1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * mm/userfaultfd.c 4 * 5 * Copyright (C) 2015 Red Hat, Inc. 6 */ 7 8 #include <linux/mm.h> 9 #include <linux/sched/signal.h> 10 #include <linux/pagemap.h> 11 #include <linux/rmap.h> 12 #include <linux/swap.h> 13 #include <linux/swapops.h> 14 #include <linux/userfaultfd_k.h> 15 #include <linux/mmu_notifier.h> 16 #include <linux/hugetlb.h> 17 #include <linux/shmem_fs.h> 18 #include <asm/tlbflush.h> 19 #include "internal.h" 20 21 static __always_inline 22 struct vm_area_struct *find_dst_vma(struct mm_struct *dst_mm, 23 unsigned long dst_start, 24 unsigned long len) 25 { 26 /* 27 * Make sure that the dst range is both valid and fully within a 28 * single existing vma. 29 */ 30 struct vm_area_struct *dst_vma; 31 32 dst_vma = find_vma(dst_mm, dst_start); 33 if (!dst_vma) 34 return NULL; 35 36 if (dst_start < dst_vma->vm_start || 37 dst_start + len > dst_vma->vm_end) 38 return NULL; 39 40 /* 41 * Check the vma is registered in uffd, this is required to 42 * enforce the VM_MAYWRITE check done at uffd registration 43 * time. 44 */ 45 if (!dst_vma->vm_userfaultfd_ctx.ctx) 46 return NULL; 47 48 return dst_vma; 49 } 50 51 /* 52 * Install PTEs, to map dst_addr (within dst_vma) to page. 53 * 54 * This function handles both MCOPY_ATOMIC_NORMAL and _CONTINUE for both shmem 55 * and anon, and for both shared and private VMAs. 56 */ 57 int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd, 58 struct vm_area_struct *dst_vma, 59 unsigned long dst_addr, struct page *page, 60 bool newly_allocated, bool wp_copy) 61 { 62 int ret; 63 pte_t _dst_pte, *dst_pte; 64 bool writable = dst_vma->vm_flags & VM_WRITE; 65 bool vm_shared = dst_vma->vm_flags & VM_SHARED; 66 bool page_in_cache = page->mapping; 67 spinlock_t *ptl; 68 struct inode *inode; 69 pgoff_t offset, max_off; 70 71 _dst_pte = mk_pte(page, dst_vma->vm_page_prot); 72 _dst_pte = pte_mkdirty(_dst_pte); 73 if (page_in_cache && !vm_shared) 74 writable = false; 75 if (writable) { 76 if (wp_copy) 77 _dst_pte = pte_mkuffd_wp(_dst_pte); 78 else 79 _dst_pte = pte_mkwrite(_dst_pte); 80 } 81 82 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); 83 84 if (vma_is_shmem(dst_vma)) { 85 /* serialize against truncate with the page table lock */ 86 inode = dst_vma->vm_file->f_inode; 87 offset = linear_page_index(dst_vma, dst_addr); 88 max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); 89 ret = -EFAULT; 90 if (unlikely(offset >= max_off)) 91 goto out_unlock; 92 } 93 94 ret = -EEXIST; 95 if (!pte_none(*dst_pte)) 96 goto out_unlock; 97 98 if (page_in_cache) 99 page_add_file_rmap(page, false); 100 else 101 page_add_new_anon_rmap(page, dst_vma, dst_addr, false); 102 103 /* 104 * Must happen after rmap, as mm_counter() checks mapping (via 105 * PageAnon()), which is set by __page_set_anon_rmap(). 106 */ 107 inc_mm_counter(dst_mm, mm_counter(page)); 108 109 if (newly_allocated) 110 lru_cache_add_inactive_or_unevictable(page, dst_vma); 111 112 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte); 113 114 /* No need to invalidate - it was non-present before */ 115 update_mmu_cache(dst_vma, dst_addr, dst_pte); 116 ret = 0; 117 out_unlock: 118 pte_unmap_unlock(dst_pte, ptl); 119 return ret; 120 } 121 122 static int mcopy_atomic_pte(struct mm_struct *dst_mm, 123 pmd_t *dst_pmd, 124 struct vm_area_struct *dst_vma, 125 unsigned long dst_addr, 126 unsigned long src_addr, 127 struct page **pagep, 128 bool wp_copy) 129 { 130 void *page_kaddr; 131 int ret; 132 struct page *page; 133 134 if (!