
3199
3200 /*
3201 * If the load IA32_EFER VM-exit control is 1, bits reserved in the
3202 * IA32_EFER MSR must be 0 in the field for that register. In addition,
3203 * the values of the LMA and LME bits in the field must each be that of
3204 * the host address-space size VM-exit control.
3205 */
3206 if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER) {
3207 if (CC(!kvm_valid_efer(vcpu, vmcs12->host_ia32_efer)) ||
3208 CC(ia32e != !!(vmcs12->host_ia32_efer & EFER_LMA)) ||
3209 CC(ia32e != !!(vmcs12->host_ia32_efer & EFER_LME)))
3210 return -EINVAL;
3211 }
3212
3213 if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE) {
3214 if (nested_vmx_check_cet_state_common(vcpu, s_cet: vmcs12->host_s_cet,
3215 ssp: vmcs12->host_ssp,
3216 ssp_tbl: vmcs12->host_ssp_tbl))
3217 return -EINVAL;
3218
3219 /*
3220 * IA32_S_CET and SSP must be canonical if the host will
3221 * enter 64-bit mode after VM-exit; otherwise, higher
3222 * 32-bits must be all 0s.
3223 */
3224 if (ia32e) {
3225 if (CC(is_noncanonical_msr_address(vmcs12->host_s_cet, vcpu)) ||
3226 CC(is_noncanonical_msr_address(vmcs12->host_ssp, vcpu)))
3227 return -EINVAL;
3228 } else {
3229 if (CC(vmcs12->host_s_cet >> 32) || CC(vmcs12->host_ssp >> 32))
3230 return -EINVAL;
3231 }
3232 }
3233
3234 return 0;
3235}
3236
3237static int nested_vmx_check_vmcs_link_ptr(struct kvm_vcpu *vcpu,
3238 struct vmcs12 *vmcs12)
3239{
3240 struct vcpu_vmx *vmx = to_vmx(vcpu);
3241 struct gfn_to_hva_cache *ghc = &vmx->nested.shadow_vmcs12_cache;
3242 struct vmcs_hdr hdr;
3243
3244 if (vmcs12->vmcs_link_pointer == INVALID_GPA)
3245 return 0;
3246
3247 if (CC(!page_address_valid(vcpu, vmcs12->vmcs_link_pointer)))
3248 return -EINVAL;
3249
3250 if (ghc->gpa != vmcs12->vmcs_link_pointer &&
3251 CC(kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc,
3252 vmcs12->vmcs_link_pointer, VMCS12_SIZE)))
3253 return -EINVAL;
3254
3255 if (CC(kvm_read_guest_offset_cached(vcpu->kvm, ghc, &hdr,
3256 offsetof(struct vmcs12, hdr),
3257 sizeof(hdr))))
3258 return -EINVAL;
3259
3260 if (CC(hdr.revision_id != VMCS12_REVISION) ||
3261 CC(hdr.shadow_vmcs != nested_cpu_has_shadow_vmcs(vmcs12)))
3262 return -EINVAL;
3263
3264 return 0;
3265}
3266
3267/*
3268 * Checks related to Guest Non-register State
3269 */
3270static int nested_check_guest_non_reg_state(struct vmcs12 *vmcs12)
3271{
3272 if (CC(vmcs12->guest_activity_state != GUEST_ACTIVITY_ACTIVE &&
3273 vmcs12->guest_activity_state != GUEST_ACTIVITY_HLT &&
3274 vmcs12->guest_activity_state != GUEST_ACTIVITY_WAIT_SIPI))
3275 return -EINVAL;
3276
3277 return 0;
3278}
3279
3280static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu,
3281 struct vmcs12 *vmcs12,
3282 enum vm_entry_failure_code *entry_failure_code)
3283{
3284 bool ia32e = !!(vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE);
3285
3286 *entry_failure_code = ENTRY_FAIL_DEFAULT;
3287
3288 if (CC(!nested_guest_cr0_valid(vcpu, vmcs12->guest_cr0)) ||
3289 CC(!nested_guest_cr4_valid(vcpu, vmcs12->guest_cr4)))
3290 return -EINVAL;
3291
3292 if (CC(vmcs12->guest_cr4 & X86_CR4_CET && !(vmcs12->guest_cr0 & X86_CR0_WP)))
3293 return -EINVAL;
3294
3295 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) &&
3296 (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) ||
3297 CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false))))
3298 return -EINVAL;
3299
3300 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) &&
3301 CC(!kvm_pat_valid(vmcs12->guest_ia32_pat)))
3302 return -EINVAL;
3303
3304 if (nested_vmx_check_vmcs_link_ptr(vcpu, vmcs12)) {
3305 *entry_failure_code = ENTRY_FAIL_VMCS_LINK_PTR;
3306 return -EINVAL;
3307 }
3308
3309 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL) &&
3310 CC(!kvm_valid_perf_global_ctrl(vcpu_to_pmu(vcpu),
3311 vmcs12->guest_ia32_perf_global_ctrl)))
3312 return -EINVAL;
3313
3314 if (CC((vmcs12->guest_cr0 & (X86_CR0_PG | X86_CR0_PE)) == X86_CR0_PG))
3315 return -EINVAL;
3316
3317 if (CC(ia32e && !(vmcs12->guest_cr4 & X86_CR4_PAE)) ||
3318 CC(ia32e && !(vmcs12->guest_cr0 & X86_CR0_PG)))
3319 return -EINVAL;
3320
3321 /*
3322 * If the load IA32_EFER VM-entry control is 1, the following checks
3323 * are performed on the field for the IA32_EFER MSR:
3324 * - Bits reserved in the IA32_EFER MSR must be 0.
3325 * - Bit 10 (corresponding to IA32_EFER.LMA) must equal the value of
3326 * the IA-32e mode guest VM-exit control. It must also be identical
3327 * to bit 8 (LME) if bit 31 in the CR0 field (corresponding to
3328 * CR0.PG) is 1.
3329 */
3330 if (to_vmx(vcpu)->nested.nested_run_pending &&
3331 (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER)) {
3332 if (CC(!kvm_valid_efer(vcpu, vmcs12->guest_ia32_efer)) ||
3333 CC(ia32e != !!(vmcs12->guest_ia32_efer & EFER_LMA)) ||
3334 CC(((vmcs12->guest_cr0 & X86_CR0_PG) &&
3335 ia32e != !!(vmcs12->guest_ia32_efer & EFER_LME))))
3336 return -EINVAL;
3337 }
3338
3339 if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS) &&
3340 (CC(is_noncanonical_msr_address(vmcs12->guest_bndcfgs & PAGE_MASK, vcpu)) ||
3341 CC((vmcs12->guest_bndcfgs & MSR_IA32_BNDCFGS_RSVD))))
3342 return -EINVAL;
3343
3344 if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE) {
3345 if (nested_vmx_check_cet_state_common(vcpu, s_cet: vmcs12->guest_s_cet,
3346 ssp: vmcs12->guest_ssp,
3347 ssp_tbl: vmcs12->guest_ssp_tbl))
3348 return -EINVAL;
3349
3350 /*
3351 * Guest SSP must have 63:N bits identical, rather than
3352 * be canonical (i.e., 63:N-1 bits identical), where N is
3353 * the CPU's maximum linear-address width. Similar to
3354 * is_noncanonical_msr_address(), use the host's
3355 * linear-address width.
3356 */
3357 if (CC(!__is_canonical_address(vmcs12->guest_ssp, max_host_virt_addr_bits() + 1)))
3358 return -EINVAL;
3359 }
3360
3361 if (nested_check_guest_non_reg_state(vmcs12))
3362 return -EINVAL;
3363
3364 return 0;
3365}
3366
3367#ifdef CONFIG_KVM_HYPERV
3368static bool nested_get_evmcs_page(struct kvm_vcpu *vcpu)
3369{
3370 struct vcpu_vmx *vmx = to_vmx(vcpu);
3371
3372 /*
3373 * hv_evmcs may end up being not mapped after migration (when
3374 * L2 was running), map it here to make sure vmcs12 changes are
3375 * properly reflected.
3376 */
3377 if (guest_cpu_cap_has_evmcs(vcpu) &&
3378 vmx->nested.hv_evmcs_vmptr == EVMPTR_MAP_PENDING) {
3379 enum nested_evmptrld_status evmptrld_status =
3380 nested_vmx_handle_enlightened_vmptrld(vcpu, from_launch: false);
3381
3382 if (evmptrld_status == EVMPTRLD_VMFAIL ||
3383 evmptrld_status == EVMPTRLD_ERROR)
3384 return false;
3385
3386 /*
3387 * Post migration VMCS12 always provides the most actual
3388 * information, copy it to eVMCS upon entry.
3389 */
3390 vmx->nested.need_vmcs12_to_shadow_sync = true;
3391 }
3392
3393 return true;
3394}
3395#endif
3396
3397static bool nested_get_vmcs12_pages(struct kvm_vcpu *vcpu)
3398{
3399 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
3400 struct vcpu_vmx *vmx = to_vmx(vcpu);
3401 struct kvm_host_map *map;
3402
3403 if (!vcpu->arch.pdptrs_from_userspace &&
3404 !nested_cpu_has_ept(vmcs12) && is_pae_paging(vcpu)) {
3405 /*
3406 * Reload the guest's PDPTRs since after a migration
3407 * the guest CR3 might be restored prior to setting the nested
3408 * state which can lead to a load of wrong PDPTRs.
3409 */
3410 if (CC(!load_pdptrs(vcpu, vcpu->arch.cr3)))
3411 return false;
3412 }
3413
3414
3415 if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
3416 map = &vmx->nested.apic_access_page_map;
3417
3418 if (!kvm_vcpu_map(vcpu, gpa: gpa_to_gfn(gpa: vmcs12->apic_access_addr), map)) {
3419 vmcs_write64(field: APIC_ACCESS_ADDR, value: pfn_to_hpa(pfn: map->pfn));
3420 } else {
3421 pr_debug_ratelimited("%s: no backing for APIC-access address in vmcs12\n",
3422 __func__);
3423 vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
3424 vcpu->run->internal.suberror =
3425 KVM_INTERNAL_ERROR_EMULATION;
3426 vcpu->run->internal.ndata = 0;
3427 return false;
3428 }
3429 }
3430
3431 if (nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW)) {
3432 map = &vmx->nested.virtual_apic_map;
3433
3434 if (!kvm_vcpu_map(vcpu, gpa: gpa_to_gfn(gpa: vmcs12->virtual_apic_page_addr), map)) {
3435 vmcs_write64(field: VIRTUAL_APIC_PAGE_ADDR, value: pfn_to_hpa(pfn: map->pfn));
3436 } else if (nested_cpu_has(vmcs12, CPU_BASED_CR8_LOAD_EXITING) &&
3437 nested_cpu_has(vmcs12, CPU_BASED_CR8_STORE_EXITING) &&
3438 !nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES)) {
3439 /*
3440 * The processor will never use the TPR shadow, simply
3441 * clear the bit from the execution control. Such a
3442 * configuration is useless, but it happens in tests.
3443 * For any other configuration, failing the vm entry is
3444 * _not_ what the processor does but it's basically the
3445 * only possibility we have.
3446 */
3447 exec_controls_clearbit(vmx, CPU_BASED_TPR_SHADOW);
3448 } else {
3449 /*
3450 * Write an illegal value to VIRTUAL_APIC_PAGE_ADDR to
3451 * force VM-Entry to fail.
3452 */
3453 vmcs_write64(field: VIRTUAL_APIC_PAGE_ADDR, INVALID_GPA);
3454 }
3455 }
3456
3457 if (nested_cpu_has_posted_intr(vmcs12)) {
3458 map = &vmx->nested.pi_desc_map;
3459
3460 if (!kvm_vcpu_map(vcpu, gpa: gpa_to_gfn(gpa: vmcs12->posted_intr_desc_addr), map)) {
3461 vmx->nested.pi_desc =
3462 (struct pi_desc *)(((void *)map->hva) +
3463 offset_in_page(vmcs12->posted_intr_desc_addr));
3464 vmcs_write64(field: POSTED_INTR_DESC_ADDR,
3465 value: pfn_to_hpa(pfn: map->pfn) + offset_in_page(vmcs12->posted_intr_desc_addr));
3466 } else {
3467 /*
3468 * Defer the KVM_INTERNAL_EXIT until KVM tries to
3469 * access the contents of the VMCS12 posted interrupt
3470 * descriptor. (Note that KVM may do this when it
3471 * should not, per the architectural specification.)
3472 */
3473 vmx->nested.pi_desc = NULL;
3474 pin_controls_clearbit(vmx, PIN_BASED_POSTED_INTR);
3475 }
3476 }
3477 if (nested_vmx_prepare_msr_bitmap(vcpu, vmcs12))
3478 exec_controls_setbit(vmx, CPU_BASED_USE_MSR_BITMAPS);
3479 else
3480 exec_controls_clearbit(vmx, CPU_BASED_USE_MSR_BITMAPS);
3481
3482 return true;
3483}
3484
3485static bool vmx_get_nested_state_pages(struct kvm_vcpu *vcpu)
3486{
3487#ifdef CONFIG_KVM_HYPERV
3488 /*
3489 * Note: nested_get_evmcs_page() also updates 'vp_assist_page' copy
3490 * in 'struct kvm_vcpu_hv' in case eVMCS is in use, this is mandatory
3491 * to make nested_evmcs_l2_tlb_flush_enabled() work correctly post
3492 * migration.
3493 */
3494 if (!nested_get_evmcs_page(vcpu)) {
3495 pr_debug_ratelimited("%s: enlightened vmptrld failed\n",
3496 __func__);
3497 vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
3498 vcpu->run->internal.suberror =
3499 KVM_INTERNAL_ERROR_EMULATION;
3500 vcpu->run->internal.ndata = 0;
3501
3502 return false;
3503 }
3504#endif
3505
3506 if (is_guest_mode(vcpu) && !nested_get_vmcs12_pages(vcpu))
3507 return false;
3508
3509 return true;
3510}
3511
3512static int nested_vmx_write_pml_buffer(struct kvm_vcpu *vcpu, gpa_t gpa)
3513{
3514 struct vmcs12 *vmcs12;
3515 struct vcpu_vmx *vmx = to_vmx(vcpu);
3516 gpa_t dst;
3517
3518 if (WARN_ON_ONCE(!is_guest_mode(vcpu)))
3519 return 0;
3520
3521 if (WARN_ON_ONCE(vmx->nested.pml_full))
3522 return 1;
3523
3524 /*
3525 * Check if PML is enabled for the nested guest. Whether eptp bit 6 is
3526 * set is already checked as part of A/D emulation.
3527 */
3528 vmcs12 = get_vmcs12(vcpu);
3529 if (!nested_cpu_has_pml(vmcs12))
3530 return 0;
3531
3532 if (vmcs12->guest_pml_index >= PML_LOG_NR_ENTRIES) {
3533 vmx->nested.pml_full = true;
3534 return 1;
3535 }
3536
3537 gpa &= ~0xFFFull;
3538 dst = vmcs12->pml_address + sizeof(u64) * vmcs12->guest_pml_index;
3539
3540 if (kvm_write_guest_page(kvm: vcpu->kvm, gfn: gpa_to_gfn(gpa: dst), data: &gpa,
3541 offset_in_page(dst), len: sizeof(gpa)))
3542 return 0;
3543
3544 vmcs12->guest_pml_index--;
3545
3546 return 0;
3547}
3548
3549/*
3550 * Intel's VMX Instruction Reference specifies a common set of prerequisites
3551 * for running VMX instructions (except VMXON, whose prerequisites are
3552 * slightly different). It also specifies what exception to inject otherwise.
3553 * Note that many of these exceptions have priority over VM exits, so they
3554 * don't have to be checked again here.
3555 */
3556static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
3557{
3558 if (!to_vmx(vcpu)->nested.vmxon) {
3559 kvm_queue_exception(vcpu, UD_VECTOR);
3560 return 0;
3561 }
3562
3563 if (vmx_get_cpl(vcpu)) {
3564 kvm_inject_gp(vcpu, error_code: 0);
3565 return 0;
3566 }
3567
3568 return 1;
3569}
3570
3571static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
3572 struct vmcs12 *vmcs12);
3573
3574/*
3575 * If from_vmentry is false, this is being called from state restore (either RSM
3576 * or KVM_SET_NESTED_STATE). Otherwise it's called from vmlaunch/vmresume.
3577 *
3578 * Returns:
3579 * NVMX_VMENTRY_SUCCESS: Entered VMX non-root mode
3580 * NVMX_VMENTRY_VMFAIL: Consistency check VMFail
3581 * NVMX_VMENTRY_VMEXIT: Consistency check VMExit
3582 * NVMX_VMENTRY_KVM_INTERNAL_ERROR: KVM internal error
3583 */
3584enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu,
3585 bool from_vmentry)
3586{
3587 struct vcpu_vmx *vmx = to_vmx(vcpu);
3588 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
3589 enum vm_entry_failure_code entry_failure_code;
3590 union vmx_exit_reason exit_reason = {
3591 .basic = EXIT_REASON_INVALID_STATE,
3592 .failed_vmentry = 1,
3593 };
3594 u32 failed_index;
3595
3596 trace_kvm_nested_vmenter(kvm_rip_read(vcpu),
3597 vmx->nested.current_vmptr,
3598 vmcs12->guest_rip,
3599 vmcs12->guest_intr_status,
3600 vmcs12->vm_entry_intr_info_field,
3601 vmcs12->secondary_vm_exec_control & SECONDARY_EXEC_ENABLE_EPT,
3602 vmcs12->ept_pointer,
3603 vmcs12->guest_cr3,
3604 KVM_ISA_VMX);
3605
3606 kvm_service_local_tlb_flush_requests(vcpu);
3607
3608 if (!vmx->nested.nested_run_pending ||
3609 !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
3610 vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read();
3611 if (kvm_mpx_supported() &&
3612 (!vmx->nested.nested_run_pending ||
3613 !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
3614 vmx->nested.pre_vmenter_bndcfgs = vmcs_read64(field: GUEST_BNDCFGS);
3615
3616 if (!vmx->nested.nested_run_pending ||
3617 !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_CET_STATE))
3618 vmcs_read_cet_state(vcpu, s_cet: &vmx->nested.pre_vmenter_s_cet,
3619 ssp: &vmx->nested.pre_vmenter_ssp,
3620 ssp_tbl: &vmx->nested.pre_vmenter_ssp_tbl);
3621
3622 /*
3623 * Overwrite vmcs01.GUEST_CR3 with L1's CR3 if EPT is disabled. In the
3624 * event of a "late" VM-Fail, i.e. a VM-Fail detected by hardware but
3625 * not KVM, KVM must unwind its software model to the pre-VM-Entry host
3626 * state. When EPT is disabled, GUEST_CR3 holds KVM's shadow CR3, not
3627 * L1's "real" CR3, which causes nested_vmx_restore_host_state() to
3628 * corrupt vcpu->arch.cr3. Stuffing vmcs01.GUEST_CR3 results in the
3629 * unwind naturally setting arch.cr3 to the correct value. Smashing
3630 * vmcs01.GUEST_CR3 is safe because nested VM-Exits, and the unwind,
3631 * reset KVM's MMU, i.e. vmcs01.GUEST_CR3 is guaranteed to be
3632 * overwritten with a shadow CR3 prior to re-entering L1.
3633 */
3634 if (!enable_ept)
3635 vmcs_writel(field: GUEST_CR3, value: vcpu->arch.cr3);
3636
3637 vmx_switch_vmcs(vcpu, vmcs: &vmx->nested.vmcs02);
3638
3639 prepare_vmcs02_early(vmx, vmcs01: &vmx->vmcs01, vmcs12);
3640
3641 if (from_vmentry) {
3642 if (unlikely(!nested_get_vmcs12_pages(vcpu))) {
3643 vmx_switch_vmcs(vcpu, vmcs: &vmx->vmcs01);
3644 return NVMX_VMENTRY_KVM_INTERNAL_ERROR;
3645 }
3646
3647 if (nested_vmx_check_controls_late(vcpu, vmcs12)) {
3648 vmx_switch_vmcs(vcpu, vmcs: &vmx->vmcs01);
3649 return NVMX_VMENTRY_VMFAIL;
3650 }
3651
3652 if (nested_vmx_check_guest_state(vcpu, vmcs12,
3653 entry_failure_code: &entry_failure_code)) {
3654 exit_reason.basic = EXIT_REASON_INVALID_STATE;
3655 vmcs12->exit_qualification = entry_failure_code;
3656 goto vmentry_fail_vmexit;
3657 }
3658 }
3659
3660 enter_guest_mode(vcpu);
3661
3662 if (prepare_vmcs02(vcpu, vmcs12, from_vmentry, entry_failure_code: &entry_failure_code)) {
3663 exit_reason.basic = EXIT_REASON_INVALID_STATE;
3664 vmcs12->exit_qualification = entry_failure_code;
3665 goto vmentry_fail_vmexit_guest_mode;
3666 }
3667
3668 if (from_vmentry) {
3669 failed_index = nested_vmx_load_msr(vcpu,
3670 gpa: vmcs12->vm_entry_msr_load_addr,
3671 count: vmcs12->vm_entry_msr_load_count);
3672 if (failed_index) {
3673 exit_reason.basic = EXIT_REASON_MSR_LOAD_FAIL;
3674 vmcs12->exit_qualification = failed_index;
3675 goto vmentry_fail_vmexit_guest_mode;
3676 }
3677 } else {
3678 /*
3679 * The MMU is not initialized to point at the right entities yet and
3680 * "get pages" would need to read data from the guest (i.e. we will
3681 * need to perform gpa to hpa translation). Request a call
3682 * to nested_get_vmcs12_pages before the next VM-entry. The MSRs
3683 * have already been set at vmentry time and should not be reset.
3684 */
3685 kvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
3686 }
3687
3688 /*
3689 * Re-evaluate pending events if L1 had a pending IRQ/NMI/INIT/SIPI
3690 * when it executed VMLAUNCH/VMRESUME, as entering non-root mode can
3691 * effectively unblock various events, e.g. INIT/SIPI cause VM-Exit
3692 * unconditionally. Take care to pull data from vmcs01 as appropriate,
3693 * e.g. when checking for interrupt windows, as vmcs02 is now loaded.
3694 */
3695 if ((__exec_controls_get(vmcs: &vmx->vmcs01) & (CPU_BASED_INTR_WINDOW_EXITING |
3696 CPU_BASED_NMI_WINDOW_EXITING)) ||
3697 kvm_apic_has_pending_init_or_sipi(vcpu) ||
3698 kvm_apic_has_interrupt(vcpu))
3699 kvm_make_request(KVM_REQ_EVENT, vcpu);
3700
3701 /*
3702 * Do not start the preemption timer hrtimer until after we know
3703 * we are successful, so that only nested_vmx_vmexit needs to cancel
3704 * the timer.
3705 */
3706 vmx->nested.preemption_timer_expired = false;
3707 if (nested_cpu_has_preemption_timer(vmcs12)) {
3708 u64 timer_value = vmx_calc_preemption_timer_value(vcpu);
3709 vmx_start_preemption_timer(vcpu, preemption_timeout: timer_value);
3710 }
3711
3712 /*
3713 * Note no nested_vmx_succeed or nested_vmx_fail here. At this point
3714 * we are no longer running L1, and VMLAUNCH/VMRESUME has not yet
3715 * returned as far as L1 is concerned. It will only return (and set
3716 * the success flag) when L2 exits (see nested_vmx_vmexit()).
3717 */
3718 return NVMX_VMENTRY_SUCCESS;
3719
3720 /*
3721 * A failed consistency check that leads to a VMExit during L1's
3722 * VMEnter to L2 is a variation of a normal VMexit, as explained in
3723 * 26.7 "VM-entry failures during or after loading guest state".
