LCOV - code coverage report
Current view: top level - mm - rmap.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 4 564 0.7 %
Date: 2023-08-24 13:40:31 Functions: 1 40 2.5 %

          Line data    Source code
       1             : /*
       2             :  * mm/rmap.c - physical to virtual reverse mappings
       3             :  *
       4             :  * Copyright 2001, Rik van Riel <riel@conectiva.com.br>
       5             :  * Released under the General Public License (GPL).
       6             :  *
       7             :  * Simple, low overhead reverse mapping scheme.
       8             :  * Please try to keep this thing as modular as possible.
       9             :  *
      10             :  * Provides methods for unmapping each kind of mapped page:
      11             :  * the anon methods track anonymous pages, and
      12             :  * the file methods track pages belonging to an inode.
      13             :  *
      14             :  * Original design by Rik van Riel <riel@conectiva.com.br> 2001
      15             :  * File methods by Dave McCracken <dmccr@us.ibm.com> 2003, 2004
      16             :  * Anonymous methods by Andrea Arcangeli <andrea@suse.de> 2004
      17             :  * Contributions by Hugh Dickins 2003, 2004
      18             :  */
      19             : 
      20             : /*
      21             :  * Lock ordering in mm:
      22             :  *
      23             :  * inode->i_rwsem    (while writing or truncating, not reading or faulting)
      24             :  *   mm->mmap_lock
      25             :  *     mapping->invalidate_lock (in filemap_fault)
      26             :  *       page->flags PG_locked (lock_page)
      27             :  *         hugetlbfs_i_mmap_rwsem_key (in huge_pmd_share, see hugetlbfs below)
      28             :  *           vma_start_write
      29             :  *             mapping->i_mmap_rwsem
      30             :  *               anon_vma->rwsem
      31             :  *                 mm->page_table_lock or pte_lock
      32             :  *                   swap_lock (in swap_duplicate, swap_info_get)
      33             :  *                     mmlist_lock (in mmput, drain_mmlist and others)
      34             :  *                     mapping->private_lock (in block_dirty_folio)
      35             :  *                       folio_lock_memcg move_lock (in block_dirty_folio)
      36             :  *                         i_pages lock (widely used)
      37             :  *                           lruvec->lru_lock (in folio_lruvec_lock_irq)
      38             :  *                     inode->i_lock (in set_page_dirty's __mark_inode_dirty)
      39             :  *                     bdi.wb->list_lock (in set_page_dirty's __mark_inode_dirty)
      40             :  *                       sb_lock (within inode_lock in fs/fs-writeback.c)
      41             :  *                       i_pages lock (widely used, in set_page_dirty,
      42             :  *                                 in arch-dependent flush_dcache_mmap_lock,
      43             :  *                                 within bdi.wb->list_lock in __sync_single_inode)
      44             :  *
      45             :  * anon_vma->rwsem,mapping->i_mmap_rwsem   (memory_failure, collect_procs_anon)
      46             :  *   ->tasklist_lock
      47             :  *     pte map lock
      48             :  *
      49             :  * hugetlbfs PageHuge() take locks in this order:
      50             :  *   hugetlb_fault_mutex (hugetlbfs specific page fault mutex)
      51             :  *     vma_lock (hugetlb specific lock for pmd_sharing)
      52             :  *       mapping->i_mmap_rwsem (also used for hugetlb pmd sharing)
      53             :  *         page->flags PG_locked (lock_page)
      54             :  */
      55             : 
      56             : #include <linux/mm.h>
      57             : #include <linux/sched/mm.h>
      58             : #include <linux/sched/task.h>
      59             : #include <linux/pagemap.h>
      60             : #include <linux/swap.h>
      61             : #include <linux/swapops.h>
      62             : #include <linux/slab.h>
      63             : #include <linux/init.h>
      64             : #include <linux/ksm.h>
      65             : #include <linux/rmap.h>
      66             : #include <linux/rcupdate.h>
      67             : #include <linux/export.h>
      68             : #include <linux/memcontrol.h>
      69             : #include <linux/mmu_notifier.h>
      70             : #include <linux/migrate.h>
      71             : #include <linux/hugetlb.h>
      72             : #include <linux/huge_mm.h>
      73             : #include <linux/backing-dev.h>
      74             : #include <linux/page_idle.h>
      75             : #include <linux/memremap.h>
      76             : #include <linux/userfaultfd_k.h>
      77             : #include <linux/mm_inline.h>
      78             : 
      79             : #include <asm/tlbflush.h>
      80             : 
      81             : #define CREATE_TRACE_POINTS
      82             : #include <trace/events/tlb.h>
      83             : #include <trace/events/migrate.h>
      84             : 
      85             : #include "internal.h"
      86             : 
      /*
       * Slab caches backing struct anon_vma and struct anon_vma_chain.
       * Both are created in anon_vma_init(); the anon_vma cache is created with
       * SLAB_TYPESAFE_BY_RCU and the anon_vma_ctor() constructor.
       */
      static struct kmem_cache *anon_vma_cachep;
      static struct kmem_cache *anon_vma_chain_cachep;
      89             : 
      /*
       * Allocate an anon_vma from anon_vma_cachep with GFP_KERNEL.
       *
       * On success the object holds one reference, has no children and no
       * active VMAs, and is its own parent and root. Returns NULL when the slab
       * allocation fails.
       */
      static inline struct anon_vma *anon_vma_alloc(void)
      {
              struct anon_vma *av = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);

              if (!av)
                      return NULL;

              atomic_set(&av->refcount, 1);
              av->num_children = 0;
              av->num_active_vmas = 0;
              av->parent = av;
              /*
               * A fresh anon_vma starts out as its own root. When called from
               * fork, the root is reset to the parent's anon_vma.
               */
              av->root = av;

              return av;
      }
     109             : 
     /*
      * Return an anon_vma to anon_vma_cachep.
      *
      * The refcount must already be zero (VM_BUG_ON otherwise). May sleep: if
      * the root rwsem is observed locked, the write lock is taken and released
      * before the object is handed back to the slab.
      */
     static inline void anon_vma_free(struct anon_vma *anon_vma)
     {
             VM_BUG_ON(atomic_read(&anon_vma->refcount));

             /*
              * Synchronize against folio_lock_anon_vma_read() such that
              * we can safely hold the lock without the anon_vma getting
              * freed.
              *
              * Relies on the full mb implied by the atomic_dec_and_test() from
              * put_anon_vma() against the acquire barrier implied by
              * down_read_trylock() from folio_lock_anon_vma_read(). This orders:
              *
              * folio_lock_anon_vma_read()   VS      put_anon_vma()
              *   down_read_trylock()                  atomic_dec_and_test()
              *   LOCK                                 MB
              *   atomic_read()                        rwsem_is_locked()
              *
              * LOCK should suffice since the actual taking of the lock must
              * happen _before_ what follows.
              */
             might_sleep();
             if (rwsem_is_locked(&anon_vma->root->rwsem)) {
                     /*
                      * Nothing is modified under the lock: the lock/unlock
                      * pair only waits for the current holder to leave before
                      * the memory is freed.
                      */
                     anon_vma_lock_write(anon_vma);
                     anon_vma_unlock_write(anon_vma);
             }

             kmem_cache_free(anon_vma_cachep, anon_vma);
     }
     139             : 
     /*
      * Allocate one anon_vma_chain from anon_vma_chain_cachep using the
      * caller-supplied gfp mask. Returns NULL on allocation failure.
      */
     static inline struct anon_vma_chain *anon_vma_chain_alloc(gfp_t gfp)
     {
             struct anon_vma_chain *avc;

             avc = kmem_cache_alloc(anon_vma_chain_cachep, gfp);
             return avc;
     }
     144             : 
     /*
      * Give an anon_vma_chain back to anon_vma_chain_cachep. The callers in this
      * file pass either a link that was never attached or one already removed
      * from the vma's same_vma list.
      */
     static void anon_vma_chain_free(struct anon_vma_chain *anon_vma_chain)
     {
             kmem_cache_free(anon_vma_chain_cachep, anon_vma_chain);
     }
     149             : 
     /*
      * Tie @vma and @anon_vma together through @avc: fill in both back
      * pointers, put the link on the vma's anon_vma_chain list and insert it
      * into the anon_vma's interval tree.
      *
      * Every caller in this file holds the root anon_vma rwsem for writing
      * around this call.
      */
     static void anon_vma_chain_link(struct vm_area_struct *vma,
                                     struct anon_vma_chain *avc,
                                     struct anon_vma *anon_vma)
     {
             /* Both back pointers must be set before the link becomes visible. */
             avc->anon_vma = anon_vma;
             avc->vma = vma;

             list_add(&avc->same_vma, &vma->anon_vma_chain);
             anon_vma_interval_tree_insert(avc, &anon_vma->rb_root);
     }
     159             : 
     160             : /**
     161             :  * __anon_vma_prepare - attach an anon_vma to a memory region
     162             :  * @vma: the memory region in question
     163             :  *
     164             :  * This makes sure the memory mapping described by 'vma' has
     165             :  * an 'anon_vma' attached to it, so that we can associate the
     166             :  * anonymous pages mapped into it with that anon_vma.
     167             :  *
     168             :  * The common case will be that we already have one, which
     169             :  * is handled inline by anon_vma_prepare(). But if
     170             :  * not we either need to find an adjacent mapping that we
     171             :  * can re-use the anon_vma from (very common when the only
     172             :  * reason for splitting a vma has been mprotect()), or we
     173             :  * allocate a new one.
     174             :  *
     175             :  * Anon-vma allocations are very subtle, because we may have
     176             :  * optimistically looked up an anon_vma in folio_lock_anon_vma_read()
     177             :  * and that may actually touch the rwsem even in the newly
     178             :  * allocated vma (it depends on RCU to make sure that the
     179             :  * anon_vma isn't actually destroyed).
     180             :  *
     181             :  * As a result, we need to do proper anon_vma locking even
     182             :  * for the new allocation. At the same time, we do not want
     183             :  * to do any locking for the common case of already having
     184             :  * an anon_vma.
     185             :  *
     186             :  * This must be called with the mmap_lock held for reading.
     187             :  */
     int __anon_vma_prepare(struct vm_area_struct *vma)
     {
             struct mm_struct *mm = vma->vm_mm;
             struct anon_vma *anon_vma, *allocated = NULL;
             struct anon_vma_chain *avc;

             might_sleep();

             /* Get the chain link first, before any lock is taken. */
             avc = anon_vma_chain_alloc(GFP_KERNEL);
             if (!avc)
                     return -ENOMEM;

             /* Prefer a mergeable neighbour's anon_vma; otherwise create one. */
             anon_vma = find_mergeable_anon_vma(vma);
             if (!anon_vma) {
                     anon_vma = anon_vma_alloc();
                     if (unlikely(!anon_vma)) {
                             anon_vma_chain_free(avc);
                             return -ENOMEM;
                     }
                     anon_vma->num_children++; /* self-parent link for new root */
                     allocated = anon_vma;
             }

             anon_vma_lock_write(anon_vma);
             /* page_table_lock to protect against threads */
             spin_lock(&mm->page_table_lock);
             if (likely(!vma->anon_vma)) {
                     vma->anon_vma = anon_vma;
                     anon_vma_chain_link(vma, avc, anon_vma);
                     anon_vma->num_active_vmas++;
                     /* Both objects now belong to the vma; nothing to undo. */
                     allocated = NULL;
                     avc = NULL;
             }
             spin_unlock(&mm->page_table_lock);
             anon_vma_unlock_write(anon_vma);

             /*
              * vma->anon_vma was already set when we looked under the locks:
              * drop whatever was prepared here and still report success.
              */
             if (unlikely(allocated))
                     put_anon_vma(allocated);
             if (unlikely(avc))
                     anon_vma_chain_free(avc);

             return 0;
     }
     235             : 
     236             : /*
     237             :  * This is a useful helper function for locking the anon_vma root as
     238             :  * we traverse the vma->anon_vma_chain, looping over anon_vma's that
     239             :  * have the same vma.
     240             :  *
     241             :  * Such anon_vma's should have the same root, so you'd expect to see
     242             :  * just a single mutex_lock for the whole traversal.
     243             :  */
     /*
      * Make sure the root of @anon_vma is write-locked and return it.
      *
      * @root is the root the caller currently holds (NULL if none). If it is
      * already the right one, nothing happens. A non-NULL @root that differs
      * from anon_vma->root is unexpected: it triggers a one-time warning and is
      * unlocked before the new root is taken.
      */
     static inline struct anon_vma *lock_anon_vma_root(struct anon_vma *root, struct anon_vma *anon_vma)
     {
             struct anon_vma *wanted = anon_vma->root;

             if (wanted == root)
                     return root;

             if (WARN_ON_ONCE(root))
                     up_write(&root->rwsem);

             down_write(&wanted->rwsem);
             return wanted;
     }
     255             : 
     /*
      * Counterpart of lock_anon_vma_root(): release the write lock on @root.
      * A NULL @root means no lock is held and the call does nothing.
      */
     static inline void unlock_anon_vma_root(struct anon_vma *root)
     {
             if (!root)
                     return;

             up_write(&root->rwsem);
     }
     261             : 
     262             : /*
     263             :  * Attach the anon_vmas from src to dst.
     264             :  * Returns 0 on success, -ENOMEM on failure.
     265             :  *
     266             :  * anon_vma_clone() is called by vma_expand(), vma_merge(), __split_vma(),
     267             :  * copy_vma() and anon_vma_fork(). The first four want an exact copy of src,
     268             :  * while the last one, anon_vma_fork(), may try to reuse an existing anon_vma to
     269             :  * prevent endless growth of anon_vma. Since dst->anon_vma is set to NULL before
     270             :  * call, we can identify this case by checking (!dst->anon_vma &&
     271             :  * src->anon_vma).
     272             :  *
     273             :  * If (!dst->anon_vma && src->anon_vma) is true, this function tries to find
     274             :  * and reuse existing anon_vma which has no vmas and only one child anon_vma.
     275             :  * This prevents degradation of anon_vma hierarchy to endless linear chain in
     276             :  * case of constantly forking task. On the other hand, an anon_vma with more
     277             :  * than one child isn't reused even if there was no alive vma, thus rmap
     278             :  * walker has a good chance of avoiding scanning the whole hierarchy when it
     279             :  * searches where page is mapped.
     280             :  */
     int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
     {
             struct anon_vma_chain *new_avc, *src_avc;
             struct anon_vma *locked_root = NULL;

             list_for_each_entry_reverse(src_avc, &src->anon_vma_chain, same_vma) {
                     struct anon_vma *anon_vma;
                     bool reusable;

                     /* First attempt must not block. */
                     new_avc = anon_vma_chain_alloc(GFP_NOWAIT | __GFP_NOWARN);
                     if (unlikely(!new_avc)) {
                             /*
                              * The non-blocking attempt failed: release the
                              * root lock, then retry with GFP_KERNEL.
                              */
                             unlock_anon_vma_root(locked_root);
                             locked_root = NULL;
                             new_avc = anon_vma_chain_alloc(GFP_KERNEL);
                             if (!new_avc)
                                     goto enomem_failure;
                     }
                     anon_vma = src_avc->anon_vma;
                     locked_root = lock_anon_vma_root(locked_root, anon_vma);
                     anon_vma_chain_link(dst, new_avc, anon_vma);

