userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx

		ctx->flags = octx->flags;

		ctx->features = octx->features;

		ctx->released = false;

		init_rwsem(&ctx->map_changing_lock);

		atomic_set(&ctx->mmap_changing, 0);

		ctx->mm = vma->vm_mm;

		mmgrab(ctx->mm);

		userfaultfd_ctx_get(octx);

		down_write(&octx->map_changing_lock);

		atomic_inc(&octx->mmap_changing);

		up_write(&octx->map_changing_lock);

		fctx->orig = octx;

		fctx->new = ctx;

		list_add_tail(&fctx->list, fcs);

	if (ctx->features & UFFD_FEATURE_EVENT_REMAP) {

		vm_ctx->ctx = ctx;

		userfaultfd_ctx_get(ctx);

		down_write(&ctx->map_changing_lock);

		atomic_inc(&ctx->mmap_changing);

		up_write(&ctx->map_changing_lock);

	} else {

		/* Drop uffd context if remap feature not enabled */

		vma_start_write(vma);

		return true;

	userfaultfd_ctx_get(ctx);

	down_write(&ctx->map_changing_lock);

	atomic_inc(&ctx->mmap_changing);

	up_write(&ctx->map_changing_lock);

	mmap_read_unlock(mm);

	msg_init(&ewq.msg);

		return -ENOMEM;

	userfaultfd_ctx_get(ctx);

	down_write(&ctx->map_changing_lock);

	atomic_inc(&ctx->mmap_changing);

	up_write(&ctx->map_changing_lock);

	unmap_ctx->ctx = ctx;

	unmap_ctx->start = start;

	unmap_ctx->end = end;

	if (uffdio_copy.mode & UFFDIO_COPY_MODE_WP)

		flags |= MFILL_ATOMIC_WP;

	if (mmget_not_zero(ctx->mm)) {

		ret = mfill_atomic_copy(ctx->mm, uffdio_copy.dst, uffdio_copy.src,

					uffdio_copy.len, &ctx->mmap_changing,

					flags);

		ret = mfill_atomic_copy(ctx, uffdio_copy.dst, uffdio_copy.src,

					uffdio_copy.len, flags);

		mmput(ctx->mm);

	} else {

		return -ESRCH;

		goto out;

	if (mmget_not_zero(ctx->mm)) {

		ret = mfill_atomic_zeropage(ctx->mm, uffdio_zeropage.range.start,

					   uffdio_zeropage.range.len,

					   &ctx->mmap_changing);

		ret = mfill_atomic_zeropage(ctx, uffdio_zeropage.range.start,

					   uffdio_zeropage.range.len);

		mmput(ctx->mm);

	} else {

		return -ESRCH;

		return -EINVAL;

	if (mmget_not_zero(ctx->mm)) {

		ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,

					  uffdio_wp.range.len, mode_wp,

					  &ctx->mmap_changing);

		ret = mwriteprotect_range(ctx, uffdio_wp.range.start,

					  uffdio_wp.range.len, mode_wp);

		mmput(ctx->mm);

	} else {

		return -ESRCH;

		flags |= MFILL_ATOMIC_WP;

	if (mmget_not_zero(ctx->mm)) {

		ret = mfill_atomic_continue(ctx->mm, uffdio_continue.range.start,

					    uffdio_continue.range.len,

					    &ctx->mmap_changing, flags);

		ret = mfill_atomic_continue(ctx, uffdio_continue.range.start,

					    uffdio_continue.range.len, flags);

		mmput(ctx->mm);

	} else {

		return -ESRCH;

		goto out;

	if (mmget_not_zero(ctx->mm)) {

		ret = mfill_atomic_poison(ctx->mm, uffdio_poison.range.start,

					  uffdio_poison.range.len,

					  &ctx->mmap_changing, 0);

		ret = mfill_atomic_poison(ctx, uffdio_poison.range.start,

					  uffdio_poison.range.len, 0);

		mmput(ctx->mm);

	} else {

		return -ESRCH;

	if (mmget_not_zero(mm)) {

		mmap_read_lock(mm);

		/* Re-check after taking mmap_lock */

		/* Re-check after taking map_changing_lock */

		down_read(&ctx->map_changing_lock);

		if (likely(!atomic_read(&ctx->mmap_changing)))

			ret = move_pages(ctx, mm, uffdio_move.dst, uffdio_move.src,

					 uffdio_move.len, uffdio_move.mode);

		else

			ret = -EAGAIN;

		up_read(&ctx->map_changing_lock);

		mmap_read_unlock(mm);

		mmput(mm);

	} else {

	ctx->flags = flags;

	ctx->features = 0;

	ctx->released = false;

	init_rwsem(&ctx->map_changing_lock);

	atomic_set(&ctx->mmap_changing, 0);

	ctx->mm = current->mm;

	/* prevent the mm struct to be freed */

	unsigned int features;

	/* released */

	bool released;

	/*

	 * Prevents userfaultfd operations (fill/move/wp) from happening while

	 * some non-cooperative event(s) is taking place. Increments are done

	 * in write-mode. Whereas, userfaultfd operations, which includes

	 * reading mmap_changing, is done under read-mode.

