LXR linux/mm/gup.c

   1#include <linux/mm.h>
   2#include <linux/hugetlb.h>
   3#include <linux/swap.h>
   4#include <linux/memremap.h>
   5#include <linux/pagemap.h>
   6#include <linux/rmap.h>
   7#include <linux/writeback.h>
   8#include <linux/mmu_notifier.h>
   9#include <linux/swapops.h>
  10#include <asm/mmu_context.h>
  11#include <asm/tlbflush.h>
  12
  13#include "internal.h"
  14
  15static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
  16                pte_t *pte, unsigned int flags)
  17{
  18        /* No page to get reference */
  19        if (flags & FOLL_GET)
  20                return -EFAULT;
  21
  22        if (flags & FOLL_TOUCH) {
  23                pte_t entry = *pte;
  24
  25                if (flags & FOLL_WRITE)
  26                        entry = pte_mkdirty(entry);
  27                entry = pte_mkyoung(entry);
  28
  29                if (!pte_same(*pte, entry)) {
  30                        set_pte_at(vma->vm_mm, address, pte, entry);
  31                        update_mmu_cache(vma, address, pte);
  32                }
  33        }
  34
  35        /* Proper page table entry exists, but no corresponding struct page */
  36        return -EEXIST;
  37}
  38
  39/*
  40 * FOLL_FORCE can write to even unwritable pte's, but only
  41 * after we've gone through a COW cycle and they are dirty.
  42 */
  43static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
  44{
  45        return pte_write(pte) ||
  46                ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
  47}
  48
  49/**
  50 * follow_page_mask - look up a page descriptor from a user-virtual address
  51 * @vma: vm_area_struct mapping @address
  52 * @address: virtual address to look up
  53 * @flags: flags modifying lookup behaviour
  54 * @page_mask: on output, *page_mask is set according to the size of the page
  55 *
  56 * @flags can have FOLL_ flags set, defined in <linux/mm.h>
  57 *
  58 * Returns the mapped (struct page *), %NULL if no mapping exists, or
  59 * an error pointer if there is a mapping to something not represented
  60 * by a page descriptor (see also vm_normal_page()).
  61 */
  62struct page *follow_page_mask(struct vm_area_struct *vma,
  63                              unsigned long address, unsigned int flags,
  64                              unsigned int *page_mask)
  65{
  66        struct dev_pagemap *pgmap = NULL;
  67        pgd_t *pgd;
  68        pud_t *pud;
  69        pmd_t *pmd;
  70        pte_t *ptep, pte;
  71        spinlock_t *ptl;
  72        struct page *page;
  73        struct mm_struct *mm = vma->vm_mm;
  74
  75        *page_mask = 0;
  76
  77        page = follow_huge_addr(mm, address, flags & FOLL_WRITE);
  78        if (!IS_ERR(page)) {
  79                /*
  80                 * RHEL: BZ1268999 quick-and-dirty-fix
  81                 *
  82                 * On powerpc a race between a THP pmd clear path and
  83                 * follow_huge_addr() can result in follow_huge_addr()
  84                 * returning NULL when a THP PMD has just been cleared
  85                 * - usually follow_huge_addr() should return
  86                 * ERR_PTR(-EINVAL) on a THP PMD.  This hack avoids
  87                 * the BUG_ON() while waiting for a proper upstream
  88                 * fix.  It will mean follow_page_mask() fails, but
  89                 * should trigger a fall back to a faultin path which
  90                 * should populate the pages.
