/*
   *  linux/mm/memory.c
   *
   *  Copyright (C) 1991, 1992, 1993, 1994  Linus Torvalds
   */
  
  /*
   * demand-loading started 01.12.91 - seems it is high on the list of
   * things wanted, and it should be easy to implement. - Linus
   */
  
  /*
   * Ok, demand-loading was easy, shared pages a little bit tricker. Shared
   * pages started 02.12.91, seems to work. - Linus.
   *
   * Tested sharing by executing about 30 /bin/sh: under the old kernel it
   * would have taken more than the 6M I have free, but it worked well as
   * far as I could see.
   *
   * Also corrected some "invalidate()"s - I wasn't doing enough of them.
   */
  
  /*
   * Real VM (paging to/from disk) started 18.12.91. Much more work and
   * thought has to go into this. Oh, well..
   * 19.12.91  -  works, somewhat. Sometimes I get faults, don't know why.
   *		Found it. Everything seems to work now.
   * 20.12.91  -  Ok, making the swap-device changeable like the root.
   */
  
  /*
   * 05.04.94  -  Multi-page memory management added for v1.1.
   * 		Idea by Alex Bligh (alex@cconcepts.co.uk)
   *
   * 16.07.99  -  Support of BIGMEM added by Gerhard Wichert, Siemens AG
   *		(Gerhard.Wichert@pdb.siemens.de)
   *
   * Aug/Sep 2004 Changed to four level page tables (Andi Kleen)
   */
  
  #include <linux/kernel_stat.h>
  #include <linux/mm.h>
  #include <linux/hugetlb.h>
  #include <linux/mman.h>
  #include <linux/swap.h>
  #include <linux/highmem.h>
  #include <linux/pagemap.h>

  #include <linux/ksm.h>

  #include <linux/rmap.h>

  #include <linux/export.h>

  #include <linux/delayacct.h>

  #include <linux/init.h>

  #include <linux/pfn_t.h>

  #include <linux/writeback.h>

  #include <linux/memcontrol.h>

  #include <linux/mmu_notifier.h>

  #include <linux/kallsyms.h>
  #include <linux/swapops.h>
  #include <linux/elf.h>

  #include <linux/gfp.h>

  #include <linux/migrate.h>

  #include <linux/string.h>

  #include <linux/dma-debug.h>

  #include <linux/debugfs.h>

  #include <linux/userfaultfd_k.h>

  #include <asm/io.h>

  #include <asm/mmu_context.h>

  #include <asm/pgalloc.h>
  #include <asm/uaccess.h>
  #include <asm/tlb.h>
  #include <asm/tlbflush.h>
  #include <asm/pgtable.h>

  #include "internal.h"

  #ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS
  #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid.

  #endif

  #ifndef CONFIG_NEED_MULTIPLE_NODES

  /* use the per-pgdat data instead for discontigmem - mbligh */
  unsigned long max_mapnr;
  struct page *mem_map;
  
  EXPORT_SYMBOL(max_mapnr);
  EXPORT_SYMBOL(mem_map);
  #endif

  /*
   * A number of key systems in x86 including ioremap() rely on the assumption
   * that high_memory defines the upper bound on direct map memory, then end
   * of ZONE_NORMAL.  Under CONFIG_DISCONTIG this means that max_low_pfn and
   * highstart_pfn must be the same; there must be no gap between ZONE_NORMAL
   * and ZONE_HIGHMEM.
   */
  void * high_memory;

  EXPORT_SYMBOL(high_memory);

  /*
   * Randomize the address space (stacks, mmaps, brk, etc.).
   *
   * ( When CONFIG_COMPAT_BRK=y we exclude brk from randomization,
   *   as ancient (libc5 based) binaries can segfault. )
   */
  int randomize_va_space __read_mostly =
  #ifdef CONFIG_COMPAT_BRK
  					1;
  #else
  					2;
  #endif

  
  static int __init disable_randmaps(char *s)
  {
  	randomize_va_space = 0;

  	return 1;

  }
  __setup("norandmaps", disable_randmaps);

  unsigned long zero_pfn __read_mostly;

  unsigned long highest_memmap_pfn __read_mostly;

  EXPORT_SYMBOL(zero_pfn);

  /*
   * CONFIG_MMU architectures set up ZERO_PAGE in their paging_init()
   */
  static int __init init_zero_pfn(void)
  {
  	zero_pfn = page_to_pfn(ZERO_PAGE(0));
  	return 0;
  }
  core_initcall(init_zero_pfn);

  #if defined(SPLIT_RSS_COUNTING)

  void sync_mm_rss(struct mm_struct *mm)

  {
  	int i;
  
  	for (i = 0; i < NR_MM_COUNTERS; i++) {

  		if (current->rss_stat.count[i]) {
  			add_mm_counter(mm, i, current->rss_stat.count[i]);
  			current->rss_stat.count[i] = 0;

  		}
  	}

  	current->rss_stat.events = 0;

  }
  
  static void add_mm_counter_fast(struct mm_struct *mm, int member, int val)
  {
  	struct task_struct *task = current;
  
  	if (likely(task->mm == mm))
  		task->rss_stat.count[member] += val;
  	else
  		add_mm_counter(mm, member, val);
  }
  #define inc_mm_counter_fast(mm, member) add_mm_counter_fast(mm, member, 1)
  #define dec_mm_counter_fast(mm, member) add_mm_counter_fast(mm, member, -1)
  
  /* sync counter once per 64 page faults */
  #define TASK_RSS_EVENTS_THRESH	(64)
  static void check_sync_rss_stat(struct task_struct *task)
  {
  	if (unlikely(task != current))
  		return;
  	if (unlikely(task->rss_stat.events++ > TASK_RSS_EVENTS_THRESH))

  		sync_mm_rss(task->mm);

  }

  #else /* SPLIT_RSS_COUNTING */

  
  #define inc_mm_counter_fast(mm, member) inc_mm_counter(mm, member)
  #define dec_mm_counter_fast(mm, member) dec_mm_counter(mm, member)
  
  static void check_sync_rss_stat(struct task_struct *task)
  {
  }

  #endif /* SPLIT_RSS_COUNTING */
  
  #ifdef HAVE_GENERIC_MMU_GATHER

  static bool tlb_next_batch(struct mmu_gather *tlb)

  {
  	struct mmu_gather_batch *batch;
  
  	batch = tlb->active;
  	if (batch->next) {
  		tlb->active = batch->next;

  		return true;

  	}

  	if (tlb->batch_count == MAX_GATHER_BATCH_COUNT)

  		return false;

  	batch = (void *)__get_free_pages(GFP_NOWAIT | __GFP_NOWARN, 0);
  	if (!batch)

  		return false;

  	tlb->batch_count++;

  	batch->next = NULL;
  	batch->nr   = 0;
  	batch->max  = MAX_GATHER_BATCH;
  
  	tlb->active->next = batch;
  	tlb->active = batch;

  	return true;

  }
  
  /* tlb_gather_mmu
   *	Called to initialize an (on-stack) mmu_gather structure for page-table
   *	tear-down from @mm. The @fullmm argument is used when @mm is without
   *	users and we're going to destroy the full address space (exit/execve).
   */

  void tlb_gather_mmu(struct mmu_gather *tlb, struct mm_struct *mm, unsigned long start, unsigned long end)

  {
  	tlb->mm = mm;

  	/* Is it from 0 to ~0? */
  	tlb->fullmm     = !(start | (end+1));

  	tlb->need_flush_all = 0;

  	tlb->local.next = NULL;
  	tlb->local.nr   = 0;
  	tlb->local.max  = ARRAY_SIZE(tlb->__pages);
  	tlb->active     = &tlb->local;

  	tlb->batch_count = 0;

  
  #ifdef CONFIG_HAVE_RCU_TABLE_FREE
  	tlb->batch = NULL;
  #endif

  
  	__tlb_reset_range(tlb);

  }

  static void tlb_flush_mmu_tlbonly(struct mmu_gather *tlb)

