#include <linux/mm.h>
#include <linux/hugetlb.h>
#include <linux/huge_mm.h>
#include <linux/mount.h>
#include <linux/seq_file.h>
#include <linux/highmem.h>
#include <linux/ptrace.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the following.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
widely available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 17:04:11 +09:00
#include <linux/slab.h>
#include <linux/pagemap.h>
#include <linux/mempolicy.h>
#include <linux/rmap.h>
#include <linux/swap.h>
#include <linux/swapops.h>
#include <asm/elf.h>
#include <asm/uaccess.h>
#include <asm/tlbflush.h>
#include "internal.h"
/*
 * task_mem - write the Vm* memory summary of @mm into the seq_file @m.
 *
 * Emits VmPeak, VmSize, VmLck, VmPin, VmHWM, VmRSS, VmData, VmStk,
 * VmExe, VmLib, VmPTE and VmSwap, one per line, each in kB.
 *
 * This function takes no lock and uses no barriers: every figure is an
 * independent read of a counter that other threads may be updating, so
 * the lines of one report need not agree with each other. Tooling that
 * consumes this output for accounting or monitoring should treat the
 * numbers as approximate snapshots.
 */
void task_mem(struct seq_file *m, struct mm_struct *mm)
{
	/* A page count becomes kB when shifted left by (PAGE_SHIFT - 10). */
	const int kb_shift = PAGE_SHIFT - 10;
	unsigned long peak_vm, cur_vm, peak_rss, cur_rss;
	unsigned long data, text, lib, swap;

	/*
	 * mm refreshes hiwater_vm and hiwater_rss only when it is about to
	 * lower total_vm or rss, so the stored high-water marks can lag
	 * behind the current values. Report whichever is larger.
	 */
	cur_vm = mm->total_vm;
	peak_vm = cur_vm;
	if (mm->hiwater_vm > peak_vm)
		peak_vm = mm->hiwater_vm;

	cur_rss = get_mm_rss(mm);
	peak_rss = cur_rss;
	if (mm->hiwater_rss > peak_rss)
		peak_rss = mm->hiwater_rss;

	/* total_vm is read from mm again here rather than taken from cur_vm. */
	data = mm->total_vm - mm->shared_vm - mm->stack_vm;

	/* Page-rounded extent of the code segment, converted from bytes to kB. */
	text = (PAGE_ALIGN(mm->end_code) - (mm->start_code & PAGE_MASK)) >> 10;

	/* Executable mappings in kB, minus the main text counted above. */
	lib = (mm->exec_vm << kb_shift) - text;

	swap = get_mm_counter(mm, MM_SWAPENTS);

	seq_printf(m,
		"VmPeak:\t%8lu kB\n"
		"VmSize:\t%8lu kB\n"
		"VmLck:\t%8lu kB\n"
		"VmPin:\t%8lu kB\n"
		"VmHWM:\t%8lu kB\n"
		"VmRSS:\t%8lu kB\n"
		"VmData:\t%8lu kB\n"
		"VmStk:\t%8lu kB\n"
		"VmExe:\t%8lu kB\n"
		"VmLib:\t%8lu kB\n"
		"VmPTE:\t%8lu kB\n"
		"VmSwap:\t%8lu kB\n",
		peak_vm << kb_shift,
		(cur_vm - mm->reserved_vm) << kb_shift,
		mm->locked_vm << kb_shift,
		mm->pinned_vm << kb_shift,
		peak_rss << kb_shift,
		cur_rss << kb_shift,
		data << kb_shift,
		mm->stack_vm << kb_shift,
		text,
		lib,
		(PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
		swap << kb_shift);
}
/*
 * task_vsize - size of @mm's address space in bytes.
 *
 * Returns mm->total_vm (a page count) multiplied by PAGE_SIZE. The field
 * is read once, without any locking in this function.
 */
unsigned long task_vsize(struct mm_struct *mm)
{
	unsigned long nr_pages = mm->total_vm;

	return PAGE_SIZE * nr_pages;
}
/*
 * task_statm - collect page-count statistics for @mm.
 *
 * @shared:   receives the MM_FILEPAGES counter.
 * @text:     receives the page-rounded code segment extent, in pages.
 * @data:     receives total_vm minus shared_vm.
 * @resident: receives *shared plus the MM_ANONPAGES counter.
 *
 * Returns mm->total_vm. The out-parameters are written in the order
 * shared, text, data, resident, and *resident is computed from the value
 * just stored through @shared. No locking is done here, so the values are
 * independent snapshots.
 */
unsigned long task_statm(struct mm_struct *mm,
			 unsigned long *shared, unsigned long *text,
			 unsigned long *data, unsigned long *resident)
{
	unsigned long code_bytes;

	*shared = get_mm_counter(mm, MM_FILEPAGES);

	/* Round the end up and the start down to whole pages. */
	code_bytes = PAGE_ALIGN(mm->end_code) - (mm->start_code & PAGE_MASK);
	*text = code_bytes >> PAGE_SHIFT;

	*data = mm->total_vm - mm->shared_vm;

	*resident = *shared + get_mm_counter(mm, MM_ANONPAGES);

	return mm->total_vm;
}
/*
 * pad_len_spaces - pad the current output line with spaces.
 *
 * @len is the number of characters already written on the line. The
 * target column is 25 + 6 * sizeof(void *); at least one space is always
 * emitted, even when @len is already past that column.
 */
static void pad_len_spaces(struct seq_file *m, int len)
{
	/*
	 * sizeof() makes this subtraction unsigned; a @len beyond the target
	 * column wraps and, once stored back into an int, is caught by the
	 * "< 1" clamp below.
	 */
	int pad = 25 + sizeof(void*) * 6 - len;

	if (pad < 1)
		pad = 1;

	/* "%*c" prints a single ' ' right-aligned in a field of width pad. */
	seq_printf(m, "%*c", pad, ' ');
}
/*
 * vma_stop - release what an iteration step holds for @vma.
 *
 * For a real vma this drops the read side of the owning mm's mmap_sem and
 * then the mm reference. Nothing is released when @vma is NULL or is the
 * recorded tail vma (priv->tail_vma): m_start() has already unlocked and
 * dropped the mm by the time it hands out the tail vma.
 */
static void vma_stop(struct proc_maps_private *priv, struct vm_area_struct *vma)
{
	struct mm_struct *mm;

	if (!vma || vma == priv->tail_vma)
		return;

	mm = vma->vm_mm;
	up_read(&mm->mmap_sem);
	mmput(mm);
}
/*
 * m_start - seq_file start callback: find the vma at which to resume.
 *
 * Returns one of:
 *   - a vma of the target mm, with mm->mmap_sem held for read and the mm
 *     still referenced (both are released later through vma_stop());
 *   - the tail (gate) vma or NULL, after the lock and the mm have already
 *     been released here;
 *   - NULL or an ERR_PTR when the task or its mm could not be obtained.
 *
 * priv->task keeps the task reference taken below on every return path
 * after get_pid_task() succeeds; m_stop() drops it.
 */
static void *m_start(struct seq_file *m, loff_t *pos)
{
	struct proc_maps_private *priv = m->private;
	unsigned long last_addr = m->version;
	struct mm_struct *mm;
	struct vm_area_struct *vma, *tail_vma = NULL;
	loff_t l = *pos;

	/* Clear the per syscall fields in priv */
	priv->task = NULL;
	priv->tail_vma = NULL;

	/*
	 * We remember last_addr rather than next_addr to hit with
	 * mmap_cache most of the time. We have zero last_addr at
	 * the beginning and also after lseek. We will have -1 last_addr
	 * after the end of the vmas.
	 */

	if (last_addr == -1UL)
		return NULL;

	priv->task = get_pid_task(priv->pid, PIDTYPE_PID);
	if (!priv->task)
		return ERR_PTR(-ESRCH);

	/*
	 * NOTE(review): mm_for_maps() is defined elsewhere. Presumably it
	 * performs the access check for reading another task's mappings and
	 * returns a referenced mm; the mmput() calls here and in vma_stop()
	 * are consistent with that. Confirm against its definition.
	 * A NULL or ERR_PTR result is passed straight back to the caller.
	 */
	mm = mm_for_maps(priv->task);
	if (!mm || IS_ERR(mm))
		return mm;
	down_read(&mm->mmap_sem);

	/*
	 * NOTE(review): the gate vma is looked up through priv->task->mm,
	 * not through the local mm obtained above. Confirm the two cannot
	 * diverge between the calls and that get_gate_vma() tolerates a
	 * NULL argument.
	 */
	tail_vma = get_gate_vma(priv->task->mm);
	priv->tail_vma = tail_vma;

	/* Start with last addr hint */
	vma = find_vma(mm, last_addr);
	if (last_addr && vma) {
		/* last_addr was already reported; resume with its successor. */
		vma = vma->vm_next;
		goto out;
	}

	/*
	 * Check the vma index is within the range and do
	 * sequential scan until m_index.
	 */
	vma = NULL;
	if ((unsigned long)l < mm->map_count) {
		vma = mm->mmap;
		/* Walk l entries down the list; stops early if the list ends. */
		while (l-- && vma)
			vma = vma->vm_next;
		goto out;
	}

	/* Only position == map_count selects the tail vma. */
	if (l != mm->map_count)
		tail_vma = NULL; /* After gate vma */

out:
	/* Success: return with mmap_sem held and the mm still referenced. */
	if (vma)
		return vma;

	/* End of vmas has been reached */
	/* version 0 restarts from the hint-less path; -1UL marks the end. */
	m->version = (tail_vma != NULL)? 0: -1UL;
	/* Nothing from mm is returned, so unlock and drop it before leaving. */
	up_read(&mm->mmap_sem);
	mmput(mm);
	return tail_vma;
}
/*
 * m_next - seq_file next callback: advance from @v to the following entry.
 *
 * Increments *@pos, then returns the next vma on the list while there is
 * one. When the list is exhausted, the lock and mm reference held for @v
 * are released through vma_stop() and the tail vma recorded in priv is
 * returned once; stepping past the tail vma (or from a NULL @v when no
 * tail vma is recorded) returns NULL.
 */
static void *m_next(struct seq_file *m, void *v, loff_t *pos)
{
	struct proc_maps_private *priv = m->private;
	struct vm_area_struct *cur = v;
	struct vm_area_struct *tail = priv->tail_vma;

	(*pos)++;

	if (cur && cur != tail && cur->vm_next)
		return cur->vm_next;

	/* No successor on the list: release what was held for cur. */
	vma_stop(priv, cur);

	if (cur == tail)
		return NULL;
	return tail;
}
/*
 * m_stop - seq_file stop callback: undo what m_start()/m_next() left held.
 *
 * @v may be a vma, NULL, or an ERR_PTR handed back by m_start(). An
 * ERR_PTR is never passed to vma_stop(), which would dereference it.
 * The task reference stored in priv->task, if any, is dropped last.
 */
static void m_stop(struct seq_file *m, void *v)
{
	struct proc_maps_private *priv = m->private;
	struct vm_area_struct *cur = v;
	struct task_struct *task;

	if (!IS_ERR(cur))
		vma_stop(priv, cur);

	task = priv->task;
	if (task)
		put_task_struct(task);
}
/*
 * do_maps_open - common open path for the seq_file based maps files.
 *
 * Allocates a zeroed proc_maps_private, records the pid obtained from
 * @inode, opens @file as a seq_file driven by @ops and attaches the
 * private data to it.
 *
 * Returns 0 on success, -ENOMEM if the allocation fails, or the error
 * from seq_open(), in which case the private data is freed again.
 *
 * NOTE(review): on success the allocation is owned by the seq_file; the
 * matching free is not in this function and presumably lives in the
 * file's release handler - confirm.
 */
static int do_maps_open(struct inode *inode, struct file *file,
			const struct seq_operations *ops)
{
	struct proc_maps_private *priv;
	struct seq_file *m;
	int ret;

	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	priv->pid = proc_pid(inode);

	ret = seq_open(file, ops);
	if (ret) {
		/* seq_open() failed, so nothing else references priv yet. */
		kfree(priv);
		return ret;
	}

	m = file->private_data;
	m->private = priv;
	return ret;
}
static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2005-09-03 15:55:10 -07:00
|
|
|
struct mm_struct *mm = vma->vm_mm;
|
|
|
|
struct file *file = vma->vm_file;
|
2011-05-26 19:16:19 +09:00
|
|
|
vm_flags_t flags = vma->vm_flags;
|
2005-04-16 15:20:36 -07:00
|
|
|
unsigned long ino = 0;
|
2009-04-06 19:00:30 -07:00
|
|
|
unsigned long long pgoff = 0;
|
2011-05-09 13:01:09 +02:00
|
|
|
unsigned long start, end;
|
2005-04-16 15:20:36 -07:00
|
|
|
dev_t dev = 0;
|
|
|
|
int len;
|
|
|
|
|
|
|
|
if (file) {
|
2006-12-08 02:36:36 -08:00
|
|
|
struct inode *inode = vma->vm_file->f_path.dentry->d_inode;
|
2005-04-16 15:20:36 -07:00
|
|
|
dev = inode->i_sb->s_dev;
|
|
|
|
ino = inode->i_ino;
|
2009-04-06 19:00:30 -07:00
|
|
|
pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
2010-08-15 11:35:52 -07:00
|
|
|
/* We don't show the stack guard page in /proc/maps */
|
|
|
|
start = vma->vm_start;
|
2011-05-09 13:01:09 +02:00
|
|
|
if (stack_guard_page_start(vma, start))
|
|
|
|
start += PAGE_SIZE;
|
|
|
|
end = vma->vm_end;
|
|
|
|
if (stack_guard_page_end(vma, end))
|
|
|
|
end -= PAGE_SIZE;
|
2010-08-15 11:35:52 -07:00
|
|
|
|
/proc/self/maps doesn't display the real file offset
This addresses
http://bugzilla.kernel.org/show_bug.cgi?id=11318
In function show_map (file: fs/proc/task_mmu.c), if vma->vm_pgoff > 2^20
than (vma->vm_pgoff << PAGE_SIZE) is greater than 2^32 (with PAGE_SIZE
equal to 4096 (i.e. 2^12). The next seq_printf use an unsigned long for
the conversion of (vma->vm_pgoff << PAGE_SIZE), as a result the offset
value displayed in /proc/self/maps is truncated if the page offset is
greater than 2^20.
A test that shows this issue:
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#define PAGE_SIZE (getpagesize())
#if __i386__
# define U64_STR "%llx"
#elif __x86_64
# define U64_STR "%lx"
#else
# error "Architecture Unsupported"
#endif
int main(int argc, char *argv[])
{
int fd;
char *addr;
off64_t offset = 0x10000000;
char *filename = "/dev/zero";
fd = open(filename, O_RDONLY);
if (fd < 0) {
perror("open");
return 1;
}
offset *= 0x10;
printf("offset = " U64_STR "\n", offset);
addr = (char*)mmap64(NULL, PAGE_SIZE, PROT_READ, MAP_PRIVATE, fd,
offset);
if ((void*)addr == MAP_FAILED) {
perror("mmap64");
return 1;
}
{
FILE *fmaps;
char *line = NULL;
size_t len = 0;
ssize_t read;
size_t filename_len = strlen(filename);
fmaps = fopen("/proc/self/maps", "r");
if (!fmaps) {
perror("fopen");
return 1;
}
while ((read = getline(&line, &len, fmaps)) != -1) {
if ((read > filename_len + 1)
&& (strncmp(&line[read - filename_len - 1], filename, filename_len) == 0))
printf("%s", line);
}
if (line)
free(line);
fclose(fmaps);
}
close(fd);
return 0;
}
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Clement Calmels <cboulte@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-08-20 14:09:00 -07:00
|
|
|
seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
|
2010-08-15 11:35:52 -07:00
|
|
|
start,
|
2011-05-09 13:01:09 +02:00
|
|
|
end,
|
2005-04-16 15:20:36 -07:00
|
|
|
flags & VM_READ ? 'r' : '-',
|
|
|
|
flags & VM_WRITE ? 'w' : '-',
|
|
|
|
flags & VM_EXEC ? 'x' : '-',
|
|
|
|
flags & VM_MAYSHARE ? 's' : 'p',
|
2009-04-06 19:00:30 -07:00
|
|
|
pgoff,
|
2005-04-16 15:20:36 -07:00
|
|
|
MAJOR(dev), MINOR(dev), ino, &len);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Print the dentry name for named mappings, and a
|
|
|
|
* special [heap] marker for the heap:
|
|
|
|
*/
|
2005-09-03 15:55:10 -07:00
|
|
|
if (file) {
|
2005-04-16 15:20:36 -07:00
|
|
|
pad_len_spaces(m, len);
|
2008-02-14 19:38:43 -08:00
|
|
|
seq_path(m, &file->f_path, "\n");
|
2005-04-16 15:20:36 -07:00
|
|
|
} else {
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 02:53:50 -07:00
|
|
|
const char *name = arch_vma_name(vma);
|
|
|
|
if (!name) {
|
|
|
|
if (mm) {
|
2011-03-23 16:42:50 -07:00
|
|
|
if (vma->vm_start <= mm->brk &&
|
|
|
|
vma->vm_end >= mm->start_brk) {
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 02:53:50 -07:00
|
|
|
name = "[heap]";
|
|
|
|
} else if (vma->vm_start <= mm->start_stack &&
|
|
|
|
vma->vm_end >= mm->start_stack) {
|
|
|
|
name = "[stack]";
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 02:53:50 -07:00
|
|
|
} else {
|
|
|
|
name = "[vdso]";
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 02:53:50 -07:00
|
|
|
}
|
|
|
|
if (name) {
|
2005-04-16 15:20:36 -07:00
|
|
|
pad_len_spaces(m, len);
|
[PATCH] vdso: randomize the i386 vDSO by moving it into a vma
Move the i386 VDSO down into a vma and thus randomize it.
Besides the security implications, this feature also helps debuggers, which
can COW a vma-backed VDSO just like a normal DSO and can thus do
single-stepping and other debugging features.
It's good for hypervisors (Xen, VMWare) too, which typically live in the same
high-mapped address space as the VDSO, hence whenever the VDSO is used, they
get lots of guest pagefaults and have to fix such guest accesses up - which
slows things down instead of speeding things up (the primary purpose of the
VDSO).
There's a new CONFIG_COMPAT_VDSO (default=y) option, which provides support
for older glibcs that still rely on a prelinked high-mapped VDSO. Newer
distributions (using glibc 2.3.3 or later) can turn this option off. Turning
it off is also recommended for security reasons: attackers cannot use the
predictable high-mapped VDSO page as syscall trampoline anymore.
There is a new vdso=[0|1] boot option as well, and a runtime
/proc/sys/vm/vdso_enabled sysctl switch, that allows the VDSO to be turned
on/off.
(This version of the VDSO-randomization patch also has working ELF
coredumping, the previous patch crashed in the coredumping code.)
This code is a combined work of the exec-shield VDSO randomization
code and Gerd Hoffmann's hypervisor-centric VDSO patch. Rusty Russell
started this patch and i completed it.
[akpm@osdl.org: cleanups]
[akpm@osdl.org: compile fix]
[akpm@osdl.org: compile fix 2]
[akpm@osdl.org: compile fix 3]
[akpm@osdl.org: revernt MAXMEM change]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Arjan van de Ven <arjan@infradead.org>
Cc: Gerd Hoffmann <kraxel@suse.de>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Zachary Amsden <zach@vmware.com>
Cc: Andi Kleen <ak@muc.de>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-27 02:53:50 -07:00
|
|
|
seq_puts(m, name);
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
seq_putc(m, '\n');
|
2008-10-16 15:27:09 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
 * seq_file ->show callback installed in proc_pid_maps_op: print the record
 * for the vma passed in @v and remember where the iteration got to.
 *
 * m->version is set to the vma's start address once the record fits in the
 * seq_file buffer, or to 0 for the gate vma.  Always returns 0.
 *
 * NOTE(review): show_map_vma() labels the heap, stack and vdso mappings, so
 * this output describes the task's address-space layout.  Who may open the
 * file is decided by do_maps_open(), which is not visible in this listing -
 * confirm the access check there when reviewing for layout disclosure.
 */
static int show_map(struct seq_file *m, void *v)
{
	struct proc_maps_private *priv = m->private;
	struct task_struct *task = priv->task;
	struct vm_area_struct *vma = v;

	show_map_vma(m, vma);

	/* Buffer not full: the vma record was copied successfully. */
	if (m->count < m->size) {
		if (vma != get_gate_vma(task->mm))
			m->version = vma->vm_start;
		else
			m->version = 0;
	}

	return 0;
}
|
|
|
|
|
2008-02-08 04:21:19 -08:00
|
|
|
/*
 * seq_file iterator for the maps view: the m_start/m_next/m_stop walk
 * with show_map() as the per-element printer.
 */
static const struct seq_operations proc_pid_maps_op = {
	.show	= show_map,
	.start	= m_start,
	.next	= m_next,
	.stop	= m_stop,
};
|
|
|
|
|
|
|
|
/*
 * ->open handler for the maps file: hand off to do_maps_open() with the
 * maps iterator.  The return value is whatever do_maps_open() returns.
 */
static int maps_open(struct inode *inode, struct file *file)
{
	const struct seq_operations *ops = &proc_pid_maps_op;

	return do_maps_open(inode, file, ops);
}
|
|
|
|
|
|
|
|
/*
 * File operations for the maps file: maps_open() sets up the seq_file,
 * the remaining handlers are the generic seq_file ones.
 */
const struct file_operations proc_maps_operations = {
	.open		= maps_open,
	.release	= seq_release_private,
	.read		= seq_read,
	.llseek		= seq_lseek,
};
|
|
|
|
|
|
|
|
/*
 * Proportional Set Size (PSS): this process's share of RSS.
 *
 * The PSS of a process is the count of pages it has in memory, where each
 * page is divided by the number of processes sharing it.  A process with
 * 1000 pages all to itself and 1000 pages shared with one other process
 * therefore has a PSS of 1500.
 *
 * The pss counter is kept as a 64bit fixed-point value so that the
 * accumulated division errors stay low; (pss >> PSS_SHIFT) is the real
 * byte count.
 *
 * A shift of 12 before division means (assuming 4K page size):
 *	- 1M 3-user-pages add up to 8KB errors;
 *	- supports mapcount up to 2^24, or 16M;
 *	- supports PSS up to 2^52 bytes, or 4PB.
 */
#define PSS_SHIFT	12
|
|
|
|
|
2008-02-04 22:29:07 -08:00
|
|
|
#ifdef CONFIG_PROC_PAGE_MONITOR
|
2008-04-28 02:12:55 -07:00
|
|
|
/*
 * Per-vma totals collected by the smaps page-table walk.
 *
 * smaps_pte_entry() adds the byte size of each entry to the counters and
 * show_smap() shifts them right by 10 to print kB.
 */
struct mem_size_stats {
	struct vm_area_struct *vma;	/* vma being walked */
	unsigned long resident;		/* entries backed by a normal page */
	unsigned long shared_clean;	/* mapcount >= 2, not dirty */
	unsigned long shared_dirty;	/* mapcount >= 2, dirty */
	unsigned long private_clean;	/* mapcount < 2, not dirty */
	unsigned long private_dirty;	/* mapcount < 2, dirty */
	unsigned long referenced;	/* young pte or PageReferenced */
	unsigned long anonymous;	/* PageAnon pages */
	unsigned long anonymous_thp;	/* huge pmds, HPAGE_PMD_SIZE each */
	unsigned long swap;		/* swap ptes */
	u64 pss;			/* fixed point, scaled by PSS_SHIFT */
};
|
|
|
|
|
2011-03-22 16:32:58 -07:00
|
|
|
|
|
|
|
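/*
 * Account one page-table entry in the smaps totals.
 *
 * @ptent:	the entry; smaps_pte_range() passes either a pte or a huge
 *		pmd cast to pte_t
 * @addr:	virtual address the entry maps
 * @ptent_size:	number of bytes the entry covers (the callers pass
 *		PAGE_SIZE or HPAGE_PMD_SIZE)
 * @walk:	page walk state; walk->private is the mem_size_stats
 *
 * Swap entries only add to ->swap.  Entries that are not present, or have
 * no normal page behind them, are not counted at all.
 */
static void smaps_pte_entry(pte_t ptent, unsigned long addr,
		unsigned long ptent_size, struct mm_walk *walk)
{
	struct mem_size_stats *mss = walk->private;
	struct vm_area_struct *vma = mss->vma;
	struct page *page;
	int mapcount;
	int dirty;

	if (is_swap_pte(ptent)) {
		mss->swap += ptent_size;
		return;
	}

	if (!pte_present(ptent))
		return;

	page = vm_normal_page(vma, addr, ptent);
	if (!page)
		return;

	if (PageAnon(page))
		mss->anonymous += ptent_size;

	mss->resident += ptent_size;

	/* Accumulate the size in pages that have been accessed. */
	if (pte_young(ptent) || PageReferenced(page))
		mss->referenced += ptent_size;

	dirty = pte_dirty(ptent) || PageDirty(page);
	mapcount = page_mapcount(page);
	if (mapcount >= 2) {
		if (dirty)
			mss->shared_dirty += ptent_size;
		else
			mss->shared_clean += ptent_size;
		/*
		 * NOTE(review): this shift is still done in unsigned long.
		 * Where unsigned long is 32 bits wide and ptent_size is a
		 * huge-page size, ptent_size << PSS_SHIFT may not fit.
		 * Widening it needs a 64-bit division helper that this
		 * listing does not show in scope, so it is left as is.
		 */
		mss->pss += (ptent_size << PSS_SHIFT) / mapcount;
	} else {
		if (dirty)
			mss->private_dirty += ptent_size;
		else
			mss->private_clean += ptent_size;
		/*
		 * Widen before shifting: ->pss is u64, and the shifted
		 * value must not be truncated to the width of unsigned
		 * long first.
		 */
		mss->pss += (u64)ptent_size << PSS_SHIFT;
	}
}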
|
|
|
|
|
2008-02-04 22:29:01 -08:00
|
|
|
/*
 * pmd_entry callback of the smaps walk: feed every entry below @pmd in
 * [addr, end) to smaps_pte_entry().  walk->private is the mem_size_stats.
 * Always returns 0.
 */
static int smaps_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
			   struct mm_walk *walk)
{
	struct mem_size_stats *mss = walk->private;
	struct vm_area_struct *vma = mss->vma;
	spinlock_t *ptl;
	pte_t *pte;

	/*
	 * Huge pmd: account it as one HPAGE_PMD_SIZE entry.  The
	 * spin_unlock() below suggests pmd_trans_huge_lock() returns 1
	 * with page_table_lock held - confirm against its definition.
	 */
	if (pmd_trans_huge_lock(pmd, vma) == 1) {
		smaps_pte_entry(*(pte_t *)pmd, addr, HPAGE_PMD_SIZE, walk);
		spin_unlock(&walk->mm->page_table_lock);
		mss->anonymous_thp += HPAGE_PMD_SIZE;
		return 0;
	}

	/*
	 * Added by "mm: thp: fix pmd_bad() triggering in code paths holding
	 * mmap_sem read mode" (CVE-2012-1179).  With mmap_sem held only in
	 * read mode, a concurrent huge page fault can turn a pmd_none()
	 * entry into a trans-huge pmd, so the pmd is re-checked here and
	 * the pte walk is skipped when it is not stable.
	 */
	if (pmd_trans_unstable(pmd))
		return 0;

	/*
	 * The mmap_sem held all the way back in m_start() is what
	 * keeps khugepaged out of here and from collapsing things
	 * in here.
	 */
	pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
	while (addr != end) {
		smaps_pte_entry(*pte, addr, PAGE_SIZE, walk);
		pte++;
		addr += PAGE_SIZE;
	}
	/* pte now points one past the last entry visited. */
	pte_unmap_unlock(pte - 1, ptl);
	cond_resched();

	return 0;
}
|
|
|
|
|
|
|
|
/*
 * seq_file ->show callback installed in proc_pid_smaps_op: print the
 * map line for the vma in @v followed by its memory statistics in kB.
 *
 * The statistics come from a page-table walk over the vma, which is
 * skipped for hugetlb vmas and for vmas without an mm.  "Locked" repeats
 * the Pss value when the vma has VM_LOCKED set and is 0 otherwise.
 * m->version is updated the same way show_map() does it.  Always returns 0.
 */
static int show_smap(struct seq_file *m, void *v)
{
	struct vm_area_struct *vma = v;
	struct proc_maps_private *priv = m->private;
	struct task_struct *task = priv->task;
	struct mem_size_stats mss;
	struct mm_walk smaps_walk = {
		.pmd_entry = smaps_pte_range,
		.mm = vma->vm_mm,
		.private = &mss,
	};
	unsigned long pss_kb;

	memset(&mss, 0, sizeof mss);
	mss.vma = vma;

	/* mmap_sem is held in m_start */
	if (vma->vm_mm && !is_vm_hugetlb_page(vma))
		walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);

	show_map_vma(m, vma);

	/* Drop the fixed-point scaling and convert bytes to kB in one shift. */
	pss_kb = (unsigned long)(mss.pss >> (10 + PSS_SHIFT));

	seq_printf(m,
		   "Size: %8lu kB\n"
		   "Rss: %8lu kB\n"
		   "Pss: %8lu kB\n"
		   "Shared_Clean: %8lu kB\n"
		   "Shared_Dirty: %8lu kB\n"
		   "Private_Clean: %8lu kB\n"
		   "Private_Dirty: %8lu kB\n"
		   "Referenced: %8lu kB\n"
		   "Anonymous: %8lu kB\n"
		   "AnonHugePages: %8lu kB\n"
		   "Swap: %8lu kB\n"
		   "KernelPageSize: %8lu kB\n"
		   "MMUPageSize: %8lu kB\n"
		   "Locked: %8lu kB\n",
		   (vma->vm_end - vma->vm_start) >> 10,
		   mss.resident >> 10,
		   pss_kb,
		   mss.shared_clean >> 10,
		   mss.shared_dirty >> 10,
		   mss.private_clean >> 10,
		   mss.private_dirty >> 10,
		   mss.referenced >> 10,
		   mss.anonymous >> 10,
		   mss.anonymous_thp >> 10,
		   mss.swap >> 10,
		   vma_kernel_pagesize(vma) >> 10,
		   vma_mmu_pagesize(vma) >> 10,
		   (vma->vm_flags & VM_LOCKED) ? pss_kb : 0);

	/* Buffer not full: the vma record was copied successfully. */
	if (m->count < m->size) {
		if (vma != get_gate_vma(task->mm))
			m->version = vma->vm_start;
		else
			m->version = 0;
	}

	return 0;
}
|
|
|
|
|
2008-02-08 04:21:19 -08:00
|
|
|
/*
 * seq_file iterator for the smaps view: the same m_start/m_next/m_stop
 * walk as the maps view, with show_smap() as the per-element printer.
 */
static const struct seq_operations proc_pid_smaps_op = {
	.show	= show_smap,
	.start	= m_start,
	.next	= m_next,
	.stop	= m_stop,
};
|
|
|
|
|
|
|
|
/*
 * ->open handler for the smaps file: hand off to do_maps_open() with the
 * smaps iterator.  The return value is whatever do_maps_open() returns.
 */
static int smaps_open(struct inode *inode, struct file *file)
{
	const struct seq_operations *ops = &proc_pid_smaps_op;

	return do_maps_open(inode, file, ops);
}
|
|
|
|
|
|
|
|
/*
 * File operations for the smaps file: smaps_open() sets up the seq_file,
 * the remaining handlers are the generic seq_file ones.
 */
const struct file_operations proc_smaps_operations = {
	.open		= smaps_open,
	.release	= seq_release_private,
	.read		= seq_read,
	.llseek		= seq_lseek,
};
|
|
|
|
|
|
|
|
/*
 * Page-walk callback taking a pmd and the range [addr, end): clear the
 * young bit of every present pte under @pmd and the Referenced flag of
 * the page behind it.  walk->private is the vma being processed.
 * Entries without a normal page, and reserved pages, are left alone.
 * Always returns 0.
 */
static int clear_refs_pte_range(pmd_t *pmd, unsigned long addr,
				unsigned long end, struct mm_walk *walk)
{
	struct vm_area_struct *vma = walk->private;
	struct page *page;
	spinlock_t *ptl;
	pte_t *pte;
	pte_t ptent;

	split_huge_page_pmd(walk->mm, pmd);

	/*
	 * Added by "mm: thp: fix pmd_bad() triggering in code paths holding
	 * mmap_sem read mode" (CVE-2012-1179).  With mmap_sem held only in
	 * read mode, a concurrent huge page fault can turn a pmd_none()
	 * entry into a trans-huge pmd, so the pmd is re-checked here and
	 * the pte walk is skipped when it is not stable.
	 */
	if (pmd_trans_unstable(pmd))
		return 0;

	pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
	while (addr != end) {
		ptent = *pte;
		if (pte_present(ptent)) {
			page = vm_normal_page(vma, addr, ptent);
			if (page && !PageReserved(page)) {
				/* Clear accessed and referenced bits. */
				ptep_test_and_clear_young(vma, addr, pte);
				ClearPageReferenced(page);
			}
		}
		pte++;
		addr += PAGE_SIZE;
	}
	/* pte now points one past the last entry visited. */
	pte_unmap_unlock(pte - 1, ptl);
	cond_resched();

	return 0;
}
/*
 * Selector values accepted by a write to /proc/<pid>/clear_refs.
 * clear_refs_write() rejects anything outside this range with -EINVAL.
 */
#define CLEAR_REFS_ALL		1	/* every (non-hugetlb) mapping */
#define CLEAR_REFS_ANON		2	/* only mappings without a backing file */
#define CLEAR_REFS_MAPPED	3	/* only file-backed mappings */
/*
 * clear_refs_write() - write handler for /proc/<pid>/clear_refs.
 *
 * Parses a decimal selector (CLEAR_REFS_ALL, CLEAR_REFS_ANON or
 * CLEAR_REFS_MAPPED) from the user buffer and runs a page walk with
 * clear_refs_pte_range() as the pmd callback over every matching VMA of the
 * target task, then flushes the TLB for that mm.
 *
 * Returns the number of bytes consumed (at most PROC_NUMBUF - 1), -EFAULT if
 * the user buffer cannot be copied, the kstrtoint() error for a malformed
 * number, -EINVAL for a selector outside the accepted range, or -ESRCH when
 * no task is found for the inode. A task without an mm is not an error.
 */
static ssize_t clear_refs_write(struct file *file, const char __user *buf,
				size_t count, loff_t *ppos)
{
	struct mm_walk clear_refs_walk = {
		.pmd_entry = clear_refs_pte_range,
	};
	char buffer[PROC_NUMBUF];
	struct task_struct *task;
	struct vm_area_struct *vma;
	struct mm_struct *mm;
	int type;
	int rv;

	/*
	 * Untrusted input: zero the buffer and copy at most sizeof(buffer) - 1
	 * bytes, so the string handed to kstrtoint() is always NUL-terminated.
	 */
	memset(buffer, 0, sizeof(buffer));
	if (count >= sizeof(buffer))
		count = sizeof(buffer) - 1;
	if (copy_from_user(buffer, buf, count))
		return -EFAULT;

	rv = kstrtoint(strstrip(buffer), 10, &type);
	if (rv < 0)
		return rv;
	/* Only the three documented selectors are accepted. */
	if (!(type >= CLEAR_REFS_ALL && type <= CLEAR_REFS_MAPPED))
		return -EINVAL;

	task = get_proc_task(file->f_path.dentry->d_inode);
	if (!task)
		return -ESRCH;

	mm = get_task_mm(task);
	if (!mm)
		goto out_put_task;

	clear_refs_walk.mm = mm;

	/* The VMA list is walked with mmap_sem held in read mode. */
	down_read(&mm->mmap_sem);
	vma = mm->mmap;
	while (vma) {
		clear_refs_walk.private = vma;

		/*
		 * hugetlb VMAs are always skipped. Selector 1 covers all
		 * remaining VMAs, 2 only those without a backing file, and
		 * 3 only those with one.
		 */
		if (!is_vm_hugetlb_page(vma) &&
		    !(type == CLEAR_REFS_ANON && vma->vm_file) &&
		    !(type == CLEAR_REFS_MAPPED && !vma->vm_file))
			walk_page_range(vma->vm_start, vma->vm_end,
					&clear_refs_walk);

		vma = vma->vm_next;
	}
	flush_tlb_mm(mm);
	up_read(&mm->mmap_sem);
	mmput(mm);

out_put_task:
	put_task_struct(task);

	return count;
}
const struct file_operations proc_clear_refs_operations = {
|
|
|
|
.write = clear_refs_write,
|
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 18:52:59 +02:00
|
|
|
.llseek = noop_llseek,
|
2008-02-04 22:29:03 -08:00
|
|
|
};
/*
 * Output buffer state handed to the pagemap walk callbacks through
 * walk->private.
 */
struct pagemapread {
	int pos;	/* index of the next free slot in buffer[] */
	int len;	/* add_to_pagemap() reports PM_END_OF_BUFFER once pos reaches this */
	u64 *buffer;	/* collected pagemap entries, one u64 each */
};
/*
 * Walk granularity. pagemap_pte_range() uses the mask to turn an address
 * into a page index within its PMD-sized range.
 */
#define PAGEMAP_WALK_SIZE	(PMD_SIZE)
#define PAGEMAP_WALK_MASK	(PMD_MASK)

/*
 * Layout of one 64-bit pagemap entry, as built by the macros below:
 *
 *   bits 61-63  status      (PM_STATUS_BITS wide, at PM_STATUS_OFFSET)
 *   bits 55-60  page shift  (PM_PSHIFT_BITS wide, at PM_PSHIFT_OFFSET)
 *   bits  0-54  page frame number, or the packed swap type/offset when
 *               PM_SWAP is set
 *
 * NOTE(review): (7LL << 61) in PM_STATUS_MASK and (4LL << 61) in PM_PRESENT
 * do not fit in a signed long long; in the uses visible here the result is
 * only consumed after being combined with a u64. Unsigned constants would
 * avoid depending on how the compiler treats that shift.
 */
#define PM_ENTRY_BYTES		sizeof(u64)

#define PM_STATUS_BITS		3
#define PM_STATUS_OFFSET	(64 - PM_STATUS_BITS)
#define PM_STATUS_MASK		(((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
#define PM_STATUS(nr)		(((nr) << PM_STATUS_OFFSET) & PM_STATUS_MASK)

#define PM_PSHIFT_BITS		6
#define PM_PSHIFT_OFFSET	(PM_STATUS_OFFSET - PM_PSHIFT_BITS)
#define PM_PSHIFT_MASK		(((1LL << PM_PSHIFT_BITS) - 1) << PM_PSHIFT_OFFSET)
#define PM_PSHIFT(x)		(((u64) (x) << PM_PSHIFT_OFFSET) & PM_PSHIFT_MASK)

#define PM_PFRAME_MASK		((1LL << PM_PSHIFT_OFFSET) - 1)
#define PM_PFRAME(x)		((x) & PM_PFRAME_MASK)

/* Status values and the entry reported for a page that is not present. */
#define PM_PRESENT		PM_STATUS(4LL)
#define PM_SWAP			PM_STATUS(2LL)
#define PM_NOT_PRESENT		PM_PSHIFT(PAGE_SHIFT)

/* Returned by add_to_pagemap() when the output buffer is full. */
#define PM_END_OF_BUFFER	1
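/*
 * add_to_pagemap() - append one entry to the pagemap output buffer.
 * @addr: virtual address the entry describes (not used by this function)
 * @pfn:  encoded pagemap entry to store
 * @pm:   output buffer state
 *
 * Returns 0 while there is still room after the store, PM_END_OF_BUFFER once
 * the buffer is full. The entry that fills the last slot is still stored.
 */
static int add_to_pagemap(unsigned long addr, u64 pfn,
			  struct pagemapread *pm)
{
	/*
	 * Never store past the end of the buffer: a call made after the
	 * buffer has already filled up reports PM_END_OF_BUFFER again
	 * instead of writing out of bounds.
	 */
	if (pm->pos >= pm->len)
		return PM_END_OF_BUFFER;

	pm->buffer[pm->pos++] = pfn;
	if (pm->pos >= pm->len)
		return PM_END_OF_BUFFER;
	return 0;
}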
/*
 * pagemap_pte_hole() - report every page in [start, end) as not present.
 *
 * Emits one PM_NOT_PRESENT entry per PAGE_SIZE step and stops at the first
 * non-zero result from add_to_pagemap(), which is returned to the caller.
 * Returns 0 when the whole range was emitted.
 */
static int pagemap_pte_hole(unsigned long start, unsigned long end,
				struct mm_walk *walk)
{
	struct pagemapread *pm = walk->private;
	unsigned long addr = start;

	while (addr < end) {
		int err = add_to_pagemap(addr, PM_NOT_PRESENT, pm);

		if (err)
			return err;
		addr += PAGE_SIZE;
	}

	return 0;
}
/*
 * Pack a swap pte for the pagemap: the swap type goes in the low bits and
 * the swap offset is shifted up by MAX_SWAPFILES_SHIFT.
 */
static u64 swap_pte_to_pagemap_entry(pte_t pte)
{
	swp_entry_t entry = pte_to_swp_entry(pte);

	return (swp_offset(entry) << MAX_SWAPFILES_SHIFT) | swp_type(entry);
}
/*
 * pte_to_pagemap_entry() - encode one pte as a pagemap entry.
 *
 * A swap pte yields the packed swap type/offset with PM_SWAP set; a present
 * pte yields its page frame number with PM_PRESENT set. Both carry
 * PAGE_SHIFT in the page-shift field. Any other pte encodes as 0.
 *
 * NOTE(review): for present pages the entry carries the raw page frame
 * number, so who may read the pagemap file matters; the access check is not
 * part of this section.
 */
static u64 pte_to_pagemap_entry(pte_t pte)
{
	if (is_swap_pte(pte))
		return PM_PFRAME(swap_pte_to_pagemap_entry(pte))
			| PM_PSHIFT(PAGE_SHIFT) | PM_SWAP;

	if (pte_present(pte))
		return PM_PFRAME(pte_pfn(pte))
			| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;

	return 0;
}
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
/*
 * thp_pmd_to_pagemap_entry() - encode one base page of a huge pmd.
 * @pmd:    the huge pmd
 * @offset: index of the base page within the huge page, added to the pmd's
 *          page frame number
 *
 * Returns the entry with PM_PRESENT set, or 0 if the pmd is not present.
 */
static u64 thp_pmd_to_pagemap_entry(pmd_t pmd, int offset)
{
	/*
	 * A thp pmd is currently always present: thp is split rather than
	 * swapped out, migrated or HWPOISONed. The check only prepares for a
	 * future implementation where that no longer holds.
	 */
	if (!pmd_present(pmd))
		return 0;

	return PM_PFRAME(pmd_pfn(pmd) + offset)
		| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
}
#else
/* Without transparent hugepage support every huge pmd encodes as 0. */
static inline u64 thp_pmd_to_pagemap_entry(pmd_t pmd, int offset)
{
	return 0;
}
#endif
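/*
 * pagemap_pte_range() - pmd callback of the pagemap walk.
 *
 * Emits one pagemap entry per page in [addr, end) through add_to_pagemap().
 * A transparent huge pmd is expanded into one entry per base page; otherwise
 * each pte is read and encoded, and addresses that no suitable VMA covers are
 * reported as PM_NOT_PRESENT.
 *
 * Returns 0 on success or the first non-zero result of add_to_pagemap()
 * (PM_END_OF_BUFFER when the output buffer is full).
 */
static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
			     struct mm_walk *walk)
{
	struct vm_area_struct *vma;
	struct pagemapread *pm = walk->private;
	pte_t *pte;
	int err = 0;
	u64 pfn = PM_NOT_PRESENT;

	/*
	 * This walk runs with mmap_sem held in read mode, so a concurrent
	 * huge page fault can turn a none pmd into a transparent huge pmd
	 * underneath it. Bail out when the pmd is not stable instead of
	 * treating it as a page table; that race was reported as
	 * CVE-2012-1179.
	 */
	if (pmd_trans_unstable(pmd))
		return 0;

	/* find the first VMA at or above 'addr' */
	vma = find_vma(walk->mm, addr);

	/*
	 * pmd_trans_huge_lock() takes mm->page_table_lock itself and returns
	 * 1 with the lock held for a huge pmd. Taking the lock here as well
	 * would acquire it twice on the huge path and leave it held on the
	 * regular path below, which never unlocks.
	 */
	if (pmd_trans_huge_lock(pmd, vma) == 1) {
		for (; addr != end; addr += PAGE_SIZE) {
			unsigned long offset;

			/* index of this base page within the huge page */
			offset = (addr & ~PAGEMAP_WALK_MASK) >>
					PAGE_SHIFT;
			pfn = thp_pmd_to_pagemap_entry(*pmd, offset);
			err = add_to_pagemap(addr, pfn, pm);
			if (err)
				break;
		}
		spin_unlock(&walk->mm->page_table_lock);
		return err;
	}

	for (; addr != end; addr += PAGE_SIZE) {
		/*
		 * Start every page as "not present" so that an address no
		 * VMA covers does not repeat the entry, and with it the page
		 * frame number, of the previous page.
		 */
		pfn = PM_NOT_PRESENT;

		/* check to see if we've left 'vma' behind
		 * and need a new, higher one */
		if (vma && (addr >= vma->vm_end))
			vma = find_vma(walk->mm, addr);

		/* check that 'vma' actually covers this address,
		 * and that it isn't a huge page vma */
		if (vma && (vma->vm_start <= addr) &&
		    !is_vm_hugetlb_page(vma)) {
			pte = pte_offset_map(pmd, addr);
			pfn = pte_to_pagemap_entry(*pte);
			/* unmap before userspace copy */
			pte_unmap(pte);
		}
		err = add_to_pagemap(addr, pfn, pm);
		if (err)
			return err;
	}

	cond_resched();

	return err;
}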
#ifdef CONFIG_HUGETLB_PAGE
|
mm hugetlb: add hugepage support to pagemap
This patch enables extraction of the pfn of a hugepage from
/proc/pid/pagemap in an architecture independent manner.
Details
-------
My test program (leak_pagemap) works as follows:
- creat() and mmap() a file on hugetlbfs (file size is 200MB == 100 hugepages,)
- read()/write() something on it,
- call page-types with option -p,
- munmap() and unlink() the file on hugetlbfs
Without my patches
------------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000086c 81 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 5 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 101 0
The output of page-types don't show any hugepage.
With my patches
---------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000030000 51100 199 ________________TG________________ compound_tail,huge
0x0000000000028018 100 0 ___UD__________H_G________________ uptodate,dirty,compound_head,huge
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000080c 1 0 __RU_______M______________________ referenced,uptodate,mmap
0x000000000000086c 80 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 4 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 51300 200
The output of page-types shows 51200 pages contributing to hugepages,
containing 100 head pages and 51100 tail pages as expected.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-14 18:00:01 -08:00
|
|
|
/*
 * huge_pte_to_pagemap_entry() - encode one base page of a hugetlb pte.
 * @pte:    the huge pte
 * @offset: index of the base page within the huge page, added to the pte's
 *          page frame number
 *
 * Returns the entry with PM_PRESENT set, or 0 if the pte is not present.
 */
static u64 huge_pte_to_pagemap_entry(pte_t pte, int offset)
{
	if (!pte_present(pte))
		return 0;

	return PM_PFRAME(pte_pfn(pte) + offset)
		| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
}
/* This function walks within one hugetlb entry in the single call */
|
|
|
|
static int pagemap_hugetlb_range(pte_t *pte, unsigned long hmask,
|
|
|
|
unsigned long addr, unsigned long end,
|
|
|
|
struct mm_walk *walk)
|
mm hugetlb: add hugepage support to pagemap
This patch enables extraction of the pfn of a hugepage from
/proc/pid/pagemap in an architecture independent manner.
Details
-------
My test program (leak_pagemap) works as follows:
- creat() and mmap() a file on hugetlbfs (file size is 200MB == 100 hugepages,)
- read()/write() something on it,
- call page-types with option -p,
- munmap() and unlink() the file on hugetlbfs
Without my patches
------------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000086c 81 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 5 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 101 0
The output of page-types don't show any hugepage.
With my patches
---------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000030000 51100 199 ________________TG________________ compound_tail,huge
0x0000000000028018 100 0 ___UD__________H_G________________ uptodate,dirty,compound_head,huge
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000080c 1 0 __RU_______M______________________ referenced,uptodate,mmap
0x000000000000086c 80 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 4 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 51300 200
The output of page-types shows 51200 pages contributing to hugepages,
containing 100 head pages and 51100 tail pages as expected.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-14 18:00:01 -08:00
|
|
|
{
|
|
|
|
struct pagemapread *pm = walk->private;
|
|
|
|
int err = 0;
|
2010-04-06 14:35:04 -07:00
|
|
|
u64 pfn;
|
mm hugetlb: add hugepage support to pagemap
This patch enables extraction of the pfn of a hugepage from
/proc/pid/pagemap in an architecture independent manner.
Details
-------
My test program (leak_pagemap) works as follows:
- creat() and mmap() a file on hugetlbfs (file size is 200MB == 100 hugepages,)
- read()/write() something on it,
- call page-types with option -p,
- munmap() and unlink() the file on hugetlbfs
Without my patches
------------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000086c 81 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 5 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 101 0
The output of page-types don't show any hugepage.
With my patches
---------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000030000 51100 199 ________________TG________________ compound_tail,huge
0x0000000000028018 100 0 ___UD__________H_G________________ uptodate,dirty,compound_head,huge
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000080c 1 0 __RU_______M______________________ referenced,uptodate,mmap
0x000000000000086c 80 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 4 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 51300 200
The output of page-types shows 51200 pages contributing to hugepages,
containing 100 head pages and 51100 tail pages as expected.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-14 18:00:01 -08:00
|
|
|
|
|
|
|
for (; addr != end; addr += PAGE_SIZE) {
|
2010-04-06 14:35:04 -07:00
|
|
|
int offset = (addr & ~hmask) >> PAGE_SHIFT;
|
|
|
|
pfn = huge_pte_to_pagemap_entry(*pte, offset);
|
mm hugetlb: add hugepage support to pagemap
This patch enables extraction of the pfn of a hugepage from
/proc/pid/pagemap in an architecture independent manner.
Details
-------
My test program (leak_pagemap) works as follows:
- creat() and mmap() a file on hugetlbfs (file size is 200MB == 100 hugepages,)
- read()/write() something on it,
- call page-types with option -p,
- munmap() and unlink() the file on hugetlbfs
Without my patches
------------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000086c 81 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 5 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 101 0
The output of page-types don't show any hugepage.
With my patches
---------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000030000 51100 199 ________________TG________________ compound_tail,huge
0x0000000000028018 100 0 ___UD__________H_G________________ uptodate,dirty,compound_head,huge
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000080c 1 0 __RU_______M______________________ referenced,uptodate,mmap
0x000000000000086c 80 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 4 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 51300 200
The output of page-types shows 51200 pages contributing to hugepages,
containing 100 head pages and 51100 tail pages as expected.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-14 18:00:01 -08:00
|
|
|
err = add_to_pagemap(addr, pfn, pm);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
cond_resched();
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
2010-05-24 14:32:12 -07:00
|
|
|
#endif /* HUGETLB_PAGE */
|
mm hugetlb: add hugepage support to pagemap
This patch enables extraction of the pfn of a hugepage from
/proc/pid/pagemap in an architecture independent manner.
Details
-------
My test program (leak_pagemap) works as follows:
- creat() and mmap() a file on hugetlbfs (file size is 200MB == 100 hugepages,)
- read()/write() something on it,
- call page-types with option -p,
- munmap() and unlink() the file on hugetlbfs
Without my patches
------------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000086c 81 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 5 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 101 0
The output of page-types don't show any hugepage.
With my patches
---------------
$ ./leak_pagemap
flags page-count MB symbolic-flags long-symbolic-flags
0x0000000000000000 1 0 __________________________________
0x0000000000030000 51100 199 ________________TG________________ compound_tail,huge
0x0000000000028018 100 0 ___UD__________H_G________________ uptodate,dirty,compound_head,huge
0x0000000000000804 1 0 __R________M______________________ referenced,mmap
0x000000000000080c 1 0 __RU_______M______________________ referenced,uptodate,mmap
0x000000000000086c 80 0 __RU_lA____M______________________ referenced,uptodate,lru,active,mmap
0x0000000000005808 4 0 ___U_______Ma_b___________________ uptodate,mmap,anonymous,swapbacked
0x0000000000005868 12 0 ___U_lA____Ma_b___________________ uptodate,lru,active,mmap,anonymous,swapbacked
0x000000000000586c 1 0 __RU_lA____Ma_b___________________ referenced,uptodate,lru,active,mmap,anonymous,swapbacked
total 51300 200
The output of page-types shows 51200 pages contributing to hugepages,
containing 100 head pages and 51100 tail pages as expected.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-14 18:00:01 -08:00
2008-02-04 22:29:04 -08:00
|
|
|
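/*
 * /proc/pid/pagemap - an array mapping virtual pages to pfns
 *
 * For each page in the address space, this file contains one 64-bit entry
 * consisting of the following:
 *
 * Bits 0-54  page frame number (PFN) if present
 * Bits 0-4   swap type if swapped
 * Bits 5-54  swap offset if swapped
 * Bits 55-60 page shift (page size = 1<<page shift)
 * Bit  61    reserved for future use
 * Bit  62    page swapped
 * Bit  63    page present
 *
 * NOTE(review): this comment used to list bit 55 in both the PFN/swap
 * offset field ("0-55", "5-55") and the page shift field ("55-60").  The
 * ranges above assume the page shift field owns bit 55; the PM_* mask
 * definitions are outside this excerpt - confirm against them.
 *
 * If the page is not present but in swap, then the PFN contains an
 * encoding of the swap file number and the page's offset into the
 * swap. Unmapped pages return a null PFN. This allows determining
 * precisely which pages are mapped (or in swap) and comparing mapped
 * pages between processes.
 *
 * Efficient users of this interface will use /proc/pid/maps to
 * determine which areas of memory are actually mapped and llseek to
 * skip over unmapped regions.
 *
 * Security note: the entries expose physical frame numbers of the target
 * task.  The only access check visible on this path is whatever
 * mm_for_maps() performs (defined outside this excerpt).  Later mainline
 * kernels additionally hide the PFN field from readers without
 * CAP_SYS_ADMIN; treat PFN visibility as sensitive when backporting or
 * auditing this interface.
 *
 * Returns the number of bytes copied to @buf, 0 at end of the address
 * space or when @count is 0, or a negative errno:
 *   -ESRCH  the task is gone
 *   -EINVAL *ppos or @count is not a multiple of PM_ENTRY_BYTES
 *   -ENOMEM the bounce buffer could not be allocated
 *   -EFAULT copy_to_user() failed
 *   or the error carried by mm_for_maps().
 */
static ssize_t pagemap_read(struct file *file, char __user *buf,
			    size_t count, loff_t *ppos)
{
	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
	struct mm_struct *mm;
	struct pagemapread pm;
	int ret = -ESRCH;
	struct mm_walk pagemap_walk = {};
	unsigned long src;
	unsigned long svpfn;
	unsigned long start_vaddr;
	unsigned long end_vaddr;
	int copied = 0;

	if (!task)
		goto out;

	ret = -EINVAL;
	/* file position and length must both be whole entries */
	if ((*ppos % PM_ENTRY_BYTES) || (count % PM_ENTRY_BYTES))
		goto out_task;

	ret = 0;
	if (!count)
		goto out_task;

	/*
	 * Kernel-side bounce buffer sized for one PAGEMAP_WALK_SIZE window.
	 * kmalloc() does not zero it; only the first PM_ENTRY_BYTES * pm.pos
	 * bytes are ever copied out below, so stale heap contents stay in
	 * the kernel as long as pm.pos counts entries actually written
	 * (the walk callbacks that fill it are outside this function).
	 */
	pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
	pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
	ret = -ENOMEM;
	if (!pm.buffer)
		goto out_task;

	mm = mm_for_maps(task);
	/* A NULL mm yields PTR_ERR(NULL) == 0, i.e. an empty read. */
	ret = PTR_ERR(mm);
	if (!mm || IS_ERR(mm))
		goto out_free;

	pagemap_walk.pmd_entry = pagemap_pte_range;
	pagemap_walk.pte_hole = pagemap_pte_hole;
#ifdef CONFIG_HUGETLB_PAGE
	pagemap_walk.hugetlb_entry = pagemap_hugetlb_range;
#endif
	pagemap_walk.mm = mm;
	/*
	 * The page rendered this right-hand side as a mis-decoded character;
	 * the walk callbacks receive the pagemapread state, so it is &pm.
	 */
	pagemap_walk.private = &pm;

	/* Translate the file offset into the first virtual address to report. */
	src = *ppos;
	svpfn = src / PM_ENTRY_BYTES;
	start_vaddr = svpfn << PAGE_SHIFT;
	end_vaddr = TASK_SIZE_OF(task);

	/* watch out for wraparound */
	if (svpfn > TASK_SIZE_OF(task) >> PAGE_SHIFT)
		start_vaddr = end_vaddr;

	/*
	 * The odds are that this will stop walking way
	 * before end_vaddr, because the length of the
	 * user buffer is tracked in "pm", and the walk
	 * will stop when we hit the end of the buffer.
	 */
	ret = 0;
	while (count && (start_vaddr < end_vaddr)) {
		int len;
		unsigned long end;

		pm.pos = 0;
		end = (start_vaddr + PAGEMAP_WALK_SIZE) & PAGEMAP_WALK_MASK;
		/* overflow ? */
		if (end < start_vaddr || end > end_vaddr)
			end = end_vaddr;

		/*
		 * mmap_sem is held for read only around the walk and dropped
		 * before copy_to_user(), which may fault.
		 */
		down_read(&mm->mmap_sem);
		ret = walk_page_range(start_vaddr, end, &pagemap_walk);
		up_read(&mm->mmap_sem);
		start_vaddr = end;

		/* Never copy more than the caller asked for or than was filled. */
		len = min(count, PM_ENTRY_BYTES * pm.pos);
		if (copy_to_user(buf, pm.buffer, len)) {
			ret = -EFAULT;
			goto out_mm;
		}
		copied += len;
		buf += len;
		count -= len;
	}
	*ppos += copied;
	if (!ret || ret == PM_END_OF_BUFFER)
		ret = copied;

out_mm:
	mmput(mm);
out_free:
	kfree(pm.buffer);
out_task:
	put_task_struct(task);
out:
	return ret;
}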
/* File operations behind /proc/pid/pagemap: seekable, read-only. */
const struct file_operations proc_pagemap_operations = {
	.read		= pagemap_read,
	.llseek		= mem_lseek, /* borrow this */
};
|
2008-02-04 22:29:07 -08:00
|
|
|
#endif /* CONFIG_PROC_PAGE_MONITOR */
|
2008-02-04 22:29:04 -08:00
2005-09-03 15:54:45 -07:00
|
|
|
#ifdef CONFIG_NUMA
2011-05-24 17:12:47 -07:00
|
|
|
/*
 * Per-VMA page statistics for /proc/pid/numa_maps.
 * The counters are filled in by gather_stats() and printed by
 * show_numa_map(); every counter is in units of pages.
 */
struct numa_maps {
	struct vm_area_struct *vma;	/* VMA whose pages are being counted */
	unsigned long pages;		/* all pages counted */
	unsigned long anon;		/* PageAnon() pages */
	unsigned long active;		/* PageActive() or PageUnevictable() pages */
	unsigned long writeback;	/* PageWriteback() pages */
	unsigned long mapcount_max;	/* largest page_mapcount() seen */
	unsigned long dirty;		/* dirty pte or PageDirty() pages */
	unsigned long swapcache;	/* PageSwapCache() pages */
	unsigned long node[MAX_NUMNODES];	/* pages per node id */
};
2011-05-24 17:12:49 -07:00
|
|
|
/*
 * seq_file private data for numa_maps: the generic maps iterator state
 * followed by the statistics scratch area reused for every VMA shown.
 * proc_maps stays the first member (the m_start/m_next/m_stop iterator
 * is shared; presumably it treats m->private as proc_maps_private -
 * confirm before reordering).
 */
struct numa_maps_private {
	struct proc_maps_private proc_maps;
	struct numa_maps md;
};
2011-09-20 15:19:38 -07:00
|
|
|
/*
 * Account @nr_pages pages, all described by @page, into @md.
 *
 * @page:      page whose flags, mapcount and node id are sampled
 * @md:        statistics being accumulated
 * @pte_dirty: non-zero when the mapping entry itself is dirty
 * @nr_pages:  number of base pages this entry stands for
 */
static void gather_stats(struct page *page, struct numa_maps *md, int pte_dirty,
			 unsigned long nr_pages)
{
	int mapcount = page_mapcount(page);

	md->pages += nr_pages;

	/* Dirty if either the mapping entry or the page itself says so. */
	if (PageDirty(page) || pte_dirty)
		md->dirty += nr_pages;

	if (PageSwapCache(page))
		md->swapcache += nr_pages;

	/* Unevictable pages are reported together with active ones. */
	if (PageUnevictable(page) || PageActive(page))
		md->active += nr_pages;

	if (PageWriteback(page))
		md->writeback += nr_pages;

	if (PageAnon(page))
		md->anon += nr_pages;

	/* Track the most widely shared page seen so far. */
	if (md->mapcount_max < mapcount)
		md->mapcount_max = mapcount;

	md->node[page_to_nid(page)] += nr_pages;
}
2011-09-20 15:19:39 -07:00
|
|
|
/*
 * Decide whether the page mapped by @pte at @addr in @vma should be
 * counted for numa_maps.
 *
 * Returns the page, or NULL when the entry is not present, has no normal
 * page behind it, maps a reserved page, or the page's node is not set in
 * node_states[N_HIGH_MEMORY].  The last test also keeps the node id used
 * to index numa_maps.node[] within the set of nodes that show_numa_map()
 * prints.
 */
static struct page *can_gather_numa_stats(pte_t pte, struct vm_area_struct *vma,
		unsigned long addr)
{
	struct page *candidate;

	if (!pte_present(pte))
		return NULL;

	candidate = vm_normal_page(vma, addr, pte);
	if (!candidate || PageReserved(candidate))
		return NULL;

	if (!node_isset(page_to_nid(candidate), node_states[N_HIGH_MEMORY]))
		return NULL;

	return candidate;
}
2011-05-24 17:12:47 -07:00
|
|
|
/*
 * pmd_entry callback of the numa_maps page walk: account every countable
 * page mapped under @pmd in [@addr, @end) into walk->private.
 *
 * Always returns 0, so the walk continues.
 */
static int gather_pte_stats(pmd_t *pmd, unsigned long addr,
		unsigned long end, struct mm_walk *walk)
{
	struct numa_maps *md = walk->private;
	spinlock_t *ptl;
	pte_t *first_pte;
	pte_t *pte;

	/*
	 * Transparent huge page: the pmd itself is the mapping entry and is
	 * counted as HPAGE_PMD_SIZE/PAGE_SIZE base pages.  A return of 1 is
	 * followed by an unlock of mm->page_table_lock, so that is presumably
	 * the lock pmd_trans_huge_lock() took (its body is outside this
	 * excerpt).
	 */
	if (pmd_trans_huge_lock(pmd, md->vma) == 1) {
		pte_t huge_pte = *(pte_t *)pmd;
		struct page *huge_page;

		huge_page = can_gather_numa_stats(huge_pte, md->vma, addr);
		if (huge_page)
			gather_stats(huge_page, md, pte_dirty(huge_pte),
				     HPAGE_PMD_SIZE/PAGE_SIZE);
		spin_unlock(&walk->mm->page_table_lock);
		return 0;
	}

	/*
	 * This check is attributed on this page to the commit "mm: thp: fix
	 * pmd_bad() triggering in code paths holding mmap_sem read mode"
	 * (CVE-2012-1179).  As that commit describes it: a path holding
	 * mmap_sem only for read can race with a huge page fault in another
	 * thread that turns a none pmd into a transparent huge pmd.  If
	 * pmd_none_or_clear_bad() then runs on that pmd it logs "bad pmd",
	 * clears the entry and leaves the page's map count inconsistent,
	 * which later trips the BUG_ON() in __split_huge_page().  The race
	 * needs no special privileges.  The remedy described there is to
	 * evaluate one snapshot of the pmd so it cannot change under the
	 * test.  Do not walk ptes unless the pmd is a stable page-table
	 * pointer (pmd_trans_unstable() is defined outside this excerpt).
	 */
	if (pmd_trans_unstable(pmd))
		return 0;

	first_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
	do {
		struct page *page = can_gather_numa_stats(*pte, md->vma, addr);

		if (page)
			gather_stats(page, md, pte_dirty(*pte), 1);

	} while (pte++, addr += PAGE_SIZE, addr != end);
	/* Unmap/unlock with the pointer returned by the lock call, not the cursor. */
	pte_unmap_unlock(first_pte, ptl);
	return 0;
}
#ifdef CONFIG_HUGETLB_PAGE
/*
 * hugetlb_entry callback of the numa_maps page walk: count the page behind
 * a hugetlb entry.  The entry is accounted as a single page (nr_pages == 1).
 * @hmask, @addr and @end are unused.  Always returns 0.
 */
static int gather_hugetbl_stats(pte_t *pte, unsigned long hmask,
		unsigned long addr, unsigned long end, struct mm_walk *walk)
{
	struct numa_maps *md = walk->private;
	struct page *hpage;

	if (pte_none(*pte))
		return 0;

	hpage = pte_page(*pte);
	if (hpage)
		gather_stats(hpage, md, pte_dirty(*pte), 1);

	return 0;
}

#else
/* Without hugetlb support there is nothing to count. */
static int gather_hugetbl_stats(pte_t *pte, unsigned long hmask,
		unsigned long addr, unsigned long end, struct mm_walk *walk)
{
	return 0;
}
#endif
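/*
 * Display pages allocated per node and memory policy via /proc.
 *
 * seq_file ->show callback: @v is the VMA to describe, @m->private is the
 * numa_maps_private set up by numa_maps_open().  Emits one line holding
 * the VMA start address, the memory policy string, an optional
 * file=/heap/stack tag, an optional "huge" tag and the non-zero counters.
 *
 * Returns 0, or the negative value reported by mpol_to_str() when the
 * policy could not be formatted.
 */
static int show_numa_map(struct seq_file *m, void *v)
{
	struct numa_maps_private *numa_priv = m->private;
	struct proc_maps_private *proc_priv = &numa_priv->proc_maps;
	struct vm_area_struct *vma = v;
	struct numa_maps *md = &numa_priv->md;
	struct file *file = vma->vm_file;
	struct mm_struct *mm = vma->vm_mm;
	struct mm_walk walk = {};
	struct mempolicy *pol;
	int n;
	char buffer[50];

	if (!mm)
		return 0;

	/* Ensure we start with an empty set of numa_maps statistics. */
	memset(md, 0, sizeof(*md));

	md->vma = vma;

	walk.hugetlb_entry = gather_hugetbl_stats;
	walk.pmd_entry = gather_pte_stats;
	walk.private = md;
	walk.mm = mm;

	/*
	 * buffer is an uninitialised stack array that is printed with %s
	 * below.  The return value of mpol_to_str() used to be ignored here;
	 * bail out when it reports failure so that stack contents are never
	 * emitted.  (mpol_to_str() is defined outside this excerpt; a
	 * negative return is taken to mean the string was not produced.)
	 */
	pol = get_vma_policy(proc_priv->task, vma, vma->vm_start);
	n = mpol_to_str(buffer, sizeof(buffer), pol, 0);
	mpol_cond_put(pol);
	if (n < 0)
		return n;

	seq_printf(m, "%08lx %s", vma->vm_start, buffer);

	if (file) {
		seq_printf(m, " file=");
		/*
		 * Newline, tab, '=' and space are passed as the escape set, so
		 * a file name cannot forge extra fields or lines in the output.
		 */
		seq_path(m, &file->f_path, "\n\t= ");
	} else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
		seq_printf(m, " heap");
	} else if (vma->vm_start <= mm->start_stack &&
			vma->vm_end >= mm->start_stack) {
		seq_printf(m, " stack");
	}

	if (is_vm_hugetlb_page(vma))
		seq_printf(m, " huge");

	walk_page_range(vma->vm_start, vma->vm_end, &walk);

	/* Nothing counted: only the header part of the line is printed. */
	if (!md->pages)
		goto out;

	if (md->anon)
		seq_printf(m, " anon=%lu", md->anon);

	if (md->dirty)
		seq_printf(m, " dirty=%lu", md->dirty);

	if (md->pages != md->anon && md->pages != md->dirty)
		seq_printf(m, " mapped=%lu", md->pages);

	if (md->mapcount_max > 1)
		seq_printf(m, " mapmax=%lu", md->mapcount_max);

	if (md->swapcache)
		seq_printf(m, " swapcache=%lu", md->swapcache);

	if (md->active < md->pages && !is_vm_hugetlb_page(vma))
		seq_printf(m, " active=%lu", md->active);

	if (md->writeback)
		seq_printf(m, " writeback=%lu", md->writeback);

	for_each_node_state(n, N_HIGH_MEMORY)
		if (md->node[n])
			seq_printf(m, " N%d=%lu", n, md->node[n]);
out:
	seq_putc(m, '\n');

	/*
	 * Record the position only when the line fitted into the seq_file
	 * buffer; 0 is stored once the tail VMA has been shown.
	 */
	if (m->count < m->size)
		m->version = (vma != proc_priv->tail_vma) ? vma->vm_start : 0;
	return 0;
}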
|
2011-05-24 17:12:49 -07:00
2008-02-08 04:21:19 -08:00
|
|
|
/*
 * seq_file iterator for /proc/pid/numa_maps: uses the m_start/m_next/m_stop
 * iterator callbacks, with show_numa_map() formatting each VMA.
 */
static const struct seq_operations proc_pid_numa_maps_op = {
	.show	= show_numa_map,
	.start	= m_start,
	.next	= m_next,
	.stop	= m_stop,
};
|
2006-06-26 00:25:48 -07:00
/*
 * ->open for /proc/pid/numa_maps: allocate the zeroed per-open state,
 * record the target pid and attach the state to the seq_file.
 *
 * Returns 0 on success, -ENOMEM when the allocation fails, or the error
 * from seq_open().  On success the allocation is owned by the seq_file;
 * on a seq_open() failure it is freed here.
 */
static int numa_maps_open(struct inode *inode, struct file *file)
{
	struct numa_maps_private *priv;
	struct seq_file *m;
	int ret;

	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
	if (!priv)
		return -ENOMEM;

	priv->proc_maps.pid = proc_pid(inode);

	ret = seq_open(file, &proc_pid_numa_maps_op);
	if (ret) {
		/* The seq_file was not set up, so nobody else will free this. */
		kfree(priv);
		return ret;
	}

	m = file->private_data;
	m->private = priv;
	return ret;
}
2007-02-12 00:55:34 -08:00
|
|
|
/*
 * File operations behind /proc/pid/numa_maps.  Release goes through
 * seq_release_private, pairing with the m->private allocation made in
 * numa_maps_open().
 */
const struct file_operations proc_numa_maps_operations = {
	.open		= numa_maps_open,
	.release	= seq_release_private,
	.read		= seq_read,
	.llseek		= seq_lseek,
};
|
2011-05-24 17:12:47 -07:00
|
|
|
#endif /* CONFIG_NUMA */
|