Merge tag 'kvm-3.10-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm updates from Gleb Natapov: "Highlights of the updates are: general: - new emulated device API - legacy device assignment is now optional - irqfd interface is more generic and can be shared between arches x86: - VMCS shadow support and other nested VMX improvements - APIC virtualization and Posted Interrupt hardware support - Optimize mmio spte zapping ppc: - BookE: in-kernel MPIC emulation with irqfd support - Book3S: in-kernel XICS emulation (incomplete) - Book3S: HV: migration fixes - BookE: more debug support preparation - BookE: e6500 support ARM: - reworking of Hyp idmaps s390: - ioeventfd for virtio-ccw And many other bug fixes, cleanups and improvements" * tag 'kvm-3.10-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (204 commits) kvm: Add compat_ioctl for device control API KVM: x86: Account for failing enable_irq_window for NMI window request KVM: PPC: Book3S: Add API for in-kernel XICS emulation kvm/ppc/mpic: fix missing unlock in set_base_addr() kvm/ppc: Hold srcu lock when calling kvm_io_bus_read/write kvm/ppc/mpic: remove users kvm/ppc/mpic: fix mmio region lists when multiple guests used kvm/ppc/mpic: remove default routes from documentation kvm: KVM_CAP_IOMMU only available with device assignment ARM: KVM: iterate over all CPUs for CPU compatibility check KVM: ARM: Fix spelling in error message ARM: KVM: define KVM_ARM_MAX_VCPUS unconditionally KVM: ARM: Fix API documentation for ONE_REG encoding ARM: KVM: promote vfp_host pointer to generic host cpu context ARM: KVM: add architecture specific hook for capabilities ARM: KVM: perform HYP initilization for hotplugged CPUs ARM: KVM: switch to a dual-step HYP init code ARM: KVM: rework HYP page table freeing ARM: KVM: enforce maximum size for identity mapped code ARM: KVM: move to a KVM provided HYP idmap ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-05-05 17:47:31 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-05-05 17:47:31 -0400
commit: 01227a889ed56ae53aeebb9f93be9d54dd8b2de8 (patch)
tree: d5eba9359a9827e84d4112b84d48c54df5c5acde /arch/x86
parent: 9e6879460c8edb0cd3c24c09b83d06541b5af0dc (diff)
parent: db6ae6158186a17165ef990bda2895ae7594b039 (diff)
26 files changed, 1344 insertions, 521 deletions
diff --git a/arch/x86/include/asm/entry_arch.h b/arch/x86/include/asm/entry_arch.h
index 40afa0005c69..9bd4ecac72be 100644
--- a/arch/x86/include/asm/entry_arch.h
+++ b/arch/x86/include/asm/entry_arch.h
@@ -19,6 +19,10 @@ BUILD_INTERRUPT(reboot_interrupt,REBOOT_VECTOR)
 BUILD_INTERRUPT(x86_platform_ipi, X86_PLATFORM_IPI_VECTOR)
+#ifdef CONFIG_HAVE_KVM
+BUILD_INTERRUPT(kvm_posted_intr_ipi, POSTED_INTR_VECTOR)
+#endif
 /*
 * every pentium local APIC has two 'local interrupts', with a
 * soft-definable vector attached to both interrupts, one of
diff --git a/arch/x86/include/asm/hardirq.h b/arch/x86/include/asm/hardirq.h
index 81f04cee5f74..ab0ae1aa6d0a 100644
--- a/arch/x86/include/asm/hardirq.h
+++ b/arch/x86/include/asm/hardirq.h
@@ -12,6 +12,9 @@ typedef struct {
        unsigned int irq_spurious_count;
        unsigned int icr_read_retry_count;
 #endif
+#ifdef CONFIG_HAVE_KVM
+        unsigned int kvm_posted_intr_ipis;
+#endif
        unsigned int x86_platform_ipis; /* arch dependent */
        unsigned int apic_perf_irqs;
        unsigned int apic_irq_work_irqs;
diff --git a/arch/x86/include/asm/hw_irq.h b/arch/x86/include/asm/hw_irq.h
index 10a78c3d3d5a..1da97efad08a 100644
--- a/arch/x86/include/asm/hw_irq.h
+++ b/arch/x86/include/asm/hw_irq.h
@@ -28,6 +28,7 @@
 /* Interrupt handlers registered during init_IRQ */
 extern void apic_timer_interrupt(void);
 extern void x86_platform_ipi(void);
+extern void kvm_posted_intr_ipi(void);
 extern void error_interrupt(void);
 extern void irq_work_interrupt(void);
diff --git a/arch/x86/include/asm/irq_vectors.h b/arch/x86/include/asm/irq_vectors.h
index aac5fa62a86c..5702d7e3111d 100644
--- a/arch/x86/include/asm/irq_vectors.h
+++ b/arch/x86/include/asm/irq_vectors.h
@@ -102,6 +102,11 @@
 */
 #define X86_PLATFORM_IPI_VECTOR         0xf7
+/* Vector for KVM to deliver posted interrupt IPI */
+#ifdef CONFIG_HAVE_KVM
+#define POSTED_INTR_VECTOR              0xf2
+#endif
 /*
 * IRQ work vector:
 */
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 4979778cc7fb..3741c653767c 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -31,7 +31,7 @@
 #include <asm/msr-index.h>
 #include <asm/asm.h>
-#define KVM_MAX_VCPUS 254
+#define KVM_MAX_VCPUS 255
 #define KVM_SOFT_MAX_VCPUS 160
 #define KVM_USER_MEM_SLOTS 125
 /* memory slots that are not exposed to userspace */
@@ -43,6 +43,8 @@
 #define KVM_PIO_PAGE_OFFSET 1
 #define KVM_COALESCED_MMIO_PAGE_OFFSET 2
+#define KVM_IRQCHIP_NUM_PINS  KVM_IOAPIC_NUM_PINS
 #define CR0_RESERVED_BITS                                               \
        (~(unsigned long)(X86_CR0_PE | X86_CR0_MP | X86_CR0_EM | X86_CR0_TS \
                          | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM \
@@ -94,9 +96,6 @@
 #define ASYNC_PF_PER_VCPU 64
-extern raw_spinlock_t kvm_lock;
-extern struct list_head vm_list;
 struct kvm_vcpu;
 struct kvm;
 struct kvm_async_pf;
@@ -230,6 +229,7 @@ struct kvm_mmu_page {
 #endif
        int write_flooding_count;
+        bool mmio_cached;
 };
 struct kvm_pio_request {
@@ -345,7 +345,6 @@ struct kvm_vcpu_arch {
        unsigned long apic_attention;
        int32_t apic_arb_prio;
        int mp_state;
-        int sipi_vector;
        u64 ia32_misc_enable_msr;
        bool tpr_access_reporting;
@@ -643,7 +642,7 @@ struct kvm_x86_ops {
        /* Create, but do not attach this VCPU */
        struct kvm_vcpu *(*vcpu_create)(struct kvm *kvm, unsigned id);
        void (*vcpu_free)(struct kvm_vcpu *vcpu);
-        int (*vcpu_reset)(struct kvm_vcpu *vcpu);
+        void (*vcpu_reset)(struct kvm_vcpu *vcpu);
        void (*prepare_guest_switch)(struct kvm_vcpu *vcpu);
        void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
@@ -696,14 +695,16 @@ struct kvm_x86_ops {
        int (*nmi_allowed)(struct kvm_vcpu *vcpu);
        bool (*get_nmi_mask)(struct kvm_vcpu *vcpu);
        void (*set_nmi_mask)(struct kvm_vcpu *vcpu, bool masked);
-        void (*enable_nmi_window)(struct kvm_vcpu *vcpu);
+        int (*enable_nmi_window)(struct kvm_vcpu *vcpu);
-        void (*enable_irq_window)(struct kvm_vcpu *vcpu);
+        int (*enable_irq_window)(struct kvm_vcpu *vcpu);
        void (*update_cr8_intercept)(struct kvm_vcpu *vcpu, int tpr, int irr);
        int (*vm_has_apicv)(struct kvm *kvm);
        void (*hwapic_irr_update)(struct kvm_vcpu *vcpu, int max_irr);
        void (*hwapic_isr_update)(struct kvm *kvm, int isr);
        void (*load_eoi_exitmap)(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap);
        void (*set_virtual_x2apic_mode)(struct kvm_vcpu *vcpu, bool set);
+        void (*deliver_posted_interrupt)(struct kvm_vcpu *vcpu, int vector);
+        void (*sync_pir_to_irr)(struct kvm_vcpu *vcpu);
        int (*set_tss_addr)(struct kvm *kvm, unsigned int addr);
        int (*get_tdp_level)(void);
        u64 (*get_mt_mask)(struct kvm_vcpu *vcpu, gfn_t gfn, bool is_mmio);
@@ -730,6 +731,7 @@ struct kvm_x86_ops {
        int (*check_intercept)(struct kvm_vcpu *vcpu,
                               struct x86_instruction_info *info,
                               enum x86_intercept_stage stage);
+        void (*handle_external_intr)(struct kvm_vcpu *vcpu);
 };
 struct kvm_arch_async_pf {
@@ -767,6 +769,7 @@ void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
                                     struct kvm_memory_slot *slot,
                                     gfn_t gfn_offset, unsigned long mask);
 void kvm_mmu_zap_all(struct kvm *kvm);
+void kvm_mmu_zap_mmio_sptes(struct kvm *kvm);
 unsigned int kvm_mmu_calculate_mmu_pages(struct kvm *kvm);
 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int kvm_nr_mmu_pages);
@@ -797,6 +800,7 @@ enum emulation_result {
 #define EMULTYPE_TRAP_UD            (1 << 1)
 #define EMULTYPE_SKIP               (1 << 2)
 #define EMULTYPE_RETRY              (1 << 3)
+#define EMULTYPE_NO_REEXECUTE       (1 << 4)
 int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
                            int emulation_type, void *insn, int insn_len);
@@ -807,6 +811,7 @@ static inline int emulate_instruction(struct kvm_vcpu *vcpu,
 }
 void kvm_enable_efer_bits(u64);
+bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer);
 int kvm_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *data);
 int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr);
@@ -819,6 +824,7 @@ int kvm_emulate_wbinvd(struct kvm_vcpu *vcpu);
 void kvm_get_segment(struct kvm_vcpu *vcpu, struct kvm_segment *var, int seg);
 int kvm_load_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector, int seg);
+void kvm_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, unsigned int vector);
 int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int idt_index,
                    int reason, bool has_error_code, u32 error_code);
@@ -973,7 +979,6 @@ enum {
 * Trap the fault and ignore the instruction if that happens.
 */
 asmlinkage void kvm_spurious_fault(void);
-extern bool kvm_rebooting;
 #define ____kvm_handle_fault_on_reboot(insn, cleanup_insn)      \
        "666: " insn "\n\t" \
@@ -1002,6 +1007,7 @@ int kvm_cpu_has_injectable_intr(struct kvm_vcpu *v);
 int kvm_cpu_has_interrupt(struct kvm_vcpu *vcpu);
 int kvm_arch_interrupt_allowed(struct kvm_vcpu *vcpu);
 int kvm_cpu_get_interrupt(struct kvm_vcpu *v);
+void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
 void kvm_define_shared_msr(unsigned index, u32 msr);
 void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
@@ -1027,7 +1033,7 @@ void kvm_pmu_reset(struct kvm_vcpu *vcpu);
 void kvm_pmu_cpuid_update(struct kvm_vcpu *vcpu);
 bool kvm_pmu_msr(struct kvm_vcpu *vcpu, u32 msr);
 int kvm_pmu_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *data);
-int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, u32 msr, u64 data);
+int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info);
 int kvm_pmu_read_pmc(struct kvm_vcpu *vcpu, unsigned pmc, u64 *data);
 void kvm_handle_pmu_event(struct kvm_vcpu *vcpu);
 void kvm_deliver_pmi(struct kvm_vcpu *vcpu);
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index b6fbf860e398..f3e01a2cbaa1 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -65,11 +65,16 @@
 #define SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY    0x00000200
 #define SECONDARY_EXEC_PAUSE_LOOP_EXITING       0x00000400
 #define SECONDARY_EXEC_ENABLE_INVPCID           0x00001000
+#define SECONDARY_EXEC_SHADOW_VMCS              0x00004000
 #define PIN_BASED_EXT_INTR_MASK                 0x00000001
 #define PIN_BASED_NMI_EXITING                   0x00000008
 #define PIN_BASED_VIRTUAL_NMIS                  0x00000020
+#define PIN_BASED_VMX_PREEMPTION_TIMER          0x00000040
+#define PIN_BASED_POSTED_INTR                   0x00000080
+#define PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR     0x00000016
 #define VM_EXIT_SAVE_DEBUG_CONTROLS             0x00000002
 #define VM_EXIT_HOST_ADDR_SPACE_SIZE            0x00000200
@@ -81,6 +86,8 @@
 #define VM_EXIT_LOAD_IA32_EFER                  0x00200000
 #define VM_EXIT_SAVE_VMX_PREEMPTION_TIMER       0x00400000
+#define VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR       0x00036dff
 #define VM_ENTRY_LOAD_DEBUG_CONTROLS            0x00000002
 #define VM_ENTRY_IA32E_MODE                     0x00000200
 #define VM_ENTRY_SMM                            0x00000400
@@ -89,9 +96,15 @@
 #define VM_ENTRY_LOAD_IA32_PAT                  0x00004000
 #define VM_ENTRY_LOAD_IA32_EFER                 0x00008000
+#define VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR      0x000011ff
+#define VMX_MISC_PREEMPTION_TIMER_RATE_MASK     0x0000001f
+#define VMX_MISC_SAVE_EFER_LMA                  0x00000020
 /* VMCS Encodings */
 enum vmcs_field {
        VIRTUAL_PROCESSOR_ID            = 0x00000000,
+        POSTED_INTR_NV                  = 0x00000002,
        GUEST_ES_SELECTOR               = 0x00000800,
        GUEST_CS_SELECTOR               = 0x00000802,
        GUEST_SS_SELECTOR               = 0x00000804,
@@ -126,6 +139,8 @@ enum vmcs_field {
        VIRTUAL_APIC_PAGE_ADDR_HIGH     = 0x00002013,
        APIC_ACCESS_ADDR                = 0x00002014,
        APIC_ACCESS_ADDR_HIGH           = 0x00002015,
+        POSTED_INTR_DESC_ADDR           = 0x00002016,
+        POSTED_INTR_DESC_ADDR_HIGH      = 0x00002017,
        EPT_POINTER                     = 0x0000201a,
        EPT_POINTER_HIGH                = 0x0000201b,
        EOI_EXIT_BITMAP0                = 0x0000201c,
@@ -136,6 +151,8 @@ enum vmcs_field {
        EOI_EXIT_BITMAP2_HIGH           = 0x00002021,
        EOI_EXIT_BITMAP3                = 0x00002022,
        EOI_EXIT_BITMAP3_HIGH           = 0x00002023,
+        VMREAD_BITMAP                   = 0x00002026,
+        VMWRITE_BITMAP                  = 0x00002028,
        GUEST_PHYSICAL_ADDRESS          = 0x00002400,
        GUEST_PHYSICAL_ADDRESS_HIGH     = 0x00002401,
        VMCS_LINK_POINTER               = 0x00002800,
@@ -209,6 +226,7 @@ enum vmcs_field {
        GUEST_INTERRUPTIBILITY_INFO     = 0x00004824,
        GUEST_ACTIVITY_STATE            = 0X00004826,
        GUEST_SYSENTER_CS               = 0x0000482A,
+        VMX_PREEMPTION_TIMER_VALUE      = 0x0000482E,
        HOST_IA32_SYSENTER_CS           = 0x00004c00,
        CR0_GUEST_HOST_MASK             = 0x00006000,
        CR4_GUEST_HOST_MASK             = 0x00006002,
diff --git a/arch/x86/include/uapi/asm/kvm.h b/arch/x86/include/uapi/asm/kvm.h
index a65ec29e6ffb..5d9a3033b3d7 100644
--- a/arch/x86/include/uapi/asm/kvm.h
+++ b/arch/x86/include/uapi/asm/kvm.h
@@ -29,7 +29,6 @@
 #define __KVM_HAVE_PIT
 #define __KVM_HAVE_IOAPIC
 #define __KVM_HAVE_IRQ_LINE
-#define __KVM_HAVE_DEVICE_ASSIGNMENT
 #define __KVM_HAVE_MSI
 #define __KVM_HAVE_USER_NMI
 #define __KVM_HAVE_GUEST_DEBUG
diff --git a/arch/x86/include/uapi/asm/msr-index.h b/arch/x86/include/uapi/asm/msr-index.h
index b5757885d7a4..b3a4866661c5 100644
--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -528,6 +528,8 @@
 #define VMX_BASIC_MEM_TYPE_WB   6LLU
 #define VMX_BASIC_INOUT         0x0040000000000000LLU
+/* MSR_IA32_VMX_MISC bits */
+#define MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS (1ULL << 29)
 /* AMD-V MSRs */
 #define MSR_VM_CR                       0xc0010114
diff --git a/arch/x86/include/uapi/asm/vmx.h b/arch/x86/include/uapi/asm/vmx.h
index 2871fccfee68..d651082c7cf7 100644
--- a/arch/x86/include/uapi/asm/vmx.h
+++ b/arch/x86/include/uapi/asm/vmx.h
@@ -65,6 +65,7 @@
 #define EXIT_REASON_EOI_INDUCED         45
 #define EXIT_REASON_EPT_VIOLATION       48
 #define EXIT_REASON_EPT_MISCONFIG       49
+#define EXIT_REASON_PREEMPTION_TIMER    52
 #define EXIT_REASON_WBINVD              54
 #define EXIT_REASON_XSETBV              55
 #define EXIT_REASON_APIC_WRITE          56
@@ -110,7 +111,7 @@
        { EXIT_REASON_EOI_INDUCED,           "EOI_INDUCED" }, \
        { EXIT_REASON_INVALID_STATE,         "INVALID_STATE" }, \
        { EXIT_REASON_INVD,                  "INVD" }, \
-        { EXIT_REASON_INVPCID,               "INVPCID" }
+        { EXIT_REASON_INVPCID,               "INVPCID" }, \
+        { EXIT_REASON_PREEMPTION_TIMER,      "PREEMPTION_TIMER" }
 #endif /* _UAPIVMX_H */
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index c1d01e6ca790..727208941030 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1166,6 +1166,11 @@ apicinterrupt LOCAL_TIMER_VECTOR \
 apicinterrupt X86_PLATFORM_IPI_VECTOR \
        x86_platform_ipi smp_x86_platform_ipi
+#ifdef CONFIG_HAVE_KVM
+apicinterrupt POSTED_INTR_VECTOR \
+        kvm_posted_intr_ipi smp_kvm_posted_intr_ipi
+#endif
 apicinterrupt THRESHOLD_APIC_VECTOR \
        threshold_interrupt smp_threshold_interrupt
 apicinterrupt THERMAL_APIC_VECTOR \
diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
index 84b778962c66..ac0631d8996f 100644
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -224,6 +224,28 @@ void smp_x86_platform_ipi(struct pt_regs *regs)
        set_irq_regs(old_regs);
 }
+#ifdef CONFIG_HAVE_KVM
+/*
+ * Handler for POSTED_INTERRUPT_VECTOR.
+ */
+void smp_kvm_posted_intr_ipi(struct pt_regs *regs)
+{
+        struct pt_regs *old_regs = set_irq_regs(regs);
+        ack_APIC_irq();
+        irq_enter();
+        exit_idle();
+        inc_irq_stat(kvm_posted_intr_ipis);
+        irq_exit();
+        set_irq_regs(old_regs);
+}
+#endif
 EXPORT_SYMBOL_GPL(vector_used_by_percpu_irq);
 #ifdef CONFIG_HOTPLUG_CPU
diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c
index 7dc4e459c2b3..a2a1fbc594ff 100644
--- a/arch/x86/kernel/irqinit.c
+++ b/arch/x86/kernel/irqinit.c
@@ -172,6 +172,10 @@ static void __init apic_intr_init(void)
        /* IPI for X86 platform specific use */
        alloc_intr_gate(X86_PLATFORM_IPI_VECTOR, x86_platform_ipi);
+#ifdef CONFIG_HAVE_KVM
+        /* IPI for KVM to deliver posted interrupt */
+        alloc_intr_gate(POSTED_INTR_VECTOR, kvm_posted_intr_ipi);
+#endif
        /* IPI vectors for APIC spurious and error interrupts */
        alloc_intr_gate(SPURIOUS_APIC_VECTOR, spurious_interrupt);
diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
index 0732f0089a3d..d2c381280e3c 100644
--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -160,8 +160,12 @@ int kvm_register_clock(char *txt)
 {
        int cpu = smp_processor_id();
        int low, high, ret;
-        struct pvclock_vcpu_time_info *src = &hv_clock[cpu].pvti;
+        struct pvclock_vcpu_time_info *src;
+        if (!hv_clock)
+                return 0;
+        src = &hv_clock[cpu].pvti;
        low = (int)slow_virt_to_phys(src) | 1;
        high = ((u64)slow_virt_to_phys(src) >> 32);
        ret = native_write_msr_safe(msr_kvm_system_time, low, high);
@@ -276,6 +280,9 @@ int __init kvm_setup_vsyscall_timeinfo(void)
        struct pvclock_vcpu_time_info *vcpu_time;
        unsigned int size;
+        if (!hv_clock)
+                return 0;
        size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
        preempt_disable();
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 586f00059805..a47a3e54b964 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -21,14 +21,13 @@ config KVM
        tristate "Kernel-based Virtual Machine (KVM) support"
        depends on HAVE_KVM
        depends on HIGH_RES_TIMERS
-        # for device assignment:
-        depends on PCI
        # for TASKSTATS/TASK_DELAY_ACCT:
        depends on NET
        select PREEMPT_NOTIFIERS
        select MMU_NOTIFIER
        select ANON_INODES
        select HAVE_KVM_IRQCHIP
+        select HAVE_KVM_IRQ_ROUTING
        select HAVE_KVM_EVENTFD
        select KVM_APIC_ARCHITECTURE
        select KVM_ASYNC_PF
@@ -82,6 +81,17 @@ config KVM_MMU_AUDIT
         This option adds a R/W kVM module parameter 'mmu_audit', which allows
         audit  KVM MMU at runtime.
