add new system file

hc

2024-02-20 102a0743326a03cd1a1202ceda21e175b7d3575c

 kernel/mm/khugepaged.c
..
..
@@ -28,7 +28,10 @@
28
28
 	SCAN_SUCCEED,
29
29
 	SCAN_PMD_NULL,
30
30
 	SCAN_EXCEED_NONE_PTE,
31
+	SCAN_EXCEED_SWAP_PTE,
32
+	SCAN_EXCEED_SHARED_PTE,
31
33
 	SCAN_PTE_NON_PRESENT,
34
+	SCAN_PTE_UFFD_WP,
32
35
 	SCAN_PAGE_RO,
33
36
 	SCAN_LACK_REFERENCED_PAGE,
34
37
 	SCAN_PAGE_NULL,
..
..
@@ -46,8 +49,8 @@
46
49
 	SCAN_DEL_PAGE_LRU,
47
50
 	SCAN_ALLOC_HUGE_PAGE_FAIL,
48
51
 	SCAN_CGROUP_CHARGE_FAIL,
49
-	SCAN_EXCEED_SWAP_PTE,
50
52
 	SCAN_TRUNCATED,
53
+	SCAN_PAGE_HAS_PRIVATE,
51
54
 };
52
55
 
53
56
 #define CREATE_TRACE_POINTS
..
..
@@ -73,11 +76,14 @@
73
76
  */
74
77
 static unsigned int khugepaged_max_ptes_none __read_mostly;
75
78
 static unsigned int khugepaged_max_ptes_swap __read_mostly;
79
+static unsigned int khugepaged_max_ptes_shared __read_mostly;
76
80
 
77
81
 #define MM_SLOTS_HASH_BITS 10
78
82
 static __read_mostly DEFINE_HASHTABLE(mm_slots_hash, MM_SLOTS_HASH_BITS);
79
83
 
80
84
 static struct kmem_cache *mm_slot_cache __read_mostly;
85
+
86
+#define MAX_PTE_MAPPED_THP 8
81
87
 
82
88
 /**
83
89
  * struct mm_slot - hash lookup from mm to mm_slot
..
..
@@ -89,6 +95,10 @@
89
95
 	struct hlist_node hash;
90
96
 	struct list_head mm_node;
91
97
 	struct mm_struct *mm;
98
+
99
+	/* pte-mapped THP in this mm */
100
+	int nr_pte_mapped_thp;
101
+	unsigned long pte_mapped_thp[MAX_PTE_MAPPED_THP];
92
102
 };
93
103
 
94
104
 /**
..
..
@@ -286,15 +296,43 @@
286
296
 	__ATTR(max_ptes_swap, 0644, khugepaged_max_ptes_swap_show,
287
297
 	       khugepaged_max_ptes_swap_store);
288
298
 
299
+static ssize_t khugepaged_max_ptes_shared_show(struct kobject *kobj,
300
+					     struct kobj_attribute *attr,
301
+					     char *buf)
302
+{
303
+	return sprintf(buf, "%u\n", khugepaged_max_ptes_shared);
304
+}
305
+
306
+static ssize_t khugepaged_max_ptes_shared_store(struct kobject *kobj,
307
+					      struct kobj_attribute *attr,
308
+					      const char *buf, size_t count)
309
+{
310
+	int err;
311
+	unsigned long max_ptes_shared;
312
+
313
+	err  = kstrtoul(buf, 10, &max_ptes_shared);
314
+	if (err || max_ptes_shared > HPAGE_PMD_NR-1)
315
+		return -EINVAL;
316
+
317
+	khugepaged_max_ptes_shared = max_ptes_shared;
318
+
319
+	return count;
320
+}
321
+
322
+static struct kobj_attribute khugepaged_max_ptes_shared_attr =
323
+	__ATTR(max_ptes_shared, 0644, khugepaged_max_ptes_shared_show,
324
+	       khugepaged_max_ptes_shared_store);
325
+
289
326
 static struct attribute *khugepaged_attr[] = {
290
327
 	&khugepaged_defrag_attr.attr,
291
328
 	&khugepaged_max_ptes_none_attr.attr,
329
+	&khugepaged_max_ptes_swap_attr.attr,
330
+	&khugepaged_max_ptes_shared_attr.attr,
292
331
 	&pages_to_scan_attr.attr,
293
332
 	&pages_collapsed_attr.attr,
294
333
 	&full_scans_attr.attr,
295
334
 	&scan_sleep_millisecs_attr.attr,
296
335
 	&alloc_sleep_millisecs_attr.attr,
297
-	&khugepaged_max_ptes_swap_attr.attr,
298
336
 	NULL,
299
337
 };
300
338
 
..
..
@@ -303,8 +341,6 @@
303
341
 	.name = "khugepaged",
304
342
 };
305
343
 #endif /* CONFIG_SYSFS */
306
-
307
-#define VM_NO_KHUGEPAGED (VM_SPECIAL | VM_HUGETLB)
308
344
 
309
345
 int hugepage_madvise(struct vm_area_struct *vma,
310
346
 		     unsigned long *vm_flags, int advice)
..
..
@@ -356,6 +392,7 @@
356
392
 	khugepaged_pages_to_scan = HPAGE_PMD_NR * 8;
357
393
 	khugepaged_max_ptes_none = HPAGE_PMD_NR - 1;
358
394
 	khugepaged_max_ptes_swap = HPAGE_PMD_NR / 8;
395
+	khugepaged_max_ptes_shared = HPAGE_PMD_NR / 2;
359
396
 
360
397
 	return 0;
361
398
 }
..
..
@@ -397,25 +434,39 @@
397
434
 
398
435
 static inline int khugepaged_test_exit(struct mm_struct *mm)
399
436
 {
400
-	return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm);
437
+	return atomic_read(&mm->mm_users) == 0;
401
438
 }
402
439
 
403
440
 static bool hugepage_vma_check(struct vm_area_struct *vma,
404
441
 			       unsigned long vm_flags)
405
442
 {
406
-	if ((!(vm_flags & VM_HUGEPAGE) && !khugepaged_always()) ||
407
-	    (vm_flags & VM_NOHUGEPAGE) ||
408
-	    test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags))
443
+	if (!transhuge_vma_enabled(vma, vm_flags))
409
444
 		return false;
410
-	if (shmem_file(vma->vm_file)) {
411
-		if (!IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE))
412
-			return false;
413
-		return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff,
414
-				HPAGE_PMD_NR);
445
+
446
+	if (vma->vm_file && !IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) -
447
+				vma->vm_pgoff, HPAGE_PMD_NR))
448
+		return false;
449
+
450
+	/* Enabled via shmem mount options or sysfs settings. */
451
+	if (shmem_file(vma->vm_file))
452
+		return shmem_huge_enabled(vma);
453
+
454
+	/* THP settings require madvise. */
455
+	if (!(vm_flags & VM_HUGEPAGE) && !khugepaged_always())
456
+		return false;
457
+
458
+	/* Only regular file is valid */
459
+	if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && vma->vm_file &&
460
+	    !inode_is_open_for_write(vma->vm_file->f_inode) &&
461
+	    (vm_flags & VM_EXEC)) {
462
+		struct inode *inode = vma->vm_file->f_inode;
463
+
464
+		return S_ISREG(inode->i_mode);
415
465
 	}
466
+
416
467
 	if (!vma->anon_vma || vma->vm_ops)
417
468
 		return false;
418
-	if (is_vma_temporary_stack(vma))
469
+	if (vma_is_temporary_stack(vma))
419
470
 		return false;
420
471
 	return !(vm_flags & VM_NO_KHUGEPAGED);
421
472
 }
..
..
@@ -459,8 +510,9 @@
459
510
 	unsigned long hstart, hend;
460
511
 
461
512
 	/*
462
-	 * khugepaged does not yet work on non-shmem files or special
463
-	 * mappings. And file-private shmem THP is not supported.
513
+	 * khugepaged only supports read-only files for non-shmem files.
514
+	 * khugepaged does not yet work on special mappings. And
515
+	 * file-private shmem THP is not supported.
464
516
 	 */
465
517
 	if (!hugepage_vma_check(vma, vm_flags))
466
518
 		return 0;
..
..
@@ -497,36 +549,61 @@
497
549
 		 * under mmap sem read mode). Stop here (after we
498
550
 		 * return all pagetables will be destroyed) until
499
551
 		 * khugepaged has finished working on the pagetables
500
-		 * under the mmap_sem.
552
+		 * under the mmap_lock.
501
553
 		 */
502
-		down_write(&mm->mmap_sem);
503
-		up_write(&mm->mmap_sem);
554
+		mmap_write_lock(mm);
555
+		mmap_write_unlock(mm);
504
556
 	}
505
557
 }
506
558
 
507
559
 static void release_pte_page(struct page *page)
508
560
 {
509
-	dec_node_page_state(page, NR_ISOLATED_ANON + page_is_file_cache(page));
561
+	mod_node_page_state(page_pgdat(page),
562
+			NR_ISOLATED_ANON + page_is_file_lru(page),
563
+			-compound_nr(page));
510
564
 	unlock_page(page);
511
565
 	putback_lru_page(page);
512
566
 }
513
567
 
514
-static void release_pte_pages(pte_t *pte, pte_t *_pte)
568
+static void release_pte_pages(pte_t *pte, pte_t *_pte,
569
+		struct list_head *compound_pagelist)
515
570
 {
571
+	struct page *page, *tmp;
572
+
516
573
 	while (--_pte >= pte) {
517
574
 		pte_t pteval = *_pte;
518
-		if (!pte_none(pteval) && !is_zero_pfn(pte_pfn(pteval)))
519
-			release_pte_page(pte_page(pteval));
575
+
576
+		page = pte_page(pteval);
577
+		if (!pte_none(pteval) && !is_zero_pfn(pte_pfn(pteval)) &&
578
+				!PageCompound(page))
579
+			release_pte_page(page);
520
580
 	}
581
+
582
+	list_for_each_entry_safe(page, tmp, compound_pagelist, lru) {
583
+		list_del(&page->lru);
584
+		release_pte_page(page);
585
+	}
586
+}
587
+
588
+static bool is_refcount_suitable(struct page *page)
589
+{
590
+	int expected_refcount;
591
+
592
+	expected_refcount = total_mapcount(page);
593
+	if (PageSwapCache(page))
594
+		expected_refcount += compound_nr(page);
595
+
596
+	return page_count(page) == expected_refcount;
521
597
 }
522
598
 
