// SPDX-License-Identifier: GPL-2.0-only
/*
 *  linux/mm/mmu_notifier.c
 *
 *  Copyright (C) 2008  Qumranet, Inc.
 *  Copyright (C) 2008  SGI
 *             Christoph Lameter <cl@linux.com>
 */

#include <linux/rculist.h>
#include <linux/mmu_notifier.h>
#include <linux/export.h>
#include <linux/mm.h>
#include <linux/err.h>
#include <linux/interval_tree.h>
#include <linux/srcu.h>
#include <linux/rcupdate.h>
#include <linux/sched.h>
#include <linux/sched/mm.h>
#include <linux/slab.h>

/* global SRCU for all MMs */
DEFINE_STATIC_SRCU(srcu);

#ifdef CONFIG_LOCKDEP
struct lockdep_map __mmu_notifier_invalidate_range_start_map = {
        .name = "mmu_notifier_invalidate_range_start"
};
#endif

/*
 * The mmu_notifier_subscriptions structure is allocated and installed in
 * mm->notifier_subscriptions inside the mm_take_all_locks() protected
 * critical section and it's released only when mm_count reaches zero
 * in mmdrop().
 */
struct mmu_notifier_subscriptions {
        /* all mmu notifiers registered in this mm are queued in this list */
        struct hlist_head list;
        bool has_itree;
        /* to serialize the list modifications and hlist_unhashed */
        spinlock_t lock;
        unsigned long invalidate_seq;
        unsigned long active_invalidate_ranges;
        struct rb_root_cached itree;
        wait_queue_head_t wq;
        struct hlist_head deferred_list;
};

/*
 * This is a collision-retry read-side/write-side 'lock', a lot like a
 * seqcount, however this allows multiple write-sides to hold it at
 * once. Conceptually the write side is protecting the values of the PTEs in
 * this mm, such that PTES cannot be read into SPTEs (shadow PTEs) while any
 * writer exists.
 *
 * Note that the core mm creates nested invalidate_range_start()/end() regions
 * within the same thread, and runs invalidate_range_start()/end() in parallel
 * on multiple CPUs. This is designed to not reduce concurrency or block
 * progress on the mm side.
 *
 * As a secondary function, holding the full write side also serves to prevent
 * writers for the itree, this is an optimization to avoid extra locking
 * during invalidate_range_start/end notifiers.
 *
 * The write side has two states, fully excluded:
 *  - mm->active_invalidate_ranges != 0
 *  - subscriptions->invalidate_seq & 1 == True (odd)
 *  - some range on the mm_struct is being invalidated
 *  - the itree is not allowed to change
 *
 * And partially excluded:
 *  - mm->active_invalidate_ranges != 0
 *  - subscriptions->invalidate_seq & 1 == False (even)
 *  - some range on the mm_struct is being invalidated
 *  - the itree is allowed to change
 *
 * Operations on notifier_subscriptions->invalidate_seq (under spinlock):
 *    seq |= 1  # Begin writing
 *    seq++     # Release the writing state
 *    seq & 1   # True if a writer exists
 *
 * The later state avoids some expensive work on inv_end in the common case of
 * no mmu_interval_notifier monitoring the VA.
 */
static bool
mn_itree_is_invalidating(struct mmu_notifier_subscriptions *subscriptions)
{
        lockdep_assert_held(&subscriptions->lock);
        return subscriptions->invalidate_seq & 1;
}

static struct mmu_interval_notifier *
mn_itree_inv_start_range(struct mmu_notifier_subscriptions *subscriptions,
                         const struct mmu_notifier_range *range,
                         unsigned long *seq)
{
        struct interval_tree_node *node;
        struct mmu_interval_notifier *res = NULL;

        spin_lock(&subscriptions->lock);
        subscriptions->active_invalidate_ranges++;
        node = interval_tree_iter_first(&subscriptions->itree, range->start,
                                        range->end - 1);
        if (node) {
                subscriptions->invalidate_seq |= 1;
                res = container_of(node, struct mmu_interval_notifier,
                                   interval_tree);
        }

        *seq = subscriptions->invalidate_seq;
        spin_unlock(&subscriptions->lock);
        return res;
}

static struct mmu_interval_notifier *
mn_itree_inv_next(struct mmu_interval_notifier *interval_sub,
                  const struct mmu_notifier_range *range)
{
        struct interval_tree_node *node;

        node = interval_tree_iter_next(&interval_sub->interval_tree,
                                       range->start, range->end - 1);
        if (!node)
                return NULL;
        return container_of(node, struct mmu_interval_notifier, interval_tree);
}

static void mn_itree_inv_end(struct mmu_notifier_subscriptions *subscriptions)
{
        struct mmu_interval_notifier *interval_sub;
        struct hlist_node *next;

        spin_lock(&subscriptions->lock);
        if (--subscriptions->active_invalidate_ranges ||
            !mn_itree_is_invalidating(subscriptions)) {
                spin_unlock(&subscriptions->lock);
                return;
        }

