aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRusty Russell <rusty@rustcorp.com.au>2007-07-26 13:41:04 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-26 14:35:17 -0400
commitbff672e630a015d5b54c8bfb16160b7edc39a57c (patch)
tree3af06baacb76809234a3e71033d14b7ed769dbd8
parentdde797899ac17ebb812b7566044124d785e98dc7 (diff)
lguest: documentation V: Host
Documentation: The Host Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/lguest/core.c273
-rw-r--r--drivers/lguest/hypercalls.c118
-rw-r--r--drivers/lguest/interrupts_and_traps.c176
-rw-r--r--drivers/lguest/lg.h19
-rw-r--r--drivers/lguest/page_tables.c314
-rw-r--r--drivers/lguest/segments.c109
6 files changed, 924 insertions, 85 deletions
diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
index 1eb05f9a56b..c0f50b4dd2f 100644
--- a/drivers/lguest/core.c
+++ b/drivers/lguest/core.c
@@ -64,11 +64,33 @@ static struct lguest_pages *lguest_pages(unsigned int cpu)
64 (SWITCHER_ADDR + SHARED_SWITCHER_PAGES*PAGE_SIZE))[cpu]); 64 (SWITCHER_ADDR + SHARED_SWITCHER_PAGES*PAGE_SIZE))[cpu]);
65} 65}
66 66
67/*H:010 We need to set up the Switcher at a high virtual address. Remember the
68 * Switcher is a few hundred bytes of assembler code which actually changes the
69 * CPU to run the Guest, and then changes back to the Host when a trap or
70 * interrupt happens.
71 *
72 * The Switcher code must be at the same virtual address in the Guest as the
73 * Host since it will be running as the switchover occurs.
74 *
75 * Trying to map memory at a particular address is an unusual thing to do, so
76 * it's not a simple one-liner. We also set up the per-cpu parts of the
77 * Switcher here.
78 */
67static __init int map_switcher(void) 79static __init int map_switcher(void)
68{ 80{
69 int i, err; 81 int i, err;
70 struct page **pagep; 82 struct page **pagep;
71 83
84 /*
85 * Map the Switcher in to high memory.
86 *
87 * It turns out that if we choose the address 0xFFC00000 (4MB under the
88 * top virtual address), it makes setting up the page tables really
89 * easy.
90 */
91
92 /* We allocate an array of "struct page"s. map_vm_area() wants the
93 * pages in this form, rather than just an array of pointers. */
72 switcher_page = kmalloc(sizeof(switcher_page[0])*TOTAL_SWITCHER_PAGES, 94 switcher_page = kmalloc(sizeof(switcher_page[0])*TOTAL_SWITCHER_PAGES,
73 GFP_KERNEL); 95 GFP_KERNEL);
74 if (!switcher_page) { 96 if (!switcher_page) {
@@ -76,6 +98,8 @@ static __init int map_switcher(void)
76 goto out; 98 goto out;
77 } 99 }
78 100
101 /* Now we actually allocate the pages. The Guest will see these pages,
102 * so we make sure they're zeroed. */
79 for (i = 0; i < TOTAL_SWITCHER_PAGES; i++) { 103 for (i = 0; i < TOTAL_SWITCHER_PAGES; i++) {
80 unsigned long addr = get_zeroed_page(GFP_KERNEL); 104 unsigned long addr = get_zeroed_page(GFP_KERNEL);
81 if (!addr) { 105 if (!addr) {
@@ -85,6 +109,9 @@ static __init int map_switcher(void)
85 switcher_page[i] = virt_to_page(addr); 109 switcher_page[i] = virt_to_page(addr);
86 } 110 }
87 111
112 /* Now we reserve the "virtual memory area" we want: 0xFFC00000
113 * (SWITCHER_ADDR). We might not get it in theory, but in practice
114 * it's worked so far. */
88 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE, 115 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
89 VM_ALLOC, SWITCHER_ADDR, VMALLOC_END); 116 VM_ALLOC, SWITCHER_ADDR, VMALLOC_END);
90 if (!switcher_vma) { 117 if (!switcher_vma) {
@@ -93,49 +120,105 @@ static __init int map_switcher(void)
93 goto free_pages; 120 goto free_pages;
94 } 121 }
95 122
123 /* This code actually sets up the pages we've allocated to appear at
124 * SWITCHER_ADDR. map_vm_area() takes the vma we allocated above, the
125 * kind of pages we're mapping (kernel pages), and a pointer to our
126 * array of struct pages. It increments that pointer, but we don't
127 * care. */
96 pagep = switcher_page; 128 pagep = switcher_page;
97 err = map_vm_area(switcher_vma, PAGE_KERNEL, &pagep); 129 err = map_vm_area(switcher_vma, PAGE_KERNEL, &pagep);
98 if (err) { 130 if (err) {
99 printk("lguest: map_vm_area failed: %i\n", err); 131 printk("lguest: map_vm_area failed: %i\n", err);
100 goto free_vma; 132 goto free_vma;
101 } 133 }
134
135 /* Now the switcher is mapped at the right address, we can't fail!
136 * Copy in the compiled-in Switcher code (from switcher.S). */
102 memcpy(switcher_vma->addr, start_switcher_text, 137 memcpy(switcher_vma->addr, start_switcher_text,
103 end_switcher_text - start_switcher_text); 138 end_switcher_text - start_switcher_text);
104 139
105 /* Fix up IDT entries to point into copied text. */ 140 /* Most of the switcher.S doesn't care that it's been moved; on Intel,
141 * jumps are relative, and it doesn't access any references to external
142 * code or data.
143 *
144 * The only exception is the interrupt handlers in switcher.S: their
145 * addresses are placed in a table (default_idt_entries), so we need to
146 * update the table with the new addresses. switcher_offset() is a
147 * convenience function which returns the distance between the builtin
148 * switcher code and the high-mapped copy we just made. */
106 for (i = 0; i < IDT_ENTRIES; i++) 149 for (i = 0; i < IDT_ENTRIES; i++)
107 default_idt_entries[i] += switcher_offset(); 150 default_idt_entries[i] += switcher_offset();
108 151
152 /*
153 * Set up the Switcher's per-cpu areas.
154 *
155 * Each CPU gets two pages of its own within the high-mapped region
156 * (aka. "struct lguest_pages"). Much of this can be initialized now,
157 * but some depends on what Guest we are running (which is set up in
158 * copy_in_guest_info()).
159 */
109 for_each_possible_cpu(i) { 160 for_each_possible_cpu(i) {
161 /* lguest_pages() returns this CPU's two pages. */
110 struct lguest_pages *pages = lguest_pages(i); 162 struct lguest_pages *pages = lguest_pages(i);
163 /* This is a convenience pointer to make the code fit one
164 * statement to a line. */
111 struct lguest_ro_state *state = &pages->state; 165 struct lguest_ro_state *state = &pages->state;
112 166
113 /* These fields are static: rest done in copy_in_guest_info */ 167 /* The Global Descriptor Table: the Host has a different one
168 * for each CPU. We keep a descriptor for the GDT which says
169 * where it is and how big it is (the size is actually the last
170 * byte, not the size, hence the "-1"). */
114 state->host_gdt_desc.size = GDT_SIZE-1; 171 state->host_gdt_desc.size = GDT_SIZE-1;
115 state->host_gdt_desc.address = (long)get_cpu_gdt_table(i); 172 state->host_gdt_desc.address = (long)get_cpu_gdt_table(i);
173
174 /* All CPUs on the Host use the same Interrupt Descriptor
175 * Table, so we just use store_idt(), which gets this CPU's IDT
176 * descriptor. */
116 store_idt(&state->host_idt_desc); 177 store_idt(&state->host_idt_desc);
178
179 /* The descriptors for the Guest's GDT and IDT can be filled
180 * out now, too. We copy the GDT & IDT into ->guest_gdt and
181 * ->guest_idt before actually running the Guest. */
117 state->guest_idt_desc.size = sizeof(state->guest_idt)-1; 182 state->guest_idt_desc.size = sizeof(state->guest_idt)-1;
118 state->guest_idt_desc.address = (long)&state->guest_idt; 183 state->guest_idt_desc.address = (long)&state->guest_idt;
119 state->guest_gdt_desc.size = sizeof(state->guest_gdt)-1; 184 state->guest_gdt_desc.size = sizeof(state->guest_gdt)-1;
120 state->guest_gdt_desc.address = (long)&state->guest_gdt; 185 state->guest_gdt_desc.address = (long)&state->guest_gdt;
186
187 /* We know where we want the stack to be when the Guest enters
188 * the switcher: in pages->regs. The stack grows upwards, so
189 * we start it at the end of that structure. */
121 state->guest_tss.esp0 = (long)(&pages->regs + 1); 190 state->guest_tss.esp0 = (long)(&pages->regs + 1);
191 /* And this is the GDT entry to use for the stack: we keep a
192 * couple of special LGUEST entries. */
122 state->guest_tss.ss0 = LGUEST_DS; 193 state->guest_tss.ss0 = LGUEST_DS;
123 /* No I/O for you! */ 194
195 /* x86 can have a finegrained bitmap which indicates what I/O
196 * ports the process can use. We set it to the end of our
197 * structure, meaning "none". */
124 state->guest_tss.io_bitmap_base = sizeof(state->guest_tss); 198 state->guest_tss.io_bitmap_base = sizeof(state->guest_tss);
199
200 /* Some GDT entries are the same across all Guests, so we can
201 * set them up now. */
125 setup_default_gdt_entries(state); 202 setup_default_gdt_entries(state);
203 /* Most IDT entries are the same for all Guests, too.*/
126 setup_default_idt_entries(state, default_idt_entries); 204 setup_default_idt_entries(state, default_idt_entries);
127 205
128 /* Setup LGUEST segments on all cpus */ 206 /* The Host needs to be able to use the LGUEST segments on this
207 * CPU, too, so put them in the Host GDT. */
129 get_cpu_gdt_table(i)[GDT_ENTRY_LGUEST_CS] = FULL_EXEC_SEGMENT; 208 get_cpu_gdt_table(i)[GDT_ENTRY_LGUEST_CS] = FULL_EXEC_SEGMENT;
130 get_cpu_gdt_table(i)[GDT_ENTRY_LGUEST_DS] = FULL_SEGMENT; 209 get_cpu_gdt_table(i)[GDT_ENTRY_LGUEST_DS] = FULL_SEGMENT;
131 } 210 }
132 211
133 /* Initialize entry point into switcher. */ 212 /* In the Switcher, we want the %cs segment register to use the
213 * LGUEST_CS GDT entry: we've put that in the Host and Guest GDTs, so
214 * it will be undisturbed when we switch. To change %cs and jump we
215 * need this structure to feed to Intel's "lcall" instruction. */
134 lguest_entry.offset = (long)switch_to_guest + switcher_offset(); 216 lguest_entry.offset = (long)switch_to_guest + switcher_offset();
135 lguest_entry.segment = LGUEST_CS; 217 lguest_entry.segment = LGUEST_CS;
136 218
137 printk(KERN_INFO "lguest: mapped switcher at %p\n", 219 printk(KERN_INFO "lguest: mapped switcher at %p\n",
138 switcher_vma->addr); 220 switcher_vma->addr);
221 /* And we succeeded... */
139 return 0; 222 return 0;
140 223
141free_vma: 224free_vma:
@@ -149,35 +232,58 @@ free_some_pages:
149out: 232out:
150 return err; 233 return err;
151} 234}
235/*:*/
152 236
237/* Cleaning up the mapping when the module is unloaded is almost...
238 * too easy. */
153static void unmap_switcher(void) 239static void unmap_switcher(void)
154{ 240{
155 unsigned int i; 241 unsigned int i;
156 242
243 /* vunmap() undoes *both* map_vm_area() and __get_vm_area(). */
157 vunmap(switcher_vma->addr); 244 vunmap(switcher_vma->addr);
245 /* Now we just need to free the pages we copied the switcher into */
158 for (i = 0; i < TOTAL_SWITCHER_PAGES; i++) 246 for (i = 0; i < TOTAL_SWITCHER_PAGES; i++)
159 __free_pages(switcher_page[i], 0); 247 __free_pages(switcher_page[i], 0);
160} 248}
161 249
162/* IN/OUT insns: enough to get us past boot-time probing. */ 250/*H:130 Our Guest is usually so well behaved; it never tries to do things it
251 * isn't allowed to. Unfortunately, "struct paravirt_ops" isn't quite
252 * complete, because it doesn't contain replacements for the Intel I/O
253 * instructions. As a result, the Guest sometimes fumbles across one during
254 * the boot process as it probes for various things which are usually attached
255 * to a PC.
256 *
257 * When the Guest uses one of these instructions, we get trap #13 (General
258 * Protection Fault) and come here. We see if it's one of those troublesome
259 * instructions and skip over it. We return true if we did. */
163static int emulate_insn(struct lguest *lg) 260static int emulate_insn(struct lguest *lg)
164{ 261{
165 u8 insn; 262 u8 insn;
166 unsigned int insnlen = 0, in = 0, shift = 0; 263 unsigned int insnlen = 0, in = 0, shift = 0;
264 /* The eip contains the *virtual* address of the Guest's instruction:
265 * guest_pa just subtracts the Guest's page_offset. */
167 unsigned long physaddr = guest_pa(lg, lg->regs->eip); 266 unsigned long physaddr = guest_pa(lg, lg->regs->eip);
168 267
169 /* This only works for addresses in linear mapping... */ 268 /* The guest_pa() function only works for Guest kernel addresses, but
269 * that's all we're trying to do anyway. */
170 if (lg->regs->eip < lg->page_offset) 270 if (lg->regs->eip < lg->page_offset)
171 return 0; 271 return 0;
272
273 /* Decoding x86 instructions is icky. */
172 lgread(lg, &insn, physaddr, 1); 274 lgread(lg, &insn, physaddr, 1);
173 275
174 /* Operand size prefix means it's actually for ax. */ 276 /* 0x66 is an "operand prefix". It means it's using the upper 16 bits
277 of the eax register. */
175 if (insn == 0x66) { 278 if (insn == 0x66) {
176 shift = 16; 279 shift = 16;
280 /* The instruction is 1 byte so far, read the next byte. */
177 insnlen = 1; 281 insnlen = 1;
178 lgread(lg, &insn, physaddr + insnlen, 1); 282 lgread(lg, &insn, physaddr + insnlen, 1);
179 } 283 }
180 284
285 /* We can ignore the lower bit for the moment and decode the 4 opcodes
286 * we need to emulate. */
181 switch (insn & 0xFE) { 287 switch (insn & 0xFE) {
182 case 0xE4: /* in <next byte>,%al */ 288 case 0xE4: /* in <next byte>,%al */
183 insnlen += 2; 289 insnlen += 2;
@@ -194,9 +300,13 @@ static int emulate_insn(struct lguest *lg)
194 insnlen += 1; 300 insnlen += 1;
195 break; 301 break;
196 default: 302 default:
303 /* OK, we don't know what this is, can't emulate. */
197 return 0; 304 return 0;
198 } 305 }
199 306
307 /* If it was an "IN" instruction, they expect the result to be read
308 * into %eax, so we change %eax. We always return all-ones, which
309 * traditionally means "there's nothing there". */
200 if (in) { 310 if (in) {
201 /* Lower bit tells is whether it's a 16 or 32 bit access */ 311 /* Lower bit tells is whether it's a 16 or 32 bit access */
202 if (insn & 0x1) 312 if (insn & 0x1)
@@ -204,9 +314,12 @@ static int emulate_insn(struct lguest *lg)
204 else 314 else
205 lg->regs->eax |= (0xFFFF << shift); 315 lg->regs->eax |= (0xFFFF << shift);
206 } 316 }
317 /* Finally, we've "done" the instruction, so move past it. */
207 lg->regs->eip += insnlen; 318 lg->regs->eip += insnlen;
319 /* Success! */
208 return 1; 320 return 1;
209} 321}
322/*:*/
210 323
211/*L:305 324/*L:305
212 * Dealing With Guest Memory. 325 * Dealing With Guest Memory.
@@ -321,13 +434,24 @@ static void run_guest_once(struct lguest *lg, struct lguest_pages *pages)
321 : "memory", "%edx", "%ecx", "%edi", "%esi"); 434 : "memory", "%edx", "%ecx", "%edi", "%esi");
322} 435}
323 436
437/*H:030 Let's jump straight to the the main loop which runs the Guest.
