// SPDX-License-Identifier: GPL-2.0-only
/*
 * Kernel-based Virtual Machine driver for Linux
 *
 * This module enables machines with Intel VT-x extensions to run virtual
 * machines without emulation or binary translation.
 *
 * MMU support
 *
 * Copyright (C) 2006 Qumranet, Inc.
 * Copyright 2010 Red Hat, Inc. and/or its affiliates.
 *
 * Authors:
 *   Yaniv Kamay  <yaniv@qumranet.com>
 *   Avi Kivity   <avi@qumranet.com>
 */

#include "irq.h"
#include "mmu.h"
#include "x86.h"
#include "kvm_cache_regs.h"
#include "cpuid.h"

#include <linux/kvm_host.h>
#include <linux/types.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/highmem.h>
#include <linux/moduleparam.h>
#include <linux/export.h>
#include <linux/swap.h>
#include <linux/hugetlb.h>
#include <linux/compiler.h>
#include <linux/srcu.h>
#include <linux/slab.h>
#include <linux/sched/signal.h>
#include <linux/uaccess.h>
#include <linux/hash.h>
#include <linux/kern_levels.h>

#include <asm/page.h>
#include <asm/pat.h>
#include <asm/cmpxchg.h>
#include <asm/e820/api.h>
#include <asm/io.h>
#include <asm/vmx.h>
#include <asm/kvm_page_track.h>
#include "trace.h"

/*
 * When setting this variable to true it enables Two-Dimensional-Paging
 * where the hardware walks 2 page tables:
 * 1. the guest-virtual to guest-physical
 * 2. while doing 1. it walks guest-physical to host-physical
 * If the hardware supports that we don't need to do shadow paging.
 */
bool tdp_enabled = false;

enum {
        AUDIT_PRE_PAGE_FAULT,
        AUDIT_POST_PAGE_FAULT,
        AUDIT_PRE_PTE_WRITE,
        AUDIT_POST_PTE_WRITE,
        AUDIT_PRE_SYNC,
        AUDIT_POST_SYNC
};

#undef MMU_DEBUG

#ifdef MMU_DEBUG
static bool dbg = 0;
module_param(dbg, bool, 0644);

#define pgprintk(x...) do { if (dbg) printk(x); } while (0)
#define rmap_printk(x...) do { if (dbg) printk(x); } while (0)
#define MMU_WARN_ON(x) WARN_ON(x)
#else
#define pgprintk(x...) do { } while (0)
#define rmap_printk(x...) do { } while (0)
#define MMU_WARN_ON(x) do { } while (0)
#endif

#define PTE_PREFETCH_NUM                8

#define PT_FIRST_AVAIL_BITS_SHIFT 10
#define PT64_SECOND_AVAIL_BITS_SHIFT 52

#define PT64_LEVEL_BITS 9

#define PT64_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT64_LEVEL_BITS)

#define PT64_INDEX(address, level)\
        (((address) >> PT64_LEVEL_SHIFT(level)) & ((1 << PT64_LEVEL_BITS) - 1))


#define PT32_LEVEL_BITS 10

#define PT32_LEVEL_SHIFT(level) \
                (PAGE_SHIFT + (level - 1) * PT32_LEVEL_BITS)

#define PT32_LVL_OFFSET_MASK(level) \
        (PT32_BASE_ADDR_MASK & ((1ULL << (PAGE_SHIFT + (((level) - 1) \
                                                * PT32_LEVEL_BITS))) - 1))

#define PT32_INDEX(address, level)\
        (((address) >> PT32_LEVEL_SHIFT(level)) & ((1 << PT32_LEVEL_BITS) - 1))


#ifdef CONFIG_DYNAMIC_PHYSICAL_MASK
#define PT64_BASE_ADDR_MASK (physical_mask & ~(u64)(PAGE_SIZE-1))
#else
#define PT64_BASE_ADDR_MASK (((1ULL << 52) - 1) & ~(u64)(PAGE_SIZE-1))
#endif
#define PT64_LVL_ADDR_MASK(level) \
        (PT64_BASE_ADDR_MASK & ~((1ULL << (PAGE_SHIFT + (((level) - 1) \
                                                * PT64_LEVEL_BITS))) - 1))
#define PT64_LVL_OFFSET_MASK(level) \
        (PT64_BASE_ADDR_MASK & ((1ULL << (PAGE_SHIFT + (((level) - 1) \
                                                * PT64_LEVEL_BITS))) - 1))

#define PT32_BASE_ADDR_MASK PAGE_MASK
#define PT32_DIR_BASE_ADDR_MASK \
        (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + PT32_LEVEL_BITS)) - 1))
#define PT32_LVL_ADDR_MASK(level) \
        (PAGE_MASK & ~((1ULL << (PAGE_SHIFT + (((level) - 1) \
                                            * PT32_LEVEL_BITS))) - 1))

#define PT64_PERM_MASK (PT_PRESENT_MASK | PT_WRITABLE_MASK | shadow_user_mask \
                        | shadow_x_mask | shadow_nx_mask | shadow_me_mask)

#define ACC_EXEC_MASK    1
#define ACC_WRITE_MASK   PT_WRITABLE_MASK
#define ACC_USER_MASK    PT_USER_MASK
#define ACC_ALL          (ACC_EXEC_MASK | ACC_WRITE_MASK | ACC_USER_MASK)

/* The mask for the R/X bits in EPT PTEs */
#define PT64_EPT_READABLE_MASK                  0x1ull
#define PT64_EPT_EXECUTABLE_MASK                0x4ull

#include <trace/events/kvm.h>

#define CREATE_TRACE_POINTS
#include "mmutrace.h"

#define SPTE_HOST_WRITEABLE     (1ULL << PT_FIRST_AVAIL_BITS_SHIFT)
#define SPTE_MMU_WRITEABLE      (1ULL << (PT_FIRST_AVAIL_BITS_SHIFT + 1))

#define SHADOW_PT_INDEX(addr, level) PT64_INDEX(addr, level)

/* make pte_list_desc fit well in cache line */
#define PTE_LIST_EXT 3

/*
 * Return values of handle_mmio_page_fault and mmu.page_fault:
 * RET_PF_RETRY: let CPU fault again on the address.
 * RET_PF_EMULATE: mmio page fault, emulate the instruction directly.
 *
 * For handle_mmio_page_fault only:
 * RET_PF_INVALID: the spte is invalid, let the real page fault path update it.
 */
enum {
        RET_PF_RETRY = 0,
        RET_PF_EMULATE = 1,
        RET_PF_INVALID = 2,
};

struct pte_list_desc {
        u64 *sptes[PTE_LIST_EXT];
        struct pte_list_desc *more;
};

struct kvm_shadow_walk_iterator {
        u64 addr;
        hpa_t shadow_addr;
        u64 *sptep;
        int level;
        unsigned index;
};

static const union kvm_mmu_page_role mmu_base_role_mask = {
        .cr0_wp = 1,
        .gpte_is_8_bytes = 1,
        .nxe = 1,
        .smep_andnot_wp = 1,
        .smap_andnot_wp = 1,
        .smm = 1,
        .guest_mode = 1,
        .ad_disabled = 1,
};

#define for_each_shadow_entry_using_root(_vcpu, _root, _addr, _walker)     \
        for (shadow_walk_init_using_root(&(_walker), (_vcpu),              \
                                         (_root), (_addr));                \
             shadow_walk_okay(&(_walker));                                 \
             shadow_walk_next(&(_walker)))

#define for_each_shadow_entry(_vcpu, _addr, _walker)            \
        for (shadow_walk_init(&(_walker), _vcpu, _addr);        \
             shadow_walk_okay(&(_walker));                      \
             shadow_walk_next(&(_walker)))

#define for_each_shadow_entry_lockless(_vcpu, _addr, _walker, spte)     \
        for (shadow_walk_init(&(_walker), _vcpu, _addr);                \
             shadow_walk_okay(&(_walker)) &&                            \
                ({ spte = mmu_spte_get_lockless(_walker.sptep); 1; });  \
             __shadow_walk_next(&(_walker), spte))

static struct kmem_cache *pte_list_desc_cache;
static struct kmem_cache *mmu_page_header_cache;
static struct percpu_counter kvm_total_used_mmu_pages;

static u64 __read_mostly shadow_nx_mask;
static u64 __read_mostly shadow_x_mask; /* mutual exclusive with nx_mask */
static u64 __read_mostly shadow_user_mask;
static u64 __read_mostly shadow_accessed_mask;
static u64 __read_mostly shadow_dirty_mask;
static u64 __read_mostly shadow_mmio_mask;
static u64 __read_mostly shadow_mmio_value;
static u64 __read_mostly shadow_present_mask;
static u64 __read_mostly shadow_me_mask;

/*
 * SPTEs used by MMUs without A/D bits are marked with shadow_acc_track_value.
 * Non-present SPTEs with shadow_acc_track_value set are in place for access
 * tracking.
 */
static u64 __read_mostly shadow_acc_track_mask;
static const u64 shadow_acc_track_value = SPTE_SPECIAL_MASK;

/*
 * The mask/shift to use for saving the original R/X bits when marking the PTE
 * as not-present for access tracking purposes. We do not save the W bit as the
 * PTEs being access tracked also need to be dirty tracked, so the W bit will be
 * restored only when a write is attempted to the page.
 */
static const u64 shadow_acc_track_saved_bits_mask = PT64_EPT_READABLE_MASK |
                                                    PT64_EPT_EXECUTABLE_MASK;
static const u64 shadow_acc_track_saved_bits_shift = PT64_SECOND_AVAIL_BITS_SHIFT;

/*
 * This mask must be set on all non-zero Non-Present or Reserved SPTEs in order
 * to guard against L1TF attacks.
 */
static u64 __read_mostly shadow_nonpresent_or_rsvd_mask;

/*
 * The number of high-order 1 bits to use in the mask above.
 */
static const u64 shadow_nonpresent_or_rsvd_mask_len = 5;

/*
 * In some cases, we need to preserve the GFN of a non-present or reserved
 * SPTE when we usurp the upper five bits of the physical address space to
 * defend against L1TF, e.g. for MMIO SPTEs.  To preserve the GFN, we'll
 * shift bits of the GFN that overlap with shadow_nonpresent_or_rsvd_mask
 * left into the reserved bits, i.e. the GFN in the SPTE will be split into
 * high and low parts.  This mask covers the lower bits of the GFN.
 */
static u64 __read_mostly shadow_nonpresent_or_rsvd_lower_gfn_mask;


static void mmu_spte_set(u64 *sptep, u64 spte);
static union kvm_mmu_page_role
kvm_mmu_calc_root_page_role(struct kvm_vcpu *vcpu);


static inline bool kvm_available_flush_tlb_with_range(void)
{
        return kvm_x86_ops->tlb_remote_flush_with_range;
}

static void kvm_flush_remote_tlbs_with_range(struct kvm *kvm,
                struct kvm_tlb_range *range)
{
        int ret = -ENOTSUPP;

        if (range && kvm_x86_ops->tlb_remote_flush_with_range)
                ret = kvm_x86_ops->tlb_remote_flush_with_range(kvm, range);

        if (ret)
                kvm_flush_remote_tlbs(kvm);
}

static void kvm_flush_remote_tlbs_with_address(struct kvm *kvm,
                u64 start_gfn, u64 pages)
{
        struct kvm_tlb_range range;

        range.start_gfn = start_gfn;
        range.pages = pages;

        kvm_flush_remote_tlbs_with_range(kvm, &range);
}

void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value)
{
        BUG_ON((mmio_mask & mmio_value) != mmio_value);
        shadow_mmio_value = mmio_value | SPTE_SPECIAL_MASK;
        shadow_mmio_mask = mmio_mask | SPTE_SPECIAL_MASK;
}
EXPORT_SYMBOL_GPL(kvm_mmu_set_mmio_spte_mask);

static inline bool sp_ad_disabled(struct kvm_mmu_page *sp)
{
        return sp->role.ad_disabled;
}

static inline bool spte_ad_enabled(u64 spte)
{
        MMU_WARN_ON((spte & shadow_mmio_mask) == shadow_mmio_value);
        return !(spte & shadow_acc_track_value);
}

static inline u64 spte_shadow_accessed_mask(u64 spte)
{
        MMU_WARN_ON((spte & shadow_mmio_mask) == shadow_mmio_value);
        return spte_ad_enabled(spte) ? shadow_accessed_mask : 0;
}

static inline u64 spte_shadow_dirty_mask(u64 spte)
{
        MMU_WARN_ON((spte & shadow_mmio_mask) == shadow_mmio_value);
        return spte_ad_enabled(spte) ? shadow_dirty_mask : 0;
}

static inline bool is_access_track_spte(u64 spte)
{
        return !spte_ad_enabled(spte) && (spte & shadow_acc_track_mask) == 0;
}

