| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250926093343.1000-1-laoar.shao@gmail.com>
Date: Fri, 26 Sep 2025 17:33:31 +0800
From: Yafang Shao <laoar.shao@...il.com>
To: akpm@...ux-foundation.org,
david@...hat.com,
ziy@...dia.com,
baolin.wang@...ux.alibaba.com,
lorenzo.stoakes@...cle.com,
Liam.Howlett@...cle.com,
npache@...hat.com,
ryan.roberts@....com,
dev.jain@....com,
hannes@...xchg.org,
usamaarif642@...il.com,
gutierrez.asier@...wei-partners.com,
willy@...radead.org,
ast@...nel.org,
daniel@...earbox.net,
andrii@...nel.org,
ameryhung@...il.com,
rientjes@...gle.com,
corbet@....net,
21cnbao@...il.com,
shakeel.butt@...ux.dev,
tj@...nel.org,
lance.yang@...ux.dev
Cc: bpf@...r.kernel.org,
linux-mm@...ck.org,
linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org,
Yafang Shao <laoar.shao@...il.com>
Subject: [PATCH v8 mm-new 00/12] mm, bpf: BPF based THP order selection
Background
==========
Our production servers consistently configure THP to "never" due to
historical incidents caused by its behavior. Key issues include:
- Increased Memory Consumption
THP significantly raises overall memory usage, reducing available memory
for workloads.
- Latency Spikes
Random latency spikes occur due to frequent memory compaction triggered
by THP.
- Lack of Fine-Grained Control
THP tuning is globally configured, making it unsuitable for containerized
environments. When multiple workloads share a host, enabling THP without
per-workload control leads to unpredictable behavior.
Due to these issues, administrators avoid switching to madvise or always
modes—unless per-workload THP control is implemented.
To address this, we propose BPF-based THP policy for flexible adjustment.
Additionally, as David mentioned, this mechanism can also serve as a
policy prototyping tool (test policies via BPF before upstreaming them).
Proposed Solution
=================
This patch introduces a new BPF struct_ops called bpf_thp_ops for dynamic
THP tuning. It includes a hook thp_get_order(), allowing BPF programs to
influence THP order selection based on factors such as:
- Workload identity
For example, workloads running in specific containers or cgroups.
- Allocation context
Whether the allocation occurs during a page fault, khugepaged, swap or
other paths.
- VMA's memory advice settings
MADV_HUGEPAGE or MADV_NOHUGEPAGE
- Memory pressure
PSI system data or associated cgroup PSI metrics
The new interface for the BPF program is as follows:
/**
* thp_order_fn_t: Get the suggested THP order from a BPF program for allocation
* @vma: vm_area_struct associated with the THP allocation
* @type: TVA type for current @vma
* @orders: Bitmask of available THP orders for this allocation
*
* Return: The suggested THP order for allocation from the BPF program. Must be
* a valid, available order.
*/
typedef int thp_order_fn_t(struct vm_area_struct *vma,
enum tva_type type,
unsigned long orders);
Only a single BPF program can be attached at any given time, though it can
be dynamically updated to adjust the policy. The implementation supports
anonymous THP, shmem THP, and mTHP, with future extensions planned for
file-backed THP.
This functionality is only active when system-wide THP is configured to
madvise or always mode. It remains disabled in never mode. Additionally,
if THP is explicitly disabled for a specific task via prctl(), this BPF
functionality will also be unavailable for that task
Rationale Behind the Non-Cgroup Design
--------------------------------------
cgroups are designed as nested hierarchies for partitioning resources. They
are a poor fit for enforcing arbitrary, non-hierarchical policies.
The THP policy is a quintessential example of such an arbitrary
setting. Even within a single cgroup, it is often necessary to enable
THP for performance-critical tasks while disabling it for others to
avoid latency spikes. Implementing this policy through a cgroup
interface that propagates hierarchically would eliminate the crucial
ability to configure it on a per-task basis.
While the bpf-thp mechanism has a global scope, this does not limit
its application to a single system-wide policy. In contrast to a
hierarchical cgroup-based setting, bpf-thp offers the flexibility to
set policies per-task, per-cgroup, or globally.
Fundamentally, it is a more powerful variant of prctl(), not a variant of
cgroup interface file.
WARNING
-------
- This feature requires CONFIG_BPF_GET_THP_ORDER (marked EXPERIMENTAL) to
be enabled.
- The interface may change
- Behavior may differ in future kernel versions
- We might remove it in the future
Selftests
=========
BPF CI
------
Patch #9: Implements a basic BPF THP policy
Patch #10: Provides tests for dynamic BPF program updates and replacement.
