From nobody Mon Feb 9 04:29:40 2026 Received: from out-188.mta1.migadu.com (out-188.mta1.migadu.com [95.215.58.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 89D6B2C0281 for ; Mon, 2 Feb 2026 07:47:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.188 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018424; cv=none; b=WoFdJCLoH/nVVPV6lcinqfwzi2FWfU3CrnS0vQQ5rhhTEqYatk1RERk/eptJo7ae3mYaNOPNbfvkJMYVghW59+2PD2y9v0GsSh/A3P4M0Wsz6+DQl2HKy5g+RDIsskn8fQseJINpeh9mPorgCK0LLptJ9xP1sqDVSXkC6QzEoMA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018424; c=relaxed/simple; bh=jsmpq/Usxx0cLTUgsEtYpyDqIjqblk2OL9+037erLCY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=a0El7Ue1txwYyYj80tBjHdovVgVOTwxuT068TK5LKhztewLSSfTm1d5QUSxJai7gcPApn/+y7hsktuvXX3ZiZ6tdTMBbGyumbF/rzkYR2shvXJXaDgpuf4/GCCB0sHol1YGtH8wxztr6vz/zIoFgjitHsgLl5jdk5N2M9D09h2s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=cW0CtRIc; arc=none smtp.client-ip=95.215.58.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="cW0CtRIc" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770018409; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=mXujEoUNJu/9Snvd8x+7m65uywslfWR8iRUR5pLoVkA=; b=cW0CtRIcjlR+qdoXFn119hjFWn+vND51Hyj4B41JaZPny8AjoqmKIVlA4gNWteWp+dwdzx j6EC7U2UCzrH+Pb/QiYdVzDcwSX6Bix3qjBtySHKO3q2V9suSogN/DMCXgL98TwMFAcQ3u XBzs+aQ64ejZ7FphjlXzvoAti/LumqA= From: Lance Yang To: akpm@linux-foundation.org Cc: david@kernel.org, dave.hansen@intel.com, dave.hansen@linux.intel.com, ypodemsk@redhat.com, hughd@google.com, will@kernel.org, aneesh.kumar@kernel.org, npiggin@gmail.com, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com, arnd@arndb.de, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, shy828301@gmail.com, riel@surriel.com, jannh@google.com, jgross@suse.com, seanjc@google.com, pbonzini@redhat.com, boris.ostrovsky@oracle.com, virtualization@lists.linux.dev, kvm@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ioworker0@gmail.com, Lance Yang Subject: [PATCH v4 1/3] mm: use targeted IPIs for TLB sync with lockless page table walkers Date: Mon, 2 Feb 2026 15:45:55 +0800 Message-ID: <20260202074557.16544-2-lance.yang@linux.dev> In-Reply-To: <20260202074557.16544-1-lance.yang@linux.dev> References: <20260202074557.16544-1-lance.yang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Lance Yang Currently, tlb_remove_table_sync_one() broadcasts IPIs to all CPUs to wait for any concurrent lockless page table walkers (e.g., GUP-fast). This is inefficient on systems with many CPUs, especially for RT workloads[1]. This patch introduces a per-CPU tracking mechanism to record which CPUs are actively performing lockless page table walks for a specific mm_struct. When freeing/unsharing page tables, we can now send IPIs only to the CPUs that are actually walking that mm, instead of broadcasting to all CPUs. In preparation for targeted IPIs; a follow-up will switch callers to tlb_remove_table_sync_mm(). Note that the tracking adds ~3% latency to GUP-fast, as measured on a 64-core system. [1] https://lore.kernel.org/linux-mm/1b27a3fa-359a-43d0-bdeb-c31341749367@k= ernel.org/ Suggested-by: David Hildenbrand (Red Hat) Signed-off-by: Lance Yang --- include/asm-generic/tlb.h | 2 ++ include/linux/mm.h | 34 ++++++++++++++++++++++++++ kernel/events/core.c | 2 ++ mm/gup.c | 2 ++ mm/mmu_gather.c | 50 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 90 insertions(+) diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h index 4aeac0c3d3f0..b6b06e6b879f 100644 --- a/include/asm-generic/tlb.h +++ b/include/asm-generic/tlb.h @@ -250,6 +250,7 @@ static inline void tlb_remove_table(struct mmu_gather *= tlb, void *table) #endif =20 void tlb_remove_table_sync_one(void); +void tlb_remove_table_sync_mm(struct mm_struct *mm); =20 #else =20 @@ -258,6 +259,7 @@ void tlb_remove_table_sync_one(void); #endif =20 static inline void tlb_remove_table_sync_one(void) { } +static inline void tlb_remove_table_sync_mm(struct mm_struct *mm) { } =20 #endif /* CONFIG_MMU_GATHER_RCU_TABLE_FREE */ =20 diff --git a/include/linux/mm.h b/include/linux/mm.h index f8a8fd47399c..d92df995fcd1 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -2995,6 +2995,40 @@ long memfd_pin_folios(struct file *memfd, loff_t sta= rt, loff_t end, pgoff_t *offset); int folio_add_pins(struct folio *folio, unsigned int pins); =20 +/* + * Track CPUs doing lockless page table walks to avoid broadcast IPIs + * during TLB flushes. + */ +DECLARE_PER_CPU(struct mm_struct *, active_lockless_pt_walk_mm); + +static inline void pt_walk_lockless_start(struct mm_struct *mm) +{ + lockdep_assert_irqs_disabled(); + + /* + * Tell other CPUs we're doing lockless page table walk. + * + * Full barrier needed to prevent page table reads from being + * reordered before this write. + * + * Pairs with smp_rmb() in tlb_remove_table_sync_mm(). + */ + this_cpu_write(active_lockless_pt_walk_mm, mm); + smp_mb(); +} + +static inline void pt_walk_lockless_end(void) +{ + lockdep_assert_irqs_disabled(); + + /* + * Clear the pointer so other CPUs no longer see this CPU as walking + * the mm. Use smp_store_release to ensure page table reads complete + * before the clear is visible to other CPUs. + */ + smp_store_release(this_cpu_ptr(&active_lockless_pt_walk_mm), NULL); +} + int get_user_pages_fast(unsigned long start, int nr_pages, unsigned int gup_flags, struct page **pages); int pin_user_pages_fast(unsigned long start, int nr_pages, diff --git a/kernel/events/core.c b/kernel/events/core.c index 5b5cb620499e..6539112c28ff 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -8190,7 +8190,9 @@ static u64 perf_get_page_size(unsigned long addr) mm =3D &init_mm; } =20 + pt_walk_lockless_start(mm); size =3D perf_get_pgtable_size(mm, addr); + pt_walk_lockless_end(); =20 local_irq_restore(flags); =20 diff --git a/mm/gup.c b/mm/gup.c index 8e7dc2c6ee73..6748e28b27f2 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -3154,7 +3154,9 @@ static unsigned long gup_fast(unsigned long start, un= signed long end, * that come from callers of tlb_remove_table_sync_one(). */ local_irq_save(flags); + pt_walk_lockless_start(current->mm); gup_fast_pgd_range(start, end, gup_flags, pages, &nr_pinned); + pt_walk_lockless_end(); local_irq_restore(flags); =20 /* diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c index 2faa23d7f8d4..35c89e4b6230 100644 --- a/mm/mmu_gather.c +++ b/mm/mmu_gather.c @@ -285,6 +285,56 @@ void tlb_remove_table_sync_one(void) smp_call_function(tlb_remove_table_smp_sync, NULL, 1); } =20 +DEFINE_PER_CPU(struct mm_struct *, active_lockless_pt_walk_mm); +EXPORT_PER_CPU_SYMBOL_GPL(active_lockless_pt_walk_mm); + +/** + * tlb_remove_table_sync_mm - send IPIs to CPUs doing lockless page table + * walk for @mm + * + * @mm: target mm; only CPUs walking this mm get an IPI. + * + * Like tlb_remove_table_sync_one() but only targets CPUs in + * active_lockless_pt_walk_mm. + */ +void tlb_remove_table_sync_mm(struct mm_struct *mm) +{ + cpumask_var_t target_cpus; + bool found_any =3D false; + int cpu; + + if (WARN_ONCE(!mm, "NULL mm in %s\n", __func__)) { + tlb_remove_table_sync_one(); + return; + } + + /* If we can't, fall