1 // SPDX-License-Identifier: GPL-2.0-only
5 * Copyright (C) 2015 Red Hat, Inc.
9 #include <linux/sched/signal.h>
10 #include <linux/pagemap.h>
11 #include <linux/rmap.h>
12 #include <linux/swap.h>
13 #include <linux/swapops.h>
14 #include <linux/userfaultfd_k.h>
15 #include <linux/mmu_notifier.h>
16 #include <linux/hugetlb.h>
17 #include <linux/shmem_fs.h>
18 #include <asm/tlbflush.h>
22 static __always_inline
23 struct vm_area_struct *find_dst_vma(struct mm_struct *dst_mm,
24 unsigned long dst_start,
28 * Make sure that the dst range is both valid and fully within a
29 * single existing vma.
31 struct vm_area_struct *dst_vma;
33 dst_vma = find_vma(dst_mm, dst_start);
34 if (!range_in_vma(dst_vma, dst_start, dst_start + len))
38 * Check the vma is registered in uffd, this is required to
39 * enforce the VM_MAYWRITE check done at uffd registration
42 if (!dst_vma->vm_userfaultfd_ctx.ctx)
48 /* Check if dst_addr is outside of file's size. Must be called with ptl held. */
49 static bool mfill_file_over_size(struct vm_area_struct *dst_vma,
50 unsigned long dst_addr)
53 pgoff_t offset, max_off;
55 if (!dst_vma->vm_file)
58 inode = dst_vma->vm_file->f_inode;
59 offset = linear_page_index(dst_vma, dst_addr);
60 max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
61 return offset >= max_off;
65 * Install PTEs, to map dst_addr (within dst_vma) to page.
67 * This function handles both MCOPY_ATOMIC_NORMAL and _CONTINUE for both shmem
68 * and anon, and for both shared and private VMAs.
70 int mfill_atomic_install_pte(pmd_t *dst_pmd,
71 struct vm_area_struct *dst_vma,
72 unsigned long dst_addr, struct page *page,
73 bool newly_allocated, uffd_flags_t flags)
76 struct mm_struct *dst_mm = dst_vma->vm_mm;
77 pte_t _dst_pte, *dst_pte;
78 bool writable = dst_vma->vm_flags & VM_WRITE;
79 bool vm_shared = dst_vma->vm_flags & VM_SHARED;
80 bool page_in_cache = page_mapping(page);
84 _dst_pte = mk_pte(page, dst_vma->vm_page_prot);
85 _dst_pte = pte_mkdirty(_dst_pte);
86 if (page_in_cache && !vm_shared)
89 _dst_pte = pte_mkwrite(_dst_pte, dst_vma);
90 if (flags & MFILL_ATOMIC_WP)
91 _dst_pte = pte_mkuffd_wp(_dst_pte);
94 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
98 if (mfill_file_over_size(dst_vma, dst_addr)) {
105 * We allow to overwrite a pte marker: consider when both MISSING|WP
106 * registered, we firstly wr-protect a none pte which has no page cache
107 * page backing it, then access the page.
109 if (!pte_none_mostly(ptep_get(dst_pte)))
112 folio = page_folio(page);
114 /* Usually, cache pages are already added to LRU */
116 folio_add_lru(folio);
117 folio_add_file_rmap_pte(folio, page, dst_vma);
119 folio_add_new_anon_rmap(folio, dst_vma, dst_addr);
120 folio_add_lru_vma(folio, dst_vma);
124 * Must happen after rmap, as mm_counter() checks mapping (via
125 * PageAnon()), which is set by __page_set_anon_rmap().
127 inc_mm_counter(dst_mm, mm_counter(page));
129 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
131 /* No need to invalidate - it was non-present before */
132 update_mmu_cache(dst_vma, dst_addr, dst_pte);
135 pte_unmap_unlock(dst_pte, ptl);
140 static int mfill_atomic_pte_copy(pmd_t *dst_pmd,
141 struct vm_area_struct *dst_vma,
142 unsigned long dst_addr,
143 unsigned long src_addr,
145 struct folio **foliop)
153 folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, dst_vma,
158 kaddr = kmap_local_folio(folio, 0);
160 * The read mmap_lock is held here. Despite the
161 * mmap_lock being read recursive a deadlock is still
162 * possible if a writer has taken a lock. For example:
164 * process A thread 1 takes read lock on own mmap_lock
165 * process A thread 2 calls mmap, blocks taking write lock
166 * process B thread 1 takes page fault, read lock on own mmap lock
167 * process B thread 2 calls mmap, blocks taking write lock
168 * process A thread 1 blocks taking read lock on process B
169 * process B thread 1 blocks taking read lock on process A
171 * Disable page faults to prevent potential deadlock
172 * and retry the copy outside the mmap_lock.
175 ret = copy_from_user(kaddr, (const void __user *) src_addr,
180 /* fallback to copy_from_user outside mmap_lock */
184 /* don't free the page */
188 flush_dcache_folio(folio);
195 * The memory barrier inside __folio_mark_uptodate makes sure that
196 * preceding stores to the page contents become visible before
197 * the set_pte_at() write.
