1 // SPDX-License-Identifier: GPL-2.0
2 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
3 
4 #include "mmu.h"
5 #include "mmu_internal.h"
6 #include "mmutrace.h"
7 #include "tdp_iter.h"
8 #include "tdp_mmu.h"
9 #include "spte.h"
10 
11 #include <asm/cmpxchg.h>
12 #include <trace/events/kvm.h>
13 
/*
 * Allocate the per-VM state used by the TDP MMU: the list of roots, the
 * spinlock that protects it, and the workqueue on which invalidated roots are
 * zapped asynchronously.
 *
 * Note, no enablement check is performed here; the caller decides whether the
 * TDP MMU is in use before calling.
 *
 * Returns 1 on success, -ENOMEM if the zap workqueue could not be allocated.
 */
int kvm_mmu_init_tdp_mmu(struct kvm *kvm)
{
	struct workqueue_struct *zap_wq;

	/*
	 * Allocate the workqueue first so that a failure leaves the rest of
	 * the per-VM TDP MMU state untouched.
	 */
	zap_wq = alloc_workqueue("kvm", WQ_UNBOUND|WQ_MEM_RECLAIM|WQ_CPU_INTENSIVE, 0);
	if (!zap_wq)
		return -ENOMEM;

	kvm->arch.tdp_mmu_zap_wq = zap_wq;
	spin_lock_init(&kvm->arch.tdp_mmu_pages_lock);
	INIT_LIST_HEAD(&kvm->arch.tdp_mmu_roots);

	return 1;
}
28 
/*
 * Assert (under lockdep) that mmu_lock is held in the mode the caller claims:
 * read mode if @shared, write mode otherwise.
 *
 * Always returns true so that the assertion can be folded into the condition
 * of the for_each_*_root iteration macros below.
 */
static __always_inline bool kvm_lockdep_assert_mmu_lock_held(struct kvm *kvm,
							     bool shared)
{
	if (!shared)
		lockdep_assert_held_write(&kvm->mmu_lock);
	else
		lockdep_assert_held_read(&kvm->mmu_lock);

	return true;
}
40 
/*
 * Tear down the TDP MMU for a VM that is being destroyed: invalidate every
 * root, wait for the asynchronous zapping to finish, and make sure no RCU
 * callback that frees a shadow page can outlive the VM.
 *
 * The steps below are order-dependent; see the comment on each one.
 */
void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm)
{
	/*
	 * Invalidate all roots, which besides the obvious, schedules all roots
	 * for zapping and thus puts the TDP MMU's reference to each root, i.e.
	 * ultimately frees all roots.
	 */
	kvm_tdp_mmu_invalidate_all_roots(kvm);

	/*
	 * Destroying a workqueue also first flushes the workqueue, i.e. no
	 * need to invoke kvm_tdp_mmu_zap_invalidated_roots().
	 */
	destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);

	/*
	 * Sanity checks: once the zap work has run, every TDP MMU page should
	 * have been unaccounted and every root unlinked from the list.
	 */
	WARN_ON(atomic64_read(&kvm->arch.tdp_mmu_pages));
	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots));

	/*
	 * Ensure that all the outstanding RCU callbacks to free shadow pages
	 * can run before the VM is torn down.  Work items on tdp_mmu_zap_wq
	 * can call kvm_tdp_mmu_put_root and create new callbacks.
	 */
	rcu_barrier();
}
66 
/*
 * Free a TDP MMU shadow page: first the page holding the page table itself,
 * then the 'struct kvm_mmu_page' header.  @sp is dead after the second call
 * and must not be touched afterwards.
 */
static void tdp_mmu_free_sp(struct kvm_mmu_page *sp)
{
	unsigned long spt = (unsigned long)sp->spt;

	free_page(spt);
	kmem_cache_free(mmu_page_header_cache, sp);
}
72 
/*
 * RCU callback that frees a TDP MMU shadow page.
 *
 * Page table memory is only ever freed through this callback, i.e. after a
 * grace period, because other threads access TDP MMU page tables locklessly
 * inside RCU read-side critical sections.  Deferring the free guarantees that
 * such a reader never dereferences memory that has already been released.
 */
static void tdp_mmu_free_sp_rcu_callback(struct rcu_head *head)
{
	tdp_mmu_free_sp(container_of(head, struct kvm_mmu_page, rcu_head));
}
88 
/*
 * Forward declaration: tdp_mmu_zap_root() is defined further down but is
 * already needed by tdp_mmu_zap_root_work().
 */
static void tdp_mmu_zap_root(struct kvm *kvm, struct kvm_mmu_page *root,
			     bool shared);
91 
/*
 * Workqueue callback that zaps an invalidated root.  Runs with mmu_lock held
 * for read, i.e. as a "shared" walker, and finishes by dropping the TDP MMU's
 * own reference to the root, which may turn out to be the last one.
 */
static void tdp_mmu_zap_root_work(struct work_struct *work)
{
	struct kvm_mmu_page *root = container_of(work, struct kvm_mmu_page,
						 tdp_mmu_async_work);
	/* The owning VM is stashed in the root by tdp_mmu_schedule_zap_root(). */
	struct kvm *kvm = root->tdp_mmu_async_data;

	read_lock(&kvm->mmu_lock);

	/*
	 * A TLB flush is not necessary as KVM performs a local TLB flush when
	 * allocating a new root (see kvm_mmu_load()), and when migrating vCPU
	 * to a different pCPU.  Note, the local TLB flush on reuse also
	 * invalidates any paging-structure-cache entries, i.e. TLB entries for
	 * intermediate paging structures, that may be zapped, as such entries
	 * are associated with the ASID on both VMX and SVM.
	 */
	tdp_mmu_zap_root(kvm, root, true);

	/*
	 * Drop the refcount using kvm_tdp_mmu_put_root() to test its logic for
	 * avoiding an infinite loop.  By design, the root is reachable while
	 * it's being asynchronously zapped, thus a different task can put its
	 * last reference, i.e. flowing through kvm_tdp_mmu_put_root() for an
	 * asynchronously zapped root is unavoidable.
	 */
	kvm_tdp_mmu_put_root(kvm, root, true);

	read_unlock(&kvm->mmu_lock);
}
121 
/*
 * Queue @root for asynchronous zapping on the VM's zap workqueue.  The VM
 * pointer is stashed in the root so that tdp_mmu_zap_root_work() can recover
 * it from the work_struct alone.
 */
static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root)
{
	struct work_struct *work = &root->tdp_mmu_async_work;

	INIT_WORK(work, tdp_mmu_zap_root_work);
	root->tdp_mmu_async_data = kvm;
	queue_work(kvm->arch.tdp_mmu_zap_wq, work);
}
128 
/*
 * Drop a reference to @root.  If that was the last reference, unlink the root
 * from kvm->arch.tdp_mmu_roots and schedule it to be freed after an RCU grace
 * period, so that a lockless walker still looking at the root is not left
 * with a dangling pointer.
 *
 * @shared: true if mmu_lock is held for read, false if it is held for write.
 */
void kvm_tdp_mmu_put_root(struct kvm *kvm, struct kvm_mmu_page *root,
			  bool shared)
{
	kvm_lockdep_assert_mmu_lock_held(kvm, shared);

	if (!refcount_dec_and_test(&root->tdp_mmu_root_count))
		return;

	/*
	 * The TDP MMU itself holds a reference to each root until the root is
	 * explicitly invalidated, i.e. the final reference should be never be
	 * put for a valid root.
	 */
	KVM_BUG_ON(!is_tdp_mmu_page(root) || !root->role.invalid, kvm);

	/*
	 * The list is RCU-protected for readers; writers serialize on
	 * tdp_mmu_pages_lock since mmu_lock may only be held for read here.
	 */
	spin_lock(&kvm->arch.tdp_mmu_pages_lock);
	list_del_rcu(&root->link);
	spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
	call_rcu(&root->rcu_head, tdp_mmu_free_sp_rcu_callback);
}
149 
/*
 * Returns the next root after @prev_root (or the first root if @prev_root is
 * NULL).  A reference to the returned root is acquired, and the reference to
 * @prev_root is released (the caller obviously must hold a reference to
 * @prev_root if it's non-NULL).
 *
 * If @only_valid is true, invalid roots are skipped.
 *
 * @shared is only used to tell kvm_tdp_mmu_put_root() how mmu_lock is held.
 *
 * Returns NULL if the end of tdp_mmu_roots was reached.
 */
static struct kvm_mmu_page *tdp_mmu_next_root(struct kvm *kvm,
					      struct kvm_mmu_page *prev_root,
					      bool shared, bool only_valid)
{
	struct kvm_mmu_page *next_root;

	/*
	 * The list walk is done under RCU rather than tdp_mmu_pages_lock, as
	 * roots may be unlinked concurrently (see kvm_tdp_mmu_put_root()).
	 */
	rcu_read_lock();

	if (prev_root)
		next_root = list_next_or_null_rcu(&kvm->arch.tdp_mmu_roots,
						  &prev_root->link,
						  typeof(*prev_root), link);
	else
		next_root = list_first_or_null_rcu(&kvm->arch.tdp_mmu_roots,
						   typeof(*next_root), link);

	/*
	 * Skip roots that are filtered out by @only_valid and roots whose
	 * reference can no longer be acquired; stop at the first root that
	 * passes both checks.
	 */
	while (next_root) {
		if ((!only_valid || !next_root->role.invalid) &&
		    kvm_tdp_mmu_get_root(next_root))
			break;

		next_root = list_next_or_null_rcu(&kvm->arch.tdp_mmu_roots,
				&next_root->link, typeof(*next_root), link);
	}

	rcu_read_unlock();

	/* Release @prev_root only after the RCU section, not inside it. */
	if (prev_root)
		kvm_tdp_mmu_put_root(kvm, prev_root, shared);

	return next_root;
}
192 
/*
 * Note: this iterator gets and puts references to the roots it iterates over.
 * This makes it safe to release the MMU lock and yield within the loop, but
 * if exiting the loop early, the caller must drop the reference to the most
 * recent root. (Unless keeping a live reference is desirable.)
 *
 * If shared is set, this function is operating under the MMU lock in read
 * mode. In the unlikely event that this thread must free a root, the lock
 * will be temporarily dropped and reacquired in write mode.
 *
 * NOTE(review): the kvm_tdp_mmu_put_root() visible in this file does not drop
 * or upgrade mmu_lock when it frees a root (it takes tdp_mmu_pages_lock and
 * defers the free to RCU), so the previous paragraph looks stale -- confirm.
 *
 * The empty "if (...) { } else" arm filters out roots belonging to a different
 * address space while keeping the macro usable with a single trailing
 * statement; the lockdep assert is folded into the condition because it
 * always returns true.
 */
#define __for_each_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, _shared, _only_valid)\
	for (_root = tdp_mmu_next_root(_kvm, NULL, _shared, _only_valid);	\
	     _root;								\
	     _root = tdp_mmu_next_root(_kvm, _root, _shared, _only_valid))	\
		if (kvm_lockdep_assert_mmu_lock_held(_kvm, _shared) &&		\
		    kvm_mmu_page_as_id(_root) != _as_id) {			\
		} else

