用户空间缺页异常pte_handle_fault()分析--(下)--写时复制【转】-白红宇

转自：

在pte_handle_fault()中，如果触发异常的页存在于主存中，那么该异常往往是由写了一个只读页触发的，此时需要进行COW(写时复制操作)。如当一个父进程通过fork()创建了一个子进程时，子进程将会共享父进程的页框。之后，无论是父进程还是子进程要对相应的内存进行写操作，都要进行COW，也就是为自己重新分配一个页框，并把之前的数据复制到页框中去，再写。

[cpp]

static inline int handle_pte_fault(struct mm_struct *mm,

struct vm_area_struct *vma, unsigned long address,

pte_t *pte, pmd_t *pmd, unsigned int flags)

{

pte_t entry;

spinlock_t *ptl;

entry = *pte;

/********页在主存中的情况***********/

ptl = pte_lockptr(mm, pmd);

spin_lock(ptl);

if (unlikely(!pte_same(*pte, entry)))

goto unlock;

if (flags & FAULT_FLAG_WRITE) {
//异常由写访问触发

if (!pte_write(entry))//而对应的页是不可写的

return do_wp_page(mm, vma, address, //此时必须进行写时复制的操作

pte, pmd, ptl, entry);

entry = pte_mkdirty(entry);

}

entry = pte_mkyoung(entry);

if (ptep_set_access_flags(vma, address, pte, entry, flags & FAULT_FLAG_WRITE)) {

update_mmu_cache(vma, address, entry);

} else {

* This is needed only for protection faults but the arch code

* is not yet telling us if this is a protection fault or not.

* This still avoids useless tlb flushes for .text page faults

* with threads.

if (flags & FAULT_FLAG_WRITE)

flush_tlb_page(vma, address);

}

unlock:

pte_unmap_unlock(pte, ptl);

return 0;

}

可以看到，hand_pte_fault()函数处理页存在于主存中的情况的关键操作都集中在do_wp_page()函数上。该函数是用来处理COW的，不过在COW之前先要做一些检查，比如说，如果对应的页只有一个进程使用，那么便可以直接修改页的权限为可读可写，而不进行COW。总之，不到不得以的情况下是不会进行COW的。

[cpp]

static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,

unsigned long address, pte_t *page_table, pmd_t *pmd,

spinlock_t *ptl, pte_t orig_pte)

{

struct page *old_page, *new_page;

pte_t entry;

int reuse = 0, ret = 0;

int page_mkwrite = 0;

struct page *dirty_page = NULL;

old_page = vm_normal_page(vma, address, orig_pte);//获取共享页

if (!old_page) {
//获取共享页失败

* VM_MIXEDMAP !pfn_valid() case

* We should not cow pages in a shared writeable mapping.

* Just mark the pages writable as we can't do any dirty

* accounting on raw pfn maps.

/*如果vma的映射本来就是共享且可写的，则跳转至reuse直接使用orig_pte对应的页*/

if ((vma->vm_flags & (VM_WRITE|VM_SHARED)) ==

(VM_WRITE|VM_SHARED))

goto reuse;

/*否则跳转至gotten分配一个页*/

goto gotten;

}

* Take out anonymous pages first, anonymous shared vmas are

* not dirty accountable.

/*下面首先判断匿名页的情况，如果old_page是匿名页，并且只有一个进程使用它(reuse为1)，则

则直接使用该页*/

if (PageAnon(old_page) && !PageKsm(old_page)) {

/*这里先判断是否有其他进程竞争，修改了页表*/

if (!trylock_page(old_page)) {

page_cache_get(old_page);

pte_unmap_unlock(page_table, ptl);

lock_page(old_page);

page_table = pte_offset_map_lock(mm, pmd, address,

&ptl);

if (!pte_same(*page_table, orig_pte)) {

unlock_page(old_page);

page_cache_release(old_page);

goto unlock;

}

page_cache_release(old_page);

