Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp

Conflicts: litmus/sched_cedf.c
author: Glenn Elliott <gelliott@cs.unc.edu> 2012-03-04 19:47:13 -0500
committer: Glenn Elliott <gelliott@cs.unc.edu> 2012-03-04 19:47:13 -0500
commit: c71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
tree: ecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /arch/x86/kvm
parent: ea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent: 6a00f206debf8a5c8899055726ad127dbeeed098 (diff)
22 files changed, 7051 insertions, 3424 deletions
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 970bbd479516..50f63648ce1b 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -28,6 +28,7 @@ config KVM
        select HAVE_KVM_IRQCHIP
        select HAVE_KVM_EVENTFD
        select KVM_APIC_ARCHITECTURE
+        select KVM_ASYNC_PF
        select USER_RETURN_NOTIFIER
        select KVM_MMIO
        ---help---
@@ -64,6 +65,13 @@ config KVM_AMD
          To compile this as a module, choose M here: the module
          will be called kvm-amd.
+config KVM_MMU_AUDIT
+        bool "Audit KVM MMU"
+        depends on KVM && TRACEPOINTS
+        ---help---
+         This option adds a R/W kVM module parameter 'mmu_audit', which allows
+         audit  KVM MMU at runtime.
 # OK, it's a little counter-intuitive to do this, but it puts it neatly under
 # the virtualization menu.
 source drivers/vhost/Kconfig
diff --git a/arch/x86/kvm/Makefile b/arch/x86/kvm/Makefile
index 31a7035c4bd9..f15501f431c8 100644
--- a/arch/x86/kvm/Makefile
+++ b/arch/x86/kvm/Makefile
@@ -1,5 +1,5 @@
-EXTRA_CFLAGS += -Ivirt/kvm -Iarch/x86/kvm
+ccflags-y += -Ivirt/kvm -Iarch/x86/kvm
 CFLAGS_x86.o := -I.
 CFLAGS_svm.o := -I.
@@ -9,6 +9,7 @@ kvm-y			+= $(addprefix ../../../virt/kvm/, kvm_main.o ioapic.o \
                                coalesced_mmio.o irq_comm.o eventfd.o \
                                assigned-dev.o)
 kvm-$(CONFIG_IOMMU_API) += $(addprefix ../../../virt/kvm/, iommu.o)
+kvm-$(CONFIG_KVM_ASYNC_PF)      += $(addprefix ../../../virt/kvm/, async_pf.o)
 kvm-y                   += x86.o mmu.o emulate.o i8259.o irq.o lapic.o \
                           i8254.o timer.o
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 66ca98aafdd6..adc98675cda0 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -9,7 +9,7 @@
 * privileged instructions:
 *
 * Copyright (C) 2006 Qumranet
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 *   Avi Kivity <avi@qumranet.com>
 *   Yaniv Kamay <yaniv@qumranet.com>
@@ -20,16 +20,8 @@
 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
 */
-#ifndef __KERNEL__
-#include <stdio.h>
-#include <stdint.h>
-#include <public/xen.h>
-#define DPRINTF(_f, _a ...) printf(_f , ## _a)
-#else
 #include <linux/kvm_host.h>
 #include "kvm_cache_regs.h"
-#define DPRINTF(x...) do {} while (0)
-#endif
 #include <linux/module.h>
 #include <asm/kvm_emulate.h>
@@ -51,39 +43,50 @@
 #define ImplicitOps (1<<1)      /* Implicit in opcode. No generic decode. */
 #define DstReg      (2<<1)      /* Register operand. */
 #define DstMem      (3<<1)      /* Memory operand. */
-#define DstAcc      (4<<1)      /* Destination Accumulator */
+#define DstAcc      (4<<1)      /* Destination Accumulator */
 #define DstDI       (5<<1)      /* Destination is in ES:(E)DI */
 #define DstMem64    (6<<1)      /* 64bit memory operand */
-#define DstMask     (7<<1)
+#define DstImmUByte (7<<1)      /* 8-bit unsigned immediate operand */
+#define DstDX       (8<<1)      /* Destination is in DX register */
+#define DstMask     (0xf<<1)
 /* Source operand type. */
-#define SrcNone     (0<<4)      /* No source operand. */
+#define SrcNone     (0<<5)      /* No source operand. */
-#define SrcImplicit (0<<4)      /* Source operand is implicit in the opcode. */
+#define SrcReg      (1<<5)      /* Register operand. */
-#define SrcReg      (1<<4)      /* Register operand. */
+#define SrcMem      (2<<5)      /* Memory operand. */
-#define SrcMem      (2<<4)      /* Memory operand. */
+#define SrcMem16    (3<<5)      /* Memory operand (16-bit). */
-#define SrcMem16    (3<<4)      /* Memory operand (16-bit). */
+#define SrcMem32    (4<<5)      /* Memory operand (32-bit). */
-#define SrcMem32    (4<<4)      /* Memory operand (32-bit). */
+#define SrcImm      (5<<5)      /* Immediate operand. */
-#define SrcImm      (5<<4)      /* Immediate operand. */
+#define SrcImmByte  (6<<5)      /* 8-bit sign-extended immediate operand. */
-#define SrcImmByte  (6<<4)      /* 8-bit sign-extended immediate operand. */
+#define SrcOne      (7<<5)      /* Implied '1' */
-#define SrcOne      (7<<4)      /* Implied '1' */
+#define SrcImmUByte (8<<5)      /* 8-bit unsigned immediate operand. */
-#define SrcImmUByte (8<<4)      /* 8-bit unsigned immediate operand. */
+#define SrcImmU     (9<<5)      /* Immediate operand, unsigned */
-#define SrcImmU     (9<<4)      /* Immediate operand, unsigned */
+#define SrcSI       (0xa<<5)    /* Source is in the DS:RSI */
-#define SrcSI       (0xa<<4)    /* Source is in the DS:RSI */
+#define SrcImmFAddr (0xb<<5)    /* Source is immediate far address */
-#define SrcImmFAddr (0xb<<4)    /* Source is immediate far address */
+#define SrcMemFAddr (0xc<<5)    /* Source is far address in memory */
-#define SrcMemFAddr (0xc<<4)    /* Source is far address in memory */
+#define SrcAcc      (0xd<<5)    /* Source Accumulator */
-#define SrcAcc      (0xd<<4)    /* Source Accumulator */
+#define SrcImmU16   (0xe<<5)    /* Immediate operand, unsigned, 16 bits */
-#define SrcMask     (0xf<<4)
+#define SrcDX       (0xf<<5)    /* Source is in DX register */
+#define SrcMask     (0xf<<5)
 /* Generic ModRM decode. */
-#define ModRM       (1<<8)
+#define ModRM       (1<<9)
 /* Destination is only written; never read. */
-#define Mov         (1<<9)
+#define Mov         (1<<10)
-#define BitOp       (1<<10)
+#define BitOp       (1<<11)
-#define MemAbs      (1<<11)      /* Memory operand is absolute displacement */
+#define MemAbs      (1<<12)      /* Memory operand is absolute displacement */
-#define String      (1<<12)     /* String instruction (rep capable) */
+#define String      (1<<13)     /* String instruction (rep capable) */
-#define Stack       (1<<13)     /* Stack instruction (push/pop) */
+#define Stack       (1<<14)     /* Stack instruction (push/pop) */
-#define Group       (1<<14)     /* Bits 3:5 of modrm byte extend opcode */
+#define GroupMask   (7<<15)     /* Opcode uses one of the group mechanisms */
-#define GroupDual   (1<<15)     /* Alternate decoding of mod == 3 */
+#define Group       (1<<15)     /* Bits 3:5 of modrm byte extend opcode */
-#define GroupMask   0xff        /* Group number stored in bits 0:7 */
+#define GroupDual   (2<<15)     /* Alternate decoding of mod == 3 */
+#define Prefix      (3<<15)     /* Instruction varies with 66/f2/f3 prefix */
+#define RMExt       (4<<15)     /* Opcode extension in ModRM r/m if mod == 3 */
+#define Sse         (1<<18)     /* SSE Vector instruction */
 /* Misc flags */
+#define Prot        (1<<21) /* instruction generates #UD if not in prot-mode */
+#define VendorSpecific (1<<22) /* Vendor specific instruction */
+#define NoAccess    (1<<23) /* Don't access memory (lea/invlpg/verr etc) */
+#define Op3264      (1<<24) /* Operand is 64b in long mode, 32b otherwise */
+#define Undefined   (1<<25) /* No Such Instruction */
 #define Lock        (1<<26) /* lock prefix is allowed for the instruction */
 #define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
 #define No64        (1<<28)
@@ -92,285 +95,40 @@
 #define Src2CL      (1<<29)
 #define Src2ImmByte (2<<29)
 #define Src2One     (3<<29)
+#define Src2Imm     (4<<29)
 #define Src2Mask    (7<<29)
-enum {
+#define X2(x...) x, x
-        Group1_80, Group1_81, Group1_82, Group1_83,
+#define X3(x...) X2(x), x
-        Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
+#define X4(x...) X2(x), X2(x)
-        Group8, Group9,
+#define X5(x...) X4(x), x
-};
+#define X6(x...) X4(x), X2(x)
+#define X7(x...) X4(x), X3(x)
-static u32 opcode_table[256] = {
+#define X8(x...) X4(x), X4(x)
-        /* 0x00 - 0x07 */
+#define X16(x...) X8(x), X8(x)
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
+struct opcode {
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+        u32 flags;
-        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
+        u8 intercept;
-        /* 0x08 - 0x0F */
+        union {
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
+                int (*execute)(struct x86_emulate_ctxt *ctxt);
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
+                struct opcode *group;
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
+                struct group_dual *gdual;
-        ImplicitOps | Stack | No64, 0,
+                struct gprefix *gprefix;
-        /* 0x10 - 0x17 */
+        } u;
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
+        int (*check_perm)(struct x86_emulate_ctxt *ctxt);
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
-        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
-        /* 0x18 - 0x1F */
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
-        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
-        /* 0x20 - 0x27 */
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
-        /* 0x28 - 0x2F */
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
-        /* 0x30 - 0x37 */
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImmByte, DstAcc | SrcImm, 0, 0,
-        /* 0x38 - 0x3F */
-        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
-        ByteOp | DstReg | SrcMem | ModRM, DstReg | SrcMem | ModRM,
-        ByteOp | DstAcc | SrcImm, DstAcc | SrcImm,
-        0, 0,
-        /* 0x40 - 0x47 */
-        DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
-        /* 0x48 - 0x4F */
-        DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
-        /* 0x50 - 0x57 */
-        SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
-        SrcReg | Stack, SrcReg | Stack, SrcReg | Stack, SrcReg | Stack,
-        /* 0x58 - 0x5F */
-        DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
-        DstReg | Stack, DstReg | Stack, DstReg | Stack, DstReg | Stack,
-        /* 0x60 - 0x67 */
-        ImplicitOps | Stack | No64, ImplicitOps | Stack | No64,
-        0, DstReg | SrcMem32 | ModRM | Mov /* movsxd (x86/64) */ ,
-        0, 0, 0, 0,
-        /* 0x68 - 0x6F */
-        SrcImm | Mov | Stack, 0, SrcImmByte | Mov | Stack, 0,
-        DstDI | ByteOp | Mov | String, DstDI | Mov | String, /* insb, insw/insd */
-        SrcSI | ByteOp | ImplicitOps | String, SrcSI | ImplicitOps | String, /* outsb, outsw/outsd */
-        /* 0x70 - 0x77 */
-        SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
-        SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
-        /* 0x78 - 0x7F */
-        SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
-        SrcImmByte, SrcImmByte, SrcImmByte, SrcImmByte,
-        /* 0x80 - 0x87 */
-        Group | Group1_80, Group | Group1_81,
-        Group | Group1_82, Group | Group1_83,
-        ByteOp | DstMem | SrcReg | ModRM, DstMem | SrcReg | ModRM,
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        /* 0x88 - 0x8F */
-        ByteOp | DstMem | SrcReg | ModRM | Mov, DstMem | SrcReg | ModRM | Mov,
-        ByteOp | DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstMem | SrcNone | ModRM | Mov, ModRM | DstReg,
-        ImplicitOps | SrcMem16 | ModRM, Group | Group1A,
-        /* 0x90 - 0x97 */
-        DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg, DstReg,
-        /* 0x98 - 0x9F */
-        0, 0, SrcImmFAddr | No64, 0,
-        ImplicitOps | Stack, ImplicitOps | Stack, 0, 0,
-        /* 0xA0 - 0xA7 */
-        ByteOp | DstAcc | SrcMem | Mov | MemAbs, DstAcc | SrcMem | Mov | MemAbs,
-        ByteOp | DstMem | SrcAcc | Mov | MemAbs, DstMem | SrcAcc | Mov | MemAbs,
-        ByteOp | SrcSI | DstDI | Mov | String, SrcSI | DstDI | Mov | String,
-        ByteOp | SrcSI | DstDI | String, SrcSI | DstDI | String,
-        /* 0xA8 - 0xAF */
-        DstAcc | SrcImmByte | ByteOp, DstAcc | SrcImm, ByteOp | DstDI | Mov | String, DstDI | Mov | String,
-        ByteOp | SrcSI | DstAcc | Mov | String, SrcSI | DstAcc | Mov | String,
-        ByteOp | DstDI | String, DstDI | String,
-        /* 0xB0 - 0xB7 */
-        ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
-        ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
-        ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
-        ByteOp | DstReg | SrcImm | Mov, ByteOp | DstReg | SrcImm | Mov,
-        /* 0xB8 - 0xBF */
-        DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
-        DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
-        DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
-        DstReg | SrcImm | Mov, DstReg | SrcImm | Mov,
-        /* 0xC0 - 0xC7 */
-        ByteOp | DstMem | SrcImm | ModRM, DstMem | SrcImmByte | ModRM,
-        0, ImplicitOps | Stack, 0, 0,
-        ByteOp | DstMem | SrcImm | ModRM | Mov, DstMem | SrcImm | ModRM | Mov,
-        /* 0xC8 - 0xCF */
-        0, 0, 0, ImplicitOps | Stack,
-        ImplicitOps, SrcImmByte, ImplicitOps | No64, ImplicitOps,
-        /* 0xD0 - 0xD7 */
-        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
-        ByteOp | DstMem | SrcImplicit | ModRM, DstMem | SrcImplicit | ModRM,
-        0, 0, 0, 0,
-        /* 0xD8 - 0xDF */
-        0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0xE0 - 0xE7 */
-        0, 0, 0, 0,
-        ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
-        ByteOp | SrcImmUByte | DstAcc, SrcImmUByte | DstAcc,
-        /* 0xE8 - 0xEF */
-        SrcImm | Stack, SrcImm | ImplicitOps,
-        SrcImmFAddr | No64, SrcImmByte | ImplicitOps,
-        SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
-        SrcNone | ByteOp | DstAcc, SrcNone | DstAcc,
-        /* 0xF0 - 0xF7 */
-        0, 0, 0, 0,
-        ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
-        /* 0xF8 - 0xFF */
-        ImplicitOps, 0, ImplicitOps, ImplicitOps,
-        ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
-};
-static u32 twobyte_table[256] = {
-        /* 0x00 - 0x0F */
-        0, Group | GroupDual | Group7, 0, 0,
-        0, ImplicitOps, ImplicitOps | Priv, 0,
-        ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
-        0, ImplicitOps | ModRM, 0, 0,
-        /* 0x10 - 0x1F */
-        0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x20 - 0x2F */
-        ModRM | ImplicitOps | Priv, ModRM | Priv,
-        ModRM | ImplicitOps | Priv, ModRM | Priv,
-        0, 0, 0, 0,
-        0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x30 - 0x3F */
-        ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
-        ImplicitOps, ImplicitOps | Priv, 0, 0,
-        0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x40 - 0x47 */
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        /* 0x48 - 0x4F */
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
-        /* 0x50 - 0x5F */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x60 - 0x6F */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x70 - 0x7F */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0x80 - 0x8F */
-        SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
-        SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm, SrcImm,
-        /* 0x90 - 0x9F */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0xA0 - 0xA7 */
-        ImplicitOps | Stack, ImplicitOps | Stack,
-        0, DstMem | SrcReg | ModRM | BitOp,
-        DstMem | SrcReg | Src2ImmByte | ModRM,
-        DstMem | SrcReg | Src2CL | ModRM, 0, 0,
-        /* 0xA8 - 0xAF */
-        ImplicitOps | Stack, ImplicitOps | Stack,
-        0, DstMem | SrcReg | ModRM | BitOp | Lock,
-        DstMem | SrcReg | Src2ImmByte | ModRM,
-        DstMem | SrcReg | Src2CL | ModRM,
-        ModRM, 0,
-        /* 0xB0 - 0xB7 */
-        ByteOp | DstMem | SrcReg | ModRM | Lock, DstMem | SrcReg | ModRM | Lock,
-        0, DstMem | SrcReg | ModRM | BitOp | Lock,
-        0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
-            DstReg | SrcMem16 | ModRM | Mov,
-        /* 0xB8 - 0xBF */
-        0, 0,
-        Group | Group8, DstMem | SrcReg | ModRM | BitOp | Lock,
-        0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
-            DstReg | SrcMem16 | ModRM | Mov,
-        /* 0xC0 - 0xCF */
-        0, 0, 0, DstMem | SrcReg | ModRM | Mov,
-        0, 0, 0, Group | GroupDual | Group9,
-        0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0xD0 - 0xDF */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0xE0 - 0xEF */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        /* 0xF0 - 0xFF */
-        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 };
-static u32 group_table[] = {
+struct group_dual {
-        [Group1_80*8] =
+        struct opcode mod012[8];
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
+        struct opcode mod3[8];
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | Lock,
-        ByteOp | DstMem | SrcImm | ModRM,
-        [Group1_81*8] =
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM | Lock,
-        DstMem | SrcImm | ModRM,
-        [Group1_82*8] =
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64 | Lock,
-        ByteOp | DstMem | SrcImm | ModRM | No64,
-        [Group1_83*8] =
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM,
-        [Group1A*8] =
-        DstMem | SrcNone | ModRM | Mov | Stack, 0, 0, 0, 0, 0, 0, 0,
-        [Group3_Byte*8] =
-        ByteOp | SrcImm | DstMem | ModRM, ByteOp | SrcImm | DstMem | ModRM,
-        ByteOp | DstMem | SrcNone | ModRM, ByteOp | DstMem | SrcNone | ModRM,
-        0, 0, 0, 0,
-        [Group3*8] =
-        DstMem | SrcImm | ModRM, DstMem | SrcImm | ModRM,
-        DstMem | SrcNone | ModRM, DstMem | SrcNone | ModRM,
-        0, 0, 0, 0,
-        [Group4*8] =
-        ByteOp | DstMem | SrcNone | ModRM | Lock, ByteOp | DstMem | SrcNone | ModRM | Lock,
-        0, 0, 0, 0, 0, 0,
-        [Group5*8] =
-        DstMem | SrcNone | ModRM | Lock, DstMem | SrcNone | ModRM | Lock,
-        SrcMem | ModRM | Stack, 0,
-        SrcMem | ModRM | Stack, SrcMemFAddr | ModRM | ImplicitOps,
-        SrcMem | ModRM | Stack, 0,
-        [Group7*8] =
-        0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
-        SrcNone | ModRM | DstMem | Mov, 0,
-        SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
-        [Group8*8] =
-        0, 0, 0, 0,
-        DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM | Lock,
-        DstMem | SrcImmByte | ModRM | Lock, DstMem | SrcImmByte | ModRM | Lock,
-        [Group9*8] =
-        0, DstMem64 | ModRM | Lock, 0, 0, 0, 0, 0, 0,
 };
-static u32 group2_table[] = {
+struct gprefix {
-        [Group7*8] =
+        struct opcode pfx_no;
-        SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM | Priv,
+        struct opcode pfx_66;
-        SrcNone | ModRM | DstMem | Mov, 0,
+        struct opcode pfx_f2;
-        SrcMem16 | ModRM | Mov | Priv, 0,
+        struct opcode pfx_f3;
-        [Group9*8] =
-        0, 0, 0, 0, 0, 0, 0, 0,
 };
 /* EFLAGS bit definitions. */
@@ -392,6 +150,9 @@ static u32 group2_table[] = {
 #define EFLG_PF (1<<2)
 #define EFLG_CF (1<<0)
+#define EFLG_RESERVED_ZEROS_MASK 0xffc0802a
+#define EFLG_RESERVED_ONE_MASK 2
 /*
 * Instruction emulation:
 * Most instructions are emulated directly via a fragment of inline assembly
@@ -444,13 +205,13 @@ static u32 group2_table[] = {
 #define ON64(x)
 #endif
-#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)      \
+#define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
        do {                                                            \
                __asm__ __volatile__ (                                  \
                        _PRE_EFLAGS("0", "4", "2")                      \
                        _op _suffix " %"_x"3,%1; "                      \
                        _POST_EFLAGS("0", "4", "2")                     \
-                        : "=m" (_eflags), "=m" ((_dst).val),            \
+                        : "=m" (_eflags), "+q" (*(_dsttype*)&(_dst).val),\
                          "=&r" (_tmp)                                  \
                        : _y ((_src).val), "i" (EFLAGS_MASK));          \
        } while (0)
@@ -463,13 +224,13 @@ static u32 group2_table[] = {
                                                                        \
                switch ((_dst).bytes) {                                 \
                case 2:                                                 \
-                        ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
+                        ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
                        break;                                          \
                case 4:                                                 \
-                        ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l"); \
+                        ____emulate_2op(_op,_src,_dst,_eflags,_lx,_ly,"l",u32);\
                        break;                                          \
                case 8:                                                 \
-                        ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q")); \
+                        ON64(____emulate_2op(_op,_src,_dst,_eflags,_qx,_qy,"q",u64)); \
                        break;                                          \
                }                                                       \
        } while (0)
@@ -479,7 +240,7 @@ static u32 group2_table[] = {
                unsigned long _tmp;                                          \
                switch ((_dst).bytes) {                                      \
                case 1:                                                      \
-                        ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
+                        ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
                        break;                                               \
                default:                                                     \
                        __emulate_2op_nobyte(_op, _src, _dst, _eflags,       \
@@ -504,42 +265,42 @@ static u32 group2_table[] = {
                             "w", "r", _LO32, "r", "", "r")
 /* Instruction has three operands and one operand is stored in ECX register */
-#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type)         \
+#define __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, _suffix, _type) \
-        do {                                                                    \
+        do {                                                            \
-                unsigned long _tmp;                                             \
+                unsigned long _tmp;                                     \
-                _type _clv  = (_cl).val;                                        \
+                _type _clv  = (_cl).val;                                \
-                _type _srcv = (_src).val;                                       \
+                _type _srcv = (_src).val;                               \
-                _type _dstv = (_dst).val;                                       \
+                _type _dstv = (_dst).val;                               \
-                                                                                \
+                                                                        \
-                __asm__ __volatile__ (                                          \
+                __asm__ __volatile__ (                                  \
-                        _PRE_EFLAGS("0", "5", "2")                              \
+                        _PRE_EFLAGS("0", "5", "2")                      \
-                        _op _suffix " %4,%1 \n"                                 \
+                        _op _suffix " %4,%1 \n"                         \
-                        _POST_EFLAGS("0", "5", "2")                             \
+                        _POST_EFLAGS("0", "5", "2")                     \
-                        : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)            \
+                        : "=m" (_eflags), "+r" (_dstv), "=&r" (_tmp)    \
-                        : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)           \
+                        : "c" (_clv) , "r" (_srcv), "i" (EFLAGS_MASK)   \
-                        );                                                      \
+                        );                                              \
-                                                                                \
+                                                                        \
-                (_cl).val  = (unsigned long) _clv;                              \
+                (_cl).val  = (unsigned long) _clv;                      \
-                (_src).val = (unsigned long) _srcv;                             \
+                (_src).val = (unsigned long) _srcv;                     \
-                (_dst).val = (unsigned long) _dstv;                             \
+                (_dst).val = (unsigned long) _dstv;                     \
        } while (0)
-#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)                           \
+#define emulate_2op_cl(_op, _cl, _src, _dst, _eflags)                   \
-        do {                                                                    \
+        do {                                                            \
-                switch ((_dst).bytes) {                                         \
+                switch ((_dst).bytes) {                                 \
-                case 2:                                                         \
+                case 2:                                                 \
-                        __emulate_2op_cl(_op, _cl, _src, _dst, _eflags,         \
+                        __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
-                                                "w", unsigned short);           \
+                                         "w", unsigned short);          \
-                        break;                                                  \
+                        break;                                          \
-                case 4:                                                         \
+                case 4:                                                 \
-                        __emulate_2op_cl(_op, _cl, _src, _dst, _eflags,         \
+                        __emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
-                                                "l", unsigned int);             \
+                                         "l", unsigned int);            \
-                        break;                                                  \
+                        break;                                          \
-                case 8:                                                         \
+                case 8:                                                 \
-                        ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags,    \
+                        ON64(__emulate_2op_cl(_op, _cl, _src, _dst, _eflags, \
-                                                "q", unsigned long));           \
+                                              "q", unsigned long));     \
-                        break;                                                  \
+                        break;                                          \
-                }                                                               \
+                }                                                       \
        } while (0)
 #define __emulate_1op(_op, _dst, _eflags, _suffix)                      \
@@ -566,6 +327,86 @@ static u32 group2_table[] = {
                }                                                       \
        } while (0)
+#define __emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags, _suffix)          \
+        do {                                                            \
+                unsigned long _tmp;                                     \
+                                                                        \
+                __asm__ __volatile__ (                                  \
+                        _PRE_EFLAGS("0", "4", "1")                      \
+                        _op _suffix " %5; "                             \
+                        _POST_EFLAGS("0", "4", "1")                     \
+                        : "=m" (_eflags), "=&r" (_tmp),                 \
+                          "+a" (_rax), "+d" (_rdx)                      \
+                        : "i" (EFLAGS_MASK), "m" ((_src).val),          \
+                          "a" (_rax), "d" (_rdx));                      \
+        } while (0)
+#define __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _suffix, _ex) \
+        do {                                                            \
+                unsigned long _tmp;                                     \
+                                                                        \
+                __asm__ __volatile__ (                                  \
+                        _PRE_EFLAGS("0", "5", "1")                      \
+                        "1: \n\t"                                       \
+                        _op _suffix " %6; "                             \
+                        "2: \n\t"                                       \
+                        _POST_EFLAGS("0", "5", "1")                     \
+                        ".pushsection .fixup,\"ax\" \n\t"               \
+                        "3: movb $1, %4 \n\t"                           \
+                        "jmp 2b \n\t"                                   \
+                        ".popsection \n\t"                              \
+                        _ASM_EXTABLE(1b, 3b)                            \
+                        : "=m" (_eflags), "=&r" (_tmp),                 \
+                          "+a" (_rax), "+d" (_rdx), "+qm"(_ex)          \
+                        : "i" (EFLAGS_MASK), "m" ((_src).val),          \
+                          "a" (_rax), "d" (_rdx));                      \
+        } while (0)
+/* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
+#define emulate_1op_rax_rdx(_op, _src, _rax, _rdx, _eflags)             \
+        do {                                                            \
+                switch((_src).bytes) {                                  \
+                case 1:                                                 \
+                        __emulate_1op_rax_rdx(_op, _src, _rax, _rdx,    \
+                                              _eflags, "b");            \
+                        break;                                          \
+                case 2:                                                 \
+                        __emulate_1op_rax_rdx(_op, _src, _rax, _rdx,    \
+                                              _eflags, "w");            \
+                        break;                                          \
+                case 4:                                                 \
+                        __emulate_1op_rax_rdx(_op, _src, _rax, _rdx,    \
+                                              _eflags, "l");            \
+                        break;                                          \
+                case 8:                                                 \
+                        ON64(__emulate_1op_rax_rdx(_op, _src, _rax, _rdx, \
+                                                   _eflags, "q"));      \
+                        break;                                          \
+                }                                                       \
+        } while (0)
+#define emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, _eflags, _ex)     \
+        do {                                                            \
+                switch((_src).bytes) {                                  \
+                case 1:                                                 \
+                        __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
+                                                 _eflags, "b", _ex);    \
+                        break;                                          \
+                case 2:                                                 \
+                        __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
+                                                 _eflags, "w", _ex);    \
+                        break;                                          \
+                case 4:                                                 \
+                        __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
+                                                 _eflags, "l", _ex);    \
+                        break;                                          \
+                case 8: ON64(                                           \
+                        __emulate_1op_rax_rdx_ex(_op, _src, _rax, _rdx, \
+                                                 _eflags, "q", _ex));   \
+                        break;                                          \
+                }                                                       \
+        } while (0)
 /* Fetch next part of the instruction being emulated. */
 #define insn_fetch(_type, _size, _eip)                                  \
 ({      unsigned long _x;                                               \
@@ -576,13 +417,33 @@ static u32 group2_table[] = {
        (_type)_x;                                                      \
 })
-#define insn_fetch_arr(_arr, _size, _eip)                                \
+#define insn_fetch_arr(_arr, _size, _eip)                               \
 ({      rc = do_insn_fetch(ctxt, ops, (_eip), _arr, (_size));           \
        if (rc != X86EMUL_CONTINUE)                                     \
                goto done;                                              \
        (_eip) += (_size);                                              \
 })
+static int emulator_check_intercept(struct x86_emulate_ctxt *ctxt,
+                                    enum x86_intercept intercept,
+                                    enum x86_intercept_stage stage)
+{
+        struct x86_instruction_info info = {
+                .intercept  = intercept,
+                .rep_prefix = ctxt->decode.rep_prefix,
+                .modrm_mod  = ctxt->decode.modrm_mod,
+                .modrm_reg  = ctxt->decode.modrm_reg,
+                .modrm_rm   = ctxt->decode.modrm_rm,
+                .src_val    = ctxt->decode.src.val64,
+                .src_bytes  = ctxt->decode.src.bytes,
+                .dst_bytes  = ctxt->decode.dst.bytes,
+                .ad_bytes   = ctxt->decode.ad_bytes,
+                .next_rip   = ctxt->eip,
+        };
+        return ctxt->ops->intercept(ctxt, &info, stage);
+}
 static inline unsigned long ad_mask(struct decode_cache *c)
 {
        return (1UL << (c->ad_bytes << 3)) - 1;
@@ -599,9 +460,9 @@ address_mask(struct decode_cache *c, unsigned long reg)
 }
 static inline unsigned long
-register_address(struct decode_cache *c, unsigned long base, unsigned long reg)
+register_address(struct decode_cache *c, unsigned long reg)
 {
-        return base + address_mask(c, reg);
+        return address_mask(c, reg);
 }
 static inline void
@@ -618,6 +479,13 @@ static inline void jmp_rel(struct decode_cache *c, int rel)
        register_address_increment(c, &c->eip, rel);
 }
+static u32 desc_limit_scaled(struct desc_struct *desc)
+{
+        u32 limit = get_desc_limit(desc);
+        return desc->g ? (limit << 12) | 0xfff : limit;
+}
 static void set_seg_override(struct decode_cache *c, int seg)
 {
        c->has_seg_override = true;
@@ -630,60 +498,177 @@ static unsigned long seg_base(struct x86_emulate_ctxt *ctxt,
        if (ctxt->mode == X86EMUL_MODE_PROT64 && seg < VCPU_SREG_FS)
                return 0;
-        return ops->get_cached_segment_base(seg, ctxt->vcpu);
+        return ops->get_cached_segment_base(ctxt, seg);
 }
-static unsigned long seg_override_base(struct x86_emulate_ctxt *ctxt,
+static unsigned seg_override(struct x86_emulate_ctxt *ctxt,
-                                       struct x86_emulate_ops *ops,
+                             struct decode_cache *c)
-                                       struct decode_cache *c)
 {
        if (!c->has_seg_override)
                return 0;
-        return seg_base(ctxt, ops, c->seg_override);
+        return c->seg_override;
 }
-static unsigned long es_base(struct x86_emulate_ctxt *ctxt,
+static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
-                             struct x86_emulate_ops *ops)
+                             u32 error, bool valid)
 {
-        return seg_base(ctxt, ops, VCPU_SREG_ES);
+        ctxt->exception.vector = vec;
+        ctxt->exception.error_code = error;
+        ctxt->exception.error_code_valid = valid;
+        return X86EMUL_PROPAGATE_FAULT;
 }
-static unsigned long ss_base(struct x86_emulate_ctxt *ctxt,
+static int emulate_db(struct x86_emulate_ctxt *ctxt)
-                             struct x86_emulate_ops *ops)
+{
+        return emulate_exception(ctxt, DB_VECTOR, 0, false);
+}
+static int emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
+{
+        return emulate_exception(ctxt, GP_VECTOR, err, true);
+}
+static int emulate_ss(struct x86_emulate_ctxt *ctxt, int err)
+{
+        return emulate_exception(ctxt, SS_VECTOR, err, true);
+}
+static int emulate_ud(struct x86_emulate_ctxt *ctxt)
+{
+        return emulate_exception(ctxt, UD_VECTOR, 0, false);
+}
+static int emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
+{
+        return emulate_exception(ctxt, TS_VECTOR, err, true);
+}
+static int emulate_de(struct x86_emulate_ctxt *ctxt)
 {
-        return seg_base(ctxt, ops, VCPU_SREG_SS);
+        return emulate_exception(ctxt, DE_VECTOR, 0, false);
 }
-static void emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
+static int emulate_nm(struct x86_emulate_ctxt *ctxt)
-                                      u32 error, bool valid)
 {
-        ctxt->exception = vec;
+        return emulate_exception(ctxt, NM_VECTOR, 0, false);
-        ctxt->error_code = error;
-        ctxt->error_code_valid = valid;
-        ctxt->restart = false;
 }
-static void emulate_gp(struct x86_emulate_ctxt *ctxt, int err)
+static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
 {
-        emulate_exception(ctxt, GP_VECTOR, err, true);
+        u16 selector;
+        struct desc_struct desc;
+        ctxt->ops->get_segment(ctxt, &selector, &desc, NULL, seg);
+        return selector;
 }
-static void emulate_pf(struct x86_emulate_ctxt *ctxt, unsigned long addr,
+static void set_segment_selector(struct x86_emulate_ctxt *ctxt, u16 selector,
-                       int err)
+                                 unsigned seg)
 {
-        ctxt->cr2 = addr;
+        u16 dummy;
-        emulate_exception(ctxt, PF_VECTOR, err, true);
+        u32 base3;
+        struct desc_struct desc;
+        ctxt->ops->get_segment(ctxt, &dummy, &desc, &base3, seg);
+        ctxt->ops->set_segment(ctxt, selector, &desc, base3, seg);
 }
-static void emulate_ud(struct x86_emulate_ctxt *ctxt)
+static int __linearize(struct x86_emulate_ctxt *ctxt,
+                     struct segmented_address addr,
+                     unsigned size, bool write, bool fetch,
+                     ulong *linear)
 {
-        emulate_exception(ctxt, UD_VECTOR, 0, false);
+        struct decode_cache *c = &ctxt->decode;
+        struct desc_struct desc;
+        bool usable;
+        ulong la;
+        u32 lim;
+        u16 sel;
+        unsigned cpl, rpl;
+        la = seg_base(ctxt, ctxt->ops, addr.seg) + addr.ea;
+        switch (ctxt->mode) {
+        case X86EMUL_MODE_REAL:
+                break;
+        case X86EMUL_MODE_PROT64:
+                if (((signed long)la << 16) >> 16 != la)
+                        return emulate_gp(ctxt, 0);
+                break;
+        default:
+                usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
+                                                addr.seg);
+                if (!usable)
+                        goto bad;
+                /* code segment or read-only data segment */
+                if (((desc.type & 8) || !(desc.type & 2)) && write)
+                        goto bad;
+                /* unreadable code segment */
+                if (!fetch && (desc.type & 8) && !(desc.type & 2))
+                        goto bad;
+                lim = desc_limit_scaled(&desc);
+                if ((desc.type & 8) || !(desc.type & 4)) {
+                        /* expand-up segment */
+                        if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+                                goto bad;
+                } else {
+                        /* exapand-down segment */
+                        if (addr.ea <= lim || (u32)(addr.ea + size - 1) <= lim)
+                                goto bad;
+                        lim = desc.d ? 0xffffffff : 0xffff;
+                        if (addr.ea > lim || (u32)(addr.ea + size - 1) > lim)
+                                goto bad;
+                }
+                cpl = ctxt->ops->cpl(ctxt);
+                rpl = sel & 3;
+                cpl = max(cpl, rpl);
+                if (!(desc.type & 8)) {
+                        /* data segment */
+                        if (cpl > desc.dpl)
+                                goto bad;
+                } else if ((desc.type & 8) && !(desc.type & 4)) {
+                        /* nonconforming code segment */
+                        if (cpl != desc.dpl)
+                                goto bad;
+                } else if ((desc.type & 8) && (desc.type & 4)) {
+                        /* conforming code segment */
+                        if (cpl < desc.dpl)
+                                goto bad;
+                }
+                break;
+        }
+        if (fetch ? ctxt->mode != X86EMUL_MODE_PROT64 : c->ad_bytes != 8)
+                la &= (u32)-1;
+        *linear = la;
+        return X86EMUL_CONTINUE;
+bad:
+        if (addr.seg == VCPU_SREG_SS)
+                return emulate_ss(ctxt, addr.seg);
+        else
+                return emulate_gp(ctxt, addr.seg);
 }
-static void emulate_ts(struct x86_emulate_ctxt *ctxt, int err)
+static int linearize(struct x86_emulate_ctxt *ctxt,
+                     struct segmented_address addr,
+                     unsigned size, bool write,
+                     ulong *linear)
 {
-        emulate_exception(ctxt, TS_VECTOR, err, true);
+        return __linearize(ctxt, addr, size, write, false, linear);
+}
+static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
+                              struct segmented_address addr,
+                              void *data,
+                              unsigned size)
+{
+        int rc;
+        ulong linear;
+        rc = linearize(ctxt, addr, size, false, &linear);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
 }
 static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
@@ -695,10 +680,15 @@ static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
        int size, cur_size;
        if (eip == fc->end) {
+                unsigned long linear;
+                struct segmented_address addr = { .seg=VCPU_SREG_CS, .ea=eip};
                cur_size = fc->end - fc->start;
                size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
-                rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
+                rc = __linearize(ctxt, addr, size, false, true, &linear);
-                                size, ctxt->vcpu, NULL);
+                if (rc != X86EMUL_CONTINUE)
+                        return rc;
+                rc = ops->fetch(ctxt, linear, fc->data + cur_size,
+                                size, &ctxt->exception);
                if (rc != X86EMUL_CONTINUE)
                        return rc;
                fc->end += size;
@@ -741,8 +731,7 @@ static void *decode_register(u8 modrm_reg, unsigned long *regs,
 }
 static int read_descriptor(struct x86_emulate_ctxt *ctxt,
-                           struct x86_emulate_ops *ops,
+                           struct segmented_address addr,
-                           void *ptr,
                           u16 *size, unsigned long *address, int op_bytes)
 {
        int rc;
@@ -750,12 +739,11 @@ static int read_descriptor(struct x86_emulate_ctxt *ctxt,
        if (op_bytes == 2)
                op_bytes = 3;
        *address = 0;
-        rc = ops->read_std((unsigned long)ptr, (unsigned long *)size, 2,
+        rc = segmented_read_std(ctxt, addr, size, 2);
-                           ctxt->vcpu, NULL);
        if (rc != X86EMUL_CONTINUE)
                return rc;
-        rc = ops->read_std((unsigned long)ptr + 2, address, op_bytes,
+        addr.ea += 2;
-                           ctxt->vcpu, NULL);
+        rc = segmented_read_std(ctxt, addr, address, op_bytes);
        return rc;
 }
@@ -794,7 +782,81 @@ static int test_cc(unsigned int condition, unsigned int flags)
        return (!!rc ^ (condition & 1));
 }
-static void decode_register_operand(struct operand *op,
+static void fetch_register_operand(struct operand *op)
+{
+        switch (op->bytes) {
+        case 1:
+                op->val = *(u8 *)op->addr.reg;
+                break;
+        case 2:
+                op->val = *(u16 *)op->addr.reg;
+                break;
+        case 4:
+                op->val = *(u32 *)op->addr.reg;
+                break;
+        case 8:
+                op->val = *(u64 *)op->addr.reg;
+                break;
+        }
+}
+static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
+{
+        ctxt->ops->get_fpu(ctxt);
+        switch (reg) {
+        case 0: asm("movdqu %%xmm0, %0" : "=m"(*data)); break;
+        case 1: asm("movdqu %%xmm1, %0" : "=m"(*data)); break;
+        case 2: asm("movdqu %%xmm2, %0" : "=m"(*data)); break;
+        case 3: asm("movdqu %%xmm3, %0" : "=m"(*data)); break;
+        case 4: asm("movdqu %%xmm4, %0" : "=m"(*data)); break;
+        case 5: asm("movdqu %%xmm5, %0" : "=m"(*data)); break;
+        case 6: asm("movdqu %%xmm6, %0" : "=m"(*data)); break;
+        case 7: asm("movdqu %%xmm7, %0" : "=m"(*data)); break;
+#ifdef CONFIG_X86_64
+        case 8: asm("movdqu %%xmm8, %0" : "=m"(*data)); break;
+        case 9: asm("movdqu %%xmm9, %0" : "=m"(*data)); break;
+        case 10: asm("movdqu %%xmm10, %0" : "=m"(*data)); break;
+        case 11: asm("movdqu %%xmm11, %0" : "=m"(*data)); break;
+        case 12: asm("movdqu %%xmm12, %0" : "=m"(*data)); break;
+        case 13: asm("movdqu %%xmm13, %0" : "=m"(*data)); break;
+        case 14: asm("movdqu %%xmm14, %0" : "=m"(*data)); break;
+        case 15: asm("movdqu %%xmm15, %0" : "=m"(*data)); break;
+#endif
+        default: BUG();
+        }
+        ctxt->ops->put_fpu(ctxt);
+}
+static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
+                          int reg)
+{
+        ctxt->ops->get_fpu(ctxt);
+        switch (reg) {
+        case 0: asm("movdqu %0, %%xmm0" : : "m"(*data)); break;
+        case 1: asm("movdqu %0, %%xmm1" : : "m"(*data)); break;
+        case 2: asm("movdqu %0, %%xmm2" : : "m"(*data)); break;
+        case 3: asm("movdqu %0, %%xmm3" : : "m"(*data)); break;
+        case 4: asm("movdqu %0, %%xmm4" : : "m"(*data)); break;
+        case 5: asm("movdqu %0, %%xmm5" : : "m"(*data)); break;
+        case 6: asm("movdqu %0, %%xmm6" : : "m"(*data)); break;
+        case 7: asm("movdqu %0, %%xmm7" : : "m"(*data)); break;
+#ifdef CONFIG_X86_64
+        case 8: asm("movdqu %0, %%xmm8" : : "m"(*data)); break;
+        case 9: asm("movdqu %0, %%xmm9" : : "m"(*data)); break;
+        case 10: asm("movdqu %0, %%xmm10" : : "m"(*data)); break;
+        case 11: asm("movdqu %0, %%xmm11" : : "m"(*data)); break;
+        case 12: asm("movdqu %0, %%xmm12" : : "m"(*data)); break;
+        case 13: asm("movdqu %0, %%xmm13" : : "m"(*data)); break;
+        case 14: asm("movdqu %0, %%xmm14" : : "m"(*data)); break;
+        case 15: asm("movdqu %0, %%xmm15" : : "m"(*data)); break;
+#endif
+        default: BUG();
+        }
+        ctxt->ops->put_fpu(ctxt);
+}
+static void decode_register_operand(struct x86_emulate_ctxt *ctxt,
+                                    struct operand *op,
                                    struct decode_cache *c,
                                    int inhibit_bytereg)
 {
@@ -803,36 +865,36 @@ static void decode_register_operand(struct operand *op,
        if (!(c->d & ModRM))
                reg = (c->b & 7) | ((c->rex_prefix & 1) << 3);
+        if (c->d & Sse) {
+                op->type = OP_XMM;
+                op->bytes = 16;
+                op->addr.xmm = reg;
+                read_sse_reg(ctxt, &op->vec_val, reg);
+                return;
+        }
        op->type = OP_REG;
        if ((c->d & ByteOp) && !inhibit_bytereg) {
-                op->ptr = decode_register(reg, c->regs, highbyte_regs);
+                op->addr.reg = decode_register(reg, c->regs, highbyte_regs);
-                op->val = *(u8 *)op->ptr;
                op->bytes = 1;
        } else {
-                op->ptr = decode_register(reg, c->regs, 0);
+                op->addr.reg = decode_register(reg, c->regs, 0);
                op->bytes = c->op_bytes;
-                switch (op->bytes) {
-                case 2:
-                        op->val = *(u16 *)op->ptr;
-                        break;
-                case 4:
-                        op->val = *(u32 *)op->ptr;
-                        break;
-                case 8:
-                        op->val = *(u64 *) op->ptr;
-                        break;
-                }
        }
+        fetch_register_operand(op);
        op->orig_val = op->val;
 }
 static int decode_modrm(struct x86_emulate_ctxt *ctxt,
-                        struct x86_emulate_ops *ops)
+                        struct x86_emulate_ops *ops,
+                        struct operand *op)
 {
        struct decode_cache *c = &ctxt->decode;
        u8 sib;
        int index_reg = 0, base_reg = 0, scale;
        int rc = X86EMUL_CONTINUE;
+        ulong modrm_ea = 0;
        if (c->rex_prefix) {
                c->modrm_reg = (c->rex_prefix & 4) << 1;        /* REX.R */
@@ -844,16 +906,26 @@ static int decode_modrm(struct x86_emulate_ctxt *ctxt,
        c->modrm_mod |= (c->modrm & 0xc0) >> 6;
        c->modrm_reg |= (c->modrm & 0x38) >> 3;
        c->modrm_rm |= (c->modrm & 0x07);
-        c->modrm_ea = 0;
+        c->modrm_seg = VCPU_SREG_DS;
-        c->use_modrm_ea = 1;
        if (c->modrm_mod == 3) {
-                c->modrm_ptr = decode_register(c->modrm_rm,
+                op->type = OP_REG;
+                op->bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                op->addr.reg = decode_register(c->modrm_rm,
                                               c->regs, c->d & ByteOp);
-                c->modrm_val = *(unsigned long *)c->modrm_ptr;
+                if (c->d & Sse) {
+                        op->type = OP_XMM;
+                        op->bytes = 16;
+                        op->addr.xmm = c->modrm_rm;
+                        read_sse_reg(ctxt, &op->vec_val, c->modrm_rm);
+                        return rc;
+                }
+                fetch_register_operand(op);
                return rc;
        }
+        op->type = OP_MEM;
        if (c->ad_bytes == 2) {
                unsigned bx = c->regs[VCPU_REGS_RBX];
                unsigned bp = c->regs[VCPU_REGS_RBP];
@@ -864,47 +936,46 @@ static int decode_modrm(struct x86_emulate_ctxt *ctxt,
                switch (c->modrm_mod) {
                case 0:
                        if (c->modrm_rm == 6)
-                                c->modrm_ea += insn_fetch(u16, 2, c->eip);
+                                modrm_ea += insn_fetch(u16, 2, c->eip);
                        break;
                case 1:
-                        c->modrm_ea += insn_fetch(s8, 1, c->eip);
+                        modrm_ea += insn_fetch(s8, 1, c->eip);
                        break;
                case 2:
-                        c->modrm_ea += insn_fetch(u16, 2, c->eip);
+                        modrm_ea += insn_fetch(u16, 2, c->eip);
                        break;
                }
                switch (c->modrm_rm) {
                case 0:
-                        c->modrm_ea += bx + si;
+                        modrm_ea += bx + si;
                        break;
                case 1:
-                        c->modrm_ea += bx + di;
+                        modrm_ea += bx + di;
                        break;
                case 2:
-                        c->modrm_ea += bp + si;
+                        modrm_ea += bp + si;
                        break;
                case 3:
-                        c->modrm_ea += bp + di;
+                        modrm_ea += bp + di;
                        break;
                case 4:
-                        c->modrm_ea += si;
+                        modrm_ea += si;
                        break;
                case 5:
-                        c->modrm_ea += di;
+                        modrm_ea += di;
                        break;
                case 6:
                        if (c->modrm_mod != 0)
-                                c->modrm_ea += bp;
+                                modrm_ea += bp;
                        break;
                case 7:
-                        c->modrm_ea += bx;
+                        modrm_ea += bx;
                        break;
                }
                if (c->modrm_rm == 2 || c->modrm_rm == 3 ||
                    (c->modrm_rm == 6 && c->modrm_mod != 0))
-                        if (!c->has_seg_override)
+                        c->modrm_seg = VCPU_SREG_SS;
-                                set_seg_override(c, VCPU_SREG_SS);
+                modrm_ea = (u16)modrm_ea;
-                c->modrm_ea = (u16)c->modrm_ea;
        } else {
                /* 32/64-bit ModR/M decode. */
                if ((c->modrm_rm & 7) == 4) {
@@ -914,410 +985,74 @@ static int decode_modrm(struct x86_emulate_ctxt *ctxt,
                        scale = sib >> 6;
                        if ((base_reg & 7) == 5 && c->modrm_mod == 0)
-                                c->modrm_ea += insn_fetch(s32, 4, c->eip);
+                                modrm_ea += insn_fetch(s32, 4, c->eip);
                        else
-                                c->modrm_ea += c->regs[base_reg];
+                                modrm_ea += c->regs[base_reg];
                        if (index_reg != 4)
-                                c->modrm_ea += c->regs[index_reg] << scale;
+                                modrm_ea += c->regs[index_reg] << scale;
                } else if ((c->modrm_rm & 7) == 5 && c->modrm_mod == 0) {
                        if (ctxt->mode == X86EMUL_MODE_PROT64)
                                c->rip_relative = 1;
                } else
-                        c->modrm_ea += c->regs[c->modrm_rm];
+                        modrm_ea += c->regs[c->modrm_rm];
                switch (c->modrm_mod) {
                case 0:
                        if (c->modrm_rm == 5)
-                                c->modrm_ea += insn_fetch(s32, 4, c->eip);
+                                modrm_ea += insn_fetch(s32, 4, c->eip);
                        break;
                case 1:
-                        c->modrm_ea += insn_fetch(s8, 1, c->eip);
+                        modrm_ea += insn_fetch(s8, 1, c->eip);
                        break;
                case 2:
-                        c->modrm_ea += insn_fetch(s32, 4, c->eip);
+                        modrm_ea += insn_fetch(s32, 4, c->eip);
                        break;
                }
        }
+        op->addr.mem.ea = modrm_ea;
 done:
        return rc;
 }
 static int decode_abs(struct x86_emulate_ctxt *ctxt,
-                      struct x86_emulate_ops *ops)
+                      struct x86_emulate_ops *ops,
+                      struct operand *op)
 {
        struct decode_cache *c = &ctxt->decode;
        int rc = X86EMUL_CONTINUE;
+        op->type = OP_MEM;
        switch (c->ad_bytes) {
        case 2:
-                c->modrm_ea = insn_fetch(u16, 2, c->eip);
+                op->addr.mem.ea = insn_fetch(u16, 2, c->eip);
                break;
        case 4:
-                c->modrm_ea = insn_fetch(u32, 4, c->eip);
+                op->addr.mem.ea = insn_fetch(u32, 4, c->eip);
                break;
        case 8:
-                c->modrm_ea = insn_fetch(u64, 8, c->eip);
+                op->addr.mem.ea = insn_fetch(u64, 8, c->eip);
                break;
        }
 done:
        return rc;
 }
-int
+static void fetch_bit_operand(struct decode_cache *c)
-x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 {
-        struct decode_cache *c = &ctxt->decode;
+        long sv = 0, mask;
-        int rc = X86EMUL_CONTINUE;
-        int mode = ctxt->mode;
-        int def_op_bytes, def_ad_bytes, group;
-        /* we cannot decode insn before we complete previous rep insn */
-        WARN_ON(ctxt->restart);
-        c->eip = ctxt->eip;
-        c->fetch.start = c->fetch.end = c->eip;
-        ctxt->cs_base = seg_base(ctxt, ops, VCPU_SREG_CS);
-        switch (mode) {
-        case X86EMUL_MODE_REAL:
-        case X86EMUL_MODE_VM86:
-        case X86EMUL_MODE_PROT16:
-                def_op_bytes = def_ad_bytes = 2;
-                break;
-        case X86EMUL_MODE_PROT32:
-                def_op_bytes = def_ad_bytes = 4;
-                break;
-#ifdef CONFIG_X86_64
-        case X86EMUL_MODE_PROT64:
-                def_op_bytes = 4;
-                def_ad_bytes = 8;
-                break;
-#endif
-        default:
-                return -1;
-        }
-        c->op_bytes = def_op_bytes;
-        c->ad_bytes = def_ad_bytes;
-        /* Legacy prefixes. */
-        for (;;) {
-                switch (c->b = insn_fetch(u8, 1, c->eip)) {
-                case 0x66:      /* operand-size override */
-                        /* switch between 2/4 bytes */
-                        c->op_bytes = def_op_bytes ^ 6;
-                        break;
-                case 0x67:      /* address-size override */
-                        if (mode == X86EMUL_MODE_PROT64)
-                                /* switch between 4/8 bytes */
-                                c->ad_bytes = def_ad_bytes ^ 12;
-                        else
-                                /* switch between 2/4 bytes */
-                                c->ad_bytes = def_ad_bytes ^ 6;
-                        break;
-                case 0x26:      /* ES override */
-                case 0x2e:      /* CS override */
-                case 0x36:      /* SS override */
-                case 0x3e:      /* DS override */
-                        set_seg_override(c, (c->b >> 3) & 3);
-                        break;
-                case 0x64:      /* FS override */
-                case 0x65:      /* GS override */
-                        set_seg_override(c, c->b & 7);
-                        break;
-                case 0x40 ... 0x4f: /* REX */
-                        if (mode != X86EMUL_MODE_PROT64)
-                                goto done_prefixes;
-                        c->rex_prefix = c->b;
-                        continue;
-                case 0xf0:      /* LOCK */
-                        c->lock_prefix = 1;
-                        break;
-                case 0xf2:      /* REPNE/REPNZ */
-                        c->rep_prefix = REPNE_PREFIX;
-                        break;
-                case 0xf3:      /* REP/REPE/REPZ */
-                        c->rep_prefix = REPE_PREFIX;
-                        break;
-                default:
-                        goto done_prefixes;
-                }
-                /* Any legacy prefix after a REX prefix nullifies its effect. */
-                c->rex_prefix = 0;
+        if (c->dst.type == OP_MEM && c->src.type == OP_REG) {
-        }
+                mask = ~(c->dst.bytes * 8 - 1);
-done_prefixes:
-        /* REX prefix. */
-        if (c->rex_prefix)
-                if (c->rex_prefix & 8)
-                        c->op_bytes = 8;        /* REX.W */
-        /* Opcode byte(s). */
+                if (c->src.bytes == 2)
-        c->d = opcode_table[c->b];
+                        sv = (s16)c->src.val & (s16)mask;
-        if (c->d == 0) {
+                else if (c->src.bytes == 4)
-                /* Two-byte opcode? */
+                        sv = (s32)c->src.val & (s32)mask;
-                if (c->b == 0x0f) {
-                        c->twobyte = 1;
-                        c->b = insn_fetch(u8, 1, c->eip);
-                        c->d = twobyte_table[c->b];
-                }
-        }
-        if (c->d & Group) {
-                group = c->d & GroupMask;
-                c->modrm = insn_fetch(u8, 1, c->eip);
-                --c->eip;
-                group = (group << 3) + ((c->modrm >> 3) & 7);
-                if ((c->d & GroupDual) && (c->modrm >> 6) == 3)
-                        c->d = group2_table[group];
-                else
-                        c->d = group_table[group];
-        }
-        /* Unrecognised? */
+                c->dst.addr.mem.ea += (sv >> 3);
-        if (c->d == 0) {
-                DPRINTF("Cannot emulate %02x\n", c->b);
-                return -1;
        }
-        if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
+        /* only subword offset */
-                c->op_bytes = 8;
+        c->src.val &= (c->dst.bytes << 3) - 1;
-        /* ModRM and SIB bytes. */
-        if (c->d & ModRM)
-                rc = decode_modrm(ctxt, ops);
-        else if (c->d & MemAbs)
-                rc = decode_abs(ctxt, ops);
-        if (rc != X86EMUL_CONTINUE)
-                goto done;
-        if (!c->has_seg_override)
-                set_seg_override(c, VCPU_SREG_DS);
-        if (!(!c->twobyte && c->b == 0x8d))
-                c->modrm_ea += seg_override_base(ctxt, ops, c);
-        if (c->ad_bytes != 8)
-                c->modrm_ea = (u32)c->modrm_ea;
-        if (c->rip_relative)
-                c->modrm_ea += c->eip;
-        /*
-         * Decode and fetch the source operand: register, memory
-         * or immediate.
-         */
-        switch (c->d & SrcMask) {
-        case SrcNone:
-                break;
-        case SrcReg:
-                decode_register_operand(&c->src, c, 0);
-                break;
-        case SrcMem16:
-                c->src.bytes = 2;
-                goto srcmem_common;
-        case SrcMem32:
-                c->src.bytes = 4;
-                goto srcmem_common;
-        case SrcMem:
-                c->src.bytes = (c->d & ByteOp) ? 1 :
-                                                           c->op_bytes;
-                /* Don't fetch the address for invlpg: it could be unmapped. */
-                if (c->twobyte && c->b == 0x01 && c->modrm_reg == 7)
-                        break;
-        srcmem_common:
-                /*
-                 * For instructions with a ModR/M byte, switch to register
-                 * access if Mod = 3.
-                 */
-                if ((c->d & ModRM) && c->modrm_mod == 3) {
-                        c->src.type = OP_REG;
-                        c->src.val = c->modrm_val;
-                        c->src.ptr = c->modrm_ptr;
-                        break;
-                }
-                c->src.type = OP_MEM;
-                c->src.ptr = (unsigned long *)c->modrm_ea;
-                c->src.val = 0;
-                break;
-        case SrcImm:
-        case SrcImmU:
-                c->src.type = OP_IMM;
-                c->src.ptr = (unsigned long *)c->eip;
-                c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                if (c->src.bytes == 8)
-                        c->src.bytes = 4;
-                /* NB. Immediates are sign-extended as necessary. */
-                switch (c->src.bytes) {
-                case 1:
-                        c->src.val = insn_fetch(s8, 1, c->eip);
-                        break;
-                case 2:
-                        c->src.val = insn_fetch(s16, 2, c->eip);
-                        break;
-                case 4:
-                        c->src.val = insn_fetch(s32, 4, c->eip);
-                        break;
-                }
-                if ((c->d & SrcMask) == SrcImmU) {
-                        switch (c->src.bytes) {
-                        case 1:
-                                c->src.val &= 0xff;
-                                break;
-                        case 2:
-                                c->src.val &= 0xffff;
-                                break;
-                        case 4:
-                                c->src.val &= 0xffffffff;
-                                break;
-                        }
-                }
-                break;
-        case SrcImmByte:
-        case SrcImmUByte:
-                c->src.type = OP_IMM;
-                c->src.ptr = (unsigned long *)c->eip;
-                c->src.bytes = 1;
-                if ((c->d & SrcMask) == SrcImmByte)
-                        c->src.val = insn_fetch(s8, 1, c->eip);
-                else
-                        c->src.val = insn_fetch(u8, 1, c->eip);
-                break;
-        case SrcAcc:
-                c->src.type = OP_REG;
-                c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                c->src.ptr = &c->regs[VCPU_REGS_RAX];
-                switch (c->src.bytes) {
-                        case 1:
-                                c->src.val = *(u8 *)c->src.ptr;
-                                break;
-                        case 2:
-                                c->src.val = *(u16 *)c->src.ptr;
-                                break;
-                        case 4:
-                                c->src.val = *(u32 *)c->src.ptr;
-                                break;
-                        case 8:
-                                c->src.val = *(u64 *)c->src.ptr;
-                                break;
-                }
-                break;
-        case SrcOne:
-                c->src.bytes = 1;
-                c->src.val = 1;
-                break;
-        case SrcSI:
-                c->src.type = OP_MEM;
-                c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                c->src.ptr = (unsigned long *)
-                        register_address(c,  seg_override_base(ctxt, ops, c),
-                                         c->regs[VCPU_REGS_RSI]);
-                c->src.val = 0;
-                break;
-        case SrcImmFAddr:
-                c->src.type = OP_IMM;
-                c->src.ptr = (unsigned long *)c->eip;
-                c->src.bytes = c->op_bytes + 2;
-                insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
-                break;
-        case SrcMemFAddr:
-                c->src.type = OP_MEM;
-                c->src.ptr = (unsigned long *)c->modrm_ea;
-                c->src.bytes = c->op_bytes + 2;
-                break;
-        }
-        /*
-         * Decode and fetch the second source operand: register, memory
-         * or immediate.
-         */
-        switch (c->d & Src2Mask) {
-        case Src2None:
-                break;
-        case Src2CL:
-                c->src2.bytes = 1;
-                c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
-                break;
-        case Src2ImmByte:
-                c->src2.type = OP_IMM;
-                c->src2.ptr = (unsigned long *)c->eip;
-                c->src2.bytes = 1;
-                c->src2.val = insn_fetch(u8, 1, c->eip);
-                break;
-        case Src2One:
-                c->src2.bytes = 1;
-                c->src2.val = 1;
-                break;
-        }
-        /* Decode and fetch the destination operand: register or memory. */
-        switch (c->d & DstMask) {
-        case ImplicitOps:
-                /* Special instructions do their own operand decoding. */
-                return 0;
-        case DstReg:
-                decode_register_operand(&c->dst, c,
-                         c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
-                break;
-        case DstMem:
-        case DstMem64:
-                if ((c->d & ModRM) && c->modrm_mod == 3) {
-                        c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                        c->dst.type = OP_REG;
-                        c->dst.val = c->dst.orig_val = c->modrm_val;
-                        c->dst.ptr = c->modrm_ptr;
-                        break;
-                }
-                c->dst.type = OP_MEM;
-                c->dst.ptr = (unsigned long *)c->modrm_ea;
-                if ((c->d & DstMask) == DstMem64)
-                        c->dst.bytes = 8;
-                else
-                        c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                c->dst.val = 0;
-                if (c->d & BitOp) {
-                        unsigned long mask = ~(c->dst.bytes * 8 - 1);
-                        c->dst.ptr = (void *)c->dst.ptr +
-                                                   (c->src.val & mask) / 8;
-                }
-                break;
-        case DstAcc:
-                c->dst.type = OP_REG;
-                c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                c->dst.ptr = &c->regs[VCPU_REGS_RAX];
-                switch (c->dst.bytes) {
-                        case 1:
-                                c->dst.val = *(u8 *)c->dst.ptr;
-                                break;
-                        case 2:
-                                c->dst.val = *(u16 *)c->dst.ptr;
-                                break;
-                        case 4:
-                                c->dst.val = *(u32 *)c->dst.ptr;
-                                break;
-                        case 8:
-                                c->dst.val = *(u64 *)c->dst.ptr;
-                                break;
-                }
-                c->dst.orig_val = c->dst.val;
-                break;
-        case DstDI:
-                c->dst.type = OP_MEM;
-                c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
-                c->dst.ptr = (unsigned long *)
-                        register_address(c, es_base(ctxt, ops),
-                                         c->regs[VCPU_REGS_RDI]);
-                c->dst.val = 0;
-                break;
-        }
-done:
-        return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
 }
 static int read_emulated(struct x86_emulate_ctxt *ctxt,
@@ -1326,7 +1061,6 @@ static int read_emulated(struct x86_emulate_ctxt *ctxt,
 {
        int rc;
        struct read_cache *mc = &ctxt->decode.mem_read;
-        u32 err;
        while (size) {
                int n = min(size, 8u);
@@ -1334,10 +1068,8 @@ static int read_emulated(struct x86_emulate_ctxt *ctxt,
                if (mc->pos < mc->end)
                        goto read_cached;
-                rc = ops->read_emulated(addr, mc->data + mc->end, n, &err,
+                rc = ops->read_emulated(ctxt, addr, mc->data + mc->end, n,
-                                        ctxt->vcpu);
+                                        &ctxt->exception);
-                if (rc == X86EMUL_PROPAGATE_FAULT)
-                        emulate_pf(ctxt, addr, err);
                if (rc != X86EMUL_CONTINUE)
                        return rc;
                mc->end += n;
@@ -1351,6 +1083,50 @@ static int read_emulated(struct x86_emulate_ctxt *ctxt,
        return X86EMUL_CONTINUE;
 }
+static int segmented_read(struct x86_emulate_ctxt *ctxt,
+                          struct segmented_address addr,
+                          void *data,
+                          unsigned size)
+{
+        int rc;
+        ulong linear;
+        rc = linearize(ctxt, addr, size, false, &linear);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        return read_emulated(ctxt, ctxt->ops, linear, data, size);
+}
+static int segmented_write(struct x86_emulate_ctxt *ctxt,
+                           struct segmented_address addr,
+                           const void *data,
+                           unsigned size)
+{
+        int rc;
+        ulong linear;
+        rc = linearize(ctxt, addr, size, true, &linear);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        return ctxt->ops->write_emulated(ctxt, linear, data, size,
+                                         &ctxt->exception);
+}
+static int segmented_cmpxchg(struct x86_emulate_ctxt *ctxt,
+                             struct segmented_address addr,
+                             const void *orig_data, const void *data,
+                             unsigned size)
+{
+        int rc;
+        ulong linear;
+        rc = linearize(ctxt, addr, size, true, &linear);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        return ctxt->ops->cmpxchg_emulated(ctxt, linear, orig_data, data,
+                                           size, &ctxt->exception);
+}
 static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
                           struct x86_emulate_ops *ops,
                           unsigned int size, unsigned short port,
@@ -1371,7 +1147,7 @@ static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
                if (n == 0)
                        n = 1;
                rc->pos = rc->end = 0;
-                if (!ops->pio_in_emulated(size, port, rc->data, n, ctxt->vcpu))
+                if (!ops->pio_in_emulated(ctxt, size, port, rc->data, n))
                        return 0;
                rc->end = n * size;
        }
@@ -1381,27 +1157,22 @@ static int pio_in_emulated(struct x86_emulate_ctxt *ctxt,
        return 1;
 }
-static u32 desc_limit_scaled(struct desc_struct *desc)
-{
-        u32 limit = get_desc_limit(desc);
-        return desc->g ? (limit << 12) | 0xfff : limit;
-}
 static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
                                     struct x86_emulate_ops *ops,
                                     u16 selector, struct desc_ptr *dt)
 {
        if (selector & 1 << 2) {
                struct desc_struct desc;
+                u16 sel;
                memset (dt, 0, sizeof *dt);
-                if (!ops->get_cached_descriptor(&desc, VCPU_SREG_LDTR, ctxt->vcpu))
+                if (!ops->get_segment(ctxt, &sel, &desc, NULL, VCPU_SREG_LDTR))
                        return;
                dt->size = desc_limit_scaled(&desc); /* what if limit > 65535? */
                dt->address = get_desc_base(&desc);
        } else
-                ops->get_gdt(dt, ctxt->vcpu);
+                ops->get_gdt(ctxt, dt);
 }
 /* allowed just for 8 bytes segments */
@@ -1412,19 +1183,14 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        struct desc_ptr dt;
        u16 index = selector >> 3;
        int ret;
-        u32 err;
        ulong addr;
        get_descriptor_table_ptr(ctxt, ops, selector, &dt);
-        if (dt.size < index * 8 + 7) {
+        if (dt.size < index * 8 + 7)
-                emulate_gp(ctxt, selector & 0xfffc);
+                return emulate_gp(ctxt, selector & 0xfffc);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        addr = dt.address + index * 8;
-        ret = ops->read_std(addr, desc, sizeof *desc, ctxt->vcpu,  &err);
+        ret = ops->read_std(ctxt, addr, desc, sizeof *desc, &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT)
-                emulate_pf(ctxt, addr, err);
       return ret;
 }
@@ -1436,25 +1202,21 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 {
        struct desc_ptr dt;
        u16 index = selector >> 3;
-        u32 err;
        ulong addr;
        int ret;
        get_descriptor_table_ptr(ctxt, ops, selector, &dt);
-        if (dt.size < index * 8 + 7) {
+        if (dt.size < index * 8 + 7)
-                emulate_gp(ctxt, selector & 0xfffc);
+                return emulate_gp(ctxt, selector & 0xfffc);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        addr = dt.address + index * 8;
-        ret = ops->write_std(addr, desc, sizeof *desc, ctxt->vcpu, &err);
+        ret = ops->write_std(ctxt, addr, desc, sizeof *desc, &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT)
-                emulate_pf(ctxt, addr, err);
        return ret;
 }
+/* Does not support long mode */
 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                                   struct x86_emulate_ops *ops,
                                   u16 selector, int seg)
@@ -1509,7 +1271,7 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        rpl = selector & 3;
        dpl = seg_desc.dpl;
-        cpl = ops->cpl(ctxt->vcpu);
+        cpl = ops->cpl(ctxt);
        switch (seg) {
        case VCPU_SREG_SS:
@@ -1565,63 +1327,59 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
                        return ret;
        }
 load:
-        ops->set_segment_selector(selector, seg, ctxt->vcpu);
+        ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
-        ops->set_cached_descriptor(&seg_desc, seg, ctxt->vcpu);
        return X86EMUL_CONTINUE;
 exception:
        emulate_exception(ctxt, err_vec, err_code, true);
        return X86EMUL_PROPAGATE_FAULT;
 }
-static inline int writeback(struct x86_emulate_ctxt *ctxt,
+static void write_register_operand(struct operand *op)
-                            struct x86_emulate_ops *ops)
+{
+        /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
+        switch (op->bytes) {
+        case 1:
+                *(u8 *)op->addr.reg = (u8)op->val;
+                break;
+        case 2:
+                *(u16 *)op->addr.reg = (u16)op->val;
+                break;
+        case 4:
+                *op->addr.reg = (u32)op->val;
+                break;  /* 64b: zero-extend */
+        case 8:
+                *op->addr.reg = op->val;
+                break;
+        }
+}
+static int writeback(struct x86_emulate_ctxt *ctxt)
 {
        int rc;
        struct decode_cache *c = &ctxt->decode;
-        u32 err;
        switch (c->dst.type) {
        case OP_REG:
-                /* The 4-byte case *is* correct:
+                write_register_operand(&c->dst);
-                 * in 64-bit mode we zero-extend.
-                 */
-                switch (c->dst.bytes) {
-                case 1:
-                        *(u8 *)c->dst.ptr = (u8)c->dst.val;
-                        break;
-                case 2:
-                        *(u16 *)c->dst.ptr = (u16)c->dst.val;
-                        break;
-                case 4:
-                        *c->dst.ptr = (u32)c->dst.val;
-                        break;  /* 64b: zero-ext */
-                case 8:
-                        *c->dst.ptr = c->dst.val;
-                        break;
-                }
                break;
        case OP_MEM:
                if (c->lock_prefix)
-                        rc = ops->cmpxchg_emulated(
+                        rc = segmented_cmpxchg(ctxt,
-                                        (unsigned long)c->dst.ptr,
+                                               c->dst.addr.mem,
-                                        &c->dst.orig_val,
+                                               &c->dst.orig_val,
-                                        &c->dst.val,
+                                               &c->dst.val,
-                                        c->dst.bytes,
+                                               c->dst.bytes);
-                                        &err,
-                                        ctxt->vcpu);
                else
-                        rc = ops->write_emulated(
+                        rc = segmented_write(ctxt,
-                                        (unsigned long)c->dst.ptr,
+                                             c->dst.addr.mem,
-                                        &c->dst.val,
+                                             &c->dst.val,
-                                        c->dst.bytes,
+                                             c->dst.bytes);
-                                        &err,
-                                        ctxt->vcpu);
-                if (rc == X86EMUL_PROPAGATE_FAULT)
-                        emulate_pf(ctxt,
-                                              (unsigned long)c->dst.ptr, err);
                if (rc != X86EMUL_CONTINUE)
                        return rc;
                break;
+        case OP_XMM:
+                write_sse_reg(ctxt, &c->dst.vec_val, c->dst.addr.xmm);
+                break;
        case OP_NONE:
                /* no writeback */
                break;
@@ -1631,29 +1389,30 @@ static inline int writeback(struct x86_emulate_ctxt *ctxt,
        return X86EMUL_CONTINUE;
 }
-static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
+static int em_push(struct x86_emulate_ctxt *ctxt)
-                                struct x86_emulate_ops *ops)
 {
        struct decode_cache *c = &ctxt->decode;
+        struct segmented_address addr;
-        c->dst.type  = OP_MEM;
-        c->dst.bytes = c->op_bytes;
-        c->dst.val = c->src.val;
        register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
-        c->dst.ptr = (void *) register_address(c, ss_base(ctxt, ops),
+        addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
-                                               c->regs[VCPU_REGS_RSP]);
+        addr.seg = VCPU_SREG_SS;
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return segmented_write(ctxt, addr, &c->src.val, c->op_bytes);
 }
 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
-                       struct x86_emulate_ops *ops,
                       void *dest, int len)
 {
        struct decode_cache *c = &ctxt->decode;
        int rc;
+        struct segmented_address addr;
-        rc = read_emulated(ctxt, ops, register_address(c, ss_base(ctxt, ops),
+        addr.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
-                                                       c->regs[VCPU_REGS_RSP]),
+        addr.seg = VCPU_SREG_SS;
-                           dest, len);
+        rc = segmented_read(ctxt, addr, dest, len);
        if (rc != X86EMUL_CONTINUE)
                return rc;
@@ -1661,6 +1420,13 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
        return rc;
 }
+static int em_pop(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        return emulate_pop(ctxt, &c->dst.val, c->op_bytes);
+}
 static int emulate_popf(struct x86_emulate_ctxt *ctxt,
                       struct x86_emulate_ops *ops,
                       void *dest, int len)
@@ -1668,9 +1434,9 @@ static int emulate_popf(struct x86_emulate_ctxt *ctxt,
        int rc;
        unsigned long val, change_mask;
        int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
-        int cpl = ops->cpl(ctxt->vcpu);
+        int cpl = ops->cpl(ctxt);
-        rc = emulate_pop(ctxt, ops, &val, len);
+        rc = emulate_pop(ctxt, &val, len);
        if (rc != X86EMUL_CONTINUE)
                return rc;
@@ -1687,10 +1453,8 @@ static int emulate_popf(struct x86_emulate_ctxt *ctxt,
                        change_mask |= EFLG_IF;
                break;
        case X86EMUL_MODE_VM86:
-                if (iopl < 3) {
+                if (iopl < 3)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
                change_mask |= EFLG_IF;
                break;
        default: /* real mode */
@@ -1704,14 +1468,24 @@ static int emulate_popf(struct x86_emulate_ctxt *ctxt,
        return rc;
 }
-static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
+static int em_popf(struct x86_emulate_ctxt *ctxt)
-                              struct x86_emulate_ops *ops, int seg)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.type = OP_REG;
+        c->dst.addr.reg = &ctxt->eflags;
+        c->dst.bytes = c->op_bytes;
+        return emulate_popf(ctxt, ctxt->ops, &c->dst.val, c->op_bytes);
+}
+static int emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
+                             struct x86_emulate_ops *ops, int seg)
 {
        struct decode_cache *c = &ctxt->decode;
-        c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
+        c->src.val = get_segment_selector(ctxt, seg);
-        emulate_push(ctxt, ops);
+        return em_push(ctxt);
 }
 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
@@ -1721,7 +1495,7 @@ static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
        unsigned long selector;
        int rc;
-        rc = emulate_pop(ctxt, ops, &selector, c->op_bytes);
+        rc = emulate_pop(ctxt, &selector, c->op_bytes);
        if (rc != X86EMUL_CONTINUE)
                return rc;
@@ -1729,8 +1503,7 @@ static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
        return rc;
 }
-static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
+static int em_pusha(struct x86_emulate_ctxt *ctxt)
-                          struct x86_emulate_ops *ops)
 {
        struct decode_cache *c = &ctxt->decode;
        unsigned long old_esp = c->regs[VCPU_REGS_RSP];
@@ -1741,23 +1514,25 @@ static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
                (reg == VCPU_REGS_RSP) ?
