1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Kernel-based Virtual Machine driver for Linux
4
 *
5
 * This module enables machines with Intel VT-x extensions to run virtual
6
 * machines without emulation or binary translation.
7
 *
8
 * MMU support
9
 *
10
 * Copyright (C) 2006 Qumranet, Inc.
11
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
12
 *
13
 * Authors:
14
 *   Yaniv Kamay  <[email protected]>
15
 *   Avi Kivity   <[email protected]>
16
 */
17
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18

19
#include "irq.h"
20
#include "ioapic.h"
21
#include "mmu.h"
22
#include "mmu_internal.h"
23
#include "tdp_mmu.h"
24
#include "x86.h"
25
#include "kvm_cache_regs.h"
26
#include "smm.h"
27
#include "kvm_emulate.h"
28
#include "page_track.h"
29
#include "cpuid.h"
30
#include "spte.h"
31

32
#include <linux/kvm_host.h>
33
#include <linux/types.h>
34
#include <linux/string.h>
35
#include <linux/mm.h>
36
#include <linux/highmem.h>
37
#include <linux/moduleparam.h>
38
#include <linux/export.h>
39
#include <linux/swap.h>
40
#include <linux/hugetlb.h>
41
#include <linux/compiler.h>
42
#include <linux/srcu.h>
43
#include <linux/slab.h>
44
#include <linux/sched/signal.h>
45
#include <linux/uaccess.h>
46
#include <linux/hash.h>
47
#include <linux/kern_levels.h>
48
#include <linux/kstrtox.h>
49
#include <linux/kthread.h>
50
#include <linux/wordpart.h>
51

52
#include <asm/page.h>
53
#include <asm/memtype.h>
54
#include <asm/cmpxchg.h>
55
#include <asm/io.h>
56
#include <asm/set_memory.h>
57
#include <asm/spec-ctrl.h>
58
#include <asm/vmx.h>
59

60
#include "trace.h"
61

62
static bool nx_hugepage_mitigation_hard_disabled;
63

64
int __read_mostly nx_huge_pages = -1;
65
static uint __read_mostly nx_huge_pages_recovery_period_ms;
66
#ifdef CONFIG_PREEMPT_RT
67
/* Recovery can cause latency spikes, disable it for PREEMPT_RT.  */
68
static uint __read_mostly nx_huge_pages_recovery_ratio = 0;
69
#else
70
static uint __read_mostly nx_huge_pages_recovery_ratio = 60;
71
#endif
72

73
static int get_nx_huge_pages(char *buffer, const struct kernel_param *kp);
74
static int set_nx_huge_pages(const char *val, const struct kernel_param *kp);
75
static int set_nx_huge_pages_recovery_param(const char *val, const struct kernel_param *kp);
76

77
static const struct kernel_param_ops nx_huge_pages_ops = {
78
	.set = set_nx_huge_pages,
79
	.get = get_nx_huge_pages,
80
};
81

82
static const struct kernel_param_ops nx_huge_pages_recovery_param_ops = {
83
	.set = set_nx_huge_pages_recovery_param,
84
	.get = param_get_uint,
85
};
86

87
module_param_cb(nx_huge_pages, &nx_huge_pages_ops, &nx_huge_pages, 0644);
88
__MODULE_PARM_TYPE(nx_huge_pages, "bool");
89
module_param_cb(nx_huge_pages_recovery_ratio, &nx_huge_pages_recovery_param_ops,
90
		&nx_huge_pages_recovery_ratio, 0644);
91
__MODULE_PARM_TYPE(nx_huge_pages_recovery_ratio, "uint");
92
module_param_cb(nx_huge_pages_recovery_period_ms, &nx_huge_pages_recovery_param_ops,
93
		&nx_huge_pages_recovery_period_ms, 0644);
94
__MODULE_PARM_TYPE(nx_huge_pages_recovery_period_ms, "uint");
95

96
static bool __read_mostly force_flush_and_sync_on_reuse;
97
module_param_named(flush_on_reuse, force_flush_and_sync_on_reuse, bool, 0644);
98

99
/*
100
 * When setting this variable to true it enables Two-Dimensional-Paging
101
 * where the hardware walks 2 page tables:
102
 * 1. the guest-virtual to guest-physical
103
 * 2. while doing 1. it walks guest-physical to host-physical
104
 * If the hardware supports that we don't need to do shadow paging.
105
 */
106
bool tdp_enabled = false;
107

108
static bool __ro_after_init tdp_mmu_allowed;
109

110
#ifdef CONFIG_X86_64
111
bool __read_mostly tdp_mmu_enabled = true;
112
module_param_named(tdp_mmu, tdp_mmu_enabled, bool, 0444);
113
EXPORT_SYMBOL_GPL(tdp_mmu_enabled);
114
#endif
115

116
static int max_huge_page_level __read_mostly;
117
static int tdp_root_level __read_mostly;
118
static int max_tdp_level __read_mostly;
119

120
#define PTE_PREFETCH_NUM		8
121

122
#include <trace/events/kvm.h>
123

124
/* make pte_list_desc fit well in cache lines */
125
#define PTE_LIST_EXT 14
126

127
/*
128
 * struct pte_list_desc is the core data structure used to implement a custom
129
 * list for tracking a set of related SPTEs, e.g. all the SPTEs that map a
130
 * given GFN when used in the context of rmaps.  Using a custom list allows KVM
131
 * to optimize for the common case where many GFNs will have at most a handful
132
 * of SPTEs pointing at them, i.e. allows packing multiple SPTEs into a small
133
 * memory footprint, which in turn improves runtime performance by exploiting
134
 * cache locality.
135
 *
136
 * A list is comprised of one or more pte_list_desc objects (descriptors).
137
 * Each individual descriptor stores up to PTE_LIST_EXT SPTEs.  If a descriptor
138
 * is full and a new SPTEs needs to be added, a new descriptor is allocated and
139
 * becomes the head of the list.  This means that by definitions, all tail
140
 * descriptors are full.
141
 *
142
 * Note, the meta data fields are deliberately placed at the start of the
143
 * structure to optimize the cacheline layout; accessing the descriptor will
144
 * touch only a single cacheline so long as @spte_count<=6 (or if only the
145
 * descriptors metadata is accessed).
146
 */
147
struct pte_list_desc {
148
	struct pte_list_desc *more;
149
	/* The number of PTEs stored in _this_ descriptor. */
150
	u32 spte_count;
151
	/* The number of PTEs stored in all tails of this descriptor. */
152
	u32 tail_count;
153
	u64 *sptes[PTE_LIST_EXT];
154
};
155

156
struct kvm_shadow_walk_iterator {
157
	u64 addr;
158
	hpa_t shadow_addr;
159
	u64 *sptep;
160
	int level;
161
	unsigned index;
162
};
163

164
#define for_each_shadow_entry_using_root(_vcpu, _root, _addr, _walker)     \
165
	for (shadow_walk_init_using_root(&(_walker), (_vcpu),              \
166
					 (_root), (_addr));                \
167
	     shadow_walk_okay(&(_walker));			           \
168
	     shadow_walk_next(&(_walker)))
169

170
#define for_each_shadow_entry(_vcpu, _addr, _walker)            \
171
	for (shadow_walk_init(&(_walker), _vcpu, _addr);	\
172
	     shadow_walk_okay(&(_walker));			\
173
	     shadow_walk_next(&(_walker)))
174

175
#define for_each_shadow_entry_lockless(_vcpu, _addr, _walker, spte)	\
176
	for (shadow_walk_init(&(_walker), _vcpu, _addr);		\
177
	     shadow_walk_okay(&(_walker)) &&				\
178
		({ spte = mmu_spte_get_lockless(_walker.sptep); 1; });	\
179
	     __shadow_walk_next(&(_walker), spte))
180

181
static struct kmem_cache *pte_list_desc_cache;
182
struct kmem_cache *mmu_page_header_cache;
183

184
static void mmu_spte_set(u64 *sptep, u64 spte);
185

186
struct kvm_mmu_role_regs {
187
	const unsigned long cr0;
188
	const unsigned long cr4;
189
	const u64 efer;
190
};
191

192
#define CREATE_TRACE_POINTS
193
#include "mmutrace.h"
194

195
/*
196
 * Yes, lot's of underscores.  They're a hint that you probably shouldn't be
197
 * reading from the role_regs.  Once the root_role is constructed, it becomes
198
 * the single source of truth for the MMU's state.
199
 */
200
#define BUILD_MMU_ROLE_REGS_ACCESSOR(reg, name, flag)			\
201
static inline bool __maybe_unused					\
202
____is_##reg##_##name(const struct kvm_mmu_role_regs *regs)		\
203
{									\
204
	return !!(regs->reg & flag);					\
205
}
206
BUILD_MMU_ROLE_REGS_ACCESSOR(cr0, pg, X86_CR0_PG);
207
BUILD_MMU_ROLE_REGS_ACCESSOR(cr0, wp, X86_CR0_WP);
208
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pse, X86_CR4_PSE);
209
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pae, X86_CR4_PAE);
210
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, smep, X86_CR4_SMEP);
211
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, smap, X86_CR4_SMAP);
212
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, pke, X86_CR4_PKE);
213
BUILD_MMU_ROLE_REGS_ACCESSOR(cr4, la57, X86_CR4_LA57);
214
BUILD_MMU_ROLE_REGS_ACCESSOR(efer, nx, EFER_NX);
215
BUILD_MMU_ROLE_REGS_ACCESSOR(efer, lma, EFER_LMA);
216

217
/*
218
 * The MMU itself (with a valid role) is the single source of truth for the
219
 * MMU.  Do not use the regs used to build the MMU/role, nor the vCPU.  The
220
 * regs don't account for dependencies, e.g. clearing CR4 bits if CR0.PG=1,
221
 * and the vCPU may be incorrect/irrelevant.
222
 */
223
#define BUILD_MMU_ROLE_ACCESSOR(base_or_ext, reg, name)		\
224
static inline bool __maybe_unused is_##reg##_##name(struct kvm_mmu *mmu)	\
225
{								\
226
	return !!(mmu->cpu_role. base_or_ext . reg##_##name);	\
227
}
228
BUILD_MMU_ROLE_ACCESSOR(base, cr0, wp);
229
BUILD_MMU_ROLE_ACCESSOR(ext,  cr4, pse);
230
BUILD_MMU_ROLE_ACCESSOR(ext,  cr4, smep);
231
BUILD_MMU_ROLE_ACCESSOR(ext,  cr4, smap);
232
BUILD_MMU_ROLE_ACCESSOR(ext,  cr4, pke);
233
BUILD_MMU_ROLE_ACCESSOR(ext,  cr4, la57);
234
BUILD_MMU_ROLE_ACCESSOR(base, efer, nx);
235
BUILD_MMU_ROLE_ACCESSOR(ext,  efer, lma);
236

237
static inline bool is_cr0_pg(struct kvm_mmu *mmu)
238
{
239
        return mmu->cpu_role.base.level > 0;
240
}
241

242
static inline bool is_cr4_pae(struct kvm_mmu *mmu)
243
{
244
        return !mmu->cpu_role.base.has_4_byte_gpte;
245
}
246

247
static struct kvm_mmu_role_regs vcpu_to_role_regs(struct kvm_vcpu *vcpu)
248
{
249
	struct kvm_mmu_role_regs regs = {
250
		.cr0 = kvm_read_cr0_bits(vcpu, KVM_MMU_CR0_ROLE_BITS),
251
		.cr4 = kvm_read_cr4_bits(vcpu, KVM_MMU_CR4_ROLE_BITS),
252
		.efer = vcpu->arch.efer,
253
	};
254

255
	return regs;
256
}
257

258
static unsigned long get_guest_cr3(struct kvm_vcpu *vcpu)
259
{
260
	return kvm_read_cr3(vcpu);
261
}
262

263
static inline unsigned long kvm_mmu_get_guest_pgd(struct kvm_vcpu *vcpu,
264
						  struct kvm_mmu *mmu)
265
{
266
	if (IS_ENABLED(CONFIG_MITIGATION_RETPOLINE) && mmu->get_guest_pgd == get_guest_cr3)
267
		return kvm_read_cr3(vcpu);
268

269
	return mmu->get_guest_pgd(vcpu);
270
}
271

272
static inline bool kvm_available_flush_remote_tlbs_range(void)
273
{
274
#if IS_ENABLED(CONFIG_HYPERV)
275
	return kvm_x86_ops.flush_remote_tlbs_range;
276
#else
277
	return false;
278
#endif
279
}
280

281
static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index);
282

283
/* Flush the range of guest memory mapped by the given SPTE. */
284
static void kvm_flush_remote_tlbs_sptep(struct kvm *kvm, u64 *sptep)
285
{
286
	struct kvm_mmu_page *sp = sptep_to_sp(sptep);
287
	gfn_t gfn = kvm_mmu_page_get_gfn(sp, spte_index(sptep));
288

289
	kvm_flush_remote_tlbs_gfn(kvm, gfn, sp->role.level);
290
}
291

292
static void mark_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, u64 gfn,
293
			   unsigned int access)
294
{
295
	u64 spte = make_mmio_spte(vcpu, gfn, access);
296

297
	trace_mark_mmio_spte(sptep, gfn, spte);
298
	mmu_spte_set(sptep, spte);
299
}
300

301
static gfn_t get_mmio_spte_gfn(u64 spte)
302
{
303
	u64 gpa = spte & shadow_nonpresent_or_rsvd_lower_gfn_mask;
304

305
	gpa |= (spte >> SHADOW_NONPRESENT_OR_RSVD_MASK_LEN)
306
	       & shadow_nonpresent_or_rsvd_mask;
307

308
	return gpa >> PAGE_SHIFT;
309
}
310

311
static unsigned get_mmio_spte_access(u64 spte)
312
{
313
	return spte & shadow_mmio_access_mask;
314
}
315

316
static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte)
317
{
318
	u64 kvm_gen, spte_gen, gen;
319

320
	gen = kvm_vcpu_memslots(vcpu)->generation;
321
	if (unlikely(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS))
322
		return false;
323

324
	kvm_gen = gen & MMIO_SPTE_GEN_MASK;
325
	spte_gen = get_mmio_spte_generation(spte);
326

327
	trace_check_mmio_spte(spte, kvm_gen, spte_gen);
328
	return likely(kvm_gen == spte_gen);
329
}
330

331
static int is_cpuid_PSE36(void)
332
{
333
	return 1;
334
}
335

336
#ifdef CONFIG_X86_64
337
static void __set_spte(u64 *sptep, u64 spte)
338
{
339
	KVM_MMU_WARN_ON(is_ept_ve_possible(spte));
340
	WRITE_ONCE(*sptep, spte);
341
}
342

343
static void __update_clear_spte_fast(u64 *sptep, u64 spte)
344
{
345
	KVM_MMU_WARN_ON(is_ept_ve_possible(spte));
346
	WRITE_ONCE(*sptep, spte);
347
}
348

349
static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
350
{
351
	KVM_MMU_WARN_ON(is_ept_ve_possible(spte));
352
	return xchg(sptep, spte);
353
}
354

355
static u64 __get_spte_lockless(u64 *sptep)
356
{
357
	return READ_ONCE(*sptep);
358
}
359
#else
360
union split_spte {
361
	struct {
362
		u32 spte_low;
363
		u32 spte_high;
364
	};
365
	u64 spte;
366
};
367

368
static void count_spte_clear(u64 *sptep, u64 spte)
369
{
370
	struct kvm_mmu_page *sp =  sptep_to_sp(sptep);
371

372
	if (is_shadow_present_pte(spte))
373
		return;
374

375
	/* Ensure the spte is completely set before we increase the count */
376
	smp_wmb();
377
	sp->clear_spte_count++;
378
}
379

380
static void __set_spte(u64 *sptep, u64 spte)
381
{
382
	union split_spte *ssptep, sspte;
383

384
	ssptep = (union split_spte *)sptep;
385
	sspte = (union split_spte)spte;
386

387
	ssptep->spte_high = sspte.spte_high;
388

389
	/*
390
	 * If we map the spte from nonpresent to present, We should store
391
	 * the high bits firstly, then set present bit, so cpu can not
392
	 * fetch this spte while we are setting the spte.
393
	 */
394
	smp_wmb();
395

396
	WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
397
}
398

399
static void __update_clear_spte_fast(u64 *sptep, u64 spte)
400
{
401
	union split_spte *ssptep, sspte;
402

403
	ssptep = (union split_spte *)sptep;
404
	sspte = (union split_spte)spte;
405

406
	WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
407

408
	/*
409
	 * If we map the spte from present to nonpresent, we should clear
410
	 * present bit firstly to avoid vcpu fetch the old high bits.
411
	 */
412
	smp_wmb();
413

414
	ssptep->spte_high = sspte.spte_high;
415
	count_spte_clear(sptep, spte);
416
}
417

418
static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
419
{
420
	union split_spte *ssptep, sspte, orig;
421

422
	ssptep = (union split_spte *)sptep;
423
	sspte = (union split_spte)spte;
424

425
	/* xchg acts as a barrier before the setting of the high bits */
426
	orig.spte_low = xchg(&ssptep->spte_low, sspte.spte_low);
427
	orig.spte_high = ssptep->spte_high;
428
	ssptep->spte_high = sspte.spte_high;
429
	count_spte_clear(sptep, spte);
430

431
	return orig.spte;
432
}
433

434
/*
435
 * The idea using the light way get the spte on x86_32 guest is from
436
 * gup_get_pte (mm/gup.c).
437
 *
438
 * An spte tlb flush may be pending, because they are coalesced and
439
 * we are running out of the MMU lock.  Therefore
440
 * we need to protect against in-progress updates of the spte.
441
 *
442
 * Reading the spte while an update is in progress may get the old value
443
 * for the high part of the spte.  The race is fine for a present->non-present
444
 * change (because the high part of the spte is ignored for non-present spte),
445
 * but for a present->present change we must reread the spte.
446
 *
447
 * All such changes are done in two steps (present->non-present and
448
 * non-present->present), hence it is enough to count the number of
449
 * present->non-present updates: if it changed while reading the spte,
450
 * we might have hit the race.  This is done using clear_spte_count.
451
 */
452
static u64 __get_spte_lockless(u64 *sptep)
453
{
454
	struct kvm_mmu_page *sp =  sptep_to_sp(sptep);
455
	union split_spte spte, *orig = (union split_spte *)sptep;
456
	int count;
457

458
retry:
459
	count = sp->clear_spte_count;
460
	smp_rmb();
461

462
	spte.spte_low = orig->spte_low;
463
	smp_rmb();
464

465
	spte.spte_high = orig->spte_high;
466
	smp_rmb();
467

468
	if (unlikely(spte.spte_low != orig->spte_low ||
469
	      count != sp->clear_spte_count))
470
		goto retry;
471

472
	return spte.spte;
473
}
474
#endif
475

476
/* Rules for using mmu_spte_set:
477
 * Set the sptep from nonpresent to present.
478
 * Note: the sptep being assigned *must* be either not present
479
 * or in a state where the hardware will not attempt to update
480
 * the spte.
481
 */
482
static void mmu_spte_set(u64 *sptep, u64 new_spte)
483
{
484
	WARN_ON_ONCE(is_shadow_present_pte(*sptep));
485
	__set_spte(sptep, new_spte);
486
}
487

488
/* Rules for using mmu_spte_update:
489
 * Update the state bits, it means the mapped pfn is not changed.
490
 *
491
 * Returns true if the TLB needs to be flushed
492
 */
493
static bool mmu_spte_update(u64 *sptep, u64 new_spte)
494
{
495
	u64 old_spte = *sptep;
496

497
	WARN_ON_ONCE(!is_shadow_present_pte(new_spte));
498
	check_spte_writable_invariants(new_spte);
499

500
	if (!is_shadow_present_pte(old_spte)) {
501
		mmu_spte_set(sptep, new_spte);
502
		return false;
503
	}
504

505
	if (!spte_needs_atomic_update(old_spte))
506
		__update_clear_spte_fast(sptep, new_spte);
507
	else
508
		old_spte = __update_clear_spte_slow(sptep, new_spte);
509

510
	WARN_ON_ONCE(!is_shadow_present_pte(old_spte) ||
511
		     spte_to_pfn(old_spte) != spte_to_pfn(new_spte));
512

513
	return leaf_spte_change_needs_tlb_flush(old_spte, new_spte);
514
}
515

516
/*
517
 * Rules for using mmu_spte_clear_track_bits:
518
 * It sets the sptep from present to nonpresent, and track the
519
 * state bits, it is used to clear the last level sptep.
520
 * Returns the old PTE.
521
 */
522
static u64 mmu_spte_clear_track_bits(struct kvm *kvm, u64 *sptep)
523
{
524
	u64 old_spte = *sptep;
525
	int level = sptep_to_sp(sptep)->role.level;
526

527
	if (!is_shadow_present_pte(old_spte) ||
528
	    !spte_needs_atomic_update(old_spte))
529
		__update_clear_spte_fast(sptep, SHADOW_NONPRESENT_VALUE);
530
	else
531
		old_spte = __update_clear_spte_slow(sptep, SHADOW_NONPRESENT_VALUE);
532

533
	if (!is_shadow_present_pte(old_spte))
534
		return old_spte;
535

536
	kvm_update_page_stats(kvm, level, -1);
537
	return old_spte;
538
}
539

540
/*
541
 * Rules for using mmu_spte_clear_no_track:
542
 * Directly clear spte without caring the state bits of sptep,
543
 * it is used to set the upper level spte.
544
 */
545
static void mmu_spte_clear_no_track(u64 *sptep)
546
{
547
	__update_clear_spte_fast(sptep, SHADOW_NONPRESENT_VALUE);
548
}
549

550
static u64 mmu_spte_get_lockless(u64 *sptep)
551
{
552
	return __get_spte_lockless(sptep);
553
}
554

555
static inline bool is_tdp_mmu_active(struct kvm_vcpu *vcpu)
556
{
557
	return tdp_mmu_enabled && vcpu->arch.mmu->root_role.direct;
558
}
559

560
static void walk_shadow_page_lockless_begin(struct kvm_vcpu *vcpu)
561
{
562
	if (is_tdp_mmu_active(vcpu)) {
563
		kvm_tdp_mmu_walk_lockless_begin();
564
	} else {
565
		/*
566
		 * Prevent page table teardown by making any free-er wait during
567
		 * kvm_flush_remote_tlbs() IPI to all active vcpus.
568
		 */
569
		local_irq_disable();
570

571
		/*
572
		 * Make sure a following spte read is not reordered ahead of the write
573
		 * to vcpu->mode.
574
		 */
575
		smp_store_mb(vcpu->mode, READING_SHADOW_PAGE_TABLES);
576
	}
577
}
578

579
static void walk_shadow_page_lockless_end(struct kvm_vcpu *vcpu)
580
{
581
	if (is_tdp_mmu_active(vcpu)) {
582
		kvm_tdp_mmu_walk_lockless_end();
583
	} else {
584
		/*
585
		 * Make sure the write to vcpu->mode is not reordered in front of
586
		 * reads to sptes.  If it does, kvm_mmu_commit_zap_page() can see us
587
		 * OUTSIDE_GUEST_MODE and proceed to free the shadow page table.
588
		 */
589
		smp_store_release(&vcpu->mode, OUTSIDE_GUEST_MODE);
590
		local_irq_enable();
591
	}
592
}
593

594
static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu, bool maybe_indirect)
595
{
596
	int r;
597

598
	/* 1 rmap, 1 parent PTE per level, and the prefetched rmaps. */
599
	r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache,
600
				       1 + PT64_ROOT_MAX_LEVEL + PTE_PREFETCH_NUM);
601
	if (r)
602
		return r;
603
	if (kvm_has_mirrored_tdp(vcpu->kvm)) {
604
		r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_external_spt_cache,
605
					       PT64_ROOT_MAX_LEVEL);
606
		if (r)
607
			return r;
608
	}
609
	r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_shadow_page_cache,
610
				       PT64_ROOT_MAX_LEVEL);
611
	if (r)
612
		return r;
613
	if (maybe_indirect) {
614
		r = kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_shadowed_info_cache,
615
					       PT64_ROOT_MAX_LEVEL);
616
		if (r)
617
			return r;
618
	}
619
	return kvm_mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
620
					  PT64_ROOT_MAX_LEVEL);
621
}
622

623
static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
624
{
625
	kvm_mmu_free_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache);
626
	kvm_mmu_free_memory_cache(&vcpu->arch.mmu_shadow_page_cache);
627
	kvm_mmu_free_memory_cache(&vcpu->arch.mmu_shadowed_info_cache);
628
	kvm_mmu_free_memory_cache(&vcpu->arch.mmu_external_spt_cache);
629
	kvm_mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache);
630
}
631

632
static void mmu_free_pte_list_desc(struct pte_list_desc *pte_list_desc)
633
{
634
	kmem_cache_free(pte_list_desc_cache, pte_list_desc);
635
}
636

637
static bool sp_has_gptes(struct kvm_mmu_page *sp);
638

639
static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index)
640
{
641
	if (sp->role.passthrough)
642
		return sp->gfn;
643

644
	if (sp->shadowed_translation)
645
		return sp->shadowed_translation[index] >> PAGE_SHIFT;
646

647
	return sp->gfn + (index << ((sp->role.level - 1) * SPTE_LEVEL_BITS));
648
}
649

650
/*
651
 * For leaf SPTEs, fetch the *guest* access permissions being shadowed. Note
652
 * that the SPTE itself may have a more constrained access permissions that
653
 * what the guest enforces. For example, a guest may create an executable
654
 * huge PTE but KVM may disallow execution to mitigate iTLB multihit.
655
 */
656
static u32 kvm_mmu_page_get_access(struct kvm_mmu_page *sp, int index)
657
{
658
	if (sp->shadowed_translation)
659
		return sp->shadowed_translation[index] & ACC_ALL;
660

661
	/*
662
	 * For direct MMUs (e.g. TDP or non-paging guests) or passthrough SPs,
663
	 * KVM is not shadowing any guest page tables, so the "guest access
664
	 * permissions" are just ACC_ALL.
665
	 *
666
	 * For direct SPs in indirect MMUs (shadow paging), i.e. when KVM
667
	 * is shadowing a guest huge page with small pages, the guest access
668
	 * permissions being shadowed are the access permissions of the huge
669
	 * page.
670
	 *
671
	 * In both cases, sp->role.access contains the correct access bits.
672
	 */
673
	return sp->role.access;
674
}
675

676
static void kvm_mmu_page_set_translation(struct kvm_mmu_page *sp, int index,
677
					 gfn_t gfn, unsigned int access)
678
{
679
	if (sp->shadowed_translation) {
680
		sp->shadowed_translation[index] = (gfn << PAGE_SHIFT) | access;
681
		return;
682
	}
683

684
	WARN_ONCE(access != kvm_mmu_page_get_access(sp, index),
685
	          "access mismatch under %s page %llx (expected %u, got %u)\n",
686
	          sp->role.passthrough ? "passthrough" : "direct",
687
	          sp->gfn, kvm_mmu_page_get_access(sp, index), access);
688

689
	WARN_ONCE(gfn != kvm_mmu_page_get_gfn(sp, index),
690
	          "gfn mismatch under %s page %llx (expected %llx, got %llx)\n",
691
	          sp->role.passthrough ? "passthrough" : "direct",
692
	          sp->gfn, kvm_mmu_page_get_gfn(sp, index), gfn);
693
}
694

695
static void kvm_mmu_page_set_access(struct kvm_mmu_page *sp, int index,
696
				    unsigned int access)
697
{
698
	gfn_t gfn = kvm_mmu_page_get_gfn(sp, index);
699

700
	kvm_mmu_page_set_translation(sp, index, gfn, access);
701
}
702

703
/*
704
 * Return the pointer to the large page information for a given gfn,
705
 * handling slots that are not large page aligned.
706
 */
707
static struct kvm_lpage_info *lpage_info_slot(gfn_t gfn,
708
		const struct kvm_memory_slot *slot, int level)
709
{
710
	unsigned long idx;
711

712
	idx = gfn_to_index(gfn, slot->base_gfn, level);
713
	return &slot->arch.lpage_info[level - 2][idx];
714
}
715

716
/*
717
 * The most significant bit in disallow_lpage tracks whether or not memory
718
 * attributes are mixed, i.e. not identical for all gfns at the current level.
719
 * The lower order bits are used to refcount other cases where a hugepage is
720
 * disallowed, e.g. if KVM has shadow a page table at the gfn.
721
 */
722
#define KVM_LPAGE_MIXED_FLAG	BIT(31)
723

724
static void update_gfn_disallow_lpage_count(const struct kvm_memory_slot *slot,
725
					    gfn_t gfn, int count)
726
{
727
	struct kvm_lpage_info *linfo;
728
	int old, i;
729

730
	for (i = PG_LEVEL_2M; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
731
		linfo = lpage_info_slot(gfn, slot, i);
732

733
		old = linfo->disallow_lpage;
734
		linfo->disallow_lpage += count;
735
		WARN_ON_ONCE((old ^ linfo->disallow_lpage) & KVM_LPAGE_MIXED_FLAG);
736
	}
737
}
738

739
void kvm_mmu_gfn_disallow_lpage(const struct kvm_memory_slot *slot, gfn_t gfn)
740
{
741
	update_gfn_disallow_lpage_count(slot, gfn, 1);
742
}
743

744
void kvm_mmu_gfn_allow_lpage(const struct kvm_memory_slot *slot, gfn_t gfn)
745
{
746
	update_gfn_disallow_lpage_count(slot, gfn, -1);
747
}
748

749
static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
750
{
751
	struct kvm_memslots *slots;
752
	struct kvm_memory_slot *slot;
753
	gfn_t gfn;
754

755
	kvm->arch.indirect_shadow_pages++;
756
	/*
757
	 * Ensure indirect_shadow_pages is elevated prior to re-reading guest
758
	 * child PTEs in FNAME(gpte_changed), i.e. guarantee either in-flight
759
	 * emulated writes are visible before re-reading guest PTEs, or that
760
	 * an emulated write will see the elevated count and acquire mmu_lock
761
	 * to update SPTEs.  Pairs with the smp_mb() in kvm_mmu_track_write().
762
	 */
763
	smp_mb();
764

765
	gfn = sp->gfn;
766
	slots = kvm_memslots_for_spte_role(kvm, sp->role);
767
	slot = __gfn_to_memslot(slots, gfn);
768

769
	/* the non-leaf shadow pages are keeping readonly. */
770
	if (sp->role.level > PG_LEVEL_4K)
771
		return __kvm_write_track_add_gfn(kvm, slot, gfn);
772

773
	kvm_mmu_gfn_disallow_lpage(slot, gfn);
774

775
	if (kvm_mmu_slot_gfn_write_protect(kvm, slot, gfn, PG_LEVEL_4K))
776
		kvm_flush_remote_tlbs_gfn(kvm, gfn, PG_LEVEL_4K);
777
}
778

779
void track_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
780
{
781
	/*
782
	 * If it's possible to replace the shadow page with an NX huge page,
783
	 * i.e. if the shadow page is the only thing currently preventing KVM
784
	 * from using a huge page, add the shadow page to the list of "to be
785
	 * zapped for NX recovery" pages.  Note, the shadow page can already be
786
	 * on the list if KVM is reusing an existing shadow page, i.e. if KVM
787
	 * links a shadow page at multiple points.
788
	 */
789
	if (!list_empty(&sp->possible_nx_huge_page_link))
790
		return;
791

792
	++kvm->stat.nx_lpage_splits;
793
	list_add_tail(&sp->possible_nx_huge_page_link,
794
		      &kvm->arch.possible_nx_huge_pages);
795
}
796

797
static void account_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp,
798
				 bool nx_huge_page_possible)
799
{
800
	sp->nx_huge_page_disallowed = true;
801

802
	if (nx_huge_page_possible)
803
		track_possible_nx_huge_page(kvm, sp);
804
}
805

806
static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
807
{
808
	struct kvm_memslots *slots;
809
	struct kvm_memory_slot *slot;
810
	gfn_t gfn;
811

812
	kvm->arch.indirect_shadow_pages--;
813
	gfn = sp->gfn;
814
	slots = kvm_memslots_for_spte_role(kvm, sp->role);
815
	slot = __gfn_to_memslot(slots, gfn);
816
	if (sp->role.level > PG_LEVEL_4K)
817
		return __kvm_write_track_remove_gfn(kvm, slot, gfn);
818

819
	kvm_mmu_gfn_allow_lpage(slot, gfn);
820
}
821

822
void untrack_possible_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
823
{
824
	if (list_empty(&sp->possible_nx_huge_page_link))
825
		return;
826

827
	--kvm->stat.nx_lpage_splits;
828
	list_del_init(&sp->possible_nx_huge_page_link);
829
}
830

831
static void unaccount_nx_huge_page(struct kvm *kvm, struct kvm_mmu_page *sp)
832
{
833
	sp->nx_huge_page_disallowed = false;
834

835
	untrack_possible_nx_huge_page(kvm, sp);
836
}
837

838
static struct kvm_memory_slot *gfn_to_memslot_dirty_bitmap(struct kvm_vcpu *vcpu,
839
							   gfn_t gfn,
840
							   bool no_dirty_log)
841
{
842
	struct kvm_memory_slot *slot;
843

844
	slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
845
	if (!slot || slot->flags & KVM_MEMSLOT_INVALID)
846
		return NULL;
847
	if (no_dirty_log && kvm_slot_dirty_track_enabled(slot))
848
		return NULL;
849

850
	return slot;
851
}
852

853
/*
854
 * About rmap_head encoding:
855
 *
856
 * If the bit zero of rmap_head->val is clear, then it points to the only spte
857
 * in this rmap chain. Otherwise, (rmap_head->val & ~3) points to a struct
858
 * pte_list_desc containing more mappings.
859
 */
860
#define KVM_RMAP_MANY	BIT(0)
861

862
/*
863
 * rmaps and PTE lists are mostly protected by mmu_lock (the shadow MMU always
864
 * operates with mmu_lock held for write), but rmaps can be walked without
865
 * holding mmu_lock so long as the caller can tolerate SPTEs in the rmap chain
866
 * being zapped/dropped _while the rmap is locked_.
867
 *
868
 * Other than the KVM_RMAP_LOCKED flag, modifications to rmap entries must be
869
 * done while holding mmu_lock for write.  This allows a task walking rmaps
870
 * without holding mmu_lock to concurrently walk the same entries as a task
871
 * that is holding mmu_lock but _not_ the rmap lock.  Neither task will modify
872
 * the rmaps, thus the walks are stable.
873
 *
874
 * As alluded to above, SPTEs in rmaps are _not_ protected by KVM_RMAP_LOCKED,
875
 * only the rmap chains themselves are protected.  E.g. holding an rmap's lock
876
 * ensures all "struct pte_list_desc" fields are stable.
877
 */
878
#define KVM_RMAP_LOCKED	BIT(1)
879

880
static unsigned long __kvm_rmap_lock(struct kvm_rmap_head *rmap_head)
881
{
882
	unsigned long old_val, new_val;
883

884
	lockdep_assert_preemption_disabled();
885

886
	/*
887
	 * Elide the lock if the rmap is empty, as lockless walkers (read-only
888
	 * mode) don't need to (and can't) walk an empty rmap, nor can they add
889
	 * entries to the rmap.  I.e. the only paths that process empty rmaps
890
	 * do so while holding mmu_lock for write, and are mutually exclusive.
891
	 */
892
	old_val = atomic_long_read(&rmap_head->val);
893
	if (!old_val)
894
		return 0;
895

896
	do {
897
		/*
898
		 * If the rmap is locked, wait for it to be unlocked before
899
		 * trying acquire the lock, e.g. to avoid bouncing the cache
900
		 * line.
901
		 */
902
		while (old_val & KVM_RMAP_LOCKED) {
903
			cpu_relax();
904
			old_val = atomic_long_read(&rmap_head->val);
905
		}
906

907
		/*
908
		 * Recheck for an empty rmap, it may have been purged by the
909
		 * task that held the lock.
910
		 */
911
		if (!old_val)
912
			return 0;
913

914
		new_val = old_val | KVM_RMAP_LOCKED;
915
	/*
916
	 * Use try_cmpxchg_acquire() to prevent reads and writes to the rmap
917
	 * from being reordered outside of the critical section created by
918
	 * __kvm_rmap_lock().
919
	 *
920
	 * Pairs with the atomic_long_set_release() in kvm_rmap_unlock().
921
	 *
922
	 * For the !old_val case, no ordering is needed, as there is no rmap
923
	 * to walk.
924
	 */
925
	} while (!atomic_long_try_cmpxchg_acquire(&rmap_head->val, &old_val, new_val));
926

927
	/*
928
	 * Return the old value, i.e. _without_ the LOCKED bit set.  It's
929
	 * impossible for the return value to be 0 (see above), i.e. the read-
930
	 * only unlock flow can't get a false positive and fail to unlock.
931
	 */
932
	return old_val;
933
}
934

935
static unsigned long kvm_rmap_lock(struct kvm *kvm,
936
				   struct kvm_rmap_head *rmap_head)
937
{
938
	lockdep_assert_held_write(&kvm->mmu_lock);
939

940
	return __kvm_rmap_lock(rmap_head);
941
}
942

943
static void __kvm_rmap_unlock(struct kvm_rmap_head *rmap_head,
944
			      unsigned long val)
945
{
946
	KVM_MMU_WARN_ON(val & KVM_RMAP_LOCKED);
947
	/*
948
	 * Ensure that all accesses to the rmap have completed before unlocking
949
	 * the rmap.
950
	 *
951
	 * Pairs with the atomic_long_try_cmpxchg_acquire() in __kvm_rmap_lock().
952
	 */
953
	atomic_long_set_release(&rmap_head->val, val);
954
}
955

956
static void kvm_rmap_unlock(struct kvm *kvm,
957
			    struct kvm_rmap_head *rmap_head,
958
			    unsigned long new_val)
959
{
960
	lockdep_assert_held_write(&kvm->mmu_lock);
961

962
	__kvm_rmap_unlock(rmap_head, new_val);
963
}
964

965
static unsigned long kvm_rmap_get(struct kvm_rmap_head *rmap_head)
966
{
967
	return atomic_long_read(&rmap_head->val) & ~KVM_RMAP_LOCKED;
968
}
969

970
/*
971
 * If mmu_lock isn't held, rmaps can only be locked in read-only mode.  The
972
 * actual locking is the same, but the caller is disallowed from modifying the
973
 * rmap, and so the unlock flow is a nop if the rmap is/was empty.
974
 */
975
static unsigned long kvm_rmap_lock_readonly(struct kvm_rmap_head *rmap_head)
976
{
977
	unsigned long rmap_val;
978

979
	preempt_disable();
980
	rmap_val = __kvm_rmap_lock(rmap_head);
981

982
	if (!rmap_val)
983
		preempt_enable();
984

985
	return rmap_val;
986
}
987

988
static void kvm_rmap_unlock_readonly(struct kvm_rmap_head *rmap_head,
989
				     unsigned long old_val)
990
{
991
	if (!old_val)
992
		return;
993

994
	KVM_MMU_WARN_ON(old_val != kvm_rmap_get(rmap_head));
995

996
	__kvm_rmap_unlock(rmap_head, old_val);
997
	preempt_enable();
998
}
999

1000
/*
1001
 * Returns the number of pointers in the rmap chain, not counting the new one.
1002
 */
1003
static int pte_list_add(struct kvm *kvm, struct kvm_mmu_memory_cache *cache,
1004
			u64 *spte, struct kvm_rmap_head *rmap_head)
1005
{
1006
	unsigned long old_val, new_val;
1007
	struct pte_list_desc *desc;
1008
	int count = 0;
1009

1010
	old_val = kvm_rmap_lock(kvm, rmap_head);
1011

1012
	if (!old_val) {
1013
		new_val = (unsigned long)spte;
1014
	} else if (!(old_val & KVM_RMAP_MANY)) {
1015
		desc = kvm_mmu_memory_cache_alloc(cache);
1016
		desc->sptes[0] = (u64 *)old_val;
1017
		desc->sptes[1] = spte;
1018
		desc->spte_count = 2;
1019
		desc->tail_count = 0;
1020
		new_val = (unsigned long)desc | KVM_RMAP_MANY;
1021
		++count;
1022
	} else {
1023
		desc = (struct pte_list_desc *)(old_val & ~KVM_RMAP_MANY);
1024
		count = desc->tail_count + desc->spte_count;
1025

1026
		/*
1027
		 * If the previous head is full, allocate a new head descriptor
1028
		 * as tail descriptors are always kept full.
1029
		 */
1030
		if (desc->spte_count == PTE_LIST_EXT) {
1031
			desc = kvm_mmu_memory_cache_alloc(cache);
1032
			desc->more = (struct pte_list_desc *)(old_val & ~KVM_RMAP_MANY);
1033
			desc->spte_count = 0;
1034
			desc->tail_count = count;
1035
			new_val = (unsigned long)desc | KVM_RMAP_MANY;
1036
		} else {
1037
			new_val = old_val;
1038
		}
1039
		desc->sptes[desc->spte_count++] = spte;
1040
	}
1041

1042
	kvm_rmap_unlock(kvm, rmap_head, new_val);
1043

1044
	return count;
1045
}
1046

1047
static void pte_list_desc_remove_entry(struct kvm *kvm, unsigned long *rmap_val,
1048
				       struct pte_list_desc *desc, int i)
1049
{
1050
	struct pte_list_desc *head_desc = (struct pte_list_desc *)(*rmap_val & ~KVM_RMAP_MANY);
1051
	int j = head_desc->spte_count - 1;
1052

1053
	/*
1054
	 * The head descriptor should never be empty.  A new head is added only
1055
	 * when adding an entry and the previous head is full, and heads are
1056
	 * removed (this flow) when they become empty.
1057
	 */
1058
	KVM_BUG_ON_DATA_CORRUPTION(j < 0, kvm);
1059