        /* Make invalidate_seq even */
        subscriptions->invalidate_seq++;

        /*
         * The inv_end incorporates a deferred mechanism like rtnl_unlock().
         * Adds and removes are queued until the final inv_end happens then
         * they are progressed. This arrangement for tree updates is used to
         * avoid using a blocking lock during invalidate_range_start.
         */
        hlist_for_each_entry_safe(interval_sub, next,
                                  &subscriptions->deferred_list,
                                  deferred_item) {
                if (RB_EMPTY_NODE(&interval_sub->interval_tree.rb))
                        interval_tree_insert(&interval_sub->interval_tree,
                                             &subscriptions->itree);
                else
                        interval_tree_remove(&interval_sub->interval_tree,
                                             &subscriptions->itree);
                hlist_del(&interval_sub->deferred_item);
        }
        spin_unlock(&subscriptions->lock);

        wake_up_all(&subscriptions->wq);
}

/**
 * mmu_interval_read_begin - Begin a read side critical section against a VA
 *                           range
 * @interval_sub: The interval subscription
 *
 * mmu_iterval_read_begin()/mmu_iterval_read_retry() implement a
 * collision-retry scheme similar to seqcount for the VA range under
 * subscription. If the mm invokes invalidation during the critical section
 * then mmu_interval_read_retry() will return true.
 *
 * This is useful to obtain shadow PTEs where teardown or setup of the SPTEs
 * require a blocking context.  The critical region formed by this can sleep,
 * and the required 'user_lock' can also be a sleeping lock.
 *
 * The caller is required to provide a 'user_lock' to serialize both teardown
 * and setup.
 *
 * The return value should be passed to mmu_interval_read_retry().
 */
unsigned long
mmu_interval_read_begin(struct mmu_interval_notifier *interval_sub)
{
        struct mmu_notifier_subscriptions *subscriptions =
                interval_sub->mm->notifier_subscriptions;
        unsigned long seq;
        bool is_invalidating;

        /*
         * If the subscription has a different seq value under the user_lock
         * than we started with then it has collided.
         *
         * If the subscription currently has the same seq value as the
         * subscriptions seq, then it is currently between
         * invalidate_start/end and is colliding.
         *
         * The locking looks broadly like this:
         *   mn_tree_invalidate_start():          mmu_interval_read_begin():
         *                                         spin_lock
         *                                          seq = READ_ONCE(interval_sub->invalidate_seq);
         *                                          seq == subs->invalidate_seq
         *                                         spin_unlock
         *    spin_lock
         *     seq = ++subscriptions->invalidate_seq
         *    spin_unlock
         *     op->invalidate_range():
         *       user_lock
         *        mmu_interval_set_seq()
         *         interval_sub->invalidate_seq = seq
         *       user_unlock
         *
         *                          [Required: mmu_interval_read_retry() == true]
         *
         *   mn_itree_inv_end():
         *    spin_lock
         *     seq = ++subscriptions->invalidate_seq
         *    spin_unlock
         *
         *                                        user_lock
         *                                         mmu_interval_read_retry():
         *                                          interval_sub->invalidate_seq != seq
         *                                        user_unlock
         *
         * Barriers are not needed here as any races here are closed by an
         * eventual mmu_interval_read_retry(), which provides a barrier via the
         * user_lock.
         */
        spin_lock(&subscriptions->lock);
        /* Pairs with the WRITE_ONCE in mmu_interval_set_seq() */
        seq = READ_ONCE(interval_sub->invalidate_seq);
        is_invalidating = seq == subscriptions->invalidate_seq;
        spin_unlock(&subscriptions->lock);

        /*
         * interval_sub->invalidate_seq must always be set to an odd value via
         * mmu_interval_set_seq() using the provided cur_seq from
         * mn_itree_inv_start_range(). This ensures that if seq does wrap we
         * will always clear the below sleep in some reasonable time as
         * subscriptions->invalidate_seq is even in the idle state.
         */
        lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
        lock_map_release(&__mmu_notifier_invalidate_range_start_map);
        if (is_invalidating)
                wait_event(subscriptions->wq,
                           READ_ONCE(subscriptions->invalidate_seq) != seq);