}

/*确定没有其他进程竞争，则进行reuse判断，通过reuse_swap_page()函数判断

old_page的_mapcount字段是否为0，是的话则表明只有一个进程使用该匿名页*/

reuse = reuse_swap_page(old_page);

unlock_page(old_page);

} else if (unlikely((vma->vm_flags & (VM_WRITE|VM_SHARED)) ==

(VM_WRITE|VM_SHARED))) {
//如果vma的映射本来就是共享且可写的

* Only catch write-faults on shared writable pages,

* read-only shared pages can get COWed by

* get_user_pages(.write=1, .force=1).

if (vma->vm_ops && vma->vm_ops->page_mkwrite) {

struct vm_fault vmf;

int tmp;

vmf.virtual_address = (void __user *)(address &

PAGE_MASK);

vmf.pgoff = old_page->index;

vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE;

vmf.page = old_page;

* Notify the address space that the page is about to

* become writable so that it can prohibit this or wait

* for the page to get into an appropriate state.

* We do this without the lock held, so that it can

* sleep if it needs to.

page_cache_get(old_page);//增加old_page的引用计数作为保护

pte_unmap_unlock(page_table, ptl);

/*这里通知即将修改页的权限*/

tmp = vma->vm_ops->page_mkwrite(vma, &vmf);

/*如果无法修改的话，则跳转到unwritable_page*/

if (unlikely(tmp &

(VM_FAULT_ERROR | VM_FAULT_NOPAGE))) {

ret = tmp;

goto unwritable_page;

}

if (unlikely(!(tmp & VM_FAULT_LOCKED))) {

lock_page(old_page);

if (!old_page->mapping) {

ret = 0; /* retry the fault */

unlock_page(old_page);

goto unwritable_page;

}

} else

VM_BUG_ON(!PageLocked(old_page));

* Since we dropped the lock we need to revalidate

* the PTE as someone else may have changed it. If

* they did, we just return, as we can count on the

* MMU to tell us if they didn't also make it writable.

/*走到这里表示已经成功修改了页的权限了，这里同样重新获取页表，判断是否和之前一致*/

page_table = pte_offset_map_lock(mm, pmd, address,

&ptl);

if (!pte_same(*page_table, orig_pte)) {

unlock_page(old_page);

page_cache_release(old_page);

goto unlock;

}

page_mkwrite = 1;

}

dirty_page = old_page;

get_page(dirty_page);

reuse = 1;

}

if (reuse) {
//reuse处理，也就是说不进行COW，可以直接在old_page上进行写操作

reuse:

flush_cache_page(vma, address, pte_pfn(orig_pte));

entry = pte_mkyoung(orig_pte);//标记_PAGE_ACCESSED位

entry = maybe_mkwrite(pte_mkdirty(entry), vma);//将页的权限修改为可读可写，并且标记为脏页

if (ptep_set_access_flags(vma, address, page_table, entry,1))

update_mmu_cache(vma, address, entry);

ret |= VM_FAULT_WRITE;

goto unlock;

}

* Ok, we need to copy. Oh, well..

/***************终于走到了不得已的一步了，下面只好进行COW了********************/

page_cache_get(old_page);

gotten:

pte_unmap_unlock(page_table, ptl);

if (unlikely(anon_vma_prepare(vma)))

goto oom;

if (is_zero_pfn(pte_pfn(orig_pte))) {

new_page = alloc_zeroed_user_highpage_movable(vma, address);//分配一个零页面

if (!new_page)

goto oom;

} else {

new_page = alloc_page_vma(GFP_HIGHUSER_MOVABLE, vma, address);//分配一个非零页面

if (!new_page)

goto oom;

cow_user_page(new_page, old_page, address, vma);//将old_page中的数据拷贝到new_page

}

__SetPageUptodate(new_page);

* Don't let another task, with possibly unlocked vma,

* keep the mlocked page.

if ((vma->vm_flags & VM_LOCKED) && old_page) {

lock_page(old_page); /* for LRU manipulation */

clear_page_mlock(old_page);

unlock_page(old_page);

