Merge tag 'drm-fixes-2022-08-26-1' of git://anongit.freedesktop.org/drm/drm
[platform/kernel/linux-starfive.git] / mm / huge_memory.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Copyright (C) 2009  Red Hat, Inc.
4  */
5
6 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
7
8 #include <linux/mm.h>
9 #include <linux/sched.h>
10 #include <linux/sched/mm.h>
11 #include <linux/sched/coredump.h>
12 #include <linux/sched/numa_balancing.h>
13 #include <linux/highmem.h>
14 #include <linux/hugetlb.h>
15 #include <linux/mmu_notifier.h>
16 #include <linux/rmap.h>
17 #include <linux/swap.h>
18 #include <linux/shrinker.h>
19 #include <linux/mm_inline.h>
20 #include <linux/swapops.h>
21 #include <linux/backing-dev.h>
22 #include <linux/dax.h>
23 #include <linux/khugepaged.h>
24 #include <linux/freezer.h>
25 #include <linux/pfn_t.h>
26 #include <linux/mman.h>
27 #include <linux/memremap.h>
28 #include <linux/pagemap.h>
29 #include <linux/debugfs.h>
30 #include <linux/migrate.h>
31 #include <linux/hashtable.h>
32 #include <linux/userfaultfd_k.h>
33 #include <linux/page_idle.h>
34 #include <linux/shmem_fs.h>
35 #include <linux/oom.h>
36 #include <linux/numa.h>
37 #include <linux/page_owner.h>
38 #include <linux/sched/sysctl.h>
39
40 #include <asm/tlb.h>
41 #include <asm/pgalloc.h>
42 #include "internal.h"
43 #include "swap.h"
44
45 #define CREATE_TRACE_POINTS
46 #include <trace/events/thp.h>
47
48 /*
49  * By default, transparent hugepage support is disabled in order to avoid
50  * risking an increased memory footprint for applications that are not
51  * guaranteed to benefit from it. When transparent hugepage support is
52  * enabled, it is for all mappings, and khugepaged scans all mappings.
53  * Defrag is invoked by khugepaged hugepage allocations and by page faults
54  * for all hugepage allocations.
55  */
56 unsigned long transparent_hugepage_flags __read_mostly =
57 #ifdef CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS
58         (1<<TRANSPARENT_HUGEPAGE_FLAG)|
59 #endif
60 #ifdef CONFIG_TRANSPARENT_HUGEPAGE_MADVISE
61         (1<<TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG)|
62 #endif
63         (1<<TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG)|
64         (1<<TRANSPARENT_HUGEPAGE_DEFRAG_KHUGEPAGED_FLAG)|
65         (1<<TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG);
66
67 static struct shrinker deferred_split_shrinker;
68
69 static atomic_t huge_zero_refcount;
70 struct page *huge_zero_page __read_mostly;
71 unsigned long huge_zero_pfn __read_mostly = ~0UL;
72
73 bool hugepage_vma_check(struct vm_area_struct *vma,
74                         unsigned long vm_flags,
75                         bool smaps, bool in_pf)
76 {
77         if (!vma->vm_mm)                /* vdso */
78                 return false;
79
80         /*
81          * Explicitly disabled through madvise or prctl, or some
82          * architectures may disable THP for some mappings, for
83          * example, s390 kvm.
84          * */
85         if ((vm_flags & VM_NOHUGEPAGE) ||
86             test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))
87                 return false;
88         /*
89          * If the hardware/firmware marked hugepage support disabled.
90          */
91         if (transparent_hugepage_flags & (1 << TRANSPARENT_HUGEPAGE_NEVER_DAX))
92                 return false;
93
94         /* khugepaged doesn't collapse DAX vma, but page fault is fine. */
95         if (vma_is_dax(vma))
96                 return in_pf;
97
98         /*
99          * Special VMA and hugetlb VMA.
100          * Must be checked after dax since some dax mappings may have
101          * VM_MIXEDMAP set.
102          */
103         if (vm_flags & VM_NO_KHUGEPAGED)
104                 return false;
105
106         /*
107          * Check alignment for file vma and size for both file and anon vma.
108          *
109          * Skip the check for page fault. Huge fault does the check in fault
110          * handlers. And this check is not suitable for huge PUD fault.
111          */
112         if (!in_pf &&
113             !transhuge_vma_suitable(vma, (vma->vm_end - HPAGE_PMD_SIZE)))
114                 return false;
115
116         /*
117          * Enabled via shmem mount options or sysfs settings.
118          * Must be done before hugepage flags check since shmem has its
119          * own flags.
120          */
121         if (!in_pf && shmem_file(vma->vm_file))
122                 return shmem_huge_enabled(vma);
123
124         if (!hugepage_flags_enabled())
125                 return false;
126
127         /* THP settings require madvise. */
128         if (!(vm_flags & VM_HUGEPAGE) && !hugepage_flags_always())
129                 return false;
130
131         /* Only regular file is valid */
132         if (!in_pf && file_thp_enabled(vma))
133                 return true;
134
135         if (!vma_is_anonymous(vma))
136                 return false;
137
138         if (vma_is_temporary_stack(vma))
139                 return false;
140
141         /*
142          * THPeligible bit of smaps should show 1 for proper VMAs even
143          * though anon_vma is not initialized yet.
144          *
145          * Allow page fault since anon_vma may be not initialized until
146          * the first page fault.
147          */
148         if (!vma->anon_vma)
149                 return (smaps || in_pf);
150
151         return true;
152 }
153
154 static bool get_huge_zero_page(void)
155 {
156         struct page *zero_page;
157 retry:
158         if (likely(atomic_inc_not_zero(&huge_zero_refcount)))
159                 return true;
160
161         zero_page = alloc_pages((GFP_TRANSHUGE | __GFP_ZERO) & ~__GFP_MOVABLE,
162                         HPAGE_PMD_ORDER);
163         if (!zero_page) {
164                 count_vm_event(THP_ZERO_PAGE_ALLOC_FAILED);
165                 return false;
166         }
167         count_vm_event(THP_ZERO_PAGE_ALLOC);
168         preempt_disable();
169         if (cmpxchg(&huge_zero_page, NULL, zero_page)) {
170                 preempt_enable();
171                 __free_pages(zero_page, compound_order(zero_page));
172                 goto retry;
173         }
174         WRITE_ONCE(huge_zero_pfn, page_to_pfn(zero_page));
175
176         /* We take additional reference here. It will be put back by shrinker */
177         atomic_set(&huge_zero_refcount, 2);
178         preempt_enable();
179         return true;
180 }
181
182 static void put_huge_zero_page(void)
183 {
184         /*
185          * Counter should never go to zero here. Only shrinker can put
186          * last reference.
187          */
188         BUG_ON(atomic_dec_and_test(&huge_zero_refcount));
189 }
190
191 struct page *mm_get_huge_zero_page(struct mm_struct *mm)
192 {
193         if (test_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))
194                 return READ_ONCE(huge_zero_page);
195
196         if (!get_huge_zero_page())
197                 return NULL;
198
199         if (test_and_set_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))
200                 put_huge_zero_page();
201
202         return READ_ONCE(huge_zero_page);
203 }
204
205 void mm_put_huge_zero_page(struct mm_struct *mm)
206 {
207         if (test_bit(MMF_HUGE_ZERO_PAGE, &mm->flags))
208                 put_huge_zero_page();
209 }
210
211 static unsigned long shrink_huge_zero_page_count(struct shrinker *shrink,
212                                         struct shrink_control *sc)
213 {
214         /* we can free zero page only if last reference remains */
215         return atomic_read(&huge_zero_refcount) == 1 ? HPAGE_PMD_NR : 0;
216 }
217
218 static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink,
219                                        struct shrink_control *sc)
220 {
221         if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) {
222                 struct page *zero_page = xchg(&huge_zero_page, NULL);
223                 BUG_ON(zero_page == NULL);
224                 WRITE_ONCE(huge_zero_pfn, ~0UL);
225                 __free_pages(zero_page, compound_order(zero_page));
226                 return HPAGE_PMD_NR;
227         }
228
229         return 0;
230 }
231
232 static struct shrinker huge_zero_page_shrinker = {
233         .count_objects = shrink_huge_zero_page_count,
234         .scan_objects = shrink_huge_zero_page_scan,
235         .seeks = DEFAULT_SEEKS,
236 };
237
238 #ifdef CONFIG_SYSFS
239 static ssize_t enabled_show(struct kobject *kobj,
240                             struct kobj_attribute *attr, char *buf)
241 {
242         const char *output;
243
244         if (test_bit(TRANSPARENT_HUGEPAGE_FLAG, &transparent_hugepage_flags))
245                 output = "[always] madvise never";
246         else if (test_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,
247                           &transparent_hugepage_flags))
248                 output = "always [madvise] never";
249         else
250                 output = "always madvise [never]";
251
252         return sysfs_emit(buf, "%s\n", output);
253 }
254
255 static ssize_t enabled_store(struct kobject *kobj,
256                              struct kobj_attribute *attr,
257                              const char *buf, size_t count)
258 {
259         ssize_t ret = count;
260
261         if (sysfs_streq(buf, "always")) {
262                 clear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG, &transparent_hugepage_flags);
263                 set_bit(TRANSPARENT_HUGEPAGE_FLAG, &transparent_hugepage_flags);
264         } else if (sysfs_streq(buf, "madvise")) {
265                 clear_bit(TRANSPARENT_HUGEPAGE_FLAG, &transparent_hugepage_flags);
266                 set_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG, &transparent_hugepage_flags);
267         } else if (sysfs_streq(buf, "never")) {
268                 clear_bit(TRANSPARENT_HUGEPAGE_FLAG, &transparent_hugepage_flags);
269                 clear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG, &transparent_hugepage_flags);
270         } else
271                 ret = -EINVAL;
272
273         if (ret > 0) {
274                 int err = start_stop_khugepaged();
275                 if (err)
276                         ret = err;
277         }
278         return ret;
279 }
280
281 static struct kobj_attribute enabled_attr = __ATTR_RW(enabled);
282
283 ssize_t single_hugepage_flag_show(struct kobject *kobj,
284                                   struct kobj_attribute *attr, char *buf,
285                                   enum transparent_hugepage_flag flag)
286 {
287         return sysfs_emit(buf, "%d\n",
288                           !!test_bit(flag, &transparent_hugepage_flags));
289 }
290
291 ssize_t single_hugepage_flag_store(struct kobject *kobj,
292                                  struct kobj_attribute *attr,
293                                  const char *buf, size_t count,
294                                  enum transparent_hugepage_flag flag)
295 {
296         unsigned long value;
297         int ret;
298
299         ret = kstrtoul(buf, 10, &value);
300         if (ret < 0)
301                 return ret;
302         if (value > 1)
303                 return -EINVAL;
304
305         if (value)
306                 set_bit(flag, &transparent_hugepage_flags);
307         else
308                 clear_bit(flag, &transparent_hugepage_flags);
309
310         return count;
311 }
312
313 static ssize_t defrag_show(struct kobject *kobj,
314                            struct kobj_attribute *attr, char *buf)
315 {
316         const char *output;
317
318         if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG,
319                      &transparent_hugepage_flags))
320                 output = "[always] defer defer+madvise madvise never";
321         else if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG,
322                           &transparent_hugepage_flags))
323                 output = "always [defer] defer+madvise madvise never";
324         else if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG,
325                           &transparent_hugepage_flags))
326                 output = "always defer [defer+madvise] madvise never";
327         else if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG,
328                           &transparent_hugepage_flags))
329                 output = "always defer defer+madvise [madvise] never";
330         else
331                 output = "always defer defer+madvise madvise [never]";
332
333         return sysfs_emit(buf, "%s\n", output);
334 }
335
336 static ssize_t defrag_store(struct kobject *kobj,
337                             struct kobj_attribute *attr,
338                             const char *buf, size_t count)
339 {
340         if (sysfs_streq(buf, "always")) {
341                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags);
342                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags);
343                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags);
344                 set_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags);
345         } else if (sysfs_streq(buf, "defer+madvise")) {
346                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags);
347                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags);
348                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags);
349                 set_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags);
350         } else if (sysfs_streq(buf, "defer")) {
351                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags);
352                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags);
353                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags);
354                 set_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags);
355         } else if (sysfs_streq(buf, "madvise")) {
356                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags);
357                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags);
358                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags);
359                 set_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags);
360         } else if (sysfs_streq(buf, "never")) {
361                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags);
362                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags);
363                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags);
364                 clear_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags);
365         } else
366                 return -EINVAL;
367
368         return count;
369 }
370 static struct kobj_attribute defrag_attr = __ATTR_RW(defrag);
371
372 static ssize_t use_zero_page_show(struct kobject *kobj,
373                                   struct kobj_attribute *attr, char *buf)
374 {
375         return single_hugepage_flag_show(kobj, attr, buf,
376                                          TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG);
377 }
378 static ssize_t use_zero_page_store(struct kobject *kobj,
379                 struct kobj_attribute *attr, const char *buf, size_t count)
380 {
381         return single_hugepage_flag_store(kobj, attr, buf, count,
382                                  TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG);
383 }
384 static struct kobj_attribute use_zero_page_attr = __ATTR_RW(use_zero_page);
385
386 static ssize_t hpage_pmd_size_show(struct kobject *kobj,
387                                    struct kobj_attribute *attr, char *buf)
388 {
389         return sysfs_emit(buf, "%lu\n", HPAGE_PMD_SIZE);
390 }
391 static struct kobj_attribute hpage_pmd_size_attr =
392         __ATTR_RO(hpage_pmd_size);
393
394 static struct attribute *hugepage_attr[] = {
395         &enabled_attr.attr,
396         &defrag_attr.attr,
397         &use_zero_page_attr.attr,
398         &hpage_pmd_size_attr.attr,
399 #ifdef CONFIG_SHMEM
400         &shmem_enabled_attr.attr,
401 #endif
402         NULL,
403 };
404
405 static const struct attribute_group hugepage_attr_group = {
406         .attrs = hugepage_attr,
407 };
408
409 static int __init hugepage_init_sysfs(struct kobject **hugepage_kobj)
410 {
411         int err;
412
413         *hugepage_kobj = kobject_create_and_add("transparent_hugepage", mm_kobj);
414         if (unlikely(!*hugepage_kobj)) {
415                 pr_err("failed to create transparent hugepage kobject\n");
416                 return -ENOMEM;
417         }
418
419         err = sysfs_create_group(*hugepage_kobj, &hugepage_attr_group);
420         if (err) {
421                 pr_err("failed to register transparent hugepage group\n");
422                 goto delete_obj;
423         }
424
425         err = sysfs_create_group(*hugepage_kobj, &khugepaged_attr_group);
426         if (err) {
427                 pr_err("failed to register transparent hugepage group\n");
428                 goto remove_hp_group;
429         }
430
431         return 0;
432
433 remove_hp_group:
434         sysfs_remove_group(*hugepage_kobj, &hugepage_attr_group);
435 delete_obj:
436         kobject_put(*hugepage_kobj);
437         return err;
438 }
439
440 static void __init hugepage_exit_sysfs(struct kobject *hugepage_kobj)
441 {
442         sysfs_remove_group(hugepage_kobj, &khugepaged_attr_group);
443         sysfs_remove_group(hugepage_kobj, &hugepage_attr_group);
444         kobject_put(hugepage_kobj);
445 }
446 #else
447 static inline int hugepage_init_sysfs(struct kobject **hugepage_kobj)
448 {
449         return 0;
450 }
451
452 static inline void hugepage_exit_sysfs(struct kobject *hugepage_kobj)
453 {
454 }
455 #endif /* CONFIG_SYSFS */
456
457 static int __init hugepage_init(void)
458 {
459         int err;
460         struct kobject *hugepage_kobj;
461
462         if (!has_transparent_hugepage()) {
463                 /*
464                  * Hardware doesn't support hugepages, hence disable
465                  * DAX PMD support.
