xref: /linux/arch/loongarch/kvm/mmu.c (revision eb01fe7abbe2d0b38824d2a93fdb4cc3eaf2ccc1)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2020-2023 Loongson Technology Corporation Limited
4  */
5 
6 #include <linux/highmem.h>
7 #include <linux/hugetlb.h>
8 #include <linux/kvm_host.h>
9 #include <linux/page-flags.h>
10 #include <linux/uaccess.h>
11 #include <asm/mmu_context.h>
12 #include <asm/pgalloc.h>
13 #include <asm/tlb.h>
14 #include <asm/kvm_mmu.h>
15 
16 static inline bool kvm_hugepage_capable(struct kvm_memory_slot *slot)
17 {
18 	return slot->arch.flags & KVM_MEM_HUGEPAGE_CAPABLE;
19 }
20 
21 static inline bool kvm_hugepage_incapable(struct kvm_memory_slot *slot)
22 {
23 	return slot->arch.flags & KVM_MEM_HUGEPAGE_INCAPABLE;
24 }
25 
26 static inline void kvm_ptw_prepare(struct kvm *kvm, kvm_ptw_ctx *ctx)
27 {
28 	ctx->level = kvm->arch.root_level;
29 	/* pte table */
30 	ctx->invalid_ptes  = kvm->arch.invalid_ptes;
31 	ctx->pte_shifts    = kvm->arch.pte_shifts;
32 	ctx->pgtable_shift = ctx->pte_shifts[ctx->level];
33 	ctx->invalid_entry = ctx->invalid_ptes[ctx->level];
34 	ctx->opaque        = kvm;
35 }
36 
37 /*
38  * Mark a range of guest physical address space old (all accesses fault) in the
39  * VM's GPA page table to allow detection of commonly used pages.
40  */
41 static int kvm_mkold_pte(kvm_pte_t *pte, phys_addr_t addr, kvm_ptw_ctx *ctx)
42 {
43 	if (kvm_pte_young(*pte)) {
44 		*pte = kvm_pte_mkold(*pte);
45 		return 1;
46 	}
47 
48 	return 0;
49 }
50 
51 /*
52  * Mark a range of guest physical address space clean (writes fault) in the VM's
53  * GPA page table to allow dirty page tracking.
54  */
55 static int kvm_mkclean_pte(kvm_pte_t *pte, phys_addr_t addr, kvm_ptw_ctx *ctx)
56 {
57 	gfn_t offset;
58 	kvm_pte_t val;
59 
60 	val = *pte;
61 	/*
62 	 * For kvm_arch_mmu_enable_log_dirty_pt_masked with mask, start and end
63 	 * may cross hugepage, for first huge page parameter addr is equal to
64 	 * start, however for the second huge page addr is base address of
65 	 * this huge page, rather than start or end address
66 	 */
67 	if ((ctx->flag & _KVM_HAS_PGMASK) && !kvm_pte_huge(val)) {
68 		offset = (addr >> PAGE_SHIFT) - ctx->gfn;
69 		if (!(BIT(offset) & ctx->mask))
70 			return 0;
71 	}
72 
73 	/*
74 	 * Need not split huge page now, just set write-proect pte bit
75 	 * Split huge page until next write fault
76 	 */
77 	if (kvm_pte_dirty(val)) {
78 		*pte = kvm_pte_mkclean(val);
79 		return 1;
80 	}
81 
82 	return 0;
83 }
84 
85 /*
86  * Clear pte entry
87  */
88 static int kvm_flush_pte(kvm_pte_t *pte, phys_addr_t addr, kvm_ptw_ctx *ctx)
89 {
90 	struct kvm *kvm;
91 
92 	kvm = ctx->opaque;
93 	if (ctx->level)
94 		kvm->stat.hugepages--;
95 	else
96 		kvm->stat.pages--;
97 
98 	*pte = ctx->invalid_entry;
99 
100 	return 1;
101 }
102 
103 /*
104  * kvm_pgd_alloc() - Allocate and initialise a KVM GPA page directory.
105  *
106  * Allocate a blank KVM GPA page directory (PGD) for representing guest physical
107  * to host physical page mappings.
108  *
109  * Returns:	Pointer to new KVM GPA page directory.
110  *		NULL on allocation failure.
111  */
112 kvm_pte_t *kvm_pgd_alloc(void)
113 {
114 	kvm_pte_t *pgd;
115 
116 	pgd = (kvm_pte_t *)__get_free_pages(GFP_KERNEL, 0);
117 	if (pgd)
118 		pgd_init((void *)pgd);
119 
120 	return pgd;
121 }
122 
123 static void _kvm_pte_init(void *addr, unsigned long val)
124 {
125 	unsigned long *p, *end;
126 
127 	p = (unsigned long *)addr;
128 	end = p + PTRS_PER_PTE;
129 	do {
130 		p[0] = val;
131 		p[1] = val;
132 		p[2] = val;
133 		p[3] = val;
134 		p[4] = val;
135 		p += 8;
136 		p[-3] = val;
137 		p[-2] = val;
138 		p[-1] = val;
139 	} while (p != end);
140 }
141 
142 /*
143  * Caller must hold kvm->mm_lock
144  *
145  * Walk the page tables of kvm to find the PTE corresponding to the
146  * address @addr. If page tables don't exist for @addr, they will be created
147  * from the MMU cache if @cache is not NULL.
