xref: /linux/virt/kvm/guest_memfd.c (revision c31f4aa8fed048fa70e742c4bb49bb48dc489ab3) 
1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/anon_inodes.h>
3 #include <linux/backing-dev.h>
4 #include <linux/falloc.h>
5 #include <linux/fs.h>
6 #include <linux/kvm_host.h>
7 #include <linux/mempolicy.h>
8 #include <linux/pseudo_fs.h>
9 #include <linux/pagemap.h>
10 
11 #include "kvm_mm.h"
12 
13 static struct vfsmount *kvm_gmem_mnt;
14 
15 /*
16  * A guest_memfd instance can be associated multiple VMs, each with its own
17  * "view" of the underlying physical memory.
18  *
19  * The gmem's inode is effectively the raw underlying physical storage, and is
20  * used to track properties of the physical memory, while each gmem file is
21  * effectively a single VM's view of that storage, and is used to track assets
22  * specific to its associated VM, e.g. memslots=>gmem bindings.
23  */
24 struct gmem_file {
25 	struct kvm *kvm;
26 	struct xarray bindings;
27 	struct list_head entry;
28 };
29 
30 struct gmem_inode {
31 	struct shared_policy policy;
32 	struct inode vfs_inode;
33 
34 	u64 flags;
35 };
36 
37 static __always_inline struct gmem_inode *GMEM_I(struct inode *inode)
38 {
39 	return container_of(inode, struct gmem_inode, vfs_inode);
40 }
41 
42 #define kvm_gmem_for_each_file(f, mapping) \
43 	list_for_each_entry(f, &(mapping)->i_private_list, entry)
44 
45 /**
46  * folio_file_pfn - like folio_file_page, but return a pfn.
47  * @folio: The folio which contains this index.
48  * @index: The index we want to look up.
49  *
50  * Return: The pfn for this index.
51  */
52 static inline kvm_pfn_t folio_file_pfn(struct folio *folio, pgoff_t index)
53 {
54 	return folio_pfn(folio) + (index & (folio_nr_pages(folio) - 1));
55 }
56 
57 static pgoff_t kvm_gmem_get_index(struct kvm_memory_slot *slot, gfn_t gfn)
58 {
59 	return gfn - slot->base_gfn + slot->gmem.pgoff;
60 }
61 
62 static int __kvm_gmem_prepare_folio(struct kvm *kvm, struct kvm_memory_slot *slot,
63 				    pgoff_t index, struct folio *folio)
64 {
65 #ifdef CONFIG_HAVE_KVM_ARCH_GMEM_PREPARE
66 	kvm_pfn_t pfn = folio_file_pfn(folio, index);
67 	gfn_t gfn = slot->base_gfn + index - slot->gmem.pgoff;
68 	int rc = kvm_arch_gmem_prepare(kvm, gfn, pfn, folio_order(folio));
69 	if (rc) {
70 		pr_warn_ratelimited("gmem: Failed to prepare folio for index %lx GFN %llx PFN %llx error %d.\n",
71 				    index, gfn, pfn, rc);
72 		return rc;
73 	}
74 #endif
75 
76 	return 0;
77 }
78 
79 static inline void kvm_gmem_mark_prepared(struct folio *folio)
80 {
81 	folio_mark_uptodate(folio);
82 }
83 
84 /*
85  * Process @folio, which contains @gfn, so that the guest can use it.
86  * The folio must be locked and the gfn must be contained in @slot.
87  * On successful return the guest sees a zero page so as to avoid
88  * leaking host data and the up-to-date flag is set.
89  */
90 static int kvm_gmem_prepare_folio(struct kvm *kvm, struct kvm_memory_slot *slot,
91 				  gfn_t gfn, struct folio *folio)
92 {
93 	unsigned long nr_pages, i;
94 	pgoff_t index;
95 	int r;
96 
97 	nr_pages = folio_nr_pages(folio);
98 	for (i = 0; i < nr_pages; i++)
99 		clear_highpage(folio_page(folio, i));
100 
101 	/*
102 	 * Preparing huge folios should always be safe, since it should
103 	 * be possible to split them later if needed.
104 	 *
105 	 * Right now the folio order is always going to be zero, but the
106 	 * code is ready for huge folios.  The only assumption is that
107 	 * the base pgoff of memslots is naturally aligned with the
108 	 * requested page order, ensuring that huge folios can also use
109 	 * huge page table entries for GPA->HPA mapping.
110 	 *
111 	 * The order will be passed when creating the guest_memfd, and
112 	 * checked when creating memslots.
113 	 */
114 	WARN_ON(!IS_ALIGNED(slot->gmem.pgoff, folio_nr_pages(folio)));
115 	index = kvm_gmem_get_index(slot, gfn);
116 	index = ALIGN_DOWN(index, folio_nr_pages(folio));
117 	r = __kvm_gmem_prepare_folio(kvm, slot, index, folio);
118 	if (!r)
119 		kvm_gmem_mark_prepared(folio);
120 
121 	return r;
122 }
123 
124 /*
125  * Returns a locked folio on success.  The caller is responsible for
126  * setting the up-to-date flag before the memory is mapped into the guest.
