1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Memory merging support.
4 *
5 * This code enables dynamic sharing of identical pages found in different
6 * memory areas, even if they are not shared by fork()
7 *
8 * Copyright (C) 2008-2009 Red Hat, Inc.
9 * Authors:
10 * Izik Eidus
11 * Andrea Arcangeli
12 * Chris Wright
13 * Hugh Dickins
14 */
15
16 #include <linux/errno.h>
17 #include <linux/mm.h>
18 #include <linux/fs.h>
19 #include <linux/mman.h>
20 #include <linux/sched.h>
21 #include <linux/sched/mm.h>
22 #include <linux/sched/coredump.h>
23 #include <linux/rwsem.h>
24 #include <linux/pagemap.h>
25 #include <linux/rmap.h>
26 #include <linux/spinlock.h>
27 #include <linux/xxhash.h>
28 #include <linux/delay.h>
29 #include <linux/kthread.h>
30 #include <linux/wait.h>
31 #include <linux/slab.h>
32 #include <linux/rbtree.h>
33 #include <linux/memory.h>
34 #include <linux/mmu_notifier.h>
35 #include <linux/swap.h>
36 #include <linux/ksm.h>
37 #include <linux/hashtable.h>
38 #include <linux/freezer.h>
39 #include <linux/oom.h>
40 #include <linux/numa.h>
41
42 #include <asm/tlbflush.h>
43 #include "internal.h"
44
45 #ifdef CONFIG_NUMA
46 #define NUMA(x) (x)
47 #define DO_NUMA(x) do { (x); } while (0)
48 #else
49 #define NUMA(x) (0)
50 #define DO_NUMA(x) do { } while (0)
51 #endif
52
53 /**
54 * DOC: Overview
55 *
56 * A few notes about the KSM scanning process,
57 * to make it easier to understand the data structures below:
58 *
59 * In order to reduce excessive scanning, KSM sorts the memory pages by their
60 * contents into a data structure that holds pointers to the pages' locations.
61 *
62 * Since the contents of the pages may change at any moment, KSM cannot just
63 * insert the pages into a normal sorted tree and expect it to find anything.
64 * Therefore KSM uses two data structures - the stable and the unstable tree.
65 *
66 * The stable tree holds pointers to all the merged pages (ksm pages), sorted
67 * by their contents. Because each such page is write-protected, searching on
68 * this tree is fully assured to be working (except when pages are unmapped),
69 * and therefore this tree is called the stable tree.
70 *
71 * The stable tree node includes information required for reverse
72 * mapping from a KSM page to virtual addresses that map this page.
73 *
74 * In order to avoid large latencies of the rmap walks on KSM pages,
75 * KSM maintains two types of nodes in the stable tree:
76 *
77 * * the regular nodes that keep the reverse mapping structures in a
78 * linked list
79 * * the "chains" that link nodes ("dups") that represent the same
80 * write protected memory content, but each "dup" corresponds to a
81 * different KSM page copy of that content
82 *
83 * Internally, the regular nodes, "dups" and "chains" are represented
84 * using the same :c:type:`struct stable_node` structure.
85 *
86 * In addition to the stable tree, KSM uses a second data structure called the
87 * unstable tree: this tree holds pointers to pages which have been found to
88 * be "unchanged for a period of time". The unstable tree sorts these pages
89 * by their contents, but since they are not write-protected, KSM cannot rely
90 * upon the unstable tree to work correctly - the unstable tree is liable to
91 * be corrupted as its contents are modified, and so it is called unstable.
92 *
93 * KSM solves this problem by several techniques:
94 *
95 * 1) The unstable tree is flushed every time KSM completes scanning all
96 * memory areas, and then the tree is rebuilt again from the beginning.
97 * 2) KSM will only insert into the unstable tree, pages whose hash value
98 * has not changed since the previous scan of all memory areas.
99 * 3) The unstable tree is a RedBlack Tree - so its balancing is based on the
100 * colors of the nodes and not on their contents, assuring that even when
101 * the tree gets "corrupted" it won't get out of balance, so scanning time
102 * remains the same (also, searching and inserting nodes in an rbtree uses
103 * the same algorithm, so we have no overhead when we flush and rebuild).
104 * 4) KSM never flushes the stable tree, which means that even if it were to
105 * take 10 attempts to find a page in the unstable tree, once it is found,
106 * it is secured in the stable tree. (When we scan a new page, we first
107 * compare it against the stable tree, and then against the unstable tree.)
108 *
109 * If the merge_across_nodes tunable is unset, then KSM maintains multiple
110 * stable trees and multiple unstable trees: one of each for each NUMA node.
111 */
112
113 /**
114 * struct mm_slot - ksm information per mm that is being scanned
115 * @link: link to the mm_slots hash list
116 * @mm_list: link into the mm_slots list, rooted in ksm_mm_head
117 * @rmap_list: head for this mm_slot's singly-linked list of rmap_items
118 * @mm: the mm that this information is valid for
119 */
120 struct mm_slot {
121 struct hlist_node link;
122 struct list_head mm_list;
123 struct rmap_item *rmap_list;
124 struct mm_struct *mm;
125 };
126
127 /**
128 * struct ksm_scan - cursor for scanning
129 * @mm_slot: the current mm_slot we are scanning
130 * @address: the next address inside that to be scanned
131 * @rmap_list: link to the next rmap to be scanned in the rmap_list
132 * @seqnr: count of completed full scans (needed when removing unstable node)
133 *
134 * There is only the one ksm_scan instance of this cursor structure.
135 */
136 struct ksm_scan {
137 struct mm_slot *mm_slot;
138 unsigned long address;
139 struct rmap_item **rmap_list;
140 unsigned long seqnr;
141 };
142
143 /**
144 * struct stable_node - node of the stable rbtree
145 * @node: rb node of this ksm page in the stable tree
146 * @head: (overlaying parent) &migrate_nodes indicates temporarily on that list
147 * @hlist_dup: linked into the stable_node->hlist with a stable_node chain
148 * @list: linked into migrate_nodes, pending placement in the proper node tree
149 * @hlist: hlist head of rmap_items using this ksm page
150 * @kpfn: page frame number of this ksm page (perhaps temporarily on wrong nid)
151 * @chain_prune_time: time of the last full garbage collection
152 * @rmap_hlist_len: number of rmap_item entries in hlist or STABLE_NODE_CHAIN
153 * @nid: NUMA node id of stable tree in which linked (may not match kpfn)
154 */
155 struct stable_node {
156 union {
157 struct rb_node node; /* when node of stable tree */
158 struct { /* when listed for migration */
159 struct list_head *head;
160 struct {
161 struct hlist_node hlist_dup;
162 struct list_head list;
163 };
164 };
165 };
166 struct hlist_head hlist;
167 union {
168 unsigned long kpfn;
169 unsigned long chain_prune_time;
170 };
171 /*
172 * STABLE_NODE_CHAIN can be any negative number in
173 * rmap_hlist_len negative range, but better not -1 to be able
174 * to reliably detect underflows.
175 */
176 #define STABLE_NODE_CHAIN -1024
177 int rmap_hlist_len;
178 #ifdef CONFIG_NUMA
179 int nid;
180 #endif
181 };
182
183 /**
184 * struct rmap_item - reverse mapping item for virtual addresses
185 * @rmap_list: next rmap_item in mm_slot's singly-linked rmap_list
186 * @anon_vma: pointer to anon_vma for this mm,address, when in stable tree
187 * @nid: NUMA node id of unstable tree in which linked (may not match page)
188 * @mm: the memory structure this rmap_item is pointing into
189 * @address: the virtual address this rmap_item tracks (+ flags in low bits)
190 * @oldchecksum: previous checksum of the page at that virtual address
191 * @node: rb node of this rmap_item in the unstable tree
192 * @head: pointer to stable_node heading this list in the stable tree
193 * @hlist: link into hlist of rmap_items hanging off that stable_node
194 */
195 struct rmap_item {
196 struct rmap_item *rmap_list;
197 union {
198 struct anon_vma *anon_vma; /* when stable */
199 #ifdef CONFIG_NUMA
200 int nid; /* when node of unstable tree */
201 #endif
202 };
203 struct mm_struct *mm;
204 unsigned long address; /* + low bits used for flags below */
205 unsigned int oldchecksum; /* when unstable */
206 union {
207 struct rb_node node; /* when node of unstable tree */
208 struct { /* when listed from stable tree */
209 struct stable_node *head;
210 struct hlist_node hlist;
211 };
212 };
213 };
214
215 #define SEQNR_MASK 0x0ff /* low bits of unstable tree seqnr */
216 #define UNSTABLE_FLAG 0x100 /* is a node of the unstable tree */
217 #define STABLE_FLAG 0x200 /* is listed from the stable tree */
218 #define KSM_FLAG_MASK (SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
219 /* to mask all the flags */
220
221 /* The stable and unstable tree heads */
222 static struct rb_root one_stable_tree[1] = { RB_ROOT };
223 static struct rb_root one_unstable_tree[1] = { RB_ROOT };
224 static struct rb_root *root_stable_tree = one_stable_tree;
225 static struct rb_root *root_unstable_tree = one_unstable_tree;
226
227 /* Recently migrated nodes of stable tree, pending proper placement */
228 static LIST_HEAD(migrate_nodes);
229 #define STABLE_NODE_DUP_HEAD ((struct list_head *)&migrate_nodes.prev)
230
231 #define MM_SLOTS_HASH_BITS 10
232 static DEFINE_HASHTABLE(mm_slots_hash, MM_SLOTS_HASH_BITS);
233
234 static struct mm_slot ksm_mm_head = {
235 .mm_list = LIST_HEAD_INIT(ksm_mm_head.mm_list),
236 };
237 static struct ksm_scan ksm_scan = {
238 .mm_slot = &ksm_mm_head,
239 };
240
241 static struct kmem_cache *rmap_item_cache;
242 static struct kmem_cache *stable_node_cache;
243 static struct kmem_cache *mm_slot_cache;
244
245 /* The number of nodes in the stable tree */
246 static unsigned long ksm_pages_shared;
247
248 /* The number of page slots additionally sharing those nodes */
249 static unsigned long ksm_pages_sharing;
250
251 /* The number of nodes in the unstable tree */
252 static unsigned long ksm_pages_unshared;
253
254 /* The number of rmap_items in use: to calculate pages_volatile */
255 static unsigned long ksm_rmap_items;
256
257 /* The number of stable_node chains */
258 static unsigned long ksm_stable_node_chains;
259
260 /* The number of stable_node dups linked to the stable_node chains */
261 static unsigned long ksm_stable_node_dups;
262
263 /* Delay in pruning stale stable_node_dups in the stable_node_chains */
264 static int ksm_stable_node_chains_prune_millisecs = 2000;
265
266 /* Maximum number of page slots sharing a stable node */
267 static int ksm_max_page_sharing = 256;
268
269 /* Number of pages ksmd should scan in one batch */
270 static unsigned int ksm_thread_pages_to_scan = 100;
271
272 /* Milliseconds ksmd should sleep between batches */
273 static unsigned int ksm_thread_sleep_millisecs = 20;
274
275 /* Checksum of an empty (zeroed) page */
276 static unsigned int zero_checksum __read_mostly;
277
278 /* Whether to merge empty (zeroed) pages with actual zero pages */
279 static bool ksm_use_zero_pages __read_mostly;
280
281 #ifdef CONFIG_NUMA
282 /* Zeroed when merging across nodes is not allowed */
283 static unsigned int ksm_merge_across_nodes = 1;
284 static int ksm_nr_node_ids = 1;
285 #else
286 #define ksm_merge_across_nodes 1U
287 #define ksm_nr_node_ids 1
288 #endif
289
290 #define KSM_RUN_STOP 0
291 #define KSM_RUN_MERGE 1
292 #define KSM_RUN_UNMERGE 2
293 #define KSM_RUN_OFFLINE 4
294 static unsigned long ksm_run = KSM_RUN_STOP;
295 static void wait_while_offlining(void);
296
297 static DECLARE_WAIT_QUEUE_HEAD(ksm_thread_wait);
298 static DECLARE_WAIT_QUEUE_HEAD(ksm_iter_wait);
299 static DEFINE_MUTEX(ksm_thread_mutex);
300 static DEFINE_SPINLOCK(ksm_mmlist_lock);
301
302 #define KSM_KMEM_CACHE(__struct, __flags) kmem_cache_create("ksm_"#__struct,\
303 sizeof(struct __struct), __alignof__(struct __struct),\
304 (__flags), NULL)
305
306 static int __init ksm_slab_init(void)
307 {
308 rmap_item_cache = KSM_KMEM_CACHE(rmap_item, 0);
309 if (!rmap_item_cache)
310 goto out;
311
312 stable_node_cache = KSM_KMEM_CACHE(stable_node, 0);
313 if (!stable_node_cache)
314 goto out_free1;
315
316 mm_slot_cache = KSM_KMEM_CACHE(mm_slot, 0);
317 if (!mm_slot_cache)
318 goto out_free2;
319
320 return 0;
321
322 out_free2:
323 kmem_cache_destroy(stable_node_cache);
324 out_free1:
325 kmem_cache_destroy(rmap_item_cache);
326 out:
327 return -ENOMEM;
328 }
329
330 static void __init ksm_slab_free(void)
331 {
332 kmem_cache_destroy(mm_slot_cache);
333 kmem_cache_destroy(stable_node_cache);
334 kmem_cache_destroy(rmap_item_cache);
335 mm_slot_cache = NULL;
336 }
337
338 static __always_inline bool is_stable_node_chain(struct stable_node *chain)
339 {
340 return chain->rmap_hlist_len == STABLE_NODE_CHAIN;
341 }
342
343 static __always_inline bool is_stable_node_dup(struct stable_node *dup)
344 {
345 return dup->head == STABLE_NODE_DUP_HEAD;
346 }
347
348 static inline void stable_node_chain_add_dup(struct stable_node *dup,
349 struct stable_node *chain)
350 {
351 VM_BUG_ON(is_stable_node_dup(dup));
352 dup->head = STABLE_NODE_DUP_HEAD;
353 VM_BUG_ON(!is_stable_node_chain(chain));
354 hlist_add_head(&dup->hlist_dup, &chain->hlist);
355 ksm_stable_node_dups++;
356 }
357
358 static inline void __stable_node_dup_del(struct stable_node *dup)
359 {
360 VM_BUG_ON(!is_stable_node_dup(dup));
361 hlist_del(&dup->hlist_dup);
362 ksm_stable_node_dups--;
363 }
364
365 static inline void stable_node_dup_del(struct stable_node *dup)
366 {
367 VM_BUG_ON(is_stable_node_chain(dup));
368 if (is_stable_node_dup(dup))
369 __stable_node_dup_del(dup);
370 else
371 rb_erase(&dup->node, root_stable_tree + NUMA(dup->nid));
372 #ifdef CONFIG_DEBUG_VM
373 dup->head = NULL;
374 #endif
375 }
376
377 static inline struct rmap_item *alloc_rmap_item(void)
378 {
379 struct rmap_item *rmap_item;
380
381 rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
382 __GFP_NORETRY | __GFP_NOWARN);
383 if (rmap_item)
384 ksm_rmap_items++;
385 return rmap_item;
386 }
387
388 static inline void free_rmap_item(struct rmap_item *rmap_item)
389 {
390 ksm_rmap_items--;
391 rmap_item->mm = NULL; /* debug safety */
392 kmem_cache_free(rmap_item_cache, rmap_item);
393 }
394
395 static inline struct stable_node *alloc_stable_node(void)
396 {
397 /*
398 * The allocation can take too long with GFP_KERNEL when memory is under
399 * pressure, which may lead to hung task warnings. Adding __GFP_HIGH
400 * grants access to memory reserves, helping to avoid this problem.
