ANDROID: userfaultfd: add MOVE ioctl mode to confirm bug-fixes

Following issues were reported in the MOVE ioctl:

1. Panic when trying to move a source page which is in swap-cache [1]
2. Livelock when multiple threads try to move the same source page [2]

Three patches have been upstreamed to fix these issues [3, 4, 5]

MOVE ioctl was backported to ACK 6.1 and 6.6 for ART GC to use it [6]. Therefore, on these kernels in order to be able to identify in the userspace if the fixes are included, this mode is added.

NOTE: UFFDIO_MOVE_MODE_CONFIRM_FIXED mode is only for 6.1 and 6.6 kernels, and will go away afterwards.

[1] https://lore.kernel.org/linux-mm/20250219112519.92853-1-21cnbao@gmail.com/
[2] https://github.com/lokeshgidra/uffd_move_ioctl_deadlock
[3] https://web.git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-hotfixes-stable&id=c50f8e6053b0503375c2975bf47f182445aebb4c
[4] https://web.git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-hotfixes-stable&id=37b338eed10581784e854d4262da05c8d960c748
[5] https://web.git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-hotfixes-stable&id=927e926d72d9155fde3264459fe9bfd7b5e40d28
[6] b/274911254

Bug: 401790618
Bug: 405066974
Change-Id: Ibd854ec7ac9ae6a2ca416767d032b6c71f1bc688
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
(cherry picked from commit 9bcabbda673adcfd8fbbfc2cdd2f738830ae385d)
Signed-off-by: Yinchu Chen <chenyc5@motorola.com>
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index ae4b211..f36e6e0 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c
@@ -1942,7 +1942,8 @@ static int userfaultfd_move(struct userfaultfd_ctx *ctx, return ret; if (uffdio_move.mode & ~(UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES| - UFFDIO_MOVE_MODE_DONTWAKE)) + UFFDIO_MOVE_MODE_DONTWAKE| + UFFDIO_MOVE_MODE_CONFIRM_FIXED)) return -EINVAL; if (mmget_not_zero(mm)) {
diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h index 2be5c88..ffdbefb 100644 --- a/include/uapi/linux/userfaultfd.h +++ b/include/uapi/linux/userfaultfd.h
@@ -325,6 +325,13 @@ struct uffdio_move { */ #define UFFDIO_MOVE_MODE_DONTWAKE ((__u64)1<<0) #define UFFDIO_MOVE_MODE_ALLOW_SRC_HOLES ((__u64)1<<1) + /* + * To confirm if the ioctl has fixes to avoid panic when src folio is + * in swap-cache. Also, to avoid livelock when multiple threads try + * to move same src folio. It's a KMI workaround and cannot be relied + * upon by userspace. + */ +#define UFFDIO_MOVE_MODE_CONFIRM_FIXED ((__u64)1<<63) __u64 mode; /* * "move" is written by the ioctl and must be at the end: the
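Review bot: in fs/userfaultfd.c, the mask check in userfaultfd_move() now lets UFFDIO_MOVE_MODE_CONFIRM_FIXED through, but nothing in this hunk consumes or clears the bit, so uffdio_move.mode still carries bit 63 into whatever follows the check. If the flag is meant purely as a probe (a kernel without this change rejects it with -EINVAL at this same check), say so in a short comment above the mask, and consider clearing the bit right after validation so later code that inspects mode never sees a flag it has no defined behaviour for.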
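Review bot: in include/uapi/linux/userfaultfd.h, the last sentence of the new comment, "It's a KMI workaround and cannot be relied upon by userspace", contradicts the commit message, which says the mode is added so userspace can identify whether the fixes are included. Reword the comment to state the actual contract: the flag is valid only on the 6.1 and 6.6 kernels, will go away afterwards, and -EINVAL for this bit means the fixes are absent. A brief note on why bit 63 was chosen rather than the next bit after 1<<1 would also help anyone who later adds a mode flag.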