*pagep) { 135 ret = -ENOMEM; 136 page = alloc_page_vma(GFP_HIGHUSER_MOVABLE, dst_vma, dst_addr); 137 if (!page) 138 goto out; 139 140 page_kaddr = kmap_atomic(page); 141 ret = copy_from_user(page_kaddr, 142 (const void __user *) src_addr, 143 PAGE_SIZE); 144 kunmap_atomic(page_kaddr); 145 146 /* fallback to copy_from_user outside mmap_lock */ 147 if (unlikely(ret)) { 148 ret = -ENOENT; 149 *pagep = page; 150 /* don't free the page */ 151 goto out; 152 } 153 154 flush_dcache_page(page); 155 } else { 156 page = *pagep; 157 *pagep = NULL; 158 } 159 160 /* 161 * The memory barrier inside __SetPageUptodate makes sure that 162 * preceding stores to the page contents become visible before 163 * the set_pte_at() write. 164 */ 165 __SetPageUptodate(page); 166 167 ret = -ENOMEM; 168 if (mem_cgroup_charge(page_folio(page), dst_mm, GFP_KERNEL)) 169 goto out_release; 170 171 ret = mfill_atomic_install_pte(dst_mm, dst_pmd, dst_vma, dst_addr, 172 page, true, wp_copy); 173 if (ret) 174 goto out_release; 175 out: 176 return ret; 177 out_release: 178 put_page(page); 179 goto out; 180 } 181 182 static int mfill_zeropage_pte(struct mm_struct *dst_mm, 183 pmd_t *dst_pmd, 184 struct vm_area_struct *dst_vma, 185 unsigned long dst_addr) 186 { 187 pte_t _dst_pte, *dst_pte; 188 spinlock_t *ptl; 189 int ret; 190 pgoff_t offset, max_off; 191 struct inode *inode; 192 193 _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr), 194 dst_vma->vm_page_prot)); 195 dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); 196 if (dst_vma->vm_file) { 197 /* the shmem MAP_PRIVATE case requires checking the i_size */ 198 inode = dst_vma->vm_file->f_inode; 199 offset = linear_page_index(dst_vma, dst_addr); 200 max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); 201 ret = -EFAULT; 202 if (unlikely(offset >= max_off)) 203 goto out_unlock; 204 } 205 ret = -EEXIST; 206 if (!pte_none(*dst_pte)) 207 goto out_unlock; 208 set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte); 209 /* No need to invalidate - it was non-present before */ 210 update_mmu_cache(dst_vma, dst_addr, dst_pte); 211 ret = 0; 212 out_unlock: 213 pte_unmap_unlock(dst_pte, ptl); 214 return ret; 215 } 216 217 /* Handles UFFDIO_CONTINUE for all shmem VMAs (shared or private). */ 218 static int mcontinue_atomic_pte(struct mm_struct *dst_mm, 219 pmd_t *dst_pmd, 220 struct vm_area_struct *dst_vma, 221 unsigned long dst_addr, 222 bool wp_copy) 223 { 224 struct inode *inode = file_inode(dst_vma->vm_file); 225 pgoff_t pgoff = linear_page_index(dst_vma, dst_addr); 226 struct page *page; 227 int ret; 228 229 ret = shmem_getpage(inode, pgoff, &page, SGP_READ); 230 if (ret) 231 goto out; 232 if (!page) { 233 ret = -EFAULT; 234 goto out; 235 } 236 237 if (PageHWPoison(page)) { 238 ret = -EIO; 239 goto out_release; 240 } 241 242 ret = mfill_atomic_install_pte(dst_mm, dst_pmd, dst_vma, dst_addr, 243 page, false, wp_copy); 244 if (ret) 245 goto out_release; 246 247 