3724 */
3725vmentry_fail_vmexit_guest_mode:
3726 if (vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_TSC_OFFSETTING)
3727 vcpu->arch.tsc_offset -= vmcs12->tsc_offset;
3728 leave_guest_mode(vcpu);
3729
3730vmentry_fail_vmexit:
3731 vmx_switch_vmcs(vcpu, vmcs: &vmx->vmcs01);
3732
3733 if (!from_vmentry)
3734 return NVMX_VMENTRY_VMEXIT;
3735
3736 load_vmcs12_host_state(vcpu, vmcs12);
3737 vmcs12->vm_exit_reason = exit_reason.full;
3738 if (enable_shadow_vmcs || nested_vmx_is_evmptr12_valid(vmx))
3739 vmx->nested.need_vmcs12_to_shadow_sync = true;
3740 return NVMX_VMENTRY_VMEXIT;
3741}
3742
3743/*
3744 * nested_vmx_run() handles a nested entry, i.e., a VMLAUNCH or VMRESUME on L1
3745 * for running an L2 nested guest.
3746 */
3747static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
3748{
3749 struct vmcs12 *vmcs12;
3750 enum nvmx_vmentry_status status;
3751 struct vcpu_vmx *vmx = to_vmx(vcpu);
3752 u32 interrupt_shadow = vmx_get_interrupt_shadow(vcpu);
3753 enum nested_evmptrld_status evmptrld_status;
3754
3755 if (!nested_vmx_check_permission(vcpu))
3756 return 1;
3757
3758 evmptrld_status = nested_vmx_handle_enlightened_vmptrld(vcpu, from_launch: launch);
3759 if (evmptrld_status == EVMPTRLD_ERROR) {
3760 kvm_queue_exception(vcpu, UD_VECTOR);
3761 return 1;
3762 }
3763
3764 kvm_pmu_branch_retired(vcpu);
3765
3766 if (CC(evmptrld_status == EVMPTRLD_VMFAIL))
3767 return nested_vmx_failInvalid(vcpu);
3768
3769 if (CC(!nested_vmx_is_evmptr12_valid(vmx) &&
3770 vmx->nested.current_vmptr == INVALID_GPA))
3771 return nested_vmx_failInvalid(vcpu);
3772
3773 vmcs12 = get_vmcs12(vcpu);
3774
3775 /*
3776 * Can't VMLAUNCH or VMRESUME a shadow VMCS. Despite the fact
3777 * that there *is* a valid VMCS pointer, RFLAGS.CF is set
3778 * rather than RFLAGS.ZF, and no error number is stored to the
3779 * VM-instruction error field.
3780 */
3781 if (CC(vmcs12->hdr.shadow_vmcs))
3782 return nested_vmx_failInvalid(vcpu);
3783
3784 if (nested_vmx_is_evmptr12_valid(vmx)) {
3785 struct hv_enlightened_vmcs *evmcs = nested_vmx_evmcs(vmx);
3786
3787 copy_enlightened_to_vmcs12(vmx, hv_clean_fields: evmcs->hv_clean_fields);
3788 /* Enlightened VMCS doesn't have launch state */
3789 vmcs12->launch_state = !launch;
3790 } else if (enable_shadow_vmcs) {
3791 copy_shadow_to_vmcs12(vmx);
3792 }
3793
3794 /*
3795 * The nested entry process starts with enforcing various prerequisites
3796 * on vmcs12 as required by the Intel SDM, and act appropriately when
3797 * they fail: As the SDM explains, some conditions should cause the
3798 * instruction to fail, while others will cause the instruction to seem
3799 * to succeed, but return an EXIT_REASON_INVALID_STATE.
3800 * To speed up the normal (success) code path, we should avoid checking
3801 * for misconfigurations which will anyway be caught by the processor
3802 * when using the merged vmcs02.
3803 */
3804 if (CC(interrupt_shadow & KVM_X86_SHADOW_INT_MOV_SS))
3805 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_EVENTS_BLOCKED_BY_MOV_SS);
3806
3807 if (CC(vmcs12->launch_state == launch))
3808 return nested_vmx_fail(vcpu,
3809 vm_instruction_error: launch ? VMXERR_VMLAUNCH_NONCLEAR_VMCS
3810 : VMXERR_VMRESUME_NONLAUNCHED_VMCS);
3811
3812 if (nested_vmx_check_controls(vcpu, vmcs12))
3813 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_INVALID_CONTROL_FIELD);
3814
3815 if (nested_vmx_check_address_space_size(vcpu, vmcs12))
3816 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_INVALID_HOST_STATE_FIELD);
3817
3818 if (nested_vmx_check_host_state(vcpu, vmcs12))
3819 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_INVALID_HOST_STATE_FIELD);
3820
3821 /*
3822 * We're finally done with prerequisite checking, and can start with
3823 * the nested entry.
3824 */
3825 vmx->nested.nested_run_pending = 1;
3826 vmx->nested.has_preemption_timer_deadline = false;
3827 status = nested_vmx_enter_non_root_mode(vcpu, from_vmentry: true);
3828 if (unlikely(status != NVMX_VMENTRY_SUCCESS))
3829 goto vmentry_failed;
3830
3831 /* Hide L1D cache contents from the nested guest. */
3832 kvm_request_l1tf_flush_l1d();
3833
3834 /*
3835 * Must happen outside of nested_vmx_enter_non_root_mode() as it will
3836 * also be used as part of restoring nVMX state for
3837 * snapshot restore (migration).
3838 *
3839 * In this flow, it is assumed that vmcs12 cache was
3840 * transferred as part of captured nVMX state and should
3841 * therefore not be read from guest memory (which may not
3842 * exist on destination host yet).
3843 */
3844 nested_cache_shadow_vmcs12(vcpu, vmcs12);
3845
3846 switch (vmcs12->guest_activity_state) {
3847 case GUEST_ACTIVITY_HLT:
3848 /*
3849 * If we're entering a halted L2 vcpu and the L2 vcpu won't be
3850 * awakened by event injection or by an NMI-window VM-exit or
3851 * by an interrupt-window VM-exit, halt the vcpu.
3852 */
3853 if (!(vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK) &&
3854 !nested_cpu_has(vmcs12, CPU_BASED_NMI_WINDOW_EXITING) &&
3855 !(nested_cpu_has(vmcs12, CPU_BASED_INTR_WINDOW_EXITING) &&
3856 (vmcs12->guest_rflags & X86_EFLAGS_IF))) {
3857 vmx->nested.nested_run_pending = 0;
3858 return kvm_emulate_halt_noskip(vcpu);
3859 }
3860 break;
3861 case GUEST_ACTIVITY_WAIT_SIPI:
3862 vmx->nested.nested_run_pending = 0;
3863 kvm_set_mp_state(vcpu, KVM_MP_STATE_INIT_RECEIVED);
3864 break;
3865 default:
3866 break;
3867 }
3868
3869 return 1;
3870
3871vmentry_failed:
3872 vmx->nested.nested_run_pending = 0;
3873 if (status == NVMX_VMENTRY_KVM_INTERNAL_ERROR)
3874 return 0;
3875 if (status == NVMX_VMENTRY_VMEXIT)
3876 return 1;
3877 WARN_ON_ONCE(status != NVMX_VMENTRY_VMFAIL);
3878 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_INVALID_CONTROL_FIELD);
3879}
3880
3881/*
3882 * On a nested exit from L2 to L1, vmcs12.guest_cr0 might not be up-to-date
3883 * because L2 may have changed some cr0 bits directly (CR0_GUEST_HOST_MASK).
3884 * This function returns the new value we should put in vmcs12.guest_cr0.
3885 * It's not enough to just return the vmcs02 GUEST_CR0. Rather,
3886 * 1. Bits that neither L0 nor L1 trapped, were set directly by L2 and are now
3887 * available in vmcs02 GUEST_CR0. (Note: It's enough to check that L0
3888 * didn't trap the bit, because if L1 did, so would L0).
3889 * 2. Bits that L1 asked to trap (and therefore L0 also did) could not have
3890 * been modified by L2, and L1 knows it. So just leave the old value of
3891 * the bit from vmcs12.guest_cr0. Note that the bit from vmcs02 GUEST_CR0
3892 * isn't relevant, because if L0 traps this bit it can set it to anything.
3893 * 3. Bits that L1 didn't trap, but L0 did. L1 believes the guest could have
3894 * changed these bits, and therefore they need to be updated, but L0
3895 * didn't necessarily allow them to be changed in GUEST_CR0 - and rather
3896 * put them in vmcs02 CR0_READ_SHADOW. So take these bits from there.
3897 */
3898static inline unsigned long
3899vmcs12_guest_cr0(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
3900{
3901 return
3902 /*1*/ (vmcs_readl(field: GUEST_CR0) & vcpu->arch.cr0_guest_owned_bits) |
3903 /*2*/ (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask) |
3904 /*3*/ (vmcs_readl(field: CR0_READ_SHADOW) & ~(vmcs12->cr0_guest_host_mask |
3905 vcpu->arch.cr0_guest_owned_bits));
3906}
3907
3908static inline unsigned long
3909vmcs12_guest_cr4(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
3910{
3911 return
3912 /*1*/ (vmcs_readl(field: GUEST_CR4) & vcpu->arch.cr4_guest_owned_bits) |
3913 /*2*/ (vmcs12->guest_cr4 & vmcs12->cr4_guest_host_mask) |
3914 /*3*/ (vmcs_readl(field: CR4_READ_SHADOW) & ~(vmcs12->cr4_guest_host_mask |
3915 vcpu->arch.cr4_guest_owned_bits));
3916}
3917
3918static void vmcs12_save_pending_event(struct kvm_vcpu *vcpu,
3919 struct vmcs12 *vmcs12,
3920 u32 vm_exit_reason, u32 exit_intr_info)
3921{
3922 u32 idt_vectoring;
3923 unsigned int nr;
3924
3925 /*
3926 * Per the SDM, VM-Exits due to double and triple faults are never
3927 * considered to occur during event delivery, even if the double/triple
3928 * fault is the result of an escalating vectoring issue.
3929 *
3930 * Note, the SDM qualifies the double fault behavior with "The original
3931 * event results in a double-fault exception". It's unclear why the
3932 * qualification exists since exits due to double fault can occur only
3933 * while vectoring a different exception (injected events are never
3934 * subject to interception), i.e. there's _always_ an original event.
3935 *
3936 * The SDM also uses NMI as a confusing example for the "original event
3937 * causes the VM exit directly" clause. NMI isn't special in any way,
3938 * the same rule applies to all events that cause an exit directly.
3939 * NMI is an odd choice for the example because NMIs can only occur on
3940 * instruction boundaries, i.e. they _can't_ occur during vectoring.
3941 */
3942 if ((u16)vm_exit_reason == EXIT_REASON_TRIPLE_FAULT ||
3943 ((u16)vm_exit_reason == EXIT_REASON_EXCEPTION_NMI &&
3944 is_double_fault(intr_info: exit_intr_info))) {
3945 vmcs12->idt_vectoring_info_field = 0;
3946 } else if (vcpu->arch.exception.injected) {
3947 nr = vcpu->arch.exception.vector;
3948 idt_vectoring = nr | VECTORING_INFO_VALID_MASK;
3949
3950 if (kvm_exception_is_soft(nr)) {
3951 vmcs12->vm_exit_instruction_len =
3952 vcpu->arch.event_exit_inst_len;
3953 idt_vectoring |= INTR_TYPE_SOFT_EXCEPTION;
3954 } else
3955 idt_vectoring |= INTR_TYPE_HARD_EXCEPTION;
3956
3957 if (vcpu->arch.exception.has_error_code) {
3958 idt_vectoring |= VECTORING_INFO_DELIVER_CODE_MASK;
3959 vmcs12->idt_vectoring_error_code =
3960 vcpu->arch.exception.error_code;
3961 }
3962
3963 vmcs12->idt_vectoring_info_field = idt_vectoring;
3964 } else if (vcpu->arch.nmi_injected) {
3965 vmcs12->idt_vectoring_info_field =
3966 INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK | NMI_VECTOR;
3967 } else if (vcpu->arch.interrupt.injected) {
3968 nr = vcpu->arch.interrupt.nr;
3969 idt_vectoring = nr | VECTORING_INFO_VALID_MASK;
3970
3971 if (vcpu->arch.interrupt.soft) {
3972 idt_vectoring |= INTR_TYPE_SOFT_INTR;
3973 vmcs12->vm_entry_instruction_len =
3974 vcpu->arch.event_exit_inst_len;
3975 } else
3976 idt_vectoring |= INTR_TYPE_EXT_INTR;
3977
3978 vmcs12->idt_vectoring_info_field = idt_vectoring;
3979 } else {
3980 vmcs12->idt_vectoring_info_field = 0;
3981 }
3982}
3983
3984
3985void nested_mark_vmcs12_pages_dirty(struct kvm_vcpu *vcpu)
3986{
3987 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
3988 gfn_t gfn;
3989
3990 /*
3991 * Don't need to mark the APIC access page dirty; it is never
3992 * written to by the CPU during APIC virtualization.
3993 */
3994
3995 if (nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW)) {
3996 gfn = vmcs12->virtual_apic_page_addr >> PAGE_SHIFT;
3997 kvm_vcpu_mark_page_dirty(vcpu, gfn);
3998 }
3999
4000 if (nested_cpu_has_posted_intr(vmcs12)) {
4001 gfn = vmcs12->posted_intr_desc_addr >> PAGE_SHIFT;
4002 kvm_vcpu_mark_page_dirty(vcpu, gfn);
4003 }
4004}
4005
4006static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
4007{
4008 struct vcpu_vmx *vmx = to_vmx(vcpu);
4009 int max_irr;
4010 void *vapic_page;
4011 u16 status;
4012
4013 if (!vmx->nested.pi_pending)
4014 return 0;
4015
4016 if (!vmx->nested.pi_desc)
4017 goto mmio_needed;
4018
4019 vmx->nested.pi_pending = false;
4020
4021 if (!pi_test_and_clear_on(pi_desc: vmx->nested.pi_desc))
4022 return 0;
4023
4024 max_irr = pi_find_highest_vector(pi_desc: vmx->nested.pi_desc);
4025 if (max_irr > 0) {
4026 vapic_page = vmx->nested.virtual_apic_map.hva;
4027 if (!vapic_page)
4028 goto mmio_needed;
4029
4030 __kvm_apic_update_irr(pir: vmx->nested.pi_desc->pir,
4031 regs: vapic_page, max_irr: &max_irr);
4032 status = vmcs_read16(field: GUEST_INTR_STATUS);
4033 if ((u8)max_irr > ((u8)status & 0xff)) {
4034 status &= ~0xff;
4035 status |= (u8)max_irr;
4036 vmcs_write16(field: GUEST_INTR_STATUS, value: status);
4037 }
4038 }
4039
4040 nested_mark_vmcs12_pages_dirty(vcpu);
4041 return 0;
4042
4043mmio_needed:
4044 kvm_handle_memory_failure(vcpu, X86EMUL_IO_NEEDED, NULL);
4045 return -ENXIO;
4046}
4047
4048static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu)
4049{
4050 struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit;
4051 u32 intr_info = ex->vector | INTR_INFO_VALID_MASK;
4052 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
4053 unsigned long exit_qual;
4054
4055 if (ex->has_payload) {
4056 exit_qual = ex->payload;
4057 } else if (ex->vector == PF_VECTOR) {
4058 exit_qual = vcpu->arch.cr2;
4059 } else if (ex->vector == DB_VECTOR) {
4060 exit_qual = vcpu->arch.dr6;
4061 exit_qual &= ~DR6_BT;
4062 exit_qual ^= DR6_ACTIVE_LOW;
4063 } else {
4064 exit_qual = 0;
4065 }
4066
4067 /*
4068 * Unlike AMD's Paged Real Mode, which reports an error code on #PF
4069 * VM-Exits even if the CPU is in Real Mode, Intel VMX never sets the
4070 * "has error code" flags on VM-Exit if the CPU is in Real Mode.
4071 */
4072 if (ex->has_error_code && is_protmode(vcpu)) {
4073 /*
4074 * Intel CPUs do not generate error codes with bits 31:16 set,
4075 * and more importantly VMX disallows setting bits 31:16 in the
4076 * injected error code for VM-Entry. Drop the bits to mimic
4077 * hardware and avoid inducing failure on nested VM-Entry if L1
4078 * chooses to inject the exception back to L2. AMD CPUs _do_
4079 * generate "full" 32-bit error codes, so KVM allows userspace
4080 * to inject exception error codes with bits 31:16 set.
4081 */
4082 vmcs12->vm_exit_intr_error_code = (u16)ex->error_code;
4083 intr_info |= INTR_INFO_DELIVER_CODE_MASK;
4084 }
4085
4086 if (kvm_exception_is_soft(nr: ex->vector))
4087 intr_info |= INTR_TYPE_SOFT_EXCEPTION;
4088 else
4089 intr_info |= INTR_TYPE_HARD_EXCEPTION;
4090
4091 if (!(vmcs12->idt_vectoring_info_field & VECTORING_INFO_VALID_MASK) &&
4092 vmx_get_nmi_mask(vcpu))
4093 intr_info |= INTR_INFO_UNBLOCK_NMI;
4094
4095 nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI, exit_intr_info: intr_info, exit_qualification: exit_qual);
4096}
4097
4098/*
4099 * Returns true if a debug trap is (likely) pending delivery. Infer the class
4100 * of a #DB (trap-like vs. fault-like) from the exception payload (to-be-DR6).
4101 * Using the payload is flawed because code breakpoints (fault-like) and data
4102 * breakpoints (trap-like) set the same bits in DR6 (breakpoint detected), i.e.
4103 * this will return false positives if a to-be-injected code breakpoint #DB is
4104 * pending (from KVM's perspective, but not "pending" across an instruction
4105 * boundary). ICEBP, a.k.a. INT1, is also not reflected here even though it
4106 * too is trap-like.
4107 *
4108 * KVM "works" despite these flaws as ICEBP isn't currently supported by the
4109 * emulator, Monitor Trap Flag is not marked pending on intercepted #DBs (the
4110 * #DB has already happened), and MTF isn't marked pending on code breakpoints
4111 * from the emulator (because such #DBs are fault-like and thus don't trigger
4112 * actions that fire on instruction retire).
4113 */
4114static unsigned long vmx_get_pending_dbg_trap(struct kvm_queued_exception *ex)
4115{
4116 if (!ex->pending || ex->vector != DB_VECTOR)
4117 return 0;
4118
4119 /* General Detect #DBs are always fault-like. */
4120 return ex->payload & ~DR6_BD;
4121}
4122
4123/*
4124 * Returns true if there's a pending #DB exception that is lower priority than
4125 * a pending Monitor Trap Flag VM-Exit. TSS T-flag #DBs are not emulated by
4126 * KVM, but could theoretically be injected by userspace. Note, this code is
4127 * imperfect, see above.
4128 */
4129static bool vmx_is_low_priority_db_trap(struct kvm_queued_exception *ex)
4130{
4131 return vmx_get_pending_dbg_trap(ex) & ~DR6_BT;
4132}
4133
4134/*
4135 * Certain VM-exits set the 'pending debug exceptions' field to indicate a
4136 * recognized #DB (data or single-step) that has yet to be delivered. Since KVM
4137 * represents these debug traps with a payload that is said to be compatible
4138 * with the 'pending debug exceptions' field, write the payload to the VMCS
4139 * field if a VM-exit is delivered before the debug trap.
4140 */
4141static void nested_vmx_update_pending_dbg(struct kvm_vcpu *vcpu)
4142{
4143 unsigned long pending_dbg;
4144
4145 pending_dbg = vmx_get_pending_dbg_trap(ex: &vcpu->arch.exception);
4146 if (pending_dbg)
4147 vmcs_writel(field: GUEST_PENDING_DBG_EXCEPTIONS, value: pending_dbg);
4148}
4149
4150static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu)
4151{
4152 return nested_cpu_has_preemption_timer(vmcs12: get_vmcs12(vcpu)) &&
4153 to_vmx(vcpu)->nested.preemption_timer_expired;
4154}
4155
4156static bool vmx_has_nested_events(struct kvm_vcpu *vcpu, bool for_injection)
4157{
4158 struct vcpu_vmx *vmx = to_vmx(vcpu);
4159 void *vapic = vmx->nested.virtual_apic_map.hva;
4160 int max_irr, vppr;
4161
4162 if (nested_vmx_preemption_timer_pending(vcpu) ||
4163 vmx->nested.mtf_pending)
4164 return true;
4165
4166 /*
4167 * Virtual Interrupt Delivery doesn't require manual injection. Either
4168 * the interrupt is already in GUEST_RVI and will be recognized by CPU
4169 * at VM-Entry, or there is a KVM_REQ_EVENT pending and KVM will move
4170 * the interrupt from the PIR to RVI prior to entering the guest.
4171 */
4172 if (for_injection)
4173 return false;
4174
4175 if (!nested_cpu_has_vid(vmcs12: get_vmcs12(vcpu)) ||
4176 __vmx_interrupt_blocked(vcpu))
4177 return false;
4178
4179 if (!vapic)
4180 return false;
4181
4182 vppr = *((u32 *)(vapic + APIC_PROCPRI));
4183
4184 max_irr = vmx_get_rvi();
4185 if ((max_irr & 0xf0) > (vppr & 0xf0))
4186 return true;
4187
4188 if (vmx->nested.pi_pending && vmx->nested.pi_desc &&
4189 pi_test_on(pi_desc: vmx->nested.pi_desc)) {
4190 max_irr = pi_find_highest_vector(pi_desc: vmx->nested.pi_desc);
4191 if (max_irr > 0 && (max_irr & 0xf0) > (vppr & 0xf0))
4192 return true;
4193 }
4194
4195 return false;
4196}
4197
4198/*
4199 * Per the Intel SDM's table "Priority Among Concurrent Events", with minor
4200 * edits to fill in missing examples, e.g. #DB due to split-lock accesses,
4201 * and less minor edits to splice in the priority of VMX Non-Root specific
4202 * events, e.g. MTF and NMI/INTR-window exiting.
4203 *
4204 * 1 Hardware Reset and Machine Checks
4205 * - RESET
4206 * - Machine Check
4207 *
4208 * 2 Trap on Task Switch
4209 * - T flag in TSS is set (on task switch)
4210 *
4211 * 3 External Hardware Interventions
4212 * - FLUSH
4213 * - STOPCLK
4214 * - SMI
4215 * - INIT
4216 *
4217 * 3.5 Monitor Trap Flag (MTF) VM-exit[1]
4218 *
4219 * 4 Traps on Previous Instruction
4220 * - Breakpoints
4221 * - Trap-class Debug Exceptions (#DB due to TF flag set, data/I-O
4222 * breakpoint, or #DB due to a split-lock access)
4223 *
4224 * 4.3 VMX-preemption timer expired VM-exit
4225 *
4226 * 4.6 NMI-window exiting VM-exit[2]
4227 *
4228 * 5 Nonmaskable Interrupts (NMI)
4229 *
4230 * 5.5 Interrupt-window exiting VM-exit and Virtual-interrupt delivery
4231 *
4232 * 6 Maskable Hardware Interrupts
4233 *
4234 * 7 Code Breakpoint Fault
4235 *
4236 * 8 Faults from Fetching Next Instruction
4237 * - Code-Segment Limit Violation
4238 * - Code Page Fault
4239 * - Control protection exception (missing ENDBRANCH at target of indirect
4240 * call or jump)
4241 *
4242 * 9 Faults from Decoding Next Instruction
4243 * - Instruction length > 15 bytes
4244 * - Invalid Opcode
4245 * - Coprocessor Not Available
4246 *
4247 *10 Faults on Executing Instruction
4248 * - Overflow
4249 * - Bound error
4250 * - Invalid TSS
4251 * - Segment Not Present
4252 * - Stack fault
4253 * - General Protection
4254 * - Data Page Fault
4255 * - Alignment Check
4256 * - x86 FPU Floating-point exception
4257 * - SIMD floating-point exception
4258 * - Virtualization exception
4259 * - Control protection exception
4260 *
4261 * [1] Per the "Monitor Trap Flag" section: System-management interrupts (SMIs),
4262 * INIT signals, and higher priority events take priority over MTF VM exits.
4263 * MTF VM exits take priority over debug-trap exceptions and lower priority
4264 * events.
4265 *
4266 * [2] Debug-trap exceptions and higher priority events take priority over VM exits
4267 * caused by the VMX-preemption timer. VM exits caused by the VMX-preemption
4268 * timer take priority over VM exits caused by the "NMI-window exiting"
4269 * VM-execution control and lower priority events.