466                  */
467                 transparent_hugepage_flags = 1 << TRANSPARENT_HUGEPAGE_NEVER_DAX;
468                 return -EINVAL;
469         }
470
471         /*
472          * hugepages can't be allocated by the buddy allocator
473          */
474         MAYBE_BUILD_BUG_ON(HPAGE_PMD_ORDER >= MAX_ORDER);
475         /*
476          * we use page->mapping and page->index in second tail page
477          * as list_head: assuming THP order >= 2
478          */
479         MAYBE_BUILD_BUG_ON(HPAGE_PMD_ORDER < 2);
480
481         err = hugepage_init_sysfs(&hugepage_kobj);
482         if (err)
483                 goto err_sysfs;
484
485         err = khugepaged_init();
486         if (err)
487                 goto err_slab;
488
489         err = register_shrinker(&huge_zero_page_shrinker, "thp-zero");
490         if (err)
491                 goto err_hzp_shrinker;
492         err = register_shrinker(&deferred_split_shrinker, "thp-deferred_split");
493         if (err)
494                 goto err_split_shrinker;
495
496         /*
497          * By default disable transparent hugepages on smaller systems,
498          * where the extra memory used could hurt more than TLB overhead
499          * is likely to save.  The admin can still enable it through /sys.
500          */
501         if (totalram_pages() < (512 << (20 - PAGE_SHIFT))) {
502                 transparent_hugepage_flags = 0;
503                 return 0;
504         }
505
506         err = start_stop_khugepaged();
507         if (err)
508                 goto err_khugepaged;
509
510         return 0;
511 err_khugepaged:
512         unregister_shrinker(&deferred_split_shrinker);
513 err_split_shrinker:
514         unregister_shrinker(&huge_zero_page_shrinker);
515 err_hzp_shrinker:
516         khugepaged_destroy();
517 err_slab:
518         hugepage_exit_sysfs(hugepage_kobj);
519 err_sysfs:
520         return err;
521 }
522 subsys_initcall(hugepage_init);
523
524 static int __init setup_transparent_hugepage(char *str)
525 {
526         int ret = 0;
527         if (!str)
528                 goto out;
529         if (!strcmp(str, "always")) {
530                 set_bit(TRANSPARENT_HUGEPAGE_FLAG,
531                         &transparent_hugepage_flags);
532                 clear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,
533                           &transparent_hugepage_flags);
534                 ret = 1;
535         } else if (!strcmp(str, "madvise")) {
536                 clear_bit(TRANSPARENT_HUGEPAGE_FLAG,
537                           &transparent_hugepage_flags);
538                 set_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,
539                         &transparent_hugepage_flags);
540                 ret = 1;
541         } else if (!strcmp(str, "never")) {
542                 clear_bit(TRANSPARENT_HUGEPAGE_FLAG,
543                           &transparent_hugepage_flags);
544                 clear_bit(TRANSPARENT_HUGEPAGE_REQ_MADV_FLAG,
545                           &transparent_hugepage_flags);
546                 ret = 1;
547         }
548 out:
549         if (!ret)
550                 pr_warn("transparent_hugepage= cannot parse, ignored\n");
551         return ret;
552 }
553 __setup("transparent_hugepage=", setup_transparent_hugepage);
554
555 pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma)
556 {
557         if (likely(vma->vm_flags & VM_WRITE))
558                 pmd = pmd_mkwrite(pmd);
559         return pmd;
560 }
561
562 #ifdef CONFIG_MEMCG
563 static inline struct deferred_split *get_deferred_split_queue(struct page *page)
564 {
565         struct mem_cgroup *memcg = page_memcg(compound_head(page));
566         struct pglist_data *pgdat = NODE_DATA(page_to_nid(page));
567
568         if (memcg)
569                 return &memcg->deferred_split_queue;
570         else
571                 return &pgdat->deferred_split_queue;
572 }
573 #else
574 static inline struct deferred_split *get_deferred_split_queue(struct page *page)
575 {
576         struct pglist_data *pgdat = NODE_DATA(page_to_nid(page));
577
578         return &pgdat->deferred_split_queue;
579 }
580 #endif
581
582 void prep_transhuge_page(struct page *page)
583 {
584         /*
585          * we use page->mapping and page->index in second tail page
586          * as list_head: assuming THP order >= 2
587          */
588
589         INIT_LIST_HEAD(page_deferred_list(page));
590         set_compound_page_dtor(page, TRANSHUGE_PAGE_DTOR);
591 }
592
593 static inline bool is_transparent_hugepage(struct page *page)
594 {
595         if (!PageCompound(page))
596                 return false;
597
598         page = compound_head(page);
599         return is_huge_zero_page(page) ||
600                page[1].compound_dtor == TRANSHUGE_PAGE_DTOR;
601 }
602
603 static unsigned long __thp_get_unmapped_area(struct file *filp,
604                 unsigned long addr, unsigned long len,
605                 loff_t off, unsigned long flags, unsigned long size)
606 {
607         loff_t off_end = off + len;
608         loff_t off_align = round_up(off, size);
609         unsigned long len_pad, ret;
610
611         if (off_end <= off_align || (off_end - off_align) < size)
612                 return 0;
613
614         len_pad = len + size;
615         if (len_pad < len || (off + len_pad) < off)
616                 return 0;
617
618         ret = current->mm->get_unmapped_area(filp, addr, len_pad,
619                                               off >> PAGE_SHIFT, flags);
620
621         /*
622          * The failure might be due to length padding. The caller will retry
623          * without the padding.
624          */
625         if (IS_ERR_VALUE(ret))
626                 return 0;
627
628         /*
629          * Do not try to align to THP boundary if allocation at the address
630          * hint succeeds.
631          */
632         if (ret == addr)
633                 return addr;
634
635         ret += (off - ret) & (size - 1);
636         return ret;
637 }
638
639 unsigned long thp_get_unmapped_area(struct file *filp, unsigned long addr,
640                 unsigned long len, unsigned long pgoff, unsigned long flags)
641 {
642         unsigned long ret;
643         loff_t off = (loff_t)pgoff << PAGE_SHIFT;
644
645         ret = __thp_get_unmapped_area(filp, addr, len, off, flags, PMD_SIZE);
646         if (ret)
647                 return ret;
648
649         return current->mm->get_unmapped_area(filp, addr, len, pgoff, flags);
650 }
651 EXPORT_SYMBOL_GPL(thp_get_unmapped_area);
652
653 static vm_fault_t __do_huge_pmd_anonymous_page(struct vm_fault *vmf,
654                         struct page *page, gfp_t gfp)
655 {
656         struct vm_area_struct *vma = vmf->vma;
657         pgtable_t pgtable;
658         unsigned long haddr = vmf->address & HPAGE_PMD_MASK;
659         vm_fault_t ret = 0;
660
661         VM_BUG_ON_PAGE(!PageCompound(page), page);
662
663         if (mem_cgroup_charge(page_folio(page), vma->vm_mm, gfp)) {
664                 put_page(page);
665                 count_vm_event(THP_FAULT_FALLBACK);
666                 count_vm_event(THP_FAULT_FALLBACK_CHARGE);
667                 return VM_FAULT_FALLBACK;
668         }
669         cgroup_throttle_swaprate(page, gfp);
670
671         pgtable = pte_alloc_one(vma->vm_mm);
672         if (unlikely(!pgtable)) {
673                 ret = VM_FAULT_OOM;
674                 goto release;
675         }
676
677         clear_huge_page(page, vmf->address, HPAGE_PMD_NR);
678         /*
679          * The memory barrier inside __SetPageUptodate makes sure that
680          * clear_huge_page writes become visible before the set_pmd_at()
681          * write.
682          */
683         __SetPageUptodate(page);
684
685         vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
686         if (unlikely(!pmd_none(*vmf->pmd))) {
687                 goto unlock_release;
688         } else {
689                 pmd_t entry;
690
691                 ret = check_stable_address_space(vma->vm_mm);
692                 if (ret)
693                         goto unlock_release;
694
695                 /* Deliver the page fault to userland */
696                 if (userfaultfd_missing(vma)) {
697                         spin_unlock(vmf->ptl);
698                         put_page(page);
699                         pte_free(vma->vm_mm, pgtable);
700                         ret = handle_userfault(vmf, VM_UFFD_MISSING);
701                         VM_BUG_ON(ret & VM_FAULT_FALLBACK);
702                         return ret;
703                 }
704
705                 entry = mk_huge_pmd(page, vma->vm_page_prot);
706                 entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
707                 page_add_new_anon_rmap(page, vma, haddr);
708                 lru_cache_add_inactive_or_unevictable(page, vma);
709                 pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
710                 set_pmd_at(vma->vm_mm, haddr, vmf->pmd, entry);
711                 update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
712                 add_mm_counter(vma->vm_mm, MM_ANONPAGES, HPAGE_PMD_NR);
713                 mm_inc_nr_ptes(vma->vm_mm);
714                 spin_unlock(vmf->ptl);
715                 count_vm_event(THP_FAULT_ALLOC);
716                 count_memcg_event_mm(vma->vm_mm, THP_FAULT_ALLOC);
717         }
718
719         return 0;
720 unlock_release:
721         spin_unlock(vmf->ptl);
722 release:
723         if (pgtable)
724                 pte_free(vma->vm_mm, pgtable);
725         put_page(page);
726         return ret;
727
728 }
729
730 /*
731  * always: directly stall for all thp allocations
732  * defer: wake kswapd and fail if not immediately available
733  * defer+madvise: wake kswapd and directly stall for MADV_HUGEPAGE, otherwise
734  *                fail if not immediately available
735  * madvise: directly stall for MADV_HUGEPAGE, otherwise fail if not immediately
736  *          available
737  * never: never stall for any thp allocation
738  */
739 gfp_t vma_thp_gfp_mask(struct vm_area_struct *vma)
740 {
741         const bool vma_madvised = vma && (vma->vm_flags & VM_HUGEPAGE);
742
743         /* Always do synchronous compaction */
744         if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_DIRECT_FLAG, &transparent_hugepage_flags))
745                 return GFP_TRANSHUGE | (vma_madvised ? 0 : __GFP_NORETRY);
746
747         /* Kick kcompactd and fail quickly */
748         if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_FLAG, &transparent_hugepage_flags))
749                 return GFP_TRANSHUGE_LIGHT | __GFP_KSWAPD_RECLAIM;
750
751         /* Synchronous compaction if madvised, otherwise kick kcompactd */
752         if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_KSWAPD_OR_MADV_FLAG, &transparent_hugepage_flags))
753                 return GFP_TRANSHUGE_LIGHT |
754                         (vma_madvised ? __GFP_DIRECT_RECLAIM :
755                                         __GFP_KSWAPD_RECLAIM);
756
757         /* Only do synchronous compaction if madvised */
758         if (test_bit(TRANSPARENT_HUGEPAGE_DEFRAG_REQ_MADV_FLAG, &transparent_hugepage_flags))
759                 return GFP_TRANSHUGE_LIGHT |
760                        (vma_madvised ? __GFP_DIRECT_RECLAIM : 0);
761
762         return GFP_TRANSHUGE_LIGHT;
763 }
764
765 /* Caller must hold page table lock. */
766 static void set_huge_zero_page(pgtable_t pgtable, struct mm_struct *mm,
767                 struct vm_area_struct *vma, unsigned long haddr, pmd_t *pmd,
768                 struct page *zero_page)
769 {
770         pmd_t entry;
771         if (!pmd_none(*pmd))
772                 return;
773         entry = mk_pmd(zero_page, vma->vm_page_prot);
774         entry = pmd_mkhuge(entry);
775         if (pgtable)
776                 pgtable_trans_huge_deposit(mm, pmd, pgtable);
777         set_pmd_at(mm, haddr, pmd, entry);
778         mm_inc_nr_ptes(mm);
779 }
780
781 vm_fault_t do_huge_pmd_anonymous_page(struct vm_fault *vmf)
782 {
783         struct vm_area_struct *vma = vmf->vma;
784         gfp_t gfp;
785         struct folio *folio;
786         unsigned long haddr = vmf->address & HPAGE_PMD_MASK;
787
788         if (!transhuge_vma_suitable(vma, haddr))
789                 return VM_FAULT_FALLBACK;
790         if (unlikely(anon_vma_prepare(vma)))
791                 return VM_FAULT_OOM;
792         khugepaged_enter_vma(vma, vma->vm_flags);
793
794         if (!(vmf->flags & FAULT_FLAG_WRITE) &&
795                         !mm_forbids_zeropage(vma->vm_mm) &&
796                         transparent_hugepage_use_zero_page()) {
797                 pgtable_t pgtable;
798                 struct page *zero_page;
799                 vm_fault_t ret;
800                 pgtable = pte_alloc_one(vma->vm_mm);
801                 if (unlikely(!pgtable))
802                         return VM_FAULT_OOM;
803                 zero_page = mm_get_huge_zero_page(vma->vm_mm);
804                 if (unlikely(!zero_page)) {
805                         pte_free(vma->vm_mm, pgtable);
806                         count_vm_event(THP_FAULT_FALLBACK);
807                         return VM_FAULT_FALLBACK;
808                 }
809                 vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
810                 ret = 0;
811                 if (pmd_none(*vmf->pmd)) {
812                         ret = check_stable_address_space(vma->vm_mm);
813                         if (ret) {
814                                 spin_unlock(vmf->ptl);
815                                 pte_free(vma->vm_mm, pgtable);
816                         } else if (userfaultfd_missing(vma)) {
817                                 spin_unlock(vmf->ptl);
818                                 pte_free(vma->vm_mm, pgtable);
819                                 ret = handle_userfault(vmf, VM_UFFD_MISSING);
820                                 VM_BUG_ON(ret & VM_FAULT_FALLBACK);
821                         } else {
822                                 set_huge_zero_page(pgtable, vma->vm_mm, vma,
823                                                    haddr, vmf->pmd, zero_page);
824                                 update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
825                                 spin_unlock(vmf->ptl);
826                         }
827                 } else {
828                         spin_unlock(vmf->ptl);
829                         pte_free(vma->vm_mm, pgtable);
830                 }
831                 return ret;
832         }
833         gfp = vma_thp_gfp_mask(vma);
834         folio = vma_alloc_folio(gfp, HPAGE_PMD_ORDER, vma, haddr, true);
835         if (unlikely(!folio)) {
836                 count_vm_event(THP_FAULT_FALLBACK);
837                 return VM_FAULT_FALLBACK;
838         }
839         return __do_huge_pmd_anonymous_page(vmf, &folio->page, gfp);
840 }
841
842 static void insert_pfn_pmd(struct vm_area_struct *vma, unsigned long addr,
843                 pmd_t *pmd, pfn_t pfn, pgprot_t prot, bool write,
844                 pgtable_t pgtable)
845 {
846         struct mm_struct *mm = vma->vm_mm;
847         pmd_t entry;
848         spinlock_t *ptl;
849
850         ptl = pmd_lock(mm, pmd);
851         if (!pmd_none(*pmd)) {
852                 if (write) {
853                         if (pmd_pfn(*pmd) != pfn_t_to_pfn(pfn)) {
854                                 WARN_ON_ONCE(!is_huge_zero_pmd(*pmd));
855                                 goto out_unlock;
856                         }
857                         entry = pmd_mkyoung(*pmd);
858                         entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
859                         if (pmdp_set_access_flags(vma, addr, pmd, entry, 1))
860                                 update_mmu_cache_pmd(vma, addr, pmd);
861                 }
862
863                 goto out_unlock;
864         }
865
866         entry = pmd_mkhuge(pfn_t_pmd(pfn, prot));
867         if (pfn_t_devmap(pfn))
868                 entry = pmd_mkdevmap(entry);
869         if (write) {
870                 entry = pmd_mkyoung(pmd_mkdirty(entry));
871                 entry = maybe_pmd_mkwrite(entry, vma);
872         }
873
874         if (pgtable) {
875                 pgtable_trans_huge_deposit(mm, pmd, pgtable);
876                 mm_inc_nr_ptes(mm);
877                 pgtable = NULL;
878         }
879
880         set_pmd_at(mm, addr, pmd, entry);
881         update_mmu_cache_pmd(vma, addr, pmd);
882
883 out_unlock:
884         spin_unlock(ptl);
885         if (pgtable)
886                 pte_free(mm, pgtable);
887 }
888
889 /**
890  * vmf_insert_pfn_pmd_prot - insert a pmd size pfn
891  * @vmf: Structure describing the fault
892  * @pfn: pfn to insert
893  * @pgprot: page protection to use
894  * @write: whether it's a write fault
895  *
896  * Insert a pmd size pfn. See vmf_insert_pfn() for additional info and
897  * also consult the vmf_insert_mixed_prot() documentation when
898  * @pgprot != @vmf->vma->vm_page_prot.