401 */
402 return kmem_cache_alloc(stable_node_cache, GFP_KERNEL | __GFP_HIGH);
403 }
404
405 static inline void free_stable_node(struct stable_node *stable_node)
406 {
407 VM_BUG_ON(stable_node->rmap_hlist_len &&
408 !is_stable_node_chain(stable_node));
409 kmem_cache_free(stable_node_cache, stable_node);
410 }
411
412 static inline struct mm_slot *alloc_mm_slot(void)
413 {
414 if (!mm_slot_cache) /* initialization failed */
415 return NULL;
416 return kmem_cache_zalloc(mm_slot_cache, GFP_KERNEL);
417 }
418
419 static inline void free_mm_slot(struct mm_slot *mm_slot)
420 {
421 kmem_cache_free(mm_slot_cache, mm_slot);
422 }
423
424 static struct mm_slot *get_mm_slot(struct mm_struct *mm)
425 {
426 struct mm_slot *slot;
427
428 hash_for_each_possible(mm_slots_hash, slot, link, (unsigned long)mm)
429 if (slot->mm == mm)
430 return slot;
431
432 return NULL;
433 }
434
435 static void insert_to_mm_slots_hash(struct mm_struct *mm,
436 struct mm_slot *mm_slot)
437 {
438 mm_slot->mm = mm;
439 hash_add(mm_slots_hash, &mm_slot->link, (unsigned long)mm);
440 }
441
442 /*
443 * ksmd, and unmerge_and_remove_all_rmap_items(), must not touch an mm's
444 * page tables after it has passed through ksm_exit() - which, if necessary,
445 * takes mmap_sem briefly to serialize against them. ksm_exit() does not set
446 * a special flag: they can just back out as soon as mm_users goes to zero.
447 * ksm_test_exit() is used throughout to make this test for exit: in some
448 * places for correctness, in some places just to avoid unnecessary work.
449 */
450 static inline bool ksm_test_exit(struct mm_struct *mm)
451 {
452 return atomic_read(&mm->mm_users) == 0;
453 }
454
455 /*
456 * We use break_ksm to break COW on a ksm page: it's a stripped down
457 *
458 * if (get_user_pages(addr, 1, 1, 1, &page, NULL) == 1)
459 * put_page(page);
460 *
461 * but taking great care only to touch a ksm page, in a VM_MERGEABLE vma,
462 * in case the application has unmapped and remapped mm,addr meanwhile.
463 * Could a ksm page appear anywhere else? Actually yes, in a VM_PFNMAP
464 * mmap of /dev/mem or /dev/kmem, where we would not want to touch it.
465 *
466 * FAULT_FLAG/FOLL_REMOTE are because we do this outside the context
467 * of the process that owns 'vma'. We also do not want to enforce
468 * protection keys here anyway.
469 */
470 static int break_ksm(struct vm_area_struct *vma, unsigned long addr)
471 {
472 struct page *page;
473 vm_fault_t ret = 0;
474
475 do {
476 cond_resched();
477 page = follow_page(vma, addr,
478 FOLL_GET | FOLL_MIGRATION | FOLL_REMOTE);
479 if (IS_ERR_OR_NULL(page))
480 break;
481 if (PageKsm(page))
482 ret = handle_mm_fault(vma, addr,
483 FAULT_FLAG_WRITE | FAULT_FLAG_REMOTE);
484 else
485 ret = VM_FAULT_WRITE;
486 put_page(page);
487 } while (!(ret & (VM_FAULT_WRITE | VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV | VM_FAULT_OOM)));
488 /*
489 * We must loop because handle_mm_fault() may back out if there's
490 * any difficulty e.g. if pte accessed bit gets updated concurrently.
491 *
492 * VM_FAULT_WRITE is what we have been hoping for: it indicates that
493 * COW has been broken, even if the vma does not permit VM_WRITE;
494 * but note that a concurrent fault might break PageKsm for us.
495 *
496 * VM_FAULT_SIGBUS could occur if we race with truncation of the
497 * backing file, which also invalidates anonymous pages: that's
498 * okay, that truncation will have unmapped the PageKsm for us.
499 *
500 * VM_FAULT_OOM: at the time of writing (late July 2009), setting
501 * aside mem_cgroup limits, VM_FAULT_OOM would only be set if the
502 * current task has TIF_MEMDIE set, and will be OOM killed on return
503 * to user; and ksmd, having no mm, would never be chosen for that.
504 *
505 * But if the mm is in a limited mem_cgroup, then the fault may fail
506 * with VM_FAULT_OOM even if the current task is not TIF_MEMDIE; and
507 * even ksmd can fail in this way - though it's usually breaking ksm
508 * just to undo a merge it made a moment before, so unlikely to oom.
509 *
510 * That's a pity: we might therefore have more kernel pages allocated
511 * than we're counting as nodes in the stable tree; but ksm_do_scan
512 * will retry to break_cow on each pass, so should recover the page
513 * in due course. The important thing is to not let VM_MERGEABLE
514 * be cleared while any such pages might remain in the area.
515 */
516 return (ret & VM_FAULT_OOM) ? -ENOMEM : 0;
517 }
518
519 static struct vm_area_struct *find_mergeable_vma(struct mm_struct *mm,
520 unsigned long addr)
521 {
522 struct vm_area_struct *vma;
523 if (ksm_test_exit(mm))
524 return NULL;
525 vma = find_vma(mm, addr);
526 if (!vma || vma->vm_start > addr)
527 return NULL;
528 if (!(vma->vm_flags & VM_MERGEABLE) || !vma->anon_vma)
529 return NULL;
530 return vma;
531 }
532
533 static void break_cow(struct rmap_item *rmap_item)
534 {
535 struct mm_struct *mm = rmap_item->mm;
536 unsigned long addr = rmap_item->address;
537 struct vm_area_struct *vma;
538
539 /*
540 * It is not an accident that whenever we want to break COW
541 * to undo, we also need to drop a reference to the anon_vma.
542 */
543 put_anon_vma(rmap_item->anon_vma);
544
545 down_read(&mm->mmap_sem);
546 vma = find_mergeable_vma(mm, addr);
547 if (vma)
548 break_ksm(vma, addr);
549 up_read(&mm->mmap_sem);
550 }
551
552 static struct page *get_mergeable_page(struct rmap_item *rmap_item)
553 {
554 struct mm_struct *mm = rmap_item->mm;
555 unsigned long addr = rmap_item->address;
556 struct vm_area_struct *vma;
557 struct page *page;
558
559 down_read(&mm->mmap_sem);
560 vma = find_mergeable_vma(mm, addr);
561 if (!vma)
562 goto out;
563
564 page = follow_page(vma, addr, FOLL_GET);
565 if (IS_ERR_OR_NULL(page))
566 goto out;
567 if (PageAnon(page)) {
568 flush_anon_page(vma, page, addr);
569 flush_dcache_page(page);
570 } else {
571 put_page(page);
572 out:
573 page = NULL;
574 }
575 up_read(&mm->mmap_sem);
576 return page;
577 }
578
579 /*
580 * This helper is used for getting right index into array of tree roots.
581 * When merge_across_nodes knob is set to 1, there are only two rb-trees for
582 * stable and unstable pages from all nodes with roots in index 0. Otherwise,
583 * every node has its own stable and unstable tree.
584 */
585 static inline int get_kpfn_nid(unsigned long kpfn)
586 {
587 return ksm_merge_across_nodes ? 0 : NUMA(pfn_to_nid(kpfn));
588 }
589
590 static struct stable_node *alloc_stable_node_chain(struct stable_node *dup,
591 struct rb_root *root)
592 {
593 struct stable_node *chain = alloc_stable_node();
594 VM_BUG_ON(is_stable_node_chain(dup));
595 if (likely(chain)) {
596 INIT_HLIST_HEAD(&chain->hlist);
597 chain->chain_prune_time = jiffies;
598 chain->rmap_hlist_len = STABLE_NODE_CHAIN;
599 #if defined (CONFIG_DEBUG_VM) && defined(CONFIG_NUMA)
600 chain->nid = NUMA_NO_NODE; /* debug */
601 #endif
602 ksm_stable_node_chains++;
603
604 /*
605 * Put the stable node chain in the first dimension of
606 * the stable tree and at the same time remove the old
607 * stable node.
608 */
609 rb_replace_node(&dup->node, &chain->node, root);
610
611 /*
612 * Move the old stable node to the second dimension
613 * queued in the hlist_dup. The invariant is that all
614 * dup stable_nodes in the chain->hlist point to pages
615 * that are wrprotected and have the exact same
616 * content.
617 */
618 stable_node_chain_add_dup(dup, chain);
619 }
620 return chain;
621 }
622
623 static inline void free_stable_node_chain(struct stable_node *chain,
624 struct rb_root *root)
625 {
626 rb_erase(&chain->node, root);
627 free_stable_node(chain);
628 ksm_stable_node_chains--;
629 }
630
631 static void remove_node_from_stable_tree(struct stable_node *stable_node)
632 {
633 struct rmap_item *rmap_item;
634
635 /* check it's not STABLE_NODE_CHAIN or negative */
636 BUG_ON(stable_node->rmap_hlist_len < 0);
637
638 hlist_for_each_entry(rmap_item, &stable_node->hlist, hlist) {
639 if (rmap_item->hlist.next)
640 ksm_pages_sharing--;
641 else
642 ksm_pages_shared--;
643 VM_BUG_ON(stable_node->rmap_hlist_len <= 0);
644 stable_node->rmap_hlist_len--;
645 put_anon_vma(rmap_item->anon_vma);
646 rmap_item->address &= PAGE_MASK;
647 cond_resched();
648 }
649
650 /*
651 * We need the second aligned pointer of the migrate_nodes
652 * list_head to stay clear from the rb_parent_color union
653 * (aligned and different than any node) and also different
654 * from &migrate_nodes. This will verify that future list.h changes
655 * don't break STABLE_NODE_DUP_HEAD. Only recent gcc can handle it.
656 */
657 #if defined(GCC_VERSION) && GCC_VERSION >= 40903
658 BUILD_BUG_ON(STABLE_NODE_DUP_HEAD <= &migrate_nodes);
659 BUILD_BUG_ON(STABLE_NODE_DUP_HEAD >= &migrate_nodes + 1);
660 #endif
661
662 if (stable_node->head == &migrate_nodes)
663 list_del(&stable_node->list);
664 else
665 stable_node_dup_del(stable_node);
666 free_stable_node(stable_node);
667 }
668
669 enum get_ksm_page_flags {
670 GET_KSM_PAGE_NOLOCK,
671 GET_KSM_PAGE_LOCK,
672 GET_KSM_PAGE_TRYLOCK
673 };
674
675 /*
676 * get_ksm_page: checks if the page indicated by the stable node
677 * is still its ksm page, despite having held no reference to it.
678 * In which case we can trust the content of the page, and it
679 * returns the gotten page; but if the page has now been zapped,
680 * remove the stale node from the stable tree and return NULL.
681 * But beware, the stable node's page might be being migrated.
682 *
683 * You would expect the stable_node to hold a reference to the ksm page.
684 * But if it increments the page's count, swapping out has to wait for
685 * ksmd to come around again before it can free the page, which may take
686 * seconds or even minutes: much too unresponsive. So instead we use a
687 * "keyhole reference": access to the ksm page from the stable node peeps
688 * out through its keyhole to see if that page still holds the right key,
689 * pointing back to this stable node. This relies on freeing a PageAnon
690 * page to reset its page->mapping to NULL, and relies on no other use of
691 * a page to put something that might look like our key in page->mapping.
692 * is on its way to being freed; but it is an anomaly to bear in mind.
693 */
694 static struct page *get_ksm_page(struct stable_node *stable_node,
695 enum get_ksm_page_flags flags)
696 {
697 struct page *page;
698 void *expected_mapping;
699 unsigned long kpfn;
700
701 expected_mapping = (void *)((unsigned long)stable_node |
702 PAGE_MAPPING_KSM);
703 again:
704 kpfn = READ_ONCE(stable_node->kpfn); /* Address dependency. */
705 page = pfn_to_page(kpfn);
706 if (READ_ONCE(page->mapping) != expected_mapping)
707 goto stale;
708
709 /*
710 * We cannot do anything with the page while its refcount is 0.
711 * Usually 0 means free, or tail of a higher-order page: in which
712 * case this node is no longer referenced, and should be freed;
713 * however, it might mean that the page is under page_ref_freeze().
714 * The __remove_mapping() case is easy, again the node is now stale;
715 * the same is in reuse_ksm_page() case; but if page is swapcache
716 * in migrate_page_move_mapping(), it might still be our page,
717 * in which case it's essential to keep the node.
718 */
719 while (!get_page_unless_zero(page)) {
720 /*
721 * Another check for page->mapping != expected_mapping would
722 * work here too. We have chosen the !PageSwapCache test to
723 * optimize the common case, when the page is or is about to
724 * be freed: PageSwapCache is cleared (under spin_lock_irq)
725 * in the ref_freeze section of __remove_mapping(); but Anon
726 * page->mapping reset to NULL later, in free_pages_prepare().
727 */
728 if (!PageSwapCache(page))
729 goto stale;
730 cpu_relax();
731 }
732
733 if (READ_ONCE(page->mapping) != expected_mapping) {
734 put_page(page);
735 goto stale;
736 }
737
738 if (flags == GET_KSM_PAGE_TRYLOCK) {
739 if (!trylock_page(page)) {
740 put_page(page);
741 return ERR_PTR(-EBUSY);
742 }
743 } else if (flags == GET_KSM_PAGE_LOCK)
744 lock_page(page);
745
746 if (flags != GET_KSM_PAGE_NOLOCK) {
747 if (READ_ONCE(page->mapping) != expected_mapping) {
748 unlock_page(page);
749 put_page(page);
750 goto stale;
751 }
752 }
753 return page;
754
755 stale:
756 /*
757 * We come here from above when page->mapping or !PageSwapCache
758 * suggests that the node is stale; but it might be under migration.
759 * We need smp_rmb(), matching the smp_wmb() in ksm_migrate_page(),
760 * before checking whether node->kpfn has been changed.