unlock_page(page); 248 ret = 0; 249 out: 250 return ret; 251 out_release: 252 unlock_page(page); 253 put_page(page); 254 goto out; 255 } 256 257 static pmd_t *mm_alloc_pmd(struct mm_struct *mm, unsigned long address) 258 { 259 pgd_t *pgd; 260 p4d_t *p4d; 261 pud_t *pud; 262 263 pgd = pgd_offset(mm, address); 264 p4d = p4d_alloc(mm, pgd, address); 265 if (!p4d) 266 return NULL; 267 pud = pud_alloc(mm, p4d, address); 268 if (!pud) 269 return NULL; 270 /* 271 * Note that we didn't run this because the pmd was 272 * missing, the *pmd may be already established and in 273 * turn it may also be a trans_huge_pmd. 274 */ 275 return pmd_alloc(mm, pud, address); 276 } 277 278 #ifdef CONFIG_HUGETLB_PAGE 279 /* 280 * __mcopy_atomic processing for HUGETLB vmas. Note that this routine is 281 * called with mmap_lock held, it will release mmap_lock before returning. 282 */ 283 static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm, 284 struct vm_area_struct *dst_vma, 285 unsigned long dst_start, 286 unsigned long src_start, 287 unsigned long len, 288 enum mcopy_atomic_mode mode) 289 { 290 int vm_shared = dst_vma->vm_flags & VM_SHARED; 291 ssize_t err; 292 pte_t *dst_pte; 293 unsigned long src_addr, dst_addr; 294 long copied; 295 struct page *page; 296 unsigned long vma_hpagesize; 297 pgoff_t idx; 298 u32 hash; 299 struct address_space *mapping; 300 301 /* 302 * There is no default zero huge page for all huge page sizes as 303 * supported by hugetlb. A PMD_SIZE huge pages may exist as used 304 * by THP. Since we can not reliably insert a zero page, this 305 * feature is not supported. 306 */ 307 if (mode == MCOPY_ATOMIC_ZEROPAGE) { 308 mmap_read_unlock(dst_mm); 309 return -EINVAL; 310 } 311 312 src_addr = src_start; 313 dst_addr = dst_start; 314 copied = 0; 315 page = NULL; 316 vma_hpagesize = vma_kernel_pagesize(dst_vma); 317 318 /* 319 * Validate alignment based on huge page size 320 */ 321 err = -EINVAL; 322 if (dst_start & (vma_hpagesize - 1) || len & (vma_hpagesize - 1)) 323 goto out_unlock; 324 325 retry: 326 /* 327 * On routine entry dst_vma is set. If we had to drop mmap_lock and 328 * retry, dst_vma will be set to NULL and we must lookup again. 329 */ 330 if (!dst_vma) { 331 err = -ENOENT; 332 dst_vma = find_dst_vma(dst_mm, dst_start, len); 333 if (!dst_vma || !is_vm_hugetlb_page(dst_vma)) 334 goto out_unlock; 335 336 err = -EINVAL; 337 if (vma_hpagesize != vma_kernel_pagesize(dst_vma)) 338 goto out_unlock; 339 340 vm_shared = dst_vma->vm_flags & VM_SHARED; 341 } 342 343 /* 344 * If not shared, ensure the dst_vma has a anon_vma. 345 */ 346 err = -ENOMEM; 347 if (!vm_shared) { 348 if (unlikely(anon_vma_prepare(dst_vma))) 349 goto out_unlock; 350 } 351 352 while (src_addr < src_start + len) { 353 BUG_ON(dst_addr >= dst_start + len); 354 355 /* 356 * Serialize via i_mmap_rwsem and hugetlb_fault_mutex. 357 * i_mmap_rwsem ensures the dst_pte remains valid even 358 * in the case of shared pmds. fault mutex prevents 359 * races with other faulting threads. 