1 // SPDX-License-Identifier: GPL-2.0-only
3 * Kernel-based Virtual Machine driver for Linux
5 * This module enables machines with Intel VT-x extensions to run virtual
6 * machines without emulation or binary translation.
10 * Copyright (C) 2006 Qumranet, Inc.
11 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Yaniv Kamay <yaniv@qumranet.com>
15 * Avi Kivity <avi@qumranet.com>
21 #include "mmu_internal.h"
24 #include "kvm_cache_regs.h"
25 #include "kvm_emulate.h"
29 #include <linux/kvm_host.h>
30 #include <linux/types.h>
31 #include <linux/string.h>
33 #include <linux/highmem.h>
34 #include <linux/moduleparam.h>
35 #include <linux/export.h>
36 #include <linux/swap.h>
37 #include <linux/hugetlb.h>
38 #include <linux/compiler.h>
39 #include <linux/srcu.h>
40 #include <linux/slab.h>
41 #include <linux/sched/signal.h>
42 #include <linux/uaccess.h>
43 #include <linux/hash.h>
44 #include <linux/kern_levels.h>
45 #include <linux/kthread.h>
48 #include <asm/memtype.h>
49 #include <asm/cmpxchg.h>
51 #include <asm/set_memory.h>
53 #include <asm/kvm_page_track.h>
56 extern bool itlb_multihit_kvm_mitigation;
58 static int __read_mostly nx_huge_pages = -1;
59 #ifdef CONFIG_PREEMPT_RT
60 /* Recovery can cause latency spikes, disable it for PREEMPT_RT. */
61 static uint __read_mostly nx_huge_pages_recovery_ratio = 0;
63 static uint __read_mostly nx_huge_pages_recovery_ratio = 60;
66 static int set_nx_huge_pages(const char *val, const struct kernel_param *kp);
67 static int set_nx_huge_pages_recovery_ratio(const char *val, const struct kernel_param *kp);
69 static const struct kernel_param_ops nx_huge_pages_ops = {
70 .set = set_nx_huge_pages,
71 .get = param_get_bool,
74 static const struct kernel_param_ops nx_huge_pages_recovery_ratio_ops = {
75 .set = set_nx_huge_pages_recovery_ratio,
76 .get = param_get_uint,
79 module_param_cb(nx_huge_pages, &nx_huge_pages_ops, &nx_huge_pages, 0644);
80 __MODULE_PARM_TYPE(nx_huge_pages, "bool");
81 module_param_cb(nx_huge_pages_recovery_ratio, &nx_huge_pages_recovery_ratio_ops,
82 &nx_huge_pages_recovery_ratio, 0644);
83 __MODULE_PARM_TYPE(nx_huge_pages_recovery_ratio, "uint");
85 static bool __read_mostly force_flush_and_sync_on_reuse;
86 module_param_named(flush_on_reuse, force_flush_and_sync_on_reuse, bool, 0644);
89 * When setting this variable to true it enables Two-Dimensional-Paging
90 * where the hardware walks 2 page tables:
91 * 1. the guest-virtual to guest-physical
92 * 2. while doing 1. it walks guest-physical to host-physical
93 * If the hardware supports that we don't need to do shadow paging.
95 bool tdp_enabled = false;
97 static int max_huge_page_level __read_mostly;
98 static int max_tdp_level __read_mostly;
101 AUDIT_PRE_PAGE_FAULT,
102 AUDIT_POST_PAGE_FAULT,
104 AUDIT_POST_PTE_WRITE,
111 module_param(dbg, bool, 0644);
114 #define PTE_PREFETCH_NUM 8
116 #define PT32_LEVEL_BITS 10
118 #define PT32_LEVEL_SHIFT(level) \
119 (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)
121 #define PT32_LVL_OFFSET_MASK(level) \
122 (PT32_BASE_ADDR_MASK & ((1ULL << (PAGE_SHIFT + (((level) - 1) \
123 * PT32_LEVEL_BITS))) - 1))
125 #define PT32_INDEX(address, level)\
126 (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))
129 #define PT32_BASE_ADDR_MASK PAGE_MASK
130 #define PT32_DIR_BASE_ADDR_MASK \
131 (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + PT32_LEVEL_BITS)) - 1))
132 #define PT32_LVL_ADDR_MASK(level) \
133 (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + (((level) - 1) \
134 * PT32_LEVEL_BITS))) - 1))
136 #include <trace/events/kvm.h>
138 /* make pte_list_desc fit well in cache line */
139 #define PTE_LIST_EXT 3
141 struct pte_list_desc {
142 u64 *sptes[PTE_LIST_EXT];
143 struct pte_list_desc *more;
146 struct kvm_shadow_walk_iterator {
154 #define for_each_shadow_entry_using_root(_vcpu, _root, _addr, _walker) \
155 for (shadow_walk_init_using_root(&(_walker), (_vcpu), \
157 shadow_walk_okay(&(_walker)); \
158 shadow_walk_next(&(_walker)))
160 #define for_each_shadow_entry(_vcpu, _addr, _walker) \
161 for (shadow_walk_init(&(_walker), _vcpu, _addr); \
162 shadow_walk_okay(&(_walker)); \
163 shadow_walk_next(&(_walker)))
165 #define for_each_shadow_entry_lockless(_vcpu, _addr, _walker, spte) \
166 for (shadow_walk_init(&(_walker), _vcpu, _addr); \
167 shadow_walk_okay(&(_walker)) && \
168 ({ spte = mmu_spte_get_lockless(_walker.sptep); 1; }); \
169 __shadow_walk_next(&(_walker), spte))
171 static struct kmem_cache *pte_list_desc_cache;
172 struct kmem_cache *mmu_page_header_cache;
173 static struct percpu_counter kvm_total_used_mmu_pages;
175 static void mmu_spte_set(u64 *sptep, u64 spte);
176 static union kvm_mmu_page_role
177 kvm_mmu_calc_root_page_role(struct kvm_vcpu *vcpu);
179 #define CREATE_TRACE_POINTS
180 #include "mmutrace.h"
183 static inline bool kvm_available_flush_tlb_with_range(void)
185 return kvm_x86_ops.tlb_remote_flush_with_range;
188 static void kvm_flush_remote_tlbs_with_range(struct kvm *kvm,
189 struct kvm_tlb_range *range)
193 if (range && kvm_x86_ops.tlb_remote_flush_with_range)
194 ret = static_call(kvm_x86_tlb_remote_flush_with_range)(kvm, range);
197 kvm_flush_remote_tlbs(kvm);
200 void kvm_flush_remote_tlbs_with_address(struct kvm *kvm,
201 u64 start_gfn, u64 pages)
203 struct kvm_tlb_range range;
205 range.start_gfn = start_gfn;
208 kvm_flush_remote_tlbs_with_range(kvm, &range);
211 bool is_nx_huge_page_enabled(void)
213 return READ_ONCE(nx_huge_pages);
216 static void mark_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, u64 gfn,
219 u64 spte = make_mmio_spte(vcpu, gfn, access);
221 trace_mark_mmio_spte(sptep, gfn, spte);
222 mmu_spte_set(sptep, spte);
225 static gfn_t get_mmio_spte_gfn(u64 spte)
227 u64 gpa = spte & shadow_nonpresent_or_rsvd_lower_gfn_mask;
229 gpa |= (spte >> SHADOW_NONPRESENT_OR_RSVD_MASK_LEN)
230 & shadow_nonpresent_or_rsvd_mask;
232 return gpa >> PAGE_SHIFT;
235 static unsigned get_mmio_spte_access(u64 spte)
237 return spte & shadow_mmio_access_mask;
240 static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte)
242 u64 kvm_gen, spte_gen, gen;
244 gen = kvm_vcpu_memslots(vcpu)->generation;
245 if (unlikely(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS))
248 kvm_gen = gen & MMIO_SPTE_GEN_MASK;
249 spte_gen = get_mmio_spte_generation(spte);
251 trace_check_mmio_spte(spte, kvm_gen, spte_gen);
252 return likely(kvm_gen == spte_gen);
255 static gpa_t translate_gpa(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access,
256 struct x86_exception *exception)
258 /* Check if guest physical address doesn't exceed guest maximum */
259 if (kvm_vcpu_is_illegal_gpa(vcpu, gpa)) {
260 exception->error_code |= PFERR_RSVD_MASK;
267 static int is_cpuid_PSE36(void)
272 static int is_nx(struct kvm_vcpu *vcpu)
274 return vcpu->arch.efer & EFER_NX;
277 static gfn_t pse36_gfn_delta(u32 gpte)
279 int shift = 32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT;
281 return (gpte & PT32_DIR_PSE36_MASK) << shift;
285 static void __set_spte(u64 *sptep, u64 spte)
287 WRITE_ONCE(*sptep, spte);
290 static void __update_clear_spte_fast(u64 *sptep, u64 spte)
292 WRITE_ONCE(*sptep, spte);
295 static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
297 return xchg(sptep, spte);
300 static u64 __get_spte_lockless(u64 *sptep)
302 return READ_ONCE(*sptep);
313 static void count_spte_clear(u64 *sptep, u64 spte)
315 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
317 if (is_shadow_present_pte(spte))
320 /* Ensure the spte is completely set before we increase the count */
322 sp->clear_spte_count++;
325 static void __set_spte(u64 *sptep, u64 spte)
327 union split_spte *ssptep, sspte;
329 ssptep = (union split_spte *)sptep;
330 sspte = (union split_spte)spte;
332 ssptep->spte_high = sspte.spte_high;
335 * If we map the spte from nonpresent to present, We should store
336 * the high bits firstly, then set present bit, so cpu can not
337 * fetch this spte while we are setting the spte.
341 WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
344 static void __update_clear_spte_fast(u64 *sptep, u64 spte)
346 union split_spte *ssptep, sspte;
348 ssptep = (union split_spte *)sptep;
349 sspte = (union split_spte)spte;
351 WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
354 * If we map the spte from present to nonpresent, we should clear
355 * present bit firstly to avoid vcpu fetch the old high bits.
359 ssptep->spte_high = sspte.spte_high;
360 count_spte_clear(sptep, spte);
363 static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
365 union split_spte *ssptep, sspte, orig;
367 ssptep = (union split_spte *)sptep;
368 sspte = (union split_spte)spte;
370 /* xchg acts as a barrier before the setting of the high bits */
371 orig.spte_low = xchg(&ssptep->spte_low, sspte.spte_low);
372 orig.spte_high = ssptep->spte_high;
373 ssptep->spte_high = sspte.spte_high;
374 count_spte_clear(sptep, spte);
380 * The idea using the light way get the spte on x86_32 guest is from
381 * gup_get_pte (mm/gup.c).
383 * An spte tlb flush may be pending, because kvm_set_pte_rmapp
384 * coalesces them and we are running out of the MMU lock. Therefore
385 * we need to protect against in-progress updates of the spte.
387 * Reading the spte while an update is in progress may get the old value
388 * for the high part of the spte. The race is fine for a present->non-present
389 * change (because the high part of the spte is ignored for non-present spte),
390 * but for a present->present change we must reread the spte.
392 * All such changes are done in two steps (present->non-present and
393 * non-present->present), hence it is enough to count the number of
394 * present->non-present updates: if it changed while reading the spte,
395 * we might have hit the race. This is done using clear_spte_count.
397 static u64 __get_spte_lockless(u64 *sptep)
399 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
400 union split_spte spte, *orig = (union split_spte *)sptep;
404 count = sp->clear_spte_count;
407 spte.spte_low = orig->spte_low;
410 spte.spte_high = orig->spte_high;
413 if (unlikely(spte.spte_low != orig->spte_low ||
414 count != sp->clear_spte_count))
421 static bool spte_has_volatile_bits(u64 spte)
423 if (!is_shadow_present_pte(spte))
427 * Always atomically update spte if it can be updated
428 * out of mmu-lock, it can ensure dirty bit is not lost,
429 * also, it can help us to get a stable is_writable_pte()
430 * to ensure tlb flush is not missed.
432 if (spte_can_locklessly_be_made_writable(spte) ||
433 is_access_track_spte(spte))
436 if (spte_ad_enabled(spte)) {
437 if ((spte & shadow_accessed_mask) == 0 ||
438 (is_writable_pte(spte) && (spte & shadow_dirty_mask) == 0))
445 /* Rules for using mmu_spte_set:
446 * Set the sptep from nonpresent to present.
447 * Note: the sptep being assigned *must* be either not present
448 * or in a state where the hardware will not attempt to update
451 static void mmu_spte_set(u64 *sptep, u64 new_spte)
453 WARN_ON(is_shadow_present_pte(*sptep));
454 __set_spte(sptep, new_spte);
458 * Update the SPTE (excluding the PFN), but do not track changes in its
459 * accessed/dirty status.
461 static u64 mmu_spte_update_no_track(u64 *sptep, u64 new_spte)
463 u64 old_spte = *sptep;
465 WARN_ON(!is_shadow_present_pte(new_spte));
467 if (!is_shadow_present_pte(old_spte)) {
468 mmu_spte_set(sptep, new_spte);
472 if (!spte_has_volatile_bits(old_spte))
473 __update_clear_spte_fast(sptep, new_spte);
475 old_spte = __update_clear_spte_slow(sptep, new_spte);
477 WARN_ON(spte_to_pfn(old_spte) != spte_to_pfn(new_spte));
482 /* Rules for using mmu_spte_update:
483 * Update the state bits, it means the mapped pfn is not changed.
485 * Whenever we overwrite a writable spte with a read-only one we
486 * should flush remote TLBs. Otherwise rmap_write_protect
487 * will find a read-only spte, even though the writable spte
488 * might be cached on a CPU's TLB, the return value indicates this
491 * Returns true if the TLB needs to be flushed
493 static bool mmu_spte_update(u64 *sptep, u64 new_spte)
496 u64 old_spte = mmu_spte_update_no_track(sptep, new_spte);
498 if (!is_shadow_present_pte(old_spte))
502 * For the spte updated out of mmu-lock is safe, since
503 * we always atomically update it, see the comments in
504 * spte_has_volatile_bits().
506 if (spte_can_locklessly_be_made_writable(old_spte) &&
507 !is_writable_pte(new_spte))
511 * Flush TLB when accessed/dirty states are changed in the page tables,
512 * to guarantee consistency between TLB and page tables.
515 if (is_accessed_spte(old_spte) && !is_accessed_spte(new_spte)) {
517 kvm_set_pfn_accessed(spte_to_pfn(old_spte));
520 if (is_dirty_spte(old_spte) && !is_dirty_spte(new_spte)) {
522 kvm_set_pfn_dirty(spte_to_pfn(old_spte));
529 * Rules for using mmu_spte_clear_track_bits:
530 * It sets the sptep from present to nonpresent, and track the
531 * state bits, it is used to clear the last level sptep.
532 * Returns non-zero if the PTE was previously valid.
534 static int mmu_spte_clear_track_bits(u64 *sptep)
537 u64 old_spte = *sptep;
539 if (!spte_has_volatile_bits(old_spte))
540 __update_clear_spte_fast(sptep, 0ull);
542 old_spte = __update_clear_spte_slow(sptep, 0ull);
544 if (!is_shadow_present_pte(old_spte))
547 pfn = spte_to_pfn(old_spte);
550 * KVM does not hold the refcount of the page used by
551 * kvm mmu, before reclaiming the page, we should
552 * unmap it from mmu first.
554 WARN_ON(!kvm_is_reserved_pfn(pfn) && !page_count(pfn_to_page(pfn)));
556 if (is_accessed_spte(old_spte))
557 kvm_set_pfn_accessed(pfn);
559 if (is_dirty_spte(old_spte))
560 kvm_set_pfn_dirty(pfn);
566 * Rules for using mmu_spte_clear_no_track:
567 * Directly clear spte without caring the state bits of sptep,
568 * it is used to set the upper level spte.
570 static void mmu_spte_clear_no_track(u64 *sptep)
572 __update_clear_spte_fast(sptep, 0ull);
575 static u64 mmu_spte_get_lockless(u64 *sptep)
577 return __get_spte_lockless(sptep);
580 /* Restore an acc-track PTE back to a regular PTE */
581 static u64 restore_acc_track_spte(u64 spte)
584 u64 saved_bits = (spte >> SHADOW_ACC_TRACK_SAVED_BITS_SHIFT)
585 & SHADOW_ACC_TRACK_SAVED_BITS_MASK;
587 WARN_ON_ONCE(spte_ad_enabled(spte));
588 WARN_ON_ONCE(!is_access_track_spte(spte));
590 new_spte &= ~shadow_acc_track_mask;
591 new_spte &= ~(SHADOW_ACC_TRACK_SAVED_BITS_MASK <<
592 SHADOW_ACC_TRACK_SAVED_BITS_SHIFT);
593 new_spte |= saved_bits;
598 /* Returns the Accessed status of the PTE and resets it at the same time. */
599 static bool mmu_spte_age(u64 *sptep)
601 u64 spte = mmu_spte_get_lockless(sptep);
603 if (!is_accessed_spte(spte))
606 if (spte_ad_enabled(spte)) {
607 clear_bit((ffs(shadow_accessed_mask) - 1),
608 (unsigned long *)sptep);
611 * Capture the dirty status of the page, so that it doesn't get
612 * lost when the SPTE is marked for access tracking.
614 if (is_writable_pte(spte))
615 kvm_set_pfn_dirty(spte_to_pfn(spte));
617 spte = mark_spte_for_access_track(spte);
618 mmu_spte_update_no_track(sptep, spte);
624 static void walk_shadow_page_lockless_begin(struct kvm_vcpu *vcpu)
627 * Prevent page table teardown by making any free-er wait during
628 * kvm_flush_remote_tlbs() IPI to all active vcpus.
633 * Make sure a following spte read is not reordered ahead of the write
636 smp_store_mb(vcpu->mode, READING_SHADOW_PAGE_TABLES);
639 static void walk_shadow_page_lockless_end(struct kvm_vcpu *vcpu)
642 * Make sure the write to vcpu->mode is not reordered in front of
643 * reads to sptes. If it does, kvm_mmu_commit_zap_page() can see us
644 * OUTSIDE_GUEST_MODE and proceed to free the shadow page table.
646 smp_store_release(&vcpu->mode, OUTSIDE_GUEST_MODE);
650 static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu, bool maybe_indirect)
654 /* 1 rmap, 1 parent PTE per level, and the prefetched rmaps. */
655 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache,
656 1 + PT64_ROOT_MAX_LEVEL + PTE_PREFETCH_NUM);
659 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_shadow_page_cache,
660 PT64_ROOT_MAX_LEVEL);
663 if (maybe_indirect) {
664 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_gfn_array_cache,
665 PT64_ROOT_MAX_LEVEL);
669 return kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
670 PT64_ROOT_MAX_LEVEL);
673 static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
675 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache);
676 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_shadow_page_cache);
677 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_gfn_array_cache);
678 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache);
681 static struct pte_list_desc *mmu_alloc_pte_list_desc(struct kvm_vcpu *vcpu)
683 return kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_pte_list_desc_cache);
686 static void mmu_free_pte_list_desc(struct pte_list_desc *pte_list_desc)
688 kmem_cache_free(pte_list_desc_cache, pte_list_desc);
691 static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index)
693 if (!sp->role.direct)
694 return sp->gfns[index];
696 return sp->gfn + (index << ((sp->role.level - 1) * PT64_LEVEL_BITS));
699 static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
701 if (!sp->role.direct) {
702 sp->gfns[index] = gfn;
706 if (WARN_ON(gfn != kvm_mmu_page_get_gfn(sp, index)))
707 pr_err_ratelimited("gfn mismatch under direct page %llx "
708 "(expected %llx, got %llx)\n",
710 kvm_mmu_page_get_gfn(sp, index), gfn);
714 * Return the pointer to the large page information for a given gfn,
715 * handling slots that are not large page aligned.
717 static struct kvm_lpage_info *lpage_info_slot(gfn_t gfn,
718 struct kvm_memory_slot *slot,
723 idx = gfn_to_index(gfn, slot->base_gfn, level);
724 return &slot->arch.lpage_info[level - 2][idx];
727 static void update_gfn_disallow_lpage_count(struct kvm_memory_slot *slot,
728 gfn_t gfn, int count)
730 struct kvm_lpage_info *linfo;
733 for (i = PG_LEVEL_2M; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
734 linfo = lpage_info_slot(gfn, slot, i);
735 linfo->disallow_lpage += count;
736 WARN_ON(linfo->disallow_lpage < 0);
740 void kvm_mmu_gfn_disallow_lpage(struct kvm_memory_slot *slot, gfn_t gfn)
742 update_gfn_disallow_lpage_count(slot, gfn, 1);
745 void kvm_mmu_gfn_allow_lpage(struct kvm_memory_slot *slot, gfn_t gfn)
747 update_gfn_disallow_lpage_count(slot, gfn, -1);
750 static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
752 struct kvm_memslots *slots;
753 struct kvm_memory_slot *slot;
756 kvm->arch.indirect_shadow_pages++;
758 slots = kvm_memslots_for_spte_role(kvm, sp->role);
759 slot = __gfn_to_memslot(slots, gfn);
761 /* the non-leaf shadow pages are keeping readonly. */
762 if (sp->role.level > PG_LEVEL_4K)
763 return kvm_slot_page_track_add_page(kvm, slot, gfn,
764 KVM_PAGE_TRACK_WRITE);
766 kvm_mmu_gfn_disallow_lpage(slot, gfn);
769 void account_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
771 if (sp->lpage_disallowed)
774 ++kvm->stat.nx_lpage_splits;
775 list_add_tail(&sp->lpage_disallowed_link,
776 &kvm->arch.lpage_disallowed_mmu_pages);
777 sp->lpage_disallowed = true;
780 static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
782 struct kvm_memslots *slots;
783 struct kvm_memory_slot *slot;
786 kvm->arch.indirect_shadow_pages--;
788 slots = kvm_memslots_for_spte_role(kvm, sp->role);
789 slot = __gfn_to_memslot(slots, gfn);
790 if (sp->role.level > PG_LEVEL_4K)
791 return kvm_slot_page_track_remove_page(kvm, slot, gfn,
792 KVM_PAGE_TRACK_WRITE);
794 kvm_mmu_gfn_allow_lpage(slot, gfn);
797 void unaccount_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
799 --kvm->stat.nx_lpage_splits;
800 sp->lpage_disallowed = false;
801 list_del(&sp->lpage_disallowed_link);
804 static struct kvm_memory_slot *
805 gfn_to_memslot_dirty_bitmap(struct kvm_vcpu *vcpu, gfn_t gfn,
808 struct kvm_memory_slot *slot;
810 slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
811 if (!slot || slot->flags & KVM_MEMSLOT_INVALID)
813 if (no_dirty_log && kvm_slot_dirty_track_enabled(slot))
820 * About rmap_head encoding:
822 * If the bit zero of rmap_head->val is clear, then it points to the only spte
823 * in this rmap chain. Otherwise, (rmap_head->val & ~1) points to a struct
824 * pte_list_desc containing more mappings.
