Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM updates from Paolo Bonzini:
 "First round of KVM updates for 3.14; PPC parts will come next week.

  Nothing major here, just bugfixes all over the place.  The most
  interesting part is the ARM guys' virtualized interrupt controller
  overhaul, which lets userspace get/set the state and thus enables
  migration of ARM VMs"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (67 commits)
  kvm: make KVM_MMU_AUDIT help text more readable
  KVM: s390: Fix memory access error detection
  KVM: nVMX: Update guest activity state field on L2 exits
  KVM: nVMX: Fix nested_run_pending on activity state HLT
  KVM: nVMX: Clean up handling of VMX-related MSRs
  KVM: nVMX: Add tracepoints for nested_vmexit and nested_vmexit_inject
  KVM: nVMX: Pass vmexit parameters to nested_vmx_vmexit
  KVM: nVMX: Leave VMX mode on clearing of feature control MSR
  KVM: VMX: Fix DR6 update on #DB exception
  KVM: SVM: Fix reading of DR6
  KVM: x86: Sync DR7 on KVM_SET_DEBUGREGS
  add support for Hyper-V reference time counter
  KVM: remove useless write to vcpu->hv_clock.tsc_timestamp
  KVM: x86: fix tsc catchup issue with tsc scaling
  KVM: x86: limit PIT timer frequency
  KVM: x86: handle invalid root_hpa everywhere
  kvm: Provide kvm_vcpu_eligible_for_directed_yield() stub
  kvm: vfio: silence GCC warning
  KVM: ARM: Remove duplicate include
  arm/arm64: KVM: relax the requirements of VMA alignment for THP
  ...

13 files changed, 336 insertions, 172 deletions

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index ae5d7830855c..fdf83afbb7d9 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -605,6 +605,7 @@ struct kvm_arch {
         /* fields used by HYPER-V emulation */
         u64 hv_guest_os_id;
         u64 hv_hypercall;
+        u64 hv_tsc_page;
 
         #ifdef CONFIG_KVM_MMU_AUDIT
         int audit_point;
@@ -699,6 +700,8 @@ struct kvm_x86_ops {
         void (*set_idt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
         void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
         void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
+        u64 (*get_dr6)(struct kvm_vcpu *vcpu);
+        void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value);
         void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value);
         void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
         unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 966502d4682e..2067264fb7f5 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -100,6 +100,7 @@
 
 #define VMX_MISC_PREEMPTION_TIMER_RATE_MASK     0x0000001f
 #define VMX_MISC_SAVE_EFER_LMA                  0x00000020
+#define VMX_MISC_ACTIVITY_HLT                   0x00000040
 
 /* VMCS Encodings */
 enum vmcs_field {
diff --git a/arch/x86/include/uapi/asm/hyperv.h b/arch/x86/include/uapi/asm/hyperv.h
index b8f1c0176cbc..462efe746d77 100644
--- a/arch/x86/include/uapi/asm/hyperv.h
+++ b/arch/x86/include/uapi/asm/hyperv.h
@@ -28,6 +28,9 @@
 /* Partition Reference Counter (HV_X64_MSR_TIME_REF_COUNT) available*/
 #define HV_X64_MSR_TIME_REF_COUNT_AVAILABLE     (1 << 1)
 
+/* A partition's reference time stamp counter (TSC) page */
+#define HV_X64_MSR_REFERENCE_TSC                0x40000021
+
 /*
  * There is a single feature flag that signifies the presence of the MSR
  * that can be used to retrieve both the local APIC Timer frequency as
@@ -198,6 +201,9 @@
 #define HV_X64_MSR_APIC_ASSIST_PAGE_ADDRESS_MASK        \
                 (~((1ull << HV_X64_MSR_APIC_ASSIST_PAGE_ADDRESS_SHIFT) - 1))
 
+#define HV_X64_MSR_TSC_REFERENCE_ENABLE         0x00000001
+#define HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT  12
+
 #define HV_PROCESSOR_POWER_STATE_C0             0
 #define HV_PROCESSOR_POWER_STATE_C1             1
 #define HV_PROCESSOR_POWER_STATE_C2             2
@@ -210,4 +216,11 @@
 #define HV_STATUS_INVALID_ALIGNMENT             4
 #define HV_STATUS_INSUFFICIENT_BUFFERS          19
 
+typedef struct _HV_REFERENCE_TSC_PAGE {
+        __u32 tsc_sequence;
+        __u32 res1;
+        __u64 tsc_scale;
+        __s64 tsc_offset;
+} HV_REFERENCE_TSC_PAGE, *PHV_REFERENCE_TSC_PAGE;
+
 #endif
diff --git a/arch/x86/include/uapi/asm/msr-index.h b/arch/x86/include/uapi/asm/msr-index.h
index 59cea185ad1d..c19fc60ff062 100644
--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -528,6 +528,7 @@
 #define MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x0000048e
 #define MSR_IA32_VMX_TRUE_EXIT_CTLS      0x0000048f
 #define MSR_IA32_VMX_TRUE_ENTRY_CTLS     0x00000490
+#define MSR_IA32_VMX_VMFUNC             0x00000491
 
 /* VMX_BASIC bits and bitmasks */
 #define VMX_BASIC_VMCS_SIZE_SHIFT       32
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index b89c5db2b832..287e4c85fff9 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -80,7 +80,7 @@ config KVM_MMU_AUDIT
         depends on KVM && TRACEPOINTS
         ---help---
          This option adds a R/W kVM module parameter 'mmu_audit', which allows
-         audit  KVM MMU at runtime.
+         auditing of KVM MMU events at runtime.
 
 config KVM_DEVICE_ASSIGNMENT
         bool "KVM legacy PCI device assignment support"
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 412a5aa0ef94..518d86471b76 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -37,6 +37,7 @@
 
 #include "irq.h"
 #include "i8254.h"
+#include "x86.h"
 
 #ifndef CONFIG_X86_64
 #define mod_64(x, y) ((x) - (y) * div64_u64(x, y))
@@ -349,6 +350,23 @@ static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
         atomic_set(&ps->pending, 0);
         ps->irq_ack = 1;
 
