2 * SPDX-License-Identifier: BSD-4-Clause
4 * Copyright (c) 1991 Regents of the University of California.
6 * Copyright (c) 1994 John S. Dyson
8 * Copyright (c) 1994 David Greenman
10 * Copyright (c) 2003 Peter Wemm
11 * All rights reserved.
12 * Copyright (c) 2005-2010 Alan L. Cox <alc@cs.rice.edu>
13 * All rights reserved.
15 * This code is derived from software contributed to Berkeley by
16 * the Systems Programming Group of the University of Utah Computer
17 * Science Department and William Jolitz of UUNET Technologies Inc.
19 * Redistribution and use in source and binary forms, with or without
20 * modification, are permitted provided that the following conditions
22 * 1. Redistributions of source code must retain the above copyright
23 * notice, this list of conditions and the following disclaimer.
24 * 2. Redistributions in binary form must reproduce the above copyright
25 * notice, this list of conditions and the following disclaimer in the
26 * documentation and/or other materials provided with the distribution.
27 * 3. All advertising materials mentioning features or use of this software
28 * must display the following acknowledgement:
29 * This product includes software developed by the University of
30 * California, Berkeley and its contributors.
31 * 4. Neither the name of the University nor the names of its contributors
32 * may be used to endorse or promote products derived from this software
33 * without specific prior written permission.
35 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
36 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
38 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
39 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
40 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
41 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
42 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
43 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
44 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47 * from: @(#)pmap.c 7.7 (Berkeley) 5/12/91
50 * Copyright (c) 2003 Networks Associates Technology, Inc.
51 * Copyright (c) 2014-2020 The FreeBSD Foundation
52 * All rights reserved.
54 * This software was developed for the FreeBSD Project by Jake Burkholder,
55 * Safeport Network Services, and Network Associates Laboratories, the
56 * Security Research Division of Network Associates, Inc. under
57 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
58 * CHATS research program.
60 * Portions of this software were developed by
61 * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
62 * the FreeBSD Foundation.
64 * Redistribution and use in source and binary forms, with or without
65 * modification, are permitted provided that the following conditions
67 * 1. Redistributions of source code must retain the above copyright
68 * notice, this list of conditions and the following disclaimer.
69 * 2. Redistributions in binary form must reproduce the above copyright
70 * notice, this list of conditions and the following disclaimer in the
71 * documentation and/or other materials provided with the distribution.
73 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
74 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
75 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
76 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
77 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
78 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
79 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
80 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
81 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
82 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
86 #define AMD64_NPT_AWARE
88 #include <sys/cdefs.h>
89 __FBSDID("$FreeBSD$");
92 * Manages physical address maps.
94 * Since the information managed by this module is
95 * also stored by the logical address mapping module,
96 * this module may throw away valid virtual-to-physical
97 * mappings at almost any time. However, invalidations
98 * of virtual-to-physical mappings must be done as
101 * In order to cope with hardware architectures which
102 * make virtual-to-physical map invalidates expensive,
103 * this module may delay invalidate or reduced protection
104 * operations until such time as they are actually
105 * necessary. This module is given full information as
106 * to which processors are currently using which maps,
107 * and to when physical maps must be made correct.
111 #include "opt_pmap.h"
114 #include <sys/param.h>
115 #include <sys/bitstring.h>
117 #include <sys/systm.h>
118 #include <sys/kernel.h>
120 #include <sys/lock.h>
121 #include <sys/malloc.h>
122 #include <sys/mman.h>
123 #include <sys/mutex.h>
124 #include <sys/proc.h>
125 #include <sys/rangeset.h>
126 #include <sys/rwlock.h>
127 #include <sys/sbuf.h>
130 #include <sys/turnstile.h>
131 #include <sys/vmem.h>
132 #include <sys/vmmeter.h>
133 #include <sys/sched.h>
134 #include <sys/sysctl.h>
142 #include <vm/vm_param.h>
143 #include <vm/vm_kern.h>
144 #include <vm/vm_page.h>
145 #include <vm/vm_map.h>
146 #include <vm/vm_object.h>
147 #include <vm/vm_extern.h>
148 #include <vm/vm_pageout.h>
149 #include <vm/vm_pager.h>
150 #include <vm/vm_phys.h>
151 #include <vm/vm_radix.h>
152 #include <vm/vm_reserv.h>
153 #include <vm/vm_dumpset.h>
156 #include <machine/intr_machdep.h>
157 #include <x86/apicvar.h>
158 #include <x86/ifunc.h>
159 #include <machine/cpu.h>
160 #include <machine/cputypes.h>
161 #include <machine/intr_machdep.h>
162 #include <machine/md_var.h>
163 #include <machine/pcb.h>
164 #include <machine/specialreg.h>
166 #include <machine/smp.h>
168 #include <machine/sysarch.h>
169 #include <machine/tss.h>
172 #define PMAP_MEMDOM MAXMEMDOM
174 #define PMAP_MEMDOM 1
177 static __inline boolean_t
178 pmap_type_guest(pmap_t pmap)
181 return ((pmap->pm_type == PT_EPT) || (pmap->pm_type == PT_RVI));
184 static __inline boolean_t
185 pmap_emulate_ad_bits(pmap_t pmap)
188 return ((pmap->pm_flags & PMAP_EMULATE_AD_BITS) != 0);
191 static __inline pt_entry_t
192 pmap_valid_bit(pmap_t pmap)
196 switch (pmap->pm_type) {
202 if (pmap_emulate_ad_bits(pmap))
203 mask = EPT_PG_EMUL_V;
208 panic("pmap_valid_bit: invalid pm_type %d", pmap->pm_type);
214 static __inline pt_entry_t
215 pmap_rw_bit(pmap_t pmap)
219 switch (pmap->pm_type) {
225 if (pmap_emulate_ad_bits(pmap))
226 mask = EPT_PG_EMUL_RW;
231 panic("pmap_rw_bit: invalid pm_type %d", pmap->pm_type);
237 static pt_entry_t pg_g;
239 static __inline pt_entry_t
240 pmap_global_bit(pmap_t pmap)
244 switch (pmap->pm_type) {
253 panic("pmap_global_bit: invalid pm_type %d", pmap->pm_type);
259 static __inline pt_entry_t
260 pmap_accessed_bit(pmap_t pmap)
264 switch (pmap->pm_type) {
270 if (pmap_emulate_ad_bits(pmap))
276 panic("pmap_accessed_bit: invalid pm_type %d", pmap->pm_type);
282 static __inline pt_entry_t
283 pmap_modified_bit(pmap_t pmap)
287 switch (pmap->pm_type) {
293 if (pmap_emulate_ad_bits(pmap))
299 panic("pmap_modified_bit: invalid pm_type %d", pmap->pm_type);
305 static __inline pt_entry_t
306 pmap_pku_mask_bit(pmap_t pmap)
309 return (pmap->pm_type == PT_X86 ? X86_PG_PKU_MASK : 0);
312 #if !defined(DIAGNOSTIC)
313 #ifdef __GNUC_GNU_INLINE__
314 #define PMAP_INLINE __attribute__((__gnu_inline__)) inline
316 #define PMAP_INLINE extern inline
323 #define PV_STAT(x) do { x ; } while (0)
325 #define PV_STAT(x) do { } while (0)
330 #define pa_index(pa) ({ \
331 KASSERT((pa) <= vm_phys_segs[vm_phys_nsegs - 1].end, \
332 ("address %lx beyond the last segment", (pa))); \
335 #define pa_to_pmdp(pa) (&pv_table[pa_index(pa)])
336 #define pa_to_pvh(pa) (&(pa_to_pmdp(pa)->pv_page))
337 #define PHYS_TO_PV_LIST_LOCK(pa) ({ \
338 struct rwlock *_lock; \
339 if (__predict_false((pa) > pmap_last_pa)) \
340 _lock = &pv_dummy_large.pv_lock; \
342 _lock = &(pa_to_pmdp(pa)->pv_lock); \
346 #define pa_index(pa) ((pa) >> PDRSHIFT)
347 #define pa_to_pvh(pa) (&pv_table[pa_index(pa)])
349 #define NPV_LIST_LOCKS MAXCPU
351 #define PHYS_TO_PV_LIST_LOCK(pa) \
352 (&pv_list_locks[pa_index(pa) % NPV_LIST_LOCKS])
355 #define CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, pa) do { \
356 struct rwlock **_lockp = (lockp); \
357 struct rwlock *_new_lock; \
359 _new_lock = PHYS_TO_PV_LIST_LOCK(pa); \
360 if (_new_lock != *_lockp) { \
361 if (*_lockp != NULL) \
362 rw_wunlock(*_lockp); \
363 *_lockp = _new_lock; \
368 #define CHANGE_PV_LIST_LOCK_TO_VM_PAGE(lockp, m) \
369 CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, VM_PAGE_TO_PHYS(m))
371 #define RELEASE_PV_LIST_LOCK(lockp) do { \
372 struct rwlock **_lockp = (lockp); \
374 if (*_lockp != NULL) { \
375 rw_wunlock(*_lockp); \
380 #define VM_PAGE_TO_PV_LIST_LOCK(m) \
381 PHYS_TO_PV_LIST_LOCK(VM_PAGE_TO_PHYS(m))
383 struct pmap kernel_pmap_store;
385 vm_offset_t virtual_avail; /* VA of first avail page (after kernel bss) */
386 vm_offset_t virtual_end; /* VA of last avail page (end of kernel AS) */
389 SYSCTL_INT(_machdep, OID_AUTO, nkpt, CTLFLAG_RD, &nkpt, 0,
390 "Number of kernel page table pages allocated on bootup");
393 vm_paddr_t dmaplimit;
394 vm_offset_t kernel_vm_end = VM_MIN_KERNEL_ADDRESS;
397 static SYSCTL_NODE(_vm, OID_AUTO, pmap, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
398 "VM/pmap parameters");
400 static int pg_ps_enabled = 1;
401 SYSCTL_INT(_vm_pmap, OID_AUTO, pg_ps_enabled, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
402 &pg_ps_enabled, 0, "Are large page mappings enabled?");
404 int __read_frequently la57 = 0;
405 SYSCTL_INT(_vm_pmap, OID_AUTO, la57, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
407 "5-level paging for host is enabled");
410 pmap_is_la57(pmap_t pmap)
412 if (pmap->pm_type == PT_X86)
414 return (false); /* XXXKIB handle EPT */
417 #define PAT_INDEX_SIZE 8
418 static int pat_index[PAT_INDEX_SIZE]; /* cache mode to PAT index conversion */
420 static u_int64_t KPTphys; /* phys addr of kernel level 1 */
421 static u_int64_t KPDphys; /* phys addr of kernel level 2 */
422 static u_int64_t KPDPphys; /* phys addr of kernel level 3 */
423 u_int64_t KPML4phys; /* phys addr of kernel level 4 */
424 u_int64_t KPML5phys; /* phys addr of kernel level 5,
427 static pml4_entry_t *kernel_pml4;
428 static u_int64_t DMPDphys; /* phys addr of direct mapped level 2 */
429 static u_int64_t DMPDPphys; /* phys addr of direct mapped level 3 */
430 static int ndmpdpphys; /* number of DMPDPphys pages */
432 vm_paddr_t kernphys; /* phys addr of start of bootstrap data */
433 vm_paddr_t KERNend; /* and the end */
436 * pmap_mapdev support pre initialization (i.e. console)
438 #define PMAP_PREINIT_MAPPING_COUNT 8
439 static struct pmap_preinit_mapping {
444 } pmap_preinit_mapping[PMAP_PREINIT_MAPPING_COUNT];
445 static int pmap_initialized;
448 * Data for the pv entry allocation mechanism.
449 * Updates to pv_invl_gen are protected by the pv list lock but reads are not.
453 pc_to_domain(struct pv_chunk *pc)
456 return (vm_phys_domain(DMAP_TO_PHYS((vm_offset_t)pc)));
460 pc_to_domain(struct pv_chunk *pc __unused)
467 struct pv_chunks_list {
469 TAILQ_HEAD(pch, pv_chunk) pvc_list;
471 } __aligned(CACHE_LINE_SIZE);
473 struct pv_chunks_list __exclusive_cache_line pv_chunks[PMAP_MEMDOM];
476 struct pmap_large_md_page {
477 struct rwlock pv_lock;
478 struct md_page pv_page;
481 __exclusive_cache_line static struct pmap_large_md_page pv_dummy_large;
482 #define pv_dummy pv_dummy_large.pv_page
483 __read_mostly static struct pmap_large_md_page *pv_table;
484 __read_mostly vm_paddr_t pmap_last_pa;
486 static struct rwlock __exclusive_cache_line pv_list_locks[NPV_LIST_LOCKS];
487 static u_long pv_invl_gen[NPV_LIST_LOCKS];
488 static struct md_page *pv_table;
489 static struct md_page pv_dummy;
493 * All those kernel PT submaps that BSD is so fond of
495 pt_entry_t *CMAP1 = NULL;
497 static vm_offset_t qframe = 0;
498 static struct mtx qframe_mtx;
500 static int pmap_flags = PMAP_PDE_SUPERPAGE; /* flags for x86 pmaps */
502 static vmem_t *large_vmem;
503 static u_int lm_ents;
504 #define PMAP_ADDRESS_IN_LARGEMAP(va) ((va) >= LARGEMAP_MIN_ADDRESS && \
505 (va) < LARGEMAP_MIN_ADDRESS + NBPML4 * (u_long)lm_ents)
507 int pmap_pcid_enabled = 1;
508 SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
509 &pmap_pcid_enabled, 0, "Is TLB Context ID enabled ?");
510 int invpcid_works = 0;
511 SYSCTL_INT(_vm_pmap, OID_AUTO, invpcid_works, CTLFLAG_RD, &invpcid_works, 0,
512 "Is the invpcid instruction available ?");
514 int __read_frequently pti = 0;
515 SYSCTL_INT(_vm_pmap, OID_AUTO, pti, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
517 "Page Table Isolation enabled");
518 static vm_object_t pti_obj;
519 static pml4_entry_t *pti_pml4;
520 static vm_pindex_t pti_pg_idx;
521 static bool pti_finalized;
523 struct pmap_pkru_range {
524 struct rs_el pkru_rs_el;
529 static uma_zone_t pmap_pkru_ranges_zone;
530 static bool pmap_pkru_same(pmap_t pmap, vm_offset_t sva, vm_offset_t eva);
531 static pt_entry_t pmap_pkru_get(pmap_t pmap, vm_offset_t va);
532 static void pmap_pkru_on_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva);
533 static void *pkru_dup_range(void *ctx, void *data);
534 static void pkru_free_range(void *ctx, void *node);
535 static int pmap_pkru_copy(pmap_t dst_pmap, pmap_t src_pmap);
536 static int pmap_pkru_deassign(pmap_t pmap, vm_offset_t sva, vm_offset_t eva);
537 static void pmap_pkru_deassign_all(pmap_t pmap);
540 pmap_pcid_save_cnt_proc(SYSCTL_HANDLER_ARGS)
547 res += cpuid_to_pcpu[i]->pc_pm_save_cnt;
549 return (sysctl_handle_64(oidp, &res, 0, req));
551 SYSCTL_PROC(_vm_pmap, OID_AUTO, pcid_save_cnt, CTLTYPE_U64 | CTLFLAG_RD |
552 CTLFLAG_MPSAFE, NULL, 0, pmap_pcid_save_cnt_proc, "QU",
553 "Count of saved TLB context on switch");
555 static LIST_HEAD(, pmap_invl_gen) pmap_invl_gen_tracker =
556 LIST_HEAD_INITIALIZER(&pmap_invl_gen_tracker);
557 static struct mtx invl_gen_mtx;
558 /* Fake lock object to satisfy turnstiles interface. */
559 static struct lock_object invl_gen_ts = {
562 static struct pmap_invl_gen pmap_invl_gen_head = {
566 static u_long pmap_invl_gen = 1;
567 static int pmap_invl_waiters;
568 static struct callout pmap_invl_callout;
569 static bool pmap_invl_callout_inited;
571 #define PMAP_ASSERT_NOT_IN_DI() \
572 KASSERT(pmap_not_in_di(), ("DI already started"))
579 if ((cpu_feature2 & CPUID2_CX16) == 0)
582 TUNABLE_INT_FETCH("vm.pmap.di_locked", &tun);
587 sysctl_pmap_di_locked(SYSCTL_HANDLER_ARGS)
591 locked = pmap_di_locked();
592 return (sysctl_handle_int(oidp, &locked, 0, req));
594 SYSCTL_PROC(_vm_pmap, OID_AUTO, di_locked, CTLTYPE_INT | CTLFLAG_RDTUN |
595 CTLFLAG_MPSAFE, 0, 0, sysctl_pmap_di_locked, "",
596 "Locked delayed invalidation");
598 static bool pmap_not_in_di_l(void);
599 static bool pmap_not_in_di_u(void);
600 DEFINE_IFUNC(, bool, pmap_not_in_di, (void))
603 return (pmap_di_locked() ? pmap_not_in_di_l : pmap_not_in_di_u);
607 pmap_not_in_di_l(void)
609 struct pmap_invl_gen *invl_gen;
611 invl_gen = &curthread->td_md.md_invl_gen;
612 return (invl_gen->gen == 0);
616 pmap_thread_init_invl_gen_l(struct thread *td)
618 struct pmap_invl_gen *invl_gen;
620 invl_gen = &td->td_md.md_invl_gen;
625 pmap_delayed_invl_wait_block(u_long *m_gen, u_long *invl_gen)
627 struct turnstile *ts;
629 ts = turnstile_trywait(&invl_gen_ts);
630 if (*m_gen > atomic_load_long(invl_gen))
631 turnstile_wait(ts, NULL, TS_SHARED_QUEUE);
633 turnstile_cancel(ts);
637 pmap_delayed_invl_finish_unblock(u_long new_gen)
639 struct turnstile *ts;
641 turnstile_chain_lock(&invl_gen_ts);
642 ts = turnstile_lookup(&invl_gen_ts);
644 pmap_invl_gen = new_gen;
646 turnstile_broadcast(ts, TS_SHARED_QUEUE);
647 turnstile_unpend(ts);
649 turnstile_chain_unlock(&invl_gen_ts);
653 * Start a new Delayed Invalidation (DI) block of code, executed by
654 * the current thread. Within a DI block, the current thread may
655 * destroy both the page table and PV list entries for a mapping and
656 * then release the corresponding PV list lock before ensuring that
657 * the mapping is flushed from the TLBs of any processors with the
661 pmap_delayed_invl_start_l(void)
663 struct pmap_invl_gen *invl_gen;
666 invl_gen = &curthread->td_md.md_invl_gen;
667 PMAP_ASSERT_NOT_IN_DI();
668 mtx_lock(&invl_gen_mtx);
669 if (LIST_EMPTY(&pmap_invl_gen_tracker))
670 currgen = pmap_invl_gen;
672 currgen = LIST_FIRST(&pmap_invl_gen_tracker)->gen;
673 invl_gen->gen = currgen + 1;
674 LIST_INSERT_HEAD(&pmap_invl_gen_tracker, invl_gen, link);
675 mtx_unlock(&invl_gen_mtx);
679 * Finish the DI block, previously started by the current thread. All
680 * required TLB flushes for the pages marked by
681 * pmap_delayed_invl_page() must be finished before this function is
684 * This function works by bumping the global DI generation number to
685 * the generation number of the current thread's DI, unless there is a
686 * pending DI that started earlier. In the latter case, bumping the
687 * global DI generation number would incorrectly signal that the
688 * earlier DI had finished. Instead, this function bumps the earlier
689 * DI's generation number to match the generation number of the
690 * current thread's DI.
693 pmap_delayed_invl_finish_l(void)
695 struct pmap_invl_gen *invl_gen, *next;
697 invl_gen = &curthread->td_md.md_invl_gen;
698 KASSERT(invl_gen->gen != 0, ("missed invl_start"));
699 mtx_lock(&invl_gen_mtx);
700 next = LIST_NEXT(invl_gen, link);
702 pmap_delayed_invl_finish_unblock(invl_gen->gen);
704 next->gen = invl_gen->gen;
705 LIST_REMOVE(invl_gen, link);
706 mtx_unlock(&invl_gen_mtx);
711 pmap_not_in_di_u(void)
713 struct pmap_invl_gen *invl_gen;
715 invl_gen = &curthread->td_md.md_invl_gen;
716 return (((uintptr_t)invl_gen->next & PMAP_INVL_GEN_NEXT_INVALID) != 0);
720 pmap_thread_init_invl_gen_u(struct thread *td)
722 struct pmap_invl_gen *invl_gen;
724 invl_gen = &td->td_md.md_invl_gen;
726 invl_gen->next = (void *)PMAP_INVL_GEN_NEXT_INVALID;
730 pmap_di_load_invl(struct pmap_invl_gen *ptr, struct pmap_invl_gen *out)
732 uint64_t new_high, new_low, old_high, old_low;
735 old_low = new_low = 0;
736 old_high = new_high = (uintptr_t)0;
738 __asm volatile("lock;cmpxchg16b\t%1"
739 : "=@cce" (res), "+m" (*ptr), "+a" (old_low), "+d" (old_high)
740 : "b"(new_low), "c" (new_high)
743 if ((old_high & PMAP_INVL_GEN_NEXT_INVALID) != 0)
746 out->next = (void *)old_high;
749 out->next = (void *)new_high;
755 pmap_di_store_invl(struct pmap_invl_gen *ptr, struct pmap_invl_gen *old_val,
756 struct pmap_invl_gen *new_val)
758 uint64_t new_high, new_low, old_high, old_low;
761 new_low = new_val->gen;
762 new_high = (uintptr_t)new_val->next;
763 old_low = old_val->gen;
764 old_high = (uintptr_t)old_val->next;
766 __asm volatile("lock;cmpxchg16b\t%1"
767 : "=@cce" (res), "+m" (*ptr), "+a" (old_low), "+d" (old_high)
768 : "b"(new_low), "c" (new_high)
774 static long invl_start_restart;
775 SYSCTL_LONG(_vm_pmap, OID_AUTO, invl_start_restart, CTLFLAG_RD,
776 &invl_start_restart, 0,
778 static long invl_finish_restart;
779 SYSCTL_LONG(_vm_pmap, OID_AUTO, invl_finish_restart, CTLFLAG_RD,
780 &invl_finish_restart, 0,
782 static int invl_max_qlen;
783 SYSCTL_INT(_vm_pmap, OID_AUTO, invl_max_qlen, CTLFLAG_RD,
788 #define di_delay locks_delay
791 pmap_delayed_invl_start_u(void)
793 struct pmap_invl_gen *invl_gen, *p, prev, new_prev;
795 struct lock_delay_arg lda;
803 invl_gen = &td->td_md.md_invl_gen;
804 PMAP_ASSERT_NOT_IN_DI();
805 lock_delay_arg_init(&lda, &di_delay);
806 invl_gen->saved_pri = 0;
807 pri = td->td_base_pri;
810 pri = td->td_base_pri;
812 invl_gen->saved_pri = pri;
819 for (p = &pmap_invl_gen_head;; p = prev.next) {
821 prevl = (uintptr_t)atomic_load_ptr(&p->next);
822 if ((prevl & PMAP_INVL_GEN_NEXT_INVALID) != 0) {
823 PV_STAT(atomic_add_long(&invl_start_restart, 1));
829 prev.next = (void *)prevl;
832 if ((ii = invl_max_qlen) < i)
833 atomic_cmpset_int(&invl_max_qlen, ii, i);
836 if (!pmap_di_load_invl(p, &prev) || prev.next != NULL) {
837 PV_STAT(atomic_add_long(&invl_start_restart, 1));
842 new_prev.gen = prev.gen;
843 new_prev.next = invl_gen;
844 invl_gen->gen = prev.gen + 1;
846 /* Formal fence between store to invl->gen and updating *p. */
847 atomic_thread_fence_rel();
850 * After inserting an invl_gen element with invalid bit set,
851 * this thread blocks any other thread trying to enter the
852 * delayed invalidation block. Do not allow to remove us from
853 * the CPU, because it causes starvation for other threads.
858 * ABA for *p is not possible there, since p->gen can only
859 * increase. So if the *p thread finished its di, then
860 * started a new one and got inserted into the list at the
861 * same place, its gen will appear greater than the previously
864 if (!pmap_di_store_invl(p, &prev, &new_prev)) {
866 PV_STAT(atomic_add_long(&invl_start_restart, 1));
872 * There we clear PMAP_INVL_GEN_NEXT_INVALID in
873 * invl_gen->next, allowing other threads to iterate past us.
874 * pmap_di_store_invl() provides fence between the generation
875 * write and the update of next.
877 invl_gen->next = NULL;
882 pmap_delayed_invl_finish_u_crit(struct pmap_invl_gen *invl_gen,
883 struct pmap_invl_gen *p)
885 struct pmap_invl_gen prev, new_prev;
889 * Load invl_gen->gen after setting invl_gen->next
890 * PMAP_INVL_GEN_NEXT_INVALID. This prevents larger
891 * generations to propagate to our invl_gen->gen. Lock prefix
892 * in atomic_set_ptr() worked as seq_cst fence.
894 mygen = atomic_load_long(&invl_gen->gen);
896 if (!pmap_di_load_invl(p, &prev) || prev.next != invl_gen)
899 KASSERT(prev.gen < mygen,
900 ("invalid di gen sequence %lu %lu", prev.gen, mygen));
901 new_prev.gen = mygen;
902 new_prev.next = (void *)((uintptr_t)invl_gen->next &
903 ~PMAP_INVL_GEN_NEXT_INVALID);
905 /* Formal fence between load of prev and storing update to it. */
906 atomic_thread_fence_rel();
908 return (pmap_di_store_invl(p, &prev, &new_prev));
912 pmap_delayed_invl_finish_u(void)
914 struct pmap_invl_gen *invl_gen, *p;
916 struct lock_delay_arg lda;
920 invl_gen = &td->td_md.md_invl_gen;
921 KASSERT(invl_gen->gen != 0, ("missed invl_start: gen 0"));
922 KASSERT(((uintptr_t)invl_gen->next & PMAP_INVL_GEN_NEXT_INVALID) == 0,
923 ("missed invl_start: INVALID"));
924 lock_delay_arg_init(&lda, &di_delay);
927 for (p = &pmap_invl_gen_head; p != NULL; p = (void *)prevl) {
928 prevl = (uintptr_t)atomic_load_ptr(&p->next);
929 if ((prevl & PMAP_INVL_GEN_NEXT_INVALID) != 0) {
930 PV_STAT(atomic_add_long(&invl_finish_restart, 1));
934 if ((void *)prevl == invl_gen)
939 * It is legitimate to not find ourself on the list if a
940 * thread before us finished its DI and started it again.
942 if (__predict_false(p == NULL)) {
943 PV_STAT(atomic_add_long(&invl_finish_restart, 1));
949 atomic_set_ptr((uintptr_t *)&invl_gen->next,
950 PMAP_INVL_GEN_NEXT_INVALID);
951 if (!pmap_delayed_invl_finish_u_crit(invl_gen, p)) {
952 atomic_clear_ptr((uintptr_t *)&invl_gen->next,
953 PMAP_INVL_GEN_NEXT_INVALID);
955 PV_STAT(atomic_add_long(&invl_finish_restart, 1));
960 if (atomic_load_int(&pmap_invl_waiters) > 0)
961 pmap_delayed_invl_finish_unblock(0);
962 if (invl_gen->saved_pri != 0) {
964 sched_prio(td, invl_gen->saved_pri);
970 DB_SHOW_COMMAND(di_queue, pmap_di_queue)
972 struct pmap_invl_gen *p, *pn;
977 for (p = &pmap_invl_gen_head, first = true; p != NULL; p = pn,
979 nextl = (uintptr_t)atomic_load_ptr(&p->next);
980 pn = (void *)(nextl & ~PMAP_INVL_GEN_NEXT_INVALID);
981 td = first ? NULL : __containerof(p, struct thread,
983 db_printf("gen %lu inv %d td %p tid %d\n", p->gen,
984 (nextl & PMAP_INVL_GEN_NEXT_INVALID) != 0, td,
985 td != NULL ? td->td_tid : -1);
991 static long invl_wait;
992 SYSCTL_LONG(_vm_pmap, OID_AUTO, invl_wait, CTLFLAG_RD, &invl_wait, 0,
993 "Number of times DI invalidation blocked pmap_remove_all/write");
994 static long invl_wait_slow;
995 SYSCTL_LONG(_vm_pmap, OID_AUTO, invl_wait_slow, CTLFLAG_RD, &invl_wait_slow, 0,
996 "Number of slow invalidation waits for lockless DI");
1001 pmap_delayed_invl_genp(vm_page_t m)
1006 pa = VM_PAGE_TO_PHYS(m);
1007 if (__predict_false((pa) > pmap_last_pa))
1008 gen = &pv_dummy_large.pv_invl_gen;
1010 gen = &(pa_to_pmdp(pa)->pv_invl_gen);
1016 pmap_delayed_invl_genp(vm_page_t m)
1019 return (&pv_invl_gen[pa_index(VM_PAGE_TO_PHYS(m)) % NPV_LIST_LOCKS]);
1024 pmap_delayed_invl_callout_func(void *arg __unused)
1027 if (atomic_load_int(&pmap_invl_waiters) == 0)
1029 pmap_delayed_invl_finish_unblock(0);
1033 pmap_delayed_invl_callout_init(void *arg __unused)
1036 if (pmap_di_locked())
1038 callout_init(&pmap_invl_callout, 1);
1039 pmap_invl_callout_inited = true;
1041 SYSINIT(pmap_di_callout, SI_SUB_CPU + 1, SI_ORDER_ANY,
1042 pmap_delayed_invl_callout_init, NULL);
1045 * Ensure that all currently executing DI blocks, that need to flush
1046 * TLB for the given page m, actually flushed the TLB at the time the
1047 * function returned. If the page m has an empty PV list and we call
1048 * pmap_delayed_invl_wait(), upon its return we know that no CPU has a
1049 * valid mapping for the page m in either its page table or TLB.
1051 * This function works by blocking until the global DI generation
1052 * number catches up with the generation number associated with the
1053 * given page m and its PV list. Since this function's callers
1054 * typically own an object lock and sometimes own a page lock, it
1055 * cannot sleep. Instead, it blocks on a turnstile to relinquish the
1059 pmap_delayed_invl_wait_l(vm_page_t m)
1063 bool accounted = false;
1066 m_gen = pmap_delayed_invl_genp(m);
1067 while (*m_gen > pmap_invl_gen) {
1070 atomic_add_long(&invl_wait, 1);
1074 pmap_delayed_invl_wait_block(m_gen, &pmap_invl_gen);
1079 pmap_delayed_invl_wait_u(vm_page_t m)
1082 struct lock_delay_arg lda;
1086 m_gen = pmap_delayed_invl_genp(m);
1087 lock_delay_arg_init(&lda, &di_delay);
1088 while (*m_gen > atomic_load_long(&pmap_invl_gen_head.gen)) {
1089 if (fast || !pmap_invl_callout_inited) {
1090 PV_STAT(atomic_add_long(&invl_wait, 1));
1095 * The page's invalidation generation number
1096 * is still below the current thread's number.
1097 * Prepare to block so that we do not waste
1098 * CPU cycles or worse, suffer livelock.
1100 * Since it is impossible to block without
1101 * racing with pmap_delayed_invl_finish_u(),
1102 * prepare for the race by incrementing
1103 * pmap_invl_waiters and arming a 1-tick
1104 * callout which will unblock us if we lose
1107 atomic_add_int(&pmap_invl_waiters, 1);
1110 * Re-check the current thread's invalidation
1111 * generation after incrementing
1112 * pmap_invl_waiters, so that there is no race
1113 * with pmap_delayed_invl_finish_u() setting
1114 * the page generation and checking
1115 * pmap_invl_waiters. The only race allowed
1116 * is for a missed unblock, which is handled
1120 atomic_load_long(&pmap_invl_gen_head.gen)) {
1121 callout_reset(&pmap_invl_callout, 1,
1122 pmap_delayed_invl_callout_func, NULL);
1123 PV_STAT(atomic_add_long(&invl_wait_slow, 1));
1124 pmap_delayed_invl_wait_block(m_gen,
1125 &pmap_invl_gen_head.gen);
1127 atomic_add_int(&pmap_invl_waiters, -1);
1132 DEFINE_IFUNC(, void, pmap_thread_init_invl_gen, (struct thread *))
1135 return (pmap_di_locked() ? pmap_thread_init_invl_gen_l :
1136 pmap_thread_init_invl_gen_u);
1139 DEFINE_IFUNC(static, void, pmap_delayed_invl_start, (void))
1142 return (pmap_di_locked() ? pmap_delayed_invl_start_l :
1143 pmap_delayed_invl_start_u);
1146 DEFINE_IFUNC(static, void, pmap_delayed_invl_finish, (void))
1149 return (pmap_di_locked() ? pmap_delayed_invl_finish_l :
1150 pmap_delayed_invl_finish_u);
1153 DEFINE_IFUNC(static, void, pmap_delayed_invl_wait, (vm_page_t))
1156 return (pmap_di_locked() ? pmap_delayed_invl_wait_l :
1157 pmap_delayed_invl_wait_u);
1161 * Mark the page m's PV list as participating in the current thread's
1162 * DI block. Any threads concurrently using m's PV list to remove or
1163 * restrict all mappings to m will wait for the current thread's DI
1164 * block to complete before proceeding.
1166 * The function works by setting the DI generation number for m's PV
1167 * list to at least the DI generation number of the current thread.
1168 * This forces a caller of pmap_delayed_invl_wait() to block until
1169 * current thread calls pmap_delayed_invl_finish().
1172 pmap_delayed_invl_page(vm_page_t m)
1176 rw_assert(VM_PAGE_TO_PV_LIST_LOCK(m), RA_WLOCKED);
1177 gen = curthread->td_md.md_invl_gen.gen;
1180 m_gen = pmap_delayed_invl_genp(m);
1188 static caddr_t crashdumpmap;
1191 * Internal flags for pmap_enter()'s helper functions.
1193 #define PMAP_ENTER_NORECLAIM 0x1000000 /* Don't reclaim PV entries. */
1194 #define PMAP_ENTER_NOREPLACE 0x2000000 /* Don't replace mappings. */
1197 * Internal flags for pmap_mapdev_internal() and
1198 * pmap_change_props_locked().
1200 #define MAPDEV_FLUSHCACHE 0x00000001 /* Flush cache after mapping. */
1201 #define MAPDEV_SETATTR 0x00000002 /* Modify existing attrs. */
1202 #define MAPDEV_ASSERTVALID 0x00000004 /* Assert mapping validity. */
1204 TAILQ_HEAD(pv_chunklist, pv_chunk);
1206 static void free_pv_chunk(struct pv_chunk *pc);
1207 static void free_pv_chunk_batch(struct pv_chunklist *batch);
1208 static void free_pv_entry(pmap_t pmap, pv_entry_t pv);
1209 static pv_entry_t get_pv_entry(pmap_t pmap, struct rwlock **lockp);
1210 static int popcnt_pc_map_pq(uint64_t *map);
1211 static vm_page_t reclaim_pv_chunk(pmap_t locked_pmap, struct rwlock **lockp);
1212 static void reserve_pv_entries(pmap_t pmap, int needed,
1213 struct rwlock **lockp);
1214 static void pmap_pv_demote_pde(pmap_t pmap, vm_offset_t va, vm_paddr_t pa,
1215 struct rwlock **lockp);
1216 static bool pmap_pv_insert_pde(pmap_t pmap, vm_offset_t va, pd_entry_t pde,
1217 u_int flags, struct rwlock **lockp);
1218 #if VM_NRESERVLEVEL > 0
1219 static void pmap_pv_promote_pde(pmap_t pmap, vm_offset_t va, vm_paddr_t pa,
1220 struct rwlock **lockp);
1222 static void pmap_pvh_free(struct md_page *pvh, pmap_t pmap, vm_offset_t va);
1223 static pv_entry_t pmap_pvh_remove(struct md_page *pvh, pmap_t pmap,
1226 static void pmap_abort_ptp(pmap_t pmap, vm_offset_t va, vm_page_t mpte);
1227 static int pmap_change_props_locked(vm_offset_t va, vm_size_t size,
1228 vm_prot_t prot, int mode, int flags);
1229 static boolean_t pmap_demote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va);
1230 static boolean_t pmap_demote_pde_locked(pmap_t pmap, pd_entry_t *pde,
1231 vm_offset_t va, struct rwlock **lockp);
1232 static boolean_t pmap_demote_pdpe(pmap_t pmap, pdp_entry_t *pdpe,
1234 static bool pmap_enter_2mpage(pmap_t pmap, vm_offset_t va, vm_page_t m,
1235 vm_prot_t prot, struct rwlock **lockp);
1236 static int pmap_enter_pde(pmap_t pmap, vm_offset_t va, pd_entry_t newpde,
1237 u_int flags, vm_page_t m, struct rwlock **lockp);
1238 static vm_page_t pmap_enter_quick_locked(pmap_t pmap, vm_offset_t va,
1239 vm_page_t m, vm_prot_t prot, vm_page_t mpte, struct rwlock **lockp);
1240 static void pmap_fill_ptp(pt_entry_t *firstpte, pt_entry_t newpte);
1241 static int pmap_insert_pt_page(pmap_t pmap, vm_page_t mpte, bool promoted);
1242 static void pmap_invalidate_cache_range_selfsnoop(vm_offset_t sva,
1244 static void pmap_invalidate_cache_range_all(vm_offset_t sva,
1246 static void pmap_invalidate_pde_page(pmap_t pmap, vm_offset_t va,
1248 static void pmap_kenter_attr(vm_offset_t va, vm_paddr_t pa, int mode);
1249 static vm_page_t pmap_large_map_getptp_unlocked(void);
1250 static vm_paddr_t pmap_large_map_kextract(vm_offset_t va);
1251 #if VM_NRESERVLEVEL > 0
1252 static void pmap_promote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va,
1253 struct rwlock **lockp);
1255 static boolean_t pmap_protect_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t sva,
1257 static void pmap_pte_props(pt_entry_t *pte, u_long bits, u_long mask);
1258 static void pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva,
1260 static pdp_entry_t *pmap_pti_pdpe(vm_offset_t va);
1261 static pd_entry_t *pmap_pti_pde(vm_offset_t va);
1262 static void pmap_pti_wire_pte(void *pte);
1263 static int pmap_remove_pde(pmap_t pmap, pd_entry_t *pdq, vm_offset_t sva,
1264 struct spglist *free, struct rwlock **lockp);
1265 static int pmap_remove_pte(pmap_t pmap, pt_entry_t *ptq, vm_offset_t sva,
1266 pd_entry_t ptepde, struct spglist *free, struct rwlock **lockp);
1267 static vm_page_t pmap_remove_pt_page(pmap_t pmap, vm_offset_t va);
1268 static void pmap_remove_page(pmap_t pmap, vm_offset_t va, pd_entry_t *pde,
1269 struct spglist *free);
1270 static bool pmap_remove_ptes(pmap_t pmap, vm_offset_t sva, vm_offset_t eva,
1271 pd_entry_t *pde, struct spglist *free,
1272 struct rwlock **lockp);
1273 static boolean_t pmap_try_insert_pv_entry(pmap_t pmap, vm_offset_t va,
1274 vm_page_t m, struct rwlock **lockp);
1275 static void pmap_update_pde(pmap_t pmap, vm_offset_t va, pd_entry_t *pde,
1277 static void pmap_update_pde_invalidate(pmap_t, vm_offset_t va, pd_entry_t pde);
1279 static pd_entry_t *pmap_alloc_pde(pmap_t pmap, vm_offset_t va, vm_page_t *pdpgp,
1280 struct rwlock **lockp);
1281 static vm_page_t pmap_allocpte_alloc(pmap_t pmap, vm_pindex_t ptepindex,
1282 struct rwlock **lockp, vm_offset_t va);
1283 static vm_page_t pmap_allocpte_nosleep(pmap_t pmap, vm_pindex_t ptepindex,
1284 struct rwlock **lockp, vm_offset_t va);
1285 static vm_page_t pmap_allocpte(pmap_t pmap, vm_offset_t va,
1286 struct rwlock **lockp);
1288 static void _pmap_unwire_ptp(pmap_t pmap, vm_offset_t va, vm_page_t m,
1289 struct spglist *free);
1290 static int pmap_unuse_pt(pmap_t, vm_offset_t, pd_entry_t, struct spglist *);
1292 /********************/
1293 /* Inline functions */
1294 /********************/
1297 * Return a non-clipped indexes for a given VA, which are page table
1298 * pages indexes at the corresponding level.
1300 static __inline vm_pindex_t
1301 pmap_pde_pindex(vm_offset_t va)
1303 return (va >> PDRSHIFT);
1306 static __inline vm_pindex_t
1307 pmap_pdpe_pindex(vm_offset_t va)
1309 return (NUPDE + (va >> PDPSHIFT));
1312 static __inline vm_pindex_t
1313 pmap_pml4e_pindex(vm_offset_t va)
1315 return (NUPDE + NUPDPE + (va >> PML4SHIFT));
1318 static __inline vm_pindex_t
1319 pmap_pml5e_pindex(vm_offset_t va)
1321 return (NUPDE + NUPDPE + NUPML4E + (va >> PML5SHIFT));
1324 static __inline pml4_entry_t *
1325 pmap_pml5e(pmap_t pmap, vm_offset_t va)
1328 MPASS(pmap_is_la57(pmap));
1329 return (&pmap->pm_pmltop[pmap_pml5e_index(va)]);
1332 static __inline pml4_entry_t *
1333 pmap_pml5e_u(pmap_t pmap, vm_offset_t va)
1336 MPASS(pmap_is_la57(pmap));
1337 return (&pmap->pm_pmltopu[pmap_pml5e_index(va)]);
1340 static __inline pml4_entry_t *
1341 pmap_pml5e_to_pml4e(pml5_entry_t *pml5e, vm_offset_t va)
1343 pml4_entry_t *pml4e;
1345 /* XXX MPASS(pmap_is_la57(pmap); */
1346 pml4e = (pml4_entry_t *)PHYS_TO_DMAP(*pml5e & PG_FRAME);
1347 return (&pml4e[pmap_pml4e_index(va)]);
1350 /* Return a pointer to the PML4 slot that corresponds to a VA */
1351 static __inline pml4_entry_t *
1352 pmap_pml4e(pmap_t pmap, vm_offset_t va)
1354 pml5_entry_t *pml5e;
1355 pml4_entry_t *pml4e;
1358 if (pmap_is_la57(pmap)) {
1359 pml5e = pmap_pml5e(pmap, va);
1360 PG_V = pmap_valid_bit(pmap);
1361 if ((*pml5e & PG_V) == 0)
1363 pml4e = (pml4_entry_t *)PHYS_TO_DMAP(*pml5e & PG_FRAME);
1365 pml4e = pmap->pm_pmltop;
1367 return (&pml4e[pmap_pml4e_index(va)]);
1370 static __inline pml4_entry_t *
1371 pmap_pml4e_u(pmap_t pmap, vm_offset_t va)
1373 MPASS(!pmap_is_la57(pmap));
1374 return (&pmap->pm_pmltopu[pmap_pml4e_index(va)]);
1377 /* Return a pointer to the PDP slot that corresponds to a VA */
1378 static __inline pdp_entry_t *
1379 pmap_pml4e_to_pdpe(pml4_entry_t *pml4e, vm_offset_t va)
1383 pdpe = (pdp_entry_t *)PHYS_TO_DMAP(*pml4e & PG_FRAME);
1384 return (&pdpe[pmap_pdpe_index(va)]);
1387 /* Return a pointer to the PDP slot that corresponds to a VA */
1388 static __inline pdp_entry_t *
1389 pmap_pdpe(pmap_t pmap, vm_offset_t va)
1391 pml4_entry_t *pml4e;
1394 PG_V = pmap_valid_bit(pmap);
1395 pml4e = pmap_pml4e(pmap, va);
1396 if (pml4e == NULL || (*pml4e & PG_V) == 0)
1398 return (pmap_pml4e_to_pdpe(pml4e, va));
1401 /* Return a pointer to the PD slot that corresponds to a VA */
1402 static __inline pd_entry_t *
1403 pmap_pdpe_to_pde(pdp_entry_t *pdpe, vm_offset_t va)
1407 KASSERT((*pdpe & PG_PS) == 0,
1408 ("%s: pdpe %#lx is a leaf", __func__, *pdpe));
1409 pde = (pd_entry_t *)PHYS_TO_DMAP(*pdpe & PG_FRAME);
1410 return (&pde[pmap_pde_index(va)]);
1413 /* Return a pointer to the PD slot that corresponds to a VA */
1414 static __inline pd_entry_t *
1415 pmap_pde(pmap_t pmap, vm_offset_t va)
1420 PG_V = pmap_valid_bit(pmap);
1421 pdpe = pmap_pdpe(pmap, va);
1422 if (pdpe == NULL || (*pdpe & PG_V) == 0)
1424 KASSERT((*pdpe & PG_PS) == 0,
1425 ("pmap_pde for 1G page, pmap %p va %#lx", pmap, va));
1426 return (pmap_pdpe_to_pde(pdpe, va));
1429 /* Return a pointer to the PT slot that corresponds to a VA */
1430 static __inline pt_entry_t *
1431 pmap_pde_to_pte(pd_entry_t *pde, vm_offset_t va)
1435 KASSERT((*pde & PG_PS) == 0,
1436 ("%s: pde %#lx is a leaf", __func__, *pde));
1437 pte = (pt_entry_t *)PHYS_TO_DMAP(*pde & PG_FRAME);
1438 return (&pte[pmap_pte_index(va)]);
1441 /* Return a pointer to the PT slot that corresponds to a VA */
1442 static __inline pt_entry_t *
1443 pmap_pte(pmap_t pmap, vm_offset_t va)
1448 PG_V = pmap_valid_bit(pmap);
1449 pde = pmap_pde(pmap, va);
1450 if (pde == NULL || (*pde & PG_V) == 0)
1452 if ((*pde & PG_PS) != 0) /* compat with i386 pmap_pte() */
1453 return ((pt_entry_t *)pde);
1454 return (pmap_pde_to_pte(pde, va));
1457 static __inline void
1458 pmap_resident_count_inc(pmap_t pmap, int count)
1461 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
1462 pmap->pm_stats.resident_count += count;
1465 static __inline void
1466 pmap_resident_count_dec(pmap_t pmap, int count)
1469 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
1470 KASSERT(pmap->pm_stats.resident_count >= count,
1471 ("pmap %p resident count underflow %ld %d", pmap,
1472 pmap->pm_stats.resident_count, count));
1473 pmap->pm_stats.resident_count -= count;
1476 PMAP_INLINE pt_entry_t *
1477 vtopte(vm_offset_t va)
1481 KASSERT(va >= VM_MAXUSER_ADDRESS, ("vtopte on a uva/gpa 0x%0lx", va));
1484 mask = ((1ul << (NPTEPGSHIFT + NPDEPGSHIFT + NPDPEPGSHIFT +
1485 NPML4EPGSHIFT + NPML5EPGSHIFT)) - 1);
1486 return (P5Tmap + ((va >> PAGE_SHIFT) & mask));
1488 mask = ((1ul << (NPTEPGSHIFT + NPDEPGSHIFT + NPDPEPGSHIFT +
1489 NPML4EPGSHIFT)) - 1);
1490 return (P4Tmap + ((va >> PAGE_SHIFT) & mask));
1494 static __inline pd_entry_t *
1495 vtopde(vm_offset_t va)
1499 KASSERT(va >= VM_MAXUSER_ADDRESS, ("vtopde on a uva/gpa 0x%0lx", va));
1502 mask = ((1ul << (NPDEPGSHIFT + NPDPEPGSHIFT +
1503 NPML4EPGSHIFT + NPML5EPGSHIFT)) - 1);
1504 return (P5Dmap + ((va >> PDRSHIFT) & mask));
1506 mask = ((1ul << (NPDEPGSHIFT + NPDPEPGSHIFT +
1507 NPML4EPGSHIFT)) - 1);
1508 return (P4Dmap + ((va >> PDRSHIFT) & mask));
1513 allocpages(vm_paddr_t *firstaddr, int n)
1518 bzero((void *)ret, n * PAGE_SIZE);
1519 *firstaddr += n * PAGE_SIZE;
1523 CTASSERT(powerof2(NDMPML4E));
1525 /* number of kernel PDP slots */
1526 #define NKPDPE(ptpgs) howmany(ptpgs, NPDEPG)
1529 nkpt_init(vm_paddr_t addr)
1536 pt_pages = howmany(addr - kernphys, NBPDR) + 1; /* +1 for 2M hole @0 */
1537 pt_pages += NKPDPE(pt_pages);
1540 * Add some slop beyond the bare minimum required for bootstrapping
1543 * This is quite important when allocating KVA for kernel modules.