                (c->src.val = old_esp) : (c->src.val = c->regs[reg]);
-                emulate_push(ctxt, ops);
+                rc = em_push(ctxt);
-                rc = writeback(ctxt, ops);
                if (rc != X86EMUL_CONTINUE)
                        return rc;
                ++reg;
        }
-        /* Disable writeback. */
-        c->dst.type = OP_NONE;
        return rc;
 }
-static int emulate_popa(struct x86_emulate_ctxt *ctxt,
+static int em_pushf(struct x86_emulate_ctxt *ctxt)
-                        struct x86_emulate_ops *ops)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->src.val =  (unsigned long)ctxt->eflags;
+        return em_push(ctxt);
+}
+static int em_popa(struct x86_emulate_ctxt *ctxt)
 {
        struct decode_cache *c = &ctxt->decode;
        int rc = X86EMUL_CONTINUE;
@@ -1770,7 +1545,7 @@ static int emulate_popa(struct x86_emulate_ctxt *ctxt,
                        --reg;
                }
-                rc = emulate_pop(ctxt, ops, &c->regs[reg], c->op_bytes);
+                rc = emulate_pop(ctxt, &c->regs[reg], c->op_bytes);
                if (rc != X86EMUL_CONTINUE)
                        break;
                --reg;
@@ -1778,15 +1553,167 @@ static int emulate_popa(struct x86_emulate_ctxt *ctxt,
        return rc;
 }
-static inline int emulate_grp1a(struct x86_emulate_ctxt *ctxt,
+int emulate_int_real(struct x86_emulate_ctxt *ctxt,
-                                struct x86_emulate_ops *ops)
+                               struct x86_emulate_ops *ops, int irq)
 {
        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        struct desc_ptr dt;
+        gva_t cs_addr;
+        gva_t eip_addr;
+        u16 cs, eip;
-        return emulate_pop(ctxt, ops, &c->dst.val, c->dst.bytes);
+        /* TODO: Add limit checks */
+        c->src.val = ctxt->eflags;
+        rc = em_push(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
+        c->src.val = get_segment_selector(ctxt, VCPU_SREG_CS);
+        rc = em_push(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->src.val = c->eip;
+        rc = em_push(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        ops->get_idt(ctxt, &dt);
+        eip_addr = dt.address + (irq << 2);
+        cs_addr = dt.address + (irq << 2) + 2;
+        rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        rc = load_segment_descriptor(ctxt, ops, cs, VCPU_SREG_CS);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->eip = eip;
+        return rc;
 }
-static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
+static int emulate_int(struct x86_emulate_ctxt *ctxt,
+                       struct x86_emulate_ops *ops, int irq)
+{
+        switch(ctxt->mode) {
+        case X86EMUL_MODE_REAL:
+                return emulate_int_real(ctxt, ops, irq);
+        case X86EMUL_MODE_VM86:
+        case X86EMUL_MODE_PROT16:
+        case X86EMUL_MODE_PROT32:
+        case X86EMUL_MODE_PROT64:
+        default:
+                /* Protected mode interrupts unimplemented yet */
+                return X86EMUL_UNHANDLEABLE;
+        }
+}
+static int emulate_iret_real(struct x86_emulate_ctxt *ctxt,
+                             struct x86_emulate_ops *ops)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc = X86EMUL_CONTINUE;
+        unsigned long temp_eip = 0;
+        unsigned long temp_eflags = 0;
+        unsigned long cs = 0;
+        unsigned long mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_TF |
+                             EFLG_IF | EFLG_DF | EFLG_OF | EFLG_IOPL | EFLG_NT | EFLG_RF |
+                             EFLG_AC | EFLG_ID | (1 << 1); /* Last one is the reserved bit */
+        unsigned long vm86_mask = EFLG_VM | EFLG_VIF | EFLG_VIP;
+        /* TODO: Add stack limit check */
+        rc = emulate_pop(ctxt, &temp_eip, c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        if (temp_eip & ~0xffff)
+                return emulate_gp(ctxt, 0);
+        rc = emulate_pop(ctxt, &cs, c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        rc = emulate_pop(ctxt, &temp_eflags, c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->eip = temp_eip;
+        if (c->op_bytes == 4)
+                ctxt->eflags = ((temp_eflags & mask) | (ctxt->eflags & vm86_mask));
+        else if (c->op_bytes == 2) {
+                ctxt->eflags &= ~0xffff;
+                ctxt->eflags |= temp_eflags;
+        }
+        ctxt->eflags &= ~EFLG_RESERVED_ZEROS_MASK; /* Clear reserved zeros */
+        ctxt->eflags |= EFLG_RESERVED_ONE_MASK;
+        return rc;
+}
+static inline int emulate_iret(struct x86_emulate_ctxt *ctxt,
+                                    struct x86_emulate_ops* ops)
+{
+        switch(ctxt->mode) {
+        case X86EMUL_MODE_REAL:
+                return emulate_iret_real(ctxt, ops);
+        case X86EMUL_MODE_VM86:
+        case X86EMUL_MODE_PROT16:
+        case X86EMUL_MODE_PROT32:
+        case X86EMUL_MODE_PROT64:
+        default:
+                /* iret from protected mode unimplemented yet */
+                return X86EMUL_UNHANDLEABLE;
+        }
+}
+static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        unsigned short sel;
+        memcpy(&sel, c->src.valptr + c->op_bytes, 2);
+        rc = load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->eip = 0;
+        memcpy(&c->eip, c->src.valptr, c->op_bytes);
+        return X86EMUL_CONTINUE;
+}
+static int em_grp1a(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        return emulate_pop(ctxt, &c->dst.val, c->dst.bytes);
+}
+static int em_grp2(struct x86_emulate_ctxt *ctxt)
 {
        struct decode_cache *c = &ctxt->decode;
        switch (c->modrm_reg) {
@@ -1813,12 +1740,15 @@ static inline void emulate_grp2(struct x86_emulate_ctxt *ctxt)
                emulate_2op_SrcB("sar", c->src, c->dst, ctxt->eflags);
                break;
        }
+        return X86EMUL_CONTINUE;
 }
-static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
+static int em_grp3(struct x86_emulate_ctxt *ctxt)
-                               struct x86_emulate_ops *ops)
 {
        struct decode_cache *c = &ctxt->decode;
+        unsigned long *rax = &c->regs[VCPU_REGS_RAX];
+        unsigned long *rdx = &c->regs[VCPU_REGS_RDX];
+        u8 de = 0;
        switch (c->modrm_reg) {
        case 0 ... 1:   /* test */
@@ -1830,16 +1760,32 @@ static inline int emulate_grp3(struct x86_emulate_ctxt *ctxt,
        case 3: /* neg */
                emulate_1op("neg", c->dst, ctxt->eflags);
                break;
+        case 4: /* mul */
+                emulate_1op_rax_rdx("mul", c->src, *rax, *rdx, ctxt->eflags);
+                break;
+        case 5: /* imul */
+                emulate_1op_rax_rdx("imul", c->src, *rax, *rdx, ctxt->eflags);
+                break;
+        case 6: /* div */
+                emulate_1op_rax_rdx_ex("div", c->src, *rax, *rdx,
+                                       ctxt->eflags, de);
+                break;
+        case 7: /* idiv */
+                emulate_1op_rax_rdx_ex("idiv", c->src, *rax, *rdx,
+                                       ctxt->eflags, de);
+                break;
        default:
-                return 0;
+                return X86EMUL_UNHANDLEABLE;
        }
-        return 1;
+        if (de)
+                return emulate_de(ctxt);
+        return X86EMUL_CONTINUE;
 }
-static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
+static int em_grp45(struct x86_emulate_ctxt *ctxt)
-                               struct x86_emulate_ops *ops)
 {
        struct decode_cache *c = &ctxt->decode;
+        int rc = X86EMUL_CONTINUE;
        switch (c->modrm_reg) {
        case 0: /* inc */
@@ -1853,21 +1799,23 @@ static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
                old_eip = c->eip;
                c->eip = c->src.val;
                c->src.val = old_eip;
-                emulate_push(ctxt, ops);
+                rc = em_push(ctxt);
                break;
        }
        case 4: /* jmp abs */
                c->eip = c->src.val;
                break;
+        case 5: /* jmp far */
+                rc = em_jmp_far(ctxt);
+                break;
        case 6: /* push */
-                emulate_push(ctxt, ops);
+                rc = em_push(ctxt);
                break;
        }
-        return X86EMUL_CONTINUE;
+        return rc;
 }
-static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
+static int em_grp9(struct x86_emulate_ctxt *ctxt)
-                               struct x86_emulate_ops *ops)
 {
        struct decode_cache *c = &ctxt->decode;
        u64 old = c->dst.orig_val64;
@@ -1893,25 +1841,44 @@ static int emulate_ret_far(struct x86_emulate_ctxt *ctxt,
        int rc;
        unsigned long cs;
-        rc = emulate_pop(ctxt, ops, &c->eip, c->op_bytes);
+        rc = emulate_pop(ctxt, &c->eip, c->op_bytes);
        if (rc != X86EMUL_CONTINUE)
                return rc;
        if (c->op_bytes == 4)
                c->eip = (u32)c->eip;
-        rc = emulate_pop(ctxt, ops, &cs, c->op_bytes);
+        rc = emulate_pop(ctxt, &cs, c->op_bytes);
        if (rc != X86EMUL_CONTINUE)
                return rc;
        rc = load_segment_descriptor(ctxt, ops, (u16)cs, VCPU_SREG_CS);
        return rc;
 }
+static int emulate_load_segment(struct x86_emulate_ctxt *ctxt,
+                           struct x86_emulate_ops *ops, int seg)
+{
+        struct decode_cache *c = &ctxt->decode;
+        unsigned short sel;
+        int rc;
+        memcpy(&sel, c->src.valptr + c->op_bytes, 2);
+        rc = load_segment_descriptor(ctxt, ops, sel, seg);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->dst.val = c->src.val;
+        return rc;
+}
 static inline void
 setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
                        struct x86_emulate_ops *ops, struct desc_struct *cs,
                        struct desc_struct *ss)
 {
+        u16 selector;
        memset(cs, 0, sizeof(struct desc_struct));
-        ops->get_cached_descriptor(cs, VCPU_SREG_CS, ctxt->vcpu);
+        ops->get_segment(ctxt, &selector, cs, NULL, VCPU_SREG_CS);
        memset(ss, 0, sizeof(struct desc_struct));
        cs->l = 0;              /* will be adjusted later */
@@ -1941,46 +1908,44 @@ emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        struct desc_struct cs, ss;
        u64 msr_data;
        u16 cs_sel, ss_sel;
+        u64 efer = 0;
        /* syscall is not available in real mode */
        if (ctxt->mode == X86EMUL_MODE_REAL ||
-            ctxt->mode == X86EMUL_MODE_VM86) {
+            ctxt->mode == X86EMUL_MODE_VM86)
-                emulate_ud(ctxt);
+                return emulate_ud(ctxt);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
+        ops->get_msr(ctxt, MSR_EFER, &efer);
        setup_syscalls_segments(ctxt, ops, &cs, &ss);
-        ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+        ops->get_msr(ctxt, MSR_STAR, &msr_data);
        msr_data >>= 32;
        cs_sel = (u16)(msr_data & 0xfffc);
        ss_sel = (u16)(msr_data + 8);
-        if (is_long_mode(ctxt->vcpu)) {
+        if (efer & EFER_LMA) {
                cs.d = 0;
                cs.l = 1;
        }
-        ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
-        ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-        ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
-        ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
        c->regs[VCPU_REGS_RCX] = c->eip;
-        if (is_long_mode(ctxt->vcpu)) {
+        if (efer & EFER_LMA) {
 #ifdef CONFIG_X86_64
                c->regs[VCPU_REGS_R11] = ctxt->eflags & ~EFLG_RF;
-                ops->get_msr(ctxt->vcpu,
+                ops->get_msr(ctxt,
                             ctxt->mode == X86EMUL_MODE_PROT64 ?
                             MSR_LSTAR : MSR_CSTAR, &msr_data);
                c->eip = msr_data;
-                ops->get_msr(ctxt->vcpu, MSR_SYSCALL_MASK, &msr_data);
+                ops->get_msr(ctxt, MSR_SYSCALL_MASK, &msr_data);
                ctxt->eflags &= ~(msr_data | EFLG_RF);
 #endif
        } else {
                /* legacy mode */
-                ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+                ops->get_msr(ctxt, MSR_STAR, &msr_data);
                c->eip = (u32)msr_data;
                ctxt->eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
@@ -1996,36 +1961,30 @@ emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        struct desc_struct cs, ss;
        u64 msr_data;
        u16 cs_sel, ss_sel;
+        u64 efer = 0;
+        ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
        /* inject #GP if in real mode */
-        if (ctxt->mode == X86EMUL_MODE_REAL) {
+        if (ctxt->mode == X86EMUL_MODE_REAL)
-                emulate_gp(ctxt, 0);
+                return emulate_gp(ctxt, 0);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        /* XXX sysenter/sysexit have not been tested in 64bit mode.
        * Therefore, we inject an #UD.
        */
-        if (ctxt->mode == X86EMUL_MODE_PROT64) {
+        if (ctxt->mode == X86EMUL_MODE_PROT64)
-                emulate_ud(ctxt);
+                return emulate_ud(ctxt);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        setup_syscalls_segments(ctxt, ops, &cs, &ss);
-        ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
+        ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
        switch (ctxt->mode) {
        case X86EMUL_MODE_PROT32:
-                if ((msr_data & 0xfffc) == 0x0) {
+                if ((msr_data & 0xfffc) == 0x0)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
                break;
        case X86EMUL_MODE_PROT64:
-                if (msr_data == 0x0) {
+                if (msr_data == 0x0)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
                break;
        }
@@ -2034,21 +1993,18 @@ emulate_sysenter(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        cs_sel &= ~SELECTOR_RPL_MASK;
        ss_sel = cs_sel + 8;
        ss_sel &= ~SELECTOR_RPL_MASK;
-        if (ctxt->mode == X86EMUL_MODE_PROT64
+        if (ctxt->mode == X86EMUL_MODE_PROT64 || (efer & EFER_LMA)) {
-                || is_long_mode(ctxt->vcpu)) {
                cs.d = 0;
                cs.l = 1;
        }
-        ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
-        ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-        ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
-        ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
-        ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_EIP, &msr_data);
+        ops->get_msr(ctxt, MSR_IA32_SYSENTER_EIP, &msr_data);
        c->eip = msr_data;
-        ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_ESP, &msr_data);
+        ops->get_msr(ctxt, MSR_IA32_SYSENTER_ESP, &msr_data);
        c->regs[VCPU_REGS_RSP] = msr_data;
        return X86EMUL_CONTINUE;
@@ -2065,10 +2021,8 @@ emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        /* inject #GP if in real mode or Virtual 8086 mode */
        if (ctxt->mode == X86EMUL_MODE_REAL ||
-            ctxt->mode == X86EMUL_MODE_VM86) {
+            ctxt->mode == X86EMUL_MODE_VM86)
-                emulate_gp(ctxt, 0);
+                return emulate_gp(ctxt, 0);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        setup_syscalls_segments(ctxt, ops, &cs, &ss);
@@ -2079,22 +2033,18 @@ emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        cs.dpl = 3;
        ss.dpl = 3;
-        ops->get_msr(ctxt->vcpu, MSR_IA32_SYSENTER_CS, &msr_data);
+        ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
        switch (usermode) {
        case X86EMUL_MODE_PROT32:
                cs_sel = (u16)(msr_data + 16);
-                if ((msr_data & 0xfffc) == 0x0) {
+                if ((msr_data & 0xfffc) == 0x0)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
                ss_sel = (u16)(msr_data + 24);
                break;
        case X86EMUL_MODE_PROT64:
                cs_sel = (u16)(msr_data + 32);
-                if (msr_data == 0x0) {
+                if (msr_data == 0x0)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
                ss_sel = cs_sel + 8;
                cs.d = 0;
                cs.l = 1;
@@ -2103,10 +2053,8 @@ emulate_sysexit(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        cs_sel |= SELECTOR_RPL_MASK;
        ss_sel |= SELECTOR_RPL_MASK;
-        ops->set_cached_descriptor(&cs, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
-        ops->set_segment_selector(cs_sel, VCPU_SREG_CS, ctxt->vcpu);
+        ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
-        ops->set_cached_descriptor(&ss, VCPU_SREG_SS, ctxt->vcpu);
-        ops->set_segment_selector(ss_sel, VCPU_SREG_SS, ctxt->vcpu);
        c->eip = c->regs[VCPU_REGS_RDX];
        c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RCX];
@@ -2123,7 +2071,7 @@ static bool emulator_bad_iopl(struct x86_emulate_ctxt *ctxt,
        if (ctxt->mode == X86EMUL_MODE_VM86)
                return true;
        iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
-        return ops->cpl(ctxt->vcpu) > iopl;
+        return ops->cpl(ctxt) > iopl;
 }
 static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
@@ -2131,24 +2079,27 @@ static bool emulator_io_port_access_allowed(struct x86_emulate_ctxt *ctxt,
                                            u16 port, u16 len)
 {
        struct desc_struct tr_seg;
+        u32 base3;
        int r;
-        u16 io_bitmap_ptr;
+        u16 tr, io_bitmap_ptr, perm, bit_idx = port & 0x7;
-        u8 perm, bit_idx = port & 0x7;
        unsigned mask = (1 << len) - 1;
+        unsigned long base;
-        ops->get_cached_descriptor(&tr_seg, VCPU_SREG_TR, ctxt->vcpu);
+        ops->get_segment(ctxt, &tr, &tr_seg, &base3, VCPU_SREG_TR);
        if (!tr_seg.p)
                return false;
        if (desc_limit_scaled(&tr_seg) < 103)
                return false;
-        r = ops->read_std(get_desc_base(&tr_seg) + 102, &io_bitmap_ptr, 2,
+        base = get_desc_base(&tr_seg);
-                          ctxt->vcpu, NULL);
+#ifdef CONFIG_X86_64
+        base |= ((u64)base3) << 32;
+#endif
+        r = ops->read_std(ctxt, base + 102, &io_bitmap_ptr, 2, NULL);
        if (r != X86EMUL_CONTINUE)
                return false;
        if (io_bitmap_ptr + port/8 > desc_limit_scaled(&tr_seg))
                return false;
-        r = ops->read_std(get_desc_base(&tr_seg) + io_bitmap_ptr + port/8,
+        r = ops->read_std(ctxt, base + io_bitmap_ptr + port/8, &perm, 2, NULL);
-                          &perm, 1, ctxt->vcpu, NULL);
        if (r != X86EMUL_CONTINUE)
                return false;
        if ((perm >> bit_idx) & mask)
@@ -2160,9 +2111,15 @@ static bool emulator_io_permited(struct x86_emulate_ctxt *ctxt,
                                 struct x86_emulate_ops *ops,
                                 u16 port, u16 len)
 {
+        if (ctxt->perm_ok)
+                return true;
        if (emulator_bad_iopl(ctxt, ops))
                if (!emulator_io_port_access_allowed(ctxt, ops, port, len))
                        return false;
+        ctxt->perm_ok = true;
        return true;
 }
@@ -2183,11 +2140,11 @@ static void save_state_to_tss16(struct x86_emulate_ctxt *ctxt,
        tss->si = c->regs[VCPU_REGS_RSI];
        tss->di = c->regs[VCPU_REGS_RDI];
-        tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
+        tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
-        tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
+        tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
-        tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
+        tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
-        tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
+        tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
-        tss->ldt = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
+        tss->ldt = get_segment_selector(ctxt, VCPU_SREG_LDTR);
 }
 static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
@@ -2212,11 +2169,11 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
         * SDM says that segment selectors are loaded before segment
         * descriptors
         */
-        ops->set_segment_selector(tss->ldt, VCPU_SREG_LDTR, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ldt, VCPU_SREG_LDTR);
-        ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
-        ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
-        ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
-        ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
        /*
         * Now load segment descriptors. If fault happenes at this stage
@@ -2248,46 +2205,38 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt,
 {
        struct tss_segment_16 tss_seg;
        int ret;
-        u32 err, new_tss_base = get_desc_base(new_desc);
+        u32 new_tss_base = get_desc_base(new_desc);
-        ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-                            &err);
+                            &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, old_tss_base, err);
                return ret;
-        }
        save_state_to_tss16(ctxt, ops, &tss_seg);
-        ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-                             &err);
+                             &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, old_tss_base, err);
                return ret;
-        }
-        ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
-                            &err);
+                            &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, new_tss_base, err);
                return ret;
-        }
        if (old_tss_sel != 0xffff) {
                tss_seg.prev_task_link = old_tss_sel;
-                ret = ops->write_std(new_tss_base,
+                ret = ops->write_std(ctxt, new_tss_base,
                                     &tss_seg.prev_task_link,
                                     sizeof tss_seg.prev_task_link,
-                                     ctxt->vcpu, &err);
+                                     &ctxt->exception);
-                if (ret == X86EMUL_PROPAGATE_FAULT) {
+                if (ret != X86EMUL_CONTINUE)
                        /* FIXME: need to provide precise fault address */
-                        emulate_pf(ctxt, new_tss_base, err);
                        return ret;
-                }
        }
        return load_state_from_tss16(ctxt, ops, &tss_seg);
@@ -2299,7 +2248,7 @@ static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
 {
        struct decode_cache *c = &ctxt->decode;
-        tss->cr3 = ops->get_cr(3, ctxt->vcpu);
+        tss->cr3 = ops->get_cr(ctxt, 3);
        tss->eip = c->eip;
        tss->eflags = ctxt->eflags;
        tss->eax = c->regs[VCPU_REGS_RAX];
@@ -2311,13 +2260,13 @@ static void save_state_to_tss32(struct x86_emulate_ctxt *ctxt,
        tss->esi = c->regs[VCPU_REGS_RSI];
        tss->edi = c->regs[VCPU_REGS_RDI];
-        tss->es = ops->get_segment_selector(VCPU_SREG_ES, ctxt->vcpu);
+        tss->es = get_segment_selector(ctxt, VCPU_SREG_ES);
-        tss->cs = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
+        tss->cs = get_segment_selector(ctxt, VCPU_SREG_CS);
-        tss->ss = ops->get_segment_selector(VCPU_SREG_SS, ctxt->vcpu);
+        tss->ss = get_segment_selector(ctxt, VCPU_SREG_SS);
-        tss->ds = ops->get_segment_selector(VCPU_SREG_DS, ctxt->vcpu);
+        tss->ds = get_segment_selector(ctxt, VCPU_SREG_DS);
-        tss->fs = ops->get_segment_selector(VCPU_SREG_FS, ctxt->vcpu);
+        tss->fs = get_segment_selector(ctxt, VCPU_SREG_FS);
-        tss->gs = ops->get_segment_selector(VCPU_SREG_GS, ctxt->vcpu);
+        tss->gs = get_segment_selector(ctxt, VCPU_SREG_GS);
-        tss->ldt_selector = ops->get_segment_selector(VCPU_SREG_LDTR, ctxt->vcpu);
+        tss->ldt_selector = get_segment_selector(ctxt, VCPU_SREG_LDTR);
 }
 static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
@@ -2327,10 +2276,8 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
        struct decode_cache *c = &ctxt->decode;
        int ret;
-        if (ops->set_cr(3, tss->cr3, ctxt->vcpu)) {
+        if (ops->set_cr(ctxt, 3, tss->cr3))
-                emulate_gp(ctxt, 0);
+                return emulate_gp(ctxt, 0);
-                return X86EMUL_PROPAGATE_FAULT;
-        }
        c->eip = tss->eip;
        ctxt->eflags = tss->eflags | 2;
        c->regs[VCPU_REGS_RAX] = tss->eax;
@@ -2346,13 +2293,13 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
         * SDM says that segment selectors are loaded before segment
         * descriptors
         */
-        ops->set_segment_selector(tss->ldt_selector, VCPU_SREG_LDTR, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
-        ops->set_segment_selector(tss->es, VCPU_SREG_ES, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
-        ops->set_segment_selector(tss->cs, VCPU_SREG_CS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->cs, VCPU_SREG_CS);
-        ops->set_segment_selector(tss->ss, VCPU_SREG_SS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
-        ops->set_segment_selector(tss->ds, VCPU_SREG_DS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
-        ops->set_segment_selector(tss->fs, VCPU_SREG_FS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->fs, VCPU_SREG_FS);
-        ops->set_segment_selector(tss->gs, VCPU_SREG_GS, ctxt->vcpu);
+        set_segment_selector(ctxt, tss->gs, VCPU_SREG_GS);
        /*
         * Now load segment descriptors. If fault happenes at this stage
@@ -2390,46 +2337,38 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt,
 {
        struct tss_segment_32 tss_seg;
        int ret;
-        u32 err, new_tss_base = get_desc_base(new_desc);
+        u32 new_tss_base = get_desc_base(new_desc);
-        ret = ops->read_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-                            &err);
+                            &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, old_tss_base, err);
                return ret;
-        }
        save_state_to_tss32(ctxt, ops, &tss_seg);
-        ret = ops->write_std(old_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
-                             &err);
+                             &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, old_tss_base, err);
                return ret;
-        }
-        ret = ops->read_std(new_tss_base, &tss_seg, sizeof tss_seg, ctxt->vcpu,
+        ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
-                            &err);
+                            &ctxt->exception);
-        if (ret == X86EMUL_PROPAGATE_FAULT) {
+        if (ret != X86EMUL_CONTINUE)
                /* FIXME: need to provide precise fault address */
-                emulate_pf(ctxt, new_tss_base, err);
                return ret;
-        }
        if (old_tss_sel != 0xffff) {
                tss_seg.prev_task_link = old_tss_sel;
-                ret = ops->write_std(new_tss_base,
+                ret = ops->write_std(ctxt, new_tss_base,
                                     &tss_seg.prev_task_link,
                                     sizeof tss_seg.prev_task_link,
-                                     ctxt->vcpu, &err);
+                                     &ctxt->exception);
-                if (ret == X86EMUL_PROPAGATE_FAULT) {
+                if (ret != X86EMUL_CONTINUE)
                        /* FIXME: need to provide precise fault address */
-                        emulate_pf(ctxt, new_tss_base, err);
                        return ret;
-                }
        }
        return load_state_from_tss32(ctxt, ops, &tss_seg);
@@ -2442,9 +2381,9 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
 {
        struct desc_struct curr_tss_desc, next_tss_desc;
        int ret;
-        u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
+        u16 old_tss_sel = get_segment_selector(ctxt, VCPU_SREG_TR);
        ulong old_tss_base =
-                ops->get_cached_segment_base(VCPU_SREG_TR, ctxt->vcpu);
+                ops->get_cached_segment_base(ctxt, VCPU_SREG_TR);
        u32 desc_limit;
        /* FIXME: old_tss_base == ~0 ? */
@@ -2460,10 +2399,8 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
        if (reason != TASK_SWITCH_IRET) {
                if ((tss_selector & 3) > next_tss_desc.dpl ||
-                    ops->cpl(ctxt->vcpu) > next_tss_desc.dpl) {
+                    ops->cpl(ctxt) > next_tss_desc.dpl)
-                        emulate_gp(ctxt, 0);
+                        return emulate_gp(ctxt, 0);
-                        return X86EMUL_PROPAGATE_FAULT;
-                }
        }
        desc_limit = desc_limit_scaled(&next_tss_desc);
@@ -2506,9 +2443,8 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
                                         &next_tss_desc);
        }
-        ops->set_cr(0,  ops->get_cr(0, ctxt->vcpu) | X86_CR0_TS, ctxt->vcpu);
+        ops->set_cr(ctxt, 0,  ops->get_cr(ctxt, 0) | X86_CR0_TS);
-        ops->set_cached_descriptor(&next_tss_desc, VCPU_SREG_TR, ctxt->vcpu);
+        ops->set_segment(ctxt, tss_selector, &next_tss_desc, 0, VCPU_SREG_TR);
-        ops->set_segment_selector(tss_selector, VCPU_SREG_TR, ctxt->vcpu);
        if (has_error_code) {
                struct decode_cache *c = &ctxt->decode;
@@ -2516,17 +2452,17 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
                c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
                c->lock_prefix = 0;
                c->src.val = (unsigned long) error_code;
-                emulate_push(ctxt, ops);
+                ret = em_push(ctxt);
        }
        return ret;
 }
 int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
-                         struct x86_emulate_ops *ops,
                         u16 tss_selector, int reason,
                         bool has_error_code, u32 error_code)
 {
+        struct x86_emulate_ops *ops = ctxt->ops;
        struct decode_cache *c = &ctxt->decode;
        int rc;
@@ -2536,91 +2472,1357 @@ int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
        rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
                                     has_error_code, error_code);
-        if (rc == X86EMUL_CONTINUE) {
+        if (rc == X86EMUL_CONTINUE)
-                rc = writeback(ctxt, ops);
+                ctxt->eip = c->eip;
-                if (rc == X86EMUL_CONTINUE)
-                        ctxt->eip = c->eip;
-        }
-        return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
+        return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
 }
-static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned long base,
+static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
                            int reg, struct operand *op)
 {
        struct decode_cache *c = &ctxt->decode;
        int df = (ctxt->eflags & EFLG_DF) ? -1 : 1;
        register_address_increment(c, &c->regs[reg], df * op->bytes);
-        op->ptr = (unsigned long *)register_address(c,  base, c->regs[reg]);
+        op->addr.mem.ea = register_address(c, c->regs[reg]);
+        op->addr.mem.seg = seg;
+}
+static int em_das(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        u8 al, old_al;
+        bool af, cf, old_cf;
+        cf = ctxt->eflags & X86_EFLAGS_CF;
+        al = c->dst.val;
+        old_al = al;
+        old_cf = cf;
+        cf = false;
+        af = ctxt->eflags & X86_EFLAGS_AF;
+        if ((al & 0x0f) > 9 || af) {
+                al -= 6;
+                cf = old_cf | (al >= 250);
+                af = true;
+        } else {
+                af = false;
+        }
+        if (old_al > 0x99 || old_cf) {
+                al -= 0x60;
+                cf = true;
+        }
+        c->dst.val = al;
+        /* Set PF, ZF, SF */
+        c->src.type = OP_IMM;
+        c->src.val = 0;
+        c->src.bytes = 1;
+        emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
+        ctxt->eflags &= ~(X86_EFLAGS_AF | X86_EFLAGS_CF);
+        if (cf)
+                ctxt->eflags |= X86_EFLAGS_CF;
+        if (af)
+                ctxt->eflags |= X86_EFLAGS_AF;
+        return X86EMUL_CONTINUE;
+}
+static int em_call_far(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        u16 sel, old_cs;
+        ulong old_eip;
+        int rc;
+        old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
+        old_eip = c->eip;
+        memcpy(&sel, c->src.valptr + c->op_bytes, 2);
+        if (load_segment_descriptor(ctxt, ctxt->ops, sel, VCPU_SREG_CS))
+                return X86EMUL_CONTINUE;
+        c->eip = 0;
+        memcpy(&c->eip, c->src.valptr, c->op_bytes);
+        c->src.val = old_cs;
+        rc = em_push(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        c->src.val = old_eip;
+        return em_push(ctxt);
+}
+static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        c->dst.type = OP_REG;
+        c->dst.addr.reg = &c->eip;
+        c->dst.bytes = c->op_bytes;
+        rc = emulate_pop(ctxt, &c->dst.val, c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        register_address_increment(c, &c->regs[VCPU_REGS_RSP], c->src.val);
+        return X86EMUL_CONTINUE;
+}
+static int em_add(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_or(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_adc(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_sbb(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_and(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_sub(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_xor(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_cmp(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static int em_imul(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        emulate_2op_SrcV_nobyte("imul", c->src, c->dst, ctxt->eflags);
+        return X86EMUL_CONTINUE;
+}
+static int em_imul_3op(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.val = c->src2.val;
+        return em_imul(ctxt);
+}
+static int em_cwd(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.type = OP_REG;
+        c->dst.bytes = c->src.bytes;
+        c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
+        c->dst.val = ~((c->src.val >> (c->src.bytes * 8 - 1)) - 1);
+        return X86EMUL_CONTINUE;
+}
+static int em_rdtsc(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        u64 tsc = 0;
+        ctxt->ops->get_msr(ctxt, MSR_IA32_TSC, &tsc);
+        c->regs[VCPU_REGS_RAX] = (u32)tsc;
+        c->regs[VCPU_REGS_RDX] = tsc >> 32;
+        return X86EMUL_CONTINUE;
+}
+static int em_mov(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.val = c->src.val;
+        return X86EMUL_CONTINUE;
+}
+static int em_movdqu(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        memcpy(&c->dst.vec_val, &c->src.vec_val, c->op_bytes);
+        return X86EMUL_CONTINUE;
+}
+static int em_invlpg(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        ulong linear;
+        rc = linearize(ctxt, c->src.addr.mem, 1, false, &linear);
+        if (rc == X86EMUL_CONTINUE)
+                ctxt->ops->invlpg(ctxt, linear);
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static int em_clts(struct x86_emulate_ctxt *ctxt)
+{
+        ulong cr0;
+        cr0 = ctxt->ops->get_cr(ctxt, 0);
+        cr0 &= ~X86_CR0_TS;
+        ctxt->ops->set_cr(ctxt, 0, cr0);
+        return X86EMUL_CONTINUE;
+}
+static int em_vmcall(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        if (c->modrm_mod != 3 || c->modrm_rm != 1)
+                return X86EMUL_UNHANDLEABLE;
+        rc = ctxt->ops->fix_hypercall(ctxt);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        /* Let the processor re-execute the fixed hypercall */
+        c->eip = ctxt->eip;
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static int em_lgdt(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        struct desc_ptr desc_ptr;
+        int rc;
+        rc = read_descriptor(ctxt, c->src.addr.mem,
+                             &desc_ptr.size, &desc_ptr.address,
+                             c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        ctxt->ops->set_gdt(ctxt, &desc_ptr);
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static int em_vmmcall(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int rc;
+        rc = ctxt->ops->fix_hypercall(ctxt);
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return rc;
+}
+static int em_lidt(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        struct desc_ptr desc_ptr;
+        int rc;
+        rc = read_descriptor(ctxt, c->src.addr.mem,
+                             &desc_ptr.size, &desc_ptr.address,
+                             c->op_bytes);
+        if (rc != X86EMUL_CONTINUE)
+                return rc;
+        ctxt->ops->set_idt(ctxt, &desc_ptr);
+        /* Disable writeback. */
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static int em_smsw(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.bytes = 2;
+        c->dst.val = ctxt->ops->get_cr(ctxt, 0);
+        return X86EMUL_CONTINUE;
+}
+static int em_lmsw(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        ctxt->ops->set_cr(ctxt, 0, (ctxt->ops->get_cr(ctxt, 0) & ~0x0eul)
+                          | (c->src.val & 0x0f));
+        c->dst.type = OP_NONE;
+        return X86EMUL_CONTINUE;
+}
+static bool valid_cr(int nr)
+{
+        switch (nr) {
+        case 0:
+        case 2 ... 4:
+        case 8:
+                return true;
+        default:
+                return false;
+        }
+}
+static int check_cr_read(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        if (!valid_cr(c->modrm_reg))
+                return emulate_ud(ctxt);
+        return X86EMUL_CONTINUE;
+}
+static int check_cr_write(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        u64 new_val = c->src.val64;
+        int cr = c->modrm_reg;
+        u64 efer = 0;
+        static u64 cr_reserved_bits[] = {
+                0xffffffff00000000ULL,
+                0, 0, 0, /* CR3 checked later */
+                CR4_RESERVED_BITS,
+                0, 0, 0,
+                CR8_RESERVED_BITS,
+        };
+        if (!valid_cr(cr))
+                return emulate_ud(ctxt);
+        if (new_val & cr_reserved_bits[cr])
+                return emulate_gp(ctxt, 0);
+        switch (cr) {
+        case 0: {
+                u64 cr4;
+                if (((new_val & X86_CR0_PG) && !(new_val & X86_CR0_PE)) ||
+                    ((new_val & X86_CR0_NW) && !(new_val & X86_CR0_CD)))
+                        return emulate_gp(ctxt, 0);
+                cr4 = ctxt->ops->get_cr(ctxt, 4);
+                ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+                if ((new_val & X86_CR0_PG) && (efer & EFER_LME) &&
+                    !(cr4 & X86_CR4_PAE))
+                        return emulate_gp(ctxt, 0);
+                break;
+                }
+        case 3: {
+                u64 rsvd = 0;
+                ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+                if (efer & EFER_LMA)
+                        rsvd = CR3_L_MODE_RESERVED_BITS;
+                else if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PAE)
+                        rsvd = CR3_PAE_RESERVED_BITS;
+                else if (ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PG)
+                        rsvd = CR3_NONPAE_RESERVED_BITS;
+                if (new_val & rsvd)
+                        return emulate_gp(ctxt, 0);
+                break;
+                }
+        case 4: {
+                u64 cr4;
+                cr4 = ctxt->ops->get_cr(ctxt, 4);
+                ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+                if ((efer & EFER_LMA) && !(new_val & X86_CR4_PAE))
+                        return emulate_gp(ctxt, 0);
+                break;
+                }
+        }
+        return X86EMUL_CONTINUE;
+}
+static int check_dr7_gd(struct x86_emulate_ctxt *ctxt)
+{
+        unsigned long dr7;
+        ctxt->ops->get_dr(ctxt, 7, &dr7);
+        /* Check if DR7.Global_Enable is set */
+        return dr7 & (1 << 13);
+}
+static int check_dr_read(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        int dr = c->modrm_reg;
+        u64 cr4;
+        if (dr > 7)
+                return emulate_ud(ctxt);
+        cr4 = ctxt->ops->get_cr(ctxt, 4);
+        if ((cr4 & X86_CR4_DE) && (dr == 4 || dr == 5))
+                return emulate_ud(ctxt);
+        if (check_dr7_gd(ctxt))
+                return emulate_db(ctxt);
+        return X86EMUL_CONTINUE;
+}
+static int check_dr_write(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        u64 new_val = c->src.val64;
+        int dr = c->modrm_reg;
+        if ((dr == 6 || dr == 7) && (new_val & 0xffffffff00000000ULL))
+                return emulate_gp(ctxt, 0);
+        return check_dr_read(ctxt);
+}
+static int check_svme(struct x86_emulate_ctxt *ctxt)
+{
+        u64 efer;
+        ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+        if (!(efer & EFER_SVME))
+                return emulate_ud(ctxt);
+        return X86EMUL_CONTINUE;
+}
+static int check_svme_pa(struct x86_emulate_ctxt *ctxt)
+{
+        u64 rax = ctxt->decode.regs[VCPU_REGS_RAX];
+        /* Valid physical address? */
+        if (rax & 0xffff000000000000ULL)
+                return emulate_gp(ctxt, 0);
+        return check_svme(ctxt);
+}
+static int check_rdtsc(struct x86_emulate_ctxt *ctxt)
+{
+        u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
+        if (cr4 & X86_CR4_TSD && ctxt->ops->cpl(ctxt))
+                return emulate_ud(ctxt);
+        return X86EMUL_CONTINUE;
+}
+static int check_rdpmc(struct x86_emulate_ctxt *ctxt)
+{
+        u64 cr4 = ctxt->ops->get_cr(ctxt, 4);
+        u64 rcx = ctxt->decode.regs[VCPU_REGS_RCX];
+        if ((!(cr4 & X86_CR4_PCE) && ctxt->ops->cpl(ctxt)) ||
+            (rcx > 3))
+                return emulate_gp(ctxt, 0);
+        return X86EMUL_CONTINUE;
+}
+static int check_perm_in(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->dst.bytes = min(c->dst.bytes, 4u);
+        if (!emulator_io_permited(ctxt, ctxt->ops, c->src.val, c->dst.bytes))
+                return emulate_gp(ctxt, 0);
+        return X86EMUL_CONTINUE;
+}
+static int check_perm_out(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        c->src.bytes = min(c->src.bytes, 4u);
+        if (!emulator_io_permited(ctxt, ctxt->ops, c->dst.val, c->src.bytes))
+                return emulate_gp(ctxt, 0);
+        return X86EMUL_CONTINUE;
+}
+#define D(_y) { .flags = (_y) }
+#define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
+#define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
+                      .check_perm = (_p) }
+#define N    D(0)
+#define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
+#define G(_f, _g) { .flags = ((_f) | Group), .u.group = (_g) }
+#define GD(_f, _g) { .flags = ((_f) | GroupDual), .u.gdual = (_g) }
+#define I(_f, _e) { .flags = (_f), .u.execute = (_e) }
+#define II(_f, _e, _i) \
+        { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i }
+#define IIP(_f, _e, _i, _p) \
+        { .flags = (_f), .u.execute = (_e), .intercept = x86_intercept_##_i, \
+          .check_perm = (_p) }
+#define GP(_f, _g) { .flags = ((_f) | Prefix), .u.gprefix = (_g) }
+#define D2bv(_f)      D((_f) | ByteOp), D(_f)
+#define D2bvIP(_f, _i, _p) DIP((_f) | ByteOp, _i, _p), DIP(_f, _i, _p)
+#define I2bv(_f, _e)  I((_f) | ByteOp, _e), I(_f, _e)
+#define I6ALU(_f, _e) I2bv((_f) | DstMem | SrcReg | ModRM, _e),         \
+                I2bv(((_f) | DstReg | SrcMem | ModRM) & ~Lock, _e),     \
+                I2bv(((_f) & ~Lock) | DstAcc | SrcImm, _e)
+static struct opcode group7_rm1[] = {
+        DI(SrcNone | ModRM | Priv, monitor),
+        DI(SrcNone | ModRM | Priv, mwait),
+        N, N, N, N, N, N,
+};
+static struct opcode group7_rm3[] = {
+        DIP(SrcNone | ModRM | Prot | Priv, vmrun,   check_svme_pa),
+        II(SrcNone | ModRM | Prot | VendorSpecific, em_vmmcall, vmmcall),
+        DIP(SrcNone | ModRM | Prot | Priv, vmload,  check_svme_pa),
+        DIP(SrcNone | ModRM | Prot | Priv, vmsave,  check_svme_pa),
+        DIP(SrcNone | ModRM | Prot | Priv, stgi,    check_svme),
+        DIP(SrcNone | ModRM | Prot | Priv, clgi,    check_svme),
+        DIP(SrcNone | ModRM | Prot | Priv, skinit,  check_svme),
+        DIP(SrcNone | ModRM | Prot | Priv, invlpga, check_svme),
+};
+static struct opcode group7_rm7[] = {
+        N,
+        DIP(SrcNone | ModRM, rdtscp, check_rdtsc),
+        N, N, N, N, N, N,
+};
+static struct opcode group1[] = {
+        I(Lock, em_add),
+        I(Lock, em_or),
+        I(Lock, em_adc),
+        I(Lock, em_sbb),
+        I(Lock, em_and),
+        I(Lock, em_sub),
+        I(Lock, em_xor),
+        I(0, em_cmp),
+};
+static struct opcode group1A[] = {
+        D(DstMem | SrcNone | ModRM | Mov | Stack), N, N, N, N, N, N, N,
+};
+static struct opcode group3[] = {
+        D(DstMem | SrcImm | ModRM), D(DstMem | SrcImm | ModRM),
+        D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
+        X4(D(SrcMem | ModRM)),
+};
+static struct opcode group4[] = {
+        D(ByteOp | DstMem | SrcNone | ModRM | Lock), D(ByteOp | DstMem | SrcNone | ModRM | Lock),
+        N, N, N, N, N, N,
+};
+static struct opcode group5[] = {
+        D(DstMem | SrcNone | ModRM | Lock), D(DstMem | SrcNone | ModRM | Lock),
+        D(SrcMem | ModRM | Stack),
+        I(SrcMemFAddr | ModRM | ImplicitOps | Stack, em_call_far),
+        D(SrcMem | ModRM | Stack), D(SrcMemFAddr | ModRM | ImplicitOps),
+        D(SrcMem | ModRM | Stack), N,
+};
+static struct opcode group6[] = {
+        DI(ModRM | Prot,        sldt),
+        DI(ModRM | Prot,        str),
+        DI(ModRM | Prot | Priv, lldt),
+        DI(ModRM | Prot | Priv, ltr),
+        N, N, N, N,
+};
+static struct group_dual group7 = { {
+        DI(ModRM | Mov | DstMem | Priv, sgdt),
+        DI(ModRM | Mov | DstMem | Priv, sidt),
+        II(ModRM | SrcMem | Priv, em_lgdt, lgdt),
+        II(ModRM | SrcMem | Priv, em_lidt, lidt),
+        II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
+        II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw),
+        II(SrcMem | ModRM | ByteOp | Priv | NoAccess, em_invlpg, invlpg),
+}, {
+        I(SrcNone | ModRM | Priv | VendorSpecific, em_vmcall),
+        EXT(0, group7_rm1),
+        N, EXT(0, group7_rm3),
+        II(SrcNone | ModRM | DstMem | Mov, em_smsw, smsw), N,
+        II(SrcMem16 | ModRM | Mov | Priv, em_lmsw, lmsw), EXT(0, group7_rm7),
+} };
+static struct opcode group8[] = {
+        N, N, N, N,
+        D(DstMem | SrcImmByte | ModRM), D(DstMem | SrcImmByte | ModRM | Lock),
+        D(DstMem | SrcImmByte | ModRM | Lock), D(DstMem | SrcImmByte | ModRM | Lock),
+};
+static struct group_dual group9 = { {
+        N, D(DstMem64 | ModRM | Lock), N, N, N, N, N, N,
+}, {
+        N, N, N, N, N, N, N, N,
+} };
+static struct opcode group11[] = {
+        I(DstMem | SrcImm | ModRM | Mov, em_mov), X7(D(Undefined)),
+};
+static struct gprefix pfx_0f_6f_0f_7f = {
+        N, N, N, I(Sse, em_movdqu),
+};
+static struct opcode opcode_table[256] = {
+        /* 0x00 - 0x07 */
+        I6ALU(Lock, em_add),
+        D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
+        /* 0x08 - 0x0F */
+        I6ALU(Lock, em_or),
+        D(ImplicitOps | Stack | No64), N,
+        /* 0x10 - 0x17 */
+        I6ALU(Lock, em_adc),
+        D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
+        /* 0x18 - 0x1F */
+        I6ALU(Lock, em_sbb),
+        D(ImplicitOps | Stack | No64), D(ImplicitOps | Stack | No64),
+        /* 0x20 - 0x27 */
+        I6ALU(Lock, em_and), N, N,
+        /* 0x28 - 0x2F */
+        I6ALU(Lock, em_sub), N, I(ByteOp | DstAcc | No64, em_das),
+        /* 0x30 - 0x37 */
+        I6ALU(Lock, em_xor), N, N,
+        /* 0x38 - 0x3F */
+        I6ALU(0, em_cmp), N, N,
+        /* 0x40 - 0x4F */
+        X16(D(DstReg)),
+        /* 0x50 - 0x57 */
+        X8(I(SrcReg | Stack, em_push)),
+        /* 0x58 - 0x5F */
+        X8(I(DstReg | Stack, em_pop)),
+        /* 0x60 - 0x67 */
+        I(ImplicitOps | Stack | No64, em_pusha),
+        I(ImplicitOps | Stack | No64, em_popa),
+        N, D(DstReg | SrcMem32 | ModRM | Mov) /* movsxd (x86/64) */ ,
+        N, N, N, N,
+        /* 0x68 - 0x6F */
+        I(SrcImm | Mov | Stack, em_push),
+        I(DstReg | SrcMem | ModRM | Src2Imm, em_imul_3op),
+        I(SrcImmByte | Mov | Stack, em_push),
+        I(DstReg | SrcMem | ModRM | Src2ImmByte, em_imul_3op),
+        D2bvIP(DstDI | SrcDX | Mov | String, ins, check_perm_in), /* insb, insw/insd */
+        D2bvIP(SrcSI | DstDX | String, outs, check_perm_out), /* outsb, outsw/outsd */
+        /* 0x70 - 0x7F */
+        X16(D(SrcImmByte)),
+        /* 0x80 - 0x87 */
+        G(ByteOp | DstMem | SrcImm | ModRM | Group, group1),
+        G(DstMem | SrcImm | ModRM | Group, group1),
+        G(ByteOp | DstMem | SrcImm | ModRM | No64 | Group, group1),
+        G(DstMem | SrcImmByte | ModRM | Group, group1),
+        D2bv(DstMem | SrcReg | ModRM), D2bv(DstMem | SrcReg | ModRM | Lock),
+        /* 0x88 - 0x8F */
+        I2bv(DstMem | SrcReg | ModRM | Mov, em_mov),
+        I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
+        D(DstMem | SrcNone | ModRM | Mov), D(ModRM | SrcMem | NoAccess | DstReg),
+        D(ImplicitOps | SrcMem16 | ModRM), G(0, group1A),
+        /* 0x90 - 0x97 */
+        DI(SrcAcc | DstReg, pause), X7(D(SrcAcc | DstReg)),
+        /* 0x98 - 0x9F */
+        D(DstAcc | SrcNone), I(ImplicitOps | SrcAcc, em_cwd),
+        I(SrcImmFAddr | No64, em_call_far), N,
+        II(ImplicitOps | Stack, em_pushf, pushf),
+        II(ImplicitOps | Stack, em_popf, popf), N, N,
+        /* 0xA0 - 0xA7 */
+        I2bv(DstAcc | SrcMem | Mov | MemAbs, em_mov),
+        I2bv(DstMem | SrcAcc | Mov | MemAbs, em_mov),
+        I2bv(SrcSI | DstDI | Mov | String, em_mov),
+        I2bv(SrcSI | DstDI | String, em_cmp),
+        /* 0xA8 - 0xAF */
+        D2bv(DstAcc | SrcImm),
+        I2bv(SrcAcc | DstDI | Mov | String, em_mov),
+        I2bv(SrcSI | DstAcc | Mov | String, em_mov),
+        I2bv(SrcAcc | DstDI | String, em_cmp),
+        /* 0xB0 - 0xB7 */
+        X8(I(ByteOp | DstReg | SrcImm | Mov, em_mov)),
+        /* 0xB8 - 0xBF */
+        X8(I(DstReg | SrcImm | Mov, em_mov)),
+        /* 0xC0 - 0xC7 */
+        D2bv(DstMem | SrcImmByte | ModRM),
+        I(ImplicitOps | Stack | SrcImmU16, em_ret_near_imm),
+        D(ImplicitOps | Stack),
+        D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr | ModRM | No64),
+        G(ByteOp, group11), G(0, group11),
+        /* 0xC8 - 0xCF */
+        N, N, N, D(ImplicitOps | Stack),
+        D(ImplicitOps), DI(SrcImmByte, intn),
+        D(ImplicitOps | No64), DI(ImplicitOps, iret),
+        /* 0xD0 - 0xD7 */
+        D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
+        N, N, N, N,
+        /* 0xD8 - 0xDF */
+        N, N, N, N, N, N, N, N,
+        /* 0xE0 - 0xE7 */
+        X4(D(SrcImmByte)),
+        D2bvIP(SrcImmUByte | DstAcc, in,  check_perm_in),
+        D2bvIP(SrcAcc | DstImmUByte, out, check_perm_out),
+        /* 0xE8 - 0xEF */
+        D(SrcImm | Stack), D(SrcImm | ImplicitOps),
+        D(SrcImmFAddr | No64), D(SrcImmByte | ImplicitOps),
+        D2bvIP(SrcDX | DstAcc, in,  check_perm_in),
+        D2bvIP(SrcAcc | DstDX, out, check_perm_out),
+        /* 0xF0 - 0xF7 */
+        N, DI(ImplicitOps, icebp), N, N,
+        DI(ImplicitOps | Priv, hlt), D(ImplicitOps),
+        G(ByteOp, group3), G(0, group3),
+        /* 0xF8 - 0xFF */
+        D(ImplicitOps), D(ImplicitOps), D(ImplicitOps), D(ImplicitOps),
+        D(ImplicitOps), D(ImplicitOps), G(0, group4), G(0, group5),
+};
+static struct opcode twobyte_table[256] = {
+        /* 0x00 - 0x0F */
+        G(0, group6), GD(0, &group7), N, N,
+        N, D(ImplicitOps | VendorSpecific), DI(ImplicitOps | Priv, clts), N,
+        DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
+        N, D(ImplicitOps | ModRM), N, N,
+        /* 0x10 - 0x1F */
+        N, N, N, N, N, N, N, N, D(ImplicitOps | ModRM), N, N, N, N, N, N, N,
+        /* 0x20 - 0x2F */
+        DIP(ModRM | DstMem | Priv | Op3264, cr_read, check_cr_read),
+        DIP(ModRM | DstMem | Priv | Op3264, dr_read, check_dr_read),
+        DIP(ModRM | SrcMem | Priv | Op3264, cr_write, check_cr_write),
+        DIP(ModRM | SrcMem | Priv | Op3264, dr_write, check_dr_write),
+        N, N, N, N,
+        N, N, N, N, N, N, N, N,
+        /* 0x30 - 0x3F */
+        DI(ImplicitOps | Priv, wrmsr),
+        IIP(ImplicitOps, em_rdtsc, rdtsc, check_rdtsc),
+        DI(ImplicitOps | Priv, rdmsr),
+        DIP(ImplicitOps | Priv, rdpmc, check_rdpmc),
+        D(ImplicitOps | VendorSpecific), D(ImplicitOps | Priv | VendorSpecific),
+        N, N,
+        N, N, N, N, N, N, N, N,
+        /* 0x40 - 0x4F */
+        X16(D(DstReg | SrcMem | ModRM | Mov)),
+        /* 0x50 - 0x5F */
+        N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
+        /* 0x60 - 0x6F */
+        N, N, N, N,
+        N, N, N, N,
+        N, N, N, N,
+        N, N, N, GP(SrcMem | DstReg | ModRM | Mov, &pfx_0f_6f_0f_7f),
+        /* 0x70 - 0x7F */
+        N, N, N, N,
+        N, N, N, N,
+        N, N, N, N,
+        N, N, N, GP(SrcReg | DstMem | ModRM | Mov, &pfx_0f_6f_0f_7f),
+        /* 0x80 - 0x8F */
+        X16(D(SrcImm)),
+        /* 0x90 - 0x9F */
+        X16(D(ByteOp | DstMem | SrcNone | ModRM| Mov)),
+        /* 0xA0 - 0xA7 */
+        D(ImplicitOps | Stack), D(ImplicitOps | Stack),
+        DI(ImplicitOps, cpuid), D(DstMem | SrcReg | ModRM | BitOp),
+        D(DstMem | SrcReg | Src2ImmByte | ModRM),
+        D(DstMem | SrcReg | Src2CL | ModRM), N, N,
+        /* 0xA8 - 0xAF */
+        D(ImplicitOps | Stack), D(ImplicitOps | Stack),
+        DI(ImplicitOps, rsm), D(DstMem | SrcReg | ModRM | BitOp | Lock),
+        D(DstMem | SrcReg | Src2ImmByte | ModRM),
+        D(DstMem | SrcReg | Src2CL | ModRM),
+        D(ModRM), I(DstReg | SrcMem | ModRM, em_imul),
+        /* 0xB0 - 0xB7 */
+        D2bv(DstMem | SrcReg | ModRM | Lock),
+        D(DstReg | SrcMemFAddr | ModRM), D(DstMem | SrcReg | ModRM | BitOp | Lock),
+        D(DstReg | SrcMemFAddr | ModRM), D(DstReg | SrcMemFAddr | ModRM),
+        D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
+        /* 0xB8 - 0xBF */
+        N, N,
+        G(BitOp, group8), D(DstMem | SrcReg | ModRM | BitOp | Lock),
+        D(DstReg | SrcMem | ModRM), D(DstReg | SrcMem | ModRM),
+        D(ByteOp | DstReg | SrcMem | ModRM | Mov), D(DstReg | SrcMem16 | ModRM | Mov),
+        /* 0xC0 - 0xCF */
+        D2bv(DstMem | SrcReg | ModRM | Lock),
+        N, D(DstMem | SrcReg | ModRM | Mov),
+        N, N, N, GD(0, &group9),
+        N, N, N, N, N, N, N, N,
+        /* 0xD0 - 0xDF */
+        N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
+        /* 0xE0 - 0xEF */
+        N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N,
+        /* 0xF0 - 0xFF */
+        N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N
+};
+#undef D
+#undef N
+#undef G
+#undef GD
+#undef I
+#undef GP
+#undef EXT
+#undef D2bv
+#undef D2bvIP
+#undef I2bv
+#undef I6ALU
+static unsigned imm_size(struct decode_cache *c)
+{
+        unsigned size;
+        size = (c->d & ByteOp) ? 1 : c->op_bytes;
+        if (size == 8)
+                size = 4;
+        return size;
+}
+static int decode_imm(struct x86_emulate_ctxt *ctxt, struct operand *op,
+                      unsigned size, bool sign_extension)
+{
+        struct decode_cache *c = &ctxt->decode;
+        struct x86_emulate_ops *ops = ctxt->ops;
+        int rc = X86EMUL_CONTINUE;
+        op->type = OP_IMM;
+        op->bytes = size;
+        op->addr.mem.ea = c->eip;
+        /* NB. Immediates are sign-extended as necessary. */
+        switch (op->bytes) {
+        case 1:
+                op->val = insn_fetch(s8, 1, c->eip);
+                break;
+        case 2:
+                op->val = insn_fetch(s16, 2, c->eip);
+                break;
+        case 4:
+                op->val = insn_fetch(s32, 4, c->eip);
+                break;
+        }
+        if (!sign_extension) {
+                switch (op->bytes) {
+                case 1:
+                        op->val &= 0xff;
+                        break;
+                case 2:
+                        op->val &= 0xffff;
+                        break;
+                case 4:
+                        op->val &= 0xffffffff;
+                        break;
+                }
+        }
+done:
+        return rc;
 }
 int
-x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
 {
+        struct x86_emulate_ops *ops = ctxt->ops;
+        struct decode_cache *c = &ctxt->decode;
+        int rc = X86EMUL_CONTINUE;
+        int mode = ctxt->mode;
+        int def_op_bytes, def_ad_bytes, goffset, simd_prefix;
+        bool op_prefix = false;
+        struct opcode opcode;
+        struct operand memop = { .type = OP_NONE }, *memopp = NULL;
+        c->eip = ctxt->eip;
+        c->fetch.start = c->eip;
+        c->fetch.end = c->fetch.start + insn_len;
+        if (insn_len > 0)
+                memcpy(c->fetch.data, insn, insn_len);
+        switch (mode) {
+        case X86EMUL_MODE_REAL:
+        case X86EMUL_MODE_VM86:
+        case X86EMUL_MODE_PROT16:
+                def_op_bytes = def_ad_bytes = 2;
+                break;
+        case X86EMUL_MODE_PROT32:
+                def_op_bytes = def_ad_bytes = 4;
+                break;
+#ifdef CONFIG_X86_64
+        case X86EMUL_MODE_PROT64:
+                def_op_bytes = 4;
+                def_ad_bytes = 8;
+                break;
+#endif
+        default:
+                return -1;
+        }
+        c->op_bytes = def_op_bytes;
+        c->ad_bytes = def_ad_bytes;
+        /* Legacy prefixes. */
+        for (;;) {
+                switch (c->b = insn_fetch(u8, 1, c->eip)) {
+                case 0x66:      /* operand-size override */
+                        op_prefix = true;
+                        /* switch between 2/4 bytes */
+                        c->op_bytes = def_op_bytes ^ 6;
+                        break;
+                case 0x67:      /* address-size override */
+                        if (mode == X86EMUL_MODE_PROT64)
+                                /* switch between 4/8 bytes */
+                                c->ad_bytes = def_ad_bytes ^ 12;
+                        else
+                                /* switch between 2/4 bytes */
+                                c->ad_bytes = def_ad_bytes ^ 6;
+                        break;
+                case 0x26:      /* ES override */
+                case 0x2e:      /* CS override */
+                case 0x36:      /* SS override */
+                case 0x3e:      /* DS override */
+                        set_seg_override(c, (c->b >> 3) & 3);
+                        break;
+                case 0x64:      /* FS override */
+                case 0x65:      /* GS override */
+                        set_seg_override(c, c->b & 7);
+                        break;
+                case 0x40 ... 0x4f: /* REX */
+                        if (mode != X86EMUL_MODE_PROT64)
+                                goto done_prefixes;
+                        c->rex_prefix = c->b;
+                        continue;
+                case 0xf0:      /* LOCK */
+                        c->lock_prefix = 1;
+                        break;
+                case 0xf2:      /* REPNE/REPNZ */
+                case 0xf3:      /* REP/REPE/REPZ */
+                        c->rep_prefix = c->b;
+                        break;
+                default:
+                        goto done_prefixes;
+                }
+                /* Any legacy prefix after a REX prefix nullifies its effect. */
+                c->rex_prefix = 0;
+        }
+done_prefixes:
+        /* REX prefix. */
+        if (c->rex_prefix & 8)
+                c->op_bytes = 8;        /* REX.W */
+        /* Opcode byte(s). */
+        opcode = opcode_table[c->b];
+        /* Two-byte opcode? */
+        if (c->b == 0x0f) {
+                c->twobyte = 1;
+                c->b = insn_fetch(u8, 1, c->eip);
+                opcode = twobyte_table[c->b];
+        }
+        c->d = opcode.flags;
+        while (c->d & GroupMask) {
+                switch (c->d & GroupMask) {
+                case Group:
+                        c->modrm = insn_fetch(u8, 1, c->eip);
+                        --c->eip;
+                        goffset = (c->modrm >> 3) & 7;
+                        opcode = opcode.u.group[goffset];
+                        break;
+                case GroupDual:
+                        c->modrm = insn_fetch(u8, 1, c->eip);
+                        --c->eip;
+                        goffset = (c->modrm >> 3) & 7;
+                        if ((c->modrm >> 6) == 3)
+                                opcode = opcode.u.gdual->mod3[goffset];
+                        else
+                                opcode = opcode.u.gdual->mod012[goffset];
+                        break;
+                case RMExt:
+                        goffset = c->modrm & 7;
+                        opcode = opcode.u.group[goffset];
+                        break;
+                case Prefix:
+                        if (c->rep_prefix && op_prefix)
+                                return X86EMUL_UNHANDLEABLE;
+                        simd_prefix = op_prefix ? 0x66 : c->rep_prefix;
+                        switch (simd_prefix) {
+                        case 0x00: opcode = opcode.u.gprefix->pfx_no; break;
+                        case 0x66: opcode = opcode.u.gprefix->pfx_66; break;
+                        case 0xf2: opcode = opcode.u.gprefix->pfx_f2; break;
+                        case 0xf3: opcode = opcode.u.gprefix->pfx_f3; break;
+                        }
+                        break;
+                default:
+                        return X86EMUL_UNHANDLEABLE;
+                }
+                c->d &= ~GroupMask;
+                c->d |= opcode.flags;
+        }
+        c->execute = opcode.u.execute;
+        c->check_perm = opcode.check_perm;
+        c->intercept = opcode.intercept;
+        /* Unrecognised? */
+        if (c->d == 0 || (c->d & Undefined))
+                return -1;
+        if (!(c->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
+                return -1;
+        if (mode == X86EMUL_MODE_PROT64 && (c->d & Stack))
+                c->op_bytes = 8;
+        if (c->d & Op3264) {
+                if (mode == X86EMUL_MODE_PROT64)
+                        c->op_bytes = 8;
+                else
+                        c->op_bytes = 4;
+        }
+        if (c->d & Sse)
+                c->op_bytes = 16;
+        /* ModRM and SIB bytes. */
+        if (c->d & ModRM) {
+                rc = decode_modrm(ctxt, ops, &memop);
+                if (!c->has_seg_override)
+                        set_seg_override(c, c->modrm_seg);
+        } else if (c->d & MemAbs)
+                rc = decode_abs(ctxt, ops, &memop);
+        if (rc != X86EMUL_CONTINUE)
+                goto done;
+        if (!c->has_seg_override)
+                set_seg_override(c, VCPU_SREG_DS);
+        memop.addr.mem.seg = seg_override(ctxt, c);
+        if (memop.type == OP_MEM && c->ad_bytes != 8)
+                memop.addr.mem.ea = (u32)memop.addr.mem.ea;
+        /*
+         * Decode and fetch the source operand: register, memory
+         * or immediate.
+         */
+        switch (c->d & SrcMask) {
+        case SrcNone:
+                break;
+        case SrcReg:
+                decode_register_operand(ctxt, &c->src, c, 0);
+                break;
+        case SrcMem16:
+                memop.bytes = 2;
+                goto srcmem_common;
+        case SrcMem32:
+                memop.bytes = 4;
+                goto srcmem_common;
+        case SrcMem:
+                memop.bytes = (c->d & ByteOp) ? 1 :
+                                                           c->op_bytes;
+        srcmem_common:
+                c->src = memop;
+                memopp = &c->src;
+                break;
+        case SrcImmU16:
+                rc = decode_imm(ctxt, &c->src, 2, false);
+                break;
+        case SrcImm:
+                rc = decode_imm(ctxt, &c->src, imm_size(c), true);
+                break;
+        case SrcImmU:
+                rc = decode_imm(ctxt, &c->src, imm_size(c), false);
+                break;
+        case SrcImmByte:
+                rc = decode_imm(ctxt, &c->src, 1, true);
+                break;
+        case SrcImmUByte:
+                rc = decode_imm(ctxt, &c->src, 1, false);
+                break;
+        case SrcAcc:
+                c->src.type = OP_REG;
+                c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                c->src.addr.reg = &c->regs[VCPU_REGS_RAX];
+                fetch_register_operand(&c->src);
+                break;
+        case SrcOne:
+                c->src.bytes = 1;
+                c->src.val = 1;
+                break;
+        case SrcSI:
+                c->src.type = OP_MEM;
+                c->src.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                c->src.addr.mem.ea =
+                        register_address(c, c->regs[VCPU_REGS_RSI]);
+                c->src.addr.mem.seg = seg_override(ctxt, c);
+                c->src.val = 0;
+                break;
+        case SrcImmFAddr:
+                c->src.type = OP_IMM;
+                c->src.addr.mem.ea = c->eip;
+                c->src.bytes = c->op_bytes + 2;
+                insn_fetch_arr(c->src.valptr, c->src.bytes, c->eip);
+                break;
+        case SrcMemFAddr:
+                memop.bytes = c->op_bytes + 2;
+                goto srcmem_common;
+                break;
+        case SrcDX:
+                c->src.type = OP_REG;
+                c->src.bytes = 2;
+                c->src.addr.reg = &c->regs[VCPU_REGS_RDX];
+                fetch_register_operand(&c->src);
+                break;
+        }
+        if (rc != X86EMUL_CONTINUE)
+                goto done;
+        /*
+         * Decode and fetch the second source operand: register, memory
+         * or immediate.
+         */
+        switch (c->d & Src2Mask) {
+        case Src2None:
+                break;
+        case Src2CL:
+                c->src2.bytes = 1;
+                c->src2.val = c->regs[VCPU_REGS_RCX] & 0x8;
+                break;
+        case Src2ImmByte:
+                rc = decode_imm(ctxt, &c->src2, 1, true);
+                break;
+        case Src2One:
+                c->src2.bytes = 1;
+                c->src2.val = 1;
+                break;
+        case Src2Imm:
+                rc = decode_imm(ctxt, &c->src2, imm_size(c), true);
+                break;
+        }
+        if (rc != X86EMUL_CONTINUE)
+                goto done;
+        /* Decode and fetch the destination operand: register or memory. */
+        switch (c->d & DstMask) {
+        case DstReg:
+                decode_register_operand(ctxt, &c->dst, c,
+                         c->twobyte && (c->b == 0xb6 || c->b == 0xb7));
+                break;
+        case DstImmUByte:
+                c->dst.type = OP_IMM;
+                c->dst.addr.mem.ea = c->eip;
+                c->dst.bytes = 1;
+                c->dst.val = insn_fetch(u8, 1, c->eip);
+                break;
+        case DstMem:
+        case DstMem64:
+                c->dst = memop;
+                memopp = &c->dst;
+                if ((c->d & DstMask) == DstMem64)
+                        c->dst.bytes = 8;
+                else
+                        c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                if (c->d & BitOp)
+                        fetch_bit_operand(c);
+                c->dst.orig_val = c->dst.val;
+                break;
+        case DstAcc:
+                c->dst.type = OP_REG;
+                c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                c->dst.addr.reg = &c->regs[VCPU_REGS_RAX];
+                fetch_register_operand(&c->dst);
+                c->dst.orig_val = c->dst.val;
+                break;
+        case DstDI:
+                c->dst.type = OP_MEM;
+                c->dst.bytes = (c->d & ByteOp) ? 1 : c->op_bytes;
+                c->dst.addr.mem.ea =
+                        register_address(c, c->regs[VCPU_REGS_RDI]);
+                c->dst.addr.mem.seg = VCPU_SREG_ES;
+                c->dst.val = 0;
+                break;
+        case DstDX:
+                c->dst.type = OP_REG;
+                c->dst.bytes = 2;
+                c->dst.addr.reg = &c->regs[VCPU_REGS_RDX];
+                fetch_register_operand(&c->dst);
+                break;
+        case ImplicitOps:
+                /* Special instructions do their own operand decoding. */
+        default:
+                c->dst.type = OP_NONE; /* Disable writeback. */
+                break;
+        }
+done:
+        if (memopp && memopp->type == OP_MEM && c->rip_relative)
+                memopp->addr.mem.ea += c->eip;
+        return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
+}
+static bool string_insn_completed(struct x86_emulate_ctxt *ctxt)
+{
+        struct decode_cache *c = &ctxt->decode;
+        /* The second termination condition only applies for REPE
+         * and REPNE. Test if the repeat string operation prefix is
+         * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
+         * corresponding termination condition according to:
+         *      - if REPE/REPZ and ZF = 0 then done
+         *      - if REPNE/REPNZ and ZF = 1 then done
+         */
+        if (((c->b == 0xa6) || (c->b == 0xa7) ||
+             (c->b == 0xae) || (c->b == 0xaf))
+            && (((c->rep_prefix == REPE_PREFIX) &&
+                 ((ctxt->eflags & EFLG_ZF) == 0))
+                || ((c->rep_prefix == REPNE_PREFIX) &&
+                    ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))))
+                return true;
+        return false;
+}
+int
+x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
+{
+        struct x86_emulate_ops *ops = ctxt->ops;
        u64 msr_data;
        struct decode_cache *c = &ctxt->decode;
        int rc = X86EMUL_CONTINUE;
        int saved_dst_type = c->dst.type;
+        int irq; /* Used for int 3, int, and into */
        ctxt->decode.mem_read.pos = 0;
        if (ctxt->mode == X86EMUL_MODE_PROT64 && (c->d & No64)) {
-                emulate_ud(ctxt);
+                rc = emulate_ud(ctxt);
                goto done;
        }
        /* LOCK prefix is allowed only with some instructions */
        if (c->lock_prefix && (!(c->d & Lock) || c->dst.type != OP_MEM)) {
-                emulate_ud(ctxt);
+                rc = emulate_ud(ctxt);
+                goto done;
+        }
+        if ((c->d & SrcMask) == SrcMemFAddr && c->src.type != OP_MEM) {
+                rc = emulate_ud(ctxt);
+                goto done;
+        }
+        if ((c->d & Sse)
+            && ((ops->get_cr(ctxt, 0) & X86_CR0_EM)
+                || !(ops->get_cr(ctxt, 4) & X86_CR4_OSFXSR))) {
+                rc = emulate_ud(ctxt);
+                goto done;
+        }
+        if ((c->d & Sse) && (ops->get_cr(ctxt, 0) & X86_CR0_TS)) {
+                rc = emulate_nm(ctxt);
                goto done;
        }
+        if (unlikely(ctxt->guest_mode) && c->intercept) {
+                rc = emulator_check_intercept(ctxt, c->intercept,
+                                              X86_ICPT_PRE_EXCEPT);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+        }
        /* Privileged instruction can be executed only in CPL=0 */
-        if ((c->d & Priv) && ops->cpl(ctxt->vcpu)) {
+        if ((c->d & Priv) && ops->cpl(ctxt)) {
-                emulate_gp(ctxt, 0);
+                rc = emulate_gp(ctxt, 0);
                goto done;
        }
+        /* Instruction can only be executed in protected mode */
+        if ((c->d & Prot) && !(ctxt->mode & X86EMUL_MODE_PROT)) {
+                rc = emulate_ud(ctxt);
+                goto done;
+        }
+        /* Do instruction specific permission checks */
+        if (c->check_perm) {
+                rc = c->check_perm(ctxt);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+        }
+        if (unlikely(ctxt->guest_mode) && c->intercept) {
+                rc = emulator_check_intercept(ctxt, c->intercept,
+                                              X86_ICPT_POST_EXCEPT);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+        }
        if (c->rep_prefix && (c->d & String)) {
-                ctxt->restart = true;
                /* All REP prefixes have the same first termination condition */
                if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0) {
-                string_done:
-                        ctxt->restart = false;
                        ctxt->eip = c->eip;
                        goto done;
                }
-                /* The second termination condition only applies for REPE
-                 * and REPNE. Test if the repeat string operation prefix is
-                 * REPE/REPZ or REPNE/REPNZ and if it's the case it tests the
-                 * corresponding termination condition according to:
-                 *      - if REPE/REPZ and ZF = 0 then done
-                 *      - if REPNE/REPNZ and ZF = 1 then done
-                 */
-                if ((c->b == 0xa6) || (c->b == 0xa7) ||
-                    (c->b == 0xae) || (c->b == 0xaf)) {
-                        if ((c->rep_prefix == REPE_PREFIX) &&
-                            ((ctxt->eflags & EFLG_ZF) == 0))
-                                goto string_done;
-                        if ((c->rep_prefix == REPNE_PREFIX) &&
-                            ((ctxt->eflags & EFLG_ZF) == EFLG_ZF))
-                                goto string_done;
-                }
-                c->eip = ctxt->eip;
        }
-        if (c->src.type == OP_MEM) {
+        if ((c->src.type == OP_MEM) && !(c->d & NoAccess)) {
-                rc = read_emulated(ctxt, ops, (unsigned long)c->src.ptr,
+                rc = segmented_read(ctxt, c->src.addr.mem,
-                                        c->src.valptr, c->src.bytes);
+                                    c->src.valptr, c->src.bytes);
                if (rc != X86EMUL_CONTINUE)
                        goto done;
                c->src.orig_val64 = c->src.val64;
        }
        if (c->src2.type == OP_MEM) {
-                rc = read_emulated(ctxt, ops, (unsigned long)c->src2.ptr,
+                rc = segmented_read(ctxt, c->src2.addr.mem,
-                                        &c->src2.val, c->src2.bytes);
+                                    &c->src2.val, c->src2.bytes);
                if (rc != X86EMUL_CONTINUE)
                        goto done;
        }
@@ -2631,7 +3833,7 @@ x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
        if ((c->dst.type == OP_MEM) && !(c->d & Mov)) {
                /* optimisation - avoid slow emulated read if Mov */
-                rc = read_emulated(ctxt, ops, (unsigned long)c->dst.ptr,
+                rc = segmented_read(ctxt, c->dst.addr.mem,
                                   &c->dst.val, c->dst.bytes);
                if (rc != X86EMUL_CONTINUE)
                        goto done;
@@ -2640,68 +3842,44 @@ x86_emulate_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 special_insn:
+        if (unlikely(ctxt->guest_mode) && c->intercept) {
+                rc = emulator_check_intercept(ctxt, c->intercept,
+                                              X86_ICPT_POST_MEMACCESS);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+        }
+        if (c->execute) {
+                rc = c->execute(ctxt);
+                if (rc != X86EMUL_CONTINUE)
+                        goto done;
+                goto writeback;
+        }
        if (c->twobyte)
                goto twobyte_insn;
        switch (c->b) {
-        case 0x00 ... 0x05:
-              add:              /* add */
-                emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
-                break;
        case 0x06:              /* push es */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
                break;
        case 0x07:              /* pop es */
                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
-        case 0x08 ... 0x0d:
-              or:               /* or */
-                emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
                break;
        case 0x0e:              /* push cs */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
-                break;
-        case 0x10 ... 0x15:
-              adc:              /* adc */
-                emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
                break;
        case 0x16:              /* push ss */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
                break;
        case 0x17:              /* pop ss */
                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
-        case 0x18 ... 0x1d:
-              sbb:              /* sbb */
-                emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
                break;
        case 0x1e:              /* push ds */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
                break;
        case 0x1f:              /* pop ds */
                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
-        case 0x20 ... 0x25:
-              and:              /* and */
-                emulate_2op_SrcV("and", c->src, c->dst, ctxt->eflags);
-                break;
-        case 0x28 ... 0x2d:
-              sub:              /* sub */
-                emulate_2op_SrcV("sub", c->src, c->dst, ctxt->eflags);
-                break;
-        case 0x30 ... 0x35:
-              xor:              /* xor */
-                emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
-                break;
-        case 0x38 ... 0x3d:
-              cmp:              /* cmp */
-                emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
                break;
        case 0x40 ... 0x47: /* inc r16/r32 */
                emulate_1op("inc", c->dst, ctxt->eflags);
@@ -2709,83 +3887,24 @@ special_insn:
        case 0x48 ... 0x4f: /* dec r16/r32 */
                emulate_1op("dec", c->dst, ctxt->eflags);
                break;
-        case 0x50 ... 0x57:  /* push reg */
-                emulate_push(ctxt, ops);
-                break;
-        case 0x58 ... 0x5f: /* pop reg */
-        pop_instruction:
-                rc = emulate_pop(ctxt, ops, &c->dst.val, c->op_bytes);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
-        case 0x60:      /* pusha */
-                rc = emulate_pusha(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
-        case 0x61:      /* popa */
-                rc = emulate_popa(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                break;
        case 0x63:              /* movsxd */
                if (ctxt->mode != X86EMUL_MODE_PROT64)
                        goto cannot_emulate;
                c->dst.val = (s32) c->src.val;
                break;
-        case 0x68: /* push imm */
-        case 0x6a: /* push imm8 */
-                emulate_push(ctxt, ops);
-                break;
        case 0x6c:              /* insb */
        case 0x6d:              /* insw/insd */
-                c->dst.bytes = min(c->dst.bytes, 4u);
+                c->src.val = c->regs[VCPU_REGS_RDX];
-                if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
+                goto do_io_in;
-                                          c->dst.bytes)) {
-                        emulate_gp(ctxt, 0);
-                        goto done;
-                }
-                if (!pio_in_emulated(ctxt, ops, c->dst.bytes,
-                                     c->regs[VCPU_REGS_RDX], &c->dst.val))
-                        goto done; /* IO is needed, skip writeback */
-                break;
        case 0x6e:              /* outsb */
        case 0x6f:              /* outsw/outsd */
-                c->src.bytes = min(c->src.bytes, 4u);
+                c->dst.val = c->regs[VCPU_REGS_RDX];
-                if (!emulator_io_permited(ctxt, ops, c->regs[VCPU_REGS_RDX],
+                goto do_io_out;
-                                          c->src.bytes)) {
-                        emulate_gp(ctxt, 0);
-                        goto done;
-                }
-                ops->pio_out_emulated(c->src.bytes, c->regs[VCPU_REGS_RDX],
-                                      &c->src.val, 1, ctxt->vcpu);
-                c->dst.type = OP_NONE; /* nothing to writeback */
                break;
        case 0x70 ... 0x7f: /* jcc (short) */
                if (test_cc(c->b, ctxt->eflags))
                        jmp_rel(c, c->src.val);
                break;
-        case 0x80 ... 0x83:     /* Grp1 */
-                switch (c->modrm_reg) {
-                case 0:
-                        goto add;
-                case 1:
-                        goto or;
-                case 2:
-                        goto adc;
-                case 3:
-                        goto sbb;
-                case 4:
-                        goto and;
-                case 5:
-                        goto sub;
-                case 6:
-                        goto xor;
-                case 7:
-                        goto cmp;
-                }
-                break;
        case 0x84 ... 0x85:
        test:
                emulate_2op_SrcV("test", c->src, c->dst, ctxt->eflags);
@@ -2793,38 +3912,24 @@ special_insn:
        case 0x86 ... 0x87:     /* xchg */
        xchg:
                /* Write back the register source. */
-                switch (c->dst.bytes) {
+                c->src.val = c->dst.val;
-                case 1:
+                write_register_operand(&c->src);
-                        *(u8 *) c->src.ptr = (u8) c->dst.val;
-                        break;
-                case 2:
-                        *(u16 *) c->src.ptr = (u16) c->dst.val;
-                        break;
-                case 4:
-                        *c->src.ptr = (u32) c->dst.val;
-                        break;  /* 64b reg: zero-extend */
-                case 8:
-                        *c->src.ptr = c->dst.val;
-                        break;
-                }
                /*
                 * Write back the memory destination with implicit LOCK
                 * prefix.