199 __folio_mark_uptodate(folio);
202 if (mem_cgroup_charge(folio, dst_vma->vm_mm, GFP_KERNEL))
205 ret = mfill_atomic_install_pte(dst_pmd, dst_vma, dst_addr,
206 &folio->page, true, flags);
216 static int mfill_atomic_pte_zeropage(pmd_t *dst_pmd,
217 struct vm_area_struct *dst_vma,
218 unsigned long dst_addr)
220 pte_t _dst_pte, *dst_pte;
224 _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
225 dst_vma->vm_page_prot));
227 dst_pte = pte_offset_map_lock(dst_vma->vm_mm, dst_pmd, dst_addr, &ptl);
230 if (mfill_file_over_size(dst_vma, dst_addr)) {
235 if (!pte_none(ptep_get(dst_pte)))
237 set_pte_at(dst_vma->vm_mm, dst_addr, dst_pte, _dst_pte);
238 /* No need to invalidate - it was non-present before */
239 update_mmu_cache(dst_vma, dst_addr, dst_pte);
242 pte_unmap_unlock(dst_pte, ptl);
247 /* Handles UFFDIO_CONTINUE for all shmem VMAs (shared or private). */
248 static int mfill_atomic_pte_continue(pmd_t *dst_pmd,
249 struct vm_area_struct *dst_vma,
250 unsigned long dst_addr,
253 struct inode *inode = file_inode(dst_vma->vm_file);
254 pgoff_t pgoff = linear_page_index(dst_vma, dst_addr);
259 ret = shmem_get_folio(inode, pgoff, &folio, SGP_NOALLOC);
260 /* Our caller expects us to return -EFAULT if we failed to find folio */
270 page = folio_file_page(folio, pgoff);
271 if (PageHWPoison(page)) {
276 ret = mfill_atomic_install_pte(dst_pmd, dst_vma, dst_addr,
291 /* Handles UFFDIO_POISON for all non-hugetlb VMAs. */
292 static int mfill_atomic_pte_poison(pmd_t *dst_pmd,
293 struct vm_area_struct *dst_vma,
294 unsigned long dst_addr,
298 struct mm_struct *dst_mm = dst_vma->vm_mm;
299 pte_t _dst_pte, *dst_pte;
302 _dst_pte = make_pte_marker(PTE_MARKER_POISONED);
304 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
308 if (mfill_file_over_size(dst_vma, dst_addr)) {
314 /* Refuse to overwrite any PTE, even a PTE marker (e.g. UFFD WP). */
315 if (!pte_none(ptep_get(dst_pte)))
318 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
320 /* No need to invalidate - it was non-present before */
321 update_mmu_cache(dst_vma, dst_addr, dst_pte);
324 pte_unmap_unlock(dst_pte, ptl);
329 static pmd_t *mm_alloc_pmd(struct mm_struct *mm, unsigned long address)
335 pgd = pgd_offset(mm, address);
336 p4d = p4d_alloc(mm, pgd, address);
339 pud = pud_alloc(mm, p4d, address);
343 * Note that we didn't run this because the pmd was
344 * missing, the *pmd may be already established and in
345 * turn it may also be a trans_huge_pmd.
347 return pmd_alloc(mm, pud, address);
350 #ifdef CONFIG_HUGETLB_PAGE
352 * mfill_atomic processing for HUGETLB vmas. Note that this routine is
353 * called with mmap_lock held, it will release mmap_lock before returning.
355 static __always_inline ssize_t mfill_atomic_hugetlb(
356 struct vm_area_struct *dst_vma,
357 unsigned long dst_start,
358 unsigned long src_start,
362 struct mm_struct *dst_mm = dst_vma->vm_mm;
363 int vm_shared = dst_vma->vm_flags & VM_SHARED;
366 unsigned long src_addr, dst_addr;
369 unsigned long vma_hpagesize;
372 struct address_space *mapping;
375 * There is no default zero huge page for all huge page sizes as
376 * supported by hugetlb. A PMD_SIZE huge pages may exist as used
377 * by THP. Since we can not reliably insert a zero page, this
378 * feature is not supported.
380 if (uffd_flags_mode_is(flags, MFILL_ATOMIC_ZEROPAGE)) {
381 mmap_read_unlock(dst_mm);
385 src_addr = src_start;
386 dst_addr = dst_start;
389 vma_hpagesize = vma_kernel_pagesize(dst_vma);
392 * Validate alignment based on huge page size
395 if (dst_start & (vma_hpagesize - 1) || len & (vma_hpagesize - 1))
400 * On routine entry dst_vma is set. If we had to drop mmap_lock and
401 * retry, dst_vma will be set to NULL and we must lookup again.
405 dst_vma = find_dst_vma(dst_mm, dst_start, len);
406 if (!dst_vma || !is_vm_hugetlb_page(dst_vma))
410 if (vma_hpagesize != vma_kernel_pagesize(dst_vma))
413 vm_shared = dst_vma->vm_flags & VM_SHARED;
417 * If not shared, ensure the dst_vma has a anon_vma.