+config KVM_DEVICE_ASSIGNMENT
+        bool "KVM legacy PCI device assignment support"
+        depends on KVM && PCI && IOMMU_API
+        default y
+        ---help---
+          Provide support for legacy PCI device assignment through KVM.  The
+          kernel now also supports a full featured userspace device driver
+          framework through VFIO, which supersedes much of this support.
+          If unsure, say Y.
 # OK, it's a little counter-intuitive to do this, but it puts it neatly under
 # the virtualization menu.
 source drivers/vhost/Kconfig
diff --git a/arch/x86/kvm/Makefile b/arch/x86/kvm/Makefile
index 04d30401c5cb..d609e1d84048 100644
--- a/arch/x86/kvm/Makefile
+++ b/arch/x86/kvm/Makefile
@@ -7,8 +7,9 @@ CFLAGS_vmx.o := -I.
 kvm-y                   += $(addprefix ../../../virt/kvm/, kvm_main.o ioapic.o \
                                coalesced_mmio.o irq_comm.o eventfd.o \
-                                assigned-dev.o)
+                                irqchip.o)
-kvm-$(CONFIG_IOMMU_API) += $(addprefix ../../../virt/kvm/, iommu.o)
+kvm-$(CONFIG_KVM_DEVICE_ASSIGNMENT)     += $(addprefix ../../../virt/kvm/, \
+                                assigned-dev.o iommu.o)
 kvm-$(CONFIG_KVM_ASYNC_PF)      += $(addprefix ../../../virt/kvm/, async_pf.o)
 kvm-y                   += x86.o mmu.o emulate.o i8259.o irq.o lapic.o \
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index a335cc6cde72..8e517bba6a7c 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -132,8 +132,9 @@
 #define Priv        (1<<27) /* instruction generates #GP if current CPL != 0 */
 #define No64        (1<<28)
 #define PageTable   (1 << 29)   /* instruction used to write page table */
+#define NotImpl     (1 << 30)   /* instruction is not implemented */
 /* Source 2 operand type */
-#define Src2Shift   (30)
+#define Src2Shift   (31)
 #define Src2None    (OpNone << Src2Shift)
 #define Src2CL      (OpCL << Src2Shift)
 #define Src2ImmByte (OpImmByte << Src2Shift)
@@ -1578,12 +1579,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
        memset(&seg_desc, 0, sizeof seg_desc);
-        if ((seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86)
+        if (ctxt->mode == X86EMUL_MODE_REAL) {
-            || ctxt->mode == X86EMUL_MODE_REAL) {
+                /* set real mode segment descriptor (keep limit etc. for
-                /* set real mode segment descriptor */
+                 * unreal mode) */
                ctxt->ops->get_segment(ctxt, &dummy, &seg_desc, NULL, seg);
                set_desc_base(&seg_desc, selector << 4);
                goto load;
+        } else if (seg <= VCPU_SREG_GS && ctxt->mode == X86EMUL_MODE_VM86) {
+                /* VM86 needs a clean new segment descriptor */
+                set_desc_base(&seg_desc, selector << 4);
+                set_desc_limit(&seg_desc, 0xffff);
+                seg_desc.type = 3;
+                seg_desc.p = 1;
+                seg_desc.s = 1;
+                seg_desc.dpl = 3;
+                goto load;
        }
        rpl = selector & 3;
@@ -3615,7 +3625,7 @@ static int check_perm_out(struct x86_emulate_ctxt *ctxt)
 #define DI(_y, _i) { .flags = (_y), .intercept = x86_intercept_##_i }
 #define DIP(_y, _i, _p) { .flags = (_y), .intercept = x86_intercept_##_i, \
                      .check_perm = (_p) }
-#define N    D(0)
+#define N    D(NotImpl)
 #define EXT(_f, _e) { .flags = ((_f) | RMExt), .u.group = (_e) }
 #define G(_f, _g) { .flags = ((_f) | Group | ModRM), .u.group = (_g) }
 #define GD(_f, _g) { .flags = ((_f) | GroupDual | ModRM), .u.gdual = (_g) }
@@ -3713,7 +3723,7 @@ static const struct opcode group5[] = {
        I(SrcMemFAddr | ImplicitOps | Stack,    em_call_far),
        I(SrcMem | Stack,                       em_grp45),
        I(SrcMemFAddr | ImplicitOps,            em_grp45),
-        I(SrcMem | Stack,                       em_grp45), N,
+        I(SrcMem | Stack,                       em_grp45), D(Undefined),
 };
 static const struct opcode group6[] = {
@@ -4162,6 +4172,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
                break;
        case OpMem8:
                ctxt->memop.bytes = 1;
+                if (ctxt->memop.type == OP_REG) {
+                        ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1);
+                        fetch_register_operand(&ctxt->memop);
+                }
                goto mem_common;
        case OpMem16:
                ctxt->memop.bytes = 2;
@@ -4373,7 +4387,7 @@ done_prefixes:
        ctxt->intercept = opcode.intercept;
        /* Unrecognised? */
-        if (ctxt->d == 0 || (ctxt->d & Undefined))
+        if (ctxt->d == 0 || (ctxt->d & NotImpl))
                return EMULATION_FAILED;
        if (!(ctxt->d & VendorSpecific) && ctxt->only_vendor_specific_insn)
@@ -4511,7 +4525,8 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
        ctxt->mem_read.pos = 0;
-        if (ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) {
+        if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
+                        (ctxt->d & Undefined)) {
                rc = emulate_ud(ctxt);
                goto done;
        }
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index c1d30b2fc9bb..412a5aa0ef94 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -290,8 +290,8 @@ static void pit_do_work(struct kthread_work *work)
        }
        spin_unlock(&ps->inject_lock);
        if (inject) {
-                kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 1);
+                kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 1, false);
-                kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 0);
+                kvm_set_irq(kvm, kvm->arch.vpit->irq_source_id, 0, 0, false);
                /*
                 * Provides NMI watchdog support via Virtual Wire mode.
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index f77df1c5de6e..e1adbb4aca75 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -94,6 +94,14 @@ static inline int apic_test_vector(int vec, void *bitmap)
        return test_bit(VEC_POS(vec), (bitmap) + REG_POS(vec));
 }
+bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector)
+{
+        struct kvm_lapic *apic = vcpu->arch.apic;
+        return apic_test_vector(vector, apic->regs + APIC_ISR) ||
+                apic_test_vector(vector, apic->regs + APIC_IRR);
+}
 static inline void apic_set_vector(int vec, void *bitmap)
 {
        set_bit(VEC_POS(vec), (bitmap) + REG_POS(vec));
@@ -145,53 +153,6 @@ static inline int kvm_apic_id(struct kvm_lapic *apic)
        return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
 }
-void kvm_calculate_eoi_exitmap(struct kvm_vcpu *vcpu,
-                                struct kvm_lapic_irq *irq,
-                                u64 *eoi_exit_bitmap)
-{
-        struct kvm_lapic **dst;
-        struct kvm_apic_map *map;
-        unsigned long bitmap = 1;
-        int i;
-        rcu_read_lock();
-        map = rcu_dereference(vcpu->kvm->arch.apic_map);
-        if (unlikely(!map)) {
-                __set_bit(irq->vector, (unsigned long *)eoi_exit_bitmap);
-                goto out;
-        }
-        if (irq->dest_mode == 0) { /* physical mode */
-                if (irq->delivery_mode == APIC_DM_LOWEST ||
-                                irq->dest_id == 0xff) {
-                        __set_bit(irq->vector,
-                                  (unsigned long *)eoi_exit_bitmap);
-                        goto out;
-                }
-                dst = &map->phys_map[irq->dest_id & 0xff];
-        } else {
-                u32 mda = irq->dest_id << (32 - map->ldr_bits);
-                dst = map->logical_map[apic_cluster_id(map, mda)];
-                bitmap = apic_logical_id(map, mda);
-        }
-        for_each_set_bit(i, &bitmap, 16) {
-                if (!dst[i])
-                        continue;
-                if (dst[i]->vcpu == vcpu) {
-                        __set_bit(irq->vector,
-                                  (unsigned long *)eoi_exit_bitmap);
-                        break;
-                }
-        }
-out:
-        rcu_read_unlock();
-}
 static void recalculate_apic_map(struct kvm *kvm)
 {
        struct kvm_apic_map *new, *old = NULL;
@@ -256,7 +217,7 @@ out:
        if (old)
                kfree_rcu(old, rcu);
-        kvm_ioapic_make_eoibitmap_request(kvm);
+        kvm_vcpu_request_scan_ioapic(kvm);
 }
 static inline void kvm_apic_set_id(struct kvm_lapic *apic, u8 id)
@@ -357,6 +318,19 @@ static u8 count_vectors(void *bitmap)
        return count;
 }
+void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir)
+{
+        u32 i, pir_val;
+        struct kvm_lapic *apic = vcpu->arch.apic;
+        for (i = 0; i <= 7; i++) {
+                pir_val = xchg(&pir[i], 0);
+                if (pir_val)
+                        *((u32 *)(apic->regs + APIC_IRR + i * 0x10)) |= pir_val;
+        }
+}
+EXPORT_SYMBOL_GPL(kvm_apic_update_irr);
 static inline int apic_test_and_set_irr(int vec, struct kvm_lapic *apic)
 {
        apic->irr_pending = true;
@@ -379,6 +353,7 @@ static inline int apic_find_highest_irr(struct kvm_lapic *apic)
        if (!apic->irr_pending)
                return -1;
+        kvm_x86_ops->sync_pir_to_irr(apic->vcpu);
        result = apic_search_irr(apic);
        ASSERT(result == -1 || result >= 16);
@@ -431,14 +406,16 @@ int kvm_lapic_find_highest_irr(struct kvm_vcpu *vcpu)
 }
 static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
-                             int vector, int level, int trig_mode);
+                             int vector, int level, int trig_mode,
+                             unsigned long *dest_map);
-int kvm_apic_set_irq(struct kvm_vcpu *vcpu, struct kvm_lapic_irq *irq)
+int kvm_apic_set_irq(struct kvm_vcpu *vcpu, struct kvm_lapic_irq *irq,
+                unsigned long *dest_map)
 {
        struct kvm_lapic *apic = vcpu->arch.apic;
        return __apic_accept_irq(apic, irq->delivery_mode, irq->vector,
-                        irq->level, irq->trig_mode);
+                        irq->level, irq->trig_mode, dest_map);
 }
 static int pv_eoi_put_user(struct kvm_vcpu *vcpu, u8 val)
@@ -505,6 +482,15 @@ static inline int apic_find_highest_isr(struct kvm_lapic *apic)
        return result;
 }
+void kvm_apic_update_tmr(struct kvm_vcpu *vcpu, u32 *tmr)
+{
+        struct kvm_lapic *apic = vcpu->arch.apic;
+        int i;
+        for (i = 0; i < 8; i++)
+                apic_set_reg(apic, APIC_TMR + 0x10 * i, tmr[i]);
+}
 static void apic_update_ppr(struct kvm_lapic *apic)
 {
        u32 tpr, isrv, ppr, old_ppr;
@@ -611,7 +597,7 @@ int kvm_apic_match_dest(struct kvm_vcpu *vcpu, struct kvm_lapic *source,
 }
 bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
-                struct kvm_lapic_irq *irq, int *r)
+                struct kvm_lapic_irq *irq, int *r, unsigned long *dest_map)
 {
        struct kvm_apic_map *map;
        unsigned long bitmap = 1;
@@ -622,7 +608,7 @@ bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
        *r = -1;
        if (irq->shorthand == APIC_DEST_SELF) {
-                *r = kvm_apic_set_irq(src->vcpu, irq);
+                *r = kvm_apic_set_irq(src->vcpu, irq, dest_map);
                return true;
        }
@@ -667,7 +653,7 @@ bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
                        continue;
                if (*r < 0)
                        *r = 0;
-                *r += kvm_apic_set_irq(dst[i]->vcpu, irq);
+                *r += kvm_apic_set_irq(dst[i]->vcpu, irq, dest_map);
        }
        ret = true;
@@ -681,7 +667,8 @@ out:
 * Return 1 if successfully added and 0 if discarded.
 */
 static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
-                             int vector, int level, int trig_mode)
+                             int vector, int level, int trig_mode,
+                             unsigned long *dest_map)
 {
        int result = 0;
        struct kvm_vcpu *vcpu = apic->vcpu;
@@ -694,24 +681,28 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
                if (unlikely(!apic_enabled(apic)))
                        break;
-                if (trig_mode) {
+                if (dest_map)
-                        apic_debug("level trig mode for vector %d", vector);
+                        __set_bit(vcpu->vcpu_id, dest_map);
-                        apic_set_vector(vector, apic->regs + APIC_TMR);
-                } else
-                        apic_clear_vector(vector, apic->regs + APIC_TMR);
-                result = !apic_test_and_set_irr(vector, apic);
+                if (kvm_x86_ops->deliver_posted_interrupt) {
-                trace_kvm_apic_accept_irq(vcpu->vcpu_id, delivery_mode,
+                        result = 1;
-                                          trig_mode, vector, !result);
+                        kvm_x86_ops->deliver_posted_interrupt(vcpu, vector);
-                if (!result) {
+                } else {
-                        if (trig_mode)
+                        result = !apic_test_and_set_irr(vector, apic);
-                                apic_debug("level trig mode repeatedly for "
-                                                "vector %d", vector);
-                        break;
-                }
-                kvm_make_request(KVM_REQ_EVENT, vcpu);
+                        if (!result) {
-                kvm_vcpu_kick(vcpu);
+                                if (trig_mode)
+                                        apic_debug("level trig mode repeatedly "
+                                                "for vector %d", vector);
+                                goto out;
+                        }
+                        kvm_make_request(KVM_REQ_EVENT, vcpu);
+                        kvm_vcpu_kick(vcpu);
+                }
+out:
+                trace_kvm_apic_accept_irq(vcpu->vcpu_id, delivery_mode,
+                                trig_mode, vector, !result);
                break;
        case APIC_DM_REMRD:
@@ -731,7 +722,11 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
        case APIC_DM_INIT:
                if (!trig_mode || level) {
                        result = 1;
-                        vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
+                        /* assumes that there are only KVM_APIC_INIT/SIPI */
+                        apic->pending_events = (1UL << KVM_APIC_INIT);
+                        /* make sure pending_events is visible before sending
+                         * the request */
+                        smp_wmb();
                        kvm_make_request(KVM_REQ_EVENT, vcpu);
                        kvm_vcpu_kick(vcpu);
                } else {
@@ -743,13 +738,13 @@ static int __apic_accept_irq(struct kvm_lapic *apic, int delivery_mode,
        case APIC_DM_STARTUP:
                apic_debug("SIPI to vcpu %d vector 0x%02x\n",
                           vcpu->vcpu_id, vector);
-                if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) {
+                result = 1;
-                        result = 1;
+                apic->sipi_vector = vector;
-                        vcpu->arch.sipi_vector = vector;
+                /* make sure sipi_vector is visible for the receiver */
-                        vcpu->arch.mp_state = KVM_MP_STATE_SIPI_RECEIVED;
+                smp_wmb();
-                        kvm_make_request(KVM_REQ_EVENT, vcpu);
+                set_bit(KVM_APIC_SIPI, &apic->pending_events);
-                        kvm_vcpu_kick(vcpu);
+                kvm_make_request(KVM_REQ_EVENT, vcpu);
-                }
+                kvm_vcpu_kick(vcpu);
                break;
        case APIC_DM_EXTINT:
@@ -782,7 +777,7 @@ static void kvm_ioapic_send_eoi(struct kvm_lapic *apic, int vector)
                        trigger_mode = IOAPIC_LEVEL_TRIG;
                else
                        trigger_mode = IOAPIC_EDGE_TRIG;
-                kvm_ioapic_update_eoi(apic->vcpu->kvm, vector, trigger_mode);
+                kvm_ioapic_update_eoi(apic->vcpu, vector, trigger_mode);
        }
 }
@@ -848,7 +843,7 @@ static void apic_send_ipi(struct kvm_lapic *apic)
                   irq.trig_mode, irq.level, irq.dest_mode, irq.delivery_mode,
                   irq.vector);
-        kvm_irq_delivery_to_apic(apic->vcpu->kvm, apic, &irq);
+        kvm_irq_delivery_to_apic(apic->vcpu->kvm, apic, &irq, NULL);
 }
 static u32 apic_get_tmcct(struct kvm_lapic *apic)
@@ -1484,7 +1479,8 @@ int kvm_apic_local_deliver(struct kvm_lapic *apic, int lvt_type)
                vector = reg & APIC_VECTOR_MASK;
                mode = reg & APIC_MODE_MASK;
                trig_mode = reg & APIC_LVT_LEVEL_TRIGGER;
-                return __apic_accept_irq(apic, mode, vector, 1, trig_mode);
+                return __apic_accept_irq(apic, mode, vector, 1, trig_mode,
+                                        NULL);
        }
        return 0;
 }
@@ -1654,6 +1650,7 @@ void kvm_apic_post_state_restore(struct kvm_vcpu *vcpu,
        apic->highest_isr_cache = -1;
        kvm_x86_ops->hwapic_isr_update(vcpu->kvm, apic_find_highest_isr(apic));
        kvm_make_request(KVM_REQ_EVENT, vcpu);
+        kvm_rtc_eoi_tracking_restore_one(vcpu);
 }
 void __kvm_migrate_apic_timer(struct kvm_vcpu *vcpu)
@@ -1860,6 +1857,34 @@ int kvm_lapic_enable_pv_eoi(struct kvm_vcpu *vcpu, u64 data)
                                         addr, sizeof(u8));
 }
+void kvm_apic_accept_events(struct kvm_vcpu *vcpu)
+{
+        struct kvm_lapic *apic = vcpu->arch.apic;
+        unsigned int sipi_vector;
+        if (!kvm_vcpu_has_lapic(vcpu))
+                return;
+        if (test_and_clear_bit(KVM_APIC_INIT, &apic->pending_events)) {
+                kvm_lapic_reset(vcpu);
+                kvm_vcpu_reset(vcpu);
+                if (kvm_vcpu_is_bsp(apic->vcpu))
+                        vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
+                else
+                        vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
+        }
+        if (test_and_clear_bit(KVM_APIC_SIPI, &apic->pending_events) &&
+            vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) {
+                /* evaluate pending_events before reading the vector */
+                smp_rmb();
+                sipi_vector = apic->sipi_vector;
+                pr_debug("vcpu %d received sipi with vector # %x\n",
+                         vcpu->vcpu_id, sipi_vector);
+                kvm_vcpu_deliver_sipi_vector(vcpu, sipi_vector);
+                vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
+        }
+}
 void kvm_lapic_init(void)
 {
        /* do not patch jump label more than once per second */
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index 1676d34ddb4e..c730ac9fe801 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -5,6 +5,9 @@
 #include <linux/kvm_host.h>
+#define KVM_APIC_INIT           0
+#define KVM_APIC_SIPI           1
 struct kvm_timer {
        struct hrtimer timer;
        s64 period;                             /* unit: ns */
@@ -32,6 +35,8 @@ struct kvm_lapic {
        void *regs;
        gpa_t vapic_addr;
        struct page *vapic_page;
+        unsigned long pending_events;
+        unsigned int sipi_vector;
 };
 int kvm_create_lapic(struct kvm_vcpu *vcpu);
 void kvm_free_lapic(struct kvm_vcpu *vcpu);
@@ -39,6 +44,7 @@ void kvm_free_lapic(struct kvm_vcpu *vcpu);
 int kvm_apic_has_interrupt(struct kvm_vcpu *vcpu);
 int kvm_apic_accept_pic_intr(struct kvm_vcpu *vcpu);
 int kvm_get_apic_interrupt(struct kvm_vcpu *vcpu);
+void kvm_apic_accept_events(struct kvm_vcpu *vcpu);
 void kvm_lapic_reset(struct kvm_vcpu *vcpu);
 u64 kvm_lapic_get_cr8(struct kvm_vcpu *vcpu);
 void kvm_lapic_set_tpr(struct kvm_vcpu *vcpu, unsigned long cr8);
@@ -47,13 +53,16 @@ void kvm_lapic_set_base(struct kvm_vcpu *vcpu, u64 value);
 u64 kvm_lapic_get_base(struct kvm_vcpu *vcpu);
 void kvm_apic_set_version(struct kvm_vcpu *vcpu);
+void kvm_apic_update_tmr(struct kvm_vcpu *vcpu, u32 *tmr);
+void kvm_apic_update_irr(struct kvm_vcpu *vcpu, u32 *pir);
 int kvm_apic_match_physical_addr(struct kvm_lapic *apic, u16 dest);
 int kvm_apic_match_logical_addr(struct kvm_lapic *apic, u8 mda);
-int kvm_apic_set_irq(struct kvm_vcpu *vcpu, struct kvm_lapic_irq *irq);
+int kvm_apic_set_irq(struct kvm_vcpu *vcpu, struct kvm_lapic_irq *irq,
+                unsigned long *dest_map);
 int kvm_apic_local_deliver(struct kvm_lapic *apic, int lvt_type);
 bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
-                struct kvm_lapic_irq *irq, int *r);
+                struct kvm_lapic_irq *irq, int *r, unsigned long *dest_map);
 u64 kvm_get_apic_base(struct kvm_vcpu *vcpu);
 void kvm_set_apic_base(struct kvm_vcpu *vcpu, u64 data);
@@ -154,8 +163,11 @@ static inline u16 apic_logical_id(struct kvm_apic_map *map, u32 ldr)
        return ldr & map->lid_mask;
 }
-void kvm_calculate_eoi_exitmap(struct kvm_vcpu *vcpu,
+static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
-                                struct kvm_lapic_irq *irq,
+{
-                                u64 *eoi_bitmap);
+        return vcpu->arch.apic->pending_events;
+}
+bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);
 #endif
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 956ca358108a..004cc87b781c 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -199,8 +199,11 @@ EXPORT_SYMBOL_GPL(kvm_mmu_set_mmio_spte_mask);
 static void mark_mmio_spte(u64 *sptep, u64 gfn, unsigned access)
 {
+        struct kvm_mmu_page *sp =  page_header(__pa(sptep));
        access &= ACC_WRITE_MASK | ACC_USER_MASK;
+        sp->mmio_cached = true;
        trace_mark_mmio_spte(sptep, gfn, access);