                 */
-                c->dst.val = c->src.val;
+                c->dst.val = c->src.orig_val;
                c->lock_prefix = 1;
                break;
-        case 0x88 ... 0x8b:     /* mov */
-                goto mov;
        case 0x8c:  /* mov r/m, sreg */
                if (c->modrm_reg > VCPU_SREG_GS) {
-                        emulate_ud(ctxt);
+                        rc = emulate_ud(ctxt);
                        goto done;
                }
-                c->dst.val = ops->get_segment_selector(c->modrm_reg, ctxt->vcpu);
+                c->dst.val = get_segment_selector(ctxt, c->modrm_reg);
                break;
        case 0x8d: /* lea r16/r32, m */
-                c->dst.val = c->modrm_ea;
+                c->dst.val = c->src.addr.mem.ea;
                break;
        case 0x8e: { /* mov seg, r/m16 */
                uint16_t sel;
@@ -2833,7 +3938,7 @@ special_insn:
                if (c->modrm_reg == VCPU_SREG_CS ||
                    c->modrm_reg > VCPU_SREG_GS) {
-                        emulate_ud(ctxt);
+                        rc = emulate_ud(ctxt);
                        goto done;
                }
@@ -2846,76 +3951,72 @@ special_insn:
                break;
        }
        case 0x8f:              /* pop (sole member of Grp1a) */
-                rc = emulate_grp1a(ctxt, ops);
+                rc = em_grp1a(ctxt);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
-        case 0x90: /* nop / xchg r8,rax */
+        case 0x90 ... 0x97: /* nop / xchg reg, rax */
-                if (c->dst.ptr == (unsigned long *)&c->regs[VCPU_REGS_RAX]) {
+                if (c->dst.addr.reg == &c->regs[VCPU_REGS_RAX])
-                        c->dst.type = OP_NONE;  /* nop */
                        break;
-                }
-        case 0x91 ... 0x97: /* xchg reg,rax */
-                c->src.type = OP_REG;
-                c->src.bytes = c->op_bytes;
-                c->src.ptr = (unsigned long *) &c->regs[VCPU_REGS_RAX];
-                c->src.val = *(c->src.ptr);
                goto xchg;
-        case 0x9c: /* pushf */
+        case 0x98: /* cbw/cwde/cdqe */
-                c->src.val =  (unsigned long) ctxt->eflags;
+                switch (c->op_bytes) {
-                emulate_push(ctxt, ops);
+                case 2: c->dst.val = (s8)c->dst.val; break;
-                break;
+                case 4: c->dst.val = (s16)c->dst.val; break;
-        case 0x9d: /* popf */
+                case 8: c->dst.val = (s32)c->dst.val; break;
-                c->dst.type = OP_REG;
+                }
-                c->dst.ptr = (unsigned long *) &ctxt->eflags;
-                c->dst.bytes = c->op_bytes;
-                rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
-        case 0xa0 ... 0xa3:     /* mov */
-        case 0xa4 ... 0xa5:     /* movs */
-                goto mov;
-        case 0xa6 ... 0xa7:     /* cmps */
-                c->dst.type = OP_NONE; /* Disable writeback. */
-                DPRINTF("cmps: mem1=0x%p mem2=0x%p\n", c->src.ptr, c->dst.ptr);
-                goto cmp;
        case 0xa8 ... 0xa9:     /* test ax, imm */
                goto test;
-        case 0xaa ... 0xab:     /* stos */
-                c->dst.val = c->regs[VCPU_REGS_RAX];
-                break;
-        case 0xac ... 0xad:     /* lods */
-                goto mov;
-        case 0xae ... 0xaf:     /* scas */
-                DPRINTF("Urk! I don't handle SCAS.\n");
-                goto cannot_emulate;
-        case 0xb0 ... 0xbf: /* mov r, imm */
-                goto mov;
        case 0xc0 ... 0xc1:
-                emulate_grp2(ctxt);
+                rc = em_grp2(ctxt);
                break;
        case 0xc3: /* ret */
                c->dst.type = OP_REG;
-                c->dst.ptr = &c->eip;
+                c->dst.addr.reg = &c->eip;
                c->dst.bytes = c->op_bytes;
-                goto pop_instruction;
+                rc = em_pop(ctxt);
-        case 0xc6 ... 0xc7:     /* mov (sole member of Grp11) */
+                break;
-        mov:
+        case 0xc4:              /* les */
-                c->dst.val = c->src.val;
+                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_ES);
+                break;
+        case 0xc5:              /* lds */
+                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
                break;
        case 0xcb:              /* ret far */
                rc = emulate_ret_far(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
+                break;
-                        goto done;
+        case 0xcc:              /* int3 */
+                irq = 3;
+                goto do_interrupt;
+        case 0xcd:              /* int n */
+                irq = c->src.val;
+        do_interrupt:
+                rc = emulate_int(ctxt, ops, irq);
+                break;
+        case 0xce:              /* into */
+                if (ctxt->eflags & EFLG_OF) {
+                        irq = 4;
+                        goto do_interrupt;
+                }
+                break;
+        case 0xcf:              /* iret */
+                rc = emulate_iret(ctxt, ops);
                break;
        case 0xd0 ... 0xd1:     /* Grp2 */
-                c->src.val = 1;
+                rc = em_grp2(ctxt);
-                emulate_grp2(ctxt);
                break;
        case 0xd2 ... 0xd3:     /* Grp2 */
                c->src.val = c->regs[VCPU_REGS_RCX];
-                emulate_grp2(ctxt);
+                rc = em_grp2(ctxt);
+                break;
+        case 0xe0 ... 0xe2:     /* loop/loopz/loopnz */
+                register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
+                if (address_mask(c, c->regs[VCPU_REGS_RCX]) != 0 &&
+                    (c->b == 0xe2 || test_cc(c->b ^ 0x5, ctxt->eflags)))
+                        jmp_rel(c, c->src.val);
+                break;
+        case 0xe3:      /* jcxz/jecxz/jrcxz */
+                if (address_mask(c, c->regs[VCPU_REGS_RCX]) == 0)
+                        jmp_rel(c, c->src.val);
                break;
        case 0xe4:      /* inb */
        case 0xe5:      /* in */
@@ -2927,23 +4028,14 @@ special_insn:
                long int rel = c->src.val;
                c->src.val = (unsigned long) c->eip;
                jmp_rel(c, rel);
-                emulate_push(ctxt, ops);
+                rc = em_push(ctxt);
                break;
        }
        case 0xe9: /* jmp rel */
                goto jmp;
-        case 0xea: { /* jmp far */
+        case 0xea: /* jmp far */
-                unsigned short sel;
+                rc = em_jmp_far(ctxt);
-        jump_far:
-                memcpy(&sel, c->src.valptr + c->op_bytes, 2);
-                if (load_segment_descriptor(ctxt, ops, sel, VCPU_SREG_CS))
-                        goto done;
-                c->eip = 0;
-                memcpy(&c->eip, c->src.valptr, c->op_bytes);
                break;
-        }
        case 0xeb:
              jmp:              /* jmp rel short */
                jmp_rel(c, c->src.val);
@@ -2951,87 +4043,71 @@ special_insn:
                break;
        case 0xec: /* in al,dx */
        case 0xed: /* in (e/r)ax,dx */
-                c->src.val = c->regs[VCPU_REGS_RDX];
        do_io_in:
-                c->dst.bytes = min(c->dst.bytes, 4u);
-                if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
-                        emulate_gp(ctxt, 0);
-                        goto done;
-                }
                if (!pio_in_emulated(ctxt, ops, c->dst.bytes, c->src.val,
                                     &c->dst.val))
                        goto done; /* IO is needed */
                break;
        case 0xee: /* out dx,al */
        case 0xef: /* out dx,(e/r)ax */
-                c->src.val = c->regs[VCPU_REGS_RDX];
        do_io_out:
-                c->dst.bytes = min(c->dst.bytes, 4u);
+                ops->pio_out_emulated(ctxt, c->src.bytes, c->dst.val,
-                if (!emulator_io_permited(ctxt, ops, c->src.val, c->dst.bytes)) {
+                                      &c->src.val, 1);
-                        emulate_gp(ctxt, 0);
-                        goto done;
-                }
-                ops->pio_out_emulated(c->dst.bytes, c->src.val, &c->dst.val, 1,
-                                      ctxt->vcpu);
                c->dst.type = OP_NONE;  /* Disable writeback. */
                break;
        case 0xf4:              /* hlt */
-                ctxt->vcpu->arch.halt_request = 1;
+                ctxt->ops->halt(ctxt);
                break;
        case 0xf5:      /* cmc */
                /* complement carry flag from eflags reg */
                ctxt->eflags ^= EFLG_CF;
-                c->dst.type = OP_NONE;  /* Disable writeback. */
                break;
        case 0xf6 ... 0xf7:     /* Grp3 */
-                if (!emulate_grp3(ctxt, ops))
+                rc = em_grp3(ctxt);
-                        goto cannot_emulate;
                break;
        case 0xf8: /* clc */
                ctxt->eflags &= ~EFLG_CF;
-                c->dst.type = OP_NONE;  /* Disable writeback. */
+                break;
+        case 0xf9: /* stc */
+                ctxt->eflags |= EFLG_CF;
                break;
        case 0xfa: /* cli */
                if (emulator_bad_iopl(ctxt, ops)) {
-                        emulate_gp(ctxt, 0);
+                        rc = emulate_gp(ctxt, 0);
                        goto done;
-                } else {
+                } else
                        ctxt->eflags &= ~X86_EFLAGS_IF;
-                        c->dst.type = OP_NONE;  /* Disable writeback. */
-                }
                break;
        case 0xfb: /* sti */
                if (emulator_bad_iopl(ctxt, ops)) {
-                        emulate_gp(ctxt, 0);
+                        rc = emulate_gp(ctxt, 0);
                        goto done;
                } else {
                        ctxt->interruptibility = KVM_X86_SHADOW_INT_STI;
                        ctxt->eflags |= X86_EFLAGS_IF;
-                        c->dst.type = OP_NONE;  /* Disable writeback. */
                }
                break;
        case 0xfc: /* cld */
                ctxt->eflags &= ~EFLG_DF;
-                c->dst.type = OP_NONE;  /* Disable writeback. */
                break;
        case 0xfd: /* std */
                ctxt->eflags |= EFLG_DF;
-                c->dst.type = OP_NONE;  /* Disable writeback. */
                break;
        case 0xfe: /* Grp4 */
-        grp45:
+                rc = em_grp45(ctxt);
-                rc = emulate_grp45(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
        case 0xff: /* Grp5 */
-                if (c->modrm_reg == 5)
+                rc = em_grp45(ctxt);
-                        goto jump_far;
+                break;
-                goto grp45;
+        default:
+                goto cannot_emulate;
        }
+        if (rc != X86EMUL_CONTINUE)
+                goto done;
 writeback:
-        rc = writeback(ctxt, ops);
+        rc = writeback(ctxt);
        if (rc != X86EMUL_CONTINUE)
                goto done;
@@ -3042,165 +4118,82 @@ writeback:
        c->dst.type = saved_dst_type;
        if ((c->d & SrcMask) == SrcSI)
-                string_addr_inc(ctxt, seg_override_base(ctxt, ops, c),
+                string_addr_inc(ctxt, seg_override(ctxt, c),
                                VCPU_REGS_RSI, &c->src);
        if ((c->d & DstMask) == DstDI)
-                string_addr_inc(ctxt, es_base(ctxt, ops), VCPU_REGS_RDI,
+                string_addr_inc(ctxt, VCPU_SREG_ES, VCPU_REGS_RDI,
                                &c->dst);
        if (c->rep_prefix && (c->d & String)) {
-                struct read_cache *rc = &ctxt->decode.io_read;
+                struct read_cache *r = &ctxt->decode.io_read;
                register_address_increment(c, &c->regs[VCPU_REGS_RCX], -1);
-                /*
-                 * Re-enter guest when pio read ahead buffer is empty or,
+                if (!string_insn_completed(ctxt)) {
-                 * if it is not used, after each 1024 iteration.
+                        /*
-                 */
+                         * Re-enter guest when pio read ahead buffer is empty
-                if ((rc->end == 0 && !(c->regs[VCPU_REGS_RCX] & 0x3ff)) ||
+                         * or, if it is not used, after each 1024 iteration.
-                    (rc->end != 0 && rc->end == rc->pos))
+                         */
-                        ctxt->restart = false;
+                        if ((r->end != 0 || c->regs[VCPU_REGS_RCX] & 0x3ff) &&
+                            (r->end == 0 || r->end != r->pos)) {
+                                /*
+                                 * Reset read cache. Usually happens before
+                                 * decode, but since instruction is restarted
+                                 * we have to do it here.
+                                 */
+                                ctxt->decode.mem_read.end = 0;
+                                return EMULATION_RESTART;
+                        }
+                        goto done; /* skip rip writeback */
+                }
        }
-        /*
-         * reset read cache here in case string instruction is restared
-         * without decoding
-         */
-        ctxt->decode.mem_read.end = 0;
        ctxt->eip = c->eip;
 done:
-        return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
+        if (rc == X86EMUL_PROPAGATE_FAULT)
+                ctxt->have_exception = true;
+        if (rc == X86EMUL_INTERCEPTED)
+                return EMULATION_INTERCEPTED;
+        return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
 twobyte_insn:
        switch (c->b) {
-        case 0x01: /* lgdt, lidt, lmsw */
-                switch (c->modrm_reg) {
-                        u16 size;
-                        unsigned long address;
-                case 0: /* vmcall */
-                        if (c->modrm_mod != 3 || c->modrm_rm != 1)
-                                goto cannot_emulate;
-                        rc = kvm_fix_hypercall(ctxt->vcpu);
-                        if (rc != X86EMUL_CONTINUE)
-                                goto done;
-                        /* Let the processor re-execute the fixed hypercall */
-                        c->eip = ctxt->eip;
-                        /* Disable writeback. */
-                        c->dst.type = OP_NONE;
-                        break;
-                case 2: /* lgdt */
-                        rc = read_descriptor(ctxt, ops, c->src.ptr,
-                                             &size, &address, c->op_bytes);
-                        if (rc != X86EMUL_CONTINUE)
-                                goto done;
-                        realmode_lgdt(ctxt->vcpu, size, address);
-                        /* Disable writeback. */
-                        c->dst.type = OP_NONE;
-                        break;
-                case 3: /* lidt/vmmcall */
-                        if (c->modrm_mod == 3) {
-                                switch (c->modrm_rm) {
-                                case 1:
-                                        rc = kvm_fix_hypercall(ctxt->vcpu);
-                                        if (rc != X86EMUL_CONTINUE)
-                                                goto done;
-                                        break;
-                                default:
-                                        goto cannot_emulate;
-                                }
-                        } else {
-                                rc = read_descriptor(ctxt, ops, c->src.ptr,
-                                                     &size, &address,
-                                                     c->op_bytes);
-                                if (rc != X86EMUL_CONTINUE)
-                                        goto done;
-                                realmode_lidt(ctxt->vcpu, size, address);
-                        }
-                        /* Disable writeback. */
-                        c->dst.type = OP_NONE;
-                        break;
-                case 4: /* smsw */
-                        c->dst.bytes = 2;
-                        c->dst.val = ops->get_cr(0, ctxt->vcpu);
-                        break;
-                case 6: /* lmsw */
-                        ops->set_cr(0, (ops->get_cr(0, ctxt->vcpu) & ~0x0ful) |
-                                    (c->src.val & 0x0f), ctxt->vcpu);
-                        c->dst.type = OP_NONE;
-                        break;
-                case 5: /* not defined */
-                        emulate_ud(ctxt);
-                        goto done;
-                case 7: /* invlpg*/
-                        emulate_invlpg(ctxt->vcpu, c->modrm_ea);
-                        /* Disable writeback. */
-                        c->dst.type = OP_NONE;
-                        break;
-                default:
-                        goto cannot_emulate;
-                }
-                break;
        case 0x05:              /* syscall */
                rc = emulate_syscall(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                else
-                        goto writeback;
                break;
        case 0x06:
-                emulate_clts(ctxt->vcpu);
+                rc = em_clts(ctxt);
-                c->dst.type = OP_NONE;
                break;
        case 0x09:              /* wbinvd */
-                kvm_emulate_wbinvd(ctxt->vcpu);
+                (ctxt->ops->wbinvd)(ctxt);
-                c->dst.type = OP_NONE;
                break;
        case 0x08:              /* invd */
        case 0x0d:              /* GrpP (prefetch) */
        case 0x18:              /* Grp16 (prefetch/nop) */
-                c->dst.type = OP_NONE;
                break;
        case 0x20: /* mov cr, reg */
-                switch (c->modrm_reg) {
+                c->dst.val = ops->get_cr(ctxt, c->modrm_reg);
-                case 1:
-                case 5 ... 7:
-                case 9 ... 15:
-                        emulate_ud(ctxt);
-                        goto done;
-                }
-                c->regs[c->modrm_rm] = ops->get_cr(c->modrm_reg, ctxt->vcpu);
-                c->dst.type = OP_NONE;  /* no writeback */
                break;
        case 0x21: /* mov from dr to reg */
-                if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
+                ops->get_dr(ctxt, c->modrm_reg, &c->dst.val);
-                    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
-                        emulate_ud(ctxt);
-                        goto done;
-                }
-                ops->get_dr(c->modrm_reg, &c->regs[c->modrm_rm], ctxt->vcpu);
-                c->dst.type = OP_NONE;  /* no writeback */
                break;
        case 0x22: /* mov reg, cr */
-                if (ops->set_cr(c->modrm_reg, c->modrm_val, ctxt->vcpu)) {
+                if (ops->set_cr(ctxt, c->modrm_reg, c->src.val)) {
                        emulate_gp(ctxt, 0);
+                        rc = X86EMUL_PROPAGATE_FAULT;
                        goto done;
                }
                c->dst.type = OP_NONE;
                break;
        case 0x23: /* mov from reg to dr */
-                if ((ops->get_cr(4, ctxt->vcpu) & X86_CR4_DE) &&
+                if (ops->set_dr(ctxt, c->modrm_reg, c->src.val &
-                    (c->modrm_reg == 4 || c->modrm_reg == 5)) {
-                        emulate_ud(ctxt);
-                        goto done;
-                }
-                if (ops->set_dr(c->modrm_reg, c->regs[c->modrm_rm] &
                                ((ctxt->mode == X86EMUL_MODE_PROT64) ?
-                                 ~0ULL : ~0U), ctxt->vcpu) < 0) {
+                                 ~0ULL : ~0U)) < 0) {
                        /* #UD condition is already handled by the code above */
                        emulate_gp(ctxt, 0);
+                        rc = X86EMUL_PROPAGATE_FAULT;
                        goto done;
                }
@@ -3210,38 +4203,30 @@ twobyte_insn:
                /* wrmsr */
                msr_data = (u32)c->regs[VCPU_REGS_RAX]
                        | ((u64)c->regs[VCPU_REGS_RDX] << 32);
-                if (ops->set_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], msr_data)) {
+                if (ops->set_msr(ctxt, c->regs[VCPU_REGS_RCX], msr_data)) {
                        emulate_gp(ctxt, 0);
+                        rc = X86EMUL_PROPAGATE_FAULT;
                        goto done;
                }
                rc = X86EMUL_CONTINUE;
-                c->dst.type = OP_NONE;
                break;
        case 0x32:
                /* rdmsr */
-                if (ops->get_msr(ctxt->vcpu, c->regs[VCPU_REGS_RCX], &msr_data)) {
+                if (ops->get_msr(ctxt, c->regs[VCPU_REGS_RCX], &msr_data)) {
                        emulate_gp(ctxt, 0);
+                        rc = X86EMUL_PROPAGATE_FAULT;
                        goto done;
                } else {
                        c->regs[VCPU_REGS_RAX] = (u32)msr_data;
                        c->regs[VCPU_REGS_RDX] = msr_data >> 32;
                }
                rc = X86EMUL_CONTINUE;
-                c->dst.type = OP_NONE;
                break;
        case 0x34:              /* sysenter */
                rc = emulate_sysenter(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                else
-                        goto writeback;
                break;
        case 0x35:              /* sysexit */
                rc = emulate_sysexit(ctxt, ops);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
-                else
-                        goto writeback;
                break;
        case 0x40 ... 0x4f:     /* cmov */
                c->dst.val = c->dst.orig_val = c->src.val;
@@ -3251,15 +4236,15 @@ twobyte_insn:
        case 0x80 ... 0x8f: /* jnz rel, etc*/
                if (test_cc(c->b, ctxt->eflags))
                        jmp_rel(c, c->src.val);
-                c->dst.type = OP_NONE;
+                break;
+        case 0x90 ... 0x9f:     /* setcc r/m8 */
+                c->dst.val = test_cc(c->b, ctxt->eflags);
                break;
        case 0xa0:        /* push fs */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
                break;
        case 0xa1:       /* pop fs */
                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
        case 0xa3:
              bt:               /* bt */
@@ -3273,17 +4258,13 @@ twobyte_insn:
                emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
                break;
        case 0xa8:      /* push gs */
-                emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
+                rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
                break;
        case 0xa9:      /* pop gs */
                rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
        case 0xab:
              bts:              /* bts */
-                /* only subword offset */
-                c->src.val &= (c->dst.bytes << 3) - 1;
                emulate_2op_SrcV_nobyte("bts", c->src, c->dst, ctxt->eflags);
                break;
        case 0xac: /* shrd imm8, r, r/m */
@@ -3306,15 +4287,22 @@ twobyte_insn:
                } else {
                        /* Failure: write the value we saw to EAX. */
                        c->dst.type = OP_REG;
-                        c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
+                        c->dst.addr.reg = (unsigned long *)&c->regs[VCPU_REGS_RAX];
                }
                break;
+        case 0xb2:              /* lss */
+                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_SS);
+                break;
        case 0xb3:
              btr:              /* btr */
-                /* only subword offset */
-                c->src.val &= (c->dst.bytes << 3) - 1;
                emulate_2op_SrcV_nobyte("btr", c->src, c->dst, ctxt->eflags);
                break;
+        case 0xb4:              /* lfs */
+                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_FS);
+                break;
+        case 0xb5:              /* lgs */
+                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_GS);
+                break;
        case 0xb6 ... 0xb7:     /* movzx */
                c->dst.bytes = c->op_bytes;
                c->dst.val = (c->d & ByteOp) ? (u8) c->src.val
@@ -3334,29 +4322,60 @@ twobyte_insn:
                break;
        case 0xbb:
              btc:              /* btc */
-                /* only subword offset */
-                c->src.val &= (c->dst.bytes << 3) - 1;
                emulate_2op_SrcV_nobyte("btc", c->src, c->dst, ctxt->eflags);
                break;
+        case 0xbc: {            /* bsf */
+                u8 zf;
+                __asm__ ("bsf %2, %0; setz %1"
+                         : "=r"(c->dst.val), "=q"(zf)
+                         : "r"(c->src.val));
+                ctxt->eflags &= ~X86_EFLAGS_ZF;
+                if (zf) {
+                        ctxt->eflags |= X86_EFLAGS_ZF;
+                        c->dst.type = OP_NONE;  /* Disable writeback. */
+                }
+                break;
+        }
+        case 0xbd: {            /* bsr */
+                u8 zf;
+                __asm__ ("bsr %2, %0; setz %1"
+                         : "=r"(c->dst.val), "=q"(zf)
+                         : "r"(c->src.val));
+                ctxt->eflags &= ~X86_EFLAGS_ZF;
+                if (zf) {
+                        ctxt->eflags |= X86_EFLAGS_ZF;
+                        c->dst.type = OP_NONE;  /* Disable writeback. */
+                }
+                break;
+        }
        case 0xbe ... 0xbf:     /* movsx */
                c->dst.bytes = c->op_bytes;
                c->dst.val = (c->d & ByteOp) ? (s8) c->src.val :
                                                        (s16) c->src.val;
                break;
+        case 0xc0 ... 0xc1:     /* xadd */
+                emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
+                /* Write back the register source. */
+                c->src.val = c->dst.orig_val;
+                write_register_operand(&c->src);
+                break;
        case 0xc3:              /* movnti */
                c->dst.bytes = c->op_bytes;
                c->dst.val = (c->op_bytes == 4) ? (u32) c->src.val :
                                                        (u64) c->src.val;
                break;
        case 0xc7:              /* Grp9 (cmpxchg8b) */
-                rc = emulate_grp9(ctxt, ops);
+                rc = em_grp9(ctxt);
-                if (rc != X86EMUL_CONTINUE)
-                        goto done;
                break;
+        default:
+                goto cannot_emulate;
        }
+        if (rc != X86EMUL_CONTINUE)
+                goto done;
        goto writeback;
 cannot_emulate:
-        DPRINTF("Cannot emulate %02x\n", c->b);
+        return EMULATION_FAILED;
-        return -1;
 }
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index ddeb2314b522..efad72385058 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -5,7 +5,7 @@
 * Copyright (c) 2006 Intel Corporation
 * Copyright (c) 2007 Keir Fraser, XenSource Inc
 * Copyright (c) 2008 Intel Corporation
- * Copyright 2009 Red Hat, Inc. and/or its affilates.
+ * Copyright 2009 Red Hat, Inc. and/or its affiliates.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
@@ -232,15 +232,6 @@ static void pit_latch_status(struct kvm *kvm, int channel)
        }
 }
-int pit_has_pending_timer(struct kvm_vcpu *vcpu)
-{
-        struct kvm_pit *pit = vcpu->kvm->arch.vpit;
-        if (pit && kvm_vcpu_is_bsp(vcpu) && pit->pit_state.irq_ack)
-                return atomic_read(&pit->pit_state.pit_timer.pending);
-        return 0;
-}
 static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier *kian)
 {
        struct kvm_kpit_state *ps = container_of(kian, struct kvm_kpit_state,
diff --git a/arch/x86/kvm/i8254.h b/arch/x86/kvm/i8254.h
index 46d08ca0b48f..51a97426e791 100644
--- a/arch/x86/kvm/i8254.h
+++ b/arch/x86/kvm/i8254.h
@@ -33,7 +33,6 @@ struct kvm_kpit_state {
 };
 struct kvm_pit {
-        unsigned long base_addresss;
        struct kvm_io_device dev;
        struct kvm_io_device speaker_dev;
        struct kvm *kvm;
@@ -51,7 +50,6 @@ struct kvm_pit {
 #define KVM_MAX_PIT_INTR_INTERVAL   HZ / 100
 #define KVM_PIT_CHANNEL_MASK        0x3
-void kvm_inject_pit_timer_irqs(struct kvm_vcpu *vcpu);
 void kvm_pit_load_count(struct kvm *kvm, int channel, u32 val, int hpet_legacy_start);
 struct kvm_pit *kvm_create_pit(struct kvm *kvm, u32 flags);
 void kvm_free_pit(struct kvm *kvm);
diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c
index 4b7b73ce2098..19fe855e7953 100644
--- a/arch/x86/kvm/i8259.c
+++ b/arch/x86/kvm/i8259.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2003-2004 Fabrice Bellard
 * Copyright (c) 2007 Intel Corporation
- * Copyright 2009 Red Hat, Inc. and/or its affilates.
+ * Copyright 2009 Red Hat, Inc. and/or its affiliates.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
@@ -39,7 +39,7 @@ static void pic_irq_request(struct kvm *kvm, int level);
 static void pic_lock(struct kvm_pic *s)
        __acquires(&s->lock)
 {
-        raw_spin_lock(&s->lock);
+        spin_lock(&s->lock);
 }
 static void pic_unlock(struct kvm_pic *s)
@@ -51,7 +51,7 @@ static void pic_unlock(struct kvm_pic *s)
        s->wakeup_needed = false;
-        raw_spin_unlock(&s->lock);
+        spin_unlock(&s->lock);
        if (wakeup) {
                kvm_for_each_vcpu(i, vcpu, s->kvm) {
@@ -62,11 +62,9 @@ static void pic_unlock(struct kvm_pic *s)
                }
                if (!found)
-                        found = s->kvm->bsp_vcpu;
-                if (!found)
                        return;
+                kvm_make_request(KVM_REQ_EVENT, found);
                kvm_vcpu_kick(found);
        }
 }
@@ -74,7 +72,6 @@ static void pic_unlock(struct kvm_pic *s)
 static void pic_clear_isr(struct kvm_kpic_state *s, int irq)
 {
        s->isr &= ~(1 << irq);
-        s->isr_ack |= (1 << irq);
        if (s != &s->pics_state->pics[0])
                irq += 8;
        /*
@@ -88,16 +85,6 @@ static void pic_clear_isr(struct kvm_kpic_state *s, int irq)
        pic_lock(s->pics_state);
 }
-void kvm_pic_clear_isr_ack(struct kvm *kvm)
-{
-        struct kvm_pic *s = pic_irqchip(kvm);
-        pic_lock(s);
-        s->pics[0].isr_ack = 0xff;
-        s->pics[1].isr_ack = 0xff;
-        pic_unlock(s);
-}
 /*
 * set irq level. If an edge is detected, then the IRR is set to 1
 */
@@ -280,7 +267,6 @@ void kvm_pic_reset(struct kvm_kpic_state *s)
        s->irr = 0;
        s->imr = 0;
        s->isr = 0;
-        s->isr_ack = 0xff;
        s->priority_add = 0;
        s->irq_base = 0;
        s->read_reg_select = 0;
@@ -308,13 +294,17 @@ static void pic_ioport_write(void *opaque, u32 addr, u32 val)
        addr &= 1;
        if (addr == 0) {
                if (val & 0x10) {
-                        kvm_pic_reset(s);       /* init */
-                        /*
-                         * deassert a pending interrupt
-                         */
-                        pic_irq_request(s->pics_state->kvm, 0);
-                        s->init_state = 1;
                        s->init4 = val & 1;
+                        s->last_irr = 0;
+                        s->imr = 0;
+                        s->priority_add = 0;
+                        s->special_mask = 0;
+                        s->read_reg_select = 0;
+                        if (!s->init4) {
+                                s->special_fully_nested_mode = 0;
+                                s->auto_eoi = 0;
+                        }
+                        s->init_state = 1;
                        if (val & 0x02)
                                printk(KERN_ERR "single mode not supported");
                        if (val & 0x08)
@@ -540,15 +530,11 @@ static int picdev_read(struct kvm_io_device *this,
 */
 static void pic_irq_request(struct kvm *kvm, int level)
 {
-        struct kvm_vcpu *vcpu = kvm->bsp_vcpu;
        struct kvm_pic *s = pic_irqchip(kvm);
-        int irq = pic_get_irq(&s->pics[0]);
-        s->output = level;
+        if (!s->output)
-        if (vcpu && level && (s->pics[0].isr_ack & (1 << irq))) {
-                s->pics[0].isr_ack &= ~(1 << irq);
                s->wakeup_needed = true;
-        }
+        s->output = level;
 }
 static const struct kvm_io_device_ops picdev_ops = {
@@ -564,7 +550,7 @@ struct kvm_pic *kvm_create_pic(struct kvm *kvm)
        s = kzalloc(sizeof(struct kvm_pic), GFP_KERNEL);
        if (!s)
                return NULL;
-        raw_spin_lock_init(&s->lock);
+        spin_lock_init(&s->lock);
        s->kvm = kvm;
        s->pics[0].elcr_mask = 0xf8;
        s->pics[1].elcr_mask = 0xde;
diff --git a/arch/x86/kvm/irq.c b/arch/x86/kvm/irq.c
index 2095a049835e..7e06ba1618bd 100644
--- a/arch/x86/kvm/irq.c
+++ b/arch/x86/kvm/irq.c
@@ -1,7 +1,7 @@
 /*
 * irq.c: API for in kernel interrupt controller
 * Copyright (c) 2007, Intel Corporation.
- * Copyright 2009 Red Hat, Inc. and/or its affilates.
+ * Copyright 2009 Red Hat, Inc. and/or its affiliates.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -33,12 +33,7 @@
 */
 int kvm_cpu_has_pending_timer(struct kvm_vcpu *vcpu)
 {
-        int ret;
+        return apic_has_pending_timer(vcpu);
-        ret = pit_has_pending_timer(vcpu);
-        ret |= apic_has_pending_timer(vcpu);
-        return ret;
 }
 EXPORT_SYMBOL(kvm_cpu_has_pending_timer);
diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
index 63c314502993..53e2d084bffb 100644
--- a/arch/x86/kvm/irq.h
+++ b/arch/x86/kvm/irq.h
@@ -60,7 +60,7 @@ struct kvm_kpic_state {
 };
 struct kvm_pic {
-        raw_spinlock_t lock;
+        spinlock_t lock;
        bool wakeup_needed;
        unsigned pending_acks;
        struct kvm *kvm;
@@ -75,7 +75,6 @@ struct kvm_pic *kvm_create_pic(struct kvm *kvm);
 void kvm_destroy_pic(struct kvm *kvm);
 int kvm_pic_read_irq(struct kvm *kvm);
 void kvm_pic_update_irq(struct kvm_pic *s);
-void kvm_pic_clear_isr_ack(struct kvm *kvm);
 static inline struct kvm_pic *pic_irqchip(struct kvm *kvm)
 {
@@ -100,7 +99,6 @@ void __kvm_migrate_apic_timer(struct kvm_vcpu *vcpu);
 void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu);
 void __kvm_migrate_timers(struct kvm_vcpu *vcpu);
-int pit_has_pending_timer(struct kvm_vcpu *vcpu);
 int apic_has_pending_timer(struct kvm_vcpu *vcpu);
 #endif
diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h
index 6491ac8e755b..3377d53fcd36 100644
--- a/arch/x86/kvm/kvm_cache_regs.h
+++ b/arch/x86/kvm/kvm_cache_regs.h
@@ -42,7 +42,14 @@ static inline u64 kvm_pdptr_read(struct kvm_vcpu *vcpu, int index)
                      (unsigned long *)&vcpu->arch.regs_avail))
                kvm_x86_ops->cache_reg(vcpu, VCPU_EXREG_PDPTR);
-        return vcpu->arch.pdptrs[index];
+        return vcpu->arch.walk_mmu->pdptrs[index];
+}
+static inline u64 kvm_pdptr_read_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, int index)
+{
+        load_pdptrs(vcpu, mmu, mmu->get_cr3(vcpu));
+        return mmu->pdptrs[index];
 }
 static inline ulong kvm_read_cr0_bits(struct kvm_vcpu *vcpu, ulong mask)
@@ -66,6 +73,13 @@ static inline ulong kvm_read_cr4_bits(struct kvm_vcpu *vcpu, ulong mask)
        return vcpu->arch.cr4 & mask;
 }
+static inline ulong kvm_read_cr3(struct kvm_vcpu *vcpu)
+{
+        if (!test_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail))
+                kvm_x86_ops->decache_cr3(vcpu);
+        return vcpu->arch.cr3;
+}
 static inline ulong kvm_read_cr4(struct kvm_vcpu *vcpu)
 {
        return kvm_read_cr4_bits(vcpu, ~0UL);
@@ -77,4 +91,19 @@ static inline u64 kvm_read_edx_eax(struct kvm_vcpu *vcpu)
                | ((u64)(kvm_register_read(vcpu, VCPU_REGS_RDX) & -1u) << 32);
 }
+static inline void enter_guest_mode(struct kvm_vcpu *vcpu)
+{
+        vcpu->arch.hflags |= HF_GUEST_MASK;
+}
+static inline void leave_guest_mode(struct kvm_vcpu *vcpu)
+{
+        vcpu->arch.hflags &= ~HF_GUEST_MASK;
+}
+static inline bool is_guest_mode(struct kvm_vcpu *vcpu)
+{
+        return vcpu->arch.hflags & HF_GUEST_MASK;
+}
 #endif
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 77d8c0f4817d..2b2255b1f04b 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -5,7 +5,7 @@
 * Copyright (C) 2006 Qumranet, Inc.
 * Copyright (C) 2007 Novell
 * Copyright (C) 2007 Intel
- * Copyright 2009 Red Hat, Inc. and/or its affilates.
+ * Copyright 2009 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Dor Laor <dor.laor@qumranet.com>
@@ -259,9 +259,10 @@ static inline int apic_find_highest_isr(struct kvm_lapic *apic)
 static void apic_update_ppr(struct kvm_lapic *apic)
 {
-        u32 tpr, isrv, ppr;
+        u32 tpr, isrv, ppr, old_ppr;
        int isr;
+        old_ppr = apic_get_reg(apic, APIC_PROCPRI);
        tpr = apic_get_reg(apic, APIC_TASKPRI);
        isr = apic_find_highest_isr(apic);
        isrv = (isr != -1) ? isr : 0;
@@ -274,7 +275,11 @@ static void apic_update_ppr(struct kvm_lapic *apic)
        apic_debug("vlapic %p, ppr 0x%x, isr 0x%x, isrv 0x%x",
                   apic, ppr, isr, isrv);
-        apic_set_reg(apic, APIC_PROCPRI, ppr);
+        if (old_ppr != ppr) {
+                apic_set_reg(apic, APIC_PROCPRI, ppr);
+                if (ppr < old_ppr)
+                        kvm_make_request(KVM_REQ_EVENT, apic->vcpu);
+        }
 }
 static void apic_set_tpr(struct kvm_lapic *apic, u32 tpr)
@@ -391,6 +396,7 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
                        break;
                }
+                kvm_make_request(KVM_REQ_EVENT, vcpu);
                kvm_vcpu_kick(vcpu);
                break;
@@ -411,11 +417,8 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
        case APIC_DM_INIT:
                if (level) {
                        result = 1;
-                        if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE)
-                                printk(KERN_DEBUG
-                                       "INIT on a runnable vcpu %d\n",
-                                       vcpu->vcpu_id);
                        vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
+                        kvm_make_request(KVM_REQ_EVENT, vcpu);
                        kvm_vcpu_kick(vcpu);
                } else {
                        apic_debug("Ignoring de-assert INIT to vcpu %d\n",
@@ -430,6 +433,7 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
                        result = 1;
                        vcpu->arch.sipi_vector = vector;
                        vcpu->arch.mp_state = KVM_MP_STATE_SIPI_RECEIVED;
+                        kvm_make_request(KVM_REQ_EVENT, vcpu);
                        kvm_vcpu_kick(vcpu);
                }
                break;
@@ -475,6 +479,7 @@ static void apic_set_eoi(struct kvm_lapic *apic)
                trigger_mode = IOAPIC_EDGE_TRIG;
        if (!(apic_get_reg(apic, APIC_SPIV) & APIC_SPIV_DIRECTED_EOI))
                kvm_ioapic_update_eoi(apic->vcpu->kvm, vector, trigger_mode);
+        kvm_make_request(KVM_REQ_EVENT, apic->vcpu);
 }
 static void apic_send_ipi(struct kvm_lapic *apic)
@@ -866,8 +871,8 @@ void kvm_free_lapic(struct kvm_vcpu *vcpu)
        hrtimer_cancel(&vcpu->arch.apic->lapic_timer.timer);
-        if (vcpu->arch.apic->regs_page)
+        if (vcpu->arch.apic->regs)
-                __free_page(vcpu->arch.apic->regs_page);
+                free_page((unsigned long)vcpu->arch.apic->regs);
        kfree(vcpu->arch.apic);
 }
@@ -1056,14 +1061,12 @@ int kvm_create_lapic(struct kvm_vcpu *vcpu)
        vcpu->arch.apic = apic;
-        apic->regs_page = alloc_page(GFP_KERNEL);
+        apic->regs = (void *)get_zeroed_page(GFP_KERNEL);
-        if (apic->regs_page == NULL) {
+        if (!apic->regs) {
                printk(KERN_ERR "malloc apic regs error for vcpu %x\n",
                       vcpu->vcpu_id);
                goto nomem_free_apic;
        }
-        apic->regs = page_address(apic->regs_page);
-        memset(apic->regs, 0, PAGE_SIZE);
        apic->vcpu = vcpu;
        hrtimer_init(&apic->lapic_timer.timer, CLOCK_MONOTONIC,
@@ -1152,6 +1155,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu)
        update_divide_count(apic);
        start_apic_timer(apic);
        apic->irr_pending = true;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
 }
 void __kvm_migrate_apic_timer(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index f5fe32c5edad..52c9e6b9e725 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -13,7 +13,6 @@ struct kvm_lapic {
        u32 divide_count;
        struct kvm_vcpu *vcpu;
        bool irr_pending;
-        struct page *regs_page;
        void *regs;
        gpa_t vapic_addr;
        struct page *vapic_page;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 311f6dad8951..aee38623b768 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -7,7 +7,7 @@
 * MMU support
 *
 * Copyright (C) 2006 Qumranet, Inc.
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Yaniv Kamay  <yaniv@qumranet.com>
@@ -18,9 +18,11 @@
 *
 */
+#include "irq.h"
 #include "mmu.h"
 #include "x86.h"
 #include "kvm_cache_regs.h"
+#include "x86.h"
 #include <linux/kvm_host.h>
 #include <linux/types.h>
@@ -49,15 +51,25 @@
 */
 bool tdp_enabled = false;
-#undef MMU_DEBUG
+enum {
+        AUDIT_PRE_PAGE_FAULT,
+        AUDIT_POST_PAGE_FAULT,
+        AUDIT_PRE_PTE_WRITE,
+        AUDIT_POST_PTE_WRITE,
+        AUDIT_PRE_SYNC,
+        AUDIT_POST_SYNC
+};
-#undef AUDIT
+char *audit_point_name[] = {
+        "pre page fault",
+        "post page fault",
+        "pre pte write",
+        "post pte write",
+        "pre sync",
+        "post sync"
+};
-#ifdef AUDIT
+#undef MMU_DEBUG
-static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg);
-#else
-static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg) {}
-#endif
 #ifdef MMU_DEBUG
@@ -71,7 +83,7 @@ static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg) {}
 #endif
-#if defined(MMU_DEBUG) || defined(AUDIT)
+#ifdef MMU_DEBUG
 static int dbg = 0;
 module_param(dbg, bool, 0644);
 #endif
@@ -89,6 +101,8 @@ module_param(oos_shadow, bool, 0644);
        }
 #endif
+#define PTE_PREFETCH_NUM                8
 #define PT_FIRST_AVAIL_BITS_SHIFT 9
 #define PT64_SECOND_AVAIL_BITS_SHIFT 52
@@ -97,9 +111,6 @@ module_param(oos_shadow, bool, 0644);
 #define PT64_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT64_LEVEL_BITS)
-#define PT64_LEVEL_MASK(level) \
-                (((1ULL << PT64_LEVEL_BITS) - 1) << PT64_LEVEL_SHIFT(level))
 #define PT64_INDEX(address, level)\
        (((address) >> PT64_LEVEL_SHIFT(level)) & ((1 << PT64_LEVEL_BITS) - 1))
@@ -109,8 +120,6 @@ module_param(oos_shadow, bool, 0644);
 #define PT32_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)
-#define PT32_LEVEL_MASK(level) \
-                (((1ULL << PT32_LEVEL_BITS) - 1) << PT32_LEVEL_SHIFT(level))
 #define PT32_LVL_OFFSET_MASK(level) \
        (PT32_BASE_ADDR_MASK & ((1ULL << (PAGE_SHIFT + (((level) - 1) \
                                                * PT32_LEVEL_BITS))) - 1))
@@ -178,10 +187,10 @@ typedef void (*mmu_parent_walk_fn) (struct kvm_mmu_page *sp, u64 *spte);
 static struct kmem_cache *pte_chain_cache;
 static struct kmem_cache *rmap_desc_cache;
 static struct kmem_cache *mmu_page_header_cache;
+static struct percpu_counter kvm_total_used_mmu_pages;
 static u64 __read_mostly shadow_trap_nonpresent_pte;
 static u64 __read_mostly shadow_notrap_nonpresent_pte;
-static u64 __read_mostly shadow_base_present_pte;
 static u64 __read_mostly shadow_nx_mask;
 static u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
 static u64 __read_mostly shadow_user_mask;
@@ -200,12 +209,6 @@ void kvm_mmu_set_nonpresent_ptes(u64 trap_pte, u64 notrap_pte)
 }
 EXPORT_SYMBOL_GPL(kvm_mmu_set_nonpresent_ptes);
-void kvm_mmu_set_base_ptes(u64 base_pte)
-{
-        shadow_base_present_pte = base_pte;
-}
-EXPORT_SYMBOL_GPL(kvm_mmu_set_base_ptes);
 void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask,
                u64 dirty_mask, u64 nx_mask, u64 x_mask)
 {
@@ -299,18 +302,50 @@ static u64 __xchg_spte(u64 *sptep, u64 new_spte)
 #endif
 }
+static bool spte_has_volatile_bits(u64 spte)
+{
+        if (!shadow_accessed_mask)
+                return false;
+        if (!is_shadow_present_pte(spte))
+                return false;
+        if ((spte & shadow_accessed_mask) &&
+              (!is_writable_pte(spte) || (spte & shadow_dirty_mask)))
+                return false;
+        return true;
+}
+static bool spte_is_bit_cleared(u64 old_spte, u64 new_spte, u64 bit_mask)
+{
+        return (old_spte & bit_mask) && !(new_spte & bit_mask);
+}
 static void update_spte(u64 *sptep, u64 new_spte)
 {
-        u64 old_spte;
+        u64 mask, old_spte = *sptep;
+        WARN_ON(!is_rmap_spte(new_spte));
+        new_spte |= old_spte & shadow_dirty_mask;
+        mask = shadow_accessed_mask;
+        if (is_writable_pte(old_spte))
+                mask |= shadow_dirty_mask;
-        if (!shadow_accessed_mask || (new_spte & shadow_accessed_mask) ||
+        if (!spte_has_volatile_bits(old_spte) || (new_spte & mask) == mask)
-              !is_rmap_spte(*sptep))
                __set_spte(sptep, new_spte);
-        else {
+        else
                old_spte = __xchg_spte(sptep, new_spte);
-                if (old_spte & shadow_accessed_mask)
-                        mark_page_accessed(pfn_to_page(spte_to_pfn(old_spte)));
+        if (!shadow_accessed_mask)
-        }
+                return;
+        if (spte_is_bit_cleared(old_spte, new_spte, shadow_accessed_mask))
+                kvm_set_pfn_accessed(spte_to_pfn(old_spte));
+        if (spte_is_bit_cleared(old_spte, new_spte, shadow_dirty_mask))
+                kvm_set_pfn_dirty(spte_to_pfn(old_spte));
 }
 static int mmu_topup_memory_cache(struct kvm_mmu_memory_cache *cache,
@@ -339,15 +374,15 @@ static void mmu_free_memory_cache(struct kvm_mmu_memory_cache *mc,
 static int mmu_topup_memory_cache_page(struct kvm_mmu_memory_cache *cache,
                                       int min)
 {
-        struct page *page;
+        void *page;
        if (cache->nobjs >= min)
                return 0;
        while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
-                page = alloc_page(GFP_KERNEL);
+                page = (void *)__get_free_page(GFP_KERNEL);
                if (!page)
                        return -ENOMEM;
-                cache->objects[cache->nobjs++] = page_address(page);
+                cache->objects[cache->nobjs++] = page;
        }
        return 0;
 }
@@ -367,7 +402,7 @@ static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu)
        if (r)
                goto out;
        r = mmu_topup_memory_cache(&vcpu->arch.mmu_rmap_desc_cache,
-                                   rmap_desc_cache, 4);
+                                   rmap_desc_cache, 4 + PTE_PREFETCH_NUM);
        if (r)
                goto out;
        r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8);
@@ -437,46 +472,46 @@ static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
 }
 /*
- * Return the pointer to the largepage write count for a given
+ * Return the pointer to the large page information for a given gfn,
- * gfn, handling slots that are not large page aligned.
+ * handling slots that are not large page aligned.
 */
-static int *slot_largepage_idx(gfn_t gfn,
+static struct kvm_lpage_info *lpage_info_slot(gfn_t gfn,
-                               struct kvm_memory_slot *slot,
+                                              struct kvm_memory_slot *slot,
-                               int level)
+                                              int level)
 {
        unsigned long idx;
        idx = (gfn >> KVM_HPAGE_GFN_SHIFT(level)) -
              (slot->base_gfn >> KVM_HPAGE_GFN_SHIFT(level));
-        return &slot->lpage_info[level - 2][idx].write_count;
+        return &slot->lpage_info[level - 2][idx];
 }
 static void account_shadowed(struct kvm *kvm, gfn_t gfn)
 {
        struct kvm_memory_slot *slot;
-        int *write_count;
+        struct kvm_lpage_info *linfo;
        int i;
        slot = gfn_to_memslot(kvm, gfn);
        for (i = PT_DIRECTORY_LEVEL;
             i < PT_PAGE_TABLE_LEVEL + KVM_NR_PAGE_SIZES; ++i) {
-                write_count   = slot_largepage_idx(gfn, slot, i);
+                linfo = lpage_info_slot(gfn, slot, i);
-                *write_count += 1;
+                linfo->write_count += 1;
        }
 }
 static void unaccount_shadowed(struct kvm *kvm, gfn_t gfn)
 {
        struct kvm_memory_slot *slot;
-        int *write_count;
+        struct kvm_lpage_info *linfo;
        int i;
        slot = gfn_to_memslot(kvm, gfn);
        for (i = PT_DIRECTORY_LEVEL;
             i < PT_PAGE_TABLE_LEVEL + KVM_NR_PAGE_SIZES; ++i) {
-                write_count   = slot_largepage_idx(gfn, slot, i);
+                linfo = lpage_info_slot(gfn, slot, i);
-                *write_count -= 1;
+                linfo->write_count -= 1;
-                WARN_ON(*write_count < 0);
+                WARN_ON(linfo->write_count < 0);
        }
 }
@@ -485,12 +520,12 @@ static int has_wrprotected_page(struct kvm *kvm,
                                int level)
 {
        struct kvm_memory_slot *slot;
-        int *largepage_idx;
+        struct kvm_lpage_info *linfo;
        slot = gfn_to_memslot(kvm, gfn);
        if (slot) {
-                largepage_idx = slot_largepage_idx(gfn, slot, level);
+                linfo = lpage_info_slot(gfn, slot, level);
-                return *largepage_idx;
+                return linfo->write_count;
        }
        return 1;
@@ -514,14 +549,28 @@ static int host_mapping_level(struct kvm *kvm, gfn_t gfn)
        return ret;
 }
-static int mapping_level(struct kvm_vcpu *vcpu, gfn_t large_gfn)
+static struct kvm_memory_slot *
+gfn_to_memslot_dirty_bitmap(struct kvm_vcpu *vcpu, gfn_t gfn,
+                            bool no_dirty_log)
 {
        struct kvm_memory_slot *slot;
-        int host_level, level, max_level;
-        slot = gfn_to_memslot(vcpu->kvm, large_gfn);
+        slot = gfn_to_memslot(vcpu->kvm, gfn);
-        if (slot && slot->dirty_bitmap)
+        if (!slot || slot->flags & KVM_MEMSLOT_INVALID ||
-                return PT_PAGE_TABLE_LEVEL;
+              (no_dirty_log && slot->dirty_bitmap))
+                slot = NULL;
+        return slot;
+}
+static bool mapping_level_dirty_bitmap(struct kvm_vcpu *vcpu, gfn_t large_gfn)
+{
+        return !gfn_to_memslot_dirty_bitmap(vcpu, large_gfn, true);
+}
+static int mapping_level(struct kvm_vcpu *vcpu, gfn_t large_gfn)
+{
+        int host_level, level, max_level;
        host_level = host_mapping_level(vcpu->kvm, large_gfn);
@@ -545,16 +594,15 @@ static int mapping_level(struct kvm_vcpu *vcpu, gfn_t large_gfn)
 static unsigned long *gfn_to_rmap(struct kvm *kvm, gfn_t gfn, int level)
 {
        struct kvm_memory_slot *slot;
-        unsigned long idx;
+        struct kvm_lpage_info *linfo;
        slot = gfn_to_memslot(kvm, gfn);
        if (likely(level == PT_PAGE_TABLE_LEVEL))
                return &slot->rmap[gfn - slot->base_gfn];
-        idx = (gfn >> KVM_HPAGE_GFN_SHIFT(level)) -
+        linfo = lpage_info_slot(gfn, slot, level);
-                (slot->base_gfn >> KVM_HPAGE_GFN_SHIFT(level));
-        return &slot->lpage_info[level - 2][idx].rmap_pde;
+        return &linfo->rmap_pde;
 }
 /*
@@ -591,6 +639,7 @@ static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
                desc->sptes[0] = (u64 *)*rmapp;
                desc->sptes[1] = spte;
                *rmapp = (unsigned long)desc | 1;
+                ++count;
        } else {
                rmap_printk("rmap_add: %p %llx many->many\n", spte, *spte);
                desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
@@ -603,7 +652,7 @@ static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
                        desc = desc->more;
                }
                for (i = 0; desc->sptes[i]; ++i)
-                        ;
+                        ++count;
                desc->sptes[i] = spte;
        }
        return count;
@@ -645,18 +694,17 @@ static void rmap_remove(struct kvm *kvm, u64 *spte)
        gfn = kvm_mmu_page_get_gfn(sp, spte - sp->spt);
        rmapp = gfn_to_rmap(kvm, gfn, sp->role.level);
        if (!*rmapp) {
-                printk(KERN_ERR "rmap_remove: %p %llx 0->BUG\n", spte, *spte);
+                printk(KERN_ERR "rmap_remove: %p 0->BUG\n", spte);
                BUG();
        } else if (!(*rmapp & 1)) {
-                rmap_printk("rmap_remove:  %p %llx 1->0\n", spte, *spte);
+                rmap_printk("rmap_remove:  %p 1->0\n", spte);
                if ((u64 *)*rmapp != spte) {
-                        printk(KERN_ERR "rmap_remove:  %p %llx 1->BUG\n",
+                        printk(KERN_ERR "rmap_remove:  %p 1->BUG\n", spte);
-                               spte, *spte);
                        BUG();
                }
                *rmapp = 0;
        } else {
-                rmap_printk("rmap_remove:  %p %llx many->many\n", spte, *spte);
+                rmap_printk("rmap_remove:  %p many->many\n", spte);
                desc = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
                prev_desc = NULL;
                while (desc) {
@@ -670,35 +718,36 @@ static void rmap_remove(struct kvm *kvm, u64 *spte)
                        prev_desc = desc;
                        desc = desc->more;
                }
-                pr_err("rmap_remove: %p %llx many->many\n", spte, *spte);
+                pr_err("rmap_remove: %p many->many\n", spte);
                BUG();
        }
 }
-static void set_spte_track_bits(u64 *sptep, u64 new_spte)
+static int set_spte_track_bits(u64 *sptep, u64 new_spte)
 {
        pfn_t pfn;
        u64 old_spte = *sptep;
-        if (!shadow_accessed_mask || !is_shadow_present_pte(old_spte) ||
+        if (!spte_has_volatile_bits(old_spte))
-              old_spte & shadow_accessed_mask) {
                __set_spte(sptep, new_spte);
-        } else
+        else
                old_spte = __xchg_spte(sptep, new_spte);
        if (!is_rmap_spte(old_spte))
-                return;
+                return 0;
        pfn = spte_to_pfn(old_spte);
        if (!shadow_accessed_mask || old_spte & shadow_accessed_mask)
                kvm_set_pfn_accessed(pfn);
-        if (is_writable_pte(old_spte))
+        if (!shadow_dirty_mask || (old_spte & shadow_dirty_mask))
                kvm_set_pfn_dirty(pfn);
+        return 1;
 }
 static void drop_spte(struct kvm *kvm, u64 *sptep, u64 new_spte)
 {
-        set_spte_track_bits(sptep, new_spte);
+        if (set_spte_track_bits(sptep, new_spte))
-        rmap_remove(kvm, sptep);
+                rmap_remove(kvm, sptep);
 }
 static u64 *rmap_next(struct kvm *kvm, unsigned long *rmapp, u64 *spte)
@@ -746,13 +795,6 @@ static int rmap_write_protect(struct kvm *kvm, u64 gfn)
                }
                spte = rmap_next(kvm, rmapp, spte);
        }
-        if (write_protected) {
-                pfn_t pfn;
-                spte = rmap_next(kvm, rmapp, NULL);
-                pfn = spte_to_pfn(*spte);
-                kvm_set_pfn_dirty(pfn);
-        }
        /* check for huge page mappings */
        for (i = PT_DIRECTORY_LEVEL;
@@ -848,19 +890,16 @@ static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
                end = start + (memslot->npages << PAGE_SHIFT);
                if (hva >= start && hva < end) {
                        gfn_t gfn_offset = (hva - start) >> PAGE_SHIFT;
+                        gfn_t gfn = memslot->base_gfn + gfn_offset;
                        ret = handler(kvm, &memslot->rmap[gfn_offset], data);
                        for (j = 0; j < KVM_NR_PAGE_SIZES - 1; ++j) {
-                                unsigned long idx;
+                                struct kvm_lpage_info *linfo;
-                                int sh;
+                                linfo = lpage_info_slot(gfn, memslot,
-                                sh = KVM_HPAGE_GFN_SHIFT(PT_DIRECTORY_LEVEL+j);
+                                                        PT_DIRECTORY_LEVEL + j);
-                                idx = ((memslot->base_gfn+gfn_offset) >> sh) -
+                                ret |= handler(kvm, &linfo->rmap_pde, data);
-                                        (memslot->base_gfn >> sh);
-                                ret |= handler(kvm,
-                                        &memslot->lpage_info[j][idx].rmap_pde,
-                                        data);
                        }
                        trace_kvm_age_page(hva, memslot, ret);
                        retval |= ret;
@@ -911,6 +950,35 @@ static int kvm_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
        return young;
 }
+static int kvm_test_age_rmapp(struct kvm *kvm, unsigned long *rmapp,
+                              unsigned long data)
+{
+        u64 *spte;
+        int young = 0;
+        /*
+         * If there's no access bit in the secondary pte set by the
+         * hardware it's up to gup-fast/gup to set the access bit in
+         * the primary pte or in the page structure.
+         */
+        if (!shadow_accessed_mask)
+                goto out;
+        spte = rmap_next(kvm, rmapp, NULL);
+        while (spte) {
+                u64 _spte = *spte;
+                BUG_ON(!(_spte & PT_PRESENT_MASK));
+                young = _spte & PT_ACCESSED_MASK;
+                if (young) {
+                        young = 1;
+                        break;
+                }
+                spte = rmap_next(kvm, rmapp, spte);
+        }
+out:
+        return young;
+}
 #define RMAP_RECYCLE_THRESHOLD 1000
 static void rmap_recycle(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
@@ -931,6 +999,11 @@ int kvm_age_hva(struct kvm *kvm, unsigned long hva)
        return kvm_handle_hva(kvm, hva, 0, kvm_age_rmapp);
 }
+int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
+{
+        return kvm_handle_hva(kvm, hva, 0, kvm_test_age_rmapp);
+}
 #ifdef MMU_DEBUG
 static int is_empty_shadow_page(u64 *spt)
 {
@@ -947,16 +1020,28 @@ static int is_empty_shadow_page(u64 *spt)
 }
 #endif
+/*
+ * This value is the sum of all of the kvm instances's
+ * kvm->arch.n_used_mmu_pages values.  We need a global,
+ * aggregate version in order to make the slab shrinker
+ * faster
+ */
+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, int nr)
+{
+        kvm->arch.n_used_mmu_pages += nr;
+        percpu_counter_add(&kvm_total_used_mmu_pages, nr);
+}
 static void kvm_mmu_free_page(struct kvm *kvm, struct kvm_mmu_page *sp)
 {
        ASSERT(is_empty_shadow_page(sp->spt));
        hlist_del(&sp->hash_link);
        list_del(&sp->link);
-        __free_page(virt_to_page(sp->spt));
+        free_page((unsigned long)sp->spt);
        if (!sp->role.direct)
-                __free_page(virt_to_page(sp->gfns));
+                free_page((unsigned long)sp->gfns);
        kmem_cache_free(mmu_page_header_cache, sp);
-        ++kvm->arch.n_free_mmu_pages;
+        kvm_mod_used_mmu_pages(kvm, -1);
 }
 static unsigned kvm_page_table_hashfn(gfn_t gfn)
@@ -979,7 +1064,7 @@ static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu,
        bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS);
        sp->multimapped = 0;
        sp->parent_pte = parent_pte;
-        --vcpu->kvm->arch.n_free_mmu_pages;
+        kvm_mod_used_mmu_pages(vcpu->kvm, +1);
        return sp;
 }
@@ -1110,7 +1195,7 @@ static void nonpaging_prefetch_page(struct kvm_vcpu *vcpu,
 }
 static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
-                               struct kvm_mmu_page *sp, bool clear_unsync)
+                               struct kvm_mmu_page *sp)
 {
        return 1;
 }
@@ -1119,6 +1204,13 @@ static void nonpaging_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
 {
 }
+static void nonpaging_update_pte(struct kvm_vcpu *vcpu,
+                                 struct kvm_mmu_page *sp, u64 *spte,
+                                 const void *pte)
+{
+        WARN_ON(1);
+}
 #define KVM_PAGE_ARRAY_NR 16
 struct kvm_mmu_pages {
@@ -1240,7 +1332,7 @@ static int __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
        if (clear_unsync)
                kvm_unlink_unsync_page(vcpu->kvm, sp);
-        if (vcpu->arch.mmu.sync_page(vcpu, sp, clear_unsync)) {
+        if (vcpu->arch.mmu.sync_page(vcpu, sp)) {
                kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list);
                return 1;
        }
@@ -1281,12 +1373,12 @@ static void kvm_sync_pages(struct kvm_vcpu *vcpu,  gfn_t gfn)
                        continue;
                WARN_ON(s->role.level != PT_PAGE_TABLE_LEVEL);
+                kvm_unlink_unsync_page(vcpu->kvm, s);
                if ((s->role.cr4_pae != !!is_pae(vcpu)) ||
-                        (vcpu->arch.mmu.sync_page(vcpu, s, true))) {
+                        (vcpu->arch.mmu.sync_page(vcpu, s))) {
                        kvm_mmu_prepare_zap_page(vcpu->kvm, s, &invalid_list);
                        continue;
                }
-                kvm_unlink_unsync_page(vcpu->kvm, s);
                flush = true;
        }
@@ -1403,7 +1495,8 @@ static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
        if (role.direct)
                role.cr4_pae = 0;
        role.access = access;
-        if (!tdp_enabled && vcpu->arch.mmu.root_level <= PT32_ROOT_LEVEL) {
+        if (!vcpu->arch.mmu.direct_map
+            && vcpu->arch.mmu.root_level <= PT32_ROOT_LEVEL) {
                quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
                quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
                role.quadrant = quadrant;
@@ -1458,6 +1551,12 @@ static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
        iterator->addr = addr;
        iterator->shadow_addr = vcpu->arch.mmu.root_hpa;
        iterator->level = vcpu->arch.mmu.shadow_root_level;
+        if (iterator->level == PT64_ROOT_LEVEL &&
+            vcpu->arch.mmu.root_level < PT64_ROOT_LEVEL &&
+            !vcpu->arch.mmu.direct_map)
+                --iterator->level;
        if (iterator->level == PT32E_ROOT_LEVEL) {
                iterator->shadow_addr
                        = vcpu->arch.mmu.pae_root[(addr >> 30) & 3];
@@ -1665,41 +1764,31 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm,
 /*
 * Changing the number of mmu pages allocated to the vm
- * Note: if kvm_nr_mmu_pages is too small, you will get dead lock
+ * Note: if goal_nr_mmu_pages is too small, you will get dead lock
 */
-void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages)
+void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
 {
-        int used_pages;
        LIST_HEAD(invalid_list);
-        used_pages = kvm->arch.n_alloc_mmu_pages - kvm->arch.n_free_mmu_pages;
-        used_pages = max(0, used_pages);
        /*
         * If we set the number of mmu pages to be smaller be than the
         * number of actived pages , we must to free some mmu pages before we
         * change the value
         */
-        if (used_pages > kvm_nr_mmu_pages) {
+        if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
-                while (used_pages > kvm_nr_mmu_pages &&
+                while (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages &&
                        !list_empty(&kvm->arch.active_mmu_pages)) {
                        struct kvm_mmu_page *page;
                        page = container_of(kvm->arch.active_mmu_pages.prev,
                                            struct kvm_mmu_page, link);
-                        used_pages -= kvm_mmu_prepare_zap_page(kvm, page,
+                        kvm_mmu_prepare_zap_page(kvm, page, &invalid_list);
-                                                               &invalid_list);
+                        kvm_mmu_commit_zap_page(kvm, &invalid_list);
                }
-                kvm_mmu_commit_zap_page(kvm, &invalid_list);
+                goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
-                kvm_nr_mmu_pages = used_pages;
-                kvm->arch.n_free_mmu_pages = 0;
        }
-        else
-                kvm->arch.n_free_mmu_pages += kvm_nr_mmu_pages
-                                         - kvm->arch.n_alloc_mmu_pages;
-        kvm->arch.n_alloc_mmu_pages = kvm_nr_mmu_pages;
+        kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;
 }
 static int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
@@ -1709,11 +1798,11 @@ static int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
        LIST_HEAD(invalid_list);
        int r;
-        pgprintk("%s: looking for gfn %lx\n", __func__, gfn);
+        pgprintk("%s: looking for gfn %llx\n", __func__, gfn);
        r = 0;
        for_each_gfn_indirect_valid_sp(kvm, sp, gfn, node) {
-                pgprintk("%s: gfn %lx role %x\n", __func__, gfn,
+                pgprintk("%s: gfn %llx role %x\n", __func__, gfn,
                         sp->role.word);
                r = 1;
                kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
@@ -1729,7 +1818,7 @@ static void mmu_unshadow(struct kvm *kvm, gfn_t gfn)
        LIST_HEAD(invalid_list);
        for_each_gfn_indirect_valid_sp(kvm, sp, gfn, node) {
-                pgprintk("%s: zap %lx %x\n",
+                pgprintk("%s: zap %llx %x\n",
                         __func__, gfn, sp->role.word);
                kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
        }
@@ -1915,9 +2004,9 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                    unsigned pte_access, int user_fault,
                    int write_fault, int dirty, int level,
                    gfn_t gfn, pfn_t pfn, bool speculative,
-                    bool can_unsync, bool reset_host_protection)
+                    bool can_unsync, bool host_writable)
 {
-        u64 spte;
+        u64 spte, entry = *sptep;
        int ret = 0;
        /*
@@ -1925,7 +2014,7 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
         * whether the guest actually used the pte (in order to detect
         * demand paging).
         */
-        spte = shadow_base_present_pte | shadow_dirty_mask;
+        spte = PT_PRESENT_MASK;
        if (!speculative)
                spte |= shadow_accessed_mask;
        if (!dirty)
@@ -1942,14 +2031,16 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                spte |= kvm_x86_ops->get_mt_mask(vcpu, gfn,
                        kvm_is_mmio_pfn(pfn));
-        if (reset_host_protection)
+        if (host_writable)
                spte |= SPTE_HOST_WRITEABLE;
+        else
+                pte_access &= ~ACC_WRITE_MASK;
        spte |= (u64)pfn << PAGE_SHIFT;
        if ((pte_access & ACC_WRITE_MASK)
-            || (!tdp_enabled && write_fault && !is_write_protection(vcpu)
+            || (!vcpu->arch.mmu.direct_map && write_fault
-                && !user_fault)) {
+                && !is_write_protection(vcpu) && !user_fault)) {
                if (level > PT_PAGE_TABLE_LEVEL &&
                    has_wrprotected_page(vcpu->kvm, gfn, level)) {
@@ -1960,7 +2051,8 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                spte |= PT_WRITABLE_MASK;
-                if (!tdp_enabled && !(pte_access & ACC_WRITE_MASK))
+                if (!vcpu->arch.mmu.direct_map
+                    && !(pte_access & ACC_WRITE_MASK))
                        spte &= ~PT_USER_MASK;
                /*
@@ -1973,7 +2065,7 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                        goto set_pte;
                if (mmu_need_write_protect(vcpu, gfn, can_unsync)) {
-                        pgprintk("%s: found shadow page for %lx, marking ro\n",
+                        pgprintk("%s: found shadow page for %llx, marking ro\n",
                                 __func__, gfn);
                        ret = 1;
                        pte_access &= ~ACC_WRITE_MASK;
@@ -1986,9 +2078,15 @@ static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                mark_page_dirty(vcpu->kvm, gfn);
 set_pte:
-        if (is_writable_pte(*sptep) && !is_writable_pte(spte))
-                kvm_set_pfn_dirty(pfn);
        update_spte(sptep, spte);
+        /*
+         * If we overwrite a writable spte with a read-only one we
+         * should flush remote TLBs. Otherwise rmap_write_protect
+         * will find a read-only spte, even though the writable spte
+         * might be cached on a CPU's TLB.
+         */
+        if (is_writable_pte(entry) && !is_writable_pte(*sptep))
+                kvm_flush_remote_tlbs(vcpu->kvm);
 done:
        return ret;
 }
@@ -1998,13 +2096,13 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                         int user_fault, int write_fault, int dirty,
                         int *ptwrite, int level, gfn_t gfn,
                         pfn_t pfn, bool speculative,
-                         bool reset_host_protection)
+                         bool host_writable)
 {
        int was_rmapped = 0;
        int rmap_count;
        pgprintk("%s: spte %llx access %x write_fault %d"
-                 " user_fault %d gfn %lx\n",
+                 " user_fault %d gfn %llx\n",
                 __func__, *sptep, pt_access,
                 write_fault, user_fault, gfn);
@@ -2023,7 +2121,7 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                        __set_spte(sptep, shadow_trap_nonpresent_pte);
                        kvm_flush_remote_tlbs(vcpu->kvm);
                } else if (pfn != spte_to_pfn(*sptep)) {
-                        pgprintk("hfn old %lx new %lx\n",
+                        pgprintk("hfn old %llx new %llx\n",
                                 spte_to_pfn(*sptep), pfn);
                        drop_spte(vcpu->kvm, sptep, shadow_trap_nonpresent_pte);
                        kvm_flush_remote_tlbs(vcpu->kvm);
@@ -2033,14 +2131,14 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
        if (set_spte(vcpu, sptep, pte_access, user_fault, write_fault,
                      dirty, level, gfn, pfn, speculative, true,
-                      reset_host_protection)) {
+                      host_writable)) {
                if (write_fault)
                        *ptwrite = 1;
                kvm_mmu_flush_tlb(vcpu);
        }
        pgprintk("%s: setting spte %llx\n", __func__, *sptep);
-        pgprintk("instantiating %s PTE (%s) at %ld (%llx) addr %p\n",
+        pgprintk("instantiating %s PTE (%s) at %llx (%llx) addr %p\n",
                 is_large_pte(*sptep)? "2MB" : "4kB",
                 *sptep & PT_PRESENT_MASK ?"RW":"R", gfn,
                 *sptep, sptep);
@@ -2064,8 +2162,95 @@ static void nonpaging_new_cr3(struct kvm_vcpu *vcpu)
 {
 }
+static pfn_t pte_prefetch_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn,
+                                     bool no_dirty_log)
+{
+        struct kvm_memory_slot *slot;
+        unsigned long hva;
+        slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, no_dirty_log);
+        if (!slot) {
+                get_page(bad_page);
+                return page_to_pfn(bad_page);
+        }
+        hva = gfn_to_hva_memslot(slot, gfn);
+        return hva_to_pfn_atomic(vcpu->kvm, hva);
+}
+static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
+                                    struct kvm_mmu_page *sp,
+                                    u64 *start, u64 *end)
+{
+        struct page *pages[PTE_PREFETCH_NUM];
+        unsigned access = sp->role.access;
+        int i, ret;
+        gfn_t gfn;
+        gfn = kvm_mmu_page_get_gfn(sp, start - sp->spt);
+        if (!gfn_to_memslot_dirty_bitmap(vcpu, gfn, access & ACC_WRITE_MASK))
+                return -1;
+        ret = gfn_to_page_many_atomic(vcpu->kvm, gfn, pages, end - start);
+        if (ret <= 0)
+                return -1;
+        for (i = 0; i < ret; i++, gfn++, start++)
+                mmu_set_spte(vcpu, start, ACC_ALL,
+                             access, 0, 0, 1, NULL,
+                             sp->role.level, gfn,
+                             page_to_pfn(pages[i]), true, true);
+        return 0;
+}
+static void __direct_pte_prefetch(struct kvm_vcpu *vcpu,
+                                  struct kvm_mmu_page *sp, u64 *sptep)
+{
+        u64 *spte, *start = NULL;
+        int i;
+        WARN_ON(!sp->role.direct);
+        i = (sptep - sp->spt) & ~(PTE_PREFETCH_NUM - 1);
+        spte = sp->spt + i;
+        for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
+                if (*spte != shadow_trap_nonpresent_pte || spte == sptep) {
+                        if (!start)
+                                continue;
+                        if (direct_pte_prefetch_many(vcpu, sp, start, spte) < 0)
+                                break;
+                        start = NULL;
+                } else if (!start)
+                        start = spte;
+        }
+}
+static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
+{
+        struct kvm_mmu_page *sp;
+        /*
+         * Since it's no accessed bit on EPT, it's no way to
+         * distinguish between actually accessed translations
+         * and prefetched, so disable pte prefetch if EPT is
+         * enabled.
+         */
+        if (!shadow_accessed_mask)
+                return;
+        sp = page_header(__pa(sptep));
+        if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+                return;
+        __direct_pte_prefetch(vcpu, sp, sptep);
+}
 static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
-                        int level, gfn_t gfn, pfn_t pfn)
+                        int map_writable, int level, gfn_t gfn, pfn_t pfn,
+                        bool prefault)
 {
        struct kvm_shadow_walk_iterator iterator;
        struct kvm_mmu_page *sp;
@@ -2074,9 +2259,12 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
        for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
                if (iterator.level == level) {
-                        mmu_set_spte(vcpu, iterator.sptep, ACC_ALL, ACC_ALL,
+                        unsigned pte_access = ACC_ALL;
+                        mmu_set_spte(vcpu, iterator.sptep, ACC_ALL, pte_access,
                                     0, write, 1, &pt_write,
-                                     level, gfn, pfn, false, true);
+                                     level, gfn, pfn, prefault, map_writable);
+                        direct_pte_prefetch(vcpu, iterator.sptep);
                        ++vcpu->stat.pf_fixed;
                        break;
                }
@@ -2098,28 +2286,31 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
                        __set_spte(iterator.sptep,
                                   __pa(sp->spt)
                                   | PT_PRESENT_MASK | PT_WRITABLE_MASK
-                                   | shadow_user_mask | shadow_x_mask);
+                                   | shadow_user_mask | shadow_x_mask
+                                   | shadow_accessed_mask);
                }
        }
        return pt_write;
 }
-static void kvm_send_hwpoison_signal(struct kvm *kvm, gfn_t gfn)
+static void kvm_send_hwpoison_signal(unsigned long address, struct task_struct *tsk)
 {
-        char buf[1];
+        siginfo_t info;
-        void __user *hva;
-        int r;
-        /* Touch the page, so send SIGBUS */
+        info.si_signo   = SIGBUS;
-        hva = (void __user *)gfn_to_hva(kvm, gfn);
+        info.si_errno   = 0;
-        r = copy_from_user(buf, hva, 1);
+        info.si_code    = BUS_MCEERR_AR;
+        info.si_addr    = (void __user *)address;
+        info.si_addr_lsb = PAGE_SHIFT;
+        send_sig_info(SIGBUS, &info, tsk);
 }
 static int kvm_handle_bad_page(struct kvm *kvm, gfn_t gfn, pfn_t pfn)
 {
        kvm_release_pfn_clean(pfn);
        if (is_hwpoison_pfn(pfn)) {
-                kvm_send_hwpoison_signal(kvm, gfn);
+                kvm_send_hwpoison_signal(gfn_to_hva(kvm, gfn), current);
                return 0;
        } else if (is_fault_pfn(pfn))
                return -EFAULT;
@@ -2127,27 +2318,81 @@ static int kvm_handle_bad_page(struct kvm *kvm, gfn_t gfn, pfn_t pfn)
        return 1;
 }
-static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
+static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
+                                        gfn_t *gfnp, pfn_t *pfnp, int *levelp)
+{
+        pfn_t pfn = *pfnp;
+        gfn_t gfn = *gfnp;
+        int level = *levelp;
+        /*
+         * Check if it's a transparent hugepage. If this would be an
+         * hugetlbfs page, level wouldn't be set to
+         * PT_PAGE_TABLE_LEVEL and there would be no adjustment done
+         * here.
