From nobody Thu Apr  9 07:15:58 2026
Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com
 [209.85.128.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3D8FA3BC674
	for <linux-kernel@vger.kernel.org>; Tue, 10 Mar 2026 12:49:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.74
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1773146995; cv=none;
 b=kVeT5D5GTHgng8Bje2P7OwAE03PhloN/HoDe5J0+t8Pu+IfXDlm2CecZBjywFwcfSzWftmlk58HDgvHeuiRKYDkGJwWPMmU3Ca35z467niSdw6LlPeRGRXfSBtP/rmMVTyT2L7WxUNt/tl0UnisUNXuNBtg4TuzlLuOB2pgJ5b8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1773146995; c=relaxed/simple;
	bh=4hJY1N4A2wDueWDi3/QPvsP5ocJDuxsbkmdbVMi1coQ=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=H5rSiCe6PaVV02hgV1lUSkZRqZeEC56Ud2YXn4+BZUX6rR85kLb/o1uovy6UALQ3qbvvNK56ACD9j9MKDr52gINRPs5nRL5v+CEnipoOV7Hzlux0dLyyz7j8vDJ1cw6eD9urFUr7GrzpgPPx0Nnaqo52z4QIqSpP6531jU8aeyQ=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=z8ZxjA1o; arc=none smtp.client-ip=209.85.128.74
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="z8ZxjA1o"
Received: by mail-wm1-f74.google.com with SMTP id
 5b1f17b1804b1-483786a09b1so16872215e9.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 10 Mar 2026 05:49:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1773146992; x=1773751792;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=5FSgXLogofjILU2kyW220LfxF0CifNUwYoLSBdGFOwA=;
        b=z8ZxjA1oFoApx1t9kuic5Jk/QT09CLTUBqD8eu+VSWuJFsE2LcNbhBcurcKcyIhyDw
         aaI/5e32drvrs/mDukmDTq9NxN4izHfxqm05ANYBaHsQYaaMFYe6OVvpbmOX/KhS+JSA
         +1qT5VfiwALLU2Wdg9W2M/AAqG1sAieUq8S1f/Jnqep25gGi54FyOgdBZlD8/j3lMJAu
         dAN5KG5Jp8XfG0bvrQlLp7Rj3bHfvPJ55lZFbuVV9oAEI1woBrnb6vS97QxD2fMS7AlM
         ZGTb2AQbxnSRBmTXWc/q8fjci/1/e9K4TN2s4TXp1KsRB82b3tAWL1PaWFK+hwSwVX12
         rSlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1773146992; x=1773751792;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=5FSgXLogofjILU2kyW220LfxF0CifNUwYoLSBdGFOwA=;
        b=WMKJ16Bq4+CUyO5MXFTz3vtAEoZwcBGoryLzMIY8oCZy5rpg/xV5gsHC3LYKFBJYgI
         RBUpY5UAsUT1FjlK71CcnPobsxsC31Kz8aA068201RiBgsCK6Tgo/NRxlmr6utthPW1x
         JQ5gToyPSJSc6Xtss1PO2BPzAO1Hwu/KlLQTSdQ87Gv/7MXninlayJF9jHgmcV5AJY12
         rzKYqpKg0YOQ8s6jkiS+DvZLQt/DbefzCjPw29yAUrkNbFd5vDCr4/N4E7ddOpFPCiaN
         oDqDXGkLY1Pc5r+g1zRuVvud0OPTYc3rlSWjeCqQSjaHQuoSvqDDU9IsNSevWNXPn0of
         Aw9g==
X-Forwarded-Encrypted: i=1;
 AJvYcCUA1yXsERCk+0A3vGTPmv9zQFe1/uiWb3fACpoJYmMUWImj+FIxx1Ui1f/cSPryQn8MfCGaF+TgpnEbKus=@vger.kernel.org
X-Gm-Message-State: AOJu0YyFIA0GBztaLkOlOPiAaRgR4+rnpkc9hMi3dsXp5WM/BezsJj0K
	YwHD16Xd8ydhaVSYNHQNOnr7Fc00kC8/Wmx7k5EYHL8H1eDgQdeaibgdtzF3t9CHD3lByelOVx5
	rcg7UP1o36TISqwOygXgT97bAOH6BZQ==
X-Received: from wmk23.prod.google.com ([2002:a05:600c:297:b0:485:3c21:d5f0])
 (user=sebastianene job=prod-delivery.src-stubby-dispatcher) by
 2002:a05:600c:4fc4:b0:485:40c6:f51a with SMTP id
 5b1f17b1804b1-48540c6f65bmr68470135e9.31.1773146991570;
 Tue, 10 Mar 2026 05:49:51 -0700 (PDT)
Date: Tue, 10 Mar 2026 12:49:27 +0000