360 */ 361 mapping = dst_vma->vm_file->f_mapping; 362 i_mmap_lock_read(mapping); 363 idx = linear_page_index(dst_vma, dst_addr); 364 hash = hugetlb_fault_mutex_hash(mapping, idx); 365 mutex_lock(&hugetlb_fault_mutex_table[hash]); 366 367 err = -ENOMEM; 368 dst_pte = huge_pte_alloc(dst_mm, dst_vma, dst_addr, vma_hpagesize); 369 if (!dst_pte) { 370 mutex_unlock(&hugetlb_fault_mutex_table[hash]); 371 i_mmap_unlock_read(mapping); 372 goto out_unlock; 373 } 374 375 if (mode != MCOPY_ATOMIC_CONTINUE && 376 !huge_pte_none(huge_ptep_get(dst_pte))) { 377 err = -EEXIST; 378 mutex_unlock(&hugetlb_fault_mutex_table[hash]); 379 i_mmap_unlock_read(mapping); 380 goto out_unlock; 381 } 382 383 err = hugetlb_mcopy_atomic_pte(dst_mm, dst_pte, dst_vma, 384 dst_addr, src_addr, mode, &page); 385 386 mutex_unlock(&hugetlb_fault_mutex_table[hash]); 387 i_mmap_unlock_read(mapping); 388 389 cond_resched(); 390 391 if (unlikely(err == -ENOENT)) { 392 mmap_read_unlock(dst_mm); 393 BUG_ON(!page); 394 395 err = copy_huge_page_from_user(page, 396 (const void __user *)src_addr, 397 vma_hpagesize / PAGE_SIZE, 398 true); 399 if (unlikely(err)) { 400 err = -EFAULT; 401 goto out; 402 } 403 mmap_read_lock(dst_mm); 404 405 dst_vma = NULL; 406 goto retry; 407 } else 408 BUG_ON(page); 409 410 if (!err) { 411 dst_addr += vma_hpagesize; 412 src_addr += vma_hpagesize; 413 copied += vma_hpagesize; 414 415 if (fatal_signal_pending(current)) 416 err = -EINTR; 417 } 418 if (err) 419 break; 420 } 421 422 out_unlock: 423 mmap_read_unlock(dst_mm); 424 out: 425 if (page) 426 put_page(page); 427 BUG_ON(copied < 0); 428 BUG_ON(err > 0); 429 BUG_ON(!copied && !err); 430 return copied ? copied : err; 431 } 432 #else /* !CONFIG_HUGETLB_PAGE */ 433 /* fail at build time if gcc attempts to use this */ 434 extern ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm, 435 struct vm_area_struct *dst_vma, 436 unsigned long dst_start, 437 unsigned long src_start, 438 unsigned long len, 439 enum mcopy_atomic_mode mode); 440 #endif /* CONFIG_HUGETLB_PAGE */ 441 442 static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm, 443 pmd_t *dst_pmd, 444 struct vm_area_struct *dst_vma, 445 unsigned long dst_addr, 446 unsigned long src_addr, 447 struct page **page, 448 enum mcopy_atomic_mode mode, 449 bool wp_copy) 450 { 451 ssize_t err; 452 453 if (mode == MCOPY_ATOMIC_CONTINUE) { 454 return mcontinue_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr, 455 wp_copy); 456 } 457 458 /* 459 * The normal page fault path for a shmem will invoke the 460 * fault, fill the hole in the file and COW it right away. The 461 * result generates plain anonymous memory. So when we are 462 * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll 463 * generate anonymous memory directly without actually filling 464 * the hole. For the MAP_PRIVATE case the robustness check 465 * only happens in the pagetable (to verify it's still none) 466 * and not in the radix tree. 467 */ 468 if (!(dst_vma->vm_flags & VM_SHARED)) { 469 if (mode == MCOPY_ATOMIC_NORMAL) 470 err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma, 471 dst_addr, src_addr, page, 472 wp_copy); 473 else 474 err = mfill_zeropage_pte(dst_mm, dst_pmd, 475 dst_vma, dst_addr); 476 } else { 477 VM_WARN_ON_ONCE(wp_copy); 478 err = shmem_mfill_atomic_pte(dst_mm, dst_pmd, dst_vma, 479 dst_addr, src_addr, 480 mode != MCOPY_ATOMIC_NORMAL, 481 page); 482 } 483 484 return err; 485 } 486 487 static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, 