+        /*
+         * Do not allow the guest to program periodic timers with small
+         * interval, since the hrtimers are not throttled by the host
+         * scheduler.
+         */
+        if (ps->is_periodic) {
+                s64 min_period = min_timer_period_us * 1000LL;
+
+                if (ps->period < min_period) {
+                        pr_info_ratelimited(
+                            "kvm: requested %lld ns "
+                            "i8254 timer period limited to %lld ns\n",
+                            ps->period, min_period);
+                        ps->period = min_period;
+                }
+        }
+
         hrtimer_start(&ps->timer, ktime_add_ns(ktime_get(), interval),
                       HRTIMER_MODE_ABS);
 }
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 775702f649ca..9736529ade08 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -71,9 +71,6 @@
 #define VEC_POS(v) ((v) & (32 - 1))
 #define REG_POS(v) (((v) >> 5) << 4)
 
-static unsigned int min_timer_period_us = 500;
-module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
-
 static inline void apic_set_reg(struct kvm_lapic *apic, int reg_off, u32 val)
 {
         *((u32 *) (apic->regs + reg_off)) = val;
@@ -435,7 +432,7 @@ static bool pv_eoi_get_pending(struct kvm_vcpu *vcpu)
         u8 val;
         if (pv_eoi_get_user(vcpu, &val) < 0)
                 apic_debug("Can't read EOI MSR value: 0x%llx\n",
-                           (unsigned long long)vcpi->arch.pv_eoi.msr_val);
+                           (unsigned long long)vcpu->arch.pv_eoi.msr_val);
         return val & 0x1;
 }
 
@@ -443,7 +440,7 @@ static void pv_eoi_set_pending(struct kvm_vcpu *vcpu)
 {
         if (pv_eoi_put_user(vcpu, KVM_PV_EOI_ENABLED) < 0) {
                 apic_debug("Can't set EOI MSR value: 0x%llx\n",
-                           (unsigned long long)vcpi->arch.pv_eoi.msr_val);
+                           (unsigned long long)vcpu->arch.pv_eoi.msr_val);
                 return;
         }
         __set_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention);
@@ -453,7 +450,7 @@ static void pv_eoi_clr_pending(struct kvm_vcpu *vcpu)
 {
         if (pv_eoi_put_user(vcpu, KVM_PV_EOI_DISABLED) < 0) {
                 apic_debug("Can't clear EOI MSR value: 0x%llx\n",
-                           (unsigned long long)vcpi->arch.pv_eoi.msr_val);
+                           (unsigned long long)vcpu->arch.pv_eoi.msr_val);
                 return;
         }
         __clear_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention);
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 40772ef0f2b1..e50425d0f5f7 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2659,6 +2659,9 @@ static int __direct_map(struct kvm_vcpu *vcpu, gpa_t v, int write,
         int emulate = 0;
         gfn_t pseudo_gfn;
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                return 0;
+
         for_each_shadow_entry(vcpu, (u64)gfn << PAGE_SHIFT, iterator) {
                 if (iterator.level == level) {
                         mmu_set_spte(vcpu, iterator.sptep, ACC_ALL,
@@ -2829,6 +2832,9 @@ static bool fast_page_fault(struct kvm_vcpu *vcpu, gva_t gva, int level,
         bool ret = false;
         u64 spte = 0ull;
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                return false;
+
         if (!page_fault_can_be_fast(error_code))
                 return false;
 
@@ -3224,6 +3230,9 @@ static u64 walk_shadow_page_get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr)
         struct kvm_shadow_walk_iterator iterator;
         u64 spte = 0ull;
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                return spte;
+
         walk_shadow_page_lockless_begin(vcpu);
         for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
                 if (!is_shadow_present_pte(spte))
@@ -4510,6 +4519,9 @@ int kvm_mmu_get_spte_hierarchy(struct kvm_vcpu *vcpu, u64 addr, u64 sptes[4])
         u64 spte;
         int nr_sptes = 0;
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                return nr_sptes;
+
         walk_shadow_page_lockless_begin(vcpu);
         for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
                 sptes[iterator.level-1] = spte;
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index ad75d77999d0..cba218a2f08d 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -569,6 +569,9 @@ static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
         if (FNAME(gpte_changed)(vcpu, gw, top_level))
                 goto out_gpte_changed;
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
+                goto out_gpte_changed;
+
         for (shadow_walk_init(&it, vcpu, addr);
              shadow_walk_okay(&it) && it.level > gw->level;
              shadow_walk_next(&it)) {
@@ -820,6 +823,11 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva)
          */
         mmu_topup_memory_caches(vcpu);
 
+        if (!VALID_PAGE(vcpu->arch.mmu.root_hpa)) {
+                WARN_ON(1);
+                return;
+        }
+
         spin_lock(&vcpu->kvm->mmu_lock);
         for_each_shadow_entry(vcpu, gva, iterator) {
                 level = iterator.level;
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index c7168a5cff1b..e81df8fce027 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1671,6 +1671,19 @@ static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
         mark_dirty(svm->vmcb, VMCB_ASID);
 }
 
+static u64 svm_get_dr6(struct kvm_vcpu *vcpu)
+{
+        return to_svm(vcpu)->vmcb->save.dr6;
+}
+
+static void svm_set_dr6(struct kvm_vcpu *vcpu, unsigned long value)
+{
+        struct vcpu_svm *svm = to_svm(vcpu);
+
+        svm->vmcb->save.dr6 = value;
+        mark_dirty(svm->vmcb, VMCB_DR);
+}
+
 static void svm_set_dr7(struct kvm_vcpu *vcpu, unsigned long value)
 {
         struct vcpu_svm *svm = to_svm(vcpu);
@@ -4286,6 +4299,8 @@ static struct kvm_x86_ops svm_x86_ops = {
         .set_idt = svm_set_idt,
         .get_gdt = svm_get_gdt,
         .set_gdt = svm_set_gdt,
+        .get_dr6 = svm_get_dr6,
+        .set_dr6 = svm_set_dr6,
         .set_dr7 = svm_set_dr7,
         .cache_reg = svm_cache_reg,
         .get_rflags = svm_get_rflags,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index da7837e1349d..5c8879127cfa 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -418,6 +418,8 @@ struct vcpu_vmx {
         u64                   msr_host_kernel_gs_base;
         u64                   msr_guest_kernel_gs_base;
 #endif
+        u32 vm_entry_controls_shadow;
+        u32 vm_exit_controls_shadow;
         /*
          * loaded_vmcs points to the VMCS currently used in this vcpu. For a
          * non-nested (L1) guest, it always points to vmcs01. For a nested
@@ -1056,7 +1058,9 @@ static inline bool is_exception(u32 intr_info)
                 == (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
 }
 