/* As above, but roots marked invalid are skipped. */
#define for_each_valid_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, _shared)	\
	__for_each_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, _shared, true)

/* Visits every root, invalid ones included; mmu_lock must be held for write. */
#define for_each_tdp_mmu_root_yield_safe(_kvm, _root, _as_id)			\
	__for_each_tdp_mmu_root_yield_safe(_kvm, _root, _as_id, false, false)
216 
/*
 * Iterate over all TDP MMU roots.  Requires that mmu_lock be held for write,
 * the implication being that any flow that holds mmu_lock for read is
 * inherently yield-friendly and should use the yield-safe variant above.
 * Holding mmu_lock for write obviates the need for RCU protection as the list
 * is guaranteed to be stable.
 *
 * Unlike the yield-safe variants, no reference is acquired on @_root, so the
 * loop body must not release mmu_lock.
 */
#define for_each_tdp_mmu_root(_kvm, _root, _as_id)			\
	list_for_each_entry(_root, &_kvm->arch.tdp_mmu_roots, link)	\
		if (kvm_lockdep_assert_mmu_lock_held(_kvm, false) &&	\
		    kvm_mmu_page_as_id(_root) != _as_id) {		\
		} else
229 
/*
 * Allocate a shadow page (header plus page table page) for @vcpu from the
 * vCPU's pre-filled memory caches.  The caches are presumably topped up by
 * the caller beforehand; that is not checked here.
 */
static struct kvm_mmu_page *tdp_mmu_alloc_sp(struct kvm_vcpu *vcpu)
{
	struct kvm_mmu_page *sp = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);

	sp->spt = kvm_mmu_memory_cache_alloc(&vcpu->arch.mmu_shadow_page_cache);
	return sp;
}
239 
/*
 * Initialize a freshly allocated shadow page.
 *
 * @sp:    the shadow page to initialize
 * @sptep: pointer to the parent SPTE that will map @sp (NULL for a root)
 * @gfn:   the base GFN covered by @sp
 * @role:  the page role to record in @sp
 *
 * The backing page's private field is pointed back at @sp so that the
 * 'struct kvm_mmu_page' can be recovered from a page table pointer.
 */
static void tdp_mmu_init_sp(struct kvm_mmu_page *sp, tdp_ptep_t sptep,
			    gfn_t gfn, union kvm_mmu_page_role role)
{
	sp->tdp_mmu_page = true;
	sp->ptep = sptep;
	sp->gfn = gfn;
	sp->role = role;

	INIT_LIST_HEAD(&sp->possible_nx_huge_page_link);
	set_page_private(virt_to_page(sp->spt), (unsigned long)sp);

	trace_kvm_mmu_get_page(sp, true);
}
254 
/*
 * Initialize @child_sp as the child of the page table that @iter is currently
 * positioned in: same role as the parent, one level down, mapped by the
 * iterator's current SPTE and covering the iterator's current gfn.
 */
static void tdp_mmu_init_child_sp(struct kvm_mmu_page *child_sp,
				  struct tdp_iter *iter)
{
	union kvm_mmu_page_role role = sptep_to_sp(rcu_dereference(iter->sptep))->role;

	role.level--;
	tdp_mmu_init_sp(child_sp, iter->sptep, iter->gfn, role);
}
268 
/*
 * Return the physical address of a TDP MMU root for the vCPU's current root
 * role, reusing an existing valid root with the same role if there is one and
 * allocating and publishing a new root otherwise.  In both cases the returned
 * root carries a reference for the vCPU.  Must be called with mmu_lock held
 * for write.
 */
hpa_t kvm_tdp_mmu_get_vcpu_root_hpa(struct kvm_vcpu *vcpu)
{
	union kvm_mmu_page_role role = vcpu->arch.mmu->root_role;
	struct kvm *kvm = vcpu->kvm;
	struct kvm_mmu_page *root;

	lockdep_assert_held_write(&kvm->mmu_lock);

	/*
	 * Check for an existing root before allocating a new one.  Note, the
	 * role check prevents consuming an invalid root.
	 */
	for_each_tdp_mmu_root(kvm, root, kvm_mmu_role_as_id(role)) {
		if (root->role.word == role.word &&
		    kvm_tdp_mmu_get_root(root))
			goto out;
	}

	/* A root has no parent SPTE and covers the whole gfn space from 0. */
	root = tdp_mmu_alloc_sp(vcpu);
	tdp_mmu_init_sp(root, NULL, 0, role);

	/*
	 * TDP MMU roots are kept until they are explicitly invalidated, either
	 * by a memslot update or by the destruction of the VM.  Initialize the
	 * refcount to two; one reference for the vCPU, and one reference for
	 * the TDP MMU itself, which is held until the root is invalidated and
	 * is ultimately put by tdp_mmu_zap_root_work().
	 */
	refcount_set(&root->tdp_mmu_root_count, 2);

	/* Publish the root; RCU readers may see it as soon as it's linked. */
	spin_lock(&kvm->arch.tdp_mmu_pages_lock);
	list_add_rcu(&root->link, &kvm->arch.tdp_mmu_roots);
	spin_unlock(&kvm->arch.tdp_mmu_pages_lock);

out:
	return __pa(root->spt);
}
306 
/*
 * Forward declaration: handle_changed_spte() and handle_removed_pt() are
 * mutually recursive, see their definitions below.
 */
static void handle_changed_spte(struct kvm *kvm, int as_id, gfn_t gfn,
				u64 old_spte, u64 new_spte, int level,
				bool shared);
310 
/*
 * Account a newly linked TDP MMU page: bump the VM-wide TDP MMU page count
 * and the generic page-table page accounting for the backing page.
 */
static void tdp_account_mmu_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	void *spt = (void *)sp->spt;

	atomic64_inc(&kvm->arch.tdp_mmu_pages);
	kvm_account_pgtable_pages(spt, +1);
}
316 
/*
 * Undo tdp_account_mmu_page() for a page that is being unlinked from the
 * paging structure.
 */
static void tdp_unaccount_mmu_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	void *spt = (void *)sp->spt;

	atomic64_dec(&kvm->arch.tdp_mmu_pages);
	kvm_account_pgtable_pages(spt, -1);
}
322 
/**
 * tdp_mmu_unlink_sp() - Remove a shadow page from the list of used pages
 *
 * @kvm: kvm instance
 * @sp: the page to be removed
 * @shared: This operation may not be running under the exclusive use of
 *	    the MMU lock and the operation must synchronize with other
 *	    threads that might be adding or removing pages.
 *
 * Besides dropping the accounting, this also removes @sp from the
 * possible-NX-huge-page tracking if it was ever added there.
 */
static void tdp_mmu_unlink_sp(struct kvm *kvm, struct kvm_mmu_page *sp,
			      bool shared)
{
	tdp_unaccount_mmu_page(kvm, sp);

	if (!sp->nx_huge_page_disallowed)
		return;

	/*
	 * The NX huge page tracking is protected by tdp_mmu_pages_lock when
	 * running with mmu_lock held for read; with mmu_lock held for write
	 * the caller already has exclusive access and no spinlock is needed.
	 */
	if (shared)
		spin_lock(&kvm->arch.tdp_mmu_pages_lock);
	else
		lockdep_assert_held_write(&kvm->mmu_lock);

	sp->nx_huge_page_disallowed = false;
	untrack_possible_nx_huge_page(kvm, sp);

	if (shared)
		spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
}
351 
/**
 * handle_removed_pt() - handle a page table removed from the TDP structure
 *
 * @kvm: kvm instance
 * @pt: the page removed from the paging structure
 * @shared: This operation may not be running under the exclusive use
 *	    of the MMU lock and the operation must synchronize with other
 *	    threads that might be modifying SPTEs.
 *
 * Given a page table that has been removed from the TDP paging structure,
 * iterates through the page table to clear SPTEs and free child page tables.
 *
 * Note that pt is passed in as a tdp_ptep_t, but it does not need RCU
 * protection. Since this thread removed it from the paging structure,
 * this thread will be responsible for ensuring the page is freed. Hence the
 * early rcu_dereferences in the function.
 */
static void handle_removed_pt(struct kvm *kvm, tdp_ptep_t pt, bool shared)
{
	struct kvm_mmu_page *sp = sptep_to_sp(rcu_dereference(pt));
	int level = sp->role.level;
	gfn_t base_gfn = sp->gfn;
	int i;

	trace_kvm_mmu_prepare_zap_page(sp);

	tdp_mmu_unlink_sp(kvm, sp, shared);

	/* Each entry of a level-N table covers KVM_PAGES_PER_HPAGE(N) gfns. */
	for (i = 0; i < SPTE_ENT_PER_PAGE; i++) {
		tdp_ptep_t sptep = pt + i;
		gfn_t gfn = base_gfn + i * KVM_PAGES_PER_HPAGE(level);
		u64 old_spte;

		if (shared) {
			/*
			 * Set the SPTE to a nonpresent value that other
			 * threads will not overwrite. If the SPTE was
			 * already marked as removed then another thread
			 * handling a page fault could overwrite it, so
			 * set the SPTE until it is set from some other
			 * value to the removed SPTE value.
			 *
			 * In other words, spin until this thread is the one
			 * that transitions the SPTE into the removed state.
			 */
			for (;;) {
				old_spte = kvm_tdp_mmu_write_spte_atomic(sptep, REMOVED_SPTE);
				if (!is_removed_spte(old_spte))
					break;
				cpu_relax();
			}
		} else {
			/*
			 * If the SPTE is not MMU-present, there is no backing
			 * page associated with the SPTE and so no side effects
			 * that need to be recorded, and exclusive ownership of
			 * mmu_lock ensures the SPTE can't be made present.
			 * Note, zapping MMIO SPTEs is also unnecessary as they
			 * are guarded by the memslots generation, not by being
			 * unreachable.
			 */
			old_spte = kvm_tdp_mmu_read_spte(sptep);
			if (!is_shadow_present_pte(old_spte))
				continue;