523
599
 static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
524
600
 					unsigned long address,
525
-					pte_t *pte)
601
+					pte_t *pte,
602
+					struct list_head *compound_pagelist)
526
603
 {
527
604
 	struct page *page = NULL;
528
605
 	pte_t *_pte;
529
-	int none_or_zero = 0, result = 0, referenced = 0;
606
+	int none_or_zero = 0, shared = 0, result = 0, referenced = 0;
530
607
 	bool writable = false;
531
608
 
532
609
 	for (_pte = pte; _pte < pte+HPAGE_PMD_NR;
..
..
@@ -546,19 +623,37 @@
546
623
 			result = SCAN_PTE_NON_PRESENT;
547
624
 			goto out;
548
625
 		}
626
+		if (pte_uffd_wp(pteval)) {
627
+			result = SCAN_PTE_UFFD_WP;
628
+			goto out;
629
+		}
549
630
 		page = vm_normal_page(vma, address, pteval);
550
631
 		if (unlikely(!page)) {
551
632
 			result = SCAN_PAGE_NULL;
552
633
 			goto out;
553
634
 		}
554
635
 
555
-		/* TODO: teach khugepaged to collapse THP mapped with pte */
556
-		if (PageCompound(page)) {
557
-			result = SCAN_PAGE_COMPOUND;
636
+		VM_BUG_ON_PAGE(!PageAnon(page), page);
637
+
638
+		if (page_mapcount(page) > 1 &&
639
+				++shared > khugepaged_max_ptes_shared) {
640
+			result = SCAN_EXCEED_SHARED_PTE;
558
641
 			goto out;
559
642
 		}
560
643
 
561
-		VM_BUG_ON_PAGE(!PageAnon(page), page);
644
+		if (PageCompound(page)) {
645
+			struct page *p;
646
+			page = compound_head(page);
647
+
648
+			/*
649
+			 * Check if we have dealt with the compound page
650
+			 * already
651
+			 */
652
+			list_for_each_entry(p, compound_pagelist, lru) {
653
+				if (page == p)
654
+					goto next;
655
+			}
656
+		}
562
657
 
563
658
 		/*
564
659
 		 * We can do it before isolate_lru_page because the
..
..
@@ -572,28 +667,30 @@
572
667
 		}
573
668
 
574
669
 		/*
575
-		 * cannot use mapcount: can't collapse if there's a gup pin.
576
-		 * The page must only be referenced by the scanned process
577
-		 * and page swap cache.
670
+		 * Check if the page has any GUP (or other external) pins.
671
+		 *
672
+		 * The page table that maps the page has been already unlinked
673
+		 * from the page table tree and this process cannot get
674
+		 * an additinal pin on the page.
675
+		 *
676
+		 * New pins can come later if the page is shared across fork,
677
+		 * but not from this process. The other process cannot write to
678
+		 * the page, only trigger CoW.
578
679
 		 */
579
-		if (page_count(page) != 1 + PageSwapCache(page)) {
680
+		if (!is_refcount_suitable(page)) {
580
681
 			unlock_page(page);
581
682
 			result = SCAN_PAGE_COUNT;
582
683
 			goto out;
583
684
 		}
584
-		if (pte_write(pteval)) {
585
-			writable = true;
586
-		} else {
587
-			if (PageSwapCache(page) &&
588
-			    !reuse_swap_page(page, NULL)) {
589
-				unlock_page(page);
590
-				result = SCAN_SWAP_CACHE_PAGE;
591
-				goto out;
592
-			}
685
+		if (!pte_write(pteval) && PageSwapCache(page) &&
686
+				!reuse_swap_page(page, NULL)) {
593
687
 			/*
594
-			 * Page is not in the swap cache. It can be collapsed
595
-			 * into a THP.
688
+			 * Page is in the swap cache and cannot be re-used.
689
+			 * It cannot be collapsed into a THP.
596
690
 			 */
691
+			unlock_page(page);
692
+			result = SCAN_SWAP_CACHE_PAGE;
693
+			goto out;
597
694
 		}
598
695
 
599
696
 		/*
..
..
@@ -605,16 +702,23 @@
605
702
 			result = SCAN_DEL_PAGE_LRU;
606
703
 			goto out;
607
704
 		}
608
-		inc_node_page_state(page,
609
-				NR_ISOLATED_ANON + page_is_file_cache(page));
705
+		mod_node_page_state(page_pgdat(page),
706
+				NR_ISOLATED_ANON + page_is_file_lru(page),
707
+				compound_nr(page));
610
708
 		VM_BUG_ON_PAGE(!PageLocked(page), page);
611
709
 		VM_BUG_ON_PAGE(PageLRU(page), page);
612
710
 
711
+		if (PageCompound(page))
712
+			list_add_tail(&page->lru, compound_pagelist);
713
+next:
613
714
 		/* There should be enough young pte to collapse the page */
614
715
 		if (pte_young(pteval) ||
615
716
 		    page_is_young(page) || PageReferenced(page) ||
616
717
 		    mmu_notifier_test_young(vma->vm_mm, address))
617
718
 			referenced++;
719
+
720
+		if (pte_write(pteval))
721
+			writable = true;
618
722
 	}
619
723
 
620
724
 	if (unlikely(!writable)) {
..
..
@@ -628,7 +732,7 @@
628
732
 		return 1;
629
733
 	}
630
734
 out:
631
-	release_pte_pages(pte, _pte);
735
+	release_pte_pages(pte, _pte, compound_pagelist);
632
736
 	trace_mm_collapse_huge_page_isolate(page, none_or_zero,
633
737
 					    referenced, writable, result);
634
738
 	return 0;
..
..
@@ -637,13 +741,14 @@
637
741
 static void __collapse_huge_page_copy(pte_t *pte, struct page *page,
638
742
 				      struct vm_area_struct *vma,
639
743
 				      unsigned long address,
640
-				      spinlock_t *ptl)
744
+				      spinlock_t *ptl,
745
+				      struct list_head *compound_pagelist)
641
746
 {
747
+	struct page *src_page, *tmp;
642
748
 	pte_t *_pte;
643
749
 	for (_pte = pte; _pte < pte + HPAGE_PMD_NR;
644
750
 				_pte++, page++, address += PAGE_SIZE) {
645
751
 		pte_t pteval = *_pte;
646
-		struct page *src_page;
647
752
 
648
753
 		if (pte_none(pteval) || is_zero_pfn(pte_pfn(pteval))) {
649
754
 			clear_user_highpage(page, address);
..
..
@@ -663,8 +768,8 @@
663
768
 		} else {
664
769
 			src_page = pte_page(pteval);
665
770
 			copy_user_highpage(page, src_page, address, vma);
666
-			VM_BUG_ON_PAGE(page_mapcount(src_page) != 1, src_page);
667
-			release_pte_page(src_page);
771
+			if (!PageCompound(src_page))
772
+				release_pte_page(src_page);
668
773
 			/*
669
774
 			 * ptl mostly unnecessary, but preempt has to
670
775
 			 * be disabled to update the per-cpu stats
..
..
@@ -680,6 +785,11 @@
680
785
 			spin_unlock(ptl);
681
786
 			free_page_and_swap_cache(src_page);
682
787
 		}
788
+	}
789
+
790
+	list_for_each_entry_safe(src_page, tmp, compound_pagelist, lru) {
791
+		list_del(&src_page->lru);
792
+		release_pte_page(src_page);
683
793
 	}
684
794
 }
685
795
 
..
..
@@ -713,7 +823,7 @@
713
823
 	for (i = 0; i < MAX_NUMNODES; i++) {
714
824
 		if (!khugepaged_node_load[i])
715
825
 			continue;
716
-		if (node_distance(nid, i) > RECLAIM_DISTANCE)
826
+		if (node_distance(nid, i) > node_reclaim_distance)
717
827
 			return true;
718
828
 	}
719
829
 	return false;
..
..
@@ -854,8 +964,8 @@
854
964
 #endif
855
965
 
856
966
 /*
857
- * If mmap_sem temporarily dropped, revalidate vma
858
- * before taking mmap_sem.
967
+ * If mmap_lock temporarily dropped, revalidate vma
968
+ * before taking mmap_lock.
859
969
  * Return 0 if succeeds, otherwise return none-zero
860
970
  * value (scan code).
861
971
  */
..
..
@@ -879,6 +989,9 @@
879
989
 		return SCAN_ADDRESS_RANGE;
880
990
 	if (!hugepage_vma_check(vma, vma->vm_flags))
881
991
 		return SCAN_VMA_CHECK;
992
+	/* Anon VMA expected */
993
+	if (!vma->anon_vma || vma->vm_ops)
994
+		return SCAN_VMA_CHECK;
882
995
 	return 0;
883
996
 }
884
997
 
..
..
@@ -887,48 +1000,48 @@
887
1000
  * Only done if khugepaged_scan_pmd believes it is worthwhile.
888
1001
  *
889
1002
  * Called and returns without pte mapped or spinlocks held,
890
- * but with mmap_sem held to protect against vma changes.
1003
+ * but with mmap_lock held to protect against vma changes.
891
1004
  */
892
1005
 
