Hello list,

(Apologies if this appears twice!)

I'm currently doing some research into guest memory allocation, specifically trying to determine when guests write data into certain memory locations, and I'm trying to get my head around how KVM updates the extended page tables, and where within the KVM code the actual updates occur. I'm working on an Intel box with VT extensions, and Debian 3.6.6 kernel.

After going through the code, I can see that a lot of the existing shadow page table code is reused; however, I'm a little confused over how exactly that is. As an example, I can see the function vmx_set_cr3 (vmx.c) being called, which is setting the host CR3 to the base of the PML4 table. Then from that address, the EPTP is created, essentially setting the bottom 12 bits to various flags. Then, handle_ept_violation is called which contains the GPA that generated the page fault. I've looked into the function kvm_mmu_page_fault which contains the value in the CR2; I'm assuming this to be the guest's CR2 value, which I think is the guest physical address that caused the page fault.

However, this is where I lose the chase slightly. I know from studying the Intel developers manuals that the top level of the 4 level hierarchy for the EPTs is the PML4 table, which can contain a maximum of 512 64-bit entries, with each entry in turn pointing to the base address of a PDPT. The first address that the function pte_list_add sees is the base address of the PML4 table, so I was expecting to be able to read 512 64-bit entries from that base address and see at least one 64-bit entry written into that page. However, after a number of different attempts, I'm unable to determine the function that is actually responsible for updating the EPTs. I was hoping somebody might be able to point me to the correct location within the KVM source code to track when EPT entries are actually written to the various tables in the 4 level hierarchy.
The function pte_list_add seems to do nothing more than change the value of a pointer, but only the first address passed to it is page aligned (the PML4 base) and the rest of the addresses appear to be pointers into existing pages, often seeming to be outside of the PML4 page range.

I might be completely misunderstanding something, but any advice on how to effectively monitor EPT entries within KVM would be greatly appreciated.

Thanks muchly.

Tony
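Added example, not part of the original post and not KVM code: a small C program that decodes the EPTP fields and computes, for a guest-physical address, the index and 8-byte entry-slot address at each level of the 4-level EPT hierarchy described in the message. Field positions follow the Intel SDM; the EPTP, GPA and table-base values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

#define EPT_ENTRIES   512u                   /* 64-bit entries per 4 KiB table */
#define EPT_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 51:12: physical frame */

struct eptp_fields {
    uint64_t pml4_base;   /* host-physical address of the PML4 table */
    unsigned memtype;     /* bits 2:0 (6 = write-back) */
    unsigned walk_levels; /* bits 5:3 store (levels - 1) */
    unsigned ad_enabled;  /* bit 6: accessed/dirty flags enabled */
};

static struct eptp_fields decode_eptp(uint64_t eptp)
{
    struct eptp_fields f;
    f.pml4_base   = eptp & EPT_ADDR_MASK;
    f.memtype     = (unsigned)(eptp & 0x7);
    f.walk_levels = (unsigned)((eptp >> 3) & 0x7) + 1;
    f.ad_enabled  = (unsigned)((eptp >> 6) & 0x1);
    return f;
}

/* Index into the table at `level` (4 = PML4, 3 = PDPT, 2 = PD, 1 = PT). */
static unsigned ept_index(uint64_t gpa, int level)
{
    return (unsigned)((gpa >> (12 + 9 * (level - 1))) & (EPT_ENTRIES - 1));
}

/* Address of the entry slot for `gpa` in the table at `table_base`.
   It is page-aligned only when the index is 0. */
static uint64_t ept_entry_addr(uint64_t table_base, uint64_t gpa, int level)
{
    return table_base + 8ULL * ept_index(gpa, level);
}

int main(void)
{
    uint64_t eptp = 0x000000012345601EULL; /* constructed sample */
    uint64_t gpa  = 0x00000000C0A12345ULL; /* constructed sample */
    struct eptp_fields f = decode_eptp(eptp);

    printf("PML4 base %#llx, memtype %u, levels %u, A/D %u\n",
           (unsigned long long)f.pml4_base, f.memtype, f.walk_levels, f.ad_enabled);
    for (int level = 4; level >= 1; level--)
        printf("level %d index %u\n", level, ept_index(gpa, level));
    /* Lower-level table bases come from entries read during the walk. */
    printf("PML4 entry slot at %#llx\n",
           (unsigned long long)ept_entry_addr(f.pml4_base, gpa, 4));
    return 0;
}
```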