Re: [PATCH 7.2 v10 1/2] mm/mmu_gather: prepare to skip redundant sync IPIs

[Lance Yang <lance.yang@linux.dev>]

On Fri, Apr 24, 2026 at 02:25:27PM +0800, Lance Yang wrote:
>From: Lance Yang <lance.yang@linux.dev>
>
>When page table operations require synchronization with software/lockless
>walkers, they call tlb_remove_table_sync_{one,rcu}() after flushing the
>TLB (tlb->freed_tables or tlb->unshared_tables).
>
>On architectures where the TLB flush already sends IPIs to all target CPUs,
>the subsequent sync IPI broadcast is redundant. This is not only costly on
>large systems where it disrupts all CPUs even for single-process page table
>operations, but has also been reported to hurt RT workloads[1].
>
>Introduce tlb_table_flush_implies_ipi_broadcast() to check if the prior TLB
>flush already provided the necessary synchronization. When true, the sync
>calls can early-return.
>
>A few cases rely on this synchronization:
>
>1) hugetlb PMD unshare[2]: The problem is not the freeing but the reuse
>   of the PMD table for other purposes in the last remaining user after
>   unsharing.
>
>2) khugepaged collapse[3]: Ensure no concurrent GUP-fast before collapsing
>   and (possibly) freeing the page table / re-depositing it.
>
>Currently always returns false (no behavior change). The follow-up patch
>will enable the optimization for x86.
>
>[1] https://lore.kernel.org/linux-mm/1b27a3fa-359a-43d0-bdeb-c31341749367@kernel.org/
>[2] https://lore.kernel.org/linux-mm/6a364356-5fea-4a6c-b959-ba3b22ce9c88@kernel.org/
>[3] https://lore.kernel.org/linux-mm/2cb4503d-3a3f-4f6c-8038-7b3d1c74b3c2@kernel.org/
>
>Suggested-by: David Hildenbrand (Arm) <david@kernel.org>
>Acked-by: David Hildenbrand (Arm) <david@kernel.org>
>Signed-off-by: Lance Yang <lance.yang@linux.dev>
>---
> include/asm-generic/tlb.h | 17 +++++++++++++++++
> mm/mmu_gather.c           | 15 +++++++++++++++
> 2 files changed, 32 insertions(+)
>
>diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
>index bdcc2778ac64..cb41cc6a0024 100644
>--- a/include/asm-generic/tlb.h
>+++ b/include/asm-generic/tlb.h
>@@ -240,6 +240,23 @@ static inline void tlb_remove_table(struct mmu_gather *tlb, void *table)
> }
> #endif /* CONFIG_MMU_GATHER_TABLE_FREE */
> 
>+/**
>+ * tlb_table_flush_implies_ipi_broadcast - does TLB flush imply IPI sync
>+ *
>+ * When page table operations require synchronization with software/lockless
>+ * walkers, they flush the TLB (tlb->freed_tables or tlb->unshared_tables)
>+ * then call tlb_remove_table_sync_{one,rcu}(). If the flush already sent
>+ * IPIs to all CPUs, the sync call is redundant.
>+ *
>+ * Returns false by default. Architectures can override by defining this.
>+ */
>+#ifndef tlb_table_flush_implies_ipi_broadcast
>+static inline bool tlb_table_flush_implies_ipi_broadcast(void)
>+{
>+	return false;
>+}
>+#endif
>+
> #ifdef CONFIG_MMU_GATHER_RCU_TABLE_FREE
> /*
>  * This allows an architecture that does not use the linux page-tables for
>diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c
>index 3985d856de7f..37a6a711c37e 100644
>--- a/mm/mmu_gather.c
>+++ b/mm/mmu_gather.c
>@@ -283,6 +283,14 @@ void tlb_remove_table_sync_one(void)
> 	 * It is however sufficient for software page-table walkers that rely on
> 	 * IRQ disabling.
> 	 */
>+
>+	/*
>+	 * Skip IPI if the preceding TLB flush already synchronized with
>+	 * all CPUs that could be doing software/lockless page table walks.
>+	 */
>+	if (tlb_table_flush_implies_ipi_broadcast())
>+		return;

Sashiko told me[1]:

"
Could skipping the global IPI fail to synchronize with lockless walkers
running outside the mm_cpumask?

tlb_remove_table_sync_one() is used (e.g., by khugepaged during THP collapse)
to wait for lockless page table walkers to finish. On 32-bit architectures
like x86 PAE, pmdp_get_lockless() disables interrupts to prevent torn reads
of 64-bit PMDs.

While the preceding TLB flush sends IPIs to CPUs in the target mm's
mm_cpumask, lockless walkers such as pte_offset_map() are frequently executed
by background threads unrelated to the target mm (e.g., kswapd via
page_vma_mapped_walk()). These threads run on CPUs outside of mm_cpumask
and would not receive the TLB flush IPI.

If the global smp_call_function(..., 1) IPI is skipped, the modifying thread
might not wait for kswapd. Could this allow it to overwrite the PMD while the
out-of-context reader is reading it, resulting in a torn PMD?
"

Afraid not.

When CONFIG_MMU_GATHER_RCU_TABLE_FREE=n, tlb_remove_table_sync_one() is
just a NOP.

So if lockless walkers outside mm_cpumask really required a separate
global IPI here, systems running with CONFIG_MMU_GATHER_RCU_TABLE_FREE=n
would already be broken today, because there is no such IPI there to
begin with :)

[1] https://sashiko.dev/#/patchset/20260424062528.71951-1-lance.yang@linux.dev

>
> 	smp_call_function(tlb_remove_table_smp_sync, NULL, 1);
> }
> 
>@@ -312,6 +320,13 @@ static void tlb_remove_table_free(struct mmu_table_batch *batch)
>  */
> void tlb_remove_table_sync_rcu(void)
> {
>+	/*
>+	 * Skip RCU wait if the preceding TLB flush already synchronized
>+	 * with all CPUs that could be doing software/lockless page table walks.
>+	 */
>+	if (tlb_table_flush_implies_ipi_broadcast())
>+		return;
>+

And Sashiko also pointed out[2]:

"
Does skipping synchronize_rcu() here violate the RCU lifetime guarantee of
page tables?

Generic software page table walkers, such as pte_offset_map(), rely strictly
on rcu_read_lock() to protect page table pages from being freed concurrently.
Crucially, they execute with hardware interrupts enabled.

Under CONFIG_PREEMPT_RCU, an IPI broadcast does not wait for rcu_read_lock()
critical sections to complete. The IPI simply interrupts the reader, executes
the flush, and returns immediately.

Could this allow the page table to be freed while the reader is still actively
accessing it, leading to a use-after-free for concurrent pte_offset_map()
readers?
"

Nop.

tlb_remove_table_sync_rcu() still has a single caller: the
!CONFIG_PT_RECLAIM __tlb_remove_table_one() fallback. It was introduced
for that slow batch-allocation-failure path in 1fb3d8c20bfa
("mm/mmu_gather: replace IPI with synchronize_rcu() when batch
allocation fails"), replacing the previous tlb_remove_table_sync_one()
there.

So if pte_offset_map() readers really required a full RCU grace period
in that fallback path, that concern would already have existed before
1fb3d8c20bfa.

So we're safe here :)

[2] https://sashiko.dev/#/patchset/20260424062528.71951-1-lance.yang@linux.dev

> 	synchronize_rcu();
> }
> 
>-- 
>2.49.0
>
>