VirtualBox

source: vbox/trunk/src/VBox/VMM/VMMAll/PGMAllPool.cpp@ 45312

Last change on this file since 45312 was 45276, checked in by vboxsync, 12 years ago

Ring-1 compression patches, courtesy of trivirt AG:

  • main: diff to remove the hwvirt requirement for QNX
  • rem: diff for dealing with raw ring 0/1 selectors and general changes to allowed guest execution states
  • vmm: changes for using the guest's TSS selector index as our hypervisor TSS selector (makes str safe) (VBOX_WITH_SAFE_STR )
  • vmm: changes for dealing with guest ring 1 code (VBOX_WITH_RAW_RING1)
  • vmm: change to emulate smsw in RC/R0 (QNX uses this old style instruction a lot so going to qemu for emulation is very expensive)
  • vmm: change (hack) to kick out patm virtual handlers in case they conflict with guest GDT/TSS write monitors; we should allow multiple handlers per page, but that change would be rather invasive
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 210.2 KB
Line 
1/* $Id: PGMAllPool.cpp 45276 2013-04-02 08:17:11Z vboxsync $ */
2/** @file
3 * PGM Shadow Page Pool.
4 */
5
6/*
7 * Copyright (C) 2006-2013 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18
19/*******************************************************************************
20* Header Files *
21*******************************************************************************/
22#define LOG_GROUP LOG_GROUP_PGM_POOL
23#include <VBox/vmm/pgm.h>
24#include <VBox/vmm/mm.h>
25#include <VBox/vmm/em.h>
26#include <VBox/vmm/cpum.h>
27#ifdef IN_RC
28# include <VBox/vmm/patm.h>
29#endif
30#include "PGMInternal.h"
31#include <VBox/vmm/vm.h>
32#include "PGMInline.h"
33#include <VBox/disopcode.h>
34#include <VBox/vmm/hm_vmx.h>
35
36#include <VBox/log.h>
37#include <VBox/err.h>
38#include <iprt/asm.h>
39#include <iprt/asm-amd64-x86.h>
40#include <iprt/string.h>
41
42
43/*******************************************************************************
44* Internal Functions *
45*******************************************************************************/
46RT_C_DECLS_BEGIN
47DECLINLINE(unsigned) pgmPoolTrackGetShadowEntrySize(PGMPOOLKIND enmKind);
48DECLINLINE(unsigned) pgmPoolTrackGetGuestEntrySize(PGMPOOLKIND enmKind);
49static void pgmPoolTrackDeref(PPGMPOOL pPool, PPGMPOOLPAGE pPage);
50static int pgmPoolTrackAddUser(PPGMPOOL pPool, PPGMPOOLPAGE pPage, uint16_t iUser, uint32_t iUserTable);
51static void pgmPoolMonitorModifiedRemove(PPGMPOOL pPool, PPGMPOOLPAGE pPage);
52#ifndef IN_RING3
53DECLEXPORT(int) pgmPoolAccessHandler(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, RTGCPHYS GCPhysFault, void *pvUser);
54#endif
55#ifdef LOG_ENABLED
56static const char *pgmPoolPoolKindToStr(uint8_t enmKind);
57#endif
58#if 0 /*defined(VBOX_STRICT) && defined(PGMPOOL_WITH_OPTIMIZED_DIRTY_PT)*/
59static void pgmPoolTrackCheckPTPaePae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PTPAE pGstPT);
60#endif
61
62int pgmPoolTrackFlushGCPhysPTsSlow(PVM pVM, PPGMPAGE pPhysPage);
63PPGMPOOLPHYSEXT pgmPoolTrackPhysExtAlloc(PVM pVM, uint16_t *piPhysExt);
64void pgmPoolTrackPhysExtFree(PVM pVM, uint16_t iPhysExt);
65void pgmPoolTrackPhysExtFreeList(PVM pVM, uint16_t iPhysExt);
66
67RT_C_DECLS_END
68
69
70/**
71 * Checks if the specified page pool kind is for a 4MB or 2MB guest page.
72 *
73 * @returns true if it's the shadow of a 4MB or 2MB guest page, otherwise false.
74 * @param enmKind The page kind.
75 */
76DECLINLINE(bool) pgmPoolIsBigPage(PGMPOOLKIND enmKind)
77{
78 switch (enmKind)
79 {
80 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
81 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
82 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
83 return true;
84 default:
85 return false;
86 }
87}
88
89
90/**
91 * Flushes a chain of pages sharing the same access monitor.
92 *
93 * @returns VBox status code suitable for scheduling.
94 * @param pPool The pool.
95 * @param pPage A page in the chain.
96 * @todo VBOXSTRICTRC
97 */
98int pgmPoolMonitorChainFlush(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
99{
100 LogFlow(("pgmPoolMonitorChainFlush: Flush page %RGp type=%d\n", pPage->GCPhys, pPage->enmKind));
101
102 /*
103 * Find the list head.
104 */
105 uint16_t idx = pPage->idx;
106 if (pPage->iMonitoredPrev != NIL_PGMPOOL_IDX)
107 {
108 while (pPage->iMonitoredPrev != NIL_PGMPOOL_IDX)
109 {
110 idx = pPage->iMonitoredPrev;
111 Assert(idx != pPage->idx);
112 pPage = &pPool->aPages[idx];
113 }
114 }
115
116 /*
117 * Iterate the list flushing each shadow page.
118 */
119 int rc = VINF_SUCCESS;
120 for (;;)
121 {
122 idx = pPage->iMonitoredNext;
123 Assert(idx != pPage->idx);
124 if (pPage->idx >= PGMPOOL_IDX_FIRST)
125 {
126 int rc2 = pgmPoolFlushPage(pPool, pPage);
127 AssertRC(rc2);
128 }
129 /* next */
130 if (idx == NIL_PGMPOOL_IDX)
131 break;
132 pPage = &pPool->aPages[idx];
133 }
134 return rc;
135}
136
137
138/**
139 * Wrapper for getting the current context pointer to the entry being modified.
140 *
141 * @returns VBox status code suitable for scheduling.
142 * @param pVM Pointer to the VM.
143 * @param pvDst Destination address
144 * @param pvSrc Source guest virtual address.
145 * @param GCPhysSrc The source guest physical address.
146 * @param cb Size of data to read
147 */
148DECLINLINE(int) pgmPoolPhysSimpleReadGCPhys(PVM pVM, void *pvDst, CTXTYPE(RTGCPTR, RTHCPTR, RTGCPTR) pvSrc,
149 RTGCPHYS GCPhysSrc, size_t cb)
150{
151#if defined(IN_RING3)
152 NOREF(pVM); NOREF(GCPhysSrc);
153 memcpy(pvDst, (RTHCPTR)((uintptr_t)pvSrc & ~(RTHCUINTPTR)(cb - 1)), cb);
154 return VINF_SUCCESS;
155#else
156 /* @todo in RC we could attempt to use the virtual address, although this can cause many faults (PAE Windows XP guest). */
157 NOREF(pvSrc);
158 return PGMPhysSimpleReadGCPhys(pVM, pvDst, GCPhysSrc & ~(RTGCPHYS)(cb - 1), cb);
159#endif
160}
161
162
163/**
164 * Process shadow entries before they are changed by the guest.
165 *
166 * For PT entries we will clear them. For PD entries, we'll simply check
167 * for mapping conflicts and set the SyncCR3 FF if found.
168 *
169 * @param pVCpu Pointer to the VMCPU.
170 * @param pPool The pool.
171 * @param pPage The head page.
172 * @param GCPhysFault The guest physical fault address.
173 * @param uAddress In R0 and GC this is the guest context fault address (flat).
174 * In R3 this is the host context 'fault' address.
175 * @param cbWrite Write size; might be zero if the caller knows we're not crossing entry boundaries
176 */
177void pgmPoolMonitorChainChanging(PVMCPU pVCpu, PPGMPOOL pPool, PPGMPOOLPAGE pPage, RTGCPHYS GCPhysFault,
178 CTXTYPE(RTGCPTR, RTHCPTR, RTGCPTR) pvAddress, unsigned cbWrite)
179{
180 AssertMsg(pPage->iMonitoredPrev == NIL_PGMPOOL_IDX, ("%u (idx=%u)\n", pPage->iMonitoredPrev, pPage->idx));
181 const unsigned off = GCPhysFault & PAGE_OFFSET_MASK;
182 PVM pVM = pPool->CTX_SUFF(pVM);
183 NOREF(pVCpu);
184
185 LogFlow(("pgmPoolMonitorChainChanging: %RGv phys=%RGp cbWrite=%d\n", (RTGCPTR)(CTXTYPE(RTGCPTR, uintptr_t, RTGCPTR))pvAddress, GCPhysFault, cbWrite));
186
187 for (;;)
188 {
189 union
190 {
191 void *pv;
192 PX86PT pPT;
193 PPGMSHWPTPAE pPTPae;
194 PX86PD pPD;
195 PX86PDPAE pPDPae;
196 PX86PDPT pPDPT;
197 PX86PML4 pPML4;
198 } uShw;
199
200 LogFlow(("pgmPoolMonitorChainChanging: page idx=%d phys=%RGp (next=%d) kind=%s\n", pPage->idx, pPage->GCPhys, pPage->iMonitoredNext, pgmPoolPoolKindToStr(pPage->enmKind), cbWrite));
201
202 uShw.pv = NULL;
203 switch (pPage->enmKind)
204 {
205 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
206 {
207 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
208 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
209 const unsigned iShw = off / sizeof(X86PTE);
210 LogFlow(("PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT iShw=%x\n", iShw));
211 if (uShw.pPT->a[iShw].n.u1Present)
212 {
213 X86PTE GstPte;
214
215 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, pvAddress, GCPhysFault, sizeof(GstPte));
216 AssertRC(rc);
217 Log4(("pgmPoolMonitorChainChanging 32_32: deref %016RX64 GCPhys %08RX32\n", uShw.pPT->a[iShw].u & X86_PTE_PAE_PG_MASK, GstPte.u & X86_PTE_PG_MASK));
218 pgmPoolTracDerefGCPhysHint(pPool, pPage,
219 uShw.pPT->a[iShw].u & X86_PTE_PAE_PG_MASK,
220 GstPte.u & X86_PTE_PG_MASK,
221 iShw);
222 ASMAtomicWriteU32(&uShw.pPT->a[iShw].u, 0);
223 }
224 break;
225 }
226
227 /* page/2 sized */
228 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
229 {
230 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
231 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
232 if (!((off ^ pPage->GCPhys) & (PAGE_SIZE / 2)))
233 {
234 const unsigned iShw = (off / sizeof(X86PTE)) & (X86_PG_PAE_ENTRIES - 1);
235 LogFlow(("PGMPOOLKIND_PAE_PT_FOR_32BIT_PT iShw=%x\n", iShw));
236 if (PGMSHWPTEPAE_IS_P(uShw.pPTPae->a[iShw]))
237 {
238 X86PTE GstPte;
239 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, pvAddress, GCPhysFault, sizeof(GstPte));
240 AssertRC(rc);
241
242 Log4(("pgmPoolMonitorChainChanging pae_32: deref %016RX64 GCPhys %08RX32\n", uShw.pPT->a[iShw].u & X86_PTE_PAE_PG_MASK, GstPte.u & X86_PTE_PG_MASK));
243 pgmPoolTracDerefGCPhysHint(pPool, pPage,
244 PGMSHWPTEPAE_GET_HCPHYS(uShw.pPTPae->a[iShw]),
245 GstPte.u & X86_PTE_PG_MASK,
246 iShw);
247 PGMSHWPTEPAE_ATOMIC_SET(uShw.pPTPae->a[iShw], 0);
248 }
249 }
250 break;
251 }
252
253 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
254 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
255 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
256 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
257 {
258 unsigned iGst = off / sizeof(X86PDE);
259 unsigned iShwPdpt = iGst / 256;
260 unsigned iShw = (iGst % 256) * 2;
261 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
262
263 LogFlow(("pgmPoolMonitorChainChanging PAE for 32 bits: iGst=%x iShw=%x idx = %d page idx=%d\n", iGst, iShw, iShwPdpt, pPage->enmKind - PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD));
264 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
265 if (iShwPdpt == pPage->enmKind - (unsigned)PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD)
266 {
267 for (unsigned i = 0; i < 2; i++)
268 {
269# ifdef VBOX_WITH_RAW_MODE_NOT_R0
270 if ((uShw.pPDPae->a[iShw + i].u & (PGM_PDFLAGS_MAPPING | X86_PDE_P)) == (PGM_PDFLAGS_MAPPING | X86_PDE_P))
271 {
272 Assert(pgmMapAreMappingsEnabled(pVM));
273 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
274 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShwPdpt=%#x iShw=%#x!\n", iShwPdpt, iShw+i));
275 break;
276 }
277# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
278 if (uShw.pPDPae->a[iShw+i].n.u1Present)
279 {
280 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw=%#x: %RX64 -> freeing it!\n", iShw+i, uShw.pPDPae->a[iShw+i].u));
281 pgmPoolFree(pVM,
282 uShw.pPDPae->a[iShw+i].u & X86_PDE_PAE_PG_MASK,
283 pPage->idx,
284 iShw + i);
285 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw+i].u, 0);
286 }
287
288 /* paranoia / a bit assumptive. */
289 if ( (off & 3)
290 && (off & 3) + cbWrite > 4)
291 {
292 const unsigned iShw2 = iShw + 2 + i;
293 if (iShw2 < RT_ELEMENTS(uShw.pPDPae->a))
294 {
295# ifdef VBOX_WITH_RAW_MODE_NOT_R0
296 if ((uShw.pPDPae->a[iShw2].u & (PGM_PDFLAGS_MAPPING | X86_PDE_P)) == (PGM_PDFLAGS_MAPPING | X86_PDE_P))
297 {
298 Assert(pgmMapAreMappingsEnabled(pVM));
299 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
300 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShwPdpt=%#x iShw2=%#x!\n", iShwPdpt, iShw2));
301 break;
302 }
303# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
304 if (uShw.pPDPae->a[iShw2].n.u1Present)
305 {
306 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPDPae->a[iShw2].u));
307 pgmPoolFree(pVM,
308 uShw.pPDPae->a[iShw2].u & X86_PDE_PAE_PG_MASK,
309 pPage->idx,
310 iShw2);
311 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw2].u, 0);
312 }
313 }
314 }
315 }
316 }
317 break;
318 }
319
320 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
321 {
322 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
323 const unsigned iShw = off / sizeof(X86PTEPAE);
324 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
325 if (PGMSHWPTEPAE_IS_P(uShw.pPTPae->a[iShw]))
326 {
327 X86PTEPAE GstPte;
328 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, pvAddress, GCPhysFault, sizeof(GstPte));
329 AssertRC(rc);
330
331 Log4(("pgmPoolMonitorChainChanging pae: deref %016RX64 GCPhys %016RX64\n", PGMSHWPTEPAE_GET_HCPHYS(uShw.pPTPae->a[iShw]), GstPte.u & X86_PTE_PAE_PG_MASK));
332 pgmPoolTracDerefGCPhysHint(pPool, pPage,
333 PGMSHWPTEPAE_GET_HCPHYS(uShw.pPTPae->a[iShw]),
334 GstPte.u & X86_PTE_PAE_PG_MASK,
335 iShw);
336 PGMSHWPTEPAE_ATOMIC_SET(uShw.pPTPae->a[iShw], 0);
337 }
338
339 /* paranoia / a bit assumptive. */
340 if ( (off & 7)
341 && (off & 7) + cbWrite > sizeof(X86PTEPAE))
342 {
343 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PTEPAE);
344 AssertBreak(iShw2 < RT_ELEMENTS(uShw.pPTPae->a));
345
346 if (PGMSHWPTEPAE_IS_P(uShw.pPTPae->a[iShw2]))
347 {
348 X86PTEPAE GstPte;
349# ifdef IN_RING3
350 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, (RTHCPTR)((RTHCUINTPTR)pvAddress + sizeof(GstPte)), GCPhysFault + sizeof(GstPte), sizeof(GstPte));
351# else
352 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, pvAddress + sizeof(GstPte), GCPhysFault + sizeof(GstPte), sizeof(GstPte));
353# endif
354 AssertRC(rc);
355 Log4(("pgmPoolMonitorChainChanging pae: deref %016RX64 GCPhys %016RX64\n", PGMSHWPTEPAE_GET_HCPHYS(uShw.pPTPae->a[iShw2]), GstPte.u & X86_PTE_PAE_PG_MASK));
356 pgmPoolTracDerefGCPhysHint(pPool, pPage,
357 PGMSHWPTEPAE_GET_HCPHYS(uShw.pPTPae->a[iShw2]),
358 GstPte.u & X86_PTE_PAE_PG_MASK,
359 iShw2);
360 PGMSHWPTEPAE_ATOMIC_SET(uShw.pPTPae->a[iShw2], 0);
361 }
362 }
363 break;
364 }
365
366 case PGMPOOLKIND_32BIT_PD:
367 {
368 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
369 const unsigned iShw = off / sizeof(X86PTE); // ASSUMING 32-bit guest paging!
370
371 LogFlow(("pgmPoolMonitorChainChanging: PGMPOOLKIND_32BIT_PD %x\n", iShw));
372 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
373# ifdef VBOX_WITH_RAW_MODE_NOT_R0
374 if (uShw.pPD->a[iShw].u & PGM_PDFLAGS_MAPPING)
375 {
376 Assert(pgmMapAreMappingsEnabled(pVM));
377 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
378 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
379 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShw=%#x!\n", iShw));
380 break;
381 }
382 else
383# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
384 {
385 if (uShw.pPD->a[iShw].n.u1Present)
386 {
387 LogFlow(("pgmPoolMonitorChainChanging: 32 bit pd iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPD->a[iShw].u));
388 pgmPoolFree(pVM,
389 uShw.pPD->a[iShw].u & X86_PDE_PAE_PG_MASK,
390 pPage->idx,
391 iShw);
392 ASMAtomicWriteU32(&uShw.pPD->a[iShw].u, 0);
393 }
394 }
395 /* paranoia / a bit assumptive. */
396 if ( (off & 3)
397 && (off & 3) + cbWrite > sizeof(X86PTE))
398 {
399 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PTE);
400 if ( iShw2 != iShw
401 && iShw2 < RT_ELEMENTS(uShw.pPD->a))
402 {
403# ifdef VBOX_WITH_RAW_MODE_NOT_R0
404 if (uShw.pPD->a[iShw2].u & PGM_PDFLAGS_MAPPING)
405 {
406 Assert(pgmMapAreMappingsEnabled(pVM));
407 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
408 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
409 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShw2=%#x!\n", iShw2));
410 break;
411 }
412# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
413 if (uShw.pPD->a[iShw2].n.u1Present)
414 {
415 LogFlow(("pgmPoolMonitorChainChanging: 32 bit pd iShw=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPD->a[iShw2].u));
416 pgmPoolFree(pVM,
417 uShw.pPD->a[iShw2].u & X86_PDE_PAE_PG_MASK,
418 pPage->idx,
419 iShw2);
420 ASMAtomicWriteU32(&uShw.pPD->a[iShw2].u, 0);
421 }
422 }
423 }
424#if 0 /* useful when running PGMAssertCR3(), a bit too troublesome for general use (TLBs). */
425 if ( uShw.pPD->a[iShw].n.u1Present
426 && !VMCPU_FF_ISSET(pVCpu, VMCPU_FF_PGM_SYNC_CR3))
427 {
428 LogFlow(("pgmPoolMonitorChainChanging: iShw=%#x: %RX32 -> freeing it!\n", iShw, uShw.pPD->a[iShw].u));
429# ifdef IN_RC /* TLB load - we're pushing things a bit... */
430 ASMProbeReadByte(pvAddress);
431# endif
432 pgmPoolFree(pVM, uShw.pPD->a[iShw].u & X86_PDE_PG_MASK, pPage->idx, iShw);
433 ASMAtomicWriteU32(&uShw.pPD->a[iShw].u, 0);
434 }
435#endif
436 break;
437 }
438
439 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
440 {
441 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
442 const unsigned iShw = off / sizeof(X86PDEPAE);
443 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
444#ifdef VBOX_WITH_RAW_MODE_NOT_R0
445 if (uShw.pPDPae->a[iShw].u & PGM_PDFLAGS_MAPPING)
446 {
447 Assert(pgmMapAreMappingsEnabled(pVM));
448 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
449 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
450 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShw=%#x!\n", iShw));
451 break;
452 }
453#endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
454 /*
455 * Causes trouble when the guest uses a PDE to refer to the whole page table level
456 * structure. (Invalidate here; faults later on when it tries to change the page
457 * table entries -> recheck; probably only applies to the RC case.)
458 */
459#ifdef VBOX_WITH_RAW_MODE_NOT_R0
460 else
461#endif
462 {
463 if (uShw.pPDPae->a[iShw].n.u1Present)
464 {
465 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPDPae->a[iShw].u));
466 pgmPoolFree(pVM,
467 uShw.pPDPae->a[iShw].u & X86_PDE_PAE_PG_MASK,
468 pPage->idx,
469 iShw);
470 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw].u, 0);
471 }
472 }
473 /* paranoia / a bit assumptive. */
474 if ( (off & 7)
475 && (off & 7) + cbWrite > sizeof(X86PDEPAE))
476 {
477 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PDEPAE);
478 AssertBreak(iShw2 < RT_ELEMENTS(uShw.pPDPae->a));
479
480#ifdef VBOX_WITH_RAW_MODE_NOT_R0
481 if ( iShw2 != iShw
482 && uShw.pPDPae->a[iShw2].u & PGM_PDFLAGS_MAPPING)
483 {
484 Assert(pgmMapAreMappingsEnabled(pVM));
485 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
486 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
487 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShw2=%#x!\n", iShw2));
488 break;
489 }
490 else
491#endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
492 if (uShw.pPDPae->a[iShw2].n.u1Present)
493 {
494 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw2=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPDPae->a[iShw2].u));
495 pgmPoolFree(pVM,
496 uShw.pPDPae->a[iShw2].u & X86_PDE_PAE_PG_MASK,
497 pPage->idx,
498 iShw2);
499 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw2].u, 0);
500 }
501 }
502 break;
503 }
504
505 case PGMPOOLKIND_PAE_PDPT:
506 {
507 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPDPT));
508 /*
509 * Hopefully this doesn't happen very often:
510 * - touching unused parts of the page
511 * - messing with the bits of pd pointers without changing the physical address
512 */
513 /* PDPT roots are not page aligned; 32 byte only! */
514 const unsigned offPdpt = GCPhysFault - pPage->GCPhys;
515
516 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
517 const unsigned iShw = offPdpt / sizeof(X86PDPE);
518 if (iShw < X86_PG_PAE_PDPE_ENTRIES) /* don't use RT_ELEMENTS(uShw.pPDPT->a), because that's for long mode only */
519 {
520# ifdef VBOX_WITH_RAW_MODE_NOT_R0
521 if (uShw.pPDPT->a[iShw].u & PGM_PLXFLAGS_MAPPING)
522 {
523 Assert(pgmMapAreMappingsEnabled(pVM));
524 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
525 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
526 LogFlow(("pgmPoolMonitorChainChanging: Detected pdpt conflict at iShw=%#x!\n", iShw));
527 break;
528 }
529 else
530# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
531 if (uShw.pPDPT->a[iShw].n.u1Present)
532 {
533 LogFlow(("pgmPoolMonitorChainChanging: pae pdpt iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPDPT->a[iShw].u));
534 pgmPoolFree(pVM,
535 uShw.pPDPT->a[iShw].u & X86_PDPE_PG_MASK,
536 pPage->idx,
537 iShw);
538 ASMAtomicWriteU64(&uShw.pPDPT->a[iShw].u, 0);
539 }
540
541 /* paranoia / a bit assumptive. */
542 if ( (offPdpt & 7)
543 && (offPdpt & 7) + cbWrite > sizeof(X86PDPE))
544 {
545 const unsigned iShw2 = (offPdpt + cbWrite - 1) / sizeof(X86PDPE);
546 if ( iShw2 != iShw
547 && iShw2 < X86_PG_PAE_PDPE_ENTRIES)
548 {
549# ifdef VBOX_WITH_RAW_MODE_NOT_R0
550 if (uShw.pPDPT->a[iShw2].u & PGM_PLXFLAGS_MAPPING)
551 {
552 Assert(pgmMapAreMappingsEnabled(pVM));
553 STAM_COUNTER_INC(&(pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZGuestCR3WriteConflict));
554 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
555 LogFlow(("pgmPoolMonitorChainChanging: Detected conflict at iShw2=%#x!\n", iShw2));
556 break;
557 }
558 else
559# endif /* VBOX_WITH_RAW_MODE_NOT_R0 */
560 if (uShw.pPDPT->a[iShw2].n.u1Present)
561 {
562 LogFlow(("pgmPoolMonitorChainChanging: pae pdpt iShw=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPDPT->a[iShw2].u));
563 pgmPoolFree(pVM,
564 uShw.pPDPT->a[iShw2].u & X86_PDPE_PG_MASK,
565 pPage->idx,
566 iShw2);
567 ASMAtomicWriteU64(&uShw.pPDPT->a[iShw2].u, 0);
568 }
569 }
570 }
571 }
572 break;
573 }
574
575#ifndef IN_RC
576 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
577 {
578 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
579 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
580 const unsigned iShw = off / sizeof(X86PDEPAE);
581 Assert(!(uShw.pPDPae->a[iShw].u & PGM_PDFLAGS_MAPPING));
582 if (uShw.pPDPae->a[iShw].n.u1Present)
583 {
584 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPDPae->a[iShw].u));
585 pgmPoolFree(pVM,
586 uShw.pPDPae->a[iShw].u & X86_PDE_PAE_PG_MASK,
587 pPage->idx,
588 iShw);
589 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw].u, 0);
590 }
591 /* paranoia / a bit assumptive. */
592 if ( (off & 7)
593 && (off & 7) + cbWrite > sizeof(X86PDEPAE))
594 {
595 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PDEPAE);
596 AssertBreak(iShw2 < RT_ELEMENTS(uShw.pPDPae->a));
597
598 Assert(!(uShw.pPDPae->a[iShw2].u & PGM_PDFLAGS_MAPPING));
599 if (uShw.pPDPae->a[iShw2].n.u1Present)
600 {
601 LogFlow(("pgmPoolMonitorChainChanging: pae pd iShw2=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPDPae->a[iShw2].u));
602 pgmPoolFree(pVM,
603 uShw.pPDPae->a[iShw2].u & X86_PDE_PAE_PG_MASK,
604 pPage->idx,
605 iShw2);
606 ASMAtomicWriteU64(&uShw.pPDPae->a[iShw2].u, 0);
607 }
608 }
609 break;
610 }
611
612 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
613 {
614 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPDPT));
615 /*
616 * Hopefully this doesn't happen very often:
617 * - messing with the bits of pd pointers without changing the physical address
618 */
619 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
620 const unsigned iShw = off / sizeof(X86PDPE);
621 if (uShw.pPDPT->a[iShw].n.u1Present)
622 {
623 LogFlow(("pgmPoolMonitorChainChanging: pdpt iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPDPT->a[iShw].u));
624 pgmPoolFree(pVM, uShw.pPDPT->a[iShw].u & X86_PDPE_PG_MASK, pPage->idx, iShw);
625 ASMAtomicWriteU64(&uShw.pPDPT->a[iShw].u, 0);
626 }
627 /* paranoia / a bit assumptive. */
628 if ( (off & 7)
629 && (off & 7) + cbWrite > sizeof(X86PDPE))
630 {
631 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PDPE);
632 if (uShw.pPDPT->a[iShw2].n.u1Present)
633 {
634 LogFlow(("pgmPoolMonitorChainChanging: pdpt iShw2=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPDPT->a[iShw2].u));
635 pgmPoolFree(pVM, uShw.pPDPT->a[iShw2].u & X86_PDPE_PG_MASK, pPage->idx, iShw2);
636 ASMAtomicWriteU64(&uShw.pPDPT->a[iShw2].u, 0);
637 }
638 }
639 break;
640 }
641
642 case PGMPOOLKIND_64BIT_PML4:
643 {
644 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPML4));
645 /*
646 * Hopefully this doesn't happen very often:
647 * - messing with the bits of pd pointers without changing the physical address
648 */
649 uShw.pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
650 const unsigned iShw = off / sizeof(X86PDPE);
651 if (uShw.pPML4->a[iShw].n.u1Present)
652 {
653 LogFlow(("pgmPoolMonitorChainChanging: pml4 iShw=%#x: %RX64 -> freeing it!\n", iShw, uShw.pPML4->a[iShw].u));
654 pgmPoolFree(pVM, uShw.pPML4->a[iShw].u & X86_PML4E_PG_MASK, pPage->idx, iShw);
655 ASMAtomicWriteU64(&uShw.pPML4->a[iShw].u, 0);
656 }
657 /* paranoia / a bit assumptive. */
658 if ( (off & 7)
659 && (off & 7) + cbWrite > sizeof(X86PDPE))
660 {
661 const unsigned iShw2 = (off + cbWrite - 1) / sizeof(X86PML4E);
662 if (uShw.pPML4->a[iShw2].n.u1Present)
663 {
664 LogFlow(("pgmPoolMonitorChainChanging: pml4 iShw2=%#x: %RX64 -> freeing it!\n", iShw2, uShw.pPML4->a[iShw2].u));
665 pgmPoolFree(pVM, uShw.pPML4->a[iShw2].u & X86_PML4E_PG_MASK, pPage->idx, iShw2);
666 ASMAtomicWriteU64(&uShw.pPML4->a[iShw2].u, 0);
667 }
668 }
669 break;
670 }
671#endif /* IN_RING0 */
672
673 default:
674 AssertFatalMsgFailed(("enmKind=%d\n", pPage->enmKind));
675 }
676 PGM_DYNMAP_UNUSED_HINT_VM(pVM, uShw.pv);
677
678 /* next */
679 if (pPage->iMonitoredNext == NIL_PGMPOOL_IDX)
680 return;
681 pPage = &pPool->aPages[pPage->iMonitoredNext];
682 }
683}
684
685# ifndef IN_RING3
686
687/**
688 * Checks if a access could be a fork operation in progress.
689 *
690 * Meaning, that the guest is setting up the parent process for Copy-On-Write.
691 *
692 * @returns true if it's likely that we're forking, otherwise false.
693 * @param pPool The pool.
694 * @param pDis The disassembled instruction.
695 * @param offFault The access offset.
696 */
697DECLINLINE(bool) pgmPoolMonitorIsForking(PPGMPOOL pPool, PDISCPUSTATE pDis, unsigned offFault)
698{
699 /*
700 * i386 linux is using btr to clear X86_PTE_RW.