back to broadcast. */ + if (!alloc_cpumask_var(&target_cpus, GFP_ATOMIC)) { + tlb_remove_table_sync_one(); + return; + } + + cpumask_clear(target_cpus); + + /* Pairs with smp_mb() in pt_walk_lockless_start(). */ + smp_rmb(); + + /* Find CPUs doing lockless page table walks for this mm */ + for_each_online_cpu(cpu) { + if (per_cpu(active_lockless_pt_walk_mm, cpu) =3D=3D mm) { + cpumask_set_cpu(cpu, target_cpus); + found_any =3D true; + } + } + + /* Only send IPIs to CPUs actually doing lockless walks */ + if (found_any) + smp_call_function_many(target_cpus, tlb_remove_table_smp_sync, + NULL, 1); + + free_cpumask_var(target_cpus); +} + static void tlb_remove_table_rcu(struct rcu_head *head) { __tlb_remove_table_free(container_of(head, struct mmu_table_batch, rcu)); --=20 2.49.0 From nobody Mon Feb 9 04:29:40 2026 Received: from out-182.mta0.migadu.com (out-182.mta0.migadu.com [91.218.175.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6E70C311C1B for ; Mon, 2 Feb 2026 07:46:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018421; cv=none; b=BqTB4O6uosOKXSf5ok5E7XhQ3hUU15PjIXPvwAHIXx1Dy/YeSQJKjNh+KENz/kCU1JehS+l89euewa+bhYraq3qnnLA3+G7gBJ7wiCiu6feeDlTaR3C+JvVivtP/eGLE0+cMr+2NqcZ7gniVqaX1DtPQJtOasO8MZT0yDu0/Gv4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018421; c=relaxed/simple; bh=fWLHMnr2RM+kDuq4tIuO7SAeaOX2KgxCRWbH6i9QeLI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DQhTqh0hv4E+YSDYTAQjp8W9QxKQvg/GXl8Qv2IRvZj5RC8BAEi3tuYniiGkNllCSr6JRSefkCS9Z39QgUE9YGYkJNGPli4wGii/AW6osT3N3EaX3Bt9mWWlWYF7qUFtkgTnfjBtiyTP2IrpxWBUVHeB0gXrWla0nkkWxKd7PMI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=pdjfUjRg; arc=none smtp.client-ip=91.218.175.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="pdjfUjRg" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770018415; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ic7TrnN6sGlm3l1wxhH2nfdOKdVnIN7B0hP0aUO2aOY=; b=pdjfUjRgbpxEevSg5ni8YXtztpS1GezhbgKFAamXf1e+YuJlVEd442UU8eyB74Flpb+8jl b7x8L4yO0lU1g9rOZipEkWSVE/vqgsI+7A37FZZZxk48NTkJmLeQED7u46+9MTI0gptwG5 WMDJBHLqce/JaxPiVm1gYjFcmWeJ99A= From: Lance Yang To: akpm@linux-foundation.org Cc: david@kernel.org, dave.hansen@intel.com, dave.hansen@linux.intel.com, ypodemsk@redhat.com, hughd@google.com, will@kernel.org, aneesh.kumar@kernel.org, npiggin@gmail.com, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com, arnd@arndb.de, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, shy828301@gmail.com, riel@surriel.com, jannh@google.com, jgross@suse.com, seanjc@google.com, pbonzini@redhat.com, boris.ostrovsky@oracle.com, virtualization@lists.linux.dev, kvm@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ioworker0@gmail.com, Lance Yang Subject: [PATCH v4 2/3] mm: switch callers to tlb_remove_table_sync_mm() Date: Mon, 2 Feb 2026 15:45:56 +0800 Message-ID: <20260202074557.16544-3-lance.yang@linux.dev> In-Reply-To: <20260202074557.16544-1-lance.yang@linux.dev> References: <20260202074557.16544-1-lance.yang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Lance Yang Now that we have tlb_remove_table_sync_mm(), convert callers from tlb_remove_table_sync_one() to enable targeted IPIs instead of broadcast. Three callers updated: 1) collapse_huge_page() - after flushing the old PMD, only IPIs CPUs walking this mm instead of all CPUs. 2) tlb_flush_unshared_tables() - when unsharing hugetlb page tables, use tlb->mm for targeted IPIs. 3) __tlb_remove_table_one() - updated to take mmu_gather parameter so it can use tlb->mm when batch allocation fails. Note that pmdp_get_lockless_sync() (PAE