899  *
900  * Return: vm_fault_t value.
901  */
902 vm_fault_t vmf_insert_pfn_pmd_prot(struct vm_fault *vmf, pfn_t pfn,
903                                    pgprot_t pgprot, bool write)
904 {
905         unsigned long addr = vmf->address & PMD_MASK;
906         struct vm_area_struct *vma = vmf->vma;
907         pgtable_t pgtable = NULL;
908
909         /*
910          * If we had pmd_special, we could avoid all these restrictions,
911          * but we need to be consistent with PTEs and architectures that
912          * can't support a 'special' bit.
913          */
914         BUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&
915                         !pfn_t_devmap(pfn));
916         BUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==
917                                                 (VM_PFNMAP|VM_MIXEDMAP));
918         BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
919
920         if (addr < vma->vm_start || addr >= vma->vm_end)
921                 return VM_FAULT_SIGBUS;
922
923         if (arch_needs_pgtable_deposit()) {
924                 pgtable = pte_alloc_one(vma->vm_mm);
925                 if (!pgtable)
926                         return VM_FAULT_OOM;
927         }
928
929         track_pfn_insert(vma, &pgprot, pfn);
930
931         insert_pfn_pmd(vma, addr, vmf->pmd, pfn, pgprot, write, pgtable);
932         return VM_FAULT_NOPAGE;
933 }
934 EXPORT_SYMBOL_GPL(vmf_insert_pfn_pmd_prot);
935
936 #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
937 static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma)
938 {
939         if (likely(vma->vm_flags & VM_WRITE))
940                 pud = pud_mkwrite(pud);
941         return pud;
942 }
943
944 static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr,
945                 pud_t *pud, pfn_t pfn, pgprot_t prot, bool write)
946 {
947         struct mm_struct *mm = vma->vm_mm;
948         pud_t entry;
949         spinlock_t *ptl;
950
951         ptl = pud_lock(mm, pud);
952         if (!pud_none(*pud)) {
953                 if (write) {
954                         if (pud_pfn(*pud) != pfn_t_to_pfn(pfn)) {
955                                 WARN_ON_ONCE(!is_huge_zero_pud(*pud));
956                                 goto out_unlock;
957                         }
958                         entry = pud_mkyoung(*pud);
959                         entry = maybe_pud_mkwrite(pud_mkdirty(entry), vma);
960                         if (pudp_set_access_flags(vma, addr, pud, entry, 1))
961                                 update_mmu_cache_pud(vma, addr, pud);
962                 }
963                 goto out_unlock;
964         }
965
966         entry = pud_mkhuge(pfn_t_pud(pfn, prot));
967         if (pfn_t_devmap(pfn))
968                 entry = pud_mkdevmap(entry);
969         if (write) {
970                 entry = pud_mkyoung(pud_mkdirty(entry));
971                 entry = maybe_pud_mkwrite(entry, vma);
972         }
973         set_pud_at(mm, addr, pud, entry);
974         update_mmu_cache_pud(vma, addr, pud);
975
976 out_unlock:
977         spin_unlock(ptl);
978 }
979
980 /**
981  * vmf_insert_pfn_pud_prot - insert a pud size pfn
982  * @vmf: Structure describing the fault
983  * @pfn: pfn to insert
984  * @pgprot: page protection to use
985  * @write: whether it's a write fault
986  *
987  * Insert a pud size pfn. See vmf_insert_pfn() for additional info and
988  * also consult the vmf_insert_mixed_prot() documentation when
989  * @pgprot != @vmf->vma->vm_page_prot.
990  *
991  * Return: vm_fault_t value.
992  */
993 vm_fault_t vmf_insert_pfn_pud_prot(struct vm_fault *vmf, pfn_t pfn,
994                                    pgprot_t pgprot, bool write)
995 {
996         unsigned long addr = vmf->address & PUD_MASK;
997         struct vm_area_struct *vma = vmf->vma;
998
999         /*
1000          * If we had pud_special, we could avoid all these restrictions,
1001          * but we need to be consistent with PTEs and architectures that
1002          * can't support a 'special' bit.
1003          */
1004         BUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) &&
1005                         !pfn_t_devmap(pfn));
1006         BUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==
1007                                                 (VM_PFNMAP|VM_MIXEDMAP));
1008         BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
1009
1010         if (addr < vma->vm_start || addr >= vma->vm_end)
1011                 return VM_FAULT_SIGBUS;
1012
1013         track_pfn_insert(vma, &pgprot, pfn);
1014
1015         insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write);
1016         return VM_FAULT_NOPAGE;
1017 }
1018 EXPORT_SYMBOL_GPL(vmf_insert_pfn_pud_prot);
1019 #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
1020
1021 static void touch_pmd(struct vm_area_struct *vma, unsigned long addr,
1022                       pmd_t *pmd, bool write)
1023 {
1024         pmd_t _pmd;
1025
1026         _pmd = pmd_mkyoung(*pmd);
1027         if (write)
1028                 _pmd = pmd_mkdirty(_pmd);
1029         if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
1030                                   pmd, _pmd, write))
1031                 update_mmu_cache_pmd(vma, addr, pmd);
1032 }
1033
1034 struct page *follow_devmap_pmd(struct vm_area_struct *vma, unsigned long addr,
1035                 pmd_t *pmd, int flags, struct dev_pagemap **pgmap)
1036 {
1037         unsigned long pfn = pmd_pfn(*pmd);
1038         struct mm_struct *mm = vma->vm_mm;
1039         struct page *page;
1040
1041         assert_spin_locked(pmd_lockptr(mm, pmd));
1042
1043         /* FOLL_GET and FOLL_PIN are mutually exclusive. */
1044         if (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==
1045                          (FOLL_PIN | FOLL_GET)))
1046                 return NULL;
1047
1048         if (flags & FOLL_WRITE && !pmd_write(*pmd))
1049                 return NULL;
1050
1051         if (pmd_present(*pmd) && pmd_devmap(*pmd))
1052                 /* pass */;
1053         else
1054                 return NULL;
1055
1056         if (flags & FOLL_TOUCH)
1057                 touch_pmd(vma, addr, pmd, flags & FOLL_WRITE);
1058
1059         /*
1060          * device mapped pages can only be returned if the
1061          * caller will manage the page reference count.
1062          */
1063         if (!(flags & (FOLL_GET | FOLL_PIN)))
1064                 return ERR_PTR(-EEXIST);
1065
1066         pfn += (addr & ~PMD_MASK) >> PAGE_SHIFT;
1067         *pgmap = get_dev_pagemap(pfn, *pgmap);
1068         if (!*pgmap)
1069                 return ERR_PTR(-EFAULT);
1070         page = pfn_to_page(pfn);
1071         if (!try_grab_page(page, flags))
1072                 page = ERR_PTR(-ENOMEM);
1073
1074         return page;
1075 }
1076
1077 int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
1078                   pmd_t *dst_pmd, pmd_t *src_pmd, unsigned long addr,
1079                   struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
1080 {
1081         spinlock_t *dst_ptl, *src_ptl;
1082         struct page *src_page;
1083         pmd_t pmd;
1084         pgtable_t pgtable = NULL;
1085         int ret = -ENOMEM;
1086
1087         /* Skip if can be re-fill on fault */
1088         if (!vma_is_anonymous(dst_vma))
1089                 return 0;
1090
1091         pgtable = pte_alloc_one(dst_mm);
1092         if (unlikely(!pgtable))
1093                 goto out;
1094
1095         dst_ptl = pmd_lock(dst_mm, dst_pmd);
1096         src_ptl = pmd_lockptr(src_mm, src_pmd);
1097         spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
1098
1099         ret = -EAGAIN;
1100         pmd = *src_pmd;
1101
1102 #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
1103         if (unlikely(is_swap_pmd(pmd))) {
1104                 swp_entry_t entry = pmd_to_swp_entry(pmd);
1105
1106                 VM_BUG_ON(!is_pmd_migration_entry(pmd));
1107                 if (!is_readable_migration_entry(entry)) {
1108                         entry = make_readable_migration_entry(
1109                                                         swp_offset(entry));
1110                         pmd = swp_entry_to_pmd(entry);
1111                         if (pmd_swp_soft_dirty(*src_pmd))
1112                                 pmd = pmd_swp_mksoft_dirty(pmd);
1113                         if (pmd_swp_uffd_wp(*src_pmd))
1114                                 pmd = pmd_swp_mkuffd_wp(pmd);
1115                         set_pmd_at(src_mm, addr, src_pmd, pmd);
1116                 }
1117                 add_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR);
1118                 mm_inc_nr_ptes(dst_mm);
1119                 pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);
1120                 if (!userfaultfd_wp(dst_vma))
1121                         pmd = pmd_swp_clear_uffd_wp(pmd);
1122                 set_pmd_at(dst_mm, addr, dst_pmd, pmd);
1123                 ret = 0;
1124                 goto out_unlock;
1125         }
1126 #endif
1127
1128         if (unlikely(!pmd_trans_huge(pmd))) {
1129                 pte_free(dst_mm, pgtable);
1130                 goto out_unlock;
1131         }
1132         /*
1133          * When page table lock is held, the huge zero pmd should not be
1134          * under splitting since we don't split the page itself, only pmd to
1135          * a page table.
1136          */
1137         if (is_huge_zero_pmd(pmd)) {
1138                 /*
1139                  * get_huge_zero_page() will never allocate a new page here,
1140                  * since we already have a zero page to copy. It just takes a
1141                  * reference.
1142                  */
1143                 mm_get_huge_zero_page(dst_mm);
1144                 goto out_zero_page;
1145         }
1146
1147         src_page = pmd_page(pmd);
1148         VM_BUG_ON_PAGE(!PageHead(src_page), src_page);
1149
1150         get_page(src_page);
1151         if (unlikely(page_try_dup_anon_rmap(src_page, true, src_vma))) {
1152                 /* Page maybe pinned: split and retry the fault on PTEs. */
1153                 put_page(src_page);
1154                 pte_free(dst_mm, pgtable);
1155                 spin_unlock(src_ptl);
1156                 spin_unlock(dst_ptl);
1157                 __split_huge_pmd(src_vma, src_pmd, addr, false, NULL);
1158                 return -EAGAIN;
1159         }
1160         add_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR);
1161 out_zero_page:
1162         mm_inc_nr_ptes(dst_mm);
1163         pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);
1164         pmdp_set_wrprotect(src_mm, addr, src_pmd);
1165         if (!userfaultfd_wp(dst_vma))
1166                 pmd = pmd_clear_uffd_wp(pmd);
1167         pmd = pmd_mkold(pmd_wrprotect(pmd));
1168         set_pmd_at(dst_mm, addr, dst_pmd, pmd);
1169
1170         ret = 0;
1171 out_unlock:
1172         spin_unlock(src_ptl);
1173         spin_unlock(dst_ptl);
1174 out:
1175         return ret;
1176 }
1177
1178 #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
1179 static void touch_pud(struct vm_area_struct *vma, unsigned long addr,
1180                       pud_t *pud, bool write)
1181 {
1182         pud_t _pud;
1183
1184         _pud = pud_mkyoung(*pud);
1185         if (write)
1186                 _pud = pud_mkdirty(_pud);
1187         if (pudp_set_access_flags(vma, addr & HPAGE_PUD_MASK,
1188                                   pud, _pud, write))
1189                 update_mmu_cache_pud(vma, addr, pud);
1190 }
1191
1192 struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
1193                 pud_t *pud, int flags, struct dev_pagemap **pgmap)
1194 {
1195         unsigned long pfn = pud_pfn(*pud);
1196         struct mm_struct *mm = vma->vm_mm;
1197         struct page *page;
1198
1199         assert_spin_locked(pud_lockptr(mm, pud));
1200
1201         if (flags & FOLL_WRITE && !pud_write(*pud))
1202                 return NULL;
1203
1204         /* FOLL_GET and FOLL_PIN are mutually exclusive. */
1205         if (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==
1206                          (FOLL_PIN | FOLL_GET)))
1207                 return NULL;
1208
1209         if (pud_present(*pud) && pud_devmap(*pud))
1210                 /* pass */;
1211         else
1212                 return NULL;
1213
1214         if (flags & FOLL_TOUCH)
1215                 touch_pud(vma, addr, pud, flags & FOLL_WRITE);
1216
1217         /*
1218          * device mapped pages can only be returned if the
1219          * caller will manage the page reference count.
1220          *
1221          * At least one of FOLL_GET | FOLL_PIN must be set, so assert that here:
1222          */
1223         if (!(flags & (FOLL_GET | FOLL_PIN)))
1224                 return ERR_PTR(-EEXIST);
1225
1226         pfn += (addr & ~PUD_MASK) >> PAGE_SHIFT;
1227         *pgmap = get_dev_pagemap(pfn, *pgmap);
1228         if (!*pgmap)
1229                 return ERR_PTR(-EFAULT);
1230         page = pfn_to_page(pfn);
1231         if (!try_grab_page(page, flags))
1232                 page = ERR_PTR(-ENOMEM);
1233
1234         return page;
1235 }
1236
1237 int copy_huge_pud(struct mm_struct *dst_mm, struct mm_struct *src_mm,
1238                   pud_t *dst_pud, pud_t *src_pud, unsigned long addr,
1239                   struct vm_area_struct *vma)
1240 {
1241         spinlock_t *dst_ptl, *src_ptl;
1242         pud_t pud;
1243         int ret;
1244
1245         dst_ptl = pud_lock(dst_mm, dst_pud);
1246         src_ptl = pud_lockptr(src_mm, src_pud);
1247         spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);
1248
1249         ret = -EAGAIN;
1250         pud = *src_pud;
1251         if (unlikely(!pud_trans_huge(pud) && !pud_devmap(pud)))
1252                 goto out_unlock;
1253
1254         /*
1255          * When page table lock is held, the huge zero pud should not be
1256          * under splitting since we don't split the page itself, only pud to
1257          * a page table.
