From mboxrd@z Thu Jan 1 00:00:00 1970
From: Yacine HEBBAL
Subject: gva_to_gpa function internals
Date: Tue, 1 Dec 2015 18:30:17 +0000 (UTC)
Message-ID:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: kvm@vger.kernel.org
Return-path:
Received: from plane.gmane.org ([80.91.229.3]:49756 "EHLO plane.gmane.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753740AbbLASau (ORCPT ); Tue, 1 Dec 2015 13:30:50 -0500
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1a3phD-00046F-HY for kvm@vger.kernel.org; Tue, 01 Dec 2015 19:30:35 +0100
Received: from machine107.orange-labs.com ([161.106.0.5]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 01 Dec 2015 19:30:35 +0100
Received: from y_hebbal by machine107.orange-labs.com with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 01 Dec 2015 19:30:35 +0100
Sender: kvm-owner@vger.kernel.org
List-ID:

Hi all,

I'm trying to build some tools on top of KVM in order to debug, monitor and reverse engineer the guest OS (Ubuntu 12.04, 32 bits).

One of my tools walks through (and prints) the guest paging data structures as follows: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits).

According to my logs, some accessed kernel PTEs are not present (pte = 9090909090909090) in all processes' address spaces (even from the init process cr3); however, when I use the function kvm_read_guest_virt_helper on their corresponding virtual addresses (GVAs), I get correct content (content correctness checked using the System.map file). Just after calling kvm_read_guest_virt_helper, I check again the PTEs corresponding to the read GVA, and I see that they are unmapped (invalid, always 9090909090909090).

I investigated the code of kvm_read_guest_virt_helper a little; this function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...), which in turn calls other functions until FNAME(walk_addr_generic), which seems to do the translation. walk_addr_generic seems to do the translation starting from the cr3 of the current process (in the line: mmu->get_cr3(vcpu);) and works fine regardless of the identity of the current process (i.e. the current cr3).

So how is the function gva_to_gpa able to correctly read any GVA that my tool sees as invalid (unmapped) in the paging structures, knowing that my tool is able to read and display correctly the content of many (thousands of) other GVAs?

I would be very thankful for any feedback :)
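As an added, self-contained illustration of the walk the mail describes (cr3 -> PDPTE -> PDE -> PTE -> page under 32-bit PAE), and not code from the original mail or from KVM itself: the guest physical memory, the page-table layout, the data string and the cr3 value below are all constructed toy values. Two design points an introspection tool needs are shown: a large-page PDE (PS bit) ends the walk one level early, and an entry that cannot be read at all (GPA outside guest memory) is reported as a distinct status rather than being confused with a not-present entry or replaced by filler bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy guest: 64 KiB of "guest physical memory" (16 pages). */
#define PAGE_SIZE      4096u
#define GUEST_MEM_SIZE (64u * 1024u)
#define PG_P           (1ull << 0)   /* present */
#define PG_RW          (1ull << 1)   /* writable */
#define PG_PS          (1ull << 7)   /* in a PDE: maps a 2 MiB page */
#define ADDR_MASK_4K   0x000FFFFFFFFFF000ull  /* bits 51:12 of an entry */
#define ADDR_MASK_2M   0x000FFFFFFFE00000ull  /* bits 51:21 of a 2 MiB PDE */

static uint8_t guest_mem[GUEST_MEM_SIZE];

enum walk_status { WALK_OK = 0, WALK_NOT_PRESENT, WALK_BAD_GPA };

/* Read one 64-bit table entry at a guest physical address; fail on an
 * out-of-range GPA instead of handing back filler bytes. */
static int read_gpa_u64(uint64_t gpa, uint64_t *out)
{
    if (gpa > GUEST_MEM_SIZE - sizeof(*out))
        return 0;
    memcpy(out, guest_mem + gpa, sizeof(*out));
    return 1;
}

/* PAE walk for a 32-bit GVA: cr3 -> PDPTE -> PDE -> (PTE) -> GPA.
 * *level reports where the walk ended: 3 = PDPTE, 2 = PDE, 1 = PTE. */
static enum walk_status pae_gva_to_gpa(uint32_t cr3, uint32_t gva,
                                       uint64_t *gpa, int *level)
{
    uint64_t pdpte, pde, pte;
    uint64_t pdpt_base = cr3 & ~0x1Fu;          /* PDPT is 32-byte aligned */

    *level = 3;                                  /* bits 31:30 index the PDPT */
    if (!read_gpa_u64(pdpt_base + ((gva >> 30) & 0x3u) * 8, &pdpte))
        return WALK_BAD_GPA;
    if (!(pdpte & PG_P))
        return WALK_NOT_PRESENT;

    *level = 2;                                  /* bits 29:21 index the PD */
    if (!read_gpa_u64((pdpte & ADDR_MASK_4K) + ((gva >> 21) & 0x1FFu) * 8, &pde))
        return WALK_BAD_GPA;
    if (!(pde & PG_P))
        return WALK_NOT_PRESENT;
    if (pde & PG_PS) {                           /* 2 MiB page: there is no PTE */
        *gpa = (pde & ADDR_MASK_2M) | (gva & 0x1FFFFFu);
        return WALK_OK;
    }

    *level = 1;                                  /* bits 20:12 index the PT */
    if (!read_gpa_u64((pde & ADDR_MASK_4K) + ((gva >> 12) & 0x1FFu) * 8, &pte))
        return WALK_BAD_GPA;
    if (!(pte & PG_P))
        return WALK_NOT_PRESENT;
    *gpa = (pte & ADDR_MASK_4K) | (gva & 0xFFFu);
    return WALK_OK;
}

/* Read len bytes at a GVA one page at a time; -1 if any page is unmapped
 * or its GPA lies outside guest memory (no partial or substituted data). */
static long pae_read_guest_virt(uint32_t cr3, uint32_t gva, void *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        uint64_t gpa;
        int level;
        size_t chunk;
        if (pae_gva_to_gpa(cr3, gva + (uint32_t)done, &gpa, &level) != WALK_OK)
            return -1;
        chunk = PAGE_SIZE - (size_t)(gpa & (PAGE_SIZE - 1));
        if (chunk > len - done)
            chunk = len - done;
        if (gpa + chunk > GUEST_MEM_SIZE)
            return -1;
        memcpy((uint8_t *)buf + done, guest_mem + gpa, chunk);
        done += chunk;
    }
    return (long)done;
}

static void put_entry(uint64_t gpa, uint64_t val) { memcpy(guest_mem + gpa, &val, 8); }

/* Constructed layout (toy addresses, not taken from the mail):
 *   0x5000 PDPT (cr3)   0x1000 PD for GVA 0-1 GiB   0x2000 PT for GVA 0-2 MiB
 *   0x4000 PD for GVA 3-4 GiB, whose PDE 0 is a 2 MiB page over GPA 0
 *   0x3000 data page, reachable as GVA 0x00005000 (4 KiB) and 0xC0003000 (2 MiB) */
#define TOY_CR3 0x5000u
static void build_toy_tables(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    put_entry(0x5000 + 0 * 8, 0x1000 | PG_P);
    put_entry(0x5000 + 3 * 8, 0x4000 | PG_P);
    put_entry(0x1000 + 0 * 8, 0x2000 | PG_P | PG_RW);
    put_entry(0x2000 + 5 * 8, 0x3000 | PG_P | PG_RW);
    put_entry(0x2000 + 7 * 8, 0x100000 | PG_P);      /* points past guest memory */
    put_entry(0x4000 + 0 * 8, 0x0 | PG_P | PG_RW | PG_PS);
    strcpy((char *)guest_mem + 0x3000, "kernel-symbol-bytes");
}

int main(void)
{
    static const uint32_t probes[] = { 0x00005ABC, 0xC0003ABC, 0x00006000, 0x40000000, 0x00007000 };
    char buf[32];
    size_t i;
    build_toy_tables();
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t gpa = 0; int level;
        enum walk_status st = pae_gva_to_gpa(TOY_CR3, probes[i], &gpa, &level);
        long n = pae_read_guest_virt(TOY_CR3, probes[i], buf, 8);
        printf("gva 0x%08x: status %d at level %d, gpa 0x%llx, read %ld bytes\n",
               probes[i], (int)st, level, (unsigned long long)gpa, n);
    }
    return 0;
}
```

Running it prints one line per probe: the two GVAs that reach the data page through different paths (a 4 KiB PTE and a 2 MiB PDE) both resolve to GPA 0x3ABC, the two unmapped GVAs stop at level 1 and level 3 respectively, and the PTE that points past guest memory translates but cannot be read. A tool that logs the level and status at which a walk stopped, together with the raw entry value, makes it much easier to tell a genuinely non-present entry from a table page that was read from the wrong place.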