1 // SPDX-License-Identifier: GPL-2.0-only
3 * Kernel-based Virtual Machine driver for Linux
5 * This module enables machines with Intel VT-x extensions to run virtual
6 * machines without emulation or binary translation.
10 * Copyright (C) 2006 Qumranet, Inc.
11 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
14 * Yaniv Kamay <yaniv@qumranet.com>
15 * Avi Kivity <avi@qumranet.com>
21 #include "mmu_internal.h"
24 #include "kvm_cache_regs.h"
25 #include "kvm_emulate.h"
29 #include <linux/kvm_host.h>
30 #include <linux/types.h>
31 #include <linux/string.h>
33 #include <linux/highmem.h>
34 #include <linux/moduleparam.h>
35 #include <linux/export.h>
36 #include <linux/swap.h>
37 #include <linux/hugetlb.h>
38 #include <linux/compiler.h>
39 #include <linux/srcu.h>
40 #include <linux/slab.h>
41 #include <linux/sched/signal.h>
42 #include <linux/uaccess.h>
43 #include <linux/hash.h>
44 #include <linux/kern_levels.h>
45 #include <linux/kthread.h>
48 #include <asm/memtype.h>
49 #include <asm/cmpxchg.h>
51 #include <asm/set_memory.h>
53 #include <asm/kvm_page_track.h>
58 extern bool itlb_multihit_kvm_mitigation;
60 int __read_mostly nx_huge_pages = -1;
61 static uint __read_mostly nx_huge_pages_recovery_period_ms;
62 #ifdef CONFIG_PREEMPT_RT
63 /* Recovery can cause latency spikes, disable it for PREEMPT_RT. */
64 static uint __read_mostly nx_huge_pages_recovery_ratio = 0;
66 static uint __read_mostly nx_huge_pages_recovery_ratio = 60;
69 static int set_nx_huge_pages(const char *val, const struct kernel_param *kp);
70 static int set_nx_huge_pages_recovery_param(const char *val, const struct kernel_param *kp);
72 static const struct kernel_param_ops nx_huge_pages_ops = {
73 .set = set_nx_huge_pages,
74 .get = param_get_bool,
77 static const struct kernel_param_ops nx_huge_pages_recovery_param_ops = {
78 .set = set_nx_huge_pages_recovery_param,
79 .get = param_get_uint,
82 module_param_cb(nx_huge_pages, &nx_huge_pages_ops, &nx_huge_pages, 0644);
83 __MODULE_PARM_TYPE(nx_huge_pages, "bool");
84 module_param_cb(nx_huge_pages_recovery_ratio, &nx_huge_pages_recovery_param_ops,
85 &nx_huge_pages_recovery_ratio, 0644);
86 __MODULE_PARM_TYPE(nx_huge_pages_recovery_ratio, "uint");
87 module_param_cb(nx_huge_pages_recovery_period_ms, &nx_huge_pages_recovery_param_ops,
88 &nx_huge_pages_recovery_period_ms, 0644);
89 __MODULE_PARM_TYPE(nx_huge_pages_recovery_period_ms, "uint");
91 static bool __read_mostly force_flush_and_sync_on_reuse;
92 module_param_named(flush_on_reuse, force_flush_and_sync_on_reuse, bool, 0644);
95 * When setting this variable to true it enables Two-Dimensional-Paging
96 * where the hardware walks 2 page tables:
97 * 1. the guest-virtual to guest-physical
98 * 2. while doing 1. it walks guest-physical to host-physical
99 * If the hardware supports that we don't need to do shadow paging.
101 bool tdp_enabled = false;
103 static int max_huge_page_level __read_mostly;
104 static int tdp_root_level __read_mostly;
105 static int max_tdp_level __read_mostly;
109 module_param(dbg, bool, 0644);
112 #define PTE_PREFETCH_NUM 8
114 #define PT32_LEVEL_BITS 10
116 #define PT32_LEVEL_SHIFT(level) \
117 (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)
119 #define PT32_LVL_OFFSET_MASK(level) \
120 (PT32_BASE_ADDR_MASK & ((1ULL << (PAGE_SHIFT + (((level) - 1) \
121 * PT32_LEVEL_BITS))) - 1))
123 #define PT32_INDEX(address, level)\
124 (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))
127 #define PT32_BASE_ADDR_MASK PAGE_MASK
128 #define PT32_DIR_BASE_ADDR_MASK \
129 (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + PT32_LEVEL_BITS)) - 1))
130 #define PT32_LVL_ADDR_MASK(level) \
131 (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + (((level) - 1) \
132 * PT32_LEVEL_BITS))) - 1))
134 #include <trace/events/kvm.h>
136 /* make pte_list_desc fit well in cache lines */
137 #define PTE_LIST_EXT 14
140 * Slight optimization of cacheline layout, by putting `more' and `spte_count'
141 * at the start; then accessing it will only use one single cacheline for
142 * either full (entries==PTE_LIST_EXT) case or entries<=6.
144 struct pte_list_desc {
145 struct pte_list_desc *more;
147 * Stores number of entries stored in the pte_list_desc. No need to be
148 * u64 but just for easier alignment. When PTE_LIST_EXT, means full.
151 u64 *sptes[PTE_LIST_EXT];
154 struct kvm_shadow_walk_iterator {
162 #define for_each_shadow_entry_using_root(_vcpu, _root, _addr, _walker) \
163 for (shadow_walk_init_using_root(&(_walker), (_vcpu), \
165 shadow_walk_okay(&(_walker)); \
166 shadow_walk_next(&(_walker)))
168 #define for_each_shadow_entry(_vcpu, _addr, _walker) \
169 for (shadow_walk_init(&(_walker), _vcpu, _addr); \
170 shadow_walk_okay(&(_walker)); \
171 shadow_walk_next(&(_walker)))
173 #define for_each_shadow_entry_lockless(_vcpu, _addr, _walker, spte) \
174 for (shadow_walk_init(&(_walker), _vcpu, _addr); \
175 shadow_walk_okay(&(_walker)) && \
176 ({ spte = mmu_spte_get_lockless(_walker.sptep); 1; }); \
177 __shadow_walk_next(&(_walker), spte))
179 static struct kmem_cache *pte_list_desc_cache;
180 struct kmem_cache *mmu_page_header_cache;
181 static struct percpu_counter kvm_total_used_mmu_pages;
183 static void mmu_spte_set(u64 *sptep, u64 spte);
185 struct kvm_mmu_role_regs {
186 const unsigned long cr0;
187 const unsigned long cr4;
191 #define CREATE_TRACE_POINTS
192 #include "mmutrace.h"
195 * Yes, lot's of underscores. They're a hint that you probably shouldn't be
196 * reading from the role_regs. Once the root_role is constructed, it becomes
197 * the single source of truth for the MMU's state.
199 #define BUILD_MMU_ROLE_REGS_ACCESSOR(reg, name, flag) \
200 static inline bool __maybe_unused \
201 ____is_##reg##_##name(const struct kvm_mmu_role_regs *regs) \
203 return !!(regs->reg & flag); \
205 BUILD_MMU_ROLE_REGS_ACCESSOR(cr0, pg, X86_CR0_PG);
206 BUILD_MMU_ROLE_REGS_ACCESSOR(cr0, wp, X86_CR0_WP);
207 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pse, X86_CR4_PSE);
208 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pae, X86_CR4_PAE);
209 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, smep, X86_CR4_SMEP);
210 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, smap, X86_CR4_SMAP);
211 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pke, X86_CR4_PKE);
212 BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, la57, X86_CR4_LA57);
213 BUILD_MMU_ROLE_REGS_ACCESSOR(efer, nx, EFER_NX);
214 BUILD_MMU_ROLE_REGS_ACCESSOR(efer, lma, EFER_LMA);
217 * The MMU itself (with a valid role) is the single source of truth for the
218 * MMU. Do not use the regs used to build the MMU/role, nor the vCPU. The
219 * regs don't account for dependencies, e.g. clearing CR4 bits if CR0.PG=1,
220 * and the vCPU may be incorrect/irrelevant.
222 #define BUILD_MMU_ROLE_ACCESSOR(base_or_ext, reg, name) \
223 static inline bool __maybe_unused is_##reg##_##name(struct kvm_mmu *mmu) \
225 return !!(mmu->cpu_role. base_or_ext . reg##_##name); \
227 BUILD_MMU_ROLE_ACCESSOR(base, cr0, wp);
228 BUILD_MMU_ROLE_ACCESSOR(ext, cr4, pse);
229 BUILD_MMU_ROLE_ACCESSOR(ext, cr4, smep);
230 BUILD_MMU_ROLE_ACCESSOR(ext, cr4, smap);
231 BUILD_MMU_ROLE_ACCESSOR(ext, cr4, pke);
232 BUILD_MMU_ROLE_ACCESSOR(ext, cr4, la57);
233 BUILD_MMU_ROLE_ACCESSOR(base, efer, nx);
234 BUILD_MMU_ROLE_ACCESSOR(ext, efer, lma);
236 static inline bool is_cr0_pg(struct kvm_mmu *mmu)
238 return mmu->cpu_role.base.level > 0;
241 static inline bool is_cr4_pae(struct kvm_mmu *mmu)
243 return !mmu->cpu_role.base.has_4_byte_gpte;
246 static struct kvm_mmu_role_regs vcpu_to_role_regs(struct kvm_vcpu *vcpu)
248 struct kvm_mmu_role_regs regs = {
249 .cr0 = kvm_read_cr0_bits(vcpu, KVM_MMU_CR0_ROLE_BITS),
250 .cr4 = kvm_read_cr4_bits(vcpu, KVM_MMU_CR4_ROLE_BITS),
251 .efer = vcpu->arch.efer,
257 static inline bool kvm_available_flush_tlb_with_range(void)
259 return kvm_x86_ops.tlb_remote_flush_with_range;
262 static void kvm_flush_remote_tlbs_with_range(struct kvm *kvm,
263 struct kvm_tlb_range *range)
267 if (range && kvm_x86_ops.tlb_remote_flush_with_range)
268 ret = static_call(kvm_x86_tlb_remote_flush_with_range)(kvm, range);
271 kvm_flush_remote_tlbs(kvm);
274 void kvm_flush_remote_tlbs_with_address(struct kvm *kvm,
275 u64 start_gfn, u64 pages)
277 struct kvm_tlb_range range;
279 range.start_gfn = start_gfn;
282 kvm_flush_remote_tlbs_with_range(kvm, &range);
285 static void mark_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, u64 gfn,
288 u64 spte = make_mmio_spte(vcpu, gfn, access);
290 trace_mark_mmio_spte(sptep, gfn, spte);
291 mmu_spte_set(sptep, spte);
294 static gfn_t get_mmio_spte_gfn(u64 spte)
296 u64 gpa = spte & shadow_nonpresent_or_rsvd_lower_gfn_mask;
298 gpa |= (spte >> SHADOW_NONPRESENT_OR_RSVD_MASK_LEN)
299 & shadow_nonpresent_or_rsvd_mask;
301 return gpa >> PAGE_SHIFT;
304 static unsigned get_mmio_spte_access(u64 spte)
306 return spte & shadow_mmio_access_mask;
309 static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte)
311 u64 kvm_gen, spte_gen, gen;
313 gen = kvm_vcpu_memslots(vcpu)->generation;
314 if (unlikely(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS))
317 kvm_gen = gen & MMIO_SPTE_GEN_MASK;
318 spte_gen = get_mmio_spte_generation(spte);
320 trace_check_mmio_spte(spte, kvm_gen, spte_gen);
321 return likely(kvm_gen == spte_gen);
324 static int is_cpuid_PSE36(void)
329 static gfn_t pse36_gfn_delta(u32 gpte)
331 int shift = 32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT;
333 return (gpte & PT32_DIR_PSE36_MASK) << shift;
337 static void __set_spte(u64 *sptep, u64 spte)
339 WRITE_ONCE(*sptep, spte);
342 static void __update_clear_spte_fast(u64 *sptep, u64 spte)
344 WRITE_ONCE(*sptep, spte);
347 static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
349 return xchg(sptep, spte);
352 static u64 __get_spte_lockless(u64 *sptep)
354 return READ_ONCE(*sptep);
365 static void count_spte_clear(u64 *sptep, u64 spte)
367 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
369 if (is_shadow_present_pte(spte))
372 /* Ensure the spte is completely set before we increase the count */
374 sp->clear_spte_count++;
377 static void __set_spte(u64 *sptep, u64 spte)
379 union split_spte *ssptep, sspte;
381 ssptep = (union split_spte *)sptep;
382 sspte = (union split_spte)spte;
384 ssptep->spte_high = sspte.spte_high;
387 * If we map the spte from nonpresent to present, We should store
388 * the high bits firstly, then set present bit, so cpu can not
389 * fetch this spte while we are setting the spte.
393 WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
396 static void __update_clear_spte_fast(u64 *sptep, u64 spte)
398 union split_spte *ssptep, sspte;
400 ssptep = (union split_spte *)sptep;
401 sspte = (union split_spte)spte;
403 WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
406 * If we map the spte from present to nonpresent, we should clear
407 * present bit firstly to avoid vcpu fetch the old high bits.
411 ssptep->spte_high = sspte.spte_high;
412 count_spte_clear(sptep, spte);
415 static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
417 union split_spte *ssptep, sspte, orig;
419 ssptep = (union split_spte *)sptep;
420 sspte = (union split_spte)spte;
422 /* xchg acts as a barrier before the setting of the high bits */
423 orig.spte_low = xchg(&ssptep->spte_low, sspte.spte_low);
424 orig.spte_high = ssptep->spte_high;
425 ssptep->spte_high = sspte.spte_high;
426 count_spte_clear(sptep, spte);
432 * The idea using the light way get the spte on x86_32 guest is from
433 * gup_get_pte (mm/gup.c).
435 * An spte tlb flush may be pending, because kvm_set_pte_rmapp
436 * coalesces them and we are running out of the MMU lock. Therefore
437 * we need to protect against in-progress updates of the spte.
439 * Reading the spte while an update is in progress may get the old value
440 * for the high part of the spte. The race is fine for a present->non-present
441 * change (because the high part of the spte is ignored for non-present spte),
442 * but for a present->present change we must reread the spte.
444 * All such changes are done in two steps (present->non-present and
445 * non-present->present), hence it is enough to count the number of
446 * present->non-present updates: if it changed while reading the spte,
447 * we might have hit the race. This is done using clear_spte_count.
449 static u64 __get_spte_lockless(u64 *sptep)
451 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
452 union split_spte spte, *orig = (union split_spte *)sptep;
456 count = sp->clear_spte_count;
459 spte.spte_low = orig->spte_low;
462 spte.spte_high = orig->spte_high;
465 if (unlikely(spte.spte_low != orig->spte_low ||
466 count != sp->clear_spte_count))
473 static bool spte_has_volatile_bits(u64 spte)
475 if (!is_shadow_present_pte(spte))
479 * Always atomically update spte if it can be updated
480 * out of mmu-lock, it can ensure dirty bit is not lost,
481 * also, it can help us to get a stable is_writable_pte()
482 * to ensure tlb flush is not missed.
484 if (spte_can_locklessly_be_made_writable(spte) ||
485 is_access_track_spte(spte))
488 if (spte_ad_enabled(spte)) {
489 if ((spte & shadow_accessed_mask) == 0 ||
490 (is_writable_pte(spte) && (spte & shadow_dirty_mask) == 0))
497 /* Rules for using mmu_spte_set:
498 * Set the sptep from nonpresent to present.
499 * Note: the sptep being assigned *must* be either not present
500 * or in a state where the hardware will not attempt to update
503 static void mmu_spte_set(u64 *sptep, u64 new_spte)
505 WARN_ON(is_shadow_present_pte(*sptep));
506 __set_spte(sptep, new_spte);
510 * Update the SPTE (excluding the PFN), but do not track changes in its
511 * accessed/dirty status.
513 static u64 mmu_spte_update_no_track(u64 *sptep, u64 new_spte)
515 u64 old_spte = *sptep;
517 WARN_ON(!is_shadow_present_pte(new_spte));
518 check_spte_writable_invariants(new_spte);
520 if (!is_shadow_present_pte(old_spte)) {
521 mmu_spte_set(sptep, new_spte);
525 if (!spte_has_volatile_bits(old_spte))
526 __update_clear_spte_fast(sptep, new_spte);
528 old_spte = __update_clear_spte_slow(sptep, new_spte);
530 WARN_ON(spte_to_pfn(old_spte) != spte_to_pfn(new_spte));
535 /* Rules for using mmu_spte_update:
536 * Update the state bits, it means the mapped pfn is not changed.
538 * Whenever an MMU-writable SPTE is overwritten with a read-only SPTE, remote
539 * TLBs must be flushed. Otherwise rmap_write_protect will find a read-only
540 * spte, even though the writable spte might be cached on a CPU's TLB.
542 * Returns true if the TLB needs to be flushed
544 static bool mmu_spte_update(u64 *sptep, u64 new_spte)
547 u64 old_spte = mmu_spte_update_no_track(sptep, new_spte);
549 if (!is_shadow_present_pte(old_spte))
553 * For the spte updated out of mmu-lock is safe, since
554 * we always atomically update it, see the comments in
555 * spte_has_volatile_bits().
557 if (spte_can_locklessly_be_made_writable(old_spte) &&
558 !is_writable_pte(new_spte))
562 * Flush TLB when accessed/dirty states are changed in the page tables,
563 * to guarantee consistency between TLB and page tables.
566 if (is_accessed_spte(old_spte) && !is_accessed_spte(new_spte)) {
568 kvm_set_pfn_accessed(spte_to_pfn(old_spte));
571 if (is_dirty_spte(old_spte) && !is_dirty_spte(new_spte)) {
573 kvm_set_pfn_dirty(spte_to_pfn(old_spte));
580 * Rules for using mmu_spte_clear_track_bits:
581 * It sets the sptep from present to nonpresent, and track the
582 * state bits, it is used to clear the last level sptep.
583 * Returns the old PTE.
585 static int mmu_spte_clear_track_bits(struct kvm *kvm, u64 *sptep)
588 u64 old_spte = *sptep;
589 int level = sptep_to_sp(sptep)->role.level;
591 if (!spte_has_volatile_bits(old_spte))
592 __update_clear_spte_fast(sptep, 0ull);
594 old_spte = __update_clear_spte_slow(sptep, 0ull);
596 if (!is_shadow_present_pte(old_spte))
599 kvm_update_page_stats(kvm, level, -1);
601 pfn = spte_to_pfn(old_spte);
604 * KVM does not hold the refcount of the page used by
605 * kvm mmu, before reclaiming the page, we should
606 * unmap it from mmu first.
608 WARN_ON(!kvm_is_reserved_pfn(pfn) && !page_count(pfn_to_page(pfn)));
610 if (is_accessed_spte(old_spte))
611 kvm_set_pfn_accessed(pfn);
613 if (is_dirty_spte(old_spte))
614 kvm_set_pfn_dirty(pfn);
620 * Rules for using mmu_spte_clear_no_track:
621 * Directly clear spte without caring the state bits of sptep,
622 * it is used to set the upper level spte.
624 static void mmu_spte_clear_no_track(u64 *sptep)
626 __update_clear_spte_fast(sptep, 0ull);
629 static u64 mmu_spte_get_lockless(u64 *sptep)
631 return __get_spte_lockless(sptep);
634 /* Returns the Accessed status of the PTE and resets it at the same time. */
635 static bool mmu_spte_age(u64 *sptep)
637 u64 spte = mmu_spte_get_lockless(sptep);
639 if (!is_accessed_spte(spte))
642 if (spte_ad_enabled(spte)) {
643 clear_bit((ffs(shadow_accessed_mask) - 1),
644 (unsigned long *)sptep);
647 * Capture the dirty status of the page, so that it doesn't get
648 * lost when the SPTE is marked for access tracking.
650 if (is_writable_pte(spte))
651 kvm_set_pfn_dirty(spte_to_pfn(spte));
653 spte = mark_spte_for_access_track(spte);
654 mmu_spte_update_no_track(sptep, spte);
660 static void walk_shadow_page_lockless_begin(struct kvm_vcpu *vcpu)
662 if (is_tdp_mmu(vcpu->arch.mmu)) {
663 kvm_tdp_mmu_walk_lockless_begin();
666 * Prevent page table teardown by making any free-er wait during
667 * kvm_flush_remote_tlbs() IPI to all active vcpus.
672 * Make sure a following spte read is not reordered ahead of the write
675 smp_store_mb(vcpu->mode, READING_SHADOW_PAGE_TABLES);
679 static void walk_shadow_page_lockless_end(struct kvm_vcpu *vcpu)
681 if (is_tdp_mmu(vcpu->arch.mmu)) {
682 kvm_tdp_mmu_walk_lockless_end();
685 * Make sure the write to vcpu->mode is not reordered in front of
686 * reads to sptes. If it does, kvm_mmu_commit_zap_page() can see us
687 * OUTSIDE_GUEST_MODE and proceed to free the shadow page table.
689 smp_store_release(&vcpu->mode, OUTSIDE_GUEST_MODE);
694 static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu, bool maybe_indirect)
698 /* 1 rmap, 1 parent PTE per level, and the prefetched rmaps. */
699 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache,
700 1 + PT64_ROOT_MAX_LEVEL + PTE_PREFETCH_NUM);
703 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_shadow_page_cache,
704 PT64_ROOT_MAX_LEVEL);
707 if (maybe_indirect) {
708 r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_gfn_array_cache,
709 PT64_ROOT_MAX_LEVEL);
713 return kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
714 PT64_ROOT_MAX_LEVEL);
717 static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
719 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache);
720 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_shadow_page_cache);
721 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_gfn_array_cache);
722 kvm_mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache);
725 static struct pte_list_desc *mmu_alloc_pte_list_desc(struct kvm_vcpu *vcpu)
727 return kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_pte_list_desc_cache);
730 static void mmu_free_pte_list_desc(struct pte_list_desc *pte_list_desc)
732 kmem_cache_free(pte_list_desc_cache, pte_list_desc);
735 static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index)
737 if (!sp->role.direct)
738 return sp->gfns[index];
740 return sp->gfn + (index << ((sp->role.level - 1) * PT64_LEVEL_BITS));
743 static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
745 if (!sp->role.direct) {
746 sp->gfns[index] = gfn;
750 if (WARN_ON(gfn != kvm_mmu_page_get_gfn(sp, index)))
751 pr_err_ratelimited("gfn mismatch under direct page %llx "
752 "(expected %llx, got %llx)\n",
754 kvm_mmu_page_get_gfn(sp, index), gfn);
758 * Return the pointer to the large page information for a given gfn,
759 * handling slots that are not large page aligned.
761 static struct kvm_lpage_info *lpage_info_slot(gfn_t gfn,
762 const struct kvm_memory_slot *slot, int level)
766 idx = gfn_to_index(gfn, slot->base_gfn, level);
767 return &slot->arch.lpage_info[level - 2][idx];
770 static void update_gfn_disallow_lpage_count(const struct kvm_memory_slot *slot,
771 gfn_t gfn, int count)
773 struct kvm_lpage_info *linfo;
776 for (i = PG_LEVEL_2M; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
777 linfo = lpage_info_slot(gfn, slot, i);
778 linfo->disallow_lpage += count;
779 WARN_ON(linfo->disallow_lpage < 0);
783 void kvm_mmu_gfn_disallow_lpage(const struct kvm_memory_slot *slot, gfn_t gfn)
785 update_gfn_disallow_lpage_count(slot, gfn, 1);
788 void kvm_mmu_gfn_allow_lpage(const struct kvm_memory_slot *slot, gfn_t gfn)
790 update_gfn_disallow_lpage_count(slot, gfn, -1);
793 static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
795 struct kvm_memslots *slots;
796 struct kvm_memory_slot *slot;
799 kvm->arch.indirect_shadow_pages++;
801 slots = kvm_memslots_for_spte_role(kvm, sp->role);
802 slot = __gfn_to_memslot(slots, gfn);
804 /* the non-leaf shadow pages are keeping readonly. */
805 if (sp->role.level > PG_LEVEL_4K)
806 return kvm_slot_page_track_add_page(kvm, slot, gfn,
807 KVM_PAGE_TRACK_WRITE);
809 kvm_mmu_gfn_disallow_lpage(slot, gfn);
812 void account_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
814 if (sp->lpage_disallowed)
817 ++kvm->stat.nx_lpage_splits;
818 list_add_tail(&sp->lpage_disallowed_link,
819 &kvm->arch.lpage_disallowed_mmu_pages);
820 sp->lpage_disallowed = true;
823 static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
825 struct kvm_memslots *slots;
826 struct kvm_memory_slot *slot;
829 kvm->arch.indirect_shadow_pages--;
831 slots = kvm_memslots_for_spte_role(kvm, sp->role);
832 slot = __gfn_to_memslot(slots, gfn);
833 if (sp->role.level > PG_LEVEL_4K)
834 return kvm_slot_page_track_remove_page(kvm, slot, gfn,
835 KVM_PAGE_TRACK_WRITE);
837 kvm_mmu_gfn_allow_lpage(slot, gfn);
840 void unaccount_huge_nx_page(struct kvm *kvm, struct kvm_mmu_page *sp)
842 --kvm->stat.nx_lpage_splits;
843 sp->lpage_disallowed = false;
844 list_del(&sp->lpage_disallowed_link);
847 static struct kvm_memory_slot *
848 gfn_to_memslot_dirty_bitmap(struct kvm_vcpu *vcpu, gfn_t gfn,
851 struct kvm_memory_slot *slot;
853 slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
854 if (!slot || slot->flags & KVM_MEMSLOT_INVALID)
856 if (no_dirty_log && kvm_slot_dirty_track_enabled(slot))
863 * About rmap_head encoding:
865 * If the bit zero of rmap_head->val is clear, then it points to the only spte
866 * in this rmap chain. Otherwise, (rmap_head->val & ~1) points to a struct
867 * pte_list_desc containing more mappings.