893
1006
 static bool __collapse_huge_page_swapin(struct mm_struct *mm,
894
1007
 					struct vm_area_struct *vma,
895
-					unsigned long address, pmd_t *pmd,
1008
+					unsigned long haddr, pmd_t *pmd,
896
1009
 					int referenced)
897
1010
 {
898
1011
 	int swapped_in = 0;
899
1012
 	vm_fault_t ret = 0;
900
-	struct vm_fault vmf = {
901
-		.vma = vma,
902
-		.address = address,
903
-		.flags = FAULT_FLAG_ALLOW_RETRY,
904
-		.pmd = pmd,
905
-		.pgoff = linear_page_index(vma, address),
906
-	};
1013
+	unsigned long address, end = haddr + (HPAGE_PMD_NR * PAGE_SIZE);
907
1014
 
908
-	/* we only decide to swapin, if there is enough young ptes */
909
-	if (referenced < HPAGE_PMD_NR/2) {
910
-		trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0);
911
-		return false;
912
-	}
913
-	vmf.pte = pte_offset_map(pmd, address);
914
-	for (; vmf.address < address + HPAGE_PMD_NR*PAGE_SIZE;
915
-			vmf.pte++, vmf.address += PAGE_SIZE) {
1015
+	for (address = haddr; address < end; address += PAGE_SIZE) {
1016
+		struct vm_fault vmf = {
1017
+			.vma = vma,
1018
+			.address = address,
1019
+			.pgoff = linear_page_index(vma, haddr),
1020
+			.flags = FAULT_FLAG_ALLOW_RETRY,
1021
+			.pmd = pmd,
1022
+			.vma_flags = vma->vm_flags,
1023
+			.vma_page_prot = vma->vm_page_prot,
1024
+		};
1025
+
1026
+		vmf.pte = pte_offset_map(pmd, address);
916
1027
 		vmf.orig_pte = *vmf.pte;
917
-		if (!is_swap_pte(vmf.orig_pte))
1028
+		if (!is_swap_pte(vmf.orig_pte)) {
1029
+			pte_unmap(vmf.pte);
918
1030
 			continue;
1031
+		}
919
1032
 		swapped_in++;
920
1033
 		ret = do_swap_page(&vmf);
921
1034
 
922
-		/* do_swap_page returns VM_FAULT_RETRY with released mmap_sem */
1035
+		/* do_swap_page returns VM_FAULT_RETRY with released mmap_lock */
923
1036
 		if (ret & VM_FAULT_RETRY) {
924
-			down_read(&mm->mmap_sem);
925
-			if (hugepage_vma_revalidate(mm, address, &vmf.vma)) {
1037
+			mmap_read_lock(mm);
1038
+			if (hugepage_vma_revalidate(mm, haddr, &vma)) {
926
1039
 				/* vma is no longer available, don't continue to swapin */
927
1040
 				trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0);
928
1041
 				return false;
929
1042
 			}
930
1043
 			/* check if the pmd is still valid */
931
-			if (mm_find_pmd(mm, address) != pmd) {
1044
+			if (mm_find_pmd(mm, haddr) != pmd) {
932
1045
 				trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0);
933
1046
 				return false;
934
1047
 			}
..
..
@@ -937,11 +1050,12 @@
937
1050
 			trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0);
938
1051
 			return false;
939
1052
 		}
940
-		/* pte is unmapped now, we need to map it */
941
-		vmf.pte = pte_offset_map(pmd, vmf.address);
942
1053
 	}
943
-	vmf.pte--;
944
-	pte_unmap(vmf.pte);
1054
+
1055
+	/* Drain LRU add pagevec to remove extra pin on the swapped in pages */
1056
+	if (swapped_in)
1057
+		lru_add_drain();
1058
+
945
1059
 	trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 1);
946
1060
 	return true;
947
1061
 }
..
..
@@ -949,18 +1063,17 @@
949
1063
 static void collapse_huge_page(struct mm_struct *mm,
950
1064
 				   unsigned long address,
951
1065
 				   struct page **hpage,
952
-				   int node, int referenced)
1066
+				   int node, int referenced, int unmapped)
953
1067
 {
1068
+	LIST_HEAD(compound_pagelist);
954
1069
 	pmd_t *pmd, _pmd;
955
1070
 	pte_t *pte;
956
1071
 	pgtable_t pgtable;
957
1072
 	struct page *new_page;
958
1073
 	spinlock_t *pmd_ptl, *pte_ptl;
959
1074
 	int isolated = 0, result = 0;
960
-	struct mem_cgroup *memcg;
961
1075
 	struct vm_area_struct *vma;
962
-	unsigned long mmun_start;	/* For mmu_notifiers */
963
-	unsigned long mmun_end;		/* For mmu_notifiers */
1076
+	struct mmu_notifier_range range;
964
1077
 	gfp_t gfp;
965
1078
 
966
1079
 	VM_BUG_ON(address & ~HPAGE_PMD_MASK);
..
..
@@ -969,57 +1082,56 @@
969
1082
 	gfp = alloc_hugepage_khugepaged_gfpmask() | __GFP_THISNODE;
970
1083
 
971
1084
 	/*
972
-	 * Before allocating the hugepage, release the mmap_sem read lock.
1085
+	 * Before allocating the hugepage, release the mmap_lock read lock.
973
1086
 	 * The allocation can take potentially a long time if it involves
974
-	 * sync compaction, and we do not need to hold the mmap_sem during
1087
+	 * sync compaction, and we do not need to hold the mmap_lock during
975
1088
 	 * that. We will recheck the vma after taking it again in write mode.
976
1089
 	 */
977
-	up_read(&mm->mmap_sem);
1090
+	mmap_read_unlock(mm);
978
1091
 	new_page = khugepaged_alloc_page(hpage, gfp, node);
979
1092
 	if (!new_page) {
980
1093
 		result = SCAN_ALLOC_HUGE_PAGE_FAIL;
981
1094
 		goto out_nolock;
982
1095
 	}
983
1096
 
984
-	if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
1097
+	if (unlikely(mem_cgroup_charge(new_page, mm, gfp))) {
985
1098
 		result = SCAN_CGROUP_CHARGE_FAIL;
986
1099
 		goto out_nolock;
987
1100
 	}
1101
+	count_memcg_page_event(new_page, THP_COLLAPSE_ALLOC);
988
1102
 
989
-	down_read(&mm->mmap_sem);
1103
+	mmap_read_lock(mm);
990
1104
 	result = hugepage_vma_revalidate(mm, address, &vma);
991
1105
 	if (result) {
992
-		mem_cgroup_cancel_charge(new_page, memcg, true);
993
-		up_read(&mm->mmap_sem);
1106
+		mmap_read_unlock(mm);
994
1107
 		goto out_nolock;
995
1108
 	}
996
1109
 
997
1110
 	pmd = mm_find_pmd(mm, address);
998
1111
 	if (!pmd) {
999
1112
 		result = SCAN_PMD_NULL;
1000
-		mem_cgroup_cancel_charge(new_page, memcg, true);
1001
-		up_read(&mm->mmap_sem);
1113
+		mmap_read_unlock(mm);
1002
1114
 		goto out_nolock;
1003
1115
 	}
1004
1116
 
1005
1117
 	/*
1006
-	 * __collapse_huge_page_swapin always returns with mmap_sem locked.
1007
-	 * If it fails, we release mmap_sem and jump out_nolock.
1118
+	 * __collapse_huge_page_swapin always returns with mmap_lock locked.
1119
+	 * If it fails, we release mmap_lock and jump out_nolock.
1008
1120
 	 * Continuing to collapse causes inconsistency.
1009
1121
 	 */
1010
-	if (!__collapse_huge_page_swapin(mm, vma, address, pmd, referenced)) {
1011
-		mem_cgroup_cancel_charge(new_page, memcg, true);
1012
-		up_read(&mm->mmap_sem);
1122
+	if (unmapped && !__collapse_huge_page_swapin(mm, vma, address,
1123
+						     pmd, referenced)) {
1124
+		mmap_read_unlock(mm);
1013
1125
 		goto out_nolock;
1014
1126
 	}
1015
1127
 
1016
-	up_read(&mm->mmap_sem);
1128
+	mmap_read_unlock(mm);
1017
1129
 	/*
1018
1130
 	 * Prevent all access to pagetables with the exception of
1019
1131
 	 * gup_fast later handled by the ptep_clear_flush and the VM
1020
1132
 	 * handled by the anon_vma lock + PG_lock.
1021
1133
 	 */
1022
-	down_write(&mm->mmap_sem);
1134
+	mmap_write_lock(mm);
1023
1135
 	result = hugepage_vma_revalidate(mm, address, &vma);
1024
1136
 	if (result)
1025
1137
 		goto out;
..
..
@@ -1027,27 +1139,33 @@
1027
1139
 	if (mm_find_pmd(mm, address) != pmd)
1028
1140
 		goto out;
1029
1141
 
1142
+	vm_write_begin(vma);
1030
1143
 	anon_vma_lock_write(vma->anon_vma);
1144
+
1145
+	mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm,
1146
+				address, address + HPAGE_PMD_SIZE);
1147
+	mmu_notifier_invalidate_range_start(&range);
1031
1148
 
1032
1149
 	pte = pte_offset_map(pmd, address);
1033
1150
 	pte_ptl = pte_lockptr(mm, pmd);
1034
1151
 
1035
-	mmun_start = address;
1036
-	mmun_end   = address + HPAGE_PMD_SIZE;
1037
-	mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
1038
1152
 	pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */
1039
1153
 	/*
1040
-	 * After this gup_fast can't run anymore. This also removes
1041
-	 * any huge TLB entry from the CPU so we won't allow
1042
-	 * huge and small TLB entries for the same virtual address
1043
-	 * to avoid the risk of CPU bugs in that area.
1154
+	 * This removes any huge TLB entry from the CPU so we won't allow
1155
+	 * huge and small TLB entries for the same virtual address to
1156
+	 * avoid the risk of CPU bugs in that area.
1157
+	 *
1158
+	 * Parallel fast GUP is fine since fast GUP will back off when
1159
+	 * it detects PMD is changed.
1044
1160
 	 */
1045
1161
 	_pmd = pmdp_collapse_flush(vma, address, pmd);
1046
1162
 	spin_unlock(pmd_ptl);
1047
-	mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
1163
+	mmu_notifier_invalidate_range_end(&range);
1164
+	tlb_remove_table_sync_one();
1048
1165
 