1544 * The modules are required to be linked in the negative 2GB of
1545 * the address space. If we run out of KVA in this region then
1546 * pmap_growkernel() will need to allocate page table pages to map
1547 * the entire 512GB of KVA space which is an unnecessary tax on
1550 * Secondly, device memory mapped as part of setting up the low-
1551 * level console(s) is taken from KVA, starting at virtual_avail.
1552 * This is because cninit() is called after pmap_bootstrap() but
1553 * before vm_init() and pmap_init(). 20MB for a frame buffer is
1556 pt_pages += 32; /* 64MB additional slop. */
1562 * Returns the proper write/execute permission for a physical page that is
1563 * part of the initial boot allocations.
1565 * If the page has kernel text, it is marked as read-only. If the page has
1566 * kernel read-only data, it is marked as read-only/not-executable. If the
1567 * page has only read-write data, it is marked as read-write/not-executable.
1568 * If the page is below/above the kernel range, it is marked as read-write.
1570 * This function operates on 2M pages, since we map the kernel space that
1573 static inline pt_entry_t
1574 bootaddr_rwx(vm_paddr_t pa)
1577 * The kernel is loaded at a 2MB-aligned address, and memory below that
1578 * need not be executable. The .bss section is padded to a 2MB
1579 * boundary, so memory following the kernel need not be executable
1580 * either. Preloaded kernel modules have their mapping permissions
1581 * fixed up by the linker.
1583 if (pa < trunc_2mpage(kernphys + btext - KERNSTART) ||
1584 pa >= trunc_2mpage(kernphys + _end - KERNSTART))
1585 return (X86_PG_RW | pg_nx);
1588 * The linker should ensure that the read-only and read-write
1589 * portions don't share the same 2M page, so this shouldn't
1590 * impact read-only data. However, in any case, any page with
1591 * read-write data needs to be read-write.
1593 if (pa >= trunc_2mpage(kernphys + brwsection - KERNSTART))
1594 return (X86_PG_RW | pg_nx);
1597 * Mark any 2M page containing kernel text as read-only. Mark
1598 * other pages with read-only data as read-only and not executable.
1599 * (It is likely a small portion of the read-only data section will
1600 * be marked as read-only, but executable. This should be acceptable
1601 * since the read-only protection will keep the data from changing.)
1602 * Note that fixups to the .text section will still work until we
1605 if (pa < round_2mpage(kernphys + etext - KERNSTART))
1611 create_pagetables(vm_paddr_t *firstaddr)
1616 uint64_t DMPDkernphys;
1618 int i, j, ndm1g, nkpdpe, nkdmpde;
1620 /* Allocate page table pages for the direct map */
1621 ndmpdp = howmany(ptoa(Maxmem), NBPDP);
1622 if (ndmpdp < 4) /* Minimum 4GB of dirmap */
1624 ndmpdpphys = howmany(ndmpdp, NPDPEPG);
1625 if (ndmpdpphys > NDMPML4E) {
1627 * Each NDMPML4E allows 512 GB, so limit to that,
1628 * and then readjust ndmpdp and ndmpdpphys.
1630 printf("NDMPML4E limits system to %d GB\n", NDMPML4E * 512);
1631 Maxmem = atop(NDMPML4E * NBPML4);
1632 ndmpdpphys = NDMPML4E;
1633 ndmpdp = NDMPML4E * NPDEPG;
1635 DMPDPphys = allocpages(firstaddr, ndmpdpphys);
1637 if ((amd_feature & AMDID_PAGE1GB) != 0) {
1639 * Calculate the number of 1G pages that will fully fit in
1642 ndm1g = ptoa(Maxmem) >> PDPSHIFT;
1645 * Allocate 2M pages for the kernel. These will be used in
1646 * place of the one or more 1G pages from ndm1g that maps
1647 * kernel memory into DMAP.
1649 nkdmpde = howmany((vm_offset_t)brwsection - KERNSTART +
1650 kernphys - rounddown2(kernphys, NBPDP), NBPDP);
1651 DMPDkernphys = allocpages(firstaddr, nkdmpde);
1654 DMPDphys = allocpages(firstaddr, ndmpdp - ndm1g);
1655 dmaplimit = (vm_paddr_t)ndmpdp << PDPSHIFT;
1657 /* Allocate pages */
1658 KPML4phys = allocpages(firstaddr, 1);
1659 KPDPphys = allocpages(firstaddr, NKPML4E);
1662 * Allocate the initial number of kernel page table pages required to
1663 * bootstrap. We defer this until after all memory-size dependent
1664 * allocations are done (e.g. direct map), so that we don't have to
1665 * build in too much slop in our estimate.
1667 * Note that when NKPML4E > 1, we have an empty page underneath
1668 * all but the KPML4I'th one, so we need NKPML4E-1 extra (zeroed)
1669 * pages. (pmap_enter requires a PD page to exist for each KPML4E.)
1671 nkpt_init(*firstaddr);
1672 nkpdpe = NKPDPE(nkpt);
1674 KPTphys = allocpages(firstaddr, nkpt);
1675 KPDphys = allocpages(firstaddr, nkpdpe);
1678 * Connect the zero-filled PT pages to their PD entries. This
1679 * implicitly maps the PT pages at their correct locations within
1682 pd_p = (pd_entry_t *)KPDphys;
1683 for (i = 0; i < nkpt; i++)
1684 pd_p[i] = (KPTphys + ptoa(i)) | X86_PG_RW | X86_PG_V;
1687 * Map from start of the kernel in physical memory (staging
1688 * area) to the end of loader preallocated memory using 2MB
1689 * pages. This replaces some of the PD entries created above.
1690 * For compatibility, identity map 2M at the start.
1692 pd_p[0] = X86_PG_V | PG_PS | pg_g | X86_PG_M | X86_PG_A |
1694 for (i = 1, pax = kernphys; pax < KERNend; i++, pax += NBPDR) {
1695 /* Preset PG_M and PG_A because demotion expects it. */
1696 pd_p[i] = pax | X86_PG_V | PG_PS | pg_g | X86_PG_M |
1697 X86_PG_A | bootaddr_rwx(pax);
1701 * Because we map the physical blocks in 2M pages, adjust firstaddr
1702 * to record the physical blocks we've actually mapped into kernel
1703 * virtual address space.
1705 if (*firstaddr < round_2mpage(KERNend))
1706 *firstaddr = round_2mpage(KERNend);
1708 /* And connect up the PD to the PDP (leaving room for L4 pages) */
1709 pdp_p = (pdp_entry_t *)(KPDPphys + ptoa(KPML4I - KPML4BASE));
1710 for (i = 0; i < nkpdpe; i++)
1711 pdp_p[i + KPDPI] = (KPDphys + ptoa(i)) | X86_PG_RW | X86_PG_V;
1714 * Now, set up the direct map region using 2MB and/or 1GB pages. If
1715 * the end of physical memory is not aligned to a 1GB page boundary,
1716 * then the residual physical memory is mapped with 2MB pages. Later,
1717 * if pmap_mapdev{_attr}() uses the direct map for non-write-back
1718 * memory, pmap_change_attr() will demote any 2MB or 1GB page mappings
1719 * that are partially used.
1721 pd_p = (pd_entry_t *)DMPDphys;
1722 for (i = NPDEPG * ndm1g, j = 0; i < NPDEPG * ndmpdp; i++, j++) {
1723 pd_p[j] = (vm_paddr_t)i << PDRSHIFT;
1724 /* Preset PG_M and PG_A because demotion expects it. */
1725 pd_p[j] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g |
1726 X86_PG_M | X86_PG_A | pg_nx;
1728 pdp_p = (pdp_entry_t *)DMPDPphys;
1729 for (i = 0; i < ndm1g; i++) {
1730 pdp_p[i] = (vm_paddr_t)i << PDPSHIFT;
1731 /* Preset PG_M and PG_A because demotion expects it. */
1732 pdp_p[i] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g |
1733 X86_PG_M | X86_PG_A | pg_nx;
1735 for (j = 0; i < ndmpdp; i++, j++) {
1736 pdp_p[i] = DMPDphys + ptoa(j);
1737 pdp_p[i] |= X86_PG_RW | X86_PG_V | pg_nx;
1741 * Instead of using a 1G page for the memory containing the kernel,
1742 * use 2M pages with read-only and no-execute permissions. (If using 1G
1743 * pages, this will partially overwrite the PDPEs above.)
1746 pd_p = (pd_entry_t *)DMPDkernphys;
1747 for (i = 0, pax = rounddown2(kernphys, NBPDP);
1748 i < NPDEPG * nkdmpde; i++, pax += NBPDR) {
1749 pd_p[i] = pax | X86_PG_V | PG_PS | pg_g | X86_PG_M |
1750 X86_PG_A | pg_nx | bootaddr_rwx(pax);
1752 j = rounddown2(kernphys, NBPDP) >> PDPSHIFT;
1753 for (i = 0; i < nkdmpde; i++) {
1754 pdp_p[i + j] = (DMPDkernphys + ptoa(i)) |
1755 X86_PG_RW | X86_PG_V | pg_nx;
1759 /* And recursively map PML4 to itself in order to get PTmap */
1760 p4_p = (pml4_entry_t *)KPML4phys;
1761 p4_p[PML4PML4I] = KPML4phys;
1762 p4_p[PML4PML4I] |= X86_PG_RW | X86_PG_V | pg_nx;
1764 /* Connect the Direct Map slot(s) up to the PML4. */
1765 for (i = 0; i < ndmpdpphys; i++) {
1766 p4_p[DMPML4I + i] = DMPDPphys + ptoa(i);
1767 p4_p[DMPML4I + i] |= X86_PG_RW | X86_PG_V | pg_nx;
1770 /* Connect the KVA slots up to the PML4 */
1771 for (i = 0; i < NKPML4E; i++) {
1772 p4_p[KPML4BASE + i] = KPDPphys + ptoa(i);
1773 p4_p[KPML4BASE + i] |= X86_PG_RW | X86_PG_V;
1776 kernel_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(KPML4phys);
1780 * Bootstrap the system enough to run with virtual memory.
1782 * On amd64 this is called after mapping has already been enabled
1783 * and just syncs the pmap module with what has already been done.
1784 * [We can't call it easily with mapping off since the kernel is not
1785 * mapped with PA == VA, hence we would have to relocate every address
1786 * from the linked base (virtual) address "KERNBASE" to the actual
1787 * (physical) address starting relative to 0]
1790 pmap_bootstrap(vm_paddr_t *firstaddr)
1793 pt_entry_t *pte, *pcpu_pte;
1794 struct region_descriptor r_gdt;
1795 uint64_t cr4, pcpu_phys;
1799 KERNend = *firstaddr;
1800 res = atop(KERNend - (vm_paddr_t)kernphys);
1806 * Create an initial set of page tables to run the kernel in.
1808 create_pagetables(firstaddr);
1810 pcpu_phys = allocpages(firstaddr, MAXCPU);
1813 * Add a physical memory segment (vm_phys_seg) corresponding to the
1814 * preallocated kernel page table pages so that vm_page structures
1815 * representing these pages will be created. The vm_page structures
1816 * are required for promotion of the corresponding kernel virtual
1817 * addresses to superpage mappings.
1819 vm_phys_early_add_seg(KPTphys, KPTphys + ptoa(nkpt));
1822 * Account for the virtual addresses mapped by create_pagetables().
1824 virtual_avail = (vm_offset_t)KERNSTART + round_2mpage(KERNend -
1825 (vm_paddr_t)kernphys);
1826 virtual_end = VM_MAX_KERNEL_ADDRESS;
1829 * Enable PG_G global pages, then switch to the kernel page
1830 * table from the bootstrap page table. After the switch, it
1831 * is possible to enable SMEP and SMAP since PG_U bits are
1837 load_cr3(KPML4phys);
1838 if (cpu_stdext_feature & CPUID_STDEXT_SMEP)
1840 if (cpu_stdext_feature & CPUID_STDEXT_SMAP)
1845 * Initialize the kernel pmap (which is statically allocated).
1846 * Count bootstrap data as being resident in case any of this data is
1847 * later unmapped (using pmap_remove()) and freed.
1849 PMAP_LOCK_INIT(kernel_pmap);
1850 kernel_pmap->pm_pmltop = kernel_pml4;
1851 kernel_pmap->pm_cr3 = KPML4phys;
1852 kernel_pmap->pm_ucr3 = PMAP_NO_CR3;
1853 CPU_FILL(&kernel_pmap->pm_active); /* don't allow deactivation */
1854 TAILQ_INIT(&kernel_pmap->pm_pvchunk);
1855 kernel_pmap->pm_stats.resident_count = res;
1856 kernel_pmap->pm_flags = pmap_flags;
1859 * Initialize the TLB invalidations generation number lock.
1861 mtx_init(&invl_gen_mtx, "invlgn", NULL, MTX_DEF);
1864 * Reserve some special page table entries/VA space for temporary
1867 #define SYSMAP(c, p, v, n) \
1868 v = (c)va; va += ((n)*PAGE_SIZE); p = pte; pte += (n);
1874 * Crashdump maps. The first page is reused as CMAP1 for the
1877 SYSMAP(caddr_t, CMAP1, crashdumpmap, MAXDUMPPGS)
1878 CADDR1 = crashdumpmap;
1880 SYSMAP(struct pcpu *, pcpu_pte, __pcpu, MAXCPU);
1883 for (i = 0; i < MAXCPU; i++) {
1884 pcpu_pte[i] = (pcpu_phys + ptoa(i)) | X86_PG_V | X86_PG_RW |
1885 pg_g | pg_nx | X86_PG_M | X86_PG_A;
1889 * Re-initialize PCPU area for BSP after switching.
1890 * Make hardware use gdt and common_tss from the new PCPU.
1892 STAILQ_INIT(&cpuhead);
1893 wrmsr(MSR_GSBASE, (uint64_t)&__pcpu[0]);
1894 pcpu_init(&__pcpu[0], 0, sizeof(struct pcpu));
1895 amd64_bsp_pcpu_init1(&__pcpu[0]);
1896 amd64_bsp_ist_init(&__pcpu[0]);
1897 __pcpu[0].pc_common_tss.tss_iobase = sizeof(struct amd64tss) +
1899 memcpy(__pcpu[0].pc_gdt, temp_bsp_pcpu.pc_gdt, NGDT *
1900 sizeof(struct user_segment_descriptor));
1901 gdt_segs[GPROC0_SEL].ssd_base = (uintptr_t)&__pcpu[0].pc_common_tss;
1902 ssdtosyssd(&gdt_segs[GPROC0_SEL],
1903 (struct system_segment_descriptor *)&__pcpu[0].pc_gdt[GPROC0_SEL]);
1904 r_gdt.rd_limit = NGDT * sizeof(struct user_segment_descriptor) - 1;
1905 r_gdt.rd_base = (long)__pcpu[0].pc_gdt;
1907 wrmsr(MSR_GSBASE, (uint64_t)&__pcpu[0]);
1908 ltr(GSEL(GPROC0_SEL, SEL_KPL));
1909 __pcpu[0].pc_dynamic = temp_bsp_pcpu.pc_dynamic;
1910 __pcpu[0].pc_acpi_id = temp_bsp_pcpu.pc_acpi_id;
1913 * Initialize the PAT MSR.
1914 * pmap_init_pat() clears and sets CR4_PGE, which, as a
1915 * side-effect, invalidates stale PG_G TLB entries that might
1916 * have been created in our pre-boot environment.
1920 /* Initialize TLB Context Id. */
1921 if (pmap_pcid_enabled) {
1922 for (i = 0; i < MAXCPU; i++) {
1923 kernel_pmap->pm_pcids[i].pm_pcid = PMAP_PCID_KERN;
1924 kernel_pmap->pm_pcids[i].pm_gen = 1;
1928 * PMAP_PCID_KERN + 1 is used for initialization of
1929 * proc0 pmap. The pmap' pcid state might be used by
1930 * EFIRT entry before first context switch, so it
1931 * needs to be valid.
1933 PCPU_SET(pcid_next, PMAP_PCID_KERN + 2);
1934 PCPU_SET(pcid_gen, 1);
1937 * pcpu area for APs is zeroed during AP startup.
1938 * pc_pcid_next and pc_pcid_gen are initialized by AP
1939 * during pcpu setup.
1941 load_cr4(rcr4() | CR4_PCIDE);
1946 * Setup the PAT MSR.
1955 /* Bail if this CPU doesn't implement PAT. */
1956 if ((cpu_feature & CPUID_PAT) == 0)
1959 /* Set default PAT index table. */
1960 for (i = 0; i < PAT_INDEX_SIZE; i++)
1962 pat_index[PAT_WRITE_BACK] = 0;
1963 pat_index[PAT_WRITE_THROUGH] = 1;
1964 pat_index[PAT_UNCACHEABLE] = 3;
1965 pat_index[PAT_WRITE_COMBINING] = 6;
1966 pat_index[PAT_WRITE_PROTECTED] = 5;
1967 pat_index[PAT_UNCACHED] = 2;
1970 * Initialize default PAT entries.
1971 * Leave the indices 0-3 at the default of WB, WT, UC-, and UC.
1972 * Program 5 and 6 as WP and WC.
1974 * Leave 4 and 7 as WB and UC. Note that a recursive page table
1975 * mapping for a 2M page uses a PAT value with the bit 3 set due
1976 * to its overload with PG_PS.
1978 pat_msr = PAT_VALUE(0, PAT_WRITE_BACK) |
1979 PAT_VALUE(1, PAT_WRITE_THROUGH) |
1980 PAT_VALUE(2, PAT_UNCACHED) |
1981 PAT_VALUE(3, PAT_UNCACHEABLE) |
1982 PAT_VALUE(4, PAT_WRITE_BACK) |
1983 PAT_VALUE(5, PAT_WRITE_PROTECTED) |
1984 PAT_VALUE(6, PAT_WRITE_COMBINING) |
1985 PAT_VALUE(7, PAT_UNCACHEABLE);
1989 load_cr4(cr4 & ~CR4_PGE);
1991 /* Disable caches (CD = 1, NW = 0). */
1993 load_cr0((cr0 & ~CR0_NW) | CR0_CD);
1995 /* Flushes caches and TLBs. */
1999 /* Update PAT and index table. */
2000 wrmsr(MSR_PAT, pat_msr);
2002 /* Flush caches and TLBs again. */
2006 /* Restore caches and PGE. */
2012 pmap_page_alloc_below_4g(bool zeroed)
2016 m = vm_page_alloc_contig(NULL, 0, (zeroed ? VM_ALLOC_ZERO : 0) |
2017 VM_ALLOC_NORMAL | VM_ALLOC_NOBUSY | VM_ALLOC_NOOBJ,
2018 1, 0, (1ULL << 32), PAGE_SIZE, 0, VM_MEMATTR_DEFAULT);
2019 if (m != NULL && zeroed && (m->flags & PG_ZERO) == 0)
2024 extern const char la57_trampoline[], la57_trampoline_gdt_desc[],
2025 la57_trampoline_gdt[], la57_trampoline_end[];
2028 pmap_bootstrap_la57(void *arg __unused)
2031 pml5_entry_t *v_pml5;
2032 pml4_entry_t *v_pml4;
2036 vm_page_t m_code, m_pml4, m_pdp, m_pd, m_pt, m_pml5;
2037 void (*la57_tramp)(uint64_t pml5);
2038 struct region_descriptor r_gdt;
2040 if ((cpu_stdext_feature2 & CPUID_STDEXT2_LA57) == 0)
2042 TUNABLE_INT_FETCH("vm.pmap.la57", &la57);
2046 r_gdt.rd_limit = NGDT * sizeof(struct user_segment_descriptor) - 1;
2047 r_gdt.rd_base = (long)__pcpu[0].pc_gdt;
2049 m_code = pmap_page_alloc_below_4g(true);
2050 v_code = (char *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m_code));
2051 m_pml5 = pmap_page_alloc_below_4g(true);
2052 KPML5phys = VM_PAGE_TO_PHYS(m_pml5);
2053 v_pml5 = (pml5_entry_t *)PHYS_TO_DMAP(KPML5phys);
2054 m_pml4 = pmap_page_alloc_below_4g(true);
2055 v_pml4 = (pdp_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m_pml4));
2056 m_pdp = pmap_page_alloc_below_4g(true);
2057 v_pdp = (pdp_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m_pdp));
2058 m_pd = pmap_page_alloc_below_4g(true);
2059 v_pd = (pdp_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m_pd));
2060 m_pt = pmap_page_alloc_below_4g(true);
2061 v_pt = (pt_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m_pt));
2064 * Map m_code 1:1, it appears below 4G in KVA due to physical
2065 * address being below 4G. Since kernel KVA is in upper half,
2066 * the pml4e should be zero and free for temporary use.
2068 kernel_pmap->pm_pmltop[pmap_pml4e_index(VM_PAGE_TO_PHYS(m_code))] =
2069 VM_PAGE_TO_PHYS(m_pdp) | X86_PG_V | X86_PG_RW | X86_PG_A |
2071 v_pdp[pmap_pdpe_index(VM_PAGE_TO_PHYS(m_code))] =
2072 VM_PAGE_TO_PHYS(m_pd) | X86_PG_V | X86_PG_RW | X86_PG_A |
2074 v_pd[pmap_pde_index(VM_PAGE_TO_PHYS(m_code))] =
2075 VM_PAGE_TO_PHYS(m_pt) | X86_PG_V | X86_PG_RW | X86_PG_A |
2077 v_pt[pmap_pte_index(VM_PAGE_TO_PHYS(m_code))] =
2078 VM_PAGE_TO_PHYS(m_code) | X86_PG_V | X86_PG_RW | X86_PG_A |
2082 * Add pml5 entry at top of KVA pointing to existing pml4 table,
2083 * entering all existing kernel mappings into level 5 table.
2085 v_pml5[pmap_pml5e_index(UPT_MAX_ADDRESS)] = KPML4phys | X86_PG_V |
2086 X86_PG_RW | X86_PG_A | X86_PG_M | pg_g;
2089 * Add pml5 entry for 1:1 trampoline mapping after LA57 is turned on.
2091 v_pml5[pmap_pml5e_index(VM_PAGE_TO_PHYS(m_code))] =
2092 VM_PAGE_TO_PHYS(m_pml4) | X86_PG_V | X86_PG_RW | X86_PG_A |
2094 v_pml4[pmap_pml4e_index(VM_PAGE_TO_PHYS(m_code))] =
2095 VM_PAGE_TO_PHYS(m_pdp) | X86_PG_V | X86_PG_RW | X86_PG_A |
2099 * Copy and call the 48->57 trampoline, hope we return there, alive.
2101 bcopy(la57_trampoline, v_code, la57_trampoline_end - la57_trampoline);
2102 *(u_long *)(v_code + 2 + (la57_trampoline_gdt_desc - la57_trampoline)) =
2103 la57_trampoline_gdt - la57_trampoline + VM_PAGE_TO_PHYS(m_code);
2104 la57_tramp = (void (*)(uint64_t))VM_PAGE_TO_PHYS(m_code);
2105 invlpg((vm_offset_t)la57_tramp);
2106 la57_tramp(KPML5phys);
2109 * gdt was necessary reset, switch back to our gdt.
2112 wrmsr(MSR_GSBASE, (uint64_t)&__pcpu[0]);
2116 ssdtosyssd(&gdt_segs[GPROC0_SEL],
2117 (struct system_segment_descriptor *)&__pcpu[0].pc_gdt[GPROC0_SEL]);
2118 ltr(GSEL(GPROC0_SEL, SEL_KPL));
2121 * Now unmap the trampoline, and free the pages.
2122 * Clear pml5 entry used for 1:1 trampoline mapping.
2124 pte_clear(&v_pml5[pmap_pml5e_index(VM_PAGE_TO_PHYS(m_code))]);
2125 invlpg((vm_offset_t)v_code);
2126 vm_page_free(m_code);
2127 vm_page_free(m_pdp);
2132 * Recursively map PML5 to itself in order to get PTmap and
2135 v_pml5[PML5PML5I] = KPML5phys | X86_PG_RW | X86_PG_V | pg_nx;
2137 kernel_pmap->pm_cr3 = KPML5phys;
2138 kernel_pmap->pm_pmltop = v_pml5;
2140 SYSINIT(la57, SI_SUB_KMEM, SI_ORDER_ANY, pmap_bootstrap_la57, NULL);
2143 * Initialize a vm_page's machine-dependent fields.
2146 pmap_page_init(vm_page_t m)
2149 TAILQ_INIT(&m->md.pv_list);
2150 m->md.pat_mode = PAT_WRITE_BACK;
2153 static int pmap_allow_2m_x_ept;
2154 SYSCTL_INT(_vm_pmap, OID_AUTO, allow_2m_x_ept, CTLFLAG_RWTUN | CTLFLAG_NOFETCH,
2155 &pmap_allow_2m_x_ept, 0,
2156 "Allow executable superpage mappings in EPT");
2159 pmap_allow_2m_x_ept_recalculate(void)
2162 * SKL002, SKL012S. Since the EPT format is only used by
2163 * Intel CPUs, the vendor check is merely a formality.
2165 if (!(cpu_vendor_id != CPU_VENDOR_INTEL ||
2166 (cpu_ia32_arch_caps & IA32_ARCH_CAP_IF_PSCHANGE_MC_NO) != 0 ||
2167 (CPUID_TO_FAMILY(cpu_id) == 0x6 &&
2168 (CPUID_TO_MODEL(cpu_id) == 0x26 || /* Atoms */
2169 CPUID_TO_MODEL(cpu_id) == 0x27 ||
2170 CPUID_TO_MODEL(cpu_id) == 0x35 ||
2171 CPUID_TO_MODEL(cpu_id) == 0x36 ||
2172 CPUID_TO_MODEL(cpu_id) == 0x37 ||
2173 CPUID_TO_MODEL(cpu_id) == 0x86 ||
2174 CPUID_TO_MODEL(cpu_id) == 0x1c ||
2175 CPUID_TO_MODEL(cpu_id) == 0x4a ||
2176 CPUID_TO_MODEL(cpu_id) == 0x4c ||
2177 CPUID_TO_MODEL(cpu_id) == 0x4d ||
2178 CPUID_TO_MODEL(cpu_id) == 0x5a ||
2179 CPUID_TO_MODEL(cpu_id) == 0x5c ||
2180 CPUID_TO_MODEL(cpu_id) == 0x5d ||
2181 CPUID_TO_MODEL(cpu_id) == 0x5f ||
2182 CPUID_TO_MODEL(cpu_id) == 0x6e ||
2183 CPUID_TO_MODEL(cpu_id) == 0x7a ||
2184 CPUID_TO_MODEL(cpu_id) == 0x57 || /* Knights */
2185 CPUID_TO_MODEL(cpu_id) == 0x85))))
2186 pmap_allow_2m_x_ept = 1;
2187 TUNABLE_INT_FETCH("hw.allow_2m_x_ept", &pmap_allow_2m_x_ept);
2191 pmap_allow_2m_x_page(pmap_t pmap, bool executable)
2194 return (pmap->pm_type != PT_EPT || !executable ||
2195 !pmap_allow_2m_x_ept);
2200 pmap_init_pv_table(void)
2202 struct pmap_large_md_page *pvd;
2204 long start, end, highest, pv_npg;
2205 int domain, i, j, pages;
2208 * We strongly depend on the size being a power of two, so the assert
2209 * is overzealous. However, should the struct be resized to a
2210 * different power of two, the code below needs to be revisited.
2212 CTASSERT((sizeof(*pvd) == 64));
2215 * Calculate the size of the array.
2217 pmap_last_pa = vm_phys_segs[vm_phys_nsegs - 1].end;
2218 pv_npg = howmany(pmap_last_pa, NBPDR);
2219 s = (vm_size_t)pv_npg * sizeof(struct pmap_large_md_page);
2221 pv_table = (struct pmap_large_md_page *)kva_alloc(s);
2222 if (pv_table == NULL)
2223 panic("%s: kva_alloc failed\n", __func__);
2226 * Iterate physical segments to allocate space for respective pages.
2230 for (i = 0; i < vm_phys_nsegs; i++) {
2231 end = vm_phys_segs[i].end / NBPDR;
2232 domain = vm_phys_segs[i].domain;
2237 start = highest + 1;
2238 pvd = &pv_table[start];
2240 pages = end - start + 1;
2241 s = round_page(pages * sizeof(*pvd));
2242 highest = start + (s / sizeof(*pvd)) - 1;
2244 for (j = 0; j < s; j += PAGE_SIZE) {
2245 vm_page_t m = vm_page_alloc_domain(NULL, 0,
2246 domain, VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ);
2248 panic("vm_page_alloc_domain failed for %lx\n", (vm_offset_t)pvd + j);
2249 pmap_qenter((vm_offset_t)pvd + j, &m, 1);
2252 for (j = 0; j < s / sizeof(*pvd); j++) {
2253 rw_init_flags(&pvd->pv_lock, "pmap pv list", RW_NEW);
2254 TAILQ_INIT(&pvd->pv_page.pv_list);
2255 pvd->pv_page.pv_gen = 0;
2256 pvd->pv_page.pat_mode = 0;
2257 pvd->pv_invl_gen = 0;
2261 pvd = &pv_dummy_large;
2262 rw_init_flags(&pvd->pv_lock, "pmap pv list dummy", RW_NEW);
2263 TAILQ_INIT(&pvd->pv_page.pv_list);
2264 pvd->pv_page.pv_gen = 0;
2265 pvd->pv_page.pat_mode = 0;
2266 pvd->pv_invl_gen = 0;
2270 pmap_init_pv_table(void)
2276 * Initialize the pool of pv list locks.
2278 for (i = 0; i < NPV_LIST_LOCKS; i++)
2279 rw_init(&pv_list_locks[i], "pmap pv list");
2282 * Calculate the size of the pv head table for superpages.
2284 pv_npg = howmany(vm_phys_segs[vm_phys_nsegs - 1].end, NBPDR);
2287 * Allocate memory for the pv head table for superpages.
2289 s = (vm_size_t)pv_npg * sizeof(struct md_page);
2291 pv_table = (struct md_page *)kmem_malloc(s, M_WAITOK | M_ZERO);
2292 for (i = 0; i < pv_npg; i++)
2293 TAILQ_INIT(&pv_table[i].pv_list);
2294 TAILQ_INIT(&pv_dummy.pv_list);
2299 * Initialize the pmap module.
2300 * Called by vm_init, to initialize any structures that the pmap
2301 * system needs to map virtual memory.
2306 struct pmap_preinit_mapping *ppim;
2308 int error, i, ret, skz63;
2310 /* L1TF, reserve page @0 unconditionally */
2311 vm_page_blacklist_add(0, bootverbose);
2313 /* Detect bare-metal Skylake Server and Skylake-X. */
2314 if (vm_guest == VM_GUEST_NO && cpu_vendor_id == CPU_VENDOR_INTEL &&
2315 CPUID_TO_FAMILY(cpu_id) == 0x6 && CPUID_TO_MODEL(cpu_id) == 0x55) {
2317 * Skylake-X errata SKZ63. Processor May Hang When
2318 * Executing Code In an HLE Transaction Region between
2319 * 40000000H and 403FFFFFH.
2321 * Mark the pages in the range as preallocated. It
2322 * seems to be impossible to distinguish between
2323 * Skylake Server and Skylake X.
2326 TUNABLE_INT_FETCH("hw.skz63_enable", &skz63);
2329 printf("SKZ63: skipping 4M RAM starting "
2330 "at physical 1G\n");
2331 for (i = 0; i < atop(0x400000); i++) {
2332 ret = vm_page_blacklist_add(0x40000000 +
2334 if (!ret && bootverbose)
2335 printf("page at %#lx already used\n",
2336 0x40000000 + ptoa(i));
2342 pmap_allow_2m_x_ept_recalculate();
2345 * Initialize the vm page array entries for the kernel pmap's
2348 PMAP_LOCK(kernel_pmap);
2349 for (i = 0; i < nkpt; i++) {
2350 mpte = PHYS_TO_VM_PAGE(KPTphys + (i << PAGE_SHIFT));
2351 KASSERT(mpte >= vm_page_array &&
2352 mpte < &vm_page_array[vm_page_array_size],
2353 ("pmap_init: page table page is out of range"));
2354 mpte->pindex = pmap_pde_pindex(KERNBASE) + i;
2355 mpte->phys_addr = KPTphys + (i << PAGE_SHIFT);
2356 mpte->ref_count = 1;
2359 * Collect the page table pages that were replaced by a 2MB
2360 * page in create_pagetables(). They are zero filled.
2363 kernphys + ((vm_paddr_t)(i - 1) << PDRSHIFT) < KERNend) &&
2364 pmap_insert_pt_page(kernel_pmap, mpte, false))
2365 panic("pmap_init: pmap_insert_pt_page failed");
2367 PMAP_UNLOCK(kernel_pmap);
2371 * If the kernel is running on a virtual machine, then it must assume
2372 * that MCA is enabled by the hypervisor. Moreover, the kernel must
2373 * be prepared for the hypervisor changing the vendor and family that
2374 * are reported by CPUID. Consequently, the workaround for AMD Family
2375 * 10h Erratum 383 is enabled if the processor's feature set does not
2376 * include at least one feature that is only supported by older Intel
2377 * or newer AMD processors.
2379 if (vm_guest != VM_GUEST_NO && (cpu_feature & CPUID_SS) == 0 &&
2380 (cpu_feature2 & (CPUID2_SSSE3 | CPUID2_SSE41 | CPUID2_AESNI |
2381 CPUID2_AVX | CPUID2_XSAVE)) == 0 && (amd_feature2 & (AMDID2_XOP |
2383 workaround_erratum383 = 1;
2386 * Are large page mappings enabled?
2388 TUNABLE_INT_FETCH("vm.pmap.pg_ps_enabled", &pg_ps_enabled);
2389 if (pg_ps_enabled) {
2390 KASSERT(MAXPAGESIZES > 1 && pagesizes[1] == 0,
2391 ("pmap_init: can't assign to pagesizes[1]"));
2392 pagesizes[1] = NBPDR;
2393 if ((amd_feature & AMDID_PAGE1GB) != 0) {
2394 KASSERT(MAXPAGESIZES > 2 && pagesizes[2] == 0,
2395 ("pmap_init: can't assign to pagesizes[2]"));
2396 pagesizes[2] = NBPDP;
2401 * Initialize pv chunk lists.
2403 for (i = 0; i < PMAP_MEMDOM; i++) {
2404 mtx_init(&pv_chunks[i].pvc_lock, "pmap pv chunk list", NULL, MTX_DEF);
2405 TAILQ_INIT(&pv_chunks[i].pvc_list);
2407 pmap_init_pv_table();
2409 pmap_initialized = 1;
2410 for (i = 0; i < PMAP_PREINIT_MAPPING_COUNT; i++) {
2411 ppim = pmap_preinit_mapping + i;
2414 /* Make the direct map consistent */
2415 if (ppim->pa < dmaplimit && ppim->pa + ppim->sz <= dmaplimit) {
2416 (void)pmap_change_attr(PHYS_TO_DMAP(ppim->pa),
2417 ppim->sz, ppim->mode);
2421 printf("PPIM %u: PA=%#lx, VA=%#lx, size=%#lx, mode=%#x\n", i,
2422 ppim->pa, ppim->va, ppim->sz, ppim->mode);
2425 mtx_init(&qframe_mtx, "qfrmlk", NULL, MTX_SPIN);
2426 error = vmem_alloc(kernel_arena, PAGE_SIZE, M_BESTFIT | M_WAITOK,
2427 (vmem_addr_t *)&qframe);
2429 panic("qframe allocation failed");
2432 TUNABLE_INT_FETCH("vm.pmap.large_map_pml4_entries", &lm_ents);
2433 if (lm_ents > LMEPML4I - LMSPML4I + 1)
2434 lm_ents = LMEPML4I - LMSPML4I + 1;
2436 printf("pmap: large map %u PML4 slots (%lu GB)\n",
2437 lm_ents, (u_long)lm_ents * (NBPML4 / 1024 / 1024 / 1024));
2439 large_vmem = vmem_create("large", LARGEMAP_MIN_ADDRESS,
2440 (vmem_size_t)lm_ents * NBPML4, PAGE_SIZE, 0, M_WAITOK);
2441 if (large_vmem == NULL) {
2442 printf("pmap: cannot create large map\n");
2445 for (i = 0; i < lm_ents; i++) {
2446 m = pmap_large_map_getptp_unlocked();
2448 kernel_pml4[LMSPML4I + i] = X86_PG_V |
2449 X86_PG_RW | X86_PG_A | X86_PG_M | pg_nx |
2455 SYSCTL_UINT(_vm_pmap, OID_AUTO, large_map_pml4_entries,
2456 CTLFLAG_RDTUN | CTLFLAG_NOFETCH, &lm_ents, 0,
2457 "Maximum number of PML4 entries for use by large map (tunable). "
2458 "Each entry corresponds to 512GB of address space.");
2460 static SYSCTL_NODE(_vm_pmap, OID_AUTO, pde, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
2461 "2MB page mapping counters");
2463 static u_long pmap_pde_demotions;
2464 SYSCTL_ULONG(_vm_pmap_pde, OID_AUTO, demotions, CTLFLAG_RD,
2465 &pmap_pde_demotions, 0, "2MB page demotions");
2467 static u_long pmap_pde_mappings;
2468 SYSCTL_ULONG(_vm_pmap_pde, OID_AUTO, mappings, CTLFLAG_RD,
2469 &pmap_pde_mappings, 0, "2MB page mappings");
2471 static u_long pmap_pde_p_failures;
2472 SYSCTL_ULONG(_vm_pmap_pde, OID_AUTO, p_failures, CTLFLAG_RD,
2473 &pmap_pde_p_failures, 0, "2MB page promotion failures");
2475 static u_long pmap_pde_promotions;
2476 SYSCTL_ULONG(_vm_pmap_pde, OID_AUTO, promotions, CTLFLAG_RD,
2477 &pmap_pde_promotions, 0, "2MB page promotions");
2479 static SYSCTL_NODE(_vm_pmap, OID_AUTO, pdpe, CTLFLAG_RD | CTLFLAG_MPSAFE, 0,
2480 "1GB page mapping counters");
2482 static u_long pmap_pdpe_demotions;
2483 SYSCTL_ULONG(_vm_pmap_pdpe, OID_AUTO, demotions, CTLFLAG_RD,
2484 &pmap_pdpe_demotions, 0, "1GB page demotions");
2486 /***************************************************
2487 * Low level helper routines.....
2488 ***************************************************/
2491 pmap_swap_pat(pmap_t pmap, pt_entry_t entry)
2493 int x86_pat_bits = X86_PG_PTE_PAT | X86_PG_PDE_PAT;
2495 switch (pmap->pm_type) {
2498 /* Verify that both PAT bits are not set at the same time */
2499 KASSERT((entry & x86_pat_bits) != x86_pat_bits,
2500 ("Invalid PAT bits in entry %#lx", entry));
2502 /* Swap the PAT bits if one of them is set */
2503 if ((entry & x86_pat_bits) != 0)
2504 entry ^= x86_pat_bits;
2508 * Nothing to do - the memory attributes are represented
2509 * the same way for regular pages and superpages.
2513 panic("pmap_switch_pat_bits: bad pm_type %d", pmap->pm_type);
2520 pmap_is_valid_memattr(pmap_t pmap __unused, vm_memattr_t mode)
2523 return (mode >= 0 && mode < PAT_INDEX_SIZE &&
2524 pat_index[(int)mode] >= 0);
2528 * Determine the appropriate bits to set in a PTE or PDE for a specified
2532 pmap_cache_bits(pmap_t pmap, int mode, boolean_t is_pde)
2534 int cache_bits, pat_flag, pat_idx;
2536 if (!pmap_is_valid_memattr(pmap, mode))
2537 panic("Unknown caching mode %d\n", mode);
2539 switch (pmap->pm_type) {
2542 /* The PAT bit is different for PTE's and PDE's. */
2543 pat_flag = is_pde ? X86_PG_PDE_PAT : X86_PG_PTE_PAT;
2545 /* Map the caching mode to a PAT index. */
2546 pat_idx = pat_index[mode];
2548 /* Map the 3-bit index value into the PAT, PCD, and PWT bits. */
2551 cache_bits |= pat_flag;
2553 cache_bits |= PG_NC_PCD;
2555 cache_bits |= PG_NC_PWT;
2559 cache_bits = EPT_PG_IGNORE_PAT | EPT_PG_MEMORY_TYPE(mode);
2563 panic("unsupported pmap type %d", pmap->pm_type);
2566 return (cache_bits);
2570 pmap_cache_mask(pmap_t pmap, boolean_t is_pde)
2574 switch (pmap->pm_type) {
2577 mask = is_pde ? X86_PG_PDE_CACHE : X86_PG_PTE_CACHE;
2580 mask = EPT_PG_IGNORE_PAT | EPT_PG_MEMORY_TYPE(0x7);
2583 panic("pmap_cache_mask: invalid pm_type %d", pmap->pm_type);
2590 pmap_pat_index(pmap_t pmap, pt_entry_t pte, bool is_pde)
2592 int pat_flag, pat_idx;
2595 switch (pmap->pm_type) {
2598 /* The PAT bit is different for PTE's and PDE's. */
2599 pat_flag = is_pde ? X86_PG_PDE_PAT : X86_PG_PTE_PAT;
2601 if ((pte & pat_flag) != 0)
2603 if ((pte & PG_NC_PCD) != 0)
2605 if ((pte & PG_NC_PWT) != 0)
2609 if ((pte & EPT_PG_IGNORE_PAT) != 0)
2610 panic("EPT PTE %#lx has no PAT memory type", pte);
2611 pat_idx = (pte & EPT_PG_MEMORY_TYPE(0x7)) >> 3;
2615 /* See pmap_init_pat(). */
2625 pmap_ps_enabled(pmap_t pmap)
2628 return (pg_ps_enabled && (pmap->pm_flags & PMAP_PDE_SUPERPAGE) != 0);
2632 pmap_update_pde_store(pmap_t pmap, pd_entry_t *pde, pd_entry_t newpde)
2635 switch (pmap->pm_type) {
2642 * This is a little bogus since the generation number is
2643 * supposed to be bumped up when a region of the address
2644 * space is invalidated in the page tables.
2646 * In this case the old PDE entry is valid but yet we want
2647 * to make sure that any mappings using the old entry are
2648 * invalidated in the TLB.
2650 * The reason this works as expected is because we rendezvous
2651 * "all" host cpus and force any vcpu context to exit as a
2654 atomic_add_long(&pmap->pm_eptgen, 1);
2657 panic("pmap_update_pde_store: bad pm_type %d", pmap->pm_type);
2659 pde_store(pde, newpde);
2663 * After changing the page size for the specified virtual address in the page
2664 * table, flush the corresponding entries from the processor's TLB. Only the
2665 * calling processor's TLB is affected.
2667 * The calling thread must be pinned to a processor.
2670 pmap_update_pde_invalidate(pmap_t pmap, vm_offset_t va, pd_entry_t newpde)
2674 if (pmap_type_guest(pmap))
2677 KASSERT(pmap->pm_type == PT_X86,
2678 ("pmap_update_pde_invalidate: invalid type %d", pmap->pm_type));
2680 PG_G = pmap_global_bit(pmap);
2682 if ((newpde & PG_PS) == 0)
2683 /* Demotion: flush a specific 2MB page mapping. */
2685 else if ((newpde & PG_G) == 0)
2687 * Promotion: flush every 4KB page mapping from the TLB
2688 * because there are too many to flush individually.
2693 * Promotion: flush every 4KB page mapping from the TLB,
2694 * including any global (PG_G) mappings.
2701 * The amd64 pmap uses different approaches to TLB invalidation
2702 * depending on the kernel configuration, available hardware features,
2703 * and known hardware errata. The kernel configuration option that
2704 * has the greatest operational impact on TLB invalidation is PTI,
2705 * which is enabled automatically on affected Intel CPUs. The most
2706 * impactful hardware features are first PCID, and then INVPCID
2707 * instruction presence. PCID usage is quite different for PTI
2710 * * Kernel Page Table Isolation (PTI or KPTI) is used to mitigate
2711 * the Meltdown bug in some Intel CPUs. Under PTI, each user address
2712 * space is served by two page tables, user and kernel. The user
2713 * page table only maps user space and a kernel trampoline. The
2714 * kernel trampoline includes the entirety of the kernel text but
2715 * only the kernel data that is needed to switch from user to kernel
2716 * mode. The kernel page table maps the user and kernel address
2717 * spaces in their entirety. It is identical to the per-process
2718 * page table used in non-PTI mode.
2720 * User page tables are only used when the CPU is in user mode.
2721 * Consequently, some TLB invalidations can be postponed until the
2722 * switch from kernel to user mode. In contrast, the user
2723 * space part of the kernel page table is used for copyout(9), so
2724 * TLB invalidations on this page table cannot be similarly postponed.
2726 * The existence of a user mode page table for the given pmap is
2727 * indicated by a pm_ucr3 value that differs from PMAP_NO_CR3, in
2728 * which case pm_ucr3 contains the %cr3 register value for the user
2729 * mode page table's root.
2731 * * The pm_active bitmask indicates which CPUs currently have the
2732 * pmap active. A CPU's bit is set on context switch to the pmap, and
2733 * cleared on switching off this CPU. For the kernel page table,
2734 * the pm_active field is immutable and contains all CPUs. The
2735 * kernel page table is always logically active on every processor,
2736 * but not necessarily in use by the hardware, e.g., in PTI mode.
