From: Brendan Jackman <jackmanb@google.com>
To: Gregory Price <gourry@gourry.net>, "Vlastimil Babka (SUSE)" <vbabka@kernel.org>
Cc: Brendan Jackman <jackmanb@google.com>, Borislav Petkov <bp@alien8.de>, Dave Hansen <dave.hansen@linux.intel.com>, Peter Zijlstra <peterz@infradead.org>, Andrew Morton <akpm@linux-foundation.org>, David Hildenbrand <david@kernel.org>, Wei Xu <weixugc@google.com>, Johannes Weiner <hannes@cmpxchg.org>, Zi Yan <ziy@nvidia.com>, Lorenzo Stoakes <ljs@kernel.org>, <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>, <x86@kernel.org>, <rppt@kernel.org>, Sumit Garg <sumit.garg@oss.qualcomm.com>, <derkling@google.com>, <reijiw@google.com>, Will Deacon <will@kernel.org>, <rientjes@google.com>, "Kalyazin, Nikita" <kalyazin@amazon.co.uk>, <patrick.roy@linux.dev>, "Itazuri, Takahiro" <itazur@amazon.co.uk>, Andy Lutomirski <luto@kernel.org>, David Kaplan <david.kaplan@amd.com>, Thomas Gleixner <tglx@kernel.org>, Yosry Ahmed <yosry@kernel.org>
Subject: Re: [PATCH v2 00/22] mm: Add __GFP_UNMAPPED
Date: Fri, 15 May 2026 09:31:15 +0000
Message-ID: <DIJ59AT4F3Q9.1JN2FOZZ47H4Q@google.com>
In-Reply-To: <agS76pNPlPVLgpFA@gourry-fedora-PF4VCD3F>

On Wed May 13, 2026 at 5:59 PM UTC, Gregory Price wrote:
> On Wed, May 13, 2026 at 07:38:01PM +0200, Vlastimil Babka (SUSE) wrote:
>> On 5/13/26 19:28, Gregory Price wrote:
>> >
>> > Hm. I'm not quite wrapping my head around the TLB issue fully.
>> >
>> > If there's no kernel direct mapping, and there's no userland mapping,
>> > the stale TLB entry comes from... the page formerly being present in the
>> > page tables and a stale TLB entry lying about after the page is freed?
>>
>> It's the direct mapping, we assume it's always there and unchanged, and only
>> kernel can access the contents through it. So nobody flushes it when freeing
>> any pages. Userspace processes can't exploit anything stale there, in
>> absence of kernel's UAF bugs (or e.g. Meltdown like cpu bugs).
>>
>
> Ah, I follow.
>
> If everything is default-unmapped, then you don't have to worry about
> this issue - except when a stolen block is returned or an ephemeral
> mapping is unmapped after the operation.
>
> pivoting...
>
> On the GFP front, I wonder if you could factor out the core of
> alloc_frozen_pages_noprof() and add alloc_unmapped_pages_noprof()
> which adds (alloc_flags |= ALLOC_UNMAPPED) instead of adding
> __GFP_UNMAPPED.
>
> I have been considering something similar for __GFP_PRIVATE, but this
> has the added downside of increasing the surface of the buddy for each
> new narrow use case (in my case, private nodes, in this case unmapped
> allocations).
>
> unless of course we nip that in the bud with something like
>
> struct page *
> alloc_pages_special(enum buddy_context ctxt, gfp_t gfp_mask, ...)
> {
>         switch (ctxt) {
>         ... internal-only details about how that case is handled ...
>         }
> }
>
> and just go ahead and allow the buddy to grow internally without adding
> new gfp flags or an infinite number of interfaces.

Yeah, this is what I'm thinking too. I don't think growing the interface
is such a big deal if we can put it in mm/internal.h. For __GFP_UNMAPPED
and ASI's equivalent, we would eventually want to expose the functionality
outside of mm/, but that doesn't mean we have to directly expose the page
allocator interface itself. Do you think it's a similar story for
__GFP_PRIVATE?

Anyway my initial thought was a variant of alloc_pages that lets you
directly specify alloc flags alongside/instead of GFP flags. This is
actually a bit fiddly though since the GFP flags -> alloc flags thing
isn't a clean division. Maybe it should be?

> Of course that means users have to know the context in which they're
> being allocated. Right now you can kind of "transiently cheat" by
> passing a GFP flag through a bunch of interfaces and that makes certain
> allocations reachable - but maybe we should not be encouraging that kind
> of design for these kinds of allocator extensions?

Hm, for __GFP_UNMAPPED (and __GFP_SENSITIVE in the future), it has
nothing to do with the allocation context. It's really expressing
something about the page, i.e.:

- __GFP_SENSITIVE means "We might put user data in this page"
- __GFP_UNMAPPED means "We might put user data in this page, and I know
  the kernel doesn't need to access it in the direct map"

So, for those cases, I think a GFP flag is actually conceptually correct,
the only reason I can see to avoid it is because of bitmap space.