        mmu_spte_set(sptep, shadow_mmio_mask | access | gfn << PAGE_SHIFT);
 }
@@ -1502,6 +1505,7 @@ static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu,
                                               u64 *parent_pte, int direct)
 {
        struct kvm_mmu_page *sp;
        sp = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);
        sp->spt = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache);
        if (!direct)
@@ -1644,16 +1648,14 @@ static int kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                                    struct list_head *invalid_list);
-#define for_each_gfn_sp(kvm, sp, gfn)                                   \
+#define for_each_gfn_sp(_kvm, _sp, _gfn)                                \
-  hlist_for_each_entry(sp,                                              \
+        hlist_for_each_entry(_sp,                                       \
-   &(kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)], hash_link)   \
+          &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)], hash_link) \
-        if ((sp)->gfn != (gfn)) {} else
+                if ((_sp)->gfn != (_gfn)) {} else
-#define for_each_gfn_indirect_valid_sp(kvm, sp, gfn)                    \
+#define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn)                 \
-  hlist_for_each_entry(sp,                                              \
+        for_each_gfn_sp(_kvm, _sp, _gfn)                                \
-   &(kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)], hash_link)   \
+                if ((_sp)->role.direct || (_sp)->role.invalid) {} else
-                if ((sp)->gfn != (gfn) || (sp)->role.direct ||          \
-                        (sp)->role.invalid) {} else
 /* @sp->gfn should be write-protected at the call site */
 static int __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
@@ -2089,7 +2091,7 @@ static int kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                                    struct list_head *invalid_list)
 {
-        struct kvm_mmu_page *sp;
+        struct kvm_mmu_page *sp, *nsp;
        if (list_empty(invalid_list))
                return;
@@ -2106,11 +2108,25 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm,
         */
        kvm_flush_remote_tlbs(kvm);
-        do {
+        list_for_each_entry_safe(sp, nsp, invalid_list, link) {
-                sp = list_first_entry(invalid_list, struct kvm_mmu_page, link);
                WARN_ON(!sp->role.invalid || sp->root_count);
                kvm_mmu_free_page(sp);
-        } while (!list_empty(invalid_list));
+        }
+}
+static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
+                                        struct list_head *invalid_list)
+{
+        struct kvm_mmu_page *sp;
+        if (list_empty(&kvm->arch.active_mmu_pages))
+                return false;
+        sp = list_entry(kvm->arch.active_mmu_pages.prev,
+                        struct kvm_mmu_page, link);
+        kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
+        return true;
 }
 /*
@@ -2120,23 +2136,15 @@ static void kvm_mmu_commit_zap_page(struct kvm *kvm,
 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned int goal_nr_mmu_pages)
 {
        LIST_HEAD(invalid_list);
-        /*
-         * If we set the number of mmu pages to be smaller be than the
-         * number of actived pages , we must to free some mmu pages before we
-         * change the value
-         */
        spin_lock(&kvm->mmu_lock);
        if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
-                while (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages &&
+                /* Need to free some mmu pages to achieve the goal. */
-                        !list_empty(&kvm->arch.active_mmu_pages)) {
+                while (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages)
-                        struct kvm_mmu_page *page;
+                        if (!prepare_zap_oldest_mmu_page(kvm, &invalid_list))
+                                break;
-                        page = container_of(kvm->arch.active_mmu_pages.prev,
-                                            struct kvm_mmu_page, link);
-                        kvm_mmu_prepare_zap_page(kvm, page, &invalid_list);
-                }
                kvm_mmu_commit_zap_page(kvm, &invalid_list);
                goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
        }
@@ -2794,6 +2802,7 @@ exit:
 static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
                         gva_t gva, pfn_t *pfn, bool write, bool *writable);
+static void make_mmu_pages_available(struct kvm_vcpu *vcpu);
 static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
                         gfn_t gfn, bool prefault)
@@ -2835,7 +2844,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
                goto out_unlock;
-        kvm_mmu_free_some_pages(vcpu);
+        make_mmu_pages_available(vcpu);
        if (likely(!force_pt_level))
                transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
        r = __direct_map(vcpu, v, write, map_writable, level, gfn, pfn,
@@ -2913,7 +2922,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
        if (vcpu->arch.mmu.shadow_root_level == PT64_ROOT_LEVEL) {
                spin_lock(&vcpu->kvm->mmu_lock);
-                kvm_mmu_free_some_pages(vcpu);
+                make_mmu_pages_available(vcpu);
                sp = kvm_mmu_get_page(vcpu, 0, 0, PT64_ROOT_LEVEL,
                                      1, ACC_ALL, NULL);
                ++sp->root_count;
@@ -2925,7 +2934,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
                        ASSERT(!VALID_PAGE(root));
                        spin_lock(&vcpu->kvm->mmu_lock);
-                        kvm_mmu_free_some_pages(vcpu);
+                        make_mmu_pages_available(vcpu);
                        sp = kvm_mmu_get_page(vcpu, i << (30 - PAGE_SHIFT),
                                              i << 30,
                                              PT32_ROOT_LEVEL, 1, ACC_ALL,
@@ -2964,7 +2973,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
                ASSERT(!VALID_PAGE(root));
                spin_lock(&vcpu->kvm->mmu_lock);
-                kvm_mmu_free_some_pages(vcpu);
+                make_mmu_pages_available(vcpu);
                sp = kvm_mmu_get_page(vcpu, root_gfn, 0, PT64_ROOT_LEVEL,
                                      0, ACC_ALL, NULL);
                root = __pa(sp->spt);
@@ -2998,7 +3007,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
                                return 1;
                }
                spin_lock(&vcpu->kvm->mmu_lock);
-                kvm_mmu_free_some_pages(vcpu);
+                make_mmu_pages_available(vcpu);
                sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30,
                                      PT32_ROOT_LEVEL, 0,
                                      ACC_ALL, NULL);
@@ -3304,7 +3313,7 @@ static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
        spin_lock(&vcpu->kvm->mmu_lock);
        if (mmu_notifier_retry(vcpu->kvm, mmu_seq))
                goto out_unlock;
-        kvm_mmu_free_some_pages(vcpu);
+        make_mmu_pages_available(vcpu);
        if (likely(!force_pt_level))
                transparent_hugepage_adjust(vcpu, &gfn, &pfn, &level);
        r = __direct_map(vcpu, gpa, write, map_writable,
@@ -4006,17 +4015,17 @@ int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
 }
 EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page_virt);
-void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
+static void make_mmu_pages_available(struct kvm_vcpu *vcpu)
 {
        LIST_HEAD(invalid_list);
-        while (kvm_mmu_available_pages(vcpu->kvm) < KVM_REFILL_PAGES &&
+        if (likely(kvm_mmu_available_pages(vcpu->kvm) >= KVM_MIN_FREE_MMU_PAGES))
-               !list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
+                return;
-                struct kvm_mmu_page *sp;
+        while (kvm_mmu_available_pages(vcpu->kvm) < KVM_REFILL_PAGES) {
+                if (!prepare_zap_oldest_mmu_page(vcpu->kvm, &invalid_list))
+                        break;
-                sp = container_of(vcpu->kvm->arch.active_mmu_pages.prev,
-                                  struct kvm_mmu_page, link);
-                kvm_mmu_prepare_zap_page(vcpu->kvm, sp, &invalid_list);
                ++vcpu->kvm->stat.mmu_recycled;
        }
        kvm_mmu_commit_zap_page(vcpu->kvm, &invalid_list);
@@ -4185,17 +4194,22 @@ restart:
        spin_unlock(&kvm->mmu_lock);
 }
-static void kvm_mmu_remove_some_alloc_mmu_pages(struct kvm *kvm,
+void kvm_mmu_zap_mmio_sptes(struct kvm *kvm)
-                                                struct list_head *invalid_list)
 {
-        struct kvm_mmu_page *page;
+        struct kvm_mmu_page *sp, *node;
+        LIST_HEAD(invalid_list);
-        if (list_empty(&kvm->arch.active_mmu_pages))
+        spin_lock(&kvm->mmu_lock);
-                return;
+restart:
+        list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) {
+                if (!sp->mmio_cached)
+                        continue;
+                if (kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list))
+                        goto restart;
+        }
-        page = container_of(kvm->arch.active_mmu_pages.prev,
+        kvm_mmu_commit_zap_page(kvm, &invalid_list);
-                            struct kvm_mmu_page, link);
+        spin_unlock(&kvm->mmu_lock);
-        kvm_mmu_prepare_zap_page(kvm, page, invalid_list);
 }
 static int mmu_shrink(struct shrinker *shrink, struct shrink_control *sc)
@@ -4232,7 +4246,7 @@ static int mmu_shrink(struct shrinker *shrink, struct shrink_control *sc)
                idx = srcu_read_lock(&kvm->srcu);
                spin_lock(&kvm->mmu_lock);
-                kvm_mmu_remove_some_alloc_mmu_pages(kvm, &invalid_list);
+                prepare_zap_oldest_mmu_page(kvm, &invalid_list);
                kvm_mmu_commit_zap_page(kvm, &invalid_list);
                spin_unlock(&kvm->mmu_lock);
diff --git a/arch/x86/kvm/mmu.h b/arch/x86/kvm/mmu.h
index 69871080e866..2adcbc2cac6d 100644
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -57,14 +57,11 @@ int kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
 static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
 {
-        return kvm->arch.n_max_mmu_pages -
+        if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
-                kvm->arch.n_used_mmu_pages;
+                return kvm->arch.n_max_mmu_pages -
-}
+                        kvm->arch.n_used_mmu_pages;
-static inline void kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
+        return 0;
-{
-        if (unlikely(kvm_mmu_available_pages(vcpu->kvm)< KVM_MIN_FREE_MMU_PAGES))
-                __kvm_mmu_free_some_pages(vcpu);
 }
 static inline int kvm_mmu_reload(struct kvm_vcpu *vcpu)
diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 105dd5bd550e..da20860b457a 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -627,7 +627,7 @@ static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
                goto out_unlock;
        kvm_mmu_audit(vcpu, AUDIT_PRE_PAGE_FAULT);
-        kvm_mmu_free_some_pages(vcpu);
+        make_mmu_pages_available(vcpu);
        if (!force_pt_level)
                transparent_hugepage_adjust(vcpu, &walker.gfn, &pfn, &level);
        r = FNAME(fetch)(vcpu, addr, &walker, write_fault,
diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
index cfc258a6bf97..c53e797e7369 100644
--- a/arch/x86/kvm/pmu.c
+++ b/arch/x86/kvm/pmu.c
@@ -360,10 +360,12 @@ int kvm_pmu_get_msr(struct kvm_vcpu *vcpu, u32 index, u64 *data)
        return 1;
 }
-int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, u32 index, u64 data)
+int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 {
        struct kvm_pmu *pmu = &vcpu->arch.pmu;
        struct kvm_pmc *pmc;
+        u32 index = msr_info->index;
+        u64 data = msr_info->data;
        switch (index) {
        case MSR_CORE_PERF_FIXED_CTR_CTRL:
@@ -375,6 +377,10 @@ int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, u32 index, u64 data)
                }
                break;
        case MSR_CORE_PERF_GLOBAL_STATUS:
+                if (msr_info->host_initiated) {
+                        pmu->global_status = data;
+                        return 0;
+                }
                break; /* RO MSR */
        case MSR_CORE_PERF_GLOBAL_CTRL:
                if (pmu->global_ctrl == data)
@@ -386,7 +392,8 @@ int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, u32 index, u64 data)
                break;
        case MSR_CORE_PERF_GLOBAL_OVF_CTRL:
                if (!(data & (pmu->global_ctrl_mask & ~(3ull<<62)))) {
-                        pmu->global_status &= ~data;
+                        if (!msr_info->host_initiated)
+                                pmu->global_status &= ~data;
                        pmu->global_ovf_ctrl = data;
                        return 0;
                }
@@ -394,7 +401,8 @@ int kvm_pmu_set_msr(struct kvm_vcpu *vcpu, u32 index, u64 data)
        default:
                if ((pmc = get_gp_pmc(pmu, index, MSR_IA32_PERFCTR0)) ||
                                (pmc = get_fixed_pmc(pmu, index))) {
-                        data = (s64)(s32)data;
+                        if (!msr_info->host_initiated)
+                                data = (s64)(s32)data;
                        pmc->counter += data - read_pmc(pmc);
                        return 0;
                } else if ((pmc = get_gp_pmc(pmu, index, MSR_P6_EVNTSEL0))) {
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 7d39d70647e3..a14a6eaf871d 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1131,17 +1131,11 @@ static void init_vmcb(struct vcpu_svm *svm)
        init_seg(&save->gs);
        save->cs.selector = 0xf000;
+        save->cs.base = 0xffff0000;
        /* Executable/Readable Code Segment */
        save->cs.attrib = SVM_SELECTOR_READ_MASK | SVM_SELECTOR_P_MASK |
                SVM_SELECTOR_S_MASK | SVM_SELECTOR_CODE_MASK;
        save->cs.limit = 0xffff;
-        /*
-         * cs.base should really be 0xffff0000, but vmx can't handle that, so
-         * be consistent with it.
-         *
-         * Replace when we have real mode working for vmx.
-         */
-        save->cs.base = 0xf0000;
        save->gdtr.limit = 0xffff;
        save->idtr.limit = 0xffff;
@@ -1191,7 +1185,7 @@ static void init_vmcb(struct vcpu_svm *svm)
        enable_gif(svm);
 }
-static int svm_vcpu_reset(struct kvm_vcpu *vcpu)
+static void svm_vcpu_reset(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
        u32 dummy;
@@ -1199,16 +1193,8 @@ static int svm_vcpu_reset(struct kvm_vcpu *vcpu)
        init_vmcb(svm);
-        if (!kvm_vcpu_is_bsp(vcpu)) {
-                kvm_rip_write(vcpu, 0);
-                svm->vmcb->save.cs.base = svm->vcpu.arch.sipi_vector << 12;
-                svm->vmcb->save.cs.selector = svm->vcpu.arch.sipi_vector << 8;
-        }
        kvm_cpuid(vcpu, &eax, &dummy, &dummy, &dummy);
        kvm_register_write(vcpu, VCPU_REGS_RDX, eax);
-        return 0;
 }
 static struct kvm_vcpu *svm_create_vcpu(struct kvm *kvm, unsigned int id)
@@ -3487,7 +3473,7 @@ static int handle_exit(struct kvm_vcpu *vcpu)
            exit_code != SVM_EXIT_EXCP_BASE + PF_VECTOR &&
            exit_code != SVM_EXIT_NPF && exit_code != SVM_EXIT_TASK_SWITCH &&
            exit_code != SVM_EXIT_INTR && exit_code != SVM_EXIT_NMI)
-                printk(KERN_ERR "%s: unexpected exit_ini_info 0x%x "
+                printk(KERN_ERR "%s: unexpected exit_int_info 0x%x "
                       "exit_code 0x%x\n",
                       __func__, svm->vmcb->control.exit_int_info,
                       exit_code);
@@ -3591,6 +3577,11 @@ static void svm_hwapic_isr_update(struct kvm *kvm, int isr)
        return;
 }
+static void svm_sync_pir_to_irr(struct kvm_vcpu *vcpu)
+{
+        return;
+}
 static int svm_nmi_allowed(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
@@ -3641,7 +3632,7 @@ static int svm_interrupt_allowed(struct kvm_vcpu *vcpu)
        return ret;
 }
-static void enable_irq_window(struct kvm_vcpu *vcpu)
+static int enable_irq_window(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
@@ -3655,15 +3646,16 @@ static void enable_irq_window(struct kvm_vcpu *vcpu)
                svm_set_vintr(svm);
                svm_inject_irq(svm, 0x0);
        }
+        return 0;
 }
-static void enable_nmi_window(struct kvm_vcpu *vcpu)
+static int enable_nmi_window(struct kvm_vcpu *vcpu)
 {
        struct vcpu_svm *svm = to_svm(vcpu);
        if ((svm->vcpu.arch.hflags & (HF_NMI_MASK | HF_IRET_MASK))
            == HF_NMI_MASK)
-                return; /* IRET will cause a vm exit */
+                return 0; /* IRET will cause a vm exit */
        /*
         * Something prevents NMI from been injected. Single step over possible
@@ -3672,6 +3664,7 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
        svm->nmi_singlestep = true;
        svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
        update_db_bp_intercept(vcpu);
+        return 0;
 }
 static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
@@ -4247,6 +4240,11 @@ out:
        return ret;
 }
+static void svm_handle_external_intr(struct kvm_vcpu *vcpu)
+{
+        local_irq_enable();
+}
 static struct kvm_x86_ops svm_x86_ops = {
        .cpu_has_kvm_support = has_svm,
        .disabled_by_bios = is_disabled,
@@ -4314,6 +4312,7 @@ static struct kvm_x86_ops svm_x86_ops = {
        .vm_has_apicv = svm_vm_has_apicv,
        .load_eoi_exitmap = svm_load_eoi_exitmap,
        .hwapic_isr_update = svm_hwapic_isr_update,
+        .sync_pir_to_irr = svm_sync_pir_to_irr,
        .set_tss_addr = svm_set_tss_addr,
        .get_tdp_level = get_npt_level,
@@ -4342,6 +4341,7 @@ static struct kvm_x86_ops svm_x86_ops = {
        .set_tdp_cr3 = set_tdp_cr3,
        .check_intercept = svm_check_intercept,
+        .handle_external_intr = svm_handle_external_intr,
 };
 static int __init svm_init(void)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 867b81037f96..25a791ed21c8 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -84,8 +84,11 @@ module_param(vmm_exclusive, bool, S_IRUGO);
 static bool __read_mostly fasteoi = 1;
 module_param(fasteoi, bool, S_IRUGO);
-static bool __read_mostly enable_apicv_reg_vid;
+static bool __read_mostly enable_apicv = 1;
+module_param(enable_apicv, bool, S_IRUGO);
+static bool __read_mostly enable_shadow_vmcs = 1;
+module_param_named(enable_shadow_vmcs, enable_shadow_vmcs, bool, S_IRUGO);
 /*
 * If nested=1, nested virtualization is supported, i.e., guests may use
 * VMX and be a hypervisor for its own guests. If nested=0, guests may not
@@ -298,7 +301,8 @@ struct __packed vmcs12 {
        u32 guest_activity_state;
        u32 guest_sysenter_cs;
        u32 host_ia32_sysenter_cs;
-        u32 padding32[8]; /* room for future expansion */
+        u32 vmx_preemption_timer_value;
+        u32 padding32[7]; /* room for future expansion */
        u16 virtual_processor_id;
        u16 guest_es_selector;
        u16 guest_cs_selector;
@@ -351,6 +355,12 @@ struct nested_vmx {
        /* The host-usable pointer to the above */
        struct page *current_vmcs12_page;
        struct vmcs12 *current_vmcs12;
+        struct vmcs *current_shadow_vmcs;
+        /*
+         * Indicates if the shadow vmcs must be updated with the
+         * data hold by vmcs12
+         */
+        bool sync_shadow_vmcs;
        /* vmcs02_list cache of VMCSs recently used to run L2 guests */
        struct list_head vmcs02_pool;
@@ -365,6 +375,31 @@ struct nested_vmx {
        struct page *apic_access_page;
 };
+#define POSTED_INTR_ON  0
+/* Posted-Interrupt Descriptor */
+struct pi_desc {
+        u32 pir[8];     /* Posted interrupt requested */
+        u32 control;    /* bit 0 of control is outstanding notification bit */
+        u32 rsvd[7];
+} __aligned(64);
+static bool pi_test_and_set_on(struct pi_desc *pi_desc)
+{
+        return test_and_set_bit(POSTED_INTR_ON,
+                        (unsigned long *)&pi_desc->control);
+}
+static bool pi_test_and_clear_on(struct pi_desc *pi_desc)
+{
+        return test_and_clear_bit(POSTED_INTR_ON,
+                        (unsigned long *)&pi_desc->control);
+}
+static int pi_test_and_set_pir(int vector, struct pi_desc *pi_desc)
+{
+        return test_and_set_bit(vector, (unsigned long *)pi_desc->pir);
+}
 struct vcpu_vmx {
        struct kvm_vcpu       vcpu;
        unsigned long         host_rsp;
@@ -377,6 +412,7 @@ struct vcpu_vmx {
        struct shared_msr_entry *guest_msrs;
        int                   nmsrs;
        int                   save_nmsrs;
+        unsigned long         host_idt_base;
 #ifdef CONFIG_X86_64
        u64                   msr_host_kernel_gs_base;
        u64                   msr_guest_kernel_gs_base;
@@ -428,6 +464,9 @@ struct vcpu_vmx {
        bool rdtscp_enabled;
+        /* Posted interrupt descriptor */
+        struct pi_desc pi_desc;
        /* Support for a guest hypervisor (nested VMX) */
        struct nested_vmx nested;
 };
@@ -451,6 +490,64 @@ static inline struct vcpu_vmx *to_vmx(struct kvm_vcpu *vcpu)
 #define FIELD64(number, name)   [number] = VMCS12_OFFSET(name), \
                                [number##_HIGH] = VMCS12_OFFSET(name)+4
+static const unsigned long shadow_read_only_fields[] = {
+        /*
+         * We do NOT shadow fields that are modified when L0
+         * traps and emulates any vmx instruction (e.g. VMPTRLD,
+         * VMXON...) executed by L1.