2738 * When requesting invalidation of virtual addresses with
2739 * pmap_invalidate_XXX() functions, the pmap sends shootdown IPIs to
2740 * all CPUs recorded as active in pm_active. Updates to and reads
2741 * from pm_active are not synchronized, and so they may race with
2742 * each other. Shootdown handlers are prepared to handle the race.
2744 * * PCID is an optional feature of the long mode x86 MMU where TLB
2745 * entries are tagged with the 'Process ID' of the address space
2746 * they belong to. This feature provides a limited namespace for
2747 * process identifiers, 12 bits, supporting 4095 simultaneous IDs
2750 * Allocation of a PCID to a pmap is done by an algorithm described
2751 * in section 15.12, "Other TLB Consistency Algorithms", of
2752 * Vahalia's book "Unix Internals". A PCID cannot be allocated for
2753 * the whole lifetime of a pmap in pmap_pinit() due to the limited
2754 * namespace. Instead, a per-CPU, per-pmap PCID is assigned when
2755 * the CPU is about to start caching TLB entries from a pmap,
2756 * i.e., on the context switch that activates the pmap on the CPU.
2758 * The PCID allocator maintains a per-CPU, per-pmap generation
2759 * count, pm_gen, which is incremented each time a new PCID is
2760 * allocated. On TLB invalidation, the generation counters for the
2761 * pmap are zeroed, which signals the context switch code that the
2762 * previously allocated PCID is no longer valid. Effectively,
2763 * zeroing any of these counters triggers a TLB shootdown for the
2764 * given CPU/address space, due to the allocation of a new PCID.
2766 * Zeroing can be performed remotely. Consequently, if a pmap is
2767 * inactive on a CPU, then a TLB shootdown for that pmap and CPU can
2768 * be initiated by an ordinary memory access to reset the target
2769 * CPU's generation count within the pmap. The CPU initiating the
2770 * TLB shootdown does not need to send an IPI to the target CPU.
2772 * * PTI + PCID. The available PCIDs are divided into two sets: PCIDs
2773 * for complete (kernel) page tables, and PCIDs for user mode page
2774 * tables. A user PCID value is obtained from the kernel PCID value
2775 * by setting the highest bit, 11, to 1 (0x800 == PMAP_PCID_USER_PT).
2777 * User space page tables are activated on return to user mode, by
2778 * loading pm_ucr3 into %cr3. If the PCPU(ucr3_load_mask) requests
2779 * clearing bit 63 of the loaded ucr3, this effectively causes
2780 * complete invalidation of the user mode TLB entries for the
2781 * current pmap. In which case, local invalidations of individual
2782 * pages in the user page table are skipped.
2784 * * Local invalidation, all modes. If the requested invalidation is
2785 * for a specific address or the total invalidation of a currently
2786 * active pmap, then the TLB is flushed using INVLPG for a kernel
2787 * page table, and INVPCID(INVPCID_CTXGLOB)/invltlb_glob() for a
2788 * user space page table(s).
2790 * If the INVPCID instruction is available, it is used to flush entries
2791 * from the kernel page table.
2793 * * mode: PTI disabled, PCID present. The kernel reserves PCID 0 for its
2794 * address space, all other 4095 PCIDs are used for user mode spaces
2795 * as described above. A context switch allocates a new PCID if
2796 * the recorded PCID is zero or the recorded generation does not match
2797 * the CPU's generation, effectively flushing the TLB for this address space.
2798 * Total remote invalidation is performed by zeroing pm_gen for all CPUs.
2799 * local user page: INVLPG
2800 * local kernel page: INVLPG
2801 * local user total: INVPCID(CTX)
2802 * local kernel total: INVPCID(CTXGLOB) or invltlb_glob()
2803 * remote user page, inactive pmap: zero pm_gen
2804 * remote user page, active pmap: zero pm_gen + IPI:INVLPG
2805 * (Both actions are required to handle the aforementioned pm_active races.)
2806 * remote kernel page: IPI:INVLPG
2807 * remote user total, inactive pmap: zero pm_gen
2808 * remote user total, active pmap: zero pm_gen + IPI:(INVPCID(CTX) or
2810 * (See note above about pm_active races.)
2811 * remote kernel total: IPI:(INVPCID(CTXGLOB) or invltlb_glob())
2813 * PTI enabled, PCID present.
2814 * local user page: INVLPG for kpt, INVPCID(ADDR) or (INVLPG for ucr3)
2816 * local kernel page: INVLPG
2817 * local user total: INVPCID(CTX) or reload %cr3 for kpt, clear PCID_SAVE
2818 * on loading UCR3 into %cr3 for upt
2819 * local kernel total: INVPCID(CTXGLOB) or invltlb_glob()
2820 * remote user page, inactive pmap: zero pm_gen
2821 * remote user page, active pmap: zero pm_gen + IPI:(INVLPG for kpt,
2822 * INVPCID(ADDR) for upt)
2823 * remote kernel page: IPI:INVLPG
2824 * remote user total, inactive pmap: zero pm_gen
2825 * remote user total, active pmap: zero pm_gen + IPI:(INVPCID(CTX) for kpt,
2826 * clear PCID_SAVE on loading UCR3 into $cr3 for upt)
2827 * remote kernel total: IPI:(INVPCID(CTXGLOB) or invltlb_glob())
2830 * local user page: INVLPG
2831 * local kernel page: INVLPG
2832 * local user total: reload %cr3
2833 * local kernel total: invltlb_glob()
2834 * remote user page, inactive pmap: -
2835 * remote user page, active pmap: IPI:INVLPG
2836 * remote kernel page: IPI:INVLPG
2837 * remote user total, inactive pmap: -
2838 * remote user total, active pmap: IPI:(reload %cr3)
2839 * remote kernel total: IPI:invltlb_glob()
2840 * Since on return to user mode, the reload of %cr3 with ucr3 causes
2841 * TLB invalidation, no specific action is required for user page table.
2843 * EPT. EPT pmaps do not map KVA, all mappings are userspace.
2849 * Interrupt the cpus that are executing in the guest context.
2850 * This will force the vcpu to exit and the cached EPT mappings
2851 * will be invalidated by the host before the next vmresume.
2853 static __inline void
2854 pmap_invalidate_ept(pmap_t pmap)
2860 KASSERT(!CPU_ISSET(curcpu, &pmap->pm_active),
2861 ("pmap_invalidate_ept: absurd pm_active"));
2864 * The TLB mappings associated with a vcpu context are not
2865 * flushed each time a different vcpu is chosen to execute.
2867 * This is in contrast with a process's vtop mappings that
2868 * are flushed from the TLB on each context switch.
2870 * Therefore we need to do more than just a TLB shootdown on
2871 * the active cpus in 'pmap->pm_active'. To do this we keep
2872 * track of the number of invalidations performed on this pmap.
2874 * Each vcpu keeps a cache of this counter and compares it
2875 * just before a vmresume. If the counter is out-of-date an
2876 * invept will be done to flush stale mappings from the TLB.
2878 * To ensure that all vCPU threads have observed the new counter
2879 * value before returning, we use SMR. Ordering is important here:
2880 * the VMM enters an SMR read section before loading the counter
2881 * and after updating the pm_active bit set. Thus, pm_active is
2882 * a superset of active readers, and any reader that has observed
2883 * the goal has observed the new counter value.
2885 atomic_add_long(&pmap->pm_eptgen, 1);
2887 goal = smr_advance(pmap->pm_eptsmr);
2890 * Force the vcpu to exit and trap back into the hypervisor.
2892 ipinum = pmap->pm_flags & PMAP_NESTED_IPIMASK;
2893 ipi_selected(pmap->pm_active, ipinum);
2897 * Ensure that all active vCPUs will observe the new generation counter
2898 * value before executing any more guest instructions.
2900 smr_wait(pmap->pm_eptsmr, goal);
2904 pmap_invalidate_cpu_mask(pmap_t pmap)
2906 return (pmap == kernel_pmap ? all_cpus : pmap->pm_active);
2910 pmap_invalidate_preipi_pcid(pmap_t pmap)
2916 cpuid = PCPU_GET(cpuid);
2917 if (pmap != PCPU_GET(curpmap))
2918 cpuid = 0xffffffff; /* An impossible value */
2922 pmap->pm_pcids[i].pm_gen = 0;
2926 * The fence is between stores to pm_gen and the read of the
2927 * pm_active mask. We need to ensure that it is impossible
2928 * for us to miss the bit update in pm_active and
2929 * simultaneously observe a non-zero pm_gen in
2930 * pmap_activate_sw(), otherwise TLB update is missed.
2931 * Without the fence, IA32 allows such an outcome. Note that
2932 * pm_active is updated by a locked operation, which provides
2933 * the reciprocal fence.
2935 atomic_thread_fence_seq_cst();
2939 pmap_invalidate_preipi_nopcid(pmap_t pmap __unused)
2944 DEFINE_IFUNC(static, void, pmap_invalidate_preipi, (pmap_t))
2946 return (pmap_pcid_enabled ? pmap_invalidate_preipi_pcid :
2947 pmap_invalidate_preipi_nopcid);
2951 pmap_invalidate_page_pcid_cb(pmap_t pmap, vm_offset_t va,
2952 const bool invpcid_works1)
2954 struct invpcid_descr d;
2955 uint64_t kcr3, ucr3;
2960 * Because pm_pcid is recalculated on a context switch, we
2961 * must ensure there is no preemption, not just pinning.
2962 * Otherwise, we might use a stale value below.
2964 CRITICAL_ASSERT(curthread);
2967 * No need to do anything with user page tables invalidation
2968 * if there is no user page table, or invalidation is deferred
2969 * until the return to userspace. ucr3_load_mask is stable
2970 * because we have preemption disabled.
2972 if (pmap->pm_ucr3 == PMAP_NO_CR3 ||
2973 PCPU_GET(ucr3_load_mask) != PMAP_UCR3_NOMASK)
2976 cpuid = PCPU_GET(cpuid);
2978 pcid = pmap->pm_pcids[cpuid].pm_pcid;
2979 if (invpcid_works1) {
2980 d.pcid = pcid | PMAP_PCID_USER_PT;
2983 invpcid(&d, INVPCID_ADDR);
2985 kcr3 = pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
2986 ucr3 = pmap->pm_ucr3 | pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
2987 pmap_pti_pcid_invlpg(ucr3, kcr3, va);
2992 pmap_invalidate_page_pcid_invpcid_cb(pmap_t pmap, vm_offset_t va)
2994 pmap_invalidate_page_pcid_cb(pmap, va, true);
2998 pmap_invalidate_page_pcid_noinvpcid_cb(pmap_t pmap, vm_offset_t va)
3000 pmap_invalidate_page_pcid_cb(pmap, va, false);
3004 pmap_invalidate_page_nopcid_cb(pmap_t pmap __unused, vm_offset_t va __unused)
3008 DEFINE_IFUNC(static, void, pmap_invalidate_page_cb, (pmap_t, vm_offset_t))
3010 if (pmap_pcid_enabled)
3011 return (invpcid_works ? pmap_invalidate_page_pcid_invpcid_cb :
3012 pmap_invalidate_page_pcid_noinvpcid_cb);
3013 return (pmap_invalidate_page_nopcid_cb);
3017 pmap_invalidate_page_curcpu_cb(pmap_t pmap, vm_offset_t va,
3018 vm_offset_t addr2 __unused)
3020 if (pmap == kernel_pmap) {
3022 } else if (pmap == PCPU_GET(curpmap)) {
3024 pmap_invalidate_page_cb(pmap, va);
3029 pmap_invalidate_page(pmap_t pmap, vm_offset_t va)
3031 if (pmap_type_guest(pmap)) {
3032 pmap_invalidate_ept(pmap);
3036 KASSERT(pmap->pm_type == PT_X86,
3037 ("pmap_invalidate_page: invalid type %d", pmap->pm_type));
3039 pmap_invalidate_preipi(pmap);
3040 smp_masked_invlpg(pmap_invalidate_cpu_mask(pmap), va, pmap,
3041 pmap_invalidate_page_curcpu_cb);
3044 /* 4k PTEs -- Chosen to exceed the total size of Broadwell L2 TLB */
3045 #define PMAP_INVLPG_THRESHOLD (4 * 1024 * PAGE_SIZE)
3048 pmap_invalidate_range_pcid_cb(pmap_t pmap, vm_offset_t sva, vm_offset_t eva,
3049 const bool invpcid_works1)
3051 struct invpcid_descr d;
3052 uint64_t kcr3, ucr3;
3056 CRITICAL_ASSERT(curthread);
3058 if (pmap != PCPU_GET(curpmap) ||
3059 pmap->pm_ucr3 == PMAP_NO_CR3 ||
3060 PCPU_GET(ucr3_load_mask) != PMAP_UCR3_NOMASK)
3063 cpuid = PCPU_GET(cpuid);
3065 pcid = pmap->pm_pcids[cpuid].pm_pcid;
3066 if (invpcid_works1) {
3067 d.pcid = pcid | PMAP_PCID_USER_PT;
3069 for (d.addr = sva; d.addr < eva; d.addr += PAGE_SIZE)
3070 invpcid(&d, INVPCID_ADDR);
3072 kcr3 = pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
3073 ucr3 = pmap->pm_ucr3 | pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
3074 pmap_pti_pcid_invlrng(ucr3, kcr3, sva, eva);
3079 pmap_invalidate_range_pcid_invpcid_cb(pmap_t pmap, vm_offset_t sva,
3082 pmap_invalidate_range_pcid_cb(pmap, sva, eva, true);
3086 pmap_invalidate_range_pcid_noinvpcid_cb(pmap_t pmap, vm_offset_t sva,
3089 pmap_invalidate_range_pcid_cb(pmap, sva, eva, false);
3093 pmap_invalidate_range_nopcid_cb(pmap_t pmap __unused, vm_offset_t sva __unused,
3094 vm_offset_t eva __unused)
3098 DEFINE_IFUNC(static, void, pmap_invalidate_range_cb, (pmap_t, vm_offset_t,
3101 if (pmap_pcid_enabled)
3102 return (invpcid_works ? pmap_invalidate_range_pcid_invpcid_cb :
3103 pmap_invalidate_range_pcid_noinvpcid_cb);
3104 return (pmap_invalidate_range_nopcid_cb);
3108 pmap_invalidate_range_curcpu_cb(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
3112 if (pmap == kernel_pmap) {
3113 for (addr = sva; addr < eva; addr += PAGE_SIZE)
3115 } else if (pmap == PCPU_GET(curpmap)) {
3116 for (addr = sva; addr < eva; addr += PAGE_SIZE)
3118 pmap_invalidate_range_cb(pmap, sva, eva);
3123 pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
3125 if (eva - sva >= PMAP_INVLPG_THRESHOLD) {
3126 pmap_invalidate_all(pmap);
3130 if (pmap_type_guest(pmap)) {
3131 pmap_invalidate_ept(pmap);
3135 KASSERT(pmap->pm_type == PT_X86,
3136 ("pmap_invalidate_range: invalid type %d", pmap->pm_type));
3138 pmap_invalidate_preipi(pmap);
3139 smp_masked_invlpg_range(pmap_invalidate_cpu_mask(pmap), sva, eva, pmap,
3140 pmap_invalidate_range_curcpu_cb);
3144 pmap_invalidate_all_pcid_cb(pmap_t pmap, bool invpcid_works1)
3146 struct invpcid_descr d;
3151 if (pmap == kernel_pmap) {
3152 if (invpcid_works1) {
3153 bzero(&d, sizeof(d));
3154 invpcid(&d, INVPCID_CTXGLOB);
3158 } else if (pmap == PCPU_GET(curpmap)) {
3159 CRITICAL_ASSERT(curthread);
3160 cpuid = PCPU_GET(cpuid);
3162 pcid = pmap->pm_pcids[cpuid].pm_pcid;
3163 if (invpcid_works1) {
3167 invpcid(&d, INVPCID_CTX);
3169 kcr3 = pmap->pm_cr3 | pcid;
3172 if (pmap->pm_ucr3 != PMAP_NO_CR3)
3173 PCPU_SET(ucr3_load_mask, ~CR3_PCID_SAVE);
3178 pmap_invalidate_all_pcid_invpcid_cb(pmap_t pmap)
3180 pmap_invalidate_all_pcid_cb(pmap, true);
3184 pmap_invalidate_all_pcid_noinvpcid_cb(pmap_t pmap)
3186 pmap_invalidate_all_pcid_cb(pmap, false);
3190 pmap_invalidate_all_nopcid_cb(pmap_t pmap)
3192 if (pmap == kernel_pmap)
3194 else if (pmap == PCPU_GET(curpmap))
3198 DEFINE_IFUNC(static, void, pmap_invalidate_all_cb, (pmap_t))
3200 if (pmap_pcid_enabled)
3201 return (invpcid_works ? pmap_invalidate_all_pcid_invpcid_cb :
3202 pmap_invalidate_all_pcid_noinvpcid_cb);
3203 return (pmap_invalidate_all_nopcid_cb);
3207 pmap_invalidate_all_curcpu_cb(pmap_t pmap, vm_offset_t addr1 __unused,
3208 vm_offset_t addr2 __unused)
3210 pmap_invalidate_all_cb(pmap);
3214 pmap_invalidate_all(pmap_t pmap)
3216 if (pmap_type_guest(pmap)) {
3217 pmap_invalidate_ept(pmap);
3221 KASSERT(pmap->pm_type == PT_X86,
3222 ("pmap_invalidate_all: invalid type %d", pmap->pm_type));
3224 pmap_invalidate_preipi(pmap);
3225 smp_masked_invltlb(pmap_invalidate_cpu_mask(pmap), pmap,
3226 pmap_invalidate_all_curcpu_cb);
3230 pmap_invalidate_cache_curcpu_cb(pmap_t pmap __unused, vm_offset_t va __unused,
3231 vm_offset_t addr2 __unused)
3237 pmap_invalidate_cache(void)
3240 smp_cache_flush(pmap_invalidate_cache_curcpu_cb);
3244 cpuset_t invalidate; /* processors that invalidate their TLB */
3249 u_int store; /* processor that updates the PDE */
3253 pmap_update_pde_action(void *arg)
3255 struct pde_action *act = arg;
3257 if (act->store == PCPU_GET(cpuid))
3258 pmap_update_pde_store(act->pmap, act->pde, act->newpde);
3262 pmap_update_pde_teardown(void *arg)
3264 struct pde_action *act = arg;
3266 if (CPU_ISSET(PCPU_GET(cpuid), &act->invalidate))
3267 pmap_update_pde_invalidate(act->pmap, act->va, act->newpde);
3271 * Change the page size for the specified virtual address in a way that
3272 * prevents any possibility of the TLB ever having two entries that map the
3273 * same virtual address using different page sizes. This is the recommended
3274 * workaround for Erratum 383 on AMD Family 10h processors. It prevents a
3275 * machine check exception for a TLB state that is improperly diagnosed as a
3279 pmap_update_pde(pmap_t pmap, vm_offset_t va, pd_entry_t *pde, pd_entry_t newpde)
3281 struct pde_action act;
3282 cpuset_t active, other_cpus;
3286 cpuid = PCPU_GET(cpuid);
3287 other_cpus = all_cpus;
3288 CPU_CLR(cpuid, &other_cpus);
3289 if (pmap == kernel_pmap || pmap_type_guest(pmap))
3292 active = pmap->pm_active;
3294 if (CPU_OVERLAP(&active, &other_cpus)) {
3296 act.invalidate = active;
3300 act.newpde = newpde;
3301 CPU_SET(cpuid, &active);
3302 smp_rendezvous_cpus(active,
3303 smp_no_rendezvous_barrier, pmap_update_pde_action,
3304 pmap_update_pde_teardown, &act);
3306 pmap_update_pde_store(pmap, pde, newpde);
3307 if (CPU_ISSET(cpuid, &active))
3308 pmap_update_pde_invalidate(pmap, va, newpde);
3314 * Normal, non-SMP, invalidation functions.
3317 pmap_invalidate_page(pmap_t pmap, vm_offset_t va)
3319 struct invpcid_descr d;
3320 uint64_t kcr3, ucr3;
3323 if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
3327 KASSERT(pmap->pm_type == PT_X86,
3328 ("pmap_invalidate_range: unknown type %d", pmap->pm_type));
3330 if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) {
3332 if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled &&
3333 pmap->pm_ucr3 != PMAP_NO_CR3) {
3335 pcid = pmap->pm_pcids[0].pm_pcid;
3336 if (invpcid_works) {
3337 d.pcid = pcid | PMAP_PCID_USER_PT;
3340 invpcid(&d, INVPCID_ADDR);
3342 kcr3 = pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
3343 ucr3 = pmap->pm_ucr3 | pcid |
3344 PMAP_PCID_USER_PT | CR3_PCID_SAVE;
3345 pmap_pti_pcid_invlpg(ucr3, kcr3, va);
3349 } else if (pmap_pcid_enabled)
3350 pmap->pm_pcids[0].pm_gen = 0;
3354 pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
3356 struct invpcid_descr d;
3358 uint64_t kcr3, ucr3;
3360 if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
3364 KASSERT(pmap->pm_type == PT_X86,
3365 ("pmap_invalidate_range: unknown type %d", pmap->pm_type));
3367 if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) {
3368 for (addr = sva; addr < eva; addr += PAGE_SIZE)
3370 if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled &&
3371 pmap->pm_ucr3 != PMAP_NO_CR3) {
3373 if (invpcid_works) {
3374 d.pcid = pmap->pm_pcids[0].pm_pcid |
3378 for (; d.addr < eva; d.addr += PAGE_SIZE)
3379 invpcid(&d, INVPCID_ADDR);
3381 kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0].
3382 pm_pcid | CR3_PCID_SAVE;
3383 ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[0].
3384 pm_pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
3385 pmap_pti_pcid_invlrng(ucr3, kcr3, sva, eva);
3389 } else if (pmap_pcid_enabled) {
3390 pmap->pm_pcids[0].pm_gen = 0;
3395 pmap_invalidate_all(pmap_t pmap)
3397 struct invpcid_descr d;
3398 uint64_t kcr3, ucr3;
3400 if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
3404 KASSERT(pmap->pm_type == PT_X86,
3405 ("pmap_invalidate_all: unknown type %d", pmap->pm_type));
3407 if (pmap == kernel_pmap) {
3408 if (pmap_pcid_enabled && invpcid_works) {
3409 bzero(&d, sizeof(d));
3410 invpcid(&d, INVPCID_CTXGLOB);
3414 } else if (pmap == PCPU_GET(curpmap)) {
3415 if (pmap_pcid_enabled) {
3417 if (invpcid_works) {
3418 d.pcid = pmap->pm_pcids[0].pm_pcid;
3421 invpcid(&d, INVPCID_CTX);
3422 if (pmap->pm_ucr3 != PMAP_NO_CR3) {
3423 d.pcid |= PMAP_PCID_USER_PT;
3424 invpcid(&d, INVPCID_CTX);
3427 kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0].pm_pcid;
3428 if (pmap->pm_ucr3 != PMAP_NO_CR3) {
3429 ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[
3430 0].pm_pcid | PMAP_PCID_USER_PT;
3431 pmap_pti_pcid_invalidate(ucr3, kcr3);
3439 } else if (pmap_pcid_enabled) {
3440 pmap->pm_pcids[0].pm_gen = 0;
3445 pmap_invalidate_cache(void)
3452 pmap_update_pde(pmap_t pmap, vm_offset_t va, pd_entry_t *pde, pd_entry_t newpde)
3455 pmap_update_pde_store(pmap, pde, newpde);
3456 if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap))
3457 pmap_update_pde_invalidate(pmap, va, newpde);
3459 pmap->pm_pcids[0].pm_gen = 0;
3464 pmap_invalidate_pde_page(pmap_t pmap, vm_offset_t va, pd_entry_t pde)
3468 * When the PDE has PG_PROMOTED set, the 2MB page mapping was created
3469 * by a promotion that did not invalidate the 512 4KB page mappings
3470 * that might exist in the TLB. Consequently, at this point, the TLB
3471 * may hold both 4KB and 2MB page mappings for the address range [va,
3472 * va + NBPDR). Therefore, the entire range must be invalidated here.
3473 * In contrast, when PG_PROMOTED is clear, the TLB will not hold any
3474 * 4KB page mappings for the address range [va, va + NBPDR), and so a
3475 * single INVLPG suffices to invalidate the 2MB page mapping from the
3478 if ((pde & PG_PROMOTED) != 0)
3479 pmap_invalidate_range(pmap, va, va + NBPDR - 1);
3481 pmap_invalidate_page(pmap, va);
3484 DEFINE_IFUNC(, void, pmap_invalidate_cache_range,
3485 (vm_offset_t sva, vm_offset_t eva))
3488 if ((cpu_feature & CPUID_SS) != 0)
3489 return (pmap_invalidate_cache_range_selfsnoop);
3490 if ((cpu_feature & CPUID_CLFSH) != 0)
3491 return (pmap_force_invalidate_cache_range);
3492 return (pmap_invalidate_cache_range_all);
3495 #define PMAP_CLFLUSH_THRESHOLD (2 * 1024 * 1024)
3498 pmap_invalidate_cache_range_check_align(vm_offset_t sva, vm_offset_t eva)
3501 KASSERT((sva & PAGE_MASK) == 0,
3502 ("pmap_invalidate_cache_range: sva not page-aligned"));
3503 KASSERT((eva & PAGE_MASK) == 0,
3504 ("pmap_invalidate_cache_range: eva not page-aligned"));
3508 pmap_invalidate_cache_range_selfsnoop(vm_offset_t sva, vm_offset_t eva)
3511 pmap_invalidate_cache_range_check_align(sva, eva);
3515 pmap_force_invalidate_cache_range(vm_offset_t sva, vm_offset_t eva)
3518 sva &= ~(vm_offset_t)(cpu_clflush_line_size - 1);
3521 * XXX: Some CPUs fault, hang, or trash the local APIC
3522 * registers if we use CLFLUSH on the local APIC range. The
3523 * local APIC is always uncached, so we don't need to flush
3524 * for that range anyway.
3526 if (pmap_kextract(sva) == lapic_paddr)
3529 if ((cpu_stdext_feature & CPUID_STDEXT_CLFLUSHOPT) != 0) {
3531 * Do per-cache line flush. Use a locked
3532 * instruction to insure that previous stores are
3533 * included in the write-back. The processor
3534 * propagates flush to other processors in the cache
3537 atomic_thread_fence_seq_cst();
3538 for (; sva < eva; sva += cpu_clflush_line_size)
3540 atomic_thread_fence_seq_cst();
3543 * Writes are ordered by CLFLUSH on Intel CPUs.
3545 if (cpu_vendor_id != CPU_VENDOR_INTEL)
3547 for (; sva < eva; sva += cpu_clflush_line_size)
3549 if (cpu_vendor_id != CPU_VENDOR_INTEL)
3555 pmap_invalidate_cache_range_all(vm_offset_t sva, vm_offset_t eva)
3558 pmap_invalidate_cache_range_check_align(sva, eva);
3559 pmap_invalidate_cache();
3563 * Remove the specified set of pages from the data and instruction caches.
3565 * In contrast to pmap_invalidate_cache_range(), this function does not
3566 * rely on the CPU's self-snoop feature, because it is intended for use
3567 * when moving pages into a different cache domain.
3570 pmap_invalidate_cache_pages(vm_page_t *pages, int count)
3572 vm_offset_t daddr, eva;
3576 useclflushopt = (cpu_stdext_feature & CPUID_STDEXT_CLFLUSHOPT) != 0;
3577 if (count >= PMAP_CLFLUSH_THRESHOLD / PAGE_SIZE ||
3578 ((cpu_feature & CPUID_CLFSH) == 0 && !useclflushopt))
3579 pmap_invalidate_cache();
3582 atomic_thread_fence_seq_cst();
3583 else if (cpu_vendor_id != CPU_VENDOR_INTEL)
3585 for (i = 0; i < count; i++) {
3586 daddr = PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pages[i]));
3587 eva = daddr + PAGE_SIZE;
3588 for (; daddr < eva; daddr += cpu_clflush_line_size) {
3596 atomic_thread_fence_seq_cst();
3597 else if (cpu_vendor_id != CPU_VENDOR_INTEL)
3603 pmap_flush_cache_range(vm_offset_t sva, vm_offset_t eva)
3606 pmap_invalidate_cache_range_check_align(sva, eva);
3608 if ((cpu_stdext_feature & CPUID_STDEXT_CLWB) == 0) {
3609 pmap_force_invalidate_cache_range(sva, eva);
3613 /* See comment in pmap_force_invalidate_cache_range(). */
3614 if (pmap_kextract(sva) == lapic_paddr)
3617 atomic_thread_fence_seq_cst();
3618 for (; sva < eva; sva += cpu_clflush_line_size)
3620 atomic_thread_fence_seq_cst();
3624 pmap_flush_cache_phys_range(vm_paddr_t spa, vm_paddr_t epa, vm_memattr_t mattr)
3628 int error, pte_bits;
3630 KASSERT((spa & PAGE_MASK) == 0,
3631 ("pmap_flush_cache_phys_range: spa not page-aligned"));
3632 KASSERT((epa & PAGE_MASK) == 0,
3633 ("pmap_flush_cache_phys_range: epa not page-aligned"));
3635 if (spa < dmaplimit) {
3636 pmap_flush_cache_range(PHYS_TO_DMAP(spa), PHYS_TO_DMAP(MIN(
3638 if (dmaplimit >= epa)
3643 pte_bits = pmap_cache_bits(kernel_pmap, mattr, 0) | X86_PG_RW |
3645 error = vmem_alloc(kernel_arena, PAGE_SIZE, M_BESTFIT | M_WAITOK,
3647 KASSERT(error == 0, ("vmem_alloc failed: %d", error));
3648 pte = vtopte(vaddr);
3649 for (; spa < epa; spa += PAGE_SIZE) {
3651 pte_store(pte, spa | pte_bits);
3653 /* XXXKIB atomic inside flush_cache_range are excessive */
3654 pmap_flush_cache_range(vaddr, vaddr + PAGE_SIZE);
3657 vmem_free(kernel_arena, vaddr, PAGE_SIZE);
3661 * Routine: pmap_extract
3663 * Extract the physical page address associated
3664 * with the given map/virtual_address pair.
3667 pmap_extract(pmap_t pmap, vm_offset_t va)
3671 pt_entry_t *pte, PG_V;
3675 PG_V = pmap_valid_bit(pmap);
3677 pdpe = pmap_pdpe(pmap, va);
3678 if (pdpe != NULL && (*pdpe & PG_V) != 0) {
3679 if ((*pdpe & PG_PS) != 0)
3680 pa = (*pdpe & PG_PS_FRAME) | (va & PDPMASK);
3682 pde = pmap_pdpe_to_pde(pdpe, va);
3683 if ((*pde & PG_V) != 0) {
3684 if ((*pde & PG_PS) != 0) {
3685 pa = (*pde & PG_PS_FRAME) |
3688 pte = pmap_pde_to_pte(pde, va);
3689 pa = (*pte & PG_FRAME) |
3700 * Routine: pmap_extract_and_hold
3702 * Atomically extract and hold the physical page
3703 * with the given pmap and virtual address pair
3704 * if that mapping permits the given protection.
3707 pmap_extract_and_hold(pmap_t pmap, vm_offset_t va, vm_prot_t prot)
3709 pdp_entry_t pdpe, *pdpep;
3710 pd_entry_t pde, *pdep;
3711 pt_entry_t pte, PG_RW, PG_V;
3715 PG_RW = pmap_rw_bit(pmap);
3716 PG_V = pmap_valid_bit(pmap);
3719 pdpep = pmap_pdpe(pmap, va);
3720 if (pdpep == NULL || ((pdpe = *pdpep) & PG_V) == 0)
3722 if ((pdpe & PG_PS) != 0) {
3723 if ((pdpe & PG_RW) == 0 && (prot & VM_PROT_WRITE) != 0)
3725 m = PHYS_TO_VM_PAGE((pdpe & PG_PS_FRAME) | (va & PDPMASK));
3729 pdep = pmap_pdpe_to_pde(pdpep, va);
3730 if (pdep == NULL || ((pde = *pdep) & PG_V) == 0)
3732 if ((pde & PG_PS) != 0) {
3733 if ((pde & PG_RW) == 0 && (prot & VM_PROT_WRITE) != 0)
3735 m = PHYS_TO_VM_PAGE((pde & PG_PS_FRAME) | (va & PDRMASK));
3739 pte = *pmap_pde_to_pte(pdep, va);
3740 if ((pte & PG_V) == 0 ||
3741 ((pte & PG_RW) == 0 && (prot & VM_PROT_WRITE) != 0))
3743 m = PHYS_TO_VM_PAGE(pte & PG_FRAME);
3746 if (m != NULL && !vm_page_wire_mapped(m))
3754 pmap_kextract(vm_offset_t va)
3759 if (va >= DMAP_MIN_ADDRESS && va < DMAP_MAX_ADDRESS) {
3760 pa = DMAP_TO_PHYS(va);
3761 } else if (PMAP_ADDRESS_IN_LARGEMAP(va)) {
3762 pa = pmap_large_map_kextract(va);
3766 pa = (pde & PG_PS_FRAME) | (va & PDRMASK);
3769 * Beware of a concurrent promotion that changes the
3770 * PDE at this point! For example, vtopte() must not
3771 * be used to access the PTE because it would use the
3772 * new PDE. It is, however, safe to use the old PDE
3773 * because the page table page is preserved by the
3776 pa = *pmap_pde_to_pte(&pde, va);
3777 pa = (pa & PG_FRAME) | (va & PAGE_MASK);
3783 /***************************************************
3784 * Low level mapping routines.....
3785 ***************************************************/
3788 * Add a wired page to the kva.
3789 * Note: not SMP coherent.
3792 pmap_kenter(vm_offset_t va, vm_paddr_t pa)
3797 pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g | pg_nx);
3800 static __inline void
3801 pmap_kenter_attr(vm_offset_t va, vm_paddr_t pa, int mode)
3807 cache_bits = pmap_cache_bits(kernel_pmap, mode, 0);
3808 pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g | pg_nx | cache_bits);
3812 * Remove a page from the kernel pagetables.
3813 * Note: not SMP coherent.
3816 pmap_kremove(vm_offset_t va)
3825 * Used to map a range of physical addresses into kernel
3826 * virtual address space.
3828 * The value passed in '*virt' is a suggested virtual address for
3829 * the mapping. Architectures which can support a direct-mapped
3830 * physical to virtual region can return the appropriate address
3831 * within that region, leaving '*virt' unchanged. Other
3832 * architectures should map the pages starting at '*virt' and
3833 * update '*virt' with the first usable address after the mapped
3837 pmap_map(vm_offset_t *virt, vm_paddr_t start, vm_paddr_t end, int prot)
3839 return PHYS_TO_DMAP(start);
3843 * Add a list of wired pages to the kva
3844 * this routine is only used for temporary
3845 * kernel mappings that do not need to have
3846 * page modification or references recorded.
3847 * Note that old mappings are simply written
3848 * over. The page *must* be wired.
3849 * Note: SMP coherent. Uses a ranged shootdown IPI.
3852 pmap_qenter(vm_offset_t sva, vm_page_t *ma, int count)
3854 pt_entry_t *endpte, oldpte, pa, *pte;
3860 endpte = pte + count;
3861 while (pte < endpte) {
3863 cache_bits = pmap_cache_bits(kernel_pmap, m->md.pat_mode, 0);
3864 pa = VM_PAGE_TO_PHYS(m) | cache_bits;
3865 if ((*pte & (PG_FRAME | X86_PG_PTE_CACHE)) != pa) {
3867 pte_store(pte, pa | pg_g | pg_nx | X86_PG_RW | X86_PG_V);
3871 if (__predict_false((oldpte & X86_PG_V) != 0))
3872 pmap_invalidate_range(kernel_pmap, sva, sva + count *
3877 * This routine tears out page mappings from the
3878 * kernel -- it is meant only for temporary mappings.
3879 * Note: SMP coherent. Uses a ranged shootdown IPI.
3882 pmap_qremove(vm_offset_t sva, int count)
3887 while (count-- > 0) {
3888 KASSERT(va >= VM_MIN_KERNEL_ADDRESS, ("usermode va %lx", va));
3892 pmap_invalidate_range(kernel_pmap, sva, va);
3895 /***************************************************
3896 * Page table page management routines.....
3897 ***************************************************/
3899 * Schedule the specified unused page table page to be freed. Specifically,
3900 * add the page to the specified list of pages that will be released to the
3901 * physical memory manager after the TLB has been updated.
3903 static __inline void
3904 pmap_add_delayed_free_list(vm_page_t m, struct spglist *free,
3905 boolean_t set_PG_ZERO)
3909 m->flags |= PG_ZERO;
3911 m->flags &= ~PG_ZERO;
3912 SLIST_INSERT_HEAD(free, m, plinks.s.ss);
3916 * Inserts the specified page table page into the specified pmap's collection
3917 * of idle page table pages. Each of a pmap's page table pages is responsible
3918 * for mapping a distinct range of virtual addresses. The pmap's collection is
3919 * ordered by this virtual address range.
3921 * If "promoted" is false, then the page table page "mpte" must be zero filled.
3924 pmap_insert_pt_page(pmap_t pmap, vm_page_t mpte, bool promoted)
3927 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
3928 mpte->valid = promoted ? VM_PAGE_BITS_ALL : 0;
3929 return (vm_radix_insert(&pmap->pm_root, mpte));
3933 * Removes the page table page mapping the specified virtual address from the
3934 * specified pmap's collection of idle page table pages, and returns it.
3935 * Otherwise, returns NULL if there is no page table page corresponding to the
3936 * specified virtual address.
3938 static __inline vm_page_t
3939 pmap_remove_pt_page(pmap_t pmap, vm_offset_t va)
3942 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
3943 return (vm_radix_remove(&pmap->pm_root, pmap_pde_pindex(va)));
3947 * Decrements a page table page's reference count, which is used to record the
3948 * number of valid page table entries within the page. If the reference count
3949 * drops to zero, then the page table page is unmapped. Returns TRUE if the
3950 * page table page was unmapped and FALSE otherwise.
3952 static inline boolean_t
3953 pmap_unwire_ptp(pmap_t pmap, vm_offset_t va, vm_page_t m, struct spglist *free)
3957 if (m->ref_count == 0) {
3958 _pmap_unwire_ptp(pmap, va, m, free);
3965 _pmap_unwire_ptp(pmap_t pmap, vm_offset_t va, vm_page_t m, struct spglist *free)
3971 vm_page_t pdpg, pdppg, pml4pg;
3973 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
3976 * unmap the page table page
3978 if (m->pindex >= NUPDE + NUPDPE + NUPML4E) {
3980 MPASS(pmap_is_la57(pmap));
3981 pml5 = pmap_pml5e(pmap, va);
3983 if (pmap->pm_pmltopu != NULL && va <= VM_MAXUSER_ADDRESS) {
3984 pml5 = pmap_pml5e_u(pmap, va);
3987 } else if (m->pindex >= NUPDE + NUPDPE) {
3989 pml4 = pmap_pml4e(pmap, va);
3991 if (!pmap_is_la57(pmap) && pmap->pm_pmltopu != NULL &&
3992 va <= VM_MAXUSER_ADDRESS) {
3993 pml4 = pmap_pml4e_u(pmap, va);
3996 } else if (m->pindex >= NUPDE) {
3998 pdp = pmap_pdpe(pmap, va);
4002 pd = pmap_pde(pmap, va);
4005 pmap_resident_count_dec(pmap, 1);
4006 if (m->pindex < NUPDE) {
4007 /* We just released a PT, unhold the matching PD */
4008 pdpg = PHYS_TO_VM_PAGE(*pmap_pdpe(pmap, va) & PG_FRAME);
4009 pmap_unwire_ptp(pmap, va, pdpg, free);
4010 } else if (m->pindex < NUPDE + NUPDPE) {
4011 /* We just released a PD, unhold the matching PDP */
4012 pdppg = PHYS_TO_VM_PAGE(*pmap_pml4e(pmap, va) & PG_FRAME);
4013 pmap_unwire_ptp(pmap, va, pdppg, free);
4014 } else if (m->pindex < NUPDE + NUPDPE + NUPML4E && pmap_is_la57(pmap)) {
4015 /* We just released a PDP, unhold the matching PML4 */
4016 pml4pg = PHYS_TO_VM_PAGE(*pmap_pml5e(pmap, va) & PG_FRAME);
4017 pmap_unwire_ptp(pmap, va, pml4pg, free);
4021 * Put page on a list so that it is released after
4022 * *ALL* TLB shootdown is done
4024 pmap_add_delayed_free_list(m, free, TRUE);
4028 * After removing a page table entry, this routine is used to
4029 * conditionally free the page, and manage the reference count.
4032 pmap_unuse_pt(pmap_t pmap, vm_offset_t va, pd_entry_t ptepde,
4033 struct spglist *free)
4037 if (va >= VM_MAXUSER_ADDRESS)
4039 KASSERT(ptepde != 0, ("pmap_unuse_pt: ptepde != 0"));
4040 mpte = PHYS_TO_VM_PAGE(ptepde & PG_FRAME);
4041 return (pmap_unwire_ptp(pmap, va, mpte, free));
4045 * Release a page table page reference after a failed attempt to create a
4049 pmap_abort_ptp(pmap_t pmap, vm_offset_t va, vm_page_t mpte)
4051 struct spglist free;
4054 if (pmap_unwire_ptp(pmap, va, mpte, &free)) {
4056 * Although "va" was never mapped, paging-structure caches
4057 * could nonetheless have entries that refer to the freed
4058 * page table pages. Invalidate those entries.
4060 pmap_invalidate_page(pmap, va);
4061 vm_page_free_pages_toq(&free, true);
4066 pmap_pinit0(pmap_t pmap)
4072 PMAP_LOCK_INIT(pmap);
4073 pmap->pm_pmltop = kernel_pmap->pm_pmltop;
4074 pmap->pm_pmltopu = NULL;
4075 pmap->pm_cr3 = kernel_pmap->pm_cr3;
4076 /* hack to keep pmap_pti_pcid_invalidate() alive */
4077 pmap->pm_ucr3 = PMAP_NO_CR3;
4078 pmap->pm_root.rt_root = 0;
4079 CPU_ZERO(&pmap->pm_active);
4080 TAILQ_INIT(&pmap->pm_pvchunk);
4081 bzero(&pmap->pm_stats, sizeof pmap->pm_stats);
4082 pmap->pm_flags = pmap_flags;
4084 pmap->pm_pcids[i].pm_pcid = PMAP_PCID_KERN + 1;
4085 pmap->pm_pcids[i].pm_gen = 1;
4087 pmap_activate_boot(pmap);
4092 p->p_md.md_flags |= P_MD_KPTI;
4095 pmap_thread_init_invl_gen(td);
4097 if ((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0) {
4098 pmap_pkru_ranges_zone = uma_zcreate("pkru ranges",
4099 sizeof(struct pmap_pkru_range), NULL, NULL, NULL, NULL,
4105 pmap_pinit_pml4(vm_page_t pml4pg)
4107 pml4_entry_t *pm_pml4;
4110 pm_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4pg));
4112 /* Wire in kernel global address entries. */
4113 for (i = 0; i < NKPML4E; i++) {
4114 pm_pml4[KPML4BASE + i] = (KPDPphys + ptoa(i)) | X86_PG_RW |
4117 for (i = 0; i < ndmpdpphys; i++) {
4118 pm_pml4[DMPML4I + i] = (DMPDPphys + ptoa(i)) | X86_PG_RW |
4122 /* install self-referential address mapping entry(s) */
4123 pm_pml4[PML4PML4I] = VM_PAGE_TO_PHYS(pml4pg) | X86_PG_V | X86_PG_RW |
4124 X86_PG_A | X86_PG_M;
4126 /* install large map entries if configured */
4127 for (i = 0; i < lm_ents; i++)
4128 pm_pml4[LMSPML4I + i] = kernel_pmap->pm_pmltop[LMSPML4I + i];
4132 pmap_pinit_pml5(vm_page_t pml5pg)
4134 pml5_entry_t *pm_pml5;
4136 pm_pml5 = (pml5_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml5pg));
4139 * Add pml5 entry at top of KVA pointing to existing pml4 table,
4140 * entering all existing kernel mappings into level 5 table.
4142 pm_pml5[pmap_pml5e_index(UPT_MAX_ADDRESS)] = KPML4phys | X86_PG_V |
4143 X86_PG_RW | X86_PG_A | X86_PG_M | pg_g |
4144 pmap_cache_bits(kernel_pmap, VM_MEMATTR_DEFAULT, FALSE);
4147 * Install self-referential address mapping entry.
4149 pm_pml5[PML5PML5I] = VM_PAGE_TO_PHYS(pml5pg) |
4150 X86_PG_RW | X86_PG_V | X86_PG_M | X86_PG_A |
4151 pmap_cache_bits(kernel_pmap, VM_MEMATTR_DEFAULT, FALSE);
4155 pmap_pinit_pml4_pti(vm_page_t pml4pgu)
4157 pml4_entry_t *pm_pml4u;
4160 pm_pml4u = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4pgu));
4161 for (i = 0; i < NPML4EPG; i++)
4162 pm_pml4u[i] = pti_pml4[i];
4166 pmap_pinit_pml5_pti(vm_page_t pml5pgu)
4168 pml5_entry_t *pm_pml5u;
4170 pm_pml5u = (pml5_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml5pgu));
4173 * Add pml5 entry at top of KVA pointing to existing pml4 pti
4174 * table, entering all kernel mappings needed for usermode
4175 * into level 5 table.
4177 pm_pml5u[pmap_pml5e_index(UPT_MAX_ADDRESS)] =
4178 pmap_kextract((vm_offset_t)pti_pml4) |
4179 X86_PG_V | X86_PG_RW | X86_PG_A | X86_PG_M | pg_g |
4180 pmap_cache_bits(kernel_pmap, VM_MEMATTR_DEFAULT, FALSE);
4184 * Initialize a preallocated and zeroed pmap structure,
4185 * such as one in a vmspace structure.
4188 pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags)
4190 vm_page_t pmltop_pg, pmltop_pgu;
4191 vm_paddr_t pmltop_phys;
4195 * allocate the page directory page
4197 pmltop_pg = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ |
4198 VM_ALLOC_WIRED | VM_ALLOC_ZERO | VM_ALLOC_WAITOK);
4200 pmltop_phys = VM_PAGE_TO_PHYS(pmltop_pg);
4201 pmap->pm_pmltop = (pml5_entry_t *)PHYS_TO_DMAP(pmltop_phys);
4204 pmap->pm_pcids[i].pm_pcid = PMAP_PCID_NONE;
4205 pmap->pm_pcids[i].pm_gen = 0;
4207 pmap->pm_cr3 = PMAP_NO_CR3; /* initialize to an invalid value */
4208 pmap->pm_ucr3 = PMAP_NO_CR3;
4209 pmap->pm_pmltopu = NULL;
4211 pmap->pm_type = pm_type;
4212 if ((pmltop_pg->flags & PG_ZERO) == 0)
4213 pagezero(pmap->pm_pmltop);
4216 * Do not install the host kernel mappings in the nested page
4217 * tables. These mappings are meaningless in the guest physical
4219 * Install minimal kernel mappings in PTI case.