-static void nested_vmx_vmexit(struct kvm_vcpu *vcpu);
+static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
+                              u32 exit_intr_info,
+                              unsigned long exit_qualification);
 static void nested_vmx_entry_failure(struct kvm_vcpu *vcpu,
                         struct vmcs12 *vmcs12,
                         u32 reason, unsigned long qualification);
@@ -1326,6 +1330,62 @@ static void vmcs_set_bits(unsigned long field, u32 mask)
         vmcs_writel(field, vmcs_readl(field) | mask);
 }
 
+static inline void vm_entry_controls_init(struct vcpu_vmx *vmx, u32 val)
+{
+        vmcs_write32(VM_ENTRY_CONTROLS, val);
+        vmx->vm_entry_controls_shadow = val;
+}
+
+static inline void vm_entry_controls_set(struct vcpu_vmx *vmx, u32 val)
+{
+        if (vmx->vm_entry_controls_shadow != val)
+                vm_entry_controls_init(vmx, val);
+}
+
+static inline u32 vm_entry_controls_get(struct vcpu_vmx *vmx)
+{
+        return vmx->vm_entry_controls_shadow;
+}
+
+
+static inline void vm_entry_controls_setbit(struct vcpu_vmx *vmx, u32 val)
+{
+        vm_entry_controls_set(vmx, vm_entry_controls_get(vmx) | val);
+}
+
+static inline void vm_entry_controls_clearbit(struct vcpu_vmx *vmx, u32 val)
+{
+        vm_entry_controls_set(vmx, vm_entry_controls_get(vmx) & ~val);
+}
+
+static inline void vm_exit_controls_init(struct vcpu_vmx *vmx, u32 val)
+{
+        vmcs_write32(VM_EXIT_CONTROLS, val);
+        vmx->vm_exit_controls_shadow = val;
+}
+
+static inline void vm_exit_controls_set(struct vcpu_vmx *vmx, u32 val)
+{
+        if (vmx->vm_exit_controls_shadow != val)
+                vm_exit_controls_init(vmx, val);
+}
+
+static inline u32 vm_exit_controls_get(struct vcpu_vmx *vmx)
+{
+        return vmx->vm_exit_controls_shadow;
+}
+
+
+static inline void vm_exit_controls_setbit(struct vcpu_vmx *vmx, u32 val)
+{
+        vm_exit_controls_set(vmx, vm_exit_controls_get(vmx) | val);
+}
+
+static inline void vm_exit_controls_clearbit(struct vcpu_vmx *vmx, u32 val)
+{
+        vm_exit_controls_set(vmx, vm_exit_controls_get(vmx) & ~val);
+}
+
 static void vmx_segment_cache_clear(struct vcpu_vmx *vmx)
 {
         vmx->segment_cache.bitmask = 0;
@@ -1410,11 +1470,11 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
         vmcs_write32(EXCEPTION_BITMAP, eb);
 }
 
-static void clear_atomic_switch_msr_special(unsigned long entry,
-                unsigned long exit)
+static void clear_atomic_switch_msr_special(struct vcpu_vmx *vmx,
+                unsigned long entry, unsigned long exit)
 {
-        vmcs_clear_bits(VM_ENTRY_CONTROLS, entry);
-        vmcs_clear_bits(VM_EXIT_CONTROLS, exit);
+        vm_entry_controls_clearbit(vmx, entry);
+        vm_exit_controls_clearbit(vmx, exit);
 }
 
 static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
@@ -1425,14 +1485,15 @@ static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
         switch (msr) {
         case MSR_EFER:
                 if (cpu_has_load_ia32_efer) {
-                        clear_atomic_switch_msr_special(VM_ENTRY_LOAD_IA32_EFER,
+                        clear_atomic_switch_msr_special(vmx,
+                                        VM_ENTRY_LOAD_IA32_EFER,
                                         VM_EXIT_LOAD_IA32_EFER);
                         return;
                 }
                 break;
         case MSR_CORE_PERF_GLOBAL_CTRL:
                 if (cpu_has_load_perf_global_ctrl) {
-                        clear_atomic_switch_msr_special(
+                        clear_atomic_switch_msr_special(vmx,
                                         VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
                                         VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL);
                         return;
@@ -1453,14 +1514,15 @@ static void clear_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr)
         vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, m->nr);
 }
 
-static void add_atomic_switch_msr_special(unsigned long entry,
-                unsigned long exit, unsigned long guest_val_vmcs,
-                unsigned long host_val_vmcs, u64 guest_val, u64 host_val)
+static void add_atomic_switch_msr_special(struct vcpu_vmx *vmx,
+                unsigned long entry, unsigned long exit,
+                unsigned long guest_val_vmcs, unsigned long host_val_vmcs,
+                u64 guest_val, u64 host_val)
 {
         vmcs_write64(guest_val_vmcs, guest_val);
         vmcs_write64(host_val_vmcs, host_val);
-        vmcs_set_bits(VM_ENTRY_CONTROLS, entry);
-        vmcs_set_bits(VM_EXIT_CONTROLS, exit);
+        vm_entry_controls_setbit(vmx, entry);
+        vm_exit_controls_setbit(vmx, exit);
 }
 
 static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
@@ -1472,7 +1534,8 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
         switch (msr) {
         case MSR_EFER:
                 if (cpu_has_load_ia32_efer) {
-                        add_atomic_switch_msr_special(VM_ENTRY_LOAD_IA32_EFER,
+                        add_atomic_switch_msr_special(vmx,
+                                        VM_ENTRY_LOAD_IA32_EFER,
                                         VM_EXIT_LOAD_IA32_EFER,
                                         GUEST_IA32_EFER,
                                         HOST_IA32_EFER,
@@ -1482,7 +1545,7 @@ static void add_atomic_switch_msr(struct vcpu_vmx *vmx, unsigned msr,
                 break;
         case MSR_CORE_PERF_GLOBAL_CTRL:
                 if (cpu_has_load_perf_global_ctrl) {
-                        add_atomic_switch_msr_special(
+                        add_atomic_switch_msr_special(vmx,
                                         VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL,
                                         VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL,
                                         GUEST_IA32_PERF_GLOBAL_CTRL,
@@ -1906,7 +1969,9 @@ static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned nr)
         if (!(vmcs12->exception_bitmap & (1u << nr)))
                 return 0;
 
-        nested_vmx_vmexit(vcpu);
+        nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
+                          vmcs_read32(VM_EXIT_INTR_INFO),
+                          vmcs_readl(EXIT_QUALIFICATION));
         return 1;
 }
 