828 * Returns the number of pointers in the rmap chain, not counting the new one.
830 static int pte_list_add(struct kvm_vcpu *vcpu, u64 *spte,
831 struct kvm_rmap_head *rmap_head)
833 struct pte_list_desc *desc;
836 if (!rmap_head->val) {
837 rmap_printk("%p %llx 0->1\n", spte, *spte);
838 rmap_head->val = (unsigned long)spte;
839 } else if (!(rmap_head->val & 1)) {
840 rmap_printk("%p %llx 1->many\n", spte, *spte);
841 desc = mmu_alloc_pte_list_desc(vcpu);
842 desc->sptes[0] = (u64 *)rmap_head->val;
843 desc->sptes[1] = spte;
844 rmap_head->val = (unsigned long)desc | 1;
847 rmap_printk("%p %llx many->many\n", spte, *spte);
848 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
849 while (desc->sptes[PTE_LIST_EXT-1]) {
850 count += PTE_LIST_EXT;
853 desc->more = mmu_alloc_pte_list_desc(vcpu);
859 for (i = 0; desc->sptes[i]; ++i)
861 desc->sptes[i] = spte;
867 pte_list_desc_remove_entry(struct kvm_rmap_head *rmap_head,
868 struct pte_list_desc *desc, int i,
869 struct pte_list_desc *prev_desc)
873 for (j = PTE_LIST_EXT - 1; !desc->sptes[j] && j > i; --j)
875 desc->sptes[i] = desc->sptes[j];
876 desc->sptes[j] = NULL;
879 if (!prev_desc && !desc->more)
883 prev_desc->more = desc->more;
885 rmap_head->val = (unsigned long)desc->more | 1;
886 mmu_free_pte_list_desc(desc);
889 static void __pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head)
891 struct pte_list_desc *desc;
892 struct pte_list_desc *prev_desc;
895 if (!rmap_head->val) {
896 pr_err("%s: %p 0->BUG\n", __func__, spte);
898 } else if (!(rmap_head->val & 1)) {
899 rmap_printk("%p 1->0\n", spte);
900 if ((u64 *)rmap_head->val != spte) {
901 pr_err("%s: %p 1->BUG\n", __func__, spte);
906 rmap_printk("%p many->many\n", spte);
907 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
910 for (i = 0; i < PTE_LIST_EXT && desc->sptes[i]; ++i) {
911 if (desc->sptes[i] == spte) {
912 pte_list_desc_remove_entry(rmap_head,
920 pr_err("%s: %p many->many\n", __func__, spte);
925 static void pte_list_remove(struct kvm_rmap_head *rmap_head, u64 *sptep)
927 mmu_spte_clear_track_bits(sptep);
928 __pte_list_remove(sptep, rmap_head);
931 static struct kvm_rmap_head *__gfn_to_rmap(gfn_t gfn, int level,
932 struct kvm_memory_slot *slot)
936 idx = gfn_to_index(gfn, slot->base_gfn, level);
937 return &slot->arch.rmap[level - PG_LEVEL_4K][idx];
940 static struct kvm_rmap_head *gfn_to_rmap(struct kvm *kvm, gfn_t gfn,
941 struct kvm_mmu_page *sp)
943 struct kvm_memslots *slots;
944 struct kvm_memory_slot *slot;
946 slots = kvm_memslots_for_spte_role(kvm, sp->role);
947 slot = __gfn_to_memslot(slots, gfn);
948 return __gfn_to_rmap(gfn, sp->role.level, slot);
951 static bool rmap_can_add(struct kvm_vcpu *vcpu)
953 struct kvm_mmu_memory_cache *mc;
955 mc = &vcpu->arch.mmu_pte_list_desc_cache;
956 return kvm_mmu_memory_cache_nr_free_objects(mc);
959 static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
961 struct kvm_mmu_page *sp;
962 struct kvm_rmap_head *rmap_head;
964 sp = sptep_to_sp(spte);
965 kvm_mmu_page_set_gfn(sp, spte - sp->spt, gfn);
966 rmap_head = gfn_to_rmap(vcpu->kvm, gfn, sp);
967 return pte_list_add(vcpu, spte, rmap_head);
970 static void rmap_remove(struct kvm *kvm, u64 *spte)
972 struct kvm_mmu_page *sp;
974 struct kvm_rmap_head *rmap_head;
976 sp = sptep_to_sp(spte);
977 gfn = kvm_mmu_page_get_gfn(sp, spte - sp->spt);
978 rmap_head = gfn_to_rmap(kvm, gfn, sp);
979 __pte_list_remove(spte, rmap_head);
983 * Used by the following functions to iterate through the sptes linked by a
984 * rmap. All fields are private and not assumed to be used outside.
986 struct rmap_iterator {
988 struct pte_list_desc *desc; /* holds the sptep if not NULL */
989 int pos; /* index of the sptep */
993 * Iteration must be started by this function. This should also be used after
994 * removing/dropping sptes from the rmap link because in such cases the
995 * information in the iterator may not be valid.
997 * Returns sptep if found, NULL otherwise.
999 static u64 *rmap_get_first(struct kvm_rmap_head *rmap_head,
1000 struct rmap_iterator *iter)
1004 if (!rmap_head->val)
1007 if (!(rmap_head->val & 1)) {
1009 sptep = (u64 *)rmap_head->val;
1013 iter->desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
1015 sptep = iter->desc->sptes[iter->pos];
1017 BUG_ON(!is_shadow_present_pte(*sptep));
1022 * Must be used with a valid iterator: e.g. after rmap_get_first().
1024 * Returns sptep if found, NULL otherwise.
1026 static u64 *rmap_get_next(struct rmap_iterator *iter)
1031 if (iter->pos < PTE_LIST_EXT - 1) {
1033 sptep = iter->desc->sptes[iter->pos];
1038 iter->desc = iter->desc->more;
1042 /* desc->sptes[0] cannot be NULL */
1043 sptep = iter->desc->sptes[iter->pos];
1050 BUG_ON(!is_shadow_present_pte(*sptep));
1054 #define for_each_rmap_spte(_rmap_head_, _iter_, _spte_) \
1055 for (_spte_ = rmap_get_first(_rmap_head_, _iter_); \
1056 _spte_; _spte_ = rmap_get_next(_iter_))
1058 static void drop_spte(struct kvm *kvm, u64 *sptep)
1060 if (mmu_spte_clear_track_bits(sptep))
1061 rmap_remove(kvm, sptep);
1065 static bool __drop_large_spte(struct kvm *kvm, u64 *sptep)
1067 if (is_large_pte(*sptep)) {
1068 WARN_ON(sptep_to_sp(sptep)->role.level == PG_LEVEL_4K);
1069 drop_spte(kvm, sptep);
1077 static void drop_large_spte(struct kvm_vcpu *vcpu, u64 *sptep)
1079 if (__drop_large_spte(vcpu->kvm, sptep)) {
1080 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
1082 kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
1083 KVM_PAGES_PER_HPAGE(sp->role.level));
1088 * Write-protect on the specified @sptep, @pt_protect indicates whether
1089 * spte write-protection is caused by protecting shadow page table.
1091 * Note: write protection is difference between dirty logging and spte
1093 * - for dirty logging, the spte can be set to writable at anytime if
1094 * its dirty bitmap is properly set.
1095 * - for spte protection, the spte can be writable only after unsync-ing
1098 * Return true if tlb need be flushed.
1100 static bool spte_write_protect(u64 *sptep, bool pt_protect)
1104 if (!is_writable_pte(spte) &&
1105 !(pt_protect && spte_can_locklessly_be_made_writable(spte)))
1108 rmap_printk("spte %p %llx\n", sptep, *sptep);
1111 spte &= ~shadow_mmu_writable_mask;
1112 spte = spte & ~PT_WRITABLE_MASK;
1114 return mmu_spte_update(sptep, spte);
1117 static bool __rmap_write_protect(struct kvm *kvm,
1118 struct kvm_rmap_head *rmap_head,
1122 struct rmap_iterator iter;
1125 for_each_rmap_spte(rmap_head, &iter, sptep)
1126 flush |= spte_write_protect(sptep, pt_protect);
1131 static bool spte_clear_dirty(u64 *sptep)
1135 rmap_printk("spte %p %llx\n", sptep, *sptep);
1137 MMU_WARN_ON(!spte_ad_enabled(spte));
1138 spte &= ~shadow_dirty_mask;
1139 return mmu_spte_update(sptep, spte);
1142 static bool spte_wrprot_for_clear_dirty(u64 *sptep)
1144 bool was_writable = test_and_clear_bit(PT_WRITABLE_SHIFT,
1145 (unsigned long *)sptep);
1146 if (was_writable && !spte_ad_enabled(*sptep))
1147 kvm_set_pfn_dirty(spte_to_pfn(*sptep));
1149 return was_writable;
1153 * Gets the GFN ready for another round of dirty logging by clearing the
1154 * - D bit on ad-enabled SPTEs, and
1155 * - W bit on ad-disabled SPTEs.
1156 * Returns true iff any D or W bits were cleared.
1158 static bool __rmap_clear_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1159 struct kvm_memory_slot *slot)
1162 struct rmap_iterator iter;
1165 for_each_rmap_spte(rmap_head, &iter, sptep)
1166 if (spte_ad_need_write_protect(*sptep))
1167 flush |= spte_wrprot_for_clear_dirty(sptep);
1169 flush |= spte_clear_dirty(sptep);
1175 * kvm_mmu_write_protect_pt_masked - write protect selected PT level pages
1176 * @kvm: kvm instance
1177 * @slot: slot to protect
1178 * @gfn_offset: start of the BITS_PER_LONG pages we care about
1179 * @mask: indicates which pages we should protect
1181 * Used when we do not need to care about huge page mappings: e.g. during dirty
1182 * logging we do not have any such mappings.
1184 static void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
1185 struct kvm_memory_slot *slot,
1186 gfn_t gfn_offset, unsigned long mask)
1188 struct kvm_rmap_head *rmap_head;
1190 if (is_tdp_mmu_enabled(kvm))
1191 kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1192 slot->base_gfn + gfn_offset, mask, true);
1194 rmap_head = __gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1196 __rmap_write_protect(kvm, rmap_head, false);
1198 /* clear the first set bit */
1204 * kvm_mmu_clear_dirty_pt_masked - clear MMU D-bit for PT level pages, or write
1205 * protect the page if the D-bit isn't supported.
1206 * @kvm: kvm instance
1207 * @slot: slot to clear D-bit
1208 * @gfn_offset: start of the BITS_PER_LONG pages we care about
1209 * @mask: indicates which pages we should clear D-bit
1211 * Used for PML to re-log the dirty GPAs after userspace querying dirty_bitmap.
1213 static void kvm_mmu_clear_dirty_pt_masked(struct kvm *kvm,
1214 struct kvm_memory_slot *slot,
1215 gfn_t gfn_offset, unsigned long mask)
1217 struct kvm_rmap_head *rmap_head;
1219 if (is_tdp_mmu_enabled(kvm))
1220 kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1221 slot->base_gfn + gfn_offset, mask, false);
1223 rmap_head = __gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1225 __rmap_clear_dirty(kvm, rmap_head, slot);
1227 /* clear the first set bit */
1233 * kvm_arch_mmu_enable_log_dirty_pt_masked - enable dirty logging for selected
1236 * It calls kvm_mmu_write_protect_pt_masked to write protect selected pages to
1237 * enable dirty logging for them.
1239 * Used when we do not need to care about huge page mappings: e.g. during dirty
1240 * logging we do not have any such mappings.
1242 void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
1243 struct kvm_memory_slot *slot,
1244 gfn_t gfn_offset, unsigned long mask)
1246 if (kvm_x86_ops.cpu_dirty_log_size)
1247 kvm_mmu_clear_dirty_pt_masked(kvm, slot, gfn_offset, mask);
1249 kvm_mmu_write_protect_pt_masked(kvm, slot, gfn_offset, mask);
1252 int kvm_cpu_dirty_log_size(void)
1254 return kvm_x86_ops.cpu_dirty_log_size;
1257 bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
1258 struct kvm_memory_slot *slot, u64 gfn)
1260 struct kvm_rmap_head *rmap_head;
1262 bool write_protected = false;
1264 for (i = PG_LEVEL_4K; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
1265 rmap_head = __gfn_to_rmap(gfn, i, slot);
1266 write_protected |= __rmap_write_protect(kvm, rmap_head, true);
1269 if (is_tdp_mmu_enabled(kvm))
1271 kvm_tdp_mmu_write_protect_gfn(kvm, slot, gfn);
1273 return write_protected;
1276 static bool rmap_write_protect(struct kvm_vcpu *vcpu, u64 gfn)
1278 struct kvm_memory_slot *slot;
1280 slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
1281 return kvm_mmu_slot_gfn_write_protect(vcpu->kvm, slot, gfn);
1284 static bool kvm_zap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1285 struct kvm_memory_slot *slot)
1288 struct rmap_iterator iter;
1291 while ((sptep = rmap_get_first(rmap_head, &iter))) {
1292 rmap_printk("spte %p %llx.\n", sptep, *sptep);
1294 pte_list_remove(rmap_head, sptep);
1301 static int kvm_unmap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1302 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1305 return kvm_zap_rmapp(kvm, rmap_head, slot);
1308 static int kvm_set_pte_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1309 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1313 struct rmap_iterator iter;
1316 pte_t *ptep = (pte_t *)data;
1319 WARN_ON(pte_huge(*ptep));
1320 new_pfn = pte_pfn(*ptep);
1323 for_each_rmap_spte(rmap_head, &iter, sptep) {
1324 rmap_printk("spte %p %llx gfn %llx (%d)\n",
1325 sptep, *sptep, gfn, level);
1329 if (pte_write(*ptep)) {
1330 pte_list_remove(rmap_head, sptep);
1333 new_spte = kvm_mmu_changed_pte_notifier_make_spte(
1336 mmu_spte_clear_track_bits(sptep);
1337 mmu_spte_set(sptep, new_spte);
1341 if (need_flush && kvm_available_flush_tlb_with_range()) {
1342 kvm_flush_remote_tlbs_with_address(kvm, gfn, 1);
1349 struct slot_rmap_walk_iterator {
1351 struct kvm_memory_slot *slot;
1357 /* output fields. */
1359 struct kvm_rmap_head *rmap;
1362 /* private field. */
1363 struct kvm_rmap_head *end_rmap;
1367 rmap_walk_init_level(struct slot_rmap_walk_iterator *iterator, int level)
1369 iterator->level = level;
1370 iterator->gfn = iterator->start_gfn;
1371 iterator->rmap = __gfn_to_rmap(iterator->gfn, level, iterator->slot);
1372 iterator->end_rmap = __gfn_to_rmap(iterator->end_gfn, level,
1377 slot_rmap_walk_init(struct slot_rmap_walk_iterator *iterator,
1378 struct kvm_memory_slot *slot, int start_level,
1379 int end_level, gfn_t start_gfn, gfn_t end_gfn)
1381 iterator->slot = slot;
1382 iterator->start_level = start_level;
1383 iterator->end_level = end_level;
1384 iterator->start_gfn = start_gfn;
1385 iterator->end_gfn = end_gfn;
1387 rmap_walk_init_level(iterator, iterator->start_level);
1390 static bool slot_rmap_walk_okay(struct slot_rmap_walk_iterator *iterator)
1392 return !!iterator->rmap;
1395 static void slot_rmap_walk_next(struct slot_rmap_walk_iterator *iterator)
1397 if (++iterator->rmap <= iterator->end_rmap) {
1398 iterator->gfn += (1UL << KVM_HPAGE_GFN_SHIFT(iterator->level));
1402 if (++iterator->level > iterator->end_level) {
1403 iterator->rmap = NULL;
1407 rmap_walk_init_level(iterator, iterator->level);
1410 #define for_each_slot_rmap_range(_slot_, _start_level_, _end_level_, \
1411 _start_gfn, _end_gfn, _iter_) \
1412 for (slot_rmap_walk_init(_iter_, _slot_, _start_level_, \
1413 _end_level_, _start_gfn, _end_gfn); \
1414 slot_rmap_walk_okay(_iter_); \
1415 slot_rmap_walk_next(_iter_))
1417 typedef int (*rmap_handler_t)(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1418 struct kvm_memory_slot *slot, gfn_t gfn,
1419 int level, unsigned long data);
1421 static __always_inline int kvm_handle_hva_range(struct kvm *kvm,
1422 unsigned long start,
1425 rmap_handler_t handler)
1427 struct kvm_memslots *slots;
1428 struct kvm_memory_slot *memslot;
1429 struct slot_rmap_walk_iterator iterator;
1433 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
1434 slots = __kvm_memslots(kvm, i);
1435 kvm_for_each_memslot(memslot, slots) {
1436 unsigned long hva_start, hva_end;
1437 gfn_t gfn_start, gfn_end;
1439 hva_start = max(start, memslot->userspace_addr);
1440 hva_end = min(end, memslot->userspace_addr +
1441 (memslot->npages << PAGE_SHIFT));
1442 if (hva_start >= hva_end)
1445 * {gfn(page) | page intersects with [hva_start, hva_end)} =
1446 * {gfn_start, gfn_start+1, ..., gfn_end-1}.
1448 gfn_start = hva_to_gfn_memslot(hva_start, memslot);
1449 gfn_end = hva_to_gfn_memslot(hva_end + PAGE_SIZE - 1, memslot);
1451 for_each_slot_rmap_range(memslot, PG_LEVEL_4K,
1452 KVM_MAX_HUGEPAGE_LEVEL,
1453 gfn_start, gfn_end - 1,
1455 ret |= handler(kvm, iterator.rmap, memslot,
1456 iterator.gfn, iterator.level, data);
1463 static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
1464 unsigned long data, rmap_handler_t handler)
1466 return kvm_handle_hva_range(kvm, hva, hva + 1, data, handler);
1469 int kvm_unmap_hva_range(struct kvm *kvm, unsigned long start, unsigned long end,
1474 r = kvm_handle_hva_range(kvm, start, end, 0, kvm_unmap_rmapp);
1476 if (is_tdp_mmu_enabled(kvm))
1477 r |= kvm_tdp_mmu_zap_hva_range(kvm, start, end);
1482 int kvm_set_spte_hva(struct kvm *kvm, unsigned long hva, pte_t pte)
1486 r = kvm_handle_hva(kvm, hva, (unsigned long)&pte, kvm_set_pte_rmapp);
1488 if (is_tdp_mmu_enabled(kvm))
1489 r |= kvm_tdp_mmu_set_spte_hva(kvm, hva, &pte);
1494 static int kvm_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1495 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1499 struct rmap_iterator iter;
1502 for_each_rmap_spte(rmap_head, &iter, sptep)
1503 young |= mmu_spte_age(sptep);
1505 trace_kvm_age_page(gfn, level, slot, young);
1509 static int kvm_test_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1510 struct kvm_memory_slot *slot, gfn_t gfn,
1511 int level, unsigned long data)
1514 struct rmap_iterator iter;
1516 for_each_rmap_spte(rmap_head, &iter, sptep)
1517 if (is_accessed_spte(*sptep))
1522 #define RMAP_RECYCLE_THRESHOLD 1000
1524 static void rmap_recycle(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
1526 struct kvm_rmap_head *rmap_head;
1527 struct kvm_mmu_page *sp;
1529 sp = sptep_to_sp(spte);
1531 rmap_head = gfn_to_rmap(vcpu->kvm, gfn, sp);
1533 kvm_unmap_rmapp(vcpu->kvm, rmap_head, NULL, gfn, sp->role.level, 0);
1534 kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
1535 KVM_PAGES_PER_HPAGE(sp->role.level));
1538 int kvm_age_hva(struct kvm *kvm, unsigned long start, unsigned long end)
1542 young = kvm_handle_hva_range(kvm, start, end, 0, kvm_age_rmapp);
1543 if (is_tdp_mmu_enabled(kvm))
1544 young |= kvm_tdp_mmu_age_hva_range(kvm, start, end);
1549 int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
1553 young = kvm_handle_hva(kvm, hva, 0, kvm_test_age_rmapp);
1554 if (is_tdp_mmu_enabled(kvm))
1555 young |= kvm_tdp_mmu_test_age_hva(kvm, hva);
1561 static int is_empty_shadow_page(u64 *spt)
1566 for (pos = spt, end = pos + PAGE_SIZE / sizeof(u64); pos != end; pos++)
1567 if (is_shadow_present_pte(*pos)) {
1568 printk(KERN_ERR "%s: %p %llx\n", __func__,
1577 * This value is the sum of all of the kvm instances's
1578 * kvm->arch.n_used_mmu_pages values. We need a global,
1579 * aggregate version in order to make the slab shrinker
1582 static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
1584 kvm->arch.n_used_mmu_pages += nr;
1585 percpu_counter_add(&kvm_total_used_mmu_pages, nr);
1588 static void kvm_mmu_free_page(struct kvm_mmu_page *sp)
1590 MMU_WARN_ON(!is_empty_shadow_page(sp->spt));
1591 hlist_del(&sp->hash_link);
1592 list_del(&sp->link);
1593 free_page((unsigned long)sp->spt);
1594 if (!sp->role.direct)
1595 free_page((unsigned long)sp->gfns);
1596 kmem_cache_free(mmu_page_header_cache, sp);
1599 static unsigned kvm_page_table_hashfn(gfn_t gfn)
1601 return hash_64(gfn, KVM_MMU_HASH_SHIFT);
1604 static void mmu_page_add_parent_pte(struct kvm_vcpu *vcpu,
1605 struct kvm_mmu_page *sp, u64 *parent_pte)
1610 pte_list_add(vcpu, parent_pte, &sp->parent_ptes);
1613 static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp,
1616 __pte_list_remove(parent_pte, &sp->parent_ptes);
1619 static void drop_parent_pte(struct kvm_mmu_page *sp,
1622 mmu_page_remove_parent_pte(sp, parent_pte);
1623 mmu_spte_clear_no_track(parent_pte);
1626 static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu, int direct)
1628 struct kvm_mmu_page *sp;
1630 sp = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);
1631 sp->spt = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_shadow_page_cache);
1633 sp->gfns = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_gfn_array_cache);
1634 set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
1637 * active_mmu_pages must be a FIFO list, as kvm_zap_obsolete_pages()
1638 * depends on valid pages being added to the head of the list. See
1639 * comments in kvm_zap_obsolete_pages().
