1.. SPDX-License-Identifier: GPL-2.0 2 3================= 4Memory Management 5================= 6 7Complete virtual memory map with 4-level page tables 8==================================================== 9 10.. note:: 11 12 - Negative addresses such as "-23 TB" are absolute addresses in bytes, counted down 13 from the top of the 64-bit address space. It's easier to understand the layout 14 when seen both in absolute addresses and in distance-from-top notation. 15 16 For example 0xffffe90000000000 == -23 TB, it's 23 TB lower than the top of the 17 64-bit address space (ffffffffffffffff). 18 19 Note that as we get closer to the top of the address space, the notation changes 20 from TB to GB and then MB/KB. 21 22 - "16M TB" might look weird at first sight, but it's an easier way to visualize size 23 notation than "16 EB", which few will recognize at first sight as 16 exabytes. 24 It also shows it nicely how incredibly large 64-bit address space is. 25 26:: 27 28 ======================================================================================================================== 29 Start addr | Offset | End addr | Size | VM area description 30 ======================================================================================================================== 31 | | | | 32 0000000000000000 | 0 | 00007fffffffefff | ~128 TB | user-space virtual memory, different per mm 33 00007ffffffff000 | ~128 TB | 00007fffffffffff | 4 kB | ... guard hole 34 __________________|____________|__________________|_________|___________________________________________________________ 35 | | | | 36 0000800000000000 | +128 TB | 7fffffffffffffff | ~8 EB | ... huge, almost 63 bits wide hole of non-canonical 37 | | | | virtual memory addresses up to the -8 EB 38 | | | | starting offset of kernel mappings. 39 | | | | 40 | | | | LAM relaxes canonicallity check allowing to create aliases 41 | | | | for userspace memory here. 42 __________________|____________|__________________|_________|___________________________________________________________ 43 | 44 | Kernel-space virtual memory, shared between all processes: 45 __________________|____________|__________________|_________|___________________________________________________________ 46 | | | | 47 8000000000000000 | -8 EB | ffff7fffffffffff | ~8 EB | ... huge, almost 63 bits wide hole of non-canonical 48 | | | | virtual memory addresses up to the -128 TB 49 | | | | starting offset of kernel mappings. 50 | | | | 51 | | | | LAM_SUP relaxes canonicallity check allowing to create 52 | | | | aliases for kernel memory here. 53 ____________________________________________________________|___________________________________________________________ 54 | | | | 55 ffff800000000000 | -128 TB | ffff87ffffffffff | 8 TB | ... guard hole, also reserved for hypervisor 56 ffff880000000000 | -120 TB | ffff887fffffffff | 0.5 TB | LDT remap for PTI 57 ffff888000000000 | -119.5 TB | ffffc87fffffffff | 64 TB | direct mapping of all physical memory (page_offset_base) 58 ffffc88000000000 | -55.5 TB | ffffc8ffffffffff | 0.5 TB | ... unused hole 59 ffffc90000000000 | -55 TB | ffffe8ffffffffff | 32 TB | vmalloc/ioremap space (vmalloc_base) 60 ffffe90000000000 | -23 TB | ffffe9ffffffffff | 1 TB | ... unused hole 61 ffffea0000000000 | -22 TB | ffffeaffffffffff | 1 TB | virtual memory map (vmemmap_base) 62 ffffeb0000000000 | -21 TB | ffffebffffffffff | 1 TB | ... unused hole 63 ffffec0000000000 | -20 TB | fffffbffffffffff | 16 TB | KASAN shadow memory 64 __________________|____________|__________________|_________|____________________________________________________________ 65 | 66 | Identical layout to the 56-bit one from here on: 67 ____________________________________________________________|____________________________________________________________ 68 | | | | 69 fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole 70 | | | | vaddr_end for KASLR 71 fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping 72 fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | ... unused hole 73 ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks 74 ffffff8000000000 | -512 GB | ffffffeeffffffff | 444 GB | ... unused hole 75 ffffffef00000000 | -68 GB | fffffffeffffffff | 64 GB | EFI region mapping space 76 ffffffff00000000 | -4 GB | ffffffff7fffffff | 2 GB | ... unused hole 77 ffffffff80000000 | -2 GB | ffffffff9fffffff | 512 MB | kernel text mapping, mapped to physical address 0 78 ffffffff80000000 |-2048 MB | | | 79 ffffffffa0000000 |-1536 MB | fffffffffeffffff | 1520 MB | module mapping space 80 ffffffffff000000 | -16 MB | | | 81 FIXADDR_START | ~-11 MB | ffffffffff5fffff | ~0.5 MB | kernel-internal fixmap range, variable size and offset 82 ffffffffff600000 | -10 MB | ffffffffff600fff | 4 kB | legacy vsyscall ABI 83 ffffffffffe00000 | -2 MB | ffffffffffffffff | 2 MB | ... unused hole 84 __________________|____________|__________________|_________|___________________________________________________________ 85 86 87Complete virtual memory map with 5-level page tables 88==================================================== 89 90.. note:: 91 92 - With 56-bit addresses, user-space memory gets expanded by a factor of 512x, 93 from 0.125 PB to 64 PB. All kernel mappings shift down to the -64 PB starting 94 offset and many of the regions expand to support the much larger physical 95 memory supported. 