  {

  	if (!tlb->end)
  		return;

  	tlb_flush(tlb);

  	mmu_notifier_invalidate_range(tlb->mm, tlb->start, tlb->end);

  #ifdef CONFIG_HAVE_RCU_TABLE_FREE
  	tlb_table_flush(tlb);

  #endif

  	__tlb_reset_range(tlb);

  }
  
  static void tlb_flush_mmu_free(struct mmu_gather *tlb)
  {
  	struct mmu_gather_batch *batch;

  	for (batch = &tlb->local; batch && batch->nr; batch = batch->next) {

  		free_pages_and_swap_cache(batch->pages, batch->nr);
  		batch->nr = 0;
  	}
  	tlb->active = &tlb->local;
  }

  void tlb_flush_mmu(struct mmu_gather *tlb)
  {

  	tlb_flush_mmu_tlbonly(tlb);
  	tlb_flush_mmu_free(tlb);
  }

  /* tlb_finish_mmu
   *	Called at the end of the shootdown operation to free up any resources
   *	that were required.
   */
  void tlb_finish_mmu(struct mmu_gather *tlb, unsigned long start, unsigned long end)
  {
  	struct mmu_gather_batch *batch, *next;
  
  	tlb_flush_mmu(tlb);
  
  	/* keep the page table cache within bounds */
  	check_pgt_cache();
  
  	for (batch = tlb->local.next; batch; batch = next) {
  		next = batch->next;
  		free_pages((unsigned long)batch, 0);
  	}
  	tlb->local.next = NULL;
  }
  
  /* __tlb_remove_page
   *	Must perform the equivalent to __free_pte(pte_get_and_clear(ptep)), while
   *	handling the additional races in SMP caused by other CPUs caching valid
   *	mappings in their TLBs. Returns the number of free page slots left.
   *	When out of page slots we must call tlb_flush_mmu().
   */
  int __tlb_remove_page(struct mmu_gather *tlb, struct page *page)
  {
  	struct mmu_gather_batch *batch;

  	VM_BUG_ON(!tlb->end);

  	batch = tlb->active;
  	batch->pages[batch->nr++] = page;
  	if (batch->nr == batch->max) {
  		if (!tlb_next_batch(tlb))
  			return 0;

  		batch = tlb->active;

  	}

  	VM_BUG_ON_PAGE(batch->nr > batch->max, page);

  
  	return batch->max - batch->nr;
  }
  
  #endif /* HAVE_GENERIC_MMU_GATHER */

  #ifdef CONFIG_HAVE_RCU_TABLE_FREE
  
  /*
   * See the comment near struct mmu_table_batch.
   */
  
  static void tlb_remove_table_smp_sync(void *arg)
  {
  	/* Simply deliver the interrupt */
  }
  
  static void tlb_remove_table_one(void *table)
  {
  	/*
  	 * This isn't an RCU grace period and hence the page-tables cannot be
  	 * assumed to be actually RCU-freed.
  	 *
  	 * It is however sufficient for software page-table walkers that rely on
  	 * IRQ disabling. See the comment near struct mmu_table_batch.
  	 */
  	smp_call_function(tlb_remove_table_smp_sync, NULL, 1);
  	__tlb_remove_table(table);
  }
  
  static void tlb_remove_table_rcu(struct rcu_head *head)
  {
  	struct mmu_table_batch *batch;
  	int i;
  
  	batch = container_of(head, struct mmu_table_batch, rcu);
  
  	for (i = 0; i < batch->nr; i++)
  		__tlb_remove_table(batch->tables[i]);
  
  	free_page((unsigned long)batch);
  }
  
  void tlb_table_flush(struct mmu_gather *tlb)
  {
  	struct mmu_table_batch **batch = &tlb->batch;
  
  	if (*batch) {
  		call_rcu_sched(&(*batch)->rcu, tlb_remove_table_rcu);
  		*batch = NULL;
  	}
  }
  
  void tlb_remove_table(struct mmu_gather *tlb, void *table)
  {
  	struct mmu_table_batch **batch = &tlb->batch;

  	/*
  	 * When there's less then two users of this mm there cannot be a
  	 * concurrent page-table walk.
  	 */
  	if (atomic_read(&tlb->mm->mm_users) < 2) {
  		__tlb_remove_table(table);
  		return;
  	}
  
  	if (*batch == NULL) {
  		*batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN);
  		if (*batch == NULL) {
  			tlb_remove_table_one(table);
  			return;
  		}
  		(*batch)->nr = 0;
  	}
  	(*batch)->tables[(*batch)->nr++] = table;
  	if ((*batch)->nr == MAX_TABLE_BATCH)
  		tlb_table_flush(tlb);
  }

  #endif /* CONFIG_HAVE_RCU_TABLE_FREE */

  /*

   * Note: this doesn't free the actual pages themselves. That
   * has been handled earlier when unmapping all the memory regions.
   */

  static void free_pte_range(struct mmu_gather *tlb, pmd_t *pmd,
  			   unsigned long addr)

  {

  	pgtable_t token = pmd_pgtable(*pmd);

  	pmd_clear(pmd);

  	pte_free_tlb(tlb, token, addr);

  	atomic_long_dec(&tlb->mm->nr_ptes);

  }

  static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
  				unsigned long addr, unsigned long end,
  				unsigned long floor, unsigned long ceiling)

  {
  	pmd_t *pmd;
  	unsigned long next;

  	unsigned long start;

  	start = addr;

  	pmd = pmd_offset(pud, addr);

  	do {
  		next = pmd_addr_end(addr, end);
  		if (pmd_none_or_clear_bad(pmd))
  			continue;

  		free_pte_range(tlb, pmd, addr);

  	} while (pmd++, addr = next, addr != end);

  	start &= PUD_MASK;
  	if (start < floor)
  		return;
  	if (ceiling) {
  		ceiling &= PUD_MASK;
  		if (!ceiling)
  			return;

  	}

  	if (end - 1 > ceiling - 1)
  		return;
  
  	pmd = pmd_offset(pud, start);
  	pud_clear(pud);

  	pmd_free_tlb(tlb, pmd, start);

  	mm_dec_nr_pmds(tlb->mm);

  }

  static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
  				unsigned long addr, unsigned long end,
  				unsigned long floor, unsigned long ceiling)

  {
  	pud_t *pud;
  	unsigned long next;

  	unsigned long start;

  	start = addr;

  	pud = pud_offset(pgd, addr);

  	do {
  		next = pud_addr_end(addr, end);
  		if (pud_none_or_clear_bad(pud))
  			continue;

  		free_pmd_range(tlb, pud, addr, next, floor, ceiling);

  	} while (pud++, addr = next, addr != end);

  	start &= PGDIR_MASK;
  	if (start < floor)
  		return;
  	if (ceiling) {
  		ceiling &= PGDIR_MASK;
  		if (!ceiling)
  			return;

  	}

  	if (end - 1 > ceiling - 1)
  		return;
  
  	pud = pud_offset(pgd, start);
  	pgd_clear(pgd);

  	pud_free_tlb(tlb, pud, start);

  }
  
  /*

   * This function frees user-level page tables of a process.

