[PATCH v3 0/5] ARM: Remaining PREEMPT_RT bits

[PATCH v3 0/5] ARM: Remaining PREEMPT_RT bits

[Sebastian Andrzej Siewior]

this is the last batch I have to enable PREEMPT_RT on the ARM
architecture.
Last time I posted them there was some discussion about making the
branch predictor hardening worse. I redid it hoping it improved now and
does not make it worse.

Is this okay now?

v2…v3: https://lore.kernel.org/all/20251103101545.760243-1-bigeasy@linutronix.de
  - Collected tags.

v1…v2: https://lore.kernel.org/all/20251029155918.503060-1-bigeasy@linutronix.de
  - Allow to enable jump-labels on UP. The UP build does not involve
    stop_machine(). Reworked by Arnd.

  - Instead of forbidding HAVE_GUP_FAST with HIGHPTE enabled just
    disable HIGHPTE on PREEMPT_RT. As Arnd explained, HIGHPTE is rarely
    needed.

  - Don't let ARCH_SUPPORTS_RT depend on HAVE_POSIX_CPU_TIMERS_TASK_WORK
    which in turn depends on !KVM. Since KVM has been removed from ARM
    it is sufficient to unconditionally allow ARCH_SUPPORTS_RT. Noted
    by Arnd.

Sebastian Andrzej Siewior (3):
  ARM: mm: fault: Move harden_branch_predictor() before interrupts are
    enabled
  ARM: Disable HIGHPTE on PREEMPT_RT kernels
  ARM: Allow to enable RT

Thomas Gleixner (1):
  ARM: Disable jump-label on PREEMPT_RT

Yadi.hu (1):
  ARM: mm: fault: Enable interrupts before invoking __do_user_fault()

 arch/arm/Kconfig    |  5 +++--
 arch/arm/mm/fault.c | 16 ++++++++++------
 2 files changed, 13 insertions(+), 8 deletions(-)

-- 
2.51.0

[PATCH v3 1/5] ARM: mm: fault: Move harden_branch_predictor() before interrupts are enabled

[Sebastian Andrzej Siewior]

In the LPAE case, interrupts are enabled early in do_page_fault(). If
the user attempts to access a pointer > TASK_SIZE then is invoked
harden_branch_predictor(). The function will complain that CPU migration
is enabled due to its smp_processor_id() usage.

The intention is invoke harden_branch_predictor() on the CPU which
triggered the page fault. It is only invoked for user access of pointer
> TASK_SIZE. This always generate a fault for the user because this area
is restricted to the kernel.

Move the invocation of harden_branch_predictor() up in the call chain to
the two callers do_bad_area() and do_page_fault().
Invoke it if the user accesses the >= TASK_SIZE area.

Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 arch/arm/mm/fault.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c0..5d28c28e877c1 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -183,9 +183,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
 {
 	struct task_struct *tsk = current;
 
-	if (addr > TASK_SIZE)
-		harden_branch_predictor();
-
 #ifdef CONFIG_DEBUG_USER
 	if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
 	    ((user_debug & UDBG_BUS)  && (sig == SIGBUS))) {
@@ -218,10 +215,13 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 	 * If we are in kernel mode at this point, we
 	 * have no context to handle this fault with.
 	 */
-	if (user_mode(regs))
+	if (user_mode(regs)) {
+		if (addr >= TASK_SIZE)
+			harden_branch_predictor();
 		__do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
-	else
+	} else {
 		__do_kernel_fault(mm, addr, fsr, regs);
+	}
 }
 
 #ifdef CONFIG_MMU
@@ -274,8 +274,11 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 
 
 	/* Enable interrupts if they were enabled in the parent context. */
-	if (interrupts_enabled(regs))
+	if (interrupts_enabled(regs)) {
+		if (user_mode(regs) && addr >= TASK_SIZE)
+			harden_branch_predictor();
 		local_irq_enable();
+	}
 
 	/*
 	 * If we're in an interrupt or have no user
-- 
2.51.0

[PATCH v3 2/5] ARM: mm: fault: Enable interrupts before invoking __do_user_fault()

[Sebastian Andrzej Siewior]

From: "Yadi.hu" <yadi.hu@windriver.com>

In the !LPAE case __do_user_fault() is invoked from do_bad_area(). If a
user pointer cause the page fault then a signal is sent.

