[PATCH v2 0/3] vdso/datastore: Allow prefaulting by mlockall()

[PATCH v2 0/3] vdso/datastore: Allow prefaulting by mlockall()

[Thomas Weißschuh]

Latency-sensitive applications expect not to experience any pagefaults
after calling mlockall(). However mlockall() ignores VM_PFNMAP and VM_IO
mappings, both of which are used by the generic vDSO datastore.

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Changes in v2:
- Stop using nth_page() which is being removed
- Link to v1: https://lore.kernel.org/r/20250812-vdso-mlockall-v1-0-2f49ba7cf819@linutronix.de

---
Thomas Weißschuh (3):
      vdso/datastore: Explicitly prevent remote access to timens vvar page
      vdso/datastore: Allow prefaulting by mlockall()
      vdso/datastore: Map zero page for unavailable data

 kernel/time/namespace.c |  7 ++-----
 lib/vdso/datastore.c    | 38 ++++++++++++++++++++++----------------
 2 files changed, 24 insertions(+), 21 deletions(-)
---
base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585
change-id: 20250721-vdso-mlockall-461bb33205b1

Best regards,
-- 
Thomas Weißschuh <thomas.weissschuh@linutronix.de>

[PATCH v2 1/3] vdso/datastore: Explicitly prevent remote access to timens vvar page

[Thomas Weißschuh]

The fault handler for the timens page does not have access to the target
task and therefore can not be invoked remotely.
Currently the handler relies on the fact that the vvar mapping is marked as
VM_IO and VM_PFNMAP for which the mm core always prevents remote access.
However the VM_IO and VM_PFNMAP flags are going to be removed.

Add an explicit check to prevent remote access to the mapping.

Move the call to find_timens_vvar_page() after the check to avoid hitting
the WARN() in that function.

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
 kernel/time/namespace.c | 7 ++-----
 lib/vdso/datastore.c    | 7 ++++++-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/kernel/time/namespace.c b/kernel/time/namespace.c
index 667452768ed3b50e48e3cfb70f8ef68e4bed9e0b..e225547021b73230e3c820cd91635e0483821c49 100644
--- a/kernel/time/namespace.c
+++ b/kernel/time/namespace.c
@@ -198,11 +198,8 @@ struct page *find_timens_vvar_page(struct vm_area_struct *vma)
 		return current->nsproxy->time_ns->vvar_page;
 
 	/*
-	 * VM_PFNMAP | VM_IO protect .fault() handler from being called
-	 * through interfaces like /proc/$pid/mem or
-	 * process_vm_{readv,writev}() as long as there's no .access()
-	 * in special_mapping_vmops().
-	 * For more details check_vma_flags() and __access_remote_vm()
+	 * vvar_fault() protects this from being called through remote interfaces like
+	 * /proc/$pid/mem or process_vm_{readv,writev}().
 	 */
 
 	WARN(1, "vvar_page accessed remotely");
diff --git a/lib/vdso/datastore.c b/lib/vdso/datastore.c
index 3693c6caf2c4d41a526613d5fb746cb3a981ea2e..ed1aa3e27b13f8b48d18dad9488e0798f49cb338 100644
--- a/lib/vdso/datastore.c
+++ b/lib/vdso/datastore.c
@@ -40,10 +40,15 @@ struct vdso_arch_data *vdso_k_arch_data = &vdso_arch_data_store.data;
 static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 			     struct vm_area_struct *vma, struct vm_fault *vmf)
 {
-	struct page *timens_page = find_timens_vvar_page(vma);
+	struct page *timens_page;
 	unsigned long addr, pfn;
 	vm_fault_t err;
 
+	if (unlikely(vmf->flags & FAULT_FLAG_REMOTE))
+		return VM_FAULT_SIGBUS;
+
+	timens_page = find_timens_vvar_page(vma);
+
 	switch (vmf->pgoff) {
 	case VDSO_TIME_PAGE_OFFSET:
 		if (!IS_ENABLED(CONFIG_HAVE_GENERIC_VDSO))

-- 
2.51.0

[PATCH v2 2/3] vdso/datastore: Allow prefaulting by mlockall()

[Thomas Weißschuh]

Latency-sensitive applications expect not to experience any pagefaults
after calling mlockall(). However mlockall() ignores VM_PFNMAP and VM_IO
mappings, both of which are used by the generic vDSO datastore.
While the fault handler itself is very fast, going through the full
pagefault exception handling is much slower, on the order of 20us in a
test machine.

