[RFC PATCH v2 3/7] arm64/runtime-const: Use aarch64_insn_patch_text_nosync() for patching

[RFC PATCH v2 3/7] arm64/runtime-const: Use aarch64_insn_patch_text_nosync() for patching
Posted by K Prateek Nayak 3 weeks ago
The current scheme to directly patch the kernel text for runtime
constants runs into the following issue with futex adapted to using
runtime constants on arm64:

  Unable to handle kernel write to read-only memory at virtual address fff0000000378fc8
  Mem abort info:
    ESR = 0x000000009600004e
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x0e: level 2 permission fault
  Data abort info:
    ISV = 0, ISS = 0x0000004e, ISS2 = 0x00000000
    CM = 0, WnR = 1, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  swapper pgtable: 4k pages, 52-bit VAs, pgdp=00000000420a7000
  [fff0000000378fc8] pgd=18000000bffff403, p4d=18000000bfffe403, pud=18000000bfffd403, pmd=0060000040200481
  Internal error: Oops: 000000009600004e [#1]  SMP
  Modules linked in:
  CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-rc6-00004-g7e6457d29e6a-dirty #291 PREEMPT
  Hardware name: linux,dummy-virt (DT)
  pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
  pc : futex_init+0x13c/0x348
  lr : futex_init+0xc8/0x348
  sp : ffff80008002bd40
  x29: ffff80008002bd40 x28: ffffa4b73ba0a160 x27: ffffa4b73bd10d74
  x26: ffffa4b73cb68b28 x25: ffffa4b73ba0b000 x24: ffffa4b73c66b000
  x23: 0000000000003fe0 x22: 0000000000000000 x21: ffffa4b73bd10d74
  x20: 0000000000008000 x19: 0000000000000000 x18: 00000000ffffffff
  x17: 000000007014db06 x16: ffffa4b73ca3ec08 x15: ffff80010002b937
  x14: 0000000000000006 x13: fff0000077200000 x12: 00000000000002b2
  x11: 00000000000000e6 x10: fff0000079e00000 x9 : fff0000077200000
  x8 : fff00000034df9e0 x7 : 0000000000000200 x6 : ffffa4b73ba0b000
  x5 : fff0000003510000 x4 : 0000000052803fe0 x3 : 0000000072a00000
  x2 : fff0000000378fc8 x1 : ffffa4b739d78fd0 x0 : ffffa4b739d78fc8
  Call trace:
   futex_init+0x13c/0x348 (P)
   do_one_initcall+0x6c/0x1b0
   kernel_init_freeable+0x204/0x2e0
   kernel_init+0x20/0x1d8
   ret_from_fork+0x10/0x20
  Code: 120b3c84 120b3c63 2a170084 2a130063 (29000c44)
  ---[ end trace 0000000000000000 ]---

The pc at "futex_init+0x13c/0x348" points to:

  futex_init()
    runtime_const_init(shift, __futex_shift)
      __runtime_fixup_shift()
        *p = cpu_to_le32(insn); /* <--- Here --- */

... which suggests that core_initcall() runs too late to patch the kernel
text directly, unlike "d_hash_shift" and "__names_cache", which are
initialized during start_kernel() before the protections are in place.

Use aarch64_insn_patch_text_nosync() to patch the runtime constants
instead of doing it directly to allow for running runtime_const_init()
slightly later into the boot.

Since aarch64_insn_patch_text_nosync() calls caches_clean_inval_pou()
internally, __runtime_fixup_caches() ends up being redundant.
runtime_const_init() are rare and the overheads of multiple calls to
caches_clean_inval_pou() instead of batching them together should be
negligible in practice.

At least one usage in kprobes.c suggests cpu_to_le32() conversion is not
necessary for aarch64_insn_patch_text_nosync() unlike in the current
scheme of patching *p directly.

Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
---
 arch/arm64/include/asm/runtime-const.h | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/arch/arm64/include/asm/runtime-const.h b/arch/arm64/include/asm/runtime-const.h
index 4c3f0b9aad98..764e244f06a4 100644
--- a/arch/arm64/include/asm/runtime-const.h
+++ b/arch/arm64/include/asm/runtime-const.h
@@ -7,6 +7,7 @@
 #endif
 
 #include <asm/cacheflush.h>
+#include <asm/text-patching.h>
 
 /* Sigh. You can still run arm64 in BE mode */
 #include <asm/byteorder.h>
@@ -63,13 +64,7 @@ static inline void __runtime_fixup_16(__le32 *p, unsigned int val)
 	u32 insn = le32_to_cpu(*p);
 	insn &= 0xffe0001f;
 	insn |= (val & 0xffff) << 5;
-	*p = cpu_to_le32(insn);
-}
-
-static inline void __runtime_fixup_caches(void *where, unsigned int insns)
-{
-	unsigned long va = (unsigned long)where;
-	caches_clean_inval_pou(va, va + 4*insns);
+	aarch64_insn_patch_text_nosync(p, insn);
 }
 
 static inline void __runtime_fixup_ptr(void *where, unsigned long val)
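Review bot: The return value of aarch64_insn_patch_text_nosync() is dropped on the line that replaces `*p = cpu_to_le32(insn);`, and likewise in the __runtime_fixup_shift hunk below; the direct store used to fault loudly (as the oops in the commit message shows), whereas a failed patch now leaves the immediate at its build-time placeholder and the kernel silently carries on with a wrong constant. The helper returns an int (-EINVAL for an unaligned target, otherwise the result of the underlying write, if I read patching.c correctly), so I would keep a failure visible, e.g. `WARN_ON(aarch64_insn_patch_text_nosync(p, insn));`. Separately, `p` in these fixups is the `lm_alias()` of `where` (see the `__le32 *p = lm_alias(where);` context in the __runtime_fixup_mask hunk); that alias only existed to reach the text through the writable linear map, while aarch64_insn_patch_text_nosync() maps its target itself and, as far as I can tell, expects the image or module text address, so passing `where` rather than the alias looks safer while the read through `*p` can stay as is. __runtime_fixup_16 starts before this hunk, so its declaration of `p` is not visible here.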
@@ -79,7 +74,6 @@ static inline void __runtime_fixup_ptr(void *where, unsigned long val)
 	__runtime_fixup_16(p+1, val >> 16);
 	__runtime_fixup_16(p+2, val >> 32);
 	__runtime_fixup_16(p+3, val >> 48);
-	__runtime_fixup_caches(where, 4);
 }
 
 /* Immediate value is 6 bits starting at bit #16 */
@@ -89,8 +83,7 @@ static inline void __runtime_fixup_shift(void *where, unsigned long val)
 	u32 insn = le32_to_cpu(*p);
 	insn &= 0xffc0ffff;
 	insn |= (val & 63) << 16;
-	*p = cpu_to_le32(insn);
-	__runtime_fixup_caches(where, 1);
+	aarch64_insn_patch_text_nosync(p, insn);
 }
 
 /* Immediate value is 6 bits starting at bit #16 */
@@ -99,7 +92,6 @@ static inline void __runtime_fixup_mask(void *where, unsigned long val)
 	__le32 *p = lm_alias(where);
 	__runtime_fixup_16(p, val);
 	__runtime_fixup_16(p+1, val >> 16);
-	__runtime_fixup_caches(where, 2);
 }
 
 static inline void runtime_const_fixup(void (*fn)(void *, unsigned long),
-- 
2.43.0
Re: [RFC PATCH v2 3/7] arm64/runtime-const: Use aarch64_insn_patch_text_nosync() for patching
Posted by David Laight 3 weeks ago
On Mon, 16 Mar 2026 05:23:57 +0000
K Prateek Nayak <kprateek.nayak@amd.com> wrote:

> The current scheme to directly patch the kernel text for runtime
> constants runs into the following issue with futex adapted to using
> runtime constants on arm64:

Doesn't this need to come before the previous patch?

	David

> 
>   Unable to handle kernel write to read-only memory at virtual address fff0000000378fc8
>   Mem abort info:
>     ESR = 0x000000009600004e
>     EC = 0x25: DABT (current EL), IL = 32 bits
>     SET = 0, FnV = 0
>     EA = 0, S1PTW = 0
>     FSC = 0x0e: level 2 permission fault
>   Data abort info:
>     ISV = 0, ISS = 0x0000004e, ISS2 = 0x00000000
>     CM = 0, WnR = 1, TnD = 0, TagAccess = 0
>     GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>   swapper pgtable: 4k pages, 52-bit VAs, pgdp=00000000420a7000
>   [fff0000000378fc8] pgd=18000000bffff403, p4d=18000000bfffe403, pud=18000000bfffd403, pmd=0060000040200481
>   Internal error: Oops: 000000009600004e [#1]  SMP
>   Modules linked in:
>   CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-rc6-00004-g7e6457d29e6a-dirty #291 PREEMPT
>   Hardware name: linux,dummy-virt (DT)
>   pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
>   pc : futex_init+0x13c/0x348
>   lr : futex_init+0xc8/0x348
>   sp : ffff80008002bd40
>   x29: ffff80008002bd40 x28: ffffa4b73ba0a160 x27: ffffa4b73bd10d74
>   x26: ffffa4b73cb68b28 x25: ffffa4b73ba0b000 x24: ffffa4b73c66b000
>   x23: 0000000000003fe0 x22: 0000000000000000 x21: ffffa4b73bd10d74
>   x20: 0000000000008000 x19: 0000000000000000 x18: 00000000ffffffff
>   x17: 000000007014db06 x16: ffffa4b73ca3ec08 x15: ffff80010002b937
>   x14: 0000000000000006 x13: fff0000077200000 x12: 00000000000002b2
>   x11: 00000000000000e6 x10: fff0000079e00000 x9 : fff0000077200000
>   x8 : fff00000034df9e0 x7 : 0000000000000200 x6 : ffffa4b73ba0b000
>   x5 : fff0000003510000 x4 : 0000000052803fe0 x3 : 0000000072a00000
>   x2 : fff0000000378fc8 x1 : ffffa4b739d78fd0 x0 : ffffa4b739d78fc8
>   Call trace:
>    futex_init+0x13c/0x348 (P)
>    do_one_initcall+0x6c/0x1b0
>    kernel_init_freeable+0x204/0x2e0
>    kernel_init+0x20/0x1d8
>    ret_from_fork+0x10/0x20
>   Code: 120b3c84 120b3c63 2a170084 2a130063 (29000c44)
>   ---[ end trace 0000000000000000 ]---
> 
> The pc at "futex_init+0x13c/0x348" points to:
> 
>   futex_init()
>     runtime_const_init(shift, __futex_shift)
>       __runtime_fixup_shift()
>         *p = cpu_to_le32(insn); /* <--- Here --- */
> 
> ... which points to core_initcall() being too late to patch the kernel
> text directly unlike the "d_hash_shift", "__names_cache" which are
> initialized during start_kernel() before the protections are in place.
> 
> Use aarch64_insn_patch_text_nosync() to patch the runtime constants
> instead of doing it directly to allow for running runtime_const_init()
> slightly later into the boot.
> 
> Since aarch64_insn_patch_text_nosync() calls caches_clean_inval_pou()
> internally, __runtime_fixup_caches() ends up being redundant.
> runtime_const_init() are rare and the overheads of multiple calls to
> caches_clean_inval_pou() instead of batching them together should be
> negligible in practice.
> 
> At least one usage in kprobes.c suggests cpu_to_le32() conversion is not
> necessary for aarch64_insn_patch_text_nosync() unlike in the current
> scheme of patching *p directly.
> 
> Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
> ---
>  arch/arm64/include/asm/runtime-const.h | 14 +++-----------
>  1 file changed, 3 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/runtime-const.h b/arch/arm64/include/asm/runtime-const.h
> index 4c3f0b9aad98..764e244f06a4 100644
> --- a/arch/arm64/include/asm/runtime-const.h
> +++ b/arch/arm64/include/asm/runtime-const.h
> @@ -7,6 +7,7 @@
>  #endif
>  
>  #include <asm/cacheflush.h>
> +#include <asm/text-patching.h>
>  
>  /* Sigh. You can still run arm64 in BE mode */
>  #include <asm/byteorder.h>
> @@ -63,13 +64,7 @@ static inline void __runtime_fixup_16(__le32 *p, unsigned int val)
>  	u32 insn = le32_to_cpu(*p);
>  	insn &= 0xffe0001f;
>  	insn |= (val & 0xffff) << 5;
> -	*p = cpu_to_le32(insn);
> -}
> -
> -static inline void __runtime_fixup_caches(void *where, unsigned int insns)
> -{
> -	unsigned long va = (unsigned long)where;
> -	caches_clean_inval_pou(va, va + 4*insns);
> +	aarch64_insn_patch_text_nosync(p, insn);
>  }
>  
>  static inline void __runtime_fixup_ptr(void *where, unsigned long val)
> @@ -79,7 +74,6 @@ static inline void __runtime_fixup_ptr(void *where, unsigned long val)
>  	__runtime_fixup_16(p+1, val >> 16);
>  	__runtime_fixup_16(p+2, val >> 32);
>  	__runtime_fixup_16(p+3, val >> 48);
> -	__runtime_fixup_caches(where, 4);
>  }
>  
>  /* Immediate value is 6 bits starting at bit #16 */
> @@ -89,8 +83,7 @@ static inline void __runtime_fixup_shift(void *where, unsigned long val)
>  	u32 insn = le32_to_cpu(*p);
>  	insn &= 0xffc0ffff;
>  	insn |= (val & 63) << 16;
> -	*p = cpu_to_le32(insn);
> -	__runtime_fixup_caches(where, 1);
> +	aarch64_insn_patch_text_nosync(p, insn);
>  }
>  
>  /* Immediate value is 6 bits starting at bit #16 */
> @@ -99,7 +92,6 @@ static inline void __runtime_fixup_mask(void *where, unsigned long val)
>  	__le32 *p = lm_alias(where);
>  	__runtime_fixup_16(p, val);
>  	__runtime_fixup_16(p+1, val >> 16);
> -	__runtime_fixup_caches(where, 2);
>  }
>  
>  static inline void runtime_const_fixup(void (*fn)(void *, unsigned long),
Re: [RFC PATCH v2 3/7] arm64/runtime-const: Use aarch64_insn_patch_text_nosync() for patching
Posted by K Prateek Nayak 3 weeks ago
Hello David,

On 3/16/2026 5:22 PM, David Laight wrote:
>> The current scheme to directly patch the kernel text for runtime
>> constants runs into the following issue with futex adapted to using
>> runtime constants on arm64:
> 
> Doesn't this need to come before the previous patch?

My rationale was that this didn't make a difference until
the final futex changes so I didn't pay much attention to
how they were ordered.

I will rearrange these the other way around in the next
version to keep this independent of introduction of
runtime_const_mask_32().

Thank you again for taking a look at the series.

-- 
Thanks and Regards,
Prateek