1 // SPDX-License-Identifier: GPL-2.0-only
6 * Copyright (C) 2008-2009 Red Hat, Inc.
7 * Copyright (C) 2015 Red Hat, Inc.
9 * Some part derived from fs/eventfd.c (anon inode setup) and
10 * mm/ksm.c (mm hashing).
13 #include <linux/list.h>
14 #include <linux/hashtable.h>
15 #include <linux/sched/signal.h>
16 #include <linux/sched/mm.h>
18 #include <linux/mm_inline.h>
19 #include <linux/mmu_notifier.h>
20 #include <linux/poll.h>
21 #include <linux/slab.h>
22 #include <linux/seq_file.h>
23 #include <linux/file.h>
24 #include <linux/bug.h>
25 #include <linux/anon_inodes.h>
26 #include <linux/syscalls.h>
27 #include <linux/userfaultfd_k.h>
28 #include <linux/mempolicy.h>
29 #include <linux/ioctl.h>
30 #include <linux/security.h>
31 #include <linux/hugetlb.h>
32 #include <linux/swapops.h>
33 #include <linux/miscdevice.h>
35 static int sysctl_unprivileged_userfaultfd __read_mostly;
38 static struct ctl_table vm_userfaultfd_table[] = {
40 .procname = "unprivileged_userfaultfd",
41 .data = &sysctl_unprivileged_userfaultfd,
42 .maxlen = sizeof(sysctl_unprivileged_userfaultfd),
44 .proc_handler = proc_dointvec_minmax,
45 .extra1 = SYSCTL_ZERO,
51 static struct kmem_cache *userfaultfd_ctx_cachep __ro_after_init;
53 struct userfaultfd_fork_ctx {
54 struct userfaultfd_ctx *orig;
55 struct userfaultfd_ctx *new;
56 struct list_head list;
59 struct userfaultfd_unmap_ctx {
60 struct userfaultfd_ctx *ctx;
63 struct list_head list;
66 struct userfaultfd_wait_queue {
68 wait_queue_entry_t wq;
69 struct userfaultfd_ctx *ctx;
73 struct userfaultfd_wake_range {
78 /* internal indication that UFFD_API ioctl was successfully executed */
79 #define UFFD_FEATURE_INITIALIZED (1u << 31)
81 static bool userfaultfd_is_initialized(struct userfaultfd_ctx *ctx)
83 return ctx->features & UFFD_FEATURE_INITIALIZED;
86 static bool userfaultfd_wp_async_ctx(struct userfaultfd_ctx *ctx)
88 return ctx && (ctx->features & UFFD_FEATURE_WP_ASYNC);
92 * Whether WP_UNPOPULATED is enabled on the uffd context. It is only
93 * meaningful when userfaultfd_wp()==true on the vma and when it's
96 bool userfaultfd_wp_unpopulated(struct vm_area_struct *vma)
98 struct userfaultfd_ctx *ctx = vma->vm_userfaultfd_ctx.ctx;
103 return ctx->features & UFFD_FEATURE_WP_UNPOPULATED;
106 static void userfaultfd_set_vm_flags(struct vm_area_struct *vma,
109 const bool uffd_wp_changed = (vma->vm_flags ^ flags) & VM_UFFD_WP;
111 vm_flags_reset(vma, flags);
113 * For shared mappings, we want to enable writenotify while
114 * userfaultfd-wp is enabled (see vma_wants_writenotify()). We'll simply
115 * recalculate vma->vm_page_prot whenever userfaultfd-wp changes.
117 if ((vma->vm_flags & VM_SHARED) && uffd_wp_changed)
118 vma_set_page_prot(vma);
121 static int userfaultfd_wake_function(wait_queue_entry_t *wq, unsigned mode,
122 int wake_flags, void *key)
124 struct userfaultfd_wake_range *range = key;
126 struct userfaultfd_wait_queue *uwq;
127 unsigned long start, len;
129 uwq = container_of(wq, struct userfaultfd_wait_queue, wq);
131 /* len == 0 means wake all */
132 start = range->start;
134 if (len && (start > uwq->msg.arg.pagefault.address ||
135 start + len <= uwq->msg.arg.pagefault.address))
137 WRITE_ONCE(uwq->waken, true);
139 * The Program-Order guarantees provided by the scheduler
140 * ensure uwq->waken is visible before the task is woken.
142 ret = wake_up_state(wq->private, mode);
145 * Wake only once, autoremove behavior.
147 * After the effect of list_del_init is visible to the other
148 * CPUs, the waitqueue may disappear from under us, see the
149 * !list_empty_careful() in handle_userfault().
151 * try_to_wake_up() has an implicit smp_mb(), and the
152 * wq->private is read before calling the extern function
153 * "wake_up_state" (which in turns calls try_to_wake_up).
155 list_del_init(&wq->entry);
162 * userfaultfd_ctx_get - Acquires a reference to the internal userfaultfd
164 * @ctx: [in] Pointer to the userfaultfd context.
166 static void userfaultfd_ctx_get(struct userfaultfd_ctx *ctx)
168 refcount_inc(&ctx->refcount);
172 * userfaultfd_ctx_put - Releases a reference to the internal userfaultfd
174 * @ctx: [in] Pointer to userfaultfd context.
176 * The userfaultfd context reference must have been previously acquired either
177 * with userfaultfd_ctx_get() or userfaultfd_ctx_fdget().
179 static void userfaultfd_ctx_put(struct userfaultfd_ctx *ctx)
181 if (refcount_dec_and_test(&ctx->refcount)) {
182 VM_BUG_ON(spin_is_locked(&ctx->fault_pending_wqh.lock));
183 VM_BUG_ON(waitqueue_active(&ctx->fault_pending_wqh));
184 VM_BUG_ON(spin_is_locked(&ctx->fault_wqh.lock));
185 VM_BUG_ON(waitqueue_active(&ctx->fault_wqh));
186 VM_BUG_ON(spin_is_locked(&ctx->event_wqh.lock));
187 VM_BUG_ON(waitqueue_active(&ctx->event_wqh));
188 VM_BUG_ON(spin_is_locked(&ctx->fd_wqh.lock));
189 VM_BUG_ON(waitqueue_active(&ctx->fd_wqh));
191 kmem_cache_free(userfaultfd_ctx_cachep, ctx);
195 static inline void msg_init(struct uffd_msg *msg)
197 BUILD_BUG_ON(sizeof(struct uffd_msg) != 32);
199 * Must use memset to zero out the paddings or kernel data is
200 * leaked to userland.
202 memset(msg, 0, sizeof(struct uffd_msg));
205 static inline struct uffd_msg userfault_msg(unsigned long address,
206 unsigned long real_address,
208 unsigned long reason,
209 unsigned int features)
214 msg.event = UFFD_EVENT_PAGEFAULT;
216 msg.arg.pagefault.address = (features & UFFD_FEATURE_EXACT_ADDRESS) ?
217 real_address : address;
220 * These flags indicate why the userfault occurred:
221 * - UFFD_PAGEFAULT_FLAG_WP indicates a write protect fault.
222 * - UFFD_PAGEFAULT_FLAG_MINOR indicates a minor fault.
223 * - Neither of these flags being set indicates a MISSING fault.
225 * Separately, UFFD_PAGEFAULT_FLAG_WRITE indicates it was a write
226 * fault. Otherwise, it was a read fault.