488 unsigned long dst_start, 489 unsigned long src_start, 490 unsigned long len, 491 enum mcopy_atomic_mode mcopy_mode, 492 atomic_t *mmap_changing, 493 __u64 mode) 494 { 495 struct vm_area_struct *dst_vma; 496 ssize_t err; 497 pmd_t *dst_pmd; 498 unsigned long src_addr, dst_addr; 499 long copied; 500 struct page *page; 501 bool wp_copy; 502 503 /* 504 * Sanitize the command parameters: 505 */ 506 BUG_ON(dst_start & ~PAGE_MASK); 507 BUG_ON(len & ~PAGE_MASK); 508 509 /* Does the address range wrap, or is the span zero-sized? */ 510 BUG_ON(src_start + len <= src_start); 511 BUG_ON(dst_start + len <= dst_start); 512 513 src_addr = src_start; 514 dst_addr = dst_start; 515 copied = 0; 516 page = NULL; 517 retry: 518 mmap_read_lock(dst_mm); 519 520 /* 521 * If memory mappings are changing because of non-cooperative 522 * operation (e.g. mremap) running in parallel, bail out and 523 * request the user to retry later 524 */ 525 err = -EAGAIN; 526 if (mmap_changing && atomic_read(mmap_changing)) 527 goto out_unlock; 528 529 /* 530 * Make sure the vma is not shared, that the dst range is 531 * both valid and fully within a single existing vma. 532 */ 533 err = -ENOENT; 534 dst_vma = find_dst_vma(dst_mm, dst_start, len); 535 if (!dst_vma) 536 goto out_unlock; 537 538 err = -EINVAL; 539 /* 540 * shmem_zero_setup is invoked in mmap for MAP_ANONYMOUS|MAP_SHARED but 541 * it will overwrite vm_ops, so vma_is_anonymous must return false. 542 */ 543 if (WARN_ON_ONCE(vma_is_anonymous(dst_vma) && 544 dst_vma->vm_flags & VM_SHARED)) 545 goto out_unlock; 546 547 /* 548 * validate 'mode' now that we know the dst_vma: don't allow 549 * a wrprotect copy if the userfaultfd didn't register as WP. 550 */ 551 wp_copy = mode & UFFDIO_COPY_MODE_WP; 552 if (wp_copy && !(dst_vma->vm_flags & VM_UFFD_WP)) 553 goto out_unlock; 554 555 /* 556 * If this is a HUGETLB vma, pass off to appropriate routine 557 */ 558 if (is_vm_hugetlb_page(dst_vma)) 559 return __mcopy_atomic_hugetlb(dst_mm, dst_vma, dst_start, 560 src_start, len, mcopy_mode); 561 562 if (!vma_is_anonymous(dst_vma) && !vma_is_shmem(dst_vma)) 563 goto out_unlock; 564 if (!vma_is_shmem(dst_vma) && mcopy_mode == MCOPY_ATOMIC_CONTINUE) 565 goto out_unlock; 566 567 /* 568 * Ensure the dst_vma has a anon_vma or this page 569 * would get a NULL anon_vma when moved in the 570 * dst_vma. 571 */ 572 err = -ENOMEM; 573 if (!(dst_vma->vm_flags & VM_SHARED) && 574 unlikely(anon_vma_prepare(dst_vma))) 575 goto out_unlock; 576 577 while (src_addr < src_start + len) { 578 pmd_t dst_pmdval; 579 580 BUG_ON(dst_addr >= dst_start + len); 581 582 dst_pmd = mm_alloc_pmd(dst_mm, dst_addr); 583 if (unlikely(!dst_pmd)) { 584 err = -ENOMEM; 585 break; 586 } 587 588 dst_pmdval = pmd_read_atomic(dst_pmd); 589 /* 590 * If the dst_pmd is mapped as THP don't 591 * override it and just be strict. 