1049
1166
 	spin_lock(pte_ptl);
1050
-	isolated = __collapse_huge_page_isolate(vma, address, pte);
1167
+	isolated = __collapse_huge_page_isolate(vma, address, pte,
1168
+			&compound_pagelist);
1051
1169
 	spin_unlock(pte_ptl);
1052
1170
 
1053
1171
 	if (unlikely(!isolated)) {
..
..
@@ -1062,6 +1180,7 @@
1062
1180
 		pmd_populate(mm, pmd, pmd_pgtable(_pmd));
1063
1181
 		spin_unlock(pmd_ptl);
1064
1182
 		anon_vma_unlock_write(vma->anon_vma);
1183
+		vm_write_end(vma);
1065
1184
 		result = SCAN_FAIL;
1066
1185
 		goto out;
1067
1186
 	}
..
..
@@ -1072,7 +1191,8 @@
1072
1191
 	 */
1073
1192
 	anon_vma_unlock_write(vma->anon_vma);
1074
1193
 
1075
-	__collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl);
1194
+	__collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl,
1195
+			&compound_pagelist);
1076
1196
 	pte_unmap(pte);
1077
1197
 	__SetPageUptodate(new_page);
1078
1198
 	pgtable = pmd_pgtable(_pmd);
..
..
@@ -1090,24 +1210,25 @@
1090
1210
 	spin_lock(pmd_ptl);
1091
1211
 	BUG_ON(!pmd_none(*pmd));
1092
1212
 	page_add_new_anon_rmap(new_page, vma, address, true);
1093
-	mem_cgroup_commit_charge(new_page, memcg, false, true);
1094
-	lru_cache_add_active_or_unevictable(new_page, vma);
1213
+	lru_cache_add_inactive_or_unevictable(new_page, vma);
1095
1214
 	pgtable_trans_huge_deposit(mm, pmd, pgtable);
1096
1215
 	set_pmd_at(mm, address, pmd, _pmd);
1097
1216
 	update_mmu_cache_pmd(vma, address, pmd);
1098
1217
 	spin_unlock(pmd_ptl);
1218
+	vm_write_end(vma);
1099
1219
 
1100
1220
 	*hpage = NULL;
1101
1221
 
1102
1222
 	khugepaged_pages_collapsed++;
1103
1223
 	result = SCAN_SUCCEED;
1104
1224
 out_up_write:
1105
-	up_write(&mm->mmap_sem);
1225
+	mmap_write_unlock(mm);
1106
1226
 out_nolock:
1227
+	if (!IS_ERR_OR_NULL(*hpage))
1228
+		mem_cgroup_uncharge(*hpage);
1107
1229
 	trace_mm_collapse_huge_page(mm, isolated, result);
1108
1230
 	return;
1109
1231
 out:
1110
-	mem_cgroup_cancel_charge(new_page, memcg, true);
1111
1232
 	goto out_up_write;
1112
1233
 }
1113
1234
 
..
..
@@ -1118,7 +1239,8 @@
1118
1239
 {
1119
1240
 	pmd_t *pmd;
1120
1241
 	pte_t *pte, *_pte;
1121
-	int ret = 0, none_or_zero = 0, result = 0, referenced = 0;
1242
+	int ret = 0, result = 0, referenced = 0;
1243
+	int none_or_zero = 0, shared = 0;
1122
1244
 	struct page *page = NULL;
1123
1245
 	unsigned long _address;
1124
1246
 	spinlock_t *ptl;
..
..
@@ -1140,6 +1262,15 @@
1140
1262
 		pte_t pteval = *_pte;
1141
1263
 		if (is_swap_pte(pteval)) {
1142
1264
 			if (++unmapped <= khugepaged_max_ptes_swap) {
1265
+				/*
1266
+				 * Always be strict with uffd-wp
1267
+				 * enabled swap entries.  Please see
1268
+				 * comment below for pte_uffd_wp().
1269
+				 */
1270
+				if (pte_swp_uffd_wp(pteval)) {
1271
+					result = SCAN_PTE_UFFD_WP;
1272
+					goto out_unmap;
1273
+				}
1143
1274
 				continue;
1144
1275
 			} else {
1145
1276
 				result = SCAN_EXCEED_SWAP_PTE;
..
..
@@ -1159,6 +1290,19 @@
1159
1290
 			result = SCAN_PTE_NON_PRESENT;
1160
1291
 			goto out_unmap;
1161
1292
 		}
1293
+		if (pte_uffd_wp(pteval)) {
1294
+			/*
1295
+			 * Don't collapse the page if any of the small
1296
+			 * PTEs are armed with uffd write protection.
1297
+			 * Here we can also mark the new huge pmd as
1298
+			 * write protected if any of the small ones is
1299
+			 * marked but that could bring uknown
1300
+			 * userfault messages that falls outside of
1301
+			 * the registered range.  So, just be simple.
1302
+			 */
1303
+			result = SCAN_PTE_UFFD_WP;
1304
+			goto out_unmap;
1305
+		}
1162
1306
 		if (pte_write(pteval))
1163
1307
 			writable = true;
1164
1308
 
..
..
@@ -1168,11 +1312,13 @@
1168
1312
 			goto out_unmap;
1169
1313
 		}
1170
1314
 
1171
-		/* TODO: teach khugepaged to collapse THP mapped with pte */
1172
-		if (PageCompound(page)) {
1173
-			result = SCAN_PAGE_COMPOUND;
1315
+		if (page_mapcount(page) > 1 &&
1316
+				++shared > khugepaged_max_ptes_shared) {
1317
+			result = SCAN_EXCEED_SHARED_PTE;
1174
1318
 			goto out_unmap;
1175
1319
 		}
1320
+
1321
+		page = compound_head(page);
1176
1322
 
1177
1323
 		/*
1178
1324
 		 * Record which node the original page is from and save this
..
..
@@ -1200,11 +1346,23 @@
1200
1346
 		}
1201
1347
 
1202
1348
 		/*
1203
-		 * cannot use mapcount: can't collapse if there's a gup pin.
1204
-		 * The page must only be referenced by the scanned process
1205
-		 * and page swap cache.
1349
+		 * Check if the page has any GUP (or other external) pins.
1350
+		 *
1351
+		 * Here the check is racy it may see totmal_mapcount > refcount
1352
+		 * in some cases.
1353
+		 * For example, one process with one forked child process.
1354
+		 * The parent has the PMD split due to MADV_DONTNEED, then
1355
+		 * the child is trying unmap the whole PMD, but khugepaged
1356
+		 * may be scanning the parent between the child has
1357
+		 * PageDoubleMap flag cleared and dec the mapcount.  So
1358
+		 * khugepaged may see total_mapcount > refcount.
1359
+		 *
1360
+		 * But such case is ephemeral we could always retry collapse
1361
+		 * later.  However it may report false positive if the page
1362
+		 * has excessive GUP pins (i.e. 512).  Anyway the same check
1363
+		 * will be done again later the risk seems low.
1206
1364
 		 */
1207
-		if (page_count(page) != 1 + PageSwapCache(page)) {
1365
+		if (!is_refcount_suitable(page)) {
1208
1366
 			result = SCAN_PAGE_COUNT;
1209
1367
 			goto out_unmap;
1210
1368
 		}
..
..
@@ -1213,22 +1371,21 @@
1213
1371
 		    mmu_notifier_test_young(vma->vm_mm, address))
1214
1372
 			referenced++;
1215
1373
 	}
1216
-	if (writable) {
1217
-		if (referenced) {
1218
-			result = SCAN_SUCCEED;
1219
-			ret = 1;
1220
-		} else {
1221
-			result = SCAN_LACK_REFERENCED_PAGE;
1222
-		}
1223
-	} else {
1374
+	if (!writable) {
1224
1375
 		result = SCAN_PAGE_RO;
1376
+	} else if (!referenced || (unmapped && referenced < HPAGE_PMD_NR/2)) {
1377
+		result = SCAN_LACK_REFERENCED_PAGE;
1378
+	} else {
1379
+		result = SCAN_SUCCEED;
1380
+		ret = 1;
1225
1381
 	}
1226
1382
 out_unmap:
1227
1383
 	pte_unmap_unlock(pte, ptl);
1228
1384
 	if (ret) {
1229
1385
 		node = khugepaged_find_target_node();
1230
-		/* collapse_huge_page will return with the mmap_sem released */
1231
-		collapse_huge_page(mm, address, hpage, node, referenced);
1386
+		/* collapse_huge_page will return with the mmap_lock released */
1387
+		collapse_huge_page(mm, address, hpage, node,
1388
+				referenced, unmapped);
1232
1389
 	}
1233
1390
 out:
1234
1391
 	trace_mm_khugepaged_scan_pmd(mm, page, writable, referenced,
..
..
@@ -1240,7 +1397,7 @@
1240
1397
 {
1241
1398
 	struct mm_struct *mm = mm_slot->mm;
1242
1399
 
1243
-	VM_BUG_ON(NR_CPUS != 1 && !spin_is_locked(&khugepaged_mm_lock));
1400
+	lockdep_assert_held(&khugepaged_mm_lock);
1244
1401
 
1245
1402
 	if (khugepaged_test_exit(mm)) {
1246
1403
 		/* free mm_slot */
..
..
@@ -1259,7 +1416,184 @@
1259
1416
 	}
1260
1417
 }
1261
1418
 