4270 *
4271 * [3] Debug-trap exceptions and higher priority events take priority over VM exits
4272 * caused by "NMI-window exiting". VM exits caused by this control take
4273 * priority over non-maskable interrupts (NMIs) and lower priority events.
4274 *
4275 * [4] Virtual-interrupt delivery has the same priority as that of VM exits due to
4276 * the 1-setting of the "interrupt-window exiting" VM-execution control. Thus,
4277 * non-maskable interrupts (NMIs) and higher priority events take priority over
4278 * delivery of a virtual interrupt; delivery of a virtual interrupt takes
4279 * priority over external interrupts and lower priority events.
4280 */
4281static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
4282{
4283 struct kvm_lapic *apic = vcpu->arch.apic;
4284 struct vcpu_vmx *vmx = to_vmx(vcpu);
4285 /*
4286 * Only a pending nested run blocks a pending exception. If there is a
4287 * previously injected event, the pending exception occurred while said
4288 * event was being delivered and thus needs to be handled.
4289 */
4290 bool block_nested_exceptions = vmx->nested.nested_run_pending;
4291 /*
4292 * Events that don't require injection, i.e. that are virtualized by
4293 * hardware, aren't blocked by a pending VM-Enter as KVM doesn't need
4294 * to regain control in order to deliver the event, and hardware will
4295 * handle event ordering, e.g. with respect to injected exceptions.
4296 *
4297 * But, new events (not exceptions) are only recognized at instruction
4298 * boundaries. If an event needs reinjection, then KVM is handling a
4299 * VM-Exit that occurred _during_ instruction execution; new events,
4300 * irrespective of whether or not they're injected, are blocked until
4301 * the instruction completes.
4302 */
4303 bool block_non_injected_events = kvm_event_needs_reinjection(vcpu);
4304 /*
4305 * Inject events are blocked by nested VM-Enter, as KVM is responsible
4306 * for managing priority between concurrent events, i.e. KVM needs to
4307 * wait until after VM-Enter completes to deliver injected events.
4308 */
4309 bool block_nested_events = block_nested_exceptions ||
4310 block_non_injected_events;
4311
4312 if (lapic_in_kernel(vcpu) &&
4313 test_bit(KVM_APIC_INIT, &apic->pending_events)) {
4314 if (block_nested_events)
4315 return -EBUSY;
4316 nested_vmx_update_pending_dbg(vcpu);
4317 clear_bit(KVM_APIC_INIT, addr: &apic->pending_events);
4318 if (vcpu->arch.mp_state != KVM_MP_STATE_INIT_RECEIVED)
4319 nested_vmx_vmexit(vcpu, EXIT_REASON_INIT_SIGNAL, exit_intr_info: 0, exit_qualification: 0);
4320
4321 /* MTF is discarded if the vCPU is in WFS. */
4322 vmx->nested.mtf_pending = false;
4323 return 0;
4324 }
4325
4326 if (lapic_in_kernel(vcpu) &&
4327 test_bit(KVM_APIC_SIPI, &apic->pending_events)) {
4328 if (block_nested_events)
4329 return -EBUSY;
4330
4331 clear_bit(KVM_APIC_SIPI, addr: &apic->pending_events);
4332 if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) {
4333 nested_vmx_vmexit(vcpu, EXIT_REASON_SIPI_SIGNAL, exit_intr_info: 0,
4334 exit_qualification: apic->sipi_vector & 0xFFUL);
4335 return 0;
4336 }
4337 /* Fallthrough, the SIPI is completely ignored. */
4338 }
4339
4340 /*
4341 * Process exceptions that are higher priority than Monitor Trap Flag:
4342 * fault-like exceptions, TSS T flag #DB (not emulated by KVM, but
4343 * could theoretically come in from userspace), and ICEBP (INT1).
4344 *
4345 * TODO: SMIs have higher priority than MTF and trap-like #DBs (except
4346 * for TSS T flag #DBs). KVM also doesn't save/restore pending MTF
4347 * across SMI/RSM as it should; that needs to be addressed in order to
4348 * prioritize SMI over MTF and trap-like #DBs.
4349 */
4350 if (vcpu->arch.exception_vmexit.pending &&
4351 !vmx_is_low_priority_db_trap(ex: &vcpu->arch.exception_vmexit)) {
4352 if (block_nested_exceptions)
4353 return -EBUSY;
4354
4355 nested_vmx_inject_exception_vmexit(vcpu);
4356 return 0;
4357 }
4358
4359 if (vcpu->arch.exception.pending &&
4360 !vmx_is_low_priority_db_trap(ex: &vcpu->arch.exception)) {
4361 if (block_nested_exceptions)
4362 return -EBUSY;
4363 goto no_vmexit;
4364 }
4365
4366 if (vmx->nested.mtf_pending) {
4367 if (block_nested_events)
4368 return -EBUSY;
4369 nested_vmx_update_pending_dbg(vcpu);
4370 nested_vmx_vmexit(vcpu, EXIT_REASON_MONITOR_TRAP_FLAG, exit_intr_info: 0, exit_qualification: 0);
4371 return 0;
4372 }
4373
4374 if (vcpu->arch.exception_vmexit.pending) {
4375 if (block_nested_exceptions)
4376 return -EBUSY;
4377
4378 nested_vmx_inject_exception_vmexit(vcpu);
4379 return 0;
4380 }
4381
4382 if (vcpu->arch.exception.pending) {
4383 if (block_nested_exceptions)
4384 return -EBUSY;
4385 goto no_vmexit;
4386 }
4387
4388 if (nested_vmx_preemption_timer_pending(vcpu)) {
4389 if (block_nested_events)
4390 return -EBUSY;
4391 nested_vmx_vmexit(vcpu, EXIT_REASON_PREEMPTION_TIMER, exit_intr_info: 0, exit_qualification: 0);
4392 return 0;
4393 }
4394
4395 if (vcpu->arch.smi_pending && !is_smm(vcpu)) {
4396 if (block_nested_events)
4397 return -EBUSY;
4398 goto no_vmexit;
4399 }
4400
4401 if (vcpu->arch.nmi_pending && !vmx_nmi_blocked(vcpu)) {
4402 if (block_nested_events)
4403 return -EBUSY;
4404 if (!nested_exit_on_nmi(vcpu))
4405 goto no_vmexit;
4406
4407 nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
4408 NMI_VECTOR | INTR_TYPE_NMI_INTR |
4409 INTR_INFO_VALID_MASK, exit_qualification: 0);
4410 /*
4411 * The NMI-triggered VM exit counts as injection:
4412 * clear this one and block further NMIs.
4413 */
4414 vcpu->arch.nmi_pending = 0;
4415 vmx_set_nmi_mask(vcpu, masked: true);
4416 return 0;
4417 }
4418
4419 if (kvm_cpu_has_interrupt(vcpu) && !vmx_interrupt_blocked(vcpu)) {
4420 int irq;
4421
4422 if (!nested_exit_on_intr(vcpu)) {
4423 if (block_nested_events)
4424 return -EBUSY;
4425
4426 goto no_vmexit;
4427 }
4428
4429 if (!nested_exit_intr_ack_set(vcpu)) {
4430 if (block_nested_events)
4431 return -EBUSY;
4432
4433 nested_vmx_vmexit(vcpu, EXIT_REASON_EXTERNAL_INTERRUPT, exit_intr_info: 0, exit_qualification: 0);
4434 return 0;
4435 }
4436
4437 irq = kvm_cpu_get_extint(v: vcpu);
4438 if (irq != -1) {
4439 if (block_nested_events)
4440 return -EBUSY;
4441
4442 nested_vmx_vmexit(vcpu, EXIT_REASON_EXTERNAL_INTERRUPT,
4443 INTR_INFO_VALID_MASK | INTR_TYPE_EXT_INTR | irq, exit_qualification: 0);
4444 return 0;
4445 }
4446
4447 irq = kvm_apic_has_interrupt(vcpu);
4448 if (WARN_ON_ONCE(irq < 0))
4449 goto no_vmexit;
4450
4451 /*
4452 * If the IRQ is L2's PI notification vector, process posted
4453 * interrupts for L2 instead of injecting VM-Exit, as the
4454 * detection/morphing architecturally occurs when the IRQ is
4455 * delivered to the CPU. Note, only interrupts that are routed
4456 * through the local APIC trigger posted interrupt processing,
4457 * and enabling posted interrupts requires ACK-on-exit.
4458 */
4459 if (irq == vmx->nested.posted_intr_nv) {
4460 /*
4461 * Nested posted interrupts are delivered via RVI, i.e.
4462 * aren't injected by KVM, and so can be queued even if
4463 * manual event injection is disallowed.
4464 */
4465 if (block_non_injected_events)
4466 return -EBUSY;
4467
4468 vmx->nested.pi_pending = true;
4469 kvm_apic_clear_irr(vcpu, vec: irq);
4470 goto no_vmexit;
4471 }
4472
4473 if (block_nested_events)
4474 return -EBUSY;
4475
4476 nested_vmx_vmexit(vcpu, EXIT_REASON_EXTERNAL_INTERRUPT,
4477 INTR_INFO_VALID_MASK | INTR_TYPE_EXT_INTR | irq, exit_qualification: 0);
4478
4479 /*
4480 * ACK the interrupt _after_ emulating VM-Exit, as the IRQ must
4481 * be marked as in-service in vmcs01.GUEST_INTERRUPT_STATUS.SVI
4482 * if APICv is active.
4483 */
4484 kvm_apic_ack_interrupt(vcpu, vector: irq);
4485 return 0;
4486 }
4487
4488no_vmexit:
4489 return vmx_complete_nested_posted_interrupt(vcpu);
4490}
4491
4492static u32 vmx_get_preemption_timer_value(struct kvm_vcpu *vcpu)
4493{
4494 ktime_t remaining =
4495 hrtimer_get_remaining(timer: &to_vmx(vcpu)->nested.preemption_timer);
4496 u64 value;
4497
4498 if (ktime_to_ns(kt: remaining) <= 0)
4499 return 0;
4500
4501 value = ktime_to_ns(kt: remaining) * vcpu->arch.virtual_tsc_khz;
4502 do_div(value, 1000000);
4503 return value >> VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE;
4504}
4505
4506static bool is_vmcs12_ext_field(unsigned long field)
4507{
4508 switch (field) {
4509 case GUEST_ES_SELECTOR:
4510 case GUEST_CS_SELECTOR:
4511 case GUEST_SS_SELECTOR:
4512 case GUEST_DS_SELECTOR:
4513 case GUEST_FS_SELECTOR:
4514 case GUEST_GS_SELECTOR:
4515 case GUEST_LDTR_SELECTOR:
4516 case GUEST_TR_SELECTOR:
4517 case GUEST_ES_LIMIT:
4518 case GUEST_CS_LIMIT:
4519 case GUEST_SS_LIMIT:
4520 case GUEST_DS_LIMIT:
4521 case GUEST_FS_LIMIT:
4522 case GUEST_GS_LIMIT:
4523 case GUEST_LDTR_LIMIT:
4524 case GUEST_TR_LIMIT:
4525 case GUEST_GDTR_LIMIT:
4526 case GUEST_IDTR_LIMIT:
4527 case GUEST_ES_AR_BYTES:
4528 case GUEST_DS_AR_BYTES:
4529 case GUEST_FS_AR_BYTES:
4530 case GUEST_GS_AR_BYTES:
4531 case GUEST_LDTR_AR_BYTES:
4532 case GUEST_TR_AR_BYTES:
4533 case GUEST_ES_BASE:
4534 case GUEST_CS_BASE:
4535 case GUEST_SS_BASE:
4536 case GUEST_DS_BASE:
4537 case GUEST_FS_BASE:
4538 case GUEST_GS_BASE:
4539 case GUEST_LDTR_BASE:
4540 case GUEST_TR_BASE:
4541 case GUEST_GDTR_BASE:
4542 case GUEST_IDTR_BASE:
4543 case GUEST_PENDING_DBG_EXCEPTIONS:
4544 case GUEST_BNDCFGS:
4545 return true;
4546 default:
4547 break;
4548 }
4549
4550 return false;
4551}
4552
4553static void sync_vmcs02_to_vmcs12_rare(struct kvm_vcpu *vcpu,
4554 struct vmcs12 *vmcs12)
4555{
4556 struct vcpu_vmx *vmx = to_vmx(vcpu);
4557
4558 vmcs12->guest_es_selector = vmcs_read16(field: GUEST_ES_SELECTOR);
4559 vmcs12->guest_cs_selector = vmcs_read16(field: GUEST_CS_SELECTOR);
4560 vmcs12->guest_ss_selector = vmcs_read16(field: GUEST_SS_SELECTOR);
4561 vmcs12->guest_ds_selector = vmcs_read16(field: GUEST_DS_SELECTOR);
4562 vmcs12->guest_fs_selector = vmcs_read16(field: GUEST_FS_SELECTOR);
4563 vmcs12->guest_gs_selector = vmcs_read16(field: GUEST_GS_SELECTOR);
4564 vmcs12->guest_ldtr_selector = vmcs_read16(field: GUEST_LDTR_SELECTOR);
4565 vmcs12->guest_tr_selector = vmcs_read16(field: GUEST_TR_SELECTOR);
4566 vmcs12->guest_es_limit = vmcs_read32(field: GUEST_ES_LIMIT);
4567 vmcs12->guest_cs_limit = vmcs_read32(field: GUEST_CS_LIMIT);
4568 vmcs12->guest_ss_limit = vmcs_read32(field: GUEST_SS_LIMIT);
4569 vmcs12->guest_ds_limit = vmcs_read32(field: GUEST_DS_LIMIT);
4570 vmcs12->guest_fs_limit = vmcs_read32(field: GUEST_FS_LIMIT);
4571 vmcs12->guest_gs_limit = vmcs_read32(field: GUEST_GS_LIMIT);
4572 vmcs12->guest_ldtr_limit = vmcs_read32(field: GUEST_LDTR_LIMIT);
4573 vmcs12->guest_tr_limit = vmcs_read32(field: GUEST_TR_LIMIT);
4574 vmcs12->guest_gdtr_limit = vmcs_read32(field: GUEST_GDTR_LIMIT);
4575 vmcs12->guest_idtr_limit = vmcs_read32(field: GUEST_IDTR_LIMIT);
4576 vmcs12->guest_es_ar_bytes = vmcs_read32(field: GUEST_ES_AR_BYTES);
4577 vmcs12->guest_ds_ar_bytes = vmcs_read32(field: GUEST_DS_AR_BYTES);
4578 vmcs12->guest_fs_ar_bytes = vmcs_read32(field: GUEST_FS_AR_BYTES);
4579 vmcs12->guest_gs_ar_bytes = vmcs_read32(field: GUEST_GS_AR_BYTES);
4580 vmcs12->guest_ldtr_ar_bytes = vmcs_read32(field: GUEST_LDTR_AR_BYTES);
4581 vmcs12->guest_tr_ar_bytes = vmcs_read32(field: GUEST_TR_AR_BYTES);
4582 vmcs12->guest_es_base = vmcs_readl(field: GUEST_ES_BASE);
4583 vmcs12->guest_cs_base = vmcs_readl(field: GUEST_CS_BASE);
4584 vmcs12->guest_ss_base = vmcs_readl(field: GUEST_SS_BASE);
4585 vmcs12->guest_ds_base = vmcs_readl(field: GUEST_DS_BASE);
4586 vmcs12->guest_fs_base = vmcs_readl(field: GUEST_FS_BASE);
4587 vmcs12->guest_gs_base = vmcs_readl(field: GUEST_GS_BASE);
4588 vmcs12->guest_ldtr_base = vmcs_readl(field: GUEST_LDTR_BASE);
4589 vmcs12->guest_tr_base = vmcs_readl(field: GUEST_TR_BASE);
4590 vmcs12->guest_gdtr_base = vmcs_readl(field: GUEST_GDTR_BASE);
4591 vmcs12->guest_idtr_base = vmcs_readl(field: GUEST_IDTR_BASE);
4592 vmcs12->guest_pending_dbg_exceptions =
4593 vmcs_readl(field: GUEST_PENDING_DBG_EXCEPTIONS);
4594
4595 vmx->nested.need_sync_vmcs02_to_vmcs12_rare = false;
4596}
4597
4598static void copy_vmcs02_to_vmcs12_rare(struct kvm_vcpu *vcpu,
4599 struct vmcs12 *vmcs12)
4600{
4601 struct vcpu_vmx *vmx = to_vmx(vcpu);
4602 int cpu;
4603
4604 if (!vmx->nested.need_sync_vmcs02_to_vmcs12_rare)
4605 return;
4606
4607
4608 WARN_ON_ONCE(vmx->loaded_vmcs != &vmx->vmcs01);
4609
4610 cpu = get_cpu();
4611 vmx->loaded_vmcs = &vmx->nested.vmcs02;
4612 vmx_vcpu_load_vmcs(vcpu, cpu);
4613
4614 sync_vmcs02_to_vmcs12_rare(vcpu, vmcs12);
4615
4616 vmx->loaded_vmcs = &vmx->vmcs01;
4617 vmx_vcpu_load_vmcs(vcpu, cpu);
4618 put_cpu();
4619}
4620
4621/*
4622 * Update the guest state fields of vmcs12 to reflect changes that
4623 * occurred while L2 was running. (The "IA-32e mode guest" bit of the
4624 * VM-entry controls is also updated, since this is really a guest
4625 * state bit.)
4626 */
4627static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
4628{
4629 struct vcpu_vmx *vmx = to_vmx(vcpu);
4630
4631 if (nested_vmx_is_evmptr12_valid(vmx))
4632 sync_vmcs02_to_vmcs12_rare(vcpu, vmcs12);
4633
4634 vmx->nested.need_sync_vmcs02_to_vmcs12_rare =
4635 !nested_vmx_is_evmptr12_valid(vmx);
4636
4637 vmcs12->guest_cr0 = vmcs12_guest_cr0(vcpu, vmcs12);
4638 vmcs12->guest_cr4 = vmcs12_guest_cr4(vcpu, vmcs12);
4639
4640 vmcs12->guest_rsp = kvm_rsp_read(vcpu);
4641 vmcs12->guest_rip = kvm_rip_read(vcpu);
4642 vmcs12->guest_rflags = vmcs_readl(field: GUEST_RFLAGS);
4643
4644 vmcs12->guest_cs_ar_bytes = vmcs_read32(field: GUEST_CS_AR_BYTES);
4645 vmcs12->guest_ss_ar_bytes = vmcs_read32(field: GUEST_SS_AR_BYTES);
4646
4647 vmcs12->guest_interruptibility_info =
4648 vmcs_read32(field: GUEST_INTERRUPTIBILITY_INFO);
4649
4650 if (vcpu->arch.mp_state == KVM_MP_STATE_HALTED)
4651 vmcs12->guest_activity_state = GUEST_ACTIVITY_HLT;
4652 else if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED)
4653 vmcs12->guest_activity_state = GUEST_ACTIVITY_WAIT_SIPI;
4654 else
4655 vmcs12->guest_activity_state = GUEST_ACTIVITY_ACTIVE;
4656
4657 if (nested_cpu_has_preemption_timer(vmcs12) &&
4658 vmcs12->vm_exit_controls & VM_EXIT_SAVE_VMX_PREEMPTION_TIMER &&
4659 !vmx->nested.nested_run_pending)
4660 vmcs12->vmx_preemption_timer_value =
4661 vmx_get_preemption_timer_value(vcpu);
4662
4663 /*
4664 * In some cases (usually, nested EPT), L2 is allowed to change its
4665 * own CR3 without exiting. If it has changed it, we must keep it.
4666 * Of course, if L0 is using shadow page tables, GUEST_CR3 was defined
4667 * by L0, not L1 or L2, so we mustn't unconditionally copy it to vmcs12.
4668 *
4669 * Additionally, restore L2's PDPTR to vmcs12.
4670 */
4671 if (enable_ept) {
4672 vmcs12->guest_cr3 = vmcs_readl(field: GUEST_CR3);
4673 if (nested_cpu_has_ept(vmcs12) && is_pae_paging(vcpu)) {
4674 vmcs12->guest_pdptr0 = vmcs_read64(field: GUEST_PDPTR0);
4675 vmcs12->guest_pdptr1 = vmcs_read64(field: GUEST_PDPTR1);
4676 vmcs12->guest_pdptr2 = vmcs_read64(field: GUEST_PDPTR2);
4677 vmcs12->guest_pdptr3 = vmcs_read64(field: GUEST_PDPTR3);
4678 }
4679 }
4680
4681 vmcs12->guest_linear_address = vmcs_readl(field: GUEST_LINEAR_ADDRESS);
4682
4683 if (nested_cpu_has_vid(vmcs12))
4684 vmcs12->guest_intr_status = vmcs_read16(field: GUEST_INTR_STATUS);
4685
4686 vmcs12->vm_entry_controls =
4687 (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) |
4688 (vm_entry_controls_get(vmx: to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE);
4689
4690 /*
4691 * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02.
4692 * Writes to DEBUGCTL that aren't intercepted by L1 are immediately
4693 * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into
4694 * vmcs02 doesn't strictly track vmcs12.
4695 */
4696 if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS)
4697 vmcs12->guest_dr7 = vcpu->arch.dr7;
4698
4699 if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_IA32_EFER)
4700 vmcs12->guest_ia32_efer = vcpu->arch.efer;
4701
4702 vmcs_read_cet_state(vcpu: &vmx->vcpu, s_cet: &vmcs12->guest_s_cet,
4703 ssp: &vmcs12->guest_ssp,
4704 ssp_tbl: &vmcs12->guest_ssp_tbl);
4705}
4706
4707/*
4708 * prepare_vmcs12 is part of what we need to do when the nested L2 guest exits
4709 * and we want to prepare to run its L1 parent. L1 keeps a vmcs for L2 (vmcs12),
4710 * and this function updates it to reflect the changes to the guest state while
4711 * L2 was running (and perhaps made some exits which were handled directly by L0
4712 * without going back to L1), and to reflect the exit reason.
4713 * Note that we do not have to copy here all VMCS fields, just those that
4714 * could have changed by the L2 guest or the exit - i.e., the guest-state and
4715 * exit-information fields only. Other fields are modified by L1 with VMWRITE,
4716 * which already writes to vmcs12 directly.
4717 */
4718static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
4719 u32 vm_exit_reason, u32 exit_intr_info,
4720 unsigned long exit_qualification, u32 exit_insn_len)
4721{
4722 /* update exit information fields: */
4723 vmcs12->vm_exit_reason = vm_exit_reason;
4724 if (vmx_get_exit_reason(vcpu).enclave_mode)
4725 vmcs12->vm_exit_reason |= VMX_EXIT_REASONS_SGX_ENCLAVE_MODE;
4726 vmcs12->exit_qualification = exit_qualification;
4727
4728 /*
4729 * On VM-Exit due to a failed VM-Entry, the VMCS isn't marked launched
4730 * and only EXIT_REASON and EXIT_QUALIFICATION are updated, all other
4731 * exit info fields are unmodified.
4732 */
4733 if (!(vmcs12->vm_exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY)) {
4734 vmcs12->launch_state = 1;
4735
4736 /* vm_entry_intr_info_field is cleared on exit. Emulate this
4737 * instead of reading the real value. */
4738 vmcs12->vm_entry_intr_info_field &= ~INTR_INFO_VALID_MASK;
4739
4740 /*
4741 * Transfer the event that L0 or L1 may wanted to inject into
4742 * L2 to IDT_VECTORING_INFO_FIELD.
4743 */
4744 vmcs12_save_pending_event(vcpu, vmcs12,
4745 vm_exit_reason, exit_intr_info);
4746
4747 vmcs12->vm_exit_intr_info = exit_intr_info;
4748 vmcs12->vm_exit_instruction_len = exit_insn_len;
4749 vmcs12->vmx_instruction_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
4750
4751 /*
4752 * According to spec, there's no need to store the guest's
4753 * MSRs if the exit is due to a VM-entry failure that occurs
4754 * during or after loading the guest state. Since this exit
4755 * does not fall in that category, we need to save the MSRs.