+         * For example, VM_INSTRUCTION_ERROR is read
+         * by L1 if a vmx instruction fails (part of the error path).
+         * Note the code assumes this logic. If for some reason
+         * we start shadowing these fields then we need to
+         * force a shadow sync when L0 emulates vmx instructions
+         * (e.g. force a sync if VM_INSTRUCTION_ERROR is modified
+         * by nested_vmx_failValid)
+         */
+        VM_EXIT_REASON,
+        VM_EXIT_INTR_INFO,
+        VM_EXIT_INSTRUCTION_LEN,
+        IDT_VECTORING_INFO_FIELD,
+        IDT_VECTORING_ERROR_CODE,
+        VM_EXIT_INTR_ERROR_CODE,
+        EXIT_QUALIFICATION,
+        GUEST_LINEAR_ADDRESS,
+        GUEST_PHYSICAL_ADDRESS
+};
+static const int max_shadow_read_only_fields =
+        ARRAY_SIZE(shadow_read_only_fields);
+static const unsigned long shadow_read_write_fields[] = {
+        GUEST_RIP,
+        GUEST_RSP,
+        GUEST_CR0,
+        GUEST_CR3,
+        GUEST_CR4,
+        GUEST_INTERRUPTIBILITY_INFO,
+        GUEST_RFLAGS,
+        GUEST_CS_SELECTOR,
+        GUEST_CS_AR_BYTES,
+        GUEST_CS_LIMIT,
+        GUEST_CS_BASE,
+        GUEST_ES_BASE,
+        CR0_GUEST_HOST_MASK,
+        CR0_READ_SHADOW,
+        CR4_READ_SHADOW,
+        TSC_OFFSET,
+        EXCEPTION_BITMAP,
+        CPU_BASED_VM_EXEC_CONTROL,
+        VM_ENTRY_EXCEPTION_ERROR_CODE,
+        VM_ENTRY_INTR_INFO_FIELD,
+        VM_ENTRY_INSTRUCTION_LEN,
+        VM_ENTRY_EXCEPTION_ERROR_CODE,
+        HOST_FS_BASE,
+        HOST_GS_BASE,
+        HOST_FS_SELECTOR,
+        HOST_GS_SELECTOR
+};
+static const int max_shadow_read_write_fields =
+        ARRAY_SIZE(shadow_read_write_fields);
 static const unsigned short vmcs_field_to_offset_table[] = {
        FIELD(VIRTUAL_PROCESSOR_ID, virtual_processor_id),
        FIELD(GUEST_ES_SELECTOR, guest_es_selector),
@@ -537,6 +634,7 @@ static const unsigned short vmcs_field_to_offset_table[] = {
        FIELD(GUEST_ACTIVITY_STATE, guest_activity_state),
        FIELD(GUEST_SYSENTER_CS, guest_sysenter_cs),
        FIELD(HOST_IA32_SYSENTER_CS, host_ia32_sysenter_cs),
+        FIELD(VMX_PREEMPTION_TIMER_VALUE, vmx_preemption_timer_value),
        FIELD(CR0_GUEST_HOST_MASK, cr0_guest_host_mask),
        FIELD(CR4_GUEST_HOST_MASK, cr4_guest_host_mask),
        FIELD(CR0_READ_SHADOW, cr0_read_shadow),
@@ -624,6 +722,9 @@ static void vmx_get_segment(struct kvm_vcpu *vcpu,
                            struct kvm_segment *var, int seg);
 static bool guest_state_valid(struct kvm_vcpu *vcpu);
 static u32 vmx_segment_access_rights(struct kvm_segment *var);
+static void vmx_sync_pir_to_irr_dummy(struct kvm_vcpu *vcpu);
+static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx);
+static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
 static DEFINE_PER_CPU(struct vmcs *, vmxarea);
 static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
@@ -640,6 +741,8 @@ static unsigned long *vmx_msr_bitmap_legacy;
 static unsigned long *vmx_msr_bitmap_longmode;
 static unsigned long *vmx_msr_bitmap_legacy_x2apic;
 static unsigned long *vmx_msr_bitmap_longmode_x2apic;
+static unsigned long *vmx_vmread_bitmap;
+static unsigned long *vmx_vmwrite_bitmap;
 static bool cpu_has_load_ia32_efer;
 static bool cpu_has_load_perf_global_ctrl;
@@ -782,6 +885,18 @@ static inline bool cpu_has_vmx_virtual_intr_delivery(void)
                SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
 }
+static inline bool cpu_has_vmx_posted_intr(void)
+{
+        return vmcs_config.pin_based_exec_ctrl & PIN_BASED_POSTED_INTR;
+}
+static inline bool cpu_has_vmx_apicv(void)
+{
+        return cpu_has_vmx_apic_register_virt() &&
+                cpu_has_vmx_virtual_intr_delivery() &&
+                cpu_has_vmx_posted_intr();
+}
 static inline bool cpu_has_vmx_flexpriority(void)
 {
        return cpu_has_vmx_tpr_shadow() &&
@@ -895,6 +1010,18 @@ static inline bool cpu_has_vmx_wbinvd_exit(void)
                SECONDARY_EXEC_WBINVD_EXITING;
 }
+static inline bool cpu_has_vmx_shadow_vmcs(void)
+{
+        u64 vmx_msr;
+        rdmsrl(MSR_IA32_VMX_MISC, vmx_msr);
+        /* check if the cpu supports writing r/o exit information fields */
+        if (!(vmx_msr & MSR_IA32_VMX_MISC_VMWRITE_SHADOW_RO_FIELDS))
+                return false;
+        return vmcs_config.cpu_based_2nd_exec_ctrl &
+                SECONDARY_EXEC_SHADOW_VMCS;
+}
 static inline bool report_flexpriority(void)
 {
        return flexpriority_enabled;
@@ -1790,7 +1917,7 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu, unsigned nr,
        u32 intr_info = nr | INTR_INFO_VALID_MASK;
        if (nr == PF_VECTOR && is_guest_mode(vcpu) &&
-                nested_pf_handled(vcpu))
+            !vmx->nested.nested_run_pending && nested_pf_handled(vcpu))
                return;
        if (has_error_code) {
@@ -2022,6 +2149,7 @@ static u32 nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high;
 static u32 nested_vmx_pinbased_ctls_low, nested_vmx_pinbased_ctls_high;
 static u32 nested_vmx_exit_ctls_low, nested_vmx_exit_ctls_high;
 static u32 nested_vmx_entry_ctls_low, nested_vmx_entry_ctls_high;
+static u32 nested_vmx_misc_low, nested_vmx_misc_high;
 static __init void nested_vmx_setup_ctls_msrs(void)
 {
        /*
@@ -2040,30 +2168,40 @@ static __init void nested_vmx_setup_ctls_msrs(void)
         */
        /* pin-based controls */
+        rdmsr(MSR_IA32_VMX_PINBASED_CTLS,
+              nested_vmx_pinbased_ctls_low, nested_vmx_pinbased_ctls_high);
        /*
         * According to the Intel spec, if bit 55 of VMX_BASIC is off (as it is
         * in our case), bits 1, 2 and 4 (i.e., 0x16) must be 1 in this MSR.
         */
-        nested_vmx_pinbased_ctls_low = 0x16 ;
+        nested_vmx_pinbased_ctls_low |= PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
-        nested_vmx_pinbased_ctls_high = 0x16 |
+        nested_vmx_pinbased_ctls_high &= PIN_BASED_EXT_INTR_MASK |
-                PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING |
+                PIN_BASED_NMI_EXITING | PIN_BASED_VIRTUAL_NMIS |
-                PIN_BASED_VIRTUAL_NMIS;
+                PIN_BASED_VMX_PREEMPTION_TIMER;
+        nested_vmx_pinbased_ctls_high |= PIN_BASED_ALWAYSON_WITHOUT_TRUE_MSR;
-        /* exit controls */
+        /*
-        nested_vmx_exit_ctls_low = 0;
+         * Exit controls
+         * If bit 55 of VMX_BASIC is off, bits 0-8 and 10, 11, 13, 14, 16 and
+         * 17 must be 1.
+         */
+        nested_vmx_exit_ctls_low = VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR;
        /* Note that guest use of VM_EXIT_ACK_INTR_ON_EXIT is not supported. */
 #ifdef CONFIG_X86_64
        nested_vmx_exit_ctls_high = VM_EXIT_HOST_ADDR_SPACE_SIZE;
 #else
        nested_vmx_exit_ctls_high = 0;
 #endif
+        nested_vmx_exit_ctls_high |= VM_EXIT_ALWAYSON_WITHOUT_TRUE_MSR;
        /* entry controls */
        rdmsr(MSR_IA32_VMX_ENTRY_CTLS,
                nested_vmx_entry_ctls_low, nested_vmx_entry_ctls_high);
-        nested_vmx_entry_ctls_low = 0;
+        /* If bit 55 of VMX_BASIC is off, bits 0-8 and 12 must be 1. */
+        nested_vmx_entry_ctls_low = VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR;
        nested_vmx_entry_ctls_high &=
                VM_ENTRY_LOAD_IA32_PAT | VM_ENTRY_IA32E_MODE;
+        nested_vmx_entry_ctls_high |= VM_ENTRY_ALWAYSON_WITHOUT_TRUE_MSR;
        /* cpu-based controls */
        rdmsr(MSR_IA32_VMX_PROCBASED_CTLS,
@@ -2080,6 +2218,7 @@ static __init void nested_vmx_setup_ctls_msrs(void)
                CPU_BASED_MOV_DR_EXITING | CPU_BASED_UNCOND_IO_EXITING |
                CPU_BASED_USE_IO_BITMAPS | CPU_BASED_MONITOR_EXITING |
                CPU_BASED_RDPMC_EXITING | CPU_BASED_RDTSC_EXITING |
+                CPU_BASED_PAUSE_EXITING |
                CPU_BASED_ACTIVATE_SECONDARY_CONTROLS;
        /*
         * We can allow some features even when not supported by the
@@ -2094,7 +2233,14 @@ static __init void nested_vmx_setup_ctls_msrs(void)
                nested_vmx_secondary_ctls_low, nested_vmx_secondary_ctls_high);
        nested_vmx_secondary_ctls_low = 0;
        nested_vmx_secondary_ctls_high &=
-                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES;
+                SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
+                SECONDARY_EXEC_WBINVD_EXITING;
+        /* miscellaneous data */
+        rdmsr(MSR_IA32_VMX_MISC, nested_vmx_misc_low, nested_vmx_misc_high);
+        nested_vmx_misc_low &= VMX_MISC_PREEMPTION_TIMER_RATE_MASK |
+                VMX_MISC_SAVE_EFER_LMA;
+        nested_vmx_misc_high = 0;
 }
 static inline bool vmx_control_verify(u32 control, u32 low, u32 high)
@@ -2165,7 +2311,8 @@ static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
                                        nested_vmx_entry_ctls_high);
                break;
        case MSR_IA32_VMX_MISC:
-                *pdata = 0;
+                *pdata = vmx_control_msr(nested_vmx_misc_low,
+                                         nested_vmx_misc_high);
                break;
        /*
         * These MSRs specify bits which the guest must keep fixed (on or off)
@@ -2529,12 +2676,6 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
        u32 _vmexit_control = 0;
        u32 _vmentry_control = 0;
-        min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING;
-        opt = PIN_BASED_VIRTUAL_NMIS;
-        if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS,
-                                &_pin_based_exec_control) < 0)
-                return -EIO;
        min = CPU_BASED_HLT_EXITING |
 #ifdef CONFIG_X86_64
              CPU_BASED_CR8_LOAD_EXITING |
@@ -2573,7 +2714,8 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
                        SECONDARY_EXEC_RDTSCP |
                        SECONDARY_EXEC_ENABLE_INVPCID |
                        SECONDARY_EXEC_APIC_REGISTER_VIRT |
-                        SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY;
+                        SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
+                        SECONDARY_EXEC_SHADOW_VMCS;
                if (adjust_vmx_controls(min2, opt2,
                                        MSR_IA32_VMX_PROCBASED_CTLS2,
                                        &_cpu_based_2nd_exec_control) < 0)
@@ -2605,11 +2747,23 @@ static __init int setup_vmcs_config(struct vmcs_config *vmcs_conf)
 #ifdef CONFIG_X86_64
        min |= VM_EXIT_HOST_ADDR_SPACE_SIZE;
 #endif
-        opt = VM_EXIT_SAVE_IA32_PAT | VM_EXIT_LOAD_IA32_PAT;
+        opt = VM_EXIT_SAVE_IA32_PAT | VM_EXIT_LOAD_IA32_PAT |
+                VM_EXIT_ACK_INTR_ON_EXIT;
        if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_EXIT_CTLS,
                                &_vmexit_control) < 0)
                return -EIO;
+        min = PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING;
+        opt = PIN_BASED_VIRTUAL_NMIS | PIN_BASED_POSTED_INTR;
+        if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_PINBASED_CTLS,
+                                &_pin_based_exec_control) < 0)
+                return -EIO;
+        if (!(_cpu_based_2nd_exec_control &
+                SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY) ||
+                !(_vmexit_control & VM_EXIT_ACK_INTR_ON_EXIT))
+                _pin_based_exec_control &= ~PIN_BASED_POSTED_INTR;
        min = 0;
        opt = VM_ENTRY_LOAD_IA32_PAT;
        if (adjust_vmx_controls(min, opt, MSR_IA32_VMX_ENTRY_CTLS,
@@ -2762,6 +2916,8 @@ static __init int hardware_setup(void)
        if (!cpu_has_vmx_vpid())
                enable_vpid = 0;
+        if (!cpu_has_vmx_shadow_vmcs())
+                enable_shadow_vmcs = 0;
        if (!cpu_has_vmx_ept() ||
            !cpu_has_vmx_ept_4levels()) {
@@ -2788,14 +2944,16 @@ static __init int hardware_setup(void)
        if (!cpu_has_vmx_ple())
                ple_gap = 0;
-        if (!cpu_has_vmx_apic_register_virt() ||
+        if (!cpu_has_vmx_apicv())
-                                !cpu_has_vmx_virtual_intr_delivery())
+                enable_apicv = 0;
-                enable_apicv_reg_vid = 0;
-        if (enable_apicv_reg_vid)
+        if (enable_apicv)
                kvm_x86_ops->update_cr8_intercept = NULL;
-        else
+        else {
                kvm_x86_ops->hwapic_irr_update = NULL;
+                kvm_x86_ops->deliver_posted_interrupt = NULL;
+                kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
+        }
        if (nested)
                nested_vmx_setup_ctls_msrs();
@@ -2876,22 +3034,6 @@ static void enter_pmode(struct kvm_vcpu *vcpu)
        vmx->cpl = 0;
 }
-static gva_t rmode_tss_base(struct kvm *kvm)
-{
-        if (!kvm->arch.tss_addr) {
-                struct kvm_memslots *slots;
-                struct kvm_memory_slot *slot;
-                gfn_t base_gfn;
-                slots = kvm_memslots(kvm);
-                slot = id_to_memslot(slots, 0);
-                base_gfn = slot->base_gfn + slot->npages - 3;
-                return base_gfn << PAGE_SHIFT;
-        }
-        return kvm->arch.tss_addr;
-}
 static void fix_rmode_seg(int seg, struct kvm_segment *save)
 {
        const struct kvm_vmx_segment_field *sf = &kvm_vmx_segment_fields[seg];
@@ -2942,19 +3084,15 @@ static void enter_rmode(struct kvm_vcpu *vcpu)
        /*
         * Very old userspace does not call KVM_SET_TSS_ADDR before entering
-         * vcpu. Call it here with phys address pointing 16M below 4G.
+         * vcpu. Warn the user that an update is overdue.
         */
-        if (!vcpu->kvm->arch.tss_addr) {
+        if (!vcpu->kvm->arch.tss_addr)
                printk_once(KERN_WARNING "kvm: KVM_SET_TSS_ADDR need to be "
                             "called before entering vcpu\n");
-                srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
-                vmx_set_tss_addr(vcpu->kvm, 0xfeffd000);
-                vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
-        }
        vmx_segment_cache_clear(vmx);
-        vmcs_writel(GUEST_TR_BASE, rmode_tss_base(vcpu->kvm));
+        vmcs_writel(GUEST_TR_BASE, vcpu->kvm->arch.tss_addr);
        vmcs_write32(GUEST_TR_LIMIT, RMODE_TSS_SIZE - 1);
        vmcs_write32(GUEST_TR_AR_BYTES, 0x008b);
@@ -3214,7 +3352,9 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
                 */
                if (!nested_vmx_allowed(vcpu))
                        return 1;
-        } else if (to_vmx(vcpu)->nested.vmxon)
+        }
+        if (to_vmx(vcpu)->nested.vmxon &&
+            ((cr4 & VMXON_CR4_ALWAYSON) != VMXON_CR4_ALWAYSON))
                return 1;
        vcpu->arch.cr4 = cr4;
@@ -3550,7 +3690,7 @@ static bool guest_state_valid(struct kvm_vcpu *vcpu)
                return true;
        /* real mode guest state checks */
-        if (!is_protmode(vcpu)) {
+        if (!is_protmode(vcpu) || (vmx_get_rflags(vcpu) & X86_EFLAGS_VM)) {
                if (!rmode_segment_valid(vcpu, VCPU_SREG_CS))
                        return false;
                if (!rmode_segment_valid(vcpu, VCPU_SREG_SS))
@@ -3599,7 +3739,7 @@ static int init_rmode_tss(struct kvm *kvm)
        int r, idx, ret = 0;
        idx = srcu_read_lock(&kvm->srcu);
-        fn = rmode_tss_base(kvm) >> PAGE_SHIFT;
+        fn = kvm->arch.tss_addr >> PAGE_SHIFT;
        r = kvm_clear_guest_page(kvm, fn, 0, PAGE_SIZE);
        if (r < 0)
                goto out;
@@ -3692,7 +3832,7 @@ static int alloc_apic_access_page(struct kvm *kvm)
        kvm_userspace_mem.flags = 0;
        kvm_userspace_mem.guest_phys_addr = 0xfee00000ULL;
        kvm_userspace_mem.memory_size = PAGE_SIZE;
-        r = __kvm_set_memory_region(kvm, &kvm_userspace_mem, false);
+        r = __kvm_set_memory_region(kvm, &kvm_userspace_mem);
        if (r)
                goto out;
@@ -3722,7 +3862,7 @@ static int alloc_identity_pagetable(struct kvm *kvm)
        kvm_userspace_mem.guest_phys_addr =
                kvm->arch.ept_identity_map_addr;
        kvm_userspace_mem.memory_size = PAGE_SIZE;
-        r = __kvm_set_memory_region(kvm, &kvm_userspace_mem, false);
+        r = __kvm_set_memory_region(kvm, &kvm_userspace_mem);
        if (r)
                goto out;
@@ -3869,13 +4009,59 @@ static void vmx_disable_intercept_msr_write_x2apic(u32 msr)
                        msr, MSR_TYPE_W);
 }
+static int vmx_vm_has_apicv(struct kvm *kvm)
+{
+        return enable_apicv && irqchip_in_kernel(kvm);
+}
+/*
+ * Send interrupt to vcpu via posted interrupt way.