1641 sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen;
1642 list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
1643 kvm_mod_used_mmu_pages(vcpu->kvm, +1);
1647 static void mark_unsync(u64 *spte);
1648 static void kvm_mmu_mark_parents_unsync(struct kvm_mmu_page *sp)
1651 struct rmap_iterator iter;
1653 for_each_rmap_spte(&sp->parent_ptes, &iter, sptep) {
1658 static void mark_unsync(u64 *spte)
1660 struct kvm_mmu_page *sp;
1663 sp = sptep_to_sp(spte);
1664 index = spte - sp->spt;
1665 if (__test_and_set_bit(index, sp->unsync_child_bitmap))
1667 if (sp->unsync_children++)
1669 kvm_mmu_mark_parents_unsync(sp);
1672 static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
1673 struct kvm_mmu_page *sp)
1678 #define KVM_PAGE_ARRAY_NR 16
1680 struct kvm_mmu_pages {
1681 struct mmu_page_and_offset {
1682 struct kvm_mmu_page *sp;
1684 } page[KVM_PAGE_ARRAY_NR];
1688 static int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
1694 for (i=0; i < pvec->nr; i++)
1695 if (pvec->page[i].sp == sp)
1698 pvec->page[pvec->nr].sp = sp;
1699 pvec->page[pvec->nr].idx = idx;
1701 return (pvec->nr == KVM_PAGE_ARRAY_NR);
1704 static inline void clear_unsync_child_bit(struct kvm_mmu_page *sp, int idx)
1706 --sp->unsync_children;
1707 WARN_ON((int)sp->unsync_children < 0);
1708 __clear_bit(idx, sp->unsync_child_bitmap);
1711 static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
1712 struct kvm_mmu_pages *pvec)
1714 int i, ret, nr_unsync_leaf = 0;
1716 for_each_set_bit(i, sp->unsync_child_bitmap, 512) {
1717 struct kvm_mmu_page *child;
1718 u64 ent = sp->spt[i];
1720 if (!is_shadow_present_pte(ent) || is_large_pte(ent)) {
1721 clear_unsync_child_bit(sp, i);
1725 child = to_shadow_page(ent & PT64_BASE_ADDR_MASK);
1727 if (child->unsync_children) {
1728 if (mmu_pages_add(pvec, child, i))
1731 ret = __mmu_unsync_walk(child, pvec);
1733 clear_unsync_child_bit(sp, i);
1735 } else if (ret > 0) {
1736 nr_unsync_leaf += ret;
1739 } else if (child->unsync) {
1741 if (mmu_pages_add(pvec, child, i))
1744 clear_unsync_child_bit(sp, i);
1747 return nr_unsync_leaf;
1750 #define INVALID_INDEX (-1)
1752 static int mmu_unsync_walk(struct kvm_mmu_page *sp,
1753 struct kvm_mmu_pages *pvec)
1756 if (!sp->unsync_children)
1759 mmu_pages_add(pvec, sp, INVALID_INDEX);
1760 return __mmu_unsync_walk(sp, pvec);
1763 static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1765 WARN_ON(!sp->unsync);
1766 trace_kvm_mmu_sync_page(sp);
1768 --kvm->stat.mmu_unsync;
1771 static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
1772 struct list_head *invalid_list);
1773 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
1774 struct list_head *invalid_list);
1776 #define for_each_valid_sp(_kvm, _sp, _list) \
1777 hlist_for_each_entry(_sp, _list, hash_link) \
1778 if (is_obsolete_sp((_kvm), (_sp))) { \
1781 #define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn) \
1782 for_each_valid_sp(_kvm, _sp, \
1783 &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)]) \
1784 if ((_sp)->gfn != (_gfn) || (_sp)->role.direct) {} else
1786 static inline bool is_ept_sp(struct kvm_mmu_page *sp)
1788 return sp->role.cr0_wp && sp->role.smap_andnot_wp;
1791 /* @sp->gfn should be write-protected at the call site */
1792 static bool __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
1793 struct list_head *invalid_list)
1795 if ((!is_ept_sp(sp) && sp->role.gpte_is_8_bytes != !!is_pae(vcpu)) ||
1796 vcpu->arch.mmu->sync_page(vcpu, sp) == 0) {
1797 kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list);
1804 static bool kvm_mmu_remote_flush_or_zap(struct kvm *kvm,
1805 struct list_head *invalid_list,
1808 if (!remote_flush && list_empty(invalid_list))
1811 if (!list_empty(invalid_list))
1812 kvm_mmu_commit_zap_page(kvm, invalid_list);
1814 kvm_flush_remote_tlbs(kvm);
1818 static void kvm_mmu_flush_or_zap(struct kvm_vcpu *vcpu,
1819 struct list_head *invalid_list,
1820 bool remote_flush, bool local_flush)
1822 if (kvm_mmu_remote_flush_or_zap(vcpu->kvm, invalid_list, remote_flush))
1826 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
1829 #ifdef CONFIG_KVM_MMU_AUDIT
1830 #include "mmu_audit.c"
1832 static void kvm_mmu_audit(struct kvm_vcpu *vcpu, int point) { }
1833 static void mmu_audit_disable(void) { }
1836 static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
1838 return sp->role.invalid ||
1839 unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen);
1842 static bool kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
1843 struct list_head *invalid_list)
1845 kvm_unlink_unsync_page(vcpu->kvm, sp);
1846 return __kvm_sync_page(vcpu, sp, invalid_list);
1849 /* @gfn should be write-protected at the call site */
1850 static bool kvm_sync_pages(struct kvm_vcpu *vcpu, gfn_t gfn,
1851 struct list_head *invalid_list)
1853 struct kvm_mmu_page *s;
1856 for_each_gfn_indirect_valid_sp(vcpu->kvm, s, gfn) {
1860 WARN_ON(s->role.level != PG_LEVEL_4K);
1861 ret |= kvm_sync_page(vcpu, s, invalid_list);
1867 struct mmu_page_path {
1868 struct kvm_mmu_page *parent[PT64_ROOT_MAX_LEVEL];
1869 unsigned int idx[PT64_ROOT_MAX_LEVEL];
1872 #define for_each_sp(pvec, sp, parents, i) \
1873 for (i = mmu_pages_first(&pvec, &parents); \
1874 i < pvec.nr && ({ sp = pvec.page[i].sp; 1;}); \
1875 i = mmu_pages_next(&pvec, &parents, i))
1877 static int mmu_pages_next(struct kvm_mmu_pages *pvec,
1878 struct mmu_page_path *parents,
1883 for (n = i+1; n < pvec->nr; n++) {
1884 struct kvm_mmu_page *sp = pvec->page[n].sp;
1885 unsigned idx = pvec->page[n].idx;
1886 int level = sp->role.level;
1888 parents->idx[level-1] = idx;
1889 if (level == PG_LEVEL_4K)
1892 parents->parent[level-2] = sp;
1898 static int mmu_pages_first(struct kvm_mmu_pages *pvec,
1899 struct mmu_page_path *parents)
1901 struct kvm_mmu_page *sp;
1907 WARN_ON(pvec->page[0].idx != INVALID_INDEX);
1909 sp = pvec->page[0].sp;
1910 level = sp->role.level;
1911 WARN_ON(level == PG_LEVEL_4K);
1913 parents->parent[level-2] = sp;
1915 /* Also set up a sentinel. Further entries in pvec are all
1916 * children of sp, so this element is never overwritten.
1918 parents->parent[level-1] = NULL;
1919 return mmu_pages_next(pvec, parents, 0);
1922 static void mmu_pages_clear_parents(struct mmu_page_path *parents)
1924 struct kvm_mmu_page *sp;
1925 unsigned int level = 0;
1928 unsigned int idx = parents->idx[level];
1929 sp = parents->parent[level];
1933 WARN_ON(idx == INVALID_INDEX);
1934 clear_unsync_child_bit(sp, idx);
1936 } while (!sp->unsync_children);
1939 static void mmu_sync_children(struct kvm_vcpu *vcpu,
1940 struct kvm_mmu_page *parent)
1943 struct kvm_mmu_page *sp;
1944 struct mmu_page_path parents;
1945 struct kvm_mmu_pages pages;
1946 LIST_HEAD(invalid_list);
1949 while (mmu_unsync_walk(parent, &pages)) {
1950 bool protected = false;
1952 for_each_sp(pages, sp, parents, i)
1953 protected |= rmap_write_protect(vcpu, sp->gfn);
1956 kvm_flush_remote_tlbs(vcpu->kvm);
1960 for_each_sp(pages, sp, parents, i) {
1961 flush |= kvm_sync_page(vcpu, sp, &invalid_list);
1962 mmu_pages_clear_parents(&parents);
1964 if (need_resched() || rwlock_needbreak(&vcpu->kvm->mmu_lock)) {
1965 kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
1966 cond_resched_rwlock_write(&vcpu->kvm->mmu_lock);
1971 kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
1974 static void __clear_sp_write_flooding_count(struct kvm_mmu_page *sp)
1976 atomic_set(&sp->write_flooding_count, 0);
1979 static void clear_sp_write_flooding_count(u64 *spte)
1981 __clear_sp_write_flooding_count(sptep_to_sp(spte));
1984 static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
1989 unsigned int access)
1991 bool direct_mmu = vcpu->arch.mmu->direct_map;
1992 union kvm_mmu_page_role role;
1993 struct hlist_head *sp_list;
1995 struct kvm_mmu_page *sp;
1996 bool need_sync = false;
1999 LIST_HEAD(invalid_list);
2001 role = vcpu->arch.mmu->mmu_role.base;
2003 role.direct = direct;
2005 role.gpte_is_8_bytes = true;
2006 role.access = access;
2007 if (!direct_mmu && vcpu->arch.mmu->root_level <= PT32_ROOT_LEVEL) {
2008 quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
2009 quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
2010 role.quadrant = quadrant;
2013 sp_list = &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
2014 for_each_valid_sp(vcpu->kvm, sp, sp_list) {
2015 if (sp->gfn != gfn) {
2020 if (!need_sync && sp->unsync)
2023 if (sp->role.word != role.word)
2027 goto trace_get_page;
2030 /* The page is good, but __kvm_sync_page might still end
2031 * up zapping it. If so, break in order to rebuild it.
2033 if (!__kvm_sync_page(vcpu, sp, &invalid_list))
2036 WARN_ON(!list_empty(&invalid_list));
2037 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
2040 if (sp->unsync_children)
2041 kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
2043 __clear_sp_write_flooding_count(sp);
2046 trace_kvm_mmu_get_page(sp, false);
2050 ++vcpu->kvm->stat.mmu_cache_miss;
2052 sp = kvm_mmu_alloc_page(vcpu, direct);
2056 hlist_add_head(&sp->hash_link, sp_list);
2059 * we should do write protection before syncing pages
2060 * otherwise the content of the synced shadow page may
2061 * be inconsistent with guest page table.
2063 account_shadowed(vcpu->kvm, sp);
2064 if (level == PG_LEVEL_4K && rmap_write_protect(vcpu, gfn))
2065 kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn, 1);
2067 if (level > PG_LEVEL_4K && need_sync)
2068 flush |= kvm_sync_pages(vcpu, gfn, &invalid_list);
2070 trace_kvm_mmu_get_page(sp, true);
2072 kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
2074 if (collisions > vcpu->kvm->stat.max_mmu_page_hash_collisions)
2075 vcpu->kvm->stat.max_mmu_page_hash_collisions = collisions;
2079 static void shadow_walk_init_using_root(struct kvm_shadow_walk_iterator *iterator,
2080 struct kvm_vcpu *vcpu, hpa_t root,
2083 iterator->addr = addr;
2084 iterator->shadow_addr = root;
2085 iterator->level = vcpu->arch.mmu->shadow_root_level;
2087 if (iterator->level == PT64_ROOT_4LEVEL &&
2088 vcpu->arch.mmu->root_level < PT64_ROOT_4LEVEL &&
2089 !vcpu->arch.mmu->direct_map)
2092 if (iterator->level == PT32E_ROOT_LEVEL) {
2094 * prev_root is currently only used for 64-bit hosts. So only
2095 * the active root_hpa is valid here.
2097 BUG_ON(root != vcpu->arch.mmu->root_hpa);
2099 iterator->shadow_addr
2100 = vcpu->arch.mmu->pae_root[(addr >> 30) & 3];
2101 iterator->shadow_addr &= PT64_BASE_ADDR_MASK;
2103 if (!iterator->shadow_addr)
2104 iterator->level = 0;
2108 static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
2109 struct kvm_vcpu *vcpu, u64 addr)
2111 shadow_walk_init_using_root(iterator, vcpu, vcpu->arch.mmu->root_hpa,
2115 static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
2117 if (iterator->level < PG_LEVEL_4K)
2120 iterator->index = SHADOW_PT_INDEX(iterator->addr, iterator->level);
2121 iterator->sptep = ((u64 *)__va(iterator->shadow_addr)) + iterator->index;
2125 static void __shadow_walk_next(struct kvm_shadow_walk_iterator *iterator,
2128 if (is_last_spte(spte, iterator->level)) {
2129 iterator->level = 0;
2133 iterator->shadow_addr = spte & PT64_BASE_ADDR_MASK;
2137 static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
2139 __shadow_walk_next(iterator, *iterator->sptep);
2142 static void link_shadow_page(struct kvm_vcpu *vcpu, u64 *sptep,
2143 struct kvm_mmu_page *sp)
2147 BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
2149 spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
2151 mmu_spte_set(sptep, spte);
2153 mmu_page_add_parent_pte(vcpu, sp, sptep);
2155 if (sp->unsync_children || sp->unsync)
2159 static void validate_direct_spte(struct kvm_vcpu *vcpu, u64 *sptep,
2160 unsigned direct_access)
2162 if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep)) {
2163 struct kvm_mmu_page *child;
2166 * For the direct sp, if the guest pte's dirty bit
2167 * changed form clean to dirty, it will corrupt the
2168 * sp's access: allow writable in the read-only sp,
2169 * so we should update the spte at this point to get
2170 * a new sp with the correct access.
2172 child = to_shadow_page(*sptep & PT64_BASE_ADDR_MASK);
2173 if (child->role.access == direct_access)
2176 drop_parent_pte(child, sptep);
2177 kvm_flush_remote_tlbs_with_address(vcpu->kvm, child->gfn, 1);
2181 /* Returns the number of zapped non-leaf child shadow pages. */
2182 static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
2183 u64 *spte, struct list_head *invalid_list)
2186 struct kvm_mmu_page *child;
2189 if (is_shadow_present_pte(pte)) {
2190 if (is_last_spte(pte, sp->role.level)) {
2191 drop_spte(kvm, spte);
2192 if (is_large_pte(pte))
2195 child = to_shadow_page(pte & PT64_BASE_ADDR_MASK);
2196 drop_parent_pte(child, spte);
2199 * Recursively zap nested TDP SPs, parentless SPs are
2200 * unlikely to be used again in the near future. This
2201 * avoids retaining a large number of stale nested SPs.
2203 if (tdp_enabled && invalid_list &&
2204 child->role.guest_mode && !child->parent_ptes.val)
2205 return kvm_mmu_prepare_zap_page(kvm, child,
2208 } else if (is_mmio_spte(pte)) {
2209 mmu_spte_clear_no_track(spte);
2214 static int kvm_mmu_page_unlink_children(struct kvm *kvm,
2215 struct kvm_mmu_page *sp,
2216 struct list_head *invalid_list)
2221 for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
2222 zapped += mmu_page_zap_pte(kvm, sp, sp->spt + i, invalid_list);
2227 static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
2230 struct rmap_iterator iter;
2232 while ((sptep = rmap_get_first(&sp->parent_ptes, &iter)))
2233 drop_parent_pte(sp, sptep);
2236 static int mmu_zap_unsync_children(struct kvm *kvm,
2237 struct kvm_mmu_page *parent,
2238 struct list_head *invalid_list)
2241 struct mmu_page_path parents;
2242 struct kvm_mmu_pages pages;
2244 if (parent->role.level == PG_LEVEL_4K)
2247 while (mmu_unsync_walk(parent, &pages)) {
2248 struct kvm_mmu_page *sp;
2250 for_each_sp(pages, sp, parents, i) {
2251 kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
2252 mmu_pages_clear_parents(&parents);
2260 static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
2261 struct kvm_mmu_page *sp,
2262 struct list_head *invalid_list,
2267 trace_kvm_mmu_prepare_zap_page(sp);
2268 ++kvm->stat.mmu_shadow_zapped;
2269 *nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
2270 *nr_zapped += kvm_mmu_page_unlink_children(kvm, sp, invalid_list);
2271 kvm_mmu_unlink_parents(kvm, sp);
2273 /* Zapping children means active_mmu_pages has become unstable. */
2274 list_unstable = *nr_zapped;
2276 if (!sp->role.invalid && !sp->role.direct)
2277 unaccount_shadowed(kvm, sp);
2280 kvm_unlink_unsync_page(kvm, sp);
2281 if (!sp->root_count) {
2286 * Already invalid pages (previously active roots) are not on
2287 * the active page list. See list_del() in the "else" case of
2290 if (sp->role.invalid)
2291 list_add(&sp->link, invalid_list);
2293 list_move(&sp->link, invalid_list);
2294 kvm_mod_used_mmu_pages(kvm, -1);
2297 * Remove the active root from the active page list, the root
2298 * will be explicitly freed when the root_count hits zero.
2300 list_del(&sp->link);
2303 * Obsolete pages cannot be used on any vCPUs, see the comment
2304 * in kvm_mmu_zap_all_fast(). Note, is_obsolete_sp() also
2305 * treats invalid shadow pages as being obsolete.
2307 if (!is_obsolete_sp(kvm, sp))
2308 kvm_reload_remote_mmus(kvm);
2311 if (sp->lpage_disallowed)
2312 unaccount_huge_nx_page(kvm, sp);
2314 sp->role.invalid = 1;
2315 return list_unstable;
2318 static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
2319 struct list_head *invalid_list)
2323 __kvm_mmu_prepare_zap_page(kvm, sp, invalid_list, &nr_zapped);
2327 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
2328 struct list_head *invalid_list)
2330 struct kvm_mmu_page *sp, *nsp;
2332 if (list_empty(invalid_list))
2336 * We need to make sure everyone sees our modifications to
2337 * the page tables and see changes to vcpu->mode here. The barrier
2338 * in the kvm_flush_remote_tlbs() achieves this. This pairs
2339 * with vcpu_enter_guest and walk_shadow_page_lockless_begin/end.
2341 * In addition, kvm_flush_remote_tlbs waits for all vcpus to exit
2342 * guest mode and/or lockless shadow page table walks.
2344 kvm_flush_remote_tlbs(kvm);
2346 list_for_each_entry_safe(sp, nsp, invalid_list, link) {
2347 WARN_ON(!sp->role.invalid || sp->root_count);
2348 kvm_mmu_free_page(sp);
2352 static unsigned long kvm_mmu_zap_oldest_mmu_pages(struct kvm *kvm,
2353 unsigned long nr_to_zap)
2355 unsigned long total_zapped = 0;
2356 struct kvm_mmu_page *sp, *tmp;
2357 LIST_HEAD(invalid_list);
2361 if (list_empty(&kvm->arch.active_mmu_pages))
2365 list_for_each_entry_safe_reverse(sp, tmp, &kvm->arch.active_mmu_pages, link) {
2367 * Don't zap active root pages, the page itself can't be freed
2368 * and zapping it will just force vCPUs to realloc and reload.
2373 unstable = __kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list,
2375 total_zapped += nr_zapped;
2376 if (total_zapped >= nr_to_zap)
2383 kvm_mmu_commit_zap_page(kvm, &invalid_list);
2385 kvm->stat.mmu_recycled += total_zapped;
2386 return total_zapped;
2389 static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
2391 if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
2392 return kvm->arch.n_max_mmu_pages -
2393 kvm->arch.n_used_mmu_pages;
2398 static int make_mmu_pages_available(struct kvm_vcpu *vcpu)
2400 unsigned long avail = kvm_mmu_available_pages(vcpu->kvm);
2402 if (likely(avail >= KVM_MIN_FREE_MMU_PAGES))
2405 kvm_mmu_zap_oldest_mmu_pages(vcpu->kvm, KVM_REFILL_PAGES - avail);
2408 * Note, this check is intentionally soft, it only guarantees that one
2409 * page is available, while the caller may end up allocating as many as
2410 * four pages, e.g. for PAE roots or for 5-level paging. Temporarily
2411 * exceeding the (arbitrary by default) limit will not harm the host,
2412 * being too agressive may unnecessarily kill the guest, and getting an
2413 * exact count is far more trouble than it's worth, especially in the
2416 if (!kvm_mmu_available_pages(vcpu->kvm))
2422 * Changing the number of mmu pages allocated to the vm
2423 * Note: if goal_nr_mmu_pages is too small, you will get dead lock
2425 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
2427 write_lock(&kvm->mmu_lock);
2429 if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
2430 kvm_mmu_zap_oldest_mmu_pages(kvm, kvm->arch.n_used_mmu_pages -
2433 goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
2436 kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;
2438 write_unlock(&kvm->mmu_lock);
2441 int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
2443 struct kvm_mmu_page *sp;
2444 LIST_HEAD(invalid_list);
2447 pgprintk("%s: looking for gfn %llx\n", __func__, gfn);
2449 write_lock(&kvm->mmu_lock);
2450 for_each_gfn_indirect_valid_sp(kvm, sp, gfn) {
2451 pgprintk("%s: gfn %llx role %x\n", __func__, gfn,
2454 kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
2456 kvm_mmu_commit_zap_page(kvm, &invalid_list);
2457 write_unlock(&kvm->mmu_lock);
2462 static int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
2467 if (vcpu->arch.mmu->direct_map)
2470 gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, NULL);
2472 r = kvm_mmu_unprotect_page(vcpu->kvm, gpa >> PAGE_SHIFT);
2477 static void kvm_unsync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
2479 trace_kvm_mmu_unsync_page(sp);
2480 ++vcpu->kvm->stat.mmu_unsync;
2483 kvm_mmu_mark_parents_unsync(sp);
2486 bool mmu_need_write_protect(struct kvm_vcpu *vcpu, gfn_t gfn,
2489 struct kvm_mmu_page *sp;
2491 if (kvm_page_track_is_active(vcpu, gfn, KVM_PAGE_TRACK_WRITE))
2494 for_each_gfn_indirect_valid_sp(vcpu->kvm, sp, gfn) {
2501 WARN_ON(sp->role.level != PG_LEVEL_4K);
2502 kvm_unsync_page(vcpu, sp);
2506 * We need to ensure that the marking of unsync pages is visible
2507 * before the SPTE is updated to allow writes because
2508 * kvm_mmu_sync_roots() checks the unsync flags without holding
2509 * the MMU lock and so can race with this. If the SPTE was updated
2510 * before the page had been marked as unsync-ed, something like the
2511 * following could happen:
2514 * ---------------------------------------------------------------------
2515 * 1.2 Host updates SPTE
2517 * 2.1 Guest writes a GPTE for GVA X.