  91                 */
  92                if (page)
  93                        BUG_ON(flags & FOLL_GET);
  94                goto out;
  95        }
  96
  97        page = NULL;
  98        pgd = pgd_offset(mm, address);
  99        if (pgd_none(*pgd) || unlikely(pgd_bad(*pgd)))
 100                goto no_page_table;
 101
 102        pud = pud_offset(pgd, address);
 103        if (pud_none(*pud))
 104                goto no_page_table;
 105        if (pud_huge(*pud) && vma->vm_flags & VM_HUGETLB) {
 106                page = follow_huge_pud(mm, address, pud, flags);
 107                if (page)
 108                        return page;
 109                goto no_page_table;
 110        }
 111        if (pud_devmap(*pud)) {
 112                ptl = pud_lock(mm, pud);
 113                page = follow_devmap_pud(vma, address, pud, flags);
 114                spin_unlock(ptl);
 115                if (page)
 116                        return page;
 117        }
 118        if (unlikely(pud_bad(*pud)))
 119                goto no_page_table;
 120
 121        pmd = pmd_offset(pud, address);
 122        if (pmd_none(*pmd))
 123                goto no_page_table;
 124        if (pmd_huge(*pmd) && vma->vm_flags & VM_HUGETLB) {
 125                page = follow_huge_pmd(mm, address, pmd, flags);
 126                if (page)
 127                        return page;
 128                goto no_page_table;
 129        }
 130        if ((flags & FOLL_NUMA) && pmd_numa(*pmd))
 131                goto no_page_table;
 132        if (pmd_devmap(*pmd)) {
 133                ptl = pmd_lock(mm, pmd);
 134                page = follow_devmap_pmd(vma, address, pmd, flags);
 135                spin_unlock(ptl);
 136                if (page)
 137                        return page;
 138        }
 139        if (pmd_trans_huge(*pmd)) {
 140                if (flags & FOLL_SPLIT) {
 141                        split_huge_page_pmd(vma, address, pmd);
 142                        goto split_fallthrough;
 143                }
 144                ptl = pmd_lock(mm, pmd);
 145                if (likely(pmd_trans_huge(*pmd))) {
 146                        if (unlikely(pmd_trans_splitting(*pmd))) {
 147                                spin_unlock(ptl);
 148                                wait_split_huge_page(vma->anon_vma, pmd);
 149                        } else {
 150                                page = follow_trans_huge_pmd(vma, address,
 151                                                             pmd, flags);
 152                                spin_unlock(ptl);
 153                                *page_mask = HPAGE_PMD_NR - 1;
 154                                goto out;
 155                        }
 156                } else
 157                        spin_unlock(ptl);
 158                /* fall through */
 159        }
 160split_fallthrough:
 161        if (unlikely(pmd_bad(*pmd)))
 162                goto no_page_table;
 163
 164        ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
 165
 166        pte = *ptep;
 167        if (!pte_present(pte)) {
 168                swp_entry_t entry;
 169                /*
 170                 * KSM's break_ksm() relies upon recognizing a ksm page
 171                 * even while it is being migrated, so for that case we
 172                 * need migration_entry_wait().
 173                 */
 174                if (likely(!(flags & FOLL_MIGRATION)))
 175                        goto no_page;
 176                if (pte_none(pte) || pte_file(pte))
 177                        goto no_page;
 178                entry = pte_to_swp_entry(pte);
 179                if (!is_migration_entry(entry))
 180                        goto no_page;
 181                if (is_migration_entry(entry)) {
 182                        pte_unmap_unlock(ptep, ptl);
 183                        migration_entry_wait(mm, pmd, address);
 184                        goto split_fallthrough;
 185                }
 186                goto no_page;
 187        }
 188        if ((flags & FOLL_NUMA) && pte_numa(pte))
 189                goto no_page;
 190        if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags))
 191                goto unlock;
 192
 193        page = vm_normal_page(vma, address, pte);
 194        if (!page && pte_devmap(pte) && (flags & FOLL_GET)) {
 195                /*
 196                 * Only return device mapping pages in the FOLL_GET case since
 197                 * they are only valid while holding the pgmap reference.
 198                 */
 199                pgmap = get_dev_pagemap(pte_pfn(pte), NULL);
 200                if (pgmap)
 201                        page = pte_page(pte);
 202                else
 203                        goto no_page;
 204        } else if (unlikely(!page)) {
 205                if (flags & FOLL_DUMP) {
 206                        /* Avoid special (like zero) pages in core dumps */
 207                        page = ERR_PTR(-EFAULT);
 208                        goto unlock;
 209                }
 210
 211                if (is_zero_pfn(pte_pfn(pte))) {
 212                        page = pte_page(pte);
 213                } else {
 214                        int ret;
 215
 216                        ret = follow_pfn_pte(vma, address, ptep, flags);
 217                        page = ERR_PTR(ret);
 218                        goto unlock;
 219                }
 220        }
 221
 222        if (flags & FOLL_GET) {
 223                get_page_foll(page);
 224
 225                /* drop the pgmap reference now that we hold the page */
 226                if (pgmap) {
 227                        put_dev_pagemap(pgmap);
 228                        pgmap = NULL;
 229                }
 230        }
 231        if (flags & FOLL_TOUCH) {
 232                if ((flags & FOLL_WRITE) &&
 233                    !pte_dirty(pte) && !PageDirty(page))
 234                        set_page_dirty(page);
 235                /*
 236                 * pte_mkyoung() would be more correct here, but atomic care
 237                 * is needed to avoid losing the dirty bit: it is easier to use
 238                 * mark_page_accessed().
 239                 */
 240                mark_page_accessed(page);
 241        }
 242        if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
 243                /*
 244                 * The preliminary mapping check is mainly to avoid the
 245                 * pointless overhead of lock_page on the ZERO_PAGE
 246                 * which might bounce very badly if there is contention.