In-Reply-To: <20260310124933.830025-1-sebastianene@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260310124933.830025-1-sebastianene@google.com>
X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog
Message-ID: <20260310124933.830025-9-sebastianene@google.com>
Subject: [PATCH 08/14] KVM: arm64: Trap & emulate the ITS MAPD command
From: Sebastian Ene <sebastianene@google.com>
To: alexandru.elisei@arm.com, kvmarm@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
	android-kvm@google.com
Cc: catalin.marinas@arm.com, dbrazdil@google.com, joey.gouly@arm.com,
	kees@kernel.org, mark.rutland@arm.com, maz@kernel.org, oupton@kernel.org,
	perlarsen@google.com, qperret@google.com, rananta@google.com,
	sebastianene@google.com, smostafa@google.com, suzuki.poulose@arm.com,
	tabba@google.com, tglx@kernel.org, vdonnefort@google.com,
 bgrzesik@google.com,
	will@kernel.org, yuzenghui@huawei.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Parse the MAPD command and extract the ITT address to
sanitize it. When the command has the valid bit set,
share the memory that holds the ITT table
with the hypervisor to prevent it from being used
by someone else and track the pages in an array.
When the valid bit is cleared, check if the pages
are tracked and then remove the sharing with the
hypervisor.
Check if we need to do any shadow table updates
in case the device table is configured with an
indirect layout.

Signed-off-by: Sebastian Ene <sebastianene@google.com>
---
 arch/arm64/kvm/hyp/nvhe/its_emulate.c | 182 ++++++++++++++++++++++++++
 drivers/irqchip/irq-gic-v3-its.c      |  12 --
 include/linux/irqchip/arm-gic-v3.h    |  12 ++
 3 files changed, 194 insertions(+), 12 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/its_emulate.c b/arch/arm64/kvm/hyp/nvh=
e/its_emulate.c
index 865a5d6353ed..722fe80dc2e5 100644
--- a/arch/arm64/kvm/hyp/nvhe/its_emulate.c
+++ b/arch/arm64/kvm/hyp/nvhe/its_emulate.c
@@ -12,8 +12,13 @@ struct its_priv_state {
 	void *cmd_host_cwriter;
 	struct its_shadow_tables *shadow;
 	hyp_spinlock_t its_lock;
+	u16 empty_idx;
+	u64 tracked_pfns[];
 };
=20
+#define MAX_TRACKED_PFNS	((PAGE_SIZE - offsetof(struct its_priv_state, \
+				  tracked_pfns)) / sizeof(u64))
+
 struct its_handler {
 	u64 offset;
 	u8 access_size;
@@ -23,6 +28,178 @@ struct its_handler {
=20
 DEFINE_HYP_SPINLOCK(its_setup_lock);
=20
+static int track_pfn_add(struct its_priv_state *its, u64 pfn)
+{
+	int ret, i;
+
+	if (its->empty_idx + 1 >=3D MAX_TRACKED_PFNS)
+		return -ENOSPC;
+
+	ret =3D __pkvm_host_share_hyp(pfn);
+	if (ret)
+		return ret;
+
+	its->tracked_pfns[its->empty_idx] =3D pfn;
+	for (i =3D 0; i < MAX_TRACKED_PFNS; i++) {
+		if (!its->tracked_pfns[i])
+			break;
+	}
+
+	its->empty_idx =3D i;
+	return 0;
+}
+
+static int track_pfn_remove(struct its_priv_state *its, u64 pfn)
+{
+	int i, ret;
+
+	for (i =3D 0; i < MAX_TRACKED_PFNS; i++) {
+		if (its->tracked_pfns[i] !=3D pfn)
+			continue;
+
+		ret =3D __pkvm_host_unshare_hyp(pfn);
+		if (ret)
+			return ret;
+
+		its->tracked_pfns[i] =3D 0;