701 * The functions involved are (2.6.16 source inspection):
702 * clear_bit
703 * ptep_set_wrprotect
704 * copy_one_pte
705 * copy_pte_range
706 * copy_pmd_range
707 * copy_pud_range
708 * copy_page_range
709 * dup_mmap
710 * dup_mm
711 * copy_mm
712 * copy_process
713 * do_fork
714 */
715 if ( pDis->pCurInstr->uOpcode == OP_BTR
716 && !(offFault & 4)
717 /** @todo Validate that the bit index is X86_PTE_RW. */
718 )
719 {
720 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,Fork));
721 return true;
722 }
723 return false;
724}
725
726
727/**
728 * Determine whether the page is likely to have been reused.
729 *
730 * @returns true if we consider the page as being reused for a different purpose.
731 * @returns false if we consider it to still be a paging page.
732 * @param pVM Pointer to the VM.
733 * @param pVCpu Pointer to the VMCPU.
734 * @param pRegFrame Trap register frame.
735 * @param pDis The disassembly info for the faulting instruction.
736 * @param pvFault The fault address.
737 *
738 * @remark The REP prefix check is left to the caller because of STOSD/W.
739 */
740DECLINLINE(bool) pgmPoolMonitorIsReused(PVM pVM, PVMCPU pVCpu, PCPUMCTXCORE pRegFrame, PDISCPUSTATE pDis, RTGCPTR pvFault)
741{
742#ifndef IN_RC
743 /** @todo could make this general, faulting close to rsp should be a safe reuse heuristic. */
744 if ( HMHasPendingIrq(pVM)
745 && (pRegFrame->rsp - pvFault) < 32)
746 {
747 /* Fault caused by stack writes while trying to inject an interrupt event. */
748 Log(("pgmPoolMonitorIsReused: reused %RGv for interrupt stack (rsp=%RGv).\n", pvFault, pRegFrame->rsp));
749 return true;
750 }
751#else
752 NOREF(pVM); NOREF(pvFault);
753#endif
754
755 LogFlow(("Reused instr %RGv %d at %RGv param1.fUse=%llx param1.reg=%d\n", pRegFrame->rip, pDis->pCurInstr->uOpcode, pvFault, pDis->Param1.fUse, pDis->Param1.Base.idxGenReg));
756
757 /* Non-supervisor mode write means it's used for something else. */
758 if (CPUMGetGuestCPL(pVCpu) == 3)
759 return true;
760
761 switch (pDis->pCurInstr->uOpcode)
762 {
763 /* call implies the actual push of the return address faulted */
764 case OP_CALL:
765 Log4(("pgmPoolMonitorIsReused: CALL\n"));
766 return true;
767 case OP_PUSH:
768 Log4(("pgmPoolMonitorIsReused: PUSH\n"));
769 return true;
770 case OP_PUSHF:
771 Log4(("pgmPoolMonitorIsReused: PUSHF\n"));
772 return true;
773 case OP_PUSHA:
774 Log4(("pgmPoolMonitorIsReused: PUSHA\n"));
775 return true;
776 case OP_FXSAVE:
777 Log4(("pgmPoolMonitorIsReused: FXSAVE\n"));
778 return true;
779 case OP_MOVNTI: /* solaris - block_zero_no_xmm */
780 Log4(("pgmPoolMonitorIsReused: MOVNTI\n"));
781 return true;
782 case OP_MOVNTDQ: /* solaris - hwblkclr & hwblkpagecopy */
783 Log4(("pgmPoolMonitorIsReused: MOVNTDQ\n"));
784 return true;
785 case OP_MOVSWD:
786 case OP_STOSWD:
787 if ( pDis->fPrefix == (DISPREFIX_REP|DISPREFIX_REX)
788 && pRegFrame->rcx >= 0x40
789 )
790 {
791 Assert(pDis->uCpuMode == DISCPUMODE_64BIT);
792
793 Log(("pgmPoolMonitorIsReused: OP_STOSQ\n"));
794 return true;
795 }
796 return false;
797 }
798 if ( ( (pDis->Param1.fUse & DISUSE_REG_GEN32)
799 || (pDis->Param1.fUse & DISUSE_REG_GEN64))
800 && (pDis->Param1.Base.idxGenReg == DISGREG_ESP))
801 {
802 Log4(("pgmPoolMonitorIsReused: ESP\n"));
803 return true;
804 }
805
806 return false;
807}
808
809
810/**
811 * Flushes the page being accessed.
812 *
813 * @returns VBox status code suitable for scheduling.
814 * @param pVM Pointer to the VM.
815 * @param pVCpu Pointer to the VMCPU.
816 * @param pPool The pool.
817 * @param pPage The pool page (head).
818 * @param pDis The disassembly of the write instruction.
819 * @param pRegFrame The trap register frame.
820 * @param GCPhysFault The fault address as guest physical address.
821 * @param pvFault The fault address.
822 * @todo VBOXSTRICTRC
823 */
824static int pgmPoolAccessHandlerFlush(PVM pVM, PVMCPU pVCpu, PPGMPOOL pPool, PPGMPOOLPAGE pPage, PDISCPUSTATE pDis,
825 PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, RTGCPTR pvFault)
826{
827 NOREF(GCPhysFault);
828
829 /*
830 * First, do the flushing.
831 */
832 int rc = pgmPoolMonitorChainFlush(pPool, pPage);
833
834 /*
835 * Emulate the instruction (xp/w2k problem, requires pc/cr2/sp detection).
836 * Must do this in raw mode (!); XP boot will fail otherwise.
837 */
838 VBOXSTRICTRC rc2 = EMInterpretInstructionDisasState(pVCpu, pDis, pRegFrame, pvFault, EMCODETYPE_ALL);
839 if (rc2 == VINF_SUCCESS)
840 { /* do nothing */ }
841#ifdef VBOX_WITH_IEM
842 else if (rc2 == VINF_EM_RESCHEDULE)
843 {
844 if (rc == VINF_SUCCESS)
845 rc = rc2;
846# ifndef IN_RING3
847 VMCPU_FF_SET(pVCpu, VMCPU_FF_TO_R3);
848# endif
849 }
850#endif
851 else if (rc2 == VERR_EM_INTERPRETER)
852 {
853#ifdef IN_RC
854 if (PATMIsPatchGCAddr(pVM, pRegFrame->eip))
855 {
856 LogFlow(("pgmPoolAccessHandlerPTWorker: Interpretation failed for patch code %04x:%RGv, ignoring.\n",
857 pRegFrame->cs.Sel, (RTGCPTR)pRegFrame->eip));
858 rc = VINF_SUCCESS;
859 STAM_COUNTER_INC(&pPool->StatMonitorRZIntrFailPatch2);
860 }
861 else
862#endif
863 {
864 rc = VINF_EM_RAW_EMULATE_INSTR;
865 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,EmulateInstr));
866 }
867 }
868 else if (RT_FAILURE_NP(rc2))
869 rc = VBOXSTRICTRC_VAL(rc2);
870 else
871 AssertMsgFailed(("%Rrc\n", VBOXSTRICTRC_VAL(rc2))); /* ASSUMES no complicated stuff here. */
872
873 LogFlow(("pgmPoolAccessHandlerPT: returns %Rrc (flushed)\n", rc));
874 return rc;
875}
876
877
878/**
879 * Handles the STOSD write accesses.
880 *
881 * @returns VBox status code suitable for scheduling.
882 * @param pVM Pointer to the VM.
883 * @param pPool The pool.
884 * @param pPage The pool page (head).
885 * @param pDis The disassembly of the write instruction.
886 * @param pRegFrame The trap register frame.
887 * @param GCPhysFault The fault address as guest physical address.
888 * @param pvFault The fault address.
889 */
890DECLINLINE(int) pgmPoolAccessHandlerSTOSD(PVM pVM, PPGMPOOL pPool, PPGMPOOLPAGE pPage, PDISCPUSTATE pDis,
891 PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, RTGCPTR pvFault)
892{
893 unsigned uIncrement = pDis->Param1.cb;
894 NOREF(pVM);
895
896 Assert(pDis->uCpuMode == DISCPUMODE_32BIT || pDis->uCpuMode == DISCPUMODE_64BIT);
897 Assert(pRegFrame->rcx <= 0x20);
898
899#ifdef VBOX_STRICT
900 if (pDis->uOpMode == DISCPUMODE_32BIT)
901 Assert(uIncrement == 4);
902 else
903 Assert(uIncrement == 8);
904#endif
905
906 Log3(("pgmPoolAccessHandlerSTOSD\n"));
907
908 /*
909 * Increment the modification counter and insert it into the list
910 * of modified pages the first time.
911 */
912 if (!pPage->cModifications++)
913 pgmPoolMonitorModifiedInsert(pPool, pPage);
914
915 /*
916 * Execute REP STOSD.
917 *
918 * This ASSUMES that we're not invoked by Trap0e on in a out-of-sync
919 * write situation, meaning that it's safe to write here.
920 */
921 PVMCPU pVCpu = VMMGetCpu(pPool->CTX_SUFF(pVM));
922 RTGCUINTPTR pu32 = (RTGCUINTPTR)pvFault;
923 while (pRegFrame->rcx)
924 {
925#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
926 uint32_t iPrevSubset = PGMRZDynMapPushAutoSubset(pVCpu);
927 pgmPoolMonitorChainChanging(pVCpu, pPool, pPage, GCPhysFault, (RTGCPTR)pu32, uIncrement);
928 PGMRZDynMapPopAutoSubset(pVCpu, iPrevSubset);
929#else
930 pgmPoolMonitorChainChanging(pVCpu, pPool, pPage, GCPhysFault, (RTGCPTR)pu32, uIncrement);
931#endif
932#ifdef IN_RC
933 *(uint32_t *)(uintptr_t)pu32 = pRegFrame->eax;
934#else
935 PGMPhysSimpleWriteGCPhys(pVM, GCPhysFault, &pRegFrame->rax, uIncrement);
936#endif
937 pu32 += uIncrement;
938 GCPhysFault += uIncrement;
939 pRegFrame->rdi += uIncrement;
940 pRegFrame->rcx--;
941 }
942 pRegFrame->rip += pDis->cbInstr;
943
944 LogFlow(("pgmPoolAccessHandlerSTOSD: returns\n"));
945 return VINF_SUCCESS;
946}
947
948
949/**
950 * Handles the simple write accesses.
951 *
952 * @returns VBox status code suitable for scheduling.
953 * @param pVM Pointer to the VM.
954 * @param pVCpu Pointer to the VMCPU.
955 * @param pPool The pool.
956 * @param pPage The pool page (head).
957 * @param pDis The disassembly of the write instruction.
958 * @param pRegFrame The trap register frame.
959 * @param GCPhysFault The fault address as guest physical address.
960 * @param pvFault The fault address.
961 * @param pfReused Reused state (in/out)
962 */
963DECLINLINE(int) pgmPoolAccessHandlerSimple(PVM pVM, PVMCPU pVCpu, PPGMPOOL pPool, PPGMPOOLPAGE pPage, PDISCPUSTATE pDis,
964 PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, RTGCPTR pvFault, bool *pfReused)
965{
966 Log3(("pgmPoolAccessHandlerSimple\n"));
967 NOREF(pfReused); /* initialized by caller */
968
969 /*
970 * Increment the modification counter and insert it into the list
971 * of modified pages the first time.
972 */
973 if (!pPage->cModifications++)
974 pgmPoolMonitorModifiedInsert(pPool, pPage);
975
976 /*
977 * Clear all the pages. ASSUMES that pvFault is readable.
978 */
979#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
980 uint32_t iPrevSubset = PGMRZDynMapPushAutoSubset(pVCpu);
981 pgmPoolMonitorChainChanging(pVCpu, pPool, pPage, GCPhysFault, pvFault, DISGetParamSize(pDis, &pDis->Param1));
982 PGMRZDynMapPopAutoSubset(pVCpu, iPrevSubset);
983#else
984 pgmPoolMonitorChainChanging(pVCpu, pPool, pPage, GCPhysFault, pvFault, DISGetParamSize(pDis, &pDis->Param1));
985#endif
986
987 /*
988 * Interpret the instruction.
989 */
990 VBOXSTRICTRC rc = EMInterpretInstructionDisasState(pVCpu, pDis, pRegFrame, pvFault, EMCODETYPE_ALL);
991 if (RT_SUCCESS(rc))
992 AssertMsg(rc == VINF_SUCCESS, ("%Rrc\n", VBOXSTRICTRC_VAL(rc))); /* ASSUMES no complicated stuff here. */
993 else if (rc == VERR_EM_INTERPRETER)
994 {
995 LogFlow(("pgmPoolAccessHandlerPTWorker: Interpretation failed for %04x:%RGv - opcode=%d\n",
996 pRegFrame->cs.Sel, (RTGCPTR)pRegFrame->rip, pDis->pCurInstr->uOpcode));
997 rc = VINF_EM_RAW_EMULATE_INSTR;
998 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,EmulateInstr));
999 }
1000
1001#if 0 /* experimental code */
1002 if (rc == VINF_SUCCESS)
1003 {
1004 switch (pPage->enmKind)
1005 {
1006 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
1007 {
1008 X86PTEPAE GstPte;
1009 int rc = pgmPoolPhysSimpleReadGCPhys(pVM, &GstPte, pvFault, GCPhysFault, sizeof(GstPte));
1010 AssertRC(rc);
1011
1012 /* Check the new value written by the guest. If present and with a bogus physical address, then
1013 * it's fairly safe to assume the guest is reusing the PT.
1014 */
1015 if (GstPte.n.u1Present)
1016 {
1017 RTHCPHYS HCPhys = -1;
1018 int rc = PGMPhysGCPhys2HCPhys(pVM, GstPte.u & X86_PTE_PAE_PG_MASK, &HCPhys);
1019 if (rc != VINF_SUCCESS)
1020 {
1021 *pfReused = true;
1022 STAM_COUNTER_INC(&pPool->StatForceFlushReused);
1023 }
1024 }
1025 break;
1026 }
1027 }
1028 }
1029#endif
1030
1031 LogFlow(("pgmPoolAccessHandlerSimple: returns %Rrc\n", VBOXSTRICTRC_VAL(rc)));
1032 return VBOXSTRICTRC_VAL(rc);
1033}
1034
1035
1036/**
1037 * \#PF Handler callback for PT write accesses.
1038 *
1039 * @returns VBox status code (appropriate for GC return).
1040 * @param pVM Pointer to the VM.
1041 * @param uErrorCode CPU Error code.
1042 * @param pRegFrame Trap register frame.
1043 * NULL on DMA and other non CPU access.
1044 * @param pvFault The fault address (cr2).
1045 * @param GCPhysFault The GC physical address corresponding to pvFault.
1046 * @param pvUser User argument.
1047 */
1048DECLEXPORT(int) pgmPoolAccessHandler(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault,
1049 RTGCPHYS GCPhysFault, void *pvUser)
1050{
1051 STAM_PROFILE_START(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), a);
1052 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
1053 PPGMPOOLPAGE pPage = (PPGMPOOLPAGE)pvUser;
1054 PVMCPU pVCpu = VMMGetCpu(pVM);
1055 unsigned cMaxModifications;
1056 bool fForcedFlush = false;
1057 NOREF(uErrorCode);
1058
1059 LogFlow(("pgmPoolAccessHandler: pvFault=%RGv pPage=%p:{.idx=%d} GCPhysFault=%RGp\n", pvFault, pPage, pPage->idx, GCPhysFault));
1060
1061 pgmLock(pVM);
1062 if (PHYS_PAGE_ADDRESS(GCPhysFault) != PHYS_PAGE_ADDRESS(pPage->GCPhys))
1063 {
1064 /* Pool page changed while we were waiting for the lock; ignore. */
1065 Log(("CPU%d: pgmPoolAccessHandler pgm pool page for %RGp changed (to %RGp) while waiting!\n", pVCpu->idCpu, PHYS_PAGE_ADDRESS(GCPhysFault), PHYS_PAGE_ADDRESS(pPage->GCPhys)));
1066 STAM_PROFILE_STOP_EX(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), &pPool->CTX_MID_Z(StatMonitor,Handled), a);
1067 pgmUnlock(pVM);
1068 return VINF_SUCCESS;
1069 }
1070#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
1071 if (pPage->fDirty)
1072 {
1073 Assert(VMCPU_FF_ISSET(pVCpu, VMCPU_FF_TLB_FLUSH));
1074 pgmUnlock(pVM);
1075 return VINF_SUCCESS; /* SMP guest case where we were blocking on the pgm lock while the same page was being marked dirty. */
1076 }
1077#endif
1078
1079#if 0 /* test code defined(VBOX_STRICT) && defined(PGMPOOL_WITH_OPTIMIZED_DIRTY_PT) */
1080 if (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT)
1081 {
1082 void *pvShw = PGMPOOL_PAGE_2_PTR(pPool->CTX_SUFF(pVM), pPage);
1083 void *pvGst;
1084 int rc = PGM_GCPHYS_2_PTR(pPool->CTX_SUFF(pVM), pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
1085 pgmPoolTrackCheckPTPaePae(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PTPAE)pvGst);
1086 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
1087 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvShw);
1088 }
1089#endif
1090
1091 /*
1092 * Disassemble the faulting instruction.
1093 */
1094 PDISCPUSTATE pDis = &pVCpu->pgm.s.DisState;
1095 int rc = EMInterpretDisasCurrent(pVM, pVCpu, pDis, NULL);
1096 if (RT_UNLIKELY(rc != VINF_SUCCESS))
1097 {
1098 AssertMsg(rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT, ("Unexpected rc %d\n", rc));
1099 pgmUnlock(pVM);
1100 return rc;
1101 }
1102
1103 Assert(pPage->enmKind != PGMPOOLKIND_FREE);
1104
1105 /*
1106 * We should ALWAYS have the list head as user parameter. This
1107 * is because we use that page to record the changes.
1108 */
1109 Assert(pPage->iMonitoredPrev == NIL_PGMPOOL_IDX);
1110
1111#ifdef IN_RING0
1112 /* Maximum nr of modifications depends on the page type. */
1113 if ( pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT
1114 || pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_32BIT_PT)
1115 cMaxModifications = 4;
1116 else
1117 cMaxModifications = 24;
1118#else
1119 cMaxModifications = 48;
1120#endif
1121
1122 /*
1123 * Incremental page table updates should weigh more than random ones.
1124 * (Only applies when started from offset 0)
1125 */
1126 pVCpu->pgm.s.cPoolAccessHandler++;
1127 if ( pPage->GCPtrLastAccessHandlerRip >= pRegFrame->rip - 0x40 /* observed loops in Windows 7 x64 */
1128 && pPage->GCPtrLastAccessHandlerRip < pRegFrame->rip + 0x40
1129 && pvFault == (pPage->GCPtrLastAccessHandlerFault + pDis->Param1.cb)
1130 && pVCpu->pgm.s.cPoolAccessHandler == pPage->cLastAccessHandler + 1)
1131 {
1132 Log(("Possible page reuse cMods=%d -> %d (locked=%d type=%s)\n", pPage->cModifications, pPage->cModifications * 2, pgmPoolIsPageLocked(pPage), pgmPoolPoolKindToStr(pPage->enmKind)));
1133 Assert(pPage->cModifications < 32000);
1134 pPage->cModifications = pPage->cModifications * 2;
1135 pPage->GCPtrLastAccessHandlerFault = pvFault;
1136 pPage->cLastAccessHandler = pVCpu->pgm.s.cPoolAccessHandler;
1137 if (pPage->cModifications >= cMaxModifications)
1138 {
1139 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FlushReinit));
1140 fForcedFlush = true;
1141 }
1142 }
1143
1144 if (pPage->cModifications >= cMaxModifications)
1145 Log(("Mod overflow %RGv cMods=%d (locked=%d type=%s)\n", pvFault, pPage->cModifications, pgmPoolIsPageLocked(pPage), pgmPoolPoolKindToStr(pPage->enmKind)));
1146
1147 /*
1148 * Check if it's worth dealing with.
1149 */
1150 bool fReused = false;
1151 bool fNotReusedNotForking = false;
1152 if ( ( pPage->cModifications < cMaxModifications /** @todo #define */ /** @todo need to check that it's not mapping EIP. */ /** @todo adjust this! */
1153 || pgmPoolIsPageLocked(pPage)
1154 )
1155 && !(fReused = pgmPoolMonitorIsReused(pVM, pVCpu, pRegFrame, pDis, pvFault))
1156 && !pgmPoolMonitorIsForking(pPool, pDis, GCPhysFault & PAGE_OFFSET_MASK))
1157 {
1158 /*
1159 * Simple instructions, no REP prefix.
1160 */
1161 if (!(pDis->fPrefix & (DISPREFIX_REP | DISPREFIX_REPNE)))
1162 {
1163 rc = pgmPoolAccessHandlerSimple(pVM, pVCpu, pPool, pPage, pDis, pRegFrame, GCPhysFault, pvFault, &fReused);
1164 if (fReused)
1165 goto flushPage;
1166
1167 /* A mov instruction to change the first page table entry will be remembered so we can detect
1168 * full page table changes early on. This will reduce the amount of unnecessary traps we'll take.
1169 */
1170 if ( rc == VINF_SUCCESS
1171 && !pPage->cLocked /* only applies to unlocked pages as we can't free locked ones (e.g. cr3 root). */
1172 && pDis->pCurInstr->uOpcode == OP_MOV
1173 && (pvFault & PAGE_OFFSET_MASK) == 0)
1174 {
1175 pPage->GCPtrLastAccessHandlerFault = pvFault;
1176 pPage->cLastAccessHandler = pVCpu->pgm.s.cPoolAccessHandler;
1177 pPage->GCPtrLastAccessHandlerRip = pRegFrame->rip;
1178 /* Make sure we don't kick out a page too quickly. */
1179 if (pPage->cModifications > 8)
1180 pPage->cModifications = 2;
1181 }
1182 else if (pPage->GCPtrLastAccessHandlerFault == pvFault)
1183 {
1184 /* ignore the 2nd write to this page table entry. */
1185 pPage->cLastAccessHandler = pVCpu->pgm.s.cPoolAccessHandler;
1186 }
1187 else
1188 {
1189 pPage->GCPtrLastAccessHandlerFault = NIL_RTGCPTR;
1190 pPage->GCPtrLastAccessHandlerRip = 0;
1191 }
1192
1193 STAM_PROFILE_STOP_EX(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), &pPool->CTX_MID_Z(StatMonitor,Handled), a);
1194 pgmUnlock(pVM);
1195 return rc;
1196 }
1197
1198 /*
1199 * Windows is frequently doing small memset() operations (netio test 4k+).
1200 * We have to deal with these or we'll kill the cache and performance.
1201 */
1202 if ( pDis->pCurInstr->uOpcode == OP_STOSWD
1203 && !pRegFrame->eflags.Bits.u1DF
1204 && pDis->uOpMode == pDis->uCpuMode
1205 && pDis->uAddrMode == pDis->uCpuMode)
1206 {
1207 bool fValidStosd = false;
1208
1209 if ( pDis->uCpuMode == DISCPUMODE_32BIT
1210 && pDis->fPrefix == DISPREFIX_REP
1211 && pRegFrame->ecx <= 0x20
1212 && pRegFrame->ecx * 4 <= PAGE_SIZE - ((uintptr_t)pvFault & PAGE_OFFSET_MASK)
1213 && !((uintptr_t)pvFault & 3)
1214 && (pRegFrame->eax == 0 || pRegFrame->eax == 0x80) /* the two values observed. */
1215 )
1216 {
1217 fValidStosd = true;
1218 pRegFrame->rcx &= 0xffffffff; /* paranoia */
1219 }
1220 else
1221 if ( pDis->uCpuMode == DISCPUMODE_64BIT
1222 && pDis->fPrefix == (DISPREFIX_REP | DISPREFIX_REX)
1223 && pRegFrame->rcx <= 0x20
1224 && pRegFrame->rcx * 8 <= PAGE_SIZE - ((uintptr_t)pvFault & PAGE_OFFSET_MASK)
1225 && !((uintptr_t)pvFault & 7)
1226 && (pRegFrame->rax == 0 || pRegFrame->rax == 0x80) /* the two values observed. */
1227 )
1228 {
1229 fValidStosd = true;
1230 }
1231
1232 if (fValidStosd)
1233 {
1234 rc = pgmPoolAccessHandlerSTOSD(pVM, pPool, pPage, pDis, pRegFrame, GCPhysFault, pvFault);
1235 STAM_PROFILE_STOP_EX(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), &pPool->CTX_MID_Z(StatMonitor,RepStosd), a);
1236 pgmUnlock(pVM);
1237 return rc;
1238 }
1239 }
1240
1241 /* REP prefix, don't bother. */
1242 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,RepPrefix));
1243 Log4(("pgmPoolAccessHandler: eax=%#x ecx=%#x edi=%#x esi=%#x rip=%RGv opcode=%d prefix=%#x\n",
1244 pRegFrame->eax, pRegFrame->ecx, pRegFrame->edi, pRegFrame->esi, (RTGCPTR)pRegFrame->rip, pDis->pCurInstr->uOpcode, pDis->fPrefix));
1245 fNotReusedNotForking = true;
1246 }
1247
1248#if defined(PGMPOOL_WITH_OPTIMIZED_DIRTY_PT) && defined(IN_RING0)
1249 /* E.g. Windows 7 x64 initializes page tables and touches some pages in the table during the process. This
1250 * leads to pgm pool trashing and an excessive amount of write faults due to page monitoring.
1251 */
1252 if ( pPage->cModifications >= cMaxModifications
1253 && !fForcedFlush
1254 && (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT || pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_32BIT_PT)
1255 && ( fNotReusedNotForking
1256 || ( !pgmPoolMonitorIsReused(pVM, pVCpu, pRegFrame, pDis, pvFault)
1257 && !pgmPoolMonitorIsForking(pPool, pDis, GCPhysFault & PAGE_OFFSET_MASK))
1258 )
1259 )
1260 {
1261 Assert(!pgmPoolIsPageLocked(pPage));
1262 Assert(pPage->fDirty == false);
1263
1264 /* Flush any monitored duplicates as we will disable write protection. */
1265 if ( pPage->iMonitoredNext != NIL_PGMPOOL_IDX
1266 || pPage->iMonitoredPrev != NIL_PGMPOOL_IDX)
1267 {
1268 PPGMPOOLPAGE pPageHead = pPage;
1269
1270 /* Find the monitor head. */
1271 while (pPageHead->iMonitoredPrev != NIL_PGMPOOL_IDX)
1272 pPageHead = &pPool->aPages[pPageHead->iMonitoredPrev];
1273
1274 while (pPageHead)
1275 {
1276 unsigned idxNext = pPageHead->iMonitoredNext;
1277
1278 if (pPageHead != pPage)
1279 {
1280 STAM_COUNTER_INC(&pPool->StatDirtyPageDupFlush);
1281 Log(("Flush duplicate page idx=%d GCPhys=%RGp type=%s\n", pPageHead->idx, pPageHead->GCPhys, pgmPoolPoolKindToStr(pPageHead->enmKind)));
1282 int rc2 = pgmPoolFlushPage(pPool, pPageHead);
1283 AssertRC(rc2);
1284 }
1285
1286 if (idxNext == NIL_PGMPOOL_IDX)
1287 break;
1288
1289 pPageHead = &pPool->aPages[idxNext];
1290 }
1291 }
1292
1293 /* The flushing above might fail for locked pages, so double check. */
1294 if ( pPage->iMonitoredNext == NIL_PGMPOOL_IDX
1295 && pPage->iMonitoredPrev == NIL_PGMPOOL_IDX)
1296 {
1297 pgmPoolAddDirtyPage(pVM, pPool, pPage);
1298
1299 /* Temporarily allow write access to the page table again. */
1300 rc = PGMHandlerPhysicalPageTempOff(pVM, pPage->GCPhys & PAGE_BASE_GC_MASK, pPage->GCPhys & PAGE_BASE_GC_MASK);
1301 if (rc == VINF_SUCCESS)
1302 {
1303 rc = PGMShwMakePageWritable(pVCpu, pvFault, PGM_MK_PG_IS_WRITE_FAULT);
1304 AssertMsg(rc == VINF_SUCCESS
1305 /* In the SMP case the page table might be removed while we wait for the PGM lock in the trap handler. */
1306 || rc == VERR_PAGE_TABLE_NOT_PRESENT
1307 || rc == VERR_PAGE_NOT_PRESENT,
1308 ("PGMShwModifyPage -> GCPtr=%RGv rc=%d\n", pvFault, rc));
1309# ifdef VBOX_STRICT
1310 pPage->GCPtrDirtyFault = pvFault;
1311# endif
1312
1313 STAM_PROFILE_STOP(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), a);
1314 pgmUnlock(pVM);
1315 return rc;
1316 }
1317 }
1318 }
1319#endif /* PGMPOOL_WITH_OPTIMIZED_DIRTY_PT */
1320
1321 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FlushModOverflow));
1322flushPage:
1323 /*
1324 * Not worth it, so flush it.
1325 *
1326 * If we considered it to be reused, don't go back to ring-3
1327 * to emulate failed instructions since we usually cannot
1328 * interpret then. This may be a bit risky, in which case
1329 * the reuse detection must be fixed.
1330 */
1331 rc = pgmPoolAccessHandlerFlush(pVM, pVCpu, pPool, pPage, pDis, pRegFrame, GCPhysFault, pvFault);
1332 if ( rc == VINF_EM_RAW_EMULATE_INSTR
1333 && fReused)
1334 {
1335 /* Make sure that the current instruction still has shadow page backing, otherwise we'll end up in a loop. */
1336 if (PGMShwGetPage(pVCpu, pRegFrame->rip, NULL, NULL) == VINF_SUCCESS)
1337 rc = VINF_SUCCESS; /* safe to restart the instruction. */
1338 }
1339 STAM_PROFILE_STOP_EX(&pVM->pgm.s.CTX_SUFF(pPool)->CTX_SUFF_Z(StatMonitor), &pPool->CTX_MID_Z(StatMonitor,FlushPage), a);
1340 pgmUnlock(pVM);
1341 return rc;
1342}
1343
1344# endif /* !IN_RING3 */
1345
1346# ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
1347
1348# if defined(VBOX_STRICT) && !defined(IN_RING3)
1349
1350/**
1351 * Check references to guest physical memory in a PAE / PAE page table.
1352 *
1353 * @param pPool The pool.
1354 * @param pPage The page.
1355 * @param pShwPT The shadow page table (mapping of the page).
1356 * @param pGstPT The guest page table.