/*
 * Due to limited space in PTEs, the MMIO generation is a 19 bit subset of
 * the memslots generation and is derived as follows:
 *
 * Bits 0-8 of the MMIO generation are propagated to spte bits 3-11
 * Bits 9-18 of the MMIO generation are propagated to spte bits 52-61
 *
 * The KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS flag is intentionally not included in
 * the MMIO generation number, as doing so would require stealing a bit from
 * the "real" generation number and thus effectively halve the maximum number
 * of MMIO generations that can be handled before encountering a wrap (which
 * requires a full MMU zap).  The flag is instead explicitly queried when
 * checking for MMIO spte cache hits.
 */
#define MMIO_SPTE_GEN_MASK              GENMASK_ULL(18, 0)

#define MMIO_SPTE_GEN_LOW_START         3
#define MMIO_SPTE_GEN_LOW_END           11
#define MMIO_SPTE_GEN_LOW_MASK          GENMASK_ULL(MMIO_SPTE_GEN_LOW_END, \
                                                    MMIO_SPTE_GEN_LOW_START)

#define MMIO_SPTE_GEN_HIGH_START        52
#define MMIO_SPTE_GEN_HIGH_END          61
#define MMIO_SPTE_GEN_HIGH_MASK         GENMASK_ULL(MMIO_SPTE_GEN_HIGH_END, \
                                                    MMIO_SPTE_GEN_HIGH_START)
static u64 generation_mmio_spte_mask(u64 gen)
{
        u64 mask;

        WARN_ON(gen & ~MMIO_SPTE_GEN_MASK);

        mask = (gen << MMIO_SPTE_GEN_LOW_START) & MMIO_SPTE_GEN_LOW_MASK;
        mask |= (gen << MMIO_SPTE_GEN_HIGH_START) & MMIO_SPTE_GEN_HIGH_MASK;
        return mask;
}

static u64 get_mmio_spte_generation(u64 spte)
{
        u64 gen;

        spte &= ~shadow_mmio_mask;

        gen = (spte & MMIO_SPTE_GEN_LOW_MASK) >> MMIO_SPTE_GEN_LOW_START;
        gen |= (spte & MMIO_SPTE_GEN_HIGH_MASK) >> MMIO_SPTE_GEN_HIGH_START;
        return gen;
}

static void mark_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, u64 gfn,
                           unsigned access)
{
        u64 gen = kvm_vcpu_memslots(vcpu)->generation & MMIO_SPTE_GEN_MASK;
        u64 mask = generation_mmio_spte_mask(gen);
        u64 gpa = gfn << PAGE_SHIFT;

        access &= ACC_WRITE_MASK | ACC_USER_MASK;
        mask |= shadow_mmio_value | access;
        mask |= gpa | shadow_nonpresent_or_rsvd_mask;
        mask |= (gpa & shadow_nonpresent_or_rsvd_mask)
                << shadow_nonpresent_or_rsvd_mask_len;

        page_header(__pa(sptep))->mmio_cached = true;

        trace_mark_mmio_spte(sptep, gfn, access, gen);
        mmu_spte_set(sptep, mask);
}

static bool is_mmio_spte(u64 spte)
{
        return (spte & shadow_mmio_mask) == shadow_mmio_value;
}

static gfn_t get_mmio_spte_gfn(u64 spte)
{
        u64 gpa = spte & shadow_nonpresent_or_rsvd_lower_gfn_mask;

        gpa |= (spte >> shadow_nonpresent_or_rsvd_mask_len)
               & shadow_nonpresent_or_rsvd_mask;

        return gpa >> PAGE_SHIFT;
}

static unsigned get_mmio_spte_access(u64 spte)
{
        u64 mask = generation_mmio_spte_mask(MMIO_SPTE_GEN_MASK) | shadow_mmio_mask;
        return (spte & ~mask) & ~PAGE_MASK;
}

static bool set_mmio_spte(struct kvm_vcpu *vcpu, u64 *sptep, gfn_t gfn,
                          kvm_pfn_t pfn, unsigned access)
{
        if (unlikely(is_noslot_pfn(pfn))) {
                mark_mmio_spte(vcpu, sptep, gfn, access);
                return true;
        }

        return false;
}

static bool check_mmio_spte(struct kvm_vcpu *vcpu, u64 spte)
{
        u64 kvm_gen, spte_gen, gen;

        gen = kvm_vcpu_memslots(vcpu)->generation;
        if (unlikely(gen & KVM_MEMSLOT_GEN_UPDATE_IN_PROGRESS))
                return false;

        kvm_gen = gen & MMIO_SPTE_GEN_MASK;
        spte_gen = get_mmio_spte_generation(spte);

        trace_check_mmio_spte(spte, kvm_gen, spte_gen);
        return likely(kvm_gen == spte_gen);
}

/*
 * Sets the shadow PTE masks used by the MMU.
 *
 * Assumptions:
 *  - Setting either @accessed_mask or @dirty_mask requires setting both
 *  - At least one of @accessed_mask or @acc_track_mask must be set
 */
void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask,
                u64 dirty_mask, u64 nx_mask, u64 x_mask, u64 p_mask,
                u64 acc_track_mask, u64 me_mask)
{
        BUG_ON(!dirty_mask != !accessed_mask);
        BUG_ON(!accessed_mask && !acc_track_mask);
        BUG_ON(acc_track_mask & shadow_acc_track_value);

        shadow_user_mask = user_mask;
        shadow_accessed_mask = accessed_mask;
        shadow_dirty_mask = dirty_mask;
        shadow_nx_mask = nx_mask;
        shadow_x_mask = x_mask;
        shadow_present_mask = p_mask;
        shadow_acc_track_mask = acc_track_mask;
        shadow_me_mask = me_mask;
}
EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);

static void kvm_mmu_reset_all_pte_masks(void)
{
        u8 low_phys_bits;

        shadow_user_mask = 0;
        shadow_accessed_mask = 0;
        shadow_dirty_mask = 0;
        shadow_nx_mask = 0;
        shadow_x_mask = 0;
        shadow_mmio_mask = 0;
        shadow_present_mask = 0;
        shadow_acc_track_mask = 0;

        /*
         * If the CPU has 46 or less physical address bits, then set an
         * appropriate mask to guard against L1TF attacks. Otherwise, it is
         * assumed that the CPU is not vulnerable to L1TF.
         *
         * Some Intel CPUs address the L1 cache using more PA bits than are
         * reported by CPUID. Use the PA width of the L1 cache when possible
         * to achieve more effective mitigation, e.g. if system RAM overlaps
         * the most significant bits of legal physical address space.
         */
        shadow_nonpresent_or_rsvd_mask = 0;
        low_phys_bits = boot_cpu_data.x86_cache_bits;
        if (boot_cpu_data.x86_cache_bits <
            52 - shadow_nonpresent_or_rsvd_mask_len) {
                shadow_nonpresent_or_rsvd_mask =
                        rsvd_bits(boot_cpu_data.x86_cache_bits -
                                  shadow_nonpresent_or_rsvd_mask_len,
                                  boot_cpu_data.x86_cache_bits - 1);
                low_phys_bits -= shadow_nonpresent_or_rsvd_mask_len;
        } else
                WARN_ON_ONCE(boot_cpu_has_bug(X86_BUG_L1TF));

        shadow_nonpresent_or_rsvd_lower_gfn_mask =
                GENMASK_ULL(low_phys_bits - 1, PAGE_SHIFT);
}

static int is_cpuid_PSE36(void)
{
        return 1;
}

static int is_nx(struct kvm_vcpu *vcpu)
{
        return vcpu->arch.efer & EFER_NX;
}

static int is_shadow_present_pte(u64 pte)
{
        return (pte != 0) && !is_mmio_spte(pte);
}

static int is_large_pte(u64 pte)
{
        return pte & PT_PAGE_SIZE_MASK;
}

static int is_last_spte(u64 pte, int level)
{
        if (level == PT_PAGE_TABLE_LEVEL)
                return 1;
        if (is_large_pte(pte))
                return 1;
        return 0;
}

static bool is_executable_pte(u64 spte)
{
        return (spte & (shadow_x_mask | shadow_nx_mask)) == shadow_x_mask;
}

static kvm_pfn_t spte_to_pfn(u64 pte)
{
        return (pte & PT64_BASE_ADDR_MASK) >> PAGE_SHIFT;
}

static gfn_t pse36_gfn_delta(u32 gpte)
{
        int shift = 32 - PT32_DIR_PSE36_SHIFT - PAGE_SHIFT;

        return (gpte & PT32_DIR_PSE36_MASK) << shift;
}

#ifdef CONFIG_X86_64
static void __set_spte(u64 *sptep, u64 spte)
{
        WRITE_ONCE(*sptep, spte);
}

static void __update_clear_spte_fast(u64 *sptep, u64 spte)
{
        WRITE_ONCE(*sptep, spte);
}

static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
{
        return xchg(sptep, spte);
}

static u64 __get_spte_lockless(u64 *sptep)
{
        return READ_ONCE(*sptep);
}
#else
union split_spte {
        struct {
                u32 spte_low;
                u32 spte_high;
        };
        u64 spte;
};

static void count_spte_clear(u64 *sptep, u64 spte)
{
        struct kvm_mmu_page *sp =  page_header(__pa(sptep));

        if (is_shadow_present_pte(spte))
                return;

        /* Ensure the spte is completely set before we increase the count */
        smp_wmb();
        sp->clear_spte_count++;
}

static void __set_spte(u64 *sptep, u64 spte)
{
        union split_spte *ssptep, sspte;

        ssptep = (union split_spte *)sptep;
        sspte = (union split_spte)spte;

        ssptep->spte_high = sspte.spte_high;

        /*
         * If we map the spte from nonpresent to present, We should store
         * the high bits firstly, then set present bit, so cpu can not
         * fetch this spte while we are setting the spte.
         */
        smp_wmb();

        WRITE_ONCE(ssptep->spte_low, sspte.spte_low);
}

static void __update_clear_spte_fast(u64 *sptep, u64 spte)
{
        union split_spte *ssptep, sspte;

        ssptep = (union split_spte *)sptep;
        sspte = (union split_spte)spte;

        WRITE_ONCE(ssptep->spte_low, sspte.spte_low);

        /*
         * If we map the spte from present to nonpresent, we should clear
         * present bit firstly to avoid vcpu fetch the old high bits.
         */
        smp_wmb();

        ssptep->spte_high = sspte.spte_high;
        count_spte_clear(sptep, spte);
}

static u64 __update_clear_spte_slow(u64 *sptep, u64 spte)
{
        union split_spte *ssptep, sspte, orig;

        ssptep = (union split_spte *)sptep;
        sspte = (union split_spte)spte;

        /* xchg acts as a barrier before the setting of the high bits */
        orig.spte_low = xchg(&ssptep->spte_low, sspte.spte_low);
        orig.spte_high = ssptep->spte_high;
        ssptep->spte_high = sspte.spte_high;
        count_spte_clear(sptep, spte);

        return orig.spte;
}

/*
 * The idea using the light way get the spte on x86_32 guest is from
 * gup_get_pte(arch/x86/mm/gup.c).
 *
 * An spte tlb flush may be pending, because kvm_set_pte_rmapp
 * coalesces them and we are running out of the MMU lock.  Therefore
 * we need to protect against in-progress updates of the spte.
 *
 * Reading the spte while an update is in progress may get the old value
 * for the high part of the spte.  The race is fine for a present->non-present
 * change (because the high part of the spte is ignored for non-present spte),
 * but for a present->present change we must reread the spte.
 *
 * All such changes are done in two steps (present->non-present and
 * non-present->present), hence it is enough to count the number of
 * present->non-present updates: if it changed while reading the spte,
 * we might have hit the race.  This is done using clear_spte_count.
 */
static u64 __get_spte_lockless(u64 *sptep)
{
        struct kvm_mmu_page *sp =  page_header(__pa(sptep));
        union split_spte spte, *orig = (union split_spte *)sptep;
        int count;

retry:
        count = sp->clear_spte_count;
        smp_rmb();

        spte.spte_low = orig->spte_low;
        smp_rmb();

        spte.spte_high = orig->spte_high;
        smp_rmb();

        if (unlikely(spte.spte_low != orig->spte_low ||
              count != sp->clear_spte_count))
                goto retry;

        return spte.spte;
}
#endif

static bool spte_can_locklessly_be_made_writable(u64 spte)
{
        return (spte & (SPTE_HOST_WRITEABLE | SPTE_MMU_WRITEABLE)) ==
                (SPTE_HOST_WRITEABLE | SPTE_MMU_WRITEABLE);
}

static bool spte_has_volatile_bits(u64 spte)
{
        if (!is_shadow_present_pte(spte))
                return false;