@@ -2279,6 +2344,7 @@ static __init void nested_vmx_setup_ctls_msrs(void)
         rdmsr(MSR_IA32_VMX_MISC, nested_vmx_misc_low, nested_vmx_misc_high);
         nested_vmx_misc_low &= VMX_MISC_PREEMPTION_TIMER_RATE_MASK |
                 VMX_MISC_SAVE_EFER_LMA;
+        nested_vmx_misc_low |= VMX_MISC_ACTIVITY_HLT;
         nested_vmx_misc_high = 0;
 }
 
@@ -2295,32 +2361,10 @@ static inline u64 vmx_control_msr(u32 low, u32 high)
         return low | ((u64)high << 32);
 }
 
-/*
- * If we allow our guest to use VMX instructions (i.e., nested VMX), we should
- * also let it use VMX-specific MSRs.
- * vmx_get_vmx_msr() and vmx_set_vmx_msr() return 1 when we handled a
- * VMX-specific MSR, or 0 when we haven't (and the caller should handle it
- * like all other MSRs).
- */
+/* Returns 0 on success, non-0 otherwise. */
 static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
 {
-        if (!nested_vmx_allowed(vcpu) && msr_index >= MSR_IA32_VMX_BASIC &&
-                     msr_index <= MSR_IA32_VMX_TRUE_ENTRY_CTLS) {
-                /*
-                 * According to the spec, processors which do not support VMX
-                 * should throw a #GP(0) when VMX capability MSRs are read.
-                 */
-                kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
-                return 1;
-        }
-
         switch (msr_index) {
-        case MSR_IA32_FEATURE_CONTROL:
-                if (nested_vmx_allowed(vcpu)) {
-                        *pdata = to_vmx(vcpu)->nested.msr_ia32_feature_control;
-                        break;
-                }
-                return 0;
         case MSR_IA32_VMX_BASIC:
                 /*
                  * This MSR reports some information about VMX support. We
@@ -2387,34 +2431,9 @@ static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
                 *pdata = nested_vmx_ept_caps;
                 break;
         default:
-                return 0;
-        }
-
-        return 1;
-}
-
-static int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
-{
-        u32 msr_index = msr_info->index;
-        u64 data = msr_info->data;
-        bool host_initialized = msr_info->host_initiated;
-
-        if (!nested_vmx_allowed(vcpu))
-                return 0;
-
-        if (msr_index == MSR_IA32_FEATURE_CONTROL) {
-                if (!host_initialized &&
-                                to_vmx(vcpu)->nested.msr_ia32_feature_control
-                                & FEATURE_CONTROL_LOCKED)
-                        return 0;
-                to_vmx(vcpu)->nested.msr_ia32_feature_control = data;
                 return 1;
         }
 
-        /*
-         * No need to treat VMX capability MSRs specially: If we don't handle
-         * them, handle_wrmsr will #GP(0), which is correct (they are readonly)
-         */
         return 0;
 }
 
@@ -2460,13 +2479,20 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
         case MSR_IA32_SYSENTER_ESP:
                 data = vmcs_readl(GUEST_SYSENTER_ESP);
                 break;
+        case MSR_IA32_FEATURE_CONTROL:
+                if (!nested_vmx_allowed(vcpu))
+                        return 1;
+                data = to_vmx(vcpu)->nested.msr_ia32_feature_control;
+                break;
+        case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
+                if (!nested_vmx_allowed(vcpu))
+                        return 1;
+                return vmx_get_vmx_msr(vcpu, msr_index, pdata);
         case MSR_TSC_AUX:
                 if (!to_vmx(vcpu)->rdtscp_enabled)
                         return 1;
                 /* Otherwise falls through */
         default:
-                if (vmx_get_vmx_msr(vcpu, msr_index, pdata))
-                        return 0;
                 msr = find_msr_entry(to_vmx(vcpu), msr_index);
                 if (msr) {
                         data = msr->data;
@@ -2479,6 +2505,8 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
         return 0;
 }
 
+static void vmx_leave_nested(struct kvm_vcpu *vcpu);
+
 /*
  * Writes msr value into into the appropriate "register".
  * Returns 0 on success, non-0 otherwise.
@@ -2533,6 +2561,17 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
         case MSR_IA32_TSC_ADJUST:
                 ret = kvm_set_msr_common(vcpu, msr_info);
                 break;
+        case MSR_IA32_FEATURE_CONTROL:
+                if (!nested_vmx_allowed(vcpu) ||
+                    (to_vmx(vcpu)->nested.msr_ia32_feature_control &
+                     FEATURE_CONTROL_LOCKED && !msr_info->host_initiated))
+                        return 1;
+                vmx->nested.msr_ia32_feature_control = data;
+                if (msr_info->host_initiated && data == 0)
+                        vmx_leave_nested(vcpu);
+                break;
+        case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
+                return 1; /* they are read-only */
         case MSR_TSC_AUX:
                 if (!vmx->rdtscp_enabled)
                         return 1;
@@ -2541,8 +2580,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                         return 1;
                 /* Otherwise falls through */
         default:
-                if (vmx_set_vmx_msr(vcpu, msr_info))
-                        break;
                 msr = find_msr_entry(vmx, msr_index);
                 if (msr) {
                         msr->data = data;
@@ -3182,14 +3219,10 @@ static void vmx_set_efer(struct kvm_vcpu *vcpu, u64 efer)
         vmx_load_host_state(to_vmx(vcpu));
         vcpu->arch.efer = efer;
         if (efer & EFER_LMA) {
-                vmcs_write32(VM_ENTRY_CONTROLS,
-                             vmcs_read32(VM_ENTRY_CONTROLS) |
-                             VM_ENTRY_IA32E_MODE);
+                vm_entry_controls_setbit(to_vmx(vcpu), VM_ENTRY_IA32E_MODE);
                 msr->data = efer;
         } else {
-                vmcs_write32(VM_ENTRY_CONTROLS,
-                             vmcs_read32(VM_ENTRY_CONTROLS) &
-                             ~VM_ENTRY_IA32E_MODE);
+                vm_entry_controls_clearbit(to_vmx(vcpu), VM_ENTRY_IA32E_MODE);
 
                 msr->data = efer & ~EFER_LME;
         }
@@ -3217,9 +3250,7 @@ static void enter_lmode(struct kvm_vcpu *vcpu)
 
 static void exit_lmode(struct kvm_vcpu *vcpu)
 {
-        vmcs_write32(VM_ENTRY_CONTROLS,
-                     vmcs_read32(VM_ENTRY_CONTROLS)
-                     & ~VM_ENTRY_IA32E_MODE);
+        vm_entry_controls_clearbit(to_vmx(vcpu), VM_ENTRY_IA32E_MODE);
         vmx_set_efer(vcpu, vcpu->arch.efer & ~EFER_LMA);
 }
 