 247                 *
 248                 * If the page is already locked, we don't need to
 249                 * handle it now - vmscan will handle it later if and
 250                 * when it attempts to reclaim the page.
 251                 */
 252                if (page->mapping && trylock_page(page)) {
 253                        lru_add_drain();  /* push cached pages to LRU */
 254                        /*
 255                         * Because we lock page here, and migration is
 256                         * blocked by the pte's page reference, and we
 257                         * know the page is still mapped, we don't even
 258                         * need to check for file-cache page truncation.
 259                         */
 260                        mlock_vma_page(page);
 261                        unlock_page(page);
 262                }
 263        }
 264unlock:
 265        pte_unmap_unlock(ptep, ptl);
 266out:
 267        return page;
 268
 269no_page:
 270        pte_unmap_unlock(ptep, ptl);
 271        if (!pte_none(pte))
 272                return page;
 273
 274no_page_table:
 275        /*
 276         * When core dumping an enormous anonymous area that nobody
 277         * has touched so far, we don't want to allocate unnecessary pages or
 278         * page tables.  Return error instead of NULL to skip handle_mm_fault,
 279         * then get_dump_page() will return NULL to leave a hole in the dump.
 280         * But we can only make this optimization where a hole would surely
 281         * be zero-filled if handle_mm_fault() actually did handle it.
 282         */
 283        if ((flags & FOLL_DUMP) &&
 284            (!vma->vm_ops || !vma->vm_ops->fault))
 285                return ERR_PTR(-EFAULT);
 286        return page;
 287}
 288
 289/**
 290 * __get_user_pages() - pin user pages in memory
 291 * @tsk:        task_struct of target task
 292 * @mm:         mm_struct of target mm
 293 * @start:      starting user address
 294 * @nr_pages:   number of pages from start to pin
 295 * @gup_flags:  flags modifying pin behaviour
 296 * @pages:      array that receives pointers to the pages pinned.
 297 *              Should be at least nr_pages long. Or NULL, if caller
 298 *              only intends to ensure the pages are faulted in.
 299 * @vmas:       array of pointers to vmas corresponding to each page.
 300 *              Or NULL if the caller does not require them.
 301 * @nonblocking: whether waiting for disk IO or mmap_sem contention
 302 *
 303 * Returns number of pages pinned. This may be fewer than the number
 304 * requested. If nr_pages is 0 or negative, returns 0. If no pages
 305 * were pinned, returns -errno. Each page returned must be released
 306 * with a put_page() call when it is finished with. vmas will only
 307 * remain valid while mmap_sem is held.
 308 *
 309 * Must be called with mmap_sem held for read or write.
 310 *
 311 * __get_user_pages walks a process's page tables and takes a reference to
 312 * each struct page that each user address corresponds to at a given
 313 * instant. That is, it takes the page that would be accessed if a user
 314 * thread accesses the given user virtual address at that instant.
 315 *
 316 * This does not guarantee that the page exists in the user mappings when
 317 * __get_user_pages returns, and there may even be a completely different
 318 * page there in some cases (eg. if mmapped pagecache has been invalidated
 319 * and subsequently re faulted). However it does guarantee that the page
 320 * won't be freed completely. And mostly callers simply care that the page
 321 * contains data that was valid *at some point in time*. Typically, an IO
 322 * or similar operation cannot guarantee anything stronger anyway because
 323 * locks can't be held over the syscall boundary.
 324 *
 325 * If @gup_flags & FOLL_WRITE == 0, the page must not be written to. If
 326 * the page is written to, set_page_dirty (or set_page_dirty_lock, as
 327 * appropriate) must be called after the page is finished with, and
 328 * before put_page is called.
 329 *
 330 * If @nonblocking != NULL, __get_user_pages will not wait for disk IO
 331 * or mmap_sem contention, and if waiting is needed to pin all pages,
 332 * *@nonblocking will be set to 0.
 333 *
 334 * In most cases, get_user_pages or get_user_pages_fast should be used
 335 * instead of __get_user_pages. __get_user_pages should be used only if
 336 * you need some special @gup_flags.
 337 */
 338long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
 339                unsigned long start, unsigned long nr_pages,
 340                unsigned int gup_flags, struct page **pages,
 341                struct vm_area_struct **vmas, int *nonblocking)
 342{
 343        long i;
 344        unsigned long vm_flags;
 345        unsigned int page_mask;
 346        int write = (gup_flags & FOLL_WRITE);
 347        int foreign = (gup_flags & FOLL_REMOTE);
 348
 349        if (!nr_pages)
 350                return 0;
 351
 352        VM_BUG_ON(!!pages != !!(gup_flags & FOLL_GET));
 353
 354        /* 
 355         * Require read or write permissions.
