From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3D6D1C02198
	for <linux-mm@archiver.kernel.org>; Wed, 12 Feb 2025 16:48:09 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 786116B0083; Wed, 12 Feb 2025 11:48:08 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 70B5D6B0085; Wed, 12 Feb 2025 11:48:08 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 584736B0088; Wed, 12 Feb 2025 11:48:08 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 30F8B6B0083
	for <linux-mm@kvack.org>; Wed, 12 Feb 2025 11:48:08 -0500 (EST)
Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id D84EFB4D2C
	for <linux-mm@kvack.org>; Wed, 12 Feb 2025 16:48:07 +0000 (UTC)
X-FDA: 83111875014.14.6A9E646
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
	by imf17.hostedemail.com (Postfix) with ESMTP id 1122A4000F
	for <linux-mm@kvack.org>; Wed, 12 Feb 2025 16:48:05 +0000 (UTC)
Authentication-Results: imf17.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=none) header.from=arm.com;
	spf=pass (imf17.hostedemail.com: domain of ryan.roberts@arm.com designates 217.140.110.172 as permitted sender) smtp.mailfrom=ryan.roberts@arm.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1739378886; a=rsa-sha256;
	cv=none;
	b=FxjvqxqW2aXM5afBx10d0Ft3GQPrnPkuU8urbXHJZ+hOqJiTeOFUQK67qn1xVyH/twg3s5
	ooV+HD6qgUBUQaRADJsNNTbh+Xc+bf1bX4ENi7Q07YJ+2wojzMdj9hn1veGaW1/rgsGS52
	bxGURviEAz420i+GoBhTLh27ELWj4I0=
ARC-Authentication-Results: i=1;
	imf17.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=none) header.from=arm.com;
	spf=pass (imf17.hostedemail.com: domain of ryan.roberts@arm.com designates 217.140.110.172 as permitted sender) smtp.mailfrom=ryan.roberts@arm.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1739378886;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=BMLmzen5WTV/sP6vXniuulCvvXBqwHV7Nu+i+frW+Nk=;
	b=Rhz5/B7zkzSrZIafyOCvUhn9bH2/YAKkVUwg3uw4tVeFUtaHqBQ3AxbPwvLMNePbl8Yfy4
	gYrTqZGwPlnV799+p1zyxw70aQpJd8xhe7mBkr1nOl/6AIFPwt1UoEibZ6slblTwJ7IuGo
	P+PitL2DjwP0p1noPp87rbVFNro942U=
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 21BCB12FC;
	Wed, 12 Feb 2025 08:48:26 -0800 (PST)
Received: from [10.57.81.93] (unknown [10.57.81.93])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 928B73F5A1;
	Wed, 12 Feb 2025 08:48:02 -0800 (PST)
Message-ID: <a1604360-3e7f-47af-bba3-f4fea690a861@arm.com>
Date: Wed, 12 Feb 2025 16:48:01 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v1 09/16] arm64/mm: Avoid barriers for invalid or
 userspace mappings
Content-Language: en-GB
From: Ryan Roberts <ryan.roberts@arm.com>
To: Anshuman Khandual <anshuman.khandual@arm.com>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