                     /*
                      * An anon_vma may be adopted as dst->anon_vma only in the
                      * fork case (!dst->anon_vma && src->anon_vma), and only
                      * when it has no active vma and fewer than two children.
                      *
                      * The root anon_vma never qualifies: it carries its
                      * self-parent reference plus at least one child.
                      */
                     reusable = !dst->anon_vma && src->anon_vma &&
                                anon_vma->num_children < 2 &&
                                anon_vma->num_active_vmas == 0;
                     if (reusable)
                             dst->anon_vma = anon_vma;
             }
             /* Account dst as an active user of whichever anon_vma it ends up with. */
             if (dst->anon_vma)
                     dst->anon_vma->num_active_vmas++;
             unlock_anon_vma_root(locked_root);
             return 0;

      enomem_failure:
             /*
              * Clear dst->anon_vma before unlinking; otherwise
              * unlink_anon_vmas() would decrement a num_active_vmas that was
              * never incremented for dst. This is safe because callers of
              * anon_vma_clone() don't care about dst->anon_vma once
              * anon_vma_clone() has failed.
              */
             dst->anon_vma = NULL;
             unlink_anon_vmas(dst);
             return -ENOMEM;
     }
     329             : 
     330             : /*
     331             :  * Attach vma to its own anon_vma, as well as to the anon_vmas that
     332             :  * the corresponding VMA in the parent process is attached to.
     333             :  * Returns 0 on success, non-zero on failure.
     334             :  */
     int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
     {
             struct anon_vma *child;
             struct anon_vma_chain *link;
             int ret;

             /* Nothing to inherit when the parent VMA has no anon_vma. */
             if (!pvma->anon_vma)
                     return 0;

             /* Forget the inherited pointer; one is reused or allocated below. */
             vma->anon_vma = NULL;

             /*
              * Link the new VMA into the parent VMA's anon_vmas first, so rmap
              * can still find pages the child has not COWed yet.
              */
             ret = anon_vma_clone(vma, pvma);
             if (ret)
                     return ret;

             /* anon_vma_clone() reused an existing anon_vma; nothing more to do. */
             if (vma->anon_vma)
                     return 0;

             /* Otherwise the child VMA gets an anon_vma of its own. */
             child = anon_vma_alloc();
             if (!child)
                     goto out_error;
             child->num_active_vmas++;
             link = anon_vma_chain_alloc(GFP_KERNEL);
             if (!link)
                     goto out_error_free_anon_vma;

             /*
              * Locking any anon_vma in this tree really takes the rwsem of
              * the root, so the new anon_vma shares the parent's root.
              */
             child->root = pvma->anon_vma->root;
             child->parent = pvma->anon_vma;
             /*
              * Because of refcounting, an anon_vma may outlive the process it
              * belongs to. Pin the root until this anon_vma is freed: the lock
              * it depends on lives in the root.
              */
             get_anon_vma(child->root);
             /* New (COWed) pages of this VMA are attached to this anon_vma. */
             vma->anon_vma = child;
             anon_vma_lock_write(child);
             anon_vma_chain_link(vma, link, child);
             child->parent->num_children++;
             anon_vma_unlock_write(child);

             return 0;

      out_error_free_anon_vma:
             put_anon_vma(child);
      out_error:
             /* Undo the links anon_vma_clone() created above. */
             unlink_anon_vmas(vma);
             return -ENOMEM;
     }
     396             : 
     /*
      * Detach vma from every anon_vma on its anon_vma_chain and free the chain
      * links. Runs in two passes: the first removes the links from the interval
      * trees under the root lock, the second (after the lock is dropped)
      * releases the anon_vmas whose trees became empty.
      */
     void unlink_anon_vmas(struct vm_area_struct *vma)
     {
             struct anon_vma_chain *avc, *next;
             struct anon_vma *root = NULL;

             /*
              * Unlink each anon_vma chained to the VMA.  This list is ordered
              * from newest to oldest, ensuring the root anon_vma gets freed last.
              */
             list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
                     struct anon_vma *anon_vma = avc->anon_vma;

                     root = lock_anon_vma_root(root, anon_vma);
                     anon_vma_interval_tree_remove(avc, &anon_vma->rb_root);

                     /*
                      * Leave empty anon_vmas on the list - we'll need
                      * to free them outside the lock. The parent's child
                      * count is dropped now, while the root lock is held.
                      */
                     if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) {
                             anon_vma->parent->num_children--;
                             continue;
                     }

                     list_del(&avc->same_vma);
                     anon_vma_chain_free(avc);
             }
             if (vma->anon_vma) {
                     vma->anon_vma->num_active_vmas--;

                     /*
                      * The vma may still be used after the unlink; clear the
                      * pointer so that an anon_vma is prepared again when a
                      * fault is handled.
                      */
                     vma->anon_vma = NULL;
             }
             unlock_anon_vma_root(root);

             /*
              * Iterate the list once more, it now only contains empty and unlinked
              * anon_vmas, destroy them. Could not do before due to __put_anon_vma()
              * needing to write-acquire the anon_vma->root->rwsem.
              */
             list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
                     struct anon_vma *anon_vma = avc->anon_vma;

                     /* Both counters are expected to be zero before the reference is dropped. */
                     VM_WARN_ON(anon_vma->num_children);
                     VM_WARN_ON(anon_vma->num_active_vmas);
                     put_anon_vma(anon_vma);

                     list_del(&avc->same_vma);
                     anon_vma_chain_free(avc);
             }
     }
     451             : 
     /*
      * Slab constructor for anon_vma_cachep (registered in anon_vma_init()).
      *
      * Sets up the fields that are not written by anon_vma_alloc(): the rwsem,
      * a zero refcount and an empty interval tree. Slab constructors run when
      * a slab's objects are first set up, not on each kmem_cache_alloc().
      */
     static void anon_vma_ctor(void *data)
     {
             struct anon_vma *av = data;

             av->rb_root = RB_ROOT_CACHED;
             atomic_set(&av->refcount, 0);
             init_rwsem(&av->rwsem);
     }
     460             : 
     /*
      * Create the two slab caches used by this file.
      *
      * SLAB_PANIC is passed for both caches, so the results are not checked
      * for NULL here. The anon_vma cache is additionally SLAB_TYPESAFE_BY_RCU,
      * which the lockless lookup in folio_get_anon_vma() relies on.
      */
     void __init anon_vma_init(void)
     {
             anon_vma_cachep =
                     kmem_cache_create("anon_vma", sizeof(struct anon_vma), 0,
                                       SLAB_TYPESAFE_BY_RCU | SLAB_PANIC | SLAB_ACCOUNT,
                                       anon_vma_ctor);

             anon_vma_chain_cachep =
                     KMEM_CACHE(anon_vma_chain, SLAB_PANIC | SLAB_ACCOUNT);
     }
     469             : 
     470             : /*
     471             :  * Getting a lock on a stable anon_vma from a page off the LRU is tricky!
     472             :  *
     473             :  * Since there is no serialization whatsoever against page_remove_rmap()
     474             :  * the best this function can do is return a refcount increased anon_vma
     475             :  * that might have been relevant to this page.
     476             :  *
     477             :  * The page might have been remapped to a different anon_vma or the anon_vma
     478             :  * returned may already be freed (and even reused).
     479             :  *
     480             :  * In case it was remapped to a different anon_vma, the new anon_vma will be a
     481             :  * child of the old anon_vma, and the anon_vma lifetime rules will therefore
     482             :  * ensure that any anon_vma obtained from the page will still be valid for as
     483             :  * long as we observe page_mapped() [ hence all those page_mapped() tests ].
     484             :  *
     485             :  * All users of this function must be very careful when walking the anon_vma
     486             :  * chain and verify that the page in question is indeed mapped in it
     487             :  * [ something equivalent to page_mapped_in_vma() ].
     488             :  *
     489             :  * Since anon_vma's slab is SLAB_TYPESAFE_BY_RCU and we know from
     490             :  * page_remove_rmap() that the anon_vma pointer from page->mapping is valid
     491             :  * if there is a mapcount, we can dereference the anon_vma after observing
     492             :  * those.
     493             :  */
     /*
      * Returns the anon_vma derived from folio->mapping with its refcount
      * raised, or NULL when the folio is not anonymous, is not mapped, or the
      * anon_vma's refcount had already reached zero. A non-NULL result is
      * released with put_anon_vma().
      */
     struct anon_vma *folio_get_anon_vma(struct folio *folio)
     {
             struct anon_vma *anon_vma = NULL;
             unsigned long anon_mapping;

             /* The pointer derived below is only dereferenced inside this RCU section. */
             rcu_read_lock();
             /* Single snapshot of the mapping word; all checks use this value. */
             anon_mapping = (unsigned long)READ_ONCE(folio->mapping);
             if ((anon_mapping & PAGE_MAPPING_FLAGS) != PAGE_MAPPING_ANON)
                     goto out;
             if (!folio_mapped(folio))
                     goto out;

             /* Strip the PAGE_MAPPING_ANON tag to recover the pointer. */
             anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON);
             /* Never resurrect an object whose refcount already dropped to zero. */
             if (!atomic_inc_not_zero(&anon_vma->refcount)) {
                     anon_vma = NULL;
                     goto out;
             }

             /*
              * If this folio is still mapped, then its anon_vma cannot have been
              * freed.  But if it has been unmapped, we have no security against the
              * anon_vma structure being freed and reused (for another anon_vma:
              * SLAB_TYPESAFE_BY_RCU guarantees that - so the atomic_inc_not_zero()
              * above cannot corrupt).
              */
             if (!folio_mapped(folio)) {
                     /*
                      * The reference taken above may belong to a reused
                      * object: leave the RCU section, drop it and report
                      * failure.
                      */
                     rcu_read_unlock();
                     put_anon_vma(anon_vma);
                     return NULL;
             }
     out:
             rcu_read_unlock();

             return anon_vma;
     }
     529             : 
     530             : /*
     531             :  * Similar to folio_get_anon_vma() except it locks the anon_vma.
     532             :  *
     533             :  * It's a little more complex as it tries to keep the fast path to a single
     534             :  * atomic op -- the trylock. If we fail the trylock, we fall back to getting a
     535             :  * reference like with folio_get_anon_vma() and then block on the mutex
     536             :  * in the !rwc->try_lock case.
     537             :  */
     538           0 : struct anon_vma *folio_lock_anon_vma_read(struct folio *folio,
     539             :                                           struct rmap_walk_control *rwc)
     540             : {
     541           0 :         struct anon_vma *anon_vma = NULL;
     542             :         struct anon_vma *root_anon_vma;
     543             :         unsigned long anon_mapping;
     544             : 
     545             :         rcu_read_lock();
     546           0 :         anon_mapping = (unsigned long)READ_ONCE(folio->mapping);
     547           0 :         if ((anon_mapping & PAGE_MAPPING_FLAGS) != PAGE_MAPPING_ANON)
     548             :                 goto out;
     549           0 :         if (!folio_mapped(folio))
     550             :                 goto out;
     551             : 
     552           0 :         anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON);
     553           0 :         root_anon_vma = READ_ONCE(anon_vma->root);
     554           0 :         if (down_read_trylock(&root_anon_vma->rwsem)) {
     555             :                 /*
     556             :                  * If the folio is still mapped, then this anon_vma is still
     557             :                  * its anon_vma, and holding the mutex ensures that it will
     558             :                  * not go away, see anon_vma_free().
     559             :                  */
     560           0 :                 if (!folio_mapped(folio)) {
     561           0 :                         up_read(&root_anon_vma->rwsem);
     562           0 :                         anon_vma = NULL;
     563             :                 }
     564             :                 goto out;
     565             :         }
     566             : 
     567           0 :         if (rwc && rwc->try_lock) {
     568           0 :                 anon_vma = NULL;
     569           0 :                 rwc->contended = true;
     570           0 :                 goto out;
     571             :         }
     572             : 
     573             :         /* trylock failed, we got to sleep */
     574           0 :         if (!atomic_inc_not_zero(&anon_vma->refcount)) {
     575             :                 anon_vma = NULL;
     576             :                 goto out;
     577             :         }
     578             : 
     579           0 :         if (!folio_mapped(folio)) {
     580           0 :                 rcu_read_unlock();
     581             :                 put_anon_vma(anon_vma);
     582             :                 return NULL;
     583             :         }
     584             : 
     585             :         /* we pinned the anon_vma, its safe to sleep */
     586             :         rcu_read_unlock();
     587           0 :         anon_vma_lock_read(anon_vma);
     588             : 
     589           0 :         if (atomic_dec_and_test(&anon_vma->refcount)) {
     590             :                 /*
     591             :                  * Oops, we held the last refcount, release the lock
     592             :                  * and bail -- can't simply use put_anon_vma() because
     593             :                  * we'll deadlock on the anon_vma_lock_write() recursion.
     594             :                  */
     595           0 :                 anon_vma_unlock_read(anon_vma);
     596           0 :                 __put_anon_vma(anon_vma);
     597           0 :                 anon_vma = NULL;
     598             :         }
     599             : 
     600             :         return anon_vma;
     601             : 
     602             : out:
     603             :         rcu_read_unlock();
     604           0 :         return anon_vma;
     605             : }
     606             : 
     607             : #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
/*
 * Flush the TLB entries that earlier unmaps batched on the current task
 * from remote CPUs.
 *
 * Two ordering rules depend on this call. If a PTE was dirty when it was
 * unmapped, its entry must be flushed before any IO is initiated on the
 * page, otherwise writes can be lost. And the entry must be flushed before
 * the page is freed, to prevent data leakage.
 *
 * Does nothing when the batch has no flush pending. After the flush both
 * the flush_required and the writable marks of the batch are cleared.
 */
void try_to_unmap_flush(void)
{
	struct tlbflush_unmap_batch *batch = &current->tlb_ubc;

	if (batch->flush_required) {
		arch_tlbbatch_flush(&batch->arch);
		batch->flush_required = false;
		batch->writable = false;
	}
}
     625             : 
/*
 * Flush iff there are potentially writable TLB entries that can race with IO.
 * The decision is taken from the writable mark of the current task's batch.
 */
void try_to_unmap_flush_dirty(void)
{
	const struct tlbflush_unmap_batch *batch = &current->tlb_ubc;

	if (!batch->writable)
		return;

	try_to_unmap_flush();
}
     634             : 
/*
 * mm->tlb_flush_batched packs two generation counters into one atomic value:
 * Bits 0-14 of mm->tlb_flush_batched record pending generations.
 * Bits 16-30 of mm->tlb_flush_batched record flushed generations.
 */
#define TLB_FLUSH_BATCH_FLUSHED_SHIFT	16
/* (1 << 15) - 1: selects bits 0-14, the pending counter. */
#define TLB_FLUSH_BATCH_PENDING_MASK			\
	((1 << (TLB_FLUSH_BATCH_FLUSHED_SHIFT - 1)) - 1)
/*
 * Half of the pending range. Once the pending counter is above this value,
 * set_tlb_ubc_flush_pending() resets the counters instead of incrementing.
 */
#define TLB_FLUSH_BATCH_PENDING_LARGE			\
	(TLB_FLUSH_BATCH_PENDING_MASK / 2)
     644             : 
/*
 * Queue a deferred TLB flush for @mm on the current task's unmap batch and
 * advance the pending generation in mm->tlb_flush_batched.
 *
 * @mm:     address space the entry was mapped in
 * @pteval: the PTE value being unmapped; the caller is expected to have
 *          cleared the PTE already (see the barrier() comment below)
 *
 * Nothing is queued when pte_accessible() reports the entry as not
 * accessible. The flush itself is not done here: it happens later in
 * try_to_unmap_flush() or try_to_unmap_flush_dirty().
 */
static void set_tlb_ubc_flush_pending(struct mm_struct *mm, pte_t pteval)
{
	struct tlbflush_unmap_batch *tlb_ubc = &current->tlb_ubc;
	int batch;
	bool writable = pte_dirty(pteval);

	if (!pte_accessible(mm, pteval))
		return;

	arch_tlbbatch_add_mm(&tlb_ubc->arch, mm);
	tlb_ubc->flush_required = true;

