Re: [RFC PATCH 1/2] mm/secretmem: try to restore large page mappings in direct map

[Mike Rapoport <rppt@kernel.org>]

On Thu, Jun 04, 2026 at 11:11:33AM +0800, Lance Yang wrote:
> On Wed, Jun 03, 2026 at 05:48:56PM +0200, David Hildenbrand (Arm) wrote:
> >On 6/3/26 15:09, Lance Yang wrote:
> >> 
> >> 
> >> On 2026/6/3 20:35, Mike Rapoport wrote:
> >>> On Wed, Jun 03, 2026 at 07:41:34PM +0800, Lance Yang wrote:
> >>>>
> >>>> Good point, I kept it separate on purpose :)
> >>>>
> >>>> Putting collapse into set_direct_map_default_noflush() would change the
> >>>> semantics of that helper a bit, IMHO.
> >>>
> >>> For x86 default means present + rw + PSE, so yuu can look at it as actually
> >>> better enforcing the semantics :)
> >> 
> >> Yep. One x86 detail though, default seems to miss _PAGE_GLOBAL today. Not
> >> sure if that is intentional or just historical. See patch #02.
> >> 
> >>>> I would expect arch_try_collapse_direct_map() to also be useful for cases
> >>>> where a direct-map permission change could split a large maping first,
> >>>> and the user wants to try restoring the large mapping after changing it
> >>>> back. One example[1] is making a direct-map range read-only for security,
> >>>> which I am also working on :)
> >>>
> >>> I don't think users should care. The users care for particular permissions
> >>> of a range in the direct map. It should be up to the architecture to select
> >>> most suitable mapping size. The splits are implicit, I don't see why
> >>> collapses can't be implicit as well.
> >> 
> >> And agreed, users should not care about the final mapping size, that is
> >> up to the arch.
> >> 
> >> TBH, my concern is making the collapse cost implicit for every
> >> set_direct_map_default_noflush() caller. I still lean toward keeping
> >> it opt-in, but happy to hear what folks prefer :)
> >
> >If we could easily do that automatically, that would likely be preferable.
> >
> >Especially given that we are getting other users of direct-map removal soon that
> >would face similar problems (e.g., guest_memfd).
> 
> Yeah. Makes sense to me ;)
> 
> >
> >What the performance impact of trying to collapse after every directmap update?
> >Imagine we have a full PMD range with directmap-removed PTEs?
> 
> Collapse can turn 512 PTEs into one PMD, and, if the large range is
> compatible, 512 PMDs into one PUD.
> 
> Eeah try walks the page tables, takes pgd_lock, and scans entries until
> it hits a non-present entry, mismatched flags, or non-contiguous PFN. The
> same kind of check is done for PMD entries before a PUD collapse.
> 
> If nothing collapses, it balis out without flush_tlb_all(). If at least
> one collapse succeeds, flush_tlb_all() is called once before freeing the
> old page tables, and that is probably the expensive part :)
> 
> So failed tries are cheaper that a real collapse, but not free.
> 
> Not sure how often the remove/restore cycles happens, whether automatic
> collapse is worth it depends on that. Keeping it explicit lets callers
> take that cost only when they know the collapse is really useful ...

The callers don't have any clue if the collapse is useful.

In secretmem case, it changes permissions of a single 4k page. How should
it decide whether to collapse or not? Or any other caller of set_memory_*
APIs for that matter?

Moreover, secretmem won't know if there are bpf allocations in the same PUD
that also hammer direct map permissions?

It's either we decide that large mappings in the direct map are worth
taking the cost of collapse or we live with the fragmented direct map.

And even though it's hard to measure, we'd need some numbers for at least
some use cases to get a feeling of what's involved.
 
> Thanks, Lance
> 

-- 
Sincerely yours,
Mike.