 356         * If FOLL_FORCE is set, we only require the "MAY" flags.
 357         */
 358        vm_flags  = (gup_flags & FOLL_WRITE) ?
 359                        (VM_WRITE | VM_MAYWRITE) : (VM_READ | VM_MAYREAD);
 360        vm_flags &= (gup_flags & FOLL_FORCE) ?
 361                        (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
 362
 363        /*
 364         * If FOLL_FORCE and FOLL_NUMA are both set, handle_mm_fault
 365         * would be called on PROT_NONE ranges. We must never invoke
 366         * handle_mm_fault on PROT_NONE ranges or the NUMA hinting
 367         * page faults would unprotect the PROT_NONE ranges if
 368         * _PAGE_NUMA and _PAGE_PROTNONE are sharing the same pte/pmd
 369         * bitflag. So to avoid that, don't set FOLL_NUMA if
 370         * FOLL_FORCE is set.
 371         */
 372        if (!(gup_flags & FOLL_FORCE))
 373                gup_flags |= FOLL_NUMA;
 374
 375        i = 0;
 376
 377        do {
 378                struct vm_area_struct *vma;
 379
 380                vma = find_extend_vma(mm, start);
 381                if (!vma && in_gate_area(mm, start)) {
 382                        unsigned long pg = start & PAGE_MASK;
 383                        pgd_t *pgd;
 384                        pud_t *pud;
 385                        pmd_t *pmd;
 386                        pte_t *pte;
 387
 388                        /* user gate pages are read-only */
 389                        if (gup_flags & FOLL_WRITE)
 390                                return i ? : -EFAULT;
 391                        if (pg > TASK_SIZE)
 392                                pgd = pgd_offset_k(pg);
 393                        else
 394                                pgd = pgd_offset_gate(mm, pg);
 395                        BUG_ON(pgd_none(*pgd));
 396                        pud = pud_offset(pgd, pg);
 397                        BUG_ON(pud_none(*pud));
 398                        pmd = pmd_offset(pud, pg);
 399                        if (pmd_none(*pmd))
 400                                return i ? : -EFAULT;
 401                        VM_BUG_ON(pmd_trans_huge(*pmd));
 402                        pte = pte_offset_map(pmd, pg);
 403                        if (pte_none(*pte)) {
 404                                pte_unmap(pte);
 405                                return i ? : -EFAULT;
 406                        }
 407                        vma = get_gate_vma(mm);
 408                        if (pages) {
 409                                struct page *page;
 410
 411                                page = vm_normal_page(vma, start, *pte);
 412                                if (!page) {
 413                                        if (!(gup_flags & FOLL_DUMP) &&
 414                                             is_zero_pfn(pte_pfn(*pte)))
 415                                                page = pte_page(*pte);
 416                                        else {
 417                                                pte_unmap(pte);
 418                                                return i ? : -EFAULT;
 419                                        }
 420                                }
 421                                pages[i] = page;
 422                                get_page(page);
 423                        }
 424                        pte_unmap(pte);
 425                        page_mask = 0;
 426                        goto next_page;
 427                }
 428
 429                if (!vma ||
 430                    (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
 431                    !(vm_flags & vma->vm_flags))
 432                        return i ? : -EFAULT;
 433
 434                /*
 435                 * gups are always data accesses, not instruction
 436                 * fetches, so execute=false here
 437                 */
 438                if (!arch_vma_access_permitted(vma, write, false, foreign))
 439                        return i ? : -EFAULT;
 440
 441                if (is_vm_hugetlb_page(vma)) {
 442                        i = follow_hugetlb_page(mm, vma, pages, vmas,
 443                                        &start, &nr_pages, i,
 444                                        gup_flags, nonblocking);
 445                        continue;
 446                }
 447
 448                do {
 449                        struct page *page;
 450                        unsigned int foll_flags = gup_flags;
 451                        unsigned int page_increm;
 452
 453                        /*
 454                         * If we have a pending SIGKILL, don't keep faulting
 455                         * pages and potentially allocating memory.
