1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
5 #include <linux/spinlock.h>
8 #include <linux/memremap.h>
9 #include <linux/pagemap.h>
10 #include <linux/rmap.h>
11 #include <linux/swap.h>
12 #include <linux/swapops.h>
14 #include <linux/sched/signal.h>
15 #include <linux/rwsem.h>
16 #include <linux/hugetlb.h>
17 #include <linux/migrate.h>
18 #include <linux/mm_inline.h>
19 #include <linux/sched/mm.h>
21 #include <asm/mmu_context.h>
22 #include <asm/tlbflush.h>
26 struct follow_page_context {
27 struct dev_pagemap *pgmap;
28 unsigned int page_mask;
31 static void hpage_pincount_add(struct page *page, int refs)
33 VM_BUG_ON_PAGE(!hpage_pincount_available(page), page);
34 VM_BUG_ON_PAGE(page != compound_head(page), page);
36 atomic_add(refs, compound_pincount_ptr(page));
39 static void hpage_pincount_sub(struct page *page, int refs)
41 VM_BUG_ON_PAGE(!hpage_pincount_available(page), page);
42 VM_BUG_ON_PAGE(page != compound_head(page), page);
44 atomic_sub(refs, compound_pincount_ptr(page));
48 * Return the compound head page with ref appropriately incremented,
49 * or NULL if that failed.
51 static inline struct page *try_get_compound_head(struct page *page, int refs)
53 struct page *head = compound_head(page);
55 if (WARN_ON_ONCE(page_ref_count(head) < 0))
57 if (unlikely(!page_cache_add_speculative(head, refs)))
63 * try_grab_compound_head() - attempt to elevate a page's refcount, by a
64 * flags-dependent amount.
66 * "grab" names in this file mean, "look at flags to decide whether to use
67 * FOLL_PIN or FOLL_GET behavior, when incrementing the page's refcount.
69 * Either FOLL_PIN or FOLL_GET (or neither) must be set, but not both at the
70 * same time. (That's true throughout the get_user_pages*() and
71 * pin_user_pages*() APIs.) Cases:
73 * FOLL_GET: page's refcount will be incremented by 1.
74 * FOLL_PIN: page's refcount will be incremented by GUP_PIN_COUNTING_BIAS.
76 * Return: head page (with refcount appropriately incremented) for success, or
77 * NULL upon failure. If neither FOLL_GET nor FOLL_PIN was set, that's
78 * considered failure, and furthermore, a likely bug in the caller, so a warning
81 __maybe_unused struct page *try_grab_compound_head(struct page *page,
82 int refs, unsigned int flags)
85 return try_get_compound_head(page, refs);
86 else if (flags & FOLL_PIN) {
90 * Can't do FOLL_LONGTERM + FOLL_PIN with CMA in the gup fast
91 * path, so fail and let the caller fall back to the slow path.
93 if (unlikely(flags & FOLL_LONGTERM) &&
94 is_migrate_cma_page(page))
98 * When pinning a compound page of order > 1 (which is what
99 * hpage_pincount_available() checks for), use an exact count to
100 * track it, via hpage_pincount_add/_sub().
102 * However, be sure to *also* increment the normal page refcount
103 * field at least once, so that the page really is pinned.
105 if (!hpage_pincount_available(page))
106 refs *= GUP_PIN_COUNTING_BIAS;
108 page = try_get_compound_head(page, refs);
112 if (hpage_pincount_available(page))
113 hpage_pincount_add(page, refs);
115 mod_node_page_state(page_pgdat(page), NR_FOLL_PIN_ACQUIRED,
125 static void put_compound_head(struct page *page, int refs, unsigned int flags)
127 if (flags & FOLL_PIN) {
128 mod_node_page_state(page_pgdat(page), NR_FOLL_PIN_RELEASED,
131 if (hpage_pincount_available(page))
132 hpage_pincount_sub(page, refs);
134 refs *= GUP_PIN_COUNTING_BIAS;
137 VM_BUG_ON_PAGE(page_ref_count(page) < refs, page);
139 * Calling put_page() for each ref is unnecessarily slow. Only the last
140 * ref needs a put_page().
143 page_ref_sub(page, refs - 1);
148 * try_grab_page() - elevate a page's refcount by a flag-dependent amount
150 * This might not do anything at all, depending on the flags argument.
152 * "grab" names in this file mean, "look at flags to decide whether to use
153 * FOLL_PIN or FOLL_GET behavior, when incrementing the page's refcount.
155 * @page: pointer to page to be grabbed
156 * @flags: gup flags: these are the FOLL_* flag values.
158 * Either FOLL_PIN or FOLL_GET (or neither) may be set, but not both at the same
161 * FOLL_GET: page's refcount will be incremented by 1.
162 * FOLL_PIN: page's refcount will be incremented by GUP_PIN_COUNTING_BIAS.
164 * Return: true for success, or if no action was required (if neither FOLL_PIN
165 * nor FOLL_GET was set, nothing is done). False for failure: FOLL_GET or
166 * FOLL_PIN was set, but the page could not be grabbed.
168 bool __must_check try_grab_page(struct page *page, unsigned int flags)
170 WARN_ON_ONCE((flags & (FOLL_GET | FOLL_PIN)) == (FOLL_GET | FOLL_PIN));
172 if (flags & FOLL_GET)
173 return try_get_page(page);
174 else if (flags & FOLL_PIN) {
177 page = compound_head(page);
179 if (WARN_ON_ONCE(page_ref_count(page) <= 0))
182 if (hpage_pincount_available(page))
183 hpage_pincount_add(page, 1);
185 refs = GUP_PIN_COUNTING_BIAS;
188 * Similar to try_grab_compound_head(): even if using the
189 * hpage_pincount_add/_sub() routines, be sure to
190 * *also* increment the normal page refcount field at least
191 * once, so that the page really is pinned.
193 page_ref_add(page, refs);
195 mod_node_page_state(page_pgdat(page), NR_FOLL_PIN_ACQUIRED, 1);
202 * unpin_user_page() - release a dma-pinned page
203 * @page: pointer to page to be released
205 * Pages that were pinned via pin_user_pages*() must be released via either
206 * unpin_user_page(), or one of the unpin_user_pages*() routines. This is so
207 * that such pages can be separately tracked and uniquely handled. In
208 * particular, interactions with RDMA and filesystems need special handling.
210 void unpin_user_page(struct page *page)
212 put_compound_head(compound_head(page), 1, FOLL_PIN);
214 EXPORT_SYMBOL(unpin_user_page);
216 static inline void compound_range_next(unsigned long i, unsigned long npages,
217 struct page **list, struct page **head,
218 unsigned int *ntails)
220 struct page *next, *page;
227 page = compound_head(next);
228 if (PageCompound(page) && compound_order(page) >= 1)
229 nr = min_t(unsigned int,
230 page + compound_nr(page) - next, npages - i);
236 #define for_each_compound_range(__i, __list, __npages, __head, __ntails) \
238 compound_range_next(__i, __npages, __list, &(__head), &(__ntails)); \
239 __i < __npages; __i += __ntails, \
240 compound_range_next(__i, __npages, __list, &(__head), &(__ntails)))
242 static inline void compound_next(unsigned long i, unsigned long npages,
243 struct page **list, struct page **head,
244 unsigned int *ntails)
252 page = compound_head(list[i]);
253 for (nr = i + 1; nr < npages; nr++) {
254 if (compound_head(list[nr]) != page)
262 #define for_each_compound_head(__i, __list, __npages, __head, __ntails) \
264 compound_next(__i, __npages, __list, &(__head), &(__ntails)); \
265 __i < __npages; __i += __ntails, \
266 compound_next(__i, __npages, __list, &(__head), &(__ntails)))
269 * unpin_user_pages_dirty_lock() - release and optionally dirty gup-pinned pages
270 * @pages: array of pages to be maybe marked dirty, and definitely released.
271 * @npages: number of pages in the @pages array.
272 * @make_dirty: whether to mark the pages dirty
274 * "gup-pinned page" refers to a page that has had one of the get_user_pages()
275 * variants called on that page.
277 * For each page in the @pages array, make that page (or its head page, if a
278 * compound page) dirty, if @make_dirty is true, and if the page was previously
279 * listed as clean. In any case, releases all pages using unpin_user_page(),
280 * possibly via unpin_user_pages(), for the non-dirty case.
282 * Please see the unpin_user_page() documentation for details.
284 * set_page_dirty_lock() is used internally. If instead, set_page_dirty() is
285 * required, then the caller should a) verify that this is really correct,
286 * because _lock() is usually required, and b) hand code it:
287 * set_page_dirty_lock(), unpin_user_page().
290 void unpin_user_pages_dirty_lock(struct page **pages, unsigned long npages,
298 unpin_user_pages(pages, npages);
302 for_each_compound_head(index, pages, npages, head, ntails) {
304 * Checking PageDirty at this point may race with
305 * clear_page_dirty_for_io(), but that's OK. Two key
308 * 1) This code sees the page as already dirty, so it
309 * skips the call to set_page_dirty(). That could happen
310 * because clear_page_dirty_for_io() called
311 * page_mkclean(), followed by set_page_dirty().
312 * However, now the page is going to get written back,
313 * which meets the original intention of setting it
314 * dirty, so all is well: clear_page_dirty_for_io() goes
315 * on to call TestClearPageDirty(), and write the page
318 * 2) This code sees the page as clean, so it calls
319 * set_page_dirty(). The page stays dirty, despite being
320 * written back, so it gets written back again in the
321 * next writeback cycle. This is harmless.
323 if (!PageDirty(head))
324 set_page_dirty_lock(head);
325 put_compound_head(head, ntails, FOLL_PIN);
328 EXPORT_SYMBOL(unpin_user_pages_dirty_lock);
331 * unpin_user_page_range_dirty_lock() - release and optionally dirty
332 * gup-pinned page range
334 * @page: the starting page of a range maybe marked dirty, and definitely released.
335 * @npages: number of consecutive pages to release.
336 * @make_dirty: whether to mark the pages dirty
338 * "gup-pinned page range" refers to a range of pages that has had one of the
339 * pin_user_pages() variants called on that page.
341 * For the page ranges defined by [page .. page+npages], make that range (or
342 * its head pages, if a compound page) dirty, if @make_dirty is true, and if the
343 * page range was previously listed as clean.
345 * set_page_dirty_lock() is used internally. If instead, set_page_dirty() is
346 * required, then the caller should a) verify that this is really correct,
347 * because _lock() is usually required, and b) hand code it:
348 * set_page_dirty_lock(), unpin_user_page().