   */

  void free_pgd_range(struct mmu_gather *tlb,

  			unsigned long addr, unsigned long end,
  			unsigned long floor, unsigned long ceiling)

  {
  	pgd_t *pgd;
  	unsigned long next;

  
  	/*
  	 * The next few lines have given us lots of grief...
  	 *
  	 * Why are we testing PMD* at this top level?  Because often
  	 * there will be no work to do at all, and we'd prefer not to
  	 * go all the way down to the bottom just to discover that.
  	 *
  	 * Why all these "- 1"s?  Because 0 represents both the bottom
  	 * of the address space and the top of it (using -1 for the
  	 * top wouldn't help much: the masks would do the wrong thing).
  	 * The rule is that addr 0 and floor 0 refer to the bottom of
  	 * the address space, but end 0 and ceiling 0 refer to the top
  	 * Comparisons need to use "end - 1" and "ceiling - 1" (though
  	 * that end 0 case should be mythical).
  	 *
  	 * Wherever addr is brought up or ceiling brought down, we must
  	 * be careful to reject "the opposite 0" before it confuses the
  	 * subsequent tests.  But what about where end is brought down
  	 * by PMD_SIZE below? no, end can't go down to 0 there.
  	 *
  	 * Whereas we round start (addr) and ceiling down, by different
  	 * masks at different levels, in order to test whether a table
  	 * now has no other vmas using it, so can be freed, we don't
  	 * bother to round floor or end up - the tests don't need that.
  	 */

  	addr &= PMD_MASK;
  	if (addr < floor) {
  		addr += PMD_SIZE;
  		if (!addr)
  			return;
  	}
  	if (ceiling) {
  		ceiling &= PMD_MASK;
  		if (!ceiling)
  			return;
  	}
  	if (end - 1 > ceiling - 1)
  		end -= PMD_SIZE;
  	if (addr > end - 1)
  		return;

  	pgd = pgd_offset(tlb->mm, addr);

  	do {
  		next = pgd_addr_end(addr, end);
  		if (pgd_none_or_clear_bad(pgd))
  			continue;

  		free_pud_range(tlb, pgd, addr, next, floor, ceiling);

  	} while (pgd++, addr = next, addr != end);

  }

  void free_pgtables(struct mmu_gather *tlb, struct vm_area_struct *vma,

  		unsigned long floor, unsigned long ceiling)

  {
  	while (vma) {
  		struct vm_area_struct *next = vma->vm_next;
  		unsigned long addr = vma->vm_start;

  		/*

  		 * Hide vma from rmap and truncate_pagecache before freeing
  		 * pgtables

  		 */

  		unlink_anon_vmas(vma);

  		unlink_file_vma(vma);

  		if (is_vm_hugetlb_page(vma)) {

  			hugetlb_free_pgd_range(tlb, addr, vma->vm_end,

  				floor, next? next->vm_start: ceiling);

  		} else {
  			/*
  			 * Optimization: gather nearby vmas into one call down
  			 */
  			while (next && next->vm_start <= vma->vm_end + PMD_SIZE

  			       && !is_vm_hugetlb_page(next)) {

  				vma = next;
  				next = vma->vm_next;

  				unlink_anon_vmas(vma);

  				unlink_file_vma(vma);

  			}
  			free_pgd_range(tlb, addr, vma->vm_end,
  				floor, next? next->vm_start: ceiling);
  		}

  		vma = next;
  	}

  }

  int __pte_alloc(struct mm_struct *mm, pmd_t *pmd, unsigned long address)

  {

  	spinlock_t *ptl;

  	pgtable_t new = pte_alloc_one(mm, address);

  	if (!new)
  		return -ENOMEM;

  	/*
  	 * Ensure all pte setup (eg. pte page lock and page clearing) are
  	 * visible before the pte is made visible to other CPUs by being
  	 * put into page tables.
  	 *
  	 * The other side of the story is the pointer chasing in the page
  	 * table walking code (when walking the page table without locking;
  	 * ie. most of the time). Fortunately, these data accesses consist
  	 * of a chain of data-dependent loads, meaning most CPUs (alpha
  	 * being the notable exception) will already guarantee loads are
  	 * seen in-order. See the alpha page table accessors for the
  	 * smp_read_barrier_depends() barriers in page table walking code.
  	 */
  	smp_wmb(); /* Could be smp_wmb__xxx(before|after)_spin_lock */

  	ptl = pmd_lock(mm, pmd);

  	if (likely(pmd_none(*pmd))) {	/* Has another populated it ? */

  		atomic_long_inc(&mm->nr_ptes);

  		pmd_populate(mm, pmd, new);

  		new = NULL;

  	}

  	spin_unlock(ptl);

  	if (new)
  		pte_free(mm, new);

  	return 0;

  }

  int __pte_alloc_kernel(pmd_t *pmd, unsigned long address)

  {

  	pte_t *new = pte_alloc_one_kernel(&init_mm, address);
  	if (!new)
  		return -ENOMEM;

  	smp_wmb(); /* See comment in __pte_alloc */

  	spin_lock(&init_mm.page_table_lock);

  	if (likely(pmd_none(*pmd))) {	/* Has another populated it ? */

  		pmd_populate_kernel(&init_mm, pmd, new);

  		new = NULL;

  	}

  	spin_unlock(&init_mm.page_table_lock);

  	if (new)
  		pte_free_kernel(&init_mm, new);

  	return 0;

  }

  static inline void init_rss_vec(int *rss)
  {
  	memset(rss, 0, sizeof(int) * NR_MM_COUNTERS);
  }
  
  static inline void add_mm_rss_vec(struct mm_struct *mm, int *rss)

  {

  	int i;

  	if (current->mm == mm)

  		sync_mm_rss(mm);

  	for (i = 0; i < NR_MM_COUNTERS; i++)
  		if (rss[i])
  			add_mm_counter(mm, i, rss[i]);

  }

  /*

   * This function is called to print an error when a bad pte
   * is found. For example, we might have a PFN-mapped pte in
   * a region that doesn't allow it.

   *
   * The calling function must still handle the error.
   */

  static void print_bad_pte(struct vm_area_struct *vma, unsigned long addr,
  			  pte_t pte, struct page *page)

  {

  	pgd_t *pgd = pgd_offset(vma->vm_mm, addr);
  	pud_t *pud = pud_offset(pgd, addr);
  	pmd_t *pmd = pmd_offset(pud, addr);
  	struct address_space *mapping;
  	pgoff_t index;

  	static unsigned long resume;
  	static unsigned long nr_shown;
  	static unsigned long nr_unshown;
  
  	/*
  	 * Allow a burst of 60 reports, then keep quiet for that minute;
  	 * or allow a steady drip of one report per second.
  	 */
  	if (nr_shown == 60) {
  		if (time_before(jiffies, resume)) {
  			nr_unshown++;
  			return;
  		}
  		if (nr_unshown) {

  			pr_alert("BUG: Bad page map: %lu messages suppressed
  ",
  				 nr_unshown);

  			nr_unshown = 0;
  		}
  		nr_shown = 0;
  	}
  	if (nr_shown++ == 0)
  		resume = jiffies + 60 * HZ;

  
  	mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;
  	index = linear_page_index(vma, addr);

  	pr_alert("BUG: Bad page map in process %s  pte:%08llx pmd:%08llx
  ",
  		 current->comm,
  		 (long long)pte_val(pte), (long long)pmd_val(*pmd));

  	if (page)

  		dump_page(page, "bad pte");

  	pr_alert("addr:%p vm_flags:%08lx anon_vma:%p mapping:%p index:%lx
  ",
  		 (void *)addr, vma->vm_flags, vma->anon_vma, mapping, index);

  	/*
  	 * Choose text because data symbols depend on CONFIG_KALLSYMS_ALL=y
  	 */

  	pr_alert("file:%pD fault:%pf mmap:%pf readpage:%pf
  ",
  		 vma->vm_file,
  		 vma->vm_ops ? vma->vm_ops->fault : NULL,
  		 vma->vm_file ? vma->vm_file->f_op->mmap : NULL,
  		 mapping ? mapping->a_ops->readpage : NULL);

  	dump_stack();

  	add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE);

  }
  
  /*

   * vm_normal_page -- This function gets the "struct page" associated with a pte.

   *

   * "Special" mappings do not wish to be associated with a "struct page" (either
   * it doesn't exist, or it exists but they don't want to touch it). In this
   * case, NULL is returned here. "Normal" mappings do have a struct page.

   *

   * There are 2 broad cases. Firstly, an architecture may define a pte_special()
   * pte bit, in which case this function is trivial. Secondly, an architecture
   * may not have a spare pte bit, which requires a more complicated scheme,
   * described below.
   *
   * A raw VM_PFNMAP mapping (ie. one that is not COWed) is always considered a
   * special mapping (even if there are underlying and valid "struct pages").
   * COWed pages of a VM_PFNMAP are always normal.