871 * Returns the number of pointers in the rmap chain, not counting the new one.
873 static int pte_list_add(struct kvm_vcpu *vcpu, u64 *spte,
874 struct kvm_rmap_head *rmap_head)
876 struct pte_list_desc *desc;
879 if (!rmap_head->val) {
880 rmap_printk("%p %llx 0->1\n", spte, *spte);
881 rmap_head->val = (unsigned long)spte;
882 } else if (!(rmap_head->val & 1)) {
883 rmap_printk("%p %llx 1->many\n", spte, *spte);
884 desc = mmu_alloc_pte_list_desc(vcpu);
885 desc->sptes[0] = (u64 *)rmap_head->val;
886 desc->sptes[1] = spte;
887 desc->spte_count = 2;
888 rmap_head->val = (unsigned long)desc | 1;
891 rmap_printk("%p %llx many->many\n", spte, *spte);
892 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
893 while (desc->spte_count == PTE_LIST_EXT) {
894 count += PTE_LIST_EXT;
896 desc->more = mmu_alloc_pte_list_desc(vcpu);
898 desc->spte_count = 0;
903 count += desc->spte_count;
904 desc->sptes[desc->spte_count++] = spte;
910 pte_list_desc_remove_entry(struct kvm_rmap_head *rmap_head,
911 struct pte_list_desc *desc, int i,
912 struct pte_list_desc *prev_desc)
914 int j = desc->spte_count - 1;
916 desc->sptes[i] = desc->sptes[j];
917 desc->sptes[j] = NULL;
919 if (desc->spte_count)
921 if (!prev_desc && !desc->more)
925 prev_desc->more = desc->more;
927 rmap_head->val = (unsigned long)desc->more | 1;
928 mmu_free_pte_list_desc(desc);
931 static void __pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head)
933 struct pte_list_desc *desc;
934 struct pte_list_desc *prev_desc;
937 if (!rmap_head->val) {
938 pr_err("%s: %p 0->BUG\n", __func__, spte);
940 } else if (!(rmap_head->val & 1)) {
941 rmap_printk("%p 1->0\n", spte);
942 if ((u64 *)rmap_head->val != spte) {
943 pr_err("%s: %p 1->BUG\n", __func__, spte);
948 rmap_printk("%p many->many\n", spte);
949 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
952 for (i = 0; i < desc->spte_count; ++i) {
953 if (desc->sptes[i] == spte) {
954 pte_list_desc_remove_entry(rmap_head,
962 pr_err("%s: %p many->many\n", __func__, spte);
967 static void pte_list_remove(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
970 mmu_spte_clear_track_bits(kvm, sptep);
971 __pte_list_remove(sptep, rmap_head);
974 /* Return true if rmap existed, false otherwise */
975 static bool pte_list_destroy(struct kvm *kvm, struct kvm_rmap_head *rmap_head)
977 struct pte_list_desc *desc, *next;
983 if (!(rmap_head->val & 1)) {
984 mmu_spte_clear_track_bits(kvm, (u64 *)rmap_head->val);
988 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
990 for (; desc; desc = next) {
991 for (i = 0; i < desc->spte_count; i++)
992 mmu_spte_clear_track_bits(kvm, desc->sptes[i]);
994 mmu_free_pte_list_desc(desc);
997 /* rmap_head is meaningless now, remember to reset it */
1002 unsigned int pte_list_count(struct kvm_rmap_head *rmap_head)
1004 struct pte_list_desc *desc;
1005 unsigned int count = 0;
1007 if (!rmap_head->val)
1009 else if (!(rmap_head->val & 1))
1012 desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
1015 count += desc->spte_count;
1022 static struct kvm_rmap_head *gfn_to_rmap(gfn_t gfn, int level,
1023 const struct kvm_memory_slot *slot)
1027 idx = gfn_to_index(gfn, slot->base_gfn, level);
1028 return &slot->arch.rmap[level - PG_LEVEL_4K][idx];
1031 static bool rmap_can_add(struct kvm_vcpu *vcpu)
1033 struct kvm_mmu_memory_cache *mc;
1035 mc = &vcpu->arch.mmu_pte_list_desc_cache;
1036 return kvm_mmu_memory_cache_nr_free_objects(mc);
1039 static void rmap_remove(struct kvm *kvm, u64 *spte)
1041 struct kvm_memslots *slots;
1042 struct kvm_memory_slot *slot;
1043 struct kvm_mmu_page *sp;
1045 struct kvm_rmap_head *rmap_head;
1047 sp = sptep_to_sp(spte);
1048 gfn = kvm_mmu_page_get_gfn(sp, spte - sp->spt);
1051 * Unlike rmap_add, rmap_remove does not run in the context of a vCPU
1052 * so we have to determine which memslots to use based on context
1053 * information in sp->role.
1055 slots = kvm_memslots_for_spte_role(kvm, sp->role);
1057 slot = __gfn_to_memslot(slots, gfn);
1058 rmap_head = gfn_to_rmap(gfn, sp->role.level, slot);
1060 __pte_list_remove(spte, rmap_head);
1064 * Used by the following functions to iterate through the sptes linked by a
1065 * rmap. All fields are private and not assumed to be used outside.
1067 struct rmap_iterator {
1068 /* private fields */
1069 struct pte_list_desc *desc; /* holds the sptep if not NULL */
1070 int pos; /* index of the sptep */
1074 * Iteration must be started by this function. This should also be used after
1075 * removing/dropping sptes from the rmap link because in such cases the
1076 * information in the iterator may not be valid.
1078 * Returns sptep if found, NULL otherwise.
1080 static u64 *rmap_get_first(struct kvm_rmap_head *rmap_head,
1081 struct rmap_iterator *iter)
1085 if (!rmap_head->val)
1088 if (!(rmap_head->val & 1)) {
1090 sptep = (u64 *)rmap_head->val;
1094 iter->desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
1096 sptep = iter->desc->sptes[iter->pos];
1098 BUG_ON(!is_shadow_present_pte(*sptep));
1103 * Must be used with a valid iterator: e.g. after rmap_get_first().
1105 * Returns sptep if found, NULL otherwise.
1107 static u64 *rmap_get_next(struct rmap_iterator *iter)
1112 if (iter->pos < PTE_LIST_EXT - 1) {
1114 sptep = iter->desc->sptes[iter->pos];
1119 iter->desc = iter->desc->more;
1123 /* desc->sptes[0] cannot be NULL */
1124 sptep = iter->desc->sptes[iter->pos];
1131 BUG_ON(!is_shadow_present_pte(*sptep));
1135 #define for_each_rmap_spte(_rmap_head_, _iter_, _spte_) \
1136 for (_spte_ = rmap_get_first(_rmap_head_, _iter_); \
1137 _spte_; _spte_ = rmap_get_next(_iter_))
1139 static void drop_spte(struct kvm *kvm, u64 *sptep)
1141 u64 old_spte = mmu_spte_clear_track_bits(kvm, sptep);
1143 if (is_shadow_present_pte(old_spte))
1144 rmap_remove(kvm, sptep);
1148 static bool __drop_large_spte(struct kvm *kvm, u64 *sptep)
1150 if (is_large_pte(*sptep)) {
1151 WARN_ON(sptep_to_sp(sptep)->role.level == PG_LEVEL_4K);
1152 drop_spte(kvm, sptep);
1159 static void drop_large_spte(struct kvm_vcpu *vcpu, u64 *sptep)
1161 if (__drop_large_spte(vcpu->kvm, sptep)) {
1162 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
1164 kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
1165 KVM_PAGES_PER_HPAGE(sp->role.level));
1170 * Write-protect on the specified @sptep, @pt_protect indicates whether
1171 * spte write-protection is caused by protecting shadow page table.
1173 * Note: write protection is difference between dirty logging and spte
1175 * - for dirty logging, the spte can be set to writable at anytime if
1176 * its dirty bitmap is properly set.
1177 * - for spte protection, the spte can be writable only after unsync-ing
1180 * Return true if tlb need be flushed.
1182 static bool spte_write_protect(u64 *sptep, bool pt_protect)
1186 if (!is_writable_pte(spte) &&
1187 !(pt_protect && spte_can_locklessly_be_made_writable(spte)))
1190 rmap_printk("spte %p %llx\n", sptep, *sptep);
1193 spte &= ~shadow_mmu_writable_mask;
1194 spte = spte & ~PT_WRITABLE_MASK;
1196 return mmu_spte_update(sptep, spte);
1199 static bool rmap_write_protect(struct kvm_rmap_head *rmap_head,
1203 struct rmap_iterator iter;
1206 for_each_rmap_spte(rmap_head, &iter, sptep)
1207 flush |= spte_write_protect(sptep, pt_protect);
1212 static bool spte_clear_dirty(u64 *sptep)
1216 rmap_printk("spte %p %llx\n", sptep, *sptep);
1218 MMU_WARN_ON(!spte_ad_enabled(spte));
1219 spte &= ~shadow_dirty_mask;
1220 return mmu_spte_update(sptep, spte);
1223 static bool spte_wrprot_for_clear_dirty(u64 *sptep)
1225 bool was_writable = test_and_clear_bit(PT_WRITABLE_SHIFT,
1226 (unsigned long *)sptep);
1227 if (was_writable && !spte_ad_enabled(*sptep))
1228 kvm_set_pfn_dirty(spte_to_pfn(*sptep));
1230 return was_writable;
1234 * Gets the GFN ready for another round of dirty logging by clearing the
1235 * - D bit on ad-enabled SPTEs, and
1236 * - W bit on ad-disabled SPTEs.
1237 * Returns true iff any D or W bits were cleared.
1239 static bool __rmap_clear_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1240 const struct kvm_memory_slot *slot)
1243 struct rmap_iterator iter;
1246 for_each_rmap_spte(rmap_head, &iter, sptep)
1247 if (spte_ad_need_write_protect(*sptep))
1248 flush |= spte_wrprot_for_clear_dirty(sptep);
1250 flush |= spte_clear_dirty(sptep);
1256 * kvm_mmu_write_protect_pt_masked - write protect selected PT level pages
1257 * @kvm: kvm instance
1258 * @slot: slot to protect
1259 * @gfn_offset: start of the BITS_PER_LONG pages we care about
1260 * @mask: indicates which pages we should protect
1262 * Used when we do not need to care about huge page mappings.
1264 static void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
1265 struct kvm_memory_slot *slot,
1266 gfn_t gfn_offset, unsigned long mask)
1268 struct kvm_rmap_head *rmap_head;
1270 if (is_tdp_mmu_enabled(kvm))
1271 kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1272 slot->base_gfn + gfn_offset, mask, true);
1274 if (!kvm_memslots_have_rmaps(kvm))
1278 rmap_head = gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1280 rmap_write_protect(rmap_head, false);
1282 /* clear the first set bit */
1288 * kvm_mmu_clear_dirty_pt_masked - clear MMU D-bit for PT level pages, or write
1289 * protect the page if the D-bit isn't supported.
1290 * @kvm: kvm instance
1291 * @slot: slot to clear D-bit
1292 * @gfn_offset: start of the BITS_PER_LONG pages we care about
1293 * @mask: indicates which pages we should clear D-bit
1295 * Used for PML to re-log the dirty GPAs after userspace querying dirty_bitmap.
1297 static void kvm_mmu_clear_dirty_pt_masked(struct kvm *kvm,
1298 struct kvm_memory_slot *slot,
1299 gfn_t gfn_offset, unsigned long mask)
1301 struct kvm_rmap_head *rmap_head;
1303 if (is_tdp_mmu_enabled(kvm))
1304 kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1305 slot->base_gfn + gfn_offset, mask, false);
1307 if (!kvm_memslots_have_rmaps(kvm))
1311 rmap_head = gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1313 __rmap_clear_dirty(kvm, rmap_head, slot);
1315 /* clear the first set bit */
1321 * kvm_arch_mmu_enable_log_dirty_pt_masked - enable dirty logging for selected
1324 * It calls kvm_mmu_write_protect_pt_masked to write protect selected pages to
1325 * enable dirty logging for them.
1327 * We need to care about huge page mappings: e.g. during dirty logging we may
1328 * have such mappings.
1330 void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
1331 struct kvm_memory_slot *slot,
1332 gfn_t gfn_offset, unsigned long mask)
1335 * Huge pages are NOT write protected when we start dirty logging in
1336 * initially-all-set mode; must write protect them here so that they
1337 * are split to 4K on the first write.
1339 * The gfn_offset is guaranteed to be aligned to 64, but the base_gfn
1340 * of memslot has no such restriction, so the range can cross two large
1343 if (kvm_dirty_log_manual_protect_and_init_set(kvm)) {
1344 gfn_t start = slot->base_gfn + gfn_offset + __ffs(mask);
1345 gfn_t end = slot->base_gfn + gfn_offset + __fls(mask);
1347 if (READ_ONCE(eager_page_split))
1348 kvm_mmu_try_split_huge_pages(kvm, slot, start, end, PG_LEVEL_4K);
1350 kvm_mmu_slot_gfn_write_protect(kvm, slot, start, PG_LEVEL_2M);
1352 /* Cross two large pages? */
1353 if (ALIGN(start << PAGE_SHIFT, PMD_SIZE) !=
1354 ALIGN(end << PAGE_SHIFT, PMD_SIZE))
1355 kvm_mmu_slot_gfn_write_protect(kvm, slot, end,
1359 /* Now handle 4K PTEs. */
1360 if (kvm_x86_ops.cpu_dirty_log_size)
1361 kvm_mmu_clear_dirty_pt_masked(kvm, slot, gfn_offset, mask);
1363 kvm_mmu_write_protect_pt_masked(kvm, slot, gfn_offset, mask);
1366 int kvm_cpu_dirty_log_size(void)
1368 return kvm_x86_ops.cpu_dirty_log_size;
1371 bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
1372 struct kvm_memory_slot *slot, u64 gfn,
1375 struct kvm_rmap_head *rmap_head;
1377 bool write_protected = false;
1379 if (kvm_memslots_have_rmaps(kvm)) {
1380 for (i = min_level; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
1381 rmap_head = gfn_to_rmap(gfn, i, slot);
1382 write_protected |= rmap_write_protect(rmap_head, true);
1386 if (is_tdp_mmu_enabled(kvm))
1388 kvm_tdp_mmu_write_protect_gfn(kvm, slot, gfn, min_level);
1390 return write_protected;
1393 static bool kvm_vcpu_write_protect_gfn(struct kvm_vcpu *vcpu, u64 gfn)
1395 struct kvm_memory_slot *slot;
1397 slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
1398 return kvm_mmu_slot_gfn_write_protect(vcpu->kvm, slot, gfn, PG_LEVEL_4K);
1401 static bool kvm_zap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1402 const struct kvm_memory_slot *slot)
1404 return pte_list_destroy(kvm, rmap_head);
1407 static bool kvm_unmap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1408 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1411 return kvm_zap_rmapp(kvm, rmap_head, slot);
1414 static bool kvm_set_pte_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1415 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1419 struct rmap_iterator iter;
1420 bool need_flush = false;
1424 WARN_ON(pte_huge(pte));
1425 new_pfn = pte_pfn(pte);
1428 for_each_rmap_spte(rmap_head, &iter, sptep) {
1429 rmap_printk("spte %p %llx gfn %llx (%d)\n",
1430 sptep, *sptep, gfn, level);
1434 if (pte_write(pte)) {
1435 pte_list_remove(kvm, rmap_head, sptep);
1438 new_spte = kvm_mmu_changed_pte_notifier_make_spte(
1441 mmu_spte_clear_track_bits(kvm, sptep);
1442 mmu_spte_set(sptep, new_spte);
1446 if (need_flush && kvm_available_flush_tlb_with_range()) {
1447 kvm_flush_remote_tlbs_with_address(kvm, gfn, 1);
1454 struct slot_rmap_walk_iterator {
1456 const struct kvm_memory_slot *slot;
1462 /* output fields. */
1464 struct kvm_rmap_head *rmap;
1467 /* private field. */
1468 struct kvm_rmap_head *end_rmap;
1472 rmap_walk_init_level(struct slot_rmap_walk_iterator *iterator, int level)
1474 iterator->level = level;
1475 iterator->gfn = iterator->start_gfn;
1476 iterator->rmap = gfn_to_rmap(iterator->gfn, level, iterator->slot);
1477 iterator->end_rmap = gfn_to_rmap(iterator->end_gfn, level, iterator->slot);
1481 slot_rmap_walk_init(struct slot_rmap_walk_iterator *iterator,
1482 const struct kvm_memory_slot *slot, int start_level,
1483 int end_level, gfn_t start_gfn, gfn_t end_gfn)
1485 iterator->slot = slot;
1486 iterator->start_level = start_level;
1487 iterator->end_level = end_level;
1488 iterator->start_gfn = start_gfn;
1489 iterator->end_gfn = end_gfn;
1491 rmap_walk_init_level(iterator, iterator->start_level);
1494 static bool slot_rmap_walk_okay(struct slot_rmap_walk_iterator *iterator)
1496 return !!iterator->rmap;
1499 static void slot_rmap_walk_next(struct slot_rmap_walk_iterator *iterator)
1501 if (++iterator->rmap <= iterator->end_rmap) {
1502 iterator->gfn += (1UL << KVM_HPAGE_GFN_SHIFT(iterator->level));
1506 if (++iterator->level > iterator->end_level) {
1507 iterator->rmap = NULL;
1511 rmap_walk_init_level(iterator, iterator->level);
1514 #define for_each_slot_rmap_range(_slot_, _start_level_, _end_level_, \
1515 _start_gfn, _end_gfn, _iter_) \
1516 for (slot_rmap_walk_init(_iter_, _slot_, _start_level_, \
1517 _end_level_, _start_gfn, _end_gfn); \
1518 slot_rmap_walk_okay(_iter_); \
1519 slot_rmap_walk_next(_iter_))
1521 typedef bool (*rmap_handler_t)(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1522 struct kvm_memory_slot *slot, gfn_t gfn,
1523 int level, pte_t pte);
1525 static __always_inline bool kvm_handle_gfn_range(struct kvm *kvm,
1526 struct kvm_gfn_range *range,
1527 rmap_handler_t handler)
1529 struct slot_rmap_walk_iterator iterator;
1532 for_each_slot_rmap_range(range->slot, PG_LEVEL_4K, KVM_MAX_HUGEPAGE_LEVEL,
1533 range->start, range->end - 1, &iterator)
1534 ret |= handler(kvm, iterator.rmap, range->slot, iterator.gfn,
1535 iterator.level, range->pte);
1540 bool kvm_unmap_gfn_range(struct kvm *kvm, struct kvm_gfn_range *range)
1544 if (kvm_memslots_have_rmaps(kvm))
1545 flush = kvm_handle_gfn_range(kvm, range, kvm_unmap_rmapp);
1547 if (is_tdp_mmu_enabled(kvm))
1548 flush = kvm_tdp_mmu_unmap_gfn_range(kvm, range, flush);
1553 bool kvm_set_spte_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
1557 if (kvm_memslots_have_rmaps(kvm))
1558 flush = kvm_handle_gfn_range(kvm, range, kvm_set_pte_rmapp);
1560 if (is_tdp_mmu_enabled(kvm))
1561 flush |= kvm_tdp_mmu_set_spte_gfn(kvm, range);
1566 static bool kvm_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1567 struct kvm_memory_slot *slot, gfn_t gfn, int level,
1571 struct rmap_iterator iter;
1574 for_each_rmap_spte(rmap_head, &iter, sptep)
1575 young |= mmu_spte_age(sptep);
1580 static bool kvm_test_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1581 struct kvm_memory_slot *slot, gfn_t gfn,
1582 int level, pte_t unused)
1585 struct rmap_iterator iter;
1587 for_each_rmap_spte(rmap_head, &iter, sptep)
1588 if (is_accessed_spte(*sptep))
1593 #define RMAP_RECYCLE_THRESHOLD 1000
1595 static void rmap_add(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
1596 u64 *spte, gfn_t gfn)
1598 struct kvm_mmu_page *sp;
1599 struct kvm_rmap_head *rmap_head;
1602 sp = sptep_to_sp(spte);
1603 kvm_mmu_page_set_gfn(sp, spte - sp->spt, gfn);
1604 rmap_head = gfn_to_rmap(gfn, sp->role.level, slot);
1605 rmap_count = pte_list_add(vcpu, spte, rmap_head);
1607 if (rmap_count > RMAP_RECYCLE_THRESHOLD) {
1608 kvm_unmap_rmapp(vcpu->kvm, rmap_head, NULL, gfn, sp->role.level, __pte(0));
1609 kvm_flush_remote_tlbs_with_address(
1610 vcpu->kvm, sp->gfn, KVM_PAGES_PER_HPAGE(sp->role.level));
1614 bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
1618 if (kvm_memslots_have_rmaps(kvm))
1619 young = kvm_handle_gfn_range(kvm, range, kvm_age_rmapp);
1621 if (is_tdp_mmu_enabled(kvm))
1622 young |= kvm_tdp_mmu_age_gfn_range(kvm, range);
1627 bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
1631 if (kvm_memslots_have_rmaps(kvm))
1632 young = kvm_handle_gfn_range(kvm, range, kvm_test_age_rmapp);
1634 if (is_tdp_mmu_enabled(kvm))
1635 young |= kvm_tdp_mmu_test_age_gfn(kvm, range);
1641 static int is_empty_shadow_page(u64 *spt)
1646 for (pos = spt, end = pos + PAGE_SIZE / sizeof(u64); pos != end; pos++)
1647 if (is_shadow_present_pte(*pos)) {
1648 printk(KERN_ERR "%s: %p %llx\n", __func__,
1657 * This value is the sum of all of the kvm instances's
1658 * kvm->arch.n_used_mmu_pages values. We need a global,
1659 * aggregate version in order to make the slab shrinker
1662 static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
1664 kvm->arch.n_used_mmu_pages += nr;
1665 percpu_counter_add(&kvm_total_used_mmu_pages, nr);
1668 static void kvm_mmu_free_page(struct kvm_mmu_page *sp)
1670 MMU_WARN_ON(!is_empty_shadow_page(sp->spt));
1671 hlist_del(&sp->hash_link);
1672 list_del(&sp->link);
1673 free_page((unsigned long)sp->spt);
1674 if (!sp->role.direct)
1675 free_page((unsigned long)sp->gfns);
1676 kmem_cache_free(mmu_page_header_cache, sp);
1679 static unsigned kvm_page_table_hashfn(gfn_t gfn)
1681 return hash_64(gfn, KVM_MMU_HASH_SHIFT);
1684 static void mmu_page_add_parent_pte(struct kvm_vcpu *vcpu,
1685 struct kvm_mmu_page *sp, u64 *parent_pte)
1690 pte_list_add(vcpu, parent_pte, &sp->parent_ptes);
1693 static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp,
1696 __pte_list_remove(parent_pte, &sp->parent_ptes);
1699 static void drop_parent_pte(struct kvm_mmu_page *sp,
1702 mmu_page_remove_parent_pte(sp, parent_pte);
1703 mmu_spte_clear_no_track(parent_pte);
1706 static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu, int direct)
1708 struct kvm_mmu_page *sp;
1710 sp = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);
1711 sp->spt = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_shadow_page_cache);
1713 sp->gfns = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_gfn_array_cache);
1714 set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
1717 * active_mmu_pages must be a FIFO list, as kvm_zap_obsolete_pages()
1718 * depends on valid pages being added to the head of the list. See
1719 * comments in kvm_zap_obsolete_pages().