1258          */
1259         if (is_huge_zero_pud(pud)) {
1260                 /* No huge zero pud yet */
1261         }
1262
1263         /*
1264          * TODO: once we support anonymous pages, use page_try_dup_anon_rmap()
1265          * and split if duplicating fails.
1266          */
1267         pudp_set_wrprotect(src_mm, addr, src_pud);
1268         pud = pud_mkold(pud_wrprotect(pud));
1269         set_pud_at(dst_mm, addr, dst_pud, pud);
1270
1271         ret = 0;
1272 out_unlock:
1273         spin_unlock(src_ptl);
1274         spin_unlock(dst_ptl);
1275         return ret;
1276 }
1277
1278 void huge_pud_set_accessed(struct vm_fault *vmf, pud_t orig_pud)
1279 {
1280         bool write = vmf->flags & FAULT_FLAG_WRITE;
1281
1282         vmf->ptl = pud_lock(vmf->vma->vm_mm, vmf->pud);
1283         if (unlikely(!pud_same(*vmf->pud, orig_pud)))
1284                 goto unlock;
1285
1286         touch_pud(vmf->vma, vmf->address, vmf->pud, write);
1287 unlock:
1288         spin_unlock(vmf->ptl);
1289 }
1290 #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
1291
1292 void huge_pmd_set_accessed(struct vm_fault *vmf)
1293 {
1294         bool write = vmf->flags & FAULT_FLAG_WRITE;
1295
1296         vmf->ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);
1297         if (unlikely(!pmd_same(*vmf->pmd, vmf->orig_pmd)))
1298                 goto unlock;
1299
1300         touch_pmd(vmf->vma, vmf->address, vmf->pmd, write);
1301
1302 unlock:
1303         spin_unlock(vmf->ptl);
1304 }
1305
1306 vm_fault_t do_huge_pmd_wp_page(struct vm_fault *vmf)
1307 {
1308         const bool unshare = vmf->flags & FAULT_FLAG_UNSHARE;
1309         struct vm_area_struct *vma = vmf->vma;
1310         struct page *page;
1311         unsigned long haddr = vmf->address & HPAGE_PMD_MASK;
1312         pmd_t orig_pmd = vmf->orig_pmd;
1313
1314         vmf->ptl = pmd_lockptr(vma->vm_mm, vmf->pmd);
1315         VM_BUG_ON_VMA(!vma->anon_vma, vma);
1316
1317         VM_BUG_ON(unshare && (vmf->flags & FAULT_FLAG_WRITE));
1318         VM_BUG_ON(!unshare && !(vmf->flags & FAULT_FLAG_WRITE));
1319
1320         if (is_huge_zero_pmd(orig_pmd))
1321                 goto fallback;
1322
1323         spin_lock(vmf->ptl);
1324
1325         if (unlikely(!pmd_same(*vmf->pmd, orig_pmd))) {
1326                 spin_unlock(vmf->ptl);
1327                 return 0;
1328         }
1329
1330         page = pmd_page(orig_pmd);
1331         VM_BUG_ON_PAGE(!PageHead(page), page);
1332
1333         /* Early check when only holding the PT lock. */
1334         if (PageAnonExclusive(page))
1335                 goto reuse;
1336
1337         if (!trylock_page(page)) {
1338                 get_page(page);
1339                 spin_unlock(vmf->ptl);
1340                 lock_page(page);
1341                 spin_lock(vmf->ptl);
1342                 if (unlikely(!pmd_same(*vmf->pmd, orig_pmd))) {
1343                         spin_unlock(vmf->ptl);
1344                         unlock_page(page);
1345                         put_page(page);
1346                         return 0;
1347                 }
1348                 put_page(page);
1349         }
1350
1351         /* Recheck after temporarily dropping the PT lock. */
1352         if (PageAnonExclusive(page)) {
1353                 unlock_page(page);
1354                 goto reuse;
1355         }
1356
1357         /*
1358          * See do_wp_page(): we can only reuse the page exclusively if there are
1359          * no additional references. Note that we always drain the LRU
1360          * pagevecs immediately after adding a THP.
1361          */
1362         if (page_count(page) > 1 + PageSwapCache(page) * thp_nr_pages(page))
1363                 goto unlock_fallback;
1364         if (PageSwapCache(page))
1365                 try_to_free_swap(page);
1366         if (page_count(page) == 1) {
1367                 pmd_t entry;
1368
1369                 page_move_anon_rmap(page, vma);
1370                 unlock_page(page);
1371 reuse:
1372                 if (unlikely(unshare)) {
1373                         spin_unlock(vmf->ptl);
1374                         return 0;
1375                 }
1376                 entry = pmd_mkyoung(orig_pmd);
1377                 entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
1378                 if (pmdp_set_access_flags(vma, haddr, vmf->pmd, entry, 1))
1379                         update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
1380                 spin_unlock(vmf->ptl);
1381                 return VM_FAULT_WRITE;
1382         }
1383
1384 unlock_fallback:
1385         unlock_page(page);
1386         spin_unlock(vmf->ptl);
1387 fallback:
1388         __split_huge_pmd(vma, vmf->pmd, vmf->address, false, NULL);
1389         return VM_FAULT_FALLBACK;
1390 }
1391
1392 /* FOLL_FORCE can write to even unwritable PMDs in COW mappings. */
1393 static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page,
1394                                         struct vm_area_struct *vma,
1395                                         unsigned int flags)
1396 {
1397         /* If the pmd is writable, we can write to the page. */
1398         if (pmd_write(pmd))
1399                 return true;
1400
1401         /* Maybe FOLL_FORCE is set to override it? */
1402         if (!(flags & FOLL_FORCE))
1403                 return false;
1404
1405         /* But FOLL_FORCE has no effect on shared mappings */
1406         if (vma->vm_flags & (VM_MAYSHARE | VM_SHARED))
1407                 return false;
1408
1409         /* ... or read-only private ones */
1410         if (!(vma->vm_flags & VM_MAYWRITE))
1411                 return false;
1412
1413         /* ... or already writable ones that just need to take a write fault */
1414         if (vma->vm_flags & VM_WRITE)
1415                 return false;
1416
1417         /*
1418          * See can_change_pte_writable(): we broke COW and could map the page
1419          * writable if we have an exclusive anonymous page ...
1420          */
1421         if (!page || !PageAnon(page) || !PageAnonExclusive(page))
1422                 return false;
1423
1424         /* ... and a write-fault isn't required for other reasons. */
1425         if (vma_soft_dirty_enabled(vma) && !pmd_soft_dirty(pmd))
1426                 return false;
1427         return !userfaultfd_huge_pmd_wp(vma, pmd);
1428 }
1429
1430 struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
1431                                    unsigned long addr,
1432                                    pmd_t *pmd,
1433                                    unsigned int flags)
1434 {
1435         struct mm_struct *mm = vma->vm_mm;
1436         struct page *page;
1437
1438         assert_spin_locked(pmd_lockptr(mm, pmd));
1439
1440         page = pmd_page(*pmd);
1441         VM_BUG_ON_PAGE(!PageHead(page) && !is_zone_device_page(page), page);
1442
1443         if ((flags & FOLL_WRITE) &&
1444             !can_follow_write_pmd(*pmd, page, vma, flags))
1445                 return NULL;
1446
1447         /* Avoid dumping huge zero page */
1448         if ((flags & FOLL_DUMP) && is_huge_zero_pmd(*pmd))
1449                 return ERR_PTR(-EFAULT);
1450
1451         /* Full NUMA hinting faults to serialise migration in fault paths */
1452         if ((flags & FOLL_NUMA) && pmd_protnone(*pmd))
1453                 return NULL;
1454
1455         if (!pmd_write(*pmd) && gup_must_unshare(flags, page))
1456                 return ERR_PTR(-EMLINK);
1457
1458         VM_BUG_ON_PAGE((flags & FOLL_PIN) && PageAnon(page) &&
1459                         !PageAnonExclusive(page), page);
1460
1461         if (!try_grab_page(page, flags))
1462                 return ERR_PTR(-ENOMEM);
1463
1464         if (flags & FOLL_TOUCH)
1465                 touch_pmd(vma, addr, pmd, flags & FOLL_WRITE);
1466
1467         page += (addr & ~HPAGE_PMD_MASK) >> PAGE_SHIFT;
1468         VM_BUG_ON_PAGE(!PageCompound(page) && !is_zone_device_page(page), page);
1469
1470         return page;
1471 }
1472
1473 /* NUMA hinting page fault entry point for trans huge pmds */
1474 vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
1475 {
1476         struct vm_area_struct *vma = vmf->vma;
1477         pmd_t oldpmd = vmf->orig_pmd;
1478         pmd_t pmd;
1479         struct page *page;
1480         unsigned long haddr = vmf->address & HPAGE_PMD_MASK;
1481         int page_nid = NUMA_NO_NODE;
1482         int target_nid, last_cpupid = -1;
1483         bool migrated = false;
1484         bool was_writable = pmd_savedwrite(oldpmd);
1485         int flags = 0;
1486
1487         vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
1488         if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
1489                 spin_unlock(vmf->ptl);
1490                 goto out;
1491         }
1492
1493         pmd = pmd_modify(oldpmd, vma->vm_page_prot);
1494         page = vm_normal_page_pmd(vma, haddr, pmd);
1495         if (!page)
1496                 goto out_map;
1497
1498         /* See similar comment in do_numa_page for explanation */
1499         if (!was_writable)
1500                 flags |= TNF_NO_GROUP;
1501
1502         page_nid = page_to_nid(page);
1503         last_cpupid = page_cpupid_last(page);
1504         target_nid = numa_migrate_prep(page, vma, haddr, page_nid,
1505                                        &flags);
1506
1507         if (target_nid == NUMA_NO_NODE) {
1508                 put_page(page);
1509                 goto out_map;
1510         }
1511
1512         spin_unlock(vmf->ptl);
1513
1514         migrated = migrate_misplaced_page(page, vma, target_nid);
1515         if (migrated) {
1516                 flags |= TNF_MIGRATED;
1517                 page_nid = target_nid;
1518         } else {
1519                 flags |= TNF_MIGRATE_FAIL;
1520                 vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
1521                 if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
1522                         spin_unlock(vmf->ptl);
1523                         goto out;
1524                 }
1525                 goto out_map;
1526         }
1527
1528 out:
1529         if (page_nid != NUMA_NO_NODE)
1530                 task_numa_fault(last_cpupid, page_nid, HPAGE_PMD_NR,
1531                                 flags);
1532
1533         return 0;
1534
1535 out_map:
1536         /* Restore the PMD */
1537         pmd = pmd_modify(oldpmd, vma->vm_page_prot);
1538         pmd = pmd_mkyoung(pmd);
1539         if (was_writable)
1540                 pmd = pmd_mkwrite(pmd);
1541         set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd);
1542         update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
1543         spin_unlock(vmf->ptl);
1544         goto out;
1545 }
1546
1547 /*
1548  * Return true if we do MADV_FREE successfully on entire pmd page.
1549  * Otherwise, return false.
1550  */
1551 bool madvise_free_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
1552                 pmd_t *pmd, unsigned long addr, unsigned long next)
1553 {
1554         spinlock_t *ptl;
1555         pmd_t orig_pmd;
1556         struct page *page;
1557         struct mm_struct *mm = tlb->mm;
1558         bool ret = false;
1559
1560         tlb_change_page_size(tlb, HPAGE_PMD_SIZE);
1561
1562         ptl = pmd_trans_huge_lock(pmd, vma);
1563         if (!ptl)
1564                 goto out_unlocked;
1565
1566         orig_pmd = *pmd;
1567         if (is_huge_zero_pmd(orig_pmd))
1568                 goto out;
1569
1570         if (unlikely(!pmd_present(orig_pmd))) {
1571                 VM_BUG_ON(thp_migration_supported() &&
1572                                   !is_pmd_migration_entry(orig_pmd));
1573                 goto out;
1574         }
1575
1576         page = pmd_page(orig_pmd);
1577         /*
1578          * If other processes are mapping this page, we couldn't discard
1579          * the page unless they all do MADV_FREE so let's skip the page.
1580          */
1581         if (total_mapcount(page) != 1)
1582                 goto out;
1583
1584         if (!trylock_page(page))
1585                 goto out;
1586
1587         /*
1588          * If user want to discard part-pages of THP, split it so MADV_FREE
1589          * will deactivate only them.
1590          */
1591         if (next - addr != HPAGE_PMD_SIZE) {
1592                 get_page(page);
1593                 spin_unlock(ptl);
1594                 split_huge_page(page);
1595                 unlock_page(page);
1596                 put_page(page);
1597                 goto out_unlocked;
1598         }
1599
1600         if (PageDirty(page))
1601                 ClearPageDirty(page);
1602         unlock_page(page);
1603
1604         if (pmd_young(orig_pmd) || pmd_dirty(orig_pmd)) {
1605                 pmdp_invalidate(vma, addr, pmd);
1606                 orig_pmd = pmd_mkold(orig_pmd);
1607                 orig_pmd = pmd_mkclean(orig_pmd);
1608
1609                 set_pmd_at(mm, addr, pmd, orig_pmd);
1610                 tlb_remove_pmd_tlb_entry(tlb, pmd, addr);
1611         }
1612
1613         mark_page_lazyfree(page);
1614         ret = true;
1615 out:
1616         spin_unlock(ptl);
1617 out_unlocked:
1618         return ret;
1619 }
1620
1621 static inline void zap_deposited_table(struct mm_struct *mm, pmd_t *pmd)
1622 {
1623         pgtable_t pgtable;
1624
1625         pgtable = pgtable_trans_huge_withdraw(mm, pmd);
1626         pte_free(mm, pgtable);
1627         mm_dec_nr_ptes(mm);
1628 }
1629
1630 int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
1631                  pmd_t *pmd, unsigned long addr)
1632 {
1633         pmd_t orig_pmd;
1634         spinlock_t *ptl;
1635
1636         tlb_change_page_size(tlb, HPAGE_PMD_SIZE);
1637
1638         ptl = __pmd_trans_huge_lock(pmd, vma);
1639         if (!ptl)
1640                 return 0;
1641         /*
1642          * For architectures like ppc64 we look at deposited pgtable
1643          * when calling pmdp_huge_get_and_clear. So do the
1644          * pgtable_trans_huge_withdraw after finishing pmdp related
1645          * operations.