 456                         */
 457                        if (unlikely(fatal_signal_pending(current)))
 458                                return i ? i : -ERESTARTSYS;
 459
 460                        cond_resched();
 461                        while (!(page = follow_page_mask(vma, start,
 462                                                foll_flags, &page_mask))) {
 463                                int ret;
 464                                unsigned int fault_flags = 0;
 465
 466                                if (foll_flags & FOLL_WRITE)
 467                                        fault_flags |= FAULT_FLAG_WRITE;
 468                                if (foll_flags & FOLL_REMOTE)
 469                                        fault_flags |= FAULT_FLAG_REMOTE;
 470                                if (nonblocking)
 471                                        fault_flags |= FAULT_FLAG_ALLOW_RETRY;
 472                                if (foll_flags & FOLL_NOWAIT)
 473                                        fault_flags |= (FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT);
 474                                if (foll_flags & FOLL_TRIED) {
 475                                        WARN_ON_ONCE(fault_flags &
 476                                                     FAULT_FLAG_ALLOW_RETRY);
 477                                        fault_flags |= FAULT_FLAG_TRIED;
 478                                }
 479
 480                                ret = handle_mm_fault(vma, start,
 481                                                        fault_flags);
 482
 483                                if (ret & VM_FAULT_ERROR) {
 484                                        if (ret & VM_FAULT_OOM)
 485                                                return i ? i : -ENOMEM;
 486                                        if (ret & (VM_FAULT_HWPOISON |
 487                                                   VM_FAULT_HWPOISON_LARGE)) {
 488                                                if (i)
 489                                                        return i;
 490                                                else if (gup_flags & FOLL_HWPOISON)
 491                                                        return -EHWPOISON;
 492                                                else
 493                                                        return -EFAULT;
 494                                        }
 495                                        if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
 496                                                return i ? i : -EFAULT;
 497                                        BUG();
 498                                }
 499
 500                                if (tsk) {
 501                                        if (ret & VM_FAULT_MAJOR)
 502                                                tsk->maj_flt++;
 503                                        else
 504                                                tsk->min_flt++;
 505                                }
 506
 507                                if (ret & VM_FAULT_RETRY) {
 508                                        if (nonblocking)
 509                                                *nonblocking = 0;
 510                                        return i;
 511                                }
 512
 513                                /*
 514                                 * The VM_FAULT_WRITE bit tells us that
 515                                 * do_wp_page has broken COW when necessary,
 516                                 * even if maybe_mkwrite decided not to set
 517                                 * pte_write. We can thus safely do subsequent
 518                                 * page lookups as if they were reads. But only
 519                                 * do so when looping for pte_write is futile:
 520                                 * in some cases userspace may also be wanting
 521                                 * to write to the gotten user page, which a
 522                                 * read fault here might prevent (a readonly
 523                                 * page might get reCOWed by userspace write).
 524                                 */
 525                                if ((ret & VM_FAULT_WRITE) &&
 526                                    !(vma->vm_flags & VM_WRITE))
 527                                        foll_flags |= FOLL_COW;
 528
 529                                cond_resched();
 530                        }
 531                        if (PTR_ERR(page) == -EEXIST) {
 532                                /*
 533                                 * Proper page table entry exists, but
 534                                 * no corresponding struct page.
 535                                 */
 536                                goto next_page;
 537                        } else if (IS_ERR(page)) {
 538                                return i ? i : PTR_ERR(page);
 539                        }
 540                        if (pages) {
 541                                pages[i] = page;
 542
 543                                flush_anon_page(vma, page, start);
 544                                flush_dcache_page(page);
 545                                page_mask = 0;
 546                        }
 547next_page:
 548                        if (vmas) {
 549                                vmas[i] = vma;
 550                                page_mask = 0;
 551                        }
 552                        page_increm = 1 + (~(start >> PAGE_SHIFT) & page_mask);
 553                        if (page_increm > nr_pages)
 554                                page_increm = nr_pages;
 555                        i += page_increm;
 556                        start += page_increm * PAGE_SIZE;
 557                        nr_pages -= page_increm;
 558                } while (nr_pages && start < vma->vm_end);
 559        } while (nr_pages);
 560        return i;
 561}
 562EXPORT_SYMBOL(__get_user_pages);
 563
 564bool vma_permits_fault(struct vm_area_struct *vma, unsigned int fault_flags)
 565{
 566        bool write   = !!(fault_flags & FAULT_FLAG_WRITE);
 567        bool foreign = !!(fault_flags & FAULT_FLAG_REMOTE);
 568        vm_flags_t vm_flags = write ? VM_WRITE : VM_READ;
 569
 570        if (!(vm_flags & vma->vm_flags))
 571                return false;
 572
 573        /*
 574         * The architecture might have a hardware protection
 575         * mechanism other than read/write that can deny access.
 576         *
 577         * gup always represents data access, not instruction
 578         * fetches, so execute=false here:
 579         */
 580        if (!arch_vma_access_permitted(vma, write, false, foreign))
 581                return false;
 582
 583        return true;
 584}
 585
 586/*
 587 * fixup_user_fault() - manually resolve a user page fault
 588 * @tsk:        the task_struct to use for page fault accounting, or
 589 *              NULL if faults are not to be recorded.