438 * Remember, this is called by the Launcher reading /dev/lguest, and we keep
439 * going around and around until something interesting happens. */
324int run_guest(struct lguest *lg, unsigned long __user *user) 440int run_guest(struct lguest *lg, unsigned long __user *user)
325{ 441{
442 /* We stop running once the Guest is dead. */
326 while (!lg->dead) { 443 while (!lg->dead) {
444 /* We need to initialize this, otherwise gcc complains. It's
445 * not (yet) clever enough to see that it's initialized when we
446 * need it. */
327 unsigned int cr2 = 0; /* Damn gcc */ 447 unsigned int cr2 = 0; /* Damn gcc */
328 448
329 /* Hypercalls first: we might have been out to userspace */ 449 /* First we run any hypercalls the Guest wants done: either in
450 * the hypercall ring in "struct lguest_data", or directly by
451 * using int 31 (LGUEST_TRAP_ENTRY). */
330 do_hypercalls(lg); 452 do_hypercalls(lg);
453 /* It's possible the Guest did a SEND_DMA hypercall to the
454 * Launcher, in which case we return from the read() now. */
331 if (lg->dma_is_pending) { 455 if (lg->dma_is_pending) {
332 if (put_user(lg->pending_dma, user) || 456 if (put_user(lg->pending_dma, user) ||
333 put_user(lg->pending_key, user+1)) 457 put_user(lg->pending_key, user+1))
@@ -335,6 +459,7 @@ int run_guest(struct lguest *lg, unsigned long __user *user)
335 return sizeof(unsigned long)*2; 459 return sizeof(unsigned long)*2;
336 } 460 }
337 461
462 /* Check for signals */
338 if (signal_pending(current)) 463 if (signal_pending(current))
339 return -ERESTARTSYS; 464 return -ERESTARTSYS;
340 465
@@ -342,77 +467,154 @@ int run_guest(struct lguest *lg, unsigned long __user *user)
342 if (lg->break_out) 467 if (lg->break_out)
343 return -EAGAIN; 468 return -EAGAIN;
344 469
470 /* Check if there are any interrupts which can be delivered
471 * now: if so, this sets up the hander to be executed when we
472 * next run the Guest. */
345 maybe_do_interrupt(lg); 473 maybe_do_interrupt(lg);
346 474
475 /* All long-lived kernel loops need to check with this horrible
476 * thing called the freezer. If the Host is trying to suspend,
477 * it stops us. */
347 try_to_freeze(); 478 try_to_freeze();
348 479
480 /* Just make absolutely sure the Guest is still alive. One of
481 * those hypercalls could have been fatal, for example. */
349 if (lg->dead) 482 if (lg->dead)
350 break; 483 break;
351 484
485 /* If the Guest asked to be stopped, we sleep. The Guest's
486 * clock timer or LHCALL_BREAK from the Waker will wake us. */
352 if (lg->halted) { 487 if (lg->halted) {
353 set_current_state(TASK_INTERRUPTIBLE); 488 set_current_state(TASK_INTERRUPTIBLE);
354 schedule(); 489 schedule();
355 continue; 490 continue;
356 } 491 }
357 492
493 /* OK, now we're ready to jump into the Guest. First we put up
494 * the "Do Not Disturb" sign: */
358 local_irq_disable(); 495 local_irq_disable();
359 496
360 /* Even if *we* don't want FPU trap, guest might... */ 497 /* Remember the awfully-named TS bit? If the Guest has asked
498 * to set it we set it now, so we can trap and pass that trap
499 * to the Guest if it uses the FPU. */
361 if (lg->ts) 500 if (lg->ts)
362 set_ts(); 501 set_ts();
363 502
364 /* Don't let Guest do SYSENTER: we can't handle it. */ 503 /* SYSENTER is an optimized way of doing system calls. We
504 * can't allow it because it always jumps to privilege level 0.
505 * A normal Guest won't try it because we don't advertise it in
506 * CPUID, but a malicious Guest (or malicious Guest userspace
507 * program) could, so we tell the CPU to disable it before
508 * running the Guest. */
365 if (boot_cpu_has(X86_FEATURE_SEP)) 509 if (boot_cpu_has(X86_FEATURE_SEP))
366 wrmsr(MSR_IA32_SYSENTER_CS, 0, 0); 510 wrmsr(MSR_IA32_SYSENTER_CS, 0, 0);
367 511
512 /* Now we actually run the Guest. It will pop back out when
513 * something interesting happens, and we can examine its
514 * registers to see what it was doing. */
368 run_guest_once(lg, lguest_pages(raw_smp_processor_id())); 515 run_guest_once(lg, lguest_pages(raw_smp_processor_id()));
369 516
370 /* Save cr2 now if we page-faulted. */ 517 /* The "regs" pointer contains two extra entries which are not
518 * really registers: a trap number which says what interrupt or
519 * trap made the switcher code come back, and an error code
520 * which some traps set. */
521
522 /* If the Guest page faulted, then the cr2 register will tell
523 * us the bad virtual address. We have to grab this now,
524 * because once we re-enable interrupts an interrupt could
525 * fault and thus overwrite cr2, or we could even move off to a
526 * different CPU. */
371 if (lg->regs->trapnum == 14) 527 if (lg->regs->trapnum == 14)
372 cr2 = read_cr2(); 528 cr2 = read_cr2();
529 /* Similarly, if we took a trap because the Guest used the FPU,
530 * we have to restore the FPU it expects to see. */
373 else if (lg->regs->trapnum == 7) 531 else if (lg->regs->trapnum == 7)
374 math_state_restore(); 532 math_state_restore();
375 533
534 /* Restore SYSENTER if it's supposed to be on. */
376 if (boot_cpu_has(X86_FEATURE_SEP)) 535 if (boot_cpu_has(X86_FEATURE_SEP))
377 wrmsr(MSR_IA32_SYSENTER_CS, __KERNEL_CS, 0); 536 wrmsr(MSR_IA32_SYSENTER_CS, __KERNEL_CS, 0);
537
538 /* Now we're ready to be interrupted or moved to other CPUs */
378 local_irq_enable(); 539 local_irq_enable();
379 540
541 /* OK, so what happened? */
380 switch (lg->regs->trapnum) { 542 switch (lg->regs->trapnum) {
381 case 13: /* We've intercepted a GPF. */ 543 case 13: /* We've intercepted a GPF. */
544 /* Check if this was one of those annoying IN or OUT
545 * instructions which we need to emulate. If so, we
546 * just go back into the Guest after we've done it. */
382 if (lg->regs->errcode == 0) { 547 if (lg->regs->errcode == 0) {
383 if (emulate_insn(lg)) 548 if (emulate_insn(lg))
384 continue; 549 continue;
385 } 550 }
386 break; 551 break;
387 case 14: /* We've intercepted a page fault. */ 552 case 14: /* We've intercepted a page fault. */
553 /* The Guest accessed a virtual address that wasn't
554 * mapped. This happens a lot: we don't actually set
555 * up most of the page tables for the Guest at all when
556 * we start: as it runs it asks for more and more, and
557 * we set them up as required. In this case, we don't
558 * even tell the Guest that the fault happened.
559 *
560 * The errcode tells whether this was a read or a
561 * write, and whether kernel or userspace code. */
388 if (demand_page(lg, cr2, lg->regs->errcode)) 562 if (demand_page(lg, cr2, lg->regs->errcode))
389 continue; 563 continue;
390 564
391 /* If lguest_data is NULL, this won't hurt. */ 565 /* OK, it's really not there (or not OK): the Guest
566 * needs to know. We write out the cr2 value so it
567 * knows where the fault occurred.
568 *
569 * Note that if the Guest were really messed up, this
570 * could happen before it's done the INITIALIZE
571 * hypercall, so lg->lguest_data will be NULL, so
572 * &lg->lguest_data->cr2 will be address 8. Writing
573 * into that address won't hurt the Host at all,
574 * though. */
392 if (put_user(cr2, &lg->lguest_data->cr2)) 575 if (put_user(cr2, &lg->lguest_data->cr2))
393 kill_guest(lg, "Writing cr2"); 576 kill_guest(lg, "Writing cr2");
394 break; 577 break;
395 case 7: /* We've intercepted a Device Not Available fault. */ 578 case 7: /* We've intercepted a Device Not Available fault. */
396 /* If they don't want to know, just absorb it. */ 579 /* If the Guest doesn't want to know, we already
580 * restored the Floating Point Unit, so we just
581 * continue without telling it. */
397 if (!lg->ts) 582 if (!lg->ts)
398 continue; 583 continue;
399 break; 584 break;
400 case 32 ... 255: /* Real interrupt, fall thru */ 585 case 32 ... 255:
586 /* These values mean a real interrupt occurred, in
587 * which case the Host handler has already been run.
588 * We just do a friendly check if another process
589 * should now be run, then fall through to loop
590 * around: */
401 cond_resched(); 591 cond_resched();
402 case LGUEST_TRAP_ENTRY: /* Handled at top of loop */ 592 case LGUEST_TRAP_ENTRY: /* Handled at top of loop */
403 continue; 593 continue;
404 } 594 }
405 595
596 /* If we get here, it's a trap the Guest wants to know
597 * about. */
406 if (deliver_trap(lg, lg->regs->trapnum)) 598 if (deliver_trap(lg, lg->regs->trapnum))
407 continue; 599 continue;
408 600
601 /* If the Guest doesn't have a handler (either it hasn't
602 * registered any yet, or it's one of the faults we don't let
603 * it handle), it dies with a cryptic error message. */
409 kill_guest(lg, "unhandled trap %li at %#lx (%#lx)", 604 kill_guest(lg, "unhandled trap %li at %#lx (%#lx)",
410 lg->regs->trapnum, lg->regs->eip, 605 lg->regs->trapnum, lg->regs->eip,
411 lg->regs->trapnum == 14 ? cr2 : lg->regs->errcode); 606 lg->regs->trapnum == 14 ? cr2 : lg->regs->errcode);
412 } 607 }
608 /* The Guest is dead => "No such file or directory" */
413 return -ENOENT; 609 return -ENOENT;
414} 610}
415 611
612/* Now we can look at each of the routines this calls, in increasing order of
613 * complexity: do_hypercalls(), emulate_insn(), maybe_do_interrupt(),
614 * deliver_trap() and demand_page(). After all those, we'll be ready to
615 * examine the Switcher, and our philosophical understanding of the Host/Guest
616 * duality will be complete. :*/
617
416int find_free_guest(void) 618int find_free_guest(void)
417{ 619{
418 unsigned int i; 620 unsigned int i;
@@ -430,55 +632,96 @@ static void adjust_pge(void *on)
430 write_cr4(read_cr4() & ~X86_CR4_PGE); 632 write_cr4(read_cr4() & ~X86_CR4_PGE);
431} 633}
432 634
635/*H:000
636 * Welcome to the Host!
637 *
638 * By this point your brain has been tickled by the Guest code and numbed by
639 * the Launcher code; prepare for it to be stretched by the Host code. This is
640 * the heart. Let's begin at the initialization routine for the Host's lg
641 * module.
642 */
433static int __init init(void) 643static int __init init(void)
434{ 644{
435 int err; 645 int err;
436 646
647 /* Lguest can't run under Xen, VMI or itself. It does Tricky Stuff. */
437 if (paravirt_enabled()) { 648 if (paravirt_enabled()) {
438 printk("lguest is afraid of %s\n", paravirt_ops.name); 649 printk("lguest is afraid of %s\n", paravirt_ops.name);
439 return -EPERM; 650 return -EPERM;
440 } 651 }
441 652
653 /* First we put the Switcher up in very high virtual memory. */
442 err = map_switcher(); 654 err = map_switcher();
443 if (err) 655 if (err)
444 return err; 656 return err;
445 657
658 /* Now we set up the pagetable implementation for the Guests. */
446 err = init_pagetables(switcher_page, SHARED_SWITCHER_PAGES); 659 err = init_pagetables(switcher_page, SHARED_SWITCHER_PAGES);
447 if (err) { 660 if (err) {
448 unmap_switcher(); 661 unmap_switcher();
449 return err; 662 return err;
450 } 663 }
664
665 /* The I/O subsystem needs some things initialized. */
451 lguest_io_init(); 666 lguest_io_init();
452 667
668 /* /dev/lguest needs to be registered. */
453 err = lguest_device_init(); 669 err = lguest_device_init();
454 if (err) { 670 if (err) {
455 free_pagetables(); 671 free_pagetables();
456 unmap_switcher(); 672 unmap_switcher();
457 return err; 673 return err;
458 } 674 }
675
676 /* Finally, we need to turn off "Page Global Enable". PGE is an
677 * optimization where page table entries are specially marked to show
678 * they never change. The Host kernel marks all the kernel pages this
679 * way because it's always present, even when userspace is running.
680 *
681 * Lguest breaks this: unbeknownst to the rest of the Host kernel, we
682 * switch to the Guest kernel. If you don't disable this on all CPUs,
683 * you'll get really weird bugs that you'll chase for two days.
684 *
685 * I used to turn PGE off every time we switched to the Guest and back
686 * on when we return, but that slowed the Switcher down noticibly. */
687
688 /* We don't need the complexity of CPUs coming and going while we're
689 * doing this. */
459 lock_cpu_hotplug(); 690 lock_cpu_hotplug();
460 if (cpu_has_pge) { /* We have a broader idea of "global". */ 691 if (cpu_has_pge) { /* We have a broader idea of "global". */
692 /* Remember that this was originally set (for cleanup). */
461 cpu_had_pge = 1; 693 cpu_had_pge = 1;
694 /* adjust_pge is a helper function which sets or unsets the PGE
695 * bit on its CPU, depending on the argument (0 == unset). */
462 on_each_cpu(adjust_pge, (void *)0, 0, 1); 696 on_each_cpu(adjust_pge, (void *)0, 0, 1);
697 /* Turn off the feature in the global feature set. */
463 clear_bit(X86_FEATURE_PGE, boot_cpu_data.x86_capability); 698 clear_bit(X86_FEATURE_PGE, boot_cpu_data.x86_capability);
464 } 699 }
465 unlock_cpu_hotplug(); 700 unlock_cpu_hotplug();
701
702 /* All good! */
466 return 0; 703 return 0;
467} 704}
468 705
706/* Cleaning up is just the same code, backwards. With a little French. */
469static void __exit fini(void) 707static void __exit fini(void)
470{ 708{
471 lguest_device_remove(); 709 lguest_device_remove();
472 free_pagetables(); 710 free_pagetables();
473 unmap_switcher(); 711 unmap_switcher();
712
713 /* If we had PGE before we started, turn it back on now. */
474 lock_cpu_hotplug(); 714 lock_cpu_hotplug();
475 if (cpu_had_pge) { 715 if (cpu_had_pge) {
476 set_bit(X86_FEATURE_PGE, boot_cpu_data.x86_capability); 716 set_bit(X86_FEATURE_PGE, boot_cpu_data.x86_capability);
717 /* adjust_pge's argument "1" means set PGE. */
477 on_each_cpu(adjust_pge, (void *)1, 0, 1); 718 on_each_cpu(adjust_pge, (void *)1, 0, 1);
478 } 719 }
479 unlock_cpu_hotplug(); 720 unlock_cpu_hotplug();
480} 721}
481 722
723/* The Host side of lguest can be a module. This is a nice way for people to
724 * play with it. */
482module_init(init); 725module_init(init);
483module_exit(fini); 726module_exit(fini);
484MODULE_LICENSE("GPL"); 727MODULE_LICENSE("GPL");
diff --git a/drivers/lguest/hypercalls.c b/drivers/lguest/hypercalls.c
index fb546b04644..7a5299f9679 100644
--- a/drivers/lguest/hypercalls.c
+++ b/drivers/lguest/hypercalls.c
@@ -28,37 +28,63 @@
28#include <irq_vectors.h> 28#include <irq_vectors.h>
29#include "lg.h" 29#include "lg.h"
30 30
31/*H:120 This is the core hypercall routine: where the Guest gets what it
32 * wants. Or gets killed. Or, in the case of LHCALL_CRASH, both.