1646          */
1647         orig_pmd = pmdp_huge_get_and_clear_full(vma, addr, pmd,
1648                                                 tlb->fullmm);
1649         tlb_remove_pmd_tlb_entry(tlb, pmd, addr);
1650         if (vma_is_special_huge(vma)) {
1651                 if (arch_needs_pgtable_deposit())
1652                         zap_deposited_table(tlb->mm, pmd);
1653                 spin_unlock(ptl);
1654         } else if (is_huge_zero_pmd(orig_pmd)) {
1655                 zap_deposited_table(tlb->mm, pmd);
1656                 spin_unlock(ptl);
1657         } else {
1658                 struct page *page = NULL;
1659                 int flush_needed = 1;
1660
1661                 if (pmd_present(orig_pmd)) {
1662                         page = pmd_page(orig_pmd);
1663                         page_remove_rmap(page, vma, true);
1664                         VM_BUG_ON_PAGE(page_mapcount(page) < 0, page);
1665                         VM_BUG_ON_PAGE(!PageHead(page), page);
1666                 } else if (thp_migration_supported()) {
1667                         swp_entry_t entry;
1668
1669                         VM_BUG_ON(!is_pmd_migration_entry(orig_pmd));
1670                         entry = pmd_to_swp_entry(orig_pmd);
1671                         page = pfn_swap_entry_to_page(entry);
1672                         flush_needed = 0;
1673                 } else
1674                         WARN_ONCE(1, "Non present huge pmd without pmd migration enabled!");
1675
1676                 if (PageAnon(page)) {
1677                         zap_deposited_table(tlb->mm, pmd);
1678                         add_mm_counter(tlb->mm, MM_ANONPAGES, -HPAGE_PMD_NR);
1679                 } else {
1680                         if (arch_needs_pgtable_deposit())
1681                                 zap_deposited_table(tlb->mm, pmd);
1682                         add_mm_counter(tlb->mm, mm_counter_file(page), -HPAGE_PMD_NR);
1683                 }
1684
1685                 spin_unlock(ptl);
1686                 if (flush_needed)
1687                         tlb_remove_page_size(tlb, page, HPAGE_PMD_SIZE);
1688         }
1689         return 1;
1690 }
1691
1692 #ifndef pmd_move_must_withdraw
1693 static inline int pmd_move_must_withdraw(spinlock_t *new_pmd_ptl,
1694                                          spinlock_t *old_pmd_ptl,
1695                                          struct vm_area_struct *vma)
1696 {
1697         /*
1698          * With split pmd lock we also need to move preallocated
1699          * PTE page table if new_pmd is on different PMD page table.
1700          *
1701          * We also don't deposit and withdraw tables for file pages.
1702          */
1703         return (new_pmd_ptl != old_pmd_ptl) && vma_is_anonymous(vma);
1704 }
1705 #endif
1706
1707 static pmd_t move_soft_dirty_pmd(pmd_t pmd)
1708 {
1709 #ifdef CONFIG_MEM_SOFT_DIRTY
1710         if (unlikely(is_pmd_migration_entry(pmd)))
1711                 pmd = pmd_swp_mksoft_dirty(pmd);
1712         else if (pmd_present(pmd))
1713                 pmd = pmd_mksoft_dirty(pmd);
1714 #endif
1715         return pmd;
1716 }
1717
1718 bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
1719                   unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd)
1720 {
1721         spinlock_t *old_ptl, *new_ptl;
1722         pmd_t pmd;
1723         struct mm_struct *mm = vma->vm_mm;
1724         bool force_flush = false;
1725
1726         /*
1727          * The destination pmd shouldn't be established, free_pgtables()
1728          * should have release it.
1729          */
1730         if (WARN_ON(!pmd_none(*new_pmd))) {
1731                 VM_BUG_ON(pmd_trans_huge(*new_pmd));
1732                 return false;
1733         }
1734
1735         /*
1736          * We don't have to worry about the ordering of src and dst
1737          * ptlocks because exclusive mmap_lock prevents deadlock.
1738          */
1739         old_ptl = __pmd_trans_huge_lock(old_pmd, vma);
1740         if (old_ptl) {
1741                 new_ptl = pmd_lockptr(mm, new_pmd);
1742                 if (new_ptl != old_ptl)
1743                         spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);
1744                 pmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd);
1745                 if (pmd_present(pmd))
1746                         force_flush = true;
1747                 VM_BUG_ON(!pmd_none(*new_pmd));
1748
1749                 if (pmd_move_must_withdraw(new_ptl, old_ptl, vma)) {
1750                         pgtable_t pgtable;
1751                         pgtable = pgtable_trans_huge_withdraw(mm, old_pmd);
1752                         pgtable_trans_huge_deposit(mm, new_pmd, pgtable);
1753                 }
1754                 pmd = move_soft_dirty_pmd(pmd);
1755                 set_pmd_at(mm, new_addr, new_pmd, pmd);
1756                 if (force_flush)
1757                         flush_pmd_tlb_range(vma, old_addr, old_addr + PMD_SIZE);
1758                 if (new_ptl != old_ptl)
1759                         spin_unlock(new_ptl);
1760                 spin_unlock(old_ptl);
1761                 return true;
1762         }
1763         return false;
1764 }
1765
1766 /*
1767  * Returns
1768  *  - 0 if PMD could not be locked
1769  *  - 1 if PMD was locked but protections unchanged and TLB flush unnecessary
1770  *      or if prot_numa but THP migration is not supported
1771  *  - HPAGE_PMD_NR if protections changed and TLB flush necessary
1772  */
1773 int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
1774                     pmd_t *pmd, unsigned long addr, pgprot_t newprot,
1775                     unsigned long cp_flags)
1776 {
1777         struct mm_struct *mm = vma->vm_mm;
1778         spinlock_t *ptl;
1779         pmd_t oldpmd, entry;
1780         bool preserve_write;
1781         int ret;
1782         bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
1783         bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
1784         bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
1785
1786         tlb_change_page_size(tlb, HPAGE_PMD_SIZE);
1787
1788         if (prot_numa && !thp_migration_supported())
1789                 return 1;
1790
1791         ptl = __pmd_trans_huge_lock(pmd, vma);
1792         if (!ptl)
1793                 return 0;
1794
1795         preserve_write = prot_numa && pmd_write(*pmd);
1796         ret = 1;
1797
1798 #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
1799         if (is_swap_pmd(*pmd)) {
1800                 swp_entry_t entry = pmd_to_swp_entry(*pmd);
1801                 struct page *page = pfn_swap_entry_to_page(entry);
1802
1803                 VM_BUG_ON(!is_pmd_migration_entry(*pmd));
1804                 if (is_writable_migration_entry(entry)) {
1805                         pmd_t newpmd;
1806                         /*
1807                          * A protection check is difficult so
1808                          * just be safe and disable write
1809                          */
1810                         if (PageAnon(page))
1811                                 entry = make_readable_exclusive_migration_entry(swp_offset(entry));
1812                         else
1813                                 entry = make_readable_migration_entry(swp_offset(entry));
1814                         newpmd = swp_entry_to_pmd(entry);
1815                         if (pmd_swp_soft_dirty(*pmd))
1816                                 newpmd = pmd_swp_mksoft_dirty(newpmd);
1817                         if (pmd_swp_uffd_wp(*pmd))
1818                                 newpmd = pmd_swp_mkuffd_wp(newpmd);
1819                         set_pmd_at(mm, addr, pmd, newpmd);
1820                 }
1821                 goto unlock;
1822         }
1823 #endif
1824
1825         if (prot_numa) {
1826                 struct page *page;
1827                 /*
1828                  * Avoid trapping faults against the zero page. The read-only
1829                  * data is likely to be read-cached on the local CPU and
1830                  * local/remote hits to the zero page are not interesting.
1831                  */
1832                 if (is_huge_zero_pmd(*pmd))
1833                         goto unlock;
1834
1835                 if (pmd_protnone(*pmd))
1836                         goto unlock;
1837
1838                 page = pmd_page(*pmd);
1839                 /*
1840                  * Skip scanning top tier node if normal numa
1841                  * balancing is disabled
1842                  */
1843                 if (!(sysctl_numa_balancing_mode & NUMA_BALANCING_NORMAL) &&
1844                     node_is_toptier(page_to_nid(page)))
1845                         goto unlock;
1846         }
1847         /*
1848          * In case prot_numa, we are under mmap_read_lock(mm). It's critical
1849          * to not clear pmd intermittently to avoid race with MADV_DONTNEED
1850          * which is also under mmap_read_lock(mm):
1851          *
1852          *      CPU0:                           CPU1:
1853          *                              change_huge_pmd(prot_numa=1)
1854          *                               pmdp_huge_get_and_clear_notify()
1855          * madvise_dontneed()
1856          *  zap_pmd_range()
1857          *   pmd_trans_huge(*pmd) == 0 (without ptl)
1858          *   // skip the pmd
1859          *                               set_pmd_at();
1860          *                               // pmd is re-established
1861          *
1862          * The race makes MADV_DONTNEED miss the huge pmd and don't clear it
1863          * which may break userspace.
1864          *
1865          * pmdp_invalidate_ad() is required to make sure we don't miss
1866          * dirty/young flags set by hardware.
1867          */
1868         oldpmd = pmdp_invalidate_ad(vma, addr, pmd);
1869
1870         entry = pmd_modify(oldpmd, newprot);
1871         if (preserve_write)
1872                 entry = pmd_mk_savedwrite(entry);
1873         if (uffd_wp) {
1874                 entry = pmd_wrprotect(entry);
1875                 entry = pmd_mkuffd_wp(entry);
1876         } else if (uffd_wp_resolve) {
1877                 /*
1878                  * Leave the write bit to be handled by PF interrupt
1879                  * handler, then things like COW could be properly
1880                  * handled.
1881                  */
1882                 entry = pmd_clear_uffd_wp(entry);
1883         }
1884         ret = HPAGE_PMD_NR;
1885         set_pmd_at(mm, addr, pmd, entry);
1886
1887         if (huge_pmd_needs_flush(oldpmd, entry))
1888                 tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE);
1889
1890         BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry));
1891 unlock:
1892         spin_unlock(ptl);
1893         return ret;
1894 }
1895
1896 /*
1897  * Returns page table lock pointer if a given pmd maps a thp, NULL otherwise.
1898  *
1899  * Note that if it returns page table lock pointer, this routine returns without
1900  * unlocking page table lock. So callers must unlock it.
1901  */
1902 spinlock_t *__pmd_trans_huge_lock(pmd_t *pmd, struct vm_area_struct *vma)
1903 {
1904         spinlock_t *ptl;
1905         ptl = pmd_lock(vma->vm_mm, pmd);
1906         if (likely(is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) ||
1907                         pmd_devmap(*pmd)))
1908                 return ptl;
1909         spin_unlock(ptl);
1910         return NULL;
1911 }
1912
1913 /*
1914  * Returns page table lock pointer if a given pud maps a thp, NULL otherwise.
1915  *
1916  * Note that if it returns page table lock pointer, this routine returns without
1917  * unlocking page table lock. So callers must unlock it.
1918  */
1919 spinlock_t *__pud_trans_huge_lock(pud_t *pud, struct vm_area_struct *vma)
1920 {
1921         spinlock_t *ptl;
1922
1923         ptl = pud_lock(vma->vm_mm, pud);
1924         if (likely(pud_trans_huge(*pud) || pud_devmap(*pud)))
1925                 return ptl;
1926         spin_unlock(ptl);
1927         return NULL;
1928 }
1929
1930 #ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD
1931 int zap_huge_pud(struct mmu_gather *tlb, struct vm_area_struct *vma,
1932                  pud_t *pud, unsigned long addr)
1933 {
1934         spinlock_t *ptl;
1935
1936         ptl = __pud_trans_huge_lock(pud, vma);
1937         if (!ptl)
1938                 return 0;
1939
1940         pudp_huge_get_and_clear_full(tlb->mm, addr, pud, tlb->fullmm);
1941         tlb_remove_pud_tlb_entry(tlb, pud, addr);
1942         if (vma_is_special_huge(vma)) {
1943                 spin_unlock(ptl);
1944                 /* No zero page support yet */
1945         } else {
1946                 /* No support for anonymous PUD pages yet */
1947                 BUG();
1948         }
1949         return 1;
1950 }
1951
1952 static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
1953                 unsigned long haddr)
1954 {
1955         VM_BUG_ON(haddr & ~HPAGE_PUD_MASK);
1956         VM_BUG_ON_VMA(vma->vm_start > haddr, vma);
1957         VM_BUG_ON_VMA(vma->vm_end < haddr + HPAGE_PUD_SIZE, vma);
1958         VM_BUG_ON(!pud_trans_huge(*pud) && !pud_devmap(*pud));
1959
1960         count_vm_event(THP_SPLIT_PUD);
1961
1962         pudp_huge_clear_flush_notify(vma, haddr, pud);
1963 }
1964
1965 void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
1966                 unsigned long address)
1967 {
1968         spinlock_t *ptl;
1969         struct mmu_notifier_range range;
1970
1971         mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,
1972                                 address & HPAGE_PUD_MASK,
1973                                 (address & HPAGE_PUD_MASK) + HPAGE_PUD_SIZE);
1974         mmu_notifier_invalidate_range_start(&range);
1975         ptl = pud_lock(vma->vm_mm, pud);
1976         if (unlikely(!pud_trans_huge(*pud) && !pud_devmap(*pud)))
1977                 goto out;
1978         __split_huge_pud_locked(vma, pud, range.start);
1979
1980 out:
1981         spin_unlock(ptl);
1982         /*
1983          * No need to double call mmu_notifier->invalidate_range() callback as
1984          * the above pudp_huge_clear_flush_notify() did already call it.
1985          */
1986         mmu_notifier_invalidate_range_only_end(&range);
1987 }
1988 #endif /* CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD */
1989
1990 static void __split_huge_zero_page_pmd(struct vm_area_struct *vma,
1991                 unsigned long haddr, pmd_t *pmd)
1992 {
1993         struct mm_struct *mm = vma->vm_mm;
1994         pgtable_t pgtable;
1995         pmd_t _pmd;
1996         int i;
1997
1998         /*
1999          * Leave pmd empty until pte is filled note that it is fine to delay
2000          * notification until mmu_notifier_invalidate_range_end() as we are
2001          * replacing a zero pmd write protected page with a zero pte write
2002          * protected page.
2003          *
2004          * See Documentation/mm/mmu_notifier.rst
2005          */
2006         pmdp_huge_clear_flush(vma, haddr, pmd);
2007
2008         pgtable = pgtable_trans_huge_withdraw(mm, pmd);
2009         pmd_populate(mm, &_pmd, pgtable);
2010
2011         for (i = 0; i < HPAGE_PMD_NR; i++, haddr += PAGE_SIZE) {
2012                 pte_t *pte, entry;
2013                 entry = pfn_pte(my_zero_pfn(haddr), vma->vm_page_prot);
2014                 entry = pte_mkspecial(entry);
2015                 pte = pte_offset_map(&_pmd, haddr);
2016                 VM_BUG_ON(!pte_none(*pte));
2017                 set_pte_at(mm, haddr, pte, entry);
2018                 pte_unmap(pte);
2019         }
2020         smp_wmb(); /* make pte visible before pmd */
2021         pmd_populate(mm, pmd, pgtable);
2022 }
2023
2024 static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
2025                 unsigned long haddr, bool freeze)
2026 {
2027         struct mm_struct *mm = vma->vm_mm;
2028         struct page *page;
2029         pgtable_t pgtable;
2030         pmd_t old_pmd, _pmd;
2031         bool young, write, soft_dirty, pmd_migration = false, uffd_wp = false;
2032         bool anon_exclusive = false;
2033         unsigned long addr;
2034         int i;
2035
2036         VM_BUG_ON(haddr & ~HPAGE_PMD_MASK);
2037         VM_BUG_ON_VMA(vma->vm_start > haddr, vma);
2038         VM_BUG_ON_VMA(vma->vm_end < haddr + HPAGE_PMD_SIZE, vma);
2039         VM_BUG_ON(!is_pmd_migration_entry(*pmd) && !pmd_trans_huge(*pmd)
2040                                 && !pmd_devmap(*pmd));
2041
2042         count_vm_event(THP_SPLIT_PMD);
2043
2044         if (!vma_is_anonymous(vma)) {
2045                 old_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);
2046                 /*
2047                  * We are going to unmap this huge page. So
2048                  * just go ahead and zap it
2049                  */
2050                 if (arch_needs_pgtable_deposit())
2051                         zap_deposited_table(mm, pmd);
2052                 if (vma_is_special_huge(vma))
2053                         return;
2054                 if (unlikely(is_pmd_migration_entry(old_pmd))) {
2055                         swp_entry_t entry;
2056
2057                         entry = pmd_to_swp_entry(old_pmd);
2058                         page = pfn_swap_entry_to_page(entry);
2059                 } else {
2060                         page = pmd_page(old_pmd);
2061                         if (!PageDirty(page) && pmd_dirty(old_pmd))
2062                                 set_page_dirty(page);
2063                         if (!PageReferenced(page) && pmd_young(old_pmd))
2064                                 SetPageReferenced(page);
2065                         page_remove_rmap(page, vma, true);
2066                         put_page(page);
2067                 }
2068                 add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
2069                 return;
2070         }
2071
2072         if (is_huge_zero_pmd(*pmd)) {
2073                 /*
2074                  * FIXME: Do we want to invalidate secondary mmu by calling
2075                  * mmu_notifier_invalidate_range() see comments below inside
2076                  * __split_huge_pmd() ?