1357 */
1358static void pgmPoolTrackCheckPTPaePae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PTPAE pGstPT)
1359{
1360 unsigned cErrors = 0;
1361 int LastRc = -1; /* initialized to shut up gcc */
1362 unsigned LastPTE = ~0U; /* initialized to shut up gcc */
1363 RTHCPHYS LastHCPhys = NIL_RTHCPHYS; /* initialized to shut up gcc */
1364 PVM pVM = pPool->CTX_SUFF(pVM);
1365
1366#ifdef VBOX_STRICT
1367 for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
1368 AssertMsg(!PGMSHWPTEPAE_IS_P(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), pPage->iFirstPresent));
1369#endif
1370 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
1371 {
1372 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
1373 {
1374 RTHCPHYS HCPhys = NIL_RTHCPHYS;
1375 int rc = PGMPhysGCPhys2HCPhys(pVM, pGstPT->a[i].u & X86_PTE_PAE_PG_MASK, &HCPhys);
1376 if ( rc != VINF_SUCCESS
1377 || PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]) != HCPhys)
1378 {
1379 Log(("rc=%d idx=%d guest %RX64 shw=%RX64 vs %RHp\n", rc, i, pGstPT->a[i].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), HCPhys));
1380 LastPTE = i;
1381 LastRc = rc;
1382 LastHCPhys = HCPhys;
1383 cErrors++;
1384
1385 RTHCPHYS HCPhysPT = NIL_RTHCPHYS;
1386 rc = PGMPhysGCPhys2HCPhys(pVM, pPage->GCPhys, &HCPhysPT);
1387 AssertRC(rc);
1388
1389 for (unsigned iPage = 0; iPage < pPool->cCurPages; iPage++)
1390 {
1391 PPGMPOOLPAGE pTempPage = &pPool->aPages[iPage];
1392
1393 if (pTempPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT)
1394 {
1395 PPGMSHWPTPAE pShwPT2 = (PPGMSHWPTPAE)PGMPOOL_PAGE_2_PTR(pVM, pTempPage);
1396
1397 for (unsigned j = 0; j < RT_ELEMENTS(pShwPT->a); j++)
1398 {
1399 if ( PGMSHWPTEPAE_IS_P_RW(pShwPT2->a[j])
1400 && PGMSHWPTEPAE_GET_HCPHYS(pShwPT2->a[j]) == HCPhysPT)
1401 {
1402 Log(("GCPhys=%RGp idx=%d %RX64 vs %RX64\n", pTempPage->GCPhys, j, PGMSHWPTEPAE_GET_LOG(pShwPT->a[j]), PGMSHWPTEPAE_GET_LOG(pShwPT2->a[j])));
1403 }
1404 }
1405
1406 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pShwPT2);
1407 }
1408 }
1409 }
1410 }
1411 }
1412 AssertMsg(!cErrors, ("cErrors=%d: last rc=%d idx=%d guest %RX64 shw=%RX64 vs %RHp\n", cErrors, LastRc, LastPTE, pGstPT->a[LastPTE].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[LastPTE]), LastHCPhys));
1413}
1414
1415
1416/**
1417 * Check references to guest physical memory in a PAE / 32-bit page table.
1418 *
1419 * @param pPool The pool.
1420 * @param pPage The page.
1421 * @param pShwPT The shadow page table (mapping of the page).
1422 * @param pGstPT The guest page table.
1423 */
1424static void pgmPoolTrackCheckPTPae32Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PT pGstPT)
1425{
1426 unsigned cErrors = 0;
1427 int LastRc = -1; /* initialized to shut up gcc */
1428 unsigned LastPTE = ~0U; /* initialized to shut up gcc */
1429 RTHCPHYS LastHCPhys = NIL_RTHCPHYS; /* initialized to shut up gcc */
1430 PVM pVM = pPool->CTX_SUFF(pVM);
1431
1432#ifdef VBOX_STRICT
1433 for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
1434 AssertMsg(!PGMSHWPTEPAE_IS_P(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), pPage->iFirstPresent));
1435#endif
1436 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
1437 {
1438 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
1439 {
1440 RTHCPHYS HCPhys = NIL_RTHCPHYS;
1441 int rc = PGMPhysGCPhys2HCPhys(pVM, pGstPT->a[i].u & X86_PTE_PG_MASK, &HCPhys);
1442 if ( rc != VINF_SUCCESS
1443 || PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]) != HCPhys)
1444 {
1445 Log(("rc=%d idx=%d guest %x shw=%RX64 vs %RHp\n", rc, i, pGstPT->a[i].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), HCPhys));
1446 LastPTE = i;
1447 LastRc = rc;
1448 LastHCPhys = HCPhys;
1449 cErrors++;
1450
1451 RTHCPHYS HCPhysPT = NIL_RTHCPHYS;
1452 rc = PGMPhysGCPhys2HCPhys(pVM, pPage->GCPhys, &HCPhysPT);
1453 AssertRC(rc);
1454
1455 for (unsigned iPage = 0; iPage < pPool->cCurPages; iPage++)
1456 {
1457 PPGMPOOLPAGE pTempPage = &pPool->aPages[iPage];
1458
1459 if (pTempPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_32BIT_PT)
1460 {
1461 PPGMSHWPTPAE pShwPT2 = (PPGMSHWPTPAE)PGMPOOL_PAGE_2_PTR(pVM, pTempPage);
1462
1463 for (unsigned j = 0; j < RT_ELEMENTS(pShwPT->a); j++)
1464 {
1465 if ( PGMSHWPTEPAE_IS_P_RW(pShwPT2->a[j])
1466 && PGMSHWPTEPAE_GET_HCPHYS(pShwPT2->a[j]) == HCPhysPT)
1467 {
1468 Log(("GCPhys=%RGp idx=%d %RX64 vs %RX64\n", pTempPage->GCPhys, j, PGMSHWPTEPAE_GET_LOG(pShwPT->a[j]), PGMSHWPTEPAE_GET_LOG(pShwPT2->a[j])));
1469 }
1470 }
1471
1472 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pShwPT2);
1473 }
1474 }
1475 }
1476 }
1477 }
1478 AssertMsg(!cErrors, ("cErrors=%d: last rc=%d idx=%d guest %x shw=%RX64 vs %RHp\n", cErrors, LastRc, LastPTE, pGstPT->a[LastPTE].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[LastPTE]), LastHCPhys));
1479}
1480
1481# endif /* VBOX_STRICT && !IN_RING3 */
1482
1483/**
1484 * Clear references to guest physical memory in a PAE / PAE page table.
1485 *
1486 * @returns nr of changed PTEs
1487 * @param pPool The pool.
1488 * @param pPage The page.
1489 * @param pShwPT The shadow page table (mapping of the page).
1490 * @param pGstPT The guest page table.
1491 * @param pOldGstPT The old cached guest page table.
1492 * @param fAllowRemoval Bail out as soon as we encounter an invalid PTE
1493 * @param pfFlush Flush reused page table (out)
1494 */
1495DECLINLINE(unsigned) pgmPoolTrackFlushPTPaePae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PTPAE pGstPT,
1496 PCX86PTPAE pOldGstPT, bool fAllowRemoval, bool *pfFlush)
1497{
1498 unsigned cChanged = 0;
1499
1500#ifdef VBOX_STRICT
1501 for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
1502 AssertMsg(!PGMSHWPTEPAE_IS_P(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), pPage->iFirstPresent));
1503#endif
1504 *pfFlush = false;
1505
1506 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
1507 {
1508 /* Check the new value written by the guest. If present and with a bogus physical address, then
1509 * it's fairly safe to assume the guest is reusing the PT.
1510 */
1511 if ( fAllowRemoval
1512 && pGstPT->a[i].n.u1Present)
1513 {
1514 if (!PGMPhysIsGCPhysValid(pPool->CTX_SUFF(pVM), pGstPT->a[i].u & X86_PTE_PAE_PG_MASK))
1515 {
1516 *pfFlush = true;
1517 return ++cChanged;
1518 }
1519 }
1520 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
1521 {
1522 /* If the old cached PTE is identical, then there's no need to flush the shadow copy. */
1523 if ((pGstPT->a[i].u & X86_PTE_PAE_PG_MASK) == (pOldGstPT->a[i].u & X86_PTE_PAE_PG_MASK))
1524 {
1525#ifdef VBOX_STRICT
1526 RTHCPHYS HCPhys = NIL_RTGCPHYS;
1527 int rc = PGMPhysGCPhys2HCPhys(pPool->CTX_SUFF(pVM), pGstPT->a[i].u & X86_PTE_PAE_PG_MASK, &HCPhys);
1528 AssertMsg(rc == VINF_SUCCESS && PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]) == HCPhys, ("rc=%d guest %RX64 old %RX64 shw=%RX64 vs %RHp\n", rc, pGstPT->a[i].u, pOldGstPT->a[i].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), HCPhys));
1529#endif
1530 uint64_t uHostAttr = PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & (X86_PTE_P | X86_PTE_US | X86_PTE_A | X86_PTE_D | X86_PTE_G | X86_PTE_PAE_NX);
1531 bool fHostRW = !!(PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & X86_PTE_RW);
1532 uint64_t uGuestAttr = pGstPT->a[i].u & (X86_PTE_P | X86_PTE_US | X86_PTE_A | X86_PTE_D | X86_PTE_G | X86_PTE_PAE_NX);
1533 bool fGuestRW = !!(pGstPT->a[i].u & X86_PTE_RW);
1534
1535 if ( uHostAttr == uGuestAttr
1536 && fHostRW <= fGuestRW)
1537 continue;
1538 }
1539 cChanged++;
1540 /* Something was changed, so flush it. */
1541 Log4(("pgmPoolTrackDerefPTPaePae: i=%d pte=%RX64 hint=%RX64\n",
1542 i, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pOldGstPT->a[i].u & X86_PTE_PAE_PG_MASK));
1543 pgmPoolTracDerefGCPhysHint(pPool, pPage, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pOldGstPT->a[i].u & X86_PTE_PAE_PG_MASK, i);
1544 PGMSHWPTEPAE_ATOMIC_SET(pShwPT->a[i], 0);
1545 }
1546 }
1547 return cChanged;
1548}
1549
1550
1551/**
1552 * Clear references to guest physical memory in a PAE / PAE page table.
1553 *
1554 * @returns nr of changed PTEs
1555 * @param pPool The pool.
1556 * @param pPage The page.
1557 * @param pShwPT The shadow page table (mapping of the page).
1558 * @param pGstPT The guest page table.
1559 * @param pOldGstPT The old cached guest page table.
1560 * @param fAllowRemoval Bail out as soon as we encounter an invalid PTE
1561 * @param pfFlush Flush reused page table (out)
1562 */
1563DECLINLINE(unsigned) pgmPoolTrackFlushPTPae32Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PT pGstPT,
1564 PCX86PT pOldGstPT, bool fAllowRemoval, bool *pfFlush)
1565{
1566 unsigned cChanged = 0;
1567
1568#ifdef VBOX_STRICT
1569 for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
1570 AssertMsg(!PGMSHWPTEPAE_IS_P(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), pPage->iFirstPresent));
1571#endif
1572 *pfFlush = false;
1573
1574 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
1575 {
1576 /* Check the new value written by the guest. If present and with a bogus physical address, then
1577 * it's fairly safe to assume the guest is reusing the PT.
1578 */
1579 if ( fAllowRemoval
1580 && pGstPT->a[i].n.u1Present)
1581 {
1582 if (!PGMPhysIsGCPhysValid(pPool->CTX_SUFF(pVM), pGstPT->a[i].u & X86_PTE_PG_MASK))
1583 {
1584 *pfFlush = true;
1585 return ++cChanged;
1586 }
1587 }
1588 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
1589 {
1590 /* If the old cached PTE is identical, then there's no need to flush the shadow copy. */
1591 if ((pGstPT->a[i].u & X86_PTE_PG_MASK) == (pOldGstPT->a[i].u & X86_PTE_PG_MASK))
1592 {
1593#ifdef VBOX_STRICT
1594 RTHCPHYS HCPhys = NIL_RTGCPHYS;
1595 int rc = PGMPhysGCPhys2HCPhys(pPool->CTX_SUFF(pVM), pGstPT->a[i].u & X86_PTE_PG_MASK, &HCPhys);
1596 AssertMsg(rc == VINF_SUCCESS && PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]) == HCPhys, ("rc=%d guest %x old %x shw=%RX64 vs %RHp\n", rc, pGstPT->a[i].u, pOldGstPT->a[i].u, PGMSHWPTEPAE_GET_LOG(pShwPT->a[i]), HCPhys));
1597#endif
1598 uint64_t uHostAttr = PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & (X86_PTE_P | X86_PTE_US | X86_PTE_A | X86_PTE_D | X86_PTE_G);
1599 bool fHostRW = !!(PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & X86_PTE_RW);
1600 uint64_t uGuestAttr = pGstPT->a[i].u & (X86_PTE_P | X86_PTE_US | X86_PTE_A | X86_PTE_D | X86_PTE_G);
1601 bool fGuestRW = !!(pGstPT->a[i].u & X86_PTE_RW);
1602
1603 if ( uHostAttr == uGuestAttr
1604 && fHostRW <= fGuestRW)
1605 continue;
1606 }
1607 cChanged++;
1608 /* Something was changed, so flush it. */
1609 Log4(("pgmPoolTrackDerefPTPaePae: i=%d pte=%RX64 hint=%x\n",
1610 i, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pOldGstPT->a[i].u & X86_PTE_PG_MASK));
1611 pgmPoolTracDerefGCPhysHint(pPool, pPage, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pOldGstPT->a[i].u & X86_PTE_PG_MASK, i);
1612 PGMSHWPTEPAE_ATOMIC_SET(pShwPT->a[i], 0);
1613 }
1614 }
1615 return cChanged;
1616}
1617
1618
1619/**
1620 * Flush a dirty page
1621 *
1622 * @param pVM Pointer to the VM.
1623 * @param pPool The pool.
1624 * @param idxSlot Dirty array slot index
1625 * @param fAllowRemoval Allow a reused page table to be removed
1626 */
1627static void pgmPoolFlushDirtyPage(PVM pVM, PPGMPOOL pPool, unsigned idxSlot, bool fAllowRemoval = false)
1628{
1629 PPGMPOOLPAGE pPage;
1630 unsigned idxPage;
1631
1632 Assert(idxSlot < RT_ELEMENTS(pPool->aDirtyPages));
1633 if (pPool->aDirtyPages[idxSlot].uIdx == NIL_PGMPOOL_IDX)
1634 return;
1635
1636 idxPage = pPool->aDirtyPages[idxSlot].uIdx;
1637 AssertRelease(idxPage != NIL_PGMPOOL_IDX);
1638 pPage = &pPool->aPages[idxPage];
1639 Assert(pPage->idx == idxPage);
1640 Assert(pPage->iMonitoredNext == NIL_PGMPOOL_IDX && pPage->iMonitoredPrev == NIL_PGMPOOL_IDX);
1641
1642 AssertMsg(pPage->fDirty, ("Page %RGp (slot=%d) not marked dirty!", pPage->GCPhys, idxSlot));
1643 Log(("Flush dirty page %RGp cMods=%d\n", pPage->GCPhys, pPage->cModifications));
1644
1645#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
1646 PVMCPU pVCpu = VMMGetCpu(pVM);
1647 uint32_t iPrevSubset = PGMRZDynMapPushAutoSubset(pVCpu);
1648#endif
1649
1650 /* First write protect the page again to catch all write accesses. (before checking for changes -> SMP) */
1651 int rc = PGMHandlerPhysicalReset(pVM, pPage->GCPhys & PAGE_BASE_GC_MASK);
1652 Assert(rc == VINF_SUCCESS);
1653 pPage->fDirty = false;
1654
1655#ifdef VBOX_STRICT
1656 uint64_t fFlags = 0;
1657 RTHCPHYS HCPhys;
1658 rc = PGMShwGetPage(VMMGetCpu(pVM), pPage->GCPtrDirtyFault, &fFlags, &HCPhys);
1659 AssertMsg( ( rc == VINF_SUCCESS
1660 && (!(fFlags & X86_PTE_RW) || HCPhys != pPage->Core.Key))
1661 /* In the SMP case the page table might be removed while we wait for the PGM lock in the trap handler. */
1662 || rc == VERR_PAGE_TABLE_NOT_PRESENT
1663 || rc == VERR_PAGE_NOT_PRESENT,
1664 ("PGMShwGetPage -> GCPtr=%RGv rc=%d flags=%RX64\n", pPage->GCPtrDirtyFault, rc, fFlags));
1665#endif
1666
1667 /* Flush those PTEs that have changed. */
1668 STAM_PROFILE_START(&pPool->StatTrackDeref,a);
1669 void *pvShw = PGMPOOL_PAGE_2_PTR(pVM, pPage);
1670 void *pvGst;
1671 rc = PGM_GCPHYS_2_PTR_EX(pVM, pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
1672 bool fFlush;
1673 unsigned cChanges;
1674
1675 if (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT)
1676 cChanges = pgmPoolTrackFlushPTPaePae(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PTPAE)pvGst,
1677 (PCX86PTPAE)&pPool->aDirtyPages[idxSlot].aPage[0], fAllowRemoval, &fFlush);
1678 else
1679 cChanges = pgmPoolTrackFlushPTPae32Bit(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PT)pvGst,
1680 (PCX86PT)&pPool->aDirtyPages[idxSlot].aPage[0], fAllowRemoval, &fFlush);
1681
1682 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
1683 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvShw);
1684 STAM_PROFILE_STOP(&pPool->StatTrackDeref,a);
1685 /* Note: we might want to consider keeping the dirty page active in case there were many changes. */
1686
1687 /* This page is likely to be modified again, so reduce the nr of modifications just a bit here. */
1688 Assert(pPage->cModifications);
1689 if (cChanges < 4)
1690 pPage->cModifications = 1; /* must use > 0 here */
1691 else
1692 pPage->cModifications = RT_MAX(1, pPage->cModifications / 2);
1693
1694 STAM_COUNTER_INC(&pPool->StatResetDirtyPages);
1695 if (pPool->cDirtyPages == RT_ELEMENTS(pPool->aDirtyPages))
1696 pPool->idxFreeDirtyPage = idxSlot;
1697
1698 pPool->cDirtyPages--;
1699 pPool->aDirtyPages[idxSlot].uIdx = NIL_PGMPOOL_IDX;
1700 Assert(pPool->cDirtyPages <= RT_ELEMENTS(pPool->aDirtyPages));
1701 if (fFlush)
1702 {
1703 Assert(fAllowRemoval);
1704 Log(("Flush reused page table!\n"));
1705 pgmPoolFlushPage(pPool, pPage);
1706 STAM_COUNTER_INC(&pPool->StatForceFlushReused);
1707 }
1708 else
1709 Log(("Removed dirty page %RGp cMods=%d cChanges=%d\n", pPage->GCPhys, pPage->cModifications, cChanges));
1710
1711#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
1712 PGMRZDynMapPopAutoSubset(pVCpu, iPrevSubset);
1713#endif
1714}
1715
1716
1717# ifndef IN_RING3
1718/**
1719 * Add a new dirty page
1720 *
1721 * @param pVM Pointer to the VM.
1722 * @param pPool The pool.
1723 * @param pPage The page.
1724 */
1725void pgmPoolAddDirtyPage(PVM pVM, PPGMPOOL pPool, PPGMPOOLPAGE pPage)
1726{
1727 unsigned idxFree;
1728
1729 PGM_LOCK_ASSERT_OWNER(pVM);
1730 AssertCompile(RT_ELEMENTS(pPool->aDirtyPages) == 8 || RT_ELEMENTS(pPool->aDirtyPages) == 16);
1731 Assert(!pPage->fDirty);
1732
1733 idxFree = pPool->idxFreeDirtyPage;
1734 Assert(idxFree < RT_ELEMENTS(pPool->aDirtyPages));
1735 Assert(pPage->iMonitoredNext == NIL_PGMPOOL_IDX && pPage->iMonitoredPrev == NIL_PGMPOOL_IDX);
1736
1737 if (pPool->cDirtyPages >= RT_ELEMENTS(pPool->aDirtyPages))
1738 {
1739 STAM_COUNTER_INC(&pPool->StatDirtyPageOverFlowFlush);
1740 pgmPoolFlushDirtyPage(pVM, pPool, idxFree, true /* allow removal of reused page tables*/);
1741 }
1742 Assert(pPool->cDirtyPages < RT_ELEMENTS(pPool->aDirtyPages));
1743 AssertMsg(pPool->aDirtyPages[idxFree].uIdx == NIL_PGMPOOL_IDX, ("idxFree=%d cDirtyPages=%d\n", idxFree, pPool->cDirtyPages));
1744
1745 Log(("Add dirty page %RGp (slot=%d)\n", pPage->GCPhys, idxFree));
1746
1747 /*
1748 * Make a copy of the guest page table as we require valid GCPhys addresses
1749 * when removing references to physical pages.
1750 * (The HCPhys linear lookup is *extremely* expensive!)
1751 */
1752 void *pvGst;
1753 int rc = PGM_GCPHYS_2_PTR_EX(pVM, pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
1754 memcpy(&pPool->aDirtyPages[idxFree].aPage[0], pvGst, (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT) ? PAGE_SIZE : PAGE_SIZE/2);
1755# ifdef VBOX_STRICT
1756 void *pvShw = PGMPOOL_PAGE_2_PTR(pVM, pPage);
1757 if (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT)
1758 pgmPoolTrackCheckPTPaePae(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PTPAE)pvGst);
1759 else
1760 pgmPoolTrackCheckPTPae32Bit(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PT)pvGst);
1761 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvShw);
1762# endif
1763 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
1764
1765 STAM_COUNTER_INC(&pPool->StatDirtyPage);
1766 pPage->fDirty = true;
1767 pPage->idxDirtyEntry = (uint8_t)idxFree; Assert(pPage->idxDirtyEntry == idxFree);
1768 pPool->aDirtyPages[idxFree].uIdx = pPage->idx;
1769 pPool->cDirtyPages++;
1770
1771 pPool->idxFreeDirtyPage = (pPool->idxFreeDirtyPage + 1) & (RT_ELEMENTS(pPool->aDirtyPages) - 1);
1772 if ( pPool->cDirtyPages < RT_ELEMENTS(pPool->aDirtyPages)
1773 && pPool->aDirtyPages[pPool->idxFreeDirtyPage].uIdx != NIL_PGMPOOL_IDX)
1774 {
1775 unsigned i;
1776 for (i = 1; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1777 {
1778 idxFree = (pPool->idxFreeDirtyPage + i) & (RT_ELEMENTS(pPool->aDirtyPages) - 1);
1779 if (pPool->aDirtyPages[idxFree].uIdx == NIL_PGMPOOL_IDX)
1780 {
1781 pPool->idxFreeDirtyPage = idxFree;
1782 break;
1783 }
1784 }
1785 Assert(i != RT_ELEMENTS(pPool->aDirtyPages));
1786 }
1787
1788 Assert(pPool->cDirtyPages == RT_ELEMENTS(pPool->aDirtyPages) || pPool->aDirtyPages[pPool->idxFreeDirtyPage].uIdx == NIL_PGMPOOL_IDX);
1789 return;
1790}
1791# endif /* !IN_RING3 */
1792
1793
1794/**
1795 * Check if the specified page is dirty (not write monitored)
1796 *
1797 * @return dirty or not
1798 * @param pVM Pointer to the VM.
1799 * @param GCPhys Guest physical address
1800 */
1801bool pgmPoolIsDirtyPage(PVM pVM, RTGCPHYS GCPhys)
1802{
1803 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
1804 PGM_LOCK_ASSERT_OWNER(pVM);
1805 if (!pPool->cDirtyPages)
1806 return false;
1807
1808 GCPhys = GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK;
1809
1810 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1811 {
1812 if (pPool->aDirtyPages[i].uIdx != NIL_PGMPOOL_IDX)
1813 {
1814 PPGMPOOLPAGE pPage;
1815 unsigned idxPage = pPool->aDirtyPages[i].uIdx;
1816
1817 pPage = &pPool->aPages[idxPage];
1818 if (pPage->GCPhys == GCPhys)
1819 return true;
1820 }
1821 }
1822 return false;
1823}
1824
1825
1826/**
1827 * Reset all dirty pages by reinstating page monitoring.
1828 *
1829 * @param pVM Pointer to the VM.
1830 */
1831void pgmPoolResetDirtyPages(PVM pVM)
1832{
1833 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
1834 PGM_LOCK_ASSERT_OWNER(pVM);
1835 Assert(pPool->cDirtyPages <= RT_ELEMENTS(pPool->aDirtyPages));
1836
1837 if (!pPool->cDirtyPages)
1838 return;
1839
1840 Log(("pgmPoolResetDirtyPages\n"));
1841 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1842 pgmPoolFlushDirtyPage(pVM, pPool, i, true /* allow removal of reused page tables*/);
1843
1844 pPool->idxFreeDirtyPage = 0;
1845 if ( pPool->cDirtyPages != RT_ELEMENTS(pPool->aDirtyPages)
1846 && pPool->aDirtyPages[pPool->idxFreeDirtyPage].uIdx != NIL_PGMPOOL_IDX)
1847 {
1848 unsigned i;
1849 for (i = 1; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1850 {
1851 if (pPool->aDirtyPages[i].uIdx == NIL_PGMPOOL_IDX)
1852 {
1853 pPool->idxFreeDirtyPage = i;
1854 break;
1855 }
1856 }
1857 AssertMsg(i != RT_ELEMENTS(pPool->aDirtyPages), ("cDirtyPages %d", pPool->cDirtyPages));
1858 }
1859
1860 Assert(pPool->aDirtyPages[pPool->idxFreeDirtyPage].uIdx == NIL_PGMPOOL_IDX || pPool->cDirtyPages == RT_ELEMENTS(pPool->aDirtyPages));
1861 return;
1862}
1863
1864
1865/**
1866 * Invalidate the PT entry for the specified page
1867 *
1868 * @param pVM Pointer to the VM.
1869 * @param GCPtrPage Guest page to invalidate
1870 */
1871void pgmPoolResetDirtyPage(PVM pVM, RTGCPTR GCPtrPage)
1872{
1873 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
1874 PGM_LOCK_ASSERT_OWNER(pVM);
1875 Assert(pPool->cDirtyPages <= RT_ELEMENTS(pPool->aDirtyPages));
1876
1877 if (!pPool->cDirtyPages)
1878 return;
1879
1880 Log(("pgmPoolResetDirtyPage %RGv\n", GCPtrPage));
1881 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1882 {
1883 }
1884}
1885
1886
1887/**
1888 * Reset all dirty pages by reinstating page monitoring.
1889 *
1890 * @param pVM Pointer to the VM.
1891 * @param GCPhysPT Physical address of the page table
1892 */
1893void pgmPoolInvalidateDirtyPage(PVM pVM, RTGCPHYS GCPhysPT)
1894{
1895 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
1896 PGM_LOCK_ASSERT_OWNER(pVM);
1897 Assert(pPool->cDirtyPages <= RT_ELEMENTS(pPool->aDirtyPages));
1898 unsigned idxDirtyPage = RT_ELEMENTS(pPool->aDirtyPages);
1899
1900 if (!pPool->cDirtyPages)
1901 return;
1902
1903 GCPhysPT = GCPhysPT & ~(RTGCPHYS)PAGE_OFFSET_MASK;
1904
1905 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1906 {
1907 if (pPool->aDirtyPages[i].uIdx != NIL_PGMPOOL_IDX)
1908 {
1909 unsigned idxPage = pPool->aDirtyPages[i].uIdx;
1910
1911 PPGMPOOLPAGE pPage = &pPool->aPages[idxPage];
1912 if (pPage->GCPhys == GCPhysPT)
1913 {
1914 idxDirtyPage = i;
1915 break;
1916 }
1917 }
1918 }
1919
1920 if (idxDirtyPage != RT_ELEMENTS(pPool->aDirtyPages))
1921 {
1922 pgmPoolFlushDirtyPage(pVM, pPool, idxDirtyPage, true /* allow removal of reused page tables*/);
1923 if ( pPool->cDirtyPages != RT_ELEMENTS(pPool->aDirtyPages)
1924 && pPool->aDirtyPages[pPool->idxFreeDirtyPage].uIdx != NIL_PGMPOOL_IDX)
1925 {
1926 unsigned i;
1927 for (i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
1928 {
1929 if (pPool->aDirtyPages[i].uIdx == NIL_PGMPOOL_IDX)
1930 {
1931 pPool->idxFreeDirtyPage = i;
1932 break;
1933 }
1934 }
1935 AssertMsg(i != RT_ELEMENTS(pPool->aDirtyPages), ("cDirtyPages %d", pPool->cDirtyPages));
1936 }
1937 }
1938}
1939
1940# endif /* PGMPOOL_WITH_OPTIMIZED_DIRTY_PT */
1941
1942/**
1943 * Inserts a page into the GCPhys hash table.
1944 *
1945 * @param pPool The pool.
1946 * @param pPage The page.
1947 */
1948DECLINLINE(void) pgmPoolHashInsert(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
1949{
1950 Log3(("pgmPoolHashInsert: %RGp\n", pPage->GCPhys));
1951 Assert(pPage->GCPhys != NIL_RTGCPHYS); Assert(pPage->iNext == NIL_PGMPOOL_IDX);
1952 uint16_t iHash = PGMPOOL_HASH(pPage->GCPhys);
1953 pPage->iNext = pPool->aiHash[iHash];
1954 pPool->aiHash[iHash] = pPage->idx;
1955}
1956
1957
1958/**
1959 * Removes a page from the GCPhys hash table.
1960 *
1961 * @param pPool The pool.
1962 * @param pPage The page.
1963 */
1964DECLINLINE(void) pgmPoolHashRemove(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
1965{
1966 Log3(("pgmPoolHashRemove: %RGp\n", pPage->GCPhys));
1967 uint16_t iHash = PGMPOOL_HASH(pPage->GCPhys);
1968 if (pPool->aiHash[iHash] == pPage->idx)
1969 pPool->aiHash[iHash] = pPage->iNext;
1970 else
1971 {
1972 uint16_t iPrev = pPool->aiHash[iHash];
1973 for (;;)
1974 {
1975 const int16_t i = pPool->aPages[iPrev].iNext;
1976 if (i == pPage->idx)
1977 {
1978 pPool->aPages[iPrev].iNext = pPage->iNext;
1979 break;
1980 }
1981 if (i == NIL_PGMPOOL_IDX)
1982 {
1983 AssertReleaseMsgFailed(("GCPhys=%RGp idx=%d\n", pPage->GCPhys, pPage->idx));
1984 break;
1985 }
1986 iPrev = i;
1987 }
1988 }
1989 pPage->iNext = NIL_PGMPOOL_IDX;
1990}
1991
1992
1993/**
1994 * Frees up one cache page.
1995 *
1996 * @returns VBox status code.
1997 * @retval VINF_SUCCESS on success.