only) also calls tlb_remove_table_sync_one() under PTL to ensure all ongoing PMD split-reads complete between pmdp_get_lockless_{start,end}; the critical section is very short. I'm inclined not to convert it since PAE systems typically don't have many cores. Suggested-by: David Hildenbrand (Red Hat) Signed-off-by: Lance Yang --- include/asm-generic/tlb.h | 11 ++++++----- mm/khugepaged.c | 2 +- mm/mmu_gather.c | 12 ++++++------ 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h index b6b06e6b879f..40eb74b28f9d 100644 --- a/include/asm-generic/tlb.h +++ b/include/asm-generic/tlb.h @@ -831,17 +831,18 @@ static inline void tlb_flush_unshared_tables(struct m= mu_gather *tlb) /* * Similarly, we must make sure that concurrent GUP-fast will not * walk previously-shared page tables that are getting modified+reused - * elsewhere. So broadcast an IPI to wait for any concurrent GUP-fast. + * elsewhere. So send an IPI to wait for any concurrent GUP-fast. * - * We only perform this when we are the last sharer of a page table, - * as the IPI will reach all CPUs: any GUP-fast. + * We only perform this when we are the last sharer of a page table. + * Use targeted IPI to CPUs actively walking this mm instead of + * broadcast. * - * Note that on configs where tlb_remove_table_sync_one() is a NOP, + * Note that on configs where tlb_remove_table_sync_mm() is a NOP, * the expectation is that the tlb_flush_mmu_tlbonly() would have issued * required IPIs already for us. */ if (tlb->fully_unshared_tables) { - tlb_remove_table_sync_one(); + tlb_remove_table_sync_mm(tlb->mm); tlb->fully_unshared_tables =3D false; } } diff --git a/mm/khugepaged.c b/mm/khugepaged.c index fa1e57fd2c46..7781d6628649 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1173,7 +1173,7 @@ static enum scan_result collapse_huge_page(struct mm_= struct *mm, unsigned long a _pmd =3D pmdp_collapse_flush(vma, address, pmd); spin_unlock(pmd_ptl); mmu_notifier_invalidate_range_end(&range); - tlb_remove_table_sync_one(); + tlb_remove_table_sync_mm(mm); =20 pte =3D pte_offset_map_lock(mm, &_pmd, address, &pte_ptl); if (pte) { diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c index 35c89e4b6230..76573ec454e5 100644 --- a/mm/mmu_gather.c +++ b/mm/mmu_gather.c @@ -378,7 +378,7 @@ static inline void __tlb_remove_table_one_rcu(struct rc= u_head *head) __tlb_remove_table(ptdesc); } =20 -static inline void __tlb_remove_table_one(void *table) +static inline void __tlb_remove_table_one(struct mmu_gather *tlb, void *ta= ble) { struct ptdesc *ptdesc; =20 @@ -386,16 +386,16 @@ static inline void __tlb_remove_table_one(void *table) call_rcu(&ptdesc->pt_rcu_head, __tlb_remove_table_one_rcu); } #else -static inline void __tlb_remove_table_one(void *table) +static inline void __tlb_remove_table_one(struct mmu_gather *tlb, void *ta= ble) { - tlb_remove_table_sync_one(); + tlb_remove_table_sync_mm(tlb->mm); __tlb_remove_table(table); } #endif /* CONFIG_PT_RECLAIM */ =20 -static void tlb_remove_table_one(void *table) +static void tlb_remove_table_one(struct mmu_gather *tlb, void *table) { - __tlb_remove_table_one(table); + __tlb_remove_table_one(tlb, table); } =20 static void tlb_table_flush(struct mmu_gather *tlb) @@ -417,7 +417,7 @@ void tlb_remove_table(struct mmu_gather *tlb, void *tab= le) *batch =3D (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT); if (*batch =3D=3D NULL) { tlb_table_invalidate(tlb); - tlb_remove_table_one(table); + tlb_remove_table_one(tlb, table); return; } (*batch)->nr =3D 0; --=20 2.49.0 From nobody Mon Feb 9 04:29:40 2026 Received: from out-176.mta1.migadu.com (out-176.mta1.migadu.com [95.215.58.