	/*
	 * Ensure compiler does not re-order the setting of tlb_flush_batched
	 * before the PTE is cleared.
	 */
	barrier();
	batch = atomic_read(&mm->tlb_flush_batched);
retry:
	if ((batch & TLB_FLUSH_BATCH_PENDING_MASK) > TLB_FLUSH_BATCH_PENDING_LARGE) {
		/*
		 * Prevent `pending' from catching up with `flushed' because of
		 * overflow.  Reset `pending' and `flushed' to be 1 and 0 if
		 * `pending' becomes large.
		 *
		 * On failure atomic_try_cmpxchg() stores the value it found in
		 * `batch', so the retry re-evaluates the test on fresh data.
		 */
		if (!atomic_try_cmpxchg(&mm->tlb_flush_batched, &batch, 1))
			goto retry;
	} else {
		atomic_inc(&mm->tlb_flush_batched);
	}

	/*
	 * If the PTE was dirty then it's best to assume it's writable. The
	 * caller must use try_to_unmap_flush_dirty() or try_to_unmap_flush()
	 * before the page is queued for IO.
	 */
	if (writable)
		tlb_ubc->writable = true;
}
     684             : 
/*
 * Decide whether the TLB flush can wait until the end of a batch of unmap
 * operations, which reduces IPIs.
 *
 * Returns false unless TTU_BATCH_FLUSH is set in @flags. With the flag set,
 * returns true only when @mm's cpumask contains a CPU other than the one
 * this code is running on, i.e. when remote CPUs would need to be flushed.
 */
static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags)
{
	bool remote_cpus;

	if (!(flags & TTU_BATCH_FLUSH))
		return false;

	/* get_cpu()/put_cpu() bracket the lookup of the current CPU number */
	remote_cpus = cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids;
	put_cpu();

	return remote_cpus;
}
     703             : 
/*
 * Reclaim unmaps pages under the PTL but, when TLB flushes are batched, does
 * not flush the TLB before releasing the PTL. A parallel operation such as
 * mprotect or munmap can therefore run between reclaim unmapping the page
 * and reclaim flushing it. If that race occurs, it potentially allows access
 * to data via a stale TLB entry.
 *
 * Tracking every mm that has TLB batching in flight would be expensive
 * during reclaim, so instead mm->tlb_flush_batched records whether batching
 * occurred in the past, and the flush is done here if required. The cost is
 * one additional flush per reclaim cycle, paid by the first operation at
 * risk, such as mprotect and munmap.
 *
 * This must be called under the PTL so that an access to tlb_flush_batched
 * that is potentially a "reclaim vs mprotect/munmap/etc" race will
 * synchronise via the PTL.
 */
void flush_tlb_batched_pending(struct mm_struct *mm)
{
	const int snapshot = atomic_read(&mm->tlb_flush_batched);
	const int pending = snapshot & TLB_FLUSH_BATCH_PENDING_MASK;
	const int flushed = snapshot >> TLB_FLUSH_BATCH_FLUSHED_SHIFT;

	/* Both generations agree: no batched flush is outstanding. */
	if (pending == flushed)
		return;

	flush_tlb_mm(mm);
	/*
	 * Mark the pending generation as flushed, but only if the counter
	 * still holds the value read above. If a new flush became pending
	 * while this one ran, the counter is left alone so that the new one
	 * is not lost.
	 */
	atomic_cmpxchg(&mm->tlb_flush_batched, snapshot,
		       pending | (pending << TLB_FLUSH_BATCH_FLUSHED_SHIFT));
}
     735             : #else
/*
 * Stub for builds without CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH: there is
 * no unmap batch, so nothing is recorded.
 */
static void set_tlb_ubc_flush_pending(struct mm_struct *mm, pte_t pteval)
{
}
     739             : 
/*
 * Stub for builds without CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH: a TLB
 * flush is never deferred.
 */
static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags)
{
	return false;
}
     744             : #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */
     745             : 
/*
 * At what user virtual address is page expected in vma?
 * Caller should check the page is actually part of the vma.
 *
 * Returns -EFAULT (converted to unsigned long) when the page cannot belong
 * to @vma: for an anonymous folio, when either side has no anon_vma or the
 * two anon_vmas have different roots; for any other folio, when @vma has no
 * file or the file's mapping is not the folio's mapping. Otherwise returns
 * the result of vma_address().
 */
unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma)
{
	struct folio *folio = page_folio(page);

	if (folio_test_anon(folio)) {
		struct anon_vma *folio_av = folio_anon_vma(folio);

		/*
		 * Note: swapoff's unuse_vma() is more efficient with this
		 * check, and needs it to match anon_vma when KSM is active.
		 */
		if (!vma->anon_vma || !folio_av)
			return -EFAULT;
		if (vma->anon_vma->root != folio_av->root)
			return -EFAULT;
	} else {
		if (!vma->vm_file ||
		    vma->vm_file->f_mapping != folio->mapping)
			return -EFAULT;
	}

	return vma_address(page, vma);
}
     770             : 
/*
 * Walk @mm's page tables down to the pmd level for @address.
 *
 * Returns the pmd_t* where 'address' is expected to be mapped from, or NULL
 * if the pgd, p4d or pud entry on the way is not present. Nothing is checked
 * or guaranteed about what the returned pmd_t* represents.
 */
pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address)
{
	pgd_t *pgd = pgd_offset(mm, address);
	p4d_t *p4d;
	pud_t *pud;

	if (!pgd_present(*pgd))
		return NULL;

	p4d = p4d_offset(pgd, address);
	if (!p4d_present(*p4d))
		return NULL;

	pud = pud_offset(p4d, address);
	if (!pud_present(*pud))
		return NULL;

	return pmd_offset(pud, address);
}
     799             : 
/* State shared between folio_referenced() and its rmap walk callbacks. */
struct folio_referenced_arg {
	/* mappings left to visit: starts at folio_mapcount(), counted down */
	int mapcount;
	/* number of vmas in which the folio was found referenced */
	int referenced;
	/* vm_flags collected from the vmas that referenced the folio */
	unsigned long vm_flags;
	/* when set, vmas of mms outside this cgroup are skipped */
	struct mem_cgroup *memcg;
};
/*
 * rmap walk callback of folio_referenced(): test and clear the young state
 * of every mapping of @folio inside @vma.
 *
 * @arg points to the struct folio_referenced_arg of the walk.
 *
 * Returns false to stop the rmap walk, either because a VM_LOCKED vma was
 * found (VM_LOCKED is then reported in the collected vm_flags) or because
 * all mappings counted in mapcount have been visited; returns true to
 * continue with the next vma.
 */
static bool folio_referenced_one(struct folio *folio,
		struct vm_area_struct *vma, unsigned long address, void *arg)
{
	struct folio_referenced_arg *acc = arg;
	DEFINE_FOLIO_VMA_WALK(pvmw, folio, vma, address, 0);
	int young = 0;

	while (page_vma_mapped_walk(&pvmw)) {
		/* no pte in the walk state: this mapping is at pmd level */
		const bool pmd_mapped = !pvmw.pte;

		address = pvmw.address;

		if ((vma->vm_flags & VM_LOCKED) &&
		    (!folio_test_large(folio) || pmd_mapped)) {
			/* Restore the mlock which got missed */
			mlock_vma_folio(folio, vma, pmd_mapped);
			page_vma_mapped_walk_done(&pvmw);
			acc->vm_flags |= VM_LOCKED;
			/* stop the rmap walk */
			return false;
		}

		if (!pmd_mapped) {
			if (lru_gen_enabled() &&
			    pte_young(ptep_get(pvmw.pte))) {
				lru_gen_look_around(&pvmw);
				young++;
			}

			if (ptep_clear_flush_young_notify(vma, address,
						pvmw.pte))
				young++;
		} else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) {
			if (pmdp_clear_flush_young_notify(vma, address,
						pvmw.pmd))
				young++;
		} else {
			/* unexpected pmd-mapped folio? */
			WARN_ON_ONCE(1);
		}

		acc->mapcount--;
	}

	if (young)
		folio_clear_idle(folio);
	if (folio_test_clear_young(folio))
		young++;

	if (young) {
		acc->referenced++;
		/* VM_LOCKED is only ever reported by the mlock path above */
		acc->vm_flags |= vma->vm_flags & ~VM_LOCKED;
	}

	/* false once every counted mapping was seen: stops the rmap walk */
	return acc->mapcount != 0;
}
     865             : 
/*
 * rmap walk filter of folio_referenced(): returns true for a vma whose
 * references must not be counted. @arg is the walk's
 * struct folio_referenced_arg.
 */
static bool invalid_folio_referenced_vma(struct vm_area_struct *vma, void *arg)
{
	const struct folio_referenced_arg *acc = arg;
	struct mem_cgroup *target = acc->memcg;

	/*
	 * Ignore references from this mapping if it has no recency. If the
	 * folio has been used in another mapping, we will catch it; if this
	 * other mapping is already gone, the unmap path will have set the
	 * referenced flag or activated the folio in zap_pte_range().
	 */
	if (!vma_has_recency(vma))
		return true;

	/*
	 * If we are reclaiming on behalf of a cgroup, skip counting on behalf
	 * of references from different cgroups.
	 */
	return target && !mm_match_cgroup(vma->vm_mm, target);
}
     889             : 
/**
 * folio_referenced() - Test if the folio was referenced.
 * @folio: The folio to test.
 * @is_locked: Caller holds lock on the folio.
 * @memcg: target memory cgroup
 * @vm_flags: A combination of all the vma->vm_flags which referenced the folio.
 *
 * Quick test_and_clear_referenced for all mappings of a folio. The rmap
 * walk is done with try_lock set, so it gives up instead of sleeping on a
 * contended rmap lock. For a folio that is not anonymous, or that is a KSM
 * folio, the folio lock is taken here with a trylock unless the caller
 * already holds it.
 *
 * Return: The number of mappings which referenced the folio. Return -1 if
 * the function bailed out due to rmap lock contention. Return 0 without
 * walking if the folio has no mappings or no mapping pointer, and 1 without
 * walking if the folio lock was needed and could not be taken.
 */
int folio_referenced(struct folio *folio, int is_locked,
		     struct mem_cgroup *memcg, unsigned long *vm_flags)
{
	struct folio_referenced_arg pra = {
		.mapcount = folio_mapcount(folio),
		.memcg = memcg,
	};
	struct rmap_walk_control rwc = {
		.rmap_one = folio_referenced_one,
		.arg = (void *)&pra,
		.anon_lock = folio_lock_anon_vma_read,
		.try_lock = true,
		.invalid_vma = invalid_folio_referenced_vma,
	};
	bool locked_here = false;

	*vm_flags = 0;
	if (!pra.mapcount || !folio_raw_mapping(folio))
		return 0;

	if (!is_locked && (!folio_test_anon(folio) || folio_test_ksm(folio))) {
		if (!folio_trylock(folio))
			return 1;
		locked_here = true;
	}

	rmap_walk(folio, &rwc);
	*vm_flags = pra.vm_flags;

	/* Only release the folio lock if it was taken above. */
	if (locked_here)
		folio_unlock(folio);

	if (rwc.contended)
		return -1;

	return pra.referenced;
}
     939             : 
/*
 * Write-protect and clean every mapping that the walk described by @pvmw
 * finds and that is still dirty or writable: PTEs, and PMDs when
 * CONFIG_TRANSPARENT_HUGEPAGE is enabled.
 *
 * The whole walk runs between mmu_notifier_invalidate_range_start() and
 * mmu_notifier_invalidate_range_end() for the range from pvmw->address to
 * vma_address_end(pvmw).
 *
 * Returns the number of entries that were changed.
 */
static int page_vma_mkclean_one(struct page_vma_mapped_walk *pvmw)
{
	int cleaned = 0;
	struct vm_area_struct *vma = pvmw->vma;
	struct mmu_notifier_range range;
	unsigned long address = pvmw->address;

	/*
	 * We have to assume the worse case ie pmd for invalidation. Note that
	 * the folio can not be freed from this function.
	 */
	mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE, 0,
				vma->vm_mm, address, vma_address_end(pvmw));
	mmu_notifier_invalidate_range_start(&range);

	while (page_vma_mapped_walk(pvmw)) {
		int ret = 0;

		address = pvmw->address;
		if (pvmw->pte) {
			pte_t *pte = pvmw->pte;
			pte_t entry = ptep_get(pte);

			/* Already clean and read-only: nothing to change. */
			if (!pte_dirty(entry) && !pte_write(entry))
				continue;

			/*
			 * Take the entry out of the page table with
			 * ptep_clear_flush(), then put it back write-protected
			 * and clean. NOTE(review): presumably this order is
			 * what keeps a stale writable TLB entry from surviving
			 * the downgrade -- confirm against the arch helpers.
			 */
			flush_cache_page(vma, address, pte_pfn(entry));
			entry = ptep_clear_flush(vma, address, pte);
			entry = pte_wrprotect(entry);
			entry = pte_mkclean(entry);
			set_pte_at(vma->vm_mm, address, pte, entry);
			ret = 1;
		} else {
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
			pmd_t *pmd = pvmw->pmd;
			pmd_t entry;

			/* Already clean and read-only: nothing to change. */
			if (!pmd_dirty(*pmd) && !pmd_write(*pmd))
				continue;

			/* Same sequence as the PTE case, at pmd granularity. */
			flush_cache_range(vma, address,
					  address + HPAGE_PMD_SIZE);
			entry = pmdp_invalidate(vma, address, pmd);
			entry = pmd_wrprotect(entry);
			entry = pmd_mkclean(entry);
			set_pmd_at(vma->vm_mm, address, pmd, entry);
			ret = 1;
#else
			/* unexpected pmd-mapped folio? */
			WARN_ON_ONCE(1);
#endif
		}

		/*
		 * No need to call mmu_notifier_invalidate_range() as we are
		 * downgrading page table protection not changing it to point
		 * to a new page.
		 *
		 * See Documentation/mm/mmu_notifier.rst
		 */
		if (ret)
			cleaned++;
	}

	mmu_notifier_invalidate_range_end(&range);

	return cleaned;
}
    1008             : 
/*
 * rmap walk callback of folio_mkclean(): clean the mappings of @folio in
 * @vma and add the number of cleaned entries to the int that @arg points to.
 * Always returns true, so the rmap walk continues with the next vma.
 */
static bool page_mkclean_one(struct folio *folio, struct vm_area_struct *vma,
			     unsigned long address, void *arg)
{
	int *total = arg;
	DEFINE_FOLIO_VMA_WALK(pvmw, folio, vma, address, PVMW_SYNC);

	*total = *total + page_vma_mkclean_one(&pvmw);

	return true;
}
    1019             : 
/*
 * rmap walk filter for the mkclean paths: only vmas with VM_SHARED set are
 * cleaned, every other vma is reported as invalid. @arg is not used.
 */
static bool invalid_mkclean_vma(struct vm_area_struct *vma, void *arg)
{
	return !(vma->vm_flags & VM_SHARED);
}
    1027             : 
/*
 * Write-protect and clean the mappings of @folio in all VM_SHARED vmas that
 * map it. The folio must be locked by the caller (BUG_ON otherwise).
 *
 * Returns the number of cleaned entries, or 0 without walking when the
 * folio is not mapped or has no mapping.
 */
int folio_mkclean(struct folio *folio)
{
	int cleaned = 0;
	struct rmap_walk_control rwc = {
		.arg = (void *)&cleaned,
		.rmap_one = page_mkclean_one,
		.invalid_vma = invalid_mkclean_vma,
	};