+         */
+        if (!is_error_pfn(pfn) && !kvm_is_mmio_pfn(pfn) &&
+            level == PT_PAGE_TABLE_LEVEL &&
+            PageTransCompound(pfn_to_page(pfn)) &&
+            !has_wrprotected_page(vcpu->kvm, gfn, PT_DIRECTORY_LEVEL)) {
+                unsigned long mask;
+                /*
+                 * mmu_notifier_retry was successful and we hold the
+                 * mmu_lock here, so the pmd can't become splitting
+                 * from under us, and in turn
+                 * __split_huge_page_refcount() can't run from under
+                 * us and we can safely transfer the refcount from
+                 * PG_tail to PG_head as we switch the pfn to tail to
+                 * head.
+                 */
+                *levelp = level = PT_DIRECTORY_LEVEL;
+                mask = KVM_PAGES_PER_HPAGE(level) - 1;
+                VM_BUG_ON((gfn & mask) != (pfn & mask));
+                if (pfn & mask) {
+                        gfn &= ~mask;
+                        *gfnp = gfn;
+                        kvm_release_pfn_clean(pfn);
+                        pfn &= ~mask;
+                        if (!get_page_unless_zero(pfn_to_page(pfn)))
+                                BUG();
+                        *pfnp = pfn;
+                }
+        }
+}
+static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
+                         gva_t gva, pfn_t *pfn, bool write, bool *writable);
+static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn,
+                         bool prefault)
 {
        int r;
        int level;
+        int force_pt_level;
        pfn_t pfn;
        unsigned long mmu_seq;
+        bool map_writable;
-        level = mapping_level(vcpu, gfn);
+        force_pt_level = mapping_level_dirty_bitmap(vcpu, gfn);
+        if (likely(!force_pt_level)) {
-        /*
+                level = mapping_level(vcpu, gfn);
-         * This path builds a PAE pagetable - so we can map 2mb pages at
+                /*
-         * maximum. Therefore check if the level is larger than that.
+                 * This path builds a PAE pagetable - so we can map
-         */
+                 * 2mb pages at maximum. Therefore check if the level
-        if (level > PT_DIRECTORY_LEVEL)
+                 * is larger than that.
-                level = PT_DIRECTORY_LEVEL;
+                 */
+                if (level > PT_DIRECTORY_LEVEL)
+                        level = PT_DIRECTORY_LEVEL;
-        gfn &= ~(KVM_PAGES_PER_HPAGE(level) - 1);
+                gfn &= ~(KVM_PAGES_PER_HPAGE(level) - 1);
+        } else
+                level = PT_PAGE_TABLE_LEVEL;
        mmu_seq = vcpu->kvm->mmu_notifier_seq;
        smp_rmb();
-        pfn = gfn_to_pfn(vcpu->kvm, gfn);
+        if (try_async_pf(vcpu, prefault, gfn, v, &pfn, write, &map_writable))
+                return 0;
        /* mmio */
        if (is_error_pfn(pfn))
@@ -2157,7 +2402,10 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, int write, gfn_t gfn)
        if (mmu_notifier_retry(vcpu, mmu_seq))
                goto out_unlock;
        kvm_mmu_free_some_pages(vcpu);
-        r = __direct_map(vcpu, v, write, level, gfn, pfn);
+        if (likely(!force_pt_level))
+                transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+        r = __direct_map(vcpu, v, write, map_writable, level, gfn, pfn,
+                         prefault);
        spin_unlock(&vcpu->kvm->mmu_lock);
@@ -2179,7 +2427,9 @@ static void mmu_free_roots(struct kvm_vcpu *vcpu)
        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
                return;
        spin_lock(&vcpu->kvm->mmu_lock);
-        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
+        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL &&
+            (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL ||
+             vcpu->arch.mmu.direct_map)) {
                hpa_t root = vcpu->arch.mmu.root_hpa;
                sp = page_header(root);
@@ -2222,83 +2472,163 @@ static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn)
        return ret;
 }
-static int mmu_alloc_roots(struct kvm_vcpu *vcpu)
+static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
 {
-        int i;
-        gfn_t root_gfn;
        struct kvm_mmu_page *sp;
-        int direct = 0;
+        unsigned i;
-        u64 pdptr;
-        root_gfn = vcpu->arch.cr3 >> PAGE_SHIFT;
        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
+                spin_lock(&vcpu->kvm->mmu_lock);
+                kvm_mmu_free_some_pages(vcpu);
+                sp = kvm_mmu_get_page(vcpu, 0, 0, PT64_ROOT_LEVEL,
+                                      1, ACC_ALL, NULL);
+                ++sp->root_count;
+                spin_unlock(&vcpu->kvm->mmu_lock);
+                vcpu->arch.mmu.root_hpa = __pa(sp->spt);
+        } else if (vcpu->arch.mmu.shadow_root_level == PT32E_ROOT_LEVEL) {
+                for (i = 0; i < 4; ++i) {
+                        hpa_t root = vcpu->arch.mmu.pae_root[i];
+                        ASSERT(!VALID_PAGE(root));
+                        spin_lock(&vcpu->kvm->mmu_lock);
+                        kvm_mmu_free_some_pages(vcpu);
+                        sp = kvm_mmu_get_page(vcpu, i << (30 - PAGE_SHIFT),
+                                              i << 30,
+                                              PT32_ROOT_LEVEL, 1, ACC_ALL,
+                                              NULL);
+                        root = __pa(sp->spt);
+                        ++sp->root_count;
+                        spin_unlock(&vcpu->kvm->mmu_lock);
+                        vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
+                }
+                vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+        } else
+                BUG();
+        return 0;
+}
+static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
+{
+        struct kvm_mmu_page *sp;
+        u64 pdptr, pm_mask;
+        gfn_t root_gfn;
+        int i;
+        root_gfn = vcpu->arch.mmu.get_cr3(vcpu) >> PAGE_SHIFT;
+        if (mmu_check_root(vcpu, root_gfn))
+                return 1;
+        /*
+         * Do we shadow a long mode page table? If so we need to
+         * write-protect the guests page table root.
+         */
+        if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
                hpa_t root = vcpu->arch.mmu.root_hpa;
                ASSERT(!VALID_PAGE(root));
-                if (mmu_check_root(vcpu, root_gfn))
-                        return 1;
-                if (tdp_enabled) {
-                        direct = 1;
-                        root_gfn = 0;
-                }
                spin_lock(&vcpu->kvm->mmu_lock);
                kvm_mmu_free_some_pages(vcpu);
-                sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
+                sp = kvm_mmu_get_page(vcpu, root_gfn, 0, PT64_ROOT_LEVEL,
-                                      PT64_ROOT_LEVEL, direct,
+                                      0, ACC_ALL, NULL);
-                                      ACC_ALL, NULL);
                root = __pa(sp->spt);
                ++sp->root_count;
                spin_unlock(&vcpu->kvm->mmu_lock);
                vcpu->arch.mmu.root_hpa = root;
                return 0;
        }
-        direct = !is_paging(vcpu);
+        /*
+         * We shadow a 32 bit page table. This may be a legacy 2-level
+         * or a PAE 3-level page table. In either case we need to be aware that
+         * the shadow page table may be a PAE or a long mode page table.
+         */
+        pm_mask = PT_PRESENT_MASK;
+        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL)
+                pm_mask |= PT_ACCESSED_MASK | PT_WRITABLE_MASK | PT_USER_MASK;
        for (i = 0; i < 4; ++i) {
                hpa_t root = vcpu->arch.mmu.pae_root[i];
                ASSERT(!VALID_PAGE(root));
                if (vcpu->arch.mmu.root_level == PT32E_ROOT_LEVEL) {
-                        pdptr = kvm_pdptr_read(vcpu, i);
+                        pdptr = kvm_pdptr_read_mmu(vcpu, &vcpu->arch.mmu, i);
                        if (!is_present_gpte(pdptr)) {
                                vcpu->arch.mmu.pae_root[i] = 0;
                                continue;
                        }
                        root_gfn = pdptr >> PAGE_SHIFT;
-                } else if (vcpu->arch.mmu.root_level == 0)
+                        if (mmu_check_root(vcpu, root_gfn))
-                        root_gfn = 0;
+                                return 1;
-                if (mmu_check_root(vcpu, root_gfn))
-                        return 1;
-                if (tdp_enabled) {
-                        direct = 1;
-                        root_gfn = i << 30;
                }
                spin_lock(&vcpu->kvm->mmu_lock);
                kvm_mmu_free_some_pages(vcpu);
                sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30,
-                                      PT32_ROOT_LEVEL, direct,
+                                      PT32_ROOT_LEVEL, 0,
                                      ACC_ALL, NULL);
                root = __pa(sp->spt);
                ++sp->root_count;
                spin_unlock(&vcpu->kvm->mmu_lock);
-                vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
+                vcpu->arch.mmu.pae_root[i] = root | pm_mask;
        }
        vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+        /*
+         * If we shadow a 32 bit page table with a long mode page
+         * table we enter this path.
+         */
+        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
+                if (vcpu->arch.mmu.lm_root == NULL) {
+                        /*
+                         * The additional page necessary for this is only
+                         * allocated on demand.
+                         */
+                        u64 *lm_root;
+                        lm_root = (void*)get_zeroed_page(GFP_KERNEL);
+                        if (lm_root == NULL)
+                                return 1;
+                        lm_root[0] = __pa(vcpu->arch.mmu.pae_root) | pm_mask;
+                        vcpu->arch.mmu.lm_root = lm_root;
+                }
+                vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.lm_root);
+        }
        return 0;
 }
+static int mmu_alloc_roots(struct kvm_vcpu *vcpu)
+{
+        if (vcpu->arch.mmu.direct_map)
+                return mmu_alloc_direct_roots(vcpu);
+        else
+                return mmu_alloc_shadow_roots(vcpu);
+}
 static void mmu_sync_roots(struct kvm_vcpu *vcpu)
 {
        int i;
        struct kvm_mmu_page *sp;
+        if (vcpu->arch.mmu.direct_map)
+                return;
        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
                return;
-        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
+        trace_kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
+        if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
                hpa_t root = vcpu->arch.mmu.root_hpa;
                sp = page_header(root);
                mmu_sync_children(vcpu, sp);
+                trace_kvm_mmu_audit(vcpu, AUDIT_POST_SYNC);
                return;
        }
        for (i = 0; i < 4; ++i) {
@@ -2310,6 +2640,7 @@ static void mmu_sync_roots(struct kvm_vcpu *vcpu)
                        mmu_sync_children(vcpu, sp);
                }
        }
+        trace_kvm_mmu_audit(vcpu, AUDIT_POST_SYNC);
 }
 void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
@@ -2320,15 +2651,24 @@ void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
 }
 static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr,
-                                  u32 access, u32 *error)
+                                  u32 access, struct x86_exception *exception)
 {
-        if (error)
+        if (exception)
-                *error = 0;
+                exception->error_code = 0;
        return vaddr;
 }
+static gpa_t nonpaging_gva_to_gpa_nested(struct kvm_vcpu *vcpu, gva_t vaddr,
+                                         u32 access,
+                                         struct x86_exception *exception)
+{
+        if (exception)
+                exception->error_code = 0;
+        return vcpu->arch.nested_mmu.translate_gpa(vcpu, vaddr, access);
+}
 static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
-                                u32 error_code)
+                                u32 error_code, bool prefault)
 {
        gfn_t gfn;
        int r;
@@ -2344,17 +2684,68 @@ static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
        gfn = gva >> PAGE_SHIFT;
        return nonpaging_map(vcpu, gva & PAGE_MASK,
-                             error_code & PFERR_WRITE_MASK, gfn);
+                             error_code & PFERR_WRITE_MASK, gfn, prefault);
+}
+static int kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn)
+{
+        struct kvm_arch_async_pf arch;
+        arch.token = (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id;
+        arch.gfn = gfn;
+        arch.direct_map = vcpu->arch.mmu.direct_map;
+        arch.cr3 = vcpu->arch.mmu.get_cr3(vcpu);
+        return kvm_setup_async_pf(vcpu, gva, gfn, &arch);
+}
+static bool can_do_async_pf(struct kvm_vcpu *vcpu)
+{
+        if (unlikely(!irqchip_in_kernel(vcpu->kvm) ||
+                     kvm_event_needs_reinjection(vcpu)))
+                return false;
+        return kvm_x86_ops->interrupt_allowed(vcpu);
+}
+static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
+                         gva_t gva, pfn_t *pfn, bool write, bool *writable)
+{
+        bool async;
+        *pfn = gfn_to_pfn_async(vcpu->kvm, gfn, &async, write, writable);
+        if (!async)
+                return false; /* *pfn has correct page already */
+        put_page(pfn_to_page(*pfn));
+        if (!prefault && can_do_async_pf(vcpu)) {
+                trace_kvm_try_async_get_page(gva, gfn);
+                if (kvm_find_async_pf_gfn(vcpu, gfn)) {
+                        trace_kvm_async_pf_doublefault(gva, gfn);
+                        kvm_make_request(KVM_REQ_APF_HALT, vcpu);
+                        return true;
+                } else if (kvm_arch_setup_async_pf(vcpu, gva, gfn))
+                        return true;
+        }
+        *pfn = gfn_to_pfn_prot(vcpu->kvm, gfn, write, writable);
+        return false;
 }
-static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
+static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
-                                u32 error_code)
+                          bool prefault)
 {
        pfn_t pfn;
        int r;
        int level;
+        int force_pt_level;
        gfn_t gfn = gpa >> PAGE_SHIFT;
        unsigned long mmu_seq;
+        int write = error_code & PFERR_WRITE_MASK;
+        bool map_writable;
        ASSERT(vcpu);
        ASSERT(VALID_PAGE(vcpu->arch.mmu.root_hpa));
@@ -2363,21 +2754,30 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa,
        if (r)
                return r;
-        level = mapping_level(vcpu, gfn);
+        force_pt_level = mapping_level_dirty_bitmap(vcpu, gfn);
+        if (likely(!force_pt_level)) {
-        gfn &= ~(KVM_PAGES_PER_HPAGE(level) - 1);
+                level = mapping_level(vcpu, gfn);
+                gfn &= ~(KVM_PAGES_PER_HPAGE(level) - 1);
+        } else
+                level = PT_PAGE_TABLE_LEVEL;
        mmu_seq = vcpu->kvm->mmu_notifier_seq;
        smp_rmb();
-        pfn = gfn_to_pfn(vcpu->kvm, gfn);
+        if (try_async_pf(vcpu, prefault, gfn, gpa, &pfn, write, &map_writable))
+                return 0;
+        /* mmio */
        if (is_error_pfn(pfn))
                return kvm_handle_bad_page(vcpu->kvm, gfn, pfn);
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu, mmu_seq))
                goto out_unlock;
        kvm_mmu_free_some_pages(vcpu);
-        r = __direct_map(vcpu, gpa, error_code & PFERR_WRITE_MASK,
+        if (likely(!force_pt_level))
-                         level, gfn, pfn);
+                transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
+        r = __direct_map(vcpu, gpa, write, map_writable,
+                         level, gfn, pfn, prefault);
        spin_unlock(&vcpu->kvm->mmu_lock);
        return r;
@@ -2393,10 +2793,9 @@ static void nonpaging_free(struct kvm_vcpu *vcpu)
        mmu_free_roots(vcpu);
 }
-static int nonpaging_init_context(struct kvm_vcpu *vcpu)
+static int nonpaging_init_context(struct kvm_vcpu *vcpu,
+                                  struct kvm_mmu *context)
 {
-        struct kvm_mmu *context = &vcpu->arch.mmu;
        context->new_cr3 = nonpaging_new_cr3;
        context->page_fault = nonpaging_page_fault;
        context->gva_to_gpa = nonpaging_gva_to_gpa;
@@ -2404,9 +2803,12 @@ static int nonpaging_init_context(struct kvm_vcpu *vcpu)
        context->prefetch_page = nonpaging_prefetch_page;
        context->sync_page = nonpaging_sync_page;
        context->invlpg = nonpaging_invlpg;
+        context->update_pte = nonpaging_update_pte;
        context->root_level = 0;
        context->shadow_root_level = PT32E_ROOT_LEVEL;
        context->root_hpa = INVALID_PAGE;
+        context->direct_map = true;
+        context->nx = false;
        return 0;
 }
@@ -2418,15 +2820,19 @@ void kvm_mmu_flush_tlb(struct kvm_vcpu *vcpu)
 static void paging_new_cr3(struct kvm_vcpu *vcpu)
 {
-        pgprintk("%s: cr3 %lx\n", __func__, vcpu->arch.cr3);
+        pgprintk("%s: cr3 %lx\n", __func__, kvm_read_cr3(vcpu));
        mmu_free_roots(vcpu);
 }
+static unsigned long get_cr3(struct kvm_vcpu *vcpu)
+{
+        return kvm_read_cr3(vcpu);
+}
 static void inject_page_fault(struct kvm_vcpu *vcpu,
-                              u64 addr,
+                              struct x86_exception *fault)
-                              u32 err_code)
 {
-        kvm_inject_page_fault(vcpu, addr, err_code);
+        vcpu->arch.mmu.inject_page_fault(vcpu, fault);
 }
 static void paging_free(struct kvm_vcpu *vcpu)
@@ -2434,12 +2840,12 @@ static void paging_free(struct kvm_vcpu *vcpu)
        nonpaging_free(vcpu);
 }
-static bool is_rsvd_bits_set(struct kvm_vcpu *vcpu, u64 gpte, int level)
+static bool is_rsvd_bits_set(struct kvm_mmu *mmu, u64 gpte, int level)
 {
        int bit7;
        bit7 = (gpte >> 7) & 1;
-        return (gpte & vcpu->arch.mmu.rsvd_bits_mask[bit7][level-1]) != 0;
+        return (gpte & mmu->rsvd_bits_mask[bit7][level-1]) != 0;
 }
 #define PTTYPE 64
@@ -2450,13 +2856,14 @@ static bool is_rsvd_bits_set(struct kvm_vcpu *vcpu, u64 gpte, int level)
 #include "paging_tmpl.h"
 #undef PTTYPE
-static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu, int level)
+static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu,
+                                  struct kvm_mmu *context,
+                                  int level)
 {
-        struct kvm_mmu *context = &vcpu->arch.mmu;
        int maxphyaddr = cpuid_maxphyaddr(vcpu);
        u64 exb_bit_rsvd = 0;
-        if (!is_nx(vcpu))
+        if (!context->nx)
                exb_bit_rsvd = rsvd_bits(63, 63);
        switch (level) {
        case PT32_ROOT_LEVEL:
@@ -2511,9 +2918,13 @@ static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu, int level)
        }
 }
-static int paging64_init_context_common(struct kvm_vcpu *vcpu, int level)
+static int paging64_init_context_common(struct kvm_vcpu *vcpu,
+                                        struct kvm_mmu *context,
+                                        int level)
 {
-        struct kvm_mmu *context = &vcpu->arch.mmu;
+        context->nx = is_nx(vcpu);
+        reset_rsvds_bits_mask(vcpu, context, level);
        ASSERT(is_pae(vcpu));
        context->new_cr3 = paging_new_cr3;
@@ -2522,24 +2933,28 @@ static int paging64_init_context_common(struct kvm_vcpu *vcpu, int level)
        context->prefetch_page = paging64_prefetch_page;
        context->sync_page = paging64_sync_page;
        context->invlpg = paging64_invlpg;
+        context->update_pte = paging64_update_pte;
        context->free = paging_free;
        context->root_level = level;
        context->shadow_root_level = level;
        context->root_hpa = INVALID_PAGE;
+        context->direct_map = false;
        return 0;
 }
-static int paging64_init_context(struct kvm_vcpu *vcpu)
+static int paging64_init_context(struct kvm_vcpu *vcpu,
+                                 struct kvm_mmu *context)
 {
-        reset_rsvds_bits_mask(vcpu, PT64_ROOT_LEVEL);
+        return paging64_init_context_common(vcpu, context, PT64_ROOT_LEVEL);
-        return paging64_init_context_common(vcpu, PT64_ROOT_LEVEL);
 }
-static int paging32_init_context(struct kvm_vcpu *vcpu)
+static int paging32_init_context(struct kvm_vcpu *vcpu,
+                                 struct kvm_mmu *context)
 {
-        struct kvm_mmu *context = &vcpu->arch.mmu;
+        context->nx = false;
+        reset_rsvds_bits_mask(vcpu, context, PT32_ROOT_LEVEL);
-        reset_rsvds_bits_mask(vcpu, PT32_ROOT_LEVEL);
        context->new_cr3 = paging_new_cr3;
        context->page_fault = paging32_page_fault;
        context->gva_to_gpa = paging32_gva_to_gpa;
@@ -2547,44 +2962,57 @@ static int paging32_init_context(struct kvm_vcpu *vcpu)
        context->prefetch_page = paging32_prefetch_page;
        context->sync_page = paging32_sync_page;
        context->invlpg = paging32_invlpg;
+        context->update_pte = paging32_update_pte;
        context->root_level = PT32_ROOT_LEVEL;
        context->shadow_root_level = PT32E_ROOT_LEVEL;
        context->root_hpa = INVALID_PAGE;
+        context->direct_map = false;
        return 0;
 }
-static int paging32E_init_context(struct kvm_vcpu *vcpu)
+static int paging32E_init_context(struct kvm_vcpu *vcpu,
+                                  struct kvm_mmu *context)
 {
-        reset_rsvds_bits_mask(vcpu, PT32E_ROOT_LEVEL);
+        return paging64_init_context_common(vcpu, context, PT32E_ROOT_LEVEL);
-        return paging64_init_context_common(vcpu, PT32E_ROOT_LEVEL);
 }
 static int init_kvm_tdp_mmu(struct kvm_vcpu *vcpu)
 {
-        struct kvm_mmu *context = &vcpu->arch.mmu;
+        struct kvm_mmu *context = vcpu->arch.walk_mmu;
+        context->base_role.word = 0;
        context->new_cr3 = nonpaging_new_cr3;
        context->page_fault = tdp_page_fault;
        context->free = nonpaging_free;
        context->prefetch_page = nonpaging_prefetch_page;
        context->sync_page = nonpaging_sync_page;
        context->invlpg = nonpaging_invlpg;
+        context->update_pte = nonpaging_update_pte;
        context->shadow_root_level = kvm_x86_ops->get_tdp_level();
        context->root_hpa = INVALID_PAGE;
+        context->direct_map = true;
+        context->set_cr3 = kvm_x86_ops->set_tdp_cr3;
+        context->get_cr3 = get_cr3;
+        context->inject_page_fault = kvm_inject_page_fault;
+        context->nx = is_nx(vcpu);
        if (!is_paging(vcpu)) {
+                context->nx = false;
                context->gva_to_gpa = nonpaging_gva_to_gpa;
                context->root_level = 0;
        } else if (is_long_mode(vcpu)) {
-                reset_rsvds_bits_mask(vcpu, PT64_ROOT_LEVEL);
+                context->nx = is_nx(vcpu);
+                reset_rsvds_bits_mask(vcpu, context, PT64_ROOT_LEVEL);
                context->gva_to_gpa = paging64_gva_to_gpa;
                context->root_level = PT64_ROOT_LEVEL;
        } else if (is_pae(vcpu)) {
-                reset_rsvds_bits_mask(vcpu, PT32E_ROOT_LEVEL);
+                context->nx = is_nx(vcpu);
+                reset_rsvds_bits_mask(vcpu, context, PT32E_ROOT_LEVEL);
                context->gva_to_gpa = paging64_gva_to_gpa;
                context->root_level = PT32E_ROOT_LEVEL;
        } else {
-                reset_rsvds_bits_mask(vcpu, PT32_ROOT_LEVEL);
+                context->nx = false;
+                reset_rsvds_bits_mask(vcpu, context, PT32_ROOT_LEVEL);
                context->gva_to_gpa = paging32_gva_to_gpa;
                context->root_level = PT32_ROOT_LEVEL;
        }
@@ -2592,33 +3020,81 @@ static int init_kvm_tdp_mmu(struct kvm_vcpu *vcpu)
        return 0;
 }
-static int init_kvm_softmmu(struct kvm_vcpu *vcpu)
+int kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
 {
        int r;
        ASSERT(vcpu);
        ASSERT(!VALID_PAGE(vcpu->arch.mmu.root_hpa));
        if (!is_paging(vcpu))
-                r = nonpaging_init_context(vcpu);
+                r = nonpaging_init_context(vcpu, context);
        else if (is_long_mode(vcpu))
-                r = paging64_init_context(vcpu);
+                r = paging64_init_context(vcpu, context);
        else if (is_pae(vcpu))
-                r = paging32E_init_context(vcpu);
+                r = paging32E_init_context(vcpu, context);
        else
-                r = paging32_init_context(vcpu);
+                r = paging32_init_context(vcpu, context);
        vcpu->arch.mmu.base_role.cr4_pae = !!is_pae(vcpu);
-        vcpu->arch.mmu.base_role.cr0_wp = is_write_protection(vcpu);
+        vcpu->arch.mmu.base_role.cr0_wp  = is_write_protection(vcpu);
        return r;
 }
+EXPORT_SYMBOL_GPL(kvm_init_shadow_mmu);
-static int init_kvm_mmu(struct kvm_vcpu *vcpu)
+static int init_kvm_softmmu(struct kvm_vcpu *vcpu)
 {
-        vcpu->arch.update_pte.pfn = bad_pfn;
+        int r = kvm_init_shadow_mmu(vcpu, vcpu->arch.walk_mmu);
-        if (tdp_enabled)
+        vcpu->arch.walk_mmu->set_cr3           = kvm_x86_ops->set_cr3;
+        vcpu->arch.walk_mmu->get_cr3           = get_cr3;
+        vcpu->arch.walk_mmu->inject_page_fault = kvm_inject_page_fault;
+        return r;
+}
+static int init_kvm_nested_mmu(struct kvm_vcpu *vcpu)
+{
+        struct kvm_mmu *g_context = &vcpu->arch.nested_mmu;
+        g_context->get_cr3           = get_cr3;
+        g_context->inject_page_fault = kvm_inject_page_fault;
+        /*
+         * Note that arch.mmu.gva_to_gpa translates l2_gva to l1_gpa. The
+         * translation of l2_gpa to l1_gpa addresses is done using the
+         * arch.nested_mmu.gva_to_gpa function. Basically the gva_to_gpa
+         * functions between mmu and nested_mmu are swapped.
+         */
+        if (!is_paging(vcpu)) {
+                g_context->nx = false;
+                g_context->root_level = 0;
+                g_context->gva_to_gpa = nonpaging_gva_to_gpa_nested;
+        } else if (is_long_mode(vcpu)) {
+                g_context->nx = is_nx(vcpu);
+                reset_rsvds_bits_mask(vcpu, g_context, PT64_ROOT_LEVEL);
+                g_context->root_level = PT64_ROOT_LEVEL;
+                g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
+        } else if (is_pae(vcpu)) {
+                g_context->nx = is_nx(vcpu);
+                reset_rsvds_bits_mask(vcpu, g_context, PT32E_ROOT_LEVEL);
+                g_context->root_level = PT32E_ROOT_LEVEL;
+                g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
+        } else {
+                g_context->nx = false;
+                reset_rsvds_bits_mask(vcpu, g_context, PT32_ROOT_LEVEL);
+                g_context->root_level = PT32_ROOT_LEVEL;
+                g_context->gva_to_gpa = paging32_gva_to_gpa_nested;
+        }
+        return 0;
+}
+static int init_kvm_mmu(struct kvm_vcpu *vcpu)
+{
+        if (mmu_is_nested(vcpu))
+                return init_kvm_nested_mmu(vcpu);
+        else if (tdp_enabled)
                return init_kvm_tdp_mmu(vcpu);
        else
                return init_kvm_softmmu(vcpu);
@@ -2653,7 +3129,7 @@ int kvm_mmu_load(struct kvm_vcpu *vcpu)
        if (r)
                goto out;
        /* set_cr3() should ensure TLB has been flushed */
-        kvm_x86_ops->set_cr3(vcpu, vcpu->arch.mmu.root_hpa);
+        vcpu->arch.mmu.set_cr3(vcpu, vcpu->arch.mmu.root_hpa);
 out:
        return r;
 }
@@ -2663,6 +3139,7 @@ void kvm_mmu_unload(struct kvm_vcpu *vcpu)
 {
        mmu_free_roots(vcpu);
 }
+EXPORT_SYMBOL_GPL(kvm_mmu_unload);
 static void mmu_pte_write_zap_pte(struct kvm_vcpu *vcpu,
                                  struct kvm_mmu_page *sp,
@@ -2686,8 +3163,7 @@ static void mmu_pte_write_zap_pte(struct kvm_vcpu *vcpu,
 }
 static void mmu_pte_write_new_pte(struct kvm_vcpu *vcpu,
-                                  struct kvm_mmu_page *sp,
+                                  struct kvm_mmu_page *sp, u64 *spte,
-                                  u64 *spte,
                                  const void *new)
 {
        if (sp->role.level != PT_PAGE_TABLE_LEVEL) {
@@ -2695,14 +3171,8 @@ static void mmu_pte_write_new_pte(struct kvm_vcpu *vcpu,
                return;
        }
-        if (is_rsvd_bits_set(vcpu, *(u64 *)new, PT_PAGE_TABLE_LEVEL))
-                return;
        ++vcpu->kvm->stat.mmu_pte_updated;
-        if (!sp->role.cr4_pae)
+        vcpu->arch.mmu.update_pte(vcpu, sp, spte, new);
-                paging32_update_pte(vcpu, sp, spte, new);
-        else
-                paging64_update_pte(vcpu, sp, spte, new);
 }
 static bool need_remote_flush(u64 old, u64 new)
@@ -2737,28 +3207,6 @@ static bool last_updated_pte_accessed(struct kvm_vcpu *vcpu)
        return !!(spte && (*spte & shadow_accessed_mask));
 }
-static void mmu_guess_page_from_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
-                                          u64 gpte)
-{
-        gfn_t gfn;
-        pfn_t pfn;
-        if (!is_present_gpte(gpte))
-                return;
-        gfn = (gpte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;
-        vcpu->arch.update_pte.mmu_seq = vcpu->kvm->mmu_notifier_seq;
-        smp_rmb();
-        pfn = gfn_to_pfn(vcpu->kvm, gfn);
-        if (is_error_pfn(pfn)) {
-                kvm_release_pfn_clean(pfn);
-                return;
-        }
-        vcpu->arch.update_pte.gfn = gfn;
-        vcpu->arch.update_pte.pfn = pfn;
-}
 static void kvm_mmu_access_page(struct kvm_vcpu *vcpu, gfn_t gfn)
 {
        u64 *spte = vcpu->arch.last_pte_updated;
@@ -2780,21 +3228,13 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
        struct kvm_mmu_page *sp;
        struct hlist_node *node;
        LIST_HEAD(invalid_list);
-        u64 entry, gentry;
+        u64 entry, gentry, *spte;
-        u64 *spte;
+        unsigned pte_size, page_offset, misaligned, quadrant, offset;
-        unsigned offset = offset_in_page(gpa);
+        int level, npte, invlpg_counter, r, flooded = 0;
-        unsigned pte_size;
-        unsigned page_offset;
-        unsigned misaligned;
-        unsigned quadrant;
-        int level;
-        int flooded = 0;
-        int npte;
-        int r;
-        int invlpg_counter;
        bool remote_flush, local_flush, zap_page;
        zap_page = remote_flush = local_flush = false;
+        offset = offset_in_page(gpa);
        pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
@@ -2802,9 +3242,8 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
        /*
         * Assume that the pte write on a page table of the same type
-         * as the current vcpu paging mode.  This is nearly always true
+         * as the current vcpu paging mode since we update the sptes only
-         * (might be false while changing modes).  Note it is verified later
+         * when they have the same mode.
-         * by update_pte().
         */
        if ((is_pae(vcpu) && bytes == 4) || !new) {
                /* Handle a 32-bit guest writing two halves of a 64-bit gpte */
@@ -2830,15 +3269,14 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
                break;
        }
-        mmu_guess_page_from_pte_write(vcpu, gpa, gentry);
        spin_lock(&vcpu->kvm->mmu_lock);
        if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
                gentry = 0;
-        kvm_mmu_access_page(vcpu, gfn);
        kvm_mmu_free_some_pages(vcpu);
        ++vcpu->kvm->stat.mmu_pte_write;
-        kvm_mmu_audit(vcpu, "pre pte write");
+        trace_kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);
        if (guest_initiated) {
+                kvm_mmu_access_page(vcpu, gfn);
                if (gfn == vcpu->arch.last_pt_write_gfn
                    && !last_updated_pte_accessed(vcpu)) {
                        ++vcpu->arch.last_pt_write_count;
@@ -2910,12 +3348,8 @@ void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
        }
        mmu_pte_write_flush_tlb(vcpu, zap_page, remote_flush, local_flush);
        kvm_mmu_commit_zap_page(vcpu->kvm, &invalid_list);
-        kvm_mmu_audit(vcpu, "post pte write");
+        trace_kvm_mmu_audit(vcpu, AUDIT_POST_PTE_WRITE);
        spin_unlock(&vcpu->kvm->mmu_lock);
-        if (!is_error_pfn(vcpu->arch.update_pte.pfn)) {
-                kvm_release_pfn_clean(vcpu->arch.update_pte.pfn);
-                vcpu->arch.update_pte.pfn = bad_pfn;
-        }
 }
 int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
@@ -2923,7 +3357,7 @@ int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
        gpa_t gpa;
        int r;
-        if (tdp_enabled)
+        if (vcpu->arch.mmu.direct_map)
                return 0;
        gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, NULL);
@@ -2937,29 +3371,27 @@ EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page_virt);
 void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
 {
-        int free_pages;
        LIST_HEAD(invalid_list);
-        free_pages = vcpu->kvm->arch.n_free_mmu_pages;
+        while (kvm_mmu_available_pages(vcpu->kvm) < KVM_REFILL_PAGES &&
-        while (free_pages < KVM_REFILL_PAGES &&
               !list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
                struct kvm_mmu_page *sp;
                sp = container_of(vcpu->kvm->arch.active_mmu_pages.prev,
                                  struct kvm_mmu_page, link);
-                free_pages += kvm_mmu_prepare_zap_page(vcpu->kvm, sp,
+                kvm_mmu_prepare_zap_page(vcpu->kvm, sp, &invalid_list);
-                                                       &invalid_list);
+                kvm_mmu_commit_zap_page(vcpu->kvm, &invalid_list);
                ++vcpu->kvm->stat.mmu_recycled;
        }
-        kvm_mmu_commit_zap_page(vcpu->kvm, &invalid_list);
 }
-int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
+int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code,
+                       void *insn, int insn_len)
 {
        int r;
        enum emulation_result er;
-        r = vcpu->arch.mmu.page_fault(vcpu, cr2, error_code);
+        r = vcpu->arch.mmu.page_fault(vcpu, cr2, error_code, false);
        if (r < 0)
                goto out;
@@ -2972,7 +3404,7 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u32 error_code)
        if (r)
                goto out;
-        er = emulate_instruction(vcpu, cr2, error_code, 0);
+        er = x86_emulate_instruction(vcpu, cr2, 0, insn, insn_len);
        switch (er) {
        case EMULATE_DONE:
@@ -3013,6 +3445,8 @@ EXPORT_SYMBOL_GPL(kvm_disable_tdp);
 static void free_mmu_pages(struct kvm_vcpu *vcpu)
 {
        free_page((unsigned long)vcpu->arch.mmu.pae_root);
+        if (vcpu->arch.mmu.lm_root != NULL)
+                free_page((unsigned long)vcpu->arch.mmu.lm_root);
 }
 static int alloc_mmu_pages(struct kvm_vcpu *vcpu)
@@ -3054,15 +3488,6 @@ int kvm_mmu_setup(struct kvm_vcpu *vcpu)
        return init_kvm_mmu(vcpu);
 }
-void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
-{
-        ASSERT(vcpu);
-        destroy_kvm_mmu(vcpu);
-        free_mmu_pages(vcpu);
-        mmu_free_memory_caches(vcpu);
-}
 void kvm_mmu_slot_remove_write_access(struct kvm *kvm, int slot)
 {
        struct kvm_mmu_page *sp;
@@ -3075,10 +3500,22 @@ void kvm_mmu_slot_remove_write_access(struct kvm *kvm, int slot)
                        continue;
                pt = sp->spt;
-                for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
+                for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
+                        if (!is_shadow_present_pte(pt[i]) ||
+                              !is_last_spte(pt[i], sp->role.level))
+                                continue;
+                        if (is_large_pte(pt[i])) {
+                                drop_spte(kvm, &pt[i],
+                                          shadow_trap_nonpresent_pte);
+                                --kvm->stat.lpages;
+                                continue;
+                        }
                        /* avoid RMW */
                        if (is_writable_pte(pt[i]))
-                                pt[i] &= ~PT_WRITABLE_MASK;
+                                update_spte(&pt[i], pt[i] & ~PT_WRITABLE_MASK);
+                }
        }
        kvm_flush_remote_tlbs(kvm);
 }
@@ -3108,27 +3545,27 @@ static int kvm_mmu_remove_some_alloc_mmu_pages(struct kvm *kvm,
        return kvm_mmu_prepare_zap_page(kvm, page, invalid_list);
 }
-static int mmu_shrink(struct shrinker *shrink, int nr_to_scan, gfp_t gfp_mask)
+static int mmu_shrink(struct shrinker *shrink, struct shrink_control *sc)
 {
        struct kvm *kvm;
        struct kvm *kvm_freed = NULL;
-        int cache_count = 0;
+        int nr_to_scan = sc->nr_to_scan;
+        if (nr_to_scan == 0)
+                goto out;
-        spin_lock(&kvm_lock);
+        raw_spin_lock(&kvm_lock);
        list_for_each_entry(kvm, &vm_list, vm_list) {
-                int npages, idx, freed_pages;
+                int idx, freed_pages;
                LIST_HEAD(invalid_list);
                idx = srcu_read_lock(&kvm->srcu);
                spin_lock(&kvm->mmu_lock);
-                npages = kvm->arch.n_alloc_mmu_pages -
+                if (!kvm_freed && nr_to_scan > 0 &&
-                         kvm->arch.n_free_mmu_pages;
+                    kvm->arch.n_used_mmu_pages > 0) {
-                cache_count += npages;
-                if (!kvm_freed && nr_to_scan > 0 && npages > 0) {
                        freed_pages = kvm_mmu_remove_some_alloc_mmu_pages(kvm,
                                                          &invalid_list);
-                        cache_count -= freed_pages;
                        kvm_freed = kvm;
                }
                nr_to_scan--;
@@ -3140,9 +3577,10 @@ static int mmu_shrink(struct shrinker *shrink, int nr_to_scan, gfp_t gfp_mask)
        if (kvm_freed)
                list_move_tail(&kvm_freed->vm_list, &vm_list);
-        spin_unlock(&kvm_lock);
+        raw_spin_unlock(&kvm_lock);
-        return cache_count;
+out:
+        return percpu_counter_read_positive(&kvm_total_used_mmu_pages);
 }
 static struct shrinker mmu_shrinker = {
@@ -3160,12 +3598,6 @@ static void mmu_destroy_caches(void)
                kmem_cache_destroy(mmu_page_header_cache);
 }
-void kvm_mmu_module_exit(void)
-{
-        mmu_destroy_caches();
-        unregister_shrinker(&mmu_shrinker);
-}
 int kvm_mmu_module_init(void)
 {
        pte_chain_cache = kmem_cache_create("kvm_pte_chain",
@@ -3185,6 +3617,9 @@ int kvm_mmu_module_init(void)
        if (!mmu_page_header_cache)
                goto nomem;
+        if (percpu_counter_init(&kvm_total_used_mmu_pages, 0))
+                goto nomem;
        register_shrinker(&mmu_shrinker);
        return 0;
@@ -3259,7 +3694,7 @@ static int kvm_pv_mmu_write(struct kvm_vcpu *vcpu,
 static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
 {
-        (void)kvm_set_cr3(vcpu, vcpu->arch.cr3);
+        (void)kvm_set_cr3(vcpu, kvm_read_cr3(vcpu));
        return 1;
 }
@@ -3355,271 +3790,25 @@ int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4])
 }
 EXPORT_SYMBOL_GPL(kvm_mmu_get_spte_hierarchy);
-#ifdef AUDIT
+void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
-static const char *audit_msg;
-static gva_t canonicalize(gva_t gva)
-{
-#ifdef CONFIG_X86_64
-        gva = (long long)(gva << 16) >> 16;
-#endif
-        return gva;
-}
-typedef void (*inspect_spte_fn) (struct kvm *kvm, u64 *sptep);
-static void __mmu_spte_walk(struct kvm *kvm, struct kvm_mmu_page *sp,
-                            inspect_spte_fn fn)
-{
-        int i;
-        for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
-                u64 ent = sp->spt[i];
-                if (is_shadow_present_pte(ent)) {
-                        if (!is_last_spte(ent, sp->role.level)) {
-                                struct kvm_mmu_page *child;
-                                child = page_header(ent & PT64_BASE_ADDR_MASK);
-                                __mmu_spte_walk(kvm, child, fn);
-                        } else
-                                fn(kvm, &sp->spt[i]);
-                }
-        }
-}
-static void mmu_spte_walk(struct kvm_vcpu *vcpu, inspect_spte_fn fn)
-{
-        int i;
-        struct kvm_mmu_page *sp;
-        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
-                return;
-        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
-                hpa_t root = vcpu->arch.mmu.root_hpa;
-                sp = page_header(root);
-                __mmu_spte_walk(vcpu->kvm, sp, fn);
-                return;
-        }
-        for (i = 0; i < 4; ++i) {
-                hpa_t root = vcpu->arch.mmu.pae_root[i];
-                if (root && VALID_PAGE(root)) {
-                        root &= PT64_BASE_ADDR_MASK;
-                        sp = page_header(root);
-                        __mmu_spte_walk(vcpu->kvm, sp, fn);
-                }
-        }
-        return;
-}
-static void audit_mappings_page(struct kvm_vcpu *vcpu, u64 page_pte,
-                                gva_t va, int level)
-{
-        u64 *pt = __va(page_pte & PT64_BASE_ADDR_MASK);
-        int i;
-        gva_t va_delta = 1ul << (PAGE_SHIFT + 9 * (level - 1));
-        for (i = 0; i < PT64_ENT_PER_PAGE; ++i, va += va_delta) {
-                u64 ent = pt[i];
-                if (ent == shadow_trap_nonpresent_pte)
-                        continue;
-                va = canonicalize(va);
-                if (is_shadow_present_pte(ent) && !is_last_spte(ent, level))
-                        audit_mappings_page(vcpu, ent, va, level - 1);
-                else {
-                        gpa_t gpa = kvm_mmu_gva_to_gpa_read(vcpu, va, NULL);
-                        gfn_t gfn = gpa >> PAGE_SHIFT;
-                        pfn_t pfn = gfn_to_pfn(vcpu->kvm, gfn);
-                        hpa_t hpa = (hpa_t)pfn << PAGE_SHIFT;
-                        if (is_error_pfn(pfn)) {
-                                kvm_release_pfn_clean(pfn);
-                                continue;
-                        }
-                        if (is_shadow_present_pte(ent)
-                            && (ent & PT64_BASE_ADDR_MASK) != hpa)
-                                printk(KERN_ERR "xx audit error: (%s) levels %d"
-                                       " gva %lx gpa %llx hpa %llx ent %llx %d\n",
-                                       audit_msg, vcpu->arch.mmu.root_level,
-                                       va, gpa, hpa, ent,
-                                       is_shadow_present_pte(ent));
-                        else if (ent == shadow_notrap_nonpresent_pte
-                                 && !is_error_hpa(hpa))
-                                printk(KERN_ERR "audit: (%s) notrap shadow,"
-                                       " valid guest gva %lx\n", audit_msg, va);
-                        kvm_release_pfn_clean(pfn);
-                }
-        }
-}
-static void audit_mappings(struct kvm_vcpu *vcpu)
-{
-        unsigned i;
-        if (vcpu->arch.mmu.root_level == 4)
-                audit_mappings_page(vcpu, vcpu->arch.mmu.root_hpa, 0, 4);
-        else
-                for (i = 0; i < 4; ++i)
-                        if (vcpu->arch.mmu.pae_root[i] & PT_PRESENT_MASK)
-                                audit_mappings_page(vcpu,
-                                                    vcpu->arch.mmu.pae_root[i],
-                                                    i << 30,
-                                                    2);
-}
-static int count_rmaps(struct kvm_vcpu *vcpu)
-{
-        struct kvm *kvm = vcpu->kvm;
-        struct kvm_memslots *slots;
-        int nmaps = 0;
-        int i, j, k, idx;
-        idx = srcu_read_lock(&kvm->srcu);
-        slots = kvm_memslots(kvm);
-        for (i = 0; i < KVM_MEMORY_SLOTS; ++i) {
-                struct kvm_memory_slot *m = &slots->memslots[i];
-                struct kvm_rmap_desc *d;
-                for (j = 0; j < m->npages; ++j) {
-                        unsigned long *rmapp = &m->rmap[j];
-                        if (!*rmapp)
-                                continue;
-                        if (!(*rmapp & 1)) {
-                                ++nmaps;
-                                continue;
-                        }
-                        d = (struct kvm_rmap_desc *)(*rmapp & ~1ul);
-                        while (d) {
-                                for (k = 0; k < RMAP_EXT; ++k)
-                                        if (d->sptes[k])
-                                                ++nmaps;
-                                        else
-                                                break;
-                                d = d->more;
-                        }
-                }
-        }
-        srcu_read_unlock(&kvm->srcu, idx);
-        return nmaps;
-}
-void inspect_spte_has_rmap(struct kvm *kvm, u64 *sptep)
-{
-        unsigned long *rmapp;
-        struct kvm_mmu_page *rev_sp;
-        gfn_t gfn;
-        if (is_writable_pte(*sptep)) {
-                rev_sp = page_header(__pa(sptep));
-                gfn = kvm_mmu_page_get_gfn(rev_sp, sptep - rev_sp->spt);
-                if (!gfn_to_memslot(kvm, gfn)) {
-                        if (!printk_ratelimit())
-                                return;
-                        printk(KERN_ERR "%s: no memslot for gfn %ld\n",
-                                         audit_msg, gfn);
-                        printk(KERN_ERR "%s: index %ld of sp (gfn=%lx)\n",
-                               audit_msg, (long int)(sptep - rev_sp->spt),
-                                        rev_sp->gfn);
-                        dump_stack();
-                        return;
-                }
-                rmapp = gfn_to_rmap(kvm, gfn, rev_sp->role.level);
-                if (!*rmapp) {
-                        if (!printk_ratelimit())
-                                return;
-                        printk(KERN_ERR "%s: no rmap for writable spte %llx\n",
-                                         audit_msg, *sptep);
-                        dump_stack();
-                }
-        }
-}
-void audit_writable_sptes_have_rmaps(struct kvm_vcpu *vcpu)
-{
-        mmu_spte_walk(vcpu, inspect_spte_has_rmap);
-}
-static void check_writable_mappings_rmap(struct kvm_vcpu *vcpu)
 {
-        struct kvm_mmu_page *sp;
+        ASSERT(vcpu);
-        int i;
-        list_for_each_entry(sp, &vcpu->kvm->arch.active_mmu_pages, link) {
-                u64 *pt = sp->spt;
-                if (sp->role.level != PT_PAGE_TABLE_LEVEL)
-                        continue;
-                for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
-                        u64 ent = pt[i];
-                        if (!(ent & PT_PRESENT_MASK))
-                                continue;
-                        if (!is_writable_pte(ent))
-                                continue;
-                        inspect_spte_has_rmap(vcpu->kvm, &pt[i]);
-                }
-        }
-        return;
-}
-static void audit_rmap(struct kvm_vcpu *vcpu)
+        destroy_kvm_mmu(vcpu);
-{
+        free_mmu_pages(vcpu);
-        check_writable_mappings_rmap(vcpu);
+        mmu_free_memory_caches(vcpu);
-        count_rmaps(vcpu);
 }
-static void audit_write_protection(struct kvm_vcpu *vcpu)
+#ifdef CONFIG_KVM_MMU_AUDIT
-{
+#include "mmu_audit.c"
-        struct kvm_mmu_page *sp;
+#else
-        struct kvm_memory_slot *slot;
+static void mmu_audit_disable(void) { }
-        unsigned long *rmapp;
+#endif
-        u64 *spte;
-        gfn_t gfn;
-        list_for_each_entry(sp, &vcpu->kvm->arch.active_mmu_pages, link) {
-                if (sp->role.direct)
-                        continue;
-                if (sp->unsync)
-                        continue;
-                slot = gfn_to_memslot(vcpu->kvm, sp->gfn);
-                rmapp = &slot->rmap[gfn - slot->base_gfn];
-                spte = rmap_next(vcpu->kvm, rmapp, NULL);
-                while (spte) {
-                        if (is_writable_pte(*spte))
-                                printk(KERN_ERR "%s: (%s) shadow page has "
-                                "writable mappings: gfn %lx role %x\n",
-                               __func__, audit_msg, sp->gfn,
-                               sp->role.word);
-                        spte = rmap_next(vcpu->kvm, rmapp, spte);
-                }
-        }
-}
-static void kvm_mmu_audit(struct kvm_vcpu *vcpu, const char *msg)
+void kvm_mmu_module_exit(void)
 {
-        int olddbg = dbg;
+        mmu_destroy_caches();
+        percpu_counter_destroy(&kvm_total_used_mmu_pages);
-        dbg = 0;
+        unregister_shrinker(&mmu_shrinker);
-        audit_msg = msg;
+        mmu_audit_disable();
-        audit_rmap(vcpu);
-        audit_write_protection(vcpu);
-        if (strcmp("pre pte write", audit_msg) != 0)
-                audit_mappings(vcpu);
-        audit_writable_sptes_have_rmaps(vcpu);
-        dbg = olddbg;
 }
-#endif
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index be66759321a5..7086ca85d3e7 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -49,10 +49,17 @@
 #define PFERR_FETCH_MASK (1U << 4)
 int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4]);
+int kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
+static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
+{
+        return kvm->arch.n_max_mmu_pages -
+                kvm->arch.n_used_mmu_pages;
+}
 static inline void kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
 {
-        if (unlikely(vcpu->kvm->arch.n_free_mmu_pages < KVM_MIN_FREE_MMU_PAGES))
+        if (unlikely(kvm_mmu_available_pages(vcpu->kvm)< KVM_MIN_FREE_MMU_PAGES))
                __kvm_mmu_free_some_pages(vcpu);
 }
diff --git a/arch/x86/kvm/mmu_audit.c b/arch/x86/kvm/mmu_audit.c
new file mode 100644
index 000000000000..5f6223b8bcf7
--- /dev/null
+++ b/arch/x86/kvm/mmu_audit.c
@@ -0,0 +1,304 @@
+/*
+ * mmu_audit.c:
+ *
+ * Audit code for KVM MMU
+ *
+ * Copyright (C) 2006 Qumranet, Inc.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
+ *
+ * Authors:
+ *   Yaniv Kamay  <yaniv@qumranet.com>
+ *   Avi Kivity   <avi@qumranet.com>
+ *   Marcelo Tosatti <mtosatti@redhat.com>
+ *   Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+#include <linux/ratelimit.h>
+#define audit_printk(kvm, fmt, args...)         \
+        printk(KERN_ERR "audit: (%s) error: "   \
+                fmt, audit_point_name[kvm->arch.audit_point], ##args)
+typedef void (*inspect_spte_fn) (struct kvm_vcpu *vcpu, u64 *sptep, int level);
+static void __mmu_spte_walk(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
+                            inspect_spte_fn fn, int level)
+{
+        int i;
+        for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
+                u64 *ent = sp->spt;
+                fn(vcpu, ent + i, level);
+                if (is_shadow_present_pte(ent[i]) &&
+                      !is_last_spte(ent[i], level)) {
+                        struct kvm_mmu_page *child;
+                        child = page_header(ent[i] & PT64_BASE_ADDR_MASK);
+                        __mmu_spte_walk(vcpu, child, fn, level - 1);
+                }
+        }
+}
+static void mmu_spte_walk(struct kvm_vcpu *vcpu, inspect_spte_fn fn)
+{
+        int i;
+        struct kvm_mmu_page *sp;
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                return;
+        if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
+                hpa_t root = vcpu->arch.mmu.root_hpa;
+                sp = page_header(root);
+                __mmu_spte_walk(vcpu, sp, fn, PT64_ROOT_LEVEL);
+                return;
+        }
+        for (i = 0; i < 4; ++i) {
+                hpa_t root = vcpu->arch.mmu.pae_root[i];
+                if (root && VALID_PAGE(root)) {
+                        root &= PT64_BASE_ADDR_MASK;
+                        sp = page_header(root);
+                        __mmu_spte_walk(vcpu, sp, fn, 2);
+                }
+        }
+        return;
+}
+typedef void (*sp_handler) (struct kvm *kvm, struct kvm_mmu_page *sp);
+static void walk_all_active_sps(struct kvm *kvm, sp_handler fn)
+{
+        struct kvm_mmu_page *sp;
+        list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link)
+                fn(kvm, sp);
+}
+static void audit_mappings(struct kvm_vcpu *vcpu, u64 *sptep, int level)
+{
+        struct kvm_mmu_page *sp;
+        gfn_t gfn;
+        pfn_t pfn;
+        hpa_t hpa;
+        sp = page_header(__pa(sptep));
+        if (sp->unsync) {
+                if (level != PT_PAGE_TABLE_LEVEL) {
+                        audit_printk(vcpu->kvm, "unsync sp: %p "
+                                     "level = %d\n", sp, level);
+                        return;
+                }
+                if (*sptep == shadow_notrap_nonpresent_pte) {
+                        audit_printk(vcpu->kvm, "notrap spte in unsync "
+                                     "sp: %p\n", sp);
+                        return;
+                }
+        }
+        if (sp->role.direct && *sptep == shadow_notrap_nonpresent_pte) {
+                audit_printk(vcpu->kvm, "notrap spte in direct sp: %p\n",
+                             sp);
+                return;
+        }
+        if (!is_shadow_present_pte(*sptep) || !is_last_spte(*sptep, level))
+                return;
+        gfn = kvm_mmu_page_get_gfn(sp, sptep - sp->spt);
+        pfn = gfn_to_pfn_atomic(vcpu->kvm, gfn);
+        if (is_error_pfn(pfn)) {
+                kvm_release_pfn_clean(pfn);
+                return;
+        }
+        hpa =  pfn << PAGE_SHIFT;
+        if ((*sptep & PT64_BASE_ADDR_MASK) != hpa)
+                audit_printk(vcpu->kvm, "levels %d pfn %llx hpa %llx "
+                             "ent %llxn", vcpu->arch.mmu.root_level, pfn,
+                             hpa, *sptep);
+}
+static void inspect_spte_has_rmap(struct kvm *kvm, u64 *sptep)
+{
+        unsigned long *rmapp;
+        struct kvm_mmu_page *rev_sp;
+        gfn_t gfn;
+        rev_sp = page_header(__pa(sptep));
+        gfn = kvm_mmu_page_get_gfn(rev_sp, sptep - rev_sp->spt);
+        if (!gfn_to_memslot(kvm, gfn)) {
+                if (!printk_ratelimit())
+                        return;
+                audit_printk(kvm, "no memslot for gfn %llx\n", gfn);
+                audit_printk(kvm, "index %ld of sp (gfn=%llx)\n",
+                       (long int)(sptep - rev_sp->spt), rev_sp->gfn);
+                dump_stack();
+                return;
+        }
+        rmapp = gfn_to_rmap(kvm, gfn, rev_sp->role.level);
+        if (!*rmapp) {
+                if (!printk_ratelimit())
+                        return;
+                audit_printk(kvm, "no rmap for writable spte %llx\n",
+                             *sptep);
+                dump_stack();
+        }
+}
+static void audit_sptes_have_rmaps(struct kvm_vcpu *vcpu, u64 *sptep, int level)
+{
+        if (is_shadow_present_pte(*sptep) && is_last_spte(*sptep, level))
+                inspect_spte_has_rmap(vcpu->kvm, sptep);
+}
+static void audit_spte_after_sync(struct kvm_vcpu *vcpu, u64 *sptep, int level)
+{
+        struct kvm_mmu_page *sp = page_header(__pa(sptep));
+        if (vcpu->kvm->arch.audit_point == AUDIT_POST_SYNC && sp->unsync)
+                audit_printk(vcpu->kvm, "meet unsync sp(%p) after sync "
+                             "root.\n", sp);
+}
+static void check_mappings_rmap(struct kvm *kvm, struct kvm_mmu_page *sp)
+{
+        int i;
+        if (sp->role.level != PT_PAGE_TABLE_LEVEL)
+                return;
+        for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
+                if (!is_rmap_spte(sp->spt[i]))
+                        continue;
+                inspect_spte_has_rmap(kvm, sp->spt + i);
+        }
+}
+static void audit_write_protection(struct kvm *kvm, struct kvm_mmu_page *sp)
+{
+        struct kvm_memory_slot *slot;
+        unsigned long *rmapp;
+        u64 *spte;
+        if (sp->role.direct || sp->unsync || sp->role.invalid)
+                return;
+        slot = gfn_to_memslot(kvm, sp->gfn);
+        rmapp = &slot->rmap[sp->gfn - slot->base_gfn];
+        spte = rmap_next(kvm, rmapp, NULL);
+        while (spte) {
+                if (is_writable_pte(*spte))
+                        audit_printk(kvm, "shadow page has writable "
+                                     "mappings: gfn %llx role %x\n",
+                                     sp->gfn, sp->role.word);
+                spte = rmap_next(kvm, rmapp, spte);
+        }
+}
+static void audit_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
+{
+        check_mappings_rmap(kvm, sp);
+        audit_write_protection(kvm, sp);
+}
+static void audit_all_active_sps(struct kvm *kvm)
+{
+        walk_all_active_sps(kvm, audit_sp);
+}
+static void audit_spte(struct kvm_vcpu *vcpu, u64 *sptep, int level)
+{
+        audit_sptes_have_rmaps(vcpu, sptep, level);
+        audit_mappings(vcpu, sptep, level);
+        audit_spte_after_sync(vcpu, sptep, level);
+}
+static void audit_vcpu_spte(struct kvm_vcpu *vcpu)
+{
+        mmu_spte_walk(vcpu, audit_spte);
+}
+static void kvm_mmu_audit(void *ignore, struct kvm_vcpu *vcpu, int point)
+{
+        static DEFINE_RATELIMIT_STATE(ratelimit_state, 5 * HZ, 10);
+        if (!__ratelimit(&ratelimit_state))
+                return;
+        vcpu->kvm->arch.audit_point = point;
+        audit_all_active_sps(vcpu->kvm);
+        audit_vcpu_spte(vcpu);
+}
+static bool mmu_audit;
+static void mmu_audit_enable(void)
+{
+        int ret;
+        if (mmu_audit)
+                return;
+        ret = register_trace_kvm_mmu_audit(kvm_mmu_audit, NULL);
+        WARN_ON(ret);
+        mmu_audit = true;
+}
+static void mmu_audit_disable(void)
+{
+        if (!mmu_audit)
+                return;
+        unregister_trace_kvm_mmu_audit(kvm_mmu_audit, NULL);
+        tracepoint_synchronize_unregister();
+        mmu_audit = false;
+}
+static int mmu_audit_set(const char *val, const struct kernel_param *kp)
+{
+        int ret;
+        unsigned long enable;
+        ret = strict_strtoul(val, 10, &enable);
+        if (ret < 0)
+                return -EINVAL;
+        switch (enable) {
+        case 0:
+                mmu_audit_disable();
+                break;
+        case 1:
+                mmu_audit_enable();
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+static struct kernel_param_ops audit_param_ops = {
+        .set = mmu_audit_set,
+        .get = param_get_bool,
+};
+module_param_cb(mmu_audit, &audit_param_ops, &mmu_audit, 0644);
diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
index 3aab0f0930ef..b60b4fdb3eda 100644
--- a/arch/x86/kvm/mmutrace.h
+++ b/arch/x86/kvm/mmutrace.h
@@ -195,6 +195,25 @@ DEFINE_EVENT(kvm_mmu_page_class, kvm_mmu_prepare_zap_page,
        TP_ARGS(sp)
 );
+TRACE_EVENT(
+        kvm_mmu_audit,
+        TP_PROTO(struct kvm_vcpu *vcpu, int audit_point),
+        TP_ARGS(vcpu, audit_point),
+        TP_STRUCT__entry(
+                __field(struct kvm_vcpu *, vcpu)
+                __field(int, audit_point)
+        ),
+        TP_fast_assign(
+                __entry->vcpu = vcpu;
+                __entry->audit_point = audit_point;
+        ),
+        TP_printk("vcpu:%d %s", __entry->vcpu->cpu,
+                  audit_point_name[__entry->audit_point])
+);
 #endif /* _TRACE_KVMMMU_H */
 #undef TRACE_INCLUDE_PATH
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 51ef9097960d..9d03ad4dd5ec 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -7,7 +7,7 @@
 * MMU support
 *
 * Copyright (C) 2006 Qumranet, Inc.
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Yaniv Kamay  <yaniv@qumranet.com>
@@ -31,7 +31,6 @@
        #define PT_LVL_ADDR_MASK(lvl) PT64_LVL_ADDR_MASK(lvl)
        #define PT_LVL_OFFSET_MASK(lvl) PT64_LVL_OFFSET_MASK(lvl)
        #define PT_INDEX(addr, level) PT64_INDEX(addr, level)
-        #define PT_LEVEL_MASK(level) PT64_LEVEL_MASK(level)
        #define PT_LEVEL_BITS PT64_LEVEL_BITS
        #ifdef CONFIG_X86_64
        #define PT_MAX_FULL_LEVELS 4
@@ -48,7 +47,6 @@
        #define PT_LVL_ADDR_MASK(lvl) PT32_LVL_ADDR_MASK(lvl)
        #define PT_LVL_OFFSET_MASK(lvl) PT32_LVL_OFFSET_MASK(lvl)
        #define PT_INDEX(addr, level) PT32_INDEX(addr, level)
-        #define PT_LEVEL_MASK(level) PT32_LEVEL_MASK(level)
        #define PT_LEVEL_BITS PT32_LEVEL_BITS
        #define PT_MAX_FULL_LEVELS 2
        #define CMPXCHG cmpxchg
@@ -67,11 +65,12 @@ struct guest_walker {
        int level;
        gfn_t table_gfn[PT_MAX_FULL_LEVELS];
        pt_element_t ptes[PT_MAX_FULL_LEVELS];
+        pt_element_t prefetch_ptes[PTE_PREFETCH_NUM];
        gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
        unsigned pt_access;
        unsigned pte_access;
        gfn_t gfn;
-        u32 error_code;
+        struct x86_exception fault;
 };
 static gfn_t gpte_to_gfn_lvl(pt_element_t gpte, int lvl)
@@ -79,15 +78,19 @@ static gfn_t gpte_to_gfn_lvl(pt_element_t gpte, int lvl)
        return (gpte & PT_LVL_ADDR_MASK(lvl)) >> PAGE_SHIFT;
 }
-static bool FNAME(cmpxchg_gpte)(struct kvm *kvm,
+static int FNAME(cmpxchg_gpte)(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
-                         gfn_t table_gfn, unsigned index,
+                               pt_element_t __user *ptep_user, unsigned index,
-                         pt_element_t orig_pte, pt_element_t new_pte)
+                               pt_element_t orig_pte, pt_element_t new_pte)
 {
+        int npages;
        pt_element_t ret;
        pt_element_t *table;
        struct page *page;
-        page = gfn_to_page(kvm, table_gfn);
+        npages = get_user_pages_fast((unsigned long)ptep_user, 1, 1, &page);
+        /* Check if the user is doing something meaningless. */
+        if (unlikely(npages != 1))
+                return -EFAULT;
        table = kmap_atomic(page, KM_USER0);
        ret = CMPXCHG(&table[index], orig_pte, new_pte);
@@ -104,7 +107,7 @@ static unsigned FNAME(gpte_access)(struct kvm_vcpu *vcpu, pt_element_t gpte)
        access = (gpte & (PT_WRITABLE_MASK | PT_USER_MASK)) | ACC_EXEC_MASK;
 #if PTTYPE == 64
-        if (is_nx(vcpu))
+        if (vcpu->arch.mmu.nx)
                access &= ~(gpte >> PT64_NX_SHIFT);
 #endif
        return access;
@@ -113,26 +116,33 @@ static unsigned FNAME(gpte_access)(struct kvm_vcpu *vcpu, pt_element_t gpte)
 /*
 * Fetch a guest pte for a guest virtual address
 */
-static int FNAME(walk_addr)(struct guest_walker *walker,
+static int FNAME(walk_addr_generic)(struct guest_walker *walker,
-                            struct kvm_vcpu *vcpu, gva_t addr,
+                                    struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
-                            int write_fault, int user_fault, int fetch_fault)
+                                    gva_t addr, u32 access)
 {
        pt_element_t pte;
+        pt_element_t __user *uninitialized_var(ptep_user);
        gfn_t table_gfn;
        unsigned index, pt_access, uninitialized_var(pte_access);
        gpa_t pte_gpa;
        bool eperm, present, rsvd_fault;
+        int offset, write_fault, user_fault, fetch_fault;
+        write_fault = access & PFERR_WRITE_MASK;
+        user_fault = access & PFERR_USER_MASK;
+        fetch_fault = access & PFERR_FETCH_MASK;
        trace_kvm_mmu_pagetable_walk(addr, write_fault, user_fault,
                                     fetch_fault);
 walk:
        present = true;
        eperm = rsvd_fault = false;
-        walker->level = vcpu->arch.mmu.root_level;
+        walker->level = mmu->root_level;
-        pte = vcpu->arch.cr3;
+        pte           = mmu->get_cr3(vcpu);
 #if PTTYPE == 64
-        if (!is_long_mode(vcpu)) {
+        if (walker->level == PT32E_ROOT_LEVEL) {
-                pte = kvm_pdptr_read(vcpu, (addr >> 30) & 3);
+                pte = kvm_pdptr_read_mmu(vcpu, mmu, (addr >> 30) & 3);
                trace_kvm_mmu_paging_element(pte, walker->level);
                if (!is_present_gpte(pte)) {
                        present = false;
@@ -142,54 +152,80 @@ walk:
        }
 #endif
        ASSERT((!is_long_mode(vcpu) && is_pae(vcpu)) ||
-               (vcpu->arch.cr3 & CR3_NONPAE_RESERVED_BITS) == 0);
+               (mmu->get_cr3(vcpu) & CR3_NONPAE_RESERVED_BITS) == 0);
        pt_access = ACC_ALL;
        for (;;) {
+                gfn_t real_gfn;
+                unsigned long host_addr;
                index = PT_INDEX(addr, walker->level);
                table_gfn = gpte_to_gfn(pte);
-                pte_gpa = gfn_to_gpa(table_gfn);
+                offset    = index * sizeof(pt_element_t);
-                pte_gpa += index * sizeof(pt_element_t);
+                pte_gpa   = gfn_to_gpa(table_gfn) + offset;
                walker->table_gfn[walker->level - 1] = table_gfn;
                walker->pte_gpa[walker->level - 1] = pte_gpa;
-                if (kvm_read_guest(vcpu->kvm, pte_gpa, &pte, sizeof(pte))) {
+                real_gfn = mmu->translate_gpa(vcpu, gfn_to_gpa(table_gfn),
+                                              PFERR_USER_MASK|PFERR_WRITE_MASK);
+                if (unlikely(real_gfn == UNMAPPED_GVA)) {
+                        present = false;
+                        break;
+                }
+                real_gfn = gpa_to_gfn(real_gfn);
+                host_addr = gfn_to_hva(vcpu->kvm, real_gfn);
+                if (unlikely(kvm_is_error_hva(host_addr))) {
+                        present = false;
+                        break;
+                }
+                ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
+                if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte)))) {
                        present = false;
                        break;
                }
                trace_kvm_mmu_paging_element(pte, walker->level);
-                if (!is_present_gpte(pte)) {
+                if (unlikely(!is_present_gpte(pte))) {
                        present = false;
                        break;
                }
-                if (is_rsvd_bits_set(vcpu, pte, walker->level)) {
+                if (unlikely(is_rsvd_bits_set(&vcpu->arch.mmu, pte,
+                                              walker->level))) {
                        rsvd_fault = true;
                        break;
                }
-                if (write_fault && !is_writable_pte(pte))
+                if (unlikely(write_fault && !is_writable_pte(pte)
-                        if (user_fault || is_write_protection(vcpu))
+                             && (user_fault || is_write_protection(vcpu))))
-                                eperm = true;
+                        eperm = true;
-                if (user_fault && !(pte & PT_USER_MASK))
+                if (unlikely(user_fault && !(pte & PT_USER_MASK)))
                        eperm = true;
 #if PTTYPE == 64
-                if (fetch_fault && (pte & PT64_NX_MASK))
+                if (unlikely(fetch_fault && (pte & PT64_NX_MASK)))
                        eperm = true;
 #endif
-                if (!eperm && !rsvd_fault && !(pte & PT_ACCESSED_MASK)) {
+                if (!eperm && !rsvd_fault
+                    && unlikely(!(pte & PT_ACCESSED_MASK))) {
+                        int ret;
                        trace_kvm_mmu_set_accessed_bit(table_gfn, index,
                                                       sizeof(pte));
-                        if (FNAME(cmpxchg_gpte)(vcpu->kvm, table_gfn,
+                        ret = FNAME(cmpxchg_gpte)(vcpu, mmu, ptep_user, index,
-                            index, pte, pte|PT_ACCESSED_MASK))
+                                                  pte, pte|PT_ACCESSED_MASK);
+                        if (unlikely(ret < 0)) {
+                                present = false;
+                                break;
+                        } else if (ret)
                                goto walk;
                        mark_page_dirty(vcpu->kvm, table_gfn);
                        pte |= PT_ACCESSED_MASK;
                }
@@ -204,17 +240,28 @@ walk:
                                (PTTYPE == 64 || is_pse(vcpu))) ||
                    ((walker->level == PT_PDPE_LEVEL) &&
                                is_large_pte(pte) &&
-                                is_long_mode(vcpu))) {
+                                mmu->root_level == PT64_ROOT_LEVEL)) {
                        int lvl = walker->level;
+                        gpa_t real_gpa;
+                        gfn_t gfn;
+                        u32 ac;
-                        walker->gfn = gpte_to_gfn_lvl(pte, lvl);
+                        gfn = gpte_to_gfn_lvl(pte, lvl);
-                        walker->gfn += (addr & PT_LVL_OFFSET_MASK(lvl))
+                        gfn += (addr & PT_LVL_OFFSET_MASK(lvl)) >> PAGE_SHIFT;
-                                        >> PAGE_SHIFT;
                        if (PTTYPE == 32 &&
                            walker->level == PT_DIRECTORY_LEVEL &&
                            is_cpuid_PSE36())
-                                walker->gfn += pse36_gfn_delta(pte);
+                                gfn += pse36_gfn_delta(pte);
+                        ac = write_fault | fetch_fault | user_fault;
+                        real_gpa = mmu->translate_gpa(vcpu, gfn_to_gpa(gfn),
+                                                      ac);
+                        if (real_gpa == UNMAPPED_GVA)
+                                return 0;
+                        walker->gfn = real_gpa >> PAGE_SHIFT;
                        break;
                }
@@ -223,17 +270,21 @@ walk:
                --walker->level;
        }
-        if (!present || eperm || rsvd_fault)
+        if (unlikely(!present || eperm || rsvd_fault))
                goto error;
-        if (write_fault && !is_dirty_gpte(pte)) {
+        if (write_fault && unlikely(!is_dirty_gpte(pte))) {
-                bool ret;
+                int ret;
                trace_kvm_mmu_set_dirty_bit(table_gfn, index, sizeof(pte));
-                ret = FNAME(cmpxchg_gpte)(vcpu->kvm, table_gfn, index, pte,
+                ret = FNAME(cmpxchg_gpte)(vcpu, mmu, ptep_user, index,
-                            pte|PT_DIRTY_MASK);
+                                          pte, pte|PT_DIRTY_MASK);
-                if (ret)
+                if (unlikely(ret < 0)) {
+                        present = false;
+                        goto error;
+                } else if (ret)
                        goto walk;
                mark_page_dirty(vcpu->kvm, table_gfn);
                pte |= PT_DIRTY_MASK;
                walker->ptes[walker->level - 1] = pte;
@@ -246,52 +297,87 @@ walk:
        return 1;
 error:
-        walker->error_code = 0;
+        walker->fault.vector = PF_VECTOR;
+        walker->fault.error_code_valid = true;
+        walker->fault.error_code = 0;
        if (present)
-                walker->error_code |= PFERR_PRESENT_MASK;
+                walker->fault.error_code |= PFERR_PRESENT_MASK;
-        if (write_fault)
-                walker->error_code |= PFERR_WRITE_MASK;
+        walker->fault.error_code |= write_fault | user_fault;
-        if (user_fault)
-                walker->error_code |= PFERR_USER_MASK;
+        if (fetch_fault && mmu->nx)
-        if (fetch_fault && is_nx(vcpu))
+                walker->fault.error_code |= PFERR_FETCH_MASK;
-                walker->error_code |= PFERR_FETCH_MASK;
        if (rsvd_fault)
-                walker->error_code |= PFERR_RSVD_MASK;
+                walker->fault.error_code |= PFERR_RSVD_MASK;
-        trace_kvm_mmu_walker_error(walker->error_code);
+        walker->fault.address = addr;
+        walker->fault.nested_page_fault = mmu != vcpu->arch.walk_mmu;
+        trace_kvm_mmu_walker_error(walker->fault.error_code);
        return 0;
 }
+static int FNAME(walk_addr)(struct guest_walker *walker,
+                            struct kvm_vcpu *vcpu, gva_t addr, u32 access)
+{
+        return FNAME(walk_addr_generic)(walker, vcpu, &vcpu->arch.mmu, addr,
+                                        access);
+}
+static int FNAME(walk_addr_nested)(struct guest_walker *walker,
+                                   struct kvm_vcpu *vcpu, gva_t addr,
+                                   u32 access)
+{
+        return FNAME(walk_addr_generic)(walker, vcpu, &vcpu->arch.nested_mmu,
+                                        addr, access);
+}
+static bool FNAME(prefetch_invalid_gpte)(struct kvm_vcpu *vcpu,
+                                    struct kvm_mmu_page *sp, u64 *spte,
+                                    pt_element_t gpte)
+{
+        u64 nonpresent = shadow_trap_nonpresent_pte;
+        if (is_rsvd_bits_set(&vcpu->arch.mmu, gpte, PT_PAGE_TABLE_LEVEL))
+                goto no_present;
+        if (!is_present_gpte(gpte)) {
+                if (!sp->unsync)
+                        nonpresent = shadow_notrap_nonpresent_pte;
+                goto no_present;
+        }
+        if (!(gpte & PT_ACCESSED_MASK))
+                goto no_present;
+        return false;
+no_present:
+        drop_spte(vcpu->kvm, spte, nonpresent);
+        return true;
+}
 static void FNAME(update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
                              u64 *spte, const void *pte)
 {
        pt_element_t gpte;
        unsigned pte_access;
        pfn_t pfn;
-        u64 new_spte;
        gpte = *(const pt_element_t *)pte;
-        if (~gpte & (PT_PRESENT_MASK | PT_ACCESSED_MASK)) {
+        if (FNAME(prefetch_invalid_gpte)(vcpu, sp, spte, gpte))
-                if (!is_present_gpte(gpte)) {
-                        if (sp->unsync)
-                                new_spte = shadow_trap_nonpresent_pte;
-                        else
-                                new_spte = shadow_notrap_nonpresent_pte;
-                        __set_spte(spte, new_spte);
-                }
                return;
-        }
        pgprintk("%s: gpte %llx spte %p\n", __func__, (u64)gpte, spte);
        pte_access = sp->role.access & FNAME(gpte_access)(vcpu, gpte);
-        if (gpte_to_gfn(gpte) != vcpu->arch.update_pte.gfn)
+        pfn = gfn_to_pfn_atomic(vcpu->kvm, gpte_to_gfn(gpte));
+        if (is_error_pfn(pfn)) {
+                kvm_release_pfn_clean(pfn);
                return;
-        pfn = vcpu->arch.update_pte.pfn;
+        }
-        if (is_error_pfn(pfn))
-                return;
-        if (mmu_notifier_retry(vcpu, vcpu->arch.update_pte.mmu_seq))
-                return;
-        kvm_get_pfn(pfn);
        /*
-         * we call mmu_set_spte() with reset_host_protection = true beacuse that
+         * we call mmu_set_spte() with host_writable = true because that
         * vcpu->arch.update_pte.pfn was fetched from get_user_pages(write = 1).