1721 sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen;
1722 list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
1723 kvm_mod_used_mmu_pages(vcpu->kvm, +1);
1727 static void mark_unsync(u64 *spte);
1728 static void kvm_mmu_mark_parents_unsync(struct kvm_mmu_page *sp)
1731 struct rmap_iterator iter;
1733 for_each_rmap_spte(&sp->parent_ptes, &iter, sptep) {
1738 static void mark_unsync(u64 *spte)
1740 struct kvm_mmu_page *sp;
1743 sp = sptep_to_sp(spte);
1744 index = spte - sp->spt;
1745 if (__test_and_set_bit(index, sp->unsync_child_bitmap))
1747 if (sp->unsync_children++)
1749 kvm_mmu_mark_parents_unsync(sp);
1752 static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
1753 struct kvm_mmu_page *sp)
1758 #define KVM_PAGE_ARRAY_NR 16
1760 struct kvm_mmu_pages {
1761 struct mmu_page_and_offset {
1762 struct kvm_mmu_page *sp;
1764 } page[KVM_PAGE_ARRAY_NR];
1768 static int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
1774 for (i=0; i < pvec->nr; i++)
1775 if (pvec->page[i].sp == sp)
1778 pvec->page[pvec->nr].sp = sp;
1779 pvec->page[pvec->nr].idx = idx;
1781 return (pvec->nr == KVM_PAGE_ARRAY_NR);
1784 static inline void clear_unsync_child_bit(struct kvm_mmu_page *sp, int idx)
1786 --sp->unsync_children;
1787 WARN_ON((int)sp->unsync_children < 0);
1788 __clear_bit(idx, sp->unsync_child_bitmap);
1791 static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
1792 struct kvm_mmu_pages *pvec)
1794 int i, ret, nr_unsync_leaf = 0;
1796 for_each_set_bit(i, sp->unsync_child_bitmap, 512) {
1797 struct kvm_mmu_page *child;
1798 u64 ent = sp->spt[i];
1800 if (!is_shadow_present_pte(ent) || is_large_pte(ent)) {
1801 clear_unsync_child_bit(sp, i);
1805 child = to_shadow_page(ent & PT64_BASE_ADDR_MASK);
1807 if (child->unsync_children) {
1808 if (mmu_pages_add(pvec, child, i))
1811 ret = __mmu_unsync_walk(child, pvec);
1813 clear_unsync_child_bit(sp, i);
1815 } else if (ret > 0) {
1816 nr_unsync_leaf += ret;
1819 } else if (child->unsync) {
1821 if (mmu_pages_add(pvec, child, i))
1824 clear_unsync_child_bit(sp, i);
1827 return nr_unsync_leaf;
1830 #define INVALID_INDEX (-1)
1832 static int mmu_unsync_walk(struct kvm_mmu_page *sp,
1833 struct kvm_mmu_pages *pvec)
1836 if (!sp->unsync_children)
1839 mmu_pages_add(pvec, sp, INVALID_INDEX);
1840 return __mmu_unsync_walk(sp, pvec);
1843 static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1845 WARN_ON(!sp->unsync);
1846 trace_kvm_mmu_sync_page(sp);
1848 --kvm->stat.mmu_unsync;
1851 static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
1852 struct list_head *invalid_list);
1853 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
1854 struct list_head *invalid_list);
1856 #define for_each_valid_sp(_kvm, _sp, _list) \
1857 hlist_for_each_entry(_sp, _list, hash_link) \
1858 if (is_obsolete_sp((_kvm), (_sp))) { \
1861 #define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn) \
1862 for_each_valid_sp(_kvm, _sp, \
1863 &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)]) \
1864 if ((_sp)->gfn != (_gfn) || (_sp)->role.direct) {} else
1866 static int kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
1867 struct list_head *invalid_list)
1869 int ret = vcpu->arch.mmu->sync_page(vcpu, sp);
1872 kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list);
1876 static bool kvm_mmu_remote_flush_or_zap(struct kvm *kvm,
1877 struct list_head *invalid_list,
1880 if (!remote_flush && list_empty(invalid_list))
1883 if (!list_empty(invalid_list))
1884 kvm_mmu_commit_zap_page(kvm, invalid_list);
1886 kvm_flush_remote_tlbs(kvm);
1890 static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
1892 if (sp->role.invalid)
1895 /* TDP MMU pages due not use the MMU generation. */
1896 return !sp->tdp_mmu_page &&
1897 unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen);
1900 struct mmu_page_path {
1901 struct kvm_mmu_page *parent[PT64_ROOT_MAX_LEVEL];
1902 unsigned int idx[PT64_ROOT_MAX_LEVEL];
1905 #define for_each_sp(pvec, sp, parents, i) \
1906 for (i = mmu_pages_first(&pvec, &parents); \
1907 i < pvec.nr && ({ sp = pvec.page[i].sp; 1;}); \
1908 i = mmu_pages_next(&pvec, &parents, i))
1910 static int mmu_pages_next(struct kvm_mmu_pages *pvec,
1911 struct mmu_page_path *parents,
1916 for (n = i+1; n < pvec->nr; n++) {
1917 struct kvm_mmu_page *sp = pvec->page[n].sp;
1918 unsigned idx = pvec->page[n].idx;
1919 int level = sp->role.level;
1921 parents->idx[level-1] = idx;
1922 if (level == PG_LEVEL_4K)
1925 parents->parent[level-2] = sp;
1931 static int mmu_pages_first(struct kvm_mmu_pages *pvec,
1932 struct mmu_page_path *parents)
1934 struct kvm_mmu_page *sp;
1940 WARN_ON(pvec->page[0].idx != INVALID_INDEX);
1942 sp = pvec->page[0].sp;
1943 level = sp->role.level;
1944 WARN_ON(level == PG_LEVEL_4K);
1946 parents->parent[level-2] = sp;
1948 /* Also set up a sentinel. Further entries in pvec are all
1949 * children of sp, so this element is never overwritten.
1951 parents->parent[level-1] = NULL;
1952 return mmu_pages_next(pvec, parents, 0);
1955 static void mmu_pages_clear_parents(struct mmu_page_path *parents)
1957 struct kvm_mmu_page *sp;
1958 unsigned int level = 0;
1961 unsigned int idx = parents->idx[level];
1962 sp = parents->parent[level];
1966 WARN_ON(idx == INVALID_INDEX);
1967 clear_unsync_child_bit(sp, idx);
1969 } while (!sp->unsync_children);
1972 static int mmu_sync_children(struct kvm_vcpu *vcpu,
1973 struct kvm_mmu_page *parent, bool can_yield)
1976 struct kvm_mmu_page *sp;
1977 struct mmu_page_path parents;
1978 struct kvm_mmu_pages pages;
1979 LIST_HEAD(invalid_list);
1982 while (mmu_unsync_walk(parent, &pages)) {
1983 bool protected = false;
1985 for_each_sp(pages, sp, parents, i)
1986 protected |= kvm_vcpu_write_protect_gfn(vcpu, sp->gfn);
1989 kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, true);
1993 for_each_sp(pages, sp, parents, i) {
1994 kvm_unlink_unsync_page(vcpu->kvm, sp);
1995 flush |= kvm_sync_page(vcpu, sp, &invalid_list) > 0;
1996 mmu_pages_clear_parents(&parents);
1998 if (need_resched() || rwlock_needbreak(&vcpu->kvm->mmu_lock)) {
1999 kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
2001 kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
2005 cond_resched_rwlock_write(&vcpu->kvm->mmu_lock);
2010 kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
2014 static void __clear_sp_write_flooding_count(struct kvm_mmu_page *sp)
2016 atomic_set(&sp->write_flooding_count, 0);
2019 static void clear_sp_write_flooding_count(u64 *spte)
2021 __clear_sp_write_flooding_count(sptep_to_sp(spte));
2024 static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
2029 unsigned int access)
2031 bool direct_mmu = vcpu->arch.mmu->direct_map;
2032 union kvm_mmu_page_role role;
2033 struct hlist_head *sp_list;
2035 struct kvm_mmu_page *sp;
2038 LIST_HEAD(invalid_list);
2040 role = vcpu->arch.mmu->root_role;
2042 role.direct = direct;
2043 role.access = access;
2044 if (role.has_4_byte_gpte) {
2045 quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
2046 quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
2047 role.quadrant = quadrant;
2050 sp_list = &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
2051 for_each_valid_sp(vcpu->kvm, sp, sp_list) {
2052 if (sp->gfn != gfn) {
2057 if (sp->role.word != role.word) {
2059 * If the guest is creating an upper-level page, zap
2060 * unsync pages for the same gfn. While it's possible
2061 * the guest is using recursive page tables, in all
2062 * likelihood the guest has stopped using the unsync
2063 * page and is installing a completely unrelated page.
2064 * Unsync pages must not be left as is, because the new
2065 * upper-level page will be write-protected.
2067 if (level > PG_LEVEL_4K && sp->unsync)
2068 kvm_mmu_prepare_zap_page(vcpu->kvm, sp,
2074 goto trace_get_page;
2078 * The page is good, but is stale. kvm_sync_page does
2079 * get the latest guest state, but (unlike mmu_unsync_children)
2080 * it doesn't write-protect the page or mark it synchronized!
2081 * This way the validity of the mapping is ensured, but the
2082 * overhead of write protection is not incurred until the
2083 * guest invalidates the TLB mapping. This allows multiple
2084 * SPs for a single gfn to be unsync.
2086 * If the sync fails, the page is zapped. If so, break
2087 * in order to rebuild it.
2089 ret = kvm_sync_page(vcpu, sp, &invalid_list);
2093 WARN_ON(!list_empty(&invalid_list));
2095 kvm_flush_remote_tlbs(vcpu->kvm);
2098 __clear_sp_write_flooding_count(sp);
2101 trace_kvm_mmu_get_page(sp, false);
2105 ++vcpu->kvm->stat.mmu_cache_miss;
2107 sp = kvm_mmu_alloc_page(vcpu, direct);
2111 hlist_add_head(&sp->hash_link, sp_list);
2113 account_shadowed(vcpu->kvm, sp);
2114 if (level == PG_LEVEL_4K && kvm_vcpu_write_protect_gfn(vcpu, gfn))
2115 kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn, 1);
2117 trace_kvm_mmu_get_page(sp, true);
2119 kvm_mmu_commit_zap_page(vcpu->kvm, &invalid_list);
2121 if (collisions > vcpu->kvm->stat.max_mmu_page_hash_collisions)
2122 vcpu->kvm->stat.max_mmu_page_hash_collisions = collisions;
2126 static void shadow_walk_init_using_root(struct kvm_shadow_walk_iterator *iterator,
2127 struct kvm_vcpu *vcpu, hpa_t root,
2130 iterator->addr = addr;
2131 iterator->shadow_addr = root;
2132 iterator->level = vcpu->arch.mmu->root_role.level;
2134 if (iterator->level >= PT64_ROOT_4LEVEL &&
2135 vcpu->arch.mmu->cpu_role.base.level < PT64_ROOT_4LEVEL &&
2136 !vcpu->arch.mmu->direct_map)
2137 iterator->level = PT32E_ROOT_LEVEL;
2139 if (iterator->level == PT32E_ROOT_LEVEL) {
2141 * prev_root is currently only used for 64-bit hosts. So only
2142 * the active root_hpa is valid here.
2144 BUG_ON(root != vcpu->arch.mmu->root.hpa);
2146 iterator->shadow_addr
2147 = vcpu->arch.mmu->pae_root[(addr >> 30) & 3];
2148 iterator->shadow_addr &= PT64_BASE_ADDR_MASK;
2150 if (!iterator->shadow_addr)
2151 iterator->level = 0;
2155 static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
2156 struct kvm_vcpu *vcpu, u64 addr)
2158 shadow_walk_init_using_root(iterator, vcpu, vcpu->arch.mmu->root.hpa,
2162 static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
2164 if (iterator->level < PG_LEVEL_4K)
2167 iterator->index = SHADOW_PT_INDEX(iterator->addr, iterator->level);
2168 iterator->sptep = ((u64 *)__va(iterator->shadow_addr)) + iterator->index;
2172 static void __shadow_walk_next(struct kvm_shadow_walk_iterator *iterator,
2175 if (!is_shadow_present_pte(spte) || is_last_spte(spte, iterator->level)) {
2176 iterator->level = 0;
2180 iterator->shadow_addr = spte & PT64_BASE_ADDR_MASK;
2184 static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
2186 __shadow_walk_next(iterator, *iterator->sptep);
2189 static void link_shadow_page(struct kvm_vcpu *vcpu, u64 *sptep,
2190 struct kvm_mmu_page *sp)
2194 BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
2196 spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
2198 mmu_spte_set(sptep, spte);
2200 mmu_page_add_parent_pte(vcpu, sp, sptep);
2202 if (sp->unsync_children || sp->unsync)
2206 static void validate_direct_spte(struct kvm_vcpu *vcpu, u64 *sptep,
2207 unsigned direct_access)
2209 if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep)) {
2210 struct kvm_mmu_page *child;
2213 * For the direct sp, if the guest pte's dirty bit
2214 * changed form clean to dirty, it will corrupt the
2215 * sp's access: allow writable in the read-only sp,
2216 * so we should update the spte at this point to get
2217 * a new sp with the correct access.
2219 child = to_shadow_page(*sptep & PT64_BASE_ADDR_MASK);
2220 if (child->role.access == direct_access)
2223 drop_parent_pte(child, sptep);
2224 kvm_flush_remote_tlbs_with_address(vcpu->kvm, child->gfn, 1);
2228 /* Returns the number of zapped non-leaf child shadow pages. */
2229 static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
2230 u64 *spte, struct list_head *invalid_list)
2233 struct kvm_mmu_page *child;
2236 if (is_shadow_present_pte(pte)) {
2237 if (is_last_spte(pte, sp->role.level)) {
2238 drop_spte(kvm, spte);
2240 child = to_shadow_page(pte & PT64_BASE_ADDR_MASK);
2241 drop_parent_pte(child, spte);
2244 * Recursively zap nested TDP SPs, parentless SPs are
2245 * unlikely to be used again in the near future. This
2246 * avoids retaining a large number of stale nested SPs.
2248 if (tdp_enabled && invalid_list &&
2249 child->role.guest_mode && !child->parent_ptes.val)
2250 return kvm_mmu_prepare_zap_page(kvm, child,
2253 } else if (is_mmio_spte(pte)) {
2254 mmu_spte_clear_no_track(spte);
2259 static int kvm_mmu_page_unlink_children(struct kvm *kvm,
2260 struct kvm_mmu_page *sp,
2261 struct list_head *invalid_list)
2266 for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
2267 zapped += mmu_page_zap_pte(kvm, sp, sp->spt + i, invalid_list);
2272 static void kvm_mmu_unlink_parents(struct kvm_mmu_page *sp)
2275 struct rmap_iterator iter;
2277 while ((sptep = rmap_get_first(&sp->parent_ptes, &iter)))
2278 drop_parent_pte(sp, sptep);
2281 static int mmu_zap_unsync_children(struct kvm *kvm,
2282 struct kvm_mmu_page *parent,
2283 struct list_head *invalid_list)
2286 struct mmu_page_path parents;
2287 struct kvm_mmu_pages pages;
2289 if (parent->role.level == PG_LEVEL_4K)
2292 while (mmu_unsync_walk(parent, &pages)) {
2293 struct kvm_mmu_page *sp;
2295 for_each_sp(pages, sp, parents, i) {
2296 kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
2297 mmu_pages_clear_parents(&parents);
2305 static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
2306 struct kvm_mmu_page *sp,
2307 struct list_head *invalid_list,
2310 bool list_unstable, zapped_root = false;
2312 trace_kvm_mmu_prepare_zap_page(sp);
2313 ++kvm->stat.mmu_shadow_zapped;
2314 *nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
2315 *nr_zapped += kvm_mmu_page_unlink_children(kvm, sp, invalid_list);
2316 kvm_mmu_unlink_parents(sp);
2318 /* Zapping children means active_mmu_pages has become unstable. */
2319 list_unstable = *nr_zapped;
2321 if (!sp->role.invalid && !sp->role.direct)
2322 unaccount_shadowed(kvm, sp);
2325 kvm_unlink_unsync_page(kvm, sp);
2326 if (!sp->root_count) {
2331 * Already invalid pages (previously active roots) are not on
2332 * the active page list. See list_del() in the "else" case of
2335 if (sp->role.invalid)
2336 list_add(&sp->link, invalid_list);
2338 list_move(&sp->link, invalid_list);
2339 kvm_mod_used_mmu_pages(kvm, -1);
2342 * Remove the active root from the active page list, the root
2343 * will be explicitly freed when the root_count hits zero.
2345 list_del(&sp->link);
2348 * Obsolete pages cannot be used on any vCPUs, see the comment
2349 * in kvm_mmu_zap_all_fast(). Note, is_obsolete_sp() also
2350 * treats invalid shadow pages as being obsolete.
2352 zapped_root = !is_obsolete_sp(kvm, sp);
2355 if (sp->lpage_disallowed)
2356 unaccount_huge_nx_page(kvm, sp);
2358 sp->role.invalid = 1;
2361 * Make the request to free obsolete roots after marking the root
2362 * invalid, otherwise other vCPUs may not see it as invalid.
2365 kvm_make_all_cpus_request(kvm, KVM_REQ_MMU_FREE_OBSOLETE_ROOTS);
2366 return list_unstable;
2369 static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
2370 struct list_head *invalid_list)
2374 __kvm_mmu_prepare_zap_page(kvm, sp, invalid_list, &nr_zapped);
2378 static void kvm_mmu_commit_zap_page(struct kvm *kvm,
2379 struct list_head *invalid_list)
2381 struct kvm_mmu_page *sp, *nsp;
2383 if (list_empty(invalid_list))
2387 * We need to make sure everyone sees our modifications to
2388 * the page tables and see changes to vcpu->mode here. The barrier
2389 * in the kvm_flush_remote_tlbs() achieves this. This pairs
2390 * with vcpu_enter_guest and walk_shadow_page_lockless_begin/end.
2392 * In addition, kvm_flush_remote_tlbs waits for all vcpus to exit
2393 * guest mode and/or lockless shadow page table walks.
2395 kvm_flush_remote_tlbs(kvm);
2397 list_for_each_entry_safe(sp, nsp, invalid_list, link) {
2398 WARN_ON(!sp->role.invalid || sp->root_count);
2399 kvm_mmu_free_page(sp);
2403 static unsigned long kvm_mmu_zap_oldest_mmu_pages(struct kvm *kvm,
2404 unsigned long nr_to_zap)
2406 unsigned long total_zapped = 0;
2407 struct kvm_mmu_page *sp, *tmp;
2408 LIST_HEAD(invalid_list);
2412 if (list_empty(&kvm->arch.active_mmu_pages))
2416 list_for_each_entry_safe_reverse(sp, tmp, &kvm->arch.active_mmu_pages, link) {
2418 * Don't zap active root pages, the page itself can't be freed
2419 * and zapping it will just force vCPUs to realloc and reload.
2424 unstable = __kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list,
2426 total_zapped += nr_zapped;
2427 if (total_zapped >= nr_to_zap)
2434 kvm_mmu_commit_zap_page(kvm, &invalid_list);
2436 kvm->stat.mmu_recycled += total_zapped;
2437 return total_zapped;
2440 static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
2442 if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
2443 return kvm->arch.n_max_mmu_pages -
2444 kvm->arch.n_used_mmu_pages;
2449 static int make_mmu_pages_available(struct kvm_vcpu *vcpu)
2451 unsigned long avail = kvm_mmu_available_pages(vcpu->kvm);
2453 if (likely(avail >= KVM_MIN_FREE_MMU_PAGES))
2456 kvm_mmu_zap_oldest_mmu_pages(vcpu->kvm, KVM_REFILL_PAGES - avail);
2459 * Note, this check is intentionally soft, it only guarantees that one
2460 * page is available, while the caller may end up allocating as many as
2461 * four pages, e.g. for PAE roots or for 5-level paging. Temporarily
2462 * exceeding the (arbitrary by default) limit will not harm the host,
2463 * being too aggressive may unnecessarily kill the guest, and getting an
2464 * exact count is far more trouble than it's worth, especially in the
2467 if (!kvm_mmu_available_pages(vcpu->kvm))
2473 * Changing the number of mmu pages allocated to the vm
2474 * Note: if goal_nr_mmu_pages is too small, you will get dead lock
2476 void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
2478 write_lock(&kvm->mmu_lock);
2480 if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
2481 kvm_mmu_zap_oldest_mmu_pages(kvm, kvm->arch.n_used_mmu_pages -
2484 goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
2487 kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;
2489 write_unlock(&kvm->mmu_lock);
2492 int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
2494 struct kvm_mmu_page *sp;
2495 LIST_HEAD(invalid_list);
2498 pgprintk("%s: looking for gfn %llx\n", __func__, gfn);
2500 write_lock(&kvm->mmu_lock);
2501 for_each_gfn_indirect_valid_sp(kvm, sp, gfn) {
2502 pgprintk("%s: gfn %llx role %x\n", __func__, gfn,
2505 kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
2507 kvm_mmu_commit_zap_page(kvm, &invalid_list);
2508 write_unlock(&kvm->mmu_lock);
2513 static int kvm_mmu_unprotect_page_virt(struct kvm_vcpu *vcpu, gva_t gva)
2518 if (vcpu->arch.mmu->direct_map)
2521 gpa = kvm_mmu_gva_to_gpa_read(vcpu, gva, NULL);
2523 r = kvm_mmu_unprotect_page(vcpu->kvm, gpa >> PAGE_SHIFT);
2528 static void kvm_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
2530 trace_kvm_mmu_unsync_page(sp);
2531 ++kvm->stat.mmu_unsync;
2534 kvm_mmu_mark_parents_unsync(sp);
2538 * Attempt to unsync any shadow pages that can be reached by the specified gfn,
2539 * KVM is creating a writable mapping for said gfn. Returns 0 if all pages
2540 * were marked unsync (or if there is no shadow page), -EPERM if the SPTE must
2541 * be write-protected.
2543 int mmu_try_to_unsync_pages(struct kvm *kvm, const struct kvm_memory_slot *slot,
2544 gfn_t gfn, bool can_unsync, bool prefetch)
2546 struct kvm_mmu_page *sp;
2547 bool locked = false;
2550 * Force write-protection if the page is being tracked. Note, the page
2551 * track machinery is used to write-protect upper-level shadow pages,
2552 * i.e. this guards the role.level == 4K assertion below!
2554 if (kvm_slot_page_track_is_active(kvm, slot, gfn, KVM_PAGE_TRACK_WRITE))
2558 * The page is not write-tracked, mark existing shadow pages unsync
2559 * unless KVM is synchronizing an unsync SP (can_unsync = false). In
2560 * that case, KVM must complete emulation of the guest TLB flush before
2561 * allowing shadow pages to become unsync (writable by the guest).
2563 for_each_gfn_indirect_valid_sp(kvm, sp, gfn) {
2574 * TDP MMU page faults require an additional spinlock as they
2575 * run with mmu_lock held for read, not write, and the unsync
2576 * logic is not thread safe. Take the spinklock regardless of
2577 * the MMU type to avoid extra conditionals/parameters, there's
2578 * no meaningful penalty if mmu_lock is held for write.
2582 spin_lock(&kvm->arch.mmu_unsync_pages_lock);
2585 * Recheck after taking the spinlock, a different vCPU
2586 * may have since marked the page unsync. A false
2587 * positive on the unprotected check above is not
2588 * possible as clearing sp->unsync _must_ hold mmu_lock
2589 * for write, i.e. unsync cannot transition from 0->1
2590 * while this CPU holds mmu_lock for read (or write).
2592 if (READ_ONCE(sp->unsync))
2596 WARN_ON(sp->role.level != PG_LEVEL_4K);
2597 kvm_unsync_page(kvm, sp);
2600 spin_unlock(&kvm->arch.mmu_unsync_pages_lock);
2603 * We need to ensure that the marking of unsync pages is visible
2604 * before the SPTE is updated to allow writes because
2605 * kvm_mmu_sync_roots() checks the unsync flags without holding
2606 * the MMU lock and so can race with this. If the SPTE was updated
2607 * before the page had been marked as unsync-ed, something like the
2608 * following could happen:
2611 * ---------------------------------------------------------------------
2612 * 1.2 Host updates SPTE
2614 * 2.1 Guest writes a GPTE for GVA X.
2615 * (GPTE being in the guest page table shadowed
2616 * by the SP from CPU 1.)
2617 * This reads SPTE during the page table walk.
2618 * Since SPTE.W is read as 1, there is no
2621 * 2.2 Guest issues TLB flush.
2622 * That causes a VM Exit.