127  * There is no backing storage for the memory, so the folio will remain
128  * up-to-date until it's removed.
129  *
130  * Ignore accessed, referenced, and dirty flags.  The memory is
131  * unevictable and there is no storage to write back to.
132  */
133 static struct folio *kvm_gmem_get_folio(struct inode *inode, pgoff_t index)
134 {
135 	/* TODO: Support huge pages. */
136 	struct mempolicy *policy;
137 	struct folio *folio;
138 
139 	/*
140 	 * Fast-path: See if folio is already present in mapping to avoid
141 	 * policy_lookup.
142 	 */
143 	folio = __filemap_get_folio(inode->i_mapping, index,
144 				    FGP_LOCK | FGP_ACCESSED, 0);
145 	if (!IS_ERR(folio))
146 		return folio;
147 
148 	policy = mpol_shared_policy_lookup(&GMEM_I(inode)->policy, index);
149 	folio = __filemap_get_folio_mpol(inode->i_mapping, index,
150 					 FGP_LOCK | FGP_ACCESSED | FGP_CREAT,
151 					 mapping_gfp_mask(inode->i_mapping), policy);
152 	mpol_cond_put(policy);
153 
154 	return folio;
155 }
156 
157 static enum kvm_gfn_range_filter kvm_gmem_get_invalidate_filter(struct inode *inode)
158 {
159 	if (GMEM_I(inode)->flags & GUEST_MEMFD_FLAG_INIT_SHARED)
160 		return KVM_FILTER_SHARED;
161 
162 	return KVM_FILTER_PRIVATE;
163 }
164 
165 static void __kvm_gmem_invalidate_begin(struct gmem_file *f, pgoff_t start,
166 					pgoff_t end,
167 					enum kvm_gfn_range_filter attr_filter)
168 {
169 	bool flush = false, found_memslot = false;
170 	struct kvm_memory_slot *slot;
171 	struct kvm *kvm = f->kvm;
172 	unsigned long index;
173 
174 	xa_for_each_range(&f->bindings, index, slot, start, end - 1) {
175 		pgoff_t pgoff = slot->gmem.pgoff;
176 
177 		struct kvm_gfn_range gfn_range = {
178 			.start = slot->base_gfn + max(pgoff, start) - pgoff,
179 			.end = slot->base_gfn + min(pgoff + slot->npages, end) - pgoff,
180 			.slot = slot,
181 			.may_block = true,
182 			.attr_filter = attr_filter,
183 		};
184 
185 		if (!found_memslot) {
186 			found_memslot = true;
187 
188 			KVM_MMU_LOCK(kvm);
189 			kvm_mmu_invalidate_begin(kvm);
190 		}
191 
192 		flush |= kvm_mmu_unmap_gfn_range(kvm, &gfn_range);
193 	}
194 
195 	if (flush)
196 		kvm_flush_remote_tlbs(kvm);
197 
198 	if (found_memslot)
199 		KVM_MMU_UNLOCK(kvm);
200 }
201 
202 static void kvm_gmem_invalidate_begin(struct inode *inode, pgoff_t start,
203 				      pgoff_t end)
204 {
205 	enum kvm_gfn_range_filter attr_filter;
206 	struct gmem_file *f;
207 
208 	attr_filter = kvm_gmem_get_invalidate_filter(inode);
209 
210 	kvm_gmem_for_each_file(f, inode->i_mapping)
211 		__kvm_gmem_invalidate_begin(f, start, end, attr_filter);
212 }
213 
214 static void __kvm_gmem_invalidate_end(struct gmem_file *f, pgoff_t start,
215 				      pgoff_t end)
216 {
217 	struct kvm *kvm = f->kvm;
218 
219 	if (xa_find(&f->bindings, &start, end - 1, XA_PRESENT)) {
220 		KVM_MMU_LOCK(kvm);
221 		kvm_mmu_invalidate_end(kvm);
222 		KVM_MMU_UNLOCK(kvm);
223 	}
224 }
225 
226 static void kvm_gmem_invalidate_end(struct inode *inode, pgoff_t start,
227 				    pgoff_t end)
228 {
229 	struct gmem_file *f;
230 
231 	kvm_gmem_for_each_file(f, inode->i_mapping)
232 		__kvm_gmem_invalidate_end(f, start, end);
233 }
234 
235 static long kvm_gmem_punch_hole(struct inode *inode, loff_t offset, loff_t len)
236 {
237 	pgoff_t start = offset >> PAGE_SHIFT;
238 	pgoff_t end = (offset + len) >> PAGE_SHIFT;
239 
240 	/*
241 	 * Bindings must be stable across invalidation to ensure the start+end
242 	 * are balanced.