228 if (flags & FAULT_FLAG_WRITE)
229 msg.arg.pagefault.flags |= UFFD_PAGEFAULT_FLAG_WRITE;
230 if (reason & VM_UFFD_WP)
231 msg.arg.pagefault.flags |= UFFD_PAGEFAULT_FLAG_WP;
232 if (reason & VM_UFFD_MINOR)
233 msg.arg.pagefault.flags |= UFFD_PAGEFAULT_FLAG_MINOR;
234 if (features & UFFD_FEATURE_THREAD_ID)
235 msg.arg.pagefault.feat.ptid = task_pid_vnr(current);
239 #ifdef CONFIG_HUGETLB_PAGE
241 * Same functionality as userfaultfd_must_wait below with modifications for
244 static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx,
245 struct vm_fault *vmf,
246 unsigned long reason)
248 struct vm_area_struct *vma = vmf->vma;
252 assert_fault_locked(vmf);
254 ptep = hugetlb_walk(vma, vmf->address, vma_mmu_pagesize(vma));
259 pte = huge_ptep_get(ptep);
262 * Lockless access: we're in a wait_event so it's ok if it
263 * changes under us. PTE markers should be handled the same as none
266 if (huge_pte_none_mostly(pte))
268 if (!huge_pte_write(pte) && (reason & VM_UFFD_WP))
274 static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx,
275 struct vm_fault *vmf,
276 unsigned long reason)
278 return false; /* should never get here */
280 #endif /* CONFIG_HUGETLB_PAGE */
283 * Verify the pagetables are still not ok after having reigstered into
284 * the fault_pending_wqh to avoid userland having to UFFDIO_WAKE any
285 * userfault that has already been resolved, if userfaultfd_read and
286 * UFFDIO_COPY|ZEROPAGE are being run simultaneously on two different
289 static inline bool userfaultfd_must_wait(struct userfaultfd_ctx *ctx,
290 struct vm_fault *vmf,
291 unsigned long reason)
293 struct mm_struct *mm = ctx->mm;
294 unsigned long address = vmf->address;
303 assert_fault_locked(vmf);
305 pgd = pgd_offset(mm, address);
306 if (!pgd_present(*pgd))
308 p4d = p4d_offset(pgd, address);
309 if (!p4d_present(*p4d))
311 pud = pud_offset(p4d, address);
312 if (!pud_present(*pud))
314 pmd = pmd_offset(pud, address);
316 _pmd = pmdp_get_lockless(pmd);
321 if (!pmd_present(_pmd) || pmd_devmap(_pmd))
324 if (pmd_trans_huge(_pmd)) {
325 if (!pmd_write(_pmd) && (reason & VM_UFFD_WP))
330 pte = pte_offset_map(pmd, address);
336 * Lockless access: we're in a wait_event so it's ok if it
337 * changes under us. PTE markers should be handled the same as none
340 ptent = ptep_get(pte);
341 if (pte_none_mostly(ptent))
343 if (!pte_write(ptent) && (reason & VM_UFFD_WP))
351 static inline unsigned int userfaultfd_get_blocking_state(unsigned int flags)
353 if (flags & FAULT_FLAG_INTERRUPTIBLE)
354 return TASK_INTERRUPTIBLE;
356 if (flags & FAULT_FLAG_KILLABLE)
357 return TASK_KILLABLE;
359 return TASK_UNINTERRUPTIBLE;
363 * The locking rules involved in returning VM_FAULT_RETRY depending on
364 * FAULT_FLAG_ALLOW_RETRY, FAULT_FLAG_RETRY_NOWAIT and
365 * FAULT_FLAG_KILLABLE are not straightforward. The "Caution"
366 * recommendation in __lock_page_or_retry is not an understatement.
368 * If FAULT_FLAG_ALLOW_RETRY is set, the mmap_lock must be released
369 * before returning VM_FAULT_RETRY only if FAULT_FLAG_RETRY_NOWAIT is
372 * If FAULT_FLAG_ALLOW_RETRY is set but FAULT_FLAG_KILLABLE is not
373 * set, VM_FAULT_RETRY can still be returned if and only if there are
374 * fatal_signal_pending()s, and the mmap_lock must be released before
377 vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason)
379 struct vm_area_struct *vma = vmf->vma;
380 struct mm_struct *mm = vma->vm_mm;
381 struct userfaultfd_ctx *ctx;
382 struct userfaultfd_wait_queue uwq;
383 vm_fault_t ret = VM_FAULT_SIGBUS;
385 unsigned int blocking_state;
388 * We don't do userfault handling for the final child pid update.
390 * We also don't do userfault handling during
391 * coredumping. hugetlbfs has the special
392 * hugetlb_follow_page_mask() to skip missing pages in the
393 * FOLL_DUMP case, anon memory also checks for FOLL_DUMP with
394 * the no_page_table() helper in follow_page_mask(), but the
395 * shmem_vm_ops->fault method is invoked even during
396 * coredumping and it ends up here.
398 if (current->flags & (PF_EXITING|PF_DUMPCORE))
401 assert_fault_locked(vmf);
403 ctx = vma->vm_userfaultfd_ctx.ctx;
407 BUG_ON(ctx->mm != mm);
409 /* Any unrecognized flag is a bug. */
410 VM_BUG_ON(reason & ~__VM_UFFD_FLAGS);
411 /* 0 or > 1 flags set is a bug; we expect exactly 1. */
412 VM_BUG_ON(!reason || (reason & (reason - 1)));
414 if (ctx->features & UFFD_FEATURE_SIGBUS)
416 if (!(vmf->flags & FAULT_FLAG_USER) && (ctx->flags & UFFD_USER_MODE_ONLY))
420 * If it's already released don't get it. This avoids to loop
421 * in __get_user_pages if userfaultfd_release waits on the
422 * caller of handle_userfault to release the mmap_lock.
424 if (unlikely(READ_ONCE(ctx->released))) {
426 * Don't return VM_FAULT_SIGBUS in this case, so a non
427 * cooperative manager can close the uffd after the
428 * last UFFDIO_COPY, without risking to trigger an
429 * involuntary SIGBUS if the process was starting the
430 * userfaultfd while the userfaultfd was still armed
431 * (but after the last UFFDIO_COPY). If the uffd
432 * wasn't already closed when the userfault reached
433 * this point, that would normally be solved by
434 * userfaultfd_must_wait returning 'false'.
436 * If we were to return VM_FAULT_SIGBUS here, the non
437 * cooperative manager would be instead forced to
438 * always call UFFDIO_UNREGISTER before it can safely
441 ret = VM_FAULT_NOPAGE;
446 * Check that we can return VM_FAULT_RETRY.
448 * NOTE: it should become possible to return VM_FAULT_RETRY
449 * even if FAULT_FLAG_TRIED is set without leading to gup()
450 * -EBUSY failures, if the userfaultfd is to be extended for
451 * VM_UFFD_WP tracking and we intend to arm the userfault
452 * without first stopping userland access to the memory. For
453 * VM_UFFD_MISSING userfaults this is enough for now.
455 if (unlikely(!(vmf->flags & FAULT_FLAG_ALLOW_RETRY))) {
457 * Validate the invariant that nowait must allow retry
458 * to be sure not to return SIGBUS erroneously on
459 * nowait invocations.
461 BUG_ON(vmf->flags & FAULT_FLAG_RETRY_NOWAIT);
462 #ifdef CONFIG_DEBUG_VM
463 if (printk_ratelimit()) {
465 "FAULT_FLAG_ALLOW_RETRY missing %x\n",
474 * Handle nowait, not much to do other than tell it to retry
477 ret = VM_FAULT_RETRY;
478 if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
481 /* take the reference before dropping the mmap_lock */
482 userfaultfd_ctx_get(ctx);
484 init_waitqueue_func_entry(&uwq.wq, userfaultfd_wake_function);
485 uwq.wq.private = current;
486 uwq.msg = userfault_msg(vmf->address, vmf->real_address, vmf->flags,
487 reason, ctx->features);
491 blocking_state = userfaultfd_get_blocking_state(vmf->flags);
494 * Take the vma lock now, in order to safely call
495 * userfaultfd_huge_must_wait() later. Since acquiring the
496 * (sleepable) vma lock can modify the current task state, that
497 * must be before explicitly calling set_current_state().
499 if (is_vm_hugetlb_page(vma))
500 hugetlb_vma_lock_read(vma);
502 spin_lock_irq(&ctx->fault_pending_wqh.lock);
504 * After the __add_wait_queue the uwq is visible to userland
505 * through poll/read().
507 __add_wait_queue(&ctx->fault_pending_wqh, &uwq.wq);
509 * The smp_mb() after __set_current_state prevents the reads
510 * following the spin_unlock to happen before the list_add in
513 set_current_state(blocking_state);
514 spin_unlock_irq(&ctx->fault_pending_wqh.lock);
516 if (!is_vm_hugetlb_page(vma))
517 must_wait = userfaultfd_must_wait(ctx, vmf, reason);
519 must_wait = userfaultfd_huge_must_wait(ctx, vmf, reason);
520 if (is_vm_hugetlb_page(vma))
521 hugetlb_vma_unlock_read(vma);
522 release_fault_lock(vmf);
524 if (likely(must_wait && !READ_ONCE(ctx->released))) {
525 wake_up_poll(&ctx->fd_wqh, EPOLLIN);
529 __set_current_state(TASK_RUNNING);
532 * Here we race with the list_del; list_add in
533 * userfaultfd_ctx_read(), however because we don't ever run
534 * list_del_init() to refile across the two lists, the prev
535 * and next pointers will never point to self. list_add also
536 * would never let any of the two pointers to point to
537 * self. So list_empty_careful won't risk to see both pointers
538 * pointing to self at any time during the list refile. The
539 * only case where list_del_init() is called is the full
540 * removal in the wake function and there we don't re-list_add
541 * and it's fine not to block on the spinlock. The uwq on this
542 * kernel stack can be released after the list_del_init.