   *

   * The way we recognize COWed pages within VM_PFNMAP mappings is through the
   * rules set up by "remap_pfn_range()": the vma will have the VM_PFNMAP bit

   * set, and the vm_pgoff will point to the first PFN mapped: thus every special
   * mapping will always honor the rule

   *
   *	pfn_of_page == vma->vm_pgoff + ((addr - vma->vm_start) >> PAGE_SHIFT)
   *

   * And for normal mappings this is false.
   *
   * This restricts such mappings to be a linear translation from virtual address
   * to pfn. To get around this restriction, we allow arbitrary mappings so long
   * as the vma is not a COW mapping; in that case, we know that all ptes are
   * special (because none can have been COWed).

   *

   *

   * In order to support COW of arbitrary special mappings, we have VM_MIXEDMAP.

   *
   * VM_MIXEDMAP mappings can likewise contain memory with or without "struct
   * page" backing, however the difference is that _all_ pages with a struct
   * page (that is, those where pfn_valid is true) are refcounted and considered
   * normal pages by the VM. The disadvantage is that pages are refcounted
   * (which can be slower and simply not an option for some PFNMAP users). The
   * advantage is that we don't have to follow the strict linearity rule of
   * PFNMAP mappings in order to support COWable mappings.
   *

   */

  #ifdef __HAVE_ARCH_PTE_SPECIAL
  # define HAVE_PTE_SPECIAL 1
  #else
  # define HAVE_PTE_SPECIAL 0
  #endif
  struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr,
  				pte_t pte)

  {

  	unsigned long pfn = pte_pfn(pte);

  
  	if (HAVE_PTE_SPECIAL) {

  		if (likely(!pte_special(pte)))

  			goto check_pfn;

  		if (vma->vm_ops && vma->vm_ops->find_special_page)
  			return vma->vm_ops->find_special_page(vma, addr);

  		if (vma->vm_flags & (VM_PFNMAP | VM_MIXEDMAP))
  			return NULL;

  		if (!is_zero_pfn(pfn))

  			print_bad_pte(vma, addr, pte, NULL);

  		return NULL;
  	}
  
  	/* !HAVE_PTE_SPECIAL case follows: */

  	if (unlikely(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP))) {
  		if (vma->vm_flags & VM_MIXEDMAP) {
  			if (!pfn_valid(pfn))
  				return NULL;
  			goto out;
  		} else {

  			unsigned long off;
  			off = (addr - vma->vm_start) >> PAGE_SHIFT;

  			if (pfn == vma->vm_pgoff + off)
  				return NULL;
  			if (!is_cow_mapping(vma->vm_flags))
  				return NULL;
  		}

  	}

  	if (is_zero_pfn(pfn))
  		return NULL;

  check_pfn:
  	if (unlikely(pfn > highest_memmap_pfn)) {
  		print_bad_pte(vma, addr, pte, NULL);
  		return NULL;
  	}

  
  	/*

  	 * NOTE! We still have PageReserved() pages in the page tables.

  	 * eg. VDSO mappings can cause them to exist.

  	 */

  out:

  	return pfn_to_page(pfn);

  }
  
  /*

   * copy one vm_area from one task to the other. Assumes the page tables
   * already present in the new task to be cleared in the whole range
   * covered by this vma.

   */

  static inline unsigned long

  copy_one_pte(struct mm_struct *dst_mm, struct mm_struct *src_mm,

  		pte_t *dst_pte, pte_t *src_pte, struct vm_area_struct *vma,

  		unsigned long addr, int *rss)

  {

  	unsigned long vm_flags = vma->vm_flags;

  	pte_t pte = *src_pte;
  	struct page *page;

  
  	/* pte contains position in swap or file, so copy. */
  	if (unlikely(!pte_present(pte))) {

  		swp_entry_t entry = pte_to_swp_entry(pte);
  
  		if (likely(!non_swap_entry(entry))) {
  			if (swap_duplicate(entry) < 0)
  				return entry.val;
  
  			/* make sure dst_mm is on swapoff's mmlist. */
  			if (unlikely(list_empty(&dst_mm->mmlist))) {
  				spin_lock(&mmlist_lock);
  				if (list_empty(&dst_mm->mmlist))
  					list_add(&dst_mm->mmlist,
  							&src_mm->mmlist);
  				spin_unlock(&mmlist_lock);
  			}
  			rss[MM_SWAPENTS]++;
  		} else if (is_migration_entry(entry)) {
  			page = migration_entry_to_page(entry);

  			rss[mm_counter(page)]++;

  
  			if (is_write_migration_entry(entry) &&
  					is_cow_mapping(vm_flags)) {
  				/*
  				 * COW mappings require pages in both
  				 * parent and child to be set to read.
  				 */
  				make_migration_entry_read(&entry);
  				pte = swp_entry_to_pte(entry);
  				if (pte_swp_soft_dirty(*src_pte))
  					pte = pte_swp_mksoft_dirty(pte);
  				set_pte_at(src_mm, addr, src_pte, pte);

  			}

  		}

  		goto out_set_pte;

  	}

  	/*
  	 * If it's a COW mapping, write protect it both
  	 * in the parent and the child
  	 */

  	if (is_cow_mapping(vm_flags)) {

  		ptep_set_wrprotect(src_mm, addr, src_pte);

  		pte = pte_wrprotect(pte);

  	}
  
  	/*
  	 * If it's a shared mapping, mark it clean in
  	 * the child
  	 */
  	if (vm_flags & VM_SHARED)
  		pte = pte_mkclean(pte);
  	pte = pte_mkold(pte);

  
  	page = vm_normal_page(vma, addr, pte);
  	if (page) {
  		get_page(page);

  		page_dup_rmap(page, false);

  		rss[mm_counter(page)]++;

  	}

  
  out_set_pte:
  	set_pte_at(dst_mm, addr, dst_pte, pte);

  	return 0;

  }

  static int copy_pte_range(struct mm_struct *dst_mm, struct mm_struct *src_mm,

  		   pmd_t *dst_pmd, pmd_t *src_pmd, struct vm_area_struct *vma,
  		   unsigned long addr, unsigned long end)

  {

  	pte_t *orig_src_pte, *orig_dst_pte;

  	pte_t *src_pte, *dst_pte;

  	spinlock_t *src_ptl, *dst_ptl;

  	int progress = 0;

  	int rss[NR_MM_COUNTERS];

  	swp_entry_t entry = (swp_entry_t){0};

  
  again:

  	init_rss_vec(rss);

  	dst_pte = pte_alloc_map_lock(dst_mm, dst_pmd, addr, &dst_ptl);

  	if (!dst_pte)
  		return -ENOMEM;

  	src_pte = pte_offset_map(src_pmd, addr);

  	src_ptl = pte_lockptr(src_mm, src_pmd);

  	spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING);

  	orig_src_pte = src_pte;
  	orig_dst_pte = dst_pte;

  	arch_enter_lazy_mmu_mode();

  	do {
  		/*
  		 * We are holding two locks at this point - either of them
  		 * could generate latencies in another task on another CPU.
  		 */

  		if (progress >= 32) {
  			progress = 0;
  			if (need_resched() ||

  			    spin_needbreak(src_ptl) || spin_needbreak(dst_ptl))

  				break;
  		}

  		if (pte_none(*src_pte)) {
  			progress++;
  			continue;
  		}

  		entry.val = copy_one_pte(dst_mm, src_mm, dst_pte, src_pte,
  							vma, addr, rss);
  		if (entry.val)
  			break;

  		progress += 8;
  	} while (dst_pte++, src_pte++, addr += PAGE_SIZE, addr != end);

  	arch_leave_lazy_mmu_mode();

  	spin_unlock(src_ptl);

  	pte_unmap(orig_src_pte);

  	add_mm_rss_vec(dst_mm, rss);

  	pte_unmap_unlock(orig_dst_pte, dst_ptl);

  	cond_resched();

  
  	if (entry.val) {
  		if (add_swap_count_continuation(entry, GFP_KERNEL) < 0)
  			return -ENOMEM;
  		progress = 0;
  	}

  	if (addr != end)
  		goto again;
  	return 0;
  }
  
  static inline int copy_pmd_range(struct mm_struct *dst_mm, struct mm_struct *src_mm,
  		pud_t *dst_pud, pud_t *src_pud, struct vm_area_struct *vma,
  		unsigned long addr, unsigned long end)
  {
  	pmd_t *src_pmd, *dst_pmd;
  	unsigned long next;
  
  	dst_pmd = pmd_alloc(dst_mm, dst_pud, addr);
  	if (!dst_pmd)
  		return -ENOMEM;
  	src_pmd = pmd_offset(src_pud, addr);
  	do {
  		next = pmd_addr_end(addr, end);

  		if (pmd_trans_huge(*src_pmd) || pmd_devmap(*src_pmd)) {

  			int err;