2624 * 2.3 Walking of unsync pages sees sp->unsync is
2625 * false and skips the page.
2627 * 2.4 Guest accesses GVA X.
2628 * Since the mapping in the SP was not updated,
2629 * so the old mapping for GVA X incorrectly
2633 * (sp->unsync = true)
2635 * The write barrier below ensures that 1.1 happens before 1.2 and thus
2636 * the situation in 2.4 does not arise. It pairs with the read barrier
2637 * in is_unsync_root(), placed between 2.1's load of SPTE.W and 2.3.
2644 static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
2645 u64 *sptep, unsigned int pte_access, gfn_t gfn,
2646 kvm_pfn_t pfn, struct kvm_page_fault *fault)
2648 struct kvm_mmu_page *sp = sptep_to_sp(sptep);
2649 int level = sp->role.level;
2650 int was_rmapped = 0;
2651 int ret = RET_PF_FIXED;
2656 /* Prefetching always gets a writable pfn. */
2657 bool host_writable = !fault || fault->map_writable;
2658 bool prefetch = !fault || fault->prefetch;
2659 bool write_fault = fault && fault->write;
2661 pgprintk("%s: spte %llx write_fault %d gfn %llx\n", __func__,
2662 *sptep, write_fault, gfn);
2664 if (unlikely(is_noslot_pfn(pfn))) {
2665 mark_mmio_spte(vcpu, sptep, gfn, pte_access);
2666 return RET_PF_EMULATE;
2669 if (is_shadow_present_pte(*sptep)) {
2671 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
2672 * the parent of the now unreachable PTE.
2674 if (level > PG_LEVEL_4K && !is_large_pte(*sptep)) {
2675 struct kvm_mmu_page *child;
2678 child = to_shadow_page(pte & PT64_BASE_ADDR_MASK);
2679 drop_parent_pte(child, sptep);
2681 } else if (pfn != spte_to_pfn(*sptep)) {
2682 pgprintk("hfn old %llx new %llx\n",
2683 spte_to_pfn(*sptep), pfn);
2684 drop_spte(vcpu->kvm, sptep);
2690 wrprot = make_spte(vcpu, sp, slot, pte_access, gfn, pfn, *sptep, prefetch,
2691 true, host_writable, &spte);
2693 if (*sptep == spte) {
2694 ret = RET_PF_SPURIOUS;
2696 flush |= mmu_spte_update(sptep, spte);
2697 trace_kvm_mmu_set_spte(level, gfn, sptep);
2702 ret = RET_PF_EMULATE;
2706 kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn,
2707 KVM_PAGES_PER_HPAGE(level));
2709 pgprintk("%s: setting spte %llx\n", __func__, *sptep);
2712 WARN_ON_ONCE(ret == RET_PF_SPURIOUS);
2713 kvm_update_page_stats(vcpu->kvm, level, 1);
2714 rmap_add(vcpu, slot, sptep, gfn);
2720 static int direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
2721 struct kvm_mmu_page *sp,
2722 u64 *start, u64 *end)
2724 struct page *pages[PTE_PREFETCH_NUM];
2725 struct kvm_memory_slot *slot;
2726 unsigned int access = sp->role.access;
2730 gfn = kvm_mmu_page_get_gfn(sp, start - sp->spt);
2731 slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, access & ACC_WRITE_MASK);
2735 ret = gfn_to_page_many_atomic(slot, gfn, pages, end - start);
2739 for (i = 0; i < ret; i++, gfn++, start++) {
2740 mmu_set_spte(vcpu, slot, start, access, gfn,
2741 page_to_pfn(pages[i]), NULL);
2748 static void __direct_pte_prefetch(struct kvm_vcpu *vcpu,
2749 struct kvm_mmu_page *sp, u64 *sptep)
2751 u64 *spte, *start = NULL;
2754 WARN_ON(!sp->role.direct);
2756 i = (sptep - sp->spt) & ~(PTE_PREFETCH_NUM - 1);
2759 for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
2760 if (is_shadow_present_pte(*spte) || spte == sptep) {
2763 if (direct_pte_prefetch_many(vcpu, sp, start, spte) < 0)
2770 direct_pte_prefetch_many(vcpu, sp, start, spte);
2773 static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
2775 struct kvm_mmu_page *sp;
2777 sp = sptep_to_sp(sptep);
2780 * Without accessed bits, there's no way to distinguish between
2781 * actually accessed translations and prefetched, so disable pte
2782 * prefetch if accessed bits aren't available.
2784 if (sp_ad_disabled(sp))
2787 if (sp->role.level > PG_LEVEL_4K)
2791 * If addresses are being invalidated, skip prefetching to avoid
2792 * accidentally prefetching those addresses.
2794 if (unlikely(vcpu->kvm->mmu_notifier_count))
2797 __direct_pte_prefetch(vcpu, sp, sptep);
2800 static int host_pfn_mapping_level(struct kvm *kvm, gfn_t gfn, kvm_pfn_t pfn,
2801 const struct kvm_memory_slot *slot)
2804 unsigned long flags;
2805 int level = PG_LEVEL_4K;
2811 if (!PageCompound(pfn_to_page(pfn)) && !kvm_is_zone_device_pfn(pfn))
2815 * Note, using the already-retrieved memslot and __gfn_to_hva_memslot()
2816 * is not solely for performance, it's also necessary to avoid the
2817 * "writable" check in __gfn_to_hva_many(), which will always fail on
2818 * read-only memslots due to gfn_to_hva() assuming writes. Earlier
2819 * page fault steps have already verified the guest isn't writing a
2820 * read-only memslot.
2822 hva = __gfn_to_hva_memslot(slot, gfn);
2825 * Lookup the mapping level in the current mm. The information
2826 * may become stale soon, but it is safe to use as long as
2827 * 1) mmu_notifier_retry was checked after taking mmu_lock, and
2828 * 2) mmu_lock is taken now.
2830 * We still need to disable IRQs to prevent concurrent tear down
2833 local_irq_save(flags);
2835 pgd = READ_ONCE(*pgd_offset(kvm->mm, hva));
2839 p4d = READ_ONCE(*p4d_offset(&pgd, hva));
2840 if (p4d_none(p4d) || !p4d_present(p4d))
2843 pud = READ_ONCE(*pud_offset(&p4d, hva));
2844 if (pud_none(pud) || !pud_present(pud))
2847 if (pud_large(pud)) {
2848 level = PG_LEVEL_1G;
2852 pmd = READ_ONCE(*pmd_offset(&pud, hva));
2853 if (pmd_none(pmd) || !pmd_present(pmd))
2857 level = PG_LEVEL_2M;
2860 local_irq_restore(flags);
2864 int kvm_mmu_max_mapping_level(struct kvm *kvm,
2865 const struct kvm_memory_slot *slot, gfn_t gfn,
2866 kvm_pfn_t pfn, int max_level)
2868 struct kvm_lpage_info *linfo;
2871 max_level = min(max_level, max_huge_page_level);
2872 for ( ; max_level > PG_LEVEL_4K; max_level--) {
2873 linfo = lpage_info_slot(gfn, slot, max_level);
2874 if (!linfo->disallow_lpage)
2878 if (max_level == PG_LEVEL_4K)
2881 host_level = host_pfn_mapping_level(kvm, gfn, pfn, slot);
2882 return min(host_level, max_level);
2885 void kvm_mmu_hugepage_adjust(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
2887 struct kvm_memory_slot *slot = fault->slot;
2890 fault->huge_page_disallowed = fault->exec && fault->nx_huge_page_workaround_enabled;
2892 if (unlikely(fault->max_level == PG_LEVEL_4K))
2895 if (is_error_noslot_pfn(fault->pfn) || kvm_is_reserved_pfn(fault->pfn))
2898 if (kvm_slot_dirty_track_enabled(slot))
2902 * Enforce the iTLB multihit workaround after capturing the requested
2903 * level, which will be used to do precise, accurate accounting.
2905 fault->req_level = kvm_mmu_max_mapping_level(vcpu->kvm, slot,
2906 fault->gfn, fault->pfn,
2908 if (fault->req_level == PG_LEVEL_4K || fault->huge_page_disallowed)
2912 * mmu_notifier_retry() was successful and mmu_lock is held, so
2913 * the pmd can't be split from under us.
2915 fault->goal_level = fault->req_level;
2916 mask = KVM_PAGES_PER_HPAGE(fault->goal_level) - 1;
2917 VM_BUG_ON((fault->gfn & mask) != (fault->pfn & mask));
2918 fault->pfn &= ~mask;
2921 void disallowed_hugepage_adjust(struct kvm_page_fault *fault, u64 spte, int cur_level)
2923 if (cur_level > PG_LEVEL_4K &&
2924 cur_level == fault->goal_level &&
2925 is_shadow_present_pte(spte) &&
2926 !is_large_pte(spte)) {
2928 * A small SPTE exists for this pfn, but FNAME(fetch)
2929 * and __direct_map would like to create a large PTE
2930 * instead: just force them to go down another level,
2931 * patching back for them into pfn the next 9 bits of
2934 u64 page_mask = KVM_PAGES_PER_HPAGE(cur_level) -
2935 KVM_PAGES_PER_HPAGE(cur_level - 1);
2936 fault->pfn |= fault->gfn & page_mask;
2937 fault->goal_level--;
2941 static int __direct_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
2943 struct kvm_shadow_walk_iterator it;
2944 struct kvm_mmu_page *sp;
2946 gfn_t base_gfn = fault->gfn;
2948 kvm_mmu_hugepage_adjust(vcpu, fault);
2950 trace_kvm_mmu_spte_requested(fault);
2951 for_each_shadow_entry(vcpu, fault->addr, it) {
2953 * We cannot overwrite existing page tables with an NX
2954 * large page, as the leaf could be executable.
2956 if (fault->nx_huge_page_workaround_enabled)
2957 disallowed_hugepage_adjust(fault, *it.sptep, it.level);
2959 base_gfn = fault->gfn & ~(KVM_PAGES_PER_HPAGE(it.level) - 1);
2960 if (it.level == fault->goal_level)
2963 drop_large_spte(vcpu, it.sptep);
2964 if (is_shadow_present_pte(*it.sptep))
2967 sp = kvm_mmu_get_page(vcpu, base_gfn, it.addr,
2968 it.level - 1, true, ACC_ALL);
2970 link_shadow_page(vcpu, it.sptep, sp);
2971 if (fault->is_tdp && fault->huge_page_disallowed &&
2972 fault->req_level >= it.level)
2973 account_huge_nx_page(vcpu->kvm, sp);
2976 if (WARN_ON_ONCE(it.level != fault->goal_level))
2979 ret = mmu_set_spte(vcpu, fault->slot, it.sptep, ACC_ALL,
2980 base_gfn, fault->pfn, fault);
2981 if (ret == RET_PF_SPURIOUS)
2984 direct_pte_prefetch(vcpu, it.sptep);
2985 ++vcpu->stat.pf_fixed;
2989 static void kvm_send_hwpoison_signal(unsigned long address, struct task_struct *tsk)
2991 send_sig_mceerr(BUS_MCEERR_AR, (void __user *)address, PAGE_SHIFT, tsk);
2994 static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn)
2997 * Do not cache the mmio info caused by writing the readonly gfn
2998 * into the spte otherwise read access on readonly gfn also can
2999 * caused mmio page fault and treat it as mmio access.
3001 if (pfn == KVM_PFN_ERR_RO_FAULT)
3002 return RET_PF_EMULATE;
3004 if (pfn == KVM_PFN_ERR_HWPOISON) {
3005 kvm_send_hwpoison_signal(kvm_vcpu_gfn_to_hva(vcpu, gfn), current);
3006 return RET_PF_RETRY;
3012 static bool handle_abnormal_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
3013 unsigned int access, int *ret_val)
3015 /* The pfn is invalid, report the error! */
3016 if (unlikely(is_error_pfn(fault->pfn))) {
3017 *ret_val = kvm_handle_bad_page(vcpu, fault->gfn, fault->pfn);
3021 if (unlikely(!fault->slot)) {
3022 gva_t gva = fault->is_tdp ? 0 : fault->addr;
3024 vcpu_cache_mmio_info(vcpu, gva, fault->gfn,
3025 access & shadow_mmio_access_mask);
3027 * If MMIO caching is disabled, emulate immediately without
3028 * touching the shadow page tables as attempting to install an
3029 * MMIO SPTE will just be an expensive nop. Do not cache MMIO
3030 * whose gfn is greater than host.MAXPHYADDR, any guest that
3031 * generates such gfns is running nested and is being tricked
3032 * by L0 userspace (you can observe gfn > L1.MAXPHYADDR if
3033 * and only if L1's MAXPHYADDR is inaccurate with respect to
3036 if (unlikely(!enable_mmio_caching) ||
3037 unlikely(fault->gfn > kvm_mmu_max_gfn())) {
3038 *ret_val = RET_PF_EMULATE;
3046 static bool page_fault_can_be_fast(struct kvm_page_fault *fault)
3049 * Do not fix the mmio spte with invalid generation number which
3050 * need to be updated by slow page fault path.
3055 /* See if the page fault is due to an NX violation */
3056 if (unlikely(fault->exec && fault->present))
3060 * #PF can be fast if:
3061 * 1. The shadow page table entry is not present, which could mean that
3062 * the fault is potentially caused by access tracking (if enabled).
3063 * 2. The shadow page table entry is present and the fault
3064 * is caused by write-protect, that means we just need change the W
3065 * bit of the spte which can be done out of mmu-lock.
3067 * However, if access tracking is disabled we know that a non-present
3068 * page must be a genuine page fault where we have to create a new SPTE.
3069 * So, if access tracking is disabled, we return true only for write
3070 * accesses to a present page.
3073 return shadow_acc_track_mask != 0 || (fault->write && fault->present);
3077 * Returns true if the SPTE was fixed successfully. Otherwise,
3078 * someone else modified the SPTE from its original value.
3081 fast_pf_fix_direct_spte(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault,
3082 u64 *sptep, u64 old_spte, u64 new_spte)
3085 * Theoretically we could also set dirty bit (and flush TLB) here in
3086 * order to eliminate unnecessary PML logging. See comments in
3087 * set_spte. But fast_page_fault is very unlikely to happen with PML
3088 * enabled, so we do not do this. This might result in the same GPA
3089 * to be logged in PML buffer again when the write really happens, and
3090 * eventually to be called by mark_page_dirty twice. But it's also no
3091 * harm. This also avoids the TLB flush needed after setting dirty bit
3092 * so non-PML cases won't be impacted.
3094 * Compare with set_spte where instead shadow_dirty_mask is set.
3096 if (cmpxchg64(sptep, old_spte, new_spte) != old_spte)
3099 if (is_writable_pte(new_spte) && !is_writable_pte(old_spte))
3100 mark_page_dirty_in_slot(vcpu->kvm, fault->slot, fault->gfn);
3105 static bool is_access_allowed(struct kvm_page_fault *fault, u64 spte)
3108 return is_executable_pte(spte);
3111 return is_writable_pte(spte);
3113 /* Fault was on Read access */
3114 return spte & PT_PRESENT_MASK;
3118 * Returns the last level spte pointer of the shadow page walk for the given
3119 * gpa, and sets *spte to the spte value. This spte may be non-preset. If no
3120 * walk could be performed, returns NULL and *spte does not contain valid data.
3123 * - Must be called between walk_shadow_page_lockless_{begin,end}.
3124 * - The returned sptep must not be used after walk_shadow_page_lockless_end.
3126 static u64 *fast_pf_get_last_sptep(struct kvm_vcpu *vcpu, gpa_t gpa, u64 *spte)
3128 struct kvm_shadow_walk_iterator iterator;
3132 for_each_shadow_entry_lockless(vcpu, gpa, iterator, old_spte) {
3133 sptep = iterator.sptep;
3141 * Returns one of RET_PF_INVALID, RET_PF_FIXED or RET_PF_SPURIOUS.
3143 static int fast_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
3145 struct kvm_mmu_page *sp;
3146 int ret = RET_PF_INVALID;
3149 uint retry_count = 0;
3151 if (!page_fault_can_be_fast(fault))
3154 walk_shadow_page_lockless_begin(vcpu);
3159 if (is_tdp_mmu(vcpu->arch.mmu))
3160 sptep = kvm_tdp_mmu_fast_pf_get_last_sptep(vcpu, fault->addr, &spte);
3162 sptep = fast_pf_get_last_sptep(vcpu, fault->addr, &spte);
3164 if (!is_shadow_present_pte(spte))
3167 sp = sptep_to_sp(sptep);
3168 if (!is_last_spte(spte, sp->role.level))
3172 * Check whether the memory access that caused the fault would
3173 * still cause it if it were to be performed right now. If not,
3174 * then this is a spurious fault caused by TLB lazily flushed,
3175 * or some other CPU has already fixed the PTE after the
3176 * current CPU took the fault.
3178 * Need not check the access of upper level table entries since
3179 * they are always ACC_ALL.
3181 if (is_access_allowed(fault, spte)) {
3182 ret = RET_PF_SPURIOUS;
3188 if (is_access_track_spte(spte))
3189 new_spte = restore_acc_track_spte(new_spte);
3192 * Currently, to simplify the code, write-protection can
3193 * be removed in the fast path only if the SPTE was
3194 * write-protected for dirty-logging or access tracking.
3197 spte_can_locklessly_be_made_writable(spte)) {
3198 new_spte |= PT_WRITABLE_MASK;
3201 * Do not fix write-permission on the large spte when
3202 * dirty logging is enabled. Since we only dirty the
3203 * first page into the dirty-bitmap in
3204 * fast_pf_fix_direct_spte(), other pages are missed
3205 * if its slot has dirty logging enabled.
3207 * Instead, we let the slow page fault path create a
3208 * normal spte to fix the access.
3210 if (sp->role.level > PG_LEVEL_4K &&
3211 kvm_slot_dirty_track_enabled(fault->slot))
3215 /* Verify that the fault can be handled in the fast path */
3216 if (new_spte == spte ||
3217 !is_access_allowed(fault, new_spte))
3221 * Currently, fast page fault only works for direct mapping
3222 * since the gfn is not stable for indirect shadow page. See
3223 * Documentation/virt/kvm/locking.rst to get more detail.
3225 if (fast_pf_fix_direct_spte(vcpu, fault, sptep, spte, new_spte)) {
3230 if (++retry_count > 4) {
3231 printk_once(KERN_WARNING
3232 "kvm: Fast #PF retrying more than 4 times.\n");
3238 trace_fast_page_fault(vcpu, fault, sptep, spte, ret);
3239 walk_shadow_page_lockless_end(vcpu);
3244 static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa,
3245 struct list_head *invalid_list)
3247 struct kvm_mmu_page *sp;
3249 if (!VALID_PAGE(*root_hpa))
3252 sp = to_shadow_page(*root_hpa & PT64_BASE_ADDR_MASK);
3256 if (is_tdp_mmu_page(sp))
3257 kvm_tdp_mmu_put_root(kvm, sp, false);
3258 else if (!--sp->root_count && sp->role.invalid)
3259 kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
3261 *root_hpa = INVALID_PAGE;
3264 /* roots_to_free must be some combination of the KVM_MMU_ROOT_* flags */
3265 void kvm_mmu_free_roots(struct kvm *kvm, struct kvm_mmu *mmu,
3266 ulong roots_to_free)
3269 LIST_HEAD(invalid_list);
3270 bool free_active_root;
3272 BUILD_BUG_ON(KVM_MMU_NUM_PREV_ROOTS >= BITS_PER_LONG);
3274 /* Before acquiring the MMU lock, see if we need to do any real work. */
3275 free_active_root = (roots_to_free & KVM_MMU_ROOT_CURRENT)
3276 && VALID_PAGE(mmu->root.hpa);
3278 if (!free_active_root) {
3279 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3280 if ((roots_to_free & KVM_MMU_ROOT_PREVIOUS(i)) &&
3281 VALID_PAGE(mmu->prev_roots[i].hpa))
3284 if (i == KVM_MMU_NUM_PREV_ROOTS)
3288 write_lock(&kvm->mmu_lock);
3290 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3291 if (roots_to_free & KVM_MMU_ROOT_PREVIOUS(i))
3292 mmu_free_root_page(kvm, &mmu->prev_roots[i].hpa,
3295 if (free_active_root) {
3296 if (to_shadow_page(mmu->root.hpa)) {
3297 mmu_free_root_page(kvm, &mmu->root.hpa, &invalid_list);
3298 } else if (mmu->pae_root) {
3299 for (i = 0; i < 4; ++i) {
3300 if (!IS_VALID_PAE_ROOT(mmu->pae_root[i]))
3303 mmu_free_root_page(kvm, &mmu->pae_root[i],
3305 mmu->pae_root[i] = INVALID_PAE_ROOT;
3308 mmu->root.hpa = INVALID_PAGE;
3312 kvm_mmu_commit_zap_page(kvm, &invalid_list);
3313 write_unlock(&kvm->mmu_lock);
3315 EXPORT_SYMBOL_GPL(kvm_mmu_free_roots);
3317 void kvm_mmu_free_guest_mode_roots(struct kvm *kvm, struct kvm_mmu *mmu)
3319 unsigned long roots_to_free = 0;
3324 * This should not be called while L2 is active, L2 can't invalidate
3325 * _only_ its own roots, e.g. INVVPID unconditionally exits.
3327 WARN_ON_ONCE(mmu->root_role.guest_mode);
3329 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
3330 root_hpa = mmu->prev_roots[i].hpa;
3331 if (!VALID_PAGE(root_hpa))
3334 if (!to_shadow_page(root_hpa) ||
3335 to_shadow_page(root_hpa)->role.guest_mode)
3336 roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
3339 kvm_mmu_free_roots(kvm, mmu, roots_to_free);
3341 EXPORT_SYMBOL_GPL(kvm_mmu_free_guest_mode_roots);
3344 static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn)
3348 if (!kvm_vcpu_is_visible_gfn(vcpu, root_gfn)) {
3349 kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
3356 static hpa_t mmu_alloc_root(struct kvm_vcpu *vcpu, gfn_t gfn, gva_t gva,
3357 u8 level, bool direct)
3359 struct kvm_mmu_page *sp;
3361 sp = kvm_mmu_get_page(vcpu, gfn, gva, level, direct, ACC_ALL);
3364 return __pa(sp->spt);
3367 static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
3369 struct kvm_mmu *mmu = vcpu->arch.mmu;
3370 u8 shadow_root_level = mmu->root_role.level;
3375 write_lock(&vcpu->kvm->mmu_lock);
3376 r = make_mmu_pages_available(vcpu);
3380 if (is_tdp_mmu_enabled(vcpu->kvm)) {
3381 root = kvm_tdp_mmu_get_vcpu_root_hpa(vcpu);
3382 mmu->root.hpa = root;
3383 } else if (shadow_root_level >= PT64_ROOT_4LEVEL) {
3384 root = mmu_alloc_root(vcpu, 0, 0, shadow_root_level, true);
3385 mmu->root.hpa = root;
3386 } else if (shadow_root_level == PT32E_ROOT_LEVEL) {
3387 if (WARN_ON_ONCE(!mmu->pae_root)) {
3392 for (i = 0; i < 4; ++i) {
3393 WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
3395 root = mmu_alloc_root(vcpu, i << (30 - PAGE_SHIFT),
3396 i << 30, PT32_ROOT_LEVEL, true);
3397 mmu->pae_root[i] = root | PT_PRESENT_MASK |
3400 mmu->root.hpa = __pa(mmu->pae_root);
3402 WARN_ONCE(1, "Bad TDP root level = %d\n", shadow_root_level);
3407 /* root.pgd is ignored for direct MMUs. */
3410 write_unlock(&vcpu->kvm->mmu_lock);
3414 static int mmu_first_shadow_root_alloc(struct kvm *kvm)
3416 struct kvm_memslots *slots;
3417 struct kvm_memory_slot *slot;
3421 * Check if this is the first shadow root being allocated before
3424 if (kvm_shadow_root_allocated(kvm))
3427 mutex_lock(&kvm->slots_arch_lock);
3429 /* Recheck, under the lock, whether this is the first shadow root. */
3430 if (kvm_shadow_root_allocated(kvm))
3434 * Check if anything actually needs to be allocated, e.g. all metadata
3435 * will be allocated upfront if TDP is disabled.
3437 if (kvm_memslots_have_rmaps(kvm) &&
3438 kvm_page_track_write_tracking_enabled(kvm))
3441 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
3442 slots = __kvm_memslots(kvm, i);
3443 kvm_for_each_memslot(slot, bkt, slots) {
3445 * Both of these functions are no-ops if the target is
3446 * already allocated, so unconditionally calling both
3447 * is safe. Intentionally do NOT free allocations on
3448 * failure to avoid having to track which allocations
3449 * were made now versus when the memslot was created.