544 if (!list_empty_careful(&uwq.wq.entry)) {
545 spin_lock_irq(&ctx->fault_pending_wqh.lock);
547 * No need of list_del_init(), the uwq on the stack
548 * will be freed shortly anyway.
550 list_del(&uwq.wq.entry);
551 spin_unlock_irq(&ctx->fault_pending_wqh.lock);
555 * ctx may go away after this if the userfault pseudo fd is
558 userfaultfd_ctx_put(ctx);
564 static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
565 struct userfaultfd_wait_queue *ewq)
567 struct userfaultfd_ctx *release_new_ctx;
569 if (WARN_ON_ONCE(current->flags & PF_EXITING))
573 init_waitqueue_entry(&ewq->wq, current);
574 release_new_ctx = NULL;
576 spin_lock_irq(&ctx->event_wqh.lock);
578 * After the __add_wait_queue the uwq is visible to userland
579 * through poll/read().
581 __add_wait_queue(&ctx->event_wqh, &ewq->wq);
583 set_current_state(TASK_KILLABLE);
584 if (ewq->msg.event == 0)
586 if (READ_ONCE(ctx->released) ||
587 fatal_signal_pending(current)) {
589 * &ewq->wq may be queued in fork_event, but
590 * __remove_wait_queue ignores the head
591 * parameter. It would be a problem if it
594 __remove_wait_queue(&ctx->event_wqh, &ewq->wq);
595 if (ewq->msg.event == UFFD_EVENT_FORK) {
596 struct userfaultfd_ctx *new;
598 new = (struct userfaultfd_ctx *)
600 ewq->msg.arg.reserved.reserved1;
601 release_new_ctx = new;
606 spin_unlock_irq(&ctx->event_wqh.lock);
608 wake_up_poll(&ctx->fd_wqh, EPOLLIN);
611 spin_lock_irq(&ctx->event_wqh.lock);
613 __set_current_state(TASK_RUNNING);
614 spin_unlock_irq(&ctx->event_wqh.lock);
616 if (release_new_ctx) {
617 struct vm_area_struct *vma;
618 struct mm_struct *mm = release_new_ctx->mm;
619 VMA_ITERATOR(vmi, mm, 0);
621 /* the various vma->vm_userfaultfd_ctx still points to it */
623 for_each_vma(vmi, vma) {
624 if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
625 vma_start_write(vma);
626 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
627 userfaultfd_set_vm_flags(vma,
628 vma->vm_flags & ~__VM_UFFD_FLAGS);
631 mmap_write_unlock(mm);
633 userfaultfd_ctx_put(release_new_ctx);
637 * ctx may go away after this if the userfault pseudo fd is
641 atomic_dec(&ctx->mmap_changing);
642 VM_BUG_ON(atomic_read(&ctx->mmap_changing) < 0);
643 userfaultfd_ctx_put(ctx);
646 static void userfaultfd_event_complete(struct userfaultfd_ctx *ctx,
647 struct userfaultfd_wait_queue *ewq)
650 wake_up_locked(&ctx->event_wqh);
651 __remove_wait_queue(&ctx->event_wqh, &ewq->wq);
654 int dup_userfaultfd(struct vm_area_struct *vma, struct list_head *fcs)
656 struct userfaultfd_ctx *ctx = NULL, *octx;
657 struct userfaultfd_fork_ctx *fctx;
659 octx = vma->vm_userfaultfd_ctx.ctx;
663 if (!(octx->features & UFFD_FEATURE_EVENT_FORK)) {
664 vma_start_write(vma);
665 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
666 userfaultfd_set_vm_flags(vma, vma->vm_flags & ~__VM_UFFD_FLAGS);
670 list_for_each_entry(fctx, fcs, list)
671 if (fctx->orig == octx) {
677 fctx = kmalloc(sizeof(*fctx), GFP_KERNEL);
681 ctx = kmem_cache_alloc(userfaultfd_ctx_cachep, GFP_KERNEL);
687 refcount_set(&ctx->refcount, 1);
688 ctx->flags = octx->flags;
689 ctx->features = octx->features;
690 ctx->released = false;
691 init_rwsem(&ctx->map_changing_lock);
692 atomic_set(&ctx->mmap_changing, 0);
693 ctx->mm = vma->vm_mm;
696 userfaultfd_ctx_get(octx);
697 down_write(&octx->map_changing_lock);
698 atomic_inc(&octx->mmap_changing);
699 up_write(&octx->map_changing_lock);
702 list_add_tail(&fctx->list, fcs);
705 vma->vm_userfaultfd_ctx.ctx = ctx;
709 static void dup_fctx(struct userfaultfd_fork_ctx *fctx)
711 struct userfaultfd_ctx *ctx = fctx->orig;
712 struct userfaultfd_wait_queue ewq;
716 ewq.msg.event = UFFD_EVENT_FORK;
717 ewq.msg.arg.reserved.reserved1 = (unsigned long)fctx->new;
719 userfaultfd_event_wait_completion(ctx, &ewq);
722 void dup_userfaultfd_complete(struct list_head *fcs)
724 struct userfaultfd_fork_ctx *fctx, *n;
726 list_for_each_entry_safe(fctx, n, fcs, list) {
728 list_del(&fctx->list);
733 void mremap_userfaultfd_prep(struct vm_area_struct *vma,
734 struct vm_userfaultfd_ctx *vm_ctx)
736 struct userfaultfd_ctx *ctx;
738 ctx = vma->vm_userfaultfd_ctx.ctx;
743 if (ctx->features & UFFD_FEATURE_EVENT_REMAP) {
745 userfaultfd_ctx_get(ctx);
746 down_write(&ctx->map_changing_lock);
747 atomic_inc(&ctx->mmap_changing);
748 up_write(&ctx->map_changing_lock);
750 /* Drop uffd context if remap feature not enabled */
751 vma_start_write(vma);
752 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
753 userfaultfd_set_vm_flags(vma, vma->vm_flags & ~__VM_UFFD_FLAGS);
757 void mremap_userfaultfd_complete(struct vm_userfaultfd_ctx *vm_ctx,
758 unsigned long from, unsigned long to,
761 struct userfaultfd_ctx *ctx = vm_ctx->ctx;
762 struct userfaultfd_wait_queue ewq;
767 if (to & ~PAGE_MASK) {
768 userfaultfd_ctx_put(ctx);
774 ewq.msg.event = UFFD_EVENT_REMAP;
775 ewq.msg.arg.remap.from = from;
776 ewq.msg.arg.remap.to = to;
777 ewq.msg.arg.remap.len = len;
779 userfaultfd_event_wait_completion(ctx, &ewq);
782 bool userfaultfd_remove(struct vm_area_struct *vma,
783 unsigned long start, unsigned long end)
785 struct mm_struct *mm = vma->vm_mm;
786 struct userfaultfd_ctx *ctx;
787 struct userfaultfd_wait_queue ewq;
789 ctx = vma->vm_userfaultfd_ctx.ctx;
790 if (!ctx || !(ctx->features & UFFD_FEATURE_EVENT_REMOVE))
793 userfaultfd_ctx_get(ctx);
794 down_write(&ctx->map_changing_lock);
795 atomic_inc(&ctx->mmap_changing);
796 up_write(&ctx->map_changing_lock);
797 mmap_read_unlock(mm);
801 ewq.msg.event = UFFD_EVENT_REMOVE;
802 ewq.msg.arg.remove.start = start;
803 ewq.msg.arg.remove.end = end;
805 userfaultfd_event_wait_completion(ctx, &ewq);
810 static bool has_unmap_ctx(struct userfaultfd_ctx *ctx, struct list_head *unmaps,
811 unsigned long start, unsigned long end)
813 struct userfaultfd_unmap_ctx *unmap_ctx;
815 list_for_each_entry(unmap_ctx, unmaps, list)
816 if (unmap_ctx->ctx == ctx && unmap_ctx->start == start &&
817 unmap_ctx->end == end)
823 int userfaultfd_unmap_prep(struct vm_area_struct *vma, unsigned long start,
824 unsigned long end, struct list_head *unmaps)
826 struct userfaultfd_unmap_ctx *unmap_ctx;
827 struct userfaultfd_ctx *ctx = vma->vm_userfaultfd_ctx.ctx;
829 if (!ctx || !(ctx->features & UFFD_FEATURE_EVENT_UNMAP) ||
830 has_unmap_ctx(ctx, unmaps, start, end))
833 unmap_ctx = kzalloc(sizeof(*unmap_ctx), GFP_KERNEL);
837 userfaultfd_ctx_get(ctx);
838 down_write(&ctx->map_changing_lock);
839 atomic_inc(&ctx->mmap_changing);
840 up_write(&ctx->map_changing_lock);
841 unmap_ctx->ctx = ctx;
842 unmap_ctx->start = start;
843 unmap_ctx->end = end;
844 list_add_tail(&unmap_ctx->list, unmaps);
849 void userfaultfd_unmap_complete(struct mm_struct *mm, struct list_head *uf)
851 struct userfaultfd_unmap_ctx *ctx, *n;
852 struct userfaultfd_wait_queue ewq;
854 list_for_each_entry_safe(ctx, n, uf, list) {
857 ewq.msg.event = UFFD_EVENT_UNMAP;
858 ewq.msg.arg.remove.start = ctx->start;
859 ewq.msg.arg.remove.end = ctx->end;
861 userfaultfd_event_wait_completion(ctx->ctx, &ewq);
863 list_del(&ctx->list);
868 static int userfaultfd_release(struct inode *inode, struct file *file)
870 struct userfaultfd_ctx *ctx = file->private_data;
871 struct mm_struct *mm = ctx->mm;
872 struct vm_area_struct *vma, *prev;
873 /* len == 0 means wake all */
874 struct userfaultfd_wake_range range = { .len = 0, };
875 unsigned long new_flags;
876 VMA_ITERATOR(vmi, mm, 0);
878 WRITE_ONCE(ctx->released, true);
880 if (!mmget_not_zero(mm))
884 * Flush page faults out of all CPUs. NOTE: all page faults
885 * must be retried without returning VM_FAULT_SIGBUS if
886 * userfaultfd_ctx_get() succeeds but vma->vma_userfault_ctx
887 * changes while handle_userfault released the mmap_lock. So
888 * it's critical that released is set to true (above), before
889 * taking the mmap_lock for writing.