@@ -4346,10 +4377,11 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
                 ++vmx->nmsrs;
         }
 
-        vmcs_write32(VM_EXIT_CONTROLS, vmcs_config.vmexit_ctrl);
+
+        vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
 
         /* 22.2.1, 20.8.1 */
-        vmcs_write32(VM_ENTRY_CONTROLS, vmcs_config.vmentry_ctrl);
+        vm_entry_controls_init(vmx, vmcs_config.vmentry_ctrl);
 
         vmcs_writel(CR0_GUEST_HOST_MASK, ~0UL);
         set_cr4_guest_host_mask(vmx);
@@ -4588,15 +4620,12 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
 static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
 {
         if (is_guest_mode(vcpu)) {
-                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-
                 if (to_vmx(vcpu)->nested.nested_run_pending)
                         return 0;
                 if (nested_exit_on_nmi(vcpu)) {
-                        nested_vmx_vmexit(vcpu);
-                        vmcs12->vm_exit_reason = EXIT_REASON_EXCEPTION_NMI;
-                        vmcs12->vm_exit_intr_info = NMI_VECTOR |
-                                INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK;
+                        nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
+                                          NMI_VECTOR | INTR_TYPE_NMI_INTR |
+                                          INTR_INFO_VALID_MASK, 0);
                         /*
                          * The NMI-triggered VM exit counts as injection:
                          * clear this one and block further NMIs.
@@ -4618,15 +4647,11 @@ static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
 static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu)
 {
         if (is_guest_mode(vcpu)) {
-                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-
                 if (to_vmx(vcpu)->nested.nested_run_pending)
                         return 0;
                 if (nested_exit_on_intr(vcpu)) {
-                        nested_vmx_vmexit(vcpu);
-                        vmcs12->vm_exit_reason =
-                                EXIT_REASON_EXTERNAL_INTERRUPT;
-                        vmcs12->vm_exit_intr_info = 0;
+                        nested_vmx_vmexit(vcpu, EXIT_REASON_EXTERNAL_INTERRUPT,
+                                          0, 0);
                         /*
                          * fall through to normal code, but now in L1, not L2
                          */
@@ -4812,7 +4837,8 @@ static int handle_exception(struct kvm_vcpu *vcpu)
                 dr6 = vmcs_readl(EXIT_QUALIFICATION);
                 if (!(vcpu->guest_debug &
                       (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
-                        vcpu->arch.dr6 = dr6 | DR6_FIXED_1;
+                        vcpu->arch.dr6 &= ~15;
+                        vcpu->arch.dr6 |= dr6;
                         kvm_queue_exception(vcpu, DB_VECTOR);
                         return 1;
                 }
@@ -5080,14 +5106,27 @@ static int handle_dr(struct kvm_vcpu *vcpu)
         reg = DEBUG_REG_ACCESS_REG(exit_qualification);
         if (exit_qualification & TYPE_MOV_FROM_DR) {
                 unsigned long val;
-                if (!kvm_get_dr(vcpu, dr, &val))
-                        kvm_register_write(vcpu, reg, val);
+
+                if (kvm_get_dr(vcpu, dr, &val))
+                        return 1;
+                kvm_register_write(vcpu, reg, val);
         } else
-                kvm_set_dr(vcpu, dr, vcpu->arch.regs[reg]);
+                if (kvm_set_dr(vcpu, dr, vcpu->arch.regs[reg]))
+                        return 1;
+
         skip_emulated_instruction(vcpu);
         return 1;
 }
 
+static u64 vmx_get_dr6(struct kvm_vcpu *vcpu)
+{
+        return vcpu->arch.dr6;
+}
+
+static void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val)
+{
+}
+
 static void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
 {
         vmcs_writel(GUEST_DR7, val);
@@ -6460,11 +6499,8 @@ static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu,
         int size;
         u8 b;
 
-        if (nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING))
-                return 1;
-
         if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS))
-                return 0;
+                return nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING);
 
         exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
 
@@ -6628,6 +6664,13 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
         struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
         u32 exit_reason = vmx->exit_reason;
 
+        trace_kvm_nested_vmexit(kvm_rip_read(vcpu), exit_reason,
+                                vmcs_readl(EXIT_QUALIFICATION),
+                                vmx->idt_vectoring_info,
+                                intr_info,
+                                vmcs_read32(VM_EXIT_INTR_ERROR_CODE),
+                                KVM_ISA_VMX);
+
         if (vmx->nested.nested_run_pending)
                 return 0;
 
@@ -6777,7 +6820,9 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
                 return handle_invalid_guest_state(vcpu);
 
         if (is_guest_mode(vcpu) && nested_vmx_exit_handled(vcpu)) {
-                nested_vmx_vmexit(vcpu);
+                nested_vmx_vmexit(vcpu, exit_reason,
+                                  vmcs_read32(VM_EXIT_INTR_INFO),
+                                  vmcs_readl(EXIT_QUALIFICATION));
                 return 1;
         }
 
@@ -7332,8 +7377,8 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
         struct vcpu_vmx *vmx = to_vmx(vcpu);
 
         free_vpid(vmx);
-        free_nested(vmx);
         free_loaded_vmcs(vmx->loaded_vmcs);
+        free_nested(vmx);
         kfree(vmx->guest_msrs);
         kvm_vcpu_uninit(vcpu);
         kmem_cache_free(kvm_vcpu_cache, vmx);
@@ -7518,15 +7563,14 @@ static void vmx_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry)
 static void nested_ept_inject_page_fault(struct kvm_vcpu *vcpu,
                 struct x86_exception *fault)
 {
-        struct vmcs12 *vmcs12;
-        nested_vmx_vmexit(vcpu);
-        vmcs12 = get_vmcs12(vcpu);
+        struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+        u32 exit_reason;
 
         if (fault->error_code & PFERR_RSVD_MASK)
-                vmcs12->vm_exit_reason = EXIT_REASON_EPT_MISCONFIG;
+                exit_reason = EXIT_REASON_EPT_MISCONFIG;
         else
-                vmcs12->vm_exit_reason = EXIT_REASON_EPT_VIOLATION;
-        vmcs12->exit_qualification = vcpu->arch.exit_qualification;
+                exit_reason = EXIT_REASON_EPT_VIOLATION;
+        nested_vmx_vmexit(vcpu, exit_reason, 0, vcpu->arch.exit_qualification);
         vmcs12->guest_physical_address = fault->address;
 }
 