2077                  *
2078                  * We are going from a zero huge page write protected to zero
2079                  * small page also write protected so it does not seems useful
2080                  * to invalidate secondary mmu at this time.
2081                  */
2082                 return __split_huge_zero_page_pmd(vma, haddr, pmd);
2083         }
2084
2085         /*
2086          * Up to this point the pmd is present and huge and userland has the
2087          * whole access to the hugepage during the split (which happens in
2088          * place). If we overwrite the pmd with the not-huge version pointing
2089          * to the pte here (which of course we could if all CPUs were bug
2090          * free), userland could trigger a small page size TLB miss on the
2091          * small sized TLB while the hugepage TLB entry is still established in
2092          * the huge TLB. Some CPU doesn't like that.
2093          * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum
2094          * 383 on page 105. Intel should be safe but is also warns that it's
2095          * only safe if the permission and cache attributes of the two entries
2096          * loaded in the two TLB is identical (which should be the case here).
2097          * But it is generally safer to never allow small and huge TLB entries
2098          * for the same virtual address to be loaded simultaneously. So instead
2099          * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the
2100          * current pmd notpresent (atomically because here the pmd_trans_huge
2101          * must remain set at all times on the pmd until the split is complete
2102          * for this pmd), then we flush the SMP TLB and finally we write the
2103          * non-huge version of the pmd entry with pmd_populate.
2104          */
2105         old_pmd = pmdp_invalidate(vma, haddr, pmd);
2106
2107         pmd_migration = is_pmd_migration_entry(old_pmd);
2108         if (unlikely(pmd_migration)) {
2109                 swp_entry_t entry;
2110
2111                 entry = pmd_to_swp_entry(old_pmd);
2112                 page = pfn_swap_entry_to_page(entry);
2113                 write = is_writable_migration_entry(entry);
2114                 if (PageAnon(page))
2115                         anon_exclusive = is_readable_exclusive_migration_entry(entry);
2116                 young = false;
2117                 soft_dirty = pmd_swp_soft_dirty(old_pmd);
2118                 uffd_wp = pmd_swp_uffd_wp(old_pmd);
2119         } else {
2120                 page = pmd_page(old_pmd);
2121                 if (pmd_dirty(old_pmd))
2122                         SetPageDirty(page);
2123                 write = pmd_write(old_pmd);
2124                 young = pmd_young(old_pmd);
2125                 soft_dirty = pmd_soft_dirty(old_pmd);
2126                 uffd_wp = pmd_uffd_wp(old_pmd);
2127
2128                 VM_BUG_ON_PAGE(!page_count(page), page);
2129                 page_ref_add(page, HPAGE_PMD_NR - 1);
2130
2131                 /*
2132                  * Without "freeze", we'll simply split the PMD, propagating the
2133                  * PageAnonExclusive() flag for each PTE by setting it for
2134                  * each subpage -- no need to (temporarily) clear.
2135                  *
2136                  * With "freeze" we want to replace mapped pages by
2137                  * migration entries right away. This is only possible if we
2138                  * managed to clear PageAnonExclusive() -- see
2139                  * set_pmd_migration_entry().
2140                  *
2141                  * In case we cannot clear PageAnonExclusive(), split the PMD
2142                  * only and let try_to_migrate_one() fail later.
2143                  */
2144                 anon_exclusive = PageAnon(page) && PageAnonExclusive(page);
2145                 if (freeze && anon_exclusive && page_try_share_anon_rmap(page))
2146                         freeze = false;
2147         }
2148
2149         /*
2150          * Withdraw the table only after we mark the pmd entry invalid.
2151          * This's critical for some architectures (Power).
2152          */
2153         pgtable = pgtable_trans_huge_withdraw(mm, pmd);
2154         pmd_populate(mm, &_pmd, pgtable);
2155
2156         for (i = 0, addr = haddr; i < HPAGE_PMD_NR; i++, addr += PAGE_SIZE) {
2157                 pte_t entry, *pte;
2158                 /*
2159                  * Note that NUMA hinting access restrictions are not
2160                  * transferred to avoid any possibility of altering
2161                  * permissions across VMAs.
2162                  */
2163                 if (freeze || pmd_migration) {
2164                         swp_entry_t swp_entry;
2165                         if (write)
2166                                 swp_entry = make_writable_migration_entry(
2167                                                         page_to_pfn(page + i));
2168                         else if (anon_exclusive)
2169                                 swp_entry = make_readable_exclusive_migration_entry(
2170                                                         page_to_pfn(page + i));
2171                         else
2172                                 swp_entry = make_readable_migration_entry(
2173                                                         page_to_pfn(page + i));
2174                         entry = swp_entry_to_pte(swp_entry);
2175                         if (soft_dirty)
2176                                 entry = pte_swp_mksoft_dirty(entry);
2177                         if (uffd_wp)
2178                                 entry = pte_swp_mkuffd_wp(entry);
2179                 } else {
2180                         entry = mk_pte(page + i, READ_ONCE(vma->vm_page_prot));
2181                         entry = maybe_mkwrite(entry, vma);
2182                         if (anon_exclusive)
2183                                 SetPageAnonExclusive(page + i);
2184                         if (!write)
2185                                 entry = pte_wrprotect(entry);
2186                         if (!young)
2187                                 entry = pte_mkold(entry);
2188                         if (soft_dirty)
2189                                 entry = pte_mksoft_dirty(entry);
2190                         if (uffd_wp)
2191                                 entry = pte_mkuffd_wp(entry);
2192                 }
2193                 pte = pte_offset_map(&_pmd, addr);
2194                 BUG_ON(!pte_none(*pte));
2195                 set_pte_at(mm, addr, pte, entry);
2196                 if (!pmd_migration)
2197                         atomic_inc(&page[i]._mapcount);
2198                 pte_unmap(pte);
2199         }
2200
2201         if (!pmd_migration) {
2202                 /*
2203                  * Set PG_double_map before dropping compound_mapcount to avoid
2204                  * false-negative page_mapped().
2205                  */
2206                 if (compound_mapcount(page) > 1 &&
2207                     !TestSetPageDoubleMap(page)) {
2208                         for (i = 0; i < HPAGE_PMD_NR; i++)
2209                                 atomic_inc(&page[i]._mapcount);
2210                 }
2211
2212                 lock_page_memcg(page);
2213                 if (atomic_add_negative(-1, compound_mapcount_ptr(page))) {
2214                         /* Last compound_mapcount is gone. */
2215                         __mod_lruvec_page_state(page, NR_ANON_THPS,
2216                                                 -HPAGE_PMD_NR);
2217                         if (TestClearPageDoubleMap(page)) {
2218                                 /* No need in mapcount reference anymore */
2219                                 for (i = 0; i < HPAGE_PMD_NR; i++)
2220                                         atomic_dec(&page[i]._mapcount);
2221                         }
2222                 }
2223                 unlock_page_memcg(page);
2224
2225                 /* Above is effectively page_remove_rmap(page, vma, true) */
2226                 munlock_vma_page(page, vma, true);
2227         }
2228
2229         smp_wmb(); /* make pte visible before pmd */
2230         pmd_populate(mm, pmd, pgtable);
2231
2232         if (freeze) {
2233                 for (i = 0; i < HPAGE_PMD_NR; i++) {
2234                         page_remove_rmap(page + i, vma, false);
2235                         put_page(page + i);
2236                 }
2237         }
2238 }
2239
2240 void __split_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
2241                 unsigned long address, bool freeze, struct folio *folio)
2242 {
2243         spinlock_t *ptl;
2244         struct mmu_notifier_range range;
2245
2246         mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,
2247                                 address & HPAGE_PMD_MASK,
2248                                 (address & HPAGE_PMD_MASK) + HPAGE_PMD_SIZE);
2249         mmu_notifier_invalidate_range_start(&range);
2250         ptl = pmd_lock(vma->vm_mm, pmd);
2251
2252         /*
2253          * If caller asks to setup a migration entry, we need a folio to check
2254          * pmd against. Otherwise we can end up replacing wrong folio.
2255          */
2256         VM_BUG_ON(freeze && !folio);
2257         VM_WARN_ON_ONCE(folio && !folio_test_locked(folio));
2258
2259         if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) ||
2260             is_pmd_migration_entry(*pmd)) {
2261                 /*
2262                  * It's safe to call pmd_page when folio is set because it's
2263                  * guaranteed that pmd is present.
2264                  */
2265                 if (folio && folio != page_folio(pmd_page(*pmd)))
2266                         goto out;
2267                 __split_huge_pmd_locked(vma, pmd, range.start, freeze);
2268         }
2269
2270 out:
2271         spin_unlock(ptl);
2272         /*
2273          * No need to double call mmu_notifier->invalidate_range() callback.
2274          * They are 3 cases to consider inside __split_huge_pmd_locked():
2275          *  1) pmdp_huge_clear_flush_notify() call invalidate_range() obvious
2276          *  2) __split_huge_zero_page_pmd() read only zero page and any write
2277          *    fault will trigger a flush_notify before pointing to a new page
2278          *    (it is fine if the secondary mmu keeps pointing to the old zero
2279          *    page in the meantime)
2280          *  3) Split a huge pmd into pte pointing to the same page. No need
2281          *     to invalidate secondary tlb entry they are all still valid.
2282          *     any further changes to individual pte will notify. So no need
2283          *     to call mmu_notifier->invalidate_range()
2284          */
2285         mmu_notifier_invalidate_range_only_end(&range);
2286 }
2287
2288 void split_huge_pmd_address(struct vm_area_struct *vma, unsigned long address,
2289                 bool freeze, struct folio *folio)
2290 {
2291         pgd_t *pgd;
2292         p4d_t *p4d;
2293         pud_t *pud;
2294         pmd_t *pmd;
2295
2296         pgd = pgd_offset(vma->vm_mm, address);
2297         if (!pgd_present(*pgd))
2298                 return;
2299
2300         p4d = p4d_offset(pgd, address);
2301         if (!p4d_present(*p4d))
2302                 return;
2303
2304         pud = pud_offset(p4d, address);
2305         if (!pud_present(*pud))
2306                 return;
2307
2308         pmd = pmd_offset(pud, address);
2309
2310         __split_huge_pmd(vma, pmd, address, freeze, folio);
2311 }
2312
2313 static inline void split_huge_pmd_if_needed(struct vm_area_struct *vma, unsigned long address)
2314 {
2315         /*
2316          * If the new address isn't hpage aligned and it could previously
2317          * contain an hugepage: check if we need to split an huge pmd.
2318          */
2319         if (!IS_ALIGNED(address, HPAGE_PMD_SIZE) &&
2320             range_in_vma(vma, ALIGN_DOWN(address, HPAGE_PMD_SIZE),
2321                          ALIGN(address, HPAGE_PMD_SIZE)))
2322                 split_huge_pmd_address(vma, address, false, NULL);
2323 }
2324
2325 void vma_adjust_trans_huge(struct vm_area_struct *vma,
2326                              unsigned long start,
2327                              unsigned long end,
2328                              long adjust_next)
2329 {
2330         /* Check if we need to split start first. */
2331         split_huge_pmd_if_needed(vma, start);
2332
2333         /* Check if we need to split end next. */
2334         split_huge_pmd_if_needed(vma, end);
2335
2336         /*
2337          * If we're also updating the vma->vm_next->vm_start,
2338          * check if we need to split it.
2339          */
2340         if (adjust_next > 0) {
2341                 struct vm_area_struct *next = vma->vm_next;
2342                 unsigned long nstart = next->vm_start;
2343                 nstart += adjust_next;
2344                 split_huge_pmd_if_needed(next, nstart);
2345         }
2346 }
2347
2348 static void unmap_page(struct page *page)
2349 {
2350         struct folio *folio = page_folio(page);
2351         enum ttu_flags ttu_flags = TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD |
2352                 TTU_SYNC;
2353
2354         VM_BUG_ON_PAGE(!PageHead(page), page);
2355
2356         /*
2357          * Anon pages need migration entries to preserve them, but file
2358          * pages can simply be left unmapped, then faulted back on demand.
2359          * If that is ever changed (perhaps for mlock), update remap_page().
2360          */
2361         if (folio_test_anon(folio))
2362                 try_to_migrate(folio, ttu_flags);
2363         else
2364                 try_to_unmap(folio, ttu_flags | TTU_IGNORE_MLOCK);
2365 }
2366
2367 static void remap_page(struct folio *folio, unsigned long nr)
2368 {
2369         int i = 0;
2370
2371         /* If unmap_page() uses try_to_migrate() on file, remove this check */
2372         if (!folio_test_anon(folio))
2373                 return;
2374         for (;;) {
2375                 remove_migration_ptes(folio, folio, true);
2376                 i += folio_nr_pages(folio);
2377                 if (i >= nr)
2378                         break;
2379                 folio = folio_next(folio);
2380         }
2381 }
2382
2383 static void lru_add_page_tail(struct page *head, struct page *tail,
2384                 struct lruvec *lruvec, struct list_head *list)
2385 {
2386         VM_BUG_ON_PAGE(!PageHead(head), head);
2387         VM_BUG_ON_PAGE(PageCompound(tail), head);
2388         VM_BUG_ON_PAGE(PageLRU(tail), head);
2389         lockdep_assert_held(&lruvec->lru_lock);
2390
2391         if (list) {
2392                 /* page reclaim is reclaiming a huge page */
2393                 VM_WARN_ON(PageLRU(head));
2394                 get_page(tail);
2395                 list_add_tail(&tail->lru, list);
2396         } else {
2397                 /* head is still on lru (and we have it frozen) */
2398                 VM_WARN_ON(!PageLRU(head));
2399                 if (PageUnevictable(tail))
2400                         tail->mlock_count = 0;
2401                 else
2402                         list_add_tail(&tail->lru, &head->lru);
2403                 SetPageLRU(tail);
2404         }
2405 }
2406
2407 static void __split_huge_page_tail(struct page *head, int tail,
2408                 struct lruvec *lruvec, struct list_head *list)
2409 {
2410         struct page *page_tail = head + tail;
2411
2412         VM_BUG_ON_PAGE(atomic_read(&page_tail->_mapcount) != -1, page_tail);
2413
2414         /*
2415          * Clone page flags before unfreezing refcount.
2416          *
2417          * After successful get_page_unless_zero() might follow flags change,
2418          * for example lock_page() which set PG_waiters.