351 void unpin_user_page_range_dirty_lock(struct page *page, unsigned long npages,
358 for_each_compound_range(index, &page, npages, head, ntails) {
359 if (make_dirty && !PageDirty(head))
360 set_page_dirty_lock(head);
361 put_compound_head(head, ntails, FOLL_PIN);
364 EXPORT_SYMBOL(unpin_user_page_range_dirty_lock);
367 * unpin_user_pages() - release an array of gup-pinned pages.
368 * @pages: array of pages to be marked dirty and released.
369 * @npages: number of pages in the @pages array.
371 * For each page in the @pages array, release the page using unpin_user_page().
373 * Please see the unpin_user_page() documentation for details.
375 void unpin_user_pages(struct page **pages, unsigned long npages)
382 * If this WARN_ON() fires, then the system *might* be leaking pages (by
383 * leaving them pinned), but probably not. More likely, gup/pup returned
384 * a hard -ERRNO error to the caller, who erroneously passed it here.
386 if (WARN_ON(IS_ERR_VALUE(npages)))
389 for_each_compound_head(index, pages, npages, head, ntails)
390 put_compound_head(head, ntails, FOLL_PIN);
392 EXPORT_SYMBOL(unpin_user_pages);
395 static struct page *no_page_table(struct vm_area_struct *vma,
399 * When core dumping an enormous anonymous area that nobody
400 * has touched so far, we don't want to allocate unnecessary pages or
401 * page tables. Return error instead of NULL to skip handle_mm_fault,
402 * then get_dump_page() will return NULL to leave a hole in the dump.
403 * But we can only make this optimization where a hole would surely
404 * be zero-filled if handle_mm_fault() actually did handle it.
406 if ((flags & FOLL_DUMP) &&
407 (vma_is_anonymous(vma) || !vma->vm_ops->fault))
408 return ERR_PTR(-EFAULT);
412 static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
413 pte_t *pte, unsigned int flags)
415 /* No page to get reference */
416 if (flags & FOLL_GET)
419 if (flags & FOLL_TOUCH) {
422 if (flags & FOLL_WRITE)
423 entry = pte_mkdirty(entry);
424 entry = pte_mkyoung(entry);
426 if (!pte_same(*pte, entry)) {
427 set_pte_at(vma->vm_mm, address, pte, entry);
428 update_mmu_cache(vma, address, pte);
432 /* Proper page table entry exists, but no corresponding struct page */
437 * FOLL_FORCE can write to even unwritable pte's, but only
438 * after we've gone through a COW cycle and they are dirty.
440 static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
442 return pte_write(pte) ||
443 ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
446 static struct page *follow_page_pte(struct vm_area_struct *vma,
447 unsigned long address, pmd_t *pmd, unsigned int flags,
448 struct dev_pagemap **pgmap)
450 struct mm_struct *mm = vma->vm_mm;
456 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
457 if (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==
458 (FOLL_PIN | FOLL_GET)))
459 return ERR_PTR(-EINVAL);
461 if (unlikely(pmd_bad(*pmd)))
462 return no_page_table(vma, flags);
464 ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
466 if (!pte_present(pte)) {
469 * KSM's break_ksm() relies upon recognizing a ksm page
470 * even while it is being migrated, so for that case we
471 * need migration_entry_wait().
473 if (likely(!(flags & FOLL_MIGRATION)))
477 entry = pte_to_swp_entry(pte);
478 if (!is_migration_entry(entry))
480 pte_unmap_unlock(ptep, ptl);
481 migration_entry_wait(mm, pmd, address);
484 if ((flags & FOLL_NUMA) && pte_protnone(pte))
486 if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
487 pte_unmap_unlock(ptep, ptl);
491 page = vm_normal_page(vma, address, pte);
492 if (!page && pte_devmap(pte) && (flags & (FOLL_GET | FOLL_PIN))) {
494 * Only return device mapping pages in the FOLL_GET or FOLL_PIN
495 * case since they are only valid while holding the pgmap
498 *pgmap = get_dev_pagemap(pte_pfn(pte), *pgmap);
500 page = pte_page(pte);
503 } else if (unlikely(!page)) {
504 if (flags & FOLL_DUMP) {
505 /* Avoid special (like zero) pages in core dumps */
506 page = ERR_PTR(-EFAULT);
510 if (is_zero_pfn(pte_pfn(pte))) {
511 page = pte_page(pte);
513 ret = follow_pfn_pte(vma, address, ptep, flags);
519 /* try_grab_page() does nothing unless FOLL_GET or FOLL_PIN is set. */
520 if (unlikely(!try_grab_page(page, flags))) {
521 page = ERR_PTR(-ENOMEM);
525 * We need to make the page accessible if and only if we are going
526 * to access its content (the FOLL_PIN case). Please see
527 * Documentation/core-api/pin_user_pages.rst for details.
529 if (flags & FOLL_PIN) {
530 ret = arch_make_page_accessible(page);
532 unpin_user_page(page);
537 if (flags & FOLL_TOUCH) {
538 if ((flags & FOLL_WRITE) &&
539 !pte_dirty(pte) && !PageDirty(page))
540 set_page_dirty(page);
542 * pte_mkyoung() would be more correct here, but atomic care
543 * is needed to avoid losing the dirty bit: it is easier to use
544 * mark_page_accessed().
546 mark_page_accessed(page);
548 if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
549 /* Do not mlock pte-mapped THP */
550 if (PageTransCompound(page))
554 * The preliminary mapping check is mainly to avoid the
555 * pointless overhead of lock_page on the ZERO_PAGE
556 * which might bounce very badly if there is contention.
558 * If the page is already locked, we don't need to
559 * handle it now - vmscan will handle it later if and
560 * when it attempts to reclaim the page.
562 if (page->mapping && trylock_page(page)) {
563 lru_add_drain(); /* push cached pages to LRU */
565 * Because we lock page here, and migration is
566 * blocked by the pte's page reference, and we
567 * know the page is still mapped, we don't even
568 * need to check for file-cache page truncation.
570 mlock_vma_page(page);
575 pte_unmap_unlock(ptep, ptl);
578 pte_unmap_unlock(ptep, ptl);
581 return no_page_table(vma, flags);
584 static struct page *follow_pmd_mask(struct vm_area_struct *vma,
585 unsigned long address, pud_t *pudp,
587 struct follow_page_context *ctx)
592 struct mm_struct *mm = vma->vm_mm;
594 pmd = pmd_offset(pudp, address);
596 * The READ_ONCE() will stabilize the pmdval in a register or
597 * on the stack so that it will stop changing under the code.
599 pmdval = READ_ONCE(*pmd);
600 if (pmd_none(pmdval))
601 return no_page_table(vma, flags);
602 if (pmd_huge(pmdval) && is_vm_hugetlb_page(vma)) {
603 page = follow_huge_pmd(mm, address, pmd, flags);
606 return no_page_table(vma, flags);
608 if (is_hugepd(__hugepd(pmd_val(pmdval)))) {
609 page = follow_huge_pd(vma, address,
610 __hugepd(pmd_val(pmdval)), flags,
614 return no_page_table(vma, flags);
617 if (!pmd_present(pmdval)) {
618 if (likely(!(flags & FOLL_MIGRATION)))
619 return no_page_table(vma, flags);
620 VM_BUG_ON(thp_migration_supported() &&
621 !is_pmd_migration_entry(pmdval));
622 if (is_pmd_migration_entry(pmdval))
623 pmd_migration_entry_wait(mm, pmd);
624 pmdval = READ_ONCE(*pmd);
626 * MADV_DONTNEED may convert the pmd to null because
627 * mmap_lock is held in read mode
629 if (pmd_none(pmdval))
630 return no_page_table(vma, flags);
633 if (pmd_devmap(pmdval)) {
634 ptl = pmd_lock(mm, pmd);
635 page = follow_devmap_pmd(vma, address, pmd, flags, &ctx->pgmap);
640 if (likely(!pmd_trans_huge(pmdval)))
641 return follow_page_pte(vma, address, pmd, flags, &ctx->pgmap);
643 if ((flags & FOLL_NUMA) && pmd_protnone(pmdval))
644 return no_page_table(vma, flags);
647 ptl = pmd_lock(mm, pmd);
648 if (unlikely(pmd_none(*pmd))) {
650 return no_page_table(vma, flags);
652 if (unlikely(!pmd_present(*pmd))) {
654 if (likely(!(flags & FOLL_MIGRATION)))
655 return no_page_table(vma, flags);
656 pmd_migration_entry_wait(mm, pmd);
659 if (unlikely(!pmd_trans_huge(*pmd))) {
661 return follow_page_pte(vma, address, pmd, flags, &ctx->pgmap);
663 if (flags & FOLL_SPLIT_PMD) {
665 page = pmd_page(*pmd);
666 if (is_huge_zero_page(page)) {
669 split_huge_pmd(vma, pmd, address);
670 if (pmd_trans_unstable(pmd))
674 split_huge_pmd(vma, pmd, address);
675 ret = pte_alloc(mm, pmd) ? -ENOMEM : 0;
678 return ret ? ERR_PTR(ret) :
679 follow_page_pte(vma, address, pmd, flags, &ctx->pgmap);
681 page = follow_trans_huge_pmd(vma, address, pmd, flags);
683 ctx->page_mask = HPAGE_PMD_NR - 1;
687 static struct page *follow_pud_mask(struct vm_area_struct *vma,
688 unsigned long address, p4d_t *p4dp,
690 struct follow_page_context *ctx)
695 struct mm_struct *mm = vma->vm_mm;
697 pud = pud_offset(p4dp, address);
699 return no_page_table(vma, flags);
700 if (pud_huge(*pud) && is_vm_hugetlb_page(vma)) {
701 page = follow_huge_pud(mm, address, pud, flags);
704 return no_page_table(vma, flags);
706 if (is_hugepd(__hugepd(pud_val(*pud)))) {
707 page = follow_huge_pd(vma, address,
708 __hugepd(pud_val(*pud)), flags,
712 return no_page_table(vma, flags);
714 if (pud_devmap(*pud)) {
715 ptl = pud_lock(mm, pud);
716 page = follow_devmap_pud(vma, address, pud, flags, &ctx->pgmap);
721 if (unlikely(pud_bad(*pud)))
722 return no_page_table(vma, flags);
724 return follow_pmd_mask(vma, address, pud, flags, ctx);
727 static struct page *follow_p4d_mask(struct vm_area_struct *vma,
728 unsigned long address, pgd_t *pgdp,
730 struct follow_page_context *ctx)
735 p4d = p4d_offset(pgdp, address);
737 return no_page_table(vma, flags);
738 BUILD_BUG_ON(p4d_huge(*p4d));
739 if (unlikely(p4d_bad(*p4d)))
740 return no_page_table(vma, flags);
742 if (is_hugepd(__hugepd(p4d_val(*p4d)))) {
743 page = follow_huge_pd(vma, address,
744 __hugepd(p4d_val(*p4d)), flags,
748 return no_page_table(vma, flags);
750 return follow_pud_mask(vma, address, p4d, flags, ctx);
754 * follow_page_mask - look up a page descriptor from a user-virtual address
755 * @vma: vm_area_struct mapping @address
756 * @address: virtual address to look up
757 * @flags: flags modifying lookup behaviour
758 * @ctx: contains dev_pagemap for %ZONE_DEVICE memory pinning and a
759 * pointer to output page_mask
761 * @flags can have FOLL_ flags set, defined in <linux/mm.h>
763 * When getting pages from ZONE_DEVICE memory, the @ctx->pgmap caches
764 * the device's dev_pagemap metadata to avoid repeating expensive lookups.