1998 * @param pPool The pool.
1999 * @param iUser The user index.
2000 */
2001static int pgmPoolCacheFreeOne(PPGMPOOL pPool, uint16_t iUser)
2002{
2003#ifndef IN_RC
2004 const PVM pVM = pPool->CTX_SUFF(pVM);
2005#endif
2006 Assert(pPool->iAgeHead != pPool->iAgeTail); /* We shouldn't be here if there < 2 cached entries! */
2007 STAM_COUNTER_INC(&pPool->StatCacheFreeUpOne);
2008
2009 /*
2010 * Select one page from the tail of the age list.
2011 */
2012 PPGMPOOLPAGE pPage;
2013 for (unsigned iLoop = 0; ; iLoop++)
2014 {
2015 uint16_t iToFree = pPool->iAgeTail;
2016 if (iToFree == iUser && iUser != NIL_PGMPOOL_IDX)
2017 iToFree = pPool->aPages[iToFree].iAgePrev;
2018/* This is the alternative to the SyncCR3 pgmPoolCacheUsed calls.
2019 if (pPool->aPages[iToFree].iUserHead != NIL_PGMPOOL_USER_INDEX)
2020 {
2021 uint16_t i = pPool->aPages[iToFree].iAgePrev;
2022 for (unsigned j = 0; j < 10 && i != NIL_PGMPOOL_USER_INDEX; j++, i = pPool->aPages[i].iAgePrev)
2023 {
2024 if (pPool->aPages[iToFree].iUserHead == NIL_PGMPOOL_USER_INDEX)
2025 continue;
2026 iToFree = i;
2027 break;
2028 }
2029 }
2030*/
2031 Assert(iToFree != iUser);
2032 AssertRelease(iToFree != NIL_PGMPOOL_IDX);
2033 pPage = &pPool->aPages[iToFree];
2034
2035 /*
2036 * Reject any attempts at flushing the currently active shadow CR3 mapping.
2037 * Call pgmPoolCacheUsed to move the page to the head of the age list.
2038 */
2039 if ( !pgmPoolIsPageLocked(pPage)
2040 && pPage->idx >= PGMPOOL_IDX_FIRST /* paranoia (#6349) */)
2041 break;
2042 LogFlow(("pgmPoolCacheFreeOne: refuse CR3 mapping\n"));
2043 pgmPoolCacheUsed(pPool, pPage);
2044 AssertLogRelReturn(iLoop < 8192, VERR_PGM_POOL_TOO_MANY_LOOPS);
2045 }
2046
2047 /*
2048 * Found a usable page, flush it and return.
2049 */
2050 int rc = pgmPoolFlushPage(pPool, pPage);
2051 /* This flush was initiated by us and not the guest, so explicitly flush the TLB. */
2052 /* todo: find out why this is necessary; pgmPoolFlushPage should trigger a flush if one is really needed. */
2053 if (rc == VINF_SUCCESS)
2054 PGM_INVL_ALL_VCPU_TLBS(pVM);
2055 return rc;
2056}
2057
2058
2059/**
2060 * Checks if a kind mismatch is really a page being reused
2061 * or if it's just normal remappings.
2062 *
2063 * @returns true if reused and the cached page (enmKind1) should be flushed
2064 * @returns false if not reused.
2065 * @param enmKind1 The kind of the cached page.
2066 * @param enmKind2 The kind of the requested page.
2067 */
2068static bool pgmPoolCacheReusedByKind(PGMPOOLKIND enmKind1, PGMPOOLKIND enmKind2)
2069{
2070 switch (enmKind1)
2071 {
2072 /*
2073 * Never reuse them. There is no remapping in non-paging mode.
2074 */
2075 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2076 case PGMPOOLKIND_32BIT_PD_PHYS:
2077 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2078 case PGMPOOLKIND_PAE_PD_PHYS:
2079 case PGMPOOLKIND_PAE_PDPT_PHYS:
2080 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2081 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2082 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2083 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2084 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2085 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT: /* never reuse them for other types */
2086 return false;
2087
2088 /*
2089 * It's perfectly fine to reuse these, except for PAE and non-paging stuff.
2090 */
2091 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
2092 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
2093 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
2094 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
2095 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
2096 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
2097 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
2098 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
2099 case PGMPOOLKIND_32BIT_PD:
2100 case PGMPOOLKIND_PAE_PDPT:
2101 switch (enmKind2)
2102 {
2103 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
2104 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
2105 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
2106 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
2107 case PGMPOOLKIND_64BIT_PML4:
2108 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
2109 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2110 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2111 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2112 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2113 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2114 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2115 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2116 return true;
2117 default:
2118 return false;
2119 }
2120
2121 /*
2122 * It's perfectly fine to reuse these, except for PAE and non-paging stuff.
2123 */
2124 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
2125 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
2126 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
2127 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
2128 case PGMPOOLKIND_64BIT_PML4:
2129 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
2130 switch (enmKind2)
2131 {
2132 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
2133 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
2134 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
2135 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
2136 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
2137 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
2138 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
2139 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
2140 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2141 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2142 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2143 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2144 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2145 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2146 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2147 return true;
2148 default:
2149 return false;
2150 }
2151
2152 /*
2153 * These cannot be flushed, and it's common to reuse the PDs as PTs.
2154 */
2155 case PGMPOOLKIND_ROOT_NESTED:
2156 return false;
2157
2158 default:
2159 AssertFatalMsgFailed(("enmKind1=%d\n", enmKind1));
2160 }
2161}
2162
2163
2164/**
2165 * Attempts to satisfy a pgmPoolAlloc request from the cache.
2166 *
2167 * @returns VBox status code.
2168 * @retval VINF_PGM_CACHED_PAGE on success.
2169 * @retval VERR_FILE_NOT_FOUND if not found.
2170 * @param pPool The pool.
2171 * @param GCPhys The GC physical address of the page we're gonna shadow.
2172 * @param enmKind The kind of mapping.
2173 * @param enmAccess Access type for the mapping (only relevant for big pages)
2174 * @param fA20Enabled Whether the CPU has the A20 gate enabled.
2175 * @param iUser The shadow page pool index of the user table. This is
2176 * NIL_PGMPOOL_IDX for root pages.
2177 * @param iUserTable The index into the user table (shadowed). Ignored if
2178 * root page
2179 * @param ppPage Where to store the pointer to the page.
2180 */
2181static int pgmPoolCacheAlloc(PPGMPOOL pPool, RTGCPHYS GCPhys, PGMPOOLKIND enmKind, PGMPOOLACCESS enmAccess, bool fA20Enabled,
2182 uint16_t iUser, uint32_t iUserTable, PPPGMPOOLPAGE ppPage)
2183{
2184 /*
2185 * Look up the GCPhys in the hash.
2186 */
2187 unsigned i = pPool->aiHash[PGMPOOL_HASH(GCPhys)];
2188 Log3(("pgmPoolCacheAlloc: %RGp kind %s iUser=%d iUserTable=%x SLOT=%d\n", GCPhys, pgmPoolPoolKindToStr(enmKind), iUser, iUserTable, i));
2189 if (i != NIL_PGMPOOL_IDX)
2190 {
2191 do
2192 {
2193 PPGMPOOLPAGE pPage = &pPool->aPages[i];
2194 Log4(("pgmPoolCacheAlloc: slot %d found page %RGp\n", i, pPage->GCPhys));
2195 if (pPage->GCPhys == GCPhys)
2196 {
2197 if ( (PGMPOOLKIND)pPage->enmKind == enmKind
2198 && (PGMPOOLACCESS)pPage->enmAccess == enmAccess
2199 && pPage->fA20Enabled == fA20Enabled)
2200 {
2201 /* Put it at the start of the use list to make sure pgmPoolTrackAddUser
2202 * doesn't flush it in case there are no more free use records.
2203 */
2204 pgmPoolCacheUsed(pPool, pPage);
2205
2206 int rc = VINF_SUCCESS;
2207 if (iUser != NIL_PGMPOOL_IDX)
2208 rc = pgmPoolTrackAddUser(pPool, pPage, iUser, iUserTable);
2209 if (RT_SUCCESS(rc))
2210 {
2211 Assert((PGMPOOLKIND)pPage->enmKind == enmKind);
2212 *ppPage = pPage;
2213 if (pPage->cModifications)
2214 pPage->cModifications = 1; /* reset counter (can't use 0, or else it will be reinserted in the modified list) */
2215 STAM_COUNTER_INC(&pPool->StatCacheHits);
2216 return VINF_PGM_CACHED_PAGE;
2217 }
2218 return rc;
2219 }
2220
2221 if ((PGMPOOLKIND)pPage->enmKind != enmKind)
2222 {
2223 /*
2224 * The kind is different. In some cases we should now flush the page
2225 * as it has been reused, but in most cases this is normal remapping
2226 * of PDs as PT or big pages using the GCPhys field in a slightly
2227 * different way than the other kinds.
2228 */
2229 if (pgmPoolCacheReusedByKind((PGMPOOLKIND)pPage->enmKind, enmKind))
2230 {
2231 STAM_COUNTER_INC(&pPool->StatCacheKindMismatches);
2232 pgmPoolFlushPage(pPool, pPage);
2233 break;
2234 }
2235 }
2236 }
2237
2238 /* next */
2239 i = pPage->iNext;
2240 } while (i != NIL_PGMPOOL_IDX);
2241 }
2242
2243 Log3(("pgmPoolCacheAlloc: Missed GCPhys=%RGp enmKind=%s\n", GCPhys, pgmPoolPoolKindToStr(enmKind)));
2244 STAM_COUNTER_INC(&pPool->StatCacheMisses);
2245 return VERR_FILE_NOT_FOUND;
2246}
2247
2248
2249/**
2250 * Inserts a page into the cache.
2251 *
2252 * @param pPool The pool.
2253 * @param pPage The cached page.
2254 * @param fCanBeCached Set if the page is fit for caching from the caller's point of view.
2255 */
2256static void pgmPoolCacheInsert(PPGMPOOL pPool, PPGMPOOLPAGE pPage, bool fCanBeCached)
2257{
2258 /*
2259 * Insert into the GCPhys hash if the page is fit for that.
2260 */
2261 Assert(!pPage->fCached);
2262 if (fCanBeCached)
2263 {
2264 pPage->fCached = true;
2265 pgmPoolHashInsert(pPool, pPage);
2266 Log3(("pgmPoolCacheInsert: Caching %p:{.Core=%RHp, .idx=%d, .enmKind=%s, GCPhys=%RGp}\n",
2267 pPage, pPage->Core.Key, pPage->idx, pgmPoolPoolKindToStr(pPage->enmKind), pPage->GCPhys));
2268 STAM_COUNTER_INC(&pPool->StatCacheCacheable);
2269 }
2270 else
2271 {
2272 Log3(("pgmPoolCacheInsert: Not caching %p:{.Core=%RHp, .idx=%d, .enmKind=%s, GCPhys=%RGp}\n",
2273 pPage, pPage->Core.Key, pPage->idx, pgmPoolPoolKindToStr(pPage->enmKind), pPage->GCPhys));
2274 STAM_COUNTER_INC(&pPool->StatCacheUncacheable);
2275 }
2276
2277 /*
2278 * Insert at the head of the age list.
2279 */
2280 pPage->iAgePrev = NIL_PGMPOOL_IDX;
2281 pPage->iAgeNext = pPool->iAgeHead;
2282 if (pPool->iAgeHead != NIL_PGMPOOL_IDX)
2283 pPool->aPages[pPool->iAgeHead].iAgePrev = pPage->idx;
2284 else
2285 pPool->iAgeTail = pPage->idx;
2286 pPool->iAgeHead = pPage->idx;
2287}
2288
2289
2290/**
2291 * Flushes a cached page.
2292 *
2293 * @param pPool The pool.
2294 * @param pPage The cached page.
2295 */
2296static void pgmPoolCacheFlushPage(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
2297{
2298 Log3(("pgmPoolCacheFlushPage: %RGp\n", pPage->GCPhys));
2299
2300 /*
2301 * Remove the page from the hash.
2302 */
2303 if (pPage->fCached)
2304 {
2305 pPage->fCached = false;
2306 pgmPoolHashRemove(pPool, pPage);
2307 }
2308 else
2309 Assert(pPage->iNext == NIL_PGMPOOL_IDX);
2310
2311 /*
2312 * Remove it from the age list.
2313 */
2314 if (pPage->iAgeNext != NIL_PGMPOOL_IDX)
2315 pPool->aPages[pPage->iAgeNext].iAgePrev = pPage->iAgePrev;
2316 else
2317 pPool->iAgeTail = pPage->iAgePrev;
2318 if (pPage->iAgePrev != NIL_PGMPOOL_IDX)
2319 pPool->aPages[pPage->iAgePrev].iAgeNext = pPage->iAgeNext;
2320 else
2321 pPool->iAgeHead = pPage->iAgeNext;
2322 pPage->iAgeNext = NIL_PGMPOOL_IDX;
2323 pPage->iAgePrev = NIL_PGMPOOL_IDX;
2324}
2325
2326
2327/**
2328 * Looks for pages sharing the monitor.
2329 *
2330 * @returns Pointer to the head page.
2331 * @returns NULL if not found.
2332 * @param pPool The Pool
2333 * @param pNewPage The page which is going to be monitored.
2334 */
2335static PPGMPOOLPAGE pgmPoolMonitorGetPageByGCPhys(PPGMPOOL pPool, PPGMPOOLPAGE pNewPage)
2336{
2337 /*
2338 * Look up the GCPhys in the hash.
2339 */
2340 RTGCPHYS GCPhys = pNewPage->GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK;
2341 unsigned i = pPool->aiHash[PGMPOOL_HASH(GCPhys)];
2342 if (i == NIL_PGMPOOL_IDX)
2343 return NULL;
2344 do
2345 {
2346 PPGMPOOLPAGE pPage = &pPool->aPages[i];
2347 if ( pPage->GCPhys - GCPhys < PAGE_SIZE
2348 && pPage != pNewPage)
2349 {
2350 switch (pPage->enmKind)
2351 {
2352 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
2353 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
2354 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
2355 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
2356 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
2357 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
2358 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
2359 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
2360 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
2361 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
2362 case PGMPOOLKIND_64BIT_PML4:
2363 case PGMPOOLKIND_32BIT_PD:
2364 case PGMPOOLKIND_PAE_PDPT:
2365 {
2366 /* find the head */
2367 while (pPage->iMonitoredPrev != NIL_PGMPOOL_IDX)
2368 {
2369 Assert(pPage->iMonitoredPrev != pPage->idx);
2370 pPage = &pPool->aPages[pPage->iMonitoredPrev];
2371 }
2372 return pPage;
2373 }
2374
2375 /* ignore, no monitoring. */
2376 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
2377 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
2378 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
2379 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2380 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2381 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2382 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2383 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2384 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2385 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2386 case PGMPOOLKIND_ROOT_NESTED:
2387 case PGMPOOLKIND_PAE_PD_PHYS:
2388 case PGMPOOLKIND_PAE_PDPT_PHYS:
2389 case PGMPOOLKIND_32BIT_PD_PHYS:
2390 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
2391 break;
2392 default:
2393 AssertFatalMsgFailed(("enmKind=%d idx=%d\n", pPage->enmKind, pPage->idx));
2394 }
2395 }
2396
2397 /* next */
2398 i = pPage->iNext;
2399 } while (i != NIL_PGMPOOL_IDX);
2400 return NULL;
2401}
2402
2403
2404/**
2405 * Enabled write monitoring of a guest page.
2406 *
2407 * @returns VBox status code.
2408 * @retval VINF_SUCCESS on success.
2409 * @param pPool The pool.
2410 * @param pPage The cached page.
2411 */
2412static int pgmPoolMonitorInsert(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
2413{
2414 LogFlow(("pgmPoolMonitorInsert %RGp\n", pPage->GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK));
2415
2416 /*
2417 * Filter out the relevant kinds.
2418 */
2419 switch (pPage->enmKind)
2420 {
2421 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
2422 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
2423 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
2424 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
2425 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
2426 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
2427 case PGMPOOLKIND_64BIT_PML4:
2428 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
2429 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
2430 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
2431 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
2432 case PGMPOOLKIND_32BIT_PD:
2433 case PGMPOOLKIND_PAE_PDPT:
2434 break;
2435
2436 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
2437 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
2438 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
2439 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2440 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2441 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2442 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2443 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2444 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2445 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2446 case PGMPOOLKIND_ROOT_NESTED:
2447 /* Nothing to monitor here. */
2448 return VINF_SUCCESS;
2449
2450 case PGMPOOLKIND_32BIT_PD_PHYS:
2451 case PGMPOOLKIND_PAE_PDPT_PHYS:
2452 case PGMPOOLKIND_PAE_PD_PHYS:
2453 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
2454 /* Nothing to monitor here. */
2455 return VINF_SUCCESS;
2456 default:
2457 AssertFatalMsgFailed(("This can't happen! enmKind=%d\n", pPage->enmKind));
2458 }
2459
2460 /*
2461 * Install handler.
2462 */
2463 int rc;
2464 PPGMPOOLPAGE pPageHead = pgmPoolMonitorGetPageByGCPhys(pPool, pPage);
2465 if (pPageHead)
2466 {
2467 Assert(pPageHead != pPage); Assert(pPageHead->iMonitoredNext != pPage->idx);
2468 Assert(pPageHead->iMonitoredPrev != pPage->idx);
2469
2470#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
2471 if (pPageHead->fDirty)
2472 pgmPoolFlushDirtyPage(pPool->CTX_SUFF(pVM), pPool, pPageHead->idxDirtyEntry, false /* do not remove */);
2473#endif
2474
2475 pPage->iMonitoredPrev = pPageHead->idx;
2476 pPage->iMonitoredNext = pPageHead->iMonitoredNext;
2477 if (pPageHead->iMonitoredNext != NIL_PGMPOOL_IDX)
2478 pPool->aPages[pPageHead->iMonitoredNext].iMonitoredPrev = pPage->idx;
2479 pPageHead->iMonitoredNext = pPage->idx;
2480 rc = VINF_SUCCESS;
2481 }
2482 else
2483 {
2484 Assert(pPage->iMonitoredNext == NIL_PGMPOOL_IDX); Assert(pPage->iMonitoredPrev == NIL_PGMPOOL_IDX);
2485 PVM pVM = pPool->CTX_SUFF(pVM);
2486 const RTGCPHYS GCPhysPage = pPage->GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK;
2487 rc = PGMHandlerPhysicalRegisterEx(pVM, PGMPHYSHANDLERTYPE_PHYSICAL_WRITE,
2488 GCPhysPage, GCPhysPage + PAGE_OFFSET_MASK,
2489 pPool->pfnAccessHandlerR3, MMHyperCCToR3(pVM, pPage),
2490 pPool->pfnAccessHandlerR0, MMHyperCCToR0(pVM, pPage),
2491 pPool->pfnAccessHandlerRC, MMHyperCCToRC(pVM, pPage),
2492 pPool->pszAccessHandler);
2493 /** @todo we should probably deal with out-of-memory conditions here, but for now increasing
2494 * the heap size should suffice. */
2495 AssertFatalMsgRC(rc, ("PGMHandlerPhysicalRegisterEx %RGp failed with %Rrc\n", GCPhysPage, rc));
2496 PVMCPU pVCpu = VMMGetCpu(pVM);
2497 AssertFatalMsg(!(pVCpu->pgm.s.fSyncFlags & PGM_SYNC_CLEAR_PGM_POOL) || VMCPU_FF_ISSET(pVCpu, VMCPU_FF_PGM_SYNC_CR3), ("fSyncFlags=%x syncff=%d\n", pVCpu->pgm.s.fSyncFlags, VMCPU_FF_ISSET(pVCpu, VMCPU_FF_PGM_SYNC_CR3)));
2498 }
2499 pPage->fMonitored = true;
2500 return rc;
2501}
2502
2503
2504/**
2505 * Disables write monitoring of a guest page.
2506 *
2507 * @returns VBox status code.
2508 * @retval VINF_SUCCESS on success.
2509 * @param pPool The pool.
2510 * @param pPage The cached page.
2511 */
2512static int pgmPoolMonitorFlush(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
2513{
2514 /*
2515 * Filter out the relevant kinds.
2516 */
2517 switch (pPage->enmKind)
2518 {
2519 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
2520 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
2521 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
2522 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
2523 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
2524 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
2525 case PGMPOOLKIND_64BIT_PML4:
2526 case PGMPOOLKIND_32BIT_PD:
2527 case PGMPOOLKIND_PAE_PDPT:
2528 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
2529 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
2530 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
2531 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
2532 break;
2533
2534 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
2535 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
2536 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
2537 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
2538 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
2539 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
2540 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
2541 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
2542 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
2543 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
2544 case PGMPOOLKIND_ROOT_NESTED:
2545 case PGMPOOLKIND_PAE_PD_PHYS:
2546 case PGMPOOLKIND_PAE_PDPT_PHYS:
2547 case PGMPOOLKIND_32BIT_PD_PHYS:
2548 /* Nothing to monitor here. */
2549 Assert(!pPage->fMonitored);
2550 return VINF_SUCCESS;
2551
2552 default:
2553 AssertFatalMsgFailed(("This can't happen! enmKind=%d\n", pPage->enmKind));
2554 }
2555 Assert(pPage->fMonitored);
2556
2557 /*
2558 * Remove the page from the monitored list or uninstall it if last.
2559 */
2560 const PVM pVM = pPool->CTX_SUFF(pVM);
2561 int rc;
2562 if ( pPage->iMonitoredNext != NIL_PGMPOOL_IDX
2563 || pPage->iMonitoredPrev != NIL_PGMPOOL_IDX)
2564 {
2565 if (pPage->iMonitoredPrev == NIL_PGMPOOL_IDX)
2566 {
2567 PPGMPOOLPAGE pNewHead = &pPool->aPages[pPage->iMonitoredNext];
2568 pNewHead->iMonitoredPrev = NIL_PGMPOOL_IDX;
2569 rc = PGMHandlerPhysicalChangeCallbacks(pVM, pPage->GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK,
2570 pPool->pfnAccessHandlerR3, MMHyperCCToR3(pVM, pNewHead),
2571 pPool->pfnAccessHandlerR0, MMHyperCCToR0(pVM, pNewHead),
2572 pPool->pfnAccessHandlerRC, MMHyperCCToRC(pVM, pNewHead),
2573 pPool->pszAccessHandler);
2574 AssertFatalRCSuccess(rc);
2575 pPage->iMonitoredNext = NIL_PGMPOOL_IDX;
2576 }
2577 else
2578 {
2579 pPool->aPages[pPage->iMonitoredPrev].iMonitoredNext = pPage->iMonitoredNext;
2580 if (pPage->iMonitoredNext != NIL_PGMPOOL_IDX)
2581 {
2582 pPool->aPages[pPage->iMonitoredNext].iMonitoredPrev = pPage->iMonitoredPrev;
2583 pPage->iMonitoredNext = NIL_PGMPOOL_IDX;
2584 }
2585 pPage->iMonitoredPrev = NIL_PGMPOOL_IDX;
2586 rc = VINF_SUCCESS;
2587 }
2588 }
2589 else
2590 {
2591 rc = PGMHandlerPhysicalDeregister(pVM, pPage->GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK);
2592 AssertFatalRC(rc);
2593 PVMCPU pVCpu = VMMGetCpu(pVM);
2594 AssertFatalMsg(!(pVCpu->pgm.s.fSyncFlags & PGM_SYNC_CLEAR_PGM_POOL) || VMCPU_FF_ISSET(pVCpu, VMCPU_FF_PGM_SYNC_CR3),
2595 ("%#x %#x\n", pVCpu->pgm.s.fSyncFlags, pVM->fGlobalForcedActions));
2596 }
2597 pPage->fMonitored = false;
2598
2599 /*
2600 * Remove it from the list of modified pages (if in it).
2601 */
2602 pgmPoolMonitorModifiedRemove(pPool, pPage);
2603
2604 return rc;
2605}
2606
2607
2608/**
2609 * Inserts the page into the list of modified pages.
2610 *
2611 * @param pPool The pool.
2612 * @param pPage The page.
2613 */
2614void pgmPoolMonitorModifiedInsert(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
2615{
2616 Log3(("pgmPoolMonitorModifiedInsert: idx=%d\n", pPage->idx));
2617 AssertMsg( pPage->iModifiedNext == NIL_PGMPOOL_IDX
2618 && pPage->iModifiedPrev == NIL_PGMPOOL_IDX
2619 && pPool->iModifiedHead != pPage->idx,
2620 ("Next=%d Prev=%d idx=%d cModifications=%d Head=%d cModifiedPages=%d\n",
2621 pPage->iModifiedNext, pPage->iModifiedPrev, pPage->idx, pPage->cModifications,
2622 pPool->iModifiedHead, pPool->cModifiedPages));
2623
2624 pPage->iModifiedNext = pPool->iModifiedHead;
2625 if (pPool->iModifiedHead != NIL_PGMPOOL_IDX)
2626 pPool->aPages[pPool->iModifiedHead].iModifiedPrev = pPage->idx;
2627 pPool->iModifiedHead = pPage->idx;
2628 pPool->cModifiedPages++;
2629#ifdef VBOX_WITH_STATISTICS
2630 if (pPool->cModifiedPages > pPool->cModifiedPagesHigh)
2631 pPool->cModifiedPagesHigh = pPool->cModifiedPages;
2632#endif
2633}
2634
2635
2636/**
2637 * Removes the page from the list of modified pages and resets the
2638 * modification counter.
2639 *
2640 * @param pPool The pool.
2641 * @param pPage The page which is believed to be in the list of modified pages.
2642 */
2643static void pgmPoolMonitorModifiedRemove(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
2644{
2645 Log3(("pgmPoolMonitorModifiedRemove: idx=%d cModifications=%d\n", pPage->idx, pPage->cModifications));
2646 if (pPool->iModifiedHead == pPage->idx)
2647 {
2648 Assert(pPage->iModifiedPrev == NIL_PGMPOOL_IDX);
2649 pPool->iModifiedHead = pPage->iModifiedNext;
2650 if (pPage->iModifiedNext != NIL_PGMPOOL_IDX)
2651 {
2652 pPool->aPages[pPage->iModifiedNext].iModifiedPrev = NIL_PGMPOOL_IDX;
2653 pPage->iModifiedNext = NIL_PGMPOOL_IDX;
2654 }
2655 pPool->cModifiedPages--;
2656 }
2657 else if (pPage->iModifiedPrev != NIL_PGMPOOL_IDX)
2658 {
2659 pPool->aPages[pPage->iModifiedPrev].iModifiedNext = pPage->iModifiedNext;
2660 if (pPage->iModifiedNext != NIL_PGMPOOL_IDX)
2661 {
2662 pPool->aPages[pPage->iModifiedNext].iModifiedPrev = pPage->iModifiedPrev;
2663 pPage->iModifiedNext = NIL_PGMPOOL_IDX;
2664 }
2665 pPage->iModifiedPrev = NIL_PGMPOOL_IDX;
2666 pPool->cModifiedPages--;
2667 }
2668 else
2669 Assert(pPage->iModifiedPrev == NIL_PGMPOOL_IDX);
2670 pPage->cModifications = 0;
2671}
2672
2673
2674/**
2675 * Zaps the list of modified pages, resetting their modification counters in the process.
2676 *
2677 * @param pVM Pointer to the VM.
2678 */
2679static void pgmPoolMonitorModifiedClearAll(PVM pVM)
2680{
2681 pgmLock(pVM);
2682 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
2683 LogFlow(("pgmPoolMonitorModifiedClearAll: cModifiedPages=%d\n", pPool->cModifiedPages));
2684
2685 unsigned cPages = 0; NOREF(cPages);
2686
2687#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
2688 pgmPoolResetDirtyPages(pVM);
2689#endif
2690
2691 uint16_t idx = pPool->iModifiedHead;
2692 pPool->iModifiedHead = NIL_PGMPOOL_IDX;
2693 while (idx != NIL_PGMPOOL_IDX)
2694 {
2695 PPGMPOOLPAGE pPage = &pPool->aPages[idx];
2696 idx = pPage->iModifiedNext;
2697 pPage->iModifiedNext = NIL_PGMPOOL_IDX;
2698 pPage->iModifiedPrev = NIL_PGMPOOL_IDX;
2699 pPage->cModifications = 0;
2700 Assert(++cPages);
2701 }
2702 AssertMsg(cPages == pPool->cModifiedPages, ("%d != %d\n", cPages, pPool->cModifiedPages));
2703 pPool->cModifiedPages = 0;
2704 pgmUnlock(pVM);
2705}
2706
2707
2708/**
2709 * Handle SyncCR3 pool tasks
2710 *
2711 * @returns VBox status code.
2712 * @retval VINF_SUCCESS if successfully added.
2713 * @retval VINF_PGM_SYNC_CR3 is it needs to be deferred to ring 3 (GC only)
2714 * @param pVCpu Pointer to the VMCPU.
2715 * @remark Should only be used when monitoring is available, thus placed in
2716 * the PGMPOOL_WITH_MONITORING #ifdef.
2717 */
2718int pgmPoolSyncCR3(PVMCPU pVCpu)
2719{
2720 PVM pVM = pVCpu->CTX_SUFF(pVM);
2721 LogFlow(("pgmPoolSyncCR3 fSyncFlags=%x\n", pVCpu->pgm.s.fSyncFlags));
2722
2723 /*
2724 * When monitoring shadowed pages, we reset the modification counters on CR3 sync.
2725 * Occasionally we will have to clear all the shadow page tables because we wanted
2726 * to monitor a page which was mapped by too many shadowed page tables. This operation
2727 * sometimes referred to as a 'lightweight flush'.
2728 */
2729# ifdef IN_RING3 /* Don't flush in ring-0 or raw mode, it's taking too long. */
2730 if (pVCpu->pgm.s.fSyncFlags & PGM_SYNC_CLEAR_PGM_POOL)
2731 pgmR3PoolClearAll(pVM, false /*fFlushRemTlb*/);
2732# else /* !IN_RING3 */
2733 if (pVCpu->pgm.s.fSyncFlags & PGM_SYNC_CLEAR_PGM_POOL)
2734 {
2735 Log(("SyncCR3: PGM_SYNC_CLEAR_PGM_POOL is set -> VINF_PGM_SYNC_CR3\n"));
2736 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3); /** @todo no need to do global sync, right? */
2737
2738 /* Make sure all other VCPUs return to ring 3. */
2739 if (pVM->cCpus > 1)
2740 {
2741 VM_FF_SET(pVM, VM_FF_PGM_POOL_FLUSH_PENDING);
2742 PGM_INVL_ALL_VCPU_TLBS(pVM);
2743 }
2744 return VINF_PGM_SYNC_CR3;
2745 }
2746# endif /* !IN_RING3 */
2747 else
2748 {
2749 pgmPoolMonitorModifiedClearAll(pVM);
2750
2751 /* pgmPoolMonitorModifiedClearAll can cause a pgm pool flush (dirty page clearing), so make sure we handle this! */
2752 if (pVCpu->pgm.s.fSyncFlags & PGM_SYNC_CLEAR_PGM_POOL)
2753 {
2754 Log(("pgmPoolMonitorModifiedClearAll caused a pgm flush -> call pgmPoolSyncCR3 again!\n"));
2755 return pgmPoolSyncCR3(pVCpu);
2756 }
2757 }
2758 return VINF_SUCCESS;
2759}
2760
2761
2762/**
2763 * Frees up at least one user entry.