4223 pmap->pm_cr3 = pmltop_phys;
4224 if (pmap_is_la57(pmap))
4225 pmap_pinit_pml5(pmltop_pg);
4227 pmap_pinit_pml4(pmltop_pg);
4228 if ((curproc->p_md.md_flags & P_MD_KPTI) != 0) {
4229 pmltop_pgu = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL |
4230 VM_ALLOC_NOOBJ | VM_ALLOC_WIRED | VM_ALLOC_WAITOK);
4231 pmap->pm_pmltopu = (pml4_entry_t *)PHYS_TO_DMAP(
4232 VM_PAGE_TO_PHYS(pmltop_pgu));
4233 if (pmap_is_la57(pmap))
4234 pmap_pinit_pml5_pti(pmltop_pgu);
4236 pmap_pinit_pml4_pti(pmltop_pgu);
4237 pmap->pm_ucr3 = VM_PAGE_TO_PHYS(pmltop_pgu);
4239 if ((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0) {
4240 rangeset_init(&pmap->pm_pkru, pkru_dup_range,
4241 pkru_free_range, pmap, M_NOWAIT);
4246 pmap->pm_eptsmr = smr_create("pmap", 0, 0);
4250 pmap->pm_root.rt_root = 0;
4251 CPU_ZERO(&pmap->pm_active);
4252 TAILQ_INIT(&pmap->pm_pvchunk);
4253 bzero(&pmap->pm_stats, sizeof pmap->pm_stats);
4254 pmap->pm_flags = flags;
4255 pmap->pm_eptgen = 0;
4261 pmap_pinit(pmap_t pmap)
4264 return (pmap_pinit_type(pmap, PT_X86, pmap_flags));
4268 pmap_allocpte_free_unref(pmap_t pmap, vm_offset_t va, pt_entry_t *pte)
4271 struct spglist free;
4273 mpg = PHYS_TO_VM_PAGE(*pte & PG_FRAME);
4274 if (mpg->ref_count != 0)
4277 _pmap_unwire_ptp(pmap, va, mpg, &free);
4278 pmap_invalidate_page(pmap, va);
4279 vm_page_free_pages_toq(&free, true);
4282 static pml4_entry_t *
4283 pmap_allocpte_getpml4(pmap_t pmap, struct rwlock **lockp, vm_offset_t va,
4286 vm_pindex_t pml5index;
4293 if (!pmap_is_la57(pmap))
4294 return (&pmap->pm_pmltop[pmap_pml4e_index(va)]);
4296 PG_V = pmap_valid_bit(pmap);
4297 pml5index = pmap_pml5e_index(va);
4298 pml5 = &pmap->pm_pmltop[pml5index];
4299 if ((*pml5 & PG_V) == 0) {
4300 if (pmap_allocpte_nosleep(pmap, pmap_pml5e_pindex(va), lockp,
4307 pml4 = (pml4_entry_t *)PHYS_TO_DMAP(*pml5 & PG_FRAME);
4308 pml4 = &pml4[pmap_pml4e_index(va)];
4309 if ((*pml4 & PG_V) == 0) {
4310 pml4pg = PHYS_TO_VM_PAGE(*pml5 & PG_FRAME);
4311 if (allocated && !addref)
4312 pml4pg->ref_count--;
4313 else if (!allocated && addref)
4314 pml4pg->ref_count++;
4319 static pdp_entry_t *
4320 pmap_allocpte_getpdp(pmap_t pmap, struct rwlock **lockp, vm_offset_t va,
4329 PG_V = pmap_valid_bit(pmap);
4331 pml4 = pmap_allocpte_getpml4(pmap, lockp, va, false);
4335 if ((*pml4 & PG_V) == 0) {
4336 /* Have to allocate a new pdp, recurse */
4337 if (pmap_allocpte_nosleep(pmap, pmap_pml4e_pindex(va), lockp,
4339 if (pmap_is_la57(pmap))
4340 pmap_allocpte_free_unref(pmap, va,
4341 pmap_pml5e(pmap, va));
4348 pdp = (pdp_entry_t *)PHYS_TO_DMAP(*pml4 & PG_FRAME);
4349 pdp = &pdp[pmap_pdpe_index(va)];
4350 if ((*pdp & PG_V) == 0) {
4351 pdppg = PHYS_TO_VM_PAGE(*pml4 & PG_FRAME);
4352 if (allocated && !addref)
4354 else if (!allocated && addref)
4361 * The ptepindexes, i.e. page indices, of the page table pages encountered
4362 * while translating virtual address va are defined as follows:
4363 * - for the page table page (last level),
4364 * ptepindex = pmap_pde_pindex(va) = va >> PDRSHIFT,
4365 * in other words, it is just the index of the PDE that maps the page
4367 * - for the page directory page,
4368 * ptepindex = NUPDE (number of userland PD entries) +
4369 * (pmap_pde_index(va) >> NPDEPGSHIFT)
4370 * i.e. index of PDPE is put after the last index of PDE,
4371 * - for the page directory pointer page,
4372 * ptepindex = NUPDE + NUPDPE + (pmap_pde_index(va) >> (NPDEPGSHIFT +
4374 * i.e. index of pml4e is put after the last index of PDPE,
4375 * - for the PML4 page (if LA57 mode is enabled),
4376 * ptepindex = NUPDE + NUPDPE + NUPML4E + (pmap_pde_index(va) >>
4377 * (NPDEPGSHIFT + NPML4EPGSHIFT + NPML5EPGSHIFT),
4378 * i.e. index of pml5e is put after the last index of PML4E.
4380 * Define an order on the paging entries, where all entries of the
4381 * same height are put together, then heights are put from deepest to
4382 * root. Then ptexpindex is the sequential number of the
4383 * corresponding paging entry in this order.
4385 * The values of NUPDE, NUPDPE, and NUPML4E are determined by the size of
4386 * LA57 paging structures even in LA48 paging mode. Moreover, the
4387 * ptepindexes are calculated as if the paging structures were 5-level
4388 * regardless of the actual mode of operation.
4390 * The root page at PML4/PML5 does not participate in this indexing scheme,
4391 * since it is statically allocated by pmap_pinit() and not by pmap_allocpte().
4394 pmap_allocpte_nosleep(pmap_t pmap, vm_pindex_t ptepindex, struct rwlock **lockp,
4397 vm_pindex_t pml5index, pml4index;
4398 pml5_entry_t *pml5, *pml5u;
4399 pml4_entry_t *pml4, *pml4u;
4403 pt_entry_t PG_A, PG_M, PG_RW, PG_V;
4405 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
4407 PG_A = pmap_accessed_bit(pmap);
4408 PG_M = pmap_modified_bit(pmap);
4409 PG_V = pmap_valid_bit(pmap);
4410 PG_RW = pmap_rw_bit(pmap);
4413 * Allocate a page table page.
4415 if ((m = vm_page_alloc(NULL, ptepindex, VM_ALLOC_NOOBJ |
4416 VM_ALLOC_WIRED | VM_ALLOC_ZERO)) == NULL)
4418 if ((m->flags & PG_ZERO) == 0)
4422 * Map the pagetable page into the process address space, if
4423 * it isn't already there.
4425 if (ptepindex >= NUPDE + NUPDPE + NUPML4E) {
4426 MPASS(pmap_is_la57(pmap));
4428 pml5index = pmap_pml5e_index(va);
4429 pml5 = &pmap->pm_pmltop[pml5index];
4430 KASSERT((*pml5 & PG_V) == 0,
4431 ("pmap %p va %#lx pml5 %#lx", pmap, va, *pml5));
4432 *pml5 = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M;
4434 if (pmap->pm_pmltopu != NULL && pml5index < NUPML5E) {
4435 if (pmap->pm_ucr3 != PMAP_NO_CR3)
4438 pml5u = &pmap->pm_pmltopu[pml5index];
4439 *pml5u = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V |
4442 } else if (ptepindex >= NUPDE + NUPDPE) {
4443 pml4index = pmap_pml4e_index(va);
4444 /* Wire up a new PDPE page */
4445 pml4 = pmap_allocpte_getpml4(pmap, lockp, va, true);
4447 vm_page_unwire_noq(m);
4448 vm_page_free_zero(m);
4451 KASSERT((*pml4 & PG_V) == 0,
4452 ("pmap %p va %#lx pml4 %#lx", pmap, va, *pml4));
4453 *pml4 = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M;
4455 if (!pmap_is_la57(pmap) && pmap->pm_pmltopu != NULL &&
4456 pml4index < NUPML4E) {
4458 * PTI: Make all user-space mappings in the
4459 * kernel-mode page table no-execute so that
4460 * we detect any programming errors that leave
4461 * the kernel-mode page table active on return
4464 if (pmap->pm_ucr3 != PMAP_NO_CR3)
4467 pml4u = &pmap->pm_pmltopu[pml4index];
4468 *pml4u = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V |
4471 } else if (ptepindex >= NUPDE) {
4472 /* Wire up a new PDE page */
4473 pdp = pmap_allocpte_getpdp(pmap, lockp, va, true);
4475 vm_page_unwire_noq(m);
4476 vm_page_free_zero(m);
4479 KASSERT((*pdp & PG_V) == 0,
4480 ("pmap %p va %#lx pdp %#lx", pmap, va, *pdp));
4481 *pdp = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M;
4483 /* Wire up a new PTE page */
4484 pdp = pmap_allocpte_getpdp(pmap, lockp, va, false);
4486 vm_page_unwire_noq(m);
4487 vm_page_free_zero(m);
4490 if ((*pdp & PG_V) == 0) {
4491 /* Have to allocate a new pd, recurse */
4492 if (pmap_allocpte_nosleep(pmap, pmap_pdpe_pindex(va),
4493 lockp, va) == NULL) {
4494 pmap_allocpte_free_unref(pmap, va,
4495 pmap_pml4e(pmap, va));
4496 vm_page_unwire_noq(m);
4497 vm_page_free_zero(m);
4501 /* Add reference to the pd page */
4502 pdpg = PHYS_TO_VM_PAGE(*pdp & PG_FRAME);
4505 pd = (pd_entry_t *)PHYS_TO_DMAP(*pdp & PG_FRAME);
4507 /* Now we know where the page directory page is */
4508 pd = &pd[pmap_pde_index(va)];
4509 KASSERT((*pd & PG_V) == 0,
4510 ("pmap %p va %#lx pd %#lx", pmap, va, *pd));
4511 *pd = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M;
4514 pmap_resident_count_inc(pmap, 1);
4519 * This routine is called if the desired page table page does not exist.
4521 * If page table page allocation fails, this routine may sleep before
4522 * returning NULL. It sleeps only if a lock pointer was given. Sleep
4523 * occurs right before returning to the caller. This way, we never
4524 * drop pmap lock to sleep while a page table page has ref_count == 0,
4525 * which prevents the page from being freed under us.
4528 pmap_allocpte_alloc(pmap_t pmap, vm_pindex_t ptepindex, struct rwlock **lockp,
4533 m = pmap_allocpte_nosleep(pmap, ptepindex, lockp, va);
4534 if (m == NULL && lockp != NULL) {
4535 RELEASE_PV_LIST_LOCK(lockp);
4537 PMAP_ASSERT_NOT_IN_DI();
4545 pmap_alloc_pde(pmap_t pmap, vm_offset_t va, vm_page_t *pdpgp,
4546 struct rwlock **lockp)
4548 pdp_entry_t *pdpe, PG_V;
4551 vm_pindex_t pdpindex;
4553 PG_V = pmap_valid_bit(pmap);
4556 pdpe = pmap_pdpe(pmap, va);
4557 if (pdpe != NULL && (*pdpe & PG_V) != 0) {
4558 pde = pmap_pdpe_to_pde(pdpe, va);
4559 if (va < VM_MAXUSER_ADDRESS) {
4560 /* Add a reference to the pd page. */
4561 pdpg = PHYS_TO_VM_PAGE(*pdpe & PG_FRAME);
4565 } else if (va < VM_MAXUSER_ADDRESS) {
4566 /* Allocate a pd page. */
4567 pdpindex = pmap_pde_pindex(va) >> NPDPEPGSHIFT;
4568 pdpg = pmap_allocpte_alloc(pmap, NUPDE + pdpindex, lockp, va);
4575 pde = (pd_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pdpg));
4576 pde = &pde[pmap_pde_index(va)];
4578 panic("pmap_alloc_pde: missing page table page for va %#lx",
4585 pmap_allocpte(pmap_t pmap, vm_offset_t va, struct rwlock **lockp)
4587 vm_pindex_t ptepindex;
4588 pd_entry_t *pd, PG_V;
4591 PG_V = pmap_valid_bit(pmap);
4594 * Calculate pagetable page index
4596 ptepindex = pmap_pde_pindex(va);
4599 * Get the page directory entry
4601 pd = pmap_pde(pmap, va);
4604 * This supports switching from a 2MB page to a
4607 if (pd != NULL && (*pd & (PG_PS | PG_V)) == (PG_PS | PG_V)) {
4608 if (!pmap_demote_pde_locked(pmap, pd, va, lockp)) {
4610 * Invalidation of the 2MB page mapping may have caused
4611 * the deallocation of the underlying PD page.
4618 * If the page table page is mapped, we just increment the
4619 * hold count, and activate it.
4621 if (pd != NULL && (*pd & PG_V) != 0) {
4622 m = PHYS_TO_VM_PAGE(*pd & PG_FRAME);
4626 * Here if the pte page isn't mapped, or if it has been
4629 m = pmap_allocpte_alloc(pmap, ptepindex, lockp, va);
4630 if (m == NULL && lockp != NULL)
4636 /***************************************************
4637 * Pmap allocation/deallocation routines.
4638 ***************************************************/
4641 * Release any resources held by the given physical map.
4642 * Called when a pmap initialized by pmap_pinit is being released.
4643 * Should only be called if the map contains no valid mappings.
4646 pmap_release(pmap_t pmap)
4651 KASSERT(pmap->pm_stats.resident_count == 0,
4652 ("pmap_release: pmap %p resident count %ld != 0",
4653 pmap, pmap->pm_stats.resident_count));
4654 KASSERT(vm_radix_is_empty(&pmap->pm_root),
4655 ("pmap_release: pmap %p has reserved page table page(s)",
4657 KASSERT(CPU_EMPTY(&pmap->pm_active),
4658 ("releasing active pmap %p", pmap));
4660 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_pmltop));
4662 if (pmap_is_la57(pmap)) {
4663 pmap->pm_pmltop[pmap_pml5e_index(UPT_MAX_ADDRESS)] = 0;
4664 pmap->pm_pmltop[PML5PML5I] = 0;
4666 for (i = 0; i < NKPML4E; i++) /* KVA */
4667 pmap->pm_pmltop[KPML4BASE + i] = 0;
4668 for (i = 0; i < ndmpdpphys; i++)/* Direct Map */
4669 pmap->pm_pmltop[DMPML4I + i] = 0;
4670 pmap->pm_pmltop[PML4PML4I] = 0; /* Recursive Mapping */
4671 for (i = 0; i < lm_ents; i++) /* Large Map */
4672 pmap->pm_pmltop[LMSPML4I + i] = 0;
4675 vm_page_unwire_noq(m);
4676 vm_page_free_zero(m);
4678 if (pmap->pm_pmltopu != NULL) {
4679 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->
4681 vm_page_unwire_noq(m);
4684 if (pmap->pm_type == PT_X86 &&
4685 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0)
4686 rangeset_fini(&pmap->pm_pkru);
4690 kvm_size(SYSCTL_HANDLER_ARGS)
4692 unsigned long ksize = VM_MAX_KERNEL_ADDRESS - VM_MIN_KERNEL_ADDRESS;
4694 return sysctl_handle_long(oidp, &ksize, 0, req);
4696 SYSCTL_PROC(_vm, OID_AUTO, kvm_size, CTLTYPE_LONG | CTLFLAG_RD | CTLFLAG_MPSAFE,
4697 0, 0, kvm_size, "LU",
4701 kvm_free(SYSCTL_HANDLER_ARGS)
4703 unsigned long kfree = VM_MAX_KERNEL_ADDRESS - kernel_vm_end;
4705 return sysctl_handle_long(oidp, &kfree, 0, req);
4707 SYSCTL_PROC(_vm, OID_AUTO, kvm_free, CTLTYPE_LONG | CTLFLAG_RD | CTLFLAG_MPSAFE,
4708 0, 0, kvm_free, "LU",
4709 "Amount of KVM free");
4712 * Allocate physical memory for the vm_page array and map it into KVA,
4713 * attempting to back the vm_pages with domain-local memory.
4716 pmap_page_array_startup(long pages)
4719 pd_entry_t *pde, newpdir;
4720 vm_offset_t va, start, end;
4725 vm_page_array_size = pages;
4727 start = VM_MIN_KERNEL_ADDRESS;
4728 end = start + pages * sizeof(struct vm_page);
4729 for (va = start; va < end; va += NBPDR) {
4730 pfn = first_page + (va - start) / sizeof(struct vm_page);
4731 domain = vm_phys_domain(ptoa(pfn));
4732 pdpe = pmap_pdpe(kernel_pmap, va);
4733 if ((*pdpe & X86_PG_V) == 0) {
4734 pa = vm_phys_early_alloc(domain, PAGE_SIZE);
4736 pagezero((void *)PHYS_TO_DMAP(pa));
4737 *pdpe = (pdp_entry_t)(pa | X86_PG_V | X86_PG_RW |
4738 X86_PG_A | X86_PG_M);
4740 pde = pmap_pdpe_to_pde(pdpe, va);
4741 if ((*pde & X86_PG_V) != 0)
4742 panic("Unexpected pde");
4743 pa = vm_phys_early_alloc(domain, NBPDR);
4744 for (i = 0; i < NPDEPG; i++)
4745 dump_add_page(pa + i * PAGE_SIZE);
4746 newpdir = (pd_entry_t)(pa | X86_PG_V | X86_PG_RW | X86_PG_A |
4747 X86_PG_M | PG_PS | pg_g | pg_nx);
4748 pde_store(pde, newpdir);
4750 vm_page_array = (vm_page_t)start;
4754 * grow the number of kernel page table entries, if needed
4757 pmap_growkernel(vm_offset_t addr)
4761 pd_entry_t *pde, newpdir;
4764 mtx_assert(&kernel_map->system_mtx, MA_OWNED);
4767 * Return if "addr" is within the range of kernel page table pages
4768 * that were preallocated during pmap bootstrap. Moreover, leave
4769 * "kernel_vm_end" and the kernel page table as they were.
4771 * The correctness of this action is based on the following
4772 * argument: vm_map_insert() allocates contiguous ranges of the
4773 * kernel virtual address space. It calls this function if a range
4774 * ends after "kernel_vm_end". If the kernel is mapped between
4775 * "kernel_vm_end" and "addr", then the range cannot begin at
4776 * "kernel_vm_end". In fact, its beginning address cannot be less
4777 * than the kernel. Thus, there is no immediate need to allocate
4778 * any new kernel page table pages between "kernel_vm_end" and
4781 if (KERNBASE < addr && addr <= KERNBASE + nkpt * NBPDR)
4784 addr = roundup2(addr, NBPDR);
4785 if (addr - 1 >= vm_map_max(kernel_map))
4786 addr = vm_map_max(kernel_map);
4787 while (kernel_vm_end < addr) {
4788 pdpe = pmap_pdpe(kernel_pmap, kernel_vm_end);
4789 if ((*pdpe & X86_PG_V) == 0) {
4790 /* We need a new PDP entry */
4791 nkpg = vm_page_alloc(NULL, kernel_vm_end >> PDPSHIFT,
4792 VM_ALLOC_INTERRUPT | VM_ALLOC_NOOBJ |
4793 VM_ALLOC_WIRED | VM_ALLOC_ZERO);
4795 panic("pmap_growkernel: no memory to grow kernel");
4796 if ((nkpg->flags & PG_ZERO) == 0)
4797 pmap_zero_page(nkpg);
4798 paddr = VM_PAGE_TO_PHYS(nkpg);
4799 *pdpe = (pdp_entry_t)(paddr | X86_PG_V | X86_PG_RW |
4800 X86_PG_A | X86_PG_M);
4801 continue; /* try again */
4803 pde = pmap_pdpe_to_pde(pdpe, kernel_vm_end);
4804 if ((*pde & X86_PG_V) != 0) {
4805 kernel_vm_end = (kernel_vm_end + NBPDR) & ~PDRMASK;
4806 if (kernel_vm_end - 1 >= vm_map_max(kernel_map)) {
4807 kernel_vm_end = vm_map_max(kernel_map);
4813 nkpg = vm_page_alloc(NULL, pmap_pde_pindex(kernel_vm_end),
4814 VM_ALLOC_INTERRUPT | VM_ALLOC_NOOBJ | VM_ALLOC_WIRED |
4817 panic("pmap_growkernel: no memory to grow kernel");
4818 if ((nkpg->flags & PG_ZERO) == 0)
4819 pmap_zero_page(nkpg);
4820 paddr = VM_PAGE_TO_PHYS(nkpg);
4821 newpdir = paddr | X86_PG_V | X86_PG_RW | X86_PG_A | X86_PG_M;
4822 pde_store(pde, newpdir);
4824 kernel_vm_end = (kernel_vm_end + NBPDR) & ~PDRMASK;
4825 if (kernel_vm_end - 1 >= vm_map_max(kernel_map)) {
4826 kernel_vm_end = vm_map_max(kernel_map);
4832 /***************************************************
4833 * page management routines.
4834 ***************************************************/
4836 CTASSERT(sizeof(struct pv_chunk) == PAGE_SIZE);
4837 CTASSERT(_NPCM == 3);
4838 CTASSERT(_NPCPV == 168);
4840 static __inline struct pv_chunk *
4841 pv_to_chunk(pv_entry_t pv)
4844 return ((struct pv_chunk *)((uintptr_t)pv & ~(uintptr_t)PAGE_MASK));
4847 #define PV_PMAP(pv) (pv_to_chunk(pv)->pc_pmap)
4849 #define PC_FREE0 0xfffffffffffffffful
4850 #define PC_FREE1 0xfffffffffffffffful
4851 #define PC_FREE2 0x000000fffffffffful
4853 static const uint64_t pc_freemask[_NPCM] = { PC_FREE0, PC_FREE1, PC_FREE2 };
4856 static int pc_chunk_count, pc_chunk_allocs, pc_chunk_frees, pc_chunk_tryfail;
4858 SYSCTL_INT(_vm_pmap, OID_AUTO, pc_chunk_count, CTLFLAG_RD, &pc_chunk_count, 0,
4859 "Current number of pv entry chunks");
4860 SYSCTL_INT(_vm_pmap, OID_AUTO, pc_chunk_allocs, CTLFLAG_RD, &pc_chunk_allocs, 0,
4861 "Current number of pv entry chunks allocated");
4862 SYSCTL_INT(_vm_pmap, OID_AUTO, pc_chunk_frees, CTLFLAG_RD, &pc_chunk_frees, 0,
4863 "Current number of pv entry chunks frees");
4864 SYSCTL_INT(_vm_pmap, OID_AUTO, pc_chunk_tryfail, CTLFLAG_RD, &pc_chunk_tryfail, 0,
4865 "Number of times tried to get a chunk page but failed.");
4867 static long pv_entry_frees, pv_entry_allocs, pv_entry_count;
4868 static int pv_entry_spare;
4870 SYSCTL_LONG(_vm_pmap, OID_AUTO, pv_entry_frees, CTLFLAG_RD, &pv_entry_frees, 0,
4871 "Current number of pv entry frees");
4872 SYSCTL_LONG(_vm_pmap, OID_AUTO, pv_entry_allocs, CTLFLAG_RD, &pv_entry_allocs, 0,
4873 "Current number of pv entry allocs");
4874 SYSCTL_LONG(_vm_pmap, OID_AUTO, pv_entry_count, CTLFLAG_RD, &pv_entry_count, 0,
4875 "Current number of pv entries");
4876 SYSCTL_INT(_vm_pmap, OID_AUTO, pv_entry_spare, CTLFLAG_RD, &pv_entry_spare, 0,
4877 "Current number of spare pv entries");
4881 reclaim_pv_chunk_leave_pmap(pmap_t pmap, pmap_t locked_pmap, bool start_di)
4886 pmap_invalidate_all(pmap);
4887 if (pmap != locked_pmap)
4890 pmap_delayed_invl_finish();
4894 * We are in a serious low memory condition. Resort to
4895 * drastic measures to free some pages so we can allocate
4896 * another pv entry chunk.
4898 * Returns NULL if PV entries were reclaimed from the specified pmap.
4900 * We do not, however, unmap 2mpages because subsequent accesses will
4901 * allocate per-page pv entries until repromotion occurs, thereby
4902 * exacerbating the shortage of free pv entries.
4905 reclaim_pv_chunk_domain(pmap_t locked_pmap, struct rwlock **lockp, int domain)
4907 struct pv_chunks_list *pvc;
4908 struct pv_chunk *pc, *pc_marker, *pc_marker_end;
4909 struct pv_chunk_header pc_marker_b, pc_marker_end_b;
4910 struct md_page *pvh;
4912 pmap_t next_pmap, pmap;
4913 pt_entry_t *pte, tpte;
4914 pt_entry_t PG_G, PG_A, PG_M, PG_RW;
4918 struct spglist free;
4920 int bit, field, freed;
4921 bool start_di, restart;
4923 PMAP_LOCK_ASSERT(locked_pmap, MA_OWNED);
4924 KASSERT(lockp != NULL, ("reclaim_pv_chunk: lockp is NULL"));
4927 PG_G = PG_A = PG_M = PG_RW = 0;
4929 bzero(&pc_marker_b, sizeof(pc_marker_b));
4930 bzero(&pc_marker_end_b, sizeof(pc_marker_end_b));
4931 pc_marker = (struct pv_chunk *)&pc_marker_b;
4932 pc_marker_end = (struct pv_chunk *)&pc_marker_end_b;
4935 * A delayed invalidation block should already be active if
4936 * pmap_advise() or pmap_remove() called this function by way
4937 * of pmap_demote_pde_locked().
4939 start_di = pmap_not_in_di();
4941 pvc = &pv_chunks[domain];
4942 mtx_lock(&pvc->pvc_lock);
4943 pvc->active_reclaims++;
4944 TAILQ_INSERT_HEAD(&pvc->pvc_list, pc_marker, pc_lru);
4945 TAILQ_INSERT_TAIL(&pvc->pvc_list, pc_marker_end, pc_lru);
4946 while ((pc = TAILQ_NEXT(pc_marker, pc_lru)) != pc_marker_end &&
4947 SLIST_EMPTY(&free)) {
4948 next_pmap = pc->pc_pmap;
4949 if (next_pmap == NULL) {
4951 * The next chunk is a marker. However, it is
4952 * not our marker, so active_reclaims must be
4953 * > 1. Consequently, the next_chunk code
4954 * will not rotate the pv_chunks list.
4958 mtx_unlock(&pvc->pvc_lock);
4961 * A pv_chunk can only be removed from the pc_lru list
4962 * when both pc_chunks_mutex is owned and the
4963 * corresponding pmap is locked.
4965 if (pmap != next_pmap) {
4967 reclaim_pv_chunk_leave_pmap(pmap, locked_pmap,
4970 /* Avoid deadlock and lock recursion. */
4971 if (pmap > locked_pmap) {
4972 RELEASE_PV_LIST_LOCK(lockp);
4975 pmap_delayed_invl_start();
4976 mtx_lock(&pvc->pvc_lock);
4978 } else if (pmap != locked_pmap) {
4979 if (PMAP_TRYLOCK(pmap)) {
4981 pmap_delayed_invl_start();
4982 mtx_lock(&pvc->pvc_lock);
4985 pmap = NULL; /* pmap is not locked */
4986 mtx_lock(&pvc->pvc_lock);
4987 pc = TAILQ_NEXT(pc_marker, pc_lru);
4989 pc->pc_pmap != next_pmap)
4993 } else if (start_di)
4994 pmap_delayed_invl_start();
4995 PG_G = pmap_global_bit(pmap);
4996 PG_A = pmap_accessed_bit(pmap);
4997 PG_M = pmap_modified_bit(pmap);
4998 PG_RW = pmap_rw_bit(pmap);
5004 * Destroy every non-wired, 4 KB page mapping in the chunk.
5007 for (field = 0; field < _NPCM; field++) {
5008 for (inuse = ~pc->pc_map[field] & pc_freemask[field];
5009 inuse != 0; inuse &= ~(1UL << bit)) {
5011 pv = &pc->pc_pventry[field * 64 + bit];
5013 pde = pmap_pde(pmap, va);
5014 if ((*pde & PG_PS) != 0)
5016 pte = pmap_pde_to_pte(pde, va);
5017 if ((*pte & PG_W) != 0)
5019 tpte = pte_load_clear(pte);
5020 if ((tpte & PG_G) != 0)
5021 pmap_invalidate_page(pmap, va);
5022 m = PHYS_TO_VM_PAGE(tpte & PG_FRAME);
5023 if ((tpte & (PG_M | PG_RW)) == (PG_M | PG_RW))
5025 if ((tpte & PG_A) != 0)
5026 vm_page_aflag_set(m, PGA_REFERENCED);
5027 CHANGE_PV_LIST_LOCK_TO_VM_PAGE(lockp, m);
5028 TAILQ_REMOVE(&m->md.pv_list, pv, pv_next);
5030 if (TAILQ_EMPTY(&m->md.pv_list) &&
5031 (m->flags & PG_FICTITIOUS) == 0) {
5032 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
5033 if (TAILQ_EMPTY(&pvh->pv_list)) {
5034 vm_page_aflag_clear(m,
5038 pmap_delayed_invl_page(m);
5039 pc->pc_map[field] |= 1UL << bit;
5040 pmap_unuse_pt(pmap, va, *pde, &free);
5045 mtx_lock(&pvc->pvc_lock);
5048 /* Every freed mapping is for a 4 KB page. */
5049 pmap_resident_count_dec(pmap, freed);
5050 PV_STAT(atomic_add_long(&pv_entry_frees, freed));
5051 PV_STAT(atomic_add_int(&pv_entry_spare, freed));
5052 PV_STAT(atomic_subtract_long(&pv_entry_count, freed));
5053 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5054 if (pc->pc_map[0] == PC_FREE0 && pc->pc_map[1] == PC_FREE1 &&
5055 pc->pc_map[2] == PC_FREE2) {
5056 PV_STAT(atomic_subtract_int(&pv_entry_spare, _NPCPV));
5057 PV_STAT(atomic_subtract_int(&pc_chunk_count, 1));
5058 PV_STAT(atomic_add_int(&pc_chunk_frees, 1));
5059 /* Entire chunk is free; return it. */
5060 m_pc = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pc));
5061 dump_drop_page(m_pc->phys_addr);
5062 mtx_lock(&pvc->pvc_lock);
5063 TAILQ_REMOVE(&pvc->pvc_list, pc, pc_lru);
5066 TAILQ_INSERT_HEAD(&pmap->pm_pvchunk, pc, pc_list);
5067 mtx_lock(&pvc->pvc_lock);
5068 /* One freed pv entry in locked_pmap is sufficient. */
5069 if (pmap == locked_pmap)
5072 TAILQ_REMOVE(&pvc->pvc_list, pc_marker, pc_lru);
5073 TAILQ_INSERT_AFTER(&pvc->pvc_list, pc, pc_marker, pc_lru);
5074 if (pvc->active_reclaims == 1 && pmap != NULL) {
5076 * Rotate the pv chunks list so that we do not
5077 * scan the same pv chunks that could not be
5078 * freed (because they contained a wired
5079 * and/or superpage mapping) on every
5080 * invocation of reclaim_pv_chunk().
5082 while ((pc = TAILQ_FIRST(&pvc->pvc_list)) != pc_marker) {
5083 MPASS(pc->pc_pmap != NULL);
5084 TAILQ_REMOVE(&pvc->pvc_list, pc, pc_lru);
5085 TAILQ_INSERT_TAIL(&pvc->pvc_list, pc, pc_lru);
5089 TAILQ_REMOVE(&pvc->pvc_list, pc_marker, pc_lru);
5090 TAILQ_REMOVE(&pvc->pvc_list, pc_marker_end, pc_lru);
5091 pvc->active_reclaims--;
5092 mtx_unlock(&pvc->pvc_lock);
5093 reclaim_pv_chunk_leave_pmap(pmap, locked_pmap, start_di);
5094 if (m_pc == NULL && !SLIST_EMPTY(&free)) {
5095 m_pc = SLIST_FIRST(&free);
5096 SLIST_REMOVE_HEAD(&free, plinks.s.ss);
5097 /* Recycle a freed page table page. */
5098 m_pc->ref_count = 1;
5100 vm_page_free_pages_toq(&free, true);
5105 reclaim_pv_chunk(pmap_t locked_pmap, struct rwlock **lockp)
5110 domain = PCPU_GET(domain);
5111 for (i = 0; i < vm_ndomains; i++) {
5112 m = reclaim_pv_chunk_domain(locked_pmap, lockp, domain);
5115 domain = (domain + 1) % vm_ndomains;
5122 * free the pv_entry back to the free list
5125 free_pv_entry(pmap_t pmap, pv_entry_t pv)
5127 struct pv_chunk *pc;
5128 int idx, field, bit;
5130 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5131 PV_STAT(atomic_add_long(&pv_entry_frees, 1));
5132 PV_STAT(atomic_add_int(&pv_entry_spare, 1));
5133 PV_STAT(atomic_subtract_long(&pv_entry_count, 1));
5134 pc = pv_to_chunk(pv);
5135 idx = pv - &pc->pc_pventry[0];
5138 pc->pc_map[field] |= 1ul << bit;
5139 if (pc->pc_map[0] != PC_FREE0 || pc->pc_map[1] != PC_FREE1 ||
5140 pc->pc_map[2] != PC_FREE2) {
5141 /* 98% of the time, pc is already at the head of the list. */
5142 if (__predict_false(pc != TAILQ_FIRST(&pmap->pm_pvchunk))) {
5143 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5144 TAILQ_INSERT_HEAD(&pmap->pm_pvchunk, pc, pc_list);
5148 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5153 free_pv_chunk_dequeued(struct pv_chunk *pc)
5157 PV_STAT(atomic_subtract_int(&pv_entry_spare, _NPCPV));
5158 PV_STAT(atomic_subtract_int(&pc_chunk_count, 1));
5159 PV_STAT(atomic_add_int(&pc_chunk_frees, 1));
5160 /* entire chunk is free, return it */
5161 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pc));
5162 dump_drop_page(m->phys_addr);
5163 vm_page_unwire_noq(m);
5168 free_pv_chunk(struct pv_chunk *pc)
5170 struct pv_chunks_list *pvc;
5172 pvc = &pv_chunks[pc_to_domain(pc)];
5173 mtx_lock(&pvc->pvc_lock);
5174 TAILQ_REMOVE(&pvc->pvc_list, pc, pc_lru);
5175 mtx_unlock(&pvc->pvc_lock);
5176 free_pv_chunk_dequeued(pc);
5180 free_pv_chunk_batch(struct pv_chunklist *batch)
5182 struct pv_chunks_list *pvc;
5183 struct pv_chunk *pc, *npc;
5186 for (i = 0; i < vm_ndomains; i++) {
5187 if (TAILQ_EMPTY(&batch[i]))
5189 pvc = &pv_chunks[i];
5190 mtx_lock(&pvc->pvc_lock);
5191 TAILQ_FOREACH(pc, &batch[i], pc_list) {
5192 TAILQ_REMOVE(&pvc->pvc_list, pc, pc_lru);
5194 mtx_unlock(&pvc->pvc_lock);
5197 for (i = 0; i < vm_ndomains; i++) {
5198 TAILQ_FOREACH_SAFE(pc, &batch[i], pc_list, npc) {
5199 free_pv_chunk_dequeued(pc);
5205 * Returns a new PV entry, allocating a new PV chunk from the system when
5206 * needed. If this PV chunk allocation fails and a PV list lock pointer was
5207 * given, a PV chunk is reclaimed from an arbitrary pmap. Otherwise, NULL is
5210 * The given PV list lock may be released.
5213 get_pv_entry(pmap_t pmap, struct rwlock **lockp)
5215 struct pv_chunks_list *pvc;
5218 struct pv_chunk *pc;
5221 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5222 PV_STAT(atomic_add_long(&pv_entry_allocs, 1));
5224 pc = TAILQ_FIRST(&pmap->pm_pvchunk);
5226 for (field = 0; field < _NPCM; field++) {
5227 if (pc->pc_map[field]) {
5228 bit = bsfq(pc->pc_map[field]);
5232 if (field < _NPCM) {
5233 pv = &pc->pc_pventry[field * 64 + bit];
5234 pc->pc_map[field] &= ~(1ul << bit);
5235 /* If this was the last item, move it to tail */
5236 if (pc->pc_map[0] == 0 && pc->pc_map[1] == 0 &&
5237 pc->pc_map[2] == 0) {
5238 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5239 TAILQ_INSERT_TAIL(&pmap->pm_pvchunk, pc,
5242 PV_STAT(atomic_add_long(&pv_entry_count, 1));
5243 PV_STAT(atomic_subtract_int(&pv_entry_spare, 1));
5247 /* No free items, allocate another chunk */
5248 m = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ |
5251 if (lockp == NULL) {
5252 PV_STAT(pc_chunk_tryfail++);
5255 m = reclaim_pv_chunk(pmap, lockp);
5259 PV_STAT(atomic_add_int(&pc_chunk_count, 1));
5260 PV_STAT(atomic_add_int(&pc_chunk_allocs, 1));
5261 dump_add_page(m->phys_addr);
5262 pc = (void *)PHYS_TO_DMAP(m->phys_addr);
5264 pc->pc_map[0] = PC_FREE0 & ~1ul; /* preallocated bit 0 */
5265 pc->pc_map[1] = PC_FREE1;
5266 pc->pc_map[2] = PC_FREE2;
5267 pvc = &pv_chunks[vm_page_domain(m)];
5268 mtx_lock(&pvc->pvc_lock);
5269 TAILQ_INSERT_TAIL(&pvc->pvc_list, pc, pc_lru);
5270 mtx_unlock(&pvc->pvc_lock);
5271 pv = &pc->pc_pventry[0];
5272 TAILQ_INSERT_HEAD(&pmap->pm_pvchunk, pc, pc_list);
5273 PV_STAT(atomic_add_long(&pv_entry_count, 1));
5274 PV_STAT(atomic_add_int(&pv_entry_spare, _NPCPV - 1));
5279 * Returns the number of one bits within the given PV chunk map.
5281 * The erratas for Intel processors state that "POPCNT Instruction May
5282 * Take Longer to Execute Than Expected". It is believed that the
5283 * issue is the spurious dependency on the destination register.
5284 * Provide a hint to the register rename logic that the destination
5285 * value is overwritten, by clearing it, as suggested in the
5286 * optimization manual. It should be cheap for unaffected processors
5289 * Reference numbers for erratas are
5290 * 4th Gen Core: HSD146
5291 * 5th Gen Core: BDM85
5292 * 6th Gen Core: SKL029
5295 popcnt_pc_map_pq(uint64_t *map)
5299 __asm __volatile("xorl %k0,%k0;popcntq %2,%0;"
5300 "xorl %k1,%k1;popcntq %3,%1;addl %k1,%k0;"
5301 "xorl %k1,%k1;popcntq %4,%1;addl %k1,%k0"
5302 : "=&r" (result), "=&r" (tmp)
5303 : "m" (map[0]), "m" (map[1]), "m" (map[2]));
5308 * Ensure that the number of spare PV entries in the specified pmap meets or
5309 * exceeds the given count, "needed".
5311 * The given PV list lock may be released.
5314 reserve_pv_entries(pmap_t pmap, int needed, struct rwlock **lockp)
5316 struct pv_chunks_list *pvc;
5317 struct pch new_tail[PMAP_MEMDOM];
5318 struct pv_chunk *pc;
5323 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5324 KASSERT(lockp != NULL, ("reserve_pv_entries: lockp is NULL"));
5327 * Newly allocated PV chunks must be stored in a private list until
5328 * the required number of PV chunks have been allocated. Otherwise,
5329 * reclaim_pv_chunk() could recycle one of these chunks. In
5330 * contrast, these chunks must be added to the pmap upon allocation.
5332 for (i = 0; i < PMAP_MEMDOM; i++)
5333 TAILQ_INIT(&new_tail[i]);
5336 TAILQ_FOREACH(pc, &pmap->pm_pvchunk, pc_list) {
5338 if ((cpu_feature2 & CPUID2_POPCNT) == 0)
5339 bit_count((bitstr_t *)pc->pc_map, 0,
5340 sizeof(pc->pc_map) * NBBY, &free);
5343 free = popcnt_pc_map_pq(pc->pc_map);
5347 if (avail >= needed)
5350 for (reclaimed = false; avail < needed; avail += _NPCPV) {
5351 m = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ |
5354 m = reclaim_pv_chunk(pmap, lockp);
5359 PV_STAT(atomic_add_int(&pc_chunk_count, 1));
5360 PV_STAT(atomic_add_int(&pc_chunk_allocs, 1));
5361 dump_add_page(m->phys_addr);
5362 pc = (void *)PHYS_TO_DMAP(m->phys_addr);
5364 pc->pc_map[0] = PC_FREE0;
5365 pc->pc_map[1] = PC_FREE1;
5366 pc->pc_map[2] = PC_FREE2;
5367 TAILQ_INSERT_HEAD(&pmap->pm_pvchunk, pc, pc_list);
5368 TAILQ_INSERT_TAIL(&new_tail[vm_page_domain(m)], pc, pc_lru);
5369 PV_STAT(atomic_add_int(&pv_entry_spare, _NPCPV));
5372 * The reclaim might have freed a chunk from the current pmap.
5373 * If that chunk contained available entries, we need to
5374 * re-count the number of available entries.
5379 for (i = 0; i < vm_ndomains; i++) {
5380 if (TAILQ_EMPTY(&new_tail[i]))
5382 pvc = &pv_chunks[i];
5383 mtx_lock(&pvc->pvc_lock);
5384 TAILQ_CONCAT(&pvc->pvc_list, &new_tail[i], pc_lru);
5385 mtx_unlock(&pvc->pvc_lock);
5390 * First find and then remove the pv entry for the specified pmap and virtual
5391 * address from the specified pv list. Returns the pv entry if found and NULL
5392 * otherwise. This operation can be performed on pv lists for either 4KB or
5393 * 2MB page mappings.
5395 static __inline pv_entry_t
5396 pmap_pvh_remove(struct md_page *pvh, pmap_t pmap, vm_offset_t va)
5400 TAILQ_FOREACH(pv, &pvh->pv_list, pv_next) {
5401 if (pmap == PV_PMAP(pv) && va == pv->pv_va) {
5402 TAILQ_REMOVE(&pvh->pv_list, pv, pv_next);
5411 * After demotion from a 2MB page mapping to 512 4KB page mappings,
5412 * destroy the pv entry for the 2MB page mapping and reinstantiate the pv
5413 * entries for each of the 4KB page mappings.
5416 pmap_pv_demote_pde(pmap_t pmap, vm_offset_t va, vm_paddr_t pa,
5417 struct rwlock **lockp)
5419 struct md_page *pvh;
5420 struct pv_chunk *pc;
5422 vm_offset_t va_last;
5426 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5427 KASSERT((pa & PDRMASK) == 0,
5428 ("pmap_pv_demote_pde: pa is not 2mpage aligned"));
5429 CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, pa);
5432 * Transfer the 2mpage's pv entry for this mapping to the first
5433 * page's pv list. Once this transfer begins, the pv list lock
5434 * must not be released until the last pv entry is reinstantiated.
5436 pvh = pa_to_pvh(pa);
5437 va = trunc_2mpage(va);
5438 pv = pmap_pvh_remove(pvh, pmap, va);
5439 KASSERT(pv != NULL, ("pmap_pv_demote_pde: pv not found"));
5440 m = PHYS_TO_VM_PAGE(pa);
5441 TAILQ_INSERT_TAIL(&m->md.pv_list, pv, pv_next);
5443 /* Instantiate the remaining NPTEPG - 1 pv entries. */
5444 PV_STAT(atomic_add_long(&pv_entry_allocs, NPTEPG - 1));
5445 va_last = va + NBPDR - PAGE_SIZE;
5447 pc = TAILQ_FIRST(&pmap->pm_pvchunk);
5448 KASSERT(pc->pc_map[0] != 0 || pc->pc_map[1] != 0 ||
5449 pc->pc_map[2] != 0, ("pmap_pv_demote_pde: missing spare"));
5450 for (field = 0; field < _NPCM; field++) {
5451 while (pc->pc_map[field]) {
5452 bit = bsfq(pc->pc_map[field]);
5453 pc->pc_map[field] &= ~(1ul << bit);
5454 pv = &pc->pc_pventry[field * 64 + bit];
5458 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
5459 ("pmap_pv_demote_pde: page %p is not managed", m));
5460 TAILQ_INSERT_TAIL(&m->md.pv_list, pv, pv_next);
5466 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5467 TAILQ_INSERT_TAIL(&pmap->pm_pvchunk, pc, pc_list);
5470 if (pc->pc_map[0] == 0 && pc->pc_map[1] == 0 && pc->pc_map[2] == 0) {
5471 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
5472 TAILQ_INSERT_TAIL(&pmap->pm_pvchunk, pc, pc_list);
5474 PV_STAT(atomic_add_long(&pv_entry_count, NPTEPG - 1));
5475 PV_STAT(atomic_subtract_int(&pv_entry_spare, NPTEPG - 1));
5478 #if VM_NRESERVLEVEL > 0
5480 * After promotion from 512 4KB page mappings to a single 2MB page mapping,
5481 * replace the many pv entries for the 4KB page mappings by a single pv entry
5482 * for the 2MB page mapping.
5485 pmap_pv_promote_pde(pmap_t pmap, vm_offset_t va, vm_paddr_t pa,
5486 struct rwlock **lockp)
5488 struct md_page *pvh;
5490 vm_offset_t va_last;
5493 KASSERT((pa & PDRMASK) == 0,
5494 ("pmap_pv_promote_pde: pa is not 2mpage aligned"));
5495 CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, pa);
5498 * Transfer the first page's pv entry for this mapping to the 2mpage's
5499 * pv list. Aside from avoiding the cost of a call to get_pv_entry(),
5500 * a transfer avoids the possibility that get_pv_entry() calls
5501 * reclaim_pv_chunk() and that reclaim_pv_chunk() removes one of the
5502 * mappings that is being promoted.
5504 m = PHYS_TO_VM_PAGE(pa);
5505 va = trunc_2mpage(va);
5506 pv = pmap_pvh_remove(&m->md, pmap, va);
5507 KASSERT(pv != NULL, ("pmap_pv_promote_pde: pv not found"));
5508 pvh = pa_to_pvh(pa);
5509 TAILQ_INSERT_TAIL(&pvh->pv_list, pv, pv_next);
5511 /* Free the remaining NPTEPG - 1 pv entries. */
5512 va_last = va + NBPDR - PAGE_SIZE;
5516 pmap_pvh_free(&m->md, pmap, va);
5517 } while (va < va_last);
5519 #endif /* VM_NRESERVLEVEL > 0 */
5522 * First find and then destroy the pv entry for the specified pmap and virtual
5523 * address. This operation can be performed on pv lists for either 4KB or 2MB
5527 pmap_pvh_free(struct md_page *pvh, pmap_t pmap, vm_offset_t va)
5531 pv = pmap_pvh_remove(pvh, pmap, va);
5532 KASSERT(pv != NULL, ("pmap_pvh_free: pv not found"));
5533 free_pv_entry(pmap, pv);
5537 * Conditionally create the PV entry for a 4KB page mapping if the required
5538 * memory can be allocated without resorting to reclamation.