 590 * @mm:         mm_struct of target mm
 591 * @address:    user address
 592 * @fault_flags:flags to pass down to handle_mm_fault()
 593 *
 594 * This is meant to be called in the specific scenario where for locking reasons
 595 * we try to access user memory in atomic context (within a pagefault_disable()
 596 * section), this returns -EFAULT, and we want to resolve the user fault before
 597 * trying again.
 598 *
 599 * Typically this is meant to be used by the futex code.
 600 *
 601 * The main difference with get_user_pages() is that this function will
 602 * unconditionally call handle_mm_fault() which will in turn perform all the
 603 * necessary SW fixup of the dirty and young bits in the PTE, while
 604 * handle_mm_fault() only guarantees to update these in the struct page.
 605 *
 606 * This is important for some architectures where those bits also gate the
 607 * access permission to the page because they are maintained in software.  On
 608 * such architectures, gup() will not be enough to make a subsequent access
 609 * succeed.
 610 *
 611 * This should be called with the mm_sem held for read.
 612 */
 613int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
 614                     unsigned long address, unsigned int fault_flags)
 615{
 616        struct vm_area_struct *vma;
 617        int ret;
 618
 619        vma = find_extend_vma(mm, address);
 620        if (!vma || address < vma->vm_start)
 621                return -EFAULT;
 622
 623        if (!vma_permits_fault(vma, fault_flags))
 624                return -EFAULT;
 625
 626        ret = handle_mm_fault(vma, address, fault_flags);
 627        if (ret & VM_FAULT_ERROR) {
 628                if (ret & VM_FAULT_OOM)
 629                        return -ENOMEM;
 630                if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE))
 631                        return -EHWPOISON;
 632                if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
 633                        return -EFAULT;
 634                BUG();
 635        }
 636        if (tsk) {
 637                if (ret & VM_FAULT_MAJOR)
 638                        tsk->maj_flt++;
 639                else
 640                        tsk->min_flt++;
 641        }
 642        return 0;
 643}
 644EXPORT_SYMBOL_GPL(fixup_user_fault);
 645
 646static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
 647                                                struct mm_struct *mm,
 648                                                unsigned long start,
 649                                                unsigned long nr_pages,
 650                                                int write, int force,
 651                                                struct page **pages,
 652                                                struct vm_area_struct **vmas,
 653                                                int *locked, bool notify_drop,
 654                                                unsigned int flags)
 655{
 656        long ret, pages_done;
 657        bool lock_dropped;
 658
 659        if (locked) {
 660                /* if VM_FAULT_RETRY can be returned, vmas become invalid */
 661                BUG_ON(vmas);
 662                /* check caller initialized locked */
 663                BUG_ON(*locked != 1);
 664        }
 665
 666        if (pages)
 667                flags |= FOLL_GET;
 668        if (write)
 669                flags |= FOLL_WRITE;
 670        if (force)
 671                flags |= FOLL_FORCE;
 672
 673        pages_done = 0;
 674        lock_dropped = false;
 675        for (;;) {
 676                ret = __get_user_pages(tsk, mm, start, nr_pages, flags, pages,
 677                                       vmas, locked);
 678                if (!locked)
 679                        /* VM_FAULT_RETRY couldn't trigger, bypass */
 680                        return ret;
 681
 682                /* VM_FAULT_RETRY cannot return errors */
 683                if (!*locked) {
 684                        BUG_ON(ret < 0);
 685                        BUG_ON(ret >= nr_pages);
 686                }
 687
 688                if (!pages)
 689                        /* If it's a prefault don't insist harder */
 690                        return ret;
 691
 692                if (ret > 0) {
 693                        nr_pages -= ret;
 694                        pages_done += ret;
 695                        if (!nr_pages)
 696                                break;
 697                }
 698                if (*locked) {
 699                        /* VM_FAULT_RETRY didn't trigger */
 700                        if (!pages_done)
 701                                pages_done = ret;
 702                        break;
 703                }
 704                /* VM_FAULT_RETRY triggered, so seek to the faulting offset */
 705                pages += ret;
 706                start += ret << PAGE_SHIFT;
 707
 708                /*
 709                 * Repeat on the address that fired VM_FAULT_RETRY
 710                 * without FAULT_FLAG_ALLOW_RETRY but with
 711                 * FAULT_FLAG_TRIED.
 712                 */
 713                *locked = 1;
 714                lock_dropped = true;
 715                down_read(&mm->mmap_sem);
 716                ret = __get_user_pages(tsk, mm, start, 1, flags | FOLL_TRIED,
 717                                       pages, NULL, NULL);
 718                if (ret != 1) {
 719                        BUG_ON(ret > 1);
 720                        if (!pages_done)
 721                                pages_done = ret;
 722                        break;
 723                }
 724                nr_pages--;
 725                pages_done++;
 726                if (!nr_pages)
 727                        break;
 728                pages++;
 729                start += PAGE_SIZE;
 730        }
 731        if (notify_drop && lock_dropped && *locked) {
 732                /*
 733                 * We must let the caller know we temporarily dropped the lock
 734                 * and so the critical section protected by it was lost.