Patch #11: Includes negative tests for invalid BPF helper usage, verifying
proper verification by the BPF verifier.
Currently, several dependency patches reside in mm-new but haven't been
merged into bpf-next. To enable BPF CI testing, these dependencies were
manually applied to bpf-next. All selftests in this series pass
successfully [0].
Performance Evaluation
----------------------
Performance impact was measured given the page fault handler modifications.
The standard `perf bench mem memset` benchmark was employed to assess page
fault performance.
Testing was conducted on an AMD EPYC 7W83 64-Core Processor (single NUMA
node). Due to variance between individual test runs, a script executed
10000 iterations to calculate meaningful averages.
- Baseline (without this patch series)
- With patch series but no BPF program attached
- With patch series and BPF program attached
The results across three configurations show negligible performance impact:
Number of runs: 10,000
Average throughput: 40-41 GB/sec
Production verification
-----------------------
We have successfully deployed a variant of this approach across numerous
Kubernetes production servers. The implementation enables THP for specific
workloads (such as applications utilizing ZGC [1]) while disabling it for
others. This selective deployment has operated flawlessly, with no
regression reports to date.
For ZGC-based applications, our verification demonstrates that shmem THP
delivers significant improvements:
- Reduced CPU utilization
- Lower average latencies
We are continuously extending its support to more workloads, such as
TCMalloc-based services. [2]
Deployment Steps in our production servers are as follows,
1. Initial Setup:
- Set THP mode to "never" (disabling THP by default).
- Attach the BPF program and pin the BPF maps and links.
- Pinning ensures persistence (like a kernel module), preventing
disruption under system pressure.
- A THP whitelist map tracks allowed cgroups (initially empty -> no THP
allocations).
2. Enable THP Control:
- Switch THP mode to "always" or "madvise" (BPF now governs actual allocations).
3. Dynamic Management:
- To permit THP for a cgroup, add its ID to the whitelist map.
- To revoke permission, remove the cgroup ID from the map.
- The BPF program can be updated live (policy adjustments require no
task interruption).
4. To roll back, disable THP and remove this BPF program.
**WARNING**
Be aware that the maintainers do not suggest this use case, as the BPF hook
interface is unstable and might be removed from the upstream kernel—unless
you have your own kernel team to maintain it ;-)
Tested By
---------
This v7 patch series has been tested by Lance. Thanks a lot!
Tested-by: Lance Yang <lance.yang@...ux.dev> (for v7)
Since the changes from v7 are minimal, I've retained the Tested-by tag
in the current version.
Future work
===========
Per-Task Defrag Policy
----------------------
In our production environment, applications handle memory allocation in two
ways: some pre-touch all memory at startup, while others allocate
dynamically.
For pre-touching applications, we prefer to allocate THP via direct reclaim
during their initial phase. For dynamic allocators, however, we prefer to
defer THP allocation to khugepaged to prevent latency spikes.
To support both strategies effectively, the defrag setting must be
configurable on a per-task basis.
File-backed THP Policy
----------------------
Based on our validation with production workloads, we observed mixed
results with XFS large folios (also known as file-backed THP):
- Performance Benefits
Some workloads demonstrated significant improvements with XFS large
folios enabled
- Performance Regression
Some workloads experienced degradation when using XFS large folios
These results demonstrate that File THP, similar to anonymous THP, requires
a more granular approach instead of a uniform implementation.
We will extend the BPF-based order selection mechanism to support
file-backed THP allocation policies.
Hooking fork() with BPF for Task Configuration
----------------------------------------------
The current method for controlling a newly fork()-ed task involves calling
prctl() (e.g., with PR_SET_THP_DISABLE) to set flags in its mm->flags. This
requires explicit userspace modification.
A more efficient alternative is to implement a new BPF hook within the
fork() path. This hook would allow a BPF program to set the task's
mm->flags directly after mm initialization, leveraging BPF helpers for a
solution that is transparent to userspace. This is particularly valuable in
data center environments for fleet-wide management.
Link: https://github.com/kernel-patches/bpf/pull/9869 [0]
Link: https://wiki.openjdk.org/display/zgc/Main#Main-EnablingTransparentHugePagesOnLinux [1]
Link: https://google.github.io/tcmalloc/tuning.html#system-level-optimizations [2]
Changes:
=======:
v7->v8:
Key Changes:
>From Lorenzo:
- Remove the @vma_type parameter and get it from @vma instead
- Rename the config to BPF_THP_GET_ORDER_EXPERIMENTAL for highlighting
- Code improvement around the returned order
- Fix the buiding error reported by kernel test robot in patch #1
(Lance, Zi, Lorenzo)
v6->v7: https://lwn.net/Articles/1037490/
Key Changes Implemented Based on Feedback:
>From Lorenzo:
- Rename the hook from get_suggested_order() to bpf_hook_get_thp_order().