 Muchun Song <muchun.song@linux.dev>,
 Pasha Tatashin <pasha.tatashin@soleen.com>,
 Andrew Morton <akpm@linux-foundation.org>,
 Uladzislau Rezki <urezki@gmail.com>, Christoph Hellwig <hch@infradead.org>,
 Mark Rutland <mark.rutland@arm.com>, Ard Biesheuvel <ardb@kernel.org>,
 Dev Jain <dev.jain@arm.com>, Alexandre Ghiti <alexghiti@rivosinc.com>,
 Steve Capper <steve.capper@linaro.org>, Kevin Brodsky <kevin.brodsky@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
 linux-kernel@vger.kernel.org
References: <20250205151003.88959-1-ryan.roberts@arm.com>
 <20250205151003.88959-10-ryan.roberts@arm.com>
 <45717fc1-cd83-4e9e-8ce5-44d306037cc9@arm.com>
 <334bdd4c-f12e-45f3-b4f9-df723889a4f4@arm.com>
In-Reply-To: <334bdd4c-f12e-45f3-b4f9-df723889a4f4@arm.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 1122A4000F
X-Stat-Signature: q47oysypeujogw4tjp4ribpkfydtpobf
X-Rspam-User: 
X-Rspamd-Server: rspam10
X-HE-Tag: 1739378885-599412
X-HE-Meta: U2FsdGVkX188zHFMwPsl0Qhr1nEPEIEvohM0FluQZPoGJTNWeFDXi2l1hwwich4ueLnX+4wZ7c9qifiUYr3CH56DcHJ8nMNI7Ueyjpnv0VNyxMA2fcHKsOEtSCTLxmSCgsumtmvG7TmYef4w7XdMtW/foWnix7+3YC74R7xNqkkKEnN+kbPVQGiFa9WEmtLbZzonEoNOEJyLXKoJpjHE+sCYLfdfJmGh7tMm3i8YrbEncjvQjecnENusoxs4iVIITP8PFsLZF1nOFvWBt2B9M7cF8iq9duYURHNMmNY+VkEsmU4P5fbvRRDaFUAjtarLkXriSOlEFrfUY8sOudmvQ3IsTALamgWRIvEYsN09jBXfMsfF4Pa2DHDv8pMl8NPvYleS7NR8VemVa8cE/LmOUeIgr1HTAArJMqj6bXqPveO1O4r8U8mgMRUqJpiQUrNqiFvCbe+QpqI2nADVGbS8b3thXWiPM81Y437yLSigDoRUvorZxQzwKzVT31ltPRr/zEqTCPQx1dUZBcSSEFaVPYAESL9WGo7zF/BXk/AttW9/OJcDrgXguU4fn1OAdEyy3vop8JfNxUhYuIuCGd3WpM70N7mVv+3CAkaeMs9WzyUT2/XngjMBToJSjvmaTGms6q7KjQpX3ZeJGyME3BQzHDvE9Bp8598HC2WUXrwP74l8BCGIFlBaSCps4MsYP1VuBNFafBweYskFnZtIn4ShLaHvreYku04FIXph9iSGEwJbgPht6ktLUXBK57TN3FngHLTNN09C9vPHqkUqbez/lJikjFwe80ZVcY3y+zmmXWRWJ5YEmfk8zj/Jys6APzyeZz1FUWbdFxL0DJl7BOC54AAV32k5EXDvg0vLLBA4vZgCxF/gBoO9YFNYwQ2KOq/l03P6x2ijJtgPWTQM/K3clxmCFQSkir9w3Te0utE3TZmxFDYhGarsUlvLQUmiIfFlt6IjPp8yxAruOjSG5Oz
 3hgA/zF6
 xn3JS7sa/Wx6/54hWhSKIkKWW+MFxSN8ReKU8UUmrJfuhxEHMgQBwQREHZqofhsje4ZdgH6Pu4qxkcJzpjcPq0qZSS+GN29eoEwQ4aMwumFxorZuHrrUxiVJnMXLqaLJgJFNfzglYPmxd+kds+fWJbXQ3qgK95shhFdwaa7WxuoSUI2HFPVVxP9bHKVcxbDcRE0h5hMOntUn9GYE=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On 07/02/2025 10:53, Ryan Roberts wrote:
> On 07/02/2025 08:11, Anshuman Khandual wrote:
>> On 2/5/25 20:39, Ryan Roberts wrote:
>>> __set_pte_complete(), set_pmd(), set_pud(), set_p4d() and set_pgd() are
>>> used to write entries into pgtables. And they issue barriers (currently
>>> dsb and isb) to ensure that the written values are observed by the table
>>> walker prior to any program-order-future memory access to the mapped
>>> location.