3450 * The metadata is guaranteed to be freed when the slot
3451 * is freed, and will be kept/used if userspace retries
3452 * KVM_RUN instead of killing the VM.
3454 r = memslot_rmap_alloc(slot, slot->npages);
3457 r = kvm_page_track_write_tracking_alloc(slot);
3464 * Ensure that shadow_root_allocated becomes true strictly after
3465 * all the related pointers are set.
3468 smp_store_release(&kvm->arch.shadow_root_allocated, true);
3471 mutex_unlock(&kvm->slots_arch_lock);
3475 static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
3477 struct kvm_mmu *mmu = vcpu->arch.mmu;
3478 u64 pdptrs[4], pm_mask;
3479 gfn_t root_gfn, root_pgd;
3484 root_pgd = mmu->get_guest_pgd(vcpu);
3485 root_gfn = root_pgd >> PAGE_SHIFT;
3487 if (mmu_check_root(vcpu, root_gfn))
3491 * On SVM, reading PDPTRs might access guest memory, which might fault
3492 * and thus might sleep. Grab the PDPTRs before acquiring mmu_lock.
3494 if (mmu->cpu_role.base.level == PT32E_ROOT_LEVEL) {
3495 for (i = 0; i < 4; ++i) {
3496 pdptrs[i] = mmu->get_pdptr(vcpu, i);
3497 if (!(pdptrs[i] & PT_PRESENT_MASK))
3500 if (mmu_check_root(vcpu, pdptrs[i] >> PAGE_SHIFT))
3505 r = mmu_first_shadow_root_alloc(vcpu->kvm);
3509 write_lock(&vcpu->kvm->mmu_lock);
3510 r = make_mmu_pages_available(vcpu);
3515 * Do we shadow a long mode page table? If so we need to
3516 * write-protect the guests page table root.
3518 if (mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL) {
3519 root = mmu_alloc_root(vcpu, root_gfn, 0,
3520 mmu->root_role.level, false);
3521 mmu->root.hpa = root;
3525 if (WARN_ON_ONCE(!mmu->pae_root)) {
3531 * We shadow a 32 bit page table. This may be a legacy 2-level
3532 * or a PAE 3-level page table. In either case we need to be aware that
3533 * the shadow page table may be a PAE or a long mode page table.
3535 pm_mask = PT_PRESENT_MASK | shadow_me_mask;
3536 if (mmu->root_role.level >= PT64_ROOT_4LEVEL) {
3537 pm_mask |= PT_ACCESSED_MASK | PT_WRITABLE_MASK | PT_USER_MASK;
3539 if (WARN_ON_ONCE(!mmu->pml4_root)) {
3543 mmu->pml4_root[0] = __pa(mmu->pae_root) | pm_mask;
3545 if (mmu->root_role.level == PT64_ROOT_5LEVEL) {
3546 if (WARN_ON_ONCE(!mmu->pml5_root)) {
3550 mmu->pml5_root[0] = __pa(mmu->pml4_root) | pm_mask;
3554 for (i = 0; i < 4; ++i) {
3555 WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
3557 if (mmu->cpu_role.base.level == PT32E_ROOT_LEVEL) {
3558 if (!(pdptrs[i] & PT_PRESENT_MASK)) {
3559 mmu->pae_root[i] = INVALID_PAE_ROOT;
3562 root_gfn = pdptrs[i] >> PAGE_SHIFT;
3565 root = mmu_alloc_root(vcpu, root_gfn, i << 30,
3566 PT32_ROOT_LEVEL, false);
3567 mmu->pae_root[i] = root | pm_mask;
3570 if (mmu->root_role.level == PT64_ROOT_5LEVEL)
3571 mmu->root.hpa = __pa(mmu->pml5_root);
3572 else if (mmu->root_role.level == PT64_ROOT_4LEVEL)
3573 mmu->root.hpa = __pa(mmu->pml4_root);
3575 mmu->root.hpa = __pa(mmu->pae_root);
3578 mmu->root.pgd = root_pgd;
3580 write_unlock(&vcpu->kvm->mmu_lock);
3585 static int mmu_alloc_special_roots(struct kvm_vcpu *vcpu)
3587 struct kvm_mmu *mmu = vcpu->arch.mmu;
3588 bool need_pml5 = mmu->root_role.level > PT64_ROOT_4LEVEL;
3589 u64 *pml5_root = NULL;
3590 u64 *pml4_root = NULL;
3594 * When shadowing 32-bit or PAE NPT with 64-bit NPT, the PML4 and PDP
3595 * tables are allocated and initialized at root creation as there is no
3596 * equivalent level in the guest's NPT to shadow. Allocate the tables
3597 * on demand, as running a 32-bit L1 VMM on 64-bit KVM is very rare.
3599 if (mmu->direct_map || mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL ||
3600 mmu->root_role.level < PT64_ROOT_4LEVEL)
3604 * NPT, the only paging mode that uses this horror, uses a fixed number
3605 * of levels for the shadow page tables, e.g. all MMUs are 4-level or
3606 * all MMus are 5-level. Thus, this can safely require that pml5_root
3607 * is allocated if the other roots are valid and pml5 is needed, as any
3608 * prior MMU would also have required pml5.
3610 if (mmu->pae_root && mmu->pml4_root && (!need_pml5 || mmu->pml5_root))
3614 * The special roots should always be allocated in concert. Yell and
3615 * bail if KVM ends up in a state where only one of the roots is valid.
3617 if (WARN_ON_ONCE(!tdp_enabled || mmu->pae_root || mmu->pml4_root ||
3618 (need_pml5 && mmu->pml5_root)))
3622 * Unlike 32-bit NPT, the PDP table doesn't need to be in low mem, and
3623 * doesn't need to be decrypted.
3625 pae_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
3629 #ifdef CONFIG_X86_64
3630 pml4_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
3635 pml5_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
3641 mmu->pae_root = pae_root;
3642 mmu->pml4_root = pml4_root;
3643 mmu->pml5_root = pml5_root;
3647 #ifdef CONFIG_X86_64
3649 free_page((unsigned long)pml4_root);
3651 free_page((unsigned long)pae_root);
3656 static bool is_unsync_root(hpa_t root)
3658 struct kvm_mmu_page *sp;
3660 if (!VALID_PAGE(root))
3664 * The read barrier orders the CPU's read of SPTE.W during the page table
3665 * walk before the reads of sp->unsync/sp->unsync_children here.
3667 * Even if another CPU was marking the SP as unsync-ed simultaneously,
3668 * any guest page table changes are not guaranteed to be visible anyway
3669 * until this VCPU issues a TLB flush strictly after those changes are
3670 * made. We only need to ensure that the other CPU sets these flags
3671 * before any actual changes to the page tables are made. The comments
3672 * in mmu_try_to_unsync_pages() describe what could go wrong if this
3673 * requirement isn't satisfied.
3676 sp = to_shadow_page(root);
3679 * PAE roots (somewhat arbitrarily) aren't backed by shadow pages, the
3680 * PDPTEs for a given PAE root need to be synchronized individually.
3682 if (WARN_ON_ONCE(!sp))
3685 if (sp->unsync || sp->unsync_children)
3691 void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
3694 struct kvm_mmu_page *sp;
3696 if (vcpu->arch.mmu->direct_map)
3699 if (!VALID_PAGE(vcpu->arch.mmu->root.hpa))
3702 vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
3704 if (vcpu->arch.mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL) {
3705 hpa_t root = vcpu->arch.mmu->root.hpa;
3706 sp = to_shadow_page(root);
3708 if (!is_unsync_root(root))
3711 write_lock(&vcpu->kvm->mmu_lock);
3712 mmu_sync_children(vcpu, sp, true);
3713 write_unlock(&vcpu->kvm->mmu_lock);
3717 write_lock(&vcpu->kvm->mmu_lock);
3719 for (i = 0; i < 4; ++i) {
3720 hpa_t root = vcpu->arch.mmu->pae_root[i];
3722 if (IS_VALID_PAE_ROOT(root)) {
3723 root &= PT64_BASE_ADDR_MASK;
3724 sp = to_shadow_page(root);
3725 mmu_sync_children(vcpu, sp, true);
3729 write_unlock(&vcpu->kvm->mmu_lock);
3732 void kvm_mmu_sync_prev_roots(struct kvm_vcpu *vcpu)
3734 unsigned long roots_to_free = 0;
3737 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3738 if (is_unsync_root(vcpu->arch.mmu->prev_roots[i].hpa))
3739 roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
3741 /* sync prev_roots by simply freeing them */
3742 kvm_mmu_free_roots(vcpu->kvm, vcpu->arch.mmu, roots_to_free);
3745 static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
3746 gpa_t vaddr, u64 access,
3747 struct x86_exception *exception)
3750 exception->error_code = 0;
3751 return kvm_translate_gpa(vcpu, mmu, vaddr, access, exception);
3754 static bool mmio_info_in_cache(struct kvm_vcpu *vcpu, u64 addr, bool direct)
3757 * A nested guest cannot use the MMIO cache if it is using nested
3758 * page tables, because cr2 is a nGPA while the cache stores GPAs.
3760 if (mmu_is_nested(vcpu))
3764 return vcpu_match_mmio_gpa(vcpu, addr);
3766 return vcpu_match_mmio_gva(vcpu, addr);
3770 * Return the level of the lowest level SPTE added to sptes.
3771 * That SPTE may be non-present.
3773 * Must be called between walk_shadow_page_lockless_{begin,end}.
3775 static int get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes, int *root_level)
3777 struct kvm_shadow_walk_iterator iterator;
3781 for (shadow_walk_init(&iterator, vcpu, addr),
3782 *root_level = iterator.level;
3783 shadow_walk_okay(&iterator);
3784 __shadow_walk_next(&iterator, spte)) {
3785 leaf = iterator.level;
3786 spte = mmu_spte_get_lockless(iterator.sptep);
3794 /* return true if reserved bit(s) are detected on a valid, non-MMIO SPTE. */
3795 static bool get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr, u64 *sptep)
3797 u64 sptes[PT64_ROOT_MAX_LEVEL + 1];
3798 struct rsvd_bits_validate *rsvd_check;
3799 int root, leaf, level;
3800 bool reserved = false;
3802 walk_shadow_page_lockless_begin(vcpu);
3804 if (is_tdp_mmu(vcpu->arch.mmu))
3805 leaf = kvm_tdp_mmu_get_walk(vcpu, addr, sptes, &root);
3807 leaf = get_walk(vcpu, addr, sptes, &root);
3809 walk_shadow_page_lockless_end(vcpu);
3811 if (unlikely(leaf < 0)) {
3816 *sptep = sptes[leaf];
3819 * Skip reserved bits checks on the terminal leaf if it's not a valid
3820 * SPTE. Note, this also (intentionally) skips MMIO SPTEs, which, by
3821 * design, always have reserved bits set. The purpose of the checks is
3822 * to detect reserved bits on non-MMIO SPTEs. i.e. buggy SPTEs.
3824 if (!is_shadow_present_pte(sptes[leaf]))
3827 rsvd_check = &vcpu->arch.mmu->shadow_zero_check;
3829 for (level = root; level >= leaf; level--)
3830 reserved |= is_rsvd_spte(rsvd_check, sptes[level], level);
3833 pr_err("%s: reserved bits set on MMU-present spte, addr 0x%llx, hierarchy:\n",
3835 for (level = root; level >= leaf; level--)
3836 pr_err("------ spte = 0x%llx level = %d, rsvd bits = 0x%llx",
3837 sptes[level], level,
3838 get_rsvd_bits(rsvd_check, sptes[level], level));
3844 static int handle_mmio_page_fault(struct kvm_vcpu *vcpu, u64 addr, bool direct)
3849 if (mmio_info_in_cache(vcpu, addr, direct))
3850 return RET_PF_EMULATE;
3852 reserved = get_mmio_spte(vcpu, addr, &spte);
3853 if (WARN_ON(reserved))
3856 if (is_mmio_spte(spte)) {
3857 gfn_t gfn = get_mmio_spte_gfn(spte);
3858 unsigned int access = get_mmio_spte_access(spte);
3860 if (!check_mmio_spte(vcpu, spte))
3861 return RET_PF_INVALID;
3866 trace_handle_mmio_page_fault(addr, gfn, access);
3867 vcpu_cache_mmio_info(vcpu, addr, gfn, access);
3868 return RET_PF_EMULATE;
3872 * If the page table is zapped by other cpus, let CPU fault again on
3875 return RET_PF_RETRY;
3878 static bool page_fault_handle_page_track(struct kvm_vcpu *vcpu,
3879 struct kvm_page_fault *fault)
3881 if (unlikely(fault->rsvd))
3884 if (!fault->present || !fault->write)
3888 * guest is writing the page which is write tracked which can
3889 * not be fixed by page fault handler.
3891 if (kvm_slot_page_track_is_active(vcpu->kvm, fault->slot, fault->gfn, KVM_PAGE_TRACK_WRITE))
3897 static void shadow_page_table_clear_flood(struct kvm_vcpu *vcpu, gva_t addr)
3899 struct kvm_shadow_walk_iterator iterator;
3902 walk_shadow_page_lockless_begin(vcpu);
3903 for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
3904 clear_sp_write_flooding_count(iterator.sptep);
3905 walk_shadow_page_lockless_end(vcpu);
3908 static u32 alloc_apf_token(struct kvm_vcpu *vcpu)
3910 /* make sure the token value is not 0 */
3911 u32 id = vcpu->arch.apf.id;
3914 vcpu->arch.apf.id = 1;
3916 return (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id;
3919 static bool kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
3922 struct kvm_arch_async_pf arch;
3924 arch.token = alloc_apf_token(vcpu);
3926 arch.direct_map = vcpu->arch.mmu->direct_map;
3927 arch.cr3 = vcpu->arch.mmu->get_guest_pgd(vcpu);
3929 return kvm_setup_async_pf(vcpu, cr2_or_gpa,
3930 kvm_vcpu_gfn_to_hva(vcpu, gfn), &arch);
3933 static bool kvm_faultin_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault, int *r)
3935 struct kvm_memory_slot *slot = fault->slot;
3939 * Retry the page fault if the gfn hit a memslot that is being deleted
3940 * or moved. This ensures any existing SPTEs for the old memslot will
3941 * be zapped before KVM inserts a new MMIO SPTE for the gfn.
3943 if (slot && (slot->flags & KVM_MEMSLOT_INVALID))
3946 if (!kvm_is_visible_memslot(slot)) {
3947 /* Don't expose private memslots to L2. */
3948 if (is_guest_mode(vcpu)) {
3950 fault->pfn = KVM_PFN_NOSLOT;
3951 fault->map_writable = false;
3955 * If the APIC access page exists but is disabled, go directly
3956 * to emulation without caching the MMIO access or creating a
3957 * MMIO SPTE. That way the cache doesn't need to be purged
3958 * when the AVIC is re-enabled.
3960 if (slot && slot->id == APIC_ACCESS_PAGE_PRIVATE_MEMSLOT &&
3961 !kvm_apicv_activated(vcpu->kvm)) {
3962 *r = RET_PF_EMULATE;
3968 fault->pfn = __gfn_to_pfn_memslot(slot, fault->gfn, false, &async,
3969 fault->write, &fault->map_writable,
3972 return false; /* *pfn has correct page already */
3974 if (!fault->prefetch && kvm_can_do_async_pf(vcpu)) {
3975 trace_kvm_try_async_get_page(fault->addr, fault->gfn);
3976 if (kvm_find_async_pf_gfn(vcpu, fault->gfn)) {
3977 trace_kvm_async_pf_doublefault(fault->addr, fault->gfn);
3978 kvm_make_request(KVM_REQ_APF_HALT, vcpu);
3980 } else if (kvm_arch_setup_async_pf(vcpu, fault->addr, fault->gfn))
3984 fault->pfn = __gfn_to_pfn_memslot(slot, fault->gfn, false, NULL,
3985 fault->write, &fault->map_writable,
3995 * Returns true if the page fault is stale and needs to be retried, i.e. if the
3996 * root was invalidated by a memslot update or a relevant mmu_notifier fired.
3998 static bool is_page_fault_stale(struct kvm_vcpu *vcpu,
3999 struct kvm_page_fault *fault, int mmu_seq)
4001 struct kvm_mmu_page *sp = to_shadow_page(vcpu->arch.mmu->root.hpa);
4003 /* Special roots, e.g. pae_root, are not backed by shadow pages. */
4004 if (sp && is_obsolete_sp(vcpu->kvm, sp))
4008 * Roots without an associated shadow page are considered invalid if
4009 * there is a pending request to free obsolete roots. The request is
4010 * only a hint that the current root _may_ be obsolete and needs to be
4011 * reloaded, e.g. if the guest frees a PGD that KVM is tracking as a
4012 * previous root, then __kvm_mmu_prepare_zap_page() signals all vCPUs
4013 * to reload even if no vCPU is actively using the root.
4015 if (!sp && kvm_test_request(KVM_REQ_MMU_FREE_OBSOLETE_ROOTS, vcpu))
4018 return fault->slot &&
4019 mmu_notifier_retry_hva(vcpu->kvm, mmu_seq, fault->hva);
4022 static int direct_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
4024 bool is_tdp_mmu_fault = is_tdp_mmu(vcpu->arch.mmu);
4026 unsigned long mmu_seq;
4029 fault->gfn = fault->addr >> PAGE_SHIFT;
4030 fault->slot = kvm_vcpu_gfn_to_memslot(vcpu, fault->gfn);
4032 if (page_fault_handle_page_track(vcpu, fault))
4033 return RET_PF_EMULATE;
4035 r = fast_page_fault(vcpu, fault);
4036 if (r != RET_PF_INVALID)
4039 r = mmu_topup_memory_caches(vcpu, false);
4043 mmu_seq = vcpu->kvm->mmu_notifier_seq;
4046 if (kvm_faultin_pfn(vcpu, fault, &r))
4049 if (handle_abnormal_pfn(vcpu, fault, ACC_ALL, &r))
4054 if (is_tdp_mmu_fault)
4055 read_lock(&vcpu->kvm->mmu_lock);
4057 write_lock(&vcpu->kvm->mmu_lock);
4059 if (is_page_fault_stale(vcpu, fault, mmu_seq))
4062 r = make_mmu_pages_available(vcpu);
4066 if (is_tdp_mmu_fault)
4067 r = kvm_tdp_mmu_map(vcpu, fault);
4069 r = __direct_map(vcpu, fault);
4072 if (is_tdp_mmu_fault)
4073 read_unlock(&vcpu->kvm->mmu_lock);
4075 write_unlock(&vcpu->kvm->mmu_lock);
4076 kvm_release_pfn_clean(fault->pfn);
4080 static int nonpaging_page_fault(struct kvm_vcpu *vcpu,
4081 struct kvm_page_fault *fault)
4083 pgprintk("%s: gva %lx error %x\n", __func__, fault->addr, fault->error_code);
4085 /* This path builds a PAE pagetable, we can map 2mb pages at maximum. */
4086 fault->max_level = PG_LEVEL_2M;
4087 return direct_page_fault(vcpu, fault);
4090 int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
4091 u64 fault_address, char *insn, int insn_len)
4094 u32 flags = vcpu->arch.apf.host_apf_flags;
4096 #ifndef CONFIG_X86_64
4097 /* A 64-bit CR2 should be impossible on 32-bit KVM. */
4098 if (WARN_ON_ONCE(fault_address >> 32))
4102 vcpu->arch.l1tf_flush_l1d = true;
4104 trace_kvm_page_fault(fault_address, error_code);
4106 if (kvm_event_needs_reinjection(vcpu))
4107 kvm_mmu_unprotect_page_virt(vcpu, fault_address);
4108 r = kvm_mmu_page_fault(vcpu, fault_address, error_code, insn,
4110 } else if (flags & KVM_PV_REASON_PAGE_NOT_PRESENT) {
4111 vcpu->arch.apf.host_apf_flags = 0;
4112 local_irq_disable();
4113 kvm_async_pf_task_wait_schedule(fault_address);
4116 WARN_ONCE(1, "Unexpected host async PF flags: %x\n", flags);
4121 EXPORT_SYMBOL_GPL(kvm_handle_page_fault);
4123 int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
4125 while (fault->max_level > PG_LEVEL_4K) {
4126 int page_num = KVM_PAGES_PER_HPAGE(fault->max_level);
4127 gfn_t base = (fault->addr >> PAGE_SHIFT) & ~(page_num - 1);
4129 if (kvm_mtrr_check_gfn_range_consistency(vcpu, base, page_num))
4135 return direct_page_fault(vcpu, fault);
4138 static void nonpaging_init_context(struct kvm_mmu *context)
4140 context->page_fault = nonpaging_page_fault;
4141 context->gva_to_gpa = nonpaging_gva_to_gpa;
4142 context->sync_page = nonpaging_sync_page;
4143 context->invlpg = NULL;
4144 context->direct_map = true;
4147 static inline bool is_root_usable(struct kvm_mmu_root_info *root, gpa_t pgd,
4148 union kvm_mmu_page_role role)
4150 return (role.direct || pgd == root->pgd) &&
4151 VALID_PAGE(root->hpa) &&
4152 role.word == to_shadow_page(root->hpa)->role.word;
4156 * Find out if a previously cached root matching the new pgd/role is available,
4157 * and insert the current root as the MRU in the cache.
4158 * If a matching root is found, it is assigned to kvm_mmu->root and
4160 * If no match is found, kvm_mmu->root is left invalid, the LRU root is
4161 * evicted to make room for the current root, and false is returned.
4163 static bool cached_root_find_and_keep_current(struct kvm *kvm, struct kvm_mmu *mmu,
4165 union kvm_mmu_page_role new_role)
4169 if (is_root_usable(&mmu->root, new_pgd, new_role))
4172 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
4174 * The swaps end up rotating the cache like this:
4175 * C 0 1 2 3 (on entry to the function)
4179 * 3 C 0 1 2 (on exit from the loop)
4181 swap(mmu->root, mmu->prev_roots[i]);
4182 if (is_root_usable(&mmu->root, new_pgd, new_role))
4186 kvm_mmu_free_roots(kvm, mmu, KVM_MMU_ROOT_CURRENT);
4191 * Find out if a previously cached root matching the new pgd/role is available.
4192 * On entry, mmu->root is invalid.
4193 * If a matching root is found, it is assigned to kvm_mmu->root, the LRU entry
4194 * of the cache becomes invalid, and true is returned.
4195 * If no match is found, kvm_mmu->root is left invalid and false is returned.
4197 static bool cached_root_find_without_current(struct kvm *kvm, struct kvm_mmu *mmu,
4199 union kvm_mmu_page_role new_role)
4203 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
4204 if (is_root_usable(&mmu->prev_roots[i], new_pgd, new_role))
4210 swap(mmu->root, mmu->prev_roots[i]);
4211 /* Bubble up the remaining roots. */
4212 for (; i < KVM_MMU_NUM_PREV_ROOTS - 1; i++)
4213 mmu->prev_roots[i] = mmu->prev_roots[i + 1];
4214 mmu->prev_roots[i].hpa = INVALID_PAGE;
4218 static bool fast_pgd_switch(struct kvm *kvm, struct kvm_mmu *mmu,
4219 gpa_t new_pgd, union kvm_mmu_page_role new_role)
4222 * For now, limit the caching to 64-bit hosts+VMs in order to avoid
4223 * having to deal with PDPTEs. We may add support for 32-bit hosts/VMs
4224 * later if necessary.
4226 if (VALID_PAGE(mmu->root.hpa) && !to_shadow_page(mmu->root.hpa))
4227 kvm_mmu_free_roots(kvm, mmu, KVM_MMU_ROOT_CURRENT);
4229 if (VALID_PAGE(mmu->root.hpa))
4230 return cached_root_find_and_keep_current(kvm, mmu, new_pgd, new_role);
4232 return cached_root_find_without_current(kvm, mmu, new_pgd, new_role);
4235 void kvm_mmu_new_pgd(struct kvm_vcpu *vcpu, gpa_t new_pgd)
4237 struct kvm_mmu *mmu = vcpu->arch.mmu;
4238 union kvm_mmu_page_role new_role = mmu->root_role;
4240 if (!fast_pgd_switch(vcpu->kvm, mmu, new_pgd, new_role)) {
4241 /* kvm_mmu_ensure_valid_pgd will set up a new root. */
4246 * It's possible that the cached previous root page is obsolete because
4247 * of a change in the MMU generation number. However, changing the
4248 * generation number is accompanied by KVM_REQ_MMU_FREE_OBSOLETE_ROOTS,
4249 * which will free the root set here and allocate a new one.