5541 pmap_try_insert_pv_entry(pmap_t pmap, vm_offset_t va, vm_page_t m,
5542 struct rwlock **lockp)
5546 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5547 /* Pass NULL instead of the lock pointer to disable reclamation. */
5548 if ((pv = get_pv_entry(pmap, NULL)) != NULL) {
5550 CHANGE_PV_LIST_LOCK_TO_VM_PAGE(lockp, m);
5551 TAILQ_INSERT_TAIL(&m->md.pv_list, pv, pv_next);
5559 * Create the PV entry for a 2MB page mapping. Always returns true unless the
5560 * flag PMAP_ENTER_NORECLAIM is specified. If that flag is specified, returns
5561 * false if the PV entry cannot be allocated without resorting to reclamation.
5564 pmap_pv_insert_pde(pmap_t pmap, vm_offset_t va, pd_entry_t pde, u_int flags,
5565 struct rwlock **lockp)
5567 struct md_page *pvh;
5571 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5572 /* Pass NULL instead of the lock pointer to disable reclamation. */
5573 if ((pv = get_pv_entry(pmap, (flags & PMAP_ENTER_NORECLAIM) != 0 ?
5574 NULL : lockp)) == NULL)
5577 pa = pde & PG_PS_FRAME;
5578 CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, pa);
5579 pvh = pa_to_pvh(pa);
5580 TAILQ_INSERT_TAIL(&pvh->pv_list, pv, pv_next);
5586 * Fills a page table page with mappings to consecutive physical pages.
5589 pmap_fill_ptp(pt_entry_t *firstpte, pt_entry_t newpte)
5593 for (pte = firstpte; pte < firstpte + NPTEPG; pte++) {
5595 newpte += PAGE_SIZE;
5600 * Tries to demote a 2MB page mapping. If demotion fails, the 2MB page
5601 * mapping is invalidated.
5604 pmap_demote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va)
5606 struct rwlock *lock;
5610 rv = pmap_demote_pde_locked(pmap, pde, va, &lock);
5617 pmap_demote_pde_check(pt_entry_t *firstpte __unused, pt_entry_t newpte __unused)
5621 pt_entry_t *xpte, *ypte;
5623 for (xpte = firstpte; xpte < firstpte + NPTEPG;
5624 xpte++, newpte += PAGE_SIZE) {
5625 if ((*xpte & PG_FRAME) != (newpte & PG_FRAME)) {
5626 printf("pmap_demote_pde: xpte %zd and newpte map "
5627 "different pages: found %#lx, expected %#lx\n",
5628 xpte - firstpte, *xpte, newpte);
5629 printf("page table dump\n");
5630 for (ypte = firstpte; ypte < firstpte + NPTEPG; ypte++)
5631 printf("%zd %#lx\n", ypte - firstpte, *ypte);
5636 KASSERT((*firstpte & PG_FRAME) == (newpte & PG_FRAME),
5637 ("pmap_demote_pde: firstpte and newpte map different physical"
5644 pmap_demote_pde_abort(pmap_t pmap, vm_offset_t va, pd_entry_t *pde,
5645 pd_entry_t oldpde, struct rwlock **lockp)
5647 struct spglist free;
5651 sva = trunc_2mpage(va);
5652 pmap_remove_pde(pmap, pde, sva, &free, lockp);
5653 if ((oldpde & pmap_global_bit(pmap)) == 0)
5654 pmap_invalidate_pde_page(pmap, sva, oldpde);
5655 vm_page_free_pages_toq(&free, true);
5656 CTR2(KTR_PMAP, "pmap_demote_pde: failure for va %#lx in pmap %p",
5661 pmap_demote_pde_locked(pmap_t pmap, pd_entry_t *pde, vm_offset_t va,
5662 struct rwlock **lockp)
5664 pd_entry_t newpde, oldpde;
5665 pt_entry_t *firstpte, newpte;
5666 pt_entry_t PG_A, PG_G, PG_M, PG_PKU_MASK, PG_RW, PG_V;
5672 PG_A = pmap_accessed_bit(pmap);
5673 PG_G = pmap_global_bit(pmap);
5674 PG_M = pmap_modified_bit(pmap);
5675 PG_RW = pmap_rw_bit(pmap);
5676 PG_V = pmap_valid_bit(pmap);
5677 PG_PTE_CACHE = pmap_cache_mask(pmap, 0);
5678 PG_PKU_MASK = pmap_pku_mask_bit(pmap);
5680 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5681 in_kernel = va >= VM_MAXUSER_ADDRESS;
5683 KASSERT((oldpde & (PG_PS | PG_V)) == (PG_PS | PG_V),
5684 ("pmap_demote_pde: oldpde is missing PG_PS and/or PG_V"));
5687 * Invalidate the 2MB page mapping and return "failure" if the
5688 * mapping was never accessed.
5690 if ((oldpde & PG_A) == 0) {
5691 KASSERT((oldpde & PG_W) == 0,
5692 ("pmap_demote_pde: a wired mapping is missing PG_A"));
5693 pmap_demote_pde_abort(pmap, va, pde, oldpde, lockp);
5697 mpte = pmap_remove_pt_page(pmap, va);
5699 KASSERT((oldpde & PG_W) == 0,
5700 ("pmap_demote_pde: page table page for a wired mapping"
5704 * If the page table page is missing and the mapping
5705 * is for a kernel address, the mapping must belong to
5706 * the direct map. Page table pages are preallocated
5707 * for every other part of the kernel address space,
5708 * so the direct map region is the only part of the
5709 * kernel address space that must be handled here.
5711 KASSERT(!in_kernel || (va >= DMAP_MIN_ADDRESS &&
5712 va < DMAP_MAX_ADDRESS),
5713 ("pmap_demote_pde: No saved mpte for va %#lx", va));
5716 * If the 2MB page mapping belongs to the direct map
5717 * region of the kernel's address space, then the page
5718 * allocation request specifies the highest possible
5719 * priority (VM_ALLOC_INTERRUPT). Otherwise, the
5720 * priority is normal.
5722 mpte = vm_page_alloc(NULL, pmap_pde_pindex(va),
5723 (in_kernel ? VM_ALLOC_INTERRUPT : VM_ALLOC_NORMAL) |
5724 VM_ALLOC_NOOBJ | VM_ALLOC_WIRED);
5727 * If the allocation of the new page table page fails,
5728 * invalidate the 2MB page mapping and return "failure".
5731 pmap_demote_pde_abort(pmap, va, pde, oldpde, lockp);
5736 mpte->ref_count = NPTEPG;
5737 pmap_resident_count_inc(pmap, 1);
5740 mptepa = VM_PAGE_TO_PHYS(mpte);
5741 firstpte = (pt_entry_t *)PHYS_TO_DMAP(mptepa);
5742 newpde = mptepa | PG_M | PG_A | (oldpde & PG_U) | PG_RW | PG_V;
5743 KASSERT((oldpde & (PG_M | PG_RW)) != PG_RW,
5744 ("pmap_demote_pde: oldpde is missing PG_M"));
5745 newpte = oldpde & ~PG_PS;
5746 newpte = pmap_swap_pat(pmap, newpte);
5749 * If the page table page is not leftover from an earlier promotion,
5752 if (mpte->valid == 0)
5753 pmap_fill_ptp(firstpte, newpte);
5755 pmap_demote_pde_check(firstpte, newpte);
5758 * If the mapping has changed attributes, update the page table
5761 if ((*firstpte & PG_PTE_PROMOTE) != (newpte & PG_PTE_PROMOTE))
5762 pmap_fill_ptp(firstpte, newpte);
5765 * The spare PV entries must be reserved prior to demoting the
5766 * mapping, that is, prior to changing the PDE. Otherwise, the state
5767 * of the PDE and the PV lists will be inconsistent, which can result
5768 * in reclaim_pv_chunk() attempting to remove a PV entry from the
5769 * wrong PV list and pmap_pv_demote_pde() failing to find the expected
5770 * PV entry for the 2MB page mapping that is being demoted.
5772 if ((oldpde & PG_MANAGED) != 0)
5773 reserve_pv_entries(pmap, NPTEPG - 1, lockp);
5776 * Demote the mapping. This pmap is locked. The old PDE has
5777 * PG_A set. If the old PDE has PG_RW set, it also has PG_M
5778 * set. Thus, there is no danger of a race with another
5779 * processor changing the setting of PG_A and/or PG_M between
5780 * the read above and the store below.
5782 if (workaround_erratum383)
5783 pmap_update_pde(pmap, va, pde, newpde);
5785 pde_store(pde, newpde);
5788 * Invalidate a stale recursive mapping of the page table page.
5791 pmap_invalidate_page(pmap, (vm_offset_t)vtopte(va));
5794 * Demote the PV entry.
5796 if ((oldpde & PG_MANAGED) != 0)
5797 pmap_pv_demote_pde(pmap, va, oldpde & PG_PS_FRAME, lockp);
5799 atomic_add_long(&pmap_pde_demotions, 1);
5800 CTR2(KTR_PMAP, "pmap_demote_pde: success for va %#lx in pmap %p",
5806 * pmap_remove_kernel_pde: Remove a kernel superpage mapping.
5809 pmap_remove_kernel_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va)
5815 KASSERT(pmap == kernel_pmap, ("pmap %p is not kernel_pmap", pmap));
5816 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5817 mpte = pmap_remove_pt_page(pmap, va);
5819 panic("pmap_remove_kernel_pde: Missing pt page.");
5821 mptepa = VM_PAGE_TO_PHYS(mpte);
5822 newpde = mptepa | X86_PG_M | X86_PG_A | X86_PG_RW | X86_PG_V;
5825 * If this page table page was unmapped by a promotion, then it
5826 * contains valid mappings. Zero it to invalidate those mappings.
5828 if (mpte->valid != 0)
5829 pagezero((void *)PHYS_TO_DMAP(mptepa));
5832 * Demote the mapping.
5834 if (workaround_erratum383)
5835 pmap_update_pde(pmap, va, pde, newpde);
5837 pde_store(pde, newpde);
5840 * Invalidate a stale recursive mapping of the page table page.
5842 pmap_invalidate_page(pmap, (vm_offset_t)vtopte(va));
5846 * pmap_remove_pde: do the things to unmap a superpage in a process
5849 pmap_remove_pde(pmap_t pmap, pd_entry_t *pdq, vm_offset_t sva,
5850 struct spglist *free, struct rwlock **lockp)
5852 struct md_page *pvh;
5854 vm_offset_t eva, va;
5856 pt_entry_t PG_G, PG_A, PG_M, PG_RW;
5858 PG_G = pmap_global_bit(pmap);
5859 PG_A = pmap_accessed_bit(pmap);
5860 PG_M = pmap_modified_bit(pmap);
5861 PG_RW = pmap_rw_bit(pmap);
5863 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5864 KASSERT((sva & PDRMASK) == 0,
5865 ("pmap_remove_pde: sva is not 2mpage aligned"));
5866 oldpde = pte_load_clear(pdq);
5868 pmap->pm_stats.wired_count -= NBPDR / PAGE_SIZE;
5869 if ((oldpde & PG_G) != 0)
5870 pmap_invalidate_pde_page(kernel_pmap, sva, oldpde);
5871 pmap_resident_count_dec(pmap, NBPDR / PAGE_SIZE);
5872 if (oldpde & PG_MANAGED) {
5873 CHANGE_PV_LIST_LOCK_TO_PHYS(lockp, oldpde & PG_PS_FRAME);
5874 pvh = pa_to_pvh(oldpde & PG_PS_FRAME);
5875 pmap_pvh_free(pvh, pmap, sva);
5877 for (va = sva, m = PHYS_TO_VM_PAGE(oldpde & PG_PS_FRAME);
5878 va < eva; va += PAGE_SIZE, m++) {
5879 if ((oldpde & (PG_M | PG_RW)) == (PG_M | PG_RW))
5882 vm_page_aflag_set(m, PGA_REFERENCED);
5883 if (TAILQ_EMPTY(&m->md.pv_list) &&
5884 TAILQ_EMPTY(&pvh->pv_list))
5885 vm_page_aflag_clear(m, PGA_WRITEABLE);
5886 pmap_delayed_invl_page(m);
5889 if (pmap == kernel_pmap) {
5890 pmap_remove_kernel_pde(pmap, pdq, sva);
5892 mpte = pmap_remove_pt_page(pmap, sva);
5894 KASSERT(mpte->valid == VM_PAGE_BITS_ALL,
5895 ("pmap_remove_pde: pte page not promoted"));
5896 pmap_resident_count_dec(pmap, 1);
5897 KASSERT(mpte->ref_count == NPTEPG,
5898 ("pmap_remove_pde: pte page ref count error"));
5899 mpte->ref_count = 0;
5900 pmap_add_delayed_free_list(mpte, free, FALSE);
5903 return (pmap_unuse_pt(pmap, sva, *pmap_pdpe(pmap, sva), free));
5907 * pmap_remove_pte: do the things to unmap a page in a process
5910 pmap_remove_pte(pmap_t pmap, pt_entry_t *ptq, vm_offset_t va,
5911 pd_entry_t ptepde, struct spglist *free, struct rwlock **lockp)
5913 struct md_page *pvh;
5914 pt_entry_t oldpte, PG_A, PG_M, PG_RW;
5917 PG_A = pmap_accessed_bit(pmap);
5918 PG_M = pmap_modified_bit(pmap);
5919 PG_RW = pmap_rw_bit(pmap);
5921 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5922 oldpte = pte_load_clear(ptq);
5924 pmap->pm_stats.wired_count -= 1;
5925 pmap_resident_count_dec(pmap, 1);
5926 if (oldpte & PG_MANAGED) {
5927 m = PHYS_TO_VM_PAGE(oldpte & PG_FRAME);
5928 if ((oldpte & (PG_M | PG_RW)) == (PG_M | PG_RW))
5931 vm_page_aflag_set(m, PGA_REFERENCED);
5932 CHANGE_PV_LIST_LOCK_TO_VM_PAGE(lockp, m);
5933 pmap_pvh_free(&m->md, pmap, va);
5934 if (TAILQ_EMPTY(&m->md.pv_list) &&
5935 (m->flags & PG_FICTITIOUS) == 0) {
5936 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
5937 if (TAILQ_EMPTY(&pvh->pv_list))
5938 vm_page_aflag_clear(m, PGA_WRITEABLE);
5940 pmap_delayed_invl_page(m);
5942 return (pmap_unuse_pt(pmap, va, ptepde, free));
5946 * Remove a single page from a process address space
5949 pmap_remove_page(pmap_t pmap, vm_offset_t va, pd_entry_t *pde,
5950 struct spglist *free)
5952 struct rwlock *lock;
5953 pt_entry_t *pte, PG_V;
5955 PG_V = pmap_valid_bit(pmap);
5956 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5957 if ((*pde & PG_V) == 0)
5959 pte = pmap_pde_to_pte(pde, va);
5960 if ((*pte & PG_V) == 0)
5963 pmap_remove_pte(pmap, pte, va, *pde, free, &lock);
5966 pmap_invalidate_page(pmap, va);
5970 * Removes the specified range of addresses from the page table page.
5973 pmap_remove_ptes(pmap_t pmap, vm_offset_t sva, vm_offset_t eva,
5974 pd_entry_t *pde, struct spglist *free, struct rwlock **lockp)
5976 pt_entry_t PG_G, *pte;
5980 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
5981 PG_G = pmap_global_bit(pmap);
5984 for (pte = pmap_pde_to_pte(pde, sva); sva != eva; pte++,
5988 pmap_invalidate_range(pmap, va, sva);
5993 if ((*pte & PG_G) == 0)
5997 if (pmap_remove_pte(pmap, pte, sva, *pde, free, lockp)) {
6003 pmap_invalidate_range(pmap, va, sva);
6008 * Remove the given range of addresses from the specified map.
6010 * It is assumed that the start and end are properly
6011 * rounded to the page size.
6014 pmap_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
6016 struct rwlock *lock;
6018 vm_offset_t va_next;
6019 pml5_entry_t *pml5e;
6020 pml4_entry_t *pml4e;
6022 pd_entry_t ptpaddr, *pde;
6023 pt_entry_t PG_G, PG_V;
6024 struct spglist free;
6027 PG_G = pmap_global_bit(pmap);
6028 PG_V = pmap_valid_bit(pmap);
6031 * Perform an unsynchronized read. This is, however, safe.
6033 if (pmap->pm_stats.resident_count == 0)
6039 pmap_delayed_invl_start();
6041 pmap_pkru_on_remove(pmap, sva, eva);
6044 * special handling of removing one page. a very
6045 * common operation and easy to short circuit some
6048 if (sva + PAGE_SIZE == eva) {
6049 pde = pmap_pde(pmap, sva);
6050 if (pde && (*pde & PG_PS) == 0) {
6051 pmap_remove_page(pmap, sva, pde, &free);
6057 for (; sva < eva; sva = va_next) {
6058 if (pmap->pm_stats.resident_count == 0)
6061 if (pmap_is_la57(pmap)) {
6062 pml5e = pmap_pml5e(pmap, sva);
6063 if ((*pml5e & PG_V) == 0) {
6064 va_next = (sva + NBPML5) & ~PML5MASK;
6069 pml4e = pmap_pml5e_to_pml4e(pml5e, sva);
6071 pml4e = pmap_pml4e(pmap, sva);
6073 if ((*pml4e & PG_V) == 0) {
6074 va_next = (sva + NBPML4) & ~PML4MASK;
6080 va_next = (sva + NBPDP) & ~PDPMASK;
6083 pdpe = pmap_pml4e_to_pdpe(pml4e, sva);
6084 if ((*pdpe & PG_V) == 0)
6086 if ((*pdpe & PG_PS) != 0) {
6087 KASSERT(va_next <= eva,
6088 ("partial update of non-transparent 1G mapping "
6089 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
6090 *pdpe, sva, eva, va_next));
6091 MPASS(pmap != kernel_pmap); /* XXXKIB */
6092 MPASS((*pdpe & (PG_MANAGED | PG_G)) == 0);
6095 pmap_resident_count_dec(pmap, NBPDP / PAGE_SIZE);
6096 mt = PHYS_TO_VM_PAGE(*pmap_pml4e(pmap, sva) & PG_FRAME);
6097 pmap_unwire_ptp(pmap, sva, mt, &free);
6102 * Calculate index for next page table.
6104 va_next = (sva + NBPDR) & ~PDRMASK;
6108 pde = pmap_pdpe_to_pde(pdpe, sva);
6112 * Weed out invalid mappings.
6118 * Check for large page.
6120 if ((ptpaddr & PG_PS) != 0) {
6122 * Are we removing the entire large page? If not,
6123 * demote the mapping and fall through.
6125 if (sva + NBPDR == va_next && eva >= va_next) {
6127 * The TLB entry for a PG_G mapping is
6128 * invalidated by pmap_remove_pde().
6130 if ((ptpaddr & PG_G) == 0)
6132 pmap_remove_pde(pmap, pde, sva, &free, &lock);
6134 } else if (!pmap_demote_pde_locked(pmap, pde, sva,
6136 /* The large page mapping was destroyed. */
6143 * Limit our scan to either the end of the va represented
6144 * by the current page table page, or to the end of the
6145 * range being removed.
6150 if (pmap_remove_ptes(pmap, sva, va_next, pde, &free, &lock))
6157 pmap_invalidate_all(pmap);
6159 pmap_delayed_invl_finish();
6160 vm_page_free_pages_toq(&free, true);
6164 * Routine: pmap_remove_all
6166 * Removes this physical page from
6167 * all physical maps in which it resides.
6168 * Reflects back modify bits to the pager.
6171 * Original versions of this routine were very
6172 * inefficient because they iteratively called
6173 * pmap_remove (slow...)
6177 pmap_remove_all(vm_page_t m)
6179 struct md_page *pvh;
6182 struct rwlock *lock;
6183 pt_entry_t *pte, tpte, PG_A, PG_M, PG_RW;
6186 struct spglist free;
6187 int pvh_gen, md_gen;
6189 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
6190 ("pmap_remove_all: page %p is not managed", m));
6192 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
6193 pvh = (m->flags & PG_FICTITIOUS) != 0 ? &pv_dummy :
6194 pa_to_pvh(VM_PAGE_TO_PHYS(m));
6197 while ((pv = TAILQ_FIRST(&pvh->pv_list)) != NULL) {
6199 if (!PMAP_TRYLOCK(pmap)) {
6200 pvh_gen = pvh->pv_gen;
6204 if (pvh_gen != pvh->pv_gen) {
6211 pde = pmap_pde(pmap, va);
6212 (void)pmap_demote_pde_locked(pmap, pde, va, &lock);
6215 while ((pv = TAILQ_FIRST(&m->md.pv_list)) != NULL) {
6217 if (!PMAP_TRYLOCK(pmap)) {
6218 pvh_gen = pvh->pv_gen;
6219 md_gen = m->md.pv_gen;
6223 if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
6229 PG_A = pmap_accessed_bit(pmap);
6230 PG_M = pmap_modified_bit(pmap);
6231 PG_RW = pmap_rw_bit(pmap);
6232 pmap_resident_count_dec(pmap, 1);
6233 pde = pmap_pde(pmap, pv->pv_va);
6234 KASSERT((*pde & PG_PS) == 0, ("pmap_remove_all: found"
6235 " a 2mpage in page %p's pv list", m));
6236 pte = pmap_pde_to_pte(pde, pv->pv_va);
6237 tpte = pte_load_clear(pte);
6239 pmap->pm_stats.wired_count--;
6241 vm_page_aflag_set(m, PGA_REFERENCED);
6244 * Update the vm_page_t clean and reference bits.
6246 if ((tpte & (PG_M | PG_RW)) == (PG_M | PG_RW))
6248 pmap_unuse_pt(pmap, pv->pv_va, *pde, &free);
6249 pmap_invalidate_page(pmap, pv->pv_va);
6250 TAILQ_REMOVE(&m->md.pv_list, pv, pv_next);
6252 free_pv_entry(pmap, pv);
6255 vm_page_aflag_clear(m, PGA_WRITEABLE);
6257 pmap_delayed_invl_wait(m);
6258 vm_page_free_pages_toq(&free, true);
6262 * pmap_protect_pde: do the things to protect a 2mpage in a process
6265 pmap_protect_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t sva, vm_prot_t prot)
6267 pd_entry_t newpde, oldpde;
6269 boolean_t anychanged;
6270 pt_entry_t PG_G, PG_M, PG_RW;
6272 PG_G = pmap_global_bit(pmap);
6273 PG_M = pmap_modified_bit(pmap);
6274 PG_RW = pmap_rw_bit(pmap);
6276 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
6277 KASSERT((sva & PDRMASK) == 0,
6278 ("pmap_protect_pde: sva is not 2mpage aligned"));
6281 oldpde = newpde = *pde;
6282 if ((prot & VM_PROT_WRITE) == 0) {
6283 if ((oldpde & (PG_MANAGED | PG_M | PG_RW)) ==
6284 (PG_MANAGED | PG_M | PG_RW)) {
6285 m = PHYS_TO_VM_PAGE(oldpde & PG_PS_FRAME);
6286 for (mt = m; mt < &m[NBPDR / PAGE_SIZE]; mt++)
6289 newpde &= ~(PG_RW | PG_M);
6291 if ((prot & VM_PROT_EXECUTE) == 0)
6293 if (newpde != oldpde) {
6295 * As an optimization to future operations on this PDE, clear
6296 * PG_PROMOTED. The impending invalidation will remove any
6297 * lingering 4KB page mappings from the TLB.
6299 if (!atomic_cmpset_long(pde, oldpde, newpde & ~PG_PROMOTED))
6301 if ((oldpde & PG_G) != 0)
6302 pmap_invalidate_pde_page(kernel_pmap, sva, oldpde);
6306 return (anychanged);
6310 * Set the physical protection on the
6311 * specified range of this map as requested.
6314 pmap_protect(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, vm_prot_t prot)
6317 vm_offset_t va_next;
6318 pml4_entry_t *pml4e;
6320 pd_entry_t ptpaddr, *pde;
6321 pt_entry_t *pte, PG_G, PG_M, PG_RW, PG_V;
6322 pt_entry_t obits, pbits;
6323 boolean_t anychanged;
6325 KASSERT((prot & ~VM_PROT_ALL) == 0, ("invalid prot %x", prot));
6326 if (prot == VM_PROT_NONE) {
6327 pmap_remove(pmap, sva, eva);
6331 if ((prot & (VM_PROT_WRITE|VM_PROT_EXECUTE)) ==
6332 (VM_PROT_WRITE|VM_PROT_EXECUTE))
6335 PG_G = pmap_global_bit(pmap);
6336 PG_M = pmap_modified_bit(pmap);
6337 PG_V = pmap_valid_bit(pmap);
6338 PG_RW = pmap_rw_bit(pmap);
6342 * Although this function delays and batches the invalidation
6343 * of stale TLB entries, it does not need to call
6344 * pmap_delayed_invl_start() and
6345 * pmap_delayed_invl_finish(), because it does not
6346 * ordinarily destroy mappings. Stale TLB entries from
6347 * protection-only changes need only be invalidated before the
6348 * pmap lock is released, because protection-only changes do
6349 * not destroy PV entries. Even operations that iterate over
6350 * a physical page's PV list of mappings, like
6351 * pmap_remove_write(), acquire the pmap lock for each
6352 * mapping. Consequently, for protection-only changes, the
6353 * pmap lock suffices to synchronize both page table and TLB
6356 * This function only destroys a mapping if pmap_demote_pde()
6357 * fails. In that case, stale TLB entries are immediately
6362 for (; sva < eva; sva = va_next) {
6363 pml4e = pmap_pml4e(pmap, sva);
6364 if (pml4e == NULL || (*pml4e & PG_V) == 0) {
6365 va_next = (sva + NBPML4) & ~PML4MASK;
6371 va_next = (sva + NBPDP) & ~PDPMASK;
6374 pdpe = pmap_pml4e_to_pdpe(pml4e, sva);
6375 if ((*pdpe & PG_V) == 0)
6377 if ((*pdpe & PG_PS) != 0) {
6378 KASSERT(va_next <= eva,
6379 ("partial update of non-transparent 1G mapping "
6380 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
6381 *pdpe, sva, eva, va_next));
6383 obits = pbits = *pdpe;
6384 MPASS((pbits & (PG_MANAGED | PG_G)) == 0);
6385 MPASS(pmap != kernel_pmap); /* XXXKIB */
6386 if ((prot & VM_PROT_WRITE) == 0)
6387 pbits &= ~(PG_RW | PG_M);
6388 if ((prot & VM_PROT_EXECUTE) == 0)
6391 if (pbits != obits) {
6392 if (!atomic_cmpset_long(pdpe, obits, pbits))
6393 /* PG_PS cannot be cleared under us, */
6400 va_next = (sva + NBPDR) & ~PDRMASK;
6404 pde = pmap_pdpe_to_pde(pdpe, sva);
6408 * Weed out invalid mappings.
6414 * Check for large page.
6416 if ((ptpaddr & PG_PS) != 0) {
6418 * Are we protecting the entire large page? If not,
6419 * demote the mapping and fall through.
6421 if (sva + NBPDR == va_next && eva >= va_next) {
6423 * The TLB entry for a PG_G mapping is
6424 * invalidated by pmap_protect_pde().
6426 if (pmap_protect_pde(pmap, pde, sva, prot))
6429 } else if (!pmap_demote_pde(pmap, pde, sva)) {
6431 * The large page mapping was destroyed.
6440 for (pte = pmap_pde_to_pte(pde, sva); sva != va_next; pte++,
6443 obits = pbits = *pte;
6444 if ((pbits & PG_V) == 0)
6447 if ((prot & VM_PROT_WRITE) == 0) {
6448 if ((pbits & (PG_MANAGED | PG_M | PG_RW)) ==
6449 (PG_MANAGED | PG_M | PG_RW)) {
6450 m = PHYS_TO_VM_PAGE(pbits & PG_FRAME);
6453 pbits &= ~(PG_RW | PG_M);
6455 if ((prot & VM_PROT_EXECUTE) == 0)
6458 if (pbits != obits) {
6459 if (!atomic_cmpset_long(pte, obits, pbits))
6462 pmap_invalidate_page(pmap, sva);
6469 pmap_invalidate_all(pmap);
6473 #if VM_NRESERVLEVEL > 0
6475 pmap_pde_ept_executable(pmap_t pmap, pd_entry_t pde)
6478 if (pmap->pm_type != PT_EPT)
6480 return ((pde & EPT_PG_EXECUTE) != 0);
6484 * Tries to promote the 512, contiguous 4KB page mappings that are within a
6485 * single page table page (PTP) to a single 2MB page mapping. For promotion
6486 * to occur, two conditions must be met: (1) the 4KB page mappings must map
6487 * aligned, contiguous physical memory and (2) the 4KB page mappings must have
6488 * identical characteristics.
6491 pmap_promote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va,
6492 struct rwlock **lockp)
6495 pt_entry_t *firstpte, oldpte, pa, *pte;
6496 pt_entry_t PG_G, PG_A, PG_M, PG_RW, PG_V, PG_PKU_MASK;
6500 PG_A = pmap_accessed_bit(pmap);
6501 PG_G = pmap_global_bit(pmap);
6502 PG_M = pmap_modified_bit(pmap);
6503 PG_V = pmap_valid_bit(pmap);
6504 PG_RW = pmap_rw_bit(pmap);
6505 PG_PKU_MASK = pmap_pku_mask_bit(pmap);
6506 PG_PTE_CACHE = pmap_cache_mask(pmap, 0);
6508 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
6511 * Examine the first PTE in the specified PTP. Abort if this PTE is
6512 * either invalid, unused, or does not map the first 4KB physical page
6513 * within a 2MB page.
6515 firstpte = (pt_entry_t *)PHYS_TO_DMAP(*pde & PG_FRAME);
6518 if ((newpde & ((PG_FRAME & PDRMASK) | PG_A | PG_V)) != (PG_A | PG_V) ||
6519 !pmap_allow_2m_x_page(pmap, pmap_pde_ept_executable(pmap,
6521 atomic_add_long(&pmap_pde_p_failures, 1);
6522 CTR2(KTR_PMAP, "pmap_promote_pde: failure for va %#lx"
6523 " in pmap %p", va, pmap);
6526 if ((newpde & (PG_M | PG_RW)) == PG_RW) {
6528 * When PG_M is already clear, PG_RW can be cleared without
6529 * a TLB invalidation.
6531 if (!atomic_cmpset_long(firstpte, newpde, newpde & ~PG_RW))
6537 * Examine each of the other PTEs in the specified PTP. Abort if this
6538 * PTE maps an unexpected 4KB physical page or does not have identical
6539 * characteristics to the first PTE.
6541 pa = (newpde & (PG_PS_FRAME | PG_A | PG_V)) + NBPDR - PAGE_SIZE;
6542 for (pte = firstpte + NPTEPG - 1; pte > firstpte; pte--) {
6545 if ((oldpte & (PG_FRAME | PG_A | PG_V)) != pa) {
6546 atomic_add_long(&pmap_pde_p_failures, 1);
6547 CTR2(KTR_PMAP, "pmap_promote_pde: failure for va %#lx"
6548 " in pmap %p", va, pmap);
6551 if ((oldpte & (PG_M | PG_RW)) == PG_RW) {
6553 * When PG_M is already clear, PG_RW can be cleared
6554 * without a TLB invalidation.
6556 if (!atomic_cmpset_long(pte, oldpte, oldpte & ~PG_RW))
6559 CTR2(KTR_PMAP, "pmap_promote_pde: protect for va %#lx"
6560 " in pmap %p", (oldpte & PG_FRAME & PDRMASK) |
6561 (va & ~PDRMASK), pmap);
6563 if ((oldpte & PG_PTE_PROMOTE) != (newpde & PG_PTE_PROMOTE)) {
6564 atomic_add_long(&pmap_pde_p_failures, 1);
6565 CTR2(KTR_PMAP, "pmap_promote_pde: failure for va %#lx"
6566 " in pmap %p", va, pmap);
6573 * Save the page table page in its current state until the PDE
6574 * mapping the superpage is demoted by pmap_demote_pde() or
6575 * destroyed by pmap_remove_pde().
6577 mpte = PHYS_TO_VM_PAGE(*pde & PG_FRAME);
6578 KASSERT(mpte >= vm_page_array &&
6579 mpte < &vm_page_array[vm_page_array_size],
6580 ("pmap_promote_pde: page table page is out of range"));
6581 KASSERT(mpte->pindex == pmap_pde_pindex(va),
6582 ("pmap_promote_pde: page table page's pindex is wrong "
6583 "mpte %p pidx %#lx va %#lx va pde pidx %#lx",
6584 mpte, mpte->pindex, va, pmap_pde_pindex(va)));
6585 if (pmap_insert_pt_page(pmap, mpte, true)) {
6586 atomic_add_long(&pmap_pde_p_failures, 1);
6588 "pmap_promote_pde: failure for va %#lx in pmap %p", va,
6594 * Promote the pv entries.
6596 if ((newpde & PG_MANAGED) != 0)
6597 pmap_pv_promote_pde(pmap, va, newpde & PG_PS_FRAME, lockp);
6600 * Propagate the PAT index to its proper position.
6602 newpde = pmap_swap_pat(pmap, newpde);
6605 * Map the superpage.
6607 if (workaround_erratum383)
6608 pmap_update_pde(pmap, va, pde, PG_PS | newpde);
6610 pde_store(pde, PG_PROMOTED | PG_PS | newpde);
6612 atomic_add_long(&pmap_pde_promotions, 1);
6613 CTR2(KTR_PMAP, "pmap_promote_pde: success for va %#lx"
6614 " in pmap %p", va, pmap);
6616 #endif /* VM_NRESERVLEVEL > 0 */
6619 pmap_enter_largepage(pmap_t pmap, vm_offset_t va, pt_entry_t newpte, int flags,
6623 pt_entry_t origpte, *pml4e, *pdpe, *pde, pten, PG_V;
6625 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
6626 KASSERT(psind > 0 && psind < MAXPAGESIZES && pagesizes[psind] != 0,
6627 ("psind %d unexpected", psind));
6628 KASSERT(((newpte & PG_FRAME) & (pagesizes[psind] - 1)) == 0,
6629 ("unaligned phys address %#lx newpte %#lx psind %d",
6630 newpte & PG_FRAME, newpte, psind));
6631 KASSERT((va & (pagesizes[psind] - 1)) == 0,
6632 ("unaligned va %#lx psind %d", va, psind));
6633 KASSERT(va < VM_MAXUSER_ADDRESS,
6634 ("kernel mode non-transparent superpage")); /* XXXKIB */
6635 KASSERT(va + pagesizes[psind] < VM_MAXUSER_ADDRESS,
6636 ("overflowing user map va %#lx psind %d", va, psind)); /* XXXKIB */
6638 PG_V = pmap_valid_bit(pmap);
6641 if (!pmap_pkru_same(pmap, va, va + pagesizes[psind]))
6642 return (KERN_PROTECTION_FAILURE);
6644 if (va < VM_MAXUSER_ADDRESS && pmap->pm_type == PT_X86)
6645 pten |= pmap_pkru_get(pmap, va);
6647 if (psind == 2) { /* 1G */
6648 pml4e = pmap_pml4e(pmap, va);
6649 if (pml4e == NULL || (*pml4e & PG_V) == 0) {
6650 mp = pmap_allocpte_alloc(pmap, pmap_pml4e_pindex(va),
6654 pdpe = (pdp_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(mp));
6655 pdpe = &pdpe[pmap_pdpe_index(va)];
6657 MPASS(origpte == 0);
6659 pdpe = pmap_pml4e_to_pdpe(pml4e, va);
6660 KASSERT(pdpe != NULL, ("va %#lx lost pdpe", va));
6662 if ((origpte & PG_V) == 0) {
6663 mp = PHYS_TO_VM_PAGE(*pml4e & PG_FRAME);
6668 } else /* (psind == 1) */ { /* 2M */
6669 pde = pmap_pde(pmap, va);
6671 mp = pmap_allocpte_alloc(pmap, pmap_pdpe_pindex(va),
6675 pde = (pd_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(mp));
6676 pde = &pde[pmap_pde_index(va)];
6678 MPASS(origpte == 0);
6681 if ((origpte & PG_V) == 0) {
6682 pdpe = pmap_pdpe(pmap, va);
6683 MPASS(pdpe != NULL && (*pdpe & PG_V) != 0);
6684 mp = PHYS_TO_VM_PAGE(*pdpe & PG_FRAME);
6690 KASSERT((origpte & PG_V) == 0 || ((origpte & PG_PS) != 0 &&
6691 (origpte & PG_PS_FRAME) == (pten & PG_PS_FRAME)),
6692 ("va %#lx changing %s phys page origpte %#lx pten %#lx",
6693 va, psind == 2 ? "1G" : "2M", origpte, pten));
6694 if ((pten & PG_W) != 0 && (origpte & PG_W) == 0)
6695 pmap->pm_stats.wired_count += pagesizes[psind] / PAGE_SIZE;
6696 else if ((pten & PG_W) == 0 && (origpte & PG_W) != 0)
6697 pmap->pm_stats.wired_count -= pagesizes[psind] / PAGE_SIZE;
6698 if ((origpte & PG_V) == 0)
6699 pmap_resident_count_inc(pmap, pagesizes[psind] / PAGE_SIZE);
6701 return (KERN_SUCCESS);
6704 if ((flags & PMAP_ENTER_NOSLEEP) != 0)
6705 return (KERN_RESOURCE_SHORTAGE);
6713 * Insert the given physical page (p) at
6714 * the specified virtual address (v) in the
6715 * target physical map with the protection requested.
6717 * If specified, the page will be wired down, meaning
6718 * that the related pte can not be reclaimed.
6720 * NB: This is the only routine which MAY NOT lazy-evaluate
6721 * or lose information. That is, this routine must actually
6722 * insert this page into the given map NOW.
6724 * When destroying both a page table and PV entry, this function
6725 * performs the TLB invalidation before releasing the PV list
6726 * lock, so we do not need pmap_delayed_invl_page() calls here.
6729 pmap_enter(pmap_t pmap, vm_offset_t va, vm_page_t m, vm_prot_t prot,
6730 u_int flags, int8_t psind)
6732 struct rwlock *lock;
6734 pt_entry_t *pte, PG_G, PG_A, PG_M, PG_RW, PG_V;
6735 pt_entry_t newpte, origpte;
6742 PG_A = pmap_accessed_bit(pmap);
6743 PG_G = pmap_global_bit(pmap);
6744 PG_M = pmap_modified_bit(pmap);
6745 PG_V = pmap_valid_bit(pmap);
6746 PG_RW = pmap_rw_bit(pmap);
6748 va = trunc_page(va);
6749 KASSERT(va <= VM_MAX_KERNEL_ADDRESS, ("pmap_enter: toobig"));
6750 KASSERT(va < UPT_MIN_ADDRESS || va >= UPT_MAX_ADDRESS,
6751 ("pmap_enter: invalid to pmap_enter page table pages (va: 0x%lx)",
6753 KASSERT((m->oflags & VPO_UNMANAGED) != 0 || va < kmi.clean_sva ||
6754 va >= kmi.clean_eva,
6755 ("pmap_enter: managed mapping within the clean submap"));
6756 if ((m->oflags & VPO_UNMANAGED) == 0)
6757 VM_PAGE_OBJECT_BUSY_ASSERT(m);
6758 KASSERT((flags & PMAP_ENTER_RESERVED) == 0,
6759 ("pmap_enter: flags %u has reserved bits set", flags));
6760 pa = VM_PAGE_TO_PHYS(m);
6761 newpte = (pt_entry_t)(pa | PG_A | PG_V);
6762 if ((flags & VM_PROT_WRITE) != 0)
6764 if ((prot & VM_PROT_WRITE) != 0)
6766 KASSERT((newpte & (PG_M | PG_RW)) != PG_M,
6767 ("pmap_enter: flags includes VM_PROT_WRITE but prot doesn't"));
6768 if ((prot & VM_PROT_EXECUTE) == 0)
6770 if ((flags & PMAP_ENTER_WIRED) != 0)
6772 if (va < VM_MAXUSER_ADDRESS)
6774 if (pmap == kernel_pmap)
6776 newpte |= pmap_cache_bits(pmap, m->md.pat_mode, psind > 0);
6779 * Set modified bit gratuitously for writeable mappings if
6780 * the page is unmanaged. We do not want to take a fault
6781 * to do the dirty bit accounting for these mappings.
6783 if ((m->oflags & VPO_UNMANAGED) != 0) {
6784 if ((newpte & PG_RW) != 0)
6787 newpte |= PG_MANAGED;
6791 if ((flags & PMAP_ENTER_LARGEPAGE) != 0) {
6792 KASSERT((m->oflags & VPO_UNMANAGED) != 0,
6793 ("managed largepage va %#lx flags %#x", va, flags));
6794 rv = pmap_enter_largepage(pmap, va, newpte | PG_PS, flags,
6799 /* Assert the required virtual and physical alignment. */
6800 KASSERT((va & PDRMASK) == 0, ("pmap_enter: va unaligned"));
6801 KASSERT(m->psind > 0, ("pmap_enter: m->psind < psind"));
6802 rv = pmap_enter_pde(pmap, va, newpte | PG_PS, flags, m, &lock);
6808 * In the case that a page table page is not
6809 * resident, we are creating it here.
6812 pde = pmap_pde(pmap, va);
6813 if (pde != NULL && (*pde & PG_V) != 0 && ((*pde & PG_PS) == 0 ||
6814 pmap_demote_pde_locked(pmap, pde, va, &lock))) {
6815 pte = pmap_pde_to_pte(pde, va);
6816 if (va < VM_MAXUSER_ADDRESS && mpte == NULL) {
6817 mpte = PHYS_TO_VM_PAGE(*pde & PG_FRAME);
6820 } else if (va < VM_MAXUSER_ADDRESS) {
6822 * Here if the pte page isn't mapped, or if it has been
6825 nosleep = (flags & PMAP_ENTER_NOSLEEP) != 0;
6826 mpte = pmap_allocpte_alloc(pmap, pmap_pde_pindex(va),
6827 nosleep ? NULL : &lock, va);
6828 if (mpte == NULL && nosleep) {
6829 rv = KERN_RESOURCE_SHORTAGE;
6834 panic("pmap_enter: invalid page directory va=%#lx", va);
6838 if (va < VM_MAXUSER_ADDRESS && pmap->pm_type == PT_X86)
6839 newpte |= pmap_pkru_get(pmap, va);
6842 * Is the specified virtual address already mapped?
6844 if ((origpte & PG_V) != 0) {
6846 * Wiring change, just update stats. We don't worry about
6847 * wiring PT pages as they remain resident as long as there
6848 * are valid mappings in them. Hence, if a user page is wired,
6849 * the PT page will be also.
6851 if ((newpte & PG_W) != 0 && (origpte & PG_W) == 0)
6852 pmap->pm_stats.wired_count++;
6853 else if ((newpte & PG_W) == 0 && (origpte & PG_W) != 0)
6854 pmap->pm_stats.wired_count--;
6857 * Remove the extra PT page reference.
6861 KASSERT(mpte->ref_count > 0,
6862 ("pmap_enter: missing reference to page table page,"
6867 * Has the physical page changed?
6869 opa = origpte & PG_FRAME;
6872 * No, might be a protection or wiring change.
6874 if ((origpte & PG_MANAGED) != 0 &&
6875 (newpte & PG_RW) != 0)
6876 vm_page_aflag_set(m, PGA_WRITEABLE);
6877 if (((origpte ^ newpte) & ~(PG_M | PG_A)) == 0)
6883 * The physical page has changed. Temporarily invalidate
6884 * the mapping. This ensures that all threads sharing the
6885 * pmap keep a consistent view of the mapping, which is
6886 * necessary for the correct handling of COW faults. It
6887 * also permits reuse of the old mapping's PV entry,
6888 * avoiding an allocation.
6890 * For consistency, handle unmanaged mappings the same way.
6892 origpte = pte_load_clear(pte);
6893 KASSERT((origpte & PG_FRAME) == opa,
6894 ("pmap_enter: unexpected pa update for %#lx", va));
6895 if ((origpte & PG_MANAGED) != 0) {
6896 om = PHYS_TO_VM_PAGE(opa);
6899 * The pmap lock is sufficient to synchronize with
6900 * concurrent calls to pmap_page_test_mappings() and
6901 * pmap_ts_referenced().
6903 if ((origpte & (PG_M | PG_RW)) == (PG_M | PG_RW))
6905 if ((origpte & PG_A) != 0) {
6906 pmap_invalidate_page(pmap, va);
6907 vm_page_aflag_set(om, PGA_REFERENCED);
6909 CHANGE_PV_LIST_LOCK_TO_PHYS(&lock, opa);
6910 pv = pmap_pvh_remove(&om->md, pmap, va);
6912 ("pmap_enter: no PV entry for %#lx", va));
6913 if ((newpte & PG_MANAGED) == 0)
6914 free_pv_entry(pmap, pv);
6915 if ((om->a.flags & PGA_WRITEABLE) != 0 &&
6916 TAILQ_EMPTY(&om->md.pv_list) &&
6917 ((om->flags & PG_FICTITIOUS) != 0 ||
6918 TAILQ_EMPTY(&pa_to_pvh(opa)->pv_list)))
6919 vm_page_aflag_clear(om, PGA_WRITEABLE);
6922 * Since this mapping is unmanaged, assume that PG_A
6925 pmap_invalidate_page(pmap, va);
6930 * Increment the counters.
6932 if ((newpte & PG_W) != 0)
6933 pmap->pm_stats.wired_count++;
6934 pmap_resident_count_inc(pmap, 1);
6938 * Enter on the PV list if part of our managed memory.
6940 if ((newpte & PG_MANAGED) != 0) {
6942 pv = get_pv_entry(pmap, &lock);
6945 CHANGE_PV_LIST_LOCK_TO_PHYS(&lock, pa);
6946 TAILQ_INSERT_TAIL(&m->md.pv_list, pv, pv_next);
6948 if ((newpte & PG_RW) != 0)
6949 vm_page_aflag_set(m, PGA_WRITEABLE);
6955 if ((origpte & PG_V) != 0) {
6957 origpte = pte_load_store(pte, newpte);
6958 KASSERT((origpte & PG_FRAME) == pa,
6959 ("pmap_enter: unexpected pa update for %#lx", va));
6960 if ((newpte & PG_M) == 0 && (origpte & (PG_M | PG_RW)) ==
6962 if ((origpte & PG_MANAGED) != 0)
6966 * Although the PTE may still have PG_RW set, TLB
6967 * invalidation may nonetheless be required because
6968 * the PTE no longer has PG_M set.