  			VM_BUG_ON(next-addr != HPAGE_PMD_SIZE);

  			err = copy_huge_pmd(dst_mm, src_mm,
  					    dst_pmd, src_pmd, addr, vma);
  			if (err == -ENOMEM)
  				return -ENOMEM;
  			if (!err)
  				continue;
  			/* fall through */
  		}

  		if (pmd_none_or_clear_bad(src_pmd))
  			continue;
  		if (copy_pte_range(dst_mm, src_mm, dst_pmd, src_pmd,
  						vma, addr, next))
  			return -ENOMEM;
  	} while (dst_pmd++, src_pmd++, addr = next, addr != end);
  	return 0;
  }
  
  static inline int copy_pud_range(struct mm_struct *dst_mm, struct mm_struct *src_mm,
  		pgd_t *dst_pgd, pgd_t *src_pgd, struct vm_area_struct *vma,
  		unsigned long addr, unsigned long end)
  {
  	pud_t *src_pud, *dst_pud;
  	unsigned long next;
  
  	dst_pud = pud_alloc(dst_mm, dst_pgd, addr);
  	if (!dst_pud)
  		return -ENOMEM;
  	src_pud = pud_offset(src_pgd, addr);
  	do {
  		next = pud_addr_end(addr, end);
  		if (pud_none_or_clear_bad(src_pud))
  			continue;
  		if (copy_pmd_range(dst_mm, src_mm, dst_pud, src_pud,
  						vma, addr, next))
  			return -ENOMEM;
  	} while (dst_pud++, src_pud++, addr = next, addr != end);
  	return 0;
  }
  
  int copy_page_range(struct mm_struct *dst_mm, struct mm_struct *src_mm,
  		struct vm_area_struct *vma)
  {
  	pgd_t *src_pgd, *dst_pgd;
  	unsigned long next;
  	unsigned long addr = vma->vm_start;
  	unsigned long end = vma->vm_end;

  	unsigned long mmun_start;	/* For mmu_notifiers */
  	unsigned long mmun_end;		/* For mmu_notifiers */
  	bool is_cow;

  	int ret;

  	/*
  	 * Don't copy ptes where a page fault will fill them correctly.
  	 * Fork becomes much lighter when there are big shared or private
  	 * readonly mappings. The tradeoff is that copy_page_range is more
  	 * efficient than faulting.
  	 */

  	if (!(vma->vm_flags & (VM_HUGETLB | VM_PFNMAP | VM_MIXEDMAP)) &&
  			!vma->anon_vma)
  		return 0;

  	if (is_vm_hugetlb_page(vma))
  		return copy_hugetlb_page_range(dst_mm, src_mm, vma);

  	if (unlikely(vma->vm_flags & VM_PFNMAP)) {

  		/*
  		 * We do not free on error cases below as remove_vma
  		 * gets called on error from higher level routine
  		 */

  		ret = track_pfn_copy(vma);

  		if (ret)
  			return ret;
  	}

  	/*
  	 * We need to invalidate the secondary MMU mappings only when
  	 * there could be a permission downgrade on the ptes of the
  	 * parent mm. And a permission downgrade will only happen if
  	 * is_cow_mapping() returns true.
  	 */

  	is_cow = is_cow_mapping(vma->vm_flags);
  	mmun_start = addr;
  	mmun_end   = end;
  	if (is_cow)
  		mmu_notifier_invalidate_range_start(src_mm, mmun_start,
  						    mmun_end);

  
  	ret = 0;

  	dst_pgd = pgd_offset(dst_mm, addr);
  	src_pgd = pgd_offset(src_mm, addr);
  	do {
  		next = pgd_addr_end(addr, end);
  		if (pgd_none_or_clear_bad(src_pgd))
  			continue;

  		if (unlikely(copy_pud_range(dst_mm, src_mm, dst_pgd, src_pgd,
  					    vma, addr, next))) {
  			ret = -ENOMEM;
  			break;
  		}

  	} while (dst_pgd++, src_pgd++, addr = next, addr != end);

  	if (is_cow)
  		mmu_notifier_invalidate_range_end(src_mm, mmun_start, mmun_end);

  	return ret;

  }

  static unsigned long zap_pte_range(struct mmu_gather *tlb,

  				struct vm_area_struct *vma, pmd_t *pmd,

  				unsigned long addr, unsigned long end,

  				struct zap_details *details)

  {

  	struct mm_struct *mm = tlb->mm;

  	int force_flush = 0;

  	int rss[NR_MM_COUNTERS];

  	spinlock_t *ptl;

  	pte_t *start_pte;

  	pte_t *pte;

  	swp_entry_t entry;

  again:

  	init_rss_vec(rss);

  	start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl);
  	pte = start_pte;

  	arch_enter_lazy_mmu_mode();

  	do {
  		pte_t ptent = *pte;

  		if (pte_none(ptent)) {

  			continue;

  		}

  		if (pte_present(ptent)) {

  			struct page *page;

  			page = vm_normal_page(vma, addr, ptent);

  			if (unlikely(details) && page) {
  				/*
  				 * unmap_shared_mapping_pages() wants to
  				 * invalidate cache without truncating:
  				 * unmap shared but keep private pages.
  				 */
  				if (details->check_mapping &&
  				    details->check_mapping != page->mapping)
  					continue;

  			}

  			ptent = ptep_get_and_clear_full(mm, addr, pte,

  							tlb->fullmm);

  			tlb_remove_tlb_entry(tlb, pte, addr);
  			if (unlikely(!page))
  				continue;

  
  			if (!PageAnon(page)) {

  				if (pte_dirty(ptent)) {

  					/*
  					 * oom_reaper cannot tear down dirty
  					 * pages
  					 */
  					if (unlikely(details && details->ignore_dirty))
  						continue;

  					force_flush = 1;

  					set_page_dirty(page);

  				}

  				if (pte_young(ptent) &&

  				    likely(!(vma->vm_flags & VM_SEQ_READ)))

  					mark_page_accessed(page);

  			}

  			rss[mm_counter(page)]--;

  			page_remove_rmap(page, false);

  			if (unlikely(page_mapcount(page) < 0))
  				print_bad_pte(vma, addr, ptent, page);

  			if (unlikely(!__tlb_remove_page(tlb, page))) {
  				force_flush = 1;

  				addr += PAGE_SIZE;

  				break;

  			}

  			continue;
  		}

  		/* only check swap_entries if explicitly asked for in details */
  		if (unlikely(details && !details->check_swap_entries))

  			continue;

  		entry = pte_to_swp_entry(ptent);
  		if (!non_swap_entry(entry))
  			rss[MM_SWAPENTS]--;
  		else if (is_migration_entry(entry)) {
  			struct page *page;

  			page = migration_entry_to_page(entry);

  			rss[mm_counter(page)]--;

  		}

  		if (unlikely(!free_swap_and_cache(entry)))
  			print_bad_pte(vma, addr, ptent, NULL);

  		pte_clear_not_present_full(mm, addr, pte, tlb->fullmm);

  	} while (pte++, addr += PAGE_SIZE, addr != end);

  	add_mm_rss_vec(mm, rss);

  	arch_leave_lazy_mmu_mode();