893 for_each_vma(vmi, vma) {
895 BUG_ON(!!vma->vm_userfaultfd_ctx.ctx ^
896 !!(vma->vm_flags & __VM_UFFD_FLAGS));
897 if (vma->vm_userfaultfd_ctx.ctx != ctx) {
901 new_flags = vma->vm_flags & ~__VM_UFFD_FLAGS;
902 vma = vma_modify_flags_uffd(&vmi, prev, vma, vma->vm_start,
903 vma->vm_end, new_flags,
906 vma_start_write(vma);
907 userfaultfd_set_vm_flags(vma, new_flags);
908 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
912 mmap_write_unlock(mm);
916 * After no new page faults can wait on this fault_*wqh, flush
917 * the last page faults that may have been already waiting on
920 spin_lock_irq(&ctx->fault_pending_wqh.lock);
921 __wake_up_locked_key(&ctx->fault_pending_wqh, TASK_NORMAL, &range);
922 __wake_up(&ctx->fault_wqh, TASK_NORMAL, 1, &range);
923 spin_unlock_irq(&ctx->fault_pending_wqh.lock);
925 /* Flush pending events that may still wait on event_wqh */
926 wake_up_all(&ctx->event_wqh);
928 wake_up_poll(&ctx->fd_wqh, EPOLLHUP);
929 userfaultfd_ctx_put(ctx);
933 /* fault_pending_wqh.lock must be hold by the caller */
934 static inline struct userfaultfd_wait_queue *find_userfault_in(
935 wait_queue_head_t *wqh)
937 wait_queue_entry_t *wq;
938 struct userfaultfd_wait_queue *uwq;
940 lockdep_assert_held(&wqh->lock);
943 if (!waitqueue_active(wqh))
945 /* walk in reverse to provide FIFO behavior to read userfaults */
946 wq = list_last_entry(&wqh->head, typeof(*wq), entry);
947 uwq = container_of(wq, struct userfaultfd_wait_queue, wq);
952 static inline struct userfaultfd_wait_queue *find_userfault(
953 struct userfaultfd_ctx *ctx)
955 return find_userfault_in(&ctx->fault_pending_wqh);
958 static inline struct userfaultfd_wait_queue *find_userfault_evt(
959 struct userfaultfd_ctx *ctx)
961 return find_userfault_in(&ctx->event_wqh);
964 static __poll_t userfaultfd_poll(struct file *file, poll_table *wait)
966 struct userfaultfd_ctx *ctx = file->private_data;
969 poll_wait(file, &ctx->fd_wqh, wait);
971 if (!userfaultfd_is_initialized(ctx))
975 * poll() never guarantees that read won't block.
976 * userfaults can be waken before they're read().
978 if (unlikely(!(file->f_flags & O_NONBLOCK)))
981 * lockless access to see if there are pending faults
982 * __pollwait last action is the add_wait_queue but
983 * the spin_unlock would allow the waitqueue_active to
984 * pass above the actual list_add inside
985 * add_wait_queue critical section. So use a full
986 * memory barrier to serialize the list_add write of
987 * add_wait_queue() with the waitqueue_active read
992 if (waitqueue_active(&ctx->fault_pending_wqh))
994 else if (waitqueue_active(&ctx->event_wqh))
1000 static const struct file_operations userfaultfd_fops;
1002 static int resolve_userfault_fork(struct userfaultfd_ctx *new,
1003 struct inode *inode,
1004 struct uffd_msg *msg)
1008 fd = anon_inode_create_getfd("[userfaultfd]", &userfaultfd_fops, new,
1009 O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
1013 msg->arg.reserved.reserved1 = 0;
1014 msg->arg.fork.ufd = fd;
1018 static ssize_t userfaultfd_ctx_read(struct userfaultfd_ctx *ctx, int no_wait,
1019 struct uffd_msg *msg, struct inode *inode)
1022 DECLARE_WAITQUEUE(wait, current);
1023 struct userfaultfd_wait_queue *uwq;
1025 * Handling fork event requires sleeping operations, so
1026 * we drop the event_wqh lock, then do these ops, then
1027 * lock it back and wake up the waiter. While the lock is
1028 * dropped the ewq may go away so we keep track of it
1031 LIST_HEAD(fork_event);
1032 struct userfaultfd_ctx *fork_nctx = NULL;
1034 /* always take the fd_wqh lock before the fault_pending_wqh lock */
1035 spin_lock_irq(&ctx->fd_wqh.lock);
1036 __add_wait_queue(&ctx->fd_wqh, &wait);
1038 set_current_state(TASK_INTERRUPTIBLE);
1039 spin_lock(&ctx->fault_pending_wqh.lock);
1040 uwq = find_userfault(ctx);
1043 * Use a seqcount to repeat the lockless check
1044 * in wake_userfault() to avoid missing
1045 * wakeups because during the refile both
1046 * waitqueue could become empty if this is the
1049 write_seqcount_begin(&ctx->refile_seq);
1052 * The fault_pending_wqh.lock prevents the uwq
1053 * to disappear from under us.
1055 * Refile this userfault from
1056 * fault_pending_wqh to fault_wqh, it's not
1057 * pending anymore after we read it.
1059 * Use list_del() by hand (as
1060 * userfaultfd_wake_function also uses
1061 * list_del_init() by hand) to be sure nobody
1062 * changes __remove_wait_queue() to use
1063 * list_del_init() in turn breaking the
1064 * !list_empty_careful() check in
1065 * handle_userfault(). The uwq->wq.head list
1066 * must never be empty at any time during the
1067 * refile, or the waitqueue could disappear
1068 * from under us. The "wait_queue_head_t"
1069 * parameter of __remove_wait_queue() is unused
1072 list_del(&uwq->wq.entry);
1073 add_wait_queue(&ctx->fault_wqh, &uwq->wq);
1075 write_seqcount_end(&ctx->refile_seq);
1077 /* careful to always initialize msg if ret == 0 */
1079 spin_unlock(&ctx->fault_pending_wqh.lock);
1083 spin_unlock(&ctx->fault_pending_wqh.lock);
1085 spin_lock(&ctx->event_wqh.lock);
1086 uwq = find_userfault_evt(ctx);
1090 if (uwq->msg.event == UFFD_EVENT_FORK) {
1091 fork_nctx = (struct userfaultfd_ctx *)
1093 uwq->msg.arg.reserved.reserved1;
1094 list_move(&uwq->wq.entry, &fork_event);
1096 * fork_nctx can be freed as soon as
1097 * we drop the lock, unless we take a
1100 userfaultfd_ctx_get(fork_nctx);
1101 spin_unlock(&ctx->event_wqh.lock);
1106 userfaultfd_event_complete(ctx, uwq);
1107 spin_unlock(&ctx->event_wqh.lock);
1111 spin_unlock(&ctx->event_wqh.lock);
1113 if (signal_pending(current)) {
1121 spin_unlock_irq(&ctx->fd_wqh.lock);
1123 spin_lock_irq(&ctx->fd_wqh.lock);
1125 __remove_wait_queue(&ctx->fd_wqh, &wait);
1126 __set_current_state(TASK_RUNNING);
1127 spin_unlock_irq(&ctx->fd_wqh.lock);
1129 if (!ret && msg->event == UFFD_EVENT_FORK) {
1130 ret = resolve_userfault_fork(fork_nctx, inode, msg);
1131 spin_lock_irq(&ctx->event_wqh.lock);
1132 if (!list_empty(&fork_event)) {
1134 * The fork thread didn't abort, so we can
1135 * drop the temporary refcount.