        /*
         * Always atomically update spte if it can be updated
         * out of mmu-lock, it can ensure dirty bit is not lost,
         * also, it can help us to get a stable is_writable_pte()
         * to ensure tlb flush is not missed.
         */
        if (spte_can_locklessly_be_made_writable(spte) ||
            is_access_track_spte(spte))
                return true;

        if (spte_ad_enabled(spte)) {
                if ((spte & shadow_accessed_mask) == 0 ||
                    (is_writable_pte(spte) && (spte & shadow_dirty_mask) == 0))
                        return true;
        }

        return false;
}

static bool is_accessed_spte(u64 spte)
{
        u64 accessed_mask = spte_shadow_accessed_mask(spte);

        return accessed_mask ? spte & accessed_mask
                             : !is_access_track_spte(spte);
}

static bool is_dirty_spte(u64 spte)
{
        u64 dirty_mask = spte_shadow_dirty_mask(spte);

        return dirty_mask ? spte & dirty_mask : spte & PT_WRITABLE_MASK;
}

/* Rules for using mmu_spte_set:
 * Set the sptep from nonpresent to present.
 * Note: the sptep being assigned *must* be either not present
 * or in a state where the hardware will not attempt to update
 * the spte.
 */
static void mmu_spte_set(u64 *sptep, u64 new_spte)
{
        WARN_ON(is_shadow_present_pte(*sptep));
        __set_spte(sptep, new_spte);
}

/*
 * Update the SPTE (excluding the PFN), but do not track changes in its
 * accessed/dirty status.
 */
static u64 mmu_spte_update_no_track(u64 *sptep, u64 new_spte)
{
        u64 old_spte = *sptep;

        WARN_ON(!is_shadow_present_pte(new_spte));

        if (!is_shadow_present_pte(old_spte)) {
                mmu_spte_set(sptep, new_spte);
                return old_spte;
        }

        if (!spte_has_volatile_bits(old_spte))
                __update_clear_spte_fast(sptep, new_spte);
        else
                old_spte = __update_clear_spte_slow(sptep, new_spte);

        WARN_ON(spte_to_pfn(old_spte) != spte_to_pfn(new_spte));

        return old_spte;
}

/* Rules for using mmu_spte_update:
 * Update the state bits, it means the mapped pfn is not changed.
 *
 * Whenever we overwrite a writable spte with a read-only one we
 * should flush remote TLBs. Otherwise rmap_write_protect
 * will find a read-only spte, even though the writable spte
 * might be cached on a CPU's TLB, the return value indicates this
 * case.
 *
 * Returns true if the TLB needs to be flushed
 */
static bool mmu_spte_update(u64 *sptep, u64 new_spte)
{
        bool flush = false;
        u64 old_spte = mmu_spte_update_no_track(sptep, new_spte);

        if (!is_shadow_present_pte(old_spte))
                return false;

        /*
         * For the spte updated out of mmu-lock is safe, since
         * we always atomically update it, see the comments in
         * spte_has_volatile_bits().
         */
        if (spte_can_locklessly_be_made_writable(old_spte) &&
              !is_writable_pte(new_spte))
                flush = true;

        /*
         * Flush TLB when accessed/dirty states are changed in the page tables,
         * to guarantee consistency between TLB and page tables.
         */

        if (is_accessed_spte(old_spte) && !is_accessed_spte(new_spte)) {
                flush = true;
                kvm_set_pfn_accessed(spte_to_pfn(old_spte));
        }

        if (is_dirty_spte(old_spte) && !is_dirty_spte(new_spte)) {
                flush = true;
                kvm_set_pfn_dirty(spte_to_pfn(old_spte));
        }

        return flush;
}

/*
 * Rules for using mmu_spte_clear_track_bits:
 * It sets the sptep from present to nonpresent, and track the
 * state bits, it is used to clear the last level sptep.
 * Returns non-zero if the PTE was previously valid.
 */
static int mmu_spte_clear_track_bits(u64 *sptep)
{
        kvm_pfn_t pfn;
        u64 old_spte = *sptep;

        if (!spte_has_volatile_bits(old_spte))
                __update_clear_spte_fast(sptep, 0ull);
        else
                old_spte = __update_clear_spte_slow(sptep, 0ull);

        if (!is_shadow_present_pte(old_spte))
                return 0;

        pfn = spte_to_pfn(old_spte);

        /*
         * KVM does not hold the refcount of the page used by
         * kvm mmu, before reclaiming the page, we should
         * unmap it from mmu first.
         */
        WARN_ON(!kvm_is_reserved_pfn(pfn) && !page_count(pfn_to_page(pfn)));

        if (is_accessed_spte(old_spte))
                kvm_set_pfn_accessed(pfn);

        if (is_dirty_spte(old_spte))
                kvm_set_pfn_dirty(pfn);

        return 1;
}

/*
 * Rules for using mmu_spte_clear_no_track:
 * Directly clear spte without caring the state bits of sptep,
 * it is used to set the upper level spte.
 */
static void mmu_spte_clear_no_track(u64 *sptep)
{
        __update_clear_spte_fast(sptep, 0ull);
}

static u64 mmu_spte_get_lockless(u64 *sptep)
{
        return __get_spte_lockless(sptep);
}

static u64 mark_spte_for_access_track(u64 spte)
{
        if (spte_ad_enabled(spte))
                return spte & ~shadow_accessed_mask;

        if (is_access_track_spte(spte))
                return spte;

        /*
         * Making an Access Tracking PTE will result in removal of write access
         * from the PTE. So, verify that we will be able to restore the write
         * access in the fast page fault path later on.
         */
        WARN_ONCE((spte & PT_WRITABLE_MASK) &&
                  !spte_can_locklessly_be_made_writable(spte),
                  "kvm: Writable SPTE is not locklessly dirty-trackable\n");

        WARN_ONCE(spte & (shadow_acc_track_saved_bits_mask <<
                          shadow_acc_track_saved_bits_shift),
                  "kvm: Access Tracking saved bit locations are not zero\n");

        spte |= (spte & shadow_acc_track_saved_bits_mask) <<
                shadow_acc_track_saved_bits_shift;
        spte &= ~shadow_acc_track_mask;

        return spte;
}

/* Restore an acc-track PTE back to a regular PTE */
static u64 restore_acc_track_spte(u64 spte)
{
        u64 new_spte = spte;
        u64 saved_bits = (spte >> shadow_acc_track_saved_bits_shift)
                         & shadow_acc_track_saved_bits_mask;

        WARN_ON_ONCE(spte_ad_enabled(spte));
        WARN_ON_ONCE(!is_access_track_spte(spte));

        new_spte &= ~shadow_acc_track_mask;
        new_spte &= ~(shadow_acc_track_saved_bits_mask <<
                      shadow_acc_track_saved_bits_shift);
        new_spte |= saved_bits;

        return new_spte;
}

/* Returns the Accessed status of the PTE and resets it at the same time. */
static bool mmu_spte_age(u64 *sptep)
{
        u64 spte = mmu_spte_get_lockless(sptep);

        if (!is_accessed_spte(spte))
                return false;

        if (spte_ad_enabled(spte)) {
                clear_bit((ffs(shadow_accessed_mask) - 1),
                          (unsigned long *)sptep);
        } else {
                /*
                 * Capture the dirty status of the page, so that it doesn't get
                 * lost when the SPTE is marked for access tracking.
                 */
                if (is_writable_pte(spte))
                        kvm_set_pfn_dirty(spte_to_pfn(spte));

                spte = mark_spte_for_access_track(spte);
                mmu_spte_update_no_track(sptep, spte);
        }

        return true;
}

static void walk_shadow_page_lockless_begin(struct kvm_vcpu *vcpu)
{
        /*
         * Prevent page table teardown by making any free-er wait during
         * kvm_flush_remote_tlbs() IPI to all active vcpus.
         */
        local_irq_disable();

        /*
         * Make sure a following spte read is not reordered ahead of the write
         * to vcpu->mode.
         */
        smp_store_mb(vcpu->mode, READING_SHADOW_PAGE_TABLES);
}

static void walk_shadow_page_lockless_end(struct kvm_vcpu *vcpu)
{
        /*
         * Make sure the write to vcpu->mode is not reordered in front of
         * reads to sptes.  If it does, kvm_mmu_commit_zap_page() can see us
         * OUTSIDE_GUEST_MODE and proceed to free the shadow page table.
         */
        smp_store_release(&vcpu->mode, OUTSIDE_GUEST_MODE);
        local_irq_enable();
}

static int mmu_topup_memory_cache(struct kvm_mmu_memory_cache *cache,
                                  struct kmem_cache *base_cache, int min)
{
        void *obj;

        if (cache->nobjs >= min)
                return 0;
        while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
                obj = kmem_cache_zalloc(base_cache, GFP_KERNEL_ACCOUNT);
                if (!obj)
                        return cache->nobjs >= min ? 0 : -ENOMEM;
                cache->objects[cache->nobjs++] = obj;
        }
        return 0;
}

static int mmu_memory_cache_free_objects(struct kvm_mmu_memory_cache *cache)
{
        return cache->nobjs;
}

static void mmu_free_memory_cache(struct kvm_mmu_memory_cache *mc,
                                  struct kmem_cache *cache)
{
        while (mc->nobjs)
                kmem_cache_free(cache, mc->objects[--mc->nobjs]);
}

static int mmu_topup_memory_cache_page(struct kvm_mmu_memory_cache *cache,
                                       int min)

{
        void *page;

        if (cache->nobjs >= min)
                return 0;
        while (cache->nobjs < ARRAY_SIZE(cache->objects)) {
                page = (void *)__get_free_page(GFP_KERNEL_ACCOUNT);
                if (!page)
                        return cache->nobjs >= min ? 0 : -ENOMEM;
                cache->objects[cache->nobjs++] = page;
        }
        return 0;
}

static void mmu_free_memory_cache_page(struct kvm_mmu_memory_cache *mc)
{
        while (mc->nobjs)
                free_page((unsigned long)mc->objects[--mc->nobjs]);
}

static int mmu_topup_memory_caches(struct kvm_vcpu *vcpu)
{
        int r;

        r = mmu_topup_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache,
                                   pte_list_desc_cache, 8 + PTE_PREFETCH_NUM);
        if (r)
                goto out;
        r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8);
        if (r)
                goto out;
        r = mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
                                   mmu_page_header_cache, 4);
out:
        return r;
}

static void mmu_free_memory_caches(struct kvm_vcpu *vcpu)
{
        mmu_free_memory_cache(&vcpu->arch.mmu_pte_list_desc_cache,
                                pte_list_desc_cache);
        mmu_free_memory_cache_page(&vcpu->arch.mmu_page_cache);
        mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache,
                                mmu_page_header_cache);
}

static void *mmu_memory_cache_alloc(struct kvm_mmu_memory_cache *mc)
{
        void *p;

        BUG_ON(!mc->nobjs);
        p = mc->objects[--mc->nobjs];
        return p;
}

static struct pte_list_desc *mmu_alloc_pte_list_desc(struct kvm_vcpu *vcpu)
{
        return mmu_memory_cache_alloc(&vcpu->arch.mmu_pte_list_desc_cache);
}

static void mmu_free_pte_list_desc(struct pte_list_desc *pte_list_desc)
{
        kmem_cache_free(pte_list_desc_cache, pte_list_desc);
}

static gfn_t kvm_mmu_page_get_gfn(struct kvm_mmu_page *sp, int index)
{
        if (!sp->role.direct)
                return sp->gfns[index];

        return sp->gfn + (index << ((sp->role.level - 1) * PT64_LEVEL_BITS));
}

static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
{
        if (sp->role.direct)
                BUG_ON(gfn != kvm_mmu_page_get_gfn(sp, index));
        else
                sp->gfns[index] = gfn;
}