33 *
34 * Remember from the Guest: %eax == which call to make, and the arguments are
35 * packed into %edx, %ebx and %ecx if needed. */
31static void do_hcall(struct lguest *lg, struct lguest_regs *regs) 36static void do_hcall(struct lguest *lg, struct lguest_regs *regs)
32{ 37{
33 switch (regs->eax) { 38 switch (regs->eax) {
34 case LHCALL_FLUSH_ASYNC: 39 case LHCALL_FLUSH_ASYNC:
40 /* This call does nothing, except by breaking out of the Guest
41 * it makes us process all the asynchronous hypercalls. */
35 break; 42 break;
36 case LHCALL_LGUEST_INIT: 43 case LHCALL_LGUEST_INIT:
44 /* You can't get here unless you're already initialized. Don't
45 * do that. */
37 kill_guest(lg, "already have lguest_data"); 46 kill_guest(lg, "already have lguest_data");
38 break; 47 break;
39 case LHCALL_CRASH: { 48 case LHCALL_CRASH: {
49 /* Crash is such a trivial hypercall that we do it in four
50 * lines right here. */
40 char msg[128]; 51 char msg[128];
52 /* If the lgread fails, it will call kill_guest() itself; the
53 * kill_guest() with the message will be ignored. */
41 lgread(lg, msg, regs->edx, sizeof(msg)); 54 lgread(lg, msg, regs->edx, sizeof(msg));
42 msg[sizeof(msg)-1] = '\0'; 55 msg[sizeof(msg)-1] = '\0';
43 kill_guest(lg, "CRASH: %s", msg); 56 kill_guest(lg, "CRASH: %s", msg);
44 break; 57 break;
45 } 58 }
46 case LHCALL_FLUSH_TLB: 59 case LHCALL_FLUSH_TLB:
60 /* FLUSH_TLB comes in two flavors, depending on the
61 * argument: */
47 if (regs->edx) 62 if (regs->edx)
48 guest_pagetable_clear_all(lg); 63 guest_pagetable_clear_all(lg);
49 else 64 else
50 guest_pagetable_flush_user(lg); 65 guest_pagetable_flush_user(lg);
51 break; 66 break;
52 case LHCALL_GET_WALLCLOCK: { 67 case LHCALL_GET_WALLCLOCK: {
68 /* The Guest wants to know the real time in seconds since 1970,
69 * in good Unix tradition. */
53 struct timespec ts; 70 struct timespec ts;
54 ktime_get_real_ts(&ts); 71 ktime_get_real_ts(&ts);
55 regs->eax = ts.tv_sec; 72 regs->eax = ts.tv_sec;
56 break; 73 break;
57 } 74 }
58 case LHCALL_BIND_DMA: 75 case LHCALL_BIND_DMA:
76 /* BIND_DMA really wants four arguments, but it's the only call
77 * which does. So the Guest packs the number of buffers and
78 * the interrupt number into the final argument, and we decode
79 * it here. This can legitimately fail, since we currently
80 * place a limit on the number of DMA pools a Guest can have.
81 * So we return true or false from this call. */
59 regs->eax = bind_dma(lg, regs->edx, regs->ebx, 82 regs->eax = bind_dma(lg, regs->edx, regs->ebx,
60 regs->ecx >> 8, regs->ecx & 0xFF); 83 regs->ecx >> 8, regs->ecx & 0xFF);
61 break; 84 break;
85
86 /* All these calls simply pass the arguments through to the right
87 * routines. */
62 case LHCALL_SEND_DMA: 88 case LHCALL_SEND_DMA:
63 send_dma(lg, regs->edx, regs->ebx); 89 send_dma(lg, regs->edx, regs->ebx);
64 break; 90 break;
@@ -86,10 +112,13 @@ static void do_hcall(struct lguest *lg, struct lguest_regs *regs)
86 case LHCALL_SET_CLOCKEVENT: 112 case LHCALL_SET_CLOCKEVENT:
87 guest_set_clockevent(lg, regs->edx); 113 guest_set_clockevent(lg, regs->edx);
88 break; 114 break;
115
89 case LHCALL_TS: 116 case LHCALL_TS:
117 /* This sets the TS flag, as we saw used in run_guest(). */
90 lg->ts = regs->edx; 118 lg->ts = regs->edx;
91 break; 119 break;
92 case LHCALL_HALT: 120 case LHCALL_HALT:
121 /* Similarly, this sets the halted flag for run_guest(). */
93 lg->halted = 1; 122 lg->halted = 1;
94 break; 123 break;
95 default: 124 default:
@@ -97,25 +126,42 @@ static void do_hcall(struct lguest *lg, struct lguest_regs *regs)
97 } 126 }
98} 127}
99 128
100/* We always do queued calls before actual hypercall. */ 129/* Asynchronous hypercalls are easy: we just look in the array in the Guest's
130 * "struct lguest_data" and see if there are any new ones marked "ready".
131 *
132 * We are careful to do these in order: obviously we respect the order the
133 * Guest put them in the ring, but we also promise the Guest that they will
134 * happen before any normal hypercall (which is why we check this before
135 * checking for a normal hcall). */
101static void do_async_hcalls(struct lguest *lg) 136static void do_async_hcalls(struct lguest *lg)
102{ 137{
103 unsigned int i; 138 unsigned int i;
104 u8 st[LHCALL_RING_SIZE]; 139 u8 st[LHCALL_RING_SIZE];
105 140
141 /* For simplicity, we copy the entire call status array in at once. */
106 if (copy_from_user(&st, &lg->lguest_data->hcall_status, sizeof(st))) 142 if (copy_from_user(&st, &lg->lguest_data->hcall_status, sizeof(st)))
107 return; 143 return;
108 144
145
146 /* We process "struct lguest_data"s hcalls[] ring once. */
109 for (i = 0; i < ARRAY_SIZE(st); i++) { 147 for (i = 0; i < ARRAY_SIZE(st); i++) {
110 struct lguest_regs regs; 148 struct lguest_regs regs;
149 /* We remember where we were up to from last time. This makes
150 * sure that the hypercalls are done in the order the Guest
151 * places them in the ring. */
111 unsigned int n = lg->next_hcall; 152 unsigned int n = lg->next_hcall;
112 153
154 /* 0xFF means there's no call here (yet). */
113 if (st[n] == 0xFF) 155 if (st[n] == 0xFF)
114 break; 156 break;
115 157
158 /* OK, we have hypercall. Increment the "next_hcall" cursor,
159 * and wrap back to 0 if we reach the end. */
116 if (++lg->next_hcall == LHCALL_RING_SIZE) 160 if (++lg->next_hcall == LHCALL_RING_SIZE)
117 lg->next_hcall = 0; 161 lg->next_hcall = 0;
118 162
163 /* We copy the hypercall arguments into a fake register
164 * structure. This makes life simple for do_hcall(). */
119 if (get_user(regs.eax, &lg->lguest_data->hcalls[n].eax) 165 if (get_user(regs.eax, &lg->lguest_data->hcalls[n].eax)
120 || get_user(regs.edx, &lg->lguest_data->hcalls[n].edx) 166 || get_user(regs.edx, &lg->lguest_data->hcalls[n].edx)
121 || get_user(regs.ecx, &lg->lguest_data->hcalls[n].ecx) 167 || get_user(regs.ecx, &lg->lguest_data->hcalls[n].ecx)
@@ -124,74 +170,126 @@ static void do_async_hcalls(struct lguest *lg)
124 break; 170 break;
125 } 171 }
126 172
173 /* Do the hypercall, same as a normal one. */
127 do_hcall(lg, &regs); 174 do_hcall(lg, &regs);
175
176 /* Mark the hypercall done. */
128 if (put_user(0xFF, &lg->lguest_data->hcall_status[n])) { 177 if (put_user(0xFF, &lg->lguest_data->hcall_status[n])) {
129 kill_guest(lg, "Writing result for async hypercall"); 178 kill_guest(lg, "Writing result for async hypercall");
130 break; 179 break;
131 } 180 }
132 181
182 /* Stop doing hypercalls if we've just done a DMA to the
183 * Launcher: it needs to service this first. */
133 if (lg->dma_is_pending) 184 if (lg->dma_is_pending)
134 break; 185 break;
135 } 186 }
136} 187}
137 188
189/* Last of all, we look at what happens first of all. The very first time the
190 * Guest makes a hypercall, we end up here to set things up: */
138static void initialize(struct lguest *lg) 191static void initialize(struct lguest *lg)
139{ 192{
140 u32 tsc_speed; 193 u32 tsc_speed;
141 194
195 /* You can't do anything until you're initialized. The Guest knows the
196 * rules, so we're unforgiving here. */
142 if (lg->regs->eax != LHCALL_LGUEST_INIT) { 197 if (lg->regs->eax != LHCALL_LGUEST_INIT) {
143 kill_guest(lg, "hypercall %li before LGUEST_INIT", 198 kill_guest(lg, "hypercall %li before LGUEST_INIT",
144 lg->regs->eax); 199 lg->regs->eax);
145 return; 200 return;
146 } 201 }
147 202
148 /* We only tell the guest to use the TSC if it's reliable. */ 203 /* We insist that the Time Stamp Counter exist and doesn't change with
204 * cpu frequency. Some devious chip manufacturers decided that TSC
205 * changes could be handled in software. I decided that time going
206 * backwards might be good for benchmarks, but it's bad for users.
207 *
208 * We also insist that the TSC be stable: the kernel detects unreliable
209 * TSCs for its own purposes, and we use that here. */
149 if (boot_cpu_has(X86_FEATURE_CONSTANT_TSC) && !check_tsc_unstable()) 210 if (boot_cpu_has(X86_FEATURE_CONSTANT_TSC) && !check_tsc_unstable())
150 tsc_speed = tsc_khz; 211 tsc_speed = tsc_khz;
151 else 212 else
152 tsc_speed = 0; 213 tsc_speed = 0;
153 214
215 /* The pointer to the Guest's "struct lguest_data" is the only
216 * argument. */
154 lg->lguest_data = (struct lguest_data __user *)lg->regs->edx; 217 lg->lguest_data = (struct lguest_data __user *)lg->regs->edx;
155 /* We check here so we can simply copy_to_user/from_user */ 218 /* If we check the address they gave is OK now, we can simply
219 * copy_to_user/from_user from now on rather than using lgread/lgwrite.
220 * I put this in to show that I'm not immune to writing stupid
221 * optimizations. */
156 if (!lguest_address_ok(lg, lg->regs->edx, sizeof(*lg->lguest_data))) { 222 if (!lguest_address_ok(lg, lg->regs->edx, sizeof(*lg->lguest_data))) {
157 kill_guest(lg, "bad guest page %p", lg->lguest_data); 223 kill_guest(lg, "bad guest page %p", lg->lguest_data);
158 return; 224 return;
159 } 225 }
226 /* The Guest tells us where we're not to deliver interrupts by putting
227 * the range of addresses into "struct lguest_data". */
160 if (get_user(lg->noirq_start, &lg->lguest_data->noirq_start) 228 if (get_user(lg->noirq_start, &lg->lguest_data->noirq_start)
161 || get_user(lg->noirq_end, &lg->lguest_data->noirq_end) 229 || get_user(lg->noirq_end, &lg->lguest_data->noirq_end)
162 /* We reserve the top pgd entry. */ 230 /* We tell the Guest that it can't use the top 4MB of virtual
231 * addresses used by the Switcher. */
163 || put_user(4U*1024*1024, &lg->lguest_data->reserve_mem) 232 || put_user(4U*1024*1024, &lg->lguest_data->reserve_mem)
164 || put_user(tsc_speed, &lg->lguest_data->tsc_khz) 233 || put_user(tsc_speed, &lg->lguest_data->tsc_khz)
234 /* We also give the Guest a unique id, as used in lguest_net.c. */
165 || put_user(lg->guestid, &lg->lguest_data->guestid)) 235 || put_user(lg->guestid, &lg->lguest_data->guestid))
166 kill_guest(lg, "bad guest page %p", lg->lguest_data); 236 kill_guest(lg, "bad guest page %p", lg->lguest_data);
167 237
168 /* This is the one case where the above accesses might have 238 /* This is the one case where the above accesses might have been the
169 * been the first write to a Guest page. This may have caused 239 * first write to a Guest page. This may have caused a copy-on-write
170 * a copy-on-write fault, but the Guest might be referring to 240 * fault, but the Guest might be referring to the old (read-only)
171 * the old (read-only) page. */ 241 * page. */
172 guest_pagetable_clear_all(lg); 242 guest_pagetable_clear_all(lg);
173} 243}
244/* Now we've examined the hypercall code; our Guest can make requests. There
245 * is one other way we can do things for the Guest, as we see in
246 * emulate_insn(). */
174 247
175/* Even if we go out to userspace and come back, we don't want to do 248/*H:110 Tricky point: we mark the hypercall as "done" once we've done it.
176 * the hypercall again. */ 249 * Normally we don't need to do this: the Guest will run again and update the
250 * trap number before we come back around the run_guest() loop to
251 * do_hypercalls().
252 *
253 * However, if we are signalled or the Guest sends DMA to the Launcher, that
254 * loop will exit without running the Guest. When it comes back it would try
255 * to re-run the hypercall. */
177static void clear_hcall(struct lguest *lg) 256static void clear_hcall(struct lguest *lg)
178{ 257{
179 lg->regs->trapnum = 255; 258 lg->regs->trapnum = 255;
180} 259}
181 260
261/*H:100
262 * Hypercalls
263 *
264 * Remember from the Guest, hypercalls come in two flavors: normal and
265 * asynchronous. This file handles both of types.
266 */
182void do_hypercalls(struct lguest *lg) 267void do_hypercalls(struct lguest *lg)
183{ 268{
269 /* Not initialized yet? */
184 if (unlikely(!lg->lguest_data)) { 270 if (unlikely(!lg->lguest_data)) {
271 /* Did the Guest make a hypercall? We might have come back for
272 * some other reason (an interrupt, a different trap). */
185 if (lg->regs->trapnum == LGUEST_TRAP_ENTRY) { 273 if (lg->regs->trapnum == LGUEST_TRAP_ENTRY) {
274 /* Set up the "struct lguest_data" */
186 initialize(lg); 275 initialize(lg);
276 /* The hypercall is done. */
187 clear_hcall(lg); 277 clear_hcall(lg);
188 } 278 }
189 return; 279 return;
190 } 280 }
191 281
282 /* The Guest has initialized.
283 *
284 * Look in the hypercall ring for the async hypercalls: */
192 do_async_hcalls(lg); 285 do_async_hcalls(lg);
286
287 /* If we stopped reading the hypercall ring because the Guest did a
288 * SEND_DMA to the Launcher, we want to return now. Otherwise if the
289 * Guest asked us to do a hypercall, we do it. */
193 if (!lg->dma_is_pending && lg->regs->trapnum == LGUEST_TRAP_ENTRY) { 290 if (!lg->dma_is_pending && lg->regs->trapnum == LGUEST_TRAP_ENTRY) {
194 do_hcall(lg, lg->regs); 291 do_hcall(lg, lg->regs);
292 /* The hypercall is done. */
195 clear_hcall(lg); 293 clear_hcall(lg);
196 } 294 }
197} 295}
diff --git a/drivers/lguest/interrupts_and_traps.c b/drivers/lguest/interrupts_and_traps.c
index b2647974e1a..3d983032264 100644
--- a/drivers/lguest/interrupts_and_traps.c
+++ b/drivers/lguest/interrupts_and_traps.c
@@ -14,100 +14,147 @@
14#include <linux/uaccess.h> 14#include <linux/uaccess.h>
15#include "lg.h" 15#include "lg.h"
16 16
17/* The address of the interrupt handler is split into two bits: */
17static unsigned long idt_address(u32 lo, u32 hi) 18static unsigned long idt_address(u32 lo, u32 hi)
18{ 19{
19 return (lo & 0x0000FFFF) | (hi & 0xFFFF0000); 20 return (lo & 0x0000FFFF) | (hi & 0xFFFF0000);
20} 21}
21 22
23/* The "type" of the interrupt handler is a 4 bit field: we only support a
24 * couple of types. */
22static int idt_type(u32 lo, u32 hi) 25static int idt_type(u32 lo, u32 hi)
23{ 26{
24 return (hi >> 8) & 0xF; 27 return (hi >> 8) & 0xF;
25} 28}
26 29
30/* An IDT entry can't be used unless the "present" bit is set. */
27static int idt_present(u32 lo, u32 hi) 31static int idt_present(u32 lo, u32 hi)
28{ 32{
29 return (hi & 0x8000); 33 return (hi & 0x8000);
30} 34}
31 35
36/* We need a helper to "push" a value onto the Guest's stack, since that's a
37 * big part of what delivering an interrupt does. */
32static void push_guest_stack(struct lguest *lg, unsigned long *gstack, u32 val) 38static void push_guest_stack(struct lguest *lg, unsigned long *gstack, u32 val)
33{ 39{
40 /* Stack grows upwards: move stack then write value. */
34 *gstack -= 4; 41 *gstack -= 4;
35 lgwrite_u32(lg, *gstack, val); 42 lgwrite_u32(lg, *gstack, val);
36} 43}
37 44
45/*H:210 The set_guest_interrupt() routine actually delivers the interrupt or
46 * trap. The mechanics of delivering traps and interrupts to the Guest are the
47 * same, except some traps have an "error code" which gets pushed onto the
48 * stack as well: the caller tells us if this is one.