243 	 */
244 	filemap_invalidate_lock(inode->i_mapping);
245 
246 	kvm_gmem_invalidate_begin(inode, start, end);
247 
248 	truncate_inode_pages_range(inode->i_mapping, offset, offset + len - 1);
249 
250 	kvm_gmem_invalidate_end(inode, start, end);
251 
252 	filemap_invalidate_unlock(inode->i_mapping);
253 
254 	return 0;
255 }
256 
257 static long kvm_gmem_allocate(struct inode *inode, loff_t offset, loff_t len)
258 {
259 	struct address_space *mapping = inode->i_mapping;
260 	pgoff_t start, index, end;
261 	int r;
262 
263 	/* Dedicated guest is immutable by default. */
264 	if (offset + len > i_size_read(inode))
265 		return -EINVAL;
266 
267 	filemap_invalidate_lock_shared(mapping);
268 
269 	start = offset >> PAGE_SHIFT;
270 	end = (offset + len) >> PAGE_SHIFT;
271 
272 	r = 0;
273 	for (index = start; index < end; ) {
274 		struct folio *folio;
275 
276 		if (signal_pending(current)) {
277 			r = -EINTR;
278 			break;
279 		}
280 
281 		folio = kvm_gmem_get_folio(inode, index);
282 		if (IS_ERR(folio)) {
283 			r = PTR_ERR(folio);
284 			break;
285 		}
286 
287 		index = folio_next_index(folio);
288 
289 		folio_unlock(folio);
290 		folio_put(folio);
291 
292 		/* 64-bit only, wrapping the index should be impossible. */
293 		if (WARN_ON_ONCE(!index))
294 			break;
295 
296 		cond_resched();
297 	}
298 
299 	filemap_invalidate_unlock_shared(mapping);
300 
301 	return r;
302 }
303 
304 static long kvm_gmem_fallocate(struct file *file, int mode, loff_t offset,
305 			       loff_t len)
306 {
307 	int ret;
308 
309 	if (!(mode & FALLOC_FL_KEEP_SIZE))
310 		return -EOPNOTSUPP;
311 
312 	if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
313 		return -EOPNOTSUPP;
314 
315 	if (!PAGE_ALIGNED(offset) || !PAGE_ALIGNED(len))
316 		return -EINVAL;
317 
318 	if (mode & FALLOC_FL_PUNCH_HOLE)
319 		ret = kvm_gmem_punch_hole(file_inode(file), offset, len);
320 	else
321 		ret = kvm_gmem_allocate(file_inode(file), offset, len);
322 
323 	if (!ret)
324 		file_modified(file);
325 	return ret;
326 }
327 
328 static int kvm_gmem_release(struct inode *inode, struct file *file)
329 {
330 	struct gmem_file *f = file->private_data;
331 	struct kvm_memory_slot *slot;
332 	struct kvm *kvm = f->kvm;
333 	unsigned long index;
334 
335 	/*
336 	 * Prevent concurrent attempts to *unbind* a memslot.  This is the last
337 	 * reference to the file and thus no new bindings can be created, but
338 	 * dereferencing the slot for existing bindings needs to be protected
339 	 * against memslot updates, specifically so that unbind doesn't race
340 	 * and free the memslot (kvm_gmem_get_file() will return NULL).
341 	 *
342 	 * Since .release is called only when the reference count is zero,
343 	 * after which file_ref_get() and get_file_active() fail,
344 	 * kvm_gmem_get_pfn() cannot be using the file concurrently.
345 	 * file_ref_put() provides a full barrier, and get_file_active() the
346 	 * matching acquire barrier.
347 	 */
348 	mutex_lock(&kvm->slots_lock);
349 
350 	filemap_invalidate_lock(inode->i_mapping);
351 
352 	xa_for_each(&f->bindings, index, slot)
353 		WRITE_ONCE(slot->gmem.file, NULL);
354 
355 	/*
356 	 * All in-flight operations are gone and new bindings can be created.
357 	 * Zap all SPTEs pointed at by this file.  Do not free the backing
358 	 * memory, as its lifetime is associated with the inode, not the file.
359 	 */
360 	__kvm_gmem_invalidate_begin(f, 0, -1ul,
361 				    kvm_gmem_get_invalidate_filter(inode));
362 	__kvm_gmem_invalidate_end(f, 0, -1ul);
363 
364 	list_del(&f->entry);
365 
366 	filemap_invalidate_unlock(inode->i_mapping);
367 
368 	mutex_unlock(&kvm->slots_lock);
369 
370 	xa_destroy(&f->bindings);
371 	kfree(f);
372 
373 	kvm_put_kvm(kvm);
374 
375 	return 0;
376 }
377 
378 static inline struct file *kvm_gmem_get_file(struct kvm_memory_slot *slot)
379 {
380 	/*
381 	 * Do not return slot->gmem.file if it has already been closed;
382 	 * there might be some time between the last fput() and when
383 	 * kvm_gmem_release() clears slot->gmem.file.