	BUG_ON(!folio_test_locked(folio));

	if (!folio_mapped(folio) || !folio_mapping(folio))
		return 0;

	rmap_walk(folio, &rwc);

	return cleaned;
}
EXPORT_SYMBOL_GPL(folio_mkclean);
    1052             : 
/**
 * pfn_mkclean_range - Cleans the PTEs (including PMDs) mapped with range of
 *                     [@pfn, @pfn + @nr_pages) at the specific offset (@pgoff)
 *                     within the @vma of shared mappings. And since clean PTEs
 *                     should also be readonly, write protects them too.
 * @pfn: start pfn.
 * @nr_pages: number of physically contiguous pages starting with @pfn.
 * @pgoff: page offset that the @pfn mapped with.
 * @vma: vma that @pfn mapped within.
 *
 * A @vma without VM_SHARED is left untouched and 0 is returned.
 *
 * Returns the number of cleaned PTEs (including PMDs).
 */
int pfn_mkclean_range(unsigned long pfn, unsigned long nr_pages, pgoff_t pgoff,
		      struct vm_area_struct *vma)
{
	struct page_vma_mapped_walk walk = {
		.pfn		= pfn,
		.nr_pages	= nr_pages,
		.pgoff		= pgoff,
		.vma		= vma,
		.flags		= PVMW_SYNC,
	};

	if (invalid_mkclean_vma(vma, NULL))
		return 0;

	/* The start address is only known once the vma has been accepted. */
	walk.address = vma_pgoff_address(pgoff, nr_pages, vma);
	VM_BUG_ON_VMA(walk.address == -EFAULT, vma);

	return page_vma_mkclean_one(&walk);
}
    1084             : 
/*
 * Total number of mappings of @folio: the mappings of the entire folio plus
 * the PTE mappings of each of its pages. The per-page counters are read one
 * by one without a lock, so the sum is a snapshot.
 */
int folio_total_mapcount(struct folio *folio)
{
	int total = folio_entire_mapcount(folio);
	int nr_pages;
	int idx;

	/* In the common case, avoid the loop when no pages mapped by PTE */
	if (!folio_nr_pages_mapped(folio))
		return total;

	/*
	 * Add all the PTE mappings of those pages mapped by PTE.
	 * Limit the loop to folio_nr_pages_mapped()?
	 * Perhaps: given all the raciness, that may be a good or a bad idea.
	 */
	nr_pages = folio_nr_pages(folio);
	for (idx = 0; idx < nr_pages; idx++)
		total += atomic_read(&folio_page(folio, idx)->_mapcount);

	/* But each of those _mapcounts was based on -1 */
	total += nr_pages;

	return total;
}
    1107             : 
/**
 * page_move_anon_rmap - move a page to our anon_vma
 * @page:	the page to move to our anon_vma
 * @vma:	the vma the page belongs to
 *
 * When a page belongs exclusively to one process after a COW event,
 * that page can be moved into the anon_vma that belongs to just that
 * process, so the rmap code will not search the parent or sibling
 * processes.
 *
 * The folio must be locked and @vma must have an anon_vma; both are
 * checked with VM_BUG_ON.
 */
void page_move_anon_rmap(struct page *page, struct vm_area_struct *vma)
{
	struct folio *folio = page_folio(page);
	void *anon_vma = vma->anon_vma;

	VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio);
	VM_BUG_ON_VMA(!anon_vma, vma);

	/*
	 * Ensure that anon_vma and the PAGE_MAPPING_ANON bit are written
	 * simultaneously, so a concurrent reader (eg folio_referenced()'s
	 * folio_test_anon()) will not see one without the other. That is
	 * why the tagged pointer is built first and stored with one
	 * WRITE_ONCE().
	 */
	WRITE_ONCE(folio->mapping, anon_vma + PAGE_MAPPING_ANON);
	SetPageAnonExclusive(page);
}
    1135             : 
    /**
     * __page_set_anon_rmap - set up new anonymous rmap
     * @folio:      Folio which contains page.
     * @page:       Page to add to rmap.
     * @vma:        VM area to add page to.
     * @address:    User virtual address of the mapping
     * @exclusive:  the page is exclusively owned by the current process
     *
     * A folio that already tests as anonymous keeps its mapping and index;
     * only the exclusive marker on @page is (re)applied in that case.
     * @vma must have an anon_vma: this is enforced with BUG_ON().
     */
    static void __page_set_anon_rmap(struct folio *folio, struct page *page,
            struct vm_area_struct *vma, unsigned long address, int exclusive)
    {
            struct anon_vma *owner = vma->anon_vma;

            BUG_ON(!owner);

            if (!folio_test_anon(folio)) {
                    /*
                     * A page that isn't exclusively mapped into this vma must
                     * point at the _oldest_ possible anon_vma.
                     */
                    if (!exclusive)
                            owner = owner->root;

                    /*
                     * page_idle does a lockless/optimistic rmap scan on
                     * folio->mapping.  The pointer and the PAGE_MAPPING_ANON type
                     * identifier must not be split into separate stores by the
                     * compiler, otherwise the rmap code could mistake the mapping
                     * for a struct address_space and crash.
                     */
                    owner = (void *) owner + PAGE_MAPPING_ANON;
                    WRITE_ONCE(folio->mapping, (struct address_space *) owner);
                    folio->index = linear_page_index(vma, address);
            }

            if (exclusive)
                    SetPageAnonExclusive(page);
    }
    1175             : 
    /**
     * __page_check_anon_rmap - sanity check anonymous rmap addition
     * @page:       the page to add the mapping to
     * @vma:        the vm area in which the mapping is added
     * @address:    the user virtual address mapped
     *
     * Consists solely of VM_BUG_ON_*() assertions; it modifies nothing.
     */
    static void __page_check_anon_rmap(struct page *page,
            struct vm_area_struct *vma, unsigned long address)
    {
            struct folio *owner = page_folio(page);

            /*
             * By now the page's anon-rmap details (mapping and index) are
             * guaranteed to have been set up correctly:
             *
             *  - page_add_anon_rmap is excluded because its caller always holds
             *    the page locked;
             *  - page_add_new_anon_rmap is excluded because those pages are
             *    initially only visible via the pagetables, and the pte is locked
             *    over the call to page_add_new_anon_rmap.
             */

            /* The folio and the vma must descend from the same root anon_vma. */
            VM_BUG_ON_FOLIO(folio_anon_vma(owner)->root != vma->anon_vma->root,
                            owner);
            /* The page's offset must match the linear index of @address in @vma. */
            VM_BUG_ON_PAGE(page_to_pgoff(page) != linear_page_index(vma, address),
                           page);
    }
    1202             : 
    /**
     * page_add_anon_rmap - add pte mapping to an anonymous page
     * @page:       the page to add the mapping to
     * @vma:        the vm area in which the mapping is added
     * @address:    the user virtual address mapped
     * @flags:      the rmap flags
     *
     * Locking: the caller holds the pte lock, and in the anon_vma case the
     * page must be locked too.  The page lock serializes the mapping,index
     * check against their setting, and ensures that PageAnon is not being
     * upgraded racily to PageKsm (PageKsm is never downgraded to PageAnon).
     */
    void page_add_anon_rmap(struct page *page, struct vm_area_struct *vma,
                    unsigned long address, rmap_t flags)
    {
            struct folio *folio = page_folio(page);
            atomic_t *counter = &folio->_nr_pages_mapped;
            bool compound = flags & RMAP_COMPOUND;
            bool first = true;
            int nr_mapped = 0;      /* delta applied to NR_ANON_MAPPED */
            int nr_thp = 0;         /* delta applied to NR_ANON_THPS */
            int seen;               /* value returned by the counter update */

            /* Is page being mapped by PTE? Is this its first map to be added? */
            if (likely(!compound)) {
                    first = atomic_inc_and_test(&page->_mapcount);
                    if (first && folio_test_large(folio)) {
                            /* Counted only while the counter is below COMPOUND_MAPPED. */
                            seen = atomic_inc_return_relaxed(counter);
                            nr_mapped = (seen < COMPOUND_MAPPED);
                    } else {
                            nr_mapped = first;
                    }
            } else if (folio_test_pmd_mappable(folio)) {
                    /* That test is redundant: it's for safety or to optimize out */

                    first = atomic_inc_and_test(&folio->_entire_mapcount);
                    if (first) {
                            seen = atomic_add_return_relaxed(COMPOUND_MAPPED, counter);
                            if (likely(seen < COMPOUND_MAPPED + COMPOUND_MAPPED)) {
                                    nr_thp = folio_nr_pages(folio);
                                    nr_mapped = nr_thp - (seen & FOLIO_PAGES_MAPPED);
                                    /* Raced ahead of a remove and another add? */
                                    if (unlikely(nr_mapped < 0))
                                            nr_mapped = 0;
                            }
                            /*
                             * Otherwise we raced ahead of a remove of
                             * COMPOUND_MAPPED: both deltas stay at zero.
                             */
                    }
            }

            /* An exclusive mapping may only be established by the first mapper. */
            VM_BUG_ON_PAGE(!first && (flags & RMAP_EXCLUSIVE), page);
            VM_BUG_ON_PAGE(!first && PageAnonExclusive(page), page);

            if (nr_thp)
                    __lruvec_stat_mod_folio(folio, NR_ANON_THPS, nr_thp);
            if (nr_mapped)
                    __lruvec_stat_mod_folio(folio, NR_ANON_MAPPED, nr_mapped);

            if (likely(!folio_test_ksm(folio))) {
                    /* address might be in next vma when migration races vma_merge */
                    if (!first)
                            __page_check_anon_rmap(page, vma, address);
                    else
                            __page_set_anon_rmap(folio, page, vma, address,
                                                 !!(flags & RMAP_EXCLUSIVE));
            }

            mlock_vma_folio(folio, vma, compound);
    }
    1270             : 
    /**
     * folio_add_new_anon_rmap - Add mapping to a new anonymous folio.
     * @folio:      The folio to add the mapping to.
     * @vma:        the vm area in which the mapping is added
     * @address:    the user virtual address mapped
     *
     * Like page_add_anon_rmap() but must only be called on *new* folios.
     * Because the folio is new, the mapcounts are set directly and the
     * inc-and-test is bypassed.  The folio does not have to be locked.
     *
     * A large folio is accounted as a THP.  As the folio is new, it's
     * assumed to be mapped exclusively by a single process.
     */
    void folio_add_new_anon_rmap(struct folio *folio, struct vm_area_struct *vma,
                    unsigned long address)
    {
            int nr_pages = 1;

            /* @address has to lie inside [vm_start, vm_end) of @vma. */
            VM_BUG_ON_VMA(address < vma->vm_start || address >= vma->vm_end, vma);
            __folio_set_swapbacked(folio);

            if (unlikely(folio_test_pmd_mappable(folio))) {
                    /* increment count (starts at -1) */
                    atomic_set(&folio->_entire_mapcount, 0);
                    atomic_set(&folio->_nr_pages_mapped, COMPOUND_MAPPED);
                    nr_pages = folio_nr_pages(folio);
                    __lruvec_stat_mod_folio(folio, NR_ANON_THPS, nr_pages);
            } else {
                    /* increment count (starts at -1) */
                    atomic_set(&folio->_mapcount, 0);
            }

            __lruvec_stat_mod_folio(folio, NR_ANON_MAPPED, nr_pages);
            /* Final argument 1: the new folio is set up as exclusive. */
            __page_set_anon_rmap(folio, &folio->page, vma, address, 1);
    }
    1307             : 
    /**
     * page_add_file_rmap - add pte mapping to a file page
     * @page:       the page to add the mapping to
     * @vma:        the vm area in which the mapping is added
     * @compound:   charge the page as compound or small page
     *
     * The caller needs to hold the pte lock.
     */
    void page_add_file_rmap(struct page *page, struct vm_area_struct *vma,
                    bool compound)
    {
            struct folio *folio = page_folio(page);
            atomic_t *counter = &folio->_nr_pages_mapped;
            int nr_mapped = 0;      /* delta applied to NR_FILE_MAPPED */
            int nr_thp = 0;         /* delta applied to the *_PMDMAPPED counter */
            int seen;               /* value returned by the counter update */
            bool first;

            VM_BUG_ON_PAGE(compound && !PageTransHuge(page), page);

            /* Is page being mapped by PTE? Is this its first map to be added? */
            if (likely(!compound)) {
                    first = atomic_inc_and_test(&page->_mapcount);
                    if (first && folio_test_large(folio)) {
                            /* Counted only while the counter is below COMPOUND_MAPPED. */
                            seen = atomic_inc_return_relaxed(counter);
                            nr_mapped = (seen < COMPOUND_MAPPED);
                    } else {
                            nr_mapped = first;
                    }
            } else if (folio_test_pmd_mappable(folio)) {
                    /* That test is redundant: it's for safety or to optimize out */

                    first = atomic_inc_and_test(&folio->_entire_mapcount);
                    if (first) {
                            seen = atomic_add_return_relaxed(COMPOUND_MAPPED, counter);
                            if (likely(seen < COMPOUND_MAPPED + COMPOUND_MAPPED)) {
                                    nr_thp = folio_nr_pages(folio);
                                    nr_mapped = nr_thp - (seen & FOLIO_PAGES_MAPPED);
                                    /* Raced ahead of a remove and another add? */
                                    if (unlikely(nr_mapped < 0))
                                            nr_mapped = 0;
                            }
                            /*
                             * Otherwise we raced ahead of a remove of
                             * COMPOUND_MAPPED: both deltas stay at zero.
                             */
                    }
            }

            /* Swap-backed folios are charged to the shmem counter, others to file. */
            if (nr_thp) {
                    if (folio_test_swapbacked(folio))
                            __lruvec_stat_mod_folio(folio, NR_SHMEM_PMDMAPPED, nr_thp);
                    else
                            __lruvec_stat_mod_folio(folio, NR_FILE_PMDMAPPED, nr_thp);
            }
            if (nr_mapped)
                    __lruvec_stat_mod_folio(folio, NR_FILE_MAPPED, nr_mapped);

            mlock_vma_folio(folio, vma, compound);
    }
    1361             : 
    /**
     * page_remove_rmap - take down pte mapping from a page
     * @page:       page to remove mapping from
     * @vma:        the vm area from which the mapping is removed
     * @compound:   uncharge the page as compound or small page
     *
     * The caller needs to hold the pte lock.
     */
    void page_remove_rmap(struct page *page, struct vm_area_struct *vma,
                    bool compound)
    {
            struct folio *folio = page_folio(page);
            atomic_t *counter = &folio->_nr_pages_mapped;
            int nr_unmapped = 0;    /* pages leaving NR_*_MAPPED */
            int nr_thp = 0;         /* pages leaving the PMD-mapped counter */
            int seen;               /* value returned by the counter update */
            bool last;
            enum node_stat_item idx;

            VM_BUG_ON_PAGE(compound && !PageHead(page), page);

            /* Hugetlb pages are not counted in NR_*MAPPED */
            if (unlikely(folio_test_hugetlb(folio))) {
                    /* hugetlb pages are always mapped with pmds */
                    atomic_dec(&folio->_entire_mapcount);
                    return;
            }

            /* Is page being unmapped by PTE? Is this its last map to be removed? */
            if (likely(!compound)) {
                    last = atomic_add_negative(-1, &page->_mapcount);
                    if (last && folio_test_large(folio)) {
                            /* Counted only while the counter is below COMPOUND_MAPPED. */
                            seen = atomic_dec_return_relaxed(counter);
                            nr_unmapped = (seen < COMPOUND_MAPPED);
                    } else {
                            nr_unmapped = last;
                    }
            } else if (folio_test_pmd_mappable(folio)) {
                    /* That test is redundant: it's for safety or to optimize out */

                    last = atomic_add_negative(-1, &folio->_entire_mapcount);
                    if (last) {
                            seen = atomic_sub_return_relaxed(COMPOUND_MAPPED, counter);
                            if (likely(seen < COMPOUND_MAPPED)) {
                                    nr_thp = folio_nr_pages(folio);
                                    nr_unmapped = nr_thp - (seen & FOLIO_PAGES_MAPPED);
                                    /* Raced ahead of another remove and an add? */
                                    if (unlikely(nr_unmapped < 0))
                                            nr_unmapped = 0;
                            }
                            /*
                             * Otherwise an add of COMPOUND_MAPPED raced ahead:
                             * both deltas stay at zero.
                             */
                    }
            }

            if (nr_thp) {
                    if (folio_test_anon(folio))
                            idx = NR_ANON_THPS;
                    else if (folio_test_swapbacked(folio))
                            idx = NR_SHMEM_PMDMAPPED;
                    else
                            idx = NR_FILE_PMDMAPPED;
                    __lruvec_stat_mod_folio(folio, idx, -nr_thp);
            }
            if (nr_unmapped) {
                    if (folio_test_anon(folio))
                            idx = NR_ANON_MAPPED;
                    else
                            idx = NR_FILE_MAPPED;
                    __lruvec_stat_mod_folio(folio, idx, -nr_unmapped);