4756 */
4757 if (nested_vmx_store_msr(vcpu,
4758 gpa: vmcs12->vm_exit_msr_store_addr,
4759 count: vmcs12->vm_exit_msr_store_count))
4760 nested_vmx_abort(vcpu,
4761 VMX_ABORT_SAVE_GUEST_MSR_FAIL);
4762 }
4763}
4764
4765/*
4766 * A part of what we need to when the nested L2 guest exits and we want to
4767 * run its L1 parent, is to reset L1's guest state to the host state specified
4768 * in vmcs12.
4769 * This function is to be called not only on normal nested exit, but also on
4770 * a nested entry failure, as explained in Intel's spec, 3B.23.7 ("VM-Entry
4771 * Failures During or After Loading Guest State").
4772 * This function should be called when the active VMCS is L1's (vmcs01).
4773 */
4774static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
4775 struct vmcs12 *vmcs12)
4776{
4777 enum vm_entry_failure_code ignored;
4778 struct kvm_segment seg;
4779
4780 if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER)
4781 vcpu->arch.efer = vmcs12->host_ia32_efer;
4782 else if (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
4783 vcpu->arch.efer |= (EFER_LMA | EFER_LME);
4784 else
4785 vcpu->arch.efer &= ~(EFER_LMA | EFER_LME);
4786 vmx_set_efer(vcpu, efer: vcpu->arch.efer);
4787
4788 kvm_rsp_write(vcpu, val: vmcs12->host_rsp);
4789 kvm_rip_write(vcpu, val: vmcs12->host_rip);
4790 vmx_set_rflags(vcpu, X86_EFLAGS_FIXED);
4791 vmx_set_interrupt_shadow(vcpu, mask: 0);
4792
4793 /*
4794 * Note that calling vmx_set_cr0 is important, even if cr0 hasn't
4795 * actually changed, because vmx_set_cr0 refers to efer set above.
4796 *
4797 * CR0_GUEST_HOST_MASK is already set in the original vmcs01
4798 * (KVM doesn't change it);
4799 */
4800 vcpu->arch.cr0_guest_owned_bits = vmx_l1_guest_owned_cr0_bits();
4801 vmx_set_cr0(vcpu, cr0: vmcs12->host_cr0);
4802
4803 /* Same as above - no reason to call set_cr4_guest_host_mask(). */
4804 vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(field: CR4_GUEST_HOST_MASK);
4805 vmx_set_cr4(vcpu, cr4: vmcs12->host_cr4);
4806
4807 nested_ept_uninit_mmu_context(vcpu);
4808
4809 /*
4810 * Only PDPTE load can fail as the value of cr3 was checked on entry and
4811 * couldn't have changed.
4812 */
4813 if (nested_vmx_load_cr3(vcpu, cr3: vmcs12->host_cr3, nested_ept: false, reload_pdptrs: true, entry_failure_code: &ignored))
4814 nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_PDPTE_FAIL);
4815
4816 nested_vmx_transition_tlb_flush(vcpu, vmcs12, is_vmenter: false);
4817
4818 vmcs_write32(field: GUEST_SYSENTER_CS, value: vmcs12->host_ia32_sysenter_cs);
4819 vmcs_writel(field: GUEST_SYSENTER_ESP, value: vmcs12->host_ia32_sysenter_esp);
4820 vmcs_writel(field: GUEST_SYSENTER_EIP, value: vmcs12->host_ia32_sysenter_eip);
4821 vmcs_writel(field: GUEST_IDTR_BASE, value: vmcs12->host_idtr_base);
4822 vmcs_writel(field: GUEST_GDTR_BASE, value: vmcs12->host_gdtr_base);
4823 vmcs_write32(field: GUEST_IDTR_LIMIT, value: 0xFFFF);
4824 vmcs_write32(field: GUEST_GDTR_LIMIT, value: 0xFFFF);
4825
4826 /* If not VM_EXIT_CLEAR_BNDCFGS, the L2 value propagates to L1. */
4827 if (vmcs12->vm_exit_controls & VM_EXIT_CLEAR_BNDCFGS)
4828 vmcs_write64(field: GUEST_BNDCFGS, value: 0);
4829
4830 /*
4831 * Load CET state from host state if VM_EXIT_LOAD_CET_STATE is set.
4832 * otherwise CET state should be retained across VM-exit, i.e.,
4833 * guest values should be propagated from vmcs12 to vmcs01.
4834 */
4835 if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_CET_STATE)
4836 vmcs_write_cet_state(vcpu, s_cet: vmcs12->host_s_cet, ssp: vmcs12->host_ssp,
4837 ssp_tbl: vmcs12->host_ssp_tbl);
4838 else
4839 vmcs_write_cet_state(vcpu, s_cet: vmcs12->guest_s_cet, ssp: vmcs12->guest_ssp,
4840 ssp_tbl: vmcs12->guest_ssp_tbl);
4841
4842 if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PAT) {
4843 vmcs_write64(field: GUEST_IA32_PAT, value: vmcs12->host_ia32_pat);
4844 vcpu->arch.pat = vmcs12->host_ia32_pat;
4845 }
4846 if ((vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL) &&
4847 kvm_pmu_has_perf_global_ctrl(vcpu_to_pmu(vcpu)))
4848 WARN_ON_ONCE(__kvm_emulate_msr_write(vcpu, MSR_CORE_PERF_GLOBAL_CTRL,
4849 vmcs12->host_ia32_perf_global_ctrl));
4850
4851 /* Set L1 segment info according to Intel SDM
4852 27.5.2 Loading Host Segment and Descriptor-Table Registers */
4853 seg = (struct kvm_segment) {
4854 .base = 0,
4855 .limit = 0xFFFFFFFF,
4856 .selector = vmcs12->host_cs_selector,
4857 .type = 11,
4858 .present = 1,
4859 .s = 1,
4860 .g = 1
4861 };
4862 if (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
4863 seg.l = 1;
4864 else
4865 seg.db = 1;
4866 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_CS);
4867 seg = (struct kvm_segment) {
4868 .base = 0,
4869 .limit = 0xFFFFFFFF,
4870 .type = 3,
4871 .present = 1,
4872 .s = 1,
4873 .db = 1,
4874 .g = 1
4875 };
4876 seg.selector = vmcs12->host_ds_selector;
4877 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_DS);
4878 seg.selector = vmcs12->host_es_selector;
4879 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_ES);
4880 seg.selector = vmcs12->host_ss_selector;
4881 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_SS);
4882 seg.selector = vmcs12->host_fs_selector;
4883 seg.base = vmcs12->host_fs_base;
4884 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_FS);
4885 seg.selector = vmcs12->host_gs_selector;
4886 seg.base = vmcs12->host_gs_base;
4887 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_GS);
4888 seg = (struct kvm_segment) {
4889 .base = vmcs12->host_tr_base,
4890 .limit = 0x67,
4891 .selector = vmcs12->host_tr_selector,
4892 .type = 11,
4893 .present = 1
4894 };
4895 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_TR);
4896
4897 memset(&seg, 0, sizeof(seg));
4898 seg.unusable = 1;
4899 __vmx_set_segment(vcpu, var: &seg, seg: VCPU_SREG_LDTR);
4900
4901 kvm_set_dr(vcpu, dr: 7, val: 0x400);
4902 vmx_guest_debugctl_write(vcpu, val: 0);
4903
4904 if (nested_vmx_load_msr(vcpu, gpa: vmcs12->vm_exit_msr_load_addr,
4905 count: vmcs12->vm_exit_msr_load_count))
4906 nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
4907
4908 to_vt(vcpu)->emulation_required = vmx_emulation_required(vcpu);
4909}
4910
4911static inline u64 nested_vmx_get_vmcs01_guest_efer(struct vcpu_vmx *vmx)
4912{
4913 struct vmx_uret_msr *efer_msr;
4914 unsigned int i;
4915
4916 if (vm_entry_controls_get(vmx) & VM_ENTRY_LOAD_IA32_EFER)
4917 return vmcs_read64(field: GUEST_IA32_EFER);
4918
4919 if (cpu_has_load_ia32_efer())
4920 return kvm_host.efer;
4921
4922 for (i = 0; i < vmx->msr_autoload.guest.nr; ++i) {
4923 if (vmx->msr_autoload.guest.val[i].index == MSR_EFER)
4924 return vmx->msr_autoload.guest.val[i].value;
4925 }
4926
4927 efer_msr = vmx_find_uret_msr(vmx, MSR_EFER);
4928 if (efer_msr)
4929 return efer_msr->data;
4930
4931 return kvm_host.efer;
4932}
4933
4934static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu)
4935{
4936 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
4937 struct vcpu_vmx *vmx = to_vmx(vcpu);
4938 struct vmx_msr_entry g, h;
4939 gpa_t gpa;
4940 u32 i, j;
4941
4942 vcpu->arch.pat = vmcs_read64(field: GUEST_IA32_PAT);
4943
4944 if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) {
4945 /*
4946 * L1's host DR7 is lost if KVM_GUESTDBG_USE_HW_BP is set
4947 * as vmcs01.GUEST_DR7 contains a userspace defined value
4948 * and vcpu->arch.dr7 is not squirreled away before the
4949 * nested VMENTER (not worth adding a variable in nested_vmx).
4950 */
4951 if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
4952 kvm_set_dr(vcpu, dr: 7, DR7_FIXED_1);
4953 else
4954 WARN_ON(kvm_set_dr(vcpu, 7, vmcs_readl(GUEST_DR7)));
4955 }
4956
4957 /* Reload DEBUGCTL to ensure vmcs01 has a fresh FREEZE_IN_SMM value. */
4958 vmx_reload_guest_debugctl(vcpu);
4959
4960 /*
4961 * Note that calling vmx_set_{efer,cr0,cr4} is important as they
4962 * handle a variety of side effects to KVM's software model.
4963 */
4964 vmx_set_efer(vcpu, efer: nested_vmx_get_vmcs01_guest_efer(vmx));
4965
4966 vcpu->arch.cr0_guest_owned_bits = vmx_l1_guest_owned_cr0_bits();
4967 vmx_set_cr0(vcpu, cr0: vmcs_readl(field: CR0_READ_SHADOW));
4968
4969 vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(field: CR4_GUEST_HOST_MASK);
4970 vmx_set_cr4(vcpu, cr4: vmcs_readl(field: CR4_READ_SHADOW));
4971
4972 nested_ept_uninit_mmu_context(vcpu);
4973 vcpu->arch.cr3 = vmcs_readl(field: GUEST_CR3);
4974 kvm_register_mark_available(vcpu, reg: VCPU_EXREG_CR3);
4975
4976 /*
4977 * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs
4978 * from vmcs01 (if necessary). The PDPTRs are not loaded on
4979 * VMFail, like everything else we just need to ensure our
4980 * software model is up-to-date.
4981 */
4982 if (enable_ept && is_pae_paging(vcpu))
4983 ept_save_pdptrs(vcpu);
4984
4985 kvm_mmu_reset_context(vcpu);
4986
4987 /*
4988 * This nasty bit of open coding is a compromise between blindly
4989 * loading L1's MSRs using the exit load lists (incorrect emulation
4990 * of VMFail), leaving the nested VM's MSRs in the software model
4991 * (incorrect behavior) and snapshotting the modified MSRs (too
4992 * expensive since the lists are unbound by hardware). For each
4993 * MSR that was (prematurely) loaded from the nested VMEntry load
4994 * list, reload it from the exit load list if it exists and differs
4995 * from the guest value. The intent is to stuff host state as
4996 * silently as possible, not to fully process the exit load list.
4997 */
4998 for (i = 0; i < vmcs12->vm_entry_msr_load_count; i++) {
4999 gpa = vmcs12->vm_entry_msr_load_addr + (i * sizeof(g));
5000 if (kvm_vcpu_read_guest(vcpu, gpa, data: &g, len: sizeof(g))) {
5001 pr_debug_ratelimited(
5002 "%s read MSR index failed (%u, 0x%08llx)\n",
5003 __func__, i, gpa);
5004 goto vmabort;
5005 }
5006
5007 for (j = 0; j < vmcs12->vm_exit_msr_load_count; j++) {
5008 gpa = vmcs12->vm_exit_msr_load_addr + (j * sizeof(h));
5009 if (kvm_vcpu_read_guest(vcpu, gpa, data: &h, len: sizeof(h))) {
5010 pr_debug_ratelimited(
5011 "%s read MSR failed (%u, 0x%08llx)\n",
5012 __func__, j, gpa);
5013 goto vmabort;
5014 }
5015 if (h.index != g.index)
5016 continue;
5017 if (h.value == g.value)
5018 break;
5019
5020 if (nested_vmx_load_msr_check(vcpu, e: &h)) {
5021 pr_debug_ratelimited(
5022 "%s check failed (%u, 0x%x, 0x%x)\n",
5023 __func__, j, h.index, h.reserved);
5024 goto vmabort;
5025 }
5026
5027 if (kvm_emulate_msr_write(vcpu, index: h.index, data: h.value)) {
5028 pr_debug_ratelimited(
5029 "%s WRMSR failed (%u, 0x%x, 0x%llx)\n",
5030 __func__, j, h.index, h.value);
5031 goto vmabort;
5032 }
5033 }
5034 }
5035
5036 return;
5037
5038vmabort:
5039 nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
5040}
5041
5042/*
5043 * Emulate an exit from nested guest (L2) to L1, i.e., prepare to run L1
5044 * and modify vmcs12 to make it see what it would expect to see there if
5045 * L2 was its real guest. Must only be called when in L2 (is_guest_mode())
5046 */
5047void __nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,
5048 u32 exit_intr_info, unsigned long exit_qualification,
5049 u32 exit_insn_len)
5050{
5051 struct vcpu_vmx *vmx = to_vmx(vcpu);
5052 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
5053
5054 /* Pending MTF traps are discarded on VM-Exit. */
5055 vmx->nested.mtf_pending = false;
5056
5057 /* trying to cancel vmlaunch/vmresume is a bug */
5058 WARN_ON_ONCE(vmx->nested.nested_run_pending);
5059
5060#ifdef CONFIG_KVM_HYPERV
5061 if (kvm_check_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu)) {
5062 /*
5063 * KVM_REQ_GET_NESTED_STATE_PAGES is also used to map
5064 * Enlightened VMCS after migration and we still need to
5065 * do that when something is forcing L2->L1 exit prior to
5066 * the first L2 run.
5067 */
5068 (void)nested_get_evmcs_page(vcpu);
5069 }
5070#endif
5071
5072 /* Service pending TLB flush requests for L2 before switching to L1. */
5073 kvm_service_local_tlb_flush_requests(vcpu);
5074
5075 /*
5076 * VCPU_EXREG_PDPTR will be clobbered in arch/x86/kvm/vmx/vmx.h between
5077 * now and the new vmentry. Ensure that the VMCS02 PDPTR fields are
5078 * up-to-date before switching to L1.
5079 */
5080 if (enable_ept && is_pae_paging(vcpu))
5081 vmx_ept_load_pdptrs(vcpu);
5082
5083 leave_guest_mode(vcpu);
5084
5085 if (nested_cpu_has_preemption_timer(vmcs12))
5086 hrtimer_cancel(timer: &to_vmx(vcpu)->nested.preemption_timer);
5087
5088 if (nested_cpu_has(vmcs12, CPU_BASED_USE_TSC_OFFSETTING)) {
5089 vcpu->arch.tsc_offset = vcpu->arch.l1_tsc_offset;
5090 if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_TSC_SCALING))
5091 vcpu->arch.tsc_scaling_ratio = vcpu->arch.l1_tsc_scaling_ratio;
5092 }
5093
5094 if (likely(!vmx->fail)) {
5095 sync_vmcs02_to_vmcs12(vcpu, vmcs12);
5096
5097 if (vm_exit_reason != -1)
5098 prepare_vmcs12(vcpu, vmcs12, vm_exit_reason,
5099 exit_intr_info, exit_qualification,
5100 exit_insn_len);
5101
5102 /*
5103 * Must happen outside of sync_vmcs02_to_vmcs12() as it will
5104 * also be used to capture vmcs12 cache as part of
5105 * capturing nVMX state for snapshot (migration).
5106 *
5107 * Otherwise, this flush will dirty guest memory at a
5108 * point it is already assumed by user-space to be
5109 * immutable.
5110 */
5111 nested_flush_cached_shadow_vmcs12(vcpu, vmcs12);
5112 } else {
5113 /*
5114 * The only expected VM-instruction error is "VM entry with
5115 * invalid control field(s)." Anything else indicates a
5116 * problem with L0.
5117 */
5118 WARN_ON_ONCE(vmcs_read32(VM_INSTRUCTION_ERROR) !=
5119 VMXERR_ENTRY_INVALID_CONTROL_FIELD);
5120
5121 /* VM-Fail at VM-Entry means KVM missed a consistency check. */
5122 WARN_ON_ONCE(warn_on_missed_cc);
5123 }
5124
5125 /*
5126 * Drop events/exceptions that were queued for re-injection to L2
5127 * (picked up via vmx_complete_interrupts()), as well as exceptions
5128 * that were pending for L2. Note, this must NOT be hoisted above
5129 * prepare_vmcs12(), events/exceptions queued for re-injection need to
5130 * be captured in vmcs12 (see vmcs12_save_pending_event()).
5131 */
5132 vcpu->arch.nmi_injected = false;
5133 kvm_clear_exception_queue(vcpu);
5134 kvm_clear_interrupt_queue(vcpu);
5135
5136 vmx_switch_vmcs(vcpu, vmcs: &vmx->vmcs01);
5137
5138 kvm_nested_vmexit_handle_ibrs(vcpu);
5139
5140 /* Update any VMCS fields that might have changed while L2 ran */
5141 vmcs_write32(field: VM_EXIT_MSR_LOAD_COUNT, value: vmx->msr_autoload.host.nr);
5142 vmcs_write32(field: VM_ENTRY_MSR_LOAD_COUNT, value: vmx->msr_autoload.guest.nr);
5143 vmcs_write64(field: TSC_OFFSET, value: vcpu->arch.tsc_offset);
5144 if (kvm_caps.has_tsc_control)
5145 vmcs_write64(field: TSC_MULTIPLIER, value: vcpu->arch.tsc_scaling_ratio);
5146
5147 if (vmx->nested.l1_tpr_threshold != -1)
5148 vmcs_write32(field: TPR_THRESHOLD, value: vmx->nested.l1_tpr_threshold);
5149
5150 if (vmx->nested.change_vmcs01_virtual_apic_mode) {
5151 vmx->nested.change_vmcs01_virtual_apic_mode = false;
5152 vmx_set_virtual_apic_mode(vcpu);
5153 }
5154
5155 if (vmx->nested.update_vmcs01_cpu_dirty_logging) {
5156 vmx->nested.update_vmcs01_cpu_dirty_logging = false;
5157 vmx_update_cpu_dirty_logging(vcpu);
5158 }
5159
5160 nested_put_vmcs12_pages(vcpu);
5161
5162 if (vmx->nested.reload_vmcs01_apic_access_page) {
5163 vmx->nested.reload_vmcs01_apic_access_page = false;
5164 kvm_make_request(KVM_REQ_APIC_PAGE_RELOAD, vcpu);
5165 }
5166
5167 if (vmx->nested.update_vmcs01_apicv_status) {
5168 vmx->nested.update_vmcs01_apicv_status = false;
5169 vmx_refresh_apicv_exec_ctrl(vcpu);
5170 }
5171
5172 if (vmx->nested.update_vmcs01_hwapic_isr) {
5173 vmx->nested.update_vmcs01_hwapic_isr = false;
5174 kvm_apic_update_hwapic_isr(vcpu);
5175 }
5176
5177 if ((vm_exit_reason != -1) &&
5178 (enable_shadow_vmcs || nested_vmx_is_evmptr12_valid(vmx)))
5179 vmx->nested.need_vmcs12_to_shadow_sync = true;
5180
5181 /* in case we halted in L2 */
5182 kvm_set_mp_state(vcpu, KVM_MP_STATE_RUNNABLE);
5183
5184 if (likely(!vmx->fail)) {
5185 if (vm_exit_reason != -1)
5186 trace_kvm_nested_vmexit_inject(vmcs12->vm_exit_reason,
5187 vmcs12->exit_qualification,
5188 vmcs12->idt_vectoring_info_field,
5189 vmcs12->vm_exit_intr_info,
5190 vmcs12->vm_exit_intr_error_code,
5191 KVM_ISA_VMX);
5192
5193 load_vmcs12_host_state(vcpu, vmcs12);
5194
5195 /*
5196 * Process events if an injectable IRQ or NMI is pending, even
5197 * if the event is blocked (RFLAGS.IF is cleared on VM-Exit).
5198 * If an event became pending while L2 was active, KVM needs to
5199 * either inject the event or request an IRQ/NMI window. SMIs
5200 * don't need to be processed as SMM is mutually exclusive with
5201 * non-root mode. INIT/SIPI don't need to be checked as INIT
5202 * is blocked post-VMXON, and SIPIs are ignored.
5203 */
5204 if (kvm_cpu_has_injectable_intr(v: vcpu) || vcpu->arch.nmi_pending)
5205 kvm_make_request(KVM_REQ_EVENT, vcpu);
5206 return;
5207 }
5208
5209 /*
5210 * After an early L2 VM-entry failure, we're now back
5211 * in L1 which thinks it just finished a VMLAUNCH or
5212 * VMRESUME instruction, so we need to set the failure
5213 * flag and the VM-instruction error field of the VMCS
5214 * accordingly, and skip the emulated instruction.
5215 */
5216 (void)nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_ENTRY_INVALID_CONTROL_FIELD);
5217
5218 /*
5219 * Restore L1's host state to KVM's software model. We're here
5220 * because a consistency check was caught by hardware, which
5221 * means some amount of guest state has been propagated to KVM's
5222 * model and needs to be unwound to the host's state.
5223 */
5224 nested_vmx_restore_host_state(vcpu);
5225
5226 vmx->fail = 0;
5227}
5228
5229static void nested_vmx_triple_fault(struct kvm_vcpu *vcpu)
5230{
5231 kvm_clear_request(KVM_REQ_TRIPLE_FAULT, vcpu);
5232 nested_vmx_vmexit(vcpu, EXIT_REASON_TRIPLE_FAULT, exit_intr_info: 0, exit_qualification: 0);
5233}
5234
5235/*
5236 * Decode the memory-address operand of a vmx instruction, as recorded on an
5237 * exit caused by such an instruction (run by a guest hypervisor).
5238 * On success, returns 0. When the operand is invalid, returns 1 and throws
5239 * #UD, #GP, or #SS.
5240 */
5241int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
5242 u32 vmx_instruction_info, bool wr, int len, gva_t *ret)
5243{
5244 gva_t off;
5245 bool exn;
5246 struct kvm_segment s;
5247
5248 /*
5249 * According to Vol. 3B, "Information for VM Exits Due to Instruction
5250 * Execution", on an exit, vmx_instruction_info holds most of the
5251 * addressing components of the operand. Only the displacement part
5252 * is put in exit_qualification (see 3B, "Basic VM-Exit Information").
5253 * For how an actual address is calculated from all these components,
5254 * refer to Vol. 1, "Operand Addressing".
5255 */
5256 int scaling = vmx_instruction_info & 3;
5257 int addr_size = (vmx_instruction_info >> 7) & 7;
5258 bool is_reg = vmx_instruction_info & (1u << 10);
5259 int seg_reg = (vmx_instruction_info >> 15) & 7;
5260 int index_reg = (vmx_instruction_info >> 18) & 0xf;
5261 bool index_is_valid = !(vmx_instruction_info & (1u << 22));
5262 int base_reg = (vmx_instruction_info >> 23) & 0xf;
5263 bool base_is_valid = !(vmx_instruction_info & (1u << 27));
5264
5265 if (is_reg) {
5266 kvm_queue_exception(vcpu, UD_VECTOR);
5267 return 1;
5268 }
5269
5270 /* Addr = segment_base + offset */
5271 /* offset = base + [index * scale] + displacement */
5272 off = exit_qualification; /* holds the displacement */
5273 if (addr_size == 1)
5274 off = (gva_t)sign_extend64(value: off, index: 31);
5275 else if (addr_size == 0)
5276 off = (gva_t)sign_extend64(value: off, index: 15);
5277 if (base_is_valid)
5278 off += kvm_register_read(vcpu, reg: base_reg);
5279 if (index_is_valid)
5280 off += kvm_register_read(vcpu, reg: index_reg) << scaling;
5281 vmx_get_segment(vcpu, var: &s, seg: seg_reg);
5282
5283 /*
5284 * The effective address, i.e. @off, of a memory operand is truncated
5285 * based on the address size of the instruction. Note that this is
5286 * the *effective address*, i.e. the address prior to accounting for
5287 * the segment's base.