761 */
762 smp_rmb();
763 if (READ_ONCE(stable_node->kpfn) != kpfn)
764 goto again;
765 remove_node_from_stable_tree(stable_node);
766 return NULL;
767 }
768
769 /*
770 * Removing rmap_item from stable or unstable tree.
771 * This function will clean the information from the stable/unstable tree.
772 */
773 static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
774 {
775 if (rmap_item->address & STABLE_FLAG) {
776 struct stable_node *stable_node;
777 struct page *page;
778
779 stable_node = rmap_item->head;
780 page = get_ksm_page(stable_node, GET_KSM_PAGE_LOCK);
781 if (!page)
782 goto out;
783
784 hlist_del(&rmap_item->hlist);
785 unlock_page(page);
786 put_page(page);
787
788 if (!hlist_empty(&stable_node->hlist))
789 ksm_pages_sharing--;
790 else
791 ksm_pages_shared--;
792 VM_BUG_ON(stable_node->rmap_hlist_len <= 0);
793 stable_node->rmap_hlist_len--;
794
795 put_anon_vma(rmap_item->anon_vma);
796 rmap_item->address &= PAGE_MASK;
797
798 } else if (rmap_item->address & UNSTABLE_FLAG) {
799 unsigned char age;
800 /*
801 * Usually ksmd can and must skip the rb_erase, because
802 * root_unstable_tree was already reset to RB_ROOT.
803 * But be careful when an mm is exiting: do the rb_erase
804 * if this rmap_item was inserted by this scan, rather
805 * than left over from before.
806 */
807 age = (unsigned char)(ksm_scan.seqnr - rmap_item->address);
808 BUG_ON(age > 1);
809 if (!age)
810 rb_erase(&rmap_item->node,
811 root_unstable_tree + NUMA(rmap_item->nid));
812 ksm_pages_unshared--;
813 rmap_item->address &= PAGE_MASK;
814 }
815 out:
816 cond_resched(); /* we're called from many long loops */
817 }
818
819 static void remove_trailing_rmap_items(struct mm_slot *mm_slot,
820 struct rmap_item **rmap_list)
821 {
822 while (*rmap_list) {
823 struct rmap_item *rmap_item = *rmap_list;
824 *rmap_list = rmap_item->rmap_list;
825 remove_rmap_item_from_tree(rmap_item);
826 free_rmap_item(rmap_item);
827 }
828 }
829
830 /*
831 * Though it's very tempting to unmerge rmap_items from stable tree rather
832 * than check every pte of a given vma, the locking doesn't quite work for
833 * that - an rmap_item is assigned to the stable tree after inserting ksm
834 * page and upping mmap_sem. Nor does it fit with the way we skip dup'ing
835 * rmap_items from parent to child at fork time (so as not to waste time
836 * if exit comes before the next scan reaches it).
837 *
838 * Similarly, although we'd like to remove rmap_items (so updating counts
839 * and freeing memory) when unmerging an area, it's easier to leave that
840 * to the next pass of ksmd - consider, for example, how ksmd might be
841 * in cmp_and_merge_page on one of the rmap_items we would be removing.
842 */
843 static int unmerge_ksm_pages(struct vm_area_struct *vma,
844 unsigned long start, unsigned long end)
845 {
846 unsigned long addr;
847 int err = 0;
848
849 for (addr = start; addr < end && !err; addr += PAGE_SIZE) {
850 if (ksm_test_exit(vma->vm_mm))
851 break;
852 if (signal_pending(current))
853 err = -ERESTARTSYS;
854 else
855 err = break_ksm(vma, addr);
856 }
857 return err;
858 }
859
860 static inline struct stable_node *page_stable_node(struct page *page)
861 {
862 return PageKsm(page) ? page_rmapping(page) : NULL;
863 }
864
865 static inline void set_page_stable_node(struct page *page,
866 struct stable_node *stable_node)
867 {
868 page->mapping = (void *)((unsigned long)stable_node | PAGE_MAPPING_KSM);
869 }
870
871 #ifdef CONFIG_SYSFS
872 /*
873 * Only called through the sysfs control interface:
874 */
875 static int remove_stable_node(struct stable_node *stable_node)
876 {
877 struct page *page;
878 int err;
879
880 page = get_ksm_page(stable_node, GET_KSM_PAGE_LOCK);
881 if (!page) {
882 /*
883 * get_ksm_page did remove_node_from_stable_tree itself.
884 */
885 return 0;
886 }
887
888 /*
889 * Page could be still mapped if this races with __mmput() running in
890 * between ksm_exit() and exit_mmap(). Just refuse to let
891 * merge_across_nodes/max_page_sharing be switched.
892 */
893 err = -EBUSY;
894 if (!page_mapped(page)) {
895 /*
896 * The stable node did not yet appear stale to get_ksm_page(),
897 * since that allows for an unmapped ksm page to be recognized
898 * right up until it is freed; but the node is safe to remove.
899 * This page might be in a pagevec waiting to be freed,
900 * or it might be PageSwapCache (perhaps under writeback),
901 * or it might have been removed from swapcache a moment ago.
902 */
903 set_page_stable_node(page, NULL);
904 remove_node_from_stable_tree(stable_node);
905 err = 0;
906 }
907
908 unlock_page(page);
909 put_page(page);
910 return err;
911 }
912
913 static int remove_stable_node_chain(struct stable_node *stable_node,
914 struct rb_root *root)
915 {
916 struct stable_node *dup;
917 struct hlist_node *hlist_safe;
918
919 if (!is_stable_node_chain(stable_node)) {
920 VM_BUG_ON(is_stable_node_dup(stable_node));
921 if (remove_stable_node(stable_node))
922 return true;
923 else
924 return false;
925 }
926
927 hlist_for_each_entry_safe(dup, hlist_safe,
928 &stable_node->hlist, hlist_dup) {
929 VM_BUG_ON(!is_stable_node_dup(dup));
930 if (remove_stable_node(dup))
931 return true;
932 }
933 BUG_ON(!hlist_empty(&stable_node->hlist));
934 free_stable_node_chain(stable_node, root);
935 return false;
936 }
937
938 static int remove_all_stable_nodes(void)
939 {
940 struct stable_node *stable_node, *next;
941 int nid;
942 int err = 0;
943
944 for (nid = 0; nid < ksm_nr_node_ids; nid++) {
945 while (root_stable_tree[nid].rb_node) {
946 stable_node = rb_entry(root_stable_tree[nid].rb_node,
947 struct stable_node, node);
948 if (remove_stable_node_chain(stable_node,
949 root_stable_tree + nid)) {
950 err = -EBUSY;
951 break; /* proceed to next nid */
952 }
953 cond_resched();
954 }
955 }
956 list_for_each_entry_safe(stable_node, next, &migrate_nodes, list) {
957 if (remove_stable_node(stable_node))
958 err = -EBUSY;
959 cond_resched();
960 }
961 return err;
962 }
963
964 static int unmerge_and_remove_all_rmap_items(void)
965 {
966 struct mm_slot *mm_slot;
967 struct mm_struct *mm;
968 struct vm_area_struct *vma;
969 int err = 0;
970
971 spin_lock(&ksm_mmlist_lock);
972 ksm_scan.mm_slot = list_entry(ksm_mm_head.mm_list.next,
973 struct mm_slot, mm_list);
974 spin_unlock(&ksm_mmlist_lock);
975
976 for (mm_slot = ksm_scan.mm_slot;
977 mm_slot != &ksm_mm_head; mm_slot = ksm_scan.mm_slot) {
978 mm = mm_slot->mm;
979 down_read(&mm->mmap_sem);
980 for (vma = mm->mmap; vma; vma = vma->vm_next) {
981 if (ksm_test_exit(mm))
982 break;
983 if (!(vma->vm_flags & VM_MERGEABLE) || !vma->anon_vma)
984 continue;
985 err = unmerge_ksm_pages(vma,
986 vma->vm_start, vma->vm_end);
987 if (err)
988 goto error;
989 }
990
991 remove_trailing_rmap_items(mm_slot, &mm_slot->rmap_list);
992 up_read(&mm->mmap_sem);
993
994 spin_lock(&ksm_mmlist_lock);
995 ksm_scan.mm_slot = list_entry(mm_slot->mm_list.next,
996 struct mm_slot, mm_list);
997 if (ksm_test_exit(mm)) {
998 hash_del(&mm_slot->link);
999 list_del(&mm_slot->mm_list);
1000 spin_unlock(&ksm_mmlist_lock);
1001
1002 free_mm_slot(mm_slot);
1003 clear_bit(MMF_VM_MERGEABLE, &mm->flags);
1004 mmdrop(mm);
1005 } else
1006 spin_unlock(&ksm_mmlist_lock);
1007 }
1008
1009 /* Clean up stable nodes, but don't worry if some are still busy */
1010 remove_all_stable_nodes();
1011 ksm_scan.seqnr = 0;
1012 return 0;
1013
1014 error:
1015 up_read(&mm->mmap_sem);
1016 spin_lock(&ksm_mmlist_lock);
1017 ksm_scan.mm_slot = &ksm_mm_head;
1018 spin_unlock(&ksm_mmlist_lock);
1019 return err;
1020 }
1021 #endif /* CONFIG_SYSFS */
1022
1023 static u32 calc_checksum(struct page *page)
1024 {
1025 u32 checksum;
1026 void *addr = kmap_atomic(page);
1027 checksum = xxhash(addr, PAGE_SIZE, 0);
1028 kunmap_atomic(addr);
1029 return checksum;
1030 }
1031
1032 static int write_protect_page(struct vm_area_struct *vma, struct page *page,
1033 pte_t *orig_pte)
1034 {
1035 struct mm_struct *mm = vma->vm_mm;
1036 struct page_vma_mapped_walk pvmw = {
1037 .page = page,
1038 .vma = vma,
1039 };
1040 int swapped;
1041 int err = -EFAULT;
1042 struct mmu_notifier_range range;
1043
1044 pvmw.address = page_address_in_vma(page, vma);
1045 if (pvmw.address == -EFAULT)
1046 goto out;
1047
1048 BUG_ON(PageTransCompound(page));
1049
1050 mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, mm,
1051 pvmw.address,
1052 pvmw.address + PAGE_SIZE);
1053 mmu_notifier_invalidate_range_start(&range);
1054
1055 if (!page_vma_mapped_walk(&pvmw))
1056 goto out_mn;
1057 if (WARN_ONCE(!pvmw.pte, "Unexpected PMD mapping?"))
1058 goto out_unlock;
1059
1060 if (pte_write(*pvmw.pte) || pte_dirty(*pvmw.pte) ||
1061 (pte_protnone(*pvmw.pte) && pte_savedwrite(*pvmw.pte)) ||
1062 mm_tlb_flush_pending(mm)) {
1063 pte_t entry;
1064
1065 swapped = PageSwapCache(page);
1066 flush_cache_page(vma, pvmw.address, page_to_pfn(page));
1067 /*
1068 * Ok this is tricky, when get_user_pages_fast() run it doesn't
1069 * take any lock, therefore the check that we are going to make
1070 * with the pagecount against the mapcount is racey and
1071 * O_DIRECT can happen right after the check.
1072 * So we clear the pte and flush the tlb before the check
1073 * this assure us that no O_DIRECT can happen after the check
1074 * or in the middle of the check.
1075 *
1076 * No need to notify as we are downgrading page table to read
1077 * only not changing it to point to a new page.
1078 *
1079 * See Documentation/vm/mmu_notifier.rst
1080 */
1081 entry = ptep_clear_flush(vma, pvmw.address, pvmw.pte);
1082 /*
1083 * Check that no O_DIRECT or similar I/O is in progress on the
1084 * page
1085 */
1086 if (page_mapcount(page) + 1 + swapped != page_count(page)) {
1087 set_pte_at(mm, pvmw.address, pvmw.pte, entry);
1088 goto out_unlock;
1089 }
1090 if (pte_dirty(entry))
1091 set_page_dirty(page);
1092
1093 if (pte_protnone(entry))
1094 entry = pte_mkclean(pte_clear_savedwrite(entry));
1095 else
1096 entry = pte_mkclean(pte_wrprotect(entry));
1097 set_pte_at_notify(mm, pvmw.address, pvmw.pte, entry);
1098 }
1099 *orig_pte = *pvmw.pte;
1100 err = 0;
1101
1102 out_unlock:
1103 page_vma_mapped_walk_done(&pvmw);
1104 out_mn:
1105 mmu_notifier_invalidate_range_end(&range);
1106 out:
1107 return err;
1108 }
1109
1110 /**
1111 * replace_page - replace page in vma by new ksm page
1112 * @vma: vma that holds the pte pointing to page
1113 * @page: the page we are replacing by kpage
1114 * @kpage: the ksm page we replace page by
1115 * @orig_pte: the original value of the pte
1116 *
1117 * Returns 0 on success, -EFAULT on failure.
1118 */
1119 static int replace_page(struct vm_area_struct *vma, struct page *page,
1120 struct page *kpage, pte_t orig_pte)
1121 {
1122 struct mm_struct *mm = vma->vm_mm;
1123 pmd_t *pmd;
1124 pte_t *ptep;
1125 pte_t newpte;
1126 spinlock_t *ptl;
1127 unsigned long addr;
1128 int err = -EFAULT;
1129 struct mmu_notifier_range range;
1130
1131 addr = page_address_in_vma(page, vma);
1132 if (addr == -EFAULT)
1133 goto out;
1134
1135 pmd = mm_find_pmd(mm, addr);
1136 if (!pmd)
1137 goto out;
1138
1139 mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, mm, addr,
1140 addr + PAGE_SIZE);
1141 mmu_notifier_invalidate_range_start(&range);
1142
1143 ptep = pte_offset_map_lock(mm, pmd, addr, &ptl);
1144 if (!pte_same(*ptep, orig_pte)) {
1145 pte_unmap_unlock(ptep, ptl);
1146 goto out_mn;
1147 }
1148
1149 /*
1150 * No need to check ksm_use_zero_pages here: we can only have a
1151 * zero_page here if ksm_use_zero_pages was enabled alreaady.
1152 */
1153 if (!is_zero_pfn(page_to_pfn(kpage))) {
1154 get_page(kpage);
1155 page_add_anon_rmap(kpage, vma, addr, false);
1156 newpte = mk_pte(kpage, vma->vm_page_prot);
1157 } else {
1158 newpte = pte_mkspecial(pfn_pte(page_to_pfn(kpage),
1159 vma->vm_page_prot));
1160 /*
1161 * We're replacing an anonymous page with a zero page, which is
1162 * not anonymous. We need to do proper accounting otherwise we
1163 * will get wrong values in /proc, and a BUG message in dmesg
1164 * when tearing down the mm.
1165 */
1166 dec_mm_counter(mm, MM_ANONPAGES);
1167 }
1168
1169 flush_cache_page(vma, addr, pte_pfn(*ptep));
1170 /*
1171 * No need to notify as we are replacing a read only page with another
1172 * read only page with the same content.