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1272030E839 for ; Mon, 2 Feb 2026 07:47:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018434; cv=none; b=lvTz2POPSm8nvxg/hXrxu3Z31ALUPLrn3sw16UoRwAWbFcRtO6Wg0imOBQTCx0T57xOLk4ZfbYZadzm6cFdYDlwIphHiB5j5JVuxVpf+5Cq97RDmBWHOV7eIimpJ0st8qTFV+GonG2MW6NkgJrISwTRZKbUy9rHd4lCueNMs4BY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770018434; c=relaxed/simple; bh=gRpj5c5STjQ9EGwM72DyBu7SzU/eVaaVklj1ux45W8I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Hs4iZfPYC16f/XrUTsEnvOzRomg/RBbdT1SUN+fGpE2H3iI9WEqZZg+cyKZbX0FUM/loOinCR9ZoofFijQ6nseNFaGGf6AjwMMrJ9d6cS2NvubVPNVdUw2JiINztZJzBsO4jyf7dcFcGVOL1zvNlPHq2HtmrfxIGSNLprXhO91w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=D5A9eCaq; arc=none smtp.client-ip=95.215.58.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="D5A9eCaq" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770018427; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=isCUzTGbqG3bOQ3RuuUP2N5J/vxqd6Q7qV+0hYo+bgg=; b=D5A9eCaqnDwPfPlsPpp1aRvf1ZE+NM/c95SgXDrGmAR44MyygQktcjUSU8XXvyPNYQaWk9 qcl8JQRK/IR1Ut1hUF03zTtPVT1QYpBajRDaL9tMaezJYNweSBRbD2uETbtApbcSOdWO/7 emFfeNqqDRnsBQgk6p5oB0F0XfVXwP8= From: Lance Yang To: akpm@linux-foundation.org Cc: david@kernel.org, dave.hansen@intel.com, dave.hansen@linux.intel.com, ypodemsk@redhat.com, hughd@google.com, will@kernel.org, aneesh.kumar@kernel.org, npiggin@gmail.com, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org, hpa@zytor.com, arnd@arndb.de, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, shy828301@gmail.com, riel@surriel.com, jannh@google.com, jgross@suse.com, seanjc@google.com, pbonzini@redhat.com, boris.ostrovsky@oracle.com, virtualization@lists.linux.dev, kvm@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ioworker0@gmail.com, Lance Yang Subject: [PATCH v4 3/3] x86/tlb: add architecture-specific TLB IPI optimization support Date: Mon, 2 Feb 2026 15:45:57 +0800 Message-ID: <20260202074557.16544-4-lance.yang@linux.dev> In-Reply-To: <20260202074557.16544-1-lance.yang@linux.dev> References: <20260202074557.16544-1-lance.yang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Lance Yang When the TLB flush path already sends IPIs (e.g. native without INVLPGB, or KVM), tlb_remove_table_sync_mm() does not need to send another round. Add a property on pv_mmu_ops so each paravirt backend can indicate whether its flush_tlb_multi sends real IPIs; if so, tlb_remove_table_sync_mm() is a no-op. Native sets it in native_pv_tlb_init() when still using native_flush_tlb_multi() and INVLPGB is disabled. KVM sets it true; Xen and Hyper-V set it false because they use hypercalls. Also pass both freed_tables and unshared_tables from tlb_flush() into flush_tlb_mm_range() so lazy-TLB CPUs get IPIs during hugetlb unshare. Suggested-by: David Hildenbrand (Red Hat) Signed-off-by: Lance Yang --- arch/x86/hyperv/mmu.c | 5 +++++ arch/x86/include/asm/paravirt.h | 5 +++++ arch/x86/include/asm/paravirt_types.h | 6 ++++++ arch/x86/include/asm/tlb.h | 20 +++++++++++++++++++- arch/x86/kernel/kvm.c | 6 ++++++ arch/x86/kernel/paravirt.c | 18 ++++++++++++++++++ arch/x86/kernel/smpboot.c | 1 + arch/x86/xen/mmu_pv.c | 2 ++ include/asm-generic/tlb.h | 15 +++++++++++++++ mm/mmu_gather.c | 7 +++++++ 10 files changed, 84 insertions(+), 1 deletion(-) diff --git a/arch/x86/hyperv/mmu.c b/arch/x86/hyperv/mmu.c index cfcb60468b01..fc8fb275f295 100644 --- a/arch/x86/hyperv/mmu.c +++ b/arch/x86/hyperv/mmu.c @@ -243,4 +243,9 @@ void