/*
 * Return the pointer to the large page information for a given gfn,
 * handling slots that are not large page aligned.
 */
static struct kvm_lpage_info *lpage_info_slot(gfn_t gfn,
                                              struct kvm_memory_slot *slot,
                                              int level)
{
        unsigned long idx;

        idx = gfn_to_index(gfn, slot->base_gfn, level);
        return &slot->arch.lpage_info[level - 2][idx];
}

static void update_gfn_disallow_lpage_count(struct kvm_memory_slot *slot,
                                            gfn_t gfn, int count)
{
        struct kvm_lpage_info *linfo;
        int i;

        for (i = PT_DIRECTORY_LEVEL; i <= PT_MAX_HUGEPAGE_LEVEL; ++i) {
                linfo = lpage_info_slot(gfn, slot, i);
                linfo->disallow_lpage += count;
                WARN_ON(linfo->disallow_lpage < 0);
        }
}

void kvm_mmu_gfn_disallow_lpage(struct kvm_memory_slot *slot, gfn_t gfn)
{
        update_gfn_disallow_lpage_count(slot, gfn, 1);
}

void kvm_mmu_gfn_allow_lpage(struct kvm_memory_slot *slot, gfn_t gfn)
{
        update_gfn_disallow_lpage_count(slot, gfn, -1);
}

static void account_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
{
        struct kvm_memslots *slots;
        struct kvm_memory_slot *slot;
        gfn_t gfn;

        kvm->arch.indirect_shadow_pages++;
        gfn = sp->gfn;
        slots = kvm_memslots_for_spte_role(kvm, sp->role);
        slot = __gfn_to_memslot(slots, gfn);

        /* the non-leaf shadow pages are keeping readonly. */
        if (sp->role.level > PT_PAGE_TABLE_LEVEL)
                return kvm_slot_page_track_add_page(kvm, slot, gfn,
                                                    KVM_PAGE_TRACK_WRITE);

        kvm_mmu_gfn_disallow_lpage(slot, gfn);
}

static void unaccount_shadowed(struct kvm *kvm, struct kvm_mmu_page *sp)
{
        struct kvm_memslots *slots;
        struct kvm_memory_slot *slot;
        gfn_t gfn;

        kvm->arch.indirect_shadow_pages--;
        gfn = sp->gfn;
        slots = kvm_memslots_for_spte_role(kvm, sp->role);
        slot = __gfn_to_memslot(slots, gfn);
        if (sp->role.level > PT_PAGE_TABLE_LEVEL)
                return kvm_slot_page_track_remove_page(kvm, slot, gfn,
                                                       KVM_PAGE_TRACK_WRITE);

        kvm_mmu_gfn_allow_lpage(slot, gfn);
}

static bool __mmu_gfn_lpage_is_disallowed(gfn_t gfn, int level,
                                          struct kvm_memory_slot *slot)
{
        struct kvm_lpage_info *linfo;

        if (slot) {
                linfo = lpage_info_slot(gfn, slot, level);
                return !!linfo->disallow_lpage;
        }

        return true;
}

static bool mmu_gfn_lpage_is_disallowed(struct kvm_vcpu *vcpu, gfn_t gfn,
                                        int level)
{
        struct kvm_memory_slot *slot;

        slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
        return __mmu_gfn_lpage_is_disallowed(gfn, level, slot);
}

static int host_mapping_level(struct kvm *kvm, gfn_t gfn)
{
        unsigned long page_size;
        int i, ret = 0;

        page_size = kvm_host_page_size(kvm, gfn);

        for (i = PT_PAGE_TABLE_LEVEL; i <= PT_MAX_HUGEPAGE_LEVEL; ++i) {
                if (page_size >= KVM_HPAGE_SIZE(i))
                        ret = i;
                else
                        break;
        }

        return ret;
}

static inline bool memslot_valid_for_gpte(struct kvm_memory_slot *slot,
                                          bool no_dirty_log)
{
        if (!slot || slot->flags & KVM_MEMSLOT_INVALID)
                return false;
        if (no_dirty_log && slot->dirty_bitmap)
                return false;

        return true;
}

static struct kvm_memory_slot *
gfn_to_memslot_dirty_bitmap(struct kvm_vcpu *vcpu, gfn_t gfn,
                            bool no_dirty_log)
{
        struct kvm_memory_slot *slot;

        slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
        if (!memslot_valid_for_gpte(slot, no_dirty_log))
                slot = NULL;

        return slot;
}

static int mapping_level(struct kvm_vcpu *vcpu, gfn_t large_gfn,
                         bool *force_pt_level)
{
        int host_level, level, max_level;
        struct kvm_memory_slot *slot;

        if (unlikely(*force_pt_level))
                return PT_PAGE_TABLE_LEVEL;

        slot = kvm_vcpu_gfn_to_memslot(vcpu, large_gfn);
        *force_pt_level = !memslot_valid_for_gpte(slot, true);
        if (unlikely(*force_pt_level))
                return PT_PAGE_TABLE_LEVEL;

        host_level = host_mapping_level(vcpu->kvm, large_gfn);

        if (host_level == PT_PAGE_TABLE_LEVEL)
                return host_level;

        max_level = min(kvm_x86_ops->get_lpage_level(), host_level);

        for (level = PT_DIRECTORY_LEVEL; level <= max_level; ++level)
                if (__mmu_gfn_lpage_is_disallowed(large_gfn, level, slot))
                        break;

        return level - 1;
}

/*
 * About rmap_head encoding:
 *
 * If the bit zero of rmap_head->val is clear, then it points to the only spte
 * in this rmap chain. Otherwise, (rmap_head->val & ~1) points to a struct
 * pte_list_desc containing more mappings.
 */

/*
 * Returns the number of pointers in the rmap chain, not counting the new one.
 */
static int pte_list_add(struct kvm_vcpu *vcpu, u64 *spte,
                        struct kvm_rmap_head *rmap_head)
{
        struct pte_list_desc *desc;
        int i, count = 0;

        if (!rmap_head->val) {
                rmap_printk("pte_list_add: %p %llx 0->1\n", spte, *spte);
                rmap_head->val = (unsigned long)spte;
        } else if (!(rmap_head->val & 1)) {
                rmap_printk("pte_list_add: %p %llx 1->many\n", spte, *spte);
                desc = mmu_alloc_pte_list_desc(vcpu);
                desc->sptes[0] = (u64 *)rmap_head->val;
                desc->sptes[1] = spte;
                rmap_head->val = (unsigned long)desc | 1;
                ++count;
        } else {
                rmap_printk("pte_list_add: %p %llx many->many\n", spte, *spte);
                desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
                while (desc->sptes[PTE_LIST_EXT-1] && desc->more) {
                        desc = desc->more;
                        count += PTE_LIST_EXT;
                }
                if (desc->sptes[PTE_LIST_EXT-1]) {
                        desc->more = mmu_alloc_pte_list_desc(vcpu);
                        desc = desc->more;
                }
                for (i = 0; desc->sptes[i]; ++i)
                        ++count;
                desc->sptes[i] = spte;
        }
        return count;
}

static void
pte_list_desc_remove_entry(struct kvm_rmap_head *rmap_head,
                           struct pte_list_desc *desc, int i,
                           struct pte_list_desc *prev_desc)
{
        int j;

        for (j = PTE_LIST_EXT - 1; !desc->sptes[j] && j > i; --j)
                ;
        desc->sptes[i] = desc->sptes[j];
        desc->sptes[j] = NULL;
        if (j != 0)
                return;
        if (!prev_desc && !desc->more)
                rmap_head->val = (unsigned long)desc->sptes[0];
        else
                if (prev_desc)
                        prev_desc->more = desc->more;
                else
                        rmap_head->val = (unsigned long)desc->more | 1;
        mmu_free_pte_list_desc(desc);
}

static void __pte_list_remove(u64 *spte, struct kvm_rmap_head *rmap_head)
{
        struct pte_list_desc *desc;
        struct pte_list_desc *prev_desc;
        int i;

        if (!rmap_head->val) {
                pr_err("%s: %p 0->BUG\n", __func__, spte);
                BUG();
        } else if (!(rmap_head->val & 1)) {
                rmap_printk("%s:  %p 1->0\n", __func__, spte);
                if ((u64 *)rmap_head->val != spte) {
                        pr_err("%s:  %p 1->BUG\n", __func__, spte);
                        BUG();
                }
                rmap_head->val = 0;
        } else {
                rmap_printk("%s:  %p many->many\n", __func__, spte);
                desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
                prev_desc = NULL;
                while (desc) {
                        for (i = 0; i < PTE_LIST_EXT && desc->sptes[i]; ++i) {
                                if (desc->sptes[i] == spte) {
                                        pte_list_desc_remove_entry(rmap_head,
                                                        desc, i, prev_desc);
                                        return;
                                }
                        }
                        prev_desc = desc;
                        desc = desc->more;
                }
                pr_err("%s: %p many->many\n", __func__, spte);
                BUG();
        }
}

static void pte_list_remove(struct kvm_rmap_head *rmap_head, u64 *sptep)
{
        mmu_spte_clear_track_bits(sptep);
        __pte_list_remove(sptep, rmap_head);
}

static struct kvm_rmap_head *__gfn_to_rmap(gfn_t gfn, int level,
                                           struct kvm_memory_slot *slot)
{
        unsigned long idx;

        idx = gfn_to_index(gfn, slot->base_gfn, level);
        return &slot->arch.rmap[level - PT_PAGE_TABLE_LEVEL][idx];
}

static struct kvm_rmap_head *gfn_to_rmap(struct kvm *kvm, gfn_t gfn,
                                         struct kvm_mmu_page *sp)
{
        struct kvm_memslots *slots;
        struct kvm_memory_slot *slot;

        slots = kvm_memslots_for_spte_role(kvm, sp->role);
        slot = __gfn_to_memslot(slots, gfn);
        return __gfn_to_rmap(gfn, sp->role.level, slot);
}

static bool rmap_can_add(struct kvm_vcpu *vcpu)
{
        struct kvm_mmu_memory_cache *cache;

        cache = &vcpu->arch.mmu_pte_list_desc_cache;
        return mmu_memory_cache_free_objects(cache);
}

static int rmap_add(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
{
        struct kvm_mmu_page *sp;
        struct kvm_rmap_head *rmap_head;

        sp = page_header(__pa(spte));
        kvm_mmu_page_set_gfn(sp, spte - sp->spt, gfn);
        rmap_head = gfn_to_rmap(vcpu->kvm, gfn, sp);
        return pte_list_add(vcpu, spte, rmap_head);
}

static void rmap_remove(struct kvm *kvm, u64 *spte)
{
        struct kvm_mmu_page *sp;
        gfn_t gfn;
        struct kvm_rmap_head *rmap_head;

        sp = page_header(__pa(spte));
        gfn = kvm_mmu_page_get_gfn(sp, spte - sp->spt);
        rmap_head = gfn_to_rmap(kvm, gfn, sp);
        __pte_list_remove(spte, rmap_head);
}

/*
 * Used by the following functions to iterate through the sptes linked by a
 * rmap.  All fields are private and not assumed to be used outside.
 */
struct rmap_iterator {
        /* private fields */
        struct pte_list_desc *desc;     /* holds the sptep if not NULL */
        int pos;                        /* index of the sptep */
};

/*
 * Iteration must be started by this function.  This should also be used after
 * removing/dropping sptes from the rmap link because in such cases the
 * information in the itererator may not be valid.
 *
 * Returns sptep if found, NULL otherwise.
 */
static u64 *rmap_get_first(struct kvm_rmap_head *rmap_head,
                           struct rmap_iterator *iter)
{
        u64 *sptep;

        if (!rmap_head->val)
                return NULL;

        if (!(rmap_head->val & 1)) {
                iter->desc = NULL;
                sptep = (u64 *)rmap_head->val;
                goto out;
        }

        iter->desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);
        iter->pos = 0;
        sptep = iter->desc->sptes[iter->pos];
out:
        BUG_ON(!is_shadow_present_pte(*sptep));
        return sptep;
}