			/*
			 * Use the common helper instead of a raw WRITE_ONCE as
			 * the SPTE needs to be updated atomically if it can be
			 * modified by a different vCPU outside of mmu_lock.
			 * Even though the parent SPTE is !PRESENT, the TLB
			 * hasn't yet been flushed, and both Intel and AMD
			 * document that A/D assists can use upper-level PxE
			 * entries that are cached in the TLB, i.e. the CPU can
			 * still access the page and mark it dirty.
			 *
			 * No retry is needed in the atomic update path as the
			 * sole concern is dropping a Dirty bit, i.e. no other
			 * task can zap/remove the SPTE as mmu_lock is held for
			 * write.  Marking the SPTE as a removed SPTE is not
			 * strictly necessary for the same reason, but using
			 * the remove SPTE value keeps the shared/exclusive
			 * paths consistent and allows the handle_changed_spte()
			 * call below to hardcode the new value to REMOVED_SPTE.
			 *
			 * Note, even though dropping a Dirty bit is the only
			 * scenario where a non-atomic update could result in a
			 * functional bug, simply checking the Dirty bit isn't
			 * sufficient as a fast page fault could read the upper
			 * level SPTE before it is zapped, and then make this
			 * target SPTE writable, resume the guest, and set the
			 * Dirty bit between reading the SPTE above and writing
			 * it here.
			 */
			old_spte = kvm_tdp_mmu_write_spte(sptep, old_spte,
							  REMOVED_SPTE, level);
		}
		/*
		 * Do the bookkeeping for the zapped entry; if it pointed at a
		 * child page table this recurses into handle_removed_pt().
		 */
		handle_changed_spte(kvm, kvm_mmu_page_as_id(sp), gfn,
				    old_spte, REMOVED_SPTE, level, shared);
	}

	/*
	 * Lockless walkers may still hold a pointer to this page table, so it
	 * is freed only after a grace period (see tdp_mmu_free_sp_rcu_callback).
	 */
	call_rcu(&sp->rcu_head, tdp_mmu_free_sp_rcu_callback);
}
451 
/**
 * handle_changed_spte - handle bookkeeping associated with an SPTE change
 * @kvm: kvm instance
 * @as_id: the address space of the paging structure the SPTE was a part of
 * @gfn: the base GFN that was mapped by the SPTE
 * @old_spte: The value of the SPTE before the change
 * @new_spte: The value of the SPTE after the change
 * @level: the level of the PT the SPTE is part of in the paging structure
 * @shared: This operation may not be running under the exclusive use of
 *	    the MMU lock and the operation must synchronize with other
 *	    threads that might be modifying SPTEs.
 *
 * Handle bookkeeping that might result from the modification of a SPTE.  Note,
 * dirty logging updates are handled in common code, not here (see make_spte()
 * and fast_pf_fix_direct_spte()).
 *
 * The SPTE itself has already been written by the caller; this function only
 * reacts to the old/new pair: page stats, A/D bit write-back to the backing
 * page, and tearing down a child page table that is no longer reachable.
 */
static void handle_changed_spte(struct kvm *kvm, int as_id, gfn_t gfn,
				u64 old_spte, u64 new_spte, int level,
				bool shared)
{
	bool was_present = is_shadow_present_pte(old_spte);
	bool is_present = is_shadow_present_pte(new_spte);
	bool was_leaf = was_present && is_last_spte(old_spte, level);
	bool is_leaf = is_present && is_last_spte(new_spte, level);
	bool pfn_changed = spte_to_pfn(old_spte) != spte_to_pfn(new_spte);

	/* Sanity checks on the caller-supplied level and gfn alignment. */
	WARN_ON(level > PT64_ROOT_MAX_LEVEL);
	WARN_ON(level < PG_LEVEL_4K);
	WARN_ON(gfn & (KVM_PAGES_PER_HPAGE(level) - 1));

	/*
	 * If this warning were to trigger it would indicate that there was a
	 * missing MMU notifier or a race with some notifier handler.
	 * A present, leaf SPTE should never be directly replaced with another
	 * present leaf SPTE pointing to a different PFN. A notifier handler
	 * should be zapping the SPTE before the main MM's page table is
	 * changed, or the SPTE should be zeroed, and the TLBs flushed by the
	 * thread before replacement.
	 */
	if (was_leaf && is_leaf && pfn_changed) {
		pr_err("Invalid SPTE change: cannot replace a present leaf\n"
		       "SPTE with another present leaf SPTE mapping a\n"
		       "different PFN!\n"
		       "as_id: %d gfn: %llx old_spte: %llx new_spte: %llx level: %d",
		       as_id, gfn, old_spte, new_spte, level);

		/*
		 * Crash the host to prevent error propagation and guest data
		 * corruption.  Continuing would leave the guest with a live
		 * mapping to a PFN that the primary MM may no longer consider
		 * the guest's, so failing closed is the only safe option.
		 */
		BUG();
	}

	if (old_spte == new_spte)
		return;

	trace_kvm_tdp_mmu_spte_changed(as_id, gfn, level, old_spte, new_spte);

	if (is_leaf)
		check_spte_writable_invariants(new_spte);

	/*
	 * The only times a SPTE should be changed from a non-present to
	 * non-present state is when an MMIO entry is installed/modified/
	 * removed. In that case, there is nothing to do here.
	 */
	if (!was_present && !is_present) {
		/*
		 * If this change does not involve a MMIO SPTE or removed SPTE,
		 * it is unexpected. Log the change, though it should not
		 * impact the guest since both the former and current SPTEs
		 * are nonpresent.
		 */
		if (WARN_ON(!is_mmio_spte(old_spte) &&
			    !is_mmio_spte(new_spte) &&
			    !is_removed_spte(new_spte)))
			pr_err("Unexpected SPTE change! Nonpresent SPTEs\n"
			       "should not be replaced with another,\n"
			       "different nonpresent SPTE, unless one or both\n"
			       "are MMIO SPTEs, or the new SPTE is\n"
			       "a temporary removed SPTE.\n"
			       "as_id: %d gfn: %llx old_spte: %llx new_spte: %llx level: %d",
			       as_id, gfn, old_spte, new_spte, level);
		return;
	}

	/* A leaf appearing or disappearing changes the per-level page stats. */
	if (is_leaf != was_leaf)
		kvm_update_page_stats(kvm, level, is_leaf ? 1 : -1);

	/*
	 * Propagate a Dirty bit to the backing page before the old mapping is
	 * lost, i.e. when the SPTE goes away, loses its Dirty bit, or now maps
	 * a different PFN.
	 */
	if (was_leaf && is_dirty_spte(old_spte) &&
	    (!is_present || !is_dirty_spte(new_spte) || pfn_changed))
		kvm_set_pfn_dirty(spte_to_pfn(old_spte));

	/*
	 * Recursively handle child PTs if the change removed a subtree from
	 * the paging structure.  Note the WARN on the PFN changing without the
	 * SPTE being converted to a hugepage (leaf) or being zapped.  Shadow
	 * pages are kernel allocations and should never be migrated.
	 */
	if (was_present && !was_leaf &&
	    (is_leaf || !is_present || WARN_ON_ONCE(pfn_changed)))
		handle_removed_pt(kvm, spte_to_child_pt(old_spte, level), shared);

	/* Same as the Dirty bit above, for the Accessed bit. */
	if (was_leaf && is_accessed_spte(old_spte) &&
	    (!is_present || !is_accessed_spte(new_spte) || pfn_changed))
		kvm_set_pfn_accessed(spte_to_pfn(old_spte));
}
559 
/*
 * tdp_mmu_set_spte_atomic - Set a TDP MMU SPTE atomically
 * and handle the associated bookkeeping.  Do not mark the page dirty
 * in KVM's dirty bitmaps.
 *
 * If setting the SPTE fails because it has changed, iter->old_spte will be
 * refreshed to the current value of the spte.
 *
 * Must be called with mmu_lock held for read; the cmpxchg is what makes the
 * update safe against other threads modifying the same SPTE.
 *
 * @kvm: kvm instance
 * @iter: a tdp_iter instance currently on the SPTE that should be set
 * @new_spte: The value the SPTE should be set to
 * Return:
 * * 0      - If the SPTE was set.
 * * -EBUSY - If the SPTE cannot be set. In this case this function will have
 *            no side-effects other than setting iter->old_spte to the last
 *            known value of the spte.
 */
static inline int tdp_mmu_set_spte_atomic(struct kvm *kvm,
					  struct tdp_iter *iter,
					  u64 new_spte)
{
	u64 *sptep = rcu_dereference(iter->sptep);

	/*
	 * The caller is responsible for ensuring the old SPTE is not a REMOVED
	 * SPTE.  KVM should never attempt to zap or manipulate a REMOVED SPTE,
	 * and pre-checking before inserting a new SPTE is advantageous as it
	 * avoids unnecessary work.
	 */
	WARN_ON_ONCE(iter->yielded || is_removed_spte(iter->old_spte));

	lockdep_assert_held_read(&kvm->mmu_lock);

	/*
	 * Note, fast_pf_fix_direct_spte() can also modify TDP MMU SPTEs and
	 * does not hold the mmu_lock.
	 *
	 * On failure try_cmpxchg64() stores the current SPTE value into
	 * iter->old_spte, which is exactly the -EBUSY contract above.
	 */
	if (!try_cmpxchg64(sptep, &iter->old_spte, new_spte))
		return -EBUSY;

	handle_changed_spte(kvm, iter->as_id, iter->gfn, iter->old_spte,
			    new_spte, iter->level, true);

	return 0;
}
605 
/*
 * Zap a single SPTE while holding mmu_lock for read: freeze it with
 * REMOVED_SPTE, flush the remote TLBs for its gfn, then clear it to zero.
 *
 * Returns 0 on success, or -EBUSY (with iter->old_spte refreshed) if the SPTE
 * changed before it could be frozen.
 */
static inline int tdp_mmu_zap_spte_atomic(struct kvm *kvm,
					  struct tdp_iter *iter)
{
	int ret;

	/*
	 * Freeze the SPTE by setting it to a special,
	 * non-present value. This will stop other threads from
	 * immediately installing a present entry in its place
	 * before the TLBs are flushed.
	 */
	ret = tdp_mmu_set_spte_atomic(kvm, iter, REMOVED_SPTE);
	if (ret)
		return ret;

	kvm_flush_remote_tlbs_gfn(kvm, iter->gfn, iter->level);

	/*
	 * No other thread can overwrite the removed SPTE as they must either
	 * wait on the MMU lock or use tdp_mmu_set_spte_atomic() which will not
	 * overwrite the special removed SPTE value. No bookkeeping is needed
	 * here since the SPTE is going from non-present to non-present.  Use
	 * the raw write helper to avoid an unnecessary check on volatile bits.
	 */
	__kvm_tdp_mmu_write_spte(iter->sptep, 0);

	return 0;
}
634 
635 
636 /*
637  * tdp_mmu_set_spte - Set a TDP MMU SPTE and handle the associated bookkeeping
638  * @kvm:	      KVM instance
639  * @as_id:	      Address space ID, i.e. regular vs. SMM
640  * @sptep:	      Pointer to the SPTE
641  * @old_spte:	      The current value of the SPTE
642  * @new_spte:	      The new value that will be set for the SPTE
643  * @gfn:	      The base GFN that was (or will be) mapped by the SPTE
644  * @level:	      The level _containing_ the SPTE (its parent PT's level)
645  *
646  * Returns the old SPTE value, which _may_ be different than @old_spte if the
647  * SPTE had voldatile bits.
648  */
649 static u64 tdp_mmu_set_spte(struct kvm *kvm, int as_id, tdp_ptep_t sptep,
650 			    u64 old_spte, u64 new_spte, gfn_t gfn, int level)
651 {
652 	lockdep_assert_held_write(&kvm->mmu_lock);
653 
654 	/*
655 	 * No thread should be using this function to set SPTEs to or from the
656 	 * temporary removed SPTE value.
657 	 * If operating under the MMU lock in read mode, tdp_mmu_set_spte_atomic
658 	 * should be used. If operating under the MMU lock in write mode, the
659 	 * use of the removed SPTE should not be necessary.
660 	 */
661 	WARN_ON(is_removed_spte(old_spte) || is_removed_spte(new_spte));
662 
663 	old_spte = kvm_tdp_mmu_write_spte(sptep, old_spte, new_spte, level);
664 
665 	handle_changed_spte(kvm, as_id, gfn, old_spte, new_spte, level, false);
666 	return old_spte;
667 }
668 
/*
 * Iterator-based wrapper around tdp_mmu_set_spte(): write @new_spte at the
 * iterator's current position and refresh iter->old_spte with the value that
 * was actually replaced.  The iterator must not have yielded.
 */
static inline void tdp_mmu_iter_set_spte(struct kvm *kvm, struct tdp_iter *iter,
					 u64 new_spte)
{
	u64 replaced;

	WARN_ON_ONCE(iter->yielded);

	replaced = tdp_mmu_set_spte(kvm, iter->as_id, iter->sptep, iter->old_spte,
				    new_spte, iter->gfn, iter->level);
	iter->old_spte = replaced;
}
677 
/* Walk every SPTE of @_root in the gfn range [_start, _end). */
#define tdp_root_for_each_pte(_iter, _root, _start, _end) \
	for_each_tdp_pte(_iter, _root, _start, _end)

/*
 * As above, but the loop body only runs for present leaf SPTEs; the
 * "continue; else" construct lets the macro take a single trailing statement.
 */
#define tdp_root_for_each_leaf_pte(_iter, _root, _start, _end)	\
	tdp_root_for_each_pte(_iter, _root, _start, _end)		\
		if (!is_shadow_present_pte(_iter.old_spte) ||		\
		    !is_last_spte(_iter.old_spte, _iter.level))		\
			continue;					\
		else

/* Walk the SPTEs of the root currently loaded in @_mmu. */
#define tdp_mmu_for_each_pte(_iter, _mmu, _start, _end)		\
	for_each_tdp_pte(_iter, to_shadow_page(_mmu->root.hpa), _start, _end)
690 
/*
 * Yield if the MMU lock is contended or this thread needs to return control
 * to the scheduler.
 *
 * If this function should yield and flush is set, it will perform a remote
 * TLB flush before yielding.
 *
 * If this function yields, iter->yielded is set and the caller must skip to
 * the next iteration, where tdp_iter_next() will reset the tdp_iter's walk
 * over the paging structures to allow the iterator to continue its traversal
 * from the paging structure root.
 *
 * @shared selects whether mmu_lock is released/reacquired in read or write
 * mode.
 *
 * Returns true if this function yielded.
 */
static inline bool __must_check tdp_mmu_iter_cond_resched(struct kvm *kvm,
							  struct tdp_iter *iter,
							  bool flush, bool shared)
{
	WARN_ON(iter->yielded);

	/*
	 * Ensure forward progress has been made before yielding.
	 * NOTE(review): yielded_gfn is presumably recorded by the iterator
	 * when it restarts after a yield (tdp_iter_next()) -- not visible here.
	 */
	if (iter->next_last_level_gfn == iter->yielded_gfn)
		return false;

	if (need_resched() || rwlock_needbreak(&kvm->mmu_lock)) {
		/* Any zapped SPTEs must be flushed before other tasks run. */
		if (flush)
			kvm_flush_remote_tlbs(kvm);

		/*
		 * Leave the RCU read-side section before possibly sleeping in
		 * cond_resched_rwlock_*(); the iterator restarts its walk from
		 * the root afterwards, so nothing read under the old RCU
		 * section is reused.
		 */
		rcu_read_unlock();

		if (shared)
			cond_resched_rwlock_read(&kvm->mmu_lock);
		else
			cond_resched_rwlock_write(&kvm->mmu_lock);

		rcu_read_lock();

		WARN_ON(iter->gfn > iter->next_last_level_gfn);

		iter->yielded = true;
	}

	return iter->yielded;
}
735 
/*
 * Upper bound (exclusive) for TDP MMU walks, i.e. one past the largest gfn
 * the VM can address.
 */
static inline gfn_t tdp_mmu_max_gfn_exclusive(void)
{
	gfn_t max_gfn = kvm_mmu_max_gfn();

	/*
	 * Bound TDP MMU walks at host.MAXPHYADDR.  KVM disallows memslots with
	 * a gpa range that would exceed the max gfn, and KVM does not create
	 * MMIO SPTEs for "impossible" gfns, instead sending such accesses down
	 * the slow emulation path every time.
	 */
	return max_gfn + 1;
}
746 
/*
 * Zap every present SPTE at @zap_level (and, via the recursion in
 * handle_changed_spte() -> handle_removed_pt(), everything beneath it) across
 * the whole gfn range of @root.
 *
 * @shared selects the read-lock (atomic cmpxchg) or write-lock SPTE update
 * path.  In the atomic path a lost race retries the same SPTE with the
 * refreshed iter.old_spte.  Must be called inside an RCU read-side section.
 */
static void __tdp_mmu_zap_root(struct kvm *kvm, struct kvm_mmu_page *root,
			       bool shared, int zap_level)
{
	struct tdp_iter iter;

	gfn_t end = tdp_mmu_max_gfn_exclusive();
	gfn_t start = 0;

	for_each_tdp_pte_min_level(iter, root, zap_level, start, end) {
retry:
		if (tdp_mmu_iter_cond_resched(kvm, &iter, false, shared))
			continue;

		if (!is_shadow_present_pte(iter.old_spte))
			continue;

		/* Only entries at exactly @zap_level are zapped here. */
		if (iter.level > zap_level)
			continue;

		if (!shared)
			tdp_mmu_iter_set_spte(kvm, &iter, 0);
		else if (tdp_mmu_set_spte_atomic(kvm, &iter, 0))
			goto retry;
	}
}
772 
/*
 * Zap all SPTEs of @root.  The root must still be reachable (hold a non-zero
 * refcount) because the zap can yield; see the comment below.
 *
 * @shared: true if mmu_lock is held for read, false if held for write.
 */
static void tdp_mmu_zap_root(struct kvm *kvm, struct kvm_mmu_page *root,
			     bool shared)
{

	/*
	 * The root must have an elevated refcount so that it's reachable via
	 * mmu_notifier callbacks, which allows this path to yield and drop
	 * mmu_lock.  When handling an unmap/release mmu_notifier command, KVM
	 * must drop all references to relevant pages prior to completing the
	 * callback.  Dropping mmu_lock with an unreachable root would result
	 * in zapping SPTEs after a relevant mmu_notifier callback completes
	 * and lead to use-after-free as zapping a SPTE triggers "writeback" of
	 * dirty accessed bits to the SPTE's associated struct page.
	 */
	WARN_ON_ONCE(!refcount_read(&root->tdp_mmu_root_count));

	kvm_lockdep_assert_mmu_lock_held(kvm, shared);

	rcu_read_lock();

	/*
	 * To avoid RCU stalls due to recursively removing huge swaths of SPs,
	 * split the zap into two passes.  On the first pass, zap at the 1gb
	 * level, and then zap top-level SPs on the second pass.  "1gb" is not
	 * arbitrary, as KVM must be able to zap a 1gb shadow page without
	 * inducing a stall to allow in-place replacement with a 1gb hugepage.
	 *
	 * Because zapping a SP recurses on its children, stepping down to
	 * PG_LEVEL_4K in the iterator itself is unnecessary.
	 */
	__tdp_mmu_zap_root(kvm, root, shared, PG_LEVEL_1G);
	__tdp_mmu_zap_root(kvm, root, shared, root->role.level);

	rcu_read_unlock();
}
808 
/*
 * Zap the (non-root) shadow page @sp by clearing the parent SPTE that maps
 * it.  Must be called with mmu_lock held for write.
 *
 * Returns true if the page was zapped, false if @sp has no parent SPTE (i.e.
 * is a root) or its parent SPTE is not present; both cases trigger a WARN.
 */
bool kvm_tdp_mmu_zap_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
{
	tdp_ptep_t parent_sptep = sp->ptep;
	u64 old_spte;

	/*
	 * A root shadow page has no parent page table and thus no entry to
	 * clear; this helper deliberately refuses to handle that case.
	 */
	if (WARN_ON_ONCE(!parent_sptep))
		return false;

	old_spte = kvm_tdp_mmu_read_spte(parent_sptep);
	if (WARN_ON_ONCE(!is_shadow_present_pte(old_spte)))
		return false;

	/* The parent SPTE lives one level above @sp itself. */
	tdp_mmu_set_spte(kvm, kvm_mmu_page_as_id(sp), parent_sptep, old_spte, 0,
			 sp->gfn, sp->role.level + 1);

	return true;
}
829 
/*
 * If can_yield is true, will release the MMU lock and reschedule if the
 * scheduler needs the CPU or there is contention on the MMU lock. If this
 * function cannot yield, it will not release the MMU lock or reschedule and
 * the caller must ensure it does not supply too large a GFN range, or the
 * operation can cause a soft lockup.
 *
 * @flush on entry says whether a TLB flush is already pending; the return
 * value says whether one is pending when this function returns.
 */
static bool tdp_mmu_zap_leafs(struct kvm *kvm, struct kvm_mmu_page *root,
			      gfn_t start, gfn_t end, bool can_yield, bool flush)
{
	struct tdp_iter iter;

	end = min(end, tdp_mmu_max_gfn_exclusive());

	lockdep_assert_held_write(&kvm->mmu_lock);

	rcu_read_lock();

	for_each_tdp_pte_min_level(iter, root, PG_LEVEL_4K, start, end) {
		/*
		 * A yield performs the pending flush (if any) before dropping
		 * the lock, so the pending state is cleared here; any SPTE
		 * zapped afterwards sets it again.
		 */
		if (can_yield &&
		    tdp_mmu_iter_cond_resched(kvm, &iter, flush, false)) {
			flush = false;
			continue;
		}

		if (!is_shadow_present_pte(iter.old_spte) ||
		    !is_last_spte(iter.old_spte, iter.level))
			continue;

		tdp_mmu_iter_set_spte(kvm, &iter, 0);
		flush = true;
	}

	rcu_read_unlock();

	/*
	 * Because this flow zaps _only_ leaf SPTEs, the caller doesn't need
	 * to provide RCU protection as no 'struct kvm_mmu_page' will be freed.
	 */
	return flush;
}
871 
872 /*
873  * Zap leaf SPTEs for the range of gfns, [start, end), for all roots. Returns
874  * true if a TLB flush is needed before releasing the MMU lock, i.e. if one or
875  * more SPTEs were zapped since the MMU lock was last acquired.
876  */
bool kvm_tdp_mmu_zap_leafs(struct kvm *kvm, int as_id, gfn_t start, gfn_t end,
			   bool can_yield, bool flush)
{
	struct kvm_mmu_page *root;
	bool need_flush = flush;

	/* Thread the flush state through every root so no zap is lost. */
	for_each_tdp_mmu_root_yield_safe(kvm, root, as_id)
		need_flush = tdp_mmu_zap_leafs(kvm, root, start, end,
					       can_yield, need_flush);

	return need_flush;
}
887 
void kvm_tdp_mmu_zap_all(struct kvm *kvm)
{
	struct kvm_mmu_page *root;
	int as_id;

	/*
	 * Every root is zapped, invalid ones included, because the caller
	 * expects no SPTE to survive this call.  Zap directly even when a
	 * worker is already zapping the same root: walking already-zapped
	 * top-level SPTEs is cheap, and since mmu_lock is held here the
	 * worker must have yielded, so flushing its work instead wouldn't
	 * necessarily be any faster.
	 *
	 * No TLB flush is needed: KVM zaps everything if and only if the VM
	 * is being destroyed or the userspace VMM has exited, and in both
	 * cases KVM_RUN is unreachable, so no vCPU will ever service it.
	 */
	for (as_id = 0; as_id < KVM_ADDRESS_SPACE_NUM; as_id++) {
		for_each_tdp_mmu_root_yield_safe(kvm, root, as_id)
			tdp_mmu_zap_root(kvm, root, false);
	}
}
910 
911 /*
912  * Zap all invalidated roots to ensure all SPTEs are dropped before the "fast
913  * zap" completes.
914  */
void kvm_tdp_mmu_zap_invalidated_roots(struct kvm *kvm)
{
	struct workqueue_struct *zap_wq = kvm->arch.tdp_mmu_zap_wq;

	/* Each invalidated root is a queued work item; wait for all of them. */
	flush_workqueue(zap_wq);
}
919 
920 /*
921  * Mark each TDP MMU root as invalid to prevent vCPUs from reusing a root that
922  * is about to be zapped, e.g. in response to a memslots update.  The actual
923  * zapping is performed asynchronously.  Using a separate workqueue makes it
924  * easy to ensure that the destruction is performed before the "fast zap"
925  * completes, without keeping a separate list of invalidated roots; the list is
926  * effectively the list of work items in the workqueue.
927  *
928  * Note, the asynchronous worker is gifted the TDP MMU's reference.
929  * See kvm_tdp_mmu_get_vcpu_root_hpa().
930  */
void kvm_tdp_mmu_invalidate_all_roots(struct kvm *kvm)
{
	struct kvm_mmu_page *root;

	/*
	 * Invalidating a root while readers are active is unsupported
	 * territory, so mmu_lock must normally be held for write.  The
	 * assertion is waived when @kvm has no users left (teardown after the
	 * last reference was put) or when no vCPU was ever created, i.e. the
	 * VM is being destroyed on a KVM_CREATE_VM error path and holds no
	 * roots at all.
	 */
	if (IS_ENABLED(CONFIG_PROVE_LOCKING) &&
	    refcount_read(&kvm->users_count) && kvm->created_vcpus)
		lockdep_assert_held_write(&kvm->mmu_lock);

	/*
	 * During VM destruction mmu_lock is not held, but nothing else can
	 * hold a reference to @kvm and thus nothing else can invalidate or
	 * consume roots.  The walk itself still needs RCU so that roots being
	 * freed by the asynchronous zap worker don't vanish mid-iteration.
	 */
	rcu_read_lock();

	list_for_each_entry_rcu(root, &kvm->arch.tdp_mmu_roots, link) {
		/* Roots that are already invalid are left as they are. */
		if (root->role.invalid)
			continue;

		root->role.invalid = true;
		tdp_mmu_schedule_zap_root(kvm, root);
	}

	rcu_read_unlock();
}
967 
968 /*
969  * Installs a last-level SPTE to handle a TDP page fault.
970  * (NPT/EPT violation/misconfiguration)
971  */
static int tdp_mmu_map_handle_target_level(struct kvm_vcpu *vcpu,
					  struct kvm_page_fault *fault,
					  struct tdp_iter *iter)
{
	struct kvm_mmu_page *sp = sptep_to_sp(rcu_dereference(iter->sptep));
	u64 new_spte;
	/* Optimistic default; adjusted below for spurious/emulated outcomes. */
	int ret = RET_PF_FIXED;
	bool wrprot = false;

	/* The iterator must be parked exactly at the level being mapped. */
	if (WARN_ON_ONCE(sp->role.level != fault->goal_level))
		return RET_PF_RETRY;

	/* No memslot backs the GFN: install an MMIO SPTE instead of a mapping. */
	if (unlikely(!fault->slot))
		new_spte = make_mmio_spte(vcpu, iter->gfn, ACC_ALL);
	else
		wrprot = make_spte(vcpu, sp, fault->slot, ACC_ALL, iter->gfn,
					 fault->pfn, iter->old_spte, fault->prefetch, true,
					 fault->map_writable, &new_spte);

	/*
	 * An unchanged SPTE means there is nothing to install (presumably a
	 * concurrent fault already did it).  A failed atomic update means the
	 * SPTE changed underneath us, so the guest must retry.  Overwriting a
	 * present non-leaf SPTE requires a remote TLB flush for that range.
	 */
	if (new_spte == iter->old_spte)
		ret = RET_PF_SPURIOUS;
	else if (tdp_mmu_set_spte_atomic(vcpu->kvm, iter, new_spte))
		return RET_PF_RETRY;
	else if (is_shadow_present_pte(iter->old_spte) &&
		 !is_last_spte(iter->old_spte, iter->level))
		kvm_flush_remote_tlbs_gfn(vcpu->kvm, iter->gfn, iter->level);

	/*
	 * If the page fault was caused by a write but the page is write
	 * protected, emulation is needed. If the emulation was skipped,
	 * the vCPU would have the same fault again.
	 */
	if (wrprot) {
		if (fault->write)
			ret = RET_PF_EMULATE;
	}

	/* If a MMIO SPTE is installed, the MMIO will need to be emulated. */
	if (unlikely(is_mmio_spte(new_spte))) {
		vcpu->stat.pf_mmio_spte_created++;
		trace_mark_mmio_spte(rcu_dereference(iter->sptep), iter->gfn,
				     new_spte);
		ret = RET_PF_EMULATE;
	} else {
		trace_kvm_mmu_set_spte(iter->level, iter->gfn,
				       rcu_dereference(iter->sptep));
	}

	return ret;
}
1022 
1023 /*
1024  * tdp_mmu_link_sp - Replace the given spte with an spte pointing to the
1025  * provided page table.
1026  *
1027  * @kvm: kvm instance
1028  * @iter: a tdp_iter instance currently on the SPTE that should be set
1029  * @sp: The new TDP page table to install.
1030  * @shared: This operation is running under the MMU lock in read mode.
1031  *
1032  * Returns: 0 if the new page table was installed. Non-0 if the page table
1033  *          could not be installed (e.g. the atomic compare-exchange failed).
1034  */
static int tdp_mmu_link_sp(struct kvm *kvm, struct tdp_iter *iter,
			   struct kvm_mmu_page *sp, bool shared)
{
	u64 nonleaf = make_nonleaf_spte(sp->spt, !kvm_ad_enabled());

	if (!shared) {
		/* mmu_lock is held for write: a plain set cannot race. */
		tdp_mmu_iter_set_spte(kvm, iter, nonleaf);
	} else {
		int err = tdp_mmu_set_spte_atomic(kvm, iter, nonleaf);

		/* Lost the race to another writer; @sp stays owned by the caller. */
		if (err)
			return err;
	}

	/* Account for the page only once it is reachable from the root. */
	tdp_account_mmu_page(kvm, sp);

	return 0;
}
1053 
1054 static int tdp_mmu_split_huge_page(struct kvm *kvm, struct tdp_iter *iter,
1055 				   struct kvm_mmu_page *sp, bool shared);
1056 
1057 /*
1058  * Handle a TDP page fault (NPT/EPT violation/misconfiguration) by installing
1059  * page tables and SPTEs to translate the faulting guest physical address.
1060  */
int kvm_tdp_mmu_map(struct kvm_vcpu *vcpu, struct kvm_page_fault *fault)
{
	struct kvm_mmu *mmu = vcpu->arch.mmu;
	struct kvm *kvm = vcpu->kvm;
	struct tdp_iter iter;
	struct kvm_mmu_page *sp;
	/* Default outcome: every abort path below asks the guest to retry. */
	int ret = RET_PF_RETRY;

	kvm_mmu_hugepage_adjust(vcpu, fault);

	trace_kvm_mmu_spte_requested(fault);