148  */
149 static kvm_pte_t *kvm_populate_gpa(struct kvm *kvm,
150 				struct kvm_mmu_memory_cache *cache,
151 				unsigned long addr, int level)
152 {
153 	kvm_ptw_ctx ctx;
154 	kvm_pte_t *entry, *child;
155 
156 	kvm_ptw_prepare(kvm, &ctx);
157 	child = kvm->arch.pgd;
158 	while (ctx.level > level) {
159 		entry = kvm_pgtable_offset(&ctx, child, addr);
160 		if (kvm_pte_none(&ctx, entry)) {
161 			if (!cache)
162 				return NULL;
163 
164 			child = kvm_mmu_memory_cache_alloc(cache);
165 			_kvm_pte_init(child, ctx.invalid_ptes[ctx.level - 1]);
166 			kvm_set_pte(entry, __pa(child));
167 		} else if (kvm_pte_huge(*entry)) {
168 			return entry;
169 		} else
170 			child = (kvm_pte_t *)__va(PHYSADDR(*entry));
171 		kvm_ptw_enter(&ctx);
172 	}
173 
174 	entry = kvm_pgtable_offset(&ctx, child, addr);
175 
176 	return entry;
177 }
178 
179 /*
180  * Page walker for VM shadow mmu at last level
181  * The last level is small pte page or huge pmd page
182  */
183 static int kvm_ptw_leaf(kvm_pte_t *dir, phys_addr_t addr, phys_addr_t end, kvm_ptw_ctx *ctx)
184 {
185 	int ret;
186 	phys_addr_t next, start, size;
187 	struct list_head *list;
188 	kvm_pte_t *entry, *child;
189 
190 	ret = 0;
191 	start = addr;
192 	child = (kvm_pte_t *)__va(PHYSADDR(*dir));
193 	entry = kvm_pgtable_offset(ctx, child, addr);
194 	do {
195 		next = addr + (0x1UL << ctx->pgtable_shift);
196 		if (!kvm_pte_present(ctx, entry))
197 			continue;
198 
199 		ret |= ctx->ops(entry, addr, ctx);
200 	} while (entry++, addr = next, addr < end);
201 
202 	if (kvm_need_flush(ctx)) {
203 		size = 0x1UL << (ctx->pgtable_shift + PAGE_SHIFT - 3);
204 		if (start + size == end) {
205 			list = (struct list_head *)child;
206 			list_add_tail(list, &ctx->list);
207 			*dir = ctx->invalid_ptes[ctx->level + 1];
208 		}
209 	}
210 
211 	return ret;
212 }
213 
214 /*
215  * Page walker for VM shadow mmu at page table dir level
216  */
217 static int kvm_ptw_dir(kvm_pte_t *dir, phys_addr_t addr, phys_addr_t end, kvm_ptw_ctx *ctx)
218 {
219 	int ret;
220 	phys_addr_t next, start, size;
221 	struct list_head *list;
222 	kvm_pte_t *entry, *child;
223 
224 	ret = 0;
225 	start = addr;
226 	child = (kvm_pte_t *)__va(PHYSADDR(*dir));
227 	entry = kvm_pgtable_offset(ctx, child, addr);
228 	do {
229 		next = kvm_pgtable_addr_end(ctx, addr, end);
230 		if (!kvm_pte_present(ctx, entry))
231 			continue;
232 
233 		if (kvm_pte_huge(*entry)) {
234 			ret |= ctx->ops(entry, addr, ctx);
235 			continue;
236 		}
237 
238 		kvm_ptw_enter(ctx);
239 		if (ctx->level == 0)
240 			ret |= kvm_ptw_leaf(entry, addr, next, ctx);
241 		else
242 			ret |= kvm_ptw_dir(entry, addr, next, ctx);
243 		kvm_ptw_exit(ctx);
244 	}  while (entry++, addr = next, addr < end);
245 
246 	if (kvm_need_flush(ctx)) {
247 		size = 0x1UL << (ctx->pgtable_shift + PAGE_SHIFT - 3);
248 		if (start + size == end) {
249 			list = (struct list_head *)child;
250 			list_add_tail(list, &ctx->list);
251 			*dir = ctx->invalid_ptes[ctx->level + 1];
252 		}
253 	}
254 
255 	return ret;
256 }
257 
258 /*
259  * Page walker for VM shadow mmu at page root table
260  */
261 static int kvm_ptw_top(kvm_pte_t *dir, phys_addr_t addr, phys_addr_t end, kvm_ptw_ctx *ctx)
262 {
263 	int ret;
264 	phys_addr_t next;
265 	kvm_pte_t *entry;
266 
267 	ret = 0;
268 	entry = kvm_pgtable_offset(ctx, dir, addr);
269 	do {
270 		next = kvm_pgtable_addr_end(ctx, addr, end);
271 		if (!kvm_pte_present(ctx, entry))
272 			continue;
273 
274 		kvm_ptw_enter(ctx);
275 		ret |= kvm_ptw_dir(entry, addr, next, ctx);
276 		kvm_ptw_exit(ctx);
277 	}  while (entry++, addr = next, addr < end);
278 
279 	return ret;
280 }
281 
282 /*
283  * kvm_flush_range() - Flush a range of guest physical addresses.