 735                 */
 736                up_read(&mm->mmap_sem);
 737                *locked = 0;
 738        }
 739        return pages_done;
 740}
 741
 742/*
 743 * We can leverage the VM_FAULT_RETRY functionality in the page fault
 744 * paths better by using either get_user_pages_locked() or
 745 * get_user_pages_unlocked().
 746 *
 747 * get_user_pages_locked() is suitable to replace the form:
 748 *
 749 *      down_read(&mm->mmap_sem);
 750 *      do_something()
 751 *      get_user_pages(tsk, mm, ..., pages, NULL);
 752 *      up_read(&mm->mmap_sem);
 753 *
 754 *  to:
 755 *
 756 *      int locked = 1;
 757 *      down_read(&mm->mmap_sem);
 758 *      do_something()
 759 *      get_user_pages_locked(tsk, mm, ..., pages, &locked);
 760 *      if (locked)
 761 *          up_read(&mm->mmap_sem);
 762 */
 763long get_user_pages_locked(struct task_struct *tsk, struct mm_struct *mm,
 764                           unsigned long start, unsigned long nr_pages,
 765                           int write, int force, struct page **pages,
 766                           int *locked)
 767{
 768        return __get_user_pages_locked(tsk, mm, start, nr_pages, write, force,
 769                                       pages, NULL, locked, true, FOLL_TOUCH);
 770}
 771EXPORT_SYMBOL(get_user_pages_locked);
 772
 773/*
 774 * Same as get_user_pages_unlocked(...., FOLL_TOUCH) but it allows to
 775 * pass additional gup_flags as last parameter (like FOLL_HWPOISON).
 776 *
 777 * NOTE: here FOLL_TOUCH is not set implicitly and must be set by the
 778 * caller if required (just like with __get_user_pages). "FOLL_GET",
 779 * "FOLL_WRITE" and "FOLL_FORCE" are set implicitly as needed
 780 * according to the parameters "pages", "write", "force"
 781 * respectively.
 782 */
 783__always_inline long __get_user_pages_unlocked(struct task_struct *tsk, struct mm_struct *mm,
 784                                               unsigned long start, unsigned long nr_pages,
 785                                               int write, int force, struct page **pages,
 786                                               unsigned int gup_flags)
 787{
 788        long ret;
 789        int locked = 1;
 790        down_read(&mm->mmap_sem);
 791        ret = __get_user_pages_locked(tsk, mm, start, nr_pages, write, force,
 792                                      pages, NULL, &locked, false, gup_flags);
 793        if (locked)
 794                up_read(&mm->mmap_sem);
 795        return ret;
 796}
 797EXPORT_SYMBOL(__get_user_pages_unlocked);
 798
 799/*
 800 * get_user_pages_unlocked() is suitable to replace the form:
 801 *
 802 *      down_read(&mm->mmap_sem);
 803 *      get_user_pages(tsk, mm, ..., pages, NULL);
 804 *      up_read(&mm->mmap_sem);
 805 *
 806 *  with:
 807 *
 808 *      get_user_pages_unlocked(tsk, mm, ..., pages);
 809 *
 810 * It is functionally equivalent to get_user_pages_fast so
 811 * get_user_pages_fast should be used instead, if the two parameters
 812 * "tsk" and "mm" are respectively equal to current and current->mm,
 813 * or if "force" shall be set to 1 (get_user_pages_fast misses the
 814 * "force" parameter).
 815 */
 816long get_user_pages_unlocked(struct task_struct *tsk, struct mm_struct *mm,
 817                             unsigned long start, unsigned long nr_pages,
 818                             int write, int force, struct page **pages)
 819{
 820        return __get_user_pages_unlocked(tsk, mm, start, nr_pages, write,
 821                                         force, pages, FOLL_TOUCH);
 822}
 823EXPORT_SYMBOL(get_user_pages_unlocked);
 824
 825/*
 826 * get_user_pages_remote() - pin user pages in memory
 827 * @tsk:        the task_struct to use for page fault accounting, or
 828 *              NULL if faults are not to be recorded.
 829 * @mm:         mm_struct of target mm
 830 * @start:      starting user address
 831 * @nr_pages:   number of pages from start to pin
 832 * @write:      whether pages will be written to by the caller
 833 * @force:      whether to force write access even if user mapping is
 834 *              readonly. This will result in the page being COWed even
 835 *              in MAP_SHARED mappings. You do not want this.