5288 */
5289 if (addr_size == 1) /* 32 bit */
5290 off &= 0xffffffff;
5291 else if (addr_size == 0) /* 16 bit */
5292 off &= 0xffff;
5293
5294 /* Checks for #GP/#SS exceptions. */
5295 exn = false;
5296 if (is_long_mode(vcpu)) {
5297 /*
5298 * The virtual/linear address is never truncated in 64-bit
5299 * mode, e.g. a 32-bit address size can yield a 64-bit virtual
5300 * address when using FS/GS with a non-zero base.
5301 */
5302 if (seg_reg == VCPU_SREG_FS || seg_reg == VCPU_SREG_GS)
5303 *ret = s.base + off;
5304 else
5305 *ret = off;
5306
5307 *ret = vmx_get_untagged_addr(vcpu, gva: *ret, flags: 0);
5308 /* Long mode: #GP(0)/#SS(0) if the memory address is in a
5309 * non-canonical form. This is the only check on the memory
5310 * destination for long mode!
5311 */
5312 exn = is_noncanonical_address(la: *ret, vcpu, flags: 0);
5313 } else {
5314 /*
5315 * When not in long mode, the virtual/linear address is
5316 * unconditionally truncated to 32 bits regardless of the
5317 * address size.
5318 */
5319 *ret = (s.base + off) & 0xffffffff;
5320
5321 /* Protected mode: apply checks for segment validity in the
5322 * following order:
5323 * - segment type check (#GP(0) may be thrown)
5324 * - usability check (#GP(0)/#SS(0))
5325 * - limit check (#GP(0)/#SS(0))
5326 */
5327 if (wr)
5328 /* #GP(0) if the destination operand is located in a
5329 * read-only data segment or any code segment.
5330 */
5331 exn = ((s.type & 0xa) == 0 || (s.type & 8));
5332 else
5333 /* #GP(0) if the source operand is located in an
5334 * execute-only code segment
5335 */
5336 exn = ((s.type & 0xa) == 8);
5337 if (exn) {
5338 kvm_queue_exception_e(vcpu, GP_VECTOR, error_code: 0);
5339 return 1;
5340 }
5341 /* Protected mode: #GP(0)/#SS(0) if the segment is unusable.
5342 */
5343 exn = (s.unusable != 0);
5344
5345 /*
5346 * Protected mode: #GP(0)/#SS(0) if the memory operand is
5347 * outside the segment limit. All CPUs that support VMX ignore
5348 * limit checks for flat segments, i.e. segments with base==0,
5349 * limit==0xffffffff and of type expand-up data or code.
5350 */
5351 if (!(s.base == 0 && s.limit == 0xffffffff &&
5352 ((s.type & 8) || !(s.type & 4))))
5353 exn = exn || ((u64)off + len - 1 > s.limit);
5354 }
5355 if (exn) {
5356 kvm_queue_exception_e(vcpu,
5357 nr: seg_reg == VCPU_SREG_SS ?
5358 SS_VECTOR : GP_VECTOR,
5359 error_code: 0);
5360 return 1;
5361 }
5362
5363 return 0;
5364}
5365
5366static int nested_vmx_get_vmptr(struct kvm_vcpu *vcpu, gpa_t *vmpointer,
5367 int *ret)
5368{
5369 gva_t gva;
5370 struct x86_exception e;
5371 int r;
5372
5373 if (get_vmx_mem_address(vcpu, exit_qualification: vmx_get_exit_qual(vcpu),
5374 vmx_instruction_info: vmcs_read32(field: VMX_INSTRUCTION_INFO), wr: false,
5375 len: sizeof(*vmpointer), ret: &gva)) {
5376 *ret = 1;
5377 return -EINVAL;
5378 }
5379
5380 r = kvm_read_guest_virt(vcpu, addr: gva, val: vmpointer, bytes: sizeof(*vmpointer), exception: &e);
5381 if (r != X86EMUL_CONTINUE) {
5382 *ret = kvm_handle_memory_failure(vcpu, r, e: &e);
5383 return -EINVAL;
5384 }
5385
5386 return 0;
5387}
5388
5389/*
5390 * Allocate a shadow VMCS and associate it with the currently loaded
5391 * VMCS, unless such a shadow VMCS already exists. The newly allocated
5392 * VMCS is also VMCLEARed, so that it is ready for use.
5393 */
5394static struct vmcs *alloc_shadow_vmcs(struct kvm_vcpu *vcpu)
5395{
5396 struct vcpu_vmx *vmx = to_vmx(vcpu);
5397 struct loaded_vmcs *loaded_vmcs = vmx->loaded_vmcs;
5398
5399 /*
5400 * KVM allocates a shadow VMCS only when L1 executes VMXON and frees it
5401 * when L1 executes VMXOFF or the vCPU is forced out of nested
5402 * operation. VMXON faults if the CPU is already post-VMXON, so it
5403 * should be impossible to already have an allocated shadow VMCS. KVM
5404 * doesn't support virtualization of VMCS shadowing, so vmcs01 should
5405 * always be the loaded VMCS.
5406 */
5407 if (WARN_ON(loaded_vmcs != &vmx->vmcs01 || loaded_vmcs->shadow_vmcs))
5408 return loaded_vmcs->shadow_vmcs;
5409
5410 loaded_vmcs->shadow_vmcs = alloc_vmcs(shadow: true);
5411 if (loaded_vmcs->shadow_vmcs)
5412 vmcs_clear(vmcs: loaded_vmcs->shadow_vmcs);
5413
5414 return loaded_vmcs->shadow_vmcs;
5415}
5416
5417static int enter_vmx_operation(struct kvm_vcpu *vcpu)
5418{
5419 struct vcpu_vmx *vmx = to_vmx(vcpu);
5420 int r;
5421
5422 r = alloc_loaded_vmcs(loaded_vmcs: &vmx->nested.vmcs02);
5423 if (r < 0)
5424 goto out_vmcs02;
5425
5426 vmx->nested.cached_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL_ACCOUNT);
5427 if (!vmx->nested.cached_vmcs12)
5428 goto out_cached_vmcs12;
5429
5430 vmx->nested.shadow_vmcs12_cache.gpa = INVALID_GPA;
5431 vmx->nested.cached_shadow_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL_ACCOUNT);
5432 if (!vmx->nested.cached_shadow_vmcs12)
5433 goto out_cached_shadow_vmcs12;
5434
5435 if (enable_shadow_vmcs && !alloc_shadow_vmcs(vcpu))
5436 goto out_shadow_vmcs;
5437
5438 hrtimer_setup(timer: &vmx->nested.preemption_timer, function: vmx_preemption_timer_fn, CLOCK_MONOTONIC,
5439 mode: HRTIMER_MODE_ABS_PINNED);
5440
5441 vmx->nested.vpid02 = allocate_vpid();
5442
5443 vmx->nested.vmcs02_initialized = false;
5444 vmx->nested.vmxon = true;
5445
5446 if (vmx_pt_mode_is_host_guest()) {
5447 vmx->pt_desc.guest.ctl = 0;
5448 pt_update_intercept_for_msr(vcpu);
5449 }
5450
5451 return 0;
5452
5453out_shadow_vmcs:
5454 kfree(objp: vmx->nested.cached_shadow_vmcs12);
5455
5456out_cached_shadow_vmcs12:
5457 kfree(objp: vmx->nested.cached_vmcs12);
5458
5459out_cached_vmcs12:
5460 free_loaded_vmcs(loaded_vmcs: &vmx->nested.vmcs02);
5461
5462out_vmcs02:
5463 return -ENOMEM;
5464}
5465
5466/* Emulate the VMXON instruction. */
5467static int handle_vmxon(struct kvm_vcpu *vcpu)
5468{
5469 int ret;
5470 gpa_t vmptr;
5471 uint32_t revision;
5472 struct vcpu_vmx *vmx = to_vmx(vcpu);
5473 const u64 VMXON_NEEDED_FEATURES = FEAT_CTL_LOCKED
5474 | FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
5475
5476 /*
5477 * Manually check CR4.VMXE checks, KVM must force CR4.VMXE=1 to enter
5478 * the guest and so cannot rely on hardware to perform the check,
5479 * which has higher priority than VM-Exit (see Intel SDM's pseudocode
5480 * for VMXON).
5481 *
5482 * Rely on hardware for the other pre-VM-Exit checks, CR0.PE=1, !VM86
5483 * and !COMPATIBILITY modes. For an unrestricted guest, KVM doesn't
5484 * force any of the relevant guest state. For a restricted guest, KVM
5485 * does force CR0.PE=1, but only to also force VM86 in order to emulate
5486 * Real Mode, and so there's no need to check CR0.PE manually.
5487 */
5488 if (!kvm_is_cr4_bit_set(vcpu, X86_CR4_VMXE)) {
5489 kvm_queue_exception(vcpu, UD_VECTOR);
5490 return 1;
5491 }
5492
5493 /*
5494 * The CPL is checked for "not in VMX operation" and for "in VMX root",
5495 * and has higher priority than the VM-Fail due to being post-VMXON,
5496 * i.e. VMXON #GPs outside of VMX non-root if CPL!=0. In VMX non-root,
5497 * VMXON causes VM-Exit and KVM unconditionally forwards VMXON VM-Exits
5498 * from L2 to L1, i.e. there's no need to check for the vCPU being in
5499 * VMX non-root.
5500 *
5501 * Forwarding the VM-Exit unconditionally, i.e. without performing the
5502 * #UD checks (see above), is functionally ok because KVM doesn't allow
5503 * L1 to run L2 without CR4.VMXE=0, and because KVM never modifies L2's
5504 * CR0 or CR4, i.e. it's L2's responsibility to emulate #UDs that are
5505 * missed by hardware due to shadowing CR0 and/or CR4.
5506 */
5507 if (vmx_get_cpl(vcpu)) {
5508 kvm_inject_gp(vcpu, error_code: 0);
5509 return 1;
5510 }
5511
5512 if (vmx->nested.vmxon)
5513 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
5514
5515 /*
5516 * Invalid CR0/CR4 generates #GP. These checks are performed if and
5517 * only if the vCPU isn't already in VMX operation, i.e. effectively
5518 * have lower priority than the VM-Fail above.
5519 */
5520 if (!nested_host_cr0_valid(vcpu, val: kvm_read_cr0(vcpu)) ||
5521 !nested_host_cr4_valid(vcpu, val: kvm_read_cr4(vcpu))) {
5522 kvm_inject_gp(vcpu, error_code: 0);
5523 return 1;
5524 }
5525
5526 if ((vmx->msr_ia32_feature_control & VMXON_NEEDED_FEATURES)
5527 != VMXON_NEEDED_FEATURES) {
5528 kvm_inject_gp(vcpu, error_code: 0);
5529 return 1;
5530 }
5531
5532 if (nested_vmx_get_vmptr(vcpu, vmpointer: &vmptr, ret: &ret))
5533 return ret;
5534
5535 /*
5536 * SDM 3: 24.11.5
5537 * The first 4 bytes of VMXON region contain the supported
5538 * VMCS revision identifier
5539 *
5540 * Note - IA32_VMX_BASIC[48] will never be 1 for the nested case;
5541 * which replaces physical address width with 32
5542 */
5543 if (!page_address_valid(vcpu, gpa: vmptr))
5544 return nested_vmx_failInvalid(vcpu);
5545
5546 if (kvm_read_guest(kvm: vcpu->kvm, gpa: vmptr, data: &revision, len: sizeof(revision)) ||
5547 revision != VMCS12_REVISION)
5548 return nested_vmx_failInvalid(vcpu);
5549
5550 vmx->nested.vmxon_ptr = vmptr;
5551 ret = enter_vmx_operation(vcpu);
5552 if (ret)
5553 return ret;
5554
5555 return nested_vmx_succeed(vcpu);
5556}
5557
5558static inline void nested_release_vmcs12(struct kvm_vcpu *vcpu)
5559{
5560 struct vcpu_vmx *vmx = to_vmx(vcpu);
5561
5562 if (vmx->nested.current_vmptr == INVALID_GPA)
5563 return;
5564
5565 copy_vmcs02_to_vmcs12_rare(vcpu, vmcs12: get_vmcs12(vcpu));
5566
5567 if (enable_shadow_vmcs) {
5568 /* copy to memory all shadowed fields in case
5569 they were modified */
5570 copy_shadow_to_vmcs12(vmx);
5571 vmx_disable_shadow_vmcs(vmx);
5572 }
5573 vmx->nested.posted_intr_nv = -1;
5574
5575 /* Flush VMCS12 to guest memory */
5576 kvm_vcpu_write_guest_page(vcpu,
5577 gfn: vmx->nested.current_vmptr >> PAGE_SHIFT,
5578 data: vmx->nested.cached_vmcs12, offset: 0, VMCS12_SIZE);
5579
5580 kvm_mmu_free_roots(kvm: vcpu->kvm, mmu: &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL);
5581
5582 vmx->nested.current_vmptr = INVALID_GPA;
5583}
5584
5585/* Emulate the VMXOFF instruction */
5586static int handle_vmxoff(struct kvm_vcpu *vcpu)
5587{
5588 if (!nested_vmx_check_permission(vcpu))
5589 return 1;
5590
5591 free_nested(vcpu);
5592
5593 if (kvm_apic_has_pending_init_or_sipi(vcpu))
5594 kvm_make_request(KVM_REQ_EVENT, vcpu);
5595
5596 return nested_vmx_succeed(vcpu);
5597}
5598
5599/* Emulate the VMCLEAR instruction */
5600static int handle_vmclear(struct kvm_vcpu *vcpu)
5601{
5602 struct vcpu_vmx *vmx = to_vmx(vcpu);
5603 u32 zero = 0;
5604 gpa_t vmptr;
5605 int r;
5606
5607 if (!nested_vmx_check_permission(vcpu))
5608 return 1;
5609
5610 if (nested_vmx_get_vmptr(vcpu, vmpointer: &vmptr, ret: &r))
5611 return r;
5612
5613 if (!page_address_valid(vcpu, gpa: vmptr))
5614 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMCLEAR_INVALID_ADDRESS);
5615
5616 if (vmptr == vmx->nested.vmxon_ptr)
5617 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMCLEAR_VMXON_POINTER);
5618
5619 if (likely(!nested_evmcs_handle_vmclear(vcpu, vmptr))) {
5620 if (vmptr == vmx->nested.current_vmptr)
5621 nested_release_vmcs12(vcpu);
5622
5623 /*
5624 * Silently ignore memory errors on VMCLEAR, Intel's pseudocode
5625 * for VMCLEAR includes a "ensure that data for VMCS referenced
5626 * by the operand is in memory" clause that guards writes to
5627 * memory, i.e. doing nothing for I/O is architecturally valid.
5628 *
5629 * FIXME: Suppress failures if and only if no memslot is found,
5630 * i.e. exit to userspace if __copy_to_user() fails.
5631 */
5632 (void)kvm_vcpu_write_guest(vcpu,
5633 gpa: vmptr + offsetof(struct vmcs12,
5634 launch_state),
5635 data: &zero, len: sizeof(zero));
5636 }
5637
5638 return nested_vmx_succeed(vcpu);
5639}
5640
5641/* Emulate the VMLAUNCH instruction */
5642static int handle_vmlaunch(struct kvm_vcpu *vcpu)
5643{
5644 return nested_vmx_run(vcpu, launch: true);
5645}
5646
5647/* Emulate the VMRESUME instruction */
5648static int handle_vmresume(struct kvm_vcpu *vcpu)
5649{
5650
5651 return nested_vmx_run(vcpu, launch: false);
5652}
5653
5654static int handle_vmread(struct kvm_vcpu *vcpu)
5655{
5656 struct vmcs12 *vmcs12 = is_guest_mode(vcpu) ? get_shadow_vmcs12(vcpu)
5657 : get_vmcs12(vcpu);
5658 unsigned long exit_qualification = vmx_get_exit_qual(vcpu);
5659 u32 instr_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
5660 struct vcpu_vmx *vmx = to_vmx(vcpu);
5661 struct x86_exception e;
5662 unsigned long field;
5663 u64 value;
5664 gva_t gva = 0;
5665 short offset;
5666 int len, r;
5667
5668 if (!nested_vmx_check_permission(vcpu))
5669 return 1;
5670
5671 /* Decode instruction info and find the field to read */
5672 field = kvm_register_read(vcpu, reg: (((instr_info) >> 28) & 0xf));
5673
5674 if (!nested_vmx_is_evmptr12_valid(vmx)) {
5675 /*
5676 * In VMX non-root operation, when the VMCS-link pointer is INVALID_GPA,
5677 * any VMREAD sets the ALU flags for VMfailInvalid.
5678 */
5679 if (vmx->nested.current_vmptr == INVALID_GPA ||
5680 (is_guest_mode(vcpu) &&
5681 get_vmcs12(vcpu)->vmcs_link_pointer == INVALID_GPA))
5682 return nested_vmx_failInvalid(vcpu);
5683
5684 offset = get_vmcs12_field_offset(field);
5685 if (offset < 0)
5686 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5687
5688 if (!is_guest_mode(vcpu) && is_vmcs12_ext_field(field))
5689 copy_vmcs02_to_vmcs12_rare(vcpu, vmcs12);
5690
5691 /* Read the field, zero-extended to a u64 value */
5692 value = vmcs12_read_any(vmcs12, field, offset);
5693 } else {
5694 /*
5695 * Hyper-V TLFS (as of 6.0b) explicitly states, that while an
5696 * enlightened VMCS is active VMREAD/VMWRITE instructions are
5697 * unsupported. Unfortunately, certain versions of Windows 11
5698 * don't comply with this requirement which is not enforced in
5699 * genuine Hyper-V. Allow VMREAD from an enlightened VMCS as a
5700 * workaround, as misbehaving guests will panic on VM-Fail.
5701 * Note, enlightened VMCS is incompatible with shadow VMCS so
5702 * all VMREADs from L2 should go to L1.
5703 */
5704 if (WARN_ON_ONCE(is_guest_mode(vcpu)))
5705 return nested_vmx_failInvalid(vcpu);
5706
5707 offset = evmcs_field_offset(field, NULL);
5708 if (offset < 0)
5709 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5710
5711 /* Read the field, zero-extended to a u64 value */
5712 value = evmcs_read_any(evmcs: nested_vmx_evmcs(vmx), field, offset);
5713 }
5714
5715 /*
5716 * Now copy part of this value to register or memory, as requested.
5717 * Note that the number of bits actually copied is 32 or 64 depending
5718 * on the guest's mode (32 or 64 bit), not on the given field's length.
5719 */
5720 if (instr_info & BIT(10)) {
5721 kvm_register_write(vcpu, reg: (((instr_info) >> 3) & 0xf), val: value);
5722 } else {
5723 len = is_64_bit_mode(vcpu) ? 8 : 4;
5724 if (get_vmx_mem_address(vcpu, exit_qualification,
5725 vmx_instruction_info: instr_info, wr: true, len, ret: &gva))
5726 return 1;
5727 /* _system ok, nested_vmx_check_permission has verified cpl=0 */
5728 r = kvm_write_guest_virt_system(vcpu, addr: gva, val: &value, bytes: len, exception: &e);
5729 if (r != X86EMUL_CONTINUE)
5730 return kvm_handle_memory_failure(vcpu, r, e: &e);
5731 }
5732
5733 return nested_vmx_succeed(vcpu);
5734}
5735
5736static bool is_shadow_field_rw(unsigned long field)
5737{
5738 switch (field) {
5739#define SHADOW_FIELD_RW(x, y) case x:
5740#include "vmcs_shadow_fields.h"
5741 return true;
5742 default:
5743 break;
5744 }
5745 return false;
5746}
5747
5748static bool is_shadow_field_ro(unsigned long field)
5749{
5750 switch (field) {
5751#define SHADOW_FIELD_RO(x, y) case x:
5752#include "vmcs_shadow_fields.h"
5753 return true;
5754 default:
5755 break;
5756 }
5757 return false;
5758}
5759
5760static int handle_vmwrite(struct kvm_vcpu *vcpu)
5761{
5762 struct vmcs12 *vmcs12 = is_guest_mode(vcpu) ? get_shadow_vmcs12(vcpu)
5763 : get_vmcs12(vcpu);
5764 unsigned long exit_qualification = vmx_get_exit_qual(vcpu);
5765 u32 instr_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
5766 struct vcpu_vmx *vmx = to_vmx(vcpu);
5767 struct x86_exception e;
5768 unsigned long field;
5769 short offset;
5770 gva_t gva;
5771 int len, r;
5772
5773 /*
5774 * The value to write might be 32 or 64 bits, depending on L1's long
5775 * mode, and eventually we need to write that into a field of several
5776 * possible lengths. The code below first zero-extends the value to 64
5777 * bit (value), and then copies only the appropriate number of
5778 * bits into the vmcs12 field.
5779 */
5780 u64 value = 0;
5781
5782 if (!nested_vmx_check_permission(vcpu))
5783 return 1;
5784
5785 /*
5786 * In VMX non-root operation, when the VMCS-link pointer is INVALID_GPA,
5787 * any VMWRITE sets the ALU flags for VMfailInvalid.
5788 */
5789 if (vmx->nested.current_vmptr == INVALID_GPA ||
5790 (is_guest_mode(vcpu) &&
5791 get_vmcs12(vcpu)->vmcs_link_pointer == INVALID_GPA))
5792 return nested_vmx_failInvalid(vcpu);
5793
5794 if (instr_info & BIT(10))
5795 value = kvm_register_read(vcpu, reg: (((instr_info) >> 3) & 0xf));
5796 else {
5797 len = is_64_bit_mode(vcpu) ? 8 : 4;
5798 if (get_vmx_mem_address(vcpu, exit_qualification,
5799 vmx_instruction_info: instr_info, wr: false, len, ret: &gva))
5800 return 1;
5801 r = kvm_read_guest_virt(vcpu, addr: gva, val: &value, bytes: len, exception: &e);
5802 if (r != X86EMUL_CONTINUE)
5803 return kvm_handle_memory_failure(vcpu, r, e: &e);
5804 }
5805
5806 field = kvm_register_read(vcpu, reg: (((instr_info) >> 28) & 0xf));
5807
5808 offset = get_vmcs12_field_offset(field);
5809 if (offset < 0)
5810 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_UNSUPPORTED_VMCS_COMPONENT);
5811
5812 /*
5813 * If the vCPU supports "VMWRITE to any supported field in the
5814 * VMCS," then the "read-only" fields are actually read/write.
5815 */
5816 if (vmcs_field_readonly(field) &&
5817 !nested_cpu_has_vmwrite_any_field(vcpu))
5818 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMWRITE_READ_ONLY_VMCS_COMPONENT);
5819
5820 /*
5821 * Ensure vmcs12 is up-to-date before any VMWRITE that dirties
5822 * vmcs12, else we may crush a field or consume a stale value.
5823 */
5824 if (!is_guest_mode(vcpu) && !is_shadow_field_rw(field))
5825 copy_vmcs02_to_vmcs12_rare(vcpu, vmcs12);
5826
5827 /*
5828 * Some Intel CPUs intentionally drop the reserved bits of the AR byte
5829 * fields on VMWRITE. Emulate this behavior to ensure consistent KVM
5830 * behavior regardless of the underlying hardware, e.g. if an AR_BYTE
5831 * field is intercepted for VMWRITE but not VMREAD (in L1), then VMREAD
5832 * from L1 will return a different value than VMREAD from L2 (L1 sees
5833 * the stripped down value, L2 sees the full value as stored by KVM).
5834 */
5835 if (field >= GUEST_ES_AR_BYTES && field <= GUEST_TR_AR_BYTES)
5836 value &= 0x1f0ff;
5837
5838 vmcs12_write_any(vmcs12, field, offset, field_value: value);
5839
5840 /*
5841 * Do not track vmcs12 dirty-state if in guest-mode as we actually
5842 * dirty shadow vmcs12 instead of vmcs12. Fields that can be updated
5843 * by L1 without a vmexit are always updated in the vmcs02, i.e. don't
5844 * "dirty" vmcs12, all others go down the prepare_vmcs02() slow path.