1060
	/*
1061
	 * Replace the to-be-freed SPTE with the last valid entry from the head
1062
	 * descriptor to ensure that tail descriptors are full at all times.
1063
	 * Note, this also means that tail_count is stable for each descriptor.
1064
	 */
1065
	desc->sptes[i] = head_desc->sptes[j];
1066
	head_desc->sptes[j] = NULL;
1067
	head_desc->spte_count--;
1068
	if (head_desc->spte_count)
1069
		return;
1070

1071
	/*
1072
	 * The head descriptor is empty.  If there are no tail descriptors,
1073
	 * nullify the rmap head to mark the list as empty, else point the rmap
1074
	 * head at the next descriptor, i.e. the new head.
1075
	 */
1076
	if (!head_desc->more)
1077
		*rmap_val = 0;
1078
	else
1079
		*rmap_val = (unsigned long)head_desc->more | KVM_RMAP_MANY;
1080
	mmu_free_pte_list_desc(head_desc);
1081
}
1082

1083
static void pte_list_remove(struct kvm *kvm, u64 *spte,
1084
			    struct kvm_rmap_head *rmap_head)
1085
{
1086
	struct pte_list_desc *desc;
1087
	unsigned long rmap_val;
1088
	int i;
1089

1090
	rmap_val = kvm_rmap_lock(kvm, rmap_head);
1091
	if (KVM_BUG_ON_DATA_CORRUPTION(!rmap_val, kvm))
1092
		goto out;
1093

1094
	if (!(rmap_val & KVM_RMAP_MANY)) {
1095
		if (KVM_BUG_ON_DATA_CORRUPTION((u64 *)rmap_val != spte, kvm))
1096
			goto out;
1097

1098
		rmap_val = 0;
1099
	} else {
1100
		desc = (struct pte_list_desc *)(rmap_val & ~KVM_RMAP_MANY);
1101
		while (desc) {
1102
			for (i = 0; i < desc->spte_count; ++i) {
1103
				if (desc->sptes[i] == spte) {
1104
					pte_list_desc_remove_entry(kvm, &rmap_val,
1105
								   desc, i);
1106
					goto out;
1107
				}
1108
			}
1109
			desc = desc->more;
1110
		}
1111

1112
		KVM_BUG_ON_DATA_CORRUPTION(true, kvm);
1113
	}
1114

1115
out:
1116
	kvm_rmap_unlock(kvm, rmap_head, rmap_val);
1117
}
1118

1119
static void kvm_zap_one_rmap_spte(struct kvm *kvm,
1120
				  struct kvm_rmap_head *rmap_head, u64 *sptep)
1121
{
1122
	mmu_spte_clear_track_bits(kvm, sptep);
1123
	pte_list_remove(kvm, sptep, rmap_head);
1124
}
1125

1126
/* Return true if at least one SPTE was zapped, false otherwise */
1127
static bool kvm_zap_all_rmap_sptes(struct kvm *kvm,
1128
				   struct kvm_rmap_head *rmap_head)
1129
{
1130
	struct pte_list_desc *desc, *next;
1131
	unsigned long rmap_val;
1132
	int i;
1133

1134
	rmap_val = kvm_rmap_lock(kvm, rmap_head);
1135
	if (!rmap_val)
1136
		return false;
1137

1138
	if (!(rmap_val & KVM_RMAP_MANY)) {
1139
		mmu_spte_clear_track_bits(kvm, (u64 *)rmap_val);
1140
		goto out;
1141
	}
1142

1143
	desc = (struct pte_list_desc *)(rmap_val & ~KVM_RMAP_MANY);
1144

1145
	for (; desc; desc = next) {
1146
		for (i = 0; i < desc->spte_count; i++)
1147
			mmu_spte_clear_track_bits(kvm, desc->sptes[i]);
1148
		next = desc->more;
1149
		mmu_free_pte_list_desc(desc);
1150
	}
1151
out:
1152
	/* rmap_head is meaningless now, remember to reset it */
1153
	kvm_rmap_unlock(kvm, rmap_head, 0);
1154
	return true;
1155
}
1156

1157
unsigned int pte_list_count(struct kvm_rmap_head *rmap_head)
1158
{
1159
	unsigned long rmap_val = kvm_rmap_get(rmap_head);
1160
	struct pte_list_desc *desc;
1161

1162
	if (!rmap_val)
1163
		return 0;
1164
	else if (!(rmap_val & KVM_RMAP_MANY))
1165
		return 1;
1166

1167
	desc = (struct pte_list_desc *)(rmap_val & ~KVM_RMAP_MANY);
1168
	return desc->tail_count + desc->spte_count;
1169
}
1170

1171
static struct kvm_rmap_head *gfn_to_rmap(gfn_t gfn, int level,
1172
					 const struct kvm_memory_slot *slot)
1173
{
1174
	unsigned long idx;
1175

1176
	idx = gfn_to_index(gfn, slot->base_gfn, level);
1177
	return &slot->arch.rmap[level - PG_LEVEL_4K][idx];
1178
}
1179

1180
static void rmap_remove(struct kvm *kvm, u64 *spte)
1181
{
1182
	struct kvm_memslots *slots;
1183
	struct kvm_memory_slot *slot;
1184
	struct kvm_mmu_page *sp;
1185
	gfn_t gfn;
1186
	struct kvm_rmap_head *rmap_head;
1187

1188
	sp = sptep_to_sp(spte);
1189
	gfn = kvm_mmu_page_get_gfn(sp, spte_index(spte));
1190

1191
	/*
1192
	 * Unlike rmap_add, rmap_remove does not run in the context of a vCPU
1193
	 * so we have to determine which memslots to use based on context
1194
	 * information in sp->role.
1195
	 */
1196
	slots = kvm_memslots_for_spte_role(kvm, sp->role);
1197

1198
	slot = __gfn_to_memslot(slots, gfn);
1199
	rmap_head = gfn_to_rmap(gfn, sp->role.level, slot);
1200

1201
	pte_list_remove(kvm, spte, rmap_head);
1202
}
1203

1204
/*
1205
 * Used by the following functions to iterate through the sptes linked by a
1206
 * rmap.  All fields are private and not assumed to be used outside.
1207
 */
1208
struct rmap_iterator {
1209
	/* private fields */
1210
	struct rmap_head *head;
1211
	struct pte_list_desc *desc;	/* holds the sptep if not NULL */
1212
	int pos;			/* index of the sptep */
1213
};
1214

1215
/*
1216
 * Iteration must be started by this function.  This should also be used after
1217
 * removing/dropping sptes from the rmap link because in such cases the
1218
 * information in the iterator may not be valid.
1219
 *
1220
 * Returns sptep if found, NULL otherwise.
1221
 */
1222
static u64 *rmap_get_first(struct kvm_rmap_head *rmap_head,
1223
			   struct rmap_iterator *iter)
1224
{
1225
	unsigned long rmap_val = kvm_rmap_get(rmap_head);
1226

1227
	if (!rmap_val)
1228
		return NULL;
1229

1230
	if (!(rmap_val & KVM_RMAP_MANY)) {
1231
		iter->desc = NULL;
1232
		return (u64 *)rmap_val;
1233
	}
1234

1235
	iter->desc = (struct pte_list_desc *)(rmap_val & ~KVM_RMAP_MANY);
1236
	iter->pos = 0;
1237
	return iter->desc->sptes[iter->pos];
1238
}
1239

1240
/*
1241
 * Must be used with a valid iterator: e.g. after rmap_get_first().
1242
 *
1243
 * Returns sptep if found, NULL otherwise.
1244
 */
1245
static u64 *rmap_get_next(struct rmap_iterator *iter)
1246
{
1247
	if (iter->desc) {
1248
		if (iter->pos < PTE_LIST_EXT - 1) {
1249
			++iter->pos;
1250
			if (iter->desc->sptes[iter->pos])
1251
				return iter->desc->sptes[iter->pos];
1252
		}
1253

1254
		iter->desc = iter->desc->more;
1255

1256
		if (iter->desc) {
1257
			iter->pos = 0;
1258
			/* desc->sptes[0] cannot be NULL */
1259
			return iter->desc->sptes[iter->pos];
1260
		}
1261
	}
1262

1263
	return NULL;
1264
}
1265

1266
#define __for_each_rmap_spte(_rmap_head_, _iter_, _sptep_)	\
1267
	for (_sptep_ = rmap_get_first(_rmap_head_, _iter_);	\
1268
	     _sptep_; _sptep_ = rmap_get_next(_iter_))
1269

1270
#define for_each_rmap_spte(_rmap_head_, _iter_, _sptep_)			\
1271
	__for_each_rmap_spte(_rmap_head_, _iter_, _sptep_)			\
1272
		if (!WARN_ON_ONCE(!is_shadow_present_pte(*(_sptep_))))	\
1273

1274
#define for_each_rmap_spte_lockless(_rmap_head_, _iter_, _sptep_, _spte_)	\
1275
	__for_each_rmap_spte(_rmap_head_, _iter_, _sptep_)			\
1276
		if (is_shadow_present_pte(_spte_ = mmu_spte_get_lockless(sptep)))
1277

1278
static void drop_spte(struct kvm *kvm, u64 *sptep)
1279
{
1280
	u64 old_spte = mmu_spte_clear_track_bits(kvm, sptep);
1281

1282
	if (is_shadow_present_pte(old_spte))
1283
		rmap_remove(kvm, sptep);
1284
}
1285

1286
static void drop_large_spte(struct kvm *kvm, u64 *sptep, bool flush)
1287
{
1288
	struct kvm_mmu_page *sp;
1289

1290
	sp = sptep_to_sp(sptep);
1291
	WARN_ON_ONCE(sp->role.level == PG_LEVEL_4K);
1292

1293
	drop_spte(kvm, sptep);
1294

1295
	if (flush)
1296
		kvm_flush_remote_tlbs_sptep(kvm, sptep);
1297
}
1298

1299
/*
1300
 * Write-protect on the specified @sptep, @pt_protect indicates whether
1301
 * spte write-protection is caused by protecting shadow page table.
1302
 *
1303
 * Note: write protection is difference between dirty logging and spte
1304
 * protection:
1305
 * - for dirty logging, the spte can be set to writable at anytime if
1306
 *   its dirty bitmap is properly set.
1307
 * - for spte protection, the spte can be writable only after unsync-ing
1308
 *   shadow page.
1309
 *
1310
 * Return true if tlb need be flushed.
1311
 */
1312
static bool spte_write_protect(u64 *sptep, bool pt_protect)
1313
{
1314
	u64 spte = *sptep;
1315

1316
	if (!is_writable_pte(spte) &&
1317
	    !(pt_protect && is_mmu_writable_spte(spte)))
1318
		return false;
1319

1320
	if (pt_protect)
1321
		spte &= ~shadow_mmu_writable_mask;
1322
	spte = spte & ~PT_WRITABLE_MASK;
1323

1324
	return mmu_spte_update(sptep, spte);
1325
}
1326

1327
static bool rmap_write_protect(struct kvm_rmap_head *rmap_head,
1328
			       bool pt_protect)
1329
{
1330
	u64 *sptep;
1331
	struct rmap_iterator iter;
1332
	bool flush = false;
1333

1334
	for_each_rmap_spte(rmap_head, &iter, sptep)
1335
		flush |= spte_write_protect(sptep, pt_protect);
1336

1337
	return flush;
1338
}
1339

1340
static bool spte_clear_dirty(u64 *sptep)
1341
{
1342
	u64 spte = *sptep;
1343

1344
	KVM_MMU_WARN_ON(!spte_ad_enabled(spte));
1345
	spte &= ~shadow_dirty_mask;
1346
	return mmu_spte_update(sptep, spte);
1347
}
1348

1349
/*
1350
 * Gets the GFN ready for another round of dirty logging by clearing the
1351
 *	- D bit on ad-enabled SPTEs, and
1352
 *	- W bit on ad-disabled SPTEs.
1353
 * Returns true iff any D or W bits were cleared.
1354
 */
1355
static bool __rmap_clear_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1356
			       const struct kvm_memory_slot *slot)
1357
{
1358
	u64 *sptep;
1359
	struct rmap_iterator iter;
1360
	bool flush = false;
1361

1362
	for_each_rmap_spte(rmap_head, &iter, sptep) {
1363
		if (spte_ad_need_write_protect(*sptep))
1364
			flush |= test_and_clear_bit(PT_WRITABLE_SHIFT,
1365
						    (unsigned long *)sptep);
1366
		else
1367
			flush |= spte_clear_dirty(sptep);
1368
	}
1369

1370
	return flush;
1371
}
1372

1373
static void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
1374
				     struct kvm_memory_slot *slot,
1375
				     gfn_t gfn_offset, unsigned long mask)
1376
{
1377
	struct kvm_rmap_head *rmap_head;
1378

1379
	if (tdp_mmu_enabled)
1380
		kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1381
				slot->base_gfn + gfn_offset, mask, true);
1382

1383
	if (!kvm_memslots_have_rmaps(kvm))
1384
		return;
1385

1386
	while (mask) {
1387
		rmap_head = gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1388
					PG_LEVEL_4K, slot);
1389
		rmap_write_protect(rmap_head, false);
1390

1391
		/* clear the first set bit */
1392
		mask &= mask - 1;
1393
	}
1394
}
1395

1396
static void kvm_mmu_clear_dirty_pt_masked(struct kvm *kvm,
1397
					 struct kvm_memory_slot *slot,
1398
					 gfn_t gfn_offset, unsigned long mask)
1399
{
1400
	struct kvm_rmap_head *rmap_head;
1401

1402
	if (tdp_mmu_enabled)
1403
		kvm_tdp_mmu_clear_dirty_pt_masked(kvm, slot,
1404
				slot->base_gfn + gfn_offset, mask, false);
1405

1406
	if (!kvm_memslots_have_rmaps(kvm))
1407
		return;
1408

1409
	while (mask) {
1410
		rmap_head = gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
1411
					PG_LEVEL_4K, slot);
1412
		__rmap_clear_dirty(kvm, rmap_head, slot);
1413

1414
		/* clear the first set bit */
1415
		mask &= mask - 1;
1416
	}
1417
}
1418

1419
void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
1420
				struct kvm_memory_slot *slot,
1421
				gfn_t gfn_offset, unsigned long mask)
1422
{
1423
	/*
1424
	 * If the slot was assumed to be "initially all dirty", write-protect
1425
	 * huge pages to ensure they are split to 4KiB on the first write (KVM
1426
	 * dirty logs at 4KiB granularity). If eager page splitting is enabled,
1427
	 * immediately try to split huge pages, e.g. so that vCPUs don't get
1428
	 * saddled with the cost of splitting.
1429
	 *
1430
	 * The gfn_offset is guaranteed to be aligned to 64, but the base_gfn
1431
	 * of memslot has no such restriction, so the range can cross two large
1432
	 * pages.
1433
	 */
1434
	if (kvm_dirty_log_manual_protect_and_init_set(kvm)) {
1435
		gfn_t start = slot->base_gfn + gfn_offset + __ffs(mask);
1436
		gfn_t end = slot->base_gfn + gfn_offset + __fls(mask);
1437

1438
		if (READ_ONCE(eager_page_split))
1439
			kvm_mmu_try_split_huge_pages(kvm, slot, start, end + 1, PG_LEVEL_4K);
1440

1441
		kvm_mmu_slot_gfn_write_protect(kvm, slot, start, PG_LEVEL_2M);
1442

1443
		/* Cross two large pages? */
1444
		if (ALIGN(start << PAGE_SHIFT, PMD_SIZE) !=
1445
		    ALIGN(end << PAGE_SHIFT, PMD_SIZE))
1446
			kvm_mmu_slot_gfn_write_protect(kvm, slot, end,
1447
						       PG_LEVEL_2M);
1448
	}
1449

1450
	/*
1451
	 * (Re)Enable dirty logging for all 4KiB SPTEs that map the GFNs in
1452
	 * mask.  If PML is enabled and the GFN doesn't need to be write-
1453
	 * protected for other reasons, e.g. shadow paging, clear the Dirty bit.
1454
	 * Otherwise clear the Writable bit.
1455
	 *
1456
	 * Note that kvm_mmu_clear_dirty_pt_masked() is called whenever PML is
1457
	 * enabled but it chooses between clearing the Dirty bit and Writeable
1458
	 * bit based on the context.
1459
	 */
1460
	if (kvm->arch.cpu_dirty_log_size)
1461
		kvm_mmu_clear_dirty_pt_masked(kvm, slot, gfn_offset, mask);
1462
	else
1463
		kvm_mmu_write_protect_pt_masked(kvm, slot, gfn_offset, mask);
1464
}
1465

1466
int kvm_cpu_dirty_log_size(struct kvm *kvm)
1467
{
1468
	return kvm->arch.cpu_dirty_log_size;
1469
}
1470

1471
bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
1472
				    struct kvm_memory_slot *slot, u64 gfn,
1473
				    int min_level)
1474
{
1475
	struct kvm_rmap_head *rmap_head;
1476
	int i;
1477
	bool write_protected = false;
1478

1479
	if (kvm_memslots_have_rmaps(kvm)) {
1480
		for (i = min_level; i <= KVM_MAX_HUGEPAGE_LEVEL; ++i) {
1481
			rmap_head = gfn_to_rmap(gfn, i, slot);
1482
			write_protected |= rmap_write_protect(rmap_head, true);
1483
		}
1484
	}
1485

1486
	if (tdp_mmu_enabled)
1487
		write_protected |=
1488
			kvm_tdp_mmu_write_protect_gfn(kvm, slot, gfn, min_level);
1489

1490
	return write_protected;
1491
}
1492

1493
static bool kvm_vcpu_write_protect_gfn(struct kvm_vcpu *vcpu, u64 gfn)
1494
{
1495
	struct kvm_memory_slot *slot;
1496

1497
	slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
1498
	return kvm_mmu_slot_gfn_write_protect(vcpu->kvm, slot, gfn, PG_LEVEL_4K);
1499
}
1500

1501
static bool kvm_zap_rmap(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
1502
			 const struct kvm_memory_slot *slot)
1503
{
1504
	return kvm_zap_all_rmap_sptes(kvm, rmap_head);
1505
}
1506

1507
struct slot_rmap_walk_iterator {
1508
	/* input fields. */
1509
	const struct kvm_memory_slot *slot;
1510
	gfn_t start_gfn;
1511
	gfn_t end_gfn;
1512
	int start_level;
1513
	int end_level;
1514

1515
	/* output fields. */
1516
	gfn_t gfn;
1517
	struct kvm_rmap_head *rmap;
1518
	int level;
1519

1520
	/* private field. */
1521
	struct kvm_rmap_head *end_rmap;
1522
};
1523

1524
static void rmap_walk_init_level(struct slot_rmap_walk_iterator *iterator,
1525
				 int level)
1526
{
1527
	iterator->level = level;
1528
	iterator->gfn = iterator->start_gfn;
1529
	iterator->rmap = gfn_to_rmap(iterator->gfn, level, iterator->slot);
1530
	iterator->end_rmap = gfn_to_rmap(iterator->end_gfn, level, iterator->slot);
1531
}
1532

1533
static void slot_rmap_walk_init(struct slot_rmap_walk_iterator *iterator,
1534
				const struct kvm_memory_slot *slot,
1535
				int start_level, int end_level,
1536
				gfn_t start_gfn, gfn_t end_gfn)
1537
{
1538
	iterator->slot = slot;
1539
	iterator->start_level = start_level;
1540
	iterator->end_level = end_level;
1541
	iterator->start_gfn = start_gfn;
1542
	iterator->end_gfn = end_gfn;
1543

1544
	rmap_walk_init_level(iterator, iterator->start_level);
1545
}
1546

1547
static bool slot_rmap_walk_okay(struct slot_rmap_walk_iterator *iterator)
1548
{
1549
	return !!iterator->rmap;
1550
}
1551

1552
static void slot_rmap_walk_next(struct slot_rmap_walk_iterator *iterator)
1553
{
1554
	while (++iterator->rmap <= iterator->end_rmap) {
1555
		iterator->gfn += KVM_PAGES_PER_HPAGE(iterator->level);
1556

1557
		if (atomic_long_read(&iterator->rmap->val))
1558
			return;
1559
	}
1560

1561
	if (++iterator->level > iterator->end_level) {
1562
		iterator->rmap = NULL;
1563
		return;
1564
	}
1565

1566
	rmap_walk_init_level(iterator, iterator->level);
1567
}
1568

1569
#define for_each_slot_rmap_range(_slot_, _start_level_, _end_level_,	\
1570
	   _start_gfn, _end_gfn, _iter_)				\
1571
	for (slot_rmap_walk_init(_iter_, _slot_, _start_level_,		\
1572
				 _end_level_, _start_gfn, _end_gfn);	\
1573
	     slot_rmap_walk_okay(_iter_);				\
1574
	     slot_rmap_walk_next(_iter_))
1575

1576
/* The return value indicates if tlb flush on all vcpus is needed. */
1577
typedef bool (*slot_rmaps_handler) (struct kvm *kvm,
1578
				    struct kvm_rmap_head *rmap_head,
1579
				    const struct kvm_memory_slot *slot);
1580

1581
static __always_inline bool __walk_slot_rmaps(struct kvm *kvm,
1582
					      const struct kvm_memory_slot *slot,
1583
					      slot_rmaps_handler fn,
1584
					      int start_level, int end_level,
1585
					      gfn_t start_gfn, gfn_t end_gfn,
1586
					      bool can_yield, bool flush_on_yield,
1587
					      bool flush)
1588
{
1589
	struct slot_rmap_walk_iterator iterator;
1590

1591
	lockdep_assert_held_write(&kvm->mmu_lock);
1592

1593
	for_each_slot_rmap_range(slot, start_level, end_level, start_gfn,
1594
			end_gfn, &iterator) {
1595
		if (iterator.rmap)
1596
			flush |= fn(kvm, iterator.rmap, slot);
1597

1598
		if (!can_yield)
1599
			continue;
1600

1601
		if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
1602
			if (flush && flush_on_yield) {
1603
				kvm_flush_remote_tlbs_range(kvm, start_gfn,
1604
							    iterator.gfn - start_gfn + 1);
1605
				flush = false;
1606
			}
1607
			cond_resched_rwlock_write(&kvm->mmu_lock);
1608
		}
1609
	}
1610

1611
	return flush;
1612
}
1613

1614
static __always_inline bool walk_slot_rmaps(struct kvm *kvm,
1615
					    const struct kvm_memory_slot *slot,
1616
					    slot_rmaps_handler fn,
1617
					    int start_level, int end_level,
1618
					    bool flush_on_yield)
1619
{
1620
	return __walk_slot_rmaps(kvm, slot, fn, start_level, end_level,
1621
				 slot->base_gfn, slot->base_gfn + slot->npages - 1,
1622
				 true, flush_on_yield, false);
1623
}
1624

1625
static __always_inline bool walk_slot_rmaps_4k(struct kvm *kvm,
1626
					       const struct kvm_memory_slot *slot,
1627
					       slot_rmaps_handler fn,
1628
					       bool flush_on_yield)
1629
{
1630
	return walk_slot_rmaps(kvm, slot, fn, PG_LEVEL_4K, PG_LEVEL_4K, flush_on_yield);
1631
}
1632

1633
static bool __kvm_rmap_zap_gfn_range(struct kvm *kvm,
1634
				     const struct kvm_memory_slot *slot,
1635
				     gfn_t start, gfn_t end, bool can_yield,
1636
				     bool flush)
1637
{
1638
	return __walk_slot_rmaps(kvm, slot, kvm_zap_rmap,
1639
				 PG_LEVEL_4K, KVM_MAX_HUGEPAGE_LEVEL,
1640
				 start, end - 1, can_yield, true, flush);
1641
}
1642

1643
bool kvm_unmap_gfn_range(struct kvm *kvm, struct kvm_gfn_range *range)
1644
{
1645
	bool flush = false;
1646

1647
	/*
1648
	 * To prevent races with vCPUs faulting in a gfn using stale data,
1649
	 * zapping a gfn range must be protected by mmu_invalidate_in_progress
1650
	 * (and mmu_invalidate_seq).  The only exception is memslot deletion;
1651
	 * in that case, SRCU synchronization ensures that SPTEs are zapped
1652
	 * after all vCPUs have unlocked SRCU, guaranteeing that vCPUs see the
1653
	 * invalid slot.
1654
	 */
1655
	lockdep_assert_once(kvm->mmu_invalidate_in_progress ||
1656
			    lockdep_is_held(&kvm->slots_lock));
1657

1658
	if (kvm_memslots_have_rmaps(kvm))
1659
		flush = __kvm_rmap_zap_gfn_range(kvm, range->slot,
1660
						 range->start, range->end,
1661
						 range->may_block, flush);
1662

1663
	if (tdp_mmu_enabled)
1664
		flush = kvm_tdp_mmu_unmap_gfn_range(kvm, range, flush);
1665

1666
	if (kvm_x86_ops.set_apic_access_page_addr &&
1667
	    range->slot->id == APIC_ACCESS_PAGE_PRIVATE_MEMSLOT)
1668
		kvm_make_all_cpus_request(kvm, KVM_REQ_APIC_PAGE_RELOAD);
1669

1670
	return flush;
1671
}
1672

1673
#define RMAP_RECYCLE_THRESHOLD 1000
1674

1675
static void __rmap_add(struct kvm *kvm,
1676
		       struct kvm_mmu_memory_cache *cache,
1677
		       const struct kvm_memory_slot *slot,
1678
		       u64 *spte, gfn_t gfn, unsigned int access)
1679
{
1680
	struct kvm_mmu_page *sp;
1681
	struct kvm_rmap_head *rmap_head;
1682
	int rmap_count;
1683

1684
	sp = sptep_to_sp(spte);
1685
	kvm_mmu_page_set_translation(sp, spte_index(spte), gfn, access);
1686
	kvm_update_page_stats(kvm, sp->role.level, 1);
1687

1688
	rmap_head = gfn_to_rmap(gfn, sp->role.level, slot);
1689
	rmap_count = pte_list_add(kvm, cache, spte, rmap_head);
1690

1691
	if (rmap_count > kvm->stat.max_mmu_rmap_size)
1692
		kvm->stat.max_mmu_rmap_size = rmap_count;
1693
	if (rmap_count > RMAP_RECYCLE_THRESHOLD) {
1694
		kvm_zap_all_rmap_sptes(kvm, rmap_head);
1695
		kvm_flush_remote_tlbs_gfn(kvm, gfn, sp->role.level);
1696
	}
1697
}
1698

1699
static void rmap_add(struct kvm_vcpu *vcpu, const struct kvm_memory_slot *slot,
1700
		     u64 *spte, gfn_t gfn, unsigned int access)
1701
{
1702
	struct kvm_mmu_memory_cache *cache = &vcpu->arch.mmu_pte_list_desc_cache;
1703

1704
	__rmap_add(vcpu->kvm, cache, slot, spte, gfn, access);
1705
}
1706

1707
static bool kvm_rmap_age_gfn_range(struct kvm *kvm,
1708
				   struct kvm_gfn_range *range,
1709
				   bool test_only)
1710
{
1711
	struct kvm_rmap_head *rmap_head;
1712
	struct rmap_iterator iter;
1713
	unsigned long rmap_val;
1714
	bool young = false;
1715
	u64 *sptep;
1716
	gfn_t gfn;
1717
	int level;
1718
	u64 spte;
1719

1720
	for (level = PG_LEVEL_4K; level <= KVM_MAX_HUGEPAGE_LEVEL; level++) {
1721
		for (gfn = range->start; gfn < range->end;
1722
		     gfn += KVM_PAGES_PER_HPAGE(level)) {
1723
			rmap_head = gfn_to_rmap(gfn, level, range->slot);
1724
			rmap_val = kvm_rmap_lock_readonly(rmap_head);
1725

1726
			for_each_rmap_spte_lockless(rmap_head, &iter, sptep, spte) {
1727
				if (!is_accessed_spte(spte))
1728
					continue;
1729

1730
				if (test_only) {
1731
					kvm_rmap_unlock_readonly(rmap_head, rmap_val);
1732
					return true;
1733
				}
1734

1735
				if (spte_ad_enabled(spte))
1736
					clear_bit((ffs(shadow_accessed_mask) - 1),
1737
						  (unsigned long *)sptep);
1738
				else
1739
					/*
1740
					 * If the following cmpxchg fails, the
1741
					 * spte is being concurrently modified
1742
					 * and should most likely stay young.
1743
					 */
1744
					cmpxchg64(sptep, spte,
1745
					      mark_spte_for_access_track(spte));
1746
				young = true;
1747
			}
1748

1749
			kvm_rmap_unlock_readonly(rmap_head, rmap_val);
1750
		}
1751
	}
1752
	return young;
1753
}
1754

1755
static bool kvm_may_have_shadow_mmu_sptes(struct kvm *kvm)
1756
{
1757
	return !tdp_mmu_enabled || READ_ONCE(kvm->arch.indirect_shadow_pages);
1758
}
1759

1760
bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
1761
{
1762
	bool young = false;
1763

1764
	if (tdp_mmu_enabled)
1765
		young = kvm_tdp_mmu_age_gfn_range(kvm, range);
1766

1767
	if (kvm_may_have_shadow_mmu_sptes(kvm))
1768
		young |= kvm_rmap_age_gfn_range(kvm, range, false);
1769

1770
	return young;
1771
}
1772

1773
bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
1774
{
1775
	bool young = false;
1776

1777
	if (tdp_mmu_enabled)
1778
		young = kvm_tdp_mmu_test_age_gfn(kvm, range);
1779

1780
	if (young)
1781
		return young;
1782

1783
	if (kvm_may_have_shadow_mmu_sptes(kvm))
1784
		young |= kvm_rmap_age_gfn_range(kvm, range, true);
1785

1786
	return young;
1787
}
1788

1789
static void kvm_mmu_check_sptes_at_free(struct kvm_mmu_page *sp)
1790
{
1791
#ifdef CONFIG_KVM_PROVE_MMU
1792
	int i;
1793

1794
	for (i = 0; i < SPTE_ENT_PER_PAGE; i++) {
1795
		if (KVM_MMU_WARN_ON(is_shadow_present_pte(sp->spt[i])))
1796
			pr_err_ratelimited("SPTE %llx (@ %p) for gfn %llx shadow-present at free",
1797
					   sp->spt[i], &sp->spt[i],
1798
					   kvm_mmu_page_get_gfn(sp, i));
1799
	}
1800
#endif
1801
}
1802

1803
static void kvm_account_mmu_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1804
{
1805
	kvm->arch.n_used_mmu_pages++;
1806
	kvm_account_pgtable_pages((void *)sp->spt, +1);
1807
}
1808

1809
static void kvm_unaccount_mmu_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1810
{
1811
	kvm->arch.n_used_mmu_pages--;
1812
	kvm_account_pgtable_pages((void *)sp->spt, -1);
1813
}
1814

1815
static void kvm_mmu_free_shadow_page(struct kvm_mmu_page *sp)
1816
{
1817
	kvm_mmu_check_sptes_at_free(sp);
1818

1819
	hlist_del(&sp->hash_link);
1820
	list_del(&sp->link);
1821
	free_page((unsigned long)sp->spt);
1822
	free_page((unsigned long)sp->shadowed_translation);
1823
	kmem_cache_free(mmu_page_header_cache, sp);
1824
}
1825

1826
static unsigned kvm_page_table_hashfn(gfn_t gfn)
1827
{
1828
	return hash_64(gfn, KVM_MMU_HASH_SHIFT);
1829
}
1830

1831
static void mmu_page_add_parent_pte(struct kvm *kvm,
1832
				    struct kvm_mmu_memory_cache *cache,
1833
				    struct kvm_mmu_page *sp, u64 *parent_pte)
1834
{
1835
	if (!parent_pte)
1836
		return;
1837

1838
	pte_list_add(kvm, cache, parent_pte, &sp->parent_ptes);
1839
}
1840

1841
static void mmu_page_remove_parent_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
1842
				       u64 *parent_pte)
1843
{
1844
	pte_list_remove(kvm, parent_pte, &sp->parent_ptes);
1845
}
1846

1847
static void drop_parent_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
1848
			    u64 *parent_pte)
1849
{
1850
	mmu_page_remove_parent_pte(kvm, sp, parent_pte);
1851
	mmu_spte_clear_no_track(parent_pte);
1852
}
1853

1854
static void mark_unsync(u64 *spte);
1855
static void kvm_mmu_mark_parents_unsync(struct kvm_mmu_page *sp)
1856
{
1857
	u64 *sptep;
1858
	struct rmap_iterator iter;
1859

1860
	for_each_rmap_spte(&sp->parent_ptes, &iter, sptep) {
1861
		mark_unsync(sptep);
1862
	}
1863
}
1864

1865
static void mark_unsync(u64 *spte)
1866
{
1867
	struct kvm_mmu_page *sp;
1868

1869
	sp = sptep_to_sp(spte);
1870
	if (__test_and_set_bit(spte_index(spte), sp->unsync_child_bitmap))
1871
		return;
1872
	if (sp->unsync_children++)
1873
		return;
1874
	kvm_mmu_mark_parents_unsync(sp);
1875
}
1876

1877
#define KVM_PAGE_ARRAY_NR 16
1878

1879
struct kvm_mmu_pages {
1880
	struct mmu_page_and_offset {
1881
		struct kvm_mmu_page *sp;
1882
		unsigned int idx;
1883
	} page[KVM_PAGE_ARRAY_NR];
1884
	unsigned int nr;
1885
};
1886

1887
static int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
1888
			 int idx)
1889
{
1890
	int i;
1891

1892
	if (sp->unsync)
1893
		for (i=0; i < pvec->nr; i++)
1894
			if (pvec->page[i].sp == sp)
1895
				return 0;
1896

1897
	pvec->page[pvec->nr].sp = sp;
1898
	pvec->page[pvec->nr].idx = idx;
1899
	pvec->nr++;
1900
	return (pvec->nr == KVM_PAGE_ARRAY_NR);
1901
}
1902

1903
static inline void clear_unsync_child_bit(struct kvm_mmu_page *sp, int idx)
1904
{
1905
	--sp->unsync_children;
1906
	WARN_ON_ONCE((int)sp->unsync_children < 0);
1907
	__clear_bit(idx, sp->unsync_child_bitmap);
1908
}
1909

1910
static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
1911
			   struct kvm_mmu_pages *pvec)
1912
{
1913
	int i, ret, nr_unsync_leaf = 0;
1914

1915
	for_each_set_bit(i, sp->unsync_child_bitmap, 512) {
1916
		struct kvm_mmu_page *child;
1917
		u64 ent = sp->spt[i];
1918

1919
		if (!is_shadow_present_pte(ent) || is_large_pte(ent)) {
1920
			clear_unsync_child_bit(sp, i);
1921
			continue;
1922
		}
1923

1924
		child = spte_to_child_sp(ent);
1925

1926
		if (child->unsync_children) {
1927
			if (mmu_pages_add(pvec, child, i))
1928
				return -ENOSPC;
1929

1930
			ret = __mmu_unsync_walk(child, pvec);
1931
			if (!ret) {
1932
				clear_unsync_child_bit(sp, i);
1933
				continue;
1934
			} else if (ret > 0) {
1935
				nr_unsync_leaf += ret;
1936
			} else
1937
				return ret;
1938
		} else if (child->unsync) {
1939
			nr_unsync_leaf++;
1940
			if (mmu_pages_add(pvec, child, i))
1941
				return -ENOSPC;
1942
		} else
1943
			clear_unsync_child_bit(sp, i);
1944
	}
1945

1946
	return nr_unsync_leaf;
1947
}
1948

1949
#define INVALID_INDEX (-1)
1950

1951
static int mmu_unsync_walk(struct kvm_mmu_page *sp,
1952
			   struct kvm_mmu_pages *pvec)
1953
{
1954
	pvec->nr = 0;
1955
	if (!sp->unsync_children)
1956
		return 0;
1957

1958
	mmu_pages_add(pvec, sp, INVALID_INDEX);
1959
	return __mmu_unsync_walk(sp, pvec);
1960
}
1961

1962
static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
1963
{
1964
	WARN_ON_ONCE(!sp->unsync);
1965
	trace_kvm_mmu_sync_page(sp);
1966
	sp->unsync = 0;
1967
	--kvm->stat.mmu_unsync;
1968
}
1969

1970
static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
1971
				     struct list_head *invalid_list);
1972
static void kvm_mmu_commit_zap_page(struct kvm *kvm,
1973
				    struct list_head *invalid_list);
1974

1975
static bool sp_has_gptes(struct kvm_mmu_page *sp)
1976
{
1977
	if (sp->role.direct)
1978
		return false;
1979

1980
	if (sp->role.passthrough)
1981
		return false;
1982

1983
	return true;
1984
}
1985

1986
static __ro_after_init HLIST_HEAD(empty_page_hash);
1987

1988
static struct hlist_head *kvm_get_mmu_page_hash(struct kvm *kvm, gfn_t gfn)
1989
{
1990
	/*
1991
	 * Ensure the load of the hash table pointer itself is ordered before
1992
	 * loads to walk the table.  The pointer is set at runtime outside of
1993
	 * mmu_lock when the TDP MMU is enabled, i.e. when the hash table of
1994
	 * shadow pages becomes necessary only when KVM needs to shadow L1's
1995
	 * TDP for an L2 guest.  Pairs with the smp_store_release() in
1996
	 * kvm_mmu_alloc_page_hash().
1997
	 */
1998
	struct hlist_head *page_hash = smp_load_acquire(&kvm->arch.mmu_page_hash);
1999

2000
	lockdep_assert_held(&kvm->mmu_lock);
2001

2002
	if (!page_hash)
2003
		return &empty_page_hash;
2004

2005
	return &page_hash[kvm_page_table_hashfn(gfn)];
2006
}
2007

2008
#define for_each_valid_sp(_kvm, _sp, _list)				\
2009
	hlist_for_each_entry(_sp, _list, hash_link)			\
2010
		if (is_obsolete_sp((_kvm), (_sp))) {			\
2011
		} else
2012

2013
#define for_each_gfn_valid_sp_with_gptes(_kvm, _sp, _gfn)		\
2014
	for_each_valid_sp(_kvm, _sp, kvm_get_mmu_page_hash(_kvm, _gfn))	\
2015
		if ((_sp)->gfn != (_gfn) || !sp_has_gptes(_sp)) {} else
2016

2017
static bool kvm_sync_page_check(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
2018
{
2019
	union kvm_mmu_page_role root_role = vcpu->arch.mmu->root_role;
2020

2021
	/*
2022
	 * Ignore various flags when verifying that it's safe to sync a shadow
2023
	 * page using the current MMU context.
2024
	 *
2025
	 *  - level: not part of the overall MMU role and will never match as the MMU's
2026
	 *           level tracks the root level
2027
	 *  - access: updated based on the new guest PTE
2028
	 *  - quadrant: not part of the overall MMU role (similar to level)
2029
	 */
2030
	const union kvm_mmu_page_role sync_role_ign = {
2031
		.level = 0xf,
2032
		.access = 0x7,
2033
		.quadrant = 0x3,
2034
		.passthrough = 0x1,
2035
	};
2036

2037
	/*
2038
	 * Direct pages can never be unsync, and KVM should never attempt to
2039
	 * sync a shadow page for a different MMU context, e.g. if the role
2040
	 * differs then the memslot lookup (SMM vs. non-SMM) will be bogus, the
2041
	 * reserved bits checks will be wrong, etc...
2042
	 */
2043
	if (WARN_ON_ONCE(sp->role.direct || !vcpu->arch.mmu->sync_spte ||
2044
			 (sp->role.word ^ root_role.word) & ~sync_role_ign.word))
2045
		return false;
2046

2047
	return true;
2048
}
2049

2050
static int kvm_sync_spte(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp, int i)
2051
{
2052
	/* sp->spt[i] has initial value of shadow page table allocation */
2053
	if (sp->spt[i] == SHADOW_NONPRESENT_VALUE)
2054
		return 0;
2055

2056
	return vcpu->arch.mmu->sync_spte(vcpu, sp, i);
2057
}
2058

2059
static int __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
2060
{
2061
	int flush = 0;
2062
	int i;
2063

2064
	if (!kvm_sync_page_check(vcpu, sp))
2065
		return -1;
2066

2067
	for (i = 0; i < SPTE_ENT_PER_PAGE; i++) {
2068
		int ret = kvm_sync_spte(vcpu, sp, i);
2069

2070
		if (ret < -1)
2071
			return -1;
2072
		flush |= ret;
2073
	}
2074

2075
	/*
2076
	 * Note, any flush is purely for KVM's correctness, e.g. when dropping
2077
	 * an existing SPTE or clearing W/A/D bits to ensure an mmu_notifier
2078
	 * unmap or dirty logging event doesn't fail to flush.  The guest is
2079
	 * responsible for flushing the TLB to ensure any changes in protection
2080
	 * bits are recognized, i.e. until the guest flushes or page faults on
2081
	 * a relevant address, KVM is architecturally allowed to let vCPUs use
2082
	 * cached translations with the old protection bits.
2083
	 */
2084
	return flush;
2085
}
2086

2087
static int kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
2088
			 struct list_head *invalid_list)
2089
{
2090
	int ret = __kvm_sync_page(vcpu, sp);
2091

2092
	if (ret < 0)
2093
		kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list);
2094
	return ret;
2095
}
2096

2097
static bool kvm_mmu_remote_flush_or_zap(struct kvm *kvm,
2098
					struct list_head *invalid_list,
2099
					bool remote_flush)
2100
{
2101
	if (!remote_flush && list_empty(invalid_list))
2102
		return false;
2103