1262
-#if defined(CONFIG_SHMEM) && defined(CONFIG_TRANSPARENT_HUGE_PAGECACHE)
1419
+#ifdef CONFIG_SHMEM
1420
+/*
1421
+ * Notify khugepaged that given addr of the mm is pte-mapped THP. Then
1422
+ * khugepaged should try to collapse the page table.
1423
+ */
1424
+static int khugepaged_add_pte_mapped_thp(struct mm_struct *mm,
1425
+					 unsigned long addr)
1426
+{
1427
+	struct mm_slot *mm_slot;
1428
+
1429
+	VM_BUG_ON(addr & ~HPAGE_PMD_MASK);
1430
+
1431
+	spin_lock(&khugepaged_mm_lock);
1432
+	mm_slot = get_mm_slot(mm);
1433
+	if (likely(mm_slot && mm_slot->nr_pte_mapped_thp < MAX_PTE_MAPPED_THP))
1434
+		mm_slot->pte_mapped_thp[mm_slot->nr_pte_mapped_thp++] = addr;
1435
+	spin_unlock(&khugepaged_mm_lock);
1436
+	return 0;
1437
+}
1438
+
1439
+/**
1440
+ * Try to collapse a pte-mapped THP for mm at address haddr.
1441
+ *
1442
+ * This function checks whether all the PTEs in the PMD are pointing to the
1443
+ * right THP. If so, retract the page table so the THP can refault in with
1444
+ * as pmd-mapped.
1445
+ */
1446
+void collapse_pte_mapped_thp(struct mm_struct *mm, unsigned long addr)
1447
+{
1448
+	unsigned long haddr = addr & HPAGE_PMD_MASK;
1449
+	struct vm_area_struct *vma = find_vma(mm, haddr);
1450
+	struct page *hpage;
1451
+	pte_t *start_pte, *pte;
1452
+	pmd_t *pmd, _pmd;
1453
+	spinlock_t *ptl;
1454
+	int count = 0;
1455
+	int i;
1456
+	struct mmu_notifier_range range;
1457
+
1458
+	if (!vma || !vma->vm_file ||
1459
+	    vma->vm_start > haddr || vma->vm_end < haddr + HPAGE_PMD_SIZE)
1460
+		return;
1461
+
1462
+	/*
1463
+	 * This vm_flags may not have VM_HUGEPAGE if the page was not
1464
+	 * collapsed by this mm. But we can still collapse if the page is
1465
+	 * the valid THP. Add extra VM_HUGEPAGE so hugepage_vma_check()
1466
+	 * will not fail the vma for missing VM_HUGEPAGE
1467
+	 */
1468
+	if (!hugepage_vma_check(vma, vma->vm_flags | VM_HUGEPAGE))
1469
+		return;
1470
+
1471
+	hpage = find_lock_page(vma->vm_file->f_mapping,
1472
+			       linear_page_index(vma, haddr));
1473
+	if (!hpage)
1474
+		return;
1475
+
1476
+	if (!PageHead(hpage))
1477
+		goto drop_hpage;
1478
+
1479
+	pmd = mm_find_pmd(mm, haddr);
1480
+	if (!pmd)
1481
+		goto drop_hpage;
1482
+
1483
+	vm_write_begin(vma);
1484
+
1485
+	/*
1486
+	 * We need to lock the mapping so that from here on, only GUP-fast and
1487
+	 * hardware page walks can access the parts of the page tables that
1488
+	 * we're operating on.
1489
+	 */
1490
+	i_mmap_lock_write(vma->vm_file->f_mapping);
1491
+
1492
+	/*
1493
+	 * This spinlock should be unnecessary: Nobody else should be accessing
1494
+	 * the page tables under spinlock protection here, only
1495
+	 * lockless_pages_from_mm() and the hardware page walker can access page
1496
+	 * tables while all the high-level locks are held in write mode.
1497
+	 */
1498
+	start_pte = pte_offset_map_lock(mm, pmd, haddr, &ptl);
1499
+
1500
+	/* step 1: check all mapped PTEs are to the right huge page */
1501
+	for (i = 0, addr = haddr, pte = start_pte;
1502
+	     i < HPAGE_PMD_NR; i++, addr += PAGE_SIZE, pte++) {
1503
+		struct page *page;
1504
+
1505
+		/* empty pte, skip */
1506
+		if (pte_none(*pte))
1507
+			continue;
1508
+
1509
+		/* page swapped out, abort */
1510
+		if (!pte_present(*pte))
1511
+			goto abort;
1512
+
1513
+		page = vm_normal_page(vma, addr, *pte);
1514
+
1515
+		/*
1516
+		 * Note that uprobe, debugger, or MAP_PRIVATE may change the
1517
+		 * page table, but the new page will not be a subpage of hpage.
1518
+		 */
1519
+		if (hpage + i != page)
1520
+			goto abort;
1521
+		count++;
1522
+	}
1523
+
1524
+	/* step 2: adjust rmap */
1525
+	for (i = 0, addr = haddr, pte = start_pte;
1526
+	     i < HPAGE_PMD_NR; i++, addr += PAGE_SIZE, pte++) {
1527
+		struct page *page;
1528
+
1529
+		if (pte_none(*pte))
1530
+			continue;
1531
+		page = vm_normal_page(vma, addr, *pte);
1532
+		page_remove_rmap(page, false);
1533
+	}
1534
+
1535
+	pte_unmap_unlock(start_pte, ptl);
1536
+
1537
+	/* step 3: set proper refcount and mm_counters. */
1538
+	if (count) {
1539
+		page_ref_sub(hpage, count);
1540
+		add_mm_counter(vma->vm_mm, mm_counter_file(hpage), -count);
1541
+	}
1542
+
1543
+	/* step 4: collapse pmd */
1544
+	/* we make no change to anon, but protect concurrent anon page lookup */
1545
+	if (vma->anon_vma)
1546
+		anon_vma_lock_write(vma->anon_vma);
1547
+
1548
+	mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, haddr,
1549
+				haddr + HPAGE_PMD_SIZE);
1550
+	mmu_notifier_invalidate_range_start(&range);
1551
+	_pmd = pmdp_collapse_flush(vma, haddr, pmd);
1552
+	vm_write_end(vma);
1553
+	mm_dec_nr_ptes(mm);
1554
+	tlb_remove_table_sync_one();
1555
+	mmu_notifier_invalidate_range_end(&range);
1556
+	pte_free(mm, pmd_pgtable(_pmd));
1557
+
1558
+	if (vma->anon_vma)
1559
+		anon_vma_unlock_write(vma->anon_vma);
1560
+	i_mmap_unlock_write(vma->vm_file->f_mapping);
1561
+
1562
+drop_hpage:
1563
+	unlock_page(hpage);
1564
+	put_page(hpage);
1565
+	return;
1566
+
1567
+abort:
1568
+	pte_unmap_unlock(start_pte, ptl);
1569
+	vm_write_end(vma);
1570
+	i_mmap_unlock_write(vma->vm_file->f_mapping);
1571
+	goto drop_hpage;
1572
+}
1573
+
1574
+static int khugepaged_collapse_pte_mapped_thps(struct mm_slot *mm_slot)
1575
+{
1576
+	struct mm_struct *mm = mm_slot->mm;
1577
+	int i;
1578
+
1579
+	if (likely(mm_slot->nr_pte_mapped_thp == 0))
1580
+		return 0;
1581
+
1582
+	if (!mmap_write_trylock(mm))
1583
+		return -EBUSY;
1584
+
1585
+	if (unlikely(khugepaged_test_exit(mm)))
1586
+		goto out;
1587
+
1588
+	for (i = 0; i < mm_slot->nr_pte_mapped_thp; i++)
1589
+		collapse_pte_mapped_thp(mm, mm_slot->pte_mapped_thp[i]);
1590
+
1591
+out:
1592
+	mm_slot->nr_pte_mapped_thp = 0;
1593
+	mmap_write_unlock(mm);
1594
+	return 0;
1595
+}
1596
+
1263
1597
 static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff)
1264
1598
 {
1265
1599
 	struct vm_area_struct *vma;
..
..
@@ -1269,7 +1603,23 @@
1269
1603
 
1270
1604
 	i_mmap_lock_write(mapping);
1271
1605
 	vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff) {
1272
-		/* probably overkill */
1606
+		/*
1607
+		 * Check vma->anon_vma to exclude MAP_PRIVATE mappings that
1608
+		 * got written to. These VMAs are likely not worth investing
1609
+		 * mmap_write_lock(mm) as PMD-mapping is likely to be split
1610
+		 * later.
1611
+		 *
1612
+		 * Not that vma->anon_vma check is racy: it can be set up after
1613
+		 * the check but before we took mmap_lock by the fault path.
1614
+		 * But page lock would prevent establishing any new ptes of the
1615
+		 * page, so we are safe.
1616
+		 *
1617
+		 * An alternative would be drop the check, but check that page
1618
+		 * table is clear before calling pmdp_collapse_flush() under
1619
+		 * ptl. It has higher chance to recover THP for the VMA, but
1620
+		 * has higher cost too. It would also probably require locking
1621
+		 * the anon_vma.
1622
+		 */
1273
1623
 		if (vma->anon_vma)
1274
1624
 			continue;
1275
1625
 		addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
..
..
@@ -1282,57 +1632,71 @@
1282
1632
 		if (!pmd)
1283
1633
 			continue;
1284
1634
 		/*
1285
-		 * We need exclusive mmap_sem to retract page table.
1286
-		 * If trylock fails we would end up with pte-mapped THP after
1287
-		 * re-fault. Not ideal, but it's more important to not disturb
1288
-		 * the system too much.
1635
+		 * We need exclusive mmap_lock to retract page table.
1636
+		 *
1637
+		 * We use trylock due to lock inversion: we need to acquire
1638
+		 * mmap_lock while holding page lock. Fault path does it in
1639
+		 * reverse order. Trylock is a way to avoid deadlock.
1289
1640
 		 */
1290
-		if (down_write_trylock(&mm->mmap_sem)) {
1641
+		if (mmap_write_trylock(mm)) {
1291
1642
 			if (!khugepaged_test_exit(mm)) {
1292
-				spinlock_t *ptl = pmd_lock(mm, pmd);
1643
+				struct mmu_notifier_range range;
1644
+
1645
+				vm_write_begin(vma);
1646
+				mmu_notifier_range_init(&range,
1647
+							MMU_NOTIFY_CLEAR, 0,
1648
+							NULL, mm, addr,
1649
+							addr + HPAGE_PMD_SIZE);
1650
+				mmu_notifier_invalidate_range_start(&range);
1293
1651
 				/* assume page table is clear */
1294
1652
 				_pmd = pmdp_collapse_flush(vma, addr, pmd);
1295
-				spin_unlock(ptl);
1653
+				vm_write_end(vma);
1296
1654
 				mm_dec_nr_ptes(mm);
1655
+				tlb_remove_table_sync_one();
1297
1656
 				pte_free(mm, pmd_pgtable(_pmd));
1657
+				mmu_notifier_invalidate_range_end(&range);
1298
1658
 			}
1299
-			up_write(&mm->mmap_sem);
1659
+			mmap_write_unlock(mm);
1660
+		} else {
1661
+			/* Try again later */
1662
+			khugepaged_add_pte_mapped_thp(mm, addr);
1300
1663
 		}
1301
1664
 	}
1302
1665
 	i_mmap_unlock_write(mapping);
1303
1666
 }
1304
1667
 