1137 userfaultfd_ctx_put(fork_nctx);
1139 uwq = list_first_entry(&fork_event,
1143 * If fork_event list wasn't empty and in turn
1144 * the event wasn't already released by fork
1145 * (the event is allocated on fork kernel
1146 * stack), put the event back to its place in
1147 * the event_wq. fork_event head will be freed
1148 * as soon as we return so the event cannot
1149 * stay queued there no matter the current
1152 list_del(&uwq->wq.entry);
1153 __add_wait_queue(&ctx->event_wqh, &uwq->wq);
1156 * Leave the event in the waitqueue and report
1157 * error to userland if we failed to resolve
1158 * the userfault fork.
1161 userfaultfd_event_complete(ctx, uwq);
1164 * Here the fork thread aborted and the
1165 * refcount from the fork thread on fork_nctx
1166 * has already been released. We still hold
1167 * the reference we took before releasing the
1168 * lock above. If resolve_userfault_fork
1169 * failed we've to drop it because the
1170 * fork_nctx has to be freed in such case. If
1171 * it succeeded we'll hold it because the new
1172 * uffd references it.
1175 userfaultfd_ctx_put(fork_nctx);
1177 spin_unlock_irq(&ctx->event_wqh.lock);
1183 static ssize_t userfaultfd_read(struct file *file, char __user *buf,
1184 size_t count, loff_t *ppos)
1186 struct userfaultfd_ctx *ctx = file->private_data;
1187 ssize_t _ret, ret = 0;
1188 struct uffd_msg msg;
1189 int no_wait = file->f_flags & O_NONBLOCK;
1190 struct inode *inode = file_inode(file);
1192 if (!userfaultfd_is_initialized(ctx))
1196 if (count < sizeof(msg))
1197 return ret ? ret : -EINVAL;
1198 _ret = userfaultfd_ctx_read(ctx, no_wait, &msg, inode);
1200 return ret ? ret : _ret;
1201 if (copy_to_user((__u64 __user *) buf, &msg, sizeof(msg)))
1202 return ret ? ret : -EFAULT;
1205 count -= sizeof(msg);
1207 * Allow to read more than one fault at time but only
1208 * block if waiting for the very first one.
1210 no_wait = O_NONBLOCK;
1214 static void __wake_userfault(struct userfaultfd_ctx *ctx,
1215 struct userfaultfd_wake_range *range)
1217 spin_lock_irq(&ctx->fault_pending_wqh.lock);
1218 /* wake all in the range and autoremove */
1219 if (waitqueue_active(&ctx->fault_pending_wqh))
1220 __wake_up_locked_key(&ctx->fault_pending_wqh, TASK_NORMAL,
1222 if (waitqueue_active(&ctx->fault_wqh))
1223 __wake_up(&ctx->fault_wqh, TASK_NORMAL, 1, range);
1224 spin_unlock_irq(&ctx->fault_pending_wqh.lock);
1227 static __always_inline void wake_userfault(struct userfaultfd_ctx *ctx,
1228 struct userfaultfd_wake_range *range)
1234 * To be sure waitqueue_active() is not reordered by the CPU
1235 * before the pagetable update, use an explicit SMP memory
1236 * barrier here. PT lock release or mmap_read_unlock(mm) still
1237 * have release semantics that can allow the
1238 * waitqueue_active() to be reordered before the pte update.
1243 * Use waitqueue_active because it's very frequent to
1244 * change the address space atomically even if there are no
1245 * userfaults yet. So we take the spinlock only when we're
1246 * sure we've userfaults to wake.
1249 seq = read_seqcount_begin(&ctx->refile_seq);
1250 need_wakeup = waitqueue_active(&ctx->fault_pending_wqh) ||
1251 waitqueue_active(&ctx->fault_wqh);
1253 } while (read_seqcount_retry(&ctx->refile_seq, seq));
1255 __wake_userfault(ctx, range);
1258 static __always_inline int validate_unaligned_range(
1259 struct mm_struct *mm, __u64 start, __u64 len)
1261 __u64 task_size = mm->task_size;
1263 if (len & ~PAGE_MASK)
1267 if (start < mmap_min_addr)
1269 if (start >= task_size)
1271 if (len > task_size - start)
1273 if (start + len <= start)
1278 static __always_inline int validate_range(struct mm_struct *mm,
1279 __u64 start, __u64 len)
1281 if (start & ~PAGE_MASK)
1284 return validate_unaligned_range(mm, start, len);
1287 static int userfaultfd_register(struct userfaultfd_ctx *ctx,
1290 struct mm_struct *mm = ctx->mm;
1291 struct vm_area_struct *vma, *prev, *cur;
1293 struct uffdio_register uffdio_register;
1294 struct uffdio_register __user *user_uffdio_register;
1295 unsigned long vm_flags, new_flags;
1298 unsigned long start, end, vma_end;
1299 struct vma_iterator vmi;
1300 bool wp_async = userfaultfd_wp_async_ctx(ctx);
1302 user_uffdio_register = (struct uffdio_register __user *) arg;
1305 if (copy_from_user(&uffdio_register, user_uffdio_register,
1306 sizeof(uffdio_register)-sizeof(__u64)))
1310 if (!uffdio_register.mode)
1312 if (uffdio_register.mode & ~UFFD_API_REGISTER_MODES)
1315 if (uffdio_register.mode & UFFDIO_REGISTER_MODE_MISSING)
1316 vm_flags |= VM_UFFD_MISSING;
1317 if (uffdio_register.mode & UFFDIO_REGISTER_MODE_WP) {
1318 #ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP
1321 vm_flags |= VM_UFFD_WP;
1323 if (uffdio_register.mode & UFFDIO_REGISTER_MODE_MINOR) {
1324 #ifndef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR
1327 vm_flags |= VM_UFFD_MINOR;
1330 ret = validate_range(mm, uffdio_register.range.start,
1331 uffdio_register.range.len);
1335 start = uffdio_register.range.start;
1336 end = start + uffdio_register.range.len;
1339 if (!mmget_not_zero(mm))
1343 mmap_write_lock(mm);
1344 vma_iter_init(&vmi, mm, start);
1345 vma = vma_find(&vmi, end);
1350 * If the first vma contains huge pages, make sure start address
1351 * is aligned to huge page size.
1353 if (is_vm_hugetlb_page(vma)) {
1354 unsigned long vma_hpagesize = vma_kernel_pagesize(vma);
1356 if (start & (vma_hpagesize - 1))
1361 * Search for not compatible vmas.
1364 basic_ioctls = false;
1369 BUG_ON(!!cur->vm_userfaultfd_ctx.ctx ^
1370 !!(cur->vm_flags & __VM_UFFD_FLAGS));
1372 /* check not compatible vmas */
1374 if (!vma_can_userfault(cur, vm_flags, wp_async))
1378 * UFFDIO_COPY will fill file holes even without
1379 * PROT_WRITE. This check enforces that if this is a
1380 * MAP_SHARED, the process has write permission to the backing
1381 * file. If VM_MAYWRITE is set it also enforces that on a
1382 * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
1383 * F_WRITE_SEAL can be taken until the vma is destroyed.
1386 if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
1390 * If this vma contains ending address, and huge pages
1393 if (is_vm_hugetlb_page(cur) && end <= cur->vm_end &&
1394 end > cur->vm_start) {
1395 unsigned long vma_hpagesize = vma_kernel_pagesize(cur);
1399 if (end & (vma_hpagesize - 1))
1402 if ((vm_flags & VM_UFFD_WP) && !(cur->vm_flags & VM_MAYWRITE))
1406 * Check that this vma isn't already owned by a
1407 * different userfaultfd. We can't allow more than one
1408 * userfaultfd to own a single vma simultaneously or we
1409 * wouldn't know which one to deliver the userfaults to.