- Rename bpf_thp.c to huge_memory_bpf.c
- Focuse the current patchset on THP order selection
- Add the BPF hook into thp_vma_allowable_orders()
- Make the hook VMA-based and remove the mm parameter
- Modify the BPF program to return a single order
- Stop passing vma_flags directly to BPF programs
- Mark vma->vm_mm as trusted_or_null
- Change the MAINTAINER file
>From Andrii:
- Mark mm->owner as rcu_or_null to avoid introducing new helpers
>From Barry:
- decouple swap from the normal page fault path
kernel test robot:
- Fix a sparse warning
Shakeel helped clarify the implementation.
RFC v5-> v6: https://lwn.net/Articles/1035116/
- Code improvement around the RCU usage (Usama)
- Add selftests for khugepaged fork (Usama)
- Add performance data for page fault (Usama)
- Remove the RFC tag
RFC v4->v5: https://lwn.net/Articles/1034265/
- Add support for vma (David)
- Add mTHP support in khugepaged (Zi)
- Use bitmask of all allowed orders instead (Zi)
- Retrieve the page size and PMD order rather than hardcoding them (Zi)
RFC v3->v4: https://lwn.net/Articles/1031829/
- Use a new interface get_suggested_order() (David)
- Mark it as experimental (David, Lorenzo)
- Code improvement in THP (Usama)
- Code improvement in BPF struct ops (Amery)
RFC v2->v3: https://lwn.net/Articles/1024545/
- Finer-graind tuning based on madvise or always mode (David, Lorenzo)
- Use BPF to write more advanced policies logic (David, Lorenzo)
RFC v1->v2: https://lwn.net/Articles/1021783/
The main changes are as follows,
- Use struct_ops instead of fmod_ret (Alexei)
- Introduce a new THP mode (Johannes)
- Introduce new helpers for BPF hook (Zi)
- Refine the commit log
RFC v1: https://lwn.net/Articles/1019290/
Yafang Shao (12):
mm: thp: remove disabled task from khugepaged_mm_slot
mm: thp: remove vm_flags parameter from khugepaged_enter_vma()
mm: thp: remove vm_flags parameter from thp_vma_allowable_order()
mm: thp: add support for BPF based THP order selection
mm: thp: decouple THP allocation between swap and page fault paths
mm: thp: enable THP allocation exclusively through khugepaged
bpf: mark mm->owner as __safe_rcu_or_null
bpf: mark vma->vm_mm as __safe_trusted_or_null
selftests/bpf: add a simple BPF based THP policy
selftests/bpf: add test case to update THP policy
selftests/bpf: add test cases for invalid thp_adjust usage
Documentation: add BPF-based THP policy management
Documentation/admin-guide/mm/transhuge.rst | 39 +++
MAINTAINERS | 3 +
fs/proc/task_mmu.c | 3 +-
include/linux/huge_mm.h | 42 ++-
include/linux/khugepaged.h | 10 +-
kernel/bpf/verifier.c | 8 +
kernel/sys.c | 7 +-
mm/Kconfig | 12 +
mm/Makefile | 1 +
mm/huge_memory.c | 7 +-
mm/huge_memory_bpf.c | 204 +++++++++++++
mm/khugepaged.c | 66 ++--
mm/madvise.c | 7 +
mm/memory.c | 22 +-
mm/shmem.c | 2 +-
mm/vma.c | 6 +-
tools/testing/selftests/bpf/config | 3 +
.../selftests/bpf/prog_tests/thp_adjust.c | 288 ++++++++++++++++++
tools/testing/selftests/bpf/progs/lsm.c | 8 +-
.../selftests/bpf/progs/test_thp_adjust.c | 55 ++++
.../bpf/progs/test_thp_adjust_sleepable.c | 22 ++
.../bpf/progs/test_thp_adjust_trusted_owner.c | 30 ++
.../bpf/progs/test_thp_adjust_trusted_vma.c | 27 ++
23 files changed, 799 insertions(+), 73 deletions(-)
create mode 100644 mm/huge_memory_bpf.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/thp_adjust.c
create mode 100644 tools/testing/selftests/bpf/progs/test_thp_adjust.c
create mode 100644 tools/testing/selftests/bpf/progs/test_thp_adjust_sleepable.c
create mode 100644 tools/testing/selftests/bpf/progs/test_thp_adjust_trusted_owner.c
create mode 100644 tools/testing/selftests/bpf/progs/test_thp_adjust_trusted_vma.c
--
2.47.3
Powered by blists - more mailing lists