/*
 * Must be used with a valid iterator: e.g. after rmap_get_first().
 *
 * Returns sptep if found, NULL otherwise.
 */
static u64 *rmap_get_next(struct rmap_iterator *iter)
{
        u64 *sptep;

        if (iter->desc) {
                if (iter->pos < PTE_LIST_EXT - 1) {
                        ++iter->pos;
                        sptep = iter->desc->sptes[iter->pos];
                        if (sptep)
                                goto out;
                }

                iter->desc = iter->desc->more;

                if (iter->desc) {
                        iter->pos = 0;
                        /* desc->sptes[0] cannot be NULL */
                        sptep = iter->desc->sptes[iter->pos];
                        goto out;
                }
        }

        return NULL;
out:
        BUG_ON(!is_shadow_present_pte(*sptep));
        return sptep;
}

#define for_each_rmap_spte(_rmap_head_, _iter_, _spte_)                 \
        for (_spte_ = rmap_get_first(_rmap_head_, _iter_);              \
             _spte_; _spte_ = rmap_get_next(_iter_))

static void drop_spte(struct kvm *kvm, u64 *sptep)
{
        if (mmu_spte_clear_track_bits(sptep))
                rmap_remove(kvm, sptep);
}


static bool __drop_large_spte(struct kvm *kvm, u64 *sptep)
{
        if (is_large_pte(*sptep)) {
                WARN_ON(page_header(__pa(sptep))->role.level ==
                        PT_PAGE_TABLE_LEVEL);
                drop_spte(kvm, sptep);
                --kvm->stat.lpages;
                return true;
        }

        return false;
}

static void drop_large_spte(struct kvm_vcpu *vcpu, u64 *sptep)
{
        if (__drop_large_spte(vcpu->kvm, sptep)) {
                struct kvm_mmu_page *sp = page_header(__pa(sptep));

                kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
                        KVM_PAGES_PER_HPAGE(sp->role.level));
        }
}

/*
 * Write-protect on the specified @sptep, @pt_protect indicates whether
 * spte write-protection is caused by protecting shadow page table.
 *
 * Note: write protection is difference between dirty logging and spte
 * protection:
 * - for dirty logging, the spte can be set to writable at anytime if
 *   its dirty bitmap is properly set.
 * - for spte protection, the spte can be writable only after unsync-ing
 *   shadow page.
 *
 * Return true if tlb need be flushed.
 */
static bool spte_write_protect(u64 *sptep, bool pt_protect)
{
        u64 spte = *sptep;

        if (!is_writable_pte(spte) &&
              !(pt_protect && spte_can_locklessly_be_made_writable(spte)))
                return false;

        rmap_printk("rmap_write_protect: spte %p %llx\n", sptep, *sptep);

        if (pt_protect)
                spte &= ~SPTE_MMU_WRITEABLE;
        spte = spte & ~PT_WRITABLE_MASK;

        return mmu_spte_update(sptep, spte);
}

static bool __rmap_write_protect(struct kvm *kvm,
                                 struct kvm_rmap_head *rmap_head,
                                 bool pt_protect)
{
        u64 *sptep;
        struct rmap_iterator iter;
        bool flush = false;

        for_each_rmap_spte(rmap_head, &iter, sptep)
                flush |= spte_write_protect(sptep, pt_protect);

        return flush;
}

static bool spte_clear_dirty(u64 *sptep)
{
        u64 spte = *sptep;

        rmap_printk("rmap_clear_dirty: spte %p %llx\n", sptep, *sptep);

        spte &= ~shadow_dirty_mask;

        return mmu_spte_update(sptep, spte);
}

static bool wrprot_ad_disabled_spte(u64 *sptep)
{
        bool was_writable = test_and_clear_bit(PT_WRITABLE_SHIFT,
                                               (unsigned long *)sptep);
        if (was_writable)
                kvm_set_pfn_dirty(spte_to_pfn(*sptep));

        return was_writable;
}

/*
 * Gets the GFN ready for another round of dirty logging by clearing the
 *      - D bit on ad-enabled SPTEs, and
 *      - W bit on ad-disabled SPTEs.
 * Returns true iff any D or W bits were cleared.
 */
static bool __rmap_clear_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head)
{
        u64 *sptep;
        struct rmap_iterator iter;
        bool flush = false;

        for_each_rmap_spte(rmap_head, &iter, sptep)
                if (spte_ad_enabled(*sptep))
                        flush |= spte_clear_dirty(sptep);
                else
                        flush |= wrprot_ad_disabled_spte(sptep);

        return flush;
}

static bool spte_set_dirty(u64 *sptep)
{
        u64 spte = *sptep;

        rmap_printk("rmap_set_dirty: spte %p %llx\n", sptep, *sptep);

        spte |= shadow_dirty_mask;

        return mmu_spte_update(sptep, spte);
}

static bool __rmap_set_dirty(struct kvm *kvm, struct kvm_rmap_head *rmap_head)
{
        u64 *sptep;
        struct rmap_iterator iter;
        bool flush = false;

        for_each_rmap_spte(rmap_head, &iter, sptep)
                if (spte_ad_enabled(*sptep))
                        flush |= spte_set_dirty(sptep);

        return flush;
}

/**
 * kvm_mmu_write_protect_pt_masked - write protect selected PT level pages
 * @kvm: kvm instance
 * @slot: slot to protect
 * @gfn_offset: start of the BITS_PER_LONG pages we care about
 * @mask: indicates which pages we should protect
 *
 * Used when we do not need to care about huge page mappings: e.g. during dirty
 * logging we do not have any such mappings.
 */
static void kvm_mmu_write_protect_pt_masked(struct kvm *kvm,
                                     struct kvm_memory_slot *slot,
                                     gfn_t gfn_offset, unsigned long mask)
{
        struct kvm_rmap_head *rmap_head;

        while (mask) {
                rmap_head = __gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
                                          PT_PAGE_TABLE_LEVEL, slot);
                __rmap_write_protect(kvm, rmap_head, false);

                /* clear the first set bit */
                mask &= mask - 1;
        }
}

/**
 * kvm_mmu_clear_dirty_pt_masked - clear MMU D-bit for PT level pages, or write
 * protect the page if the D-bit isn't supported.
 * @kvm: kvm instance
 * @slot: slot to clear D-bit
 * @gfn_offset: start of the BITS_PER_LONG pages we care about
 * @mask: indicates which pages we should clear D-bit
 *
 * Used for PML to re-log the dirty GPAs after userspace querying dirty_bitmap.
 */
void kvm_mmu_clear_dirty_pt_masked(struct kvm *kvm,
                                     struct kvm_memory_slot *slot,
                                     gfn_t gfn_offset, unsigned long mask)
{
        struct kvm_rmap_head *rmap_head;

        while (mask) {
                rmap_head = __gfn_to_rmap(slot->base_gfn + gfn_offset + __ffs(mask),
                                          PT_PAGE_TABLE_LEVEL, slot);
                __rmap_clear_dirty(kvm, rmap_head);

                /* clear the first set bit */
                mask &= mask - 1;
        }
}
EXPORT_SYMBOL_GPL(kvm_mmu_clear_dirty_pt_masked);

/**
 * kvm_arch_mmu_enable_log_dirty_pt_masked - enable dirty logging for selected
 * PT level pages.
 *
 * It calls kvm_mmu_write_protect_pt_masked to write protect selected pages to
 * enable dirty logging for them.
 *
 * Used when we do not need to care about huge page mappings: e.g. during dirty
 * logging we do not have any such mappings.
 */
void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
                                struct kvm_memory_slot *slot,
                                gfn_t gfn_offset, unsigned long mask)
{
        if (kvm_x86_ops->enable_log_dirty_pt_masked)
                kvm_x86_ops->enable_log_dirty_pt_masked(kvm, slot, gfn_offset,
                                mask);
        else
                kvm_mmu_write_protect_pt_masked(kvm, slot, gfn_offset, mask);
}

/**
 * kvm_arch_write_log_dirty - emulate dirty page logging
 * @vcpu: Guest mode vcpu
 *
 * Emulate arch specific page modification logging for the
 * nested hypervisor
 */
int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu)
{
        if (kvm_x86_ops->write_log_dirty)
                return kvm_x86_ops->write_log_dirty(vcpu);

        return 0;
}

bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
                                    struct kvm_memory_slot *slot, u64 gfn)
{
        struct kvm_rmap_head *rmap_head;
        int i;
        bool write_protected = false;

        for (i = PT_PAGE_TABLE_LEVEL; i <= PT_MAX_HUGEPAGE_LEVEL; ++i) {
                rmap_head = __gfn_to_rmap(gfn, i, slot);
                write_protected |= __rmap_write_protect(kvm, rmap_head, true);
        }

        return write_protected;
}

static bool rmap_write_protect(struct kvm_vcpu *vcpu, u64 gfn)
{
        struct kvm_memory_slot *slot;

        slot = kvm_vcpu_gfn_to_memslot(vcpu, gfn);
        return kvm_mmu_slot_gfn_write_protect(vcpu->kvm, slot, gfn);
}

static bool kvm_zap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head)
{
        u64 *sptep;
        struct rmap_iterator iter;
        bool flush = false;

        while ((sptep = rmap_get_first(rmap_head, &iter))) {
                rmap_printk("%s: spte %p %llx.\n", __func__, sptep, *sptep);

                pte_list_remove(rmap_head, sptep);
                flush = true;
        }

        return flush;
}

static int kvm_unmap_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
                           struct kvm_memory_slot *slot, gfn_t gfn, int level,
                           unsigned long data)
{
        return kvm_zap_rmapp(kvm, rmap_head);
}

static int kvm_set_pte_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
                             struct kvm_memory_slot *slot, gfn_t gfn, int level,
                             unsigned long data)
{
        u64 *sptep;
        struct rmap_iterator iter;
        int need_flush = 0;
        u64 new_spte;
        pte_t *ptep = (pte_t *)data;
        kvm_pfn_t new_pfn;

        WARN_ON(pte_huge(*ptep));
        new_pfn = pte_pfn(*ptep);

restart:
        for_each_rmap_spte(rmap_head, &iter, sptep) {
                rmap_printk("kvm_set_pte_rmapp: spte %p %llx gfn %llx (%d)\n",
                            sptep, *sptep, gfn, level);

                need_flush = 1;

                if (pte_write(*ptep)) {
                        pte_list_remove(rmap_head, sptep);
                        goto restart;
                } else {
                        new_spte = *sptep & ~PT64_BASE_ADDR_MASK;
                        new_spte |= (u64)new_pfn << PAGE_SHIFT;

                        new_spte &= ~PT_WRITABLE_MASK;
                        new_spte &= ~SPTE_HOST_WRITEABLE;

                        new_spte = mark_spte_for_access_track(new_spte);

                        mmu_spte_clear_track_bits(sptep);
                        mmu_spte_set(sptep, new_spte);
                }
        }

        if (need_flush && kvm_available_flush_tlb_with_range()) {
                kvm_flush_remote_tlbs_with_address(kvm, gfn, 1);
                return 0;
        }

        return need_flush;
}

struct slot_rmap_walk_iterator {
        /* input fields. */
        struct kvm_memory_slot *slot;
        gfn_t start_gfn;
        gfn_t end_gfn;
        int start_level;
        int end_level;

        /* output fields. */
        gfn_t gfn;
        struct kvm_rmap_head *rmap;
        int level;

        /* private field. */
        struct kvm_rmap_head *end_rmap;
};

static void
rmap_walk_init_level(struct slot_rmap_walk_iterator *iterator, int level)
{
        iterator->level = level;
        iterator->gfn = iterator->start_gfn;
        iterator->rmap = __gfn_to_rmap(iterator->gfn, level, iterator->slot);
        iterator->end_rmap = __gfn_to_rmap(iterator->end_gfn, level,
                                           iterator->slot);
}

static void
slot_rmap_walk_init(struct slot_rmap_walk_iterator *iterator,
                    struct kvm_memory_slot *slot, int start_level,
                    int end_level, gfn_t start_gfn, gfn_t end_gfn)
{
        iterator->slot = slot;
        iterator->start_level = start_level;
        iterator->end_level = end_level;
        iterator->start_gfn = start_gfn;
        iterator->end_gfn = end_gfn;

        rmap_walk_init_level(iterator, iterator->start_level);
}

static bool slot_rmap_walk_okay(struct slot_rmap_walk_iterator *iterator)
{
        return !!iterator->rmap;
}

static void slot_rmap_walk_next(struct slot_rmap_walk_iterator *iterator)
{
        if (++iterator->rmap <= iterator->end_rmap) {
                iterator->gfn += (1UL << KVM_HPAGE_GFN_SHIFT(iterator->level));
                return;
        }

        if (++iterator->level > iterator->end_level) {
                iterator->rmap = NULL;
                return;
        }

        rmap_walk_init_level(iterator, iterator->level);
}

#define for_each_slot_rmap_range(_slot_, _start_level_, _end_level_,    \
           _start_gfn, _end_gfn, _iter_)                                \
        for (slot_rmap_walk_init(_iter_, _slot_, _start_level_,         \
                                 _end_level_, _start_gfn, _end_gfn);    \
             slot_rmap_walk_okay(_iter_);                               \
             slot_rmap_walk_next(_iter_))

static int kvm_handle_hva_range(struct kvm *kvm,
                                unsigned long start,
                                unsigned long end,
                                unsigned long data,
                                int (*handler)(struct kvm *kvm,
                                               struct kvm_rmap_head *rmap_head,
                                               struct kvm_memory_slot *slot,
                                               gfn_t gfn,
                                               int level,
                                               unsigned long data))
{
        struct kvm_memslots *slots;
        struct kvm_memory_slot *memslot;
        struct slot_rmap_walk_iterator iterator;
        int ret = 0;
        int i;

        for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++) {
                slots = __kvm_memslots(kvm, i);
                kvm_for_each_memslot(memslot, slots) {
                        unsigned long hva_start, hva_end;
                        gfn_t gfn_start, gfn_end;