2764 *
2765 * @returns VBox status code.
2766 * @retval VINF_SUCCESS if successfully added.
2767 * @retval VERR_PGM_POOL_FLUSHED if the pool was flushed.
2768 * @param pPool The pool.
2769 * @param iUser The user index.
2770 */
2771static int pgmPoolTrackFreeOneUser(PPGMPOOL pPool, uint16_t iUser)
2772{
2773 STAM_COUNTER_INC(&pPool->StatTrackFreeUpOneUser);
2774 /*
2775 * Just free cached pages in a braindead fashion.
2776 */
2777 /** @todo walk the age list backwards and free the first with usage. */
2778 int rc = VINF_SUCCESS;
2779 do
2780 {
2781 int rc2 = pgmPoolCacheFreeOne(pPool, iUser);
2782 if (RT_FAILURE(rc2) && rc == VINF_SUCCESS)
2783 rc = rc2;
2784 } while (pPool->iUserFreeHead == NIL_PGMPOOL_USER_INDEX);
2785 return rc;
2786}
2787
2788
2789/**
2790 * Inserts a page into the cache.
2791 *
2792 * This will create user node for the page, insert it into the GCPhys
2793 * hash, and insert it into the age list.
2794 *
2795 * @returns VBox status code.
2796 * @retval VINF_SUCCESS if successfully added.
2797 * @retval VERR_PGM_POOL_FLUSHED if the pool was flushed.
2798 * @param pPool The pool.
2799 * @param pPage The cached page.
2800 * @param GCPhys The GC physical address of the page we're gonna shadow.
2801 * @param iUser The user index.
2802 * @param iUserTable The user table index.
2803 */
2804DECLINLINE(int) pgmPoolTrackInsert(PPGMPOOL pPool, PPGMPOOLPAGE pPage, RTGCPHYS GCPhys, uint16_t iUser, uint32_t iUserTable)
2805{
2806 int rc = VINF_SUCCESS;
2807 PPGMPOOLUSER paUsers = pPool->CTX_SUFF(paUsers);
2808
2809 LogFlow(("pgmPoolTrackInsert GCPhys=%RGp iUser=%d iUserTable=%x\n", GCPhys, iUser, iUserTable));
2810
2811 if (iUser != NIL_PGMPOOL_IDX)
2812 {
2813#ifdef VBOX_STRICT
2814 /*
2815 * Check that the entry doesn't already exists.
2816 */
2817 if (pPage->iUserHead != NIL_PGMPOOL_USER_INDEX)
2818 {
2819 uint16_t i = pPage->iUserHead;
2820 do
2821 {
2822 Assert(i < pPool->cMaxUsers);
2823 AssertMsg(paUsers[i].iUser != iUser || paUsers[i].iUserTable != iUserTable, ("%x %x vs new %x %x\n", paUsers[i].iUser, paUsers[i].iUserTable, iUser, iUserTable));
2824 i = paUsers[i].iNext;
2825 } while (i != NIL_PGMPOOL_USER_INDEX);
2826 }
2827#endif
2828
2829 /*
2830 * Find free a user node.
2831 */
2832 uint16_t i = pPool->iUserFreeHead;
2833 if (i == NIL_PGMPOOL_USER_INDEX)
2834 {
2835 rc = pgmPoolTrackFreeOneUser(pPool, iUser);
2836 if (RT_FAILURE(rc))
2837 return rc;
2838 i = pPool->iUserFreeHead;
2839 }
2840
2841 /*
2842 * Unlink the user node from the free list,
2843 * initialize and insert it into the user list.
2844 */
2845 pPool->iUserFreeHead = paUsers[i].iNext;
2846 paUsers[i].iNext = NIL_PGMPOOL_USER_INDEX;
2847 paUsers[i].iUser = iUser;
2848 paUsers[i].iUserTable = iUserTable;
2849 pPage->iUserHead = i;
2850 }
2851 else
2852 pPage->iUserHead = NIL_PGMPOOL_USER_INDEX;
2853
2854
2855 /*
2856 * Insert into cache and enable monitoring of the guest page if enabled.
2857 *
2858 * Until we implement caching of all levels, including the CR3 one, we'll
2859 * have to make sure we don't try monitor & cache any recursive reuse of
2860 * a monitored CR3 page. Because all windows versions are doing this we'll
2861 * have to be able to do combined access monitoring, CR3 + PT and
2862 * PD + PT (guest PAE).
2863 *
2864 * Update:
2865 * We're now cooperating with the CR3 monitor if an uncachable page is found.
2866 */
2867 const bool fCanBeMonitored = true;
2868 pgmPoolCacheInsert(pPool, pPage, fCanBeMonitored); /* This can be expanded. */
2869 if (fCanBeMonitored)
2870 {
2871 rc = pgmPoolMonitorInsert(pPool, pPage);
2872 AssertRC(rc);
2873 }
2874 return rc;
2875}
2876
2877
2878/**
2879 * Adds a user reference to a page.
2880 *
2881 * This will move the page to the head of the
2882 *
2883 * @returns VBox status code.
2884 * @retval VINF_SUCCESS if successfully added.
2885 * @retval VERR_PGM_POOL_FLUSHED if the pool was flushed.
2886 * @param pPool The pool.
2887 * @param pPage The cached page.
2888 * @param iUser The user index.
2889 * @param iUserTable The user table.
2890 */
2891static int pgmPoolTrackAddUser(PPGMPOOL pPool, PPGMPOOLPAGE pPage, uint16_t iUser, uint32_t iUserTable)
2892{
2893 Log3(("pgmPoolTrackAddUser: GCPhys=%RGp iUser=%%x iUserTable=%x\n", pPage->GCPhys, iUser, iUserTable));
2894 PPGMPOOLUSER paUsers = pPool->CTX_SUFF(paUsers);
2895 Assert(iUser != NIL_PGMPOOL_IDX);
2896
2897# ifdef VBOX_STRICT
2898 /*
2899 * Check that the entry doesn't already exists. We only allow multiple
2900 * users of top-level paging structures (SHW_POOL_ROOT_IDX).
2901 */
2902 if (pPage->iUserHead != NIL_PGMPOOL_USER_INDEX)
2903 {
2904 uint16_t i = pPage->iUserHead;
2905 do
2906 {
2907 Assert(i < pPool->cMaxUsers);
2908 /** @todo this assertion looks odd... Shouldn't it be && here? */
2909 AssertMsg(paUsers[i].iUser != iUser || paUsers[i].iUserTable != iUserTable, ("%x %x vs new %x %x\n", paUsers[i].iUser, paUsers[i].iUserTable, iUser, iUserTable));
2910 i = paUsers[i].iNext;
2911 } while (i != NIL_PGMPOOL_USER_INDEX);
2912 }
2913# endif
2914
2915 /*
2916 * Allocate a user node.
2917 */
2918 uint16_t i = pPool->iUserFreeHead;
2919 if (i == NIL_PGMPOOL_USER_INDEX)
2920 {
2921 int rc = pgmPoolTrackFreeOneUser(pPool, iUser);
2922 if (RT_FAILURE(rc))
2923 return rc;
2924 i = pPool->iUserFreeHead;
2925 }
2926 pPool->iUserFreeHead = paUsers[i].iNext;
2927
2928 /*
2929 * Initialize the user node and insert it.
2930 */
2931 paUsers[i].iNext = pPage->iUserHead;
2932 paUsers[i].iUser = iUser;
2933 paUsers[i].iUserTable = iUserTable;
2934 pPage->iUserHead = i;
2935
2936# ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
2937 if (pPage->fDirty)
2938 pgmPoolFlushDirtyPage(pPool->CTX_SUFF(pVM), pPool, pPage->idxDirtyEntry, false /* do not remove */);
2939# endif
2940
2941 /*
2942 * Tell the cache to update its replacement stats for this page.
2943 */
2944 pgmPoolCacheUsed(pPool, pPage);
2945 return VINF_SUCCESS;
2946}
2947
2948
2949/**
2950 * Frees a user record associated with a page.
2951 *
2952 * This does not clear the entry in the user table, it simply replaces the
2953 * user record to the chain of free records.
2954 *
2955 * @param pPool The pool.
2956 * @param HCPhys The HC physical address of the shadow page.
2957 * @param iUser The shadow page pool index of the user table.
2958 * @param iUserTable The index into the user table (shadowed).
2959 *
2960 * @remarks Don't call this for root pages.
2961 */
2962static void pgmPoolTrackFreeUser(PPGMPOOL pPool, PPGMPOOLPAGE pPage, uint16_t iUser, uint32_t iUserTable)
2963{
2964 Log3(("pgmPoolTrackFreeUser %RGp %x %x\n", pPage->GCPhys, iUser, iUserTable));
2965 PPGMPOOLUSER paUsers = pPool->CTX_SUFF(paUsers);
2966 Assert(iUser != NIL_PGMPOOL_IDX);
2967
2968 /*
2969 * Unlink and free the specified user entry.
2970 */
2971
2972 /* Special: For PAE and 32-bit paging, there is usually no more than one user. */
2973 uint16_t i = pPage->iUserHead;
2974 if ( i != NIL_PGMPOOL_USER_INDEX
2975 && paUsers[i].iUser == iUser
2976 && paUsers[i].iUserTable == iUserTable)
2977 {
2978 pPage->iUserHead = paUsers[i].iNext;
2979
2980 paUsers[i].iUser = NIL_PGMPOOL_IDX;
2981 paUsers[i].iNext = pPool->iUserFreeHead;
2982 pPool->iUserFreeHead = i;
2983 return;
2984 }
2985
2986 /* General: Linear search. */
2987 uint16_t iPrev = NIL_PGMPOOL_USER_INDEX;
2988 while (i != NIL_PGMPOOL_USER_INDEX)
2989 {
2990 if ( paUsers[i].iUser == iUser
2991 && paUsers[i].iUserTable == iUserTable)
2992 {
2993 if (iPrev != NIL_PGMPOOL_USER_INDEX)
2994 paUsers[iPrev].iNext = paUsers[i].iNext;
2995 else
2996 pPage->iUserHead = paUsers[i].iNext;
2997
2998 paUsers[i].iUser = NIL_PGMPOOL_IDX;
2999 paUsers[i].iNext = pPool->iUserFreeHead;
3000 pPool->iUserFreeHead = i;
3001 return;
3002 }
3003 iPrev = i;
3004 i = paUsers[i].iNext;
3005 }
3006
3007 /* Fatal: didn't find it */
3008 AssertFatalMsgFailed(("Didn't find the user entry! iUser=%d iUserTable=%#x GCPhys=%RGp\n",
3009 iUser, iUserTable, pPage->GCPhys));
3010}
3011
3012
3013/**
3014 * Gets the entry size of a shadow table.
3015 *
3016 * @param enmKind The kind of page.
3017 *
3018 * @returns The size of the entry in bytes. That is, 4 or 8.
3019 * @returns If the kind is not for a table, an assertion is raised and 0 is
3020 * returned.
3021 */
3022DECLINLINE(unsigned) pgmPoolTrackGetShadowEntrySize(PGMPOOLKIND enmKind)
3023{
3024 switch (enmKind)
3025 {
3026 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
3027 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
3028 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
3029 case PGMPOOLKIND_32BIT_PD:
3030 case PGMPOOLKIND_32BIT_PD_PHYS:
3031 return 4;
3032
3033 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
3034 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
3035 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
3036 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
3037 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
3038 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
3039 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
3040 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
3041 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
3042 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
3043 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
3044 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
3045 case PGMPOOLKIND_64BIT_PML4:
3046 case PGMPOOLKIND_PAE_PDPT:
3047 case PGMPOOLKIND_ROOT_NESTED:
3048 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
3049 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
3050 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
3051 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
3052 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
3053 case PGMPOOLKIND_PAE_PD_PHYS:
3054 case PGMPOOLKIND_PAE_PDPT_PHYS:
3055 return 8;
3056
3057 default:
3058 AssertFatalMsgFailed(("enmKind=%d\n", enmKind));
3059 }
3060}
3061
3062
3063/**
3064 * Gets the entry size of a guest table.
3065 *
3066 * @param enmKind The kind of page.
3067 *
3068 * @returns The size of the entry in bytes. That is, 0, 4 or 8.
3069 * @returns If the kind is not for a table, an assertion is raised and 0 is
3070 * returned.
3071 */
3072DECLINLINE(unsigned) pgmPoolTrackGetGuestEntrySize(PGMPOOLKIND enmKind)
3073{
3074 switch (enmKind)
3075 {
3076 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
3077 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
3078 case PGMPOOLKIND_32BIT_PD:
3079 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
3080 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
3081 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
3082 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
3083 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
3084 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
3085 return 4;
3086
3087 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
3088 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
3089 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
3090 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
3091 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
3092 case PGMPOOLKIND_64BIT_PML4:
3093 case PGMPOOLKIND_PAE_PDPT:
3094 return 8;
3095
3096 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
3097 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
3098 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
3099 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
3100 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
3101 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
3102 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
3103 case PGMPOOLKIND_ROOT_NESTED:
3104 case PGMPOOLKIND_PAE_PD_PHYS:
3105 case PGMPOOLKIND_PAE_PDPT_PHYS:
3106 case PGMPOOLKIND_32BIT_PD_PHYS:
3107 /** @todo can we return 0? (nobody is calling this...) */
3108 AssertFailed();
3109 return 0;
3110
3111 default:
3112 AssertFatalMsgFailed(("enmKind=%d\n", enmKind));
3113 }
3114}
3115
3116
3117/**
3118 * Checks one shadow page table entry for a mapping of a physical page.
3119 *
3120 * @returns true / false indicating removal of all relevant PTEs
3121 *
3122 * @param pVM Pointer to the VM.
3123 * @param pPhysPage The guest page in question.
3124 * @param fFlushPTEs Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
3125 * @param iShw The shadow page table.
3126 * @param iPte Page table entry or NIL_PGMPOOL_PHYSEXT_IDX_PTE if unknown
3127 */
3128static bool pgmPoolTrackFlushGCPhysPTInt(PVM pVM, PCPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iShw, uint16_t iPte)
3129{
3130 LogFlow(("pgmPoolTrackFlushGCPhysPTInt: pPhysPage=%RHp iShw=%d iPte=%d\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iShw, iPte));
3131 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3132 bool fRet = false;
3133
3134 /*
3135 * Assert sanity.
3136 */
3137 Assert(iPte != NIL_PGMPOOL_PHYSEXT_IDX_PTE);
3138 AssertFatalMsg(iShw < pPool->cCurPages && iShw != NIL_PGMPOOL_IDX, ("iShw=%d\n", iShw));
3139 PPGMPOOLPAGE pPage = &pPool->aPages[iShw];
3140
3141 /*
3142 * Then, clear the actual mappings to the page in the shadow PT.
3143 */
3144 switch (pPage->enmKind)
3145 {
3146 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
3147 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
3148 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
3149 {
3150 const uint32_t u32 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PTE_P;
3151 PX86PT pPT = (PX86PT)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3152 uint32_t u32AndMask = 0;
3153 uint32_t u32OrMask = 0;
3154
3155 if (!fFlushPTEs)
3156 {
3157 switch (PGM_PAGE_GET_HNDL_PHYS_STATE(pPhysPage))
3158 {
3159 case PGM_PAGE_HNDL_PHYS_STATE_NONE: /** No handler installed. */
3160 case PGM_PAGE_HNDL_PHYS_STATE_DISABLED: /** Monitoring is temporarily disabled. */
3161 u32OrMask = X86_PTE_RW;
3162 u32AndMask = UINT32_MAX;
3163 fRet = true;
3164 STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
3165 break;
3166
3167 case PGM_PAGE_HNDL_PHYS_STATE_WRITE: /** Write access is monitored. */
3168 u32OrMask = 0;
3169 u32AndMask = ~X86_PTE_RW;
3170 fRet = true;
3171 STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
3172 break;
3173 default:
3174 /* (shouldn't be here, will assert below) */
3175 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3176 break;
3177 }
3178 }
3179 else
3180 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3181
3182 /* Update the counter if we're removing references. */
3183 if (!u32AndMask)
3184 {
3185 Assert(pPage->cPresent);
3186 Assert(pPool->cPresent);
3187 pPage->cPresent--;
3188 pPool->cPresent--;
3189 }
3190
3191 if ((pPT->a[iPte].u & (X86_PTE_PG_MASK | X86_PTE_P)) == u32)
3192 {
3193 X86PTE Pte;
3194
3195 Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pte=%RX32\n", iPte, pPT->a[iPte]));
3196 Pte.u = (pPT->a[iPte].u & u32AndMask) | u32OrMask;
3197 if (Pte.u & PGM_PTFLAGS_TRACK_DIRTY)
3198 Pte.n.u1Write = 0; /* need to disallow writes when dirty bit tracking is still active. */
3199
3200 ASMAtomicWriteU32(&pPT->a[iPte].u, Pte.u);
3201 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);
3202 return fRet;
3203 }
3204#ifdef LOG_ENABLED
3205 Log(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3206 for (unsigned i = 0, cFound = 0; i < RT_ELEMENTS(pPT->a); i++)
3207 if ((pPT->a[i].u & (X86_PTE_PG_MASK | X86_PTE_P)) == u32)
3208 {
3209 Log(("i=%d cFound=%d\n", i, ++cFound));
3210 }
3211#endif
3212 AssertFatalMsgFailed(("iFirstPresent=%d cPresent=%d u32=%RX32 poolkind=%x\n", pPage->iFirstPresent, pPage->cPresent, u32, pPage->enmKind));
3213 /*PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);*/
3214 break;
3215 }
3216
3217 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
3218 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
3219 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
3220 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
3221 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
3222 case PGMPOOLKIND_EPT_PT_FOR_PHYS: /* physical mask the same as PAE; RW bit as well; be careful! */
3223 {
3224 const uint64_t u64 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PTE_P;
3225 PPGMSHWPTPAE pPT = (PPGMSHWPTPAE)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3226 uint64_t u64OrMask = 0;
3227 uint64_t u64AndMask = 0;
3228
3229 if (!fFlushPTEs)
3230 {
3231 switch (PGM_PAGE_GET_HNDL_PHYS_STATE(pPhysPage))
3232 {
3233 case PGM_PAGE_HNDL_PHYS_STATE_NONE: /* No handler installed. */
3234 case PGM_PAGE_HNDL_PHYS_STATE_DISABLED: /* Monitoring is temporarily disabled. */
3235 u64OrMask = X86_PTE_RW;
3236 u64AndMask = UINT64_MAX;
3237 fRet = true;
3238 STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
3239 break;
3240
3241 case PGM_PAGE_HNDL_PHYS_STATE_WRITE: /* Write access is monitored. */
3242 u64OrMask = 0;
3243 u64AndMask = ~(uint64_t)X86_PTE_RW;
3244 fRet = true;
3245 STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
3246 break;
3247
3248 default:
3249 /* (shouldn't be here, will assert below) */
3250 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3251 break;
3252 }
3253 }
3254 else
3255 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3256
3257 /* Update the counter if we're removing references. */
3258 if (!u64AndMask)
3259 {
3260 Assert(pPage->cPresent);
3261 Assert(pPool->cPresent);
3262 pPage->cPresent--;
3263 pPool->cPresent--;
3264 }
3265
3266 if ((PGMSHWPTEPAE_GET_U(pPT->a[iPte]) & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == u64)
3267 {
3268 X86PTEPAE Pte;
3269
3270 Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pte=%RX64\n", iPte, PGMSHWPTEPAE_GET_LOG(pPT->a[iPte])));
3271 Pte.u = (PGMSHWPTEPAE_GET_U(pPT->a[iPte]) & u64AndMask) | u64OrMask;
3272 if (Pte.u & PGM_PTFLAGS_TRACK_DIRTY)
3273 Pte.n.u1Write = 0; /* need to disallow writes when dirty bit tracking is still active. */
3274
3275 PGMSHWPTEPAE_ATOMIC_SET(pPT->a[iPte], Pte.u);
3276 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);
3277 return fRet;
3278 }
3279#ifdef LOG_ENABLED
3280 Log(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3281 Log(("Found %RX64 expected %RX64\n", PGMSHWPTEPAE_GET_U(pPT->a[iPte]) & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX), u64));
3282 for (unsigned i = 0, cFound = 0; i < RT_ELEMENTS(pPT->a); i++)
3283 if ((PGMSHWPTEPAE_GET_U(pPT->a[i]) & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == u64)
3284 Log(("i=%d cFound=%d\n", i, ++cFound));
3285#endif
3286 AssertFatalMsgFailed(("iFirstPresent=%d cPresent=%d u64=%RX64 poolkind=%x iPte=%d PT=%RX64\n", pPage->iFirstPresent, pPage->cPresent, u64, pPage->enmKind, iPte, PGMSHWPTEPAE_GET_LOG(pPT->a[iPte])));
3287 /*PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);*/
3288 break;
3289 }
3290
3291#ifdef PGM_WITH_LARGE_PAGES
3292 /* Large page case only. */
3293 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
3294 {
3295 Assert(pVM->pgm.s.fNestedPaging);
3296
3297 const uint64_t u64 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PDE4M_P | X86_PDE4M_PS;
3298 PEPTPD pPD = (PEPTPD)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3299
3300 if ((pPD->a[iPte].u & (EPT_PDE2M_PG_MASK | X86_PDE4M_P | X86_PDE4M_PS)) == u64)
3301 {
3302 Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pde=%RX64\n", iPte, pPD->a[iPte]));
3303 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3304 pPD->a[iPte].u = 0;
3305 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPD);
3306
3307 /* Update the counter as we're removing references. */
3308 Assert(pPage->cPresent);
3309 Assert(pPool->cPresent);
3310 pPage->cPresent--;
3311 pPool->cPresent--;
3312
3313 return fRet;
3314 }
3315# ifdef LOG_ENABLED
3316 Log(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3317 for (unsigned i = 0, cFound = 0; i < RT_ELEMENTS(pPD->a); i++)
3318 if ((pPD->a[i].u & (EPT_PDE2M_PG_MASK | X86_PDE4M_P | X86_PDE4M_PS)) == u64)
3319 Log(("i=%d cFound=%d\n", i, ++cFound));
3320# endif
3321 AssertFatalMsgFailed(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3322 /*PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPD);*/
3323 break;
3324 }
3325
3326 /* AMD-V nested paging */ /** @todo merge with EPT as we only check the parts that are identical. */
3327 case PGMPOOLKIND_PAE_PD_PHYS:
3328 {
3329 Assert(pVM->pgm.s.fNestedPaging);
3330
3331 const uint64_t u64 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PDE4M_P | X86_PDE4M_PS;
3332 PX86PD pPD = (PX86PD)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3333
3334 if ((pPD->a[iPte].u & (X86_PDE2M_PAE_PG_MASK | X86_PDE4M_P | X86_PDE4M_PS)) == u64)
3335 {
3336 Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pde=%RX64\n", iPte, pPD->a[iPte]));
3337 STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
3338 pPD->a[iPte].u = 0;
3339 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPD);
3340
3341 /* Update the counter as we're removing references. */
3342 Assert(pPage->cPresent);
3343 Assert(pPool->cPresent);
3344 pPage->cPresent--;
3345 pPool->cPresent--;
3346 return fRet;
3347 }
3348# ifdef LOG_ENABLED
3349 Log(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3350 for (unsigned i = 0, cFound = 0; i < RT_ELEMENTS(pPD->a); i++)
3351 if ((pPD->a[i].u & (X86_PDE2M_PAE_PG_MASK | X86_PDE4M_P | X86_PDE4M_PS)) == u64)
3352 Log(("i=%d cFound=%d\n", i, ++cFound));
3353# endif
3354 AssertFatalMsgFailed(("iFirstPresent=%d cPresent=%d\n", pPage->iFirstPresent, pPage->cPresent));
3355 /*PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPD);*/
3356 break;
3357 }
3358#endif /* PGM_WITH_LARGE_PAGES */
3359
3360 default:
3361 AssertFatalMsgFailed(("enmKind=%d iShw=%d\n", pPage->enmKind, iShw));
3362 }
3363
3364 /* not reached. */
3365#ifndef _MSC_VER
3366 return fRet;
3367#endif
3368}
3369
3370
3371/**
3372 * Scans one shadow page table for mappings of a physical page.
3373 *
3374 * @param pVM Pointer to the VM.
3375 * @param pPhysPage The guest page in question.
3376 * @param fFlushPTEs Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
3377 * @param iShw The shadow page table.
3378 */
3379static void pgmPoolTrackFlushGCPhysPT(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iShw)
3380{
3381 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool); NOREF(pPool);
3382
3383 /* We should only come here with when there's only one reference to this physical page. */
3384 Assert(PGMPOOL_TD_GET_CREFS(PGM_PAGE_GET_TRACKING(pPhysPage)) == 1);
3385
3386 Log2(("pgmPoolTrackFlushGCPhysPT: pPhysPage=%RHp iShw=%d\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iShw));
3387 STAM_PROFILE_START(&pPool->StatTrackFlushGCPhysPT, f);
3388 bool fKeptPTEs = pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, fFlushPTEs, iShw, PGM_PAGE_GET_PTE_INDEX(pPhysPage));
3389 if (!fKeptPTEs)
3390 PGM_PAGE_SET_TRACKING(pVM, pPhysPage, 0);
3391 STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPT, f);
3392}
3393
3394
3395/**
3396 * Flushes a list of shadow page tables mapping the same physical page.
3397 *
3398 * @param pVM Pointer to the VM.
3399 * @param pPhysPage The guest page in question.
3400 * @param fFlushPTEs Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
3401 * @param iPhysExt The physical cross reference extent list to flush.
3402 */
3403static void pgmPoolTrackFlushGCPhysPTs(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iPhysExt)
3404{
3405 PGM_LOCK_ASSERT_OWNER(pVM);
3406 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3407 bool fKeepList = false;
3408
3409 STAM_PROFILE_START(&pPool->StatTrackFlushGCPhysPTs, f);
3410 Log2(("pgmPoolTrackFlushGCPhysPTs: pPhysPage=%RHp iPhysExt\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iPhysExt));
3411
3412 const uint16_t iPhysExtStart = iPhysExt;
3413 PPGMPOOLPHYSEXT pPhysExt;
3414 do
3415 {
3416 Assert(iPhysExt < pPool->cMaxPhysExts);
3417 pPhysExt = &pPool->CTX_SUFF(paPhysExts)[iPhysExt];
3418 for (unsigned i = 0; i < RT_ELEMENTS(pPhysExt->aidx); i++)
3419 {
3420 if (pPhysExt->aidx[i] != NIL_PGMPOOL_IDX)
3421 {
3422 bool fKeptPTEs = pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, fFlushPTEs, pPhysExt->aidx[i], pPhysExt->apte[i]);
3423 if (!fKeptPTEs)
3424 {
3425 pPhysExt->aidx[i] = NIL_PGMPOOL_IDX;
3426 pPhysExt->apte[i] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
3427 }
3428 else
3429 fKeepList = true;
3430 }
3431 }
3432 /* next */
3433 iPhysExt = pPhysExt->iNext;
3434 } while (iPhysExt != NIL_PGMPOOL_PHYSEXT_INDEX);
3435
3436 if (!fKeepList)
3437 {
3438 /* insert the list into the free list and clear the ram range entry. */
3439 pPhysExt->iNext = pPool->iPhysExtFreeHead;
3440 pPool->iPhysExtFreeHead = iPhysExtStart;
3441 /* Invalidate the tracking data. */
3442 PGM_PAGE_SET_TRACKING(pVM, pPhysPage, 0);
3443 }
3444
3445 STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPTs, f);
3446}
3447
3448
3449/**
3450 * Flushes all shadow page table mappings of the given guest page.
3451 *
3452 * This is typically called when the host page backing the guest one has been
3453 * replaced or when the page protection was changed due to a guest access
3454 * caught by the monitoring.
3455 *
3456 * @returns VBox status code.
3457 * @retval VINF_SUCCESS if all references has been successfully cleared.
3458 * @retval VINF_PGM_SYNC_CR3 if we're better off with a CR3 sync and a page
3459 * pool cleaning. FF and sync flags are set.
3460 *
3461 * @param pVM Pointer to the VM.
3462 * @param GCPhysPage GC physical address of the page in question
3463 * @param pPhysPage The guest page in question.
3464 * @param fFlushPTEs Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
3465 * @param pfFlushTLBs This is set to @a true if the shadow TLBs should be
3466 * flushed, it is NOT touched if this isn't necessary.
3467 * The caller MUST initialized this to @a false.
3468 */
3469int pgmPoolTrackUpdateGCPhys(PVM pVM, RTGCPHYS GCPhysPage, PPGMPAGE pPhysPage, bool fFlushPTEs, bool *pfFlushTLBs)
3470{
3471 PVMCPU pVCpu = VMMGetCpu(pVM);
3472 pgmLock(pVM);
3473 int rc = VINF_SUCCESS;
3474
3475#ifdef PGM_WITH_LARGE_PAGES
3476 /* Is this page part of a large page? */
3477 if (PGM_PAGE_GET_PDE_TYPE(pPhysPage) == PGM_PAGE_PDE_TYPE_PDE)
3478 {
3479 RTGCPHYS GCPhysBase = GCPhysPage & X86_PDE2M_PAE_PG_MASK;
3480 GCPhysPage &= X86_PDE_PAE_PG_MASK;
3481
3482 /* Fetch the large page base. */
3483 PPGMPAGE pLargePage;
3484 if (GCPhysBase != GCPhysPage)
3485 {
3486 pLargePage = pgmPhysGetPage(pVM, GCPhysBase);
3487 AssertFatal(pLargePage);
3488 }
3489 else
3490 pLargePage = pPhysPage;
3491
3492 Log(("pgmPoolTrackUpdateGCPhys: update large page PDE for %RGp (%RGp)\n", GCPhysBase, GCPhysPage));
3493
3494 if (PGM_PAGE_GET_PDE_TYPE(pLargePage) == PGM_PAGE_PDE_TYPE_PDE)
3495 {
3496 /* Mark the large page as disabled as we need to break it up to change a single page in the 2 MB range. */
3497 PGM_PAGE_SET_PDE_TYPE(pVM, pLargePage, PGM_PAGE_PDE_TYPE_PDE_DISABLED);
3498 pVM->pgm.s.cLargePagesDisabled++;
3499
3500 /* Update the base as that *only* that one has a reference and there's only one PDE to clear. */
3501 rc = pgmPoolTrackUpdateGCPhys(pVM, GCPhysBase, pLargePage, fFlushPTEs, pfFlushTLBs);
3502
3503 *pfFlushTLBs = true;
3504 pgmUnlock(pVM);
3505 return rc;
3506 }
3507 }
3508#else
3509 NOREF(GCPhysPage);
3510#endif /* PGM_WITH_LARGE_PAGES */
3511
3512 const uint16_t u16 = PGM_PAGE_GET_TRACKING(pPhysPage);
3513 if (u16)
3514 {
3515 /*
3516 * The zero page is currently screwing up the tracking and we'll
3517 * have to flush the whole shebang. Unless VBOX_WITH_NEW_LAZY_PAGE_ALLOC
3518 * is defined, zero pages won't normally be mapped. Some kind of solution
3519 * will be needed for this problem of course, but it will have to wait...
