2022-02-16 15:31:38 +11:00
// SPDX-License-Identifier: GPL-2.0
/*
* Device Memory Migration functionality .
*
* Originally written by Jérôme Glisse .
*/
# include <linux/export.h>
# include <linux/memremap.h>
# include <linux/migrate.h>
2022-09-02 10:35:53 +10:00
# include <linux/mm.h>
2022-02-16 15:31:38 +11:00
# include <linux/mm_inline.h>
# include <linux/mmu_notifier.h>
# include <linux/oom.h>
# include <linux/pagewalk.h>
# include <linux/rmap.h>
# include <linux/swapops.h>
# include <asm/tlbflush.h>
# include "internal.h"
static int migrate_vma_collect_skip ( unsigned long start ,
unsigned long end ,
struct mm_walk * walk )
{
struct migrate_vma * migrate = walk - > private ;
unsigned long addr ;
for ( addr = start ; addr < end ; addr + = PAGE_SIZE ) {
migrate - > dst [ migrate - > npages ] = 0 ;
migrate - > src [ migrate - > npages + + ] = 0 ;
}
return 0 ;
}
static int migrate_vma_collect_hole ( unsigned long start ,
unsigned long end ,
__always_unused int depth ,
struct mm_walk * walk )
{
struct migrate_vma * migrate = walk - > private ;
unsigned long addr ;
/* Only allow populating anonymous memory. */
if ( ! vma_is_anonymous ( walk - > vma ) )
return migrate_vma_collect_skip ( start , end , walk ) ;
for ( addr = start ; addr < end ; addr + = PAGE_SIZE ) {
migrate - > src [ migrate - > npages ] = MIGRATE_PFN_MIGRATE ;
migrate - > dst [ migrate - > npages ] = 0 ;
migrate - > npages + + ;
migrate - > cpages + + ;
}
return 0 ;
}
static int migrate_vma_collect_pmd ( pmd_t * pmdp ,
unsigned long start ,
unsigned long end ,
struct mm_walk * walk )
{
struct migrate_vma * migrate = walk - > private ;
struct vm_area_struct * vma = walk - > vma ;
struct mm_struct * mm = vma - > vm_mm ;
unsigned long addr = start , unmapped = 0 ;
spinlock_t * ptl ;
pte_t * ptep ;
again :
if ( pmd_none ( * pmdp ) )
return migrate_vma_collect_hole ( start , end , - 1 , walk ) ;
if ( pmd_trans_huge ( * pmdp ) ) {
struct page * page ;
ptl = pmd_lock ( mm , pmdp ) ;
if ( unlikely ( ! pmd_trans_huge ( * pmdp ) ) ) {
spin_unlock ( ptl ) ;
goto again ;
}
page = pmd_page ( * pmdp ) ;
if ( is_huge_zero_page ( page ) ) {
spin_unlock ( ptl ) ;
split_huge_pmd ( vma , pmdp , addr ) ;
} else {
int ret ;
get_page ( page ) ;
spin_unlock ( ptl ) ;
if ( unlikely ( ! trylock_page ( page ) ) )
return migrate_vma_collect_skip ( start , end ,
walk ) ;
ret = split_huge_page ( page ) ;
unlock_page ( page ) ;
put_page ( page ) ;
if ( ret )
return migrate_vma_collect_skip ( start , end ,
walk ) ;
}
}
ptep = pte_offset_map_lock ( mm , pmdp , addr , & ptl ) ;
2023-06-08 18:38:17 -07:00
if ( ! ptep )
goto again ;
2022-02-16 15:31:38 +11:00
arch_enter_lazy_mmu_mode ( ) ;
for ( ; addr < end ; addr + = PAGE_SIZE , ptep + + ) {
unsigned long mpfn = 0 , pfn ;
struct page * page ;
swp_entry_t entry ;
pte_t pte ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
pte = ptep_get ( ptep ) ;
2022-02-16 15:31:38 +11:00
if ( pte_none ( pte ) ) {
if ( vma_is_anonymous ( vma ) ) {
mpfn = MIGRATE_PFN_MIGRATE ;
migrate - > cpages + + ;
}
goto next ;
}
if ( ! pte_present ( pte ) ) {
/*
* Only care about unaddressable device page special
* page table entry . Other special swap entries are not
* migratable , and we ignore regular swapped page .
*/
entry = pte_to_swp_entry ( pte ) ;
if ( ! is_device_private_entry ( entry ) )
goto next ;
page = pfn_swap_entry_to_page ( entry ) ;
if ( ! ( migrate - > flags &
MIGRATE_VMA_SELECT_DEVICE_PRIVATE ) | |
page - > pgmap - > owner ! = migrate - > pgmap_owner )
goto next ;
mpfn = migrate_pfn ( page_to_pfn ( page ) ) |
MIGRATE_PFN_MIGRATE ;
if ( is_writable_device_private_entry ( entry ) )
mpfn | = MIGRATE_PFN_WRITE ;
} else {
pfn = pte_pfn ( pte ) ;
2022-07-15 10:05:12 -05:00
if ( is_zero_pfn ( pfn ) & &
( migrate - > flags & MIGRATE_VMA_SELECT_SYSTEM ) ) {
2022-02-16 15:31:38 +11:00
mpfn = MIGRATE_PFN_MIGRATE ;
migrate - > cpages + + ;
goto next ;
}
page = vm_normal_page ( migrate - > vma , addr , pte ) ;
2022-07-15 10:05:12 -05:00
if ( page & & ! is_zone_device_page ( page ) & &
! ( migrate - > flags & MIGRATE_VMA_SELECT_SYSTEM ) )
goto next ;
else if ( page & & is_device_coherent_page ( page ) & &
( ! ( migrate - > flags & MIGRATE_VMA_SELECT_DEVICE_COHERENT ) | |
page - > pgmap - > owner ! = migrate - > pgmap_owner ) )
goto next ;
2022-02-16 15:31:38 +11:00
mpfn = migrate_pfn ( pfn ) | MIGRATE_PFN_MIGRATE ;
mpfn | = pte_write ( pte ) ? MIGRATE_PFN_WRITE : 0 ;
}
/* FIXME support THP */
if ( ! page | | ! page - > mapping | | PageTransCompound ( page ) ) {
mpfn = 0 ;
goto next ;
}
/*
* By getting a reference on the page we pin it and that blocks
* any kind of migration . Side effect is that it " freezes " the
* pte .
*
* We drop this reference after isolating the page from the lru
* for non device page ( device page are not on the lru and thus
* can ' t be dropped from it ) .
*/
get_page ( page ) ;
/*
2022-08-30 12:01:38 +10:00
* We rely on trylock_page ( ) to avoid deadlock between
* concurrent migrations where each is waiting on the others
* page lock . If we can ' t immediately lock the page we fail this
* migration as it is only best effort anyway .
*
* If we can lock the page it ' s safe to set up a migration entry
* now . In the common case where the page is mapped once in a
* single process setting up the migration entry now is an
* optimisation to avoid walking the rmap later with
* try_to_migrate ( ) .
2022-02-16 15:31:38 +11:00
*/
if ( trylock_page ( page ) ) {
mm: remember exclusively mapped anonymous pages with PG_anon_exclusive
Let's mark exclusively mapped anonymous pages with PG_anon_exclusive as
exclusive, and use that information to make GUP pins reliable and stay
consistent with the page mapped into the page table even if the page table
entry gets write-protected.
With that information at hand, we can extend our COW logic to always reuse
anonymous pages that are exclusive. For anonymous pages that might be
shared, the existing logic applies.
As already documented, PG_anon_exclusive is usually only expressive in
combination with a page table entry. Especially PTE vs. PMD-mapped
anonymous pages require more thought, some examples: due to mremap() we
can easily have a single compound page PTE-mapped into multiple page
tables exclusively in a single process -- multiple page table locks apply.
Further, due to MADV_WIPEONFORK we might not necessarily write-protect
all PTEs, and only some subpages might be pinned. Long story short: once
PTE-mapped, we have to track information about exclusivity per sub-page,
but until then, we can just track it for the compound page in the head
page and not having to update a whole bunch of subpages all of the time
for a simple PMD mapping of a THP.
For simplicity, this commit mostly talks about "anonymous pages", while
it's for THP actually "the part of an anonymous folio referenced via a
page table entry".
To not spill PG_anon_exclusive code all over the mm code-base, we let the
anon rmap code to handle all PG_anon_exclusive logic it can easily handle.
If a writable, present page table entry points at an anonymous (sub)page,
that (sub)page must be PG_anon_exclusive. If GUP wants to take a reliably
pin (FOLL_PIN) on an anonymous page references via a present page table
entry, it must only pin if PG_anon_exclusive is set for the mapped
(sub)page.
This commit doesn't adjust GUP, so this is only implicitly handled for
FOLL_WRITE, follow-up commits will teach GUP to also respect it for
FOLL_PIN without FOLL_WRITE, to make all GUP pins of anonymous pages fully
reliable.
Whenever an anonymous page is to be shared (fork(), KSM), or when
temporarily unmapping an anonymous page (swap, migration), the relevant
PG_anon_exclusive bit has to be cleared to mark the anonymous page
possibly shared. Clearing will fail if there are GUP pins on the page:
* For fork(), this means having to copy the page and not being able to
share it. fork() protects against concurrent GUP using the PT lock and
the src_mm->write_protect_seq.
* For KSM, this means sharing will fail. For swap this means, unmapping
will fail, For migration this means, migration will fail early. All
three cases protect against concurrent GUP using the PT lock and a
proper clear/invalidate+flush of the relevant page table entry.
This fixes memory corruptions reported for FOLL_PIN | FOLL_WRITE, when a
pinned page gets mapped R/O and the successive write fault ends up
replacing the page instead of reusing it. It improves the situation for
O_DIRECT/vmsplice/... that still use FOLL_GET instead of FOLL_PIN, if
fork() is *not* involved, however swapout and fork() are still
problematic. Properly using FOLL_PIN instead of FOLL_GET for these GUP
users will fix the issue for them.
I. Details about basic handling
I.1. Fresh anonymous pages
page_add_new_anon_rmap() and hugepage_add_new_anon_rmap() will mark the
given page exclusive via __page_set_anon_rmap(exclusive=1). As that is
the mechanism fresh anonymous pages come into life (besides migration code
where we copy the page->mapping), all fresh anonymous pages will start out
as exclusive.