+		its->empty_idx =3D i;
+	}
+
+	return 0;
+}
+
+static int get_num_itt_pages(struct its_priv_state *its, u8 num_bits)
+{
+	int nr_ites =3D 1 << (num_bits + 1);
+	u64 size, gits_typer =3D readq_relaxed(its->base + GITS_TYPER);
+
+	size =3D nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, gits_typer) + 1);
+	size =3D max(size, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
+
+	return PAGE_ALIGN(size) >> PAGE_SHIFT;
+}
+
+static int track_pfn(struct its_priv_state *its, u64 start_pfn, int num_pa=
ges, bool remove)
+{
+	int i, ret;
+
+	for (i =3D 0; i < num_pages; i++) {
+		if (remove)
+			ret =3D track_pfn_remove(its, start_pfn + i);
+		else
+			ret =3D track_pfn_add(its, start_pfn + i);
+
+		if (ret)
+			goto err_track;
+	}
+
+	return 0;
+err_track:
+	for (i =3D i - 1; i >=3D 0; i--) {
+		if (remove)
+			track_pfn_add(its, start_pfn + i);
+		else
+			track_pfn_remove(its, start_pfn + i);
+	}
+
+	return ret;
+}
+
+static struct its_baser *get_table(struct its_priv_state *its, u64 type)
+{
+	int i;
+	struct its_shadow_tables *shadow =3D its->shadow;
+
+	for (i =3D 0; i < GITS_BASER_NR_REGS; i++) {
+		if (GITS_BASER_TYPE(shadow->tables[i].val) =3D=3D type)
+			return &shadow->tables[i];
+	}
+
+	return NULL;
+}
+
+static int check_table_update(struct its_priv_state *its, u32 id, u64 type)
+{
+	u32 lvl1_idx;
+	u64 esz, *host_table, *hyp_table, new_entry, update;
+	struct its_baser *table =3D get_table(its, type);
+	int ret;
+	phys_addr_t new_lvl2_table, lvl2_table;
+
+	if (!table)
+		return -EINVAL;
+
+	if (!(table->val & GITS_BASER_INDIRECT))
+		return 0;
+
+	esz =3D GITS_BASER_ENTRY_SIZE(table->val);
+	lvl1_idx =3D id / (table->psz / esz);
+
+	host_table =3D kern_hyp_va(table->shadow);
+	hyp_table =3D kern_hyp_va(table->base);
+
+	new_entry =3D host_table[id];
+	update =3D new_entry ^ hyp_table[id];
+	if (!update || !(update & GITS_BASER_VALID))
+		return 0;
+
+	new_lvl2_table =3D hyp_phys_to_pfn(new_entry & PHYS_MASK_SHIFT);
+	lvl2_table =3D hyp_phys_to_pfn(hyp_table[id] & PHYS_MASK_SHIFT);
+	if (new_entry & GITS_BASER_VALID)
+		ret =3D __pkvm_host_donate_hyp(new_lvl2_table, table->psz >> PAGE_SHIFT);
+	else
+		ret =3D __pkvm_hyp_donate_host(lvl2_table, table->psz >> PAGE_SHIFT);
+	if (ret)
+		return ret;
+
+	hyp_table[id] =3D new_entry;
+	return 0;
+}
+
+static int process_its_mapd(struct its_priv_state *its, struct its_cmd_blo=
ck *cmd)
+{
+	phys_addr_t itt_addr =3D cmd->raw_cmd[2] & GENMASK(51, 8);
+	u8 size =3D cmd->raw_cmd[1] & GENMASK(4, 0);
+	bool remove =3D !(cmd->raw_cmd[2] & BIT(63));
+	u32 device_id =3D cmd->raw_cmd[0] >> 32;
+	int num_pages, ret;
+	u64 base_pfn;
+
+	if (PAGE_ALIGNED(itt_addr))
+		return -EINVAL;
+
+	base_pfn =3D hyp_phys_to_pfn(itt_addr);
+	num_pages =3D get_num_itt_pages(its, size);
+
+	ret =3D check_table_update(its, device_id, GITS_BASER_TYPE_DEVICE);
+	if (ret)
+		return ret;
+
+	return track_pfn(its, base_pfn, num_pages, remove);
+}
+
+static int parse_its_cmdq(struct its_priv_state *its, int offset, ssize_t =
len)
+{
