1/*
2 * mmu_audit.c:
3 *
4 * Audit code for KVM MMU
5 *
6 * Copyright (C) 2006 Qumranet, Inc.
7 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
8 *
9 * Authors:
10 *   Yaniv Kamay  <yaniv@qumranet.com>
11 *   Avi Kivity   <avi@qumranet.com>
12 *   Marcelo Tosatti <mtosatti@redhat.com>
13 *   Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
14 *
15 * This work is licensed under the terms of the GNU GPL, version 2.  See
16 * the COPYING file in the top-level directory.
17 *
18 */
19
20#include <linux/ratelimit.h>
21
22char const *audit_point_name[] = {
23	"pre page fault",
24	"post page fault",
25	"pre pte write",
26	"post pte write",
27	"pre sync",
28	"post sync"
29};
30
31#define audit_printk(kvm, fmt, args...)		\
32	printk(KERN_ERR "audit: (%s) error: "	\
33		fmt, audit_point_name[kvm->arch.audit_point], ##args)
34
35typedef void (*inspect_spte_fn) (struct kvm_vcpu *vcpu, u64 *sptep, int level);
36
37static void __mmu_spte_walk(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
38			    inspect_spte_fn fn, int level)
39{
40	int i;
41
42	for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
43		u64 *ent = sp->spt;
44
45		fn(vcpu, ent + i, level);
46
47		if (is_shadow_present_pte(ent[i]) &&
48		      !is_last_spte(ent[i], level)) {
49			struct kvm_mmu_page *child;
50
51			child = page_header(ent[i] & PT64_BASE_ADDR_MASK);
52			__mmu_spte_walk(vcpu, child, fn, level - 1);
53		}
54	}
55}
56
57static void mmu_spte_walk(struct kvm_vcpu *vcpu, inspect_spte_fn fn)
58{
59	int i;
60	struct kvm_mmu_page *sp;
61
62	if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
63		return;
64
65	if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
66		hpa_t root = vcpu->arch.mmu.root_hpa;
67
68		sp = page_header(root);
69		__mmu_spte_walk(vcpu, sp, fn, PT64_ROOT_LEVEL);
70		return;
71	}
72
73	for (i = 0; i < 4; ++i) {
74		hpa_t root = vcpu->arch.mmu.pae_root[i];
75
76		if (root && VALID_PAGE(root)) {
77			root &= PT64_BASE_ADDR_MASK;
78			sp = page_header(root);
79			__mmu_spte_walk(vcpu, sp, fn, 2);
80		}
81	}
82
83	return;
84}
85
86typedef void (*sp_handler) (struct kvm *kvm, struct kvm_mmu_page *sp);
87
88static void walk_all_active_sps(struct kvm *kvm, sp_handler fn)
89{
90	struct kvm_mmu_page *sp;
91
92	list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link)
93		fn(kvm, sp);
94}
95
96static void audit_mappings(struct kvm_vcpu *vcpu, u64 *sptep, int level)
97{
98	struct kvm_mmu_page *sp;
99	gfn_t gfn;
100	pfn_t pfn;
101	hpa_t hpa;
102
103	sp = page_header(__pa(sptep));
104
105	if (sp->unsync) {
106		if (level != PT_PAGE_TABLE_LEVEL) {
107			audit_printk(vcpu->kvm, "unsync sp: %p "
108				     "level = %d\n", sp, level);
109			return;
110		}
111	}
112
113	if (!is_shadow_present_pte(*sptep) || !is_last_spte(*sptep, level))
114		return;
115
116	gfn = kvm_mmu_page_get_gfn(sp, sptep - sp->spt);
117	pfn = gfn_to_pfn_atomic(vcpu->kvm, gfn);
118
119	if (is_error_pfn(pfn))
120		return;
121
122	hpa =  pfn << PAGE_SHIFT;
123	if ((*sptep & PT64_BASE_ADDR_MASK) != hpa)
124		audit_printk(vcpu->kvm, "levels %d pfn %llx hpa %llx "
125			     "ent %llxn", vcpu->arch.mmu.root_level, pfn,
126			     hpa, *sptep);
127}
128
129static void inspect_spte_has_rmap(struct kvm *kvm, u64 *sptep)
130{
131	static DEFINE_RATELIMIT_STATE(ratelimit_state, 5 * HZ, 10);
132	unsigned long *rmapp;
133	struct kvm_mmu_page *rev_sp;
134	gfn_t gfn;
135
136	rev_sp = page_header(__pa(sptep));
137	gfn = kvm_mmu_page_get_gfn(rev_sp, sptep - rev_sp->spt);
138
139	if (!gfn_to_memslot(kvm, gfn)) {
140		if (!__ratelimit(&ratelimit_state))
141			return;
142		audit_printk(kvm, "no memslot for gfn %llx\n", gfn);
143		audit_printk(kvm, "index %ld of sp (gfn=%llx)\n",
144		       (long int)(sptep - rev_sp->spt), rev_sp->gfn);