        /*
         * Notice that mmu_interval_read_retry() can already be true at this
         * point, avoiding loops here allows the caller to provide a global
         * time bound.
         */

        return seq;
}
EXPORT_SYMBOL_GPL(mmu_interval_read_begin);

static void mn_itree_release(struct mmu_notifier_subscriptions *subscriptions,
                             struct mm_struct *mm)
{
        struct mmu_notifier_range range = {
                .flags = MMU_NOTIFIER_RANGE_BLOCKABLE,
                .event = MMU_NOTIFY_RELEASE,
                .mm = mm,
                .start = 0,
                .end = ULONG_MAX,
        };
        struct mmu_interval_notifier *interval_sub;
        unsigned long cur_seq;
        bool ret;

        for (interval_sub =
                     mn_itree_inv_start_range(subscriptions, &range, &cur_seq);
             interval_sub;
             interval_sub = mn_itree_inv_next(interval_sub, &range)) {
                ret = interval_sub->ops->invalidate(interval_sub, &range,
                                                    cur_seq);
                WARN_ON(!ret);
        }

        mn_itree_inv_end(subscriptions);
}

/*
 * This function can't run concurrently against mmu_notifier_register
 * because mm->mm_users > 0 during mmu_notifier_register and exit_mmap
 * runs with mm_users == 0. Other tasks may still invoke mmu notifiers
 * in parallel despite there being no task using this mm any more,
 * through the vmas outside of the exit_mmap context, such as with
 * vmtruncate. This serializes against mmu_notifier_unregister with
 * the notifier_subscriptions->lock in addition to SRCU and it serializes
 * against the other mmu notifiers with SRCU. struct mmu_notifier_subscriptions
 * can't go away from under us as exit_mmap holds an mm_count pin
 * itself.
 */
static void mn_hlist_release(struct mmu_notifier_subscriptions *subscriptions,
                             struct mm_struct *mm)
{
        struct mmu_notifier *subscription;
        int id;

        /*
         * SRCU here will block mmu_notifier_unregister until
         * ->release returns.
         */
        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription, &subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu))
                /*
                 * If ->release runs before mmu_notifier_unregister it must be
                 * handled, as it's the only way for the driver to flush all
                 * existing sptes and stop the driver from establishing any more
                 * sptes before all the pages in the mm are freed.
                 */
                if (subscription->ops->release)
                        subscription->ops->release(subscription, mm);

        spin_lock(&subscriptions->lock);
        while (unlikely(!hlist_empty(&subscriptions->list))) {
                subscription = hlist_entry(subscriptions->list.first,
                                           struct mmu_notifier, hlist);
                /*
                 * We arrived before mmu_notifier_unregister so
                 * mmu_notifier_unregister will do nothing other than to wait
                 * for ->release to finish and for mmu_notifier_unregister to
                 * return.
                 */
                hlist_del_init_rcu(&subscription->hlist);
        }
        spin_unlock(&subscriptions->lock);
        srcu_read_unlock(&srcu, id);

        /*
         * synchronize_srcu here prevents mmu_notifier_release from returning to
         * exit_mmap (which would proceed with freeing all pages in the mm)
         * until the ->release method returns, if it was invoked by
         * mmu_notifier_unregister.
         *
         * The notifier_subscriptions can't go away from under us because
         * one mm_count is held by exit_mmap.
         */
        synchronize_srcu(&srcu);
}

void __mmu_notifier_release(struct mm_struct *mm)
{
        struct mmu_notifier_subscriptions *subscriptions =
                mm->notifier_subscriptions;

        if (subscriptions->has_itree)
                mn_itree_release(subscriptions, mm);

        if (!hlist_empty(&subscriptions->list))
                mn_hlist_release(subscriptions, mm);
}

/*
 * If no young bitflag is supported by the hardware, ->clear_flush_young can
 * unmap the address and return 1 or 0 depending if the mapping previously
 * existed or not.
 */
int __mmu_notifier_clear_flush_young(struct mm_struct *mm,
                                        unsigned long start,
                                        unsigned long end)
{
        struct mmu_notifier *subscription;
        int young = 0, id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                if (subscription->ops->clear_flush_young)
                        young |= subscription->ops->clear_flush_young(
                                subscription, mm, start, end);
        }
        srcu_read_unlock(&srcu, id);

        return young;
}

int __mmu_notifier_clear_young(struct mm_struct *mm,
                               unsigned long start,
                               unsigned long end)
{
        struct mmu_notifier *subscription;
        int young = 0, id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                if (subscription->ops->clear_young)
                        young |= subscription->ops->clear_young(subscription,
                                                                mm, start, end);
        }
        srcu_read_unlock(&srcu, id);

        return young;
}

int __mmu_notifier_test_young(struct mm_struct *mm,
                              unsigned long address)
{
        struct mmu_notifier *subscription;
        int young = 0, id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                if (subscription->ops->test_young) {
                        young = subscription->ops->test_young(subscription, mm,
                                                              address);
                        if (young)
                                break;
                }
        }
        srcu_read_unlock(&srcu, id);

        return young;
}

void __mmu_notifier_change_pte(struct mm_struct *mm, unsigned long address,
                               pte_t pte)
{
        struct mmu_notifier *subscription;
        int id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                if (subscription->ops->change_pte)
                        subscription->ops->change_pte(subscription, mm, address,
                                                      pte);
        }
        srcu_read_unlock(&srcu, id);
}