1412 if (cur->vm_userfaultfd_ctx.ctx &&
1413 cur->vm_userfaultfd_ctx.ctx != ctx)
1417 * Note vmas containing huge pages
1419 if (is_vm_hugetlb_page(cur))
1420 basic_ioctls = true;
1423 } for_each_vma_range(vmi, cur, end);
1426 vma_iter_set(&vmi, start);
1427 prev = vma_prev(&vmi);
1428 if (vma->vm_start < start)
1432 for_each_vma_range(vmi, vma, end) {
1435 BUG_ON(!vma_can_userfault(vma, vm_flags, wp_async));
1436 BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
1437 vma->vm_userfaultfd_ctx.ctx != ctx);
1438 WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
1441 * Nothing to do: this vma is already registered into this
1442 * userfaultfd and with the right tracking mode too.
1444 if (vma->vm_userfaultfd_ctx.ctx == ctx &&
1445 (vma->vm_flags & vm_flags) == vm_flags)
1448 if (vma->vm_start > start)
1449 start = vma->vm_start;
1450 vma_end = min(end, vma->vm_end);
1452 new_flags = (vma->vm_flags & ~__VM_UFFD_FLAGS) | vm_flags;
1453 vma = vma_modify_flags_uffd(&vmi, prev, vma, start, vma_end,
1455 (struct vm_userfaultfd_ctx){ctx});
1462 * In the vma_merge() successful mprotect-like case 8:
1463 * the next vma was merged into the current one and
1464 * the current one has not been updated yet.
1466 vma_start_write(vma);
1467 userfaultfd_set_vm_flags(vma, new_flags);
1468 vma->vm_userfaultfd_ctx.ctx = ctx;
1470 if (is_vm_hugetlb_page(vma) && uffd_disable_huge_pmd_share(vma))
1471 hugetlb_unshare_all_pmds(vma);
1475 start = vma->vm_end;
1479 mmap_write_unlock(mm);
1484 ioctls_out = basic_ioctls ? UFFD_API_RANGE_IOCTLS_BASIC :
1485 UFFD_API_RANGE_IOCTLS;
1488 * Declare the WP ioctl only if the WP mode is
1489 * specified and all checks passed with the range
1491 if (!(uffdio_register.mode & UFFDIO_REGISTER_MODE_WP))
1492 ioctls_out &= ~((__u64)1 << _UFFDIO_WRITEPROTECT);
1494 /* CONTINUE ioctl is only supported for MINOR ranges. */
1495 if (!(uffdio_register.mode & UFFDIO_REGISTER_MODE_MINOR))
1496 ioctls_out &= ~((__u64)1 << _UFFDIO_CONTINUE);
1499 * Now that we scanned all vmas we can already tell
1500 * userland which ioctls methods are guaranteed to
1501 * succeed on this range.
1503 if (put_user(ioctls_out, &user_uffdio_register->ioctls))
1510 static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
1513 struct mm_struct *mm = ctx->mm;
1514 struct vm_area_struct *vma, *prev, *cur;
1516 struct uffdio_range uffdio_unregister;
1517 unsigned long new_flags;
1519 unsigned long start, end, vma_end;
1520 const void __user *buf = (void __user *)arg;
1521 struct vma_iterator vmi;
1522 bool wp_async = userfaultfd_wp_async_ctx(ctx);
1525 if (copy_from_user(&uffdio_unregister, buf, sizeof(uffdio_unregister)))
1528 ret = validate_range(mm, uffdio_unregister.start,
1529 uffdio_unregister.len);
1533 start = uffdio_unregister.start;
1534 end = start + uffdio_unregister.len;
1537 if (!mmget_not_zero(mm))
1540 mmap_write_lock(mm);
1542 vma_iter_init(&vmi, mm, start);
1543 vma = vma_find(&vmi, end);
1548 * If the first vma contains huge pages, make sure start address
1549 * is aligned to huge page size.
1551 if (is_vm_hugetlb_page(vma)) {
1552 unsigned long vma_hpagesize = vma_kernel_pagesize(vma);
1554 if (start & (vma_hpagesize - 1))
1559 * Search for not compatible vmas.
1566 BUG_ON(!!cur->vm_userfaultfd_ctx.ctx ^
1567 !!(cur->vm_flags & __VM_UFFD_FLAGS));
1570 * Check not compatible vmas, not strictly required
1571 * here as not compatible vmas cannot have an
1572 * userfaultfd_ctx registered on them, but this
1573 * provides for more strict behavior to notice
1574 * unregistration errors.
1576 if (!vma_can_userfault(cur, cur->vm_flags, wp_async))
1580 } for_each_vma_range(vmi, cur, end);
1583 vma_iter_set(&vmi, start);
1584 prev = vma_prev(&vmi);
1585 if (vma->vm_start < start)
1589 for_each_vma_range(vmi, vma, end) {
1592 BUG_ON(!vma_can_userfault(vma, vma->vm_flags, wp_async));
1595 * Nothing to do: this vma is already registered into this
1596 * userfaultfd and with the right tracking mode too.
1598 if (!vma->vm_userfaultfd_ctx.ctx)
1601 WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
1603 if (vma->vm_start > start)
1604 start = vma->vm_start;
1605 vma_end = min(end, vma->vm_end);
1607 if (userfaultfd_missing(vma)) {
1609 * Wake any concurrent pending userfault while
1610 * we unregister, so they will not hang
1611 * permanently and it avoids userland to call
1612 * UFFDIO_WAKE explicitly.
1614 struct userfaultfd_wake_range range;
1615 range.start = start;
1616 range.len = vma_end - start;
1617 wake_userfault(vma->vm_userfaultfd_ctx.ctx, &range);
1620 /* Reset ptes for the whole vma range if wr-protected */
1621 if (userfaultfd_wp(vma))
1622 uffd_wp_range(vma, start, vma_end - start, false);
1624 new_flags = vma->vm_flags & ~__VM_UFFD_FLAGS;
1625 vma = vma_modify_flags_uffd(&vmi, prev, vma, start, vma_end,
1626 new_flags, NULL_VM_UFFD_CTX);
1633 * In the vma_merge() successful mprotect-like case 8:
1634 * the next vma was merged into the current one and
1635 * the current one has not been updated yet.
1637 vma_start_write(vma);
1638 userfaultfd_set_vm_flags(vma, new_flags);
1639 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
1643 start = vma->vm_end;
1647 mmap_write_unlock(mm);
1654 * userfaultfd_wake may be used in combination with the
1655 * UFFDIO_*_MODE_DONTWAKE to wakeup userfaults in batches.
1657 static int userfaultfd_wake(struct userfaultfd_ctx *ctx,
1661 struct uffdio_range uffdio_wake;
1662 struct userfaultfd_wake_range range;
1663 const void __user *buf = (void __user *)arg;
1666 if (copy_from_user(&uffdio_wake, buf, sizeof(uffdio_wake)))
1669 ret = validate_range(ctx->mm, uffdio_wake.start, uffdio_wake.len);
1673 range.start = uffdio_wake.start;
1674 range.len = uffdio_wake.len;
1677 * len == 0 means wake all and we don't want to wake all here,
1678 * so check it again to be sure.
