3

That is, given a physical address, can I tell whether this address is from userspace or not?

As far as I know, in virtual address space, the kernel will use the upper half and the userspace will use the lower half. But what about in physical address space?

What makes the problem complicated is that I want to check the guest physical address in KVM, which means that I can't call some kernel functions in the guest OS. So I want to know whether there is an explicit split line?

Ciro Santilli OurBigBook.com
tamlok

1 Answer

7

No.

Almost any physical page frame can be mapped to a userspace virtual address or a kernel virtual address, or even both at the same time.

caf
  • Thanks very much! And what about the virtual address? Is a virtual address with bit 47 to bit 63 being 1 within kernel space and being 0 within userspace? – tamlok May 27 '15 at 07:10
  • @tamlok: Yes, unless you have a kernel using `vsyscall=native`, in which case the vsyscall page is mapped into userspace tasks with a high virtual address. Since you are looking from the hypervisor you can also walk the page tables yourself and check the User/Supervisor bit in the PTE to tell what kind of virtual address you have. – caf May 27 '15 at 07:20
  • How can I tell if the kernel is using `vsyscall=native`? – tamlok May 27 '15 at 12:03
  • @tamlok: I think the only way is to check if the `[vsyscall]` page appears in `/proc//maps` in the guest. You can't check the kernel command line, because `native` was default for some kernel versions and not for others. – caf May 27 '15 at 13:14
  • Yes, the kernel is using `vsyscall=native`. I walked the guest page table in KVM and found something interesting and confusing. The physical addresses of some `PML4E/PDPTE/PDE/PTE` are mapped in the page table while some are not mapped. For example, the val of `cr3` is `0x1c0e000`, one `PML4E` is `0x1fdd067` and one `PDE` is `0x36913063`. And there are `PTE`s `0x8000000001c0e163` and `0x8000000001fdd163` that map to virtual address `0xffff81c0e000` and `0xffff81fdd000` but no `PTE` for the address in `PDE` `0x36913063`. Why? – tamlok May 29 '15 at 01:41
  • Why are the addresses of some page tables mapped in the page table while some are not? I doubt that if there is something wrong with my code that walks the page table. Thanks very much! – tamlok May 29 '15 at 01:50
  • I'm not sure, it could have something to do with the way KVM virtualises the page tables for the guest. – caf May 29 '15 at 02:49
  • I think it is nothing about the KVM because the guest page tables are maintained by the guest totally and the guest is not aware of the virtualization. If not considering the virtualization, will this happen in a normal Linux machine? Thanks very much. – tamlok May 29 '15 at 03:26
  • I'm having trouble deciphering what you're actually asking, but perhaps you could try asking it as a new question? – caf May 29 '15 at 03:29
  • I asked a new question [here](http://stackoverflow.com/q/30541036/1117663). Thanks very much! – tamlok May 30 '15 at 00:44
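
The check caf describes in the comments (walk the guest page tables from the hypervisor side and look at the User/Supervisor bit) can be sketched as follows. This is an added example, not code from the thread or from KVM: `guest_mem`, `read_gpa64`, `classify_va` and `build_sample` are hypothetical names, the page tables are constructed sample data, and it assumes 4-level x86-64 paging. A virtual address is user-accessible only if U/S is set at every level of the walk, which is why the same frame can be reached as both a user and a supervisor mapping, and why a `vsyscall=native` page shows up as a user mapping at a high address.

```c
#include <stdint.h>
#include <stdio.h>

#define PTE_P     (1ULL << 0)            /* Present */
#define PTE_US    (1ULL << 2)            /* User/Supervisor: 1 = user-accessible */
#define PTE_PS    (1ULL << 7)            /* Large page (PDPTE/PDE level only) */
#define ADDR_MASK 0x000ffffffffff000ULL  /* Physical address bits 12..51 */

enum va_kind { VA_NOT_MAPPED, VA_SUPERVISOR, VA_USER, VA_NON_CANONICAL };

/* Constructed guest memory: page-table pages at guest-physical 0x1000..0x4fff. */
static uint64_t guest_mem[5][512];

/* Hypothetical accessor; a hypervisor would read guest-physical memory here. */
static uint64_t read_gpa64(uint64_t gpa) {
    return guest_mem[gpa >> 12][(gpa & 0xfff) >> 3];
}

/* Walk PML4 -> PDPT -> PD -> PT and combine the U/S bit of every level. */
enum va_kind classify_va(uint64_t cr3, uint64_t va) {
    uint64_t top = va >> 47;             /* bits 47..63 must be all 0 or all 1 */
    if (top != 0 && top != 0x1ffff) return VA_NON_CANONICAL;
    uint64_t table = cr3 & ADDR_MASK;
    int user = 1;
    for (int shift = 39; shift >= 12; shift -= 9) {
        uint64_t e = read_gpa64(table + ((va >> shift) & 0x1ff) * 8);
        if (!(e & PTE_P)) return VA_NOT_MAPPED;
        user &= !!(e & PTE_US);          /* one level with U/S=0 makes it supervisor */
        if ((e & PTE_PS) && shift != 39 && shift != 12) break; /* 1 GiB / 2 MiB page */
        table = e & ADDR_MASK;
    }
    return user ? VA_USER : VA_SUPERVISOR;
}

/* Constructed sample: one set of lower tables reached through three PML4 slots. */
void build_sample(void) {
    guest_mem[1][0]   = 0x2000 | PTE_P | PTE_US;  /* low half, user */
    guest_mem[1][256] = 0x2000 | PTE_P;           /* high half, supervisor only */
    guest_mem[1][511] = 0x2000 | PTE_P | PTE_US;  /* high half, user (vsyscall-style) */
    guest_mem[2][0] = guest_mem[2][511] = 0x3000 | PTE_P | PTE_US;
    guest_mem[3][2] = guest_mem[3][507] = 0x4000 | PTE_P | PTE_US;
    guest_mem[4][0] = 0x5000 | PTE_P | PTE_US;    /* the shared 4 KiB frame */
}

int main(void) {
    build_sample();
    printf("%d %d %d\n", classify_va(0x1000, 0x400000ULL),
           classify_va(0x1000, 0xffff800000400000ULL),
           classify_va(0x1000, 0xffffffffff600000ULL));
    return 0;
}
```

In the sample, the frame at `0x5000` is reachable as a user page at `0x400000`, as a supervisor page at `0xffff800000400000`, and as a user page at the high address `0xffffffffff600000`, so neither the physical address nor the virtual address alone decides the answer.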