static int mn_itree_invalidate(struct mmu_notifier_subscriptions *subscriptions,
                               const struct mmu_notifier_range *range)
{
        struct mmu_interval_notifier *interval_sub;
        unsigned long cur_seq;

        for (interval_sub =
                     mn_itree_inv_start_range(subscriptions, range, &cur_seq);
             interval_sub;
             interval_sub = mn_itree_inv_next(interval_sub, range)) {
                bool ret;

                ret = interval_sub->ops->invalidate(interval_sub, range,
                                                    cur_seq);
                if (!ret) {
                        if (WARN_ON(mmu_notifier_range_blockable(range)))
                                continue;
                        goto out_would_block;
                }
        }
        return 0;

out_would_block:
        /*
         * On -EAGAIN the non-blocking caller is not allowed to call
         * invalidate_range_end()
         */
        mn_itree_inv_end(subscriptions);
        return -EAGAIN;
}

static int mn_hlist_invalidate_range_start(
        struct mmu_notifier_subscriptions *subscriptions,
        struct mmu_notifier_range *range)
{
        struct mmu_notifier *subscription;
        int ret = 0;
        int id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription, &subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                const struct mmu_notifier_ops *ops = subscription->ops;

                if (ops->invalidate_range_start) {
                        int _ret;

                        if (!mmu_notifier_range_blockable(range))
                                non_block_start();
                        _ret = ops->invalidate_range_start(subscription, range);
                        if (!mmu_notifier_range_blockable(range))
                                non_block_end();
                        if (_ret) {
                                pr_info("%pS callback failed with %d in %sblockable context.\n",
                                        ops->invalidate_range_start, _ret,
                                        !mmu_notifier_range_blockable(range) ?
                                                "non-" :
                                                "");
                                WARN_ON(mmu_notifier_range_blockable(range) ||
                                        _ret != -EAGAIN);
                                /*
                                 * We call all the notifiers on any EAGAIN,
                                 * there is no way for a notifier to know if
                                 * its start method failed, thus a start that
                                 * does EAGAIN can't also do end.
                                 */
                                WARN_ON(ops->invalidate_range_end);
                                ret = _ret;
                        }
                }
        }

        if (ret) {
                /*
                 * Must be non-blocking to get here.  If there are multiple
                 * notifiers and one or more failed start, any that succeeded
                 * start are expecting their end to be called.  Do so now.
                 */
                hlist_for_each_entry_rcu(subscription, &subscriptions->list,
                                         hlist, srcu_read_lock_held(&srcu)) {
                        if (!subscription->ops->invalidate_range_end)
                                continue;

                        subscription->ops->invalidate_range_end(subscription,
                                                                range);
                }
        }
        srcu_read_unlock(&srcu, id);

        return ret;
}

int __mmu_notifier_invalidate_range_start(struct mmu_notifier_range *range)
{
        struct mmu_notifier_subscriptions *subscriptions =
                range->mm->notifier_subscriptions;
        int ret;

        if (subscriptions->has_itree) {
                ret = mn_itree_invalidate(subscriptions, range);
                if (ret)
                        return ret;
        }
        if (!hlist_empty(&subscriptions->list))
                return mn_hlist_invalidate_range_start(subscriptions, range);
        return 0;
}

static void
mn_hlist_invalidate_end(struct mmu_notifier_subscriptions *subscriptions,
                        struct mmu_notifier_range *range, bool only_end)
{
        struct mmu_notifier *subscription;
        int id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription, &subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                /*
                 * Call invalidate_range here too to avoid the need for the
                 * subsystem of having to register an invalidate_range_end
                 * call-back when there is invalidate_range already. Usually a
                 * subsystem registers either invalidate_range_start()/end() or
                 * invalidate_range(), so this will be no additional overhead
                 * (besides the pointer check).
                 *
                 * We skip call to invalidate_range() if we know it is safe ie
                 * call site use mmu_notifier_invalidate_range_only_end() which
                 * is safe to do when we know that a call to invalidate_range()
                 * already happen under page table lock.
                 */
                if (!only_end && subscription->ops->invalidate_range)
                        subscription->ops->invalidate_range(subscription,
                                                            range->mm,
                                                            range->start,
                                                            range->end);
                if (subscription->ops->invalidate_range_end) {
                        if (!mmu_notifier_range_blockable(range))
                                non_block_start();
                        subscription->ops->invalidate_range_end(subscription,
                                                                range);
                        if (!mmu_notifier_range_blockable(range))
                                non_block_end();
                }
        }
        srcu_read_unlock(&srcu, id);
}

void __mmu_notifier_invalidate_range_end(struct mmu_notifier_range *range,
                                         bool only_end)
{
        struct mmu_notifier_subscriptions *subscriptions =
                range->mm->notifier_subscriptions;

        lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
        if (subscriptions->has_itree)
                mn_itree_inv_end(subscriptions);

        if (!hlist_empty(&subscriptions->list))
                mn_hlist_invalidate_end(subscriptions, range, only_end);
        lock_map_release(&__mmu_notifier_invalidate_range_start_map);
}

void __mmu_notifier_invalidate_range(struct mm_struct *mm,
                                  unsigned long start, unsigned long end)
{
        struct mmu_notifier *subscription;
        int id;

        id = srcu_read_lock(&srcu);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 srcu_read_lock_held(&srcu)) {
                if (subscription->ops->invalidate_range)
                        subscription->ops->invalidate_range(subscription, mm,
                                                            start, end);
        }
        srcu_read_unlock(&srcu, id);
}

/*
 * Same as mmu_notifier_register but here the caller must hold the mmap_lock in
 * write mode. A NULL mn signals the notifier is being registered for itree
 * mode.
 */
int __mmu_notifier_register(struct mmu_notifier *subscription,
                            struct mm_struct *mm)
{
        struct mmu_notifier_subscriptions *subscriptions = NULL;
        int ret;

        mmap_assert_write_locked(mm);
        BUG_ON(atomic_read(&mm->mm_users) <= 0);

        if (!mm->notifier_subscriptions) {
                /*
                 * kmalloc cannot be called under mm_take_all_locks(), but we
                 * know that mm->notifier_subscriptions can't change while we
                 * hold the write side of the mmap_lock.
                 */
                subscriptions = kzalloc(
                        sizeof(struct mmu_notifier_subscriptions), GFP_KERNEL);
                if (!subscriptions)
                        return -ENOMEM;

                INIT_HLIST_HEAD(&subscriptions->list);
                spin_lock_init(&subscriptions->lock);
                subscriptions->invalidate_seq = 2;
                subscriptions->itree = RB_ROOT_CACHED;
                init_waitqueue_head(&subscriptions->wq);
                INIT_HLIST_HEAD(&subscriptions->deferred_list);
        }

        ret = mm_take_all_locks(mm);
        if (unlikely(ret))
                goto out_clean;

        /*
         * Serialize the update against mmu_notifier_unregister. A
         * side note: mmu_notifier_release can't run concurrently with
         * us because we hold the mm_users pin (either implicitly as
         * current->mm or explicitly with get_task_mm() or similar).
         * We can't race against any other mmu notifier method either
         * thanks to mm_take_all_locks().
         *
         * release semantics on the initialization of the
         * mmu_notifier_subscriptions's contents are provided for unlocked
         * readers.  acquire can only be used while holding the mmgrab or
         * mmget, and is safe because once created the
         * mmu_notifier_subscriptions is not freed until the mm is destroyed.
         * As above, users holding the mmap_lock or one of the
         * mm_take_all_locks() do not need to use acquire semantics.
         */
        if (subscriptions)
                smp_store_release(&mm->notifier_subscriptions, subscriptions);

        if (subscription) {
                /* Pairs with the mmdrop in mmu_notifier_unregister_* */
                mmgrab(mm);
                subscription->mm = mm;
                subscription->users = 1;

                spin_lock(&mm->notifier_subscriptions->lock);
                hlist_add_head_rcu(&subscription->hlist,
                                   &mm->notifier_subscriptions->list);
                spin_unlock(&mm->notifier_subscriptions->lock);
        } else
                mm->notifier_subscriptions->has_itree = true;

        mm_drop_all_locks(mm);
        BUG_ON(atomic_read(&mm->mm_users) <= 0);
        return 0;

out_clean:
        kfree(subscriptions);
        return ret;
}
EXPORT_SYMBOL_GPL(__mmu_notifier_register);

/**
 * mmu_notifier_register - Register a notifier on a mm
 * @subscription: The notifier to attach
 * @mm: The mm to attach the notifier to
 *
 * Must not hold mmap_lock nor any other VM related lock when calling
 * this registration function. Must also ensure mm_users can't go down
 * to zero while this runs to avoid races with mmu_notifier_release,
 * so mm has to be current->mm or the mm should be pinned safely such
 * as with get_task_mm(). If the mm is not current->mm, the mm_users
 * pin should be released by calling mmput after mmu_notifier_register
 * returns.
 *
 * mmu_notifier_unregister() or mmu_notifier_put() must be always called to
 * unregister the notifier.
 *
 * While the caller has a mmu_notifier get the subscription->mm pointer will remain
 * valid, and can be converted to an active mm pointer via mmget_not_zero().
 */
int mmu_notifier_register(struct mmu_notifier *subscription,
                          struct mm_struct *mm)
{
        int ret;

        mmap_write_lock(mm);
        ret = __mmu_notifier_register(subscription, mm);
        mmap_write_unlock(mm);
        return ret;
}
EXPORT_SYMBOL_GPL(mmu_notifier_register);