4251 kvm_make_request(KVM_REQ_LOAD_MMU_PGD, vcpu);
4253 if (force_flush_and_sync_on_reuse) {
4254 kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
4255 kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
4259 * The last MMIO access's GVA and GPA are cached in the VCPU. When
4260 * switching to a new CR3, that GVA->GPA mapping may no longer be
4261 * valid. So clear any cached MMIO info even when we don't need to sync
4262 * the shadow page tables.
4264 vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
4267 * If this is a direct root page, it doesn't have a write flooding
4268 * count. Otherwise, clear the write flooding count.
4270 if (!new_role.direct)
4271 __clear_sp_write_flooding_count(
4272 to_shadow_page(vcpu->arch.mmu->root.hpa));
4274 EXPORT_SYMBOL_GPL(kvm_mmu_new_pgd);
4276 static unsigned long get_cr3(struct kvm_vcpu *vcpu)
4278 return kvm_read_cr3(vcpu);
4281 static bool sync_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, gfn_t gfn,
4282 unsigned int access)
4284 if (unlikely(is_mmio_spte(*sptep))) {
4285 if (gfn != get_mmio_spte_gfn(*sptep)) {
4286 mmu_spte_clear_no_track(sptep);
4290 mark_mmio_spte(vcpu, sptep, gfn, access);
4297 #define PTTYPE_EPT 18 /* arbitrary */
4298 #define PTTYPE PTTYPE_EPT
4299 #include "paging_tmpl.h"
4303 #include "paging_tmpl.h"
4307 #include "paging_tmpl.h"
4311 __reset_rsvds_bits_mask(struct rsvd_bits_validate *rsvd_check,
4312 u64 pa_bits_rsvd, int level, bool nx, bool gbpages,
4315 u64 gbpages_bit_rsvd = 0;
4316 u64 nonleaf_bit8_rsvd = 0;
4319 rsvd_check->bad_mt_xwr = 0;
4322 gbpages_bit_rsvd = rsvd_bits(7, 7);
4324 if (level == PT32E_ROOT_LEVEL)
4325 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 62);
4327 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
4329 /* Note, NX doesn't exist in PDPTEs, this is handled below. */
4331 high_bits_rsvd |= rsvd_bits(63, 63);
4334 * Non-leaf PML4Es and PDPEs reserve bit 8 (which would be the G bit for
4335 * leaf entries) on AMD CPUs only.
4338 nonleaf_bit8_rsvd = rsvd_bits(8, 8);
4341 case PT32_ROOT_LEVEL:
4342 /* no rsvd bits for 2 level 4K page table entries */
4343 rsvd_check->rsvd_bits_mask[0][1] = 0;
4344 rsvd_check->rsvd_bits_mask[0][0] = 0;
4345 rsvd_check->rsvd_bits_mask[1][0] =
4346 rsvd_check->rsvd_bits_mask[0][0];
4349 rsvd_check->rsvd_bits_mask[1][1] = 0;
4353 if (is_cpuid_PSE36())
4354 /* 36bits PSE 4MB page */
4355 rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(17, 21);
4357 /* 32 bits PSE 4MB page */
4358 rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(13, 21);
4360 case PT32E_ROOT_LEVEL:
4361 rsvd_check->rsvd_bits_mask[0][2] = rsvd_bits(63, 63) |
4364 rsvd_bits(1, 2); /* PDPTE */
4365 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd; /* PDE */
4366 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd; /* PTE */
4367 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
4368 rsvd_bits(13, 20); /* large page */
4369 rsvd_check->rsvd_bits_mask[1][0] =
4370 rsvd_check->rsvd_bits_mask[0][0];
4372 case PT64_ROOT_5LEVEL:
4373 rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd |
4376 rsvd_check->rsvd_bits_mask[1][4] =
4377 rsvd_check->rsvd_bits_mask[0][4];
4379 case PT64_ROOT_4LEVEL:
4380 rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd |
4383 rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd |
4385 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd;
4386 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
4387 rsvd_check->rsvd_bits_mask[1][3] =
4388 rsvd_check->rsvd_bits_mask[0][3];
4389 rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd |
4392 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
4393 rsvd_bits(13, 20); /* large page */
4394 rsvd_check->rsvd_bits_mask[1][0] =
4395 rsvd_check->rsvd_bits_mask[0][0];
4400 static bool guest_can_use_gbpages(struct kvm_vcpu *vcpu)
4403 * If TDP is enabled, let the guest use GBPAGES if they're supported in
4404 * hardware. The hardware page walker doesn't let KVM disable GBPAGES,
4405 * i.e. won't treat them as reserved, and KVM doesn't redo the GVA->GPA
4406 * walk for performance and complexity reasons. Not to mention KVM
4407 * _can't_ solve the problem because GVA->GPA walks aren't visible to
4408 * KVM once a TDP translation is installed. Mimic hardware behavior so
4409 * that KVM's is at least consistent, i.e. doesn't randomly inject #PF.
4411 return tdp_enabled ? boot_cpu_has(X86_FEATURE_GBPAGES) :
4412 guest_cpuid_has(vcpu, X86_FEATURE_GBPAGES);
4415 static void reset_rsvds_bits_mask(struct kvm_vcpu *vcpu,
4416 struct kvm_mmu *context)
4418 __reset_rsvds_bits_mask(&context->guest_rsvd_check,
4419 vcpu->arch.reserved_gpa_bits,
4420 context->cpu_role.base.level, is_efer_nx(context),
4421 guest_can_use_gbpages(vcpu),
4422 is_cr4_pse(context),
4423 guest_cpuid_is_amd_or_hygon(vcpu));
4427 __reset_rsvds_bits_mask_ept(struct rsvd_bits_validate *rsvd_check,
4428 u64 pa_bits_rsvd, bool execonly, int huge_page_level)
4430 u64 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
4431 u64 large_1g_rsvd = 0, large_2m_rsvd = 0;
4434 if (huge_page_level < PG_LEVEL_1G)
4435 large_1g_rsvd = rsvd_bits(7, 7);
4436 if (huge_page_level < PG_LEVEL_2M)
4437 large_2m_rsvd = rsvd_bits(7, 7);
4439 rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd | rsvd_bits(3, 7);
4440 rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd | rsvd_bits(3, 7);
4441 rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd | rsvd_bits(3, 6) | large_1g_rsvd;
4442 rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd | rsvd_bits(3, 6) | large_2m_rsvd;
4443 rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
4446 rsvd_check->rsvd_bits_mask[1][4] = rsvd_check->rsvd_bits_mask[0][4];
4447 rsvd_check->rsvd_bits_mask[1][3] = rsvd_check->rsvd_bits_mask[0][3];
4448 rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd | rsvd_bits(12, 29) | large_1g_rsvd;
4449 rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd | rsvd_bits(12, 20) | large_2m_rsvd;
4450 rsvd_check->rsvd_bits_mask[1][0] = rsvd_check->rsvd_bits_mask[0][0];
4452 bad_mt_xwr = 0xFFull << (2 * 8); /* bits 3..5 must not be 2 */
4453 bad_mt_xwr |= 0xFFull << (3 * 8); /* bits 3..5 must not be 3 */
4454 bad_mt_xwr |= 0xFFull << (7 * 8); /* bits 3..5 must not be 7 */
4455 bad_mt_xwr |= REPEAT_BYTE(1ull << 2); /* bits 0..2 must not be 010 */
4456 bad_mt_xwr |= REPEAT_BYTE(1ull << 6); /* bits 0..2 must not be 110 */
4458 /* bits 0..2 must not be 100 unless VMX capabilities allow it */
4459 bad_mt_xwr |= REPEAT_BYTE(1ull << 4);
4461 rsvd_check->bad_mt_xwr = bad_mt_xwr;
4464 static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
4465 struct kvm_mmu *context, bool execonly, int huge_page_level)
4467 __reset_rsvds_bits_mask_ept(&context->guest_rsvd_check,
4468 vcpu->arch.reserved_gpa_bits, execonly,
4472 static inline u64 reserved_hpa_bits(void)
4474 return rsvd_bits(shadow_phys_bits, 63);
4478 * the page table on host is the shadow page table for the page
4479 * table in guest or amd nested guest, its mmu features completely
4480 * follow the features in guest.
4482 static void reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu,
4483 struct kvm_mmu *context)
4485 /* @amd adds a check on bit of SPTEs, which KVM shouldn't use anyways. */
4487 /* KVM doesn't use 2-level page tables for the shadow MMU. */
4488 bool is_pse = false;
4489 struct rsvd_bits_validate *shadow_zero_check;
4492 WARN_ON_ONCE(context->root_role.level < PT32E_ROOT_LEVEL);
4494 shadow_zero_check = &context->shadow_zero_check;
4495 __reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
4496 context->root_role.level,
4497 context->root_role.efer_nx,
4498 guest_can_use_gbpages(vcpu), is_pse, is_amd);
4500 if (!shadow_me_mask)
4503 for (i = context->root_role.level; --i >= 0;) {
4504 shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_mask;
4505 shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_mask;
4510 static inline bool boot_cpu_is_amd(void)
4512 WARN_ON_ONCE(!tdp_enabled);
4513 return shadow_x_mask == 0;
4517 * the direct page table on host, use as much mmu features as
4518 * possible, however, kvm currently does not do execution-protection.
4521 reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context)
4523 struct rsvd_bits_validate *shadow_zero_check;
4526 shadow_zero_check = &context->shadow_zero_check;
4528 if (boot_cpu_is_amd())
4529 __reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
4530 context->root_role.level, false,
4531 boot_cpu_has(X86_FEATURE_GBPAGES),
4534 __reset_rsvds_bits_mask_ept(shadow_zero_check,
4535 reserved_hpa_bits(), false,
4536 max_huge_page_level);
4538 if (!shadow_me_mask)
4541 for (i = context->root_role.level; --i >= 0;) {
4542 shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_mask;
4543 shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_mask;
4548 * as the comments in reset_shadow_zero_bits_mask() except it
4549 * is the shadow page table for intel nested guest.
4552 reset_ept_shadow_zero_bits_mask(struct kvm_mmu *context, bool execonly)
4554 __reset_rsvds_bits_mask_ept(&context->shadow_zero_check,
4555 reserved_hpa_bits(), execonly,
4556 max_huge_page_level);
4559 #define BYTE_MASK(access) \
4560 ((1 & (access) ? 2 : 0) | \
4561 (2 & (access) ? 4 : 0) | \
4562 (3 & (access) ? 8 : 0) | \
4563 (4 & (access) ? 16 : 0) | \
4564 (5 & (access) ? 32 : 0) | \
4565 (6 & (access) ? 64 : 0) | \
4566 (7 & (access) ? 128 : 0))
4569 static void update_permission_bitmask(struct kvm_mmu *mmu, bool ept)
4573 const u8 x = BYTE_MASK(ACC_EXEC_MASK);
4574 const u8 w = BYTE_MASK(ACC_WRITE_MASK);
4575 const u8 u = BYTE_MASK(ACC_USER_MASK);
4577 bool cr4_smep = is_cr4_smep(mmu);
4578 bool cr4_smap = is_cr4_smap(mmu);
4579 bool cr0_wp = is_cr0_wp(mmu);
4580 bool efer_nx = is_efer_nx(mmu);
4582 for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
4583 unsigned pfec = byte << 1;
4586 * Each "*f" variable has a 1 bit for each UWX value
4587 * that causes a fault with the given PFEC.
4590 /* Faults from writes to non-writable pages */
4591 u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
4592 /* Faults from user mode accesses to supervisor pages */
4593 u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
4594 /* Faults from fetches of non-executable pages*/
4595 u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
4596 /* Faults from kernel mode fetches of user pages */
4598 /* Faults from kernel mode accesses of user pages */
4602 /* Faults from kernel mode accesses to user pages */
4603 u8 kf = (pfec & PFERR_USER_MASK) ? 0 : u;
4605 /* Not really needed: !nx will cause pte.nx to fault */
4609 /* Allow supervisor writes if !cr0.wp */
4611 wf = (pfec & PFERR_USER_MASK) ? wf : 0;
4613 /* Disallow supervisor fetches of user code if cr4.smep */
4615 smepf = (pfec & PFERR_FETCH_MASK) ? kf : 0;
4618 * SMAP:kernel-mode data accesses from user-mode
4619 * mappings should fault. A fault is considered
4620 * as a SMAP violation if all of the following
4621 * conditions are true:
4622 * - X86_CR4_SMAP is set in CR4
4623 * - A user page is accessed
4624 * - The access is not a fetch
4625 * - The access is supervisor mode
4626 * - If implicit supervisor access or X86_EFLAGS_AC is clear
4628 * Here, we cover the first four conditions.
4629 * The fifth is computed dynamically in permission_fault();
4630 * PFERR_RSVD_MASK bit will be set in PFEC if the access is
4631 * *not* subject to SMAP restrictions.
4634 smapf = (pfec & (PFERR_RSVD_MASK|PFERR_FETCH_MASK)) ? 0 : kf;
4637 mmu->permissions[byte] = ff | uf | wf | smepf | smapf;
4642 * PKU is an additional mechanism by which the paging controls access to
4643 * user-mode addresses based on the value in the PKRU register. Protection
4644 * key violations are reported through a bit in the page fault error code.
4645 * Unlike other bits of the error code, the PK bit is not known at the
4646 * call site of e.g. gva_to_gpa; it must be computed directly in
4647 * permission_fault based on two bits of PKRU, on some machine state (CR4,
4648 * CR0, EFER, CPL), and on other bits of the error code and the page tables.
4650 * In particular the following conditions come from the error code, the
4651 * page tables and the machine state:
4652 * - PK is always zero unless CR4.PKE=1 and EFER.LMA=1
4653 * - PK is always zero if RSVD=1 (reserved bit set) or F=1 (instruction fetch)
4654 * - PK is always zero if U=0 in the page tables
4655 * - PKRU.WD is ignored if CR0.WP=0 and the access is a supervisor access.
4657 * The PKRU bitmask caches the result of these four conditions. The error
4658 * code (minus the P bit) and the page table's U bit form an index into the
4659 * PKRU bitmask. Two bits of the PKRU bitmask are then extracted and ANDed
4660 * with the two bits of the PKRU register corresponding to the protection key.
4661 * For the first three conditions above the bits will be 00, thus masking
4662 * away both AD and WD. For all reads or if the last condition holds, WD
4663 * only will be masked away.
4665 static void update_pkru_bitmask(struct kvm_mmu *mmu)
4672 if (!is_cr4_pke(mmu))
4675 wp = is_cr0_wp(mmu);
4677 for (bit = 0; bit < ARRAY_SIZE(mmu->permissions); ++bit) {
4678 unsigned pfec, pkey_bits;
4679 bool check_pkey, check_write, ff, uf, wf, pte_user;
4682 ff = pfec & PFERR_FETCH_MASK;
4683 uf = pfec & PFERR_USER_MASK;
4684 wf = pfec & PFERR_WRITE_MASK;
4686 /* PFEC.RSVD is replaced by ACC_USER_MASK. */
4687 pte_user = pfec & PFERR_RSVD_MASK;
4690 * Only need to check the access which is not an
4691 * instruction fetch and is to a user page.
4693 check_pkey = (!ff && pte_user);
4695 * write access is controlled by PKRU if it is a
4696 * user access or CR0.WP = 1.
4698 check_write = check_pkey && wf && (uf || wp);
4700 /* PKRU.AD stops both read and write access. */
4701 pkey_bits = !!check_pkey;
4702 /* PKRU.WD stops write access. */
4703 pkey_bits |= (!!check_write) << 1;
4705 mmu->pkru_mask |= (pkey_bits & 3) << pfec;
4709 static void reset_guest_paging_metadata(struct kvm_vcpu *vcpu,
4710 struct kvm_mmu *mmu)
4712 if (!is_cr0_pg(mmu))
4715 reset_rsvds_bits_mask(vcpu, mmu);
4716 update_permission_bitmask(mmu, false);
4717 update_pkru_bitmask(mmu);
4720 static void paging64_init_context(struct kvm_mmu *context)
4722 context->page_fault = paging64_page_fault;
4723 context->gva_to_gpa = paging64_gva_to_gpa;
4724 context->sync_page = paging64_sync_page;
4725 context->invlpg = paging64_invlpg;
4726 context->direct_map = false;
4729 static void paging32_init_context(struct kvm_mmu *context)
4731 context->page_fault = paging32_page_fault;
4732 context->gva_to_gpa = paging32_gva_to_gpa;
4733 context->sync_page = paging32_sync_page;
4734 context->invlpg = paging32_invlpg;
4735 context->direct_map = false;
4738 static union kvm_cpu_role
4739 kvm_calc_cpu_role(struct kvm_vcpu *vcpu, const struct kvm_mmu_role_regs *regs)
4741 union kvm_cpu_role role = {0};
4743 role.base.access = ACC_ALL;
4744 role.base.smm = is_smm(vcpu);
4745 role.base.guest_mode = is_guest_mode(vcpu);
4748 if (!____is_cr0_pg(regs)) {
4749 role.base.direct = 1;
4753 role.base.efer_nx = ____is_efer_nx(regs);
4754 role.base.cr0_wp = ____is_cr0_wp(regs);
4755 role.base.smep_andnot_wp = ____is_cr4_smep(regs) && !____is_cr0_wp(regs);
4756 role.base.smap_andnot_wp = ____is_cr4_smap(regs) && !____is_cr0_wp(regs);
4757 role.base.has_4_byte_gpte = !____is_cr4_pae(regs);
4759 if (____is_efer_lma(regs))
4760 role.base.level = ____is_cr4_la57(regs) ? PT64_ROOT_5LEVEL
4762 else if (____is_cr4_pae(regs))
4763 role.base.level = PT32E_ROOT_LEVEL;
4765 role.base.level = PT32_ROOT_LEVEL;
4767 role.ext.cr4_smep = ____is_cr4_smep(regs);
4768 role.ext.cr4_smap = ____is_cr4_smap(regs);
4769 role.ext.cr4_pse = ____is_cr4_pse(regs);
4771 /* PKEY and LA57 are active iff long mode is active. */
4772 role.ext.cr4_pke = ____is_efer_lma(regs) && ____is_cr4_pke(regs);
4773 role.ext.cr4_la57 = ____is_efer_lma(regs) && ____is_cr4_la57(regs);
4774 role.ext.efer_lma = ____is_efer_lma(regs);
4778 static inline int kvm_mmu_get_tdp_level(struct kvm_vcpu *vcpu)
4780 /* tdp_root_level is architecture forced level, use it if nonzero */
4782 return tdp_root_level;
4784 /* Use 5-level TDP if and only if it's useful/necessary. */
4785 if (max_tdp_level == 5 && cpuid_maxphyaddr(vcpu) <= 48)
4788 return max_tdp_level;
4791 static union kvm_mmu_page_role
4792 kvm_calc_tdp_mmu_root_page_role(struct kvm_vcpu *vcpu,
4793 union kvm_cpu_role cpu_role)
4795 union kvm_mmu_page_role role = {0};
4797 role.access = ACC_ALL;
4799 role.efer_nx = true;
4800 role.smm = cpu_role.base.smm;
4801 role.guest_mode = cpu_role.base.guest_mode;
4802 role.ad_disabled = (shadow_accessed_mask == 0);
4803 role.level = kvm_mmu_get_tdp_level(vcpu);
4805 role.has_4_byte_gpte = false;
4810 static void init_kvm_tdp_mmu(struct kvm_vcpu *vcpu,
4811 union kvm_cpu_role cpu_role)
4813 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4814 union kvm_mmu_page_role root_role = kvm_calc_tdp_mmu_root_page_role(vcpu, cpu_role);
4816 if (cpu_role.as_u64 == context->cpu_role.as_u64 &&
4817 root_role.word == context->root_role.word)
4820 context->cpu_role.as_u64 = cpu_role.as_u64;
4821 context->root_role.word = root_role.word;
4822 context->page_fault = kvm_tdp_page_fault;
4823 context->sync_page = nonpaging_sync_page;
4824 context->invlpg = NULL;
4825 context->direct_map = true;
4826 context->get_guest_pgd = get_cr3;
4827 context->get_pdptr = kvm_pdptr_read;
4828 context->inject_page_fault = kvm_inject_page_fault;
4830 if (!is_cr0_pg(context))
4831 context->gva_to_gpa = nonpaging_gva_to_gpa;
4832 else if (is_cr4_pae(context))
4833 context->gva_to_gpa = paging64_gva_to_gpa;
4835 context->gva_to_gpa = paging32_gva_to_gpa;
4837 reset_guest_paging_metadata(vcpu, context);
4838 reset_tdp_shadow_zero_bits_mask(context);
4841 static void shadow_mmu_init_context(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
4842 union kvm_cpu_role cpu_role,
4843 union kvm_mmu_page_role root_role)
4845 if (cpu_role.as_u64 == context->cpu_role.as_u64 &&
4846 root_role.word == context->root_role.word)
4849 context->cpu_role.as_u64 = cpu_role.as_u64;
4850 context->root_role.word = root_role.word;
4852 if (!is_cr0_pg(context))
4853 nonpaging_init_context(context);
4854 else if (is_cr4_pae(context))
4855 paging64_init_context(context);
4857 paging32_init_context(context);
4859 reset_guest_paging_metadata(vcpu, context);
4860 reset_shadow_zero_bits_mask(vcpu, context);
4863 static void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu,
4864 union kvm_cpu_role cpu_role)
4866 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4867 union kvm_mmu_page_role root_role;
4869 root_role = cpu_role.base;
4871 /* KVM uses PAE paging whenever the guest isn't using 64-bit paging. */
4872 root_role.level = max_t(u32, root_role.level, PT32E_ROOT_LEVEL);
4875 * KVM forces EFER.NX=1 when TDP is disabled, reflect it in the MMU role.
4876 * KVM uses NX when TDP is disabled to handle a variety of scenarios,
4877 * notably for huge SPTEs if iTLB multi-hit mitigation is enabled and
4878 * to generate correct permissions for CR0.WP=0/CR4.SMEP=1/EFER.NX=0.
4879 * The iTLB multi-hit workaround can be toggled at any time, so assume
4880 * NX can be used by any non-nested shadow MMU to avoid having to reset
4883 root_role.efer_nx = true;
4885 shadow_mmu_init_context(vcpu, context, cpu_role, root_role);
4888 void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, unsigned long cr0,
4889 unsigned long cr4, u64 efer, gpa_t nested_cr3)
4891 struct kvm_mmu *context = &vcpu->arch.guest_mmu;
4892 struct kvm_mmu_role_regs regs = {
4894 .cr4 = cr4 & ~X86_CR4_PKE,
4897 union kvm_cpu_role cpu_role = kvm_calc_cpu_role(vcpu, ®s);
4898 union kvm_mmu_page_role root_role;
4900 /* NPT requires CR0.PG=1. */
4901 WARN_ON_ONCE(cpu_role.base.direct);
4903 root_role = cpu_role.base;
4904 root_role.level = kvm_mmu_get_tdp_level(vcpu);
4906 shadow_mmu_init_context(vcpu, context, cpu_role, root_role);
4907 kvm_mmu_new_pgd(vcpu, nested_cr3);
4909 EXPORT_SYMBOL_GPL(kvm_init_shadow_npt_mmu);
4911 static union kvm_cpu_role
4912 kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
4913 bool execonly, u8 level)
4915 union kvm_cpu_role role = {0};
4918 * KVM does not support SMM transfer monitors, and consequently does not
4919 * support the "entry to SMM" control either. role.base.smm is always 0.