  	/* Do the actual TLB flush before dropping ptl */

  	if (force_flush)

  		tlb_flush_mmu_tlbonly(tlb);

  	pte_unmap_unlock(start_pte, ptl);
  
  	/*
  	 * If we forced a TLB flush (either due to running out of
  	 * batch buffers or because we needed to flush dirty TLB
  	 * entries before releasing the ptl), free the batched
  	 * memory too. Restart if we didn't do everything.
  	 */
  	if (force_flush) {
  		force_flush = 0;
  		tlb_flush_mmu_free(tlb);

  
  		if (addr != end)

  			goto again;
  	}

  	return addr;

  }

  static inline unsigned long zap_pmd_range(struct mmu_gather *tlb,

  				struct vm_area_struct *vma, pud_t *pud,

  				unsigned long addr, unsigned long end,

  				struct zap_details *details)

  {
  	pmd_t *pmd;
  	unsigned long next;
  
  	pmd = pmd_offset(pud, addr);
  	do {
  		next = pmd_addr_end(addr, end);

  		if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) {

  			if (next - addr != HPAGE_PMD_SIZE) {

  #ifdef CONFIG_DEBUG_VM
  				if (!rwsem_is_locked(&tlb->mm->mmap_sem)) {
  					pr_err("%s: mmap_sem is unlocked! addr=0x%lx end=0x%lx vma->vm_start=0x%lx vma->vm_end=0x%lx
  ",
  						__func__, addr, end,
  						vma->vm_start,
  						vma->vm_end);
  					BUG();
  				}
  #endif

  				split_huge_pmd(vma, pmd, addr);

  			} else if (zap_huge_pmd(tlb, vma, pmd, addr))

  				goto next;

  			/* fall through */
  		}

  		/*
  		 * Here there can be other concurrent MADV_DONTNEED or
  		 * trans huge page faults running, and if the pmd is
  		 * none or trans huge it can change under us. This is
  		 * because MADV_DONTNEED holds the mmap_sem in read
  		 * mode.
  		 */
  		if (pmd_none_or_trans_huge_or_clear_bad(pmd))
  			goto next;

  		next = zap_pte_range(tlb, vma, pmd, addr, next, details);

  next:

  		cond_resched();
  	} while (pmd++, addr = next, addr != end);

  
  	return addr;

  }

  static inline unsigned long zap_pud_range(struct mmu_gather *tlb,

  				struct vm_area_struct *vma, pgd_t *pgd,

  				unsigned long addr, unsigned long end,

  				struct zap_details *details)

  {
  	pud_t *pud;
  	unsigned long next;
  
  	pud = pud_offset(pgd, addr);
  	do {
  		next = pud_addr_end(addr, end);

  		if (pud_none_or_clear_bad(pud))

  			continue;

  		next = zap_pmd_range(tlb, vma, pud, addr, next, details);
  	} while (pud++, addr = next, addr != end);

  
  	return addr;

  }

  void unmap_page_range(struct mmu_gather *tlb,

  			     struct vm_area_struct *vma,
  			     unsigned long addr, unsigned long end,
  			     struct zap_details *details)

  {
  	pgd_t *pgd;
  	unsigned long next;

  	BUG_ON(addr >= end);
  	tlb_start_vma(tlb, vma);
  	pgd = pgd_offset(vma->vm_mm, addr);
  	do {
  		next = pgd_addr_end(addr, end);

  		if (pgd_none_or_clear_bad(pgd))

  			continue;

  		next = zap_pud_range(tlb, vma, pgd, addr, next, details);
  	} while (pgd++, addr = next, addr != end);

  	tlb_end_vma(tlb, vma);
  }

  
  static void unmap_single_vma(struct mmu_gather *tlb,
  		struct vm_area_struct *vma, unsigned long start_addr,

  		unsigned long end_addr,

  		struct zap_details *details)
  {
  	unsigned long start = max(vma->vm_start, start_addr);
  	unsigned long end;
  
  	if (start >= vma->vm_end)
  		return;
  	end = min(vma->vm_end, end_addr);
  	if (end <= vma->vm_start)
  		return;

  	if (vma->vm_file)
  		uprobe_munmap(vma, start, end);

  	if (unlikely(vma->vm_flags & VM_PFNMAP))

  		untrack_pfn(vma, 0, 0);

  
  	if (start != end) {
  		if (unlikely(is_vm_hugetlb_page(vma))) {
  			/*
  			 * It is undesirable to test vma->vm_file as it
  			 * should be non-null for valid hugetlb area.
  			 * However, vm_file will be NULL in the error

  			 * cleanup path of mmap_region. When

  			 * hugetlbfs ->mmap method fails,

  			 * mmap_region() nullifies vma->vm_file

  			 * before calling this function to clean up.
  			 * Since no pte has actually been setup, it is
  			 * safe to do nothing in this case.
  			 */

  			if (vma->vm_file) {

  				i_mmap_lock_write(vma->vm_file->f_mapping);

  				__unmap_hugepage_range_final(tlb, vma, start, end, NULL);

  				i_mmap_unlock_write(vma->vm_file->f_mapping);

  			}

  		} else
  			unmap_page_range(tlb, vma, start, end, details);
  	}

  }

  /**
   * unmap_vmas - unmap a range of memory covered by a list of vma's

   * @tlb: address of the caller's struct mmu_gather

   * @vma: the starting vma
   * @start_addr: virtual address at which to start unmapping
   * @end_addr: virtual address at which to end unmapping

   *

   * Unmap all pages in the vma list.

   *

   * Only addresses between `start' and `end' will be unmapped.
   *
   * The VMA list must be sorted in ascending virtual address order.
   *
   * unmap_vmas() assumes that the caller will flush the whole unmapped address
   * range after unmap_vmas() returns.  So the only responsibility here is to
   * ensure that any thus-far unmapped pages are flushed before unmap_vmas()
   * drops the lock and schedules.
   */

  void unmap_vmas(struct mmu_gather *tlb,

  		struct vm_area_struct *vma, unsigned long start_addr,

  		unsigned long end_addr)

  {

  	struct mm_struct *mm = vma->vm_mm;

  	mmu_notifier_invalidate_range_start(mm, start_addr, end_addr);

  	for ( ; vma && vma->vm_start < end_addr; vma = vma->vm_next)

  		unmap_single_vma(tlb, vma, start_addr, end_addr, NULL);

  	mmu_notifier_invalidate_range_end(mm, start_addr, end_addr);

  }
  
  /**
   * zap_page_range - remove user pages in a given range
   * @vma: vm_area_struct holding the applicable pages

   * @start: starting address of pages to zap

   * @size: number of bytes to zap

   * @details: details of shared cache invalidation

   *
   * Caller must protect the VMA list

   */

  void zap_page_range(struct vm_area_struct *vma, unsigned long start,

  		unsigned long size, struct zap_details *details)
  {
  	struct mm_struct *mm = vma->vm_mm;

  	struct mmu_gather tlb;

  	unsigned long end = start + size;

  	lru_add_drain();

  	tlb_gather_mmu(&tlb, mm, start, end);

  	update_hiwater_rss(mm);

  	mmu_notifier_invalidate_range_start(mm, start, end);
  	for ( ; vma && vma->vm_start < end; vma = vma->vm_next)

  		unmap_single_vma(&tlb, vma, start, end, details);

  	mmu_notifier_invalidate_range_end(mm, start, end);
  	tlb_finish_mmu(&tlb, start, end);

  }

  /**

   * zap_page_range_single - remove user pages in a given range
   * @vma: vm_area_struct holding the applicable pages
   * @address: starting address of pages to zap
   * @size: number of bytes to zap

   * @details: details of shared cache invalidation

   *
   * The range must fit into one VMA.

