From b8e5a31ef46b671ffe77d7b7121b777373818411 Mon Sep 17 00:00:00 2001
From: Dongli Zhang <[email protected]>
Date: Mon, 15 Mar 2021 09:19:57 -0700
Subject: [PATCH 1/1] kvm for 4.18.12
Signed-off-by: Dongli Zhang <[email protected]>
---
arch/x86/include/asm/kvm_host.h | 490 ++++
arch/x86/include/asm/smp.h | 3 +
arch/x86/kernel/apic/apic.c | 7 +
arch/x86/kernel/kvm.c | 4 +
arch/x86/kernel/kvmclock.c | 77 +
arch/x86/kernel/smpboot.c | 18 +
arch/x86/kernel/tsc_sync.c | 8 +
arch/x86/kvm/i8254.c | 10 +
arch/x86/kvm/kvm_cache_regs.h | 5 +
arch/x86/kvm/lapic.c | 38 +
arch/x86/kvm/mmu.c | 3932 ++++++++++++++++++++++++++++++-
arch/x86/kvm/mmu.h | 60 +
arch/x86/kvm/mtrr.c | 23 +
arch/x86/kvm/page_track.c | 150 ++
arch/x86/kvm/paging_tmpl.h | 3 +
arch/x86/kvm/pmu_intel.c | 39 +
arch/x86/kvm/vmx.c | 562 +++++
arch/x86/kvm/x86.c | 186 ++
arch/x86/kvm/x86.h | 5 +
include/linux/cpumask.h | 36 +
include/linux/kvm_host.h | 80 +
kernel/cpu.c | 77 +
kernel/smp.c | 11 +
mm/memory.c | 4 +
mm/mmu_notifier.c | 11 +
mm/slab.c | 4 +
mm/vmscan.c | 41 +
virt/kvm/eventfd.c | 4 +
virt/kvm/irqchip.c | 4 +
virt/kvm/kvm_main.c | 411 +++-
virt/kvm/vfio.c | 27 +
31 files changed, 6326 insertions(+), 4 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 0722b774..eddaf82a 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -102,12 +102,45 @@
/* KVM Hugepage definitions for x86 */
#define KVM_NR_PAGE_SIZES 3
+/*
+ * x = 1: KVM_HPAGE_GFN_SHIFT(1) = 0 4K (no hugepage)
+ * x = 2: KVM_HPAGE_GFN_SHIFT(2) = 9 2M
+ * x = 3: KVM_HPAGE_GFN_SHIFT(3) = 18 1G
+ */
#define KVM_HPAGE_GFN_SHIFT(x) (((x) - 1) * 9)
+/*
+ * KVM_HPAGE_SHIFT(1) = 12 + 0 = 12
+ * KVM_HPAGE_SHIFT(2) = 12 + 9 = 21
+ * KVM_HPAGE_SHIFT(3) = 12 + 18 = 30
+ */
#define KVM_HPAGE_SHIFT(x) (PAGE_SHIFT + KVM_HPAGE_GFN_SHIFT(x))
+/*
+ * KVM_HPAGE_SIZE(1) = 1 << 12 = 4K
+ * KVM_HPAGE_SIZE(2) = 1 << 21 = 2M
+ * KVM_HPAGE_SIZE(3) = 1 << 30 = 1G
+ */
#define KVM_HPAGE_SIZE(x) (1UL << KVM_HPAGE_SHIFT(x))
+/*
+ * KVM_HPAGE_MASK(1) : masks off the offset within a 4K page
+ * KVM_HPAGE_MASK(2) : masks off the offset within a 2M page
+ * KVM_HPAGE_MASK(3) : masks off the offset within a 1G page
+ */
#define KVM_HPAGE_MASK(x) (~(KVM_HPAGE_SIZE(x) - 1))
+/*
+ * KVM_PAGES_PER_HPAGE(1) : how many 4K pages fit in 4K
+ * KVM_PAGES_PER_HPAGE(2) : how many 4K pages fit in 2M
+ * KVM_PAGES_PER_HPAGE(3) : how many 4K pages fit in 1G
+ */
#define KVM_PAGES_PER_HPAGE(x) (KVM_HPAGE_SIZE(x) / PAGE_SIZE)
+/*
+ * base_gfn is the starting gfn (in 4K units)
+ * gfn is the ending gfn (in 4K units)
+ * Computes how many hugepages (or normal pages) it takes to get from the start
+ * to the end, i.e. the index of gfn's page relative to base_gfn
+ * At level 1 the hugepage size is 4K
+ * At level 2 the hugepage size is 2M
+ * At level 3 the hugepage size is 1G
+ */
static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
{
/* KVM_HPAGE_GFN_SHIFT(PT_PAGE_TABLE_LEVEL) must be 0. */
@@ -115,6 +148,10 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
(base_gfn >> KVM_HPAGE_GFN_SHIFT(level));
}
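+/*
+ * Worked example (annotation only, not part of the patch): for a memslot with
+ * base_gfn 0x400 (guest physical 4M), looking up gfn 0x7ff at level 2 (2M)
+ * gives gfn_to_index() = (0x7ff >> 9) - (0x400 >> 9) = 3 - 2 = 1, i.e. the
+ * second 2M-granular rmap/lpage_info entry of that slot.
+ */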
+/*
+ * KVM_PERMILLE_MMU_PAGES is used only in:
+ * - arch/x86/kvm/mmu.c|8396| <<kvm_mmu_calculate_mmu_pages>> nr_mmu_pages = nr_pages * KVM_PERMILLE_MMU_PAGES / 1000;
+ */
#define KVM_PERMILLE_MMU_PAGES 20
#define KVM_MIN_ALLOC_MMU_PAGES 64
#define KVM_MMU_HASH_SHIFT 12
@@ -196,9 +233,21 @@ enum {
#define PFERR_GUEST_FINAL_BIT 32
#define PFERR_GUEST_PAGE_BIT 33
+/*
+ * PFERR_PRESENT_MASK is set in:
+ * - arch/x86/kvm/mmu.h|223| <<permission_fault>> u32 errcode = PFERR_PRESENT_MASK;
+ * - arch/x86/kvm/paging_tmpl.h|386| <<FNAME(walk_addr_generic)>> errcode = PFERR_RSVD_MASK | PFERR_PRESENT_MASK;
+ * - arch/x86/kvm/vmx.c|7816| <<handle_ept_violation>> ? PFERR_PRESENT_MASK : 0;
+ */
#define PFERR_PRESENT_MASK (1U << PFERR_PRESENT_BIT)
#define PFERR_WRITE_MASK (1U << PFERR_WRITE_BIT)
#define PFERR_USER_MASK (1U << PFERR_USER_BIT)
+/*
+ * PFERR_RSVD_MASK is set in:
+ * - arch/x86/kvm/paging_tmpl.h|386| <<FNAME(walk_addr_generic)>> errcode = PFERR_RSVD_MASK | PFERR_PRESENT_MASK;
+ * - arch/x86/kvm/paging_tmpl.h|757| <<FNAME(page_fault)>> error_code &= ~PFERR_RSVD_MASK;
+ * - arch/x86/kvm/vmx.c|7878| <<handle_ept_misconfig>> return kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0);
+ */
#define PFERR_RSVD_MASK (1U << PFERR_RSVD_BIT)
#define PFERR_FETCH_MASK (1U << PFERR_FETCH_BIT)
#define PFERR_PK_MASK (1U << PFERR_PK_BIT)
@@ -248,9 +297,56 @@ struct kvm_mmu_memory_cache {
union kvm_mmu_page_role {
unsigned word;
struct {
+ /*
+ * The level in the shadow paging hierarchy that this shadow page belongs to.
+ * 1=4k sptes, 2=2M sptes, 3=1G sptes, etc.
+ *
+ */
+ /*
+ * Used in:
+ * - arch/x86/kvm/mmu.c|2003| <<kvm_mmu_page_get_gfn>> return sp->gfn + (index << ((sp->role.level - 1) * PT64_LEVEL_BITS));
+ * - arch/x86/kvm/mmu.c|2124| <<account_shadowed>> if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|2147| <<unaccount_shadowed>> if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|2555| <<gfn_to_rmap>> return __gfn_to_rmap(gfn, sp->role.level, slot);
+ * - arch/x86/kvm/mmu.c|2794| <<__drop_large_spte>> WARN_ON(page_header(__pa(sptep))->role.level ==
+ * - arch/x86/kvm/mmu.c|3479| <<rmap_recycle>> kvm_unmap_rmapp(vcpu->kvm, rmap_head, NULL, gfn, sp->role.level, 0);
+ * - arch/x86/kvm/mmu.c|3992| <<kvm_sync_pages>> WARN_ON(s->role.level != PT_PAGE_TABLE_LEVEL);
+ * - arch/x86/kvm/mmu.c|4024| <<mmu_pages_next>> int level = sp->role.level;
+ * - arch/x86/kvm/mmu.c|4053| <<mmu_pages_first>> level = sp->role.level;
+ * - arch/x86/kvm/mmu.c|4462| <<mmu_page_zap_pte>> if (is_last_spte(pte, sp->role.level)) {
+ * - arch/x86/kvm/mmu.c|4558| <<mmu_zap_unsync_children>> if (parent->role.level == PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|4789| <<mmu_need_write_protect>> WARN_ON(sp->role.level != PT_PAGE_TABLE_LEVEL);
+ * - arch/x86/kvm/mmu.c|5013| <<direct_pte_prefetch_many>> mmu_set_spte(vcpu, start, access, 0, sp->role.level, gfn,
+ * - arch/x86/kvm/mmu.c|5056| <<direct_pte_prefetch>> if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|5371| <<fast_page_fault>> if (!is_last_spte(spte, sp->role.level))
+ * - arch/x86/kvm/mmu.c|5418| <<fast_page_fault>> if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|7045| <<mmu_pte_write_new_pte>> if (sp->role.level != PT_PAGE_TABLE_LEVEL) {
+ * - arch/x86/kvm/mmu.c|7113| <<detect_write_flooding>> if (sp->role.level == PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/mmu.c|7155| <<get_written_sptes>> level = sp->role.level;
+ * - arch/x86/kvm/mmu_audit.c|153| <<inspect_spte_has_rmap>> rmap_head = __gfn_to_rmap(gfn, rev_sp->role.level, slot);
+ * - arch/x86/kvm/mmu_audit.c|182| <<check_mappings_rmap>> if (sp->role.level != PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/paging_tmpl.h|569| <<FNAME(pte_prefetch)>> if (sp->role.level > PT_PAGE_TABLE_LEVEL)
+ * - arch/x86/kvm/paging_tmpl.h|851| <<FNAME(get_level1_sp_gpa)>> WARN_ON(sp->role.level != PT_PAGE_TABLE_LEVEL);
+ *
+ * Modified in only one place:
+ * - arch/x86/kvm/mmu.c|4160| <<kvm_mmu_get_page>> role.level = level;
+ */
unsigned level:4;
unsigned cr4_pae:1;
unsigned quadrant:2;
+ /*
+ * If set, leaf sptes reachable from this page are for a linear range.
+ * Examples include real mode translation, large guest pages backed by small
+ * host pages, and gpa->hpa translations when NPT or EPT is active.
+ * The linear range starts at (gfn << PAGE_SHIFT) and its size is determined
+ * by role.level (2MB for first level, 1GB for second level, 0.5TB for third
+ * level, 256TB for fourth level)
+ * If clear, this page corresponds to a guest page table denoted by the gfn
+ * field.
+ *
+ * Modified in:
+ * - arch/x86/kvm/mmu.c|2588| <<kvm_mmu_get_page>> role.direct = direct;
+ */
unsigned direct:1;
unsigned access:3;
unsigned invalid:1;
@@ -258,6 +354,11 @@ union kvm_mmu_page_role {
unsigned cr0_wp:1;
unsigned smep_andnot_wp:1;
unsigned smap_andnot_wp:1;
+ /*
+ * Is 1 if the MMU instance cannot use A/D bits. EPT did not have A/D
+ * bits before Haswell; shadow EPT page tables also cannot use A/D bits
+ * if the L1 hypervisor does not enable them.
+ */
unsigned ad_disabled:1;
unsigned guest_mode:1;
unsigned :6;
@@ -273,10 +374,20 @@ union kvm_mmu_page_role {
};
struct kvm_rmap_head {
+ /*
+ * Note on the encoding:
+ *
+ * If the bit zero of rmap_head->val is clear, then it points to the only spte
+ * in this rmap chain. Otherwise, (rmap_head->val & ~1) points to a struct
+ * pte_list_desc containing more mappings.
+ */
unsigned long val;
};
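+/*
+ * Illustrative sketch (annotation only, not part of the patch): decoding
+ * rmap_head->val per the encoding described above; the real iteration lives in
+ * rmap_get_first()/rmap_get_next() in arch/x86/kvm/mmu.c:
+ *
+ *	if (!rmap_head->val)
+ *		;						// empty chain
+ *	else if (!(rmap_head->val & 1))
+ *		sptep = (u64 *)rmap_head->val;			// exactly one spte
+ *	else
+ *		desc = (struct pte_list_desc *)(rmap_head->val & ~1ul);	// several sptes
+ */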
struct kvm_mmu_page {
+ /*
+ * Added to vcpu->kvm->arch.active_mmu_pages in kvm_mmu_alloc_page()
+ */
struct list_head link;
struct hlist_node hash_link;
@@ -287,17 +398,88 @@ struct kvm_mmu_page {
gfn_t gfn;
union kvm_mmu_page_role role;
+ /* The actual 4K page holding the page table, allocated in kvm_mmu_alloc_page() */
u64 *spt;
/* hold the gfn of each spte inside spt */
+ /* Apparently not used for TDP; only shadow paging uses it */
gfn_t *gfns;
+ /*
+ * kvm_mmu_page->unsync is modified in:
+ * - arch/x86/kvm/mmu.c|3036| <<kvm_unsync_page>> sp->unsync = 1;
+ * - arch/x86/kvm/mmu.c|2303| <<kvm_unlink_unsync_page>> sp->unsync = 0;
+ *
+ * Used for last-level page-table pages: indicates whether this page's ptes are
+ * in sync with the guest (i.e. whether the guest has already flushed its TLB).
+ *
+ * See the comment in mmu_need_write_protect(); apparently only shadow page tables set this.
+ */
bool unsync;
+ /*
+ * Set or modified in:
+ * - arch/x86/kvm/mmu.c|3656| <<mmu_free_root_page>> --sp->root_count;
+ * - arch/x86/kvm/mmu.c|3721| <<mmu_alloc_direct_roots>> ++sp->root_count;
+ * - arch/x86/kvm/mmu.c|3737| <<mmu_alloc_direct_roots>> ++sp->root_count;
+ * - arch/x86/kvm/mmu.c|3781| <<mmu_alloc_shadow_roots>> ++sp->root_count;
+ * - arch/x86/kvm/mmu.c|3818| <<mmu_alloc_shadow_roots>> ++sp->root_count;
+ *
+ * Presumably related to the number of (v)cpus
+ */
int root_count; /* Currently serving as active root */
+ /*
+ * Incremented in:
+ * - arch/x86/kvm/mmu.c|2118| <<mark_unsync>> if (sp->unsync_children++)
+ *
+ * Decremented in:
+ * - arch/x86/kvm/mmu.c|2168| <<clear_unsync_child_bit>> --sp->unsync_children;
+ */
unsigned int unsync_children;
+ /*
+ * kvm_mmu_page->parent_ptes is used or modified in:
+ * - arch/x86/kvm/mmu.c|2045| <<mmu_page_add_parent_pte>> pte_list_add(vcpu, parent_pte, &sp->parent_ptes);
+ * - arch/x86/kvm/mmu.c|2051| <<mmu_page_remove_parent_pte>> pte_list_remove(parent_pte, &sp->parent_ptes);
+ * - arch/x86/kvm/mmu.c|2104| <<kvm_mmu_mark_parents_unsync>> for_each_rmap_spte(&sp->parent_ptes, &iter, sptep) {
+ * - arch/x86/kvm/mmu.c|2743| <<kvm_mmu_unlink_parents>> while ((sptep = rmap_get_first(&sp->parent_ptes, &iter)))
+ *
+ * Reverse mapping (rmap): tracks the parent page-table entries that point at this page
+ */
struct kvm_rmap_head parent_ptes; /* rmap pointers to parent sptes */
/* The page is obsolete if mmu_valid_gen != kvm->arch.mmu_valid_gen. */
+ /*
+ * Zapping all pages (page generation count)
+ *
+ * For large-memory guests, walking and zapping all pages is really slow
+ * (because there are a lot of pages), and also blocks memory accesses of
+ * all VCPUs because it needs to hold the MMU lock.
+ *
+ * To make this more scalable, KVM maintains a global generation number
+ * which is stored in kvm->arch.mmu_valid_gen. Every shadow page stores
+ * the current global generation-number into sp->mmu_valid_gen when it
+ * is created. Pages with a mismatching generation number are "obsolete".
+ *
+ * When KVM needs to zap all shadow page sptes, it simply increases the global
+ * generation number and then reloads the root shadow pages on all vcpus. As the VCPUs
+ * create new shadow page tables, the old pages are not used because of the
+ * mismatching generation number.
+ *
+ * KVM then walks through all pages and zaps obsolete pages. While the zap
+ * operation needs to take the MMU lock, the lock can be released periodically
+ * so that the VCPUs can make progress.
+ */
+ /*
+ * kvm_mmu_page->mmu_valid_gen is modified in:
+ * - arch/x86/kvm/mmu.c|4438| <<kvm_mmu_get_page>> sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen;
+ *
+ * kvm_arch->mmu_valid_gen is modified in:
+ * - arch/x86/kvm/mmu.c|8217| <<kvm_mmu_invalidate_zap_all_pages>> kvm->arch.mmu_valid_gen++;
+ */
unsigned long mmu_valid_gen;
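+ /*
+ * Illustrative sketch (annotation only, not part of the patch): the staleness
+ * check used while zapping, modeled on is_obsolete_sp() in arch/x86/kvm/mmu.c:
+ *
+ *	static bool is_obsolete_sp(struct kvm *kvm, struct kvm_mmu_page *sp)
+ *	{
+ *		return unlikely(sp->mmu_valid_gen != kvm->arch.mmu_valid_gen);
+ *	}
+ */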
+ /*
+ * kvm_mmu_page->unsync_child_bitmap is used in:
+ * - arch/x86/kvm/mmu.c|2116| <<mark_unsync>> if (__test_and_set_bit(index, sp->unsync_child_bitmap))
+ * - arch/x86/kvm/mmu.c|2170| <<clear_unsync_child_bit>> __clear_bit(idx, sp->unsync_child_bitmap);
+ * - arch/x86/kvm/mmu.c|2178| <<__mmu_unsync_walk>> for_each_set_bit(i, sp->unsync_child_bitmap, 512) {
+ */
DECLARE_BITMAP(unsync_child_bitmap, 512);
#ifdef CONFIG_X86_32
@@ -332,27 +514,132 @@ struct rsvd_bits_validate {
* current mmu mode.
*/
struct kvm_mmu {
+ /*
+ * set_cr3 is set in:
+ * - arch/x86/kvm/mmu.c|4563| <<init_kvm_tdp_mmu>> context->set_cr3 = kvm_x86_ops->set_tdp_cr3;
+ * - arch/x86/kvm/mmu.c|4660| <<init_kvm_softmmu>> context->set_cr3 = kvm_x86_ops->set_cr3;
+ * - arch/x86/kvm/svm.c|2923| <<nested_svm_init_mmu_context>> vcpu->arch.mmu.set_cr3 = nested_svm_set_tdp_cr3;
+ * - arch/x86/kvm/vmx.c|11331| <<nested_ept_init_mmu_context>> vcpu->arch.mmu.set_cr3 = vmx_set_cr3;
+ */
void (*set_cr3)(struct kvm_vcpu *vcpu, unsigned long root);
+ /*
+ * get_cr3 is set in:
+ * - arch/x86/kvm/mmu.c|4564| <<init_kvm_tdp_mmu>> context->get_cr3 = get_cr3;
+ * - arch/x86/kvm/mmu.c|4661| <<init_kvm_softmmu>> context->get_cr3 = get_cr3;
+ * - arch/x86/kvm/mmu.c|4670| <<init_kvm_nested_mmu>> g_context->get_cr3 = get_cr3;
+ * - arch/x86/kvm/svm.c|2924| <<nested_svm_init_mmu_context>> vcpu->arch.mmu.get_cr3 = nested_svm_get_tdp_cr3;
+ * - arch/x86/kvm/vmx.c|11332| <<nested_ept_init_mmu_context>> vcpu->arch.mmu.get_cr3 = nested_ept_get_cr3;
+ */
unsigned long (*get_cr3)(struct kvm_vcpu *vcpu);
+ /*
+ * get_pdptr is set in:
+ * - arch/x86/kvm/mmu.c|4565| <<init_kvm_tdp_mmu>> context->get_pdptr = kvm_pdptr_read;
+ * - arch/x86/kvm/mmu.c|4662| <<init_kvm_softmmu>> context->get_pdptr = kvm_pdptr_read;
+ * - arch/x86/kvm/mmu.c|4671| <<init_kvm_nested_mmu>> g_context->get_pdptr = kvm_pdptr_read;
+ * - arch/x86/kvm/svm.c|2925| <<nested_svm_init_mmu_context>> vcpu->arch.mmu.get_pdptr = nested_svm_get_tdp_pdptr;
+ */
u64 (*get_pdptr)(struct kvm_vcpu *vcpu, int index);
+ /*
+ * page_fault is set in:
+ * - arch/x86/kvm/mmu.c|4013| <<nonpaging_init_context>> context->page_fault = nonpaging_page_fault;
+ * - arch/x86/kvm/mmu.c|4498| <<paging64_init_context_common>> context->page_fault = paging64_page_fault;
+ * - arch/x86/kvm/mmu.c|4528| <<paging32_init_context>> context->page_fault = paging32_page_fault;
+ * - arch/x86/kvm/mmu.c|4556| <<init_kvm_tdp_mmu>> context->page_fault = tdp_page_fault;
+ * - arch/x86/kvm/mmu.c|4637| <<kvm_init_shadow_ept_mmu>> context->page_fault = ept_page_fault;
+ */
int (*page_fault)(struct kvm_vcpu *vcpu, gva_t gva, u32 err,
bool prefault);
void (*inject_page_fault)(struct kvm_vcpu *vcpu,
struct x86_exception *fault);
+ /*
+ * gva_to_gpa is set in:
+ * - arch/x86/kvm/mmu.c|4014| <<nonpaging_init_context>> context->gva_to_gpa = nonpaging_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4499| <<paging64_init_context_common>> context->gva_to_gpa = paging64_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4529| <<paging32_init_context>> context->gva_to_gpa = paging32_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4570| <<init_kvm_tdp_mmu>> context->gva_to_gpa = nonpaging_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4577| <<init_kvm_tdp_mmu>> context->gva_to_gpa = paging64_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4582| <<init_kvm_tdp_mmu>> context->gva_to_gpa = paging64_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4587| <<init_kvm_tdp_mmu>> context->gva_to_gpa = paging32_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4638| <<kvm_init_shadow_ept_mmu>> context->gva_to_gpa = ept_gva_to_gpa;
+ * - arch/x86/kvm/mmu.c|4685| <<init_kvm_nested_mmu>> g_context->gva_to_gpa = nonpaging_gva_to_gpa_nested;
+ * - arch/x86/kvm/mmu.c|4691| <<init_kvm_nested_mmu>> g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
+ * - arch/x86/kvm/mmu.c|4696| <<init_kvm_nested_mmu>> g_context->gva_to_gpa = paging64_gva_to_gpa_nested;
+ * - arch/x86/kvm/mmu.c|4701| <<init_kvm_nested_mmu>> g_context->gva_to_gpa = paging32_gva_to_gpa_nested;
+ */
gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva, u32 access,
struct x86_exception *exception);
gpa_t (*translate_gpa)(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access,
struct x86_exception *exception);
+ /*
+ * sync_page is set in:
+ * - arch/x86/kvm/mmu.c|4298| <<nonpaging_init_context>> context->sync_page = nonpaging_sync_page;
+ * - arch/x86/kvm/mmu.c|4783| <<paging64_init_context_common>> context->sync_page = paging64_sync_page;
+ * - arch/x86/kvm/mmu.c|4813| <<paging32_init_context>> context->sync_page = paging32_sync_page;
+ * - arch/x86/kvm/mmu.c|4842| <<init_kvm_tdp_mmu>> context->sync_page = nonpaging_sync_page;
+ * - arch/x86/kvm/mmu.c|4924| <<kvm_init_shadow_ept_mmu>> context->sync_page = ept_sync_page;
+ */
int (*sync_page)(struct kvm_vcpu *vcpu,
struct kvm_mmu_page *sp);
void (*invlpg)(struct kvm_vcpu *vcpu, gva_t gva);
void (*update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
u64 *spte, const void *pte);
+ /*
+ * kvm_mmu->root_hpa is set in:
+ * - arch/x86/kvm/mmu.c|6172| <<mmu_free_root_page>> *root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|6204| <<kvm_mmu_free_roots>> mmu->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|6250| <<mmu_alloc_direct_roots>> vcpu->arch.mmu.root_hpa = __pa(sp->spt);
+ * - arch/x86/kvm/mmu.c|6268| <<mmu_alloc_direct_roots>> vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+ * - arch/x86/kvm/mmu.c|6310| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.root_hpa = root;
+ * - arch/x86/kvm/mmu.c|6350| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+ * - arch/x86/kvm/mmu.c|6374| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.lm_root);
+ * - arch/x86/kvm/mmu.c|7003| <<nonpaging_init_context>> context->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|7496| <<paging64_init_context_common>> context->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|7534| <<paging32_init_context>> context->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|7567| <<init_kvm_tdp_mmu>> context->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|7658| <<kvm_init_shadow_ept_mmu>> context->root_hpa = INVALID_PAGE;
+ * - arch/x86/kvm/mmu.c|8284| <<kvm_mmu_create>> vcpu->arch.mmu.root_hpa = INVALID_PAGE;
+ */
hpa_t root_hpa;
union kvm_mmu_page_role base_role;
+ /*
+ * Set in:
+ * - arch/x86/kvm/mmu.c|4383| <<nonpaging_init_context>> context->root_level = 0;
+ * - arch/x86/kvm/mmu.c|4855| <<paging64_init_context_common>> context->root_level = level;
+ * - arch/x86/kvm/mmu.c|4886| <<paging32_init_context>> context->root_level = PT32_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|4938| <<init_kvm_tdp_mmu>> context->root_level = 0;
+ * - arch/x86/kvm/mmu.c|4941| <<init_kvm_tdp_mmu>> context->root_level = is_la57_mode(vcpu) ?
+ * - arch/x86/kvm/mmu.c|4947| <<init_kvm_tdp_mmu>> context->root_level = PT32E_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|4952| <<init_kvm_tdp_mmu>> context->root_level = PT32_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|5013| <<kvm_init_shadow_ept_mmu>> context->root_level = PT64_ROOT_4LEVEL;
+ * - arch/x86/kvm/mmu.c|5055| <<init_kvm_nested_mmu>> g_context->root_level = 0;
+ * - arch/x86/kvm/mmu.c|5059| <<init_kvm_nested_mmu>> g_context->root_level = is_la57_mode(vcpu) ?
+ * - arch/x86/kvm/mmu.c|5065| <<init_kvm_nested_mmu>> g_context->root_level = PT32E_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|5070| <<init_kvm_nested_mmu>> g_context->root_level = PT32_ROOT_LEVEL;
+ *
+ * With TDP, if long mode is enabled this is either 4 or 5
+ */
u8 root_level;
+ /*
+ * Set in:
+ * - arch/x86/kvm/mmu.c|4379| <<nonpaging_init_context>> context->shadow_root_level = PT32E_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|4863| <<paging64_init_context_common>> context->shadow_root_level = level;
+ * - arch/x86/kvm/mmu.c|4893| <<paging32_init_context>> context->shadow_root_level = PT32E_ROOT_LEVEL;
+ * - arch/x86/kvm/mmu.c|4922| <<init_kvm_tdp_mmu>> context->shadow_root_level = kvm_x86_ops->get_tdp_level(vcpu);
+ * - arch/x86/kvm/mmu.c|4999| <<kvm_init_shadow_ept_mmu>> context->shadow_root_level = PT64_ROOT_4LEVEL;
+ * - arch/x86/kvm/svm.c|2927| <<nested_svm_init_mmu_context>> vcpu->arch.mmu.shadow_root_level = get_npt_level(vcpu);
+ *
+ * For TDP this is either 4 or 5
+ */
u8 shadow_root_level;
u8 ept_ad;
+ /*
+ * direct_map is set in:
+ * - arch/x86/kvm/mmu.c|4003| <<nonpaging_init_context>> context->direct_map = true;
+ * - arch/x86/kvm/mmu.c|4487| <<paging64_init_context_common>> context->direct_map = false;
+ * - arch/x86/kvm/mmu.c|4517| <<paging32_init_context>> context->direct_map = false;
+ * - arch/x86/kvm/mmu.c|4544| <<init_kvm_tdp_mmu>> context->direct_map = true;
+ * - arch/x86/kvm/mmu.c|4626| <<kvm_init_shadow_ept_mmu>> context->direct_map = false;
+ */
bool direct_map;
/*
@@ -370,6 +657,25 @@ struct kvm_mmu {
*/
u32 pkru_mask;
+ /*
+ * kvm_mmu->pae_root is used in:
+ * - arch/x86/kvm/mmu.c|4855| <<shadow_walk_init>> = vcpu->arch.mmu.pae_root[(addr >> 30) & 3];
+ * - arch/x86/kvm/mmu.c|6297| <<kvm_mmu_free_roots>> if (mmu->pae_root[i] != 0)
+ * - arch/x86/kvm/mmu.c|6298| <<kvm_mmu_free_roots>> mmu_free_root_page(vcpu->kvm, &mmu->pae_root[i],
+ * - arch/x86/kvm/mmu.c|6375| <<mmu_alloc_direct_roots>> hpa_t root = vcpu->arch.mmu.pae_root[i];
+ * - arch/x86/kvm/mmu.c|6388| <<mmu_alloc_direct_roots>> vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
+ * - arch/x86/kvm/mmu.c|6390| <<mmu_alloc_direct_roots>> vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+ * - arch/x86/kvm/mmu.c|6446| <<mmu_alloc_shadow_roots>> hpa_t root = vcpu->arch.mmu.pae_root[i];
+ * - arch/x86/kvm/mmu.c|6452| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.pae_root[i] = 0;
+ * - arch/x86/kvm/mmu.c|6470| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.pae_root[i] = root | pm_mask;
+ * - arch/x86/kvm/mmu.c|6472| <<mmu_alloc_shadow_roots>> vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
+ * - arch/x86/kvm/mmu.c|6491| <<mmu_alloc_shadow_roots>> lm_root[0] = __pa(vcpu->arch.mmu.pae_root) | pm_mask;
+ * - arch/x86/kvm/mmu.c|6557| <<mmu_sync_roots>> hpa_t root = vcpu->arch.mmu.pae_root[i];
+ * - arch/x86/kvm/mmu.c|8419| <<free_mmu_pages>> free_page((unsigned long )vcpu->arch.mmu.pae_root);
+ * - arch/x86/kvm/mmu.c|8441| <<alloc_mmu_pages>> vcpu->arch.mmu.pae_root = page_address(page);
+ * - arch/x86/kvm/mmu.c|8443| <<alloc_mmu_pages>> vcpu->arch.mmu.pae_root[i] = INVALID_PAGE;
+ * - arch/x86/kvm/mmu_audit.c|74| <<mmu_spte_walk>> hpa_t root = vcpu->arch.mmu.pae_root[i];
+ */
u64 *pae_root;
u64 *lm_root;
@@ -542,6 +848,18 @@ struct kvm_vcpu_arch {
struct kvm_mmu_memory_cache mmu_pte_list_desc_cache;
struct kvm_mmu_memory_cache mmu_page_cache;
+ /*
+ * mmu_page_header_cache is used in:
+ * - arch/x86/kvm/mmu.c|1921| <<mmu_topup_memory_caches>> r = mmu_topup_memory_cache(&vcpu->arch.mmu_page_header_cache,
+ * - arch/x86/kvm/mmu.c|1922| <<mmu_topup_memory_caches>> mmu_page_header_cache, 4);
+ * - arch/x86/kvm/mmu.c|1936| <<mmu_free_memory_caches>> mmu_free_memory_cache(&vcpu->arch.mmu_page_header_cache,
+ * - arch/x86/kvm/mmu.c|1937| <<mmu_free_memory_caches>> mmu_page_header_cache);
+ * - arch/x86/kvm/mmu.c|3686| <<kvm_mmu_free_page>> kmem_cache_free(mmu_page_header_cache, sp);
+ * - arch/x86/kvm/mmu.c|3766| <<kvm_mmu_alloc_page>> sp = mmu_memory_cache_alloc(&vcpu->arch.mmu_page_header_cache);
+ * - arch/x86/kvm/mmu.c|8313| <<mmu_destroy_caches>> kmem_cache_destroy(mmu_page_header_cache);
+ * - arch/x86/kvm/mmu.c|8331| <<kvm_mmu_module_init>> mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
+ * - arch/x86/kvm/mmu.c|8334| <<kvm_mmu_module_init>> if (!mmu_page_header_cache)
+ */
struct kvm_mmu_memory_cache mmu_page_header_cache;
/*
@@ -650,9 +968,32 @@ struct kvm_vcpu_arch {
u64 *mce_banks;
/* Cache MMIO info */
+ /*
+ * Modified or used in:
+ * - arch/x86/kvm/x86.h|188| <<vcpu_cache_mmio_info>> vcpu->arch.mmio_gva = mmu_is_nested(vcpu) ? 0 : gva & PAGE_MASK;
+ * - arch/x86/kvm/x86.h|207| <<vcpu_clear_mmio_info>> if (gva != MMIO_GVA_ANY && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
+ * - arch/x86/kvm/x86.h|210| <<vcpu_clear_mmio_info>> vcpu->arch.mmio_gva = 0;
+ * - arch/x86/kvm/x86.h|215| <<vcpu_match_mmio_gva>> if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gva &&
+ * - arch/x86/kvm/x86.h|216| <<vcpu_match_mmio_gva>> vcpu->arch.mmio_gva == (gva & PAGE_MASK))
+ */
u64 mmio_gva;
+ /*
+ * Modified in vcpu_cache_mmio_info()
+ */
unsigned access;
+ /*
+ * Modified or used in:
+ * - arch/x86/kvm/x86.h|190| <<vcpu_cache_mmio_info>> vcpu->arch.mmio_gfn = gfn;
+ * - arch/x86/kvm/x86.h|224| <<vcpu_match_mmio_gpa>> if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gfn &&
+ * - arch/x86/kvm/x86.h|225| <<vcpu_match_mmio_gpa>> vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
+ * - arch/x86/kvm/x86.c|4982| <<vcpu_mmio_gva_to_gpa>> *gpa = vcpu->arch.mmio_gfn << PAGE_SHIFT |
+ */
gfn_t mmio_gfn;
+ /*
+ * Modified or used in:
+ * - arch/x86/kvm/x86.h|191| <<vcpu_cache_mmio_info>> vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
+ * - arch/x86/kvm/x86.h|196| <<vcpu_match_mmio_gen>> return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation;
+ */
u64 mmio_gen;
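+ /*
+ * Illustrative sketch (annotation only, not part of the patch): how the cached
+ * mmio info is validated against the memslot generation, modeled on
+ * vcpu_match_mmio_gen() in arch/x86/kvm/x86.h (referenced above):
+ *
+ *	return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation;
+ */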
struct kvm_pmu pmu;
@@ -720,12 +1061,34 @@ struct kvm_vcpu_arch {
};
struct kvm_lpage_info {
+ /*
+ * kvm_lpage_info->disallow_lpage is modified in:
+ * - arch/x86/kvm/mmu.c|2080| <<update_gfn_disallow_lpage_count>> linfo->disallow_lpage += count;
+ * - arch/x86/kvm/x86.c|9087| <<kvm_arch_create_memslot>> linfo[0].disallow_lpage = 1;
+ * - arch/x86/kvm/x86.c|9089| <<kvm_arch_create_memslot>> linfo[lpages - 1].disallow_lpage = 1;
+ * - arch/x86/kvm/x86.c|9101| <<kvm_arch_create_memslot>> linfo[j].disallow_lpage = 1;
+ */
int disallow_lpage;
};
struct kvm_arch_memory_slot {
+ /*
+ * About rmap_head encoding:
+ *
+ * If the bit zero of rmap_head->val is clear, then it points to the only spte
+ * in this rmap chain. Otherwise, (rmap_head->val & ~1) points to a struct
+ * pte_list_desc containing more mappings.
+ *
+ * The second dimension of both rmap and lpage_info is allocated in kvm_arch_create_memslot().
+ * Its length is the number of pages of the corresponding level,
+ * so the larger the level (huge pages), the fewer the entries.
+ */
struct kvm_rmap_head *rmap[KVM_NR_PAGE_SIZES];
struct kvm_lpage_info *lpage_info[KVM_NR_PAGE_SIZES - 1];
+ /*
+ * The second dimension is initialized in kvm_page_track_create_memslot();
+ * presumably one entry per page in the slot.
+ */
unsigned short *gfn_track[KVM_PAGE_TRACK_MAX];
};
@@ -778,16 +1141,104 @@ enum kvm_irqchip_mode {
};
struct kvm_arch {
+ /*
+ * Modified by:
+ * - arch/x86/kvm/mmu.c|1973| <<kvm_mod_used_mmu_pages>> kvm->arch.n_used_mmu_pages += nr;
+ *
+ * Used by:
+ * - arch/x86/kvm/mmu.c|2727| <<kvm_mmu_change_mmu_pages>> if (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages) {
+ * - arch/x86/kvm/mmu.c|2729| <<kvm_mmu_change_mmu_pages>> while (kvm->arch.n_used_mmu_pages > goal_nr_mmu_pages)
+ * - arch/x86/kvm/mmu.c|2734| <<kvm_mmu_change_mmu_pages>> goal_nr_mmu_pages = kvm->arch.n_used_mmu_pages;
+ * - arch/x86/kvm/mmu.c|5729| <<mmu_shrink_scan>> if (!kvm->arch.n_used_mmu_pages &&
+ * - arch/x86/kvm/mmu.h|73| <<kvm_mmu_available_pages>> if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
+ * - arch/x86/kvm/mmu.h|75| <<kvm_mmu_available_pages>> kvm->arch.n_used_mmu_pages;
+ */
unsigned int n_used_mmu_pages;
+ /*
+ * Modified by:
+ * - arch/x86/kvm/x86.c|4035| <<kvm_vm_ioctl_set_nr_mmu_pages>> kvm->arch.n_requested_mmu_pages = kvm_nr_mmu_pages;
+ *
+ * Used in:
+ * - arch/x86/kvm/x86.c|9196| <<kvm_arch_commit_memory_region>> if (!kvm->arch.n_requested_mmu_pages)
+ */
unsigned int n_requested_mmu_pages;
+ /*
+ * n_max_mmu_pages is used in:
+ * - arch/x86/kvm/mmu.c|4913| <<kvm_mmu_change_mmu_pages>> kvm->arch.n_max_mmu_pages = goal_nr_mmu_pages;
+ * - arch/x86/kvm/mmu.h|81| <<kvm_mmu_available_pages>> if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
+ * - arch/x86/kvm/mmu.h|82| <<kvm_mmu_available_pages>> return kvm->arch.n_max_mmu_pages -
+ * - arch/x86/kvm/x86.c|4046| <<kvm_vm_ioctl_get_nr_mmu_pages>> return kvm->arch.n_max_mmu_pages;
+ */
unsigned int n_max_mmu_pages;
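+ /*
+ * Illustrative sketch (annotation only, not part of the patch): how the two
+ * counters above are combined, modeled on kvm_mmu_available_pages() in
+ * arch/x86/kvm/mmu.h (referenced in the lists above):
+ *
+ *	if (kvm->arch.n_max_mmu_pages > kvm->arch.n_used_mmu_pages)
+ *		return kvm->arch.n_max_mmu_pages - kvm->arch.n_used_mmu_pages;
+ *	return 0;
+ */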
+ /*
+ * kvm_arch->indirect_shadow_pages is used in:
+ * - arch/x86/kvm/mmu.c|2218| <<account_shadowed>> kvm->arch.indirect_shadow_pages++;
+ * - arch/x86/kvm/mmu.c|2243| <<unaccount_shadowed>> kvm->arch.indirect_shadow_pages--;
+ * - arch/x86/kvm/mmu.c|7681| <<kvm_mmu_pte_write>> if (!READ_ONCE(vcpu->kvm->arch.indirect_shadow_pages))
+ * - arch/x86/kvm/x86.c|5880| <<reexecute_instruction>> unsigned int indirect_shadow_pages;
+ * - arch/x86/kvm/x86.c|5883| <<reexecute_instruction>> indirect_shadow_pages = vcpu->kvm->arch.indirect_shadow_pages;
+ * - arch/x86/kvm/x86.c|5886| <<reexecute_instruction>> if (indirect_shadow_pages)
+ */
unsigned int indirect_shadow_pages;
+ /*
+ * Zapping all pages (page generation count)
+ *
+ * For large-memory guests, walking and zapping all pages is really slow
+ * (because there are a lot of pages), and also blocks memory accesses of
+ * all VCPUs because it needs to hold the MMU lock.
+ *
+ * To make this more scalable, KVM maintains a global generation number
+ * which is stored in kvm->arch.mmu_valid_gen. Every shadow page stores
+ * the current global generation-number into sp->mmu_valid_gen when it
+ * is created. Pages with a mismatching generation number are "obsolete".
+ *
+ * When KVM needs to zap all shadow page sptes, it simply increases the global
+ * generation number and then reloads the root shadow pages on all vcpus. As the VCPUs
+ * create new shadow page tables, the old pages are not used because of the
+ * mismatching generation number.
+ *
+ * KVM then walks through all pages and zaps obsolete pages. While the zap
+ * operation needs to take the MMU lock, the lock can be released periodically
+ * so that the VCPUs can make progress.
+ */
+ /*
+ * kvm_mmu_page->mmu_valid_gen is modified in:
+ * - arch/x86/kvm/mmu.c|4438| <<kvm_mmu_get_page>> sp->mmu_valid_gen = vcpu->kvm->arch.mmu_valid_gen;
+ *
+ * kvm_arch->mmu_valid_gen is modified in:
+ * - arch/x86/kvm/mmu.c|8217| <<kvm_mmu_invalidate_zap_all_pages>> kvm->arch.mmu_valid_gen++;
+ */
unsigned long mmu_valid_gen;
+ /*
+ * kvm_arch->mmu_page_hash[KVM_NUM_MMU_PAGES] is used in:
+ * - arch/x86/kvm/mmu.c|4446| <<for_each_valid_sp>> &(_kvm)->arch.mmu_page_hash[kvm_page_table_hashfn(_gfn)], hash_link) \
+ * - arch/x86/kvm/mmu.c|4864| <<kvm_mmu_get_page>> &vcpu->kvm->arch.mmu_page_hash[kvm_page_table_hashfn(gfn)]);
+ *
+ * The hash gives fast lookup of the page-table pages corresponding to a gfn
+ */
struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
/*
* Hash table of struct kvm_mmu_page.
*/
+ /*
+ * kvm_arch->active_mmu_pages is used in:
+ * - arch/x86/kvm/mmu.c|2030| <<kvm_mmu_alloc_page>> list_add(&sp->link, &vcpu->kvm->arch.active_mmu_pages);
+ * - arch/x86/kvm/mmu.c|2665| <<kvm_mmu_prepare_zap_page>> list_move(&sp->link, &kvm->arch.active_mmu_pages);
+ * - arch/x86/kvm/mmu.c|2709| <<prepare_zap_oldest_mmu_page>> if (list_empty(&kvm->arch.active_mmu_pages))
+ * - arch/x86/kvm/mmu.c|2712| <<prepare_zap_oldest_mmu_page>> sp = list_last_entry(&kvm->arch.active_mmu_pages,
+ * - arch/x86/kvm/mmu.c|5606| <<kvm_zap_obsolete_pages>> &kvm->arch.active_mmu_pages, link) {
+ * - arch/x86/kvm/mmu_audit.c|92| <<walk_all_active_sps>> list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link)
+ * - arch/x86/kvm/x86.c|8822| <<kvm_arch_init_vm>> INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
+ */
struct list_head active_mmu_pages;
+ /*
+ * kvm_arch->zapped_obsolete_pages is used in:
+ * - arch/x86/kvm/mmu.c|6107| <<kvm_zap_obsolete_pages>> &kvm->arch.zapped_obsolete_pages);
+ * - arch/x86/kvm/mmu.c|6118| <<kvm_zap_obsolete_pages>> kvm_mmu_commit_zap_page(kvm, &kvm->arch.zapped_obsolete_pages);
+ * - arch/x86/kvm/mmu.c|6159| <<kvm_has_zapped_obsolete_pages>> return unlikely(!list_empty_careful(&kvm->arch.zapped_obsolete_pages));
+ * - arch/x86/kvm/mmu.c|6214| <<mmu_shrink_scan>> &kvm->arch.zapped_obsolete_pages);
+ * - arch/x86/kvm/x86.c|8826| <<kvm_arch_init_vm>> INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
+ */
struct list_head zapped_obsolete_pages;
struct kvm_page_track_notifier_node mmu_sp_tracker;
struct kvm_page_track_notifier_head track_notifier_head;
@@ -860,6 +1311,11 @@ struct kvm_arch {
};
struct kvm_vm_stat {
+ /*
+ * kvm_vm_stat->mmu_shadow_zapped is used in:
+ * - arch/x86/kvm/x86.c|199| <<global>> { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
+ * - arch/x86/kvm/mmu.c|5138| <<kvm_mmu_prepare_zap_page>> ++kvm->stat.mmu_shadow_zapped;
+ */
ulong mmu_shadow_zapped;
ulong mmu_pte_write;
ulong mmu_pte_updated;
@@ -867,8 +1323,21 @@ struct kvm_vm_stat {
ulong mmu_flooded;
ulong mmu_recycled;
ulong mmu_cache_miss;
+ /*
+ * kvm_vm_stat->mmu_unsync is used in:
+ * - arch/x86/kvm/x86.c|206| <<global>> { "mmu_unsync", VM_STAT(mmu_unsync) },
+ * - arch/x86/kvm/mmu.c|4380| <<kvm_unlink_unsync_page>> --kvm->stat.mmu_unsync;
+ * - arch/x86/kvm/mmu.c|5371| <<kvm_unsync_page>> ++vcpu->kvm->stat.mmu_unsync;
+ */
ulong mmu_unsync;
ulong remote_tlb_flush;
+ /*
+ * kvm_vm_stat->lpages is used in:
+ * - arch/x86/kvm/x86.c|208| <<global>> { "largepages", VM_STAT(lpages) },
+ * - arch/x86/kvm/mmu.c|2996| <<__drop_large_spte>> --kvm->stat.lpages;
+ * - arch/x86/kvm/mmu.c|4839| <<mmu_page_zap_pte>> --kvm->stat.lpages;
+ * - arch/x86/kvm/mmu.c|5370| <<mmu_set_spte>> ++vcpu->kvm->stat.lpages;
+ */
ulong lpages;
ulong max_mmu_page_hash_collisions;
};
@@ -922,6 +1391,10 @@ struct kvm_lapic_irq {
bool msi_redir_hint;
};
+/*
+ * intel : vmx_x86_ops
+ * amd : svm_x86_ops
+ */
struct kvm_x86_ops {
int (*cpu_has_kvm_support)(void); /* __init */
int (*disabled_by_bios)(void); /* __init */
@@ -1114,6 +1587,10 @@ extern struct kvm_x86_ops *kvm_x86_ops;
#define __KVM_HAVE_ARCH_VM_ALLOC
static inline struct kvm *kvm_arch_alloc_vm(void)
{
+ /*
+ * intel: vmx_vm_alloc()
+ * amd : svm_vm_alloc()
+ */
return kvm_x86_ops->vm_alloc();
}
@@ -1318,8 +1795,16 @@ static inline gpa_t translate_gpa(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access,
return gpa;
}
+/*
+ * shadow_page may be the physical address of some spte (the caller passes the
+ * address of that pte, not its contents), typically via page_header(__pa(sptep)).
+ * Returns the kvm_mmu_page that describes the page-table page containing that address.
+ */
static inline struct kvm_mmu_page *page_header(hpa_t shadow_page)
{
+ /*
+ * shadow_page may be the physical address of some spte (the address, not the contents).
+ * Shifting shadow_page right by PAGE_SHIFT gives the pfn of the page-table page
+ * that contains this pte.
+ */
struct page *page = pfn_to_page(shadow_page >> PAGE_SHIFT);
return (struct kvm_mmu_page *)page_private(page);
@@ -1376,6 +1861,11 @@ enum {
#define HF_VINTR_MASK (1 << 2)
#define HF_NMI_MASK (1 << 3)
#define HF_IRET_MASK (1 << 4)
+/*
+ * Modified in:
+ * - arch/x86/kvm/kvm_cache_regs.h|90| <<enter_guest_mode>> vcpu->arch.hflags |= HF_GUEST_MASK;
+ * - arch/x86/kvm/kvm_cache_regs.h|95| <<leave_guest_mode>> vcpu->arch.hflags &= ~HF_GUEST_MASK;
+ */
#define HF_GUEST_MASK (1 << 5) /* VCPU is in guest-mode */
#define HF_SMM_MASK (1 << 6)
#define HF_SMM_INSIDE_NMI_MASK (1 << 7)
diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
index 547c4fe5..0184db6c 100644
--- a/arch/x86/include/asm/smp.h
+++ b/arch/x86/include/asm/smp.h
@@ -93,6 +93,9 @@ static inline void smp_cpus_done(unsigned int max_cpus)
static inline int __cpu_up(unsigned int cpu, struct task_struct *tidle)
{
+ /*
+ * native_cpu_up()
+ */
return smp_ops.cpu_up(cpu, tidle);
}
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index 3b3a2d0a..c0f7ab83 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -998,6 +998,10 @@ void setup_secondary_APIC_clock(void)
/*
* The guts of the apic timer interrupt
*/
+/*
+ * called only by:
+ * - arch/x86/kernel/apic/apic.c|1054| <<smp_apic_timer_interrupt>> local_apic_timer_interrupt();
+ */
static void local_apic_timer_interrupt(void)
{
struct clock_event_device *evt = this_cpu_ptr(&lapic_events);
@@ -1037,6 +1041,9 @@ static void local_apic_timer_interrupt(void)
* [ if a single-CPU system runs an SMP kernel then we call the local
* interrupt as well. Thus we cannot inline the local irq ... ]
*/
+/*
+ * arch/x86/entry/entry_64.S: used as the handler for LOCAL_TIMER_VECTOR (0xec)
+ */
__visible void __irq_entry smp_apic_timer_interrupt(struct pt_regs *regs)
{
struct pt_regs *old_regs = set_irq_regs(regs);
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index 5b2300b8..269c8e22 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -299,6 +299,10 @@ static void __init paravirt_ops_setup(void)
#endif
}
+/*
+ * called by:
+ * - arch/x86/kernel/kvm.c|364| <<kvm_guest_cpu_init>> kvm_register_steal_time();
+ */
static void kvm_register_steal_time(void)
{
int cpu = smp_processor_id();
diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
index 3b8e7c13..a3e88288 100644
--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -32,6 +32,76 @@
#include <asm/reboot.h>
#include <asm/kvmclock.h>
+/*
+ * FROM SUSE!!!
+ * When using kvm-clock, it is not recommended to use NTP in the VM Guest, as
+ * well. Using NTP on the VM Host Server, however, is still recommended.
+ */
+
+/*
+ * Clocksource is a device that can give a timestamp whenever you need it. In
+ * other words, Clocksource is any ticking counter that allows you to get its
+ * value.
+ *
+ * Clockevent device is an alarm clock—you ask the device to signal a time in
+ * the future (e.g., "wake me up in 1ms") and when the alarm is triggered, you
+ * get the signal.
+ *
+ * sched_clock() function is similar to clocksource, but this particular one
+ * should be "cheap" to read (meaning that one can get its value fast), as
+ * sched_clock() is used for task-scheduling purposes and scheduling happens
+ * often. We're ready to sacrifice accuracy and other characteristics for
+ * speed.
+ *
+ * > CLOCK_REALTIME clock gives the time passed since January 1, 1970. This
+ * clock is affected by NTP adjustments and can jump forward and backward when
+ * a system administrator adjusts system time.
+ *
+ * > CLOCK_MONOTONIC clock gives the time since a fixed starting point, usually
+ * since you booted the system. This clock is affected by NTP, but it can't
+ * jump backward.
+ *
+ * > CLOCK_MONOTONIC_RAW clock gives the same time as CLOCK_MONOTONIC, but this
+ * clock is not affected by NTP adjustments.
+ *
+ * > CLOCK_REALTIME_COARSE and CLOCK_MONOTONIC_COARSE are faster but
+ * less-accurate variants of CLOCK_REALTIME and CLOCK_MONOTONIC.
+ *
+ *
+ *
+ * Hardware extensions for virtualizing TSC
+ *
+ * Since the early days of hardware-assisted virtualization, Intel was
+ * supplying an option to do TSC offsetting for virtual guests in hardware,
+ * which would mean that a guest's rdtsc reading will return a host's TSC value
+ * + offset. Unfortunately, this wasn't enough to support migration between
+ * different hosts because TSC frequency may differ, so pvclock and TSC page
+ * protocol were introduced. In late 2015, Intel introduced the TSC scaling
+ * feature (which was already present in AMD processors for several years) and,
+ * in theory, this is a game changer making pvclock and TSC page protocols
+ * redundant. However, an immediate switch to using plain TSC as a clocksource
+ * for virtualized guests seems impractical; one must be sure that all
+ * potential migration recipient hosts support the feature, but it is not yet
+ * widely available. Extensive testing also must be performed to make sure
+ * there are no drawbacks to switching from paravirtualized protocols.
+ */
+
+/*
+ * To get the current TSC reading, guests must do the following math:
+ *
+ * PerCPUTime = ((RDTSC() - tsc_timestamp) >> tsc_shift) * tsc_to_system_mul + system_time
+ *
+ *
+ *
+ * kvmclock or KVM pvclock lets guests read the host's wall clock time. It's
+ * really very simple: the guest sets aside a page of its RAM and asks the host
+ * to write time into that page (using an MSR). The host writes a structure
+ * containing the current time to this page - in theory the host updates this
+ * page constantly, but in reality that would be wasteful and the structure is
+ * only updated just before reentering the guest after some VM event.
+ * On the host side the clock is updated by kvm_guest_time_update(), which is only called from vcpu_enter_guest().
+ */
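+
+/*
+ * Illustrative sketch (annotation only, not part of the patch): a slightly more
+ * precise form of the formula above, using the pvclock_vcpu_time_info fields
+ * (version/retry handling omitted; the real reader is
+ * pvclock_clocksource_read(), which also uses a wider multiply):
+ *
+ *	u64 delta = rdtsc() - ti->tsc_timestamp;
+ *	if (ti->tsc_shift >= 0)
+ *		delta <<= ti->tsc_shift;
+ *	else
+ *		delta >>= -ti->tsc_shift;
+ *	ns = ti->system_time + ((delta * ti->tsc_to_system_mul) >> 32);
+ */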
+
static int kvmclock __ro_after_init = 1;
static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
@@ -45,6 +115,9 @@ static int parse_no_kvmclock(char *arg)
early_param("no-kvmclock", parse_no_kvmclock);
/* The hypervisor will put information about time periodically here */
+/*
+ * Roughly the counterpart of the time fields in Xen's vcpu_info; shared with the host
+ */
static struct pvclock_vsyscall_time_info *hv_clock;
static struct pvclock_wall_clock *wall_clock;
@@ -273,6 +346,10 @@ static void __init kvm_memblock_free(phys_addr_t addr, phys_addr_t size)
memblock_free(addr, size);
}
+/*
+ * called only by:
+ * - arch/x86/kernel/setup.c|1207| <<setup_arch>> kvmclock_init();
+ */
void __init kvmclock_init(void)
{
struct pvclock_vcpu_time_info *vcpu_time;
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index f02ecaf9..a962a95c 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -960,6 +960,11 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
* Returns zero if CPU booted OK, else error code from
* ->wakeup_secondary_cpu.
*/
+/*
+ * called by:
+ * - arch/ia64/kernel/smpboot.c|751| <<__cpu_up>> ret = do_boot_cpu(sapicid, cpu, tidle);
+ * - arch/x86/kernel/smpboot.c|1117| <<native_cpu_up>> err = do_boot_cpu(apicid, cpu, tidle, &cpu0_nmi_registered);
+ */
static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle,
int *cpu0_nmi_registered)
{
@@ -1069,6 +1074,19 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle,
return boot_error;
}
+/*
+ * [0] native_cpu_up
+ * [0] bringup_cpu
+ * [0] cpuhp_invoke_callback
+ * [0] _cpu_up
+ * [0] do_cpu_up
+ * [0] smp_init
+ * [0] kernel_init_freeable
+ * [0] kernel_init
+ * [0] ret_from_fork
+ *
+ * struct smp_ops smp_ops.cpu_up = native_cpu_up()
+ */
int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
{
int apicid = apic->cpu_present_to_apicid(cpu);
diff --git a/arch/x86/kernel/tsc_sync.c b/arch/x86/kernel/tsc_sync.c
index ec534f97..117e3dd7 100644
--- a/arch/x86/kernel/tsc_sync.c
+++ b/arch/x86/kernel/tsc_sync.c
@@ -307,6 +307,10 @@ static inline unsigned int loop_timeout(int cpu)
* Source CPU calls into this - it waits for the freshly booted
* target CPU to arrive and then starts the measurement:
*/
+/*
+ * called by:
+ * - arch/x86/kernel/smpboot.c|1126| <<native_cpu_up>> check_tsc_sync_source(cpu);
+ */
void check_tsc_sync_source(int cpu)
{
int cpus = 2;
@@ -397,6 +401,10 @@ void check_tsc_sync_source(int cpu)
/*
* Freshly booted CPUs call into this:
*/
+/*
+ * called by:
+ * - arch/x86/kernel/smpboot.c|245| <<start_secondary>> check_tsc_sync_target();
+ */
void check_tsc_sync_target(void)
{
struct tsc_adjust *cur = this_cpu_ptr(&tsc_adjust);
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index af192895..f5d8eb10 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -264,6 +264,12 @@ static void pit_do_work(struct kthread_work *work)
kvm_apic_nmi_wd_deliver(vcpu);
}
+/*
+ * used by:
+ * - arch/x86/kvm/i8254.c|680| <<kvm_create_pit>> pit_state->timer.function = pit_timer_fn;
+ *
+ * The legacy PIT timer function; these days everything uses the LAPIC timer instead
+ */
static enum hrtimer_restart pit_timer_fn(struct hrtimer *data)
{
struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state, timer);
@@ -645,6 +651,10 @@ static const struct kvm_io_device_ops speaker_dev_ops = {
.write = speaker_ioport_write,
};
+/*
+ * called only by:
+ * - arch/x86/kvm/x86.c|4390| <<kvm_arch_vm_ioctl>> kvm->arch.vpit = kvm_create_pit(kvm, u.pit_config.flags);
+ */
struct kvm_pit *kvm_create_pit(struct kvm *kvm, u32 flags)
{
struct kvm_pit *pit;
diff --git a/arch/x86/kvm/kvm_cache_regs.h b/arch/x86/kvm/kvm_cache_regs.h
index 9619dcc2..40810a18 100644
--- a/arch/x86/kvm/kvm_cache_regs.h
+++ b/arch/x86/kvm/kvm_cache_regs.h
@@ -102,6 +102,11 @@ static inline void leave_guest_mode(struct kvm_vcpu *vcpu)
static inline bool is_guest_mode(struct kvm_vcpu *vcpu)
{
+ /*
+ * Modified in:
+ * - arch/x86/kvm/kvm_cache_regs.h|90| <<enter_guest_mode>> vcpu->arch.hflags |= HF_GUEST_MASK;
+ * - arch/x86/kvm/kvm_cache_regs.h|95| <<leave_guest_mode>> vcpu->arch.hflags &= ~HF_GUEST_MASK;
+ */
return vcpu->arch.hflags & HF_GUEST_MASK;
}