2104
	if (!list_empty(invalid_list))
2105
		kvm_mmu_commit_zap_page(kvm, invalid_list);
2106
	else
2107
		kvm_flush_remote_tlbs(kvm);
2108
	return true;
2109
}
2110

2111
static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
2112
{
2113
	if (sp->role.invalid)
2114
		return true;
2115

2116
	/* TDP MMU pages do not use the MMU generation. */
2117
	return !is_tdp_mmu_page(sp) &&
2118
	       unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen);
2119
}
2120

2121
struct mmu_page_path {
2122
	struct kvm_mmu_page *parent[PT64_ROOT_MAX_LEVEL];
2123
	unsigned int idx[PT64_ROOT_MAX_LEVEL];
2124
};
2125

2126
#define for_each_sp(pvec, sp, parents, i)			\
2127
		for (i = mmu_pages_first(&pvec, &parents);	\
2128
			i < pvec.nr && ({ sp = pvec.page[i].sp; 1;});	\
2129
			i = mmu_pages_next(&pvec, &parents, i))
2130

2131
static int mmu_pages_next(struct kvm_mmu_pages *pvec,
2132
			  struct mmu_page_path *parents,
2133
			  int i)
2134
{
2135
	int n;
2136

2137
	for (n = i+1; n < pvec->nr; n++) {
2138
		struct kvm_mmu_page *sp = pvec->page[n].sp;
2139
		unsigned idx = pvec->page[n].idx;
2140
		int level = sp->role.level;
2141

2142
		parents->idx[level-1] = idx;
2143
		if (level == PG_LEVEL_4K)
2144
			break;
2145

2146
		parents->parent[level-2] = sp;
2147
	}
2148

2149
	return n;
2150
}
2151

2152
static int mmu_pages_first(struct kvm_mmu_pages *pvec,
2153
			   struct mmu_page_path *parents)
2154
{
2155
	struct kvm_mmu_page *sp;
2156
	int level;
2157

2158
	if (pvec->nr == 0)
2159
		return 0;
2160

2161
	WARN_ON_ONCE(pvec->page[0].idx != INVALID_INDEX);
2162

2163
	sp = pvec->page[0].sp;
2164
	level = sp->role.level;
2165
	WARN_ON_ONCE(level == PG_LEVEL_4K);
2166

2167
	parents->parent[level-2] = sp;
2168

2169
	/* Also set up a sentinel.  Further entries in pvec are all
2170
	 * children of sp, so this element is never overwritten.
2171
	 */
2172
	parents->parent[level-1] = NULL;
2173
	return mmu_pages_next(pvec, parents, 0);
2174
}
2175

2176
static void mmu_pages_clear_parents(struct mmu_page_path *parents)
2177
{
2178
	struct kvm_mmu_page *sp;
2179
	unsigned int level = 0;
2180

2181
	do {
2182
		unsigned int idx = parents->idx[level];
2183
		sp = parents->parent[level];
2184
		if (!sp)
2185
			return;
2186

2187
		WARN_ON_ONCE(idx == INVALID_INDEX);
2188
		clear_unsync_child_bit(sp, idx);
2189
		level++;
2190
	} while (!sp->unsync_children);
2191
}
2192

2193
static int mmu_sync_children(struct kvm_vcpu *vcpu,
2194
			     struct kvm_mmu_page *parent, bool can_yield)
2195
{
2196
	int i;
2197
	struct kvm_mmu_page *sp;
2198
	struct mmu_page_path parents;
2199
	struct kvm_mmu_pages pages;
2200
	LIST_HEAD(invalid_list);
2201
	bool flush = false;
2202

2203
	while (mmu_unsync_walk(parent, &pages)) {
2204
		bool protected = false;
2205

2206
		for_each_sp(pages, sp, parents, i)
2207
			protected |= kvm_vcpu_write_protect_gfn(vcpu, sp->gfn);
2208

2209
		if (protected) {
2210
			kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, true);
2211
			flush = false;
2212
		}
2213

2214
		for_each_sp(pages, sp, parents, i) {
2215
			kvm_unlink_unsync_page(vcpu->kvm, sp);
2216
			flush |= kvm_sync_page(vcpu, sp, &invalid_list) > 0;
2217
			mmu_pages_clear_parents(&parents);
2218
		}
2219
		if (need_resched() || rwlock_needbreak(&vcpu->kvm->mmu_lock)) {
2220
			kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
2221
			if (!can_yield) {
2222
				kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
2223
				return -EINTR;
2224
			}
2225

2226
			cond_resched_rwlock_write(&vcpu->kvm->mmu_lock);
2227
			flush = false;
2228
		}
2229
	}
2230

2231
	kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
2232
	return 0;
2233
}
2234

2235
static void __clear_sp_write_flooding_count(struct kvm_mmu_page *sp)
2236
{
2237
	atomic_set(&sp->write_flooding_count,  0);
2238
}
2239

2240
static void clear_sp_write_flooding_count(u64 *spte)
2241
{
2242
	__clear_sp_write_flooding_count(sptep_to_sp(spte));
2243
}
2244

2245
/*
2246
 * The vCPU is required when finding indirect shadow pages; the shadow
2247
 * page may already exist and syncing it needs the vCPU pointer in
2248
 * order to read guest page tables.  Direct shadow pages are never
2249
 * unsync, thus @vcpu can be NULL if @role.direct is true.
2250
 */
2251
static struct kvm_mmu_page *kvm_mmu_find_shadow_page(struct kvm *kvm,
2252
						     struct kvm_vcpu *vcpu,
2253
						     gfn_t gfn,
2254
						     struct hlist_head *sp_list,
2255
						     union kvm_mmu_page_role role)
2256
{
2257
	struct kvm_mmu_page *sp;
2258
	int ret;
2259
	int collisions = 0;
2260
	LIST_HEAD(invalid_list);
2261

2262
	for_each_valid_sp(kvm, sp, sp_list) {
2263
		if (sp->gfn != gfn) {
2264
			collisions++;
2265
			continue;
2266
		}
2267

2268
		if (sp->role.word != role.word) {
2269
			/*
2270
			 * If the guest is creating an upper-level page, zap
2271
			 * unsync pages for the same gfn.  While it's possible
2272
			 * the guest is using recursive page tables, in all
2273
			 * likelihood the guest has stopped using the unsync
2274
			 * page and is installing a completely unrelated page.
2275
			 * Unsync pages must not be left as is, because the new
2276
			 * upper-level page will be write-protected.
2277
			 */
2278
			if (role.level > PG_LEVEL_4K && sp->unsync)
2279
				kvm_mmu_prepare_zap_page(kvm, sp,
2280
							 &invalid_list);
2281
			continue;
2282
		}
2283

2284
		/* unsync and write-flooding only apply to indirect SPs. */
2285
		if (sp->role.direct)
2286
			goto out;
2287

2288
		if (sp->unsync) {
2289
			if (KVM_BUG_ON(!vcpu, kvm))
2290
				break;
2291

2292
			/*
2293
			 * The page is good, but is stale.  kvm_sync_page does
2294
			 * get the latest guest state, but (unlike mmu_unsync_children)
2295
			 * it doesn't write-protect the page or mark it synchronized!
2296
			 * This way the validity of the mapping is ensured, but the
2297
			 * overhead of write protection is not incurred until the
2298
			 * guest invalidates the TLB mapping.  This allows multiple
2299
			 * SPs for a single gfn to be unsync.
2300
			 *
2301
			 * If the sync fails, the page is zapped.  If so, break
2302
			 * in order to rebuild it.
2303
			 */
2304
			ret = kvm_sync_page(vcpu, sp, &invalid_list);
2305
			if (ret < 0)
2306
				break;
2307

2308
			WARN_ON_ONCE(!list_empty(&invalid_list));
2309
			if (ret > 0)
2310
				kvm_flush_remote_tlbs(kvm);
2311
		}
2312

2313
		__clear_sp_write_flooding_count(sp);
2314

2315
		goto out;
2316
	}
2317

2318
	sp = NULL;
2319
	++kvm->stat.mmu_cache_miss;
2320

2321
out:
2322
	kvm_mmu_commit_zap_page(kvm, &invalid_list);
2323

2324
	if (collisions > kvm->stat.max_mmu_page_hash_collisions)
2325
		kvm->stat.max_mmu_page_hash_collisions = collisions;
2326
	return sp;
2327
}
2328

2329
/* Caches used when allocating a new shadow page. */
2330
struct shadow_page_caches {
2331
	struct kvm_mmu_memory_cache *page_header_cache;
2332
	struct kvm_mmu_memory_cache *shadow_page_cache;
2333
	struct kvm_mmu_memory_cache *shadowed_info_cache;
2334
};
2335

2336
static struct kvm_mmu_page *kvm_mmu_alloc_shadow_page(struct kvm *kvm,
2337
						      struct shadow_page_caches *caches,
2338
						      gfn_t gfn,
2339
						      struct hlist_head *sp_list,
2340
						      union kvm_mmu_page_role role)
2341
{
2342
	struct kvm_mmu_page *sp;
2343

2344
	sp = kvm_mmu_memory_cache_alloc(caches->page_header_cache);
2345
	sp->spt = kvm_mmu_memory_cache_alloc(caches->shadow_page_cache);
2346
	if (!role.direct && role.level <= KVM_MAX_HUGEPAGE_LEVEL)
2347
		sp->shadowed_translation = kvm_mmu_memory_cache_alloc(caches->shadowed_info_cache);
2348

2349
	set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
2350

2351
	INIT_LIST_HEAD(&sp->possible_nx_huge_page_link);
2352

2353
	/*
2354
	 * active_mmu_pages must be a FIFO list, as kvm_zap_obsolete_pages()
2355
	 * depends on valid pages being added to the head of the list.  See
2356
	 * comments in kvm_zap_obsolete_pages().
2357
	 */
2358
	sp->mmu_valid_gen = kvm->arch.mmu_valid_gen;
2359
	list_add(&sp->link, &kvm->arch.active_mmu_pages);
2360
	kvm_account_mmu_page(kvm, sp);
2361

2362
	sp->gfn = gfn;
2363
	sp->role = role;
2364
	hlist_add_head(&sp->hash_link, sp_list);
2365
	if (sp_has_gptes(sp))
2366
		account_shadowed(kvm, sp);
2367

2368
	return sp;
2369
}
2370

2371
/* Note, @vcpu may be NULL if @role.direct is true; see kvm_mmu_find_shadow_page. */
2372
static struct kvm_mmu_page *__kvm_mmu_get_shadow_page(struct kvm *kvm,
2373
						      struct kvm_vcpu *vcpu,
2374
						      struct shadow_page_caches *caches,
2375
						      gfn_t gfn,
2376
						      union kvm_mmu_page_role role)
2377
{
2378
	struct hlist_head *sp_list;
2379
	struct kvm_mmu_page *sp;
2380
	bool created = false;
2381

2382
	/*
2383
	 * No need for memory barriers, unlike in kvm_get_mmu_page_hash(), as
2384
	 * mmu_page_hash must be set prior to creating the first shadow root,
2385
	 * i.e. reaching this point is fully serialized by slots_arch_lock.
2386
	 */
2387
	BUG_ON(!kvm->arch.mmu_page_hash);
2388
	sp_list = &kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)];
2389

2390
	sp = kvm_mmu_find_shadow_page(kvm, vcpu, gfn, sp_list, role);
2391
	if (!sp) {
2392
		created = true;
2393
		sp = kvm_mmu_alloc_shadow_page(kvm, caches, gfn, sp_list, role);
2394
	}
2395

2396
	trace_kvm_mmu_get_page(sp, created);
2397
	return sp;
2398
}
2399

2400
static struct kvm_mmu_page *kvm_mmu_get_shadow_page(struct kvm_vcpu *vcpu,
2401
						    gfn_t gfn,
2402
						    union kvm_mmu_page_role role)
2403
{
2404
	struct shadow_page_caches caches = {
2405
		.page_header_cache = &vcpu->arch.mmu_page_header_cache,
2406
		.shadow_page_cache = &vcpu->arch.mmu_shadow_page_cache,
2407
		.shadowed_info_cache = &vcpu->arch.mmu_shadowed_info_cache,
2408
	};
2409

2410
	return __kvm_mmu_get_shadow_page(vcpu->kvm, vcpu, &caches, gfn, role);
2411
}
2412

2413
static union kvm_mmu_page_role kvm_mmu_child_role(u64 *sptep, bool direct,
2414
						  unsigned int access)
2415
{
2416
	struct kvm_mmu_page *parent_sp = sptep_to_sp(sptep);
2417
	union kvm_mmu_page_role role;
2418

2419
	role = parent_sp->role;
2420
	role.level--;
2421
	role.access = access;
2422
	role.direct = direct;
2423
	role.passthrough = 0;
2424

2425
	/*
2426
	 * If the guest has 4-byte PTEs then that means it's using 32-bit,
2427
	 * 2-level, non-PAE paging. KVM shadows such guests with PAE paging
2428
	 * (i.e. 8-byte PTEs). The difference in PTE size means that KVM must
2429
	 * shadow each guest page table with multiple shadow page tables, which
2430
	 * requires extra bookkeeping in the role.
2431
	 *
2432
	 * Specifically, to shadow the guest's page directory (which covers a
2433
	 * 4GiB address space), KVM uses 4 PAE page directories, each mapping
2434
	 * 1GiB of the address space. @role.quadrant encodes which quarter of
2435
	 * the address space each maps.
2436
	 *
2437
	 * To shadow the guest's page tables (which each map a 4MiB region), KVM
2438
	 * uses 2 PAE page tables, each mapping a 2MiB region. For these,
2439
	 * @role.quadrant encodes which half of the region they map.
2440
	 *
2441
	 * Concretely, a 4-byte PDE consumes bits 31:22, while an 8-byte PDE
2442
	 * consumes bits 29:21.  To consume bits 31:30, KVM's uses 4 shadow
2443
	 * PDPTEs; those 4 PAE page directories are pre-allocated and their
2444
	 * quadrant is assigned in mmu_alloc_root().   A 4-byte PTE consumes
2445
	 * bits 21:12, while an 8-byte PTE consumes bits 20:12.  To consume
2446
	 * bit 21 in the PTE (the child here), KVM propagates that bit to the
2447
	 * quadrant, i.e. sets quadrant to '0' or '1'.  The parent 8-byte PDE
2448
	 * covers bit 21 (see above), thus the quadrant is calculated from the
2449
	 * _least_ significant bit of the PDE index.
2450
	 */
2451
	if (role.has_4_byte_gpte) {
2452
		WARN_ON_ONCE(role.level != PG_LEVEL_4K);
2453
		role.quadrant = spte_index(sptep) & 1;
2454
	}
2455

2456
	return role;
2457
}
2458

2459
static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
2460
						 u64 *sptep, gfn_t gfn,
2461
						 bool direct, unsigned int access)
2462
{
2463
	union kvm_mmu_page_role role;
2464

2465
	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep))
2466
		return ERR_PTR(-EEXIST);
2467

2468
	role = kvm_mmu_child_role(sptep, direct, access);
2469
	return kvm_mmu_get_shadow_page(vcpu, gfn, role);
2470
}
2471

2472
static void shadow_walk_init_using_root(struct kvm_shadow_walk_iterator *iterator,
2473
					struct kvm_vcpu *vcpu, hpa_t root,
2474
					u64 addr)
2475
{
2476
	iterator->addr = addr;
2477
	iterator->shadow_addr = root;
2478
	iterator->level = vcpu->arch.mmu->root_role.level;
2479

2480
	if (iterator->level >= PT64_ROOT_4LEVEL &&
2481
	    vcpu->arch.mmu->cpu_role.base.level < PT64_ROOT_4LEVEL &&
2482
	    !vcpu->arch.mmu->root_role.direct)
2483
		iterator->level = PT32E_ROOT_LEVEL;
2484

2485
	if (iterator->level == PT32E_ROOT_LEVEL) {
2486
		/*
2487
		 * prev_root is currently only used for 64-bit hosts. So only
2488
		 * the active root_hpa is valid here.
2489
		 */
2490
		BUG_ON(root != vcpu->arch.mmu->root.hpa);
2491

2492
		iterator->shadow_addr
2493
			= vcpu->arch.mmu->pae_root[(addr >> 30) & 3];
2494
		iterator->shadow_addr &= SPTE_BASE_ADDR_MASK;
2495
		--iterator->level;
2496
		if (!iterator->shadow_addr)
2497
			iterator->level = 0;
2498
	}
2499
}
2500

2501
static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
2502
			     struct kvm_vcpu *vcpu, u64 addr)
2503
{
2504
	shadow_walk_init_using_root(iterator, vcpu, vcpu->arch.mmu->root.hpa,
2505
				    addr);
2506
}
2507

2508
static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
2509
{
2510
	if (iterator->level < PG_LEVEL_4K)
2511
		return false;
2512

2513
	iterator->index = SPTE_INDEX(iterator->addr, iterator->level);
2514
	iterator->sptep	= ((u64 *)__va(iterator->shadow_addr)) + iterator->index;
2515
	return true;
2516
}
2517

2518
static void __shadow_walk_next(struct kvm_shadow_walk_iterator *iterator,
2519
			       u64 spte)
2520
{
2521
	if (!is_shadow_present_pte(spte) || is_last_spte(spte, iterator->level)) {
2522
		iterator->level = 0;
2523
		return;
2524
	}
2525

2526
	iterator->shadow_addr = spte & SPTE_BASE_ADDR_MASK;
2527
	--iterator->level;
2528
}
2529

2530
static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
2531
{
2532
	__shadow_walk_next(iterator, *iterator->sptep);
2533
}
2534

2535
static void __link_shadow_page(struct kvm *kvm,
2536
			       struct kvm_mmu_memory_cache *cache, u64 *sptep,
2537
			       struct kvm_mmu_page *sp, bool flush)
2538
{
2539
	u64 spte;
2540

2541
	BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);
2542

2543
	/*
2544
	 * If an SPTE is present already, it must be a leaf and therefore
2545
	 * a large one.  Drop it, and flush the TLB if needed, before
2546
	 * installing sp.
2547
	 */
2548
	if (is_shadow_present_pte(*sptep))
2549
		drop_large_spte(kvm, sptep, flush);
2550

2551
	spte = make_nonleaf_spte(sp->spt, sp_ad_disabled(sp));
2552

2553
	mmu_spte_set(sptep, spte);
2554

2555
	mmu_page_add_parent_pte(kvm, cache, sp, sptep);
2556

2557
	/*
2558
	 * The non-direct sub-pagetable must be updated before linking.  For
2559
	 * L1 sp, the pagetable is updated via kvm_sync_page() in
2560
	 * kvm_mmu_find_shadow_page() without write-protecting the gfn,
2561
	 * so sp->unsync can be true or false.  For higher level non-direct
2562
	 * sp, the pagetable is updated/synced via mmu_sync_children() in
2563
	 * FNAME(fetch)(), so sp->unsync_children can only be false.
2564
	 * WARN_ON_ONCE() if anything happens unexpectedly.
2565
	 */
2566
	if (WARN_ON_ONCE(sp->unsync_children) || sp->unsync)
2567
		mark_unsync(sptep);
2568
}
2569

2570
static void link_shadow_page(struct kvm_vcpu *vcpu, u64 *sptep,
2571
			     struct kvm_mmu_page *sp)
2572
{
2573
	__link_shadow_page(vcpu->kvm, &vcpu->arch.mmu_pte_list_desc_cache, sptep, sp, true);
2574
}
2575

2576
static void validate_direct_spte(struct kvm_vcpu *vcpu, u64 *sptep,
2577
				   unsigned direct_access)
2578
{
2579
	if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep)) {
2580
		struct kvm_mmu_page *child;
2581

2582
		/*
2583
		 * For the direct sp, if the guest pte's dirty bit
2584
		 * changed form clean to dirty, it will corrupt the
2585
		 * sp's access: allow writable in the read-only sp,
2586
		 * so we should update the spte at this point to get
2587
		 * a new sp with the correct access.
2588
		 */
2589
		child = spte_to_child_sp(*sptep);
2590
		if (child->role.access == direct_access)
2591
			return;
2592

2593
		drop_parent_pte(vcpu->kvm, child, sptep);
2594
		kvm_flush_remote_tlbs_sptep(vcpu->kvm, sptep);
2595
	}
2596
}
2597

2598
/* Returns the number of zapped non-leaf child shadow pages. */
2599
static int mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
2600
			    u64 *spte, struct list_head *invalid_list)
2601
{
2602
	u64 pte;
2603
	struct kvm_mmu_page *child;
2604

2605
	pte = *spte;
2606
	if (is_shadow_present_pte(pte)) {
2607
		if (is_last_spte(pte, sp->role.level)) {
2608
			drop_spte(kvm, spte);
2609
		} else {
2610
			child = spte_to_child_sp(pte);
2611
			drop_parent_pte(kvm, child, spte);
2612

2613
			/*
2614
			 * Recursively zap nested TDP SPs, parentless SPs are
2615
			 * unlikely to be used again in the near future.  This
2616
			 * avoids retaining a large number of stale nested SPs.
2617
			 */
2618
			if (tdp_enabled && invalid_list &&
2619
			    child->role.guest_mode &&
2620
			    !atomic_long_read(&child->parent_ptes.val))
2621
				return kvm_mmu_prepare_zap_page(kvm, child,
2622
								invalid_list);
2623
		}
2624
	} else if (is_mmio_spte(kvm, pte)) {
2625
		mmu_spte_clear_no_track(spte);
2626
	}
2627
	return 0;
2628
}
2629

2630
static int kvm_mmu_page_unlink_children(struct kvm *kvm,
2631
					struct kvm_mmu_page *sp,
2632
					struct list_head *invalid_list)
2633
{
2634
	int zapped = 0;
2635
	unsigned i;
2636

2637
	for (i = 0; i < SPTE_ENT_PER_PAGE; ++i)
2638
		zapped += mmu_page_zap_pte(kvm, sp, sp->spt + i, invalid_list);
2639

2640
	return zapped;
2641
}
2642

2643
static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
2644
{
2645
	u64 *sptep;
2646
	struct rmap_iterator iter;
2647

2648
	while ((sptep = rmap_get_first(&sp->parent_ptes, &iter)))
2649
		drop_parent_pte(kvm, sp, sptep);
2650
}
2651

2652
static int mmu_zap_unsync_children(struct kvm *kvm,
2653
				   struct kvm_mmu_page *parent,
2654
				   struct list_head *invalid_list)
2655
{
2656
	int i, zapped = 0;
2657
	struct mmu_page_path parents;
2658
	struct kvm_mmu_pages pages;
2659

2660
	if (parent->role.level == PG_LEVEL_4K)
2661
		return 0;
2662

2663
	while (mmu_unsync_walk(parent, &pages)) {
2664
		struct kvm_mmu_page *sp;
2665

2666
		for_each_sp(pages, sp, parents, i) {
2667
			kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
2668
			mmu_pages_clear_parents(&parents);
2669
			zapped++;
2670
		}
2671
	}
2672

2673
	return zapped;
2674
}
2675

2676
static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
2677
				       struct kvm_mmu_page *sp,
2678
				       struct list_head *invalid_list,
2679
				       int *nr_zapped)
2680
{
2681
	bool list_unstable, zapped_root = false;
2682

2683
	lockdep_assert_held_write(&kvm->mmu_lock);
2684
	trace_kvm_mmu_prepare_zap_page(sp);
2685
	++kvm->stat.mmu_shadow_zapped;
2686
	*nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
2687
	*nr_zapped += kvm_mmu_page_unlink_children(kvm, sp, invalid_list);
2688
	kvm_mmu_unlink_parents(kvm, sp);
2689

2690
	/* Zapping children means active_mmu_pages has become unstable. */
2691
	list_unstable = *nr_zapped;
2692

2693
	if (!sp->role.invalid && sp_has_gptes(sp))
2694
		unaccount_shadowed(kvm, sp);
2695

2696
	if (sp->unsync)
2697
		kvm_unlink_unsync_page(kvm, sp);
2698
	if (!sp->root_count) {
2699
		/* Count self */
2700
		(*nr_zapped)++;
2701

2702
		/*
2703
		 * Already invalid pages (previously active roots) are not on
2704
		 * the active page list.  See list_del() in the "else" case of
2705
		 * !sp->root_count.
2706
		 */
2707
		if (sp->role.invalid)
2708
			list_add(&sp->link, invalid_list);
2709
		else
2710
			list_move(&sp->link, invalid_list);
2711
		kvm_unaccount_mmu_page(kvm, sp);
2712
	} else {
2713
		/*
2714
		 * Remove the active root from the active page list, the root
2715
		 * will be explicitly freed when the root_count hits zero.
2716
		 */
2717
		list_del(&sp->link);
2718

2719
		/*
2720
		 * Obsolete pages cannot be used on any vCPUs, see the comment
2721
		 * in kvm_mmu_zap_all_fast().  Note, is_obsolete_sp() also
2722
		 * treats invalid shadow pages as being obsolete.
2723
		 */
2724
		zapped_root = !is_obsolete_sp(kvm, sp);
2725
	}
2726

2727
	if (sp->nx_huge_page_disallowed)
2728
		unaccount_nx_huge_page(kvm, sp);
2729

2730
	sp->role.invalid = 1;
2731

2732
	/*
2733
	 * Make the request to free obsolete roots after marking the root
2734
	 * invalid, otherwise other vCPUs may not see it as invalid.
2735
	 */
2736
	if (zapped_root)
2737
		kvm_make_all_cpus_request(kvm, KVM_REQ_MMU_FREE_OBSOLETE_ROOTS);
2738
	return list_unstable;
2739
}
2740

2741
static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
2742
				     struct list_head *invalid_list)
2743
{
2744
	int nr_zapped;
2745

2746
	__kvm_mmu_prepare_zap_page(kvm, sp, invalid_list, &nr_zapped);
2747
	return nr_zapped;
2748
}
2749

2750
static void kvm_mmu_commit_zap_page(struct kvm *kvm,
2751
				    struct list_head *invalid_list)
2752
{
2753
	struct kvm_mmu_page *sp, *nsp;
2754

2755
	if (list_empty(invalid_list))
2756
		return;
2757

2758
	/*
2759
	 * We need to make sure everyone sees our modifications to
2760
	 * the page tables and see changes to vcpu->mode here. The barrier
2761
	 * in the kvm_flush_remote_tlbs() achieves this. This pairs
2762
	 * with vcpu_enter_guest and walk_shadow_page_lockless_begin/end.
2763
	 *
2764
	 * In addition, kvm_flush_remote_tlbs waits for all vcpus to exit
2765
	 * guest mode and/or lockless shadow page table walks.
2766
	 */
2767
	kvm_flush_remote_tlbs(kvm);
2768

2769
	list_for_each_entry_safe(sp, nsp, invalid_list, link) {
2770
		WARN_ON_ONCE(!sp->role.invalid || sp->root_count);
2771
		kvm_mmu_free_shadow_page(sp);
2772
	}
2773
}
2774

2775
static unsigned long kvm_mmu_zap_oldest_mmu_pages(struct kvm *kvm,
2776
						  unsigned long nr_to_zap)
2777
{
2778
	unsigned long total_zapped = 0;
2779
	struct kvm_mmu_page *sp, *tmp;
2780
	LIST_HEAD(invalid_list);
2781
	bool unstable;
2782
	int nr_zapped;
2783

2784
	if (list_empty(&kvm->arch.active_mmu_pages))
2785
		return 0;
2786

2787
restart:
2788
	list_for_each_entry_safe_reverse(sp, tmp, &kvm->arch.active_mmu_pages, link) {
2789
		/*
2790
		 * Don't zap active root pages, the page itself can't be freed
2791
		 * and zapping it will just force vCPUs to realloc and reload.
2792
		 */
2793
		if (sp->root_count)
2794
			continue;
2795

2796
		unstable = __kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list,
2797
						      &nr_zapped);
2798
		total_zapped += nr_zapped;
2799
		if (total_zapped >= nr_to_zap)
2800
			break;
2801

2802
		if (unstable)
2803
			goto restart;
2804
	}
2805

2806
	kvm_mmu_commit_zap_page(kvm, &invalid_list);
2807

2808
	kvm->stat.mmu_recycled += total_zapped;
2809
	return total_zapped;
2810
}
2811

2812
static inline unsigned long kvm_mmu_available_pages(struct kvm *kvm)
2813
{
2814
	if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
2815
		return kvm->arch.n_max_mmu_pages -
2816
			kvm->arch.n_used_mmu_pages;
2817

2818
	return 0;
2819
}
2820

2821
static int make_mmu_pages_available(struct kvm_vcpu *vcpu)
2822
{
2823
	unsigned long avail = kvm_mmu_available_pages(vcpu->kvm);
2824

2825
	if (likely(avail >= KVM_MIN_FREE_MMU_PAGES))
2826
		return 0;
2827

2828
	kvm_mmu_zap_oldest_mmu_pages(vcpu->kvm, KVM_REFILL_PAGES - avail);
2829

2830
	/*
2831
	 * Note, this check is intentionally soft, it only guarantees that one
2832
	 * page is available, while the caller may end up allocating as many as
2833
	 * four pages, e.g. for PAE roots or for 5-level paging.  Temporarily
2834
	 * exceeding the (arbitrary by default) limit will not harm the host,
2835
	 * being too aggressive may unnecessarily kill the guest, and getting an
2836
	 * exact count is far more trouble than it's worth, especially in the
2837
	 * page fault paths.
2838
	 */
2839
	if (!kvm_mmu_available_pages(vcpu->kvm))
2840
		return -ENOSPC;
2841
	return 0;
2842
}
2843

2844
/*
2845
 * Changing the number of mmu pages allocated to the vm
2846
 * Note: if goal_nr_mmu_pages is too small, you will get dead lock
2847
 */
2848
void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
2849
{
2850
	write_lock(&kvm->mmu_lock);
2851

2852
	if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
2853
		kvm_mmu_zap_oldest_mmu_pages(kvm, kvm->arch.n_used_mmu_pages -
2854
						  goal_nr_mmu_pages);
2855

2856
		goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
2857
	}
2858

2859
	kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;
2860

2861
	write_unlock(&kvm->mmu_lock);
2862
}
2863

2864
bool __kvm_mmu_unprotect_gfn_and_retry(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
2865
				       bool always_retry)
2866
{
2867
	struct kvm *kvm = vcpu->kvm;
2868
	LIST_HEAD(invalid_list);
2869
	struct kvm_mmu_page *sp;
2870
	gpa_t gpa = cr2_or_gpa;
2871
	bool r = false;
2872

2873
	/*
2874
	 * Bail early if there aren't any write-protected shadow pages to avoid
2875
	 * unnecessarily taking mmu_lock lock, e.g. if the gfn is write-tracked
2876
	 * by a third party.  Reading indirect_shadow_pages without holding
2877
	 * mmu_lock is safe, as this is purely an optimization, i.e. a false
2878
	 * positive is benign, and a false negative will simply result in KVM
2879
	 * skipping the unprotect+retry path, which is also an optimization.
2880
	 */
2881
	if (!READ_ONCE(kvm->arch.indirect_shadow_pages))
2882
		goto out;
2883

2884
	if (!vcpu->arch.mmu->root_role.direct) {
2885
		gpa = kvm_mmu_gva_to_gpa_write(vcpu, cr2_or_gpa, NULL);
2886
		if (gpa == INVALID_GPA)
2887
			goto out;
2888
	}
2889

2890
	write_lock(&kvm->mmu_lock);
2891
	for_each_gfn_valid_sp_with_gptes(kvm, sp, gpa_to_gfn(gpa))
2892
		kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
2893

2894
	/*
2895
	 * Snapshot the result before zapping, as zapping will remove all list
2896
	 * entries, i.e. checking the list later would yield a false negative.
2897
	 */
2898
	r = !list_empty(&invalid_list);
2899
	kvm_mmu_commit_zap_page(kvm, &invalid_list);
2900
	write_unlock(&kvm->mmu_lock);
2901

2902
out:
2903
	if (r || always_retry) {
2904
		vcpu->arch.last_retry_eip = kvm_rip_read(vcpu);
2905
		vcpu->arch.last_retry_addr = cr2_or_gpa;
2906
	}
2907
	return r;
2908
}
2909

2910
static void kvm_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
2911
{
2912
	trace_kvm_mmu_unsync_page(sp);
2913
	++kvm->stat.mmu_unsync;
2914
	sp->unsync = 1;
2915

2916
	kvm_mmu_mark_parents_unsync(sp);
2917
}
2918

2919
/*
2920
 * Attempt to unsync any shadow pages that can be reached by the specified gfn,
2921
 * KVM is creating a writable mapping for said gfn.  Returns 0 if all pages
2922
 * were marked unsync (or if there is no shadow page), -EPERM if the SPTE must
2923
 * be write-protected.
2924
 */
2925
int mmu_try_to_unsync_pages(struct kvm *kvm, const struct kvm_memory_slot *slot,
2926
			    gfn_t gfn, bool synchronizing, bool prefetch)
2927
{
2928
	struct kvm_mmu_page *sp;
2929
	bool locked = false;
2930

2931
	/*
2932
	 * Force write-protection if the page is being tracked.  Note, the page
2933
	 * track machinery is used to write-protect upper-level shadow pages,
2934
	 * i.e. this guards the role.level == 4K assertion below!
2935
	 */
2936
	if (kvm_gfn_is_write_tracked(kvm, slot, gfn))
2937
		return -EPERM;
2938

2939
	/*
2940
	 * The page is not write-tracked, mark existing shadow pages unsync
2941
	 * unless KVM is synchronizing an unsync SP.  In that case, KVM must
2942
	 * complete emulation of the guest TLB flush before allowing shadow
2943
	 * pages to become unsync (writable by the guest).
2944
	 */
2945
	for_each_gfn_valid_sp_with_gptes(kvm, sp, gfn) {
2946
		if (synchronizing)
2947
			return -EPERM;
2948

2949
		if (sp->unsync)
2950
			continue;
2951

2952
		if (prefetch)
2953
			return -EEXIST;
2954

2955
		/*
2956
		 * TDP MMU page faults require an additional spinlock as they
2957
		 * run with mmu_lock held for read, not write, and the unsync
2958
		 * logic is not thread safe.  Take the spinklock regardless of
2959
		 * the MMU type to avoid extra conditionals/parameters, there's
2960
		 * no meaningful penalty if mmu_lock is held for write.
2961
		 */
2962
		if (!locked) {
2963
			locked = true;
2964
			spin_lock(&kvm->arch.mmu_unsync_pages_lock);
2965

2966
			/*
2967
			 * Recheck after taking the spinlock, a different vCPU
2968
			 * may have since marked the page unsync.  A false
2969
			 * negative on the unprotected check above is not
2970
			 * possible as clearing sp->unsync _must_ hold mmu_lock
2971
			 * for write, i.e. unsync cannot transition from 1->0
2972
			 * while this CPU holds mmu_lock for read (or write).
2973
			 */
2974
			if (READ_ONCE(sp->unsync))
2975
				continue;
2976
		}
2977

2978
		WARN_ON_ONCE(sp->role.level != PG_LEVEL_4K);
2979
		kvm_unsync_page(kvm, sp);
2980
	}
2981
	if (locked)
2982
		spin_unlock(&kvm->arch.mmu_unsync_pages_lock);
2983

2984
	/*
2985
	 * We need to ensure that the marking of unsync pages is visible
2986
	 * before the SPTE is updated to allow writes because
2987
	 * kvm_mmu_sync_roots() checks the unsync flags without holding
2988
	 * the MMU lock and so can race with this. If the SPTE was updated
2989
	 * before the page had been marked as unsync-ed, something like the
2990
	 * following could happen:
2991
	 *
2992
	 * CPU 1                    CPU 2
2993
	 * ---------------------------------------------------------------------
2994
	 * 1.2 Host updates SPTE
2995
	 *     to be writable
2996
	 *                      2.1 Guest writes a GPTE for GVA X.
2997
	 *                          (GPTE being in the guest page table shadowed
2998
	 *                           by the SP from CPU 1.)
2999
	 *                          This reads SPTE during the page table walk.
3000
	 *                          Since SPTE.W is read as 1, there is no
3001
	 *                          fault.
3002
	 *
3003
	 *                      2.2 Guest issues TLB flush.
3004
	 *                          That causes a VM Exit.
3005
	 *
3006
	 *                      2.3 Walking of unsync pages sees sp->unsync is
3007
	 *                          false and skips the page.
3008
	 *
3009
	 *                      2.4 Guest accesses GVA X.
3010
	 *                          Since the mapping in the SP was not updated,
3011
	 *                          so the old mapping for GVA X incorrectly
3012
	 *                          gets used.
3013
	 * 1.1 Host marks SP
3014
	 *     as unsync
3015
	 *     (sp->unsync = true)
3016
	 *
3017
	 * The write barrier below ensures that 1.1 happens before 1.2 and thus
3018
	 * the situation in 2.4 does not arise.  It pairs with the read barrier
3019
	 * in is_unsync_root(), placed between 2.1's load of SPTE.W and 2.3.
3020
	 */
3021
	smp_wmb();
3022

3023
	return 0;
3024
}
3025

3026
static int mmu_set_spte(struct kvm_vcpu *vcpu, struct kvm_memory_slot *slot,
3027
			u64 *sptep, unsigned int pte_access, gfn_t gfn,
3028
			kvm_pfn_t pfn, struct kvm_page_fault *fault)
3029
{
3030
	struct kvm_mmu_page *sp = sptep_to_sp(sptep);
3031
	int level = sp->role.level;
3032
	int was_rmapped = 0;
3033
	int ret = RET_PF_FIXED;
3034
	bool flush = false;
3035
	bool wrprot;
3036
	u64 spte;
3037

3038
	/* Prefetching always gets a writable pfn.  */
3039
	bool host_writable = !fault || fault->map_writable;
3040
	bool prefetch = !fault || fault->prefetch;
3041
	bool write_fault = fault && fault->write;
3042

3043
	if (unlikely(is_noslot_pfn(pfn))) {
3044
		vcpu->stat.pf_mmio_spte_created++;
3045
		mark_mmio_spte(vcpu, sptep, gfn, pte_access);
3046
		return RET_PF_EMULATE;
3047
	}
3048

3049
	if (is_shadow_present_pte(*sptep)) {
3050
		if (prefetch && is_last_spte(*sptep, level) &&
3051
		    pfn == spte_to_pfn(*sptep))
3052
			return RET_PF_SPURIOUS;
3053

3054
		/*
3055
		 * If we overwrite a PTE page pointer with a 2MB PMD, unlink
3056
		 * the parent of the now unreachable PTE.
3057
		 */
3058
		if (level > PG_LEVEL_4K && !is_large_pte(*sptep)) {
3059
			struct kvm_mmu_page *child;
3060
			u64 pte = *sptep;
3061

3062
			child = spte_to_child_sp(pte);
3063
			drop_parent_pte(vcpu->kvm, child, sptep);
3064
			flush = true;
3065
		} else if (WARN_ON_ONCE(pfn != spte_to_pfn(*sptep))) {
3066
			drop_spte(vcpu->kvm, sptep);
3067
			flush = true;
3068
		} else
3069
			was_rmapped = 1;
3070
	}
3071

3072
	wrprot = make_spte(vcpu, sp, slot, pte_access, gfn, pfn, *sptep, prefetch,
3073
			   false, host_writable, &spte);
3074

3075
	if (*sptep == spte) {
3076
		ret = RET_PF_SPURIOUS;
3077
	} else {
3078
		flush |= mmu_spte_update(sptep, spte);
3079
		trace_kvm_mmu_set_spte(level, gfn, sptep);
3080
	}
3081

3082
	if (wrprot && write_fault)
3083
		ret = RET_PF_WRITE_PROTECTED;
3084

3085
	if (flush)
3086
		kvm_flush_remote_tlbs_gfn(vcpu->kvm, gfn, level);
3087

3088
	if (!was_rmapped) {
3089
		WARN_ON_ONCE(ret == RET_PF_SPURIOUS);
3090
		rmap_add(vcpu, slot, sptep, gfn, pte_access);
3091
	} else {
3092
		/* Already rmapped but the pte_access bits may have changed. */
3093
		kvm_mmu_page_set_access(sp, spte_index(sptep), pte_access);
3094
	}
3095

3096
	return ret;
3097
}
3098

3099
static bool kvm_mmu_prefetch_sptes(struct kvm_vcpu *vcpu, gfn_t gfn, u64 *sptep,
3100
				   int nr_pages, unsigned int access)
3101
{
3102
	struct page *pages[PTE_PREFETCH_NUM];
3103
	struct kvm_memory_slot *slot;
3104
	int i;
3105

3106
	if (WARN_ON_ONCE(nr_pages > PTE_PREFETCH_NUM))
3107
		return false;
3108

3109
	slot = gfn_to_memslot_dirty_bitmap(vcpu, gfn, access & ACC_WRITE_MASK);
3110
	if (!slot)
3111
		return false;
3112

3113
	nr_pages = kvm_prefetch_pages(slot, gfn, pages, nr_pages);
3114
	if (nr_pages <= 0)
3115
		return false;
3116

3117
	for (i = 0; i < nr_pages; i++, gfn++, sptep++) {
3118
		mmu_set_spte(vcpu, slot, sptep, access, gfn,
3119
			     page_to_pfn(pages[i]), NULL);
3120

3121
		/*
3122
		 * KVM always prefetches writable pages from the primary MMU,
3123
		 * and KVM can make its SPTE writable in the fast page handler,
3124
		 * without notifying the primary MMU.  Mark pages/folios dirty
3125
		 * now to ensure file data is written back if it ends up being
3126
		 * written by the guest.  Because KVM's prefetching GUPs
3127
		 * writable PTEs, the probability of unnecessary writeback is
3128
		 * extremely low.
3129
		 */
3130
		kvm_release_page_dirty(pages[i]);
3131
	}
3132