96 97:: 98 99 ======================================================================================================================== 100 Start addr | Offset | End addr | Size | VM area description 101 ======================================================================================================================== 102 | | | | 103 0000000000000000 | 0 | 00fffffffffff000 | ~64 PB | user-space virtual memory, different per mm 104 00fffffffffff000 | ~64 PB | 00ffffffffffffff | 4 kB | ... guard hole 105 __________________|____________|__________________|_________|___________________________________________________________ 106 | | | | 107 0100000000000000 | +64 PB | 7fffffffffffffff | ~8 EB | ... huge, almost 63 bits wide hole of non-canonical 108 | | | | virtual memory addresses up to the -8EB TB 109 | | | | starting offset of kernel mappings. 110 | | | | 111 | | | | LAM relaxes canonicallity check allowing to create aliases 112 | | | | for userspace memory here. 113 __________________|____________|__________________|_________|___________________________________________________________ 114 | 115 | Kernel-space virtual memory, shared between all processes: 116 ____________________________________________________________|___________________________________________________________ 117 8000000000000000 | -8 EB | feffffffffffffff | ~8 EB | ... huge, almost 63 bits wide hole of non-canonical 118 | | | | virtual memory addresses up to the -64 PB 119 | | | | starting offset of kernel mappings. 120 | | | | 121 | | | | LAM_SUP relaxes canonicallity check allowing to create 122 | | | | aliases for kernel memory here. 123 ____________________________________________________________|___________________________________________________________ 124 | | | | 125 ff00000000000000 | -64 PB | ff0fffffffffffff | 4 PB | ... guard hole, also reserved for hypervisor 126 ff10000000000000 | -60 PB | ff10ffffffffffff | 0.25 PB | LDT remap for PTI 127 ff11000000000000 | -59.75 PB | ff90ffffffffffff | 32 PB | direct mapping of all physical memory (page_offset_base) 128 ff91000000000000 | -27.75 PB | ff9fffffffffffff | 3.75 PB | ... unused hole 129 ffa0000000000000 | -24 PB | ffd1ffffffffffff | 12.5 PB | vmalloc/ioremap space (vmalloc_base) 130 ffd2000000000000 | -11.5 PB | ffd3ffffffffffff | 0.5 PB | ... unused hole 131 ffd4000000000000 | -11 PB | ffd5ffffffffffff | 0.5 PB | virtual memory map (vmemmap_base) 132 ffd6000000000000 | -10.5 PB | ffdeffffffffffff | 2.25 PB | ... unused hole 133 ffdf000000000000 | -8.25 PB | fffffbffffffffff | ~8 PB | KASAN shadow memory 134 __________________|____________|__________________|_________|____________________________________________________________ 135 | 136 | Identical layout to the 47-bit one from here on: 137 ____________________________________________________________|____________________________________________________________ 138 | | | | 139 fffffc0000000000 | -4 TB | fffffdffffffffff | 2 TB | ... unused hole 140 | | | | vaddr_end for KASLR 141 fffffe0000000000 | -2 TB | fffffe7fffffffff | 0.5 TB | cpu_entry_area mapping 142 fffffe8000000000 | -1.5 TB | fffffeffffffffff | 0.5 TB | ... unused hole 143 ffffff0000000000 | -1 TB | ffffff7fffffffff | 0.5 TB | %esp fixup stacks 144 ffffff8000000000 | -512 GB | ffffffeeffffffff | 444 GB | ... unused hole 145 ffffffef00000000 | -68 GB | fffffffeffffffff | 64 GB | EFI region mapping space 146 ffffffff00000000 | -4 GB | ffffffff7fffffff | 2 GB | ... unused hole 147 ffffffff80000000 | -2 GB | ffffffff9fffffff | 512 MB | kernel text mapping, mapped to physical address 0 148 ffffffff80000000 |-2048 MB | | | 149 ffffffffa0000000 |-1536 MB | fffffffffeffffff | 1520 MB | module mapping space 150 ffffffffff000000 | -16 MB | | | 151 FIXADDR_START | ~-11 MB | ffffffffff5fffff | ~0.5 MB | kernel-internal fixmap range, variable size and offset 152 ffffffffff600000 | -10 MB | ffffffffff600fff | 4 kB | legacy vsyscall ABI 153 ffffffffffe00000 | -2 MB | ffffffffffffffff | 2 MB | ... unused hole 154 __________________|____________|__________________|_________|___________________________________________________________ 155 156Architecture defines a 64-bit virtual address. Implementations can support 157less. Currently supported are 48- and 57-bit virtual addresses. Bits 63 158through to the most-significant implemented bit are sign extended. 159This causes hole between user space and kernel addresses if you interpret them 160as unsigned. 161 162The direct mapping covers all memory in the system up to the highest 163memory address (this means in some cases it can also include PCI memory 164holes). 165 166We map EFI runtime services in the 'efi_pgd' PGD in a 64GB large virtual 167memory window (this size is arbitrary, it can be raised later if needed). 168The mappings are not part of any other kernel PGD and are only available 169during EFI runtime calls. 170 171Note that if CONFIG_RANDOMIZE_MEMORY is enabled, the direct mapping of all 172physical memory, vmalloc/ioremap space and virtual memory map are randomized. 173Their order is preserved but their base will be offset early at boot time. 174 175Be very careful vs. KASLR when changing anything here. The KASLR address 176range must not overlap with anything except the KASAN shadow area, which is 177correct as KASAN disables KASLR. 178 179For both 4- and 5-level layouts, the STACKLEAK_POISON value in the last 2MB 180hole: ffffffffffff4111 181