145		dump_stack();
146		return;
147	}
148
149	rmapp = gfn_to_rmap(kvm, gfn, rev_sp->role.level);
150	if (!*rmapp) {
151		if (!__ratelimit(&ratelimit_state))
152			return;
153		audit_printk(kvm, "no rmap for writable spte %llx\n",
154			     *sptep);
155		dump_stack();
156	}
157}
158
159static void audit_sptes_have_rmaps(struct kvm_vcpu *vcpu, u64 *sptep, int level)
160{
161	if (is_shadow_present_pte(*sptep) && is_last_spte(*sptep, level))
162		inspect_spte_has_rmap(vcpu->kvm, sptep);
163}
164
165static void audit_spte_after_sync(struct kvm_vcpu *vcpu, u64 *sptep, int level)
166{
167	struct kvm_mmu_page *sp = page_header(__pa(sptep));
168
169	if (vcpu->kvm->arch.audit_point == AUDIT_POST_SYNC && sp->unsync)
170		audit_printk(vcpu->kvm, "meet unsync sp(%p) after sync "
171			     "root.\n", sp);
172}
173
174static void check_mappings_rmap(struct kvm *kvm, struct kvm_mmu_page *sp)
175{
176	int i;
177
178	if (sp->role.level != PT_PAGE_TABLE_LEVEL)
179		return;
180
181	for (i = 0; i < PT64_ENT_PER_PAGE; ++i) {
182		if (!is_rmap_spte(sp->spt[i]))
183			continue;
184
185		inspect_spte_has_rmap(kvm, sp->spt + i);
186	}
187}
188
189static void audit_write_protection(struct kvm *kvm, struct kvm_mmu_page *sp)
190{
191	unsigned long *rmapp;
192	u64 *sptep;
193	struct rmap_iterator iter;
194
195	if (sp->role.direct || sp->unsync || sp->role.invalid)
196		return;
197
198	rmapp = gfn_to_rmap(kvm, sp->gfn, PT_PAGE_TABLE_LEVEL);
199
200	for (sptep = rmap_get_first(*rmapp, &iter); sptep;
201	     sptep = rmap_get_next(&iter)) {
202		if (is_writable_pte(*sptep))
203			audit_printk(kvm, "shadow page has writable "
204				     "mappings: gfn %llx role %x\n",
205				     sp->gfn, sp->role.word);
206	}
207}
208
209static void audit_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
210{
211	check_mappings_rmap(kvm, sp);
212	audit_write_protection(kvm, sp);
213}
214
215static void audit_all_active_sps(struct kvm *kvm)
216{
217	walk_all_active_sps(kvm, audit_sp);
218}
219
220static void audit_spte(struct kvm_vcpu *vcpu, u64 *sptep, int level)
221{
222	audit_sptes_have_rmaps(vcpu, sptep, level);
223	audit_mappings(vcpu, sptep, level);
224	audit_spte_after_sync(vcpu, sptep, level);
225}
226
227static void audit_vcpu_spte(struct kvm_vcpu *vcpu)
228{
229	mmu_spte_walk(vcpu, audit_spte);
230}
231
232static bool mmu_audit;
233static struct static_key mmu_audit_key;
234
235static void __kvm_mmu_audit(struct kvm_vcpu *vcpu, int point)
236{
237	static DEFINE_RATELIMIT_STATE(ratelimit_state, 5 * HZ, 10);
238
239	if (!__ratelimit(&ratelimit_state))
240		return;
241
242	vcpu->kvm->arch.audit_point = point;
243	audit_all_active_sps(vcpu->kvm);
244	audit_vcpu_spte(vcpu);
245}
246
247static inline void kvm_mmu_audit(struct kvm_vcpu *vcpu, int point)
248{
249	if (static_key_false((&mmu_audit_key)))
250		__kvm_mmu_audit(vcpu, point);
251}
252
253static void mmu_audit_enable(void)
254{
255	if (mmu_audit)
256		return;
257
258	static_key_slow_inc(&mmu_audit_key);
259	mmu_audit = true;
260}
261
262static void mmu_audit_disable(void)
263{
264	if (!mmu_audit)
265		return;
266
267	static_key_slow_dec(&mmu_audit_key);
268	mmu_audit = false;
269}
270
271static int mmu_audit_set(const char *val, const struct kernel_param *kp)
272{
273	int ret;
274	unsigned long enable;
275
276	ret = kstrtoul(val, 10, &enable);
277	if (ret < 0)
278		return -EINVAL;
279
280	switch (enable) {
281	case 0:
282		mmu_audit_disable();
283		break;
284	case 1:
285		mmu_audit_enable();
286		break;
287	default:
288		return -EINVAL;
289	}
290
291	return 0;
292}
293
294static struct kernel_param_ops audit_param_ops = {
295	.set = mmu_audit_set,
296	.get = param_get_bool,
297};
298
299arch_param_cb(mmu_audit, &audit_param_ops, &mmu_audit, 0644);
300