3133
	return true;
3134
}
3135

3136
static bool direct_pte_prefetch_many(struct kvm_vcpu *vcpu,
3137
				     struct kvm_mmu_page *sp,
3138
				     u64 *start, u64 *end)
3139
{
3140
	gfn_t gfn = kvm_mmu_page_get_gfn(sp, spte_index(start));
3141
	unsigned int access = sp->role.access;
3142

3143
	return kvm_mmu_prefetch_sptes(vcpu, gfn, start, end - start, access);
3144
}
3145

3146
static void __direct_pte_prefetch(struct kvm_vcpu *vcpu,
3147
				  struct kvm_mmu_page *sp, u64 *sptep)
3148
{
3149
	u64 *spte, *start = NULL;
3150
	int i;
3151

3152
	WARN_ON_ONCE(!sp->role.direct);
3153

3154
	i = spte_index(sptep) & ~(PTE_PREFETCH_NUM - 1);
3155
	spte = sp->spt + i;
3156

3157
	for (i = 0; i < PTE_PREFETCH_NUM; i++, spte++) {
3158
		if (is_shadow_present_pte(*spte) || spte == sptep) {
3159
			if (!start)
3160
				continue;
3161
			if (!direct_pte_prefetch_many(vcpu, sp, start, spte))
3162
				return;
3163

3164
			start = NULL;
3165
		} else if (!start)
3166
			start = spte;
3167
	}
3168
	if (start)
3169
		direct_pte_prefetch_many(vcpu, sp, start, spte);
3170
}
3171

3172
static void direct_pte_prefetch(struct kvm_vcpu *vcpu, u64 *sptep)
3173
{
3174
	struct kvm_mmu_page *sp;
3175

3176
	sp = sptep_to_sp(sptep);
3177

3178
	/*
3179
	 * Without accessed bits, there's no way to distinguish between
3180
	 * actually accessed translations and prefetched, so disable pte
3181
	 * prefetch if accessed bits aren't available.
3182
	 */
3183
	if (sp_ad_disabled(sp))
3184
		return;
3185

3186
	if (sp->role.level > PG_LEVEL_4K)
3187
		return;
3188

3189
	/*
3190
	 * If addresses are being invalidated, skip prefetching to avoid
3191
	 * accidentally prefetching those addresses.
3192
	 */
3193
	if (unlikely(vcpu->kvm->mmu_invalidate_in_progress))
3194
		return;
3195

3196
	__direct_pte_prefetch(vcpu, sp, sptep);
3197
}
3198

3199
/*
3200
 * Lookup the mapping level for @gfn in the current mm.
3201
 *
3202
 * WARNING!  Use of host_pfn_mapping_level() requires the caller and the end
3203
 * consumer to be tied into KVM's handlers for MMU notifier events!
3204
 *
3205
 * There are several ways to safely use this helper:
3206
 *
3207
 * - Check mmu_invalidate_retry_gfn() after grabbing the mapping level, before
3208
 *   consuming it.  In this case, mmu_lock doesn't need to be held during the
3209
 *   lookup, but it does need to be held while checking the MMU notifier.
3210
 *
3211
 * - Hold mmu_lock AND ensure there is no in-progress MMU notifier invalidation
3212
 *   event for the hva.  This can be done by explicit checking the MMU notifier
3213
 *   or by ensuring that KVM already has a valid mapping that covers the hva.
3214
 *
3215
 * - Do not use the result to install new mappings, e.g. use the host mapping
3216
 *   level only to decide whether or not to zap an entry.  In this case, it's
3217
 *   not required to hold mmu_lock (though it's highly likely the caller will
3218
 *   want to hold mmu_lock anyways, e.g. to modify SPTEs).
3219
 *
3220
 * Note!  The lookup can still race with modifications to host page tables, but
3221
 * the above "rules" ensure KVM will not _consume_ the result of the walk if a
3222
 * race with the primary MMU occurs.
3223
 */
3224
static int host_pfn_mapping_level(struct kvm *kvm, gfn_t gfn,
3225
				  const struct kvm_memory_slot *slot)
3226
{
3227
	int level = PG_LEVEL_4K;
3228
	unsigned long hva;
3229
	unsigned long flags;
3230
	pgd_t pgd;
3231
	p4d_t p4d;
3232
	pud_t pud;
3233
	pmd_t pmd;
3234

3235
	/*
3236
	 * Note, using the already-retrieved memslot and __gfn_to_hva_memslot()
3237
	 * is not solely for performance, it's also necessary to avoid the
3238
	 * "writable" check in __gfn_to_hva_many(), which will always fail on
3239
	 * read-only memslots due to gfn_to_hva() assuming writes.  Earlier
3240
	 * page fault steps have already verified the guest isn't writing a
3241
	 * read-only memslot.
3242
	 */
3243
	hva = __gfn_to_hva_memslot(slot, gfn);
3244

3245
	/*
3246
	 * Disable IRQs to prevent concurrent tear down of host page tables,
3247
	 * e.g. if the primary MMU promotes a P*D to a huge page and then frees
3248
	 * the original page table.
3249
	 */
3250
	local_irq_save(flags);
3251

3252
	/*
3253
	 * Read each entry once.  As above, a non-leaf entry can be promoted to
3254
	 * a huge page _during_ this walk.  Re-reading the entry could send the
3255
	 * walk into the weeks, e.g. p*d_leaf() returns false (sees the old
3256
	 * value) and then p*d_offset() walks into the target huge page instead
3257
	 * of the old page table (sees the new value).
3258
	 */
3259
	pgd = READ_ONCE(*pgd_offset(kvm->mm, hva));
3260
	if (pgd_none(pgd))
3261
		goto out;
3262

3263
	p4d = READ_ONCE(*p4d_offset(&pgd, hva));
3264
	if (p4d_none(p4d) || !p4d_present(p4d))
3265
		goto out;
3266

3267
	pud = READ_ONCE(*pud_offset(&p4d, hva));
3268
	if (pud_none(pud) || !pud_present(pud))
3269
		goto out;
3270

3271
	if (pud_leaf(pud)) {
3272
		level = PG_LEVEL_1G;
3273
		goto out;
3274
	}
3275

3276
	pmd = READ_ONCE(*pmd_offset(&pud, hva));
3277
	if (pmd_none(pmd) || !pmd_present(pmd))
3278
		goto out;
3279

3280
	if (pmd_leaf(pmd))
3281
		level = PG_LEVEL_2M;
3282

3283
out:
3284
	local_irq_restore(flags);
3285
	return level;
3286
}
3287

3288
static int __kvm_mmu_max_mapping_level(struct kvm *kvm,
3289
				       const struct kvm_memory_slot *slot,
3290
				       gfn_t gfn, int max_level, bool is_private)
3291
{
3292
	struct kvm_lpage_info *linfo;
3293
	int host_level;
3294

3295
	max_level = min(max_level, max_huge_page_level);
3296
	for ( ; max_level > PG_LEVEL_4K; max_level--) {
3297
		linfo = lpage_info_slot(gfn, slot, max_level);
3298
		if (!linfo->disallow_lpage)
3299
			break;
3300
	}
3301

3302
	if (is_private)
3303
		return max_level;
3304

3305
	if (max_level == PG_LEVEL_4K)
3306
		return PG_LEVEL_4K;
3307

3308
	host_level = host_pfn_mapping_level(kvm, gfn, slot);
3309
	return min(host_level, max_level);
3310
}
3311

3312
int kvm_mmu_max_mapping_level(struct kvm *kvm,
3313
			      const struct kvm_memory_slot *slot, gfn_t gfn)
3314
{
3315
	bool is_private = kvm_slot_can_be_private(slot) &&
3316
			  kvm_mem_is_private(kvm, gfn);
3317

3318
	return __kvm_mmu_max_mapping_level(kvm, slot, gfn, PG_LEVEL_NUM, is_private);
3319
}
3320

3321
void kvm_mmu_hugepage_adjust(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
3322
{
3323
	struct kvm_memory_slot *slot = fault->slot;
3324
	kvm_pfn_t mask;
3325

3326
	fault->huge_page_disallowed = fault->exec && fault->nx_huge_page_workaround_enabled;
3327

3328
	if (unlikely(fault->max_level == PG_LEVEL_4K))
3329
		return;
3330

3331
	if (is_error_noslot_pfn(fault->pfn))
3332
		return;
3333

3334
	if (kvm_slot_dirty_track_enabled(slot))
3335
		return;
3336

3337
	/*
3338
	 * Enforce the iTLB multihit workaround after capturing the requested
3339
	 * level, which will be used to do precise, accurate accounting.
3340
	 */
3341
	fault->req_level = __kvm_mmu_max_mapping_level(vcpu->kvm, slot,
3342
						       fault->gfn, fault->max_level,
3343
						       fault->is_private);
3344
	if (fault->req_level == PG_LEVEL_4K || fault->huge_page_disallowed)
3345
		return;
3346

3347
	/*
3348
	 * mmu_invalidate_retry() was successful and mmu_lock is held, so
3349
	 * the pmd can't be split from under us.
3350
	 */
3351
	fault->goal_level = fault->req_level;
3352
	mask = KVM_PAGES_PER_HPAGE(fault->goal_level) - 1;
3353
	VM_BUG_ON((fault->gfn & mask) != (fault->pfn & mask));
3354
	fault->pfn &= ~mask;
3355
}
3356

3357
void disallowed_hugepage_adjust(struct kvm_page_fault *fault, u64 spte, int cur_level)
3358
{
3359
	if (cur_level > PG_LEVEL_4K &&
3360
	    cur_level == fault->goal_level &&
3361
	    is_shadow_present_pte(spte) &&
3362
	    !is_large_pte(spte) &&
3363
	    spte_to_child_sp(spte)->nx_huge_page_disallowed) {
3364
		/*
3365
		 * A small SPTE exists for this pfn, but FNAME(fetch),
3366
		 * direct_map(), or kvm_tdp_mmu_map() would like to create a
3367
		 * large PTE instead: just force them to go down another level,
3368
		 * patching back for them into pfn the next 9 bits of the
3369
		 * address.
3370
		 */
3371
		u64 page_mask = KVM_PAGES_PER_HPAGE(cur_level) -
3372
				KVM_PAGES_PER_HPAGE(cur_level - 1);
3373
		fault->pfn |= fault->gfn & page_mask;
3374
		fault->goal_level--;
3375
	}
3376
}
3377

3378
static int direct_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
3379
{
3380
	struct kvm_shadow_walk_iterator it;
3381
	struct kvm_mmu_page *sp;
3382
	int ret;
3383
	gfn_t base_gfn = fault->gfn;
3384

3385
	kvm_mmu_hugepage_adjust(vcpu, fault);
3386

3387
	trace_kvm_mmu_spte_requested(fault);
3388
	for_each_shadow_entry(vcpu, fault->addr, it) {
3389
		/*
3390
		 * We cannot overwrite existing page tables with an NX
3391
		 * large page, as the leaf could be executable.
3392
		 */
3393
		if (fault->nx_huge_page_workaround_enabled)
3394
			disallowed_hugepage_adjust(fault, *it.sptep, it.level);
3395

3396
		base_gfn = gfn_round_for_level(fault->gfn, it.level);
3397
		if (it.level == fault->goal_level)
3398
			break;
3399

3400
		sp = kvm_mmu_get_child_sp(vcpu, it.sptep, base_gfn, true, ACC_ALL);
3401
		if (sp == ERR_PTR(-EEXIST))
3402
			continue;
3403

3404
		link_shadow_page(vcpu, it.sptep, sp);
3405
		if (fault->huge_page_disallowed)
3406
			account_nx_huge_page(vcpu->kvm, sp,
3407
					     fault->req_level >= it.level);
3408
	}
3409

3410
	if (WARN_ON_ONCE(it.level != fault->goal_level))
3411
		return -EFAULT;
3412

3413
	ret = mmu_set_spte(vcpu, fault->slot, it.sptep, ACC_ALL,
3414
			   base_gfn, fault->pfn, fault);
3415
	if (ret == RET_PF_SPURIOUS)
3416
		return ret;
3417

3418
	direct_pte_prefetch(vcpu, it.sptep);
3419
	return ret;
3420
}
3421

3422
static void kvm_send_hwpoison_signal(struct kvm_memory_slot *slot, gfn_t gfn)
3423
{
3424
	unsigned long hva = gfn_to_hva_memslot(slot, gfn);
3425

3426
	send_sig_mceerr(BUS_MCEERR_AR, (void __user *)hva, PAGE_SHIFT, current);
3427
}
3428

3429
static int kvm_handle_error_pfn(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
3430
{
3431
	if (is_sigpending_pfn(fault->pfn)) {
3432
		kvm_handle_signal_exit(vcpu);
3433
		return -EINTR;
3434
	}
3435

3436
	/*
3437
	 * Do not cache the mmio info caused by writing the readonly gfn
3438
	 * into the spte otherwise read access on readonly gfn also can
3439
	 * caused mmio page fault and treat it as mmio access.
3440
	 */
3441
	if (fault->pfn == KVM_PFN_ERR_RO_FAULT)
3442
		return RET_PF_EMULATE;
3443

3444
	if (fault->pfn == KVM_PFN_ERR_HWPOISON) {
3445
		kvm_send_hwpoison_signal(fault->slot, fault->gfn);
3446
		return RET_PF_RETRY;
3447
	}
3448

3449
	return -EFAULT;
3450
}
3451

3452
static int kvm_handle_noslot_fault(struct kvm_vcpu *vcpu,
3453
				   struct kvm_page_fault *fault,
3454
				   unsigned int access)
3455
{
3456
	gva_t gva = fault->is_tdp ? 0 : fault->addr;
3457

3458
	if (fault->is_private) {
3459
		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
3460
		return -EFAULT;
3461
	}
3462

3463
	vcpu_cache_mmio_info(vcpu, gva, fault->gfn,
3464
			     access & shadow_mmio_access_mask);
3465

3466
	fault->slot = NULL;
3467
	fault->pfn = KVM_PFN_NOSLOT;
3468
	fault->map_writable = false;
3469

3470
	/*
3471
	 * If MMIO caching is disabled, emulate immediately without
3472
	 * touching the shadow page tables as attempting to install an
3473
	 * MMIO SPTE will just be an expensive nop.
3474
	 */
3475
	if (unlikely(!enable_mmio_caching))
3476
		return RET_PF_EMULATE;
3477

3478
	/*
3479
	 * Do not create an MMIO SPTE for a gfn greater than host.MAXPHYADDR,
3480
	 * any guest that generates such gfns is running nested and is being
3481
	 * tricked by L0 userspace (you can observe gfn > L1.MAXPHYADDR if and
3482
	 * only if L1's MAXPHYADDR is inaccurate with respect to the
3483
	 * hardware's).
3484
	 */
3485
	if (unlikely(fault->gfn > kvm_mmu_max_gfn()))
3486
		return RET_PF_EMULATE;
3487

3488
	return RET_PF_CONTINUE;
3489
}
3490

3491
static bool page_fault_can_be_fast(struct kvm *kvm, struct kvm_page_fault *fault)
3492
{
3493
	/*
3494
	 * Page faults with reserved bits set, i.e. faults on MMIO SPTEs, only
3495
	 * reach the common page fault handler if the SPTE has an invalid MMIO
3496
	 * generation number.  Refreshing the MMIO generation needs to go down
3497
	 * the slow path.  Note, EPT Misconfigs do NOT set the PRESENT flag!
3498
	 */
3499
	if (fault->rsvd)
3500
		return false;
3501

3502
	/*
3503
	 * For hardware-protected VMs, certain conditions like attempting to
3504
	 * perform a write to a page which is not in the state that the guest
3505
	 * expects it to be in can result in a nested/extended #PF. In this
3506
	 * case, the below code might misconstrue this situation as being the
3507
	 * result of a write-protected access, and treat it as a spurious case
3508
	 * rather than taking any action to satisfy the real source of the #PF
3509
	 * such as generating a KVM_EXIT_MEMORY_FAULT. This can lead to the
3510
	 * guest spinning on a #PF indefinitely, so don't attempt the fast path
3511
	 * in this case.
3512
	 *
3513
	 * Note that the kvm_mem_is_private() check might race with an
3514
	 * attribute update, but this will either result in the guest spinning
3515
	 * on RET_PF_SPURIOUS until the update completes, or an actual spurious
3516
	 * case might go down the slow path. Either case will resolve itself.
3517
	 */
3518
	if (kvm->arch.has_private_mem &&
3519
	    fault->is_private != kvm_mem_is_private(kvm, fault->gfn))
3520
		return false;
3521

3522
	/*
3523
	 * #PF can be fast if:
3524
	 *
3525
	 * 1. The shadow page table entry is not present and A/D bits are
3526
	 *    disabled _by KVM_, which could mean that the fault is potentially
3527
	 *    caused by access tracking (if enabled).  If A/D bits are enabled
3528
	 *    by KVM, but disabled by L1 for L2, KVM is forced to disable A/D
3529
	 *    bits for L2 and employ access tracking, but the fast page fault
3530
	 *    mechanism only supports direct MMUs.
3531
	 * 2. The shadow page table entry is present, the access is a write,
3532
	 *    and no reserved bits are set (MMIO SPTEs cannot be "fixed"), i.e.
3533
	 *    the fault was caused by a write-protection violation.  If the
3534
	 *    SPTE is MMU-writable (determined later), the fault can be fixed
3535
	 *    by setting the Writable bit, which can be done out of mmu_lock.
3536
	 */
3537
	if (!fault->present)
3538
		return !kvm_ad_enabled;
3539

3540
	/*
3541
	 * Note, instruction fetches and writes are mutually exclusive, ignore
3542
	 * the "exec" flag.
3543
	 */
3544
	return fault->write;
3545
}
3546

3547
/*
3548
 * Returns true if the SPTE was fixed successfully. Otherwise,
3549
 * someone else modified the SPTE from its original value.
3550
 */
3551
static bool fast_pf_fix_direct_spte(struct kvm_vcpu *vcpu,
3552
				    struct kvm_page_fault *fault,
3553
				    u64 *sptep, u64 old_spte, u64 new_spte)
3554
{
3555
	/*
3556
	 * Theoretically we could also set dirty bit (and flush TLB) here in
3557
	 * order to eliminate unnecessary PML logging. See comments in
3558
	 * set_spte. But fast_page_fault is very unlikely to happen with PML
3559
	 * enabled, so we do not do this. This might result in the same GPA
3560
	 * to be logged in PML buffer again when the write really happens, and
3561
	 * eventually to be called by mark_page_dirty twice. But it's also no
3562
	 * harm. This also avoids the TLB flush needed after setting dirty bit
3563
	 * so non-PML cases won't be impacted.
3564
	 *
3565
	 * Compare with make_spte() where instead shadow_dirty_mask is set.
3566
	 */
3567
	if (!try_cmpxchg64(sptep, &old_spte, new_spte))
3568
		return false;
3569

3570
	if (is_writable_pte(new_spte) && !is_writable_pte(old_spte))
3571
		mark_page_dirty_in_slot(vcpu->kvm, fault->slot, fault->gfn);
3572

3573
	return true;
3574
}
3575

3576
/*
3577
 * Returns the last level spte pointer of the shadow page walk for the given
3578
 * gpa, and sets *spte to the spte value. This spte may be non-preset. If no
3579
 * walk could be performed, returns NULL and *spte does not contain valid data.
3580
 *
3581
 * Contract:
3582
 *  - Must be called between walk_shadow_page_lockless_{begin,end}.
3583
 *  - The returned sptep must not be used after walk_shadow_page_lockless_end.
3584
 */
3585
static u64 *fast_pf_get_last_sptep(struct kvm_vcpu *vcpu, gpa_t gpa, u64 *spte)
3586
{
3587
	struct kvm_shadow_walk_iterator iterator;
3588
	u64 old_spte;
3589
	u64 *sptep = NULL;
3590

3591
	for_each_shadow_entry_lockless(vcpu, gpa, iterator, old_spte) {
3592
		sptep = iterator.sptep;
3593
		*spte = old_spte;
3594
	}
3595

3596
	return sptep;
3597
}
3598

3599
/*
3600
 * Returns one of RET_PF_INVALID, RET_PF_FIXED or RET_PF_SPURIOUS.
3601
 */
3602
static int fast_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
3603
{
3604
	struct kvm_mmu_page *sp;
3605
	int ret = RET_PF_INVALID;
3606
	u64 spte;
3607
	u64 *sptep;
3608
	uint retry_count = 0;
3609

3610
	if (!page_fault_can_be_fast(vcpu->kvm, fault))
3611
		return ret;
3612

3613
	walk_shadow_page_lockless_begin(vcpu);
3614

3615
	do {
3616
		u64 new_spte;
3617

3618
		if (tdp_mmu_enabled)
3619
			sptep = kvm_tdp_mmu_fast_pf_get_last_sptep(vcpu, fault->gfn, &spte);
3620
		else
3621
			sptep = fast_pf_get_last_sptep(vcpu, fault->addr, &spte);
3622

3623
		/*
3624
		 * It's entirely possible for the mapping to have been zapped
3625
		 * by a different task, but the root page should always be
3626
		 * available as the vCPU holds a reference to its root(s).
3627
		 */
3628
		if (WARN_ON_ONCE(!sptep))
3629
			spte = FROZEN_SPTE;
3630

3631
		if (!is_shadow_present_pte(spte))
3632
			break;
3633

3634
		sp = sptep_to_sp(sptep);
3635
		if (!is_last_spte(spte, sp->role.level))
3636
			break;
3637

3638
		/*
3639
		 * Check whether the memory access that caused the fault would
3640
		 * still cause it if it were to be performed right now. If not,
3641
		 * then this is a spurious fault caused by TLB lazily flushed,
3642
		 * or some other CPU has already fixed the PTE after the
3643
		 * current CPU took the fault.
3644
		 *
3645
		 * Need not check the access of upper level table entries since
3646
		 * they are always ACC_ALL.
3647
		 */
3648
		if (is_access_allowed(fault, spte)) {
3649
			ret = RET_PF_SPURIOUS;
3650
			break;
3651
		}
3652

3653
		new_spte = spte;
3654

3655
		/*
3656
		 * KVM only supports fixing page faults outside of MMU lock for
3657
		 * direct MMUs, nested MMUs are always indirect, and KVM always
3658
		 * uses A/D bits for non-nested MMUs.  Thus, if A/D bits are
3659
		 * enabled, the SPTE can't be an access-tracked SPTE.
3660
		 */
3661
		if (unlikely(!kvm_ad_enabled) && is_access_track_spte(spte))
3662
			new_spte = restore_acc_track_spte(new_spte) |
3663
				   shadow_accessed_mask;
3664

3665
		/*
3666
		 * To keep things simple, only SPTEs that are MMU-writable can
3667
		 * be made fully writable outside of mmu_lock, e.g. only SPTEs
3668
		 * that were write-protected for dirty-logging or access
3669
		 * tracking are handled here.  Don't bother checking if the
3670
		 * SPTE is writable to prioritize running with A/D bits enabled.
3671
		 * The is_access_allowed() check above handles the common case
3672
		 * of the fault being spurious, and the SPTE is known to be
3673
		 * shadow-present, i.e. except for access tracking restoration
3674
		 * making the new SPTE writable, the check is wasteful.
3675
		 */
3676
		if (fault->write && is_mmu_writable_spte(spte)) {
3677
			new_spte |= PT_WRITABLE_MASK;
3678

3679
			/*
3680
			 * Do not fix write-permission on the large spte when
3681
			 * dirty logging is enabled. Since we only dirty the
3682
			 * first page into the dirty-bitmap in
3683
			 * fast_pf_fix_direct_spte(), other pages are missed
3684
			 * if its slot has dirty logging enabled.
3685
			 *
3686
			 * Instead, we let the slow page fault path create a
3687
			 * normal spte to fix the access.
3688
			 */
3689
			if (sp->role.level > PG_LEVEL_4K &&
3690
			    kvm_slot_dirty_track_enabled(fault->slot))
3691
				break;
3692
		}
3693

3694
		/* Verify that the fault can be handled in the fast path */
3695
		if (new_spte == spte ||
3696
		    !is_access_allowed(fault, new_spte))
3697
			break;
3698

3699
		/*
3700
		 * Currently, fast page fault only works for direct mapping
3701
		 * since the gfn is not stable for indirect shadow page. See
3702
		 * Documentation/virt/kvm/locking.rst to get more detail.
3703
		 */
3704
		if (fast_pf_fix_direct_spte(vcpu, fault, sptep, spte, new_spte)) {
3705
			ret = RET_PF_FIXED;
3706
			break;
3707
		}
3708

3709
		if (++retry_count > 4) {
3710
			pr_warn_once("Fast #PF retrying more than 4 times.\n");
3711
			break;
3712
		}
3713

3714
	} while (true);
3715

3716
	trace_fast_page_fault(vcpu, fault, sptep, spte, ret);
3717
	walk_shadow_page_lockless_end(vcpu);
3718

3719
	if (ret != RET_PF_INVALID)
3720
		vcpu->stat.pf_fast++;
3721

3722
	return ret;
3723
}
3724

3725
static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa,
3726
			       struct list_head *invalid_list)
3727
{
3728
	struct kvm_mmu_page *sp;
3729

3730
	if (!VALID_PAGE(*root_hpa))
3731
		return;
3732

3733
	sp = root_to_sp(*root_hpa);
3734
	if (WARN_ON_ONCE(!sp))
3735
		return;
3736

3737
	if (is_tdp_mmu_page(sp)) {
3738
		lockdep_assert_held_read(&kvm->mmu_lock);
3739
		kvm_tdp_mmu_put_root(kvm, sp);
3740
	} else {
3741
		lockdep_assert_held_write(&kvm->mmu_lock);
3742
		if (!--sp->root_count && sp->role.invalid)
3743
			kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
3744
	}
3745

3746
	*root_hpa = INVALID_PAGE;
3747
}
3748

3749
/* roots_to_free must be some combination of the KVM_MMU_ROOT_* flags */
3750
void kvm_mmu_free_roots(struct kvm *kvm, struct kvm_mmu *mmu,
3751
			ulong roots_to_free)
3752
{
3753
	bool is_tdp_mmu = tdp_mmu_enabled && mmu->root_role.direct;
3754
	int i;
3755
	LIST_HEAD(invalid_list);
3756
	bool free_active_root;
3757

3758
	WARN_ON_ONCE(roots_to_free & ~KVM_MMU_ROOTS_ALL);
3759

3760
	BUILD_BUG_ON(KVM_MMU_NUM_PREV_ROOTS >= BITS_PER_LONG);
3761

3762
	/* Before acquiring the MMU lock, see if we need to do any real work. */
3763
	free_active_root = (roots_to_free & KVM_MMU_ROOT_CURRENT)
3764
		&& VALID_PAGE(mmu->root.hpa);
3765

3766
	if (!free_active_root) {
3767
		for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3768
			if ((roots_to_free & KVM_MMU_ROOT_PREVIOUS(i)) &&
3769
			    VALID_PAGE(mmu->prev_roots[i].hpa))
3770
				break;
3771

3772
		if (i == KVM_MMU_NUM_PREV_ROOTS)
3773
			return;
3774
	}
3775

3776
	if (is_tdp_mmu)
3777
		read_lock(&kvm->mmu_lock);
3778
	else
3779
		write_lock(&kvm->mmu_lock);
3780

3781
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
3782
		if (roots_to_free & KVM_MMU_ROOT_PREVIOUS(i))
3783
			mmu_free_root_page(kvm, &mmu->prev_roots[i].hpa,
3784
					   &invalid_list);
3785

3786
	if (free_active_root) {
3787
		if (kvm_mmu_is_dummy_root(mmu->root.hpa)) {
3788
			/* Nothing to cleanup for dummy roots. */
3789
		} else if (root_to_sp(mmu->root.hpa)) {
3790
			mmu_free_root_page(kvm, &mmu->root.hpa, &invalid_list);
3791
		} else if (mmu->pae_root) {
3792
			for (i = 0; i < 4; ++i) {
3793
				if (!IS_VALID_PAE_ROOT(mmu->pae_root[i]))
3794
					continue;
3795

3796
				mmu_free_root_page(kvm, &mmu->pae_root[i],
3797
						   &invalid_list);
3798
				mmu->pae_root[i] = INVALID_PAE_ROOT;
3799
			}
3800
		}
3801
		mmu->root.hpa = INVALID_PAGE;
3802
		mmu->root.pgd = 0;
3803
	}
3804

3805
	if (is_tdp_mmu) {
3806
		read_unlock(&kvm->mmu_lock);
3807
		WARN_ON_ONCE(!list_empty(&invalid_list));
3808
	} else {
3809
		kvm_mmu_commit_zap_page(kvm, &invalid_list);
3810
		write_unlock(&kvm->mmu_lock);
3811
	}
3812
}
3813
EXPORT_SYMBOL_GPL(kvm_mmu_free_roots);
3814

3815
void kvm_mmu_free_guest_mode_roots(struct kvm *kvm, struct kvm_mmu *mmu)
3816
{
3817
	unsigned long roots_to_free = 0;
3818
	struct kvm_mmu_page *sp;
3819
	hpa_t root_hpa;
3820
	int i;
3821

3822
	/*
3823
	 * This should not be called while L2 is active, L2 can't invalidate
3824
	 * _only_ its own roots, e.g. INVVPID unconditionally exits.
3825
	 */
3826
	WARN_ON_ONCE(mmu->root_role.guest_mode);
3827

3828
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
3829
		root_hpa = mmu->prev_roots[i].hpa;
3830
		if (!VALID_PAGE(root_hpa))
3831
			continue;
3832

3833
		sp = root_to_sp(root_hpa);
3834
		if (!sp || sp->role.guest_mode)
3835
			roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
3836
	}
3837

3838
	kvm_mmu_free_roots(kvm, mmu, roots_to_free);
3839
}
3840
EXPORT_SYMBOL_GPL(kvm_mmu_free_guest_mode_roots);
3841

3842
static hpa_t mmu_alloc_root(struct kvm_vcpu *vcpu, gfn_t gfn, int quadrant,
3843
			    u8 level)
3844
{
3845
	union kvm_mmu_page_role role = vcpu->arch.mmu->root_role;
3846
	struct kvm_mmu_page *sp;
3847

3848
	role.level = level;
3849
	role.quadrant = quadrant;
3850

3851
	WARN_ON_ONCE(quadrant && !role.has_4_byte_gpte);
3852
	WARN_ON_ONCE(role.direct && role.has_4_byte_gpte);
3853

3854
	sp = kvm_mmu_get_shadow_page(vcpu, gfn, role);
3855
	++sp->root_count;
3856

3857
	return __pa(sp->spt);
3858
}
3859

3860
static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
3861
{
3862
	struct kvm_mmu *mmu = vcpu->arch.mmu;
3863
	u8 shadow_root_level = mmu->root_role.level;
3864
	hpa_t root;
3865
	unsigned i;
3866
	int r;
3867

3868
	if (tdp_mmu_enabled) {
3869
		if (kvm_has_mirrored_tdp(vcpu->kvm) &&
3870
		    !VALID_PAGE(mmu->mirror_root_hpa))
3871
			kvm_tdp_mmu_alloc_root(vcpu, true);
3872
		kvm_tdp_mmu_alloc_root(vcpu, false);
3873
		return 0;
3874
	}
3875

3876
	write_lock(&vcpu->kvm->mmu_lock);
3877
	r = make_mmu_pages_available(vcpu);
3878
	if (r < 0)
3879
		goto out_unlock;
3880

3881
	if (shadow_root_level >= PT64_ROOT_4LEVEL) {
3882
		root = mmu_alloc_root(vcpu, 0, 0, shadow_root_level);
3883
		mmu->root.hpa = root;
3884
	} else if (shadow_root_level == PT32E_ROOT_LEVEL) {
3885
		if (WARN_ON_ONCE(!mmu->pae_root)) {
3886
			r = -EIO;
3887
			goto out_unlock;
3888
		}
3889

3890
		for (i = 0; i < 4; ++i) {
3891
			WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
3892

3893
			root = mmu_alloc_root(vcpu, i << (30 - PAGE_SHIFT), 0,
3894
					      PT32_ROOT_LEVEL);
3895
			mmu->pae_root[i] = root | PT_PRESENT_MASK |
3896
					   shadow_me_value;
3897
		}
3898
		mmu->root.hpa = __pa(mmu->pae_root);
3899
	} else {
3900
		WARN_ONCE(1, "Bad TDP root level = %d\n", shadow_root_level);
3901
		r = -EIO;
3902
		goto out_unlock;
3903
	}
3904

3905
	/* root.pgd is ignored for direct MMUs. */
3906
	mmu->root.pgd = 0;
3907
out_unlock:
3908
	write_unlock(&vcpu->kvm->mmu_lock);
3909
	return r;
3910
}
3911

3912
static int kvm_mmu_alloc_page_hash(struct kvm *kvm)
3913
{
3914
	struct hlist_head *h;
3915

3916
	if (kvm->arch.mmu_page_hash)
3917
		return 0;
3918

3919
	h = kvcalloc(KVM_NUM_MMU_PAGES, sizeof(*h), GFP_KERNEL_ACCOUNT);
3920
	if (!h)
3921
		return -ENOMEM;
3922

3923
	/*
3924
	 * Ensure the hash table pointer is set only after all stores to zero
3925
	 * the memory are retired.  Pairs with the smp_load_acquire() in
3926
	 * kvm_get_mmu_page_hash().  Note, mmu_lock must be held for write to
3927
	 * add (or remove) shadow pages, and so readers are guaranteed to see
3928
	 * an empty list for their current mmu_lock critical section.
3929
	 */
3930
	smp_store_release(&kvm->arch.mmu_page_hash, h);
3931
	return 0;
3932
}
3933

3934
static int mmu_first_shadow_root_alloc(struct kvm *kvm)
3935
{
3936
	struct kvm_memslots *slots;
3937
	struct kvm_memory_slot *slot;
3938
	int r = 0, i, bkt;
3939

3940
	/*
3941
	 * Check if this is the first shadow root being allocated before
3942
	 * taking the lock.
3943
	 */
3944
	if (kvm_shadow_root_allocated(kvm))
3945
		return 0;
3946

3947
	mutex_lock(&kvm->slots_arch_lock);
3948

3949
	/* Recheck, under the lock, whether this is the first shadow root. */
3950
	if (kvm_shadow_root_allocated(kvm))
3951
		goto out_unlock;
3952

3953
	r = kvm_mmu_alloc_page_hash(kvm);
3954
	if (r)
3955
		goto out_unlock;
3956

3957
	/*
3958
	 * Check if memslot metadata actually needs to be allocated, e.g. all
3959
	 * metadata will be allocated upfront if TDP is disabled.
3960
	 */
3961
	if (kvm_memslots_have_rmaps(kvm) &&
3962
	    kvm_page_track_write_tracking_enabled(kvm))
3963
		goto out_success;
3964

3965
	for (i = 0; i < kvm_arch_nr_memslot_as_ids(kvm); i++) {
3966
		slots = __kvm_memslots(kvm, i);
3967
		kvm_for_each_memslot(slot, bkt, slots) {
3968
			/*
3969
			 * Both of these functions are no-ops if the target is
3970
			 * already allocated, so unconditionally calling both
3971
			 * is safe.  Intentionally do NOT free allocations on
3972
			 * failure to avoid having to track which allocations
3973
			 * were made now versus when the memslot was created.
3974
			 * The metadata is guaranteed to be freed when the slot
3975
			 * is freed, and will be kept/used if userspace retries
3976
			 * KVM_RUN instead of killing the VM.
3977
			 */
3978
			r = memslot_rmap_alloc(slot, slot->npages);
3979
			if (r)
3980
				goto out_unlock;
3981
			r = kvm_page_track_write_tracking_alloc(slot);
3982
			if (r)
3983
				goto out_unlock;
3984
		}
3985
	}
3986

3987
	/*
3988
	 * Ensure that shadow_root_allocated becomes true strictly after
3989
	 * all the related pointers are set.
3990
	 */
3991
out_success:
3992
	smp_store_release(&kvm->arch.shadow_root_allocated, true);
3993

3994
out_unlock:
3995
	mutex_unlock(&kvm->slots_arch_lock);
3996
	return r;
3997
}
3998

3999
static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
4000
{
4001
	struct kvm_mmu *mmu = vcpu->arch.mmu;
4002
	u64 pdptrs[4], pm_mask;
4003
	gfn_t root_gfn, root_pgd;
4004
	int quadrant, i, r;
4005
	hpa_t root;
4006

4007
	root_pgd = kvm_mmu_get_guest_pgd(vcpu, mmu);
4008
	root_gfn = (root_pgd & __PT_BASE_ADDR_MASK) >> PAGE_SHIFT;
4009

4010
	if (!kvm_vcpu_is_visible_gfn(vcpu, root_gfn)) {
4011
		mmu->root.hpa = kvm_mmu_get_dummy_root();
4012
		return 0;
4013
	}
4014

4015
	/*
4016
	 * On SVM, reading PDPTRs might access guest memory, which might fault
4017
	 * and thus might sleep.  Grab the PDPTRs before acquiring mmu_lock.
4018
	 */
4019
	if (mmu->cpu_role.base.level == PT32E_ROOT_LEVEL) {
4020
		for (i = 0; i < 4; ++i) {
4021
			pdptrs[i] = mmu->get_pdptr(vcpu, i);
4022
			if (!(pdptrs[i] & PT_PRESENT_MASK))
4023
				continue;
4024

4025
			if (!kvm_vcpu_is_visible_gfn(vcpu, pdptrs[i] >> PAGE_SHIFT))
4026
				pdptrs[i] = 0;
4027
		}
4028
	}
4029

4030
	r = mmu_first_shadow_root_alloc(vcpu->kvm);
4031
	if (r)
4032
		return r;
4033

4034
	write_lock(&vcpu->kvm->mmu_lock);
4035
	r = make_mmu_pages_available(vcpu);
4036
	if (r < 0)
4037
		goto out_unlock;
4038

4039
	/*
4040
	 * Do we shadow a long mode page table? If so we need to
4041
	 * write-protect the guests page table root.
4042
	 */
4043
	if (mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL) {
4044
		root = mmu_alloc_root(vcpu, root_gfn, 0,
4045
				      mmu->root_role.level);
4046
		mmu->root.hpa = root;
4047
		goto set_root_pgd;
4048
	}
4049

4050
	if (WARN_ON_ONCE(!mmu->pae_root)) {
4051
		r = -EIO;
4052
		goto out_unlock;
4053
	}
4054

4055
	/*
4056
	 * We shadow a 32 bit page table. This may be a legacy 2-level
4057
	 * or a PAE 3-level page table. In either case we need to be aware that
4058
	 * the shadow page table may be a PAE or a long mode page table.
4059
	 */
4060
	pm_mask = PT_PRESENT_MASK | shadow_me_value;
4061
	if (mmu->root_role.level >= PT64_ROOT_4LEVEL) {
4062
		pm_mask |= PT_ACCESSED_MASK | PT_WRITABLE_MASK | PT_USER_MASK;
4063

4064
		if (WARN_ON_ONCE(!mmu->pml4_root)) {
4065
			r = -EIO;
4066
			goto out_unlock;
4067
		}
4068
		mmu->pml4_root[0] = __pa(mmu->pae_root) | pm_mask;
4069

4070
		if (mmu->root_role.level == PT64_ROOT_5LEVEL) {
4071
			if (WARN_ON_ONCE(!mmu->pml5_root)) {
4072
				r = -EIO;
4073
				goto out_unlock;
4074
			}
4075
			mmu->pml5_root[0] = __pa(mmu->pml4_root) | pm_mask;
4076
		}
4077
	}
4078

4079
	for (i = 0; i < 4; ++i) {
4080
		WARN_ON_ONCE(IS_VALID_PAE_ROOT(mmu->pae_root[i]));
4081

4082
		if (mmu->cpu_role.base.level == PT32E_ROOT_LEVEL) {
4083
			if (!(pdptrs[i] & PT_PRESENT_MASK)) {
4084
				mmu->pae_root[i] = INVALID_PAE_ROOT;
4085
				continue;
4086
			}
4087
			root_gfn = pdptrs[i] >> PAGE_SHIFT;
4088
		}
4089

4090
		/*
4091
		 * If shadowing 32-bit non-PAE page tables, each PAE page
4092
		 * directory maps one quarter of the guest's non-PAE page
4093
		 * directory. Othwerise each PAE page direct shadows one guest
4094
		 * PAE page directory so that quadrant should be 0.
4095
		 */
4096
		quadrant = (mmu->cpu_role.base.level == PT32_ROOT_LEVEL) ? i : 0;
4097

4098
		root = mmu_alloc_root(vcpu, root_gfn, quadrant, PT32_ROOT_LEVEL);
4099
		mmu->pae_root[i] = root | pm_mask;
4100
	}
4101

4102
	if (mmu->root_role.level == PT64_ROOT_5LEVEL)
4103
		mmu->root.hpa = __pa(mmu->pml5_root);
4104
	else if (mmu->root_role.level == PT64_ROOT_4LEVEL)
4105
		mmu->root.hpa = __pa(mmu->pml4_root);
4106
	else
4107
		mmu->root.hpa = __pa(mmu->pae_root);
4108

4109
set_root_pgd:
4110
	mmu->root.pgd = root_pgd;
4111
out_unlock:
4112
	write_unlock(&vcpu->kvm->mmu_lock);
4113

4114
	return r;
4115
}
4116

4117
static int mmu_alloc_special_roots(struct kvm_vcpu *vcpu)
4118
{
4119
	struct kvm_mmu *mmu = vcpu->arch.mmu;
4120
	bool need_pml5 = mmu->root_role.level > PT64_ROOT_4LEVEL;
4121
	u64 *pml5_root = NULL;
4122
	u64 *pml4_root = NULL;
4123
	u64 *pae_root;
4124