766 * On output, the @ctx->page_mask is set according to the size of the page.
768 * Return: the mapped (struct page *), %NULL if no mapping exists, or
769 * an error pointer if there is a mapping to something not represented
770 * by a page descriptor (see also vm_normal_page()).
772 static struct page *follow_page_mask(struct vm_area_struct *vma,
773 unsigned long address, unsigned int flags,
774 struct follow_page_context *ctx)
778 struct mm_struct *mm = vma->vm_mm;
782 /* make this handle hugepd */
783 page = follow_huge_addr(mm, address, flags & FOLL_WRITE);
785 WARN_ON_ONCE(flags & (FOLL_GET | FOLL_PIN));
789 pgd = pgd_offset(mm, address);
791 if (pgd_none(*pgd) || unlikely(pgd_bad(*pgd)))
792 return no_page_table(vma, flags);
794 if (pgd_huge(*pgd)) {
795 page = follow_huge_pgd(mm, address, pgd, flags);
798 return no_page_table(vma, flags);
800 if (is_hugepd(__hugepd(pgd_val(*pgd)))) {
801 page = follow_huge_pd(vma, address,
802 __hugepd(pgd_val(*pgd)), flags,
806 return no_page_table(vma, flags);
809 return follow_p4d_mask(vma, address, pgd, flags, ctx);
812 struct page *follow_page(struct vm_area_struct *vma, unsigned long address,
813 unsigned int foll_flags)
815 struct follow_page_context ctx = { NULL };
818 page = follow_page_mask(vma, address, foll_flags, &ctx);
820 put_dev_pagemap(ctx.pgmap);
824 static int get_gate_page(struct mm_struct *mm, unsigned long address,
825 unsigned int gup_flags, struct vm_area_struct **vma,
835 /* user gate pages are read-only */
836 if (gup_flags & FOLL_WRITE)
838 if (address > TASK_SIZE)
839 pgd = pgd_offset_k(address);
841 pgd = pgd_offset_gate(mm, address);
844 p4d = p4d_offset(pgd, address);
847 pud = pud_offset(p4d, address);
850 pmd = pmd_offset(pud, address);
851 if (!pmd_present(*pmd))
853 VM_BUG_ON(pmd_trans_huge(*pmd));
854 pte = pte_offset_map(pmd, address);
857 *vma = get_gate_vma(mm);
860 *page = vm_normal_page(*vma, address, *pte);
862 if ((gup_flags & FOLL_DUMP) || !is_zero_pfn(pte_pfn(*pte)))
864 *page = pte_page(*pte);
866 if (unlikely(!try_grab_page(*page, gup_flags))) {
878 * mmap_lock must be held on entry. If @locked != NULL and *@flags
879 * does not include FOLL_NOWAIT, the mmap_lock may be released. If it
880 * is, *@locked will be set to 0 and -EBUSY returned.
882 static int faultin_page(struct vm_area_struct *vma,
883 unsigned long address, unsigned int *flags, int *locked)
885 unsigned int fault_flags = 0;
888 /* mlock all present pages, but do not fault in new pages */
889 if ((*flags & (FOLL_POPULATE | FOLL_MLOCK)) == FOLL_MLOCK)
891 if (*flags & FOLL_WRITE)
892 fault_flags |= FAULT_FLAG_WRITE;
893 if (*flags & FOLL_REMOTE)
894 fault_flags |= FAULT_FLAG_REMOTE;
896 fault_flags |= FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
897 if (*flags & FOLL_NOWAIT)
898 fault_flags |= FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT;
899 if (*flags & FOLL_TRIED) {
901 * Note: FAULT_FLAG_ALLOW_RETRY and FAULT_FLAG_TRIED
904 fault_flags |= FAULT_FLAG_TRIED;
907 ret = handle_mm_fault(vma, address, fault_flags, NULL);
908 if (ret & VM_FAULT_ERROR) {
909 int err = vm_fault_to_errno(ret, *flags);
916 if (ret & VM_FAULT_RETRY) {
917 if (locked && !(fault_flags & FAULT_FLAG_RETRY_NOWAIT))
923 * The VM_FAULT_WRITE bit tells us that do_wp_page has broken COW when
924 * necessary, even if maybe_mkwrite decided not to set pte_write. We
925 * can thus safely do subsequent page lookups as if they were reads.
926 * But only do so when looping for pte_write is futile: in some cases
927 * userspace may also be wanting to write to the gotten user page,
928 * which a read fault here might prevent (a readonly page might get
929 * reCOWed by userspace write).
931 if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
936 static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
938 vm_flags_t vm_flags = vma->vm_flags;
939 int write = (gup_flags & FOLL_WRITE);
940 int foreign = (gup_flags & FOLL_REMOTE);
942 if (vm_flags & (VM_IO | VM_PFNMAP))
945 if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
948 if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma))
952 if (!(vm_flags & VM_WRITE)) {
953 if (!(gup_flags & FOLL_FORCE))
956 * We used to let the write,force case do COW in a
957 * VM_MAYWRITE VM_SHARED !VM_WRITE vma, so ptrace could
958 * set a breakpoint in a read-only mapping of an
959 * executable, without corrupting the file (yet only
960 * when that file had been opened for writing!).
961 * Anon pages in shared mappings are surprising: now
964 if (!is_cow_mapping(vm_flags))
967 } else if (!(vm_flags & VM_READ)) {
968 if (!(gup_flags & FOLL_FORCE))
971 * Is there actually any vma we can reach here which does not
972 * have VM_MAYREAD set?
974 if (!(vm_flags & VM_MAYREAD))
978 * gups are always data accesses, not instruction
979 * fetches, so execute=false here
981 if (!arch_vma_access_permitted(vma, write, false, foreign))
987 * __get_user_pages() - pin user pages in memory
988 * @mm: mm_struct of target mm
989 * @start: starting user address
990 * @nr_pages: number of pages from start to pin
991 * @gup_flags: flags modifying pin behaviour
992 * @pages: array that receives pointers to the pages pinned.
993 * Should be at least nr_pages long. Or NULL, if caller
994 * only intends to ensure the pages are faulted in.
995 * @vmas: array of pointers to vmas corresponding to each page.
996 * Or NULL if the caller does not require them.
997 * @locked: whether we're still with the mmap_lock held
999 * Returns either number of pages pinned (which may be less than the
1000 * number requested), or an error. Details about the return value:
1002 * -- If nr_pages is 0, returns 0.
1003 * -- If nr_pages is >0, but no pages were pinned, returns -errno.
1004 * -- If nr_pages is >0, and some pages were pinned, returns the number of
1005 * pages pinned. Again, this may be less than nr_pages.
1006 * -- 0 return value is possible when the fault would need to be retried.
1008 * The caller is responsible for releasing returned @pages, via put_page().
1010 * @vmas are valid only as long as mmap_lock is held.
1012 * Must be called with mmap_lock held. It may be released. See below.
1014 * __get_user_pages walks a process's page tables and takes a reference to
1015 * each struct page that each user address corresponds to at a given
1016 * instant. That is, it takes the page that would be accessed if a user
1017 * thread accesses the given user virtual address at that instant.
1019 * This does not guarantee that the page exists in the user mappings when
1020 * __get_user_pages returns, and there may even be a completely different
1021 * page there in some cases (eg. if mmapped pagecache has been invalidated
1022 * and subsequently re faulted). However it does guarantee that the page
1023 * won't be freed completely. And mostly callers simply care that the page
1024 * contains data that was valid *at some point in time*. Typically, an IO
1025 * or similar operation cannot guarantee anything stronger anyway because
1026 * locks can't be held over the syscall boundary.
1028 * If @gup_flags & FOLL_WRITE == 0, the page must not be written to. If
1029 * the page is written to, set_page_dirty (or set_page_dirty_lock, as
1030 * appropriate) must be called after the page is finished with, and
1031 * before put_page is called.
1033 * If @locked != NULL, *@locked will be set to 0 when mmap_lock is
1034 * released by an up_read(). That can happen if @gup_flags does not
1037 * A caller using such a combination of @locked and @gup_flags
1038 * must therefore hold the mmap_lock for reading only, and recognize
1039 * when it's been released. Otherwise, it must be held for either
1040 * reading or writing and will not be released.
1042 * In most cases, get_user_pages or get_user_pages_fast should be used
1043 * instead of __get_user_pages. __get_user_pages should be used only if
1044 * you need some special @gup_flags.
1046 static long __get_user_pages(struct mm_struct *mm,
1047 unsigned long start, unsigned long nr_pages,
1048 unsigned int gup_flags, struct page **pages,
1049 struct vm_area_struct **vmas, int *locked)
1051 long ret = 0, i = 0;
1052 struct vm_area_struct *vma = NULL;
1053 struct follow_page_context ctx = { NULL };
1058 start = untagged_addr(start);
1060 VM_BUG_ON(!!pages != !!(gup_flags & (FOLL_GET | FOLL_PIN)));
1063 * If FOLL_FORCE is set then do not force a full fault as the hinting
1064 * fault information is unrelated to the reference behaviour of a task
1065 * using the address space
1067 if (!(gup_flags & FOLL_FORCE))
1068 gup_flags |= FOLL_NUMA;
1072 unsigned int foll_flags = gup_flags;
1073 unsigned int page_increm;
1075 /* first iteration or cross vma bound */
1076 if (!vma || start >= vma->vm_end) {
1077 vma = find_extend_vma(mm, start);
1078 if (!vma && in_gate_area(mm, start)) {
1079 ret = get_gate_page(mm, start & PAGE_MASK,
1081 pages ? &pages[i] : NULL);
1092 ret = check_vma_flags(vma, gup_flags);
1096 if (is_vm_hugetlb_page(vma)) {
1097 i = follow_hugetlb_page(mm, vma, pages, vmas,
1098 &start, &nr_pages, i,
1100 if (locked && *locked == 0) {
1102 * We've got a VM_FAULT_RETRY
1103 * and we've lost mmap_lock.
1104 * We must stop here.
1106 BUG_ON(gup_flags & FOLL_NOWAIT);
1115 * If we have a pending SIGKILL, don't keep faulting pages and
1116 * potentially allocating memory.
1118 if (fatal_signal_pending(current)) {
1124 page = follow_page_mask(vma, start, foll_flags, &ctx);
1126 ret = faultin_page(vma, start, &foll_flags, locked);
1141 } else if (PTR_ERR(page) == -EEXIST) {
1143 * Proper page table entry exists, but no corresponding
1147 } else if (IS_ERR(page)) {
1148 ret = PTR_ERR(page);
1153 flush_anon_page(vma, page, start);
1154 flush_dcache_page(page);
1162 page_increm = 1 + (~(start >> PAGE_SHIFT) & ctx.page_mask);
1163 if (page_increm > nr_pages)
1164 page_increm = nr_pages;
1166 start += page_increm * PAGE_SIZE;
1167 nr_pages -= page_increm;
1171 put_dev_pagemap(ctx.pgmap);
1175 static bool vma_permits_fault(struct vm_area_struct *vma,
1176 unsigned int fault_flags)
1178 bool write = !!(fault_flags & FAULT_FLAG_WRITE);
1179 bool foreign = !!(fault_flags & FAULT_FLAG_REMOTE);
1180 vm_flags_t vm_flags = write ? VM_WRITE : VM_READ;
1182 if (!(vm_flags & vma->vm_flags))
1186 * The architecture might have a hardware protection
1187 * mechanism other than read/write that can deny access.
1189 * gup always represents data access, not instruction
1190 * fetches, so execute=false here:
1192 if (!arch_vma_access_permitted(vma, write, false, foreign))
1199 * fixup_user_fault() - manually resolve a user page fault
1200 * @mm: mm_struct of target mm
1201 * @address: user address
1202 * @fault_flags:flags to pass down to handle_mm_fault()
1203 * @unlocked: did we unlock the mmap_lock while retrying, maybe NULL if caller
1204 * does not allow retry. If NULL, the caller must guarantee
1205 * that fault_flags does not contain FAULT_FLAG_ALLOW_RETRY.
1207 * This is meant to be called in the specific scenario where for locking reasons
1208 * we try to access user memory in atomic context (within a pagefault_disable()
1209 * section), this returns -EFAULT, and we want to resolve the user fault before
1212 * Typically this is meant to be used by the futex code.
1214 * The main difference with get_user_pages() is that this function will
1215 * unconditionally call handle_mm_fault() which will in turn perform all the
1216 * necessary SW fixup of the dirty and young bits in the PTE, while
1217 * get_user_pages() only guarantees to update these in the struct page.
1219 * This is important for some architectures where those bits also gate the
1220 * access permission to the page because they are maintained in software. On
1221 * such architectures, gup() will not be enough to make a subsequent access
1224 * This function will not return with an unlocked mmap_lock. So it has not the
1225 * same semantics wrt the @mm->mmap_lock as does filemap_fault().
1227 int fixup_user_fault(struct mm_struct *mm,
1228 unsigned long address, unsigned int fault_flags,
1231 struct vm_area_struct *vma;
1232 vm_fault_t ret, major = 0;
1234 address = untagged_addr(address);
1237 fault_flags |= FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
1240 vma = find_extend_vma(mm, address);
1241 if (!vma || address < vma->vm_start)
1244 if (!vma_permits_fault(vma, fault_flags))
1247 if ((fault_flags & FAULT_FLAG_KILLABLE) &&
1248 fatal_signal_pending(current))
1251 ret = handle_mm_fault(vma, address, fault_flags, NULL);
1252 major |= ret & VM_FAULT_MAJOR;
1253 if (ret & VM_FAULT_ERROR) {
1254 int err = vm_fault_to_errno(ret, 0);
1261 if (ret & VM_FAULT_RETRY) {
1264 fault_flags |= FAULT_FLAG_TRIED;
1270 EXPORT_SYMBOL_GPL(fixup_user_fault);
1273 * Please note that this function, unlike __get_user_pages will not
1274 * return 0 for nr_pages > 0 without FOLL_NOWAIT
1276 static __always_inline long __get_user_pages_locked(struct mm_struct *mm,
1277 unsigned long start,
1278 unsigned long nr_pages,
1279 struct page **pages,
1280 struct vm_area_struct **vmas,
1284 long ret, pages_done;
1288 /* if VM_FAULT_RETRY can be returned, vmas become invalid */
1290 /* check caller initialized locked */
1291 BUG_ON(*locked != 1);
1294 if (flags & FOLL_PIN)
1295 atomic_set(&mm->has_pinned, 1);
1298 * FOLL_PIN and FOLL_GET are mutually exclusive. Traditional behavior
1299 * is to set FOLL_GET if the caller wants pages[] filled in (but has
1300 * carelessly failed to specify FOLL_GET), so keep doing that, but only
1301 * for FOLL_GET, not for the newer FOLL_PIN.
1303 * FOLL_PIN always expects pages to be non-null, but no need to assert
1304 * that here, as any failures will be obvious enough.
1306 if (pages && !(flags & FOLL_PIN))
1310 lock_dropped = false;
1312 ret = __get_user_pages(mm, start, nr_pages, flags, pages,
1315 /* VM_FAULT_RETRY couldn't trigger, bypass */
1318 /* VM_FAULT_RETRY cannot return errors */
1321 BUG_ON(ret >= nr_pages);
1332 * VM_FAULT_RETRY didn't trigger or it was a
1340 * VM_FAULT_RETRY triggered, so seek to the faulting offset.
1341 * For the prefault case (!pages) we only update counts.
1345 start += ret << PAGE_SHIFT;
1346 lock_dropped = true;
1350 * Repeat on the address that fired VM_FAULT_RETRY
1351 * with both FAULT_FLAG_ALLOW_RETRY and
1352 * FAULT_FLAG_TRIED. Note that GUP can be interrupted
1353 * by fatal signals, so we need to check it before we
1354 * start trying again otherwise it can loop forever.
1357 if (fatal_signal_pending(current)) {
1359 pages_done = -EINTR;
1363 ret = mmap_read_lock_killable(mm);
1372 ret = __get_user_pages(mm, start, 1, flags | FOLL_TRIED,
1373 pages, NULL, locked);
1375 /* Continue to retry until we succeeded */
1393 if (lock_dropped && *locked) {
1395 * We must let the caller know we temporarily dropped the lock
1396 * and so the critical section protected by it was lost.
1398 mmap_read_unlock(mm);
1405 * populate_vma_page_range() - populate a range of pages in the vma.
1407 * @start: start address
1409 * @locked: whether the mmap_lock is still held
1411 * This takes care of mlocking the pages too if VM_LOCKED is set.
1413 * Return either number of pages pinned in the vma, or a negative error
1416 * vma->vm_mm->mmap_lock must be held.
1418 * If @locked is NULL, it may be held for read or write and will
1421 * If @locked is non-NULL, it must held for read only and may be
1422 * released. If it's released, *@locked will be set to 0.
1424 long populate_vma_page_range(struct vm_area_struct *vma,
1425 unsigned long start, unsigned long end, int *locked)
1427 struct mm_struct *mm = vma->vm_mm;
1428 unsigned long nr_pages = (end - start) / PAGE_SIZE;
1431 VM_BUG_ON(start & ~PAGE_MASK);
1432 VM_BUG_ON(end & ~PAGE_MASK);
1433 VM_BUG_ON_VMA(start < vma->vm_start, vma);
1434 VM_BUG_ON_VMA(end > vma->vm_end, vma);
1435 mmap_assert_locked(mm);
1437 gup_flags = FOLL_TOUCH | FOLL_POPULATE | FOLL_MLOCK;
1438 if (vma->vm_flags & VM_LOCKONFAULT)
1439 gup_flags &= ~FOLL_POPULATE;
1441 * We want to touch writable mappings with a write fault in order
1442 * to break COW, except for shared mappings because these don't COW
1443 * and we would not want to dirty them for nothing.
1445 if ((vma->vm_flags & (VM_WRITE | VM_SHARED)) == VM_WRITE)
1446 gup_flags |= FOLL_WRITE;
1449 * We want mlock to succeed for regions that have any permissions
1450 * other than PROT_NONE.
1452 if (vma_is_accessible(vma))
1453 gup_flags |= FOLL_FORCE;
1456 * We made sure addr is within a VMA, so the following will
1457 * not result in a stack expansion that recurses back here.
1459 return __get_user_pages(mm, start, nr_pages, gup_flags,
1460 NULL, NULL, locked);
1464 * __mm_populate - populate and/or mlock pages within a range of address space.
1466 * This is used to implement mlock() and the MAP_POPULATE / MAP_LOCKED mmap
1467 * flags. VMAs must be already marked with the desired vm_flags, and
1468 * mmap_lock must not be held.
1470 int __mm_populate(unsigned long start, unsigned long len, int ignore_errors)
1472 struct mm_struct *mm = current->mm;
1473 unsigned long end, nstart, nend;
1474 struct vm_area_struct *vma = NULL;
1480 for (nstart = start; nstart < end; nstart = nend) {
1482 * We want to fault in pages for [nstart; end) address range.
1483 * Find first corresponding VMA.
1488 vma = find_vma(mm, nstart);
1489 } else if (nstart >= vma->vm_end)
1491 if (!vma || vma->vm_start >= end)
1494 * Set [nstart; nend) to intersection of desired address
1495 * range with the first VMA. Also, skip undesirable VMA types.
1497 nend = min(end, vma->vm_end);
1498 if (vma->vm_flags & (VM_IO | VM_PFNMAP))
1500 if (nstart < vma->vm_start)
1501 nstart = vma->vm_start;
1503 * Now fault in a range of pages. populate_vma_page_range()
1504 * double checks the vma flags, so that it won't mlock pages
1505 * if the vma was already munlocked.
1507 ret = populate_vma_page_range(vma, nstart, nend, &locked);
1509 if (ignore_errors) {
1511 continue; /* continue at next VMA */
1515 nend = nstart + ret * PAGE_SIZE;
1519 mmap_read_unlock(mm);
1520 return ret; /* 0 or negative error code */
1522 #else /* CONFIG_MMU */
1523 static long __get_user_pages_locked(struct mm_struct *mm, unsigned long start,
1524 unsigned long nr_pages, struct page **pages,
1525 struct vm_area_struct **vmas, int *locked,
1526 unsigned int foll_flags)
1528 struct vm_area_struct *vma;
1529 unsigned long vm_flags;
1532 /* calculate required read or write permissions.
1533 * If FOLL_FORCE is set, we only require the "MAY" flags.
1535 vm_flags = (foll_flags & FOLL_WRITE) ?
1536 (VM_WRITE | VM_MAYWRITE) : (VM_READ | VM_MAYREAD);
1537 vm_flags &= (foll_flags & FOLL_FORCE) ?
1538 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
1540 for (i = 0; i < nr_pages; i++) {
1541 vma = find_vma(mm, start);
1543 goto finish_or_fault;
1545 /* protect what we can, including chardevs */
1546 if ((vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
1547 !(vm_flags & vma->vm_flags))
1548 goto finish_or_fault;
1551 pages[i] = virt_to_page(start);
1557 start = (start + PAGE_SIZE) & PAGE_MASK;
1563 return i ? : -EFAULT;
1565 #endif /* !CONFIG_MMU */
1568 * get_dump_page() - pin user page in memory while writing it to core dump
1569 * @addr: user address
1571 * Returns struct page pointer of user page pinned for dump,
1572 * to be freed afterwards by put_page().
1574 * Returns NULL on any kind of failure - a hole must then be inserted into
1575 * the corefile, to preserve alignment with its headers; and also returns
1576 * NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
1577 * allowing a hole to be left in the corefile to save diskspace.
1579 * Called without mmap_lock (takes and releases the mmap_lock by itself).
1581 #ifdef CONFIG_ELF_CORE
1582 struct page *get_dump_page(unsigned long addr)
1584 struct mm_struct *mm = current->mm;
1589 if (mmap_read_lock_killable(mm))
1591 ret = __get_user_pages_locked(mm, addr, 1, &page, NULL, &locked,
1592 FOLL_FORCE | FOLL_DUMP | FOLL_GET);
1594 mmap_read_unlock(mm);
1596 if (ret == 1 && is_page_poisoned(page))
1599 return (ret == 1) ? page : NULL;
1601 #endif /* CONFIG_ELF_CORE */
1604 static long check_and_migrate_cma_pages(struct mm_struct *mm,
1605 unsigned long start,
1606 unsigned long nr_pages,
1607 struct page **pages,
1608 struct vm_area_struct **vmas,
1609 unsigned int gup_flags)
1613 bool drain_allow = true;
1614 bool migrate_allow = true;
1615 LIST_HEAD(cma_page_list);
1616 long ret = nr_pages;
1617 struct migration_target_control mtc = {
1618 .nid = NUMA_NO_NODE,
1619 .gfp_mask = GFP_USER | __GFP_MOVABLE | __GFP_NOWARN,
1623 for (i = 0; i < nr_pages;) {
1625 struct page *head = compound_head(pages[i]);
1628 * gup may start from a tail page. Advance step by the left
1631 step = compound_nr(head) - (pages[i] - head);
1633 * If we get a page from the CMA zone, since we are going to
1634 * be pinning these entries, we might as well move them out
1635 * of the CMA zone if possible.
1637 if (is_migrate_cma_page(head)) {
1639 isolate_huge_page(head, &cma_page_list);
1641 if (!PageLRU(head) && drain_allow) {
1642 lru_add_drain_all();
1643 drain_allow = false;
1646 if (!isolate_lru_page(head)) {
1647 list_add_tail(&head->lru, &cma_page_list);
1648 mod_node_page_state(page_pgdat(head),
1650 page_is_file_lru(head),
1651 thp_nr_pages(head));
1659 if (!list_empty(&cma_page_list)) {
1661 * drop the above get_user_pages reference.
1663 if (gup_flags & FOLL_PIN)
1664 unpin_user_pages(pages, nr_pages);
1666 for (i = 0; i < nr_pages; i++)
1669 if (migrate_pages(&cma_page_list, alloc_migration_target, NULL,
1670 (unsigned long)&mtc, MIGRATE_SYNC, MR_CONTIG_RANGE)) {
1672 * some of the pages failed migration. Do get_user_pages
1673 * without migration.
1675 migrate_allow = false;
1677 if (!list_empty(&cma_page_list))
1678 putback_movable_pages(&cma_page_list);
1681 * We did migrate all the pages, Try to get the page references
1682 * again migrating any new CMA pages which we failed to isolate
1685 ret = __get_user_pages_locked(mm, start, nr_pages,
1689 if ((ret > 0) && migrate_allow) {
1699 static long check_and_migrate_cma_pages(struct mm_struct *mm,
1700 unsigned long start,
1701 unsigned long nr_pages,
1702 struct page **pages,
1703 struct vm_area_struct **vmas,
1704 unsigned int gup_flags)
1708 #endif /* CONFIG_CMA */
1711 * __gup_longterm_locked() is a wrapper for __get_user_pages_locked which
1712 * allows us to process the FOLL_LONGTERM flag.
1714 static long __gup_longterm_locked(struct mm_struct *mm,
1715 unsigned long start,
1716 unsigned long nr_pages,
1717 struct page **pages,
1718 struct vm_area_struct **vmas,
1719 unsigned int gup_flags)
1721 unsigned long flags = 0;
1724 if (gup_flags & FOLL_LONGTERM)
1725 flags = memalloc_nocma_save();
1727 rc = __get_user_pages_locked(mm, start, nr_pages, pages, vmas, NULL,
1730 if (gup_flags & FOLL_LONGTERM) {
1732 rc = check_and_migrate_cma_pages(mm, start, rc, pages,
1734 memalloc_nocma_restore(flags);
1739 static bool is_valid_gup_flags(unsigned int gup_flags)
1742 * FOLL_PIN must only be set internally by the pin_user_pages*() APIs,
1743 * never directly by the caller, so enforce that with an assertion:
1745 if (WARN_ON_ONCE(gup_flags & FOLL_PIN))
1748 * FOLL_PIN is a prerequisite to FOLL_LONGTERM. Another way of saying
1749 * that is, FOLL_LONGTERM is a specific case, more restrictive case of
1752 if (WARN_ON_ONCE(gup_flags & FOLL_LONGTERM))
1759 static long __get_user_pages_remote(struct mm_struct *mm,
1760 unsigned long start, unsigned long nr_pages,
1761 unsigned int gup_flags, struct page **pages,
1762 struct vm_area_struct **vmas, int *locked)
1765 * Parts of FOLL_LONGTERM behavior are incompatible with
1766 * FAULT_FLAG_ALLOW_RETRY because of the FS DAX check requirement on
1767 * vmas. However, this only comes up if locked is set, and there are
1768 * callers that do request FOLL_LONGTERM, but do not set locked. So,
1769 * allow what we can.
1771 if (gup_flags & FOLL_LONGTERM) {
1772 if (WARN_ON_ONCE(locked))
1775 * This will check the vmas (even if our vmas arg is NULL)
1776 * and return -ENOTSUPP if DAX isn't allowed in this case:
1778 return __gup_longterm_locked(mm, start, nr_pages, pages,
1779 vmas, gup_flags | FOLL_TOUCH |
1783 return __get_user_pages_locked(mm, start, nr_pages, pages, vmas,
1785 gup_flags | FOLL_TOUCH | FOLL_REMOTE);
1789 * get_user_pages_remote() - pin user pages in memory
1790 * @mm: mm_struct of target mm
1791 * @start: starting user address
1792 * @nr_pages: number of pages from start to pin
1793 * @gup_flags: flags modifying lookup behaviour
1794 * @pages: array that receives pointers to the pages pinned.
1795 * Should be at least nr_pages long. Or NULL, if caller
1796 * only intends to ensure the pages are faulted in.
1797 * @vmas: array of pointers to vmas corresponding to each page.
1798 * Or NULL if the caller does not require them.
1799 * @locked: pointer to lock flag indicating whether lock is held and
1800 * subsequently whether VM_FAULT_RETRY functionality can be
1801 * utilised. Lock must initially be held.
1803 * Returns either number of pages pinned (which may be less than the
1804 * number requested), or an error. Details about the return value:
1806 * -- If nr_pages is 0, returns 0.
1807 * -- If nr_pages is >0, but no pages were pinned, returns -errno.
1808 * -- If nr_pages is >0, and some pages were pinned, returns the number of
1809 * pages pinned. Again, this may be less than nr_pages.
1811 * The caller is responsible for releasing returned @pages, via put_page().
1813 * @vmas are valid only as long as mmap_lock is held.
1815 * Must be called with mmap_lock held for read or write.
1817 * get_user_pages_remote walks a process's page tables and takes a reference
1818 * to each struct page that each user address corresponds to at a given
1819 * instant. That is, it takes the page that would be accessed if a user
1820 * thread accesses the given user virtual address at that instant.
1822 * This does not guarantee that the page exists in the user mappings when
1823 * get_user_pages_remote returns, and there may even be a completely different
1824 * page there in some cases (eg. if mmapped pagecache has been invalidated
1825 * and subsequently re faulted). However it does guarantee that the page
1826 * won't be freed completely. And mostly callers simply care that the page
1827 * contains data that was valid *at some point in time*. Typically, an IO
1828 * or similar operation cannot guarantee anything stronger anyway because
1829 * locks can't be held over the syscall boundary.
1831 * If gup_flags & FOLL_WRITE == 0, the page must not be written to. If the page
1832 * is written to, set_page_dirty (or set_page_dirty_lock, as appropriate) must
1833 * be called after the page is finished with, and before put_page is called.
1835 * get_user_pages_remote is typically used for fewer-copy IO operations,
1836 * to get a handle on the memory by some means other than accesses
1837 * via the user virtual addresses. The pages may be submitted for
1838 * DMA to devices or accessed via their kernel linear mapping (via the
1839 * kmap APIs). Care should be taken to use the correct cache flushing APIs.
1841 * See also get_user_pages_fast, for performance critical applications.
1843 * get_user_pages_remote should be phased out in favor of
1844 * get_user_pages_locked|unlocked or get_user_pages_fast. Nothing
1845 * should use get_user_pages_remote because it cannot pass
1846 * FAULT_FLAG_ALLOW_RETRY to handle_mm_fault.
1848 long get_user_pages_remote(struct mm_struct *mm,
1849 unsigned long start, unsigned long nr_pages,
1850 unsigned int gup_flags, struct page **pages,
1851 struct vm_area_struct **vmas, int *locked)
1853 if (!is_valid_gup_flags(gup_flags))
1856 return __get_user_pages_remote(mm, start, nr_pages, gup_flags,
1857 pages, vmas, locked);
1859 EXPORT_SYMBOL(get_user_pages_remote);
1861 #else /* CONFIG_MMU */
1862 long get_user_pages_remote(struct mm_struct *mm,
1863 unsigned long start, unsigned long nr_pages,
1864 unsigned int gup_flags, struct page **pages,
1865 struct vm_area_struct **vmas, int *locked)
1870 static long __get_user_pages_remote(struct mm_struct *mm,
1871 unsigned long start, unsigned long nr_pages,
1872 unsigned int gup_flags, struct page **pages,
1873 struct vm_area_struct **vmas, int *locked)
1877 #endif /* !CONFIG_MMU */
1880 * get_user_pages() - pin user pages in memory
1881 * @start: starting user address
1882 * @nr_pages: number of pages from start to pin
1883 * @gup_flags: flags modifying lookup behaviour
1884 * @pages: array that receives pointers to the pages pinned.