6970 } else if ((origpte & PG_NX) != 0 || (newpte & PG_NX) == 0) {
6972 * This PTE change does not require TLB invalidation.
6976 if ((origpte & PG_A) != 0)
6977 pmap_invalidate_page(pmap, va);
6979 pte_store(pte, newpte);
6983 #if VM_NRESERVLEVEL > 0
6985 * If both the page table page and the reservation are fully
6986 * populated, then attempt promotion.
6988 if ((mpte == NULL || mpte->ref_count == NPTEPG) &&
6989 pmap_ps_enabled(pmap) &&
6990 (m->flags & PG_FICTITIOUS) == 0 &&
6991 vm_reserv_level_iffullpop(m) == 0)
6992 pmap_promote_pde(pmap, pde, va, &lock);
7004 * Tries to create a read- and/or execute-only 2MB page mapping. Returns true
7005 * if successful. Returns false if (1) a page table page cannot be allocated
7006 * without sleeping, (2) a mapping already exists at the specified virtual
7007 * address, or (3) a PV entry cannot be allocated without reclaiming another
7011 pmap_enter_2mpage(pmap_t pmap, vm_offset_t va, vm_page_t m, vm_prot_t prot,
7012 struct rwlock **lockp)
7017 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
7018 PG_V = pmap_valid_bit(pmap);
7019 newpde = VM_PAGE_TO_PHYS(m) | pmap_cache_bits(pmap, m->md.pat_mode, 1) |
7021 if ((m->oflags & VPO_UNMANAGED) == 0)
7022 newpde |= PG_MANAGED;
7023 if ((prot & VM_PROT_EXECUTE) == 0)
7025 if (va < VM_MAXUSER_ADDRESS)
7027 return (pmap_enter_pde(pmap, va, newpde, PMAP_ENTER_NOSLEEP |
7028 PMAP_ENTER_NOREPLACE | PMAP_ENTER_NORECLAIM, NULL, lockp) ==
7033 * Returns true if every page table entry in the specified page table page is
7037 pmap_every_pte_zero(vm_paddr_t pa)
7039 pt_entry_t *pt_end, *pte;
7041 KASSERT((pa & PAGE_MASK) == 0, ("pa is misaligned"));
7042 pte = (pt_entry_t *)PHYS_TO_DMAP(pa);
7043 for (pt_end = pte + NPTEPG; pte < pt_end; pte++) {
7051 * Tries to create the specified 2MB page mapping. Returns KERN_SUCCESS if
7052 * the mapping was created, and either KERN_FAILURE or KERN_RESOURCE_SHORTAGE
7053 * otherwise. Returns KERN_FAILURE if PMAP_ENTER_NOREPLACE was specified and
7054 * a mapping already exists at the specified virtual address. Returns
7055 * KERN_RESOURCE_SHORTAGE if PMAP_ENTER_NOSLEEP was specified and a page table
7056 * page allocation failed. Returns KERN_RESOURCE_SHORTAGE if
7057 * PMAP_ENTER_NORECLAIM was specified and a PV entry allocation failed.
7059 * The parameter "m" is only used when creating a managed, writeable mapping.
7062 pmap_enter_pde(pmap_t pmap, vm_offset_t va, pd_entry_t newpde, u_int flags,
7063 vm_page_t m, struct rwlock **lockp)
7065 struct spglist free;
7066 pd_entry_t oldpde, *pde;
7067 pt_entry_t PG_G, PG_RW, PG_V;
7070 KASSERT(pmap == kernel_pmap || (newpde & PG_W) == 0,
7071 ("pmap_enter_pde: cannot create wired user mapping"));
7072 PG_G = pmap_global_bit(pmap);
7073 PG_RW = pmap_rw_bit(pmap);
7074 KASSERT((newpde & (pmap_modified_bit(pmap) | PG_RW)) != PG_RW,
7075 ("pmap_enter_pde: newpde is missing PG_M"));
7076 PG_V = pmap_valid_bit(pmap);
7077 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
7079 if (!pmap_allow_2m_x_page(pmap, pmap_pde_ept_executable(pmap,
7081 CTR2(KTR_PMAP, "pmap_enter_pde: 2m x blocked for va %#lx"
7082 " in pmap %p", va, pmap);
7083 return (KERN_FAILURE);
7085 if ((pde = pmap_alloc_pde(pmap, va, &pdpg, (flags &
7086 PMAP_ENTER_NOSLEEP) != 0 ? NULL : lockp)) == NULL) {
7087 CTR2(KTR_PMAP, "pmap_enter_pde: failure for va %#lx"
7088 " in pmap %p", va, pmap);
7089 return (KERN_RESOURCE_SHORTAGE);
7093 * If pkru is not same for the whole pde range, return failure
7094 * and let vm_fault() cope. Check after pde allocation, since
7097 if (!pmap_pkru_same(pmap, va, va + NBPDR)) {
7098 pmap_abort_ptp(pmap, va, pdpg);
7099 return (KERN_FAILURE);
7101 if (va < VM_MAXUSER_ADDRESS && pmap->pm_type == PT_X86) {
7102 newpde &= ~X86_PG_PKU_MASK;
7103 newpde |= pmap_pkru_get(pmap, va);
7107 * If there are existing mappings, either abort or remove them.
7110 if ((oldpde & PG_V) != 0) {
7111 KASSERT(pdpg == NULL || pdpg->ref_count > 1,
7112 ("pmap_enter_pde: pdpg's reference count is too low"));
7113 if ((flags & PMAP_ENTER_NOREPLACE) != 0 && (va <
7114 VM_MAXUSER_ADDRESS || (oldpde & PG_PS) != 0 ||
7115 !pmap_every_pte_zero(oldpde & PG_FRAME))) {
7118 CTR2(KTR_PMAP, "pmap_enter_pde: failure for va %#lx"
7119 " in pmap %p", va, pmap);
7120 return (KERN_FAILURE);
7122 /* Break the existing mapping(s). */
7124 if ((oldpde & PG_PS) != 0) {
7126 * The reference to the PD page that was acquired by
7127 * pmap_alloc_pde() ensures that it won't be freed.
7128 * However, if the PDE resulted from a promotion, then
7129 * a reserved PT page could be freed.
7131 (void)pmap_remove_pde(pmap, pde, va, &free, lockp);
7132 if ((oldpde & PG_G) == 0)
7133 pmap_invalidate_pde_page(pmap, va, oldpde);
7135 pmap_delayed_invl_start();
7136 if (pmap_remove_ptes(pmap, va, va + NBPDR, pde, &free,
7138 pmap_invalidate_all(pmap);
7139 pmap_delayed_invl_finish();
7141 if (va < VM_MAXUSER_ADDRESS) {
7142 vm_page_free_pages_toq(&free, true);
7143 KASSERT(*pde == 0, ("pmap_enter_pde: non-zero pde %p",
7146 KASSERT(SLIST_EMPTY(&free),
7147 ("pmap_enter_pde: freed kernel page table page"));
7150 * Both pmap_remove_pde() and pmap_remove_ptes() will
7151 * leave the kernel page table page zero filled.
7153 mt = PHYS_TO_VM_PAGE(*pde & PG_FRAME);
7154 if (pmap_insert_pt_page(pmap, mt, false))
7155 panic("pmap_enter_pde: trie insert failed");
7159 if ((newpde & PG_MANAGED) != 0) {
7161 * Abort this mapping if its PV entry could not be created.
7163 if (!pmap_pv_insert_pde(pmap, va, newpde, flags, lockp)) {
7165 pmap_abort_ptp(pmap, va, pdpg);
7166 CTR2(KTR_PMAP, "pmap_enter_pde: failure for va %#lx"
7167 " in pmap %p", va, pmap);
7168 return (KERN_RESOURCE_SHORTAGE);
7170 if ((newpde & PG_RW) != 0) {
7171 for (mt = m; mt < &m[NBPDR / PAGE_SIZE]; mt++)
7172 vm_page_aflag_set(mt, PGA_WRITEABLE);
7177 * Increment counters.
7179 if ((newpde & PG_W) != 0)
7180 pmap->pm_stats.wired_count += NBPDR / PAGE_SIZE;
7181 pmap_resident_count_inc(pmap, NBPDR / PAGE_SIZE);
7184 * Map the superpage. (This is not a promoted mapping; there will not
7185 * be any lingering 4KB page mappings in the TLB.)
7187 pde_store(pde, newpde);
7189 atomic_add_long(&pmap_pde_mappings, 1);
7190 CTR2(KTR_PMAP, "pmap_enter_pde: success for va %#lx in pmap %p",
7192 return (KERN_SUCCESS);
7196 * Maps a sequence of resident pages belonging to the same object.
7197 * The sequence begins with the given page m_start. This page is
7198 * mapped at the given virtual address start. Each subsequent page is
7199 * mapped at a virtual address that is offset from start by the same
7200 * amount as the page is offset from m_start within the object. The
7201 * last page in the sequence is the page with the largest offset from
7202 * m_start that can be mapped at a virtual address less than the given
7203 * virtual address end. Not every virtual page between start and end
7204 * is mapped; only those for which a resident page exists with the
7205 * corresponding offset from m_start are mapped.
7208 pmap_enter_object(pmap_t pmap, vm_offset_t start, vm_offset_t end,
7209 vm_page_t m_start, vm_prot_t prot)
7211 struct rwlock *lock;
7214 vm_pindex_t diff, psize;
7216 VM_OBJECT_ASSERT_LOCKED(m_start->object);
7218 psize = atop(end - start);
7223 while (m != NULL && (diff = m->pindex - m_start->pindex) < psize) {
7224 va = start + ptoa(diff);
7225 if ((va & PDRMASK) == 0 && va + NBPDR <= end &&
7226 m->psind == 1 && pmap_ps_enabled(pmap) &&
7227 pmap_allow_2m_x_page(pmap, (prot & VM_PROT_EXECUTE) != 0) &&
7228 pmap_enter_2mpage(pmap, va, m, prot, &lock))
7229 m = &m[NBPDR / PAGE_SIZE - 1];
7231 mpte = pmap_enter_quick_locked(pmap, va, m, prot,
7233 m = TAILQ_NEXT(m, listq);
7241 * this code makes some *MAJOR* assumptions:
7242 * 1. Current pmap & pmap exists.
7245 * 4. No page table pages.
7246 * but is *MUCH* faster than pmap_enter...
7250 pmap_enter_quick(pmap_t pmap, vm_offset_t va, vm_page_t m, vm_prot_t prot)
7252 struct rwlock *lock;
7256 (void)pmap_enter_quick_locked(pmap, va, m, prot, NULL, &lock);
7263 pmap_enter_quick_locked(pmap_t pmap, vm_offset_t va, vm_page_t m,
7264 vm_prot_t prot, vm_page_t mpte, struct rwlock **lockp)
7266 pt_entry_t newpte, *pte, PG_V;
7268 KASSERT(va < kmi.clean_sva || va >= kmi.clean_eva ||
7269 (m->oflags & VPO_UNMANAGED) != 0,
7270 ("pmap_enter_quick_locked: managed mapping within the clean submap"));
7271 PG_V = pmap_valid_bit(pmap);
7272 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
7275 * In the case that a page table page is not
7276 * resident, we are creating it here.
7278 if (va < VM_MAXUSER_ADDRESS) {
7279 vm_pindex_t ptepindex;
7283 * Calculate pagetable page index
7285 ptepindex = pmap_pde_pindex(va);
7286 if (mpte && (mpte->pindex == ptepindex)) {
7290 * Get the page directory entry
7292 ptepa = pmap_pde(pmap, va);
7295 * If the page table page is mapped, we just increment
7296 * the hold count, and activate it. Otherwise, we
7297 * attempt to allocate a page table page. If this
7298 * attempt fails, we don't retry. Instead, we give up.
7300 if (ptepa && (*ptepa & PG_V) != 0) {
7303 mpte = PHYS_TO_VM_PAGE(*ptepa & PG_FRAME);
7307 * Pass NULL instead of the PV list lock
7308 * pointer, because we don't intend to sleep.
7310 mpte = pmap_allocpte_alloc(pmap, ptepindex,
7316 pte = (pt_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(mpte));
7317 pte = &pte[pmap_pte_index(va)];
7329 * Enter on the PV list if part of our managed memory.
7331 if ((m->oflags & VPO_UNMANAGED) == 0 &&
7332 !pmap_try_insert_pv_entry(pmap, va, m, lockp)) {
7334 pmap_abort_ptp(pmap, va, mpte);
7339 * Increment counters
7341 pmap_resident_count_inc(pmap, 1);
7343 newpte = VM_PAGE_TO_PHYS(m) | PG_V |
7344 pmap_cache_bits(pmap, m->md.pat_mode, 0);
7345 if ((m->oflags & VPO_UNMANAGED) == 0)
7346 newpte |= PG_MANAGED;
7347 if ((prot & VM_PROT_EXECUTE) == 0)
7349 if (va < VM_MAXUSER_ADDRESS)
7350 newpte |= PG_U | pmap_pkru_get(pmap, va);
7351 pte_store(pte, newpte);
7356 * Make a temporary mapping for a physical address. This is only intended
7357 * to be used for panic dumps.
7360 pmap_kenter_temporary(vm_paddr_t pa, int i)
7364 va = (vm_offset_t)crashdumpmap + (i * PAGE_SIZE);
7365 pmap_kenter(va, pa);
7367 return ((void *)crashdumpmap);
7371 * This code maps large physical mmap regions into the
7372 * processor address space. Note that some shortcuts
7373 * are taken, but the code works.
7376 pmap_object_init_pt(pmap_t pmap, vm_offset_t addr, vm_object_t object,
7377 vm_pindex_t pindex, vm_size_t size)
7380 pt_entry_t PG_A, PG_M, PG_RW, PG_V;
7381 vm_paddr_t pa, ptepa;
7385 PG_A = pmap_accessed_bit(pmap);
7386 PG_M = pmap_modified_bit(pmap);
7387 PG_V = pmap_valid_bit(pmap);
7388 PG_RW = pmap_rw_bit(pmap);
7390 VM_OBJECT_ASSERT_WLOCKED(object);
7391 KASSERT(object->type == OBJT_DEVICE || object->type == OBJT_SG,
7392 ("pmap_object_init_pt: non-device object"));
7393 if ((addr & (NBPDR - 1)) == 0 && (size & (NBPDR - 1)) == 0) {
7394 if (!pmap_ps_enabled(pmap))
7396 if (!vm_object_populate(object, pindex, pindex + atop(size)))
7398 p = vm_page_lookup(object, pindex);
7399 KASSERT(p->valid == VM_PAGE_BITS_ALL,
7400 ("pmap_object_init_pt: invalid page %p", p));
7401 pat_mode = p->md.pat_mode;
7404 * Abort the mapping if the first page is not physically
7405 * aligned to a 2MB page boundary.
7407 ptepa = VM_PAGE_TO_PHYS(p);
7408 if (ptepa & (NBPDR - 1))
7412 * Skip the first page. Abort the mapping if the rest of
7413 * the pages are not physically contiguous or have differing
7414 * memory attributes.
7416 p = TAILQ_NEXT(p, listq);
7417 for (pa = ptepa + PAGE_SIZE; pa < ptepa + size;
7419 KASSERT(p->valid == VM_PAGE_BITS_ALL,
7420 ("pmap_object_init_pt: invalid page %p", p));
7421 if (pa != VM_PAGE_TO_PHYS(p) ||
7422 pat_mode != p->md.pat_mode)
7424 p = TAILQ_NEXT(p, listq);
7428 * Map using 2MB pages. Since "ptepa" is 2M aligned and
7429 * "size" is a multiple of 2M, adding the PAT setting to "pa"
7430 * will not affect the termination of this loop.
7433 for (pa = ptepa | pmap_cache_bits(pmap, pat_mode, 1);
7434 pa < ptepa + size; pa += NBPDR) {
7435 pde = pmap_alloc_pde(pmap, addr, &pdpg, NULL);
7438 * The creation of mappings below is only an
7439 * optimization. If a page directory page
7440 * cannot be allocated without blocking,
7441 * continue on to the next mapping rather than
7447 if ((*pde & PG_V) == 0) {
7448 pde_store(pde, pa | PG_PS | PG_M | PG_A |
7449 PG_U | PG_RW | PG_V);
7450 pmap_resident_count_inc(pmap, NBPDR / PAGE_SIZE);
7451 atomic_add_long(&pmap_pde_mappings, 1);
7453 /* Continue on if the PDE is already valid. */
7455 KASSERT(pdpg->ref_count > 0,
7456 ("pmap_object_init_pt: missing reference "
7457 "to page directory page, va: 0x%lx", addr));
7466 * Clear the wired attribute from the mappings for the specified range of
7467 * addresses in the given pmap. Every valid mapping within that range
7468 * must have the wired attribute set. In contrast, invalid mappings
7469 * cannot have the wired attribute set, so they are ignored.
7471 * The wired attribute of the page table entry is not a hardware
7472 * feature, so there is no need to invalidate any TLB entries.
7473 * Since pmap_demote_pde() for the wired entry must never fail,
7474 * pmap_delayed_invl_start()/finish() calls around the
7475 * function are not needed.
7478 pmap_unwire(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
7480 vm_offset_t va_next;
7481 pml4_entry_t *pml4e;
7484 pt_entry_t *pte, PG_V, PG_G;
7486 PG_V = pmap_valid_bit(pmap);
7487 PG_G = pmap_global_bit(pmap);
7489 for (; sva < eva; sva = va_next) {
7490 pml4e = pmap_pml4e(pmap, sva);
7491 if (pml4e == NULL || (*pml4e & PG_V) == 0) {
7492 va_next = (sva + NBPML4) & ~PML4MASK;
7498 va_next = (sva + NBPDP) & ~PDPMASK;
7501 pdpe = pmap_pml4e_to_pdpe(pml4e, sva);
7502 if ((*pdpe & PG_V) == 0)
7504 if ((*pdpe & PG_PS) != 0) {
7505 KASSERT(va_next <= eva,
7506 ("partial update of non-transparent 1G mapping "
7507 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
7508 *pdpe, sva, eva, va_next));
7509 MPASS(pmap != kernel_pmap); /* XXXKIB */
7510 MPASS((*pdpe & (PG_MANAGED | PG_G)) == 0);
7511 atomic_clear_long(pdpe, PG_W);
7512 pmap->pm_stats.wired_count -= NBPDP / PAGE_SIZE;
7516 va_next = (sva + NBPDR) & ~PDRMASK;
7519 pde = pmap_pdpe_to_pde(pdpe, sva);
7520 if ((*pde & PG_V) == 0)
7522 if ((*pde & PG_PS) != 0) {
7523 if ((*pde & PG_W) == 0)
7524 panic("pmap_unwire: pde %#jx is missing PG_W",
7528 * Are we unwiring the entire large page? If not,
7529 * demote the mapping and fall through.
7531 if (sva + NBPDR == va_next && eva >= va_next) {
7532 atomic_clear_long(pde, PG_W);
7533 pmap->pm_stats.wired_count -= NBPDR /
7536 } else if (!pmap_demote_pde(pmap, pde, sva))
7537 panic("pmap_unwire: demotion failed");
7541 for (pte = pmap_pde_to_pte(pde, sva); sva != va_next; pte++,
7543 if ((*pte & PG_V) == 0)
7545 if ((*pte & PG_W) == 0)
7546 panic("pmap_unwire: pte %#jx is missing PG_W",
7550 * PG_W must be cleared atomically. Although the pmap
7551 * lock synchronizes access to PG_W, another processor
7552 * could be setting PG_M and/or PG_A concurrently.
7554 atomic_clear_long(pte, PG_W);
7555 pmap->pm_stats.wired_count--;
7562 * Copy the range specified by src_addr/len
7563 * from the source map to the range dst_addr/len
7564 * in the destination map.
7566 * This routine is only advisory and need not do anything.
7569 pmap_copy(pmap_t dst_pmap, pmap_t src_pmap, vm_offset_t dst_addr, vm_size_t len,
7570 vm_offset_t src_addr)
7572 struct rwlock *lock;
7573 pml4_entry_t *pml4e;
7575 pd_entry_t *pde, srcptepaddr;
7576 pt_entry_t *dst_pte, PG_A, PG_M, PG_V, ptetemp, *src_pte;
7577 vm_offset_t addr, end_addr, va_next;
7578 vm_page_t dst_pdpg, dstmpte, srcmpte;
7580 if (dst_addr != src_addr)
7583 if (dst_pmap->pm_type != src_pmap->pm_type)
7587 * EPT page table entries that require emulation of A/D bits are
7588 * sensitive to clearing the PG_A bit (aka EPT_PG_READ). Although
7589 * we clear PG_M (aka EPT_PG_WRITE) concomitantly, the PG_U bit
7590 * (aka EPT_PG_EXECUTE) could still be set. Since some EPT
7591 * implementations flag an EPT misconfiguration for exec-only
7592 * mappings we skip this function entirely for emulated pmaps.
7594 if (pmap_emulate_ad_bits(dst_pmap))
7597 end_addr = src_addr + len;
7599 if (dst_pmap < src_pmap) {
7600 PMAP_LOCK(dst_pmap);
7601 PMAP_LOCK(src_pmap);
7603 PMAP_LOCK(src_pmap);
7604 PMAP_LOCK(dst_pmap);
7607 PG_A = pmap_accessed_bit(dst_pmap);
7608 PG_M = pmap_modified_bit(dst_pmap);
7609 PG_V = pmap_valid_bit(dst_pmap);
7611 for (addr = src_addr; addr < end_addr; addr = va_next) {
7612 KASSERT(addr < UPT_MIN_ADDRESS,
7613 ("pmap_copy: invalid to pmap_copy page tables"));
7615 pml4e = pmap_pml4e(src_pmap, addr);
7616 if (pml4e == NULL || (*pml4e & PG_V) == 0) {
7617 va_next = (addr + NBPML4) & ~PML4MASK;
7623 va_next = (addr + NBPDP) & ~PDPMASK;
7626 pdpe = pmap_pml4e_to_pdpe(pml4e, addr);
7627 if ((*pdpe & PG_V) == 0)
7629 if ((*pdpe & PG_PS) != 0) {
7630 KASSERT(va_next <= end_addr,
7631 ("partial update of non-transparent 1G mapping "
7632 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
7633 *pdpe, addr, end_addr, va_next));
7634 MPASS((addr & PDPMASK) == 0);
7635 MPASS((*pdpe & PG_MANAGED) == 0);
7636 srcptepaddr = *pdpe;
7637 pdpe = pmap_pdpe(dst_pmap, addr);
7639 if (pmap_allocpte_alloc(dst_pmap,
7640 pmap_pml4e_pindex(addr), NULL, addr) ==
7643 pdpe = pmap_pdpe(dst_pmap, addr);
7645 pml4e = pmap_pml4e(dst_pmap, addr);
7646 dst_pdpg = PHYS_TO_VM_PAGE(*pml4e & PG_FRAME);
7647 dst_pdpg->ref_count++;
7650 ("1G mapping present in dst pmap "
7651 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
7652 *pdpe, addr, end_addr, va_next));
7653 *pdpe = srcptepaddr & ~PG_W;
7654 pmap_resident_count_inc(dst_pmap, NBPDP / PAGE_SIZE);
7658 va_next = (addr + NBPDR) & ~PDRMASK;
7662 pde = pmap_pdpe_to_pde(pdpe, addr);
7664 if (srcptepaddr == 0)
7667 if (srcptepaddr & PG_PS) {
7668 if ((addr & PDRMASK) != 0 || addr + NBPDR > end_addr)
7670 pde = pmap_alloc_pde(dst_pmap, addr, &dst_pdpg, NULL);
7673 if (*pde == 0 && ((srcptepaddr & PG_MANAGED) == 0 ||
7674 pmap_pv_insert_pde(dst_pmap, addr, srcptepaddr,
7675 PMAP_ENTER_NORECLAIM, &lock))) {
7676 *pde = srcptepaddr & ~PG_W;
7677 pmap_resident_count_inc(dst_pmap, NBPDR /
7679 atomic_add_long(&pmap_pde_mappings, 1);
7681 pmap_abort_ptp(dst_pmap, addr, dst_pdpg);
7685 srcptepaddr &= PG_FRAME;
7686 srcmpte = PHYS_TO_VM_PAGE(srcptepaddr);
7687 KASSERT(srcmpte->ref_count > 0,
7688 ("pmap_copy: source page table page is unused"));
7690 if (va_next > end_addr)
7693 src_pte = (pt_entry_t *)PHYS_TO_DMAP(srcptepaddr);
7694 src_pte = &src_pte[pmap_pte_index(addr)];
7696 for (; addr < va_next; addr += PAGE_SIZE, src_pte++) {
7700 * We only virtual copy managed pages.
7702 if ((ptetemp & PG_MANAGED) == 0)
7705 if (dstmpte != NULL) {
7706 KASSERT(dstmpte->pindex ==
7707 pmap_pde_pindex(addr),
7708 ("dstmpte pindex/addr mismatch"));
7709 dstmpte->ref_count++;
7710 } else if ((dstmpte = pmap_allocpte(dst_pmap, addr,
7713 dst_pte = (pt_entry_t *)
7714 PHYS_TO_DMAP(VM_PAGE_TO_PHYS(dstmpte));
7715 dst_pte = &dst_pte[pmap_pte_index(addr)];
7716 if (*dst_pte == 0 &&
7717 pmap_try_insert_pv_entry(dst_pmap, addr,
7718 PHYS_TO_VM_PAGE(ptetemp & PG_FRAME), &lock)) {
7720 * Clear the wired, modified, and accessed
7721 * (referenced) bits during the copy.
7723 *dst_pte = ptetemp & ~(PG_W | PG_M | PG_A);
7724 pmap_resident_count_inc(dst_pmap, 1);
7726 pmap_abort_ptp(dst_pmap, addr, dstmpte);
7729 /* Have we copied all of the valid mappings? */
7730 if (dstmpte->ref_count >= srcmpte->ref_count)
7737 PMAP_UNLOCK(src_pmap);
7738 PMAP_UNLOCK(dst_pmap);
7742 pmap_vmspace_copy(pmap_t dst_pmap, pmap_t src_pmap)
7746 if (dst_pmap->pm_type != src_pmap->pm_type ||
7747 dst_pmap->pm_type != PT_X86 ||
7748 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) == 0)
7751 if (dst_pmap < src_pmap) {
7752 PMAP_LOCK(dst_pmap);
7753 PMAP_LOCK(src_pmap);
7755 PMAP_LOCK(src_pmap);
7756 PMAP_LOCK(dst_pmap);
7758 error = pmap_pkru_copy(dst_pmap, src_pmap);
7759 /* Clean up partial copy on failure due to no memory. */
7760 if (error == ENOMEM)
7761 pmap_pkru_deassign_all(dst_pmap);
7762 PMAP_UNLOCK(src_pmap);
7763 PMAP_UNLOCK(dst_pmap);
7764 if (error != ENOMEM)
7772 * Zero the specified hardware page.
7775 pmap_zero_page(vm_page_t m)
7777 vm_offset_t va = PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m));
7779 pagezero((void *)va);
7783 * Zero an an area within a single hardware page. off and size must not
7784 * cover an area beyond a single hardware page.
7787 pmap_zero_page_area(vm_page_t m, int off, int size)
7789 vm_offset_t va = PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m));
7791 if (off == 0 && size == PAGE_SIZE)
7792 pagezero((void *)va);
7794 bzero((char *)va + off, size);
7798 * Copy 1 specified hardware page to another.
7801 pmap_copy_page(vm_page_t msrc, vm_page_t mdst)
7803 vm_offset_t src = PHYS_TO_DMAP(VM_PAGE_TO_PHYS(msrc));
7804 vm_offset_t dst = PHYS_TO_DMAP(VM_PAGE_TO_PHYS(mdst));
7806 pagecopy((void *)src, (void *)dst);
7809 int unmapped_buf_allowed = 1;
7812 pmap_copy_pages(vm_page_t ma[], vm_offset_t a_offset, vm_page_t mb[],
7813 vm_offset_t b_offset, int xfersize)
7817 vm_offset_t vaddr[2], a_pg_offset, b_pg_offset;
7821 while (xfersize > 0) {
7822 a_pg_offset = a_offset & PAGE_MASK;
7823 pages[0] = ma[a_offset >> PAGE_SHIFT];
7824 b_pg_offset = b_offset & PAGE_MASK;
7825 pages[1] = mb[b_offset >> PAGE_SHIFT];
7826 cnt = min(xfersize, PAGE_SIZE - a_pg_offset);
7827 cnt = min(cnt, PAGE_SIZE - b_pg_offset);
7828 mapped = pmap_map_io_transient(pages, vaddr, 2, FALSE);
7829 a_cp = (char *)vaddr[0] + a_pg_offset;
7830 b_cp = (char *)vaddr[1] + b_pg_offset;
7831 bcopy(a_cp, b_cp, cnt);
7832 if (__predict_false(mapped))
7833 pmap_unmap_io_transient(pages, vaddr, 2, FALSE);
7841 * Returns true if the pmap's pv is one of the first
7842 * 16 pvs linked to from this page. This count may
7843 * be changed upwards or downwards in the future; it
7844 * is only necessary that true be returned for a small
7845 * subset of pmaps for proper page aging.
7848 pmap_page_exists_quick(pmap_t pmap, vm_page_t m)
7850 struct md_page *pvh;
7851 struct rwlock *lock;
7856 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
7857 ("pmap_page_exists_quick: page %p is not managed", m));
7859 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
7861 TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
7862 if (PV_PMAP(pv) == pmap) {
7870 if (!rv && loops < 16 && (m->flags & PG_FICTITIOUS) == 0) {
7871 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
7872 TAILQ_FOREACH(pv, &pvh->pv_list, pv_next) {
7873 if (PV_PMAP(pv) == pmap) {
7887 * pmap_page_wired_mappings:
7889 * Return the number of managed mappings to the given physical page
7893 pmap_page_wired_mappings(vm_page_t m)
7895 struct rwlock *lock;
7896 struct md_page *pvh;
7900 int count, md_gen, pvh_gen;
7902 if ((m->oflags & VPO_UNMANAGED) != 0)
7904 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
7908 TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
7910 if (!PMAP_TRYLOCK(pmap)) {
7911 md_gen = m->md.pv_gen;
7915 if (md_gen != m->md.pv_gen) {
7920 pte = pmap_pte(pmap, pv->pv_va);
7921 if ((*pte & PG_W) != 0)
7925 if ((m->flags & PG_FICTITIOUS) == 0) {
7926 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
7927 TAILQ_FOREACH(pv, &pvh->pv_list, pv_next) {
7929 if (!PMAP_TRYLOCK(pmap)) {
7930 md_gen = m->md.pv_gen;
7931 pvh_gen = pvh->pv_gen;
7935 if (md_gen != m->md.pv_gen ||
7936 pvh_gen != pvh->pv_gen) {
7941 pte = pmap_pde(pmap, pv->pv_va);
7942 if ((*pte & PG_W) != 0)
7952 * Returns TRUE if the given page is mapped individually or as part of
7953 * a 2mpage. Otherwise, returns FALSE.
7956 pmap_page_is_mapped(vm_page_t m)
7958 struct rwlock *lock;
7961 if ((m->oflags & VPO_UNMANAGED) != 0)
7963 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
7965 rv = !TAILQ_EMPTY(&m->md.pv_list) ||
7966 ((m->flags & PG_FICTITIOUS) == 0 &&
7967 !TAILQ_EMPTY(&pa_to_pvh(VM_PAGE_TO_PHYS(m))->pv_list));
7973 * Destroy all managed, non-wired mappings in the given user-space
7974 * pmap. This pmap cannot be active on any processor besides the
7977 * This function cannot be applied to the kernel pmap. Moreover, it
7978 * is not intended for general use. It is only to be used during
7979 * process termination. Consequently, it can be implemented in ways
7980 * that make it faster than pmap_remove(). First, it can more quickly
7981 * destroy mappings by iterating over the pmap's collection of PV
7982 * entries, rather than searching the page table. Second, it doesn't
7983 * have to test and clear the page table entries atomically, because
7984 * no processor is currently accessing the user address space. In
7985 * particular, a page table entry's dirty bit won't change state once
7986 * this function starts.
7988 * Although this function destroys all of the pmap's managed,
7989 * non-wired mappings, it can delay and batch the invalidation of TLB
7990 * entries without calling pmap_delayed_invl_start() and
7991 * pmap_delayed_invl_finish(). Because the pmap is not active on
7992 * any other processor, none of these TLB entries will ever be used
7993 * before their eventual invalidation. Consequently, there is no need
7994 * for either pmap_remove_all() or pmap_remove_write() to wait for
7995 * that eventual TLB invalidation.
7998 pmap_remove_pages(pmap_t pmap)
8001 pt_entry_t *pte, tpte;
8002 pt_entry_t PG_M, PG_RW, PG_V;
8003 struct spglist free;
8004 struct pv_chunklist free_chunks[PMAP_MEMDOM];
8005 vm_page_t m, mpte, mt;
8007 struct md_page *pvh;
8008 struct pv_chunk *pc, *npc;
8009 struct rwlock *lock;
8011 uint64_t inuse, bitmask;
8012 int allfree, field, freed, i, idx;
8013 boolean_t superpage;
8017 * Assert that the given pmap is only active on the current
8018 * CPU. Unfortunately, we cannot block another CPU from
8019 * activating the pmap while this function is executing.
8021 KASSERT(pmap == PCPU_GET(curpmap), ("non-current pmap %p", pmap));
8024 cpuset_t other_cpus;
8026 other_cpus = all_cpus;
8028 CPU_CLR(PCPU_GET(cpuid), &other_cpus);
8029 CPU_AND(&other_cpus, &pmap->pm_active);
8031 KASSERT(CPU_EMPTY(&other_cpus), ("pmap active %p", pmap));
8036 PG_M = pmap_modified_bit(pmap);
8037 PG_V = pmap_valid_bit(pmap);
8038 PG_RW = pmap_rw_bit(pmap);
8040 for (i = 0; i < PMAP_MEMDOM; i++)
8041 TAILQ_INIT(&free_chunks[i]);
8044 TAILQ_FOREACH_SAFE(pc, &pmap->pm_pvchunk, pc_list, npc) {
8047 for (field = 0; field < _NPCM; field++) {
8048 inuse = ~pc->pc_map[field] & pc_freemask[field];
8049 while (inuse != 0) {
8051 bitmask = 1UL << bit;
8052 idx = field * 64 + bit;
8053 pv = &pc->pc_pventry[idx];
8056 pte = pmap_pdpe(pmap, pv->pv_va);
8058 pte = pmap_pdpe_to_pde(pte, pv->pv_va);
8060 if ((tpte & (PG_PS | PG_V)) == PG_V) {
8063 pte = (pt_entry_t *)PHYS_TO_DMAP(tpte &
8065 pte = &pte[pmap_pte_index(pv->pv_va)];
8069 * Keep track whether 'tpte' is a
8070 * superpage explicitly instead of
8071 * relying on PG_PS being set.
8073 * This is because PG_PS is numerically
8074 * identical to PG_PTE_PAT and thus a
8075 * regular page could be mistaken for
8081 if ((tpte & PG_V) == 0) {
8082 panic("bad pte va %lx pte %lx",
8087 * We cannot remove wired pages from a process' mapping at this time
8095 pa = tpte & PG_PS_FRAME;
8097 pa = tpte & PG_FRAME;
8099 m = PHYS_TO_VM_PAGE(pa);
8100 KASSERT(m->phys_addr == pa,
8101 ("vm_page_t %p phys_addr mismatch %016jx %016jx",
8102 m, (uintmax_t)m->phys_addr,
8105 KASSERT((m->flags & PG_FICTITIOUS) != 0 ||
8106 m < &vm_page_array[vm_page_array_size],
8107 ("pmap_remove_pages: bad tpte %#jx",
8113 * Update the vm_page_t clean/reference bits.
8115 if ((tpte & (PG_M | PG_RW)) == (PG_M | PG_RW)) {
8117 for (mt = m; mt < &m[NBPDR / PAGE_SIZE]; mt++)
8123 CHANGE_PV_LIST_LOCK_TO_VM_PAGE(&lock, m);
8126 pc->pc_map[field] |= bitmask;
8128 pmap_resident_count_dec(pmap, NBPDR / PAGE_SIZE);
8129 pvh = pa_to_pvh(tpte & PG_PS_FRAME);
8130 TAILQ_REMOVE(&pvh->pv_list, pv, pv_next);
8132 if (TAILQ_EMPTY(&pvh->pv_list)) {
8133 for (mt = m; mt < &m[NBPDR / PAGE_SIZE]; mt++)
8134 if ((mt->a.flags & PGA_WRITEABLE) != 0 &&
8135 TAILQ_EMPTY(&mt->md.pv_list))
8136 vm_page_aflag_clear(mt, PGA_WRITEABLE);
8138 mpte = pmap_remove_pt_page(pmap, pv->pv_va);
8140 KASSERT(mpte->valid == VM_PAGE_BITS_ALL,
8141 ("pmap_remove_pages: pte page not promoted"));
8142 pmap_resident_count_dec(pmap, 1);
8143 KASSERT(mpte->ref_count == NPTEPG,
8144 ("pmap_remove_pages: pte page reference count error"));
8145 mpte->ref_count = 0;
8146 pmap_add_delayed_free_list(mpte, &free, FALSE);
8149 pmap_resident_count_dec(pmap, 1);
8150 TAILQ_REMOVE(&m->md.pv_list, pv, pv_next);
8152 if ((m->a.flags & PGA_WRITEABLE) != 0 &&
8153 TAILQ_EMPTY(&m->md.pv_list) &&
8154 (m->flags & PG_FICTITIOUS) == 0) {
8155 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
8156 if (TAILQ_EMPTY(&pvh->pv_list))
8157 vm_page_aflag_clear(m, PGA_WRITEABLE);
8160 pmap_unuse_pt(pmap, pv->pv_va, ptepde, &free);
8164 PV_STAT(atomic_add_long(&pv_entry_frees, freed));
8165 PV_STAT(atomic_add_int(&pv_entry_spare, freed));
8166 PV_STAT(atomic_subtract_long(&pv_entry_count, freed));
8168 TAILQ_REMOVE(&pmap->pm_pvchunk, pc, pc_list);
8169 TAILQ_INSERT_TAIL(&free_chunks[pc_to_domain(pc)], pc, pc_list);
8174 pmap_invalidate_all(pmap);
8175 pmap_pkru_deassign_all(pmap);
8176 free_pv_chunk_batch((struct pv_chunklist *)&free_chunks);
8178 vm_page_free_pages_toq(&free, true);
8182 pmap_page_test_mappings(vm_page_t m, boolean_t accessed, boolean_t modified)
8184 struct rwlock *lock;
8186 struct md_page *pvh;
8187 pt_entry_t *pte, mask;
8188 pt_entry_t PG_A, PG_M, PG_RW, PG_V;
8190 int md_gen, pvh_gen;
8194 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
8197 TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
8199 if (!PMAP_TRYLOCK(pmap)) {
8200 md_gen = m->md.pv_gen;
8204 if (md_gen != m->md.pv_gen) {
8209 pte = pmap_pte(pmap, pv->pv_va);
8212 PG_M = pmap_modified_bit(pmap);
8213 PG_RW = pmap_rw_bit(pmap);
8214 mask |= PG_RW | PG_M;
8217 PG_A = pmap_accessed_bit(pmap);
8218 PG_V = pmap_valid_bit(pmap);
8219 mask |= PG_V | PG_A;
8221 rv = (*pte & mask) == mask;
8226 if ((m->flags & PG_FICTITIOUS) == 0) {
8227 pvh = pa_to_pvh(VM_PAGE_TO_PHYS(m));
8228 TAILQ_FOREACH(pv, &pvh->pv_list, pv_next) {
8230 if (!PMAP_TRYLOCK(pmap)) {
8231 md_gen = m->md.pv_gen;
8232 pvh_gen = pvh->pv_gen;
8236 if (md_gen != m->md.pv_gen ||
8237 pvh_gen != pvh->pv_gen) {
8242 pte = pmap_pde(pmap, pv->pv_va);
8245 PG_M = pmap_modified_bit(pmap);
8246 PG_RW = pmap_rw_bit(pmap);
8247 mask |= PG_RW | PG_M;
8250 PG_A = pmap_accessed_bit(pmap);
8251 PG_V = pmap_valid_bit(pmap);
8252 mask |= PG_V | PG_A;
8254 rv = (*pte & mask) == mask;
8268 * Return whether or not the specified physical page was modified
8269 * in any physical maps.
8272 pmap_is_modified(vm_page_t m)
8275 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
8276 ("pmap_is_modified: page %p is not managed", m));
8279 * If the page is not busied then this check is racy.
8281 if (!pmap_page_is_write_mapped(m))
8283 return (pmap_page_test_mappings(m, FALSE, TRUE));
8287 * pmap_is_prefaultable:
8289 * Return whether or not the specified virtual address is eligible
8293 pmap_is_prefaultable(pmap_t pmap, vm_offset_t addr)
8296 pt_entry_t *pte, PG_V;
8299 PG_V = pmap_valid_bit(pmap);
8302 pde = pmap_pde(pmap, addr);
8303 if (pde != NULL && (*pde & (PG_PS | PG_V)) == PG_V) {
8304 pte = pmap_pde_to_pte(pde, addr);
8305 rv = (*pte & PG_V) == 0;
8312 * pmap_is_referenced:
8314 * Return whether or not the specified physical page was referenced
8315 * in any physical maps.
8318 pmap_is_referenced(vm_page_t m)
8321 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
8322 ("pmap_is_referenced: page %p is not managed", m));
8323 return (pmap_page_test_mappings(m, TRUE, FALSE));
8327 * Clear the write and modified bits in each of the given page's mappings.
8330 pmap_remove_write(vm_page_t m)
8332 struct md_page *pvh;
8334 struct rwlock *lock;
8335 pv_entry_t next_pv, pv;
8337 pt_entry_t oldpte, *pte, PG_M, PG_RW;
8339 int pvh_gen, md_gen;
8341 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
8342 ("pmap_remove_write: page %p is not managed", m));
8344 vm_page_assert_busied(m);
8345 if (!pmap_page_is_write_mapped(m))
8348 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
8349 pvh = (m->flags & PG_FICTITIOUS) != 0 ? &pv_dummy :
8350 pa_to_pvh(VM_PAGE_TO_PHYS(m));
8353 TAILQ_FOREACH_SAFE(pv, &pvh->pv_list, pv_next, next_pv) {
8355 if (!PMAP_TRYLOCK(pmap)) {
8356 pvh_gen = pvh->pv_gen;
8360 if (pvh_gen != pvh->pv_gen) {
8366 PG_RW = pmap_rw_bit(pmap);
8368 pde = pmap_pde(pmap, va);
8369 if ((*pde & PG_RW) != 0)
8370 (void)pmap_demote_pde_locked(pmap, pde, va, &lock);
8371 KASSERT(lock == VM_PAGE_TO_PV_LIST_LOCK(m),
8372 ("inconsistent pv lock %p %p for page %p",
8373 lock, VM_PAGE_TO_PV_LIST_LOCK(m), m));
8376 TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
8378 if (!PMAP_TRYLOCK(pmap)) {
8379 pvh_gen = pvh->pv_gen;
8380 md_gen = m->md.pv_gen;
8384 if (pvh_gen != pvh->pv_gen ||
8385 md_gen != m->md.pv_gen) {
8391 PG_M = pmap_modified_bit(pmap);
8392 PG_RW = pmap_rw_bit(pmap);
8393 pde = pmap_pde(pmap, pv->pv_va);
8394 KASSERT((*pde & PG_PS) == 0,
8395 ("pmap_remove_write: found a 2mpage in page %p's pv list",
8397 pte = pmap_pde_to_pte(pde, pv->pv_va);
8400 if (oldpte & PG_RW) {
8401 if (!atomic_cmpset_long(pte, oldpte, oldpte &
8404 if ((oldpte & PG_M) != 0)
8406 pmap_invalidate_page(pmap, pv->pv_va);
8411 vm_page_aflag_clear(m, PGA_WRITEABLE);
8412 pmap_delayed_invl_wait(m);
8415 static __inline boolean_t
8416 safe_to_clear_referenced(pmap_t pmap, pt_entry_t pte)
8419 if (!pmap_emulate_ad_bits(pmap))
8422 KASSERT(pmap->pm_type == PT_EPT, ("invalid pm_type %d", pmap->pm_type));
8425 * XWR = 010 or 110 will cause an unconditional EPT misconfiguration
8426 * so we don't let the referenced (aka EPT_PG_READ) bit to be cleared
8427 * if the EPT_PG_WRITE bit is set.
8429 if ((pte & EPT_PG_WRITE) != 0)
8433 * XWR = 100 is allowed only if the PMAP_SUPPORTS_EXEC_ONLY is set.
8435 if ((pte & EPT_PG_EXECUTE) == 0 ||
8436 ((pmap->pm_flags & PMAP_SUPPORTS_EXEC_ONLY) != 0))
8443 * pmap_ts_referenced:
8445 * Return a count of reference bits for a page, clearing those bits.
8446 * It is not necessary for every reference bit to be cleared, but it
8447 * is necessary that 0 only be returned when there are truly no
8448 * reference bits set.
8450 * As an optimization, update the page's dirty field if a modified bit is
8451 * found while counting reference bits. This opportunistic update can be
8452 * performed at low cost and can eliminate the need for some future calls
8453 * to pmap_is_modified(). However, since this function stops after
8454 * finding PMAP_TS_REFERENCED_MAX reference bits, it may not detect some
8455 * dirty pages. Those dirty pages will only be detected by a future call
8456 * to pmap_is_modified().
8458 * A DI block is not needed within this function, because
8459 * invalidations are performed before the PV list lock is
8463 pmap_ts_referenced(vm_page_t m)
8465 struct md_page *pvh;
8468 struct rwlock *lock;
8469 pd_entry_t oldpde, *pde;
8470 pt_entry_t *pte, PG_A, PG_M, PG_RW;
8473 int cleared, md_gen, not_cleared, pvh_gen;
8474 struct spglist free;
8477 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
8478 ("pmap_ts_referenced: page %p is not managed", m));
8481 pa = VM_PAGE_TO_PHYS(m);
8482 lock = PHYS_TO_PV_LIST_LOCK(pa);
8483 pvh = (m->flags & PG_FICTITIOUS) != 0 ? &pv_dummy : pa_to_pvh(pa);
8487 if ((pvf = TAILQ_FIRST(&pvh->pv_list)) == NULL)
8488 goto small_mappings;
8494 if (!PMAP_TRYLOCK(pmap)) {
8495 pvh_gen = pvh->pv_gen;
8499 if (pvh_gen != pvh->pv_gen) {
8504 PG_A = pmap_accessed_bit(pmap);
8505 PG_M = pmap_modified_bit(pmap);
8506 PG_RW = pmap_rw_bit(pmap);
8508 pde = pmap_pde(pmap, pv->pv_va);
8510 if ((oldpde & (PG_M | PG_RW)) == (PG_M | PG_RW)) {
8512 * Although "oldpde" is mapping a 2MB page, because
8513 * this function is called at a 4KB page granularity,
8514 * we only update the 4KB page under test.