I.2. COW reuse handling of anonymous pages
When a COW handler stumbles over a (sub)page that's marked exclusive, it
simply reuses it. Otherwise, the handler tries harder under page lock to
detect if the (sub)page is exclusive and can be reused. If exclusive,
page_move_anon_rmap() will mark the given (sub)page exclusive.
Note that hugetlb code does not yet check for PageAnonExclusive(), as it
still uses the old COW logic that is prone to the COW security issue
because hugetlb code cannot really tolerate unnecessary/wrong COW as huge
pages are a scarce resource.
I.3. Migration handling
try_to_migrate() has to try marking an exclusive anonymous page shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. migrate_vma_collect_pmd() and
__split_huge_pmd_locked() are handled similarly.
Writable migration entries implicitly point at shared anonymous pages.
For readable migration entries that information is stored via a new
"readable-exclusive" migration entry, specific to anonymous pages.
When restoring a migration entry in remove_migration_pte(), information
about exlusivity is detected via the migration entry type, and
RMAP_EXCLUSIVE is set accordingly for
page_add_anon_rmap()/hugepage_add_anon_rmap() to restore that information.
I.4. Swapout handling
try_to_unmap() has to try marking the mapped page possibly shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. For now, information about exclusivity is lost. In
the future, we might want to remember that information in the swap entry
in some cases, however, it requires more thought, care, and a way to store
that information in swap entries.
I.5. Swapin handling
do_swap_page() will never stumble over exclusive anonymous pages in the
swap cache, as try_to_migrate() prohibits that. do_swap_page() always has
to detect manually if an anonymous page is exclusive and has to set
RMAP_EXCLUSIVE for page_add_anon_rmap() accordingly.
I.6. THP handling
__split_huge_pmd_locked() has to move the information about exclusivity
from the PMD to the PTEs.
a) In case we have a readable-exclusive PMD migration entry, simply
insert readable-exclusive PTE migration entries.
b) In case we have a present PMD entry and we don't want to freeze
("convert to migration entries"), simply forward PG_anon_exclusive to
all sub-pages, no need to temporarily clear the bit.
c) In case we have a present PMD entry and want to freeze, handle it
similar to try_to_migrate(): try marking the page shared first. In
case we fail, we ignore the "freeze" instruction and simply split
ordinarily. try_to_migrate() will properly fail because the THP is
still mapped via PTEs.
When splitting a compound anonymous folio (THP), the information about
exclusivity is implicitly handled via the migration entries: no need to
replicate PG_anon_exclusive manually.
I.7. fork() handling fork() handling is relatively easy, because
PG_anon_exclusive is only expressive for some page table entry types.
a) Present anonymous pages
page_try_dup_anon_rmap() will mark the given subpage shared -- which will
fail if the page is pinned. If it failed, we have to copy (or PTE-map a
PMD to handle it on the PTE level).
Note that device exclusive entries are just a pointer at a PageAnon()
page. fork() will first convert a device exclusive entry to a present
page table and handle it just like present anonymous pages.
b) Device private entry
Device private entries point at PageAnon() pages that cannot be mapped
directly and, therefore, cannot get pinned.
page_try_dup_anon_rmap() will mark the given subpage shared, which cannot
fail because they cannot get pinned.
c) HW poison entries
PG_anon_exclusive will remain untouched and is stale -- the page table
entry is just a placeholder after all.
d) Migration entries
Writable and readable-exclusive entries are converted to readable entries:
possibly shared.
I.8. mprotect() handling
mprotect() only has to properly handle the new readable-exclusive
migration entry:
When write-protecting a migration entry that points at an anonymous page,
remember the information about exclusivity via the "readable-exclusive"
migration entry type.
II. Migration and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a migration entry, we have to mark the page possibly
shared and synchronize against GUP-fast by a proper clear/invalidate+flush
to make the following scenario impossible:
1. try_to_migrate() places a migration entry after checking for GUP pins
and marks the page possibly shared.
2. GUP-fast pins the page due to lack of synchronization
3. fork() converts the "writable/readable-exclusive" migration entry into a
readable migration entry
4. Migration fails due to the GUP pin (failing to freeze the refcount)
5. Migration entries are restored. PG_anon_exclusive is lost
-> We have a pinned page that is not marked exclusive anymore.
Note that we move information about exclusivity from the page to the
migration entry as it otherwise highly overcomplicates fork() and
PTE-mapping a THP.
III. Swapout and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a swap entry, we have to mark the page possibly shared
and synchronize against GUP-fast by a proper clear/invalidate+flush to
make the following scenario impossible:
1. try_to_unmap() places a swap entry after checking for GUP pins and
clears exclusivity information on the page.
2. GUP-fast pins the page due to lack of synchronization.
-> We have a pinned page that is not marked exclusive anymore.
If we'd ever store information about exclusivity in the swap entry,
similar to migration handling, the same considerations as in II would
apply. This is future work.
Link: https://lkml.kernel.org/r/20220428083441.37290-13-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-05-09 18:20:44 -07:00
bool anon_exclusive ;
2022-02-16 15:31:38 +11:00
pte_t swp_pte ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
flush_cache_page ( vma , addr , pte_pfn ( pte ) ) ;
mm: remember exclusively mapped anonymous pages with PG_anon_exclusive
Let's mark exclusively mapped anonymous pages with PG_anon_exclusive as
exclusive, and use that information to make GUP pins reliable and stay
consistent with the page mapped into the page table even if the page table
entry gets write-protected.
With that information at hand, we can extend our COW logic to always reuse
anonymous pages that are exclusive. For anonymous pages that might be
shared, the existing logic applies.
As already documented, PG_anon_exclusive is usually only expressive in
combination with a page table entry. Especially PTE vs. PMD-mapped
anonymous pages require more thought, some examples: due to mremap() we
can easily have a single compound page PTE-mapped into multiple page
tables exclusively in a single process -- multiple page table locks apply.
Further, due to MADV_WIPEONFORK we might not necessarily write-protect
all PTEs, and only some subpages might be pinned. Long story short: once
PTE-mapped, we have to track information about exclusivity per sub-page,
but until then, we can just track it for the compound page in the head
page and not having to update a whole bunch of subpages all of the time
for a simple PMD mapping of a THP.
For simplicity, this commit mostly talks about "anonymous pages", while
it's for THP actually "the part of an anonymous folio referenced via a
page table entry".
To not spill PG_anon_exclusive code all over the mm code-base, we let the
anon rmap code to handle all PG_anon_exclusive logic it can easily handle.
If a writable, present page table entry points at an anonymous (sub)page,
that (sub)page must be PG_anon_exclusive. If GUP wants to take a reliably
pin (FOLL_PIN) on an anonymous page references via a present page table
entry, it must only pin if PG_anon_exclusive is set for the mapped
(sub)page.
This commit doesn't adjust GUP, so this is only implicitly handled for
FOLL_WRITE, follow-up commits will teach GUP to also respect it for
FOLL_PIN without FOLL_WRITE, to make all GUP pins of anonymous pages fully
reliable.
Whenever an anonymous page is to be shared (fork(), KSM), or when
temporarily unmapping an anonymous page (swap, migration), the relevant
PG_anon_exclusive bit has to be cleared to mark the anonymous page
possibly shared. Clearing will fail if there are GUP pins on the page:
* For fork(), this means having to copy the page and not being able to
share it. fork() protects against concurrent GUP using the PT lock and
the src_mm->write_protect_seq.
* For KSM, this means sharing will fail. For swap this means, unmapping
will fail, For migration this means, migration will fail early. All
three cases protect against concurrent GUP using the PT lock and a
proper clear/invalidate+flush of the relevant page table entry.
This fixes memory corruptions reported for FOLL_PIN | FOLL_WRITE, when a
pinned page gets mapped R/O and the successive write fault ends up
replacing the page instead of reusing it. It improves the situation for
O_DIRECT/vmsplice/... that still use FOLL_GET instead of FOLL_PIN, if
fork() is *not* involved, however swapout and fork() are still
problematic. Properly using FOLL_PIN instead of FOLL_GET for these GUP
users will fix the issue for them.
I. Details about basic handling
I.1. Fresh anonymous pages
page_add_new_anon_rmap() and hugepage_add_new_anon_rmap() will mark the
given page exclusive via __page_set_anon_rmap(exclusive=1). As that is
the mechanism fresh anonymous pages come into life (besides migration code
where we copy the page->mapping), all fresh anonymous pages will start out
as exclusive.
I.2. COW reuse handling of anonymous pages
When a COW handler stumbles over a (sub)page that's marked exclusive, it
simply reuses it. Otherwise, the handler tries harder under page lock to
detect if the (sub)page is exclusive and can be reused. If exclusive,
page_move_anon_rmap() will mark the given (sub)page exclusive.
Note that hugetlb code does not yet check for PageAnonExclusive(), as it
still uses the old COW logic that is prone to the COW security issue
because hugetlb code cannot really tolerate unnecessary/wrong COW as huge
pages are a scarce resource.
I.3. Migration handling
try_to_migrate() has to try marking an exclusive anonymous page shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. migrate_vma_collect_pmd() and
__split_huge_pmd_locked() are handled similarly.
Writable migration entries implicitly point at shared anonymous pages.
For readable migration entries that information is stored via a new
"readable-exclusive" migration entry, specific to anonymous pages.
When restoring a migration entry in remove_migration_pte(), information
about exlusivity is detected via the migration entry type, and
RMAP_EXCLUSIVE is set accordingly for
page_add_anon_rmap()/hugepage_add_anon_rmap() to restore that information.
I.4. Swapout handling
try_to_unmap() has to try marking the mapped page possibly shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. For now, information about exclusivity is lost. In
the future, we might want to remember that information in the swap entry
in some cases, however, it requires more thought, care, and a way to store
that information in swap entries.
I.5. Swapin handling
do_swap_page() will never stumble over exclusive anonymous pages in the
swap cache, as try_to_migrate() prohibits that. do_swap_page() always has
to detect manually if an anonymous page is exclusive and has to set
RMAP_EXCLUSIVE for page_add_anon_rmap() accordingly.
I.6. THP handling
__split_huge_pmd_locked() has to move the information about exclusivity
from the PMD to the PTEs.
a) In case we have a readable-exclusive PMD migration entry, simply
insert readable-exclusive PTE migration entries.
b) In case we have a present PMD entry and we don't want to freeze
("convert to migration entries"), simply forward PG_anon_exclusive to
all sub-pages, no need to temporarily clear the bit.
c) In case we have a present PMD entry and want to freeze, handle it
similar to try_to_migrate(): try marking the page shared first. In
case we fail, we ignore the "freeze" instruction and simply split
ordinarily. try_to_migrate() will properly fail because the THP is
still mapped via PTEs.
When splitting a compound anonymous folio (THP), the information about
exclusivity is implicitly handled via the migration entries: no need to
replicate PG_anon_exclusive manually.
I.7. fork() handling fork() handling is relatively easy, because
PG_anon_exclusive is only expressive for some page table entry types.
a) Present anonymous pages
page_try_dup_anon_rmap() will mark the given subpage shared -- which will
fail if the page is pinned. If it failed, we have to copy (or PTE-map a
PMD to handle it on the PTE level).
Note that device exclusive entries are just a pointer at a PageAnon()
page. fork() will first convert a device exclusive entry to a present
page table and handle it just like present anonymous pages.
b) Device private entry
Device private entries point at PageAnon() pages that cannot be mapped
directly and, therefore, cannot get pinned.
page_try_dup_anon_rmap() will mark the given subpage shared, which cannot
fail because they cannot get pinned.
c) HW poison entries
PG_anon_exclusive will remain untouched and is stale -- the page table
entry is just a placeholder after all.
d) Migration entries
Writable and readable-exclusive entries are converted to readable entries:
possibly shared.
I.8. mprotect() handling
mprotect() only has to properly handle the new readable-exclusive
migration entry:
When write-protecting a migration entry that points at an anonymous page,
remember the information about exclusivity via the "readable-exclusive"
migration entry type.
II. Migration and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a migration entry, we have to mark the page possibly
shared and synchronize against GUP-fast by a proper clear/invalidate+flush
to make the following scenario impossible:
1. try_to_migrate() places a migration entry after checking for GUP pins
and marks the page possibly shared.
2. GUP-fast pins the page due to lack of synchronization
3. fork() converts the "writable/readable-exclusive" migration entry into a
readable migration entry
4. Migration fails due to the GUP pin (failing to freeze the refcount)
5. Migration entries are restored. PG_anon_exclusive is lost
-> We have a pinned page that is not marked exclusive anymore.
Note that we move information about exclusivity from the page to the
migration entry as it otherwise highly overcomplicates fork() and
PTE-mapping a THP.
III. Swapout and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a swap entry, we have to mark the page possibly shared
and synchronize against GUP-fast by a proper clear/invalidate+flush to
make the following scenario impossible:
1. try_to_unmap() places a swap entry after checking for GUP pins and
clears exclusivity information on the page.
2. GUP-fast pins the page due to lack of synchronization.
-> We have a pinned page that is not marked exclusive anymore.
If we'd ever store information about exclusivity in the swap entry,
similar to migration handling, the same considerations as in II would
apply. This is future work.
Link: https://lkml.kernel.org/r/20220428083441.37290-13-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-05-09 18:20:44 -07:00
anon_exclusive = PageAnon ( page ) & & PageAnonExclusive ( page ) ;
if ( anon_exclusive ) {
2022-09-02 10:35:53 +10:00
pte = ptep_clear_flush ( vma , addr , ptep ) ;
mm: remember exclusively mapped anonymous pages with PG_anon_exclusive
Let's mark exclusively mapped anonymous pages with PG_anon_exclusive as
exclusive, and use that information to make GUP pins reliable and stay
consistent with the page mapped into the page table even if the page table
entry gets write-protected.
With that information at hand, we can extend our COW logic to always reuse
anonymous pages that are exclusive. For anonymous pages that might be
shared, the existing logic applies.
As already documented, PG_anon_exclusive is usually only expressive in
combination with a page table entry. Especially PTE vs. PMD-mapped
anonymous pages require more thought, some examples: due to mremap() we
can easily have a single compound page PTE-mapped into multiple page
tables exclusively in a single process -- multiple page table locks apply.
Further, due to MADV_WIPEONFORK we might not necessarily write-protect
all PTEs, and only some subpages might be pinned. Long story short: once
PTE-mapped, we have to track information about exclusivity per sub-page,
but until then, we can just track it for the compound page in the head
page and not having to update a whole bunch of subpages all of the time
for a simple PMD mapping of a THP.
For simplicity, this commit mostly talks about "anonymous pages", while
it's for THP actually "the part of an anonymous folio referenced via a
page table entry".
To not spill PG_anon_exclusive code all over the mm code-base, we let the
anon rmap code to handle all PG_anon_exclusive logic it can easily handle.
If a writable, present page table entry points at an anonymous (sub)page,
that (sub)page must be PG_anon_exclusive. If GUP wants to take a reliably
pin (FOLL_PIN) on an anonymous page references via a present page table
entry, it must only pin if PG_anon_exclusive is set for the mapped
(sub)page.
This commit doesn't adjust GUP, so this is only implicitly handled for
FOLL_WRITE, follow-up commits will teach GUP to also respect it for
FOLL_PIN without FOLL_WRITE, to make all GUP pins of anonymous pages fully
reliable.
Whenever an anonymous page is to be shared (fork(), KSM), or when
temporarily unmapping an anonymous page (swap, migration), the relevant
PG_anon_exclusive bit has to be cleared to mark the anonymous page
possibly shared. Clearing will fail if there are GUP pins on the page:
* For fork(), this means having to copy the page and not being able to
share it. fork() protects against concurrent GUP using the PT lock and
the src_mm->write_protect_seq.
* For KSM, this means sharing will fail. For swap this means, unmapping
will fail, For migration this means, migration will fail early. All
three cases protect against concurrent GUP using the PT lock and a
proper clear/invalidate+flush of the relevant page table entry.
This fixes memory corruptions reported for FOLL_PIN | FOLL_WRITE, when a
pinned page gets mapped R/O and the successive write fault ends up
replacing the page instead of reusing it. It improves the situation for
O_DIRECT/vmsplice/... that still use FOLL_GET instead of FOLL_PIN, if
fork() is *not* involved, however swapout and fork() are still
problematic. Properly using FOLL_PIN instead of FOLL_GET for these GUP
users will fix the issue for them.
I. Details about basic handling
I.1. Fresh anonymous pages
page_add_new_anon_rmap() and hugepage_add_new_anon_rmap() will mark the
given page exclusive via __page_set_anon_rmap(exclusive=1). As that is
the mechanism fresh anonymous pages come into life (besides migration code
where we copy the page->mapping), all fresh anonymous pages will start out
as exclusive.
I.2. COW reuse handling of anonymous pages
When a COW handler stumbles over a (sub)page that's marked exclusive, it
simply reuses it. Otherwise, the handler tries harder under page lock to
detect if the (sub)page is exclusive and can be reused. If exclusive,
page_move_anon_rmap() will mark the given (sub)page exclusive.
Note that hugetlb code does not yet check for PageAnonExclusive(), as it
still uses the old COW logic that is prone to the COW security issue
because hugetlb code cannot really tolerate unnecessary/wrong COW as huge
pages are a scarce resource.
I.3. Migration handling
try_to_migrate() has to try marking an exclusive anonymous page shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. migrate_vma_collect_pmd() and
__split_huge_pmd_locked() are handled similarly.
Writable migration entries implicitly point at shared anonymous pages.
For readable migration entries that information is stored via a new
"readable-exclusive" migration entry, specific to anonymous pages.
When restoring a migration entry in remove_migration_pte(), information
about exlusivity is detected via the migration entry type, and
RMAP_EXCLUSIVE is set accordingly for
page_add_anon_rmap()/hugepage_add_anon_rmap() to restore that information.
I.4. Swapout handling
try_to_unmap() has to try marking the mapped page possibly shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. For now, information about exclusivity is lost. In
the future, we might want to remember that information in the swap entry
in some cases, however, it requires more thought, care, and a way to store
that information in swap entries.
I.5. Swapin handling
do_swap_page() will never stumble over exclusive anonymous pages in the
swap cache, as try_to_migrate() prohibits that. do_swap_page() always has
to detect manually if an anonymous page is exclusive and has to set
RMAP_EXCLUSIVE for page_add_anon_rmap() accordingly.
I.6. THP handling
__split_huge_pmd_locked() has to move the information about exclusivity
from the PMD to the PTEs.
a) In case we have a readable-exclusive PMD migration entry, simply
insert readable-exclusive PTE migration entries.
b) In case we have a present PMD entry and we don't want to freeze
("convert to migration entries"), simply forward PG_anon_exclusive to
all sub-pages, no need to temporarily clear the bit.
c) In case we have a present PMD entry and want to freeze, handle it
similar to try_to_migrate(): try marking the page shared first. In
case we fail, we ignore the "freeze" instruction and simply split
ordinarily. try_to_migrate() will properly fail because the THP is
still mapped via PTEs.
When splitting a compound anonymous folio (THP), the information about
exclusivity is implicitly handled via the migration entries: no need to
replicate PG_anon_exclusive manually.
I.7. fork() handling fork() handling is relatively easy, because
PG_anon_exclusive is only expressive for some page table entry types.
a) Present anonymous pages
page_try_dup_anon_rmap() will mark the given subpage shared -- which will
fail if the page is pinned. If it failed, we have to copy (or PTE-map a
PMD to handle it on the PTE level).
Note that device exclusive entries are just a pointer at a PageAnon()
page. fork() will first convert a device exclusive entry to a present
page table and handle it just like present anonymous pages.
b) Device private entry
Device private entries point at PageAnon() pages that cannot be mapped
directly and, therefore, cannot get pinned.
page_try_dup_anon_rmap() will mark the given subpage shared, which cannot
fail because they cannot get pinned.
c) HW poison entries
PG_anon_exclusive will remain untouched and is stale -- the page table
entry is just a placeholder after all.
d) Migration entries
Writable and readable-exclusive entries are converted to readable entries:
possibly shared.
I.8. mprotect() handling
mprotect() only has to properly handle the new readable-exclusive
migration entry:
When write-protecting a migration entry that points at an anonymous page,
remember the information about exclusivity via the "readable-exclusive"
migration entry type.
II. Migration and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a migration entry, we have to mark the page possibly
shared and synchronize against GUP-fast by a proper clear/invalidate+flush
to make the following scenario impossible:
1. try_to_migrate() places a migration entry after checking for GUP pins
and marks the page possibly shared.
2. GUP-fast pins the page due to lack of synchronization
3. fork() converts the "writable/readable-exclusive" migration entry into a
readable migration entry
4. Migration fails due to the GUP pin (failing to freeze the refcount)
5. Migration entries are restored. PG_anon_exclusive is lost
-> We have a pinned page that is not marked exclusive anymore.
Note that we move information about exclusivity from the page to the
migration entry as it otherwise highly overcomplicates fork() and
PTE-mapping a THP.
III. Swapout and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a swap entry, we have to mark the page possibly shared
and synchronize against GUP-fast by a proper clear/invalidate+flush to
make the following scenario impossible:
1. try_to_unmap() places a swap entry after checking for GUP pins and
clears exclusivity information on the page.
2. GUP-fast pins the page due to lack of synchronization.
-> We have a pinned page that is not marked exclusive anymore.
If we'd ever store information about exclusivity in the swap entry,
similar to migration handling, the same considerations as in II would
apply. This is future work.
Link: https://lkml.kernel.org/r/20220428083441.37290-13-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-05-09 18:20:44 -07:00
if ( page_try_share_anon_rmap ( page ) ) {
set_pte_at ( mm , addr , ptep , pte ) ;
unlock_page ( page ) ;
put_page ( page ) ;
mpfn = 0 ;
goto next ;
}
} else {
2022-09-02 10:35:53 +10:00
pte = ptep_get_and_clear ( mm , addr , ptep ) ;
mm: remember exclusively mapped anonymous pages with PG_anon_exclusive
Let's mark exclusively mapped anonymous pages with PG_anon_exclusive as
exclusive, and use that information to make GUP pins reliable and stay
consistent with the page mapped into the page table even if the page table
entry gets write-protected.
With that information at hand, we can extend our COW logic to always reuse
anonymous pages that are exclusive. For anonymous pages that might be
shared, the existing logic applies.
As already documented, PG_anon_exclusive is usually only expressive in
combination with a page table entry. Especially PTE vs. PMD-mapped
anonymous pages require more thought, some examples: due to mremap() we
can easily have a single compound page PTE-mapped into multiple page
tables exclusively in a single process -- multiple page table locks apply.
Further, due to MADV_WIPEONFORK we might not necessarily write-protect
all PTEs, and only some subpages might be pinned. Long story short: once
PTE-mapped, we have to track information about exclusivity per sub-page,
but until then, we can just track it for the compound page in the head
page and not having to update a whole bunch of subpages all of the time
for a simple PMD mapping of a THP.
For simplicity, this commit mostly talks about "anonymous pages", while
it's for THP actually "the part of an anonymous folio referenced via a
page table entry".
To not spill PG_anon_exclusive code all over the mm code-base, we let the
anon rmap code to handle all PG_anon_exclusive logic it can easily handle.
If a writable, present page table entry points at an anonymous (sub)page,
that (sub)page must be PG_anon_exclusive. If GUP wants to take a reliably
pin (FOLL_PIN) on an anonymous page references via a present page table
entry, it must only pin if PG_anon_exclusive is set for the mapped
(sub)page.
This commit doesn't adjust GUP, so this is only implicitly handled for
FOLL_WRITE, follow-up commits will teach GUP to also respect it for
FOLL_PIN without FOLL_WRITE, to make all GUP pins of anonymous pages fully
reliable.
Whenever an anonymous page is to be shared (fork(), KSM), or when
temporarily unmapping an anonymous page (swap, migration), the relevant
PG_anon_exclusive bit has to be cleared to mark the anonymous page
possibly shared. Clearing will fail if there are GUP pins on the page:
* For fork(), this means having to copy the page and not being able to
share it. fork() protects against concurrent GUP using the PT lock and
the src_mm->write_protect_seq.
* For KSM, this means sharing will fail. For swap this means, unmapping
will fail, For migration this means, migration will fail early. All
three cases protect against concurrent GUP using the PT lock and a
proper clear/invalidate+flush of the relevant page table entry.
This fixes memory corruptions reported for FOLL_PIN | FOLL_WRITE, when a
pinned page gets mapped R/O and the successive write fault ends up
replacing the page instead of reusing it. It improves the situation for
O_DIRECT/vmsplice/... that still use FOLL_GET instead of FOLL_PIN, if
fork() is *not* involved, however swapout and fork() are still
problematic. Properly using FOLL_PIN instead of FOLL_GET for these GUP
users will fix the issue for them.
I. Details about basic handling
I.1. Fresh anonymous pages
page_add_new_anon_rmap() and hugepage_add_new_anon_rmap() will mark the
given page exclusive via __page_set_anon_rmap(exclusive=1). As that is
the mechanism fresh anonymous pages come into life (besides migration code
where we copy the page->mapping), all fresh anonymous pages will start out
as exclusive.
I.2. COW reuse handling of anonymous pages
When a COW handler stumbles over a (sub)page that's marked exclusive, it
simply reuses it. Otherwise, the handler tries harder under page lock to
detect if the (sub)page is exclusive and can be reused. If exclusive,
page_move_anon_rmap() will mark the given (sub)page exclusive.
Note that hugetlb code does not yet check for PageAnonExclusive(), as it
still uses the old COW logic that is prone to the COW security issue
because hugetlb code cannot really tolerate unnecessary/wrong COW as huge
pages are a scarce resource.
I.3. Migration handling
try_to_migrate() has to try marking an exclusive anonymous page shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. migrate_vma_collect_pmd() and
__split_huge_pmd_locked() are handled similarly.
Writable migration entries implicitly point at shared anonymous pages.
For readable migration entries that information is stored via a new
"readable-exclusive" migration entry, specific to anonymous pages.
When restoring a migration entry in remove_migration_pte(), information
about exlusivity is detected via the migration entry type, and
RMAP_EXCLUSIVE is set accordingly for
page_add_anon_rmap()/hugepage_add_anon_rmap() to restore that information.
I.4. Swapout handling
try_to_unmap() has to try marking the mapped page possibly shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. For now, information about exclusivity is lost. In
the future, we might want to remember that information in the swap entry
in some cases, however, it requires more thought, care, and a way to store
that information in swap entries.
I.5. Swapin handling
do_swap_page() will never stumble over exclusive anonymous pages in the
swap cache, as try_to_migrate() prohibits that. do_swap_page() always has
to detect manually if an anonymous page is exclusive and has to set
RMAP_EXCLUSIVE for page_add_anon_rmap() accordingly.
I.6. THP handling
__split_huge_pmd_locked() has to move the information about exclusivity
from the PMD to the PTEs.
a) In case we have a readable-exclusive PMD migration entry, simply
insert readable-exclusive PTE migration entries.
b) In case we have a present PMD entry and we don't want to freeze
("convert to migration entries"), simply forward PG_anon_exclusive to
all sub-pages, no need to temporarily clear the bit.
c) In case we have a present PMD entry and want to freeze, handle it
similar to try_to_migrate(): try marking the page shared first. In
case we fail, we ignore the "freeze" instruction and simply split
ordinarily. try_to_migrate() will properly fail because the THP is
still mapped via PTEs.
When splitting a compound anonymous folio (THP), the information about
exclusivity is implicitly handled via the migration entries: no need to
replicate PG_anon_exclusive manually.
I.7. fork() handling fork() handling is relatively easy, because
PG_anon_exclusive is only expressive for some page table entry types.
a) Present anonymous pages
page_try_dup_anon_rmap() will mark the given subpage shared -- which will
fail if the page is pinned. If it failed, we have to copy (or PTE-map a
PMD to handle it on the PTE level).
Note that device exclusive entries are just a pointer at a PageAnon()
page. fork() will first convert a device exclusive entry to a present
page table and handle it just like present anonymous pages.
b) Device private entry
Device private entries point at PageAnon() pages that cannot be mapped
directly and, therefore, cannot get pinned.
page_try_dup_anon_rmap() will mark the given subpage shared, which cannot
fail because they cannot get pinned.
c) HW poison entries
PG_anon_exclusive will remain untouched and is stale -- the page table
entry is just a placeholder after all.
d) Migration entries
Writable and readable-exclusive entries are converted to readable entries:
possibly shared.
I.8. mprotect() handling
mprotect() only has to properly handle the new readable-exclusive
migration entry:
When write-protecting a migration entry that points at an anonymous page,
remember the information about exclusivity via the "readable-exclusive"
migration entry type.
II. Migration and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a migration entry, we have to mark the page possibly
shared and synchronize against GUP-fast by a proper clear/invalidate+flush
to make the following scenario impossible:
1. try_to_migrate() places a migration entry after checking for GUP pins
and marks the page possibly shared.
2. GUP-fast pins the page due to lack of synchronization
3. fork() converts the "writable/readable-exclusive" migration entry into a
readable migration entry
4. Migration fails due to the GUP pin (failing to freeze the refcount)
5. Migration entries are restored. PG_anon_exclusive is lost
-> We have a pinned page that is not marked exclusive anymore.
Note that we move information about exclusivity from the page to the
migration entry as it otherwise highly overcomplicates fork() and
PTE-mapping a THP.
III. Swapout and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a swap entry, we have to mark the page possibly shared
and synchronize against GUP-fast by a proper clear/invalidate+flush to
make the following scenario impossible:
1. try_to_unmap() places a swap entry after checking for GUP pins and
clears exclusivity information on the page.
2. GUP-fast pins the page due to lack of synchronization.
-> We have a pinned page that is not marked exclusive anymore.
If we'd ever store information about exclusivity in the swap entry,
similar to migration handling, the same considerations as in II would
apply. This is future work.
Link: https://lkml.kernel.org/r/20220428083441.37290-13-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-05-09 18:20:44 -07:00
}
2022-02-16 15:31:38 +11:00
migrate - > cpages + + ;
2022-09-02 10:35:53 +10:00
/* Set the dirty flag on the folio now the pte is gone. */
if ( pte_dirty ( pte ) )
folio_mark_dirty ( page_folio ( page ) ) ;
2022-02-16 15:31:38 +11:00
/* Setup special migration page table entry */
if ( mpfn & MIGRATE_PFN_WRITE )
entry = make_writable_migration_entry (
page_to_pfn ( page ) ) ;
mm: remember exclusively mapped anonymous pages with PG_anon_exclusive
Let's mark exclusively mapped anonymous pages with PG_anon_exclusive as
exclusive, and use that information to make GUP pins reliable and stay
consistent with the page mapped into the page table even if the page table
entry gets write-protected.
With that information at hand, we can extend our COW logic to always reuse
anonymous pages that are exclusive. For anonymous pages that might be
shared, the existing logic applies.
As already documented, PG_anon_exclusive is usually only expressive in
combination with a page table entry. Especially PTE vs. PMD-mapped
anonymous pages require more thought, some examples: due to mremap() we
can easily have a single compound page PTE-mapped into multiple page
tables exclusively in a single process -- multiple page table locks apply.
Further, due to MADV_WIPEONFORK we might not necessarily write-protect
all PTEs, and only some subpages might be pinned. Long story short: once
PTE-mapped, we have to track information about exclusivity per sub-page,
but until then, we can just track it for the compound page in the head
page and not having to update a whole bunch of subpages all of the time
for a simple PMD mapping of a THP.
For simplicity, this commit mostly talks about "anonymous pages", while
it's for THP actually "the part of an anonymous folio referenced via a
page table entry".
To not spill PG_anon_exclusive code all over the mm code-base, we let the
anon rmap code to handle all PG_anon_exclusive logic it can easily handle.
If a writable, present page table entry points at an anonymous (sub)page,
that (sub)page must be PG_anon_exclusive. If GUP wants to take a reliably
pin (FOLL_PIN) on an anonymous page references via a present page table
entry, it must only pin if PG_anon_exclusive is set for the mapped
(sub)page.
This commit doesn't adjust GUP, so this is only implicitly handled for
FOLL_WRITE, follow-up commits will teach GUP to also respect it for
FOLL_PIN without FOLL_WRITE, to make all GUP pins of anonymous pages fully
reliable.
Whenever an anonymous page is to be shared (fork(), KSM), or when
temporarily unmapping an anonymous page (swap, migration), the relevant
PG_anon_exclusive bit has to be cleared to mark the anonymous page
possibly shared. Clearing will fail if there are GUP pins on the page:
* For fork(), this means having to copy the page and not being able to
share it. fork() protects against concurrent GUP using the PT lock and
the src_mm->write_protect_seq.
* For KSM, this means sharing will fail. For swap this means, unmapping
will fail, For migration this means, migration will fail early. All
three cases protect against concurrent GUP using the PT lock and a
proper clear/invalidate+flush of the relevant page table entry.
This fixes memory corruptions reported for FOLL_PIN | FOLL_WRITE, when a
pinned page gets mapped R/O and the successive write fault ends up
replacing the page instead of reusing it. It improves the situation for
O_DIRECT/vmsplice/... that still use FOLL_GET instead of FOLL_PIN, if
fork() is *not* involved, however swapout and fork() are still
problematic. Properly using FOLL_PIN instead of FOLL_GET for these GUP
users will fix the issue for them.
I. Details about basic handling
I.1. Fresh anonymous pages
page_add_new_anon_rmap() and hugepage_add_new_anon_rmap() will mark the
given page exclusive via __page_set_anon_rmap(exclusive=1). As that is
the mechanism fresh anonymous pages come into life (besides migration code
where we copy the page->mapping), all fresh anonymous pages will start out
as exclusive.
I.2. COW reuse handling of anonymous pages
When a COW handler stumbles over a (sub)page that's marked exclusive, it
simply reuses it. Otherwise, the handler tries harder under page lock to
detect if the (sub)page is exclusive and can be reused. If exclusive,
page_move_anon_rmap() will mark the given (sub)page exclusive.
Note that hugetlb code does not yet check for PageAnonExclusive(), as it
still uses the old COW logic that is prone to the COW security issue
because hugetlb code cannot really tolerate unnecessary/wrong COW as huge
pages are a scarce resource.
I.3. Migration handling
try_to_migrate() has to try marking an exclusive anonymous page shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. migrate_vma_collect_pmd() and
__split_huge_pmd_locked() are handled similarly.
Writable migration entries implicitly point at shared anonymous pages.
For readable migration entries that information is stored via a new
"readable-exclusive" migration entry, specific to anonymous pages.
When restoring a migration entry in remove_migration_pte(), information
about exlusivity is detected via the migration entry type, and
RMAP_EXCLUSIVE is set accordingly for
page_add_anon_rmap()/hugepage_add_anon_rmap() to restore that information.
I.4. Swapout handling
try_to_unmap() has to try marking the mapped page possibly shared via
page_try_share_anon_rmap(). If it fails because there are GUP pins on the
page, unmap fails. For now, information about exclusivity is lost. In
the future, we might want to remember that information in the swap entry
in some cases, however, it requires more thought, care, and a way to store
that information in swap entries.
I.5. Swapin handling
do_swap_page() will never stumble over exclusive anonymous pages in the
swap cache, as try_to_migrate() prohibits that. do_swap_page() always has
to detect manually if an anonymous page is exclusive and has to set
RMAP_EXCLUSIVE for page_add_anon_rmap() accordingly.
I.6. THP handling
__split_huge_pmd_locked() has to move the information about exclusivity
from the PMD to the PTEs.
a) In case we have a readable-exclusive PMD migration entry, simply
insert readable-exclusive PTE migration entries.
b) In case we have a present PMD entry and we don't want to freeze
("convert to migration entries"), simply forward PG_anon_exclusive to
all sub-pages, no need to temporarily clear the bit.
c) In case we have a present PMD entry and want to freeze, handle it
similar to try_to_migrate(): try marking the page shared first. In
case we fail, we ignore the "freeze" instruction and simply split
ordinarily. try_to_migrate() will properly fail because the THP is
still mapped via PTEs.
When splitting a compound anonymous folio (THP), the information about
exclusivity is implicitly handled via the migration entries: no need to
replicate PG_anon_exclusive manually.
I.7. fork() handling fork() handling is relatively easy, because
PG_anon_exclusive is only expressive for some page table entry types.
a) Present anonymous pages
page_try_dup_anon_rmap() will mark the given subpage shared -- which will
fail if the page is pinned. If it failed, we have to copy (or PTE-map a
PMD to handle it on the PTE level).
Note that device exclusive entries are just a pointer at a PageAnon()
page. fork() will first convert a device exclusive entry to a present
page table and handle it just like present anonymous pages.
b) Device private entry
Device private entries point at PageAnon() pages that cannot be mapped
directly and, therefore, cannot get pinned.
page_try_dup_anon_rmap() will mark the given subpage shared, which cannot
fail because they cannot get pinned.
c) HW poison entries
PG_anon_exclusive will remain untouched and is stale -- the page table
entry is just a placeholder after all.
d) Migration entries
Writable and readable-exclusive entries are converted to readable entries:
possibly shared.
I.8. mprotect() handling
mprotect() only has to properly handle the new readable-exclusive
migration entry:
When write-protecting a migration entry that points at an anonymous page,
remember the information about exclusivity via the "readable-exclusive"
migration entry type.
II. Migration and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a migration entry, we have to mark the page possibly
shared and synchronize against GUP-fast by a proper clear/invalidate+flush
to make the following scenario impossible:
1. try_to_migrate() places a migration entry after checking for GUP pins
and marks the page possibly shared.
2. GUP-fast pins the page due to lack of synchronization
3. fork() converts the "writable/readable-exclusive" migration entry into a
readable migration entry
4. Migration fails due to the GUP pin (failing to freeze the refcount)
5. Migration entries are restored. PG_anon_exclusive is lost
-> We have a pinned page that is not marked exclusive anymore.
Note that we move information about exclusivity from the page to the
migration entry as it otherwise highly overcomplicates fork() and
PTE-mapping a THP.
III. Swapout and GUP-fast
Whenever replacing a present page table entry that maps an exclusive
anonymous page by a swap entry, we have to mark the page possibly shared
and synchronize against GUP-fast by a proper clear/invalidate+flush to
make the following scenario impossible:
1. try_to_unmap() places a swap entry after checking for GUP pins and
clears exclusivity information on the page.
2. GUP-fast pins the page due to lack of synchronization.
-> We have a pinned page that is not marked exclusive anymore.
If we'd ever store information about exclusivity in the swap entry,
similar to migration handling, the same considerations as in II would
apply. This is future work.
Link: https://lkml.kernel.org/r/20220428083441.37290-13-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-05-09 18:20:44 -07:00
else if ( anon_exclusive )
entry = make_readable_exclusive_migration_entry (
page_to_pfn ( page ) ) ;
2022-02-16 15:31:38 +11:00
else
entry = make_readable_migration_entry (
page_to_pfn ( page ) ) ;
2022-08-11 12:13:29 -04:00
if ( pte_present ( pte ) ) {
if ( pte_young ( pte ) )
entry = make_migration_entry_young ( entry ) ;
if ( pte_dirty ( pte ) )
entry = make_migration_entry_dirty ( entry ) ;
}
2022-02-16 15:31:38 +11:00
swp_pte = swp_entry_to_pte ( entry ) ;
if ( pte_present ( pte ) ) {
if ( pte_soft_dirty ( pte ) )
swp_pte = pte_swp_mksoft_dirty ( swp_pte ) ;
if ( pte_uffd_wp ( pte ) )
swp_pte = pte_swp_mkuffd_wp ( swp_pte ) ;
} else {
if ( pte_swp_soft_dirty ( pte ) )
swp_pte = pte_swp_mksoft_dirty ( swp_pte ) ;
if ( pte_swp_uffd_wp ( pte ) )
swp_pte = pte_swp_mkuffd_wp ( swp_pte ) ;
}
set_pte_at ( mm , addr , ptep , swp_pte ) ;
/*
* This is like regular unmap : we remove the rmap and
* drop page refcount . Page won ' t be freed , as we took
* a reference just above .
*/
page_remove_rmap ( page , vma , false ) ;
put_page ( page ) ;
if ( pte_present ( pte ) )
unmapped + + ;
} else {
put_page ( page ) ;
mpfn = 0 ;
}
next :
migrate - > dst [ migrate - > npages ] = 0 ;
migrate - > src [ migrate - > npages + + ] = mpfn ;
}
/* Only flush the TLB if we actually modified any entries */
if ( unmapped )
flush_tlb_range ( walk - > vma , start , end ) ;
2022-09-02 10:35:51 +10:00
arch_leave_lazy_mmu_mode ( ) ;
pte_unmap_unlock ( ptep - 1 , ptl ) ;
2022-02-16 15:31:38 +11:00
return 0 ;
}
static const struct mm_walk_ops migrate_vma_walk_ops = {
. pmd_entry = migrate_vma_collect_pmd ,
. pte_hole = migrate_vma_collect_hole ,
} ;
/*
* migrate_vma_collect ( ) - collect pages over a range of virtual addresses
* @ migrate : migrate struct containing all migration information
*
* This will walk the CPU page table . For each virtual address backed by a
* valid page , it updates the src array and takes a reference on the page , in
* order to pin the page until we lock it and unmap it .
*/
static void migrate_vma_collect ( struct migrate_vma * migrate )
{
struct mmu_notifier_range range ;
/*
* Note that the pgmap_owner is passed to the mmu notifier callback so
* that the registered device driver can skip invalidating device
* private page mappings that won ' t be migrated .
*/
mmu_notifier_range_init_owner ( & range , MMU_NOTIFY_MIGRATE , 0 ,
2023-01-10 13:57:22 +11:00
migrate - > vma - > vm_mm , migrate - > start , migrate - > end ,
2022-02-16 15:31:38 +11:00
migrate - > pgmap_owner ) ;
mmu_notifier_invalidate_range_start ( & range ) ;
walk_page_range ( migrate - > vma - > vm_mm , migrate - > start , migrate - > end ,
& migrate_vma_walk_ops , migrate ) ;
mmu_notifier_invalidate_range_end ( & range ) ;
migrate - > end = migrate - > start + ( migrate - > npages < < PAGE_SHIFT ) ;
}
/*
* migrate_vma_check_page ( ) - check if page is pinned or not
* @ page : struct page to check
*
* Pinned pages cannot be migrated . This is the same test as in
* folio_migrate_mapping ( ) , except that here we allow migration of a
* ZONE_DEVICE page .
*/
2022-09-28 22:01:15 +10:00
static bool migrate_vma_check_page ( struct page * page , struct page * fault_page )
2022-02-16 15:31:38 +11:00
{
/*
* One extra ref because caller holds an extra reference , either from
* isolate_lru_page ( ) for a regular page , or migrate_vma_collect ( ) for
* a device page .
*/
2022-09-28 22:01:15 +10:00
int extra = 1 + ( page = = fault_page ) ;
2022-02-16 15:31:38 +11:00
/*
* FIXME support THP ( transparent huge page ) , it is bit more complex to
* check them than regular pages , because they can be mapped with a pmd
* or with a pte ( split pte mapping ) .
*/
if ( PageCompound ( page ) )
return false ;
/* Page from ZONE_DEVICE have one extra reference */
if ( is_zone_device_page ( page ) )
extra + + ;
/* For file back page */
if ( page_mapping ( page ) )
extra + = 1 + page_has_private ( page ) ;
if ( ( page_count ( page ) - extra ) > page_mapcount ( page ) )
return false ;
return true ;
}
/*
2022-11-11 11:51:35 +11:00
* Unmaps pages for migration . Returns number of source pfns marked as
* migrating .
2022-02-16 15:31:38 +11:00
*/
2022-09-28 22:01:18 +10:00
static unsigned long migrate_device_unmap ( unsigned long * src_pfns ,
unsigned long npages ,
struct page * fault_page )
2022-02-16 15:31:38 +11:00
{
unsigned long i , restore = 0 ;
bool allow_drain = true ;
2022-09-28 22:01:18 +10:00
unsigned long unmapped = 0 ;
2022-02-16 15:31:38 +11:00
lru_add_drain ( ) ;
for ( i = 0 ; i < npages ; i + + ) {
2022-09-28 22:01:18 +10:00
struct page * page = migrate_pfn_to_page ( src_pfns [ i ] ) ;
2022-01-28 14:29:43 -05:00
struct folio * folio ;
2022-02-16 15:31:38 +11:00
2022-11-11 11:51:35 +11:00
if ( ! page ) {
if ( src_pfns [ i ] & MIGRATE_PFN_MIGRATE )
unmapped + + ;
2022-02-16 15:31:38 +11:00
continue ;
2022-11-11 11:51:35 +11:00
}
2022-02-16 15:31:38 +11:00
/* ZONE_DEVICE pages are not on LRU */
if ( ! is_zone_device_page ( page ) ) {
if ( ! PageLRU ( page ) & & allow_drain ) {
2023-06-21 17:45:56 +01:00
/* Drain CPU's lru cache */
2022-02-16 15:31:38 +11:00
lru_add_drain_all ( ) ;
allow_drain = false ;
}
2023-02-15 18:39:35 +08:00
if ( ! isolate_lru_page ( page ) ) {
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
restore + + ;
continue ;
}
/* Drop the reference we took in collect */
put_page ( page ) ;
}
2022-01-28 14:29:43 -05:00
folio = page_folio ( page ) ;
if ( folio_mapped ( folio ) )
try_to_migrate ( folio , 0 ) ;
2022-02-16 15:31:38 +11:00
2022-09-28 22:01:15 +10:00
if ( page_mapped ( page ) | |
2022-09-28 22:01:18 +10:00
! migrate_vma_check_page ( page , fault_page ) ) {
2022-02-16 15:31:38 +11:00
if ( ! is_zone_device_page ( page ) ) {
get_page ( page ) ;
putback_lru_page ( page ) ;
}
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
restore + + ;
continue ;
}
2022-09-28 22:01:18 +10:00
unmapped + + ;
2022-02-16 15:31:38 +11:00
}
for ( i = 0 ; i < npages & & restore ; i + + ) {
2022-09-28 22:01:18 +10:00
struct page * page = migrate_pfn_to_page ( src_pfns [ i ] ) ;
2022-01-28 23:32:59 -05:00
struct folio * folio ;
2022-02-16 15:31:38 +11:00
2022-09-28 22:01:18 +10:00
if ( ! page | | ( src_pfns [ i ] & MIGRATE_PFN_MIGRATE ) )
2022-02-16 15:31:38 +11:00
continue ;
2022-01-28 23:32:59 -05:00
folio = page_folio ( page ) ;
remove_migration_ptes ( folio , folio , false ) ;
2022-02-16 15:31:38 +11:00
2022-09-28 22:01:18 +10:00
src_pfns [ i ] = 0 ;
2022-01-28 23:32:59 -05:00
folio_unlock ( folio ) ;
folio_put ( folio ) ;
2022-02-16 15:31:38 +11:00
restore - - ;
}
2022-09-28 22:01:18 +10:00
return unmapped ;
}
/*
* migrate_vma_unmap ( ) - replace page mapping with special migration pte entry
* @ migrate : migrate struct containing all migration information
*
* Isolate pages from the LRU and replace mappings ( CPU page table pte ) with a
* special migration pte entry and check if it has been pinned . Pinned pages are
* restored because we cannot migrate them .
*
* This is the last step before we call the device driver callback to allocate
* destination memory and copy contents of original page over to new page .
*/
static void migrate_vma_unmap ( struct migrate_vma * migrate )
{
migrate - > cpages = migrate_device_unmap ( migrate - > src , migrate - > npages ,
migrate - > fault_page ) ;
2022-02-16 15:31:38 +11:00
}
/**
* migrate_vma_setup ( ) - prepare to migrate a range of memory
* @ args : contains the vma , start , and pfns arrays for the migration
*
* Returns : negative errno on failures , 0 when 0 or more pages were migrated
* without an error .
*
* Prepare to migrate a range of memory virtual address range by collecting all
* the pages backing each virtual address in the range , saving them inside the
* src array . Then lock those pages and unmap them . Once the pages are locked
* and unmapped , check whether each page is pinned or not . Pages that aren ' t
* pinned have the MIGRATE_PFN_MIGRATE flag set ( by this function ) in the
* corresponding src array entry . Then restores any pages that are pinned , by
* remapping and unlocking those pages .
*
* The caller should then allocate destination memory and copy source memory to
* it for all those entries ( ie with MIGRATE_PFN_VALID and MIGRATE_PFN_MIGRATE
* flag set ) . Once these are allocated and copied , the caller must update each
* corresponding entry in the dst array with the pfn value of the destination
* page and with MIGRATE_PFN_VALID . Destination pages must be locked via
* lock_page ( ) .
*
* Note that the caller does not have to migrate all the pages that are marked
* with MIGRATE_PFN_MIGRATE flag in src array unless this is a migration from
* device memory to system memory . If the caller cannot migrate a device page
* back to system memory , then it must return VM_FAULT_SIGBUS , which has severe
* consequences for the userspace process , so it must be avoided if at all
* possible .
*
* For empty entries inside CPU page table ( pte_none ( ) or pmd_none ( ) is true ) we
* do set MIGRATE_PFN_MIGRATE flag inside the corresponding source array thus
* allowing the caller to allocate device memory for those unbacked virtual
* addresses . For this the caller simply has to allocate device memory and
* properly set the destination entry like for regular migration . Note that
* this can still fail , and thus inside the device driver you must check if the
* migration was successful for those entries after calling migrate_vma_pages ( ) ,
* just like for regular migration .
*
* After that , the callers must call migrate_vma_pages ( ) to go over each entry
* in the src array that has the MIGRATE_PFN_VALID and MIGRATE_PFN_MIGRATE flag
* set . If the corresponding entry in dst array has MIGRATE_PFN_VALID flag set ,
* then migrate_vma_pages ( ) to migrate struct page information from the source
* struct page to the destination struct page . If it fails to migrate the
* struct page information , then it clears the MIGRATE_PFN_MIGRATE flag in the
* src array .
*
* At this point all successfully migrated pages have an entry in the src
* array with MIGRATE_PFN_VALID and MIGRATE_PFN_MIGRATE flag set and the dst
* array entry with MIGRATE_PFN_VALID flag set .
*
* Once migrate_vma_pages ( ) returns the caller may inspect which pages were
* successfully migrated , and which were not . Successfully migrated pages will
* have the MIGRATE_PFN_MIGRATE flag set for their src array entry .
*
* It is safe to update device page table after migrate_vma_pages ( ) because
* both destination and source page are still locked , and the mmap_lock is held
* in read mode ( hence no one can unmap the range being migrated ) .
*
* Once the caller is done cleaning up things and updating its page table ( if it
* chose to do so , this is not an obligation ) it finally calls
* migrate_vma_finalize ( ) to update the CPU page table to point to new pages
* for successfully migrated pages or otherwise restore the CPU page table to
* point to the original source pages .
*/
int migrate_vma_setup ( struct migrate_vma * args )
{
long nr_pages = ( args - > end - args - > start ) > > PAGE_SHIFT ;
args - > start & = PAGE_MASK ;
args - > end & = PAGE_MASK ;
if ( ! args - > vma | | is_vm_hugetlb_page ( args - > vma ) | |
( args - > vma - > vm_flags & VM_SPECIAL ) | | vma_is_dax ( args - > vma ) )
return - EINVAL ;
if ( nr_pages < = 0 )
return - EINVAL ;
if ( args - > start < args - > vma - > vm_start | |
args - > start > = args - > vma - > vm_end )
return - EINVAL ;
if ( args - > end < = args - > vma - > vm_start | | args - > end > args - > vma - > vm_end )
return - EINVAL ;
if ( ! args - > src | | ! args - > dst )
return - EINVAL ;
2022-09-28 22:01:15 +10:00
if ( args - > fault_page & & ! is_device_private_page ( args - > fault_page ) )
return - EINVAL ;
2022-02-16 15:31:38 +11:00
memset ( args - > src , 0 , sizeof ( * args - > src ) * nr_pages ) ;
args - > cpages = 0 ;
args - > npages = 0 ;
migrate_vma_collect ( args ) ;
if ( args - > cpages )
migrate_vma_unmap ( args ) ;
/*
* At this point pages are locked and unmapped , and thus they have
* stable content and can safely be copied to destination memory that
* is allocated by the drivers .
*/
return 0 ;
}
EXPORT_SYMBOL ( migrate_vma_setup ) ;
/*
* This code closely matches the code in :
* __handle_mm_fault ( )
* handle_pte_fault ( )
* do_anonymous_page ( )
* to map in an anonymous zero page but the struct page will be a ZONE_DEVICE
2022-07-15 10:05:10 -05:00
* private or coherent page .
2022-02-16 15:31:38 +11:00
*/
static void migrate_vma_insert_page ( struct migrate_vma * migrate ,
unsigned long addr ,
struct page * page ,
unsigned long * src )
{
struct vm_area_struct * vma = migrate - > vma ;
struct mm_struct * mm = vma - > vm_mm ;
bool flush = false ;
spinlock_t * ptl ;
pte_t entry ;
pgd_t * pgdp ;
p4d_t * p4dp ;
pud_t * pudp ;
pmd_t * pmdp ;
pte_t * ptep ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
pte_t orig_pte ;
2022-02-16 15:31:38 +11:00
/* Only allow populating anonymous memory */
if ( ! vma_is_anonymous ( vma ) )
goto abort ;
pgdp = pgd_offset ( mm , addr ) ;
p4dp = p4d_alloc ( mm , pgdp , addr ) ;
if ( ! p4dp )
goto abort ;
pudp = pud_alloc ( mm , p4dp , addr ) ;
if ( ! pudp )
goto abort ;
pmdp = pmd_alloc ( mm , pudp , addr ) ;
if ( ! pmdp )
goto abort ;
if ( pmd_trans_huge ( * pmdp ) | | pmd_devmap ( * pmdp ) )
goto abort ;
if ( pte_alloc ( mm , pmdp ) )
goto abort ;
if ( unlikely ( anon_vma_prepare ( vma ) ) )
goto abort ;
if ( mem_cgroup_charge ( page_folio ( page ) , vma - > vm_mm , GFP_KERNEL ) )
goto abort ;
/*
* The memory barrier inside __SetPageUptodate makes sure that
* preceding stores to the page contents become visible before
* the set_pte_at ( ) write .
*/
__SetPageUptodate ( page ) ;
if ( is_device_private_page ( page ) ) {
swp_entry_t swp_entry ;
if ( vma - > vm_flags & VM_WRITE )
swp_entry = make_writable_device_private_entry (
page_to_pfn ( page ) ) ;
else
swp_entry = make_readable_device_private_entry (
page_to_pfn ( page ) ) ;
entry = swp_entry_to_pte ( swp_entry ) ;
} else {
2022-07-15 10:05:10 -05:00
if ( is_zone_device_page ( page ) & &
! is_device_coherent_page ( page ) ) {
2022-02-16 15:31:38 +11:00
pr_warn_once ( " Unsupported ZONE_DEVICE page type. \n " ) ;
goto abort ;
}
entry = mk_pte ( page , vma - > vm_page_prot ) ;
if ( vma - > vm_flags & VM_WRITE )
entry = pte_mkwrite ( pte_mkdirty ( entry ) ) ;
}
ptep = pte_offset_map_lock ( mm , pmdp , addr , & ptl ) ;
2023-06-08 18:38:17 -07:00
if ( ! ptep )
goto abort ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
orig_pte = ptep_get ( ptep ) ;
2022-02-16 15:31:38 +11:00
if ( check_stable_address_space ( mm ) )
goto unlock_abort ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
if ( pte_present ( orig_pte ) ) {
unsigned long pfn = pte_pfn ( orig_pte ) ;
2022-02-16 15:31:38 +11:00
if ( ! is_zero_pfn ( pfn ) )
goto unlock_abort ;
flush = true ;
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
} else if ( ! pte_none ( orig_pte ) )
2022-02-16 15:31:38 +11:00
goto unlock_abort ;
/*
* Check for userfaultfd but do not deliver the fault . Instead ,
* just back off .
*/
if ( userfaultfd_missing ( vma ) )
goto unlock_abort ;
inc_mm_counter ( mm , MM_ANONPAGES ) ;
2022-05-09 18:20:43 -07:00
page_add_new_anon_rmap ( page , vma , addr ) ;
2022-02-16 15:31:38 +11:00
if ( ! is_zone_device_page ( page ) )
lru_cache_add_inactive_or_unevictable ( page , vma ) ;
get_page ( page ) ;
if ( flush ) {
mm: ptep_get() conversion
Convert all instances of direct pte_t* dereferencing to instead use
ptep_get() helper. This means that by default, the accesses change from a
C dereference to a READ_ONCE(). This is technically the correct thing to
do since where pgtables are modified by HW (for access/dirty) they are
volatile and therefore we should always ensure READ_ONCE() semantics.
But more importantly, by always using the helper, it can be overridden by
the architecture to fully encapsulate the contents of the pte. Arch code
is deliberately not converted, as the arch code knows best. It is
intended that arch code (arm64) will override the default with its own
implementation that can (e.g.) hide certain bits from the core code, or
determine young/dirty status by mixing in state from another source.
Conversion was done using Coccinelle:
----
// $ make coccicheck \
// COCCI=ptepget.cocci \
// SPFLAGS="--include-headers" \
// MODE=patch
virtual patch
@ depends on patch @
pte_t *v;
@@
- *v
+ ptep_get(v)
----
Then reviewed and hand-edited to avoid multiple unnecessary calls to
ptep_get(), instead opting to store the result of a single call in a
variable, where it is correct to do so. This aims to negate any cost of
READ_ONCE() and will benefit arch-overrides that may be more complex.
Included is a fix for an issue in an earlier version of this patch that
was pointed out by kernel test robot. The issue arose because config
MMU=n elides definition of the ptep helper functions, including
ptep_get(). HUGETLB_PAGE=n configs still define a simple
huge_ptep_clear_flush() for linking purposes, which dereferences the ptep.
So when both configs are disabled, this caused a build error because
ptep_get() is not defined. Fix by continuing to do a direct dereference
when MMU=n. This is safe because for this config the arch code cannot be
trying to virtualize the ptes because none of the ptep helpers are
defined.
Link: https://lkml.kernel.org/r/20230612151545.3317766-4-ryan.roberts@arm.com
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202305120142.yXsNEo6H-lkp@intel.com/
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Dimitri Sivanich <dimitri.sivanich@hpe.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: SeongJae Park <sj@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Yu Zhao <yuzhao@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-06-12 16:15:45 +01:00
flush_cache_page ( vma , addr , pte_pfn ( orig_pte ) ) ;
2022-02-16 15:31:38 +11:00
ptep_clear_flush_notify ( vma , addr , ptep ) ;
set_pte_at_notify ( mm , addr , ptep , entry ) ;
update_mmu_cache ( vma , addr , ptep ) ;
} else {
/* No need to invalidate - it was non-present before */
set_pte_at ( mm , addr , ptep , entry ) ;
update_mmu_cache ( vma , addr , ptep ) ;
}
pte_unmap_unlock ( ptep , ptl ) ;
* src = MIGRATE_PFN_MIGRATE ;
return ;
unlock_abort :
pte_unmap_unlock ( ptep , ptl ) ;
abort :
* src & = ~ MIGRATE_PFN_MIGRATE ;
}
2022-09-28 22:01:19 +10:00
static void __migrate_device_pages ( unsigned long * src_pfns ,
2022-09-28 22:01:18 +10:00
unsigned long * dst_pfns , unsigned long npages ,
struct migrate_vma * migrate )
2022-02-16 15:31:38 +11:00
{
struct mmu_notifier_range range ;
2022-09-28 22:01:18 +10:00
unsigned long i ;
2022-02-16 15:31:38 +11:00
bool notified = false ;
2022-09-28 22:01:18 +10:00
for ( i = 0 ; i < npages ; i + + ) {
struct page * newpage = migrate_pfn_to_page ( dst_pfns [ i ] ) ;
struct page * page = migrate_pfn_to_page ( src_pfns [ i ] ) ;
2022-02-16 15:31:38 +11:00
struct address_space * mapping ;
int r ;
if ( ! newpage ) {
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
continue ;
}
if ( ! page ) {
2022-09-28 22:01:18 +10:00
unsigned long addr ;
2022-09-28 22:01:19 +10:00
if ( ! ( src_pfns [ i ] & MIGRATE_PFN_MIGRATE ) )
continue ;
2022-07-15 10:05:13 -05:00
/*
* The only time there is no vma is when called from
* migrate_device_coherent_page ( ) . However this isn ' t
* called if the page could not be unmapped .
*/
2022-09-28 22:01:18 +10:00
VM_BUG_ON ( ! migrate ) ;
addr = migrate - > start + i * PAGE_SIZE ;
2022-02-16 15:31:38 +11:00
if ( ! notified ) {
notified = true ;
mmu_notifier_range_init_owner ( & range ,
2023-01-10 13:57:22 +11:00
MMU_NOTIFY_MIGRATE , 0 ,
2022-02-16 15:31:38 +11:00
migrate - > vma - > vm_mm , addr , migrate - > end ,
migrate - > pgmap_owner ) ;
mmu_notifier_invalidate_range_start ( & range ) ;
}
migrate_vma_insert_page ( migrate , addr , newpage ,
2022-09-28 22:01:18 +10:00
& src_pfns [ i ] ) ;
2022-02-16 15:31:38 +11:00
continue ;
}
mapping = page_mapping ( page ) ;
2022-07-15 10:05:10 -05:00
if ( is_device_private_page ( newpage ) | |
is_device_coherent_page ( newpage ) ) {
2022-02-16 15:31:38 +11:00
/*
2022-07-15 10:05:10 -05:00
* For now only support anonymous memory migrating to
* device private or coherent memory .
2022-02-16 15:31:38 +11:00
*/
if ( mapping ) {
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
continue ;
}
} else if ( is_zone_device_page ( newpage ) ) {
/*
* Other types of ZONE_DEVICE page are not supported .
*/
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
continue ;
}
2022-09-28 22:01:18 +10:00
if ( migrate & & migrate - > fault_page = = page )
2022-09-28 22:01:15 +10:00
r = migrate_folio_extra ( mapping , page_folio ( newpage ) ,
page_folio ( page ) ,
MIGRATE_SYNC_NO_COPY , 1 ) ;
else
r = migrate_folio ( mapping , page_folio ( newpage ) ,
page_folio ( page ) , MIGRATE_SYNC_NO_COPY ) ;
2022-02-16 15:31:38 +11:00
if ( r ! = MIGRATEPAGE_SUCCESS )
2022-09-28 22:01:18 +10:00
src_pfns [ i ] & = ~ MIGRATE_PFN_MIGRATE ;
2022-02-16 15:31:38 +11:00
}
/*
* No need to double call mmu_notifier - > invalidate_range ( ) callback as
* the above ptep_clear_flush_notify ( ) inside migrate_vma_insert_page ( )
* did already call it .
*/
if ( notified )
mmu_notifier_invalidate_range_only_end ( & range ) ;
}
2022-09-28 22:01:19 +10:00
/**
* migrate_device_pages ( ) - migrate meta - data from src page to dst page
* @ src_pfns : src_pfns returned from migrate_device_range ( )
* @ dst_pfns : array of pfns allocated by the driver to migrate memory to
* @ npages : number of pages in the range
*
* Equivalent to migrate_vma_pages ( ) . This is called to migrate struct page
* meta - data from source struct page to destination .
*/
void migrate_device_pages ( unsigned long * src_pfns , unsigned long * dst_pfns ,
unsigned long npages )
{
__migrate_device_pages ( src_pfns , dst_pfns , npages , NULL ) ;
}
EXPORT_SYMBOL ( migrate_device_pages ) ;
2022-02-16 15:31:38 +11:00
/**
2022-09-28 22:01:18 +10:00
* migrate_vma_pages ( ) - migrate meta - data from src page to dst page
2022-02-16 15:31:38 +11:00
* @ migrate : migrate struct containing all migration information
*
2022-09-28 22:01:18 +10:00
* This migrates struct page meta - data from source struct page to destination
* struct page . This effectively finishes the migration from source page to the
* destination page .
2022-02-16 15:31:38 +11:00
*/
2022-09-28 22:01:18 +10:00
void migrate_vma_pages ( struct migrate_vma * migrate )
{
2022-09-28 22:01:19 +10:00
__migrate_device_pages ( migrate - > src , migrate - > dst , migrate - > npages , migrate ) ;
2022-09-28 22:01:18 +10:00
}
EXPORT_SYMBOL ( migrate_vma_pages ) ;
2022-09-28 22:01:19 +10:00
/*
* migrate_device_finalize ( ) - complete page migration
* @ src_pfns : src_pfns returned from migrate_device_range ( )
* @ dst_pfns : array of pfns allocated by the driver to migrate memory to
* @ npages : number of pages in the range
*
* Completes migration of the page by removing special migration entries .
* Drivers must ensure copying of page data is complete and visible to the CPU
* before calling this .
*/
void migrate_device_finalize ( unsigned long * src_pfns ,
unsigned long * dst_pfns , unsigned long npages )
2022-02-16 15:31:38 +11:00
{
unsigned long i ;
for ( i = 0 ; i < npages ; i + + ) {
2022-01-28 23:32:59 -05:00
struct folio * dst , * src ;
2022-09-28 22:01:18 +10:00
struct page * newpage = migrate_pfn_to_page ( dst_pfns [ i ] ) ;
struct page * page = migrate_pfn_to_page ( src_pfns [ i ] ) ;
2022-02-16 15:31:38 +11:00
if ( ! page ) {
if ( newpage ) {
unlock_page ( newpage ) ;
put_page ( newpage ) ;
}
continue ;
}
2022-09-28 22:01:18 +10:00
if ( ! ( src_pfns [ i ] & MIGRATE_PFN_MIGRATE ) | | ! newpage ) {
2022-02-16 15:31:38 +11:00
if ( newpage ) {
unlock_page ( newpage ) ;
put_page ( newpage ) ;
}
newpage = page ;
}
2022-01-28 23:32:59 -05:00
src = page_folio ( page ) ;
dst = page_folio ( newpage ) ;
remove_migration_ptes ( src , dst , false ) ;
folio_unlock ( src ) ;
2022-02-16 15:31:38 +11:00
if ( is_zone_device_page ( page ) )
put_page ( page ) ;
else
putback_lru_page ( page ) ;
if ( newpage ! = page ) {
unlock_page ( newpage ) ;
if ( is_zone_device_page ( newpage ) )
put_page ( newpage ) ;
else
putback_lru_page ( newpage ) ;
}
}
}
2022-09-28 22:01:19 +10:00
EXPORT_SYMBOL ( migrate_device_finalize ) ;
2022-09-28 22:01:18 +10:00
/**
* migrate_vma_finalize ( ) - restore CPU page table entry
* @ migrate : migrate struct containing all migration information
*
* This replaces the special migration pte entry with either a mapping to the
* new page if migration was successful for that page , or to the original page
* otherwise .
*
* This also unlocks the pages and puts them back on the lru , or drops the extra
* refcount , for device pages .
*/
void migrate_vma_finalize ( struct migrate_vma * migrate )
{
migrate_device_finalize ( migrate - > src , migrate - > dst , migrate - > npages ) ;
}
2022-02-16 15:31:38 +11:00
EXPORT_SYMBOL ( migrate_vma_finalize ) ;
2022-07-15 10:05:13 -05:00
2022-09-28 22:01:19 +10:00
/**
* migrate_device_range ( ) - migrate device private pfns to normal memory .
* @ src_pfns : array large enough to hold migrating source device private pfns .
* @ start : starting pfn in the range to migrate .
* @ npages : number of pages to migrate .
*
* migrate_vma_setup ( ) is similar in concept to migrate_vma_setup ( ) except that
* instead of looking up pages based on virtual address mappings a range of
* device pfns that should be migrated to system memory is used instead .
*
* This is useful when a driver needs to free device memory but doesn ' t know the
* virtual mappings of every page that may be in device memory . For example this
* is often the case when a driver is being unloaded or unbound from a device .
*
* Like migrate_vma_setup ( ) this function will take a reference and lock any
* migrating pages that aren ' t free before unmapping them . Drivers may then
* allocate destination pages and start copying data from the device to CPU
* memory before calling migrate_device_pages ( ) .
*/
int migrate_device_range ( unsigned long * src_pfns , unsigned long start ,
unsigned long npages )
{
unsigned long i , pfn ;
for ( pfn = start , i = 0 ; i < npages ; pfn + + , i + + ) {
struct page * page = pfn_to_page ( pfn ) ;
if ( ! get_page_unless_zero ( page ) ) {
src_pfns [ i ] = 0 ;
continue ;
}
if ( ! trylock_page ( page ) ) {
src_pfns [ i ] = 0 ;
put_page ( page ) ;
continue ;
}
src_pfns [ i ] = migrate_pfn ( pfn ) | MIGRATE_PFN_MIGRATE ;
}
migrate_device_unmap ( src_pfns , npages , NULL ) ;
return 0 ;
}
EXPORT_SYMBOL ( migrate_device_range ) ;
2022-07-15 10:05:13 -05:00
/*
* Migrate a device coherent page back to normal memory . The caller should have
* a reference on page which will be copied to the new page if migration is
* successful or dropped on failure .
*/
int migrate_device_coherent_page ( struct page * page )
{
unsigned long src_pfn , dst_pfn = 0 ;
struct page * dpage ;
WARN_ON_ONCE ( PageCompound ( page ) ) ;
lock_page ( page ) ;
src_pfn = migrate_pfn ( page_to_pfn ( page ) ) | MIGRATE_PFN_MIGRATE ;
/*
* We don ' t have a VMA and don ' t need to walk the page tables to find
* the source page . So call migrate_vma_unmap ( ) directly to unmap the
* page as migrate_vma_setup ( ) will fail if args . vma = = NULL .
*/
2022-09-28 22:01:18 +10:00
migrate_device_unmap ( & src_pfn , 1 , NULL ) ;
2022-07-15 10:05:13 -05:00
if ( ! ( src_pfn & MIGRATE_PFN_MIGRATE ) )
return - EBUSY ;
dpage = alloc_page ( GFP_USER | __GFP_NOWARN ) ;
if ( dpage ) {
lock_page ( dpage ) ;
dst_pfn = migrate_pfn ( page_to_pfn ( dpage ) ) ;
}
2022-09-28 22:01:19 +10:00
migrate_device_pages ( & src_pfn , & dst_pfn , 1 ) ;
2022-07-15 10:05:13 -05:00
if ( src_pfn & MIGRATE_PFN_MIGRATE )
copy_highpage ( dpage , page ) ;
2022-09-28 22:01:18 +10:00
migrate_device_finalize ( & src_pfn , & dst_pfn , 1 ) ;
2022-07-15 10:05:13 -05:00
if ( src_pfn & MIGRATE_PFN_MIGRATE )
return 0 ;
return - EBUSY ;
}