4125
	/*
4126
	 * When shadowing 32-bit or PAE NPT with 64-bit NPT, the PML4 and PDP
4127
	 * tables are allocated and initialized at root creation as there is no
4128
	 * equivalent level in the guest's NPT to shadow.  Allocate the tables
4129
	 * on demand, as running a 32-bit L1 VMM on 64-bit KVM is very rare.
4130
	 */
4131
	if (mmu->root_role.direct ||
4132
	    mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL ||
4133
	    mmu->root_role.level < PT64_ROOT_4LEVEL)
4134
		return 0;
4135

4136
	/*
4137
	 * NPT, the only paging mode that uses this horror, uses a fixed number
4138
	 * of levels for the shadow page tables, e.g. all MMUs are 4-level or
4139
	 * all MMus are 5-level.  Thus, this can safely require that pml5_root
4140
	 * is allocated if the other roots are valid and pml5 is needed, as any
4141
	 * prior MMU would also have required pml5.
4142
	 */
4143
	if (mmu->pae_root && mmu->pml4_root && (!need_pml5 || mmu->pml5_root))
4144
		return 0;
4145

4146
	/*
4147
	 * The special roots should always be allocated in concert.  Yell and
4148
	 * bail if KVM ends up in a state where only one of the roots is valid.
4149
	 */
4150
	if (WARN_ON_ONCE(!tdp_enabled || mmu->pae_root || mmu->pml4_root ||
4151
			 (need_pml5 && mmu->pml5_root)))
4152
		return -EIO;
4153

4154
	/*
4155
	 * Unlike 32-bit NPT, the PDP table doesn't need to be in low mem, and
4156
	 * doesn't need to be decrypted.
4157
	 */
4158
	pae_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
4159
	if (!pae_root)
4160
		return -ENOMEM;
4161

4162
#ifdef CONFIG_X86_64
4163
	pml4_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
4164
	if (!pml4_root)
4165
		goto err_pml4;
4166

4167
	if (need_pml5) {
4168
		pml5_root = (void *)get_zeroed_page(GFP_KERNEL_ACCOUNT);
4169
		if (!pml5_root)
4170
			goto err_pml5;
4171
	}
4172
#endif
4173

4174
	mmu->pae_root = pae_root;
4175
	mmu->pml4_root = pml4_root;
4176
	mmu->pml5_root = pml5_root;
4177

4178
	return 0;
4179

4180
#ifdef CONFIG_X86_64
4181
err_pml5:
4182
	free_page((unsigned long)pml4_root);
4183
err_pml4:
4184
	free_page((unsigned long)pae_root);
4185
	return -ENOMEM;
4186
#endif
4187
}
4188

4189
static bool is_unsync_root(hpa_t root)
4190
{
4191
	struct kvm_mmu_page *sp;
4192

4193
	if (!VALID_PAGE(root) || kvm_mmu_is_dummy_root(root))
4194
		return false;
4195

4196
	/*
4197
	 * The read barrier orders the CPU's read of SPTE.W during the page table
4198
	 * walk before the reads of sp->unsync/sp->unsync_children here.
4199
	 *
4200
	 * Even if another CPU was marking the SP as unsync-ed simultaneously,
4201
	 * any guest page table changes are not guaranteed to be visible anyway
4202
	 * until this VCPU issues a TLB flush strictly after those changes are
4203
	 * made.  We only need to ensure that the other CPU sets these flags
4204
	 * before any actual changes to the page tables are made.  The comments
4205
	 * in mmu_try_to_unsync_pages() describe what could go wrong if this
4206
	 * requirement isn't satisfied.
4207
	 */
4208
	smp_rmb();
4209
	sp = root_to_sp(root);
4210

4211
	/*
4212
	 * PAE roots (somewhat arbitrarily) aren't backed by shadow pages, the
4213
	 * PDPTEs for a given PAE root need to be synchronized individually.
4214
	 */
4215
	if (WARN_ON_ONCE(!sp))
4216
		return false;
4217

4218
	if (sp->unsync || sp->unsync_children)
4219
		return true;
4220

4221
	return false;
4222
}
4223

4224
void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
4225
{
4226
	int i;
4227
	struct kvm_mmu_page *sp;
4228

4229
	if (vcpu->arch.mmu->root_role.direct)
4230
		return;
4231

4232
	if (!VALID_PAGE(vcpu->arch.mmu->root.hpa))
4233
		return;
4234

4235
	vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
4236

4237
	if (vcpu->arch.mmu->cpu_role.base.level >= PT64_ROOT_4LEVEL) {
4238
		hpa_t root = vcpu->arch.mmu->root.hpa;
4239

4240
		if (!is_unsync_root(root))
4241
			return;
4242

4243
		sp = root_to_sp(root);
4244

4245
		write_lock(&vcpu->kvm->mmu_lock);
4246
		mmu_sync_children(vcpu, sp, true);
4247
		write_unlock(&vcpu->kvm->mmu_lock);
4248
		return;
4249
	}
4250

4251
	write_lock(&vcpu->kvm->mmu_lock);
4252

4253
	for (i = 0; i < 4; ++i) {
4254
		hpa_t root = vcpu->arch.mmu->pae_root[i];
4255

4256
		if (IS_VALID_PAE_ROOT(root)) {
4257
			sp = spte_to_child_sp(root);
4258
			mmu_sync_children(vcpu, sp, true);
4259
		}
4260
	}
4261

4262
	write_unlock(&vcpu->kvm->mmu_lock);
4263
}
4264

4265
void kvm_mmu_sync_prev_roots(struct kvm_vcpu *vcpu)
4266
{
4267
	unsigned long roots_to_free = 0;
4268
	int i;
4269

4270
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
4271
		if (is_unsync_root(vcpu->arch.mmu->prev_roots[i].hpa))
4272
			roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
4273

4274
	/* sync prev_roots by simply freeing them */
4275
	kvm_mmu_free_roots(vcpu->kvm, vcpu->arch.mmu, roots_to_free);
4276
}
4277

4278
static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
4279
				  gpa_t vaddr, u64 access,
4280
				  struct x86_exception *exception)
4281
{
4282
	if (exception)
4283
		exception->error_code = 0;
4284
	return kvm_translate_gpa(vcpu, mmu, vaddr, access, exception);
4285
}
4286

4287
static bool mmio_info_in_cache(struct kvm_vcpu *vcpu, u64 addr, bool direct)
4288
{
4289
	/*
4290
	 * A nested guest cannot use the MMIO cache if it is using nested
4291
	 * page tables, because cr2 is a nGPA while the cache stores GPAs.
4292
	 */
4293
	if (mmu_is_nested(vcpu))
4294
		return false;
4295

4296
	if (direct)
4297
		return vcpu_match_mmio_gpa(vcpu, addr);
4298

4299
	return vcpu_match_mmio_gva(vcpu, addr);
4300
}
4301

4302
/*
4303
 * Return the level of the lowest level SPTE added to sptes.
4304
 * That SPTE may be non-present.
4305
 *
4306
 * Must be called between walk_shadow_page_lockless_{begin,end}.
4307
 */
4308
static int get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes, int *root_level)
4309
{
4310
	struct kvm_shadow_walk_iterator iterator;
4311
	int leaf = -1;
4312
	u64 spte;
4313

4314
	for (shadow_walk_init(&iterator, vcpu, addr),
4315
	     *root_level = iterator.level;
4316
	     shadow_walk_okay(&iterator);
4317
	     __shadow_walk_next(&iterator, spte)) {
4318
		leaf = iterator.level;
4319
		spte = mmu_spte_get_lockless(iterator.sptep);
4320

4321
		sptes[leaf] = spte;
4322
	}
4323

4324
	return leaf;
4325
}
4326

4327
static int get_sptes_lockless(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes,
4328
			      int *root_level)
4329
{
4330
	int leaf;
4331

4332
	walk_shadow_page_lockless_begin(vcpu);
4333

4334
	if (is_tdp_mmu_active(vcpu))
4335
		leaf = kvm_tdp_mmu_get_walk(vcpu, addr, sptes, root_level);
4336
	else
4337
		leaf = get_walk(vcpu, addr, sptes, root_level);
4338

4339
	walk_shadow_page_lockless_end(vcpu);
4340
	return leaf;
4341
}
4342

4343
/* return true if reserved bit(s) are detected on a valid, non-MMIO SPTE. */
4344
static bool get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr, u64 *sptep)
4345
{
4346
	u64 sptes[PT64_ROOT_MAX_LEVEL + 1];
4347
	struct rsvd_bits_validate *rsvd_check;
4348
	int root, leaf, level;
4349
	bool reserved = false;
4350

4351
	leaf = get_sptes_lockless(vcpu, addr, sptes, &root);
4352
	if (unlikely(leaf < 0)) {
4353
		*sptep = 0ull;
4354
		return reserved;
4355
	}
4356

4357
	*sptep = sptes[leaf];
4358

4359
	/*
4360
	 * Skip reserved bits checks on the terminal leaf if it's not a valid
4361
	 * SPTE.  Note, this also (intentionally) skips MMIO SPTEs, which, by
4362
	 * design, always have reserved bits set.  The purpose of the checks is
4363
	 * to detect reserved bits on non-MMIO SPTEs. i.e. buggy SPTEs.
4364
	 */
4365
	if (!is_shadow_present_pte(sptes[leaf]))
4366
		leaf++;
4367

4368
	rsvd_check = &vcpu->arch.mmu->shadow_zero_check;
4369

4370
	for (level = root; level >= leaf; level--)
4371
		reserved |= is_rsvd_spte(rsvd_check, sptes[level], level);
4372

4373
	if (reserved) {
4374
		pr_err("%s: reserved bits set on MMU-present spte, addr 0x%llx, hierarchy:\n",
4375
		       __func__, addr);
4376
		for (level = root; level >= leaf; level--)
4377
			pr_err("------ spte = 0x%llx level = %d, rsvd bits = 0x%llx",
4378
			       sptes[level], level,
4379
			       get_rsvd_bits(rsvd_check, sptes[level], level));
4380
	}
4381

4382
	return reserved;
4383
}
4384

4385
static int handle_mmio_page_fault(struct kvm_vcpu *vcpu, u64 addr, bool direct)
4386
{
4387
	u64 spte;
4388
	bool reserved;
4389

4390
	if (mmio_info_in_cache(vcpu, addr, direct))
4391
		return RET_PF_EMULATE;
4392

4393
	reserved = get_mmio_spte(vcpu, addr, &spte);
4394
	if (WARN_ON_ONCE(reserved))
4395
		return -EINVAL;
4396

4397
	if (is_mmio_spte(vcpu->kvm, spte)) {
4398
		gfn_t gfn = get_mmio_spte_gfn(spte);
4399
		unsigned int access = get_mmio_spte_access(spte);
4400

4401
		if (!check_mmio_spte(vcpu, spte))
4402
			return RET_PF_INVALID;
4403

4404
		if (direct)
4405
			addr = 0;
4406

4407
		trace_handle_mmio_page_fault(addr, gfn, access);
4408
		vcpu_cache_mmio_info(vcpu, addr, gfn, access);
4409
		return RET_PF_EMULATE;
4410
	}
4411

4412
	/*
4413
	 * If the page table is zapped by other cpus, let CPU fault again on
4414
	 * the address.
4415
	 */
4416
	return RET_PF_RETRY;
4417
}
4418

4419
static bool page_fault_handle_page_track(struct kvm_vcpu *vcpu,
4420
					 struct kvm_page_fault *fault)
4421
{
4422
	if (unlikely(fault->rsvd))
4423
		return false;
4424

4425
	if (!fault->present || !fault->write)
4426
		return false;
4427

4428
	/*
4429
	 * guest is writing the page which is write tracked which can
4430
	 * not be fixed by page fault handler.
4431
	 */
4432
	if (kvm_gfn_is_write_tracked(vcpu->kvm, fault->slot, fault->gfn))
4433
		return true;
4434

4435
	return false;
4436
}
4437

4438
static void shadow_page_table_clear_flood(struct kvm_vcpu *vcpu, gva_t addr)
4439
{
4440
	struct kvm_shadow_walk_iterator iterator;
4441
	u64 spte;
4442

4443
	walk_shadow_page_lockless_begin(vcpu);
4444
	for_each_shadow_entry_lockless(vcpu, addr, iterator, spte)
4445
		clear_sp_write_flooding_count(iterator.sptep);
4446
	walk_shadow_page_lockless_end(vcpu);
4447
}
4448

4449
static u32 alloc_apf_token(struct kvm_vcpu *vcpu)
4450
{
4451
	/* make sure the token value is not 0 */
4452
	u32 id = vcpu->arch.apf.id;
4453

4454
	if (id << 12 == 0)
4455
		vcpu->arch.apf.id = 1;
4456

4457
	return (vcpu->arch.apf.id++ << 12) | vcpu->vcpu_id;
4458
}
4459

4460
static bool kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu,
4461
				    struct kvm_page_fault *fault)
4462
{
4463
	struct kvm_arch_async_pf arch;
4464

4465
	arch.token = alloc_apf_token(vcpu);
4466
	arch.gfn = fault->gfn;
4467
	arch.error_code = fault->error_code;
4468
	arch.direct_map = vcpu->arch.mmu->root_role.direct;
4469
	arch.cr3 = kvm_mmu_get_guest_pgd(vcpu, vcpu->arch.mmu);
4470

4471
	return kvm_setup_async_pf(vcpu, fault->addr,
4472
				  kvm_vcpu_gfn_to_hva(vcpu, fault->gfn), &arch);
4473
}
4474

4475
void kvm_arch_async_page_ready(struct kvm_vcpu *vcpu, struct kvm_async_pf *work)
4476
{
4477
	int r;
4478

4479
	if (WARN_ON_ONCE(work->arch.error_code & PFERR_PRIVATE_ACCESS))
4480
		return;
4481

4482
	if ((vcpu->arch.mmu->root_role.direct != work->arch.direct_map) ||
4483
	      work->wakeup_all)
4484
		return;
4485

4486
	r = kvm_mmu_reload(vcpu);
4487
	if (unlikely(r))
4488
		return;
4489

4490
	if (!vcpu->arch.mmu->root_role.direct &&
4491
	      work->arch.cr3 != kvm_mmu_get_guest_pgd(vcpu, vcpu->arch.mmu))
4492
		return;
4493

4494
	r = kvm_mmu_do_page_fault(vcpu, work->cr2_or_gpa, work->arch.error_code,
4495
				  true, NULL, NULL);
4496

4497
	/*
4498
	 * Account fixed page faults, otherwise they'll never be counted, but
4499
	 * ignore stats for all other return times.  Page-ready "faults" aren't
4500
	 * truly spurious and never trigger emulation
4501
	 */
4502
	if (r == RET_PF_FIXED)
4503
		vcpu->stat.pf_fixed++;
4504
}
4505

4506
static inline u8 kvm_max_level_for_order(int order)
4507
{
4508
	BUILD_BUG_ON(KVM_MAX_HUGEPAGE_LEVEL > PG_LEVEL_1G);
4509

4510
	KVM_MMU_WARN_ON(order != KVM_HPAGE_GFN_SHIFT(PG_LEVEL_1G) &&
4511
			order != KVM_HPAGE_GFN_SHIFT(PG_LEVEL_2M) &&
4512
			order != KVM_HPAGE_GFN_SHIFT(PG_LEVEL_4K));
4513

4514
	if (order >= KVM_HPAGE_GFN_SHIFT(PG_LEVEL_1G))
4515
		return PG_LEVEL_1G;
4516

4517
	if (order >= KVM_HPAGE_GFN_SHIFT(PG_LEVEL_2M))
4518
		return PG_LEVEL_2M;
4519

4520
	return PG_LEVEL_4K;
4521
}
4522

4523
static u8 kvm_max_private_mapping_level(struct kvm *kvm, kvm_pfn_t pfn,
4524
					u8 max_level, int gmem_order)
4525
{
4526
	u8 req_max_level;
4527

4528
	if (max_level == PG_LEVEL_4K)
4529
		return PG_LEVEL_4K;
4530

4531
	max_level = min(kvm_max_level_for_order(gmem_order), max_level);
4532
	if (max_level == PG_LEVEL_4K)
4533
		return PG_LEVEL_4K;
4534

4535
	req_max_level = kvm_x86_call(private_max_mapping_level)(kvm, pfn);
4536
	if (req_max_level)
4537
		max_level = min(max_level, req_max_level);
4538

4539
	return max_level;
4540
}
4541

4542
static void kvm_mmu_finish_page_fault(struct kvm_vcpu *vcpu,
4543
				      struct kvm_page_fault *fault, int r)
4544
{
4545
	kvm_release_faultin_page(vcpu->kvm, fault->refcounted_page,
4546
				 r == RET_PF_RETRY, fault->map_writable);
4547
}
4548

4549
static int kvm_mmu_faultin_pfn_private(struct kvm_vcpu *vcpu,
4550
				       struct kvm_page_fault *fault)
4551
{
4552
	int max_order, r;
4553

4554
	if (!kvm_slot_can_be_private(fault->slot)) {
4555
		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
4556
		return -EFAULT;
4557
	}
4558

4559
	r = kvm_gmem_get_pfn(vcpu->kvm, fault->slot, fault->gfn, &fault->pfn,
4560
			     &fault->refcounted_page, &max_order);
4561
	if (r) {
4562
		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
4563
		return r;
4564
	}
4565

4566
	fault->map_writable = !(fault->slot->flags & KVM_MEM_READONLY);
4567
	fault->max_level = kvm_max_private_mapping_level(vcpu->kvm, fault->pfn,
4568
							 fault->max_level, max_order);
4569

4570
	return RET_PF_CONTINUE;
4571
}
4572

4573
static int __kvm_mmu_faultin_pfn(struct kvm_vcpu *vcpu,
4574
				 struct kvm_page_fault *fault)
4575
{
4576
	unsigned int foll = fault->write ? FOLL_WRITE : 0;
4577

4578
	if (fault->is_private)
4579
		return kvm_mmu_faultin_pfn_private(vcpu, fault);
4580

4581
	foll |= FOLL_NOWAIT;
4582
	fault->pfn = __kvm_faultin_pfn(fault->slot, fault->gfn, foll,
4583
				       &fault->map_writable, &fault->refcounted_page);
4584

4585
	/*
4586
	 * If resolving the page failed because I/O is needed to fault-in the
4587
	 * page, then either set up an asynchronous #PF to do the I/O, or if
4588
	 * doing an async #PF isn't possible, retry with I/O allowed.  All
4589
	 * other failures are terminal, i.e. retrying won't help.
4590
	 */
4591
	if (fault->pfn != KVM_PFN_ERR_NEEDS_IO)
4592
		return RET_PF_CONTINUE;
4593

4594
	if (!fault->prefetch && kvm_can_do_async_pf(vcpu)) {
4595
		trace_kvm_try_async_get_page(fault->addr, fault->gfn);
4596
		if (kvm_find_async_pf_gfn(vcpu, fault->gfn)) {
4597
			trace_kvm_async_pf_repeated_fault(fault->addr, fault->gfn);
4598
			kvm_make_request(KVM_REQ_APF_HALT, vcpu);
4599
			return RET_PF_RETRY;
4600
		} else if (kvm_arch_setup_async_pf(vcpu, fault)) {
4601
			return RET_PF_RETRY;
4602
		}
4603
	}
4604

4605
	/*
4606
	 * Allow gup to bail on pending non-fatal signals when it's also allowed
4607
	 * to wait for IO.  Note, gup always bails if it is unable to quickly
4608
	 * get a page and a fatal signal, i.e. SIGKILL, is pending.
4609
	 */
4610
	foll |= FOLL_INTERRUPTIBLE;
4611
	foll &= ~FOLL_NOWAIT;
4612
	fault->pfn = __kvm_faultin_pfn(fault->slot, fault->gfn, foll,
4613
				       &fault->map_writable, &fault->refcounted_page);
4614

4615
	return RET_PF_CONTINUE;
4616
}
4617

4618
static int kvm_mmu_faultin_pfn(struct kvm_vcpu *vcpu,
4619
			       struct kvm_page_fault *fault, unsigned int access)
4620
{
4621
	struct kvm_memory_slot *slot = fault->slot;
4622
	struct kvm *kvm = vcpu->kvm;
4623
	int ret;
4624

4625
	if (KVM_BUG_ON(kvm_is_gfn_alias(kvm, fault->gfn), kvm))
4626
		return -EFAULT;
4627

4628
	/*
4629
	 * Note that the mmu_invalidate_seq also serves to detect a concurrent
4630
	 * change in attributes.  is_page_fault_stale() will detect an
4631
	 * invalidation relate to fault->fn and resume the guest without
4632
	 * installing a mapping in the page tables.
4633
	 */
4634
	fault->mmu_seq = vcpu->kvm->mmu_invalidate_seq;
4635
	smp_rmb();
4636

4637
	/*
4638
	 * Now that we have a snapshot of mmu_invalidate_seq we can check for a
4639
	 * private vs. shared mismatch.
4640
	 */
4641
	if (fault->is_private != kvm_mem_is_private(kvm, fault->gfn)) {
4642
		kvm_mmu_prepare_memory_fault_exit(vcpu, fault);
4643
		return -EFAULT;
4644
	}
4645

4646
	if (unlikely(!slot))
4647
		return kvm_handle_noslot_fault(vcpu, fault, access);
4648

4649
	/*
4650
	 * Retry the page fault if the gfn hit a memslot that is being deleted
4651
	 * or moved.  This ensures any existing SPTEs for the old memslot will
4652
	 * be zapped before KVM inserts a new MMIO SPTE for the gfn.
4653
	 */
4654
	if (slot->flags & KVM_MEMSLOT_INVALID)
4655
		return RET_PF_RETRY;
4656

4657
	if (slot->id == APIC_ACCESS_PAGE_PRIVATE_MEMSLOT) {
4658
		/*
4659
		 * Don't map L1's APIC access page into L2, KVM doesn't support
4660
		 * using APICv/AVIC to accelerate L2 accesses to L1's APIC,
4661
		 * i.e. the access needs to be emulated.  Emulating access to
4662
		 * L1's APIC is also correct if L1 is accelerating L2's own
4663
		 * virtual APIC, but for some reason L1 also maps _L1's_ APIC
4664
		 * into L2.  Note, vcpu_is_mmio_gpa() always treats access to
4665
		 * the APIC as MMIO.  Allow an MMIO SPTE to be created, as KVM
4666
		 * uses different roots for L1 vs. L2, i.e. there is no danger
4667
		 * of breaking APICv/AVIC for L1.
4668
		 */
4669
		if (is_guest_mode(vcpu))
4670
			return kvm_handle_noslot_fault(vcpu, fault, access);
4671

4672
		/*
4673
		 * If the APIC access page exists but is disabled, go directly
4674
		 * to emulation without caching the MMIO access or creating a
4675
		 * MMIO SPTE.  That way the cache doesn't need to be purged
4676
		 * when the AVIC is re-enabled.
4677
		 */
4678
		if (!kvm_apicv_activated(vcpu->kvm))
4679
			return RET_PF_EMULATE;
4680
	}
4681

4682
	/*
4683
	 * Check for a relevant mmu_notifier invalidation event before getting
4684
	 * the pfn from the primary MMU, and before acquiring mmu_lock.
4685
	 *
4686
	 * For mmu_lock, if there is an in-progress invalidation and the kernel
4687
	 * allows preemption, the invalidation task may drop mmu_lock and yield
4688
	 * in response to mmu_lock being contended, which is *very* counter-
4689
	 * productive as this vCPU can't actually make forward progress until
4690
	 * the invalidation completes.
4691
	 *
4692
	 * Retrying now can also avoid unnessary lock contention in the primary
4693
	 * MMU, as the primary MMU doesn't necessarily hold a single lock for
4694
	 * the duration of the invalidation, i.e. faulting in a conflicting pfn
4695
	 * can cause the invalidation to take longer by holding locks that are
4696
	 * needed to complete the invalidation.
4697
	 *
4698
	 * Do the pre-check even for non-preemtible kernels, i.e. even if KVM
4699
	 * will never yield mmu_lock in response to contention, as this vCPU is
4700
	 * *guaranteed* to need to retry, i.e. waiting until mmu_lock is held
4701
	 * to detect retry guarantees the worst case latency for the vCPU.
4702
	 */
4703
	if (mmu_invalidate_retry_gfn_unsafe(kvm, fault->mmu_seq, fault->gfn))
4704
		return RET_PF_RETRY;
4705

4706
	ret = __kvm_mmu_faultin_pfn(vcpu, fault);
4707
	if (ret != RET_PF_CONTINUE)
4708
		return ret;
4709

4710
	if (unlikely(is_error_pfn(fault->pfn)))
4711
		return kvm_handle_error_pfn(vcpu, fault);
4712

4713
	if (WARN_ON_ONCE(!fault->slot || is_noslot_pfn(fault->pfn)))
4714
		return kvm_handle_noslot_fault(vcpu, fault, access);
4715

4716
	/*
4717
	 * Check again for a relevant mmu_notifier invalidation event purely to
4718
	 * avoid contending mmu_lock.  Most invalidations will be detected by
4719
	 * the previous check, but checking is extremely cheap relative to the
4720
	 * overall cost of failing to detect the invalidation until after
4721
	 * mmu_lock is acquired.
4722
	 */
4723
	if (mmu_invalidate_retry_gfn_unsafe(kvm, fault->mmu_seq, fault->gfn)) {
4724
		kvm_mmu_finish_page_fault(vcpu, fault, RET_PF_RETRY);
4725
		return RET_PF_RETRY;
4726
	}
4727

4728
	return RET_PF_CONTINUE;
4729
}
4730

4731
/*
4732
 * Returns true if the page fault is stale and needs to be retried, i.e. if the
4733
 * root was invalidated by a memslot update or a relevant mmu_notifier fired.
4734
 */
4735
static bool is_page_fault_stale(struct kvm_vcpu *vcpu,
4736
				struct kvm_page_fault *fault)
4737
{
4738
	struct kvm_mmu_page *sp = root_to_sp(vcpu->arch.mmu->root.hpa);
4739

4740
	/* Special roots, e.g. pae_root, are not backed by shadow pages. */
4741
	if (sp && is_obsolete_sp(vcpu->kvm, sp))
4742
		return true;
4743

4744
	/*
4745
	 * Roots without an associated shadow page are considered invalid if
4746
	 * there is a pending request to free obsolete roots.  The request is
4747
	 * only a hint that the current root _may_ be obsolete and needs to be
4748
	 * reloaded, e.g. if the guest frees a PGD that KVM is tracking as a
4749
	 * previous root, then __kvm_mmu_prepare_zap_page() signals all vCPUs
4750
	 * to reload even if no vCPU is actively using the root.
4751
	 */
4752
	if (!sp && kvm_test_request(KVM_REQ_MMU_FREE_OBSOLETE_ROOTS, vcpu))
4753
		return true;
4754

4755
	/*
4756
	 * Check for a relevant mmu_notifier invalidation event one last time
4757
	 * now that mmu_lock is held, as the "unsafe" checks performed without
4758
	 * holding mmu_lock can get false negatives.
4759
	 */
4760
	return fault->slot &&
4761
	       mmu_invalidate_retry_gfn(vcpu->kvm, fault->mmu_seq, fault->gfn);
4762
}
4763

4764
static int direct_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
4765
{
4766
	int r;
4767

4768
	/* Dummy roots are used only for shadowing bad guest roots. */
4769
	if (WARN_ON_ONCE(kvm_mmu_is_dummy_root(vcpu->arch.mmu->root.hpa)))
4770
		return RET_PF_RETRY;
4771

4772
	if (page_fault_handle_page_track(vcpu, fault))
4773
		return RET_PF_WRITE_PROTECTED;
4774

4775
	r = fast_page_fault(vcpu, fault);
4776
	if (r != RET_PF_INVALID)
4777
		return r;
4778

4779
	r = mmu_topup_memory_caches(vcpu, false);
4780
	if (r)
4781
		return r;
4782

4783
	r = kvm_mmu_faultin_pfn(vcpu, fault, ACC_ALL);
4784
	if (r != RET_PF_CONTINUE)
4785
		return r;
4786

4787
	r = RET_PF_RETRY;
4788
	write_lock(&vcpu->kvm->mmu_lock);
4789

4790
	if (is_page_fault_stale(vcpu, fault))
4791
		goto out_unlock;
4792

4793
	r = make_mmu_pages_available(vcpu);
4794
	if (r)
4795
		goto out_unlock;
4796

4797
	r = direct_map(vcpu, fault);
4798

4799
out_unlock:
4800
	kvm_mmu_finish_page_fault(vcpu, fault, r);
4801
	write_unlock(&vcpu->kvm->mmu_lock);
4802
	return r;
4803
}
4804

4805
static int nonpaging_page_fault(struct kvm_vcpu *vcpu,
4806
				struct kvm_page_fault *fault)
4807
{
4808
	/* This path builds a PAE pagetable, we can map 2mb pages at maximum. */
4809
	fault->max_level = PG_LEVEL_2M;
4810
	return direct_page_fault(vcpu, fault);
4811
}
4812

4813
int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
4814
				u64 fault_address, char *insn, int insn_len)
4815
{
4816
	int r = 1;
4817
	u32 flags = vcpu->arch.apf.host_apf_flags;
4818

4819
#ifndef CONFIG_X86_64
4820
	/* A 64-bit CR2 should be impossible on 32-bit KVM. */
4821
	if (WARN_ON_ONCE(fault_address >> 32))
4822
		return -EFAULT;
4823
#endif
4824
	/*
4825
	 * Legacy #PF exception only have a 32-bit error code.  Simply drop the
4826
	 * upper bits as KVM doesn't use them for #PF (because they are never
4827
	 * set), and to ensure there are no collisions with KVM-defined bits.
4828
	 */
4829
	if (WARN_ON_ONCE(error_code >> 32))
4830
		error_code = lower_32_bits(error_code);
4831

4832
	/*
4833
	 * Restrict KVM-defined flags to bits 63:32 so that it's impossible for
4834
	 * them to conflict with #PF error codes, which are limited to 32 bits.
4835
	 */
4836
	BUILD_BUG_ON(lower_32_bits(PFERR_SYNTHETIC_MASK));
4837

4838
	vcpu->arch.l1tf_flush_l1d = true;
4839
	if (!flags) {
4840
		trace_kvm_page_fault(vcpu, fault_address, error_code);
4841

4842
		r = kvm_mmu_page_fault(vcpu, fault_address, error_code, insn,
4843
				insn_len);
4844
	} else if (flags & KVM_PV_REASON_PAGE_NOT_PRESENT) {
4845
		vcpu->arch.apf.host_apf_flags = 0;
4846
		local_irq_disable();
4847
		kvm_async_pf_task_wait_schedule(fault_address);
4848
		local_irq_enable();
4849
	} else {
4850
		WARN_ONCE(1, "Unexpected host async PF flags: %x\n", flags);
4851
	}
4852

4853
	return r;
4854
}
4855
EXPORT_SYMBOL_GPL(kvm_handle_page_fault);
4856

4857
#ifdef CONFIG_X86_64
4858
static int kvm_tdp_mmu_page_fault(struct kvm_vcpu *vcpu,
4859
				  struct kvm_page_fault *fault)
4860
{
4861
	int r;
4862

4863
	if (page_fault_handle_page_track(vcpu, fault))
4864
		return RET_PF_WRITE_PROTECTED;
4865

4866
	r = fast_page_fault(vcpu, fault);
4867
	if (r != RET_PF_INVALID)
4868
		return r;
4869

4870
	r = mmu_topup_memory_caches(vcpu, false);
4871
	if (r)
4872
		return r;
4873

4874
	r = kvm_mmu_faultin_pfn(vcpu, fault, ACC_ALL);
4875
	if (r != RET_PF_CONTINUE)
4876
		return r;
4877

4878
	r = RET_PF_RETRY;
4879
	read_lock(&vcpu->kvm->mmu_lock);
4880

4881
	if (is_page_fault_stale(vcpu, fault))
4882
		goto out_unlock;
4883

4884
	r = kvm_tdp_mmu_map(vcpu, fault);
4885

4886
out_unlock:
4887
	kvm_mmu_finish_page_fault(vcpu, fault, r);
4888
	read_unlock(&vcpu->kvm->mmu_lock);
4889
	return r;
4890
}
4891
#endif
4892

4893
int kvm_tdp_page_fault(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
4894
{
4895
#ifdef CONFIG_X86_64
4896
	if (tdp_mmu_enabled)
4897
		return kvm_tdp_mmu_page_fault(vcpu, fault);
4898
#endif
4899

4900
	return direct_page_fault(vcpu, fault);
4901
}
4902

4903
int kvm_tdp_map_page(struct kvm_vcpu *vcpu, gpa_t gpa, u64 error_code, u8 *level)
4904
{
4905
	int r;
4906

4907
	/*
4908
	 * Restrict to TDP page fault, since that's the only case where the MMU
4909
	 * is indexed by GPA.
4910
	 */
4911
	if (vcpu->arch.mmu->page_fault != kvm_tdp_page_fault)
4912
		return -EOPNOTSUPP;
4913

4914
	do {
4915
		if (signal_pending(current))
4916
			return -EINTR;
4917

4918
		if (kvm_check_request(KVM_REQ_VM_DEAD, vcpu))
4919
			return -EIO;
4920

4921
		cond_resched();
4922
		r = kvm_mmu_do_page_fault(vcpu, gpa, error_code, true, NULL, level);
4923
	} while (r == RET_PF_RETRY);
4924

4925
	if (r < 0)
4926
		return r;
4927

4928
	switch (r) {
4929
	case RET_PF_FIXED:
4930
	case RET_PF_SPURIOUS:
4931
	case RET_PF_WRITE_PROTECTED:
4932
		return 0;
4933

4934
	case RET_PF_EMULATE:
4935
		return -ENOENT;
4936

4937
	case RET_PF_RETRY:
4938
	case RET_PF_CONTINUE:
4939
	case RET_PF_INVALID:
4940
	default:
4941
		WARN_ONCE(1, "could not fix page fault during prefault");
4942
		return -EIO;
4943
	}
4944
}
4945
EXPORT_SYMBOL_GPL(kvm_tdp_map_page);
4946

4947
long kvm_arch_vcpu_pre_fault_memory(struct kvm_vcpu *vcpu,
4948
				    struct kvm_pre_fault_memory *range)
4949
{
4950
	u64 error_code = PFERR_GUEST_FINAL_MASK;
4951
	u8 level = PG_LEVEL_4K;
4952
	u64 direct_bits;
4953
	u64 end;
4954
	int r;
4955

4956
	if (!vcpu->kvm->arch.pre_fault_allowed)
4957
		return -EOPNOTSUPP;
4958

4959
	if (kvm_is_gfn_alias(vcpu->kvm, gpa_to_gfn(range->gpa)))
4960
		return -EINVAL;
4961

4962
	/*
4963
	 * reload is efficient when called repeatedly, so we can do it on
4964
	 * every iteration.
4965
	 */
4966
	r = kvm_mmu_reload(vcpu);
4967
	if (r)
4968
		return r;
4969

4970
	direct_bits = 0;
4971
	if (kvm_arch_has_private_mem(vcpu->kvm) &&
4972
	    kvm_mem_is_private(vcpu->kvm, gpa_to_gfn(range->gpa)))
4973
		error_code |= PFERR_PRIVATE_ACCESS;
4974
	else
4975
		direct_bits = gfn_to_gpa(kvm_gfn_direct_bits(vcpu->kvm));
4976

4977
	/*
4978
	 * Shadow paging uses GVA for kvm page fault, so restrict to
4979
	 * two-dimensional paging.
4980
	 */
4981
	r = kvm_tdp_map_page(vcpu, range->gpa | direct_bits, error_code, &level);
4982
	if (r < 0)
4983
		return r;
4984

4985
	/*
4986
	 * If the mapping that covers range->gpa can use a huge page, it
4987
	 * may start below it or end after range->gpa + range->size.
4988
	 */
4989
	end = (range->gpa & KVM_HPAGE_MASK(level)) + KVM_HPAGE_SIZE(level);
4990
	return min(range->size, end - range->gpa);
4991
}
4992

4993
static void nonpaging_init_context(struct kvm_mmu *context)
4994
{
4995
	context->page_fault = nonpaging_page_fault;
4996
	context->gva_to_gpa = nonpaging_gva_to_gpa;
4997
	context->sync_spte = NULL;
4998
}
4999

5000
static inline bool is_root_usable(struct kvm_mmu_root_info *root, gpa_t pgd,
5001
				  union kvm_mmu_page_role role)
5002
{
5003
	struct kvm_mmu_page *sp;
5004

5005
	if (!VALID_PAGE(root->hpa))
5006
		return false;
5007

5008
	if (!role.direct && pgd != root->pgd)
5009
		return false;
5010

5011
	sp = root_to_sp(root->hpa);
5012
	if (WARN_ON_ONCE(!sp))
5013
		return false;
5014

5015
	return role.word == sp->role.word;
5016
}
5017

5018
/*
5019
 * Find out if a previously cached root matching the new pgd/role is available,
5020
 * and insert the current root as the MRU in the cache.
5021
 * If a matching root is found, it is assigned to kvm_mmu->root and
5022
 * true is returned.
5023
 * If no match is found, kvm_mmu->root is left invalid, the LRU root is
5024
 * evicted to make room for the current root, and false is returned.
5025
 */
5026
static bool cached_root_find_and_keep_current(struct kvm *kvm, struct kvm_mmu *mmu,
5027
					      gpa_t new_pgd,
5028
					      union kvm_mmu_page_role new_role)
5029
{
5030
	uint i;
5031

5032
	if (is_root_usable(&mmu->root, new_pgd, new_role))
5033
		return true;
5034

5035
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
5036
		/*
5037
		 * The swaps end up rotating the cache like this:
5038
		 *   C   0 1 2 3   (on entry to the function)
5039
		 *   0   C 1 2 3
5040
		 *   1   C 0 2 3
5041
		 *   2   C 0 1 3
5042
		 *   3   C 0 1 2   (on exit from the loop)
5043
		 */
5044
		swap(mmu->root, mmu->prev_roots[i]);
5045
		if (is_root_usable(&mmu->root, new_pgd, new_role))
5046
			return true;
5047
	}
5048

5049
	kvm_mmu_free_roots(kvm, mmu, KVM_MMU_ROOT_CURRENT);
5050
	return false;
5051
}
5052

5053
/*
5054
 * Find out if a previously cached root matching the new pgd/role is available.
5055
 * On entry, mmu->root is invalid.
5056
 * If a matching root is found, it is assigned to kvm_mmu->root, the LRU entry
5057
 * of the cache becomes invalid, and true is returned.
5058
 * If no match is found, kvm_mmu->root is left invalid and false is returned.
5059
 */
5060
static bool cached_root_find_without_current(struct kvm *kvm, struct kvm_mmu *mmu,
5061
					     gpa_t new_pgd,
5062
					     union kvm_mmu_page_role new_role)
5063
{
5064
	uint i;
5065

5066
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
5067
		if (is_root_usable(&mmu->prev_roots[i], new_pgd, new_role))
5068
			goto hit;
5069

5070
	return false;
5071

5072
hit:
5073
	swap(mmu->root, mmu->prev_roots[i]);
5074
	/* Bubble up the remaining roots.  */
5075
	for (; i < KVM_MMU_NUM_PREV_ROOTS - 1; i++)
5076
		mmu->prev_roots[i] = mmu->prev_roots[i + 1];
5077
	mmu->prev_roots[i].hpa = INVALID_PAGE;
5078
	return true;
5079
}
5080

5081
static bool fast_pgd_switch(struct kvm *kvm, struct kvm_mmu *mmu,
5082
			    gpa_t new_pgd, union kvm_mmu_page_role new_role)
5083
{
5084
	/*
5085
	 * Limit reuse to 64-bit hosts+VMs without "special" roots in order to
5086
	 * avoid having to deal with PDPTEs and other complexities.
5087
	 */
5088
	if (VALID_PAGE(mmu->root.hpa) && !root_to_sp(mmu->root.hpa))
5089
		kvm_mmu_free_roots(kvm, mmu, KVM_MMU_ROOT_CURRENT);
5090

5091
	if (VALID_PAGE(mmu->root.hpa))
5092
		return cached_root_find_and_keep_current(kvm, mmu, new_pgd, new_role);
5093
	else
5094
		return cached_root_find_without_current(kvm, mmu, new_pgd, new_role);
5095
}
5096

5097
void kvm_mmu_new_pgd(struct kvm_vcpu *vcpu, gpa_t new_pgd)
5098
{
5099
	struct kvm_mmu *mmu = vcpu->arch.mmu;
5100
	union kvm_mmu_page_role new_role = mmu->root_role;
5101

5102
	/*
5103
	 * Return immediately if no usable root was found, kvm_mmu_reload()
5104
	 * will establish a valid root prior to the next VM-Enter.
5105
	 */
5106
	if (!fast_pgd_switch(vcpu->kvm, mmu, new_pgd, new_role))
5107
		return;
5108

5109
	/*
5110
	 * It's possible that the cached previous root page is obsolete because
5111
	 * of a change in the MMU generation number. However, changing the
5112
	 * generation number is accompanied by KVM_REQ_MMU_FREE_OBSOLETE_ROOTS,
5113
	 * which will free the root set here and allocate a new one.
5114
	 */
5115
	kvm_make_request(KVM_REQ_LOAD_MMU_PGD, vcpu);
5116

5117
	if (force_flush_and_sync_on_reuse) {
5118
		kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);
5119
		kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
5120
	}
5121

5122
	/*
5123
	 * The last MMIO access's GVA and GPA are cached in the VCPU. When
5124
	 * switching to a new CR3, that GVA->GPA mapping may no longer be
5125
	 * valid. So clear any cached MMIO info even when we don't need to sync
5126
	 * the shadow page tables.
5127
	 */
5128
	vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
5129