Since the memory behind the datastore mappings is always present and
accessible it is not necessary to use VM_IO for them.
VM_PFNMAP can be removed by mapping the pages through 'struct page' instead
of PFNs. VM_MIXEDMAP is necessary to call vmf_insert_page() in the timens
optimization path.

The data page mapping is now also aligned with the architecture-specific
code pages. Some architecture-specific data pages, like the x86 VCLOCK
pages, continue to use VM_IO as they are not always mappable.

Regular mlock() would also work, but userspace does not know the boundaries
of the vDSO.

Reported-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Tested-by: Nam Cao <namcao@linutronix.de>
---
 lib/vdso/datastore.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/lib/vdso/datastore.c b/lib/vdso/datastore.c
index ed1aa3e27b13f8b48d18dad9488e0798f49cb338..00714c0cf0b24b813bf5b28ff8a19e5f246fce45 100644
--- a/lib/vdso/datastore.c
+++ b/lib/vdso/datastore.c
@@ -40,8 +40,8 @@ struct vdso_arch_data *vdso_k_arch_data = &vdso_arch_data_store.data;
 static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 			     struct vm_area_struct *vma, struct vm_fault *vmf)
 {
-	struct page *timens_page;
-	unsigned long addr, pfn;
+	struct page *page, *timens_page;
+	unsigned long addr;
 	vm_fault_t err;
 
 	if (unlikely(vmf->flags & FAULT_FLAG_REMOTE))
@@ -53,17 +53,17 @@ static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 	case VDSO_TIME_PAGE_OFFSET:
 		if (!IS_ENABLED(CONFIG_HAVE_GENERIC_VDSO))
 			return VM_FAULT_SIGBUS;
-		pfn = __phys_to_pfn(__pa_symbol(vdso_k_time_data));
+		page = virt_to_page(vdso_k_time_data);
 		if (timens_page) {
 			/*
 			 * Fault in VVAR page too, since it will be accessed
 			 * to get clock data anyway.
 			 */
 			addr = vmf->address + VDSO_TIMENS_PAGE_OFFSET * PAGE_SIZE;
-			err = vmf_insert_pfn(vma, addr, pfn);
+			err = vmf_insert_page(vma, addr, page);
 			if (unlikely(err & VM_FAULT_ERROR))
 				return err;
-			pfn = page_to_pfn(timens_page);
+			page = timens_page;
 		}
 		break;
 	case VDSO_TIMENS_PAGE_OFFSET:
@@ -76,24 +76,25 @@ static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 		 */
 		if (!IS_ENABLED(CONFIG_TIME_NS) || !timens_page)
 			return VM_FAULT_SIGBUS;
-		pfn = __phys_to_pfn(__pa_symbol(vdso_k_time_data));
+		page = virt_to_page(vdso_k_time_data);
 		break;
 	case VDSO_RNG_PAGE_OFFSET:
 		if (!IS_ENABLED(CONFIG_VDSO_GETRANDOM))
 			return VM_FAULT_SIGBUS;
-		pfn = __phys_to_pfn(__pa_symbol(vdso_k_rng_data));
+		page = virt_to_page(vdso_k_rng_data);
 		break;
 	case VDSO_ARCH_PAGES_START ... VDSO_ARCH_PAGES_END:
 		if (!IS_ENABLED(CONFIG_ARCH_HAS_VDSO_ARCH_DATA))
 			return VM_FAULT_SIGBUS;
-		pfn = __phys_to_pfn(__pa_symbol(vdso_k_arch_data)) +
-			vmf->pgoff - VDSO_ARCH_PAGES_START;
+		page = virt_to_page(vdso_k_arch_data) + vmf->pgoff - VDSO_ARCH_PAGES_START;
 		break;
 	default:
 		return VM_FAULT_SIGBUS;
 	}
 
-	return vmf_insert_pfn(vma, vmf->address, pfn);
+	get_page(page);
+	vmf->page = page;
+	return 0;
 }
 
 const struct vm_special_mapping vdso_vvar_mapping = {
@@ -104,8 +105,8 @@ const struct vm_special_mapping vdso_vvar_mapping = {
 struct vm_area_struct *vdso_install_vvar_mapping(struct mm_struct *mm, unsigned long addr)
 {
 	return _install_special_mapping(mm, addr, VDSO_NR_PAGES * PAGE_SIZE,
-					VM_READ | VM_MAYREAD | VM_IO | VM_DONTDUMP |
-					VM_PFNMAP | VM_SEALED_SYSMAP,
+					VM_READ | VM_MAYREAD | VM_DONTDUMP |
+					VM_MIXEDMAP | VM_SEALED_SYSMAP,
 					&vdso_vvar_mapping);
 }
 