   */

  static void zap_page_range_single(struct vm_area_struct *vma, unsigned long address,

  		unsigned long size, struct zap_details *details)
  {
  	struct mm_struct *mm = vma->vm_mm;

  	struct mmu_gather tlb;

  	unsigned long end = address + size;

  	lru_add_drain();

  	tlb_gather_mmu(&tlb, mm, address, end);

  	update_hiwater_rss(mm);

  	mmu_notifier_invalidate_range_start(mm, address, end);

  	unmap_single_vma(&tlb, vma, address, end, details);

  	mmu_notifier_invalidate_range_end(mm, address, end);

  	tlb_finish_mmu(&tlb, address, end);

  }

  /**
   * zap_vma_ptes - remove ptes mapping the vma
   * @vma: vm_area_struct holding ptes to be zapped
   * @address: starting address of pages to zap
   * @size: number of bytes to zap
   *
   * This function only unmaps ptes assigned to VM_PFNMAP vmas.
   *
   * The entire address range must be fully contained within the vma.
   *
   * Returns 0 if successful.
   */
  int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
  		unsigned long size)
  {
  	if (address < vma->vm_start || address + size > vma->vm_end ||
  	    		!(vma->vm_flags & VM_PFNMAP))
  		return -1;

  	zap_page_range_single(vma, address, size, NULL);

  	return 0;
  }
  EXPORT_SYMBOL_GPL(zap_vma_ptes);

  pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,

  			spinlock_t **ptl)

  {
  	pgd_t * pgd = pgd_offset(mm, addr);
  	pud_t * pud = pud_alloc(mm, pgd, addr);
  	if (pud) {

  		pmd_t * pmd = pmd_alloc(mm, pud, addr);

  		if (pmd) {
  			VM_BUG_ON(pmd_trans_huge(*pmd));

  			return pte_alloc_map_lock(mm, pmd, addr, ptl);

  		}

  	}
  	return NULL;
  }

  /*

   * This is the old fallback for page remapping.
   *
   * For historical reasons, it only allows reserved pages. Only
   * old drivers should use this, and they needed to mark their
   * pages reserved for the old functions anyway.
   */

  static int insert_page(struct vm_area_struct *vma, unsigned long addr,
  			struct page *page, pgprot_t prot)

  {

  	struct mm_struct *mm = vma->vm_mm;

  	int retval;

  	pte_t *pte;

  	spinlock_t *ptl;

  	retval = -EINVAL;

  	if (PageAnon(page))

  		goto out;

  	retval = -ENOMEM;
  	flush_dcache_page(page);

  	pte = get_locked_pte(mm, addr, &ptl);

  	if (!pte)

  		goto out;

  	retval = -EBUSY;
  	if (!pte_none(*pte))
  		goto out_unlock;
  
  	/* Ok, finally just insert the thing.. */
  	get_page(page);

  	inc_mm_counter_fast(mm, mm_counter_file(page));

  	page_add_file_rmap(page);
  	set_pte_at(mm, addr, pte, mk_pte(page, prot));
  
  	retval = 0;

  	pte_unmap_unlock(pte, ptl);
  	return retval;

  out_unlock:
  	pte_unmap_unlock(pte, ptl);
  out:
  	return retval;
  }

  /**
   * vm_insert_page - insert single page into user vma
   * @vma: user vma to map to
   * @addr: target user address of this page
   * @page: source kernel page
   *

   * This allows drivers to insert individual pages they've allocated
   * into a user vma.
   *
   * The page has to be a nice clean _individual_ kernel allocation.
   * If you allocate a compound page, you need to have marked it as
   * such (__GFP_COMP), or manually just split the page up yourself

   * (see split_page()).

   *
   * NOTE! Traditionally this was done with "remap_pfn_range()" which
   * took an arbitrary page protection parameter. This doesn't allow
   * that. Your vma protection will have to be set up correctly, which
   * means that if you want a shared writable mapping, you'd better
   * ask for a shared writable mapping!
   *
   * The page does not need to be reserved.

   *
   * Usually this function is called from f_op->mmap() handler
   * under mm->mmap_sem write-lock, so it can change vma->vm_flags.
   * Caller must set VM_MIXEDMAP on vma if it wants to call this
   * function from other places, for example from page-fault handler.

   */

  int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
  			struct page *page)

  {
  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;
  	if (!page_count(page))
  		return -EINVAL;

  	if (!(vma->vm_flags & VM_MIXEDMAP)) {
  		BUG_ON(down_read_trylock(&vma->vm_mm->mmap_sem));
  		BUG_ON(vma->vm_flags & VM_PFNMAP);
  		vma->vm_flags |= VM_MIXEDMAP;
  	}

  	return insert_page(vma, addr, page, vma->vm_page_prot);

  }

  EXPORT_SYMBOL(vm_insert_page);

  static int insert_pfn(struct vm_area_struct *vma, unsigned long addr,

  			pfn_t pfn, pgprot_t prot)

  {
  	struct mm_struct *mm = vma->vm_mm;
  	int retval;
  	pte_t *pte, entry;
  	spinlock_t *ptl;
  
  	retval = -ENOMEM;
  	pte = get_locked_pte(mm, addr, &ptl);
  	if (!pte)
  		goto out;
  	retval = -EBUSY;
  	if (!pte_none(*pte))
  		goto out_unlock;
  
  	/* Ok, finally just insert the thing.. */

  	if (pfn_t_devmap(pfn))
  		entry = pte_mkdevmap(pfn_t_pte(pfn, prot));
  	else
  		entry = pte_mkspecial(pfn_t_pte(pfn, prot));

  	set_pte_at(mm, addr, pte, entry);

  	update_mmu_cache(vma, addr, pte); /* XXX: why not for insert_page? */

  
  	retval = 0;
  out_unlock:
  	pte_unmap_unlock(pte, ptl);
  out:
  	return retval;
  }

  /**
   * vm_insert_pfn - insert single pfn into user vma
   * @vma: user vma to map to
   * @addr: target user address of this page
   * @pfn: source kernel pfn
   *

   * Similar to vm_insert_page, this allows drivers to insert individual pages

   * they've allocated into a user vma. Same comments apply.
   *
   * This function should only be called from a vm_ops->fault handler, and
   * in that case the handler should return NULL.

   *
   * vma cannot be a COW mapping.
   *
   * As this is called only for pages that do not currently exist, we
   * do not need to flush old virtual caches or the TLB.

   */
  int vm_insert_pfn(struct vm_area_struct *vma, unsigned long addr,

  			unsigned long pfn)

  {

  	return vm_insert_pfn_prot(vma, addr, pfn, vma->vm_page_prot);
  }
  EXPORT_SYMBOL(vm_insert_pfn);
  
  /**
   * vm_insert_pfn_prot - insert single pfn into user vma with specified pgprot
   * @vma: user vma to map to
   * @addr: target user address of this page
   * @pfn: source kernel pfn
   * @pgprot: pgprot flags for the inserted page
   *
   * This is exactly like vm_insert_pfn, except that it allows drivers to
   * to override pgprot on a per-page basis.
   *
   * This only makes sense for IO mappings, and it makes no sense for
   * cow mappings.  In general, using multiple vmas is preferable;
   * vm_insert_pfn_prot should only be used if using multiple VMAs is
   * impractical.
   */
  int vm_insert_pfn_prot(struct vm_area_struct *vma, unsigned long addr,
  			unsigned long pfn, pgprot_t pgprot)
  {

  	int ret;

  	/*
  	 * Technically, architectures with pte_special can avoid all these
  	 * restrictions (same for remap_pfn_range).  However we would like
  	 * consistency in testing and feature parity among all, so we should
  	 * try to keep these invariants in place for everybody.
  	 */

  	BUG_ON(!(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)));
  	BUG_ON((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) ==
  						(VM_PFNMAP|VM_MIXEDMAP));
  	BUG_ON((vma->vm_flags & VM_PFNMAP) && is_cow_mapping(vma->vm_flags));
  	BUG_ON((vma->vm_flags & VM_MIXEDMAP) && pfn_valid(pfn));

  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;

  	if (track_pfn_insert(vma, &pgprot, __pfn_to_pfn_t(pfn, PFN_DEV)))

  		return -EINVAL;

  	ret = insert_pfn(vma, addr, __pfn_to_pfn_t(pfn, PFN_DEV), pgprot);

  	return ret;

  }

  EXPORT_SYMBOL(vm_insert_pfn_prot);

  int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,

  			pfn_t pfn)

  {
  	BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));

  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;

  	/*
  	 * If we don't have pte special, then we have to use the pfn_valid()
  	 * based VM_MIXEDMAP scheme (see vm_normal_page), and thus we *must*
  	 * refcount the page if pfn_valid is true (hence insert_page rather

  	 * than insert_pfn).  If a zero_pfn were inserted into a VM_MIXEDMAP
  	 * without pte special, it would there be refcounted as a normal page.