592 */ 593 if (unlikely(pmd_trans_huge(dst_pmdval))) { 594 err = -EEXIST; 595 break; 596 } 597 if (unlikely(pmd_none(dst_pmdval)) && 598 unlikely(__pte_alloc(dst_mm, dst_pmd))) { 599 err = -ENOMEM; 600 break; 601 } 602 /* If an huge pmd materialized from under us fail */ 603 if (unlikely(pmd_trans_huge(*dst_pmd))) { 604 err = -EFAULT; 605 break; 606 } 607 608 BUG_ON(pmd_none(*dst_pmd)); 609 BUG_ON(pmd_trans_huge(*dst_pmd)); 610 611 err = mfill_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr, 612 src_addr, &page, mcopy_mode, wp_copy); 613 cond_resched(); 614 615 if (unlikely(err == -ENOENT)) { 616 void *page_kaddr; 617 618 mmap_read_unlock(dst_mm); 619 BUG_ON(!page); 620 621 page_kaddr = kmap(page); 622 err = copy_from_user(page_kaddr, 623 (const void __user *) src_addr, 624 PAGE_SIZE); 625 kunmap(page); 626 if (unlikely(err)) { 627 err = -EFAULT; 628 goto out; 629 } 630 flush_dcache_page(page); 631 goto retry; 632 } else 633 BUG_ON(page); 634 635 if (!err) { 636 dst_addr += PAGE_SIZE; 637 src_addr += PAGE_SIZE; 638 copied += PAGE_SIZE; 639 640 if (fatal_signal_pending(current)) 641 err = -EINTR; 642 } 643 if (err) 644 break; 645 } 646 647 out_unlock: 648 mmap_read_unlock(dst_mm); 649 out: 650 if (page) 651 put_page(page); 652 BUG_ON(copied < 0); 653 BUG_ON(err > 0); 654 BUG_ON(!copied && !err); 655 return copied ? copied : err; 656 } 657 658 ssize_t mcopy_atomic(struct mm_struct *dst_mm, unsigned long dst_start, 659 unsigned long src_start, unsigned long len, 660 atomic_t *mmap_changing, __u64 mode) 661 { 662 return __mcopy_atomic(dst_mm, dst_start, src_start, len, 663 MCOPY_ATOMIC_NORMAL, mmap_changing, mode); 664 } 665 666 ssize_t mfill_zeropage(struct mm_struct *dst_mm, unsigned long start, 667 unsigned long len, atomic_t *mmap_changing) 668 { 669 return __mcopy_atomic(dst_mm, start, 0, len, MCOPY_ATOMIC_ZEROPAGE, 670 mmap_changing, 0); 671 } 672 673 ssize_t mcopy_continue(struct mm_struct *dst_mm, unsigned long start, 674 unsigned long len, atomic_t *mmap_changing) 675 { 676 return __mcopy_atomic(dst_mm, start, 0, len, MCOPY_ATOMIC_CONTINUE, 677 mmap_changing, 0); 678 } 679 680 int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start, 681 unsigned long len, bool enable_wp, 682 atomic_t *mmap_changing) 683 { 684 struct vm_area_struct *dst_vma; 685 pgprot_t newprot; 686 int err; 687 688 /* 689 * Sanitize the command parameters: 690 */ 691 BUG_ON(start & ~PAGE_MASK); 692 BUG_ON(len & ~PAGE_MASK); 693 694 /* Does the address range wrap, or is the span zero-sized? */ 695 BUG_ON(start + len <= start); 696 697 mmap_read_lock(dst_mm); 698 699 /* 700 * If memory mappings are changing because of non-cooperative 701 * operation (e.g. mremap) running in parallel, bail out and 702 * request the user to retry later 703 */ 704 err = -EAGAIN; 705 if (mmap_changing && atomic_read(mmap_changing)) 706 goto out_unlock; 707 708 err = -ENOENT; 709 dst_vma = find_dst_vma(dst_mm, start, len); 710 /* 711 * Make sure the vma is not shared, that the dst range is 712 * both valid and fully within a single existing vma. 713 */ 714 if (!dst_vma || (dst_vma->vm_flags & VM_SHARED)) 715 goto out_unlock; 716 if (!userfaultfd_wp(dst_vma)) 717 goto out_unlock; 718 if (!vma_is_anonymous(dst_vma)) 719 goto out_unlock; 720 721 if (enable_wp) 722 newprot = vm_get_page_prot(dst_vma->vm_flags & ~(VM_WRITE)); 723 else 724 newprot = vm_get_page_prot(dst_vma->vm_flags); 725 726 change_protection(dst_vma, start, start + len, newprot, 727 enable_wp ? MM_CP_UFFD_WP : MM_CP_UFFD_WP_RESOLVE); 728 729 err = 0; 730 out_unlock: 731 mmap_read_unlock(dst_mm); 732 return err; 733 } 734