284  * @kvm:	KVM pointer.
285  * @start_gfn:	Guest frame number of first page in GPA range to flush.
286  * @end_gfn:	Guest frame number of last page in GPA range to flush.
287  * @lock:	Whether to hold mmu_lock or not
288  *
289  * Flushes a range of GPA mappings from the GPA page tables.
290  */
291 static void kvm_flush_range(struct kvm *kvm, gfn_t start_gfn, gfn_t end_gfn, int lock)
292 {
293 	int ret;
294 	kvm_ptw_ctx ctx;
295 	struct list_head *pos, *temp;
296 
297 	ctx.ops = kvm_flush_pte;
298 	ctx.flag = _KVM_FLUSH_PGTABLE;
299 	kvm_ptw_prepare(kvm, &ctx);
300 	INIT_LIST_HEAD(&ctx.list);
301 
302 	if (lock) {
303 		spin_lock(&kvm->mmu_lock);
304 		ret = kvm_ptw_top(kvm->arch.pgd, start_gfn << PAGE_SHIFT,
305 					end_gfn << PAGE_SHIFT, &ctx);
306 		spin_unlock(&kvm->mmu_lock);
307 	} else
308 		ret = kvm_ptw_top(kvm->arch.pgd, start_gfn << PAGE_SHIFT,
309 					end_gfn << PAGE_SHIFT, &ctx);
310 
311 	/* Flush vpid for each vCPU individually */
312 	if (ret)
313 		kvm_flush_remote_tlbs(kvm);
314 
315 	/*
316 	 * free pte table page after mmu_lock
317 	 * the pte table page is linked together with ctx.list
318 	 */
319 	list_for_each_safe(pos, temp, &ctx.list) {
320 		list_del(pos);
321 		free_page((unsigned long)pos);
322 	}
323 }
324 
325 /*
326  * kvm_mkclean_gpa_pt() - Make a range of guest physical addresses clean.
327  * @kvm:	KVM pointer.
328  * @start_gfn:	Guest frame number of first page in GPA range to flush.
329  * @end_gfn:	Guest frame number of last page in GPA range to flush.
330  *
331  * Make a range of GPA mappings clean so that guest writes will fault and
332  * trigger dirty page logging.
333  *
334  * The caller must hold the @kvm->mmu_lock spinlock.
335  *
336  * Returns:	Whether any GPA mappings were modified, which would require
337  *		derived mappings (GVA page tables & TLB enties) to be
338  *		invalidated.
339  */
340 static int kvm_mkclean_gpa_pt(struct kvm *kvm, gfn_t start_gfn, gfn_t end_gfn)
341 {
342 	kvm_ptw_ctx ctx;
343 
344 	ctx.ops = kvm_mkclean_pte;
345 	ctx.flag = 0;
346 	kvm_ptw_prepare(kvm, &ctx);
347 	return kvm_ptw_top(kvm->arch.pgd, start_gfn << PAGE_SHIFT, end_gfn << PAGE_SHIFT, &ctx);
348 }
349 
350 /*
351  * kvm_arch_mmu_enable_log_dirty_pt_masked() - write protect dirty pages
352  * @kvm:	The KVM pointer
353  * @slot:	The memory slot associated with mask
354  * @gfn_offset:	The gfn offset in memory slot
355  * @mask:	The mask of dirty pages at offset 'gfn_offset' in this memory
356  *		slot to be write protected
357  *
358  * Walks bits set in mask write protects the associated pte's. Caller must
359  * acquire @kvm->mmu_lock.