  	 */

  	if (!HAVE_PTE_SPECIAL && !pfn_t_devmap(pfn) && pfn_t_valid(pfn)) {

  		struct page *page;

  		/*
  		 * At this point we are committed to insert_page()
  		 * regardless of whether the caller specified flags that
  		 * result in pfn_t_has_page() == false.
  		 */
  		page = pfn_to_page(pfn_t_to_pfn(pfn));

  		return insert_page(vma, addr, page, vma->vm_page_prot);
  	}
  	return insert_pfn(vma, addr, pfn, vma->vm_page_prot);

  }

  EXPORT_SYMBOL(vm_insert_mixed);

  /*

   * maps a range of physical memory into the requested pages. the old
   * mappings are removed. any references to nonexistent pages results
   * in null mappings (currently treated as "copy-on-access")
   */
  static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd,
  			unsigned long addr, unsigned long end,
  			unsigned long pfn, pgprot_t prot)
  {
  	pte_t *pte;

  	spinlock_t *ptl;

  	pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);

  	if (!pte)
  		return -ENOMEM;

  	arch_enter_lazy_mmu_mode();

  	do {
  		BUG_ON(!pte_none(*pte));

  		set_pte_at(mm, addr, pte, pte_mkspecial(pfn_pte(pfn, prot)));

  		pfn++;
  	} while (pte++, addr += PAGE_SIZE, addr != end);

  	arch_leave_lazy_mmu_mode();

  	pte_unmap_unlock(pte - 1, ptl);

  	return 0;
  }
  
  static inline int remap_pmd_range(struct mm_struct *mm, pud_t *pud,
  			unsigned long addr, unsigned long end,
  			unsigned long pfn, pgprot_t prot)
  {
  	pmd_t *pmd;
  	unsigned long next;
  
  	pfn -= addr >> PAGE_SHIFT;
  	pmd = pmd_alloc(mm, pud, addr);
  	if (!pmd)
  		return -ENOMEM;

  	VM_BUG_ON(pmd_trans_huge(*pmd));

  	do {
  		next = pmd_addr_end(addr, end);
  		if (remap_pte_range(mm, pmd, addr, next,
  				pfn + (addr >> PAGE_SHIFT), prot))
  			return -ENOMEM;
  	} while (pmd++, addr = next, addr != end);
  	return 0;
  }
  
  static inline int remap_pud_range(struct mm_struct *mm, pgd_t *pgd,
  			unsigned long addr, unsigned long end,
  			unsigned long pfn, pgprot_t prot)
  {
  	pud_t *pud;
  	unsigned long next;
  
  	pfn -= addr >> PAGE_SHIFT;
  	pud = pud_alloc(mm, pgd, addr);
  	if (!pud)
  		return -ENOMEM;
  	do {
  		next = pud_addr_end(addr, end);
  		if (remap_pmd_range(mm, pud, addr, next,
  				pfn + (addr >> PAGE_SHIFT), prot))
  			return -ENOMEM;
  	} while (pud++, addr = next, addr != end);
  	return 0;
  }

  /**
   * remap_pfn_range - remap kernel memory to userspace
   * @vma: user vma to map to
   * @addr: target user address to start at
   * @pfn: physical address of kernel memory
   * @size: size of map area
   * @prot: page protection flags for this mapping
   *
   *  Note: this is only safe if the mm semaphore is held when called.
   */

  int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
  		    unsigned long pfn, unsigned long size, pgprot_t prot)
  {
  	pgd_t *pgd;
  	unsigned long next;

  	unsigned long end = addr + PAGE_ALIGN(size);

  	struct mm_struct *mm = vma->vm_mm;
  	int err;
  
  	/*
  	 * Physically remapped pages are special. Tell the
  	 * rest of the world about it:
  	 *   VM_IO tells people not to look at these pages
  	 *	(accesses can have side effects).

  	 *   VM_PFNMAP tells the core MM that the base pages are just
  	 *	raw PFN mappings, and do not have a "struct page" associated
  	 *	with them.

  	 *   VM_DONTEXPAND
  	 *      Disable vma merging and expanding with mremap().
  	 *   VM_DONTDUMP
  	 *      Omit vma from core dump, even when VM_IO turned off.

  	 *
  	 * There's a horrible special case to handle copy-on-write
  	 * behaviour that some programs depend on. We mark the "original"
  	 * un-COW'ed pages by matching them up with "vma->vm_pgoff".

  	 * See vm_normal_page() for details.

  	 */

  	if (is_cow_mapping(vma->vm_flags)) {
  		if (addr != vma->vm_start || end != vma->vm_end)
  			return -EINVAL;

  		vma->vm_pgoff = pfn;

  	}
  
  	err = track_pfn_remap(vma, &prot, pfn, addr, PAGE_ALIGN(size));
  	if (err)

  		return -EINVAL;

  	vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;

  
  	BUG_ON(addr >= end);
  	pfn -= addr >> PAGE_SHIFT;
  	pgd = pgd_offset(mm, addr);
  	flush_cache_range(vma, addr, end);

  	do {
  		next = pgd_addr_end(addr, end);
  		err = remap_pud_range(mm, pgd, addr, next,
  				pfn + (addr >> PAGE_SHIFT), prot);
  		if (err)
  			break;
  	} while (pgd++, addr = next, addr != end);

  
  	if (err)

  		untrack_pfn(vma, pfn, PAGE_ALIGN(size));

  	return err;
  }
  EXPORT_SYMBOL(remap_pfn_range);

  /**
   * vm_iomap_memory - remap memory to userspace
   * @vma: user vma to map to
   * @start: start of area
   * @len: size of area
   *
   * This is a simplified io_remap_pfn_range() for common driver use. The
   * driver just needs to give us the physical memory range to be mapped,
   * we'll figure out the rest from the vma information.
   *
   * NOTE! Some drivers might want to tweak vma->vm_page_prot first to get
   * whatever write-combining details or similar.
   */
  int vm_iomap_memory(struct vm_area_struct *vma, phys_addr_t start, unsigned long len)
  {
  	unsigned long vm_len, pfn, pages;
  
  	/* Check that the physical memory area passed in looks valid */
  	if (start + len < start)
  		return -EINVAL;
  	/*
  	 * You *really* shouldn't map things that aren't page-aligned,
  	 * but we've historically allowed it because IO memory might
  	 * just have smaller alignment.
  	 */
  	len += start & ~PAGE_MASK;
  	pfn = start >> PAGE_SHIFT;
  	pages = (len + ~PAGE_MASK) >> PAGE_SHIFT;
  	if (pfn + pages < pfn)
  		return -EINVAL;
  
  	/* We start the mapping 'vm_pgoff' pages into the area */
  	if (vma->vm_pgoff > pages)
  		return -EINVAL;
  	pfn += vma->vm_pgoff;
  	pages -= vma->vm_pgoff;
  
  	/* Can we fit all of the mapping? */
  	vm_len = vma->vm_end - vma->vm_start;
  	if (vm_len >> PAGE_SHIFT > pages)
  		return -EINVAL;
  
  	/* Ok, let it rip */
  	return io_remap_pfn_range(vma, vma->vm_start, pfn, vm_len, vma->vm_page_prot);
  }
  EXPORT_SYMBOL(vm_iomap_memory);

  static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd,
  				     unsigned long addr, unsigned long end,
  				     pte_fn_t fn, void *data)
  {
  	pte_t *pte;
  	int err;

  	pgtable_t token;