Re: [RFC PATCH v1 0/4] Reduce cost of ptep_get_lockless on arm64

From: David Hildenbrand
Date: Wed Apr 10 2024 - 16:09:51 EST


[...]

Skipping the ptdesc stuff we discussed offline, to not get distracted. :)

This stuff is killing me, sorry for the lengthy reply ...


So I've been looking at all this again, and getting myself even more confused.

I believe there are 2 classes of ptep_get_lockless() caller:

1) vmf->orig_pte = ptep_get_lockless(vmf->pte); in handle_pte_fault()
2) everyone else

Likely only completely lockless page table walkers where we *cannot* recheck under PTL is special. Essentially where we disable interrupts and rely on TLB flushes to sync against concurrent changes.

Let's take a look where ptep_get_lockless() comes from:

commit 2a4a06da8a4b93dd189171eed7a99fffd38f42f3
Author: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Date: Fri Nov 13 11:41:40 2020 +0100

mm/gup: Provide gup_get_pte() more generic

In order to write another lockless page-table walker, we need
gup_get_pte() exposed. While doing that, rename it to
ptep_get_lockless() to match the existing ptep_get() naming.


GUP-fast, when we were still relying on TLB flushes to sync against GUP-fast.

"With get_user_pages_fast(), we walk down the pagetables without taking any locks. For this we would like to load the pointers atomically, but sometimes that is not possible (e.g. without expensive cmpxchg8b on x86_32 PAE). What we do have is the guarantee that a PTE will only either go from not present to present, or present to not present or both -- it will not switch to a completely different present page without a TLB flush in between; something hat we are blocking by holding interrupts off."

Later, we added support for GUP-fast that introduced the !TLB variant:

commit 2667f50e8b81457fcb4a3dbe6aff3e81ea009e13
Author: Steve Capper <steve.capper@xxxxxxxxxx>
Date: Thu Oct 9 15:29:14 2014 -0700

mm: introduce a general RCU get_user_pages_fast()

With the pattern

/*
* In the line below we are assuming that the pte can be read
* atomically. If this is not the case for your architecture,
* please wrap this in a helper function!
*
* for an example see gup_get_pte in arch/x86/mm/gup.c
*/
pte_t pte = ACCESS_ONCE(*ptep);
..
if (unlikely(pte_val(pte) != pte_val(*ptep))) {
..


Whereby the mentioned arch/x86/mm/gup.c code did a straight pte_t pte = gup_get_pte(ptep) without any re-reading of PTEs. The PTE that was read was required to be sane, this the lengthy comment above ptep_get_lockless() that talks about TLB flushes.

The comment above ptep_get_lockless() for CONFIG_GUP_GET_PXX_LOW_HIGH is still full of details about TLB flushes syncing against GUP-fast. But as you note, we use it even in contexts where we don't disable interrupts and the TLB flush can't help.

We don't disable interrupts during page faults ... so most of the things described in ptep_get_lockless() don't really apply.

That's also the reason why ...

vmf->pte = pte_offset_map(vmf->pmd, vmf->address);
- vmf->orig_pte = *vmf->pte;
+ vmf->orig_pte = ptep_get_lockless(vmf->pte);
vmf->flags |= FAULT_FLAG_ORIG_PTE_VALID;

- /*
- * some architectures can have larger ptes than wordsize,
- * e.g.ppc44x-defconfig has CONFIG_PTE_64BIT=y and
- * CONFIG_32BIT=y, so READ_ONCE cannot guarantee atomic
- * accesses. The code below just needs a consistent view
- * for the ifs and we later double check anyway with the
- * ptl lock held. So here a barrier will do.
- */
- barrier();
if (pte_none(vmf->orig_pte)) {

.. that code was in place. We would possibly read garbage PTEs, but would recheck *under PTL* (where the PTE can no longer change) that what we read wasn't garbage and didn't change.


--

(2) All the other users require that a subset of the pte fields are
self-consistent; specifically they don't care about access, dirty, uffd-wp or
soft-dirty. arm64 can guarrantee that all the other bits are self-consistent
just by calling ptep_get().

Let's focus on access+dirty for now ;)


--

So, I'm making the bold claim that it was never neccessary to specialize
pte_get_lockless() on arm64, and I *think* we could just delete it so that
ptep_get_lockless() resolves to ptep_get() on arm64. That solves the original
aim without needing to introduce "norecency" variants.

Additionally I propose documenting ptep_get_lockless() to describe the set of
fields that are guarranteed to be self-consistent and the remaining fields which
are self-consistent only with best-effort.

Could it be this easy? My head is hurting...

I think what has to happen is:

(1) pte_get_lockless() must return the same value as ptep_get() as long as there are no races. No removal/addition of access/dirty bits etc.

(2) Lockless page table walkers that later verify under the PTL can handle serious "garbage PTEs". This is our page fault handler.

(3) Lockless page table walkers that cannot verify under PTL cannot handle arbitrary garbage PTEs. This is GUP-fast. Two options:

(3a) pte_get_lockless() can atomically read the PTE: We re-check later if the atomically-read PTE is still unchanged (without PTL). No IPI for TLB flushes required. This is the common case. HW might concurrently set access/dirty bits, so we can race with that. But we don't read garbage.

(3b) pte_get_lockless() cannot atomically read the PTE: We need special magic to read somewhat-sane PTEs and need IPIs during TLB flushes to sync against serious PTE changes (e.g., present -> present). This is weird x86-PAE.


If ptep_get() on arm64 can do (1), (2) and (3a), we might be good.

My head is hurting ...

--
Cheers,

David / dhildenb