5845 */
5846 if (!is_guest_mode(vcpu) && !is_shadow_field_rw(field)) {
5847 /*
5848 * L1 can read these fields without exiting, ensure the
5849 * shadow VMCS is up-to-date.
5850 */
5851 if (enable_shadow_vmcs && is_shadow_field_ro(field)) {
5852 preempt_disable();
5853 vmcs_load(vmcs: vmx->vmcs01.shadow_vmcs);
5854
5855 __vmcs_writel(field, value);
5856
5857 vmcs_clear(vmcs: vmx->vmcs01.shadow_vmcs);
5858 vmcs_load(vmcs: vmx->loaded_vmcs->vmcs);
5859 preempt_enable();
5860 }
5861 vmx->nested.dirty_vmcs12 = true;
5862 }
5863
5864 return nested_vmx_succeed(vcpu);
5865}
5866
5867static void set_current_vmptr(struct vcpu_vmx *vmx, gpa_t vmptr)
5868{
5869 vmx->nested.current_vmptr = vmptr;
5870 if (enable_shadow_vmcs) {
5871 secondary_exec_controls_setbit(vmx, SECONDARY_EXEC_SHADOW_VMCS);
5872 vmcs_write64(field: VMCS_LINK_POINTER,
5873 __pa(vmx->vmcs01.shadow_vmcs));
5874 vmx->nested.need_vmcs12_to_shadow_sync = true;
5875 }
5876 vmx->nested.dirty_vmcs12 = true;
5877 vmx->nested.force_msr_bitmap_recalc = true;
5878}
5879
5880/* Emulate the VMPTRLD instruction */
5881static int handle_vmptrld(struct kvm_vcpu *vcpu)
5882{
5883 struct vcpu_vmx *vmx = to_vmx(vcpu);
5884 gpa_t vmptr;
5885 int r;
5886
5887 if (!nested_vmx_check_permission(vcpu))
5888 return 1;
5889
5890 if (nested_vmx_get_vmptr(vcpu, vmpointer: &vmptr, ret: &r))
5891 return r;
5892
5893 if (!page_address_valid(vcpu, gpa: vmptr))
5894 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMPTRLD_INVALID_ADDRESS);
5895
5896 if (vmptr == vmx->nested.vmxon_ptr)
5897 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_VMPTRLD_VMXON_POINTER);
5898
5899 /* Forbid normal VMPTRLD if Enlightened version was used */
5900 if (nested_vmx_is_evmptr12_valid(vmx))
5901 return 1;
5902
5903 if (vmx->nested.current_vmptr != vmptr) {
5904 struct gfn_to_hva_cache *ghc = &vmx->nested.vmcs12_cache;
5905 struct vmcs_hdr hdr;
5906
5907 if (kvm_gfn_to_hva_cache_init(kvm: vcpu->kvm, ghc, gpa: vmptr, VMCS12_SIZE)) {
5908 /*
5909 * Reads from an unbacked page return all 1s,
5910 * which means that the 32 bits located at the
5911 * given physical address won't match the required
5912 * VMCS12_REVISION identifier.
5913 */
5914 return nested_vmx_fail(vcpu,
5915 vm_instruction_error: VMXERR_VMPTRLD_INCORRECT_VMCS_REVISION_ID);
5916 }
5917
5918 if (kvm_read_guest_offset_cached(kvm: vcpu->kvm, ghc, data: &hdr,
5919 offsetof(struct vmcs12, hdr),
5920 len: sizeof(hdr))) {
5921 return nested_vmx_fail(vcpu,
5922 vm_instruction_error: VMXERR_VMPTRLD_INCORRECT_VMCS_REVISION_ID);
5923 }
5924
5925 if (hdr.revision_id != VMCS12_REVISION ||
5926 (hdr.shadow_vmcs &&
5927 !nested_cpu_has_vmx_shadow_vmcs(vcpu))) {
5928 return nested_vmx_fail(vcpu,
5929 vm_instruction_error: VMXERR_VMPTRLD_INCORRECT_VMCS_REVISION_ID);
5930 }
5931
5932 nested_release_vmcs12(vcpu);
5933
5934 /*
5935 * Load VMCS12 from guest memory since it is not already
5936 * cached.
5937 */
5938 if (kvm_read_guest_cached(kvm: vcpu->kvm, ghc, data: vmx->nested.cached_vmcs12,
5939 VMCS12_SIZE)) {
5940 return nested_vmx_fail(vcpu,
5941 vm_instruction_error: VMXERR_VMPTRLD_INCORRECT_VMCS_REVISION_ID);
5942 }
5943
5944 set_current_vmptr(vmx, vmptr);
5945 }
5946
5947 return nested_vmx_succeed(vcpu);
5948}
5949
5950/* Emulate the VMPTRST instruction */
5951static int handle_vmptrst(struct kvm_vcpu *vcpu)
5952{
5953 unsigned long exit_qual = vmx_get_exit_qual(vcpu);
5954 u32 instr_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
5955 gpa_t current_vmptr = to_vmx(vcpu)->nested.current_vmptr;
5956 struct x86_exception e;
5957 gva_t gva;
5958 int r;
5959
5960 if (!nested_vmx_check_permission(vcpu))
5961 return 1;
5962
5963 if (unlikely(nested_vmx_is_evmptr12_valid(to_vmx(vcpu))))
5964 return 1;
5965
5966 if (get_vmx_mem_address(vcpu, exit_qualification: exit_qual, vmx_instruction_info: instr_info,
5967 wr: true, len: sizeof(gpa_t), ret: &gva))
5968 return 1;
5969 /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
5970 r = kvm_write_guest_virt_system(vcpu, addr: gva, val: (void *)&current_vmptr,
5971 bytes: sizeof(gpa_t), exception: &e);
5972 if (r != X86EMUL_CONTINUE)
5973 return kvm_handle_memory_failure(vcpu, r, e: &e);
5974
5975 return nested_vmx_succeed(vcpu);
5976}
5977
5978/* Emulate the INVEPT instruction */
5979static int handle_invept(struct kvm_vcpu *vcpu)
5980{
5981 struct vcpu_vmx *vmx = to_vmx(vcpu);
5982 u32 vmx_instruction_info, types;
5983 unsigned long type, roots_to_free;
5984 struct kvm_mmu *mmu;
5985 gva_t gva;
5986 struct x86_exception e;
5987 struct {
5988 u64 eptp, gpa;
5989 } operand;
5990 int i, r, gpr_index;
5991
5992 if (!(vmx->nested.msrs.secondary_ctls_high &
5993 SECONDARY_EXEC_ENABLE_EPT) ||
5994 !(vmx->nested.msrs.ept_caps & VMX_EPT_INVEPT_BIT)) {
5995 kvm_queue_exception(vcpu, UD_VECTOR);
5996 return 1;
5997 }
5998
5999 if (!nested_vmx_check_permission(vcpu))
6000 return 1;
6001
6002 vmx_instruction_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
6003 gpr_index = vmx_get_instr_info_reg2(vmx_instr_info: vmx_instruction_info);
6004 type = kvm_register_read(vcpu, reg: gpr_index);
6005
6006 types = (vmx->nested.msrs.ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6;
6007
6008 if (type >= 32 || !(types & (1 << type)))
6009 return nested_vmx_fail(vcpu, vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6010
6011 /* According to the Intel VMX instruction reference, the memory
6012 * operand is read even if it isn't needed (e.g., for type==global)
6013 */
6014 if (get_vmx_mem_address(vcpu, exit_qualification: vmx_get_exit_qual(vcpu),
6015 vmx_instruction_info, wr: false, len: sizeof(operand), ret: &gva))
6016 return 1;
6017 r = kvm_read_guest_virt(vcpu, addr: gva, val: &operand, bytes: sizeof(operand), exception: &e);
6018 if (r != X86EMUL_CONTINUE)
6019 return kvm_handle_memory_failure(vcpu, r, e: &e);
6020
6021 /*
6022 * Nested EPT roots are always held through guest_mmu,
6023 * not root_mmu.
6024 */
6025 mmu = &vcpu->arch.guest_mmu;
6026
6027 switch (type) {
6028 case VMX_EPT_EXTENT_CONTEXT:
6029 if (!nested_vmx_check_eptp(vcpu, new_eptp: operand.eptp))
6030 return nested_vmx_fail(vcpu,
6031 vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6032
6033 roots_to_free = 0;
6034 if (nested_ept_root_matches(root_hpa: mmu->root.hpa, root_eptp: mmu->root.pgd,
6035 eptp: operand.eptp))
6036 roots_to_free |= KVM_MMU_ROOT_CURRENT;
6037
6038 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
6039 if (nested_ept_root_matches(root_hpa: mmu->prev_roots[i].hpa,
6040 root_eptp: mmu->prev_roots[i].pgd,
6041 eptp: operand.eptp))
6042 roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
6043 }
6044 break;
6045 case VMX_EPT_EXTENT_GLOBAL:
6046 roots_to_free = KVM_MMU_ROOTS_ALL;
6047 break;
6048 default:
6049 BUG();
6050 break;
6051 }
6052
6053 if (roots_to_free)
6054 kvm_mmu_free_roots(kvm: vcpu->kvm, mmu, roots_to_free);
6055
6056 return nested_vmx_succeed(vcpu);
6057}
6058
6059static int handle_invvpid(struct kvm_vcpu *vcpu)
6060{
6061 struct vcpu_vmx *vmx = to_vmx(vcpu);
6062 u32 vmx_instruction_info;
6063 unsigned long type, types;
6064 gva_t gva;
6065 struct x86_exception e;
6066 struct {
6067 u64 vpid;
6068 u64 gla;
6069 } operand;
6070 u16 vpid02;
6071 int r, gpr_index;
6072
6073 if (!(vmx->nested.msrs.secondary_ctls_high &
6074 SECONDARY_EXEC_ENABLE_VPID) ||
6075 !(vmx->nested.msrs.vpid_caps & VMX_VPID_INVVPID_BIT)) {
6076 kvm_queue_exception(vcpu, UD_VECTOR);
6077 return 1;
6078 }
6079
6080 if (!nested_vmx_check_permission(vcpu))
6081 return 1;
6082
6083 vmx_instruction_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
6084 gpr_index = vmx_get_instr_info_reg2(vmx_instr_info: vmx_instruction_info);
6085 type = kvm_register_read(vcpu, reg: gpr_index);
6086
6087 types = (vmx->nested.msrs.vpid_caps &
6088 VMX_VPID_EXTENT_SUPPORTED_MASK) >> 8;
6089
6090 if (type >= 32 || !(types & (1 << type)))
6091 return nested_vmx_fail(vcpu,
6092 vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6093
6094 /* according to the intel vmx instruction reference, the memory
6095 * operand is read even if it isn't needed (e.g., for type==global)
6096 */
6097 if (get_vmx_mem_address(vcpu, exit_qualification: vmx_get_exit_qual(vcpu),
6098 vmx_instruction_info, wr: false, len: sizeof(operand), ret: &gva))
6099 return 1;
6100 r = kvm_read_guest_virt(vcpu, addr: gva, val: &operand, bytes: sizeof(operand), exception: &e);
6101 if (r != X86EMUL_CONTINUE)
6102 return kvm_handle_memory_failure(vcpu, r, e: &e);
6103
6104 if (operand.vpid >> 16)
6105 return nested_vmx_fail(vcpu,
6106 vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6107
6108 /*
6109 * Always flush the effective vpid02, i.e. never flush the current VPID
6110 * and never explicitly flush vpid01. INVVPID targets a VPID, not a
6111 * VMCS, and so whether or not the current vmcs12 has VPID enabled is
6112 * irrelevant (and there may not be a loaded vmcs12).
6113 */
6114 vpid02 = nested_get_vpid02(vcpu);
6115 switch (type) {
6116 case VMX_VPID_EXTENT_INDIVIDUAL_ADDR:
6117 /*
6118 * LAM doesn't apply to addresses that are inputs to TLB
6119 * invalidation.
6120 */
6121 if (!operand.vpid ||
6122 is_noncanonical_invlpg_address(la: operand.gla, vcpu))
6123 return nested_vmx_fail(vcpu,
6124 vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6125 vpid_sync_vcpu_addr(vpid: vpid02, addr: operand.gla);
6126 break;
6127 case VMX_VPID_EXTENT_SINGLE_CONTEXT:
6128 case VMX_VPID_EXTENT_SINGLE_NON_GLOBAL:
6129 if (!operand.vpid)
6130 return nested_vmx_fail(vcpu,
6131 vm_instruction_error: VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
6132 vpid_sync_context(vpid: vpid02);
6133 break;
6134 case VMX_VPID_EXTENT_ALL_CONTEXT:
6135 vpid_sync_context(vpid: vpid02);
6136 break;
6137 default:
6138 WARN_ON_ONCE(1);
6139 return kvm_skip_emulated_instruction(vcpu);
6140 }
6141
6142 /*
6143 * Sync the shadow page tables if EPT is disabled, L1 is invalidating
6144 * linear mappings for L2 (tagged with L2's VPID). Free all guest
6145 * roots as VPIDs are not tracked in the MMU role.
6146 *
6147 * Note, this operates on root_mmu, not guest_mmu, as L1 and L2 share
6148 * an MMU when EPT is disabled.
6149 *
6150 * TODO: sync only the affected SPTEs for INVDIVIDUAL_ADDR.
6151 */
6152 if (!enable_ept)
6153 kvm_mmu_free_guest_mode_roots(kvm: vcpu->kvm, mmu: &vcpu->arch.root_mmu);
6154
6155 return nested_vmx_succeed(vcpu);
6156}
6157
6158static int nested_vmx_eptp_switching(struct kvm_vcpu *vcpu,
6159 struct vmcs12 *vmcs12)
6160{
6161 u32 index = kvm_rcx_read(vcpu);
6162 u64 new_eptp;
6163
6164 if (WARN_ON_ONCE(!nested_cpu_has_ept(vmcs12)))
6165 return 1;
6166 if (index >= VMFUNC_EPTP_ENTRIES)
6167 return 1;
6168
6169 if (kvm_vcpu_read_guest_page(vcpu, gfn: vmcs12->eptp_list_address >> PAGE_SHIFT,
6170 data: &new_eptp, offset: index * 8, len: 8))
6171 return 1;
6172
6173 /*
6174 * If the (L2) guest does a vmfunc to the currently
6175 * active ept pointer, we don't have to do anything else
6176 */
6177 if (vmcs12->ept_pointer != new_eptp) {
6178 if (!nested_vmx_check_eptp(vcpu, new_eptp))
6179 return 1;
6180
6181 vmcs12->ept_pointer = new_eptp;
6182 nested_ept_new_eptp(vcpu);
6183
6184 if (!nested_cpu_has_vpid(vmcs12))
6185 kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
6186 }
6187
6188 return 0;
6189}
6190
6191static int handle_vmfunc(struct kvm_vcpu *vcpu)
6192{
6193 struct vcpu_vmx *vmx = to_vmx(vcpu);
6194 struct vmcs12 *vmcs12;
6195 u32 function = kvm_rax_read(vcpu);
6196
6197 /*
6198 * VMFUNC should never execute cleanly while L1 is active; KVM supports
6199 * VMFUNC for nested VMs, but not for L1.
6200 */
6201 if (WARN_ON_ONCE(!is_guest_mode(vcpu))) {
6202 kvm_queue_exception(vcpu, UD_VECTOR);
6203 return 1;
6204 }
6205
6206 vmcs12 = get_vmcs12(vcpu);
6207
6208 /*
6209 * #UD on out-of-bounds function has priority over VM-Exit, and VMFUNC
6210 * is enabled in vmcs02 if and only if it's enabled in vmcs12.
6211 */
6212 if (WARN_ON_ONCE((function > 63) || !nested_cpu_has_vmfunc(vmcs12))) {
6213 kvm_queue_exception(vcpu, UD_VECTOR);
6214 return 1;
6215 }
6216
6217 if (!(vmcs12->vm_function_control & BIT_ULL(function)))
6218 goto fail;
6219
6220 switch (function) {
6221 case 0:
6222 if (nested_vmx_eptp_switching(vcpu, vmcs12))
6223 goto fail;
6224 break;
6225 default:
6226 goto fail;
6227 }
6228 return kvm_skip_emulated_instruction(vcpu);
6229
6230fail:
6231 /*
6232 * This is effectively a reflected VM-Exit, as opposed to a synthesized
6233 * nested VM-Exit. Pass the original exit reason, i.e. don't hardcode
6234 * EXIT_REASON_VMFUNC as the exit reason.
6235 */
6236 nested_vmx_vmexit(vcpu, vm_exit_reason: vmx->vt.exit_reason.full,
6237 exit_intr_info: vmx_get_intr_info(vcpu),
6238 exit_qualification: vmx_get_exit_qual(vcpu));
6239 return 1;
6240}
6241
6242/*
6243 * Return true if an IO instruction with the specified port and size should cause
6244 * a VM-exit into L1.
6245 */
6246bool nested_vmx_check_io_bitmaps(struct kvm_vcpu *vcpu, unsigned int port,
6247 int size)
6248{
6249 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
6250 gpa_t bitmap, last_bitmap;
6251 u8 b;
6252
6253 last_bitmap = INVALID_GPA;
6254 b = -1;
6255
6256 while (size > 0) {
6257 if (port < 0x8000)
6258 bitmap = vmcs12->io_bitmap_a;
6259 else if (port < 0x10000)
6260 bitmap = vmcs12->io_bitmap_b;
6261 else
6262 return true;
6263 bitmap += (port & 0x7fff) / 8;
6264
6265 if (last_bitmap != bitmap)
6266 if (kvm_vcpu_read_guest(vcpu, gpa: bitmap, data: &b, len: 1))
6267 return true;
6268 if (b & (1 << (port & 7)))
6269 return true;
6270
6271 port++;
6272 size--;
6273 last_bitmap = bitmap;
6274 }
6275
6276 return false;
6277}
6278
6279static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu,
6280 struct vmcs12 *vmcs12)
6281{
6282 unsigned long exit_qualification;
6283 unsigned short port;
6284 int size;
6285
6286 if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS))
6287 return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING);
6288
6289 exit_qualification = vmx_get_exit_qual(vcpu);
6290
6291 port = exit_qualification >> 16;
6292 size = (exit_qualification & 7) + 1;
6293
6294 return nested_vmx_check_io_bitmaps(vcpu, port, size);
6295}
6296
6297/*
6298 * Return 1 if we should exit from L2 to L1 to handle an MSR access,
6299 * rather than handle it ourselves in L0. I.e., check whether L1 expressed
6300 * disinterest in the current event (read or write a specific MSR) by using an
6301 * MSR bitmap. This may be the case even when L0 doesn't use MSR bitmaps.
6302 */
6303static bool nested_vmx_exit_handled_msr(struct kvm_vcpu *vcpu,
6304 struct vmcs12 *vmcs12,
6305 union vmx_exit_reason exit_reason)
6306{
6307 u32 msr_index;
6308 gpa_t bitmap;
6309
6310 if (!nested_cpu_has(vmcs12, CPU_BASED_USE_MSR_BITMAPS))
6311 return true;
6312
6313 if (exit_reason.basic == EXIT_REASON_MSR_READ_IMM ||
6314 exit_reason.basic == EXIT_REASON_MSR_WRITE_IMM)
6315 msr_index = vmx_get_exit_qual(vcpu);
6316 else
6317 msr_index = kvm_rcx_read(vcpu);
6318
6319 /*
6320 * The MSR_BITMAP page is divided into four 1024-byte bitmaps,
6321 * for the four combinations of read/write and low/high MSR numbers.
6322 * First we need to figure out which of the four to use:
6323 */
6324 bitmap = vmcs12->msr_bitmap;
6325 if (exit_reason.basic == EXIT_REASON_MSR_WRITE ||
6326 exit_reason.basic == EXIT_REASON_MSR_WRITE_IMM)
6327 bitmap += 2048;
6328 if (msr_index >= 0xc0000000) {
6329 msr_index -= 0xc0000000;
6330 bitmap += 1024;
6331 }
6332
6333 /* Then read the msr_index'th bit from this bitmap: */
6334 if (msr_index < 1024*8) {
6335 unsigned char b;
6336 if (kvm_vcpu_read_guest(vcpu, gpa: bitmap + msr_index/8, data: &b, len: 1))
6337 return true;
6338 return 1 & (b >> (msr_index & 7));
6339 } else
6340 return true; /* let L1 handle the wrong parameter */
6341}
6342
6343/*
6344 * Return 1 if we should exit from L2 to L1 to handle a CR access exit,
6345 * rather than handle it ourselves in L0. I.e., check if L1 wanted to
6346 * intercept (via guest_host_mask etc.) the current event.
6347 */
6348static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
6349 struct vmcs12 *vmcs12)
6350{
6351 unsigned long exit_qualification = vmx_get_exit_qual(vcpu);
6352 int cr = exit_qualification & 15;
6353 int reg;
6354 unsigned long val;
6355
6356 switch ((exit_qualification >> 4) & 3) {
6357 case 0: /* mov to cr */
6358 reg = (exit_qualification >> 8) & 15;
6359 val = kvm_register_read(vcpu, reg);
6360 switch (cr) {
6361 case 0:
6362 if (vmcs12->cr0_guest_host_mask &
6363 (val ^ vmcs12->cr0_read_shadow))
6364 return true;
6365 break;
6366 case 3:
6367 if (nested_cpu_has(vmcs12, CPU_BASED_CR3_LOAD_EXITING))
6368 return true;
6369 break;
6370 case 4:
6371 if (vmcs12->cr4_guest_host_mask &
6372 (vmcs12->cr4_read_shadow ^ val))
6373 return true;
6374 break;
6375 case 8:
6376 if (nested_cpu_has(vmcs12, CPU_BASED_CR8_LOAD_EXITING))
6377 return true;
6378 break;
6379 }
6380 break;
6381 case 2: /* clts */
6382 if ((vmcs12->cr0_guest_host_mask & X86_CR0_TS) &&
6383 (vmcs12->cr0_read_shadow & X86_CR0_TS))
6384 return true;
6385 break;
6386 case 1: /* mov from cr */
6387 switch (cr) {
6388 case 3:
6389 if (vmcs12->cpu_based_vm_exec_control &
6390 CPU_BASED_CR3_STORE_EXITING)
6391 return true;
6392 break;
6393 case 8:
6394 if (vmcs12->cpu_based_vm_exec_control &
6395 CPU_BASED_CR8_STORE_EXITING)
6396 return true;
6397 break;
6398 }
6399 break;
6400 case 3: /* lmsw */
6401 /*
6402 * lmsw can change bits 1..3 of cr0, and only set bit 0 of
6403 * cr0. Other attempted changes are ignored, with no exit.
6404 */
6405 val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
6406 if (vmcs12->cr0_guest_host_mask & 0xe &
6407 (val ^ vmcs12->cr0_read_shadow))
6408 return true;
6409 if ((vmcs12->cr0_guest_host_mask & 0x1) &&
6410 !(vmcs12->cr0_read_shadow & 0x1) &&
6411 (val & 0x1))
6412 return true;
6413 break;
6414 }
6415 return false;
6416}
6417
6418static bool nested_vmx_exit_handled_encls(struct kvm_vcpu *vcpu,
6419 struct vmcs12 *vmcs12)
6420{
6421 u32 encls_leaf;
6422
6423 if (!guest_cpu_cap_has(vcpu, X86_FEATURE_SGX) ||
6424 !nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENCLS_EXITING))
6425 return false;
6426
6427 encls_leaf = kvm_rax_read(vcpu);
6428 if (encls_leaf > 62)
6429 encls_leaf = 63;
6430 return vmcs12->encls_exiting_bitmap & BIT_ULL(encls_leaf);
6431}
6432
6433static bool nested_vmx_exit_handled_vmcs_access(struct kvm_vcpu *vcpu,
6434 struct vmcs12 *vmcs12, gpa_t bitmap)
6435{
6436 u32 vmx_instruction_info;
6437 unsigned long field;
6438 u8 b;
6439
6440 if (!nested_cpu_has_shadow_vmcs(vmcs12))
6441 return true;
6442
6443 /* Decode instruction info and find the field to access */
6444 vmx_instruction_info = vmcs_read32(field: VMX_INSTRUCTION_INFO);
6445 field = kvm_register_read(vcpu, reg: (((vmx_instruction_info) >> 28) & 0xf));
6446
6447 /* Out-of-range fields always cause a VM exit from L2 to L1 */
6448 if (field >> 15)
6449 return true;
6450
6451 if (kvm_vcpu_read_guest(vcpu, gpa: bitmap + field/8, data: &b, len: 1))
6452 return true;
6453
6454 return 1 & (b >> (field & 7));
6455}
6456
6457static bool nested_vmx_exit_handled_mtf(struct vmcs12 *vmcs12)
6458{
6459 u32 entry_intr_info = vmcs12->vm_entry_intr_info_field;
6460
6461 if (nested_cpu_has_mtf(vmcs12))
6462 return true;
6463
6464 /*
6465 * An MTF VM-exit may be injected into the guest by setting the
6466 * interruption-type to 7 (other event) and the vector field to 0. Such
6467 * is the case regardless of the 'monitor trap flag' VM-execution
6468 * control.