5130
	/*
5131
	 * If this is a direct root page, it doesn't have a write flooding
5132
	 * count. Otherwise, clear the write flooding count.
5133
	 */
5134
	if (!new_role.direct) {
5135
		struct kvm_mmu_page *sp = root_to_sp(vcpu->arch.mmu->root.hpa);
5136

5137
		if (!WARN_ON_ONCE(!sp))
5138
			__clear_sp_write_flooding_count(sp);
5139
	}
5140
}
5141
EXPORT_SYMBOL_GPL(kvm_mmu_new_pgd);
5142

5143
static bool sync_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, gfn_t gfn,
5144
			   unsigned int access)
5145
{
5146
	if (unlikely(is_mmio_spte(vcpu->kvm, *sptep))) {
5147
		if (gfn != get_mmio_spte_gfn(*sptep)) {
5148
			mmu_spte_clear_no_track(sptep);
5149
			return true;
5150
		}
5151

5152
		mark_mmio_spte(vcpu, sptep, gfn, access);
5153
		return true;
5154
	}
5155

5156
	return false;
5157
}
5158

5159
#define PTTYPE_EPT 18 /* arbitrary */
5160
#define PTTYPE PTTYPE_EPT
5161
#include "paging_tmpl.h"
5162
#undef PTTYPE
5163

5164
#define PTTYPE 64
5165
#include "paging_tmpl.h"
5166
#undef PTTYPE
5167

5168
#define PTTYPE 32
5169
#include "paging_tmpl.h"
5170
#undef PTTYPE
5171

5172
static void __reset_rsvds_bits_mask(struct rsvd_bits_validate *rsvd_check,
5173
				    u64 pa_bits_rsvd, int level, bool nx,
5174
				    bool gbpages, bool pse, bool amd)
5175
{
5176
	u64 gbpages_bit_rsvd = 0;
5177
	u64 nonleaf_bit8_rsvd = 0;
5178
	u64 high_bits_rsvd;
5179

5180
	rsvd_check->bad_mt_xwr = 0;
5181

5182
	if (!gbpages)
5183
		gbpages_bit_rsvd = rsvd_bits(7, 7);
5184

5185
	if (level == PT32E_ROOT_LEVEL)
5186
		high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 62);
5187
	else
5188
		high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
5189

5190
	/* Note, NX doesn't exist in PDPTEs, this is handled below. */
5191
	if (!nx)
5192
		high_bits_rsvd |= rsvd_bits(63, 63);
5193

5194
	/*
5195
	 * Non-leaf PML4Es and PDPEs reserve bit 8 (which would be the G bit for
5196
	 * leaf entries) on AMD CPUs only.
5197
	 */
5198
	if (amd)
5199
		nonleaf_bit8_rsvd = rsvd_bits(8, 8);
5200

5201
	switch (level) {
5202
	case PT32_ROOT_LEVEL:
5203
		/* no rsvd bits for 2 level 4K page table entries */
5204
		rsvd_check->rsvd_bits_mask[0][1] = 0;
5205
		rsvd_check->rsvd_bits_mask[0][0] = 0;
5206
		rsvd_check->rsvd_bits_mask[1][0] =
5207
			rsvd_check->rsvd_bits_mask[0][0];
5208

5209
		if (!pse) {
5210
			rsvd_check->rsvd_bits_mask[1][1] = 0;
5211
			break;
5212
		}
5213

5214
		if (is_cpuid_PSE36())
5215
			/* 36bits PSE 4MB page */
5216
			rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(17, 21);
5217
		else
5218
			/* 32 bits PSE 4MB page */
5219
			rsvd_check->rsvd_bits_mask[1][1] = rsvd_bits(13, 21);
5220
		break;
5221
	case PT32E_ROOT_LEVEL:
5222
		rsvd_check->rsvd_bits_mask[0][2] = rsvd_bits(63, 63) |
5223
						   high_bits_rsvd |
5224
						   rsvd_bits(5, 8) |
5225
						   rsvd_bits(1, 2);	/* PDPTE */
5226
		rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd;	/* PDE */
5227
		rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;	/* PTE */
5228
		rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
5229
						   rsvd_bits(13, 20);	/* large page */
5230
		rsvd_check->rsvd_bits_mask[1][0] =
5231
			rsvd_check->rsvd_bits_mask[0][0];
5232
		break;
5233
	case PT64_ROOT_5LEVEL:
5234
		rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd |
5235
						   nonleaf_bit8_rsvd |
5236
						   rsvd_bits(7, 7);
5237
		rsvd_check->rsvd_bits_mask[1][4] =
5238
			rsvd_check->rsvd_bits_mask[0][4];
5239
		fallthrough;
5240
	case PT64_ROOT_4LEVEL:
5241
		rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd |
5242
						   nonleaf_bit8_rsvd |
5243
						   rsvd_bits(7, 7);
5244
		rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd |
5245
						   gbpages_bit_rsvd;
5246
		rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd;
5247
		rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
5248
		rsvd_check->rsvd_bits_mask[1][3] =
5249
			rsvd_check->rsvd_bits_mask[0][3];
5250
		rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd |
5251
						   gbpages_bit_rsvd |
5252
						   rsvd_bits(13, 29);
5253
		rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd |
5254
						   rsvd_bits(13, 20); /* large page */
5255
		rsvd_check->rsvd_bits_mask[1][0] =
5256
			rsvd_check->rsvd_bits_mask[0][0];
5257
		break;
5258
	}
5259
}
5260

5261
static void reset_guest_rsvds_bits_mask(struct kvm_vcpu *vcpu,
5262
					struct kvm_mmu *context)
5263
{
5264
	__reset_rsvds_bits_mask(&context->guest_rsvd_check,
5265
				vcpu->arch.reserved_gpa_bits,
5266
				context->cpu_role.base.level, is_efer_nx(context),
5267
				guest_cpu_cap_has(vcpu, X86_FEATURE_GBPAGES),
5268
				is_cr4_pse(context),
5269
				guest_cpuid_is_amd_compatible(vcpu));
5270
}
5271

5272
static void __reset_rsvds_bits_mask_ept(struct rsvd_bits_validate *rsvd_check,
5273
					u64 pa_bits_rsvd, bool execonly,
5274
					int huge_page_level)
5275
{
5276
	u64 high_bits_rsvd = pa_bits_rsvd & rsvd_bits(0, 51);
5277
	u64 large_1g_rsvd = 0, large_2m_rsvd = 0;
5278
	u64 bad_mt_xwr;
5279

5280
	if (huge_page_level < PG_LEVEL_1G)
5281
		large_1g_rsvd = rsvd_bits(7, 7);
5282
	if (huge_page_level < PG_LEVEL_2M)
5283
		large_2m_rsvd = rsvd_bits(7, 7);
5284

5285
	rsvd_check->rsvd_bits_mask[0][4] = high_bits_rsvd | rsvd_bits(3, 7);
5286
	rsvd_check->rsvd_bits_mask[0][3] = high_bits_rsvd | rsvd_bits(3, 7);
5287
	rsvd_check->rsvd_bits_mask[0][2] = high_bits_rsvd | rsvd_bits(3, 6) | large_1g_rsvd;
5288
	rsvd_check->rsvd_bits_mask[0][1] = high_bits_rsvd | rsvd_bits(3, 6) | large_2m_rsvd;
5289
	rsvd_check->rsvd_bits_mask[0][0] = high_bits_rsvd;
5290

5291
	/* large page */
5292
	rsvd_check->rsvd_bits_mask[1][4] = rsvd_check->rsvd_bits_mask[0][4];
5293
	rsvd_check->rsvd_bits_mask[1][3] = rsvd_check->rsvd_bits_mask[0][3];
5294
	rsvd_check->rsvd_bits_mask[1][2] = high_bits_rsvd | rsvd_bits(12, 29) | large_1g_rsvd;
5295
	rsvd_check->rsvd_bits_mask[1][1] = high_bits_rsvd | rsvd_bits(12, 20) | large_2m_rsvd;
5296
	rsvd_check->rsvd_bits_mask[1][0] = rsvd_check->rsvd_bits_mask[0][0];
5297

5298
	bad_mt_xwr = 0xFFull << (2 * 8);	/* bits 3..5 must not be 2 */
5299
	bad_mt_xwr |= 0xFFull << (3 * 8);	/* bits 3..5 must not be 3 */
5300
	bad_mt_xwr |= 0xFFull << (7 * 8);	/* bits 3..5 must not be 7 */
5301
	bad_mt_xwr |= REPEAT_BYTE(1ull << 2);	/* bits 0..2 must not be 010 */
5302
	bad_mt_xwr |= REPEAT_BYTE(1ull << 6);	/* bits 0..2 must not be 110 */
5303
	if (!execonly) {
5304
		/* bits 0..2 must not be 100 unless VMX capabilities allow it */
5305
		bad_mt_xwr |= REPEAT_BYTE(1ull << 4);
5306
	}
5307
	rsvd_check->bad_mt_xwr = bad_mt_xwr;
5308
}
5309

5310
static void reset_rsvds_bits_mask_ept(struct kvm_vcpu *vcpu,
5311
		struct kvm_mmu *context, bool execonly, int huge_page_level)
5312
{
5313
	__reset_rsvds_bits_mask_ept(&context->guest_rsvd_check,
5314
				    vcpu->arch.reserved_gpa_bits, execonly,
5315
				    huge_page_level);
5316
}
5317

5318
static inline u64 reserved_hpa_bits(void)
5319
{
5320
	return rsvd_bits(kvm_host.maxphyaddr, 63);
5321
}
5322

5323
/*
5324
 * the page table on host is the shadow page table for the page
5325
 * table in guest or amd nested guest, its mmu features completely
5326
 * follow the features in guest.
5327
 */
5328
static void reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu,
5329
					struct kvm_mmu *context)
5330
{
5331
	/* @amd adds a check on bit of SPTEs, which KVM shouldn't use anyways. */
5332
	bool is_amd = true;
5333
	/* KVM doesn't use 2-level page tables for the shadow MMU. */
5334
	bool is_pse = false;
5335
	struct rsvd_bits_validate *shadow_zero_check;
5336
	int i;
5337

5338
	WARN_ON_ONCE(context->root_role.level < PT32E_ROOT_LEVEL);
5339

5340
	shadow_zero_check = &context->shadow_zero_check;
5341
	__reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
5342
				context->root_role.level,
5343
				context->root_role.efer_nx,
5344
				guest_cpu_cap_has(vcpu, X86_FEATURE_GBPAGES),
5345
				is_pse, is_amd);
5346

5347
	if (!shadow_me_mask)
5348
		return;
5349

5350
	for (i = context->root_role.level; --i >= 0;) {
5351
		/*
5352
		 * So far shadow_me_value is a constant during KVM's life
5353
		 * time.  Bits in shadow_me_value are allowed to be set.
5354
		 * Bits in shadow_me_mask but not in shadow_me_value are
5355
		 * not allowed to be set.
5356
		 */
5357
		shadow_zero_check->rsvd_bits_mask[0][i] |= shadow_me_mask;
5358
		shadow_zero_check->rsvd_bits_mask[1][i] |= shadow_me_mask;
5359
		shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_value;
5360
		shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_value;
5361
	}
5362

5363
}
5364

5365
static inline bool boot_cpu_is_amd(void)
5366
{
5367
	WARN_ON_ONCE(!tdp_enabled);
5368
	return shadow_x_mask == 0;
5369
}
5370

5371
/*
5372
 * the direct page table on host, use as much mmu features as
5373
 * possible, however, kvm currently does not do execution-protection.
5374
 */
5375
static void reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context)
5376
{
5377
	struct rsvd_bits_validate *shadow_zero_check;
5378
	int i;
5379

5380
	shadow_zero_check = &context->shadow_zero_check;
5381

5382
	if (boot_cpu_is_amd())
5383
		__reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
5384
					context->root_role.level, true,
5385
					boot_cpu_has(X86_FEATURE_GBPAGES),
5386
					false, true);
5387
	else
5388
		__reset_rsvds_bits_mask_ept(shadow_zero_check,
5389
					    reserved_hpa_bits(), false,
5390
					    max_huge_page_level);
5391

5392
	if (!shadow_me_mask)
5393
		return;
5394

5395
	for (i = context->root_role.level; --i >= 0;) {
5396
		shadow_zero_check->rsvd_bits_mask[0][i] &= ~shadow_me_mask;
5397
		shadow_zero_check->rsvd_bits_mask[1][i] &= ~shadow_me_mask;
5398
	}
5399
}
5400

5401
/*
5402
 * as the comments in reset_shadow_zero_bits_mask() except it
5403
 * is the shadow page table for intel nested guest.
5404
 */
5405
static void
5406
reset_ept_shadow_zero_bits_mask(struct kvm_mmu *context, bool execonly)
5407
{
5408
	__reset_rsvds_bits_mask_ept(&context->shadow_zero_check,
5409
				    reserved_hpa_bits(), execonly,
5410
				    max_huge_page_level);
5411
}
5412

5413
#define BYTE_MASK(access) \
5414
	((1 & (access) ? 2 : 0) | \
5415
	 (2 & (access) ? 4 : 0) | \
5416
	 (3 & (access) ? 8 : 0) | \
5417
	 (4 & (access) ? 16 : 0) | \
5418
	 (5 & (access) ? 32 : 0) | \
5419
	 (6 & (access) ? 64 : 0) | \
5420
	 (7 & (access) ? 128 : 0))
5421

5422

5423
static void update_permission_bitmask(struct kvm_mmu *mmu, bool ept)
5424
{
5425
	unsigned byte;
5426

5427
	const u8 x = BYTE_MASK(ACC_EXEC_MASK);
5428
	const u8 w = BYTE_MASK(ACC_WRITE_MASK);
5429
	const u8 u = BYTE_MASK(ACC_USER_MASK);
5430

5431
	bool cr4_smep = is_cr4_smep(mmu);
5432
	bool cr4_smap = is_cr4_smap(mmu);
5433
	bool cr0_wp = is_cr0_wp(mmu);
5434
	bool efer_nx = is_efer_nx(mmu);
5435

5436
	for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
5437
		unsigned pfec = byte << 1;
5438

5439
		/*
5440
		 * Each "*f" variable has a 1 bit for each UWX value
5441
		 * that causes a fault with the given PFEC.
5442
		 */
5443

5444
		/* Faults from writes to non-writable pages */
5445
		u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
5446
		/* Faults from user mode accesses to supervisor pages */
5447
		u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
5448
		/* Faults from fetches of non-executable pages*/
5449
		u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
5450
		/* Faults from kernel mode fetches of user pages */
5451
		u8 smepf = 0;
5452
		/* Faults from kernel mode accesses of user pages */
5453
		u8 smapf = 0;
5454

5455
		if (!ept) {
5456
			/* Faults from kernel mode accesses to user pages */
5457
			u8 kf = (pfec & PFERR_USER_MASK) ? 0 : u;
5458

5459
			/* Not really needed: !nx will cause pte.nx to fault */
5460
			if (!efer_nx)
5461
				ff = 0;
5462

5463
			/* Allow supervisor writes if !cr0.wp */
5464
			if (!cr0_wp)
5465
				wf = (pfec & PFERR_USER_MASK) ? wf : 0;
5466

5467
			/* Disallow supervisor fetches of user code if cr4.smep */
5468
			if (cr4_smep)
5469
				smepf = (pfec & PFERR_FETCH_MASK) ? kf : 0;
5470

5471
			/*
5472
			 * SMAP:kernel-mode data accesses from user-mode
5473
			 * mappings should fault. A fault is considered
5474
			 * as a SMAP violation if all of the following
5475
			 * conditions are true:
5476
			 *   - X86_CR4_SMAP is set in CR4
5477
			 *   - A user page is accessed
5478
			 *   - The access is not a fetch
5479
			 *   - The access is supervisor mode
5480
			 *   - If implicit supervisor access or X86_EFLAGS_AC is clear
5481
			 *
5482
			 * Here, we cover the first four conditions.
5483
			 * The fifth is computed dynamically in permission_fault();
5484
			 * PFERR_RSVD_MASK bit will be set in PFEC if the access is
5485
			 * *not* subject to SMAP restrictions.
5486
			 */
5487
			if (cr4_smap)
5488
				smapf = (pfec & (PFERR_RSVD_MASK|PFERR_FETCH_MASK)) ? 0 : kf;
5489
		}
5490

5491
		mmu->permissions[byte] = ff | uf | wf | smepf | smapf;
5492
	}
5493
}
5494

5495
/*
5496
* PKU is an additional mechanism by which the paging controls access to
5497
* user-mode addresses based on the value in the PKRU register.  Protection
5498
* key violations are reported through a bit in the page fault error code.
5499
* Unlike other bits of the error code, the PK bit is not known at the
5500
* call site of e.g. gva_to_gpa; it must be computed directly in
5501
* permission_fault based on two bits of PKRU, on some machine state (CR4,
5502
* CR0, EFER, CPL), and on other bits of the error code and the page tables.
5503
*
5504
* In particular the following conditions come from the error code, the
5505
* page tables and the machine state:
5506
* - PK is always zero unless CR4.PKE=1 and EFER.LMA=1
5507
* - PK is always zero if RSVD=1 (reserved bit set) or F=1 (instruction fetch)
5508
* - PK is always zero if U=0 in the page tables
5509
* - PKRU.WD is ignored if CR0.WP=0 and the access is a supervisor access.
5510
*
5511
* The PKRU bitmask caches the result of these four conditions.  The error
5512
* code (minus the P bit) and the page table's U bit form an index into the
5513
* PKRU bitmask.  Two bits of the PKRU bitmask are then extracted and ANDed
5514
* with the two bits of the PKRU register corresponding to the protection key.
5515
* For the first three conditions above the bits will be 00, thus masking
5516
* away both AD and WD.  For all reads or if the last condition holds, WD
5517
* only will be masked away.
5518
*/
5519
static void update_pkru_bitmask(struct kvm_mmu *mmu)
5520
{
5521
	unsigned bit;
5522
	bool wp;
5523

5524
	mmu->pkru_mask = 0;
5525

5526
	if (!is_cr4_pke(mmu))
5527
		return;
5528

5529
	wp = is_cr0_wp(mmu);
5530

5531
	for (bit = 0; bit < ARRAY_SIZE(mmu->permissions); ++bit) {
5532
		unsigned pfec, pkey_bits;
5533
		bool check_pkey, check_write, ff, uf, wf, pte_user;
5534

5535
		pfec = bit << 1;
5536
		ff = pfec & PFERR_FETCH_MASK;
5537
		uf = pfec & PFERR_USER_MASK;
5538
		wf = pfec & PFERR_WRITE_MASK;
5539

5540
		/* PFEC.RSVD is replaced by ACC_USER_MASK. */
5541
		pte_user = pfec & PFERR_RSVD_MASK;
5542

5543
		/*
5544
		 * Only need to check the access which is not an
5545
		 * instruction fetch and is to a user page.
5546
		 */
5547
		check_pkey = (!ff && pte_user);
5548
		/*
5549
		 * write access is controlled by PKRU if it is a
5550
		 * user access or CR0.WP = 1.
5551
		 */
5552
		check_write = check_pkey && wf && (uf || wp);
5553

5554
		/* PKRU.AD stops both read and write access. */
5555
		pkey_bits = !!check_pkey;
5556
		/* PKRU.WD stops write access. */
5557
		pkey_bits |= (!!check_write) << 1;
5558

5559
		mmu->pkru_mask |= (pkey_bits & 3) << pfec;
5560
	}
5561
}
5562

5563
static void reset_guest_paging_metadata(struct kvm_vcpu *vcpu,
5564
					struct kvm_mmu *mmu)
5565
{
5566
	if (!is_cr0_pg(mmu))
5567
		return;
5568

5569
	reset_guest_rsvds_bits_mask(vcpu, mmu);
5570
	update_permission_bitmask(mmu, false);
5571
	update_pkru_bitmask(mmu);
5572
}
5573

5574
static void paging64_init_context(struct kvm_mmu *context)
5575
{
5576
	context->page_fault = paging64_page_fault;
5577
	context->gva_to_gpa = paging64_gva_to_gpa;
5578
	context->sync_spte = paging64_sync_spte;
5579
}
5580

5581
static void paging32_init_context(struct kvm_mmu *context)
5582
{
5583
	context->page_fault = paging32_page_fault;
5584
	context->gva_to_gpa = paging32_gva_to_gpa;
5585
	context->sync_spte = paging32_sync_spte;
5586
}
5587

5588
static union kvm_cpu_role kvm_calc_cpu_role(struct kvm_vcpu *vcpu,
5589
					    const struct kvm_mmu_role_regs *regs)
5590
{
5591
	union kvm_cpu_role role = {0};
5592

5593
	role.base.access = ACC_ALL;
5594
	role.base.smm = is_smm(vcpu);
5595
	role.base.guest_mode = is_guest_mode(vcpu);
5596
	role.ext.valid = 1;
5597

5598
	if (!____is_cr0_pg(regs)) {
5599
		role.base.direct = 1;
5600
		return role;
5601
	}
5602

5603
	role.base.efer_nx = ____is_efer_nx(regs);
5604
	role.base.cr0_wp = ____is_cr0_wp(regs);
5605
	role.base.smep_andnot_wp = ____is_cr4_smep(regs) && !____is_cr0_wp(regs);
5606
	role.base.smap_andnot_wp = ____is_cr4_smap(regs) && !____is_cr0_wp(regs);
5607
	role.base.has_4_byte_gpte = !____is_cr4_pae(regs);
5608

5609
	if (____is_efer_lma(regs))
5610
		role.base.level = ____is_cr4_la57(regs) ? PT64_ROOT_5LEVEL
5611
							: PT64_ROOT_4LEVEL;
5612
	else if (____is_cr4_pae(regs))
5613
		role.base.level = PT32E_ROOT_LEVEL;
5614
	else
5615
		role.base.level = PT32_ROOT_LEVEL;
5616

5617
	role.ext.cr4_smep = ____is_cr4_smep(regs);
5618
	role.ext.cr4_smap = ____is_cr4_smap(regs);
5619
	role.ext.cr4_pse = ____is_cr4_pse(regs);
5620

5621
	/* PKEY and LA57 are active iff long mode is active. */
5622
	role.ext.cr4_pke = ____is_efer_lma(regs) && ____is_cr4_pke(regs);
5623
	role.ext.cr4_la57 = ____is_efer_lma(regs) && ____is_cr4_la57(regs);
5624
	role.ext.efer_lma = ____is_efer_lma(regs);
5625
	return role;
5626
}
5627

5628
void __kvm_mmu_refresh_passthrough_bits(struct kvm_vcpu *vcpu,
5629
					struct kvm_mmu *mmu)
5630
{
5631
	const bool cr0_wp = kvm_is_cr0_bit_set(vcpu, X86_CR0_WP);
5632

5633
	BUILD_BUG_ON((KVM_MMU_CR0_ROLE_BITS & KVM_POSSIBLE_CR0_GUEST_BITS) != X86_CR0_WP);
5634
	BUILD_BUG_ON((KVM_MMU_CR4_ROLE_BITS & KVM_POSSIBLE_CR4_GUEST_BITS));
5635

5636
	if (is_cr0_wp(mmu) == cr0_wp)
5637
		return;
5638

5639
	mmu->cpu_role.base.cr0_wp = cr0_wp;
5640
	reset_guest_paging_metadata(vcpu, mmu);
5641
}
5642

5643
static inline int kvm_mmu_get_tdp_level(struct kvm_vcpu *vcpu)
5644
{
5645
	int maxpa;
5646

5647
	if (vcpu->kvm->arch.vm_type == KVM_X86_TDX_VM)
5648
		maxpa = cpuid_query_maxguestphyaddr(vcpu);
5649
	else
5650
		maxpa = cpuid_maxphyaddr(vcpu);
5651

5652
	/* tdp_root_level is architecture forced level, use it if nonzero */
5653
	if (tdp_root_level)
5654
		return tdp_root_level;
5655

5656
	/* Use 5-level TDP if and only if it's useful/necessary. */
5657
	if (max_tdp_level == 5 && maxpa <= 48)
5658
		return 4;
5659

5660
	return max_tdp_level;
5661
}
5662

5663
u8 kvm_mmu_get_max_tdp_level(void)
5664
{
5665
	return tdp_root_level ? tdp_root_level : max_tdp_level;
5666
}
5667

5668
static union kvm_mmu_page_role
5669
kvm_calc_tdp_mmu_root_page_role(struct kvm_vcpu *vcpu,
5670
				union kvm_cpu_role cpu_role)
5671
{
5672
	union kvm_mmu_page_role role = {0};
5673

5674
	role.access = ACC_ALL;
5675
	role.cr0_wp = true;
5676
	role.efer_nx = true;
5677
	role.smm = cpu_role.base.smm;
5678
	role.guest_mode = cpu_role.base.guest_mode;
5679
	role.ad_disabled = !kvm_ad_enabled;
5680
	role.level = kvm_mmu_get_tdp_level(vcpu);
5681
	role.direct = true;
5682
	role.has_4_byte_gpte = false;
5683

5684
	return role;
5685
}
5686

5687
static void init_kvm_tdp_mmu(struct kvm_vcpu *vcpu,
5688
			     union kvm_cpu_role cpu_role)
5689
{
5690
	struct kvm_mmu *context = &vcpu->arch.root_mmu;
5691
	union kvm_mmu_page_role root_role = kvm_calc_tdp_mmu_root_page_role(vcpu, cpu_role);
5692

5693
	if (cpu_role.as_u64 == context->cpu_role.as_u64 &&
5694
	    root_role.word == context->root_role.word)
5695
		return;
5696

5697
	context->cpu_role.as_u64 = cpu_role.as_u64;
5698
	context->root_role.word = root_role.word;
5699
	context->page_fault = kvm_tdp_page_fault;
5700
	context->sync_spte = NULL;
5701
	context->get_guest_pgd = get_guest_cr3;
5702
	context->get_pdptr = kvm_pdptr_read;
5703
	context->inject_page_fault = kvm_inject_page_fault;
5704

5705
	if (!is_cr0_pg(context))
5706
		context->gva_to_gpa = nonpaging_gva_to_gpa;
5707
	else if (is_cr4_pae(context))
5708
		context->gva_to_gpa = paging64_gva_to_gpa;
5709
	else
5710
		context->gva_to_gpa = paging32_gva_to_gpa;
5711

5712
	reset_guest_paging_metadata(vcpu, context);
5713
	reset_tdp_shadow_zero_bits_mask(context);
5714
}
5715

5716
static void shadow_mmu_init_context(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
5717
				    union kvm_cpu_role cpu_role,
5718
				    union kvm_mmu_page_role root_role)
5719
{
5720
	if (cpu_role.as_u64 == context->cpu_role.as_u64 &&
5721
	    root_role.word == context->root_role.word)
5722
		return;
5723

5724
	context->cpu_role.as_u64 = cpu_role.as_u64;
5725
	context->root_role.word = root_role.word;
5726

5727
	if (!is_cr0_pg(context))
5728
		nonpaging_init_context(context);
5729
	else if (is_cr4_pae(context))
5730
		paging64_init_context(context);
5731
	else
5732
		paging32_init_context(context);
5733

5734
	reset_guest_paging_metadata(vcpu, context);
5735
	reset_shadow_zero_bits_mask(vcpu, context);
5736
}
5737

5738
static void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu,
5739
				union kvm_cpu_role cpu_role)
5740
{
5741
	struct kvm_mmu *context = &vcpu->arch.root_mmu;
5742
	union kvm_mmu_page_role root_role;
5743

5744
	root_role = cpu_role.base;
5745

5746
	/* KVM uses PAE paging whenever the guest isn't using 64-bit paging. */
5747
	root_role.level = max_t(u32, root_role.level, PT32E_ROOT_LEVEL);
5748

5749
	/*
5750
	 * KVM forces EFER.NX=1 when TDP is disabled, reflect it in the MMU role.
5751
	 * KVM uses NX when TDP is disabled to handle a variety of scenarios,
5752
	 * notably for huge SPTEs if iTLB multi-hit mitigation is enabled and
5753
	 * to generate correct permissions for CR0.WP=0/CR4.SMEP=1/EFER.NX=0.
5754
	 * The iTLB multi-hit workaround can be toggled at any time, so assume
5755
	 * NX can be used by any non-nested shadow MMU to avoid having to reset
5756
	 * MMU contexts.
5757
	 */
5758
	root_role.efer_nx = true;
5759

5760
	shadow_mmu_init_context(vcpu, context, cpu_role, root_role);
5761
}
5762

5763
void kvm_init_shadow_npt_mmu(struct kvm_vcpu *vcpu, unsigned long cr0,
5764
			     unsigned long cr4, u64 efer, gpa_t nested_cr3)
5765
{
5766
	struct kvm_mmu *context = &vcpu->arch.guest_mmu;
5767
	struct kvm_mmu_role_regs regs = {
5768
		.cr0 = cr0,
5769
		.cr4 = cr4 & ~X86_CR4_PKE,
5770
		.efer = efer,
5771
	};
5772
	union kvm_cpu_role cpu_role = kvm_calc_cpu_role(vcpu, &regs);
5773
	union kvm_mmu_page_role root_role;
5774

5775
	/* NPT requires CR0.PG=1. */
5776
	WARN_ON_ONCE(cpu_role.base.direct || !cpu_role.base.guest_mode);
5777

5778
	root_role = cpu_role.base;
5779
	root_role.level = kvm_mmu_get_tdp_level(vcpu);
5780
	if (root_role.level == PT64_ROOT_5LEVEL &&
5781
	    cpu_role.base.level == PT64_ROOT_4LEVEL)
5782
		root_role.passthrough = 1;
5783

5784
	shadow_mmu_init_context(vcpu, context, cpu_role, root_role);
5785
	kvm_mmu_new_pgd(vcpu, nested_cr3);
5786
}
5787
EXPORT_SYMBOL_GPL(kvm_init_shadow_npt_mmu);
5788

5789
static union kvm_cpu_role
5790
kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
5791
				   bool execonly, u8 level)
5792
{
5793
	union kvm_cpu_role role = {0};
5794

5795
	/*
5796
	 * KVM does not support SMM transfer monitors, and consequently does not
5797
	 * support the "entry to SMM" control either.  role.base.smm is always 0.
5798
	 */
5799
	WARN_ON_ONCE(is_smm(vcpu));
5800
	role.base.level = level;
5801
	role.base.has_4_byte_gpte = false;
5802
	role.base.direct = false;
5803
	role.base.ad_disabled = !accessed_dirty;
5804
	role.base.guest_mode = true;
5805
	role.base.access = ACC_ALL;
5806

5807
	role.ext.word = 0;
5808
	role.ext.execonly = execonly;
5809
	role.ext.valid = 1;
5810

5811
	return role;
5812
}
5813

5814
void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
5815
			     int huge_page_level, bool accessed_dirty,
5816
			     gpa_t new_eptp)
5817
{
5818
	struct kvm_mmu *context = &vcpu->arch.guest_mmu;
5819
	u8 level = vmx_eptp_page_walk_level(new_eptp);
5820
	union kvm_cpu_role new_mode =
5821
		kvm_calc_shadow_ept_root_page_role(vcpu, accessed_dirty,
5822
						   execonly, level);
5823

5824
	if (new_mode.as_u64 != context->cpu_role.as_u64) {
5825
		/* EPT, and thus nested EPT, does not consume CR0, CR4, nor EFER. */
5826
		context->cpu_role.as_u64 = new_mode.as_u64;
5827
		context->root_role.word = new_mode.base.word;
5828

5829
		context->page_fault = ept_page_fault;
5830
		context->gva_to_gpa = ept_gva_to_gpa;
5831
		context->sync_spte = ept_sync_spte;
5832

5833
		update_permission_bitmask(context, true);
5834
		context->pkru_mask = 0;
5835
		reset_rsvds_bits_mask_ept(vcpu, context, execonly, huge_page_level);
5836
		reset_ept_shadow_zero_bits_mask(context, execonly);
5837
	}
5838

5839
	kvm_mmu_new_pgd(vcpu, new_eptp);
5840
}
5841
EXPORT_SYMBOL_GPL(kvm_init_shadow_ept_mmu);
5842

5843
static void init_kvm_softmmu(struct kvm_vcpu *vcpu,
5844
			     union kvm_cpu_role cpu_role)
5845
{
5846
	struct kvm_mmu *context = &vcpu->arch.root_mmu;
5847

5848
	kvm_init_shadow_mmu(vcpu, cpu_role);
5849

5850
	context->get_guest_pgd     = get_guest_cr3;
5851
	context->get_pdptr         = kvm_pdptr_read;
5852
	context->inject_page_fault = kvm_inject_page_fault;
5853
}
5854

5855
static void init_kvm_nested_mmu(struct kvm_vcpu *vcpu,
5856
				union kvm_cpu_role new_mode)
5857
{
5858
	struct kvm_mmu *g_context = &vcpu->arch.nested_mmu;
5859

5860
	if (new_mode.as_u64 == g_context->cpu_role.as_u64)
5861
		return;
5862

5863
	g_context->cpu_role.as_u64   = new_mode.as_u64;
5864
	g_context->get_guest_pgd     = get_guest_cr3;
5865
	g_context->get_pdptr         = kvm_pdptr_read;
5866
	g_context->inject_page_fault = kvm_inject_page_fault;
5867

5868
	/*
5869
	 * L2 page tables are never shadowed, so there is no need to sync
5870
	 * SPTEs.
5871
	 */
5872
	g_context->sync_spte         = NULL;
5873

5874
	/*
5875
	 * Note that arch.mmu->gva_to_gpa translates l2_gpa to l1_gpa using
5876
	 * L1's nested page tables (e.g. EPT12). The nested translation
5877
	 * of l2_gva to l1_gpa is done by arch.nested_mmu.gva_to_gpa using
5878
	 * L2's page tables as the first level of translation and L1's
5879
	 * nested page tables as the second level of translation. Basically
5880
	 * the gva_to_gpa functions between mmu and nested_mmu are swapped.
5881
	 */
5882
	if (!is_paging(vcpu))
5883
		g_context->gva_to_gpa = nonpaging_gva_to_gpa;
5884
	else if (is_long_mode(vcpu))
5885
		g_context->gva_to_gpa = paging64_gva_to_gpa;
5886
	else if (is_pae(vcpu))
5887
		g_context->gva_to_gpa = paging64_gva_to_gpa;
5888
	else
5889
		g_context->gva_to_gpa = paging32_gva_to_gpa;
5890

5891
	reset_guest_paging_metadata(vcpu, g_context);
5892
}
5893

5894
void kvm_init_mmu(struct kvm_vcpu *vcpu)
5895
{
5896
	struct kvm_mmu_role_regs regs = vcpu_to_role_regs(vcpu);
5897
	union kvm_cpu_role cpu_role = kvm_calc_cpu_role(vcpu, &regs);
5898

5899
	if (mmu_is_nested(vcpu))
5900
		init_kvm_nested_mmu(vcpu, cpu_role);
5901
	else if (tdp_enabled)
5902
		init_kvm_tdp_mmu(vcpu, cpu_role);
5903
	else
5904
		init_kvm_softmmu(vcpu, cpu_role);
5905
}
5906
EXPORT_SYMBOL_GPL(kvm_init_mmu);
5907

5908
void kvm_mmu_after_set_cpuid(struct kvm_vcpu *vcpu)
5909
{
5910
	/*
5911
	 * Invalidate all MMU roles to force them to reinitialize as CPUID
5912
	 * information is factored into reserved bit calculations.
5913
	 *
5914
	 * Correctly handling multiple vCPU models with respect to paging and
5915
	 * physical address properties) in a single VM would require tracking
5916
	 * all relevant CPUID information in kvm_mmu_page_role. That is very
5917
	 * undesirable as it would increase the memory requirements for
5918
	 * gfn_write_track (see struct kvm_mmu_page_role comments).  For now
5919
	 * that problem is swept under the rug; KVM's CPUID API is horrific and
5920
	 * it's all but impossible to solve it without introducing a new API.
5921
	 */
5922
	vcpu->arch.root_mmu.root_role.invalid = 1;
5923
	vcpu->arch.guest_mmu.root_role.invalid = 1;
5924
	vcpu->arch.nested_mmu.root_role.invalid = 1;
5925
	vcpu->arch.root_mmu.cpu_role.ext.valid = 0;
5926
	vcpu->arch.guest_mmu.cpu_role.ext.valid = 0;
5927
	vcpu->arch.nested_mmu.cpu_role.ext.valid = 0;
5928
	kvm_mmu_reset_context(vcpu);
5929

5930
	/*
5931
	 * Changing guest CPUID after KVM_RUN is forbidden, see the comment in
5932
	 * kvm_arch_vcpu_ioctl().
5933
	 */
5934
	KVM_BUG_ON(kvm_vcpu_has_run(vcpu), vcpu->kvm);
5935
}
5936

5937
void kvm_mmu_reset_context(struct kvm_vcpu *vcpu)
5938
{
5939
	kvm_mmu_unload(vcpu);
5940
	kvm_init_mmu(vcpu);
5941
}
5942
EXPORT_SYMBOL_GPL(kvm_mmu_reset_context);
5943

5944
int kvm_mmu_load(struct kvm_vcpu *vcpu)
5945
{
5946
	int r;
5947

5948
	r = mmu_topup_memory_caches(vcpu, !vcpu->arch.mmu->root_role.direct);
5949
	if (r)
5950
		goto out;
5951
	r = mmu_alloc_special_roots(vcpu);
5952
	if (r)
5953
		goto out;
5954
	if (vcpu->arch.mmu->root_role.direct)
5955
		r = mmu_alloc_direct_roots(vcpu);
5956
	else
5957
		r = mmu_alloc_shadow_roots(vcpu);
5958
	if (r)
5959
		goto out;
5960

5961
	kvm_mmu_sync_roots(vcpu);
5962

5963
	kvm_mmu_load_pgd(vcpu);
5964

5965
	/*
5966
	 * Flush any TLB entries for the new root, the provenance of the root
5967
	 * is unknown.  Even if KVM ensures there are no stale TLB entries
5968
	 * for a freed root, in theory another hypervisor could have left
5969
	 * stale entries.  Flushing on alloc also allows KVM to skip the TLB
5970
	 * flush when freeing a root (see kvm_tdp_mmu_put_root()).
5971
	 */
5972
	kvm_x86_call(flush_tlb_current)(vcpu);
5973
out:
5974
	return r;
5975
}
5976
EXPORT_SYMBOL_GPL(kvm_mmu_load);
5977

5978
void kvm_mmu_unload(struct kvm_vcpu *vcpu)
5979
{
5980
	struct kvm *kvm = vcpu->kvm;
5981

5982
	kvm_mmu_free_roots(kvm, &vcpu->arch.root_mmu, KVM_MMU_ROOTS_ALL);
5983
	WARN_ON_ONCE(VALID_PAGE(vcpu->arch.root_mmu.root.hpa));
5984
	kvm_mmu_free_roots(kvm, &vcpu->arch.guest_mmu, KVM_MMU_ROOTS_ALL);
5985
	WARN_ON_ONCE(VALID_PAGE(vcpu->arch.guest_mmu.root.hpa));
5986
	vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
5987
}
5988

5989
static bool is_obsolete_root(struct kvm *kvm, hpa_t root_hpa)
5990
{
5991
	struct kvm_mmu_page *sp;
5992

5993
	if (!VALID_PAGE(root_hpa))
5994
		return false;
5995

5996
	/*
5997
	 * When freeing obsolete roots, treat roots as obsolete if they don't
5998
	 * have an associated shadow page, as it's impossible to determine if
5999
	 * such roots are fresh or stale.  This does mean KVM will get false
6000
	 * positives and free roots that don't strictly need to be freed, but
6001
	 * such false positives are relatively rare:
6002
	 *
6003
	 *  (a) only PAE paging and nested NPT have roots without shadow pages
6004
	 *      (or any shadow paging flavor with a dummy root, see note below)
6005
	 *  (b) remote reloads due to a memslot update obsoletes _all_ roots
6006
	 *  (c) KVM doesn't track previous roots for PAE paging, and the guest
6007
	 *      is unlikely to zap an in-use PGD.
6008
	 *
6009
	 * Note!  Dummy roots are unique in that they are obsoleted by memslot
6010
	 * _creation_!  See also FNAME(fetch).
6011
	 */
6012
	sp = root_to_sp(root_hpa);
6013
	return !sp || is_obsolete_sp(kvm, sp);
6014
}
6015

6016
static void __kvm_mmu_free_obsolete_roots(struct kvm *kvm, struct kvm_mmu *mmu)
6017
{
6018
	unsigned long roots_to_free = 0;
6019
	int i;
6020

6021
	if (is_obsolete_root(kvm, mmu->root.hpa))
6022
		roots_to_free |= KVM_MMU_ROOT_CURRENT;
6023

6024
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
6025
		if (is_obsolete_root(kvm, mmu->prev_roots[i].hpa))
6026
			roots_to_free |= KVM_MMU_ROOT_PREVIOUS(i);
6027
	}
6028

6029
	if (roots_to_free)
6030
		kvm_mmu_free_roots(kvm, mmu, roots_to_free);
6031
}
6032

6033
void kvm_mmu_free_obsolete_roots(struct kvm_vcpu *vcpu)
6034
{
6035
	__kvm_mmu_free_obsolete_roots(vcpu->kvm, &vcpu->arch.root_mmu);
6036
	__kvm_mmu_free_obsolete_roots(vcpu->kvm, &vcpu->arch.guest_mmu);
6037
}
6038
EXPORT_SYMBOL_GPL(kvm_mmu_free_obsolete_roots);
6039

6040
static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
6041
				    int *bytes)
6042
{
6043
	u64 gentry = 0;
6044
	int r;
6045