3520 */
3521 if ( PGM_PAGE_IS_ZERO(pPhysPage)
3522 || PGM_PAGE_IS_BALLOONED(pPhysPage))
3523 rc = VINF_PGM_GCPHYS_ALIASED;
3524 else
3525 {
3526# if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC) /** @todo we can drop this now. */
3527 /* Start a subset here because pgmPoolTrackFlushGCPhysPTsSlow and
3528 pgmPoolTrackFlushGCPhysPTs will/may kill the pool otherwise. */
3529 uint32_t iPrevSubset = PGMRZDynMapPushAutoSubset(pVCpu);
3530# endif
3531
3532 if (PGMPOOL_TD_GET_CREFS(u16) != PGMPOOL_TD_CREFS_PHYSEXT)
3533 {
3534 Assert(PGMPOOL_TD_GET_CREFS(u16) == 1);
3535 pgmPoolTrackFlushGCPhysPT(pVM,
3536 pPhysPage,
3537 fFlushPTEs,
3538 PGMPOOL_TD_GET_IDX(u16));
3539 }
3540 else if (u16 != PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED))
3541 pgmPoolTrackFlushGCPhysPTs(pVM, pPhysPage, fFlushPTEs, PGMPOOL_TD_GET_IDX(u16));
3542 else
3543 rc = pgmPoolTrackFlushGCPhysPTsSlow(pVM, pPhysPage);
3544 *pfFlushTLBs = true;
3545
3546# if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
3547 PGMRZDynMapPopAutoSubset(pVCpu, iPrevSubset);
3548# endif
3549 }
3550 }
3551
3552 if (rc == VINF_PGM_GCPHYS_ALIASED)
3553 {
3554 pVCpu->pgm.s.fSyncFlags |= PGM_SYNC_CLEAR_PGM_POOL;
3555 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
3556 rc = VINF_PGM_SYNC_CR3;
3557 }
3558 pgmUnlock(pVM);
3559 return rc;
3560}
3561
3562
3563/**
3564 * Scans all shadow page tables for mappings of a physical page.
3565 *
3566 * This may be slow, but it's most likely more efficient than cleaning
3567 * out the entire page pool / cache.
3568 *
3569 * @returns VBox status code.
3570 * @retval VINF_SUCCESS if all references has been successfully cleared.
3571 * @retval VINF_PGM_GCPHYS_ALIASED if we're better off with a CR3 sync and
3572 * a page pool cleaning.
3573 *
3574 * @param pVM Pointer to the VM.
3575 * @param pPhysPage The guest page in question.
3576 */
3577int pgmPoolTrackFlushGCPhysPTsSlow(PVM pVM, PPGMPAGE pPhysPage)
3578{
3579 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3580 STAM_PROFILE_START(&pPool->StatTrackFlushGCPhysPTsSlow, s);
3581 LogFlow(("pgmPoolTrackFlushGCPhysPTsSlow: cUsedPages=%d cPresent=%d pPhysPage=%R[pgmpage]\n",
3582 pPool->cUsedPages, pPool->cPresent, pPhysPage));
3583
3584 /*
3585 * There is a limit to what makes sense.
3586 */
3587 if ( pPool->cPresent > 1024
3588 && pVM->cCpus == 1)
3589 {
3590 LogFlow(("pgmPoolTrackFlushGCPhysPTsSlow: giving up... (cPresent=%d)\n", pPool->cPresent));
3591 STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPTsSlow, s);
3592 return VINF_PGM_GCPHYS_ALIASED;
3593 }
3594
3595 /*
3596 * Iterate all the pages until we've encountered all that in use.
3597 * This is simple but not quite optimal solution.
3598 */
3599 const uint64_t u64 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PTE_P; /** @todo drop X86_PTE_P here as we always test if present separately, anyway. */
3600 const uint32_t u32 = u64; /** @todo move into the 32BIT_PT_xx case */
3601 unsigned cLeft = pPool->cUsedPages;
3602 unsigned iPage = pPool->cCurPages;
3603 while (--iPage >= PGMPOOL_IDX_FIRST)
3604 {
3605 PPGMPOOLPAGE pPage = &pPool->aPages[iPage];
3606 if ( pPage->GCPhys != NIL_RTGCPHYS
3607 && pPage->cPresent)
3608 {
3609 switch (pPage->enmKind)
3610 {
3611 /*
3612 * We only care about shadow page tables.
3613 */
3614 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
3615 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
3616 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
3617 {
3618 unsigned cPresent = pPage->cPresent;
3619 PX86PT pPT = (PX86PT)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3620 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
3621 if (pPT->a[i].n.u1Present)
3622 {
3623 if ((pPT->a[i].u & (X86_PTE_PG_MASK | X86_PTE_P)) == u32)
3624 {
3625 //Log4(("pgmPoolTrackFlushGCPhysPTsSlow: idx=%d i=%d pte=%RX32\n", iPage, i, pPT->a[i]));
3626 pPT->a[i].u = 0;
3627
3628 /* Update the counter as we're removing references. */
3629 Assert(pPage->cPresent);
3630 Assert(pPool->cPresent);
3631 pPage->cPresent--;
3632 pPool->cPresent--;
3633 }
3634 if (!--cPresent)
3635 break;
3636 }
3637 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);
3638 break;
3639 }
3640
3641 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
3642 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
3643 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
3644 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
3645 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
3646 {
3647 unsigned cPresent = pPage->cPresent;
3648 PPGMSHWPTPAE pPT = (PPGMSHWPTPAE)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3649 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
3650 if (PGMSHWPTEPAE_IS_P(pPT->a[i]))
3651 {
3652 if ((PGMSHWPTEPAE_GET_U(pPT->a[i]) & (X86_PTE_PAE_PG_MASK | X86_PTE_P)) == u64)
3653 {
3654 //Log4(("pgmPoolTrackFlushGCPhysPTsSlow: idx=%d i=%d pte=%RX64\n", iPage, i, pPT->a[i]));
3655 PGMSHWPTEPAE_SET(pPT->a[i], 0); /// @todo why not atomic?
3656
3657 /* Update the counter as we're removing references. */
3658 Assert(pPage->cPresent);
3659 Assert(pPool->cPresent);
3660 pPage->cPresent--;
3661 pPool->cPresent--;
3662 }
3663 if (!--cPresent)
3664 break;
3665 }
3666 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);
3667 break;
3668 }
3669#ifndef IN_RC
3670 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
3671 {
3672 unsigned cPresent = pPage->cPresent;
3673 PEPTPT pPT = (PEPTPT)PGMPOOL_PAGE_2_PTR(pVM, pPage);
3674 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
3675 if (pPT->a[i].n.u1Present)
3676 {
3677 if ((pPT->a[i].u & (EPT_PTE_PG_MASK | X86_PTE_P)) == u64)
3678 {
3679 //Log4(("pgmPoolTrackFlushGCPhysPTsSlow: idx=%d i=%d pte=%RX64\n", iPage, i, pPT->a[i]));
3680 pPT->a[i].u = 0;
3681
3682 /* Update the counter as we're removing references. */
3683 Assert(pPage->cPresent);
3684 Assert(pPool->cPresent);
3685 pPage->cPresent--;
3686 pPool->cPresent--;
3687 }
3688 if (!--cPresent)
3689 break;
3690 }
3691 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pPT);
3692 break;
3693 }
3694#endif
3695 }
3696 if (!--cLeft)
3697 break;
3698 }
3699 }
3700
3701 PGM_PAGE_SET_TRACKING(pVM, pPhysPage, 0);
3702 STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPTsSlow, s);
3703
3704 /*
3705 * There is a limit to what makes sense. The above search is very expensive, so force a pgm pool flush.
3706 */
3707 if (pPool->cPresent > 1024)
3708 {
3709 LogFlow(("pgmPoolTrackFlushGCPhysPTsSlow: giving up... (cPresent=%d)\n", pPool->cPresent));
3710 return VINF_PGM_GCPHYS_ALIASED;
3711 }
3712
3713 return VINF_SUCCESS;
3714}
3715
3716
3717/**
3718 * Clears the user entry in a user table.
3719 *
3720 * This is used to remove all references to a page when flushing it.
3721 */
3722static void pgmPoolTrackClearPageUser(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PCPGMPOOLUSER pUser)
3723{
3724 Assert(pUser->iUser != NIL_PGMPOOL_IDX);
3725 Assert(pUser->iUser < pPool->cCurPages);
3726 uint32_t iUserTable = pUser->iUserTable;
3727
3728 /*
3729 * Map the user page. Ignore references made by fictitious pages.
3730 */
3731 PPGMPOOLPAGE pUserPage = &pPool->aPages[pUser->iUser];
3732 LogFlow(("pgmPoolTrackClearPageUser: clear %x in %s (%RGp) (flushing %s)\n", iUserTable, pgmPoolPoolKindToStr(pUserPage->enmKind), pUserPage->Core.Key, pgmPoolPoolKindToStr(pPage->enmKind)));
3733 union
3734 {
3735 uint64_t *pau64;
3736 uint32_t *pau32;
3737 } u;
3738 if (pUserPage->idx < PGMPOOL_IDX_FIRST)
3739 {
3740 Assert(!pUserPage->pvPageR3);
3741 return;
3742 }
3743 u.pau64 = (uint64_t *)PGMPOOL_PAGE_2_PTR(pPool->CTX_SUFF(pVM), pUserPage);
3744
3745
3746 /* Safety precaution in case we change the paging for other modes too in the future. */
3747 Assert(!pgmPoolIsPageLocked(pPage));
3748
3749#ifdef VBOX_STRICT
3750 /*
3751 * Some sanity checks.
3752 */
3753 switch (pUserPage->enmKind)
3754 {
3755 case PGMPOOLKIND_32BIT_PD:
3756 case PGMPOOLKIND_32BIT_PD_PHYS:
3757 Assert(iUserTable < X86_PG_ENTRIES);
3758 break;
3759 case PGMPOOLKIND_PAE_PDPT:
3760 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
3761 case PGMPOOLKIND_PAE_PDPT_PHYS:
3762 Assert(iUserTable < 4);
3763 Assert(!(u.pau64[iUserTable] & PGM_PLXFLAGS_PERMANENT));
3764 break;
3765 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
3766 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
3767 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
3768 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
3769 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
3770 case PGMPOOLKIND_PAE_PD_PHYS:
3771 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3772 break;
3773 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
3774 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3775 Assert(!(u.pau64[iUserTable] & PGM_PDFLAGS_MAPPING));
3776 break;
3777 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
3778 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3779 Assert(!(u.pau64[iUserTable] & PGM_PLXFLAGS_PERMANENT));
3780 break;
3781 case PGMPOOLKIND_64BIT_PML4:
3782 Assert(!(u.pau64[iUserTable] & PGM_PLXFLAGS_PERMANENT));
3783 /* GCPhys >> PAGE_SHIFT is the index here */
3784 break;
3785 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
3786 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
3787 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3788 break;
3789
3790 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
3791 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
3792 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3793 break;
3794
3795 case PGMPOOLKIND_ROOT_NESTED:
3796 Assert(iUserTable < X86_PG_PAE_ENTRIES);
3797 break;
3798
3799 default:
3800 AssertMsgFailed(("enmKind=%d\n", pUserPage->enmKind));
3801 break;
3802 }
3803#endif /* VBOX_STRICT */
3804
3805 /*
3806 * Clear the entry in the user page.
3807 */
3808 switch (pUserPage->enmKind)
3809 {
3810 /* 32-bit entries */
3811 case PGMPOOLKIND_32BIT_PD:
3812 case PGMPOOLKIND_32BIT_PD_PHYS:
3813 ASMAtomicWriteU32(&u.pau32[iUserTable], 0);
3814 break;
3815
3816 /* 64-bit entries */
3817 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
3818 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
3819 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
3820 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
3821 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
3822#ifdef IN_RC
3823 /*
3824 * In 32 bits PAE mode we *must* invalidate the TLB when changing a
3825 * PDPT entry; the CPU fetches them only during cr3 load, so any
3826 * non-present PDPT will continue to cause page faults.
3827 */
3828 ASMReloadCR3();
3829 /* no break */
3830#endif
3831 case PGMPOOLKIND_PAE_PD_PHYS:
3832 case PGMPOOLKIND_PAE_PDPT_PHYS:
3833 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
3834 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
3835 case PGMPOOLKIND_64BIT_PML4:
3836 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
3837 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
3838 case PGMPOOLKIND_PAE_PDPT:
3839 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
3840 case PGMPOOLKIND_ROOT_NESTED:
3841 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
3842 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
3843 ASMAtomicWriteU64(&u.pau64[iUserTable], 0);
3844 break;
3845
3846 default:
3847 AssertFatalMsgFailed(("enmKind=%d iUser=%d iUserTable=%#x\n", pUserPage->enmKind, pUser->iUser, pUser->iUserTable));
3848 }
3849 PGM_DYNMAP_UNUSED_HINT_VM(pPool->CTX_SUFF(pVM), u.pau64);
3850}
3851
3852
3853/**
3854 * Clears all users of a page.
3855 */
3856static void pgmPoolTrackClearPageUsers(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
3857{
3858 /*
3859 * Free all the user records.
3860 */
3861 LogFlow(("pgmPoolTrackClearPageUsers %RGp\n", pPage->GCPhys));
3862
3863 PPGMPOOLUSER paUsers = pPool->CTX_SUFF(paUsers);
3864 uint16_t i = pPage->iUserHead;
3865 while (i != NIL_PGMPOOL_USER_INDEX)
3866 {
3867 /* Clear enter in user table. */
3868 pgmPoolTrackClearPageUser(pPool, pPage, &paUsers[i]);
3869
3870 /* Free it. */
3871 const uint16_t iNext = paUsers[i].iNext;
3872 paUsers[i].iUser = NIL_PGMPOOL_IDX;
3873 paUsers[i].iNext = pPool->iUserFreeHead;
3874 pPool->iUserFreeHead = i;
3875
3876 /* Next. */
3877 i = iNext;
3878 }
3879 pPage->iUserHead = NIL_PGMPOOL_USER_INDEX;
3880}
3881
3882
3883/**
3884 * Allocates a new physical cross reference extent.
3885 *
3886 * @returns Pointer to the allocated extent on success. NULL if we're out of them.
3887 * @param pVM Pointer to the VM.
3888 * @param piPhysExt Where to store the phys ext index.
3889 */
3890PPGMPOOLPHYSEXT pgmPoolTrackPhysExtAlloc(PVM pVM, uint16_t *piPhysExt)
3891{
3892 PGM_LOCK_ASSERT_OWNER(pVM);
3893 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3894 uint16_t iPhysExt = pPool->iPhysExtFreeHead;
3895 if (iPhysExt == NIL_PGMPOOL_PHYSEXT_INDEX)
3896 {
3897 STAM_COUNTER_INC(&pPool->StamTrackPhysExtAllocFailures);
3898 return NULL;
3899 }
3900 PPGMPOOLPHYSEXT pPhysExt = &pPool->CTX_SUFF(paPhysExts)[iPhysExt];
3901 pPool->iPhysExtFreeHead = pPhysExt->iNext;
3902 pPhysExt->iNext = NIL_PGMPOOL_PHYSEXT_INDEX;
3903 *piPhysExt = iPhysExt;
3904 return pPhysExt;
3905}
3906
3907
3908/**
3909 * Frees a physical cross reference extent.
3910 *
3911 * @param pVM Pointer to the VM.
3912 * @param iPhysExt The extent to free.
3913 */
3914void pgmPoolTrackPhysExtFree(PVM pVM, uint16_t iPhysExt)
3915{
3916 PGM_LOCK_ASSERT_OWNER(pVM);
3917 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3918 Assert(iPhysExt < pPool->cMaxPhysExts);
3919 PPGMPOOLPHYSEXT pPhysExt = &pPool->CTX_SUFF(paPhysExts)[iPhysExt];
3920 for (unsigned i = 0; i < RT_ELEMENTS(pPhysExt->aidx); i++)
3921 {
3922 pPhysExt->aidx[i] = NIL_PGMPOOL_IDX;
3923 pPhysExt->apte[i] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
3924 }
3925 pPhysExt->iNext = pPool->iPhysExtFreeHead;
3926 pPool->iPhysExtFreeHead = iPhysExt;
3927}
3928
3929
3930/**
3931 * Frees a physical cross reference extent.
3932 *
3933 * @param pVM Pointer to the VM.
3934 * @param iPhysExt The extent to free.
3935 */
3936void pgmPoolTrackPhysExtFreeList(PVM pVM, uint16_t iPhysExt)
3937{
3938 PGM_LOCK_ASSERT_OWNER(pVM);
3939 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3940
3941 const uint16_t iPhysExtStart = iPhysExt;
3942 PPGMPOOLPHYSEXT pPhysExt;
3943 do
3944 {
3945 Assert(iPhysExt < pPool->cMaxPhysExts);
3946 pPhysExt = &pPool->CTX_SUFF(paPhysExts)[iPhysExt];
3947 for (unsigned i = 0; i < RT_ELEMENTS(pPhysExt->aidx); i++)
3948 {
3949 pPhysExt->aidx[i] = NIL_PGMPOOL_IDX;
3950 pPhysExt->apte[i] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
3951 }
3952
3953 /* next */
3954 iPhysExt = pPhysExt->iNext;
3955 } while (iPhysExt != NIL_PGMPOOL_PHYSEXT_INDEX);
3956
3957 pPhysExt->iNext = pPool->iPhysExtFreeHead;
3958 pPool->iPhysExtFreeHead = iPhysExtStart;
3959}
3960
3961
3962/**
3963 * Insert a reference into a list of physical cross reference extents.
3964 *
3965 * @returns The new tracking data for PGMPAGE.
3966 *
3967 * @param pVM Pointer to the VM.
3968 * @param iPhysExt The physical extent index of the list head.
3969 * @param iShwPT The shadow page table index.
3970 * @param iPte Page table entry
3971 *
3972 */
3973static uint16_t pgmPoolTrackPhysExtInsert(PVM pVM, uint16_t iPhysExt, uint16_t iShwPT, uint16_t iPte)
3974{
3975 PGM_LOCK_ASSERT_OWNER(pVM);
3976 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
3977 PPGMPOOLPHYSEXT paPhysExts = pPool->CTX_SUFF(paPhysExts);
3978
3979 /*
3980 * Special common cases.
3981 */
3982 if (paPhysExts[iPhysExt].aidx[1] == NIL_PGMPOOL_IDX)
3983 {
3984 paPhysExts[iPhysExt].aidx[1] = iShwPT;
3985 paPhysExts[iPhysExt].apte[1] = iPte;
3986 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackAliasedMany);
3987 LogFlow(("pgmPoolTrackPhysExtInsert: %d:{,%d pte %d,}\n", iPhysExt, iShwPT, iPte));
3988 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExt);
3989 }
3990 if (paPhysExts[iPhysExt].aidx[2] == NIL_PGMPOOL_IDX)
3991 {
3992 paPhysExts[iPhysExt].aidx[2] = iShwPT;
3993 paPhysExts[iPhysExt].apte[2] = iPte;
3994 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackAliasedMany);
3995 LogFlow(("pgmPoolTrackPhysExtInsert: %d:{,,%d pte %d}\n", iPhysExt, iShwPT, iPte));
3996 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExt);
3997 }
3998 AssertCompile(RT_ELEMENTS(paPhysExts[iPhysExt].aidx) == 3);
3999
4000 /*
4001 * General treatment.
4002 */
4003 const uint16_t iPhysExtStart = iPhysExt;
4004 unsigned cMax = 15;
4005 for (;;)
4006 {
4007 Assert(iPhysExt < pPool->cMaxPhysExts);
4008 for (unsigned i = 0; i < RT_ELEMENTS(paPhysExts[iPhysExt].aidx); i++)
4009 if (paPhysExts[iPhysExt].aidx[i] == NIL_PGMPOOL_IDX)
4010 {
4011 paPhysExts[iPhysExt].aidx[i] = iShwPT;
4012 paPhysExts[iPhysExt].apte[i] = iPte;
4013 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackAliasedMany);
4014 LogFlow(("pgmPoolTrackPhysExtInsert: %d:{%d pte %d} i=%d cMax=%d\n", iPhysExt, iShwPT, iPte, i, cMax));
4015 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExtStart);
4016 }
4017 if (!--cMax)
4018 {
4019 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackOverflows);
4020 pgmPoolTrackPhysExtFreeList(pVM, iPhysExtStart);
4021 LogFlow(("pgmPoolTrackPhysExtInsert: overflow (1) iShwPT=%d\n", iShwPT));
4022 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED);
4023 }
4024
4025 /* advance */
4026 iPhysExt = paPhysExts[iPhysExt].iNext;
4027 if (iPhysExt == NIL_PGMPOOL_PHYSEXT_INDEX)
4028 break;
4029 }
4030
4031 /*
4032 * Add another extent to the list.
4033 */
4034 PPGMPOOLPHYSEXT pNew = pgmPoolTrackPhysExtAlloc(pVM, &iPhysExt);
4035 if (!pNew)
4036 {
4037 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackNoExtentsLeft);
4038 pgmPoolTrackPhysExtFreeList(pVM, iPhysExtStart);
4039 LogFlow(("pgmPoolTrackPhysExtInsert: pgmPoolTrackPhysExtAlloc failed iShwPT=%d\n", iShwPT));
4040 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED);
4041 }
4042 pNew->iNext = iPhysExtStart;
4043 pNew->aidx[0] = iShwPT;
4044 pNew->apte[0] = iPte;
4045 LogFlow(("pgmPoolTrackPhysExtInsert: added new extent %d:{%d pte %d}->%d\n", iPhysExt, iShwPT, iPte, iPhysExtStart));
4046 return PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExt);
4047}
4048
4049
4050/**
4051 * Add a reference to guest physical page where extents are in use.
4052 *
4053 * @returns The new tracking data for PGMPAGE.
4054 *
4055 * @param pVM Pointer to the VM.
4056 * @param pPhysPage Pointer to the aPages entry in the ram range.
4057 * @param u16 The ram range flags (top 16-bits).
4058 * @param iShwPT The shadow page table index.
4059 * @param iPte Page table entry
4060 */
4061uint16_t pgmPoolTrackPhysExtAddref(PVM pVM, PPGMPAGE pPhysPage, uint16_t u16, uint16_t iShwPT, uint16_t iPte)
4062{
4063 pgmLock(pVM);
4064 if (PGMPOOL_TD_GET_CREFS(u16) != PGMPOOL_TD_CREFS_PHYSEXT)
4065 {
4066 /*
4067 * Convert to extent list.
4068 */
4069 Assert(PGMPOOL_TD_GET_CREFS(u16) == 1);
4070 uint16_t iPhysExt;
4071 PPGMPOOLPHYSEXT pPhysExt = pgmPoolTrackPhysExtAlloc(pVM, &iPhysExt);
4072 if (pPhysExt)
4073 {
4074 LogFlow(("pgmPoolTrackPhysExtAddref: new extent: %d:{%d, %d}\n", iPhysExt, PGMPOOL_TD_GET_IDX(u16), iShwPT));
4075 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackAliased);
4076 pPhysExt->aidx[0] = PGMPOOL_TD_GET_IDX(u16);
4077 pPhysExt->apte[0] = PGM_PAGE_GET_PTE_INDEX(pPhysPage);
4078 pPhysExt->aidx[1] = iShwPT;
4079 pPhysExt->apte[1] = iPte;
4080 u16 = PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExt);
4081 }
4082 else
4083 u16 = PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED);
4084 }
4085 else if (u16 != PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED))
4086 {
4087 /*
4088 * Insert into the extent list.
4089 */
4090 u16 = pgmPoolTrackPhysExtInsert(pVM, PGMPOOL_TD_GET_IDX(u16), iShwPT, iPte);
4091 }
4092 else
4093 STAM_COUNTER_INC(&pVM->pgm.s.CTX_SUFF(pStats)->StatTrackAliasedLots);
4094 pgmUnlock(pVM);
4095 return u16;
4096}
4097
4098
4099/**
4100 * Clear references to guest physical memory.
4101 *
4102 * @param pPool The pool.
4103 * @param pPage The page.
4104 * @param pPhysPage Pointer to the aPages entry in the ram range.
4105 * @param iPte Shadow PTE index
4106 */
4107void pgmPoolTrackPhysExtDerefGCPhys(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMPAGE pPhysPage, uint16_t iPte)
4108{
4109 PVM pVM = pPool->CTX_SUFF(pVM);
4110 const unsigned cRefs = PGM_PAGE_GET_TD_CREFS(pPhysPage);
4111 AssertFatalMsg(cRefs == PGMPOOL_TD_CREFS_PHYSEXT, ("cRefs=%d pPhysPage=%R[pgmpage] pPage=%p:{.idx=%d}\n", cRefs, pPhysPage, pPage, pPage->idx));
4112
4113 uint16_t iPhysExt = PGM_PAGE_GET_TD_IDX(pPhysPage);
4114 if (iPhysExt != PGMPOOL_TD_IDX_OVERFLOWED)
4115 {
4116 pgmLock(pVM);
4117
4118 uint16_t iPhysExtPrev = NIL_PGMPOOL_PHYSEXT_INDEX;
4119 PPGMPOOLPHYSEXT paPhysExts = pPool->CTX_SUFF(paPhysExts);
4120 do
4121 {
4122 Assert(iPhysExt < pPool->cMaxPhysExts);
4123
4124 /*
4125 * Look for the shadow page and check if it's all freed.
4126 */
4127 for (unsigned i = 0; i < RT_ELEMENTS(paPhysExts[iPhysExt].aidx); i++)
4128 {
4129 if ( paPhysExts[iPhysExt].aidx[i] == pPage->idx
4130 && paPhysExts[iPhysExt].apte[i] == iPte)
4131 {
4132 paPhysExts[iPhysExt].aidx[i] = NIL_PGMPOOL_IDX;
4133 paPhysExts[iPhysExt].apte[i] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
4134
4135 for (i = 0; i < RT_ELEMENTS(paPhysExts[iPhysExt].aidx); i++)
4136 if (paPhysExts[iPhysExt].aidx[i] != NIL_PGMPOOL_IDX)
4137 {
4138 Log2(("pgmPoolTrackPhysExtDerefGCPhys: pPhysPage=%R[pgmpage] idx=%d\n", pPhysPage, pPage->idx));
4139 pgmUnlock(pVM);
4140 return;
4141 }
4142
4143 /* we can free the node. */
4144 const uint16_t iPhysExtNext = paPhysExts[iPhysExt].iNext;
4145 if ( iPhysExtPrev == NIL_PGMPOOL_PHYSEXT_INDEX
4146 && iPhysExtNext == NIL_PGMPOOL_PHYSEXT_INDEX)
4147 {
4148 /* lonely node */
4149 pgmPoolTrackPhysExtFree(pVM, iPhysExt);
4150 Log2(("pgmPoolTrackPhysExtDerefGCPhys: pPhysPage=%R[pgmpage] idx=%d lonely\n", pPhysPage, pPage->idx));
4151 PGM_PAGE_SET_TRACKING(pVM, pPhysPage, 0);
4152 }
4153 else if (iPhysExtPrev == NIL_PGMPOOL_PHYSEXT_INDEX)
4154 {
4155 /* head */
4156 Log2(("pgmPoolTrackPhysExtDerefGCPhys: pPhysPage=%R[pgmpage] idx=%d head\n", pPhysPage, pPage->idx));
4157 PGM_PAGE_SET_TRACKING(pVM, pPhysPage, PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, iPhysExtNext));
4158 pgmPoolTrackPhysExtFree(pVM, iPhysExt);
4159 }
4160 else
4161 {
4162 /* in list */
4163 Log2(("pgmPoolTrackPhysExtDerefGCPhys: pPhysPage=%R[pgmpage] idx=%d in list\n", pPhysPage, pPage->idx));
4164 paPhysExts[iPhysExtPrev].iNext = iPhysExtNext;
4165 pgmPoolTrackPhysExtFree(pVM, iPhysExt);
4166 }
4167 iPhysExt = iPhysExtNext;
4168 pgmUnlock(pVM);
4169 return;
4170 }
4171 }
4172
4173 /* next */
4174 iPhysExtPrev = iPhysExt;
4175 iPhysExt = paPhysExts[iPhysExt].iNext;
4176 } while (iPhysExt != NIL_PGMPOOL_PHYSEXT_INDEX);
4177
4178 pgmUnlock(pVM);
4179 AssertFatalMsgFailed(("not-found! cRefs=%d pPhysPage=%R[pgmpage] pPage=%p:{.idx=%d}\n", cRefs, pPhysPage, pPage, pPage->idx));
4180 }
4181 else /* nothing to do */
4182 Log2(("pgmPoolTrackPhysExtDerefGCPhys: pPhysPage=%R[pgmpage]\n", pPhysPage));
4183}
4184
4185/**
4186 * Clear references to guest physical memory.
4187 *
4188 * This is the same as pgmPoolTracDerefGCPhysHint except that the guest
4189 * physical address is assumed to be correct, so the linear search can be
4190 * skipped and we can assert at an earlier point.
4191 *
4192 * @param pPool The pool.
4193 * @param pPage The page.
4194 * @param HCPhys The host physical address corresponding to the guest page.
4195 * @param GCPhys The guest physical address corresponding to HCPhys.
4196 * @param iPte Shadow PTE index
4197 */
4198static void pgmPoolTracDerefGCPhys(PPGMPOOL pPool, PPGMPOOLPAGE pPage, RTHCPHYS HCPhys, RTGCPHYS GCPhys, uint16_t iPte)
4199{
4200 /*
4201 * Lookup the page and check if it checks out before derefing it.
