tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

userfaultfd: introduce mfill_copy_folio_locked() helper

Patch series "mm, kvm: allow uffd support in guest_memfd", v4.

These patches enable support for userfaultfd in guest_memfd.

As the groundwork I refactored userfaultfd handling of PTE-based memory
types (anonymous and shmem) and converted them to use vm_uffd_ops for
allocating a folio or getting an existing folio from the page cache.
shmem also implements callbacks that add a folio to the page cache after
the data passed in UFFDIO_COPY was copied and remove the folio from the
page cache if page table update fails.

In order for guest_memfd to notify userspace about page faults, there are
new VM_FAULT_UFFD_MINOR and VM_FAULT_UFFD_MISSING that a ->fault() handler
can return to inform the page fault handler that it needs to call
handle_userfault() to complete the fault.

Nikita helped to plumb these new goodies into guest_memfd and provided
basic tests to verify that guest_memfd works with userfaultfd. The
handling of UFFDIO_MISSING in guest_memfd requires ability to remove a
folio from page cache, the best way I could find was exporting
filemap_remove_folio() to KVM.

I deliberately left hugetlb out, at least for the most part. hugetlb
handles acquisition of VMA and more importantly establishing of parent
page table entry differently than PTE-based memory types. This is a
different abstraction level than what vm_uffd_ops provides and people
objected to exposing such low level APIs as a part of VMA operations.

Also, to enable uffd in guest_memfd refactoring of hugetlb is not needed
and I prefer to delay it until the dust settles after the changes in this
set.


This patch (of 4):

Split copying of data when locks held from mfill_atomic_pte_copy() into a
helper function mfill_copy_folio_locked().

This makes improves code readability and makes complex
mfill_atomic_pte_copy() function easier to comprehend.

No functional change.

Link: https://lore.kernel.org/20260402041156.1377214-1-rppt@kernel.org
Link: https://lore.kernel.org/20260402041156.1377214-2-rppt@kernel.org
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrei Vagin <avagin@google.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Houghton <jthoughton@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: Nikita Kalyazin <kalyazin@amazon.com>
Cc: David Carlier <devnexen@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by

Mike Rapoport (Microsoft) and committed by
Andrew Morton c0620487 dc44f32f

+35 -24
+35 -24
mm/userfaultfd.c
··· 238 238 return ret; 239 239 } 240 240 241 + static int mfill_copy_folio_locked(struct folio *folio, unsigned long src_addr) 242 + { 243 + void *kaddr; 244 + int ret; 245 + 246 + kaddr = kmap_local_folio(folio, 0); 247 + /* 248 + * The read mmap_lock is held here. Despite the 249 + * mmap_lock being read recursive a deadlock is still 250 + * possible if a writer has taken a lock. For example: 251 + * 252 + * process A thread 1 takes read lock on own mmap_lock 253 + * process A thread 2 calls mmap, blocks taking write lock 254 + * process B thread 1 takes page fault, read lock on own mmap lock 255 + * process B thread 2 calls mmap, blocks taking write lock 256 + * process A thread 1 blocks taking read lock on process B 257 + * process B thread 1 blocks taking read lock on process A 258 + * 259 + * Disable page faults to prevent potential deadlock 260 + * and retry the copy outside the mmap_lock. 261 + */ 262 + pagefault_disable(); 263 + ret = copy_from_user(kaddr, (const void __user *) src_addr, 264 + PAGE_SIZE); 265 + pagefault_enable(); 266 + kunmap_local(kaddr); 267 + 268 + if (ret) 269 + return -EFAULT; 270 + 271 + flush_dcache_folio(folio); 272 + return ret; 273 + } 274 + 241 275 static int mfill_atomic_pte_copy(pmd_t *dst_pmd, 242 276 struct vm_area_struct *dst_vma, 243 277 unsigned long dst_addr, ··· 279 245 uffd_flags_t flags, 280 246 struct folio **foliop) 281 247 { 282 - void *kaddr; 283 248 int ret; 284 249 struct folio *folio; 285 250 ··· 289 256 if (!folio) 290 257 goto out; 291 258 292 - kaddr = kmap_local_folio(folio, 0); 293 - /* 294 - * The read mmap_lock is held here. Despite the 295 - * mmap_lock being read recursive a deadlock is still 296 - * possible if a writer has taken a lock. For example: 297 - * 298 - * process A thread 1 takes read lock on own mmap_lock 299 - * process A thread 2 calls mmap, blocks taking write lock 300 - * process B thread 1 takes page fault, read lock on own mmap lock 301 - * process B thread 2 calls mmap, blocks taking write lock 302 - * process A thread 1 blocks taking read lock on process B 303 - * process B thread 1 blocks taking read lock on process A 304 - * 305 - * Disable page faults to prevent potential deadlock 306 - * and retry the copy outside the mmap_lock. 307 - */ 308 - pagefault_disable(); 309 - ret = copy_from_user(kaddr, (const void __user *) src_addr, 310 - PAGE_SIZE); 311 - pagefault_enable(); 312 - kunmap_local(kaddr); 259 + ret = mfill_copy_folio_locked(folio, src_addr); 313 260 314 261 /* fallback to copy_from_user outside mmap_lock */ 315 262 if (unlikely(ret)) { ··· 298 285 /* don't free the page */ 299 286 goto out; 300 287 } 301 - 302 - flush_dcache_folio(folio); 303 288 } else { 304 289 folio = *foliop; 305 290 *foliop = NULL;