4921 WARN_ON_ONCE(is_smm(vcpu));
4922 role.base.level = level;
4923 role.base.has_4_byte_gpte = false;
4924 role.base.direct = false;
4925 role.base.ad_disabled = !accessed_dirty;
4926 role.base.guest_mode = true;
4927 role.base.access = ACC_ALL;
4930 role.ext.execonly = execonly;
4936 void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
4937 int huge_page_level, bool accessed_dirty,
4940 struct kvm_mmu *context = &vcpu->arch.guest_mmu;
4941 u8 level = vmx_eptp_page_walk_level(new_eptp);
4942 union kvm_cpu_role new_mode =
4943 kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty,
4946 if (new_mode.as_u64 != context->cpu_role.as_u64) {
4947 /* EPT, and thus nested EPT, does not consume CR0, CR4, nor EFER. */
4948 context->cpu_role.as_u64 = new_mode.as_u64;
4949 context->root_role.word = new_mode.base.word;
4951 context->page_fault = ept_page_fault;
4952 context->gva_to_gpa = ept_gva_to_gpa;
4953 context->sync_page = ept_sync_page;
4954 context->invlpg = ept_invlpg;
4955 context->direct_map = false;
4956 update_permission_bitmask(context, true);
4957 context->pkru_mask = 0;
4958 reset_rsvds_bits_mask_ept(vcpu, context, execonly, huge_page_level);
4959 reset_ept_shadow_zero_bits_mask(context, execonly);
4962 kvm_mmu_new_pgd(vcpu, new_eptp);
4964 EXPORT_SYMBOL_GPL(kvm_init_shadow_ept_mmu);
4966 static void init_kvm_softmmu(struct kvm_vcpu *vcpu,
4967 union kvm_cpu_role cpu_role)
4969 struct kvm_mmu *context = &vcpu->arch.root_mmu;
4971 kvm_init_shadow_mmu(vcpu, cpu_role);
4973 context->get_guest_pgd = get_cr3;
4974 context->get_pdptr = kvm_pdptr_read;
4975 context->inject_page_fault = kvm_inject_page_fault;
4978 static void init_kvm_nested_mmu(struct kvm_vcpu *vcpu,
4979 union kvm_cpu_role new_mode)
4981 struct kvm_mmu *g_context = &vcpu->arch.nested_mmu;
4983 if (new_mode.as_u64 == g_context->cpu_role.as_u64)
4986 g_context->cpu_role.as_u64 = new_mode.as_u64;
4987 g_context->get_guest_pgd = get_cr3;
4988 g_context->get_pdptr = kvm_pdptr_read;
4989 g_context->inject_page_fault = kvm_inject_page_fault;
4992 * L2 page tables are never shadowed, so there is no need to sync
4995 g_context->invlpg = NULL;
4998 * Note that arch.mmu->gva_to_gpa translates l2_gpa to l1_gpa using
4999 * L1's nested page tables (e.g. EPT12). The nested translation
5000 * of l2_gva to l1_gpa is done by arch.nested_mmu.gva_to_gpa using
5001 * L2's page tables as the first level of translation and L1's
5002 * nested page tables as the second level of translation. Basically
5003 * the gva_to_gpa functions between mmu and nested_mmu are swapped.
5005 if (!is_paging(vcpu))
5006 g_context->gva_to_gpa = nonpaging_gva_to_gpa;
5007 else if (is_long_mode(vcpu))
5008 g_context->gva_to_gpa = paging64_gva_to_gpa;
5009 else if (is_pae(vcpu))
5010 g_context->gva_to_gpa = paging64_gva_to_gpa;
5012 g_context->gva_to_gpa = paging32_gva_to_gpa;
5014 reset_guest_paging_metadata(vcpu, g_context);
5017 void kvm_init_mmu(struct kvm_vcpu *vcpu)
5019 struct kvm_mmu_role_regs regs = vcpu_to_role_regs(vcpu);
5020 union kvm_cpu_role cpu_role = kvm_calc_cpu_role(vcpu, ®s);
5022 if (mmu_is_nested(vcpu))
5023 init_kvm_nested_mmu(vcpu, cpu_role);
5024 else if (tdp_enabled)
5025 init_kvm_tdp_mmu(vcpu, cpu_role);
5027 init_kvm_softmmu(vcpu, cpu_role);
5029 EXPORT_SYMBOL_GPL(kvm_init_mmu);
5031 void kvm_mmu_after_set_cpuid(struct kvm_vcpu *vcpu)
5034 * Invalidate all MMU roles to force them to reinitialize as CPUID
5035 * information is factored into reserved bit calculations.
5037 * Correctly handling multiple vCPU models with respect to paging and
5038 * physical address properties) in a single VM would require tracking
5039 * all relevant CPUID information in kvm_mmu_page_role. That is very
5040 * undesirable as it would increase the memory requirements for
5041 * gfn_track (see struct kvm_mmu_page_role comments). For now that
5042 * problem is swept under the rug; KVM's CPUID API is horrific and
5043 * it's all but impossible to solve it without introducing a new API.
5045 vcpu->arch.root_mmu.root_role.word = 0;
5046 vcpu->arch.guest_mmu.root_role.word = 0;
5047 vcpu->arch.nested_mmu.root_role.word = 0;
5048 vcpu->arch.root_mmu.cpu_role.ext.valid = 0;
5049 vcpu->arch.guest_mmu.cpu_role.ext.valid = 0;
5050 vcpu->arch.nested_mmu.cpu_role.ext.valid = 0;
5051 kvm_mmu_reset_context(vcpu);
5054 * Changing guest CPUID after KVM_RUN is forbidden, see the comment in
5055 * kvm_arch_vcpu_ioctl().
5057 KVM_BUG_ON(vcpu->arch.last_vmentry_cpu != -1, vcpu->kvm);
5060 void kvm_mmu_reset_context(struct kvm_vcpu *vcpu)
5062 kvm_mmu_unload(vcpu);
5065 EXPORT_SYMBOL_GPL(kvm_mmu_reset_context);
5067 int kvm_mmu_load(struct kvm_vcpu *vcpu)
5071 r = mmu_topup_memory_caches(vcpu, !vcpu->arch.mmu->direct_map);
5074 r = mmu_alloc_special_roots(vcpu);
5077 if (vcpu->arch.mmu->direct_map)
5078 r = mmu_alloc_direct_roots(vcpu);
5080 r = mmu_alloc_shadow_roots(vcpu);
5084 kvm_mmu_sync_roots(vcpu);
5086 kvm_mmu_load_pgd(vcpu);
5089 * Flush any TLB entries for the new root, the provenance of the root
5090 * is unknown. Even if KVM ensures there are no stale TLB entries
5091 * for a freed root, in theory another hypervisor could have left
5092 * stale entries. Flushing on alloc also allows KVM to skip the TLB
5093 * flush when freeing a root (see kvm_tdp_mmu_put_root()).
5095 static_call(kvm_x86_flush_tlb_current)(vcpu);
5100 void kvm_mmu_unload(struct kvm_vcpu *vcpu)
5102 struct kvm *kvm = vcpu->kvm;
5104 kvm_mmu_free_roots(kvm, &vcpu->arch.root_mmu, KVM_MMU_ROOTS_ALL);
5105 WARN_ON(VALID_PAGE(vcpu->arch.root_mmu.root.hpa));
5106 kvm_mmu_free_roots(kvm, &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL);
5107 WARN_ON(VALID_PAGE(vcpu->arch.guest_mmu.root.hpa));
5108 vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
5111 static bool is_obsolete_root(struct kvm *kvm, hpa_t root_hpa)
5113 struct kvm_mmu_page *sp;
5115 if (!VALID_PAGE(root_hpa))
5119 * When freeing obsolete roots, treat roots as obsolete if they don't
5120 * have an associated shadow page. This does mean KVM will get false
5121 * positives and free roots that don't strictly need to be freed, but
5122 * such false positives are relatively rare:
5124 * (a) only PAE paging and nested NPT has roots without shadow pages
5125 * (b) remote reloads due to a memslot update obsoletes _all_ roots
5126 * (c) KVM doesn't track previous roots for PAE paging, and the guest
5127 * is unlikely to zap an in-use PGD.
5129 sp = to_shadow_page(root_hpa);
5130 return !sp || is_obsolete_sp(kvm, sp);
5133 static void __kvm_mmu_free_obsolete_roots(struct kvm *kvm, struct kvm_mmu *mmu)
5135 unsigned long roots_to_free = 0;
5138 if (is_obsolete_root(kvm, mmu->root.hpa))
5139 roots_to_free |= KVM_MMU_ROOT_CURRENT;
5141 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
5142 if (is_obsolete_root(kvm, mmu->root.hpa))
5143 roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
5147 kvm_mmu_free_roots(kvm, mmu, roots_to_free);
5150 void kvm_mmu_free_obsolete_roots(struct kvm_vcpu *vcpu)
5152 __kvm_mmu_free_obsolete_roots(vcpu->kvm, &vcpu->arch.root_mmu);
5153 __kvm_mmu_free_obsolete_roots(vcpu->kvm, &vcpu->arch.guest_mmu);
5156 static bool need_remote_flush(u64 old, u64 new)
5158 if (!is_shadow_present_pte(old))
5160 if (!is_shadow_present_pte(new))
5162 if ((old ^ new) & PT64_BASE_ADDR_MASK)
5164 old ^= shadow_nx_mask;
5165 new ^= shadow_nx_mask;
5166 return (old & ~new & PT64_PERM_MASK) != 0;
5169 static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
5176 * Assume that the pte write on a page table of the same type
5177 * as the current vcpu paging mode since we update the sptes only
5178 * when they have the same mode.
5180 if (is_pae(vcpu) && *bytes == 4) {
5181 /* Handle a 32-bit guest writing two halves of a 64-bit gpte */
5186 if (*bytes == 4 || *bytes == 8) {
5187 r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes);
5196 * If we're seeing too many writes to a page, it may no longer be a page table,
5197 * or we may be forking, in which case it is better to unmap the page.
5199 static bool detect_write_flooding(struct kvm_mmu_page *sp)
5202 * Skip write-flooding detected for the sp whose level is 1, because
5203 * it can become unsync, then the guest page is not write-protected.
5205 if (sp->role.level == PG_LEVEL_4K)
5208 atomic_inc(&sp->write_flooding_count);
5209 return atomic_read(&sp->write_flooding_count) >= 3;
5213 * Misaligned accesses are too much trouble to fix up; also, they usually
5214 * indicate a page is not used as a page table.
5216 static bool detect_write_misaligned(struct kvm_mmu_page *sp, gpa_t gpa,
5219 unsigned offset, pte_size, misaligned;
5221 pgprintk("misaligned: gpa %llx bytes %d role %x\n",
5222 gpa, bytes, sp->role.word);
5224 offset = offset_in_page(gpa);
5225 pte_size = sp->role.has_4_byte_gpte ? 4 : 8;
5228 * Sometimes, the OS only writes the last one bytes to update status
5229 * bits, for example, in linux, andb instruction is used in clear_bit().
5231 if (!(offset & (pte_size - 1)) && bytes == 1)
5234 misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);
5235 misaligned |= bytes < 4;
5240 static u64 *get_written_sptes(struct kvm_mmu_page *sp, gpa_t gpa, int *nspte)
5242 unsigned page_offset, quadrant;
5246 page_offset = offset_in_page(gpa);
5247 level = sp->role.level;
5249 if (sp->role.has_4_byte_gpte) {
5250 page_offset <<= 1; /* 32->64 */
5252 * A 32-bit pde maps 4MB while the shadow pdes map
5253 * only 2MB. So we need to double the offset again
5254 * and zap two pdes instead of one.
5256 if (level == PT32_ROOT_LEVEL) {
5257 page_offset &= ~7; /* kill rounding error */
5261 quadrant = page_offset >> PAGE_SHIFT;
5262 page_offset &= ~PAGE_MASK;
5263 if (quadrant != sp->role.quadrant)
5267 spte = &sp->spt[page_offset / sizeof(*spte)];
5271 static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
5272 const u8 *new, int bytes,
5273 struct kvm_page_track_notifier_node *node)
5275 gfn_t gfn = gpa >> PAGE_SHIFT;
5276 struct kvm_mmu_page *sp;
5277 LIST_HEAD(invalid_list);
5278 u64 entry, gentry, *spte;
5283 * If we don't have indirect shadow pages, it means no page is
5284 * write-protected, so we can exit simply.
5286 if (!READ_ONCE(vcpu->kvm->arch.indirect_shadow_pages))
5289 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
5292 * No need to care whether allocation memory is successful
5293 * or not since pte prefetch is skipped if it does not have
5294 * enough objects in the cache.
5296 mmu_topup_memory_caches(vcpu, true);
5298 write_lock(&vcpu->kvm->mmu_lock);
5300 gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
5302 ++vcpu->kvm->stat.mmu_pte_write;
5304 for_each_gfn_indirect_valid_sp(vcpu->kvm, sp, gfn) {
5305 if (detect_write_misaligned(sp, gpa, bytes) ||
5306 detect_write_flooding(sp)) {
5307 kvm_mmu_prepare_zap_page(vcpu->kvm, sp, &invalid_list);
5308 ++vcpu->kvm->stat.mmu_flooded;
5312 spte = get_written_sptes(sp, gpa, &npte);
5318 mmu_page_zap_pte(vcpu->kvm, sp, spte, NULL);
5319 if (gentry && sp->role.level != PG_LEVEL_4K)
5320 ++vcpu->kvm->stat.mmu_pde_zapped;
5321 if (need_remote_flush(entry, *spte))
5326 kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
5327 write_unlock(&vcpu->kvm->mmu_lock);
5330 int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
5331 void *insn, int insn_len)
5333 int r, emulation_type = EMULTYPE_PF;
5334 bool direct = vcpu->arch.mmu->direct_map;
5336 if (WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root.hpa)))
5337 return RET_PF_RETRY;
5340 if (unlikely(error_code & PFERR_RSVD_MASK)) {
5341 r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
5342 if (r == RET_PF_EMULATE)
5346 if (r == RET_PF_INVALID) {
5347 r = kvm_mmu_do_page_fault(vcpu, cr2_or_gpa,
5348 lower_32_bits(error_code), false);
5349 if (KVM_BUG_ON(r == RET_PF_INVALID, vcpu->kvm))
5355 if (r != RET_PF_EMULATE)
5359 * Before emulating the instruction, check if the error code
5360 * was due to a RO violation while translating the guest page.
5361 * This can occur when using nested virtualization with nested
5362 * paging in both guests. If true, we simply unprotect the page
5363 * and resume the guest.
5365 if (vcpu->arch.mmu->direct_map &&
5366 (error_code & PFERR_NESTED_GUEST_PAGE) == PFERR_NESTED_GUEST_PAGE) {
5367 kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2_or_gpa));
5372 * vcpu->arch.mmu.page_fault returned RET_PF_EMULATE, but we can still
5373 * optimistically try to just unprotect the page and let the processor
5374 * re-execute the instruction that caused the page fault. Do not allow
5375 * retrying MMIO emulation, as it's not only pointless but could also
5376 * cause us to enter an infinite loop because the processor will keep
5377 * faulting on the non-existent MMIO address. Retrying an instruction
5378 * from a nested guest is also pointless and dangerous as we are only
5379 * explicitly shadowing L1's page tables, i.e. unprotecting something
5380 * for L1 isn't going to magically fix whatever issue cause L2 to fail.
5382 if (!mmio_info_in_cache(vcpu, cr2_or_gpa, direct) && !is_guest_mode(vcpu))
5383 emulation_type |= EMULTYPE_ALLOW_RETRY_PF;
5385 return x86_emulate_instruction(vcpu, cr2_or_gpa, emulation_type, insn,
5388 EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
5390 void kvm_mmu_invalidate_gva(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
5391 gva_t gva, hpa_t root_hpa)
5395 /* It's actually a GPA for vcpu->arch.guest_mmu. */
5396 if (mmu != &vcpu->arch.guest_mmu) {
5397 /* INVLPG on a non-canonical address is a NOP according to the SDM. */
5398 if (is_noncanonical_address(gva, vcpu))
5401 static_call(kvm_x86_flush_tlb_gva)(vcpu, gva);
5407 if (root_hpa == INVALID_PAGE) {
5408 mmu->invlpg(vcpu, gva, mmu->root.hpa);
5411 * INVLPG is required to invalidate any global mappings for the VA,
5412 * irrespective of PCID. Since it would take us roughly similar amount
5413 * of work to determine whether any of the prev_root mappings of the VA
5414 * is marked global, or to just sync it blindly, so we might as well
5415 * just always sync it.
5417 * Mappings not reachable via the current cr3 or the prev_roots will be
5418 * synced when switching to that cr3, so nothing needs to be done here
5421 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
5422 if (VALID_PAGE(mmu->prev_roots[i].hpa))
5423 mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
5425 mmu->invlpg(vcpu, gva, root_hpa);
5429 void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
5431 kvm_mmu_invalidate_gva(vcpu, vcpu->arch.walk_mmu, gva, INVALID_PAGE);
5432 ++vcpu->stat.invlpg;
5434 EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
5437 void kvm_mmu_invpcid_gva(struct kvm_vcpu *vcpu, gva_t gva, unsigned long pcid)
5439 struct kvm_mmu *mmu = vcpu->arch.mmu;
5440 bool tlb_flush = false;
5443 if (pcid == kvm_get_active_pcid(vcpu)) {
5444 mmu->invlpg(vcpu, gva, mmu->root.hpa);
5448 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
5449 if (VALID_PAGE(mmu->prev_roots[i].hpa) &&
5450 pcid == kvm_get_pcid(vcpu, mmu->prev_roots[i].pgd)) {
5451 mmu->invlpg(vcpu, gva, mmu->prev_roots[i].hpa);
5457 static_call(kvm_x86_flush_tlb_gva)(vcpu, gva);
5459 ++vcpu->stat.invlpg;
5462 * Mappings not reachable via the current cr3 or the prev_roots will be
5463 * synced when switching to that cr3, so nothing needs to be done here
5468 void kvm_configure_mmu(bool enable_tdp, int tdp_forced_root_level,
5469 int tdp_max_root_level, int tdp_huge_page_level)
5471 tdp_enabled = enable_tdp;
5472 tdp_root_level = tdp_forced_root_level;
5473 max_tdp_level = tdp_max_root_level;
5476 * max_huge_page_level reflects KVM's MMU capabilities irrespective
5477 * of kernel support, e.g. KVM may be capable of using 1GB pages when
5478 * the kernel is not. But, KVM never creates a page size greater than
5479 * what is used by the kernel for any given HVA, i.e. the kernel's
5480 * capabilities are ultimately consulted by kvm_mmu_hugepage_adjust().
5483 max_huge_page_level = tdp_huge_page_level;
5484 else if (boot_cpu_has(X86_FEATURE_GBPAGES))
5485 max_huge_page_level = PG_LEVEL_1G;
5487 max_huge_page_level = PG_LEVEL_2M;
5489 EXPORT_SYMBOL_GPL(kvm_configure_mmu);
5491 /* The return value indicates if tlb flush on all vcpus is needed. */
5492 typedef bool (*slot_level_handler) (struct kvm *kvm,
5493 struct kvm_rmap_head *rmap_head,
5494 const struct kvm_memory_slot *slot);
5496 /* The caller should hold mmu-lock before calling this function. */
5497 static __always_inline bool
5498 slot_handle_level_range(struct kvm *kvm, const struct kvm_memory_slot *memslot,
5499 slot_level_handler fn, int start_level, int end_level,
5500 gfn_t start_gfn, gfn_t end_gfn, bool flush_on_yield,
5503 struct slot_rmap_walk_iterator iterator;
5505 for_each_slot_rmap_range(memslot, start_level, end_level, start_gfn,
5506 end_gfn, &iterator) {
5508 flush |= fn(kvm, iterator.rmap, memslot);
5510 if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
5511 if (flush && flush_on_yield) {
5512 kvm_flush_remote_tlbs_with_address(kvm,
5514 iterator.gfn - start_gfn + 1);
5517 cond_resched_rwlock_write(&kvm->mmu_lock);
5524 static __always_inline bool
5525 slot_handle_level(struct kvm *kvm, const struct kvm_memory_slot *memslot,
5526 slot_level_handler fn, int start_level, int end_level,
5527 bool flush_on_yield)
5529 return slot_handle_level_range(kvm, memslot, fn, start_level,
5530 end_level, memslot->base_gfn,
5531 memslot->base_gfn + memslot->npages - 1,
5532 flush_on_yield, false);
5535 static __always_inline bool
5536 slot_handle_level_4k(struct kvm *kvm, const struct kvm_memory_slot *memslot,
5537 slot_level_handler fn, bool flush_on_yield)
5539 return slot_handle_level(kvm, memslot, fn, PG_LEVEL_4K,
5540 PG_LEVEL_4K, flush_on_yield);
5543 static void free_mmu_pages(struct kvm_mmu *mmu)
5545 if (!tdp_enabled && mmu->pae_root)
5546 set_memory_encrypted((unsigned long)mmu->pae_root, 1);
5547 free_page((unsigned long)mmu->pae_root);
5548 free_page((unsigned long)mmu->pml4_root);
5549 free_page((unsigned long)mmu->pml5_root);
5552 static int __kvm_mmu_create(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu)
5557 mmu->root.hpa = INVALID_PAGE;
5559 for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
5560 mmu->prev_roots[i] = KVM_MMU_ROOT_INFO_INVALID;
5562 /* vcpu->arch.guest_mmu isn't used when !tdp_enabled. */
5563 if (!tdp_enabled && mmu == &vcpu->arch.guest_mmu)
5567 * When using PAE paging, the four PDPTEs are treated as 'root' pages,
5568 * while the PDP table is a per-vCPU construct that's allocated at MMU
5569 * creation. When emulating 32-bit mode, cr3 is only 32 bits even on
5570 * x86_64. Therefore we need to allocate the PDP table in the first
5571 * 4GB of memory, which happens to fit the DMA32 zone. TDP paging
5572 * generally doesn't use PAE paging and can skip allocating the PDP
5573 * table. The main exception, handled here, is SVM's 32-bit NPT. The
5574 * other exception is for shadowing L1's 32-bit or PAE NPT on 64-bit
5575 * KVM; that horror is handled on-demand by mmu_alloc_special_roots().
5577 if (tdp_enabled && kvm_mmu_get_tdp_level(vcpu) > PT32E_ROOT_LEVEL)
5580 page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_DMA32);
5584 mmu->pae_root = page_address(page);
5587 * CR3 is only 32 bits when PAE paging is used, thus it's impossible to
5588 * get the CPU to treat the PDPTEs as encrypted. Decrypt the page so
5589 * that KVM's writes and the CPU's reads get along. Note, this is
5590 * only necessary when using shadow paging, as 64-bit NPT can get at
5591 * the C-bit even when shadowing 32-bit NPT, and SME isn't supported
5592 * by 32-bit kernels (when KVM itself uses 32-bit NPT).
5595 set_memory_decrypted((unsigned long)mmu->pae_root, 1);
5597 WARN_ON_ONCE(shadow_me_mask);
5599 for (i = 0; i < 4; ++i)
5600 mmu->pae_root[i] = INVALID_PAE_ROOT;
5605 int kvm_mmu_create(struct kvm_vcpu *vcpu)
5609 vcpu->arch.mmu_pte_list_desc_cache.kmem_cache = pte_list_desc_cache;
5610 vcpu->arch.mmu_pte_list_desc_cache.gfp_zero = __GFP_ZERO;
5612 vcpu->arch.mmu_page_header_cache.kmem_cache = mmu_page_header_cache;
5613 vcpu->arch.mmu_page_header_cache.gfp_zero = __GFP_ZERO;
5615 vcpu->arch.mmu_shadow_page_cache.gfp_zero = __GFP_ZERO;
5617 vcpu->arch.mmu = &vcpu->arch.root_mmu;
5618 vcpu->arch.walk_mmu = &vcpu->arch.root_mmu;
5620 ret = __kvm_mmu_create(vcpu, &vcpu->arch.guest_mmu);
5624 ret = __kvm_mmu_create(vcpu, &vcpu->arch.root_mmu);
5626 goto fail_allocate_root;
5630 free_mmu_pages(&vcpu->arch.guest_mmu);
5634 #define BATCH_ZAP_PAGES 10
5635 static void kvm_zap_obsolete_pages(struct kvm *kvm)
5637 struct kvm_mmu_page *sp, *node;
5638 int nr_zapped, batch = 0;
5641 list_for_each_entry_safe_reverse(sp, node,
5642 &kvm->arch.active_mmu_pages, link) {
5644 * No obsolete valid page exists before a newly created page
5645 * since active_mmu_pages is a FIFO list.
5647 if (!is_obsolete_sp(kvm, sp))
5651 * Invalid pages should never land back on the list of active
5652 * pages. Skip the bogus page, otherwise we'll get stuck in an
5653 * infinite loop if the page gets put back on the list (again).
5655 if (WARN_ON(sp->role.invalid))
5659 * No need to flush the TLB since we're only zapping shadow
5660 * pages with an obsolete generation number and all vCPUS have
5661 * loaded a new root, i.e. the shadow pages being zapped cannot
5662 * be in active use by the guest.
5664 if (batch >= BATCH_ZAP_PAGES &&
5665 cond_resched_rwlock_write(&kvm->mmu_lock)) {
5670 if (__kvm_mmu_prepare_zap_page(kvm, sp,
5671 &kvm->arch.zapped_obsolete_pages, &nr_zapped)) {
5678 * Kick all vCPUs (via remote TLB flush) before freeing the page tables
5679 * to ensure KVM is not in the middle of a lockless shadow page table
5680 * walk, which may reference the pages. The remote TLB flush itself is
5681 * not required and is simply a convenient way to kick vCPUs as needed.
5682 * KVM performs a local TLB flush when allocating a new root (see
5683 * kvm_mmu_load()), and the reload in the caller ensure no vCPUs are
5684 * running with an obsolete MMU.
5686 kvm_mmu_commit_zap_page(kvm, &kvm->arch.zapped_obsolete_pages);
5690 * Fast invalidate all shadow pages and use lock-break technique
5691 * to zap obsolete pages.
5693 * It's required when memslot is being deleted or VM is being
5694 * destroyed, in these cases, we should ensure that KVM MMU does
5695 * not use any resource of the being-deleted slot or all slots
5696 * after calling the function.
5698 static void kvm_mmu_zap_all_fast(struct kvm *kvm)
5700 lockdep_assert_held(&kvm->slots_lock);
5702 write_lock(&kvm->mmu_lock);
5703 trace_kvm_mmu_zap_all_fast(kvm);
5706 * Toggle mmu_valid_gen between '0' and '1'. Because slots_lock is
5707 * held for the entire duration of zapping obsolete pages, it's
5708 * impossible for there to be multiple invalid generations associated
5709 * with *valid* shadow pages at any given time, i.e. there is exactly
5710 * one valid generation and (at most) one invalid generation.
5712 kvm->arch.mmu_valid_gen = kvm->arch.mmu_valid_gen ? 0 : 1;
5715 * In order to ensure all vCPUs drop their soon-to-be invalid roots,
5716 * invalidating TDP MMU roots must be done while holding mmu_lock for
5717 * write and in the same critical section as making the reload request,
5718 * e.g. before kvm_zap_obsolete_pages() could drop mmu_lock and yield.
5720 if (is_tdp_mmu_enabled(kvm))
5721 kvm_tdp_mmu_invalidate_all_roots(kvm);
5724 * Notify all vcpus to reload its shadow page table and flush TLB.
5725 * Then all vcpus will switch to new shadow page table with the new
5728 * Note: we need to do this under the protection of mmu_lock,
5729 * otherwise, vcpu would purge shadow page but miss tlb flush.
5731 kvm_make_all_cpus_request(kvm, KVM_REQ_MMU_FREE_OBSOLETE_ROOTS);
5733 kvm_zap_obsolete_pages(kvm);
5735 write_unlock(&kvm->mmu_lock);
5738 * Zap the invalidated TDP MMU roots, all SPTEs must be dropped before
5739 * returning to the caller, e.g. if the zap is in response to a memslot
5740 * deletion, mmu_notifier callbacks will be unable to reach the SPTEs
5741 * associated with the deleted memslot once the update completes, and
5742 * Deferring the zap until the final reference to the root is put would
5743 * lead to use-after-free.
5745 if (is_tdp_mmu_enabled(kvm))
5746 kvm_tdp_mmu_zap_invalidated_roots(kvm);
5749 static bool kvm_has_zapped_obsolete_pages(struct kvm *kvm)
5751 return unlikely(!list_empty_careful(&kvm->arch.zapped_obsolete_pages));
5754 static void kvm_mmu_invalidate_zap_pages_in_memslot(struct kvm *kvm,
5755 struct kvm_memory_slot *slot,
5756 struct kvm_page_track_notifier_node *node)
5758 kvm_mmu_zap_all_fast(kvm);
5761 int kvm_mmu_init_vm(struct kvm *kvm)
5763 struct kvm_page_track_notifier_node *node = &kvm->arch.mmu_sp_tracker;
5766 INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
5767 INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
5768 INIT_LIST_HEAD(&kvm->arch.lpage_disallowed_mmu_pages);
5769 spin_lock_init(&kvm->arch.mmu_unsync_pages_lock);
5771 r = kvm_mmu_init_tdp_mmu(kvm);
5775 node->track_write = kvm_mmu_pte_write;
5776 node->track_flush_slot = kvm_mmu_invalidate_zap_pages_in_memslot;
5777 kvm_page_track_register_notifier(kvm, node);
5781 void kvm_mmu_uninit_vm(struct kvm *kvm)
5783 struct kvm_page_track_notifier_node *node = &kvm->arch.mmu_sp_tracker;
5785 kvm_page_track_unregister_notifier(kvm, node);
5787 kvm_mmu_uninit_tdp_mmu(kvm);
5790 static bool __kvm_zap_rmaps(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
5792 const struct kvm_memory_slot *memslot;
5793 struct kvm_memslots *slots;
5794 struct kvm_memslot_iter iter;
5799 if (!kvm_memslots_have_rmaps(kvm))
5802 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
5803 slots = __kvm_memslots(kvm, i);
5805 kvm_for_each_memslot_in_gfn_range(&iter, slots, gfn_start, gfn_end) {
5806 memslot = iter.slot;
5807 start = max(gfn_start, memslot->base_gfn);
5808 end = min(gfn_end, memslot->base_gfn + memslot->npages);
5809 if (WARN_ON_ONCE(start >= end))
5812 flush = slot_handle_level_range(kvm, memslot, kvm_zap_rmapp,
5814 PG_LEVEL_4K, KVM_MAX_HUGEPAGE_LEVEL,
5815 start, end - 1, true, flush);
5823 * Invalidate (zap) SPTEs that cover GFNs from gfn_start and up to gfn_end
5824 * (not including it)
5826 void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
5831 if (WARN_ON_ONCE(gfn_end <= gfn_start))
5834 write_lock(&kvm->mmu_lock);
5836 kvm_inc_notifier_count(kvm, gfn_start, gfn_end);
5838 flush = __kvm_zap_rmaps(kvm, gfn_start, gfn_end);
5840 if (is_tdp_mmu_enabled(kvm)) {
5841 for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++)
5842 flush = kvm_tdp_mmu_zap_leafs(kvm, i, gfn_start,
5843 gfn_end, true, flush);
5847 kvm_flush_remote_tlbs_with_address(kvm, gfn_start,
5848 gfn_end - gfn_start);
5850 kvm_dec_notifier_count(kvm, gfn_start, gfn_end);
5852 write_unlock(&kvm->mmu_lock);
5855 static bool slot_rmap_write_protect(struct kvm *kvm,
5856 struct kvm_rmap_head *rmap_head,
5857 const struct kvm_memory_slot *slot)
5859 return rmap_write_protect(rmap_head, false);
5862 void kvm_mmu_slot_remove_write_access(struct kvm *kvm,
5863 const struct kvm_memory_slot *memslot,
5868 if (kvm_memslots_have_rmaps(kvm)) {
5869 write_lock(&kvm->mmu_lock);
5870 flush = slot_handle_level(kvm, memslot, slot_rmap_write_protect,
5871 start_level, KVM_MAX_HUGEPAGE_LEVEL,
5873 write_unlock(&kvm->mmu_lock);
5876 if (is_tdp_mmu_enabled(kvm)) {
5877 read_lock(&kvm->mmu_lock);
5878 flush |= kvm_tdp_mmu_wrprot_slot(kvm, memslot, start_level);
5879 read_unlock(&kvm->mmu_lock);
5883 * Flush TLBs if any SPTEs had to be write-protected to ensure that
5884 * guest writes are reflected in the dirty bitmap before the memslot
5885 * update completes, i.e. before enabling dirty logging is visible to
5888 * Perform the TLB flush outside the mmu_lock to reduce the amount of
5889 * time the lock is held. However, this does mean that another CPU can
5890 * now grab mmu_lock and encounter a write-protected SPTE while CPUs
5891 * still have a writable mapping for the associated GFN in their TLB.
5893 * This is safe but requires KVM to be careful when making decisions
5894 * based on the write-protection status of an SPTE. Specifically, KVM
5895 * also write-protects SPTEs to monitor changes to guest page tables
5896 * during shadow paging, and must guarantee no CPUs can write to those
5897 * page before the lock is dropped. As mentioned in the previous
5898 * paragraph, a write-protected SPTE is no guarantee that CPU cannot
5899 * perform writes. So to determine if a TLB flush is truly required, KVM
5900 * will clear a separate software-only bit (MMU-writable) and skip the
5901 * flush if-and-only-if this bit was already clear.
5903 * See is_writable_pte() for more details.
5906 kvm_arch_flush_remote_tlbs_memslot(kvm, memslot);
5909 /* Must be called with the mmu_lock held in write-mode. */
5910 void kvm_mmu_try_split_huge_pages(struct kvm *kvm,
5911 const struct kvm_memory_slot *memslot,
5915 if (is_tdp_mmu_enabled(kvm))
5916 kvm_tdp_mmu_try_split_huge_pages(kvm, memslot, start, end,
5917 target_level, false);
5920 * A TLB flush is unnecessary at this point for the same resons as in
5921 * kvm_mmu_slot_try_split_huge_pages().
5925 void kvm_mmu_slot_try_split_huge_pages(struct kvm *kvm,
5926 const struct kvm_memory_slot *memslot,
5929 u64 start = memslot->base_gfn;
5930 u64 end = start + memslot->npages;
5932 if (is_tdp_mmu_enabled(kvm)) {
5933 read_lock(&kvm->mmu_lock);
5934 kvm_tdp_mmu_try_split_huge_pages(kvm, memslot, start, end, target_level, true);
5935 read_unlock(&kvm->mmu_lock);
5939 * No TLB flush is necessary here. KVM will flush TLBs after
5940 * write-protecting and/or clearing dirty on the newly split SPTEs to
5941 * ensure that guest writes are reflected in the dirty log before the
5942 * ioctl to enable dirty logging on this memslot completes. Since the
5943 * split SPTEs retain the write and dirty bits of the huge SPTE, it is
5944 * safe for KVM to decide if a TLB flush is necessary based on the split
5949 static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm,
5950 struct kvm_rmap_head *rmap_head,
5951 const struct kvm_memory_slot *slot)
5954 struct rmap_iterator iter;
5955 int need_tlb_flush = 0;
5957 struct kvm_mmu_page *sp;
5960 for_each_rmap_spte(rmap_head, &iter, sptep) {
5961 sp = sptep_to_sp(sptep);
5962 pfn = spte_to_pfn(*sptep);
5965 * We cannot do huge page mapping for indirect shadow pages,
5966 * which are found on the last rmap (level = 1) when not using
5967 * tdp; such shadow pages are synced with the page table in
5968 * the guest, and the guest page table is using 4K page size
5969 * mapping if the indirect sp has level = 1.
5971 if (sp->role.direct && !kvm_is_reserved_pfn(pfn) &&
5972 sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn,
5973 pfn, PG_LEVEL_NUM)) {
5974 pte_list_remove(kvm, rmap_head, sptep);
5976 if (kvm_available_flush_tlb_with_range())
5977 kvm_flush_remote_tlbs_with_address(kvm, sp->gfn,
5978 KVM_PAGES_PER_HPAGE(sp->role.level));
5986 return need_tlb_flush;
5989 void kvm_mmu_zap_collapsible_sptes(struct kvm *kvm,
5990 const struct kvm_memory_slot *slot)
5992 if (kvm_memslots_have_rmaps(kvm)) {
5993 write_lock(&kvm->mmu_lock);
5995 * Zap only 4k SPTEs since the legacy MMU only supports dirty
5996 * logging at a 4k granularity and never creates collapsible
5997 * 2m SPTEs during dirty logging.
5999 if (slot_handle_level_4k(kvm, slot, kvm_mmu_zap_collapsible_spte, true))
6000 kvm_arch_flush_remote_tlbs_memslot(kvm, slot);
6001 write_unlock(&kvm->mmu_lock);
6004 if (is_tdp_mmu_enabled(kvm)) {
6005 read_lock(&kvm->mmu_lock);
6006 kvm_tdp_mmu_zap_collapsible_sptes(kvm, slot);
6007 read_unlock(&kvm->mmu_lock);
6011 void kvm_arch_flush_remote_tlbs_memslot(struct kvm *kvm,
6012 const struct kvm_memory_slot *memslot)
6015 * All current use cases for flushing the TLBs for a specific memslot
6016 * related to dirty logging, and many do the TLB flush out of mmu_lock.
6017 * The interaction between the various operations on memslot must be
6018 * serialized by slots_locks to ensure the TLB flush from one operation
6019 * is observed by any other operation on the same memslot.
6021 lockdep_assert_held(&kvm->slots_lock);
6022 kvm_flush_remote_tlbs_with_address(kvm, memslot->base_gfn,
6026 void kvm_mmu_slot_leaf_clear_dirty(struct kvm *kvm,
6027 const struct kvm_memory_slot *memslot)
6031 if (kvm_memslots_have_rmaps(kvm)) {
6032 write_lock(&kvm->mmu_lock);
6034 * Clear dirty bits only on 4k SPTEs since the legacy MMU only
6035 * support dirty logging at a 4k granularity.
6037 flush = slot_handle_level_4k(kvm, memslot, __rmap_clear_dirty, false);
6038 write_unlock(&kvm->mmu_lock);
6041 if (is_tdp_mmu_enabled(kvm)) {
6042 read_lock(&kvm->mmu_lock);
6043 flush |= kvm_tdp_mmu_clear_dirty_slot(kvm, memslot);
6044 read_unlock(&kvm->mmu_lock);
6048 * It's also safe to flush TLBs out of mmu lock here as currently this
6049 * function is only used for dirty logging, in which case flushing TLB
6050 * out of mmu lock also guarantees no dirty pages will be lost in
6054 kvm_arch_flush_remote_tlbs_memslot(kvm, memslot);
6057 void kvm_mmu_zap_all(struct kvm *kvm)
6059 struct kvm_mmu_page *sp, *node;
6060 LIST_HEAD(invalid_list);
6063 write_lock(&kvm->mmu_lock);
6065 list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) {
6066 if (WARN_ON(sp->role.invalid))
6068 if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign))
6070 if (cond_resched_rwlock_write(&kvm->mmu_lock))
6074 kvm_mmu_commit_zap_page(kvm, &invalid_list);
6076 if (is_tdp_mmu_enabled(kvm))
6077 kvm_tdp_mmu_zap_all(kvm);
6079 write_unlock(&kvm->mmu_lock);
6082 void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm, u64 gen)
6084 WARN_ON(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS);
6086 gen &= MMIO_SPTE_GEN_MASK;
6089 * Generation numbers are incremented in multiples of the number of
6090 * address spaces in order to provide unique generations across all
6091 * address spaces. Strip what is effectively the address space
6092 * modifier prior to checking for a wrap of the MMIO generation so
6093 * that a wrap in any address space is detected.
6095 gen &= ~((u64)KVM_ADDRESS_SPACE_NUM - 1);
6098 * The very rare case: if the MMIO generation number has wrapped,
6099 * zap all shadow pages.
6101 if (unlikely(gen == 0)) {
6102 kvm_debug_ratelimited("kvm: zapping shadow pages for mmio generation wraparound\n");
6103 kvm_mmu_zap_all_fast(kvm);
6107 static unsigned long
6108 mmu_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
6111 int nr_to_scan = sc->nr_to_scan;
6112 unsigned long freed = 0;
6114 mutex_lock(&kvm_lock);
6116 list_for_each_entry(kvm, &vm_list, vm_list) {
6118 LIST_HEAD(invalid_list);
6121 * Never scan more than sc->nr_to_scan VM instances.
6122 * Will not hit this condition practically since we do not try
6123 * to shrink more than one VM and it is very unlikely to see
6124 * !n_used_mmu_pages so many times.
6129 * n_used_mmu_pages is accessed without holding kvm->mmu_lock
6130 * here. We may skip a VM instance errorneosly, but we do not
6131 * want to shrink a VM that only started to populate its MMU
6134 if (!kvm->arch.n_used_mmu_pages &&
6135 !kvm_has_zapped_obsolete_pages(kvm))
6138 idx = srcu_read_lock(&kvm->srcu);
6139 write_lock(&kvm->mmu_lock);
6141 if (kvm_has_zapped_obsolete_pages(kvm)) {
6142 kvm_mmu_commit_zap_page(kvm,
6143 &kvm->arch.zapped_obsolete_pages);
6147 freed = kvm_mmu_zap_oldest_mmu_pages(kvm, sc->nr_to_scan);
6150 write_unlock(&kvm->mmu_lock);
6151 srcu_read_unlock(&kvm->srcu, idx);
6154 * unfair on small ones
6155 * per-vm shrinkers cry out
6156 * sadness comes quickly
6158 list_move_tail(&kvm->vm_list, &vm_list);
6162 mutex_unlock(&kvm_lock);
6166 static unsigned long
6167 mmu_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
6169 return percpu_counter_read_positive(&kvm_total_used_mmu_pages);
6172 static struct shrinker mmu_shrinker = {
6173 .count_objects = mmu_shrink_count,
6174 .scan_objects = mmu_shrink_scan,
6175 .seeks = DEFAULT_SEEKS * 10,
6178 static void mmu_destroy_caches(void)
6180 kmem_cache_destroy(pte_list_desc_cache);
6181 kmem_cache_destroy(mmu_page_header_cache);
6184 static bool get_nx_auto_mode(void)
6186 /* Return true when CPU has the bug, and mitigations are ON */
6187 return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off();
6190 static void __set_nx_huge_pages(bool val)
6192 nx_huge_pages = itlb_multihit_kvm_mitigation = val;
6195 static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
6197 bool old_val = nx_huge_pages;
6200 /* In "auto" mode deploy workaround only if CPU has the bug. */
6201 if (sysfs_streq(val, "off"))
6203 else if (sysfs_streq(val, "force"))
6205 else if (sysfs_streq(val, "auto"))
6206 new_val = get_nx_auto_mode();
6207 else if (strtobool(val, &new_val) < 0)
6210 __set_nx_huge_pages(new_val);
6212 if (new_val != old_val) {
6215 mutex_lock(&kvm_lock);
6217 list_for_each_entry(kvm, &vm_list, vm_list) {
6218 mutex_lock(&kvm->slots_lock);
6219 kvm_mmu_zap_all_fast(kvm);
6220 mutex_unlock(&kvm->slots_lock);
6222 wake_up_process(kvm->arch.nx_lpage_recovery_thread);
6224 mutex_unlock(&kvm_lock);
6231 * nx_huge_pages needs to be resolved to true/false when kvm.ko is loaded, as
6232 * its default value of -1 is technically undefined behavior for a boolean.
6234 void kvm_mmu_x86_module_init(void)
6236 if (nx_huge_pages == -1)
6237 __set_nx_huge_pages(get_nx_auto_mode());
6241 * The bulk of the MMU initialization is deferred until the vendor module is
6242 * loaded as many of the masks/values may be modified by VMX or SVM, i.e. need
6243 * to be reset when a potentially different vendor module is loaded.
6245 int kvm_mmu_vendor_module_init(void)
6250 * MMU roles use union aliasing which is, generally speaking, an
6251 * undefined behavior. However, we supposedly know how compilers behave
6252 * and the current status quo is unlikely to change. Guardians below are
6253 * supposed to let us know if the assumption becomes false.
6255 BUILD_BUG_ON(sizeof(union kvm_mmu_page_role) != sizeof(u32));
6256 BUILD_BUG_ON(sizeof(union kvm_mmu_extended_role) != sizeof(u32));
6257 BUILD_BUG_ON(sizeof(union kvm_cpu_role) != sizeof(u64));
6259 kvm_mmu_reset_all_pte_masks();
6261 pte_list_desc_cache = kmem_cache_create("pte_list_desc",
6262 sizeof(struct pte_list_desc),
6263 0, SLAB_ACCOUNT, NULL);
6264 if (!pte_list_desc_cache)
6267 mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
6268 sizeof(struct kvm_mmu_page),
6269 0, SLAB_ACCOUNT, NULL);
6270 if (!mmu_page_header_cache)
6273 if (percpu_counter_init(&kvm_total_used_mmu_pages, 0, GFP_KERNEL))
6276 ret = register_shrinker(&mmu_shrinker);
6283 mmu_destroy_caches();
6287 void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
6289 kvm_mmu_unload(vcpu);
6290 free_mmu_pages(&vcpu->arch.root_mmu);
6291 free_mmu_pages(&vcpu->arch.guest_mmu);
6292 mmu_free_memory_caches(vcpu);
6295 void kvm_mmu_vendor_module_exit(void)
6297 mmu_destroy_caches();
6298 percpu_counter_destroy(&kvm_total_used_mmu_pages);
6299 unregister_shrinker(&mmu_shrinker);
6303 * Calculate the effective recovery period, accounting for '0' meaning "let KVM
6304 * select a halving time of 1 hour". Returns true if recovery is enabled.
6306 static bool calc_nx_huge_pages_recovery_period(uint *period)
6309 * Use READ_ONCE to get the params, this may be called outside of the
6310 * param setters, e.g. by the kthread to compute its next timeout.
6312 bool enabled = READ_ONCE(nx_huge_pages);
6313 uint ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
6315 if (!enabled || !ratio)
6318 *period = READ_ONCE(nx_huge_pages_recovery_period_ms);
6320 /* Make sure the period is not less than one second. */
6321 ratio = min(ratio, 3600u);
6322 *period = 60 * 60 * 1000 / ratio;
6327 static int set_nx_huge_pages_recovery_param(const char *val, const struct kernel_param *kp)
6329 bool was_recovery_enabled, is_recovery_enabled;
6330 uint old_period, new_period;
6333 was_recovery_enabled = calc_nx_huge_pages_recovery_period(&old_period);
6335 err = param_set_uint(val, kp);
6339 is_recovery_enabled = calc_nx_huge_pages_recovery_period(&new_period);
6341 if (is_recovery_enabled &&
6342 (!was_recovery_enabled || old_period > new_period)) {
6345 mutex_lock(&kvm_lock);
6347 list_for_each_entry(kvm, &vm_list, vm_list)
6348 wake_up_process(kvm->arch.nx_lpage_recovery_thread);
6350 mutex_unlock(&kvm_lock);
6356 static void kvm_recover_nx_lpages(struct kvm *kvm)
6358 unsigned long nx_lpage_splits = kvm->stat.nx_lpage_splits;
6360 struct kvm_mmu_page *sp;
6362 LIST_HEAD(invalid_list);
6366 rcu_idx = srcu_read_lock(&kvm->srcu);
6367 write_lock(&kvm->mmu_lock);
6370 * Zapping TDP MMU shadow pages, including the remote TLB flush, must
6371 * be done under RCU protection, because the pages are freed via RCU
6376 ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
6377 to_zap = ratio ? DIV_ROUND_UP(nx_lpage_splits, ratio) : 0;
6378 for ( ; to_zap; --to_zap) {
6379 if (list_empty(&kvm->arch.lpage_disallowed_mmu_pages))
6383 * We use a separate list instead of just using active_mmu_pages
6384 * because the number of lpage_disallowed pages is expected to
6385 * be relatively small compared to the total.
6387 sp = list_first_entry(&kvm->arch.lpage_disallowed_mmu_pages,
6388 struct kvm_mmu_page,
6389 lpage_disallowed_link);
6390 WARN_ON_ONCE(!sp->lpage_disallowed);
6391 if (is_tdp_mmu_page(sp)) {
6392 flush |= kvm_tdp_mmu_zap_sp(kvm, sp);
6394 kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
6395 WARN_ON_ONCE(sp->lpage_disallowed);
6398 if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
6399 kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
6402 cond_resched_rwlock_write(&kvm->mmu_lock);
6408 kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
6412 write_unlock(&kvm->mmu_lock);
6413 srcu_read_unlock(&kvm->srcu, rcu_idx);
6416 static long get_nx_lpage_recovery_timeout(u64 start_time)
6421 enabled = calc_nx_huge_pages_recovery_period(&period);
6423 return enabled ? start_time + msecs_to_jiffies(period) - get_jiffies_64()
6424 : MAX_SCHEDULE_TIMEOUT;
6427 static int kvm_nx_lpage_recovery_worker(struct kvm *kvm, uintptr_t data)
6430 long remaining_time;
6433 start_time = get_jiffies_64();
6434 remaining_time = get_nx_lpage_recovery_timeout(start_time);
6436 set_current_state(TASK_INTERRUPTIBLE);
6437 while (!kthread_should_stop() && remaining_time > 0) {
6438 schedule_timeout(remaining_time);
6439 remaining_time = get_nx_lpage_recovery_timeout(start_time);
6440 set_current_state(TASK_INTERRUPTIBLE);
6443 set_current_state(TASK_RUNNING);
6445 if (kthread_should_stop())
6448 kvm_recover_nx_lpages(kvm);
6452 int kvm_mmu_post_init_vm(struct kvm *kvm)
6456 err = kvm_vm_create_worker_thread(kvm, kvm_nx_lpage_recovery_worker, 0,
6457 "kvm-nx-lpage-recovery",
6458 &kvm->arch.nx_lpage_recovery_thread);
6460 kthread_unpark(kvm->arch.nx_lpage_recovery_thread);
6465 void kvm_mmu_pre_destroy_vm(struct kvm *kvm)
6467 if (kvm->arch.nx_lpage_recovery_thread)
6468 kthread_stop(kvm->arch.nx_lpage_recovery_thread);
projects / linux-2.6-microblaze.git / blob