         */
        mmu_set_spte(vcpu, spte, sp->role.access, pte_access, 0, 0,
@@ -302,21 +388,87 @@ static void FNAME(update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
 static bool FNAME(gpte_changed)(struct kvm_vcpu *vcpu,
                                struct guest_walker *gw, int level)
 {
-        int r;
        pt_element_t curr_pte;
+        gpa_t base_gpa, pte_gpa = gw->pte_gpa[level - 1];
-        r = kvm_read_guest_atomic(vcpu->kvm, gw->pte_gpa[level - 1],
+        u64 mask;
+        int r, index;
+        if (level == PT_PAGE_TABLE_LEVEL) {
+                mask = PTE_PREFETCH_NUM * sizeof(pt_element_t) - 1;
+                base_gpa = pte_gpa & ~mask;
+                index = (pte_gpa - base_gpa) / sizeof(pt_element_t);
+                r = kvm_read_guest_atomic(vcpu->kvm, base_gpa,
+                                gw->prefetch_ptes, sizeof(gw->prefetch_ptes));
+                curr_pte = gw->prefetch_ptes[index];
+        } else
+                r = kvm_read_guest_atomic(vcpu->kvm, pte_gpa,
                                  &curr_pte, sizeof(curr_pte));
        return r || curr_pte != gw->ptes[level - 1];
 }
+static void FNAME(pte_prefetch)(struct kvm_vcpu *vcpu, struct guest_walker *gw,
+                                u64 *sptep)
+{
+        struct kvm_mmu_page *sp;
+        pt_element_t *gptep = gw->prefetch_ptes;
+        u64 *spte;
+        int i;
+        sp = page_header(__pa(sptep));
+        if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+                return;
+        if (sp->role.direct)
+                return __direct_pte_prefetch(vcpu, sp, sptep);
+        i = (sptep - sp->spt) & ~(PTE_PREFETCH_NUM - 1);
+        spte = sp->spt + i;
+        for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
+                pt_element_t gpte;
+                unsigned pte_access;
+                gfn_t gfn;
+                pfn_t pfn;
+                bool dirty;
+                if (spte == sptep)
+                        continue;
+                if (*spte != shadow_trap_nonpresent_pte)
+                        continue;
+                gpte = gptep[i];
+                if (FNAME(prefetch_invalid_gpte)(vcpu, sp, spte, gpte))
+                        continue;
+                pte_access = sp->role.access & FNAME(gpte_access)(vcpu, gpte);
+                gfn = gpte_to_gfn(gpte);
+                dirty = is_dirty_gpte(gpte);
+                pfn = pte_prefetch_gfn_to_pfn(vcpu, gfn,
+                                      (pte_access & ACC_WRITE_MASK) && dirty);
+                if (is_error_pfn(pfn)) {
+                        kvm_release_pfn_clean(pfn);
+                        break;
+                }
+                mmu_set_spte(vcpu, spte, sp->role.access, pte_access, 0, 0,
+                             dirty, NULL, PT_PAGE_TABLE_LEVEL, gfn,
+                             pfn, true, true);
+        }
+}
 /*
 * Fetch a shadow pte for a specific level in the paging hierarchy.
 */
 static u64 *FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
                         struct guest_walker *gw,
                         int user_fault, int write_fault, int hlevel,
-                         int *ptwrite, pfn_t pfn)
+                         int *ptwrite, pfn_t pfn, bool map_writable,
+                         bool prefault)
 {
        unsigned access = gw->pt_access;
        struct kvm_mmu_page *sp = NULL;
@@ -390,7 +542,8 @@ static u64 *FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
        mmu_set_spte(vcpu, it.sptep, access, gw->pte_access & access,
                     user_fault, write_fault, dirty, ptwrite, it.level,
-                     gw->gfn, pfn, false, true);
+                     gw->gfn, pfn, prefault, map_writable);
+        FNAME(pte_prefetch)(vcpu, gw, it.sptep);
        return it.sptep;
@@ -415,22 +568,22 @@ out_gpte_changed:
 *  Returns: 1 if we need to emulate the instruction, 0 otherwise, or
 *           a negative value on error.
 */
-static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
+static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
-                               u32 error_code)
+                             bool prefault)
 {
        int write_fault = error_code & PFERR_WRITE_MASK;
        int user_fault = error_code & PFERR_USER_MASK;
-        int fetch_fault = error_code & PFERR_FETCH_MASK;
        struct guest_walker walker;
        u64 *sptep;
        int write_pt = 0;
        int r;
        pfn_t pfn;
        int level = PT_PAGE_TABLE_LEVEL;
+        int force_pt_level;
        unsigned long mmu_seq;
+        bool map_writable;
        pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
-        kvm_mmu_audit(vcpu, "pre page fault");
        r = mmu_topup_memory_caches(vcpu);
        if (r)
@@ -439,27 +592,36 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
        /*
         * Look up the guest pte for the faulting address.
         */
-        r = FNAME(walk_addr)(&walker, vcpu, addr, write_fault, user_fault,
+        r = FNAME(walk_addr)(&walker, vcpu, addr, error_code);
-                             fetch_fault);
        /*
         * The page is not mapped by the guest.  Let the guest handle it.
         */
        if (!r) {
                pgprintk("%s: guest page fault\n", __func__);
-                inject_page_fault(vcpu, addr, walker.error_code);
+                if (!prefault) {
-                vcpu->arch.last_pt_write_count = 0; /* reset fork detector */
+                        inject_page_fault(vcpu, &walker.fault);
+                        /* reset fork detector */
+                        vcpu->arch.last_pt_write_count = 0;
+                }
                return 0;
        }
-        if (walker.level >= PT_DIRECTORY_LEVEL) {
+        if (walker.level >= PT_DIRECTORY_LEVEL)
+                force_pt_level = mapping_level_dirty_bitmap(vcpu, walker.gfn);
+        else
+                force_pt_level = 1;
+        if (!force_pt_level) {
                level = min(walker.level, mapping_level(vcpu, walker.gfn));
                walker.gfn = walker.gfn & ~(KVM_PAGES_PER_HPAGE(level) - 1);
        }
        mmu_seq = vcpu->kvm->mmu_notifier_seq;
        smp_rmb();
-        pfn = gfn_to_pfn(vcpu->kvm, walker.gfn);
+        if (try_async_pf(vcpu, prefault, walker.gfn, addr, &pfn, write_fault,
+                         &map_writable))
+                return 0;
        /* mmio */
        if (is_error_pfn(pfn))
@@ -468,9 +630,13 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu, mmu_seq))
                goto out_unlock;
+        trace_kvm_mmu_audit(vcpu, AUDIT_PRE_PAGE_FAULT);
        kvm_mmu_free_some_pages(vcpu);
+        if (!force_pt_level)
+                transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
        sptep = FNAME(fetch)(vcpu, addr, &walker, user_fault, write_fault,
-                             level, &write_pt, pfn);
+                             level, &write_pt, pfn, map_writable, prefault);
        (void)sptep;
        pgprintk("%s: shadow pte %p %llx ptwrite %d\n", __func__,
                 sptep, *sptep, write_pt);
@@ -479,7 +645,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr,
                vcpu->arch.last_pt_write_count = 0; /* reset fork detector */
        ++vcpu->stat.pf_fixed;
-        kvm_mmu_audit(vcpu, "post page fault (fixed)");
+        trace_kvm_mmu_audit(vcpu, AUDIT_POST_PAGE_FAULT);
        spin_unlock(&vcpu->kvm->mmu_lock);
        return write_pt;
@@ -550,22 +716,38 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
 }
 static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr, u32 access,
-                               u32 *error)
+                               struct x86_exception *exception)
+{
+        struct guest_walker walker;
+        gpa_t gpa = UNMAPPED_GVA;
+        int r;
+        r = FNAME(walk_addr)(&walker, vcpu, vaddr, access);
+        if (r) {
+                gpa = gfn_to_gpa(walker.gfn);
+                gpa |= vaddr & ~PAGE_MASK;
+        } else if (exception)
+                *exception = walker.fault;
+        return gpa;
+}
+static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gva_t vaddr,
+                                      u32 access,
+                                      struct x86_exception *exception)
 {
        struct guest_walker walker;
        gpa_t gpa = UNMAPPED_GVA;
        int r;
-        r = FNAME(walk_addr)(&walker, vcpu, vaddr,
+        r = FNAME(walk_addr_nested)(&walker, vcpu, vaddr, access);
-                             !!(access & PFERR_WRITE_MASK),
-                             !!(access & PFERR_USER_MASK),
-                             !!(access & PFERR_FETCH_MASK));
        if (r) {
                gpa = gfn_to_gpa(walker.gfn);
                gpa |= vaddr & ~PAGE_MASK;
-        } else if (error)
+        } else if (exception)
-                *error = walker.error_code;
+                *exception = walker.fault;
        return gpa;
 }
@@ -604,12 +786,19 @@ static void FNAME(prefetch_page)(struct kvm_vcpu *vcpu,
 * Using the cached information from sp->gfns is safe because:
 * - The spte has a reference to the struct page, so the pfn for a given gfn
 *   can't change unless all sptes pointing to it are nuked first.
+ *
+ * Note:
+ *   We should flush all tlbs if spte is dropped even though guest is
+ *   responsible for it. Since if we don't, kvm_mmu_notifier_invalidate_page
+ *   and kvm_mmu_notifier_invalidate_range_start detect the mapping page isn't
+ *   used by guest then tlbs are not flushed, so guest is allowed to access the
+ *   freed pages.
+ *   And we increase kvm->tlbs_dirty to delay tlbs flush in this case.
 */
-static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
+static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
-                            bool clear_unsync)
 {
        int i, offset, nr_present;
-        bool reset_host_protection;
+        bool host_writable;
        gpa_t first_pte_gpa;
        offset = nr_present = 0;
@@ -638,31 +827,27 @@ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
                        return -EINVAL;
                gfn = gpte_to_gfn(gpte);
-                if (is_rsvd_bits_set(vcpu, gpte, PT_PAGE_TABLE_LEVEL)
-                      || gfn != sp->gfns[i] || !is_present_gpte(gpte)
-                      || !(gpte & PT_ACCESSED_MASK)) {
-                        u64 nonpresent;
-                        if (is_present_gpte(gpte) || !clear_unsync)
+                if (FNAME(prefetch_invalid_gpte)(vcpu, sp, &sp->spt[i], gpte)) {
-                                nonpresent = shadow_trap_nonpresent_pte;
+                        vcpu->kvm->tlbs_dirty++;
-                        else
+                        continue;
-                                nonpresent = shadow_notrap_nonpresent_pte;
+                }
-                        drop_spte(vcpu->kvm, &sp->spt[i], nonpresent);
+                if (gfn != sp->gfns[i]) {
+                        drop_spte(vcpu->kvm, &sp->spt[i],
+                                      shadow_trap_nonpresent_pte);
+                        vcpu->kvm->tlbs_dirty++;
                        continue;
                }
                nr_present++;
                pte_access = sp->role.access & FNAME(gpte_access)(vcpu, gpte);
-                if (!(sp->spt[i] & SPTE_HOST_WRITEABLE)) {
+                host_writable = sp->spt[i] & SPTE_HOST_WRITEABLE;
-                        pte_access &= ~ACC_WRITE_MASK;
-                        reset_host_protection = 0;
-                } else {
-                        reset_host_protection = 1;
-                }
                set_spte(vcpu, &sp->spt[i], pte_access, 0, 0,
                         is_dirty_gpte(gpte), PT_PAGE_TABLE_LEVEL, gfn,
                         spte_to_pfn(sp->spt[i]), true, false,
-                         reset_host_protection);
+                         host_writable);
        }
        return !nr_present;
@@ -673,7 +858,6 @@ static int FNAME(sync_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
 #undef FNAME
 #undef PT_BASE_ADDR_MASK
 #undef PT_INDEX
-#undef PT_LEVEL_MASK
 #undef PT_LVL_ADDR_MASK
 #undef PT_LVL_OFFSET_MASK
 #undef PT_LEVEL_BITS
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 8a3f9f64f86f..506e4fe23adc 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4,7 +4,7 @@
 * AMD SVM support
 *
 * Copyright (C) 2006 Qumranet, Inc.
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Yaniv Kamay  <yaniv@qumranet.com>
@@ -31,6 +31,7 @@
 #include <asm/tlbflush.h>
 #include <asm/desc.h>
+#include <asm/kvm_para.h>
 #include <asm/virtext.h>
 #include "trace.h"
@@ -50,6 +51,10 @@ MODULE_LICENSE("GPL");
 #define SVM_FEATURE_LBRV           (1 <<  1)
 #define SVM_FEATURE_SVML           (1 <<  2)
 #define SVM_FEATURE_NRIP           (1 <<  3)
+#define SVM_FEATURE_TSC_RATE       (1 <<  4)
+#define SVM_FEATURE_VMCB_CLEAN     (1 <<  5)
+#define SVM_FEATURE_FLUSH_ASID     (1 <<  6)
+#define SVM_FEATURE_DECODE_ASSIST  (1 <<  7)
 #define SVM_FEATURE_PAUSE_FILTER   (1 << 10)
 #define NESTED_EXIT_HOST        0       /* Exit handled on host level */
@@ -58,6 +63,10 @@ MODULE_LICENSE("GPL");
 #define DEBUGCTL_RESERVED_BITS (~(0x3fULL))
+#define TSC_RATIO_RSVD          0xffffff0000000000ULL
+#define TSC_RATIO_MIN           0x0000000000000001ULL
+#define TSC_RATIO_MAX           0x000000ffffffffffULL
 static bool erratum_383_found __read_mostly;
 static const u32 host_save_user_msrs[] = {
@@ -89,13 +98,13 @@ struct nested_state {
        bool exit_required;
        /* cache for intercepts of the guest */
-        u16 intercept_cr_read;
+        u32 intercept_cr;
-        u16 intercept_cr_write;
+        u32 intercept_dr;
-        u16 intercept_dr_read;
-        u16 intercept_dr_write;
        u32 intercept_exceptions;
        u64 intercept;
+        /* Nested Paging related state */
+        u64 nested_cr3;
 };
 #define MSRPM_OFFSETS   16
@@ -113,18 +122,31 @@ struct vcpu_svm {
        u64 next_rip;
        u64 host_user_msrs[NR_HOST_SAVE_USER_MSRS];
-        u64 host_gs_base;
+        struct {
+                u16 fs;
+                u16 gs;
+                u16 ldt;
+                u64 gs_base;
+        } host;
        u32 *msrpm;
+        ulong nmi_iret_rip;
        struct nested_state nested;
        bool nmi_singlestep;
        unsigned int3_injected;
        unsigned long int3_rip;
+        u32 apf_reason;
+        u64  tsc_ratio;
 };
+static DEFINE_PER_CPU(u64, current_tsc_ratio);
+#define TSC_RATIO_DEFAULT       0x0100000000ULL
 #define MSR_INVALID                     0xffffffffU
 static struct svm_direct_access_msrs {
@@ -169,15 +191,153 @@ static int nested_svm_intercept(struct vcpu_svm *svm);
 static int nested_svm_vmexit(struct vcpu_svm *svm);
 static int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
                                      bool has_error_code, u32 error_code);
+static u64 __scale_tsc(u64 ratio, u64 tsc);
+enum {
+        VMCB_INTERCEPTS, /* Intercept vectors, TSC offset,
+                            pause filter count */
+        VMCB_PERM_MAP,   /* IOPM Base and MSRPM Base */
+        VMCB_ASID,       /* ASID */
+        VMCB_INTR,       /* int_ctl, int_vector */
+        VMCB_NPT,        /* npt_en, nCR3, gPAT */
+        VMCB_CR,         /* CR0, CR3, CR4, EFER */
+        VMCB_DR,         /* DR6, DR7 */
+        VMCB_DT,         /* GDT, IDT */
+        VMCB_SEG,        /* CS, DS, SS, ES, CPL */
+        VMCB_CR2,        /* CR2 only */
+        VMCB_LBR,        /* DBGCTL, BR_FROM, BR_TO, LAST_EX_FROM, LAST_EX_TO */
+        VMCB_DIRTY_MAX,
+};
+/* TPR and CR2 are always written before VMRUN */
+#define VMCB_ALWAYS_DIRTY_MASK  ((1U << VMCB_INTR) | (1U << VMCB_CR2))
+static inline void mark_all_dirty(struct vmcb *vmcb)
+{
+        vmcb->control.clean = 0;
+}
+static inline void mark_all_clean(struct vmcb *vmcb)
+{
+        vmcb->control.clean = ((1 << VMCB_DIRTY_MAX) - 1)
+                               & ~VMCB_ALWAYS_DIRTY_MASK;
+}
+static inline void mark_dirty(struct vmcb *vmcb, int bit)
+{
+        vmcb->control.clean &= ~(1 << bit);
+}
 static inline struct vcpu_svm *to_svm(struct kvm_vcpu *vcpu)
 {
        return container_of(vcpu, struct vcpu_svm, vcpu);
 }
-static inline bool is_nested(struct vcpu_svm *svm)
+static void recalc_intercepts(struct vcpu_svm *svm)
+{
+        struct vmcb_control_area *c, *h;
+        struct nested_state *g;
+        mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+        if (!is_guest_mode(&svm->vcpu))
+                return;
+        c = &svm->vmcb->control;
+        h = &svm->nested.hsave->control;
+        g = &svm->nested;
+        c->intercept_cr = h->intercept_cr | g->intercept_cr;
+        c->intercept_dr = h->intercept_dr | g->intercept_dr;
+        c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
+        c->intercept = h->intercept | g->intercept;
+}
+static inline struct vmcb *get_host_vmcb(struct vcpu_svm *svm)
+{
+        if (is_guest_mode(&svm->vcpu))
+                return svm->nested.hsave;
+        else
+                return svm->vmcb;
+}
+static inline void set_cr_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_cr |= (1U << bit);
+        recalc_intercepts(svm);
+}
+static inline void clr_cr_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_cr &= ~(1U << bit);
+        recalc_intercepts(svm);
+}
+static inline bool is_cr_intercept(struct vcpu_svm *svm, int bit)
 {
-        return svm->nested.vmcb;
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        return vmcb->control.intercept_cr & (1U << bit);
+}
+static inline void set_dr_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_dr |= (1U << bit);
+        recalc_intercepts(svm);
+}
+static inline void clr_dr_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_dr &= ~(1U << bit);
+        recalc_intercepts(svm);
+}
+static inline void set_exception_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_exceptions |= (1U << bit);
+        recalc_intercepts(svm);
+}
+static inline void clr_exception_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept_exceptions &= ~(1U << bit);
+        recalc_intercepts(svm);
+}
+static inline void set_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept |= (1ULL << bit);
+        recalc_intercepts(svm);
+}
+static inline void clr_intercept(struct vcpu_svm *svm, int bit)
+{
+        struct vmcb *vmcb = get_host_vmcb(svm);
+        vmcb->control.intercept &= ~(1ULL << bit);
+        recalc_intercepts(svm);
 }
 static inline void enable_gif(struct vcpu_svm *svm)
@@ -218,7 +378,6 @@ struct svm_cpu_data {
 };
 static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
-static uint32_t svm_features;
 struct svm_init_data {
        int cpu;
@@ -254,11 +413,6 @@ static u32 svm_msrpm_offset(u32 msr)
 #define MAX_INST_SIZE 15
-static inline u32 svm_has(u32 feat)
-{
-        return svm_features & feat;
-}
 static inline void clgi(void)
 {
        asm volatile (__ex(SVM_CLGI));
@@ -274,14 +428,13 @@ static inline void invlpga(unsigned long addr, u32 asid)
        asm volatile (__ex(SVM_INVLPGA) : : "a"(addr), "c"(asid));
 }
-static inline void force_new_asid(struct kvm_vcpu *vcpu)
+static int get_npt_level(void)
-{
-        to_svm(vcpu)->asid_generation--;
-}
-static inline void flush_guest_tlb(struct kvm_vcpu *vcpu)
 {
-        force_new_asid(vcpu);
+#ifdef CONFIG_X86_64
+        return PT64_ROOT_LEVEL;
+#else
+        return PT32E_ROOT_LEVEL;
+#endif
 }
 static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)
@@ -291,6 +444,7 @@ static void svm_set_efer(struct kvm_vcpu *vcpu, u64 efer)
                efer &= ~EFER_LME;
        to_svm(vcpu)->vmcb->save.efer = efer | EFER_SVME;
+        mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);
 }
 static int is_external_interrupt(u32 info)
@@ -328,7 +482,7 @@ static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
                svm->next_rip = svm->vmcb->control.next_rip;
        if (!svm->next_rip) {
-                if (emulate_instruction(vcpu, 0, 0, EMULTYPE_SKIP) !=
+                if (emulate_instruction(vcpu, EMULTYPE_SKIP) !=
                                EMULATE_DONE)
                        printk(KERN_DEBUG "%s: NOP\n", __func__);
                return;
@@ -355,7 +509,7 @@ static void svm_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
            nested_svm_check_exception(svm, nr, has_error_code, error_code))
                return;
-        if (nr == BP_VECTOR && !svm_has(SVM_FEATURE_NRIP)) {
+        if (nr == BP_VECTOR && !static_cpu_has(X86_FEATURE_NRIPS)) {
                unsigned long rip, old_rip = kvm_rip_read(&svm->vcpu);
                /*
@@ -416,6 +570,10 @@ static int has_svm(void)
 static void svm_hardware_disable(void *garbage)
 {
+        /* Make sure we clean up behind us */
+        if (static_cpu_has(X86_FEATURE_TSCRATEMSR))
+                wrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);
        cpu_svm_disable();
 }
@@ -457,6 +615,11 @@ static int svm_hardware_enable(void *garbage)
        wrmsrl(MSR_VM_HSAVE_PA, page_to_pfn(sd->save_area) << PAGE_SHIFT);
+        if (static_cpu_has(X86_FEATURE_TSCRATEMSR)) {
+                wrmsrl(MSR_AMD64_TSC_RATIO, TSC_RATIO_DEFAULT);
+                __get_cpu_var(current_tsc_ratio) = TSC_RATIO_DEFAULT;
+        }
        svm_init_erratum_383();
        return 0;
@@ -638,6 +801,23 @@ static __init int svm_hardware_setup(void)
        if (boot_cpu_has(X86_FEATURE_FXSR_OPT))
                kvm_enable_efer_bits(EFER_FFXSR);
+        if (boot_cpu_has(X86_FEATURE_TSCRATEMSR)) {
+                u64 max;
+                kvm_has_tsc_control = true;
+                /*
+                 * Make sure the user can only configure tsc_khz values that
+                 * fit into a signed integer.
+                 * A min value is not calculated needed because it will always
+                 * be 1 on all machines and a value of 0 is used to disable
+                 * tsc-scaling for the vcpu.
+                 */
+                max = min(0x7fffffffULL, __scale_tsc(tsc_khz, TSC_RATIO_MAX));
+                kvm_max_guest_tsc_khz = max;
+        }
        if (nested) {
                printk(KERN_INFO "kvm: Nested Virtualization enabled\n");
                kvm_enable_efer_bits(EFER_SVME | EFER_LMSLE);
@@ -649,9 +829,7 @@ static __init int svm_hardware_setup(void)
                        goto err;
        }
-        svm_features = cpuid_edx(SVM_CPUID_FUNC);
+        if (!boot_cpu_has(X86_FEATURE_NPT))
-        if (!svm_has(SVM_FEATURE_NPT))
                npt_enabled = false;
        if (npt_enabled && !npt) {
@@ -701,68 +879,161 @@ static void init_sys_seg(struct vmcb_seg *seg, uint32_t type)
        seg->base = 0;
 }
+static u64 __scale_tsc(u64 ratio, u64 tsc)
+{
+        u64 mult, frac, _tsc;
+        mult  = ratio >> 32;
+        frac  = ratio & ((1ULL << 32) - 1);
+        _tsc  = tsc;
+        _tsc *= mult;
+        _tsc += (tsc >> 32) * frac;
+        _tsc += ((tsc & ((1ULL << 32) - 1)) * frac) >> 32;
+        return _tsc;
+}
+static u64 svm_scale_tsc(struct kvm_vcpu *vcpu, u64 tsc)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        u64 _tsc = tsc;
+        if (svm->tsc_ratio != TSC_RATIO_DEFAULT)
+                _tsc = __scale_tsc(svm->tsc_ratio, tsc);
+        return _tsc;
+}
+static void svm_set_tsc_khz(struct kvm_vcpu *vcpu, u32 user_tsc_khz)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        u64 ratio;
+        u64 khz;
+        /* TSC scaling supported? */
+        if (!boot_cpu_has(X86_FEATURE_TSCRATEMSR))
+                return;
+        /* TSC-Scaling disabled or guest TSC same frequency as host TSC? */
+        if (user_tsc_khz == 0) {
+                vcpu->arch.virtual_tsc_khz = 0;
+                svm->tsc_ratio = TSC_RATIO_DEFAULT;
+                return;
+        }
+        khz = user_tsc_khz;
+        /* TSC scaling required  - calculate ratio */
+        ratio = khz << 32;
+        do_div(ratio, tsc_khz);
+        if (ratio == 0 || ratio & TSC_RATIO_RSVD) {
+                WARN_ONCE(1, "Invalid TSC ratio - virtual-tsc-khz=%u\n",
+                                user_tsc_khz);
+                return;
+        }
+        vcpu->arch.virtual_tsc_khz = user_tsc_khz;
+        svm->tsc_ratio             = ratio;
+}
+static void svm_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        u64 g_tsc_offset = 0;
+        if (is_guest_mode(vcpu)) {
+                g_tsc_offset = svm->vmcb->control.tsc_offset -
+                               svm->nested.hsave->control.tsc_offset;
+                svm->nested.hsave->control.tsc_offset = offset;
+        }
+        svm->vmcb->control.tsc_offset = offset + g_tsc_offset;
+        mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+}
+static void svm_adjust_tsc_offset(struct kvm_vcpu *vcpu, s64 adjustment)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        svm->vmcb->control.tsc_offset += adjustment;
+        if (is_guest_mode(vcpu))
+                svm->nested.hsave->control.tsc_offset += adjustment;
+        mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
+}
+static u64 svm_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)
+{
+        u64 tsc;
+        tsc = svm_scale_tsc(vcpu, native_read_tsc());
+        return target_tsc - tsc;
+}
 static void init_vmcb(struct vcpu_svm *svm)
 {
        struct vmcb_control_area *control = &svm->vmcb->control;
        struct vmcb_save_area *save = &svm->vmcb->save;
        svm->vcpu.fpu_active = 1;
+        svm->vcpu.arch.hflags = 0;
-        control->intercept_cr_read =    INTERCEPT_CR0_MASK |
+        set_cr_intercept(svm, INTERCEPT_CR0_READ);
-                                        INTERCEPT_CR3_MASK |
+        set_cr_intercept(svm, INTERCEPT_CR3_READ);
-                                        INTERCEPT_CR4_MASK;
+        set_cr_intercept(svm, INTERCEPT_CR4_READ);
+        set_cr_intercept(svm, INTERCEPT_CR0_WRITE);
-        control->intercept_cr_write =   INTERCEPT_CR0_MASK |
+        set_cr_intercept(svm, INTERCEPT_CR3_WRITE);
-                                        INTERCEPT_CR3_MASK |
+        set_cr_intercept(svm, INTERCEPT_CR4_WRITE);
-                                        INTERCEPT_CR4_MASK |
+        set_cr_intercept(svm, INTERCEPT_CR8_WRITE);
-                                        INTERCEPT_CR8_MASK;
+        set_dr_intercept(svm, INTERCEPT_DR0_READ);
-        control->intercept_dr_read =    INTERCEPT_DR0_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR1_READ);
-                                        INTERCEPT_DR1_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR2_READ);
-                                        INTERCEPT_DR2_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR3_READ);
-                                        INTERCEPT_DR3_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR4_READ);
-                                        INTERCEPT_DR4_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR5_READ);
-                                        INTERCEPT_DR5_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR6_READ);
-                                        INTERCEPT_DR6_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR7_READ);
-                                        INTERCEPT_DR7_MASK;
+        set_dr_intercept(svm, INTERCEPT_DR0_WRITE);
-        control->intercept_dr_write =   INTERCEPT_DR0_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR1_WRITE);
-                                        INTERCEPT_DR1_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR2_WRITE);
-                                        INTERCEPT_DR2_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR3_WRITE);
-                                        INTERCEPT_DR3_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR4_WRITE);
-                                        INTERCEPT_DR4_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR5_WRITE);
-                                        INTERCEPT_DR5_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR6_WRITE);
-                                        INTERCEPT_DR6_MASK |
+        set_dr_intercept(svm, INTERCEPT_DR7_WRITE);
-                                        INTERCEPT_DR7_MASK;
+        set_exception_intercept(svm, PF_VECTOR);
-        control->intercept_exceptions = (1 << PF_VECTOR) |
+        set_exception_intercept(svm, UD_VECTOR);
-                                        (1 << UD_VECTOR) |
+        set_exception_intercept(svm, MC_VECTOR);
-                                        (1 << MC_VECTOR);
+        set_intercept(svm, INTERCEPT_INTR);
+        set_intercept(svm, INTERCEPT_NMI);
-        control->intercept =    (1ULL << INTERCEPT_INTR) |
+        set_intercept(svm, INTERCEPT_SMI);
-                                (1ULL << INTERCEPT_NMI) |
+        set_intercept(svm, INTERCEPT_SELECTIVE_CR0);
-                                (1ULL << INTERCEPT_SMI) |
+        set_intercept(svm, INTERCEPT_CPUID);
-                                (1ULL << INTERCEPT_SELECTIVE_CR0) |
+        set_intercept(svm, INTERCEPT_INVD);
-                                (1ULL << INTERCEPT_CPUID) |
+        set_intercept(svm, INTERCEPT_HLT);
-                                (1ULL << INTERCEPT_INVD) |
+        set_intercept(svm, INTERCEPT_INVLPG);
-                                (1ULL << INTERCEPT_HLT) |
+        set_intercept(svm, INTERCEPT_INVLPGA);
-                                (1ULL << INTERCEPT_INVLPG) |
+        set_intercept(svm, INTERCEPT_IOIO_PROT);
-                                (1ULL << INTERCEPT_INVLPGA) |
+        set_intercept(svm, INTERCEPT_MSR_PROT);
-                                (1ULL << INTERCEPT_IOIO_PROT) |
+        set_intercept(svm, INTERCEPT_TASK_SWITCH);
-                                (1ULL << INTERCEPT_MSR_PROT) |
+        set_intercept(svm, INTERCEPT_SHUTDOWN);
-                                (1ULL << INTERCEPT_TASK_SWITCH) |
+        set_intercept(svm, INTERCEPT_VMRUN);
-                                (1ULL << INTERCEPT_SHUTDOWN) |
+        set_intercept(svm, INTERCEPT_VMMCALL);
-                                (1ULL << INTERCEPT_VMRUN) |
+        set_intercept(svm, INTERCEPT_VMLOAD);
-                                (1ULL << INTERCEPT_VMMCALL) |
+        set_intercept(svm, INTERCEPT_VMSAVE);
-                                (1ULL << INTERCEPT_VMLOAD) |
+        set_intercept(svm, INTERCEPT_STGI);
-                                (1ULL << INTERCEPT_VMSAVE) |
+        set_intercept(svm, INTERCEPT_CLGI);
-                                (1ULL << INTERCEPT_STGI) |
+        set_intercept(svm, INTERCEPT_SKINIT);
-                                (1ULL << INTERCEPT_CLGI) |
+        set_intercept(svm, INTERCEPT_WBINVD);
-                                (1ULL << INTERCEPT_SKINIT) |
+        set_intercept(svm, INTERCEPT_MONITOR);
-                                (1ULL << INTERCEPT_WBINVD) |
+        set_intercept(svm, INTERCEPT_MWAIT);
-                                (1ULL << INTERCEPT_MONITOR) |
+        set_intercept(svm, INTERCEPT_XSETBV);
-                                (1ULL << INTERCEPT_MWAIT);
        control->iopm_base_pa = iopm_base;
        control->msrpm_base_pa = __pa(svm->msrpm);
@@ -793,10 +1064,10 @@ static void init_vmcb(struct vcpu_svm *svm)
        init_sys_seg(&save->ldtr, SEG_TYPE_LDT);
        init_sys_seg(&save->tr, SEG_TYPE_BUSY_TSS16);
-        save->efer = EFER_SVME;
+        svm_set_efer(&svm->vcpu, 0);
        save->dr6 = 0xffff0ff0;
        save->dr7 = 0x400;
-        save->rflags = 2;
+        kvm_set_rflags(&svm->vcpu, 2);
        save->rip = 0x0000fff0;
        svm->vcpu.arch.regs[VCPU_REGS_RIP] = save->rip;
@@ -804,8 +1075,8 @@ static void init_vmcb(struct vcpu_svm *svm)
         * This is the guest-visible cr0 value.
         * svm_set_cr0() sets PG and WP and clears NW and CD on save->cr0.
         */
-        svm->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
+        svm->vcpu.arch.cr0 = 0;
-        (void)kvm_set_cr0(&svm->vcpu, svm->vcpu.arch.cr0);
+        (void)kvm_set_cr0(&svm->vcpu, X86_CR0_NW | X86_CR0_CD | X86_CR0_ET);
        save->cr4 = X86_CR4_PAE;
        /* rdx = ?? */
@@ -813,25 +1084,27 @@ static void init_vmcb(struct vcpu_svm *svm)
        if (npt_enabled) {
                /* Setup VMCB for Nested Paging */
                control->nested_ctl = 1;
-                control->intercept &= ~((1ULL << INTERCEPT_TASK_SWITCH) |
+                clr_intercept(svm, INTERCEPT_TASK_SWITCH);
-                                        (1ULL << INTERCEPT_INVLPG));
+                clr_intercept(svm, INTERCEPT_INVLPG);
-                control->intercept_exceptions &= ~(1 << PF_VECTOR);
+                clr_exception_intercept(svm, PF_VECTOR);
-                control->intercept_cr_read &= ~INTERCEPT_CR3_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR3_READ);
-                control->intercept_cr_write &= ~INTERCEPT_CR3_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR3_WRITE);
                save->g_pat = 0x0007040600070406ULL;
                save->cr3 = 0;
                save->cr4 = 0;
        }
-        force_new_asid(&svm->vcpu);
+        svm->asid_generation = 0;
        svm->nested.vmcb = 0;
        svm->vcpu.arch.hflags = 0;
-        if (svm_has(SVM_FEATURE_PAUSE_FILTER)) {
+        if (boot_cpu_has(X86_FEATURE_PAUSEFILTER)) {
                control->pause_filter_count = 3000;
-                control->intercept |= (1ULL << INTERCEPT_PAUSE);
+                set_intercept(svm, INTERCEPT_PAUSE);
        }
+        mark_all_dirty(svm->vmcb);
        enable_gif(svm);
 }
@@ -867,6 +1140,8 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id)
                goto out;
        }
+        svm->tsc_ratio = TSC_RATIO_DEFAULT;
        err = kvm_vcpu_init(&svm->vcpu, kvm, id);
        if (err)
                goto free_svm;
@@ -901,7 +1176,7 @@ static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id)
        svm->vmcb_pa = page_to_pfn(page) << PAGE_SHIFT;
        svm->asid_generation = 0;
        init_vmcb(svm);
-        svm->vmcb->control.tsc_offset = 0-native_read_tsc();
+        kvm_write_tsc(&svm->vcpu, 0);
        err = fx_init(&svm->vcpu);
        if (err)
@@ -947,25 +1222,25 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
        int i;
        if (unlikely(cpu != vcpu->cpu)) {
-                u64 delta;
-                if (check_tsc_unstable()) {
-                        /*
-                         * Make sure that the guest sees a monotonically
-                         * increasing TSC.
-                         */
-                        delta = vcpu->arch.host_tsc - native_read_tsc();
-                        svm->vmcb->control.tsc_offset += delta;
-                        if (is_nested(svm))
-                                svm->nested.hsave->control.tsc_offset += delta;
-                }
-                vcpu->cpu = cpu;
-                kvm_migrate_timers(vcpu);
                svm->asid_generation = 0;
+                mark_all_dirty(svm->vmcb);
        }
+#ifdef CONFIG_X86_64
+        rdmsrl(MSR_GS_BASE, to_svm(vcpu)->host.gs_base);
+#endif
+        savesegment(fs, svm->host.fs);
+        savesegment(gs, svm->host.gs);
+        svm->host.ldt = kvm_read_ldt();
        for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
                rdmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);
+        if (static_cpu_has(X86_FEATURE_TSCRATEMSR) &&
+            svm->tsc_ratio != __get_cpu_var(current_tsc_ratio)) {
+                __get_cpu_var(current_tsc_ratio) = svm->tsc_ratio;
+                wrmsrl(MSR_AMD64_TSC_RATIO, svm->tsc_ratio);
+        }
 }
 static void svm_vcpu_put(struct kvm_vcpu *vcpu)
@@ -974,10 +1249,18 @@ static void svm_vcpu_put(struct kvm_vcpu *vcpu)
        int i;
        ++vcpu->stat.host_state_reload;
+        kvm_load_ldt(svm->host.ldt);
+#ifdef CONFIG_X86_64
+        loadsegment(fs, svm->host.fs);
+        wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
+        load_gs_index(svm->host.gs);
+#else
+#ifdef CONFIG_X86_32_LAZY_GS
+        loadsegment(gs, svm->host.gs);
+#endif
+#endif
        for (i = 0; i < NR_HOST_SAVE_USER_MSRS; i++)
                wrmsrl(host_save_user_msrs[i], svm->host_user_msrs[i]);
-        vcpu->arch.host_tsc = native_read_tsc();
 }
 static unsigned long svm_get_rflags(struct kvm_vcpu *vcpu)
@@ -995,7 +1278,7 @@ static void svm_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
        switch (reg) {
        case VCPU_EXREG_PDPTR:
                BUG_ON(!npt_enabled);
-                load_pdptrs(vcpu, vcpu->arch.cr3);
+                load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
                break;
        default:
                BUG();
@@ -1004,12 +1287,12 @@ static void svm_cache_reg(struct kvm_vcpu *vcpu, enum kvm_reg reg)
 static void svm_set_vintr(struct vcpu_svm *svm)
 {
-        svm->vmcb->control.intercept |= 1ULL << INTERCEPT_VINTR;
+        set_intercept(svm, INTERCEPT_VINTR);
 }
 static void svm_clear_vintr(struct vcpu_svm *svm)
 {
-        svm->vmcb->control.intercept &= ~(1ULL << INTERCEPT_VINTR);
+        clr_intercept(svm, INTERCEPT_VINTR);
 }
 static struct vmcb_seg *svm_seg(struct kvm_vcpu *vcpu, int seg)
@@ -1124,6 +1407,7 @@ static void svm_set_idt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
        svm->vmcb->save.idtr.limit = dt->size;
        svm->vmcb->save.idtr.base = dt->address ;
+        mark_dirty(svm->vmcb, VMCB_DT);
 }
 static void svm_get_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
@@ -1140,19 +1424,23 @@ static void svm_set_gdt(struct kvm_vcpu *vcpu, struct desc_ptr *dt)
        svm->vmcb->save.gdtr.limit = dt->size;
        svm->vmcb->save.gdtr.base = dt->address ;
+        mark_dirty(svm->vmcb, VMCB_DT);
 }
 static void svm_decache_cr0_guest_bits(struct kvm_vcpu *vcpu)
 {
 }
+static void svm_decache_cr3(struct kvm_vcpu *vcpu)
+{
+}
 static void svm_decache_cr4_guest_bits(struct kvm_vcpu *vcpu)
 {
 }
 static void update_cr0_intercept(struct vcpu_svm *svm)
 {
-        struct vmcb *vmcb = svm->vmcb;
        ulong gcr0 = svm->vcpu.arch.cr0;
        u64 *hcr0 = &svm->vmcb->save.cr0;
@@ -1162,27 +1450,14 @@ static void update_cr0_intercept(struct vcpu_svm *svm)
                *hcr0 = (*hcr0 & ~SVM_CR0_SELECTIVE_MASK)
                        | (gcr0 & SVM_CR0_SELECTIVE_MASK);
+        mark_dirty(svm->vmcb, VMCB_CR);
        if (gcr0 == *hcr0 && svm->vcpu.fpu_active) {
-                vmcb->control.intercept_cr_read &= ~INTERCEPT_CR0_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR0_READ);
-                vmcb->control.intercept_cr_write &= ~INTERCEPT_CR0_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR0_WRITE);
-                if (is_nested(svm)) {
-                        struct vmcb *hsave = svm->nested.hsave;
-                        hsave->control.intercept_cr_read  &= ~INTERCEPT_CR0_MASK;
-                        hsave->control.intercept_cr_write &= ~INTERCEPT_CR0_MASK;
-                        vmcb->control.intercept_cr_read  |= svm->nested.intercept_cr_read;
-                        vmcb->control.intercept_cr_write |= svm->nested.intercept_cr_write;
-                }
        } else {
-                svm->vmcb->control.intercept_cr_read |= INTERCEPT_CR0_MASK;
+                set_cr_intercept(svm, INTERCEPT_CR0_READ);
-                svm->vmcb->control.intercept_cr_write |= INTERCEPT_CR0_MASK;
+                set_cr_intercept(svm, INTERCEPT_CR0_WRITE);
-                if (is_nested(svm)) {
-                        struct vmcb *hsave = svm->nested.hsave;
-                        hsave->control.intercept_cr_read |= INTERCEPT_CR0_MASK;
-                        hsave->control.intercept_cr_write |= INTERCEPT_CR0_MASK;
-                }
        }
 }
@@ -1190,27 +1465,6 @@ static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        if (is_nested(svm)) {
-                /*
-                 * We are here because we run in nested mode, the host kvm
-                 * intercepts cr0 writes but the l1 hypervisor does not.
-                 * But the L1 hypervisor may intercept selective cr0 writes.
-                 * This needs to be checked here.
-                 */
-                unsigned long old, new;
-                /* Remove bits that would trigger a real cr0 write intercept */
-                old = vcpu->arch.cr0 & SVM_CR0_SELECTIVE_MASK;
-                new = cr0 & SVM_CR0_SELECTIVE_MASK;
-                if (old == new) {
-                        /* cr0 write with ts and mp unchanged */
-                        svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
-                        if (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE)
-                                return;
-                }
-        }
 #ifdef CONFIG_X86_64
        if (vcpu->arch.efer & EFER_LME) {
                if (!is_paging(vcpu) && (cr0 & X86_CR0_PG)) {
@@ -1238,6 +1492,7 @@ static void svm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
         */
        cr0 &= ~(X86_CR0_CD | X86_CR0_NW);
        svm->vmcb->save.cr0 = cr0;
+        mark_dirty(svm->vmcb, VMCB_CR);
        update_cr0_intercept(svm);
 }
@@ -1247,13 +1502,14 @@ static void svm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
        unsigned long old_cr4 = to_svm(vcpu)->vmcb->save.cr4;
        if (npt_enabled && ((old_cr4 ^ cr4) & X86_CR4_PGE))
-                force_new_asid(vcpu);
+                svm_flush_tlb(vcpu);
        vcpu->arch.cr4 = cr4;
        if (!npt_enabled)
                cr4 |= X86_CR4_PAE;
        cr4 |= host_cr4_mce;
        to_svm(vcpu)->vmcb->save.cr4 = cr4;
+        mark_dirty(to_svm(vcpu)->vmcb, VMCB_CR);
 }
 static void svm_set_segment(struct kvm_vcpu *vcpu,
@@ -1282,26 +1538,25 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
                        = (svm->vmcb->save.cs.attrib
                           >> SVM_SELECTOR_DPL_SHIFT) & 3;
+        mark_dirty(svm->vmcb, VMCB_SEG);
 }
 static void update_db_intercept(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        svm->vmcb->control.intercept_exceptions &=
+        clr_exception_intercept(svm, DB_VECTOR);
-                ~((1 << DB_VECTOR) | (1 << BP_VECTOR));
+        clr_exception_intercept(svm, BP_VECTOR);
        if (svm->nmi_singlestep)
-                svm->vmcb->control.intercept_exceptions |= (1 << DB_VECTOR);
+                set_exception_intercept(svm, DB_VECTOR);
        if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
                if (vcpu->guest_debug &
                    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-                        svm->vmcb->control.intercept_exceptions |=
+                        set_exception_intercept(svm, DB_VECTOR);
-                                1 << DB_VECTOR;
                if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
-                        svm->vmcb->control.intercept_exceptions |=
+                        set_exception_intercept(svm, BP_VECTOR);
-                                1 << BP_VECTOR;
        } else
                vcpu->guest_debug = 0;
 }
@@ -1315,21 +1570,9 @@ static void svm_guest_debug(struct kvm_vcpu *vcpu, struct kvm_guest_debug *dbg)
        else
                svm->vmcb->save.dr7 = vcpu->arch.dr7;
-        update_db_intercept(vcpu);
+        mark_dirty(svm->vmcb, VMCB_DR);
-}
-static void load_host_msrs(struct kvm_vcpu *vcpu)
-{
-#ifdef CONFIG_X86_64
-        wrmsrl(MSR_GS_BASE, to_svm(vcpu)->host_gs_base);
-#endif
-}
-static void save_host_msrs(struct kvm_vcpu *vcpu)
+        update_db_intercept(vcpu);
-{
-#ifdef CONFIG_X86_64
-        rdmsrl(MSR_GS_BASE, to_svm(vcpu)->host_gs_base);
-#endif
 }
 static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
@@ -1342,6 +1585,8 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
        svm->asid_generation = sd->asid_generation;
        svm->vmcb->control.asid = sd->next_asid++;
+        mark_dirty(svm->vmcb, VMCB_ASID);
 }
 static void svm_set_dr7(struct kvm_vcpu *vcpu, unsigned long value)
@@ -1349,20 +1594,40 @@ static void svm_set_dr7(struct kvm_vcpu *vcpu, unsigned long value)
        struct vcpu_svm *svm = to_svm(vcpu);
        svm->vmcb->save.dr7 = value;
+        mark_dirty(svm->vmcb, VMCB_DR);
 }
 static int pf_interception(struct vcpu_svm *svm)
 {
-        u64 fault_address;
+        u64 fault_address = svm->vmcb->control.exit_info_2;
        u32 error_code;
+        int r = 1;
-        fault_address  = svm->vmcb->control.exit_info_2;
+        switch (svm->apf_reason) {
-        error_code = svm->vmcb->control.exit_info_1;
+        default:
+                error_code = svm->vmcb->control.exit_info_1;
-        trace_kvm_page_fault(fault_address, error_code);
-        if (!npt_enabled && kvm_event_needs_reinjection(&svm->vcpu))
+                trace_kvm_page_fault(fault_address, error_code);
-                kvm_mmu_unprotect_page_virt(&svm->vcpu, fault_address);
+                if (!npt_enabled && kvm_event_needs_reinjection(&svm->vcpu))
-        return kvm_mmu_page_fault(&svm->vcpu, fault_address, error_code);
+                        kvm_mmu_unprotect_page_virt(&svm->vcpu, fault_address);
+                r = kvm_mmu_page_fault(&svm->vcpu, fault_address, error_code,
+                        svm->vmcb->control.insn_bytes,
+                        svm->vmcb->control.insn_len);
+                break;
+        case KVM_PV_REASON_PAGE_NOT_PRESENT:
+                svm->apf_reason = 0;
+                local_irq_disable();
+                kvm_async_pf_task_wait(fault_address);
+                local_irq_enable();
+                break;
+        case KVM_PV_REASON_PAGE_READY:
+                svm->apf_reason = 0;
+                local_irq_disable();
+                kvm_async_pf_task_wake(fault_address);
+                local_irq_enable();
+                break;
+        }
+        return r;
 }
 static int db_interception(struct vcpu_svm *svm)
@@ -1410,7 +1675,7 @@ static int ud_interception(struct vcpu_svm *svm)
 {
        int er;
-        er = emulate_instruction(&svm->vcpu, 0, 0, EMULTYPE_TRAP_UD);
+        er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);
        if (er != EMULATE_DONE)
                kvm_queue_exception(&svm->vcpu, UD_VECTOR);
        return 1;
@@ -1419,21 +1684,8 @@ static int ud_interception(struct vcpu_svm *svm)
 static void svm_fpu_activate(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        u32 excp;
-        if (is_nested(svm)) {
-                u32 h_excp, n_excp;
-                h_excp  = svm->nested.hsave->control.intercept_exceptions;
-                n_excp  = svm->nested.intercept_exceptions;
-                h_excp &= ~(1 << NM_VECTOR);
-                excp    = h_excp | n_excp;
-        } else {
-                excp  = svm->vmcb->control.intercept_exceptions;
-                excp &= ~(1 << NM_VECTOR);
-        }
-        svm->vmcb->control.intercept_exceptions = excp;
+        clr_exception_intercept(svm, NM_VECTOR);
        svm->vcpu.fpu_active = 1;
        update_cr0_intercept(svm);
@@ -1540,7 +1792,7 @@ static int io_interception(struct vcpu_svm *svm)
        string = (io_info & SVM_IOIO_STR_MASK) != 0;
        in = (io_info & SVM_IOIO_TYPE_MASK) != 0;
        if (string || in)
-                return emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DONE;
+                return emulate_instruction(vcpu, 0) == EMULATE_DONE;
        port = io_info >> 16;
        size = (io_info & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT;
@@ -1581,6 +1833,56 @@ static int vmmcall_interception(struct vcpu_svm *svm)
        return 1;
 }
+static unsigned long nested_svm_get_tdp_cr3(struct kvm_vcpu *vcpu)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        return svm->nested.nested_cr3;
+}
+static void nested_svm_set_tdp_cr3(struct kvm_vcpu *vcpu,
+                                   unsigned long root)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        svm->vmcb->control.nested_cr3 = root;
+        mark_dirty(svm->vmcb, VMCB_NPT);
+        svm_flush_tlb(vcpu);
+}
+static void nested_svm_inject_npf_exit(struct kvm_vcpu *vcpu,
+                                       struct x86_exception *fault)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        svm->vmcb->control.exit_code = SVM_EXIT_NPF;
+        svm->vmcb->control.exit_code_hi = 0;
+        svm->vmcb->control.exit_info_1 = fault->error_code;
+        svm->vmcb->control.exit_info_2 = fault->address;
+        nested_svm_vmexit(svm);
+}
+static int nested_svm_init_mmu_context(struct kvm_vcpu *vcpu)
+{
+        int r;
+        r = kvm_init_shadow_mmu(vcpu, &vcpu->arch.mmu);
+        vcpu->arch.mmu.set_cr3           = nested_svm_set_tdp_cr3;
+        vcpu->arch.mmu.get_cr3           = nested_svm_get_tdp_cr3;
+        vcpu->arch.mmu.inject_page_fault = nested_svm_inject_npf_exit;
+        vcpu->arch.mmu.shadow_root_level = get_npt_level();
+        vcpu->arch.walk_mmu              = &vcpu->arch.nested_mmu;
+        return r;
+}
+static void nested_svm_uninit_mmu_context(struct kvm_vcpu *vcpu)
+{
+        vcpu->arch.walk_mmu = &vcpu->arch.mmu;
+}
 static int nested_svm_check_permissions(struct vcpu_svm *svm)
 {
        if (!(svm->vcpu.arch.efer & EFER_SVME)
@@ -1602,7 +1904,7 @@ static int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
 {
        int vmexit;
-        if (!is_nested(svm))
+        if (!is_guest_mode(&svm->vcpu))
                return 0;
        svm->vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr;
@@ -1620,7 +1922,7 @@ static int nested_svm_check_exception(struct vcpu_svm *svm, unsigned nr,
 /* This function returns true if it is save to enable the irq window */
 static inline bool nested_svm_intr(struct vcpu_svm *svm)
 {
-        if (!is_nested(svm))
+        if (!is_guest_mode(&svm->vcpu))
                return true;
        if (!(svm->vcpu.arch.hflags & HF_VINTR_MASK))
@@ -1629,6 +1931,14 @@ static inline bool nested_svm_intr(struct vcpu_svm *svm)
        if (!(svm->vcpu.arch.hflags & HF_HIF_MASK))
                return false;
+        /*
+         * if vmexit was already requested (by intercepted exception
+         * for instance) do not overwrite it with "external interrupt"
+         * vmexit.
+         */
+        if (svm->nested.exit_required)
+                return false;
        svm->vmcb->control.exit_code   = SVM_EXIT_INTR;
        svm->vmcb->control.exit_info_1 = 0;
        svm->vmcb->control.exit_info_2 = 0;
@@ -1651,7 +1961,7 @@ static inline bool nested_svm_intr(struct vcpu_svm *svm)
 /* This function returns true if it is save to enable the nmi window */
 static inline bool nested_svm_nmi(struct vcpu_svm *svm)
 {
-        if (!is_nested(svm))
+        if (!is_guest_mode(&svm->vcpu))
                return true;
        if (!(svm->nested.intercept & (1ULL << INTERCEPT_NMI)))
@@ -1750,8 +2060,8 @@ static int nested_svm_exit_special(struct vcpu_svm *svm)
                        return NESTED_EXIT_HOST;
                break;
        case SVM_EXIT_EXCP_BASE + PF_VECTOR:
-                /* When we're shadowing, trap PFs */
+                /* When we're shadowing, trap PFs, but not async PF */
-                if (!npt_enabled)
+                if (!npt_enabled && svm->apf_reason == 0)
                        return NESTED_EXIT_HOST;
                break;
        case SVM_EXIT_EXCP_BASE + NM_VECTOR:
@@ -1779,27 +2089,15 @@ static int nested_svm_intercept(struct vcpu_svm *svm)
        case SVM_EXIT_IOIO:
                vmexit = nested_svm_intercept_ioio(svm);
                break;
-        case SVM_EXIT_READ_CR0 ... SVM_EXIT_READ_CR8: {
+        case SVM_EXIT_READ_CR0 ... SVM_EXIT_WRITE_CR8: {
-                u32 cr_bits = 1 << (exit_code - SVM_EXIT_READ_CR0);
+                u32 bit = 1U << (exit_code - SVM_EXIT_READ_CR0);
-                if (svm->nested.intercept_cr_read & cr_bits)
+                if (svm->nested.intercept_cr & bit)
-                        vmexit = NESTED_EXIT_DONE;
-                break;
-        }
-        case SVM_EXIT_WRITE_CR0 ... SVM_EXIT_WRITE_CR8: {
-                u32 cr_bits = 1 << (exit_code - SVM_EXIT_WRITE_CR0);
-                if (svm->nested.intercept_cr_write & cr_bits)
-                        vmexit = NESTED_EXIT_DONE;
-                break;
-        }
-        case SVM_EXIT_READ_DR0 ... SVM_EXIT_READ_DR7: {
-                u32 dr_bits = 1 << (exit_code - SVM_EXIT_READ_DR0);
-                if (svm->nested.intercept_dr_read & dr_bits)
                        vmexit = NESTED_EXIT_DONE;
                break;
        }
-        case SVM_EXIT_WRITE_DR0 ... SVM_EXIT_WRITE_DR7: {
+        case SVM_EXIT_READ_DR0 ... SVM_EXIT_WRITE_DR7: {
-                u32 dr_bits = 1 << (exit_code - SVM_EXIT_WRITE_DR0);
+                u32 bit = 1U << (exit_code - SVM_EXIT_READ_DR0);
-                if (svm->nested.intercept_dr_write & dr_bits)
+                if (svm->nested.intercept_dr & bit)
                        vmexit = NESTED_EXIT_DONE;
                break;
        }
@@ -1807,6 +2105,10 @@ static int nested_svm_intercept(struct vcpu_svm *svm)
                u32 excp_bits = 1 << (exit_code - SVM_EXIT_EXCP_BASE);
                if (svm->nested.intercept_exceptions & excp_bits)
                        vmexit = NESTED_EXIT_DONE;
+                /* async page fault always cause vmexit */
+                else if ((exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR) &&
+                         svm->apf_reason != 0)
+                        vmexit = NESTED_EXIT_DONE;
                break;
        }
        case SVM_EXIT_ERR: {
@@ -1840,10 +2142,8 @@ static inline void copy_vmcb_control_area(struct vmcb *dst_vmcb, struct vmcb *fr
        struct vmcb_control_area *dst  = &dst_vmcb->control;
        struct vmcb_control_area *from = &from_vmcb->control;
-        dst->intercept_cr_read    = from->intercept_cr_read;
+        dst->intercept_cr         = from->intercept_cr;
-        dst->intercept_cr_write   = from->intercept_cr_write;
+        dst->intercept_dr         = from->intercept_dr;
-        dst->intercept_dr_read    = from->intercept_dr_read;
-        dst->intercept_dr_write   = from->intercept_dr_write;
        dst->intercept_exceptions = from->intercept_exceptions;
        dst->intercept            = from->intercept;
        dst->iopm_base_pa         = from->iopm_base_pa;
@@ -1884,7 +2184,8 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        if (!nested_vmcb)
                return 1;
-        /* Exit nested SVM mode */
+        /* Exit Guest-Mode */
+        leave_guest_mode(&svm->vcpu);
        svm->nested.vmcb = 0;
        /* Give the current vmcb to the guest */
@@ -1896,11 +2197,12 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        nested_vmcb->save.ds     = vmcb->save.ds;
        nested_vmcb->save.gdtr   = vmcb->save.gdtr;
        nested_vmcb->save.idtr   = vmcb->save.idtr;
+        nested_vmcb->save.efer   = svm->vcpu.arch.efer;
        nested_vmcb->save.cr0    = kvm_read_cr0(&svm->vcpu);
-        nested_vmcb->save.cr3    = svm->vcpu.arch.cr3;
+        nested_vmcb->save.cr3    = kvm_read_cr3(&svm->vcpu);
        nested_vmcb->save.cr2    = vmcb->save.cr2;
        nested_vmcb->save.cr4    = svm->vcpu.arch.cr4;
-        nested_vmcb->save.rflags = vmcb->save.rflags;
+        nested_vmcb->save.rflags = kvm_get_rflags(&svm->vcpu);
        nested_vmcb->save.rip    = vmcb->save.rip;
        nested_vmcb->save.rsp    = vmcb->save.rsp;
        nested_vmcb->save.rax    = vmcb->save.rax;
@@ -1917,6 +2219,7 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        nested_vmcb->control.exit_info_2       = vmcb->control.exit_info_2;
        nested_vmcb->control.exit_int_info     = vmcb->control.exit_int_info;
        nested_vmcb->control.exit_int_info_err = vmcb->control.exit_int_info_err;
+        nested_vmcb->control.next_rip          = vmcb->control.next_rip;
        /*
         * If we emulate a VMRUN/#VMEXIT in the same host #vmexit cycle we have
@@ -1947,6 +2250,8 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        kvm_clear_exception_queue(&svm->vcpu);
        kvm_clear_interrupt_queue(&svm->vcpu);
+        svm->nested.nested_cr3 = 0;
        /* Restore selected save entries */
        svm->vmcb->save.es = hsave->save.es;
        svm->vmcb->save.cs = hsave->save.cs;
@@ -1954,7 +2259,7 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        svm->vmcb->save.ds = hsave->save.ds;
        svm->vmcb->save.gdtr = hsave->save.gdtr;
        svm->vmcb->save.idtr = hsave->save.idtr;
-        svm->vmcb->save.rflags = hsave->save.rflags;
+        kvm_set_rflags(&svm->vcpu, hsave->save.rflags);
        svm_set_efer(&svm->vcpu, hsave->save.efer);
        svm_set_cr0(&svm->vcpu, hsave->save.cr0 | X86_CR0_PE);
        svm_set_cr4(&svm->vcpu, hsave->save.cr4);
@@ -1971,8 +2276,11 @@ static int nested_svm_vmexit(struct vcpu_svm *svm)
        svm->vmcb->save.cpl = 0;
        svm->vmcb->control.exit_int_info = 0;
+        mark_all_dirty(svm->vmcb);
        nested_svm_unmap(page);
+        nested_svm_uninit_mmu_context(&svm->vcpu);
        kvm_mmu_reset_context(&svm->vcpu);
        kvm_mmu_load(&svm->vcpu);
@@ -2012,6 +2320,20 @@ static bool nested_svm_vmrun_msrpm(struct vcpu_svm *svm)
        return true;
 }
+static bool nested_vmcb_checks(struct vmcb *vmcb)
+{
+        if ((vmcb->control.intercept & (1ULL << INTERCEPT_VMRUN)) == 0)
+                return false;
+        if (vmcb->control.asid == 0)
+                return false;
+        if (vmcb->control.nested_ctl && !npt_enabled)
+                return false;
+        return true;
+}
 static bool nested_svm_vmrun(struct vcpu_svm *svm)
 {
        struct vmcb *nested_vmcb;
@@ -2026,14 +2348,25 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        if (!nested_vmcb)
                return false;
-        trace_kvm_nested_vmrun(svm->vmcb->save.rip - 3, vmcb_gpa,
+        if (!nested_vmcb_checks(nested_vmcb)) {
+                nested_vmcb->control.exit_code    = SVM_EXIT_ERR;
+                nested_vmcb->control.exit_code_hi = 0;
+                nested_vmcb->control.exit_info_1  = 0;
+                nested_vmcb->control.exit_info_2  = 0;
+                nested_svm_unmap(page);
+                return false;
+        }
+        trace_kvm_nested_vmrun(svm->vmcb->save.rip, vmcb_gpa,
                               nested_vmcb->save.rip,
                               nested_vmcb->control.int_ctl,
                               nested_vmcb->control.event_inj,
                               nested_vmcb->control.nested_ctl);
-        trace_kvm_nested_intercepts(nested_vmcb->control.intercept_cr_read,
+        trace_kvm_nested_intercepts(nested_vmcb->control.intercept_cr & 0xffff,
-                                    nested_vmcb->control.intercept_cr_write,
+                                    nested_vmcb->control.intercept_cr >> 16,
                                    nested_vmcb->control.intercept_exceptions,
                                    nested_vmcb->control.intercept);
@@ -2054,22 +2387,28 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        hsave->save.efer   = svm->vcpu.arch.efer;
        hsave->save.cr0    = kvm_read_cr0(&svm->vcpu);
        hsave->save.cr4    = svm->vcpu.arch.cr4;
-        hsave->save.rflags = vmcb->save.rflags;
+        hsave->save.rflags = kvm_get_rflags(&svm->vcpu);
-        hsave->save.rip    = svm->next_rip;
+        hsave->save.rip    = kvm_rip_read(&svm->vcpu);
        hsave->save.rsp    = vmcb->save.rsp;
        hsave->save.rax    = vmcb->save.rax;
        if (npt_enabled)
                hsave->save.cr3    = vmcb->save.cr3;
        else
-                hsave->save.cr3    = svm->vcpu.arch.cr3;
+                hsave->save.cr3    = kvm_read_cr3(&svm->vcpu);
        copy_vmcb_control_area(hsave, vmcb);
-        if (svm->vmcb->save.rflags & X86_EFLAGS_IF)
+        if (kvm_get_rflags(&svm->vcpu) & X86_EFLAGS_IF)
                svm->vcpu.arch.hflags |= HF_HIF_MASK;
        else
                svm->vcpu.arch.hflags &= ~HF_HIF_MASK;
+        if (nested_vmcb->control.nested_ctl) {
+                kvm_mmu_unload(&svm->vcpu);
+                svm->nested.nested_cr3 = nested_vmcb->control.nested_cr3;
+                nested_svm_init_mmu_context(&svm->vcpu);
+        }
        /* Load the nested guest state */
        svm->vmcb->save.es = nested_vmcb->save.es;
        svm->vmcb->save.cs = nested_vmcb->save.cs;
@@ -2077,7 +2416,7 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        svm->vmcb->save.ds = nested_vmcb->save.ds;
        svm->vmcb->save.gdtr = nested_vmcb->save.gdtr;
        svm->vmcb->save.idtr = nested_vmcb->save.idtr;
-        svm->vmcb->save.rflags = nested_vmcb->save.rflags;
+        kvm_set_rflags(&svm->vcpu, nested_vmcb->save.rflags);
        svm_set_efer(&svm->vcpu, nested_vmcb->save.efer);
        svm_set_cr0(&svm->vcpu, nested_vmcb->save.cr0);
        svm_set_cr4(&svm->vcpu, nested_vmcb->save.cr4);
@@ -2107,14 +2446,12 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        svm->nested.vmcb_iopm  = nested_vmcb->control.iopm_base_pa  & ~0x0fffULL;
        /* cache intercepts */
-        svm->nested.intercept_cr_read    = nested_vmcb->control.intercept_cr_read;
+        svm->nested.intercept_cr         = nested_vmcb->control.intercept_cr;
-        svm->nested.intercept_cr_write   = nested_vmcb->control.intercept_cr_write;
+        svm->nested.intercept_dr         = nested_vmcb->control.intercept_dr;
-        svm->nested.intercept_dr_read    = nested_vmcb->control.intercept_dr_read;
-        svm->nested.intercept_dr_write   = nested_vmcb->control.intercept_dr_write;
        svm->nested.intercept_exceptions = nested_vmcb->control.intercept_exceptions;
        svm->nested.intercept            = nested_vmcb->control.intercept;
-        force_new_asid(&svm->vcpu);
+        svm_flush_tlb(&svm->vcpu);
        svm->vmcb->control.int_ctl = nested_vmcb->control.int_ctl | V_INTR_MASKING_MASK;
        if (nested_vmcb->control.int_ctl & V_INTR_MASKING_MASK)
                svm->vcpu.arch.hflags |= HF_VINTR_MASK;
@@ -2123,29 +2460,12 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        if (svm->vcpu.arch.hflags & HF_VINTR_MASK) {
                /* We only want the cr8 intercept bits of the guest */
-                svm->vmcb->control.intercept_cr_read &= ~INTERCEPT_CR8_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR8_READ);
-                svm->vmcb->control.intercept_cr_write &= ~INTERCEPT_CR8_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR8_WRITE);
        }
        /* We don't want to see VMMCALLs from a nested guest */
-        svm->vmcb->control.intercept &= ~(1ULL << INTERCEPT_VMMCALL);
+        clr_intercept(svm, INTERCEPT_VMMCALL);
-        /*
-         * We don't want a nested guest to be more powerful than the guest, so
-         * all intercepts are ORed
-         */
-        svm->vmcb->control.intercept_cr_read |=
-                nested_vmcb->control.intercept_cr_read;
-        svm->vmcb->control.intercept_cr_write |=
-                nested_vmcb->control.intercept_cr_write;
-        svm->vmcb->control.intercept_dr_read |=
-                nested_vmcb->control.intercept_dr_read;
-        svm->vmcb->control.intercept_dr_write |=
-                nested_vmcb->control.intercept_dr_write;
-        svm->vmcb->control.intercept_exceptions |=
-                nested_vmcb->control.intercept_exceptions;
-        svm->vmcb->control.intercept |= nested_vmcb->control.intercept;
        svm->vmcb->control.lbr_ctl = nested_vmcb->control.lbr_ctl;
        svm->vmcb->control.int_vector = nested_vmcb->control.int_vector;
@@ -2156,11 +2476,21 @@ static bool nested_svm_vmrun(struct vcpu_svm *svm)
        nested_svm_unmap(page);
-        /* nested_vmcb is our indicator if nested SVM is activated */
+        /* Enter Guest-Mode */
+        enter_guest_mode(&svm->vcpu);
+        /*
+         * Merge guest and host intercepts - must be called  with vcpu in
+         * guest-mode to take affect here
+         */
+        recalc_intercepts(svm);
        svm->nested.vmcb = vmcb_gpa;
        enable_gif(svm);
+        mark_all_dirty(svm->vmcb);
        return true;
 }
@@ -2188,13 +2518,13 @@ static int vmload_interception(struct vcpu_svm *svm)
        if (nested_svm_check_permissions(svm))
                return 1;
-        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
-        skip_emulated_instruction(&svm->vcpu);
        nested_vmcb = nested_svm_map(svm, svm->vmcb->save.rax, &page);
        if (!nested_vmcb)
                return 1;
+        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
+        skip_emulated_instruction(&svm->vcpu);
        nested_svm_vmloadsave(nested_vmcb, svm->vmcb);
        nested_svm_unmap(page);
@@ -2209,13 +2539,13 @@ static int vmsave_interception(struct vcpu_svm *svm)
        if (nested_svm_check_permissions(svm))
                return 1;
-        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
-        skip_emulated_instruction(&svm->vcpu);
        nested_vmcb = nested_svm_map(svm, svm->vmcb->save.rax, &page);
        if (!nested_vmcb)
                return 1;
+        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
+        skip_emulated_instruction(&svm->vcpu);
        nested_svm_vmloadsave(svm->vmcb, nested_vmcb);
        nested_svm_unmap(page);
@@ -2227,8 +2557,8 @@ static int vmrun_interception(struct vcpu_svm *svm)
        if (nested_svm_check_permissions(svm))
                return 1;
-        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
+        /* Save rip after vmrun instruction */
-        skip_emulated_instruction(&svm->vcpu);
+        kvm_rip_write(&svm->vcpu, kvm_rip_read(&svm->vcpu) + 3);
        if (!nested_svm_vmrun(svm))
                return 1;
@@ -2257,6 +2587,7 @@ static int stgi_interception(struct vcpu_svm *svm)
        svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
        skip_emulated_instruction(&svm->vcpu);
+        kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
        enable_gif(svm);
@@ -2277,6 +2608,8 @@ static int clgi_interception(struct vcpu_svm *svm)
        svm_clear_vintr(svm);
        svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
+        mark_dirty(svm->vmcb, VMCB_INTR);
        return 1;
 }
@@ -2303,6 +2636,19 @@ static int skinit_interception(struct vcpu_svm *svm)
        return 1;
 }
+static int xsetbv_interception(struct vcpu_svm *svm)
+{
+        u64 new_bv = kvm_read_edx_eax(&svm->vcpu);
+        u32 index = kvm_register_read(&svm->vcpu, VCPU_REGS_RCX);
+        if (kvm_set_xcr(&svm->vcpu, index, new_bv) == 0) {
+                svm->next_rip = kvm_rip_read(&svm->vcpu) + 3;
+                skip_emulated_instruction(&svm->vcpu);
+        }
+        return 1;
+}
 static int invalid_op_interception(struct vcpu_svm *svm)
 {
        kvm_queue_exception(&svm->vcpu, UD_VECTOR);
@@ -2384,34 +2730,162 @@ static int cpuid_interception(struct vcpu_svm *svm)
 static int iret_interception(struct vcpu_svm *svm)
 {
        ++svm->vcpu.stat.nmi_window_exits;
-        svm->vmcb->control.intercept &= ~(1ULL << INTERCEPT_IRET);
+        clr_intercept(svm, INTERCEPT_IRET);
        svm->vcpu.arch.hflags |= HF_IRET_MASK;
+        svm->nmi_iret_rip = kvm_rip_read(&svm->vcpu);
        return 1;
 }
 static int invlpg_interception(struct vcpu_svm *svm)
 {
-        return emulate_instruction(&svm->vcpu, 0, 0, 0) == EMULATE_DONE;
+        if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
+                return emulate_instruction(&svm->vcpu, 0) == EMULATE_DONE;
+        kvm_mmu_invlpg(&svm->vcpu, svm->vmcb->control.exit_info_1);
+        skip_emulated_instruction(&svm->vcpu);
+        return 1;
 }
 static int emulate_on_interception(struct vcpu_svm *svm)
 {
-        return emulate_instruction(&svm->vcpu, 0, 0, 0) == EMULATE_DONE;
+        return emulate_instruction(&svm->vcpu, 0) == EMULATE_DONE;
+}
+bool check_selective_cr0_intercepted(struct vcpu_svm *svm, unsigned long val)
+{
+        unsigned long cr0 = svm->vcpu.arch.cr0;
+        bool ret = false;
+        u64 intercept;
+        intercept = svm->nested.intercept;
+        if (!is_guest_mode(&svm->vcpu) ||
+            (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0))))
+                return false;
+        cr0 &= ~SVM_CR0_SELECTIVE_MASK;
+        val &= ~SVM_CR0_SELECTIVE_MASK;
+        if (cr0 ^ val) {
+                svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+                ret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);
+        }
+        return ret;
+}
+#define CR_VALID (1ULL << 63)
+static int cr_interception(struct vcpu_svm *svm)
+{
+        int reg, cr;
+        unsigned long val;
+        int err;
+        if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
+                return emulate_on_interception(svm);
+        if (unlikely((svm->vmcb->control.exit_info_1 & CR_VALID) == 0))
+                return emulate_on_interception(svm);
+        reg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;
+        cr = svm->vmcb->control.exit_code - SVM_EXIT_READ_CR0;
+        err = 0;
+        if (cr >= 16) { /* mov to cr */
+                cr -= 16;
+                val = kvm_register_read(&svm->vcpu, reg);
+                switch (cr) {
+                case 0:
+                        if (!check_selective_cr0_intercepted(svm, val))
+                                err = kvm_set_cr0(&svm->vcpu, val);
+                        else
+                                return 1;
+                        break;
+                case 3:
+                        err = kvm_set_cr3(&svm->vcpu, val);
+                        break;
+                case 4:
+                        err = kvm_set_cr4(&svm->vcpu, val);
+                        break;
+                case 8:
+                        err = kvm_set_cr8(&svm->vcpu, val);
+                        break;
+                default:
+                        WARN(1, "unhandled write to CR%d", cr);
+                        kvm_queue_exception(&svm->vcpu, UD_VECTOR);
+                        return 1;
+                }
+        } else { /* mov from cr */
+                switch (cr) {
+                case 0:
+                        val = kvm_read_cr0(&svm->vcpu);
+                        break;
+                case 2:
+                        val = svm->vcpu.arch.cr2;
+                        break;
+                case 3:
+                        val = kvm_read_cr3(&svm->vcpu);
+                        break;
+                case 4:
+                        val = kvm_read_cr4(&svm->vcpu);
+                        break;
+                case 8:
+                        val = kvm_get_cr8(&svm->vcpu);
+                        break;
+                default:
+                        WARN(1, "unhandled read from CR%d", cr);
+                        kvm_queue_exception(&svm->vcpu, UD_VECTOR);
+                        return 1;
+                }
+                kvm_register_write(&svm->vcpu, reg, val);
+        }
+        kvm_complete_insn_gp(&svm->vcpu, err);
+        return 1;
+}
+static int dr_interception(struct vcpu_svm *svm)
+{
+        int reg, dr;
+        unsigned long val;
+        int err;
+        if (!boot_cpu_has(X86_FEATURE_DECODEASSISTS))
+                return emulate_on_interception(svm);
+        reg = svm->vmcb->control.exit_info_1 & SVM_EXITINFO_REG_MASK;
+        dr = svm->vmcb->control.exit_code - SVM_EXIT_READ_DR0;
+        if (dr >= 16) { /* mov to DRn */
+                val = kvm_register_read(&svm->vcpu, reg);
+                kvm_set_dr(&svm->vcpu, dr - 16, val);
+        } else {
+                err = kvm_get_dr(&svm->vcpu, dr, &val);
+                if (!err)
+                        kvm_register_write(&svm->vcpu, reg, val);
+        }
+        skip_emulated_instruction(&svm->vcpu);
+        return 1;
 }
 static int cr8_write_interception(struct vcpu_svm *svm)
 {
        struct kvm_run *kvm_run = svm->vcpu.run;
+        int r;
        u8 cr8_prev = kvm_get_cr8(&svm->vcpu);
        /* instruction emulation calls kvm_set_cr8() */
-        emulate_instruction(&svm->vcpu, 0, 0, 0);
+        r = cr_interception(svm);
        if (irqchip_in_kernel(svm->vcpu.kvm)) {
-                svm->vmcb->control.intercept_cr_write &= ~INTERCEPT_CR8_MASK;
+                clr_cr_intercept(svm, INTERCEPT_CR8_WRITE);
-                return 1;
+                return r;
        }
        if (cr8_prev <= kvm_get_cr8(&svm->vcpu))
-                return 1;
+                return r;
        kvm_run->exit_reason = KVM_EXIT_SET_TPR;
        return 0;
 }
@@ -2422,14 +2896,11 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 *data)
        switch (ecx) {
        case MSR_IA32_TSC: {
-                u64 tsc_offset;
+                struct vmcb *vmcb = get_host_vmcb(svm);
-                if (is_nested(svm))
+                *data = vmcb->control.tsc_offset +
-                        tsc_offset = svm->nested.hsave->control.tsc_offset;
+                        svm_scale_tsc(vcpu, native_read_tsc());
-                else
-                        tsc_offset = svm->vmcb->control.tsc_offset;
-                *data = tsc_offset + native_read_tsc();
                break;
        }
        case MSR_STAR:
@@ -2542,20 +3013,9 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
        struct vcpu_svm *svm = to_svm(vcpu);
        switch (ecx) {
-        case MSR_IA32_TSC: {
+        case MSR_IA32_TSC:
-                u64 tsc_offset = data - native_read_tsc();
+                kvm_write_tsc(vcpu, data);
-                u64 g_tsc_offset = 0;
-                if (is_nested(svm)) {
-                        g_tsc_offset = svm->vmcb->control.tsc_offset -
-                                       svm->nested.hsave->control.tsc_offset;
-                        svm->nested.hsave->control.tsc_offset = tsc_offset;
-                }
-                svm->vmcb->control.tsc_offset = tsc_offset + g_tsc_offset;
                break;
-        }
        case MSR_STAR:
                svm->vmcb->save.star = data;
                break;
@@ -2585,7 +3045,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
                svm->vmcb->save.sysenter_esp = data;
                break;
        case MSR_IA32_DEBUGCTLMSR:
-                if (!svm_has(SVM_FEATURE_LBRV)) {
+                if (!boot_cpu_has(X86_FEATURE_LBRV)) {
                        pr_unimpl(vcpu, "%s: MSR_IA32_DEBUGCTL 0x%llx, nop\n",
                                        __func__, data);
                        break;
@@ -2594,6 +3054,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 data)
                        return 1;
                svm->vmcb->save.dbgctl = data;
+                mark_dirty(svm->vmcb, VMCB_LBR);
                if (data & (1ULL<<0))
                        svm_enable_lbrv(svm);
                else
@@ -2643,8 +3104,10 @@ static int interrupt_window_interception(struct vcpu_svm *svm)
 {
        struct kvm_run *kvm_run = svm->vcpu.run;
+        kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
        svm_clear_vintr(svm);
        svm->vmcb->control.int_ctl &= ~V_IRQ_MASK;
+        mark_dirty(svm->vmcb, VMCB_INTR);
        /*
         * If the user space waits to inject interrupts, exit as soon as
         * possible
@@ -2667,31 +3130,31 @@ static int pause_interception(struct vcpu_svm *svm)
 }
 static int (*svm_exit_handlers[])(struct vcpu_svm *svm) = {
-        [SVM_EXIT_READ_CR0]                     = emulate_on_interception,
+        [SVM_EXIT_READ_CR0]                     = cr_interception,
-        [SVM_EXIT_READ_CR3]                     = emulate_on_interception,
+        [SVM_EXIT_READ_CR3]                     = cr_interception,
-        [SVM_EXIT_READ_CR4]                     = emulate_on_interception,
+        [SVM_EXIT_READ_CR4]                     = cr_interception,
-        [SVM_EXIT_READ_CR8]                     = emulate_on_interception,
+        [SVM_EXIT_READ_CR8]                     = cr_interception,
        [SVM_EXIT_CR0_SEL_WRITE]                = emulate_on_interception,
-        [SVM_EXIT_WRITE_CR0]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_CR0]                    = cr_interception,
-        [SVM_EXIT_WRITE_CR3]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_CR3]                    = cr_interception,
-        [SVM_EXIT_WRITE_CR4]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_CR4]                    = cr_interception,
        [SVM_EXIT_WRITE_CR8]                    = cr8_write_interception,
-        [SVM_EXIT_READ_DR0]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR0]                     = dr_interception,
-        [SVM_EXIT_READ_DR1]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR1]                     = dr_interception,
-        [SVM_EXIT_READ_DR2]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR2]                     = dr_interception,
-        [SVM_EXIT_READ_DR3]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR3]                     = dr_interception,
-        [SVM_EXIT_READ_DR4]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR4]                     = dr_interception,
-        [SVM_EXIT_READ_DR5]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR5]                     = dr_interception,
-        [SVM_EXIT_READ_DR6]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR6]                     = dr_interception,
-        [SVM_EXIT_READ_DR7]                     = emulate_on_interception,
+        [SVM_EXIT_READ_DR7]                     = dr_interception,
-        [SVM_EXIT_WRITE_DR0]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR0]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR1]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR1]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR2]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR2]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR3]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR3]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR4]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR4]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR5]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR5]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR6]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR6]                    = dr_interception,
-        [SVM_EXIT_WRITE_DR7]                    = emulate_on_interception,
+        [SVM_EXIT_WRITE_DR7]                    = dr_interception,
        [SVM_EXIT_EXCP_BASE + DB_VECTOR]        = db_interception,
        [SVM_EXIT_EXCP_BASE + BP_VECTOR]        = bp_interception,
        [SVM_EXIT_EXCP_BASE + UD_VECTOR]        = ud_interception,
@@ -2724,100 +3187,121 @@ static int (*svm_exit_handlers[])(struct vcpu_svm *svm) = {
        [SVM_EXIT_WBINVD]                       = emulate_on_interception,
        [SVM_EXIT_MONITOR]                      = invalid_op_interception,
        [SVM_EXIT_MWAIT]                        = invalid_op_interception,
+        [SVM_EXIT_XSETBV]                       = xsetbv_interception,
        [SVM_EXIT_NPF]                          = pf_interception,
 };
-void dump_vmcb(struct kvm_vcpu *vcpu)
+static void dump_vmcb(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
        struct vmcb_control_area *control = &svm->vmcb->control;
        struct vmcb_save_area *save = &svm->vmcb->save;
        pr_err("VMCB Control Area:\n");
-        pr_err("cr_read:            %04x\n", control->intercept_cr_read);
+        pr_err("%-20s%04x\n", "cr_read:", control->intercept_cr & 0xffff);
-        pr_err("cr_write:           %04x\n", control->intercept_cr_write);
+        pr_err("%-20s%04x\n", "cr_write:", control->intercept_cr >> 16);
-        pr_err("dr_read:            %04x\n", control->intercept_dr_read);
+        pr_err("%-20s%04x\n", "dr_read:", control->intercept_dr & 0xffff);
-        pr_err("dr_write:           %04x\n", control->intercept_dr_write);
+        pr_err("%-20s%04x\n", "dr_write:", control->intercept_dr >> 16);
-        pr_err("exceptions:         %08x\n", control->intercept_exceptions);
+        pr_err("%-20s%08x\n", "exceptions:", control->intercept_exceptions);
-        pr_err("intercepts:         %016llx\n", control->intercept);
+        pr_err("%-20s%016llx\n", "intercepts:", control->intercept);
-        pr_err("pause filter count: %d\n", control->pause_filter_count);
+        pr_err("%-20s%d\n", "pause filter count:", control->pause_filter_count);
-        pr_err("iopm_base_pa:       %016llx\n", control->iopm_base_pa);
+        pr_err("%-20s%016llx\n", "iopm_base_pa:", control->iopm_base_pa);
-        pr_err("msrpm_base_pa:      %016llx\n", control->msrpm_base_pa);
+        pr_err("%-20s%016llx\n", "msrpm_base_pa:", control->msrpm_base_pa);
-        pr_err("tsc_offset:         %016llx\n", control->tsc_offset);
+        pr_err("%-20s%016llx\n", "tsc_offset:", control->tsc_offset);
-        pr_err("asid:               %d\n", control->asid);
+        pr_err("%-20s%d\n", "asid:", control->asid);
-        pr_err("tlb_ctl:            %d\n", control->tlb_ctl);
+        pr_err("%-20s%d\n", "tlb_ctl:", control->tlb_ctl);
-        pr_err("int_ctl:            %08x\n", control->int_ctl);
+        pr_err("%-20s%08x\n", "int_ctl:", control->int_ctl);
-        pr_err("int_vector:         %08x\n", control->int_vector);
+        pr_err("%-20s%08x\n", "int_vector:", control->int_vector);
-        pr_err("int_state:          %08x\n", control->int_state);
+        pr_err("%-20s%08x\n", "int_state:", control->int_state);
-        pr_err("exit_code:          %08x\n", control->exit_code);
+        pr_err("%-20s%08x\n", "exit_code:", control->exit_code);
-        pr_err("exit_info1:         %016llx\n", control->exit_info_1);
+        pr_err("%-20s%016llx\n", "exit_info1:", control->exit_info_1);
-        pr_err("exit_info2:         %016llx\n", control->exit_info_2);
+        pr_err("%-20s%016llx\n", "exit_info2:", control->exit_info_2);
-        pr_err("exit_int_info:      %08x\n", control->exit_int_info);
+        pr_err("%-20s%08x\n", "exit_int_info:", control->exit_int_info);
-        pr_err("exit_int_info_err:  %08x\n", control->exit_int_info_err);
+        pr_err("%-20s%08x\n", "exit_int_info_err:", control->exit_int_info_err);
-        pr_err("nested_ctl:         %lld\n", control->nested_ctl);
+        pr_err("%-20s%lld\n", "nested_ctl:", control->nested_ctl);
-        pr_err("nested_cr3:         %016llx\n", control->nested_cr3);
+        pr_err("%-20s%016llx\n", "nested_cr3:", control->nested_cr3);
-        pr_err("event_inj:          %08x\n", control->event_inj);
+        pr_err("%-20s%08x\n", "event_inj:", control->event_inj);
-        pr_err("event_inj_err:      %08x\n", control->event_inj_err);
+        pr_err("%-20s%08x\n", "event_inj_err:", control->event_inj_err);
-        pr_err("lbr_ctl:            %lld\n", control->lbr_ctl);
+        pr_err("%-20s%lld\n", "lbr_ctl:", control->lbr_ctl);
-        pr_err("next_rip:           %016llx\n", control->next_rip);
+        pr_err("%-20s%016llx\n", "next_rip:", control->next_rip);
        pr_err("VMCB State Save Area:\n");
-        pr_err("es:   s: %04x a: %04x l: %08x b: %016llx\n",
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->es.selector, save->es.attrib,
+               "es:",
-                save->es.limit, save->es.base);
+               save->es.selector, save->es.attrib,
-        pr_err("cs:   s: %04x a: %04x l: %08x b: %016llx\n",
+               save->es.limit, save->es.base);
-                save->cs.selector, save->cs.attrib,
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->cs.limit, save->cs.base);
+               "cs:",
-        pr_err("ss:   s: %04x a: %04x l: %08x b: %016llx\n",
+               save->cs.selector, save->cs.attrib,
-                save->ss.selector, save->ss.attrib,
+               save->cs.limit, save->cs.base);
-                save->ss.limit, save->ss.base);
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-        pr_err("ds:   s: %04x a: %04x l: %08x b: %016llx\n",
+               "ss:",
-                save->ds.selector, save->ds.attrib,
+               save->ss.selector, save->ss.attrib,
-                save->ds.limit, save->ds.base);
+               save->ss.limit, save->ss.base);
-        pr_err("fs:   s: %04x a: %04x l: %08x b: %016llx\n",
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->fs.selector, save->fs.attrib,
+               "ds:",
-                save->fs.limit, save->fs.base);
+               save->ds.selector, save->ds.attrib,
-        pr_err("gs:   s: %04x a: %04x l: %08x b: %016llx\n",
+               save->ds.limit, save->ds.base);
-                save->gs.selector, save->gs.attrib,
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->gs.limit, save->gs.base);
+               "fs:",
-        pr_err("gdtr: s: %04x a: %04x l: %08x b: %016llx\n",
+               save->fs.selector, save->fs.attrib,
-                save->gdtr.selector, save->gdtr.attrib,
+               save->fs.limit, save->fs.base);
-                save->gdtr.limit, save->gdtr.base);
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-        pr_err("ldtr: s: %04x a: %04x l: %08x b: %016llx\n",
+               "gs:",
-                save->ldtr.selector, save->ldtr.attrib,
+               save->gs.selector, save->gs.attrib,
-                save->ldtr.limit, save->ldtr.base);
+               save->gs.limit, save->gs.base);
-        pr_err("idtr: s: %04x a: %04x l: %08x b: %016llx\n",
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->idtr.selector, save->idtr.attrib,
+               "gdtr:",
-                save->idtr.limit, save->idtr.base);
+               save->gdtr.selector, save->gdtr.attrib,
-        pr_err("tr:   s: %04x a: %04x l: %08x b: %016llx\n",
+               save->gdtr.limit, save->gdtr.base);
-                save->tr.selector, save->tr.attrib,
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
-                save->tr.limit, save->tr.base);
+               "ldtr:",
+               save->ldtr.selector, save->ldtr.attrib,
+               save->ldtr.limit, save->ldtr.base);
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
+               "idtr:",
+               save->idtr.selector, save->idtr.attrib,
+               save->idtr.limit, save->idtr.base);
+        pr_err("%-5s s: %04x a: %04x l: %08x b: %016llx\n",
+               "tr:",
+               save->tr.selector, save->tr.attrib,
+               save->tr.limit, save->tr.base);
        pr_err("cpl:            %d                efer:         %016llx\n",
                save->cpl, save->efer);
-        pr_err("cr0:            %016llx cr2:          %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->cr0, save->cr2);
+               "cr0:", save->cr0, "cr2:", save->cr2);
-        pr_err("cr3:            %016llx cr4:          %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->cr3, save->cr4);
+               "cr3:", save->cr3, "cr4:", save->cr4);
-        pr_err("dr6:            %016llx dr7:          %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->dr6, save->dr7);
+               "dr6:", save->dr6, "dr7:", save->dr7);
-        pr_err("rip:            %016llx rflags:       %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->rip, save->rflags);
+               "rip:", save->rip, "rflags:", save->rflags);
-        pr_err("rsp:            %016llx rax:          %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->rsp, save->rax);
+               "rsp:", save->rsp, "rax:", save->rax);
-        pr_err("star:           %016llx lstar:        %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->star, save->lstar);
+               "star:", save->star, "lstar:", save->lstar);
-        pr_err("cstar:          %016llx sfmask:       %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->cstar, save->sfmask);
+               "cstar:", save->cstar, "sfmask:", save->sfmask);
-        pr_err("kernel_gs_base: %016llx sysenter_cs:  %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->kernel_gs_base, save->sysenter_cs);
+               "kernel_gs_base:", save->kernel_gs_base,
-        pr_err("sysenter_esp:   %016llx sysenter_eip: %016llx\n",
+               "sysenter_cs:", save->sysenter_cs);
-                save->sysenter_esp, save->sysenter_eip);
+        pr_err("%-15s %016llx %-13s %016llx\n",
-        pr_err("gpat:           %016llx dbgctl:       %016llx\n",
+               "sysenter_esp:", save->sysenter_esp,
-                save->g_pat, save->dbgctl);
+               "sysenter_eip:", save->sysenter_eip);
-        pr_err("br_from:        %016llx br_to:        %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->br_from, save->br_to);
+               "gpat:", save->g_pat, "dbgctl:", save->dbgctl);
-        pr_err("excp_from:      %016llx excp_to:      %016llx\n",
+        pr_err("%-15s %016llx %-13s %016llx\n",
-                save->last_excp_from, save->last_excp_to);
+               "br_from:", save->br_from, "br_to:", save->br_to);
+        pr_err("%-15s %016llx %-13s %016llx\n",
+               "excp_from:", save->last_excp_from,
+               "excp_to:", save->last_excp_to);
+}
+static void svm_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
+{
+        struct vmcb_control_area *control = &to_svm(vcpu)->vmcb->control;
+        *info1 = control->exit_info_1;
+        *info2 = control->exit_info_2;
 }
 static int handle_exit(struct kvm_vcpu *vcpu)
@@ -2826,9 +3310,9 @@ static int handle_exit(struct kvm_vcpu *vcpu)
        struct kvm_run *kvm_run = vcpu->run;
        u32 exit_code = svm->vmcb->control.exit_code;
-        trace_kvm_exit(exit_code, vcpu);
+        trace_kvm_exit(exit_code, vcpu, KVM_ISA_SVM);
-        if (!(svm->vmcb->control.intercept_cr_write & INTERCEPT_CR0_MASK))
+        if (!is_cr_intercept(svm, INTERCEPT_CR0_WRITE))
                vcpu->arch.cr0 = svm->vmcb->save.cr0;
        if (npt_enabled)
                vcpu->arch.cr3 = svm->vmcb->save.cr3;
@@ -2840,7 +3324,7 @@ static int handle_exit(struct kvm_vcpu *vcpu)
                return 1;
        }
-        if (is_nested(svm)) {
+        if (is_guest_mode(vcpu)) {
                int vmexit;
                trace_kvm_nested_vmexit(svm->vmcb->save.rip, exit_code,
@@ -2871,7 +3355,8 @@ static int handle_exit(struct kvm_vcpu *vcpu)
        if (is_external_interrupt(svm->vmcb->control.exit_int_info) &&
            exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&
-            exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH)
+            exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&
+            exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)
                printk(KERN_ERR "%s: unexpected exit_ini_info 0x%x "
                       "exit_code 0x%x\n",
                       __func__, svm->vmcb->control.exit_int_info,
@@ -2902,7 +3387,6 @@ static void pre_svm_run(struct vcpu_svm *svm)
        struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
-        svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
        /* FIXME: handle wraparound of asid_generation */
        if (svm->asid_generation != sd->asid_generation)
                new_asid(svm, sd);
@@ -2914,7 +3398,7 @@ static void svm_inject_nmi(struct kvm_vcpu *vcpu)
        svm->vmcb->control.event_inj = SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_NMI;
        vcpu->arch.hflags |= HF_NMI_MASK;
-        svm->vmcb->control.intercept |= (1ULL << INTERCEPT_IRET);
+        set_intercept(svm, INTERCEPT_IRET);
        ++vcpu->stat.nmi_injections;
 }
@@ -2927,6 +3411,7 @@ static inline void svm_inject_irq(struct vcpu_svm *svm, int irq)
        control->int_ctl &= ~V_INTR_PRIO_MASK;
        control->int_ctl |= V_IRQ_MASK |
                ((/*control->int_vector >> 4*/ 0xf) << V_INTR_PRIO_SHIFT);
+        mark_dirty(svm->vmcb, VMCB_INTR);
 }
 static void svm_set_irq(struct kvm_vcpu *vcpu)
@@ -2946,14 +3431,14 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        if (is_nested(svm) && (vcpu->arch.hflags & HF_VINTR_MASK))
+        if (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))
                return;
        if (irr == -1)
                return;
        if (tpr >= irr)
-                svm->vmcb->control.intercept_cr_write |= INTERCEPT_CR8_MASK;
+                set_cr_intercept(svm, INTERCEPT_CR8_WRITE);
 }
 static int svm_nmi_allowed(struct kvm_vcpu *vcpu)
@@ -2981,10 +3466,10 @@ static void svm_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
        if (masked) {
                svm->vcpu.arch.hflags |= HF_NMI_MASK;
-                svm->vmcb->control.intercept |= (1ULL << INTERCEPT_IRET);
+                set_intercept(svm, INTERCEPT_IRET);
        } else {
                svm->vcpu.arch.hflags &= ~HF_NMI_MASK;
-                svm->vmcb->control.intercept &= ~(1ULL << INTERCEPT_IRET);
+                clr_intercept(svm, INTERCEPT_IRET);
        }
 }
@@ -2998,9 +3483,9 @@ static int svm_interrupt_allowed(struct kvm_vcpu *vcpu)
             (vmcb->control.int_state & SVM_INTERRUPT_SHADOW_MASK))
                return 0;
-        ret = !!(vmcb->save.rflags & X86_EFLAGS_IF);
+        ret = !!(kvm_get_rflags(vcpu) & X86_EFLAGS_IF);
-        if (is_nested(svm))
+        if (is_guest_mode(vcpu))
                return ret && !(svm->vcpu.arch.hflags & HF_VINTR_MASK);
        return ret;
@@ -3046,7 +3531,12 @@ static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
 static void svm_flush_tlb(struct kvm_vcpu *vcpu)
 {
-        force_new_asid(vcpu);
+        struct vcpu_svm *svm = to_svm(vcpu);
+        if (static_cpu_has(X86_FEATURE_FLUSHBYASID))
+                svm->vmcb->control.tlb_ctl = TLB_CONTROL_FLUSH_ASID;
+        else
+                svm->asid_generation--;
 }
 static void svm_prepare_guest_switch(struct kvm_vcpu *vcpu)
@@ -3057,10 +3547,10 @@ static inline void sync_cr8_to_lapic(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        if (is_nested(svm) && (vcpu->arch.hflags & HF_VINTR_MASK))
+        if (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))
                return;
-        if (!(svm->vmcb->control.intercept_cr_write & INTERCEPT_CR8_MASK)) {
+        if (!is_cr_intercept(svm, INTERCEPT_CR8_WRITE)) {
                int cr8 = svm->vmcb->control.int_ctl & V_TPR_MASK;
                kvm_set_cr8(vcpu, cr8);
        }
@@ -3071,7 +3561,7 @@ static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu)
        struct vcpu_svm *svm = to_svm(vcpu);
        u64 cr8;
-        if (is_nested(svm) && (vcpu->arch.hflags & HF_VINTR_MASK))
+        if (is_guest_mode(vcpu) && (vcpu->arch.hflags & HF_VINTR_MASK))
                return;
        cr8 = kvm_get_cr8(vcpu);
@@ -3088,8 +3578,15 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
        svm->int3_injected = 0;
-        if (svm->vcpu.arch.hflags & HF_IRET_MASK)
+        /*
+         * If we've made progress since setting HF_IRET_MASK, we've
+         * executed an IRET and can allow NMI injection.