360  */
361 void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
362 		struct kvm_memory_slot *slot, gfn_t gfn_offset, unsigned long mask)
363 {
364 	kvm_ptw_ctx ctx;
365 	gfn_t base_gfn = slot->base_gfn + gfn_offset;
366 	gfn_t start = base_gfn + __ffs(mask);
367 	gfn_t end = base_gfn + __fls(mask) + 1;
368 
369 	ctx.ops = kvm_mkclean_pte;
370 	ctx.flag = _KVM_HAS_PGMASK;
371 	ctx.mask = mask;
372 	ctx.gfn = base_gfn;
373 	kvm_ptw_prepare(kvm, &ctx);
374 
375 	kvm_ptw_top(kvm->arch.pgd, start << PAGE_SHIFT, end << PAGE_SHIFT, &ctx);
376 }
377 
378 int kvm_arch_prepare_memory_region(struct kvm *kvm, const struct kvm_memory_slot *old,
379 				   struct kvm_memory_slot *new, enum kvm_mr_change change)
380 {
381 	gpa_t gpa_start;
382 	hva_t hva_start;
383 	size_t size, gpa_offset, hva_offset;
384 
385 	if ((change != KVM_MR_MOVE) && (change != KVM_MR_CREATE))
386 		return 0;
387 	/*
388 	 * Prevent userspace from creating a memory region outside of the
389 	 * VM GPA address space
390 	 */
391 	if ((new->base_gfn + new->npages) > (kvm->arch.gpa_size >> PAGE_SHIFT))
392 		return -ENOMEM;
393 
394 	new->arch.flags = 0;
395 	size = new->npages * PAGE_SIZE;
396 	gpa_start = new->base_gfn << PAGE_SHIFT;
397 	hva_start = new->userspace_addr;
398 	if (IS_ALIGNED(size, PMD_SIZE) && IS_ALIGNED(gpa_start, PMD_SIZE)
399 			&& IS_ALIGNED(hva_start, PMD_SIZE))
400 		new->arch.flags |= KVM_MEM_HUGEPAGE_CAPABLE;
401 	else {
402 		/*
403 		 * Pages belonging to memslots that don't have the same
404 		 * alignment within a PMD for userspace and GPA cannot be
405 		 * mapped with PMD entries, because we'll end up mapping
406 		 * the wrong pages.
407 		 *
408 		 * Consider a layout like the following:
409 		 *
410 		 *    memslot->userspace_addr:
411 		 *    +-----+--------------------+--------------------+---+
412 		 *    |abcde|fgh  Stage-1 block  |    Stage-1 block tv|xyz|
413 		 *    +-----+--------------------+--------------------+---+
414 		 *
415 		 *    memslot->base_gfn << PAGE_SIZE:
416 		 *      +---+--------------------+--------------------+-----+
417 		 *      |abc|def  Stage-2 block  |    Stage-2 block   |tvxyz|
418 		 *      +---+--------------------+--------------------+-----+
419 		 *
420 		 * If we create those stage-2 blocks, we'll end up with this
421 		 * incorrect mapping:
422 		 *   d -> f
423 		 *   e -> g
424 		 *   f -> h
425 		 */
426 		gpa_offset = gpa_start & (PMD_SIZE - 1);
427 		hva_offset = hva_start & (PMD_SIZE - 1);
428 		if (gpa_offset != hva_offset) {
429 			new->arch.flags |= KVM_MEM_HUGEPAGE_INCAPABLE;
430 		} else {
431 			if (gpa_offset == 0)
432 				gpa_offset = PMD_SIZE;
433 			if ((size + gpa_offset) < (PMD_SIZE * 2))
434 				new->arch.flags |= KVM_MEM_HUGEPAGE_INCAPABLE;
435 		}
436 	}
437 
438 	return 0;
439 }
440 
441 void kvm_arch_commit_memory_region(struct kvm *kvm,
442 				   struct kvm_memory_slot *old,
443 				   const struct kvm_memory_slot *new,
444 				   enum kvm_mr_change change)
445 {
446 	int needs_flush;
447 
448 	/*
449 	 * If dirty page logging is enabled, write protect all pages in the slot
450 	 * ready for dirty logging.
451 	 *
452 	 * There is no need to do this in any of the following cases:
453 	 * CREATE:	No dirty mappings will already exist.
454 	 * MOVE/DELETE:	The old mappings will already have been cleaned up by
455 	 *		kvm_arch_flush_shadow_memslot()
456 	 */
457 	if (change == KVM_MR_FLAGS_ONLY &&
458 	    (!(old->flags & KVM_MEM_LOG_DIRTY_PAGES) &&
459 	     new->flags & KVM_MEM_LOG_DIRTY_PAGES)) {
460 		spin_lock(&kvm->mmu_lock);
461 		/* Write protect GPA page table entries */
462 		needs_flush = kvm_mkclean_gpa_pt(kvm, new->base_gfn,
463 					new->base_gfn + new->npages);
464 		spin_unlock(&kvm->mmu_lock);
465 		if (needs_flush)
466 			kvm_flush_remote_tlbs(kvm);
467 	}
468 }
469 
470 void kvm_arch_flush_shadow_all(struct kvm *kvm)
471 {
472 	kvm_flush_range(kvm, 0, kvm->arch.gpa_size >> PAGE_SHIFT, 0);
473 }
474 
475 void kvm_arch_flush_shadow_memslot(struct kvm *kvm, struct kvm_memory_slot *slot)
476 {
477 	/*
478 	 * The slot has been made invalid (ready for moving or deletion), so we
479 	 * need to ensure that it can no longer be accessed by any guest vCPUs.