1173 *
1174 * See Documentation/vm/mmu_notifier.rst
1175 */
1176 ptep_clear_flush(vma, addr, ptep);
1177 set_pte_at_notify(mm, addr, ptep, newpte);
1178
1179 page_remove_rmap(page, false);
1180 if (!page_mapped(page))
1181 try_to_free_swap(page);
1182 put_page(page);
1183
1184 pte_unmap_unlock(ptep, ptl);
1185 err = 0;
1186 out_mn:
1187 mmu_notifier_invalidate_range_end(&range);
1188 out:
1189 return err;
1190 }
1191
1192 /*
1193 * try_to_merge_one_page - take two pages and merge them into one
1194 * @vma: the vma that holds the pte pointing to page
1195 * @page: the PageAnon page that we want to replace with kpage
1196 * @kpage: the PageKsm page that we want to map instead of page,
1197 * or NULL the first time when we want to use page as kpage.
1198 *
1199 * This function returns 0 if the pages were merged, -EFAULT otherwise.
1200 */
1201 static int try_to_merge_one_page(struct vm_area_struct *vma,
1202 struct page *page, struct page *kpage)
1203 {
1204 pte_t orig_pte = __pte(0);
1205 int err = -EFAULT;
1206
1207 if (page == kpage) /* ksm page forked */
1208 return 0;
1209
1210 if (!PageAnon(page))
1211 goto out;
1212
1213 /*
1214 * We need the page lock to read a stable PageSwapCache in
1215 * write_protect_page(). We use trylock_page() instead of
1216 * lock_page() because we don't want to wait here - we
1217 * prefer to continue scanning and merging different pages,
1218 * then come back to this page when it is unlocked.
1219 */
1220 if (!trylock_page(page))
1221 goto out;
1222
1223 if (PageTransCompound(page)) {
1224 if (split_huge_page(page))
1225 goto out_unlock;
1226 }
1227
1228 /*
1229 * If this anonymous page is mapped only here, its pte may need
1230 * to be write-protected. If it's mapped elsewhere, all of its
1231 * ptes are necessarily already write-protected. But in either
1232 * case, we need to lock and check page_count is not raised.
1233 */
1234 if (write_protect_page(vma, page, &orig_pte) == 0) {
1235 if (!kpage) {
1236 /*
1237 * While we hold page lock, upgrade page from
1238 * PageAnon+anon_vma to PageKsm+NULL stable_node:
1239 * stable_tree_insert() will update stable_node.
1240 */
1241 set_page_stable_node(page, NULL);
1242 mark_page_accessed(page);
1243 /*
1244 * Page reclaim just frees a clean page with no dirty
1245 * ptes: make sure that the ksm page would be swapped.
1246 */
1247 if (!PageDirty(page))
1248 SetPageDirty(page);
1249 err = 0;
1250 } else if (pages_identical(page, kpage))
1251 err = replace_page(vma, page, kpage, orig_pte);
1252 }
1253
1254 if ((vma->vm_flags & VM_LOCKED) && kpage && !err) {
1255 munlock_vma_page(page);
1256 if (!PageMlocked(kpage)) {
1257 unlock_page(page);
1258 lock_page(kpage);
1259 mlock_vma_page(kpage);
1260 page = kpage; /* for final unlock */
1261 }
1262 }
1263
1264 out_unlock:
1265 unlock_page(page);
1266 out:
1267 return err;
1268 }
1269
1270 /*
1271 * try_to_merge_with_ksm_page - like try_to_merge_two_pages,
1272 * but no new kernel page is allocated: kpage must already be a ksm page.
1273 *
1274 * This function returns 0 if the pages were merged, -EFAULT otherwise.
1275 */
1276 static int try_to_merge_with_ksm_page(struct rmap_item *rmap_item,
1277 struct page *page, struct page *kpage)
1278 {
1279 struct mm_struct *mm = rmap_item->mm;
1280 struct vm_area_struct *vma;
1281 int err = -EFAULT;
1282
1283 down_read(&mm->mmap_sem);
1284 vma = find_mergeable_vma(mm, rmap_item->address);
1285 if (!vma)
1286 goto out;
1287
1288 err = try_to_merge_one_page(vma, page, kpage);
1289 if (err)
1290 goto out;
1291
1292 /* Unstable nid is in union with stable anon_vma: remove first */
1293 remove_rmap_item_from_tree(rmap_item);
1294
1295 /* Must get reference to anon_vma while still holding mmap_sem */
1296 rmap_item->anon_vma = vma->anon_vma;
1297 get_anon_vma(vma->anon_vma);
1298 out:
1299 up_read(&mm->mmap_sem);
1300 return err;
1301 }
1302
1303 /*
1304 * try_to_merge_two_pages - take two identical pages and prepare them
1305 * to be merged into one page.
1306 *
1307 * This function returns the kpage if we successfully merged two identical
1308 * pages into one ksm page, NULL otherwise.
1309 *
1310 * Note that this function upgrades page to ksm page: if one of the pages
1311 * is already a ksm page, try_to_merge_with_ksm_page should be used.
1312 */
1313 static struct page *try_to_merge_two_pages(struct rmap_item *rmap_item,
1314 struct page *page,
1315 struct rmap_item *tree_rmap_item,
1316 struct page *tree_page)
1317 {
1318 int err;
1319
1320 err = try_to_merge_with_ksm_page(rmap_item, page, NULL);
1321 if (!err) {
1322 err = try_to_merge_with_ksm_page(tree_rmap_item,
1323 tree_page, page);
1324 /*
1325 * If that fails, we have a ksm page with only one pte
1326 * pointing to it: so break it.
1327 */
1328 if (err)
1329 break_cow(rmap_item);
1330 }
1331 return err ? NULL : page;
1332 }
1333
1334 static __always_inline
1335 bool __is_page_sharing_candidate(struct stable_node *stable_node, int offset)
1336 {
1337 VM_BUG_ON(stable_node->rmap_hlist_len < 0);
1338 /*
1339 * Check that at least one mapping still exists, otherwise
1340 * there's no much point to merge and share with this
1341 * stable_node, as the underlying tree_page of the other
1342 * sharer is going to be freed soon.
1343 */
1344 return stable_node->rmap_hlist_len &&
1345 stable_node->rmap_hlist_len + offset < ksm_max_page_sharing;
1346 }
1347
1348 static __always_inline
1349 bool is_page_sharing_candidate(struct stable_node *stable_node)
1350 {
1351 return __is_page_sharing_candidate(stable_node, 0);
1352 }
1353
1354 static struct page *stable_node_dup(struct stable_node **_stable_node_dup,
1355 struct stable_node **_stable_node,
1356 struct rb_root *root,
1357 bool prune_stale_stable_nodes)
1358 {
1359 struct stable_node *dup, *found = NULL, *stable_node = *_stable_node;
1360 struct hlist_node *hlist_safe;
1361 struct page *_tree_page, *tree_page = NULL;
1362 int nr = 0;
1363 int found_rmap_hlist_len;
1364
1365 if (!prune_stale_stable_nodes ||
1366 time_before(jiffies, stable_node->chain_prune_time +
1367 msecs_to_jiffies(
1368 ksm_stable_node_chains_prune_millisecs)))
1369 prune_stale_stable_nodes = false;
1370 else
1371 stable_node->chain_prune_time = jiffies;
1372
1373 hlist_for_each_entry_safe(dup, hlist_safe,
1374 &stable_node->hlist, hlist_dup) {
1375 cond_resched();
1376 /*
1377 * We must walk all stable_node_dup to prune the stale
1378 * stable nodes during lookup.
1379 *
1380 * get_ksm_page can drop the nodes from the
1381 * stable_node->hlist if they point to freed pages
1382 * (that's why we do a _safe walk). The "dup"
1383 * stable_node parameter itself will be freed from
1384 * under us if it returns NULL.
1385 */
1386 _tree_page = get_ksm_page(dup, GET_KSM_PAGE_NOLOCK);
1387 if (!_tree_page)
1388 continue;
1389 nr += 1;
1390 if (is_page_sharing_candidate(dup)) {
1391 if (!found ||
1392 dup->rmap_hlist_len > found_rmap_hlist_len) {
1393 if (found)
1394 put_page(tree_page);
1395 found = dup;
1396 found_rmap_hlist_len = found->rmap_hlist_len;
1397 tree_page = _tree_page;
1398
1399 /* skip put_page for found dup */
1400 if (!prune_stale_stable_nodes)
1401 break;
1402 continue;
1403 }
1404 }
1405 put_page(_tree_page);
1406 }
1407
1408 if (found) {
1409 /*
1410 * nr is counting all dups in the chain only if
1411 * prune_stale_stable_nodes is true, otherwise we may
1412 * break the loop at nr == 1 even if there are
1413 * multiple entries.
1414 */
1415 if (prune_stale_stable_nodes && nr == 1) {
1416 /*
1417 * If there's not just one entry it would
1418 * corrupt memory, better BUG_ON. In KSM
1419 * context with no lock held it's not even
1420 * fatal.
1421 */
1422 BUG_ON(stable_node->hlist.first->next);
1423
1424 /*
1425 * There's just one entry and it is below the
1426 * deduplication limit so drop the chain.
1427 */
1428 rb_replace_node(&stable_node->node, &found->node,
1429 root);
1430 free_stable_node(stable_node);
1431 ksm_stable_node_chains--;
1432 ksm_stable_node_dups--;
1433 /*
1434 * NOTE: the caller depends on the stable_node
1435 * to be equal to stable_node_dup if the chain
1436 * was collapsed.
1437 */
1438 *_stable_node = found;
1439 /*
1440 * Just for robustneess as stable_node is
1441 * otherwise left as a stable pointer, the
1442 * compiler shall optimize it away at build
1443 * time.
1444 */
1445 stable_node = NULL;
1446 } else if (stable_node->hlist.first != &found->hlist_dup &&
1447 __is_page_sharing_candidate(found, 1)) {
1448 /*
1449 * If the found stable_node dup can accept one
1450 * more future merge (in addition to the one
1451 * that is underway) and is not at the head of
1452 * the chain, put it there so next search will
1453 * be quicker in the !prune_stale_stable_nodes
1454 * case.
1455 *
1456 * NOTE: it would be inaccurate to use nr > 1
1457 * instead of checking the hlist.first pointer
1458 * directly, because in the
1459 * prune_stale_stable_nodes case "nr" isn't
1460 * the position of the found dup in the chain,
1461 * but the total number of dups in the chain.
1462 */
1463 hlist_del(&found->hlist_dup);
1464 hlist_add_head(&found->hlist_dup,
1465 &stable_node->hlist);
1466 }
1467 }
1468
1469 *_stable_node_dup = found;
1470 return tree_page;
1471 }
1472
1473 static struct stable_node *stable_node_dup_any(struct stable_node *stable_node,
1474 struct rb_root *root)
1475 {
1476 if (!is_stable_node_chain(stable_node))
1477 return stable_node;
1478 if (hlist_empty(&stable_node->hlist)) {
1479 free_stable_node_chain(stable_node, root);
1480 return NULL;
1481 }
1482 return hlist_entry(stable_node->hlist.first,
1483 typeof(*stable_node), hlist_dup);
1484 }
1485
1486 /*
1487 * Like for get_ksm_page, this function can free the *_stable_node and
1488 * *_stable_node_dup if the returned tree_page is NULL.
1489 *
1490 * It can also free and overwrite *_stable_node with the found
1491 * stable_node_dup if the chain is collapsed (in which case
1492 * *_stable_node will be equal to *_stable_node_dup like if the chain
1493 * never existed). It's up to the caller to verify tree_page is not
1494 * NULL before dereferencing *_stable_node or *_stable_node_dup.
1495 *
1496 * *_stable_node_dup is really a second output parameter of this
1497 * function and will be overwritten in all cases, the caller doesn't
1498 * need to initialize it.
1499 */
1500 static struct page *__stable_node_chain(struct stable_node **_stable_node_dup,
1501 struct stable_node **_stable_node,
1502 struct rb_root *root,
1503 bool prune_stale_stable_nodes)
1504 {
1505 struct stable_node *stable_node = *_stable_node;
1506 if (!is_stable_node_chain(stable_node)) {
1507 if (is_page_sharing_candidate(stable_node)) {
1508 *_stable_node_dup = stable_node;
1509 return get_ksm_page(stable_node, GET_KSM_PAGE_NOLOCK);
1510 }
1511 /*
1512 * _stable_node_dup set to NULL means the stable_node
1513 * reached the ksm_max_page_sharing limit.
1514 */
1515 *_stable_node_dup = NULL;
1516 return NULL;
1517 }
1518 return stable_node_dup(_stable_node_dup, _stable_node, root,
1519 prune_stale_stable_nodes);
1520 }
1521
1522 static __always_inline struct page *chain_prune(struct stable_node **s_n_d,
1523 struct stable_node **s_n,
1524 struct rb_root *root)
1525 {
1526 return __stable_node_chain(s_n_d, s_n, root, true);
1527 }
1528
1529 static __always_inline struct page *chain(struct stable_node **s_n_d,
1530 struct stable_node *s_n,
1531 struct rb_root *root)
1532 {
1533 struct stable_node *old_stable_node = s_n;
1534 struct page *tree_page;
1535
1536 tree_page = __stable_node_chain(s_n_d, &s_n, root, false);
1537 /* not pruning dups so s_n cannot have changed */
1538 VM_BUG_ON(s_n != old_stable_node);
1539 return tree_page;
1540 }
1541
1542 /*
1543 * stable_tree_search - search for page inside the stable tree
1544 *
1545 * This function checks if there is a page inside the stable tree
1546 * with identical content to the page that we are scanning right now.
1547 *
1548 * This function returns the stable tree node of identical content if found,
1549 * NULL otherwise.
1550 */
1551 static struct page *stable_tree_search(struct page *page)
1552 {
1553 int nid;
1554 struct rb_root *root;
1555 struct rb_node **new;
1556 struct rb_node *parent;
1557 struct stable_node *stable_node, *stable_node_dup, *stable_node_any;
1558 struct stable_node *page_node;
1559
1560 page_node = page_stable_node(page);
1561 if (page_node && page_node->head != &migrate_nodes) {
1562 /* ksm page forked */
1563 get_page(page);
1564 return page;
1565 }
1566
1567 nid = get_kpfn_nid(page_to_pfn(page));
1568 root = root_stable_tree + nid;
1569 again:
1570 new = &root->rb_node;
1571 parent = NULL;
1572
1573 while (*new) {
1574 struct page *tree_page;
1575 int ret;
1576
1577 cond_resched();
1578 stable_node = rb_entry(*new, struct stable_node, node);
1579 stable_node_any = NULL;
1580 tree_page = chain_prune(&stable_node_dup, &stable_node, root);
1581 /*
1582 * NOTE: stable_node may have been freed by
1583 * chain_prune() if the returned stable_node_dup is
1584 * not NULL. stable_node_dup may have been inserted in
1585 * the rbtree instead as a regular stable_node (in
1586 * order to collapse the stable_node chain if a single
1587 * stable_node dup was found in it). In such case the
1588 * stable_node is overwritten by the calleee to point
1589 * to the stable_node_dup that was collapsed in the
1590 * stable rbtree and stable_node will be equal to
1591 * stable_node_dup like if the chain never existed.