6046
	/*
6047
	 * Assume that the pte write on a page table of the same type
6048
	 * as the current vcpu paging mode since we update the sptes only
6049
	 * when they have the same mode.
6050
	 */
6051
	if (is_pae(vcpu) && *bytes == 4) {
6052
		/* Handle a 32-bit guest writing two halves of a 64-bit gpte */
6053
		*gpa &= ~(gpa_t)7;
6054
		*bytes = 8;
6055
	}
6056

6057
	if (*bytes == 4 || *bytes == 8) {
6058
		r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes);
6059
		if (r)
6060
			gentry = 0;
6061
	}
6062

6063
	return gentry;
6064
}
6065

6066
/*
6067
 * If we're seeing too many writes to a page, it may no longer be a page table,
6068
 * or we may be forking, in which case it is better to unmap the page.
6069
 */
6070
static bool detect_write_flooding(struct kvm_mmu_page *sp)
6071
{
6072
	/*
6073
	 * Skip write-flooding detected for the sp whose level is 1, because
6074
	 * it can become unsync, then the guest page is not write-protected.
6075
	 */
6076
	if (sp->role.level == PG_LEVEL_4K)
6077
		return false;
6078

6079
	atomic_inc(&sp->write_flooding_count);
6080
	return atomic_read(&sp->write_flooding_count) >= 3;
6081
}
6082

6083
/*
6084
 * Misaligned accesses are too much trouble to fix up; also, they usually
6085
 * indicate a page is not used as a page table.
6086
 */
6087
static bool detect_write_misaligned(struct kvm_mmu_page *sp, gpa_t gpa,
6088
				    int bytes)
6089
{
6090
	unsigned offset, pte_size, misaligned;
6091

6092
	offset = offset_in_page(gpa);
6093
	pte_size = sp->role.has_4_byte_gpte ? 4 : 8;
6094

6095
	/*
6096
	 * Sometimes, the OS only writes the last one bytes to update status
6097
	 * bits, for example, in linux, andb instruction is used in clear_bit().
6098
	 */
6099
	if (!(offset & (pte_size - 1)) && bytes == 1)
6100
		return false;
6101

6102
	misaligned = (offset ^ (offset + bytes - 1)) & ~(pte_size - 1);
6103
	misaligned |= bytes < 4;
6104

6105
	return misaligned;
6106
}
6107

6108
static u64 *get_written_sptes(struct kvm_mmu_page *sp, gpa_t gpa, int *nspte)
6109
{
6110
	unsigned page_offset, quadrant;
6111
	u64 *spte;
6112
	int level;
6113

6114
	page_offset = offset_in_page(gpa);
6115
	level = sp->role.level;
6116
	*nspte = 1;
6117
	if (sp->role.has_4_byte_gpte) {
6118
		page_offset <<= 1;	/* 32->64 */
6119
		/*
6120
		 * A 32-bit pde maps 4MB while the shadow pdes map
6121
		 * only 2MB.  So we need to double the offset again
6122
		 * and zap two pdes instead of one.
6123
		 */
6124
		if (level == PT32_ROOT_LEVEL) {
6125
			page_offset &= ~7; /* kill rounding error */
6126
			page_offset <<= 1;
6127
			*nspte = 2;
6128
		}
6129
		quadrant = page_offset >> PAGE_SHIFT;
6130
		page_offset &= ~PAGE_MASK;
6131
		if (quadrant != sp->role.quadrant)
6132
			return NULL;
6133
	}
6134

6135
	spte = &sp->spt[page_offset / sizeof(*spte)];
6136
	return spte;
6137
}
6138

6139
void kvm_mmu_track_write(struct kvm_vcpu *vcpu, gpa_t gpa, const u8 *new,
6140
			 int bytes)
6141
{
6142
	gfn_t gfn = gpa >> PAGE_SHIFT;
6143
	struct kvm_mmu_page *sp;
6144
	LIST_HEAD(invalid_list);
6145
	u64 entry, gentry, *spte;
6146
	int npte;
6147
	bool flush = false;
6148

6149
	/*
6150
	 * When emulating guest writes, ensure the written value is visible to
6151
	 * any task that is handling page faults before checking whether or not
6152
	 * KVM is shadowing a guest PTE.  This ensures either KVM will create
6153
	 * the correct SPTE in the page fault handler, or this task will see
6154
	 * a non-zero indirect_shadow_pages.  Pairs with the smp_mb() in
6155
	 * account_shadowed().
6156
	 */
6157
	smp_mb();
6158
	if (!vcpu->kvm->arch.indirect_shadow_pages)
6159
		return;
6160

6161
	write_lock(&vcpu->kvm->mmu_lock);
6162

6163
	gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
6164

6165
	++vcpu->kvm->stat.mmu_pte_write;
6166

6167
	for_each_gfn_valid_sp_with_gptes(vcpu->kvm, sp, gfn) {
6168
		if (detect_write_misaligned(sp, gpa, bytes) ||
6169
		      detect_write_flooding(sp)) {
6170
			kvm_mmu_prepare_zap_page(vcpu->kvm, sp, &invalid_list);
6171
			++vcpu->kvm->stat.mmu_flooded;
6172
			continue;
6173
		}
6174

6175
		spte = get_written_sptes(sp, gpa, &npte);
6176
		if (!spte)
6177
			continue;
6178

6179
		while (npte--) {
6180
			entry = *spte;
6181
			mmu_page_zap_pte(vcpu->kvm, sp, spte, NULL);
6182
			if (gentry && sp->role.level != PG_LEVEL_4K)
6183
				++vcpu->kvm->stat.mmu_pde_zapped;
6184
			if (is_shadow_present_pte(entry))
6185
				flush = true;
6186
			++spte;
6187
		}
6188
	}
6189
	kvm_mmu_remote_flush_or_zap(vcpu->kvm, &invalid_list, flush);
6190
	write_unlock(&vcpu->kvm->mmu_lock);
6191
}
6192

6193
static bool is_write_to_guest_page_table(u64 error_code)
6194
{
6195
	const u64 mask = PFERR_GUEST_PAGE_MASK | PFERR_WRITE_MASK | PFERR_PRESENT_MASK;
6196

6197
	return (error_code & mask) == mask;
6198
}
6199

6200
static int kvm_mmu_write_protect_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
6201
				       u64 error_code, int *emulation_type)
6202
{
6203
	bool direct = vcpu->arch.mmu->root_role.direct;
6204

6205
	/*
6206
	 * Do not try to unprotect and retry if the vCPU re-faulted on the same
6207
	 * RIP with the same address that was previously unprotected, as doing
6208
	 * so will likely put the vCPU into an infinite.  E.g. if the vCPU uses
6209
	 * a non-page-table modifying instruction on the PDE that points to the
6210
	 * instruction, then unprotecting the gfn will unmap the instruction's
6211
	 * code, i.e. make it impossible for the instruction to ever complete.
6212
	 */
6213
	if (vcpu->arch.last_retry_eip == kvm_rip_read(vcpu) &&
6214
	    vcpu->arch.last_retry_addr == cr2_or_gpa)
6215
		return RET_PF_EMULATE;
6216

6217
	/*
6218
	 * Reset the unprotect+retry values that guard against infinite loops.
6219
	 * The values will be refreshed if KVM explicitly unprotects a gfn and
6220
	 * retries, in all other cases it's safe to retry in the future even if
6221
	 * the next page fault happens on the same RIP+address.
6222
	 */
6223
	vcpu->arch.last_retry_eip = 0;
6224
	vcpu->arch.last_retry_addr = 0;
6225

6226
	/*
6227
	 * It should be impossible to reach this point with an MMIO cache hit,
6228
	 * as RET_PF_WRITE_PROTECTED is returned if and only if there's a valid,
6229
	 * writable memslot, and creating a memslot should invalidate the MMIO
6230
	 * cache by way of changing the memslot generation.  WARN and disallow
6231
	 * retry if MMIO is detected, as retrying MMIO emulation is pointless
6232
	 * and could put the vCPU into an infinite loop because the processor
6233
	 * will keep faulting on the non-existent MMIO address.
6234
	 */
6235
	if (WARN_ON_ONCE(mmio_info_in_cache(vcpu, cr2_or_gpa, direct)))
6236
		return RET_PF_EMULATE;
6237

6238
	/*
6239
	 * Before emulating the instruction, check to see if the access was due
6240
	 * to a read-only violation while the CPU was walking non-nested NPT
6241
	 * page tables, i.e. for a direct MMU, for _guest_ page tables in L1.
6242
	 * If L1 is sharing (a subset of) its page tables with L2, e.g. by
6243
	 * having nCR3 share lower level page tables with hCR3, then when KVM
6244
	 * (L0) write-protects the nested NPTs, i.e. npt12 entries, KVM is also
6245
	 * unknowingly write-protecting L1's guest page tables, which KVM isn't
6246
	 * shadowing.
6247
	 *
6248
	 * Because the CPU (by default) walks NPT page tables using a write
6249
	 * access (to ensure the CPU can do A/D updates), page walks in L1 can
6250
	 * trigger write faults for the above case even when L1 isn't modifying
6251
	 * PTEs.  As a result, KVM will unnecessarily emulate (or at least, try
6252
	 * to emulate) an excessive number of L1 instructions; because L1's MMU
6253
	 * isn't shadowed by KVM, there is no need to write-protect L1's gPTEs
6254
	 * and thus no need to emulate in order to guarantee forward progress.
6255
	 *
6256
	 * Try to unprotect the gfn, i.e. zap any shadow pages, so that L1 can
6257
	 * proceed without triggering emulation.  If one or more shadow pages
6258
	 * was zapped, skip emulation and resume L1 to let it natively execute
6259
	 * the instruction.  If no shadow pages were zapped, then the write-
6260
	 * fault is due to something else entirely, i.e. KVM needs to emulate,
6261
	 * as resuming the guest will put it into an infinite loop.
6262
	 *
6263
	 * Note, this code also applies to Intel CPUs, even though it is *very*
6264
	 * unlikely that an L1 will share its page tables (IA32/PAE/paging64
6265
	 * format) with L2's page tables (EPT format).
6266
	 *
6267
	 * For indirect MMUs, i.e. if KVM is shadowing the current MMU, try to
6268
	 * unprotect the gfn and retry if an event is awaiting reinjection.  If
6269
	 * KVM emulates multiple instructions before completing event injection,
6270
	 * the event could be delayed beyond what is architecturally allowed,
6271
	 * e.g. KVM could inject an IRQ after the TPR has been raised.
6272
	 */
6273
	if (((direct && is_write_to_guest_page_table(error_code)) ||
6274
	     (!direct && kvm_event_needs_reinjection(vcpu))) &&
6275
	    kvm_mmu_unprotect_gfn_and_retry(vcpu, cr2_or_gpa))
6276
		return RET_PF_RETRY;
6277

6278
	/*
6279
	 * The gfn is write-protected, but if KVM detects its emulating an
6280
	 * instruction that is unlikely to be used to modify page tables, or if
6281
	 * emulation fails, KVM can try to unprotect the gfn and let the CPU
6282
	 * re-execute the instruction that caused the page fault.  Do not allow
6283
	 * retrying an instruction from a nested guest as KVM is only explicitly
6284
	 * shadowing L1's page tables, i.e. unprotecting something for L1 isn't
6285
	 * going to magically fix whatever issue caused L2 to fail.
6286
	 */
6287
	if (!is_guest_mode(vcpu))
6288
		*emulation_type |= EMULTYPE_ALLOW_RETRY_PF;
6289

6290
	return RET_PF_EMULATE;
6291
}
6292

6293
int noinline kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
6294
		       void *insn, int insn_len)
6295
{
6296
	int r, emulation_type = EMULTYPE_PF;
6297
	bool direct = vcpu->arch.mmu->root_role.direct;
6298

6299
	if (WARN_ON_ONCE(!VALID_PAGE(vcpu->arch.mmu->root.hpa)))
6300
		return RET_PF_RETRY;
6301

6302
	/*
6303
	 * Except for reserved faults (emulated MMIO is shared-only), set the
6304
	 * PFERR_PRIVATE_ACCESS flag for software-protected VMs based on the gfn's
6305
	 * current attributes, which are the source of truth for such VMs.  Note,
6306
	 * this wrong for nested MMUs as the GPA is an L2 GPA, but KVM doesn't
6307
	 * currently supported nested virtualization (among many other things)
6308
	 * for software-protected VMs.
6309
	 */
6310
	if (IS_ENABLED(CONFIG_KVM_SW_PROTECTED_VM) &&
6311
	    !(error_code & PFERR_RSVD_MASK) &&
6312
	    vcpu->kvm->arch.vm_type == KVM_X86_SW_PROTECTED_VM &&
6313
	    kvm_mem_is_private(vcpu->kvm, gpa_to_gfn(cr2_or_gpa)))
6314
		error_code |= PFERR_PRIVATE_ACCESS;
6315

6316
	r = RET_PF_INVALID;
6317
	if (unlikely(error_code & PFERR_RSVD_MASK)) {
6318
		if (WARN_ON_ONCE(error_code & PFERR_PRIVATE_ACCESS))
6319
			return -EFAULT;
6320

6321
		r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
6322
		if (r == RET_PF_EMULATE)
6323
			goto emulate;
6324
	}
6325

6326
	if (r == RET_PF_INVALID) {
6327
		vcpu->stat.pf_taken++;
6328

6329
		r = kvm_mmu_do_page_fault(vcpu, cr2_or_gpa, error_code, false,
6330
					  &emulation_type, NULL);
6331
		if (KVM_BUG_ON(r == RET_PF_INVALID, vcpu->kvm))
6332
			return -EIO;
6333
	}
6334

6335
	if (r < 0)
6336
		return r;
6337

6338
	if (r == RET_PF_WRITE_PROTECTED)
6339
		r = kvm_mmu_write_protect_fault(vcpu, cr2_or_gpa, error_code,
6340
						&emulation_type);
6341

6342
	if (r == RET_PF_FIXED)
6343
		vcpu->stat.pf_fixed++;
6344
	else if (r == RET_PF_EMULATE)
6345
		vcpu->stat.pf_emulate++;
6346
	else if (r == RET_PF_SPURIOUS)
6347
		vcpu->stat.pf_spurious++;
6348

6349
	/*
6350
	 * None of handle_mmio_page_fault(), kvm_mmu_do_page_fault(), or
6351
	 * kvm_mmu_write_protect_fault() return RET_PF_CONTINUE.
6352
	 * kvm_mmu_do_page_fault() only uses RET_PF_CONTINUE internally to
6353
	 * indicate continuing the page fault handling until to the final
6354
	 * page table mapping phase.
6355
	 */
6356
	WARN_ON_ONCE(r == RET_PF_CONTINUE);
6357
	if (r != RET_PF_EMULATE)
6358
		return r;
6359

6360
emulate:
6361
	return x86_emulate_instruction(vcpu, cr2_or_gpa, emulation_type, insn,
6362
				       insn_len);
6363
}
6364
EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
6365

6366
void kvm_mmu_print_sptes(struct kvm_vcpu *vcpu, gpa_t gpa, const char *msg)
6367
{
6368
	u64 sptes[PT64_ROOT_MAX_LEVEL + 1];
6369
	int root_level, leaf, level;
6370

6371
	leaf = get_sptes_lockless(vcpu, gpa, sptes, &root_level);
6372
	if (unlikely(leaf < 0))
6373
		return;
6374

6375
	pr_err("%s %llx", msg, gpa);
6376
	for (level = root_level; level >= leaf; level--)
6377
		pr_cont(", spte[%d] = 0x%llx", level, sptes[level]);
6378
	pr_cont("\n");
6379
}
6380
EXPORT_SYMBOL_GPL(kvm_mmu_print_sptes);
6381

6382
static void __kvm_mmu_invalidate_addr(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
6383
				      u64 addr, hpa_t root_hpa)
6384
{
6385
	struct kvm_shadow_walk_iterator iterator;
6386

6387
	vcpu_clear_mmio_info(vcpu, addr);
6388

6389
	/*
6390
	 * Walking and synchronizing SPTEs both assume they are operating in
6391
	 * the context of the current MMU, and would need to be reworked if
6392
	 * this is ever used to sync the guest_mmu, e.g. to emulate INVEPT.
6393
	 */
6394
	if (WARN_ON_ONCE(mmu != vcpu->arch.mmu))
6395
		return;
6396

6397
	if (!VALID_PAGE(root_hpa))
6398
		return;
6399

6400
	write_lock(&vcpu->kvm->mmu_lock);
6401
	for_each_shadow_entry_using_root(vcpu, root_hpa, addr, iterator) {
6402
		struct kvm_mmu_page *sp = sptep_to_sp(iterator.sptep);
6403

6404
		if (sp->unsync) {
6405
			int ret = kvm_sync_spte(vcpu, sp, iterator.index);
6406

6407
			if (ret < 0)
6408
				mmu_page_zap_pte(vcpu->kvm, sp, iterator.sptep, NULL);
6409
			if (ret)
6410
				kvm_flush_remote_tlbs_sptep(vcpu->kvm, iterator.sptep);
6411
		}
6412

6413
		if (!sp->unsync_children)
6414
			break;
6415
	}
6416
	write_unlock(&vcpu->kvm->mmu_lock);
6417
}
6418

6419
void kvm_mmu_invalidate_addr(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
6420
			     u64 addr, unsigned long roots)
6421
{
6422
	int i;
6423

6424
	WARN_ON_ONCE(roots & ~KVM_MMU_ROOTS_ALL);
6425

6426
	/* It's actually a GPA for vcpu->arch.guest_mmu.  */
6427
	if (mmu != &vcpu->arch.guest_mmu) {
6428
		/* INVLPG on a non-canonical address is a NOP according to the SDM.  */
6429
		if (is_noncanonical_invlpg_address(addr, vcpu))
6430
			return;
6431

6432
		kvm_x86_call(flush_tlb_gva)(vcpu, addr);
6433
	}
6434

6435
	if (!mmu->sync_spte)
6436
		return;
6437

6438
	if (roots & KVM_MMU_ROOT_CURRENT)
6439
		__kvm_mmu_invalidate_addr(vcpu, mmu, addr, mmu->root.hpa);
6440

6441
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
6442
		if (roots & KVM_MMU_ROOT_PREVIOUS(i))
6443
			__kvm_mmu_invalidate_addr(vcpu, mmu, addr, mmu->prev_roots[i].hpa);
6444
	}
6445
}
6446
EXPORT_SYMBOL_GPL(kvm_mmu_invalidate_addr);
6447

6448
void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva)
6449
{
6450
	/*
6451
	 * INVLPG is required to invalidate any global mappings for the VA,
6452
	 * irrespective of PCID.  Blindly sync all roots as it would take
6453
	 * roughly the same amount of work/time to determine whether any of the
6454
	 * previous roots have a global mapping.
6455
	 *
6456
	 * Mappings not reachable via the current or previous cached roots will
6457
	 * be synced when switching to that new cr3, so nothing needs to be
6458
	 * done here for them.
6459
	 */
6460
	kvm_mmu_invalidate_addr(vcpu, vcpu->arch.walk_mmu, gva, KVM_MMU_ROOTS_ALL);
6461
	++vcpu->stat.invlpg;
6462
}
6463
EXPORT_SYMBOL_GPL(kvm_mmu_invlpg);
6464

6465

6466
void kvm_mmu_invpcid_gva(struct kvm_vcpu *vcpu, gva_t gva, unsigned long pcid)
6467
{
6468
	struct kvm_mmu *mmu = vcpu->arch.mmu;
6469
	unsigned long roots = 0;
6470
	uint i;
6471

6472
	if (pcid == kvm_get_active_pcid(vcpu))
6473
		roots |= KVM_MMU_ROOT_CURRENT;
6474

6475
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++) {
6476
		if (VALID_PAGE(mmu->prev_roots[i].hpa) &&
6477
		    pcid == kvm_get_pcid(vcpu, mmu->prev_roots[i].pgd))
6478
			roots |= KVM_MMU_ROOT_PREVIOUS(i);
6479
	}
6480

6481
	if (roots)
6482
		kvm_mmu_invalidate_addr(vcpu, mmu, gva, roots);
6483
	++vcpu->stat.invlpg;
6484

6485
	/*
6486
	 * Mappings not reachable via the current cr3 or the prev_roots will be
6487
	 * synced when switching to that cr3, so nothing needs to be done here
6488
	 * for them.
6489
	 */
6490
}
6491

6492
void kvm_configure_mmu(bool enable_tdp, int tdp_forced_root_level,
6493
		       int tdp_max_root_level, int tdp_huge_page_level)
6494
{
6495
	tdp_enabled = enable_tdp;
6496
	tdp_root_level = tdp_forced_root_level;
6497
	max_tdp_level = tdp_max_root_level;
6498

6499
#ifdef CONFIG_X86_64
6500
	tdp_mmu_enabled = tdp_mmu_allowed && tdp_enabled;
6501
#endif
6502
	/*
6503
	 * max_huge_page_level reflects KVM's MMU capabilities irrespective
6504
	 * of kernel support, e.g. KVM may be capable of using 1GB pages when
6505
	 * the kernel is not.  But, KVM never creates a page size greater than
6506
	 * what is used by the kernel for any given HVA, i.e. the kernel's
6507
	 * capabilities are ultimately consulted by kvm_mmu_hugepage_adjust().
6508
	 */
6509
	if (tdp_enabled)
6510
		max_huge_page_level = tdp_huge_page_level;
6511
	else if (boot_cpu_has(X86_FEATURE_GBPAGES))
6512
		max_huge_page_level = PG_LEVEL_1G;
6513
	else
6514
		max_huge_page_level = PG_LEVEL_2M;
6515
}
6516
EXPORT_SYMBOL_GPL(kvm_configure_mmu);
6517

6518
static void free_mmu_pages(struct kvm_mmu *mmu)
6519
{
6520
	if (!tdp_enabled && mmu->pae_root)
6521
		set_memory_encrypted((unsigned long)mmu->pae_root, 1);
6522
	free_page((unsigned long)mmu->pae_root);
6523
	free_page((unsigned long)mmu->pml4_root);
6524
	free_page((unsigned long)mmu->pml5_root);
6525
}
6526

6527
static int __kvm_mmu_create(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu)
6528
{
6529
	struct page *page;
6530
	int i;
6531

6532
	mmu->root.hpa = INVALID_PAGE;
6533
	mmu->root.pgd = 0;
6534
	mmu->mirror_root_hpa = INVALID_PAGE;
6535
	for (i = 0; i < KVM_MMU_NUM_PREV_ROOTS; i++)
6536
		mmu->prev_roots[i] = KVM_MMU_ROOT_INFO_INVALID;
6537

6538
	/* vcpu->arch.guest_mmu isn't used when !tdp_enabled. */
6539
	if (!tdp_enabled && mmu == &vcpu->arch.guest_mmu)
6540
		return 0;
6541

6542
	/*
6543
	 * When using PAE paging, the four PDPTEs are treated as 'root' pages,
6544
	 * while the PDP table is a per-vCPU construct that's allocated at MMU
6545
	 * creation.  When emulating 32-bit mode, cr3 is only 32 bits even on
6546
	 * x86_64.  Therefore we need to allocate the PDP table in the first
6547
	 * 4GB of memory, which happens to fit the DMA32 zone.  TDP paging
6548
	 * generally doesn't use PAE paging and can skip allocating the PDP
6549
	 * table.  The main exception, handled here, is SVM's 32-bit NPT.  The
6550
	 * other exception is for shadowing L1's 32-bit or PAE NPT on 64-bit
6551
	 * KVM; that horror is handled on-demand by mmu_alloc_special_roots().
6552
	 */
6553
	if (tdp_enabled && kvm_mmu_get_tdp_level(vcpu) > PT32E_ROOT_LEVEL)
6554
		return 0;
6555

6556
	page = alloc_page(GFP_KERNEL_ACCOUNT | __GFP_DMA32);
6557
	if (!page)
6558
		return -ENOMEM;
6559

6560
	mmu->pae_root = page_address(page);
6561

6562
	/*
6563
	 * CR3 is only 32 bits when PAE paging is used, thus it's impossible to
6564
	 * get the CPU to treat the PDPTEs as encrypted.  Decrypt the page so
6565
	 * that KVM's writes and the CPU's reads get along.  Note, this is
6566
	 * only necessary when using shadow paging, as 64-bit NPT can get at
6567
	 * the C-bit even when shadowing 32-bit NPT, and SME isn't supported
6568
	 * by 32-bit kernels (when KVM itself uses 32-bit NPT).
6569
	 */
6570
	if (!tdp_enabled)
6571
		set_memory_decrypted((unsigned long)mmu->pae_root, 1);
6572
	else
6573
		WARN_ON_ONCE(shadow_me_value);
6574

6575
	for (i = 0; i < 4; ++i)
6576
		mmu->pae_root[i] = INVALID_PAE_ROOT;
6577

6578
	return 0;
6579
}
6580

6581
int kvm_mmu_create(struct kvm_vcpu *vcpu)
6582
{
6583
	int ret;
6584

6585
	vcpu->arch.mmu_pte_list_desc_cache.kmem_cache = pte_list_desc_cache;
6586
	vcpu->arch.mmu_pte_list_desc_cache.gfp_zero = __GFP_ZERO;
6587

6588
	vcpu->arch.mmu_page_header_cache.kmem_cache = mmu_page_header_cache;
6589
	vcpu->arch.mmu_page_header_cache.gfp_zero = __GFP_ZERO;
6590

6591
	vcpu->arch.mmu_shadow_page_cache.init_value =
6592
		SHADOW_NONPRESENT_VALUE;
6593
	if (!vcpu->arch.mmu_shadow_page_cache.init_value)
6594
		vcpu->arch.mmu_shadow_page_cache.gfp_zero = __GFP_ZERO;
6595

6596
	vcpu->arch.mmu = &vcpu->arch.root_mmu;
6597
	vcpu->arch.walk_mmu = &vcpu->arch.root_mmu;
6598

6599
	ret = __kvm_mmu_create(vcpu, &vcpu->arch.guest_mmu);
6600
	if (ret)
6601
		return ret;
6602

6603
	ret = __kvm_mmu_create(vcpu, &vcpu->arch.root_mmu);
6604
	if (ret)
6605
		goto fail_allocate_root;
6606

6607
	return ret;
6608
 fail_allocate_root:
6609
	free_mmu_pages(&vcpu->arch.guest_mmu);
6610
	return ret;
6611
}
6612

6613
#define BATCH_ZAP_PAGES	10
6614
static void kvm_zap_obsolete_pages(struct kvm *kvm)
6615
{
6616
	struct kvm_mmu_page *sp, *node;
6617
	int nr_zapped, batch = 0;
6618
	LIST_HEAD(invalid_list);
6619
	bool unstable;
6620

6621
	lockdep_assert_held(&kvm->slots_lock);
6622

6623
restart:
6624
	list_for_each_entry_safe_reverse(sp, node,
6625
	      &kvm->arch.active_mmu_pages, link) {
6626
		/*
6627
		 * No obsolete valid page exists before a newly created page
6628
		 * since active_mmu_pages is a FIFO list.
6629
		 */
6630
		if (!is_obsolete_sp(kvm, sp))
6631
			break;
6632

6633
		/*
6634
		 * Invalid pages should never land back on the list of active
6635
		 * pages.  Skip the bogus page, otherwise we'll get stuck in an
6636
		 * infinite loop if the page gets put back on the list (again).
6637
		 */
6638
		if (WARN_ON_ONCE(sp->role.invalid))
6639
			continue;
6640

6641
		/*
6642
		 * No need to flush the TLB since we're only zapping shadow
6643
		 * pages with an obsolete generation number and all vCPUS have
6644
		 * loaded a new root, i.e. the shadow pages being zapped cannot
6645
		 * be in active use by the guest.
6646
		 */
6647
		if (batch >= BATCH_ZAP_PAGES &&
6648
		    cond_resched_rwlock_write(&kvm->mmu_lock)) {
6649
			batch = 0;
6650
			goto restart;
6651
		}
6652

6653
		unstable = __kvm_mmu_prepare_zap_page(kvm, sp,
6654
				&invalid_list, &nr_zapped);
6655
		batch += nr_zapped;
6656

6657
		if (unstable)
6658
			goto restart;
6659
	}
6660

6661
	/*
6662
	 * Kick all vCPUs (via remote TLB flush) before freeing the page tables
6663
	 * to ensure KVM is not in the middle of a lockless shadow page table
6664
	 * walk, which may reference the pages.  The remote TLB flush itself is
6665
	 * not required and is simply a convenient way to kick vCPUs as needed.
6666
	 * KVM performs a local TLB flush when allocating a new root (see
6667
	 * kvm_mmu_load()), and the reload in the caller ensure no vCPUs are
6668
	 * running with an obsolete MMU.
6669
	 */
6670
	kvm_mmu_commit_zap_page(kvm, &invalid_list);
6671
}
6672

6673
/*
6674
 * Fast invalidate all shadow pages and use lock-break technique
6675
 * to zap obsolete pages.
6676
 *
6677
 * It's required when memslot is being deleted or VM is being
6678
 * destroyed, in these cases, we should ensure that KVM MMU does
6679
 * not use any resource of the being-deleted slot or all slots
6680
 * after calling the function.
6681
 */
6682
static void kvm_mmu_zap_all_fast(struct kvm *kvm)
6683
{
6684
	lockdep_assert_held(&kvm->slots_lock);
6685

6686
	write_lock(&kvm->mmu_lock);
6687
	trace_kvm_mmu_zap_all_fast(kvm);
6688

6689
	/*
6690
	 * Toggle mmu_valid_gen between '0' and '1'.  Because slots_lock is
6691
	 * held for the entire duration of zapping obsolete pages, it's
6692
	 * impossible for there to be multiple invalid generations associated
6693
	 * with *valid* shadow pages at any given time, i.e. there is exactly
6694
	 * one valid generation and (at most) one invalid generation.
6695
	 */
6696
	kvm->arch.mmu_valid_gen = kvm->arch.mmu_valid_gen ? 0 : 1;
6697

6698
	/*
6699
	 * In order to ensure all vCPUs drop their soon-to-be invalid roots,
6700
	 * invalidating TDP MMU roots must be done while holding mmu_lock for
6701
	 * write and in the same critical section as making the reload request,
6702
	 * e.g. before kvm_zap_obsolete_pages() could drop mmu_lock and yield.
6703
	 */
6704
	if (tdp_mmu_enabled) {
6705
		/*
6706
		 * External page tables don't support fast zapping, therefore
6707
		 * their mirrors must be invalidated separately by the caller.
6708
		 */
6709
		kvm_tdp_mmu_invalidate_roots(kvm, KVM_DIRECT_ROOTS);
6710
	}
6711

6712
	/*
6713
	 * Notify all vcpus to reload its shadow page table and flush TLB.
6714
	 * Then all vcpus will switch to new shadow page table with the new
6715
	 * mmu_valid_gen.
6716
	 *
6717
	 * Note: we need to do this under the protection of mmu_lock,
6718
	 * otherwise, vcpu would purge shadow page but miss tlb flush.
6719
	 */
6720
	kvm_make_all_cpus_request(kvm, KVM_REQ_MMU_FREE_OBSOLETE_ROOTS);
6721

6722
	kvm_zap_obsolete_pages(kvm);
6723

6724
	write_unlock(&kvm->mmu_lock);
6725

6726
	/*
6727
	 * Zap the invalidated TDP MMU roots, all SPTEs must be dropped before
6728
	 * returning to the caller, e.g. if the zap is in response to a memslot
6729
	 * deletion, mmu_notifier callbacks will be unable to reach the SPTEs
6730
	 * associated with the deleted memslot once the update completes, and
6731
	 * Deferring the zap until the final reference to the root is put would
6732
	 * lead to use-after-free.
6733
	 */
6734
	if (tdp_mmu_enabled)
6735
		kvm_tdp_mmu_zap_invalidated_roots(kvm, true);
6736
}
6737

6738
int kvm_mmu_init_vm(struct kvm *kvm)
6739
{
6740
	int r;
6741

6742
	kvm->arch.shadow_mmio_value = shadow_mmio_value;
6743
	INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
6744
	INIT_LIST_HEAD(&kvm->arch.possible_nx_huge_pages);
6745
	spin_lock_init(&kvm->arch.mmu_unsync_pages_lock);
6746

6747
	if (tdp_mmu_enabled) {
6748
		kvm_mmu_init_tdp_mmu(kvm);
6749
	} else {
6750
		r = kvm_mmu_alloc_page_hash(kvm);
6751
		if (r)
6752
			return r;
6753
	}
6754

6755
	kvm->arch.split_page_header_cache.kmem_cache = mmu_page_header_cache;
6756
	kvm->arch.split_page_header_cache.gfp_zero = __GFP_ZERO;
6757

6758
	kvm->arch.split_shadow_page_cache.gfp_zero = __GFP_ZERO;
6759

6760
	kvm->arch.split_desc_cache.kmem_cache = pte_list_desc_cache;
6761
	kvm->arch.split_desc_cache.gfp_zero = __GFP_ZERO;
6762
	return 0;
6763
}
6764

6765
static void mmu_free_vm_memory_caches(struct kvm *kvm)
6766
{
6767
	kvm_mmu_free_memory_cache(&kvm->arch.split_desc_cache);
6768
	kvm_mmu_free_memory_cache(&kvm->arch.split_page_header_cache);
6769
	kvm_mmu_free_memory_cache(&kvm->arch.split_shadow_page_cache);
6770
}
6771

6772
void kvm_mmu_uninit_vm(struct kvm *kvm)
6773
{
6774
	kvfree(kvm->arch.mmu_page_hash);
6775

6776
	if (tdp_mmu_enabled)
6777
		kvm_mmu_uninit_tdp_mmu(kvm);
6778

6779
	mmu_free_vm_memory_caches(kvm);
6780
}
6781

6782
static bool kvm_rmap_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
6783
{
6784
	const struct kvm_memory_slot *memslot;
6785
	struct kvm_memslots *slots;
6786
	struct kvm_memslot_iter iter;
6787
	bool flush = false;
6788
	gfn_t start, end;
6789
	int i;
6790

6791
	if (!kvm_memslots_have_rmaps(kvm))
6792
		return flush;
6793

6794
	for (i = 0; i < kvm_arch_nr_memslot_as_ids(kvm); i++) {
6795
		slots = __kvm_memslots(kvm, i);
6796

6797
		kvm_for_each_memslot_in_gfn_range(&iter, slots, gfn_start, gfn_end) {
6798
			memslot = iter.slot;
6799
			start = max(gfn_start, memslot->base_gfn);
6800
			end = min(gfn_end, memslot->base_gfn + memslot->npages);
6801
			if (WARN_ON_ONCE(start >= end))
6802
				continue;
6803

6804
			flush = __kvm_rmap_zap_gfn_range(kvm, memslot, start,
6805
							 end, true, flush);
6806
		}
6807
	}
6808

6809
	return flush;
6810
}
6811

6812
/*
6813
 * Invalidate (zap) SPTEs that cover GFNs from gfn_start and up to gfn_end
6814
 * (not including it)
6815
 */
6816
void kvm_zap_gfn_range(struct kvm *kvm, gfn_t gfn_start, gfn_t gfn_end)
6817
{
6818
	bool flush;
6819

6820
	if (WARN_ON_ONCE(gfn_end <= gfn_start))
6821
		return;
6822

6823
	write_lock(&kvm->mmu_lock);
6824

6825
	kvm_mmu_invalidate_begin(kvm);
6826

6827
	kvm_mmu_invalidate_range_add(kvm, gfn_start, gfn_end);
6828

6829
	flush = kvm_rmap_zap_gfn_range(kvm, gfn_start, gfn_end);
6830

6831
	if (tdp_mmu_enabled)
6832
		flush = kvm_tdp_mmu_zap_leafs(kvm, gfn_start, gfn_end, flush);
6833

6834
	if (flush)
6835
		kvm_flush_remote_tlbs_range(kvm, gfn_start, gfn_end - gfn_start);
6836

6837
	kvm_mmu_invalidate_end(kvm);
6838

6839
	write_unlock(&kvm->mmu_lock);
6840
}
6841

6842
static bool slot_rmap_write_protect(struct kvm *kvm,
6843
				    struct kvm_rmap_head *rmap_head,
6844
				    const struct kvm_memory_slot *slot)
6845
{
6846
	return rmap_write_protect(rmap_head, false);
6847
}
6848

6849
void kvm_mmu_slot_remove_write_access(struct kvm *kvm,
6850
				      const struct kvm_memory_slot *memslot,
6851
				      int start_level)
6852
{
6853
	if (kvm_memslots_have_rmaps(kvm)) {
6854
		write_lock(&kvm->mmu_lock);
6855
		walk_slot_rmaps(kvm, memslot, slot_rmap_write_protect,
6856
				start_level, KVM_MAX_HUGEPAGE_LEVEL, false);
6857
		write_unlock(&kvm->mmu_lock);
6858
	}
6859

6860
	if (tdp_mmu_enabled) {
6861
		read_lock(&kvm->mmu_lock);
6862
		kvm_tdp_mmu_wrprot_slot(kvm, memslot, start_level);
6863
		read_unlock(&kvm->mmu_lock);
6864
	}
6865
}
6866

6867
static inline bool need_topup(struct kvm_mmu_memory_cache *cache, int min)
6868
{
6869
	return kvm_mmu_memory_cache_nr_free_objects(cache) < min;
6870
}
6871

6872
static bool need_topup_split_caches_or_resched(struct kvm *kvm)
6873
{
6874
	if (need_resched() || rwlock_needbreak(&kvm->mmu_lock))
6875
		return true;
6876

6877
	/*
6878
	 * In the worst case, SPLIT_DESC_CACHE_MIN_NR_OBJECTS descriptors are needed
6879
	 * to split a single huge page. Calculating how many are actually needed
6880
	 * is possible but not worth the complexity.
6881
	 */
6882
	return need_topup(&kvm->arch.split_desc_cache, SPLIT_DESC_CACHE_MIN_NR_OBJECTS) ||
6883
	       need_topup(&kvm->arch.split_page_header_cache, 1) ||
6884
	       need_topup(&kvm->arch.split_shadow_page_cache, 1);
6885
}
6886

6887
static int topup_split_caches(struct kvm *kvm)
6888
{
6889
	/*
6890
	 * Allocating rmap list entries when splitting huge pages for nested
6891
	 * MMUs is uncommon as KVM needs to use a list if and only if there is
6892
	 * more than one rmap entry for a gfn, i.e. requires an L1 gfn to be
6893
	 * aliased by multiple L2 gfns and/or from multiple nested roots with
6894
	 * different roles.  Aliasing gfns when using TDP is atypical for VMMs;
6895
	 * a few gfns are often aliased during boot, e.g. when remapping BIOS,
6896
	 * but aliasing rarely occurs post-boot or for many gfns.  If there is
6897
	 * only one rmap entry, rmap->val points directly at that one entry and
6898
	 * doesn't need to allocate a list.  Buffer the cache by the default
6899
	 * capacity so that KVM doesn't have to drop mmu_lock to topup if KVM
6900
	 * encounters an aliased gfn or two.
6901
	 */
6902
	const int capacity = SPLIT_DESC_CACHE_MIN_NR_OBJECTS +
6903
			     KVM_ARCH_NR_OBJS_PER_MEMORY_CACHE;
6904
	int r;
6905

6906
	lockdep_assert_held(&kvm->slots_lock);
6907

6908
	r = __kvm_mmu_topup_memory_cache(&kvm->arch.split_desc_cache, capacity,
6909
					 SPLIT_DESC_CACHE_MIN_NR_OBJECTS);
6910
	if (r)
6911
		return r;
6912

6913
	r = kvm_mmu_topup_memory_cache(&kvm->arch.split_page_header_cache, 1);
6914
	if (r)
6915
		return r;
6916

6917
	return kvm_mmu_topup_memory_cache(&kvm->arch.split_shadow_page_cache, 1);
6918
}
6919

6920
static struct kvm_mmu_page *shadow_mmu_get_sp_for_split(struct kvm *kvm, u64 *huge_sptep)
6921
{
6922
	struct kvm_mmu_page *huge_sp = sptep_to_sp(huge_sptep);
6923
	struct shadow_page_caches caches = {};
6924
	union kvm_mmu_page_role role;
6925
	unsigned int access;
6926
	gfn_t gfn;
6927

6928
	gfn = kvm_mmu_page_get_gfn(huge_sp, spte_index(huge_sptep));
6929
	access = kvm_mmu_page_get_access(huge_sp, spte_index(huge_sptep));
6930

6931
	/*
6932
	 * Note, huge page splitting always uses direct shadow pages, regardless
6933
	 * of whether the huge page itself is mapped by a direct or indirect
6934
	 * shadow page, since the huge page region itself is being directly
6935
	 * mapped with smaller pages.
6936
	 */
6937
	role = kvm_mmu_child_role(huge_sptep, /*direct=*/true, access);
6938

6939
	/* Direct SPs do not require a shadowed_info_cache. */
6940
	caches.page_header_cache = &kvm->arch.split_page_header_cache;
6941
	caches.shadow_page_cache = &kvm->arch.split_shadow_page_cache;
6942

6943
	/* Safe to pass NULL for vCPU since requesting a direct SP. */
6944
	return __kvm_mmu_get_shadow_page(kvm, NULL, &caches, gfn, role);
6945
}
6946

6947
static void shadow_mmu_split_huge_page(struct kvm *kvm,
6948
				       const struct kvm_memory_slot *slot,
6949
				       u64 *huge_sptep)
6950

6951
{
6952
	struct kvm_mmu_memory_cache *cache = &kvm->arch.split_desc_cache;
6953
	u64 huge_spte = READ_ONCE(*huge_sptep);
6954
	struct kvm_mmu_page *sp;
6955
	bool flush = false;
6956
	u64 *sptep, spte;
6957
	gfn_t gfn;
6958
	int index;
6959