480 	 */
481 	kvm_flush_range(kvm, slot->base_gfn, slot->base_gfn + slot->npages, 1);
482 }
483 
484 bool kvm_unmap_gfn_range(struct kvm *kvm, struct kvm_gfn_range *range)
485 {
486 	kvm_ptw_ctx ctx;
487 
488 	ctx.flag = 0;
489 	ctx.ops = kvm_flush_pte;
490 	kvm_ptw_prepare(kvm, &ctx);
491 	INIT_LIST_HEAD(&ctx.list);
492 
493 	return kvm_ptw_top(kvm->arch.pgd, range->start << PAGE_SHIFT,
494 			range->end << PAGE_SHIFT, &ctx);
495 }
496 
497 bool kvm_set_spte_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
498 {
499 	unsigned long prot_bits;
500 	kvm_pte_t *ptep;
501 	kvm_pfn_t pfn = pte_pfn(range->arg.pte);
502 	gpa_t gpa = range->start << PAGE_SHIFT;
503 
504 	ptep = kvm_populate_gpa(kvm, NULL, gpa, 0);
505 	if (!ptep)
506 		return false;
507 
508 	/* Replacing an absent or old page doesn't need flushes */
509 	if (!kvm_pte_present(NULL, ptep) || !kvm_pte_young(*ptep)) {
510 		kvm_set_pte(ptep, 0);
511 		return false;
512 	}
513 
514 	/* Fill new pte if write protected or page migrated */
515 	prot_bits = _PAGE_PRESENT | __READABLE;
516 	prot_bits |= _CACHE_MASK & pte_val(range->arg.pte);
517 
518 	/*
519 	 * Set _PAGE_WRITE or _PAGE_DIRTY iff old and new pte both support
520 	 * _PAGE_WRITE for map_page_fast if next page write fault
521 	 * _PAGE_DIRTY since gpa has already recorded as dirty page
522 	 */
523 	prot_bits |= __WRITEABLE & *ptep & pte_val(range->arg.pte);
524 	kvm_set_pte(ptep, kvm_pfn_pte(pfn, __pgprot(prot_bits)));
525 
526 	return true;
527 }
528 
529 bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
530 {
531 	kvm_ptw_ctx ctx;
532 
533 	ctx.flag = 0;
534 	ctx.ops = kvm_mkold_pte;
535 	kvm_ptw_prepare(kvm, &ctx);
536 
537 	return kvm_ptw_top(kvm->arch.pgd, range->start << PAGE_SHIFT,
538 				range->end << PAGE_SHIFT, &ctx);
539 }
540 
541 bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
542 {
543 	gpa_t gpa = range->start << PAGE_SHIFT;
544 	kvm_pte_t *ptep = kvm_populate_gpa(kvm, NULL, gpa, 0);
545 
546 	if (ptep && kvm_pte_present(NULL, ptep) && kvm_pte_young(*ptep))
547 		return true;
548 
549 	return false;
550 }
551 
552 /*
553  * kvm_map_page_fast() - Fast path GPA fault handler.
554  * @vcpu:		vCPU pointer.
555  * @gpa:		Guest physical address of fault.
556  * @write:	Whether the fault was due to a write.
557  *
558  * Perform fast path GPA fault handling, doing all that can be done without
559  * calling into KVM. This handles marking old pages young (for idle page
560  * tracking), and dirtying of clean pages (for dirty page logging).
561  *
562  * Returns:	0 on success, in which case we can update derived mappings and
563  *		resume guest execution.
564  *		-EFAULT on failure due to absent GPA mapping or write to
565  *		read-only page, in which case KVM must be consulted.
566  */
567 static int kvm_map_page_fast(struct kvm_vcpu *vcpu, unsigned long gpa, bool write)
568 {
569 	int ret = 0;
570 	kvm_pfn_t pfn = 0;
571 	kvm_pte_t *ptep, changed, new;
572 	gfn_t gfn = gpa >> PAGE_SHIFT;
573 	struct kvm *kvm = vcpu->kvm;
574 	struct kvm_memory_slot *slot;
575 
576 	spin_lock(&kvm->mmu_lock);
577 
578 	/* Fast path - just check GPA page table for an existing entry */
579 	ptep = kvm_populate_gpa(kvm, NULL, gpa, 0);
580 	if (!ptep || !kvm_pte_present(NULL, ptep)) {
581 		ret = -EFAULT;
582 		goto out;
583 	}
584 
585 	/* Track access to pages marked old */
586 	new = *ptep;
587 	if (!kvm_pte_young(new))
588 		new = kvm_pte_mkyoung(new);
589 		/* call kvm_set_pfn_accessed() after unlock */
590 
591 	if (write && !kvm_pte_dirty(new)) {
592 		if (!kvm_pte_write(new)) {
593 			ret = -EFAULT;
594 			goto out;
595 		}
596 
597 		if (kvm_pte_huge(new)) {
598 			/*
599 			 * Do not set write permission when dirty logging is
600 			 * enabled for HugePages
601 			 */
602 			slot = gfn_to_memslot(kvm, gfn);
603 			if (kvm_slot_dirty_track_enabled(slot)) {
604 				ret = -EFAULT;
605 				goto out;
606 			}
607 		}
608 
609 		/* Track dirtying of writeable pages */
610 		new = kvm_pte_mkdirty(new);
611 	}
612 
613 	changed = new ^ (*ptep);
614 	if (changed) {
615 		kvm_set_pte(ptep, new);
616 		pfn = kvm_pte_pfn(new);
617 	}
618 	spin_unlock(&kvm->mmu_lock);
619 
620 	/*
621 	 * Fixme: pfn may be freed after mmu_lock
622 	 * kvm_try_get_pfn(pfn)/kvm_release_pfn pair to prevent this?