+         */
+        if ((svm->vcpu.arch.hflags & HF_IRET_MASK)
+            && kvm_rip_read(&svm->vcpu) != svm->nmi_iret_rip) {
                svm->vcpu.arch.hflags &= ~(HF_NMI_MASK | HF_IRET_MASK);
+                kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
+        }
        svm->vcpu.arch.nmi_injected = false;
        kvm_clear_exception_queue(&svm->vcpu);
@@ -3098,6 +3595,8 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
        if (!(exitintinfo & SVM_EXITINTINFO_VALID))
                return;
+        kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
        vector = exitintinfo & SVM_EXITINTINFO_VEC_MASK;
        type = exitintinfo & SVM_EXITINTINFO_TYPE_MASK;
@@ -3134,6 +3633,17 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
        }
 }
+static void svm_cancel_injection(struct kvm_vcpu *vcpu)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        struct vmcb_control_area *control = &svm->vmcb->control;
+        control->exit_int_info = control->event_inj;
+        control->exit_int_info_err = control->event_inj_err;
+        control->event_inj = 0;
+        svm_complete_interrupts(svm);
+}
 #ifdef CONFIG_X86_64
 #define R "r"
 #else
@@ -3143,9 +3653,6 @@ static void svm_complete_interrupts(struct vcpu_svm *svm)
 static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        u16 fs_selector;
-        u16 gs_selector;
-        u16 ldt_selector;
        svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
        svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
@@ -3162,14 +3669,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
        sync_lapic_to_cr8(vcpu);
-        save_host_msrs(vcpu);
-        savesegment(fs, fs_selector);
-        savesegment(gs, gs_selector);
-        ldt_selector = kvm_read_ldt();
        svm->vmcb->save.cr2 = vcpu->arch.cr2;
-        /* required for live migration with NPT */
-        if (npt_enabled)
-                svm->vmcb->save.cr3 = vcpu->arch.cr3;
        clgi();
@@ -3246,31 +3746,44 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
                );
-        vcpu->arch.cr2 = svm->vmcb->save.cr2;
-        vcpu->arch.regs[VCPU_REGS_RAX] = svm->vmcb->save.rax;
-        vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;
-        vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;
-        load_host_msrs(vcpu);
-        loadsegment(fs, fs_selector);
 #ifdef CONFIG_X86_64
-        load_gs_index(gs_selector);
+        wrmsrl(MSR_GS_BASE, svm->host.gs_base);
-        wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
 #else
-        loadsegment(gs, gs_selector);
+        loadsegment(fs, svm->host.fs);
+#ifndef CONFIG_X86_32_LAZY_GS
+        loadsegment(gs, svm->host.gs);
+#endif
 #endif
-        kvm_load_ldt(ldt_selector);
        reload_tss(vcpu);
        local_irq_disable();
+        vcpu->arch.cr2 = svm->vmcb->save.cr2;
+        vcpu->arch.regs[VCPU_REGS_RAX] = svm->vmcb->save.rax;
+        vcpu->arch.regs[VCPU_REGS_RSP] = svm->vmcb->save.rsp;
+        vcpu->arch.regs[VCPU_REGS_RIP] = svm->vmcb->save.rip;
+        if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
+                kvm_before_handle_nmi(&svm->vcpu);
        stgi();
+        /* Any pending NMI will happen here */
+        if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
+                kvm_after_handle_nmi(&svm->vcpu);
        sync_cr8_to_lapic(vcpu);
        svm->next_rip = 0;
+        svm->vmcb->control.tlb_ctl = TLB_CONTROL_DO_NOTHING;
+        /* if exit due to PF check for async PF */
+        if (svm->vmcb->control.exit_code == SVM_EXIT_EXCP_BASE + PF_VECTOR)
+                svm->apf_reason = kvm_read_and_reset_pf_reason();
        if (npt_enabled) {
                vcpu->arch.regs_avail &= ~(1 << VCPU_EXREG_PDPTR);
                vcpu->arch.regs_dirty &= ~(1 << VCPU_EXREG_PDPTR);
@@ -3283,6 +3796,8 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
        if (unlikely(svm->vmcb->control.exit_code ==
                     SVM_EXIT_EXCP_BASE + MC_VECTOR))
                svm_handle_mce(svm);
+        mark_all_clean(svm->vmcb);
 }
 #undef R
@@ -3291,14 +3806,23 @@ static void svm_set_cr3(struct kvm_vcpu *vcpu, unsigned long root)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        if (npt_enabled) {
-                svm->vmcb->control.nested_cr3 = root;
-                force_new_asid(vcpu);
-                return;
-        }
        svm->vmcb->save.cr3 = root;
-        force_new_asid(vcpu);
+        mark_dirty(svm->vmcb, VMCB_CR);
+        svm_flush_tlb(vcpu);
+}
+static void set_tdp_cr3(struct kvm_vcpu *vcpu, unsigned long root)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        svm->vmcb->control.nested_cr3 = root;
+        mark_dirty(svm->vmcb, VMCB_NPT);
+        /* Also sync guest cr3 here in case we live migrate */
+        svm->vmcb->save.cr3 = kvm_read_cr3(vcpu);
+        mark_dirty(svm->vmcb, VMCB_CR);
+        svm_flush_tlb(vcpu);
 }
 static int is_disabled(void)
@@ -3333,15 +3857,6 @@ static bool svm_cpu_has_accelerated_tpr(void)
        return false;
 }
-static int get_npt_level(void)
-{
-#ifdef CONFIG_X86_64
-        return PT64_ROOT_LEVEL;
-#else
-        return PT32E_ROOT_LEVEL;
-#endif
-}
 static u64 svm_get_mt_mask(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio)
 {
        return 0;
@@ -3354,12 +3869,25 @@ static void svm_cpuid_update(struct kvm_vcpu *vcpu)
 static void svm_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
 {
        switch (func) {
+        case 0x80000001:
+                if (nested)
+                        entry->ecx |= (1 << 2); /* Set SVM bit */
+                break;
        case 0x8000000A:
                entry->eax = 1; /* SVM revision 1 */
                entry->ebx = 8; /* Lets support 8 ASIDs in case we add proper
                                   ASID emulation to nested SVM */
                entry->ecx = 0; /* Reserved */
-                entry->edx = 0; /* Do not support any additional features */
+                entry->edx = 0; /* Per default do not support any
+                                   additional features */
+                /* Support next_rip if host supports it */
+                if (boot_cpu_has(X86_FEATURE_NRIPS))
+                        entry->edx |= SVM_FEATURE_NRIP;
+                /* Support NPT for the guest if enabled */
+                if (npt_enabled)
+                        entry->edx |= SVM_FEATURE_NPT;
                break;
        }
@@ -3414,6 +3942,7 @@ static const struct trace_print_flags svm_exit_reasons_str[] = {
        { SVM_EXIT_WBINVD,                      "wbinvd" },
        { SVM_EXIT_MONITOR,                     "monitor" },
        { SVM_EXIT_MWAIT,                       "mwait" },
+        { SVM_EXIT_XSETBV,                      "xsetbv" },
        { SVM_EXIT_NPF,                         "npf" },
        { -1, NULL }
 };
@@ -3437,12 +3966,190 @@ static void svm_fpu_deactivate(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
-        svm->vmcb->control.intercept_exceptions |= 1 << NM_VECTOR;
+        set_exception_intercept(svm, NM_VECTOR);
-        if (is_nested(svm))
-                svm->nested.hsave->control.intercept_exceptions |= 1 << NM_VECTOR;
        update_cr0_intercept(svm);
 }
+#define PRE_EX(exit)  { .exit_code = (exit), \
+                        .stage = X86_ICPT_PRE_EXCEPT, }
+#define POST_EX(exit) { .exit_code = (exit), \
+                        .stage = X86_ICPT_POST_EXCEPT, }
+#define POST_MEM(exit) { .exit_code = (exit), \
+                        .stage = X86_ICPT_POST_MEMACCESS, }
+static struct __x86_intercept {
+        u32 exit_code;
+        enum x86_intercept_stage stage;
+} x86_intercept_map[] = {
+        [x86_intercept_cr_read]         = POST_EX(SVM_EXIT_READ_CR0),
+        [x86_intercept_cr_write]        = POST_EX(SVM_EXIT_WRITE_CR0),
+        [x86_intercept_clts]            = POST_EX(SVM_EXIT_WRITE_CR0),
+        [x86_intercept_lmsw]            = POST_EX(SVM_EXIT_WRITE_CR0),
+        [x86_intercept_smsw]            = POST_EX(SVM_EXIT_READ_CR0),
+        [x86_intercept_dr_read]         = POST_EX(SVM_EXIT_READ_DR0),
+        [x86_intercept_dr_write]        = POST_EX(SVM_EXIT_WRITE_DR0),
+        [x86_intercept_sldt]            = POST_EX(SVM_EXIT_LDTR_READ),
+        [x86_intercept_str]             = POST_EX(SVM_EXIT_TR_READ),
+        [x86_intercept_lldt]            = POST_EX(SVM_EXIT_LDTR_WRITE),
+        [x86_intercept_ltr]             = POST_EX(SVM_EXIT_TR_WRITE),
+        [x86_intercept_sgdt]            = POST_EX(SVM_EXIT_GDTR_READ),
+        [x86_intercept_sidt]            = POST_EX(SVM_EXIT_IDTR_READ),
+        [x86_intercept_lgdt]            = POST_EX(SVM_EXIT_GDTR_WRITE),
+        [x86_intercept_lidt]            = POST_EX(SVM_EXIT_IDTR_WRITE),
+        [x86_intercept_vmrun]           = POST_EX(SVM_EXIT_VMRUN),
+        [x86_intercept_vmmcall]         = POST_EX(SVM_EXIT_VMMCALL),
+        [x86_intercept_vmload]          = POST_EX(SVM_EXIT_VMLOAD),
+        [x86_intercept_vmsave]          = POST_EX(SVM_EXIT_VMSAVE),
+        [x86_intercept_stgi]            = POST_EX(SVM_EXIT_STGI),
+        [x86_intercept_clgi]            = POST_EX(SVM_EXIT_CLGI),
+        [x86_intercept_skinit]          = POST_EX(SVM_EXIT_SKINIT),
+        [x86_intercept_invlpga]         = POST_EX(SVM_EXIT_INVLPGA),
+        [x86_intercept_rdtscp]          = POST_EX(SVM_EXIT_RDTSCP),
+        [x86_intercept_monitor]         = POST_MEM(SVM_EXIT_MONITOR),
+        [x86_intercept_mwait]           = POST_EX(SVM_EXIT_MWAIT),
+        [x86_intercept_invlpg]          = POST_EX(SVM_EXIT_INVLPG),
+        [x86_intercept_invd]            = POST_EX(SVM_EXIT_INVD),
+        [x86_intercept_wbinvd]          = POST_EX(SVM_EXIT_WBINVD),
+        [x86_intercept_wrmsr]           = POST_EX(SVM_EXIT_MSR),
+        [x86_intercept_rdtsc]           = POST_EX(SVM_EXIT_RDTSC),
+        [x86_intercept_rdmsr]           = POST_EX(SVM_EXIT_MSR),
+        [x86_intercept_rdpmc]           = POST_EX(SVM_EXIT_RDPMC),
+        [x86_intercept_cpuid]           = PRE_EX(SVM_EXIT_CPUID),
+        [x86_intercept_rsm]             = PRE_EX(SVM_EXIT_RSM),
+        [x86_intercept_pause]           = PRE_EX(SVM_EXIT_PAUSE),
+        [x86_intercept_pushf]           = PRE_EX(SVM_EXIT_PUSHF),
+        [x86_intercept_popf]            = PRE_EX(SVM_EXIT_POPF),
+        [x86_intercept_intn]            = PRE_EX(SVM_EXIT_SWINT),
+        [x86_intercept_iret]            = PRE_EX(SVM_EXIT_IRET),
+        [x86_intercept_icebp]           = PRE_EX(SVM_EXIT_ICEBP),
+        [x86_intercept_hlt]             = POST_EX(SVM_EXIT_HLT),
+        [x86_intercept_in]              = POST_EX(SVM_EXIT_IOIO),
+        [x86_intercept_ins]             = POST_EX(SVM_EXIT_IOIO),
+        [x86_intercept_out]             = POST_EX(SVM_EXIT_IOIO),
+        [x86_intercept_outs]            = POST_EX(SVM_EXIT_IOIO),
+};
+#undef PRE_EX
+#undef POST_EX
+#undef POST_MEM
+static int svm_check_intercept(struct kvm_vcpu *vcpu,
+                               struct x86_instruction_info *info,
+                               enum x86_intercept_stage stage)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+        int vmexit, ret = X86EMUL_CONTINUE;
+        struct __x86_intercept icpt_info;
+        struct vmcb *vmcb = svm->vmcb;
+        if (info->intercept >= ARRAY_SIZE(x86_intercept_map))
+                goto out;
+        icpt_info = x86_intercept_map[info->intercept];
+        if (stage != icpt_info.stage)
+                goto out;
+        switch (icpt_info.exit_code) {
+        case SVM_EXIT_READ_CR0:
+                if (info->intercept == x86_intercept_cr_read)
+                        icpt_info.exit_code += info->modrm_reg;
+                break;
+        case SVM_EXIT_WRITE_CR0: {
+                unsigned long cr0, val;
+                u64 intercept;
+                if (info->intercept == x86_intercept_cr_write)
+                        icpt_info.exit_code += info->modrm_reg;
+                if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0)
+                        break;
+                intercept = svm->nested.intercept;
+                if (!(intercept & (1ULL << INTERCEPT_SELECTIVE_CR0)))
+                        break;
+                cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
+                val = info->src_val  & ~SVM_CR0_SELECTIVE_MASK;
+                if (info->intercept == x86_intercept_lmsw) {
+                        cr0 &= 0xfUL;
+                        val &= 0xfUL;
+                        /* lmsw can't clear PE - catch this here */
+                        if (cr0 & X86_CR0_PE)
+                                val |= X86_CR0_PE;
+                }
+                if (cr0 ^ val)
+                        icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+                break;
+        }
+        case SVM_EXIT_READ_DR0:
+        case SVM_EXIT_WRITE_DR0:
+                icpt_info.exit_code += info->modrm_reg;
+                break;
+        case SVM_EXIT_MSR:
+                if (info->intercept == x86_intercept_wrmsr)
+                        vmcb->control.exit_info_1 = 1;
+                else
+                        vmcb->control.exit_info_1 = 0;
+                break;
+        case SVM_EXIT_PAUSE:
+                /*
+                 * We get this for NOP only, but pause
+                 * is rep not, check this here
+                 */
+                if (info->rep_prefix != REPE_PREFIX)
+                        goto out;
+        case SVM_EXIT_IOIO: {
+                u64 exit_info;
+                u32 bytes;
+                exit_info = (vcpu->arch.regs[VCPU_REGS_RDX] & 0xffff) << 16;
+                if (info->intercept == x86_intercept_in ||
+                    info->intercept == x86_intercept_ins) {
+                        exit_info |= SVM_IOIO_TYPE_MASK;
+                        bytes = info->src_bytes;
+                } else {
+                        bytes = info->dst_bytes;
+                }
+                if (info->intercept == x86_intercept_outs ||
+                    info->intercept == x86_intercept_ins)
+                        exit_info |= SVM_IOIO_STR_MASK;
+                if (info->rep_prefix)
+                        exit_info |= SVM_IOIO_REP_MASK;
+                bytes = min(bytes, 4u);
+                exit_info |= bytes << SVM_IOIO_SIZE_SHIFT;
+                exit_info |= (u32)info->ad_bytes << (SVM_IOIO_ASIZE_SHIFT - 1);
+                vmcb->control.exit_info_1 = exit_info;
+                vmcb->control.exit_info_2 = info->next_rip;
+                break;
+        }
+        default:
+                break;
+        }
+        vmcb->control.next_rip  = info->next_rip;
+        vmcb->control.exit_code = icpt_info.exit_code;
+        vmexit = nested_svm_exit_handled(svm);
+        ret = (vmexit == NESTED_EXIT_DONE) ? X86EMUL_INTERCEPTED
+                                           : X86EMUL_CONTINUE;
+out:
+        return ret;
+}
 static struct kvm_x86_ops svm_x86_ops = {
        .cpu_has_kvm_support = has_svm,
        .disabled_by_bios = is_disabled,
@@ -3470,6 +4177,7 @@ static struct kvm_x86_ops svm_x86_ops = {
        .get_cpl = svm_get_cpl,
        .get_cs_db_l_bits = kvm_get_cs_db_l_bits,
        .decache_cr0_guest_bits = svm_decache_cr0_guest_bits,
+        .decache_cr3 = svm_decache_cr3,
        .decache_cr4_guest_bits = svm_decache_cr4_guest_bits,
        .set_cr0 = svm_set_cr0,
        .set_cr3 = svm_set_cr3,
@@ -3497,6 +4205,7 @@ static struct kvm_x86_ops svm_x86_ops = {
        .set_irq = svm_set_irq,
        .set_nmi = svm_inject_nmi,
        .queue_exception = svm_queue_exception,
+        .cancel_injection = svm_cancel_injection,
        .interrupt_allowed = svm_interrupt_allowed,
        .nmi_allowed = svm_nmi_allowed,
        .get_nmi_mask = svm_get_nmi_mask,
@@ -3509,7 +4218,9 @@ static struct kvm_x86_ops svm_x86_ops = {
        .get_tdp_level = get_npt_level,
        .get_mt_mask = svm_get_mt_mask,
+        .get_exit_info = svm_get_exit_info,
        .exit_reasons_str = svm_exit_reasons_str,
        .get_lpage_level = svm_get_lpage_level,
        .cpuid_update = svm_cpuid_update,
@@ -3519,6 +4230,15 @@ static struct kvm_x86_ops svm_x86_ops = {
        .set_supported_cpuid = svm_set_supported_cpuid,
        .has_wbinvd_exit = svm_has_wbinvd_exit,
+        .set_tsc_khz = svm_set_tsc_khz,
+        .write_tsc_offset = svm_write_tsc_offset,
+        .adjust_tsc_offset = svm_adjust_tsc_offset,
+        .compute_tsc_offset = svm_compute_tsc_offset,
+        .set_tdp_cr3 = set_tdp_cr3,
+        .check_intercept = svm_check_intercept,
 };
 static int __init svm_init(void)
diff --git a/arch/x86/kvm/timer.c b/arch/x86/kvm/timer.c
index e16a0dbe74d8..abd86e865be3 100644
--- a/arch/x86/kvm/timer.c
+++ b/arch/x86/kvm/timer.c
@@ -6,7 +6,7 @@
 *
 * timer support
 *
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
@@ -25,7 +25,7 @@ static int __kvm_timer_fn(struct kvm_vcpu *vcpu, struct kvm_timer *ktimer)
        /*
         * There is a race window between reading and incrementing, but we do
-         * not care about potentially loosing timer events in the !reinject
+         * not care about potentially losing timer events in the !reinject
         * case anyway. Note: KVM_REQ_PENDING_TIMER is implicitly checked
         * in vcpu_enter_guest.
         */
diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
index a6544b8e7c0f..db932760ea82 100644
--- a/arch/x86/kvm/trace.h
+++ b/arch/x86/kvm/trace.h
@@ -62,21 +62,21 @@ TRACE_EVENT(kvm_hv_hypercall,
        TP_ARGS(code, fast, rep_cnt, rep_idx, ingpa, outgpa),
        TP_STRUCT__entry(
-                __field(        __u16,          code            )
-                __field(        bool,           fast            )
                __field(        __u16,          rep_cnt         )
                __field(        __u16,          rep_idx         )
                __field(        __u64,          ingpa           )
                __field(        __u64,          outgpa          )
+                __field(        __u16,          code            )
+                __field(        bool,           fast            )
        ),
        TP_fast_assign(
-                __entry->code           = code;
-                __entry->fast           = fast;
                __entry->rep_cnt        = rep_cnt;
                __entry->rep_idx        = rep_idx;
                __entry->ingpa          = ingpa;
                __entry->outgpa         = outgpa;
+                __entry->code           = code;
+                __entry->fast           = fast;
        ),
        TP_printk("code 0x%x %s cnt 0x%x idx 0x%x in 0x%llx out 0x%llx",
@@ -178,27 +178,36 @@ TRACE_EVENT(kvm_apic,
 #define trace_kvm_apic_read(reg, val)           trace_kvm_apic(0, reg, val)
 #define trace_kvm_apic_write(reg, val)          trace_kvm_apic(1, reg, val)
+#define KVM_ISA_VMX   1
+#define KVM_ISA_SVM   2
 /*
 * Tracepoint for kvm guest exit:
 */
 TRACE_EVENT(kvm_exit,
-        TP_PROTO(unsigned int exit_reason, struct kvm_vcpu *vcpu),
+        TP_PROTO(unsigned int exit_reason, struct kvm_vcpu *vcpu, u32 isa),
-        TP_ARGS(exit_reason, vcpu),
+        TP_ARGS(exit_reason, vcpu, isa),
        TP_STRUCT__entry(
                __field(        unsigned int,   exit_reason     )
                __field(        unsigned long,  guest_rip       )
+                __field(        u32,            isa             )
+                __field(        u64,            info1           )
+                __field(        u64,            info2           )
        ),
        TP_fast_assign(
                __entry->exit_reason    = exit_reason;
                __entry->guest_rip      = kvm_rip_read(vcpu);
+                __entry->isa            = isa;
+                kvm_x86_ops->get_exit_info(vcpu, &__entry->info1,
+                                           &__entry->info2);
        ),
-        TP_printk("reason %s rip 0x%lx",
+        TP_printk("reason %s rip 0x%lx info %llx %llx",
                 ftrace_print_symbols_seq(p, __entry->exit_reason,
                                          kvm_x86_ops->exit_reasons_str),
-                 __entry->guest_rip)
+                 __entry->guest_rip, __entry->info1, __entry->info2)
 );
 /*
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 7bddfab12013..d48ec60ea421 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -5,7 +5,7 @@
 * machines without emulation or binary translation.
 *
 * Copyright (C) 2006 Qumranet, Inc.
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Avi Kivity   <avi@qumranet.com>
@@ -69,6 +69,9 @@ module_param(emulate_invalid_guest_state, bool, S_IRUGO);
 static int __read_mostly vmm_exclusive = 1;
 module_param(vmm_exclusive, bool, S_IRUGO);
+static int __read_mostly yield_on_hlt = 1;
+module_param(yield_on_hlt, bool, S_IRUGO);
 #define KVM_GUEST_CR0_MASK_UNRESTRICTED_GUEST                           \
        (X86_CR0_WP | X86_CR0_NE | X86_CR0_NW | X86_CR0_CD)
 #define KVM_GUEST_CR0_MASK                                              \
@@ -90,14 +93,14 @@ module_param(vmm_exclusive, bool, S_IRUGO);
 * These 2 parameters are used to config the controls for Pause-Loop Exiting:
 * ple_gap:    upper bound on the amount of time between two successive
 *             executions of PAUSE in a loop. Also indicate if ple enabled.
- *             According to test, this time is usually small than 41 cycles.
+ *             According to test, this time is usually smaller than 128 cycles.
 * ple_window: upper bound on the amount of time a guest is allowed to execute
 *             in a PAUSE loop. Tests indicate that most spinlocks are held for
 *             less than 2^12 cycles
 * Time is measured based on a counter that runs at the same rate as the TSC,
 * refer SDM volume 3b section 21.6.13 & 22.1.3.
 */
-#define KVM_VMX_DEFAULT_PLE_GAP    41
+#define KVM_VMX_DEFAULT_PLE_GAP    128
 #define KVM_VMX_DEFAULT_PLE_WINDOW 4096
 static int ple_gap = KVM_VMX_DEFAULT_PLE_GAP;
 module_param(ple_gap, int, S_IRUGO);
@@ -125,7 +128,11 @@ struct vcpu_vmx {
        unsigned long         host_rsp;
        int                   launched;
        u8                    fail;
+        u8                    cpl;
+        bool                  nmi_known_unmasked;
+        u32                   exit_intr_info;
        u32                   idt_vectoring_info;
+        ulong                 rflags;
        struct shared_msr_entry *guest_msrs;
        int                   nmsrs;
        int                   save_nmsrs;
@@ -154,12 +161,11 @@ struct vcpu_vmx {
                        u32 limit;
                        u32 ar;
                } tr, es, ds, fs, gs;
-                struct {
-                        bool pending;
-                        u8 vector;
-                        unsigned rip;
-                } irq;
        } rmode;
+        struct {
+                u32 bitmask; /* 4 bits per segment (1 bit per field) */
+                struct kvm_save_segment seg[8];
+        } segment_cache;
        int vpid;
        bool emulation_required;
@@ -172,15 +178,25 @@ struct vcpu_vmx {
        bool rdtscp_enabled;
 };
+enum segment_cache_field {
+        SEG_FIELD_SEL = 0,
+        SEG_FIELD_BASE = 1,
+        SEG_FIELD_LIMIT = 2,
+        SEG_FIELD_AR = 3,
+        SEG_FIELD_NR = 4
+};
 static inline struct vcpu_vmx *to_vmx(struct kvm_vcpu *vcpu)
 {
        return container_of(vcpu, struct vcpu_vmx, vcpu);
 }
-static int init_rmode(struct kvm *kvm);
 static u64 construct_eptp(unsigned long root_hpa);
 static void kvm_cpu_vmxon(u64 addr);
 static void kvm_cpu_vmxoff(void);
+static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3);
+static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr);
 static DEFINE_PER_CPU(struct vmcs *, vmxarea);
 static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
@@ -192,6 +208,8 @@ static unsigned long *vmx_io_bitmap_b;
 static unsigned long *vmx_msr_bitmap_legacy;
 static unsigned long *vmx_msr_bitmap_longmode;
+static bool cpu_has_load_ia32_efer;
 static DECLARE_BITMAP(vmx_vpid_bitmap, VMX_NR_VPIDS);
 static DEFINE_SPINLOCK(vmx_vpid_lock);
@@ -476,7 +494,7 @@ static void vmcs_clear(struct vmcs *vmcs)
        u8 error;
        asm volatile (__ex(ASM_VMX_VMCLEAR_RAX) "; setna %0"
-                      : "=g"(error) : "a"(&phys_addr), "m"(phys_addr)
+                      : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
                      : "cc", "memory");
        if (error)
                printk(KERN_ERR "kvm: vmclear fail: %p/%llx\n",
@@ -489,7 +507,7 @@ static void vmcs_load(struct vmcs *vmcs)
        u8 error;
        asm volatile (__ex(ASM_VMX_VMPTRLD_RAX) "; setna %0"
-                        : "=g"(error) : "a"(&phys_addr), "m"(phys_addr)
+                        : "=qm"(error) : "a"(&phys_addr), "m"(phys_addr)
                        : "cc", "memory");
        if (error)
                printk(KERN_ERR "kvm: vmptrld %p/%llx fail\n",
@@ -505,7 +523,6 @@ static void __vcpu_clear(void *arg)
                vmcs_clear(vmx->vmcs);
        if (per_cpu(current_vmcs, cpu) == vmx->vmcs)
                per_cpu(current_vmcs, cpu) = NULL;
-        rdtscll(vmx->vcpu.arch.host_tsc);
        list_del(&vmx->local_vcpus_link);
        vmx->vcpu.cpu = -1;
        vmx->launched = 0;
@@ -570,10 +587,10 @@ static inline void ept_sync_individual_addr(u64 eptp, gpa_t gpa)
 static unsigned long vmcs_readl(unsigned long field)
 {
-        unsigned long value;
+        unsigned long value = 0;
        asm volatile (__ex(ASM_VMX_VMREAD_RDX_RAX)
-                      : "=a"(value) : "d"(field) : "cc");
+                      : "+a"(value) : "d"(field) : "cc");
        return value;
 }
@@ -642,6 +659,62 @@ static void vmcs_set_bits(unsigned long field, u32 mask)
        vmcs_writel(field, vmcs_readl(field) | mask);
 }
+static void vmx_segment_cache_clear(struct vcpu_vmx *vmx)
+{
+        vmx->segment_cache.bitmask = 0;
+}
+static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg,
+                                       unsigned field)
+{
+        bool ret;
+        u32 mask = 1 << (seg * SEG_FIELD_NR + field);
+        if (!(vmx->vcpu.arch.regs_avail & (1 << VCPU_EXREG_SEGMENTS))) {
+                vmx->vcpu.arch.regs_avail |= (1 << VCPU_EXREG_SEGMENTS);
+                vmx->segment_cache.bitmask = 0;
+        }
+        ret = vmx->segment_cache.bitmask & mask;
+        vmx->segment_cache.bitmask |= mask;
+        return ret;
+}
+static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg)
+{
+        u16 *p = &vmx->segment_cache.seg[seg].selector;
+        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL))
+                *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector);
+        return *p;
+}
+static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg)
+{
+        ulong *p = &vmx->segment_cache.seg[seg].base;
+        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE))
+                *p = vmcs_readl(kvm_vmx_segment_fields[seg].base);
+        return *p;
+}
+static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg)
+{
+        u32 *p = &vmx->segment_cache.seg[seg].limit;
+        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT))
+                *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit);
+        return *p;
+}
+static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg)
+{
+        u32 *p = &vmx->segment_cache.seg[seg].ar;
+        if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR))
+                *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes);
+        return *p;
+}
 static void update_exception_bitmap(struct kvm_vcpu *vcpu)
 {
        u32 eb;
@@ -666,6 +739,12 @@ static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
        unsigned i;
        struct msr_autoload *m = &vmx->msr_autoload;
+        if (msr == MSR_EFER && cpu_has_load_ia32_efer) {
+                vmcs_clear_bits(VM_ENTRY_CONTROLS, VM_ENTRY_LOAD_IA32_EFER);
+                vmcs_clear_bits(VM_EXIT_CONTROLS, VM_EXIT_LOAD_IA32_EFER);
+                return;
+        }
        for (i = 0; i < m->nr; ++i)
                if (m->guest[i].index == msr)
                        break;
@@ -685,6 +764,14 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
        unsigned i;
        struct msr_autoload *m = &vmx->msr_autoload;
+        if (msr == MSR_EFER && cpu_has_load_ia32_efer) {
+                vmcs_write64(GUEST_IA32_EFER, guest_val);
+                vmcs_write64(HOST_IA32_EFER, host_val);
+                vmcs_set_bits(VM_ENTRY_CONTROLS, VM_ENTRY_LOAD_IA32_EFER);
+                vmcs_set_bits(VM_EXIT_CONTROLS, VM_EXIT_LOAD_IA32_EFER);
+                return;
+        }
        for (i = 0; i < m->nr; ++i)
                if (m->guest[i].index == msr)
                        break;
@@ -706,11 +793,10 @@ static void reload_tss(void)
        /*
         * VT restores TR but not its size.  Useless.
         */
-        struct desc_ptr gdt;
+        struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
        struct desc_struct *descs;
-        native_store_gdt(&gdt);
+        descs = (void *)gdt->address;
-        descs = (void *)gdt.address;
        descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
        load_TR_desc();
 }
@@ -753,7 +839,7 @@ static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
 static unsigned long segment_base(u16 selector)
 {
-        struct desc_ptr gdt;
+        struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
        struct desc_struct *d;
        unsigned long table_base;
        unsigned long v;
@@ -761,8 +847,7 @@ static unsigned long segment_base(u16 selector)
        if (!(selector & ~3))
                return 0;
-        native_store_gdt(&gdt);
+        table_base = gdt->address;
-        table_base = gdt.address;
        if (selector & 4) {           /* from ldt */
                u16 ldt_selector = kvm_read_ldt();
@@ -828,10 +913,9 @@ static void vmx_save_host_state(struct kvm_vcpu *vcpu)
 #endif
 #ifdef CONFIG_X86_64
-        if (is_long_mode(&vmx->vcpu)) {
+        rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
-                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
+        if (is_long_mode(&vmx->vcpu))
                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
-        }
 #endif
        for (i = 0; i < vmx->save_nmsrs; ++i)
                kvm_set_shared_msr(vmx->guest_msrs[i].index,
@@ -846,23 +930,23 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
        ++vmx->vcpu.stat.host_state_reload;
        vmx->host_state.loaded = 0;
-        if (vmx->host_state.fs_reload_needed)
+#ifdef CONFIG_X86_64
-                loadsegment(fs, vmx->host_state.fs_sel);
+        if (is_long_mode(&vmx->vcpu))
+                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+#endif
        if (vmx->host_state.gs_ldt_reload_needed) {
                kvm_load_ldt(vmx->host_state.ldt_sel);
 #ifdef CONFIG_X86_64
                load_gs_index(vmx->host_state.gs_sel);
-                wrmsrl(MSR_KERNEL_GS_BASE, current->thread.gs);
 #else
                loadsegment(gs, vmx->host_state.gs_sel);
 #endif
        }
+        if (vmx->host_state.fs_reload_needed)
+                loadsegment(fs, vmx->host_state.fs_sel);
        reload_tss();
 #ifdef CONFIG_X86_64
-        if (is_long_mode(&vmx->vcpu)) {
+        wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
-                rdmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
-                wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_host_kernel_gs_base);
-        }
 #endif
        if (current_thread_info()->status & TS_USEDFPU)
                clts();
@@ -883,7 +967,6 @@ static void vmx_load_host_state(struct vcpu_vmx *vmx)
 static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
-        u64 tsc_this, delta, new_offset;
        u64 phys_addr = __pa(per_cpu(vmxarea, cpu));
        if (!vmm_exclusive)
@@ -897,37 +980,24 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
        }
        if (vcpu->cpu != cpu) {
-                struct desc_ptr dt;
+                struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
                unsigned long sysenter_esp;
-                kvm_migrate_timers(vcpu);
                kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
                local_irq_disable();
                list_add(&vmx->local_vcpus_link,
                         &per_cpu(vcpus_on_cpu, cpu));
                local_irq_enable();
-                vcpu->cpu = cpu;
                /*
                 * Linux uses per-cpu TSS and GDT, so set these when switching
                 * processors.
                 */
                vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
-                native_store_gdt(&dt);
+                vmcs_writel(HOST_GDTR_BASE, gdt->address);   /* 22.2.4 */
-                vmcs_writel(HOST_GDTR_BASE, dt.address);   /* 22.2.4 */
                rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
                vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
-                /*
-                 * Make sure the time stamp counter is monotonous.
-                 */
-                rdtscll(tsc_this);
-                if (tsc_this < vcpu->arch.host_tsc) {
-                        delta = vcpu->arch.host_tsc - tsc_this;
-                        new_offset = vmcs_read64(TSC_OFFSET) + delta;
-                        vmcs_write64(TSC_OFFSET, new_offset);
-                }
        }
 }
@@ -972,17 +1042,24 @@ static unsigned long vmx_get_rflags(struct kvm_vcpu *vcpu)
 {
        unsigned long rflags, save_rflags;
-        rflags = vmcs_readl(GUEST_RFLAGS);
+        if (!test_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail)) {
-        if (to_vmx(vcpu)->rmode.vm86_active) {
+                __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
-                rflags &= RMODE_GUEST_OWNED_EFLAGS_BITS;
+                rflags = vmcs_readl(GUEST_RFLAGS);
-                save_rflags = to_vmx(vcpu)->rmode.save_rflags;
+                if (to_vmx(vcpu)->rmode.vm86_active) {
-                rflags |= save_rflags & ~RMODE_GUEST_OWNED_EFLAGS_BITS;
+                        rflags &= RMODE_GUEST_OWNED_EFLAGS_BITS;
+                        save_rflags = to_vmx(vcpu)->rmode.save_rflags;
+                        rflags |= save_rflags & ~RMODE_GUEST_OWNED_EFLAGS_BITS;
+                }
+                to_vmx(vcpu)->rflags = rflags;
        }
-        return rflags;
+        return to_vmx(vcpu)->rflags;
 }
 static void vmx_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
 {
+        __set_bit(VCPU_EXREG_RFLAGS, (ulong *)&vcpu->arch.regs_avail);
+        __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
+        to_vmx(vcpu)->rflags = rflags;
        if (to_vmx(vcpu)->rmode.vm86_active) {
                to_vmx(vcpu)->rmode.save_rflags = rflags;
                rflags |= X86_EFLAGS_IOPL | X86_EFLAGS_VM;
@@ -1031,6 +1108,17 @@ static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
        vmx_set_interrupt_shadow(vcpu, 0);
 }
+static void vmx_clear_hlt(struct kvm_vcpu *vcpu)
+{
+        /* Ensure that we clear the HLT state in the VMCS.  We don't need to
+         * explicitly skip the instruction because if the HLT state is set, then
+         * the instruction is already executing and RIP has already been
+         * advanced. */
+        if (!yield_on_hlt &&
+            vmcs_read32(GUEST_ACTIVITY_STATE) == GUEST_ACTIVITY_HLT)
+                vmcs_write32(GUEST_ACTIVITY_STATE, GUEST_ACTIVITY_ACTIVE);
+}
 static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
                                bool has_error_code, u32 error_code,
                                bool reinject)
@@ -1044,16 +1132,11 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
        }
        if (vmx->rmode.vm86_active) {
-                vmx->rmode.irq.pending = true;
+                int inc_eip = 0;
-                vmx->rmode.irq.vector = nr;
-                vmx->rmode.irq.rip = kvm_rip_read(vcpu);
                if (kvm_exception_is_soft(nr))
-                        vmx->rmode.irq.rip +=
+                        inc_eip = vcpu->arch.event_exit_inst_len;
-                                vmx->vcpu.arch.event_exit_inst_len;
+                if (kvm_inject_realmode_interrupt(vcpu, nr, inc_eip) != EMULATE_DONE)
-                intr_info |= INTR_TYPE_SOFT_INTR;
+                        kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
-                vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr_info);
-                vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, 1);
-                kvm_rip_write(vcpu, vmx->rmode.irq.rip - 1);
                return;
        }
@@ -1065,6 +1148,7 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
                intr_info |= INTR_TYPE_HARD_EXCEPTION;
        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr_info);
+        vmx_clear_hlt(vcpu);
 }
 static bool vmx_rdtscp_supported(void)
@@ -1149,12 +1233,32 @@ static u64 guest_read_tsc(void)
 }
 /*
- * writes 'guest_tsc' into guest's timestamp counter "register"
+ * Empty call-back. Needs to be implemented when VMX enables the SET_TSC_KHZ
- * guest_tsc = host_tsc + tsc_offset ==> tsc_offset = guest_tsc - host_tsc
+ * ioctl. In this case the call-back should update internal vmx state to make
+ * the changes effective.
+ */
+static void vmx_set_tsc_khz(struct kvm_vcpu *vcpu, u32 user_tsc_khz)
+{
+        /* Nothing to do here */
+}
+/*
+ * writes 'offset' into guest's timestamp counter offset register
 */
-static void guest_write_tsc(u64 guest_tsc, u64 host_tsc)
+static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
 {
-        vmcs_write64(TSC_OFFSET, guest_tsc - host_tsc);
+        vmcs_write64(TSC_OFFSET, offset);
+}
+static void vmx_adjust_tsc_offset(struct kvm_vcpu *vcpu, s64 adjustment)
+{
+        u64 offset = vmcs_read64(TSC_OFFSET);
+        vmcs_write64(TSC_OFFSET, offset + adjustment);
+}
+static u64 vmx_compute_tsc_offset(struct kvm_vcpu *vcpu, u64 target_tsc)
+{
+        return target_tsc - native_read_tsc();
 }
 /*
@@ -1227,7 +1331,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        struct shared_msr_entry *msr;
-        u64 host_tsc;
        int ret = 0;
        switch (msr_index) {
@@ -1237,9 +1340,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
                break;
 #ifdef CONFIG_X86_64
        case MSR_FS_BASE:
+                vmx_segment_cache_clear(vmx);
                vmcs_writel(GUEST_FS_BASE, data);
                break;
        case MSR_GS_BASE:
+                vmx_segment_cache_clear(vmx);
                vmcs_writel(GUEST_GS_BASE, data);
                break;
        case MSR_KERNEL_GS_BASE:
@@ -1257,8 +1362,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
                vmcs_writel(GUEST_SYSENTER_ESP, data);
                break;
        case MSR_IA32_TSC:
-                rdtscll(host_tsc);
+                kvm_write_tsc(vcpu, data);
-                guest_write_tsc(data, host_tsc);
                break;
        case MSR_IA32_CR_PAT:
                if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
@@ -1328,16 +1432,25 @@ static __init int vmx_disabled_by_bios(void)
        rdmsrl(MSR_IA32_FEATURE_CONTROL, msr);
        if (msr & FEATURE_CONTROL_LOCKED) {
+                /* launched w/ TXT and VMX disabled */
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
                        && tboot_enabled())
                        return 1;
+                /* launched w/o TXT and VMX only enabled w/ TXT */
+                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
+                        && (msr & FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX)
+                        && !tboot_enabled()) {
+                        printk(KERN_WARNING "kvm: disable TXT in the BIOS or "
+                                "activate TXT before enabling KVM\n");
+                        return 1;
+                }
+                /* launched w/o TXT and VMX disabled */
                if (!(msr & FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX)
                        && !tboot_enabled())
                        return 1;
        }
        return 0;
-        /* locked but not enabled */
 }
 static void kvm_cpu_vmxon(u64 addr)
@@ -1427,6 +1540,14 @@ static __init int adjust_vmx_controls(u32 ctl_min, u32 ctl_opt,
        return 0;
 }
+static __init bool allow_1_setting(u32 msr, u32 ctl)
+{
+        u32 vmx_msr_low, vmx_msr_high;
+        rdmsr(msr, vmx_msr_low, vmx_msr_high);
+        return vmx_msr_high & ctl;
+}
 static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
 {
        u32 vmx_msr_low, vmx_msr_high;
@@ -1443,7 +1564,7 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
                                &_pin_based_exec_control) < 0)
                return -EIO;
-        min = CPU_BASED_HLT_EXITING |
+        min =
 #ifdef CONFIG_X86_64
              CPU_BASED_CR8_LOAD_EXITING |
              CPU_BASED_CR8_STORE_EXITING |
@@ -1456,6 +1577,10 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
              CPU_BASED_MWAIT_EXITING |
              CPU_BASED_MONITOR_EXITING |
              CPU_BASED_INVLPG_EXITING;
+        if (yield_on_hlt)
+                min |= CPU_BASED_HLT_EXITING;
        opt = CPU_BASED_TPR_SHADOW |
              CPU_BASED_USE_MSR_BITMAPS |
              CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
@@ -1537,6 +1662,12 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
        vmcs_conf->vmexit_ctrl         = _vmexit_control;
        vmcs_conf->vmentry_ctrl        = _vmentry_control;
+        cpu_has_load_ia32_efer =
+                allow_1_setting(MSR_IA32_VMX_ENTRY_CTLS,
+                                VM_ENTRY_LOAD_IA32_EFER)
+                && allow_1_setting(MSR_IA32_VMX_EXIT_CTLS,
+                                   VM_EXIT_LOAD_IA32_EFER);
        return 0;
 }
@@ -1657,6 +1788,9 @@ static void enter_pmode(struct kvm_vcpu *vcpu)
        vmx->emulation_required = 1;
        vmx->rmode.vm86_active = 0;
+        vmx_segment_cache_clear(vmx);
+        vmcs_write16(GUEST_TR_SELECTOR, vmx->rmode.tr.selector);
        vmcs_writel(GUEST_TR_BASE, vmx->rmode.tr.base);
        vmcs_write32(GUEST_TR_LIMIT, vmx->rmode.tr.limit);
        vmcs_write32(GUEST_TR_AR_BYTES, vmx->rmode.tr.ar);
@@ -1679,6 +1813,8 @@ static void enter_pmode(struct kvm_vcpu *vcpu)
        fix_pmode_dataseg(VCPU_SREG_GS, &vmx->rmode.gs);
        fix_pmode_dataseg(VCPU_SREG_FS, &vmx->rmode.fs);
+        vmx_segment_cache_clear(vmx);
        vmcs_write16(GUEST_SS_SELECTOR, 0);
        vmcs_write32(GUEST_SS_AR_BYTES, 0x93);
@@ -1710,9 +1846,13 @@ static void fix_rmode_seg(int seg, struct kvm_save_segment *save)
        save->limit = vmcs_read32(sf->limit);
        save->ar = vmcs_read32(sf->ar_bytes);
        vmcs_write16(sf->selector, save->base >> 4);
-        vmcs_write32(sf->base, save->base & 0xfffff);
+        vmcs_write32(sf->base, save->base & 0xffff0);
        vmcs_write32(sf->limit, 0xffff);
        vmcs_write32(sf->ar_bytes, 0xf3);
+        if (save->base & 0xf)
+                printk_once(KERN_WARNING "kvm: segment base is not paragraph"
+                            " aligned when entering protected mode (seg=%d)",
+                            seg);
 }
 static void enter_rmode(struct kvm_vcpu *vcpu)
@@ -1726,6 +1866,21 @@ static void enter_rmode(struct kvm_vcpu *vcpu)
        vmx->emulation_required = 1;
        vmx->rmode.vm86_active = 1;
+        /*
+         * Very old userspace does not call KVM_SET_TSS_ADDR before entering
+         * vcpu. Call it here with phys address pointing 16M below 4G.
+         */
+        if (!vcpu->kvm->arch.tss_addr) {
+                printk_once(KERN_WARNING "kvm: KVM_SET_TSS_ADDR need to be "
+                             "called before entering vcpu\n");
+                srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
+                vmx_set_tss_addr(vcpu->kvm, 0xfeffd000);
+                vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
+        }
+        vmx_segment_cache_clear(vmx);
+        vmx->rmode.tr.selector = vmcs_read16(GUEST_TR_SELECTOR);
        vmx->rmode.tr.base = vmcs_readl(GUEST_TR_BASE);
        vmcs_writel(GUEST_TR_BASE, rmode_tss_base(vcpu->kvm));
@@ -1764,7 +1919,6 @@ static void enter_rmode(struct kvm_vcpu *vcpu)
 continue_rmode:
        kvm_mmu_reset_context(vcpu);
-        init_rmode(vcpu->kvm);
 }
 static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
@@ -1802,6 +1956,8 @@ static void enter_lmode(struct kvm_vcpu *vcpu)
 {
        u32 guest_tr_ar;
+        vmx_segment_cache_clear(to_vmx(vcpu));
        guest_tr_ar = vmcs_read32(GUEST_TR_AR_BYTES);
        if ((guest_tr_ar & AR_TYPE_MASK) != AR_TYPE_BUSY_64_TSS) {
                printk(KERN_DEBUG "%s: tss fixup for long mode. \n",
@@ -1841,6 +1997,13 @@ static void vmx_decache_cr0_guest_bits(struct kvm_vcpu *vcpu)
        vcpu->arch.cr0 |= vmcs_readl(GUEST_CR0) & cr0_guest_owned_bits;
 }
+static void vmx_decache_cr3(struct kvm_vcpu *vcpu)
+{
+        if (enable_ept && is_paging(vcpu))
+                vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
+        __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
+}
 static void vmx_decache_cr4_guest_bits(struct kvm_vcpu *vcpu)
 {
        ulong cr4_guest_owned_bits = vcpu->arch.cr4_guest_owned_bits;
@@ -1856,20 +2019,20 @@ static void ept_load_pdptrs(struct kvm_vcpu *vcpu)
                return;
        if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
-                vmcs_write64(GUEST_PDPTR0, vcpu->arch.pdptrs[0]);
+                vmcs_write64(GUEST_PDPTR0, vcpu->arch.mmu.pdptrs[0]);
-                vmcs_write64(GUEST_PDPTR1, vcpu->arch.pdptrs[1]);
+                vmcs_write64(GUEST_PDPTR1, vcpu->arch.mmu.pdptrs[1]);
-                vmcs_write64(GUEST_PDPTR2, vcpu->arch.pdptrs[2]);
+                vmcs_write64(GUEST_PDPTR2, vcpu->arch.mmu.pdptrs[2]);
-                vmcs_write64(GUEST_PDPTR3, vcpu->arch.pdptrs[3]);
+                vmcs_write64(GUEST_PDPTR3, vcpu->arch.mmu.pdptrs[3]);
        }
 }
 static void ept_save_pdptrs(struct kvm_vcpu *vcpu)
 {
        if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
-                vcpu->arch.pdptrs[0] = vmcs_read64(GUEST_PDPTR0);
+                vcpu->arch.mmu.pdptrs[0] = vmcs_read64(GUEST_PDPTR0);
-                vcpu->arch.pdptrs[1] = vmcs_read64(GUEST_PDPTR1);
+                vcpu->arch.mmu.pdptrs[1] = vmcs_read64(GUEST_PDPTR1);
-                vcpu->arch.pdptrs[2] = vmcs_read64(GUEST_PDPTR2);
+                vcpu->arch.mmu.pdptrs[2] = vmcs_read64(GUEST_PDPTR2);
-                vcpu->arch.pdptrs[3] = vmcs_read64(GUEST_PDPTR3);
+                vcpu->arch.mmu.pdptrs[3] = vmcs_read64(GUEST_PDPTR3);
        }
        __set_bit(VCPU_EXREG_PDPTR,
@@ -1884,6 +2047,8 @@ static void ept_update_paging_mode_cr0(unsigned long *hw_cr0,
                                        unsigned long cr0,
                                        struct kvm_vcpu *vcpu)
 {
+        if (!test_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail))
+                vmx_decache_cr3(vcpu);
        if (!(cr0 & X86_CR0_PG)) {
                /* From paging/starting to nonpaging */
                vmcs_write32(CPU_BASED_VM_EXEC_CONTROL,
@@ -1941,6 +2106,7 @@ static void vmx_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
        vmcs_writel(CR0_READ_SHADOW, cr0);
        vmcs_writel(GUEST_CR0, hw_cr0);
        vcpu->arch.cr0 = cr0;
+        __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
 }
 static u64 construct_eptp(unsigned long root_hpa)
@@ -1964,7 +2130,7 @@ static void vmx_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
        if (enable_ept) {
                eptp = construct_eptp(cr3);
                vmcs_write64(EPT_POINTER, eptp);
-                guest_cr3 = is_paging(vcpu) ? vcpu->arch.cr3 :
+                guest_cr3 = is_paging(vcpu) ? kvm_read_cr3(vcpu) :
                        vcpu->kvm->arch.ept_identity_map_addr;
                ept_load_pdptrs(vcpu);
        }
@@ -1992,23 +2158,39 @@ static void vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
        vmcs_writel(GUEST_CR4, hw_cr4);
 }
-static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg)
-{
-        struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
-        return vmcs_readl(sf->base);
-}
 static void vmx_get_segment(struct kvm_vcpu *vcpu,
                            struct kvm_segment *var, int seg)
 {
-        struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
+        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        struct kvm_save_segment *save;
        u32 ar;
-        var->base = vmcs_readl(sf->base);
+        if (vmx->rmode.vm86_active
-        var->limit = vmcs_read32(sf->limit);
+            && (seg == VCPU_SREG_TR || seg == VCPU_SREG_ES
-        var->selector = vmcs_read16(sf->selector);
+                || seg == VCPU_SREG_DS || seg == VCPU_SREG_FS
-        ar = vmcs_read32(sf->ar_bytes);
+                || seg == VCPU_SREG_GS)
+            && !emulate_invalid_guest_state) {
+                switch (seg) {
+                case VCPU_SREG_TR: save = &vmx->rmode.tr; break;
+                case VCPU_SREG_ES: save = &vmx->rmode.es; break;
+                case VCPU_SREG_DS: save = &vmx->rmode.ds; break;
+                case VCPU_SREG_FS: save = &vmx->rmode.fs; break;
+                case VCPU_SREG_GS: save = &vmx->rmode.gs; break;
+                default: BUG();
+                }
+                var->selector = save->selector;
+                var->base = save->base;
+                var->limit = save->limit;
+                ar = save->ar;
+                if (seg == VCPU_SREG_TR
+                    || var->selector == vmx_read_guest_seg_selector(vmx, seg))
+                        goto use_saved_rmode_seg;
+        }
+        var->base = vmx_read_guest_seg_base(vmx, seg);
+        var->limit = vmx_read_guest_seg_limit(vmx, seg);
+        var->selector = vmx_read_guest_seg_selector(vmx, seg);
+        ar = vmx_read_guest_seg_ar(vmx, seg);
+use_saved_rmode_seg:
        if ((ar & AR_UNUSABLE_MASK) && !emulate_invalid_guest_state)
                ar = 0;
        var->type = ar & 15;
@@ -2022,17 +2204,39 @@ static void vmx_get_segment(struct kvm_vcpu *vcpu,
        var->unusable = (ar >> 16) & 1;
 }
-static int vmx_get_cpl(struct kvm_vcpu *vcpu)
+static u64 vmx_get_segment_base(struct kvm_vcpu *vcpu, int seg)
+{
+        struct kvm_segment s;
+        if (to_vmx(vcpu)->rmode.vm86_active) {
+                vmx_get_segment(vcpu, &s, seg);
+                return s.base;
+        }
+        return vmx_read_guest_seg_base(to_vmx(vcpu), seg);
+}
+static int __vmx_get_cpl(struct kvm_vcpu *vcpu)
 {
        if (!is_protmode(vcpu))
                return 0;
-        if (vmx_get_rflags(vcpu) & X86_EFLAGS_VM) /* if virtual 8086 */
+        if (!is_long_mode(vcpu)
+            && (kvm_get_rflags(vcpu) & X86_EFLAGS_VM)) /* if virtual 8086 */
                return 3;
-        return vmcs_read16(GUEST_CS_SELECTOR) & 3;
+        return vmx_read_guest_seg_selector(to_vmx(vcpu), VCPU_SREG_CS) & 3;
 }
+static int vmx_get_cpl(struct kvm_vcpu *vcpu)
+{
+        if (!test_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail)) {
+                __set_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
+                to_vmx(vcpu)->cpl = __vmx_get_cpl(vcpu);
+        }
+        return to_vmx(vcpu)->cpl;
+}
 static u32 vmx_segment_access_rights(struct kvm_segment *var)
 {
        u32 ar;
@@ -2062,7 +2266,10 @@ static void vmx_set_segment(struct kvm_vcpu *vcpu,
        struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
        u32 ar;
+        vmx_segment_cache_clear(vmx);
        if (vmx->rmode.vm86_active && seg == VCPU_SREG_TR) {
+                vmcs_write16(sf->selector, var->selector);
                vmx->rmode.tr.selector = var->selector;
                vmx->rmode.tr.base = var->base;
                vmx->rmode.tr.limit = var->limit;
@@ -2097,11 +2304,12 @@ static void vmx_set_segment(struct kvm_vcpu *vcpu,
                ar |= 0x1; /* Accessed */
        vmcs_write32(sf->ar_bytes, ar);
+        __clear_bit(VCPU_EXREG_CPL, (ulong *)&vcpu->arch.regs_avail);
 }
 static void vmx_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l)
 {
-        u32 ar = vmcs_read32(GUEST_CS_AR_BYTES);
+        u32 ar = vmx_read_guest_seg_ar(to_vmx(vcpu), VCPU_SREG_CS);
        *db = (ar >> 14) & 1;
        *l = (ar >> 13) & 1;
@@ -2323,11 +2531,12 @@ static bool guest_state_valid(struct kvm_vcpu *vcpu)
 static int init_rmode_tss(struct kvm *kvm)
 {
-        gfn_t fn = rmode_tss_base(kvm) >> PAGE_SHIFT;
+        gfn_t fn;
        u16 data = 0;
-        int ret = 0;
+        int r, idx, ret = 0;
-        int r;
+        idx = srcu_read_lock(&kvm->srcu);
+        fn = rmode_tss_base(kvm) >> PAGE_SHIFT;
        r = kvm_clear_guest_page(kvm, fn, 0, PAGE_SIZE);
        if (r < 0)
                goto out;
@@ -2351,12 +2560,13 @@ static int init_rmode_tss(struct kvm *kvm)
        ret = 1;
 out:
+        srcu_read_unlock(&kvm->srcu, idx);
        return ret;
 }
 static int init_rmode_identity_map(struct kvm *kvm)
 {
-        int i, r, ret;
+        int i, idx, r, ret;
        pfn_t identity_map_pfn;
        u32 tmp;
@@ -2371,6 +2581,7 @@ static int init_rmode_identity_map(struct kvm *kvm)
                return 1;
        ret = 0;
        identity_map_pfn = kvm->arch.ept_identity_map_addr >> PAGE_SHIFT;
+        idx = srcu_read_lock(&kvm->srcu);
        r = kvm_clear_guest_page(kvm, identity_map_pfn, 0, PAGE_SIZE);
        if (r < 0)
                goto out;
@@ -2386,6 +2597,7 @@ static int init_rmode_identity_map(struct kvm *kvm)
        kvm->arch.ept_identity_pagetable_done = true;
        ret = 1;
 out:
+        srcu_read_unlock(&kvm->srcu, idx);
        return ret;
 }
@@ -2515,7 +2727,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
 {
        u32 host_sysenter_cs, msr_low, msr_high;
        u32 junk;
-        u64 host_pat, tsc_this, tsc_base;
+        u64 host_pat;
        unsigned long a;
        struct desc_ptr dt;
        int i;
@@ -2656,32 +2868,11 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
                vmx->vcpu.arch.cr4_guest_owned_bits |= X86_CR4_PGE;
        vmcs_writel(CR4_GUEST_HOST_MASK, ~vmx->vcpu.arch.cr4_guest_owned_bits);
-        tsc_base = vmx->vcpu.kvm->arch.vm_init_tsc;
+        kvm_write_tsc(&vmx->vcpu, 0);
-        rdtscll(tsc_this);
-        if (tsc_this < vmx->vcpu.kvm->arch.vm_init_tsc)
-                tsc_base = tsc_this;
-        guest_write_tsc(0, tsc_base);
        return 0;
 }
-static int init_rmode(struct kvm *kvm)
-{
-        int idx, ret = 0;
-        idx = srcu_read_lock(&kvm->srcu);
-        if (!init_rmode_tss(kvm))
-                goto exit;
-        if (!init_rmode_identity_map(kvm))
-                goto exit;
-        ret = 1;
-exit:
-        srcu_read_unlock(&kvm->srcu, idx);
-        return ret;
-}
 static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -2689,10 +2880,6 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        int ret;
        vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP));
-        if (!init_rmode(vmx->vcpu.kvm)) {
-                ret = -ENOMEM;
-                goto out;
-        }
        vmx->rmode.vm86_active = 0;
@@ -2709,6 +2896,8 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        if (ret != 0)
                goto out;
+        vmx_segment_cache_clear(vmx);
        seg_setup(VCPU_SREG_CS);
        /*
         * GUEST_CS_BASE should really be 0xffff0000, but VT vm86 mode
@@ -2757,7 +2946,7 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        vmcs_writel(GUEST_IDTR_BASE, 0);
        vmcs_write32(GUEST_IDTR_LIMIT, 0xffff);
-        vmcs_write32(GUEST_ACTIVITY_STATE, 0);
+        vmcs_write32(GUEST_ACTIVITY_STATE, GUEST_ACTIVITY_ACTIVE);
        vmcs_write32(GUEST_INTERRUPTIBILITY_INFO, 0);
        vmcs_write32(GUEST_PENDING_DBG_EXCEPTIONS, 0);
@@ -2772,7 +2961,7 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
                vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0);
                if (vm_need_tpr_shadow(vmx->vcpu.kvm))
                        vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
-                                page_to_phys(vmx->vcpu.arch.apic->regs_page));
+                                     __pa(vmx->vcpu.arch.apic->regs));
                vmcs_write32(TPR_THRESHOLD, 0);
        }
@@ -2819,6 +3008,10 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
                return;
        }
+        if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) {
+                enable_irq_window(vcpu);
+                return;
+        }
        cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
        cpu_based_vm_exec_control |= CPU_BASED_VIRTUAL_NMI_PENDING;
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
@@ -2834,16 +3027,11 @@ static void vmx_inject_irq(struct kvm_vcpu *vcpu)
        ++vcpu->stat.irq_injections;
        if (vmx->rmode.vm86_active) {
-                vmx->rmode.irq.pending = true;
+                int inc_eip = 0;
-                vmx->rmode.irq.vector = irq;
-                vmx->rmode.irq.rip = kvm_rip_read(vcpu);
                if (vcpu->arch.interrupt.soft)
-                        vmx->rmode.irq.rip +=
+                        inc_eip = vcpu->arch.event_exit_inst_len;
-                                vmx->vcpu.arch.event_exit_inst_len;
+                if (kvm_inject_realmode_interrupt(vcpu, irq, inc_eip) != EMULATE_DONE)
-                vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
+                        kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
-                             irq | INTR_TYPE_SOFT_INTR | INTR_INFO_VALID_MASK);
-                vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, 1);
-                kvm_rip_write(vcpu, vmx->rmode.irq.rip - 1);
                return;
        }
        intr = irq | INTR_INFO_VALID_MASK;
@@ -2854,6 +3042,7 @@ static void vmx_inject_irq(struct kvm_vcpu *vcpu)
        } else
                intr |= INTR_TYPE_EXT_INTR;
        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, intr);
+        vmx_clear_hlt(vcpu);
 }
 static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
@@ -2874,19 +3063,15 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
        }
        ++vcpu->stat.nmi_injections;
+        vmx->nmi_known_unmasked = false;
        if (vmx->rmode.vm86_active) {
-                vmx->rmode.irq.pending = true;
+                if (kvm_inject_realmode_interrupt(vcpu, NMI_VECTOR, 0) != EMULATE_DONE)
-                vmx->rmode.irq.vector = NMI_VECTOR;
+                        kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
-                vmx->rmode.irq.rip = kvm_rip_read(vcpu);
-                vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
-                             NMI_VECTOR | INTR_TYPE_SOFT_INTR |
-                             INTR_INFO_VALID_MASK);
-                vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, 1);
-                kvm_rip_write(vcpu, vmx->rmode.irq.rip - 1);
                return;
        }
        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
                        INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK | NMI_VECTOR);
+        vmx_clear_hlt(vcpu);
 }
 static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
@@ -2895,13 +3080,16 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
                return 0;
        return  !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
-                        (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_NMI));
+                  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
+                   | GUEST_INTR_STATE_NMI));
 }
 static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
 {
        if (!cpu_has_virtual_nmis())
                return to_vmx(vcpu)->soft_vnmi_blocked;
+        if (to_vmx(vcpu)->nmi_known_unmasked)
+                return false;
        return vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_NMI;
 }
@@ -2915,6 +3103,7 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
                        vmx->vnmi_blocked_time = 0;
                }
        } else {
+                vmx->nmi_known_unmasked = !masked;
                if (masked)
                        vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
                                      GUEST_INTR_STATE_NMI);
@@ -2945,6 +3134,9 @@ static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr)
        if (ret)
                return ret;
        kvm->arch.tss_addr = addr;
+        if (!init_rmode_tss(kvm))
+                return  -ENOMEM;
        return 0;
 }
@@ -2956,7 +3148,7 @@ static int handle_rmode_exception(struct kvm_vcpu *vcpu,
         * Cause the #SS fault with 0 error code in VM86 mode.