421 if (unlikely(anon_vma_prepare(dst_vma)))
425 while (src_addr < src_start + len) {
426 BUG_ON(dst_addr >= dst_start + len);
429 * Serialize via vma_lock and hugetlb_fault_mutex.
430 * vma_lock ensures the dst_pte remains valid even
431 * in the case of shared pmds. fault mutex prevents
432 * races with other faulting threads.
434 idx = linear_page_index(dst_vma, dst_addr);
435 mapping = dst_vma->vm_file->f_mapping;
436 hash = hugetlb_fault_mutex_hash(mapping, idx);
437 mutex_lock(&hugetlb_fault_mutex_table[hash]);
438 hugetlb_vma_lock_read(dst_vma);
441 dst_pte = huge_pte_alloc(dst_mm, dst_vma, dst_addr, vma_hpagesize);
443 hugetlb_vma_unlock_read(dst_vma);
444 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
448 if (!uffd_flags_mode_is(flags, MFILL_ATOMIC_CONTINUE) &&
449 !huge_pte_none_mostly(huge_ptep_get(dst_pte))) {
451 hugetlb_vma_unlock_read(dst_vma);
452 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
456 err = hugetlb_mfill_atomic_pte(dst_pte, dst_vma, dst_addr,
457 src_addr, flags, &folio);
459 hugetlb_vma_unlock_read(dst_vma);
460 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
464 if (unlikely(err == -ENOENT)) {
465 mmap_read_unlock(dst_mm);
468 err = copy_folio_from_user(folio,
469 (const void __user *)src_addr, true);
474 mmap_read_lock(dst_mm);
482 dst_addr += vma_hpagesize;
483 src_addr += vma_hpagesize;
484 copied += vma_hpagesize;
486 if (fatal_signal_pending(current))
494 mmap_read_unlock(dst_mm);
500 BUG_ON(!copied && !err);
501 return copied ? copied : err;
503 #else /* !CONFIG_HUGETLB_PAGE */
504 /* fail at build time if gcc attempts to use this */
505 extern ssize_t mfill_atomic_hugetlb(struct vm_area_struct *dst_vma,
506 unsigned long dst_start,
507 unsigned long src_start,
510 #endif /* CONFIG_HUGETLB_PAGE */
512 static __always_inline ssize_t mfill_atomic_pte(pmd_t *dst_pmd,
513 struct vm_area_struct *dst_vma,
514 unsigned long dst_addr,
515 unsigned long src_addr,
517 struct folio **foliop)
521 if (uffd_flags_mode_is(flags, MFILL_ATOMIC_CONTINUE)) {
522 return mfill_atomic_pte_continue(dst_pmd, dst_vma,
524 } else if (uffd_flags_mode_is(flags, MFILL_ATOMIC_POISON)) {
525 return mfill_atomic_pte_poison(dst_pmd, dst_vma,
530 * The normal page fault path for a shmem will invoke the
531 * fault, fill the hole in the file and COW it right away. The
532 * result generates plain anonymous memory. So when we are
533 * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll
534 * generate anonymous memory directly without actually filling
535 * the hole. For the MAP_PRIVATE case the robustness check
536 * only happens in the pagetable (to verify it's still none)
537 * and not in the radix tree.
539 if (!(dst_vma->vm_flags & VM_SHARED)) {
540 if (uffd_flags_mode_is(flags, MFILL_ATOMIC_COPY))
541 err = mfill_atomic_pte_copy(dst_pmd, dst_vma,
545 err = mfill_atomic_pte_zeropage(dst_pmd,
548 err = shmem_mfill_atomic_pte(dst_pmd, dst_vma,
556 static __always_inline ssize_t mfill_atomic(struct mm_struct *dst_mm,
557 unsigned long dst_start,
558 unsigned long src_start,
560 atomic_t *mmap_changing,
563 struct vm_area_struct *dst_vma;
566 unsigned long src_addr, dst_addr;
571 * Sanitize the command parameters:
573 BUG_ON(dst_start & ~PAGE_MASK);
574 BUG_ON(len & ~PAGE_MASK);
576 /* Does the address range wrap, or is the span zero-sized? */
577 BUG_ON(src_start + len <= src_start);
578 BUG_ON(dst_start + len <= dst_start);
580 src_addr = src_start;
581 dst_addr = dst_start;
585 mmap_read_lock(dst_mm);
588 * If memory mappings are changing because of non-cooperative
589 * operation (e.g. mremap) running in parallel, bail out and
590 * request the user to retry later
593 if (mmap_changing && atomic_read(mmap_changing))
597 * Make sure the vma is not shared, that the dst range is
598 * both valid and fully within a single existing vma.
601 dst_vma = find_dst_vma(dst_mm, dst_start, len);
607 * shmem_zero_setup is invoked in mmap for MAP_ANONYMOUS|MAP_SHARED but
608 * it will overwrite vm_ops, so vma_is_anonymous must return false.