4202 */
4203 PVM pVM = pPool->CTX_SUFF(pVM);
4204 PPGMPAGE pPhysPage = pgmPhysGetPage(pVM, GCPhys);
4205 if (pPhysPage)
4206 {
4207 Assert(PGM_PAGE_GET_HCPHYS(pPhysPage));
4208#ifdef LOG_ENABLED
4209 RTHCPHYS HCPhysPage = PGM_PAGE_GET_HCPHYS(pPhysPage);
4210 Log2(("pgmPoolTracDerefGCPhys %RHp vs %RHp\n", HCPhysPage, HCPhys));
4211#endif
4212 if (PGM_PAGE_GET_HCPHYS(pPhysPage) == HCPhys)
4213 {
4214 Assert(pPage->cPresent);
4215 Assert(pPool->cPresent);
4216 pPage->cPresent--;
4217 pPool->cPresent--;
4218 pgmTrackDerefGCPhys(pPool, pPage, pPhysPage, iPte);
4219 return;
4220 }
4221
4222 AssertFatalMsgFailed(("HCPhys=%RHp GCPhys=%RGp; found page has HCPhys=%RHp\n",
4223 HCPhys, GCPhys, PGM_PAGE_GET_HCPHYS(pPhysPage)));
4224 }
4225 AssertFatalMsgFailed(("HCPhys=%RHp GCPhys=%RGp\n", HCPhys, GCPhys));
4226}
4227
4228
4229/**
4230 * Clear references to guest physical memory.
4231 *
4232 * @param pPool The pool.
4233 * @param pPage The page.
4234 * @param HCPhys The host physical address corresponding to the guest page.
4235 * @param GCPhysHint The guest physical address which may corresponding to HCPhys.
4236 * @param iPte Shadow pte index
4237 */
4238void pgmPoolTracDerefGCPhysHint(PPGMPOOL pPool, PPGMPOOLPAGE pPage, RTHCPHYS HCPhys, RTGCPHYS GCPhysHint, uint16_t iPte)
4239{
4240 Log4(("pgmPoolTracDerefGCPhysHint %RHp %RGp\n", HCPhys, GCPhysHint));
4241
4242 /*
4243 * Try the hint first.
4244 */
4245 RTHCPHYS HCPhysHinted;
4246 PVM pVM = pPool->CTX_SUFF(pVM);
4247 PPGMPAGE pPhysPage = pgmPhysGetPage(pVM, GCPhysHint);
4248 if (pPhysPage)
4249 {
4250 HCPhysHinted = PGM_PAGE_GET_HCPHYS(pPhysPage);
4251 Assert(HCPhysHinted);
4252 if (HCPhysHinted == HCPhys)
4253 {
4254 Assert(pPage->cPresent);
4255 Assert(pPool->cPresent);
4256 pPage->cPresent--;
4257 pPool->cPresent--;
4258 pgmTrackDerefGCPhys(pPool, pPage, pPhysPage, iPte);
4259 return;
4260 }
4261 }
4262 else
4263 HCPhysHinted = UINT64_C(0xdeadbeefdeadbeef);
4264
4265 /*
4266 * Damn, the hint didn't work. We'll have to do an expensive linear search.
4267 */
4268 STAM_COUNTER_INC(&pPool->StatTrackLinearRamSearches);
4269 PPGMRAMRANGE pRam = pPool->CTX_SUFF(pVM)->pgm.s.CTX_SUFF(pRamRangesX);
4270 while (pRam)
4271 {
4272 unsigned iPage = pRam->cb >> PAGE_SHIFT;
4273 while (iPage-- > 0)
4274 {
4275 if (PGM_PAGE_GET_HCPHYS(&pRam->aPages[iPage]) == HCPhys)
4276 {
4277 Log4(("pgmPoolTracDerefGCPhysHint: Linear HCPhys=%RHp GCPhysHint=%RGp GCPhysReal=%RGp\n",
4278 HCPhys, GCPhysHint, pRam->GCPhys + (iPage << PAGE_SHIFT)));
4279 Assert(pPage->cPresent);
4280 Assert(pPool->cPresent);
4281 pPage->cPresent--;
4282 pPool->cPresent--;
4283 pgmTrackDerefGCPhys(pPool, pPage, &pRam->aPages[iPage], iPte);
4284 return;
4285 }
4286 }
4287 pRam = pRam->CTX_SUFF(pNext);
4288 }
4289
4290 AssertFatalMsgFailed(("HCPhys=%RHp GCPhysHint=%RGp (Hinted page has HCPhys = %RHp)\n", HCPhys, GCPhysHint, HCPhysHinted));
4291}
4292
4293
4294/**
4295 * Clear references to guest physical memory in a 32-bit / 32-bit page table.
4296 *
4297 * @param pPool The pool.
4298 * @param pPage The page.
4299 * @param pShwPT The shadow page table (mapping of the page).
4300 * @param pGstPT The guest page table.
4301 */
4302DECLINLINE(void) pgmPoolTrackDerefPT32Bit32Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PT pShwPT, PCX86PT pGstPT)
4303{
4304 RTGCPHYS32 const fPgMask = pPage->fA20Enabled ? X86_PTE_PG_MASK : X86_PTE_PG_MASK & ~RT_BIT_32(20);
4305 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
4306 {
4307 Assert(!(pShwPT->a[i].u & RT_BIT_32(10)));
4308 if (pShwPT->a[i].n.u1Present)
4309 {
4310 Log4(("pgmPoolTrackDerefPT32Bit32Bit: i=%d pte=%RX32 hint=%RX32\n",
4311 i, pShwPT->a[i].u & X86_PTE_PG_MASK, pGstPT->a[i].u & X86_PTE_PG_MASK));
4312 pgmPoolTracDerefGCPhysHint(pPool, pPage, pShwPT->a[i].u & X86_PTE_PG_MASK, pGstPT->a[i].u & fPgMask, i);
4313 if (!pPage->cPresent)
4314 break;
4315 }
4316 }
4317}
4318
4319
4320/**
4321 * Clear references to guest physical memory in a PAE / 32-bit page table.
4322 *
4323 * @param pPool The pool.
4324 * @param pPage The page.
4325 * @param pShwPT The shadow page table (mapping of the page).
4326 * @param pGstPT The guest page table (just a half one).
4327 */
4328DECLINLINE(void) pgmPoolTrackDerefPTPae32Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PT pGstPT)
4329{
4330 RTGCPHYS32 const fPgMask = pPage->fA20Enabled ? X86_PTE_PG_MASK : X86_PTE_PG_MASK & ~RT_BIT_32(20);
4331 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
4332 {
4333 Assert( (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == 0
4334 || (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == UINT64_C(0x7ff0000000000000));
4335 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
4336 {
4337 Log4(("pgmPoolTrackDerefPTPae32Bit: i=%d pte=%RX64 hint=%RX32\n",
4338 i, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pGstPT->a[i].u & X86_PTE_PG_MASK));
4339 pgmPoolTracDerefGCPhysHint(pPool, pPage, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pGstPT->a[i].u & fPgMask, i);
4340 if (!pPage->cPresent)
4341 break;
4342 }
4343 }
4344}
4345
4346
4347/**
4348 * Clear references to guest physical memory in a PAE / PAE page table.
4349 *
4350 * @param pPool The pool.
4351 * @param pPage The page.
4352 * @param pShwPT The shadow page table (mapping of the page).
4353 * @param pGstPT The guest page table.
4354 */
4355DECLINLINE(void) pgmPoolTrackDerefPTPaePae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT, PCX86PTPAE pGstPT)
4356{
4357 RTGCPHYS const fPgMask = pPage->fA20Enabled ? X86_PTE_PAE_PG_MASK : X86_PTE_PAE_PG_MASK & ~RT_BIT_64(20);
4358 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
4359 {
4360 Assert( (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == 0
4361 || (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == UINT64_C(0x7ff0000000000000));
4362 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
4363 {
4364 Log4(("pgmPoolTrackDerefPTPaePae: i=%d pte=%RX32 hint=%RX32\n",
4365 i, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pGstPT->a[i].u & X86_PTE_PAE_PG_MASK));
4366 pgmPoolTracDerefGCPhysHint(pPool, pPage, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), pGstPT->a[i].u & fPgMask, i);
4367 if (!pPage->cPresent)
4368 break;
4369 }
4370 }
4371}
4372
4373
4374/**
4375 * Clear references to guest physical memory in a 32-bit / 4MB page table.
4376 *
4377 * @param pPool The pool.
4378 * @param pPage The page.
4379 * @param pShwPT The shadow page table (mapping of the page).
4380 */
4381DECLINLINE(void) pgmPoolTrackDerefPT32Bit4MB(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PT pShwPT)
4382{
4383 RTGCPHYS const GCPhysA20Mask = pPage->fA20Enabled ? UINT64_MAX : ~RT_BIT_64(20);
4384 RTGCPHYS GCPhys = pPage->GCPhys + PAGE_SIZE * pPage->iFirstPresent;
4385 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++, GCPhys += PAGE_SIZE)
4386 {
4387 Assert(!(pShwPT->a[i].u & RT_BIT_32(10)));
4388 if (pShwPT->a[i].n.u1Present)
4389 {
4390 Log4(("pgmPoolTrackDerefPT32Bit4MB: i=%d pte=%RX32 GCPhys=%RGp\n",
4391 i, pShwPT->a[i].u & X86_PTE_PG_MASK, GCPhys));
4392 pgmPoolTracDerefGCPhys(pPool, pPage, pShwPT->a[i].u & X86_PTE_PG_MASK, GCPhys & GCPhysA20Mask, i);
4393 if (!pPage->cPresent)
4394 break;
4395 }
4396 }
4397}
4398
4399
4400/**
4401 * Clear references to guest physical memory in a PAE / 2/4MB page table.
4402 *
4403 * @param pPool The pool.
4404 * @param pPage The page.
4405 * @param pShwPT The shadow page table (mapping of the page).
4406 */
4407DECLINLINE(void) pgmPoolTrackDerefPTPaeBig(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PPGMSHWPTPAE pShwPT)
4408{
4409 RTGCPHYS const GCPhysA20Mask = pPage->fA20Enabled ? UINT64_MAX : ~RT_BIT_64(20);
4410 RTGCPHYS GCPhys = pPage->GCPhys + PAGE_SIZE * pPage->iFirstPresent;
4411 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++, GCPhys += PAGE_SIZE)
4412 {
4413 Assert( (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == 0
4414 || (PGMSHWPTEPAE_GET_U(pShwPT->a[i]) & UINT64_C(0x7ff0000000000400)) == UINT64_C(0x7ff0000000000000));
4415 if (PGMSHWPTEPAE_IS_P(pShwPT->a[i]))
4416 {
4417 Log4(("pgmPoolTrackDerefPTPaeBig: i=%d pte=%RX64 hint=%RGp\n",
4418 i, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), GCPhys));
4419 pgmPoolTracDerefGCPhys(pPool, pPage, PGMSHWPTEPAE_GET_HCPHYS(pShwPT->a[i]), GCPhys & GCPhysA20Mask, i);
4420 if (!pPage->cPresent)
4421 break;
4422 }
4423 }
4424}
4425
4426
4427/**
4428 * Clear references to shadowed pages in an EPT page table.
4429 *
4430 * @param pPool The pool.
4431 * @param pPage The page.
4432 * @param pShwPML4 The shadow page directory pointer table (mapping of the page).
4433 */
4434DECLINLINE(void) pgmPoolTrackDerefPTEPT(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PEPTPT pShwPT)
4435{
4436 RTGCPHYS const GCPhysA20Mask = pPage->fA20Enabled ? UINT64_MAX : ~RT_BIT_64(20);
4437 RTGCPHYS GCPhys = pPage->GCPhys + PAGE_SIZE * pPage->iFirstPresent;
4438 for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++, GCPhys += PAGE_SIZE)
4439 {
4440 Assert((pShwPT->a[i].u & UINT64_C(0xfff0000000000f80)) == 0);
4441 if (pShwPT->a[i].n.u1Present)
4442 {
4443 Log4(("pgmPoolTrackDerefPTEPT: i=%d pte=%RX64 GCPhys=%RX64\n",
4444 i, pShwPT->a[i].u & EPT_PTE_PG_MASK, pPage->GCPhys));
4445 pgmPoolTracDerefGCPhys(pPool, pPage, pShwPT->a[i].u & EPT_PTE_PG_MASK, GCPhys & GCPhysA20Mask, i);
4446 if (!pPage->cPresent)
4447 break;
4448 }
4449 }
4450}
4451
4452
4453/**
4454 * Clear references to shadowed pages in a 32 bits page directory.
4455 *
4456 * @param pPool The pool.
4457 * @param pPage The page.
4458 * @param pShwPD The shadow page directory (mapping of the page).
4459 */
4460DECLINLINE(void) pgmPoolTrackDerefPD(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PD pShwPD)
4461{
4462 for (unsigned i = 0; i < RT_ELEMENTS(pShwPD->a); i++)
4463 {
4464 Assert(!(pShwPD->a[i].u & RT_BIT_32(9)));
4465 if ( pShwPD->a[i].n.u1Present
4466 && !(pShwPD->a[i].u & PGM_PDFLAGS_MAPPING)
4467 )
4468 {
4469 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPD->a[i].u & X86_PDE_PG_MASK);
4470 if (pSubPage)
4471 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4472 else
4473 AssertFatalMsgFailed(("%x\n", pShwPD->a[i].u & X86_PDE_PG_MASK));
4474 }
4475 }
4476}
4477
4478
4479/**
4480 * Clear references to shadowed pages in a PAE (legacy or 64 bits) page directory.
4481 *
4482 * @param pPool The pool.
4483 * @param pPage The page.
4484 * @param pShwPD The shadow page directory (mapping of the page).
4485 */
4486DECLINLINE(void) pgmPoolTrackDerefPDPae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PDPAE pShwPD)
4487{
4488 for (unsigned i = 0; i < RT_ELEMENTS(pShwPD->a); i++)
4489 {
4490 if ( pShwPD->a[i].n.u1Present
4491 && !(pShwPD->a[i].u & PGM_PDFLAGS_MAPPING))
4492 {
4493#ifdef PGM_WITH_LARGE_PAGES
4494 if (pShwPD->a[i].b.u1Size)
4495 {
4496 Log4(("pgmPoolTrackDerefPDPae: i=%d pde=%RX64 GCPhys=%RX64\n",
4497 i, pShwPD->a[i].u & X86_PDE2M_PAE_PG_MASK, pPage->GCPhys));
4498 pgmPoolTracDerefGCPhys(pPool, pPage, pShwPD->a[i].u & X86_PDE2M_PAE_PG_MASK,
4499 pPage->GCPhys + i * 2 * _1M /* pPage->GCPhys = base address of the memory described by the PD */,
4500 i);
4501 }
4502 else
4503#endif
4504 {
4505 Assert((pShwPD->a[i].u & (X86_PDE_PAE_MBZ_MASK_NX | UINT64_C(0x7ff0000000000200))) == 0);
4506 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPD->a[i].u & X86_PDE_PAE_PG_MASK);
4507 if (pSubPage)
4508 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4509 else
4510 AssertFatalMsgFailed(("%RX64\n", pShwPD->a[i].u & X86_PDE_PAE_PG_MASK));
4511 /** @todo 64-bit guests: have to ensure that we're not exhausting the dynamic mappings! */
4512 }
4513 }
4514 }
4515}
4516
4517
4518/**
4519 * Clear references to shadowed pages in a PAE page directory pointer table.
4520 *
4521 * @param pPool The pool.
4522 * @param pPage The page.
4523 * @param pShwPDPT The shadow page directory pointer table (mapping of the page).
4524 */
4525DECLINLINE(void) pgmPoolTrackDerefPDPTPae(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PDPT pShwPDPT)
4526{
4527 for (unsigned i = 0; i < X86_PG_PAE_PDPE_ENTRIES; i++)
4528 {
4529 Assert((pShwPDPT->a[i].u & (X86_PDPE_PAE_MBZ_MASK | UINT64_C(0x7ff0000000000200))) == 0);
4530 if ( pShwPDPT->a[i].n.u1Present
4531 && !(pShwPDPT->a[i].u & PGM_PLXFLAGS_MAPPING)
4532 )
4533 {
4534 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPDPT->a[i].u & X86_PDPE_PG_MASK);
4535 if (pSubPage)
4536 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4537 else
4538 AssertFatalMsgFailed(("%RX64\n", pShwPDPT->a[i].u & X86_PDPE_PG_MASK));
4539 }
4540 }
4541}
4542
4543
4544/**
4545 * Clear references to shadowed pages in a 64-bit page directory pointer table.
4546 *
4547 * @param pPool The pool.
4548 * @param pPage The page.
4549 * @param pShwPDPT The shadow page directory pointer table (mapping of the page).
4550 */
4551DECLINLINE(void) pgmPoolTrackDerefPDPT64Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PDPT pShwPDPT)
4552{
4553 for (unsigned i = 0; i < RT_ELEMENTS(pShwPDPT->a); i++)
4554 {
4555 Assert((pShwPDPT->a[i].u & (X86_PDPE_LM_MBZ_MASK_NX | UINT64_C(0x7ff0000000000200))) == 0);
4556 if (pShwPDPT->a[i].n.u1Present)
4557 {
4558 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPDPT->a[i].u & X86_PDPE_PG_MASK);
4559 if (pSubPage)
4560 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4561 else
4562 AssertFatalMsgFailed(("%RX64\n", pShwPDPT->a[i].u & X86_PDPE_PG_MASK));
4563 /** @todo 64-bit guests: have to ensure that we're not exhausting the dynamic mappings! */
4564 }
4565 }
4566}
4567
4568
4569/**
4570 * Clear references to shadowed pages in a 64-bit level 4 page table.
4571 *
4572 * @param pPool The pool.
4573 * @param pPage The page.
4574 * @param pShwPML4 The shadow page directory pointer table (mapping of the page).
4575 */
4576DECLINLINE(void) pgmPoolTrackDerefPML464Bit(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PX86PML4 pShwPML4)
4577{
4578 for (unsigned i = 0; i < RT_ELEMENTS(pShwPML4->a); i++)
4579 {
4580 Assert((pShwPML4->a[i].u & (X86_PML4E_MBZ_MASK_NX | UINT64_C(0x7ff0000000000200))) == 0);
4581 if (pShwPML4->a[i].n.u1Present)
4582 {
4583 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPML4->a[i].u & X86_PDPE_PG_MASK);
4584 if (pSubPage)
4585 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4586 else
4587 AssertFatalMsgFailed(("%RX64\n", pShwPML4->a[i].u & X86_PML4E_PG_MASK));
4588 /** @todo 64-bit guests: have to ensure that we're not exhausting the dynamic mappings! */
4589 }
4590 }
4591}
4592
4593
4594/**
4595 * Clear references to shadowed pages in an EPT page directory.
4596 *
4597 * @param pPool The pool.
4598 * @param pPage The page.
4599 * @param pShwPD The shadow page directory (mapping of the page).
4600 */
4601DECLINLINE(void) pgmPoolTrackDerefPDEPT(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PEPTPD pShwPD)
4602{
4603 for (unsigned i = 0; i < RT_ELEMENTS(pShwPD->a); i++)
4604 {
4605 Assert((pShwPD->a[i].u & UINT64_C(0xfff0000000000f80)) == 0);
4606 if (pShwPD->a[i].n.u1Present)
4607 {
4608#ifdef PGM_WITH_LARGE_PAGES
4609 if (pShwPD->a[i].b.u1Size)
4610 {
4611 Log4(("pgmPoolTrackDerefPDEPT: i=%d pde=%RX64 GCPhys=%RX64\n",
4612 i, pShwPD->a[i].u & X86_PDE2M_PAE_PG_MASK, pPage->GCPhys));
4613 pgmPoolTracDerefGCPhys(pPool, pPage, pShwPD->a[i].u & X86_PDE2M_PAE_PG_MASK,
4614 pPage->GCPhys + i * 2 * _1M /* pPage->GCPhys = base address of the memory described by the PD */,
4615 i);
4616 }
4617 else
4618#endif
4619 {
4620 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPD->a[i].u & EPT_PDE_PG_MASK);
4621 if (pSubPage)
4622 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4623 else
4624 AssertFatalMsgFailed(("%RX64\n", pShwPD->a[i].u & EPT_PDE_PG_MASK));
4625 }
4626 /** @todo 64-bit guests: have to ensure that we're not exhausting the dynamic mappings! */
4627 }
4628 }
4629}
4630
4631
4632/**
4633 * Clear references to shadowed pages in an EPT page directory pointer table.
4634 *
4635 * @param pPool The pool.
4636 * @param pPage The page.
4637 * @param pShwPDPT The shadow page directory pointer table (mapping of the page).
4638 */
4639DECLINLINE(void) pgmPoolTrackDerefPDPTEPT(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PEPTPDPT pShwPDPT)
4640{
4641 for (unsigned i = 0; i < RT_ELEMENTS(pShwPDPT->a); i++)
4642 {
4643 Assert((pShwPDPT->a[i].u & UINT64_C(0xfff0000000000f80)) == 0);
4644 if (pShwPDPT->a[i].n.u1Present)
4645 {
4646 PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, pShwPDPT->a[i].u & EPT_PDPTE_PG_MASK);
4647 if (pSubPage)
4648 pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i);
4649 else
4650 AssertFatalMsgFailed(("%RX64\n", pShwPDPT->a[i].u & EPT_PDPTE_PG_MASK));
4651 /** @todo 64-bit guests: have to ensure that we're not exhausting the dynamic mappings! */
4652 }
4653 }
4654}
4655
4656
4657/**
4658 * Clears all references made by this page.
4659 *
4660 * This includes other shadow pages and GC physical addresses.
4661 *
4662 * @param pPool The pool.
4663 * @param pPage The page.
4664 */
4665static void pgmPoolTrackDeref(PPGMPOOL pPool, PPGMPOOLPAGE pPage)
4666{
4667 /*
4668 * Map the shadow page and take action according to the page kind.
4669 */
4670 PVM pVM = pPool->CTX_SUFF(pVM);
4671 void *pvShw = PGMPOOL_PAGE_2_PTR(pVM, pPage);
4672 switch (pPage->enmKind)
4673 {
4674 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
4675 {
4676 STAM_PROFILE_START(&pPool->StatTrackDerefGCPhys, g);
4677 void *pvGst;
4678 int rc = PGM_GCPHYS_2_PTR(pVM, pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
4679 pgmPoolTrackDerefPT32Bit32Bit(pPool, pPage, (PX86PT)pvShw, (PCX86PT)pvGst);
4680 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
4681 STAM_PROFILE_STOP(&pPool->StatTrackDerefGCPhys, g);
4682 break;
4683 }
4684
4685 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
4686 {
4687 STAM_PROFILE_START(&pPool->StatTrackDerefGCPhys, g);
4688 void *pvGst;
4689 int rc = PGM_GCPHYS_2_PTR_EX(pVM, pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
4690 pgmPoolTrackDerefPTPae32Bit(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PT)pvGst);
4691 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
4692 STAM_PROFILE_STOP(&pPool->StatTrackDerefGCPhys, g);
4693 break;
4694 }
4695
4696 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
4697 {
4698 STAM_PROFILE_START(&pPool->StatTrackDerefGCPhys, g);
4699 void *pvGst;
4700 int rc = PGM_GCPHYS_2_PTR(pVM, pPage->GCPhys, &pvGst); AssertReleaseRC(rc);
4701 pgmPoolTrackDerefPTPaePae(pPool, pPage, (PPGMSHWPTPAE)pvShw, (PCX86PTPAE)pvGst);
4702 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvGst);
4703 STAM_PROFILE_STOP(&pPool->StatTrackDerefGCPhys, g);
4704 break;
4705 }
4706
4707 case PGMPOOLKIND_32BIT_PT_FOR_PHYS: /* treat it like a 4 MB page */
4708 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
4709 {
4710 STAM_PROFILE_START(&pPool->StatTrackDerefGCPhys, g);
4711 pgmPoolTrackDerefPT32Bit4MB(pPool, pPage, (PX86PT)pvShw);
4712 STAM_PROFILE_STOP(&pPool->StatTrackDerefGCPhys, g);
4713 break;
4714 }
4715
4716 case PGMPOOLKIND_PAE_PT_FOR_PHYS: /* treat it like a 2 MB page */
4717 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
4718 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
4719 {
4720 STAM_PROFILE_START(&pPool->StatTrackDerefGCPhys, g);
4721 pgmPoolTrackDerefPTPaeBig(pPool, pPage, (PPGMSHWPTPAE)pvShw);
4722 STAM_PROFILE_STOP(&pPool->StatTrackDerefGCPhys, g);
4723 break;
4724 }
4725
4726 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
4727 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
4728 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
4729 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
4730 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
4731 case PGMPOOLKIND_PAE_PD_PHYS:
4732 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
4733 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
4734 pgmPoolTrackDerefPDPae(pPool, pPage, (PX86PDPAE)pvShw);
4735 break;
4736
4737 case PGMPOOLKIND_32BIT_PD_PHYS:
4738 case PGMPOOLKIND_32BIT_PD:
4739 pgmPoolTrackDerefPD(pPool, pPage, (PX86PD)pvShw);
4740 break;
4741
4742 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
4743 case PGMPOOLKIND_PAE_PDPT:
4744 case PGMPOOLKIND_PAE_PDPT_PHYS:
4745 pgmPoolTrackDerefPDPTPae(pPool, pPage, (PX86PDPT)pvShw);
4746 break;
4747
4748 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
4749 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
4750 pgmPoolTrackDerefPDPT64Bit(pPool, pPage, (PX86PDPT)pvShw);
4751 break;
4752
4753 case PGMPOOLKIND_64BIT_PML4:
4754 pgmPoolTrackDerefPML464Bit(pPool, pPage, (PX86PML4)pvShw);
4755 break;
4756
4757 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
4758 pgmPoolTrackDerefPTEPT(pPool, pPage, (PEPTPT)pvShw);
4759 break;
4760
4761 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
4762 pgmPoolTrackDerefPDEPT(pPool, pPage, (PEPTPD)pvShw);
4763 break;
4764
4765 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
4766 pgmPoolTrackDerefPDPTEPT(pPool, pPage, (PEPTPDPT)pvShw);
4767 break;
4768
4769 default:
4770 AssertFatalMsgFailed(("enmKind=%d\n", pPage->enmKind));
4771 }
4772
4773 /* paranoia, clear the shadow page. Remove this laser (i.e. let Alloc and ClearAll do it). */
4774 STAM_PROFILE_START(&pPool->StatZeroPage, z);
4775 ASMMemZeroPage(pvShw);
4776 STAM_PROFILE_STOP(&pPool->StatZeroPage, z);
4777 pPage->fZeroed = true;
4778 Assert(!pPage->cPresent);
4779 PGM_DYNMAP_UNUSED_HINT_VM(pVM, pvShw);
4780}
4781
4782
4783/**
4784 * Flushes a pool page.
4785 *
4786 * This moves the page to the free list after removing all user references to it.
4787 *
4788 * @returns VBox status code.
4789 * @retval VINF_SUCCESS on success.
4790 * @param pPool The pool.
4791 * @param HCPhys The HC physical address of the shadow page.
4792 * @param fFlush Flush the TLBS when required (should only be false in very specific use cases!!)
4793 */
4794int pgmPoolFlushPage(PPGMPOOL pPool, PPGMPOOLPAGE pPage, bool fFlush)
4795{
4796 PVM pVM = pPool->CTX_SUFF(pVM);
4797 bool fFlushRequired = false;
4798
4799 int rc = VINF_SUCCESS;
4800 STAM_PROFILE_START(&pPool->StatFlushPage, f);
4801 LogFlow(("pgmPoolFlushPage: pPage=%p:{.Key=%RHp, .idx=%d, .enmKind=%s, .GCPhys=%RGp}\n",
4802 pPage, pPage->Core.Key, pPage->idx, pgmPoolPoolKindToStr(pPage->enmKind), pPage->GCPhys));
4803
4804 /*
4805 * Reject any attempts at flushing any of the special root pages (shall
4806 * not happen).
4807 */
4808 AssertMsgReturn(pPage->idx >= PGMPOOL_IDX_FIRST,
4809 ("pgmPoolFlushPage: special root page, rejected. enmKind=%s idx=%d\n",
4810 pgmPoolPoolKindToStr(pPage->enmKind), pPage->idx),
4811 VINF_SUCCESS);
4812
4813 pgmLock(pVM);
4814
4815 /*
4816 * Quietly reject any attempts at flushing the currently active shadow CR3 mapping
4817 */
4818 if (pgmPoolIsPageLocked(pPage))
4819 {
4820 AssertMsg( pPage->enmKind == PGMPOOLKIND_64BIT_PML4
4821 || pPage->enmKind == PGMPOOLKIND_PAE_PDPT
4822 || pPage->enmKind == PGMPOOLKIND_PAE_PDPT_FOR_32BIT
4823 || pPage->enmKind == PGMPOOLKIND_32BIT_PD
4824 || pPage->enmKind == PGMPOOLKIND_PAE_PD_FOR_PAE_PD
4825 || pPage->enmKind == PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD
4826 || pPage->enmKind == PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD
4827 || pPage->enmKind == PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD
4828 || pPage->enmKind == PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD
4829 || pPage->enmKind == PGMPOOLKIND_ROOT_NESTED,
4830 ("Can't free the shadow CR3! (%RHp vs %RHp kind=%d\n", PGMGetHyperCR3(VMMGetCpu(pVM)), pPage->Core.Key, pPage->enmKind));
4831 Log(("pgmPoolFlushPage: current active shadow CR3, rejected. enmKind=%s idx=%d\n", pgmPoolPoolKindToStr(pPage->enmKind), pPage->idx));
4832 pgmUnlock(pVM);
4833 return VINF_SUCCESS;
4834 }
4835
4836#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
4837 /* Start a subset so we won't run out of mapping space. */
4838 PVMCPU pVCpu = VMMGetCpu(pVM);
4839 uint32_t iPrevSubset = PGMRZDynMapPushAutoSubset(pVCpu);
4840#endif
4841
4842 /*
4843 * Mark the page as being in need of an ASMMemZeroPage().
4844 */
4845 pPage->fZeroed = false;
4846
4847#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
4848 if (pPage->fDirty)
4849 pgmPoolFlushDirtyPage(pVM, pPool, pPage->idxDirtyEntry, false /* do not remove */);
4850#endif
4851
4852 /* If there are any users of this table, then we *must* issue a tlb flush on all VCPUs. */
4853 if (pPage->iUserHead != NIL_PGMPOOL_USER_INDEX)
4854 fFlushRequired = true;
4855
4856 /*
4857 * Clear the page.