	/* The walk runs under RCU; every exit goes through 'retry' to drop it. */
	rcu_read_lock();

	tdp_mmu_for_each_pte(iter, mmu, fault->gfn, fault->gfn + 1) {
		int r;

		if (fault->nx_huge_page_workaround_enabled)
			disallowed_hugepage_adjust(fault, iter.old_spte, iter.level);

		/*
		 * If SPTE has been frozen by another thread, just give up and
		 * retry, avoiding unnecessary page table allocation and free.
		 */
		if (is_removed_spte(iter.old_spte))
			goto retry;

		if (iter.level == fault->goal_level)
			goto map_target_level;

		/* Step down into the lower level page table if it exists. */
		if (is_shadow_present_pte(iter.old_spte) &&
		    !is_large_pte(iter.old_spte))
			continue;

		/*
		 * The SPTE is either non-present or points to a huge page that
		 * needs to be split.
		 */
		sp = tdp_mmu_alloc_sp(vcpu);
		tdp_mmu_init_child_sp(sp, &iter);

		sp->nx_huge_page_disallowed = fault->huge_page_disallowed;

		/* Both paths run with mmu_lock held for read (shared == true). */
		if (is_shadow_present_pte(iter.old_spte))
			r = tdp_mmu_split_huge_page(kvm, &iter, sp, true);
		else
			r = tdp_mmu_link_sp(kvm, &iter, sp, true);

		/*
		 * Force the guest to retry if installing an upper level SPTE
		 * failed, e.g. because a different task modified the SPTE.
		 * The unlinked @sp is still owned here, so free it.
		 */
		if (r) {
			tdp_mmu_free_sp(sp);
			goto retry;
		}

		/*
		 * Track the new page when a huge page was disallowed at or
		 * below the requested level (presumably for later NX huge page
		 * recovery); the tracking list is guarded by tdp_mmu_pages_lock.
		 */
		if (fault->huge_page_disallowed &&
		    fault->req_level >= iter.level) {
			spin_lock(&kvm->arch.tdp_mmu_pages_lock);
			if (sp->nx_huge_page_disallowed)
				track_possible_nx_huge_page(kvm, sp);
			spin_unlock(&kvm->arch.tdp_mmu_pages_lock);
		}
	}

	/*
	 * The walk aborted before reaching the target level, e.g. because the
	 * iterator detected an upper level SPTE was frozen during traversal.
	 */
	WARN_ON_ONCE(iter.level == fault->goal_level);
	goto retry;

map_target_level:
	ret = tdp_mmu_map_handle_target_level(vcpu, fault, &iter);

retry:
	rcu_read_unlock();
	return ret;
}
1142 
bool kvm_tdp_mmu_unmap_gfn_range(struct kvm *kvm, struct kvm_gfn_range *range,
				 bool flush)
{
	const int as_id = range->slot->as_id;

	/* Yielding is allowed only when the notifier permits blocking. */
	return kvm_tdp_mmu_zap_leafs(kvm, as_id, range->start, range->end,
				     range->may_block, flush);
}
1149 
1150 typedef bool (*tdp_handler_t)(struct kvm *kvm, struct tdp_iter *iter,
1151 			      struct kvm_gfn_range *range);
1152 
static __always_inline bool kvm_tdp_mmu_handle_gfn(struct kvm *kvm,
						   struct kvm_gfn_range *range,
						   tdp_handler_t handler)
{
	struct kvm_mmu_page *root;
	struct tdp_iter iter;
	bool handled = false;
	const int as_id = range->slot->as_id;

	/*
	 * No yielding: none of the MMU notifiers routed through here may
	 * block, so rescheduling support would be dead, wasteful code.
	 */
	for_each_tdp_mmu_root(kvm, root, as_id) {
		rcu_read_lock();

		/* Every leaf is visited; the handler's results are OR-ed. */
		tdp_root_for_each_leaf_pte(iter, root, range->start, range->end) {
			if (handler(kvm, &iter, range))
				handled = true;
		}

		rcu_read_unlock();
	}

	return handled;
}
1176 
1177 /*
1178  * Mark the SPTEs range of GFNs [start, end) unaccessed and return non-zero
1179  * if any of the GFNs in the range have been accessed.
1180  *
1181  * No need to mark the corresponding PFN as accessed as this call is coming
1182  * from the clear_young() or clear_flush_young() notifier, which uses the
1183  * return value to determine if the page has been accessed.
1184  */
static bool age_gfn_range(struct kvm *kvm, struct tdp_iter *iter,
			  struct kvm_gfn_range *range)
{
	u64 new_spte;

	/* If we have a non-accessed entry we don't need to change the pte. */
	if (!is_accessed_spte(iter->old_spte))
		return false;

	if (spte_ad_enabled(iter->old_spte)) {
		/*
		 * Hardware A/D tracking: clear the accessed bit in place.  The
		 * helper returns the value it replaced, so the new value is
		 * derived from it for tracing.
		 */
		iter->old_spte = tdp_mmu_clear_spte_bits(iter->sptep,
							 iter->old_spte,
							 shadow_accessed_mask,
							 iter->level);
		new_spte = iter->old_spte & ~shadow_accessed_mask;
	} else {
		/*
		 * Capture the dirty status of the page, so that it doesn't get
		 * lost when the SPTE is marked for access tracking.
		 */
		if (is_writable_pte(iter->old_spte))
			kvm_set_pfn_dirty(spte_to_pfn(iter->old_spte));

		/*
		 * No A/D bits: access is tracked by rewriting the SPTE (see
		 * mark_spte_for_access_track()); presumably the next access
		 * then faults — confirm against spte.c.
		 */
		new_spte = mark_spte_for_access_track(iter->old_spte);
		iter->old_spte = kvm_tdp_mmu_write_spte(iter->sptep,
							iter->old_spte, new_spte,
							iter->level);
	}

	trace_kvm_tdp_mmu_spte_changed(iter->as_id, iter->gfn, iter->level,
				       iter->old_spte, new_spte);
	/* The entry was young; report it as accessed. */
	return true;
}
1218 
bool kvm_tdp_mmu_age_gfn_range(struct kvm *kvm, struct kvm_gfn_range *range)
{
	/* Clear accessed state; true if any SPTE in the range was young. */
	bool young = kvm_tdp_mmu_handle_gfn(kvm, range, age_gfn_range);

	return young;
}
1223 
static bool test_age_gfn(struct kvm *kvm, struct tdp_iter *iter,
			 struct kvm_gfn_range *range)
{
	/* Read-only probe: neither the SPTE nor @range is modified. */
	const u64 spte = iter->old_spte;

	return is_accessed_spte(spte);
}
1229 
bool kvm_tdp_mmu_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
{
	/* Probe only; the accessed state is left untouched. */
	bool young = kvm_tdp_mmu_handle_gfn(kvm, range, test_age_gfn);

	return young;
}
1234 
/* Handler for the changed_pte notifier: re-point one 4K leaf SPTE. */
static bool set_spte_gfn(struct kvm *kvm, struct tdp_iter *iter,
			 struct kvm_gfn_range *range)
{
	u64 new_spte;

	/* Huge pages aren't expected to be modified without first being zapped. */
	WARN_ON(pte_huge(range->pte) || range->start + 1 != range->end);

	/* Only present 4K leaves are handled; anything else needs no change. */
	if (iter->level != PG_LEVEL_4K ||
	    !is_shadow_present_pte(iter->old_spte))
		return false;

	/*
	 * Note, when changing a read-only SPTE, it's not strictly necessary to
	 * zero the SPTE before setting the new PFN, but doing so preserves the
	 * invariant that the PFN of a present leaf SPTE can never change.
	 * See handle_changed_spte().
	 */
	tdp_mmu_iter_set_spte(kvm, iter, 0);

	/*
	 * A read-only host PTE gets a fresh SPTE for the new PFN.  For a
	 * writable host PTE the SPTE is left zapped; presumably the next
	 * guest access re-faults and installs a new mapping.
	 */
	if (!pte_write(range->pte)) {
		new_spte = kvm_mmu_changed_pte_notifier_make_spte(iter->old_spte,
								  pte_pfn(range->pte));

		tdp_mmu_iter_set_spte(kvm, iter, new_spte);
	}

	/* An SPTE was changed, so the caller must flush. */
	return true;
}
1264 
1265 /*
1266  * Handle the changed_pte MMU notifier for the TDP MMU.
1267  * data is a pointer to the new pte_t mapping the HVA specified by the MMU
1268  * notifier.
1269  * Returns non-zero if a flush is needed before releasing the MMU lock.
1270  */
bool kvm_tdp_mmu_set_spte_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
{
	bool flush_needed;

	/*
	 * The target SPTE is always a leaf, so no shadow page can be freed and
	 * the remote TLB flush needs no RCU protection.  See the WARN on
	 * pfn_changed in handle_changed_spte().
	 */
	flush_needed = kvm_tdp_mmu_handle_gfn(kvm, range, set_spte_gfn);

	return flush_needed;
}
1280 
1281 /*
1282  * Remove write access from all SPTEs at or above min_level that map GFNs
1283  * [start, end). Returns true if an SPTE has been changed and the TLBs need to
1284  * be flushed.
1285  */
static bool wrprot_gfn_range(struct kvm *kvm, struct kvm_mmu_page *root,
			     gfn_t start, gfn_t end, int min_level)
{
	struct tdp_iter iter;
	bool changed = false;

	rcu_read_lock();

	/* A min_level beyond the largest huge page is a caller bug. */
	BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL);

	for_each_tdp_pte_min_level(iter, root, min_level, start, end) {
		bool writable_leaf;
retry:
		if (tdp_mmu_iter_cond_resched(kvm, &iter, false, true))
			continue;

		writable_leaf = is_shadow_present_pte(iter.old_spte) &&
				is_last_spte(iter.old_spte, iter.level) &&
				(iter.old_spte & PT_WRITABLE_MASK);
		if (!writable_leaf)
			continue;

		/* Under the read lock the update must be atomic; retry on failure. */
		if (tdp_mmu_set_spte_atomic(kvm, &iter,
					    iter.old_spte & ~PT_WRITABLE_MASK))
			goto retry;

		changed = true;
	}

	rcu_read_unlock();
	return changed;
}
1318 
1319 /*
1320  * Remove write access from all the SPTEs mapping GFNs in the memslot. Will
1321  * only affect leaf SPTEs down to min_level.
1322  * Returns true if an SPTE has been changed and the TLBs need to be flushed.
1323  */
bool kvm_tdp_mmu_wrprot_slot(struct kvm *kvm,
			     const struct kvm_memory_slot *slot, int min_level)
{
	const gfn_t start = slot->base_gfn;
	const gfn_t end = start + slot->npages;
	struct kvm_mmu_page *root;
	bool changed = false;

	/* Runs under the read lock; the per-root walk uses atomic updates. */
	lockdep_assert_held_read(&kvm->mmu_lock);

	for_each_valid_tdp_mmu_root_yield_safe(kvm, root, slot->as_id, true) {
		if (wrprot_gfn_range(kvm, root, start, end, min_level))
			changed = true;
	}

	return changed;
}
1338 
static struct kvm_mmu_page *__tdp_mmu_alloc_sp_for_split(gfp_t gfp)
{
	struct kvm_mmu_page *sp;
	void *spt;

	/* Both the header and the page table itself must start out zeroed. */
	gfp |= __GFP_ZERO;

	sp = kmem_cache_alloc(mmu_page_header_cache, gfp);
	if (!sp)
		return NULL;

	spt = (void *)__get_free_page(gfp);
	if (!spt) {
		/* Don't leak the header when the page table allocation fails. */
		kmem_cache_free(mmu_page_header_cache, sp);
		return NULL;
	}

	sp->spt = spt;
	return sp;
}
1357 
/*
 * Allocate a shadow page for splitting a huge page while mmu_lock is held.
 * May drop and re-take mmu_lock (and the RCU read lock); when it does,
 * iter->yielded is set so the caller knows the walk must be restarted.
 * Returns NULL if the allocation fails even with reclaim allowed.
 */
static struct kvm_mmu_page *tdp_mmu_alloc_sp_for_split(struct kvm *kvm,
						       struct tdp_iter *iter,
						       bool shared)
{
	struct kvm_mmu_page *sp;

	/*
	 * Since we are allocating while under the MMU lock we have to be
	 * careful about GFP flags. Use GFP_NOWAIT to avoid blocking on direct
	 * reclaim and to avoid making any filesystem callbacks (which can end
	 * up invoking KVM MMU notifiers, resulting in a deadlock).
	 *
	 * If this allocation fails we drop the lock and retry with reclaim
	 * allowed.
	 */
	sp = __tdp_mmu_alloc_sp_for_split(GFP_NOWAIT | __GFP_ACCOUNT);
	if (sp)
		return sp;

	/* Slow path: leave RCU and mmu_lock in the same mode we entered with. */
	rcu_read_unlock();

	if (shared)
		read_unlock(&kvm->mmu_lock);
	else
		write_unlock(&kvm->mmu_lock);

	/* Tell the caller the locks were dropped; the SPTE may have changed. */
	iter->yielded = true;
	sp = __tdp_mmu_alloc_sp_for_split(GFP_KERNEL_ACCOUNT);

	if (shared)
		read_lock(&kvm->mmu_lock);
	else
		write_lock(&kvm->mmu_lock);

	rcu_read_lock();

	return sp;
}
1396 
1397 /* Note, the caller is responsible for initializing @sp. */
static int tdp_mmu_split_huge_page(struct kvm *kvm, struct tdp_iter *iter,
				   struct kvm_mmu_page *sp, bool shared)
{
	const u64 huge_spte = iter->old_spte;
	const int level = iter->level;
	int ret;
	int i;

	/*
	 * Populate the child table with plain stores: it isn't linked in yet,
	 * so no other CPU can observe it and atomics would be wasted.
	 */
	for (i = 0; i < SPTE_ENT_PER_PAGE; i++)
		sp->spt[i] = make_huge_page_split_spte(kvm, huge_spte, sp->role, i);

	/*
	 * Swap the huge SPTE for a pointer to the now-populated child table.
	 * No TLB flush is issued, so vCPUs may see a mix of the huge mapping
	 * and the split mappings depending on their TLB contents; both
	 * translate identically, so this is correct.
	 */
	ret = tdp_mmu_link_sp(kvm, iter, sp, shared);
	if (!ret) {
		/*
		 * Linking the new table is what removes the overwritten huge
		 * page from the page stats; the newly present child pages must
		 * be added by hand.
		 */
		kvm_update_page_stats(kvm, level - 1, SPTE_ENT_PER_PAGE);
	}

	trace_kvm_mmu_split_huge_page(iter->gfn, huge_spte, level, ret);
	return ret;
}
1435 
/*
 * Split every huge page mapping [start, end) under @root down to
 * @target_level.  Returns 0 on success or -ENOMEM if a child page table
 * could not be allocated.
 */
static int tdp_mmu_split_huge_pages_root(struct kvm *kvm,
					 struct kvm_mmu_page *root,
					 gfn_t start, gfn_t end,
					 int target_level, bool shared)
{
	/* A pre-allocated child table carried across iterations until used. */
	struct kvm_mmu_page *sp = NULL;
	struct tdp_iter iter;
	int ret = 0;

	rcu_read_lock();

	/*
	 * Traverse the page table splitting all huge pages above the target
	 * level into one lower level. For example, if we encounter a 1GB page
	 * we split it into 512 2MB pages.
	 *
	 * Since the TDP iterator uses a pre-order traversal, we are guaranteed
	 * to visit an SPTE before ever visiting its children, which means we
	 * will correctly recursively split huge pages that are more than one
	 * level above the target level (e.g. splitting a 1GB to 512 2MB pages,
	 * and then splitting each of those to 512 4KB pages).
	 */
	for_each_tdp_pte_min_level(iter, root, target_level + 1, start, end) {
retry:
		if (tdp_mmu_iter_cond_resched(kvm, &iter, false, shared))
			continue;

		if (!is_shadow_present_pte(iter.old_spte) || !is_large_pte(iter.old_spte))
			continue;

		if (!sp) {
			sp = tdp_mmu_alloc_sp_for_split(kvm, &iter, shared);
			if (!sp) {
				ret = -ENOMEM;
				trace_kvm_mmu_split_huge_page(iter.gfn,
							      iter.old_spte,
							      iter.level, ret);
				break;
			}

			/*
			 * The allocation dropped mmu_lock, so the SPTE may
			 * have changed; re-evaluate it (keeping @sp for the
			 * next candidate).
			 */
			if (iter.yielded)
				continue;
		}

		tdp_mmu_init_child_sp(sp, &iter);

		/* A failed link means a concurrent update; re-check this SPTE. */
		if (tdp_mmu_split_huge_page(kvm, &iter, sp, shared))
			goto retry;

		/* @sp is now linked in; the next split needs a fresh one. */
		sp = NULL;
	}

	rcu_read_unlock();

	/*
	 * It's possible to exit the loop having never used the last sp if, for
	 * example, a vCPU doing HugePage NX splitting wins the race and
	 * installs its own sp in place of the last sp we tried to split.
	 */
	if (sp)
		tdp_mmu_free_sp(sp);

	return ret;
}
1500 
1501 
1502 /*
1503  * Try to split all huge pages mapped by the TDP MMU down to the target level.
1504  */
void kvm_tdp_mmu_try_split_huge_pages(struct kvm *kvm,
				      const struct kvm_memory_slot *slot,
				      gfn_t start, gfn_t end,
				      int target_level, bool shared)
{
	struct kvm_mmu_page *root;

	kvm_lockdep_assert_mmu_lock_held(kvm, shared);

	for_each_valid_tdp_mmu_root_yield_safe(kvm, root, slot->as_id, shared) {
		int err = tdp_mmu_split_huge_pages_root(kvm, root, start, end,
							target_level, shared);

		if (!err)
			continue;

		/*
		 * Splitting is best effort, so the error is not propagated.
		 * Leaving the walk early means the root reference it holds
		 * must be dropped here (the macro appears to put the root
		 * only when it advances — confirm against its definition).
		 */
		kvm_tdp_mmu_put_root(kvm, root, shared);
		break;
	}
}
1523 
1524 /*
1525  * Clear the dirty status of all the SPTEs mapping GFNs in the memslot. If
1526  * AD bits are enabled, this will involve clearing the dirty bit on each SPTE.
1527  * If AD bits are not enabled, this will require clearing the writable bit on
1528  * each SPTE. Returns true if an SPTE has been changed and the TLBs need to
1529  * be flushed.
1530  */
static bool clear_dirty_gfn_range(struct kvm *kvm, struct kvm_mmu_page *root,
			   gfn_t start, gfn_t end)
{
	/* Without A/D bits, "dirty" is tracked by write-protecting the SPTE. */
	const u64 dbit = kvm_ad_enabled() ? shadow_dirty_mask : PT_WRITABLE_MASK;
	struct tdp_iter iter;
	bool changed = false;

	rcu_read_lock();

	tdp_root_for_each_leaf_pte(iter, root, start, end) {
		u64 cleared;
retry:
		if (tdp_mmu_iter_cond_resched(kvm, &iter, false, true))
			continue;

		if (!is_shadow_present_pte(iter.old_spte))
			continue;

		MMU_WARN_ON(kvm_ad_enabled() &&
			    spte_ad_need_write_protect(iter.old_spte));

		/* Nothing to clear if the bit is already off. */
		if (!(iter.old_spte & dbit))
			continue;

		cleared = iter.old_spte & ~dbit;
		if (tdp_mmu_set_spte_atomic(kvm, &iter, cleared))
			goto retry;

		changed = true;
	}

	rcu_read_unlock();
	return changed;
}
1563 
1564 /*
1565  * Clear the dirty status of all the SPTEs mapping GFNs in the memslot. If
1566  * AD bits are enabled, this will involve clearing the dirty bit on each SPTE.
1567  * If AD bits are not enabled, this will require clearing the writable bit on
1568  * each SPTE. Returns true if an SPTE has been changed and the TLBs need to
1569  * be flushed.
1570  */
bool kvm_tdp_mmu_clear_dirty_slot(struct kvm *kvm,
				  const struct kvm_memory_slot *slot)
{
	const gfn_t start = slot->base_gfn;
	const gfn_t end = start + slot->npages;
	struct kvm_mmu_page *root;
	bool changed = false;