384 	 */
385 	return get_file_active(&slot->gmem.file);
386 }
387 
388 DEFINE_CLASS(gmem_get_file, struct file *, if (_T) fput(_T),
389 	     kvm_gmem_get_file(slot), struct kvm_memory_slot *slot);
390 
391 static bool kvm_gmem_supports_mmap(struct inode *inode)
392 {
393 	return GMEM_I(inode)->flags & GUEST_MEMFD_FLAG_MMAP;
394 }
395 
396 static vm_fault_t kvm_gmem_fault_user_mapping(struct vm_fault *vmf)
397 {
398 	struct inode *inode = file_inode(vmf->vma->vm_file);
399 	struct folio *folio;
400 	vm_fault_t ret = VM_FAULT_LOCKED;
401 
402 	if (((loff_t)vmf->pgoff << PAGE_SHIFT) >= i_size_read(inode))
403 		return VM_FAULT_SIGBUS;
404 
405 	if (!(GMEM_I(inode)->flags & GUEST_MEMFD_FLAG_INIT_SHARED))
406 		return VM_FAULT_SIGBUS;
407 
408 	folio = kvm_gmem_get_folio(inode, vmf->pgoff);
409 	if (IS_ERR(folio)) {
410 		if (PTR_ERR(folio) == -EAGAIN)
411 			return VM_FAULT_RETRY;
412 
413 		return vmf_error(PTR_ERR(folio));
414 	}
415 
416 	if (WARN_ON_ONCE(folio_test_large(folio))) {
417 		ret = VM_FAULT_SIGBUS;
418 		goto out_folio;
419 	}
420 
421 	if (!folio_test_uptodate(folio)) {
422 		clear_highpage(folio_page(folio, 0));
423 		kvm_gmem_mark_prepared(folio);
424 	}
425 
426 	vmf->page = folio_file_page(folio, vmf->pgoff);
427 
428 out_folio:
429 	if (ret != VM_FAULT_LOCKED) {
430 		folio_unlock(folio);
431 		folio_put(folio);
432 	}
433 
434 	return ret;
435 }
436 
437 #ifdef CONFIG_NUMA
438 static int kvm_gmem_set_policy(struct vm_area_struct *vma, struct mempolicy *mpol)
439 {
440 	struct inode *inode = file_inode(vma->vm_file);
441 
442 	return mpol_set_shared_policy(&GMEM_I(inode)->policy, vma, mpol);
443 }
444 
445 static struct mempolicy *kvm_gmem_get_policy(struct vm_area_struct *vma,
446 					     unsigned long addr, pgoff_t *pgoff)
447 {
448 	struct inode *inode = file_inode(vma->vm_file);
449 
450 	*pgoff = vma->vm_pgoff + ((addr - vma->vm_start) >> PAGE_SHIFT);
451 
452 	/*
453 	 * Return the memory policy for this index, or NULL if none is set.
454 	 *
455 	 * Returning NULL, e.g. instead of the current task's memory policy, is
456 	 * important for the .get_policy kernel ABI: it indicates that no
457 	 * explicit policy has been set via mbind() for this memory. The caller
458 	 * can then replace NULL with the default memory policy instead of the
459 	 * current task's memory policy.
460 	 */
461 	return mpol_shared_policy_lookup(&GMEM_I(inode)->policy, *pgoff);
462 }
463 #endif /* CONFIG_NUMA */
464 
465 static const struct vm_operations_struct kvm_gmem_vm_ops = {
466 	.fault		= kvm_gmem_fault_user_mapping,
467 #ifdef CONFIG_NUMA
468 	.get_policy	= kvm_gmem_get_policy,
469 	.set_policy	= kvm_gmem_set_policy,
470 #endif
471 };
472 
473 static int kvm_gmem_mmap(struct file *file, struct vm_area_struct *vma)
474 {
475 	if (!kvm_gmem_supports_mmap(file_inode(file)))
476 		return -ENODEV;
477 
478 	if ((vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) !=
479 	    (VM_SHARED | VM_MAYSHARE)) {
480 		return -EINVAL;
481 	}
482 
483 	vma->vm_ops = &kvm_gmem_vm_ops;
484 
485 	return 0;
486 }
487 
488 static struct file_operations kvm_gmem_fops = {
489 	.mmap		= kvm_gmem_mmap,
490 	.open		= generic_file_open,
491 	.release	= kvm_gmem_release,
492 	.fallocate	= kvm_gmem_fallocate,
493 };
494 
495 static int kvm_gmem_migrate_folio(struct address_space *mapping,
496 				  struct folio *dst, struct folio *src,
497 				  enum migrate_mode mode)
498 {
499 	WARN_ON_ONCE(1);
500 	return -EINVAL;
501 }
502 
503 static int kvm_gmem_error_folio(struct address_space *mapping, struct folio *folio)
504 {
505 	pgoff_t start, end;
506 
507 	filemap_invalidate_lock_shared(mapping);
508 
509 	start = folio->index;
510 	end = start + folio_nr_pages(folio);
511 
512 	kvm_gmem_invalidate_begin(mapping->host, start, end);
513 
514 	/*
515 	 * Do not truncate the range, what action is taken in response to the
516 	 * error is userspace's decision (assuming the architecture supports
517 	 * gracefully handling memory errors).  If/when the guest attempts to
518 	 * access a poisoned page, kvm_gmem_get_pfn() will return -EHWPOISON,
519 	 * at which point KVM can either terminate the VM or propagate the
520 	 * error to userspace.
521 	 */
522 
523 	kvm_gmem_invalidate_end(mapping->host, start, end);
524 
525 	filemap_invalidate_unlock_shared(mapping);
526 
527 	return MF_DELAYED;
528 }
529 
530 #ifdef CONFIG_HAVE_KVM_ARCH_GMEM_INVALIDATE
531 static void kvm_gmem_free_folio(struct folio *folio)
532 {
533 	struct page *page = folio_page(folio, 0);
534 	kvm_pfn_t pfn = page_to_pfn(page);
535 	int order = folio_order(folio);
536 
537 	kvm_arch_gmem_invalidate(pfn, pfn + (1ul << order));
538 }
539 #endif
540 
541 static const struct address_space_operations kvm_gmem_aops = {
542 	.dirty_folio = noop_dirty_folio,
543 	.migrate_folio	= kvm_gmem_migrate_folio,
544 	.error_remove_folio = kvm_gmem_error_folio,
545 #ifdef CONFIG_HAVE_KVM_ARCH_GMEM_INVALIDATE
546 	.free_folio = kvm_gmem_free_folio,
547 #endif
548 };
549 
550 static int kvm_gmem_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
551 			    struct iattr *attr)
552 {
553 	return -EINVAL;
554 }
555 static const struct inode_operations kvm_gmem_iops = {
556 	.setattr	= kvm_gmem_setattr,
557 };
558 
559 bool __weak kvm_arch_supports_gmem_init_shared(struct kvm *kvm)
560 {
561 	return true;
562 }
563 
564 static int __kvm_gmem_create(struct kvm *kvm, loff_t size, u64 flags)
565 {
566 	static const char *name = "[kvm-gmem]";
567 	struct gmem_file *f;
568 	struct inode *inode;
569 	struct file *file;
570 	int fd, err;
571 
572 	fd = get_unused_fd_flags(0);
573 	if (fd < 0)
574 		return fd;
575 
576 	f = kzalloc(sizeof(*f), GFP_KERNEL);
577 	if (!f) {
578 		err = -ENOMEM;
579 		goto err_fd;
580 	}
581 
582 	/* __fput() will take care of fops_put(). */
583 	if (!fops_get(&kvm_gmem_fops)) {
584 		err = -ENOENT;
585 		goto err_gmem;
586 	}
587 
588 	inode = anon_inode_make_secure_inode(kvm_gmem_mnt->mnt_sb, name, NULL);
589 	if (IS_ERR(inode)) {
590 		err = PTR_ERR(inode);
591 		goto err_fops;
592 	}
593 
594 	inode->i_op = &kvm_gmem_iops;
595 	inode->i_mapping->a_ops = &kvm_gmem_aops;
596 	inode->i_mode |= S_IFREG;
597 	inode->i_size = size;
598 	mapping_set_gfp_mask(inode->i_mapping, GFP_HIGHUSER);
599 	mapping_set_inaccessible(inode->i_mapping);
600 	/* Unmovable mappings are supposed to be marked unevictable as well. */
601 	WARN_ON_ONCE(!mapping_unevictable(inode->i_mapping));
602 
603 	GMEM_I(inode)->flags = flags;
604 
605 	file = alloc_file_pseudo(inode, kvm_gmem_mnt, name, O_RDWR, &kvm_gmem_fops);
606 	if (IS_ERR(file)) {
607 		err = PTR_ERR(file);
608 		goto err_inode;
609 	}
610 
611 	file->f_flags |= O_LARGEFILE;
612 	file->private_data = f;
613 
614 	kvm_get_kvm(kvm);
615 	f->kvm = kvm;
616 	xa_init(&f->bindings);
617 	list_add(&f->entry, &inode->i_mapping->i_private_list);
618 
619 	fd_install(fd, file);
620 	return fd;
621 
622 err_inode:
623 	iput(inode);
624 err_fops:
625 	fops_put(&kvm_gmem_fops);
626 err_gmem:
627 	kfree(f);
628 err_fd:
629 	put_unused_fd(fd);
630 	return err;
631 }
632 
633 int kvm_gmem_create(struct kvm *kvm, struct kvm_create_guest_memfd *args)
634 {
635 	loff_t size = args->size;
636 	u64 flags = args->flags;
637 
638 	if (flags & ~kvm_gmem_get_supported_flags(kvm))
639 		return -EINVAL;
640 
641 	if (size <= 0 || !PAGE_ALIGNED(size))
642 		return -EINVAL;
643 
644 	return __kvm_gmem_create(kvm, size, flags);
645 }
646 
647 int kvm_gmem_bind(struct kvm *kvm, struct kvm_memory_slot *slot,
648 		  unsigned int fd, loff_t offset)
649 {
650 	loff_t size = slot->npages << PAGE_SHIFT;
651 	unsigned long start, end;
652 	struct gmem_file *f;
653 	struct inode *inode;
654 	struct file *file;
655 	int r = -EINVAL;
656 
657 	BUILD_BUG_ON(sizeof(gfn_t) != sizeof(slot->gmem.pgoff));
658 
659 	file = fget(fd);
660 	if (!file)
661 		return -EBADF;
662 
663 	if (file->f_op != &kvm_gmem_fops)
664 		goto err;
665 
666 	f = file->private_data;
667 	if (f->kvm != kvm)
668 		goto err;
669 
670 	inode = file_inode(file);
671 
672 	if (offset < 0 || !PAGE_ALIGNED(offset) ||
673 	    offset + size > i_size_read(inode))
674 		goto err;
675 
676 	filemap_invalidate_lock(inode->i_mapping);
677 
678 	start = offset >> PAGE_SHIFT;
679 	end = start + slot->npages;
680 
681 	if (!xa_empty(&f->bindings) &&
682 	    xa_find(&f->bindings, &start, end - 1, XA_PRESENT)) {
683 		filemap_invalidate_unlock(inode->i_mapping);
684 		goto err;
685 	}
686 
687 	/*
688 	 * memslots of flag KVM_MEM_GUEST_MEMFD are immutable to change, so
689 	 * kvm_gmem_bind() must occur on a new memslot.  Because the memslot
690 	 * is not visible yet, kvm_gmem_get_pfn() is guaranteed to see the file.
691 	 */
692 	WRITE_ONCE(slot->gmem.file, file);
693 	slot->gmem.pgoff = start;
694 	if (kvm_gmem_supports_mmap(inode))
695 		slot->flags |= KVM_MEMSLOT_GMEM_ONLY;
696 
697 	xa_store_range(&f->bindings, start, end - 1, slot, GFP_KERNEL);
698 	filemap_invalidate_unlock(inode->i_mapping);
699 
700 	/*
701 	 * Drop the reference to the file, even on success.  The file pins KVM,
702 	 * not the other way 'round.  Active bindings are invalidated if the
703 	 * file is closed before memslots are destroyed.
704 	 */
705 	r = 0;
706 err:
707 	fput(file);
708 	return r;
709 }
710 
711 static void __kvm_gmem_unbind(struct kvm_memory_slot *slot, struct gmem_file *f)
712 {
713 	unsigned long start = slot->gmem.pgoff;
714 	unsigned long end = start + slot->npages;
715 
716 	xa_store_range(&f->bindings, start, end - 1, NULL, GFP_KERNEL);
717 
718 	/*
719 	 * synchronize_srcu(&kvm->srcu) ensured that kvm_gmem_get_pfn()
720 	 * cannot see this memslot.
721 	 */
722 	WRITE_ONCE(slot->gmem.file, NULL);
723 }
724 
725 void kvm_gmem_unbind(struct kvm_memory_slot *slot)
726 {
727 	/*
728 	 * Nothing to do if the underlying file was _already_ closed, as
729 	 * kvm_gmem_release() invalidates and nullifies all bindings.
730 	 */
731 	if (!slot->gmem.file)
732 		return;
733 
734 	CLASS(gmem_get_file, file)(slot);
735 
736 	/*
737 	 * However, if the file is _being_ closed, then the bindings need to be
738 	 * removed as kvm_gmem_release() might not run until after the memslot
739 	 * is freed.  Note, modifying the bindings is safe even though the file
740 	 * is dying as kvm_gmem_release() nullifies slot->gmem.file under
741 	 * slots_lock, and only puts its reference to KVM after destroying all
742 	 * bindings.  I.e. reaching this point means kvm_gmem_release() hasn't
743 	 * yet destroyed the bindings or freed the gmem_file, and can't do so
744 	 * until the caller drops slots_lock.