static struct mmu_notifier *
find_get_mmu_notifier(struct mm_struct *mm, const struct mmu_notifier_ops *ops)
{
        struct mmu_notifier *subscription;

        spin_lock(&mm->notifier_subscriptions->lock);
        hlist_for_each_entry_rcu(subscription,
                                 &mm->notifier_subscriptions->list, hlist,
                                 lockdep_is_held(&mm->notifier_subscriptions->lock)) {
                if (subscription->ops != ops)
                        continue;

                if (likely(subscription->users != UINT_MAX))
                        subscription->users++;
                else
                        subscription = ERR_PTR(-EOVERFLOW);
                spin_unlock(&mm->notifier_subscriptions->lock);
                return subscription;
        }
        spin_unlock(&mm->notifier_subscriptions->lock);
        return NULL;
}

/**
 * mmu_notifier_get_locked - Return the single struct mmu_notifier for
 *                           the mm & ops
 * @ops: The operations struct being subscribe with
 * @mm : The mm to attach notifiers too
 *
 * This function either allocates a new mmu_notifier via
 * ops->alloc_notifier(), or returns an already existing notifier on the
 * list. The value of the ops pointer is used to determine when two notifiers
 * are the same.
 *
 * Each call to mmu_notifier_get() must be paired with a call to
 * mmu_notifier_put(). The caller must hold the write side of mm->mmap_lock.
 *
 * While the caller has a mmu_notifier get the mm pointer will remain valid,
 * and can be converted to an active mm pointer via mmget_not_zero().
 */
struct mmu_notifier *mmu_notifier_get_locked(const struct mmu_notifier_ops *ops,
                                             struct mm_struct *mm)
{
        struct mmu_notifier *subscription;
        int ret;

        mmap_assert_write_locked(mm);

        if (mm->notifier_subscriptions) {
                subscription = find_get_mmu_notifier(mm, ops);
                if (subscription)
                        return subscription;
        }

        subscription = ops->alloc_notifier(mm);
        if (IS_ERR(subscription))
                return subscription;
        subscription->ops = ops;
        ret = __mmu_notifier_register(subscription, mm);
        if (ret)
                goto out_free;
        return subscription;
out_free:
        subscription->ops->free_notifier(subscription);
        return ERR_PTR(ret);
}
EXPORT_SYMBOL_GPL(mmu_notifier_get_locked);

/* this is called after the last mmu_notifier_unregister() returned */
void __mmu_notifier_subscriptions_destroy(struct mm_struct *mm)
{
        BUG_ON(!hlist_empty(&mm->notifier_subscriptions->list));
        kfree(mm->notifier_subscriptions);
        mm->notifier_subscriptions = LIST_POISON1; /* debug */
}

/*
 * This releases the mm_count pin automatically and frees the mm
 * structure if it was the last user of it. It serializes against
 * running mmu notifiers with SRCU and against mmu_notifier_unregister
 * with the unregister lock + SRCU. All sptes must be dropped before
 * calling mmu_notifier_unregister. ->release or any other notifier
 * method may be invoked concurrently with mmu_notifier_unregister,
 * and only after mmu_notifier_unregister returned we're guaranteed
 * that ->release or any other method can't run anymore.
 */
void mmu_notifier_unregister(struct mmu_notifier *subscription,
                             struct mm_struct *mm)
{
        BUG_ON(atomic_read(&mm->mm_count) <= 0);

        if (!hlist_unhashed(&subscription->hlist)) {
                /*
                 * SRCU here will force exit_mmap to wait for ->release to
                 * finish before freeing the pages.
                 */
                int id;

                id = srcu_read_lock(&srcu);
                /*
                 * exit_mmap will block in mmu_notifier_release to guarantee
                 * that ->release is called before freeing the pages.
                 */
                if (subscription->ops->release)
                        subscription->ops->release(subscription, mm);
                srcu_read_unlock(&srcu, id);

                spin_lock(&mm->notifier_subscriptions->lock);
                /*
                 * Can not use list_del_rcu() since __mmu_notifier_release
                 * can delete it before we hold the lock.
                 */
                hlist_del_init_rcu(&subscription->hlist);
                spin_unlock(&mm->notifier_subscriptions->lock);
        }

        /*
         * Wait for any running method to finish, of course including
         * ->release if it was run by mmu_notifier_release instead of us.
         */
        synchronize_srcu(&srcu);

        BUG_ON(atomic_read(&mm->mm_count) <= 0);

        mmdrop(mm);
}
EXPORT_SYMBOL_GPL(mmu_notifier_unregister);

static void mmu_notifier_free_rcu(struct rcu_head *rcu)
{
        struct mmu_notifier *subscription =
                container_of(rcu, struct mmu_notifier, rcu);
        struct mm_struct *mm = subscription->mm;

        subscription->ops->free_notifier(subscription);
        /* Pairs with the get in __mmu_notifier_register() */
        mmdrop(mm);
}