610 if (WARN_ON_ONCE(vma_is_anonymous(dst_vma) &&
611 dst_vma->vm_flags & VM_SHARED))
615 * validate 'mode' now that we know the dst_vma: don't allow
616 * a wrprotect copy if the userfaultfd didn't register as WP.
618 if ((flags & MFILL_ATOMIC_WP) && !(dst_vma->vm_flags & VM_UFFD_WP))
622 * If this is a HUGETLB vma, pass off to appropriate routine
624 if (is_vm_hugetlb_page(dst_vma))
625 return mfill_atomic_hugetlb(dst_vma, dst_start,
626 src_start, len, flags);
628 if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma))
630 if (!vma_is_shmem(dst_vma) &&
631 uffd_flags_mode_is(flags, MFILL_ATOMIC_CONTINUE))
635 * Ensure the dst_vma has a anon_vma or this page
636 * would get a NULL anon_vma when moved in the
640 if (!(dst_vma->vm_flags & VM_SHARED) &&
641 unlikely(anon_vma_prepare(dst_vma)))
644 while (src_addr < src_start + len) {
647 BUG_ON(dst_addr >= dst_start + len);
649 dst_pmd = mm_alloc_pmd(dst_mm, dst_addr);
650 if (unlikely(!dst_pmd)) {
655 dst_pmdval = pmdp_get_lockless(dst_pmd);
657 * If the dst_pmd is mapped as THP don't
658 * override it and just be strict.
660 if (unlikely(pmd_trans_huge(dst_pmdval))) {
664 if (unlikely(pmd_none(dst_pmdval)) &&
665 unlikely(__pte_alloc(dst_mm, dst_pmd))) {
669 /* If an huge pmd materialized from under us fail */
670 if (unlikely(pmd_trans_huge(*dst_pmd))) {
675 BUG_ON(pmd_none(*dst_pmd));
676 BUG_ON(pmd_trans_huge(*dst_pmd));
678 err = mfill_atomic_pte(dst_pmd, dst_vma, dst_addr,
679 src_addr, flags, &folio);
682 if (unlikely(err == -ENOENT)) {
685 mmap_read_unlock(dst_mm);
688 kaddr = kmap_local_folio(folio, 0);
689 err = copy_from_user(kaddr,
690 (const void __user *) src_addr,
697 flush_dcache_folio(folio);
703 dst_addr += PAGE_SIZE;
704 src_addr += PAGE_SIZE;
707 if (fatal_signal_pending(current))
715 mmap_read_unlock(dst_mm);
721 BUG_ON(!copied && !err);
722 return copied ? copied : err;
725 ssize_t mfill_atomic_copy(struct mm_struct *dst_mm, unsigned long dst_start,
726 unsigned long src_start, unsigned long len,
727 atomic_t *mmap_changing, uffd_flags_t flags)
729 return mfill_atomic(dst_mm, dst_start, src_start, len, mmap_changing,
730 uffd_flags_set_mode(flags, MFILL_ATOMIC_COPY));
733 ssize_t mfill_atomic_zeropage(struct mm_struct *dst_mm, unsigned long start,
734 unsigned long len, atomic_t *mmap_changing)
736 return mfill_atomic(dst_mm, start, 0, len, mmap_changing,
737 uffd_flags_set_mode(0, MFILL_ATOMIC_ZEROPAGE));
740 ssize_t mfill_atomic_continue(struct mm_struct *dst_mm, unsigned long start,
741 unsigned long len, atomic_t *mmap_changing,
744 return mfill_atomic(dst_mm, start, 0, len, mmap_changing,
745 uffd_flags_set_mode(flags, MFILL_ATOMIC_CONTINUE));
748 ssize_t mfill_atomic_poison(struct mm_struct *dst_mm, unsigned long start,
749 unsigned long len, atomic_t *mmap_changing,
752 return mfill_atomic(dst_mm, start, 0, len, mmap_changing,
753 uffd_flags_set_mode(flags, MFILL_ATOMIC_POISON));
756 long uffd_wp_range(struct vm_area_struct *dst_vma,
757 unsigned long start, unsigned long len, bool enable_wp)
759 unsigned int mm_cp_flags;
760 struct mmu_gather tlb;
763 VM_WARN_ONCE(start < dst_vma->vm_start || start + len > dst_vma->vm_end,
764 "The address range exceeds VMA boundary.\n");
766 mm_cp_flags = MM_CP_UFFD_WP;
768 mm_cp_flags = MM_CP_UFFD_WP_RESOLVE;
771 * vma->vm_page_prot already reflects that uffd-wp is enabled for this
772 * VMA (see userfaultfd_set_vm_flags()) and that all PTEs are supposed
773 * to be write-protected as default whenever protection changes.
774 * Try upgrading write permissions manually.