	 */

	struct rw_semaphore map_changing_lock;

	/* memory mappings are changing because of non-cooperative event */

	atomic_t mmap_changing;

	/* mm with one ore more vmas attached to this userfaultfd_ctx */

				    unsigned long dst_addr, struct page *page,

				    bool newly_allocated, uffd_flags_t flags);

extern ssize_t mfill_atomic_copy(struct mm_struct *dst_mm, unsigned long dst_start,

extern ssize_t mfill_atomic_copy(struct userfaultfd_ctx *ctx, unsigned long dst_start,

				 unsigned long src_start, unsigned long len,

				 atomic_t *mmap_changing, uffd_flags_t flags);

extern ssize_t mfill_atomic_zeropage(struct mm_struct *dst_mm,

				     unsigned long dst_start,

				     unsigned long len,

				     atomic_t *mmap_changing);

extern ssize_t mfill_atomic_continue(struct mm_struct *dst_mm, unsigned long dst_start,

				     unsigned long len, atomic_t *mmap_changing,

				     uffd_flags_t flags);

extern ssize_t mfill_atomic_poison(struct mm_struct *dst_mm, unsigned long start,

				   unsigned long len, atomic_t *mmap_changing,

				 uffd_flags_t flags);

extern int mwriteprotect_range(struct mm_struct *dst_mm,

			       unsigned long start, unsigned long len,

			       bool enable_wp, atomic_t *mmap_changing);

extern ssize_t mfill_atomic_zeropage(struct userfaultfd_ctx *ctx,

				     unsigned long dst_start,

				     unsigned long len);

extern ssize_t mfill_atomic_continue(struct userfaultfd_ctx *ctx, unsigned long dst_start,

				     unsigned long len, uffd_flags_t flags);

extern ssize_t mfill_atomic_poison(struct userfaultfd_ctx *ctx, unsigned long start,

				   unsigned long len, uffd_flags_t flags);

extern int mwriteprotect_range(struct userfaultfd_ctx *ctx, unsigned long start,

			       unsigned long len, bool enable_wp);

extern long uffd_wp_range(struct vm_area_struct *vma,

			  unsigned long start, unsigned long len, bool enable_wp);

 * called with mmap_lock held, it will release mmap_lock before returning.

 */

static __always_inline ssize_t mfill_atomic_hugetlb(

					      struct userfaultfd_ctx *ctx,

					      struct vm_area_struct *dst_vma,

					      unsigned long dst_start,

					      unsigned long src_start,

					      unsigned long len,

					      atomic_t *mmap_changing,

					      uffd_flags_t flags)

{

	struct mm_struct *dst_mm = dst_vma->vm_mm;

	 * feature is not supported.

	 */

	if (uffd_flags_mode_is(flags, MFILL_ATOMIC_ZEROPAGE)) {

		up_read(&ctx->map_changing_lock);

		mmap_read_unlock(dst_mm);

		return -EINVAL;

	}

		cond_resched();

		if (unlikely(err == -ENOENT)) {

			up_read(&ctx->map_changing_lock);

			mmap_read_unlock(dst_mm);

			BUG_ON(!folio);

				goto out;

			}

			mmap_read_lock(dst_mm);

			down_read(&ctx->map_changing_lock);

			/*

			 * If memory mappings are changing because of non-cooperative

			 * operation (e.g. mremap) running in parallel, bail out and

			 * request the user to retry later

			 */

			if (mmap_changing && atomic_read(mmap_changing)) {

			if (atomic_read(&ctx->mmap_changing)) {

				err = -EAGAIN;

				break;

			}

	}

out_unlock:

	up_read(&ctx->map_changing_lock);

	mmap_read_unlock(dst_mm);

out:

	if (folio)

}

#else /* !CONFIG_HUGETLB_PAGE */

/* fail at build time if gcc attempts to use this */

extern ssize_t mfill_atomic_hugetlb(struct vm_area_struct *dst_vma,

extern ssize_t mfill_atomic_hugetlb(struct userfaultfd_ctx *ctx,

				    struct vm_area_struct *dst_vma,

				    unsigned long dst_start,

				    unsigned long src_start,

				    unsigned long len,

				    atomic_t *mmap_changing,

				    uffd_flags_t flags);

#endif /* CONFIG_HUGETLB_PAGE */

	return err;