49 *
50 * "lo" and "hi" are the two parts of the Interrupt Descriptor Table for this
51 * interrupt or trap. It's split into two parts for traditional reasons: gcc
52 * on i386 used to be frightened by 64 bit numbers.
53 *
54 * We set up the stack just like the CPU does for a real interrupt, so it's
55 * identical for the Guest (and the standard "iret" instruction will undo
56 * it). */
38static void set_guest_interrupt(struct lguest *lg, u32 lo, u32 hi, int has_err) 57static void set_guest_interrupt(struct lguest *lg, u32 lo, u32 hi, int has_err)
39{ 58{
40 unsigned long gstack; 59 unsigned long gstack;
41 u32 eflags, ss, irq_enable; 60 u32 eflags, ss, irq_enable;
42 61
43 /* If they want a ring change, we use new stack and push old ss/esp */ 62 /* There are two cases for interrupts: one where the Guest is already
63 * in the kernel, and a more complex one where the Guest is in
64 * userspace. We check the privilege level to find out. */
44 if ((lg->regs->ss&0x3) != GUEST_PL) { 65 if ((lg->regs->ss&0x3) != GUEST_PL) {
66 /* The Guest told us their kernel stack with the SET_STACK
67 * hypercall: both the virtual address and the segment */
45 gstack = guest_pa(lg, lg->esp1); 68 gstack = guest_pa(lg, lg->esp1);
46 ss = lg->ss1; 69 ss = lg->ss1;
70 /* We push the old stack segment and pointer onto the new
71 * stack: when the Guest does an "iret" back from the interrupt
72 * handler the CPU will notice they're dropping privilege
73 * levels and expect these here. */
47 push_guest_stack(lg, &gstack, lg->regs->ss); 74 push_guest_stack(lg, &gstack, lg->regs->ss);
48 push_guest_stack(lg, &gstack, lg->regs->esp); 75 push_guest_stack(lg, &gstack, lg->regs->esp);
49 } else { 76 } else {
77 /* We're staying on the same Guest (kernel) stack. */
50 gstack = guest_pa(lg, lg->regs->esp); 78 gstack = guest_pa(lg, lg->regs->esp);
51 ss = lg->regs->ss; 79 ss = lg->regs->ss;
52 } 80 }
53 81
54 /* We use IF bit in eflags to indicate whether irqs were enabled 82 /* Remember that we never let the Guest actually disable interrupts, so
55 (it's always 1, since irqs are enabled when guest is running). */ 83 * the "Interrupt Flag" bit is always set. We copy that bit from the
84 * Guest's "irq_enabled" field into the eflags word: the Guest copies
85 * it back in "lguest_iret". */
56 eflags = lg->regs->eflags; 86 eflags = lg->regs->eflags;
57 if (get_user(irq_enable, &lg->lguest_data->irq_enabled) == 0 87 if (get_user(irq_enable, &lg->lguest_data->irq_enabled) == 0
58 && !(irq_enable & X86_EFLAGS_IF)) 88 && !(irq_enable & X86_EFLAGS_IF))
59 eflags &= ~X86_EFLAGS_IF; 89 eflags &= ~X86_EFLAGS_IF;
60 90
91 /* An interrupt is expected to push three things on the stack: the old
92 * "eflags" word, the old code segment, and the old instruction
93 * pointer. */
61 push_guest_stack(lg, &gstack, eflags); 94 push_guest_stack(lg, &gstack, eflags);
62 push_guest_stack(lg, &gstack, lg->regs->cs); 95 push_guest_stack(lg, &gstack, lg->regs->cs);
63 push_guest_stack(lg, &gstack, lg->regs->eip); 96 push_guest_stack(lg, &gstack, lg->regs->eip);
64 97
98 /* For the six traps which supply an error code, we push that, too. */
65 if (has_err) 99 if (has_err)
66 push_guest_stack(lg, &gstack, lg->regs->errcode); 100 push_guest_stack(lg, &gstack, lg->regs->errcode);
67 101
68 /* Change the real stack so switcher returns to trap handler */ 102 /* Now we've pushed all the old state, we change the stack, the code
103 * segment and the address to execute. */
69 lg->regs->ss = ss; 104 lg->regs->ss = ss;
70 lg->regs->esp = gstack + lg->page_offset; 105 lg->regs->esp = gstack + lg->page_offset;
71 lg->regs->cs = (__KERNEL_CS|GUEST_PL); 106 lg->regs->cs = (__KERNEL_CS|GUEST_PL);
72 lg->regs->eip = idt_address(lo, hi); 107 lg->regs->eip = idt_address(lo, hi);
73 108
74 /* Disable interrupts for an interrupt gate. */ 109 /* There are two kinds of interrupt handlers: 0xE is an "interrupt
110 * gate" which expects interrupts to be disabled on entry. */
75 if (idt_type(lo, hi) == 0xE) 111 if (idt_type(lo, hi) == 0xE)
76 if (put_user(0, &lg->lguest_data->irq_enabled)) 112 if (put_user(0, &lg->lguest_data->irq_enabled))
77 kill_guest(lg, "Disabling interrupts"); 113 kill_guest(lg, "Disabling interrupts");
78} 114}
79 115
116/*H:200
117 * Virtual Interrupts.
118 *
119 * maybe_do_interrupt() gets called before every entry to the Guest, to see if
120 * we should divert the Guest to running an interrupt handler. */
80void maybe_do_interrupt(struct lguest *lg) 121void maybe_do_interrupt(struct lguest *lg)
81{ 122{
82 unsigned int irq; 123 unsigned int irq;
83 DECLARE_BITMAP(blk, LGUEST_IRQS); 124 DECLARE_BITMAP(blk, LGUEST_IRQS);
84 struct desc_struct *idt; 125 struct desc_struct *idt;
85 126
127 /* If the Guest hasn't even initialized yet, we can do nothing. */
86 if (!lg->lguest_data) 128 if (!lg->lguest_data)
87 return; 129 return;
88 130
89 /* Mask out any interrupts they have blocked. */ 131 /* Take our "irqs_pending" array and remove any interrupts the Guest
132 * wants blocked: the result ends up in "blk". */
90 if (copy_from_user(&blk, lg->lguest_data->blocked_interrupts, 133 if (copy_from_user(&blk, lg->lguest_data->blocked_interrupts,
91 sizeof(blk))) 134 sizeof(blk)))
92 return; 135 return;
93 136
94 bitmap_andnot(blk, lg->irqs_pending, blk, LGUEST_IRQS); 137 bitmap_andnot(blk, lg->irqs_pending, blk, LGUEST_IRQS);
95 138
139 /* Find the first interrupt. */
96 irq = find_first_bit(blk, LGUEST_IRQS); 140 irq = find_first_bit(blk, LGUEST_IRQS);
141 /* None? Nothing to do */
97 if (irq >= LGUEST_IRQS) 142 if (irq >= LGUEST_IRQS)
98 return; 143 return;
99 144
145 /* They may be in the middle of an iret, where they asked us never to
146 * deliver interrupts. */
100 if (lg->regs->eip >= lg->noirq_start && lg->regs->eip < lg->noirq_end) 147 if (lg->regs->eip >= lg->noirq_start && lg->regs->eip < lg->noirq_end)
101 return; 148 return;
102 149
103 /* If they're halted, we re-enable interrupts. */ 150 /* If they're halted, interrupts restart them. */
104 if (lg->halted) { 151 if (lg->halted) {
105 /* Re-enable interrupts. */ 152 /* Re-enable interrupts. */
106 if (put_user(X86_EFLAGS_IF, &lg->lguest_data->irq_enabled)) 153 if (put_user(X86_EFLAGS_IF, &lg->lguest_data->irq_enabled))
107 kill_guest(lg, "Re-enabling interrupts"); 154 kill_guest(lg, "Re-enabling interrupts");
108 lg->halted = 0; 155 lg->halted = 0;
109 } else { 156 } else {
110 /* Maybe they have interrupts disabled? */ 157 /* Otherwise we check if they have interrupts disabled. */
111 u32 irq_enabled; 158 u32 irq_enabled;
112 if (get_user(irq_enabled, &lg->lguest_data->irq_enabled)) 159 if (get_user(irq_enabled, &lg->lguest_data->irq_enabled))
113 irq_enabled = 0; 160 irq_enabled = 0;
@@ -115,112 +162,197 @@ void maybe_do_interrupt(struct lguest *lg)
115 return; 162 return;
116 } 163 }
117 164
165 /* Look at the IDT entry the Guest gave us for this interrupt. The
166 * first 32 (FIRST_EXTERNAL_VECTOR) entries are for traps, so we skip
167 * over them. */
118 idt = &lg->idt[FIRST_EXTERNAL_VECTOR+irq]; 168 idt = &lg->idt[FIRST_EXTERNAL_VECTOR+irq];
169 /* If they don't have a handler (yet?), we just ignore it */
119 if (idt_present(idt->a, idt->b)) { 170 if (idt_present(idt->a, idt->b)) {
171 /* OK, mark it no longer pending and deliver it. */
120 clear_bit(irq, lg->irqs_pending); 172 clear_bit(irq, lg->irqs_pending);
173 /* set_guest_interrupt() takes the interrupt descriptor and a
174 * flag to say whether this interrupt pushes an error code onto
175 * the stack as well: virtual interrupts never do. */
121 set_guest_interrupt(lg, idt->a, idt->b, 0); 176 set_guest_interrupt(lg, idt->a, idt->b, 0);
122 } 177 }
123} 178}
124 179
180/*H:220 Now we've got the routines to deliver interrupts, delivering traps
181 * like page fault is easy. The only trick is that Intel decided that some
182 * traps should have error codes: */
125static int has_err(unsigned int trap) 183static int has_err(unsigned int trap)
126{ 184{
127 return (trap == 8 || (trap >= 10 && trap <= 14) || trap == 17); 185 return (trap == 8 || (trap >= 10 && trap <= 14) || trap == 17);
128} 186}
129 187
188/* deliver_trap() returns true if it could deliver the trap. */
130int deliver_trap(struct lguest *lg, unsigned int num) 189int deliver_trap(struct lguest *lg, unsigned int num)
131{ 190{
132 u32 lo = lg->idt[num].a, hi = lg->idt[num].b; 191 u32 lo = lg->idt[num].a, hi = lg->idt[num].b;
133 192
193 /* Early on the Guest hasn't set the IDT entries (or maybe it put a
194 * bogus one in): if we fail here, the Guest will be killed. */
134 if (!idt_present(lo, hi)) 195 if (!idt_present(lo, hi))
135 return 0; 196 return 0;
136 set_guest_interrupt(lg, lo, hi, has_err(num)); 197 set_guest_interrupt(lg, lo, hi, has_err(num));
137 return 1; 198 return 1;
138} 199}
139 200
201/*H:250 Here's the hard part: returning to the Host every time a trap happens
202 * and then calling deliver_trap() and re-entering the Guest is slow.
203 * Particularly because Guest userspace system calls are traps (trap 128).
204 *
205 * So we'd like to set up the IDT to tell the CPU to deliver traps directly
206 * into the Guest. This is possible, but the complexities cause the size of
207 * this file to double! However, 150 lines of code is worth writing for taking
208 * system calls down from 1750ns to 270ns. Plus, if lguest didn't do it, all
209 * the other hypervisors would tease it.
210 *
211 * This routine determines if a trap can be delivered directly. */
140static int direct_trap(const struct lguest *lg, 212static int direct_trap(const struct lguest *lg,
141 const struct desc_struct *trap, 213 const struct desc_struct *trap,
142 unsigned int num) 214 unsigned int num)
143{ 215{
144 /* Hardware interrupts don't go to guest (except syscall). */ 216 /* Hardware interrupts don't go to the Guest at all (except system
217 * call). */
145 if (num >= FIRST_EXTERNAL_VECTOR && num != SYSCALL_VECTOR) 218 if (num >= FIRST_EXTERNAL_VECTOR && num != SYSCALL_VECTOR)
146 return 0; 219 return 0;
147 220
148 /* We intercept page fault (demand shadow paging & cr2 saving) 221 /* The Host needs to see page faults (for shadow paging and to save the
149 protection fault (in/out emulation) and device not 222 * fault address), general protection faults (in/out emulation) and
150 available (TS handling), and hypercall */ 223 * device not available (TS handling), and of course, the hypercall
224 * trap. */
151 if (num == 14 || num == 13 || num == 7 || num == LGUEST_TRAP_ENTRY) 225 if (num == 14 || num == 13 || num == 7 || num == LGUEST_TRAP_ENTRY)
152 return 0; 226 return 0;
153 227
154 /* Interrupt gates (0xE) or not present (0x0) can't go direct. */ 228 /* Only trap gates (type 15) can go direct to the Guest. Interrupt
229 * gates (type 14) disable interrupts as they are entered, which we
230 * never let the Guest do. Not present entries (type 0x0) also can't
231 * go direct, of course 8) */
155 return idt_type(trap->a, trap->b) == 0xF; 232 return idt_type(trap->a, trap->b) == 0xF;
156} 233}
157 234
235/*H:260 When we make traps go directly into the Guest, we need to make sure
236 * the kernel stack is valid (ie. mapped in the page tables). Otherwise, the
237 * CPU trying to deliver the trap will fault while trying to push the interrupt
238 * words on the stack: this is called a double fault, and it forces us to kill
239 * the Guest.
240 *
241 * Which is deeply unfair, because (literally!) it wasn't the Guests' fault. */
158void pin_stack_pages(struct lguest *lg) 242void pin_stack_pages(struct lguest *lg)
159{ 243{
160 unsigned int i; 244 unsigned int i;
161 245
246 /* Depending on the CONFIG_4KSTACKS option, the Guest can have one or
247 * two pages of stack space. */
162 for (i = 0; i < lg->stack_pages; i++) 248 for (i = 0; i < lg->stack_pages; i++)
249 /* The stack grows *upwards*, hence the subtraction */
163 pin_page(lg, lg->esp1 - i * PAGE_SIZE); 250 pin_page(lg, lg->esp1 - i * PAGE_SIZE);
164} 251}
165 252
253/* Direct traps also mean that we need to know whenever the Guest wants to use
254 * a different kernel stack, so we can change the IDT entries to use that
255 * stack. The IDT entries expect a virtual address, so unlike most addresses
256 * the Guest gives us, the "esp" (stack pointer) value here is virtual, not
257 * physical.
258 *
259 * In Linux each process has its own kernel stack, so this happens a lot: we
260 * change stacks on each context switch. */
166void guest_set_stack(struct lguest *lg, u32 seg, u32 esp, unsigned int pages) 261void guest_set_stack(struct lguest *lg, u32 seg, u32 esp, unsigned int pages)
167{ 262{
168 /* You cannot have a stack segment with priv level 0. */ 263 /* You are not allowd have a stack segment with privilege level 0: bad
264 * Guest! */
169 if ((seg & 0x3) != GUEST_PL) 265 if ((seg & 0x3) != GUEST_PL)
170 kill_guest(lg, "bad stack segment %i", seg); 266 kill_guest(lg, "bad stack segment %i", seg);
267 /* We only expect one or two stack pages. */
171 if (pages > 2) 268 if (pages > 2)
172 kill_guest(lg, "bad stack pages %u", pages); 269 kill_guest(lg, "bad stack pages %u", pages);
270 /* Save where the stack is, and how many pages */
173 lg->ss1 = seg; 271 lg->ss1 = seg;
174 lg->esp1 = esp; 272 lg->esp1 = esp;
175 lg->stack_pages = pages; 273 lg->stack_pages = pages;
274 /* Make sure the new stack pages are mapped */
176 pin_stack_pages(lg); 275 pin_stack_pages(lg);
177} 276}
178 277
179/* Set up trap in IDT. */ 278/* All this reference to mapping stacks leads us neatly into the other complex
279 * part of the Host: page table handling. */
280
281/*H:235 This is the routine which actually checks the Guest's IDT entry and
282 * transfers it into our entry in "struct lguest": */
180static void set_trap(struct lguest *lg, struct desc_struct *trap, 283static void set_trap(struct lguest *lg, struct desc_struct *trap,
181 unsigned int num, u32 lo, u32 hi) 284 unsigned int num, u32 lo, u32 hi)
182{ 285{
183 u8 type = idt_type(lo, hi); 286 u8 type = idt_type(lo, hi);
184 287
288 /* We zero-out a not-present entry */
185 if (!idt_present(lo, hi)) { 289 if (!idt_present(lo, hi)) {
186 trap->a = trap->b = 0; 290 trap->a = trap->b = 0;
187 return; 291 return;
188 } 292 }
189 293
294 /* We only support interrupt and trap gates. */
190 if (type != 0xE && type != 0xF) 295 if (type != 0xE && type != 0xF)
191 kill_guest(lg, "bad IDT type %i", type); 296 kill_guest(lg, "bad IDT type %i", type);
192 297
298 /* We only copy the handler address, present bit, privilege level and
299 * type. The privilege level controls where the trap can be triggered
300 * manually with an "int" instruction. This is usually GUEST_PL,
301 * except for system calls which userspace can use. */
193 trap->a = ((__KERNEL_CS|GUEST_PL)<<16) | (lo&0x0000FFFF); 302 trap->a = ((__KERNEL_CS|GUEST_PL)<<16) | (lo&0x0000FFFF);
194 trap->b = (hi&0xFFFFEF00); 303 trap->b = (hi&0xFFFFEF00);
195} 304}
196 305
306/*H:230 While we're here, dealing with delivering traps and interrupts to the
307 * Guest, we might as well complete the picture: how the Guest tells us where
308 * it wants them to go. This would be simple, except making traps fast
309 * requires some tricks.