>>
>> Right.
>>
>>>
>>> Over the years some of these functions have received optimizations: In
>>> particular, commit 7f0b1bf04511 ("arm64: Fix barriers used for page
>>> table modifications") made it so that the barriers were only emitted for
>>> valid-kernel mappings for set_pte() (now __set_pte_complete()). And
>>> commit 0795edaf3f1f ("arm64: pgtable: Implement p[mu]d_valid() and check
>>> in set_p[mu]d()") made it so that set_pmd()/set_pud() only emitted the
>>> barriers for valid mappings. set_p4d()/set_pgd() continue to emit the
>>> barriers unconditionally.
>>
>> Right.
>>
>>>
>>> This is all very confusing to the casual observer; surely the rules
>>> should be invariant to the level? Let's change this so that every level
>>> consistently emits the barriers only when setting valid, non-user
>>> entries (both table and leaf).
>>
>> Agreed.
>>
>>>
>>> It seems obvious that if it is ok to elide barriers all but valid kernel
>>> mappings at pte level, it must also be ok to do this for leaf entries at
>>> other levels: If setting an entry to invalid, a tlb maintenance
>>> operaiton must surely follow to synchronise the TLB and this contains
>>
>> s/operaiton/operation
> 
> Ugh, I really need a spell checker for my editor!
> 
>>
>>> the required barriers. If setting a valid user mapping, the previous
>>> mapping must have been invalid and there must have been a TLB
>>> maintenance operation (complete with barriers) to honour
>>> break-before-make. So the worst that can happen is we take an extra
>>> fault (which will imply the DSB + ISB) and conclude that there is
>>> nothing to do. These are the aguments for doing this optimization at pte
>>
>> s/aguments/arguments
>>
>>> level and they also apply to leaf mappings at other levels.
>>
>> So user the page table updates both for the table and leaf entries remains
>> unchanged for now regarding dsb/isb sync i.e don't do anything ?
> 
> Sorry, this doesn't parse.
> 
>>
>>>
>>> For table entries, the same arguments hold: If unsetting a table entry,
>>> a TLB is required and this will emit the required barriers. If setting a
>>> table entry, the previous value must have been invalid and the table
>>> walker must already be able to observe that. Additionally the contents
>>> of the pgtable being pointed to in the newly set entry must be visible
>>> before the entry is written and this is enforced via smp_wmb() (dmb) in
>>> the pgtable allocation functions and in __split_huge_pmd_locked(). But
>>> this last part could never have been enforced by the barriers in
>>> set_pXd() because they occur after updating the entry. So ultimately,
>>> the wost that can happen by eliding these barriers for user table
>>> entries is an extra fault.
>>
>> Basically nothing needs to be done while setting user page table entries.
>>
>>>
>>> I observe roughly the same number of page faults (107M) with and without
>>> this change when compiling the kernel on Apple M2.
>>
>> These are total page faults or only additional faults caused because there
>> were no dsb/isb sync after the user page table update ?
> 
> total page faults. The experiment was to check that if eliding more barriers for
> valid user space mappings, does this lead to an increase in page faults? This
> very simple experiment suggests no.
> 
>>
>>>
>>> Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
>>> ---
>>>  arch/arm64/include/asm/pgtable.h | 60 ++++++++++++++++++++++++++++----
>>>  1 file changed, 54 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
>>> index 1d428e9c0e5a..ff358d983583 100644
>>> --- a/arch/arm64/include/asm/pgtable.h
>>> +++ b/arch/arm64/include/asm/pgtable.h
>>> @@ -767,6 +767,19 @@ static inline bool in_swapper_pgdir(void *addr)
>>>  	        ((unsigned long)swapper_pg_dir & PAGE_MASK);
>>>  }
>>>  
>>> +static inline bool pmd_valid_not_user(pmd_t pmd)
>>> +{
>>> +	/*
>>> +	 * User-space table pmd entries always have (PXN && !UXN). All other
>>> +	 * combinations indicate it's a table entry for kernel space.