1592 */
1593 if (!stable_node_dup) {
1594 /*
1595 * Either all stable_node dups were full in
1596 * this stable_node chain, or this chain was
1597 * empty and should be rb_erased.
1598 */
1599 stable_node_any = stable_node_dup_any(stable_node,
1600 root);
1601 if (!stable_node_any) {
1602 /* rb_erase just run */
1603 goto again;
1604 }
1605 /*
1606 * Take any of the stable_node dups page of
1607 * this stable_node chain to let the tree walk
1608 * continue. All KSM pages belonging to the
1609 * stable_node dups in a stable_node chain
1610 * have the same content and they're
1611 * wrprotected at all times. Any will work
1612 * fine to continue the walk.
1613 */
1614 tree_page = get_ksm_page(stable_node_any,
1615 GET_KSM_PAGE_NOLOCK);
1616 }
1617 VM_BUG_ON(!stable_node_dup ^ !!stable_node_any);
1618 if (!tree_page) {
1619 /*
1620 * If we walked over a stale stable_node,
1621 * get_ksm_page() will call rb_erase() and it
1622 * may rebalance the tree from under us. So
1623 * restart the search from scratch. Returning
1624 * NULL would be safe too, but we'd generate
1625 * false negative insertions just because some
1626 * stable_node was stale.
1627 */
1628 goto again;
1629 }
1630
1631 ret = memcmp_pages(page, tree_page);
1632 put_page(tree_page);
1633
1634 parent = *new;
1635 if (ret < 0)
1636 new = &parent->rb_left;
1637 else if (ret > 0)
1638 new = &parent->rb_right;
1639 else {
1640 if (page_node) {
1641 VM_BUG_ON(page_node->head != &migrate_nodes);
1642 /*
1643 * Test if the migrated page should be merged
1644 * into a stable node dup. If the mapcount is
1645 * 1 we can migrate it with another KSM page
1646 * without adding it to the chain.
1647 */
1648 if (page_mapcount(page) > 1)
1649 goto chain_append;
1650 }
1651
1652 if (!stable_node_dup) {
1653 /*
1654 * If the stable_node is a chain and
1655 * we got a payload match in memcmp
1656 * but we cannot merge the scanned
1657 * page in any of the existing
1658 * stable_node dups because they're
1659 * all full, we need to wait the
1660 * scanned page to find itself a match
1661 * in the unstable tree to create a
1662 * brand new KSM page to add later to
1663 * the dups of this stable_node.
1664 */
1665 return NULL;
1666 }
1667
1668 /*
1669 * Lock and unlock the stable_node's page (which
1670 * might already have been migrated) so that page
1671 * migration is sure to notice its raised count.
1672 * It would be more elegant to return stable_node
1673 * than kpage, but that involves more changes.
1674 */
1675 tree_page = get_ksm_page(stable_node_dup,
1676 GET_KSM_PAGE_TRYLOCK);
1677
1678 if (PTR_ERR(tree_page) == -EBUSY)
1679 return ERR_PTR(-EBUSY);
1680
1681 if (unlikely(!tree_page))
1682 /*
1683 * The tree may have been rebalanced,
1684 * so re-evaluate parent and new.
1685 */
1686 goto again;
1687 unlock_page(tree_page);
1688
1689 if (get_kpfn_nid(stable_node_dup->kpfn) !=
1690 NUMA(stable_node_dup->nid)) {
1691 put_page(tree_page);
1692 goto replace;
1693 }
1694 return tree_page;
1695 }
1696 }
1697
1698 if (!page_node)
1699 return NULL;
1700
1701 list_del(&page_node->list);
1702 DO_NUMA(page_node->nid = nid);
1703 rb_link_node(&page_node->node, parent, new);
1704 rb_insert_color(&page_node->node, root);
1705 out:
1706 if (is_page_sharing_candidate(page_node)) {
1707 get_page(page);
1708 return page;
1709 } else
1710 return NULL;
1711
1712 replace:
1713 /*
1714 * If stable_node was a chain and chain_prune collapsed it,
1715 * stable_node has been updated to be the new regular
1716 * stable_node. A collapse of the chain is indistinguishable
1717 * from the case there was no chain in the stable
1718 * rbtree. Otherwise stable_node is the chain and
1719 * stable_node_dup is the dup to replace.
1720 */
1721 if (stable_node_dup == stable_node) {
1722 VM_BUG_ON(is_stable_node_chain(stable_node_dup));
1723 VM_BUG_ON(is_stable_node_dup(stable_node_dup));
1724 /* there is no chain */
1725 if (page_node) {
1726 VM_BUG_ON(page_node->head != &migrate_nodes);
1727 list_del(&page_node->list);
1728 DO_NUMA(page_node->nid = nid);
1729 rb_replace_node(&stable_node_dup->node,
1730 &page_node->node,
1731 root);
1732 if (is_page_sharing_candidate(page_node))
1733 get_page(page);
1734 else
1735 page = NULL;
1736 } else {
1737 rb_erase(&stable_node_dup->node, root);
1738 page = NULL;
1739 }
1740 } else {
1741 VM_BUG_ON(!is_stable_node_chain(stable_node));
1742 __stable_node_dup_del(stable_node_dup);
1743 if (page_node) {
1744 VM_BUG_ON(page_node->head != &migrate_nodes);
1745 list_del(&page_node->list);
1746 DO_NUMA(page_node->nid = nid);
1747 stable_node_chain_add_dup(page_node, stable_node);
1748 if (is_page_sharing_candidate(page_node))
1749 get_page(page);
1750 else
1751 page = NULL;
1752 } else {
1753 page = NULL;
1754 }
1755 }
1756 stable_node_dup->head = &migrate_nodes;
1757 list_add(&stable_node_dup->list, stable_node_dup->head);
1758 return page;
1759
1760 chain_append:
1761 /* stable_node_dup could be null if it reached the limit */
1762 if (!stable_node_dup)
1763 stable_node_dup = stable_node_any;
1764 /*
1765 * If stable_node was a chain and chain_prune collapsed it,
1766 * stable_node has been updated to be the new regular
1767 * stable_node. A collapse of the chain is indistinguishable
1768 * from the case there was no chain in the stable
1769 * rbtree. Otherwise stable_node is the chain and
1770 * stable_node_dup is the dup to replace.
1771 */
1772 if (stable_node_dup == stable_node) {
1773 VM_BUG_ON(is_stable_node_chain(stable_node_dup));
1774 VM_BUG_ON(is_stable_node_dup(stable_node_dup));
1775 /* chain is missing so create it */
1776 stable_node = alloc_stable_node_chain(stable_node_dup,
1777 root);
1778 if (!stable_node)
1779 return NULL;
1780 }
1781 /*
1782 * Add this stable_node dup that was
1783 * migrated to the stable_node chain
1784 * of the current nid for this page
1785 * content.
1786 */
1787 VM_BUG_ON(!is_stable_node_chain(stable_node));
1788 VM_BUG_ON(!is_stable_node_dup(stable_node_dup));
1789 VM_BUG_ON(page_node->head != &migrate_nodes);
1790 list_del(&page_node->list);
1791 DO_NUMA(page_node->nid = nid);
1792 stable_node_chain_add_dup(page_node, stable_node);
1793 goto out;
1794 }
1795
1796 /*
1797 * stable_tree_insert - insert stable tree node pointing to new ksm page
1798 * into the stable tree.
1799 *
1800 * This function returns the stable tree node just allocated on success,
1801 * NULL otherwise.
1802 */
1803 static struct stable_node *stable_tree_insert(struct page *kpage)
1804 {
1805 int nid;
1806 unsigned long kpfn;
1807 struct rb_root *root;
1808 struct rb_node **new;
1809 struct rb_node *parent;
1810 struct stable_node *stable_node, *stable_node_dup, *stable_node_any;
1811 bool need_chain = false;
1812
1813 kpfn = page_to_pfn(kpage);
1814 nid = get_kpfn_nid(kpfn);
1815 root = root_stable_tree + nid;
1816 again:
1817 parent = NULL;
1818 new = &root->rb_node;
1819
1820 while (*new) {
1821 struct page *tree_page;
1822 int ret;
1823
1824 cond_resched();
1825 stable_node = rb_entry(*new, struct stable_node, node);
1826 stable_node_any = NULL;
1827 tree_page = chain(&stable_node_dup, stable_node, root);
1828 if (!stable_node_dup) {
1829 /*
1830 * Either all stable_node dups were full in
1831 * this stable_node chain, or this chain was
1832 * empty and should be rb_erased.
1833 */
1834 stable_node_any = stable_node_dup_any(stable_node,
1835 root);
1836 if (!stable_node_any) {
1837 /* rb_erase just run */
1838 goto again;
1839 }
1840 /*
1841 * Take any of the stable_node dups page of
1842 * this stable_node chain to let the tree walk
1843 * continue. All KSM pages belonging to the
1844 * stable_node dups in a stable_node chain
1845 * have the same content and they're
1846 * wrprotected at all times. Any will work
1847 * fine to continue the walk.
1848 */
1849 tree_page = get_ksm_page(stable_node_any,
1850 GET_KSM_PAGE_NOLOCK);
1851 }
1852 VM_BUG_ON(!stable_node_dup ^ !!stable_node_any);
1853 if (!tree_page) {
1854 /*
1855 * If we walked over a stale stable_node,
1856 * get_ksm_page() will call rb_erase() and it
1857 * may rebalance the tree from under us. So
1858 * restart the search from scratch. Returning
1859 * NULL would be safe too, but we'd generate
1860 * false negative insertions just because some
1861 * stable_node was stale.
1862 */
1863 goto again;
1864 }
1865
1866 ret = memcmp_pages(kpage, tree_page);
1867 put_page(tree_page);
1868
1869 parent = *new;
1870 if (ret < 0)
1871 new = &parent->rb_left;
1872 else if (ret > 0)
1873 new = &parent->rb_right;
1874 else {
1875 need_chain = true;
1876 break;
1877 }
1878 }
1879
1880 stable_node_dup = alloc_stable_node();
1881 if (!stable_node_dup)
1882 return NULL;
1883
1884 INIT_HLIST_HEAD(&stable_node_dup->hlist);
1885 stable_node_dup->kpfn = kpfn;
1886 set_page_stable_node(kpage, stable_node_dup);
1887 stable_node_dup->rmap_hlist_len = 0;
1888 DO_NUMA(stable_node_dup->nid = nid);
1889 if (!need_chain) {
1890 rb_link_node(&stable_node_dup->node, parent, new);
1891 rb_insert_color(&stable_node_dup->node, root);
1892 } else {
1893 if (!is_stable_node_chain(stable_node)) {
1894 struct stable_node *orig = stable_node;
1895 /* chain is missing so create it */
1896 stable_node = alloc_stable_node_chain(orig, root);
1897 if (!stable_node) {
1898 free_stable_node(stable_node_dup);
1899 return NULL;
1900 }
1901 }
1902 stable_node_chain_add_dup(stable_node_dup, stable_node);
1903 }
1904
1905 return stable_node_dup;
1906 }
1907
1908 /*
1909 * unstable_tree_search_insert - search for identical page,
1910 * else insert rmap_item into the unstable tree.
1911 *
1912 * This function searches for a page in the unstable tree identical to the
1913 * page currently being scanned; and if no identical page is found in the
1914 * tree, we insert rmap_item as a new object into the unstable tree.
1915 *
1916 * This function returns pointer to rmap_item found to be identical
1917 * to the currently scanned page, NULL otherwise.
1918 *
1919 * This function does both searching and inserting, because they share
1920 * the same walking algorithm in an rbtree.
1921 */
1922 static
1923 struct rmap_item *unstable_tree_search_insert(struct rmap_item *rmap_item,
1924 struct page *page,
1925 struct page **tree_pagep)
1926 {
1927 struct rb_node **new;
1928 struct rb_root *root;
1929 struct rb_node *parent = NULL;
1930 int nid;
1931
1932 nid = get_kpfn_nid(page_to_pfn(page));
1933 root = root_unstable_tree + nid;
1934 new = &root->rb_node;
1935
1936 while (*new) {
1937 struct rmap_item *tree_rmap_item;
1938 struct page *tree_page;
1939 int ret;
1940
1941 cond_resched();
1942 tree_rmap_item = rb_entry(*new, struct rmap_item, node);
1943 tree_page = get_mergeable_page(tree_rmap_item);
1944 if (!tree_page)
1945 return NULL;
1946
1947 /*
1948 * Don't substitute a ksm page for a forked page.
1949 */
1950 if (page == tree_page) {
1951 put_page(tree_page);
1952 return NULL;
1953 }
1954
1955 ret = memcmp_pages(page, tree_page);
1956
1957 parent = *new;
1958 if (ret < 0) {
1959 put_page(tree_page);
1960 new = &parent->rb_left;
1961 } else if (ret > 0) {
1962 put_page(tree_page);
1963 new = &parent->rb_right;
1964 } else if (!ksm_merge_across_nodes &&
1965 page_to_nid(tree_page) != nid) {
1966 /*
1967 * If tree_page has been migrated to another NUMA node,
1968 * it will be flushed out and put in the right unstable
1969 * tree next time: only merge with it when across_nodes.
1970 */
1971 put_page(tree_page);
1972 return NULL;
1973 } else {
1974 *tree_pagep = tree_page;
1975 return tree_rmap_item;
1976 }
1977 }
1978
1979 rmap_item->address |= UNSTABLE_FLAG;
1980 rmap_item->address |= (ksm_scan.seqnr & SEQNR_MASK);
1981 DO_NUMA(rmap_item->nid = nid);
1982 rb_link_node(&rmap_item->node, parent, new);
1983 rb_insert_color(&rmap_item->node, root);
1984
1985 ksm_pages_unshared++;
1986 return NULL;
1987 }
1988
1989 /*
1990 * stable_tree_append - add another rmap_item to the linked list of
1991 * rmap_items hanging off a given node of the stable tree, all sharing
1992 * the same ksm page.
1993 */
1994 static void stable_tree_append(struct rmap_item *rmap_item,
1995 struct stable_node *stable_node,
1996 bool max_page_sharing_bypass)
1997 {
1998 /*
1999 * rmap won't find this mapping if we don't insert the
2000 * rmap_item in the right stable_node
2001 * duplicate. page_migration could break later if rmap breaks,
2002 * so we can as well crash here. We really need to check for
2003 * rmap_hlist_len == STABLE_NODE_CHAIN, but we can as well check
2004 * for other negative values as an undeflow if detected here
2005 * for the first time (and not when decreasing rmap_hlist_len)
2006 * would be sign of memory corruption in the stable_node.