310 *
311 * We saw the Guest setting Interrupt Descriptor Table (IDT) entries with the
312 * LHCALL_LOAD_IDT_ENTRY hypercall before: that comes here. */
197void load_guest_idt_entry(struct lguest *lg, unsigned int num, u32 lo, u32 hi) 313void load_guest_idt_entry(struct lguest *lg, unsigned int num, u32 lo, u32 hi)
198{ 314{
199 /* Guest never handles: NMI, doublefault, hypercall, spurious irq. */ 315 /* Guest never handles: NMI, doublefault, spurious interrupt or
316 * hypercall. We ignore when it tries to set them. */
200 if (num == 2 || num == 8 || num == 15 || num == LGUEST_TRAP_ENTRY) 317 if (num == 2 || num == 8 || num == 15 || num == LGUEST_TRAP_ENTRY)
201 return; 318 return;
202 319
320 /* Mark the IDT as changed: next time the Guest runs we'll know we have
321 * to copy this again. */
203 lg->changed |= CHANGED_IDT; 322 lg->changed |= CHANGED_IDT;
323
324 /* The IDT which we keep in "struct lguest" only contains 32 entries
325 * for the traps and LGUEST_IRQS (32) entries for interrupts. We
326 * ignore attempts to set handlers for higher interrupt numbers, except
327 * for the system call "interrupt" at 128: we have a special IDT entry
328 * for that. */
204 if (num < ARRAY_SIZE(lg->idt)) 329 if (num < ARRAY_SIZE(lg->idt))
205 set_trap(lg, &lg->idt[num], num, lo, hi); 330 set_trap(lg, &lg->idt[num], num, lo, hi);
206 else if (num == SYSCALL_VECTOR) 331 else if (num == SYSCALL_VECTOR)
207 set_trap(lg, &lg->syscall_idt, num, lo, hi); 332 set_trap(lg, &lg->syscall_idt, num, lo, hi);
208} 333}
209 334
335/* The default entry for each interrupt points into the Switcher routines which
336 * simply return to the Host. The run_guest() loop will then call
337 * deliver_trap() to bounce it back into the Guest. */
210static void default_idt_entry(struct desc_struct *idt, 338static void default_idt_entry(struct desc_struct *idt,
211 int trap, 339 int trap,
212 const unsigned long handler) 340 const unsigned long handler)
213{ 341{
342 /* A present interrupt gate. */
214 u32 flags = 0x8e00; 343 u32 flags = 0x8e00;
215 344
216 /* They can't "int" into any of them except hypercall. */ 345 /* Set the privilege level on the entry for the hypercall: this allows
346 * the Guest to use the "int" instruction to trigger it. */
217 if (trap == LGUEST_TRAP_ENTRY) 347 if (trap == LGUEST_TRAP_ENTRY)
218 flags |= (GUEST_PL << 13); 348 flags |= (GUEST_PL << 13);
219 349
350 /* Now pack it into the IDT entry in its weird format. */
220 idt->a = (LGUEST_CS<<16) | (handler&0x0000FFFF); 351 idt->a = (LGUEST_CS<<16) | (handler&0x0000FFFF);
221 idt->b = (handler&0xFFFF0000) | flags; 352 idt->b = (handler&0xFFFF0000) | flags;
222} 353}
223 354
355/* When the Guest first starts, we put default entries into the IDT. */
224void setup_default_idt_entries(struct lguest_ro_state *state, 356void setup_default_idt_entries(struct lguest_ro_state *state,
225 const unsigned long *def) 357 const unsigned long *def)
226{ 358{
@@ -230,19 +362,25 @@ void setup_default_idt_entries(struct lguest_ro_state *state,
230 default_idt_entry(&state->guest_idt[i], i, def[i]); 362 default_idt_entry(&state->guest_idt[i], i, def[i]);
231} 363}
232 364
365/*H:240 We don't use the IDT entries in the "struct lguest" directly, instead
366 * we copy them into the IDT which we've set up for Guests on this CPU, just
367 * before we run the Guest. This routine does that copy. */
233void copy_traps(const struct lguest *lg, struct desc_struct *idt, 368void copy_traps(const struct lguest *lg, struct desc_struct *idt,
234 const unsigned long *def) 369 const unsigned long *def)
235{ 370{
236 unsigned int i; 371 unsigned int i;
237 372
238 /* All hardware interrupts are same whatever the guest: only the 373 /* We can simply copy the direct traps, otherwise we use the default
239 * traps might be different. */ 374 * ones in the Switcher: they will return to the Host. */
240 for (i = 0; i < FIRST_EXTERNAL_VECTOR; i++) { 375 for (i = 0; i < FIRST_EXTERNAL_VECTOR; i++) {
241 if (direct_trap(lg, &lg->idt[i], i)) 376 if (direct_trap(lg, &lg->idt[i], i))
242 idt[i] = lg->idt[i]; 377 idt[i] = lg->idt[i];
243 else 378 else
244 default_idt_entry(&idt[i], i, def[i]); 379 default_idt_entry(&idt[i], i, def[i]);
245 } 380 }
381
382 /* Don't forget the system call trap! The IDT entries for other
383 * interupts never change, so no need to copy them. */
246 i = SYSCALL_VECTOR; 384 i = SYSCALL_VECTOR;
247 if (direct_trap(lg, &lg->syscall_idt, i)) 385 if (direct_trap(lg, &lg->syscall_idt, i))
248 idt[i] = lg->syscall_idt; 386 idt[i] = lg->syscall_idt;
diff --git a/drivers/lguest/lg.h b/drivers/lguest/lg.h
index 3b9dc123a7d..269116eee85 100644
--- a/drivers/lguest/lg.h
+++ b/drivers/lguest/lg.h
@@ -58,9 +58,18 @@ struct lguest_dma_info
58 u8 interrupt; /* 0 when not registered */ 58 u8 interrupt; /* 0 when not registered */
59}; 59};
60 60
61/* We have separate types for the guest's ptes & pgds and the shadow ptes & 61/*H:310 The page-table code owes a great debt of gratitude to Andi Kleen. He
62 * pgds. Since this host might use three-level pagetables and the guest and 62 * reviewed the original code which used "u32" for all page table entries, and
63 * shadow pagetables don't, we can't use the normal pte_t/pgd_t. */ 63 * insisted that it would be far clearer with explicit typing. I thought it
64 * was overkill, but he was right: it is much clearer than it was before.
65 *
66 * We have separate types for the Guest's ptes & pgds and the shadow ptes &
67 * pgds. There's already a Linux type for these (pte_t and pgd_t) but they
68 * change depending on kernel config options (PAE). */
69
70/* Each entry is identical: lower 12 bits of flags and upper 20 bits for the
71 * "page frame number" (0 == first physical page, etc). They are different
72 * types so the compiler will warn us if we mix them improperly. */
64typedef union { 73typedef union {
65 struct { unsigned flags:12, pfn:20; }; 74 struct { unsigned flags:12, pfn:20; };
66 struct { unsigned long val; } raw; 75 struct { unsigned long val; } raw;
@@ -77,8 +86,12 @@ typedef union {
77 struct { unsigned flags:12, pfn:20; }; 86 struct { unsigned flags:12, pfn:20; };
78 struct { unsigned long val; } raw; 87 struct { unsigned long val; } raw;
79} gpte_t; 88} gpte_t;
89
90/* We have two convenient macros to convert a "raw" value as handed to us by
91 * the Guest into the correct Guest PGD or PTE type. */
80#define mkgpte(_val) ((gpte_t){.raw.val = _val}) 92#define mkgpte(_val) ((gpte_t){.raw.val = _val})
81#define mkgpgd(_val) ((gpgd_t){.raw.val = _val}) 93#define mkgpgd(_val) ((gpgd_t){.raw.val = _val})
94/*:*/
82 95
83struct pgdir 96struct pgdir
84{ 97{
diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
index f9ca50d8046..cd047e81cd6 100644
--- a/drivers/lguest/page_tables.c
+++ b/drivers/lguest/page_tables.c
@@ -15,38 +15,91 @@
15#include <asm/tlbflush.h> 15#include <asm/tlbflush.h>
16#include "lg.h" 16#include "lg.h"
17 17
18/*H:300
19 * The Page Table Code
20 *
21 * We use two-level page tables for the Guest. If you're not entirely
22 * comfortable with virtual addresses, physical addresses and page tables then
23 * I recommend you review lguest.c's "Page Table Handling" (with diagrams!).
24 *
25 * The Guest keeps page tables, but we maintain the actual ones here: these are
26 * called "shadow" page tables. Which is a very Guest-centric name: these are
27 * the real page tables the CPU uses, although we keep them up to date to
28 * reflect the Guest's. (See what I mean about weird naming? Since when do
29 * shadows reflect anything?)
30 *
31 * Anyway, this is the most complicated part of the Host code. There are seven
32 * parts to this:
33 * (i) Setting up a page table entry for the Guest when it faults,
34 * (ii) Setting up the page table entry for the Guest stack,
35 * (iii) Setting up a page table entry when the Guest tells us it has changed,
36 * (iv) Switching page tables,
37 * (v) Flushing (thowing away) page tables,
38 * (vi) Mapping the Switcher when the Guest is about to run,
39 * (vii) Setting up the page tables initially.
40 :*/
41
42/* Pages a 4k long, and each page table entry is 4 bytes long, giving us 1024
43 * (or 2^10) entries per page. */
18#define PTES_PER_PAGE_SHIFT 10 44#define PTES_PER_PAGE_SHIFT 10
19#define PTES_PER_PAGE (1 << PTES_PER_PAGE_SHIFT) 45#define PTES_PER_PAGE (1 << PTES_PER_PAGE_SHIFT)
46
47/* 1024 entries in a page table page maps 1024 pages: 4MB. The Switcher is
48 * conveniently placed at the top 4MB, so it uses a separate, complete PTE
49 * page. */
20#define SWITCHER_PGD_INDEX (PTES_PER_PAGE - 1) 50#define SWITCHER_PGD_INDEX (PTES_PER_PAGE - 1)
21 51
52/* We actually need a separate PTE page for each CPU. Remember that after the
53 * Switcher code itself comes two pages for each CPU, and we don't want this
54 * CPU's guest to see the pages of any other CPU. */
22static DEFINE_PER_CPU(spte_t *, switcher_pte_pages); 55static DEFINE_PER_CPU(spte_t *, switcher_pte_pages);
23#define switcher_pte_page(cpu) per_cpu(switcher_pte_pages, cpu) 56#define switcher_pte_page(cpu) per_cpu(switcher_pte_pages, cpu)
24 57
58/*H:320 With our shadow and Guest types established, we need to deal with
59 * them: the page table code is curly enough to need helper functions to keep
60 * it clear and clean.
61 *
62 * The first helper takes a virtual address, and says which entry in the top
63 * level page table deals with that address. Since each top level entry deals
64 * with 4M, this effectively divides by 4M. */
25static unsigned vaddr_to_pgd_index(unsigned long vaddr) 65static unsigned vaddr_to_pgd_index(unsigned long vaddr)
26{ 66{
27 return vaddr >> (PAGE_SHIFT + PTES_PER_PAGE_SHIFT); 67 return vaddr >> (PAGE_SHIFT + PTES_PER_PAGE_SHIFT);
28} 68}
29 69
30/* These access the shadow versions (ie. the ones used by the CPU). */ 70/* There are two functions which return pointers to the shadow (aka "real")
71 * page tables.
72 *
73 * spgd_addr() takes the virtual address and returns a pointer to the top-level
74 * page directory entry for that address. Since we keep track of several page
75 * tables, the "i" argument tells us which one we're interested in (it's
76 * usually the current one). */
31static spgd_t *spgd_addr(struct lguest *lg, u32 i, unsigned long vaddr) 77static spgd_t *spgd_addr(struct lguest *lg, u32 i, unsigned long vaddr)
32{ 78{
33 unsigned int index = vaddr_to_pgd_index(vaddr); 79 unsigned int index = vaddr_to_pgd_index(vaddr);
34 80
81 /* We kill any Guest trying to touch the Switcher addresses. */
35 if (index >= SWITCHER_PGD_INDEX) { 82 if (index >= SWITCHER_PGD_INDEX) {
36 kill_guest(lg, "attempt to access switcher pages"); 83 kill_guest(lg, "attempt to access switcher pages");
37 index = 0; 84 index = 0;
38 } 85 }
86 /* Return a pointer index'th pgd entry for the i'th page table. */
39 return &lg->pgdirs[i].pgdir[index]; 87 return &lg->pgdirs[i].pgdir[index];
40} 88}
41 89
90/* This routine then takes the PGD entry given above, which contains the
91 * address of the PTE page. It then returns a pointer to the PTE entry for the
92 * given address. */
42static spte_t *spte_addr(struct lguest *lg, spgd_t spgd, unsigned long vaddr) 93static spte_t *spte_addr(struct lguest *lg, spgd_t spgd, unsigned long vaddr)
43{ 94{
44 spte_t *page = __va(spgd.pfn << PAGE_SHIFT); 95 spte_t *page = __va(spgd.pfn << PAGE_SHIFT);
96 /* You should never call this if the PGD entry wasn't valid */
45 BUG_ON(!(spgd.flags & _PAGE_PRESENT)); 97 BUG_ON(!(spgd.flags & _PAGE_PRESENT));
46 return &page[(vaddr >> PAGE_SHIFT) % PTES_PER_PAGE]; 98 return &page[(vaddr >> PAGE_SHIFT) % PTES_PER_PAGE];
47} 99}
48 100
49/* These access the guest versions. */ 101/* These two functions just like the above two, except they access the Guest
102 * page tables. Hence they return a Guest address. */
50static unsigned long gpgd_addr(struct lguest *lg, unsigned long vaddr) 103static unsigned long gpgd_addr(struct lguest *lg, unsigned long vaddr)
51{ 104{
52 unsigned int index = vaddr >> (PAGE_SHIFT + PTES_PER_PAGE_SHIFT); 105 unsigned int index = vaddr >> (PAGE_SHIFT + PTES_PER_PAGE_SHIFT);
@@ -61,12 +114,24 @@ static unsigned long gpte_addr(struct lguest *lg,
61 return gpage + ((vaddr>>PAGE_SHIFT) % PTES_PER_PAGE) * sizeof(gpte_t); 114 return gpage + ((vaddr>>PAGE_SHIFT) % PTES_PER_PAGE) * sizeof(gpte_t);
62} 115}
63 116
64/* Do a virtual -> physical mapping on a user page. */ 117/*H:350 This routine takes a page number given by the Guest and converts it to
118 * an actual, physical page number. It can fail for several reasons: the
119 * virtual address might not be mapped by the Launcher, the write flag is set
120 * and the page is read-only, or the write flag was set and the page was
121 * shared so had to be copied, but we ran out of memory.