-- 
2.51.0

[PATCH v2 3/3] vdso/datastore: Map zero page for unavailable data

[Thomas Weißschuh]

mlockall() stops if a page in a VMA is unmappable. As the datastore VMA can
contain holes, mlockall() does not process all data pages correctly.

Replace the mapping error VM_FAULT_SIGBUS with a mapping of the zero page.
The vDSO will not access these pages in any case and for other userspace
these pages have undefined contents.
This will allow mlockall() to process all pages within the VMA.

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
 lib/vdso/datastore.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/vdso/datastore.c b/lib/vdso/datastore.c
index 00714c0cf0b24b813bf5b28ff8a19e5f246fce45..f9e37195c2af43c7b2c4b02d01be492d84223ecd 100644
--- a/lib/vdso/datastore.c
+++ b/lib/vdso/datastore.c
@@ -40,7 +40,7 @@ struct vdso_arch_data *vdso_k_arch_data = &vdso_arch_data_store.data;
 static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 			     struct vm_area_struct *vma, struct vm_fault *vmf)
 {
-	struct page *page, *timens_page;
+	struct page *page = ZERO_PAGE(0), *timens_page;
 	unsigned long addr;
 	vm_fault_t err;
 
@@ -52,7 +52,7 @@ static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 	switch (vmf->pgoff) {
 	case VDSO_TIME_PAGE_OFFSET:
 		if (!IS_ENABLED(CONFIG_HAVE_GENERIC_VDSO))
-			return VM_FAULT_SIGBUS;
+			break;
 		page = virt_to_page(vdso_k_time_data);
 		if (timens_page) {
 			/*
@@ -75,17 +75,17 @@ static vm_fault_t vvar_fault(const struct vm_special_mapping *sm,
 		 * See also the comment near timens_setup_vdso_data().
 		 */
 		if (!IS_ENABLED(CONFIG_TIME_NS) || !timens_page)
-			return VM_FAULT_SIGBUS;
+			break;
 		page = virt_to_page(vdso_k_time_data);
 		break;
 	case VDSO_RNG_PAGE_OFFSET:
 		if (!IS_ENABLED(CONFIG_VDSO_GETRANDOM))
-			return VM_FAULT_SIGBUS;
+			break;
 		page = virt_to_page(vdso_k_rng_data);
 		break;
 	case VDSO_ARCH_PAGES_START ... VDSO_ARCH_PAGES_END:
 		if (!IS_ENABLED(CONFIG_ARCH_HAS_VDSO_ARCH_DATA))
-			return VM_FAULT_SIGBUS;
+			break;
 		page = virt_to_page(vdso_k_arch_data) + vmf->pgoff - VDSO_ARCH_PAGES_START;
 		break;
 	default:

-- 
2.51.0

Re: [PATCH v2 3/3] vdso/datastore: Map zero page for unavailable data

[kernel test robot]

Hello,

kernel test robot noticed "WARNING:at_include/linux/rmap.h:#__folio_rmap_sanity_checks" on:

commit: a2efb5881ffebbc0d9dda8a9751e1d7867d97407 ("[PATCH v2 3/3] vdso/datastore: Map zero page for unavailable data")
url: https://github.com/intel-lab-lkp/linux/commits/Thomas-Wei-schuh/vdso-datastore-Explicitly-prevent-remote-access-to-timens-vvar-page/20250901-204507
patch link: https://lore.kernel.org/all/20250901-vdso-mlockall-v2-3-68f5a6f03345@linutronix.de/
patch subject: [PATCH v2 3/3] vdso/datastore: Map zero page for unavailable data

in testcase: rcutorture
version: 
with following parameters:

	runtime: 300s
	test: cpuhotplug
	torture_type: trivial



config: x86_64-randconfig-004-20250902
compiler: gcc-11
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+--------------------------------------------------------------------------------------+------------+------------+
|                                                                                      | c6b2010c61 | a2efb5881f |
+--------------------------------------------------------------------------------------+------------+------------+
| boot_successes                                                                       | 10         | 0          |
| WARNING:at_include/linux/rmap.h:#__folio_rmap_sanity_checks                          | 0          | 10         |
| RIP:__folio_rmap_sanity_checks                                                       | 0          | 10         |
| WARNING:at_mm/memory.c:#vm_normal_page                                               | 0          | 10         |
| RIP:vm_normal_page                                                                   | 0          | 10         |
+--------------------------------------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202509041007.5c891a1-lkp@intel.com