2007 */
2008 BUG_ON(stable_node->rmap_hlist_len < 0);
2009
2010 stable_node->rmap_hlist_len++;
2011 if (!max_page_sharing_bypass)
2012 /* possibly non fatal but unexpected overflow, only warn */
2013 WARN_ON_ONCE(stable_node->rmap_hlist_len >
2014 ksm_max_page_sharing);
2015
2016 rmap_item->head = stable_node;
2017 rmap_item->address |= STABLE_FLAG;
2018 hlist_add_head(&rmap_item->hlist, &stable_node->hlist);
2019
2020 if (rmap_item->hlist.next)
2021 ksm_pages_sharing++;
2022 else
2023 ksm_pages_shared++;
2024 }
2025
2026 /*
2027 * cmp_and_merge_page - first see if page can be merged into the stable tree;
2028 * if not, compare checksum to previous and if it's the same, see if page can
2029 * be inserted into the unstable tree, or merged with a page already there and
2030 * both transferred to the stable tree.
2031 *
2032 * @page: the page that we are searching identical page to.
2033 * @rmap_item: the reverse mapping into the virtual address of this page
2034 */
2035 static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item)
2036 {
2037 struct mm_struct *mm = rmap_item->mm;
2038 struct rmap_item *tree_rmap_item;
2039 struct page *tree_page = NULL;
2040 struct stable_node *stable_node;
2041 struct page *kpage;
2042 unsigned int checksum;
2043 int err;
2044 bool max_page_sharing_bypass = false;
2045
2046 stable_node = page_stable_node(page);
2047 if (stable_node) {
2048 if (stable_node->head != &migrate_nodes &&
2049 get_kpfn_nid(READ_ONCE(stable_node->kpfn)) !=
2050 NUMA(stable_node->nid)) {
2051 stable_node_dup_del(stable_node);
2052 stable_node->head = &migrate_nodes;
2053 list_add(&stable_node->list, stable_node->head);
2054 }
2055 if (stable_node->head != &migrate_nodes &&
2056 rmap_item->head == stable_node)
2057 return;
2058 /*
2059 * If it's a KSM fork, allow it to go over the sharing limit
2060 * without warnings.
2061 */
2062 if (!is_page_sharing_candidate(stable_node))
2063 max_page_sharing_bypass = true;
2064 }
2065
2066 /* We first start with searching the page inside the stable tree */
2067 kpage = stable_tree_search(page);
2068 if (kpage == page && rmap_item->head == stable_node) {
2069 put_page(kpage);
2070 return;
2071 }
2072
2073 remove_rmap_item_from_tree(rmap_item);
2074
2075 if (kpage) {
2076 if (PTR_ERR(kpage) == -EBUSY)
2077 return;
2078
2079 err = try_to_merge_with_ksm_page(rmap_item, page, kpage);
2080 if (!err) {
2081 /*
2082 * The page was successfully merged:
2083 * add its rmap_item to the stable tree.
2084 */
2085 lock_page(kpage);
2086 stable_tree_append(rmap_item, page_stable_node(kpage),
2087 max_page_sharing_bypass);
2088 unlock_page(kpage);
2089 }
2090 put_page(kpage);
2091 return;
2092 }
2093
2094 /*
2095 * If the hash value of the page has changed from the last time
2096 * we calculated it, this page is changing frequently: therefore we
2097 * don't want to insert it in the unstable tree, and we don't want
2098 * to waste our time searching for something identical to it there.
2099 */
2100 checksum = calc_checksum(page);
2101 if (rmap_item->oldchecksum != checksum) {
2102 rmap_item->oldchecksum = checksum;
2103 return;
2104 }
2105
2106 /*
2107 * Same checksum as an empty page. We attempt to merge it with the
2108 * appropriate zero page if the user enabled this via sysfs.
2109 */
2110 if (ksm_use_zero_pages && (checksum == zero_checksum)) {
2111 struct vm_area_struct *vma;
2112
2113 down_read(&mm->mmap_sem);
2114 vma = find_mergeable_vma(mm, rmap_item->address);
2115 if (vma) {
2116 err = try_to_merge_one_page(vma, page,
2117 ZERO_PAGE(rmap_item->address));
2118 } else {
2119 /*
2120 * If the vma is out of date, we do not need to
2121 * continue.
2122 */
2123 err = 0;
2124 }
2125 up_read(&mm->mmap_sem);
2126 /*
2127 * In case of failure, the page was not really empty, so we
2128 * need to continue. Otherwise we're done.
2129 */
2130 if (!err)
2131 return;
2132 }
2133 tree_rmap_item =
2134 unstable_tree_search_insert(rmap_item, page, &tree_page);
2135 if (tree_rmap_item) {
2136 bool split;
2137
2138 kpage = try_to_merge_two_pages(rmap_item, page,
2139 tree_rmap_item, tree_page);
2140 /*
2141 * If both pages we tried to merge belong to the same compound
2142 * page, then we actually ended up increasing the reference
2143 * count of the same compound page twice, and split_huge_page
2144 * failed.
2145 * Here we set a flag if that happened, and we use it later to
2146 * try split_huge_page again. Since we call put_page right
2147 * afterwards, the reference count will be correct and
2148 * split_huge_page should succeed.
2149 */
2150 split = PageTransCompound(page)
2151 && compound_head(page) == compound_head(tree_page);
2152 put_page(tree_page);
2153 if (kpage) {
2154 /*
2155 * The pages were successfully merged: insert new
2156 * node in the stable tree and add both rmap_items.
2157 */
2158 lock_page(kpage);
2159 stable_node = stable_tree_insert(kpage);
2160 if (stable_node) {
2161 stable_tree_append(tree_rmap_item, stable_node,
2162 false);
2163 stable_tree_append(rmap_item, stable_node,
2164 false);
2165 }
2166 unlock_page(kpage);
2167
2168 /*
2169 * If we fail to insert the page into the stable tree,
2170 * we will have 2 virtual addresses that are pointing
2171 * to a ksm page left outside the stable tree,
2172 * in which case we need to break_cow on both.
2173 */
2174 if (!stable_node) {
2175 break_cow(tree_rmap_item);
2176 break_cow(rmap_item);
2177 }
2178 } else if (split) {
2179 /*
2180 * We are here if we tried to merge two pages and
2181 * failed because they both belonged to the same
2182 * compound page. We will split the page now, but no
2183 * merging will take place.
2184 * We do not want to add the cost of a full lock; if
2185 * the page is locked, it is better to skip it and
2186 * perhaps try again later.
2187 */
2188 if (!trylock_page(page))
2189 return;
2190 split_huge_page(page);
2191 unlock_page(page);
2192 }
2193 }
2194 }
2195
2196 static struct rmap_item *get_next_rmap_item(struct mm_slot *mm_slot,
2197 struct rmap_item **rmap_list,
2198 unsigned long addr)
2199 {
2200 struct rmap_item *rmap_item;
2201
2202 while (*rmap_list) {
2203 rmap_item = *rmap_list;
2204 if ((rmap_item->address & PAGE_MASK) == addr)
2205 return rmap_item;
2206 if (rmap_item->address > addr)
2207 break;
2208 *rmap_list = rmap_item->rmap_list;
2209 remove_rmap_item_from_tree(rmap_item);
2210 free_rmap_item(rmap_item);
2211 }
2212
2213 rmap_item = alloc_rmap_item();
2214 if (rmap_item) {
2215 /* It has already been zeroed */
2216 rmap_item->mm = mm_slot->mm;
2217 rmap_item->address = addr;
2218 rmap_item->rmap_list = *rmap_list;
2219 *rmap_list = rmap_item;
2220 }
2221 return rmap_item;
2222 }
2223
2224 static struct rmap_item *scan_get_next_rmap_item(struct page **page)
2225 {
2226 struct mm_struct *mm;
2227 struct mm_slot *slot;
2228 struct vm_area_struct *vma;
2229 struct rmap_item *rmap_item;
2230 int nid;
2231
2232 if (list_empty(&ksm_mm_head.mm_list))
2233 return NULL;
2234
2235 slot = ksm_scan.mm_slot;
2236 if (slot == &ksm_mm_head) {
2237 /*
2238 * A number of pages can hang around indefinitely on per-cpu
2239 * pagevecs, raised page count preventing write_protect_page
2240 * from merging them. Though it doesn't really matter much,
2241 * it is puzzling to see some stuck in pages_volatile until
2242 * other activity jostles them out, and they also prevented
2243 * LTP's KSM test from succeeding deterministically; so drain
2244 * them here (here rather than on entry to ksm_do_scan(),
2245 * so we don't IPI too often when pages_to_scan is set low).
2246 */
2247 lru_add_drain_all();
2248
2249 /*
2250 * Whereas stale stable_nodes on the stable_tree itself
2251 * get pruned in the regular course of stable_tree_search(),
2252 * those moved out to the migrate_nodes list can accumulate:
2253 * so prune them once before each full scan.
2254 */
2255 if (!ksm_merge_across_nodes) {
2256 struct stable_node *stable_node, *next;
2257 struct page *page;
2258
2259 list_for_each_entry_safe(stable_node, next,
2260 &migrate_nodes, list) {
2261 page = get_ksm_page(stable_node,
2262 GET_KSM_PAGE_NOLOCK);
2263 if (page)
2264 put_page(page);
2265 cond_resched();
2266 }
2267 }
2268
2269 for (nid = 0; nid < ksm_nr_node_ids; nid++)
2270 root_unstable_tree[nid] = RB_ROOT;
2271
2272 spin_lock(&ksm_mmlist_lock);
2273 slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
2274 ksm_scan.mm_slot = slot;
2275 spin_unlock(&ksm_mmlist_lock);
2276 /*
2277 * Although we tested list_empty() above, a racing __ksm_exit
2278 * of the last mm on the list may have removed it since then.
2279 */
2280 if (slot == &ksm_mm_head)
2281 return NULL;
2282 next_mm:
2283 ksm_scan.address = 0;
2284 ksm_scan.rmap_list = &slot->rmap_list;
2285 }
2286
2287 mm = slot->mm;
2288 down_read(&mm->mmap_sem);
2289 if (ksm_test_exit(mm))
2290 vma = NULL;
2291 else
2292 vma = find_vma(mm, ksm_scan.address);
2293
2294 for (; vma; vma = vma->vm_next) {
2295 if (!(vma->vm_flags & VM_MERGEABLE))
2296 continue;
2297 if (ksm_scan.address < vma->vm_start)
2298 ksm_scan.address = vma->vm_start;
2299 if (!vma->anon_vma)
2300 ksm_scan.address = vma->vm_end;
2301
2302 while (ksm_scan.address < vma->vm_end) {
2303 if (ksm_test_exit(mm))
2304 break;
2305 *page = follow_page(vma, ksm_scan.address, FOLL_GET);
2306 if (IS_ERR_OR_NULL(*page)) {
2307 ksm_scan.address += PAGE_SIZE;
2308 cond_resched();
2309 continue;
2310 }
2311 if (PageAnon(*page)) {
2312 flush_anon_page(vma, *page, ksm_scan.address);
2313 flush_dcache_page(*page);
2314 rmap_item = get_next_rmap_item(slot,
2315 ksm_scan.rmap_list, ksm_scan.address);
2316 if (rmap_item) {
2317 ksm_scan.rmap_list =
2318 &rmap_item->rmap_list;
2319 ksm_scan.address += PAGE_SIZE;
2320 } else
2321 put_page(*page);
2322 up_read(&mm->mmap_sem);
2323 return rmap_item;
2324 }
2325 put_page(*page);
2326 ksm_scan.address += PAGE_SIZE;
2327 cond_resched();
2328 }
2329 }
2330
2331 if (ksm_test_exit(mm)) {
2332 ksm_scan.address = 0;
2333 ksm_scan.rmap_list = &slot->rmap_list;
2334 }
2335 /*
2336 * Nuke all the rmap_items that are above this current rmap:
2337 * because there were no VM_MERGEABLE vmas with such addresses.
2338 */
2339 remove_trailing_rmap_items(slot, ksm_scan.rmap_list);
2340
2341 spin_lock(&ksm_mmlist_lock);
2342 ksm_scan.mm_slot = list_entry(slot->mm_list.next,
2343 struct mm_slot, mm_list);
2344 if (ksm_scan.address == 0) {
2345 /*
2346 * We've completed a full scan of all vmas, holding mmap_sem
2347 * throughout, and found no VM_MERGEABLE: so do the same as
2348 * __ksm_exit does to remove this mm from all our lists now.
2349 * This applies either when cleaning up after __ksm_exit
2350 * (but beware: we can reach here even before __ksm_exit),
2351 * or when all VM_MERGEABLE areas have been unmapped (and
2352 * mmap_sem then protects against race with MADV_MERGEABLE).
2353 */
2354 hash_del(&slot->link);
2355 list_del(&slot->mm_list);
2356 spin_unlock(&ksm_mmlist_lock);
2357
2358 free_mm_slot(slot);
2359 clear_bit(MMF_VM_MERGEABLE, &mm->flags);
2360 up_read(&mm->mmap_sem);
2361 mmdrop(mm);
2362 } else {
2363 up_read(&mm->mmap_sem);
2364 /*
2365 * up_read(&mm->mmap_sem) first because after
2366 * spin_unlock(&ksm_mmlist_lock) run, the "mm" may
2367 * already have been freed under us by __ksm_exit()
2368 * because the "mm_slot" is still hashed and
2369 * ksm_scan.mm_slot doesn't point to it anymore.
2370 */
2371 spin_unlock(&ksm_mmlist_lock);
2372 }
2373
2374 /* Repeat until we've completed scanning the whole list */
2375 slot = ksm_scan.mm_slot;
2376 if (slot != &ksm_mm_head)
2377 goto next_mm;
2378
2379 ksm_scan.seqnr++;
2380 return NULL;
2381 }
2382
2383 /**
2384 * ksm_do_scan - the ksm scanner main worker function.
2385 * @scan_npages: number of pages we want to scan before we return.