6469 */
6470 return entry_intr_info == (INTR_INFO_VALID_MASK
6471 | INTR_TYPE_OTHER_EVENT);
6472}
6473
6474/*
6475 * Return true if L0 wants to handle an exit from L2 regardless of whether or not
6476 * L1 wants the exit. Only call this when in is_guest_mode (L2).
6477 */
6478static bool nested_vmx_l0_wants_exit(struct kvm_vcpu *vcpu,
6479 union vmx_exit_reason exit_reason)
6480{
6481 u32 intr_info;
6482
6483 switch ((u16)exit_reason.basic) {
6484 case EXIT_REASON_EXCEPTION_NMI:
6485 intr_info = vmx_get_intr_info(vcpu);
6486 if (is_nmi(intr_info))
6487 return true;
6488 else if (is_page_fault(intr_info))
6489 return vcpu->arch.apf.host_apf_flags ||
6490 vmx_need_pf_intercept(vcpu);
6491 else if (is_debug(intr_info) &&
6492 vcpu->guest_debug &
6493 (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
6494 return true;
6495 else if (is_breakpoint(intr_info) &&
6496 vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
6497 return true;
6498 else if (is_alignment_check(intr_info) &&
6499 !vmx_guest_inject_ac(vcpu))
6500 return true;
6501 else if (is_ve_fault(intr_info))
6502 return true;
6503 return false;
6504 case EXIT_REASON_EXTERNAL_INTERRUPT:
6505 return true;
6506 case EXIT_REASON_MCE_DURING_VMENTRY:
6507 return true;
6508 case EXIT_REASON_EPT_VIOLATION:
6509 /*
6510 * L0 always deals with the EPT violation. If nested EPT is
6511 * used, and the nested mmu code discovers that the address is
6512 * missing in the guest EPT table (EPT12), the EPT violation
6513 * will be injected with nested_ept_inject_page_fault()
6514 */
6515 return true;
6516 case EXIT_REASON_EPT_MISCONFIG:
6517 /*
6518 * L2 never uses directly L1's EPT, but rather L0's own EPT
6519 * table (shadow on EPT) or a merged EPT table that L0 built
6520 * (EPT on EPT). So any problems with the structure of the
6521 * table is L0's fault.
6522 */
6523 return true;
6524 case EXIT_REASON_PREEMPTION_TIMER:
6525 return true;
6526 case EXIT_REASON_PML_FULL:
6527 /*
6528 * PML is emulated for an L1 VMM and should never be enabled in
6529 * vmcs02, always "handle" PML_FULL by exiting to userspace.
6530 */
6531 return true;
6532 case EXIT_REASON_VMFUNC:
6533 /* VM functions are emulated through L2->L0 vmexits. */
6534 return true;
6535 case EXIT_REASON_BUS_LOCK:
6536 /*
6537 * At present, bus lock VM exit is never exposed to L1.
6538 * Handle L2's bus locks in L0 directly.
6539 */
6540 return true;
6541#ifdef CONFIG_KVM_HYPERV
6542 case EXIT_REASON_VMCALL:
6543 /* Hyper-V L2 TLB flush hypercall is handled by L0 */
6544 return guest_hv_cpuid_has_l2_tlb_flush(vcpu) &&
6545 nested_evmcs_l2_tlb_flush_enabled(vcpu) &&
6546 kvm_hv_is_tlb_flush_hcall(vcpu);
6547#endif
6548 default:
6549 break;
6550 }
6551 return false;
6552}
6553
6554/*
6555 * Return 1 if L1 wants to intercept an exit from L2. Only call this when in
6556 * is_guest_mode (L2).
6557 */
6558static bool nested_vmx_l1_wants_exit(struct kvm_vcpu *vcpu,
6559 union vmx_exit_reason exit_reason)
6560{
6561 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
6562 u32 intr_info;
6563
6564 switch ((u16)exit_reason.basic) {
6565 case EXIT_REASON_EXCEPTION_NMI:
6566 intr_info = vmx_get_intr_info(vcpu);
6567 if (is_nmi(intr_info))
6568 return true;
6569 else if (is_page_fault(intr_info))
6570 return true;
6571 return vmcs12->exception_bitmap &
6572 (1u << (intr_info & INTR_INFO_VECTOR_MASK));
6573 case EXIT_REASON_EXTERNAL_INTERRUPT:
6574 return nested_exit_on_intr(vcpu);
6575 case EXIT_REASON_TRIPLE_FAULT:
6576 return true;
6577 case EXIT_REASON_INTERRUPT_WINDOW:
6578 return nested_cpu_has(vmcs12, CPU_BASED_INTR_WINDOW_EXITING);
6579 case EXIT_REASON_NMI_WINDOW:
6580 return nested_cpu_has(vmcs12, CPU_BASED_NMI_WINDOW_EXITING);
6581 case EXIT_REASON_TASK_SWITCH:
6582 return true;
6583 case EXIT_REASON_CPUID:
6584 return true;
6585 case EXIT_REASON_HLT:
6586 return nested_cpu_has(vmcs12, CPU_BASED_HLT_EXITING);
6587 case EXIT_REASON_INVD:
6588 return true;
6589 case EXIT_REASON_INVLPG:
6590 return nested_cpu_has(vmcs12, CPU_BASED_INVLPG_EXITING);
6591 case EXIT_REASON_RDPMC:
6592 return nested_cpu_has(vmcs12, CPU_BASED_RDPMC_EXITING);
6593 case EXIT_REASON_RDRAND:
6594 return nested_cpu_has2(vmcs12, SECONDARY_EXEC_RDRAND_EXITING);
6595 case EXIT_REASON_RDSEED:
6596 return nested_cpu_has2(vmcs12, SECONDARY_EXEC_RDSEED_EXITING);
6597 case EXIT_REASON_RDTSC: case EXIT_REASON_RDTSCP:
6598 return nested_cpu_has(vmcs12, CPU_BASED_RDTSC_EXITING);
6599 case EXIT_REASON_VMREAD:
6600 return nested_vmx_exit_handled_vmcs_access(vcpu, vmcs12,
6601 bitmap: vmcs12->vmread_bitmap);
6602 case EXIT_REASON_VMWRITE:
6603 return nested_vmx_exit_handled_vmcs_access(vcpu, vmcs12,
6604 bitmap: vmcs12->vmwrite_bitmap);
6605 case EXIT_REASON_VMCALL: case EXIT_REASON_VMCLEAR:
6606 case EXIT_REASON_VMLAUNCH: case EXIT_REASON_VMPTRLD:
6607 case EXIT_REASON_VMPTRST: case EXIT_REASON_VMRESUME:
6608 case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
6609 case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
6610 /*
6611 * VMX instructions trap unconditionally. This allows L1 to
6612 * emulate them for its L2 guest, i.e., allows 3-level nesting!
6613 */
6614 return true;
6615 case EXIT_REASON_CR_ACCESS:
6616 return nested_vmx_exit_handled_cr(vcpu, vmcs12);
6617 case EXIT_REASON_DR_ACCESS:
6618 return nested_cpu_has(vmcs12, CPU_BASED_MOV_DR_EXITING);
6619 case EXIT_REASON_IO_INSTRUCTION:
6620 return nested_vmx_exit_handled_io(vcpu, vmcs12);
6621 case EXIT_REASON_GDTR_IDTR: case EXIT_REASON_LDTR_TR:
6622 return nested_cpu_has2(vmcs12, SECONDARY_EXEC_DESC);
6623 case EXIT_REASON_MSR_READ:
6624 case EXIT_REASON_MSR_WRITE:
6625 case EXIT_REASON_MSR_READ_IMM:
6626 case EXIT_REASON_MSR_WRITE_IMM:
6627 return nested_vmx_exit_handled_msr(vcpu, vmcs12, exit_reason);
6628 case EXIT_REASON_INVALID_STATE:
6629 return true;
6630 case EXIT_REASON_MWAIT_INSTRUCTION:
6631 return nested_cpu_has(vmcs12, CPU_BASED_MWAIT_EXITING);
6632 case EXIT_REASON_MONITOR_TRAP_FLAG:
6633 return nested_vmx_exit_handled_mtf(vmcs12);
6634 case EXIT_REASON_MONITOR_INSTRUCTION:
6635 return nested_cpu_has(vmcs12, CPU_BASED_MONITOR_EXITING);
6636 case EXIT_REASON_PAUSE_INSTRUCTION:
6637 return nested_cpu_has(vmcs12, CPU_BASED_PAUSE_EXITING) ||
6638 nested_cpu_has2(vmcs12,
6639 SECONDARY_EXEC_PAUSE_LOOP_EXITING);
6640 case EXIT_REASON_MCE_DURING_VMENTRY:
6641 return true;
6642 case EXIT_REASON_TPR_BELOW_THRESHOLD:
6643 return nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW);
6644 case EXIT_REASON_APIC_ACCESS:
6645 case EXIT_REASON_APIC_WRITE:
6646 case EXIT_REASON_EOI_INDUCED:
6647 /*
6648 * The controls for "virtualize APIC accesses," "APIC-
6649 * register virtualization," and "virtual-interrupt
6650 * delivery" only come from vmcs12.
6651 */
6652 return true;
6653 case EXIT_REASON_INVPCID:
6654 return
6655 nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_INVPCID) &&
6656 nested_cpu_has(vmcs12, CPU_BASED_INVLPG_EXITING);
6657 case EXIT_REASON_WBINVD:
6658 return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
6659 case EXIT_REASON_XSETBV:
6660 return true;
6661 case EXIT_REASON_XSAVES:
6662 case EXIT_REASON_XRSTORS:
6663 /*
6664 * Always forward XSAVES/XRSTORS to L1 as KVM doesn't utilize
6665 * XSS-bitmap, and always loads vmcs02 with vmcs12's XSS-bitmap
6666 * verbatim, i.e. any exit is due to L1's bitmap. WARN if
6667 * XSAVES isn't enabled, as the CPU is supposed to inject #UD
6668 * in that case, before consulting the XSS-bitmap.
6669 */
6670 WARN_ON_ONCE(!nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_XSAVES));
6671 return true;
6672 case EXIT_REASON_UMWAIT:
6673 case EXIT_REASON_TPAUSE:
6674 return nested_cpu_has2(vmcs12,
6675 SECONDARY_EXEC_ENABLE_USR_WAIT_PAUSE);
6676 case EXIT_REASON_ENCLS:
6677 return nested_vmx_exit_handled_encls(vcpu, vmcs12);
6678 case EXIT_REASON_NOTIFY:
6679 /* Notify VM exit is not exposed to L1 */
6680 return false;
6681 case EXIT_REASON_SEAMCALL:
6682 case EXIT_REASON_TDCALL:
6683 /*
6684 * SEAMCALL and TDCALL unconditionally VM-Exit, but aren't
6685 * virtualized by KVM for L1 hypervisors, i.e. L1 should
6686 * never want or expect such an exit.
6687 */
6688 return false;
6689 default:
6690 return true;
6691 }
6692}
6693
6694/*
6695 * Conditionally reflect a VM-Exit into L1. Returns %true if the VM-Exit was
6696 * reflected into L1.
6697 */
6698bool nested_vmx_reflect_vmexit(struct kvm_vcpu *vcpu)
6699{
6700 struct vcpu_vmx *vmx = to_vmx(vcpu);
6701 union vmx_exit_reason exit_reason = vmx->vt.exit_reason;
6702 unsigned long exit_qual;
6703 u32 exit_intr_info;
6704
6705 WARN_ON_ONCE(vmx->nested.nested_run_pending);
6706
6707 /*
6708 * Late nested VM-Fail shares the same flow as nested VM-Exit since KVM
6709 * has already loaded L2's state.
6710 */
6711 if (unlikely(vmx->fail)) {
6712 trace_kvm_nested_vmenter_failed(
6713 "hardware VM-instruction error: ",
6714 vmcs_read32(field: VM_INSTRUCTION_ERROR));
6715 exit_intr_info = 0;
6716 exit_qual = 0;
6717 goto reflect_vmexit;
6718 }
6719
6720 trace_kvm_nested_vmexit(vcpu, KVM_ISA_VMX);
6721
6722 /* If L0 (KVM) wants the exit, it trumps L1's desires. */
6723 if (nested_vmx_l0_wants_exit(vcpu, exit_reason))
6724 return false;
6725
6726 /* If L1 doesn't want the exit, handle it in L0. */
6727 if (!nested_vmx_l1_wants_exit(vcpu, exit_reason))
6728 return false;
6729
6730 /*
6731 * vmcs.VM_EXIT_INTR_INFO is only valid for EXCEPTION_NMI exits. For
6732 * EXTERNAL_INTERRUPT, the value for vmcs12->vm_exit_intr_info would
6733 * need to be synthesized by querying the in-kernel LAPIC, but external
6734 * interrupts are never reflected to L1 so it's a non-issue.
6735 */
6736 exit_intr_info = vmx_get_intr_info(vcpu);
6737 if (is_exception_with_error_code(intr_info: exit_intr_info)) {
6738 struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
6739
6740 vmcs12->vm_exit_intr_error_code =
6741 vmcs_read32(field: VM_EXIT_INTR_ERROR_CODE);
6742 }
6743 exit_qual = vmx_get_exit_qual(vcpu);
6744
6745reflect_vmexit:
6746 nested_vmx_vmexit(vcpu, vm_exit_reason: exit_reason.full, exit_intr_info, exit_qualification: exit_qual);
6747 return true;
6748}
6749
6750static int vmx_get_nested_state(struct kvm_vcpu *vcpu,
6751 struct kvm_nested_state __user *user_kvm_nested_state,
6752 u32 user_data_size)
6753{
6754 struct vcpu_vmx *vmx;
6755 struct vmcs12 *vmcs12;
6756 struct kvm_nested_state kvm_state = {
6757 .flags = 0,
6758 .format = KVM_STATE_NESTED_FORMAT_VMX,
6759 .size = sizeof(kvm_state),
6760 .hdr.vmx.flags = 0,
6761 .hdr.vmx.vmxon_pa = INVALID_GPA,
6762 .hdr.vmx.vmcs12_pa = INVALID_GPA,
6763 .hdr.vmx.preemption_timer_deadline = 0,
6764 };
6765 struct kvm_vmx_nested_state_data __user *user_vmx_nested_state =
6766 &user_kvm_nested_state->data.vmx[0];
6767
6768 if (!vcpu)
6769 return kvm_state.size + sizeof(*user_vmx_nested_state);
6770
6771 vmx = to_vmx(vcpu);
6772 vmcs12 = get_vmcs12(vcpu);
6773
6774 if (guest_cpu_cap_has(vcpu, X86_FEATURE_VMX) &&
6775 (vmx->nested.vmxon || vmx->nested.smm.vmxon)) {
6776 kvm_state.hdr.vmx.vmxon_pa = vmx->nested.vmxon_ptr;
6777 kvm_state.hdr.vmx.vmcs12_pa = vmx->nested.current_vmptr;
6778
6779 if (vmx_has_valid_vmcs12(vcpu)) {
6780 kvm_state.size += sizeof(user_vmx_nested_state->vmcs12);
6781
6782 /* 'hv_evmcs_vmptr' can also be EVMPTR_MAP_PENDING here */
6783 if (nested_vmx_is_evmptr12_set(vmx))
6784 kvm_state.flags |= KVM_STATE_NESTED_EVMCS;
6785
6786 if (is_guest_mode(vcpu) &&
6787 nested_cpu_has_shadow_vmcs(vmcs12) &&
6788 vmcs12->vmcs_link_pointer != INVALID_GPA)
6789 kvm_state.size += sizeof(user_vmx_nested_state->shadow_vmcs12);
6790 }
6791
6792 if (vmx->nested.smm.vmxon)
6793 kvm_state.hdr.vmx.smm.flags |= KVM_STATE_NESTED_SMM_VMXON;
6794
6795 if (vmx->nested.smm.guest_mode)
6796 kvm_state.hdr.vmx.smm.flags |= KVM_STATE_NESTED_SMM_GUEST_MODE;
6797
6798 if (is_guest_mode(vcpu)) {
6799 kvm_state.flags |= KVM_STATE_NESTED_GUEST_MODE;
6800
6801 if (vmx->nested.nested_run_pending)
6802 kvm_state.flags |= KVM_STATE_NESTED_RUN_PENDING;
6803
6804 if (vmx->nested.mtf_pending)
6805 kvm_state.flags |= KVM_STATE_NESTED_MTF_PENDING;
6806
6807 if (nested_cpu_has_preemption_timer(vmcs12) &&
6808 vmx->nested.has_preemption_timer_deadline) {
6809 kvm_state.hdr.vmx.flags |=
6810 KVM_STATE_VMX_PREEMPTION_TIMER_DEADLINE;
6811 kvm_state.hdr.vmx.preemption_timer_deadline =
6812 vmx->nested.preemption_timer_deadline;
6813 }
6814 }
6815 }
6816
6817 if (user_data_size < kvm_state.size)
6818 goto out;
6819
6820 if (copy_to_user(to: user_kvm_nested_state, from: &kvm_state, n: sizeof(kvm_state)))
6821 return -EFAULT;
6822
6823 if (!vmx_has_valid_vmcs12(vcpu))
6824 goto out;
6825
6826 /*
6827 * When running L2, the authoritative vmcs12 state is in the
6828 * vmcs02. When running L1, the authoritative vmcs12 state is
6829 * in the shadow or enlightened vmcs linked to vmcs01, unless
6830 * need_vmcs12_to_shadow_sync is set, in which case, the authoritative
6831 * vmcs12 state is in the vmcs12 already.
6832 */
6833 if (is_guest_mode(vcpu)) {
6834 sync_vmcs02_to_vmcs12(vcpu, vmcs12);
6835 sync_vmcs02_to_vmcs12_rare(vcpu, vmcs12);
6836 } else {
6837 copy_vmcs02_to_vmcs12_rare(vcpu, vmcs12: get_vmcs12(vcpu));
6838 if (!vmx->nested.need_vmcs12_to_shadow_sync) {
6839 if (nested_vmx_is_evmptr12_valid(vmx))
6840 /*
6841 * L1 hypervisor is not obliged to keep eVMCS
6842 * clean fields data always up-to-date while
6843 * not in guest mode, 'hv_clean_fields' is only
6844 * supposed to be actual upon vmentry so we need
6845 * to ignore it here and do full copy.
6846 */
6847 copy_enlightened_to_vmcs12(vmx, hv_clean_fields: 0);
6848 else if (enable_shadow_vmcs)
6849 copy_shadow_to_vmcs12(vmx);
6850 }
6851 }
6852
6853 BUILD_BUG_ON(sizeof(user_vmx_nested_state->vmcs12) < VMCS12_SIZE);
6854 BUILD_BUG_ON(sizeof(user_vmx_nested_state->shadow_vmcs12) < VMCS12_SIZE);
6855
6856 /*
6857 * Copy over the full allocated size of vmcs12 rather than just the size
6858 * of the struct.
6859 */
6860 if (copy_to_user(to: user_vmx_nested_state->vmcs12, from: vmcs12, VMCS12_SIZE))
6861 return -EFAULT;
6862
6863 if (nested_cpu_has_shadow_vmcs(vmcs12) &&
6864 vmcs12->vmcs_link_pointer != INVALID_GPA) {
6865 if (copy_to_user(to: user_vmx_nested_state->shadow_vmcs12,
6866 from: get_shadow_vmcs12(vcpu), VMCS12_SIZE))
6867 return -EFAULT;
6868 }
6869out:
6870 return kvm_state.size;
6871}
6872
6873void vmx_leave_nested(struct kvm_vcpu *vcpu)
6874{
6875 if (is_guest_mode(vcpu)) {
6876 to_vmx(vcpu)->nested.nested_run_pending = 0;
6877 nested_vmx_vmexit(vcpu, vm_exit_reason: -1, exit_intr_info: 0, exit_qualification: 0);
6878 }
6879 free_nested(vcpu);
6880}
6881
6882static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
6883 struct kvm_nested_state __user *user_kvm_nested_state,
6884 struct kvm_nested_state *kvm_state)
6885{
6886 struct vcpu_vmx *vmx = to_vmx(vcpu);
6887 struct vmcs12 *vmcs12;
6888 enum vm_entry_failure_code ignored;
6889 struct kvm_vmx_nested_state_data __user *user_vmx_nested_state =
6890 &user_kvm_nested_state->data.vmx[0];
6891 int ret;
6892
6893 if (kvm_state->format != KVM_STATE_NESTED_FORMAT_VMX)
6894 return -EINVAL;
6895
6896 if (kvm_state->hdr.vmx.vmxon_pa == INVALID_GPA) {
6897 if (kvm_state->hdr.vmx.smm.flags)
6898 return -EINVAL;
6899
6900 if (kvm_state->hdr.vmx.vmcs12_pa != INVALID_GPA)
6901 return -EINVAL;
6902
6903 /*
6904 * KVM_STATE_NESTED_EVMCS used to signal that KVM should
6905 * enable eVMCS capability on vCPU. However, since then
6906 * code was changed such that flag signals vmcs12 should
6907 * be copied into eVMCS in guest memory.
6908 *
6909 * To preserve backwards compatibility, allow user
6910 * to set this flag even when there is no VMXON region.
6911 */
6912 if (kvm_state->flags & ~KVM_STATE_NESTED_EVMCS)
6913 return -EINVAL;
6914 } else {
6915 if (!guest_cpu_cap_has(vcpu, X86_FEATURE_VMX))
6916 return -EINVAL;
6917
6918 if (!page_address_valid(vcpu, gpa: kvm_state->hdr.vmx.vmxon_pa))
6919 return -EINVAL;
6920 }
6921
6922 if ((kvm_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_GUEST_MODE) &&
6923 (kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE))
6924 return -EINVAL;
6925
6926 if (kvm_state->hdr.vmx.smm.flags &
6927 ~(KVM_STATE_NESTED_SMM_GUEST_MODE | KVM_STATE_NESTED_SMM_VMXON))
6928 return -EINVAL;
6929
6930 if (kvm_state->hdr.vmx.flags & ~KVM_STATE_VMX_PREEMPTION_TIMER_DEADLINE)
6931 return -EINVAL;
6932
6933 /*
6934 * SMM temporarily disables VMX, so we cannot be in guest mode,
6935 * nor can VMLAUNCH/VMRESUME be pending. Outside SMM, SMM flags
6936 * must be zero.
6937 */
6938 if (is_smm(vcpu) ?