}

static __always_inline ssize_t mfill_atomic(struct mm_struct *dst_mm,

static __always_inline ssize_t mfill_atomic(struct userfaultfd_ctx *ctx,

					    unsigned long dst_start,

					    unsigned long src_start,

					    unsigned long len,

					    atomic_t *mmap_changing,

					    uffd_flags_t flags)

{

	struct mm_struct *dst_mm = ctx->mm;

	struct vm_area_struct *dst_vma;

	ssize_t err;

	pmd_t *dst_pmd;

	 * operation (e.g. mremap) running in parallel, bail out and

	 * request the user to retry later

	 */

	down_read(&ctx->map_changing_lock);

	err = -EAGAIN;

	if (mmap_changing && atomic_read(mmap_changing))

	if (atomic_read(&ctx->mmap_changing))

		goto out_unlock;

	/*

	 * If this is a HUGETLB vma, pass off to appropriate routine

	 */

	if (is_vm_hugetlb_page(dst_vma))

		return  mfill_atomic_hugetlb(dst_vma, dst_start, src_start,

					     len, mmap_changing, flags);

		return  mfill_atomic_hugetlb(ctx, dst_vma, dst_start,

					     src_start, len, flags);

	if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma))

		goto out_unlock;

		if (unlikely(err == -ENOENT)) {

			void *kaddr;

			up_read(&ctx->map_changing_lock);

			mmap_read_unlock(dst_mm);

			BUG_ON(!folio);

	}

out_unlock:

	up_read(&ctx->map_changing_lock);

	mmap_read_unlock(dst_mm);

out:

	if (folio)

	return copied ? copied : err;

}

ssize_t mfill_atomic_copy(struct mm_struct *dst_mm, unsigned long dst_start,

ssize_t mfill_atomic_copy(struct userfaultfd_ctx *ctx, unsigned long dst_start,

			  unsigned long src_start, unsigned long len,

			  atomic_t *mmap_changing, uffd_flags_t flags)

			  uffd_flags_t flags)

{

	return mfill_atomic(dst_mm, dst_start, src_start, len, mmap_changing,

	return mfill_atomic(ctx, dst_start, src_start, len,

			    uffd_flags_set_mode(flags, MFILL_ATOMIC_COPY));

}

ssize_t mfill_atomic_zeropage(struct mm_struct *dst_mm, unsigned long start,

			      unsigned long len, atomic_t *mmap_changing)

ssize_t mfill_atomic_zeropage(struct userfaultfd_ctx *ctx,

			      unsigned long start,

			      unsigned long len)

{

	return mfill_atomic(dst_mm, start, 0, len, mmap_changing,

	return mfill_atomic(ctx, start, 0, len,

			    uffd_flags_set_mode(0, MFILL_ATOMIC_ZEROPAGE));

}

ssize_t mfill_atomic_continue(struct mm_struct *dst_mm, unsigned long start,

			      unsigned long len, atomic_t *mmap_changing,

			      uffd_flags_t flags)

ssize_t mfill_atomic_continue(struct userfaultfd_ctx *ctx, unsigned long start,

			      unsigned long len, uffd_flags_t flags)

{

	return mfill_atomic(dst_mm, start, 0, len, mmap_changing,

	return mfill_atomic(ctx, start, 0, len,

			    uffd_flags_set_mode(flags, MFILL_ATOMIC_CONTINUE));

}

ssize_t mfill_atomic_poison(struct mm_struct *dst_mm, unsigned long start,

			    unsigned long len, atomic_t *mmap_changing,

			    uffd_flags_t flags)

ssize_t mfill_atomic_poison(struct userfaultfd_ctx *ctx, unsigned long start,

			    unsigned long len, uffd_flags_t flags)

{

	return mfill_atomic(dst_mm, start, 0, len, mmap_changing,

	return mfill_atomic(ctx, start, 0, len,

			    uffd_flags_set_mode(flags, MFILL_ATOMIC_POISON));

}

	return ret;

}

int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,

			unsigned long len, bool enable_wp,

			atomic_t *mmap_changing)

int mwriteprotect_range(struct userfaultfd_ctx *ctx, unsigned long start,

			unsigned long len, bool enable_wp)

{

	struct mm_struct *dst_mm = ctx->mm;

	unsigned long end = start + len;

	unsigned long _start, _end;

	struct vm_area_struct *dst_vma;

	 * operation (e.g. mremap) running in parallel, bail out and

	 * request the user to retry later

	 */

	down_read(&ctx->map_changing_lock);

	err = -EAGAIN;

	if (mmap_changing && atomic_read(mmap_changing))

	if (atomic_read(&ctx->mmap_changing))

		goto out_unlock;

	err = -ENOENT;

		err = 0;

	}

out_unlock:

	up_read(&ctx->map_changing_lock);

	mmap_read_unlock(dst_mm);

	return err;

}