2419          *
2420          * Note that for mapped sub-pages of an anonymous THP,
2421          * PG_anon_exclusive has been cleared in unmap_page() and is stored in
2422          * the migration entry instead from where remap_page() will restore it.
2423          * We can still have PG_anon_exclusive set on effectively unmapped and
2424          * unreferenced sub-pages of an anonymous THP: we can simply drop
2425          * PG_anon_exclusive (-> PG_mappedtodisk) for these here.
2426          */
2427         page_tail->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
2428         page_tail->flags |= (head->flags &
2429                         ((1L << PG_referenced) |
2430                          (1L << PG_swapbacked) |
2431                          (1L << PG_swapcache) |
2432                          (1L << PG_mlocked) |
2433                          (1L << PG_uptodate) |
2434                          (1L << PG_active) |
2435                          (1L << PG_workingset) |
2436                          (1L << PG_locked) |
2437                          (1L << PG_unevictable) |
2438 #ifdef CONFIG_64BIT
2439                          (1L << PG_arch_2) |
2440 #endif
2441                          (1L << PG_dirty)));
2442
2443         /* ->mapping in first tail page is compound_mapcount */
2444         VM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,
2445                         page_tail);
2446         page_tail->mapping = head->mapping;
2447         page_tail->index = head->index + tail;
2448         page_tail->private = 0;
2449
2450         /* Page flags must be visible before we make the page non-compound. */
2451         smp_wmb();
2452
2453         /*
2454          * Clear PageTail before unfreezing page refcount.
2455          *
2456          * After successful get_page_unless_zero() might follow put_page()
2457          * which needs correct compound_head().
2458          */
2459         clear_compound_head(page_tail);
2460
2461         /* Finally unfreeze refcount. Additional reference from page cache. */
2462         page_ref_unfreeze(page_tail, 1 + (!PageAnon(head) ||
2463                                           PageSwapCache(head)));
2464
2465         if (page_is_young(head))
2466                 set_page_young(page_tail);
2467         if (page_is_idle(head))
2468                 set_page_idle(page_tail);
2469
2470         page_cpupid_xchg_last(page_tail, page_cpupid_last(head));
2471
2472         /*
2473          * always add to the tail because some iterators expect new
2474          * pages to show after the currently processed elements - e.g.
2475          * migrate_pages
2476          */
2477         lru_add_page_tail(head, page_tail, lruvec, list);
2478 }
2479
2480 static void __split_huge_page(struct page *page, struct list_head *list,
2481                 pgoff_t end)
2482 {
2483         struct folio *folio = page_folio(page);
2484         struct page *head = &folio->page;
2485         struct lruvec *lruvec;
2486         struct address_space *swap_cache = NULL;
2487         unsigned long offset = 0;
2488         unsigned int nr = thp_nr_pages(head);
2489         int i;
2490
2491         /* complete memcg works before add pages to LRU */
2492         split_page_memcg(head, nr);
2493
2494         if (PageAnon(head) && PageSwapCache(head)) {
2495                 swp_entry_t entry = { .val = page_private(head) };
2496
2497                 offset = swp_offset(entry);
2498                 swap_cache = swap_address_space(entry);
2499                 xa_lock(&swap_cache->i_pages);
2500         }
2501
2502         /* lock lru list/PageCompound, ref frozen by page_ref_freeze */
2503         lruvec = folio_lruvec_lock(folio);
2504
2505         ClearPageHasHWPoisoned(head);
2506
2507         for (i = nr - 1; i >= 1; i--) {
2508                 __split_huge_page_tail(head, i, lruvec, list);
2509                 /* Some pages can be beyond EOF: drop them from page cache */
2510                 if (head[i].index >= end) {
2511                         struct folio *tail = page_folio(head + i);
2512
2513                         if (shmem_mapping(head->mapping))
2514                                 shmem_uncharge(head->mapping->host, 1);
2515                         else if (folio_test_clear_dirty(tail))
2516                                 folio_account_cleaned(tail,
2517                                         inode_to_wb(folio->mapping->host));
2518                         __filemap_remove_folio(tail, NULL);
2519                         folio_put(tail);
2520                 } else if (!PageAnon(page)) {
2521                         __xa_store(&head->mapping->i_pages, head[i].index,
2522                                         head + i, 0);
2523                 } else if (swap_cache) {
2524                         __xa_store(&swap_cache->i_pages, offset + i,
2525                                         head + i, 0);
2526                 }
2527         }
2528
2529         ClearPageCompound(head);
2530         unlock_page_lruvec(lruvec);
2531         /* Caller disabled irqs, so they are still disabled here */
2532
2533         split_page_owner(head, nr);
2534
2535         /* See comment in __split_huge_page_tail() */
2536         if (PageAnon(head)) {
2537                 /* Additional pin to swap cache */
2538                 if (PageSwapCache(head)) {
2539                         page_ref_add(head, 2);
2540                         xa_unlock(&swap_cache->i_pages);
2541                 } else {
2542                         page_ref_inc(head);
2543                 }
2544         } else {
2545                 /* Additional pin to page cache */
2546                 page_ref_add(head, 2);
2547                 xa_unlock(&head->mapping->i_pages);
2548         }
2549         local_irq_enable();
2550
2551         remap_page(folio, nr);
2552
2553         if (PageSwapCache(head)) {
2554                 swp_entry_t entry = { .val = page_private(head) };
2555
2556                 split_swap_cluster(entry);
2557         }
2558
2559         for (i = 0; i < nr; i++) {
2560                 struct page *subpage = head + i;
2561                 if (subpage == page)
2562                         continue;
2563                 unlock_page(subpage);
2564
2565                 /*
2566                  * Subpages may be freed if there wasn't any mapping
2567                  * like if add_to_swap() is running on a lru page that
2568                  * had its mapping zapped. And freeing these pages
2569                  * requires taking the lru_lock so we do the put_page
2570                  * of the tail pages after the split is complete.
2571                  */
2572                 free_page_and_swap_cache(subpage);
2573         }
2574 }
2575
2576 /* Racy check whether the huge page can be split */
2577 bool can_split_folio(struct folio *folio, int *pextra_pins)
2578 {
2579         int extra_pins;
2580
2581         /* Additional pins from page cache */
2582         if (folio_test_anon(folio))
2583                 extra_pins = folio_test_swapcache(folio) ?
2584                                 folio_nr_pages(folio) : 0;
2585         else
2586                 extra_pins = folio_nr_pages(folio);
2587         if (pextra_pins)
2588                 *pextra_pins = extra_pins;
2589         return folio_mapcount(folio) == folio_ref_count(folio) - extra_pins - 1;
2590 }
2591
2592 /*
2593  * This function splits huge page into normal pages. @page can point to any
2594  * subpage of huge page to split. Split doesn't change the position of @page.
2595  *
2596  * Only caller must hold pin on the @page, otherwise split fails with -EBUSY.
2597  * The huge page must be locked.
2598  *
2599  * If @list is null, tail pages will be added to LRU list, otherwise, to @list.
2600  *
2601  * Both head page and tail pages will inherit mapping, flags, and so on from
2602  * the hugepage.
2603  *
2604  * GUP pin and PG_locked transferred to @page. Rest subpages can be freed if
2605  * they are not mapped.
2606  *
2607  * Returns 0 if the hugepage is split successfully.
2608  * Returns -EBUSY if the page is pinned or if anon_vma disappeared from under
2609  * us.
2610  */
2611 int split_huge_page_to_list(struct page *page, struct list_head *list)
2612 {
2613         struct folio *folio = page_folio(page);
2614         struct page *head = &folio->page;
2615         struct deferred_split *ds_queue = get_deferred_split_queue(head);
2616         XA_STATE(xas, &head->mapping->i_pages, head->index);
2617         struct anon_vma *anon_vma = NULL;
2618         struct address_space *mapping = NULL;
2619         int extra_pins, ret;
2620         pgoff_t end;
2621         bool is_hzp;
2622
2623         VM_BUG_ON_PAGE(!PageLocked(head), head);
2624         VM_BUG_ON_PAGE(!PageCompound(head), head);
2625
2626         is_hzp = is_huge_zero_page(head);
2627         VM_WARN_ON_ONCE_PAGE(is_hzp, head);
2628         if (is_hzp)
2629                 return -EBUSY;
2630
2631         if (PageWriteback(head))
2632                 return -EBUSY;
2633
2634         if (PageAnon(head)) {
2635                 /*
2636                  * The caller does not necessarily hold an mmap_lock that would
2637                  * prevent the anon_vma disappearing so we first we take a
2638                  * reference to it and then lock the anon_vma for write. This
2639                  * is similar to folio_lock_anon_vma_read except the write lock
2640                  * is taken to serialise against parallel split or collapse
2641                  * operations.
2642                  */
2643                 anon_vma = page_get_anon_vma(head);
2644                 if (!anon_vma) {
2645                         ret = -EBUSY;
2646                         goto out;
2647                 }
2648                 end = -1;
2649                 mapping = NULL;
2650                 anon_vma_lock_write(anon_vma);
2651         } else {
2652                 mapping = head->mapping;
2653
2654                 /* Truncated ? */
2655                 if (!mapping) {
2656                         ret = -EBUSY;
2657                         goto out;
2658                 }
2659
2660                 xas_split_alloc(&xas, head, compound_order(head),
2661                                 mapping_gfp_mask(mapping) & GFP_RECLAIM_MASK);
2662                 if (xas_error(&xas)) {
2663                         ret = xas_error(&xas);
2664                         goto out;
2665                 }
2666
2667                 anon_vma = NULL;
2668                 i_mmap_lock_read(mapping);
2669
2670                 /*
2671                  *__split_huge_page() may need to trim off pages beyond EOF:
2672                  * but on 32-bit, i_size_read() takes an irq-unsafe seqlock,
2673                  * which cannot be nested inside the page tree lock. So note
2674                  * end now: i_size itself may be changed at any moment, but
2675                  * head page lock is good enough to serialize the trimming.
2676                  */
2677                 end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE);
2678                 if (shmem_mapping(mapping))
2679                         end = shmem_fallocend(mapping->host, end);
2680         }
2681
2682         /*
2683          * Racy check if we can split the page, before unmap_page() will
2684          * split PMDs
2685          */
2686         if (!can_split_folio(folio, &extra_pins)) {
2687                 ret = -EBUSY;
2688                 goto out_unlock;
2689         }
2690
2691         unmap_page(head);
2692
2693         /* block interrupt reentry in xa_lock and spinlock */
2694         local_irq_disable();
2695         if (mapping) {
2696                 /*
2697                  * Check if the head page is present in page cache.
2698                  * We assume all tail are present too, if head is there.
2699                  */
2700                 xas_lock(&xas);
2701                 xas_reset(&xas);
2702                 if (xas_load(&xas) != head)
2703                         goto fail;
2704         }
2705
2706         /* Prevent deferred_split_scan() touching ->_refcount */
2707         spin_lock(&ds_queue->split_queue_lock);
2708         if (page_ref_freeze(head, 1 + extra_pins)) {
2709                 if (!list_empty(page_deferred_list(head))) {
2710                         ds_queue->split_queue_len--;
2711                         list_del(page_deferred_list(head));
2712                 }
2713                 spin_unlock(&ds_queue->split_queue_lock);
2714                 if (mapping) {
2715                         int nr = thp_nr_pages(head);
2716
2717                         xas_split(&xas, head, thp_order(head));
2718                         if (PageSwapBacked(head)) {
2719                                 __mod_lruvec_page_state(head, NR_SHMEM_THPS,
2720                                                         -nr);
2721                         } else {
2722                                 __mod_lruvec_page_state(head, NR_FILE_THPS,
2723                                                         -nr);
2724                                 filemap_nr_thps_dec(mapping);
2725                         }
2726                 }
2727
2728                 __split_huge_page(page, list, end);
2729                 ret = 0;
2730         } else {
2731                 spin_unlock(&ds_queue->split_queue_lock);
2732 fail:
2733                 if (mapping)
2734                         xas_unlock(&xas);
2735                 local_irq_enable();
2736                 remap_page(folio, folio_nr_pages(folio));
2737                 ret = -EBUSY;
2738         }
2739
2740 out_unlock:
2741         if (anon_vma) {
2742                 anon_vma_unlock_write(anon_vma);
2743                 put_anon_vma(anon_vma);
2744         }
2745         if (mapping)
2746                 i_mmap_unlock_read(mapping);
2747 out:
2748         xas_destroy(&xas);
2749         count_vm_event(!ret ? THP_SPLIT_PAGE : THP_SPLIT_PAGE_FAILED);
2750         return ret;
2751 }
2752
2753 void free_transhuge_page(struct page *page)
2754 {
2755         struct deferred_split *ds_queue = get_deferred_split_queue(page);
2756         unsigned long flags;
2757
2758         spin_lock_irqsave(&ds_queue->split_queue_lock, flags);
2759         if (!list_empty(page_deferred_list(page))) {
2760                 ds_queue->split_queue_len--;
2761                 list_del(page_deferred_list(page));
2762         }
2763         spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags);
2764         free_compound_page(page);
2765 }
2766
2767 void deferred_split_huge_page(struct page *page)
2768 {
2769         struct deferred_split *ds_queue = get_deferred_split_queue(page);
2770 #ifdef CONFIG_MEMCG
2771         struct mem_cgroup *memcg = page_memcg(compound_head(page));
2772 #endif
2773         unsigned long flags;
2774
2775         VM_BUG_ON_PAGE(!PageTransHuge(page), page);
2776
2777         /*
2778          * The try_to_unmap() in page reclaim path might reach here too,
2779          * this may cause a race condition to corrupt deferred split queue.
2780          * And, if page reclaim is already handling the same page, it is
2781          * unnecessary to handle it again in shrinker.
2782          *
2783          * Check PageSwapCache to determine if the page is being
2784          * handled by page reclaim since THP swap would add the page into
2785          * swap cache before calling try_to_unmap().