@@ -7564,7 +7608,9 @@ static void vmx_inject_page_fault_nested(struct kvm_vcpu *vcpu,
 
         /* TODO: also check PFEC_MATCH/MASK, not just EB.PF. */
         if (vmcs12->exception_bitmap & (1u << PF_VECTOR))
-                nested_vmx_vmexit(vcpu);
+                nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
+                                  vmcs_read32(VM_EXIT_INTR_INFO),
+                                  vmcs_readl(EXIT_QUALIFICATION));
         else
                 kvm_inject_page_fault(vcpu, fault);
 }
@@ -7706,6 +7752,11 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                         else
                                 vmcs_write64(APIC_ACCESS_ADDR,
                                   page_to_phys(vmx->nested.apic_access_page));
+                } else if (vm_need_virtualize_apic_accesses(vmx->vcpu.kvm)) {
+                        exec_control |=
+                                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
+                        vmcs_write64(APIC_ACCESS_ADDR,
+                                page_to_phys(vcpu->kvm->arch.apic_access_page));
                 }
 
                 vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
@@ -7759,12 +7810,12 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
         exit_control = vmcs_config.vmexit_ctrl;
         if (vmcs12->pin_based_vm_exec_control & PIN_BASED_VMX_PREEMPTION_TIMER)
                 exit_control |= VM_EXIT_SAVE_VMX_PREEMPTION_TIMER;
-        vmcs_write32(VM_EXIT_CONTROLS, exit_control);
+        vm_exit_controls_init(vmx, exit_control);
 
         /* vmcs12's VM_ENTRY_LOAD_IA32_EFER and VM_ENTRY_IA32E_MODE are
          * emulated by vmx_set_efer(), below.
          */
-        vmcs_write32(VM_ENTRY_CONTROLS,
+        vm_entry_controls_init(vmx, 
                 (vmcs12->vm_entry_controls & ~VM_ENTRY_LOAD_IA32_EFER &
                         ~VM_ENTRY_IA32E_MODE) |
                 (vmcs_config.vmentry_ctrl & ~VM_ENTRY_IA32E_MODE));
@@ -7882,7 +7933,8 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
                 return 1;
         }
 
-        if (vmcs12->guest_activity_state != GUEST_ACTIVITY_ACTIVE) {
+        if (vmcs12->guest_activity_state != GUEST_ACTIVITY_ACTIVE &&
+            vmcs12->guest_activity_state != GUEST_ACTIVITY_HLT) {
                 nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
                 return 1;
         }
@@ -7994,8 +8046,6 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
 
         enter_guest_mode(vcpu);
 
-        vmx->nested.nested_run_pending = 1;
-
         vmx->nested.vmcs01_tsc_offset = vmcs_read64(TSC_OFFSET);
 
         cpu = get_cpu();
@@ -8011,6 +8061,11 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
 
         prepare_vmcs02(vcpu, vmcs12);
 
+        if (vmcs12->guest_activity_state == GUEST_ACTIVITY_HLT)
+                return kvm_emulate_halt(vcpu);
+
+        vmx->nested.nested_run_pending = 1;
+
         /*
          * Note no nested_vmx_succeed or nested_vmx_fail here. At this point
          * we are no longer running L1, and VMLAUNCH/VMRESUME has not yet
@@ -8110,7 +8165,9 @@ static void vmcs12_save_pending_event(struct kvm_vcpu *vcpu,
  * exit-information fields only. Other fields are modified by L1 with VMWRITE,
  * which already writes to vmcs12 directly.
  */
-static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
+                           u32 exit_reason, u32 exit_intr_info,
+                           unsigned long exit_qualification)
 {
         /* update guest state fields: */
         vmcs12->guest_cr0 = vmcs12_guest_cr0(vcpu, vmcs12);
@@ -8162,6 +8219,10 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                 vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
         vmcs12->guest_pending_dbg_exceptions =
                 vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
+        if (vcpu->arch.mp_state == KVM_MP_STATE_HALTED)
+                vmcs12->guest_activity_state = GUEST_ACTIVITY_HLT;
+        else
+                vmcs12->guest_activity_state = GUEST_ACTIVITY_ACTIVE;
 
         if ((vmcs12->pin_based_vm_exec_control & PIN_BASED_VMX_PREEMPTION_TIMER) &&
             (vmcs12->vm_exit_controls & VM_EXIT_SAVE_VMX_PREEMPTION_TIMER))
@@ -8186,7 +8247,7 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 
         vmcs12->vm_entry_controls =
                 (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) |
-                (vmcs_read32(VM_ENTRY_CONTROLS) & VM_ENTRY_IA32E_MODE);
+                (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE);
 
         /* TODO: These cannot have changed unless we have MSR bitmaps and
          * the relevant bit asks not to trap the change */
@@ -8201,10 +8262,10 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 
         /* update exit information fields: */
 
-        vmcs12->vm_exit_reason  = to_vmx(vcpu)->exit_reason;
-        vmcs12->exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+        vmcs12->vm_exit_reason = exit_reason;
+        vmcs12->exit_qualification = exit_qualification;
 
-        vmcs12->vm_exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+        vmcs12->vm_exit_intr_info = exit_intr_info;
         if ((vmcs12->vm_exit_intr_info &
              (INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK)) ==
             (INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK))
@@ -8370,7 +8431,9 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
  * and modify vmcs12 to make it see what it would expect to see there if
  * L2 was its real guest. Must only be called when in L2 (is_guest_mode())
  */
-static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
+static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
+                              u32 exit_intr_info,
+                              unsigned long exit_qualification)
 {
         struct vcpu_vmx *vmx = to_vmx(vcpu);
         int cpu;
@@ -8380,7 +8443,15 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
         WARN_ON_ONCE(vmx->nested.nested_run_pending);
 
         leave_guest_mode(vcpu);
-        prepare_vmcs12(vcpu, vmcs12);
+        prepare_vmcs12(vcpu, vmcs12, exit_reason, exit_intr_info,
+                       exit_qualification);
+
+        trace_kvm_nested_vmexit_inject(vmcs12->vm_exit_reason,
+                                       vmcs12->exit_qualification,
+                                       vmcs12->idt_vectoring_info_field,
+                                       vmcs12->vm_exit_intr_info,
+                                       vmcs12->vm_exit_intr_error_code,
+                                       KVM_ISA_VMX);
 
         cpu = get_cpu();
         vmx->loaded_vmcs = &vmx->vmcs01;
@@ -8389,6 +8460,8 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
         vcpu->cpu = cpu;
         put_cpu();
 