1305
1668
 /**
1306
- * collapse_shmem - collapse small tmpfs/shmem pages into huge one.
1669
+ * collapse_file - collapse filemap/tmpfs/shmem pages into huge one.
1307
1670
  *
1308
1671
  * Basic scheme is simple, details are more complex:
1309
1672
  *  - allocate and lock a new huge page;
1310
- *  - scan over radix tree replacing old pages the new one
1311
- *    + swap in pages if necessary;
1673
+ *  - scan page cache replacing old pages with the new one
1674
+ *    + swap/gup in pages if necessary;
1312
1675
  *    + fill in gaps;
1313
- *    + keep old pages around in case if rollback is required;
1314
- *  - if replacing succeed:
1676
+ *    + keep old pages around in case rollback is required;
1677
+ *  - if replacing succeeds:
1315
1678
  *    + copy data over;
1316
1679
  *    + free old pages;
1317
1680
  *    + unlock huge page;
1318
1681
  *  - if replacing failed;
1319
1682
  *    + put all pages back and unfreeze them;
1320
- *    + restore gaps in the radix-tree;
1683
+ *    + restore gaps in the page cache;
1321
1684
  *    + unlock and free huge page;
1322
1685
  */
1323
-static void collapse_shmem(struct mm_struct *mm,
1324
-		struct address_space *mapping, pgoff_t start,
1686
+static void collapse_file(struct mm_struct *mm,
1687
+		struct file *file, pgoff_t start,
1325
1688
 		struct page **hpage, int node)
1326
1689
 {
1690
+	struct address_space *mapping = file->f_mapping;
1327
1691
 	gfp_t gfp;
1328
-	struct page *page, *new_page, *tmp;
1329
-	struct mem_cgroup *memcg;
1692
+	struct page *new_page;
1330
1693
 	pgoff_t index, end = start + HPAGE_PMD_NR;
1331
1694
 	LIST_HEAD(pagelist);
1332
-	struct radix_tree_iter iter;
1333
-	void **slot;
1695
+	XA_STATE_ORDER(xas, &mapping->i_pages, start, HPAGE_PMD_ORDER);
1334
1696
 	int nr_none = 0, result = SCAN_SUCCEED;
1697
+	bool is_shmem = shmem_file(file);
1335
1698
 
1699
+	VM_BUG_ON(!IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && !is_shmem);
1336
1700
 	VM_BUG_ON(start & (HPAGE_PMD_NR - 1));
1337
1701
 
1338
1702
 	/* Only allocate from the target node */
..
..
@@ -1344,13 +1708,28 @@
1344
1708
 		goto out;
1345
1709
 	}
1346
1710
 
1347
-	if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
1711
+	if (unlikely(mem_cgroup_charge(new_page, mm, gfp))) {
1348
1712
 		result = SCAN_CGROUP_CHARGE_FAIL;
1349
1713
 		goto out;
1350
1714
 	}
1715
+	count_memcg_page_event(new_page, THP_COLLAPSE_ALLOC);
1716
+
1717
+	/* This will be less messy when we use multi-index entries */
1718
+	do {
1719
+		xas_lock_irq(&xas);
1720
+		xas_create_range(&xas);
1721
+		if (!xas_error(&xas))
1722
+			break;
1723
+		xas_unlock_irq(&xas);
1724
+		if (!xas_nomem(&xas, GFP_KERNEL)) {
1725
+			result = SCAN_FAIL;
1726
+			goto out;
1727
+		}
1728
+	} while (1);
1351
1729
 
1352
1730
 	__SetPageLocked(new_page);
1353
-	__SetPageSwapBacked(new_page);
1731
+	if (is_shmem)
1732
+		__SetPageSwapBacked(new_page);
1354
1733
 	new_page->index = start;
1355
1734
 	new_page->mapping = mapping;
1356
1735
 
..
..
@@ -1360,55 +1739,91 @@
1360
1739
 	 * be able to map it or use it in another way until we unlock it.
1361
1740
 	 */
1362
1741
 
1363
-	index = start;
1364
-	xa_lock_irq(&mapping->i_pages);
1365
-	radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
1366
-		int n = min(iter.index, end) - index;
1742
+	xas_set(&xas, start);
1743
+	for (index = start; index < end; index++) {
1744
+		struct page *page = xas_next(&xas);
1367
1745
 
1368
-		/*
1369
-		 * Stop if extent has been hole-punched, and is now completely
1370
-		 * empty (the more obvious i_size_read() check would take an
1371
-		 * irq-unsafe seqlock on 32-bit).
1372
-		 */
1373
-		if (n >= HPAGE_PMD_NR) {
1374
-			result = SCAN_TRUNCATED;
1375
-			goto tree_locked;
1376
-		}
1377
-
1378
-		/*
1379
-		 * Handle holes in the radix tree: charge it from shmem and
1380
-		 * insert relevant subpage of new_page into the radix-tree.
1381
-		 */
1382
-		if (n && !shmem_charge(mapping->host, n)) {
1383
-			result = SCAN_FAIL;
1384
-			goto tree_locked;
1385
-		}
1386
-		for (; index < min(iter.index, end); index++) {
1387
-			radix_tree_insert(&mapping->i_pages, index,
1388
-					new_page + (index % HPAGE_PMD_NR));
1389
-		}
1390
-		nr_none += n;
1391
-
1392
-		/* We are done. */
1393
-		if (index >= end)
1394
-			break;
1395
-
1396
-		page = radix_tree_deref_slot_protected(slot,
1397
-				&mapping->i_pages.xa_lock);
1398
-		if (radix_tree_exceptional_entry(page) || !PageUptodate(page)) {
1399
-			xa_unlock_irq(&mapping->i_pages);
1400
-			/* swap in or instantiate fallocated page */
1401
-			if (shmem_getpage(mapping->host, index, &page,
1402
-						SGP_NOHUGE)) {
1403
-				result = SCAN_FAIL;
1404
-				goto tree_unlocked;
1746
+		VM_BUG_ON(index != xas.xa_index);
1747
+		if (is_shmem) {
1748
+			if (!page) {
1749
+				/*
1750
+				 * Stop if extent has been truncated or
1751
+				 * hole-punched, and is now completely
1752
+				 * empty.
1753
+				 */
1754
+				if (index == start) {
1755
+					if (!xas_next_entry(&xas, end - 1)) {
1756
+						result = SCAN_TRUNCATED;
1757
+						goto xa_locked;
1758
+					}
1759
+					xas_set(&xas, index);
1760
+				}
1761
+				if (!shmem_charge(mapping->host, 1)) {
1762
+					result = SCAN_FAIL;
1763
+					goto xa_locked;
1764
+				}
1765
+				xas_store(&xas, new_page);
1766
+				nr_none++;
1767
+				continue;
1405
1768
 			}
1406
-		} else if (trylock_page(page)) {
1407
-			get_page(page);
1408
-			xa_unlock_irq(&mapping->i_pages);
1409
-		} else {
1410
-			result = SCAN_PAGE_LOCK;
1411
-			goto tree_locked;
1769
+
1770
+			if (xa_is_value(page) || !PageUptodate(page)) {
1771
+				xas_unlock_irq(&xas);
1772
+				/* swap in or instantiate fallocated page */
1773
+				if (shmem_getpage(mapping->host, index, &page,
1774
+						  SGP_NOHUGE)) {
1775
+					result = SCAN_FAIL;
1776
+					goto xa_unlocked;
1777
+				}
1778
+			} else if (trylock_page(page)) {
1779
+				get_page(page);
1780
+				xas_unlock_irq(&xas);
1781
+			} else {
1782
+				result = SCAN_PAGE_LOCK;
1783
+				goto xa_locked;
1784
+			}
1785
+		} else {	/* !is_shmem */
1786
+			if (!page || xa_is_value(page)) {
1787
+				xas_unlock_irq(&xas);
1788
+				page_cache_sync_readahead(mapping, &file->f_ra,
1789
+							  file, index,
1790
+							  end - index);
1791
+				/* drain pagevecs to help isolate_lru_page() */
1792
+				lru_add_drain();
1793
+				page = find_lock_page(mapping, index);
1794
+				if (unlikely(page == NULL)) {
1795
+					result = SCAN_FAIL;
1796
+					goto xa_unlocked;
1797
+				}
1798
+			} else if (PageDirty(page)) {
1799
+				/*
1800
+				 * khugepaged only works on read-only fd,
1801
+				 * so this page is dirty because it hasn't
1802
+				 * been flushed since first write. There
1803
+				 * won't be new dirty pages.
1804
+				 *
1805
+				 * Trigger async flush here and hope the
1806
+				 * writeback is done when khugepaged
1807
+				 * revisits this page.
1808
+				 *
1809
+				 * This is a one-off situation. We are not
1810
+				 * forcing writeback in loop.
1811
+				 */
1812
+				xas_unlock_irq(&xas);
1813
+				filemap_flush(mapping);
1814
+				result = SCAN_FAIL;
1815
+				goto xa_unlocked;
1816
+			} else if (PageWriteback(page)) {
1817
+				xas_unlock_irq(&xas);
1818
+				result = SCAN_FAIL;
1819
+				goto xa_unlocked;
1820
+			} else if (trylock_page(page)) {
1821
+				get_page(page);
1822
+				xas_unlock_irq(&xas);
1823
+			} else {
1824
+				result = SCAN_PAGE_LOCK;
1825
+				goto xa_locked;
1826
+			}
1412
1827
 		}
1413
1828
 