+ * 1. If target vcpu is running(non-root mode), send posted interrupt
+ * notification to vcpu and hardware will sync PIR to vIRR atomically.
+ * 2. If target vcpu isn't running(root mode), kick it to pick up the
+ * interrupt from PIR in next vmentry.
+ */
+static void vmx_deliver_posted_interrupt(struct kvm_vcpu *vcpu, int vector)
+{
+        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        int r;
+        if (pi_test_and_set_pir(vector, &vmx->pi_desc))
+                return;
+        r = pi_test_and_set_on(&vmx->pi_desc);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
+#ifdef CONFIG_SMP
+        if (!r && (vcpu->mode == IN_GUEST_MODE))
+                apic->send_IPI_mask(get_cpu_mask(vcpu->cpu),
+                                POSTED_INTR_VECTOR);
+        else
+#endif
+                kvm_vcpu_kick(vcpu);
+}
+static void vmx_sync_pir_to_irr(struct kvm_vcpu *vcpu)
+{
+        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        if (!pi_test_and_clear_on(&vmx->pi_desc))
+                return;
+        kvm_apic_update_irr(vcpu, vmx->pi_desc.pir);
+}
+static void vmx_sync_pir_to_irr_dummy(struct kvm_vcpu *vcpu)
+{
+        return;
+}
 /*
 * Set up the vmcs's constant host-state fields, i.e., host-state fields that
 * will not change in the lifetime of the guest.
 * Note that host-state that does change is set elsewhere. E.g., host-state
 * that is set differently for each CPU is set in vmx_vcpu_load(), not here.
 */
-static void vmx_set_constant_host_state(void)
+static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
 {
        u32 low32, high32;
        unsigned long tmpl;
@@ -3903,6 +4089,7 @@ static void vmx_set_constant_host_state(void)
        native_store_idt(&dt);
        vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
+        vmx->host_idt_base = dt.address;
        vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
@@ -3928,6 +4115,15 @@ static void set_cr4_guest_host_mask(struct vcpu_vmx *vmx)
        vmcs_writel(CR4_GUEST_HOST_MASK, ~vmx->vcpu.arch.cr4_guest_owned_bits);
 }
+static u32 vmx_pin_based_exec_ctrl(struct vcpu_vmx *vmx)
+{
+        u32 pin_based_exec_ctrl = vmcs_config.pin_based_exec_ctrl;
+        if (!vmx_vm_has_apicv(vmx->vcpu.kvm))
+                pin_based_exec_ctrl &= ~PIN_BASED_POSTED_INTR;
+        return pin_based_exec_ctrl;
+}
 static u32 vmx_exec_control(struct vcpu_vmx *vmx)
 {
        u32 exec_control = vmcs_config.cpu_based_exec_ctrl;
@@ -3945,11 +4141,6 @@ static u32 vmx_exec_control(struct vcpu_vmx *vmx)
        return exec_control;
 }
-static int vmx_vm_has_apicv(struct kvm *kvm)
-{
-        return enable_apicv_reg_vid && irqchip_in_kernel(kvm);
-}
 static u32 vmx_secondary_exec_control(struct vcpu_vmx *vmx)
 {
        u32 exec_control = vmcs_config.cpu_based_2nd_exec_ctrl;
@@ -3971,6 +4162,12 @@ static u32 vmx_secondary_exec_control(struct vcpu_vmx *vmx)
                exec_control &= ~(SECONDARY_EXEC_APIC_REGISTER_VIRT |
                                  SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
        exec_control &= ~SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE;
+        /* SECONDARY_EXEC_SHADOW_VMCS is enabled when L1 executes VMPTRLD
+           (handle_vmptrld).
+           We can NOT enable shadow_vmcs here because we don't have yet
+           a current VMCS12
+        */
+        exec_control &= ~SECONDARY_EXEC_SHADOW_VMCS;
        return exec_control;
 }
@@ -3999,14 +4196,17 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
        vmcs_write64(IO_BITMAP_A, __pa(vmx_io_bitmap_a));
        vmcs_write64(IO_BITMAP_B, __pa(vmx_io_bitmap_b));
+        if (enable_shadow_vmcs) {
+                vmcs_write64(VMREAD_BITMAP, __pa(vmx_vmread_bitmap));
+                vmcs_write64(VMWRITE_BITMAP, __pa(vmx_vmwrite_bitmap));
+        }
        if (cpu_has_vmx_msr_bitmap())
                vmcs_write64(MSR_BITMAP, __pa(vmx_msr_bitmap_legacy));
        vmcs_write64(VMCS_LINK_POINTER, -1ull); /* 22.3.1.5 */
        /* Control */
-        vmcs_write32(PIN_BASED_VM_EXEC_CONTROL,
+        vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx));
-                vmcs_config.pin_based_exec_ctrl);
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, vmx_exec_control(vmx));
@@ -4015,13 +4215,16 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
                                vmx_secondary_exec_control(vmx));
        }
-        if (enable_apicv_reg_vid) {
+        if (vmx_vm_has_apicv(vmx->vcpu.kvm)) {
                vmcs_write64(EOI_EXIT_BITMAP0, 0);
                vmcs_write64(EOI_EXIT_BITMAP1, 0);
                vmcs_write64(EOI_EXIT_BITMAP2, 0);
                vmcs_write64(EOI_EXIT_BITMAP3, 0);
                vmcs_write16(GUEST_INTR_STATUS, 0);
+                vmcs_write64(POSTED_INTR_NV, POSTED_INTR_VECTOR);
+                vmcs_write64(POSTED_INTR_DESC_ADDR, __pa((&vmx->pi_desc)));
        }
        if (ple_gap) {
@@ -4035,7 +4238,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
        vmcs_write16(HOST_FS_SELECTOR, 0);            /* 22.2.4 */
        vmcs_write16(HOST_GS_SELECTOR, 0);            /* 22.2.4 */
-        vmx_set_constant_host_state();
+        vmx_set_constant_host_state(vmx);
 #ifdef CONFIG_X86_64
        rdmsrl(MSR_FS_BASE, a);
        vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */
@@ -4089,11 +4292,10 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
        return 0;
 }
-static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
+static void vmx_vcpu_reset(struct kvm_vcpu *vcpu)
 {
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        u64 msr;
-        int ret;
        vmx->rmode.vm86_active = 0;
@@ -4109,12 +4311,8 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        vmx_segment_cache_clear(vmx);
        seg_setup(VCPU_SREG_CS);
-        if (kvm_vcpu_is_bsp(&vmx->vcpu))
+        vmcs_write16(GUEST_CS_SELECTOR, 0xf000);
-                vmcs_write16(GUEST_CS_SELECTOR, 0xf000);
+        vmcs_write32(GUEST_CS_BASE, 0xffff0000);
-        else {
-                vmcs_write16(GUEST_CS_SELECTOR, vmx->vcpu.arch.sipi_vector << 8);
-                vmcs_writel(GUEST_CS_BASE, vmx->vcpu.arch.sipi_vector << 12);
-        }
        seg_setup(VCPU_SREG_DS);
        seg_setup(VCPU_SREG_ES);
@@ -4137,10 +4335,7 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
        vmcs_writel(GUEST_SYSENTER_EIP, 0);
        vmcs_writel(GUEST_RFLAGS, 0x02);
-        if (kvm_vcpu_is_bsp(&vmx->vcpu))
+        kvm_rip_write(vcpu, 0xfff0);
-                kvm_rip_write(vcpu, 0xfff0);
-        else
-                kvm_rip_write(vcpu, 0);
        vmcs_writel(GUEST_GDTR_BASE, 0);
        vmcs_write32(GUEST_GDTR_LIMIT, 0xffff);
@@ -4171,23 +4366,20 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
                vmcs_write64(APIC_ACCESS_ADDR,
                             page_to_phys(vmx->vcpu.kvm->arch.apic_access_page));
+        if (vmx_vm_has_apicv(vcpu->kvm))
+                memset(&vmx->pi_desc, 0, sizeof(struct pi_desc));
        if (vmx->vpid != 0)
                vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
        vmx->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
-        vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
        vmx_set_cr0(&vmx->vcpu, kvm_read_cr0(vcpu)); /* enter rmode */
-        srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
        vmx_set_cr4(&vmx->vcpu, 0);
        vmx_set_efer(&vmx->vcpu, 0);
        vmx_fpu_activate(&vmx->vcpu);
        update_exception_bitmap(&vmx->vcpu);
        vpid_sync_context(vmx);
-        ret = 0;
-        return ret;
 }
 /*
@@ -4200,40 +4392,45 @@ static bool nested_exit_on_intr(struct kvm_vcpu *vcpu)
                PIN_BASED_EXT_INTR_MASK;
 }
-static void enable_irq_window(struct kvm_vcpu *vcpu)
+static bool nested_exit_on_nmi(struct kvm_vcpu *vcpu)
+{
+        return get_vmcs12(vcpu)->pin_based_vm_exec_control &
+                PIN_BASED_NMI_EXITING;
+}
+static int enable_irq_window(struct kvm_vcpu *vcpu)
 {
        u32 cpu_based_vm_exec_control;
-        if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) {
+        if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu))
                /*
                 * We get here if vmx_interrupt_allowed() said we can't
-                 * inject to L1 now because L2 must run. Ask L2 to exit
+                 * inject to L1 now because L2 must run. The caller will have
-                 * right after entry, so we can inject to L1 more promptly.
+                 * to make L2 exit right after entry, so we can inject to L1
+                 * more promptly.
                 */
-                kvm_make_request(KVM_REQ_IMMEDIATE_EXIT, vcpu);
+                return -EBUSY;
-                return;
-        }
        cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
        cpu_based_vm_exec_control |= CPU_BASED_VIRTUAL_INTR_PENDING;
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
+        return 0;
 }
-static void enable_nmi_window(struct kvm_vcpu *vcpu)
+static int enable_nmi_window(struct kvm_vcpu *vcpu)
 {
        u32 cpu_based_vm_exec_control;
-        if (!cpu_has_virtual_nmis()) {
+        if (!cpu_has_virtual_nmis())
-                enable_irq_window(vcpu);
+                return enable_irq_window(vcpu);
-                return;
-        }
+        if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI)
+                return enable_irq_window(vcpu);
-        if (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & GUEST_INTR_STATE_STI) {
-                enable_irq_window(vcpu);
-                return;
-        }
        cpu_based_vm_exec_control = vmcs_read32(CPU_BASED_VM_EXEC_CONTROL);
        cpu_based_vm_exec_control |= CPU_BASED_VIRTUAL_NMI_PENDING;
        vmcs_write32(CPU_BASED_VM_EXEC_CONTROL, cpu_based_vm_exec_control);
+        return 0;
 }
 static void vmx_inject_irq(struct kvm_vcpu *vcpu)
@@ -4294,16 +4491,6 @@ static void vmx_inject_nmi(struct kvm_vcpu *vcpu)
                        INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK | NMI_VECTOR);
 }
-static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
-{
-        if (!cpu_has_virtual_nmis() && to_vmx(vcpu)->soft_vnmi_blocked)
-                return 0;
-        return  !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
-                  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
-                   | GUEST_INTR_STATE_NMI));
-}
 static bool vmx_get_nmi_mask(struct kvm_vcpu *vcpu)
 {
        if (!cpu_has_virtual_nmis())
@@ -4333,18 +4520,52 @@ static void vmx_set_nmi_mask(struct kvm_vcpu *vcpu, bool masked)
        }
 }
+static int vmx_nmi_allowed(struct kvm_vcpu *vcpu)
+{
+        if (is_guest_mode(vcpu)) {
+                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+                if (to_vmx(vcpu)->nested.nested_run_pending)
+                        return 0;
+                if (nested_exit_on_nmi(vcpu)) {
+                        nested_vmx_vmexit(vcpu);
+                        vmcs12->vm_exit_reason = EXIT_REASON_EXCEPTION_NMI;
+                        vmcs12->vm_exit_intr_info = NMI_VECTOR |
+                                INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK;
+                        /*
+                         * The NMI-triggered VM exit counts as injection:
+                         * clear this one and block further NMIs.
+                         */
+                        vcpu->arch.nmi_pending = 0;
+                        vmx_set_nmi_mask(vcpu, true);
+                        return 0;
+                }
+        }
+        if (!cpu_has_virtual_nmis() && to_vmx(vcpu)->soft_vnmi_blocked)
+                return 0;
+        return  !(vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) &
+                  (GUEST_INTR_STATE_MOV_SS | GUEST_INTR_STATE_STI
+                   | GUEST_INTR_STATE_NMI));
+}
 static int vmx_interrupt_allowed(struct kvm_vcpu *vcpu)
 {
-        if (is_guest_mode(vcpu) && nested_exit_on_intr(vcpu)) {
+        if (is_guest_mode(vcpu)) {
                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-                if (to_vmx(vcpu)->nested.nested_run_pending ||
-                    (vmcs12->idt_vectoring_info_field &
+                if (to_vmx(vcpu)->nested.nested_run_pending)
-                     VECTORING_INFO_VALID_MASK))
                        return 0;
-                nested_vmx_vmexit(vcpu);
+                if (nested_exit_on_intr(vcpu)) {
-                vmcs12->vm_exit_reason = EXIT_REASON_EXTERNAL_INTERRUPT;
+                        nested_vmx_vmexit(vcpu);
-                vmcs12->vm_exit_intr_info = 0;
+                        vmcs12->vm_exit_reason =
-                /* fall through to normal code, but now in L1, not L2 */
+                                EXIT_REASON_EXTERNAL_INTERRUPT;
+                        vmcs12->vm_exit_intr_info = 0;
+                        /*
+                         * fall through to normal code, but now in L1, not L2
+                         */
+                }
        }
        return (vmcs_readl(GUEST_RFLAGS) & X86_EFLAGS_IF) &&
@@ -4362,7 +4583,7 @@ static int vmx_set_tss_addr(struct kvm *kvm, unsigned int addr)
                .flags = 0,
        };
-        ret = kvm_set_memory_region(kvm, &tss_mem, false);
+        ret = kvm_set_memory_region(kvm, &tss_mem);
        if (ret)
                return ret;
        kvm->arch.tss_addr = addr;
@@ -4603,34 +4824,50 @@ vmx_patch_hypercall(struct kvm_vcpu *vcpu, unsigned char *hypercall)
 /* called to set cr0 as appropriate for a mov-to-cr0 exit. */
 static int handle_set_cr0(struct kvm_vcpu *vcpu, unsigned long val)
 {
-        if (to_vmx(vcpu)->nested.vmxon &&
-            ((val & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON))
-                return 1;
        if (is_guest_mode(vcpu)) {
+                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+                unsigned long orig_val = val;
                /*
                 * We get here when L2 changed cr0 in a way that did not change
                 * any of L1's shadowed bits (see nested_vmx_exit_handled_cr),
-                 * but did change L0 shadowed bits. This can currently happen
+                 * but did change L0 shadowed bits. So we first calculate the
-                 * with the TS bit: L0 may want to leave TS on (for lazy fpu
+                 * effective cr0 value that L1 would like to write into the
-                 * loading) while pretending to allow the guest to change it.
+                 * hardware. It consists of the L2-owned bits from the new
+                 * value combined with the L1-owned bits from L1's guest_cr0.
                 */
-                if (kvm_set_cr0(vcpu, (val & vcpu->arch.cr0_guest_owned_bits) |
+                val = (val & ~vmcs12->cr0_guest_host_mask) |
-                         (vcpu->arch.cr0 & ~vcpu->arch.cr0_guest_owned_bits)))
+                        (vmcs12->guest_cr0 & vmcs12->cr0_guest_host_mask);
+                /* TODO: will have to take unrestricted guest mode into
+                 * account */
+                if ((val & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON)
                        return 1;
-                vmcs_writel(CR0_READ_SHADOW, val);
+                if (kvm_set_cr0(vcpu, val))
+                        return 1;
+                vmcs_writel(CR0_READ_SHADOW, orig_val);
                return 0;
-        } else
+        } else {
+                if (to_vmx(vcpu)->nested.vmxon &&
+                    ((val & VMXON_CR0_ALWAYSON) != VMXON_CR0_ALWAYSON))
+                        return 1;
                return kvm_set_cr0(vcpu, val);
+        }
 }
 static int handle_set_cr4(struct kvm_vcpu *vcpu, unsigned long val)
 {
        if (is_guest_mode(vcpu)) {
-                if (kvm_set_cr4(vcpu, (val & vcpu->arch.cr4_guest_owned_bits) |
+                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-                         (vcpu->arch.cr4 & ~vcpu->arch.cr4_guest_owned_bits)))
+                unsigned long orig_val = val;
+                /* analogously to handle_set_cr0 */
+                val = (val & ~vmcs12->cr4_guest_host_mask) |
+                        (vmcs12->guest_cr4 & vmcs12->cr4_guest_host_mask);
+                if (kvm_set_cr4(vcpu, val))
                        return 1;
-                vmcs_writel(CR4_READ_SHADOW, val);
+                vmcs_writel(CR4_READ_SHADOW, orig_val);
                return 0;
        } else
                return kvm_set_cr4(vcpu, val);
@@ -5183,7 +5420,7 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
                if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
                        return 1;
-                err = emulate_instruction(vcpu, 0);
+                err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
                if (err == EMULATE_DO_MMIO) {
                        ret = 0;
@@ -5259,8 +5496,7 @@ static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
        }
        /* Create a new VMCS */
-        item = (struct vmcs02_list *)
+        item = kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
-                kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
        if (!item)
                return NULL;
        item->vmcs02.vmcs = alloc_vmcs();
@@ -5309,6 +5545,9 @@ static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
                free_loaded_vmcs(&vmx->vmcs01);
 }
+static void nested_vmx_failValid(struct kvm_vcpu *vcpu,
+                                 u32 vm_instruction_error);
 /*
 * Emulate the VMXON instruction.
 * Currently, we just remember that VMX is active, and do not save or even
@@ -5321,6 +5560,7 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
 {
        struct kvm_segment cs;
        struct vcpu_vmx *vmx = to_vmx(vcpu);
+        struct vmcs *shadow_vmcs;
        /* The Intel VMX Instruction Reference lists a bunch of bits that
         * are prerequisite to running VMXON, most notably cr4.VMXE must be
@@ -5344,6 +5584,21 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
                kvm_inject_gp(vcpu, 0);
                return 1;
        }
+        if (vmx->nested.vmxon) {
+                nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
+                skip_emulated_instruction(vcpu);
+                return 1;
+        }
+        if (enable_shadow_vmcs) {
+                shadow_vmcs = alloc_vmcs();
+                if (!shadow_vmcs)
+                        return -ENOMEM;
+                /* mark vmcs as shadow */
+                shadow_vmcs->revision_id |= (1u << 31);
+                /* init shadow vmcs */
+                vmcs_clear(shadow_vmcs);
+                vmx->nested.current_shadow_vmcs = shadow_vmcs;
+        }
        INIT_LIST_HEAD(&(vmx->nested.vmcs02_pool));
        vmx->nested.vmcs02_num = 0;
@@ -5384,6 +5639,25 @@ static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
        return 1;
 }
+static inline void nested_release_vmcs12(struct vcpu_vmx *vmx)
+{
+        u32 exec_control;
+        if (enable_shadow_vmcs) {
+                if (vmx->nested.current_vmcs12 != NULL) {
+                        /* copy to memory all shadowed fields in case
+                           they were modified */
+                        copy_shadow_to_vmcs12(vmx);
+                        vmx->nested.sync_shadow_vmcs = false;
+                        exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
+                        exec_control &= ~SECONDARY_EXEC_SHADOW_VMCS;
+                        vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
+                        vmcs_write64(VMCS_LINK_POINTER, -1ull);
+                }
+        }
+        kunmap(vmx->nested.current_vmcs12_page);
+        nested_release_page(vmx->nested.current_vmcs12_page);
+}
 /*
 * Free whatever needs to be freed from vmx->nested when L1 goes down, or
 * just stops using VMX.