745 	 */
746 	if (!file) {
747 		__kvm_gmem_unbind(slot, slot->gmem.file->private_data);
748 		return;
749 	}
750 
751 	filemap_invalidate_lock(file->f_mapping);
752 	__kvm_gmem_unbind(slot, file->private_data);
753 	filemap_invalidate_unlock(file->f_mapping);
754 }
755 
756 /* Returns a locked folio on success.  */
757 static struct folio *__kvm_gmem_get_pfn(struct file *file,
758 					struct kvm_memory_slot *slot,
759 					pgoff_t index, kvm_pfn_t *pfn,
760 					bool *is_prepared, int *max_order)
761 {
762 	struct file *slot_file = READ_ONCE(slot->gmem.file);
763 	struct gmem_file *f = file->private_data;
764 	struct folio *folio;
765 
766 	if (file != slot_file) {
767 		WARN_ON_ONCE(slot_file);
768 		return ERR_PTR(-EFAULT);
769 	}
770 
771 	if (xa_load(&f->bindings, index) != slot) {
772 		WARN_ON_ONCE(xa_load(&f->bindings, index));
773 		return ERR_PTR(-EIO);
774 	}
775 
776 	folio = kvm_gmem_get_folio(file_inode(file), index);
777 	if (IS_ERR(folio))
778 		return folio;
779 
780 	if (folio_test_hwpoison(folio)) {
781 		folio_unlock(folio);
782 		folio_put(folio);
783 		return ERR_PTR(-EHWPOISON);
784 	}
785 
786 	*pfn = folio_file_pfn(folio, index);
787 	if (max_order)
788 		*max_order = 0;
789 
790 	*is_prepared = folio_test_uptodate(folio);
791 	return folio;
792 }
793 
794 int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot,
795 		     gfn_t gfn, kvm_pfn_t *pfn, struct page **page,
796 		     int *max_order)
797 {
798 	pgoff_t index = kvm_gmem_get_index(slot, gfn);
799 	struct folio *folio;
800 	bool is_prepared = false;
801 	int r = 0;
802 
803 	CLASS(gmem_get_file, file)(slot);
804 	if (!file)
805 		return -EFAULT;
806 
807 	folio = __kvm_gmem_get_pfn(file, slot, index, pfn, &is_prepared, max_order);
808 	if (IS_ERR(folio))
809 		return PTR_ERR(folio);
810 
811 	if (!is_prepared)
812 		r = kvm_gmem_prepare_folio(kvm, slot, gfn, folio);
813 
814 	folio_unlock(folio);
815 
816 	if (!r)
817 		*page = folio_file_page(folio, index);
818 	else
819 		folio_put(folio);
820 
821 	return r;
822 }
823 EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_gmem_get_pfn);
824 
825 #ifdef CONFIG_HAVE_KVM_ARCH_GMEM_POPULATE
826 long kvm_gmem_populate(struct kvm *kvm, gfn_t start_gfn, void __user *src, long npages,
827 		       kvm_gmem_populate_cb post_populate, void *opaque)
828 {
829 	struct kvm_memory_slot *slot;
830 	void __user *p;
831 
832 	int ret = 0, max_order;
833 	long i;
834 
835 	lockdep_assert_held(&kvm->slots_lock);
836 
837 	if (WARN_ON_ONCE(npages <= 0))
838 		return -EINVAL;
839 
840 	slot = gfn_to_memslot(kvm, start_gfn);
841 	if (!kvm_slot_has_gmem(slot))
842 		return -EINVAL;
843 
844 	CLASS(gmem_get_file, file)(slot);
845 	if (!file)
846 		return -EFAULT;
847 
848 	filemap_invalidate_lock(file->f_mapping);
849 
850 	npages = min_t(ulong, slot->npages - (start_gfn - slot->base_gfn), npages);
851 	for (i = 0; i < npages; i += (1 << max_order)) {
852 		struct folio *folio;
853 		gfn_t gfn = start_gfn + i;
854 		pgoff_t index = kvm_gmem_get_index(slot, gfn);
855 		bool is_prepared = false;
856 		kvm_pfn_t pfn;
857 
858 		if (signal_pending(current)) {
859 			ret = -EINTR;
860 			break;
861 		}
862 
863 		folio = __kvm_gmem_get_pfn(file, slot, index, &pfn, &is_prepared, &max_order);
864 		if (IS_ERR(folio)) {
865 			ret = PTR_ERR(folio);
866 			break;
867 		}
868 
869 		if (is_prepared) {
870 			folio_unlock(folio);
871 			folio_put(folio);
872 			ret = -EEXIST;
873 			break;
874 		}
875 
876 		folio_unlock(folio);
877 		WARN_ON(!IS_ALIGNED(gfn, 1 << max_order) ||
878 			(npages - i) < (1 << max_order));
879 
880 		ret = -EINVAL;
881 		while (!kvm_range_has_memory_attributes(kvm, gfn, gfn + (1 << max_order),
882 							KVM_MEMORY_ATTRIBUTE_PRIVATE,
883 							KVM_MEMORY_ATTRIBUTE_PRIVATE)) {
884 			if (!max_order)
885 				goto put_folio_and_exit;
886 			max_order--;
887 		}
888 
889 		p = src ? src + i * PAGE_SIZE : NULL;
890 		ret = post_populate(kvm, gfn, pfn, p, max_order, opaque);
891 		if (!ret)
892 			kvm_gmem_mark_prepared(folio);
893 
894 put_folio_and_exit:
895 		folio_put(folio);
896 		if (ret)
897 			break;
898 	}
899 
900 	filemap_invalidate_unlock(file->f_mapping);
901 
902 	return ret && !i ? ret : i;
903 }
904 EXPORT_SYMBOL_FOR_KVM_INTERNAL(kvm_gmem_populate);
905 #endif
906 
907 static struct kmem_cache *kvm_gmem_inode_cachep;
908 
909 static void kvm_gmem_init_inode_once(void *__gi)
910 {
911 	struct gmem_inode *gi = __gi;
912 
913 	/*
914 	 * Note!  Don't initialize the inode with anything specific to the
915 	 * guest_memfd instance, or that might be specific to how the inode is
916 	 * used (from the VFS-layer's perspective).  This hook is called only
917 	 * during the initial slab allocation, i.e. only fields/state that are
918 	 * idempotent across _all_ use of the inode _object_ can be initialized
919 	 * at this time!