/**
 * mmu_notifier_put - Release the reference on the notifier
 * @subscription: The notifier to act on
 *
 * This function must be paired with each mmu_notifier_get(), it releases the
 * reference obtained by the get. If this is the last reference then process
 * to free the notifier will be run asynchronously.
 *
 * Unlike mmu_notifier_unregister() the get/put flow only calls ops->release
 * when the mm_struct is destroyed. Instead free_notifier is always called to
 * release any resources held by the user.
 *
 * As ops->release is not guaranteed to be called, the user must ensure that
 * all sptes are dropped, and no new sptes can be established before
 * mmu_notifier_put() is called.
 *
 * This function can be called from the ops->release callback, however the
 * caller must still ensure it is called pairwise with mmu_notifier_get().
 *
 * Modules calling this function must call mmu_notifier_synchronize() in
 * their __exit functions to ensure the async work is completed.
 */
void mmu_notifier_put(struct mmu_notifier *subscription)
{
        struct mm_struct *mm = subscription->mm;

        spin_lock(&mm->notifier_subscriptions->lock);
        if (WARN_ON(!subscription->users) || --subscription->users)
                goto out_unlock;
        hlist_del_init_rcu(&subscription->hlist);
        spin_unlock(&mm->notifier_subscriptions->lock);

        call_srcu(&srcu, &subscription->rcu, mmu_notifier_free_rcu);
        return;

out_unlock:
        spin_unlock(&mm->notifier_subscriptions->lock);
}
EXPORT_SYMBOL_GPL(mmu_notifier_put);

static int __mmu_interval_notifier_insert(
        struct mmu_interval_notifier *interval_sub, struct mm_struct *mm,
        struct mmu_notifier_subscriptions *subscriptions, unsigned long start,
        unsigned long length, const struct mmu_interval_notifier_ops *ops)
{
        interval_sub->mm = mm;
        interval_sub->ops = ops;
        RB_CLEAR_NODE(&interval_sub->interval_tree.rb);
        interval_sub->interval_tree.start = start;
        /*
         * Note that the representation of the intervals in the interval tree
         * considers the ending point as contained in the interval.
         */
        if (length == 0 ||
            check_add_overflow(start, length - 1,
                               &interval_sub->interval_tree.last))
                return -EOVERFLOW;

        /* Must call with a mmget() held */
        if (WARN_ON(atomic_read(&mm->mm_users) <= 0))
                return -EINVAL;

        /* pairs with mmdrop in mmu_interval_notifier_remove() */
        mmgrab(mm);

        /*
         * If some invalidate_range_start/end region is going on in parallel
         * we don't know what VA ranges are affected, so we must assume this
         * new range is included.
         *
         * If the itree is invalidating then we are not allowed to change
         * it. Retrying until invalidation is done is tricky due to the
         * possibility for live lock, instead defer the add to
         * mn_itree_inv_end() so this algorithm is deterministic.
         *
         * In all cases the value for the interval_sub->invalidate_seq should be
         * odd, see mmu_interval_read_begin()
         */
        spin_lock(&subscriptions->lock);
        if (subscriptions->active_invalidate_ranges) {
                if (mn_itree_is_invalidating(subscriptions))
                        hlist_add_head(&interval_sub->deferred_item,
                                       &subscriptions->deferred_list);
                else {
                        subscriptions->invalidate_seq |= 1;
                        interval_tree_insert(&interval_sub->interval_tree,
                                             &subscriptions->itree);
                }
                interval_sub->invalidate_seq = subscriptions->invalidate_seq;
        } else {
                WARN_ON(mn_itree_is_invalidating(subscriptions));
                /*
                 * The starting seq for a subscription not under invalidation
                 * should be odd, not equal to the current invalidate_seq and
                 * invalidate_seq should not 'wrap' to the new seq any time
                 * soon.
                 */
                interval_sub->invalidate_seq =
                        subscriptions->invalidate_seq - 1;
                interval_tree_insert(&interval_sub->interval_tree,
                                     &subscriptions->itree);
        }
        spin_unlock(&subscriptions->lock);
        return 0;
}