                        hva_start = max(start, memslot->userspace_addr);
                        hva_end = min(end, memslot->userspace_addr +
                                      (memslot->npages << PAGE_SHIFT));
                        if (hva_start >= hva_end)
                                continue;
                        /*
                         * {gfn(page) | page intersects with [hva_start, hva_end)} =
                         * {gfn_start, gfn_start+1, ..., gfn_end-1}.
                         */
                        gfn_start = hva_to_gfn_memslot(hva_start, memslot);
                        gfn_end = hva_to_gfn_memslot(hva_end + PAGE_SIZE - 1, memslot);

                        for_each_slot_rmap_range(memslot, PT_PAGE_TABLE_LEVEL,
                                                 PT_MAX_HUGEPAGE_LEVEL,
                                                 gfn_start, gfn_end - 1,
                                                 &iterator)
                                ret |= handler(kvm, iterator.rmap, memslot,
                                               iterator.gfn, iterator.level, data);
                }
        }

        return ret;
}

static int kvm_handle_hva(struct kvm *kvm, unsigned long hva,
                          unsigned long data,
                          int (*handler)(struct kvm *kvm,
                                         struct kvm_rmap_head *rmap_head,
                                         struct kvm_memory_slot *slot,
                                         gfn_t gfn, int level,
                                         unsigned long data))
{
        return kvm_handle_hva_range(kvm, hva, hva + 1, data, handler);
}

int kvm_unmap_hva_range(struct kvm *kvm, unsigned long start, unsigned long end)
{
        return kvm_handle_hva_range(kvm, start, end, 0, kvm_unmap_rmapp);
}

int kvm_set_spte_hva(struct kvm *kvm, unsigned long hva, pte_t pte)
{
        return kvm_handle_hva(kvm, hva, (unsigned long)&pte, kvm_set_pte_rmapp);
}

static int kvm_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
                         struct kvm_memory_slot *slot, gfn_t gfn, int level,
                         unsigned long data)
{
        u64 *sptep;
        struct rmap_iterator uninitialized_var(iter);
        int young = 0;

        for_each_rmap_spte(rmap_head, &iter, sptep)
                young |= mmu_spte_age(sptep);

        trace_kvm_age_page(gfn, level, slot, young);
        return young;
}

static int kvm_test_age_rmapp(struct kvm *kvm, struct kvm_rmap_head *rmap_head,
                              struct kvm_memory_slot *slot, gfn_t gfn,
                              int level, unsigned long data)
{
        u64 *sptep;
        struct rmap_iterator iter;

        for_each_rmap_spte(rmap_head, &iter, sptep)
                if (is_accessed_spte(*sptep))
                        return 1;
        return 0;
}

#define RMAP_RECYCLE_THRESHOLD 1000

static void rmap_recycle(struct kvm_vcpu *vcpu, u64 *spte, gfn_t gfn)
{
        struct kvm_rmap_head *rmap_head;
        struct kvm_mmu_page *sp;

        sp = page_header(__pa(spte));

        rmap_head = gfn_to_rmap(vcpu->kvm, gfn, sp);

        kvm_unmap_rmapp(vcpu->kvm, rmap_head, NULL, gfn, sp->role.level, 0);
        kvm_flush_remote_tlbs_with_address(vcpu->kvm, sp->gfn,
                        KVM_PAGES_PER_HPAGE(sp->role.level));
}

int kvm_age_hva(struct kvm *kvm, unsigned long start, unsigned long end)
{
        return kvm_handle_hva_range(kvm, start, end, 0, kvm_age_rmapp);
}

int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
{
        return kvm_handle_hva(kvm, hva, 0, kvm_test_age_rmapp);
}

#ifdef MMU_DEBUG
static int is_empty_shadow_page(u64 *spt)
{
        u64 *pos;
        u64 *end;

        for (pos = spt, end = pos + PAGE_SIZE / sizeof(u64); pos != end; pos++)

                if (is_shadow_present_pte(*pos)) {
                        printk(KERN_ERR "%s: %p %llx\n", __func__,
                               pos, *pos);
                        return 0;
                }
        return 1;
}
#endif

/*
 * This value is the sum of all of the kvm instances's
 * kvm->arch.n_used_mmu_pages values.  We need a global,
 * aggregate version in order to make the slab shrinker
 * faster
 */
static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
{
        kvm->arch.n_used_mmu_pages += nr;
        percpu_counter_add(&kvm_total_used_mmu_pages, nr);
}

static void kvm_mmu_free_page(struct kvm_mmu_page *sp)
{
        MMU_WARN_ON(!is_empty_shadow_page(sp->spt));
        hlist_del(&sp->hash_link);
        list_del(&sp->link);
        free_page((unsigned long)sp->spt);
        if (!sp->role.direct)
                free_page((unsigned long)sp->gfns);
        kmem_cache_free(mmu_page_header_cache, sp);
}

static unsigned kvm_page_table_hashfn(gfn_t gfn)
{
        return hash_64(gfn, KVM_MMU_HASH_SHIFT);
}

static void mmu_page_add_parent_pte(struct kvm_vcpu *vcpu,
                                    struct kvm_mmu_page *sp, u64 *parent_pte)
{
        if (!parent_pte)
                return;

        pte_list_add(vcpu, parent_pte, &sp->parent_ptes);
}

static void mmu_page_remove_parent_pte(struct kvm_mmu_page *sp,
                                       u64 *parent_pte)
{
        __pte_list_remove(parent_pte, &sp->parent_ptes);
}

static void drop_parent_pte(struct kvm_mmu_page *sp,
                            u64 *parent_pte)
{
        mmu_page_remove_parent_pte(sp, parent_pte);
        mmu_spte_clear_no_track(parent_pte);
}

static struct kvm_mmu_page *kvm_mmu_alloc_page(struct kvm_vcpu *vcpu, int direct)
{
        struct kvm_mmu_page *sp;

        sp = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);
        sp->spt = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache);
        if (!direct)
                sp->gfns = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_cache);
        set_page_private(virt_to_page(sp->spt), (unsigned long)sp);
        list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
        kvm_mod_used_mmu_pages(vcpu->kvm, +1);
        return sp;
}

static void mark_unsync(u64 *spte);
static void kvm_mmu_mark_parents_unsync(struct kvm_mmu_page *sp)
{
        u64 *sptep;
        struct rmap_iterator iter;

        for_each_rmap_spte(&sp->parent_ptes, &iter, sptep) {
                mark_unsync(sptep);
        }
}

static void mark_unsync(u64 *spte)
{
        struct kvm_mmu_page *sp;
        unsigned int index;

        sp = page_header(__pa(spte));
        index = spte - sp->spt;
        if (__test_and_set_bit(index, sp->unsync_child_bitmap))
                return;
        if (sp->unsync_children++)
                return;
        kvm_mmu_mark_parents_unsync(sp);
}

static int nonpaging_sync_page(struct kvm_vcpu *vcpu,
                               struct kvm_mmu_page *sp)
{
        return 0;
}

static void nonpaging_invlpg(struct kvm_vcpu *vcpu, gva_t gva, hpa_t root)
{
}

static void nonpaging_update_pte(struct kvm_vcpu *vcpu,
                                 struct kvm_mmu_page *sp, u64 *spte,
                                 const void *pte)
{
        WARN_ON(1);
}

#define KVM_PAGE_ARRAY_NR 16

struct kvm_mmu_pages {
        struct mmu_page_and_offset {
                struct kvm_mmu_page *sp;
                unsigned int idx;
        } page[KVM_PAGE_ARRAY_NR];
        unsigned int nr;
};

static int mmu_pages_add(struct kvm_mmu_pages *pvec, struct kvm_mmu_page *sp,
                         int idx)
{
        int i;

        if (sp->unsync)
                for (i=0; i < pvec->nr; i++)
                        if (pvec->page[i].sp == sp)
                                return 0;

        pvec->page[pvec->nr].sp = sp;
        pvec->page[pvec->nr].idx = idx;
        pvec->nr++;
        return (pvec->nr == KVM_PAGE_ARRAY_NR);
}

static inline void clear_unsync_child_bit(struct kvm_mmu_page *sp, int idx)
{
        --sp->unsync_children;
        WARN_ON((int)sp->unsync_children < 0);
        __clear_bit(idx, sp->unsync_child_bitmap);
}

static int __mmu_unsync_walk(struct kvm_mmu_page *sp,
                           struct kvm_mmu_pages *pvec)
{
        int i, ret, nr_unsync_leaf = 0;

        for_each_set_bit(i, sp->unsync_child_bitmap, 512) {
                struct kvm_mmu_page *child;
                u64 ent = sp->spt[i];

                if (!is_shadow_present_pte(ent) || is_large_pte(ent)) {
                        clear_unsync_child_bit(sp, i);
                        continue;
                }

                child = page_header(ent & PT64_BASE_ADDR_MASK);

                if (child->unsync_children) {
                        if (mmu_pages_add(pvec, child, i))
                                return -ENOSPC;

                        ret = __mmu_unsync_walk(child, pvec);
                        if (!ret) {
                                clear_unsync_child_bit(sp, i);
                                continue;
                        } else if (ret > 0) {
                                nr_unsync_leaf += ret;
                        } else
                                return ret;
                } else if (child->unsync) {
                        nr_unsync_leaf++;
                        if (mmu_pages_add(pvec, child, i))
                                return -ENOSPC;
                } else
                        clear_unsync_child_bit(sp, i);
        }

        return nr_unsync_leaf;
}

#define INVALID_INDEX (-1)

static int mmu_unsync_walk(struct kvm_mmu_page *sp,
                           struct kvm_mmu_pages *pvec)
{
        pvec->nr = 0;
        if (!sp->unsync_children)
                return 0;

        mmu_pages_add(pvec, sp, INVALID_INDEX);
        return __mmu_unsync_walk(sp, pvec);
}

static void kvm_unlink_unsync_page(struct kvm *kvm, struct kvm_mmu_page *sp)
{
        WARN_ON(!sp->unsync);
        trace_kvm_mmu_sync_page(sp);
        sp->unsync = 0;
        --kvm->stat.mmu_unsync;
}

static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
                                     struct list_head *invalid_list);
static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                                    struct list_head *invalid_list);


#define for_each_valid_sp(_kvm, _sp, _gfn)                              \
        hlist_for_each_entry(_sp,                                       \
          &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)], hash_link) \
                if ((_sp)->role.invalid) {    \
                } else

#define for_each_gfn_indirect_valid_sp(_kvm, _sp, _gfn)                 \
        for_each_valid_sp(_kvm, _sp, _gfn)                              \
                if ((_sp)->gfn != (_gfn) || (_sp)->role.direct) {} else

static inline bool is_ept_sp(struct kvm_mmu_page *sp)
{
        return sp->role.cr0_wp && sp->role.smap_andnot_wp;
}