8518 if ((oldpde & PG_A) != 0) {
8520 * Since this reference bit is shared by 512 4KB
8521 * pages, it should not be cleared every time it is
8522 * tested. Apply a simple "hash" function on the
8523 * physical page number, the virtual superpage number,
8524 * and the pmap address to select one 4KB page out of
8525 * the 512 on which testing the reference bit will
8526 * result in clearing that reference bit. This
8527 * function is designed to avoid the selection of the
8528 * same 4KB page for every 2MB page mapping.
8530 * On demotion, a mapping that hasn't been referenced
8531 * is simply destroyed. To avoid the possibility of a
8532 * subsequent page fault on a demoted wired mapping,
8533 * always leave its reference bit set. Moreover,
8534 * since the superpage is wired, the current state of
8535 * its reference bit won't affect page replacement.
8537 if ((((pa >> PAGE_SHIFT) ^ (pv->pv_va >> PDRSHIFT) ^
8538 (uintptr_t)pmap) & (NPTEPG - 1)) == 0 &&
8539 (oldpde & PG_W) == 0) {
8540 if (safe_to_clear_referenced(pmap, oldpde)) {
8541 atomic_clear_long(pde, PG_A);
8542 pmap_invalidate_page(pmap, pv->pv_va);
8544 } else if (pmap_demote_pde_locked(pmap, pde,
8545 pv->pv_va, &lock)) {
8547 * Remove the mapping to a single page
8548 * so that a subsequent access may
8549 * repromote. Since the underlying
8550 * page table page is fully populated,
8551 * this removal never frees a page
8555 va += VM_PAGE_TO_PHYS(m) - (oldpde &
8557 pte = pmap_pde_to_pte(pde, va);
8558 pmap_remove_pte(pmap, pte, va, *pde,
8560 pmap_invalidate_page(pmap, va);
8566 * The superpage mapping was removed
8567 * entirely and therefore 'pv' is no
8575 KASSERT(lock == VM_PAGE_TO_PV_LIST_LOCK(m),
8576 ("inconsistent pv lock %p %p for page %p",
8577 lock, VM_PAGE_TO_PV_LIST_LOCK(m), m));
8582 /* Rotate the PV list if it has more than one entry. */
8583 if (pv != NULL && TAILQ_NEXT(pv, pv_next) != NULL) {
8584 TAILQ_REMOVE(&pvh->pv_list, pv, pv_next);
8585 TAILQ_INSERT_TAIL(&pvh->pv_list, pv, pv_next);
8588 if (cleared + not_cleared >= PMAP_TS_REFERENCED_MAX)
8590 } while ((pv = TAILQ_FIRST(&pvh->pv_list)) != pvf);
8592 if ((pvf = TAILQ_FIRST(&m->md.pv_list)) == NULL)
8599 if (!PMAP_TRYLOCK(pmap)) {
8600 pvh_gen = pvh->pv_gen;
8601 md_gen = m->md.pv_gen;
8605 if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
8610 PG_A = pmap_accessed_bit(pmap);
8611 PG_M = pmap_modified_bit(pmap);
8612 PG_RW = pmap_rw_bit(pmap);
8613 pde = pmap_pde(pmap, pv->pv_va);
8614 KASSERT((*pde & PG_PS) == 0,
8615 ("pmap_ts_referenced: found a 2mpage in page %p's pv list",
8617 pte = pmap_pde_to_pte(pde, pv->pv_va);
8618 if ((*pte & (PG_M | PG_RW)) == (PG_M | PG_RW))
8620 if ((*pte & PG_A) != 0) {
8621 if (safe_to_clear_referenced(pmap, *pte)) {
8622 atomic_clear_long(pte, PG_A);
8623 pmap_invalidate_page(pmap, pv->pv_va);
8625 } else if ((*pte & PG_W) == 0) {
8627 * Wired pages cannot be paged out so
8628 * doing accessed bit emulation for
8629 * them is wasted effort. We do the
8630 * hard work for unwired pages only.
8632 pmap_remove_pte(pmap, pte, pv->pv_va,
8633 *pde, &free, &lock);
8634 pmap_invalidate_page(pmap, pv->pv_va);
8639 KASSERT(lock == VM_PAGE_TO_PV_LIST_LOCK(m),
8640 ("inconsistent pv lock %p %p for page %p",
8641 lock, VM_PAGE_TO_PV_LIST_LOCK(m), m));
8646 /* Rotate the PV list if it has more than one entry. */
8647 if (pv != NULL && TAILQ_NEXT(pv, pv_next) != NULL) {
8648 TAILQ_REMOVE(&m->md.pv_list, pv, pv_next);
8649 TAILQ_INSERT_TAIL(&m->md.pv_list, pv, pv_next);
8652 } while ((pv = TAILQ_FIRST(&m->md.pv_list)) != pvf && cleared +
8653 not_cleared < PMAP_TS_REFERENCED_MAX);
8656 vm_page_free_pages_toq(&free, true);
8657 return (cleared + not_cleared);
8661 * Apply the given advice to the specified range of addresses within the
8662 * given pmap. Depending on the advice, clear the referenced and/or
8663 * modified flags in each mapping and set the mapped page's dirty field.
8666 pmap_advise(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, int advice)
8668 struct rwlock *lock;
8669 pml4_entry_t *pml4e;
8671 pd_entry_t oldpde, *pde;
8672 pt_entry_t *pte, PG_A, PG_G, PG_M, PG_RW, PG_V;
8673 vm_offset_t va, va_next;
8677 if (advice != MADV_DONTNEED && advice != MADV_FREE)
8681 * A/D bit emulation requires an alternate code path when clearing
8682 * the modified and accessed bits below. Since this function is
8683 * advisory in nature we skip it entirely for pmaps that require
8684 * A/D bit emulation.
8686 if (pmap_emulate_ad_bits(pmap))
8689 PG_A = pmap_accessed_bit(pmap);
8690 PG_G = pmap_global_bit(pmap);
8691 PG_M = pmap_modified_bit(pmap);
8692 PG_V = pmap_valid_bit(pmap);
8693 PG_RW = pmap_rw_bit(pmap);
8695 pmap_delayed_invl_start();
8697 for (; sva < eva; sva = va_next) {
8698 pml4e = pmap_pml4e(pmap, sva);
8699 if (pml4e == NULL || (*pml4e & PG_V) == 0) {
8700 va_next = (sva + NBPML4) & ~PML4MASK;
8706 va_next = (sva + NBPDP) & ~PDPMASK;
8709 pdpe = pmap_pml4e_to_pdpe(pml4e, sva);
8710 if ((*pdpe & PG_V) == 0)
8712 if ((*pdpe & PG_PS) != 0) {
8713 KASSERT(va_next <= eva,
8714 ("partial update of non-transparent 1G mapping "
8715 "pdpe %#lx sva %#lx eva %#lx va_next %#lx",
8716 *pdpe, sva, eva, va_next));
8720 va_next = (sva + NBPDR) & ~PDRMASK;
8723 pde = pmap_pdpe_to_pde(pdpe, sva);
8725 if ((oldpde & PG_V) == 0)
8727 else if ((oldpde & PG_PS) != 0) {
8728 if ((oldpde & PG_MANAGED) == 0)
8731 if (!pmap_demote_pde_locked(pmap, pde, sva, &lock)) {
8736 * The large page mapping was destroyed.
8742 * Unless the page mappings are wired, remove the
8743 * mapping to a single page so that a subsequent
8744 * access may repromote. Choosing the last page
8745 * within the address range [sva, min(va_next, eva))
8746 * generally results in more repromotions. Since the
8747 * underlying page table page is fully populated, this
8748 * removal never frees a page table page.
8750 if ((oldpde & PG_W) == 0) {
8756 ("pmap_advise: no address gap"));
8757 pte = pmap_pde_to_pte(pde, va);
8758 KASSERT((*pte & PG_V) != 0,
8759 ("pmap_advise: invalid PTE"));
8760 pmap_remove_pte(pmap, pte, va, *pde, NULL,
8770 for (pte = pmap_pde_to_pte(pde, sva); sva != va_next; pte++,
8772 if ((*pte & (PG_MANAGED | PG_V)) != (PG_MANAGED | PG_V))
8774 else if ((*pte & (PG_M | PG_RW)) == (PG_M | PG_RW)) {
8775 if (advice == MADV_DONTNEED) {
8777 * Future calls to pmap_is_modified()
8778 * can be avoided by making the page
8781 m = PHYS_TO_VM_PAGE(*pte & PG_FRAME);
8784 atomic_clear_long(pte, PG_M | PG_A);
8785 } else if ((*pte & PG_A) != 0)
8786 atomic_clear_long(pte, PG_A);
8790 if ((*pte & PG_G) != 0) {
8797 if (va != va_next) {
8798 pmap_invalidate_range(pmap, va, sva);
8803 pmap_invalidate_range(pmap, va, sva);
8806 pmap_invalidate_all(pmap);
8808 pmap_delayed_invl_finish();
8812 * Clear the modify bits on the specified physical page.
8815 pmap_clear_modify(vm_page_t m)
8817 struct md_page *pvh;
8819 pv_entry_t next_pv, pv;
8820 pd_entry_t oldpde, *pde;
8821 pt_entry_t *pte, PG_M, PG_RW;
8822 struct rwlock *lock;
8824 int md_gen, pvh_gen;
8826 KASSERT((m->oflags & VPO_UNMANAGED) == 0,
8827 ("pmap_clear_modify: page %p is not managed", m));
8828 vm_page_assert_busied(m);
8830 if (!pmap_page_is_write_mapped(m))
8832 pvh = (m->flags & PG_FICTITIOUS) != 0 ? &pv_dummy :
8833 pa_to_pvh(VM_PAGE_TO_PHYS(m));
8834 lock = VM_PAGE_TO_PV_LIST_LOCK(m);
8837 TAILQ_FOREACH_SAFE(pv, &pvh->pv_list, pv_next, next_pv) {
8839 if (!PMAP_TRYLOCK(pmap)) {
8840 pvh_gen = pvh->pv_gen;
8844 if (pvh_gen != pvh->pv_gen) {
8849 PG_M = pmap_modified_bit(pmap);
8850 PG_RW = pmap_rw_bit(pmap);
8852 pde = pmap_pde(pmap, va);
8854 /* If oldpde has PG_RW set, then it also has PG_M set. */
8855 if ((oldpde & PG_RW) != 0 &&
8856 pmap_demote_pde_locked(pmap, pde, va, &lock) &&
8857 (oldpde & PG_W) == 0) {
8859 * Write protect the mapping to a single page so that
8860 * a subsequent write access may repromote.
8862 va += VM_PAGE_TO_PHYS(m) - (oldpde & PG_PS_FRAME);
8863 pte = pmap_pde_to_pte(pde, va);
8864 atomic_clear_long(pte, PG_M | PG_RW);
8866 pmap_invalidate_page(pmap, va);
8870 TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
8872 if (!PMAP_TRYLOCK(pmap)) {
8873 md_gen = m->md.pv_gen;
8874 pvh_gen = pvh->pv_gen;
8878 if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
8883 PG_M = pmap_modified_bit(pmap);
8884 PG_RW = pmap_rw_bit(pmap);
8885 pde = pmap_pde(pmap, pv->pv_va);
8886 KASSERT((*pde & PG_PS) == 0, ("pmap_clear_modify: found"
8887 " a 2mpage in page %p's pv list", m));
8888 pte = pmap_pde_to_pte(pde, pv->pv_va);
8889 if ((*pte & (PG_M | PG_RW)) == (PG_M | PG_RW)) {
8890 atomic_clear_long(pte, PG_M);
8891 pmap_invalidate_page(pmap, pv->pv_va);
8899 * Miscellaneous support routines follow
8902 /* Adjust the properties for a leaf page table entry. */
8903 static __inline void
8904 pmap_pte_props(pt_entry_t *pte, u_long bits, u_long mask)
8908 opte = *(u_long *)pte;
8910 npte = opte & ~mask;
8912 } while (npte != opte && !atomic_fcmpset_long((u_long *)pte, &opte,
8917 * Map a set of physical memory pages into the kernel virtual
8918 * address space. Return a pointer to where it is mapped. This
8919 * routine is intended to be used for mapping device memory,
8923 pmap_mapdev_internal(vm_paddr_t pa, vm_size_t size, int mode, int flags)
8925 struct pmap_preinit_mapping *ppim;
8926 vm_offset_t va, offset;
8930 offset = pa & PAGE_MASK;
8931 size = round_page(offset + size);
8932 pa = trunc_page(pa);
8934 if (!pmap_initialized) {
8936 for (i = 0; i < PMAP_PREINIT_MAPPING_COUNT; i++) {
8937 ppim = pmap_preinit_mapping + i;
8938 if (ppim->va == 0) {
8942 ppim->va = virtual_avail;
8943 virtual_avail += size;
8949 panic("%s: too many preinit mappings", __func__);
8952 * If we have a preinit mapping, re-use it.
8954 for (i = 0; i < PMAP_PREINIT_MAPPING_COUNT; i++) {
8955 ppim = pmap_preinit_mapping + i;
8956 if (ppim->pa == pa && ppim->sz == size &&
8957 (ppim->mode == mode ||
8958 (flags & MAPDEV_SETATTR) == 0))
8959 return ((void *)(ppim->va + offset));
8962 * If the specified range of physical addresses fits within
8963 * the direct map window, use the direct map.
8965 if (pa < dmaplimit && pa + size <= dmaplimit) {
8966 va = PHYS_TO_DMAP(pa);
8967 if ((flags & MAPDEV_SETATTR) != 0) {
8968 PMAP_LOCK(kernel_pmap);
8969 i = pmap_change_props_locked(va, size,
8970 PROT_NONE, mode, flags);
8971 PMAP_UNLOCK(kernel_pmap);
8975 return ((void *)(va + offset));
8977 va = kva_alloc(size);
8979 panic("%s: Couldn't allocate KVA", __func__);
8981 for (tmpsize = 0; tmpsize < size; tmpsize += PAGE_SIZE)
8982 pmap_kenter_attr(va + tmpsize, pa + tmpsize, mode);
8983 pmap_invalidate_range(kernel_pmap, va, va + tmpsize);
8984 if ((flags & MAPDEV_FLUSHCACHE) != 0)
8985 pmap_invalidate_cache_range(va, va + tmpsize);
8986 return ((void *)(va + offset));
8990 pmap_mapdev_attr(vm_paddr_t pa, vm_size_t size, int mode)
8993 return (pmap_mapdev_internal(pa, size, mode, MAPDEV_FLUSHCACHE |
8998 pmap_mapdev(vm_paddr_t pa, vm_size_t size)
9001 return (pmap_mapdev_attr(pa, size, PAT_UNCACHEABLE));
9005 pmap_mapdev_pciecfg(vm_paddr_t pa, vm_size_t size)
9008 return (pmap_mapdev_internal(pa, size, PAT_UNCACHEABLE,
9013 pmap_mapbios(vm_paddr_t pa, vm_size_t size)
9016 return (pmap_mapdev_internal(pa, size, PAT_WRITE_BACK,
9017 MAPDEV_FLUSHCACHE));
9021 pmap_unmapdev(vm_offset_t va, vm_size_t size)
9023 struct pmap_preinit_mapping *ppim;
9027 /* If we gave a direct map region in pmap_mapdev, do nothing */
9028 if (va >= DMAP_MIN_ADDRESS && va < DMAP_MAX_ADDRESS)
9030 offset = va & PAGE_MASK;
9031 size = round_page(offset + size);
9032 va = trunc_page(va);
9033 for (i = 0; i < PMAP_PREINIT_MAPPING_COUNT; i++) {
9034 ppim = pmap_preinit_mapping + i;
9035 if (ppim->va == va && ppim->sz == size) {
9036 if (pmap_initialized)
9042 if (va + size == virtual_avail)
9047 if (pmap_initialized) {
9048 pmap_qremove(va, atop(size));
9054 * Tries to demote a 1GB page mapping.
9057 pmap_demote_pdpe(pmap_t pmap, pdp_entry_t *pdpe, vm_offset_t va)
9059 pdp_entry_t newpdpe, oldpdpe;
9060 pd_entry_t *firstpde, newpde, *pde;
9061 pt_entry_t PG_A, PG_M, PG_RW, PG_V;
9065 PG_A = pmap_accessed_bit(pmap);
9066 PG_M = pmap_modified_bit(pmap);
9067 PG_V = pmap_valid_bit(pmap);
9068 PG_RW = pmap_rw_bit(pmap);
9070 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
9072 KASSERT((oldpdpe & (PG_PS | PG_V)) == (PG_PS | PG_V),
9073 ("pmap_demote_pdpe: oldpdpe is missing PG_PS and/or PG_V"));
9074 if ((pdpg = vm_page_alloc(NULL, va >> PDPSHIFT, VM_ALLOC_INTERRUPT |
9075 VM_ALLOC_NOOBJ | VM_ALLOC_WIRED)) == NULL) {
9076 CTR2(KTR_PMAP, "pmap_demote_pdpe: failure for va %#lx"
9077 " in pmap %p", va, pmap);
9080 pdpgpa = VM_PAGE_TO_PHYS(pdpg);
9081 firstpde = (pd_entry_t *)PHYS_TO_DMAP(pdpgpa);
9082 newpdpe = pdpgpa | PG_M | PG_A | (oldpdpe & PG_U) | PG_RW | PG_V;
9083 KASSERT((oldpdpe & PG_A) != 0,
9084 ("pmap_demote_pdpe: oldpdpe is missing PG_A"));
9085 KASSERT((oldpdpe & (PG_M | PG_RW)) != PG_RW,
9086 ("pmap_demote_pdpe: oldpdpe is missing PG_M"));
9090 * Initialize the page directory page.
9092 for (pde = firstpde; pde < firstpde + NPDEPG; pde++) {
9098 * Demote the mapping.
9103 * Invalidate a stale recursive mapping of the page directory page.
9105 pmap_invalidate_page(pmap, (vm_offset_t)vtopde(va));
9107 pmap_pdpe_demotions++;
9108 CTR2(KTR_PMAP, "pmap_demote_pdpe: success for va %#lx"
9109 " in pmap %p", va, pmap);
9114 * Sets the memory attribute for the specified page.
9117 pmap_page_set_memattr(vm_page_t m, vm_memattr_t ma)
9120 m->md.pat_mode = ma;
9123 * If "m" is a normal page, update its direct mapping. This update
9124 * can be relied upon to perform any cache operations that are
9125 * required for data coherence.
9127 if ((m->flags & PG_FICTITIOUS) == 0 &&
9128 pmap_change_attr(PHYS_TO_DMAP(VM_PAGE_TO_PHYS(m)), PAGE_SIZE,
9130 panic("memory attribute change on the direct map failed");
9134 * Changes the specified virtual address range's memory type to that given by
9135 * the parameter "mode". The specified virtual address range must be
9136 * completely contained within either the direct map or the kernel map. If
9137 * the virtual address range is contained within the kernel map, then the
9138 * memory type for each of the corresponding ranges of the direct map is also
9139 * changed. (The corresponding ranges of the direct map are those ranges that
9140 * map the same physical pages as the specified virtual address range.) These
9141 * changes to the direct map are necessary because Intel describes the
9142 * behavior of their processors as "undefined" if two or more mappings to the
9143 * same physical page have different memory types.
9145 * Returns zero if the change completed successfully, and either EINVAL or
9146 * ENOMEM if the change failed. Specifically, EINVAL is returned if some part
9147 * of the virtual address range was not mapped, and ENOMEM is returned if
9148 * there was insufficient memory available to complete the change. In the
9149 * latter case, the memory type may have been changed on some part of the
9150 * virtual address range or the direct map.
9153 pmap_change_attr(vm_offset_t va, vm_size_t size, int mode)
9157 PMAP_LOCK(kernel_pmap);
9158 error = pmap_change_props_locked(va, size, PROT_NONE, mode,
9160 PMAP_UNLOCK(kernel_pmap);
9165 * Changes the specified virtual address range's protections to those
9166 * specified by "prot". Like pmap_change_attr(), protections for aliases
9167 * in the direct map are updated as well. Protections on aliasing mappings may
9168 * be a subset of the requested protections; for example, mappings in the direct
9169 * map are never executable.
9172 pmap_change_prot(vm_offset_t va, vm_size_t size, vm_prot_t prot)
9176 /* Only supported within the kernel map. */
9177 if (va < VM_MIN_KERNEL_ADDRESS)
9180 PMAP_LOCK(kernel_pmap);
9181 error = pmap_change_props_locked(va, size, prot, -1,
9182 MAPDEV_ASSERTVALID);
9183 PMAP_UNLOCK(kernel_pmap);
9188 pmap_change_props_locked(vm_offset_t va, vm_size_t size, vm_prot_t prot,
9189 int mode, int flags)
9191 vm_offset_t base, offset, tmpva;
9192 vm_paddr_t pa_start, pa_end, pa_end1;
9194 pd_entry_t *pde, pde_bits, pde_mask;
9195 pt_entry_t *pte, pte_bits, pte_mask;
9199 PMAP_LOCK_ASSERT(kernel_pmap, MA_OWNED);
9200 base = trunc_page(va);
9201 offset = va & PAGE_MASK;
9202 size = round_page(offset + size);
9205 * Only supported on kernel virtual addresses, including the direct
9206 * map but excluding the recursive map.
9208 if (base < DMAP_MIN_ADDRESS)
9212 * Construct our flag sets and masks. "bits" is the subset of
9213 * "mask" that will be set in each modified PTE.
9215 * Mappings in the direct map are never allowed to be executable.
9217 pde_bits = pte_bits = 0;
9218 pde_mask = pte_mask = 0;
9220 pde_bits |= pmap_cache_bits(kernel_pmap, mode, true);
9221 pde_mask |= X86_PG_PDE_CACHE;
9222 pte_bits |= pmap_cache_bits(kernel_pmap, mode, false);
9223 pte_mask |= X86_PG_PTE_CACHE;
9225 if (prot != VM_PROT_NONE) {
9226 if ((prot & VM_PROT_WRITE) != 0) {
9227 pde_bits |= X86_PG_RW;
9228 pte_bits |= X86_PG_RW;
9230 if ((prot & VM_PROT_EXECUTE) == 0 ||
9231 va < VM_MIN_KERNEL_ADDRESS) {
9235 pde_mask |= X86_PG_RW | pg_nx;
9236 pte_mask |= X86_PG_RW | pg_nx;
9240 * Pages that aren't mapped aren't supported. Also break down 2MB pages
9241 * into 4KB pages if required.
9243 for (tmpva = base; tmpva < base + size; ) {
9244 pdpe = pmap_pdpe(kernel_pmap, tmpva);
9245 if (pdpe == NULL || *pdpe == 0) {
9246 KASSERT((flags & MAPDEV_ASSERTVALID) == 0,
9247 ("%s: addr %#lx is not mapped", __func__, tmpva));
9250 if (*pdpe & PG_PS) {
9252 * If the current 1GB page already has the required
9253 * properties, then we need not demote this page. Just
9254 * increment tmpva to the next 1GB page frame.
9256 if ((*pdpe & pde_mask) == pde_bits) {
9257 tmpva = trunc_1gpage(tmpva) + NBPDP;
9262 * If the current offset aligns with a 1GB page frame
9263 * and there is at least 1GB left within the range, then
9264 * we need not break down this page into 2MB pages.
9266 if ((tmpva & PDPMASK) == 0 &&
9267 tmpva + PDPMASK < base + size) {
9271 if (!pmap_demote_pdpe(kernel_pmap, pdpe, tmpva))
9274 pde = pmap_pdpe_to_pde(pdpe, tmpva);
9276 KASSERT((flags & MAPDEV_ASSERTVALID) == 0,
9277 ("%s: addr %#lx is not mapped", __func__, tmpva));
9282 * If the current 2MB page already has the required
9283 * properties, then we need not demote this page. Just
9284 * increment tmpva to the next 2MB page frame.
9286 if ((*pde & pde_mask) == pde_bits) {
9287 tmpva = trunc_2mpage(tmpva) + NBPDR;
9292 * If the current offset aligns with a 2MB page frame
9293 * and there is at least 2MB left within the range, then
9294 * we need not break down this page into 4KB pages.
9296 if ((tmpva & PDRMASK) == 0 &&
9297 tmpva + PDRMASK < base + size) {
9301 if (!pmap_demote_pde(kernel_pmap, pde, tmpva))
9304 pte = pmap_pde_to_pte(pde, tmpva);
9306 KASSERT((flags & MAPDEV_ASSERTVALID) == 0,
9307 ("%s: addr %#lx is not mapped", __func__, tmpva));
9315 * Ok, all the pages exist, so run through them updating their
9316 * properties if required.
9319 pa_start = pa_end = 0;
9320 for (tmpva = base; tmpva < base + size; ) {
9321 pdpe = pmap_pdpe(kernel_pmap, tmpva);
9322 if (*pdpe & PG_PS) {
9323 if ((*pdpe & pde_mask) != pde_bits) {
9324 pmap_pte_props(pdpe, pde_bits, pde_mask);
9327 if (tmpva >= VM_MIN_KERNEL_ADDRESS &&
9328 (*pdpe & PG_PS_FRAME) < dmaplimit) {
9329 if (pa_start == pa_end) {
9330 /* Start physical address run. */
9331 pa_start = *pdpe & PG_PS_FRAME;
9332 pa_end = pa_start + NBPDP;
9333 } else if (pa_end == (*pdpe & PG_PS_FRAME))
9336 /* Run ended, update direct map. */
9337 error = pmap_change_props_locked(
9338 PHYS_TO_DMAP(pa_start),
9339 pa_end - pa_start, prot, mode,
9343 /* Start physical address run. */
9344 pa_start = *pdpe & PG_PS_FRAME;
9345 pa_end = pa_start + NBPDP;
9348 tmpva = trunc_1gpage(tmpva) + NBPDP;
9351 pde = pmap_pdpe_to_pde(pdpe, tmpva);
9353 if ((*pde & pde_mask) != pde_bits) {
9354 pmap_pte_props(pde, pde_bits, pde_mask);
9357 if (tmpva >= VM_MIN_KERNEL_ADDRESS &&
9358 (*pde & PG_PS_FRAME) < dmaplimit) {
9359 if (pa_start == pa_end) {
9360 /* Start physical address run. */
9361 pa_start = *pde & PG_PS_FRAME;
9362 pa_end = pa_start + NBPDR;
9363 } else if (pa_end == (*pde & PG_PS_FRAME))
9366 /* Run ended, update direct map. */
9367 error = pmap_change_props_locked(
9368 PHYS_TO_DMAP(pa_start),
9369 pa_end - pa_start, prot, mode,
9373 /* Start physical address run. */
9374 pa_start = *pde & PG_PS_FRAME;
9375 pa_end = pa_start + NBPDR;
9378 tmpva = trunc_2mpage(tmpva) + NBPDR;
9380 pte = pmap_pde_to_pte(pde, tmpva);
9381 if ((*pte & pte_mask) != pte_bits) {
9382 pmap_pte_props(pte, pte_bits, pte_mask);
9385 if (tmpva >= VM_MIN_KERNEL_ADDRESS &&
9386 (*pte & PG_FRAME) < dmaplimit) {
9387 if (pa_start == pa_end) {
9388 /* Start physical address run. */
9389 pa_start = *pte & PG_FRAME;
9390 pa_end = pa_start + PAGE_SIZE;
9391 } else if (pa_end == (*pte & PG_FRAME))
9392 pa_end += PAGE_SIZE;
9394 /* Run ended, update direct map. */
9395 error = pmap_change_props_locked(
9396 PHYS_TO_DMAP(pa_start),
9397 pa_end - pa_start, prot, mode,
9401 /* Start physical address run. */
9402 pa_start = *pte & PG_FRAME;
9403 pa_end = pa_start + PAGE_SIZE;
9409 if (error == 0 && pa_start != pa_end && pa_start < dmaplimit) {
9410 pa_end1 = MIN(pa_end, dmaplimit);
9411 if (pa_start != pa_end1)
9412 error = pmap_change_props_locked(PHYS_TO_DMAP(pa_start),
9413 pa_end1 - pa_start, prot, mode, flags);
9417 * Flush CPU caches if required to make sure any data isn't cached that
9418 * shouldn't be, etc.
9421 pmap_invalidate_range(kernel_pmap, base, tmpva);
9422 if ((flags & MAPDEV_FLUSHCACHE) != 0)
9423 pmap_invalidate_cache_range(base, tmpva);
9429 * Demotes any mapping within the direct map region that covers more than the
9430 * specified range of physical addresses. This range's size must be a power
9431 * of two and its starting address must be a multiple of its size. Since the
9432 * demotion does not change any attributes of the mapping, a TLB invalidation
9433 * is not mandatory. The caller may, however, request a TLB invalidation.
9436 pmap_demote_DMAP(vm_paddr_t base, vm_size_t len, boolean_t invalidate)
9445 KASSERT(powerof2(len), ("pmap_demote_DMAP: len is not a power of 2"));
9446 KASSERT((base & (len - 1)) == 0,
9447 ("pmap_demote_DMAP: base is not a multiple of len"));
9448 if (len < NBPDP && base < dmaplimit) {
9449 va = PHYS_TO_DMAP(base);
9451 PMAP_LOCK(kernel_pmap);
9452 pdpe = pmap_pdpe(kernel_pmap, va);
9453 if ((*pdpe & X86_PG_V) == 0)
9454 panic("pmap_demote_DMAP: invalid PDPE");
9455 if ((*pdpe & PG_PS) != 0) {
9456 if (!pmap_demote_pdpe(kernel_pmap, pdpe, va))
9457 panic("pmap_demote_DMAP: PDPE failed");
9461 pde = pmap_pdpe_to_pde(pdpe, va);
9462 if ((*pde & X86_PG_V) == 0)
9463 panic("pmap_demote_DMAP: invalid PDE");
9464 if ((*pde & PG_PS) != 0) {
9465 if (!pmap_demote_pde(kernel_pmap, pde, va))
9466 panic("pmap_demote_DMAP: PDE failed");
9470 if (changed && invalidate)
9471 pmap_invalidate_page(kernel_pmap, va);
9472 PMAP_UNLOCK(kernel_pmap);
9477 * Perform the pmap work for mincore(2). If the page is not both referenced and
9478 * modified by this pmap, returns its physical address so that the caller can
9479 * find other mappings.
9482 pmap_mincore(pmap_t pmap, vm_offset_t addr, vm_paddr_t *pap)
9486 pt_entry_t pte, PG_A, PG_M, PG_RW, PG_V;
9490 PG_A = pmap_accessed_bit(pmap);
9491 PG_M = pmap_modified_bit(pmap);
9492 PG_V = pmap_valid_bit(pmap);
9493 PG_RW = pmap_rw_bit(pmap);
9499 pdpe = pmap_pdpe(pmap, addr);
9502 if ((*pdpe & PG_V) != 0) {
9503 if ((*pdpe & PG_PS) != 0) {
9505 pa = ((pte & PG_PS_PDP_FRAME) | (addr & PDPMASK)) &
9507 val = MINCORE_PSIND(2);
9509 pdep = pmap_pde(pmap, addr);
9510 if (pdep != NULL && (*pdep & PG_V) != 0) {
9511 if ((*pdep & PG_PS) != 0) {
9513 /* Compute the physical address of the 4KB page. */
9514 pa = ((pte & PG_PS_FRAME) | (addr &
9515 PDRMASK)) & PG_FRAME;
9516 val = MINCORE_PSIND(1);
9518 pte = *pmap_pde_to_pte(pdep, addr);
9519 pa = pte & PG_FRAME;
9525 if ((pte & PG_V) != 0) {
9526 val |= MINCORE_INCORE;
9527 if ((pte & (PG_M | PG_RW)) == (PG_M | PG_RW))
9528 val |= MINCORE_MODIFIED | MINCORE_MODIFIED_OTHER;
9529 if ((pte & PG_A) != 0)
9530 val |= MINCORE_REFERENCED | MINCORE_REFERENCED_OTHER;
9532 if ((val & (MINCORE_MODIFIED_OTHER | MINCORE_REFERENCED_OTHER)) !=
9533 (MINCORE_MODIFIED_OTHER | MINCORE_REFERENCED_OTHER) &&
9534 (pte & (PG_MANAGED | PG_V)) == (PG_MANAGED | PG_V)) {
9543 pmap_pcid_alloc(pmap_t pmap, u_int cpuid)
9545 uint32_t gen, new_gen, pcid_next;
9547 CRITICAL_ASSERT(curthread);
9548 gen = PCPU_GET(pcid_gen);
9549 if (pmap->pm_pcids[cpuid].pm_pcid == PMAP_PCID_KERN)
9550 return (pti ? 0 : CR3_PCID_SAVE);
9551 if (pmap->pm_pcids[cpuid].pm_gen == gen)
9552 return (CR3_PCID_SAVE);
9553 pcid_next = PCPU_GET(pcid_next);
9554 KASSERT((!pti && pcid_next <= PMAP_PCID_OVERMAX) ||
9555 (pti && pcid_next <= PMAP_PCID_OVERMAX_KERN),
9556 ("cpu %d pcid_next %#x", cpuid, pcid_next));
9557 if ((!pti && pcid_next == PMAP_PCID_OVERMAX) ||
9558 (pti && pcid_next == PMAP_PCID_OVERMAX_KERN)) {
9562 PCPU_SET(pcid_gen, new_gen);
9563 pcid_next = PMAP_PCID_KERN + 1;
9567 pmap->pm_pcids[cpuid].pm_pcid = pcid_next;
9568 pmap->pm_pcids[cpuid].pm_gen = new_gen;
9569 PCPU_SET(pcid_next, pcid_next + 1);
9574 pmap_pcid_alloc_checked(pmap_t pmap, u_int cpuid)
9578 cached = pmap_pcid_alloc(pmap, cpuid);
9579 KASSERT(pmap->pm_pcids[cpuid].pm_pcid < PMAP_PCID_OVERMAX,
9580 ("pmap %p cpu %d pcid %#x", pmap, cpuid,
9581 pmap->pm_pcids[cpuid].pm_pcid));
9582 KASSERT(pmap->pm_pcids[cpuid].pm_pcid != PMAP_PCID_KERN ||
9583 pmap == kernel_pmap,
9584 ("non-kernel pmap pmap %p cpu %d pcid %#x",
9585 pmap, cpuid, pmap->pm_pcids[cpuid].pm_pcid));
9590 pmap_activate_sw_pti_post(struct thread *td, pmap_t pmap)
9593 PCPU_GET(tssp)->tss_rsp0 = pmap->pm_ucr3 != PMAP_NO_CR3 ?
9594 PCPU_GET(pti_rsp0) : (uintptr_t)td->td_md.md_stack_base;
9598 pmap_activate_sw_pcid_pti(struct thread *td, pmap_t pmap, u_int cpuid)
9601 uint64_t cached, cr3, kcr3, ucr3;
9603 KASSERT((read_rflags() & PSL_I) == 0,
9604 ("PCID needs interrupts disabled in pmap_activate_sw()"));
9606 /* See the comment in pmap_invalidate_page_pcid(). */
9607 if (PCPU_GET(ucr3_load_mask) != PMAP_UCR3_NOMASK) {
9608 PCPU_SET(ucr3_load_mask, PMAP_UCR3_NOMASK);
9609 old_pmap = PCPU_GET(curpmap);
9610 MPASS(old_pmap->pm_ucr3 != PMAP_NO_CR3);
9611 old_pmap->pm_pcids[cpuid].pm_gen = 0;
9614 cached = pmap_pcid_alloc_checked(pmap, cpuid);
9616 if ((cr3 & ~CR3_PCID_MASK) != pmap->pm_cr3)
9617 load_cr3(pmap->pm_cr3 | pmap->pm_pcids[cpuid].pm_pcid);
9618 PCPU_SET(curpmap, pmap);
9619 kcr3 = pmap->pm_cr3 | pmap->pm_pcids[cpuid].pm_pcid;
9620 ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[cpuid].pm_pcid |
9623 if (!cached && pmap->pm_ucr3 != PMAP_NO_CR3)
9624 PCPU_SET(ucr3_load_mask, ~CR3_PCID_SAVE);
9626 PCPU_SET(kcr3, kcr3 | CR3_PCID_SAVE);
9627 PCPU_SET(ucr3, ucr3 | CR3_PCID_SAVE);
9629 PCPU_INC(pm_save_cnt);
9631 pmap_activate_sw_pti_post(td, pmap);
9635 pmap_activate_sw_pcid_nopti(struct thread *td __unused, pmap_t pmap,
9638 uint64_t cached, cr3;
9640 KASSERT((read_rflags() & PSL_I) == 0,
9641 ("PCID needs interrupts disabled in pmap_activate_sw()"));
9643 cached = pmap_pcid_alloc_checked(pmap, cpuid);
9645 if (!cached || (cr3 & ~CR3_PCID_MASK) != pmap->pm_cr3)
9646 load_cr3(pmap->pm_cr3 | pmap->pm_pcids[cpuid].pm_pcid |
9648 PCPU_SET(curpmap, pmap);
9650 PCPU_INC(pm_save_cnt);
9654 pmap_activate_sw_nopcid_nopti(struct thread *td __unused, pmap_t pmap,
9655 u_int cpuid __unused)
9658 load_cr3(pmap->pm_cr3);
9659 PCPU_SET(curpmap, pmap);
9663 pmap_activate_sw_nopcid_pti(struct thread *td, pmap_t pmap,
9664 u_int cpuid __unused)
9667 pmap_activate_sw_nopcid_nopti(td, pmap, cpuid);
9668 PCPU_SET(kcr3, pmap->pm_cr3);
9669 PCPU_SET(ucr3, pmap->pm_ucr3);
9670 pmap_activate_sw_pti_post(td, pmap);
9673 DEFINE_IFUNC(static, void, pmap_activate_sw_mode, (struct thread *, pmap_t,
9677 if (pmap_pcid_enabled && pti)
9678 return (pmap_activate_sw_pcid_pti);
9679 else if (pmap_pcid_enabled && !pti)
9680 return (pmap_activate_sw_pcid_nopti);
9681 else if (!pmap_pcid_enabled && pti)
9682 return (pmap_activate_sw_nopcid_pti);
9683 else /* if (!pmap_pcid_enabled && !pti) */
9684 return (pmap_activate_sw_nopcid_nopti);
9688 pmap_activate_sw(struct thread *td)
9690 pmap_t oldpmap, pmap;
9693 oldpmap = PCPU_GET(curpmap);
9694 pmap = vmspace_pmap(td->td_proc->p_vmspace);
9695 if (oldpmap == pmap) {
9696 if (cpu_vendor_id != CPU_VENDOR_INTEL)
9700 cpuid = PCPU_GET(cpuid);
9702 CPU_SET_ATOMIC(cpuid, &pmap->pm_active);
9704 CPU_SET(cpuid, &pmap->pm_active);
9706 pmap_activate_sw_mode(td, pmap, cpuid);
9708 CPU_CLR_ATOMIC(cpuid, &oldpmap->pm_active);
9710 CPU_CLR(cpuid, &oldpmap->pm_active);
9715 pmap_activate(struct thread *td)
9718 * invltlb_{invpcid,}_pcid_handler() is used to handle an
9719 * invalidate_all IPI, which checks for curpmap ==
9720 * smp_tlb_pmap. The below sequence of operations has a
9721 * window where %CR3 is loaded with the new pmap's PML4
9722 * address, but the curpmap value has not yet been updated.
9723 * This causes the invltlb IPI handler, which is called
9724 * between the updates, to execute as a NOP, which leaves
9725 * stale TLB entries.
9727 * Note that the most common use of pmap_activate_sw(), from
9728 * a context switch, is immune to this race, because
9729 * interrupts are disabled (while the thread lock is owned),
9730 * so the IPI is delayed until after curpmap is updated. Protect
9731 * other callers in a similar way, by disabling interrupts
9732 * around the %cr3 register reload and curpmap assignment.
9735 pmap_activate_sw(td);
9740 pmap_activate_boot(pmap_t pmap)
9746 * kernel_pmap must be never deactivated, and we ensure that
9747 * by never activating it at all.
9749 MPASS(pmap != kernel_pmap);
9751 cpuid = PCPU_GET(cpuid);
9753 CPU_SET_ATOMIC(cpuid, &pmap->pm_active);
9755 CPU_SET(cpuid, &pmap->pm_active);
9757 PCPU_SET(curpmap, pmap);
9759 kcr3 = pmap->pm_cr3;
9760 if (pmap_pcid_enabled)
9761 kcr3 |= pmap->pm_pcids[cpuid].pm_pcid | CR3_PCID_SAVE;
9765 PCPU_SET(kcr3, kcr3);
9766 PCPU_SET(ucr3, PMAP_NO_CR3);
9770 pmap_sync_icache(pmap_t pm, vm_offset_t va, vm_size_t sz)
9775 * Increase the starting virtual address of the given mapping if a
9776 * different alignment might result in more superpage mappings.
9779 pmap_align_superpage(vm_object_t object, vm_ooffset_t offset,
9780 vm_offset_t *addr, vm_size_t size)
9782 vm_offset_t superpage_offset;
9786 if (object != NULL && (object->flags & OBJ_COLORED) != 0)
9787 offset += ptoa(object->pg_color);
9788 superpage_offset = offset & PDRMASK;
9789 if (size - ((NBPDR - superpage_offset) & PDRMASK) < NBPDR ||
9790 (*addr & PDRMASK) == superpage_offset)
9792 if ((*addr & PDRMASK) < superpage_offset)
9793 *addr = (*addr & ~PDRMASK) + superpage_offset;
9795 *addr = ((*addr + PDRMASK) & ~PDRMASK) + superpage_offset;
9799 static unsigned long num_dirty_emulations;
9800 SYSCTL_ULONG(_vm_pmap, OID_AUTO, num_dirty_emulations, CTLFLAG_RW,
9801 &num_dirty_emulations, 0, NULL);
9803 static unsigned long num_accessed_emulations;
9804 SYSCTL_ULONG(_vm_pmap, OID_AUTO, num_accessed_emulations, CTLFLAG_RW,
9805 &num_accessed_emulations, 0, NULL);
9807 static unsigned long num_superpage_accessed_emulations;
9808 SYSCTL_ULONG(_vm_pmap, OID_AUTO, num_superpage_accessed_emulations, CTLFLAG_RW,
9809 &num_superpage_accessed_emulations, 0, NULL);
9811 static unsigned long ad_emulation_superpage_promotions;
9812 SYSCTL_ULONG(_vm_pmap, OID_AUTO, ad_emulation_superpage_promotions, CTLFLAG_RW,
9813 &ad_emulation_superpage_promotions, 0, NULL);
9814 #endif /* INVARIANTS */
9817 pmap_emulate_accessed_dirty(pmap_t pmap, vm_offset_t va, int ftype)
9820 struct rwlock *lock;
9821 #if VM_NRESERVLEVEL > 0
9825 pt_entry_t *pte, PG_A, PG_M, PG_RW, PG_V;
9827 KASSERT(ftype == VM_PROT_READ || ftype == VM_PROT_WRITE,
9828 ("pmap_emulate_accessed_dirty: invalid fault type %d", ftype));
9830 if (!pmap_emulate_ad_bits(pmap))
9833 PG_A = pmap_accessed_bit(pmap);
9834 PG_M = pmap_modified_bit(pmap);
9835 PG_V = pmap_valid_bit(pmap);
9836 PG_RW = pmap_rw_bit(pmap);
9842 pde = pmap_pde(pmap, va);
9843 if (pde == NULL || (*pde & PG_V) == 0)
9846 if ((*pde & PG_PS) != 0) {
9847 if (ftype == VM_PROT_READ) {
9849 atomic_add_long(&num_superpage_accessed_emulations, 1);
9857 pte = pmap_pde_to_pte(pde, va);
9858 if ((*pte & PG_V) == 0)
9861 if (ftype == VM_PROT_WRITE) {
9862 if ((*pte & PG_RW) == 0)
9865 * Set the modified and accessed bits simultaneously.
9867 * Intel EPT PTEs that do software emulation of A/D bits map
9868 * PG_A and PG_M to EPT_PG_READ and EPT_PG_WRITE respectively.
9869 * An EPT misconfiguration is triggered if the PTE is writable
9870 * but not readable (WR=10). This is avoided by setting PG_A
9871 * and PG_M simultaneously.
9873 *pte |= PG_M | PG_A;
9878 #if VM_NRESERVLEVEL > 0
9879 /* try to promote the mapping */
9880 if (va < VM_MAXUSER_ADDRESS)
9881 mpte = PHYS_TO_VM_PAGE(*pde & PG_FRAME);
9885 m = PHYS_TO_VM_PAGE(*pte & PG_FRAME);
9887 if ((mpte == NULL || mpte->ref_count == NPTEPG) &&
9888 pmap_ps_enabled(pmap) &&
9889 (m->flags & PG_FICTITIOUS) == 0 &&
9890 vm_reserv_level_iffullpop(m) == 0) {
9891 pmap_promote_pde(pmap, pde, va, &lock);
9893 atomic_add_long(&ad_emulation_superpage_promotions, 1);
9899 if (ftype == VM_PROT_WRITE)
9900 atomic_add_long(&num_dirty_emulations, 1);
9902 atomic_add_long(&num_accessed_emulations, 1);
9904 rv = 0; /* success */
9913 pmap_get_mapping(pmap_t pmap, vm_offset_t va, uint64_t *ptr, int *num)
9918 pt_entry_t *pte, PG_V;
9922 PG_V = pmap_valid_bit(pmap);
9925 pml4 = pmap_pml4e(pmap, va);
9929 if ((*pml4 & PG_V) == 0)
9932 pdp = pmap_pml4e_to_pdpe(pml4, va);
9934 if ((*pdp & PG_V) == 0 || (*pdp & PG_PS) != 0)
9937 pde = pmap_pdpe_to_pde(pdp, va);
9939 if ((*pde & PG_V) == 0 || (*pde & PG_PS) != 0)
9942 pte = pmap_pde_to_pte(pde, va);
9951 * Get the kernel virtual address of a set of physical pages. If there are
9952 * physical addresses not covered by the DMAP perform a transient mapping
9953 * that will be removed when calling pmap_unmap_io_transient.
9955 * \param page The pages the caller wishes to obtain the virtual
9956 * address on the kernel memory map.
9957 * \param vaddr On return contains the kernel virtual memory address
9958 * of the pages passed in the page parameter.
9959 * \param count Number of pages passed in.
9960 * \param can_fault TRUE if the thread using the mapped pages can take
9961 * page faults, FALSE otherwise.
9963 * \returns TRUE if the caller must call pmap_unmap_io_transient when
9964 * finished or FALSE otherwise.
9968 pmap_map_io_transient(vm_page_t page[], vm_offset_t vaddr[], int count,
9969 boolean_t can_fault)
9972 boolean_t needs_mapping;
9974 int cache_bits, error __unused, i;
9977 * Allocate any KVA space that we need, this is done in a separate
9978 * loop to prevent calling vmem_alloc while pinned.