1680 VM_BUG_ON(!range.len);
1682 wake_userfault(ctx, &range);
1689 static int userfaultfd_copy(struct userfaultfd_ctx *ctx,
1693 struct uffdio_copy uffdio_copy;
1694 struct uffdio_copy __user *user_uffdio_copy;
1695 struct userfaultfd_wake_range range;
1696 uffd_flags_t flags = 0;
1698 user_uffdio_copy = (struct uffdio_copy __user *) arg;
1701 if (atomic_read(&ctx->mmap_changing))
1705 if (copy_from_user(&uffdio_copy, user_uffdio_copy,
1706 /* don't copy "copy" last field */
1707 sizeof(uffdio_copy)-sizeof(__s64)))
1710 ret = validate_unaligned_range(ctx->mm, uffdio_copy.src,
1714 ret = validate_range(ctx->mm, uffdio_copy.dst, uffdio_copy.len);
1719 if (uffdio_copy.mode & ~(UFFDIO_COPY_MODE_DONTWAKE|UFFDIO_COPY_MODE_WP))
1721 if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP)
1722 flags |= MFILL_ATOMIC_WP;
1723 if (mmget_not_zero(ctx->mm)) {
1724 ret = mfill_atomic_copy(ctx, uffdio_copy.dst, uffdio_copy.src,
1725 uffdio_copy.len, flags);
1730 if (unlikely(put_user(ret, &user_uffdio_copy->copy)))
1735 /* len == 0 would wake all */
1737 if (!(uffdio_copy.mode & UFFDIO_COPY_MODE_DONTWAKE)) {
1738 range.start = uffdio_copy.dst;
1739 wake_userfault(ctx, &range);
1741 ret = range.len == uffdio_copy.len ? 0 : -EAGAIN;
1746 static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx,
1750 struct uffdio_zeropage uffdio_zeropage;
1751 struct uffdio_zeropage __user *user_uffdio_zeropage;
1752 struct userfaultfd_wake_range range;
1754 user_uffdio_zeropage = (struct uffdio_zeropage __user *) arg;
1757 if (atomic_read(&ctx->mmap_changing))
1761 if (copy_from_user(&uffdio_zeropage, user_uffdio_zeropage,
1762 /* don't copy "zeropage" last field */
1763 sizeof(uffdio_zeropage)-sizeof(__s64)))
1766 ret = validate_range(ctx->mm, uffdio_zeropage.range.start,
1767 uffdio_zeropage.range.len);
1771 if (uffdio_zeropage.mode & ~UFFDIO_ZEROPAGE_MODE_DONTWAKE)
1774 if (mmget_not_zero(ctx->mm)) {
1775 ret = mfill_atomic_zeropage(ctx, uffdio_zeropage.range.start,
1776 uffdio_zeropage.range.len);
1781 if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage)))
1785 /* len == 0 would wake all */
1788 if (!(uffdio_zeropage.mode & UFFDIO_ZEROPAGE_MODE_DONTWAKE)) {
1789 range.start = uffdio_zeropage.range.start;
1790 wake_userfault(ctx, &range);
1792 ret = range.len == uffdio_zeropage.range.len ? 0 : -EAGAIN;
1797 static int userfaultfd_writeprotect(struct userfaultfd_ctx *ctx,
1801 struct uffdio_writeprotect uffdio_wp;
1802 struct uffdio_writeprotect __user *user_uffdio_wp;
1803 struct userfaultfd_wake_range range;
1804 bool mode_wp, mode_dontwake;
1806 if (atomic_read(&ctx->mmap_changing))
1809 user_uffdio_wp = (struct uffdio_writeprotect __user *) arg;
1811 if (copy_from_user(&uffdio_wp, user_uffdio_wp,
1812 sizeof(struct uffdio_writeprotect)))
1815 ret = validate_range(ctx->mm, uffdio_wp.range.start,
1816 uffdio_wp.range.len);
1820 if (uffdio_wp.mode & ~(UFFDIO_WRITEPROTECT_MODE_DONTWAKE |
1821 UFFDIO_WRITEPROTECT_MODE_WP))
1824 mode_wp = uffdio_wp.mode & UFFDIO_WRITEPROTECT_MODE_WP;
1825 mode_dontwake = uffdio_wp.mode & UFFDIO_WRITEPROTECT_MODE_DONTWAKE;
1827 if (mode_wp && mode_dontwake)
1830 if (mmget_not_zero(ctx->mm)) {
1831 ret = mwriteprotect_range(ctx, uffdio_wp.range.start,
1832 uffdio_wp.range.len, mode_wp);
1841 if (!mode_wp && !mode_dontwake) {
1842 range.start = uffdio_wp.range.start;
1843 range.len = uffdio_wp.range.len;
1844 wake_userfault(ctx, &range);
1849 static int userfaultfd_continue(struct userfaultfd_ctx *ctx, unsigned long arg)
1852 struct uffdio_continue uffdio_continue;
1853 struct uffdio_continue __user *user_uffdio_continue;
1854 struct userfaultfd_wake_range range;
1855 uffd_flags_t flags = 0;
1857 user_uffdio_continue = (struct uffdio_continue __user *)arg;
1860 if (atomic_read(&ctx->mmap_changing))
1864 if (copy_from_user(&uffdio_continue, user_uffdio_continue,
1865 /* don't copy the output fields */
1866 sizeof(uffdio_continue) - (sizeof(__s64))))
1869 ret = validate_range(ctx->mm, uffdio_continue.range.start,
1870 uffdio_continue.range.len);
1875 if (uffdio_continue.mode & ~(UFFDIO_CONTINUE_MODE_DONTWAKE |
1876 UFFDIO_CONTINUE_MODE_WP))
1878 if (uffdio_continue.mode & UFFDIO_CONTINUE_MODE_WP)
1879 flags |= MFILL_ATOMIC_WP;
1881 if (mmget_not_zero(ctx->mm)) {
1882 ret = mfill_atomic_continue(ctx, uffdio_continue.range.start,
1883 uffdio_continue.range.len, flags);
1889 if (unlikely(put_user(ret, &user_uffdio_continue->mapped)))
1894 /* len == 0 would wake all */
1897 if (!(uffdio_continue.mode & UFFDIO_CONTINUE_MODE_DONTWAKE)) {
1898 range.start = uffdio_continue.range.start;
1899 wake_userfault(ctx, &range);
1901 ret = range.len == uffdio_continue.range.len ? 0 : -EAGAIN;
1907 static inline int userfaultfd_poison(struct userfaultfd_ctx *ctx, unsigned long arg)
1910 struct uffdio_poison uffdio_poison;
1911 struct uffdio_poison __user *user_uffdio_poison;
1912 struct userfaultfd_wake_range range;
1914 user_uffdio_poison = (struct uffdio_poison __user *)arg;
1917 if (atomic_read(&ctx->mmap_changing))
1921 if (copy_from_user(&uffdio_poison, user_uffdio_poison,
1922 /* don't copy the output fields */
1923 sizeof(uffdio_poison) - (sizeof(__s64))))
1926 ret = validate_range(ctx->mm, uffdio_poison.range.start,
1927 uffdio_poison.range.len);
1932 if (uffdio_poison.mode & ~UFFDIO_POISON_MODE_DONTWAKE)
1935 if (mmget_not_zero(ctx->mm)) {
1936 ret = mfill_atomic_poison(ctx, uffdio_poison.range.start,
1937 uffdio_poison.range.len, 0);
1943 if (unlikely(put_user(ret, &user_uffdio_poison->updated)))
1948 /* len == 0 would wake all */
1951 if (!(uffdio_poison.mode & UFFDIO_POISON_MODE_DONTWAKE)) {
1952 range.start = uffdio_poison.range.start;
1953 wake_userfault(ctx, &range);
1955 ret = range.len == uffdio_poison.range.len ? 0 : -EAGAIN;
1961 bool userfaultfd_wp_async(struct vm_area_struct *vma)
1963 return userfaultfd_wp_async_ctx(vma->vm_userfaultfd_ctx.ctx);
1966 static inline unsigned int uffd_ctx_features(__u64 user_features)
1969 * For the current set of features the bits just coincide. Set
1970 * UFFD_FEATURE_INITIALIZED to mark the features as enabled.
1972 return (unsigned int)user_features | UFFD_FEATURE_INITIALIZED;
1975 static int userfaultfd_move(struct userfaultfd_ctx *ctx,
1979 struct uffdio_move uffdio_move;
1980 struct uffdio_move __user *user_uffdio_move;
1981 struct userfaultfd_wake_range range;
1982 struct mm_struct *mm = ctx->mm;
1984 user_uffdio_move = (struct uffdio_move __user *) arg;
1986 if (atomic_read(&ctx->mmap_changing))
1989 if (copy_from_user(&uffdio_move, user_uffdio_move,
1990 /* don't copy "move" last field */
1991 sizeof(uffdio_move)-sizeof(__s64)))
1994 /* Do not allow cross-mm moves. */
1995 if (mm != current->mm)
1998 ret = validate_range(mm, uffdio_move.dst, uffdio_move.len);
2002 ret = validate_range(mm, uffdio_move.src, uffdio_move.len);
2006 if (uffdio_move.mode & ~(UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES|
2007 UFFDIO_MOVE_MODE_DONTWAKE))
2010 if (mmget_not_zero(mm)) {
2011 ret = move_pages(ctx, uffdio_move.dst, uffdio_move.src,
2012 uffdio_move.len, uffdio_move.mode);
2018 if (unlikely(put_user(ret, &user_uffdio_move->move)))
2023 /* len == 0 would wake all */
2026 if (!(uffdio_move.mode & UFFDIO_MOVE_MODE_DONTWAKE)) {
2027 range.start = uffdio_move.dst;
2028 wake_userfault(ctx, &range);
2030 ret = range.len == uffdio_move.len ? 0 : -EAGAIN;
2037 * userland asks for a certain API version and we return which bits
2038 * and ioctl commands are implemented in this kernel for such API
2039 * version or -EINVAL if unknown.