/* @sp->gfn should be write-protected at the call site */
static bool __kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
                            struct list_head *invalid_list)
{
        if ((!is_ept_sp(sp) && sp->role.gpte_is_8_bytes != !!is_pae(vcpu)) ||
            vcpu->arch.mmu->sync_page(vcpu, sp) == 0) {
                kvm_mmu_prepare_zap_page(vcpu->kvm, sp, invalid_list);
                return false;
        }

        return true;
}

static bool kvm_mmu_remote_flush_or_zap(struct kvm *kvm,
                                        struct list_head *invalid_list,
                                        bool remote_flush)
{
        if (!remote_flush && list_empty(invalid_list))
                return false;

        if (!list_empty(invalid_list))
                kvm_mmu_commit_zap_page(kvm, invalid_list);
        else
                kvm_flush_remote_tlbs(kvm);
        return true;
}

static void kvm_mmu_flush_or_zap(struct kvm_vcpu *vcpu,
                                 struct list_head *invalid_list,
                                 bool remote_flush, bool local_flush)
{
        if (kvm_mmu_remote_flush_or_zap(vcpu->kvm, invalid_list, remote_flush))
                return;

        if (local_flush)
                kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
}

#ifdef CONFIG_KVM_MMU_AUDIT
#include "mmu_audit.c"
#else
static void kvm_mmu_audit(struct kvm_vcpu *vcpu, int point) { }
static void mmu_audit_disable(void) { }
#endif

static bool kvm_sync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
                         struct list_head *invalid_list)
{
        kvm_unlink_unsync_page(vcpu->kvm, sp);
        return __kvm_sync_page(vcpu, sp, invalid_list);
}

/* @gfn should be write-protected at the call site */
static bool kvm_sync_pages(struct kvm_vcpu *vcpu, gfn_t gfn,
                           struct list_head *invalid_list)
{
        struct kvm_mmu_page *s;
        bool ret = false;

        for_each_gfn_indirect_valid_sp(vcpu->kvm, s, gfn) {
                if (!s->unsync)
                        continue;

                WARN_ON(s->role.level != PT_PAGE_TABLE_LEVEL);
                ret |= kvm_sync_page(vcpu, s, invalid_list);
        }

        return ret;
}

struct mmu_page_path {
        struct kvm_mmu_page *parent[PT64_ROOT_MAX_LEVEL];
        unsigned int idx[PT64_ROOT_MAX_LEVEL];
};

#define for_each_sp(pvec, sp, parents, i)                       \
                for (i = mmu_pages_first(&pvec, &parents);      \
                        i < pvec.nr && ({ sp = pvec.page[i].sp; 1;});   \
                        i = mmu_pages_next(&pvec, &parents, i))

static int mmu_pages_next(struct kvm_mmu_pages *pvec,
                          struct mmu_page_path *parents,
                          int i)
{
        int n;

        for (n = i+1; n < pvec->nr; n++) {
                struct kvm_mmu_page *sp = pvec->page[n].sp;
                unsigned idx = pvec->page[n].idx;
                int level = sp->role.level;

                parents->idx[level-1] = idx;
                if (level == PT_PAGE_TABLE_LEVEL)
                        break;

                parents->parent[level-2] = sp;
        }

        return n;
}

static int mmu_pages_first(struct kvm_mmu_pages *pvec,
                           struct mmu_page_path *parents)
{
        struct kvm_mmu_page *sp;
        int level;

        if (pvec->nr == 0)
                return 0;

        WARN_ON(pvec->page[0].idx != INVALID_INDEX);

        sp = pvec->page[0].sp;
        level = sp->role.level;
        WARN_ON(level == PT_PAGE_TABLE_LEVEL);

        parents->parent[level-2] = sp;

        /* Also set up a sentinel.  Further entries in pvec are all
         * children of sp, so this element is never overwritten.
         */
        parents->parent[level-1] = NULL;
        return mmu_pages_next(pvec, parents, 0);
}

static void mmu_pages_clear_parents(struct mmu_page_path *parents)
{
        struct kvm_mmu_page *sp;
        unsigned int level = 0;

        do {
                unsigned int idx = parents->idx[level];
                sp = parents->parent[level];
                if (!sp)
                        return;

                WARN_ON(idx == INVALID_INDEX);
                clear_unsync_child_bit(sp, idx);
                level++;
        } while (!sp->unsync_children);
}

static void mmu_sync_children(struct kvm_vcpu *vcpu,
                              struct kvm_mmu_page *parent)
{
        int i;
        struct kvm_mmu_page *sp;
        struct mmu_page_path parents;
        struct kvm_mmu_pages pages;
        LIST_HEAD(invalid_list);
        bool flush = false;

        while (mmu_unsync_walk(parent, &pages)) {
                bool protected = false;

                for_each_sp(pages, sp, parents, i)
                        protected |= rmap_write_protect(vcpu, sp->gfn);

                if (protected) {
                        kvm_flush_remote_tlbs(vcpu->kvm);
                        flush = false;
                }

                for_each_sp(pages, sp, parents, i) {
                        flush |= kvm_sync_page(vcpu, sp, &invalid_list);
                        mmu_pages_clear_parents(&parents);
                }
                if (need_resched() || spin_needbreak(&vcpu->kvm->mmu_lock)) {
                        kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
                        cond_resched_lock(&vcpu->kvm->mmu_lock);
                        flush = false;
                }
        }

        kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
}

static void __clear_sp_write_flooding_count(struct kvm_mmu_page *sp)
{
        atomic_set(&sp->write_flooding_count,  0);
}

static void clear_sp_write_flooding_count(u64 *spte)
{
        struct kvm_mmu_page *sp =  page_header(__pa(spte));

        __clear_sp_write_flooding_count(sp);
}

static struct kvm_mmu_page *kvm_mmu_get_page(struct kvm_vcpu *vcpu,
                                             gfn_t gfn,
                                             gva_t gaddr,
                                             unsigned level,
                                             int direct,
                                             unsigned access)
{
        union kvm_mmu_page_role role;
        unsigned quadrant;
        struct kvm_mmu_page *sp;
        bool need_sync = false;
        bool flush = false;
        int collisions = 0;
        LIST_HEAD(invalid_list);

        role = vcpu->arch.mmu->mmu_role.base;
        role.level = level;
        role.direct = direct;
        if (role.direct)
                role.gpte_is_8_bytes = true;
        role.access = access;
        if (!vcpu->arch.mmu->direct_map
            && vcpu->arch.mmu->root_level <= PT32_ROOT_LEVEL) {
                quadrant = gaddr >> (PAGE_SHIFT + (PT64_PT_BITS * level));
                quadrant &= (1 << ((PT32_PT_BITS - PT64_PT_BITS) * level)) - 1;
                role.quadrant = quadrant;
        }
        for_each_valid_sp(vcpu->kvm, sp, gfn) {
                if (sp->gfn != gfn) {
                        collisions++;
                        continue;
                }

                if (!need_sync && sp->unsync)
                        need_sync = true;

                if (sp->role.word != role.word)
                        continue;

                if (sp->unsync) {
                        /* The page is good, but __kvm_sync_page might still end
                         * up zapping it.  If so, break in order to rebuild it.
                         */
                        if (!__kvm_sync_page(vcpu, sp, &invalid_list))
                                break;

                        WARN_ON(!list_empty(&invalid_list));
                        kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
                }

                if (sp->unsync_children)
                        kvm_make_request(KVM_REQ_MMU_SYNC, vcpu);

                __clear_sp_write_flooding_count(sp);
                trace_kvm_mmu_get_page(sp, false);
                goto out;
        }

        ++vcpu->kvm->stat.mmu_cache_miss;

        sp = kvm_mmu_alloc_page(vcpu, direct);

        sp->gfn = gfn;
        sp->role = role;
        hlist_add_head(&sp->hash_link,
                &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)]);
        if (!direct) {
                /*
                 * we should do write protection before syncing pages
                 * otherwise the content of the synced shadow page may
                 * be inconsistent with guest page table.
                 */
                account_shadowed(vcpu->kvm, sp);
                if (level == PT_PAGE_TABLE_LEVEL &&
                      rmap_write_protect(vcpu, gfn))
                        kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn, 1);

                if (level > PT_PAGE_TABLE_LEVEL && need_sync)
                        flush |= kvm_sync_pages(vcpu, gfn, &invalid_list);
        }
        clear_page(sp->spt);
        trace_kvm_mmu_get_page(sp, true);

        kvm_mmu_flush_or_zap(vcpu, &invalid_list, false, flush);
out:
        if (collisions > vcpu->kvm->stat.max_mmu_page_hash_collisions)
                vcpu->kvm->stat.max_mmu_page_hash_collisions = collisions;
        return sp;
}

static void shadow_walk_init_using_root(struct kvm_shadow_walk_iterator *iterator,
                                        struct kvm_vcpu *vcpu, hpa_t root,
                                        u64 addr)
{
        iterator->addr = addr;
        iterator->shadow_addr = root;
        iterator->level = vcpu->arch.mmu->shadow_root_level;

        if (iterator->level == PT64_ROOT_4LEVEL &&
            vcpu->arch.mmu->root_level < PT64_ROOT_4LEVEL &&
            !vcpu->arch.mmu->direct_map)
                --iterator->level;

        if (iterator->level == PT32E_ROOT_LEVEL) {
                /*
                 * prev_root is currently only used for 64-bit hosts. So only
                 * the active root_hpa is valid here.
                 */
                BUG_ON(root != vcpu->arch.mmu->root_hpa);

                iterator->shadow_addr
                        = vcpu->arch.mmu->pae_root[(addr >> 30) & 3];
                iterator->shadow_addr &= PT64_BASE_ADDR_MASK;
                --iterator->level;
                if (!iterator->shadow_addr)
                        iterator->level = 0;
        }
}

static void shadow_walk_init(struct kvm_shadow_walk_iterator *iterator,
                             struct kvm_vcpu *vcpu, u64 addr)
{
        shadow_walk_init_using_root(iterator, vcpu, vcpu->arch.mmu->root_hpa,
                                    addr);
}

static bool shadow_walk_okay(struct kvm_shadow_walk_iterator *iterator)
{
        if (iterator->level < PT_PAGE_TABLE_LEVEL)
                return false;

        iterator->index = SHADOW_PT_INDEX(iterator->addr, iterator->level);
        iterator->sptep = ((u64 *)__va(iterator->shadow_addr)) + iterator->index;
        return true;
}

static void __shadow_walk_next(struct kvm_shadow_walk_iterator *iterator,
                               u64 spte)
{
        if (is_last_spte(spte, iterator->level)) {
                iterator->level = 0;
                return;
        }

        iterator->shadow_addr = spte & PT64_BASE_ADDR_MASK;
        --iterator->level;
}

static void shadow_walk_next(struct kvm_shadow_walk_iterator *iterator)
{
        __shadow_walk_next(iterator, *iterator->sptep);
}

static void link_shadow_page(struct kvm_vcpu *vcpu, u64 *sptep,
                             struct kvm_mmu_page *sp)
{
        u64 spte;

        BUILD_BUG_ON(VMX_EPT_WRITABLE_MASK != PT_WRITABLE_MASK);

        spte = __pa(sp->spt) | shadow_present_mask | PT_WRITABLE_MASK |
               shadow_user_mask | shadow_x_mask | shadow_me_mask;

        if (sp_ad_disabled(sp))
                spte |= shadow_acc_track_value;
        else
                spte |= shadow_accessed_mask;

        mmu_spte_set(sptep, spte);

        mmu_page_add_parent_pte(vcpu, sp, sptep);

        if (sp->unsync_children || sp->unsync)
                mark_unsync(sptep);
}

static void validate_direct_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                                   unsigned direct_access)
{
        if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep)) {
                struct kvm_mmu_page *child;