2518 * (GPTE being in the guest page table shadowed
2519 * by the SP from CPU 1.)
2520 * This reads SPTE during the page table walk.
2521 * Since SPTE.W is read as 1, there is no
2524 * 2.2 Guest issues TLB flush.
2525 * That causes a VM Exit.
2527 * 2.3 kvm_mmu_sync_pages() reads sp->unsync.
2528 * Since it is false, so it just returns.
2530 * 2.4 Guest accesses GVA X.
2531 * Since the mapping in the SP was not updated,
2532 * so the old mapping for GVA X incorrectly
2536 * (sp->unsync = true)
2538 * The write barrier below ensures that 1.1 happens before 1.2 and thus
2539 * the situation in 2.4 does not arise. The implicit barrier in 2.2
2540 * pairs with this write barrier.
2547 static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
2548 unsigned int pte_access, int level,
2549 gfn_t gfn, kvm_pfn_t pfn, bool speculative,
2550 bool can_unsync, bool host_writable)
2553 struct kvm_mmu_page *sp;
2556 sp = sptep_to_sp(sptep);
2558 ret = make_spte(vcpu, pte_access, level, gfn, pfn, *sptep, speculative,
2559 can_unsync, host_writable, sp_ad_disabled(sp), &spte);
2561 if (spte & PT_WRITABLE_MASK)
2562 kvm_vcpu_mark_page_dirty(vcpu, gfn);
2565 ret |= SET_SPTE_SPURIOUS;
2566 else if (mmu_spte_update(sptep, spte))
2567 ret |= SET_SPTE_NEED_REMOTE_TLB_FLUSH;
2571 static int mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
2572 unsigned int pte_access, bool write_fault, int level,
2573 gfn_t gfn, kvm_pfn_t pfn, bool speculative,
2576 int was_rmapped = 0;
2579 int ret = RET_PF_FIXED;
2582 pgprintk("%s: spte %llx write_fault %d gfn %llx\n", __func__,
2583 *sptep, write_fault, gfn);
2585 if (unlikely(is_noslot_pfn(pfn))) {
2586 mark_mmio_spte(vcpu, sptep, gfn, pte_access);
2587 return RET_PF_EMULATE;
2590 if (is_shadow_present_pte(*sptep)) {
2592 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
2593 * the parent of the now unreachable PTE.
2595 if (level > PG_LEVEL_4K && !is_large_pte(*sptep)) {
2596 struct kvm_mmu_page *child;
2599 child = to_shadow_page(pte & PT64_BASE_ADDR_MASK);
2600 drop_parent_pte(child, sptep);
2602 } else if (pfn != spte_to_pfn(*sptep)) {
2603 pgprintk("hfn old %llx new %llx\n",
2604 spte_to_pfn(*sptep), pfn);
2605 drop_spte(vcpu->kvm, sptep);
2611 set_spte_ret = set_spte(vcpu, sptep, pte_access, level, gfn, pfn,
2612 speculative, true, host_writable);
2613 if (set_spte_ret & SET_SPTE_WRITE_PROTECTED_PT) {
2615 ret = RET_PF_EMULATE;
2616 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
2619 if (set_spte_ret & SET_SPTE_NEED_REMOTE_TLB_FLUSH || flush)
2620 kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
2621 KVM_PAGES_PER_HPAGE(level));
2624 * The fault is fully spurious if and only if the new SPTE and old SPTE
2625 * are identical, and emulation is not required.
2627 if ((set_spte_ret & SET_SPTE_SPURIOUS) && ret == RET_PF_FIXED) {
2628 WARN_ON_ONCE(!was_rmapped);
2629 return RET_PF_SPURIOUS;
2632 pgprintk("%s: setting spte %llx\n", __func__, *sptep);
2633 trace_kvm_mmu_set_spte(level, gfn, sptep);
2634 if (!was_rmapped && is_large_pte(*sptep))
2635 ++vcpu->kvm->stat.lpages;
2637 if (is_shadow_present_pte(*sptep)) {
2639 rmap_count = rmap_add(vcpu, sptep, gfn);
2640 if (rmap_count > RMAP_RECYCLE_THRESHOLD)
2641 rmap_recycle(vcpu, sptep, gfn);
2648 static kvm_pfn_t pte_prefetch_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn,
2651 struct kvm_memory_slot *slot;
2653 slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, no_dirty_log);
2655 return KVM_PFN_ERR_FAULT;
2657 return gfn_to_pfn_memslot_atomic(slot, gfn);
2660 static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
2661 struct kvm_mmu_page *sp,
2662 u64 *start, u64 *end)
2664 struct page *pages[PTE_PREFETCH_NUM];
2665 struct kvm_memory_slot *slot;
2666 unsigned int access = sp->role.access;
2670 gfn = kvm_mmu_page_get_gfn(sp, start - sp->spt);
2671 slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, access & ACC_WRITE_MASK);
2675 ret = gfn_to_page_many_atomic(slot, gfn, pages, end - start);
2679 for (i = 0; i < ret; i++, gfn++, start++) {
2680 mmu_set_spte(vcpu, start, access, false, sp->role.level, gfn,
2681 page_to_pfn(pages[i]), true, true);
2688 static void __direct_pte_prefetch(struct kvm_vcpu *vcpu,
2689 struct kvm_mmu_page *sp, u64 *sptep)
2691 u64 *spte, *start = NULL;
2694 WARN_ON(!sp->role.direct);
2696 i = (sptep - sp->spt) & ~(PTE_PREFETCH_NUM - 1);
2699 for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
2700 if (is_shadow_present_pte(*spte) || spte == sptep) {
2703 if (direct_pte_prefetch_many(vcpu, sp, start, spte) < 0)
2711 static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
2713 struct kvm_mmu_page *sp;
2715 sp = sptep_to_sp(sptep);
2718 * Without accessed bits, there's no way to distinguish between
2719 * actually accessed translations and prefetched, so disable pte
2720 * prefetch if accessed bits aren't available.
2722 if (sp_ad_disabled(sp))
2725 if (sp->role.level > PG_LEVEL_4K)
2729 * If addresses are being invalidated, skip prefetching to avoid
2730 * accidentally prefetching those addresses.
2732 if (unlikely(vcpu->kvm->mmu_notifier_count))
2735 __direct_pte_prefetch(vcpu, sp, sptep);
2738 static int host_pfn_mapping_level(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
2739 struct kvm_memory_slot *slot)
2745 if (!PageCompound(pfn_to_page(pfn)) && !kvm_is_zone_device_pfn(pfn))
2749 * Note, using the already-retrieved memslot and __gfn_to_hva_memslot()
2750 * is not solely for performance, it's also necessary to avoid the
2751 * "writable" check in __gfn_to_hva_many(), which will always fail on
2752 * read-only memslots due to gfn_to_hva() assuming writes. Earlier
2753 * page fault steps have already verified the guest isn't writing a
2754 * read-only memslot.
2756 hva = __gfn_to_hva_memslot(slot, gfn);
2758 pte = lookup_address_in_mm(kvm->mm, hva, &level);
2765 int kvm_mmu_max_mapping_level(struct kvm *kvm, struct kvm_memory_slot *slot,
2766 gfn_t gfn, kvm_pfn_t pfn, int max_level)
2768 struct kvm_lpage_info *linfo;
2770 max_level = min(max_level, max_huge_page_level);
2771 for ( ; max_level > PG_LEVEL_4K; max_level--) {
2772 linfo = lpage_info_slot(gfn, slot, max_level);
2773 if (!linfo->disallow_lpage)
2777 if (max_level == PG_LEVEL_4K)
2780 return host_pfn_mapping_level(kvm, gfn, pfn, slot);
2783 int kvm_mmu_hugepage_adjust(struct kvm_vcpu *vcpu, gfn_t gfn,
2784 int max_level, kvm_pfn_t *pfnp,
2785 bool huge_page_disallowed, int *req_level)
2787 struct kvm_memory_slot *slot;
2788 kvm_pfn_t pfn = *pfnp;
2792 *req_level = PG_LEVEL_4K;
2794 if (unlikely(max_level == PG_LEVEL_4K))
2797 if (is_error_noslot_pfn(pfn) || kvm_is_reserved_pfn(pfn))
2800 slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, true);
2804 level = kvm_mmu_max_mapping_level(vcpu->kvm, slot, gfn, pfn, max_level);
2805 if (level == PG_LEVEL_4K)
2808 *req_level = level = min(level, max_level);
2811 * Enforce the iTLB multihit workaround after capturing the requested
2812 * level, which will be used to do precise, accurate accounting.
2814 if (huge_page_disallowed)
2818 * mmu_notifier_retry() was successful and mmu_lock is held, so
2819 * the pmd can't be split from under us.
2821 mask = KVM_PAGES_PER_HPAGE(level) - 1;
2822 VM_BUG_ON((gfn & mask) != (pfn & mask));
2823 *pfnp = pfn & ~mask;
2828 void disallowed_hugepage_adjust(u64 spte, gfn_t gfn, int cur_level,
2829 kvm_pfn_t *pfnp, int *goal_levelp)
2831 int level = *goal_levelp;
2833 if (cur_level == level && level > PG_LEVEL_4K &&
2834 is_shadow_present_pte(spte) &&
2835 !is_large_pte(spte)) {
2837 * A small SPTE exists for this pfn, but FNAME(fetch)
2838 * and __direct_map would like to create a large PTE
2839 * instead: just force them to go down another level,
2840 * patching back for them into pfn the next 9 bits of
2843 u64 page_mask = KVM_PAGES_PER_HPAGE(level) -
2844 KVM_PAGES_PER_HPAGE(level - 1);
2845 *pfnp |= gfn & page_mask;
2850 static int __direct_map(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
2851 int map_writable, int max_level, kvm_pfn_t pfn,
2852 bool prefault, bool is_tdp)
2854 bool nx_huge_page_workaround_enabled = is_nx_huge_page_enabled();
2855 bool write = error_code & PFERR_WRITE_MASK;
2856 bool exec = error_code & PFERR_FETCH_MASK;
2857 bool huge_page_disallowed = exec && nx_huge_page_workaround_enabled;
2858 struct kvm_shadow_walk_iterator it;
2859 struct kvm_mmu_page *sp;
2860 int level, req_level, ret;
2861 gfn_t gfn = gpa >> PAGE_SHIFT;
2862 gfn_t base_gfn = gfn;
2864 if (WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root_hpa)))
2865 return RET_PF_RETRY;
2867 level = kvm_mmu_hugepage_adjust(vcpu, gfn, max_level, &pfn,
2868 huge_page_disallowed, &req_level);
2870 trace_kvm_mmu_spte_requested(gpa, level, pfn);
2871 for_each_shadow_entry(vcpu, gpa, it) {
2873 * We cannot overwrite existing page tables with an NX
2874 * large page, as the leaf could be executable.
2876 if (nx_huge_page_workaround_enabled)
2877 disallowed_hugepage_adjust(*it.sptep, gfn, it.level,
2880 base_gfn = gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
2881 if (it.level == level)
2884 drop_large_spte(vcpu, it.sptep);
2885 if (!is_shadow_present_pte(*it.sptep)) {
2886 sp = kvm_mmu_get_page(vcpu, base_gfn, it.addr,
2887 it.level - 1, true, ACC_ALL);
2889 link_shadow_page(vcpu, it.sptep, sp);
2890 if (is_tdp && huge_page_disallowed &&
2891 req_level >= it.level)
2892 account_huge_nx_page(vcpu->kvm, sp);
2896 ret = mmu_set_spte(vcpu, it.sptep, ACC_ALL,
2897 write, level, base_gfn, pfn, prefault,
2899 if (ret == RET_PF_SPURIOUS)
2902 direct_pte_prefetch(vcpu, it.sptep);
2903 ++vcpu->stat.pf_fixed;
2907 static void kvm_send_hwpoison_signal(unsigned long address, struct task_struct *tsk)
2909 send_sig_mceerr(BUS_MCEERR_AR, (void __user *)address, PAGE_SHIFT, tsk);
2912 static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn)
2915 * Do not cache the mmio info caused by writing the readonly gfn
2916 * into the spte otherwise read access on readonly gfn also can
2917 * caused mmio page fault and treat it as mmio access.
2919 if (pfn == KVM_PFN_ERR_RO_FAULT)
2920 return RET_PF_EMULATE;
2922 if (pfn == KVM_PFN_ERR_HWPOISON) {
2923 kvm_send_hwpoison_signal(kvm_vcpu_gfn_to_hva(vcpu, gfn), current);
2924 return RET_PF_RETRY;
2930 static bool handle_abnormal_pfn(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn,
2931 kvm_pfn_t pfn, unsigned int access,
2934 /* The pfn is invalid, report the error! */
2935 if (unlikely(is_error_pfn(pfn))) {
2936 *ret_val = kvm_handle_bad_page(vcpu, gfn, pfn);
2940 if (unlikely(is_noslot_pfn(pfn))) {
2941 vcpu_cache_mmio_info(vcpu, gva, gfn,
2942 access & shadow_mmio_access_mask);
2944 * If MMIO caching is disabled, emulate immediately without
2945 * touching the shadow page tables as attempting to install an
2946 * MMIO SPTE will just be an expensive nop.
2948 if (unlikely(!shadow_mmio_value)) {
2949 *ret_val = RET_PF_EMULATE;
2957 static bool page_fault_can_be_fast(u32 error_code)
2960 * Do not fix the mmio spte with invalid generation number which
2961 * need to be updated by slow page fault path.
2963 if (unlikely(error_code & PFERR_RSVD_MASK))
2966 /* See if the page fault is due to an NX violation */
2967 if (unlikely(((error_code & (PFERR_FETCH_MASK | PFERR_PRESENT_MASK))
2968 == (PFERR_FETCH_MASK | PFERR_PRESENT_MASK))))
2972 * #PF can be fast if:
2973 * 1. The shadow page table entry is not present, which could mean that
2974 * the fault is potentially caused by access tracking (if enabled).
2975 * 2. The shadow page table entry is present and the fault
2976 * is caused by write-protect, that means we just need change the W
2977 * bit of the spte which can be done out of mmu-lock.
2979 * However, if access tracking is disabled we know that a non-present
2980 * page must be a genuine page fault where we have to create a new SPTE.
2981 * So, if access tracking is disabled, we return true only for write
2982 * accesses to a present page.
2985 return shadow_acc_track_mask != 0 ||
2986 ((error_code & (PFERR_WRITE_MASK | PFERR_PRESENT_MASK))
2987 == (PFERR_WRITE_MASK | PFERR_PRESENT_MASK));
2991 * Returns true if the SPTE was fixed successfully. Otherwise,
2992 * someone else modified the SPTE from its original value.
2995 fast_pf_fix_direct_spte(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
2996 u64 *sptep, u64 old_spte, u64 new_spte)
3000 WARN_ON(!sp->role.direct);
3003 * Theoretically we could also set dirty bit (and flush TLB) here in
3004 * order to eliminate unnecessary PML logging. See comments in
3005 * set_spte. But fast_page_fault is very unlikely to happen with PML
3006 * enabled, so we do not do this. This might result in the same GPA
3007 * to be logged in PML buffer again when the write really happens, and
3008 * eventually to be called by mark_page_dirty twice. But it's also no
3009 * harm. This also avoids the TLB flush needed after setting dirty bit
3010 * so non-PML cases won't be impacted.
3012 * Compare with set_spte where instead shadow_dirty_mask is set.
3014 if (cmpxchg64(sptep, old_spte, new_spte) != old_spte)
3017 if (is_writable_pte(new_spte) && !is_writable_pte(old_spte)) {
3019 * The gfn of direct spte is stable since it is
3020 * calculated by sp->gfn.
3022 gfn = kvm_mmu_page_get_gfn(sp, sptep - sp->spt);
3023 kvm_vcpu_mark_page_dirty(vcpu, gfn);
3029 static bool is_access_allowed(u32 fault_err_code, u64 spte)
3031 if (fault_err_code & PFERR_FETCH_MASK)
3032 return is_executable_pte(spte);
3034 if (fault_err_code & PFERR_WRITE_MASK)
3035 return is_writable_pte(spte);
3037 /* Fault was on Read access */
3038 return spte & PT_PRESENT_MASK;
3042 * Returns one of RET_PF_INVALID, RET_PF_FIXED or RET_PF_SPURIOUS.
3044 static int fast_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
3047 struct kvm_shadow_walk_iterator iterator;
3048 struct kvm_mmu_page *sp;
3049 int ret = RET_PF_INVALID;
3051 uint retry_count = 0;
3053 if (!page_fault_can_be_fast(error_code))
3056 walk_shadow_page_lockless_begin(vcpu);
3061 for_each_shadow_entry_lockless(vcpu, cr2_or_gpa, iterator, spte)
3062 if (!is_shadow_present_pte(spte))
3065 if (!is_shadow_present_pte(spte))
3068 sp = sptep_to_sp(iterator.sptep);
3069 if (!is_last_spte(spte, sp->role.level))
3073 * Check whether the memory access that caused the fault would
3074 * still cause it if it were to be performed right now. If not,
3075 * then this is a spurious fault caused by TLB lazily flushed,
3076 * or some other CPU has already fixed the PTE after the
3077 * current CPU took the fault.
3079 * Need not check the access of upper level table entries since
3080 * they are always ACC_ALL.
3082 if (is_access_allowed(error_code, spte)) {
3083 ret = RET_PF_SPURIOUS;
3089 if (is_access_track_spte(spte))
3090 new_spte = restore_acc_track_spte(new_spte);
3093 * Currently, to simplify the code, write-protection can
3094 * be removed in the fast path only if the SPTE was
3095 * write-protected for dirty-logging or access tracking.
3097 if ((error_code & PFERR_WRITE_MASK) &&
3098 spte_can_locklessly_be_made_writable(spte)) {
3099 new_spte |= PT_WRITABLE_MASK;
3102 * Do not fix write-permission on the large spte. Since
3103 * we only dirty the first page into the dirty-bitmap in
3104 * fast_pf_fix_direct_spte(), other pages are missed
3105 * if its slot has dirty logging enabled.
3107 * Instead, we let the slow page fault path create a
3108 * normal spte to fix the access.
3110 * See the comments in kvm_arch_commit_memory_region().
3112 if (sp->role.level > PG_LEVEL_4K)
3116 /* Verify that the fault can be handled in the fast path */
3117 if (new_spte == spte ||
3118 !is_access_allowed(error_code, new_spte))
3122 * Currently, fast page fault only works for direct mapping
3123 * since the gfn is not stable for indirect shadow page. See
3124 * Documentation/virt/kvm/locking.rst to get more detail.
3126 if (fast_pf_fix_direct_spte(vcpu, sp, iterator.sptep, spte,
3132 if (++retry_count > 4) {
3133 printk_once(KERN_WARNING
3134 "kvm: Fast #PF retrying more than 4 times.\n");
3140 trace_fast_page_fault(vcpu, cr2_or_gpa, error_code, iterator.sptep,
3142 walk_shadow_page_lockless_end(vcpu);
3147 static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa,
3148 struct list_head *invalid_list)
3150 struct kvm_mmu_page *sp;
3152 if (!VALID_PAGE(*root_hpa))
3155 sp = to_shadow_page(*root_hpa & PT64_BASE_ADDR_MASK);
3157 if (kvm_mmu_put_root(kvm, sp)) {
3158 if (is_tdp_mmu_page(sp))
3159 kvm_tdp_mmu_free_root(kvm, sp);
3160 else if (sp->role.invalid)
3161 kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
3164 *root_hpa = INVALID_PAGE;
3167 /* roots_to_free must be some combination of the KVM_MMU_ROOT_* flags */
3168 void kvm_mmu_free_roots(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
3169 ulong roots_to_free)
3171 struct kvm *kvm = vcpu->kvm;
3173 LIST_HEAD(invalid_list);
3174 bool free_active_root = roots_to_free & KVM_MMU_ROOT_CURRENT;
3176 BUILD_BUG_ON(KVM_MMU_NUM_PREV_ROOTS >= BITS_PER_LONG);
3178 /* Before acquiring the MMU lock, see if we need to do any real work. */
3179 if (!(free_active_root && VALID_PAGE(mmu->root_hpa))) {
3180 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3181 if ((roots_to_free & KVM_MMU_ROOT_PREVIOUS(i)) &&
3182 VALID_PAGE(mmu->prev_roots[i].hpa))
3185 if (i == KVM_MMU_NUM_PREV_ROOTS)
3189 write_lock(&kvm->mmu_lock);
3191 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3192 if (roots_to_free & KVM_MMU_ROOT_PREVIOUS(i))
3193 mmu_free_root_page(kvm, &mmu->prev_roots[i].hpa,
3196 if (free_active_root) {
3197 if (mmu->shadow_root_level >= PT64_ROOT_4LEVEL &&
3198 (mmu->root_level >= PT64_ROOT_4LEVEL || mmu->direct_map)) {
3199 mmu_free_root_page(kvm, &mmu->root_hpa, &invalid_list);
3200 } else if (mmu->pae_root) {
3201 for (i = 0; i < 4; ++i) {
3202 if (!IS_VALID_PAE_ROOT(mmu->pae_root[i]))
3205 mmu_free_root_page(kvm, &mmu->pae_root[i],
3207 mmu->pae_root[i] = INVALID_PAE_ROOT;
3210 mmu->root_hpa = INVALID_PAGE;
3214 kvm_mmu_commit_zap_page(kvm, &invalid_list);
3215 write_unlock(&kvm->mmu_lock);
3217 EXPORT_SYMBOL_GPL(kvm_mmu_free_roots);
3219 static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn)
3223 if (!kvm_vcpu_is_visible_gfn(vcpu, root_gfn)) {
3224 kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
3231 static hpa_t mmu_alloc_root(struct kvm_vcpu *vcpu, gfn_t gfn, gva_t gva,
3232 u8 level, bool direct)
3234 struct kvm_mmu_page *sp;
3236 sp = kvm_mmu_get_page(vcpu, gfn, gva, level, direct, ACC_ALL);
3239 return __pa(sp->spt);
3242 static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
3244 struct kvm_mmu *mmu = vcpu->arch.mmu;
3245 u8 shadow_root_level = mmu->shadow_root_level;
3249 if (is_tdp_mmu_enabled(vcpu->kvm)) {
3250 root = kvm_tdp_mmu_get_vcpu_root_hpa(vcpu);
3251 mmu->root_hpa = root;
3252 } else if (shadow_root_level >= PT64_ROOT_4LEVEL) {
3253 root = mmu_alloc_root(vcpu, 0, 0, shadow_root_level, true);
3254 mmu->root_hpa = root;
3255 } else if (shadow_root_level == PT32E_ROOT_LEVEL) {
3256 if (WARN_ON_ONCE(!mmu->pae_root))
3259 for (i = 0; i < 4; ++i) {
3260 WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
3262 root = mmu_alloc_root(vcpu, i << (30 - PAGE_SHIFT),
3263 i << 30, PT32_ROOT_LEVEL, true);
3264 mmu->pae_root[i] = root | PT_PRESENT_MASK |
3267 mmu->root_hpa = __pa(mmu->pae_root);
3269 WARN_ONCE(1, "Bad TDP root level = %d\n", shadow_root_level);
3273 /* root_pgd is ignored for direct MMUs. */
3279 static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
3281 struct kvm_mmu *mmu = vcpu->arch.mmu;
3282 u64 pdptrs[4], pm_mask;
3283 gfn_t root_gfn, root_pgd;
3287 root_pgd = mmu->get_guest_pgd(vcpu);
3288 root_gfn = root_pgd >> PAGE_SHIFT;
3290 if (mmu_check_root(vcpu, root_gfn))
3293 if (mmu->root_level == PT32E_ROOT_LEVEL) {
3294 for (i = 0; i < 4; ++i) {
3295 pdptrs[i] = mmu->get_pdptr(vcpu, i);
3296 if (!(pdptrs[i] & PT_PRESENT_MASK))
3299 if (mmu_check_root(vcpu, pdptrs[i] >> PAGE_SHIFT))
3305 * Do we shadow a long mode page table? If so we need to
3306 * write-protect the guests page table root.