920 	 */
921 	inode_init_once(&gi->vfs_inode);
922 }
923 
924 static struct inode *kvm_gmem_alloc_inode(struct super_block *sb)
925 {
926 	struct gmem_inode *gi;
927 
928 	gi = alloc_inode_sb(sb, kvm_gmem_inode_cachep, GFP_KERNEL);
929 	if (!gi)
930 		return NULL;
931 
932 	mpol_shared_policy_init(&gi->policy, NULL);
933 
934 	gi->flags = 0;
935 	return &gi->vfs_inode;
936 }
937 
938 static void kvm_gmem_destroy_inode(struct inode *inode)
939 {
940 	mpol_free_shared_policy(&GMEM_I(inode)->policy);
941 }
942 
943 static void kvm_gmem_free_inode(struct inode *inode)
944 {
945 	kmem_cache_free(kvm_gmem_inode_cachep, GMEM_I(inode));
946 }
947 
948 static const struct super_operations kvm_gmem_super_operations = {
949 	.statfs		= simple_statfs,
950 	.alloc_inode	= kvm_gmem_alloc_inode,
951 	.destroy_inode	= kvm_gmem_destroy_inode,
952 	.free_inode	= kvm_gmem_free_inode,
953 };
954 
955 static int kvm_gmem_init_fs_context(struct fs_context *fc)
956 {
957 	struct pseudo_fs_context *ctx;
958 
959 	if (!init_pseudo(fc, GUEST_MEMFD_MAGIC))
960 		return -ENOMEM;
961 
962 	fc->s_iflags |= SB_I_NOEXEC;
963 	fc->s_iflags |= SB_I_NODEV;
964 	ctx = fc->fs_private;
965 	ctx->ops = &kvm_gmem_super_operations;
966 
967 	return 0;
968 }
969 
970 static struct file_system_type kvm_gmem_fs = {
971 	.name		 = "guest_memfd",
972 	.init_fs_context = kvm_gmem_init_fs_context,
973 	.kill_sb	 = kill_anon_super,
974 };
975 
976 static int kvm_gmem_init_mount(void)
977 {
978 	kvm_gmem_mnt = kern_mount(&kvm_gmem_fs);
979 
980 	if (IS_ERR(kvm_gmem_mnt))
981 		return PTR_ERR(kvm_gmem_mnt);
982 
983 	kvm_gmem_mnt->mnt_flags |= MNT_NOEXEC;
984 	return 0;
985 }
986 
987 int kvm_gmem_init(struct module *module)
988 {
989 	struct kmem_cache_args args = {
990 		.align = 0,
991 		.ctor = kvm_gmem_init_inode_once,
992 	};
993 	int ret;
994 
995 	kvm_gmem_fops.owner = module;
996 	kvm_gmem_inode_cachep = kmem_cache_create("kvm_gmem_inode_cache",
997 						  sizeof(struct gmem_inode),
998 						  &args, SLAB_ACCOUNT);
999 	if (!kvm_gmem_inode_cachep)
1000 		return -ENOMEM;
1001 
1002 	ret = kvm_gmem_init_mount();
1003 	if (ret) {
1004 		kmem_cache_destroy(kvm_gmem_inode_cachep);
1005 		return ret;
1006 	}
1007 	return 0;
1008 }
1009 
1010 void kvm_gmem_exit(void)
1011 {
1012 	kern_unmount(kvm_gmem_mnt);
1013 	kvm_gmem_mnt = NULL;
1014 	rcu_barrier();
1015 	kmem_cache_destroy(kvm_gmem_inode_cachep);
1016 }
1017