1414
1829
 		/*
..
..
@@ -1416,7 +1831,12 @@
1416
1831
 		 * without racing with truncate.
1417
1832
 		 */
1418
1833
 		VM_BUG_ON_PAGE(!PageLocked(page), page);
1419
-		VM_BUG_ON_PAGE(!PageUptodate(page), page);
1834
+
1835
+		/* make sure the page is up to date */
1836
+		if (unlikely(!PageUptodate(page))) {
1837
+			result = SCAN_FAIL;
1838
+			goto out_unlock;
1839
+		}
1420
1840
 
1421
1841
 		/*
1422
1842
 		 * If file was truncated then extended, or hole-punched, before
..
..
@@ -1432,30 +1852,47 @@
1432
1852
 			goto out_unlock;
1433
1853
 		}
1434
1854
 
1855
+		if (!is_shmem && (PageDirty(page) ||
1856
+				  PageWriteback(page))) {
1857
+			/*
1858
+			 * khugepaged only works on read-only fd, so this
1859
+			 * page is dirty because it hasn't been flushed
1860
+			 * since first write.
1861
+			 */
1862
+			result = SCAN_FAIL;
1863
+			goto out_unlock;
1864
+		}
1865
+
1435
1866
 		if (isolate_lru_page(page)) {
1436
1867
 			result = SCAN_DEL_PAGE_LRU;
1868
+			goto out_unlock;
1869
+		}
1870
+
1871
+		if (page_has_private(page) &&
1872
+		    !try_to_release_page(page, GFP_KERNEL)) {
1873
+			result = SCAN_PAGE_HAS_PRIVATE;
1874
+			putback_lru_page(page);
1437
1875
 			goto out_unlock;
1438
1876
 		}
1439
1877
 
1440
1878
 		if (page_mapped(page))
1441
1879
 			unmap_mapping_pages(mapping, index, 1, false);
1442
1880
 
1443
-		xa_lock_irq(&mapping->i_pages);
1881
+		xas_lock_irq(&xas);
1882
+		xas_set(&xas, index);
1444
1883
 
1445
-		slot = radix_tree_lookup_slot(&mapping->i_pages, index);
1446
-		VM_BUG_ON_PAGE(page != radix_tree_deref_slot_protected(slot,
1447
-					&mapping->i_pages.xa_lock), page);
1884
+		VM_BUG_ON_PAGE(page != xas_load(&xas), page);
1448
1885
 		VM_BUG_ON_PAGE(page_mapped(page), page);
1449
1886
 
1450
1887
 		/*
1451
1888
 		 * The page is expected to have page_count() == 3:
1452
1889
 		 *  - we hold a pin on it;
1453
-		 *  - one reference from radix tree;
1890
+		 *  - one reference from page cache;
1454
1891
 		 *  - one from isolate_lru_page;
1455
1892
 		 */
1456
1893
 		if (!page_ref_freeze(page, 3)) {
1457
1894
 			result = SCAN_PAGE_COUNT;
1458
-			xa_unlock_irq(&mapping->i_pages);
1895
+			xas_unlock_irq(&xas);
1459
1896
 			putback_lru_page(page);
1460
1897
 			goto out_unlock;
1461
1898
 		}
..
..
@@ -1467,58 +1904,50 @@
1467
1904
 		list_add_tail(&page->lru, &pagelist);
1468
1905
 
1469
1906
 		/* Finally, replace with the new page. */
1470
-		radix_tree_replace_slot(&mapping->i_pages, slot,
1471
-				new_page + (index % HPAGE_PMD_NR));
1472
-
1473
-		slot = radix_tree_iter_resume(slot, &iter);
1474
-		index++;
1907
+		xas_store(&xas, new_page);
1475
1908
 		continue;
1476
1909
 out_unlock:
1477
1910
 		unlock_page(page);
1478
1911
 		put_page(page);
1479
-		goto tree_unlocked;
1912
+		goto xa_unlocked;
1480
1913
 	}
1481
1914
 
1482
-	/*
1483
-	 * Handle hole in radix tree at the end of the range.
1484
-	 * This code only triggers if there's nothing in radix tree
1485
-	 * beyond 'end'.
1486
-	 */
1487
-	if (index < end) {
1488
-		int n = end - index;
1489
-
1490
-		/* Stop if extent has been truncated, and is now empty */
1491
-		if (n >= HPAGE_PMD_NR) {
1492
-			result = SCAN_TRUNCATED;
1493
-			goto tree_locked;
1494
-		}
1495
-		if (!shmem_charge(mapping->host, n)) {
1915
+	if (is_shmem)
1916
+		__inc_node_page_state(new_page, NR_SHMEM_THPS);
1917
+	else {
1918
+		__inc_node_page_state(new_page, NR_FILE_THPS);
1919
+		filemap_nr_thps_inc(mapping);
1920
+		/*
1921
+		 * Paired with smp_mb() in do_dentry_open() to ensure
1922
+		 * i_writecount is up to date and the update to nr_thps is
1923
+		 * visible. Ensures the page cache will be truncated if the
1924
+		 * file is opened writable.
1925
+		*/
1926
+		smp_mb();
1927
+		if (inode_is_open_for_write(mapping->host)) {
1496
1928
 			result = SCAN_FAIL;
1497
-			goto tree_locked;
1929
+			__dec_node_page_state(new_page, NR_FILE_THPS);
1930
+			filemap_nr_thps_dec(mapping);
1931
+			goto xa_locked;
1498
1932
 		}
1499
-		for (; index < end; index++) {
1500
-			radix_tree_insert(&mapping->i_pages, index,
1501
-					new_page + (index % HPAGE_PMD_NR));
1502
-		}
1503
-		nr_none += n;
1504
1933
 	}
1505
1934
 
1506
-	__inc_node_page_state(new_page, NR_SHMEM_THPS);
1507
1935
 	if (nr_none) {
1508
-		struct zone *zone = page_zone(new_page);
1509
-
1510
-		__mod_node_page_state(zone->zone_pgdat, NR_FILE_PAGES, nr_none);
1511
-		__mod_node_page_state(zone->zone_pgdat, NR_SHMEM, nr_none);
1936
+		__mod_lruvec_page_state(new_page, NR_FILE_PAGES, nr_none);
1937
+		if (is_shmem)
1938
+			__mod_lruvec_page_state(new_page, NR_SHMEM, nr_none);
1512
1939
 	}
1513
1940
 
1514
-tree_locked:
1515
-	xa_unlock_irq(&mapping->i_pages);
1516
-tree_unlocked:
1941
+xa_locked:
1942
+	xas_unlock_irq(&xas);
1943
+xa_unlocked:
1517
1944
 
1518
1945
 	if (result == SCAN_SUCCEED) {
1946
+		struct page *page, *tmp;
1947
+
1519
1948
 		/*
1520
-		 * Replacing old pages with new one has succeed, now we need to
1521
-		 * copy the content and free old pages.
1949
+		 * Replacing old pages with new one has succeeded, now we
1950
+		 * need to copy the content and free the old pages.
1522
1951
 		 */
1523
1952
 		index = start;
1524
1953
 		list_for_each_entry_safe(page, tmp, &pagelist, lru) {
..
..
@@ -1544,9 +1973,9 @@
1544
1973
 
1545
1974
 		SetPageUptodate(new_page);
1546
1975
 		page_ref_add(new_page, HPAGE_PMD_NR - 1);
1547
-		set_page_dirty(new_page);
1548
-		mem_cgroup_commit_charge(new_page, memcg, false, true);
1549
-		lru_cache_add_anon(new_page);
1976
+		if (is_shmem)
1977
+			set_page_dirty(new_page);
1978
+		lru_cache_add(new_page);
1550
1979
 
1551
1980
 		/*
1552
1981
 		 * Remove pte page tables, so we can re-fault the page as huge.
..
..
@@ -1556,57 +1985,60 @@
1556
1985
 
1557
1986
 		khugepaged_pages_collapsed++;
1558
1987
 	} else {
1559
-		/* Something went wrong: rollback changes to the radix-tree */
1560
-		xa_lock_irq(&mapping->i_pages);
1561
-		mapping->nrpages -= nr_none;
1562
-		shmem_uncharge(mapping->host, nr_none);
1988
+		struct page *page;
1563
1989
 
1564
-		radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
1565
-			if (iter.index >= end)
1566
-				break;
1990
+		/* Something went wrong: roll back page cache changes */
1991
+		xas_lock_irq(&xas);
1992
+		mapping->nrpages -= nr_none;
1993
+
1994
+		if (is_shmem)
1995
+			shmem_uncharge(mapping->host, nr_none);
1996
+
1997
+		xas_set(&xas, start);
1998
+		xas_for_each(&xas, page, end - 1) {
1567
1999
 			page = list_first_entry_or_null(&pagelist,
1568
2000
 					struct page, lru);
1569
-			if (!page || iter.index < page->index) {
2001
+			if (!page || xas.xa_index < page->index) {
1570
2002
 				if (!nr_none)
1571
2003
 					break;
1572
2004
 				nr_none--;
1573
2005
 				/* Put holes back where they were */
1574
-				radix_tree_delete(&mapping->i_pages, iter.index);
2006
+				xas_store(&xas, NULL);
1575
2007
 				continue;
1576
2008
 			}
1577
2009
 