122 *
123 * This holds a reference to the page, so release_pte() is careful to
124 * put that back. */
65static unsigned long get_pfn(unsigned long virtpfn, int write) 125static unsigned long get_pfn(unsigned long virtpfn, int write)
66{ 126{
67 struct page *page; 127 struct page *page;
128 /* This value indicates failure. */
68 unsigned long ret = -1UL; 129 unsigned long ret = -1UL;
69 130
131 /* get_user_pages() is a complex interface: it gets the "struct
132 * vm_area_struct" and "struct page" assocated with a range of pages.
133 * It also needs the task's mmap_sem held, and is not very quick.
134 * It returns the number of pages it got. */
70 down_read(&current->mm->mmap_sem); 135 down_read(&current->mm->mmap_sem);
71 if (get_user_pages(current, current->mm, virtpfn << PAGE_SHIFT, 136 if (get_user_pages(current, current->mm, virtpfn << PAGE_SHIFT,
72 1, write, 1, &page, NULL) == 1) 137 1, write, 1, &page, NULL) == 1)
@@ -75,28 +140,47 @@ static unsigned long get_pfn(unsigned long virtpfn, int write)
75 return ret; 140 return ret;
76} 141}
77 142
143/*H:340 Converting a Guest page table entry to a shadow (ie. real) page table
144 * entry can be a little tricky. The flags are (almost) the same, but the
145 * Guest PTE contains a virtual page number: the CPU needs the real page
146 * number. */
78static spte_t gpte_to_spte(struct lguest *lg, gpte_t gpte, int write) 147static spte_t gpte_to_spte(struct lguest *lg, gpte_t gpte, int write)
79{ 148{
80 spte_t spte; 149 spte_t spte;
81 unsigned long pfn; 150 unsigned long pfn;
82 151
83 /* We ignore the global flag. */ 152 /* The Guest sets the global flag, because it thinks that it is using
153 * PGE. We only told it to use PGE so it would tell us whether it was
154 * flushing a kernel mapping or a userspace mapping. We don't actually
155 * use the global bit, so throw it away. */
84 spte.flags = (gpte.flags & ~_PAGE_GLOBAL); 156 spte.flags = (gpte.flags & ~_PAGE_GLOBAL);
157
158 /* We need a temporary "unsigned long" variable to hold the answer from
159 * get_pfn(), because it returns 0xFFFFFFFF on failure, which wouldn't
160 * fit in spte.pfn. get_pfn() finds the real physical number of the
161 * page, given the virtual number. */
85 pfn = get_pfn(gpte.pfn, write); 162 pfn = get_pfn(gpte.pfn, write);
86 if (pfn == -1UL) { 163 if (pfn == -1UL) {
87 kill_guest(lg, "failed to get page %u", gpte.pfn); 164 kill_guest(lg, "failed to get page %u", gpte.pfn);
88 /* Must not put_page() bogus page on cleanup. */ 165 /* When we destroy the Guest, we'll go through the shadow page
166 * tables and release_pte() them. Make sure we don't think
167 * this one is valid! */
89 spte.flags = 0; 168 spte.flags = 0;
90 } 169 }
170 /* Now we assign the page number, and our shadow PTE is complete. */
91 spte.pfn = pfn; 171 spte.pfn = pfn;
92 return spte; 172 return spte;
93} 173}
94 174
175/*H:460 And to complete the chain, release_pte() looks like this: */
95static void release_pte(spte_t pte) 176static void release_pte(spte_t pte)
96{ 177{
178 /* Remember that get_user_pages() took a reference to the page, in
179 * get_pfn()? We have to put it back now. */
97 if (pte.flags & _PAGE_PRESENT) 180 if (pte.flags & _PAGE_PRESENT)
98 put_page(pfn_to_page(pte.pfn)); 181 put_page(pfn_to_page(pte.pfn));
99} 182}
183/*:*/
100 184
101static void check_gpte(struct lguest *lg, gpte_t gpte) 185static void check_gpte(struct lguest *lg, gpte_t gpte)
102{ 186{
@@ -110,11 +194,16 @@ static void check_gpgd(struct lguest *lg, gpgd_t gpgd)
110 kill_guest(lg, "bad page directory entry"); 194 kill_guest(lg, "bad page directory entry");
111} 195}
112 196
113/* FIXME: We hold reference to pages, which prevents them from being 197/*H:330
114 swapped. It'd be nice to have a callback when Linux wants to swap out. */ 198 * (i) Setting up a page table entry for the Guest when it faults
115 199 *
116/* We fault pages in, which allows us to update accessed/dirty bits. 200 * We saw this call in run_guest(): when we see a page fault in the Guest, we
117 * Return true if we got page. */ 201 * come here. That's because we only set up the shadow page tables lazily as
202 * they're needed, so we get page faults all the time and quietly fix them up
203 * and return to the Guest without it knowing.
204 *
205 * If we fixed up the fault (ie. we mapped the address), this routine returns
206 * true. */
118int demand_page(struct lguest *lg, unsigned long vaddr, int errcode) 207int demand_page(struct lguest *lg, unsigned long vaddr, int errcode)
119{ 208{
120 gpgd_t gpgd; 209 gpgd_t gpgd;
@@ -123,106 +212,161 @@ int demand_page(struct lguest *lg, unsigned long vaddr, int errcode)
123 gpte_t gpte; 212 gpte_t gpte;
124 spte_t *spte; 213 spte_t *spte;
125 214
215 /* First step: get the top-level Guest page table entry. */
126 gpgd = mkgpgd(lgread_u32(lg, gpgd_addr(lg, vaddr))); 216 gpgd = mkgpgd(lgread_u32(lg, gpgd_addr(lg, vaddr)));
217 /* Toplevel not present? We can't map it in. */
127 if (!(gpgd.flags & _PAGE_PRESENT)) 218 if (!(gpgd.flags & _PAGE_PRESENT))
128 return 0; 219 return 0;
129 220
221 /* Now look at the matching shadow entry. */
130 spgd = spgd_addr(lg, lg->pgdidx, vaddr); 222 spgd = spgd_addr(lg, lg->pgdidx, vaddr);
131 if (!(spgd->flags & _PAGE_PRESENT)) { 223 if (!(spgd->flags & _PAGE_PRESENT)) {
132 /* Get a page of PTEs for them. */ 224 /* No shadow entry: allocate a new shadow PTE page. */
133 unsigned long ptepage = get_zeroed_page(GFP_KERNEL); 225 unsigned long ptepage = get_zeroed_page(GFP_KERNEL);
134 /* FIXME: Steal from self in this case? */ 226 /* This is not really the Guest's fault, but killing it is
227 * simple for this corner case. */
135 if (!ptepage) { 228 if (!ptepage) {
136 kill_guest(lg, "out of memory allocating pte page"); 229 kill_guest(lg, "out of memory allocating pte page");
137 return 0; 230 return 0;
138 } 231 }
232 /* We check that the Guest pgd is OK. */
139 check_gpgd(lg, gpgd); 233 check_gpgd(lg, gpgd);
234 /* And we copy the flags to the shadow PGD entry. The page
235 * number in the shadow PGD is the page we just allocated. */
140 spgd->raw.val = (__pa(ptepage) | gpgd.flags); 236 spgd->raw.val = (__pa(ptepage) | gpgd.flags);
141 } 237 }
142 238
239 /* OK, now we look at the lower level in the Guest page table: keep its
240 * address, because we might update it later. */
143 gpte_ptr = gpte_addr(lg, gpgd, vaddr); 241 gpte_ptr = gpte_addr(lg, gpgd, vaddr);
144 gpte = mkgpte(lgread_u32(lg, gpte_ptr)); 242 gpte = mkgpte(lgread_u32(lg, gpte_ptr));
145 243
146 /* No page? */ 244 /* If this page isn't in the Guest page tables, we can't page it in. */
147 if (!(gpte.flags & _PAGE_PRESENT)) 245 if (!(gpte.flags & _PAGE_PRESENT))
148 return 0; 246 return 0;
149 247
150 /* Write to read-only page? */ 248 /* Check they're not trying to write to a page the Guest wants
249 * read-only (bit 2 of errcode == write). */
151 if ((errcode & 2) && !(gpte.flags & _PAGE_RW)) 250 if ((errcode & 2) && !(gpte.flags & _PAGE_RW))
152 return 0; 251 return 0;
153 252
154 /* User access to a non-user page? */ 253 /* User access to a kernel page? (bit 3 == user access) */
155 if ((errcode & 4) && !(gpte.flags & _PAGE_USER)) 254 if ((errcode & 4) && !(gpte.flags & _PAGE_USER))
156 return 0; 255 return 0;
157 256
257 /* Check that the Guest PTE flags are OK, and the page number is below
258 * the pfn_limit (ie. not mapping the Launcher binary). */
158 check_gpte(lg, gpte); 259 check_gpte(lg, gpte);
260 /* Add the _PAGE_ACCESSED and (for a write) _PAGE_DIRTY flag */
159 gpte.flags |= _PAGE_ACCESSED; 261 gpte.flags |= _PAGE_ACCESSED;
160 if (errcode & 2) 262 if (errcode & 2)
161 gpte.flags |= _PAGE_DIRTY; 263 gpte.flags |= _PAGE_DIRTY;
162 264
163 /* We're done with the old pte. */ 265 /* Get the pointer to the shadow PTE entry we're going to set. */
164 spte = spte_addr(lg, *spgd, vaddr); 266 spte = spte_addr(lg, *spgd, vaddr);
267 /* If there was a valid shadow PTE entry here before, we release it.
268 * This can happen with a write to a previously read-only entry. */
165 release_pte(*spte); 269 release_pte(*spte);
166 270
167 /* We don't make it writable if this isn't a write: later 271 /* If this is a write, we insist that the Guest page is writable (the
168 * write will fault so we can set dirty bit in guest. */ 272 * final arg to gpte_to_spte()). */
169 if (gpte.flags & _PAGE_DIRTY) 273 if (gpte.flags & _PAGE_DIRTY)
170 *spte = gpte_to_spte(lg, gpte, 1); 274 *spte = gpte_to_spte(lg, gpte, 1);
171 else { 275 else {
276 /* If this is a read, don't set the "writable" bit in the page
277 * table entry, even if the Guest says it's writable. That way
278 * we come back here when a write does actually ocur, so we can
279 * update the Guest's _PAGE_DIRTY flag. */
172 gpte_t ro_gpte = gpte; 280 gpte_t ro_gpte = gpte;
173 ro_gpte.flags &= ~_PAGE_RW; 281 ro_gpte.flags &= ~_PAGE_RW;
174 *spte = gpte_to_spte(lg, ro_gpte, 0); 282 *spte = gpte_to_spte(lg, ro_gpte, 0);
175 } 283 }
176 284
177 /* Now we update dirty/accessed on guest. */ 285 /* Finally, we write the Guest PTE entry back: we've set the
286 * _PAGE_ACCESSED and maybe the _PAGE_DIRTY flags. */
178 lgwrite_u32(lg, gpte_ptr, gpte.raw.val); 287 lgwrite_u32(lg, gpte_ptr, gpte.raw.val);
288
289 /* We succeeded in mapping the page! */
179 return 1; 290 return 1;
180} 291}
181 292
182/* This is much faster than the full demand_page logic. */ 293/*H:360 (ii) Setting up the page table entry for the Guest stack.
294 *
295 * Remember pin_stack_pages() which makes sure the stack is mapped? It could
296 * simply call demand_page(), but as we've seen that logic is quite long, and
297 * usually the stack pages are already mapped anyway, so it's not required.
298 *
299 * This is a quick version which answers the question: is this virtual address
300 * mapped by the shadow page tables, and is it writable? */
183static int page_writable(struct lguest *lg, unsigned long vaddr) 301static int page_writable(struct lguest *lg, unsigned long vaddr)
184{ 302{
185 spgd_t *spgd; 303 spgd_t *spgd;
186 unsigned long flags; 304 unsigned long flags;
187 305
306 /* Look at the top level entry: is it present? */
188 spgd = spgd_addr(lg, lg->pgdidx, vaddr); 307 spgd = spgd_addr(lg, lg->pgdidx, vaddr);
189 if (!(spgd->flags & _PAGE_PRESENT)) 308 if (!(spgd->flags & _PAGE_PRESENT))
190 return 0; 309 return 0;
191 310
311 /* Check the flags on the pte entry itself: it must be present and
312 * writable. */
192 flags = spte_addr(lg, *spgd, vaddr)->flags; 313 flags = spte_addr(lg, *spgd, vaddr)->flags;
193 return (flags & (_PAGE_PRESENT|_PAGE_RW)) == (_PAGE_PRESENT|_PAGE_RW); 314 return (flags & (_PAGE_PRESENT|_PAGE_RW)) == (_PAGE_PRESENT|_PAGE_RW);
194} 315}
195 316
317/* So, when pin_stack_pages() asks us to pin a page, we check if it's already
318 * in the page tables, and if not, we call demand_page() with error code 2
319 * (meaning "write"). */
196void pin_page(struct lguest *lg, unsigned long vaddr) 320void pin_page(struct lguest *lg, unsigned long vaddr)
197{ 321{
198 if (!page_writable(lg, vaddr) && !demand_page(lg, vaddr, 2)) 322 if (!page_writable(lg, vaddr) && !demand_page(lg, vaddr, 2))
199 kill_guest(lg, "bad stack page %#lx", vaddr); 323 kill_guest(lg, "bad stack page %#lx", vaddr);
200} 324}
201 325
326/*H:450 If we chase down the release_pgd() code, it looks like this: */
202static void release_pgd(struct lguest *lg, spgd_t *spgd) 327static void release_pgd(struct lguest *lg, spgd_t *spgd)
203{ 328{
329 /* If the entry's not present, there's nothing to release. */
204 if (spgd->flags & _PAGE_PRESENT) { 330 if (spgd->flags & _PAGE_PRESENT) {
205 unsigned int i; 331 unsigned int i;
332 /* Converting the pfn to find the actual PTE page is easy: turn
333 * the page number into a physical address, then convert to a
334 * virtual address (easy for kernel pages like this one). */
206 spte_t *ptepage = __va(spgd->pfn << PAGE_SHIFT); 335 spte_t *ptepage = __va(spgd->pfn << PAGE_SHIFT);
336 /* For each entry in the page, we might need to release it. */
207 for (i = 0; i < PTES_PER_PAGE; i++) 337 for (i = 0; i < PTES_PER_PAGE; i++)
208 release_pte(ptepage[i]); 338 release_pte(ptepage[i]);
339 /* Now we can free the page of PTEs */
209 free_page((long)ptepage); 340 free_page((long)ptepage);
341 /* And zero out the PGD entry we we never release it twice. */
210 spgd->raw.val = 0; 342 spgd->raw.val = 0;
211 } 343 }
212} 344}
213 345
346/*H:440 (v) Flushing (thowing away) page tables,
347 *
348 * We saw flush_user_mappings() called when we re-used a top-level pgdir page.