[  356.804073][  T816] ------------[ cut here ]------------
[ 356.804496][ T816] WARNING: CPU: 0 PID: 816 at include/linux/rmap.h:414 __folio_rmap_sanity_checks+0xa9/0x2ef 
[  356.805346][  T816] Modules linked in: rcutorture torture mousedev tiny_power_button button drm fuse drm_panel_orientation_quirks firmware_class
[  356.806436][  T816] CPU: 0 UID: 0 PID: 816 Comm: watchdog Not tainted 6.17.0-rc1-00003-ga2efb5881ffe #1 PREEMPT(lazy)
[  356.807235][  T816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 356.808073][ T816] RIP: __folio_rmap_sanity_checks+0xa9/0x2ef 
[ 356.808648][ T816] Code: 75 43 4c 89 e7 48 c7 c6 6c 3e 99 aa e8 26 12 fe ff b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 60 14 2b ab e8 20 78 f6 ff 90 <0f> 0b 90 b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 30 14 2b ab
All code
========
   0:	75 43                	jne    0x45
   2:	4c 89 e7             	mov    %r12,%rdi
   5:	48 c7 c6 6c 3e 99 aa 	mov    $0xffffffffaa993e6c,%rsi
   c:	e8 26 12 fe ff       	call   0xfffffffffffe1237
  11:	b9 01 00 00 00       	mov    $0x1,%ecx
  16:	31 d2                	xor    %edx,%edx
  18:	be 01 00 00 00       	mov    $0x1,%esi
  1d:	48 c7 c7 60 14 2b ab 	mov    $0xffffffffab2b1460,%rdi
  24:	e8 20 78 f6 ff       	call   0xfffffffffff67849
  29:	90                   	nop
  2a:*	0f 0b                	ud2		<-- trapping instruction
  2c:	90                   	nop
  2d:	b9 01 00 00 00       	mov    $0x1,%ecx
  32:	31 d2                	xor    %edx,%edx
  34:	be 01 00 00 00       	mov    $0x1,%esi
  39:	48 c7 c7 30 14 2b ab 	mov    $0xffffffffab2b1430,%rdi