+        vm_entry_controls_init(vmx, vmcs_read32(VM_ENTRY_CONTROLS));
+        vm_exit_controls_init(vmx, vmcs_read32(VM_EXIT_CONTROLS));
         vmx_segment_cache_clear(vmx);
 
         /* if no vmcs02 cache requested, remove the one we used */
@@ -8424,6 +8497,16 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
 }
 
 /*
+ * Forcibly leave nested mode in order to be able to reset the VCPU later on.
+ */
+static void vmx_leave_nested(struct kvm_vcpu *vcpu)
+{
+        if (is_guest_mode(vcpu))
+                nested_vmx_vmexit(vcpu, -1, 0, 0);
+        free_nested(to_vmx(vcpu));
+}
+
+/*
  * L1's failure to enter L2 is a subset of a normal exit, as explained in
  * 23.7 "VM-entry failures during or after loading guest state" (this also
  * lists the acceptable exit-reason and exit-qualification parameters).
@@ -8486,6 +8569,8 @@ static struct kvm_x86_ops vmx_x86_ops = {
         .set_idt = vmx_set_idt,
         .get_gdt = vmx_get_gdt,
         .set_gdt = vmx_set_gdt,
+        .get_dr6 = vmx_get_dr6,
+        .set_dr6 = vmx_set_dr6,
         .set_dr7 = vmx_set_dr7,
         .cache_reg = vmx_cache_reg,
         .get_rflags = vmx_get_rflags,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5d004da1e35d..0c76f7cfdb32 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -94,6 +94,9 @@ EXPORT_SYMBOL_GPL(kvm_x86_ops);
 static bool ignore_msrs = 0;
 module_param(ignore_msrs, bool, S_IRUGO | S_IWUSR);
 
+unsigned int min_timer_period_us = 500;
+module_param(min_timer_period_us, uint, S_IRUGO | S_IWUSR);
+
 bool kvm_has_tsc_control;
 EXPORT_SYMBOL_GPL(kvm_has_tsc_control);
 u32  kvm_max_guest_tsc_khz;
@@ -719,6 +722,12 @@ unsigned long kvm_get_cr8(struct kvm_vcpu *vcpu)
 }
 EXPORT_SYMBOL_GPL(kvm_get_cr8);
 
+static void kvm_update_dr6(struct kvm_vcpu *vcpu)
+{
+        if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
+                kvm_x86_ops->set_dr6(vcpu, vcpu->arch.dr6);
+}
+
 static void kvm_update_dr7(struct kvm_vcpu *vcpu)
 {
         unsigned long dr7;
@@ -747,6 +756,7 @@ static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
                 if (val & 0xffffffff00000000ULL)
                         return -1; /* #GP */
                 vcpu->arch.dr6 = (val & DR6_VOLATILE) | DR6_FIXED_1;
+                kvm_update_dr6(vcpu);
                 break;
         case 5:
                 if (kvm_read_cr4_bits(vcpu, X86_CR4_DE))
@@ -788,7 +798,10 @@ static int _kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
                         return 1;
                 /* fall through */
         case 6:
-                *val = vcpu->arch.dr6;
+                if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
+                        *val = vcpu->arch.dr6;
+                else
+                        *val = kvm_x86_ops->get_dr6(vcpu);
                 break;
         case 5:
                 if (kvm_read_cr4_bits(vcpu, X86_CR4_DE))
@@ -836,11 +849,12 @@ EXPORT_SYMBOL_GPL(kvm_rdpmc);
  * kvm-specific. Those are put in the beginning of the list.
  */
 
-#define KVM_SAVE_MSRS_BEGIN     10
+#define KVM_SAVE_MSRS_BEGIN     12
 static u32 msrs_to_save[] = {
         MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
         MSR_KVM_SYSTEM_TIME_NEW, MSR_KVM_WALL_CLOCK_NEW,
         HV_X64_MSR_GUEST_OS_ID, HV_X64_MSR_HYPERCALL,
+        HV_X64_MSR_TIME_REF_COUNT, HV_X64_MSR_REFERENCE_TSC,
         HV_X64_MSR_APIC_ASSIST_PAGE, MSR_KVM_ASYNC_PF_EN, MSR_KVM_STEAL_TIME,
         MSR_KVM_PV_EOI_EN,
         MSR_IA32_SYSENTER_CS, MSR_IA32_SYSENTER_ESP, MSR_IA32_SYSENTER_EIP,
@@ -1275,8 +1289,6 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr)
         kvm->arch.last_tsc_write = data;
         kvm->arch.last_tsc_khz = vcpu->arch.virtual_tsc_khz;
 
-        /* Reset of TSC must disable overshoot protection below */
-        vcpu->arch.hv_clock.tsc_timestamp = 0;
         vcpu->arch.last_guest_tsc = data;
 
         /* Keep track of which generation this VCPU has synchronized to */
@@ -1484,7 +1496,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
         unsigned long flags, this_tsc_khz;
         struct kvm_vcpu_arch *vcpu = &v->arch;
         struct kvm_arch *ka = &v->kvm->arch;
-        s64 kernel_ns, max_kernel_ns;
+        s64 kernel_ns;
         u64 tsc_timestamp, host_tsc;
         struct pvclock_vcpu_time_info guest_hv_clock;
         u8 pvclock_flags;
@@ -1543,37 +1555,6 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
         if (!vcpu->pv_time_enabled)
                 return 0;
 
-        /*
-         * Time as measured by the TSC may go backwards when resetting the base
-         * tsc_timestamp.  The reason for this is that the TSC resolution is
-         * higher than the resolution of the other clock scales.  Thus, many
-         * possible measurments of the TSC correspond to one measurement of any
-         * other clock, and so a spread of values is possible.  This is not a
-         * problem for the computation of the nanosecond clock; with TSC rates
-         * around 1GHZ, there can only be a few cycles which correspond to one
-         * nanosecond value, and any path through this code will inevitably
-         * take longer than that.  However, with the kernel_ns value itself,
-         * the precision may be much lower, down to HZ granularity.  If the
-         * first sampling of TSC against kernel_ns ends in the low part of the
-         * range, and the second in the high end of the range, we can get:
-         *
-         * (TSC - offset_low) * S + kns_old > (TSC - offset_high) * S + kns_new
-         *
-         * As the sampling errors potentially range in the thousands of cycles,
-         * it is possible such a time value has already been observed by the
-         * guest.  To protect against this, we must compute the system time as
-         * observed by the guest and ensure the new system time is greater.
-         */
-        max_kernel_ns = 0;
-        if (vcpu->hv_clock.tsc_timestamp) {
-                max_kernel_ns = vcpu->last_guest_tsc -
-                                vcpu->hv_clock.tsc_timestamp;
-                max_kernel_ns = pvclock_scale_delta(max_kernel_ns,
-                                    vcpu->hv_clock.tsc_to_system_mul,
-                                    vcpu->hv_clock.tsc_shift);
-                max_kernel_ns += vcpu->last_kernel_ns;
-        }
-
         if (unlikely(vcpu->hw_tsc_khz != this_tsc_khz)) {
                 kvm_get_time_scale(NSEC_PER_SEC / 1000, this_tsc_khz,
                                    &vcpu->hv_clock.tsc_shift,
@@ -1581,14 +1562,6 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
                 vcpu->hw_tsc_khz = this_tsc_khz;
         }
 
-        /* with a master <monotonic time, tsc value> tuple,
-         * pvclock clock reads always increase at the (scaled) rate
-         * of guest TSC - no need to deal with sampling errors.
-         */
-        if (!use_master_clock) {
-                if (max_kernel_ns > kernel_ns)
-                        kernel_ns = max_kernel_ns;
-        }
         /* With all the info we got, fill in the values */
         vcpu->hv_clock.tsc_timestamp = tsc_timestamp;
         vcpu->hv_clock.system_time = kernel_ns + v->kvm->arch.kvmclock_offset;
@@ -1826,6 +1799,8 @@ static bool kvm_hv_msr_partition_wide(u32 msr)
         switch (msr) {
         case HV_X64_MSR_GUEST_OS_ID:
         case HV_X64_MSR_HYPERCALL:
+        case HV_X64_MSR_REFERENCE_TSC:
+        case HV_X64_MSR_TIME_REF_COUNT:
                 r = true;
                 break;
         }
@@ -1867,6 +1842,20 @@ static int set_msr_hyperv_pw(struct kvm_vcpu *vcpu, u32 msr, u64 data)
                 kvm->arch.hv_hypercall = data;
                 break;
         }
+        case HV_X64_MSR_REFERENCE_TSC: {
+                u64 gfn;
+                HV_REFERENCE_TSC_PAGE tsc_ref;
+                memset(&tsc_ref, 0, sizeof(tsc_ref));
+                kvm->arch.hv_tsc_page = data;
+                if (!(data & HV_X64_MSR_TSC_REFERENCE_ENABLE))
+                        break;
+                gfn = data >> HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT;
+                if (kvm_write_guest(kvm, data,
+                        &tsc_ref, sizeof(tsc_ref)))
+                        return 1;
+                mark_page_dirty(kvm, gfn);
+                break;
+        }
         default:
                 vcpu_unimpl(vcpu, "HYPER-V unimplemented wrmsr: 0x%x "
                             "data 0x%llx\n", msr, data);
@@ -2291,6 +2280,14 @@ static int get_msr_hyperv_pw(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
         case HV_X64_MSR_HYPERCALL:
                 data = kvm->arch.hv_hypercall;
                 break;
+        case HV_X64_MSR_TIME_REF_COUNT: {
+                data =
+                     div_u64(get_kernel_ns() + kvm->arch.kvmclock_offset, 100);
+                break;
+        }
+        case HV_X64_MSR_REFERENCE_TSC:
+                data = kvm->arch.hv_tsc_page;
+                break;
         default:
                 vcpu_unimpl(vcpu, "Hyper-V unhandled rdmsr: 0x%x\n", msr);
                 return 1;
@@ -2604,6 +2601,7 @@ int kvm_dev_ioctl_check_extension(long ext)
 #ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
         case KVM_CAP_ASSIGN_DEV_IRQ:
         case KVM_CAP_PCI_2_3:
+        case KVM_CAP_HYPERV_TIME:
 #endif
                 r = 1;
                 break;
@@ -2972,8 +2970,11 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
 static void kvm_vcpu_ioctl_x86_get_debugregs(struct kvm_vcpu *vcpu,
                                              struct kvm_debugregs *dbgregs)
 {
+        unsigned long val;
+
         memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db));
-        dbgregs->dr6 = vcpu->arch.dr6;
+        _kvm_get_dr(vcpu, 6, &val);
+        dbgregs->dr6 = val;
         dbgregs->dr7 = vcpu->arch.dr7;
         dbgregs->flags = 0;
         memset(&dbgregs->reserved, 0, sizeof(dbgregs->reserved));
@@ -2987,7 +2988,9 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
 
         memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
         vcpu->arch.dr6 = dbgregs->dr6;
+        kvm_update_dr6(vcpu);
         vcpu->arch.dr7 = dbgregs->dr7;
+        kvm_update_dr7(vcpu);
 
         return 0;
 }
@@ -5834,6 +5837,11 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
         kvm_apic_update_tmr(vcpu, tmr);
 }
 
+/*
+ * Returns 1 to let __vcpu_run() continue the guest execution loop without
+ * exiting to the userspace.  Otherwise, the value will be returned to the
+ * userspace.
+ */
 static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
 {
         int r;
@@ -6089,7 +6097,7 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
                 }
                 if (need_resched()) {
                         srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
-                        kvm_resched(vcpu);
+                        cond_resched();
                         vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
                 }
         }
@@ -6717,6 +6725,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu)
 
         memset(vcpu->arch.db, 0, sizeof(vcpu->arch.db));
         vcpu->arch.dr6 = DR6_FIXED_1;
+        kvm_update_dr6(vcpu);
         vcpu->arch.dr7 = DR7_FIXED_1;
         kvm_update_dr7(vcpu);
 
diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
index 587fb9ede436..8da5823bcde6 100644
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -125,5 +125,7 @@ int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt,
 #define KVM_SUPPORTED_XCR0      (XSTATE_FP | XSTATE_SSE | XSTATE_YMM)
 extern u64 host_xcr0;
 
+extern unsigned int min_timer_period_us;
+
 extern struct static_key kvm_no_apic_vcpu;
 #endif