Sending a signal requires to acquire sighand_struct::siglock which is a
spinlock_t. On PREEMPT_RT spinlock_t becomes a sleeping spin lock which
requires interrupts to be enabled. Since the calling context is user
land, interrupts must have been enabled so it is fine to enable them in
this case.

Enable interrupts in do_bad_area() before invoking __do_user_fault().

[bigeasy: Initial patch/ report by Yadi. Maintained the patch and redid
          the patch description since]

Signed-off-by: Yadi.hu <yadi.hu@windriver.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 arch/arm/mm/fault.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 5d28c28e877c1..ad58c1e22a5f9 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -218,6 +218,7 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 	if (user_mode(regs)) {
 		if (addr >= TASK_SIZE)
 			harden_branch_predictor();
+		local_irq_enable();
 		__do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
 	} else {
 		__do_kernel_fault(mm, addr, fsr, regs);
-- 
2.51.0

[PATCH v3 3/5] ARM: Disable jump-label on PREEMPT_RT

[Sebastian Andrzej Siewior]

From: Thomas Gleixner <tglx@linutronix.de>

jump-labels are used to efficiently switch between two possible code
paths. To achieve this, stop_machine() is used to keep the CPU in a
known state while the opcode is modified. The usage of stop_machine()
here leads to large latency spikes which can be observed on PREEMPT_RT.

Jump labels may change the target during runtime and are not restricted
to debug or "configuration/ setup" part of a PREEMPT_RT system where
high latencies could be defined as acceptable.

On 64-bit Arm, it is possible to use jump labels without the
stop_machine() call, which architecturally provides a way to atomically
change one 32-bit instruction word while keeping maintaining consistency,
but this is not generally the case on 32-bit, in particular in thumb2
mode.

Disable jump-label support on a PREEMPT_RT system when SMP is enabled.

[bigeasy: Patch description.]
[arnd: add !SMP case, extend changelog]

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 arch/arm/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 4fb985b76e97f..5941566df3ed0 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -82,7 +82,7 @@ config ARM
 	select HAS_IOPORT
 	select HAVE_ARCH_AUDITSYSCALL if AEABI && !OABI_COMPAT
 	select HAVE_ARCH_BITREVERSE if (CPU_32v7M || CPU_32v7) && !CPU_32v6
-	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32 && MMU
+	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL && !CPU_ENDIAN_BE32 && MMU && (!PREEMPT_RT || !SMP)
 	select HAVE_ARCH_KFENCE if MMU && !XIP_KERNEL
 	select HAVE_ARCH_KGDB if !CPU_ENDIAN_BE32 && MMU
 	select HAVE_ARCH_KASAN if MMU && !XIP_KERNEL
-- 
2.51.0

[PATCH v3 4/5] ARM: Disable HIGHPTE on PREEMPT_RT kernels

[Sebastian Andrzej Siewior]

gup_pgd_range() is invoked with disabled interrupts and invokes
__kmap_local_page_prot() via pte_offset_map(), gup_p4d_range().
With HIGHPTE enabled, __kmap_local_page_prot() invokes kmap_high_get()
which uses a spinlock_t via lock_kmap_any(). This leads to an
sleeping-while-atomic error on PREEMPT_RT because spinlock_t becomes a
sleeping lock and must not be acquired in atomic context.

The loop in map_new_virtual() uses wait_queue_head_t for wake up which
also is using a spinlock_t.

Since HIGHPTE is rarely needed at all, turn it off for PREEMPT_RT
to allow the use of get_user_pages_fast().

[arnd: rework patch to turn off HIGHPTE instead of HAVE_PAST_GUP]

Co-developed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 arch/arm/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 5941566df3ed0..822d378f81ec8 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1215,7 +1215,7 @@ config HIGHMEM
 
 config HIGHPTE
 	bool "Allocate 2nd-level pagetables from highmem" if EXPERT
-	depends on HIGHMEM
+	depends on HIGHMEM && !PREEMPT_RT
 	default y
 	help
 	  The VM uses one page of physical memory for each page table.
-- 
2.51.0

[PATCH v3 5/5] ARM: Allow to enable RT

[Sebastian Andrzej Siewior]

All known issues have been adressed.
Allow to select RT.

Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 arch/arm/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 822d378f81ec8..b32f85f14c28a 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -41,6 +41,7 @@ config ARM
 	select ARCH_SUPPORTS_CFI
 	select ARCH_SUPPORTS_HUGETLBFS if ARM_LPAE
 	select ARCH_SUPPORTS_PER_VMA_LOCK
+	select ARCH_SUPPORTS_RT
 	select ARCH_USE_BUILTIN_BSWAP
 	select ARCH_USE_CMPXCHG_LOCKREF
 	select ARCH_USE_MEMTEST
-- 
2.51.0

Re: [PATCH v3 0/5] ARM: Remaining PREEMPT_RT bits

[Arnd Bergmann]

On Mon, Nov 10, 2025, at 15:55, Sebastian Andrzej Siewior wrote:
> this is the last batch I have to enable PREEMPT_RT on the ARM
> architecture.
> Last time I posted them there was some discussion about making the
> branch predictor hardening worse. I redid it hoping it improved now and
> does not make it worse.
>
> Is this okay now?

Looks all good to me.

Please send the series to patches@armlinux.org.uk according to the
description at https://www.arm.linux.org.uk/developer/patches/info.php

You can use

$ git send-email --add-header=\"KernelVersion: $(git describe --abbrev=0)\" --to="patches@arm.linux.org.uk" --suppress-cc=all


     Arnd

Re: [PATCH v3 0/5] ARM: Remaining PREEMPT_RT bits

[Sebastian Andrzej Siewior]

On 2025-11-11 16:16:52 [+0100], Arnd Bergmann wrote:
> Looks all good to me.
> 
> Please send the series to patches@armlinux.org.uk according to the
> description at https://www.arm.linux.org.uk/developer/patches/info.php
> 
> You can use
> 
> $ git send-email --add-header=\"KernelVersion: $(git describe --abbrev=0)\" --to="patches@arm.linux.org.uk" --suppress-cc=all

Just did so, thank you.

>      Arnd

Sebastian

Re: [PATCH v3 0/5] ARM: Remaining PREEMPT_RT bits

[Bryan Brattlof]

On November 10, 2025 thus sayeth Sebastian Andrzej Siewior:
> this is the last batch I have to enable PREEMPT_RT on the ARM
> architecture.
> Last time I posted them there was some discussion about making the
> branch predictor hardening worse. I redid it hoping it improved now and
> does not make it worse.
> 
> Is this okay now?
> 
> v2…v3: https://lore.kernel.org/all/20251103101545.760243-1-bigeasy@linutronix.de
>   - Collected tags.
> 
> v1…v2: https://lore.kernel.org/all/20251029155918.503060-1-bigeasy@linutronix.de
>   - Allow to enable jump-labels on UP. The UP build does not involve
>     stop_machine(). Reworked by Arnd.
> 
>   - Instead of forbidding HAVE_GUP_FAST with HIGHPTE enabled just
>     disable HIGHPTE on PREEMPT_RT. As Arnd explained, HIGHPTE is rarely
>     needed.
> 
>   - Don't let ARCH_SUPPORTS_RT depend on HAVE_POSIX_CPU_TIMERS_TASK_WORK
>     which in turn depends on !KVM. Since KVM has been removed from ARM
>     it is sufficient to unconditionally allow ARCH_SUPPORTS_RT. Noted
>     by Arnd.
> 
> Sebastian Andrzej Siewior (3):
>   ARM: mm: fault: Move harden_branch_predictor() before interrupts are
>     enabled
>   ARM: Disable HIGHPTE on PREEMPT_RT kernels
>   ARM: Allow to enable RT
> 
> Thomas Gleixner (1):
>   ARM: Disable jump-label on PREEMPT_RT
> 
> Yadi.hu (1):
>   ARM: mm: fault: Enable interrupts before invoking __do_user_fault()
> 
>  arch/arm/Kconfig    |  5 +++--
>  arch/arm/mm/fault.c | 16 ++++++++++------
>  2 files changed, 13 insertions(+), 8 deletions(-)

Thank you Sebastian!

There are quite a few systems which use 32b processors and need 
PREEMPT_RT. Thank you for doing this. 