1885 * Should be at least nr_pages long. Or NULL, if caller
1886 * only intends to ensure the pages are faulted in.
1887 * @vmas: array of pointers to vmas corresponding to each page.
1888 * Or NULL if the caller does not require them.
1890 * This is the same as get_user_pages_remote(), just with a less-flexible
1891 * calling convention where we assume that the mm being operated on belongs to
1892 * the current task, and doesn't allow passing of a locked parameter. We also
1893 * obviously don't pass FOLL_REMOTE in here.
1895 long get_user_pages(unsigned long start, unsigned long nr_pages,
1896 unsigned int gup_flags, struct page **pages,
1897 struct vm_area_struct **vmas)
1899 if (!is_valid_gup_flags(gup_flags))
1902 return __gup_longterm_locked(current->mm, start, nr_pages,
1903 pages, vmas, gup_flags | FOLL_TOUCH);
1905 EXPORT_SYMBOL(get_user_pages);
1908 * get_user_pages_locked() - variant of get_user_pages()
1910 * @start: starting user address
1911 * @nr_pages: number of pages from start to pin
1912 * @gup_flags: flags modifying lookup behaviour
1913 * @pages: array that receives pointers to the pages pinned.
1914 * Should be at least nr_pages long. Or NULL, if caller
1915 * only intends to ensure the pages are faulted in.
1916 * @locked: pointer to lock flag indicating whether lock is held and
1917 * subsequently whether VM_FAULT_RETRY functionality can be
1918 * utilised. Lock must initially be held.
1920 * It is suitable to replace the form:
1922 * mmap_read_lock(mm);
1924 * get_user_pages(mm, ..., pages, NULL);
1925 * mmap_read_unlock(mm);
1930 * mmap_read_lock(mm);
1932 * get_user_pages_locked(mm, ..., pages, &locked);
1934 * mmap_read_unlock(mm);
1936 * We can leverage the VM_FAULT_RETRY functionality in the page fault
1937 * paths better by using either get_user_pages_locked() or
1938 * get_user_pages_unlocked().
1941 long get_user_pages_locked(unsigned long start, unsigned long nr_pages,
1942 unsigned int gup_flags, struct page **pages,
1946 * FIXME: Current FOLL_LONGTERM behavior is incompatible with
1947 * FAULT_FLAG_ALLOW_RETRY because of the FS DAX check requirement on
1948 * vmas. As there are no users of this flag in this call we simply
1949 * disallow this option for now.
1951 if (WARN_ON_ONCE(gup_flags & FOLL_LONGTERM))
1954 * FOLL_PIN must only be set internally by the pin_user_pages*() APIs,
1955 * never directly by the caller, so enforce that:
1957 if (WARN_ON_ONCE(gup_flags & FOLL_PIN))
1960 return __get_user_pages_locked(current->mm, start, nr_pages,
1961 pages, NULL, locked,
1962 gup_flags | FOLL_TOUCH);
1964 EXPORT_SYMBOL(get_user_pages_locked);
1967 * get_user_pages_unlocked() is suitable to replace the form:
1969 * mmap_read_lock(mm);
1970 * get_user_pages(mm, ..., pages, NULL);
1971 * mmap_read_unlock(mm);
1975 * get_user_pages_unlocked(mm, ..., pages);
1977 * It is functionally equivalent to get_user_pages_fast so
1978 * get_user_pages_fast should be used instead if specific gup_flags
1979 * (e.g. FOLL_FORCE) are not required.
1981 long get_user_pages_unlocked(unsigned long start, unsigned long nr_pages,
1982 struct page **pages, unsigned int gup_flags)
1984 struct mm_struct *mm = current->mm;
1989 * FIXME: Current FOLL_LONGTERM behavior is incompatible with
1990 * FAULT_FLAG_ALLOW_RETRY because of the FS DAX check requirement on
1991 * vmas. As there are no users of this flag in this call we simply
1992 * disallow this option for now.
1994 if (WARN_ON_ONCE(gup_flags & FOLL_LONGTERM))
1998 ret = __get_user_pages_locked(mm, start, nr_pages, pages, NULL,
1999 &locked, gup_flags | FOLL_TOUCH);
2001 mmap_read_unlock(mm);
2004 EXPORT_SYMBOL(get_user_pages_unlocked);
2009 * get_user_pages_fast attempts to pin user pages by walking the page
2010 * tables directly and avoids taking locks. Thus the walker needs to be
2011 * protected from page table pages being freed from under it, and should
2012 * block any THP splits.
2014 * One way to achieve this is to have the walker disable interrupts, and
2015 * rely on IPIs from the TLB flushing code blocking before the page table
2016 * pages are freed. This is unsuitable for architectures that do not need
2017 * to broadcast an IPI when invalidating TLBs.
2019 * Another way to achieve this is to batch up page table containing pages
2020 * belonging to more than one mm_user, then rcu_sched a callback to free those
2021 * pages. Disabling interrupts will allow the fast_gup walker to both block
2022 * the rcu_sched callback, and an IPI that we broadcast for splitting THPs
2023 * (which is a relatively rare event). The code below adopts this strategy.
2025 * Before activating this code, please be aware that the following assumptions
2026 * are currently made:
2028 * *) Either MMU_GATHER_RCU_TABLE_FREE is enabled, and tlb_remove_table() is used to
2029 * free pages containing page tables or TLB flushing requires IPI broadcast.
2031 * *) ptes can be read atomically by the architecture.
2033 * *) access_ok is sufficient to validate userspace address ranges.
2035 * The last two assumptions can be relaxed by the addition of helper functions.
2037 * This code is based heavily on the PowerPC implementation by Nick Piggin.
2039 #ifdef CONFIG_HAVE_FAST_GUP
2041 static void __maybe_unused undo_dev_pagemap(int *nr, int nr_start,
2043 struct page **pages)
2045 while ((*nr) - nr_start) {
2046 struct page *page = pages[--(*nr)];
2048 ClearPageReferenced(page);
2049 if (flags & FOLL_PIN)
2050 unpin_user_page(page);
2056 #ifdef CONFIG_ARCH_HAS_PTE_SPECIAL
2057 static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2058 unsigned int flags, struct page **pages, int *nr)
2060 struct dev_pagemap *pgmap = NULL;
2061 int nr_start = *nr, ret = 0;
2064 ptem = ptep = pte_offset_map(&pmd, addr);
2066 pte_t pte = ptep_get_lockless(ptep);
2067 struct page *head, *page;
2070 * Similar to the PMD case below, NUMA hinting must take slow
2071 * path using the pte_protnone check.
2073 if (pte_protnone(pte))
2076 if (!pte_access_permitted(pte, flags & FOLL_WRITE))
2079 if (pte_devmap(pte)) {
2080 if (unlikely(flags & FOLL_LONGTERM))
2083 pgmap = get_dev_pagemap(pte_pfn(pte), pgmap);
2084 if (unlikely(!pgmap)) {
2085 undo_dev_pagemap(nr, nr_start, flags, pages);
2088 } else if (pte_special(pte))
2091 VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
2092 page = pte_page(pte);
2094 head = try_grab_compound_head(page, 1, flags);
2098 if (unlikely(pte_val(pte) != pte_val(*ptep))) {
2099 put_compound_head(head, 1, flags);
2103 VM_BUG_ON_PAGE(compound_head(page) != head, page);
2106 * We need to make the page accessible if and only if we are
2107 * going to access its content (the FOLL_PIN case). Please
2108 * see Documentation/core-api/pin_user_pages.rst for
2111 if (flags & FOLL_PIN) {
2112 ret = arch_make_page_accessible(page);
2114 unpin_user_page(page);
2118 SetPageReferenced(page);
2122 } while (ptep++, addr += PAGE_SIZE, addr != end);
2128 put_dev_pagemap(pgmap);
2135 * If we can't determine whether or not a pte is special, then fail immediately
2136 * for ptes. Note, we can still pin HugeTLB and THP as these are guaranteed not
2139 * For a futex to be placed on a THP tail page, get_futex_key requires a
2140 * get_user_pages_fast_only implementation that can pin pages. Thus it's still
2141 * useful to have gup_huge_pmd even if we can't operate on ptes.
2143 static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2144 unsigned int flags, struct page **pages, int *nr)
2148 #endif /* CONFIG_ARCH_HAS_PTE_SPECIAL */
2150 #if defined(CONFIG_ARCH_HAS_PTE_DEVMAP) && defined(CONFIG_TRANSPARENT_HUGEPAGE)
2151 static int __gup_device_huge(unsigned long pfn, unsigned long addr,
2152 unsigned long end, unsigned int flags,
2153 struct page **pages, int *nr)
2156 struct dev_pagemap *pgmap = NULL;
2159 struct page *page = pfn_to_page(pfn);
2161 pgmap = get_dev_pagemap(pfn, pgmap);
2162 if (unlikely(!pgmap)) {
2163 undo_dev_pagemap(nr, nr_start, flags, pages);
2166 SetPageReferenced(page);
2168 if (unlikely(!try_grab_page(page, flags))) {
2169 undo_dev_pagemap(nr, nr_start, flags, pages);
2174 } while (addr += PAGE_SIZE, addr != end);
2177 put_dev_pagemap(pgmap);
2181 static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
2182 unsigned long end, unsigned int flags,
2183 struct page **pages, int *nr)
2185 unsigned long fault_pfn;
2188 fault_pfn = pmd_pfn(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
2189 if (!__gup_device_huge(fault_pfn, addr, end, flags, pages, nr))
2192 if (unlikely(pmd_val(orig) != pmd_val(*pmdp))) {
2193 undo_dev_pagemap(nr, nr_start, flags, pages);
2199 static int __gup_device_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
2200 unsigned long end, unsigned int flags,
2201 struct page **pages, int *nr)
2203 unsigned long fault_pfn;
2206 fault_pfn = pud_pfn(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
2207 if (!__gup_device_huge(fault_pfn, addr, end, flags, pages, nr))
2210 if (unlikely(pud_val(orig) != pud_val(*pudp))) {
2211 undo_dev_pagemap(nr, nr_start, flags, pages);
2217 static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
2218 unsigned long end, unsigned int flags,
2219 struct page **pages, int *nr)
2225 static int __gup_device_huge_pud(pud_t pud, pud_t *pudp, unsigned long addr,
2226 unsigned long end, unsigned int flags,
2227 struct page **pages, int *nr)
2234 static int record_subpages(struct page *page, unsigned long addr,
2235 unsigned long end, struct page **pages)
2239 for (nr = 0; addr != end; addr += PAGE_SIZE)
2240 pages[nr++] = page++;
2245 #ifdef CONFIG_ARCH_HAS_HUGEPD
2246 static unsigned long hugepte_addr_end(unsigned long addr, unsigned long end,
2249 unsigned long __boundary = (addr + sz) & ~(sz-1);
2250 return (__boundary - 1 < end - 1) ? __boundary : end;
2253 static int gup_hugepte(pte_t *ptep, unsigned long sz, unsigned long addr,
2254 unsigned long end, unsigned int flags,
2255 struct page **pages, int *nr)
2257 unsigned long pte_end;
2258 struct page *head, *page;
2262 pte_end = (addr + sz) & ~(sz-1);
2266 pte = huge_ptep_get(ptep);
2268 if (!pte_access_permitted(pte, flags & FOLL_WRITE))
2271 /* hugepages are never "special" */
2272 VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
2274 head = pte_page(pte);
2275 page = head + ((addr & (sz-1)) >> PAGE_SHIFT);
2276 refs = record_subpages(page, addr, end, pages + *nr);
2278 head = try_grab_compound_head(head, refs, flags);
2282 if (unlikely(pte_val(pte) != pte_val(*ptep))) {
2283 put_compound_head(head, refs, flags);
2288 SetPageReferenced(head);
2292 static int gup_huge_pd(hugepd_t hugepd, unsigned long addr,
2293 unsigned int pdshift, unsigned long end, unsigned int flags,
2294 struct page **pages, int *nr)
2297 unsigned long sz = 1UL << hugepd_shift(hugepd);
2300 ptep = hugepte_offset(hugepd, addr, pdshift);
2302 next = hugepte_addr_end(addr, end, sz);
2303 if (!gup_hugepte(ptep, sz, addr, end, flags, pages, nr))
2305 } while (ptep++, addr = next, addr != end);
2310 static inline int gup_huge_pd(hugepd_t hugepd, unsigned long addr,
2311 unsigned int pdshift, unsigned long end, unsigned int flags,
2312 struct page **pages, int *nr)
2316 #endif /* CONFIG_ARCH_HAS_HUGEPD */
2318 static int gup_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
2319 unsigned long end, unsigned int flags,
2320 struct page **pages, int *nr)
2322 struct page *head, *page;
2325 if (!pmd_access_permitted(orig, flags & FOLL_WRITE))
2328 if (pmd_devmap(orig)) {
2329 if (unlikely(flags & FOLL_LONGTERM))
2331 return __gup_device_huge_pmd(orig, pmdp, addr, end, flags,
2335 page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
2336 refs = record_subpages(page, addr, end, pages + *nr);
2338 head = try_grab_compound_head(pmd_page(orig), refs, flags);
2342 if (unlikely(pmd_val(orig) != pmd_val(*pmdp))) {
2343 put_compound_head(head, refs, flags);
2348 SetPageReferenced(head);
2352 static int gup_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
2353 unsigned long end, unsigned int flags,
2354 struct page **pages, int *nr)
2356 struct page *head, *page;
2359 if (!pud_access_permitted(orig, flags & FOLL_WRITE))
2362 if (pud_devmap(orig)) {
2363 if (unlikely(flags & FOLL_LONGTERM))
2365 return __gup_device_huge_pud(orig, pudp, addr, end, flags,
2369 page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
2370 refs = record_subpages(page, addr, end, pages + *nr);
2372 head = try_grab_compound_head(pud_page(orig), refs, flags);
2376 if (unlikely(pud_val(orig) != pud_val(*pudp))) {
2377 put_compound_head(head, refs, flags);
2382 SetPageReferenced(head);
2386 static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr,
2387 unsigned long end, unsigned int flags,
2388 struct page **pages, int *nr)
2391 struct page *head, *page;
2393 if (!pgd_access_permitted(orig, flags & FOLL_WRITE))
2396 BUILD_BUG_ON(pgd_devmap(orig));
2398 page = pgd_page(orig) + ((addr & ~PGDIR_MASK) >> PAGE_SHIFT);
2399 refs = record_subpages(page, addr, end, pages + *nr);
2401 head = try_grab_compound_head(pgd_page(orig), refs, flags);
2405 if (unlikely(pgd_val(orig) != pgd_val(*pgdp))) {
2406 put_compound_head(head, refs, flags);
2411 SetPageReferenced(head);
2415 static int gup_pmd_range(pud_t *pudp, pud_t pud, unsigned long addr, unsigned long end,
2416 unsigned int flags, struct page **pages, int *nr)
2421 pmdp = pmd_offset_lockless(pudp, pud, addr);
2423 pmd_t pmd = READ_ONCE(*pmdp);
2425 next = pmd_addr_end(addr, end);
2426 if (!pmd_present(pmd))
2429 if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) ||
2432 * NUMA hinting faults need to be handled in the GUP
2433 * slowpath for accounting purposes and so that they
2434 * can be serialised against THP migration.
2436 if (pmd_protnone(pmd))
2439 if (!gup_huge_pmd(pmd, pmdp, addr, next, flags,
2443 } else if (unlikely(is_hugepd(__hugepd(pmd_val(pmd))))) {
2445 * architecture have different format for hugetlbfs
2446 * pmd format and THP pmd format
2448 if (!gup_huge_pd(__hugepd(pmd_val(pmd)), addr,
2449 PMD_SHIFT, next, flags, pages, nr))
2451 } else if (!gup_pte_range(pmd, addr, next, flags, pages, nr))
2453 } while (pmdp++, addr = next, addr != end);
2458 static int gup_pud_range(p4d_t *p4dp, p4d_t p4d, unsigned long addr, unsigned long end,
2459 unsigned int flags, struct page **pages, int *nr)
2464 pudp = pud_offset_lockless(p4dp, p4d, addr);
2466 pud_t pud = READ_ONCE(*pudp);
2468 next = pud_addr_end(addr, end);
2469 if (unlikely(!pud_present(pud)))
2471 if (unlikely(pud_huge(pud))) {
2472 if (!gup_huge_pud(pud, pudp, addr, next, flags,
2475 } else if (unlikely(is_hugepd(__hugepd(pud_val(pud))))) {
2476 if (!gup_huge_pd(__hugepd(pud_val(pud)), addr,
2477 PUD_SHIFT, next, flags, pages, nr))
2479 } else if (!gup_pmd_range(pudp, pud, addr, next, flags, pages, nr))
2481 } while (pudp++, addr = next, addr != end);
2486 static int gup_p4d_range(pgd_t *pgdp, pgd_t pgd, unsigned long addr, unsigned long end,
2487 unsigned int flags, struct page **pages, int *nr)
2492 p4dp = p4d_offset_lockless(pgdp, pgd, addr);
2494 p4d_t p4d = READ_ONCE(*p4dp);
2496 next = p4d_addr_end(addr, end);
2499 BUILD_BUG_ON(p4d_huge(p4d));
2500 if (unlikely(is_hugepd(__hugepd(p4d_val(p4d))))) {
2501 if (!gup_huge_pd(__hugepd(p4d_val(p4d)), addr,
2502 P4D_SHIFT, next, flags, pages, nr))
2504 } else if (!gup_pud_range(p4dp, p4d, addr, next, flags, pages, nr))
2506 } while (p4dp++, addr = next, addr != end);
2511 static void gup_pgd_range(unsigned long addr, unsigned long end,
2512 unsigned int flags, struct page **pages, int *nr)
2517 pgdp = pgd_offset(current->mm, addr);
2519 pgd_t pgd = READ_ONCE(*pgdp);
2521 next = pgd_addr_end(addr, end);
2524 if (unlikely(pgd_huge(pgd))) {
2525 if (!gup_huge_pgd(pgd, pgdp, addr, next, flags,
2528 } else if (unlikely(is_hugepd(__hugepd(pgd_val(pgd))))) {
2529 if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr,
2530 PGDIR_SHIFT, next, flags, pages, nr))
2532 } else if (!gup_p4d_range(pgdp, pgd, addr, next, flags, pages, nr))
2534 } while (pgdp++, addr = next, addr != end);
2537 static inline void gup_pgd_range(unsigned long addr, unsigned long end,
2538 unsigned int flags, struct page **pages, int *nr)
2541 #endif /* CONFIG_HAVE_FAST_GUP */
2543 #ifndef gup_fast_permitted
2545 * Check if it's allowed to use get_user_pages_fast_only() for the range, or
2546 * we need to fall back to the slow version:
2548 static bool gup_fast_permitted(unsigned long start, unsigned long end)
2554 static int __gup_longterm_unlocked(unsigned long start, int nr_pages,
2555 unsigned int gup_flags, struct page **pages)
2560 * FIXME: FOLL_LONGTERM does not work with
2561 * get_user_pages_unlocked() (see comments in that function)
2563 if (gup_flags & FOLL_LONGTERM) {
2564 mmap_read_lock(current->mm);
2565 ret = __gup_longterm_locked(current->mm,
2567 pages, NULL, gup_flags);
2568 mmap_read_unlock(current->mm);
2570 ret = get_user_pages_unlocked(start, nr_pages,
2577 static unsigned long lockless_pages_from_mm(unsigned long start,
2579 unsigned int gup_flags,
2580 struct page **pages)
2582 unsigned long flags;
2586 if (!IS_ENABLED(CONFIG_HAVE_FAST_GUP) ||
2587 !gup_fast_permitted(start, end))
2590 if (gup_flags & FOLL_PIN) {
2591 seq = raw_read_seqcount(¤t->mm->write_protect_seq);
2597 * Disable interrupts. The nested form is used, in order to allow full,
2598 * general purpose use of this routine.
2600 * With interrupts disabled, we block page table pages from being freed
2601 * from under us. See struct mmu_table_batch comments in
2602 * include/asm-generic/tlb.h for more details.
2604 * We do not adopt an rcu_read_lock() here as we also want to block IPIs
2605 * that come from THPs splitting.
2607 local_irq_save(flags);
2608 gup_pgd_range(start, end, gup_flags, pages, &nr_pinned);
2609 local_irq_restore(flags);
2612 * When pinning pages for DMA there could be a concurrent write protect
2613 * from fork() via copy_page_range(), in this case always fail fast GUP.