/**
 * mmu_interval_notifier_insert - Insert an interval notifier
 * @interval_sub: Interval subscription to register
 * @start: Starting virtual address to monitor
 * @length: Length of the range to monitor
 * @mm: mm_struct to attach to
 * @ops: Interval notifier operations to be called on matching events
 *
 * This function subscribes the interval notifier for notifications from the
 * mm.  Upon return the ops related to mmu_interval_notifier will be called
 * whenever an event that intersects with the given range occurs.
 *
 * Upon return the range_notifier may not be present in the interval tree yet.
 * The caller must use the normal interval notifier read flow via
 * mmu_interval_read_begin() to establish SPTEs for this range.
 */
int mmu_interval_notifier_insert(struct mmu_interval_notifier *interval_sub,
                                 struct mm_struct *mm, unsigned long start,
                                 unsigned long length,
                                 const struct mmu_interval_notifier_ops *ops)
{
        struct mmu_notifier_subscriptions *subscriptions;

        int ret;

        might_lock(&mm->mmap_lock);

        subscriptions = smp_load_acquire(&mm->notifier_subscriptions);
        if (!subscriptions || !subscriptions->has_itree) {
                ret = mmu_notifier_register(NULL, mm);
                if (ret)
                        return ret;
                subscriptions = mm->notifier_subscriptions;
        }
        return __mmu_interval_notifier_insert(interval_sub, mm, subscriptions,
                                              start, length, ops);
}
EXPORT_SYMBOL_GPL(mmu_interval_notifier_insert);

int mmu_interval_notifier_insert_locked(
        struct mmu_interval_notifier *interval_sub, struct mm_struct *mm,
        unsigned long start, unsigned long length,
        const struct mmu_interval_notifier_ops *ops)
{
        struct mmu_notifier_subscriptions *subscriptions =
                mm->notifier_subscriptions;
        int ret;

        mmap_assert_write_locked(mm);

        if (!subscriptions || !subscriptions->has_itree) {
                ret = __mmu_notifier_register(NULL, mm);
                if (ret)
                        return ret;
                subscriptions = mm->notifier_subscriptions;
        }
        return __mmu_interval_notifier_insert(interval_sub, mm, subscriptions,
                                              start, length, ops);
}
EXPORT_SYMBOL_GPL(mmu_interval_notifier_insert_locked);

/**
 * mmu_interval_notifier_remove - Remove a interval notifier
 * @interval_sub: Interval subscription to unregister
 *
 * This function must be paired with mmu_interval_notifier_insert(). It cannot
 * be called from any ops callback.
 *
 * Once this returns ops callbacks are no longer running on other CPUs and
 * will not be called in future.
 */
void mmu_interval_notifier_remove(struct mmu_interval_notifier *interval_sub)
{
        struct mm_struct *mm = interval_sub->mm;
        struct mmu_notifier_subscriptions *subscriptions =
                mm->notifier_subscriptions;
        unsigned long seq = 0;

        might_sleep();

        spin_lock(&subscriptions->lock);
        if (mn_itree_is_invalidating(subscriptions)) {
                /*
                 * remove is being called after insert put this on the
                 * deferred list, but before the deferred list was processed.
                 */
                if (RB_EMPTY_NODE(&interval_sub->interval_tree.rb)) {
                        hlist_del(&interval_sub->deferred_item);
                } else {
                        hlist_add_head(&interval_sub->deferred_item,
                                       &subscriptions->deferred_list);
                        seq = subscriptions->invalidate_seq;
                }
        } else {
                WARN_ON(RB_EMPTY_NODE(&interval_sub->interval_tree.rb));
                interval_tree_remove(&interval_sub->interval_tree,
                                     &subscriptions->itree);
        }
        spin_unlock(&subscriptions->lock);

        /*
         * The possible sleep on progress in the invalidation requires the
         * caller not hold any locks held by invalidation callbacks.
         */
        lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
        lock_map_release(&__mmu_notifier_invalidate_range_start_map);
        if (seq)
                wait_event(subscriptions->wq,
                           READ_ONCE(subscriptions->invalidate_seq) != seq);

        /* pairs with mmgrab in mmu_interval_notifier_insert() */
        mmdrop(mm);
}
EXPORT_SYMBOL_GPL(mmu_interval_notifier_remove);

/**
 * mmu_notifier_synchronize - Ensure all mmu_notifiers are freed
 *
 * This function ensures that all outstanding async SRU work from
 * mmu_notifier_put() is completed. After it returns any mmu_notifier_ops
 * associated with an unused mmu_notifier will no longer be called.
 *
 * Before using the caller must ensure that all of its mmu_notifiers have been
 * fully released via mmu_notifier_put().
 *
 * Modules using the mmu_notifier_put() API should call this in their __exit
 * function to avoid module unloading races.
 */
void mmu_notifier_synchronize(void)
{
        synchronize_srcu(&srcu);
}
EXPORT_SYMBOL_GPL(mmu_notifier_synchronize);

bool
mmu_notifier_range_update_to_read_only(const struct mmu_notifier_range *range)
{
        if (!range->vma || range->event != MMU_NOTIFY_PROTECTION_VMA)
                return false;
        /* Return true if the vma still have the read flag set. */
        return range->vma->vm_flags & VM_READ;
}
EXPORT_SYMBOL_GPL(mmu_notifier_range_update_to_read_only);