2786          */
2787         if (PageSwapCache(page))
2788                 return;
2789
2790         spin_lock_irqsave(&ds_queue->split_queue_lock, flags);
2791         if (list_empty(page_deferred_list(page))) {
2792                 count_vm_event(THP_DEFERRED_SPLIT_PAGE);
2793                 list_add_tail(page_deferred_list(page), &ds_queue->split_queue);
2794                 ds_queue->split_queue_len++;
2795 #ifdef CONFIG_MEMCG
2796                 if (memcg)
2797                         set_shrinker_bit(memcg, page_to_nid(page),
2798                                          deferred_split_shrinker.id);
2799 #endif
2800         }
2801         spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags);
2802 }
2803
2804 static unsigned long deferred_split_count(struct shrinker *shrink,
2805                 struct shrink_control *sc)
2806 {
2807         struct pglist_data *pgdata = NODE_DATA(sc->nid);
2808         struct deferred_split *ds_queue = &pgdata->deferred_split_queue;
2809
2810 #ifdef CONFIG_MEMCG
2811         if (sc->memcg)
2812                 ds_queue = &sc->memcg->deferred_split_queue;
2813 #endif
2814         return READ_ONCE(ds_queue->split_queue_len);
2815 }
2816
2817 static unsigned long deferred_split_scan(struct shrinker *shrink,
2818                 struct shrink_control *sc)
2819 {
2820         struct pglist_data *pgdata = NODE_DATA(sc->nid);
2821         struct deferred_split *ds_queue = &pgdata->deferred_split_queue;
2822         unsigned long flags;
2823         LIST_HEAD(list), *pos, *next;
2824         struct page *page;
2825         int split = 0;
2826
2827 #ifdef CONFIG_MEMCG
2828         if (sc->memcg)
2829                 ds_queue = &sc->memcg->deferred_split_queue;
2830 #endif
2831
2832         spin_lock_irqsave(&ds_queue->split_queue_lock, flags);
2833         /* Take pin on all head pages to avoid freeing them under us */
2834         list_for_each_safe(pos, next, &ds_queue->split_queue) {
2835                 page = list_entry((void *)pos, struct page, deferred_list);
2836                 page = compound_head(page);
2837                 if (get_page_unless_zero(page)) {
2838                         list_move(page_deferred_list(page), &list);
2839                 } else {
2840                         /* We lost race with put_compound_page() */
2841                         list_del_init(page_deferred_list(page));
2842                         ds_queue->split_queue_len--;
2843                 }
2844                 if (!--sc->nr_to_scan)
2845                         break;
2846         }
2847         spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags);
2848
2849         list_for_each_safe(pos, next, &list) {
2850                 page = list_entry((void *)pos, struct page, deferred_list);
2851                 if (!trylock_page(page))
2852                         goto next;
2853                 /* split_huge_page() removes page from list on success */
2854                 if (!split_huge_page(page))
2855                         split++;
2856                 unlock_page(page);
2857 next:
2858                 put_page(page);
2859         }
2860
2861         spin_lock_irqsave(&ds_queue->split_queue_lock, flags);
2862         list_splice_tail(&list, &ds_queue->split_queue);
2863         spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags);
2864
2865         /*
2866          * Stop shrinker if we didn't split any page, but the queue is empty.
2867          * This can happen if pages were freed under us.
2868          */
2869         if (!split && list_empty(&ds_queue->split_queue))
2870                 return SHRINK_STOP;
2871         return split;
2872 }
2873
2874 static struct shrinker deferred_split_shrinker = {
2875         .count_objects = deferred_split_count,
2876         .scan_objects = deferred_split_scan,
2877         .seeks = DEFAULT_SEEKS,
2878         .flags = SHRINKER_NUMA_AWARE | SHRINKER_MEMCG_AWARE |
2879                  SHRINKER_NONSLAB,
2880 };
2881
2882 #ifdef CONFIG_DEBUG_FS
2883 static void split_huge_pages_all(void)
2884 {
2885         struct zone *zone;
2886         struct page *page;
2887         unsigned long pfn, max_zone_pfn;
2888         unsigned long total = 0, split = 0;
2889
2890         pr_debug("Split all THPs\n");
2891         for_each_zone(zone) {
2892                 if (!managed_zone(zone))
2893                         continue;
2894                 max_zone_pfn = zone_end_pfn(zone);
2895                 for (pfn = zone->zone_start_pfn; pfn < max_zone_pfn; pfn++) {
2896                         int nr_pages;
2897                         if (!pfn_valid(pfn))
2898                                 continue;
2899
2900                         page = pfn_to_page(pfn);
2901                         if (!get_page_unless_zero(page))
2902                                 continue;
2903
2904                         if (zone != page_zone(page))
2905                                 goto next;
2906
2907                         if (!PageHead(page) || PageHuge(page) || !PageLRU(page))
2908                                 goto next;
2909
2910                         total++;
2911                         lock_page(page);
2912                         nr_pages = thp_nr_pages(page);
2913                         if (!split_huge_page(page))
2914                                 split++;
2915                         pfn += nr_pages - 1;
2916                         unlock_page(page);
2917 next:
2918                         put_page(page);
2919                         cond_resched();
2920                 }
2921         }
2922
2923         pr_debug("%lu of %lu THP split\n", split, total);
2924 }
2925
2926 static inline bool vma_not_suitable_for_thp_split(struct vm_area_struct *vma)
2927 {
2928         return vma_is_special_huge(vma) || (vma->vm_flags & VM_IO) ||
2929                     is_vm_hugetlb_page(vma);
2930 }
2931
2932 static int split_huge_pages_pid(int pid, unsigned long vaddr_start,
2933                                 unsigned long vaddr_end)
2934 {
2935         int ret = 0;
2936         struct task_struct *task;
2937         struct mm_struct *mm;
2938         unsigned long total = 0, split = 0;
2939         unsigned long addr;
2940
2941         vaddr_start &= PAGE_MASK;
2942         vaddr_end &= PAGE_MASK;
2943
2944         /* Find the task_struct from pid */
2945         rcu_read_lock();
2946         task = find_task_by_vpid(pid);
2947         if (!task) {
2948                 rcu_read_unlock();
2949                 ret = -ESRCH;
2950                 goto out;
2951         }
2952         get_task_struct(task);
2953         rcu_read_unlock();
2954
2955         /* Find the mm_struct */
2956         mm = get_task_mm(task);
2957         put_task_struct(task);
2958
2959         if (!mm) {
2960                 ret = -EINVAL;
2961                 goto out;
2962         }
2963
2964         pr_debug("Split huge pages in pid: %d, vaddr: [0x%lx - 0x%lx]\n",
2965                  pid, vaddr_start, vaddr_end);
2966
2967         mmap_read_lock(mm);
2968         /*
2969          * always increase addr by PAGE_SIZE, since we could have a PTE page
2970          * table filled with PTE-mapped THPs, each of which is distinct.
2971          */
2972         for (addr = vaddr_start; addr < vaddr_end; addr += PAGE_SIZE) {
2973                 struct vm_area_struct *vma = vma_lookup(mm, addr);
2974                 struct page *page;
2975
2976                 if (!vma)
2977                         break;
2978
2979                 /* skip special VMA and hugetlb VMA */
2980                 if (vma_not_suitable_for_thp_split(vma)) {
2981                         addr = vma->vm_end;
2982                         continue;
2983                 }
2984
2985                 /* FOLL_DUMP to ignore special (like zero) pages */
2986                 page = follow_page(vma, addr, FOLL_GET | FOLL_DUMP);
2987
2988                 if (IS_ERR_OR_NULL(page) || is_zone_device_page(page))
2989                         continue;
2990
2991                 if (!is_transparent_hugepage(page))
2992                         goto next;
2993
2994                 total++;
2995                 if (!can_split_folio(page_folio(page), NULL))
2996                         goto next;
2997
2998                 if (!trylock_page(page))
2999                         goto next;
3000
3001                 if (!split_huge_page(page))
3002                         split++;
3003
3004                 unlock_page(page);
3005 next:
3006                 put_page(page);
3007                 cond_resched();
3008         }
3009         mmap_read_unlock(mm);
3010         mmput(mm);
3011
3012         pr_debug("%lu of %lu THP split\n", split, total);
3013
3014 out:
3015         return ret;
3016 }
3017
3018 static int split_huge_pages_in_file(const char *file_path, pgoff_t off_start,
3019                                 pgoff_t off_end)
3020 {
3021         struct filename *file;
3022         struct file *candidate;
3023         struct address_space *mapping;
3024         int ret = -EINVAL;
3025         pgoff_t index;
3026         int nr_pages = 1;
3027         unsigned long total = 0, split = 0;
3028
3029         file = getname_kernel(file_path);
3030         if (IS_ERR(file))
3031                 return ret;
3032
3033         candidate = file_open_name(file, O_RDONLY, 0);
3034         if (IS_ERR(candidate))
3035                 goto out;
3036
3037         pr_debug("split file-backed THPs in file: %s, page offset: [0x%lx - 0x%lx]\n",
3038                  file_path, off_start, off_end);
3039
3040         mapping = candidate->f_mapping;
3041
3042         for (index = off_start; index < off_end; index += nr_pages) {
3043                 struct page *fpage = pagecache_get_page(mapping, index,
3044                                                 FGP_ENTRY | FGP_HEAD, 0);
3045
3046                 nr_pages = 1;
3047                 if (xa_is_value(fpage) || !fpage)
3048                         continue;
3049
3050                 if (!is_transparent_hugepage(fpage))
3051                         goto next;
3052
3053                 total++;
3054                 nr_pages = thp_nr_pages(fpage);
3055
3056                 if (!trylock_page(fpage))
3057                         goto next;
3058
3059                 if (!split_huge_page(fpage))
3060                         split++;
3061
3062                 unlock_page(fpage);
3063 next:
3064                 put_page(fpage);
3065                 cond_resched();
3066         }
3067
3068         filp_close(candidate, NULL);
3069         ret = 0;
3070
3071         pr_debug("%lu of %lu file-backed THP split\n", split, total);
3072 out:
3073         putname(file);
3074         return ret;
3075 }
3076
3077 #define MAX_INPUT_BUF_SZ 255
3078
3079 static ssize_t split_huge_pages_write(struct file *file, const char __user *buf,
3080                                 size_t count, loff_t *ppops)
3081 {
3082         static DEFINE_MUTEX(split_debug_mutex);
3083         ssize_t ret;
3084         /* hold pid, start_vaddr, end_vaddr or file_path, off_start, off_end */
3085         char input_buf[MAX_INPUT_BUF_SZ];
3086         int pid;
3087         unsigned long vaddr_start, vaddr_end;
3088
3089         ret = mutex_lock_interruptible(&split_debug_mutex);
3090         if (ret)
3091                 return ret;
3092
3093         ret = -EFAULT;
3094
3095         memset(input_buf, 0, MAX_INPUT_BUF_SZ);
3096         if (copy_from_user(input_buf, buf, min_t(size_t, count, MAX_INPUT_BUF_SZ)))
3097                 goto out;
3098
3099         input_buf[MAX_INPUT_BUF_SZ - 1] = '\0';
3100
3101         if (input_buf[0] == '/') {
3102                 char *tok;
3103                 char *buf = input_buf;
3104                 char file_path[MAX_INPUT_BUF_SZ];
3105                 pgoff_t off_start = 0, off_end = 0;
3106                 size_t input_len = strlen(input_buf);
3107
3108                 tok = strsep(&buf, ",");
3109                 if (tok) {
3110                         strcpy(file_path, tok);
3111                 } else {
3112                         ret = -EINVAL;
3113                         goto out;
3114                 }
3115
3116                 ret = sscanf(buf, "0x%lx,0x%lx", &off_start, &off_end);
3117                 if (ret != 2) {
3118                         ret = -EINVAL;
3119                         goto out;
3120                 }
3121                 ret = split_huge_pages_in_file(file_path, off_start, off_end);
3122                 if (!ret)
3123                         ret = input_len;
3124
3125                 goto out;
3126         }
3127
3128         ret = sscanf(input_buf, "%d,0x%lx,0x%lx", &pid, &vaddr_start, &vaddr_end);
3129         if (ret == 1 && pid == 1) {
3130                 split_huge_pages_all();
3131                 ret = strlen(input_buf);
3132                 goto out;
3133         } else if (ret != 3) {
3134                 ret = -EINVAL;
3135                 goto out;
3136         }
3137
3138         ret = split_huge_pages_pid(pid, vaddr_start, vaddr_end);
3139         if (!ret)
3140                 ret = strlen(input_buf);
3141 out:
3142         mutex_unlock(&split_debug_mutex);
3143         return ret;
3144
3145 }
3146
3147 static const struct file_operations split_huge_pages_fops = {
3148         .owner   = THIS_MODULE,
3149         .write   = split_huge_pages_write,
3150         .llseek  = no_llseek,
3151 };
3152
3153 static int __init split_huge_pages_debugfs(void)
3154 {
3155         debugfs_create_file("split_huge_pages", 0200, NULL, NULL,
3156                             &split_huge_pages_fops);
3157         return 0;
3158 }
3159 late_initcall(split_huge_pages_debugfs);
3160 #endif
3161
3162 #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
3163 int set_pmd_migration_entry(struct page_vma_mapped_walk *pvmw,
3164                 struct page *page)
3165 {
3166         struct vm_area_struct *vma = pvmw->vma;
3167         struct mm_struct *mm = vma->vm_mm;
3168         unsigned long address = pvmw->address;
3169         bool anon_exclusive;
3170         pmd_t pmdval;
3171         swp_entry_t entry;
3172         pmd_t pmdswp;
3173
3174         if (!(pvmw->pmd && !pvmw->pte))
3175                 return 0;
3176
3177         flush_cache_range(vma, address, address + HPAGE_PMD_SIZE);
3178         pmdval = pmdp_invalidate(vma, address, pvmw->pmd);
3179
3180         anon_exclusive = PageAnon(page) && PageAnonExclusive(page);
3181         if (anon_exclusive && page_try_share_anon_rmap(page)) {
3182                 set_pmd_at(mm, address, pvmw->pmd, pmdval);
3183                 return -EBUSY;
3184         }
3185
3186         if (pmd_dirty(pmdval))
3187                 set_page_dirty(page);
3188         if (pmd_write(pmdval))
3189                 entry = make_writable_migration_entry(page_to_pfn(page));
3190         else if (anon_exclusive)
3191                 entry = make_readable_exclusive_migration_entry(page_to_pfn(page));
3192         else
3193                 entry = make_readable_migration_entry(page_to_pfn(page));
3194         pmdswp = swp_entry_to_pmd(entry);
3195         if (pmd_soft_dirty(pmdval))
3196                 pmdswp = pmd_swp_mksoft_dirty(pmdswp);
3197         set_pmd_at(mm, address, pvmw->pmd, pmdswp);
3198         page_remove_rmap(page, vma, true);
3199         put_page(page);
3200         trace_set_migration_pmd(address, pmd_val(pmdswp));
3201
3202         return 0;
3203 }
3204
3205 void remove_migration_pmd(struct page_vma_mapped_walk *pvmw, struct page *new)
3206 {
3207         struct vm_area_struct *vma = pvmw->vma;
3208         struct mm_struct *mm = vma->vm_mm;
3209         unsigned long address = pvmw->address;
3210         unsigned long haddr = address & HPAGE_PMD_MASK;
3211         pmd_t pmde;
3212         swp_entry_t entry;
3213
3214         if (!(pvmw->pmd && !pvmw->pte))
3215                 return;
3216
3217         entry = pmd_to_swp_entry(*pvmw->pmd);
3218         get_page(new);
3219         pmde = pmd_mkold(mk_huge_pmd(new, READ_ONCE(vma->vm_page_prot)));
3220         if (pmd_swp_soft_dirty(*pvmw->pmd))
3221                 pmde = pmd_mksoft_dirty(pmde);
3222         if (is_writable_migration_entry(entry))
3223                 pmde = maybe_pmd_mkwrite(pmde, vma);
3224         if (pmd_swp_uffd_wp(*pvmw->pmd))
3225                 pmde = pmd_wrprotect(pmd_mkuffd_wp(pmde));
3226
3227         if (PageAnon(new)) {
3228                 rmap_t rmap_flags = RMAP_COMPOUND;
3229
3230                 if (!is_readable_migration_entry(entry))
3231                         rmap_flags |= RMAP_EXCLUSIVE;
3232
3233                 page_add_anon_rmap(new, vma, haddr, rmap_flags);
3234         } else {
3235                 page_add_file_rmap(new, vma, true);
3236         }
3237         VM_BUG_ON(pmd_write(pmde) && PageAnon(new) && !PageAnonExclusive(new));
3238         set_pmd_at(mm, haddr, pvmw->pmd, pmde);
3239
3240         /* No need to invalidate - it was non-present before */
3241         update_mmu_cache_pmd(vma, address, pvmw->pmd);
3242         trace_remove_migration_pmd(address, pmd_val(pmde));
3243 }
3244 #endif