623 	 */
624 	if (kvm_pte_young(changed))
625 		kvm_set_pfn_accessed(pfn);
626 
627 	if (kvm_pte_dirty(changed)) {
628 		mark_page_dirty(kvm, gfn);
629 		kvm_set_pfn_dirty(pfn);
630 	}
631 	return ret;
632 out:
633 	spin_unlock(&kvm->mmu_lock);
634 	return ret;
635 }
636 
637 static bool fault_supports_huge_mapping(struct kvm_memory_slot *memslot,
638 				unsigned long hva, bool write)
639 {
640 	hva_t start, end;
641 
642 	/* Disable dirty logging on HugePages */
643 	if (kvm_slot_dirty_track_enabled(memslot) && write)
644 		return false;
645 
646 	if (kvm_hugepage_capable(memslot))
647 		return true;
648 
649 	if (kvm_hugepage_incapable(memslot))
650 		return false;
651 
652 	start = memslot->userspace_addr;
653 	end = start + memslot->npages * PAGE_SIZE;
654 
655 	/*
656 	 * Next, let's make sure we're not trying to map anything not covered
657 	 * by the memslot. This means we have to prohibit block size mappings
658 	 * for the beginning and end of a non-block aligned and non-block sized
659 	 * memory slot (illustrated by the head and tail parts of the
660 	 * userspace view above containing pages 'abcde' and 'xyz',
661 	 * respectively).
662 	 *
663 	 * Note that it doesn't matter if we do the check using the
664 	 * userspace_addr or the base_gfn, as both are equally aligned (per
665 	 * the check above) and equally sized.
666 	 */
667 	return (hva >= ALIGN(start, PMD_SIZE)) && (hva < ALIGN_DOWN(end, PMD_SIZE));
668 }
669 
670 /*
671  * Lookup the mapping level for @gfn in the current mm.
672  *
673  * WARNING!  Use of host_pfn_mapping_level() requires the caller and the end
674  * consumer to be tied into KVM's handlers for MMU notifier events!
675  *
676  * There are several ways to safely use this helper:
677  *
678  * - Check mmu_invalidate_retry_gfn() after grabbing the mapping level, before
679  *   consuming it.  In this case, mmu_lock doesn't need to be held during the
680  *   lookup, but it does need to be held while checking the MMU notifier.
681  *
682  * - Hold mmu_lock AND ensure there is no in-progress MMU notifier invalidation
683  *   event for the hva.  This can be done by explicit checking the MMU notifier
684  *   or by ensuring that KVM already has a valid mapping that covers the hva.
685  *
686  * - Do not use the result to install new mappings, e.g. use the host mapping
687  *   level only to decide whether or not to zap an entry.  In this case, it's
688  *   not required to hold mmu_lock (though it's highly likely the caller will
689  *   want to hold mmu_lock anyways, e.g. to modify SPTEs).
690  *
691  * Note!  The lookup can still race with modifications to host page tables, but
692  * the above "rules" ensure KVM will not _consume_ the result of the walk if a
693  * race with the primary MMU occurs.
694  */
695 static int host_pfn_mapping_level(struct kvm *kvm, gfn_t gfn,
696 				const struct kvm_memory_slot *slot)
697 {
698 	int level = 0;
699 	unsigned long hva;
700 	unsigned long flags;
701 	pgd_t pgd;
702 	p4d_t p4d;
703 	pud_t pud;
704 	pmd_t pmd;
705 
706 	/*
707 	 * Note, using the already-retrieved memslot and __gfn_to_hva_memslot()
708 	 * is not solely for performance, it's also necessary to avoid the
709 	 * "writable" check in __gfn_to_hva_many(), which will always fail on
710 	 * read-only memslots due to gfn_to_hva() assuming writes.  Earlier
711 	 * page fault steps have already verified the guest isn't writing a
712 	 * read-only memslot.
713 	 */
714 	hva = __gfn_to_hva_memslot(slot, gfn);
715 
716 	/*
717 	 * Disable IRQs to prevent concurrent tear down of host page tables,
718 	 * e.g. if the primary MMU promotes a P*D to a huge page and then frees
719 	 * the original page table.