hyperv_setup_mmu_ops(void) =20 pr_info("Using hypercall for remote TLB flush\n"); pv_ops.mmu.flush_tlb_multi =3D hyperv_flush_tlb_multi; + /* + * Hyper-V uses hypercalls for TLB flush, not real IPIs. + * Keep the property as false. + */ + pv_ops.mmu.flush_tlb_multi_implies_ipi_broadcast =3D false; } diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravir= t.h index 13f9cd31c8f8..1fdbe3736f41 100644 --- a/arch/x86/include/asm/paravirt.h +++ b/arch/x86/include/asm/paravirt.h @@ -698,6 +698,7 @@ static __always_inline unsigned long arch_local_irq_sav= e(void) =20 extern void default_banner(void); void native_pv_lock_init(void) __init; +void native_pv_tlb_init(void) __init; =20 #else /* __ASSEMBLER__ */ =20 @@ -727,6 +728,10 @@ void native_pv_lock_init(void) __init; static inline void native_pv_lock_init(void) { } + +static inline void native_pv_tlb_init(void) +{ +} #endif #endif /* !CONFIG_PARAVIRT */ =20 diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/p= aravirt_types.h index 3502939415ad..d8aa519ef5e3 100644 --- a/arch/x86/include/asm/paravirt_types.h +++ b/arch/x86/include/asm/paravirt_types.h @@ -133,6 +133,12 @@ struct pv_mmu_ops { void (*flush_tlb_multi)(const struct cpumask *cpus, const struct flush_tlb_info *info); =20 + /* + * Indicates whether flush_tlb_multi IPIs provide sufficient + * synchronization during TLB flush when freeing or unsharing page tables. + */ + bool flush_tlb_multi_implies_ipi_broadcast; + /* Hook for intercepting the destruction of an mm_struct. */ void (*exit_mmap)(struct mm_struct *mm); void (*notify_page_enc_status_changed)(unsigned long pfn, int npages, boo= l enc); diff --git a/arch/x86/include/asm/tlb.h b/arch/x86/include/asm/tlb.h index 866ea78ba156..1e524d8e260a 100644 --- a/arch/x86/include/asm/tlb.h +++ b/arch/x86/include/asm/tlb.h @@ -5,10 +5,23 @@ #define tlb_flush tlb_flush static inline void tlb_flush(struct mmu_gather *tlb); =20 +#define tlb_table_flush_implies_ipi_broadcast tlb_table_flush_implies_ipi_= broadcast +static inline bool tlb_table_flush_implies_ipi_broadcast(void); + #include #include #include #include +#include + +static inline bool tlb_table_flush_implies_ipi_broadcast(void) +{ +#ifdef CONFIG_PARAVIRT + return pv_ops.mmu.flush_tlb_multi_implies_ipi_broadcast; +#else + return !cpu_feature_enabled(X86_FEATURE_INVLPGB); +#endif +} =20 static inline void tlb_flush(struct mmu_gather *tlb) { @@ -20,7 +33,12 @@ static inline void tlb_flush(struct mmu_gather *tlb) end =3D tlb->end; } =20 - flush_tlb_mm_range(tlb->mm, start, end, stride_shift, tlb->freed_tables); + /* + * During TLB flushes, pass both freed_tables and unshared_tables + * so lazy-TLB CPUs receive IPIs. + */ + flush_tlb_mm_range(tlb->mm, start, end, stride_shift, + tlb->freed_tables || tlb->unshared_tables); } =20 static inline void invlpg(unsigned long addr) diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index 37dc8465e0f5..6a5e47ee4eb6 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -856,6 +856,12 @@ static void __init kvm_guest_init(void) #ifdef CONFIG_SMP if (pv_tlb_flush_supported()) { pv_ops.mmu.flush_tlb_multi =3D kvm_flush_tlb_multi; + /* + * KVM's flush implementation calls native_flush_tlb_multi(), + * which sends real IPIs when INVLPGB is not available. + */ + if (!cpu_feature_enabled(X86_FEATURE_INVLPGB)) + pv_ops.mmu.flush_tlb_multi_implies_ipi_broadcast =3D true; pr_info("KVM setup pv remote TLB flush\n"); } =20 diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c index ab3e172dcc69..1af253c9f51d 100644 --- a/arch/x86/kernel/paravirt.c +++ b/arch/x86/kernel/paravirt.c @@ -60,6 +60,23 @@ void __init native_pv_lock_init(void) static_branch_enable(&virt_spin_lock_key); } =20 +void __init native_pv_tlb_init(void) +{ + /* + * Check if we're still using native TLB flush (not overridden by + * a PV backend) and don't have INVLPGB support. + * + * In this case, native IPI-based TLB flush provides sufficient + * synchronization for GUP-fast. + * + * PV backends (KVM, Xen, HyperV) should set this property in their + * own initialization code if their flush implementation sends IPIs. + */ + if (pv_ops.mmu.flush_tlb_multi =3D=3D native_flush_tlb_multi && + !cpu_feature_enabled(X86_FEATURE_INVLPGB)) + pv_ops.mmu.flush_tlb_multi_implies_ipi_broadcast =3D true; +} + struct static_key paravirt_steal_enabled; struct static_key paravirt_steal_rq_enabled; =20 @@ -173,6 +190,7 @@ struct paravirt_patch_template pv_ops =3D { .mmu.flush_tlb_kernel =3D native_flush_tlb_global, .mmu.flush_tlb_one_user =3D native_flush_tlb_one_user, .mmu.flush_tlb_multi =3D native_flush_tlb_multi, + .mmu.flush_tlb_multi_implies_ipi_broadcast =3D false, =20 .mmu.exit_mmap =3D paravirt_nop, .mmu.notify_page_enc_status_changed =3D paravirt_nop, diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c index 5cd6950ab672..3cdb04162843 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c @@ -1167,6 +1167,7 @@ void __init native_smp_prepare_boot_cpu(void) switch_gdt_and_percpu_base(me); =20 native_pv_lock_init(); + native_pv_tlb_init(); } =20 void __init native_smp_cpus_done(unsigned int max_cpus) diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c index 7a35c3393df4..b6d86299cf10 100644 --- a/arch/x86/xen/mmu_pv.c +++ b/arch/x86/xen/mmu_pv.c @@ -2185,6 +2185,8 @@ static const typeof(pv_ops) xen_mmu_ops __initconst = =3D { .flush_tlb_kernel =3D xen_flush_tlb, .flush_tlb_one_user =3D xen_flush_tlb_one_user, .flush_tlb_multi =3D xen_flush_tlb_multi, + /* Xen uses hypercalls for TLB flush, not real IPIs */ + .flush_tlb_multi_implies_ipi_broadcast =3D false, =20 .pgd_alloc =3D xen_pgd_alloc, .pgd_free =3D xen_pgd_free, diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h index 40eb74b28f9d..fae97c8bcceb 100644 --- a/include/asm-generic/tlb.h +++ b/include/asm-generic/tlb.h @@ -240,6 +240,21 @@ static inline void tlb_remove_table(struct mmu_gather = *tlb, void *table) } #endif /* CONFIG_MMU_GATHER_TABLE_FREE */ =20 +/* + * Architectures can override this to indicate whether TLB flush operations + * send IPIs that are sufficient to synchronize with lockless page table + * walkers (e.g., GUP-fast). If true, tlb_remove_table_sync_mm() becomes + * a no-op as the TLB flush already provided the necessary IPI. + * + * Default is false, meaning we need explicit IPIs via tlb_remove_table_sy= nc_mm(). + */ +#ifndef tlb_table_flush_implies_ipi_broadcast +static inline bool tlb_table_flush_implies_ipi_broadcast(void) +{ + return false; +} +#endif + #ifdef CONFIG_MMU_GATHER_RCU_TABLE_FREE /* * This allows an architecture that does not use the linux page-tables for diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c index 76573ec454e5..9620480c11ce 100644 --- a/mm/mmu_gather.c +++ b/mm/mmu_gather.c @@ -303,6 +303,13 @@ void tlb_remove_table_sync_mm(struct mm_struct *mm) bool found_any =3D false; int cpu; =20 + /* + * If the architecture's TLB flush already sent IPIs that are sufficient + * for synchronization, we don't need to send additional IPIs. + */ + if (tlb_table_flush_implies_ipi_broadcast()) + return; + if (WARN_ONCE(!mm, "NULL mm in %s\n", __func__)) { tlb_remove_table_sync_one(); return; --=20 2.49.0