         */
        if (((vec == GP_VECTOR) || (vec == SS_VECTOR)) && err_code == 0)
-                if (emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DONE)
+                if (emulate_instruction(vcpu, 0) == EMULATE_DONE)
                        return 1;
        /*
         * Forward all other exceptions that are valid in real mode.
@@ -3029,7 +3221,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
        enum emulation_result er;
        vect_info = vmx->idt_vectoring_info;
-        intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+        intr_info = vmx->exit_intr_info;
        if (is_machine_check(intr_info))
                return handle_machine_check(vcpu);
@@ -3053,14 +3245,13 @@ static int handle_exception(struct kvm_vcpu *vcpu)
        }
        if (is_invalid_opcode(intr_info)) {
-                er = emulate_instruction(vcpu, 0, 0, EMULTYPE_TRAP_UD);
+                er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
                if (er != EMULATE_DONE)
                        kvm_queue_exception(vcpu, UD_VECTOR);
                return 1;
        }
        error_code = 0;
-        rip = kvm_rip_read(vcpu);
        if (intr_info & INTR_INFO_DELIVER_CODE_MASK)
                error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
        if (is_page_fault(intr_info)) {
@@ -3072,7 +3263,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
                if (kvm_event_needs_reinjection(vcpu))
                        kvm_mmu_unprotect_page_virt(vcpu, cr2);
-                return kvm_mmu_page_fault(vcpu, cr2, error_code);
+                return kvm_mmu_page_fault(vcpu, cr2, error_code, NULL, 0);
        }
        if (vmx->rmode.vm86_active &&
@@ -3107,6 +3298,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
                vmx->vcpu.arch.event_exit_inst_len =
                        vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
                kvm_run->exit_reason = KVM_EXIT_DEBUG;
+                rip = kvm_rip_read(vcpu);
                kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
                kvm_run->debug.arch.exception = ex_no;
                break;
@@ -3144,7 +3336,7 @@ static int handle_io(struct kvm_vcpu *vcpu)
        ++vcpu->stat.io_exits;
        if (string || in)
-                return emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DONE;
+                return emulate_instruction(vcpu, 0) == EMULATE_DONE;
        port = exit_qualification >> 16;
        size = (exit_qualification & 7) + 1;
@@ -3164,14 +3356,6 @@ vmx_patch_hypercall(struct kvm_vcpu *vcpu, unsigned char *hypercall)
        hypercall[2] = 0xc1;
 }
-static void complete_insn_gp(struct kvm_vcpu *vcpu, int err)
-{
-        if (err)
-                kvm_inject_gp(vcpu, 0);
-        else
-                skip_emulated_instruction(vcpu);
-}
 static int handle_cr(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification, val;
@@ -3189,21 +3373,21 @@ static int handle_cr(struct kvm_vcpu *vcpu)
                switch (cr) {
                case 0:
                        err = kvm_set_cr0(vcpu, val);
-                        complete_insn_gp(vcpu, err);
+                        kvm_complete_insn_gp(vcpu, err);
                        return 1;
                case 3:
                        err = kvm_set_cr3(vcpu, val);
-                        complete_insn_gp(vcpu, err);
+                        kvm_complete_insn_gp(vcpu, err);
                        return 1;
                case 4:
                        err = kvm_set_cr4(vcpu, val);
-                        complete_insn_gp(vcpu, err);
+                        kvm_complete_insn_gp(vcpu, err);
                        return 1;
                case 8: {
                                u8 cr8_prev = kvm_get_cr8(vcpu);
                                u8 cr8 = kvm_register_read(vcpu, reg);
-                                kvm_set_cr8(vcpu, cr8);
+                                err = kvm_set_cr8(vcpu, cr8);
-                                skip_emulated_instruction(vcpu);
+                                kvm_complete_insn_gp(vcpu, err);
                                if (irqchip_in_kernel(vcpu->kvm))
                                        return 1;
                                if (cr8_prev <= cr8)
@@ -3222,8 +3406,9 @@ static int handle_cr(struct kvm_vcpu *vcpu)
        case 1: /*mov from cr*/
                switch (cr) {
                case 3:
-                        kvm_register_write(vcpu, reg, vcpu->arch.cr3);
+                        val = kvm_read_cr3(vcpu);
-                        trace_kvm_cr_read(cr, vcpu->arch.cr3);
+                        kvm_register_write(vcpu, reg, val);
+                        trace_kvm_cr_read(cr, val);
                        skip_emulated_instruction(vcpu);
                        return 1;
                case 8:
@@ -3346,6 +3531,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu)
 static int handle_tpr_below_threshold(struct kvm_vcpu *vcpu)
 {
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 1;
 }
@@ -3358,6 +3544,8 @@ static int handle_interrupt_window(struct kvm_vcpu *vcpu)
        cpu_based_vm_exec_control &= ~CPU_BASED_VIRTUAL_INTR_PENDING;
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        ++vcpu->stat.irq_window_exits;
        /*
@@ -3392,6 +3580,11 @@ static int handle_vmx_insn(struct kvm_vcpu *vcpu)
        return 1;
 }
+static int handle_invd(struct kvm_vcpu *vcpu)
+{
+        return emulate_instruction(vcpu, 0) == EMULATE_DONE;
+}
 static int handle_invlpg(struct kvm_vcpu *vcpu)
 {
        unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
@@ -3420,7 +3613,7 @@ static int handle_xsetbv(struct kvm_vcpu *vcpu)
 static int handle_apic_access(struct kvm_vcpu *vcpu)
 {
-        return emulate_instruction(vcpu, 0, 0, 0) == EMULATE_DONE;
+        return emulate_instruction(vcpu, 0) == EMULATE_DONE;
 }
 static int handle_task_switch(struct kvm_vcpu *vcpu)
@@ -3442,9 +3635,7 @@ static int handle_task_switch(struct kvm_vcpu *vcpu)
                switch (type) {
                case INTR_TYPE_NMI_INTR:
                        vcpu->arch.nmi_injected = false;
-                        if (cpu_has_virtual_nmis())
+                        vmx_set_nmi_mask(vcpu, true);
-                                vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
-                                              GUEST_INTR_STATE_NMI);
                        break;
                case INTR_TYPE_EXT_INTR:
                case INTR_TYPE_SOFT_INTR:
@@ -3519,7 +3710,7 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
        gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
        trace_kvm_page_fault(gpa, exit_qualification);
-        return kvm_mmu_page_fault(vcpu, gpa & PAGE_MASK, 0);
+        return kvm_mmu_page_fault(vcpu, gpa, exit_qualification & 0x3, NULL, 0);
 }
 static u64 ept_rsvd_mask(u64 spte, int level)
@@ -3614,6 +3805,7 @@ static int handle_nmi_window(struct kvm_vcpu *vcpu)
        cpu_based_vm_exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
        ++vcpu->stat.nmi_window_exits;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 1;
 }
@@ -3623,9 +3815,18 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        enum emulation_result err = EMULATE_DONE;
        int ret = 1;
+        u32 cpu_exec_ctrl;
+        bool intr_window_requested;
+        cpu_exec_ctrl = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
+        intr_window_requested = cpu_exec_ctrl & CPU_BASED_VIRTUAL_INTR_PENDING;
        while (!guest_state_valid(vcpu)) {
-                err = emulate_instruction(vcpu, 0, 0, 0);
+                if (intr_window_requested
+                    && (kvm_get_rflags(&vmx->vcpu) & X86_EFLAGS_IF))
+                        return handle_interrupt_window(&vmx->vcpu);
+                err = emulate_instruction(vcpu, 0);
                if (err == EMULATE_DO_MMIO) {
                        ret = 0;
@@ -3682,6 +3883,7 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
        [EXIT_REASON_MSR_WRITE]               = handle_wrmsr,
        [EXIT_REASON_PENDING_INTERRUPT]       = handle_interrupt_window,
        [EXIT_REASON_HLT]                     = handle_halt,
+        [EXIT_REASON_INVD]                    = handle_invd,
        [EXIT_REASON_INVLPG]                  = handle_invlpg,
        [EXIT_REASON_VMCALL]                  = handle_vmcall,
        [EXIT_REASON_VMCLEAR]                 = handle_vmx_insn,
@@ -3709,6 +3911,12 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
 static const int kvm_vmx_max_exit_handlers =
        ARRAY_SIZE(kvm_vmx_exit_handlers);
+static void vmx_get_exit_info(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2)
+{
+        *info1 = vmcs_readl(EXIT_QUALIFICATION);
+        *info2 = vmcs_read32(VM_EXIT_INTR_INFO);
+}
 /*
 * The guest has exited.  See if we can fix it or if we need userspace
 * assistance.
@@ -3719,17 +3927,12 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
        u32 exit_reason = vmx->exit_reason;
        u32 vectoring_info = vmx->idt_vectoring_info;
-        trace_kvm_exit(exit_reason, vcpu);
+        trace_kvm_exit(exit_reason, vcpu, KVM_ISA_VMX);
        /* If guest state is invalid, start emulating */
        if (vmx->emulation_required && emulate_invalid_guest_state)
                return handle_invalid_guest_state(vcpu);
-        /* Access CR3 don't cause VMExit in paging mode, so we need
-         * to sync with guest real CR3. */
-        if (enable_ept && is_paging(vcpu))
-                vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
        if (exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY) {
                vcpu->run->exit_reason = KVM_EXIT_FAIL_ENTRY;
                vcpu->run->fail_entry.hardware_entry_failure_reason
@@ -3790,23 +3993,19 @@ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
        vmcs_write32(TPR_THRESHOLD, irr);
 }
-static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
+static void vmx_complete_atomic_exit(struct vcpu_vmx *vmx)
 {
        u32 exit_intr_info;
-        u32 idt_vectoring_info = vmx->idt_vectoring_info;
-        bool unblock_nmi;
-        u8 vector;
-        int type;
-        bool idtv_info_valid;
-        exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+        if (!(vmx->exit_reason == EXIT_REASON_MCE_DURING_VMENTRY
+              || vmx->exit_reason == EXIT_REASON_EXCEPTION_NMI))
+                return;
-        vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
+        vmx->exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+        exit_intr_info = vmx->exit_intr_info;
        /* Handle machine checks before interrupts are enabled */
-        if ((vmx->exit_reason == EXIT_REASON_MCE_DURING_VMENTRY)
+        if (is_machine_check(exit_intr_info))
-            || (vmx->exit_reason == EXIT_REASON_EXCEPTION_NMI
-                && is_machine_check(exit_intr_info)))
                kvm_machine_check();
        /* We need to handle NMIs before interrupts are enabled */
@@ -3816,10 +4015,25 @@ static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
                asm("int $2");
                kvm_after_handle_nmi(&vmx->vcpu);
        }
+}
-        idtv_info_valid = idt_vectoring_info & VECTORING_INFO_VALID_MASK;
+static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
+{
+        u32 exit_intr_info;
+        bool unblock_nmi;
+        u8 vector;
+        bool idtv_info_valid;
+        idtv_info_valid = vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK;
        if (cpu_has_virtual_nmis()) {
+                if (vmx->nmi_known_unmasked)
+                        return;
+                /*
+                 * Can't use vmx->exit_intr_info since we're not sure what
+                 * the exit reason is.
+                 */
+                exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
                unblock_nmi = (exit_intr_info & INTR_INFO_UNBLOCK_NMI) != 0;
                vector = exit_intr_info & INTR_INFO_VECTOR_MASK;
                /*
@@ -3836,9 +4050,25 @@ static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
                    vector != DF_VECTOR && !idtv_info_valid)
                        vmcs_set_bits(GUEST_INTERRUPTIBILITY_INFO,
                                      GUEST_INTR_STATE_NMI);
+                else
+                        vmx->nmi_known_unmasked =
+                                !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO)
+                                  & GUEST_INTR_STATE_NMI);
        } else if (unlikely(vmx->soft_vnmi_blocked))
                vmx->vnmi_blocked_time +=
                        ktime_to_ns(ktime_sub(ktime_get(), vmx->entry_time));
+}
+static void __vmx_complete_interrupts(struct vcpu_vmx *vmx,
+                                      u32 idt_vectoring_info,
+                                      int instr_len_field,
+                                      int error_code_field)
+{
+        u8 vector;
+        int type;
+        bool idtv_info_valid;
+        idtv_info_valid = idt_vectoring_info & VECTORING_INFO_VALID_MASK;
        vmx->vcpu.arch.nmi_injected = false;
        kvm_clear_exception_queue(&vmx->vcpu);
@@ -3847,6 +4077,8 @@ static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
        if (!idtv_info_valid)
                return;
+        kvm_make_request(KVM_REQ_EVENT, &vmx->vcpu);
        vector = idt_vectoring_info & VECTORING_INFO_VECTOR_MASK;
        type = idt_vectoring_info & VECTORING_INFO_TYPE_MASK;
@@ -3858,23 +4090,22 @@ static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
                 * Clear bit "block by NMI" before VM entry if a NMI
                 * delivery faulted.
                 */
-                vmcs_clear_bits(GUEST_INTERRUPTIBILITY_INFO,
+                vmx_set_nmi_mask(&vmx->vcpu, false);
-                                GUEST_INTR_STATE_NMI);
                break;
        case INTR_TYPE_SOFT_EXCEPTION:
                vmx->vcpu.arch.event_exit_inst_len =
-                        vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
+                        vmcs_read32(instr_len_field);
                /* fall through */
        case INTR_TYPE_HARD_EXCEPTION:
                if (idt_vectoring_info & VECTORING_INFO_DELIVER_CODE_MASK) {
-                        u32 err = vmcs_read32(IDT_VECTORING_ERROR_CODE);
+                        u32 err = vmcs_read32(error_code_field);
                        kvm_queue_exception_e(&vmx->vcpu, vector, err);
                } else
                        kvm_queue_exception(&vmx->vcpu, vector);
                break;
        case INTR_TYPE_SOFT_INTR:
                vmx->vcpu.arch.event_exit_inst_len =
-                        vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
+                        vmcs_read32(instr_len_field);
                /* fall through */
        case INTR_TYPE_EXT_INTR:
                kvm_queue_interrupt(&vmx->vcpu, vector,
@@ -3885,27 +4116,21 @@ static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
        }
 }
-/*
+static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
- * Failure to inject an interrupt should give us the information
- * in IDT_VECTORING_INFO_FIELD.  However, if the failure occurs
- * when fetching the interrupt redirection bitmap in the real-mode
- * tss, this doesn't happen.  So we do it ourselves.
- */
-static void fixup_rmode_irq(struct vcpu_vmx *vmx)
 {
-        vmx->rmode.irq.pending = 0;
+        __vmx_complete_interrupts(vmx, vmx->idt_vectoring_info,
-        if (kvm_rip_read(&vmx->vcpu) + 1 != vmx->rmode.irq.rip)
+                                  VM_EXIT_INSTRUCTION_LEN,
-                return;
+                                  IDT_VECTORING_ERROR_CODE);
-        kvm_rip_write(&vmx->vcpu, vmx->rmode.irq.rip);
+}
-        if (vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK) {
-                vmx->idt_vectoring_info &= ~VECTORING_INFO_TYPE_MASK;
+static void vmx_cancel_injection(struct kvm_vcpu *vcpu)
-                vmx->idt_vectoring_info |= INTR_TYPE_EXT_INTR;
+{
-                return;
+        __vmx_complete_interrupts(to_vmx(vcpu),
-        }
+                                  vmcs_read32(VM_ENTRY_INTR_INFO_FIELD),
-        vmx->idt_vectoring_info =
+                                  VM_ENTRY_INSTRUCTION_LEN,
-                VECTORING_INFO_VALID_MASK
+                                  VM_ENTRY_EXCEPTION_ERROR_CODE);
-                | INTR_TYPE_EXT_INTR
-                | vmx->rmode.irq.vector;
+        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD, 0);
 }
 #ifdef CONFIG_X86_64
@@ -3916,7 +4141,7 @@ static void fixup_rmode_irq(struct vcpu_vmx *vmx)
 #define Q "l"
 #endif
-static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
+static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
@@ -3945,6 +4170,7 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
        asm(
                /* Store host registers */
                "push %%"R"dx; push %%"R"bp;"
+                "push %%"R"cx \n\t" /* placeholder for guest rcx */
                "push %%"R"cx \n\t"
                "cmp %%"R"sp, %c[host_rsp](%0) \n\t"
                "je 1f \n\t"
@@ -3986,10 +4212,11 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
                ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
                ".Lkvm_vmx_return: "
                /* Save guest registers, load host registers, keep flags */
-                "xchg %0,     (%%"R"sp) \n\t"
+                "mov %0, %c[wordsize](%%"R"sp) \n\t"
+                "pop %0 \n\t"
                "mov %%"R"ax, %c[rax](%0) \n\t"
                "mov %%"R"bx, %c[rbx](%0) \n\t"
-                "push"Q" (%%"R"sp); pop"Q" %c[rcx](%0) \n\t"
+                "pop"Q" %c[rcx](%0) \n\t"
                "mov %%"R"dx, %c[rdx](%0) \n\t"
                "mov %%"R"si, %c[rsi](%0) \n\t"
                "mov %%"R"di, %c[rdi](%0) \n\t"
@@ -4007,7 +4234,7 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
                "mov %%cr2, %%"R"ax   \n\t"
                "mov %%"R"ax, %c[cr2](%0) \n\t"
-                "pop  %%"R"bp; pop  %%"R"bp; pop  %%"R"dx \n\t"
+                "pop  %%"R"bp; pop  %%"R"dx \n\t"
                "setbe %c[fail](%0) \n\t"
              : : "c"(vmx), "d"((unsigned long)HOST_RSP),
                [launched]"i"(offsetof(struct vcpu_vmx, launched)),
@@ -4030,25 +4257,32 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
                [r14]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R14])),
                [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
 #endif
-                [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
+                [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
+                [wordsize]"i"(sizeof(ulong))
              : "cc", "memory"
-                , R"bx", R"di", R"si"
+                , R"ax", R"bx", R"di", R"si"
 #ifdef CONFIG_X86_64
                , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
 #endif
              );
        vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
-                                  | (1 << VCPU_EXREG_PDPTR));
+                                  | (1 << VCPU_EXREG_RFLAGS)
+                                  | (1 << VCPU_EXREG_CPL)
+                                  | (1 << VCPU_EXREG_PDPTR)
+                                  | (1 << VCPU_EXREG_SEGMENTS)
+                                  | (1 << VCPU_EXREG_CR3));
        vcpu->arch.regs_dirty = 0;
        vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
-        if (vmx->rmode.irq.pending)
-                fixup_rmode_irq(vmx);
        asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
        vmx->launched = 1;
+        vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
+        vmx_complete_atomic_exit(vmx);
+        vmx_recover_nmi_blocking(vmx);
        vmx_complete_interrupts(vmx);
 }
@@ -4106,8 +4340,8 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
                goto free_vcpu;
        vmx->guest_msrs = kmalloc(PAGE_SIZE, GFP_KERNEL);
+        err = -ENOMEM;
        if (!vmx->guest_msrs) {
-                err = -ENOMEM;
                goto uninit_vcpu;
        }
@@ -4119,21 +4353,26 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
        cpu = get_cpu();
        vmx_vcpu_load(&vmx->vcpu, cpu);
+        vmx->vcpu.cpu = cpu;
        err = vmx_vcpu_setup(vmx);
        vmx_vcpu_put(&vmx->vcpu);
        put_cpu();
        if (err)
                goto free_vmcs;
        if (vm_need_virtualize_apic_accesses(kvm))
-                if (alloc_apic_access_page(kvm) != 0)
+                err = alloc_apic_access_page(kvm);
+                if (err)
                        goto free_vmcs;
        if (enable_ept) {
                if (!kvm->arch.ept_identity_map_addr)
                        kvm->arch.ept_identity_map_addr =
                                VMX_EPT_IDENTITY_PAGETABLE_ADDR;
+                err = -ENOMEM;
                if (alloc_identity_pagetable(kvm) != 0)
                        goto free_vmcs;
+                if (!init_rmode_identity_map(kvm))
+                        goto free_vmcs;
        }
        return &vmx->vcpu;
@@ -4249,11 +4488,6 @@ static int vmx_get_lpage_level(void)
                return PT_PDPE_LEVEL;
 }
-static inline u32 bit(int bitno)
-{
-        return 1 << (bitno & 31);
-}
 static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
 {
        struct kvm_cpuid_entry2 *best;
@@ -4280,6 +4514,13 @@ static void vmx_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
 {
 }
+static int vmx_check_intercept(struct kvm_vcpu *vcpu,
+                               struct x86_instruction_info *info,
+                               enum x86_intercept_stage stage)
+{
+        return X86EMUL_CONTINUE;
+}
 static struct kvm_x86_ops vmx_x86_ops = {
        .cpu_has_kvm_support = cpu_has_kvm_support,
        .disabled_by_bios = vmx_disabled_by_bios,
@@ -4307,6 +4548,7 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .get_cpl = vmx_get_cpl,
        .get_cs_db_l_bits = vmx_get_cs_db_l_bits,
        .decache_cr0_guest_bits = vmx_decache_cr0_guest_bits,
+        .decache_cr3 = vmx_decache_cr3,
        .decache_cr4_guest_bits = vmx_decache_cr4_guest_bits,
        .set_cr0 = vmx_set_cr0,
        .set_cr3 = vmx_set_cr3,
@@ -4334,6 +4576,7 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .set_irq = vmx_inject_irq,
        .set_nmi = vmx_inject_nmi,
        .queue_exception = vmx_queue_exception,
+        .cancel_injection = vmx_cancel_injection,
        .interrupt_allowed = vmx_interrupt_allowed,
        .nmi_allowed = vmx_nmi_allowed,
        .get_nmi_mask = vmx_get_nmi_mask,
@@ -4346,7 +4589,9 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .get_tdp_level = get_ept_level,
        .get_mt_mask = vmx_get_mt_mask,
+        .get_exit_info = vmx_get_exit_info,
        .exit_reasons_str = vmx_exit_reasons_str,
        .get_lpage_level = vmx_get_lpage_level,
        .cpuid_update = vmx_cpuid_update,
@@ -4356,6 +4601,15 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .set_supported_cpuid = vmx_set_supported_cpuid,
        .has_wbinvd_exit = cpu_has_vmx_wbinvd_exit,
+        .set_tsc_khz = vmx_set_tsc_khz,
+        .write_tsc_offset = vmx_write_tsc_offset,
+        .adjust_tsc_offset = vmx_adjust_tsc_offset,
+        .compute_tsc_offset = vmx_compute_tsc_offset,
+        .set_tdp_cr3 = vmx_set_cr3,
+        .check_intercept = vmx_check_intercept,
 };
 static int __init vmx_init(void)
@@ -4417,8 +4671,6 @@ static int __init vmx_init(void)
        if (enable_ept) {
                bypass_guest_pf = 0;
-                kvm_mmu_set_base_ptes(VMX_EPT_READABLE_MASK |
-                        VMX_EPT_WRITABLE_MASK);
                kvm_mmu_set_mask_ptes(0ull, 0ull, 0ull, 0ull,
                                VMX_EPT_EXECUTABLE_MASK);
                kvm_enable_tdp();
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3a09c625d526..77c9d8673dc4 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6,7 +6,7 @@
 * Copyright (C) 2006 Qumranet, Inc.
 * Copyright (C) 2008 Qumranet, Inc.
 * Copyright IBM Corporation, 2008
- * Copyright 2010 Red Hat, Inc. and/or its affilates.
+ * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Avi Kivity   <avi@qumranet.com>
@@ -43,6 +43,7 @@
 #include <linux/slab.h>
 #include <linux/perf_event.h>
 #include <linux/uaccess.h>
+#include <linux/hash.h>
 #include <trace/events/kvm.h>
 #define CREATE_TRACE_POINTS
@@ -55,32 +56,25 @@
 #include <asm/mce.h>
 #include <asm/i387.h>
 #include <asm/xcr.h>
+#include <asm/pvclock.h>
+#include <asm/div64.h>
 #define MAX_IO_MSRS 256
-#define CR0_RESERVED_BITS                                               \
-        (~(unsigned long)(X86_CR0_PE | X86_CR0_MP | X86_CR0_EM | X86_CR0_TS \
-                          | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM \
-                          | X86_CR0_NW | X86_CR0_CD | X86_CR0_PG))
-#define CR4_RESERVED_BITS                                               \
-        (~(unsigned long)(X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE\
-                          | X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE     \
-                          | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR  \
-                          | X86_CR4_OSXSAVE \
-                          | X86_CR4_OSXMMEXCPT | X86_CR4_VMXE))
-#define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR)
 #define KVM_MAX_MCE_BANKS 32
-#define KVM_MCE_CAP_SUPPORTED MCG_CTL_P
+#define KVM_MCE_CAP_SUPPORTED (MCG_CTL_P | MCG_SER_P)
+#define emul_to_vcpu(ctxt) \
+        container_of(ctxt, struct kvm_vcpu, arch.emulate_ctxt)
 /* EFER defaults:
 * - enable syscall per default because its emulated by KVM
 * - enable LME and LMA per default on 64 bit KVM
 */
 #ifdef CONFIG_X86_64
-static u64 __read_mostly efer_reserved_bits = 0xfffffffffffffafeULL;
+static
+u64 __read_mostly efer_reserved_bits = ~((u64)(EFER_SCE | EFER_LME | EFER_LMA));
 #else
-static u64 __read_mostly efer_reserved_bits = 0xfffffffffffffffeULL;
+static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
 #endif
 #define VM_STAT(x) offsetof(struct kvm, stat.x), KVM_STAT_VM
@@ -96,6 +90,11 @@ EXPORT_SYMBOL_GPL(kvm_x86_ops);
 int ignore_msrs = 0;
 module_param_named(ignore_msrs, ignore_msrs, bool, S_IRUGO | S_IWUSR);
+bool kvm_has_tsc_control;
+EXPORT_SYMBOL_GPL(kvm_has_tsc_control);
+u32  kvm_max_guest_tsc_khz;
+EXPORT_SYMBOL_GPL(kvm_max_guest_tsc_khz);
 #define KVM_NR_SHARED_MSRS 16
 struct kvm_shared_msrs_global {
@@ -153,9 +152,13 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
 u64 __read_mostly host_xcr0;
-static inline u32 bit(int bitno)
+int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
+static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
 {
-        return 1 << (bitno & 31);
+        int i;
+        for (i = 0; i < roundup_pow_of_two(ASYNC_PF_PER_VCPU); i++)
+                vcpu->arch.apf.gfns[i] = ~0;
 }
 static void kvm_on_user_return(struct user_return_notifier *urn)
@@ -282,6 +285,8 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu,
        u32 prev_nr;
        int class1, class2;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        if (!vcpu->arch.exception.pending) {
        queue:
                vcpu->arch.exception.pending = true;
@@ -327,16 +332,33 @@ void kvm_requeue_exception(struct kvm_vcpu *vcpu, unsigned nr)
 }
 EXPORT_SYMBOL_GPL(kvm_requeue_exception);
-void kvm_inject_page_fault(struct kvm_vcpu *vcpu, unsigned long addr,
+void kvm_complete_insn_gp(struct kvm_vcpu *vcpu, int err)
-                           u32 error_code)
+{
+        if (err)
+                kvm_inject_gp(vcpu, 0);
+        else
+                kvm_x86_ops->skip_emulated_instruction(vcpu);
+}
+EXPORT_SYMBOL_GPL(kvm_complete_insn_gp);
+void kvm_inject_page_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault)
 {
        ++vcpu->stat.pf_guest;
-        vcpu->arch.cr2 = addr;
+        vcpu->arch.cr2 = fault->address;
-        kvm_queue_exception_e(vcpu, PF_VECTOR, error_code);
+        kvm_queue_exception_e(vcpu, PF_VECTOR, fault->error_code);
+}
+void kvm_propagate_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault)
+{
+        if (mmu_is_nested(vcpu) && !fault->nested_page_fault)
+                vcpu->arch.nested_mmu.inject_page_fault(vcpu, fault);
+        else
+                vcpu->arch.mmu.inject_page_fault(vcpu, fault);
 }
 void kvm_inject_nmi(struct kvm_vcpu *vcpu)
 {
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        vcpu->arch.nmi_pending = 1;
 }
 EXPORT_SYMBOL_GPL(kvm_inject_nmi);
@@ -367,18 +389,49 @@ bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl)
 EXPORT_SYMBOL_GPL(kvm_require_cpl);
 /*
+ * This function will be used to read from the physical memory of the currently
+ * running guest. The difference to kvm_read_guest_page is that this function
+ * can read from guest physical or from the guest's guest physical memory.
+ */
+int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
+                            gfn_t ngfn, void *data, int offset, int len,
+                            u32 access)
+{
+        gfn_t real_gfn;
+        gpa_t ngpa;
+        ngpa     = gfn_to_gpa(ngfn);
+        real_gfn = mmu->translate_gpa(vcpu, ngpa, access);
+        if (real_gfn == UNMAPPED_GVA)
+                return -EFAULT;
+        real_gfn = gpa_to_gfn(real_gfn);
+        return kvm_read_guest_page(vcpu->kvm, real_gfn, data, offset, len);
+}
+EXPORT_SYMBOL_GPL(kvm_read_guest_page_mmu);
+int kvm_read_nested_guest_page(struct kvm_vcpu *vcpu, gfn_t gfn,
+                               void *data, int offset, int len, u32 access)
+{
+        return kvm_read_guest_page_mmu(vcpu, vcpu->arch.walk_mmu, gfn,
+                                       data, offset, len, access);
+}
+/*
 * Load the pae pdptrs.  Return true is they are all valid.
 */
-int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3)
+int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3)
 {
        gfn_t pdpt_gfn = cr3 >> PAGE_SHIFT;
        unsigned offset = ((cr3 & (PAGE_SIZE-1)) >> 5) << 2;
        int i;
        int ret;
-        u64 pdpte[ARRAY_SIZE(vcpu->arch.pdptrs)];
+        u64 pdpte[ARRAY_SIZE(mmu->pdptrs)];
-        ret = kvm_read_guest_page(vcpu->kvm, pdpt_gfn, pdpte,
+        ret = kvm_read_guest_page_mmu(vcpu, mmu, pdpt_gfn, pdpte,
-                                  offset * sizeof(u64), sizeof(pdpte));
+                                      offset * sizeof(u64), sizeof(pdpte),
+                                      PFERR_USER_MASK|PFERR_WRITE_MASK);
        if (ret < 0) {
                ret = 0;
                goto out;
@@ -392,7 +445,7 @@ int load_pdptrs(struct kvm_vcpu *vcpu, unsigned long cr3)
        }
        ret = 1;
-        memcpy(vcpu->arch.pdptrs, pdpte, sizeof(vcpu->arch.pdptrs));
+        memcpy(mmu->pdptrs, pdpte, sizeof(mmu->pdptrs));
        __set_bit(VCPU_EXREG_PDPTR,
                  (unsigned long *)&vcpu->arch.regs_avail);
        __set_bit(VCPU_EXREG_PDPTR,
@@ -405,8 +458,10 @@ EXPORT_SYMBOL_GPL(load_pdptrs);
 static bool pdptrs_changed(struct kvm_vcpu *vcpu)
 {
-        u64 pdpte[ARRAY_SIZE(vcpu->arch.pdptrs)];
+        u64 pdpte[ARRAY_SIZE(vcpu->arch.walk_mmu->pdptrs)];
        bool changed = true;
+        int offset;
+        gfn_t gfn;
        int r;
        if (is_long_mode(vcpu) || !is_pae(vcpu))
@@ -416,10 +471,13 @@ static bool pdptrs_changed(struct kvm_vcpu *vcpu)
                      (unsigned long *)&vcpu->arch.regs_avail))
                return true;
-        r = kvm_read_guest(vcpu->kvm, vcpu->arch.cr3 & ~31u, pdpte, sizeof(pdpte));
+        gfn = (kvm_read_cr3(vcpu) & ~31u) >> PAGE_SHIFT;
+        offset = (kvm_read_cr3(vcpu) & ~31u) & (PAGE_SIZE - 1);
+        r = kvm_read_nested_guest_page(vcpu, gfn, pdpte, offset, sizeof(pdpte),
+                                       PFERR_USER_MASK | PFERR_WRITE_MASK);
        if (r < 0)
                goto out;
-        changed = memcmp(pdpte, vcpu->arch.pdptrs, sizeof(pdpte)) != 0;
+        changed = memcmp(pdpte, vcpu->arch.walk_mmu->pdptrs, sizeof(pdpte)) != 0;
 out:
        return changed;
@@ -458,12 +516,18 @@ int kvm_set_cr0(struct kvm_vcpu *vcpu, unsigned long cr0)
                                return 1;
                } else
 #endif
-                if (is_pae(vcpu) && !load_pdptrs(vcpu, vcpu->arch.cr3))
+                if (is_pae(vcpu) && !load_pdptrs(vcpu, vcpu->arch.walk_mmu,
+                                                 kvm_read_cr3(vcpu)))
                        return 1;
        }
        kvm_x86_ops->set_cr0(vcpu, cr0);
+        if ((cr0 ^ old_cr0) & X86_CR0_PG) {
+                kvm_clear_async_pf_completion_queue(vcpu);
+                kvm_async_pf_hash_reset(vcpu);
+        }
        if ((cr0 ^ old_cr0) & update_bits)
                kvm_mmu_reset_context(vcpu);
        return 0;
@@ -547,7 +611,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
                        return 1;
        } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE)
                   && ((cr4 ^ old_cr4) & pdptr_bits)
-                   && !load_pdptrs(vcpu, vcpu->arch.cr3))
+                   && !load_pdptrs(vcpu, vcpu->arch.walk_mmu,
+                                   kvm_read_cr3(vcpu)))
                return 1;
        if (cr4 & X86_CR4_VMXE)
@@ -567,7 +632,7 @@ EXPORT_SYMBOL_GPL(kvm_set_cr4);
 int kvm_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
 {
-        if (cr3 == vcpu->arch.cr3 && !pdptrs_changed(vcpu)) {
+        if (cr3 == kvm_read_cr3(vcpu) && !pdptrs_changed(vcpu)) {
                kvm_mmu_sync_roots(vcpu);
                kvm_mmu_flush_tlb(vcpu);
                return 0;
@@ -580,7 +645,8 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
                if (is_pae(vcpu)) {
                        if (cr3 & CR3_PAE_RESERVED_BITS)
                                return 1;
-                        if (is_paging(vcpu) && !load_pdptrs(vcpu, cr3))
+                        if (is_paging(vcpu) &&
+                            !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
                                return 1;
                }
                /*
@@ -601,12 +667,13 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
        if (unlikely(!gfn_to_memslot(vcpu->kvm, cr3 >> PAGE_SHIFT)))
                return 1;
        vcpu->arch.cr3 = cr3;
+        __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
        vcpu->arch.mmu.new_cr3(vcpu);
        return 0;
 }
 EXPORT_SYMBOL_GPL(kvm_set_cr3);
-int __kvm_set_cr8(struct kvm_vcpu *vcpu, unsigned long cr8)
+int kvm_set_cr8(struct kvm_vcpu *vcpu, unsigned long cr8)
 {
        if (cr8 & CR8_RESERVED_BITS)
                return 1;
@@ -616,12 +683,6 @@ int __kvm_set_cr8(struct kvm_vcpu *vcpu, unsigned long cr8)
                vcpu->arch.cr8 = cr8;
        return 0;
 }
-void kvm_set_cr8(struct kvm_vcpu *vcpu, unsigned long cr8)
-{
-        if (__kvm_set_cr8(vcpu, cr8))
-                kvm_inject_gp(vcpu, 0);
-}
 EXPORT_SYMBOL_GPL(kvm_set_cr8);
 unsigned long kvm_get_cr8(struct kvm_vcpu *vcpu)
@@ -726,18 +787,18 @@ EXPORT_SYMBOL_GPL(kvm_get_dr);
 * kvm-specific. Those are put in the beginning of the list.
 */
-#define KVM_SAVE_MSRS_BEGIN     7
+#define KVM_SAVE_MSRS_BEGIN     8
 static u32 msrs_to_save[] = {
        MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
        MSR_KVM_SYSTEM_TIME_NEW, MSR_KVM_WALL_CLOCK_NEW,
        HV_X64_MSR_GUEST_OS_ID, HV_X64_MSR_HYPERCALL,
-        HV_X64_MSR_APIC_ASSIST_PAGE,
+        HV_X64_MSR_APIC_ASSIST_PAGE, MSR_KVM_ASYNC_PF_EN,
        MSR_IA32_SYSENTER_CS, MSR_IA32_SYSENTER_ESP, MSR_IA32_SYSENTER_EIP,
        MSR_STAR,
 #ifdef CONFIG_X86_64
        MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
 #endif
-        MSR_IA32_TSC, MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
+        MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
 };
 static unsigned num_msrs_to_save;
@@ -781,7 +842,6 @@ static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
        kvm_x86_ops->set_efer(vcpu, efer);
        vcpu->arch.mmu.base_role.nxe = (efer & EFER_NX) && !tdp_enabled;
-        kvm_mmu_reset_context(vcpu);
        /* Update reserved bits */
        if ((efer ^ old_efer) & EFER_NX)
@@ -838,7 +898,7 @@ static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock)
        /*
         * The guest calculates current wall clock time by adding
-         * system time (updated by kvm_write_guest_time below) to the
+         * system time (updated by kvm_guest_time_update below) to the
         * wall clock specified here.  guest system time equals host
         * system time for us, thus we must fill in host boot time here.
         */
@@ -866,65 +926,235 @@ static uint32_t div_frac(uint32_t dividend, uint32_t divisor)
        return quotient;
 }
-static void kvm_set_time_scale(uint32_t tsc_khz, struct pvclock_vcpu_time_info *hv_clock)
+static void kvm_get_time_scale(uint32_t scaled_khz, uint32_t base_khz,
+                               s8 *pshift, u32 *pmultiplier)
 {
-        uint64_t nsecs = 1000000000LL;
+        uint64_t scaled64;
        int32_t  shift = 0;
        uint64_t tps64;
        uint32_t tps32;
-        tps64 = tsc_khz * 1000LL;
+        tps64 = base_khz * 1000LL;
-        while (tps64 > nsecs*2) {
+        scaled64 = scaled_khz * 1000LL;
+        while (tps64 > scaled64*2 || tps64 & 0xffffffff00000000ULL) {
                tps64 >>= 1;
                shift--;
        }
        tps32 = (uint32_t)tps64;
-        while (tps32 <= (uint32_t)nsecs) {
+        while (tps32 <= scaled64 || scaled64 & 0xffffffff00000000ULL) {
-                tps32 <<= 1;
+                if (scaled64 & 0xffffffff00000000ULL || tps32 & 0x80000000)
+                        scaled64 >>= 1;
+                else
+                        tps32 <<= 1;
                shift++;
        }
-        hv_clock->tsc_shift = shift;
+        *pshift = shift;
-        hv_clock->tsc_to_system_mul = div_frac(nsecs, tps32);
+        *pmultiplier = div_frac(scaled64, tps32);
-        pr_debug("%s: tsc_khz %u, tsc_shift %d, tsc_mul %u\n",
+        pr_debug("%s: base_khz %u => %u, shift %d, mul %u\n",
-                 __func__, tsc_khz, hv_clock->tsc_shift,
+                 __func__, base_khz, scaled_khz, shift, *pmultiplier);
-                 hv_clock->tsc_to_system_mul);
+}
+static inline u64 get_kernel_ns(void)
+{
+        struct timespec ts;
+        WARN_ON(preemptible());
+        ktime_get_ts(&ts);
+        monotonic_to_bootbased(&ts);
+        return timespec_to_ns(&ts);
 }
 static DEFINE_PER_CPU(unsigned long, cpu_tsc_khz);
+unsigned long max_tsc_khz;
-static void kvm_write_guest_time(struct kvm_vcpu *v)
+static inline int kvm_tsc_changes_freq(void)
+{
+        int cpu = get_cpu();
+        int ret = !boot_cpu_has(X86_FEATURE_CONSTANT_TSC) &&
+                  cpufreq_quick_get(cpu) != 0;
+        put_cpu();
+        return ret;
+}
+static u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu)
+{
+        if (vcpu->arch.virtual_tsc_khz)
+                return vcpu->arch.virtual_tsc_khz;
+        else
+                return __this_cpu_read(cpu_tsc_khz);
+}
+static inline u64 nsec_to_cycles(struct kvm_vcpu *vcpu, u64 nsec)
+{
+        u64 ret;
+        WARN_ON(preemptible());
+        if (kvm_tsc_changes_freq())
+                printk_once(KERN_WARNING
+                 "kvm: unreliable cycle conversion on adjustable rate TSC\n");
+        ret = nsec * vcpu_tsc_khz(vcpu);
+        do_div(ret, USEC_PER_SEC);
+        return ret;
+}
+static void kvm_init_tsc_catchup(struct kvm_vcpu *vcpu, u32 this_tsc_khz)
+{
+        /* Compute a scale to convert nanoseconds in TSC cycles */
+        kvm_get_time_scale(this_tsc_khz, NSEC_PER_SEC / 1000,
+                           &vcpu->arch.tsc_catchup_shift,
+                           &vcpu->arch.tsc_catchup_mult);
+}
+static u64 compute_guest_tsc(struct kvm_vcpu *vcpu, s64 kernel_ns)
+{
+        u64 tsc = pvclock_scale_delta(kernel_ns-vcpu->arch.last_tsc_nsec,
+                                      vcpu->arch.tsc_catchup_mult,
+                                      vcpu->arch.tsc_catchup_shift);
+        tsc += vcpu->arch.last_tsc_write;
+        return tsc;
+}
+void kvm_write_tsc(struct kvm_vcpu *vcpu, u64 data)
+{
+        struct kvm *kvm = vcpu->kvm;
+        u64 offset, ns, elapsed;
+        unsigned long flags;
+        s64 sdiff;
+        raw_spin_lock_irqsave(&kvm->arch.tsc_write_lock, flags);
+        offset = kvm_x86_ops->compute_tsc_offset(vcpu, data);
+        ns = get_kernel_ns();
+        elapsed = ns - kvm->arch.last_tsc_nsec;
+        sdiff = data - kvm->arch.last_tsc_write;
+        if (sdiff < 0)
+                sdiff = -sdiff;
+        /*
+         * Special case: close write to TSC within 5 seconds of
+         * another CPU is interpreted as an attempt to synchronize
+         * The 5 seconds is to accommodate host load / swapping as
+         * well as any reset of TSC during the boot process.
+         *
+         * In that case, for a reliable TSC, we can match TSC offsets,
+         * or make a best guest using elapsed value.
+         */
+        if (sdiff < nsec_to_cycles(vcpu, 5ULL * NSEC_PER_SEC) &&
+            elapsed < 5ULL * NSEC_PER_SEC) {
+                if (!check_tsc_unstable()) {
+                        offset = kvm->arch.last_tsc_offset;
+                        pr_debug("kvm: matched tsc offset for %llu\n", data);
+                } else {
+                        u64 delta = nsec_to_cycles(vcpu, elapsed);
+                        offset += delta;
+                        pr_debug("kvm: adjusted tsc offset by %llu\n", delta);
+                }
+                ns = kvm->arch.last_tsc_nsec;
+        }
+        kvm->arch.last_tsc_nsec = ns;
+        kvm->arch.last_tsc_write = data;
+        kvm->arch.last_tsc_offset = offset;
+        kvm_x86_ops->write_tsc_offset(vcpu, offset);
+        raw_spin_unlock_irqrestore(&kvm->arch.tsc_write_lock, flags);
+        /* Reset of TSC must disable overshoot protection below */
+        vcpu->arch.hv_clock.tsc_timestamp = 0;
+        vcpu->arch.last_tsc_write = data;
+        vcpu->arch.last_tsc_nsec = ns;
+}
+EXPORT_SYMBOL_GPL(kvm_write_tsc);
+static int kvm_guest_time_update(struct kvm_vcpu *v)
 {
-        struct timespec ts;
        unsigned long flags;
        struct kvm_vcpu_arch *vcpu = &v->arch;
        void *shared_kaddr;
        unsigned long this_tsc_khz;
+        s64 kernel_ns, max_kernel_ns;
+        u64 tsc_timestamp;
-        if ((!vcpu->time_page))
+        /* Keep irq disabled to prevent changes to the clock */
-                return;
+        local_irq_save(flags);
+        kvm_get_msr(v, MSR_IA32_TSC, &tsc_timestamp);
+        kernel_ns = get_kernel_ns();
+        this_tsc_khz = vcpu_tsc_khz(v);
+        if (unlikely(this_tsc_khz == 0)) {
+                local_irq_restore(flags);
+                kvm_make_request(KVM_REQ_CLOCK_UPDATE, v);
+                return 1;
+        }
-        this_tsc_khz = get_cpu_var(cpu_tsc_khz);
+        /*
-        if (unlikely(vcpu->hv_clock_tsc_khz != this_tsc_khz)) {
+         * We may have to catch up the TSC to match elapsed wall clock
-                kvm_set_time_scale(this_tsc_khz, &vcpu->hv_clock);
+         * time for two reasons, even if kvmclock is used.
-                vcpu->hv_clock_tsc_khz = this_tsc_khz;
+         *   1) CPU could have been running below the maximum TSC rate
+         *   2) Broken TSC compensation resets the base at each VCPU
+         *      entry to avoid unknown leaps of TSC even when running
+         *      again on the same CPU.  This may cause apparent elapsed
+         *      time to disappear, and the guest to stand still or run
+         *      very slowly.
+         */
+        if (vcpu->tsc_catchup) {
+                u64 tsc = compute_guest_tsc(v, kernel_ns);
+                if (tsc > tsc_timestamp) {
+                        kvm_x86_ops->adjust_tsc_offset(v, tsc - tsc_timestamp);
+                        tsc_timestamp = tsc;
+                }
        }
-        put_cpu_var(cpu_tsc_khz);
-        /* Keep irq disabled to prevent changes to the clock */
-        local_irq_save(flags);
-        kvm_get_msr(v, MSR_IA32_TSC, &vcpu->hv_clock.tsc_timestamp);
-        ktime_get_ts(&ts);
-        monotonic_to_bootbased(&ts);
        local_irq_restore(flags);
-        /* With all the info we got, fill in the values */
+        if (!vcpu->time_page)
+                return 0;
-        vcpu->hv_clock.system_time = ts.tv_nsec +
+        /*
-                                     (NSEC_PER_SEC * (u64)ts.tv_sec) + v->kvm->arch.kvmclock_offset;
+         * Time as measured by the TSC may go backwards when resetting the base
+         * tsc_timestamp.  The reason for this is that the TSC resolution is
+         * higher than the resolution of the other clock scales.  Thus, many
+         * possible measurments of the TSC correspond to one measurement of any
+         * other clock, and so a spread of values is possible.  This is not a
+         * problem for the computation of the nanosecond clock; with TSC rates
+         * around 1GHZ, there can only be a few cycles which correspond to one
+         * nanosecond value, and any path through this code will inevitably
+         * take longer than that.  However, with the kernel_ns value itself,
+         * the precision may be much lower, down to HZ granularity.  If the
+         * first sampling of TSC against kernel_ns ends in the low part of the
+         * range, and the second in the high end of the range, we can get:
+         *
+         * (TSC - offset_low) * S + kns_old > (TSC - offset_high) * S + kns_new
+         *
+         * As the sampling errors potentially range in the thousands of cycles,
+         * it is possible such a time value has already been observed by the
+         * guest.  To protect against this, we must compute the system time as
+         * observed by the guest and ensure the new system time is greater.
+         */
+        max_kernel_ns = 0;
+        if (vcpu->hv_clock.tsc_timestamp && vcpu->last_guest_tsc) {
+                max_kernel_ns = vcpu->last_guest_tsc -
+                                vcpu->hv_clock.tsc_timestamp;
+                max_kernel_ns = pvclock_scale_delta(max_kernel_ns,
+                                    vcpu->hv_clock.tsc_to_system_mul,
+                                    vcpu->hv_clock.tsc_shift);
+                max_kernel_ns += vcpu->last_kernel_ns;
+        }
+        if (unlikely(vcpu->hw_tsc_khz != this_tsc_khz)) {
+                kvm_get_time_scale(NSEC_PER_SEC / 1000, this_tsc_khz,
+                                   &vcpu->hv_clock.tsc_shift,
+                                   &vcpu->hv_clock.tsc_to_system_mul);
+                vcpu->hw_tsc_khz = this_tsc_khz;
+        }
+        if (max_kernel_ns > kernel_ns)
+                kernel_ns = max_kernel_ns;
+        /* With all the info we got, fill in the values */
+        vcpu->hv_clock.tsc_timestamp = tsc_timestamp;
+        vcpu->hv_clock.system_time = kernel_ns + v->kvm->arch.kvmclock_offset;
+        vcpu->last_kernel_ns = kernel_ns;
+        vcpu->last_guest_tsc = tsc_timestamp;
        vcpu->hv_clock.flags = 0;
        /*
@@ -942,16 +1172,7 @@ static void kvm_write_guest_time(struct kvm_vcpu *v)
        kunmap_atomic(shared_kaddr, KM_USER0);
        mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
-}
+        return 0;
-static int kvm_request_guest_time_update(struct kvm_vcpu *v)
-{
-        struct kvm_vcpu_arch *vcpu = &v->arch;
-        if (!vcpu->time_page)
-                return 0;
-        kvm_make_request(KVM_REQ_KVMCLOCK_UPDATE, v);
-        return 1;
 }
 static bool msr_mtrr_valid(unsigned msr)
@@ -1214,6 +1435,38 @@ static int set_msr_hyperv(struct kvm_vcpu *vcpu, u32 msr, u64 data)
        return 0;
 }
+static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
+{
+        gpa_t gpa = data & ~0x3f;
+        /* Bits 2:5 are resrved, Should be zero */
+        if (data & 0x3c)
+                return 1;
+        vcpu->arch.apf.msr_val = data;
+        if (!(data & KVM_ASYNC_PF_ENABLED)) {
+                kvm_clear_async_pf_completion_queue(vcpu);
+                kvm_async_pf_hash_reset(vcpu);
+                return 0;
+        }
+        if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa))
+                return 1;
+        vcpu->arch.apf.send_user_only = !(data & KVM_ASYNC_PF_SEND_ALWAYS);
+        kvm_async_pf_wakeup_all(vcpu);
+        return 0;
+}
+static void kvmclock_reset(struct kvm_vcpu *vcpu)
+{
+        if (vcpu->arch.time_page) {
+                kvm_release_page_dirty(vcpu->arch.time_page);
+                vcpu->arch.time_page = NULL;
+        }
+}
 int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
        switch (msr) {
@@ -1271,12 +1524,10 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                break;
        case MSR_KVM_SYSTEM_TIME_NEW:
        case MSR_KVM_SYSTEM_TIME: {
-                if (vcpu->arch.time_page) {
+                kvmclock_reset(vcpu);
-                        kvm_release_page_dirty(vcpu->arch.time_page);
-                        vcpu->arch.time_page = NULL;
-                }
                vcpu->arch.time = data;
+                kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
                /* we verify if the enable bit is set... */
                if (!(data & 1))
@@ -1292,10 +1543,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                        kvm_release_page_clean(vcpu->arch.time_page);
                        vcpu->arch.time_page = NULL;
                }
-                kvm_request_guest_time_update(vcpu);
                break;
        }
+        case MSR_KVM_ASYNC_PF_EN:
+                if (kvm_pv_enable_async_pf(vcpu, data))
+                        return 1;
+                break;
        case MSR_IA32_MCG_CTL:
        case MSR_IA32_MCG_STATUS:
        case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
@@ -1330,6 +1583,16 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                pr_unimpl(vcpu, "unimplemented perfctr wrmsr: "
                        "0x%x data 0x%llx\n", msr, data);
                break;
+        case MSR_K7_CLK_CTL:
+                /*
+                 * Ignore all writes to this no longer documented MSR.
+                 * Writes are only relevant for old K7 processors,
+                 * all pre-dating SVM, but a recommended workaround from
+                 * AMD for these chips. It is possible to speicify the
+                 * affected processor models on the command line, hence
+                 * the need to ignore the workaround.
+                 */
+                break;
        case HV_X64_MSR_GUEST_OS_ID ... HV_X64_MSR_SINT15:
                if (kvm_hv_msr_partition_wide(msr)) {
                        int r;
@@ -1340,6 +1603,12 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                } else
                        return set_msr_hyperv(vcpu, msr, data);
                break;
+        case MSR_IA32_BBL_CR_CTL3:
+                /* Drop writes to this legacy MSR -- see rdmsr
+                 * counterpart for further detail.
+                 */
+                pr_unimpl(vcpu, "ignored wrmsr: 0x%x data %llx\n", msr, data);
+                break;
        default:
                if (msr && (msr == vcpu->kvm->arch.xen_hvm_config.msr))
                        return xen_hvm_config(vcpu, data);
@@ -1522,6 +1791,20 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
        case 0xcd: /* fsb frequency */
                data = 3;
                break;
+                /*
+                 * MSR_EBC_FREQUENCY_ID
+                 * Conservative value valid for even the basic CPU models.
+                 * Models 0,1: 000 in bits 23:21 indicating a bus speed of
+                 * 100MHz, model 2 000 in bits 18:16 indicating 100MHz,
+                 * and 266MHz for model 3, or 4. Set Core Clock
+                 * Frequency to System Bus Frequency Ratio to 1 (bits
+                 * 31:24) even though these are only valid for CPU
+                 * models > 2, however guests may end up dividing or
+                 * multiplying by zero otherwise.
+                 */
+        case MSR_EBC_FREQUENCY_ID:
+                data = 1 << 24;
+                break;
        case MSR_IA32_APICBASE:
                data = kvm_get_apic_base(vcpu);
                break;
@@ -1548,6 +1831,9 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
        case MSR_KVM_SYSTEM_TIME_NEW:
                data = vcpu->arch.time;
                break;
+        case MSR_KVM_ASYNC_PF_EN:
+                data = vcpu->arch.apf.msr_val;
+                break;
        case MSR_IA32_P5_MC_ADDR:
        case MSR_IA32_P5_MC_TYPE:
        case MSR_IA32_MCG_CAP:
@@ -1555,6 +1841,18 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
        case MSR_IA32_MCG_STATUS:
        case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
                return get_msr_mce(vcpu, msr, pdata);
+        case MSR_K7_CLK_CTL:
+                /*
+                 * Provide expected ramp-up count for K7. All other
+                 * are set to zero, indicating minimum divisors for
+                 * every field.
+                 *
+                 * This prevents guest kernels on AMD host with CPU
+                 * type 6, model 8 and higher from exploding due to
+                 * the rdmsr failing.
+                 */
+                data = 0x20000000;
+                break;
        case HV_X64_MSR_GUEST_OS_ID ... HV_X64_MSR_SINT15:
                if (kvm_hv_msr_partition_wide(msr)) {
                        int r;
@@ -1565,6 +1863,19 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
                } else
                        return get_msr_hyperv(vcpu, msr, pdata);
                break;
+        case MSR_IA32_BBL_CR_CTL3:
+                /* This legacy MSR exists but isn't fully documented in current
+                 * silicon.  It is however accessed by winxp in very narrow
+                 * scenarios where it sets bit #19, itself documented as
+                 * a "reserved" bit.  Best effort attempt to source coherent
+                 * read data here should the balance of the register be
+                 * interpreted by the guest:
+                 *
+                 * L2 cache control register 3: 64GB range, 256KB size,
+                 * enabled, latency 0x1, configured
+                 */
+                data = 0xbe702111;
+                break;
        default:
                if (!ignore_msrs) {
                        pr_unimpl(vcpu, "unhandled rdmsr: 0x%x\n", msr);
@@ -1665,6 +1976,7 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_NOP_IO_DELAY:
        case KVM_CAP_MP_STATE:
        case KVM_CAP_SYNC_MMU:
+        case KVM_CAP_USER_NMI:
        case KVM_CAP_REINJECT_CONTROL:
        case KVM_CAP_IRQ_INJECT_STATUS:
        case KVM_CAP_ASSIGN_DEV_IRQ:
@@ -1683,6 +1995,8 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_DEBUGREGS:
        case KVM_CAP_X86_ROBUST_SINGLESTEP:
        case KVM_CAP_XSAVE:
+        case KVM_CAP_ASYNC_PF:
+        case KVM_CAP_GET_TSC_KHZ:
                r = 1;
                break;
        case KVM_CAP_COALESCED_MMIO:
@@ -1709,6 +2023,9 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_XCRS:
                r = cpu_has_xsave;
                break;
+        case KVM_CAP_TSC_CONTROL:
+                r = kvm_has_tsc_control;
+                break;
        default:
                r = 0;
                break;
@@ -1808,19 +2125,33 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
        }
        kvm_x86_ops->vcpu_load(vcpu, cpu);
-        if (unlikely(per_cpu(cpu_tsc_khz, cpu) == 0)) {
+        if (unlikely(vcpu->cpu != cpu) || check_tsc_unstable()) {
-                unsigned long khz = cpufreq_quick_get(cpu);
+                /* Make sure TSC doesn't go backwards */
-                if (!khz)
+                s64 tsc_delta;
-                        khz = tsc_khz;
+                u64 tsc;
-                per_cpu(cpu_tsc_khz, cpu) = khz;
+                kvm_get_msr(vcpu, MSR_IA32_TSC, &tsc);
+                tsc_delta = !vcpu->arch.last_guest_tsc ? 0 :
+                             tsc - vcpu->arch.last_guest_tsc;
+                if (tsc_delta < 0)
+                        mark_tsc_unstable("KVM discovered backwards TSC");
+                if (check_tsc_unstable()) {
+                        kvm_x86_ops->adjust_tsc_offset(vcpu, -tsc_delta);
+                        vcpu->arch.tsc_catchup = 1;
+                }
+                kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
+                if (vcpu->cpu != cpu)
+                        kvm_migrate_timers(vcpu);
+                vcpu->cpu = cpu;
        }
-        kvm_request_guest_time_update(vcpu);
 }
 void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
 {
        kvm_x86_ops->vcpu_put(vcpu);
        kvm_put_guest_fpu(vcpu);
+        kvm_get_msr(vcpu, MSR_IA32_TSC, &vcpu->arch.last_guest_tsc);
 }
 static int is_efer_nx(void)
@@ -1937,6 +2268,11 @@ out:
        return r;
 }
+static void cpuid_mask(u32 *word, int wordnum)
+{
+        *word &= boot_cpu_data.x86_capability[wordnum];
+}
 static void do_cpuid_1_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                           u32 index)
 {
@@ -1991,13 +2327,20 @@ static void do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                0 /* Reserved */ | F(CX16) | 0 /* xTPR Update, PDCM */ |
                0 /* Reserved, DCA */ | F(XMM4_1) |
                F(XMM4_2) | F(X2APIC) | F(MOVBE) | F(POPCNT) |
-                0 /* Reserved, AES */ | F(XSAVE) | 0 /* OSXSAVE */ | F(AVX);
+                0 /* Reserved*/ | F(AES) | F(XSAVE) | 0 /* OSXSAVE */ | F(AVX) |
+                F(F16C);
        /* cpuid 0x80000001.ecx */
        const u32 kvm_supported_word6_x86_features =
-                F(LAHF_LM) | F(CMP_LEGACY) | F(SVM) | 0 /* ExtApicSpace */ |
+                F(LAHF_LM) | F(CMP_LEGACY) | 0 /*SVM*/ | 0 /* ExtApicSpace */ |
                F(CR8_LEGACY) | F(ABM) | F(SSE4A) | F(MISALIGNSSE) |
-                F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(SSE5) |
+                F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(XOP) |
-                0 /* SKINIT */ | 0 /* WDT */;
+                0 /* SKINIT, WDT, LWP */ | F(FMA4) | F(TBM);
+        /* cpuid 0xC0000001.edx */
+        const u32 kvm_supported_word5_x86_features =
+                F(XSTORE) | F(XSTORE_EN) | F(XCRYPT) | F(XCRYPT_EN) |
+                F(ACE2) | F(ACE2_EN) | F(PHE) | F(PHE_EN) |
+                F(PMM) | F(PMM_EN);
        /* all calls to cpuid_count() should be made on the same cpu */
        get_cpu();
@@ -2010,7 +2353,9 @@ static void do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                break;
        case 1:
                entry->edx &= kvm_supported_word0_x86_features;
+                cpuid_mask(&entry->edx, 0);
                entry->ecx &= kvm_supported_word4_x86_features;
+                cpuid_mask(&entry->ecx, 4);
                /* we support x2apic emulation even if host does not support
                 * it since we emulate x2apic in software */
                entry->ecx |= F(X2APIC);
@@ -2068,9 +2413,9 @@ static void do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                int i;
                entry->flags |= KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
-                for (i = 1; *nent < maxnent; ++i) {
+                for (i = 1; *nent < maxnent && i < 64; ++i) {
-                        if (entry[i - 1].eax == 0 && i != 2)
+                        if (entry[i].eax == 0)
-                                break;
+                                continue;
                        do_cpuid_1_ent(&entry[i], function, i);
                        entry[i].flags |=
                               KVM_CPUID_FLAG_SIGNIFCANT_INDEX;
@@ -2091,6 +2436,7 @@ static void do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                entry->eax = (1 << KVM_FEATURE_CLOCKSOURCE) |
                             (1 << KVM_FEATURE_NOP_IO_DELAY) |
                             (1 << KVM_FEATURE_CLOCKSOURCE2) |
+                             (1 << KVM_FEATURE_ASYNC_PF) |
                             (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT);
                entry->ebx = 0;
                entry->ecx = 0;
@@ -2101,7 +2447,23 @@ static void do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                break;
        case 0x80000001:
                entry->edx &= kvm_supported_word1_x86_features;
+                cpuid_mask(&entry->edx, 1);
                entry->ecx &= kvm_supported_word6_x86_features;
+                cpuid_mask(&entry->ecx, 6);
+                break;
+        /*Add support for Centaur's CPUID instruction*/
+        case 0xC0000000:
+                /*Just support up to 0xC0000004 now*/
+                entry->eax = min(entry->eax, 0xC0000004);
+                break;
+        case 0xC0000001:
+                entry->edx &= kvm_supported_word5_x86_features;
+                cpuid_mask(&entry->edx, 5);
+                break;
+        case 0xC0000002:
+        case 0xC0000003:
+        case 0xC0000004:
+                /*Now nothing to do, reserved for the future*/
                break;
        }
@@ -2149,6 +2511,26 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
        if (nent >= cpuid->nent)
                goto out_free;
+        /* Add support for Centaur's CPUID instruction. */
+        if (boot_cpu_data.x86_vendor == X86_VENDOR_CENTAUR) {
+                do_cpuid_ent(&cpuid_entries[nent], 0xC0000000, 0,
+                                &nent, cpuid->nent);
+                r = -E2BIG;
+                if (nent >= cpuid->nent)
+                        goto out_free;
+                limit = cpuid_entries[nent - 1].eax;
+                for (func = 0xC0000001;
+                        func <= limit && nent < cpuid->nent; ++func)
+                        do_cpuid_ent(&cpuid_entries[nent], func, 0,
+                                        &nent, cpuid->nent);
+                r = -E2BIG;
+                if (nent >= cpuid->nent)
+                        goto out_free;
+        }
        do_cpuid_ent(&cpuid_entries[nent], KVM_CPUID_SIGNATURE, 0, &nent,
                     cpuid->nent);
@@ -2203,6 +2585,7 @@ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
                return -ENXIO;
        kvm_queue_interrupt(vcpu, irq->irq, false);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -2272,9 +2655,6 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu,
        if (mce->status & MCI_STATUS_UC) {
                if ((vcpu->arch.mcg_status & MCG_STATUS_MCIP) ||
                    !kvm_read_cr4_bits(vcpu, X86_CR4_MCE)) {
-                        printk(KERN_DEBUG "kvm: set_mce: "
-                               "injects mce exception while "
-                               "previous one is in progress!\n");
                        kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
                        return 0;
                }
@@ -2305,6 +2685,7 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
                !kvm_exception_is_soft(vcpu->arch.exception.nr);
        events->exception.nr = vcpu->arch.exception.nr;
        events->exception.has_error_code = vcpu->arch.exception.has_error_code;
+        events->exception.pad = 0;
        events->exception.error_code = vcpu->arch.exception.error_code;
        events->interrupt.injected =
@@ -2318,12 +2699,14 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
        events->nmi.injected = vcpu->arch.nmi_injected;
        events->nmi.pending = vcpu->arch.nmi_pending;
        events->nmi.masked = kvm_x86_ops->get_nmi_mask(vcpu);
+        events->nmi.pad = 0;
        events->sipi_vector = vcpu->arch.sipi_vector;
        events->flags = (KVM_VCPUEVENT_VALID_NMI_PENDING
                         | KVM_VCPUEVENT_VALID_SIPI_VECTOR
                         | KVM_VCPUEVENT_VALID_SHADOW);
+        memset(&events->reserved, 0, sizeof(events->reserved));
 }
 static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
@@ -2342,8 +2725,6 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
        vcpu->arch.interrupt.pending = events->interrupt.injected;
        vcpu->arch.interrupt.nr = events->interrupt.nr;
        vcpu->arch.interrupt.soft = events->interrupt.soft;
-        if (vcpu->arch.interrupt.pending && irqchip_in_kernel(vcpu->kvm))
-                kvm_pic_clear_isr_ack(vcpu->kvm);
        if (events->flags & KVM_VCPUEVENT_VALID_SHADOW)
                kvm_x86_ops->set_interrupt_shadow(vcpu,
                                                  events->interrupt.shadow);
@@ -2356,6 +2737,8 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
        if (events->flags & KVM_VCPUEVENT_VALID_SIPI_VECTOR)
                vcpu->arch.sipi_vector = events->sipi_vector;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -2366,6 +2749,7 @@ static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu,
        dbgregs->dr6 = vcpu->arch.dr6;
        dbgregs->dr7 = vcpu->arch.dr7;
        dbgregs->flags = 0;
+        memset(&dbgregs->reserved, 0, sizeof(dbgregs->reserved));
 }
 static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
@@ -2715,6 +3099,32 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                r = kvm_vcpu_ioctl_x86_set_xcrs(vcpu, u.xcrs);
                break;
        }
+        case KVM_SET_TSC_KHZ: {
+                u32 user_tsc_khz;
+                r = -EINVAL;
+                if (!kvm_has_tsc_control)
+                        break;
+                user_tsc_khz = (u32)arg;
+                if (user_tsc_khz >= kvm_max_guest_tsc_khz)
+                        goto out;
+                kvm_x86_ops->set_tsc_khz(vcpu, user_tsc_khz);
+                r = 0;
+                goto out;
+        }
+        case KVM_GET_TSC_KHZ: {
+                r = -EIO;
+                if (check_tsc_unstable())
+                        goto out;
+                r = vcpu_tsc_khz(vcpu);
+                goto out;
+        }
        default:
                r = -EINVAL;
        }
@@ -2759,7 +3169,7 @@ static int kvm_vm_ioctl_set_nr_mmu_pages(struct kvm *kvm,
 static int kvm_vm_ioctl_get_nr_mmu_pages(struct kvm *kvm)
 {
-        return kvm->arch.n_alloc_mmu_pages;
+        return kvm->arch.n_max_mmu_pages;
 }
 static int kvm_vm_ioctl_get_irqchip(struct kvm *kvm, struct kvm_irqchip *chip)
@@ -2795,18 +3205,18 @@ static int kvm_vm_ioctl_set_irqchip(struct kvm *kvm, struct kvm_irqchip *chip)
        r = 0;
        switch (chip->chip_id) {
        case KVM_IRQCHIP_PIC_MASTER:
-                raw_spin_lock(&pic_irqchip(kvm)->lock);
+                spin_lock(&pic_irqchip(kvm)->lock);
                memcpy(&pic_irqchip(kvm)->pics[0],
                        &chip->chip.pic,
                        sizeof(struct kvm_pic_state));
-                raw_spin_unlock(&pic_irqchip(kvm)->lock);
+                spin_unlock(&pic_irqchip(kvm)->lock);
                break;
        case KVM_IRQCHIP_PIC_SLAVE:
-                raw_spin_lock(&pic_irqchip(kvm)->lock);
+                spin_lock(&pic_irqchip(kvm)->lock);
                memcpy(&pic_irqchip(kvm)->pics[1],
                        &chip->chip.pic,
                        sizeof(struct kvm_pic_state));
-                raw_spin_unlock(&pic_irqchip(kvm)->lock);
+                spin_unlock(&pic_irqchip(kvm)->lock);
                break;
        case KVM_IRQCHIP_IOAPIC:
                r = kvm_set_ioapic(kvm, &chip->chip.ioapic);
@@ -2849,6 +3259,7 @@ static int kvm_vm_ioctl_get_pit2(struct kvm *kvm, struct kvm_pit_state2 *ps)
                sizeof(ps->channels));
        ps->flags = kvm->arch.vpit->pit_state.flags;
        mutex_unlock(&kvm->arch.vpit->pit_state.lock);
+        memset(&ps->reserved, 0, sizeof(ps->reserved));
        return r;
 }
@@ -2912,24 +3323,18 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
                struct kvm_memslots *slots, *old_slots;
                unsigned long *dirty_bitmap;
-                spin_lock(&kvm->mmu_lock);
+                dirty_bitmap = memslot->dirty_bitmap_head;
-                kvm_mmu_slot_remove_write_access(kvm, log->slot);
+                if (memslot->dirty_bitmap == dirty_bitmap)
-                spin_unlock(&kvm->mmu_lock);
+                        dirty_bitmap += n / sizeof(long);
-                r = -ENOMEM;
-                dirty_bitmap = vmalloc(n);
-                if (!dirty_bitmap)
-                        goto out;
                memset(dirty_bitmap, 0, n);
                r = -ENOMEM;
                slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
-                if (!slots) {
+                if (!slots)
-                        vfree(dirty_bitmap);
                        goto out;
-                }
                memcpy(slots, kvm->memslots, sizeof(struct kvm_memslots));
                slots->memslots[log->slot].dirty_bitmap = dirty_bitmap;
+                slots->generation++;
                old_slots = kvm->memslots;
                rcu_assign_pointer(kvm->memslots, slots);
@@ -2937,12 +3342,13 @@ int kvm_vm_ioctl_get_dirty_log(struct kvm *kvm,
                dirty_bitmap = old_slots->memslots[log->slot].dirty_bitmap;
                kfree(old_slots);
+                spin_lock(&kvm->mmu_lock);
+                kvm_mmu_slot_remove_write_access(kvm, log->slot);
+                spin_unlock(&kvm->mmu_lock);
                r = -EFAULT;
-                if (copy_to_user(log->dirty_bitmap, dirty_bitmap, n)) {
+                if (copy_to_user(log->dirty_bitmap, dirty_bitmap, n))
-                        vfree(dirty_bitmap);
                        goto out;
-                }
-                vfree(dirty_bitmap);
        } else {
                r = -EFAULT;
                if (clear_user(log->dirty_bitmap, n))
@@ -3009,8 +3415,10 @@ long kvm_arch_vm_ioctl(struct file *filp,
                if (vpic) {
                        r = kvm_ioapic_init(kvm);
                        if (r) {
+                                mutex_lock(&kvm->slots_lock);
                                kvm_io_bus_unregister_dev(kvm, KVM_PIO_BUS,
                                                          &vpic->dev);
+                                mutex_unlock(&kvm->slots_lock);
                                kfree(vpic);
                                goto create_irqchip_unlock;
                        }
@@ -3021,10 +3429,12 @@ long kvm_arch_vm_ioctl(struct file *filp,
                smp_wmb();
                r = kvm_setup_default_irq_routing(kvm);
                if (r) {
+                        mutex_lock(&kvm->slots_lock);
                        mutex_lock(&kvm->irq_lock);
                        kvm_ioapic_destroy(kvm);
                        kvm_destroy_pic(kvm);
                        mutex_unlock(&kvm->irq_lock);
+                        mutex_unlock(&kvm->slots_lock);
                }
        create_irqchip_unlock:
                mutex_unlock(&kvm->lock);
@@ -3200,7 +3610,6 @@ long kvm_arch_vm_ioctl(struct file *filp,
                break;
        }
        case KVM_SET_CLOCK: {
-                struct timespec now;
                struct kvm_clock_data user_ns;
                u64 now_ns;
                s64 delta;
@@ -3214,21 +3623,23 @@ long kvm_arch_vm_ioctl(struct file *filp,
                        goto out;
                r = 0;
-                ktime_get_ts(&now);
+                local_irq_disable();
-                now_ns = timespec_to_ns(&now);
+                now_ns = get_kernel_ns();
                delta = user_ns.clock - now_ns;
+                local_irq_enable();
                kvm->arch.kvmclock_offset = delta;
                break;
        }
        case KVM_GET_CLOCK: {
-                struct timespec now;
                struct kvm_clock_data user_ns;
                u64 now_ns;
-                ktime_get_ts(&now);
+                local_irq_disable();
-                now_ns = timespec_to_ns(&now);
+                now_ns = get_kernel_ns();
                user_ns.clock = kvm->arch.kvmclock_offset + now_ns;
+                local_irq_enable();
                user_ns.flags = 0;
+                memset(&user_ns.pad, 0, sizeof(user_ns.pad));
                r = -EFAULT;
                if (copy_to_user(argp, &user_ns, sizeof(user_ns)))
@@ -3263,20 +3674,43 @@ static void kvm_init_msr_list(void)
 static int vcpu_mmio_write(struct kvm_vcpu *vcpu, gpa_t addr, int len,
                           const void *v)
 {
-        if (vcpu->arch.apic &&
+        int handled = 0;
-            !kvm_iodevice_write(&vcpu->arch.apic->dev, addr, len, v))
+        int n;
-                return 0;
+        do {
+                n = min(len, 8);
+                if (!(vcpu->arch.apic &&
+                      !kvm_iodevice_write(&vcpu->arch.apic->dev, addr, n, v))
+                    && kvm_io_bus_write(vcpu->kvm, KVM_MMIO_BUS, addr, n, v))
+                        break;
+                handled += n;
+                addr += n;
+                len -= n;
+                v += n;
+        } while (len);
-        return kvm_io_bus_write(vcpu->kvm, KVM_MMIO_BUS, addr, len, v);
+        return handled;
 }
 static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
 {
-        if (vcpu->arch.apic &&
+        int handled = 0;
-            !kvm_iodevice_read(&vcpu->arch.apic->dev, addr, len, v))
+        int n;
-                return 0;
+        do {
+                n = min(len, 8);
+                if (!(vcpu->arch.apic &&
+                      !kvm_iodevice_read(&vcpu->arch.apic->dev, addr, n, v))
+                    && kvm_io_bus_read(vcpu->kvm, KVM_MMIO_BUS, addr, n, v))
+                        break;
+                trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
+                handled += n;
+                addr += n;
+                len -= n;
+                v += n;
+        } while (len);
-        return kvm_io_bus_read(vcpu->kvm, KVM_MMIO_BUS, addr, len, v);
+        return handled;
 }
 static void kvm_set_segment(struct kvm_vcpu *vcpu,
@@ -3291,49 +3725,71 @@ void kvm_get_segment(struct kvm_vcpu *vcpu,
        kvm_x86_ops->get_segment(vcpu, var, seg);
 }
-gpa_t kvm_mmu_gva_to_gpa_read(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
+static gpa_t translate_gpa(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access)
+{
+        return gpa;
+}
+static gpa_t translate_nested_gpa(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access)
+{
+        gpa_t t_gpa;
+        struct x86_exception exception;
+        BUG_ON(!mmu_is_nested(vcpu));
+        /* NPT walks are always user-walks */
+        access |= PFERR_USER_MASK;
+        t_gpa  = vcpu->arch.mmu.gva_to_gpa(vcpu, gpa, access, &exception);
+        return t_gpa;
+}
+gpa_t kvm_mmu_gva_to_gpa_read(struct kvm_vcpu *vcpu, gva_t gva,
+                              struct x86_exception *exception)
 {
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
-        return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
+        return vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, access, exception);
 }
- gpa_t kvm_mmu_gva_to_gpa_fetch(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
+ gpa_t kvm_mmu_gva_to_gpa_fetch(struct kvm_vcpu *vcpu, gva_t gva,
+                                struct x86_exception *exception)
 {
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
        access |= PFERR_FETCH_MASK;
-        return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
+        return vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, access, exception);
 }
-gpa_t kvm_mmu_gva_to_gpa_write(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
+gpa_t kvm_mmu_gva_to_gpa_write(struct kvm_vcpu *vcpu, gva_t gva,
+                               struct x86_exception *exception)
 {
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
        access |= PFERR_WRITE_MASK;
-        return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, access, error);
+        return vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, access, exception);
 }
 /* uses this to access any guest's mapped memory without checking CPL */
-gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, u32 *error)
+gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva,
+                                struct x86_exception *exception)
 {
-        return vcpu->arch.mmu.gva_to_gpa(vcpu, gva, 0, error);
+        return vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, 0, exception);
 }
 static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
                                      struct kvm_vcpu *vcpu, u32 access,
-                                      u32 *error)
+                                      struct x86_exception *exception)
 {
        void *data = val;
        int r = X86EMUL_CONTINUE;
        while (bytes) {
-                gpa_t gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, addr, access, error);
+                gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, access,
+                                                            exception);
                unsigned offset = addr & (PAGE_SIZE-1);
                unsigned toread = min(bytes, (unsigned)PAGE_SIZE - offset);
                int ret;
-                if (gpa == UNMAPPED_GVA) {
+                if (gpa == UNMAPPED_GVA)
-                        r = X86EMUL_PROPAGATE_FAULT;
+                        return X86EMUL_PROPAGATE_FAULT;
-                        goto out;
-                }
                ret = kvm_read_guest(vcpu->kvm, gpa, data, toread);
                if (ret < 0) {
                        r = X86EMUL_IO_NEEDED;
@@ -3349,47 +3805,56 @@ out:
 }
 /* used for instruction fetching */
-static int kvm_fetch_guest_virt(gva_t addr, void *val, unsigned int bytes,
+static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
-                                struct kvm_vcpu *vcpu, u32 *error)
+                                gva_t addr, void *val, unsigned int bytes,
+                                struct x86_exception *exception)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu,
-                                          access | PFERR_FETCH_MASK, error);
+                                          access | PFERR_FETCH_MASK,
+                                          exception);
 }
-static int kvm_read_guest_virt(gva_t addr, void *val, unsigned int bytes,
+static int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt,
-                               struct kvm_vcpu *vcpu, u32 *error)
+                               gva_t addr, void *val, unsigned int bytes,
+                               struct x86_exception *exception)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0;
        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access,
-                                          error);
+                                          exception);
 }
-static int kvm_read_guest_virt_system(gva_t addr, void *val, unsigned int bytes,
+static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
-                               struct kvm_vcpu *vcpu, u32 *error)
+                                      gva_t addr, void *val, unsigned int bytes,
+                                      struct x86_exception *exception)
 {
-        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, error);
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+        return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
 }
-static int kvm_write_guest_virt_system(gva_t addr, void *val,
+static int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
+                                       gva_t addr, void *val,
                                       unsigned int bytes,
-                                       struct kvm_vcpu *vcpu,
+                                       struct x86_exception *exception)
-                                       u32 *error)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        void *data = val;
        int r = X86EMUL_CONTINUE;
        while (bytes) {
-                gpa_t gpa =  vcpu->arch.mmu.gva_to_gpa(vcpu, addr,
+                gpa_t gpa =  vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr,
-                                                       PFERR_WRITE_MASK, error);
+                                                             PFERR_WRITE_MASK,
+                                                             exception);
                unsigned offset = addr & (PAGE_SIZE-1);
                unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset);
                int ret;
-                if (gpa == UNMAPPED_GVA) {
+                if (gpa == UNMAPPED_GVA)
-                        r = X86EMUL_PROPAGATE_FAULT;
+                        return X86EMUL_PROPAGATE_FAULT;
-                        goto out;
-                }
                ret = kvm_write_guest(vcpu->kvm, gpa, data, towrite);
                if (ret < 0) {
                        r = X86EMUL_IO_NEEDED;
@@ -3404,13 +3869,15 @@ out:
        return r;
 }
-static int emulator_read_emulated(unsigned long addr,
+static int emulator_read_emulated(struct x86_emulate_ctxt *ctxt,
+                                  unsigned long addr,
                                  void *val,
                                  unsigned int bytes,
-                                  unsigned int *error_code,
+                                  struct x86_exception *exception)
-                                  struct kvm_vcpu *vcpu)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        gpa_t                 gpa;
+        int handled;
        if (vcpu->mmio_read_completed) {
                memcpy(val, vcpu->mmio_data, bytes);
@@ -3420,7 +3887,7 @@ static int emulator_read_emulated(unsigned long addr,
                return X86EMUL_CONTINUE;
        }
-        gpa = kvm_mmu_gva_to_gpa_read(vcpu, addr, error_code);
+        gpa = kvm_mmu_gva_to_gpa_read(vcpu, addr, exception);
        if (gpa == UNMAPPED_GVA)
                return X86EMUL_PROPAGATE_FAULT;
@@ -3429,32 +3896,38 @@ static int emulator_read_emulated(unsigned long addr,
        if ((gpa & PAGE_MASK) == APIC_DEFAULT_PHYS_BASE)
                goto mmio;
-        if (kvm_read_guest_virt(addr, val, bytes, vcpu, NULL)
+        if (kvm_read_guest_virt(ctxt, addr, val, bytes, exception)
-                                == X86EMUL_CONTINUE)
+            == X86EMUL_CONTINUE)
                return X86EMUL_CONTINUE;
 mmio:
        /*
         * Is this MMIO handled locally?