3308 if (mmu->root_level >= PT64_ROOT_4LEVEL) {
3309 root = mmu_alloc_root(vcpu, root_gfn, 0,
3310 mmu->shadow_root_level, false);
3311 mmu->root_hpa = root;
3315 if (WARN_ON_ONCE(!mmu->pae_root))
3319 * We shadow a 32 bit page table. This may be a legacy 2-level
3320 * or a PAE 3-level page table. In either case we need to be aware that
3321 * the shadow page table may be a PAE or a long mode page table.
3323 pm_mask = PT_PRESENT_MASK | shadow_me_mask;
3324 if (mmu->shadow_root_level == PT64_ROOT_4LEVEL) {
3325 pm_mask |= PT_ACCESSED_MASK | PT_WRITABLE_MASK | PT_USER_MASK;
3327 if (WARN_ON_ONCE(!mmu->lm_root))
3330 mmu->lm_root[0] = __pa(mmu->pae_root) | pm_mask;
3333 for (i = 0; i < 4; ++i) {
3334 WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
3336 if (mmu->root_level == PT32E_ROOT_LEVEL) {
3337 if (!(pdptrs[i] & PT_PRESENT_MASK)) {
3338 mmu->pae_root[i] = INVALID_PAE_ROOT;
3341 root_gfn = pdptrs[i] >> PAGE_SHIFT;
3344 root = mmu_alloc_root(vcpu, root_gfn, i << 30,
3345 PT32_ROOT_LEVEL, false);
3346 mmu->pae_root[i] = root | pm_mask;
3349 if (mmu->shadow_root_level == PT64_ROOT_4LEVEL)
3350 mmu->root_hpa = __pa(mmu->lm_root);
3352 mmu->root_hpa = __pa(mmu->pae_root);
3355 mmu->root_pgd = root_pgd;
3360 static int mmu_alloc_special_roots(struct kvm_vcpu *vcpu)
3362 struct kvm_mmu *mmu = vcpu->arch.mmu;
3363 u64 *lm_root, *pae_root;
3366 * When shadowing 32-bit or PAE NPT with 64-bit NPT, the PML4 and PDP
3367 * tables are allocated and initialized at root creation as there is no
3368 * equivalent level in the guest's NPT to shadow. Allocate the tables
3369 * on demand, as running a 32-bit L1 VMM on 64-bit KVM is very rare.
3371 if (mmu->direct_map || mmu->root_level >= PT64_ROOT_4LEVEL ||
3372 mmu->shadow_root_level < PT64_ROOT_4LEVEL)
3376 * This mess only works with 4-level paging and needs to be updated to
3377 * work with 5-level paging.
3379 if (WARN_ON_ONCE(mmu->shadow_root_level != PT64_ROOT_4LEVEL))
3382 if (mmu->pae_root && mmu->lm_root)
3386 * The special roots should always be allocated in concert. Yell and
3387 * bail if KVM ends up in a state where only one of the roots is valid.
3389 if (WARN_ON_ONCE(!tdp_enabled || mmu->pae_root || mmu->lm_root))
3393 * Unlike 32-bit NPT, the PDP table doesn't need to be in low mem, and
3394 * doesn't need to be decrypted.
3396 pae_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
3400 lm_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
3402 free_page((unsigned long)pae_root);
3406 mmu->pae_root = pae_root;
3407 mmu->lm_root = lm_root;
3412 void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
3415 struct kvm_mmu_page *sp;
3417 if (vcpu->arch.mmu->direct_map)
3420 if (!VALID_PAGE(vcpu->arch.mmu->root_hpa))
3423 vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
3425 if (vcpu->arch.mmu->root_level >= PT64_ROOT_4LEVEL) {
3426 hpa_t root = vcpu->arch.mmu->root_hpa;
3427 sp = to_shadow_page(root);
3430 * Even if another CPU was marking the SP as unsync-ed
3431 * simultaneously, any guest page table changes are not
3432 * guaranteed to be visible anyway until this VCPU issues a TLB
3433 * flush strictly after those changes are made. We only need to
3434 * ensure that the other CPU sets these flags before any actual
3435 * changes to the page tables are made. The comments in
3436 * mmu_need_write_protect() describe what could go wrong if this
3437 * requirement isn't satisfied.
3439 if (!smp_load_acquire(&sp->unsync) &&
3440 !smp_load_acquire(&sp->unsync_children))
3443 write_lock(&vcpu->kvm->mmu_lock);
3444 kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
3446 mmu_sync_children(vcpu, sp);
3448 kvm_mmu_audit(vcpu, AUDIT_POST_SYNC);
3449 write_unlock(&vcpu->kvm->mmu_lock);
3453 write_lock(&vcpu->kvm->mmu_lock);
3454 kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
3456 for (i = 0; i < 4; ++i) {
3457 hpa_t root = vcpu->arch.mmu->pae_root[i];
3459 if (IS_VALID_PAE_ROOT(root)) {
3460 root &= PT64_BASE_ADDR_MASK;
3461 sp = to_shadow_page(root);
3462 mmu_sync_children(vcpu, sp);
3466 kvm_mmu_audit(vcpu, AUDIT_POST_SYNC);
3467 write_unlock(&vcpu->kvm->mmu_lock);
3470 static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gpa_t vaddr,
3471 u32 access, struct x86_exception *exception)
3474 exception->error_code = 0;
3478 static gpa_t nonpaging_gva_to_gpa_nested(struct kvm_vcpu *vcpu, gpa_t vaddr,
3480 struct x86_exception *exception)
3483 exception->error_code = 0;
3484 return vcpu->arch.nested_mmu.translate_gpa(vcpu, vaddr, access, exception);
3488 __is_rsvd_bits_set(struct rsvd_bits_validate *rsvd_check, u64 pte, int level)
3490 int bit7 = (pte >> 7) & 1;
3492 return pte & rsvd_check->rsvd_bits_mask[bit7][level-1];
3495 static bool __is_bad_mt_xwr(struct rsvd_bits_validate *rsvd_check, u64 pte)
3497 return rsvd_check->bad_mt_xwr & BIT_ULL(pte & 0x3f);
3500 static bool mmio_info_in_cache(struct kvm_vcpu *vcpu, u64 addr, bool direct)
3503 * A nested guest cannot use the MMIO cache if it is using nested
3504 * page tables, because cr2 is a nGPA while the cache stores GPAs.
3506 if (mmu_is_nested(vcpu))
3510 return vcpu_match_mmio_gpa(vcpu, addr);
3512 return vcpu_match_mmio_gva(vcpu, addr);
3516 * Return the level of the lowest level SPTE added to sptes.
3517 * That SPTE may be non-present.
3519 static int get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes, int *root_level)
3521 struct kvm_shadow_walk_iterator iterator;
3525 walk_shadow_page_lockless_begin(vcpu);
3527 for (shadow_walk_init(&iterator, vcpu, addr),
3528 *root_level = iterator.level;
3529 shadow_walk_okay(&iterator);
3530 __shadow_walk_next(&iterator, spte)) {
3531 leaf = iterator.level;
3532 spte = mmu_spte_get_lockless(iterator.sptep);
3536 if (!is_shadow_present_pte(spte))
3540 walk_shadow_page_lockless_end(vcpu);
3545 /* return true if reserved bit(s) are detected on a valid, non-MMIO SPTE. */
3546 static bool get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr, u64 *sptep)
3548 u64 sptes[PT64_ROOT_MAX_LEVEL + 1];
3549 struct rsvd_bits_validate *rsvd_check;
3550 int root, leaf, level;
3551 bool reserved = false;
3553 if (!VALID_PAGE(vcpu->arch.mmu->root_hpa)) {
3558 if (is_tdp_mmu_root(vcpu->kvm, vcpu->arch.mmu->root_hpa))
3559 leaf = kvm_tdp_mmu_get_walk(vcpu, addr, sptes, &root);
3561 leaf = get_walk(vcpu, addr, sptes, &root);
3563 if (unlikely(leaf < 0)) {
3568 *sptep = sptes[leaf];
3571 * Skip reserved bits checks on the terminal leaf if it's not a valid
3572 * SPTE. Note, this also (intentionally) skips MMIO SPTEs, which, by
3573 * design, always have reserved bits set. The purpose of the checks is
3574 * to detect reserved bits on non-MMIO SPTEs. i.e. buggy SPTEs.
3576 if (!is_shadow_present_pte(sptes[leaf]))
3579 rsvd_check = &vcpu->arch.mmu->shadow_zero_check;
3581 for (level = root; level >= leaf; level--)
3583 * Use a bitwise-OR instead of a logical-OR to aggregate the
3584 * reserved bit and EPT's invalid memtype/XWR checks to avoid
3585 * adding a Jcc in the loop.
3587 reserved |= __is_bad_mt_xwr(rsvd_check, sptes[level]) |
3588 __is_rsvd_bits_set(rsvd_check, sptes[level], level);
3591 pr_err("%s: reserved bits set on MMU-present spte, addr 0x%llx, hierarchy:\n",
3593 for (level = root; level >= leaf; level--)
3594 pr_err("------ spte = 0x%llx level = %d, rsvd bits = 0x%llx",
3595 sptes[level], level,
3596 rsvd_check->rsvd_bits_mask[(sptes[level] >> 7) & 1][level-1]);
3602 static int handle_mmio_page_fault(struct kvm_vcpu *vcpu, u64 addr, bool direct)
3607 if (mmio_info_in_cache(vcpu, addr, direct))
3608 return RET_PF_EMULATE;
3610 reserved = get_mmio_spte(vcpu, addr, &spte);
3611 if (WARN_ON(reserved))
3614 if (is_mmio_spte(spte)) {
3615 gfn_t gfn = get_mmio_spte_gfn(spte);
3616 unsigned int access = get_mmio_spte_access(spte);
3618 if (!check_mmio_spte(vcpu, spte))
3619 return RET_PF_INVALID;
3624 trace_handle_mmio_page_fault(addr, gfn, access);
3625 vcpu_cache_mmio_info(vcpu, addr, gfn, access);
3626 return RET_PF_EMULATE;
3630 * If the page table is zapped by other cpus, let CPU fault again on
3633 return RET_PF_RETRY;
3636 static bool page_fault_handle_page_track(struct kvm_vcpu *vcpu,
3637 u32 error_code, gfn_t gfn)
3639 if (unlikely(error_code & PFERR_RSVD_MASK))
3642 if (!(error_code & PFERR_PRESENT_MASK) ||
3643 !(error_code & PFERR_WRITE_MASK))
3647 * guest is writing the page which is write tracked which can
3648 * not be fixed by page fault handler.
3650 if (kvm_page_track_is_active(vcpu, gfn, KVM_PAGE_TRACK_WRITE))
3656 static void shadow_page_table_clear_flood(struct kvm_vcpu *vcpu, gva_t addr)
3658 struct kvm_shadow_walk_iterator iterator;
3661 walk_shadow_page_lockless_begin(vcpu);
3662 for_each_shadow_entry_lockless(vcpu, addr, iterator, spte) {
3663 clear_sp_write_flooding_count(iterator.sptep);
3664 if (!is_shadow_present_pte(spte))
3667 walk_shadow_page_lockless_end(vcpu);
3670 static bool kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
3673 struct kvm_arch_async_pf arch;
3675 arch.token = (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id;
3677 arch.direct_map = vcpu->arch.mmu->direct_map;
3678 arch.cr3 = vcpu->arch.mmu->get_guest_pgd(vcpu);
3680 return kvm_setup_async_pf(vcpu, cr2_or_gpa,
3681 kvm_vcpu_gfn_to_hva(vcpu, gfn), &arch);
3684 static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
3685 gpa_t cr2_or_gpa, kvm_pfn_t *pfn, hva_t *hva,
3686 bool write, bool *writable)
3688 struct kvm_memory_slot *slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
3692 * Retry the page fault if the gfn hit a memslot that is being deleted
3693 * or moved. This ensures any existing SPTEs for the old memslot will
3694 * be zapped before KVM inserts a new MMIO SPTE for the gfn.
3696 if (slot && (slot->flags & KVM_MEMSLOT_INVALID))
3699 /* Don't expose private memslots to L2. */
3700 if (is_guest_mode(vcpu) && !kvm_is_visible_memslot(slot)) {
3701 *pfn = KVM_PFN_NOSLOT;
3707 *pfn = __gfn_to_pfn_memslot(slot, gfn, false, &async,
3708 write, writable, hva);
3710 return false; /* *pfn has correct page already */
3712 if (!prefault && kvm_can_do_async_pf(vcpu)) {
3713 trace_kvm_try_async_get_page(cr2_or_gpa, gfn);
3714 if (kvm_find_async_pf_gfn(vcpu, gfn)) {
3715 trace_kvm_async_pf_doublefault(cr2_or_gpa, gfn);
3716 kvm_make_request(KVM_REQ_APF_HALT, vcpu);
3718 } else if (kvm_arch_setup_async_pf(vcpu, cr2_or_gpa, gfn))
3722 *pfn = __gfn_to_pfn_memslot(slot, gfn, false, NULL,
3723 write, writable, hva);
3727 static int direct_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
3728 bool prefault, int max_level, bool is_tdp)
3730 bool write = error_code & PFERR_WRITE_MASK;
3733 gfn_t gfn = gpa >> PAGE_SHIFT;
3734 unsigned long mmu_seq;
3739 if (page_fault_handle_page_track(vcpu, error_code, gfn))
3740 return RET_PF_EMULATE;
3742 if (!is_tdp_mmu_root(vcpu->kvm, vcpu->arch.mmu->root_hpa)) {
3743 r = fast_page_fault(vcpu, gpa, error_code);
3744 if (r != RET_PF_INVALID)
3748 r = mmu_topup_memory_caches(vcpu, false);
3752 mmu_seq = vcpu->kvm->mmu_notifier_seq;
3755 if (try_async_pf(vcpu, prefault, gfn, gpa, &pfn, &hva,
3756 write, &map_writable))
3757 return RET_PF_RETRY;
3759 if (handle_abnormal_pfn(vcpu, is_tdp ? 0 : gpa, gfn, pfn, ACC_ALL, &r))
3764 if (is_tdp_mmu_root(vcpu->kvm, vcpu->arch.mmu->root_hpa))
3765 read_lock(&vcpu->kvm->mmu_lock);
3767 write_lock(&vcpu->kvm->mmu_lock);
3769 if (!is_noslot_pfn(pfn) && mmu_notifier_retry_hva(vcpu->kvm, mmu_seq, hva))
3771 r = make_mmu_pages_available(vcpu);
3775 if (is_tdp_mmu_root(vcpu->kvm, vcpu->arch.mmu->root_hpa))
3776 r = kvm_tdp_mmu_map(vcpu, gpa, error_code, map_writable, max_level,
3779 r = __direct_map(vcpu, gpa, error_code, map_writable, max_level, pfn,
3783 if (is_tdp_mmu_root(vcpu->kvm, vcpu->arch.mmu->root_hpa))
3784 read_unlock(&vcpu->kvm->mmu_lock);
3786 write_unlock(&vcpu->kvm->mmu_lock);
3787 kvm_release_pfn_clean(pfn);
3791 static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa,
3792 u32 error_code, bool prefault)
3794 pgprintk("%s: gva %lx error %x\n", __func__, gpa, error_code);
3796 /* This path builds a PAE pagetable, we can map 2mb pages at maximum. */
3797 return direct_page_fault(vcpu, gpa & PAGE_MASK, error_code, prefault,
3798 PG_LEVEL_2M, false);
3801 int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
3802 u64 fault_address, char *insn, int insn_len)
3805 u32 flags = vcpu->arch.apf.host_apf_flags;
3807 #ifndef CONFIG_X86_64
3808 /* A 64-bit CR2 should be impossible on 32-bit KVM. */
3809 if (WARN_ON_ONCE(fault_address >> 32))
3813 vcpu->arch.l1tf_flush_l1d = true;
3815 trace_kvm_page_fault(fault_address, error_code);
3817 if (kvm_event_needs_reinjection(vcpu))
3818 kvm_mmu_unprotect_page_virt(vcpu, fault_address);
3819 r = kvm_mmu_page_fault(vcpu, fault_address, error_code, insn,
3821 } else if (flags & KVM_PV_REASON_PAGE_NOT_PRESENT) {
3822 vcpu->arch.apf.host_apf_flags = 0;
3823 local_irq_disable();
3824 kvm_async_pf_task_wait_schedule(fault_address);
3827 WARN_ONCE(1, "Unexpected host async PF flags: %x\n", flags);
3832 EXPORT_SYMBOL_GPL(kvm_handle_page_fault);
3834 int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
3839 for (max_level = KVM_MAX_HUGEPAGE_LEVEL;
3840 max_level > PG_LEVEL_4K;
3842 int page_num = KVM_PAGES_PER_HPAGE(max_level);
3843 gfn_t base = (gpa >> PAGE_SHIFT) & ~(page_num - 1);
3845 if (kvm_mtrr_check_gfn_range_consistency(vcpu, base, page_num))
3849 return direct_page_fault(vcpu, gpa, error_code, prefault,
3853 static void nonpaging_init_context(struct kvm_vcpu *vcpu,
3854 struct kvm_mmu *context)
3856 context->page_fault = nonpaging_page_fault;
3857 context->gva_to_gpa = nonpaging_gva_to_gpa;
3858 context->sync_page = nonpaging_sync_page;
3859 context->invlpg = NULL;
3860 context->root_level = 0;
3861 context->shadow_root_level = PT32E_ROOT_LEVEL;
3862 context->direct_map = true;
3863 context->nx = false;
3866 static inline bool is_root_usable(struct kvm_mmu_root_info *root, gpa_t pgd,
3867 union kvm_mmu_page_role role)
3869 return (role.direct || pgd == root->pgd) &&
3870 VALID_PAGE(root->hpa) && to_shadow_page(root->hpa) &&
3871 role.word == to_shadow_page(root->hpa)->role.word;
3875 * Find out if a previously cached root matching the new pgd/role is available.
3876 * The current root is also inserted into the cache.
3877 * If a matching root was found, it is assigned to kvm_mmu->root_hpa and true is
3879 * Otherwise, the LRU root from the cache is assigned to kvm_mmu->root_hpa and
3880 * false is returned. This root should now be freed by the caller.
3882 static bool cached_root_available(struct kvm_vcpu *vcpu, gpa_t new_pgd,
3883 union kvm_mmu_page_role new_role)
3886 struct kvm_mmu_root_info root;
3887 struct kvm_mmu *mmu = vcpu->arch.mmu;
3889 root.pgd = mmu->root_pgd;
3890 root.hpa = mmu->root_hpa;
3892 if (is_root_usable(&root, new_pgd, new_role))
3895 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
3896 swap(root, mmu->prev_roots[i]);
3898 if (is_root_usable(&root, new_pgd, new_role))
3902 mmu->root_hpa = root.hpa;
3903 mmu->root_pgd = root.pgd;
3905 return i < KVM_MMU_NUM_PREV_ROOTS;
3908 static bool fast_pgd_switch(struct kvm_vcpu *vcpu, gpa_t new_pgd,
3909 union kvm_mmu_page_role new_role)
3911 struct kvm_mmu *mmu = vcpu->arch.mmu;
3914 * For now, limit the fast switch to 64-bit hosts+VMs in order to avoid
3915 * having to deal with PDPTEs. We may add support for 32-bit hosts/VMs
3916 * later if necessary.
3918 if (mmu->shadow_root_level >= PT64_ROOT_4LEVEL &&
3919 mmu->root_level >= PT64_ROOT_4LEVEL)
3920 return cached_root_available(vcpu, new_pgd, new_role);
3925 static void __kvm_mmu_new_pgd(struct kvm_vcpu *vcpu, gpa_t new_pgd,
3926 union kvm_mmu_page_role new_role,
3927 bool skip_tlb_flush, bool skip_mmu_sync)
3929 if (!fast_pgd_switch(vcpu, new_pgd, new_role)) {
3930 kvm_mmu_free_roots(vcpu, vcpu->arch.mmu, KVM_MMU_ROOT_CURRENT);
3935 * It's possible that the cached previous root page is obsolete because
3936 * of a change in the MMU generation number. However, changing the
3937 * generation number is accompanied by KVM_REQ_MMU_RELOAD, which will
3938 * free the root set here and allocate a new one.
3940 kvm_make_request(KVM_REQ_LOAD_MMU_PGD, vcpu);
3942 if (!skip_mmu_sync || force_flush_and_sync_on_reuse)
3943 kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
3944 if (!skip_tlb_flush || force_flush_and_sync_on_reuse)
3945 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
3948 * The last MMIO access's GVA and GPA are cached in the VCPU. When
3949 * switching to a new CR3, that GVA->GPA mapping may no longer be
3950 * valid. So clear any cached MMIO info even when we don't need to sync
3951 * the shadow page tables.
3953 vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
3956 * If this is a direct root page, it doesn't have a write flooding
3957 * count. Otherwise, clear the write flooding count.