349 * It simply releases every PTE page from 0 up to the kernel address. */
214static void flush_user_mappings(struct lguest *lg, int idx) 350static void flush_user_mappings(struct lguest *lg, int idx)
215{ 351{
216 unsigned int i; 352 unsigned int i;
353 /* Release every pgd entry up to the kernel's address. */
217 for (i = 0; i < vaddr_to_pgd_index(lg->page_offset); i++) 354 for (i = 0; i < vaddr_to_pgd_index(lg->page_offset); i++)
218 release_pgd(lg, lg->pgdirs[idx].pgdir + i); 355 release_pgd(lg, lg->pgdirs[idx].pgdir + i);
219} 356}
220 357
358/* The Guest also has a hypercall to do this manually: it's used when a large
359 * number of mappings have been changed. */
221void guest_pagetable_flush_user(struct lguest *lg) 360void guest_pagetable_flush_user(struct lguest *lg)
222{ 361{
362 /* Drop the userspace part of the current page table. */
223 flush_user_mappings(lg, lg->pgdidx); 363 flush_user_mappings(lg, lg->pgdidx);
224} 364}
365/*:*/
225 366
367/* We keep several page tables. This is a simple routine to find the page
368 * table (if any) corresponding to this top-level address the Guest has given
369 * us. */
226static unsigned int find_pgdir(struct lguest *lg, unsigned long pgtable) 370static unsigned int find_pgdir(struct lguest *lg, unsigned long pgtable)
227{ 371{
228 unsigned int i; 372 unsigned int i;
@@ -232,21 +376,30 @@ static unsigned int find_pgdir(struct lguest *lg, unsigned long pgtable)
232 return i; 376 return i;
233} 377}
234 378
379/*H:435 And this is us, creating the new page directory. If we really do
380 * allocate a new one (and so the kernel parts are not there), we set
381 * blank_pgdir. */
235static unsigned int new_pgdir(struct lguest *lg, 382static unsigned int new_pgdir(struct lguest *lg,
236 unsigned long cr3, 383 unsigned long cr3,
237 int *blank_pgdir) 384 int *blank_pgdir)
238{ 385{
239 unsigned int next; 386 unsigned int next;
240 387
388 /* We pick one entry at random to throw out. Choosing the Least
389 * Recently Used might be better, but this is easy. */
241 next = random32() % ARRAY_SIZE(lg->pgdirs); 390 next = random32() % ARRAY_SIZE(lg->pgdirs);
391 /* If it's never been allocated at all before, try now. */
242 if (!lg->pgdirs[next].pgdir) { 392 if (!lg->pgdirs[next].pgdir) {
243 lg->pgdirs[next].pgdir = (spgd_t *)get_zeroed_page(GFP_KERNEL); 393 lg->pgdirs[next].pgdir = (spgd_t *)get_zeroed_page(GFP_KERNEL);
394 /* If the allocation fails, just keep using the one we have */
244 if (!lg->pgdirs[next].pgdir) 395 if (!lg->pgdirs[next].pgdir)
245 next = lg->pgdidx; 396 next = lg->pgdidx;
246 else 397 else
247 /* There are no mappings: you'll need to re-pin */ 398 /* This is a blank page, so there are no kernel
399 * mappings: caller must map the stack! */
248 *blank_pgdir = 1; 400 *blank_pgdir = 1;
249 } 401 }
402 /* Record which Guest toplevel this shadows. */
250 lg->pgdirs[next].cr3 = cr3; 403 lg->pgdirs[next].cr3 = cr3;
251 /* Release all the non-kernel mappings. */ 404 /* Release all the non-kernel mappings. */
252 flush_user_mappings(lg, next); 405 flush_user_mappings(lg, next);
@@ -254,82 +407,161 @@ static unsigned int new_pgdir(struct lguest *lg,
254 return next; 407 return next;
255} 408}
256 409
410/*H:430 (iv) Switching page tables
411 *
412 * This is what happens when the Guest changes page tables (ie. changes the
413 * top-level pgdir). This happens on almost every context switch. */
257void guest_new_pagetable(struct lguest *lg, unsigned long pgtable) 414void guest_new_pagetable(struct lguest *lg, unsigned long pgtable)
258{ 415{
259 int newpgdir, repin = 0; 416 int newpgdir, repin = 0;
260 417
418 /* Look to see if we have this one already. */
261 newpgdir = find_pgdir(lg, pgtable); 419 newpgdir = find_pgdir(lg, pgtable);
420 /* If not, we allocate or mug an existing one: if it's a fresh one,
421 * repin gets set to 1. */
262 if (newpgdir == ARRAY_SIZE(lg->pgdirs)) 422 if (newpgdir == ARRAY_SIZE(lg->pgdirs))
263 newpgdir = new_pgdir(lg, pgtable, &repin); 423 newpgdir = new_pgdir(lg, pgtable, &repin);
424 /* Change the current pgd index to the new one. */
264 lg->pgdidx = newpgdir; 425 lg->pgdidx = newpgdir;
426 /* If it was completely blank, we map in the Guest kernel stack */
265 if (repin) 427 if (repin)
266 pin_stack_pages(lg); 428 pin_stack_pages(lg);
267} 429}
268 430
431/*H:470 Finally, a routine which throws away everything: all PGD entries in all
432 * the shadow page tables. This is used when we destroy the Guest. */
269static void release_all_pagetables(struct lguest *lg) 433static void release_all_pagetables(struct lguest *lg)
270{ 434{
271 unsigned int i, j; 435 unsigned int i, j;
272 436
437 /* Every shadow pagetable this Guest has */
273 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++) 438 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)
274 if (lg->pgdirs[i].pgdir) 439 if (lg->pgdirs[i].pgdir)
440 /* Every PGD entry except the Switcher at the top */
275 for (j = 0; j < SWITCHER_PGD_INDEX; j++) 441 for (j = 0; j < SWITCHER_PGD_INDEX; j++)
276 release_pgd(lg, lg->pgdirs[i].pgdir + j); 442 release_pgd(lg, lg->pgdirs[i].pgdir + j);
277} 443}
278 444
445/* We also throw away everything when a Guest tells us it's changed a kernel
446 * mapping. Since kernel mappings are in every page table, it's easiest to
447 * throw them all away. This is amazingly slow, but thankfully rare. */
279void guest_pagetable_clear_all(struct lguest *lg) 448void guest_pagetable_clear_all(struct lguest *lg)
280{ 449{
281 release_all_pagetables(lg); 450 release_all_pagetables(lg);
451 /* We need the Guest kernel stack mapped again. */
282 pin_stack_pages(lg); 452 pin_stack_pages(lg);
283} 453}
284 454
455/*H:420 This is the routine which actually sets the page table entry for then
456 * "idx"'th shadow page table.
457 *
458 * Normally, we can just throw out the old entry and replace it with 0: if they
459 * use it demand_page() will put the new entry in. We need to do this anyway:
460 * The Guest expects _PAGE_ACCESSED to be set on its PTE the first time a page
461 * is read from, and _PAGE_DIRTY when it's written to.
462 *
463 * But Avi Kivity pointed out that most Operating Systems (Linux included) set
464 * these bits on PTEs immediately anyway. This is done to save the CPU from
465 * having to update them, but it helps us the same way: if they set
466 * _PAGE_ACCESSED then we can put a read-only PTE entry in immediately, and if
467 * they set _PAGE_DIRTY then we can put a writable PTE entry in immediately.
468 */
285static void do_set_pte(struct lguest *lg, int idx, 469static void do_set_pte(struct lguest *lg, int idx,
286 unsigned long vaddr, gpte_t gpte) 470 unsigned long vaddr, gpte_t gpte)
287{ 471{
472 /* Look up the matching shadow page directot entry. */
288 spgd_t *spgd = spgd_addr(lg, idx, vaddr); 473 spgd_t *spgd = spgd_addr(lg, idx, vaddr);
474
475 /* If the top level isn't present, there's no entry to update. */
289 if (spgd->flags & _PAGE_PRESENT) { 476 if (spgd->flags & _PAGE_PRESENT) {
477 /* Otherwise, we start by releasing the existing entry. */
290 spte_t *spte = spte_addr(lg, *spgd, vaddr); 478 spte_t *spte = spte_addr(lg, *spgd, vaddr);
291 release_pte(*spte); 479 release_pte(*spte);
480
481 /* If they're setting this entry as dirty or accessed, we might
482 * as well put that entry they've given us in now. This shaves
483 * 10% off a copy-on-write micro-benchmark. */
292 if (gpte.flags & (_PAGE_DIRTY | _PAGE_ACCESSED)) { 484 if (gpte.flags & (_PAGE_DIRTY | _PAGE_ACCESSED)) {
293 check_gpte(lg, gpte); 485 check_gpte(lg, gpte);
294 *spte = gpte_to_spte(lg, gpte, gpte.flags&_PAGE_DIRTY); 486 *spte = gpte_to_spte(lg, gpte, gpte.flags&_PAGE_DIRTY);
295 } else 487 } else
488 /* Otherwise we can demand_page() it in later. */
296 spte->raw.val = 0; 489 spte->raw.val = 0;
297 } 490 }
298} 491}
299 492
493/*H:410 Updating a PTE entry is a little trickier.
494 *
495 * We keep track of several different page tables (the Guest uses one for each
496 * process, so it makes sense to cache at least a few). Each of these have
497 * identical kernel parts: ie. every mapping above PAGE_OFFSET is the same for
498 * all processes. So when the page table above that address changes, we update
499 * all the page tables, not just the current one. This is rare.
500 *
501 * The benefit is that when we have to track a new page table, we can copy keep
502 * all the kernel mappings. This speeds up context switch immensely. */
300void guest_set_pte(struct lguest *lg, 503void guest_set_pte(struct lguest *lg,
301 unsigned long cr3, unsigned long vaddr, gpte_t gpte) 504 unsigned long cr3, unsigned long vaddr, gpte_t gpte)
302{ 505{
303 /* Kernel mappings must be changed on all top levels. */ 506 /* Kernel mappings must be changed on all top levels. Slow, but
507 * doesn't happen often. */
304 if (vaddr >= lg->page_offset) { 508 if (vaddr >= lg->page_offset) {
305 unsigned int i; 509 unsigned int i;
306 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++) 510 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)
307 if (lg->pgdirs[i].pgdir) 511 if (lg->pgdirs[i].pgdir)
308 do_set_pte(lg, i, vaddr, gpte); 512 do_set_pte(lg, i, vaddr, gpte);
309 } else { 513 } else {
514 /* Is this page table one we have a shadow for? */
310 int pgdir = find_pgdir(lg, cr3); 515 int pgdir = find_pgdir(lg, cr3);
311 if (pgdir != ARRAY_SIZE(lg->pgdirs)) 516 if (pgdir != ARRAY_SIZE(lg->pgdirs))
517 /* If so, do the update. */
312 do_set_pte(lg, pgdir, vaddr, gpte); 518 do_set_pte(lg, pgdir, vaddr, gpte);
313 } 519 }
314} 520}
315 521
522/*H:400
523 * (iii) Setting up a page table entry when the Guest tells us it has changed.
524 *
525 * Just like we did in interrupts_and_traps.c, it makes sense for us to deal
526 * with the other side of page tables while we're here: what happens when the
527 * Guest asks for a page table to be updated?
528 *
529 * We already saw that demand_page() will fill in the shadow page tables when
530 * needed, so we can simply remove shadow page table entries whenever the Guest
531 * tells us they've changed. When the Guest tries to use the new entry it will
532 * fault and demand_page() will fix it up.
533 *
534 * So with that in mind here's our code to to update a (top-level) PGD entry:
535 */
316void guest_set_pmd(struct lguest *lg, unsigned long cr3, u32 idx) 536void guest_set_pmd(struct lguest *lg, unsigned long cr3, u32 idx)
317{ 537{
318 int pgdir; 538 int pgdir;
319 539
540 /* The kernel seems to try to initialize this early on: we ignore its
541 * attempts to map over the Switcher. */
320 if (idx >= SWITCHER_PGD_INDEX) 542 if (idx >= SWITCHER_PGD_INDEX)
321 return; 543 return;
322 544
545 /* If they're talking about a page table we have a shadow for... */
323 pgdir = find_pgdir(lg, cr3); 546 pgdir = find_pgdir(lg, cr3);
324 if (pgdir < ARRAY_SIZE(lg->pgdirs)) 547 if (pgdir < ARRAY_SIZE(lg->pgdirs))
548 /* ... throw it away. */
325 release_pgd(lg, lg->pgdirs[pgdir].pgdir + idx); 549 release_pgd(lg, lg->pgdirs[pgdir].pgdir + idx);
326} 550}
327 551
552/*H:500 (vii) Setting up the page tables initially.
553 *
554 * When a Guest is first created, the Launcher tells us where the toplevel of
555 * its first page table is. We set some things up here: */
328int init_guest_pagetable(struct lguest *lg, unsigned long pgtable) 556int init_guest_pagetable(struct lguest *lg, unsigned long pgtable)
329{ 557{
330 /* We assume this in flush_user_mappings, so check now */ 558 /* In flush_user_mappings() we loop from 0 to
559 * "vaddr_to_pgd_index(lg->page_offset)". This assumes it won't hit
560 * the Switcher mappings, so check that now. */
331 if (vaddr_to_pgd_index(lg->page_offset) >= SWITCHER_PGD_INDEX) 561 if (vaddr_to_pgd_index(lg->page_offset) >= SWITCHER_PGD_INDEX)
332 return -EINVAL; 562 return -EINVAL;
563 /* We start on the first shadow page table, and give it a blank PGD
564 * page. */
333 lg->pgdidx = 0; 565 lg->pgdidx = 0;
334 lg->pgdirs[lg->pgdidx].cr3 = pgtable; 566 lg->pgdirs[lg->pgdidx].cr3 = pgtable;
335 lg->pgdirs[lg->pgdidx].pgdir = (spgd_t*)get_zeroed_page(GFP_KERNEL); 567 lg->pgdirs[lg->pgdidx].pgdir = (spgd_t*)get_zeroed_page(GFP_KERNEL);
@@ -338,33 +570,48 @@ int init_guest_pagetable(struct lguest *lg, unsigned long pgtable)
338 return 0; 570 return 0;
339} 571}
340 572
573/* When a Guest dies, our cleanup is fairly simple. */
341void free_guest_pagetable(struct lguest *lg) 574void free_guest_pagetable(struct lguest *lg)
342{ 575{
343 unsigned int i; 576 unsigned int i;
344 577
578 /* Throw away all page table pages. */
345 release_all_pagetables(lg); 579 release_all_pagetables(lg);
580 /* Now free the top levels: free_page() can handle 0 just fine. */
346 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++) 581 for (i = 0; i < ARRAY_SIZE(lg->pgdirs); i++)
347 free_page((long)lg->pgdirs[i].pgdir); 582 free_page((long)lg->pgdirs[i].pgdir);
348} 583}
349 584
350/* Caller must be preempt-safe */ 585/*H:480 (vi) Mapping the Switcher when the Guest is about to run.
586 *
587 * The Switcher and the two pages for this CPU need to be available to the
588 * Guest (and not the pages for other CPUs). We have the appropriate PTE pages
589 * for each CPU already set up, we just need to hook them in. */
351void map_switcher_in_guest(struct lguest *lg, struct lguest_pages *pages) 590void map_switcher_in_guest(struct lguest *lg, struct lguest_pages *pages)
352{ 591{
353 spte_t *switcher_pte_page = __get_cpu_var(switcher_pte_pages); 592 spte_t *switcher_pte_page = __get_cpu_var(switcher_pte_pages);
354 spgd_t switcher_pgd; 593 spgd_t switcher_pgd;
355 spte_t regs_pte; 594 spte_t regs_pte;
356 595
357 /* Since switcher less that 4MB, we simply mug top pte page. */ 596 /* Make the last PGD entry for this Guest point to the Switcher's PTE
597 * page for this CPU (with appropriate flags). */
358 switcher_pgd.pfn = __pa(switcher_pte_page) >> PAGE_SHIFT; 598 switcher_pgd.pfn = __pa(switcher_pte_page) >> PAGE_SHIFT;
359 switcher_pgd.flags = _PAGE_KERNEL; 599 switcher_pgd.flags = _PAGE_KERNEL;
360 lg->pgdirs[lg->pgdidx].pgdir[SWITCHER_PGD_INDEX] = switcher_pgd; 600 lg->pgdirs[lg->pgdidx].pgdir[SWITCHER_PGD_INDEX] = switcher_pgd;
361 601
362 /* Map our regs page over stack page. */ 602 /* We also change the Switcher PTE page. When we're running the Guest,
603 * we want the Guest's "regs" page to appear where the first Switcher
604 * page for this CPU is. This is an optimization: when the Switcher
605 * saves the Guest registers, it saves them into the first page of this
606 * CPU's "struct lguest_pages": if we make sure the Guest's register
607 * page is already mapped there, we don't have to copy them out
608 * again. */
363 regs_pte.pfn = __pa(lg->regs_page) >> PAGE_SHIFT; 609 regs_pte.pfn = __pa(lg->regs_page) >> PAGE_SHIFT;
364 regs_pte.flags = _PAGE_KERNEL; 610 regs_pte.flags = _PAGE_KERNEL;
365 switcher_pte_page[(unsigned long)pages/PAGE_SIZE%PTES_PER_PAGE] 611 switcher_pte_page[(unsigned long)pages/PAGE_SIZE%PTES_PER_PAGE]
366 = regs_pte; 612 = regs_pte;
367} 613}
614/*:*/
368 615
369static void free_switcher_pte_pages(void) 616static void free_switcher_pte_pages(void)
370{ 617{
@@ -374,6 +621,10 @@ static void free_switcher_pte_pages(void)
374 free_page((long)switcher_pte_page(i)); 621 free_page((long)switcher_pte_page(i));
375} 622}
376 623
624/*H:520 Setting up the Switcher PTE page for given CPU is fairly easy, given
625 * the CPU number and the "struct page"s for the Switcher code itself.