720 	 */
721 	local_irq_save(flags);
722 
723 	/*
724 	 * Read each entry once.  As above, a non-leaf entry can be promoted to
725 	 * a huge page _during_ this walk.  Re-reading the entry could send the
726 	 * walk into the weeks, e.g. p*d_leaf() returns false (sees the old
727 	 * value) and then p*d_offset() walks into the target huge page instead
728 	 * of the old page table (sees the new value).
729 	 */
730 	pgd = READ_ONCE(*pgd_offset(kvm->mm, hva));
731 	if (pgd_none(pgd))
732 		goto out;
733 
734 	p4d = READ_ONCE(*p4d_offset(&pgd, hva));
735 	if (p4d_none(p4d) || !p4d_present(p4d))
736 		goto out;
737 
738 	pud = READ_ONCE(*pud_offset(&p4d, hva));
739 	if (pud_none(pud) || !pud_present(pud))
740 		goto out;
741 
742 	pmd = READ_ONCE(*pmd_offset(&pud, hva));
743 	if (pmd_none(pmd) || !pmd_present(pmd))
744 		goto out;
745 
746 	if (kvm_pte_huge(pmd_val(pmd)))
747 		level = 1;
748 
749 out:
750 	local_irq_restore(flags);
751 	return level;
752 }
753 
754 /*
755  * Split huge page
756  */
757 static kvm_pte_t *kvm_split_huge(struct kvm_vcpu *vcpu, kvm_pte_t *ptep, gfn_t gfn)
758 {
759 	int i;
760 	kvm_pte_t val, *child;
761 	struct kvm *kvm = vcpu->kvm;
762 	struct kvm_mmu_memory_cache *memcache;
763 
764 	memcache = &vcpu->arch.mmu_page_cache;
765 	child = kvm_mmu_memory_cache_alloc(memcache);
766 	val = kvm_pte_mksmall(*ptep);
767 	for (i = 0; i < PTRS_PER_PTE; i++) {
768 		kvm_set_pte(child + i, val);
769 		val += PAGE_SIZE;
770 	}
771 
772 	/* The later kvm_flush_tlb_gpa() will flush hugepage tlb */
773 	kvm_set_pte(ptep, __pa(child));
774 
775 	kvm->stat.hugepages--;
776 	kvm->stat.pages += PTRS_PER_PTE;
777 
778 	return child + (gfn & (PTRS_PER_PTE - 1));
779 }
780 
781 /*
782  * kvm_map_page() - Map a guest physical page.
783  * @vcpu:		vCPU pointer.
784  * @gpa:		Guest physical address of fault.
785  * @write:	Whether the fault was due to a write.
786  *
787  * Handle GPA faults by creating a new GPA mapping (or updating an existing
788  * one).
789  *
790  * This takes care of marking pages young or dirty (idle/dirty page tracking),
791  * asking KVM for the corresponding PFN, and creating a mapping in the GPA page
792  * tables. Derived mappings (GVA page tables and TLBs) must be handled by the
793  * caller.
794  *
795  * Returns:	0 on success
796  *		-EFAULT if there is no memory region at @gpa or a write was
797  *		attempted to a read-only memory region. This is usually handled
798  *		as an MMIO access.
799  */
800 static int kvm_map_page(struct kvm_vcpu *vcpu, unsigned long gpa, bool write)
801 {
802 	bool writeable;
803 	int srcu_idx, err, retry_no = 0, level;
804 	unsigned long hva, mmu_seq, prot_bits;
805 	kvm_pfn_t pfn;
806 	kvm_pte_t *ptep, new_pte;
807 	gfn_t gfn = gpa >> PAGE_SHIFT;
808 	struct kvm *kvm = vcpu->kvm;
809 	struct kvm_memory_slot *memslot;
810 	struct kvm_mmu_memory_cache *memcache = &vcpu->arch.mmu_page_cache;
811 
812 	/* Try the fast path to handle old / clean pages */
813 	srcu_idx = srcu_read_lock(&kvm->srcu);
814 	err = kvm_map_page_fast(vcpu, gpa, write);
815 	if (!err)
816 		goto out;
817 
818 	memslot = gfn_to_memslot(kvm, gfn);
819 	hva = gfn_to_hva_memslot_prot(memslot, gfn, &writeable);
820 	if (kvm_is_error_hva(hva) || (write && !writeable)) {
821 		err = -EFAULT;
822 		goto out;
823 	}
824 
825 	/* We need a minimum of cached pages ready for page table creation */
826 	err = kvm_mmu_topup_memory_cache(memcache, KVM_MMU_CACHE_MIN_PAGES);
827 	if (err)
828 		goto out;
829 
830 retry:
831 	/*
832 	 * Used to check for invalidations in progress, of the pfn that is
833 	 * returned by pfn_to_pfn_prot below.