+	struct its_cmd_block *cmd =3D its->cmd_hyp_base + offset;
+	u8 req_type;
+	int ret =3D 0;
+
+	while (len > 0 && !ret) {
+		req_type =3D cmd->raw_cmd[0] & GENMASK(7, 0);
+
+		switch (req_type) {
+		case GITS_CMD_MAPD:
+			ret =3D process_its_mapd(its, cmd);
+			break;
+		}
+
+		cmd++;
+		len -=3D sizeof(struct its_cmd_block);
+	}
+
+	return ret;
+}
+
 static void cwriter_write(struct its_priv_state *its, u64 offset, u64 valu=
e)
 {
 	u64 cwriter_offset =3D value & GENMASK(19, 5);
@@ -41,11 +218,15 @@ static void cwriter_write(struct its_priv_state *its, =
u64 offset, u64 value)
 		return;
=20
 	memcpy(its->cmd_hyp_base + cmd_offset, its->cmd_host_cwriter, cmd_len);
+	if (parse_its_cmdq(its, cmd_offset, cmd_len))
+		return;
=20
 	its->cmd_host_cwriter =3D its->cmd_host_base +
 		(cmd_offset + cmd_len) % cmdq_sz;
 	if (its->cmd_host_cwriter =3D=3D its->cmd_host_base) {
 		memcpy(its->cmd_hyp_base, its->cmd_host_base, cwriter_offset);
+		if (parse_its_cmdq(its, cmd_offset, cmd_len))
+			return;
=20
 		its->cmd_host_cwriter =3D its->cmd_host_base + cwriter_offset;
 	}
@@ -357,6 +538,7 @@ int pkvm_init_gic_its_emulation(phys_addr_t dev_addr, v=
oid *host_priv_state,
 	priv_state->cmd_hyp_base =3D kern_hyp_va(shadow->cmd_original);
 	priv_state->cmd_host_base =3D kern_hyp_va(shadow->cmd_shadow);
 	priv_state->cmd_host_cwriter =3D priv_state->cmd_host_base;
+	priv_state->empty_idx =3D 0;
=20
 	hyp_spin_unlock(&its_setup_lock);
=20
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-=
its.c
index 278dbc56f962..be78f7dccb9f 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -121,8 +121,6 @@ static DEFINE_PER_CPU(struct its_node *, local_4_1_its);
 #define is_v4_1(its)		(!!((its)->typer & GITS_TYPER_VMAPP))
 #define device_ids(its)		(FIELD_GET(GITS_TYPER_DEVBITS, (its)->typer) + 1)
=20
-#define ITS_ITT_ALIGN		SZ_256
-
 /* The maximum number of VPEID bits supported by VLPI commands */
 #define ITS_MAX_VPEID_BITS						\
 	({								\
@@ -515,16 +513,6 @@ struct its_cmd_desc {
 	};
 };
=20
-/*
- * The ITS command block, which is what the ITS actually parses.
- */
-struct its_cmd_block {
-	union {
-		u64	raw_cmd[4];
-		__le64	raw_cmd_le[4];
-	};
-};
-
 #define ITS_CMD_QUEUE_SZ		SZ_64K
 #define ITS_CMD_QUEUE_NR_ENTRIES	(ITS_CMD_QUEUE_SZ / sizeof(struct its_cmd=
_block))
=20
diff --git a/include/linux/irqchip/arm-gic-v3.h b/include/linux/irqchip/arm=
-gic-v3.h
index 40457a4375d4..4f7d47f3d970 100644
--- a/include/linux/irqchip/arm-gic-v3.h
+++ b/include/linux/irqchip/arm-gic-v3.h
@@ -612,6 +612,8 @@
  */
 #define GIC_IRQ_TYPE_LPI		0xa110c8ed
=20
+#define ITS_ITT_ALIGN			SZ_256
+
 struct rdists {
 	struct {
 		raw_spinlock_t	rd_lock;
@@ -634,6 +636,16 @@ struct rdists {
 	bool			has_vpend_valid_dirty;
 };
=20
+/*
+ * The ITS command block, which is what the ITS actually parses.
+ */
+struct its_cmd_block {
+	union {
+		u64	raw_cmd[4];
+		__le64	raw_cmd_le[4];
+	};
+};
+
 struct irq_domain;
 struct fwnode_handle;
 int __init its_lpi_memreserve_init(void);
--=20
2.53.0.473.g4a7958ca14-goog