                    /*
                     * Queue anon THP for deferred split if at least one
                     * page of the folio is unmapped and at least one page
                     * is still mapped.
                     */
                    if (folio_test_pmd_mappable(folio) && folio_test_anon(folio) &&
                        (!compound || nr_unmapped < nr_thp))
                            deferred_split_folio(folio);
            }

            /*
             * It would be tidy to reset folio_test_anon mapping when fully
             * unmapped, but that might overwrite a racing page_add_anon_rmap
             * which increments mapcount after us but sets mapping before us:
             * so leave the reset to free_pages_prepare, and remember that
             * it's only reliable while mapped.
             */

            munlock_vma_folio(folio, vma, compound);
    }
    1448             : 
    1449             : /*
    1450             :  * @arg: enum ttu_flags will be passed to this argument
    1451             :  */
    1452           0 : static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma,
    1453             :                      unsigned long address, void *arg)
    1454             : {
    1455           0 :         struct mm_struct *mm = vma->vm_mm;
    1456           0 :         DEFINE_FOLIO_VMA_WALK(pvmw, folio, vma, address, 0);
    1457             :         pte_t pteval;
    1458             :         struct page *subpage;
    1459           0 :         bool anon_exclusive, ret = true;
    1460             :         struct mmu_notifier_range range;
    1461           0 :         enum ttu_flags flags = (enum ttu_flags)(long)arg;
    1462             :         unsigned long pfn;
    1463             : 
    1464             :         /*
    1465             :          * When racing against e.g. zap_pte_range() on another cpu,
    1466             :          * in between its ptep_get_and_clear_full() and page_remove_rmap(),
    1467             :          * try_to_unmap() may return before page_mapped() has become false,
    1468             :          * if page table locking is skipped: use TTU_SYNC to wait for that.
    1469             :          */
    1470           0 :         if (flags & TTU_SYNC)
    1471           0 :                 pvmw.flags = PVMW_SYNC;
    1472             : 
    1473             :         if (flags & TTU_SPLIT_HUGE_PMD)
    1474             :                 split_huge_pmd_address(vma, address, false, folio);
    1475             : 
    1476             :         /*
    1477             :          * For THP, we have to assume the worse case ie pmd for invalidation.
    1478             :          * For hugetlb, it could be much worse if we need to do pud
    1479             :          * invalidation in the case of pmd sharing.
    1480             :          *
    1481             :          * Note that the folio can not be freed in this function as call of
    1482             :          * try_to_unmap() must hold a reference on the folio.
    1483             :          */
    1484             :         range.end = vma_address_end(&pvmw);
    1485             :         mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma->vm_mm,
    1486             :                                 address, range.end);
    1487             :         if (folio_test_hugetlb(folio)) {
    1488             :                 /*
    1489             :                  * If sharing is possible, start and end will be adjusted
    1490             :                  * accordingly.
    1491             :                  */
    1492             :                 adjust_range_if_pmd_sharing_possible(vma, &range.start,
    1493             :                                                      &range.end);
    1494             :         }
    1495             :         mmu_notifier_invalidate_range_start(&range);
    1496             : 
    1497           0 :         while (page_vma_mapped_walk(&pvmw)) {
    1498             :                 /* Unexpected PMD-mapped THP? */
    1499             :                 VM_BUG_ON_FOLIO(!pvmw.pte, folio);
    1500             : 
    1501             :                 /*
    1502             :                  * If the folio is in an mlock()d vma, we must not swap it out.
    1503             :                  */
    1504           0 :                 if (!(flags & TTU_IGNORE_MLOCK) &&
    1505           0 :                     (vma->vm_flags & VM_LOCKED)) {
    1506             :                         /* Restore the mlock which got missed */
    1507           0 :                         mlock_vma_folio(folio, vma, false);
    1508           0 :                         page_vma_mapped_walk_done(&pvmw);
    1509             :                         ret = false;
    1510             :                         break;
    1511             :                 }
    1512             : 
    1513           0 :                 pfn = pte_pfn(ptep_get(pvmw.pte));
    1514           0 :                 subpage = folio_page(folio, pfn - folio_pfn(folio));
    1515           0 :                 address = pvmw.address;
    1516           0 :                 anon_exclusive = folio_test_anon(folio) &&
    1517           0 :                                  PageAnonExclusive(subpage);
    1518             : 
    1519           0 :                 if (folio_test_hugetlb(folio)) {
    1520             :                         bool anon = folio_test_anon(folio);
    1521             : 
    1522             :                         /*
    1523             :                          * The try_to_unmap() is only passed a hugetlb page
    1524             :                          * in the case where the hugetlb page is poisoned.
    1525             :                          */
    1526             :                         VM_BUG_ON_PAGE(!PageHWPoison(subpage), subpage);
    1527             :                         /*
    1528             :                          * huge_pmd_unshare may unmap an entire PMD page.
    1529             :                          * There is no way of knowing exactly which PMDs may
    1530             :                          * be cached for this mm, so we must flush them all.
    1531             :                          * start/end were already adjusted above to cover this
    1532             :                          * range.
    1533             :                          */
    1534             :                         flush_cache_range(vma, range.start, range.end);
    1535             : 
    1536             :                         /*
    1537             :                          * To call huge_pmd_unshare, i_mmap_rwsem must be
    1538             :                          * held in write mode.  Caller needs to explicitly
    1539             :                          * do this outside rmap routines.
    1540             :                          *
    1541             :                          * We also must hold hugetlb vma_lock in write mode.
    1542             :                          * Lock order dictates acquiring vma_lock BEFORE
    1543             :                          * i_mmap_rwsem.  We can only try lock here and fail
    1544             :                          * if unsuccessful.
    1545             :                          */
    1546             :                         if (!anon) {
    1547             :                                 VM_BUG_ON(!(flags & TTU_RMAP_LOCKED));
    1548             :                                 if (!hugetlb_vma_trylock_write(vma)) {
    1549             :                                         page_vma_mapped_walk_done(&pvmw);
    1550             :                                         ret = false;
    1551             :                                         break;
    1552             :                                 }
    1553             :                                 if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) {
    1554             :                                         hugetlb_vma_unlock_write(vma);
    1555             :                                         flush_tlb_range(vma,
    1556             :                                                 range.start, range.end);
    1557             :                                         mmu_notifier_invalidate_range(mm,
    1558             :                                                 range.start, range.end);
    1559             :                                         /*
    1560             :                                          * The ref count of the PMD page was
    1561             :                                          * dropped which is part of the way map
    1562             :                                          * counting is done for shared PMDs.
    1563             :                                          * Return 'true' here.  When there is
    1564             :                                          * no other sharing, huge_pmd_unshare
    1565             :                                          * returns false and we will unmap the
    1566             :                                          * actual page and drop map count
    1567             :                                          * to zero.
    1568             :                                          */
    1569             :                                         page_vma_mapped_walk_done(&pvmw);
    1570             :                                         break;
    1571             :                                 }
    1572             :                                 hugetlb_vma_unlock_write(vma);
    1573             :                         }
    1574             :                         pteval = huge_ptep_clear_flush(vma, address, pvmw.pte);
    1575             :                 } else {
    1576           0 :                         flush_cache_page(vma, address, pfn);
    1577             :                         /* Nuke the page table entry. */
    1578           0 :                         if (should_defer_flush(mm, flags)) {
    1579             :                                 /*
    1580             :                                  * We clear the PTE but do not flush so potentially
    1581             :                                  * a remote CPU could still be writing to the folio.
    1582             :                                  * If the entry was previously clean then the
    1583             :                                  * architecture must guarantee that a clear->dirty
    1584             :                                  * transition on a cached TLB entry is written through
    1585             :                                  * and traps if the PTE is unmapped.
    1586             :                                  */
    1587             :                                 pteval = ptep_get_and_clear(mm, address, pvmw.pte);
    1588             : 
    1589             :                                 set_tlb_ubc_flush_pending(mm, pteval);
    1590             :                         } else {
    1591           0 :                                 pteval = ptep_clear_flush(vma, address, pvmw.pte);
    1592             :                         }
    1593             :                 }
    1594             : 
    1595             :                 /*
    1596             :                  * Now the pte is cleared. If this pte was uffd-wp armed,
    1597             :                  * we may want to replace a none pte with a marker pte if
    1598             :                  * it's file-backed, so we don't lose the tracking info.
    1599             :                  */
    1600           0 :                 pte_install_uffd_wp_if_needed(vma, address, pvmw.pte, pteval);
    1601             : 
    1602             :                 /* Set the dirty flag on the folio now the pte is gone. */
    1603           0 :                 if (pte_dirty(pteval))
    1604           0 :                         folio_mark_dirty(folio);
    1605             : 
    1606             :                 /* Update high watermark before we lower rss */
    1607           0 :                 update_hiwater_rss(mm);
    1608             : 
    1609           0 :                 if (PageHWPoison(subpage) && (flags & TTU_HWPOISON)) {
    1610             :                         pteval = swp_entry_to_pte(make_hwpoison_entry(subpage));
    1611             :                         if (folio_test_hugetlb(folio)) {
    1612             :                                 hugetlb_count_sub(folio_nr_pages(folio), mm);
    1613             :                                 set_huge_pte_at(mm, address, pvmw.pte, pteval);
    1614             :                         } else {
    1615             :                                 dec_mm_counter(mm, mm_counter(&folio->page));
    1616             :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    1617             :                         }
    1618             : 
    1619           0 :                 } else if (pte_unused(pteval) && !userfaultfd_armed(vma)) {
    1620             :                         /*
    1621             :                          * The guest indicated that the page content is of no
    1622             :                          * interest anymore. Simply discard the pte, vmscan
    1623             :                          * will take care of the rest.
    1624             :                          * A future reference will then fault in a new zero
    1625             :                          * page. When userfaultfd is active, we must not drop
    1626             :                          * this page though, as its main user (postcopy
    1627             :                          * migration) will not expect userfaults on already
    1628             :                          * copied pages.
    1629             :                          */
    1630             :                         dec_mm_counter(mm, mm_counter(&folio->page));
    1631             :                         /* We have to invalidate as we cleared the pte */
    1632             :                         mmu_notifier_invalidate_range(mm, address,
    1633             :                                                       address + PAGE_SIZE);
    1634           0 :                 } else if (folio_test_anon(folio)) {
    1635           0 :                         swp_entry_t entry = { .val = page_private(subpage) };
    1636             :                         pte_t swp_pte;
    1637             :                         /*
    1638             :                          * Store the swap location in the pte.
    1639             :                          * See handle_pte_fault() ...
    1640             :                          */
    1641           0 :                         if (unlikely(folio_test_swapbacked(folio) !=
    1642             :                                         folio_test_swapcache(folio))) {
    1643           0 :                                 WARN_ON_ONCE(1);
    1644           0 :                                 ret = false;
    1645             :                                 /* We have to invalidate as we cleared the pte */
    1646           0 :                                 mmu_notifier_invalidate_range(mm, address,
    1647             :                                                         address + PAGE_SIZE);
    1648           0 :                                 page_vma_mapped_walk_done(&pvmw);
    1649             :                                 break;
    1650             :                         }
    1651             : 
    1652             :                         /* MADV_FREE page check */
    1653           0 :                         if (!folio_test_swapbacked(folio)) {
    1654             :                                 int ref_count, map_count;
    1655             : 
    1656             :                                 /*
    1657             :                                  * Synchronize with gup_pte_range():
    1658             :                                  * - clear PTE; barrier; read refcount
    1659             :                                  * - inc refcount; barrier; read PTE
    1660             :                                  */
    1661           0 :                                 smp_mb();
    1662             : 
    1663           0 :                                 ref_count = folio_ref_count(folio);
    1664           0 :                                 map_count = folio_mapcount(folio);
    1665             : 
    1666             :                                 /*
    1667             :                                  * Order reads for page refcount and dirty flag
    1668             :                                  * (see comments in __remove_mapping()).
    1669             :                                  */
    1670           0 :                                 smp_rmb();
    1671             : 
    1672             :                                 /*
    1673             :                                  * The only page refs must be one from isolation
    1674             :                                  * plus the rmap(s) (dropped by discard:).
    1675             :                                  */
    1676           0 :                                 if (ref_count == 1 + map_count &&
    1677           0 :                                     !folio_test_dirty(folio)) {
    1678             :                                         /* Invalidate as we cleared the pte */
    1679           0 :                                         mmu_notifier_invalidate_range(mm,
    1680             :                                                 address, address + PAGE_SIZE);
    1681           0 :                                         dec_mm_counter(mm, MM_ANONPAGES);
    1682           0 :                                         goto discard;
    1683             :                                 }
    1684             : 
    1685             :                                 /*
    1686             :                                  * If the folio was redirtied, it cannot be
    1687             :                                  * discarded. Remap the page to page table.
    1688             :                                  */
    1689           0 :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    1690           0 :                                 folio_set_swapbacked(folio);
    1691           0 :                                 ret = false;
    1692           0 :                                 page_vma_mapped_walk_done(&pvmw);
    1693             :                                 break;
    1694             :                         }
    1695             : 
    1696           0 :                         if (swap_duplicate(entry) < 0) {
    1697           0 :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    1698           0 :                                 ret = false;
    1699           0 :                                 page_vma_mapped_walk_done(&pvmw);
    1700             :                                 break;
    1701             :                         }
    1702           0 :                         if (arch_unmap_one(mm, vma, address, pteval) < 0) {
    1703             :                                 swap_free(entry);
    1704             :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    1705             :                                 ret = false;
    1706             :                                 page_vma_mapped_walk_done(&pvmw);
    1707             :                                 break;
    1708             :                         }
    1709             : 
    1710             :                         /* See page_try_share_anon_rmap(): clear PTE first. */
    1711           0 :                         if (anon_exclusive &&
    1712           0 :                             page_try_share_anon_rmap(subpage)) {
    1713           0 :                                 swap_free(entry);
    1714           0 :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    1715           0 :                                 ret = false;
    1716           0 :                                 page_vma_mapped_walk_done(&pvmw);
    1717             :                                 break;
    1718             :                         }
    1719           0 :                         if (list_empty(&mm->mmlist)) {
    1720           0 :                                 spin_lock(&mmlist_lock);
    1721           0 :                                 if (list_empty(&mm->mmlist))
    1722           0 :                                         list_add(&mm->mmlist, &init_mm.mmlist);
    1723             :                                 spin_unlock(&mmlist_lock);
    1724             :                         }
    1725           0 :                         dec_mm_counter(mm, MM_ANONPAGES);
    1726           0 :                         inc_mm_counter(mm, MM_SWAPENTS);
    1727           0 :                         swp_pte = swp_entry_to_pte(entry);
    1728           0 :                         if (anon_exclusive)
    1729             :                                 swp_pte = pte_swp_mkexclusive(swp_pte);
    1730           0 :                         if (pte_soft_dirty(pteval))
    1731             :                                 swp_pte = pte_swp_mksoft_dirty(swp_pte);
    1732             :                         if (pte_uffd_wp(pteval))
    1733             :                                 swp_pte = pte_swp_mkuffd_wp(swp_pte);
    1734           0 :                         set_pte_at(mm, address, pvmw.pte, swp_pte);
    1735             :                         /* Invalidate as we cleared the pte */
    1736           0 :                         mmu_notifier_invalidate_range(mm, address,
    1737             :                                                       address + PAGE_SIZE);
    1738             :                 } else {
    1739             :                         /*
    1740             :                          * This is a locked file-backed folio,
    1741             :                          * so it cannot be removed from the page
    1742             :                          * cache and replaced by a new folio before
    1743             :                          * mmu_notifier_invalidate_range_end, so no
    1744             :                          * concurrent thread might update its page table
    1745             :                          * to point at a new folio while a device is
    1746             :                          * still using this folio.
    1747             :                          *
    1748             :                          * See Documentation/mm/mmu_notifier.rst
    1749             :                          */
    1750           0 :                         dec_mm_counter(mm, mm_counter_file(&folio->page));
    1751             :                 }
    1752             : discard:
    1753             :                 /*
    1754             :                  * No need to call mmu_notifier_invalidate_range() it has be
    1755             :                  * done above for all cases requiring it to happen under page
    1756             :                  * table lock before mmu_notifier_invalidate_range_end()
    1757             :                  *
    1758             :                  * See Documentation/mm/mmu_notifier.rst
    1759             :                  */
    1760           0 :                 page_remove_rmap(subpage, vma, folio_test_hugetlb(folio));
    1761           0 :                 if (vma->vm_flags & VM_LOCKED)
    1762           0 :                         mlock_drain_local();
    1763             :                 folio_put(folio);
    1764             :         }
    1765             : 
    1766           0 :         mmu_notifier_invalidate_range_end(&range);
    1767             : 
    1768           0 :         return ret;
    1769             : }
    1770             : 
    /*
     * Report whether @vma should be excluded, i.e. whether
     * vma_is_temporary_stack() says it is a temporary stack.
     *
     * @arg is accepted but not used.
     *
     * NOTE(review): presumably installed as a VMA filter for the migration
     * rmap walk; the user is outside this part of the file - confirm.
     */
    static bool invalid_migration_vma(struct vm_area_struct *vma, void *arg)
    {
            bool is_temp_stack = vma_is_temporary_stack(vma);