9980 needs_mapping = FALSE;
9981 for (i = 0; i < count; i++) {
9982 paddr = VM_PAGE_TO_PHYS(page[i]);
9983 if (__predict_false(paddr >= dmaplimit)) {
9984 error = vmem_alloc(kernel_arena, PAGE_SIZE,
9985 M_BESTFIT | M_WAITOK, &vaddr[i]);
9986 KASSERT(error == 0, ("vmem_alloc failed: %d", error));
9987 needs_mapping = TRUE;
9989 vaddr[i] = PHYS_TO_DMAP(paddr);
9993 /* Exit early if everything is covered by the DMAP */
9998 * NB: The sequence of updating a page table followed by accesses
9999 * to the corresponding pages used in the !DMAP case is subject to
10000 * the situation described in the "AMD64 Architecture Programmer's
10001 * Manual Volume 2: System Programming" rev. 3.23, "7.3.1 Special
10002 * Coherency Considerations". Therefore, issuing the INVLPG right
10003 * after modifying the PTE bits is crucial.
10007 for (i = 0; i < count; i++) {
10008 paddr = VM_PAGE_TO_PHYS(page[i]);
10009 if (paddr >= dmaplimit) {
10012 * Slow path, since we can get page faults
10013 * while mappings are active don't pin the
10014 * thread to the CPU and instead add a global
10015 * mapping visible to all CPUs.
10017 pmap_qenter(vaddr[i], &page[i], 1);
10019 pte = vtopte(vaddr[i]);
10020 cache_bits = pmap_cache_bits(kernel_pmap,
10021 page[i]->md.pat_mode, 0);
10022 pte_store(pte, paddr | X86_PG_RW | X86_PG_V |
10029 return (needs_mapping);
10033 pmap_unmap_io_transient(vm_page_t page[], vm_offset_t vaddr[], int count,
10034 boolean_t can_fault)
10041 for (i = 0; i < count; i++) {
10042 paddr = VM_PAGE_TO_PHYS(page[i]);
10043 if (paddr >= dmaplimit) {
10045 pmap_qremove(vaddr[i], 1);
10046 vmem_free(kernel_arena, vaddr[i], PAGE_SIZE);
10052 pmap_quick_enter_page(vm_page_t m)
10056 paddr = VM_PAGE_TO_PHYS(m);
10057 if (paddr < dmaplimit)
10058 return (PHYS_TO_DMAP(paddr));
10059 mtx_lock_spin(&qframe_mtx);
10060 KASSERT(*vtopte(qframe) == 0, ("qframe busy"));
10061 pte_store(vtopte(qframe), paddr | X86_PG_RW | X86_PG_V | X86_PG_A |
10062 X86_PG_M | pmap_cache_bits(kernel_pmap, m->md.pat_mode, 0));
10067 pmap_quick_remove_page(vm_offset_t addr)
10070 if (addr != qframe)
10072 pte_store(vtopte(qframe), 0);
10074 mtx_unlock_spin(&qframe_mtx);
10078 * Pdp pages from the large map are managed differently from either
10079 * kernel or user page table pages. They are permanently allocated at
10080 * initialization time, and their reference count is permanently set to
10081 * zero. The pml4 entries pointing to those pages are copied into
10082 * each allocated pmap.
10084 * In contrast, pd and pt pages are managed like user page table
10085 * pages. They are dynamically allocated, and their reference count
10086 * represents the number of valid entries within the page.
10089 pmap_large_map_getptp_unlocked(void)
10093 m = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ |
10095 if (m != NULL && (m->flags & PG_ZERO) == 0)
10101 pmap_large_map_getptp(void)
10105 PMAP_LOCK_ASSERT(kernel_pmap, MA_OWNED);
10106 m = pmap_large_map_getptp_unlocked();
10108 PMAP_UNLOCK(kernel_pmap);
10110 PMAP_LOCK(kernel_pmap);
10111 /* Callers retry. */
10116 static pdp_entry_t *
10117 pmap_large_map_pdpe(vm_offset_t va)
10119 vm_pindex_t pml4_idx;
10122 pml4_idx = pmap_pml4e_index(va);
10123 KASSERT(LMSPML4I <= pml4_idx && pml4_idx < LMSPML4I + lm_ents,
10124 ("pmap_large_map_pdpe: va %#jx out of range idx %#jx LMSPML4I "
10126 (uintmax_t)va, (uintmax_t)pml4_idx, LMSPML4I, lm_ents));
10127 KASSERT((kernel_pml4[pml4_idx] & X86_PG_V) != 0,
10128 ("pmap_large_map_pdpe: invalid pml4 for va %#jx idx %#jx "
10129 "LMSPML4I %#jx lm_ents %d",
10130 (uintmax_t)va, (uintmax_t)pml4_idx, LMSPML4I, lm_ents));
10131 mphys = kernel_pml4[pml4_idx] & PG_FRAME;
10132 return ((pdp_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pdpe_index(va));
10135 static pd_entry_t *
10136 pmap_large_map_pde(vm_offset_t va)
10143 pdpe = pmap_large_map_pdpe(va);
10145 m = pmap_large_map_getptp();
10148 mphys = VM_PAGE_TO_PHYS(m);
10149 *pdpe = mphys | X86_PG_A | X86_PG_RW | X86_PG_V | pg_nx;
10151 MPASS((*pdpe & X86_PG_PS) == 0);
10152 mphys = *pdpe & PG_FRAME;
10154 return ((pd_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pde_index(va));
10157 static pt_entry_t *
10158 pmap_large_map_pte(vm_offset_t va)
10165 pde = pmap_large_map_pde(va);
10167 m = pmap_large_map_getptp();
10170 mphys = VM_PAGE_TO_PHYS(m);
10171 *pde = mphys | X86_PG_A | X86_PG_RW | X86_PG_V | pg_nx;
10172 PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pde))->ref_count++;
10174 MPASS((*pde & X86_PG_PS) == 0);
10175 mphys = *pde & PG_FRAME;
10177 return ((pt_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pte_index(va));
10181 pmap_large_map_kextract(vm_offset_t va)
10183 pdp_entry_t *pdpe, pdp;
10184 pd_entry_t *pde, pd;
10185 pt_entry_t *pte, pt;
10187 KASSERT(PMAP_ADDRESS_IN_LARGEMAP(va),
10188 ("not largemap range %#lx", (u_long)va));
10189 pdpe = pmap_large_map_pdpe(va);
10191 KASSERT((pdp & X86_PG_V) != 0,
10192 ("invalid pdp va %#lx pdpe %#lx pdp %#lx", va,
10193 (u_long)pdpe, pdp));
10194 if ((pdp & X86_PG_PS) != 0) {
10195 KASSERT((amd_feature & AMDID_PAGE1GB) != 0,
10196 ("no 1G pages, va %#lx pdpe %#lx pdp %#lx", va,
10197 (u_long)pdpe, pdp));
10198 return ((pdp & PG_PS_PDP_FRAME) | (va & PDPMASK));
10200 pde = pmap_pdpe_to_pde(pdpe, va);
10202 KASSERT((pd & X86_PG_V) != 0,
10203 ("invalid pd va %#lx pde %#lx pd %#lx", va, (u_long)pde, pd));
10204 if ((pd & X86_PG_PS) != 0)
10205 return ((pd & PG_PS_FRAME) | (va & PDRMASK));
10206 pte = pmap_pde_to_pte(pde, va);
10208 KASSERT((pt & X86_PG_V) != 0,
10209 ("invalid pte va %#lx pte %#lx pt %#lx", va, (u_long)pte, pt));
10210 return ((pt & PG_FRAME) | (va & PAGE_MASK));
10214 pmap_large_map_getva(vm_size_t len, vm_offset_t align, vm_offset_t phase,
10215 vmem_addr_t *vmem_res)
10219 * Large mappings are all but static. Consequently, there
10220 * is no point in waiting for an earlier allocation to be
10223 return (vmem_xalloc(large_vmem, len, align, phase, 0, VMEM_ADDR_MIN,
10224 VMEM_ADDR_MAX, M_NOWAIT | M_BESTFIT, vmem_res));
10228 pmap_large_map(vm_paddr_t spa, vm_size_t len, void **addr,
10229 vm_memattr_t mattr)
10234 vm_offset_t va, inc;
10235 vmem_addr_t vmem_res;
10239 if (len == 0 || spa + len < spa)
10242 /* See if DMAP can serve. */
10243 if (spa + len <= dmaplimit) {
10244 va = PHYS_TO_DMAP(spa);
10245 *addr = (void *)va;
10246 return (pmap_change_attr(va, len, mattr));
10250 * No, allocate KVA. Fit the address with best possible
10251 * alignment for superpages. Fall back to worse align if
10255 if ((amd_feature & AMDID_PAGE1GB) != 0 && rounddown2(spa + len,
10256 NBPDP) >= roundup2(spa, NBPDP) + NBPDP)
10257 error = pmap_large_map_getva(len, NBPDP, spa & PDPMASK,
10259 if (error != 0 && rounddown2(spa + len, NBPDR) >= roundup2(spa,
10261 error = pmap_large_map_getva(len, NBPDR, spa & PDRMASK,
10264 error = pmap_large_map_getva(len, PAGE_SIZE, 0, &vmem_res);
10269 * Fill pagetable. PG_M is not pre-set, we scan modified bits
10270 * in the pagetable to minimize flushing. No need to
10271 * invalidate TLB, since we only update invalid entries.
10273 PMAP_LOCK(kernel_pmap);
10274 for (pa = spa, va = vmem_res; len > 0; pa += inc, va += inc,
10276 if ((amd_feature & AMDID_PAGE1GB) != 0 && len >= NBPDP &&
10277 (pa & PDPMASK) == 0 && (va & PDPMASK) == 0) {
10278 pdpe = pmap_large_map_pdpe(va);
10280 *pdpe = pa | pg_g | X86_PG_PS | X86_PG_RW |
10281 X86_PG_V | X86_PG_A | pg_nx |
10282 pmap_cache_bits(kernel_pmap, mattr, TRUE);
10284 } else if (len >= NBPDR && (pa & PDRMASK) == 0 &&
10285 (va & PDRMASK) == 0) {
10286 pde = pmap_large_map_pde(va);
10288 *pde = pa | pg_g | X86_PG_PS | X86_PG_RW |
10289 X86_PG_V | X86_PG_A | pg_nx |
10290 pmap_cache_bits(kernel_pmap, mattr, TRUE);
10291 PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pde))->
10295 pte = pmap_large_map_pte(va);
10297 *pte = pa | pg_g | X86_PG_RW | X86_PG_V |
10298 X86_PG_A | pg_nx | pmap_cache_bits(kernel_pmap,
10300 PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte))->
10305 PMAP_UNLOCK(kernel_pmap);
10308 *addr = (void *)vmem_res;
10313 pmap_large_unmap(void *svaa, vm_size_t len)
10315 vm_offset_t sva, va;
10317 pdp_entry_t *pdpe, pdp;
10318 pd_entry_t *pde, pd;
10321 struct spglist spgf;
10323 sva = (vm_offset_t)svaa;
10324 if (len == 0 || sva + len < sva || (sva >= DMAP_MIN_ADDRESS &&
10325 sva + len <= DMAP_MIN_ADDRESS + dmaplimit))
10329 KASSERT(PMAP_ADDRESS_IN_LARGEMAP(sva) &&
10330 PMAP_ADDRESS_IN_LARGEMAP(sva + len - 1),
10331 ("not largemap range %#lx %#lx", (u_long)svaa, (u_long)svaa + len));
10332 PMAP_LOCK(kernel_pmap);
10333 for (va = sva; va < sva + len; va += inc) {
10334 pdpe = pmap_large_map_pdpe(va);
10336 KASSERT((pdp & X86_PG_V) != 0,
10337 ("invalid pdp va %#lx pdpe %#lx pdp %#lx", va,
10338 (u_long)pdpe, pdp));
10339 if ((pdp & X86_PG_PS) != 0) {
10340 KASSERT((amd_feature & AMDID_PAGE1GB) != 0,
10341 ("no 1G pages, va %#lx pdpe %#lx pdp %#lx", va,
10342 (u_long)pdpe, pdp));
10343 KASSERT((va & PDPMASK) == 0,
10344 ("PDPMASK bit set, va %#lx pdpe %#lx pdp %#lx", va,
10345 (u_long)pdpe, pdp));
10346 KASSERT(va + NBPDP <= sva + len,
10347 ("unmap covers partial 1GB page, sva %#lx va %#lx "
10348 "pdpe %#lx pdp %#lx len %#lx", sva, va,
10349 (u_long)pdpe, pdp, len));
10354 pde = pmap_pdpe_to_pde(pdpe, va);
10356 KASSERT((pd & X86_PG_V) != 0,
10357 ("invalid pd va %#lx pde %#lx pd %#lx", va,
10359 if ((pd & X86_PG_PS) != 0) {
10360 KASSERT((va & PDRMASK) == 0,
10361 ("PDRMASK bit set, va %#lx pde %#lx pd %#lx", va,
10363 KASSERT(va + NBPDR <= sva + len,
10364 ("unmap covers partial 2MB page, sva %#lx va %#lx "
10365 "pde %#lx pd %#lx len %#lx", sva, va, (u_long)pde,
10369 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pde));
10371 if (m->ref_count == 0) {
10373 SLIST_INSERT_HEAD(&spgf, m, plinks.s.ss);
10377 pte = pmap_pde_to_pte(pde, va);
10378 KASSERT((*pte & X86_PG_V) != 0,
10379 ("invalid pte va %#lx pte %#lx pt %#lx", va,
10380 (u_long)pte, *pte));
10383 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pte));
10385 if (m->ref_count == 0) {
10387 SLIST_INSERT_HEAD(&spgf, m, plinks.s.ss);
10388 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pde));
10390 if (m->ref_count == 0) {
10392 SLIST_INSERT_HEAD(&spgf, m, plinks.s.ss);
10396 pmap_invalidate_range(kernel_pmap, sva, sva + len);
10397 PMAP_UNLOCK(kernel_pmap);
10398 vm_page_free_pages_toq(&spgf, false);
10399 vmem_free(large_vmem, sva, len);
10403 pmap_large_map_wb_fence_mfence(void)
10410 pmap_large_map_wb_fence_atomic(void)
10413 atomic_thread_fence_seq_cst();
10417 pmap_large_map_wb_fence_nop(void)
10421 DEFINE_IFUNC(static, void, pmap_large_map_wb_fence, (void))
10424 if (cpu_vendor_id != CPU_VENDOR_INTEL)
10425 return (pmap_large_map_wb_fence_mfence);
10426 else if ((cpu_stdext_feature & (CPUID_STDEXT_CLWB |
10427 CPUID_STDEXT_CLFLUSHOPT)) == 0)
10428 return (pmap_large_map_wb_fence_atomic);
10430 /* clflush is strongly enough ordered */
10431 return (pmap_large_map_wb_fence_nop);
10435 pmap_large_map_flush_range_clwb(vm_offset_t va, vm_size_t len)
10438 for (; len > 0; len -= cpu_clflush_line_size,
10439 va += cpu_clflush_line_size)
10444 pmap_large_map_flush_range_clflushopt(vm_offset_t va, vm_size_t len)
10447 for (; len > 0; len -= cpu_clflush_line_size,
10448 va += cpu_clflush_line_size)
10453 pmap_large_map_flush_range_clflush(vm_offset_t va, vm_size_t len)
10456 for (; len > 0; len -= cpu_clflush_line_size,
10457 va += cpu_clflush_line_size)
10462 pmap_large_map_flush_range_nop(vm_offset_t sva __unused, vm_size_t len __unused)
10466 DEFINE_IFUNC(static, void, pmap_large_map_flush_range, (vm_offset_t, vm_size_t))
10469 if ((cpu_stdext_feature & CPUID_STDEXT_CLWB) != 0)
10470 return (pmap_large_map_flush_range_clwb);
10471 else if ((cpu_stdext_feature & CPUID_STDEXT_CLFLUSHOPT) != 0)
10472 return (pmap_large_map_flush_range_clflushopt);
10473 else if ((cpu_feature & CPUID_CLFSH) != 0)
10474 return (pmap_large_map_flush_range_clflush);
10476 return (pmap_large_map_flush_range_nop);
10480 pmap_large_map_wb_large(vm_offset_t sva, vm_offset_t eva)
10482 volatile u_long *pe;
10488 for (va = sva; va < eva; va += inc) {
10490 if ((amd_feature & AMDID_PAGE1GB) != 0) {
10491 pe = (volatile u_long *)pmap_large_map_pdpe(va);
10493 if ((p & X86_PG_PS) != 0)
10497 pe = (volatile u_long *)pmap_large_map_pde(va);
10499 if ((p & X86_PG_PS) != 0)
10503 pe = (volatile u_long *)pmap_large_map_pte(va);
10507 seen_other = false;
10509 if ((p & X86_PG_AVAIL1) != 0) {
10511 * Spin-wait for the end of a parallel
10518 * If we saw other write-back
10519 * occuring, we cannot rely on PG_M to
10520 * indicate state of the cache. The
10521 * PG_M bit is cleared before the
10522 * flush to avoid ignoring new writes,
10523 * and writes which are relevant for
10524 * us might happen after.
10530 if ((p & X86_PG_M) != 0 || seen_other) {
10531 if (!atomic_fcmpset_long(pe, &p,
10532 (p & ~X86_PG_M) | X86_PG_AVAIL1))
10534 * If we saw PG_M without
10535 * PG_AVAIL1, and then on the
10536 * next attempt we do not
10537 * observe either PG_M or
10538 * PG_AVAIL1, the other
10539 * write-back started after us
10540 * and finished before us. We
10541 * can rely on it doing our
10545 pmap_large_map_flush_range(va, inc);
10546 atomic_clear_long(pe, X86_PG_AVAIL1);
10555 * Write-back cache lines for the given address range.
10557 * Must be called only on the range or sub-range returned from
10558 * pmap_large_map(). Must not be called on the coalesced ranges.
10560 * Does nothing on CPUs without CLWB, CLFLUSHOPT, or CLFLUSH
10561 * instructions support.
10564 pmap_large_map_wb(void *svap, vm_size_t len)
10566 vm_offset_t eva, sva;
10568 sva = (vm_offset_t)svap;
10570 pmap_large_map_wb_fence();
10571 if (sva >= DMAP_MIN_ADDRESS && eva <= DMAP_MIN_ADDRESS + dmaplimit) {
10572 pmap_large_map_flush_range(sva, len);
10574 KASSERT(sva >= LARGEMAP_MIN_ADDRESS &&
10575 eva <= LARGEMAP_MIN_ADDRESS + lm_ents * NBPML4,
10576 ("pmap_large_map_wb: not largemap %#lx %#lx", sva, len));
10577 pmap_large_map_wb_large(sva, eva);
10579 pmap_large_map_wb_fence();
10583 pmap_pti_alloc_page(void)
10587 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10588 m = vm_page_grab(pti_obj, pti_pg_idx++, VM_ALLOC_NOBUSY |
10589 VM_ALLOC_WIRED | VM_ALLOC_ZERO);
10594 pmap_pti_free_page(vm_page_t m)
10597 KASSERT(m->ref_count > 0, ("page %p not referenced", m));
10598 if (!vm_page_unwire_noq(m))
10600 vm_page_free_zero(m);
10605 pmap_pti_init(void)
10614 pti_obj = vm_pager_allocate(OBJT_PHYS, NULL, 0, VM_PROT_ALL, 0, NULL);
10615 VM_OBJECT_WLOCK(pti_obj);
10616 pml4_pg = pmap_pti_alloc_page();
10617 pti_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4_pg));
10618 for (va = VM_MIN_KERNEL_ADDRESS; va <= VM_MAX_KERNEL_ADDRESS &&
10619 va >= VM_MIN_KERNEL_ADDRESS && va > NBPML4; va += NBPML4) {
10620 pdpe = pmap_pti_pdpe(va);
10621 pmap_pti_wire_pte(pdpe);
10623 pmap_pti_add_kva_locked((vm_offset_t)&__pcpu[0],
10624 (vm_offset_t)&__pcpu[0] + sizeof(__pcpu[0]) * MAXCPU, false);
10625 pmap_pti_add_kva_locked((vm_offset_t)idt, (vm_offset_t)idt +
10626 sizeof(struct gate_descriptor) * NIDT, false);
10628 /* Doublefault stack IST 1 */
10629 va = __pcpu[i].pc_common_tss.tss_ist1 + sizeof(struct nmi_pcpu);
10630 pmap_pti_add_kva_locked(va - DBLFAULT_STACK_SIZE, va, false);
10631 /* NMI stack IST 2 */
10632 va = __pcpu[i].pc_common_tss.tss_ist2 + sizeof(struct nmi_pcpu);
10633 pmap_pti_add_kva_locked(va - NMI_STACK_SIZE, va, false);
10634 /* MC# stack IST 3 */
10635 va = __pcpu[i].pc_common_tss.tss_ist3 +
10636 sizeof(struct nmi_pcpu);
10637 pmap_pti_add_kva_locked(va - MCE_STACK_SIZE, va, false);
10638 /* DB# stack IST 4 */
10639 va = __pcpu[i].pc_common_tss.tss_ist4 + sizeof(struct nmi_pcpu);
10640 pmap_pti_add_kva_locked(va - DBG_STACK_SIZE, va, false);
10642 pmap_pti_add_kva_locked((vm_offset_t)KERNSTART, (vm_offset_t)etext,
10644 pti_finalized = true;
10645 VM_OBJECT_WUNLOCK(pti_obj);
10647 SYSINIT(pmap_pti, SI_SUB_CPU + 1, SI_ORDER_ANY, pmap_pti_init, NULL);
10649 static pdp_entry_t *
10650 pmap_pti_pdpe(vm_offset_t va)
10652 pml4_entry_t *pml4e;
10655 vm_pindex_t pml4_idx;
10658 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10660 pml4_idx = pmap_pml4e_index(va);
10661 pml4e = &pti_pml4[pml4_idx];
10665 panic("pml4 alloc after finalization\n");
10666 m = pmap_pti_alloc_page();
10668 pmap_pti_free_page(m);
10669 mphys = *pml4e & ~PAGE_MASK;
10671 mphys = VM_PAGE_TO_PHYS(m);
10672 *pml4e = mphys | X86_PG_RW | X86_PG_V;
10675 mphys = *pml4e & ~PAGE_MASK;
10677 pdpe = (pdp_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pdpe_index(va);
10682 pmap_pti_wire_pte(void *pte)
10686 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10687 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte));
10692 pmap_pti_unwire_pde(void *pde, bool only_ref)
10696 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10697 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pde));
10698 MPASS(m->ref_count > 0);
10699 MPASS(only_ref || m->ref_count > 1);
10700 pmap_pti_free_page(m);
10704 pmap_pti_unwire_pte(void *pte, vm_offset_t va)
10709 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10710 m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte));
10711 MPASS(m->ref_count > 0);
10712 if (pmap_pti_free_page(m)) {
10713 pde = pmap_pti_pde(va);
10714 MPASS((*pde & (X86_PG_PS | X86_PG_V)) == X86_PG_V);
10716 pmap_pti_unwire_pde(pde, false);
10720 static pd_entry_t *
10721 pmap_pti_pde(vm_offset_t va)
10726 vm_pindex_t pd_idx;
10729 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10731 pdpe = pmap_pti_pdpe(va);
10733 m = pmap_pti_alloc_page();
10735 pmap_pti_free_page(m);
10736 MPASS((*pdpe & X86_PG_PS) == 0);
10737 mphys = *pdpe & ~PAGE_MASK;
10739 mphys = VM_PAGE_TO_PHYS(m);
10740 *pdpe = mphys | X86_PG_RW | X86_PG_V;
10743 MPASS((*pdpe & X86_PG_PS) == 0);
10744 mphys = *pdpe & ~PAGE_MASK;
10747 pde = (pd_entry_t *)PHYS_TO_DMAP(mphys);
10748 pd_idx = pmap_pde_index(va);
10753 static pt_entry_t *
10754 pmap_pti_pte(vm_offset_t va, bool *unwire_pde)
10761 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10763 pde = pmap_pti_pde(va);
10764 if (unwire_pde != NULL) {
10765 *unwire_pde = true;
10766 pmap_pti_wire_pte(pde);
10769 m = pmap_pti_alloc_page();
10771 pmap_pti_free_page(m);
10772 MPASS((*pde & X86_PG_PS) == 0);
10773 mphys = *pde & ~(PAGE_MASK | pg_nx);
10775 mphys = VM_PAGE_TO_PHYS(m);
10776 *pde = mphys | X86_PG_RW | X86_PG_V;
10777 if (unwire_pde != NULL)
10778 *unwire_pde = false;
10781 MPASS((*pde & X86_PG_PS) == 0);
10782 mphys = *pde & ~(PAGE_MASK | pg_nx);
10785 pte = (pt_entry_t *)PHYS_TO_DMAP(mphys);
10786 pte += pmap_pte_index(va);
10792 pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva, bool exec)
10796 pt_entry_t *pte, ptev;
10799 VM_OBJECT_ASSERT_WLOCKED(pti_obj);
10801 sva = trunc_page(sva);
10802 MPASS(sva > VM_MAXUSER_ADDRESS);
10803 eva = round_page(eva);
10805 for (; sva < eva; sva += PAGE_SIZE) {
10806 pte = pmap_pti_pte(sva, &unwire_pde);
10807 pa = pmap_kextract(sva);
10808 ptev = pa | X86_PG_RW | X86_PG_V | X86_PG_A | X86_PG_G |
10809 (exec ? 0 : pg_nx) | pmap_cache_bits(kernel_pmap,
10810 VM_MEMATTR_DEFAULT, FALSE);
10812 pte_store(pte, ptev);
10813 pmap_pti_wire_pte(pte);
10815 KASSERT(!pti_finalized,
10816 ("pti overlap after fin %#lx %#lx %#lx",
10818 KASSERT(*pte == ptev,
10819 ("pti non-identical pte after fin %#lx %#lx %#lx",
10823 pde = pmap_pti_pde(sva);
10824 pmap_pti_unwire_pde(pde, true);
10830 pmap_pti_add_kva(vm_offset_t sva, vm_offset_t eva, bool exec)
10835 VM_OBJECT_WLOCK(pti_obj);
10836 pmap_pti_add_kva_locked(sva, eva, exec);
10837 VM_OBJECT_WUNLOCK(pti_obj);
10841 pmap_pti_remove_kva(vm_offset_t sva, vm_offset_t eva)
10848 sva = rounddown2(sva, PAGE_SIZE);
10849 MPASS(sva > VM_MAXUSER_ADDRESS);
10850 eva = roundup2(eva, PAGE_SIZE);
10852 VM_OBJECT_WLOCK(pti_obj);
10853 for (va = sva; va < eva; va += PAGE_SIZE) {
10854 pte = pmap_pti_pte(va, NULL);
10855 KASSERT((*pte & X86_PG_V) != 0,
10856 ("invalid pte va %#lx pte %#lx pt %#lx", va,
10857 (u_long)pte, *pte));
10859 pmap_pti_unwire_pte(pte, va);
10861 pmap_invalidate_range(kernel_pmap, sva, eva);
10862 VM_OBJECT_WUNLOCK(pti_obj);
10866 pkru_dup_range(void *ctx __unused, void *data)
10868 struct pmap_pkru_range *node, *new_node;
10870 new_node = uma_zalloc(pmap_pkru_ranges_zone, M_NOWAIT);
10871 if (new_node == NULL)
10874 memcpy(new_node, node, sizeof(*node));
10879 pkru_free_range(void *ctx __unused, void *node)
10882 uma_zfree(pmap_pkru_ranges_zone, node);
10886 pmap_pkru_assign(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, u_int keyidx,
10889 struct pmap_pkru_range *ppr;
10892 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10893 MPASS(pmap->pm_type == PT_X86);
10894 MPASS((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0);
10895 if ((flags & AMD64_PKRU_EXCL) != 0 &&
10896 !rangeset_check_empty(&pmap->pm_pkru, sva, eva))
10898 ppr = uma_zalloc(pmap_pkru_ranges_zone, M_NOWAIT);
10901 ppr->pkru_keyidx = keyidx;
10902 ppr->pkru_flags = flags & AMD64_PKRU_PERSIST;
10903 error = rangeset_insert(&pmap->pm_pkru, sva, eva, ppr);
10905 uma_zfree(pmap_pkru_ranges_zone, ppr);
10910 pmap_pkru_deassign(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
10913 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10914 MPASS(pmap->pm_type == PT_X86);
10915 MPASS((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0);
10916 return (rangeset_remove(&pmap->pm_pkru, sva, eva));
10920 pmap_pkru_deassign_all(pmap_t pmap)
10923 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10924 if (pmap->pm_type == PT_X86 &&
10925 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0)
10926 rangeset_remove_all(&pmap->pm_pkru);
10930 pmap_pkru_same(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
10932 struct pmap_pkru_range *ppr, *prev_ppr;
10935 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10936 if (pmap->pm_type != PT_X86 ||
10937 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) == 0 ||
10938 sva >= VM_MAXUSER_ADDRESS)
10940 MPASS(eva <= VM_MAXUSER_ADDRESS);
10941 for (va = sva; va < eva; prev_ppr = ppr) {
10942 ppr = rangeset_lookup(&pmap->pm_pkru, va);
10945 else if ((ppr == NULL) ^ (prev_ppr == NULL))
10951 if (prev_ppr->pkru_keyidx != ppr->pkru_keyidx)
10953 va = ppr->pkru_rs_el.re_end;
10959 pmap_pkru_get(pmap_t pmap, vm_offset_t va)
10961 struct pmap_pkru_range *ppr;
10963 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10964 if (pmap->pm_type != PT_X86 ||
10965 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) == 0 ||
10966 va >= VM_MAXUSER_ADDRESS)
10968 ppr = rangeset_lookup(&pmap->pm_pkru, va);
10970 return (X86_PG_PKU(ppr->pkru_keyidx));
10975 pred_pkru_on_remove(void *ctx __unused, void *r)
10977 struct pmap_pkru_range *ppr;
10980 return ((ppr->pkru_flags & AMD64_PKRU_PERSIST) == 0);
10984 pmap_pkru_on_remove(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
10987 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
10988 if (pmap->pm_type == PT_X86 &&
10989 (cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0) {
10990 rangeset_remove_pred(&pmap->pm_pkru, sva, eva,
10991 pred_pkru_on_remove);
10996 pmap_pkru_copy(pmap_t dst_pmap, pmap_t src_pmap)
10999 PMAP_LOCK_ASSERT(dst_pmap, MA_OWNED);
11000 PMAP_LOCK_ASSERT(src_pmap, MA_OWNED);
11001 MPASS(dst_pmap->pm_type == PT_X86);
11002 MPASS(src_pmap->pm_type == PT_X86);
11003 MPASS((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) != 0);
11004 if (src_pmap->pm_pkru.rs_data_ctx == NULL)
11006 return (rangeset_copy(&dst_pmap->pm_pkru, &src_pmap->pm_pkru));
11010 pmap_pkru_update_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva,
11013 pml4_entry_t *pml4e;
11015 pd_entry_t newpde, ptpaddr, *pde;
11016 pt_entry_t newpte, *ptep, pte;
11017 vm_offset_t va, va_next;
11020 PMAP_LOCK_ASSERT(pmap, MA_OWNED);
11021 MPASS(pmap->pm_type == PT_X86);
11022 MPASS(keyidx <= PMAP_MAX_PKRU_IDX);
11024 for (changed = false, va = sva; va < eva; va = va_next) {
11025 pml4e = pmap_pml4e(pmap, va);
11026 if (pml4e == NULL || (*pml4e & X86_PG_V) == 0) {
11027 va_next = (va + NBPML4) & ~PML4MASK;
11033 pdpe = pmap_pml4e_to_pdpe(pml4e, va);
11034 if ((*pdpe & X86_PG_V) == 0) {
11035 va_next = (va + NBPDP) & ~PDPMASK;
11041 va_next = (va + NBPDR) & ~PDRMASK;
11045 pde = pmap_pdpe_to_pde(pdpe, va);
11050 MPASS((ptpaddr & X86_PG_V) != 0);
11051 if ((ptpaddr & PG_PS) != 0) {
11052 if (va + NBPDR == va_next && eva >= va_next) {
11053 newpde = (ptpaddr & ~X86_PG_PKU_MASK) |
11054 X86_PG_PKU(keyidx);
11055 if (newpde != ptpaddr) {
11060 } else if (!pmap_demote_pde(pmap, pde, va)) {
11068 for (ptep = pmap_pde_to_pte(pde, va); va != va_next;
11069 ptep++, va += PAGE_SIZE) {
11071 if ((pte & X86_PG_V) == 0)
11073 newpte = (pte & ~X86_PG_PKU_MASK) | X86_PG_PKU(keyidx);
11074 if (newpte != pte) {
11081 pmap_invalidate_range(pmap, sva, eva);
11085 pmap_pkru_check_uargs(pmap_t pmap, vm_offset_t sva, vm_offset_t eva,
11086 u_int keyidx, int flags)
11089 if (pmap->pm_type != PT_X86 || keyidx > PMAP_MAX_PKRU_IDX ||
11090 (flags & ~(AMD64_PKRU_PERSIST | AMD64_PKRU_EXCL)) != 0)
11092 if (eva <= sva || eva > VM_MAXUSER_ADDRESS)
11094 if ((cpu_stdext_feature2 & CPUID_STDEXT2_PKU) == 0)
11100 pmap_pkru_set(pmap_t pmap, vm_offset_t sva, vm_offset_t eva, u_int keyidx,
11105 sva = trunc_page(sva);
11106 eva = round_page(eva);
11107 error = pmap_pkru_check_uargs(pmap, sva, eva, keyidx, flags);
11112 error = pmap_pkru_assign(pmap, sva, eva, keyidx, flags);
11114 pmap_pkru_update_range(pmap, sva, eva, keyidx);
11116 if (error != ENOMEM)
11124 pmap_pkru_clear(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
11128 sva = trunc_page(sva);
11129 eva = round_page(eva);
11130 error = pmap_pkru_check_uargs(pmap, sva, eva, 0, 0);
11135 error = pmap_pkru_deassign(pmap, sva, eva);
11137 pmap_pkru_update_range(pmap, sva, eva, 0);
11139 if (error != ENOMEM)
11147 * Track a range of the kernel's virtual address space that is contiguous
11148 * in various mapping attributes.
11150 struct pmap_kernel_map_range {
11159 sysctl_kmaps_dump(struct sbuf *sb, struct pmap_kernel_map_range *range,
11165 if (eva <= range->sva)
11168 pat_idx = pmap_pat_index(kernel_pmap, range->attrs, true);
11169 for (i = 0; i < PAT_INDEX_SIZE; i++)
11170 if (pat_index[i] == pat_idx)
11174 case PAT_WRITE_BACK:
11177 case PAT_WRITE_THROUGH:
11180 case PAT_UNCACHEABLE:
11186 case PAT_WRITE_PROTECTED:
11189 case PAT_WRITE_COMBINING:
11193 printf("%s: unknown PAT mode %#x for range 0x%016lx-0x%016lx\n",
11194 __func__, pat_idx, range->sva, eva);
11199 sbuf_printf(sb, "0x%016lx-0x%016lx r%c%c%c%c %s %d %d %d\n",
11201 (range->attrs & X86_PG_RW) != 0 ? 'w' : '-',
11202 (range->attrs & pg_nx) != 0 ? '-' : 'x',
11203 (range->attrs & X86_PG_U) != 0 ? 'u' : 's',
11204 (range->attrs & X86_PG_G) != 0 ? 'g' : '-',
11205 mode, range->pdpes, range->pdes, range->ptes);
11207 /* Reset to sentinel value. */
11208 range->sva = la57 ? KV5ADDR(NPML5EPG - 1, NPML4EPG - 1, NPDPEPG - 1,
11209 NPDEPG - 1, NPTEPG - 1) : KV4ADDR(NPML4EPG - 1, NPDPEPG - 1,
11210 NPDEPG - 1, NPTEPG - 1);
11214 * Determine whether the attributes specified by a page table entry match those
11215 * being tracked by the current range. This is not quite as simple as a direct
11216 * flag comparison since some PAT modes have multiple representations.
11219 sysctl_kmaps_match(struct pmap_kernel_map_range *range, pt_entry_t attrs)
11221 pt_entry_t diff, mask;
11223 mask = X86_PG_G | X86_PG_RW | X86_PG_U | X86_PG_PDE_CACHE | pg_nx;
11224 diff = (range->attrs ^ attrs) & mask;
11227 if ((diff & ~X86_PG_PDE_PAT) == 0 &&
11228 pmap_pat_index(kernel_pmap, range->attrs, true) ==
11229 pmap_pat_index(kernel_pmap, attrs, true))
11235 sysctl_kmaps_reinit(struct pmap_kernel_map_range *range, vm_offset_t va,
11239 memset(range, 0, sizeof(*range));
11241 range->attrs = attrs;
11245 * Given a leaf PTE, derive the mapping's attributes. If they do not match
11246 * those of the current run, dump the address range and its attributes, and
11250 sysctl_kmaps_check(struct sbuf *sb, struct pmap_kernel_map_range *range,
11251 vm_offset_t va, pml4_entry_t pml4e, pdp_entry_t pdpe, pd_entry_t pde,
11256 attrs = pml4e & (X86_PG_RW | X86_PG_U | pg_nx);
11258 attrs |= pdpe & pg_nx;
11259 attrs &= pg_nx | (pdpe & (X86_PG_RW | X86_PG_U));
11260 if ((pdpe & PG_PS) != 0) {
11261 attrs |= pdpe & (X86_PG_G | X86_PG_PDE_CACHE);
11262 } else if (pde != 0) {
11263 attrs |= pde & pg_nx;
11264 attrs &= pg_nx | (pde & (X86_PG_RW | X86_PG_U));
11266 if ((pde & PG_PS) != 0) {
11267 attrs |= pde & (X86_PG_G | X86_PG_PDE_CACHE);
11268 } else if (pte != 0) {
11269 attrs |= pte & pg_nx;
11270 attrs &= pg_nx | (pte & (X86_PG_RW | X86_PG_U));
11271 attrs |= pte & (X86_PG_G | X86_PG_PTE_CACHE);
11273 /* Canonicalize by always using the PDE PAT bit. */
11274 if ((attrs & X86_PG_PTE_PAT) != 0)
11275 attrs ^= X86_PG_PDE_PAT | X86_PG_PTE_PAT;
11278 if (range->sva > va || !sysctl_kmaps_match(range, attrs)) {
11279 sysctl_kmaps_dump(sb, range, va);
11280 sysctl_kmaps_reinit(range, va, attrs);
11285 sysctl_kmaps(SYSCTL_HANDLER_ARGS)
11287 struct pmap_kernel_map_range range;
11288 struct sbuf sbuf, *sb;
11289 pml4_entry_t pml4e;
11290 pdp_entry_t *pdp, pdpe;
11291 pd_entry_t *pd, pde;
11292 pt_entry_t *pt, pte;
11295 int error, i, j, k, l;
11297 error = sysctl_wire_old_buffer(req, 0);
11301 sbuf_new_for_sysctl(sb, NULL, PAGE_SIZE, req);
11303 /* Sentinel value. */
11304 range.sva = la57 ? KV5ADDR(NPML5EPG - 1, NPML4EPG - 1, NPDPEPG - 1,
11305 NPDEPG - 1, NPTEPG - 1) : KV4ADDR(NPML4EPG - 1, NPDPEPG - 1,
11306 NPDEPG - 1, NPTEPG - 1);
11309 * Iterate over the kernel page tables without holding the kernel pmap
11310 * lock. Outside of the large map, kernel page table pages are never
11311 * freed, so at worst we will observe inconsistencies in the output.
11312 * Within the large map, ensure that PDP and PD page addresses are
11313 * valid before descending.
11315 for (sva = 0, i = pmap_pml4e_index(sva); i < NPML4EPG; i++) {
11318 sbuf_printf(sb, "\nRecursive map:\n");
11321 sbuf_printf(sb, "\nDirect map:\n");
11324 sbuf_printf(sb, "\nKernel map:\n");
11327 sbuf_printf(sb, "\nLarge map:\n");
11331 /* Convert to canonical form. */
11332 if (sva == 1ul << 47)
11336 pml4e = kernel_pml4[i];
11337 if ((pml4e & X86_PG_V) == 0) {
11338 sva = rounddown2(sva, NBPML4);
11339 sysctl_kmaps_dump(sb, &range, sva);
11343 pa = pml4e & PG_FRAME;
11344 pdp = (pdp_entry_t *)PHYS_TO_DMAP(pa);
11346 for (j = pmap_pdpe_index(sva); j < NPDPEPG; j++) {
11348 if ((pdpe & X86_PG_V) == 0) {
11349 sva = rounddown2(sva, NBPDP);
11350 sysctl_kmaps_dump(sb, &range, sva);
11354 pa = pdpe & PG_FRAME;
11355 if ((pdpe & PG_PS) != 0) {
11356 sva = rounddown2(sva, NBPDP);
11357 sysctl_kmaps_check(sb, &range, sva, pml4e, pdpe,
11363 if (PMAP_ADDRESS_IN_LARGEMAP(sva) &&
11364 vm_phys_paddr_to_vm_page(pa) == NULL) {
11366 * Page table pages for the large map may be
11367 * freed. Validate the next-level address
11368 * before descending.
11372 pd = (pd_entry_t *)PHYS_TO_DMAP(pa);
11374 for (k = pmap_pde_index(sva); k < NPDEPG; k++) {
11376 if ((pde & X86_PG_V) == 0) {
11377 sva = rounddown2(sva, NBPDR);
11378 sysctl_kmaps_dump(sb, &range, sva);
11382 pa = pde & PG_FRAME;
11383 if ((pde & PG_PS) != 0) {
11384 sva = rounddown2(sva, NBPDR);
11385 sysctl_kmaps_check(sb, &range, sva,
11386 pml4e, pdpe, pde, 0);
11391 if (PMAP_ADDRESS_IN_LARGEMAP(sva) &&
11392 vm_phys_paddr_to_vm_page(pa) == NULL) {
11394 * Page table pages for the large map
11395 * may be freed. Validate the
11396 * next-level address before descending.
11400 pt = (pt_entry_t *)PHYS_TO_DMAP(pa);
11402 for (l = pmap_pte_index(sva); l < NPTEPG; l++,
11403 sva += PAGE_SIZE) {
11405 if ((pte & X86_PG_V) == 0) {
11406 sysctl_kmaps_dump(sb, &range,
11410 sysctl_kmaps_check(sb, &range, sva,
11411 pml4e, pdpe, pde, pte);
11418 error = sbuf_finish(sb);
11422 SYSCTL_OID(_vm_pmap, OID_AUTO, kernel_maps,
11423 CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE | CTLFLAG_SKIP,
11424 NULL, 0, sysctl_kmaps, "A",
11425 "Dump kernel address layout");
11428 DB_SHOW_COMMAND(pte, pmap_print_pte)
11431 pml5_entry_t *pml5;
11432 pml4_entry_t *pml4;
11435 pt_entry_t *pte, PG_V;
11439 db_printf("show pte addr\n");
11442 va = (vm_offset_t)addr;
11444 if (kdb_thread != NULL)
11445 pmap = vmspace_pmap(kdb_thread->td_proc->p_vmspace);
11447 pmap = PCPU_GET(curpmap);
11449 PG_V = pmap_valid_bit(pmap);
11450 db_printf("VA 0x%016lx", va);
11452 if (pmap_is_la57(pmap)) {
11453 pml5 = pmap_pml5e(pmap, va);
11454 db_printf(" pml5e 0x%016lx", *pml5);
11455 if ((*pml5 & PG_V) == 0) {
11459 pml4 = pmap_pml5e_to_pml4e(pml5, va);
11461 pml4 = pmap_pml4e(pmap, va);
11463 db_printf(" pml4e 0x%016lx", *pml4);
11464 if ((*pml4 & PG_V) == 0) {
11468 pdp = pmap_pml4e_to_pdpe(pml4, va);
11469 db_printf(" pdpe 0x%016lx", *pdp);
11470 if ((*pdp & PG_V) == 0 || (*pdp & PG_PS) != 0) {
11474 pde = pmap_pdpe_to_pde(pdp, va);
11475 db_printf(" pde 0x%016lx", *pde);
11476 if ((*pde & PG_V) == 0 || (*pde & PG_PS) != 0) {
11480 pte = pmap_pde_to_pte(pde, va);
11481 db_printf(" pte 0x%016lx\n", *pte);
11484 DB_SHOW_COMMAND(phys2dmap, pmap_phys2dmap)
11489 a = (vm_paddr_t)addr;
11490 db_printf("0x%jx\n", (uintmax_t)PHYS_TO_DMAP(a));
11492 db_printf("show phys2dmap addr\n");
11497 ptpages_show_page(int level, int idx, vm_page_t pg)
11499 db_printf("l %d i %d pg %p phys %#lx ref %x\n",
11500 level, idx, pg, VM_PAGE_TO_PHYS(pg), pg->ref_count);
11504 ptpages_show_complain(int level, int idx, uint64_t pte)
11506 db_printf("l %d i %d pte %#lx\n", level, idx, pte);
11510 ptpages_show_pml4(vm_page_t pg4, int num_entries, uint64_t PG_V)
11512 vm_page_t pg3, pg2, pg1;
11513 pml4_entry_t *pml4;
11518 pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pg4));
11519 for (i4 = 0; i4 < num_entries; i4++) {
11520 if ((pml4[i4] & PG_V) == 0)
11522 pg3 = PHYS_TO_VM_PAGE(pml4[i4] & PG_FRAME);
11524 ptpages_show_complain(3, i4, pml4[i4]);
11527 ptpages_show_page(3, i4, pg3);
11528 pdp = (pdp_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pg3));
11529 for (i3 = 0; i3 < NPDPEPG; i3++) {
11530 if ((pdp[i3] & PG_V) == 0)
11532 pg2 = PHYS_TO_VM_PAGE(pdp[i3] & PG_FRAME);
11534 ptpages_show_complain(2, i3, pdp[i3]);
11537 ptpages_show_page(2, i3, pg2);
11538 pd = (pd_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pg2));
11539 for (i2 = 0; i2 < NPDEPG; i2++) {
11540 if ((pd[i2] & PG_V) == 0)
11542 pg1 = PHYS_TO_VM_PAGE(pd[i2] & PG_FRAME);
11544 ptpages_show_complain(1, i2, pd[i2]);
11547 ptpages_show_page(1, i2, pg1);
11553 DB_SHOW_COMMAND(ptpages, pmap_ptpages)
11557 pml5_entry_t *pml5;
11562 pmap = (pmap_t)addr;
11564 pmap = PCPU_GET(curpmap);
11566 PG_V = pmap_valid_bit(pmap);
11568 if (pmap_is_la57(pmap)) {
11569 pml5 = pmap->pm_pmltop;
11570 for (i5 = 0; i5 < NUPML5E; i5++) {
11571 if ((pml5[i5] & PG_V) == 0)
11573 pg = PHYS_TO_VM_PAGE(pml5[i5] & PG_FRAME);
11575 ptpages_show_complain(4, i5, pml5[i5]);
11578 ptpages_show_page(4, i5, pg);
11579 ptpages_show_pml4(pg, NPML4EPG, PG_V);
11582 ptpages_show_pml4(PHYS_TO_VM_PAGE(DMAP_TO_PHYS(
11583 (vm_offset_t)pmap->pm_pmltop)), NUP4ML4E, PG_V);
projects / FreeBSD / FreeBSD.git / blob