776 if (!enable_wp && vma_wants_manual_pte_write_upgrade(dst_vma))
777 mm_cp_flags |= MM_CP_TRY_CHANGE_WRITABLE;
778 tlb_gather_mmu(&tlb, dst_vma->vm_mm);
779 ret = change_protection(&tlb, dst_vma, start, start + len, mm_cp_flags);
780 tlb_finish_mmu(&tlb);
785 int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,
786 unsigned long len, bool enable_wp,
787 atomic_t *mmap_changing)
789 unsigned long end = start + len;
790 unsigned long _start, _end;
791 struct vm_area_struct *dst_vma;
792 unsigned long page_mask;
794 VMA_ITERATOR(vmi, dst_mm, start);
797 * Sanitize the command parameters:
799 BUG_ON(start & ~PAGE_MASK);
800 BUG_ON(len & ~PAGE_MASK);
802 /* Does the address range wrap, or is the span zero-sized? */
803 BUG_ON(start + len <= start);
805 mmap_read_lock(dst_mm);
808 * If memory mappings are changing because of non-cooperative
809 * operation (e.g. mremap) running in parallel, bail out and
810 * request the user to retry later
813 if (mmap_changing && atomic_read(mmap_changing))
817 for_each_vma_range(vmi, dst_vma, end) {
819 if (!userfaultfd_wp(dst_vma)) {
824 if (is_vm_hugetlb_page(dst_vma)) {
826 page_mask = vma_kernel_pagesize(dst_vma) - 1;
827 if ((start & page_mask) || (len & page_mask))
831 _start = max(dst_vma->vm_start, start);
832 _end = min(dst_vma->vm_end, end);
834 err = uffd_wp_range(dst_vma, _start, _end - _start, enable_wp);
836 /* Return 0 on success, <0 on failures */
842 mmap_read_unlock(dst_mm);
847 void double_pt_lock(spinlock_t *ptl1,
855 /* exchange ptl1 and ptl2 */
860 /* lock in virtual address order to avoid lock inversion */
863 spin_lock_nested(ptl2, SINGLE_DEPTH_NESTING);
868 void double_pt_unlock(spinlock_t *ptl1,
881 static int move_present_pte(struct mm_struct *mm,
882 struct vm_area_struct *dst_vma,
883 struct vm_area_struct *src_vma,
884 unsigned long dst_addr, unsigned long src_addr,
885 pte_t *dst_pte, pte_t *src_pte,
886 pte_t orig_dst_pte, pte_t orig_src_pte,
887 spinlock_t *dst_ptl, spinlock_t *src_ptl,
888 struct folio *src_folio)
892 double_pt_lock(dst_ptl, src_ptl);
894 if (!pte_same(*src_pte, orig_src_pte) ||
895 !pte_same(*dst_pte, orig_dst_pte)) {
899 if (folio_test_large(src_folio) ||
900 folio_maybe_dma_pinned(src_folio) ||
901 !PageAnonExclusive(&src_folio->page)) {
906 folio_move_anon_rmap(src_folio, dst_vma);
907 WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr));
909 orig_src_pte = ptep_clear_flush(src_vma, src_addr, src_pte);
910 /* Folio got pinned from under us. Put it back and fail the move. */
911 if (folio_maybe_dma_pinned(src_folio)) {
912 set_pte_at(mm, src_addr, src_pte, orig_src_pte);
917 orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot);
918 /* Follow mremap() behavior and treat the entry dirty after the move */
919 orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma);
921 set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte);
923 double_pt_unlock(dst_ptl, src_ptl);
927 static int move_swap_pte(struct mm_struct *mm,
928 unsigned long dst_addr, unsigned long src_addr,
929 pte_t *dst_pte, pte_t *src_pte,
930 pte_t orig_dst_pte, pte_t orig_src_pte,
931 spinlock_t *dst_ptl, spinlock_t *src_ptl)
933 if (!pte_swp_exclusive(orig_src_pte))
936 double_pt_lock(dst_ptl, src_ptl);
938 if (!pte_same(*src_pte, orig_src_pte) ||
939 !pte_same(*dst_pte, orig_dst_pte)) {
940 double_pt_unlock(dst_ptl, src_ptl);
944 orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte);
945 set_pte_at(mm, dst_addr, dst_pte, orig_src_pte);
946 double_pt_unlock(dst_ptl, src_ptl);
952 * The mmap_lock for reading is held by the caller. Just move the page
953 * from src_pmd to dst_pmd if possible, and return true if succeeded
954 * in moving the page.
956 static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd,
957 struct vm_area_struct *dst_vma,
958 struct vm_area_struct *src_vma,
959 unsigned long dst_addr, unsigned long src_addr,
963 pte_t orig_src_pte, orig_dst_pte;
965 spinlock_t *src_ptl, *dst_ptl;
966 pte_t *src_pte = NULL;
967 pte_t *dst_pte = NULL;
969 struct folio *src_folio = NULL;
970 struct anon_vma *src_anon_vma = NULL;
971 struct mmu_notifier_range range;
974 flush_cache_range(src_vma, src_addr, src_addr + PAGE_SIZE);
975 mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm,
976 src_addr, src_addr + PAGE_SIZE);
977 mmu_notifier_invalidate_range_start(&range);
979 dst_pte = pte_offset_map_nolock(mm, dst_pmd, dst_addr, &dst_ptl);
981 /* Retry if a huge pmd materialized from under us */
982 if (unlikely(!dst_pte)) {
987 src_pte = pte_offset_map_nolock(mm, src_pmd, src_addr, &src_ptl);
990 * We held the mmap_lock for reading so MADV_DONTNEED
991 * can zap transparent huge pages under us, or the
992 * transparent huge page fault can establish new
993 * transparent huge pages under us.