626 *
627 * Currently the Switcher is less than a page long, so "pages" is always 1. */
377static __init void populate_switcher_pte_page(unsigned int cpu, 628static __init void populate_switcher_pte_page(unsigned int cpu,
378 struct page *switcher_page[], 629 struct page *switcher_page[],
379 unsigned int pages) 630 unsigned int pages)
@@ -381,21 +632,26 @@ static __init void populate_switcher_pte_page(unsigned int cpu,
381 unsigned int i; 632 unsigned int i;
382 spte_t *pte = switcher_pte_page(cpu); 633 spte_t *pte = switcher_pte_page(cpu);
383 634
635 /* The first entries are easy: they map the Switcher code. */
384 for (i = 0; i < pages; i++) { 636 for (i = 0; i < pages; i++) {
385 pte[i].pfn = page_to_pfn(switcher_page[i]); 637 pte[i].pfn = page_to_pfn(switcher_page[i]);
386 pte[i].flags = _PAGE_PRESENT|_PAGE_ACCESSED; 638 pte[i].flags = _PAGE_PRESENT|_PAGE_ACCESSED;
387 } 639 }
388 640
389 /* We only map this CPU's pages, so guest can't see others. */ 641 /* The only other thing we map is this CPU's pair of pages. */
390 i = pages + cpu*2; 642 i = pages + cpu*2;
391 643
392 /* First page (regs) is rw, second (state) is ro. */ 644 /* First page (Guest registers) is writable from the Guest */
393 pte[i].pfn = page_to_pfn(switcher_page[i]); 645 pte[i].pfn = page_to_pfn(switcher_page[i]);
394 pte[i].flags = _PAGE_PRESENT|_PAGE_ACCESSED|_PAGE_RW; 646 pte[i].flags = _PAGE_PRESENT|_PAGE_ACCESSED|_PAGE_RW;
647 /* The second page contains the "struct lguest_ro_state", and is
648 * read-only. */
395 pte[i+1].pfn = page_to_pfn(switcher_page[i+1]); 649 pte[i+1].pfn = page_to_pfn(switcher_page[i+1]);
396 pte[i+1].flags = _PAGE_PRESENT|_PAGE_ACCESSED; 650 pte[i+1].flags = _PAGE_PRESENT|_PAGE_ACCESSED;
397} 651}
398 652
653/*H:510 At boot or module load time, init_pagetables() allocates and populates
654 * the Switcher PTE page for each CPU. */
399__init int init_pagetables(struct page **switcher_page, unsigned int pages) 655__init int init_pagetables(struct page **switcher_page, unsigned int pages)
400{ 656{
401 unsigned int i; 657 unsigned int i;
@@ -410,7 +666,9 @@ __init int init_pagetables(struct page **switcher_page, unsigned int pages)
410 } 666 }
411 return 0; 667 return 0;
412} 668}
669/*:*/
413 670
671/* Cleaning up simply involves freeing the PTE page for each CPU. */
414void free_pagetables(void) 672void free_pagetables(void)
415{ 673{
416 free_switcher_pte_pages(); 674 free_switcher_pte_pages();
diff --git a/drivers/lguest/segments.c b/drivers/lguest/segments.c
index c4fc7293b84..4d4e5a4586f 100644
--- a/drivers/lguest/segments.c
+++ b/drivers/lguest/segments.c
@@ -11,17 +11,58 @@
11 * from frolicking through its parklike serenity. :*/ 11 * from frolicking through its parklike serenity. :*/
12#include "lg.h" 12#include "lg.h"
13 13
14/*H:600
15 * We've almost completed the Host; there's just one file to go!
16 *
17 * Segments & The Global Descriptor Table
18 *
19 * (That title sounds like a bad Nerdcore group. Not to suggest that there are
20 * any good Nerdcore groups, but in high school a friend of mine had a band
21 * called Joe Fish and the Chips, so there are definitely worse band names).
22 *
23 * To refresh: the GDT is a table of 8-byte values describing segments. Once
24 * set up, these segments can be loaded into one of the 6 "segment registers".
25 *
26 * GDT entries are passed around as "struct desc_struct"s, which like IDT
27 * entries are split into two 32-bit members, "a" and "b". One day, someone
28 * will clean that up, and be declared a Hero. (No pressure, I'm just saying).
29 *
30 * Anyway, the GDT entry contains a base (the start address of the segment), a
31 * limit (the size of the segment - 1), and some flags. Sounds simple, and it
32 * would be, except those zany Intel engineers decided that it was too boring
33 * to put the base at one end, the limit at the other, and the flags in
34 * between. They decided to shotgun the bits at random throughout the 8 bytes,
35 * like so:
36 *
37 * 0 16 40 48 52 56 63
38 * [ limit part 1 ][ base part 1 ][ flags ][li][fl][base ]
39 * mit ags part 2
40 * part 2
41 *
42 * As a result, this file contains a certain amount of magic numeracy. Let's
43 * begin.
44 */
45
46/* Is the descriptor the Guest wants us to put in OK?
47 *
48 * The flag which Intel says must be zero: must be zero. The descriptor must
49 * be present, (this is actually checked earlier but is here for thorougness),
50 * and the descriptor type must be 1 (a memory segment). */
14static int desc_ok(const struct desc_struct *gdt) 51static int desc_ok(const struct desc_struct *gdt)
15{ 52{
16 /* MBZ=0, P=1, DT=1 */
17 return ((gdt->b & 0x00209000) == 0x00009000); 53 return ((gdt->b & 0x00209000) == 0x00009000);
18} 54}
19 55
56/* Is the segment present? (Otherwise it can't be used by the Guest). */
20static int segment_present(const struct desc_struct *gdt) 57static int segment_present(const struct desc_struct *gdt)
21{ 58{
22 return gdt->b & 0x8000; 59 return gdt->b & 0x8000;
23} 60}
24 61
62/* There are several entries we don't let the Guest set. The TSS entry is the
63 * "Task State Segment" which controls all kinds of delicate things. The
64 * LGUEST_CS and LGUEST_DS entries are reserved for the Switcher, and the
65 * the Guest can't be trusted to deal with double faults. */
25static int ignored_gdt(unsigned int num) 66static int ignored_gdt(unsigned int num)
26{ 67{
27 return (num == GDT_ENTRY_TSS 68 return (num == GDT_ENTRY_TSS
@@ -30,9 +71,18 @@ static int ignored_gdt(unsigned int num)
30 || num == GDT_ENTRY_DOUBLEFAULT_TSS); 71 || num == GDT_ENTRY_DOUBLEFAULT_TSS);
31} 72}
32 73
33/* We don't allow removal of CS, DS or SS; it doesn't make sense. */ 74/* If the Guest asks us to remove an entry from the GDT, we have to be careful.
75 * If one of the segment registers is pointing at that entry the Switcher will
76 * crash when it tries to reload the segment registers for the Guest.
77 *
78 * It doesn't make much sense for the Guest to try to remove its own code, data
79 * or stack segments while they're in use: assume that's a Guest bug. If it's
80 * one of the lesser segment registers using the removed entry, we simply set
81 * that register to 0 (unusable). */
34static void check_segment_use(struct lguest *lg, unsigned int desc) 82static void check_segment_use(struct lguest *lg, unsigned int desc)
35{ 83{
84 /* GDT entries are 8 bytes long, so we divide to get the index and
85 * ignore the bottom bits. */
36 if (lg->regs->gs / 8 == desc) 86 if (lg->regs->gs / 8 == desc)
37 lg->regs->gs = 0; 87 lg->regs->gs = 0;
38 if (lg->regs->fs / 8 == desc) 88 if (lg->regs->fs / 8 == desc)
@@ -45,12 +95,16 @@ static void check_segment_use(struct lguest *lg, unsigned int desc)
45 kill_guest(lg, "Removed live GDT entry %u", desc); 95 kill_guest(lg, "Removed live GDT entry %u", desc);
46} 96}
47 97
98/*H:610 Once the GDT has been changed, we look through the changed entries and
99 * see if they're OK. If not, we'll call kill_guest() and the Guest will never
100 * get to use the invalid entries. */
48static void fixup_gdt_table(struct lguest *lg, unsigned start, unsigned end) 101static void fixup_gdt_table(struct lguest *lg, unsigned start, unsigned end)
49{ 102{
50 unsigned int i; 103 unsigned int i;
51 104
52 for (i = start; i < end; i++) { 105 for (i = start; i < end; i++) {
53 /* We never copy these ones to real gdt */ 106 /* We never copy these ones to real GDT, so we don't care what
107 * they say */
54 if (ignored_gdt(i)) 108 if (ignored_gdt(i))
55 continue; 109 continue;
56 110
@@ -64,41 +118,57 @@ static void fixup_gdt_table(struct lguest *lg, unsigned start, unsigned end)
64 if (!desc_ok(&lg->gdt[i])) 118 if (!desc_ok(&lg->gdt[i]))
65 kill_guest(lg, "Bad GDT descriptor %i", i); 119 kill_guest(lg, "Bad GDT descriptor %i", i);
66 120
67 /* DPL 0 presumably means "for use by guest". */ 121 /* Segment descriptors contain a privilege level: the Guest is
122 * sometimes careless and leaves this as 0, even though it's
123 * running at privilege level 1. If so, we fix it here. */
68 if ((lg->gdt[i].b & 0x00006000) == 0) 124 if ((lg->gdt[i].b & 0x00006000) == 0)
69 lg->gdt[i].b |= (GUEST_PL << 13); 125 lg->gdt[i].b |= (GUEST_PL << 13);
70 126
71 /* Set accessed bit, since gdt isn't writable. */ 127 /* Each descriptor has an "accessed" bit. If we don't set it
128 * now, the CPU will try to set it when the Guest first loads
129 * that entry into a segment register. But the GDT isn't
130 * writable by the Guest, so bad things can happen. */
72 lg->gdt[i].b |= 0x00000100; 131 lg->gdt[i].b |= 0x00000100;
73 } 132 }
74} 133}
75 134
135/* This routine is called at boot or modprobe time for each CPU to set up the
136 * "constant" GDT entries for Guests running on that CPU. */
76void setup_default_gdt_entries(struct lguest_ro_state *state) 137void setup_default_gdt_entries(struct lguest_ro_state *state)
77{ 138{
78 struct desc_struct *gdt = state->guest_gdt; 139 struct desc_struct *gdt = state->guest_gdt;
79 unsigned long tss = (unsigned long)&state->guest_tss; 140 unsigned long tss = (unsigned long)&state->guest_tss;
80 141
81 /* Hypervisor segments. */ 142 /* The hypervisor segments are full 0-4G segments, privilege level 0 */
82 gdt[GDT_ENTRY_LGUEST_CS] = FULL_EXEC_SEGMENT; 143 gdt[GDT_ENTRY_LGUEST_CS] = FULL_EXEC_SEGMENT;
83 gdt[GDT_ENTRY_LGUEST_DS] = FULL_SEGMENT; 144 gdt[GDT_ENTRY_LGUEST_DS] = FULL_SEGMENT;
84 145
85 /* This is the one which we *cannot* copy from guest, since tss 146 /* The TSS segment refers to the TSS entry for this CPU, so we cannot
86 is depended on this lguest_ro_state, ie. this cpu. */ 147 * copy it from the Guest. Forgive the magic flags */
87 gdt[GDT_ENTRY_TSS].a = 0x00000067 | (tss << 16); 148 gdt[GDT_ENTRY_TSS].a = 0x00000067 | (tss << 16);
88 gdt[GDT_ENTRY_TSS].b = 0x00008900 | (tss & 0xFF000000) 149 gdt[GDT_ENTRY_TSS].b = 0x00008900 | (tss & 0xFF000000)
89 | ((tss >> 16) & 0x000000FF); 150 | ((tss >> 16) & 0x000000FF);
90} 151}
91 152
153/* This routine is called before the Guest is run for the first time. */
92void setup_guest_gdt(struct lguest *lg) 154void setup_guest_gdt(struct lguest *lg)
93{ 155{
156 /* Start with full 0-4G segments... */
94 lg->gdt[GDT_ENTRY_KERNEL_CS] = FULL_EXEC_SEGMENT; 157 lg->gdt[GDT_ENTRY_KERNEL_CS] = FULL_EXEC_SEGMENT;
95 lg->gdt[GDT_ENTRY_KERNEL_DS] = FULL_SEGMENT; 158 lg->gdt[GDT_ENTRY_KERNEL_DS] = FULL_SEGMENT;
159 /* ...except the Guest is allowed to use them, so set the privilege
160 * level appropriately in the flags. */
96 lg->gdt[GDT_ENTRY_KERNEL_CS].b |= (GUEST_PL << 13); 161 lg->gdt[GDT_ENTRY_KERNEL_CS].b |= (GUEST_PL << 13);
97 lg->gdt[GDT_ENTRY_KERNEL_DS].b |= (GUEST_PL << 13); 162 lg->gdt[GDT_ENTRY_KERNEL_DS].b |= (GUEST_PL << 13);
98} 163}
99 164
100/* This is a fast version for the common case where only the three TLS entries 165/* Like the IDT, we never simply use the GDT the Guest gives us. We set up the
101 * have changed. */ 166 * GDTs for each CPU, then we copy across the entries each time we want to run
167 * a different Guest on that CPU. */
168
169/* A partial GDT load, for the three "thead-local storage" entries. Otherwise
170 * it's just like load_guest_gdt(). So much, in fact, it would probably be
171 * neater to have a single hypercall to cover both. */
102void copy_gdt_tls(const struct lguest *lg, struct desc_struct *gdt) 172void copy_gdt_tls(const struct lguest *lg, struct desc_struct *gdt)
103{ 173{
104 unsigned int i; 174 unsigned int i;
@@ -107,22 +177,31 @@ void copy_gdt_tls(const struct lguest *lg, struct desc_struct *gdt)
107 gdt[i] = lg->gdt[i]; 177 gdt[i] = lg->gdt[i];
108} 178}
109 179
180/* This is the full version */
110void copy_gdt(const struct lguest *lg, struct desc_struct *gdt) 181void copy_gdt(const struct lguest *lg, struct desc_struct *gdt)
111{ 182{
112 unsigned int i; 183 unsigned int i;
113 184
185 /* The default entries from setup_default_gdt_entries() are not
186 * replaced. See ignored_gdt() above. */
114 for (i = 0; i < GDT_ENTRIES; i++) 187 for (i = 0; i < GDT_ENTRIES; i++)
115 if (!ignored_gdt(i)) 188 if (!ignored_gdt(i))
116 gdt[i] = lg->gdt[i]; 189 gdt[i] = lg->gdt[i];
117} 190}
118 191
192/* This is where the Guest asks us to load a new GDT (LHCALL_LOAD_GDT). */
119void load_guest_gdt(struct lguest *lg, unsigned long table, u32 num) 193void load_guest_gdt(struct lguest *lg, unsigned long table, u32 num)
120{ 194{
195 /* We assume the Guest has the same number of GDT entries as the
196 * Host, otherwise we'd have to dynamically allocate the Guest GDT. */
121 if (num > ARRAY_SIZE(lg->gdt)) 197 if (num > ARRAY_SIZE(lg->gdt))
122 kill_guest(lg, "too many gdt entries %i", num); 198 kill_guest(lg, "too many gdt entries %i", num);
123 199
200 /* We read the whole thing in, then fix it up. */
124 lgread(lg, lg->gdt, table, num * sizeof(lg->gdt[0])); 201 lgread(lg, lg->gdt, table, num * sizeof(lg->gdt[0]));
125 fixup_gdt_table(lg, 0, ARRAY_SIZE(lg->gdt)); 202 fixup_gdt_table(lg, 0, ARRAY_SIZE(lg->gdt));
203 /* Mark that the GDT changed so the core knows it has to copy it again,
204 * even if the Guest is run on the same CPU. */
126 lg->changed |= CHANGED_GDT; 205 lg->changed |= CHANGED_GDT;
127} 206}
128 207
@@ -134,3 +213,13 @@ void guest_load_tls(struct lguest *lg, unsigned long gtls)
134 fixup_gdt_table(lg, GDT_ENTRY_TLS_MIN, GDT_ENTRY_TLS_MAX+1); 213 fixup_gdt_table(lg, GDT_ENTRY_TLS_MIN, GDT_ENTRY_TLS_MAX+1);
135 lg->changed |= CHANGED_GDT_TLS; 214 lg->changed |= CHANGED_GDT_TLS;
136} 215}
216
217/*
218 * With this, we have finished the Host.
219 *
220 * Five of the seven parts of our task are complete. You have made it through
221 * the Bit of Despair (I think that's somewhere in the page table code,
222 * myself).
223 *
224 * Next, we examine "make Switcher". It's short, but intense.
225 */