	/* Read lock suffices: the per-root walk updates SPTEs atomically. */
	lockdep_assert_held_read(&kvm->mmu_lock);

	for_each_valid_tdp_mmu_root_yield_safe(kvm, root, slot->as_id, true) {
		if (clear_dirty_gfn_range(kvm, root, start, end))
			changed = true;
	}

	return changed;
}
1585 
1586 /*
1587  * Clears the dirty status of all the 4k SPTEs mapping GFNs for which a bit is
1588  * set in mask, starting at gfn. The given memslot is expected to contain all
1589  * the GFNs represented by set bits in the mask. If AD bits are enabled,
1590  * clearing the dirty status will involve clearing the dirty bit on each SPTE
1591  * or, if AD bits are not enabled, clearing the writable bit on each SPTE.
1592  */
static void clear_dirty_pt_masked(struct kvm *kvm, struct kvm_mmu_page *root,
				  gfn_t gfn, unsigned long mask, bool wrprot)
{
	/* @wrprot forces write-protection even when A/D bits are available. */
	u64 dbit = (wrprot || !kvm_ad_enabled()) ? PT_WRITABLE_MASK :
						   shadow_dirty_mask;
	struct tdp_iter iter;

	rcu_read_lock();

	/*
	 * @mask is one bit per GFN starting at @gfn, so the walk is bounded
	 * to BITS_PER_LONG GFNs and starts at the first set bit.  That bound
	 * keeps the 'iter.gfn - gfn' shift below within the width of a long.
	 */
	tdp_root_for_each_leaf_pte(iter, root, gfn + __ffs(mask),
				    gfn + BITS_PER_LONG) {
		/* All requested GFNs handled; nothing left to clear. */
		if (!mask)
			break;

		MMU_WARN_ON(kvm_ad_enabled() &&
			    spte_ad_need_write_protect(iter.old_spte));

		/* Only 4K SPTEs whose GFN is selected by @mask are touched. */
		if (iter.level > PG_LEVEL_4K ||
		    !(mask & (1UL << (iter.gfn - gfn))))
			continue;

		mask &= ~(1UL << (iter.gfn - gfn));

		if (!(iter.old_spte & dbit))
			continue;

		/* The helper returns the previous value; trace old vs. cleared. */
		iter.old_spte = tdp_mmu_clear_spte_bits(iter.sptep,
							iter.old_spte, dbit,
							iter.level);

		trace_kvm_tdp_mmu_spte_changed(iter.as_id, iter.gfn, iter.level,
					       iter.old_spte,
					       iter.old_spte & ~dbit);
		/* The page was dirty before the bit was cleared; record that. */
		kvm_set_pfn_dirty(spte_to_pfn(iter.old_spte));
	}

	rcu_read_unlock();
}
1631 
1632 /*
1633  * Clears the dirty status of all the 4k SPTEs mapping GFNs for which a bit is
1634  * set in mask, starting at gfn. The given memslot is expected to contain all
1635  * the GFNs represented by set bits in the mask. If AD bits are enabled,
1636  * clearing the dirty status will involve clearing the dirty bit on each SPTE
1637  * or, if AD bits are not enabled, clearing the writable bit on each SPTE.
1638  */
void kvm_tdp_mmu_clear_dirty_pt_masked(struct kvm *kvm,
				       struct kvm_memory_slot *slot,
				       gfn_t gfn, unsigned long mask,
				       bool wrprot)
{
	struct kvm_mmu_page *root;
	const int as_id = slot->as_id;

	/* Write lock required here; the roots are walked without yielding. */
	lockdep_assert_held_write(&kvm->mmu_lock);
	for_each_tdp_mmu_root(kvm, root, as_id)
		clear_dirty_pt_masked(kvm, root, gfn, mask, wrprot);
}
1650 
static void zap_collapsible_spte_range(struct kvm *kvm,
				       struct kvm_mmu_page *root,
				       const struct kvm_memory_slot *slot)
{
	const gfn_t start = slot->base_gfn;
	const gfn_t end = start + slot->npages;
	struct tdp_iter iter;

	rcu_read_lock();

	for_each_tdp_pte_min_level(iter, root, PG_LEVEL_2M, start, end) {
		int max_level;
retry:
		if (tdp_mmu_iter_cond_resched(kvm, &iter, false, true))
			continue;

		if (iter.level > KVM_MAX_HUGEPAGE_LEVEL ||
		    !is_shadow_present_pte(iter.old_spte))
			continue;

		/*
		 * Leaf SPTEs are left alone: had a leaf been eligible for a
		 * larger page size, its parent would have been zapped rather
		 * than descended into.
		 */
		if (is_last_spte(iter.old_spte, iter.level))
			continue;

		/*
		 * A page at this level that overlaps but isn't contained by
		 * the slot can't be made huge, and, worse, looking it up in
		 * slot->arch.lpage_info would index out of bounds.  Bound the
		 * GFN to the slot before any such query.
		 */
		if (iter.gfn < start || iter.gfn >= end)
			continue;

		max_level = kvm_mmu_max_mapping_level(kvm, slot, iter.gfn,
						      PG_LEVEL_NUM);
		if (max_level < iter.level)
			continue;

		/* A successful atomic zap also flushes remote TLBs. */
		if (tdp_mmu_zap_spte_atomic(kvm, &iter))
			goto retry;
	}

	rcu_read_unlock();
}
1701 
1702 /*
1703  * Zap non-leaf SPTEs (and free their associated page tables) which could
1704  * be replaced by huge pages, for GFNs within the slot.
1705  */
void kvm_tdp_mmu_zap_collapsible_sptes(struct kvm *kvm,
				       const struct kvm_memory_slot *slot)
{
	struct kvm_mmu_page *root;
	const int as_id = slot->as_id;

	lockdep_assert_held_read(&kvm->mmu_lock);

	/* Invalid roots are skipped; the walk may yield the read lock. */
	for_each_valid_tdp_mmu_root_yield_safe(kvm, root, as_id, true)
		zap_collapsible_spte_range(kvm, root, slot);
}
1716 
1717 /*
1718  * Removes write access on the last level SPTE mapping this GFN and unsets the
1719  * MMU-writable bit to ensure future writes continue to be intercepted.
1720  * Returns true if an SPTE was set and a TLB flush is needed.
1721  */
static bool write_protect_gfn(struct kvm *kvm, struct kvm_mmu_page *root,
			      gfn_t gfn, int min_level)
{
	const u64 wrmask = PT_WRITABLE_MASK | shadow_mmu_writable_mask;
	struct tdp_iter iter;
	bool changed = false;

	BUG_ON(min_level > KVM_MAX_HUGEPAGE_LEVEL);

	rcu_read_lock();

	for_each_tdp_pte_min_level(iter, root, min_level, gfn, gfn + 1) {
		u64 wrprot_spte;

		if (!is_shadow_present_pte(iter.old_spte) ||
		    !is_last_spte(iter.old_spte, iter.level))
			continue;

		/* Clearing both bits keeps future writes trapping. */
		wrprot_spte = iter.old_spte & ~wrmask;

		/* Already write-protected; the single GFN is done. */
		if (wrprot_spte == iter.old_spte)
			break;

		tdp_mmu_iter_set_spte(kvm, &iter, wrprot_spte);
		changed = true;
	}

	rcu_read_unlock();

	return changed;
}
1752 
1753 /*
1754  * Removes write access on the last level SPTE mapping this GFN and unsets the
1755  * MMU-writable bit to ensure future writes continue to be intercepted.
1756  * Returns true if an SPTE was set and a TLB flush is needed.
1757  */
bool kvm_tdp_mmu_write_protect_gfn(struct kvm *kvm,
				   struct kvm_memory_slot *slot, gfn_t gfn,
				   int min_level)
{
	struct kvm_mmu_page *root;
	bool changed = false;

	/* Non-atomic SPTE updates below require the write lock. */
	lockdep_assert_held_write(&kvm->mmu_lock);
	for_each_tdp_mmu_root(kvm, root, slot->as_id) {
		if (write_protect_gfn(kvm, root, gfn, min_level))
			changed = true;
	}

	return changed;
}
1771 
1772 /*
1773  * Return the level of the lowest level SPTE added to sptes.
1774  * That SPTE may be non-present.
1775  *
1776  * Must be called between kvm_tdp_mmu_walk_lockless_{begin,end}.
1777  */
int kvm_tdp_mmu_get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes,
			 int *root_level)
{
	struct kvm_mmu *mmu = vcpu->arch.mmu;
	const gfn_t gfn = addr >> PAGE_SHIFT;
	struct tdp_iter iter;
	int lowest = -1;

	*root_level = mmu->root_role.level;

	/*
	 * Record every SPTE on the walk, indexed by its level; the last one
	 * visited is the lowest.  @sptes is written at index iter.level, so
	 * the caller must size it for every level the walk can reach
	 * (presumably up to the root level) — verify against the callers.
	 */
	tdp_mmu_for_each_pte(iter, mmu, gfn, gfn + 1) {
		lowest = iter.level;
		sptes[lowest] = iter.old_spte;
	}

	return lowest;
}
1795 
1796 /*
1797  * Returns the last level spte pointer of the shadow page walk for the given
 * gpa, and sets *spte to the spte value. This spte may be non-present. If no
1799  * walk could be performed, returns NULL and *spte does not contain valid data.
1800  *
1801  * Contract:
1802  *  - Must be called between kvm_tdp_mmu_walk_lockless_{begin,end}.
1803  *  - The returned sptep must not be used after kvm_tdp_mmu_walk_lockless_end.
1804  *
1805  * WARNING: This function is only intended to be called during fast_page_fault.
1806  */
u64 *kvm_tdp_mmu_fast_pf_get_last_sptep(struct kvm_vcpu *vcpu, u64 addr,
					u64 *spte)
{
	struct kvm_mmu *mmu = vcpu->arch.mmu;
	const gfn_t gfn = addr >> PAGE_SHIFT;
	tdp_ptep_t last_sptep = NULL;
	struct tdp_iter iter;

	/* Walk to the last level, remembering the final SPTE and its slot. */
	tdp_mmu_for_each_pte(iter, mmu, gfn, gfn + 1) {
		last_sptep = iter.sptep;
		*spte = iter.old_spte;
	}

	/*
	 * Strip the __rcu annotation here: the pointer is handed up to
	 * fast_page_fault(), which is shared with the legacy MMU and carries
	 * no such annotation.  This is sound only because fast_page_fault()
	 * honours this function's contract and the TDP MMU rules for
	 * modifying SPTEs outside of mmu_lock.
	 */
	return rcu_dereference(last_sptep);
}