995 if (unlikely(!src_pte)) {
1000 /* Sanity checks before the operation */
1001 if (WARN_ON_ONCE(pmd_none(*dst_pmd)) || WARN_ON_ONCE(pmd_none(*src_pmd)) ||
1002 WARN_ON_ONCE(pmd_trans_huge(*dst_pmd)) || WARN_ON_ONCE(pmd_trans_huge(*src_pmd))) {
1008 orig_dst_pte = *dst_pte;
1009 spin_unlock(dst_ptl);
1010 if (!pte_none(orig_dst_pte)) {
1016 orig_src_pte = *src_pte;
1017 spin_unlock(src_ptl);
1018 if (pte_none(orig_src_pte)) {
1019 if (!(mode & UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES))
1021 else /* nothing to do to move a hole */
1026 /* If PTE changed after we locked the folio them start over */
1027 if (src_folio && unlikely(!pte_same(src_folio_pte, orig_src_pte))) {
1032 if (pte_present(orig_src_pte)) {
1034 * Pin and lock both source folio and anon_vma. Since we are in
1035 * RCU read section, we can't block, so on contention have to
1036 * unmap the ptes, obtain the lock and retry.
1039 struct folio *folio;
1042 * Pin the page while holding the lock to be sure the
1043 * page isn't freed under us
1046 if (!pte_same(orig_src_pte, *src_pte)) {
1047 spin_unlock(src_ptl);
1052 folio = vm_normal_folio(src_vma, src_addr, orig_src_pte);
1053 if (!folio || !PageAnonExclusive(&folio->page)) {
1054 spin_unlock(src_ptl);
1061 src_folio_pte = orig_src_pte;
1062 spin_unlock(src_ptl);
1064 if (!folio_trylock(src_folio)) {
1065 pte_unmap(&orig_src_pte);
1066 pte_unmap(&orig_dst_pte);
1067 src_pte = dst_pte = NULL;
1068 /* now we can block and wait */
1069 folio_lock(src_folio);
1073 if (WARN_ON_ONCE(!folio_test_anon(src_folio))) {
1079 /* at this point we have src_folio locked */
1080 if (folio_test_large(src_folio)) {
1081 /* split_folio() can block */
1082 pte_unmap(&orig_src_pte);
1083 pte_unmap(&orig_dst_pte);
1084 src_pte = dst_pte = NULL;
1085 err = split_folio(src_folio);
1088 /* have to reacquire the folio after it got split */
1089 folio_unlock(src_folio);
1090 folio_put(src_folio);
1095 if (!src_anon_vma) {
1097 * folio_referenced walks the anon_vma chain
1098 * without the folio lock. Serialize against it with
1099 * the anon_vma lock, the folio lock is not enough.
1101 src_anon_vma = folio_get_anon_vma(src_folio);
1102 if (!src_anon_vma) {
1103 /* page was unmapped from under us */
1107 if (!anon_vma_trylock_write(src_anon_vma)) {
1108 pte_unmap(&orig_src_pte);
1109 pte_unmap(&orig_dst_pte);
1110 src_pte = dst_pte = NULL;
1111 /* now we can block and wait */
1112 anon_vma_lock_write(src_anon_vma);
1117 err = move_present_pte(mm, dst_vma, src_vma,
1118 dst_addr, src_addr, dst_pte, src_pte,
1119 orig_dst_pte, orig_src_pte,
1120 dst_ptl, src_ptl, src_folio);
1122 entry = pte_to_swp_entry(orig_src_pte);
1123 if (non_swap_entry(entry)) {
1124 if (is_migration_entry(entry)) {
1125 pte_unmap(&orig_src_pte);
1126 pte_unmap(&orig_dst_pte);
1127 src_pte = dst_pte = NULL;
1128 migration_entry_wait(mm, src_pmd, src_addr);
1135 err = move_swap_pte(mm, dst_addr, src_addr,
1137 orig_dst_pte, orig_src_pte,
1143 anon_vma_unlock_write(src_anon_vma);
1144 put_anon_vma(src_anon_vma);
1147 folio_unlock(src_folio);
1148 folio_put(src_folio);
1154 mmu_notifier_invalidate_range_end(&range);
1159 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
1160 static inline bool move_splits_huge_pmd(unsigned long dst_addr,
1161 unsigned long src_addr,
1162 unsigned long src_end)
1164 return (src_addr & ~HPAGE_PMD_MASK) || (dst_addr & ~HPAGE_PMD_MASK) ||
1165 src_end - src_addr < HPAGE_PMD_SIZE;
1168 static inline bool move_splits_huge_pmd(unsigned long dst_addr,
1169 unsigned long src_addr,
1170 unsigned long src_end)
1172 /* This is unreachable anyway, just to avoid warnings when HPAGE_PMD_SIZE==0 */
1177 static inline bool vma_move_compatible(struct vm_area_struct *vma)
1179 return !(vma->vm_flags & (VM_PFNMAP | VM_IO | VM_HUGETLB |
1180 VM_MIXEDMAP | VM_SHADOW_STACK));
1183 static int validate_move_areas(struct userfaultfd_ctx *ctx,
1184 struct vm_area_struct *src_vma,
1185 struct vm_area_struct *dst_vma)
1187 /* Only allow moving if both have the same access and protection */
1188 if ((src_vma->vm_flags & VM_ACCESS_FLAGS) != (dst_vma->vm_flags & VM_ACCESS_FLAGS) ||
1189 pgprot_val(src_vma->vm_page_prot) != pgprot_val(dst_vma->vm_page_prot))
1192 /* Only allow moving if both are mlocked or both aren't */
1193 if ((src_vma->vm_flags & VM_LOCKED) != (dst_vma->vm_flags & VM_LOCKED))
1197 * For now, we keep it simple and only move between writable VMAs.