}

if (mem_cgroup_newpage_charge(new_page, mm, GFP_KERNEL))

goto oom_free_new;

* Re-check the pte - we dropped the lock

page_table = pte_offset_map_lock(mm, pmd, address, &ptl);

if (likely(pte_same(*page_table, orig_pte))) {

if (old_page) {

if (!PageAnon(old_page)) {

dec_mm_counter(mm, file_rss);

inc_mm_counter(mm, anon_rss);

}

} else

inc_mm_counter(mm, anon_rss);

flush_cache_page(vma, address, pte_pfn(orig_pte));

entry = mk_pte(new_page, vma->vm_page_prot);//获取new_page的pte

entry = maybe_mkwrite(pte_mkdirty(entry), vma);//修改new_page的权限

* Clear the pte entry and flush it first, before updating the

* pte with the new entry. This will avoid a race condition

* seen in the presence of one thread doing SMC and another

* thread doing COW.

ptep_clear_flush(vma, address, page_table);

page_add_new_anon_rmap(new_page, vma, address);

* We call the notify macro here because, when using secondary

* mmu page tables (such as kvm shadow page tables), we want the

* new page to be mapped directly into the secondary page table.

set_pte_at_notify(mm, address, page_table, entry);

update_mmu_cache(vma, address, entry);

if (old_page) {

* Only after switching the pte to the new page may

* we remove the mapcount here. Otherwise another

* process may come and find the rmap count decremented

* before the pte is switched to the new page, and

* "reuse" the old page writing into it while our pte

* here still points into it and can be read by other

* threads.

* The critical issue is to order this

* page_remove_rmap with the ptp_clear_flush above.

* Those stores are ordered by (if nothing else,)

* the barrier present in the atomic_add_negative

* in page_remove_rmap.

* Then the TLB flush in ptep_clear_flush ensures that

* no process can access the old page before the

* decremented mapcount is visible. And the old page

* cannot be reused until after the decremented

* mapcount is visible. So transitively, TLBs to

* old page will be flushed before it can be reused.

page_remove_rmap(old_page);

}

/* Free the old page.. */

new_page = old_page;

ret |= VM_FAULT_WRITE;

} else

mem_cgroup_uncharge_page(new_page);

if (new_page)

page_cache_release(new_page);

if (old_page)

page_cache_release(old_page);

unlock:

pte_unmap_unlock(page_table, ptl);

if (dirty_page) {

* Yes, Virginia, this is actually required to prevent a race

* with clear_page_dirty_for_io() from clearing the page dirty

* bit after it clear all dirty ptes, but before a racing

* do_wp_page installs a dirty pte.

* do_no_page is protected similarly.

if (!page_mkwrite) {

wait_on_page_locked(dirty_page);

set_page_dirty_balance(dirty_page, page_mkwrite);

}

put_page(dirty_page);

if (page_mkwrite) {

struct address_space *mapping = dirty_page->mapping;

set_page_dirty(dirty_page);

unlock_page(dirty_page);

page_cache_release(dirty_page);

if (mapping) {

* Some device drivers do not set page.mapping

* but still dirty their pages

balance_dirty_pages_ratelimited(mapping);

}

}

/* file_update_time outside page_lock */

if (vma->vm_file)

file_update_time(vma->vm_file);

}

return ret;

oom_free_new:

page_cache_release(new_page);

oom:

if (old_page) {

if (page_mkwrite) {

unlock_page(old_page);

page_cache_release(old_page);

}

page_cache_release(old_page);

}

return VM_FAULT_OOM;

unwritable_page:

page_cache_release(old_page);

return ret;

}

【作者】

【出处】

【博客园】

【新浪博客】

【知乎】

【我的作品---旋转倒立摆】

【我的作品---自平衡自动循迹车】

【新浪微博】张昺华--sky

【twitter】 @sky2030_

【facebook】张昺华 zhangbinghua

本文版权归作者和博客园共有，欢迎转载，但未经作者同意必须保留此段声明，且在文章页面明显位置给出原文连接，否则保留追究法律责任的权利.