         */
-        if (!vcpu_mmio_read(vcpu, gpa, bytes, val)) {
+        handled = vcpu_mmio_read(vcpu, gpa, bytes, val);
-                trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, gpa, *(u64 *)val);
+        if (handled == bytes)
                return X86EMUL_CONTINUE;
-        }
+        gpa += handled;
+        bytes -= handled;
+        val += handled;
        trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
        vcpu->mmio_needed = 1;
        vcpu->run->exit_reason = KVM_EXIT_MMIO;
        vcpu->run->mmio.phys_addr = vcpu->mmio_phys_addr = gpa;
-        vcpu->run->mmio.len = vcpu->mmio_size = bytes;
+        vcpu->mmio_size = bytes;
+        vcpu->run->mmio.len = min(vcpu->mmio_size, 8);
        vcpu->run->mmio.is_write = vcpu->mmio_is_write = 0;
+        vcpu->mmio_index = 0;
        return X86EMUL_IO_NEEDED;
 }
 int emulator_write_phys(struct kvm_vcpu *vcpu, gpa_t gpa,
-                          const void *val, int bytes)
+                        const void *val, int bytes)
 {
        int ret;
@@ -3468,12 +3941,13 @@ int emulator_write_phys(struct kvm_vcpu *vcpu, gpa_t gpa,
 static int emulator_write_emulated_onepage(unsigned long addr,
                                           const void *val,
                                           unsigned int bytes,
-                                           unsigned int *error_code,
+                                           struct x86_exception *exception,
                                           struct kvm_vcpu *vcpu)
 {
        gpa_t                 gpa;
+        int handled;
-        gpa = kvm_mmu_gva_to_gpa_write(vcpu, addr, error_code);
+        gpa = kvm_mmu_gva_to_gpa_write(vcpu, addr, exception);
        if (gpa == UNMAPPED_GVA)
                return X86EMUL_PROPAGATE_FAULT;
@@ -3490,31 +3964,41 @@ mmio:
        /*
         * Is this MMIO handled locally?
         */
-        if (!vcpu_mmio_write(vcpu, gpa, bytes, val))
+        handled = vcpu_mmio_write(vcpu, gpa, bytes, val);
+        if (handled == bytes)
                return X86EMUL_CONTINUE;
+        gpa += handled;
+        bytes -= handled;
+        val += handled;
        vcpu->mmio_needed = 1;
+        memcpy(vcpu->mmio_data, val, bytes);
        vcpu->run->exit_reason = KVM_EXIT_MMIO;
        vcpu->run->mmio.phys_addr = vcpu->mmio_phys_addr = gpa;
-        vcpu->run->mmio.len = vcpu->mmio_size = bytes;
+        vcpu->mmio_size = bytes;
+        vcpu->run->mmio.len = min(vcpu->mmio_size, 8);
        vcpu->run->mmio.is_write = vcpu->mmio_is_write = 1;
-        memcpy(vcpu->run->mmio.data, val, bytes);
+        memcpy(vcpu->run->mmio.data, vcpu->mmio_data, 8);
+        vcpu->mmio_index = 0;
        return X86EMUL_CONTINUE;
 }
-int emulator_write_emulated(unsigned long addr,
+int emulator_write_emulated(struct x86_emulate_ctxt *ctxt,
+                            unsigned long addr,
                            const void *val,
                            unsigned int bytes,
-                            unsigned int *error_code,
+                            struct x86_exception *exception)
-                            struct kvm_vcpu *vcpu)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        /* Crossing a page boundary? */
        if (((addr + bytes - 1) ^ addr) & PAGE_MASK) {
                int rc, now;
                now = -addr & ~PAGE_MASK;
-                rc = emulator_write_emulated_onepage(addr, val, now, error_code,
+                rc = emulator_write_emulated_onepage(addr, val, now, exception,
                                                     vcpu);
                if (rc != X86EMUL_CONTINUE)
                        return rc;
@@ -3522,7 +4006,7 @@ int emulator_write_emulated(unsigned long addr,
                val += now;
                bytes -= now;
        }
-        return emulator_write_emulated_onepage(addr, val, bytes, error_code,
+        return emulator_write_emulated_onepage(addr, val, bytes, exception,
                                               vcpu);
 }
@@ -3536,13 +4020,14 @@ int emulator_write_emulated(unsigned long addr,
        (cmpxchg64((u64 *)(ptr), *(u64 *)(old), *(u64 *)(new)) == *(u64 *)(old))
 #endif
-static int emulator_cmpxchg_emulated(unsigned long addr,
+static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
+                                     unsigned long addr,
                                     const void *old,
                                     const void *new,
                                     unsigned int bytes,
-                                     unsigned int *error_code,
+                                     struct x86_exception *exception)
-                                     struct kvm_vcpu *vcpu)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        gpa_t gpa;
        struct page *page;
        char *kaddr;
@@ -3598,7 +4083,7 @@ static int emulator_cmpxchg_emulated(unsigned long addr,
 emul_write:
        printk_once(KERN_WARNING "kvm: emulating exchange as write\n");
-        return emulator_write_emulated(addr, new, bytes, error_code, vcpu);
+        return emulator_write_emulated(ctxt, addr, new, bytes, exception);
 }
 static int kernel_pio(struct kvm_vcpu *vcpu, void *pd)
@@ -3617,13 +4102,16 @@ static int kernel_pio(struct kvm_vcpu *vcpu, void *pd)
 }
-static int emulator_pio_in_emulated(int size, unsigned short port, void *val,
+static int emulator_pio_in_emulated(struct x86_emulate_ctxt *ctxt,
-                             unsigned int count, struct kvm_vcpu *vcpu)
+                                    int size, unsigned short port, void *val,
+                                    unsigned int count)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        if (vcpu->arch.pio.count)
                goto data_avail;
-        trace_kvm_pio(1, port, size, 1);
+        trace_kvm_pio(0, port, size, count);
        vcpu->arch.pio.port = port;
        vcpu->arch.pio.in = 1;
@@ -3647,11 +4135,13 @@ static int emulator_pio_in_emulated(int size, unsigned short port, void *val,
        return 0;
 }
-static int emulator_pio_out_emulated(int size, unsigned short port,
+static int emulator_pio_out_emulated(struct x86_emulate_ctxt *ctxt,
-                              const void *val, unsigned int count,
+                                     int size, unsigned short port,
-                              struct kvm_vcpu *vcpu)
+                                     const void *val, unsigned int count)
 {
-        trace_kvm_pio(0, port, size, 1);
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+        trace_kvm_pio(1, port, size, count);
        vcpu->arch.pio.port = port;
        vcpu->arch.pio.in = 0;
@@ -3680,10 +4170,9 @@ static unsigned long get_segment_base(struct kvm_vcpu *vcpu, int seg)
        return kvm_x86_ops->get_segment_base(vcpu, seg);
 }
-int emulate_invlpg(struct kvm_vcpu *vcpu, gva_t address)
+static void emulator_invlpg(struct x86_emulate_ctxt *ctxt, ulong address)
 {
-        kvm_mmu_invlpg(vcpu, address);
+        kvm_mmu_invlpg(emul_to_vcpu(ctxt), address);
-        return X86EMUL_CONTINUE;
 }
 int kvm_emulate_wbinvd(struct kvm_vcpu *vcpu)
@@ -3692,31 +4181,33 @@ int kvm_emulate_wbinvd(struct kvm_vcpu *vcpu)
                return X86EMUL_CONTINUE;
        if (kvm_x86_ops->has_wbinvd_exit()) {
+                int cpu = get_cpu();
+                cpumask_set_cpu(cpu, vcpu->arch.wbinvd_dirty_mask);
                smp_call_function_many(vcpu->arch.wbinvd_dirty_mask,
                                wbinvd_ipi, NULL, 1);
+                put_cpu();
                cpumask_clear(vcpu->arch.wbinvd_dirty_mask);
-        }
+        } else
-        wbinvd();
+                wbinvd();
        return X86EMUL_CONTINUE;
 }
 EXPORT_SYMBOL_GPL(kvm_emulate_wbinvd);
-int emulate_clts(struct kvm_vcpu *vcpu)
+static void emulator_wbinvd(struct x86_emulate_ctxt *ctxt)
 {
-        kvm_x86_ops->set_cr0(vcpu, kvm_read_cr0_bits(vcpu, ~X86_CR0_TS));
+        kvm_emulate_wbinvd(emul_to_vcpu(ctxt));
-        kvm_x86_ops->fpu_activate(vcpu);
-        return X86EMUL_CONTINUE;
 }
-int emulator_get_dr(int dr, unsigned long *dest, struct kvm_vcpu *vcpu)
+int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
 {
-        return _kvm_get_dr(vcpu, dr, dest);
+        return _kvm_get_dr(emul_to_vcpu(ctxt), dr, dest);
 }
-int emulator_set_dr(int dr, unsigned long value, struct kvm_vcpu *vcpu)
+int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
 {
-        return __kvm_set_dr(vcpu, dr, value);
+        return __kvm_set_dr(emul_to_vcpu(ctxt), dr, value);
 }
 static u64 mk_cr_64(u64 curr_cr, u32 new_val)
@@ -3724,8 +4215,9 @@ static u64 mk_cr_64(u64 curr_cr, u32 new_val)
        return (curr_cr & ~((1ULL << 32) - 1)) | new_val;
 }
-static unsigned long emulator_get_cr(int cr, struct kvm_vcpu *vcpu)
+static unsigned long emulator_get_cr(struct x86_emulate_ctxt *ctxt, int cr)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        unsigned long value;
        switch (cr) {
@@ -3736,7 +4228,7 @@ static unsigned long emulator_get_cr(int cr, struct kvm_vcpu *vcpu)
                value = vcpu->arch.cr2;
                break;
        case 3:
-                value = vcpu->arch.cr3;
+                value = kvm_read_cr3(vcpu);
                break;
        case 4:
                value = kvm_read_cr4(vcpu);
@@ -3752,8 +4244,9 @@ static unsigned long emulator_get_cr(int cr, struct kvm_vcpu *vcpu)
        return value;
 }
-static int emulator_set_cr(int cr, unsigned long val, struct kvm_vcpu *vcpu)
+static int emulator_set_cr(struct x86_emulate_ctxt *ctxt, int cr, ulong val)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        int res = 0;
        switch (cr) {
@@ -3770,7 +4263,7 @@ static int emulator_set_cr(int cr, unsigned long val, struct kvm_vcpu *vcpu)
                res = kvm_set_cr4(vcpu, mk_cr_64(kvm_read_cr4(vcpu), val));
                break;
        case 8:
-                res = __kvm_set_cr8(vcpu, val & 0xfUL);
+                res = kvm_set_cr8(vcpu, val);
                break;
        default:
                vcpu_printf(vcpu, "%s: unexpected cr %u\n", __func__, cr);
@@ -3780,28 +4273,45 @@ static int emulator_set_cr(int cr, unsigned long val, struct kvm_vcpu *vcpu)
        return res;
 }
-static int emulator_get_cpl(struct kvm_vcpu *vcpu)
+static int emulator_get_cpl(struct x86_emulate_ctxt *ctxt)
 {
-        return kvm_x86_ops->get_cpl(vcpu);
+        return kvm_x86_ops->get_cpl(emul_to_vcpu(ctxt));
 }
-static void emulator_get_gdt(struct desc_ptr *dt, struct kvm_vcpu *vcpu)
+static void emulator_get_gdt(struct x86_emulate_ctxt *ctxt, struct desc_ptr *dt)
 {
-        kvm_x86_ops->get_gdt(vcpu, dt);
+        kvm_x86_ops->get_gdt(emul_to_vcpu(ctxt), dt);
 }
-static unsigned long emulator_get_cached_segment_base(int seg,
+static void emulator_get_idt(struct x86_emulate_ctxt *ctxt, struct desc_ptr *dt)
-                                                      struct kvm_vcpu *vcpu)
 {
-        return get_segment_base(vcpu, seg);
+        kvm_x86_ops->get_idt(emul_to_vcpu(ctxt), dt);
 }
-static bool emulator_get_cached_descriptor(struct desc_struct *desc, int seg,
+static void emulator_set_gdt(struct x86_emulate_ctxt *ctxt, struct desc_ptr *dt)
-                                           struct kvm_vcpu *vcpu)
+{
+        kvm_x86_ops->set_gdt(emul_to_vcpu(ctxt), dt);
+}
+static void emulator_set_idt(struct x86_emulate_ctxt *ctxt, struct desc_ptr *dt)
+{
+        kvm_x86_ops->set_idt(emul_to_vcpu(ctxt), dt);
+}
+static unsigned long emulator_get_cached_segment_base(
+        struct x86_emulate_ctxt *ctxt, int seg)
+{
+        return get_segment_base(emul_to_vcpu(ctxt), seg);
+}
+static bool emulator_get_segment(struct x86_emulate_ctxt *ctxt, u16 *selector,
+                                 struct desc_struct *desc, u32 *base3,
+                                 int seg)
 {
        struct kvm_segment var;
-        kvm_get_segment(vcpu, &var, seg);
+        kvm_get_segment(emul_to_vcpu(ctxt), &var, seg);
+        *selector = var.selector;
        if (var.unusable)
                return false;
@@ -3810,6 +4320,10 @@ static bool emulator_get_cached_descriptor(struct desc_struct *desc, int seg,
                var.limit >>= 12;
        set_desc_limit(desc, var.limit);
        set_desc_base(desc, (unsigned long)var.base);
+#ifdef CONFIG_X86_64
+        if (base3)
+                *base3 = var.base >> 32;
+#endif
        desc->type = var.type;
        desc->s = var.s;
        desc->dpl = var.dpl;
@@ -3822,15 +4336,18 @@ static bool emulator_get_cached_descriptor(struct desc_struct *desc, int seg,
        return true;
 }
-static void emulator_set_cached_descriptor(struct desc_struct *desc, int seg,
+static void emulator_set_segment(struct x86_emulate_ctxt *ctxt, u16 selector,
-                                           struct kvm_vcpu *vcpu)
+                                 struct desc_struct *desc, u32 base3,
+                                 int seg)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        struct kvm_segment var;
-        /* needed to preserve selector */
+        var.selector = selector;
-        kvm_get_segment(vcpu, &var, seg);
        var.base = get_desc_base(desc);
+#ifdef CONFIG_X86_64
+        var.base |= ((u64)base3) << 32;
+#endif
        var.limit = get_desc_limit(desc);
        if (desc->g)
                var.limit = (var.limit << 12) | 0xfff;
@@ -3850,22 +4367,44 @@ static void emulator_set_cached_descriptor(struct desc_struct *desc, int seg,
        return;
 }
-static u16 emulator_get_segment_selector(int seg, struct kvm_vcpu *vcpu)
+static int emulator_get_msr(struct x86_emulate_ctxt *ctxt,
+                            u32 msr_index, u64 *pdata)
 {
-        struct kvm_segment kvm_seg;
+        return kvm_get_msr(emul_to_vcpu(ctxt), msr_index, pdata);
+}
-        kvm_get_segment(vcpu, &kvm_seg, seg);
+static int emulator_set_msr(struct x86_emulate_ctxt *ctxt,
-        return kvm_seg.selector;
+                            u32 msr_index, u64 data)
+{
+        return kvm_set_msr(emul_to_vcpu(ctxt), msr_index, data);
+}
+static void emulator_halt(struct x86_emulate_ctxt *ctxt)
+{
+        emul_to_vcpu(ctxt)->arch.halt_request = 1;
+}
+static void emulator_get_fpu(struct x86_emulate_ctxt *ctxt)
+{
+        preempt_disable();
+        kvm_load_guest_fpu(emul_to_vcpu(ctxt));
+        /*
+         * CR0.TS may reference the host fpu state, not the guest fpu state,
+         * so it may be clear at this point.
+         */
+        clts();
 }
-static void emulator_set_segment_selector(u16 sel, int seg,
+static void emulator_put_fpu(struct x86_emulate_ctxt *ctxt)
-                                          struct kvm_vcpu *vcpu)
 {
-        struct kvm_segment kvm_seg;
+        preempt_enable();
+}
-        kvm_get_segment(vcpu, &kvm_seg, seg);
+static int emulator_intercept(struct x86_emulate_ctxt *ctxt,
-        kvm_seg.selector = sel;
+                              struct x86_instruction_info *info,
-        kvm_set_segment(vcpu, &kvm_seg, seg);
+                              enum x86_intercept_stage stage)
+{
+        return kvm_x86_ops->check_intercept(emul_to_vcpu(ctxt), info, stage);
 }
 static struct x86_emulate_ops emulate_ops = {
@@ -3875,21 +4414,29 @@ static struct x86_emulate_ops emulate_ops = {
        .read_emulated       = emulator_read_emulated,
        .write_emulated      = emulator_write_emulated,
        .cmpxchg_emulated    = emulator_cmpxchg_emulated,
+        .invlpg              = emulator_invlpg,
        .pio_in_emulated     = emulator_pio_in_emulated,
        .pio_out_emulated    = emulator_pio_out_emulated,
-        .get_cached_descriptor = emulator_get_cached_descriptor,
+        .get_segment         = emulator_get_segment,
-        .set_cached_descriptor = emulator_set_cached_descriptor,
+        .set_segment         = emulator_set_segment,
-        .get_segment_selector = emulator_get_segment_selector,
-        .set_segment_selector = emulator_set_segment_selector,
        .get_cached_segment_base = emulator_get_cached_segment_base,
        .get_gdt             = emulator_get_gdt,
+        .get_idt             = emulator_get_idt,
+        .set_gdt             = emulator_set_gdt,
+        .set_idt             = emulator_set_idt,
        .get_cr              = emulator_get_cr,
        .set_cr              = emulator_set_cr,
        .cpl                 = emulator_get_cpl,
        .get_dr              = emulator_get_dr,
        .set_dr              = emulator_set_dr,
-        .set_msr             = kvm_set_msr,
+        .set_msr             = emulator_set_msr,
-        .get_msr             = kvm_get_msr,
+        .get_msr             = emulator_get_msr,
+        .halt                = emulator_halt,
+        .wbinvd              = emulator_wbinvd,
+        .fix_hypercall       = emulator_fix_hypercall,
+        .get_fpu             = emulator_get_fpu,
+        .put_fpu             = emulator_put_fpu,
+        .intercept           = emulator_intercept,
 };
 static void cache_all_regs(struct kvm_vcpu *vcpu)
@@ -3917,23 +4464,89 @@ static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask)
 static void inject_emulated_exception(struct kvm_vcpu *vcpu)
 {
        struct x86_emulate_ctxt *ctxt = &vcpu->arch.emulate_ctxt;
-        if (ctxt->exception == PF_VECTOR)
+        if (ctxt->exception.vector == PF_VECTOR)
-                kvm_inject_page_fault(vcpu, ctxt->cr2, ctxt->error_code);
+                kvm_propagate_fault(vcpu, &ctxt->exception);
-        else if (ctxt->error_code_valid)
+        else if (ctxt->exception.error_code_valid)
-                kvm_queue_exception_e(vcpu, ctxt->exception, ctxt->error_code);
+                kvm_queue_exception_e(vcpu, ctxt->exception.vector,
+                                      ctxt->exception.error_code);
+        else
+                kvm_queue_exception(vcpu, ctxt->exception.vector);
+}
+static void init_emulate_ctxt(struct kvm_vcpu *vcpu)
+{
+        struct decode_cache *c = &vcpu->arch.emulate_ctxt.decode;
+        int cs_db, cs_l;
+        /*
+         * TODO: fix emulate.c to use guest_read/write_register
+         * instead of direct ->regs accesses, can save hundred cycles
+         * on Intel for instructions that don't read/change RSP, for
+         * for example.
+         */
+        cache_all_regs(vcpu);
+        kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
+        vcpu->arch.emulate_ctxt.eflags = kvm_get_rflags(vcpu);
+        vcpu->arch.emulate_ctxt.eip = kvm_rip_read(vcpu);
+        vcpu->arch.emulate_ctxt.mode =
+                (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
+                (vcpu->arch.emulate_ctxt.eflags & X86_EFLAGS_VM)
+                ? X86EMUL_MODE_VM86 : cs_l
+                ? X86EMUL_MODE_PROT64 : cs_db
+                ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
+        vcpu->arch.emulate_ctxt.guest_mode = is_guest_mode(vcpu);
+        memset(c, 0, sizeof(struct decode_cache));
+        memcpy(c->regs, vcpu->arch.regs, sizeof c->regs);
+        vcpu->arch.emulate_regs_need_sync_from_vcpu = false;
+}
+int kvm_inject_realmode_interrupt(struct kvm_vcpu *vcpu, int irq, int inc_eip)
+{
+        struct decode_cache *c = &vcpu->arch.emulate_ctxt.decode;
+        int ret;
+        init_emulate_ctxt(vcpu);
+        vcpu->arch.emulate_ctxt.decode.op_bytes = 2;
+        vcpu->arch.emulate_ctxt.decode.ad_bytes = 2;
+        vcpu->arch.emulate_ctxt.decode.eip = vcpu->arch.emulate_ctxt.eip +
+                                                                 inc_eip;
+        ret = emulate_int_real(&vcpu->arch.emulate_ctxt, &emulate_ops, irq);
+        if (ret != X86EMUL_CONTINUE)
+                return EMULATE_FAIL;
+        vcpu->arch.emulate_ctxt.eip = c->eip;
+        memcpy(vcpu->arch.regs, c->regs, sizeof c->regs);
+        kvm_rip_write(vcpu, vcpu->arch.emulate_ctxt.eip);
+        kvm_set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
+        if (irq == NMI_VECTOR)
+                vcpu->arch.nmi_pending = false;
        else
-                kvm_queue_exception(vcpu, ctxt->exception);
+                vcpu->arch.interrupt.pending = false;
+        return EMULATE_DONE;
 }
+EXPORT_SYMBOL_GPL(kvm_inject_realmode_interrupt);
 static int handle_emulation_failure(struct kvm_vcpu *vcpu)
 {
+        int r = EMULATE_DONE;
        ++vcpu->stat.insn_emulation_fail;
        trace_kvm_emulate_insn_failed(vcpu);
-        vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+        if (!is_guest_mode(vcpu)) {
-        vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+                vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
-        vcpu->run->internal.ndata = 0;
+                vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
+                vcpu->run->internal.ndata = 0;
+                r = EMULATE_FAIL;
+        }
        kvm_queue_exception(vcpu, UD_VECTOR);
-        return EMULATE_FAIL;
+        return r;
 }
 static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t gva)
@@ -3962,74 +4575,34 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t gva)
        return false;
 }
-int emulate_instruction(struct kvm_vcpu *vcpu,
+int x86_emulate_instruction(struct kvm_vcpu *vcpu,
-                        unsigned long cr2,
+                            unsigned long cr2,
-                        u16 error_code,
+                            int emulation_type,
-                        int emulation_type)
+                            void *insn,
+                            int insn_len)
 {
        int r;
        struct decode_cache *c = &vcpu->arch.emulate_ctxt.decode;
+        bool writeback = true;
        kvm_clear_exception_queue(vcpu);
-        vcpu->arch.mmio_fault_cr2 = cr2;
-        /*
-         * TODO: fix emulate.c to use guest_read/write_register
-         * instead of direct ->regs accesses, can save hundred cycles
-         * on Intel for instructions that don't read/change RSP, for
-         * for example.
-         */
-        cache_all_regs(vcpu);
        if (!(emulation_type & EMULTYPE_NO_DECODE)) {
-                int cs_db, cs_l;
+                init_emulate_ctxt(vcpu);
-                kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
-                vcpu->arch.emulate_ctxt.vcpu = vcpu;
-                vcpu->arch.emulate_ctxt.eflags = kvm_x86_ops->get_rflags(vcpu);
-                vcpu->arch.emulate_ctxt.eip = kvm_rip_read(vcpu);
-                vcpu->arch.emulate_ctxt.mode =
-                        (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
-                        (vcpu->arch.emulate_ctxt.eflags & X86_EFLAGS_VM)
-                        ? X86EMUL_MODE_VM86 : cs_l
-                        ? X86EMUL_MODE_PROT64 : cs_db
-                        ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
-                memset(c, 0, sizeof(struct decode_cache));
-                memcpy(c->regs, vcpu->arch.regs, sizeof c->regs);
                vcpu->arch.emulate_ctxt.interruptibility = 0;
-                vcpu->arch.emulate_ctxt.exception = -1;
+                vcpu->arch.emulate_ctxt.have_exception = false;
+                vcpu->arch.emulate_ctxt.perm_ok = false;
-                r = x86_decode_insn(&vcpu->arch.emulate_ctxt, &emulate_ops);
-                trace_kvm_emulate_insn_start(vcpu);
-                /* Only allow emulation of specific instructions on #UD
+                vcpu->arch.emulate_ctxt.only_vendor_specific_insn
-                 * (namely VMMCALL, sysenter, sysexit, syscall)*/
+                        = emulation_type & EMULTYPE_TRAP_UD;
-                if (emulation_type & EMULTYPE_TRAP_UD) {
-                        if (!c->twobyte)
-                                return EMULATE_FAIL;
-                        switch (c->b) {
-                        case 0x01: /* VMMCALL */
-                                if (c->modrm_mod != 3 || c->modrm_rm != 1)
-                                        return EMULATE_FAIL;
-                                break;
-                        case 0x34: /* sysenter */
-                        case 0x35: /* sysexit */
-                                if (c->modrm_mod != 0 || c->modrm_rm != 0)
-                                        return EMULATE_FAIL;
-                                break;
-                        case 0x05: /* syscall */
-                                if (c->modrm_mod != 0 || c->modrm_rm != 0)
-                                        return EMULATE_FAIL;
-                                break;
-                        default:
-                                return EMULATE_FAIL;
-                        }
-                        if (!(c->modrm_reg == 0 || c->modrm_reg == 3))
+                r = x86_decode_insn(&vcpu->arch.emulate_ctxt, insn, insn_len);
-                                return EMULATE_FAIL;
-                }
+                trace_kvm_emulate_insn_start(vcpu);
                ++vcpu->stat.insn_emulation;
                if (r)  {
+                        if (emulation_type & EMULTYPE_TRAP_UD)
+                                return EMULATE_FAIL;
                        if (reexecute_instruction(vcpu, cr2))
                                return EMULATE_DONE;
                        if (emulation_type & EMULTYPE_SKIP)
@@ -4043,62 +4616,87 @@ int emulate_instruction(struct kvm_vcpu *vcpu,
                return EMULATE_DONE;
        }
-        /* this is needed for vmware backdor interface to work since it
+        /* this is needed for vmware backdoor interface to work since it
           changes registers values  during IO operation */
-        memcpy(c->regs, vcpu->arch.regs, sizeof c->regs);
+        if (vcpu->arch.emulate_regs_need_sync_from_vcpu) {
+                vcpu->arch.emulate_regs_need_sync_from_vcpu = false;
+                memcpy(c->regs, vcpu->arch.regs, sizeof c->regs);
+        }
 restart:
-        r = x86_emulate_insn(&vcpu->arch.emulate_ctxt, &emulate_ops);
+        r = x86_emulate_insn(&vcpu->arch.emulate_ctxt);
+        if (r == EMULATION_INTERCEPTED)
+                return EMULATE_DONE;
-        if (r) { /* emulation failed */
+        if (r == EMULATION_FAILED) {
                if (reexecute_instruction(vcpu, cr2))
                        return EMULATE_DONE;
                return handle_emulation_failure(vcpu);
        }
-        toggle_interruptibility(vcpu, vcpu->arch.emulate_ctxt.interruptibility);
+        if (vcpu->arch.emulate_ctxt.have_exception) {
-        kvm_x86_ops->set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
-        memcpy(vcpu->arch.regs, c->regs, sizeof c->regs);
-        kvm_rip_write(vcpu, vcpu->arch.emulate_ctxt.eip);
-        if (vcpu->arch.emulate_ctxt.exception >= 0) {
                inject_emulated_exception(vcpu);
-                return EMULATE_DONE;
+                r = EMULATE_DONE;
-        }
+        } else if (vcpu->arch.pio.count) {
-        if (vcpu->arch.pio.count) {
                if (!vcpu->arch.pio.in)
                        vcpu->arch.pio.count = 0;
-                return EMULATE_DO_MMIO;
+                else
-        }
+                        writeback = false;
+                r = EMULATE_DO_MMIO;
-        if (vcpu->mmio_needed) {
+        } else if (vcpu->mmio_needed) {
-                if (vcpu->mmio_is_write)
+                if (!vcpu->mmio_is_write)
-                        vcpu->mmio_needed = 0;
+                        writeback = false;
-                return EMULATE_DO_MMIO;
+                r = EMULATE_DO_MMIO;
-        }
+        } else if (r == EMULATION_RESTART)
-        if (vcpu->arch.emulate_ctxt.restart)
                goto restart;
+        else
+                r = EMULATE_DONE;
+        if (writeback) {
+                toggle_interruptibility(vcpu,
+                                vcpu->arch.emulate_ctxt.interruptibility);
+                kvm_set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
+                kvm_make_request(KVM_REQ_EVENT, vcpu);
+                memcpy(vcpu->arch.regs, c->regs, sizeof c->regs);
+                vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+                kvm_rip_write(vcpu, vcpu->arch.emulate_ctxt.eip);
+        } else
+                vcpu->arch.emulate_regs_need_sync_to_vcpu = true;
-        return EMULATE_DONE;
+        return r;
 }
-EXPORT_SYMBOL_GPL(emulate_instruction);
+EXPORT_SYMBOL_GPL(x86_emulate_instruction);
 int kvm_fast_pio_out(struct kvm_vcpu *vcpu, int size, unsigned short port)
 {
        unsigned long val = kvm_register_read(vcpu, VCPU_REGS_RAX);
-        int ret = emulator_pio_out_emulated(size, port, &val, 1, vcpu);
+        int ret = emulator_pio_out_emulated(&vcpu->arch.emulate_ctxt,
+                                            size, port, &val, 1);
        /* do not return to emulator after return from userspace */
        vcpu->arch.pio.count = 0;
        return ret;
 }
 EXPORT_SYMBOL_GPL(kvm_fast_pio_out);
-static void bounce_off(void *info)
+static void tsc_bad(void *info)
 {
-        /* nothing */
+        __this_cpu_write(cpu_tsc_khz, 0);
+}
+static void tsc_khz_changed(void *data)
+{
+        struct cpufreq_freqs *freq = data;
+        unsigned long khz = 0;
+        if (data)
+                khz = freq->new;
+        else if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))
+                khz = cpufreq_quick_get(raw_smp_processor_id());
+        if (!khz)
+                khz = tsc_khz;
+        __this_cpu_write(cpu_tsc_khz, khz);
 }
 static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long val,
@@ -4109,24 +4707,63 @@ static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long va
        struct kvm_vcpu *vcpu;
        int i, send_ipi = 0;
+        /*
+         * We allow guests to temporarily run on slowing clocks,
+         * provided we notify them after, or to run on accelerating
+         * clocks, provided we notify them before.  Thus time never
+         * goes backwards.
+         *
+         * However, we have a problem.  We can't atomically update
+         * the frequency of a given CPU from this function; it is
+         * merely a notifier, which can be called from any CPU.
+         * Changing the TSC frequency at arbitrary points in time
+         * requires a recomputation of local variables related to
+         * the TSC for each VCPU.  We must flag these local variables
+         * to be updated and be sure the update takes place with the
+         * new frequency before any guests proceed.
+         *
+         * Unfortunately, the combination of hotplug CPU and frequency
+         * change creates an intractable locking scenario; the order
+         * of when these callouts happen is undefined with respect to
+         * CPU hotplug, and they can race with each other.  As such,
+         * merely setting per_cpu(cpu_tsc_khz) = X during a hotadd is
+         * undefined; you can actually have a CPU frequency change take
+         * place in between the computation of X and the setting of the
+         * variable.  To protect against this problem, all updates of
+         * the per_cpu tsc_khz variable are done in an interrupt
+         * protected IPI, and all callers wishing to update the value
+         * must wait for a synchronous IPI to complete (which is trivial
+         * if the caller is on the CPU already).  This establishes the
+         * necessary total order on variable updates.
+         *
+         * Note that because a guest time update may take place
+         * anytime after the setting of the VCPU's request bit, the
+         * correct TSC value must be set before the request.  However,
+         * to ensure the update actually makes it to any guest which
+         * starts running in hardware virtualization between the set
+         * and the acquisition of the spinlock, we must also ping the
+         * CPU after setting the request bit.
+         *
+         */
        if (val == CPUFREQ_PRECHANGE && freq->old > freq->new)
                return 0;
        if (val == CPUFREQ_POSTCHANGE && freq->old < freq->new)
                return 0;
-        per_cpu(cpu_tsc_khz, freq->cpu) = freq->new;
-        spin_lock(&kvm_lock);
+        smp_call_function_single(freq->cpu, tsc_khz_changed, freq, 1);
+        raw_spin_lock(&kvm_lock);
        list_for_each_entry(kvm, &vm_list, vm_list) {
                kvm_for_each_vcpu(i, vcpu, kvm) {
                        if (vcpu->cpu != freq->cpu)
                                continue;
-                        if (!kvm_request_guest_time_update(vcpu))
+                        kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
-                                continue;
                        if (vcpu->cpu != smp_processor_id())
-                                send_ipi++;
+                                send_ipi = 1;
                }
        }
-        spin_unlock(&kvm_lock);
+        raw_spin_unlock(&kvm_lock);
        if (freq->old < freq->new && send_ipi) {
                /*
@@ -4141,32 +4778,59 @@ static int kvmclock_cpufreq_notifier(struct notifier_block *nb, unsigned long va
                 * guest context is entered kvmclock will be updated,
                 * so the guest will not see stale values.
                 */
-                smp_call_function_single(freq->cpu, bounce_off, NULL, 1);
+                smp_call_function_single(freq->cpu, tsc_khz_changed, freq, 1);
        }
        return 0;
 }
 static struct notifier_block kvmclock_cpufreq_notifier_block = {
-        .notifier_call  = kvmclock_cpufreq_notifier
+        .notifier_call  = kvmclock_cpufreq_notifier
+};
+static int kvmclock_cpu_notifier(struct notifier_block *nfb,
+                                        unsigned long action, void *hcpu)
+{
+        unsigned int cpu = (unsigned long)hcpu;
+        switch (action) {
+                case CPU_ONLINE:
+                case CPU_DOWN_FAILED:
+                        smp_call_function_single(cpu, tsc_khz_changed, NULL, 1);
+                        break;
+                case CPU_DOWN_PREPARE:
+                        smp_call_function_single(cpu, tsc_bad, NULL, 1);
+                        break;
+        }
+        return NOTIFY_OK;
+}
+static struct notifier_block kvmclock_cpu_notifier_block = {
+        .notifier_call  = kvmclock_cpu_notifier,
+        .priority = -INT_MAX
 };
 static void kvm_timer_init(void)
 {
        int cpu;
+        max_tsc_khz = tsc_khz;
+        register_hotcpu_notifier(&kvmclock_cpu_notifier_block);
        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) {
+#ifdef CONFIG_CPU_FREQ
+                struct cpufreq_policy policy;
+                memset(&policy, 0, sizeof(policy));
+                cpu = get_cpu();
+                cpufreq_get_policy(&policy, cpu);
+                if (policy.cpuinfo.max_freq)
+                        max_tsc_khz = policy.cpuinfo.max_freq;
+                put_cpu();
+#endif
                cpufreq_register_notifier(&kvmclock_cpufreq_notifier_block,
                                          CPUFREQ_TRANSITION_NOTIFIER);
-                for_each_online_cpu(cpu) {
-                        unsigned long khz = cpufreq_get(cpu);
-                        if (!khz)
-                                khz = tsc_khz;
-                        per_cpu(cpu_tsc_khz, cpu) = khz;
-                }
-        } else {
-                for_each_possible_cpu(cpu)
-                        per_cpu(cpu_tsc_khz, cpu) = tsc_khz;
        }
+        pr_debug("kvm: max_tsc_khz = %ld\n", max_tsc_khz);
+        for_each_online_cpu(cpu)
+                smp_call_function_single(cpu, tsc_khz_changed, NULL, 1);
 }
 static DEFINE_PER_CPU(struct kvm_vcpu *, current_vcpu);
@@ -4244,7 +4908,6 @@ int kvm_arch_init(void *opaque)
        kvm_x86_ops = ops;
        kvm_mmu_set_nonpresent_ptes(0ull, 0ull);
-        kvm_mmu_set_base_ptes(PT_PRESENT_MASK);
        kvm_mmu_set_mask_ptes(PT_USER_MASK, PT_ACCESSED_MASK,
                        PT_DIRTY_MASK, PT64_NX_MASK, 0);
@@ -4268,6 +4931,7 @@ void kvm_arch_exit(void)
        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))
                cpufreq_unregister_notifier(&kvmclock_cpufreq_notifier_block,
                                            CPUFREQ_TRANSITION_NOTIFIER);
+        unregister_hotcpu_notifier(&kvmclock_cpu_notifier_block);
        kvm_x86_ops = NULL;
        kvm_mmu_module_exit();
 }
@@ -4403,8 +5067,9 @@ out:
 }
 EXPORT_SYMBOL_GPL(kvm_emulate_hypercall);
-int kvm_fix_hypercall(struct kvm_vcpu *vcpu)
+int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt)
 {
+        struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
        char instruction[3];
        unsigned long rip = kvm_rip_read(vcpu);
@@ -4417,21 +5082,8 @@ int kvm_fix_hypercall(struct kvm_vcpu *vcpu)
        kvm_x86_ops->patch_hypercall(vcpu, instruction);
-        return emulator_write_emulated(rip, instruction, 3, NULL, vcpu);
+        return emulator_write_emulated(&vcpu->arch.emulate_ctxt,
-}
+                                       rip, instruction, 3, NULL);
-void realmode_lgdt(struct kvm_vcpu *vcpu, u16 limit, unsigned long base)
-{
-        struct desc_ptr dt = { limit, base };
-        kvm_x86_ops->set_gdt(vcpu, &dt);
-}
-void realmode_lidt(struct kvm_vcpu *vcpu, u16 limit, unsigned long base)
-{
-        struct desc_ptr dt = { limit, base };
-        kvm_x86_ops->set_idt(vcpu, &dt);
 }
 static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i)
@@ -4482,12 +5134,6 @@ struct kvm_cpuid_entry2 *kvm_find_cpuid_entry(struct kvm_vcpu *vcpu,
                        best = e;
                        break;
                }
-                /*
-                 * Both basic or both extended?
-                 */
-                if (((e->function ^ function) & 0x80000000) == 0)
-                        if (!best || e->function > best->function)
-                                best = e;
        }
        return best;
 }
@@ -4507,6 +5153,27 @@ not_found:
        return 36;
 }
+/*
+ * If no match is found, check whether we exceed the vCPU's limit
+ * and return the content of the highest valid _standard_ leaf instead.
+ * This is to satisfy the CPUID specification.
+ */
+static struct kvm_cpuid_entry2* check_cpuid_limit(struct kvm_vcpu *vcpu,
+                                                  u32 function, u32 index)
+{
+        struct kvm_cpuid_entry2 *maxlevel;
+        maxlevel = kvm_find_cpuid_entry(vcpu, function & 0x80000000, 0);
+        if (!maxlevel || maxlevel->eax >= function)
+                return NULL;
+        if (function & 0x80000000) {
+                maxlevel = kvm_find_cpuid_entry(vcpu, 0, 0);
+                if (!maxlevel)
+                        return NULL;
+        }
+        return kvm_find_cpuid_entry(vcpu, maxlevel->eax, index);
+}
 void kvm_emulate_cpuid(struct kvm_vcpu *vcpu)
 {
        u32 function, index;
@@ -4519,6 +5186,10 @@ void kvm_emulate_cpuid(struct kvm_vcpu *vcpu)
        kvm_register_write(vcpu, VCPU_REGS_RCX, 0);
        kvm_register_write(vcpu, VCPU_REGS_RDX, 0);
        best = kvm_find_cpuid_entry(vcpu, function, index);
+        if (!best)
+                best = check_cpuid_limit(vcpu, function, index);
        if (best) {
                kvm_register_write(vcpu, VCPU_REGS_RAX, best->eax);
                kvm_register_write(vcpu, VCPU_REGS_RBX, best->ebx);
@@ -4675,6 +5346,7 @@ static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
 static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
 {
        int r;
+        bool nmi_pending;
        bool req_int_win = !irqchip_in_kernel(vcpu->kvm) &&
                vcpu->run->request_interrupt_window;
@@ -4683,8 +5355,11 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                        kvm_mmu_unload(vcpu);
                if (kvm_check_request(KVM_REQ_MIGRATE_TIMER, vcpu))
                        __kvm_migrate_timers(vcpu);
-                if (kvm_check_request(KVM_REQ_KVMCLOCK_UPDATE, vcpu))
+                if (kvm_check_request(KVM_REQ_CLOCK_UPDATE, vcpu)) {
-                        kvm_write_guest_time(vcpu);
+                        r = kvm_guest_time_update(vcpu);
+                        if (unlikely(r))
+                                goto out;
+                }
                if (kvm_check_request(KVM_REQ_MMU_SYNC, vcpu))
                        kvm_mmu_sync_roots(vcpu);
                if (kvm_check_request(KVM_REQ_TLB_FLUSH, vcpu))
@@ -4703,12 +5378,41 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                        vcpu->fpu_active = 0;
                        kvm_x86_ops->fpu_deactivate(vcpu);
                }
+                if (kvm_check_request(KVM_REQ_APF_HALT, vcpu)) {
+                        /* Page is swapped out. Do synthetic halt */
+                        vcpu->arch.apf.halted = true;
+                        r = 1;
+                        goto out;
+                }
        }
        r = kvm_mmu_reload(vcpu);
        if (unlikely(r))
                goto out;
+        /*
+         * An NMI can be injected between local nmi_pending read and
+         * vcpu->arch.nmi_pending read inside inject_pending_event().
+         * But in that case, KVM_REQ_EVENT will be set, which makes
+         * the race described above benign.
+         */
+        nmi_pending = ACCESS_ONCE(vcpu->arch.nmi_pending);
+        if (kvm_check_request(KVM_REQ_EVENT, vcpu) || req_int_win) {
+                inject_pending_event(vcpu);
+                /* enable NMI/IRQ window open exits if needed */
+                if (nmi_pending)
+                        kvm_x86_ops->enable_nmi_window(vcpu);
+                else if (kvm_cpu_has_interrupt(vcpu) || req_int_win)
+                        kvm_x86_ops->enable_irq_window(vcpu);
+                if (kvm_lapic_enabled(vcpu)) {
+                        update_cr8_intercept(vcpu);
+                        kvm_lapic_sync_to_vapic(vcpu);
+                }
+        }
        preempt_disable();
        kvm_x86_ops->prepare_guest_switch(vcpu);
@@ -4716,34 +5420,26 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                kvm_load_guest_fpu(vcpu);
        kvm_load_guest_xcr0(vcpu);
-        atomic_set(&vcpu->guest_mode, 1);
+        vcpu->mode = IN_GUEST_MODE;
-        smp_wmb();
+        /* We should set ->mode before check ->requests,
+         * see the comment in make_all_cpus_request.
+         */
+        smp_mb();
        local_irq_disable();
-        if (!atomic_read(&vcpu->guest_mode) || vcpu->requests
+        if (vcpu->mode == EXITING_GUEST_MODE || vcpu->requests
            || need_resched() || signal_pending(current)) {
-                atomic_set(&vcpu->guest_mode, 0);
+                vcpu->mode = OUTSIDE_GUEST_MODE;
                smp_wmb();
                local_irq_enable();
                preempt_enable();
+                kvm_x86_ops->cancel_injection(vcpu);
                r = 1;
                goto out;
        }
-        inject_pending_event(vcpu);
-        /* enable NMI/IRQ window open exits if needed */
-        if (vcpu->arch.nmi_pending)
-                kvm_x86_ops->enable_nmi_window(vcpu);
-        else if (kvm_cpu_has_interrupt(vcpu) || req_int_win)
-                kvm_x86_ops->enable_irq_window(vcpu);
-        if (kvm_lapic_enabled(vcpu)) {
-                update_cr8_intercept(vcpu);
-                kvm_lapic_sync_to_vapic(vcpu);
-        }
        srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
        kvm_guest_enter();
@@ -4769,7 +5465,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
        if (hw_breakpoint_active())
                hw_breakpoint_restore();
-        atomic_set(&vcpu->guest_mode, 0);
+        kvm_get_msr(vcpu, MSR_IA32_TSC, &vcpu->arch.last_guest_tsc);
+        vcpu->mode = OUTSIDE_GUEST_MODE;
        smp_wmb();
        local_irq_enable();
@@ -4826,7 +5524,8 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
        r = 1;
        while (r > 0) {
-                if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE)
+                if (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE &&
+                    !vcpu->arch.apf.halted)
                        r = vcpu_enter_guest(vcpu);
                else {
                        srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
@@ -4839,6 +5538,7 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
                                        vcpu->arch.mp_state =
                                                KVM_MP_STATE_RUNNABLE;
                                case KVM_MP_STATE_RUNNABLE:
+                                        vcpu->arch.apf.halted = false;
                                        break;
                                case KVM_MP_STATE_SIPI_RECEIVED:
                                default:
@@ -4860,6 +5560,9 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
                        vcpu->run->exit_reason = KVM_EXIT_INTR;
                        ++vcpu->stat.request_irq_exits;
                }
+                kvm_check_async_pf_completion(vcpu);
                if (signal_pending(current)) {
                        r = -EINTR;
                        vcpu->run->exit_reason = KVM_EXIT_INTR;
@@ -4879,11 +5582,49 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
        return r;
 }
+static int complete_mmio(struct kvm_vcpu *vcpu)
+{
+        struct kvm_run *run = vcpu->run;
+        int r;
+        if (!(vcpu->arch.pio.count || vcpu->mmio_needed))
+                return 1;
+        if (vcpu->mmio_needed) {
+                vcpu->mmio_needed = 0;
+                if (!vcpu->mmio_is_write)
+                        memcpy(vcpu->mmio_data + vcpu->mmio_index,
+                               run->mmio.data, 8);
+                vcpu->mmio_index += 8;
+                if (vcpu->mmio_index < vcpu->mmio_size) {
+                        run->exit_reason = KVM_EXIT_MMIO;
+                        run->mmio.phys_addr = vcpu->mmio_phys_addr + vcpu->mmio_index;
+                        memcpy(run->mmio.data, vcpu->mmio_data + vcpu->mmio_index, 8);
+                        run->mmio.len = min(vcpu->mmio_size - vcpu->mmio_index, 8);
+                        run->mmio.is_write = vcpu->mmio_is_write;
+                        vcpu->mmio_needed = 1;
+                        return 0;
+                }
+                if (vcpu->mmio_is_write)
+                        return 1;
+                vcpu->mmio_read_completed = 1;
+        }
+        vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
+        r = emulate_instruction(vcpu, EMULTYPE_NO_DECODE);
+        srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
+        if (r != EMULATE_DONE)
+                return 0;
+        return 1;
+}
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 {
        int r;
        sigset_t sigsaved;
+        if (!tsk_used_math(current) && init_fpu(current))
+                return -ENOMEM;
        if (vcpu->sigset_active)
                sigprocmask(SIG_SETMASK, &vcpu->sigset, &sigsaved);
@@ -4895,24 +5636,17 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        }
        /* re-sync apic's tpr */
-        if (!irqchip_in_kernel(vcpu->kvm))
+        if (!irqchip_in_kernel(vcpu->kvm)) {
-                kvm_set_cr8(vcpu, kvm_run->cr8);
+                if (kvm_set_cr8(vcpu, kvm_run->cr8) != 0) {
+                        r = -EINVAL;
-        if (vcpu->arch.pio.count || vcpu->mmio_needed ||
-            vcpu->arch.emulate_ctxt.restart) {
-                if (vcpu->mmio_needed) {
-                        memcpy(vcpu->mmio_data, kvm_run->mmio.data, 8);
-                        vcpu->mmio_read_completed = 1;
-                        vcpu->mmio_needed = 0;
-                }
-                vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
-                r = emulate_instruction(vcpu, 0, 0, EMULTYPE_NO_DECODE);
-                srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
-                if (r != EMULATE_DONE) {
-                        r = 0;
                        goto out;
                }
        }
+        r = complete_mmio(vcpu);
+        if (r <= 0)
+                goto out;
        if (kvm_run->exit_reason == KVM_EXIT_HYPERCALL)
                kvm_register_write(vcpu, VCPU_REGS_RAX,
                                     kvm_run->hypercall.ret);
@@ -4929,6 +5663,18 @@ out:
 int kvm_arch_vcpu_ioctl_get_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
 {
+        if (vcpu->arch.emulate_regs_need_sync_to_vcpu) {
+                /*
+                 * We are here if userspace calls get_regs() in the middle of
+                 * instruction emulation. Registers state needs to be copied
+                 * back from emulation context to vcpu. Usrapace shouldn't do
+                 * that usually, but some bad designed PV devices (vmware
+                 * backdoor interface) need this to work
+                 */
+                struct decode_cache *c = &vcpu->arch.emulate_ctxt.decode;
+                memcpy(vcpu->arch.regs, c->regs, sizeof c->regs);
+                vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+        }
        regs->rax = kvm_register_read(vcpu, VCPU_REGS_RAX);
        regs->rbx = kvm_register_read(vcpu, VCPU_REGS_RBX);
        regs->rcx = kvm_register_read(vcpu, VCPU_REGS_RCX);
@@ -4956,6 +5702,9 @@ int kvm_arch_vcpu_ioctl_get_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
 int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
 {
+        vcpu->arch.emulate_regs_need_sync_from_vcpu = true;
+        vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
        kvm_register_write(vcpu, VCPU_REGS_RAX, regs->rax);
        kvm_register_write(vcpu, VCPU_REGS_RBX, regs->rbx);
        kvm_register_write(vcpu, VCPU_REGS_RCX, regs->rcx);
@@ -4980,6 +5729,8 @@ int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
        vcpu->arch.exception.pending = false;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -5017,7 +5768,7 @@ int kvm_arch_vcpu_ioctl_get_sregs(struct kvm_vcpu *vcpu,
        sregs->cr0 = kvm_read_cr0(vcpu);
        sregs->cr2 = vcpu->arch.cr2;
-        sregs->cr3 = vcpu->arch.cr3;
+        sregs->cr3 = kvm_read_cr3(vcpu);
        sregs->cr4 = kvm_read_cr4(vcpu);
        sregs->cr8 = kvm_get_cr8(vcpu);
        sregs->efer = vcpu->arch.efer;
@@ -5043,6 +5794,7 @@ int kvm_arch_vcpu_ioctl_set_mpstate(struct kvm_vcpu *vcpu,
                                    struct kvm_mp_state *mp_state)
 {
        vcpu->arch.mp_state = mp_state->mp_state;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -5050,24 +5802,11 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason,
                    bool has_error_code, u32 error_code)
 {
        struct decode_cache *c = &vcpu->arch.emulate_ctxt.decode;
-        int cs_db, cs_l, ret;
+        int ret;
-        cache_all_regs(vcpu);
-        kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l);
-        vcpu->arch.emulate_ctxt.vcpu = vcpu;
+        init_emulate_ctxt(vcpu);
-        vcpu->arch.emulate_ctxt.eflags = kvm_x86_ops->get_rflags(vcpu);
-        vcpu->arch.emulate_ctxt.eip = kvm_rip_read(vcpu);
-        vcpu->arch.emulate_ctxt.mode =
-                (!is_protmode(vcpu)) ? X86EMUL_MODE_REAL :
-                (vcpu->arch.emulate_ctxt.eflags & X86_EFLAGS_VM)
-                ? X86EMUL_MODE_VM86 : cs_l
-                ? X86EMUL_MODE_PROT64 : cs_db
-                ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
-        memset(c, 0, sizeof(struct decode_cache));
-        memcpy(c->regs, vcpu->arch.regs, sizeof c->regs);
-        ret = emulator_task_switch(&vcpu->arch.emulate_ctxt, &emulate_ops,
+        ret = emulator_task_switch(&vcpu->arch.emulate_ctxt,
                                   tss_selector, reason, has_error_code,
                                   error_code);
@@ -5076,7 +5815,8 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int reason,
        memcpy(vcpu->arch.regs, c->regs, sizeof c->regs);
        kvm_rip_write(vcpu, vcpu->arch.emulate_ctxt.eip);
-        kvm_x86_ops->set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
+        kvm_set_rflags(vcpu, vcpu->arch.emulate_ctxt.eflags);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return EMULATE_DONE;
 }
 EXPORT_SYMBOL_GPL(kvm_task_switch);
@@ -5085,7 +5825,7 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
                                  struct kvm_sregs *sregs)
 {
        int mmu_reset_needed = 0;
-        int pending_vec, max_bits;
+        int pending_vec, max_bits, idx;
        struct desc_ptr dt;
        dt.size = sregs->idt.limit;
@@ -5096,8 +5836,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
        kvm_x86_ops->set_gdt(vcpu, &dt);
        vcpu->arch.cr2 = sregs->cr2;
-        mmu_reset_needed |= vcpu->arch.cr3 != sregs->cr3;
+        mmu_reset_needed |= kvm_read_cr3(vcpu) != sregs->cr3;
        vcpu->arch.cr3 = sregs->cr3;
+        __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
        kvm_set_cr8(vcpu, sregs->cr8);
@@ -5111,10 +5852,15 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
        mmu_reset_needed |= kvm_read_cr4(vcpu) != sregs->cr4;
        kvm_x86_ops->set_cr4(vcpu, sregs->cr4);
+        if (sregs->cr4 & X86_CR4_OSXSAVE)
+                update_cpuid(vcpu);
+        idx = srcu_read_lock(&vcpu->kvm->srcu);
        if (!is_long_mode(vcpu) && is_pae(vcpu)) {
-                load_pdptrs(vcpu, vcpu->arch.cr3);
+                load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
                mmu_reset_needed = 1;
        }
+        srcu_read_unlock(&vcpu->kvm->srcu, idx);
        if (mmu_reset_needed)
                kvm_mmu_reset_context(vcpu);
@@ -5125,8 +5871,6 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
        if (pending_vec < max_bits) {
                kvm_queue_interrupt(vcpu, pending_vec, false);
                pr_debug("Set back pending irq %d\n", pending_vec);
-                if (irqchip_in_kernel(vcpu->kvm))
-                        kvm_pic_clear_isr_ack(vcpu->kvm);
        }
        kvm_set_segment(vcpu, &sregs->cs, VCPU_SREG_CS);
@@ -5147,6 +5891,8 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
            !is_protmode(vcpu))
                vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -5320,10 +6066,7 @@ void kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
 void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
 {
-        if (vcpu->arch.time_page) {
+        kvmclock_reset(vcpu);
-                kvm_release_page_dirty(vcpu->arch.time_page);
-                vcpu->arch.time_page = NULL;
-        }
        free_cpumask_var(vcpu->arch.wbinvd_dirty_mask);
        fx_free(vcpu);
@@ -5333,6 +6076,10 @@ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
 struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
                                                unsigned int id)
 {
+        if (check_tsc_unstable() && atomic_read(&kvm->online_vcpus) != 0)
+                printk_once(KERN_WARNING
+                "kvm: SMP vm created on host with unstable TSC; "
+                "guest TSC will not be reliable\n");
        return kvm_x86_ops->vcpu_create(kvm, id);
 }
@@ -5357,6 +6104,8 @@ free_vcpu:
 void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
 {
+        vcpu->arch.apf.msr_val = 0;
        vcpu_load(vcpu);
        kvm_mmu_unload(vcpu);
        vcpu_put(vcpu);
@@ -5375,22 +6124,29 @@ int kvm_arch_vcpu_reset(struct kvm_vcpu *vcpu)
        vcpu->arch.dr6 = DR6_FIXED_1;
        vcpu->arch.dr7 = DR7_FIXED_1;
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
+        vcpu->arch.apf.msr_val = 0;
+        kvmclock_reset(vcpu);
+        kvm_clear_async_pf_completion_queue(vcpu);
+        kvm_async_pf_hash_reset(vcpu);
+        vcpu->arch.apf.halted = false;
        return kvm_x86_ops->vcpu_reset(vcpu);
 }
 int kvm_arch_hardware_enable(void *garbage)
 {
-        /*
+        struct kvm *kvm;
-         * Since this may be called from a hotplug notifcation,
+        struct kvm_vcpu *vcpu;
-         * we can't get the CPU frequency directly.
+        int i;
-         */
-        if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC)) {
-                int cpu = raw_smp_processor_id();
-                per_cpu(cpu_tsc_khz, cpu) = 0;
-        }
        kvm_shared_msr_cpu_online();
+        list_for_each_entry(kvm, &vm_list, vm_list)
+                kvm_for_each_vcpu(i, vcpu, kvm)
+                        if (vcpu->cpu == smp_processor_id())
+                                kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
        return kvm_x86_ops->hardware_enable(garbage);
 }
@@ -5424,7 +6180,11 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
        BUG_ON(vcpu->kvm == NULL);
        kvm = vcpu->kvm;
+        vcpu->arch.emulate_ctxt.ops = &emulate_ops;
+        vcpu->arch.walk_mmu = &vcpu->arch.mmu;
        vcpu->arch.mmu.root_hpa = INVALID_PAGE;
+        vcpu->arch.mmu.translate_gpa = translate_gpa;
+        vcpu->arch.nested_mmu.translate_gpa = translate_nested_gpa;
        if (!irqchip_in_kernel(kvm) || kvm_vcpu_is_bsp(vcpu))
                vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
        else
@@ -5437,6 +6197,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
        }
        vcpu->arch.pio_data = page_address(page);
+        kvm_init_tsc_catchup(vcpu, max_tsc_khz);
        r = kvm_mmu_create(vcpu);
        if (r < 0)
                goto fail_free_pio_data;
@@ -5458,6 +6220,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
        if (!zalloc_cpumask_var(&vcpu->arch.wbinvd_dirty_mask, GFP_KERNEL))
                goto fail_free_mce_banks;
+        kvm_async_pf_hash_reset(vcpu);
        return 0;
 fail_free_mce_banks:
        kfree(vcpu->arch.mce_banks);
@@ -5483,22 +6247,17 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
        free_page((unsigned long)vcpu->arch.pio_data);
 }
-struct  kvm *kvm_arch_create_vm(void)
+int kvm_arch_init_vm(struct kvm *kvm)
 {
-        struct kvm *kvm = kzalloc(sizeof(struct kvm), GFP_KERNEL);
-        if (!kvm)
-                return ERR_PTR(-ENOMEM);
        INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
        INIT_LIST_HEAD(&kvm->arch.assigned_dev_head);
        /* Reserve bit 0 of irq_sources_bitmap for userspace irq source */
        set_bit(KVM_USERSPACE_IRQ_SOURCE_ID, &kvm->arch.irq_sources_bitmap);
-        rdtscll(kvm->arch.vm_init_tsc);
+        raw_spin_lock_init(&kvm->arch.tsc_write_lock);
-        return kvm;
+        return 0;
 }
 static void kvm_unload_vcpu_mmu(struct kvm_vcpu *vcpu)
@@ -5516,8 +6275,10 @@ static void kvm_free_vcpus(struct kvm *kvm)
        /*
         * Unpin any mmu pages first.
         */
-        kvm_for_each_vcpu(i, vcpu, kvm)
+        kvm_for_each_vcpu(i, vcpu, kvm) {
+                kvm_clear_async_pf_completion_queue(vcpu);
                kvm_unload_vcpu_mmu(vcpu);
+        }
        kvm_for_each_vcpu(i, vcpu, kvm)
                kvm_arch_vcpu_free(vcpu);
@@ -5541,13 +6302,10 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
        kfree(kvm->arch.vpic);
        kfree(kvm->arch.vioapic);
        kvm_free_vcpus(kvm);
-        kvm_free_physmem(kvm);
        if (kvm->arch.apic_access_page)
                put_page(kvm->arch.apic_access_page);
        if (kvm->arch.ept_identity_pagetable)
                put_page(kvm->arch.ept_identity_pagetable);
-        cleanup_srcu_struct(&kvm->srcu);
-        kfree(kvm);
 }
 int kvm_arch_prepare_memory_region(struct kvm *kvm,
@@ -5595,7 +6353,7 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
                                int user_alloc)
 {
-        int npages = mem->memory_size >> PAGE_SHIFT;
+        int nr_mmu_pages = 0, npages = mem->memory_size >> PAGE_SHIFT;
        if (!user_alloc && !old.user_alloc && old.rmap && !npages) {
                int ret;
@@ -5610,12 +6368,12 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
                               "failed to munmap memory\n");
        }
+        if (!kvm->arch.n_requested_mmu_pages)
+                nr_mmu_pages = kvm_mmu_calculate_mmu_pages(kvm);
        spin_lock(&kvm->mmu_lock);
-        if (!kvm->arch.n_requested_mmu_pages) {
+        if (nr_mmu_pages)
-                unsigned int nr_mmu_pages = kvm_mmu_calculate_mmu_pages(kvm);
                kvm_mmu_change_mmu_pages(kvm, nr_mmu_pages);
-        }
        kvm_mmu_slot_remove_write_access(kvm, mem->slot);
        spin_unlock(&kvm->mmu_lock);
 }
@@ -5628,7 +6386,9 @@ void kvm_arch_flush_shadow(struct kvm *kvm)
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
-        return vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE
+        return (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE &&
+                !vcpu->arch.apf.halted)
+                || !list_empty_careful(&vcpu->async_pf.done)
                || vcpu->arch.mp_state == KVM_MP_STATE_SIPI_RECEIVED
                || vcpu->arch.nmi_pending ||
                (kvm_arch_interrupt_allowed(vcpu) &&
@@ -5647,7 +6407,7 @@ void kvm_vcpu_kick(struct kvm_vcpu *vcpu)
        me = get_cpu();
        if (cpu != me && (unsigned)cpu < nr_cpu_ids && cpu_online(cpu))
-                if (atomic_xchg(&vcpu->guest_mode, 0))
+                if (kvm_vcpu_exiting_guest_mode(vcpu) == IN_GUEST_MODE)
                        smp_send_reschedule(cpu);
        put_cpu();
 }
@@ -5683,9 +6443,151 @@ void kvm_set_rflags(struct kvm_vcpu *vcpu, unsigned long rflags)
            kvm_is_linear_rip(vcpu, vcpu->arch.singlestep_rip))
                rflags |= X86_EFLAGS_TF;
        kvm_x86_ops->set_rflags(vcpu, rflags);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
 }
 EXPORT_SYMBOL_GPL(kvm_set_rflags);
+void kvm_arch_async_page_ready(struct kvm_vcpu *vcpu, struct kvm_async_pf *work)
+{
+        int r;
+        if ((vcpu->arch.mmu.direct_map != work->arch.direct_map) ||
+              is_error_page(work->page))
+                return;
+        r = kvm_mmu_reload(vcpu);
+        if (unlikely(r))
+                return;
+        if (!vcpu->arch.mmu.direct_map &&
+              work->arch.cr3 != vcpu->arch.mmu.get_cr3(vcpu))
+                return;
+        vcpu->arch.mmu.page_fault(vcpu, work->gva, 0, true);
+}
+static inline u32 kvm_async_pf_hash_fn(gfn_t gfn)
+{
+        return hash_32(gfn & 0xffffffff, order_base_2(ASYNC_PF_PER_VCPU));
+}
+static inline u32 kvm_async_pf_next_probe(u32 key)
+{
+        return (key + 1) & (roundup_pow_of_two(ASYNC_PF_PER_VCPU) - 1);
+}
+static void kvm_add_async_pf_gfn(struct kvm_vcpu *vcpu, gfn_t gfn)
+{
+        u32 key = kvm_async_pf_hash_fn(gfn);
+        while (vcpu->arch.apf.gfns[key] != ~0)
+                key = kvm_async_pf_next_probe(key);
+        vcpu->arch.apf.gfns[key] = gfn;
+}
+static u32 kvm_async_pf_gfn_slot(struct kvm_vcpu *vcpu, gfn_t gfn)
+{
+        int i;
+        u32 key = kvm_async_pf_hash_fn(gfn);
+        for (i = 0; i < roundup_pow_of_two(ASYNC_PF_PER_VCPU) &&
+                     (vcpu->arch.apf.gfns[key] != gfn &&
+                      vcpu->arch.apf.gfns[key] != ~0); i++)
+                key = kvm_async_pf_next_probe(key);
+        return key;
+}
+bool kvm_find_async_pf_gfn(struct kvm_vcpu *vcpu, gfn_t gfn)
+{
+        return vcpu->arch.apf.gfns[kvm_async_pf_gfn_slot(vcpu, gfn)] == gfn;
+}
+static void kvm_del_async_pf_gfn(struct kvm_vcpu *vcpu, gfn_t gfn)
+{
+        u32 i, j, k;
+        i = j = kvm_async_pf_gfn_slot(vcpu, gfn);
+        while (true) {
+                vcpu->arch.apf.gfns[i] = ~0;
+                do {
+                        j = kvm_async_pf_next_probe(j);
+                        if (vcpu->arch.apf.gfns[j] == ~0)
+                                return;
+                        k = kvm_async_pf_hash_fn(vcpu->arch.apf.gfns[j]);
+                        /*
+                         * k lies cyclically in ]i,j]
+                         * |    i.k.j |
+                         * |....j i.k.| or  |.k..j i...|
+                         */
+                } while ((i <= j) ? (i < k && k <= j) : (i < k || k <= j));
+                vcpu->arch.apf.gfns[i] = vcpu->arch.apf.gfns[j];
+                i = j;
+        }
+}
+static int apf_put_user(struct kvm_vcpu *vcpu, u32 val)
+{
+        return kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apf.data, &val,
+                                      sizeof(val));
+}
+void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu,
+                                     struct kvm_async_pf *work)
+{
+        struct x86_exception fault;
+        trace_kvm_async_pf_not_present(work->arch.token, work->gva);
+        kvm_add_async_pf_gfn(vcpu, work->arch.gfn);
+        if (!(vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) ||
+            (vcpu->arch.apf.send_user_only &&
+             kvm_x86_ops->get_cpl(vcpu) == 0))
+                kvm_make_request(KVM_REQ_APF_HALT, vcpu);
+        else if (!apf_put_user(vcpu, KVM_PV_REASON_PAGE_NOT_PRESENT)) {
+                fault.vector = PF_VECTOR;
+                fault.error_code_valid = true;
+                fault.error_code = 0;
+                fault.nested_page_fault = false;
+                fault.address = work->arch.token;
+                kvm_inject_page_fault(vcpu, &fault);
+        }
+}
+void kvm_arch_async_page_present(struct kvm_vcpu *vcpu,
+                                 struct kvm_async_pf *work)
+{
+        struct x86_exception fault;
+        trace_kvm_async_pf_ready(work->arch.token, work->gva);
+        if (is_error_page(work->page))
+                work->arch.token = ~0; /* broadcast wakeup */
+        else
+                kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
+        if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) &&
+            !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
+                fault.vector = PF_VECTOR;
+                fault.error_code_valid = true;
+                fault.error_code = 0;
+                fault.nested_page_fault = false;
+                fault.address = work->arch.token;
+                kvm_inject_page_fault(vcpu, &fault);
+        }
+        vcpu->arch.apf.halted = false;
+}
+bool kvm_arch_can_inject_async_page_present(struct kvm_vcpu *vcpu)
+{
+        if (!(vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED))
+                return true;
+        else
+                return !kvm_event_needs_reinjection(vcpu) &&
+                        kvm_x86_ops->interrupt_allowed(vcpu);
+}
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_exit);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_inj_virq);
 EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_page_fault);
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index b7a404722d2b..e407ed3df817 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -50,6 +50,11 @@ static inline int is_long_mode(struct kvm_vcpu *vcpu)
 #endif
 }
+static inline bool mmu_is_nested(struct kvm_vcpu *vcpu)
+{
+        return vcpu->arch.walk_mmu == &vcpu->arch.nested_mmu;
+}
 static inline int is_pae(struct kvm_vcpu *vcpu)
 {
        return kvm_read_cr4_bits(vcpu, X86_CR4_PAE);
@@ -65,7 +70,15 @@ static inline int is_paging(struct kvm_vcpu *vcpu)
        return kvm_read_cr0_bits(vcpu, X86_CR0_PG);
 }
+static inline u32 bit(int bitno)
+{
+        return 1 << (bitno & 31);
+}
 void kvm_before_handle_nmi(struct kvm_vcpu *vcpu);
 void kvm_after_handle_nmi(struct kvm_vcpu *vcpu);
+int kvm_inject_realmode_interrupt(struct kvm_vcpu *vcpu, int irq, int inc_eip);
+void kvm_write_tsc(struct kvm_vcpu *vcpu, u64 data);
 #endif
author	Glenn Elliott <gelliott@cs.unc.edu>	2012-03-04 19:47:13 -0500
committer	Glenn Elliott <gelliott@cs.unc.edu>	2012-03-04 19:47:13 -0500
commit	c71c03bda1e86c9d5198c5d83f712e695c4f2a1e (patch)
tree	ecb166cb3e2b7e2adb3b5e292245fefd23381ac8 /arch/x86/kvm
parent	ea53c912f8a86a8567697115b6a0d8152beee5c8 (diff)
parent	6a00f206debf8a5c8899055726ad127dbeeed098 (diff)