Hi all, I'm trying to build some tools on top of kvm in order to debug, monitor and reverse engineer the guest OS (ubuntu 12.04, 32 bits) One of my tools walks through (and prints) the guest paging data structures as following: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits) According to my logs some accessed kernel PTEs are not present (pte = 9090909090909090) in all processes address spaces (even from init process cr3), however when I use the function kvm_read_guest_virt_helper on their corresponding virtual addresses (GVAs), I get a correct content (content correctness checked using system.map file). Just after calling kvm_read_guest_virt_helper, I check again the PTE corresponding to the read gva, I see that they are unmapped (invalid, always 9090909090909090) I investigated a little the code of kvm_read_guest_virt_helper, this function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...) which in turn calls other functions until FNAME(walk_addr_generic) which seems to do the translation. walk_addr_generic seems to do the translation starting from cr3 of the current process (in line: mmu->get_cr3(vcpu);) and works fine regardless of the identity of the current process (i.e. current cr3). So how the function gva_to_gpa is able to the read correctly any GVA that my tool sees invalid (unmapped) in the paging structures, knowing that my tool is able to read and display correctly a content of (thousands) many other GVAs ? I would be very thankful for any feedback :) -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