2386 */
2387 static void ksm_do_scan(unsigned int scan_npages)
2388 {
2389 struct rmap_item *rmap_item;
2390 struct page *uninitialized_var(page);
2391
2392 while (scan_npages-- && likely(!freezing(current))) {
2393 cond_resched();
2394 rmap_item = scan_get_next_rmap_item(&page);
2395 if (!rmap_item)
2396 return;
2397 cmp_and_merge_page(page, rmap_item);
2398 put_page(page);
2399 }
2400 }
2401
2402 static int ksmd_should_run(void)
2403 {
2404 return (ksm_run & KSM_RUN_MERGE) && !list_empty(&ksm_mm_head.mm_list);
2405 }
2406
2407 static int ksm_scan_thread(void *nothing)
2408 {
2409 unsigned int sleep_ms;
2410
2411 set_freezable();
2412 set_user_nice(current, 5);
2413
2414 while (!kthread_should_stop()) {
2415 mutex_lock(&ksm_thread_mutex);
2416 wait_while_offlining();
2417 if (ksmd_should_run())
2418 ksm_do_scan(ksm_thread_pages_to_scan);
2419 mutex_unlock(&ksm_thread_mutex);
2420
2421 try_to_freeze();
2422
2423 if (ksmd_should_run()) {
2424 sleep_ms = READ_ONCE(ksm_thread_sleep_millisecs);
2425 wait_event_interruptible_timeout(ksm_iter_wait,
2426 sleep_ms != READ_ONCE(ksm_thread_sleep_millisecs),
2427 msecs_to_jiffies(sleep_ms));
2428 } else {
2429 wait_event_freezable(ksm_thread_wait,
2430 ksmd_should_run() || kthread_should_stop());
2431 }
2432 }
2433 return 0;
2434 }
2435
2436 int ksm_madvise(struct vm_area_struct *vma, unsigned long start,
2437 unsigned long end, int advice, unsigned long *vm_flags)
2438 {
2439 struct mm_struct *mm = vma->vm_mm;
2440 int err;
2441
2442 switch (advice) {
2443 case MADV_MERGEABLE:
2444 /*
2445 * Be somewhat over-protective for now!
2446 */
2447 if (*vm_flags & (VM_MERGEABLE | VM_SHARED | VM_MAYSHARE |
2448 VM_PFNMAP | VM_IO | VM_DONTEXPAND |
2449 VM_HUGETLB | VM_MIXEDMAP))
2450 return 0; /* just ignore the advice */
2451
2452 if (vma_is_dax(vma))
2453 return 0;
2454
2455 #ifdef VM_SAO
2456 if (*vm_flags & VM_SAO)
2457 return 0;
2458 #endif
2459 #ifdef VM_SPARC_ADI
2460 if (*vm_flags & VM_SPARC_ADI)
2461 return 0;
2462 #endif
2463
2464 if (!test_bit(MMF_VM_MERGEABLE, &mm->flags)) {
2465 err = __ksm_enter(mm);
2466 if (err)
2467 return err;
2468 }
2469
2470 *vm_flags |= VM_MERGEABLE;
2471 break;
2472
2473 case MADV_UNMERGEABLE:
2474 if (!(*vm_flags & VM_MERGEABLE))
2475 return 0; /* just ignore the advice */
2476
2477 if (vma->anon_vma) {
2478 err = unmerge_ksm_pages(vma, start, end);
2479 if (err)
2480 return err;
2481 }
2482
2483 *vm_flags &= ~VM_MERGEABLE;
2484 break;
2485 }
2486
2487 return 0;
2488 }
2489
2490 int __ksm_enter(struct mm_struct *mm)
2491 {
2492 struct mm_slot *mm_slot;
2493 int needs_wakeup;
2494
2495 mm_slot = alloc_mm_slot();
2496 if (!mm_slot)
2497 return -ENOMEM;
2498
2499 /* Check ksm_run too? Would need tighter locking */
2500 needs_wakeup = list_empty(&ksm_mm_head.mm_list);
2501
2502 spin_lock(&ksm_mmlist_lock);
2503 insert_to_mm_slots_hash(mm, mm_slot);
2504 /*
2505 * When KSM_RUN_MERGE (or KSM_RUN_STOP),
2506 * insert just behind the scanning cursor, to let the area settle
2507 * down a little; when fork is followed by immediate exec, we don't
2508 * want ksmd to waste time setting up and tearing down an rmap_list.
2509 *
2510 * But when KSM_RUN_UNMERGE, it's important to insert ahead of its
2511 * scanning cursor, otherwise KSM pages in newly forked mms will be
2512 * missed: then we might as well insert at the end of the list.
2513 */
2514 if (ksm_run & KSM_RUN_UNMERGE)
2515 list_add_tail(&mm_slot->mm_list, &ksm_mm_head.mm_list);
2516 else
2517 list_add_tail(&mm_slot->mm_list, &ksm_scan.mm_slot->mm_list);
2518 spin_unlock(&ksm_mmlist_lock);
2519
2520 set_bit(MMF_VM_MERGEABLE, &mm->flags);
2521 mmgrab(mm);
2522
2523 if (needs_wakeup)
2524 wake_up_interruptible(&ksm_thread_wait);
2525
2526 return 0;
2527 }
2528
2529 void __ksm_exit(struct mm_struct *mm)
2530 {
2531 struct mm_slot *mm_slot;
2532 int easy_to_free = 0;
2533
2534 /*
2535 * This process is exiting: if it's straightforward (as is the
2536 * case when ksmd was never running), free mm_slot immediately.
2537 * But if it's at the cursor or has rmap_items linked to it, use
2538 * mmap_sem to synchronize with any break_cows before pagetables
2539 * are freed, and leave the mm_slot on the list for ksmd to free.
2540 * Beware: ksm may already have noticed it exiting and freed the slot.
2541 */
2542
2543 spin_lock(&ksm_mmlist_lock);
2544 mm_slot = get_mm_slot(mm);
2545 if (mm_slot && ksm_scan.mm_slot != mm_slot) {
2546 if (!mm_slot->rmap_list) {
2547 hash_del(&mm_slot->link);
2548 list_del(&mm_slot->mm_list);
2549 easy_to_free = 1;
2550 } else {
2551 list_move(&mm_slot->mm_list,
2552 &ksm_scan.mm_slot->mm_list);
2553 }
2554 }
2555 spin_unlock(&ksm_mmlist_lock);
2556
2557 if (easy_to_free) {
2558 free_mm_slot(mm_slot);
2559 clear_bit(MMF_VM_MERGEABLE, &mm->flags);
2560 mmdrop(mm);
2561 } else if (mm_slot) {
2562 down_write(&mm->mmap_sem);
2563 up_write(&mm->mmap_sem);
2564 }
2565 }
2566
2567 struct page *ksm_might_need_to_copy(struct page *page,
2568 struct vm_area_struct *vma, unsigned long address)
2569 {
2570 struct anon_vma *anon_vma = page_anon_vma(page);
2571 struct page *new_page;
2572
2573 if (PageKsm(page)) {
2574 if (page_stable_node(page) &&
2575 !(ksm_run & KSM_RUN_UNMERGE))
2576 return page; /* no need to copy it */
2577 } else if (!anon_vma) {
2578 return page; /* no need to copy it */
2579 } else if (anon_vma->root == vma->anon_vma->root &&
2580 page->index == linear_page_index(vma, address)) {
2581 return page; /* still no need to copy it */
2582 }
2583 if (!PageUptodate(page))
2584 return page; /* let do_swap_page report the error */
2585
2586 new_page = alloc_page_vma(GFP_HIGHUSER_MOVABLE, vma, address);
2587 if (new_page) {
2588 copy_user_highpage(new_page, page, address, vma);
2589
2590 SetPageDirty(new_page);
2591 __SetPageUptodate(new_page);
2592 __SetPageLocked(new_page);
2593 }
2594
2595 return new_page;
2596 }
2597
2598 void rmap_walk_ksm(struct page *page, struct rmap_walk_control *rwc)
2599 {
2600 struct stable_node *stable_node;
2601 struct rmap_item *rmap_item;
2602 int search_new_forks = 0;
2603
2604 VM_BUG_ON_PAGE(!PageKsm(page), page);
2605
2606 /*
2607 * Rely on the page lock to protect against concurrent modifications
2608 * to that page's node of the stable tree.
2609 */
2610 VM_BUG_ON_PAGE(!PageLocked(page), page);
2611
2612 stable_node = page_stable_node(page);
2613 if (!stable_node)
2614 return;
2615 again:
2616 hlist_for_each_entry(rmap_item, &stable_node->hlist, hlist) {
2617 struct anon_vma *anon_vma = rmap_item->anon_vma;
2618 struct anon_vma_chain *vmac;
2619 struct vm_area_struct *vma;
2620
2621 cond_resched();
2622 anon_vma_lock_read(anon_vma);
2623 anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
2624 0, ULONG_MAX) {
2625 unsigned long addr;
2626
2627 cond_resched();
2628 vma = vmac->vma;
2629
2630 /* Ignore the stable/unstable/sqnr flags */
2631 addr = rmap_item->address & ~KSM_FLAG_MASK;
2632
2633 if (addr < vma->vm_start || addr >= vma->vm_end)
2634 continue;
2635 /*
2636 * Initially we examine only the vma which covers this
2637 * rmap_item; but later, if there is still work to do,
2638 * we examine covering vmas in other mms: in case they
2639 * were forked from the original since ksmd passed.
2640 */
2641 if ((rmap_item->mm == vma->vm_mm) == search_new_forks)
2642 continue;
2643
2644 if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
2645 continue;
2646
2647 if (!rwc->rmap_one(page, vma, addr, rwc->arg)) {
2648 anon_vma_unlock_read(anon_vma);
2649 return;
2650 }
2651 if (rwc->done && rwc->done(page)) {
2652 anon_vma_unlock_read(anon_vma);
2653 return;
2654 }
2655 }
2656 anon_vma_unlock_read(anon_vma);
2657 }
2658 if (!search_new_forks++)
2659 goto again;
2660 }
2661
2662 bool reuse_ksm_page(struct page *page,
2663 struct vm_area_struct *vma,
2664 unsigned long address)
2665 {
2666 #ifdef CONFIG_DEBUG_VM
2667 if (WARN_ON(is_zero_pfn(page_to_pfn(page))) ||
2668 WARN_ON(!page_mapped(page)) ||
2669 WARN_ON(!PageLocked(page))) {
2670 dump_page(page, "reuse_ksm_page");
2671 return false;
2672 }
2673 #endif
2674
2675 if (PageSwapCache(page) || !page_stable_node(page))
2676 return false;
2677 /* Prohibit parallel get_ksm_page() */
2678 if (!page_ref_freeze(page, 1))
2679 return false;
2680
2681 page_move_anon_rmap(page, vma);
2682 page->index = linear_page_index(vma, address);
2683 page_ref_unfreeze(page, 1);
2684
2685 return true;
2686 }
2687 #ifdef CONFIG_MIGRATION
2688 void ksm_migrate_page(struct page *newpage, struct page *oldpage)
2689 {
2690 struct stable_node *stable_node;
2691
2692 VM_BUG_ON_PAGE(!PageLocked(oldpage), oldpage);
2693 VM_BUG_ON_PAGE(!PageLocked(newpage), newpage);
2694 VM_BUG_ON_PAGE(newpage->mapping != oldpage->mapping, newpage);
2695
2696 stable_node = page_stable_node(newpage);
2697 if (stable_node) {
2698 VM_BUG_ON_PAGE(stable_node->kpfn != page_to_pfn(oldpage), oldpage);
2699 stable_node->kpfn = page_to_pfn(newpage);
2700 /*
2701 * newpage->mapping was set in advance; now we need smp_wmb()
2702 * to make sure that the new stable_node->kpfn is visible
2703 * to get_ksm_page() before it can see that oldpage->mapping
2704 * has gone stale (or that PageSwapCache has been cleared).
2705 */
2706 smp_wmb();
2707 set_page_stable_node(oldpage, NULL);
2708 }
2709 }
2710 #endif /* CONFIG_MIGRATION */
2711
2712 #ifdef CONFIG_MEMORY_HOTREMOVE
2713 static void wait_while_offlining(void)
2714 {
2715 while (ksm_run & KSM_RUN_OFFLINE) {
2716 mutex_unlock(&ksm_thread_mutex);
2717 wait_on_bit(&ksm_run, ilog2(KSM_RUN_OFFLINE),
2718 TASK_UNINTERRUPTIBLE);
2719 mutex_lock(&ksm_thread_mutex);
2720 }
2721 }
2722
2723 static bool stable_node_dup_remove_range(struct stable_node *stable_node,
2724 unsigned long start_pfn,
2725 unsigned long end_pfn)
2726 {
2727 if (stable_node->kpfn >= start_pfn &&
2728 stable_node->kpfn < end_pfn) {
2729 /*
2730 * Don't get_ksm_page, page has already gone:
2731 * which is why we keep kpfn instead of page*
2732 */
2733 remove_node_from_stable_tree(stable_node);
2734 return true;
2735 }
2736 return false;
2737 }
2738
2739 static bool stable_node_chain_remove_range(struct stable_node *stable_node,
2740 unsigned long start_pfn,
2741 unsigned long end_pfn,
2742 struct rb_root *root)
2743 {
2744 struct stable_node *dup;
2745 struct hlist_node *hlist_safe;
2746
2747 if (!is_stable_node_chain(stable_node)) {
2748 VM_BUG_ON(is_stable_node_dup(stable_node));
2749 return stable_node_dup_remove_range(stable_node, start_pfn,
2750 end_pfn);
2751 }
2752
2753 hlist_for_each_entry_safe(dup, hlist_safe,
2754 &stable_node->hlist, hlist_dup) {
2755 VM_BUG_ON(!is_stable_node_dup(dup));
2756 stable_node_dup_remove_range(dup, start_pfn, end_pfn);
2757 }
2758 if (hlist_empty(&stable_node->hlist)) {
2759 free_stable_node_chain(stable_node, root);
2760 return true; /* notify caller that tree was rebalanced */
2761 } else
2762 return false;
2763 }
2764
2765 static void ksm_check_stable_tree(unsigned long start_pfn,
2766 unsigned long end_pfn)
2767 {
2768 struct stable_node *stable_node, *next;
2769 struct rb_node *node;
2770 int nid;
2771
2772 for (nid = 0; nid < ksm_nr_node_ids; nid++) {
2773 node = rb_first(root_stable_tree + nid);
2774 while (node) {
2775 stable_node = rb_entry(node, struct stable_node, node);
2776 if (stable_node_chain_remove_range(stable_node,
2777 start_pfn, end_pfn,
2778 root_stable_tree +
2779 nid))
2780 node = rb_first(root_stable_tree + nid);
2781 else
2782 node = rb_next(node);
2783 cond_resched();
2784 }
2785 }
2786 list_for_each_entry_safe(stable_node, next, &migrate_nodes, list) {
2787 if (stable_node->kpfn >= start_pfn &&
2788 stable_node->kpfn < end_pfn)
2789 remove_node_from_stable_tree(stable_node);
2790 cond_resched();
2791 }
2792 }
2793
2794 static int ksm_memory_callback(struct notifier_block *self,
2795 unsigned long action, void *arg)
2796 {
2797 struct memory_notify *mn = arg;
2798
2799 switch (action) {
2800 case MEM_GOING_OFFLINE:
2801 /*
2802 * Prevent ksm_do_scan(), unmerge_and_remove_all_rmap_items()
2803 * and remove_all_stable_nodes() while memory is going offline:
2804 * it is unsafe for them to touch the stable tree at this time.
2805 * But unmerge_ksm_pages(), rmap lookups and other entry points
2806 * which do not need the ksm_thread_mutex are all safe.