            return is_temp_stack;
    }
    1775             : 
    /*
     * Return 1 when folio_mapped() reports that @folio has no mappings left,
     * 0 otherwise.  try_to_unmap() installs this as the .done callback of its
     * rmap walk.
     */
    static int folio_not_mapped(struct folio *folio)
    {
            if (folio_mapped(folio))
                    return 0;

            return 1;
    }
    1780             : 
    /**
     * try_to_unmap - Try to remove all page table mappings to a folio.
     * @folio: The folio to unmap.
     * @flags: action and flags
     *
     * Runs an rmap walk over @folio with try_to_unmap_one() as the per-VMA
     * callback and folio_not_mapped() as the .done callback.  @flags is
     * handed to the callback through the walk's opaque argument.  When
     * TTU_RMAP_LOCKED is set the walk goes through rmap_walk_locked()
     * (presumably because the caller already holds the rmap lock - confirm
     * against callers); otherwise rmap_walk() is used.
     *
     * Nothing is returned, so a partial or failed unmap is not reported
     * here.  It is the caller's responsibility to check if the folio is
     * still mapped if needed (use TTU_SYNC to prevent accounting races);
     * any mapping left behind still gives its address space access to the
     * folio, so do that check before the folio is reused or freed.
     *
     * Context: Caller must hold the folio lock.
     */
    void try_to_unmap(struct folio *folio, enum ttu_flags flags)
    {
            struct rmap_walk_control rwc = {
                    .arg = (void *)flags,
                    .rmap_one = try_to_unmap_one,
                    .anon_lock = folio_lock_anon_vma_read,
                    .done = folio_not_mapped,
            };

            if (!(flags & TTU_RMAP_LOCKED)) {
                    rmap_walk(folio, &rwc);
                    return;
            }

            /* TTU_RMAP_LOCKED was requested: use the locked walk variant. */
            rmap_walk_locked(folio, &rwc);
    }
    1806             : 
    1807             : /*
    1808             :  * @arg: enum ttu_flags will be passed to this argument.
    1809             :  *
    1810             :  * If TTU_SPLIT_HUGE_PMD is specified any PMD mappings will be split into PTEs
    1811             :  * containing migration entries.
    1812             :  */
    1813           0 : static bool try_to_migrate_one(struct folio *folio, struct vm_area_struct *vma,
    1814             :                      unsigned long address, void *arg)
    1815             : {
    1816           0 :         struct mm_struct *mm = vma->vm_mm;
    1817           0 :         DEFINE_FOLIO_VMA_WALK(pvmw, folio, vma, address, 0);
    1818             :         pte_t pteval;
    1819             :         struct page *subpage;
    1820           0 :         bool anon_exclusive, ret = true;
    1821             :         struct mmu_notifier_range range;
    1822           0 :         enum ttu_flags flags = (enum ttu_flags)(long)arg;
    1823             :         unsigned long pfn;
    1824             : 
    1825             :         /*
    1826             :          * When racing against e.g. zap_pte_range() on another cpu,
    1827             :          * in between its ptep_get_and_clear_full() and page_remove_rmap(),
    1828             :          * try_to_migrate() may return before page_mapped() has become false,
    1829             :          * if page table locking is skipped: use TTU_SYNC to wait for that.
    1830             :          */
    1831           0 :         if (flags & TTU_SYNC)
    1832           0 :                 pvmw.flags = PVMW_SYNC;
    1833             : 
    1834             :         /*
    1835             :          * unmap_page() in mm/huge_memory.c is the only user of migration with
    1836             :          * TTU_SPLIT_HUGE_PMD and it wants to freeze.
    1837             :          */
    1838             :         if (flags & TTU_SPLIT_HUGE_PMD)
    1839             :                 split_huge_pmd_address(vma, address, true, folio);
    1840             : 
    1841             :         /*
    1842             :          * For THP, we have to assume the worse case ie pmd for invalidation.
    1843             :          * For hugetlb, it could be much worse if we need to do pud
    1844             :          * invalidation in the case of pmd sharing.
    1845             :          *
    1846             :          * Note that the page can not be free in this function as call of
    1847             :          * try_to_unmap() must hold a reference on the page.
    1848             :          */
    1849             :         range.end = vma_address_end(&pvmw);
    1850             :         mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma->vm_mm,
    1851             :                                 address, range.end);
    1852             :         if (folio_test_hugetlb(folio)) {
    1853             :                 /*
    1854             :                  * If sharing is possible, start and end will be adjusted
    1855             :                  * accordingly.
    1856             :                  */
    1857             :                 adjust_range_if_pmd_sharing_possible(vma, &range.start,
    1858             :                                                      &range.end);
    1859             :         }
    1860             :         mmu_notifier_invalidate_range_start(&range);
    1861             : 
    1862           0 :         while (page_vma_mapped_walk(&pvmw)) {
    1863             : #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
    1864             :                 /* PMD-mapped THP migration entry */
    1865             :                 if (!pvmw.pte) {
    1866             :                         subpage = folio_page(folio,
    1867             :                                 pmd_pfn(*pvmw.pmd) - folio_pfn(folio));
    1868             :                         VM_BUG_ON_FOLIO(folio_test_hugetlb(folio) ||
    1869             :                                         !folio_test_pmd_mappable(folio), folio);
    1870             : 
    1871             :                         if (set_pmd_migration_entry(&pvmw, subpage)) {
    1872             :                                 ret = false;
    1873             :                                 page_vma_mapped_walk_done(&pvmw);
    1874             :                                 break;
    1875             :                         }
    1876             :                         continue;
    1877             :                 }
    1878             : #endif
    1879             : 
    1880             :                 /* Unexpected PMD-mapped THP? */
    1881             :                 VM_BUG_ON_FOLIO(!pvmw.pte, folio);
    1882             : 
    1883           0 :                 pfn = pte_pfn(ptep_get(pvmw.pte));
    1884             : 
    1885           0 :                 if (folio_is_zone_device(folio)) {
    1886             :                         /*
    1887             :                          * Our PTE is a non-present device exclusive entry and
    1888             :                          * calculating the subpage as for the common case would
    1889             :                          * result in an invalid pointer.
    1890             :                          *
    1891             :                          * Since only PAGE_SIZE pages can currently be
    1892             :                          * migrated, just set it to page. This will need to be
    1893             :                          * changed when hugepage migrations to device private
    1894             :                          * memory are supported.
    1895             :                          */
    1896             :                         VM_BUG_ON_FOLIO(folio_nr_pages(folio) > 1, folio);
    1897             :                         subpage = &folio->page;
    1898             :                 } else {
    1899           0 :                         subpage = folio_page(folio, pfn - folio_pfn(folio));
    1900             :                 }
    1901           0 :                 address = pvmw.address;
    1902           0 :                 anon_exclusive = folio_test_anon(folio) &&
    1903           0 :                                  PageAnonExclusive(subpage);
    1904             : 
    1905           0 :                 if (folio_test_hugetlb(folio)) {
    1906             :                         bool anon = folio_test_anon(folio);
    1907             : 
    1908             :                         /*
    1909             :                          * huge_pmd_unshare may unmap an entire PMD page.
    1910             :                          * There is no way of knowing exactly which PMDs may
    1911             :                          * be cached for this mm, so we must flush them all.
    1912             :                          * start/end were already adjusted above to cover this
    1913             :                          * range.
    1914             :                          */
    1915             :                         flush_cache_range(vma, range.start, range.end);
    1916             : 
    1917             :                         /*
    1918             :                          * To call huge_pmd_unshare, i_mmap_rwsem must be
    1919             :                          * held in write mode.  Caller needs to explicitly
    1920             :                          * do this outside rmap routines.
    1921             :                          *
    1922             :                          * We also must hold hugetlb vma_lock in write mode.
    1923             :                          * Lock order dictates acquiring vma_lock BEFORE
    1924             :                          * i_mmap_rwsem.  We can only try lock here and
    1925             :                          * fail if unsuccessful.
    1926             :                          */
    1927             :                         if (!anon) {
    1928             :                                 VM_BUG_ON(!(flags & TTU_RMAP_LOCKED));
    1929             :                                 if (!hugetlb_vma_trylock_write(vma)) {
    1930             :                                         page_vma_mapped_walk_done(&pvmw);
    1931             :                                         ret = false;
    1932             :                                         break;
    1933             :                                 }
    1934             :                                 if (huge_pmd_unshare(mm, vma, address, pvmw.pte)) {
    1935             :                                         hugetlb_vma_unlock_write(vma);
    1936             :                                         flush_tlb_range(vma,
    1937             :                                                 range.start, range.end);
    1938             :                                         mmu_notifier_invalidate_range(mm,
    1939             :                                                 range.start, range.end);
    1940             : 
    1941             :                                         /*
    1942             :                                          * The ref count of the PMD page was
    1943             :                                          * dropped which is part of the way map
    1944             :                                          * counting is done for shared PMDs.
    1945             :                                          * Return 'true' here.  When there is
    1946             :                                          * no other sharing, huge_pmd_unshare
    1947             :                                          * returns false and we will unmap the
    1948             :                                          * actual page and drop map count
    1949             :                                          * to zero.
    1950             :                                          */
    1951             :                                         page_vma_mapped_walk_done(&pvmw);
    1952             :                                         break;
    1953             :                                 }
    1954             :                                 hugetlb_vma_unlock_write(vma);
    1955             :                         }
    1956             :                         /* Nuke the hugetlb page table entry */
    1957             :                         pteval = huge_ptep_clear_flush(vma, address, pvmw.pte);
    1958             :                 } else {
    1959           0 :                         flush_cache_page(vma, address, pfn);
    1960             :                         /* Nuke the page table entry. */
    1961           0 :                         if (should_defer_flush(mm, flags)) {
    1962             :                                 /*
    1963             :                                  * We clear the PTE but do not flush so potentially
    1964             :                                  * a remote CPU could still be writing to the folio.
    1965             :                                  * If the entry was previously clean then the
    1966             :                                  * architecture must guarantee that a clear->dirty
    1967             :                                  * transition on a cached TLB entry is written through
    1968             :                                  * and traps if the PTE is unmapped.
    1969             :                                  */
    1970             :                                 pteval = ptep_get_and_clear(mm, address, pvmw.pte);
    1971             : 
    1972             :                                 set_tlb_ubc_flush_pending(mm, pteval);
    1973             :                         } else {
    1974           0 :                                 pteval = ptep_clear_flush(vma, address, pvmw.pte);
    1975             :                         }
    1976             :                 }
    1977             : 
    1978             :                 /* Set the dirty flag on the folio now the pte is gone. */
    1979           0 :                 if (pte_dirty(pteval))
    1980           0 :                         folio_mark_dirty(folio);
    1981             : 
    1982             :                 /* Update high watermark before we lower rss */
    1983           0 :                 update_hiwater_rss(mm);
    1984             : 
    1985           0 :                 if (folio_is_device_private(folio)) {
    1986             :                         unsigned long pfn = folio_pfn(folio);
    1987             :                         swp_entry_t entry;
    1988             :                         pte_t swp_pte;
    1989             : 
    1990             :                         if (anon_exclusive)
    1991             :                                 BUG_ON(page_try_share_anon_rmap(subpage));
    1992             : 
    1993             :                         /*
    1994             :                          * Store the pfn of the page in a special migration
    1995             :                          * pte. do_swap_page() will wait until the migration
    1996             :                          * pte is removed and then restart fault handling.
    1997             :                          */
    1998             :                         entry = pte_to_swp_entry(pteval);
    1999             :                         if (is_writable_device_private_entry(entry))
    2000             :                                 entry = make_writable_migration_entry(pfn);
    2001             :                         else if (anon_exclusive)
    2002             :                                 entry = make_readable_exclusive_migration_entry(pfn);
    2003             :                         else
    2004             :                                 entry = make_readable_migration_entry(pfn);
    2005             :                         swp_pte = swp_entry_to_pte(entry);
    2006             : 
    2007             :                         /*
    2008             :                          * pteval maps a zone device page and is therefore
    2009             :                          * a swap pte.
    2010             :                          */
    2011             :                         if (pte_swp_soft_dirty(pteval))
    2012             :                                 swp_pte = pte_swp_mksoft_dirty(swp_pte);
    2013             :                         if (pte_swp_uffd_wp(pteval))
    2014             :                                 swp_pte = pte_swp_mkuffd_wp(swp_pte);
    2015             :                         set_pte_at(mm, pvmw.address, pvmw.pte, swp_pte);
    2016             :                         trace_set_migration_pte(pvmw.address, pte_val(swp_pte),
    2017             :                                                 compound_order(&folio->page));
    2018             :                         /*
    2019             :                          * No need to invalidate here it will synchronize on
    2020             :                          * against the special swap migration pte.
    2021             :                          */
    2022           0 :                 } else if (PageHWPoison(subpage)) {
    2023             :                         pteval = swp_entry_to_pte(make_hwpoison_entry(subpage));
    2024             :                         if (folio_test_hugetlb(folio)) {
    2025             :                                 hugetlb_count_sub(folio_nr_pages(folio), mm);
    2026             :                                 set_huge_pte_at(mm, address, pvmw.pte, pteval);
    2027             :                         } else {
    2028             :                                 dec_mm_counter(mm, mm_counter(&folio->page));
    2029             :                                 set_pte_at(mm, address, pvmw.pte, pteval);
    2030             :                         }
    2031             : 
    2032           0 :                 } else if (pte_unused(pteval) && !userfaultfd_armed(vma)) {
    2033             :                         /*
    2034             :                          * The guest indicated that the page content is of no
    2035             :                          * interest anymore. Simply discard the pte, vmscan
    2036             :                          * will take care of the rest.
    2037             :                          * A future reference will then fault in a new zero
    2038             :                          * page. When userfaultfd is active, we must not drop
    2039             :                          * this page though, as its main user (postcopy
    2040             :                          * migration) will not expect userfaults on already
    2041             :                          * copied pages.
    2042             :                          */
    2043             :                         dec_mm_counter(mm, mm_counter(&folio->page));
    2044             :                         /* We have to invalidate as we cleared the pte */
    2045             :                         mmu_notifier_invalidate_range(mm, address,
    2046             :                                                       address + PAGE_SIZE);
    2047             :                 } else {
    2048             :                         swp_entry_t entry;
    2049             :                         pte_t swp_pte;
    2050             : 
    2051           0 :                         if (arch_unmap_one(mm, vma, address, pteval) < 0) {
    2052             :                                 if (folio_test_hugetlb(folio))
    2053             :                                         set_huge_pte_at(mm, address, pvmw.pte, pteval);
    2054             :                                 else
    2055             :                                         set_pte_at(mm, address, pvmw.pte, pteval);
    2056             :                                 ret = false;
    2057             :                                 page_vma_mapped_walk_done(&pvmw);
    2058             :                                 break;
    2059             :                         }
    2060             :                         VM_BUG_ON_PAGE(pte_write(pteval) && folio_test_anon(folio) &&
    2061             :                                        !anon_exclusive, subpage);
    2062             : 
    2063             :                         /* See page_try_share_anon_rmap(): clear PTE first. */
    2064           0 :                         if (anon_exclusive &&
    2065           0 :                             page_try_share_anon_rmap(subpage)) {
    2066           0 :                                 if (folio_test_hugetlb(folio))
    2067             :                                         set_huge_pte_at(mm, address, pvmw.pte, pteval);
    2068             :                                 else
    2069           0 :                                         set_pte_at(mm, address, pvmw.pte, pteval);
    2070           0 :                                 ret = false;
    2071           0 :                                 page_vma_mapped_walk_done(&pvmw);
    2072             :                                 break;
    2073             :                         }
    2074             : 
    2075             :                         /*
    2076             :                          * Store the pfn of the page in a special migration
    2077             :                          * pte. do_swap_page() will wait until the migration
    2078             :                          * pte is removed and then restart fault handling.
    2079             :                          */
    2080           0 :                         if (pte_write(pteval))
    2081           0 :                                 entry = make_writable_migration_entry(
    2082           0 :                                                         page_to_pfn(subpage));
    2083           0 :                         else if (anon_exclusive)
    2084           0 :                                 entry = make_readable_exclusive_migration_entry(
    2085           0 :                                                         page_to_pfn(subpage));
    2086             :                         else
    2087           0 :                                 entry = make_readable_migration_entry(
    2088           0 :                                                         page_to_pfn(subpage));
    2089           0 :                         if (pte_young(pteval))
    2090             :                                 entry = make_migration_entry_young(entry);
    2091           0 :                         if (pte_dirty(pteval))
    2092             :                                 entry = make_migration_entry_dirty(entry);
    2093           0 :                         swp_pte = swp_entry_to_pte(entry);
    2094           0 :                         if (pte_soft_dirty(pteval))
    2095             :                                 swp_pte = pte_swp_mksoft_dirty(swp_pte);
    2096             :                         if (pte_uffd_wp(pteval))
    2097             :                                 swp_pte = pte_swp_mkuffd_wp(swp_pte);
    2098           0 :                         if (folio_test_hugetlb(folio))
    2099             :                                 set_huge_pte_at(mm, address, pvmw.pte, swp_pte);
    2100             :                         else
    2101           0 :                                 set_pte_at(mm, address, pvmw.pte, swp_pte);
    2102           0 :                         trace_set_migration_pte(address, pte_val(swp_pte),
    2103           0 :                                                 compound_order(&folio->page));
    2104             :                         /*
    2105             :                          * No need to invalidate here it will synchronize on
    2106             :                          * against the special swap migration pte.
    2107             :                          */
    2108             :                 }
    2109             : 
    2110             :                 /*
    2111             :                  * No need to call mmu_notifier_invalidate_range() it has be
    2112             :                  * done above for all cases requiring it to happen under page
    2113             :                  * table lock before mmu_notifier_invalidate_range_end()
    2114             :                  *
    2115             :                  * See Documentation/mm/mmu_notifier.rst
    2116             :                  */
    2117           0 :                 page_remove_rmap(subpage, vma, folio_test_hugetlb(folio));
    2118           0 :                 if (vma->vm_flags & VM_LOCKED)
    2119           0 :                         mlock_drain_local();
    2120             :                 folio_put(folio);
    2121             :         }
    2122             : 
    2123           0 :         mmu_notifier_invalidate_range_end(&range);
    2124             : 
    2125           0 :         return ret;
    2126             : }
    2127             : 
    2128             : /**
    2129             :  * try_to_migrate - try to replace all page table mappings with swap entries
    2130             :  * @folio: the folio to replace page table entries for
    2131             :  * @flags: action and flags
    2132             :  *
    2133             :  * Tries to remove all the page table entries which are mapping this folio and
    2134             :  * replace them with special swap entries. Caller must hold the folio lock.
                        *
                        * Nothing is returned, and two early exits skip the walk entirely: an
                        * unsupported bit in @flags (warned once) and a zone-device folio that is
                        * neither device-private nor device-coherent. The call alone therefore does
                        * not tell the caller whether the mappings were replaced.
    2135             :  */
    2136           0 : void try_to_migrate(struct folio *folio, enum ttu_flags flags)
    2137             : {
    2138           0 :         struct rmap_walk_control rwc = {
    2139             :                 .rmap_one = try_to_migrate_one,
                                /* The flag bits travel by value in the pointer-sized arg, not as an address. */
    2140           0 :                 .arg = (void *)flags,
    2141             :                 .done = folio_not_mapped,
    2142             :                 .anon_lock = folio_lock_anon_vma_read,
    2143             :         };
    2144             : 
    2145             :         /*
    2146             :          * Migration always ignores mlock and only supports TTU_RMAP_LOCKED and
    2147             :          * TTU_SPLIT_HUGE_PMD, TTU_SYNC, and TTU_BATCH_FLUSH flags.
    2148             :          */
    2149           0 :         if (WARN_ON_ONCE(flags & ~(TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD |
    2150             :                                         TTU_SYNC | TTU_BATCH_FLUSH)))
    2151           0 :                 return;
    2152             : 
                        /* Of the zone-device folios, only device-private and device-coherent ones are walked. */
    2153           0 :         if (folio_is_zone_device(folio) &&
    2154             :             (!folio_is_device_private(folio) && !folio_is_device_coherent(folio)))
    2155             :                 return;
    2156             : 
    2157             :         /*
    2158             :          * During exec, a temporary VMA is setup and later moved.
    2159             :          * The VMA is moved under the anon_vma lock but not the
    2160             :          * page tables leading to a race where migration cannot
    2161             :          * find the migration ptes. Rather than increasing the
    2162             :          * locking requirements of exec(), migration skips
    2163             :          * temporary VMAs until after exec() completes.
    2164             :          */
    2165           0 :         if (!folio_test_ksm(folio) && folio_test_anon(folio))
    2166           0 :                 rwc.invalid_vma = invalid_migration_vma;
    2167             : 
                        /* TTU_RMAP_LOCKED: the caller already holds the relevant rmap lock. */
    2168           0 :         if (flags & TTU_RMAP_LOCKED)
    2169           0 :                 rmap_walk_locked(folio, &rwc);
    2170             :         else
    2171           0 :                 rmap_walk(folio, &rwc);
    2172             : }
    2173             : 
    2174             : #ifdef CONFIG_DEVICE_PRIVATE
    2175             : struct make_exclusive_args {
                               /* Passed as rwc.arg from folio_make_device_exclusive() to its rmap_one callback. */
    2176             :         struct mm_struct *mm;           /* mm the target is expected to be mapped in */
    2177             :         unsigned long address;          /* expected virtual address of that mapping */
    2178             :         void *owner;                    /* handed to mmu_notifier_range_init_owner() */
    2179             :         bool valid;                     /* set once a writable pte was seen at (mm, address) */
    2180             : };
    2181             : 
    2182             : static bool page_make_device_exclusive_one(struct folio *folio,
    2183             :                 struct vm_area_struct *vma, unsigned long address, void *priv)
    2184             : {
                               /*
                                * rmap_one callback used by folio_make_device_exclusive(): for every
                                * pte in @vma that maps @folio, clear it and install a device-exclusive
                                * swap entry in its place. @priv is a struct make_exclusive_args.
                                * Returns false (which stops the rmap walk) when a non-present pte is
                                * met, true otherwise.
                                */
    2185             :         struct mm_struct *mm = vma->vm_mm;
    2186             :         DEFINE_FOLIO_VMA_WALK(pvmw, folio, vma, address, 0);
    2187             :         struct make_exclusive_args *args = priv;
    2188             :         pte_t pteval;
    2189             :         struct page *subpage;
    2190             :         bool ret = true;
    2191             :         struct mmu_notifier_range range;
    2192             :         swp_entry_t entry;
    2193             :         pte_t swp_pte;
    2194             :         pte_t ptent;
    2195             : 
                               /*
                                * The notified range is clamped to the end of the VMA, and carries
                                * args->owner so that notifier callbacks can filter on it.
                                */
    2196             :         mmu_notifier_range_init_owner(&range, MMU_NOTIFY_EXCLUSIVE, 0,
    2197             :                                       vma->vm_mm, address, min(vma->vm_end,
    2198             :                                       address + folio_size(folio)),
    2199             :                                       args->owner);
    2200             :         mmu_notifier_invalidate_range_start(&range);
    2201             : 
    2202             :         while (page_vma_mapped_walk(&pvmw)) {
    2203             :                 /* Unexpected PMD-mapped THP? */
    2204             :                 VM_BUG_ON_FOLIO(!pvmw.pte, folio);
    2205             : 
    2206             :                 ptent = ptep_get(pvmw.pte);
                                       /* A non-present pte cannot be converted: fail and end the walk. */
    2207             :                 if (!pte_present(ptent)) {
    2208             :                         ret = false;
    2209             :                         page_vma_mapped_walk_done(&pvmw);
    2210             :                         break;
    2211             :                 }
    2212             : 
    2213             :                 subpage = folio_page(folio,
    2214             :                                 pte_pfn(ptent) - folio_pfn(folio));
    2215             :                 address = pvmw.address;
    2216             : 
    2217             :                 /* Nuke the page table entry. */
    2218             :                 flush_cache_page(vma, address, pte_pfn(ptent));
    2219             :                 pteval = ptep_clear_flush(vma, address, pvmw.pte);
    2220             : 
    2221             :                 /* Set the dirty flag on the folio now the pte is gone. */
    2222             :                 if (pte_dirty(pteval))
    2223             :                         folio_mark_dirty(folio);
    2224             : 
    2225             :                 /*
    2226             :                  * Check that our target page is still mapped at the expected
    2227             :                  * address.
                                        * Only a writable pte in the expected mm at the expected
                                        * address marks the request as valid.
    2228             :                  */
    2229             :                 if (args->mm == mm && args->address == address &&
    2230             :                     pte_write(pteval))
    2231             :                         args->valid = true;
    2232             : 
    2233             :                 /*
    2234             :                  * Store the pfn of the page in a special device-exclusive swap
    2235             :                  * pte, writable or read-only to match the pte that was cleared.
    2236             :                  * Per the make_device_exclusive_range() description, a later CPU
                                        * fault replaces the entry with the original mapping after
                                        * calling MMU notifiers (fault path not visible here).
    2237             :                  */
    2238             :                 if (pte_write(pteval))
    2239             :                         entry = make_writable_device_exclusive_entry(
    2240             :                                                         page_to_pfn(subpage));
    2241             :                 else
    2242             :                         entry = make_readable_device_exclusive_entry(
    2243             :                                                         page_to_pfn(subpage));
    2244             :                 swp_pte = swp_entry_to_pte(entry);
                                       /* Carry the soft-dirty and uffd-wp bits over to the swap pte. */
    2245             :                 if (pte_soft_dirty(pteval))
    2246             :                         swp_pte = pte_swp_mksoft_dirty(swp_pte);
    2247             :                 if (pte_uffd_wp(pteval))
    2248             :                         swp_pte = pte_swp_mkuffd_wp(swp_pte);
    2249             : 
    2250             :                 set_pte_at(mm, address, pvmw.pte, swp_pte);
    2251             : 
    2252             :                 /*
    2253             :                  * There is a reference on the page for the swap entry which has
    2254             :                  * been removed, so shouldn't take another.
    2255             :                  */
    2256             :                 page_remove_rmap(subpage, vma, false);
    2257             :         }
    2258             : 
    2259             :         mmu_notifier_invalidate_range_end(&range);
    2260             : 
    2261             :         return ret;
    2262             : }
    2263             : 
    2264             : /**
    2265             :  * folio_make_device_exclusive - Mark the folio exclusively owned by a device.
    2266             :  * @folio: The folio to replace page table entries for.
    2267             :  * @mm: The mm_struct where the folio is expected to be mapped.
    2268             :  * @address: Address where the folio is expected to be mapped.
    2269             :  * @owner: passed to MMU_NOTIFY_EXCLUSIVE range notifier callbacks
    2270             :  *
    2271             :  * Tries to remove all the page table entries which are mapping this
    2272             :  * folio and replace them with special device exclusive swap entries to
    2273             :  * grant a device exclusive access to the folio.
    2274             :  *
    2275             :  * Context: Caller must hold the folio lock.
    2276             :  * Return: false if the page is still mapped, or if it could not be unmapped
    2277             :  * from the expected address. Otherwise returns true (success).
                        * Also returns false, without walking, for any folio that is not anonymous.
    2278             :  */
    2279             : static bool folio_make_device_exclusive(struct folio *folio,
    2280             :                 struct mm_struct *mm, unsigned long address, void *owner)
    2281             : {
    2282             :         struct make_exclusive_args args = {
    2283             :                 .mm = mm,
    2284             :                 .address = address,
    2285             :                 .owner = owner,
    2286             :                 .valid = false,
    2287             :         };
    2288             :         struct rmap_walk_control rwc = {
    2289             :                 .rmap_one = page_make_device_exclusive_one,
    2290             :                 .done = folio_not_mapped,
    2291             :                 .anon_lock = folio_lock_anon_vma_read,
    2292             :                 .arg = &args,
    2293             :         };
    2294             : 
    2295             :         /*
    2296             :          * Restrict to anonymous folios for now to avoid potential writeback
    2297             :          * issues.
    2298             :          */
    2299             :         if (!folio_test_anon(folio))
    2300             :                 return false;
    2301             : 
    2302             :         rmap_walk(folio, &rwc);
    2303             : 
                               /*
                                * Success needs both conditions: the callback saw a writable pte at
                                * the expected (mm, address), and no mapping of the folio is left.
                                */
    2304             :         return args.valid && !folio_mapcount(folio);
    2305             : }
    2306             : 
    2307             : /**
    2308             :  * make_device_exclusive_range() - Mark a range for exclusive use by a device
    2309             :  * @mm: mm_struct of associated target process
    2310             :  * @start: start of the region to mark for exclusive device access
    2311             :  * @end: end address of region
    2312             :  * @pages: returns the pages which were successfully marked for exclusive access
    2313             :  * @owner: passed to MMU_NOTIFY_EXCLUSIVE range notifier to allow filtering
    2314             :  *
    2315             :  * Returns: number of pages found in the range by GUP. A page is marked for
    2316             :  * exclusive access only if the page pointer is non-NULL.
                        * A negative value from get_user_pages_remote() is returned unchanged.
    2317             :  *
    2318             :  * This function finds ptes mapping page(s) to the given address range, locks
    2319             :  * them and replaces mappings with special swap entries preventing userspace CPU
    2320             :  * access. On fault these entries are replaced with the original mapping after
    2321             :  * calling MMU notifiers.
    2322             :  *
    2323             :  * A driver using this to program access from a device must use a mmu notifier
    2324             :  * critical section to hold a device specific lock during programming. Once
    2325             :  * programming is complete it should drop the page lock and reference after
    2326             :  * which point CPU access to the page will revoke the exclusive access.
                        *
                        * Caller contract, as far as this function shows: @pages must have room for
                        * (@end - @start) >> PAGE_SHIFT entries, and @start/@end are not validated
                        * here. Every non-NULL entry left in @pages is still locked and referenced
                        * and must be released by the caller; entries set to NULL were already
                        * released. Entries at or beyond the returned count are not examined.
    2327             :  */
    2328             : int make_device_exclusive_range(struct mm_struct *mm, unsigned long start,
    2329             :                                 unsigned long end, struct page **pages,
    2330             :                                 void *owner)
    2331             : {
                               /*
                                * NOTE(review): unsigned subtraction; end < start is not rejected
                                * here, so the page count would wrap. Range validation is left to
                                * the caller (or to get_user_pages_remote(), not visible here).
                                */
    2332             :         long npages = (end - start) >> PAGE_SHIFT;
    2333             :         long i;
    2334             : 
                               /*
                                * NOTE(review): get_user_pages_remote() normally expects the
                                * caller to hold mm->mmap_lock; no assertion is visible here.
                                */
    2335             :         npages = get_user_pages_remote(mm, start, npages,
    2336             :                                        FOLL_GET | FOLL_WRITE | FOLL_SPLIT_PMD,
    2337             :                                        pages, NULL);
    2338             :         if (npages < 0)
    2339             :                 return npages;
    2340             : 
    2341             :         for (i = 0; i < npages; i++, start += PAGE_SIZE) {
    2342             :                 struct folio *folio = page_folio(pages[i]);
                                       /*
                                        * Tail pages, and folios whose lock cannot be taken without
                                        * blocking, are skipped: drop the reference and report NULL.
                                        */
    2343             :                 if (PageTail(pages[i]) || !folio_trylock(folio)) {
    2344             :                         folio_put(folio);
    2345             :                         pages[i] = NULL;
    2346             :                         continue;
    2347             :                 }
    2348             : 
                                       /* On failure undo both the lock and the reference before reporting NULL. */
    2349             :                 if (!folio_make_device_exclusive(folio, mm, start, owner)) {
    2350             :                         folio_unlock(folio);
    2351             :                         folio_put(folio);
    2352             :                         pages[i] = NULL;
    2353             :                 }
    2354             :         }
    2355             : 
                               /* NOTE(review): long npages is narrowed to the int return type here. */
    2356             :         return npages;
    2357             : }
    2358             : EXPORT_SYMBOL_GPL(make_device_exclusive_range);
    2359             : #endif
    2360             : 
    2361           0 : void __put_anon_vma(struct anon_vma *anon_vma)
    2362             : {
                               /*
                                * Free @anon_vma and drop one reference on its root, freeing the
                                * root as well when that was the last reference. The root pointer
                                * is read first because @anon_vma must not be touched once
                                * anon_vma_free() has been called on it.
                                */
    2363           0 :         struct anon_vma *root = anon_vma->root;
    2364             : 
    2365           0 :         anon_vma_free(anon_vma);
                               /* An anon_vma that is its own root was already freed just above. */
    2366           0 :         if (root != anon_vma && atomic_dec_and_test(&root->refcount))
    2367           0 :                 anon_vma_free(root);
    2368           0 : }
    2369             : 
    2370           0 : static struct anon_vma *rmap_walk_anon_lock(struct folio *folio,
    2371             :                                             struct rmap_walk_control *rwc)
    2372             : {
                               /*
                                * Return the folio's anon_vma with its lock held for reading, or
                                * NULL when there is none or the lock was not taken. A walk-specific
                                * rwc->anon_lock hook, when set, replaces the default logic below.
                                */
    2373             :         struct anon_vma *anon_vma;
    2374             : 
    2375           0 :         if (rwc->anon_lock)
    2376           0 :                 return rwc->anon_lock(folio, rwc);
    2377             : 
    2378             :         /*
    2379             :          * Note: remove_migration_ptes() cannot use folio_lock_anon_vma_read()
    2380             :          * because that depends on page_mapped(); but not all its usages
    2381             :          * are holding mmap_lock. Users without mmap_lock are required to
    2382             :          * take a reference count to prevent the anon_vma disappearing
    2383             :          */
    2384           0 :         anon_vma = folio_anon_vma(folio);
    2385           0 :         if (!anon_vma)
    2386             :                 return NULL;
    2387             : 
                               /* Fast path: the read lock was free. */
    2388           0 :         if (anon_vma_trylock_read(anon_vma))
    2389             :                 goto out;
    2390             : 
                               /*
                                * Contended and the walk asked not to block: report the contention
                                * through rwc->contended and return NULL so that no walk happens.
                                */
    2391           0 :         if (rwc->try_lock) {
    2392           0 :                 anon_vma = NULL;
    2393           0 :                 rwc->contended = true;
    2394           0 :                 goto out;
    2395             :         }
    2396             : 
    2397           0 :         anon_vma_lock_read(anon_vma);
    2398             : out:
    2399             :         return anon_vma;
    2400             : }
    2401             : 
    2402             : /*
    2403             :  * rmap_walk_anon - do something to anonymous page using the object-based
    2404             :  * rmap method
    2405             :  * @folio: the folio to be handled
    2406             :  * @rwc: control variable according to each walk type
                        * @locked: true when the caller already holds the anon_vma lock; the lock is
                        *          then neither taken nor released here
    2407             :  *
    2408             :  * Find all the mappings of a page using the mapping pointer and the vma chains
    2409             :  * contained in the anon_vma struct it points to.
                        *
                        * The walk ends early when rwc->rmap_one() returns false or rwc->done()
                        * returns true. Nothing is walked when no anon_vma is obtained, which
                        * includes the contended try_lock case; that case is reported only through
                        * rwc->contended.
    2410             :  */
    2411           0 : static void rmap_walk_anon(struct folio *folio,
    2412             :                 struct rmap_walk_control *rwc, bool locked)
    2413             : {
    2414             :         struct anon_vma *anon_vma;
    2415             :         pgoff_t pgoff_start, pgoff_end;
    2416             :         struct anon_vma_chain *avc;
    2417             : 
    2418           0 :         if (locked) {
    2419           0 :                 anon_vma = folio_anon_vma(folio);
    2420             :                 /* anon_vma disappear under us? */
    2421             :                 VM_BUG_ON_FOLIO(!anon_vma, folio);
    2422             :         } else {
    2423           0 :                 anon_vma = rmap_walk_anon_lock(folio, rwc);
    2424             :         }
    2425           0 :         if (!anon_vma)
    2426             :                 return;
    2427             : 
                               /* Inclusive page-offset range covered by the folio. */
    2428           0 :         pgoff_start = folio_pgoff(folio);
    2429           0 :         pgoff_end = pgoff_start + folio_nr_pages(folio) - 1;
    2430           0 :         anon_vma_interval_tree_foreach(avc, &anon_vma->rb_root,
    2431             :                         pgoff_start, pgoff_end) {
    2432           0 :                 struct vm_area_struct *vma = avc->vma;
    2433           0 :                 unsigned long address = vma_address(&folio->page, vma);
    2434             : 
    2435             :                 VM_BUG_ON_VMA(address == -EFAULT, vma);
    2436           0 :                 cond_resched();
    2437             : 
                                       /* Let the walk type veto VMAs it must not touch. */
    2438           0 :                 if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
    2439           0 :                         continue;
    2440             : 
    2441           0 :                 if (!rwc->rmap_one(folio, vma, address, rwc->arg))
    2442             :                         break;
    2443           0 :                 if (rwc->done && rwc->done(folio))
    2444             :                         break;
    2445             :         }
    2446             : 
                               /* Release only a lock that was taken by this function. */
    2447           0 :         if (!locked)
    2448           0 :                 anon_vma_unlock_read(anon_vma);
    2449             : }
    2450             : 
    2451             : /*
    2452             :  * rmap_walk_file - do something to file page using the object-based rmap method
    2453             :  * @folio: the folio to be handled
    2454             :  * @rwc: control variable according to each walk type
                        * @locked: true when the caller already holds mapping->i_mmap_rwsem; the lock
                        *          is then neither taken nor released here
    2455             :  *
    2456             :  * Find all the mappings of a page using the mapping pointer and the vma chains
    2457             :  * contained in the address_space struct it points to.
                        *
                        * The folio must be locked. The walk ends early when rwc->rmap_one() returns
                        * false or rwc->done() returns true. With rwc->try_lock set and the lock
                        * contended, nothing is walked and only rwc->contended reports it.
    2458             :  */
    2459           0 : static void rmap_walk_file(struct folio *folio,
    2460             :                 struct rmap_walk_control *rwc, bool locked)
    2461             : {
    2462           0 :         struct address_space *mapping = folio_mapping(folio);
    2463             :         pgoff_t pgoff_start, pgoff_end;
    2464             :         struct vm_area_struct *vma;
    2465             : 
    2466             :         /*
    2467             :          * The page lock not only makes sure that page->mapping cannot
    2468             :          * suddenly be NULLified by truncation, it makes sure that the
    2469             :          * structure at mapping cannot be freed and reused yet,
    2470             :          * so we can safely take mapping->i_mmap_rwsem.
    2471             :          */
    2472             :         VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio);
    2473             : 
    2474           0 :         if (!mapping)
    2475             :                 return;
    2476             : 
                               /* Inclusive page-offset range covered by the folio. */
    2477           0 :         pgoff_start = folio_pgoff(folio);
    2478           0 :         pgoff_end = pgoff_start + folio_nr_pages(folio) - 1;
    2479           0 :         if (!locked) {
                                       /* Try without blocking first; block only if the walk allows it. */
    2480           0 :                 if (i_mmap_trylock_read(mapping))
    2481             :                         goto lookup;
    2482             : 
    2483           0 :                 if (rwc->try_lock) {
    2484           0 :                         rwc->contended = true;
    2485           0 :                         return;
    2486             :                 }
    2487             : 
    2488             :                 i_mmap_lock_read(mapping);
    2489             :         }
    2490             : lookup:
    2491           0 :         vma_interval_tree_foreach(vma, &mapping->i_mmap,
    2492             :                         pgoff_start, pgoff_end) {
    2493           0 :                 unsigned long address = vma_address(&folio->page, vma);
    2494             : 
    2495             :                 VM_BUG_ON_VMA(address == -EFAULT, vma);
    2496           0 :                 cond_resched();
    2497             : 
                                       /* Let the walk type veto VMAs it must not touch. */
    2498           0 :                 if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
    2499           0 :                         continue;
    2500             : 
    2501           0 :                 if (!rwc->rmap_one(folio, vma, address, rwc->arg))
    2502             :                         goto done;
    2503           0 :                 if (rwc->done && rwc->done(folio))
    2504             :                         goto done;
    2505             :         }
    2506             : 
    2507             : done:
                               /* Release only a lock that was taken by this function. */
    2508           0 :         if (!locked)
    2509             :                 i_mmap_unlock_read(mapping);
    2510             : }
    2511             : 
    2512           0 : void rmap_walk(struct folio *folio, struct rmap_walk_control *rwc)
    2513             : {
                               /*
                                * Dispatch the walk by folio type: KSM, anonymous, or file-backed.
                                * The anon and file walkers are called with locked == false, so
                                * they take and release the rmap lock themselves.
                                */
    2514           0 :         if (unlikely(folio_test_ksm(folio)))
    2515             :                 rmap_walk_ksm(folio, rwc);
    2516           0 :         else if (folio_test_anon(folio))
    2517           0 :                 rmap_walk_anon(folio, rwc, false);
    2518             :         else
    2519           0 :                 rmap_walk_file(folio, rwc, false);
    2520           0 : }
    2521             : 
    2522             : /* Like rmap_walk, but caller holds relevant rmap lock */
    2523           0 : void rmap_walk_locked(struct folio *folio, struct rmap_walk_control *rwc)
    2524             : {
    2525             :         /* no ksm support for now */
    2526             :         VM_BUG_ON_FOLIO(folio_test_ksm(folio), folio);
                               /* locked == true: the walkers neither take nor release the rmap lock. */
    2527           0 :         if (folio_test_anon(folio))
    2528           0 :                 rmap_walk_anon(folio, rwc, true);
    2529             :         else
    2530           0 :                 rmap_walk_file(folio, rwc, true);
    2531           0 : }
    2532             : 
    2533             : #ifdef CONFIG_HUGETLB_PAGE
    2534             : /*
    2535             :  * The following two functions are for anonymous (private mapped) hugepages.
    2536             :  * Unlike common anonymous pages, anonymous hugepages have no accounting code
    2537             :  * and no lru code, because we handle hugepages differently from common pages.
    2538             :  *
    2539             :  * RMAP_COMPOUND is ignored.
    2540             :  */
    2541             : void hugepage_add_anon_rmap(struct page *page, struct vm_area_struct *vma,
    2542             :                             unsigned long address, rmap_t flags)
    2543             : {
                               /*
                                * Account one more mapping of an anonymous hugepage. The folio must
                                * be locked and @vma must already have an anon_vma; both are hard
                                * BUG_ON() checks. The anon rmap is set up only for the first
                                * mapping of the folio.
                                */
    2544             :         struct folio *folio = page_folio(page);
    2545             :         struct anon_vma *anon_vma = vma->anon_vma;
    2546             :         int first;
    2547             : 
    2548             :         BUG_ON(!folio_test_locked(folio));
    2549             :         BUG_ON(!anon_vma);
    2550             :         /* address might be in next vma when migration races vma_merge */
    2551             :         first = atomic_inc_and_test(&folio->_entire_mapcount);
                               /*
                                * A mapping that is not the first must not be requested as
                                * exclusive, and the page must not already be marked exclusive.
                                */
    2552             :         VM_BUG_ON_PAGE(!first && (flags & RMAP_EXCLUSIVE), page);
    2553             :         VM_BUG_ON_PAGE(!first && PageAnonExclusive(page), page);
    2554             :         if (first)
    2555             :                 __page_set_anon_rmap(folio, page, vma, address,
    2556             :                                      !!(flags & RMAP_EXCLUSIVE));
    2557             : }
    2558             : 
    2559             : void hugepage_add_new_anon_rmap(struct folio *folio,
    2560             :                         struct vm_area_struct *vma, unsigned long address)
    2561             : {
                               /*
                                * Set up the anon rmap for a hugepage folio that has no mapping yet.
                                * @address must lie inside @vma, which is enforced with BUG_ON().
                                */
    2562             :         BUG_ON(address < vma->vm_start || address >= vma->vm_end);
    2563             :         /* increment count (starts at -1) */
    2564             :         atomic_set(&folio->_entire_mapcount, 0);
    2565             :         folio_clear_hugetlb_restore_reserve(folio);
                               /*
                                * The final argument 1 sits where hugepage_add_anon_rmap() passes
                                * its RMAP_EXCLUSIVE bit, so the new mapping is presumably set up
                                * as exclusive (confirm against __page_set_anon_rmap()).
                                */
    2566             :         __page_set_anon_rmap(folio, &folio->page, vma, address, 1);
    2567             : }
    2568             : #endif /* CONFIG_HUGETLB_PAGE */