1198 * Access flags are equal, therefore cheching only the source is enough.
1200 if (!(src_vma->vm_flags & VM_WRITE))
1203 /* Check if vma flags indicate content which can be moved */
1204 if (!vma_move_compatible(src_vma) || !vma_move_compatible(dst_vma))
1207 /* Ensure dst_vma is registered in uffd we are operating on */
1208 if (!dst_vma->vm_userfaultfd_ctx.ctx ||
1209 dst_vma->vm_userfaultfd_ctx.ctx != ctx)
1212 /* Only allow moving across anonymous vmas */
1213 if (!vma_is_anonymous(src_vma) || !vma_is_anonymous(dst_vma))
1217 * Ensure the dst_vma has a anon_vma or this page
1218 * would get a NULL anon_vma when moved in the
1221 if (unlikely(anon_vma_prepare(dst_vma)))
1228 * move_pages - move arbitrary anonymous pages of an existing vma
1229 * @ctx: pointer to the userfaultfd context
1230 * @mm: the address space to move pages
1231 * @dst_start: start of the destination virtual memory range
1232 * @src_start: start of the source virtual memory range
1233 * @len: length of the virtual memory range
1234 * @mode: flags from uffdio_move.mode
1236 * Must be called with mmap_lock held for read.
1238 * move_pages() remaps arbitrary anonymous pages atomically in zero
1239 * copy. It only works on non shared anonymous pages because those can
1240 * be relocated without generating non linear anon_vmas in the rmap
1243 * It provides a zero copy mechanism to handle userspace page faults.
1244 * The source vma pages should have mapcount == 1, which can be
1245 * enforced by using madvise(MADV_DONTFORK) on src vma.
1247 * The thread receiving the page during the userland page fault
1248 * will receive the faulting page in the source vma through the network,
1249 * storage or any other I/O device (MADV_DONTFORK in the source vma
1250 * avoids move_pages() to fail with -EBUSY if the process forks before
1251 * move_pages() is called), then it will call move_pages() to map the
1252 * page in the faulting address in the destination vma.
1254 * This userfaultfd command works purely via pagetables, so it's the
1255 * most efficient way to move physical non shared anonymous pages
1256 * across different virtual addresses. Unlike mremap()/mmap()/munmap()
1257 * it does not create any new vmas. The mapping in the destination
1258 * address is atomic.
1260 * It only works if the vma protection bits are identical from the
1261 * source and destination vma.
1263 * It can remap non shared anonymous pages within the same vma too.
1265 * If the source virtual memory range has any unmapped holes, or if
1266 * the destination virtual memory range is not a whole unmapped hole,
1267 * move_pages() will fail respectively with -ENOENT or -EEXIST. This
1268 * provides a very strict behavior to avoid any chance of memory
1269 * corruption going unnoticed if there are userland race conditions.
1270 * Only one thread should resolve the userland page fault at any given
1271 * time for any given faulting address. This means that if two threads
1272 * try to both call move_pages() on the same destination address at the
1273 * same time, the second thread will get an explicit error from this
1276 * The command retval will return "len" is successful. The command
1277 * however can be interrupted by fatal signals or errors. If
1278 * interrupted it will return the number of bytes successfully
1279 * remapped before the interruption if any, or the negative error if
1280 * none. It will never return zero. Either it will return an error or
1281 * an amount of bytes successfully moved. If the retval reports a
1282 * "short" remap, the move_pages() command should be repeated by
1283 * userland with src+retval, dst+reval, len-retval if it wants to know
1284 * about the error that interrupted it.
1286 * The UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES flag can be specified to
1287 * prevent -ENOENT errors to materialize if there are holes in the
1288 * source virtual range that is being remapped. The holes will be
1289 * accounted as successfully remapped in the retval of the
1290 * command. This is mostly useful to remap hugepage naturally aligned
1291 * virtual regions without knowing if there are transparent hugepage
1292 * in the regions or not, but preventing the risk of having to split
1293 * the hugepmd during the remap.