3959 if (!new_role.direct)
3960 __clear_sp_write_flooding_count(
3961 to_shadow_page(vcpu->arch.mmu->root_hpa));
3964 void kvm_mmu_new_pgd(struct kvm_vcpu *vcpu, gpa_t new_pgd, bool skip_tlb_flush,
3967 __kvm_mmu_new_pgd(vcpu, new_pgd, kvm_mmu_calc_root_page_role(vcpu),
3968 skip_tlb_flush, skip_mmu_sync);
3970 EXPORT_SYMBOL_GPL(kvm_mmu_new_pgd);
3972 static unsigned long get_cr3(struct kvm_vcpu *vcpu)
3974 return kvm_read_cr3(vcpu);
3977 static bool sync_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, gfn_t gfn,
3978 unsigned int access, int *nr_present)
3980 if (unlikely(is_mmio_spte(*sptep))) {
3981 if (gfn != get_mmio_spte_gfn(*sptep)) {
3982 mmu_spte_clear_no_track(sptep);
3987 mark_mmio_spte(vcpu, sptep, gfn, access);
3994 static inline bool is_last_gpte(struct kvm_mmu *mmu,
3995 unsigned level, unsigned gpte)
3998 * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
3999 * If it is clear, there are no large pages at this level, so clear
4000 * PT_PAGE_SIZE_MASK in gpte if that is the case.
4002 gpte &= level - mmu->last_nonleaf_level;
4005 * PG_LEVEL_4K always terminates. The RHS has bit 7 set
4006 * iff level <= PG_LEVEL_4K, which for our purpose means
4007 * level == PG_LEVEL_4K; set PT_PAGE_SIZE_MASK in gpte then.
4009 gpte |= level - PG_LEVEL_4K - 1;
4011 return gpte & PT_PAGE_SIZE_MASK;
4014 #define PTTYPE_EPT 18 /* arbitrary */
4015 #define PTTYPE PTTYPE_EPT
4016 #include "paging_tmpl.h"
4020 #include "paging_tmpl.h"
4024 #include "paging_tmpl.h"
4028 __reset_rsvds_bits_mask(struct kvm_vcpu *vcpu,
4029 struct rsvd_bits_validate *rsvd_check,
4030 u64 pa_bits_rsvd, int level, bool nx, bool gbpages,
4033 u64 gbpages_bit_rsvd = 0;
4034 u64 nonleaf_bit8_rsvd = 0;
4037 rsvd_check->bad_mt_xwr = 0;
4040 gbpages_bit_rsvd = rsvd_bits(7, 7);
4042 if (level == PT32E_ROOT_LEVEL)
4043 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 62);
4045 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
4047 /* Note, NX doesn't exist in PDPTEs, this is handled below. */
4049 high_bits_rsvd |= rsvd_bits(63, 63);
4052 * Non-leaf PML4Es and PDPEs reserve bit 8 (which would be the G bit for
4053 * leaf entries) on AMD CPUs only.
4056 nonleaf_bit8_rsvd = rsvd_bits(8, 8);
4059 case PT32_ROOT_LEVEL:
4060 /* no rsvd bits for 2 level 4K page table entries */
4061 rsvd_check->rsvd_bits_mask[0][1] = 0;
4062 rsvd_check->rsvd_bits_mask[0][0] = 0;
4063 rsvd_check->rsvd_bits_mask[1][0] =
4064 rsvd_check->rsvd_bits_mask[0][0];
4067 rsvd_check->rsvd_bits_mask[1][1] = 0;
4071 if (is_cpuid_PSE36())
4072 /* 36bits PSE 4MB page */
4073 rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(17, 21);
4075 /* 32 bits PSE 4MB page */
4076 rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(13, 21);
4078 case PT32E_ROOT_LEVEL:
4079 rsvd_check->rsvd_bits_mask[0][2] = rsvd_bits(63, 63) |
4082 rsvd_bits(1, 2); /* PDPTE */
4083 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd; /* PDE */
4084 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd; /* PTE */
4085 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
4086 rsvd_bits(13, 20); /* large page */
4087 rsvd_check->rsvd_bits_mask[1][0] =
4088 rsvd_check->rsvd_bits_mask[0][0];
4090 case PT64_ROOT_5LEVEL:
4091 rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd |
4094 rsvd_check->rsvd_bits_mask[1][4] =
4095 rsvd_check->rsvd_bits_mask[0][4];
4097 case PT64_ROOT_4LEVEL:
4098 rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd |
4101 rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd |
4103 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd;
4104 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
4105 rsvd_check->rsvd_bits_mask[1][3] =
4106 rsvd_check->rsvd_bits_mask[0][3];
4107 rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd |
4110 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
4111 rsvd_bits(13, 20); /* large page */
4112 rsvd_check->rsvd_bits_mask[1][0] =
4113 rsvd_check->rsvd_bits_mask[0][0];
4118 static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu,
4119 struct kvm_mmu *context)
4121 __reset_rsvds_bits_mask(vcpu, &context->guest_rsvd_check,
4122 vcpu->arch.reserved_gpa_bits,
4123 context->root_level, context->nx,
4124 guest_cpuid_has(vcpu, X86_FEATURE_GBPAGES),
4126 guest_cpuid_is_amd_or_hygon(vcpu));
4130 __reset_rsvds_bits_mask_ept(struct rsvd_bits_validate *rsvd_check,
4131 u64 pa_bits_rsvd, bool execonly)
4133 u64 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
4136 rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd | rsvd_bits(3, 7);
4137 rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd | rsvd_bits(3, 7);
4138 rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd | rsvd_bits(3, 6);
4139 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd | rsvd_bits(3, 6);
4140 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
4143 rsvd_check->rsvd_bits_mask[1][4] = rsvd_check->rsvd_bits_mask[0][4];
4144 rsvd_check->rsvd_bits_mask[1][3] = rsvd_check->rsvd_bits_mask[0][3];
4145 rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd | rsvd_bits(12, 29);
4146 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd | rsvd_bits(12, 20);
4147 rsvd_check->rsvd_bits_mask[1][0] = rsvd_check->rsvd_bits_mask[0][0];
4149 bad_mt_xwr = 0xFFull << (2 * 8); /* bits 3..5 must not be 2 */
4150 bad_mt_xwr |= 0xFFull << (3 * 8); /* bits 3..5 must not be 3 */
4151 bad_mt_xwr |= 0xFFull << (7 * 8); /* bits 3..5 must not be 7 */
4152 bad_mt_xwr |= REPEAT_BYTE(1ull << 2); /* bits 0..2 must not be 010 */
4153 bad_mt_xwr |= REPEAT_BYTE(1ull << 6); /* bits 0..2 must not be 110 */
4155 /* bits 0..2 must not be 100 unless VMX capabilities allow it */
4156 bad_mt_xwr |= REPEAT_BYTE(1ull << 4);
4158 rsvd_check->bad_mt_xwr = bad_mt_xwr;
4161 static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
4162 struct kvm_mmu *context, bool execonly)
4164 __reset_rsvds_bits_mask_ept(&context->guest_rsvd_check,
4165 vcpu->arch.reserved_gpa_bits, execonly);
4168 static inline u64 reserved_hpa_bits(void)
4170 return rsvd_bits(shadow_phys_bits, 63);
4174 * the page table on host is the shadow page table for the page
4175 * table in guest or amd nested guest, its mmu features completely
4176 * follow the features in guest.
4179 reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
4181 bool uses_nx = context->nx ||
4182 context->mmu_role.base.smep_andnot_wp;
4183 struct rsvd_bits_validate *shadow_zero_check;
4187 * Passing "true" to the last argument is okay; it adds a check
4188 * on bit 8 of the SPTEs which KVM doesn't use anyway.
4190 shadow_zero_check = &context->shadow_zero_check;
4191 __reset_rsvds_bits_mask(vcpu, shadow_zero_check,
4192 reserved_hpa_bits(),
4193 context->shadow_root_level, uses_nx,
4194 guest_cpuid_has(vcpu, X86_FEATURE_GBPAGES),
4195 is_pse(vcpu), true);
4197 if (!shadow_me_mask)
4200 for (i = context->shadow_root_level; --i >= 0;) {
4201 shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_mask;
4202 shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_mask;
4206 EXPORT_SYMBOL_GPL(reset_shadow_zero_bits_mask);
4208 static inline bool boot_cpu_is_amd(void)
4210 WARN_ON_ONCE(!tdp_enabled);
4211 return shadow_x_mask == 0;
4215 * the direct page table on host, use as much mmu features as
4216 * possible, however, kvm currently does not do execution-protection.
4219 reset_tdp_shadow_zero_bits_mask(struct kvm_vcpu *vcpu,
4220 struct kvm_mmu *context)
4222 struct rsvd_bits_validate *shadow_zero_check;
4225 shadow_zero_check = &context->shadow_zero_check;
4227 if (boot_cpu_is_amd())
4228 __reset_rsvds_bits_mask(vcpu, shadow_zero_check,
4229 reserved_hpa_bits(),
4230 context->shadow_root_level, false,
4231 boot_cpu_has(X86_FEATURE_GBPAGES),
4234 __reset_rsvds_bits_mask_ept(shadow_zero_check,
4235 reserved_hpa_bits(), false);
4237 if (!shadow_me_mask)
4240 for (i = context->shadow_root_level; --i >= 0;) {
4241 shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_mask;
4242 shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_mask;
4247 * as the comments in reset_shadow_zero_bits_mask() except it
4248 * is the shadow page table for intel nested guest.
4251 reset_ept_shadow_zero_bits_mask(struct kvm_vcpu *vcpu,
4252 struct kvm_mmu *context, bool execonly)
4254 __reset_rsvds_bits_mask_ept(&context->shadow_zero_check,
4255 reserved_hpa_bits(), execonly);
4258 #define BYTE_MASK(access) \
4259 ((1 & (access) ? 2 : 0) | \
4260 (2 & (access) ? 4 : 0) | \
4261 (3 & (access) ? 8 : 0) | \
4262 (4 & (access) ? 16 : 0) | \
4263 (5 & (access) ? 32 : 0) | \
4264 (6 & (access) ? 64 : 0) | \
4265 (7 & (access) ? 128 : 0))
4268 static void update_permission_bitmask(struct kvm_vcpu *vcpu,
4269 struct kvm_mmu *mmu, bool ept)
4273 const u8 x = BYTE_MASK(ACC_EXEC_MASK);
4274 const u8 w = BYTE_MASK(ACC_WRITE_MASK);
4275 const u8 u = BYTE_MASK(ACC_USER_MASK);
4277 bool cr4_smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP) != 0;
4278 bool cr4_smap = kvm_read_cr4_bits(vcpu, X86_CR4_SMAP) != 0;
4279 bool cr0_wp = is_write_protection(vcpu);
4281 for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
4282 unsigned pfec = byte << 1;
4285 * Each "*f" variable has a 1 bit for each UWX value
4286 * that causes a fault with the given PFEC.
4289 /* Faults from writes to non-writable pages */
4290 u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
4291 /* Faults from user mode accesses to supervisor pages */
4292 u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
4293 /* Faults from fetches of non-executable pages*/
4294 u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
4295 /* Faults from kernel mode fetches of user pages */
4297 /* Faults from kernel mode accesses of user pages */
4301 /* Faults from kernel mode accesses to user pages */
4302 u8 kf = (pfec & PFERR_USER_MASK) ? 0 : u;
4304 /* Not really needed: !nx will cause pte.nx to fault */
4308 /* Allow supervisor writes if !cr0.wp */
4310 wf = (pfec & PFERR_USER_MASK) ? wf : 0;
4312 /* Disallow supervisor fetches of user code if cr4.smep */
4314 smepf = (pfec & PFERR_FETCH_MASK) ? kf : 0;
4317 * SMAP:kernel-mode data accesses from user-mode
4318 * mappings should fault. A fault is considered
4319 * as a SMAP violation if all of the following
4320 * conditions are true:
4321 * - X86_CR4_SMAP is set in CR4
4322 * - A user page is accessed
4323 * - The access is not a fetch
4324 * - Page fault in kernel mode
4325 * - if CPL = 3 or X86_EFLAGS_AC is clear
4327 * Here, we cover the first three conditions.
4328 * The fourth is computed dynamically in permission_fault();
4329 * PFERR_RSVD_MASK bit will be set in PFEC if the access is
4330 * *not* subject to SMAP restrictions.
4333 smapf = (pfec & (PFERR_RSVD_MASK|PFERR_FETCH_MASK)) ? 0 : kf;
4336 mmu->permissions[byte] = ff | uf | wf | smepf | smapf;
4341 * PKU is an additional mechanism by which the paging controls access to
4342 * user-mode addresses based on the value in the PKRU register. Protection
4343 * key violations are reported through a bit in the page fault error code.
4344 * Unlike other bits of the error code, the PK bit is not known at the
4345 * call site of e.g. gva_to_gpa; it must be computed directly in
4346 * permission_fault based on two bits of PKRU, on some machine state (CR4,
4347 * CR0, EFER, CPL), and on other bits of the error code and the page tables.
4349 * In particular the following conditions come from the error code, the
4350 * page tables and the machine state:
4351 * - PK is always zero unless CR4.PKE=1 and EFER.LMA=1
4352 * - PK is always zero if RSVD=1 (reserved bit set) or F=1 (instruction fetch)
4353 * - PK is always zero if U=0 in the page tables
4354 * - PKRU.WD is ignored if CR0.WP=0 and the access is a supervisor access.
4356 * The PKRU bitmask caches the result of these four conditions. The error
4357 * code (minus the P bit) and the page table's U bit form an index into the
4358 * PKRU bitmask. Two bits of the PKRU bitmask are then extracted and ANDed
4359 * with the two bits of the PKRU register corresponding to the protection key.
4360 * For the first three conditions above the bits will be 00, thus masking
4361 * away both AD and WD. For all reads or if the last condition holds, WD
4362 * only will be masked away.
4364 static void update_pkru_bitmask(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
4375 /* PKEY is enabled only if CR4.PKE and EFER.LMA are both set. */
4376 if (!kvm_read_cr4_bits(vcpu, X86_CR4_PKE) || !is_long_mode(vcpu)) {
4381 wp = is_write_protection(vcpu);
4383 for (bit = 0; bit < ARRAY_SIZE(mmu->permissions); ++bit) {
4384 unsigned pfec, pkey_bits;
4385 bool check_pkey, check_write, ff, uf, wf, pte_user;
4388 ff = pfec & PFERR_FETCH_MASK;
4389 uf = pfec & PFERR_USER_MASK;
4390 wf = pfec & PFERR_WRITE_MASK;
4392 /* PFEC.RSVD is replaced by ACC_USER_MASK. */
4393 pte_user = pfec & PFERR_RSVD_MASK;
4396 * Only need to check the access which is not an
4397 * instruction fetch and is to a user page.
4399 check_pkey = (!ff && pte_user);
4401 * write access is controlled by PKRU if it is a
4402 * user access or CR0.WP = 1.
4404 check_write = check_pkey && wf && (uf || wp);
4406 /* PKRU.AD stops both read and write access. */
4407 pkey_bits = !!check_pkey;
4408 /* PKRU.WD stops write access. */
4409 pkey_bits |= (!!check_write) << 1;
4411 mmu->pkru_mask |= (pkey_bits & 3) << pfec;
4415 static void update_last_nonleaf_level(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu)
4417 unsigned root_level = mmu->root_level;
4419 mmu->last_nonleaf_level = root_level;
4420 if (root_level == PT32_ROOT_LEVEL && is_pse(vcpu))
4421 mmu->last_nonleaf_level++;
4424 static void paging64_init_context_common(struct kvm_vcpu *vcpu,
4425 struct kvm_mmu *context,
4428 context->nx = is_nx(vcpu);
4429 context->root_level = level;
4431 reset_rsvds_bits_mask(vcpu, context);
4432 update_permission_bitmask(vcpu, context, false);
4433 update_pkru_bitmask(vcpu, context, false);
4434 update_last_nonleaf_level(vcpu, context);
4436 MMU_WARN_ON(!is_pae(vcpu));
4437 context->page_fault = paging64_page_fault;
4438 context->gva_to_gpa = paging64_gva_to_gpa;
4439 context->sync_page = paging64_sync_page;
4440 context->invlpg = paging64_invlpg;
4441 context->shadow_root_level = level;
4442 context->direct_map = false;
4445 static void paging64_init_context(struct kvm_vcpu *vcpu,
4446 struct kvm_mmu *context)
4448 int root_level = is_la57_mode(vcpu) ?
4449 PT64_ROOT_5LEVEL : PT64_ROOT_4LEVEL;
4451 paging64_init_context_common(vcpu, context, root_level);
4454 static void paging32_init_context(struct kvm_vcpu *vcpu,
4455 struct kvm_mmu *context)
4457 context->nx = false;
4458 context->root_level = PT32_ROOT_LEVEL;
4460 reset_rsvds_bits_mask(vcpu, context);
4461 update_permission_bitmask(vcpu, context, false);
4462 update_pkru_bitmask(vcpu, context, false);
4463 update_last_nonleaf_level(vcpu, context);
4465 context->page_fault = paging32_page_fault;
4466 context->gva_to_gpa = paging32_gva_to_gpa;
4467 context->sync_page = paging32_sync_page;
4468 context->invlpg = paging32_invlpg;
4469 context->shadow_root_level = PT32E_ROOT_LEVEL;
4470 context->direct_map = false;
4473 static void paging32E_init_context(struct kvm_vcpu *vcpu,
4474 struct kvm_mmu *context)
4476 paging64_init_context_common(vcpu, context, PT32E_ROOT_LEVEL);
4479 static union kvm_mmu_extended_role kvm_calc_mmu_role_ext(struct kvm_vcpu *vcpu)
4481 union kvm_mmu_extended_role ext = {0};
4483 ext.cr0_pg = !!is_paging(vcpu);
4484 ext.cr4_pae = !!is_pae(vcpu);
4485 ext.cr4_smep = !!kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
4486 ext.cr4_smap = !!kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
4487 ext.cr4_pse = !!is_pse(vcpu);
4488 ext.cr4_pke = !!kvm_read_cr4_bits(vcpu, X86_CR4_PKE);
4489 ext.maxphyaddr = cpuid_maxphyaddr(vcpu);
4496 static union kvm_mmu_role kvm_calc_mmu_role_common(struct kvm_vcpu *vcpu,
4499 union kvm_mmu_role role = {0};
4501 role.base.access = ACC_ALL;
4502 role.base.nxe = !!is_nx(vcpu);
4503 role.base.cr0_wp = is_write_protection(vcpu);
4504 role.base.smm = is_smm(vcpu);
4505 role.base.guest_mode = is_guest_mode(vcpu);
4510 role.ext = kvm_calc_mmu_role_ext(vcpu);
4515 static inline int kvm_mmu_get_tdp_level(struct kvm_vcpu *vcpu)
4517 /* Use 5-level TDP if and only if it's useful/necessary. */
4518 if (max_tdp_level == 5 && cpuid_maxphyaddr(vcpu) <= 48)
4521 return max_tdp_level;
4524 static union kvm_mmu_role
4525 kvm_calc_tdp_mmu_root_page_role(struct kvm_vcpu *vcpu, bool base_only)
4527 union kvm_mmu_role role = kvm_calc_mmu_role_common(vcpu, base_only);
4529 role.base.ad_disabled = (shadow_accessed_mask == 0);
4530 role.base.level = kvm_mmu_get_tdp_level(vcpu);
4531 role.base.direct = true;
4532 role.base.gpte_is_8_bytes = true;
4537 static void init_kvm_tdp_mmu(struct kvm_vcpu *vcpu)
4539 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4540 union kvm_mmu_role new_role =
4541 kvm_calc_tdp_mmu_root_page_role(vcpu, false);
4543 if (new_role.as_u64 == context->mmu_role.as_u64)
4546 context->mmu_role.as_u64 = new_role.as_u64;
4547 context->page_fault = kvm_tdp_page_fault;
4548 context->sync_page = nonpaging_sync_page;
4549 context->invlpg = NULL;
4550 context->shadow_root_level = kvm_mmu_get_tdp_level(vcpu);
4551 context->direct_map = true;
4552 context->get_guest_pgd = get_cr3;
4553 context->get_pdptr = kvm_pdptr_read;
4554 context->inject_page_fault = kvm_inject_page_fault;
4556 if (!is_paging(vcpu)) {
4557 context->nx = false;
4558 context->gva_to_gpa = nonpaging_gva_to_gpa;
4559 context->root_level = 0;
4560 } else if (is_long_mode(vcpu)) {
4561 context->nx = is_nx(vcpu);
4562 context->root_level = is_la57_mode(vcpu) ?
4563 PT64_ROOT_5LEVEL : PT64_ROOT_4LEVEL;
4564 reset_rsvds_bits_mask(vcpu, context);
4565 context->gva_to_gpa = paging64_gva_to_gpa;
4566 } else if (is_pae(vcpu)) {
4567 context->nx = is_nx(vcpu);
4568 context->root_level = PT32E_ROOT_LEVEL;
4569 reset_rsvds_bits_mask(vcpu, context);
4570 context->gva_to_gpa = paging64_gva_to_gpa;
4572 context->nx = false;
4573 context->root_level = PT32_ROOT_LEVEL;
4574 reset_rsvds_bits_mask(vcpu, context);
4575 context->gva_to_gpa = paging32_gva_to_gpa;
4578 update_permission_bitmask(vcpu, context, false);
4579 update_pkru_bitmask(vcpu, context, false);
4580 update_last_nonleaf_level(vcpu, context);
4581 reset_tdp_shadow_zero_bits_mask(vcpu, context);
4584 static union kvm_mmu_role
4585 kvm_calc_shadow_root_page_role_common(struct kvm_vcpu *vcpu, bool base_only)
4587 union kvm_mmu_role role = kvm_calc_mmu_role_common(vcpu, base_only);
4589 role.base.smep_andnot_wp = role.ext.cr4_smep &&
4590 !is_write_protection(vcpu);
4591 role.base.smap_andnot_wp = role.ext.cr4_smap &&
4592 !is_write_protection(vcpu);
4593 role.base.gpte_is_8_bytes = !!is_pae(vcpu);
4598 static union kvm_mmu_role
4599 kvm_calc_shadow_mmu_root_page_role(struct kvm_vcpu *vcpu, bool base_only)
4601 union kvm_mmu_role role =
4602 kvm_calc_shadow_root_page_role_common(vcpu, base_only);
4604 role.base.direct = !is_paging(vcpu);
4606 if (!is_long_mode(vcpu))
4607 role.base.level = PT32E_ROOT_LEVEL;
4608 else if (is_la57_mode(vcpu))
4609 role.base.level = PT64_ROOT_5LEVEL;
4611 role.base.level = PT64_ROOT_4LEVEL;
4616 static void shadow_mmu_init_context(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
4617 u32 cr0, u32 cr4, u32 efer,
4618 union kvm_mmu_role new_role)
4620 if (!(cr0 & X86_CR0_PG))
4621 nonpaging_init_context(vcpu, context);
4622 else if (efer & EFER_LMA)
4623 paging64_init_context(vcpu, context);
4624 else if (cr4 & X86_CR4_PAE)
4625 paging32E_init_context(vcpu, context);
4627 paging32_init_context(vcpu, context);
4629 context->mmu_role.as_u64 = new_role.as_u64;
4630 reset_shadow_zero_bits_mask(vcpu, context);
4633 static void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, u32 cr0, u32 cr4, u32 efer)
4635 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4636 union kvm_mmu_role new_role =
4637 kvm_calc_shadow_mmu_root_page_role(vcpu, false);
4639 if (new_role.as_u64 != context->mmu_role.as_u64)
4640 shadow_mmu_init_context(vcpu, context, cr0, cr4, efer, new_role);
4643 static union kvm_mmu_role
4644 kvm_calc_shadow_npt_root_page_role(struct kvm_vcpu *vcpu)
4646 union kvm_mmu_role role =
4647 kvm_calc_shadow_root_page_role_common(vcpu, false);
4649 role.base.direct = false;
4650 role.base.level = kvm_mmu_get_tdp_level(vcpu);
4655 void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, u32 cr0, u32 cr4, u32 efer,
4658 struct kvm_mmu *context = &vcpu->arch.guest_mmu;
4659 union kvm_mmu_role new_role = kvm_calc_shadow_npt_root_page_role(vcpu);
4661 __kvm_mmu_new_pgd(vcpu, nested_cr3, new_role.base, false, false);
4663 if (new_role.as_u64 != context->mmu_role.as_u64) {
4664 shadow_mmu_init_context(vcpu, context, cr0, cr4, efer, new_role);
4667 * Override the level set by the common init helper, nested TDP
4668 * always uses the host's TDP configuration.