834 	 */
835 	mmu_seq = kvm->mmu_invalidate_seq;
836 	/*
837 	 * Ensure the read of mmu_invalidate_seq isn't reordered with PTE reads in
838 	 * gfn_to_pfn_prot() (which calls get_user_pages()), so that we don't
839 	 * risk the page we get a reference to getting unmapped before we have a
840 	 * chance to grab the mmu_lock without mmu_invalidate_retry() noticing.
841 	 *
842 	 * This smp_rmb() pairs with the effective smp_wmb() of the combination
843 	 * of the pte_unmap_unlock() after the PTE is zapped, and the
844 	 * spin_lock() in kvm_mmu_invalidate_invalidate_<page|range_end>() before
845 	 * mmu_invalidate_seq is incremented.
846 	 */
847 	smp_rmb();
848 
849 	/* Slow path - ask KVM core whether we can access this GPA */
850 	pfn = gfn_to_pfn_prot(kvm, gfn, write, &writeable);
851 	if (is_error_noslot_pfn(pfn)) {
852 		err = -EFAULT;
853 		goto out;
854 	}
855 
856 	/* Check if an invalidation has taken place since we got pfn */
857 	spin_lock(&kvm->mmu_lock);
858 	if (mmu_invalidate_retry_gfn(kvm, mmu_seq, gfn)) {
859 		/*
860 		 * This can happen when mappings are changed asynchronously, but
861 		 * also synchronously if a COW is triggered by
862 		 * gfn_to_pfn_prot().
863 		 */
864 		spin_unlock(&kvm->mmu_lock);
865 		kvm_release_pfn_clean(pfn);
866 		if (retry_no > 100) {
867 			retry_no = 0;
868 			schedule();
869 		}
870 		retry_no++;
871 		goto retry;
872 	}
873 
874 	/*
875 	 * For emulated devices such virtio device, actual cache attribute is
876 	 * determined by physical machine.
877 	 * For pass through physical device, it should be uncachable
878 	 */
879 	prot_bits = _PAGE_PRESENT | __READABLE;
880 	if (pfn_valid(pfn))
881 		prot_bits |= _CACHE_CC;
882 	else
883 		prot_bits |= _CACHE_SUC;
884 
885 	if (writeable) {
886 		prot_bits |= _PAGE_WRITE;
887 		if (write)
888 			prot_bits |= __WRITEABLE;
889 	}
890 
891 	/* Disable dirty logging on HugePages */
892 	level = 0;
893 	if (!fault_supports_huge_mapping(memslot, hva, write)) {
894 		level = 0;
895 	} else {
896 		level = host_pfn_mapping_level(kvm, gfn, memslot);
897 		if (level == 1) {
898 			gfn = gfn & ~(PTRS_PER_PTE - 1);
899 			pfn = pfn & ~(PTRS_PER_PTE - 1);
900 		}
901 	}
902 
903 	/* Ensure page tables are allocated */
904 	ptep = kvm_populate_gpa(kvm, memcache, gpa, level);
905 	new_pte = kvm_pfn_pte(pfn, __pgprot(prot_bits));
906 	if (level == 1) {
907 		new_pte = kvm_pte_mkhuge(new_pte);
908 		/*
909 		 * previous pmd entry is invalid_pte_table
910 		 * there is invalid tlb with small page
911 		 * need flush these invalid tlbs for current vcpu
912 		 */
913 		kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
914 		++kvm->stat.hugepages;
915 	}  else if (kvm_pte_huge(*ptep) && write)
916 		ptep = kvm_split_huge(vcpu, ptep, gfn);
917 	else
918 		++kvm->stat.pages;
919 	kvm_set_pte(ptep, new_pte);
920 	spin_unlock(&kvm->mmu_lock);
921 
922 	if (prot_bits & _PAGE_DIRTY) {
923 		mark_page_dirty_in_slot(kvm, memslot, gfn);
924 		kvm_set_pfn_dirty(pfn);
925 	}
926 
927 	kvm_set_pfn_accessed(pfn);
928 	kvm_release_pfn_clean(pfn);
929 out:
930 	srcu_read_unlock(&kvm->srcu, srcu_idx);
931 	return err;
932 }
933 
934 int kvm_handle_mm_fault(struct kvm_vcpu *vcpu, unsigned long gpa, bool write)
935 {
936 	int ret;
937 
938 	ret = kvm_map_page(vcpu, gpa, write);
939 	if (ret)
940 		return ret;
941 
942 	/* Invalidate this entry in the TLB */
943 	kvm_flush_tlb_gpa(vcpu, gpa);
944 
945 	return 0;
946 }
947 
948 void kvm_arch_sync_dirty_log(struct kvm *kvm, struct kvm_memory_slot *memslot)
949 {
950 }
951 
952 void kvm_arch_flush_remote_tlbs_memslot(struct kvm *kvm,
953 					const struct kvm_memory_slot *memslot)
954 {
955 	kvm_flush_remote_tlbs(kvm);
956 }
957