2041 static int userfaultfd_api(struct userfaultfd_ctx *ctx,
2044 struct uffdio_api uffdio_api;
2045 void __user *buf = (void __user *)arg;
2046 unsigned int ctx_features;
2051 if (copy_from_user(&uffdio_api, buf, sizeof(uffdio_api)))
2053 features = uffdio_api.features;
2055 if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES))
2058 if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE))
2061 /* WP_ASYNC relies on WP_UNPOPULATED, choose it unconditionally */
2062 if (features & UFFD_FEATURE_WP_ASYNC)
2063 features |= UFFD_FEATURE_WP_UNPOPULATED;
2065 /* report all available features and ioctls to userland */
2066 uffdio_api.features = UFFD_API_FEATURES;
2067 #ifndef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR
2068 uffdio_api.features &=
2069 ~(UFFD_FEATURE_MINOR_HUGETLBFS | UFFD_FEATURE_MINOR_SHMEM);
2071 #ifndef CONFIG_HAVE_ARCH_USERFAULTFD_WP
2072 uffdio_api.features &= ~UFFD_FEATURE_PAGEFAULT_FLAG_WP;
2074 #ifndef CONFIG_PTE_MARKER_UFFD_WP
2075 uffdio_api.features &= ~UFFD_FEATURE_WP_HUGETLBFS_SHMEM;
2076 uffdio_api.features &= ~UFFD_FEATURE_WP_UNPOPULATED;
2077 uffdio_api.features &= ~UFFD_FEATURE_WP_ASYNC;
2079 uffdio_api.ioctls = UFFD_API_IOCTLS;
2081 if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
2084 /* only enable the requested features for this uffd context */
2085 ctx_features = uffd_ctx_features(features);
2087 if (cmpxchg(&ctx->features, 0, ctx_features) != 0)
2094 memset(&uffdio_api, 0, sizeof(uffdio_api));
2095 if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
2100 static long userfaultfd_ioctl(struct file *file, unsigned cmd,
2104 struct userfaultfd_ctx *ctx = file->private_data;
2106 if (cmd != UFFDIO_API && !userfaultfd_is_initialized(ctx))
2111 ret = userfaultfd_api(ctx, arg);
2113 case UFFDIO_REGISTER:
2114 ret = userfaultfd_register(ctx, arg);
2116 case UFFDIO_UNREGISTER:
2117 ret = userfaultfd_unregister(ctx, arg);
2120 ret = userfaultfd_wake(ctx, arg);
2123 ret = userfaultfd_copy(ctx, arg);
2125 case UFFDIO_ZEROPAGE:
2126 ret = userfaultfd_zeropage(ctx, arg);
2129 ret = userfaultfd_move(ctx, arg);
2131 case UFFDIO_WRITEPROTECT:
2132 ret = userfaultfd_writeprotect(ctx, arg);
2134 case UFFDIO_CONTINUE:
2135 ret = userfaultfd_continue(ctx, arg);
2138 ret = userfaultfd_poison(ctx, arg);
2144 #ifdef CONFIG_PROC_FS
2145 static void userfaultfd_show_fdinfo(struct seq_file *m, struct file *f)
2147 struct userfaultfd_ctx *ctx = f->private_data;
2148 wait_queue_entry_t *wq;
2149 unsigned long pending = 0, total = 0;
2151 spin_lock_irq(&ctx->fault_pending_wqh.lock);
2152 list_for_each_entry(wq, &ctx->fault_pending_wqh.head, entry) {
2156 list_for_each_entry(wq, &ctx->fault_wqh.head, entry) {
2159 spin_unlock_irq(&ctx->fault_pending_wqh.lock);
2162 * If more protocols will be added, there will be all shown
2163 * separated by a space. Like this:
2164 * protocols: aa:... bb:...
2166 seq_printf(m, "pending:\t%lu\ntotal:\t%lu\nAPI:\t%Lx:%x:%Lx\n",
2167 pending, total, UFFD_API, ctx->features,
2168 UFFD_API_IOCTLS|UFFD_API_RANGE_IOCTLS);
2172 static const struct file_operations userfaultfd_fops = {
2173 #ifdef CONFIG_PROC_FS
2174 .show_fdinfo = userfaultfd_show_fdinfo,
2176 .release = userfaultfd_release,
2177 .poll = userfaultfd_poll,
2178 .read = userfaultfd_read,
2179 .unlocked_ioctl = userfaultfd_ioctl,
2180 .compat_ioctl = compat_ptr_ioctl,
2181 .llseek = noop_llseek,
2184 static void init_once_userfaultfd_ctx(void *mem)
2186 struct userfaultfd_ctx *ctx = (struct userfaultfd_ctx *) mem;
2188 init_waitqueue_head(&ctx->fault_pending_wqh);
2189 init_waitqueue_head(&ctx->fault_wqh);
2190 init_waitqueue_head(&ctx->event_wqh);
2191 init_waitqueue_head(&ctx->fd_wqh);
2192 seqcount_spinlock_init(&ctx->refile_seq, &ctx->fault_pending_wqh.lock);
2195 static int new_userfaultfd(int flags)
2197 struct userfaultfd_ctx *ctx;
2200 BUG_ON(!current->mm);
2202 /* Check the UFFD_* constants for consistency. */
2203 BUILD_BUG_ON(UFFD_USER_MODE_ONLY & UFFD_SHARED_FCNTL_FLAGS);
2204 BUILD_BUG_ON(UFFD_CLOEXEC != O_CLOEXEC);
2205 BUILD_BUG_ON(UFFD_NONBLOCK != O_NONBLOCK);
2207 if (flags & ~(UFFD_SHARED_FCNTL_FLAGS | UFFD_USER_MODE_ONLY))
2210 ctx = kmem_cache_alloc(userfaultfd_ctx_cachep, GFP_KERNEL);
2214 refcount_set(&ctx->refcount, 1);
2217 ctx->released = false;
2218 init_rwsem(&ctx->map_changing_lock);
2219 atomic_set(&ctx->mmap_changing, 0);
2220 ctx->mm = current->mm;
2221 /* prevent the mm struct to be freed */
2224 /* Create a new inode so that the LSM can block the creation. */
2225 fd = anon_inode_create_getfd("[userfaultfd]", &userfaultfd_fops, ctx,
2226 O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
2229 kmem_cache_free(userfaultfd_ctx_cachep, ctx);
2234 static inline bool userfaultfd_syscall_allowed(int flags)
2236 /* Userspace-only page faults are always allowed */
2237 if (flags & UFFD_USER_MODE_ONLY)
2241 * The user is requesting a userfaultfd which can handle kernel faults.
2242 * Privileged users are always allowed to do this.
2244 if (capable(CAP_SYS_PTRACE))
2247 /* Otherwise, access to kernel fault handling is sysctl controlled. */
2248 return sysctl_unprivileged_userfaultfd;
2251 SYSCALL_DEFINE1(userfaultfd, int, flags)
2253 if (!userfaultfd_syscall_allowed(flags))
2256 return new_userfaultfd(flags);
2259 static long userfaultfd_dev_ioctl(struct file *file, unsigned int cmd, unsigned long flags)
2261 if (cmd != USERFAULTFD_IOC_NEW)
2264 return new_userfaultfd(flags);
2267 static const struct file_operations userfaultfd_dev_fops = {
2268 .unlocked_ioctl = userfaultfd_dev_ioctl,
2269 .compat_ioctl = userfaultfd_dev_ioctl,
2270 .owner = THIS_MODULE,
2271 .llseek = noop_llseek,
2274 static struct miscdevice userfaultfd_misc = {
2275 .minor = MISC_DYNAMIC_MINOR,
2276 .name = "userfaultfd",
2277 .fops = &userfaultfd_dev_fops
2280 static int __init userfaultfd_init(void)
2284 ret = misc_register(&userfaultfd_misc);
2288 userfaultfd_ctx_cachep = kmem_cache_create("userfaultfd_ctx_cache",
2289 sizeof(struct userfaultfd_ctx),
2291 SLAB_HWCACHE_ALIGN|SLAB_PANIC,
2292 init_once_userfaultfd_ctx);
2293 #ifdef CONFIG_SYSCTL
2294 register_sysctl_init("vm", vm_userfaultfd_table);
2298 __initcall(userfaultfd_init);
projects / linux.git / blob