>>> +	 * Valid-not-user leaf entries follow the same rules as
>>> +	 * pte_valid_not_user().
>>> +	 */
>>> +	if (pmd_table(pmd))
>>> +		return !((pmd_val(pmd) & (PMD_TABLE_PXN | PMD_TABLE_UXN)) == PMD_TABLE_PXN);
>>
>> Should not this be abstracted out as pmd_table_not_user_table() which can
>> then be re-used in other levels as well.
> 
> Yeah maybe. Let me mull it over.

I discovered a bug (see below). So decided to keep it simple. I'm defining
pmd_valid_not_user() as an inline function, as is done in this version. But all
other levels are just macros defined to wrap pmd_valid_not_user(). That way all
levels are treated the same way. This means that we might be slightly
over-checking for the higher levels that don't support block mappings, but it's
safe and correct and reuses the maximum amount of code.


> 
>>
>>> +	return pte_valid_not_user(pmd_pte(pmd));
>>> +}
>>> +
>>
>> Something like.
>>
>> static inline bool pmd_valid_not_user_table(pmd_t pmd)
>> {
>> 	return pmd_valid(pmd) &&
>> 	       !((pmd_val(pmd) & (PMD_PMD_TABLE_PXN | PMD_TABLE_UXN)) == PMD_TABLE_PXN);
>> }
>>
>> static inline bool pmd_valid_not_user(pmd_t pmd)
>> {
>> 	if (pmd_table(pmd))
>> 		return pmd_valid_not_user_table(pmd);
>> 	else
>> 		return pte_valid_not_user(pmd_pte(pmd));
>> }
>>
>>>  static inline void set_pmd(pmd_t *pmdp, pmd_t pmd)
>>>  {
>>>  #ifdef __PAGETABLE_PMD_FOLDED
>>> @@ -778,7 +791,7 @@ static inline void set_pmd(pmd_t *pmdp, pmd_t pmd)
>>>  
>>>  	WRITE_ONCE(*pmdp, pmd);
>>>  
>>> -	if (pmd_valid(pmd)) {
>>> +	if (pmd_valid_not_user(pmd)) {
>>>  		dsb(ishst);
>>>  		isb();
>>>  	}
>>> @@ -836,6 +849,17 @@ static inline unsigned long pmd_page_vaddr(pmd_t pmd)
>>>  
>>>  static inline bool pgtable_l4_enabled(void);
>>>  
>>> +
>>> +static inline bool pud_valid_not_user(pud_t pud)
>>> +{
>>> +	/*
>>> +	 * Follows the same rules as pmd_valid_not_user().
>>> +	 */
>>> +	if (pud_table(pud))
>>> +		return !((pud_val(pud) & (PUD_TABLE_PXN | PUD_TABLE_UXN)) == PUD_TABLE_PXN);

This is buggy for configs where pud_table() is hardcoded to return true. In this
case we will assume the pud is valid when it may not be. (actually you could
call that a bug in pud_table(), which should really at least still be checking
that it's valid).

>>> +	return pte_valid_not_user(pud_pte(pud));
>>> +}
>>
>> This can be expressed in terms of pmd_valid_not_user() itself.
>>
>> #define pud_valid_not_user()	pmd_valid_not_user(pud_pmd(pud))
> 
> The trouble with this is that you end up using pmd_table() not pud_table(). For
> some configs pud_table() is hardcoded to true. So we lose the benefit. So I'd
> rather keep it as it's own function.
> 
>>
>>> +
>>>  static inline void set_pud(pud_t *pudp, pud_t pud)
>>>  {
>>>  	if (!pgtable_l4_enabled() && in_swapper_pgdir(pudp)) {
>>> @@ -845,7 +869,7 @@ static inline void set_pud(pud_t *pudp, pud_t pud)
>>>  
>>>  	WRITE_ONCE(*pudp, pud);
>>>  
>>> -	if (pud_valid(pud)) {
>>> +	if (pud_valid_not_user(pud)) {
>>>  		dsb(ishst);
>>>  		isb();
>>>  	}
>>> @@ -917,6 +941,16 @@ static inline bool mm_pud_folded(const struct mm_struct *mm)
>>>  #define p4d_bad(p4d)		(pgtable_l4_enabled() && !(p4d_val(p4d) & P4D_TABLE_BIT))
>>>  #define p4d_present(p4d)	(!p4d_none(p4d))
>>>  
>>> +static inline bool p4d_valid_not_user(p4d_t p4d)
>>> +{
>>> +	/*
>>> +	 * User-space table p4d entries always have (PXN && !UXN). All other
>>> +	 * combinations indicate it's a table entry for kernel space. p4d block
>>> +	 * entries are not supported.
>>> +	 */
>>> +	return !((p4d_val(p4d) & (P4D_TABLE_PXN | P4D_TABLE_UXN)) == P4D_TABLE_PXN);

This was buggy because we never check valid!

>>> +}
>>
>> Instead
>>
>> #define p4d_valid_not_user_able() pmd_valid_not_user_able(p4d_pmd(p4d))
>>
>>> +
>>>  static inline void set_p4d(p4d_t *p4dp, p4d_t p4d)
>>>  {
>>>  	if (in_swapper_pgdir(p4dp)) {
>>> @@ -925,8 +959,11 @@ static inline void set_p4d(p4d_t *p4dp, p4d_t p4d)
>>>  	}
>>>  
>>>  	WRITE_ONCE(*p4dp, p4d);
>>> -	dsb(ishst);
>>> -	isb();
>>> +
>>> +	if (p4d_valid_not_user(p4d)) {
>>
>>
>> Check p4d_valid_not_user_able() instead.
> 
> I don't really know why we would want to add table into the name at this level.
> Why not be consistent and continue to use p4d_valid_not_user()? The fact that
> p4d doesn't support leaf entries is just a matter for the implementation.
> 
>>
>>> +		dsb(ishst);
>>> +		isb();
>>> +	}
>>>  }
>>>  
>>>  static inline void p4d_clear(p4d_t *p4dp)
>>> @@ -1044,6 +1081,14 @@ static inline bool mm_p4d_folded(const struct mm_struct *mm)
>>>  #define pgd_bad(pgd)		(pgtable_l5_enabled() && !(pgd_val(pgd) & PGD_TABLE_BIT))
>>>  #define pgd_present(pgd)	(!pgd_none(pgd))
>>>  
>>> +static inline bool pgd_valid_not_user(pgd_t pgd)
>>> +{
>>> +	/*
>>> +	 * Follows the same rules as p4d_valid_not_user().
>>> +	 */
>>> +	return !((pgd_val(pgd) & (PGD_TABLE_PXN | PGD_TABLE_UXN)) == PGD_TABLE_PXN);

Same here!

>>> +}
>>
>> Similarly
>>
>> #define pgd_valid_not_user_able() pmd_valid_not_user_able(pgd_pmd(pgd))
>>
>>
>>> +
>>>  static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
>>>  {
>>>  	if (in_swapper_pgdir(pgdp)) {
>>> @@ -1052,8 +1097,11 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
>>>  	}
>>>  
>>>  	WRITE_ONCE(*pgdp, pgd);
>>> -	dsb(ishst);
>>> -	isb();
>>> +
>>> +	if (pgd_valid_not_user(pgd)) {
>>
>> Check pgd_valid_not_user_able() instead.
>>
>>> +		dsb(ishst);
>>> +		isb();
>>> +	}
>>>  }
>>>  
>>>  static inline void pgd_clear(pgd_t *pgdp)
>