6939 (kvm_state->flags &
6940 (KVM_STATE_NESTED_GUEST_MODE | KVM_STATE_NESTED_RUN_PENDING))
6941 : kvm_state->hdr.vmx.smm.flags)
6942 return -EINVAL;
6943
6944 if ((kvm_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_GUEST_MODE) &&
6945 !(kvm_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_VMXON))
6946 return -EINVAL;
6947
6948 if ((kvm_state->flags & KVM_STATE_NESTED_EVMCS) &&
6949 (!guest_cpu_cap_has(vcpu, X86_FEATURE_VMX) ||
6950 !vmx->nested.enlightened_vmcs_enabled))
6951 return -EINVAL;
6952
6953 vmx_leave_nested(vcpu);
6954
6955 if (kvm_state->hdr.vmx.vmxon_pa == INVALID_GPA)
6956 return 0;
6957
6958 vmx->nested.vmxon_ptr = kvm_state->hdr.vmx.vmxon_pa;
6959 ret = enter_vmx_operation(vcpu);
6960 if (ret)
6961 return ret;
6962
6963 /* Empty 'VMXON' state is permitted if no VMCS loaded */
6964 if (kvm_state->size < sizeof(*kvm_state) + sizeof(*vmcs12)) {
6965 /* See vmx_has_valid_vmcs12. */
6966 if ((kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE) ||
6967 (kvm_state->flags & KVM_STATE_NESTED_EVMCS) ||
6968 (kvm_state->hdr.vmx.vmcs12_pa != INVALID_GPA))
6969 return -EINVAL;
6970 else
6971 return 0;
6972 }
6973
6974 if (kvm_state->hdr.vmx.vmcs12_pa != INVALID_GPA) {
6975 if (kvm_state->hdr.vmx.vmcs12_pa == kvm_state->hdr.vmx.vmxon_pa ||
6976 !page_address_valid(vcpu, gpa: kvm_state->hdr.vmx.vmcs12_pa))
6977 return -EINVAL;
6978
6979 set_current_vmptr(vmx, vmptr: kvm_state->hdr.vmx.vmcs12_pa);
6980#ifdef CONFIG_KVM_HYPERV
6981 } else if (kvm_state->flags & KVM_STATE_NESTED_EVMCS) {
6982 /*
6983 * nested_vmx_handle_enlightened_vmptrld() cannot be called
6984 * directly from here as HV_X64_MSR_VP_ASSIST_PAGE may not be
6985 * restored yet. EVMCS will be mapped from
6986 * nested_get_vmcs12_pages().
6987 */
6988 vmx->nested.hv_evmcs_vmptr = EVMPTR_MAP_PENDING;
6989 kvm_make_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
6990#endif
6991 } else {
6992 return -EINVAL;
6993 }
6994
6995 if (kvm_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_VMXON) {
6996 vmx->nested.smm.vmxon = true;
6997 vmx->nested.vmxon = false;
6998
6999 if (kvm_state->hdr.vmx.smm.flags & KVM_STATE_NESTED_SMM_GUEST_MODE)
7000 vmx->nested.smm.guest_mode = true;
7001 }
7002
7003 vmcs12 = get_vmcs12(vcpu);
7004 if (copy_from_user(to: vmcs12, from: user_vmx_nested_state->vmcs12, n: sizeof(*vmcs12)))
7005 return -EFAULT;
7006
7007 if (vmcs12->hdr.revision_id != VMCS12_REVISION)
7008 return -EINVAL;
7009
7010 if (!(kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE))
7011 return 0;
7012
7013 vmx->nested.nested_run_pending =
7014 !!(kvm_state->flags & KVM_STATE_NESTED_RUN_PENDING);
7015
7016 vmx->nested.mtf_pending =
7017 !!(kvm_state->flags & KVM_STATE_NESTED_MTF_PENDING);
7018
7019 ret = -EINVAL;
7020 if (nested_cpu_has_shadow_vmcs(vmcs12) &&
7021 vmcs12->vmcs_link_pointer != INVALID_GPA) {
7022 struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
7023
7024 if (kvm_state->size <
7025 sizeof(*kvm_state) +
7026 sizeof(user_vmx_nested_state->vmcs12) + sizeof(*shadow_vmcs12))
7027 goto error_guest_mode;
7028
7029 if (copy_from_user(to: shadow_vmcs12,
7030 from: user_vmx_nested_state->shadow_vmcs12,
7031 n: sizeof(*shadow_vmcs12))) {
7032 ret = -EFAULT;
7033 goto error_guest_mode;
7034 }
7035
7036 if (shadow_vmcs12->hdr.revision_id != VMCS12_REVISION ||
7037 !shadow_vmcs12->hdr.shadow_vmcs)
7038 goto error_guest_mode;
7039 }
7040
7041 vmx->nested.has_preemption_timer_deadline = false;
7042 if (kvm_state->hdr.vmx.flags & KVM_STATE_VMX_PREEMPTION_TIMER_DEADLINE) {
7043 vmx->nested.has_preemption_timer_deadline = true;
7044 vmx->nested.preemption_timer_deadline =
7045 kvm_state->hdr.vmx.preemption_timer_deadline;
7046 }
7047
7048 if (nested_vmx_check_controls(vcpu, vmcs12) ||
7049 nested_vmx_check_host_state(vcpu, vmcs12) ||
7050 nested_vmx_check_guest_state(vcpu, vmcs12, entry_failure_code: &ignored))
7051 goto error_guest_mode;
7052
7053 vmx->nested.dirty_vmcs12 = true;
7054 vmx->nested.force_msr_bitmap_recalc = true;
7055 ret = nested_vmx_enter_non_root_mode(vcpu, from_vmentry: false);
7056 if (ret)
7057 goto error_guest_mode;
7058
7059 if (vmx->nested.mtf_pending)
7060 kvm_make_request(KVM_REQ_EVENT, vcpu);
7061
7062 return 0;
7063
7064error_guest_mode:
7065 vmx->nested.nested_run_pending = 0;
7066 return ret;
7067}
7068
7069void nested_vmx_set_vmcs_shadowing_bitmap(void)
7070{
7071 if (enable_shadow_vmcs) {
7072 vmcs_write64(field: VMREAD_BITMAP, __pa(vmx_vmread_bitmap));
7073 vmcs_write64(field: VMWRITE_BITMAP, __pa(vmx_vmwrite_bitmap));
7074 }
7075}
7076
7077/*
7078 * Indexing into the vmcs12 uses the VMCS encoding rotated left by 6. Undo
7079 * that madness to get the encoding for comparison.
7080 */
7081#define VMCS12_IDX_TO_ENC(idx) ((u16)(((u16)(idx) >> 6) | ((u16)(idx) << 10)))
7082
7083static u64 nested_vmx_calc_vmcs_enum_msr(void)
7084{
7085 /*
7086 * Note these are the so called "index" of the VMCS field encoding, not
7087 * the index into vmcs12.
7088 */
7089 unsigned int max_idx, idx;
7090 int i;
7091
7092 /*
7093 * For better or worse, KVM allows VMREAD/VMWRITE to all fields in
7094 * vmcs12, regardless of whether or not the associated feature is
7095 * exposed to L1. Simply find the field with the highest index.
7096 */
7097 max_idx = 0;
7098 for (i = 0; i < nr_vmcs12_fields; i++) {
7099 /* The vmcs12 table is very, very sparsely populated. */
7100 if (!vmcs12_field_offsets[i])
7101 continue;
7102
7103 idx = vmcs_field_index(VMCS12_IDX_TO_ENC(i));
7104 if (idx > max_idx)
7105 max_idx = idx;
7106 }
7107
7108 return (u64)max_idx << VMCS_FIELD_INDEX_SHIFT;
7109}
7110
7111static void nested_vmx_setup_pinbased_ctls(struct vmcs_config *vmcs_conf,
7112 struct nested_vmx_msrs *msrs)
7113{
7114 msrs->pinbased_ctls_low =
7115 PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
7116
7117 msrs->pinbased_ctls_high = vmcs_conf->pin_based_exec_ctrl;
7118 msrs->pinbased_ctls_high &=
7119 PIN_BASED_EXT_INTR_MASK |
7120 PIN_BASED_NMI_EXITING |
7121 PIN_BASED_VIRTUAL_NMIS |
7122 (enable_apicv ? PIN_BASED_POSTED_INTR : 0);
7123 msrs->pinbased_ctls_high |=
7124 PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR |
7125 PIN_BASED_VMX_PREEMPTION_TIMER;
7126}
7127
7128static void nested_vmx_setup_exit_ctls(struct vmcs_config *vmcs_conf,
7129 struct nested_vmx_msrs *msrs)
7130{
7131 msrs->exit_ctls_low =
7132 VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR;
7133
7134 msrs->exit_ctls_high = vmcs_conf->vmexit_ctrl;
7135 msrs->exit_ctls_high &=
7136#ifdef CONFIG_X86_64
7137 VM_EXIT_HOST_ADDR_SPACE_SIZE |
7138#endif
7139 VM_EXIT_LOAD_IA32_PAT | VM_EXIT_SAVE_IA32_PAT |
7140 VM_EXIT_CLEAR_BNDCFGS | VM_EXIT_LOAD_CET_STATE;
7141 msrs->exit_ctls_high |=
7142 VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR |
7143 VM_EXIT_LOAD_IA32_EFER | VM_EXIT_SAVE_IA32_EFER |
7144 VM_EXIT_SAVE_VMX_PREEMPTION_TIMER | VM_EXIT_ACK_INTR_ON_EXIT |
7145 VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL;
7146
7147 if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
7148 !kvm_cpu_cap_has(X86_FEATURE_IBT))
7149 msrs->exit_ctls_high &= ~VM_EXIT_LOAD_CET_STATE;
7150
7151 /* We support free control of debug control saving. */
7152 msrs->exit_ctls_low &= ~VM_EXIT_SAVE_DEBUG_CONTROLS;
7153}
7154
7155static void nested_vmx_setup_entry_ctls(struct vmcs_config *vmcs_conf,
7156 struct nested_vmx_msrs *msrs)
7157{
7158 msrs->entry_ctls_low =
7159 VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR;
7160
7161 msrs->entry_ctls_high = vmcs_conf->vmentry_ctrl;
7162 msrs->entry_ctls_high &=
7163#ifdef CONFIG_X86_64
7164 VM_ENTRY_IA32E_MODE |
7165#endif
7166 VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_LOAD_BNDCFGS |
7167 VM_ENTRY_LOAD_CET_STATE;
7168 msrs->entry_ctls_high |=
7169 (VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR | VM_ENTRY_LOAD_IA32_EFER |
7170 VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
7171
7172 if (!kvm_cpu_cap_has(X86_FEATURE_SHSTK) &&
7173 !kvm_cpu_cap_has(X86_FEATURE_IBT))
7174 msrs->entry_ctls_high &= ~VM_ENTRY_LOAD_CET_STATE;
7175
7176 /* We support free control of debug control loading. */
7177 msrs->entry_ctls_low &= ~VM_ENTRY_LOAD_DEBUG_CONTROLS;
7178}
7179
7180static void nested_vmx_setup_cpubased_ctls(struct vmcs_config *vmcs_conf,
7181 struct nested_vmx_msrs *msrs)
7182{
7183 msrs->procbased_ctls_low =
7184 CPU_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
7185
7186 msrs->procbased_ctls_high = vmcs_conf->cpu_based_exec_ctrl;
7187 msrs->procbased_ctls_high &=
7188 CPU_BASED_INTR_WINDOW_EXITING |
7189 CPU_BASED_NMI_WINDOW_EXITING | CPU_BASED_USE_TSC_OFFSETTING |
7190 CPU_BASED_HLT_EXITING | CPU_BASED_INVLPG_EXITING |
7191 CPU_BASED_MWAIT_EXITING | CPU_BASED_CR3_LOAD_EXITING |
7192 CPU_BASED_CR3_STORE_EXITING |
7193#ifdef CONFIG_X86_64
7194 CPU_BASED_CR8_LOAD_EXITING | CPU_BASED_CR8_STORE_EXITING |
7195#endif
7196 CPU_BASED_MOV_DR_EXITING | CPU_BASED_UNCOND_IO_EXITING |
7197 CPU_BASED_USE_IO_BITMAPS | CPU_BASED_MONITOR_TRAP_FLAG |
7198 CPU_BASED_MONITOR_EXITING | CPU_BASED_RDPMC_EXITING |
7199 CPU_BASED_RDTSC_EXITING | CPU_BASED_PAUSE_EXITING |
7200 CPU_BASED_TPR_SHADOW | CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
7201 /*
7202 * We can allow some features even when not supported by the
7203 * hardware. For example, L1 can specify an MSR bitmap - and we
7204 * can use it to avoid exits to L1 - even when L0 runs L2
7205 * without MSR bitmaps.
7206 */
7207 msrs->procbased_ctls_high |=
7208 CPU_BASED_ALWAYSON_WITHOUT_TRUE_MSR |
7209 CPU_BASED_USE_MSR_BITMAPS;
7210
7211 /* We support free control of CR3 access interception. */
7212 msrs->procbased_ctls_low &=
7213 ~(CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING);
7214}
7215
7216static void nested_vmx_setup_secondary_ctls(u32 ept_caps,
7217 struct vmcs_config *vmcs_conf,
7218 struct nested_vmx_msrs *msrs)
7219{
7220 msrs->secondary_ctls_low = 0;
7221
7222 msrs->secondary_ctls_high = vmcs_conf->cpu_based_2nd_exec_ctrl;
7223 msrs->secondary_ctls_high &=
7224 SECONDARY_EXEC_DESC |
7225 SECONDARY_EXEC_ENABLE_RDTSCP |
7226 SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
7227 SECONDARY_EXEC_WBINVD_EXITING |
7228 SECONDARY_EXEC_APIC_REGISTER_VIRT |
7229 SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
7230 SECONDARY_EXEC_RDRAND_EXITING |
7231 SECONDARY_EXEC_ENABLE_INVPCID |
7232 SECONDARY_EXEC_ENABLE_VMFUNC |
7233 SECONDARY_EXEC_RDSEED_EXITING |
7234 SECONDARY_EXEC_ENABLE_XSAVES |
7235 SECONDARY_EXEC_TSC_SCALING |
7236 SECONDARY_EXEC_ENABLE_USR_WAIT_PAUSE;
7237
7238 /*
7239 * We can emulate "VMCS shadowing," even if the hardware
7240 * doesn't support it.
7241 */
7242 msrs->secondary_ctls_high |=
7243 SECONDARY_EXEC_SHADOW_VMCS;
7244
7245 if (enable_ept) {
7246 /* nested EPT: emulate EPT also to L1 */
7247 msrs->secondary_ctls_high |=
7248 SECONDARY_EXEC_ENABLE_EPT;
7249 msrs->ept_caps =
7250 VMX_EPT_PAGE_WALK_4_BIT |
7251 VMX_EPT_PAGE_WALK_5_BIT |
7252 VMX_EPTP_WB_BIT |
7253 VMX_EPT_INVEPT_BIT |
7254 VMX_EPT_EXECUTE_ONLY_BIT;
7255
7256 msrs->ept_caps &= ept_caps;
7257 msrs->ept_caps |= VMX_EPT_EXTENT_GLOBAL_BIT |
7258 VMX_EPT_EXTENT_CONTEXT_BIT | VMX_EPT_2MB_PAGE_BIT |
7259 VMX_EPT_1GB_PAGE_BIT;
7260 if (enable_ept_ad_bits) {
7261 msrs->secondary_ctls_high |=
7262 SECONDARY_EXEC_ENABLE_PML;
7263 msrs->ept_caps |= VMX_EPT_AD_BIT;
7264 }
7265
7266 /*
7267 * Advertise EPTP switching irrespective of hardware support,
7268 * KVM emulates it in software so long as VMFUNC is supported.
7269 */
7270 if (cpu_has_vmx_vmfunc())
7271 msrs->vmfunc_controls = VMX_VMFUNC_EPTP_SWITCHING;
7272 }
7273
7274 /*
7275 * Old versions of KVM use the single-context version without
7276 * checking for support, so declare that it is supported even
7277 * though it is treated as global context. The alternative is
7278 * not failing the single-context invvpid, and it is worse.
7279 */
7280 if (enable_vpid) {
7281 msrs->secondary_ctls_high |=
7282 SECONDARY_EXEC_ENABLE_VPID;
7283 msrs->vpid_caps = VMX_VPID_INVVPID_BIT |
7284 VMX_VPID_EXTENT_SUPPORTED_MASK;
7285 }
7286
7287 if (enable_unrestricted_guest)
7288 msrs->secondary_ctls_high |=
7289 SECONDARY_EXEC_UNRESTRICTED_GUEST;
7290
7291 if (flexpriority_enabled)
7292 msrs->secondary_ctls_high |=
7293 SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
7294
7295 if (enable_sgx)
7296 msrs->secondary_ctls_high |= SECONDARY_EXEC_ENCLS_EXITING;
7297}
7298
7299static void nested_vmx_setup_misc_data(struct vmcs_config *vmcs_conf,
7300 struct nested_vmx_msrs *msrs)
7301{
7302 msrs->misc_low = (u32)vmcs_conf->misc & VMX_MISC_SAVE_EFER_LMA;
7303 msrs->misc_low |=
7304 VMX_MISC_VMWRITE_SHADOW_RO_FIELDS |
7305 VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE |
7306 VMX_MISC_ACTIVITY_HLT |
7307 VMX_MISC_ACTIVITY_WAIT_SIPI;
7308 msrs->misc_high = 0;
7309}
7310
7311static void nested_vmx_setup_basic(struct nested_vmx_msrs *msrs)
7312{
7313 /*
7314 * This MSR reports some information about VMX support. We
7315 * should return information about the VMX we emulate for the
7316 * guest, and the VMCS structure we give it - not about the
7317 * VMX support of the underlying hardware.
7318 */
7319 msrs->basic = vmx_basic_encode_vmcs_info(VMCS12_REVISION, VMCS12_SIZE,
7320 X86_MEMTYPE_WB);
7321
7322 msrs->basic |= VMX_BASIC_TRUE_CTLS;
7323 if (cpu_has_vmx_basic_inout())
7324 msrs->basic |= VMX_BASIC_INOUT;
7325 if (cpu_has_vmx_basic_no_hw_errcode_cc())
7326 msrs->basic |= VMX_BASIC_NO_HW_ERROR_CODE_CC;
7327}
7328
7329static void nested_vmx_setup_cr_fixed(struct nested_vmx_msrs *msrs)
7330{
7331 /*
7332 * These MSRs specify bits which the guest must keep fixed on
7333 * while L1 is in VMXON mode (in L1's root mode, or running an L2).
7334 * We picked the standard core2 setting.
7335 */
7336#define VMXON_CR0_ALWAYSON (X86_CR0_PE | X86_CR0_PG | X86_CR0_NE)
7337#define VMXON_CR4_ALWAYSON X86_CR4_VMXE
7338 msrs->cr0_fixed0 = VMXON_CR0_ALWAYSON;
7339 msrs->cr4_fixed0 = VMXON_CR4_ALWAYSON;
7340
7341 /* These MSRs specify bits which the guest must keep fixed off. */
7342 rdmsrq(MSR_IA32_VMX_CR0_FIXED1, msrs->cr0_fixed1);
7343 rdmsrq(MSR_IA32_VMX_CR4_FIXED1, msrs->cr4_fixed1);
7344
7345 if (vmx_umip_emulated())
7346 msrs->cr4_fixed1 |= X86_CR4_UMIP;
7347}
7348
7349/*
7350 * nested_vmx_setup_ctls_msrs() sets up variables containing the values to be
7351 * returned for the various VMX controls MSRs when nested VMX is enabled.
7352 * The same values should also be used to verify that vmcs12 control fields are
7353 * valid during nested entry from L1 to L2.
7354 * Each of these control msrs has a low and high 32-bit half: A low bit is on
7355 * if the corresponding bit in the (32-bit) control field *must* be on, and a
7356 * bit in the high half is on if the corresponding bit in the control field
7357 * may be on. See also vmx_control_verify().
7358 */
7359void nested_vmx_setup_ctls_msrs(struct vmcs_config *vmcs_conf, u32 ept_caps)
7360{
7361 struct nested_vmx_msrs *msrs = &vmcs_conf->nested;
7362
7363 /*
7364 * Note that as a general rule, the high half of the MSRs (bits in
7365 * the control fields which may be 1) should be initialized by the
7366 * intersection of the underlying hardware's MSR (i.e., features which
7367 * can be supported) and the list of features we want to expose -
7368 * because they are known to be properly supported in our code.
7369 * Also, usually, the low half of the MSRs (bits which must be 1) can
7370 * be set to 0, meaning that L1 may turn off any of these bits. The
7371 * reason is that if one of these bits is necessary, it will appear
7372 * in vmcs01 and prepare_vmcs02, when it bitwise-or's the control
7373 * fields of vmcs01 and vmcs02, will turn these bits off - and
7374 * nested_vmx_l1_wants_exit() will not pass related exits to L1.
7375 * These rules have exceptions below.
7376 */
7377 nested_vmx_setup_pinbased_ctls(vmcs_conf, msrs);
7378
7379 nested_vmx_setup_exit_ctls(vmcs_conf, msrs);
7380
7381 nested_vmx_setup_entry_ctls(vmcs_conf, msrs);
7382
7383 nested_vmx_setup_cpubased_ctls(vmcs_conf, msrs);
7384
7385 nested_vmx_setup_secondary_ctls(ept_caps, vmcs_conf, msrs);
7386
7387 nested_vmx_setup_misc_data(vmcs_conf, msrs);
7388
7389 nested_vmx_setup_basic(msrs);
7390
7391 nested_vmx_setup_cr_fixed(msrs);
7392
7393 msrs->vmcs_enum = nested_vmx_calc_vmcs_enum_msr();
7394}
7395
7396void nested_vmx_hardware_unsetup(void)
7397{
7398 int i;
7399
7400 if (enable_shadow_vmcs) {
7401 for (i = 0; i < VMX_BITMAP_NR; i++)
7402 free_page((unsigned long)vmx_bitmap[i]);
7403 }
7404}
7405
7406__init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *))
7407{
7408 int i;
7409
7410 if (!cpu_has_vmx_shadow_vmcs())
7411 enable_shadow_vmcs = 0;
7412 if (enable_shadow_vmcs) {
7413 for (i = 0; i < VMX_BITMAP_NR; i++) {
7414 /*
7415 * The vmx_bitmap is not tied to a VM and so should
7416 * not be charged to a memcg.
7417 */
7418 vmx_bitmap[i] = (unsigned long *)
7419 __get_free_page(GFP_KERNEL);
7420 if (!vmx_bitmap[i]) {
7421 nested_vmx_hardware_unsetup();
7422 return -ENOMEM;
7423 }
7424 }
7425
7426 init_vmcs_shadow_fields();
7427 }
7428
7429 exit_handlers[EXIT_REASON_VMCLEAR] = handle_vmclear;
7430 exit_handlers[EXIT_REASON_VMLAUNCH] = handle_vmlaunch;
7431 exit_handlers[EXIT_REASON_VMPTRLD] = handle_vmptrld;
7432 exit_handlers[EXIT_REASON_VMPTRST] = handle_vmptrst;
7433 exit_handlers[EXIT_REASON_VMREAD] = handle_vmread;
7434 exit_handlers[EXIT_REASON_VMRESUME] = handle_vmresume;
7435 exit_handlers[EXIT_REASON_VMWRITE] = handle_vmwrite;
7436 exit_handlers[EXIT_REASON_VMOFF] = handle_vmxoff;
7437 exit_handlers[EXIT_REASON_VMON] = handle_vmxon;
7438 exit_handlers[EXIT_REASON_INVEPT] = handle_invept;
7439 exit_handlers[EXIT_REASON_INVVPID] = handle_invvpid;
7440 exit_handlers[EXIT_REASON_VMFUNC] = handle_vmfunc;
7441
7442 return 0;
7443}
7444
7445struct kvm_x86_nested_ops vmx_nested_ops = {
7446 .leave_nested = vmx_leave_nested,
7447 .is_exception_vmexit = nested_vmx_is_exception_vmexit,
7448 .check_events = vmx_check_nested_events,
7449 .has_events = vmx_has_nested_events,
7450 .triple_fault = nested_vmx_triple_fault,
7451 .get_state = vmx_get_nested_state,
7452 .set_state = vmx_set_nested_state,
7453 .get_nested_state_pages = vmx_get_nested_state_pages,
7454 .write_log_dirty = nested_vmx_write_pml_buffer,
7455#ifdef CONFIG_KVM_HYPERV
7456 .enable_evmcs = nested_enable_evmcs,
7457 .get_evmcs_version = nested_get_evmcs_version,
7458 .hv_inject_synthetic_vmexit_post_tlb_flush = vmx_hv_inject_synthetic_vmexit_post_tlb_flush,
7459#endif
7460};
7461

source code of linux/arch/x86/kvm/vmx/nested.c