 836 * @pages:      array that receives pointers to the pages pinned.
 837 *              Should be at least nr_pages long. Or NULL, if caller
 838 *              only intends to ensure the pages are faulted in.
 839 * @vmas:       array of pointers to vmas corresponding to each page.
 840 *              Or NULL if the caller does not require them.
 841 *
 842 * Returns number of pages pinned. This may be fewer than the number
 843 * requested. If nr_pages is 0 or negative, returns 0. If no pages
 844 * were pinned, returns -errno. Each page returned must be released
 845 * with a put_page() call when it is finished with. vmas will only
 846 * remain valid while mmap_sem is held.
 847 *
 848 * Must be called with mmap_sem held for read or write.
 849 *
 850 * get_user_pages walks a process's page tables and takes a reference to
 851 * each struct page that each user address corresponds to at a given
 852 * instant. That is, it takes the page that would be accessed if a user
 853 * thread accesses the given user virtual address at that instant.
 854 *
 855 * This does not guarantee that the page exists in the user mappings when
 856 * get_user_pages returns, and there may even be a completely different
 857 * page there in some cases (eg. if mmapped pagecache has been invalidated
 858 * and subsequently re faulted). However it does guarantee that the page
 859 * won't be freed completely. And mostly callers simply care that the page
 860 * contains data that was valid *at some point in time*. Typically, an IO
 861 * or similar operation cannot guarantee anything stronger anyway because
 862 * locks can't be held over the syscall boundary.
 863 *
 864 * If write=0, the page must not be written to. If the page is written to,
 865 * set_page_dirty (or set_page_dirty_lock, as appropriate) must be called
 866 * after the page is finished with, and before put_page is called.
 867 *
 868 * get_user_pages is typically used for fewer-copy IO operations, to get a
 869 * handle on the memory by some means other than accesses via the user virtual
 870 * addresses. The pages may be submitted for DMA to devices or accessed via
 871 * their kernel linear mapping (via the kmap APIs). Care should be taken to
 872 * use the correct cache flushing APIs.
 873 *
 874 * See also get_user_pages_fast, for performance critical applications.
 875 *
 876 * get_user_pages should be phased out in favor of
 877 * get_user_pages_locked|unlocked or get_user_pages_fast. Nothing
 878 * should use get_user_pages because it cannot pass
 879 * FAULT_FLAG_ALLOW_RETRY to handle_mm_fault.
 880 */
 881long get_user_pages_remote(struct task_struct *tsk, struct mm_struct *mm,
 882                unsigned long start, unsigned long nr_pages,
 883                int write, int force, struct page **pages,
 884                struct vm_area_struct **vmas)
 885{
 886        return __get_user_pages_locked(tsk, mm, start, nr_pages, write, force,
 887                                       pages, vmas, NULL, false,
 888                                       FOLL_TOUCH | FOLL_REMOTE);
 889}
 890EXPORT_SYMBOL(get_user_pages_remote);
 891
 892/*
 893 * This is the same as get_user_pages_remote() for the time
 894 * being.
 895 */
 896long get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
 897                unsigned long start, unsigned long nr_pages,
 898                int write, int force, struct page **pages,
 899                struct vm_area_struct **vmas)
 900{
 901        return __get_user_pages_locked(tsk, mm, start, nr_pages,
 902                                       write, force, pages, vmas, NULL, false,
 903                                       FOLL_TOUCH);
 904}
 905EXPORT_SYMBOL(get_user_pages);
 906
 907/**
 908 * get_dump_page() - pin user page in memory while writing it to core dump
 909 * @addr: user address
 910 *
 911 * Returns struct page pointer of user page pinned for dump,
 912 * to be freed afterwards by page_cache_release() or put_page().
 913 *
 914 * Returns NULL on any kind of failure - a hole must then be inserted into
 915 * the corefile, to preserve alignment with its headers; and also returns
 916 * NULL wherever the ZERO_PAGE, or an anonymous pte_none, has been found -
 917 * allowing a hole to be left in the corefile to save diskspace.
 918 *
 919 * Called without mmap_sem, but after all other threads have been killed.
 920 */
 921#ifdef CONFIG_ELF_CORE
 922struct page *get_dump_page(unsigned long addr)
 923{
 924        struct vm_area_struct *vma;
 925        struct page *page;
 926
 927        if (__get_user_pages(current, current->mm, addr, 1,
 928                             FOLL_FORCE | FOLL_DUMP | FOLL_GET, &page, &vma,
 929                             NULL) < 1)
 930                return NULL;
 931        flush_cache_page(vma, addr, page_to_pfn(page));
 932        return page;
 933}
 934#endif /* CONFIG_ELF_CORE */
 935