4670 context->shadow_root_level = new_role.base.level;
4673 EXPORT_SYMBOL_GPL(kvm_init_shadow_npt_mmu);
4675 static union kvm_mmu_role
4676 kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
4677 bool execonly, u8 level)
4679 union kvm_mmu_role role = {0};
4681 /* SMM flag is inherited from root_mmu */
4682 role.base.smm = vcpu->arch.root_mmu.mmu_role.base.smm;
4684 role.base.level = level;
4685 role.base.gpte_is_8_bytes = true;
4686 role.base.direct = false;
4687 role.base.ad_disabled = !accessed_dirty;
4688 role.base.guest_mode = true;
4689 role.base.access = ACC_ALL;
4692 * WP=1 and NOT_WP=1 is an impossible combination, use WP and the
4693 * SMAP variation to denote shadow EPT entries.
4695 role.base.cr0_wp = true;
4696 role.base.smap_andnot_wp = true;
4698 role.ext = kvm_calc_mmu_role_ext(vcpu);
4699 role.ext.execonly = execonly;
4704 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
4705 bool accessed_dirty, gpa_t new_eptp)
4707 struct kvm_mmu *context = &vcpu->arch.guest_mmu;
4708 u8 level = vmx_eptp_page_walk_level(new_eptp);
4709 union kvm_mmu_role new_role =
4710 kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty,
4713 __kvm_mmu_new_pgd(vcpu, new_eptp, new_role.base, true, true);
4715 if (new_role.as_u64 == context->mmu_role.as_u64)
4718 context->shadow_root_level = level;
4721 context->ept_ad = accessed_dirty;
4722 context->page_fault = ept_page_fault;
4723 context->gva_to_gpa = ept_gva_to_gpa;
4724 context->sync_page = ept_sync_page;
4725 context->invlpg = ept_invlpg;
4726 context->root_level = level;
4727 context->direct_map = false;
4728 context->mmu_role.as_u64 = new_role.as_u64;
4730 update_permission_bitmask(vcpu, context, true);
4731 update_pkru_bitmask(vcpu, context, true);
4732 update_last_nonleaf_level(vcpu, context);
4733 reset_rsvds_bits_mask_ept(vcpu, context, execonly);
4734 reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
4736 EXPORT_SYMBOL_GPL(kvm_init_shadow_ept_mmu);
4738 static void init_kvm_softmmu(struct kvm_vcpu *vcpu)
4740 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4742 kvm_init_shadow_mmu(vcpu,
4743 kvm_read_cr0_bits(vcpu, X86_CR0_PG),
4744 kvm_read_cr4_bits(vcpu, X86_CR4_PAE),
4747 context->get_guest_pgd = get_cr3;
4748 context->get_pdptr = kvm_pdptr_read;
4749 context->inject_page_fault = kvm_inject_page_fault;
4752 static void init_kvm_nested_mmu(struct kvm_vcpu *vcpu)
4754 union kvm_mmu_role new_role = kvm_calc_mmu_role_common(vcpu, false);
4755 struct kvm_mmu *g_context = &vcpu->arch.nested_mmu;
4757 if (new_role.as_u64 == g_context->mmu_role.as_u64)
4760 g_context->mmu_role.as_u64 = new_role.as_u64;
4761 g_context->get_guest_pgd = get_cr3;
4762 g_context->get_pdptr = kvm_pdptr_read;
4763 g_context->inject_page_fault = kvm_inject_page_fault;
4766 * L2 page tables are never shadowed, so there is no need to sync
4769 g_context->invlpg = NULL;
4772 * Note that arch.mmu->gva_to_gpa translates l2_gpa to l1_gpa using
4773 * L1's nested page tables (e.g. EPT12). The nested translation
4774 * of l2_gva to l1_gpa is done by arch.nested_mmu.gva_to_gpa using
4775 * L2's page tables as the first level of translation and L1's
4776 * nested page tables as the second level of translation. Basically
4777 * the gva_to_gpa functions between mmu and nested_mmu are swapped.
4779 if (!is_paging(vcpu)) {
4780 g_context->nx = false;
4781 g_context->root_level = 0;
4782 g_context->gva_to_gpa = nonpaging_gva_to_gpa_nested;
4783 } else if (is_long_mode(vcpu)) {
4784 g_context->nx = is_nx(vcpu);
4785 g_context->root_level = is_la57_mode(vcpu) ?
4786 PT64_ROOT_5LEVEL : PT64_ROOT_4LEVEL;
4787 reset_rsvds_bits_mask(vcpu, g_context);
4788 g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
4789 } else if (is_pae(vcpu)) {
4790 g_context->nx = is_nx(vcpu);
4791 g_context->root_level = PT32E_ROOT_LEVEL;
4792 reset_rsvds_bits_mask(vcpu, g_context);
4793 g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
4795 g_context->nx = false;
4796 g_context->root_level = PT32_ROOT_LEVEL;
4797 reset_rsvds_bits_mask(vcpu, g_context);
4798 g_context->gva_to_gpa = paging32_gva_to_gpa_nested;
4801 update_permission_bitmask(vcpu, g_context, false);
4802 update_pkru_bitmask(vcpu, g_context, false);
4803 update_last_nonleaf_level(vcpu, g_context);
4806 void kvm_init_mmu(struct kvm_vcpu *vcpu, bool reset_roots)
4811 vcpu->arch.mmu->root_hpa = INVALID_PAGE;
4813 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
4814 vcpu->arch.mmu->prev_roots[i] = KVM_MMU_ROOT_INFO_INVALID;
4817 if (mmu_is_nested(vcpu))
4818 init_kvm_nested_mmu(vcpu);
4819 else if (tdp_enabled)
4820 init_kvm_tdp_mmu(vcpu);
4822 init_kvm_softmmu(vcpu);
4824 EXPORT_SYMBOL_GPL(kvm_init_mmu);
4826 static union kvm_mmu_page_role
4827 kvm_mmu_calc_root_page_role(struct kvm_vcpu *vcpu)
4829 union kvm_mmu_role role;
4832 role = kvm_calc_tdp_mmu_root_page_role(vcpu, true);
4834 role = kvm_calc_shadow_mmu_root_page_role(vcpu, true);
4839 void kvm_mmu_reset_context(struct kvm_vcpu *vcpu)
4841 kvm_mmu_unload(vcpu);
4842 kvm_init_mmu(vcpu, true);
4844 EXPORT_SYMBOL_GPL(kvm_mmu_reset_context);
4846 int kvm_mmu_load(struct kvm_vcpu *vcpu)
4850 r = mmu_topup_memory_caches(vcpu, !vcpu->arch.mmu->direct_map);
4853 r = mmu_alloc_special_roots(vcpu);
4856 write_lock(&vcpu->kvm->mmu_lock);
4857 if (make_mmu_pages_available(vcpu))
4859 else if (vcpu->arch.mmu->direct_map)
4860 r = mmu_alloc_direct_roots(vcpu);
4862 r = mmu_alloc_shadow_roots(vcpu);
4863 write_unlock(&vcpu->kvm->mmu_lock);
4867 kvm_mmu_sync_roots(vcpu);
4869 kvm_mmu_load_pgd(vcpu);
4870 static_call(kvm_x86_tlb_flush_current)(vcpu);
4875 void kvm_mmu_unload(struct kvm_vcpu *vcpu)
4877 kvm_mmu_free_roots(vcpu, &vcpu->arch.root_mmu, KVM_MMU_ROOTS_ALL);
4878 WARN_ON(VALID_PAGE(vcpu->arch.root_mmu.root_hpa));
4879 kvm_mmu_free_roots(vcpu, &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL);
4880 WARN_ON(VALID_PAGE(vcpu->arch.guest_mmu.root_hpa));
4883 static bool need_remote_flush(u64 old, u64 new)
4885 if (!is_shadow_present_pte(old))
4887 if (!is_shadow_present_pte(new))
4889 if ((old ^ new) & PT64_BASE_ADDR_MASK)
4891 old ^= shadow_nx_mask;
4892 new ^= shadow_nx_mask;
4893 return (old & ~new & PT64_PERM_MASK) != 0;
4896 static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
4903 * Assume that the pte write on a page table of the same type
4904 * as the current vcpu paging mode since we update the sptes only
4905 * when they have the same mode.
4907 if (is_pae(vcpu) && *bytes == 4) {
4908 /* Handle a 32-bit guest writing two halves of a 64-bit gpte */
4913 if (*bytes == 4 || *bytes == 8) {
4914 r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes);
4923 * If we're seeing too many writes to a page, it may no longer be a page table,
4924 * or we may be forking, in which case it is better to unmap the page.
4926 static bool detect_write_flooding(struct kvm_mmu_page *sp)
4929 * Skip write-flooding detected for the sp whose level is 1, because
4930 * it can become unsync, then the guest page is not write-protected.
4932 if (sp->role.level == PG_LEVEL_4K)
4935 atomic_inc(&sp->write_flooding_count);
4936 return atomic_read(&sp->write_flooding_count) >= 3;
4940 * Misaligned accesses are too much trouble to fix up; also, they usually
4941 * indicate a page is not used as a page table.
4943 static bool detect_write_misaligned(struct kvm_mmu_page *sp, gpa_t gpa,
4946 unsigned offset, pte_size, misaligned;
4948 pgprintk("misaligned: gpa %llx bytes %d role %x\n",
4949 gpa, bytes, sp->role.word);
4951 offset = offset_in_page(gpa);
4952 pte_size = sp->role.gpte_is_8_bytes ? 8 : 4;
4955 * Sometimes, the OS only writes the last one bytes to update status
4956 * bits, for example, in linux, andb instruction is used in clear_bit().
4958 if (!(offset & (pte_size - 1)) && bytes == 1)
4961 misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);
4962 misaligned |= bytes < 4;
4967 static u64 *get_written_sptes(struct kvm_mmu_page *sp, gpa_t gpa, int *nspte)
4969 unsigned page_offset, quadrant;
4973 page_offset = offset_in_page(gpa);
4974 level = sp->role.level;
4976 if (!sp->role.gpte_is_8_bytes) {
4977 page_offset <<= 1; /* 32->64 */
4979 * A 32-bit pde maps 4MB while the shadow pdes map
4980 * only 2MB. So we need to double the offset again
4981 * and zap two pdes instead of one.
4983 if (level == PT32_ROOT_LEVEL) {
4984 page_offset &= ~7; /* kill rounding error */
4988 quadrant = page_offset >> PAGE_SHIFT;
4989 page_offset &= ~PAGE_MASK;
4990 if (quadrant != sp->role.quadrant)
4994 spte = &sp->spt[page_offset / sizeof(*spte)];
4998 static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
4999 const u8 *new, int bytes,
5000 struct kvm_page_track_notifier_node *node)
5002 gfn_t gfn = gpa >> PAGE_SHIFT;
5003 struct kvm_mmu_page *sp;
5004 LIST_HEAD(invalid_list);
5005 u64 entry, gentry, *spte;
5007 bool remote_flush, local_flush;
5010 * If we don't have indirect shadow pages, it means no page is
5011 * write-protected, so we can exit simply.
5013 if (!READ_ONCE(vcpu->kvm->arch.indirect_shadow_pages))
5016 remote_flush = local_flush = false;
5018 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
5021 * No need to care whether allocation memory is successful
5022 * or not since pte prefetch is skiped if it does not have
5023 * enough objects in the cache.
5025 mmu_topup_memory_caches(vcpu, true);
5027 write_lock(&vcpu->kvm->mmu_lock);
5029 gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
5031 ++vcpu->kvm->stat.mmu_pte_write;
5032 kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);
5034 for_each_gfn_indirect_valid_sp(vcpu->kvm, sp, gfn) {
5035 if (detect_write_misaligned(sp, gpa, bytes) ||
5036 detect_write_flooding(sp)) {
5037 kvm_mmu_prepare_zap_page(vcpu->kvm, sp, &invalid_list);
5038 ++vcpu->kvm->stat.mmu_flooded;
5042 spte = get_written_sptes(sp, gpa, &npte);
5049 mmu_page_zap_pte(vcpu->kvm, sp, spte, NULL);
5050 if (gentry && sp->role.level != PG_LEVEL_4K)
5051 ++vcpu->kvm->stat.mmu_pde_zapped;
5052 if (need_remote_flush(entry, *spte))
5053 remote_flush = true;
5057 kvm_mmu_flush_or_zap(vcpu, &invalid_list, remote_flush, local_flush);
5058 kvm_mmu_audit(vcpu, AUDIT_POST_PTE_WRITE);
5059 write_unlock(&vcpu->kvm->mmu_lock);
5062 int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
5063 void *insn, int insn_len)
5065 int r, emulation_type = EMULTYPE_PF;
5066 bool direct = vcpu->arch.mmu->direct_map;
5068 if (WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root_hpa)))
5069 return RET_PF_RETRY;
5072 if (unlikely(error_code & PFERR_RSVD_MASK)) {
5073 r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
5074 if (r == RET_PF_EMULATE)
5078 if (r == RET_PF_INVALID) {
5079 r = kvm_mmu_do_page_fault(vcpu, cr2_or_gpa,
5080 lower_32_bits(error_code), false);
5081 if (WARN_ON_ONCE(r == RET_PF_INVALID))
5087 if (r != RET_PF_EMULATE)
5091 * Before emulating the instruction, check if the error code
5092 * was due to a RO violation while translating the guest page.
5093 * This can occur when using nested virtualization with nested
5094 * paging in both guests. If true, we simply unprotect the page
5095 * and resume the guest.
5097 if (vcpu->arch.mmu->direct_map &&
5098 (error_code & PFERR_NESTED_GUEST_PAGE) == PFERR_NESTED_GUEST_PAGE) {
5099 kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2_or_gpa));
5104 * vcpu->arch.mmu.page_fault returned RET_PF_EMULATE, but we can still
5105 * optimistically try to just unprotect the page and let the processor
5106 * re-execute the instruction that caused the page fault. Do not allow
5107 * retrying MMIO emulation, as it's not only pointless but could also
5108 * cause us to enter an infinite loop because the processor will keep
5109 * faulting on the non-existent MMIO address. Retrying an instruction
5110 * from a nested guest is also pointless and dangerous as we are only
5111 * explicitly shadowing L1's page tables, i.e. unprotecting something
5112 * for L1 isn't going to magically fix whatever issue cause L2 to fail.
5114 if (!mmio_info_in_cache(vcpu, cr2_or_gpa, direct) && !is_guest_mode(vcpu))
5115 emulation_type |= EMULTYPE_ALLOW_RETRY_PF;
5117 return x86_emulate_instruction(vcpu, cr2_or_gpa, emulation_type, insn,
5120 EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
5122 void kvm_mmu_invalidate_gva(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
5123 gva_t gva, hpa_t root_hpa)
5127 /* It's actually a GPA for vcpu->arch.guest_mmu. */
5128 if (mmu != &vcpu->arch.guest_mmu) {
5129 /* INVLPG on a non-canonical address is a NOP according to the SDM. */
5130 if (is_noncanonical_address(gva, vcpu))
5133 static_call(kvm_x86_tlb_flush_gva)(vcpu, gva);
5139 if (root_hpa == INVALID_PAGE) {
5140 mmu->invlpg(vcpu, gva, mmu->root_hpa);
5143 * INVLPG is required to invalidate any global mappings for the VA,
5144 * irrespective of PCID. Since it would take us roughly similar amount
5145 * of work to determine whether any of the prev_root mappings of the VA
5146 * is marked global, or to just sync it blindly, so we might as well
5147 * just always sync it.
5149 * Mappings not reachable via the current cr3 or the prev_roots will be
5150 * synced when switching to that cr3, so nothing needs to be done here
5153 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
5154 if (VALID_PAGE(mmu->prev_roots[i].hpa))
5155 mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
5157 mmu->invlpg(vcpu, gva, root_hpa);
5161 void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
5163 kvm_mmu_invalidate_gva(vcpu, vcpu->arch.mmu, gva, INVALID_PAGE);
5164 ++vcpu->stat.invlpg;
5166 EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
5169 void kvm_mmu_invpcid_gva(struct kvm_vcpu *vcpu, gva_t gva, unsigned long pcid)
5171 struct kvm_mmu *mmu = vcpu->arch.mmu;
5172 bool tlb_flush = false;
5175 if (pcid == kvm_get_active_pcid(vcpu)) {
5176 mmu->invlpg(vcpu, gva, mmu->root_hpa);
5180 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
5181 if (VALID_PAGE(mmu->prev_roots[i].hpa) &&
5182 pcid == kvm_get_pcid(vcpu, mmu->prev_roots[i].pgd)) {
5183 mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
5189 static_call(kvm_x86_tlb_flush_gva)(vcpu, gva);
5191 ++vcpu->stat.invlpg;
5194 * Mappings not reachable via the current cr3 or the prev_roots will be
5195 * synced when switching to that cr3, so nothing needs to be done here
5200 void kvm_configure_mmu(bool enable_tdp, int tdp_max_root_level,
5201 int tdp_huge_page_level)
5203 tdp_enabled = enable_tdp;
5204 max_tdp_level = tdp_max_root_level;
5207 * max_huge_page_level reflects KVM's MMU capabilities irrespective
5208 * of kernel support, e.g. KVM may be capable of using 1GB pages when
5209 * the kernel is not. But, KVM never creates a page size greater than
5210 * what is used by the kernel for any given HVA, i.e. the kernel's
5211 * capabilities are ultimately consulted by kvm_mmu_hugepage_adjust().
5214 max_huge_page_level = tdp_huge_page_level;
5215 else if (boot_cpu_has(X86_FEATURE_GBPAGES))
5216 max_huge_page_level = PG_LEVEL_1G;
5218 max_huge_page_level = PG_LEVEL_2M;
5220 EXPORT_SYMBOL_GPL(kvm_configure_mmu);
5222 /* The return value indicates if tlb flush on all vcpus is needed. */
5223 typedef bool (*slot_level_handler) (struct kvm *kvm, struct kvm_rmap_head *rmap_head,
5224 struct kvm_memory_slot *slot);
5226 /* The caller should hold mmu-lock before calling this function. */
5227 static __always_inline bool
5228 slot_handle_level_range(struct kvm *kvm, struct kvm_memory_slot *memslot,
5229 slot_level_handler fn, int start_level, int end_level,
5230 gfn_t start_gfn, gfn_t end_gfn, bool lock_flush_tlb)
5232 struct slot_rmap_walk_iterator iterator;
5235 for_each_slot_rmap_range(memslot, start_level, end_level, start_gfn,
5236 end_gfn, &iterator) {
5238 flush |= fn(kvm, iterator.rmap, memslot);
5240 if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
5241 if (flush && lock_flush_tlb) {
5242 kvm_flush_remote_tlbs_with_address(kvm,
5244 iterator.gfn - start_gfn + 1);
5247 cond_resched_rwlock_write(&kvm->mmu_lock);
5251 if (flush && lock_flush_tlb) {
5252 kvm_flush_remote_tlbs_with_address(kvm, start_gfn,
5253 end_gfn - start_gfn + 1);
5260 static __always_inline bool
5261 slot_handle_level(struct kvm *kvm, struct kvm_memory_slot *memslot,
5262 slot_level_handler fn, int start_level, int end_level,
5263 bool lock_flush_tlb)
5265 return slot_handle_level_range(kvm, memslot, fn, start_level,
5266 end_level, memslot->base_gfn,
5267 memslot->base_gfn + memslot->npages - 1,
5271 static __always_inline bool
5272 slot_handle_leaf(struct kvm *kvm, struct kvm_memory_slot *memslot,
5273 slot_level_handler fn, bool lock_flush_tlb)
5275 return slot_handle_level(kvm, memslot, fn, PG_LEVEL_4K,
5276 PG_LEVEL_4K, lock_flush_tlb);
5279 static void free_mmu_pages(struct kvm_mmu *mmu)
5281 if (!tdp_enabled && mmu->pae_root)
5282 set_memory_encrypted((unsigned long)mmu->pae_root, 1);
5283 free_page((unsigned long)mmu->pae_root);
5284 free_page((unsigned long)mmu->lm_root);
5287 static int __kvm_mmu_create(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu)
5292 mmu->root_hpa = INVALID_PAGE;
5294 mmu->translate_gpa = translate_gpa;
5295 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
5296 mmu->prev_roots[i] = KVM_MMU_ROOT_INFO_INVALID;
5299 * When using PAE paging, the four PDPTEs are treated as 'root' pages,
5300 * while the PDP table is a per-vCPU construct that's allocated at MMU
5301 * creation. When emulating 32-bit mode, cr3 is only 32 bits even on
5302 * x86_64. Therefore we need to allocate the PDP table in the first
5303 * 4GB of memory, which happens to fit the DMA32 zone. TDP paging
5304 * generally doesn't use PAE paging and can skip allocating the PDP
5305 * table. The main exception, handled here, is SVM's 32-bit NPT. The
5306 * other exception is for shadowing L1's 32-bit or PAE NPT on 64-bit
5307 * KVM; that horror is handled on-demand by mmu_alloc_shadow_roots().
5309 if (tdp_enabled && kvm_mmu_get_tdp_level(vcpu) > PT32E_ROOT_LEVEL)
5312 page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_DMA32);
5316 mmu->pae_root = page_address(page);
5319 * CR3 is only 32 bits when PAE paging is used, thus it's impossible to
5320 * get the CPU to treat the PDPTEs as encrypted. Decrypt the page so
5321 * that KVM's writes and the CPU's reads get along. Note, this is
5322 * only necessary when using shadow paging, as 64-bit NPT can get at
5323 * the C-bit even when shadowing 32-bit NPT, and SME isn't supported
5324 * by 32-bit kernels (when KVM itself uses 32-bit NPT).
5327 set_memory_decrypted((unsigned long)mmu->pae_root, 1);
5329 WARN_ON_ONCE(shadow_me_mask);
5331 for (i = 0; i < 4; ++i)
5332 mmu->pae_root[i] = INVALID_PAE_ROOT;
5337 int kvm_mmu_create(struct kvm_vcpu *vcpu)
5341 vcpu->arch.mmu_pte_list_desc_cache.kmem_cache = pte_list_desc_cache;
5342 vcpu->arch.mmu_pte_list_desc_cache.gfp_zero = __GFP_ZERO;
5344 vcpu->arch.mmu_page_header_cache.kmem_cache = mmu_page_header_cache;
5345 vcpu->arch.mmu_page_header_cache.gfp_zero = __GFP_ZERO;
5347 vcpu->arch.mmu_shadow_page_cache.gfp_zero = __GFP_ZERO;
5349 vcpu->arch.mmu = &vcpu->arch.root_mmu;
5350 vcpu->arch.walk_mmu = &vcpu->arch.root_mmu;
5352 vcpu->arch.nested_mmu.translate_gpa = translate_nested_gpa;
5354 ret = __kvm_mmu_create(vcpu, &vcpu->arch.guest_mmu);
5358 ret = __kvm_mmu_create(vcpu, &vcpu->arch.root_mmu);
5360 goto fail_allocate_root;
5364 free_mmu_pages(&vcpu->arch.guest_mmu);
5368 #define BATCH_ZAP_PAGES 10
5369 static void kvm_zap_obsolete_pages(struct kvm *kvm)
5371 struct kvm_mmu_page *sp, *node;
5372 int nr_zapped, batch = 0;
5375 list_for_each_entry_safe_reverse(sp, node,
5376 &kvm->arch.active_mmu_pages, link) {
5378 * No obsolete valid page exists before a newly created page
5379 * since active_mmu_pages is a FIFO list.
5381 if (!is_obsolete_sp(kvm, sp))
5385 * Invalid pages should never land back on the list of active
5386 * pages. Skip the bogus page, otherwise we'll get stuck in an
5387 * infinite loop if the page gets put back on the list (again).
5389 if (WARN_ON(sp->role.invalid))
5393 * No need to flush the TLB since we're only zapping shadow
5394 * pages with an obsolete generation number and all vCPUS have
5395 * loaded a new root, i.e. the shadow pages being zapped cannot
5396 * be in active use by the guest.
5398 if (batch >= BATCH_ZAP_PAGES &&
5399 cond_resched_rwlock_write(&kvm->mmu_lock)) {
5404 if (__kvm_mmu_prepare_zap_page(kvm, sp,
5405 &kvm->arch.zapped_obsolete_pages, &nr_zapped)) {
5412 * Trigger a remote TLB flush before freeing the page tables to ensure
5413 * KVM is not in the middle of a lockless shadow page table walk, which
5414 * may reference the pages.
5416 kvm_mmu_commit_zap_page(kvm, &kvm->arch.zapped_obsolete_pages);
5420 * Fast invalidate all shadow pages and use lock-break technique
5421 * to zap obsolete pages.
5423 * It's required when memslot is being deleted or VM is being
5424 * destroyed, in these cases, we should ensure that KVM MMU does
5425 * not use any resource of the being-deleted slot or all slots
5426 * after calling the function.
5428 static void kvm_mmu_zap_all_fast(struct kvm *kvm)
5430 lockdep_assert_held(&kvm->slots_lock);
5432 write_lock(&kvm->mmu_lock);
5433 trace_kvm_mmu_zap_all_fast(kvm);
5436 * Toggle mmu_valid_gen between '0' and '1'. Because slots_lock is
5437 * held for the entire duration of zapping obsolete pages, it's
5438 * impossible for there to be multiple invalid generations associated
5439 * with *valid* shadow pages at any given time, i.e. there is exactly
5440 * one valid generation and (at most) one invalid generation.
5442 kvm->arch.mmu_valid_gen = kvm->arch.mmu_valid_gen ? 0 : 1;
5445 * Notify all vcpus to reload its shadow page table and flush TLB.
5446 * Then all vcpus will switch to new shadow page table with the new
5449 * Note: we need to do this under the protection of mmu_lock,
5450 * otherwise, vcpu would purge shadow page but miss tlb flush.
5452 kvm_reload_remote_mmus(kvm);
5454 kvm_zap_obsolete_pages(kvm);
5456 if (is_tdp_mmu_enabled(kvm))
5457 kvm_tdp_mmu_zap_all(kvm);
5459 write_unlock(&kvm->mmu_lock);
5462 static bool kvm_has_zapped_obsolete_pages(struct kvm *kvm)
5464 return unlikely(!list_empty_careful(&kvm->arch.zapped_obsolete_pages));
5467 static void kvm_mmu_invalidate_zap_pages_in_memslot(struct kvm *kvm,
5468 struct kvm_memory_slot *slot,
5469 struct kvm_page_track_notifier_node *node)
5471 kvm_mmu_zap_all_fast(kvm);
5474 void kvm_mmu_init_vm(struct kvm *kvm)
5476 struct kvm_page_track_notifier_node *node = &kvm->arch.mmu_sp_tracker;
5478 kvm_mmu_init_tdp_mmu(kvm);
5480 node->track_write = kvm_mmu_pte_write;
5481 node->track_flush_slot = kvm_mmu_invalidate_zap_pages_in_memslot;
5482 kvm_page_track_register_notifier(kvm, node);
5485 void kvm_mmu_uninit_vm(struct kvm *kvm)
5487 struct kvm_page_track_notifier_node *node = &kvm->arch.mmu_sp_tracker;
5489 kvm_page_track_unregister_notifier(kvm, node);
5491 kvm_mmu_uninit_tdp_mmu(kvm);
5494 void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
5496 struct kvm_memslots *slots;
5497 struct kvm_memory_slot *memslot;
5501 write_lock(&kvm->mmu_lock);
5502 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
5503 slots = __kvm_memslots(kvm, i);
5504 kvm_for_each_memslot(memslot, slots) {
5507 start = max(gfn_start, memslot->base_gfn);
5508 end = min(gfn_end, memslot->base_gfn + memslot->npages);
5512 slot_handle_level_range(kvm, memslot, kvm_zap_rmapp,
5514 KVM_MAX_HUGEPAGE_LEVEL,
5515 start, end - 1, true);
5519 if (is_tdp_mmu_enabled(kvm)) {
5520 flush = kvm_tdp_mmu_zap_gfn_range(kvm, gfn_start, gfn_end);
5522 kvm_flush_remote_tlbs(kvm);
5525 write_unlock(&kvm->mmu_lock);
5528 static bool slot_rmap_write_protect(struct kvm *kvm,
5529 struct kvm_rmap_head *rmap_head,
5530 struct kvm_memory_slot *slot)
5532 return __rmap_write_protect(kvm, rmap_head, false);
5535 void kvm_mmu_slot_remove_write_access(struct kvm *kvm,
5536 struct kvm_memory_slot *memslot,
5541 write_lock(&kvm->mmu_lock);
5542 flush = slot_handle_level(kvm, memslot, slot_rmap_write_protect,
5543 start_level, KVM_MAX_HUGEPAGE_LEVEL, false);
5544 if (is_tdp_mmu_enabled(kvm))
5545 flush |= kvm_tdp_mmu_wrprot_slot(kvm, memslot, PG_LEVEL_4K);
5546 write_unlock(&kvm->mmu_lock);
5549 * We can flush all the TLBs out of the mmu lock without TLB
5550 * corruption since we just change the spte from writable to
5551 * readonly so that we only need to care the case of changing
5552 * spte from present to present (changing the spte from present
5553 * to nonpresent will flush all the TLBs immediately), in other
5554 * words, the only case we care is mmu_spte_update() where we
5555 * have checked Host-writable | MMU-writable instead of
5556 * PT_WRITABLE_MASK, that means it does not depend on PT_WRITABLE_MASK
5560 kvm_arch_flush_remote_tlbs_memslot(kvm, memslot);
5563 static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm,
5564 struct kvm_rmap_head *rmap_head,
5565 struct kvm_memory_slot *slot)
5568 struct rmap_iterator iter;
5569 int need_tlb_flush = 0;
5571 struct kvm_mmu_page *sp;
5574 for_each_rmap_spte(rmap_head, &iter, sptep) {
5575 sp = sptep_to_sp(sptep);
5576 pfn = spte_to_pfn(*sptep);
5579 * We cannot do huge page mapping for indirect shadow pages,
5580 * which are found on the last rmap (level = 1) when not using
5581 * tdp; such shadow pages are synced with the page table in
5582 * the guest, and the guest page table is using 4K page size
5583 * mapping if the indirect sp has level = 1.
5585 if (sp->role.direct && !kvm_is_reserved_pfn(pfn) &&
5586 sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
5587 pfn, PG_LEVEL_NUM)) {
5588 pte_list_remove(rmap_head, sptep);
5590 if (kvm_available_flush_tlb_with_range())
5591 kvm_flush_remote_tlbs_with_address(kvm, sp->gfn,
5592 KVM_PAGES_PER_HPAGE(sp->role.level));
5600 return need_tlb_flush;
5603 void kvm_mmu_zap_collapsible_sptes(struct kvm *kvm,
5604 const struct kvm_memory_slot *memslot)
5606 /* FIXME: const-ify all uses of struct kvm_memory_slot. */
5607 struct kvm_memory_slot *slot = (struct kvm_memory_slot *)memslot;
5609 write_lock(&kvm->mmu_lock);
5610 slot_handle_leaf(kvm, slot, kvm_mmu_zap_collapsible_spte, true);
5612 if (is_tdp_mmu_enabled(kvm))
5613 kvm_tdp_mmu_zap_collapsible_sptes(kvm, slot);
5614 write_unlock(&kvm->mmu_lock);
5617 void kvm_arch_flush_remote_tlbs_memslot(struct kvm *kvm,
5618 struct kvm_memory_slot *memslot)
5621 * All current use cases for flushing the TLBs for a specific memslot
5622 * are related to dirty logging, and do the TLB flush out of mmu_lock.
5623 * The interaction between the various operations on memslot must be
5624 * serialized by slots_locks to ensure the TLB flush from one operation
5625 * is observed by any other operation on the same memslot.
5627 lockdep_assert_held(&kvm->slots_lock);
5628 kvm_flush_remote_tlbs_with_address(kvm, memslot->base_gfn,
5632 void kvm_mmu_slot_leaf_clear_dirty(struct kvm *kvm,
5633 struct kvm_memory_slot *memslot)
5637 write_lock(&kvm->mmu_lock);
5638 flush = slot_handle_leaf(kvm, memslot, __rmap_clear_dirty, false);
5639 if (is_tdp_mmu_enabled(kvm))
5640 flush |= kvm_tdp_mmu_clear_dirty_slot(kvm, memslot);
5641 write_unlock(&kvm->mmu_lock);
5644 * It's also safe to flush TLBs out of mmu lock here as currently this
5645 * function is only used for dirty logging, in which case flushing TLB
5646 * out of mmu lock also guarantees no dirty pages will be lost in
5650 kvm_arch_flush_remote_tlbs_memslot(kvm, memslot);
5653 void kvm_mmu_zap_all(struct kvm *kvm)
5655 struct kvm_mmu_page *sp, *node;
5656 LIST_HEAD(invalid_list);
5659 write_lock(&kvm->mmu_lock);
5661 list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) {
5662 if (WARN_ON(sp->role.invalid))
5664 if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign))
5666 if (cond_resched_rwlock_write(&kvm->mmu_lock))
5670 kvm_mmu_commit_zap_page(kvm, &invalid_list);
5672 if (is_tdp_mmu_enabled(kvm))
5673 kvm_tdp_mmu_zap_all(kvm);
5675 write_unlock(&kvm->mmu_lock);
5678 void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm, u64 gen)
5680 WARN_ON(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS);
5682 gen &= MMIO_SPTE_GEN_MASK;
5685 * Generation numbers are incremented in multiples of the number of
5686 * address spaces in order to provide unique generations across all
5687 * address spaces. Strip what is effectively the address space
5688 * modifier prior to checking for a wrap of the MMIO generation so
5689 * that a wrap in any address space is detected.
5691 gen &= ~((u64)KVM_ADDRESS_SPACE_NUM - 1);
5694 * The very rare case: if the MMIO generation number has wrapped,
5695 * zap all shadow pages.
5697 if (unlikely(gen == 0)) {
5698 kvm_debug_ratelimited("kvm: zapping shadow pages for mmio generation wraparound\n");
5699 kvm_mmu_zap_all_fast(kvm);
5703 static unsigned long
5704 mmu_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
5707 int nr_to_scan = sc->nr_to_scan;
5708 unsigned long freed = 0;
5710 mutex_lock(&kvm_lock);
5712 list_for_each_entry(kvm, &vm_list, vm_list) {
5714 LIST_HEAD(invalid_list);
5717 * Never scan more than sc->nr_to_scan VM instances.
5718 * Will not hit this condition practically since we do not try
5719 * to shrink more than one VM and it is very unlikely to see
5720 * !n_used_mmu_pages so many times.
5725 * n_used_mmu_pages is accessed without holding kvm->mmu_lock
5726 * here. We may skip a VM instance errorneosly, but we do not
5727 * want to shrink a VM that only started to populate its MMU
5730 if (!kvm->arch.n_used_mmu_pages &&
5731 !kvm_has_zapped_obsolete_pages(kvm))
5734 idx = srcu_read_lock(&kvm->srcu);
5735 write_lock(&kvm->mmu_lock);
5737 if (kvm_has_zapped_obsolete_pages(kvm)) {
5738 kvm_mmu_commit_zap_page(kvm,
5739 &kvm->arch.zapped_obsolete_pages);
5743 freed = kvm_mmu_zap_oldest_mmu_pages(kvm, sc->nr_to_scan);
5746 write_unlock(&kvm->mmu_lock);
5747 srcu_read_unlock(&kvm->srcu, idx);
5750 * unfair on small ones
5751 * per-vm shrinkers cry out
5752 * sadness comes quickly
5754 list_move_tail(&kvm->vm_list, &vm_list);
5758 mutex_unlock(&kvm_lock);
5762 static unsigned long
5763 mmu_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
5765 return percpu_counter_read_positive(&kvm_total_used_mmu_pages);
5768 static struct shrinker mmu_shrinker = {
5769 .count_objects = mmu_shrink_count,
5770 .scan_objects = mmu_shrink_scan,
5771 .seeks = DEFAULT_SEEKS * 10,
5774 static void mmu_destroy_caches(void)
5776 kmem_cache_destroy(pte_list_desc_cache);
5777 kmem_cache_destroy(mmu_page_header_cache);
5780 static bool get_nx_auto_mode(void)
5782 /* Return true when CPU has the bug, and mitigations are ON */
5783 return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off();
5786 static void __set_nx_huge_pages(bool val)
5788 nx_huge_pages = itlb_multihit_kvm_mitigation = val;
5791 static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
5793 bool old_val = nx_huge_pages;
5796 /* In "auto" mode deploy workaround only if CPU has the bug. */
5797 if (sysfs_streq(val, "off"))
5799 else if (sysfs_streq(val, "force"))
5801 else if (sysfs_streq(val, "auto"))
5802 new_val = get_nx_auto_mode();
5803 else if (strtobool(val, &new_val) < 0)
5806 __set_nx_huge_pages(new_val);
5808 if (new_val != old_val) {
5811 mutex_lock(&kvm_lock);
5813 list_for_each_entry(kvm, &vm_list, vm_list) {
5814 mutex_lock(&kvm->slots_lock);
5815 kvm_mmu_zap_all_fast(kvm);
5816 mutex_unlock(&kvm->slots_lock);
5818 wake_up_process(kvm->arch.nx_lpage_recovery_thread);
5820 mutex_unlock(&kvm_lock);
5826 int kvm_mmu_module_init(void)
5830 if (nx_huge_pages == -1)
5831 __set_nx_huge_pages(get_nx_auto_mode());
5834 * MMU roles use union aliasing which is, generally speaking, an
5835 * undefined behavior. However, we supposedly know how compilers behave
5836 * and the current status quo is unlikely to change. Guardians below are
5837 * supposed to let us know if the assumption becomes false.
5839 BUILD_BUG_ON(sizeof(union kvm_mmu_page_role) != sizeof(u32));
5840 BUILD_BUG_ON(sizeof(union kvm_mmu_extended_role) != sizeof(u32));
5841 BUILD_BUG_ON(sizeof(union kvm_mmu_role) != sizeof(u64));
5843 kvm_mmu_reset_all_pte_masks();
5845 pte_list_desc_cache = kmem_cache_create("pte_list_desc",
5846 sizeof(struct pte_list_desc),
5847 0, SLAB_ACCOUNT, NULL);
5848 if (!pte_list_desc_cache)
5851 mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
5852 sizeof(struct kvm_mmu_page),
5853 0, SLAB_ACCOUNT, NULL);
5854 if (!mmu_page_header_cache)
5857 if (percpu_counter_init(&kvm_total_used_mmu_pages, 0, GFP_KERNEL))
5860 ret = register_shrinker(&mmu_shrinker);
5867 mmu_destroy_caches();
5872 * Calculate mmu pages needed for kvm.
5874 unsigned long kvm_mmu_calculate_default_mmu_pages(struct kvm *kvm)
5876 unsigned long nr_mmu_pages;
5877 unsigned long nr_pages = 0;
5878 struct kvm_memslots *slots;
5879 struct kvm_memory_slot *memslot;
5882 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
5883 slots = __kvm_memslots(kvm, i);
5885 kvm_for_each_memslot(memslot, slots)
5886 nr_pages += memslot->npages;
5889 nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
5890 nr_mmu_pages = max(nr_mmu_pages, KVM_MIN_ALLOC_MMU_PAGES);
5892 return nr_mmu_pages;
5895 void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
5897 kvm_mmu_unload(vcpu);
5898 free_mmu_pages(&vcpu->arch.root_mmu);
5899 free_mmu_pages(&vcpu->arch.guest_mmu);
5900 mmu_free_memory_caches(vcpu);
5903 void kvm_mmu_module_exit(void)
5905 mmu_destroy_caches();
5906 percpu_counter_destroy(&kvm_total_used_mmu_pages);
5907 unregister_shrinker(&mmu_shrinker);
5908 mmu_audit_disable();
5911 static int set_nx_huge_pages_recovery_ratio(const char *val, const struct kernel_param *kp)
5913 unsigned int old_val;
5916 old_val = nx_huge_pages_recovery_ratio;
5917 err = param_set_uint(val, kp);
5921 if (READ_ONCE(nx_huge_pages) &&
5922 !old_val && nx_huge_pages_recovery_ratio) {
5925 mutex_lock(&kvm_lock);
5927 list_for_each_entry(kvm, &vm_list, vm_list)
5928 wake_up_process(kvm->arch.nx_lpage_recovery_thread);
5930 mutex_unlock(&kvm_lock);
5936 static void kvm_recover_nx_lpages(struct kvm *kvm)
5939 struct kvm_mmu_page *sp;
5941 LIST_HEAD(invalid_list);
5945 rcu_idx = srcu_read_lock(&kvm->srcu);
5946 write_lock(&kvm->mmu_lock);
5948 ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
5949 to_zap = ratio ? DIV_ROUND_UP(kvm->stat.nx_lpage_splits, ratio) : 0;
5950 for ( ; to_zap; --to_zap) {
5951 if (list_empty(&kvm->arch.lpage_disallowed_mmu_pages))
5955 * We use a separate list instead of just using active_mmu_pages
5956 * because the number of lpage_disallowed pages is expected to
5957 * be relatively small compared to the total.
5959 sp = list_first_entry(&kvm->arch.lpage_disallowed_mmu_pages,
5960 struct kvm_mmu_page,
5961 lpage_disallowed_link);
5962 WARN_ON_ONCE(!sp->lpage_disallowed);
5963 if (is_tdp_mmu_page(sp)) {
5964 flush = kvm_tdp_mmu_zap_sp(kvm, sp);
5966 kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
5967 WARN_ON_ONCE(sp->lpage_disallowed);
5970 if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
5971 kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
5972 cond_resched_rwlock_write(&kvm->mmu_lock);
5976 kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
5978 write_unlock(&kvm->mmu_lock);
5979 srcu_read_unlock(&kvm->srcu, rcu_idx);
5982 static long get_nx_lpage_recovery_timeout(u64 start_time)
5984 return READ_ONCE(nx_huge_pages) && READ_ONCE(nx_huge_pages_recovery_ratio)
5985 ? start_time + 60 * HZ - get_jiffies_64()
5986 : MAX_SCHEDULE_TIMEOUT;
5989 static int kvm_nx_lpage_recovery_worker(struct kvm *kvm, uintptr_t data)
5992 long remaining_time;
5995 start_time = get_jiffies_64();
5996 remaining_time = get_nx_lpage_recovery_timeout(start_time);
5998 set_current_state(TASK_INTERRUPTIBLE);
5999 while (!kthread_should_stop() && remaining_time > 0) {
6000 schedule_timeout(remaining_time);
6001 remaining_time = get_nx_lpage_recovery_timeout(start_time);
6002 set_current_state(TASK_INTERRUPTIBLE);
6005 set_current_state(TASK_RUNNING);
6007 if (kthread_should_stop())
6010 kvm_recover_nx_lpages(kvm);
6014 int kvm_mmu_post_init_vm(struct kvm *kvm)
6018 err = kvm_vm_create_worker_thread(kvm, kvm_nx_lpage_recovery_worker, 0,
6019 "kvm-nx-lpage-recovery",
6020 &kvm->arch.nx_lpage_recovery_thread);
6022 kthread_unpark(kvm->arch.nx_lpage_recovery_thread);
6027 void kvm_mmu_pre_destroy_vm(struct kvm *kvm)
6029 if (kvm->arch.nx_lpage_recovery_thread)
6030 kthread_stop(kvm->arch.nx_lpage_recovery_thread);
projects / linux-2.6-microblaze.git / blob