                /*
                 * For the direct sp, if the guest pte's dirty bit
                 * changed form clean to dirty, it will corrupt the
                 * sp's access: allow writable in the read-only sp,
                 * so we should update the spte at this point to get
                 * a new sp with the correct access.
                 */
                child = page_header(*sptep & PT64_BASE_ADDR_MASK);
                if (child->role.access == direct_access)
                        return;

                drop_parent_pte(child, sptep);
                kvm_flush_remote_tlbs_with_address(vcpu->kvm, child->gfn, 1);
        }
}

static bool mmu_page_zap_pte(struct kvm *kvm, struct kvm_mmu_page *sp,
                             u64 *spte)
{
        u64 pte;
        struct kvm_mmu_page *child;

        pte = *spte;
        if (is_shadow_present_pte(pte)) {
                if (is_last_spte(pte, sp->role.level)) {
                        drop_spte(kvm, spte);
                        if (is_large_pte(pte))
                                --kvm->stat.lpages;
                } else {
                        child = page_header(pte & PT64_BASE_ADDR_MASK);
                        drop_parent_pte(child, spte);
                }
                return true;
        }

        if (is_mmio_spte(pte))
                mmu_spte_clear_no_track(spte);

        return false;
}

static void kvm_mmu_page_unlink_children(struct kvm *kvm,
                                         struct kvm_mmu_page *sp)
{
        unsigned i;

        for (i = 0; i < PT64_ENT_PER_PAGE; ++i)
                mmu_page_zap_pte(kvm, sp, sp->spt + i);
}

static void kvm_mmu_unlink_parents(struct kvm *kvm, struct kvm_mmu_page *sp)
{
        u64 *sptep;
        struct rmap_iterator iter;

        while ((sptep = rmap_get_first(&sp->parent_ptes, &iter)))
                drop_parent_pte(sp, sptep);
}

static int mmu_zap_unsync_children(struct kvm *kvm,
                                   struct kvm_mmu_page *parent,
                                   struct list_head *invalid_list)
{
        int i, zapped = 0;
        struct mmu_page_path parents;
        struct kvm_mmu_pages pages;

        if (parent->role.level == PT_PAGE_TABLE_LEVEL)
                return 0;

        while (mmu_unsync_walk(parent, &pages)) {
                struct kvm_mmu_page *sp;

                for_each_sp(pages, sp, parents, i) {
                        kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
                        mmu_pages_clear_parents(&parents);
                        zapped++;
                }
        }

        return zapped;
}

static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
                                       struct kvm_mmu_page *sp,
                                       struct list_head *invalid_list,
                                       int *nr_zapped)
{
        bool list_unstable;

        trace_kvm_mmu_prepare_zap_page(sp);
        ++kvm->stat.mmu_shadow_zapped;
        *nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
        kvm_mmu_page_unlink_children(kvm, sp);
        kvm_mmu_unlink_parents(kvm, sp);

        /* Zapping children means active_mmu_pages has become unstable. */
        list_unstable = *nr_zapped;

        if (!sp->role.invalid && !sp->role.direct)
                unaccount_shadowed(kvm, sp);

        if (sp->unsync)
                kvm_unlink_unsync_page(kvm, sp);
        if (!sp->root_count) {
                /* Count self */
                (*nr_zapped)++;
                list_move(&sp->link, invalid_list);
                kvm_mod_used_mmu_pages(kvm, -1);
        } else {
                list_move(&sp->link, &kvm->arch.active_mmu_pages);

                if (!sp->role.invalid)
                        kvm_reload_remote_mmus(kvm);
        }

        sp->role.invalid = 1;
        return list_unstable;
}

static bool kvm_mmu_prepare_zap_page(struct kvm *kvm, struct kvm_mmu_page *sp,
                                     struct list_head *invalid_list)
{
        int nr_zapped;

        __kvm_mmu_prepare_zap_page(kvm, sp, invalid_list, &nr_zapped);
        return nr_zapped;
}

static void kvm_mmu_commit_zap_page(struct kvm *kvm,
                                    struct list_head *invalid_list)
{
        struct kvm_mmu_page *sp, *nsp;

        if (list_empty(invalid_list))
                return;

        /*
         * We need to make sure everyone sees our modifications to
         * the page tables and see changes to vcpu->mode here. The barrier
         * in the kvm_flush_remote_tlbs() achieves this. This pairs
         * with vcpu_enter_guest and walk_shadow_page_lockless_begin/end.
         *
         * In addition, kvm_flush_remote_tlbs waits for all vcpus to exit
         * guest mode and/or lockless shadow page table walks.
         */
        kvm_flush_remote_tlbs(kvm);

        list_for_each_entry_safe(sp, nsp, invalid_list, link) {
                WARN_ON(!sp->role.invalid || sp->root_count);
                kvm_mmu_free_page(sp);
        }
}

static bool prepare_zap_oldest_mmu_page(struct kvm *kvm,
                                        struct list_head *invalid_list)
{
        struct kvm_mmu_page *sp;

        if (list_empty(&kvm->arch.active_mmu_pages))
                return false;

        sp = list_last_entry(&kvm->arch.active_mmu_pages,
                             struct kvm_mmu_page, link);
        return kvm_mmu_prepare_zap_page(kvm, sp, invalid_list);
}

/*
 * Changing the number of mmu pages allocated to the vm
 * Note: if goal_nr_mmu_pages is too small, you will get dead lock
 */
void kvm_mmu_change_mmu_pages(struct kvm *kvm, unsigned long goal_nr_mmu_pages)
{
        LIST_HEAD(invalid_list);

        spin_lock(&kvm->mmu_lock);

        if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
                /* Need to free some mmu pages to achieve the goal. */
                while (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages)
                        if (!prepare_zap_oldest_mmu_page(kvm, &invalid_list))
                                break;

                kvm_mmu_commit_zap_page(kvm, &invalid_list);
                goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
        }

        kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;

        spin_unlock(&kvm->mmu_lock);
}

int kvm_mmu_unprotect_page(struct kvm *kvm, gfn_t gfn)
{
        struct kvm_mmu_page *sp;
        LIST_HEAD(invalid_list);
        int r;

        pgprintk("%s: looking for gfn %llx\n", __func__, gfn);
        r = 0;
        spin_lock(&kvm->mmu_lock);
        for_each_gfn_indirect_valid_sp(kvm, sp, gfn) {
                pgprintk("%s: gfn %llx role %x\n", __func__, gfn,
                         sp->role.word);
                r = 1;
                kvm_mmu_prepare_zap_page(kvm, sp, &invalid_list);
        }
        kvm_mmu_commit_zap_page(kvm, &invalid_list);
        spin_unlock(&kvm->mmu_lock);

        return r;
}
EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page);

static void kvm_unsync_page(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp)
{
        trace_kvm_mmu_unsync_page(sp);
        ++vcpu->kvm->stat.mmu_unsync;
        sp->unsync = 1;

        kvm_mmu_mark_parents_unsync(sp);
}

static bool mmu_need_write_protect(struct kvm_vcpu *vcpu, gfn_t gfn,
                                   bool can_unsync)
{
        struct kvm_mmu_page *sp;

        if (kvm_page_track_is_active(vcpu, gfn, KVM_PAGE_TRACK_WRITE))
                return true;

        for_each_gfn_indirect_valid_sp(vcpu->kvm, sp, gfn) {
                if (!can_unsync)
                        return true;

                if (sp->unsync)
                        continue;

                WARN_ON(sp->role.level != PT_PAGE_TABLE_LEVEL);
                kvm_unsync_page(vcpu, sp);
        }

        /*
         * We need to ensure that the marking of unsync pages is visible
         * before the SPTE is updated to allow writes because
         * kvm_mmu_sync_roots() checks the unsync flags without holding
         * the MMU lock and so can race with this. If the SPTE was updated
         * before the page had been marked as unsync-ed, something like the
         * following could happen:
         *
         * CPU 1                    CPU 2
         * ---------------------------------------------------------------------
         * 1.2 Host updates SPTE
         *     to be writable
         *                      2.1 Guest writes a GPTE for GVA X.
         *                          (GPTE being in the guest page table shadowed
         *                           by the SP from CPU 1.)
         *                          This reads SPTE during the page table walk.
         *                          Since SPTE.W is read as 1, there is no
         *                          fault.
         *
         *                      2.2 Guest issues TLB flush.
         *                          That causes a VM Exit.
         *
         *                      2.3 kvm_mmu_sync_pages() reads sp->unsync.
         *                          Since it is false, so it just returns.
         *
         *                      2.4 Guest accesses GVA X.
         *                          Since the mapping in the SP was not updated,
         *                          so the old mapping for GVA X incorrectly
         *                          gets used.
         * 1.1 Host marks SP
         *     as unsync
         *     (sp->unsync = true)
         *
         * The write barrier below ensures that 1.1 happens before 1.2 and thus
         * the situation in 2.4 does not arise. The implicit barrier in 2.2
         * pairs with this write barrier.
         */
        smp_wmb();

        return false;
}

static bool kvm_is_mmio_pfn(kvm_pfn_t pfn)
{
        if (pfn_valid(pfn))
                return !is_zero_pfn(pfn) && PageReserved(pfn_to_page(pfn)) &&
                        /*
                         * Some reserved pages, such as those from NVDIMM
                         * DAX devices, are not for MMIO, and can be mapped
                         * with cached memory type for better performance.
                         * However, the above check misconceives those pages
                         * as MMIO, and results in KVM mapping them with UC
                         * memory type, which would hurt the performance.
                         * Therefore, we check the host memory type in addition
                         * and only treat UC/UC-/WC pages as MMIO.
                         */
                        (!pat_enabled() || pat_pfn_immune_to_uc_mtrr(pfn));

        return !e820__mapped_raw_any(pfn_to_hpa(pfn),
                                     pfn_to_hpa(pfn + 1) - 1,
                                     E820_TYPE_RAM);
}

/* Bits which may be returned by set_spte() */
#define SET_SPTE_WRITE_PROTECTED_PT     BIT(0)
#define SET_SPTE_NEED_REMOTE_TLB_FLUSH  BIT(1)

static int set_spte(struct kvm_vcpu *vcpu, u64 *sptep,
                    unsigned pte_access, int level,
                    gfn_t gfn, kvm_pfn_t pfn, bool speculative,
                    bool can_unsync, bool host_writable)
{
        u64 spte = 0;
        int ret = 0;
        struct kvm_mmu_page *sp;

        if (set_mmio_spte(vcpu, sptep, gfn, pfn, pte_access))
                return 0;

        sp = page_header(__pa(sptep));
        if (sp_ad_disabled(sp))
                spte |= shadow_acc_track_value;

        /*
         * For the EPT case, shadow_present_mask is 0 if hardware
         * supports exec-only page table entries.  In that case,
         * ACC_USER_MASK and shadow_user_mask are used to represent
         * read access.  See FNAME(gpte_access) in paging_tmpl.h.
         */
        spte |= shadow_present_mask;
        if (!speculative)
                spte |= spte_shadow_accessed_mask(spte);

        if (pte_access & ACC_EXEC_MASK)
                spte |= shadow_x_mask;
        else
                spte |= shadow_nx_mask;

        if (pte_access & ACC_USER_MASK)
                spte |= shadow_user_mask;

        if (level > PT_PAGE_TABLE_LEVEL)
                spte |= PT_PAGE_SIZE_MASK;
        if (tdp_enabled)
                spte |= kvm_x86_ops->get_mt_mask(vcpu, gfn,
                        kvm_is_mmio_pfn(pfn));

        if (host_writable)
                spte |= SPTE_HOST_WRITEABLE;
        else
                pte_access &= ~ACC_WRITE_MASK;

        if (!kvm_is_mmio_pfn(pfn))
                spte |= shadow_me_mask;

        spte |= (u64)pfn << PAGE_SHIFT;

        if (pte_access & ACC_WRITE_MASK) {

                /*
                 * Other vcpu creates new sp in the window between
                 * mapping_level() and acquiring mmu-lock. We can
                 * allow guest to retry the access, the mapping can
                 * be fixed if guest refault.
                 */
                if (level > PT_PAGE_TABLE_LEVEL &&
                    mmu_gfn_lpage_is_disallowed(vcpu, gfn, level))
                        goto done;

                spte |= PT_WRITABLE_MASK | SPTE_MMU_WRITEABLE;

                /*
                 * Optimization: for pte sync, if spte was writable the hash
                 * lookup is unnecessary (and expensive). Write protection
                 * is responsibility of mmu_get_page / kvm_sync_page.
                 * Same reasoning can be applied to dirty page accounting.
                 */
                if (!can_unsync && is_writable_pte(*sptep))
                        goto set_pte;

                if (mmu_need_write_protect(vcpu, gfn, can_unsync)) {
                        pgprintk("%s: found shadow page for %llx, marking ro\n",
                                 __func__, gfn);
                        ret |= SET_SPTE_WRITE_PROTECTED_PT;
                        pte_access &= ~ACC_WRITE_MASK;
                        spte &= ~(PT_WRITABLE_MASK | SPTE_MMU_WRITEABLE);
                }
        }

        if (pte_access & ACC_WRITE_MASK) {
                kvm_vcpu_mark_page_dirty(vcpu, gfn);
                spte |= spte_shadow_dirty_mask(spte);
        }

        if (speculative)
                spte = mark_spte_for_access_track(spte);

set_pte: