1 // SPDX-License-Identifier: GPL-2.0
5 * (C) Copyright 1994 Linus Torvalds
6 * (C) Copyright 2002 Christoph Hellwig
9 * (C) Copyright 2002 Red Hat Inc, All Rights Reserved
12 #include <linux/pagewalk.h>
13 #include <linux/hugetlb.h>
14 #include <linux/shm.h>
15 #include <linux/mman.h>
17 #include <linux/highmem.h>
18 #include <linux/security.h>
19 #include <linux/mempolicy.h>
20 #include <linux/personality.h>
21 #include <linux/syscalls.h>
22 #include <linux/swap.h>
23 #include <linux/swapops.h>
24 #include <linux/mmu_notifier.h>
25 #include <linux/migrate.h>
26 #include <linux/perf_event.h>
27 #include <linux/pkeys.h>
28 #include <linux/ksm.h>
29 #include <linux/uaccess.h>
30 #include <linux/mm_inline.h>
31 #include <asm/pgtable.h>
32 #include <asm/cacheflush.h>
33 #include <asm/mmu_context.h>
34 #include <asm/tlbflush.h>
38 static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
39 unsigned long addr, unsigned long end, pgprot_t newprot,
40 unsigned long cp_flags)
44 unsigned long pages = 0;
45 int target_node = NUMA_NO_NODE;
46 bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT;
47 bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
48 bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
49 bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
52 * Can be called with only the mmap_sem for reading by
53 * prot_numa so we must check the pmd isn't constantly
54 * changing from under us from pmd_none to pmd_trans_huge
55 * and/or the other way around.
57 if (pmd_trans_unstable(pmd))
61 * The pmd points to a regular pte so the pmd can't change
62 * from under us even if the mmap_sem is only hold for
65 pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
67 /* Get target node for single threaded private VMAs */
68 if (prot_numa && !(vma->vm_flags & VM_SHARED) &&
69 atomic_read(&vma->vm_mm->mm_users) == 1)
70 target_node = numa_node_id();
72 flush_tlb_batched_pending(vma->vm_mm);
73 arch_enter_lazy_mmu_mode();
76 if (pte_present(oldpte)) {
78 bool preserve_write = prot_numa && pte_write(oldpte);
81 * Avoid trapping faults against the zero or KSM
82 * pages. See similar comment in change_huge_pmd.
87 /* Avoid TLB flush if possible */
88 if (pte_protnone(oldpte))
91 page = vm_normal_page(vma, addr, oldpte);
92 if (!page || PageKsm(page))
95 /* Also skip shared copy-on-write pages */
96 if (is_cow_mapping(vma->vm_flags) &&
97 page_mapcount(page) != 1)
101 * While migration can move some dirty pages,
102 * it cannot move them all from MIGRATE_ASYNC
105 if (page_is_file_lru(page) && PageDirty(page))
109 * Don't mess with PTEs if page is already on the node
110 * a single-threaded process is running on.
112 if (target_node == page_to_nid(page))
116 oldpte = ptep_modify_prot_start(vma, addr, pte);
117 ptent = pte_modify(oldpte, newprot);
119 ptent = pte_mk_savedwrite(ptent);
122 ptent = pte_wrprotect(ptent);
123 ptent = pte_mkuffd_wp(ptent);
124 } else if (uffd_wp_resolve) {
126 * Leave the write bit to be handled
127 * by PF interrupt handler, then
128 * things like COW could be properly
131 ptent = pte_clear_uffd_wp(ptent);
134 /* Avoid taking write faults for known dirty pages */
135 if (dirty_accountable && pte_dirty(ptent) &&
136 (pte_soft_dirty(ptent) ||
137 !(vma->vm_flags & VM_SOFTDIRTY))) {
138 ptent = pte_mkwrite(ptent);
140 ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent);
142 } else if (IS_ENABLED(CONFIG_MIGRATION)) {
143 swp_entry_t entry = pte_to_swp_entry(oldpte);
145 if (is_write_migration_entry(entry)) {
148 * A protection check is difficult so
149 * just be safe and disable write
151 make_migration_entry_read(&entry);
152 newpte = swp_entry_to_pte(entry);
153 if (pte_swp_soft_dirty(oldpte))
154 newpte = pte_swp_mksoft_dirty(newpte);
155 set_pte_at(vma->vm_mm, addr, pte, newpte);
160 if (is_write_device_private_entry(entry)) {
164 * We do not preserve soft-dirtiness. See
165 * copy_one_pte() for explanation.
167 make_device_private_entry_read(&entry);
168 newpte = swp_entry_to_pte(entry);
169 set_pte_at(vma->vm_mm, addr, pte, newpte);
174 } while (pte++, addr += PAGE_SIZE, addr != end);
175 arch_leave_lazy_mmu_mode();
176 pte_unmap_unlock(pte - 1, ptl);
182 * Used when setting automatic NUMA hinting protection where it is
183 * critical that a numa hinting PMD is not confused with a bad PMD.
185 static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd)
187 pmd_t pmdval = pmd_read_atomic(pmd);
189 /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */
190 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
194 if (pmd_none(pmdval))
196 if (pmd_trans_huge(pmdval))
198 if (unlikely(pmd_bad(pmdval))) {
206 static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
207 pud_t *pud, unsigned long addr, unsigned long end,
208 pgprot_t newprot, unsigned long cp_flags)
212 unsigned long pages = 0;
213 unsigned long nr_huge_updates = 0;
214 struct mmu_notifier_range range;
218 pmd = pmd_offset(pud, addr);
220 unsigned long this_pages;
222 next = pmd_addr_end(addr, end);
225 * Automatic NUMA balancing walks the tables with mmap_sem
226 * held for read. It's possible a parallel update to occur
227 * between pmd_trans_huge() and a pmd_none_or_clear_bad()
228 * check leading to a false positive and clearing.
229 * Hence, it's necessary to atomically read the PMD value
230 * for all the checks.
232 if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) &&
233 pmd_none_or_clear_bad_unless_trans_huge(pmd))
236 /* invoke the mmu notifier if the pmd is populated */
238 mmu_notifier_range_init(&range,
239 MMU_NOTIFY_PROTECTION_VMA, 0,
240 vma, vma->vm_mm, addr, end);
241 mmu_notifier_invalidate_range_start(&range);
244 if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {
245 if (next - addr != HPAGE_PMD_SIZE) {
246 __split_huge_pmd(vma, pmd, addr, false, NULL);
248 int nr_ptes = change_huge_pmd(vma, pmd, addr,
252 if (nr_ptes == HPAGE_PMD_NR) {
253 pages += HPAGE_PMD_NR;
257 /* huge pmd was handled */
261 /* fall through, the trans huge pmd just split */
263 this_pages = change_pte_range(vma, pmd, addr, next, newprot,
268 } while (pmd++, addr = next, addr != end);
271 mmu_notifier_invalidate_range_end(&range);
274 count_vm_numa_events(NUMA_HUGE_PTE_UPDATES, nr_huge_updates);
278 static inline unsigned long change_pud_range(struct vm_area_struct *vma,
279 p4d_t *p4d, unsigned long addr, unsigned long end,
280 pgprot_t newprot, unsigned long cp_flags)
284 unsigned long pages = 0;
286 pud = pud_offset(p4d, addr);
288 next = pud_addr_end(addr, end);
289 if (pud_none_or_clear_bad(pud))
291 pages += change_pmd_range(vma, pud, addr, next, newprot,
293 } while (pud++, addr = next, addr != end);
298 static inline unsigned long change_p4d_range(struct vm_area_struct *vma,
299 pgd_t *pgd, unsigned long addr, unsigned long end,
300 pgprot_t newprot, unsigned long cp_flags)
304 unsigned long pages = 0;
306 p4d = p4d_offset(pgd, addr);
308 next = p4d_addr_end(addr, end);
309 if (p4d_none_or_clear_bad(p4d))
311 pages += change_pud_range(vma, p4d, addr, next, newprot,
313 } while (p4d++, addr = next, addr != end);
318 static unsigned long change_protection_range(struct vm_area_struct *vma,
319 unsigned long addr, unsigned long end, pgprot_t newprot,
320 unsigned long cp_flags)
322 struct mm_struct *mm = vma->vm_mm;
325 unsigned long start = addr;
326 unsigned long pages = 0;
329 pgd = pgd_offset(mm, addr);
330 flush_cache_range(vma, addr, end);
331 inc_tlb_flush_pending(mm);
333 next = pgd_addr_end(addr, end);
334 if (pgd_none_or_clear_bad(pgd))
336 pages += change_p4d_range(vma, pgd, addr, next, newprot,
338 } while (pgd++, addr = next, addr != end);
340 /* Only flush the TLB if we actually modified any entries: */
342 flush_tlb_range(vma, start, end);
343 dec_tlb_flush_pending(mm);
348 unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
349 unsigned long end, pgprot_t newprot,
350 unsigned long cp_flags)
354 BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL);
356 if (is_vm_hugetlb_page(vma))
357 pages = hugetlb_change_protection(vma, start, end, newprot);
359 pages = change_protection_range(vma, start, end, newprot,
365 static int prot_none_pte_entry(pte_t *pte, unsigned long addr,
366 unsigned long next, struct mm_walk *walk)
368 return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ?
372 static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask,
373 unsigned long addr, unsigned long next,
374 struct mm_walk *walk)
376 return pfn_modify_allowed(pte_pfn(*pte), *(pgprot_t *)(walk->private)) ?
380 static int prot_none_test(unsigned long addr, unsigned long next,
381 struct mm_walk *walk)
386 static const struct mm_walk_ops prot_none_walk_ops = {
387 .pte_entry = prot_none_pte_entry,
388 .hugetlb_entry = prot_none_hugetlb_entry,
389 .test_walk = prot_none_test,
393 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
394 unsigned long start, unsigned long end, unsigned long newflags)
396 struct mm_struct *mm = vma->vm_mm;
397 unsigned long oldflags = vma->vm_flags;
398 long nrpages = (end - start) >> PAGE_SHIFT;
399 unsigned long charged = 0;
402 int dirty_accountable = 0;
404 if (newflags == oldflags) {
410 * Do PROT_NONE PFN permission checks here when we can still
411 * bail out without undoing a lot of state. This is a rather
412 * uncommon case, so doesn't need to be very optimized.
414 if (arch_has_pfn_modify_check() &&
415 (vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&
416 (newflags & (VM_READ|VM_WRITE|VM_EXEC)) == 0) {
417 pgprot_t new_pgprot = vm_get_page_prot(newflags);
419 error = walk_page_range(current->mm, start, end,
420 &prot_none_walk_ops, &new_pgprot);
426 * If we make a private mapping writable we increase our commit;
427 * but (without finer accounting) cannot reduce our commit if we
428 * make it unwritable again. hugetlb mapping were accounted for
429 * even if read-only so there is no need to account for them here
431 if (newflags & VM_WRITE) {
432 /* Check space limits when area turns into data. */
433 if (!may_expand_vm(mm, newflags, nrpages) &&
434 may_expand_vm(mm, oldflags, nrpages))
436 if (!(oldflags & (VM_ACCOUNT|VM_WRITE|VM_HUGETLB|
437 VM_SHARED|VM_NORESERVE))) {
439 if (security_vm_enough_memory_mm(mm, charged))
441 newflags |= VM_ACCOUNT;
446 * First try to merge with previous and/or next vma.
448 pgoff = vma->vm_pgoff + ((start - vma->vm_start) >> PAGE_SHIFT);
449 *pprev = vma_merge(mm, *pprev, start, end, newflags,
450 vma->anon_vma, vma->vm_file, pgoff, vma_policy(vma),
451 vma->vm_userfaultfd_ctx);
454 VM_WARN_ON((vma->vm_flags ^ newflags) & ~VM_SOFTDIRTY);
460 if (start != vma->vm_start) {
461 error = split_vma(mm, vma, start, 1);
466 if (end != vma->vm_end) {
467 error = split_vma(mm, vma, end, 0);
474 * vm_flags and vm_page_prot are protected by the mmap_sem
475 * held in write mode.
477 vma->vm_flags = newflags;
478 dirty_accountable = vma_wants_writenotify(vma, vma->vm_page_prot);
479 vma_set_page_prot(vma);
481 change_protection(vma, start, end, vma->vm_page_prot,
482 dirty_accountable ? MM_CP_DIRTY_ACCT : 0);
485 * Private VM_LOCKED VMA becoming writable: trigger COW to avoid major
488 if ((oldflags & (VM_WRITE | VM_SHARED | VM_LOCKED)) == VM_LOCKED &&
489 (newflags & VM_WRITE)) {
490 populate_vma_page_range(vma, start, end, NULL);
493 vm_stat_account(mm, oldflags, -nrpages);
494 vm_stat_account(mm, newflags, nrpages);
495 perf_event_mmap(vma);
499 vm_unacct_memory(charged);
504 * pkey==-1 when doing a legacy mprotect()
506 static int do_mprotect_pkey(unsigned long start, size_t len,
507 unsigned long prot, int pkey)
509 unsigned long nstart, end, tmp, reqprot;
510 struct vm_area_struct *vma, *prev;
512 const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
513 const bool rier = (current->personality & READ_IMPLIES_EXEC) &&
516 start = untagged_addr(start);
518 prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP);
519 if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */
522 if (start & ~PAGE_MASK)
526 len = PAGE_ALIGN(len);
530 if (!arch_validate_prot(prot, start))
535 if (down_write_killable(¤t->mm->mmap_sem))
539 * If userspace did not allocate the pkey, do not let
543 if ((pkey != -1) && !mm_pkey_is_allocated(current->mm, pkey))
546 vma = find_vma(current->mm, start);
551 if (unlikely(grows & PROT_GROWSDOWN)) {
552 if (vma->vm_start >= end)
554 start = vma->vm_start;
556 if (!(vma->vm_flags & VM_GROWSDOWN))
559 if (vma->vm_start > start)
561 if (unlikely(grows & PROT_GROWSUP)) {
564 if (!(vma->vm_flags & VM_GROWSUP))
568 if (start > vma->vm_start)
571 for (nstart = start ; ; ) {
572 unsigned long mask_off_old_flags;
573 unsigned long newflags;
576 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
578 /* Does the application expect PROT_READ to imply PROT_EXEC */
579 if (rier && (vma->vm_flags & VM_MAYEXEC))
583 * Each mprotect() call explicitly passes r/w/x permissions.
584 * If a permission is not passed to mprotect(), it must be
585 * cleared from the VMA.
587 mask_off_old_flags = VM_READ | VM_WRITE | VM_EXEC |
590 new_vma_pkey = arch_override_mprotect_pkey(vma, prot, pkey);
591 newflags = calc_vm_prot_bits(prot, new_vma_pkey);
592 newflags |= (vma->vm_flags & ~mask_off_old_flags);
594 /* newflags >> 4 shift VM_MAY% in place of VM_% */
595 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
600 error = security_file_mprotect(vma, reqprot, prot);
607 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
612 if (nstart < prev->vm_end)
613 nstart = prev->vm_end;
618 if (!vma || vma->vm_start != nstart) {
625 up_write(¤t->mm->mmap_sem);
629 SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
632 return do_mprotect_pkey(start, len, prot, -1);
635 #ifdef CONFIG_ARCH_HAS_PKEYS
637 SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len,
638 unsigned long, prot, int, pkey)
640 return do_mprotect_pkey(start, len, prot, pkey);
643 SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val)
648 /* No flags supported yet. */
651 /* check for unsupported init values */
652 if (init_val & ~PKEY_ACCESS_MASK)
655 down_write(¤t->mm->mmap_sem);
656 pkey = mm_pkey_alloc(current->mm);
662 ret = arch_set_user_pkey_access(current, pkey, init_val);
664 mm_pkey_free(current->mm, pkey);
669 up_write(¤t->mm->mmap_sem);
673 SYSCALL_DEFINE1(pkey_free, int, pkey)
677 down_write(¤t->mm->mmap_sem);
678 ret = mm_pkey_free(current->mm, pkey);
679 up_write(¤t->mm->mmap_sem);
682 * We could provie warnings or errors if any VMA still
683 * has the pkey set here.
688 #endif /* CONFIG_ARCH_HAS_PKEYS */
projects / linux.git / blob