2615 if (gup_flags & FOLL_PIN) {
2616 if (read_seqcount_retry(¤t->mm->write_protect_seq, seq)) {
2617 unpin_user_pages(pages, nr_pinned);
2624 static int internal_get_user_pages_fast(unsigned long start,
2625 unsigned long nr_pages,
2626 unsigned int gup_flags,
2627 struct page **pages)
2629 unsigned long len, end;
2630 unsigned long nr_pinned;
2633 if (WARN_ON_ONCE(gup_flags & ~(FOLL_WRITE | FOLL_LONGTERM |
2634 FOLL_FORCE | FOLL_PIN | FOLL_GET |
2638 if (gup_flags & FOLL_PIN)
2639 atomic_set(¤t->mm->has_pinned, 1);
2641 if (!(gup_flags & FOLL_FAST_ONLY))
2642 might_lock_read(¤t->mm->mmap_lock);
2644 start = untagged_addr(start) & PAGE_MASK;
2645 len = nr_pages << PAGE_SHIFT;
2646 if (check_add_overflow(start, len, &end))
2648 if (unlikely(!access_ok((void __user *)start, len)))
2651 nr_pinned = lockless_pages_from_mm(start, end, gup_flags, pages);
2652 if (nr_pinned == nr_pages || gup_flags & FOLL_FAST_ONLY)
2655 /* Slow path: try to get the remaining pages with get_user_pages */
2656 start += nr_pinned << PAGE_SHIFT;
2658 ret = __gup_longterm_unlocked(start, nr_pages - nr_pinned, gup_flags,
2662 * The caller has to unpin the pages we already pinned so
2663 * returning -errno is not an option
2669 return ret + nr_pinned;
2673 * get_user_pages_fast_only() - pin user pages in memory
2674 * @start: starting user address
2675 * @nr_pages: number of pages from start to pin
2676 * @gup_flags: flags modifying pin behaviour
2677 * @pages: array that receives pointers to the pages pinned.
2678 * Should be at least nr_pages long.
2680 * Like get_user_pages_fast() except it's IRQ-safe in that it won't fall back to
2682 * Note a difference with get_user_pages_fast: this always returns the
2683 * number of pages pinned, 0 if no pages were pinned.
2685 * If the architecture does not support this function, simply return with no
2688 * Careful, careful! COW breaking can go either way, so a non-write
2689 * access can get ambiguous page results. If you call this function without
2690 * 'write' set, you'd better be sure that you're ok with that ambiguity.
2692 int get_user_pages_fast_only(unsigned long start, int nr_pages,
2693 unsigned int gup_flags, struct page **pages)
2697 * Internally (within mm/gup.c), gup fast variants must set FOLL_GET,
2698 * because gup fast is always a "pin with a +1 page refcount" request.
2700 * FOLL_FAST_ONLY is required in order to match the API description of
2701 * this routine: no fall back to regular ("slow") GUP.
2703 gup_flags |= FOLL_GET | FOLL_FAST_ONLY;
2705 nr_pinned = internal_get_user_pages_fast(start, nr_pages, gup_flags,
2709 * As specified in the API description above, this routine is not
2710 * allowed to return negative values. However, the common core
2711 * routine internal_get_user_pages_fast() *can* return -errno.
2712 * Therefore, correct for that here:
2719 EXPORT_SYMBOL_GPL(get_user_pages_fast_only);
2722 * get_user_pages_fast() - pin user pages in memory
2723 * @start: starting user address
2724 * @nr_pages: number of pages from start to pin
2725 * @gup_flags: flags modifying pin behaviour
2726 * @pages: array that receives pointers to the pages pinned.
2727 * Should be at least nr_pages long.
2729 * Attempt to pin user pages in memory without taking mm->mmap_lock.
2730 * If not successful, it will fall back to taking the lock and
2731 * calling get_user_pages().
2733 * Returns number of pages pinned. This may be fewer than the number requested.
2734 * If nr_pages is 0 or negative, returns 0. If no pages were pinned, returns
2737 int get_user_pages_fast(unsigned long start, int nr_pages,
2738 unsigned int gup_flags, struct page **pages)
2740 if (!is_valid_gup_flags(gup_flags))
2744 * The caller may or may not have explicitly set FOLL_GET; either way is
2745 * OK. However, internally (within mm/gup.c), gup fast variants must set
2746 * FOLL_GET, because gup fast is always a "pin with a +1 page refcount"
2749 gup_flags |= FOLL_GET;
2750 return internal_get_user_pages_fast(start, nr_pages, gup_flags, pages);
2752 EXPORT_SYMBOL_GPL(get_user_pages_fast);
2755 * pin_user_pages_fast() - pin user pages in memory without taking locks
2757 * @start: starting user address
2758 * @nr_pages: number of pages from start to pin
2759 * @gup_flags: flags modifying pin behaviour
2760 * @pages: array that receives pointers to the pages pinned.
2761 * Should be at least nr_pages long.
2763 * Nearly the same as get_user_pages_fast(), except that FOLL_PIN is set. See
2764 * get_user_pages_fast() for documentation on the function arguments, because
2765 * the arguments here are identical.
2767 * FOLL_PIN means that the pages must be released via unpin_user_page(). Please
2768 * see Documentation/core-api/pin_user_pages.rst for further details.
2770 int pin_user_pages_fast(unsigned long start, int nr_pages,
2771 unsigned int gup_flags, struct page **pages)
2773 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
2774 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2777 gup_flags |= FOLL_PIN;
2778 return internal_get_user_pages_fast(start, nr_pages, gup_flags, pages);
2780 EXPORT_SYMBOL_GPL(pin_user_pages_fast);
2783 * This is the FOLL_PIN equivalent of get_user_pages_fast_only(). Behavior
2784 * is the same, except that this one sets FOLL_PIN instead of FOLL_GET.
2786 * The API rules are the same, too: no negative values may be returned.
2788 int pin_user_pages_fast_only(unsigned long start, int nr_pages,
2789 unsigned int gup_flags, struct page **pages)
2794 * FOLL_GET and FOLL_PIN are mutually exclusive. Note that the API
2795 * rules require returning 0, rather than -errno:
2797 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2800 * FOLL_FAST_ONLY is required in order to match the API description of
2801 * this routine: no fall back to regular ("slow") GUP.
2803 gup_flags |= (FOLL_PIN | FOLL_FAST_ONLY);
2804 nr_pinned = internal_get_user_pages_fast(start, nr_pages, gup_flags,
2807 * This routine is not allowed to return negative values. However,
2808 * internal_get_user_pages_fast() *can* return -errno. Therefore,
2809 * correct for that here:
2816 EXPORT_SYMBOL_GPL(pin_user_pages_fast_only);
2819 * pin_user_pages_remote() - pin pages of a remote process
2821 * @mm: mm_struct of target mm
2822 * @start: starting user address
2823 * @nr_pages: number of pages from start to pin
2824 * @gup_flags: flags modifying lookup behaviour
2825 * @pages: array that receives pointers to the pages pinned.
2826 * Should be at least nr_pages long. Or NULL, if caller
2827 * only intends to ensure the pages are faulted in.
2828 * @vmas: array of pointers to vmas corresponding to each page.
2829 * Or NULL if the caller does not require them.
2830 * @locked: pointer to lock flag indicating whether lock is held and
2831 * subsequently whether VM_FAULT_RETRY functionality can be
2832 * utilised. Lock must initially be held.
2834 * Nearly the same as get_user_pages_remote(), except that FOLL_PIN is set. See
2835 * get_user_pages_remote() for documentation on the function arguments, because
2836 * the arguments here are identical.
2838 * FOLL_PIN means that the pages must be released via unpin_user_page(). Please
2839 * see Documentation/core-api/pin_user_pages.rst for details.
2841 long pin_user_pages_remote(struct mm_struct *mm,
2842 unsigned long start, unsigned long nr_pages,
2843 unsigned int gup_flags, struct page **pages,
2844 struct vm_area_struct **vmas, int *locked)
2846 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
2847 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2850 gup_flags |= FOLL_PIN;
2851 return __get_user_pages_remote(mm, start, nr_pages, gup_flags,
2852 pages, vmas, locked);
2854 EXPORT_SYMBOL(pin_user_pages_remote);
2857 * pin_user_pages() - pin user pages in memory for use by other devices
2859 * @start: starting user address
2860 * @nr_pages: number of pages from start to pin
2861 * @gup_flags: flags modifying lookup behaviour
2862 * @pages: array that receives pointers to the pages pinned.
2863 * Should be at least nr_pages long. Or NULL, if caller
2864 * only intends to ensure the pages are faulted in.
2865 * @vmas: array of pointers to vmas corresponding to each page.
2866 * Or NULL if the caller does not require them.
2868 * Nearly the same as get_user_pages(), except that FOLL_TOUCH is not set, and
2871 * FOLL_PIN means that the pages must be released via unpin_user_page(). Please
2872 * see Documentation/core-api/pin_user_pages.rst for details.
2874 long pin_user_pages(unsigned long start, unsigned long nr_pages,
2875 unsigned int gup_flags, struct page **pages,
2876 struct vm_area_struct **vmas)
2878 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
2879 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2882 gup_flags |= FOLL_PIN;
2883 return __gup_longterm_locked(current->mm, start, nr_pages,
2884 pages, vmas, gup_flags);
2886 EXPORT_SYMBOL(pin_user_pages);
2889 * pin_user_pages_unlocked() is the FOLL_PIN variant of
2890 * get_user_pages_unlocked(). Behavior is the same, except that this one sets
2891 * FOLL_PIN and rejects FOLL_GET.
2893 long pin_user_pages_unlocked(unsigned long start, unsigned long nr_pages,
2894 struct page **pages, unsigned int gup_flags)
2896 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
2897 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2900 gup_flags |= FOLL_PIN;
2901 return get_user_pages_unlocked(start, nr_pages, pages, gup_flags);
2903 EXPORT_SYMBOL(pin_user_pages_unlocked);
2906 * pin_user_pages_locked() is the FOLL_PIN variant of get_user_pages_locked().
2907 * Behavior is the same, except that this one sets FOLL_PIN and rejects
2910 long pin_user_pages_locked(unsigned long start, unsigned long nr_pages,
2911 unsigned int gup_flags, struct page **pages,
2915 * FIXME: Current FOLL_LONGTERM behavior is incompatible with
2916 * FAULT_FLAG_ALLOW_RETRY because of the FS DAX check requirement on
2917 * vmas. As there are no users of this flag in this call we simply
2918 * disallow this option for now.
2920 if (WARN_ON_ONCE(gup_flags & FOLL_LONGTERM))
2923 /* FOLL_GET and FOLL_PIN are mutually exclusive. */
2924 if (WARN_ON_ONCE(gup_flags & FOLL_GET))
2927 gup_flags |= FOLL_PIN;
2928 return __get_user_pages_locked(current->mm, start, nr_pages,
2929 pages, NULL, locked,
2930 gup_flags | FOLL_TOUCH);
2932 EXPORT_SYMBOL(pin_user_pages_locked);
projects / linux-2.6-microblaze.git / blob