4858 */
4859 pgmPoolTrackClearPageUsers(pPool, pPage);
4860 STAM_PROFILE_START(&pPool->StatTrackDeref,a);
4861 pgmPoolTrackDeref(pPool, pPage);
4862 STAM_PROFILE_STOP(&pPool->StatTrackDeref,a);
4863
4864 /*
4865 * Flush it from the cache.
4866 */
4867 pgmPoolCacheFlushPage(pPool, pPage);
4868
4869#if defined(VBOX_WITH_2X_4GB_ADDR_SPACE_IN_R0) || defined(IN_RC)
4870 /* Heavy stuff done. */
4871 PGMRZDynMapPopAutoSubset(pVCpu, iPrevSubset);
4872#endif
4873
4874 /*
4875 * Deregistering the monitoring.
4876 */
4877 if (pPage->fMonitored)
4878 rc = pgmPoolMonitorFlush(pPool, pPage);
4879
4880 /*
4881 * Free the page.
4882 */
4883 Assert(pPage->iNext == NIL_PGMPOOL_IDX);
4884 pPage->iNext = pPool->iFreeHead;
4885 pPool->iFreeHead = pPage->idx;
4886 pPage->enmKind = PGMPOOLKIND_FREE;
4887 pPage->enmAccess = PGMPOOLACCESS_DONTCARE;
4888 pPage->GCPhys = NIL_RTGCPHYS;
4889 pPage->fReusedFlushPending = false;
4890
4891 pPool->cUsedPages--;
4892
4893 /* Flush the TLBs of all VCPUs if required. */
4894 if ( fFlushRequired
4895 && fFlush)
4896 {
4897 PGM_INVL_ALL_VCPU_TLBS(pVM);
4898 }
4899
4900 pgmUnlock(pVM);
4901 STAM_PROFILE_STOP(&pPool->StatFlushPage, f);
4902 return rc;
4903}
4904
4905
4906/**
4907 * Frees a usage of a pool page.
4908 *
4909 * The caller is responsible to updating the user table so that it no longer
4910 * references the shadow page.
4911 *
4912 * @param pPool The pool.
4913 * @param HCPhys The HC physical address of the shadow page.
4914 * @param iUser The shadow page pool index of the user table.
4915 * NIL_PGMPOOL_IDX for root pages.
4916 * @param iUserTable The index into the user table (shadowed). Ignored if
4917 * root page.
4918 */
4919void pgmPoolFreeByPage(PPGMPOOL pPool, PPGMPOOLPAGE pPage, uint16_t iUser, uint32_t iUserTable)
4920{
4921 PVM pVM = pPool->CTX_SUFF(pVM);
4922
4923 STAM_PROFILE_START(&pPool->StatFree, a);
4924 LogFlow(("pgmPoolFreeByPage: pPage=%p:{.Key=%RHp, .idx=%d, enmKind=%s} iUser=%d iUserTable=%#x\n",
4925 pPage, pPage->Core.Key, pPage->idx, pgmPoolPoolKindToStr(pPage->enmKind), iUser, iUserTable));
4926 AssertReturnVoid(pPage->idx >= PGMPOOL_IDX_FIRST); /* paranoia (#6349) */
4927
4928 pgmLock(pVM);
4929 if (iUser != NIL_PGMPOOL_IDX)
4930 pgmPoolTrackFreeUser(pPool, pPage, iUser, iUserTable);
4931 if (!pPage->fCached)
4932 pgmPoolFlushPage(pPool, pPage);
4933 pgmUnlock(pVM);
4934 STAM_PROFILE_STOP(&pPool->StatFree, a);
4935}
4936
4937
4938/**
4939 * Makes one or more free page free.
4940 *
4941 * @returns VBox status code.
4942 * @retval VINF_SUCCESS on success.
4943 * @retval VERR_PGM_POOL_FLUSHED if the pool was flushed.
4944 *
4945 * @param pPool The pool.
4946 * @param enmKind Page table kind
4947 * @param iUser The user of the page.
4948 */
4949static int pgmPoolMakeMoreFreePages(PPGMPOOL pPool, PGMPOOLKIND enmKind, uint16_t iUser)
4950{
4951 PVM pVM = pPool->CTX_SUFF(pVM);
4952 LogFlow(("pgmPoolMakeMoreFreePages: enmKind=%d iUser=%d\n", enmKind, iUser));
4953 NOREF(enmKind);
4954
4955 /*
4956 * If the pool isn't full grown yet, expand it.
4957 */
4958 if ( pPool->cCurPages < pPool->cMaxPages
4959#if defined(IN_RC)
4960 /* Hack alert: we can't deal with jumps to ring 3 when called from MapCR3 and allocating pages for PAE PDs. */
4961 && enmKind != PGMPOOLKIND_PAE_PD_FOR_PAE_PD
4962 && (enmKind < PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD || enmKind > PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD)
4963#endif
4964 )
4965 {
4966 STAM_PROFILE_ADV_SUSPEND(&pPool->StatAlloc, a);
4967#ifdef IN_RING3
4968 int rc = PGMR3PoolGrow(pVM);
4969#else
4970 int rc = VMMRZCallRing3NoCpu(pVM, VMMCALLRING3_PGM_POOL_GROW, 0);
4971#endif
4972 if (RT_FAILURE(rc))
4973 return rc;
4974 STAM_PROFILE_ADV_RESUME(&pPool->StatAlloc, a);
4975 if (pPool->iFreeHead != NIL_PGMPOOL_IDX)
4976 return VINF_SUCCESS;
4977 }
4978
4979 /*
4980 * Free one cached page.
4981 */
4982 return pgmPoolCacheFreeOne(pPool, iUser);
4983}
4984
4985
4986/**
4987 * Allocates a page from the pool.
4988 *
4989 * This page may actually be a cached page and not in need of any processing
4990 * on the callers part.
4991 *
4992 * @returns VBox status code.
4993 * @retval VINF_SUCCESS if a NEW page was allocated.
4994 * @retval VINF_PGM_CACHED_PAGE if a CACHED page was returned.
4995 * @retval VERR_PGM_POOL_FLUSHED if the pool was flushed.
4996 *
4997 * @param pVM Pointer to the VM.
4998 * @param GCPhys The GC physical address of the page we're gonna shadow.
4999 * For 4MB and 2MB PD entries, it's the first address the
5000 * shadow PT is covering.
5001 * @param enmKind The kind of mapping.
5002 * @param enmAccess Access type for the mapping (only relevant for big pages)
5003 * @param fA20Enabled Whether the A20 gate is enabled or not.
5004 * @param iUser The shadow page pool index of the user table. Root
5005 * pages should pass NIL_PGMPOOL_IDX.
5006 * @param iUserTable The index into the user table (shadowed). Ignored for
5007 * root pages (iUser == NIL_PGMPOOL_IDX).
5008 * @param fLockPage Lock the page
5009 * @param ppPage Where to store the pointer to the page. NULL is stored here on failure.
5010 */
5011int pgmPoolAlloc(PVM pVM, RTGCPHYS GCPhys, PGMPOOLKIND enmKind, PGMPOOLACCESS enmAccess, bool fA20Enabled,
5012 uint16_t iUser, uint32_t iUserTable, bool fLockPage, PPPGMPOOLPAGE ppPage)
5013{
5014 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
5015 STAM_PROFILE_ADV_START(&pPool->StatAlloc, a);
5016 LogFlow(("pgmPoolAlloc: GCPhys=%RGp enmKind=%s iUser=%d iUserTable=%#x\n", GCPhys, pgmPoolPoolKindToStr(enmKind), iUser, iUserTable));
5017 *ppPage = NULL;
5018 /** @todo CSAM/PGMPrefetchPage messes up here during CSAMR3CheckGates
5019 * (TRPMR3SyncIDT) because of FF priority. Try fix that?
5020 * Assert(!(pVM->pgm.s.fGlobalSyncFlags & PGM_SYNC_CLEAR_PGM_POOL)); */
5021
5022 pgmLock(pVM);
5023
5024 if (pPool->fCacheEnabled)
5025 {
5026 int rc2 = pgmPoolCacheAlloc(pPool, GCPhys, enmKind, enmAccess, fA20Enabled, iUser, iUserTable, ppPage);
5027 if (RT_SUCCESS(rc2))
5028 {
5029 if (fLockPage)
5030 pgmPoolLockPage(pPool, *ppPage);
5031 pgmUnlock(pVM);
5032 STAM_PROFILE_ADV_STOP(&pPool->StatAlloc, a);
5033 LogFlow(("pgmPoolAlloc: cached returns %Rrc *ppPage=%p:{.Key=%RHp, .idx=%d}\n", rc2, *ppPage, (*ppPage)->Core.Key, (*ppPage)->idx));
5034 return rc2;
5035 }
5036 }
5037
5038 /*
5039 * Allocate a new one.
5040 */
5041 int rc = VINF_SUCCESS;
5042 uint16_t iNew = pPool->iFreeHead;
5043 if (iNew == NIL_PGMPOOL_IDX)
5044 {
5045 rc = pgmPoolMakeMoreFreePages(pPool, enmKind, iUser);
5046 if (RT_FAILURE(rc))
5047 {
5048 pgmUnlock(pVM);
5049 Log(("pgmPoolAlloc: returns %Rrc (Free)\n", rc));
5050 STAM_PROFILE_ADV_STOP(&pPool->StatAlloc, a);
5051 return rc;
5052 }
5053 iNew = pPool->iFreeHead;
5054 AssertReleaseReturn(iNew != NIL_PGMPOOL_IDX, VERR_PGM_POOL_IPE);
5055 }
5056
5057 /* unlink the free head */
5058 PPGMPOOLPAGE pPage = &pPool->aPages[iNew];
5059 pPool->iFreeHead = pPage->iNext;
5060 pPage->iNext = NIL_PGMPOOL_IDX;
5061
5062 /*
5063 * Initialize it.
5064 */
5065 pPool->cUsedPages++; /* physical handler registration / pgmPoolTrackFlushGCPhysPTsSlow requirement. */
5066 pPage->enmKind = enmKind;
5067 pPage->enmAccess = enmAccess;
5068 pPage->GCPhys = GCPhys;
5069 pPage->fA20Enabled = fA20Enabled;
5070 pPage->fSeenNonGlobal = false; /* Set this to 'true' to disable this feature. */
5071 pPage->fMonitored = false;
5072 pPage->fCached = false;
5073 pPage->fDirty = false;
5074 pPage->fReusedFlushPending = false;
5075 pPage->cModifications = 0;
5076 pPage->iModifiedNext = NIL_PGMPOOL_IDX;
5077 pPage->iModifiedPrev = NIL_PGMPOOL_IDX;
5078 pPage->cPresent = 0;
5079 pPage->iFirstPresent = NIL_PGMPOOL_PRESENT_INDEX;
5080 pPage->idxDirtyEntry = 0;
5081 pPage->GCPtrLastAccessHandlerFault = NIL_RTGCPTR;
5082 pPage->GCPtrLastAccessHandlerRip = NIL_RTGCPTR;
5083 pPage->cLastAccessHandler = 0;
5084 pPage->cLocked = 0;
5085# ifdef VBOX_STRICT
5086 pPage->GCPtrDirtyFault = NIL_RTGCPTR;
5087# endif
5088
5089 /*
5090 * Insert into the tracking and cache. If this fails, free the page.
5091 */
5092 int rc3 = pgmPoolTrackInsert(pPool, pPage, GCPhys, iUser, iUserTable);
5093 if (RT_FAILURE(rc3))
5094 {
5095 pPool->cUsedPages--;
5096 pPage->enmKind = PGMPOOLKIND_FREE;
5097 pPage->enmAccess = PGMPOOLACCESS_DONTCARE;
5098 pPage->GCPhys = NIL_RTGCPHYS;
5099 pPage->iNext = pPool->iFreeHead;
5100 pPool->iFreeHead = pPage->idx;
5101 pgmUnlock(pVM);
5102 STAM_PROFILE_ADV_STOP(&pPool->StatAlloc, a);
5103 Log(("pgmPoolAlloc: returns %Rrc (Insert)\n", rc3));
5104 return rc3;
5105 }
5106
5107 /*
5108 * Commit the allocation, clear the page and return.
5109 */
5110#ifdef VBOX_WITH_STATISTICS
5111 if (pPool->cUsedPages > pPool->cUsedPagesHigh)
5112 pPool->cUsedPagesHigh = pPool->cUsedPages;
5113#endif
5114
5115 if (!pPage->fZeroed)
5116 {
5117 STAM_PROFILE_START(&pPool->StatZeroPage, z);
5118 void *pv = PGMPOOL_PAGE_2_PTR(pVM, pPage);
5119 ASMMemZeroPage(pv);
5120 STAM_PROFILE_STOP(&pPool->StatZeroPage, z);
5121 }
5122
5123 *ppPage = pPage;
5124 if (fLockPage)
5125 pgmPoolLockPage(pPool, pPage);
5126 pgmUnlock(pVM);
5127 LogFlow(("pgmPoolAlloc: returns %Rrc *ppPage=%p:{.Key=%RHp, .idx=%d, .fCached=%RTbool, .fMonitored=%RTbool}\n",
5128 rc, pPage, pPage->Core.Key, pPage->idx, pPage->fCached, pPage->fMonitored));
5129 STAM_PROFILE_ADV_STOP(&pPool->StatAlloc, a);
5130 return rc;
5131}
5132
5133
5134/**
5135 * Frees a usage of a pool page.
5136 *
5137 * @param pVM Pointer to the VM.
5138 * @param HCPhys The HC physical address of the shadow page.
5139 * @param iUser The shadow page pool index of the user table.
5140 * NIL_PGMPOOL_IDX if root page.
5141 * @param iUserTable The index into the user table (shadowed). Ignored if
5142 * root page.
5143 */
5144void pgmPoolFree(PVM pVM, RTHCPHYS HCPhys, uint16_t iUser, uint32_t iUserTable)
5145{
5146 LogFlow(("pgmPoolFree: HCPhys=%RHp iUser=%d iUserTable=%#x\n", HCPhys, iUser, iUserTable));
5147 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
5148 pgmPoolFreeByPage(pPool, pgmPoolGetPage(pPool, HCPhys), iUser, iUserTable);
5149}
5150
5151
5152/**
5153 * Internal worker for finding a 'in-use' shadow page give by it's physical address.
5154 *
5155 * @returns Pointer to the shadow page structure.
5156 * @param pPool The pool.
5157 * @param HCPhys The HC physical address of the shadow page.
5158 */
5159PPGMPOOLPAGE pgmPoolGetPage(PPGMPOOL pPool, RTHCPHYS HCPhys)
5160{
5161 PGM_LOCK_ASSERT_OWNER(pPool->CTX_SUFF(pVM));
5162
5163 /*
5164 * Look up the page.
5165 */
5166 PPGMPOOLPAGE pPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, HCPhys & X86_PTE_PAE_PG_MASK);
5167
5168 AssertFatalMsg(pPage && pPage->enmKind != PGMPOOLKIND_FREE, ("HCPhys=%RHp pPage=%p idx=%d\n", HCPhys, pPage, (pPage) ? pPage->idx : 0));
5169 return pPage;
5170}
5171
5172
5173/**
5174 * Internal worker for finding a page for debugging purposes, no assertions.
5175 *
5176 * @returns Pointer to the shadow page structure. NULL on if not found.
5177 * @param pPool The pool.
5178 * @param HCPhys The HC physical address of the shadow page.
5179 */
5180PPGMPOOLPAGE pgmPoolQueryPageForDbg(PPGMPOOL pPool, RTHCPHYS HCPhys)
5181{
5182 PGM_LOCK_ASSERT_OWNER(pPool->CTX_SUFF(pVM));
5183 return (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, HCPhys & X86_PTE_PAE_PG_MASK);
5184}
5185
5186#ifdef IN_RING3 /* currently only used in ring 3; save some space in the R0 & GC modules (left it here as we might need it elsewhere later on) */
5187
5188/**
5189 * Flush the specified page if present
5190 *
5191 * @param pVM Pointer to the VM.
5192 * @param GCPhys Guest physical address of the page to flush
5193 */
5194void pgmPoolFlushPageByGCPhys(PVM pVM, RTGCPHYS GCPhys)
5195{
5196 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
5197
5198 VM_ASSERT_EMT(pVM);
5199
5200 /*
5201 * Look up the GCPhys in the hash.
5202 */
5203 GCPhys = GCPhys & ~(RTGCPHYS)PAGE_OFFSET_MASK;
5204 unsigned i = pPool->aiHash[PGMPOOL_HASH(GCPhys)];
5205 if (i == NIL_PGMPOOL_IDX)
5206 return;
5207
5208 do
5209 {
5210 PPGMPOOLPAGE pPage = &pPool->aPages[i];
5211 if (pPage->GCPhys - GCPhys < PAGE_SIZE)
5212 {
5213 switch (pPage->enmKind)
5214 {
5215 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
5216 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
5217 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
5218 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
5219 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
5220 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
5221 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
5222 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
5223 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
5224 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
5225 case PGMPOOLKIND_64BIT_PML4:
5226 case PGMPOOLKIND_32BIT_PD:
5227 case PGMPOOLKIND_PAE_PDPT:
5228 {
5229 Log(("PGMPoolFlushPage: found pgm pool pages for %RGp\n", GCPhys));
5230#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
5231 if (pPage->fDirty)
5232 STAM_COUNTER_INC(&pPool->StatForceFlushDirtyPage);
5233 else
5234#endif
5235 STAM_COUNTER_INC(&pPool->StatForceFlushPage);
5236 Assert(!pgmPoolIsPageLocked(pPage));
5237 pgmPoolMonitorChainFlush(pPool, pPage);
5238 return;
5239 }
5240
5241 /* ignore, no monitoring. */
5242 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
5243 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
5244 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
5245 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
5246 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
5247 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
5248 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
5249 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
5250 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
5251 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
5252 case PGMPOOLKIND_ROOT_NESTED:
5253 case PGMPOOLKIND_PAE_PD_PHYS:
5254 case PGMPOOLKIND_PAE_PDPT_PHYS:
5255 case PGMPOOLKIND_32BIT_PD_PHYS:
5256 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
5257 break;
5258
5259 default:
5260 AssertFatalMsgFailed(("enmKind=%d idx=%d\n", pPage->enmKind, pPage->idx));
5261 }
5262 }
5263
5264 /* next */
5265 i = pPage->iNext;
5266 } while (i != NIL_PGMPOOL_IDX);
5267 return;
5268}
5269
5270#endif /* IN_RING3 */
5271#ifdef IN_RING3
5272
5273/**
5274 * Reset CPU on hot plugging.
5275 *
5276 * @param pVM Pointer to the VM.
5277 * @param pVCpu The virtual CPU.
5278 */
5279void pgmR3PoolResetUnpluggedCpu(PVM pVM, PVMCPU pVCpu)
5280{
5281 pgmR3ExitShadowModeBeforePoolFlush(pVCpu);
5282
5283 pgmR3ReEnterShadowModeAfterPoolFlush(pVM, pVCpu);
5284 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
5285 VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
5286}
5287
5288
5289/**
5290 * Flushes the entire cache.
5291 *
5292 * It will assert a global CR3 flush (FF) and assumes the caller is aware of
5293 * this and execute this CR3 flush.
5294 *
5295 * @param pPool The pool.
5296 */
5297void pgmR3PoolReset(PVM pVM)
5298{
5299 PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
5300
5301 PGM_LOCK_ASSERT_OWNER(pVM);
5302 STAM_PROFILE_START(&pPool->StatR3Reset, a);
5303 LogFlow(("pgmR3PoolReset:\n"));
5304
5305 /*
5306 * If there are no pages in the pool, there is nothing to do.
5307 */
5308 if (pPool->cCurPages <= PGMPOOL_IDX_FIRST)
5309 {
5310 STAM_PROFILE_STOP(&pPool->StatR3Reset, a);
5311 return;
5312 }
5313
5314 /*
5315 * Exit the shadow mode since we're going to clear everything,
5316 * including the root page.
5317 */
5318 for (VMCPUID i = 0; i < pVM->cCpus; i++)
5319 pgmR3ExitShadowModeBeforePoolFlush(&pVM->aCpus[i]);
5320
5321 /*
5322 * Nuke the free list and reinsert all pages into it.
5323 */
5324 for (unsigned i = pPool->cCurPages - 1; i >= PGMPOOL_IDX_FIRST; i--)
5325 {
5326 PPGMPOOLPAGE pPage = &pPool->aPages[i];
5327
5328 Assert(pPage->Core.Key == MMPage2Phys(pVM, pPage->pvPageR3));
5329 if (pPage->fMonitored)
5330 pgmPoolMonitorFlush(pPool, pPage);
5331 pPage->iModifiedNext = NIL_PGMPOOL_IDX;
5332 pPage->iModifiedPrev = NIL_PGMPOOL_IDX;
5333 pPage->iMonitoredNext = NIL_PGMPOOL_IDX;
5334 pPage->iMonitoredPrev = NIL_PGMPOOL_IDX;
5335 pPage->cModifications = 0;
5336 pPage->GCPhys = NIL_RTGCPHYS;
5337 pPage->enmKind = PGMPOOLKIND_FREE;
5338 pPage->enmAccess = PGMPOOLACCESS_DONTCARE;
5339 Assert(pPage->idx == i);
5340 pPage->iNext = i + 1;
5341 pPage->fA20Enabled = true;
5342 pPage->fZeroed = false; /* This could probably be optimized, but better safe than sorry. */
5343 pPage->fSeenNonGlobal = false;
5344 pPage->fMonitored = false;
5345 pPage->fDirty = false;
5346 pPage->fCached = false;
5347 pPage->fReusedFlushPending = false;
5348 pPage->iUserHead = NIL_PGMPOOL_USER_INDEX;
5349 pPage->iAgeNext = NIL_PGMPOOL_IDX;
5350 pPage->iAgePrev = NIL_PGMPOOL_IDX;
5351 pPage->GCPtrLastAccessHandlerRip = NIL_RTGCPTR;
5352 pPage->GCPtrLastAccessHandlerFault = NIL_RTGCPTR;
5353 pPage->cLastAccessHandler = 0;
5354 pPage->cLocked = 0;
5355#ifdef VBOX_STRICT
5356 pPage->GCPtrDirtyFault = NIL_RTGCPTR;
5357#endif
5358 }
5359 pPool->aPages[pPool->cCurPages - 1].iNext = NIL_PGMPOOL_IDX;
5360 pPool->iFreeHead = PGMPOOL_IDX_FIRST;
5361 pPool->cUsedPages = 0;
5362
5363 /*
5364 * Zap and reinitialize the user records.
5365 */
5366 pPool->cPresent = 0;
5367 pPool->iUserFreeHead = 0;
5368 PPGMPOOLUSER paUsers = pPool->CTX_SUFF(paUsers);
5369 const unsigned cMaxUsers = pPool->cMaxUsers;
5370 for (unsigned i = 0; i < cMaxUsers; i++)
5371 {
5372 paUsers[i].iNext = i + 1;
5373 paUsers[i].iUser = NIL_PGMPOOL_IDX;
5374 paUsers[i].iUserTable = 0xfffffffe;
5375 }
5376 paUsers[cMaxUsers - 1].iNext = NIL_PGMPOOL_USER_INDEX;
5377
5378 /*
5379 * Clear all the GCPhys links and rebuild the phys ext free list.
5380 */
5381 for (PPGMRAMRANGE pRam = pVM->pgm.s.CTX_SUFF(pRamRangesX);
5382 pRam;
5383 pRam = pRam->CTX_SUFF(pNext))
5384 {
5385 unsigned iPage = pRam->cb >> PAGE_SHIFT;
5386 while (iPage-- > 0)
5387 PGM_PAGE_SET_TRACKING(pVM, &pRam->aPages[iPage], 0);
5388 }
5389
5390 pPool->iPhysExtFreeHead = 0;
5391 PPGMPOOLPHYSEXT paPhysExts = pPool->CTX_SUFF(paPhysExts);
5392 const unsigned cMaxPhysExts = pPool->cMaxPhysExts;
5393 for (unsigned i = 0; i < cMaxPhysExts; i++)
5394 {
5395 paPhysExts[i].iNext = i + 1;
5396 paPhysExts[i].aidx[0] = NIL_PGMPOOL_IDX;
5397 paPhysExts[i].apte[0] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
5398 paPhysExts[i].aidx[1] = NIL_PGMPOOL_IDX;
5399 paPhysExts[i].apte[1] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
5400 paPhysExts[i].aidx[2] = NIL_PGMPOOL_IDX;
5401 paPhysExts[i].apte[2] = NIL_PGMPOOL_PHYSEXT_IDX_PTE;
5402 }
5403 paPhysExts[cMaxPhysExts - 1].iNext = NIL_PGMPOOL_PHYSEXT_INDEX;
5404
5405 /*
5406 * Just zap the modified list.
5407 */
5408 pPool->cModifiedPages = 0;
5409 pPool->iModifiedHead = NIL_PGMPOOL_IDX;
5410
5411 /*
5412 * Clear the GCPhys hash and the age list.
5413 */
5414 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aiHash); i++)
5415 pPool->aiHash[i] = NIL_PGMPOOL_IDX;
5416 pPool->iAgeHead = NIL_PGMPOOL_IDX;
5417 pPool->iAgeTail = NIL_PGMPOOL_IDX;
5418
5419#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
5420 /* Clear all dirty pages. */
5421 pPool->idxFreeDirtyPage = 0;
5422 pPool->cDirtyPages = 0;
5423 for (unsigned i = 0; i < RT_ELEMENTS(pPool->aDirtyPages); i++)
5424 pPool->aDirtyPages[i].uIdx = NIL_PGMPOOL_IDX;
5425#endif
5426
5427 /*
5428 * Reinsert active pages into the hash and ensure monitoring chains are correct.
5429 */
5430 for (VMCPUID i = 0; i < pVM->cCpus; i++)
5431 {
5432 /*
5433 * Re-enter the shadowing mode and assert Sync CR3 FF.
5434 */
5435 PVMCPU pVCpu = &pVM->aCpus[i];
5436 pgmR3ReEnterShadowModeAfterPoolFlush(pVM, pVCpu);
5437 VMCPU_FF_SET(pVCpu, VMCPU_FF_PGM_SYNC_CR3);
5438 VMCPU_FF_SET(pVCpu, VMCPU_FF_TLB_FLUSH);
5439 }
5440
5441 STAM_PROFILE_STOP(&pPool->StatR3Reset, a);
5442}
5443
5444#endif /* IN_RING3 */
5445
5446#ifdef LOG_ENABLED
5447/**
5448 * Stringifies a PGMPOOLKIND value.
5449 */
5450static const char *pgmPoolPoolKindToStr(uint8_t enmKind)
5451{
5452 switch ((PGMPOOLKIND)enmKind)
5453 {
5454 case PGMPOOLKIND_INVALID:
5455 return "PGMPOOLKIND_INVALID";
5456 case PGMPOOLKIND_FREE:
5457 return "PGMPOOLKIND_FREE";
5458 case PGMPOOLKIND_32BIT_PT_FOR_PHYS:
5459 return "PGMPOOLKIND_32BIT_PT_FOR_PHYS";
5460 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
5461 return "PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT";
5462 case PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB:
5463 return "PGMPOOLKIND_32BIT_PT_FOR_32BIT_4MB";
5464 case PGMPOOLKIND_PAE_PT_FOR_PHYS:
5465 return "PGMPOOLKIND_PAE_PT_FOR_PHYS";
5466 case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
5467 return "PGMPOOLKIND_PAE_PT_FOR_32BIT_PT";
5468 case PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB:
5469 return "PGMPOOLKIND_PAE_PT_FOR_32BIT_4MB";
5470 case PGMPOOLKIND_PAE_PT_FOR_PAE_PT:
5471 return "PGMPOOLKIND_PAE_PT_FOR_PAE_PT";
5472 case PGMPOOLKIND_PAE_PT_FOR_PAE_2MB:
5473 return "PGMPOOLKIND_PAE_PT_FOR_PAE_2MB";
5474 case PGMPOOLKIND_32BIT_PD:
5475 return "PGMPOOLKIND_32BIT_PD";
5476 case PGMPOOLKIND_32BIT_PD_PHYS:
5477 return "PGMPOOLKIND_32BIT_PD_PHYS";
5478 case PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD:
5479 return "PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD";
5480 case PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD:
5481 return "PGMPOOLKIND_PAE_PD1_FOR_32BIT_PD";
5482 case PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD:
5483 return "PGMPOOLKIND_PAE_PD2_FOR_32BIT_PD";
5484 case PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD:
5485 return "PGMPOOLKIND_PAE_PD3_FOR_32BIT_PD";
5486 case PGMPOOLKIND_PAE_PD_FOR_PAE_PD:
5487 return "PGMPOOLKIND_PAE_PD_FOR_PAE_PD";
5488 case PGMPOOLKIND_PAE_PD_PHYS:
5489 return "PGMPOOLKIND_PAE_PD_PHYS";
5490 case PGMPOOLKIND_PAE_PDPT_FOR_32BIT:
5491 return "PGMPOOLKIND_PAE_PDPT_FOR_32BIT";
5492 case PGMPOOLKIND_PAE_PDPT:
5493 return "PGMPOOLKIND_PAE_PDPT";
5494 case PGMPOOLKIND_PAE_PDPT_PHYS:
5495 return "PGMPOOLKIND_PAE_PDPT_PHYS";
5496 case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
5497 return "PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT";
5498 case PGMPOOLKIND_64BIT_PDPT_FOR_PHYS:
5499 return "PGMPOOLKIND_64BIT_PDPT_FOR_PHYS";
5500 case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
5501 return "PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD";
5502 case PGMPOOLKIND_64BIT_PD_FOR_PHYS:
5503 return "PGMPOOLKIND_64BIT_PD_FOR_PHYS";
5504 case PGMPOOLKIND_64BIT_PML4:
5505 return "PGMPOOLKIND_64BIT_PML4";
5506 case PGMPOOLKIND_EPT_PDPT_FOR_PHYS:
5507 return "PGMPOOLKIND_EPT_PDPT_FOR_PHYS";
5508 case PGMPOOLKIND_EPT_PD_FOR_PHYS:
5509 return "PGMPOOLKIND_EPT_PD_FOR_PHYS";
5510 case PGMPOOLKIND_EPT_PT_FOR_PHYS:
5511 return "PGMPOOLKIND_EPT_PT_FOR_PHYS";
5512 case PGMPOOLKIND_ROOT_NESTED:
5513 return "PGMPOOLKIND_ROOT_NESTED";
5514 }
5515 return "Unknown kind!";
5516}
5517#endif /* LOG_ENABLED*/
5518
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette