1 // SPDX-License-Identifier: GPL-2.0-only
5 * Copyright (C) 2015 Red Hat, Inc.
9 #include <linux/sched/signal.h>
10 #include <linux/pagemap.h>
11 #include <linux/rmap.h>
12 #include <linux/swap.h>
13 #include <linux/swapops.h>
14 #include <linux/userfaultfd_k.h>
15 #include <linux/mmu_notifier.h>
16 #include <linux/hugetlb.h>
17 #include <linux/shmem_fs.h>
18 #include <asm/tlbflush.h>
21 static __always_inline
22 struct vm_area_struct *find_dst_vma(struct mm_struct *dst_mm,
23 unsigned long dst_start,
27 * Make sure that the dst range is both valid and fully within a
28 * single existing vma.
30 struct vm_area_struct *dst_vma;
32 dst_vma = find_vma(dst_mm, dst_start);
36 if (dst_start < dst_vma->vm_start ||
37 dst_start + len > dst_vma->vm_end)
41 * Check the vma is registered in uffd, this is required to
42 * enforce the VM_MAYWRITE check done at uffd registration
45 if (!dst_vma->vm_userfaultfd_ctx.ctx)
52 * Install PTEs, to map dst_addr (within dst_vma) to page.
54 * This function handles both MCOPY_ATOMIC_NORMAL and _CONTINUE for both shmem
55 * and anon, and for both shared and private VMAs.
57 int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
58 struct vm_area_struct *dst_vma,
59 unsigned long dst_addr, struct page *page,
60 bool newly_allocated, bool wp_copy)
63 pte_t _dst_pte, *dst_pte;
64 bool writable = dst_vma->vm_flags & VM_WRITE;
65 bool vm_shared = dst_vma->vm_flags & VM_SHARED;
66 bool page_in_cache = page->mapping;
69 pgoff_t offset, max_off;
71 _dst_pte = mk_pte(page, dst_vma->vm_page_prot);
72 _dst_pte = pte_mkdirty(_dst_pte);
73 if (page_in_cache && !vm_shared)
77 _dst_pte = pte_mkuffd_wp(_dst_pte);
79 _dst_pte = pte_mkwrite(_dst_pte);
82 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
84 if (vma_is_shmem(dst_vma)) {
85 /* serialize against truncate with the page table lock */
86 inode = dst_vma->vm_file->f_inode;
87 offset = linear_page_index(dst_vma, dst_addr);
88 max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
90 if (unlikely(offset >= max_off))
95 if (!pte_none(*dst_pte))
99 /* Usually, cache pages are already added to LRU */
102 page_add_file_rmap(page, dst_vma, false);
104 page_add_new_anon_rmap(page, dst_vma, dst_addr, false);
105 lru_cache_add_inactive_or_unevictable(page, dst_vma);
109 * Must happen after rmap, as mm_counter() checks mapping (via
110 * PageAnon()), which is set by __page_set_anon_rmap().
112 inc_mm_counter(dst_mm, mm_counter(page));
114 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
116 /* No need to invalidate - it was non-present before */
117 update_mmu_cache(dst_vma, dst_addr, dst_pte);
120 pte_unmap_unlock(dst_pte, ptl);
124 static int mcopy_atomic_pte(struct mm_struct *dst_mm,
126 struct vm_area_struct *dst_vma,
127 unsigned long dst_addr,
128 unsigned long src_addr,
138 page = alloc_page_vma(GFP_HIGHUSER_MOVABLE, dst_vma, dst_addr);
142 page_kaddr = kmap_atomic(page);
143 ret = copy_from_user(page_kaddr,
144 (const void __user *) src_addr,
146 kunmap_atomic(page_kaddr);
148 /* fallback to copy_from_user outside mmap_lock */
152 /* don't free the page */
161 * The memory barrier inside __SetPageUptodate makes sure that
162 * preceding stores to the page contents become visible before
163 * the set_pte_at() write.
165 __SetPageUptodate(page);
168 if (mem_cgroup_charge(page_folio(page), dst_mm, GFP_KERNEL))
171 ret = mfill_atomic_install_pte(dst_mm, dst_pmd, dst_vma, dst_addr,
172 page, true, wp_copy);
182 static int mfill_zeropage_pte(struct mm_struct *dst_mm,
184 struct vm_area_struct *dst_vma,
185 unsigned long dst_addr)
187 pte_t _dst_pte, *dst_pte;
190 pgoff_t offset, max_off;
193 _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
194 dst_vma->vm_page_prot));
195 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
196 if (dst_vma->vm_file) {
197 /* the shmem MAP_PRIVATE case requires checking the i_size */
198 inode = dst_vma->vm_file->f_inode;
199 offset = linear_page_index(dst_vma, dst_addr);
200 max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
202 if (unlikely(offset >= max_off))
206 if (!pte_none(*dst_pte))
208 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
209 /* No need to invalidate - it was non-present before */
210 update_mmu_cache(dst_vma, dst_addr, dst_pte);
213 pte_unmap_unlock(dst_pte, ptl);
217 /* Handles UFFDIO_CONTINUE for all shmem VMAs (shared or private). */
218 static int mcontinue_atomic_pte(struct mm_struct *dst_mm,
220 struct vm_area_struct *dst_vma,
221 unsigned long dst_addr,
224 struct inode *inode = file_inode(dst_vma->vm_file);
225 pgoff_t pgoff = linear_page_index(dst_vma, dst_addr);
229 ret = shmem_getpage(inode, pgoff, &page, SGP_READ);
237 if (PageHWPoison(page)) {
242 ret = mfill_atomic_install_pte(dst_mm, dst_pmd, dst_vma, dst_addr,
243 page, false, wp_copy);
257 static pmd_t *mm_alloc_pmd(struct mm_struct *mm, unsigned long address)
263 pgd = pgd_offset(mm, address);
264 p4d = p4d_alloc(mm, pgd, address);
267 pud = pud_alloc(mm, p4d, address);
271 * Note that we didn't run this because the pmd was
272 * missing, the *pmd may be already established and in
273 * turn it may also be a trans_huge_pmd.
275 return pmd_alloc(mm, pud, address);
278 #ifdef CONFIG_HUGETLB_PAGE
280 * __mcopy_atomic processing for HUGETLB vmas. Note that this routine is
281 * called with mmap_lock held, it will release mmap_lock before returning.
283 static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm,
284 struct vm_area_struct *dst_vma,
285 unsigned long dst_start,
286 unsigned long src_start,
288 enum mcopy_atomic_mode mode)
290 int vm_shared = dst_vma->vm_flags & VM_SHARED;
293 unsigned long src_addr, dst_addr;
296 unsigned long vma_hpagesize;
299 struct address_space *mapping;
302 * There is no default zero huge page for all huge page sizes as
303 * supported by hugetlb. A PMD_SIZE huge pages may exist as used
304 * by THP. Since we can not reliably insert a zero page, this
305 * feature is not supported.
307 if (mode == MCOPY_ATOMIC_ZEROPAGE) {
308 mmap_read_unlock(dst_mm);
312 src_addr = src_start;
313 dst_addr = dst_start;
316 vma_hpagesize = vma_kernel_pagesize(dst_vma);
319 * Validate alignment based on huge page size
322 if (dst_start & (vma_hpagesize - 1) || len & (vma_hpagesize - 1))
327 * On routine entry dst_vma is set. If we had to drop mmap_lock and
328 * retry, dst_vma will be set to NULL and we must lookup again.
332 dst_vma = find_dst_vma(dst_mm, dst_start, len);
333 if (!dst_vma || !is_vm_hugetlb_page(dst_vma))
337 if (vma_hpagesize != vma_kernel_pagesize(dst_vma))
340 vm_shared = dst_vma->vm_flags & VM_SHARED;
344 * If not shared, ensure the dst_vma has a anon_vma.
348 if (unlikely(anon_vma_prepare(dst_vma)))
352 while (src_addr < src_start + len) {
353 BUG_ON(dst_addr >= dst_start + len);
356 * Serialize via i_mmap_rwsem and hugetlb_fault_mutex.
357 * i_mmap_rwsem ensures the dst_pte remains valid even
358 * in the case of shared pmds. fault mutex prevents
359 * races with other faulting threads.
361 mapping = dst_vma->vm_file->f_mapping;
362 i_mmap_lock_read(mapping);
363 idx = linear_page_index(dst_vma, dst_addr);
364 hash = hugetlb_fault_mutex_hash(mapping, idx);
365 mutex_lock(&hugetlb_fault_mutex_table[hash]);
368 dst_pte = huge_pte_alloc(dst_mm, dst_vma, dst_addr, vma_hpagesize);
370 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
371 i_mmap_unlock_read(mapping);
375 if (mode != MCOPY_ATOMIC_CONTINUE &&
376 !huge_pte_none(huge_ptep_get(dst_pte))) {
378 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
379 i_mmap_unlock_read(mapping);
383 err = hugetlb_mcopy_atomic_pte(dst_mm, dst_pte, dst_vma,
384 dst_addr, src_addr, mode, &page);
386 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
387 i_mmap_unlock_read(mapping);
391 if (unlikely(err == -ENOENT)) {
392 mmap_read_unlock(dst_mm);
395 err = copy_huge_page_from_user(page,
396 (const void __user *)src_addr,
397 vma_hpagesize / PAGE_SIZE,
403 mmap_read_lock(dst_mm);
411 dst_addr += vma_hpagesize;
412 src_addr += vma_hpagesize;
413 copied += vma_hpagesize;
415 if (fatal_signal_pending(current))
423 mmap_read_unlock(dst_mm);
429 BUG_ON(!copied && !err);
430 return copied ? copied : err;
432 #else /* !CONFIG_HUGETLB_PAGE */
433 /* fail at build time if gcc attempts to use this */
434 extern ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm,
435 struct vm_area_struct *dst_vma,
436 unsigned long dst_start,
437 unsigned long src_start,
439 enum mcopy_atomic_mode mode);
440 #endif /* CONFIG_HUGETLB_PAGE */
442 static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm,
444 struct vm_area_struct *dst_vma,
445 unsigned long dst_addr,
446 unsigned long src_addr,
448 enum mcopy_atomic_mode mode,
453 if (mode == MCOPY_ATOMIC_CONTINUE) {
454 return mcontinue_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr,
459 * The normal page fault path for a shmem will invoke the
460 * fault, fill the hole in the file and COW it right away. The
461 * result generates plain anonymous memory. So when we are
462 * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll
463 * generate anonymous memory directly without actually filling
464 * the hole. For the MAP_PRIVATE case the robustness check
465 * only happens in the pagetable (to verify it's still none)
466 * and not in the radix tree.
468 if (!(dst_vma->vm_flags & VM_SHARED)) {
469 if (mode == MCOPY_ATOMIC_NORMAL)
470 err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma,
471 dst_addr, src_addr, page,
474 err = mfill_zeropage_pte(dst_mm, dst_pmd,
477 VM_WARN_ON_ONCE(wp_copy);
478 err = shmem_mfill_atomic_pte(dst_mm, dst_pmd, dst_vma,
480 mode != MCOPY_ATOMIC_NORMAL,
487 static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
488 unsigned long dst_start,
489 unsigned long src_start,
491 enum mcopy_atomic_mode mcopy_mode,
492 atomic_t *mmap_changing,
495 struct vm_area_struct *dst_vma;
498 unsigned long src_addr, dst_addr;
504 * Sanitize the command parameters:
506 BUG_ON(dst_start & ~PAGE_MASK);
507 BUG_ON(len & ~PAGE_MASK);
509 /* Does the address range wrap, or is the span zero-sized? */
510 BUG_ON(src_start + len <= src_start);
511 BUG_ON(dst_start + len <= dst_start);
513 src_addr = src_start;
514 dst_addr = dst_start;
518 mmap_read_lock(dst_mm);
521 * If memory mappings are changing because of non-cooperative
522 * operation (e.g. mremap) running in parallel, bail out and
523 * request the user to retry later
526 if (mmap_changing && atomic_read(mmap_changing))
530 * Make sure the vma is not shared, that the dst range is
531 * both valid and fully within a single existing vma.
534 dst_vma = find_dst_vma(dst_mm, dst_start, len);
540 * shmem_zero_setup is invoked in mmap for MAP_ANONYMOUS|MAP_SHARED but
541 * it will overwrite vm_ops, so vma_is_anonymous must return false.
543 if (WARN_ON_ONCE(vma_is_anonymous(dst_vma) &&
544 dst_vma->vm_flags & VM_SHARED))
548 * validate 'mode' now that we know the dst_vma: don't allow
549 * a wrprotect copy if the userfaultfd didn't register as WP.
551 wp_copy = mode & UFFDIO_COPY_MODE_WP;
552 if (wp_copy && !(dst_vma->vm_flags & VM_UFFD_WP))
556 * If this is a HUGETLB vma, pass off to appropriate routine
558 if (is_vm_hugetlb_page(dst_vma))
559 return __mcopy_atomic_hugetlb(dst_mm, dst_vma, dst_start,
560 src_start, len, mcopy_mode);
562 if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma))
564 if (!vma_is_shmem(dst_vma) && mcopy_mode == MCOPY_ATOMIC_CONTINUE)
568 * Ensure the dst_vma has a anon_vma or this page
569 * would get a NULL anon_vma when moved in the
573 if (!(dst_vma->vm_flags & VM_SHARED) &&
574 unlikely(anon_vma_prepare(dst_vma)))
577 while (src_addr < src_start + len) {
580 BUG_ON(dst_addr >= dst_start + len);
582 dst_pmd = mm_alloc_pmd(dst_mm, dst_addr);
583 if (unlikely(!dst_pmd)) {
588 dst_pmdval = pmd_read_atomic(dst_pmd);
590 * If the dst_pmd is mapped as THP don't
591 * override it and just be strict.
593 if (unlikely(pmd_trans_huge(dst_pmdval))) {
597 if (unlikely(pmd_none(dst_pmdval)) &&
598 unlikely(__pte_alloc(dst_mm, dst_pmd))) {
602 /* If an huge pmd materialized from under us fail */
603 if (unlikely(pmd_trans_huge(*dst_pmd))) {
608 BUG_ON(pmd_none(*dst_pmd));
609 BUG_ON(pmd_trans_huge(*dst_pmd));
611 err = mfill_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr,
612 src_addr, &page, mcopy_mode, wp_copy);
615 if (unlikely(err == -ENOENT)) {
618 mmap_read_unlock(dst_mm);
621 page_kaddr = kmap(page);
622 err = copy_from_user(page_kaddr,
623 (const void __user *) src_addr,
635 dst_addr += PAGE_SIZE;
636 src_addr += PAGE_SIZE;
639 if (fatal_signal_pending(current))
647 mmap_read_unlock(dst_mm);
653 BUG_ON(!copied && !err);
654 return copied ? copied : err;
657 ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start,
658 unsigned long src_start, unsigned long len,
659 atomic_t *mmap_changing, __u64 mode)
661 return __mcopy_atomic(dst_mm, dst_start, src_start, len,
662 MCOPY_ATOMIC_NORMAL, mmap_changing, mode);
665 ssize_t mfill_zeropage(struct mm_struct *dst_mm, unsigned long start,
666 unsigned long len, atomic_t *mmap_changing)
668 return __mcopy_atomic(dst_mm, start, 0, len, MCOPY_ATOMIC_ZEROPAGE,
672 ssize_t mcopy_continue(struct mm_struct *dst_mm, unsigned long start,
673 unsigned long len, atomic_t *mmap_changing)
675 return __mcopy_atomic(dst_mm, start, 0, len, MCOPY_ATOMIC_CONTINUE,
679 int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,
680 unsigned long len, bool enable_wp,
681 atomic_t *mmap_changing)
683 struct vm_area_struct *dst_vma;
688 * Sanitize the command parameters:
690 BUG_ON(start & ~PAGE_MASK);
691 BUG_ON(len & ~PAGE_MASK);
693 /* Does the address range wrap, or is the span zero-sized? */
694 BUG_ON(start + len <= start);
696 mmap_read_lock(dst_mm);
699 * If memory mappings are changing because of non-cooperative
700 * operation (e.g. mremap) running in parallel, bail out and
701 * request the user to retry later
704 if (mmap_changing && atomic_read(mmap_changing))
708 dst_vma = find_dst_vma(dst_mm, start, len);
710 * Make sure the vma is not shared, that the dst range is
711 * both valid and fully within a single existing vma.
713 if (!dst_vma || (dst_vma->vm_flags & VM_SHARED))
715 if (!userfaultfd_wp(dst_vma))
717 if (!vma_is_anonymous(dst_vma))
721 newprot = vm_get_page_prot(dst_vma->vm_flags & ~(VM_WRITE));
723 newprot = vm_get_page_prot(dst_vma->vm_flags);
725 change_protection(dst_vma, start, start + len, newprot,
726 enable_wp ? MM_CP_UFFD_WP : MM_CP_UFFD_WP_RESOLVE);
730 mmap_read_unlock(dst_mm);
projects / linux-2.6-microblaze.git / blob