@@ -5394,11 +5668,12 @@ static void free_nested(struct vcpu_vmx *vmx)
                return;
        vmx->nested.vmxon = false;
        if (vmx->nested.current_vmptr != -1ull) {
-                kunmap(vmx->nested.current_vmcs12_page);
+                nested_release_vmcs12(vmx);
-                nested_release_page(vmx->nested.current_vmcs12_page);
                vmx->nested.current_vmptr = -1ull;
                vmx->nested.current_vmcs12 = NULL;
        }
+        if (enable_shadow_vmcs)
+                free_vmcs(vmx->nested.current_shadow_vmcs);
        /* Unpin physical memory we referred to in current vmcs02 */
        if (vmx->nested.apic_access_page) {
                nested_release_page(vmx->nested.apic_access_page);
@@ -5507,6 +5782,10 @@ static void nested_vmx_failValid(struct kvm_vcpu *vcpu,
                            X86_EFLAGS_SF | X86_EFLAGS_OF))
                        | X86_EFLAGS_ZF);
        get_vmcs12(vcpu)->vm_instruction_error = vm_instruction_error;
+        /*
+         * We don't need to force a shadow sync because
+         * VM_INSTRUCTION_ERROR is not shadowed
+         */
 }
 /* Emulate the VMCLEAR instruction */
@@ -5539,8 +5818,7 @@ static int handle_vmclear(struct kvm_vcpu *vcpu)
        }
        if (vmptr == vmx->nested.current_vmptr) {
-                kunmap(vmx->nested.current_vmcs12_page);
+                nested_release_vmcs12(vmx);
-                nested_release_page(vmx->nested.current_vmcs12_page);
                vmx->nested.current_vmptr = -1ull;
                vmx->nested.current_vmcs12 = NULL;
        }
@@ -5639,6 +5917,111 @@ static inline bool vmcs12_read_any(struct kvm_vcpu *vcpu,
        }
 }
+static inline bool vmcs12_write_any(struct kvm_vcpu *vcpu,
+                                    unsigned long field, u64 field_value){
+        short offset = vmcs_field_to_offset(field);
+        char *p = ((char *) get_vmcs12(vcpu)) + offset;
+        if (offset < 0)
+                return false;
+        switch (vmcs_field_type(field)) {
+        case VMCS_FIELD_TYPE_U16:
+                *(u16 *)p = field_value;
+                return true;
+        case VMCS_FIELD_TYPE_U32:
+                *(u32 *)p = field_value;
+                return true;
+        case VMCS_FIELD_TYPE_U64:
+                *(u64 *)p = field_value;
+                return true;
+        case VMCS_FIELD_TYPE_NATURAL_WIDTH:
+                *(natural_width *)p = field_value;
+                return true;
+        default:
+                return false; /* can never happen. */
+        }
+}
+static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx)
+{
+        int i;
+        unsigned long field;
+        u64 field_value;
+        struct vmcs *shadow_vmcs = vmx->nested.current_shadow_vmcs;
+        unsigned long *fields = (unsigned long *)shadow_read_write_fields;
+        int num_fields = max_shadow_read_write_fields;
+        vmcs_load(shadow_vmcs);
+        for (i = 0; i < num_fields; i++) {
+                field = fields[i];
+                switch (vmcs_field_type(field)) {
+                case VMCS_FIELD_TYPE_U16:
+                        field_value = vmcs_read16(field);
+                        break;
+                case VMCS_FIELD_TYPE_U32:
+                        field_value = vmcs_read32(field);
+                        break;
+                case VMCS_FIELD_TYPE_U64:
+                        field_value = vmcs_read64(field);
+                        break;
+                case VMCS_FIELD_TYPE_NATURAL_WIDTH:
+                        field_value = vmcs_readl(field);
+                        break;
+                }
+                vmcs12_write_any(&vmx->vcpu, field, field_value);
+        }
+        vmcs_clear(shadow_vmcs);
+        vmcs_load(vmx->loaded_vmcs->vmcs);
+}
+static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx)
+{
+        unsigned long *fields[] = {
+                (unsigned long *)shadow_read_write_fields,
+                (unsigned long *)shadow_read_only_fields
+        };
+        int num_lists =  ARRAY_SIZE(fields);
+        int max_fields[] = {
+                max_shadow_read_write_fields,
+                max_shadow_read_only_fields
+        };
+        int i, q;
+        unsigned long field;
+        u64 field_value = 0;
+        struct vmcs *shadow_vmcs = vmx->nested.current_shadow_vmcs;
+        vmcs_load(shadow_vmcs);
+        for (q = 0; q < num_lists; q++) {
+                for (i = 0; i < max_fields[q]; i++) {
+                        field = fields[q][i];
+                        vmcs12_read_any(&vmx->vcpu, field, &field_value);
+                        switch (vmcs_field_type(field)) {
+                        case VMCS_FIELD_TYPE_U16:
+                                vmcs_write16(field, (u16)field_value);
+                                break;
+                        case VMCS_FIELD_TYPE_U32:
+                                vmcs_write32(field, (u32)field_value);
+                                break;
+                        case VMCS_FIELD_TYPE_U64:
+                                vmcs_write64(field, (u64)field_value);
+                                break;
+                        case VMCS_FIELD_TYPE_NATURAL_WIDTH:
+                                vmcs_writel(field, (long)field_value);
+                                break;
+                        }
+                }
+        }
+        vmcs_clear(shadow_vmcs);
+        vmcs_load(vmx->loaded_vmcs->vmcs);
+}
 /*
 * VMX instructions which assume a current vmcs12 (i.e., that VMPTRLD was
 * used before) all generate the same failure when it is missing.
@@ -5703,8 +6086,6 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu)
        gva_t gva;
        unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
        u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
-        char *p;
-        short offset;
        /* The value to write might be 32 or 64 bits, depending on L1's long
         * mode, and eventually we need to write that into a field of several
         * possible lengths. The code below first zero-extends the value to 64
@@ -5741,28 +6122,7 @@ static int handle_vmwrite(struct kvm_vcpu *vcpu)
                return 1;
        }
-        offset = vmcs_field_to_offset(field);
+        if (!vmcs12_write_any(vcpu, field, field_value)) {
-        if (offset < 0) {
-                nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT);
-                skip_emulated_instruction(vcpu);
-                return 1;
-        }
-        p = ((char *) get_vmcs12(vcpu)) + offset;
-        switch (vmcs_field_type(field)) {
-        case VMCS_FIELD_TYPE_U16:
-                *(u16 *)p = field_value;
-                break;
-        case VMCS_FIELD_TYPE_U32:
-                *(u32 *)p = field_value;
-                break;
-        case VMCS_FIELD_TYPE_U64:
-                *(u64 *)p = field_value;
-                break;
-        case VMCS_FIELD_TYPE_NATURAL_WIDTH:
-                *(natural_width *)p = field_value;
-                break;
-        default:
                nested_vmx_failValid(vcpu, VMXERR_UNSUPPORTED_VMCS_COMPONENT);
                skip_emulated_instruction(vcpu);
                return 1;
@@ -5780,6 +6140,7 @@ static int handle_vmptrld(struct kvm_vcpu *vcpu)
        gva_t gva;
        gpa_t vmptr;
        struct x86_exception e;
+        u32 exec_control;
        if (!nested_vmx_check_permission(vcpu))
                return 1;
@@ -5818,14 +6179,20 @@ static int handle_vmptrld(struct kvm_vcpu *vcpu)
                        skip_emulated_instruction(vcpu);
                        return 1;
                }
-                if (vmx->nested.current_vmptr != -1ull) {
+                if (vmx->nested.current_vmptr != -1ull)
-                        kunmap(vmx->nested.current_vmcs12_page);
+                        nested_release_vmcs12(vmx);
-                        nested_release_page(vmx->nested.current_vmcs12_page);
-                }
                vmx->nested.current_vmptr = vmptr;
                vmx->nested.current_vmcs12 = new_vmcs12;
                vmx->nested.current_vmcs12_page = page;
+                if (enable_shadow_vmcs) {
+                        exec_control = vmcs_read32(SECONDARY_VM_EXEC_CONTROL);
+                        exec_control |= SECONDARY_EXEC_SHADOW_VMCS;
+                        vmcs_write32(SECONDARY_VM_EXEC_CONTROL, exec_control);
+                        vmcs_write64(VMCS_LINK_POINTER,
+                                     __pa(vmx->nested.current_shadow_vmcs));
+                        vmx->nested.sync_shadow_vmcs = true;
+                }
        }
        nested_vmx_succeed(vcpu);
@@ -5908,6 +6275,52 @@ static int (*const kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
 static const int kvm_vmx_max_exit_handlers =
        ARRAY_SIZE(kvm_vmx_exit_handlers);
+static bool nested_vmx_exit_handled_io(struct kvm_vcpu *vcpu,
+                                       struct vmcs12 *vmcs12)
+{
+        unsigned long exit_qualification;
+        gpa_t bitmap, last_bitmap;
+        unsigned int port;
+        int size;
+        u8 b;
+        if (nested_cpu_has(vmcs12, CPU_BASED_UNCOND_IO_EXITING))
+                return 1;
+        if (!nested_cpu_has(vmcs12, CPU_BASED_USE_IO_BITMAPS))
+                return 0;
+        exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
+        port = exit_qualification >> 16;
+        size = (exit_qualification & 7) + 1;
+        last_bitmap = (gpa_t)-1;
+        b = -1;
+        while (size > 0) {
+                if (port < 0x8000)
+                        bitmap = vmcs12->io_bitmap_a;
+                else if (port < 0x10000)
+                        bitmap = vmcs12->io_bitmap_b;
+                else
+                        return 1;
+                bitmap += (port & 0x7fff) / 8;
+                if (last_bitmap != bitmap)
+                        if (kvm_read_guest(vcpu->kvm, bitmap, &b, 1))
+                                return 1;
+                if (b & (1 << (port & 7)))
+                        return 1;
+                port++;
+                size--;
+                last_bitmap = bitmap;
+        }
+        return 0;
+}
 /*
 * Return 1 if we should exit from L2 to L1 to handle an MSR access access,
 * rather than handle it ourselves in L0. I.e., check whether L1 expressed
@@ -5939,7 +6352,8 @@ static bool nested_vmx_exit_handled_msr(struct kvm_vcpu *vcpu,
        /* Then read the msr_index'th bit from this bitmap: */
        if (msr_index < 1024*8) {
                unsigned char b;
-                kvm_read_guest(vcpu->kvm, bitmap + msr_index/8, &b, 1);
+                if (kvm_read_guest(vcpu->kvm, bitmap + msr_index/8, &b, 1))
+                        return 1;
                return 1 & (b >> (msr_index & 7));
        } else
                return 1; /* let L1 handle the wrong parameter */
@@ -6033,10 +6447,10 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
 */
 static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
 {
-        u32 exit_reason = vmcs_read32(VM_EXIT_REASON);
        u32 intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+        u32 exit_reason = vmx->exit_reason;
        if (vmx->nested.nested_run_pending)
                return 0;
@@ -6060,14 +6474,9 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
        case EXIT_REASON_TRIPLE_FAULT:
                return 1;
        case EXIT_REASON_PENDING_INTERRUPT:
+                return nested_cpu_has(vmcs12, CPU_BASED_VIRTUAL_INTR_PENDING);
        case EXIT_REASON_NMI_WINDOW:
-                /*
+                return nested_cpu_has(vmcs12, CPU_BASED_VIRTUAL_NMI_PENDING);
-                 * prepare_vmcs02() set the CPU_BASED_VIRTUAL_INTR_PENDING bit
-                 * (aka Interrupt Window Exiting) only when L1 turned it on,
-                 * so if we got a PENDING_INTERRUPT exit, this must be for L1.
-                 * Same for NMI Window Exiting.
-                 */
-                return 1;
        case EXIT_REASON_TASK_SWITCH:
                return 1;
        case EXIT_REASON_CPUID:
@@ -6097,8 +6506,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
        case EXIT_REASON_DR_ACCESS:
                return nested_cpu_has(vmcs12, CPU_BASED_MOV_DR_EXITING);
        case EXIT_REASON_IO_INSTRUCTION:
-                /* TODO: support IO bitmaps */
+                return nested_vmx_exit_handled_io(vcpu, vmcs12);
-                return 1;
        case EXIT_REASON_MSR_READ:
        case EXIT_REASON_MSR_WRITE:
                return nested_vmx_exit_handled_msr(vcpu, vmcs12, exit_reason);
@@ -6122,6 +6530,9 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
        case EXIT_REASON_EPT_VIOLATION:
        case EXIT_REASON_EPT_MISCONFIG:
                return 0;
+        case EXIT_REASON_PREEMPTION_TIMER:
+                return vmcs12->pin_based_vm_exec_control &
+                        PIN_BASED_VMX_PREEMPTION_TIMER;
        case EXIT_REASON_WBINVD:
                return nested_cpu_has2(vmcs12, SECONDARY_EXEC_WBINVD_EXITING);
        case EXIT_REASON_XSETBV:
@@ -6316,6 +6727,9 @@ static void vmx_hwapic_irr_update(struct kvm_vcpu *vcpu, int max_irr)
 static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap)
 {
+        if (!vmx_vm_has_apicv(vcpu->kvm))
+                return;
        vmcs_write64(EOI_EXIT_BITMAP0, eoi_exit_bitmap[0]);
        vmcs_write64(EOI_EXIT_BITMAP1, eoi_exit_bitmap[1]);
        vmcs_write64(EOI_EXIT_BITMAP2, eoi_exit_bitmap[2]);
@@ -6346,6 +6760,52 @@ static void vmx_complete_atomic_exit(struct vcpu_vmx *vmx)
        }
 }
+static void vmx_handle_external_intr(struct kvm_vcpu *vcpu)
+{
+        u32 exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
+        /*
+         * If external interrupt exists, IF bit is set in rflags/eflags on the
+         * interrupt stack frame, and interrupt will be enabled on a return
+         * from interrupt handler.
+         */
+        if ((exit_intr_info & (INTR_INFO_VALID_MASK | INTR_INFO_INTR_TYPE_MASK))
+                        == (INTR_INFO_VALID_MASK | INTR_TYPE_EXT_INTR)) {
+                unsigned int vector;
+                unsigned long entry;
+                gate_desc *desc;
+                struct vcpu_vmx *vmx = to_vmx(vcpu);
+#ifdef CONFIG_X86_64
+                unsigned long tmp;
+#endif
+                vector =  exit_intr_info & INTR_INFO_VECTOR_MASK;
+                desc = (gate_desc *)vmx->host_idt_base + vector;
+                entry = gate_offset(*desc);
+                asm volatile(
+#ifdef CONFIG_X86_64
+                        "mov %%" _ASM_SP ", %[sp]\n\t"
+                        "and $0xfffffffffffffff0, %%" _ASM_SP "\n\t"
+                        "push $%c[ss]\n\t"
+                        "push %[sp]\n\t"
+#endif
+                        "pushf\n\t"
+                        "orl $0x200, (%%" _ASM_SP ")\n\t"
+                        __ASM_SIZE(push) " $%c[cs]\n\t"
+                        "call *%[entry]\n\t"
+                        :
+#ifdef CONFIG_X86_64
+                        [sp]"=&r"(tmp)
+#endif
+                        :
+                        [entry]"r"(entry),
+                        [ss]"i"(__KERNEL_DS),
+                        [cs]"i"(__KERNEL_CS)
+                        );
+        } else
+                local_irq_enable();
+}
 static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
 {
        u32 exit_intr_info;
@@ -6388,7 +6848,7 @@ static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
                        ktime_to_ns(ktime_sub(ktime_get(), vmx->entry_time));
 }
-static void __vmx_complete_interrupts(struct vcpu_vmx *vmx,
+static void __vmx_complete_interrupts(struct kvm_vcpu *vcpu,
                                      u32 idt_vectoring_info,
                                      int instr_len_field,
                                      int error_code_field)
@@ -6399,46 +6859,43 @@ static void __vmx_complete_interrupts(struct vcpu_vmx *vmx,
        idtv_info_valid = idt_vectoring_info & VECTORING_INFO_VALID_MASK;
-        vmx->vcpu.arch.nmi_injected = false;
+        vcpu->arch.nmi_injected = false;
-        kvm_clear_exception_queue(&vmx->vcpu);
+        kvm_clear_exception_queue(vcpu);
-        kvm_clear_interrupt_queue(&vmx->vcpu);
+        kvm_clear_interrupt_queue(vcpu);
        if (!idtv_info_valid)
                return;
-        kvm_make_request(KVM_REQ_EVENT, &vmx->vcpu);
+        kvm_make_request(KVM_REQ_EVENT, vcpu);
        vector = idt_vectoring_info & VECTORING_INFO_VECTOR_MASK;
        type = idt_vectoring_info & VECTORING_INFO_TYPE_MASK;
        switch (type) {
        case INTR_TYPE_NMI_INTR:
-                vmx->vcpu.arch.nmi_injected = true;
+                vcpu->arch.nmi_injected = true;
                /*
                 * SDM 3: 27.7.1.2 (September 2008)
                 * Clear bit "block by NMI" before VM entry if a NMI
                 * delivery faulted.
                 */
-                vmx_set_nmi_mask(&vmx->vcpu, false);
+                vmx_set_nmi_mask(vcpu, false);
                break;
        case INTR_TYPE_SOFT_EXCEPTION:
-                vmx->vcpu.arch.event_exit_inst_len =
+                vcpu->arch.event_exit_inst_len = vmcs_read32(instr_len_field);
-                        vmcs_read32(instr_len_field);
                /* fall through */
        case INTR_TYPE_HARD_EXCEPTION:
                if (idt_vectoring_info & VECTORING_INFO_DELIVER_CODE_MASK) {
                        u32 err = vmcs_read32(error_code_field);
-                        kvm_queue_exception_e(&vmx->vcpu, vector, err);
+                        kvm_queue_exception_e(vcpu, vector, err);
                } else
-                        kvm_queue_exception(&vmx->vcpu, vector);
+                        kvm_queue_exception(vcpu, vector);
                break;
        case INTR_TYPE_SOFT_INTR:
-                vmx->vcpu.arch.event_exit_inst_len =
+                vcpu->arch.event_exit_inst_len = vmcs_read32(instr_len_field);
-                        vmcs_read32(instr_len_field);
                /* fall through */
        case INTR_TYPE_EXT_INTR:
-                kvm_queue_interrupt(&vmx->vcpu, vector,
+                kvm_queue_interrupt(vcpu, vector, type == INTR_TYPE_SOFT_INTR);
-                        type == INTR_TYPE_SOFT_INTR);
                break;
        default:
                break;
@@ -6447,18 +6904,14 @@ static void __vmx_complete_interrupts(struct vcpu_vmx *vmx,
 static void vmx_complete_interrupts(struct vcpu_vmx *vmx)
 {
-        if (is_guest_mode(&vmx->vcpu))
+        __vmx_complete_interrupts(&vmx->vcpu, vmx->idt_vectoring_info,
-                return;
-        __vmx_complete_interrupts(vmx, vmx->idt_vectoring_info,
                                  VM_EXIT_INSTRUCTION_LEN,
                                  IDT_VECTORING_ERROR_CODE);
 }
 static void vmx_cancel_injection(struct kvm_vcpu *vcpu)
 {
-        if (is_guest_mode(vcpu))
+        __vmx_complete_interrupts(vcpu,
-                return;
-        __vmx_complete_interrupts(to_vmx(vcpu),
                                  vmcs_read32(VM_ENTRY_INTR_INFO_FIELD),
                                  VM_ENTRY_INSTRUCTION_LEN,
                                  VM_ENTRY_EXCEPTION_ERROR_CODE);
@@ -6489,21 +6942,6 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        unsigned long debugctlmsr;
-        if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) {
-                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-                if (vmcs12->idt_vectoring_info_field &
-                                VECTORING_INFO_VALID_MASK) {
-                        vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
-                                vmcs12->idt_vectoring_info_field);
-                        vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
-                                vmcs12->vm_exit_instruction_len);
-                        if (vmcs12->idt_vectoring_info_field &
-                                        VECTORING_INFO_DELIVER_CODE_MASK)
-                                vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE,
-                                        vmcs12->idt_vectoring_error_code);
-                }
-        }
        /* Record the guest's net vcpu time for enforced NMI injections. */
        if (unlikely(!cpu_has_virtual_nmis() && vmx->soft_vnmi_blocked))
                vmx->entry_time = ktime_get();
@@ -6513,6 +6951,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
        if (vmx->emulation_required)
                return;
+        if (vmx->nested.sync_shadow_vmcs) {
+                copy_vmcs12_to_shadow(vmx);
+                vmx->nested.sync_shadow_vmcs = false;
+        }
        if (test_bit(VCPU_REGS_RSP, (unsigned long *)&vcpu->arch.regs_dirty))
                vmcs_writel(GUEST_RSP, vcpu->arch.regs[VCPU_REGS_RSP]);
        if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
@@ -6662,17 +7105,6 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
        vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
-        if (is_guest_mode(vcpu)) {
-                struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
-                vmcs12->idt_vectoring_info_field = vmx->idt_vectoring_info;
-                if (vmx->idt_vectoring_info & VECTORING_INFO_VALID_MASK) {
-                        vmcs12->idt_vectoring_error_code =
-                                vmcs_read32(IDT_VECTORING_ERROR_CODE);
-                        vmcs12->vm_exit_instruction_len =
-                                vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
-                }
-        }
        vmx->loaded_vmcs->launched = 1;
        vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
@@ -6734,10 +7166,11 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id)
        put_cpu();
        if (err)
                goto free_vmcs;
-        if (vm_need_virtualize_apic_accesses(kvm))
+        if (vm_need_virtualize_apic_accesses(kvm)) {
                err = alloc_apic_access_page(kvm);
                if (err)
                        goto free_vmcs;
+        }
        if (enable_ept) {
                if (!kvm->arch.ept_identity_map_addr)
@@ -6931,9 +7364,8 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                vmcs12->vm_entry_instruction_len);
        vmcs_write32(GUEST_INTERRUPTIBILITY_INFO,
                vmcs12->guest_interruptibility_info);
-        vmcs_write32(GUEST_ACTIVITY_STATE, vmcs12->guest_activity_state);
        vmcs_write32(GUEST_SYSENTER_CS, vmcs12->guest_sysenter_cs);
-        vmcs_writel(GUEST_DR7, vmcs12->guest_dr7);
+        kvm_set_dr(vcpu, 7, vmcs12->guest_dr7);
        vmcs_writel(GUEST_RFLAGS, vmcs12->guest_rflags);
        vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS,
                vmcs12->guest_pending_dbg_exceptions);
@@ -6946,6 +7378,10 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                (vmcs_config.pin_based_exec_ctrl |
                 vmcs12->pin_based_vm_exec_control));
+        if (vmcs12->pin_based_vm_exec_control & PIN_BASED_VMX_PREEMPTION_TIMER)
+                vmcs_write32(VMX_PREEMPTION_TIMER_VALUE,
+                             vmcs12->vmx_preemption_timer_value);
        /*
         * Whether page-faults are trapped is determined by a combination of
         * 3 settings: PFEC_MASK, PFEC_MATCH and EXCEPTION_BITMAP.PF.
@@ -7016,7 +7452,7 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
         * Other fields are different per CPU, and will be set later when
         * vmx_vcpu_load() is called, and when vmx_save_host_state() is called.
         */
-        vmx_set_constant_host_state();
+        vmx_set_constant_host_state(vmx);
        /*
         * HOST_RSP is normally set correctly in vmx_vcpu_run() just before
@@ -7082,7 +7518,7 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
        if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER)
                vcpu->arch.efer = vmcs12->guest_ia32_efer;
-        if (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE)
+        else if (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE)
                vcpu->arch.efer |= (EFER_LMA | EFER_LME);
        else
                vcpu->arch.efer &= ~(EFER_LMA | EFER_LME);
@@ -7121,6 +7557,7 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
        struct vcpu_vmx *vmx = to_vmx(vcpu);
        int cpu;
        struct loaded_vmcs *vmcs02;
+        bool ia32e;
        if (!nested_vmx_check_permission(vcpu) ||
            !nested_vmx_check_vmcs12(vcpu))
@@ -7129,6 +7566,9 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
        skip_emulated_instruction(vcpu);
        vmcs12 = get_vmcs12(vcpu);
+        if (enable_shadow_vmcs)
+                copy_shadow_to_vmcs12(vmx);
        /*
         * The nested entry process starts with enforcing various prerequisites
         * on vmcs12 as required by the Intel SDM, and act appropriately when
@@ -7146,6 +7586,11 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
                return 1;
        }
+        if (vmcs12->guest_activity_state != GUEST_ACTIVITY_ACTIVE) {
+                nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
+                return 1;
+        }
        if ((vmcs12->cpu_based_vm_exec_control & CPU_BASED_USE_MSR_BITMAPS) &&
                        !IS_ALIGNED(vmcs12->msr_bitmap, PAGE_SIZE)) {
                /*TODO: Also verify bits beyond physical address width are 0*/
@@ -7204,6 +7649,45 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
        }
        /*
+         * If the load IA32_EFER VM-entry control is 1, the following checks
+         * are performed on the field for the IA32_EFER MSR:
+         * - Bits reserved in the IA32_EFER MSR must be 0.
+         * - Bit 10 (corresponding to IA32_EFER.LMA) must equal the value of
+         *   the IA-32e mode guest VM-exit control. It must also be identical
+         *   to bit 8 (LME) if bit 31 in the CR0 field (corresponding to
+         *   CR0.PG) is 1.
+         */
+        if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER) {
+                ia32e = (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) != 0;
+                if (!kvm_valid_efer(vcpu, vmcs12->guest_ia32_efer) ||
+                    ia32e != !!(vmcs12->guest_ia32_efer & EFER_LMA) ||
+                    ((vmcs12->guest_cr0 & X86_CR0_PG) &&
+                     ia32e != !!(vmcs12->guest_ia32_efer & EFER_LME))) {
+                        nested_vmx_entry_failure(vcpu, vmcs12,
+                                EXIT_REASON_INVALID_STATE, ENTRY_FAIL_DEFAULT);
+                        return 1;
+                }
+        }
+        /*
+         * If the load IA32_EFER VM-exit control is 1, bits reserved in the
+         * IA32_EFER MSR must be 0 in the field for that register. In addition,
+         * the values of the LMA and LME bits in the field must each be that of
+         * the host address-space size VM-exit control.
+         */
+        if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER) {
+                ia32e = (vmcs12->vm_exit_controls &
+                         VM_EXIT_HOST_ADDR_SPACE_SIZE) != 0;
+                if (!kvm_valid_efer(vcpu, vmcs12->host_ia32_efer) ||
+                    ia32e != !!(vmcs12->host_ia32_efer & EFER_LMA) ||
+                    ia32e != !!(vmcs12->host_ia32_efer & EFER_LME)) {
+                        nested_vmx_entry_failure(vcpu, vmcs12,
+                                EXIT_REASON_INVALID_STATE, ENTRY_FAIL_DEFAULT);
+                        return 1;
+                }
+        }
+        /*
         * We're finally done with prerequisite checking, and can start with
         * the nested entry.
         */
@@ -7223,6 +7707,8 @@ static int nested_vmx_run(struct kvm_vcpu *vcpu, bool launch)
        vcpu->cpu = cpu;
        put_cpu();
+        vmx_segment_cache_clear(vmx);
        vmcs12->launch_state = 1;
        prepare_vmcs02(vcpu, vmcs12);
@@ -7273,6 +7759,48 @@ vmcs12_guest_cr4(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
                        vcpu->arch.cr4_guest_owned_bits));
 }
+static void vmcs12_save_pending_event(struct kvm_vcpu *vcpu,
+                                       struct vmcs12 *vmcs12)
+{
+        u32 idt_vectoring;
+        unsigned int nr;
+        if (vcpu->arch.exception.pending) {
+                nr = vcpu->arch.exception.nr;
+                idt_vectoring = nr | VECTORING_INFO_VALID_MASK;
+                if (kvm_exception_is_soft(nr)) {
+                        vmcs12->vm_exit_instruction_len =
+                                vcpu->arch.event_exit_inst_len;
+                        idt_vectoring |= INTR_TYPE_SOFT_EXCEPTION;
+                } else
+                        idt_vectoring |= INTR_TYPE_HARD_EXCEPTION;
+                if (vcpu->arch.exception.has_error_code) {
+                        idt_vectoring |= VECTORING_INFO_DELIVER_CODE_MASK;
+                        vmcs12->idt_vectoring_error_code =
+                                vcpu->arch.exception.error_code;
+                }
+                vmcs12->idt_vectoring_info_field = idt_vectoring;
+        } else if (vcpu->arch.nmi_pending) {
+                vmcs12->idt_vectoring_info_field =
+                        INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK | NMI_VECTOR;
+        } else if (vcpu->arch.interrupt.pending) {
+                nr = vcpu->arch.interrupt.nr;
+                idt_vectoring = nr | VECTORING_INFO_VALID_MASK;
+                if (vcpu->arch.interrupt.soft) {
+                        idt_vectoring |= INTR_TYPE_SOFT_INTR;
+                        vmcs12->vm_entry_instruction_len =
+                                vcpu->arch.event_exit_inst_len;
+                } else
+                        idt_vectoring |= INTR_TYPE_EXT_INTR;
+                vmcs12->idt_vectoring_info_field = idt_vectoring;
+        }
+}
 /*
 * prepare_vmcs12 is part of what we need to do when the nested L2 guest exits
 * and we want to prepare to run its L1 parent. L1 keeps a vmcs for L2 (vmcs12),
@@ -7284,7 +7812,7 @@ vmcs12_guest_cr4(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 * exit-information fields only. Other fields are modified by L1 with VMWRITE,
 * which already writes to vmcs12 directly.
 */
-void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 {
        /* update guest state fields: */
        vmcs12->guest_cr0 = vmcs12_guest_cr0(vcpu, vmcs12);
@@ -7332,16 +7860,19 @@ void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
        vmcs12->guest_gdtr_base = vmcs_readl(GUEST_GDTR_BASE);
        vmcs12->guest_idtr_base = vmcs_readl(GUEST_IDTR_BASE);
-        vmcs12->guest_activity_state = vmcs_read32(GUEST_ACTIVITY_STATE);
        vmcs12->guest_interruptibility_info =
                vmcs_read32(GUEST_INTERRUPTIBILITY_INFO);
        vmcs12->guest_pending_dbg_exceptions =
                vmcs_readl(GUEST_PENDING_DBG_EXCEPTIONS);
+        vmcs12->vm_entry_controls =
+                (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) |
+                (vmcs_read32(VM_ENTRY_CONTROLS) & VM_ENTRY_IA32E_MODE);
        /* TODO: These cannot have changed unless we have MSR bitmaps and
         * the relevant bit asks not to trap the change */
        vmcs12->guest_ia32_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
-        if (vmcs12->vm_entry_controls & VM_EXIT_SAVE_IA32_PAT)
+        if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_IA32_PAT)
                vmcs12->guest_ia32_pat = vmcs_read64(GUEST_IA32_PAT);
        vmcs12->guest_sysenter_cs = vmcs_read32(GUEST_SYSENTER_CS);
        vmcs12->guest_sysenter_esp = vmcs_readl(GUEST_SYSENTER_ESP);
@@ -7349,21 +7880,38 @@ void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
        /* update exit information fields: */
-        vmcs12->vm_exit_reason  = vmcs_read32(VM_EXIT_REASON);
+        vmcs12->vm_exit_reason  = to_vmx(vcpu)->exit_reason;
        vmcs12->exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
        vmcs12->vm_exit_intr_info = vmcs_read32(VM_EXIT_INTR_INFO);
-        vmcs12->vm_exit_intr_error_code = vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
+        if ((vmcs12->vm_exit_intr_info &
-        vmcs12->idt_vectoring_info_field =
+             (INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK)) ==
-                vmcs_read32(IDT_VECTORING_INFO_FIELD);
+            (INTR_INFO_VALID_MASK | INTR_INFO_DELIVER_CODE_MASK))
-        vmcs12->idt_vectoring_error_code =
+                vmcs12->vm_exit_intr_error_code =
-                vmcs_read32(IDT_VECTORING_ERROR_CODE);
+                        vmcs_read32(VM_EXIT_INTR_ERROR_CODE);
+        vmcs12->idt_vectoring_info_field = 0;
        vmcs12->vm_exit_instruction_len = vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
        vmcs12->vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
-        /* clear vm-entry fields which are to be cleared on exit */
+        if (!(vmcs12->vm_exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY)) {
-        if (!(vmcs12->vm_exit_reason & VMX_EXIT_REASONS_FAILED_VMENTRY))
+                /* vm_entry_intr_info_field is cleared on exit. Emulate this
+                 * instead of reading the real value. */
                vmcs12->vm_entry_intr_info_field &= ~INTR_INFO_VALID_MASK;
+                /*
+                 * Transfer the event that L0 or L1 may wanted to inject into
+                 * L2 to IDT_VECTORING_INFO_FIELD.
+                 */
+                vmcs12_save_pending_event(vcpu, vmcs12);
+        }
+        /*
+         * Drop what we picked up for L2 via vmx_complete_interrupts. It is
+         * preserved above and would only end up incorrectly in L1.
+         */
+        vcpu->arch.nmi_injected = false;
+        kvm_clear_exception_queue(vcpu);
+        kvm_clear_interrupt_queue(vcpu);
 }
 /*
@@ -7375,11 +7923,12 @@ void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
 * Failures During or After Loading Guest State").
 * This function should be called when the active VMCS is L1's (vmcs01).
 */
-void load_vmcs12_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
+static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
+                                   struct vmcs12 *vmcs12)
 {
        if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER)
                vcpu->arch.efer = vmcs12->host_ia32_efer;
-        if (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
+        else if (vmcs12->vm_exit_controls & VM_EXIT_HOST_ADDR_SPACE_SIZE)
                vcpu->arch.efer |= (EFER_LMA | EFER_LME);
        else
                vcpu->arch.efer &= ~(EFER_LMA | EFER_LME);
@@ -7387,6 +7936,7 @@ void load_vmcs12_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
        kvm_register_write(vcpu, VCPU_REGS_RSP, vmcs12->host_rsp);
        kvm_register_write(vcpu, VCPU_REGS_RIP, vmcs12->host_rip);
+        vmx_set_rflags(vcpu, X86_EFLAGS_BIT1);
        /*
         * Note that calling vmx_set_cr0 is important, even if cr0 hasn't
         * actually changed, because it depends on the current state of
@@ -7445,6 +7995,9 @@ void load_vmcs12_host_state(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
        if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL)
                vmcs_write64(GUEST_IA32_PERF_GLOBAL_CTRL,
                        vmcs12->host_ia32_perf_global_ctrl);
+        kvm_set_dr(vcpu, 7, 0x400);
+        vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
 }
 /*
@@ -7458,6 +8011,9 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
        int cpu;
        struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+        /* trying to cancel vmlaunch/vmresume is a bug */
+        WARN_ON_ONCE(vmx->nested.nested_run_pending);
        leave_guest_mode(vcpu);
        prepare_vmcs12(vcpu, vmcs12);
@@ -7468,6 +8024,8 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
        vcpu->cpu = cpu;
        put_cpu();
+        vmx_segment_cache_clear(vmx);
        /* if no vmcs02 cache requested, remove the one we used */
        if (VMCS02_POOL_SIZE == 0)
                nested_free_vmcs02(vmx, vmx->nested.current_vmptr);
@@ -7496,6 +8054,8 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu)
                nested_vmx_failValid(vcpu, vmcs_read32(VM_INSTRUCTION_ERROR));
        } else
                nested_vmx_succeed(vcpu);
+        if (enable_shadow_vmcs)
+                vmx->nested.sync_shadow_vmcs = true;
 }
 /*
@@ -7513,6 +8073,8 @@ static void nested_vmx_entry_failure(struct kvm_vcpu *vcpu,
        vmcs12->vm_exit_reason = reason | VMX_EXIT_REASONS_FAILED_VMENTRY;
        vmcs12->exit_qualification = qualification;
        nested_vmx_succeed(vcpu);
+        if (enable_shadow_vmcs)
+                to_vmx(vcpu)->nested.sync_shadow_vmcs = true;
 }
 static int vmx_check_intercept(struct kvm_vcpu *vcpu,
@@ -7590,6 +8152,8 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .load_eoi_exitmap = vmx_load_eoi_exitmap,
        .hwapic_irr_update = vmx_hwapic_irr_update,
        .hwapic_isr_update = vmx_hwapic_isr_update,
+        .sync_pir_to_irr = vmx_sync_pir_to_irr,
+        .deliver_posted_interrupt = vmx_deliver_posted_interrupt,
        .set_tss_addr = vmx_set_tss_addr,
        .get_tdp_level = get_ept_level,
@@ -7618,6 +8182,7 @@ static struct kvm_x86_ops vmx_x86_ops = {
        .set_tdp_cr3 = vmx_set_cr3,
        .check_intercept = vmx_check_intercept,
+        .handle_external_intr = vmx_handle_external_intr,
 };
 static int __init vmx_init(void)
@@ -7656,6 +8221,24 @@ static int __init vmx_init(void)
                                (unsigned long *)__get_free_page(GFP_KERNEL);
        if (!vmx_msr_bitmap_longmode_x2apic)
                goto out4;
+        vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL);
+        if (!vmx_vmread_bitmap)
+                goto out5;
+        vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL);
+        if (!vmx_vmwrite_bitmap)
+                goto out6;
+        memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+        memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+        /* shadowed read/write fields */
+        for (i = 0; i < max_shadow_read_write_fields; i++) {
+                clear_bit(shadow_read_write_fields[i], vmx_vmwrite_bitmap);
+                clear_bit(shadow_read_write_fields[i], vmx_vmread_bitmap);
+        }
+        /* shadowed read only fields */
+        for (i = 0; i < max_shadow_read_only_fields; i++)
+                clear_bit(shadow_read_only_fields[i], vmx_vmread_bitmap);
        /*
         * Allow direct access to the PC debug port (it is often used for I/O
@@ -7674,7 +8257,7 @@ static int __init vmx_init(void)
        r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx),
                     __alignof__(struct vcpu_vmx), THIS_MODULE);
        if (r)
-                goto out3;
+                goto out7;
 #ifdef CONFIG_KEXEC
        rcu_assign_pointer(crash_vmclear_loaded_vmcss,
@@ -7692,7 +8275,7 @@ static int __init vmx_init(void)
        memcpy(vmx_msr_bitmap_longmode_x2apic,
                        vmx_msr_bitmap_longmode, PAGE_SIZE);
-        if (enable_apicv_reg_vid) {
+        if (enable_apicv) {
                for (msr = 0x800; msr <= 0x8ff; msr++)
                        vmx_disable_intercept_msr_read_x2apic(msr);
@@ -7722,6 +8305,12 @@ static int __init vmx_init(void)
        return 0;
+out7:
+        free_page((unsigned long)vmx_vmwrite_bitmap);
+out6:
+        free_page((unsigned long)vmx_vmread_bitmap);
+out5:
+        free_page((unsigned long)vmx_msr_bitmap_longmode_x2apic);
 out4:
        free_page((unsigned long)vmx_msr_bitmap_longmode);
 out3:
@@ -7743,6 +8332,8 @@ static void __exit vmx_exit(void)
        free_page((unsigned long)vmx_msr_bitmap_longmode);
        free_page((unsigned long)vmx_io_bitmap_b);
        free_page((unsigned long)vmx_io_bitmap_a);
+        free_page((unsigned long)vmx_vmwrite_bitmap);
+        free_page((unsigned long)vmx_vmread_bitmap);
 #ifdef CONFIG_KEXEC
        rcu_assign_pointer(crash_vmclear_loaded_vmcss, NULL);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index e1721324c271..05a8b1a2300d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -162,8 +162,6 @@ u64 __read_mostly host_xcr0;
 static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
-static int kvm_vcpu_reset(struct kvm_vcpu *vcpu);
 static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
 {
        int i;
@@ -263,6 +261,13 @@ void kvm_set_apic_base(struct kvm_vcpu *vcpu, u64 data)
 }
 EXPORT_SYMBOL_GPL(kvm_set_apic_base);
+asmlinkage void kvm_spurious_fault(void)
+{
+        /* Fault while not rebooting.  We want the trace. */
+        BUG();
+}
+EXPORT_SYMBOL_GPL(kvm_spurious_fault);
 #define EXCPT_BENIGN            0
 #define EXCPT_CONTRIBUTORY      1
 #define EXCPT_PF                2
@@ -840,23 +845,17 @@ static const u32 emulated_msrs[] = {
        MSR_IA32_MCG_CTL,
 };
-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
+bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
 {
-        u64 old_efer = vcpu->arch.efer;
        if (efer & efer_reserved_bits)
-                return 1;
+                return false;
-        if (is_paging(vcpu)
-            && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
-                return 1;
        if (efer & EFER_FFXSR) {
                struct kvm_cpuid_entry2 *feat;
                feat = kvm_find_cpuid_entry(vcpu, 0x80000001, 0);
                if (!feat || !(feat->edx & bit(X86_FEATURE_FXSR_OPT)))
-                        return 1;
+                        return false;
        }
        if (efer & EFER_SVME) {
@@ -864,9 +863,24 @@ static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
                feat = kvm_find_cpuid_entry(vcpu, 0x80000001, 0);
                if (!feat || !(feat->ecx & bit(X86_FEATURE_SVM)))
-                        return 1;
+                        return false;
        }
+        return true;
+}
+EXPORT_SYMBOL_GPL(kvm_valid_efer);
+static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
+{
+        u64 old_efer = vcpu->arch.efer;
+        if (!kvm_valid_efer(vcpu, efer))
+                return 1;
+        if (is_paging(vcpu)
+            && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+                return 1;
        efer &= ~EFER_LMA;
        efer |= vcpu->arch.efer & EFER_LMA;
@@ -1079,6 +1093,10 @@ static void kvm_set_tsc_khz(struct kvm_vcpu *vcpu, u32 this_tsc_khz)
        u32 thresh_lo, thresh_hi;
        int use_scaling = 0;
+        /* tsc_khz can be zero if TSC calibration fails */
+        if (this_tsc_khz == 0)
+                return;
        /* Compute a scale to convert nanoseconds in TSC cycles */
        kvm_get_time_scale(this_tsc_khz, NSEC_PER_SEC / 1000,
                           &vcpu->arch.virtual_tsc_shift,
@@ -1156,20 +1174,23 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr)
        ns = get_kernel_ns();
        elapsed = ns - kvm->arch.last_tsc_nsec;
-        /* n.b - signed multiplication and division required */
+        if (vcpu->arch.virtual_tsc_khz) {
-        usdiff = data - kvm->arch.last_tsc_write;
+                /* n.b - signed multiplication and division required */
+                usdiff = data - kvm->arch.last_tsc_write;
 #ifdef CONFIG_X86_64
-        usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz;
+                usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz;
 #else
-        /* do_div() only does unsigned */
+                /* do_div() only does unsigned */
-        asm("idivl %2; xor %%edx, %%edx"
+                asm("idivl %2; xor %%edx, %%edx"
-            : "=A"(usdiff)
+                : "=A"(usdiff)
-            : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz));
+                : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz));
 #endif
-        do_div(elapsed, 1000);
+                do_div(elapsed, 1000);
-        usdiff -= elapsed;
+                usdiff -= elapsed;
-        if (usdiff < 0)
+                if (usdiff < 0)
-                usdiff = -usdiff;
+                        usdiff = -usdiff;
+        } else
+                usdiff = USEC_PER_SEC; /* disable TSC match window below */
        /*
         * Special case: TSC write with a small delta (1 second) of virtual
@@ -2034,7 +2055,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
        case MSR_P6_EVNTSEL0:
        case MSR_P6_EVNTSEL1:
                if (kvm_pmu_msr(vcpu, msr))
-                        return kvm_pmu_set_msr(vcpu, msr, data);
+                        return kvm_pmu_set_msr(vcpu, msr_info);
                if (pr || data != 0)
                        vcpu_unimpl(vcpu, "disabled perfctr wrmsr: "
@@ -2080,7 +2101,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                if (msr && (msr == vcpu->kvm->arch.xen_hvm_config.msr))
                        return xen_hvm_config(vcpu, data);
                if (kvm_pmu_msr(vcpu, msr))
-                        return kvm_pmu_set_msr(vcpu, msr, data);
+                        return kvm_pmu_set_msr(vcpu, msr_info);
                if (!ignore_msrs) {
                        vcpu_unimpl(vcpu, "unhandled wrmsr: 0x%x data %llx\n",
                                    msr, data);
@@ -2479,7 +2500,6 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_USER_NMI:
        case KVM_CAP_REINJECT_CONTROL:
        case KVM_CAP_IRQ_INJECT_STATUS:
-        case KVM_CAP_ASSIGN_DEV_IRQ:
        case KVM_CAP_IRQFD:
        case KVM_CAP_IOEVENTFD:
        case KVM_CAP_PIT2:
@@ -2497,10 +2517,12 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_XSAVE:
        case KVM_CAP_ASYNC_PF:
        case KVM_CAP_GET_TSC_KHZ:
-        case KVM_CAP_PCI_2_3:
        case KVM_CAP_KVMCLOCK_CTRL:
        case KVM_CAP_READONLY_MEM:
-        case KVM_CAP_IRQFD_RESAMPLE:
+#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
+        case KVM_CAP_ASSIGN_DEV_IRQ:
+        case KVM_CAP_PCI_2_3:
+#endif
                r = 1;
                break;
        case KVM_CAP_COALESCED_MMIO:
@@ -2521,9 +2543,11 @@ int kvm_dev_ioctl_check_extension(long ext)
        case KVM_CAP_PV_MMU:    /* obsolete */
                r = 0;
                break;
+#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
        case KVM_CAP_IOMMU:
                r = iommu_present(&pci_bus_type);
                break;
+#endif
        case KVM_CAP_MCE:
                r = KVM_MAX_MCE_BANKS;
                break;
@@ -2679,6 +2703,7 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
 static int kvm_vcpu_ioctl_get_lapic(struct kvm_vcpu *vcpu,
                                    struct kvm_lapic_state *s)
 {
+        kvm_x86_ops->sync_pir_to_irr(vcpu);
        memcpy(s->regs, vcpu->arch.apic->regs, sizeof *s);
        return 0;
@@ -2696,7 +2721,7 @@ static int kvm_vcpu_ioctl_set_lapic(struct kvm_vcpu *vcpu,
 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
                                    struct kvm_interrupt *irq)
 {
-        if (irq->irq < 0 || irq->irq >= KVM_NR_INTERRUPTS)
+        if (irq->irq >= KVM_NR_INTERRUPTS)
                return -EINVAL;
        if (irqchip_in_kernel(vcpu->kvm))
                return -ENXIO;
@@ -2819,10 +2844,9 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
        events->nmi.masked = kvm_x86_ops->get_nmi_mask(vcpu);
        events->nmi.pad = 0;
-        events->sipi_vector = vcpu->arch.sipi_vector;
+        events->sipi_vector = 0; /* never valid when reporting to user space */
        events->flags = (KVM_VCPUEVENT_VALID_NMI_PENDING
-                         | KVM_VCPUEVENT_VALID_SIPI_VECTOR
                         | KVM_VCPUEVENT_VALID_SHADOW);
        memset(&events->reserved, 0, sizeof(events->reserved));
 }
@@ -2853,8 +2877,9 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
                vcpu->arch.nmi_pending = events->nmi.pending;
        kvm_x86_ops->set_nmi_mask(vcpu, events->nmi.masked);
-        if (events->flags & KVM_VCPUEVENT_VALID_SIPI_VECTOR)
+        if (events->flags & KVM_VCPUEVENT_VALID_SIPI_VECTOR &&
-                vcpu->arch.sipi_vector = events->sipi_vector;
+            kvm_vcpu_has_lapic(vcpu))
+                vcpu->arch.apic->sipi_vector = events->sipi_vector;
        kvm_make_request(KVM_REQ_EVENT, vcpu);
@@ -3478,13 +3503,15 @@ out:
        return r;
 }
-int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_event)
+int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_event,
+                        bool line_status)
 {
        if (!irqchip_in_kernel(kvm))
                return -ENXIO;
        irq_event->status = kvm_set_irq(kvm, KVM_USERSPACE_IRQ_SOURCE_ID,
-                                        irq_event->irq, irq_event->level);
+                                        irq_event->irq, irq_event->level,
+                                        line_status);
        return 0;
 }
@@ -4752,11 +4779,15 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
 }
 static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2,
-                                  bool write_fault_to_shadow_pgtable)
+                                  bool write_fault_to_shadow_pgtable,
+                                  int emulation_type)
 {
        gpa_t gpa = cr2;
        pfn_t pfn;
+        if (emulation_type & EMULTYPE_NO_REEXECUTE)
+                return false;
        if (!vcpu->arch.mmu.direct_map) {
                /*
                 * Write permission should be allowed since only
@@ -4899,8 +4930,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
                if (r != EMULATION_OK)  {
                        if (emulation_type & EMULTYPE_TRAP_UD)
                                return EMULATE_FAIL;
-                        if (reexecute_instruction(vcpu, cr2,
+                        if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
-                                                  write_fault_to_spt))
+                                                emulation_type))
                                return EMULATE_DONE;
                        if (emulation_type & EMULTYPE_SKIP)
                                return EMULATE_FAIL;
@@ -4930,7 +4961,8 @@ restart:
                return EMULATE_DONE;
        if (r == EMULATION_FAILED) {
-                if (reexecute_instruction(vcpu, cr2, write_fault_to_spt))
+                if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+                                        emulation_type))
                        return EMULATE_DONE;
                return handle_emulation_failure(vcpu);
@@ -5641,14 +5673,20 @@ static void kvm_gen_update_masterclock(struct kvm *kvm)
 #endif
 }
-static void update_eoi_exitmap(struct kvm_vcpu *vcpu)
+static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
 {
        u64 eoi_exit_bitmap[4];
+        u32 tmr[8];
+        if (!kvm_apic_hw_enabled(vcpu->arch.apic))
+                return;
        memset(eoi_exit_bitmap, 0, 32);
+        memset(tmr, 0, 32);
-        kvm_ioapic_calculate_eoi_exitmap(vcpu, eoi_exit_bitmap);
+        kvm_ioapic_scan_entry(vcpu, eoi_exit_bitmap, tmr);
        kvm_x86_ops->load_eoi_exitmap(vcpu, eoi_exit_bitmap);
+        kvm_apic_update_tmr(vcpu, tmr);
 }
 static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
@@ -5656,7 +5694,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
        int r;
        bool req_int_win = !irqchip_in_kernel(vcpu->kvm) &&
                vcpu->run->request_interrupt_window;
-        bool req_immediate_exit = 0;
+        bool req_immediate_exit = false;
        if (vcpu->requests) {
                if (kvm_check_request(KVM_REQ_MMU_RELOAD, vcpu))
@@ -5698,24 +5736,30 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
                        record_steal_time(vcpu);
                if (kvm_check_request(KVM_REQ_NMI, vcpu))
                        process_nmi(vcpu);
-                req_immediate_exit =
-                        kvm_check_request(KVM_REQ_IMMEDIATE_EXIT, vcpu);
                if (kvm_check_request(KVM_REQ_PMU, vcpu))
                        kvm_handle_pmu_event(vcpu);
                if (kvm_check_request(KVM_REQ_PMI, vcpu))
                        kvm_deliver_pmi(vcpu);
-                if (kvm_check_request(KVM_REQ_EOIBITMAP, vcpu))
+                if (kvm_check_request(KVM_REQ_SCAN_IOAPIC, vcpu))
-                        update_eoi_exitmap(vcpu);
+                        vcpu_scan_ioapic(vcpu);
        }
        if (kvm_check_request(KVM_REQ_EVENT, vcpu) || req_int_win) {
+                kvm_apic_accept_events(vcpu);
+                if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) {
+                        r = 1;
+                        goto out;
+                }
                inject_pending_event(vcpu);
                /* enable NMI/IRQ window open exits if needed */
                if (vcpu->arch.nmi_pending)
-                        kvm_x86_ops->enable_nmi_window(vcpu);
+                        req_immediate_exit =
+                                kvm_x86_ops->enable_nmi_window(vcpu) != 0;
                else if (kvm_cpu_has_injectable_intr(vcpu) || req_int_win)
-                        kvm_x86_ops->enable_irq_window(vcpu);
+                        req_immediate_exit =
+                                kvm_x86_ops->enable_irq_window(vcpu) != 0;
                if (kvm_lapic_enabled(vcpu)) {
                        /*
@@ -5794,7 +5838,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
        vcpu->mode = OUTSIDE_GUEST_MODE;
        smp_wmb();
-        local_irq_enable();
+        /* Interrupt is enabled by handle_external_intr() */
+        kvm_x86_ops->handle_external_intr(vcpu);
        ++vcpu->stat.exits;
@@ -5843,16 +5889,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
        int r;
        struct kvm *kvm = vcpu->kvm;
-        if (unlikely(vcpu->arch.mp_state == KVM_MP_STATE_SIPI_RECEIVED)) {
-                pr_debug("vcpu %d received sipi with vector # %x\n",
-                         vcpu->vcpu_id, vcpu->arch.sipi_vector);
-                kvm_lapic_reset(vcpu);
-                r = kvm_vcpu_reset(vcpu);
-                if (r)
-                        return r;
-                vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
-        }
        vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
        r = vapic_enter(vcpu);
        if (r) {
@@ -5869,8 +5905,8 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
                        srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
                        kvm_vcpu_block(vcpu);
                        vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
-                        if (kvm_check_request(KVM_REQ_UNHALT, vcpu))
+                        if (kvm_check_request(KVM_REQ_UNHALT, vcpu)) {
-                        {
+                                kvm_apic_accept_events(vcpu);
                                switch(vcpu->arch.mp_state) {
                                case KVM_MP_STATE_HALTED:
                                        vcpu->arch.mp_state =
@@ -5878,7 +5914,8 @@ static int __vcpu_run(struct kvm_vcpu *vcpu)
                                case KVM_MP_STATE_RUNNABLE:
                                        vcpu->arch.apf.halted = false;
                                        break;
-                                case KVM_MP_STATE_SIPI_RECEIVED:
+                                case KVM_MP_STATE_INIT_RECEIVED:
+                                        break;
                                default:
                                        r = -EINTR;
                                        break;
@@ -6013,6 +6050,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        if (unlikely(vcpu->arch.mp_state == KVM_MP_STATE_UNINITIALIZED)) {
                kvm_vcpu_block(vcpu);
+                kvm_apic_accept_events(vcpu);
                clear_bit(KVM_REQ_UNHALT, &vcpu->requests);
                r = -EAGAIN;
                goto out;
@@ -6169,6 +6207,7 @@ int kvm_arch_vcpu_ioctl_get_sregs(struct kvm_vcpu *vcpu,
 int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
                                    struct kvm_mp_state *mp_state)
 {
+        kvm_apic_accept_events(vcpu);
        mp_state->mp_state = vcpu->arch.mp_state;
        return 0;
 }
@@ -6176,7 +6215,15 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
 int kvm_arch_vcpu_ioctl_set_mpstate(struct kvm_vcpu *vcpu,
                                    struct kvm_mp_state *mp_state)
 {
-        vcpu->arch.mp_state = mp_state->mp_state;
+        if (!kvm_vcpu_has_lapic(vcpu) &&
+            mp_state->mp_state != KVM_MP_STATE_RUNNABLE)
+                return -EINVAL;
+        if (mp_state->mp_state == KVM_MP_STATE_SIPI_RECEIVED) {
+                vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
+                set_bit(KVM_APIC_SIPI, &vcpu->arch.apic->pending_events);
+        } else
+                vcpu->arch.mp_state = mp_state->mp_state;
        kvm_make_request(KVM_REQ_EVENT, vcpu);
        return 0;
 }
@@ -6475,9 +6522,8 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
        r = vcpu_load(vcpu);
        if (r)
                return r;
-        r = kvm_vcpu_reset(vcpu);
+        kvm_vcpu_reset(vcpu);
-        if (r == 0)
+        r = kvm_mmu_setup(vcpu);
-                r = kvm_mmu_setup(vcpu);
        vcpu_put(vcpu);
        return r;
@@ -6514,7 +6560,7 @@ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
        kvm_x86_ops->vcpu_free(vcpu);
 }
-static int kvm_vcpu_reset(struct kvm_vcpu *vcpu)
+void kvm_vcpu_reset(struct kvm_vcpu *vcpu)
 {
        atomic_set(&vcpu->arch.nmi_queued, 0);
        vcpu->arch.nmi_pending = 0;
@@ -6541,7 +6587,18 @@ static int kvm_vcpu_reset(struct kvm_vcpu *vcpu)
        vcpu->arch.regs_avail = ~0;
        vcpu->arch.regs_dirty = ~0;
-        return kvm_x86_ops->vcpu_reset(vcpu);
+        kvm_x86_ops->vcpu_reset(vcpu);
+}
+void kvm_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, unsigned int vector)
+{
+        struct kvm_segment cs;
+        kvm_get_segment(vcpu, &cs, VCPU_SREG_CS);
+        cs.selector = vector << 8;
+        cs.base = vector << 12;
+        kvm_set_segment(vcpu, &cs, VCPU_SREG_CS);
+        kvm_rip_write(vcpu, 0);
 }
 int kvm_arch_hardware_enable(void *garbage)
@@ -6706,8 +6763,10 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
        }
        vcpu->arch.mcg_cap = KVM_MAX_MCE_BANKS;
-        if (!zalloc_cpumask_var(&vcpu->arch.wbinvd_dirty_mask, GFP_KERNEL))
+        if (!zalloc_cpumask_var(&vcpu->arch.wbinvd_dirty_mask, GFP_KERNEL)) {
+                r = -ENOMEM;
                goto fail_free_mce_banks;
+        }
        r = fx_init(vcpu);
        if (r)
@@ -6811,6 +6870,23 @@ void kvm_arch_sync_events(struct kvm *kvm)
 void kvm_arch_destroy_vm(struct kvm *kvm)
 {
+        if (current->mm == kvm->mm) {
+                /*
+                 * Free memory regions allocated on behalf of userspace,
+                 * unless the the memory map has changed due to process exit
+                 * or fd copying.
+                 */
+                struct kvm_userspace_memory_region mem;
+                memset(&mem, 0, sizeof(mem));
+                mem.slot = APIC_ACCESS_PAGE_PRIVATE_MEMSLOT;
+                kvm_set_memory_region(kvm, &mem);
+                mem.slot = IDENTITY_PAGETABLE_PRIVATE_MEMSLOT;
+                kvm_set_memory_region(kvm, &mem);
+                mem.slot = TSS_PRIVATE_MEMSLOT;
+                kvm_set_memory_region(kvm, &mem);
+        }
        kvm_iommu_unmap_guest(kvm);
        kfree(kvm->arch.vpic);
        kfree(kvm->arch.vioapic);
@@ -6903,24 +6979,21 @@ out_free:
 int kvm_arch_prepare_memory_region(struct kvm *kvm,
                                struct kvm_memory_slot *memslot,
-                                struct kvm_memory_slot old,
                                struct kvm_userspace_memory_region *mem,
-                                bool user_alloc)
+                                enum kvm_mr_change change)
 {
-        int npages = memslot->npages;
        /*
         * Only private memory slots need to be mapped here since
         * KVM_SET_MEMORY_REGION ioctl is no longer supported.
         */
-        if ((memslot->id >= KVM_USER_MEM_SLOTS) && npages && !old.npages) {
+        if ((memslot->id >= KVM_USER_MEM_SLOTS) && (change == KVM_MR_CREATE)) {
                unsigned long userspace_addr;
                /*
                 * MAP_SHARED to prevent internal slot pages from being moved
                 * by fork()/COW.
                 */
-                userspace_addr = vm_mmap(NULL, 0, npages * PAGE_SIZE,
+                userspace_addr = vm_mmap(NULL, 0, memslot->npages * PAGE_SIZE,
                                         PROT_READ | PROT_WRITE,
                                         MAP_SHARED | MAP_ANONYMOUS, 0);
@@ -6935,17 +7008,17 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm,
 void kvm_arch_commit_memory_region(struct kvm *kvm,
                                struct kvm_userspace_memory_region *mem,
-                                struct kvm_memory_slot old,
+                                const struct kvm_memory_slot *old,
-                                bool user_alloc)
+                                enum kvm_mr_change change)
 {
-        int nr_mmu_pages = 0, npages = mem->memory_size >> PAGE_SHIFT;
+        int nr_mmu_pages = 0;
-        if ((mem->slot >= KVM_USER_MEM_SLOTS) && old.npages && !npages) {
+        if ((mem->slot >= KVM_USER_MEM_SLOTS) && (change == KVM_MR_DELETE)) {
                int ret;
-                ret = vm_munmap(old.userspace_addr,
+                ret = vm_munmap(old->userspace_addr,
-                                old.npages * PAGE_SIZE);
+                                old->npages * PAGE_SIZE);
                if (ret < 0)
                        printk(KERN_WARNING
                               "kvm_vm_ioctl_set_memory_region: "
@@ -6962,14 +7035,14 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
         * Existing largepage mappings are destroyed here and new ones will
         * not be created until the end of the logging.
         */
-        if (npages && (mem->flags & KVM_MEM_LOG_DIRTY_PAGES))
+        if ((change != KVM_MR_DELETE) && (mem->flags & KVM_MEM_LOG_DIRTY_PAGES))
                kvm_mmu_slot_remove_write_access(kvm, mem->slot);
        /*
         * If memory slot is created, or moved, we need to clear all
         * mmio sptes.
         */
-        if (npages && old.base_gfn != mem->guest_phys_addr >> PAGE_SHIFT) {
+        if ((change == KVM_MR_CREATE) || (change == KVM_MR_MOVE)) {
-                kvm_mmu_zap_all(kvm);
+                kvm_mmu_zap_mmio_sptes(kvm);
                kvm_reload_remote_mmus(kvm);
        }
 }
@@ -6991,7 +7064,7 @@ int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
        return (vcpu->arch.mp_state == KVM_MP_STATE_RUNNABLE &&
                !vcpu->arch.apf.halted)
                || !list_empty_careful(&vcpu->async_pf.done)
-                || vcpu->arch.mp_state == KVM_MP_STATE_SIPI_RECEIVED
+                || kvm_apic_has_events(vcpu)
                || atomic_read(&vcpu->arch.nmi_queued) ||
                (kvm_arch_interrupt_allowed(vcpu) &&
                 kvm_cpu_has_interrupt(vcpu));
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-05-05 17:47:31 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-05-05 17:47:31 -0400
commit	01227a889ed56ae53aeebb9f93be9d54dd8b2de8 (patch)
tree	d5eba9359a9827e84d4112b84d48c54df5c5acde /arch/x86
parent	9e6879460c8edb0cd3c24c09b83d06541b5af0dc (diff)
parent	db6ae6158186a17165ef990bda2895ae7594b039 (diff)