1295 * If there's any rmap walk that is taking the anon_vma locks without
1296 * first obtaining the folio lock (the only current instance is
1297 * folio_referenced), they will have to verify if the folio->mapping
1298 * has changed after taking the anon_vma lock. If it changed they
1299 * should release the lock and retry obtaining a new anon_vma, because
1300 * it means the anon_vma was changed by move_pages() before the lock
1301 * could be obtained. This is the only additional complexity added to
1302 * the rmap code to provide this anonymous page remapping functionality.
1304 ssize_t move_pages(struct userfaultfd_ctx *ctx, struct mm_struct *mm,
1305 unsigned long dst_start, unsigned long src_start,
1306 unsigned long len, __u64 mode)
1308 struct vm_area_struct *src_vma, *dst_vma;
1309 unsigned long src_addr, dst_addr;
1310 pmd_t *src_pmd, *dst_pmd;
1314 /* Sanitize the command parameters. */
1315 if (WARN_ON_ONCE(src_start & ~PAGE_MASK) ||
1316 WARN_ON_ONCE(dst_start & ~PAGE_MASK) ||
1317 WARN_ON_ONCE(len & ~PAGE_MASK))
1320 /* Does the address range wrap, or is the span zero-sized? */
1321 if (WARN_ON_ONCE(src_start + len <= src_start) ||
1322 WARN_ON_ONCE(dst_start + len <= dst_start))
1326 * Make sure the vma is not shared, that the src and dst remap
1327 * ranges are both valid and fully within a single existing
1330 src_vma = find_vma(mm, src_start);
1331 if (!src_vma || (src_vma->vm_flags & VM_SHARED))
1333 if (src_start < src_vma->vm_start ||
1334 src_start + len > src_vma->vm_end)
1337 dst_vma = find_vma(mm, dst_start);
1338 if (!dst_vma || (dst_vma->vm_flags & VM_SHARED))
1340 if (dst_start < dst_vma->vm_start ||
1341 dst_start + len > dst_vma->vm_end)
1344 err = validate_move_areas(ctx, src_vma, dst_vma);
1348 for (src_addr = src_start, dst_addr = dst_start;
1349 src_addr < src_start + len;) {
1352 unsigned long step_size;
1355 * Below works because anonymous area would not have a
1356 * transparent huge PUD. If file-backed support is added,
1357 * that case would need to be handled here.
1359 src_pmd = mm_find_pmd(mm, src_addr);
1360 if (unlikely(!src_pmd)) {
1361 if (!(mode & UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES)) {
1365 src_pmd = mm_alloc_pmd(mm, src_addr);
1366 if (unlikely(!src_pmd)) {
1371 dst_pmd = mm_alloc_pmd(mm, dst_addr);
1372 if (unlikely(!dst_pmd)) {
1377 dst_pmdval = pmdp_get_lockless(dst_pmd);
1379 * If the dst_pmd is mapped as THP don't override it and just
1380 * be strict. If dst_pmd changes into TPH after this check, the
1381 * move_pages_huge_pmd() will detect the change and retry
1382 * while move_pages_pte() will detect the change and fail.
1384 if (unlikely(pmd_trans_huge(dst_pmdval))) {
1389 ptl = pmd_trans_huge_lock(src_pmd, src_vma);
1391 if (pmd_devmap(*src_pmd)) {
1396 /* Avoid moving zeropages for now */
1397 if (is_huge_zero_pmd(*src_pmd)) {
1403 /* Check if we can move the pmd without splitting it. */
1404 if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) ||
1405 !pmd_none(dst_pmdval)) {
1406 struct folio *folio = pfn_folio(pmd_pfn(*src_pmd));
1408 if (!folio || !PageAnonExclusive(&folio->page)) {
1415 split_huge_pmd(src_vma, src_pmd, src_addr);
1416 /* The folio will be split by move_pages_pte() */
1420 err = move_pages_huge_pmd(mm, dst_pmd, src_pmd,
1421 dst_pmdval, dst_vma, src_vma,
1422 dst_addr, src_addr);
1423 step_size = HPAGE_PMD_SIZE;
1425 if (pmd_none(*src_pmd)) {
1426 if (!(mode & UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES)) {
1430 if (unlikely(__pte_alloc(mm, src_pmd))) {
1436 if (unlikely(pte_alloc(mm, dst_pmd))) {
1441 err = move_pages_pte(mm, dst_pmd, src_pmd,
1443 dst_addr, src_addr, mode);
1444 step_size = PAGE_SIZE;
1449 if (fatal_signal_pending(current)) {
1450 /* Do not override an error */
1451 if (!err || err == -EAGAIN)
1462 /* Proceed to the next page */
1463 dst_addr += step_size;
1464 src_addr += step_size;
1469 VM_WARN_ON(moved < 0);
1470 VM_WARN_ON(err > 0);
1471 VM_WARN_ON(!moved && !err);
1472 return moved ? moved : err;
projects / linux-2.6-microblaze.git / blob