6960
	sp = shadow_mmu_get_sp_for_split(kvm, huge_sptep);
6961

6962
	for (index = 0; index < SPTE_ENT_PER_PAGE; index++) {
6963
		sptep = &sp->spt[index];
6964
		gfn = kvm_mmu_page_get_gfn(sp, index);
6965

6966
		/*
6967
		 * The SP may already have populated SPTEs, e.g. if this huge
6968
		 * page is aliased by multiple sptes with the same access
6969
		 * permissions. These entries are guaranteed to map the same
6970
		 * gfn-to-pfn translation since the SP is direct, so no need to
6971
		 * modify them.
6972
		 *
6973
		 * However, if a given SPTE points to a lower level page table,
6974
		 * that lower level page table may only be partially populated.
6975
		 * Installing such SPTEs would effectively unmap a potion of the
6976
		 * huge page. Unmapping guest memory always requires a TLB flush
6977
		 * since a subsequent operation on the unmapped regions would
6978
		 * fail to detect the need to flush.
6979
		 */
6980
		if (is_shadow_present_pte(*sptep)) {
6981
			flush |= !is_last_spte(*sptep, sp->role.level);
6982
			continue;
6983
		}
6984

6985
		spte = make_small_spte(kvm, huge_spte, sp->role, index);
6986
		mmu_spte_set(sptep, spte);
6987
		__rmap_add(kvm, cache, slot, sptep, gfn, sp->role.access);
6988
	}
6989

6990
	__link_shadow_page(kvm, cache, huge_sptep, sp, flush);
6991
}
6992

6993
static int shadow_mmu_try_split_huge_page(struct kvm *kvm,
6994
					  const struct kvm_memory_slot *slot,
6995
					  u64 *huge_sptep)
6996
{
6997
	struct kvm_mmu_page *huge_sp = sptep_to_sp(huge_sptep);
6998
	int level, r = 0;
6999
	gfn_t gfn;
7000
	u64 spte;
7001

7002
	/* Grab information for the tracepoint before dropping the MMU lock. */
7003
	gfn = kvm_mmu_page_get_gfn(huge_sp, spte_index(huge_sptep));
7004
	level = huge_sp->role.level;
7005
	spte = *huge_sptep;
7006

7007
	if (kvm_mmu_available_pages(kvm) <= KVM_MIN_FREE_MMU_PAGES) {
7008
		r = -ENOSPC;
7009
		goto out;
7010
	}
7011

7012
	if (need_topup_split_caches_or_resched(kvm)) {
7013
		write_unlock(&kvm->mmu_lock);
7014
		cond_resched();
7015
		/*
7016
		 * If the topup succeeds, return -EAGAIN to indicate that the
7017
		 * rmap iterator should be restarted because the MMU lock was
7018
		 * dropped.
7019
		 */
7020
		r = topup_split_caches(kvm) ?: -EAGAIN;
7021
		write_lock(&kvm->mmu_lock);
7022
		goto out;
7023
	}
7024

7025
	shadow_mmu_split_huge_page(kvm, slot, huge_sptep);
7026

7027
out:
7028
	trace_kvm_mmu_split_huge_page(gfn, spte, level, r);
7029
	return r;
7030
}
7031

7032
static bool shadow_mmu_try_split_huge_pages(struct kvm *kvm,
7033
					    struct kvm_rmap_head *rmap_head,
7034
					    const struct kvm_memory_slot *slot)
7035
{
7036
	struct rmap_iterator iter;
7037
	struct kvm_mmu_page *sp;
7038
	u64 *huge_sptep;
7039
	int r;
7040

7041
restart:
7042
	for_each_rmap_spte(rmap_head, &iter, huge_sptep) {
7043
		sp = sptep_to_sp(huge_sptep);
7044

7045
		/* TDP MMU is enabled, so rmap only contains nested MMU SPs. */
7046
		if (WARN_ON_ONCE(!sp->role.guest_mode))
7047
			continue;
7048

7049
		/* The rmaps should never contain non-leaf SPTEs. */
7050
		if (WARN_ON_ONCE(!is_large_pte(*huge_sptep)))
7051
			continue;
7052

7053
		/* SPs with level >PG_LEVEL_4K should never by unsync. */
7054
		if (WARN_ON_ONCE(sp->unsync))
7055
			continue;
7056

7057
		/* Don't bother splitting huge pages on invalid SPs. */
7058
		if (sp->role.invalid)
7059
			continue;
7060

7061
		r = shadow_mmu_try_split_huge_page(kvm, slot, huge_sptep);
7062

7063
		/*
7064
		 * The split succeeded or needs to be retried because the MMU
7065
		 * lock was dropped. Either way, restart the iterator to get it
7066
		 * back into a consistent state.
7067
		 */
7068
		if (!r || r == -EAGAIN)
7069
			goto restart;
7070

7071
		/* The split failed and shouldn't be retried (e.g. -ENOMEM). */
7072
		break;
7073
	}
7074

7075
	return false;
7076
}
7077

7078
static void kvm_shadow_mmu_try_split_huge_pages(struct kvm *kvm,
7079
						const struct kvm_memory_slot *slot,
7080
						gfn_t start, gfn_t end,
7081
						int target_level)
7082
{
7083
	int level;
7084

7085
	/*
7086
	 * Split huge pages starting with KVM_MAX_HUGEPAGE_LEVEL and working
7087
	 * down to the target level. This ensures pages are recursively split
7088
	 * all the way to the target level. There's no need to split pages
7089
	 * already at the target level.
7090
	 */
7091
	for (level = KVM_MAX_HUGEPAGE_LEVEL; level > target_level; level--)
7092
		__walk_slot_rmaps(kvm, slot, shadow_mmu_try_split_huge_pages,
7093
				  level, level, start, end - 1, true, true, false);
7094
}
7095

7096
/* Must be called with the mmu_lock held in write-mode. */
7097
void kvm_mmu_try_split_huge_pages(struct kvm *kvm,
7098
				   const struct kvm_memory_slot *memslot,
7099
				   u64 start, u64 end,
7100
				   int target_level)
7101
{
7102
	if (!tdp_mmu_enabled)
7103
		return;
7104

7105
	if (kvm_memslots_have_rmaps(kvm))
7106
		kvm_shadow_mmu_try_split_huge_pages(kvm, memslot, start, end, target_level);
7107

7108
	kvm_tdp_mmu_try_split_huge_pages(kvm, memslot, start, end, target_level, false);
7109

7110
	/*
7111
	 * A TLB flush is unnecessary at this point for the same reasons as in
7112
	 * kvm_mmu_slot_try_split_huge_pages().
7113
	 */
7114
}
7115

7116
void kvm_mmu_slot_try_split_huge_pages(struct kvm *kvm,
7117
					const struct kvm_memory_slot *memslot,
7118
					int target_level)
7119
{
7120
	u64 start = memslot->base_gfn;
7121
	u64 end = start + memslot->npages;
7122

7123
	if (!tdp_mmu_enabled)
7124
		return;
7125

7126
	if (kvm_memslots_have_rmaps(kvm)) {
7127
		write_lock(&kvm->mmu_lock);
7128
		kvm_shadow_mmu_try_split_huge_pages(kvm, memslot, start, end, target_level);
7129
		write_unlock(&kvm->mmu_lock);
7130
	}
7131

7132
	read_lock(&kvm->mmu_lock);
7133
	kvm_tdp_mmu_try_split_huge_pages(kvm, memslot, start, end, target_level, true);
7134
	read_unlock(&kvm->mmu_lock);
7135

7136
	/*
7137
	 * No TLB flush is necessary here. KVM will flush TLBs after
7138
	 * write-protecting and/or clearing dirty on the newly split SPTEs to
7139
	 * ensure that guest writes are reflected in the dirty log before the
7140
	 * ioctl to enable dirty logging on this memslot completes. Since the
7141
	 * split SPTEs retain the write and dirty bits of the huge SPTE, it is
7142
	 * safe for KVM to decide if a TLB flush is necessary based on the split
7143
	 * SPTEs.
7144
	 */
7145
}
7146

7147
static bool kvm_mmu_zap_collapsible_spte(struct kvm *kvm,
7148
					 struct kvm_rmap_head *rmap_head,
7149
					 const struct kvm_memory_slot *slot)
7150
{
7151
	u64 *sptep;
7152
	struct rmap_iterator iter;
7153
	int need_tlb_flush = 0;
7154
	struct kvm_mmu_page *sp;
7155

7156
restart:
7157
	for_each_rmap_spte(rmap_head, &iter, sptep) {
7158
		sp = sptep_to_sp(sptep);
7159

7160
		/*
7161
		 * We cannot do huge page mapping for indirect shadow pages,
7162
		 * which are found on the last rmap (level = 1) when not using
7163
		 * tdp; such shadow pages are synced with the page table in
7164
		 * the guest, and the guest page table is using 4K page size
7165
		 * mapping if the indirect sp has level = 1.
7166
		 */
7167
		if (sp->role.direct &&
7168
		    sp->role.level < kvm_mmu_max_mapping_level(kvm, slot, sp->gfn)) {
7169
			kvm_zap_one_rmap_spte(kvm, rmap_head, sptep);
7170

7171
			if (kvm_available_flush_remote_tlbs_range())
7172
				kvm_flush_remote_tlbs_sptep(kvm, sptep);
7173
			else
7174
				need_tlb_flush = 1;
7175

7176
			goto restart;
7177
		}
7178
	}
7179

7180
	return need_tlb_flush;
7181
}
7182
EXPORT_SYMBOL_GPL(kvm_zap_gfn_range);
7183

7184
static void kvm_rmap_zap_collapsible_sptes(struct kvm *kvm,
7185
					   const struct kvm_memory_slot *slot)
7186
{
7187
	/*
7188
	 * Note, use KVM_MAX_HUGEPAGE_LEVEL - 1 since there's no need to zap
7189
	 * pages that are already mapped at the maximum hugepage level.
7190
	 */
7191
	if (walk_slot_rmaps(kvm, slot, kvm_mmu_zap_collapsible_spte,
7192
			    PG_LEVEL_4K, KVM_MAX_HUGEPAGE_LEVEL - 1, true))
7193
		kvm_flush_remote_tlbs_memslot(kvm, slot);
7194
}
7195

7196
void kvm_mmu_recover_huge_pages(struct kvm *kvm,
7197
				const struct kvm_memory_slot *slot)
7198
{
7199
	if (kvm_memslots_have_rmaps(kvm)) {
7200
		write_lock(&kvm->mmu_lock);
7201
		kvm_rmap_zap_collapsible_sptes(kvm, slot);
7202
		write_unlock(&kvm->mmu_lock);
7203
	}
7204

7205
	if (tdp_mmu_enabled) {
7206
		read_lock(&kvm->mmu_lock);
7207
		kvm_tdp_mmu_recover_huge_pages(kvm, slot);
7208
		read_unlock(&kvm->mmu_lock);
7209
	}
7210
}
7211

7212
void kvm_mmu_slot_leaf_clear_dirty(struct kvm *kvm,
7213
				   const struct kvm_memory_slot *memslot)
7214
{
7215
	if (kvm_memslots_have_rmaps(kvm)) {
7216
		write_lock(&kvm->mmu_lock);
7217
		/*
7218
		 * Clear dirty bits only on 4k SPTEs since the legacy MMU only
7219
		 * support dirty logging at a 4k granularity.
7220
		 */
7221
		walk_slot_rmaps_4k(kvm, memslot, __rmap_clear_dirty, false);
7222
		write_unlock(&kvm->mmu_lock);
7223
	}
7224

7225
	if (tdp_mmu_enabled) {
7226
		read_lock(&kvm->mmu_lock);
7227
		kvm_tdp_mmu_clear_dirty_slot(kvm, memslot);
7228
		read_unlock(&kvm->mmu_lock);
7229
	}
7230

7231
	/*
7232
	 * The caller will flush the TLBs after this function returns.
7233
	 *
7234
	 * It's also safe to flush TLBs out of mmu lock here as currently this
7235
	 * function is only used for dirty logging, in which case flushing TLB
7236
	 * out of mmu lock also guarantees no dirty pages will be lost in
7237
	 * dirty_bitmap.
7238
	 */
7239
}
7240

7241
static void kvm_mmu_zap_all(struct kvm *kvm)
7242
{
7243
	struct kvm_mmu_page *sp, *node;
7244
	LIST_HEAD(invalid_list);
7245
	int ign;
7246

7247
	write_lock(&kvm->mmu_lock);
7248
restart:
7249
	list_for_each_entry_safe(sp, node, &kvm->arch.active_mmu_pages, link) {
7250
		if (WARN_ON_ONCE(sp->role.invalid))
7251
			continue;
7252
		if (__kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list, &ign))
7253
			goto restart;
7254
		if (cond_resched_rwlock_write(&kvm->mmu_lock))
7255
			goto restart;
7256
	}
7257

7258
	kvm_mmu_commit_zap_page(kvm, &invalid_list);
7259

7260
	if (tdp_mmu_enabled)
7261
		kvm_tdp_mmu_zap_all(kvm);
7262

7263
	write_unlock(&kvm->mmu_lock);
7264
}
7265

7266
void kvm_arch_flush_shadow_all(struct kvm *kvm)
7267
{
7268
	kvm_mmu_zap_all(kvm);
7269
}
7270

7271
static void kvm_mmu_zap_memslot_pages_and_flush(struct kvm *kvm,
7272
						struct kvm_memory_slot *slot,
7273
						bool flush)
7274
{
7275
	LIST_HEAD(invalid_list);
7276
	unsigned long i;
7277

7278
	if (list_empty(&kvm->arch.active_mmu_pages))
7279
		goto out_flush;
7280

7281
	/*
7282
	 * Since accounting information is stored in struct kvm_arch_memory_slot,
7283
	 * all MMU pages that are shadowing guest PTEs must be zapped before the
7284
	 * memslot is deleted, as freeing such pages after the memslot is freed
7285
	 * will result in use-after-free, e.g. in unaccount_shadowed().
7286
	 */
7287
	for (i = 0; i < slot->npages; i++) {
7288
		struct kvm_mmu_page *sp;
7289
		gfn_t gfn = slot->base_gfn + i;
7290

7291
		for_each_gfn_valid_sp_with_gptes(kvm, sp, gfn)
7292
			kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
7293

7294
		if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
7295
			kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
7296
			flush = false;
7297
			cond_resched_rwlock_write(&kvm->mmu_lock);
7298
		}
7299
	}
7300

7301
out_flush:
7302
	kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
7303
}
7304

7305
static void kvm_mmu_zap_memslot(struct kvm *kvm,
7306
				struct kvm_memory_slot *slot)
7307
{
7308
	struct kvm_gfn_range range = {
7309
		.slot = slot,
7310
		.start = slot->base_gfn,
7311
		.end = slot->base_gfn + slot->npages,
7312
		.may_block = true,
7313
		.attr_filter = KVM_FILTER_PRIVATE | KVM_FILTER_SHARED,
7314
	};
7315
	bool flush;
7316

7317
	write_lock(&kvm->mmu_lock);
7318
	flush = kvm_unmap_gfn_range(kvm, &range);
7319
	kvm_mmu_zap_memslot_pages_and_flush(kvm, slot, flush);
7320
	write_unlock(&kvm->mmu_lock);
7321
}
7322

7323
static inline bool kvm_memslot_flush_zap_all(struct kvm *kvm)
7324
{
7325
	return kvm->arch.vm_type == KVM_X86_DEFAULT_VM &&
7326
	       kvm_check_has_quirk(kvm, KVM_X86_QUIRK_SLOT_ZAP_ALL);
7327
}
7328

7329
void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
7330
				   struct kvm_memory_slot *slot)
7331
{
7332
	if (kvm_memslot_flush_zap_all(kvm))
7333
		kvm_mmu_zap_all_fast(kvm);
7334
	else
7335
		kvm_mmu_zap_memslot(kvm, slot);
7336
}
7337

7338
void kvm_mmu_invalidate_mmio_sptes(struct kvm *kvm, u64 gen)
7339
{
7340
	WARN_ON_ONCE(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS);
7341

7342
	gen &= MMIO_SPTE_GEN_MASK;
7343

7344
	/*
7345
	 * Generation numbers are incremented in multiples of the number of
7346
	 * address spaces in order to provide unique generations across all
7347
	 * address spaces.  Strip what is effectively the address space
7348
	 * modifier prior to checking for a wrap of the MMIO generation so
7349
	 * that a wrap in any address space is detected.
7350
	 */
7351
	gen &= ~((u64)kvm_arch_nr_memslot_as_ids(kvm) - 1);
7352

7353
	/*
7354
	 * The very rare case: if the MMIO generation number has wrapped,
7355
	 * zap all shadow pages.
7356
	 */
7357
	if (unlikely(gen == 0)) {
7358
		kvm_debug_ratelimited("zapping shadow pages for mmio generation wraparound\n");
7359
		kvm_mmu_zap_all_fast(kvm);
7360
	}
7361
}
7362

7363
static void mmu_destroy_caches(void)
7364
{
7365
	kmem_cache_destroy(pte_list_desc_cache);
7366
	kmem_cache_destroy(mmu_page_header_cache);
7367
}
7368

7369
static void kvm_wake_nx_recovery_thread(struct kvm *kvm)
7370
{
7371
	/*
7372
	 * The NX recovery thread is spawned on-demand at the first KVM_RUN and
7373
	 * may not be valid even though the VM is globally visible.  Do nothing,
7374
	 * as such a VM can't have any possible NX huge pages.
7375
	 */
7376
	struct vhost_task *nx_thread = READ_ONCE(kvm->arch.nx_huge_page_recovery_thread);
7377

7378
	if (nx_thread)
7379
		vhost_task_wake(nx_thread);
7380
}
7381

7382
static int get_nx_huge_pages(char *buffer, const struct kernel_param *kp)
7383
{
7384
	if (nx_hugepage_mitigation_hard_disabled)
7385
		return sysfs_emit(buffer, "never\n");
7386

7387
	return param_get_bool(buffer, kp);
7388
}
7389

7390
static bool get_nx_auto_mode(void)
7391
{
7392
	/* Return true when CPU has the bug, and mitigations are ON */
7393
	return boot_cpu_has_bug(X86_BUG_ITLB_MULTIHIT) && !cpu_mitigations_off();
7394
}
7395

7396
static void __set_nx_huge_pages(bool val)
7397
{
7398
	nx_huge_pages = itlb_multihit_kvm_mitigation = val;
7399
}
7400

7401
static int set_nx_huge_pages(const char *val, const struct kernel_param *kp)
7402
{
7403
	bool old_val = nx_huge_pages;
7404
	bool new_val;
7405

7406
	if (nx_hugepage_mitigation_hard_disabled)
7407
		return -EPERM;
7408

7409
	/* In "auto" mode deploy workaround only if CPU has the bug. */
7410
	if (sysfs_streq(val, "off")) {
7411
		new_val = 0;
7412
	} else if (sysfs_streq(val, "force")) {
7413
		new_val = 1;
7414
	} else if (sysfs_streq(val, "auto")) {
7415
		new_val = get_nx_auto_mode();
7416
	} else if (sysfs_streq(val, "never")) {
7417
		new_val = 0;
7418

7419
		mutex_lock(&kvm_lock);
7420
		if (!list_empty(&vm_list)) {
7421
			mutex_unlock(&kvm_lock);
7422
			return -EBUSY;
7423
		}
7424
		nx_hugepage_mitigation_hard_disabled = true;
7425
		mutex_unlock(&kvm_lock);
7426
	} else if (kstrtobool(val, &new_val) < 0) {
7427
		return -EINVAL;
7428
	}
7429

7430
	__set_nx_huge_pages(new_val);
7431

7432
	if (new_val != old_val) {
7433
		struct kvm *kvm;
7434

7435
		mutex_lock(&kvm_lock);
7436

7437
		list_for_each_entry(kvm, &vm_list, vm_list) {
7438
			mutex_lock(&kvm->slots_lock);
7439
			kvm_mmu_zap_all_fast(kvm);
7440
			mutex_unlock(&kvm->slots_lock);
7441

7442
			kvm_wake_nx_recovery_thread(kvm);
7443
		}
7444
		mutex_unlock(&kvm_lock);
7445
	}
7446

7447
	return 0;
7448
}
7449

7450
/*
7451
 * nx_huge_pages needs to be resolved to true/false when kvm.ko is loaded, as
7452
 * its default value of -1 is technically undefined behavior for a boolean.
7453
 * Forward the module init call to SPTE code so that it too can handle module
7454
 * params that need to be resolved/snapshot.
7455
 */
7456
void __init kvm_mmu_x86_module_init(void)
7457
{
7458
	if (nx_huge_pages == -1)
7459
		__set_nx_huge_pages(get_nx_auto_mode());
7460

7461
	/*
7462
	 * Snapshot userspace's desire to enable the TDP MMU. Whether or not the
7463
	 * TDP MMU is actually enabled is determined in kvm_configure_mmu()
7464
	 * when the vendor module is loaded.
7465
	 */
7466
	tdp_mmu_allowed = tdp_mmu_enabled;
7467

7468
	kvm_mmu_spte_module_init();
7469
}
7470

7471
/*
7472
 * The bulk of the MMU initialization is deferred until the vendor module is
7473
 * loaded as many of the masks/values may be modified by VMX or SVM, i.e. need
7474
 * to be reset when a potentially different vendor module is loaded.
7475
 */
7476
int kvm_mmu_vendor_module_init(void)
7477
{
7478
	int ret = -ENOMEM;
7479

7480
	/*
7481
	 * MMU roles use union aliasing which is, generally speaking, an
7482
	 * undefined behavior. However, we supposedly know how compilers behave
7483
	 * and the current status quo is unlikely to change. Guardians below are
7484
	 * supposed to let us know if the assumption becomes false.
7485
	 */
7486
	BUILD_BUG_ON(sizeof(union kvm_mmu_page_role) != sizeof(u32));
7487
	BUILD_BUG_ON(sizeof(union kvm_mmu_extended_role) != sizeof(u32));
7488
	BUILD_BUG_ON(sizeof(union kvm_cpu_role) != sizeof(u64));
7489

7490
	kvm_mmu_reset_all_pte_masks();
7491

7492
	pte_list_desc_cache = KMEM_CACHE(pte_list_desc, SLAB_ACCOUNT);
7493
	if (!pte_list_desc_cache)
7494
		goto out;
7495

7496
	mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
7497
						  sizeof(struct kvm_mmu_page),
7498
						  0, SLAB_ACCOUNT, NULL);
7499
	if (!mmu_page_header_cache)
7500
		goto out;
7501

7502
	return 0;
7503

7504
out:
7505
	mmu_destroy_caches();
7506
	return ret;
7507
}
7508

7509
void kvm_mmu_destroy(struct kvm_vcpu *vcpu)
7510
{
7511
	kvm_mmu_unload(vcpu);
7512
	if (tdp_mmu_enabled) {
7513
		read_lock(&vcpu->kvm->mmu_lock);
7514
		mmu_free_root_page(vcpu->kvm, &vcpu->arch.mmu->mirror_root_hpa,
7515
				   NULL);
7516
		read_unlock(&vcpu->kvm->mmu_lock);
7517
	}
7518
	free_mmu_pages(&vcpu->arch.root_mmu);
7519
	free_mmu_pages(&vcpu->arch.guest_mmu);
7520
	mmu_free_memory_caches(vcpu);
7521
}
7522

7523
void kvm_mmu_vendor_module_exit(void)
7524
{
7525
	mmu_destroy_caches();
7526
}
7527

7528
/*
7529
 * Calculate the effective recovery period, accounting for '0' meaning "let KVM
7530
 * select a halving time of 1 hour".  Returns true if recovery is enabled.
7531
 */
7532
static bool calc_nx_huge_pages_recovery_period(uint *period)
7533
{
7534
	/*
7535
	 * Use READ_ONCE to get the params, this may be called outside of the
7536
	 * param setters, e.g. by the kthread to compute its next timeout.
7537
	 */
7538
	bool enabled = READ_ONCE(nx_huge_pages);
7539
	uint ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
7540

7541
	if (!enabled || !ratio)
7542
		return false;
7543

7544
	*period = READ_ONCE(nx_huge_pages_recovery_period_ms);
7545
	if (!*period) {
7546
		/* Make sure the period is not less than one second.  */
7547
		ratio = min(ratio, 3600u);
7548
		*period = 60 * 60 * 1000 / ratio;
7549
	}
7550
	return true;
7551
}
7552

7553
static int set_nx_huge_pages_recovery_param(const char *val, const struct kernel_param *kp)
7554
{
7555
	bool was_recovery_enabled, is_recovery_enabled;
7556
	uint old_period, new_period;
7557
	int err;
7558

7559
	if (nx_hugepage_mitigation_hard_disabled)
7560
		return -EPERM;
7561

7562
	was_recovery_enabled = calc_nx_huge_pages_recovery_period(&old_period);
7563

7564
	err = param_set_uint(val, kp);
7565
	if (err)
7566
		return err;
7567

7568
	is_recovery_enabled = calc_nx_huge_pages_recovery_period(&new_period);
7569

7570
	if (is_recovery_enabled &&
7571
	    (!was_recovery_enabled || old_period > new_period)) {
7572
		struct kvm *kvm;
7573

7574
		mutex_lock(&kvm_lock);
7575

7576
		list_for_each_entry(kvm, &vm_list, vm_list)
7577
			kvm_wake_nx_recovery_thread(kvm);
7578

7579
		mutex_unlock(&kvm_lock);
7580
	}
7581

7582
	return err;
7583
}
7584

7585
static void kvm_recover_nx_huge_pages(struct kvm *kvm)
7586
{
7587
	unsigned long nx_lpage_splits = kvm->stat.nx_lpage_splits;
7588
	struct kvm_memory_slot *slot;
7589
	int rcu_idx;
7590
	struct kvm_mmu_page *sp;
7591
	unsigned int ratio;
7592
	LIST_HEAD(invalid_list);
7593
	bool flush = false;
7594
	ulong to_zap;
7595

7596
	rcu_idx = srcu_read_lock(&kvm->srcu);
7597
	write_lock(&kvm->mmu_lock);
7598

7599
	/*
7600
	 * Zapping TDP MMU shadow pages, including the remote TLB flush, must
7601
	 * be done under RCU protection, because the pages are freed via RCU
7602
	 * callback.
7603
	 */
7604
	rcu_read_lock();
7605

7606
	ratio = READ_ONCE(nx_huge_pages_recovery_ratio);
7607
	to_zap = ratio ? DIV_ROUND_UP(nx_lpage_splits, ratio) : 0;
7608
	for ( ; to_zap; --to_zap) {
7609
		if (list_empty(&kvm->arch.possible_nx_huge_pages))
7610
			break;
7611

7612
		/*
7613
		 * We use a separate list instead of just using active_mmu_pages
7614
		 * because the number of shadow pages that be replaced with an
7615
		 * NX huge page is expected to be relatively small compared to
7616
		 * the total number of shadow pages.  And because the TDP MMU
7617
		 * doesn't use active_mmu_pages.
7618
		 */
7619
		sp = list_first_entry(&kvm->arch.possible_nx_huge_pages,
7620
				      struct kvm_mmu_page,
7621
				      possible_nx_huge_page_link);
7622
		WARN_ON_ONCE(!sp->nx_huge_page_disallowed);
7623
		WARN_ON_ONCE(!sp->role.direct);
7624

7625
		/*
7626
		 * Unaccount and do not attempt to recover any NX Huge Pages
7627
		 * that are being dirty tracked, as they would just be faulted
7628
		 * back in as 4KiB pages. The NX Huge Pages in this slot will be
7629
		 * recovered, along with all the other huge pages in the slot,
7630
		 * when dirty logging is disabled.
7631
		 *
7632
		 * Since gfn_to_memslot() is relatively expensive, it helps to
7633
		 * skip it if it the test cannot possibly return true.  On the
7634
		 * other hand, if any memslot has logging enabled, chances are
7635
		 * good that all of them do, in which case unaccount_nx_huge_page()
7636
		 * is much cheaper than zapping the page.
7637
		 *
7638
		 * If a memslot update is in progress, reading an incorrect value
7639
		 * of kvm->nr_memslots_dirty_logging is not a problem: if it is
7640
		 * becoming zero, gfn_to_memslot() will be done unnecessarily; if
7641
		 * it is becoming nonzero, the page will be zapped unnecessarily.
7642
		 * Either way, this only affects efficiency in racy situations,
7643
		 * and not correctness.
7644
		 */
7645
		slot = NULL;
7646
		if (atomic_read(&kvm->nr_memslots_dirty_logging)) {
7647
			struct kvm_memslots *slots;
7648

7649
			slots = kvm_memslots_for_spte_role(kvm, sp->role);
7650
			slot = __gfn_to_memslot(slots, sp->gfn);
7651
			WARN_ON_ONCE(!slot);
7652
		}
7653

7654
		if (slot && kvm_slot_dirty_track_enabled(slot))
7655
			unaccount_nx_huge_page(kvm, sp);
7656
		else if (is_tdp_mmu_page(sp))
7657
			flush |= kvm_tdp_mmu_zap_sp(kvm, sp);
7658
		else
7659
			kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
7660
		WARN_ON_ONCE(sp->nx_huge_page_disallowed);
7661

7662
		if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
7663
			kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
7664
			rcu_read_unlock();
7665

7666
			cond_resched_rwlock_write(&kvm->mmu_lock);
7667
			flush = false;
7668

7669
			rcu_read_lock();
7670
		}
7671
	}
7672
	kvm_mmu_remote_flush_or_zap(kvm, &invalid_list, flush);
7673

7674
	rcu_read_unlock();
7675

7676
	write_unlock(&kvm->mmu_lock);
7677
	srcu_read_unlock(&kvm->srcu, rcu_idx);
7678
}
7679

7680
static void kvm_nx_huge_page_recovery_worker_kill(void *data)
7681
{
7682
}
7683

7684
static bool kvm_nx_huge_page_recovery_worker(void *data)
7685
{
7686
	struct kvm *kvm = data;
7687
	bool enabled;
7688
	uint period;
7689
	long remaining_time;
7690

7691
	enabled = calc_nx_huge_pages_recovery_period(&period);
7692
	if (!enabled)
7693
		return false;
7694

7695
	remaining_time = kvm->arch.nx_huge_page_last + msecs_to_jiffies(period)
7696
		- get_jiffies_64();
7697
	if (remaining_time > 0) {
7698
		schedule_timeout(remaining_time);
7699
		/* check for signals and come back */
7700
		return true;
7701
	}
7702

7703
	__set_current_state(TASK_RUNNING);
7704
	kvm_recover_nx_huge_pages(kvm);
7705
	kvm->arch.nx_huge_page_last = get_jiffies_64();
7706
	return true;
7707
}
7708

7709
static int kvm_mmu_start_lpage_recovery(struct once *once)
7710
{
7711
	struct kvm_arch *ka = container_of(once, struct kvm_arch, nx_once);
7712
	struct kvm *kvm = container_of(ka, struct kvm, arch);
7713
	struct vhost_task *nx_thread;
7714

7715
	kvm->arch.nx_huge_page_last = get_jiffies_64();
7716
	nx_thread = vhost_task_create(kvm_nx_huge_page_recovery_worker,
7717
				      kvm_nx_huge_page_recovery_worker_kill,
7718
				      kvm, "kvm-nx-lpage-recovery");
7719

7720
	if (IS_ERR(nx_thread))
7721
		return PTR_ERR(nx_thread);
7722

7723
	vhost_task_start(nx_thread);
7724

7725
	/* Make the task visible only once it is fully started. */
7726
	WRITE_ONCE(kvm->arch.nx_huge_page_recovery_thread, nx_thread);
7727
	return 0;
7728
}
7729

7730
int kvm_mmu_post_init_vm(struct kvm *kvm)
7731
{
7732
	if (nx_hugepage_mitigation_hard_disabled)
7733
		return 0;
7734

7735
	return call_once(&kvm->arch.nx_once, kvm_mmu_start_lpage_recovery);
7736
}
7737

7738
void kvm_mmu_pre_destroy_vm(struct kvm *kvm)
7739
{
7740
	if (kvm->arch.nx_huge_page_recovery_thread)
7741
		vhost_task_stop(kvm->arch.nx_huge_page_recovery_thread);
7742
}
7743

7744
#ifdef CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES
7745
static bool hugepage_test_mixed(struct kvm_memory_slot *slot, gfn_t gfn,
7746
				int level)
7747
{
7748
	return lpage_info_slot(gfn, slot, level)->disallow_lpage & KVM_LPAGE_MIXED_FLAG;
7749
}
7750

7751
static void hugepage_clear_mixed(struct kvm_memory_slot *slot, gfn_t gfn,
7752
				 int level)
7753
{
7754
	lpage_info_slot(gfn, slot, level)->disallow_lpage &= ~KVM_LPAGE_MIXED_FLAG;
7755
}
7756

7757
static void hugepage_set_mixed(struct kvm_memory_slot *slot, gfn_t gfn,
7758
			       int level)
7759
{
7760
	lpage_info_slot(gfn, slot, level)->disallow_lpage |= KVM_LPAGE_MIXED_FLAG;
7761
}
7762

7763
bool kvm_arch_pre_set_memory_attributes(struct kvm *kvm,
7764
					struct kvm_gfn_range *range)
7765
{
7766
	struct kvm_memory_slot *slot = range->slot;
7767
	int level;
7768

7769
	/*
7770
	 * Zap SPTEs even if the slot can't be mapped PRIVATE.  KVM x86 only
7771
	 * supports KVM_MEMORY_ATTRIBUTE_PRIVATE, and so it *seems* like KVM
7772
	 * can simply ignore such slots.  But if userspace is making memory
7773
	 * PRIVATE, then KVM must prevent the guest from accessing the memory
7774
	 * as shared.  And if userspace is making memory SHARED and this point
7775
	 * is reached, then at least one page within the range was previously
7776
	 * PRIVATE, i.e. the slot's possible hugepage ranges are changing.
7777
	 * Zapping SPTEs in this case ensures KVM will reassess whether or not
7778
	 * a hugepage can be used for affected ranges.
7779
	 */
7780
	if (WARN_ON_ONCE(!kvm_arch_has_private_mem(kvm)))
7781
		return false;
7782

7783
	if (WARN_ON_ONCE(range->end <= range->start))
7784
		return false;
7785

7786
	/*
7787
	 * If the head and tail pages of the range currently allow a hugepage,
7788
	 * i.e. reside fully in the slot and don't have mixed attributes, then
7789
	 * add each corresponding hugepage range to the ongoing invalidation,
7790
	 * e.g. to prevent KVM from creating a hugepage in response to a fault
7791
	 * for a gfn whose attributes aren't changing.  Note, only the range
7792
	 * of gfns whose attributes are being modified needs to be explicitly
7793
	 * unmapped, as that will unmap any existing hugepages.
7794
	 */
7795
	for (level = PG_LEVEL_2M; level <= KVM_MAX_HUGEPAGE_LEVEL; level++) {
7796
		gfn_t start = gfn_round_for_level(range->start, level);
7797
		gfn_t end = gfn_round_for_level(range->end - 1, level);
7798
		gfn_t nr_pages = KVM_PAGES_PER_HPAGE(level);
7799

7800
		if ((start != range->start || start + nr_pages > range->end) &&
7801
		    start >= slot->base_gfn &&
7802
		    start + nr_pages <= slot->base_gfn + slot->npages &&
7803
		    !hugepage_test_mixed(slot, start, level))
7804
			kvm_mmu_invalidate_range_add(kvm, start, start + nr_pages);
7805

7806
		if (end == start)
7807
			continue;
7808

7809
		if ((end + nr_pages) > range->end &&
7810
		    (end + nr_pages) <= (slot->base_gfn + slot->npages) &&
7811
		    !hugepage_test_mixed(slot, end, level))
7812
			kvm_mmu_invalidate_range_add(kvm, end, end + nr_pages);
7813
	}
7814

7815
	/* Unmap the old attribute page. */
7816
	if (range->arg.attributes & KVM_MEMORY_ATTRIBUTE_PRIVATE)
7817
		range->attr_filter = KVM_FILTER_SHARED;
7818
	else
7819
		range->attr_filter = KVM_FILTER_PRIVATE;
7820

7821
	return kvm_unmap_gfn_range(kvm, range);
7822
}
7823

7824

7825

7826
static bool hugepage_has_attrs(struct kvm *kvm, struct kvm_memory_slot *slot,
7827
			       gfn_t gfn, int level, unsigned long attrs)
7828
{
7829
	const unsigned long start = gfn;
7830
	const unsigned long end = start + KVM_PAGES_PER_HPAGE(level);
7831

7832
	if (level == PG_LEVEL_2M)
7833
		return kvm_range_has_memory_attributes(kvm, start, end, ~0, attrs);
7834

7835
	for (gfn = start; gfn < end; gfn += KVM_PAGES_PER_HPAGE(level - 1)) {
7836
		if (hugepage_test_mixed(slot, gfn, level - 1) ||
7837
		    attrs != kvm_get_memory_attributes(kvm, gfn))
7838
			return false;
7839
	}
7840
	return true;
7841
}
7842

7843
bool kvm_arch_post_set_memory_attributes(struct kvm *kvm,
7844
					 struct kvm_gfn_range *range)
7845
{
7846
	unsigned long attrs = range->arg.attributes;
7847
	struct kvm_memory_slot *slot = range->slot;
7848
	int level;
7849

7850
	lockdep_assert_held_write(&kvm->mmu_lock);
7851
	lockdep_assert_held(&kvm->slots_lock);
7852

7853
	/*
7854
	 * Calculate which ranges can be mapped with hugepages even if the slot
7855
	 * can't map memory PRIVATE.  KVM mustn't create a SHARED hugepage over
7856
	 * a range that has PRIVATE GFNs, and conversely converting a range to
7857
	 * SHARED may now allow hugepages.
7858
	 */
7859
	if (WARN_ON_ONCE(!kvm_arch_has_private_mem(kvm)))
7860
		return false;
7861

7862
	/*
7863
	 * The sequence matters here: upper levels consume the result of lower
7864
	 * level's scanning.
7865
	 */
7866
	for (level = PG_LEVEL_2M; level <= KVM_MAX_HUGEPAGE_LEVEL; level++) {
7867
		gfn_t nr_pages = KVM_PAGES_PER_HPAGE(level);
7868
		gfn_t gfn = gfn_round_for_level(range->start, level);
7869

7870
		/* Process the head page if it straddles the range. */
7871
		if (gfn != range->start || gfn + nr_pages > range->end) {
7872
			/*
7873
			 * Skip mixed tracking if the aligned gfn isn't covered
7874
			 * by the memslot, KVM can't use a hugepage due to the
7875
			 * misaligned address regardless of memory attributes.
7876
			 */
7877
			if (gfn >= slot->base_gfn &&
7878
			    gfn + nr_pages <= slot->base_gfn + slot->npages) {
7879
				if (hugepage_has_attrs(kvm, slot, gfn, level, attrs))
7880
					hugepage_clear_mixed(slot, gfn, level);
7881
				else
7882
					hugepage_set_mixed(slot, gfn, level);
7883
			}
7884
			gfn += nr_pages;
7885
		}
7886

7887
		/*
7888
		 * Pages entirely covered by the range are guaranteed to have
7889
		 * only the attributes which were just set.
7890
		 */
7891
		for ( ; gfn + nr_pages <= range->end; gfn += nr_pages)
7892
			hugepage_clear_mixed(slot, gfn, level);
7893

7894
		/*
7895
		 * Process the last tail page if it straddles the range and is
7896
		 * contained by the memslot.  Like the head page, KVM can't
7897
		 * create a hugepage if the slot size is misaligned.
7898
		 */
7899
		if (gfn < range->end &&
7900
		    (gfn + nr_pages) <= (slot->base_gfn + slot->npages)) {
7901
			if (hugepage_has_attrs(kvm, slot, gfn, level, attrs))
7902
				hugepage_clear_mixed(slot, gfn, level);
7903
			else
7904
				hugepage_set_mixed(slot, gfn, level);
7905
		}
7906
	}
7907
	return false;
7908
}
7909

7910
void kvm_mmu_init_memslot_memory_attributes(struct kvm *kvm,
7911
					    struct kvm_memory_slot *slot)
7912
{
7913
	int level;
7914

7915
	if (!kvm_arch_has_private_mem(kvm))
7916
		return;
7917

7918
	for (level = PG_LEVEL_2M; level <= KVM_MAX_HUGEPAGE_LEVEL; level++) {
7919
		/*
7920
		 * Don't bother tracking mixed attributes for pages that can't
7921
		 * be huge due to alignment, i.e. process only pages that are
7922
		 * entirely contained by the memslot.
7923
		 */
7924
		gfn_t end = gfn_round_for_level(slot->base_gfn + slot->npages, level);
7925
		gfn_t start = gfn_round_for_level(slot->base_gfn, level);
7926
		gfn_t nr_pages = KVM_PAGES_PER_HPAGE(level);
7927
		gfn_t gfn;
7928

7929
		if (start < slot->base_gfn)
7930
			start += nr_pages;
7931

7932
		/*
7933
		 * Unlike setting attributes, every potential hugepage needs to
7934
		 * be manually checked as the attributes may already be mixed.
7935
		 */
7936
		for (gfn = start; gfn < end; gfn += nr_pages) {
7937
			unsigned long attrs = kvm_get_memory_attributes(kvm, gfn);
7938

7939
			if (hugepage_has_attrs(kvm, slot, gfn, level, attrs))
7940
				hugepage_clear_mixed(slot, gfn, level);
7941
			else
7942
				hugepage_set_mixed(slot, gfn, level);
7943
		}
7944
	}
7945
}
7946
#endif
7947

7948