1578
-			VM_BUG_ON_PAGE(page->index != iter.index, page);
2010
+			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
1579
2011
 
1580
2012
 			/* Unfreeze the page. */
1581
2013
 			list_del(&page->lru);
1582
2014
 			page_ref_unfreeze(page, 2);
1583
-			radix_tree_replace_slot(&mapping->i_pages, slot, page);
1584
-			slot = radix_tree_iter_resume(slot, &iter);
1585
-			xa_unlock_irq(&mapping->i_pages);
2015
+			xas_store(&xas, page);
2016
+			xas_pause(&xas);
2017
+			xas_unlock_irq(&xas);
1586
2018
 			unlock_page(page);
1587
2019
 			putback_lru_page(page);
1588
-			xa_lock_irq(&mapping->i_pages);
2020
+			xas_lock_irq(&xas);
1589
2021
 		}
1590
2022
 		VM_BUG_ON(nr_none);
1591
-		xa_unlock_irq(&mapping->i_pages);
2023
+		xas_unlock_irq(&xas);
1592
2024
 
1593
-		mem_cgroup_cancel_charge(new_page, memcg, true);
1594
2025
 		new_page->mapping = NULL;
1595
2026
 	}
1596
2027
 
1597
2028
 	unlock_page(new_page);
1598
2029
 out:
1599
2030
 	VM_BUG_ON(!list_empty(&pagelist));
2031
+	if (!IS_ERR_OR_NULL(*hpage))
2032
+		mem_cgroup_uncharge(*hpage);
1600
2033
 	/* TODO: tracepoints */
1601
2034
 }
1602
2035
 
1603
-static void khugepaged_scan_shmem(struct mm_struct *mm,
1604
-		struct address_space *mapping,
1605
-		pgoff_t start, struct page **hpage)
2036
+static void khugepaged_scan_file(struct mm_struct *mm,
2037
+		struct file *file, pgoff_t start, struct page **hpage)
1606
2038
 {
1607
2039
 	struct page *page = NULL;
1608
-	struct radix_tree_iter iter;
1609
-	void **slot;
2040
+	struct address_space *mapping = file->f_mapping;
2041
+	XA_STATE(xas, &mapping->i_pages, start);
1610
2042
 	int present, swap;
1611
2043
 	int node = NUMA_NO_NODE;
1612
2044
 	int result = SCAN_SUCCEED;
..
..
@@ -1615,17 +2047,11 @@
1615
2047
 	swap = 0;
1616
2048
 	memset(khugepaged_node_load, 0, sizeof(khugepaged_node_load));
1617
2049
 	rcu_read_lock();
1618
-	radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
1619
-		if (iter.index >= start + HPAGE_PMD_NR)
1620
-			break;
1621
-
1622
-		page = radix_tree_deref_slot(slot);
1623
-		if (radix_tree_deref_retry(page)) {
1624
-			slot = radix_tree_iter_retry(&iter);
2050
+	xas_for_each(&xas, page, start + HPAGE_PMD_NR - 1) {
2051
+		if (xas_retry(&xas, page))
1625
2052
 			continue;
1626
-		}
1627
2053
 
1628
-		if (radix_tree_exception(page)) {
2054
+		if (xa_is_value(page)) {
1629
2055
 			if (++swap > khugepaged_max_ptes_swap) {
1630
2056
 				result = SCAN_EXCEED_SWAP_PTE;
1631
2057
 				break;
..
..
@@ -1650,7 +2076,8 @@
1650
2076
 			break;
1651
2077
 		}
1652
2078
 
1653
-		if (page_count(page) != 1 + page_mapcount(page)) {
2079
+		if (page_count(page) !=
2080
+		    1 + page_mapcount(page) + page_has_private(page)) {
1654
2081
 			result = SCAN_PAGE_COUNT;
1655
2082
 			break;
1656
2083
 		}
..
..
@@ -1664,7 +2091,7 @@
1664
2091
 		present++;
1665
2092
 
1666
2093
 		if (need_resched()) {
1667
-			slot = radix_tree_iter_resume(slot, &iter);
2094
+			xas_pause(&xas);
1668
2095
 			cond_resched_rcu();
1669
2096
 		}
1670
2097
 	}
..
..
@@ -1675,18 +2102,22 @@
1675
2102
 			result = SCAN_EXCEED_NONE_PTE;
1676
2103
 		} else {
1677
2104
 			node = khugepaged_find_target_node();
1678
-			collapse_shmem(mm, mapping, start, hpage, node);
2105
+			collapse_file(mm, file, start, hpage, node);
1679
2106
 		}
1680
2107
 	}
1681
2108
 
1682
2109
 	/* TODO: tracepoints */
1683
2110
 }
1684
2111
 #else
1685
-static void khugepaged_scan_shmem(struct mm_struct *mm,
1686
-		struct address_space *mapping,
1687
-		pgoff_t start, struct page **hpage)
2112
+static void khugepaged_scan_file(struct mm_struct *mm,
2113
+		struct file *file, pgoff_t start, struct page **hpage)
1688
2114
 {
1689
2115
 	BUILD_BUG();
2116
+}
2117
+
2118
+static int khugepaged_collapse_pte_mapped_thps(struct mm_slot *mm_slot)
2119
+{
2120
+	return 0;
1690
2121
 }
1691
2122
 #endif
1692
2123
 
..
..
@@ -1701,7 +2132,7 @@
1701
2132
 	int progress = 0;
1702
2133
 
1703
2134
 	VM_BUG_ON(!pages);
1704
-	VM_BUG_ON(NR_CPUS != 1 && !spin_is_locked(&khugepaged_mm_lock));
2135
+	lockdep_assert_held(&khugepaged_mm_lock);
1705
2136
 
1706
2137
 	if (khugepaged_scan.mm_slot)
1707
2138
 		mm_slot = khugepaged_scan.mm_slot;
..
..
@@ -1712,6 +2143,7 @@
1712
2143
 		khugepaged_scan.mm_slot = mm_slot;
1713
2144
 	}
1714
2145
 	spin_unlock(&khugepaged_mm_lock);
2146
+	khugepaged_collapse_pte_mapped_thps(mm_slot);
1715
2147
 
1716
2148
 	mm = mm_slot->mm;
1717
2149
 	/*
..
..
@@ -1719,8 +2151,8 @@
1719
2151
 	 * the next mm on the list.
1720
2152
 	 */
1721
2153
 	vma = NULL;
1722
-	if (unlikely(!down_read_trylock(&mm->mmap_sem)))
1723
-		goto breakouterloop_mmap_sem;
2154
+	if (unlikely(!mmap_read_trylock(mm)))
2155
+		goto breakouterloop_mmap_lock;
1724
2156
 	if (likely(!khugepaged_test_exit(mm)))
1725
2157
 		vma = find_vma(mm, khugepaged_scan.address);
1726
2158
 
..
..
@@ -1747,6 +2179,8 @@
1747
2179
 		if (khugepaged_scan.address < hstart)
1748
2180
 			khugepaged_scan.address = hstart;
1749
2181
 		VM_BUG_ON(khugepaged_scan.address & ~HPAGE_PMD_MASK);
2182
+		if (shmem_file(vma->vm_file) && !shmem_huge_enabled(vma))
2183
+			goto skip;
1750
2184
 
1751
2185
 		while (khugepaged_scan.address < hend) {
1752
2186
 			int ret;
..
..
@@ -1757,17 +2191,14 @@
1757
2191
 			VM_BUG_ON(khugepaged_scan.address < hstart ||
1758
2192
 				  khugepaged_scan.address + HPAGE_PMD_SIZE >
1759
2193
 				  hend);
1760
-			if (shmem_file(vma->vm_file)) {
1761
-				struct file *file;
2194
+			if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) {
2195
+				struct file *file = get_file(vma->vm_file);
1762
2196
 				pgoff_t pgoff = linear_page_index(vma,
1763
2197
 						khugepaged_scan.address);
1764
-				if (!shmem_huge_enabled(vma))
1765
-					goto skip;
1766
-				file = get_file(vma->vm_file);
1767
-				up_read(&mm->mmap_sem);
2198
+
2199
+				mmap_read_unlock(mm);
1768
2200
 				ret = 1;
1769
-				khugepaged_scan_shmem(mm, file->f_mapping,
1770
-						pgoff, hpage);
2201
+				khugepaged_scan_file(mm, file, pgoff, hpage);
1771
2202
 				fput(file);
1772
2203
 			} else {
1773
2204
 				ret = khugepaged_scan_pmd(mm, vma,
..
..
@@ -1778,15 +2209,15 @@
1778
2209
 			khugepaged_scan.address += HPAGE_PMD_SIZE;
1779
2210
 			progress += HPAGE_PMD_NR;
1780
2211
 			if (ret)
1781
-				/* we released mmap_sem so break loop */
1782
-				goto breakouterloop_mmap_sem;
2212
+				/* we released mmap_lock so break loop */
2213
+				goto breakouterloop_mmap_lock;
1783
2214
 			if (progress >= pages)
1784
2215
 				goto breakouterloop;
1785
2216
 		}
1786
2217
 	}
1787
2218
 breakouterloop:
1788
-	up_read(&mm->mmap_sem); /* exit_mmap will destroy ptes after this */
1789
-breakouterloop_mmap_sem:
2219
+	mmap_read_unlock(mm); /* exit_mmap will destroy ptes after this */
2220
+breakouterloop_mmap_lock:
1790
2221
 
1791
2222
 	spin_lock(&khugepaged_mm_lock);
1792
2223
 	VM_BUG_ON(khugepaged_scan.mm_slot != mm_slot);
..
..
@@ -1837,6 +2268,8 @@
1837
2268
 
1838
2269
 	barrier(); /* write khugepaged_pages_to_scan to local stack */
1839
2270
 
2271
+	lru_add_drain_all();
2272
+
1840
2273
 	while (progress < pages) {
1841
2274
 		if (!khugepaged_prealloc_page(&hpage, &wait))
1842
2275
 			break;