Acked-by: Bryan Brattlof <bb@ti.com>

~Bryan

Re: [PATCH v3 2/5] ARM: mm: fault: Enable interrupts before invoking __do_user_fault()

[Sebastian Andrzej Siewior]

On 2025-11-10 15:55:52 [+0100], To linux-arm-kernel@lists.infradead.org wrote:
|
|   https://www.armlinux.org.uk/developer/patches/viewpatch.php?id=9460/1
|
| Moved to Discarded.
|
| This makes the issues with the branch predictor hardening worse if this
| patch is merged on its own - since this adds another path where
| interrupts are enabled before calling harden_branch_predictor() in
| __do_user_fault(). It would be sensible to move the interrupt enable
| into __do_user_fault().
|
|    *** PLEASE DO NOT REPLY TO THIS MESSAGE ***

I thought that we apply both.
In 9462/1 I am moving harden_branch_predictor() out of __do_user_fault()
because do_page_fault() needs the hardening before the interrupts are
enabled. Do mean something like

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c0..f70b98fb562b3 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -186,6 +186,7 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
 	if (addr > TASK_SIZE)
 		harden_branch_predictor();
 
+	local_irq_enable();
 #ifdef CONFIG_DEBUG_USER
 	if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
 	    ((user_debug & UDBG_BUS)  && (sig == SIGBUS))) {
@@ -274,8 +275,13 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 
 
 	/* Enable interrupts if they were enabled in the parent context. */
-	if (interrupts_enabled(regs))
+	if (interrupts_enabled(regs)) {
+		if (addr >= TASK_SIZE && user_mode(regs)) {
+			__do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs);
+			return 0;
+		}
 		local_irq_enable();
+	}
 
 	/*
 	 * If we're in an interrupt or have no user

instead both patches? So now we end up in __do_user_fault() via
do_page_fault() with enabled interrupts but only for addr < TASK_SIZE
which does not involve harden_branch_predictor().

Sebastian

Re: [PATCH v3 2/5] ARM: mm: fault: Enable interrupts before invoking __do_user_fault()

[Russell King (Oracle)]

On Tue, Dec 02, 2025 at 03:18:16PM +0100, Sebastian Andrzej Siewior wrote:
> On 2025-11-10 15:55:52 [+0100], To linux-arm-kernel@lists.infradead.org wrote:
> |
> |   https://www.armlinux.org.uk/developer/patches/viewpatch.php?id=9460/1
> |
> | Moved to Discarded.
> |
> | This makes the issues with the branch predictor hardening worse if this
> | patch is merged on its own - since this adds another path where
> | interrupts are enabled before calling harden_branch_predictor() in
> | __do_user_fault(). It would be sensible to move the interrupt enable
> | into __do_user_fault().
> |
> |    *** PLEASE DO NOT REPLY TO THIS MESSAGE ***
> 
> I thought that we apply both.
> In 9462/1 I am moving harden_branch_predictor() out of __do_user_fault()
> because do_page_fault() needs the hardening before the interrupts are
> enabled. Do mean something like

If I apply 9460/1 without 9462/1 first, then it makes the problems
with the branch predictor hardening worse. I'm not prepared to do that.

However, 9462/1 is tied up in the discussions that are ongoing, and I'm
not going to short-circuit the still-ongoing discussions that touch
this area by applying this patch - which would screw up everyone's
proposals to fix the various many problems that are being discovered in
the 32-bit ARM fault handling.

This means I can't apply 9462/1 nor 9460/1.

Since 9463/1 likely requires these, I can't apply that one either.

Sorry.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

Re: [PATCH v3 2/5] ARM: mm: fault: Enable interrupts before invoking __do_user_fault()

[Sebastian Andrzej Siewior]

On 2025-12-02 15:46:25 [+0000], Russell King (Oracle) wrote:
> If I apply 9460/1 without 9462/1 first, then it makes the problems
> with the branch predictor hardening worse. I'm not prepared to do that.
> 
> However, 9462/1 is tied up in the discussions that are ongoing, and I'm
> not going to short-circuit the still-ongoing discussions that touch
> this area by applying this patch - which would screw up everyone's
> proposals to fix the various many problems that are being discovered in
> the 32-bit ARM fault handling.
> 
> This means I can't apply 9462/1 nor 9460/1.
> 
> Since 9463/1 likely requires these, I can't apply that one either.
> 
> Sorry.

Understood. So you just want to get the other bug fixed first and then
we get back to this if it still remains open.
Please let me know if you need some testing or applied the fix and want
me to rebase these changes on top.

Sebastian