2807 */
2808 mutex_lock(&ksm_thread_mutex);
2809 ksm_run |= KSM_RUN_OFFLINE;
2810 mutex_unlock(&ksm_thread_mutex);
2811 break;
2812
2813 case MEM_OFFLINE:
2814 /*
2815 * Most of the work is done by page migration; but there might
2816 * be a few stable_nodes left over, still pointing to struct
2817 * pages which have been offlined: prune those from the tree,
2818 * otherwise get_ksm_page() might later try to access a
2819 * non-existent struct page.
2820 */
2821 ksm_check_stable_tree(mn->start_pfn,
2822 mn->start_pfn + mn->nr_pages);
2823 /* fallthrough */
2824
2825 case MEM_CANCEL_OFFLINE:
2826 mutex_lock(&ksm_thread_mutex);
2827 ksm_run &= ~KSM_RUN_OFFLINE;
2828 mutex_unlock(&ksm_thread_mutex);
2829
2830 smp_mb(); /* wake_up_bit advises this */
2831 wake_up_bit(&ksm_run, ilog2(KSM_RUN_OFFLINE));
2832 break;
2833 }
2834 return NOTIFY_OK;
2835 }
2836 #else
2837 static void wait_while_offlining(void)
2838 {
2839 }
2840 #endif /* CONFIG_MEMORY_HOTREMOVE */
2841
2842 #ifdef CONFIG_SYSFS
2843 /*
2844 * This all compiles without CONFIG_SYSFS, but is a waste of space.
2845 */
2846
2847 #define KSM_ATTR_RO(_name) \
2848 static struct kobj_attribute _name##_attr = __ATTR_RO(_name)
2849 #define KSM_ATTR(_name) \
2850 static struct kobj_attribute _name##_attr = \
2851 __ATTR(_name, 0644, _name##_show, _name##_store)
2852
2853 static ssize_t sleep_millisecs_show(struct kobject *kobj,
2854 struct kobj_attribute *attr, char *buf)
2855 {
2856 return sprintf(buf, "%u\n", ksm_thread_sleep_millisecs);
2857 }
2858
2859 static ssize_t sleep_millisecs_store(struct kobject *kobj,
2860 struct kobj_attribute *attr,
2861 const char *buf, size_t count)
2862 {
2863 unsigned long msecs;
2864 int err;
2865
2866 err = kstrtoul(buf, 10, &msecs);
2867 if (err || msecs > UINT_MAX)
2868 return -EINVAL;
2869
2870 ksm_thread_sleep_millisecs = msecs;
2871 wake_up_interruptible(&ksm_iter_wait);
2872
2873 return count;
2874 }
2875 KSM_ATTR(sleep_millisecs);
2876
2877 static ssize_t pages_to_scan_show(struct kobject *kobj,
2878 struct kobj_attribute *attr, char *buf)
2879 {
2880 return sprintf(buf, "%u\n", ksm_thread_pages_to_scan);
2881 }
2882
2883 static ssize_t pages_to_scan_store(struct kobject *kobj,
2884 struct kobj_attribute *attr,
2885 const char *buf, size_t count)
2886 {
2887 int err;
2888 unsigned long nr_pages;
2889
2890 err = kstrtoul(buf, 10, &nr_pages);
2891 if (err || nr_pages > UINT_MAX)
2892 return -EINVAL;
2893
2894 ksm_thread_pages_to_scan = nr_pages;
2895
2896 return count;
2897 }
2898 KSM_ATTR(pages_to_scan);
2899
2900 static ssize_t run_show(struct kobject *kobj, struct kobj_attribute *attr,
2901 char *buf)
2902 {
2903 return sprintf(buf, "%lu\n", ksm_run);
2904 }
2905
2906 static ssize_t run_store(struct kobject *kobj, struct kobj_attribute *attr,
2907 const char *buf, size_t count)
2908 {
2909 int err;
2910 unsigned long flags;
2911
2912 err = kstrtoul(buf, 10, &flags);
2913 if (err || flags > UINT_MAX)
2914 return -EINVAL;
2915 if (flags > KSM_RUN_UNMERGE)
2916 return -EINVAL;
2917
2918 /*
2919 * KSM_RUN_MERGE sets ksmd running, and 0 stops it running.
2920 * KSM_RUN_UNMERGE stops it running and unmerges all rmap_items,
2921 * breaking COW to free the pages_shared (but leaves mm_slots
2922 * on the list for when ksmd may be set running again).
2923 */
2924
2925 mutex_lock(&ksm_thread_mutex);
2926 wait_while_offlining();
2927 if (ksm_run != flags) {
2928 ksm_run = flags;
2929 if (flags & KSM_RUN_UNMERGE) {
2930 set_current_oom_origin();
2931 err = unmerge_and_remove_all_rmap_items();
2932 clear_current_oom_origin();
2933 if (err) {
2934 ksm_run = KSM_RUN_STOP;
2935 count = err;
2936 }
2937 }
2938 }
2939 mutex_unlock(&ksm_thread_mutex);
2940
2941 if (flags & KSM_RUN_MERGE)
2942 wake_up_interruptible(&ksm_thread_wait);
2943
2944 return count;
2945 }
2946 KSM_ATTR(run);
2947
2948 #ifdef CONFIG_NUMA
2949 static ssize_t merge_across_nodes_show(struct kobject *kobj,
2950 struct kobj_attribute *attr, char *buf)
2951 {
2952 return sprintf(buf, "%u\n", ksm_merge_across_nodes);
2953 }
2954
2955 static ssize_t merge_across_nodes_store(struct kobject *kobj,
2956 struct kobj_attribute *attr,
2957 const char *buf, size_t count)
2958 {
2959 int err;
2960 unsigned long knob;
2961
2962 err = kstrtoul(buf, 10, &knob);
2963 if (err)
2964 return err;
2965 if (knob > 1)
2966 return -EINVAL;
2967
2968 mutex_lock(&ksm_thread_mutex);
2969 wait_while_offlining();
2970 if (ksm_merge_across_nodes != knob) {
2971 if (ksm_pages_shared || remove_all_stable_nodes())
2972 err = -EBUSY;
2973 else if (root_stable_tree == one_stable_tree) {
2974 struct rb_root *buf;
2975 /*
2976 * This is the first time that we switch away from the
2977 * default of merging across nodes: must now allocate
2978 * a buffer to hold as many roots as may be needed.
2979 * Allocate stable and unstable together:
2980 * MAXSMP NODES_SHIFT 10 will use 16kB.
2981 */
2982 buf = kcalloc(nr_node_ids + nr_node_ids, sizeof(*buf),
2983 GFP_KERNEL);
2984 /* Let us assume that RB_ROOT is NULL is zero */
2985 if (!buf)
2986 err = -ENOMEM;
2987 else {
2988 root_stable_tree = buf;
2989 root_unstable_tree = buf + nr_node_ids;
2990 /* Stable tree is empty but not the unstable */
2991 root_unstable_tree[0] = one_unstable_tree[0];
2992 }
2993 }
2994 if (!err) {
2995 ksm_merge_across_nodes = knob;
2996 ksm_nr_node_ids = knob ? 1 : nr_node_ids;
2997 }
2998 }
2999 mutex_unlock(&ksm_thread_mutex);
3000
3001 return err ? err : count;
3002 }
3003 KSM_ATTR(merge_across_nodes);
3004 #endif
3005
3006 static ssize_t use_zero_pages_show(struct kobject *kobj,
3007 struct kobj_attribute *attr, char *buf)
3008 {
3009 return sprintf(buf, "%u\n", ksm_use_zero_pages);
3010 }
3011 static ssize_t use_zero_pages_store(struct kobject *kobj,
3012 struct kobj_attribute *attr,
3013 const char *buf, size_t count)
3014 {
3015 int err;
3016 bool value;
3017
3018 err = kstrtobool(buf, &value);
3019 if (err)
3020 return -EINVAL;
3021
3022 ksm_use_zero_pages = value;
3023
3024 return count;
3025 }
3026 KSM_ATTR(use_zero_pages);
3027
3028 static ssize_t max_page_sharing_show(struct kobject *kobj,
3029 struct kobj_attribute *attr, char *buf)
3030 {
3031 return sprintf(buf, "%u\n", ksm_max_page_sharing);
3032 }
3033
3034 static ssize_t max_page_sharing_store(struct kobject *kobj,
3035 struct kobj_attribute *attr,
3036 const char *buf, size_t count)
3037 {
3038 int err;
3039 int knob;
3040
3041 err = kstrtoint(buf, 10, &knob);
3042 if (err)
3043 return err;
3044 /*
3045 * When a KSM page is created it is shared by 2 mappings. This
3046 * being a signed comparison, it implicitly verifies it's not
3047 * negative.
3048 */
3049 if (knob < 2)
3050 return -EINVAL;
3051
3052 if (READ_ONCE(ksm_max_page_sharing) == knob)
3053 return count;
3054
3055 mutex_lock(&ksm_thread_mutex);
3056 wait_while_offlining();
3057 if (ksm_max_page_sharing != knob) {
3058 if (ksm_pages_shared || remove_all_stable_nodes())
3059 err = -EBUSY;
3060 else
3061 ksm_max_page_sharing = knob;
3062 }
3063 mutex_unlock(&ksm_thread_mutex);
3064
3065 return err ? err : count;
3066 }
3067 KSM_ATTR(max_page_sharing);
3068
3069 static ssize_t pages_shared_show(struct kobject *kobj,
3070 struct kobj_attribute *attr, char *buf)
3071 {
3072 return sprintf(buf, "%lu\n", ksm_pages_shared);
3073 }
3074 KSM_ATTR_RO(pages_shared);
3075
3076 static ssize_t pages_sharing_show(struct kobject *kobj,
3077 struct kobj_attribute *attr, char *buf)
3078 {
3079 return sprintf(buf, "%lu\n", ksm_pages_sharing);
3080 }
3081 KSM_ATTR_RO(pages_sharing);
3082
3083 static ssize_t pages_unshared_show(struct kobject *kobj,
3084 struct kobj_attribute *attr, char *buf)
3085 {
3086 return sprintf(buf, "%lu\n", ksm_pages_unshared);
3087 }
3088 KSM_ATTR_RO(pages_unshared);
3089
3090 static ssize_t pages_volatile_show(struct kobject *kobj,
3091 struct kobj_attribute *attr, char *buf)
3092 {
3093 long ksm_pages_volatile;
3094
3095 ksm_pages_volatile = ksm_rmap_items - ksm_pages_shared
3096 - ksm_pages_sharing - ksm_pages_unshared;
3097 /*
3098 * It was not worth any locking to calculate that statistic,
3099 * but it might therefore sometimes be negative: conceal that.
3100 */
3101 if (ksm_pages_volatile < 0)
3102 ksm_pages_volatile = 0;
3103 return sprintf(buf, "%ld\n", ksm_pages_volatile);
3104 }
3105 KSM_ATTR_RO(pages_volatile);
3106
3107 static ssize_t stable_node_dups_show(struct kobject *kobj,
3108 struct kobj_attribute *attr, char *buf)
3109 {
3110 return sprintf(buf, "%lu\n", ksm_stable_node_dups);
3111 }
3112 KSM_ATTR_RO(stable_node_dups);
3113
3114 static ssize_t stable_node_chains_show(struct kobject *kobj,
3115 struct kobj_attribute *attr, char *buf)
3116 {
3117 return sprintf(buf, "%lu\n", ksm_stable_node_chains);
3118 }
3119 KSM_ATTR_RO(stable_node_chains);
3120
3121 static ssize_t
3122 stable_node_chains_prune_millisecs_show(struct kobject *kobj,
3123 struct kobj_attribute *attr,
3124 char *buf)
3125 {
3126 return sprintf(buf, "%u\n", ksm_stable_node_chains_prune_millisecs);
3127 }
3128
3129 static ssize_t
3130 stable_node_chains_prune_millisecs_store(struct kobject *kobj,
3131 struct kobj_attribute *attr,
3132 const char *buf, size_t count)
3133 {
3134 unsigned long msecs;
3135 int err;
3136
3137 err = kstrtoul(buf, 10, &msecs);
3138 if (err || msecs > UINT_MAX)
3139 return -EINVAL;
3140
3141 ksm_stable_node_chains_prune_millisecs = msecs;
3142
3143 return count;
3144 }
3145 KSM_ATTR(stable_node_chains_prune_millisecs);
3146
3147 static ssize_t full_scans_show(struct kobject *kobj,
3148 struct kobj_attribute *attr, char *buf)
3149 {
3150 return sprintf(buf, "%lu\n", ksm_scan.seqnr);
3151 }
3152 KSM_ATTR_RO(full_scans);
3153
3154 static struct attribute *ksm_attrs[] = {
3155 &sleep_millisecs_attr.attr,
3156 &pages_to_scan_attr.attr,
3157 &run_attr.attr,
3158 &pages_shared_attr.attr,
3159 &pages_sharing_attr.attr,
3160 &pages_unshared_attr.attr,
3161 &pages_volatile_attr.attr,
3162 &full_scans_attr.attr,
3163 #ifdef CONFIG_NUMA
3164 &merge_across_nodes_attr.attr,
3165 #endif
3166 &max_page_sharing_attr.attr,
3167 &stable_node_chains_attr.attr,
3168 &stable_node_dups_attr.attr,
3169 &stable_node_chains_prune_millisecs_attr.attr,
3170 &use_zero_pages_attr.attr,
3171 NULL,
3172 };
3173
3174 static const struct attribute_group ksm_attr_group = {
3175 .attrs = ksm_attrs,
3176 .name = "ksm",
3177 };
3178 #endif /* CONFIG_SYSFS */
3179
3180 static int __init ksm_init(void)
3181 {
3182 struct task_struct *ksm_thread;
3183 int err;
3184
3185 /* The correct value depends on page size and endianness */
3186 zero_checksum = calc_checksum(ZERO_PAGE(0));
3187 /* Default to false for backwards compatibility */
3188 ksm_use_zero_pages = false;
3189
3190 err = ksm_slab_init();
3191 if (err)
3192 goto out;
3193
3194 ksm_thread = kthread_run(ksm_scan_thread, NULL, "ksmd");
3195 if (IS_ERR(ksm_thread)) {
3196 pr_err("ksm: creating kthread failed\n");
3197 err = PTR_ERR(ksm_thread);
3198 goto out_free;
3199 }
3200
3201 #ifdef CONFIG_SYSFS
3202 err = sysfs_create_group(mm_kobj, &ksm_attr_group);
3203 if (err) {
3204 pr_err("ksm: register sysfs failed\n");
3205 kthread_stop(ksm_thread);
3206 goto out_free;
3207 }
3208 #else
3209 ksm_run = KSM_RUN_MERGE; /* no way for user to start it */
3210
3211 #endif /* CONFIG_SYSFS */
3212
3213 #ifdef CONFIG_MEMORY_HOTREMOVE
3214 /* There is no significance to this priority 100 */
3215 hotplug_memory_notifier(ksm_memory_callback, 100);
3216 #endif
3217 return 0;
3218
3219 out_free:
3220 ksm_slab_free();
3221 out:
3222 return err;
3223 }
3224 subsys_initcall(ksm_init);