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	90                   	nop
   3:	b9 01 00 00 00       	mov    $0x1,%ecx
   8:	31 d2                	xor    %edx,%edx
   a:	be 01 00 00 00       	mov    $0x1,%esi
   f:	48 c7 c7 30 14 2b ab 	mov    $0xffffffffab2b1430,%rdi
[  356.810186][  T816] RSP: 0000:ffff888134027ac0 EFLAGS: 00010202
[  356.810645][  T816] RAX: 0000000000000047 RBX: 0000000000000001 RCX: 0000000000000001
[  356.811230][  T816] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffab2b1460
[  356.811812][  T816] RBP: ffff888134027af0 R08: 0000000000000000 R09: 0000000098376116
[  356.812426][  T816] R10: ffffffffab039418 R11: 6e776f5f65676170 R12: ffffea0008d4e800
[  356.812956][  T816] R13: ffffea0008d4e800 R14: 00000000002353a0 R15: 0000000000000001
[  356.813474][  T816] FS:  0000000000000000(0000) GS:0000000000000000(0063) knlGS:00000000f7f5d180
[  356.814114][  T816] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  356.814536][  T816] CR2: 00000000f69bf000 CR3: 000000013380e000 CR4: 00000000000406b0
[  356.815051][  T816] Call Trace:
[  356.815271][  T816]  <TASK>
[ 356.815472][ T816] folio_add_file_rmap_ptes (mm/rmap.c:1256 mm/rmap.c:1620 mm/rmap.c:1642) 
[ 356.815828][ T816] set_pte_range (mm/memory.c:5313) 
[ 356.816166][ T816] finish_fault (mm/memory.c:5438) 
[ 356.816458][ T816] ? mmap_read_trylock (include/linux/mmap_lock.h:42 include/linux/mmap_lock.h:473) 
[ 356.816779][ T816] do_read_fault (mm/memory.c:5578) 
[ 356.817083][ T816] do_pte_missing (mm/memory.c:5707 mm/memory.c:4234) 
[ 356.817405][ T816] handle_pte_fault (mm/memory.c:6052) 
[ 356.817800][ T816] __handle_mm_fault (mm/memory.c:6196) 
[ 356.818061][ T816] handle_mm_fault (mm/memory.c:6375) 
[ 356.818306][ T816] faultin_page (mm/gup.c:1146) 
[ 356.818539][ T816] __get_user_pages (mm/gup.c:1448) 
[ 356.818788][ T816] ? __rcu_read_unlock (kernel/rcu/tree_plugin.h:445 (discriminator 3)) 
[ 356.819052][ T816] populate_vma_page_range (mm/gup.c:1880 (discriminator 4)) 
[ 356.819336][ T816] __mm_populate (mm/gup.c:1984) 
[ 356.819571][ T816] __do_sys_mlockall (mm/mlock.c:771) 
[ 356.819824][ T816] __ia32_sys_mlockall (mm/mlock.c:745) 
[ 356.820108][ T816] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-004-20250902/./arch/x86/include/generated/asm/syscalls_32.h:153) 
[ 356.820361][ T816] do_int80_emulation (arch/x86/entry/syscall_32.c:83 arch/x86/entry/syscall_32.c:172) 
[ 356.820799][ T816] asm_int80_emulation (arch/x86/include/asm/idtentry.h:626) 
[  356.821214][  T816] RIP: 0023:0xf7f64579
[ 356.833927][ T816] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 0f 1f 40 00 cd 80 <5d> 5a 59 c3 90 90 90 90 2e 8d b4 26 00 00 00 00 8d b4 26 00 00 00
All code
========
   0:	b8 01 10 06 03       	mov    $0x3061001,%eax
   5:	74 b4                	je     0xffffffffffffffbb
   7:	01 10                	add    %edx,(%rax)
   9:	07                   	(bad)
   a:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   e:	10 08                	adc    %cl,(%rax)
  10:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
	...
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	0f 1f 40 00          	nopl   0x0(%rax)
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	ret
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	2e 8d b4 26 00 00 00 	cs lea 0x0(%rsi,%riz,1),%esi
  39:	00 
  3a:	8d                   	.byte 0x8d
  3b:	b4 26                	mov    $0x26,%ah
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	ret
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	2e 8d b4 26 00 00 00 	cs lea 0x0(%rsi,%riz,1),%esi
   f:	00 
  10:	8d                   	.byte 0x8d
  11:	b4 26                	mov    $0x26,%ah
  13:	00 00                	add    %al,(%rax)
	...
[  356.835490][  T816] RSP: 002b:00000000ff91bdbc EFLAGS: 00000296 ORIG_RAX: 0000000000000098
[  356.836193][  T816] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
[  356.836811][  T816] RDX: 000000005664ddf8 RSI: 0000000000000330 RDI: 000000005664eac4
[  356.837429][  T816] RBP: 00000000ff91c098 R08: 0000000000000000 R09: 0000000000000000
[  356.842378][  T816] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  356.843073][  T816] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  356.843785][  T816]  </TASK>
[  356.844134][  T816] irq event stamp: 4067
[ 356.844505][ T816] hardirqs last enabled at (4075): __up_console_sem (arch/x86/include/asm/irqflags.h:26 (discriminator 3) arch/x86/include/asm/irqflags.h:109 (discriminator 3) arch/x86/include/asm/irqflags.h:151 (discriminator 3) kernel/printk/printk.c:344 (discriminator 3)) 
[ 356.845309][ T816] hardirqs last disabled at (4082): __up_console_sem (kernel/printk/printk.c:342 (discriminator 3)) 
[ 356.846150][ T816] softirqs last enabled at (4064): handle_softirqs (kernel/softirq.c:426 kernel/softirq.c:607) 
[ 356.846879][ T816] softirqs last disabled at (4053): __do_softirq (kernel/softirq.c:614) 
[  356.847568][  T816] ---[ end trace 0000000000000000 ]---
[  OK  ] Started watchdog daemon.
[  OK  ] Reached target Graphical Interface.


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250904/202509041007.5c891a1-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki