| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251015141716.887-4-laoar.shao@gmail.com>
Date: Wed, 15 Oct 2025 22:17:10 +0800
From: Yafang Shao <laoar.shao@...il.com>
To: akpm@...ux-foundation.org,
david@...hat.com,
ziy@...dia.com,
baolin.wang@...ux.alibaba.com,
lorenzo.stoakes@...cle.com,
Liam.Howlett@...cle.com,
npache@...hat.com,
ryan.roberts@....com,
dev.jain@....com,
hannes@...xchg.org,
usamaarif642@...il.com,
gutierrez.asier@...wei-partners.com,
willy@...radead.org,
ast@...nel.org,
daniel@...earbox.net,
andrii@...nel.org,
ameryhung@...il.com,
rientjes@...gle.com,
corbet@....net,
21cnbao@...il.com,
shakeel.butt@...ux.dev,
tj@...nel.org,
lance.yang@...ux.dev,
rdunlap@...radead.org
Cc: bpf@...r.kernel.org,
linux-mm@...ck.org,
linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org,
Yafang Shao <laoar.shao@...il.com>
Subject: [RFC PATCH v10 mm-new 3/9] mm: thp: add support for BPF based THP order selection
This patch introduces a new BPF struct_ops called bpf_thp_ops for dynamic
THP tuning. It includes a hook bpf_hook_thp_get_order(), allowing BPF
programs to influence THP order selection based on factors such as:
- Workload identity
For example, workloads running in specific containers or cgroups.
- Allocation context
Whether the allocation occurs during a page fault, khugepaged, swap or
other paths.
- VMA's memory advice settings
MADV_HUGEPAGE or MADV_NOHUGEPAGE
- Memory pressure
PSI system data or associated cgroup PSI metrics
The kernel API of this new BPF hook is as follows,
/**
* thp_order_fn_t: Get the suggested THP order from a BPF program for allocation
* @vma: vm_area_struct associated with the THP allocation
* @type: TVA type for current @vma
* @orders: Bitmask of available THP orders for this allocation
*
* Return: The suggested THP order for allocation from the BPF program. Must be
* a valid, available order.
*/
typedef int thp_order_fn_t(struct vm_area_struct *vma,
enum tva_type type,
unsigned long orders);
Only a single BPF program can be attached at any given time, though it can
be dynamically updated to adjust the policy. The implementation supports
anonymous THP, shmem THP, and mTHP, with future extensions planned for
file-backed THP.
This functionality is only active when system-wide THP is configured to
madvise or always mode. It remains disabled in never mode. Additionally,
if THP is explicitly disabled for a specific task via prctl(), this BPF
functionality will also be unavailable for that task.
This BPF hook enables the implementation of flexible THP allocation
policies at the system, per-cgroup, or per-task level.
This feature requires CONFIG_BPF_THP (EXPERIMENTAL) to be enabled. Note
that this capability is currently unstable and may undergo significant
changes—including potential removal—in future kernel versions.
Signed-off-by: Yafang Shao <laoar.shao@...il.com>
---
MAINTAINERS | 1 +
fs/exec.c | 1 +
include/linux/huge_mm.h | 40 +++++
include/linux/mm_types.h | 18 +++
kernel/fork.c | 1 +
mm/Kconfig | 22 +++
mm/Makefile | 1 +
mm/huge_memory_bpf.c | 306 +++++++++++++++++++++++++++++++++++++++
mm/mmap.c | 1 +
9 files changed, 391 insertions(+)
create mode 100644 mm/huge_memory_bpf.c
diff --git a/MAINTAINERS b/MAINTAINERS
index ca8e3d18eedd..7be34b2a64fd 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -16257,6 +16257,7 @@ F: include/linux/huge_mm.h
F: include/linux/khugepaged.h
F: include/trace/events/huge_memory.h
F: mm/huge_memory.c
+F: mm/huge_memory_bpf.c
F: mm/khugepaged.c
F: mm/mm_slot.h
F: tools/testing/selftests/mm/khugepaged.c
diff --git a/fs/exec.c b/fs/exec.c
index dbac0e84cc3e..9500aafb7eb5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -890,6 +890,7 @@ static int exec_mmap(struct mm_struct *mm)
activate_mm(active_mm, mm);
if (IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM))
local_irq_enable();
+ bpf_thp_retain_mm(mm, old_mm);
lru_gen_add_mm(mm);
task_unlock(tsk);
lru_gen_use_mm(mm);
diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
index a635dcbb2b99..5ecc95f35453 100644
--- a/include/linux/huge_mm.h
+++ b/include/linux/huge_mm.h
@@ -269,6 +269,41 @@ unsigned long __thp_vma_allowable_orders(struct vm_area_struct *vma,
enum tva_type type,
unsigned long orders);
+#ifdef CONFIG_BPF_THP
+
+unsigned long
+bpf_hook_thp_get_orders(struct vm_area_struct *vma, enum tva_type type,
+ unsigned long orders);
+
+void bpf_thp_exit_mm(struct mm_struct *mm);
+void bpf_thp_retain_mm(struct mm_struct *mm, struct mm_struct *old_mm);
+void bpf_thp_fork(struct mm_struct *mm, struct mm_struct *old_mm);
+
+#else
+
+static inline unsigned long
+bpf_hook_thp_get_orders(struct vm_area_struct *vma, enum tva_type type,
+ unsigned long orders)
+{
+ return orders;
+}
+
+static inline void bpf_thp_ops_exit(struct mm_struct *mm)
+{
+}
+
+static inline void
+bpf_thp_retain_mm(struct mm_struct *mm, struct mm_struct *old_mm)
+{
+}
+
+static inline void
+bpf_thp_fork(struct mm_struct *mm, struct mm_struct *old_mm)
+{
+}
+
+#endif
+
/**
* thp_vma_allowable_orders - determine hugepage orders that are allowed for vma
* @vma: the vm area to check
@@ -290,6 +325,11 @@ unsigned long thp_vma_allowable_orders(struct vm_area_struct *vma,
{
vm_flags_t vm_flags = vma->vm_flags;
+ /* The BPF-specified order overrides which order is selected. */
+ orders &= bpf_hook_thp_get_orders(vma, type, orders);
+ if (!orders)
+ return 0;
+
/*
* Optimization to check if required orders are enabled early. Only
* forced collapse ignores sysfs configs.
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 394d50fd3c65..835fbfdf7657 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -33,6 +33,7 @@
struct address_space;
struct futex_private_hash;
struct mem_cgroup;
+struct bpf_mm_ops;
typedef struct {
unsigned long f;
@@ -976,6 +977,19 @@ struct mm_cid {
};
#endif
+#ifdef CONFIG_BPF_THP
+struct bpf_thp_ops;
+#endif
+
+#ifdef CONFIG_BPF_MM
+struct bpf_mm_ops {
+#ifdef CONFIG_BPF_THP
+ struct bpf_thp_ops __rcu *bpf_thp;
+ struct list_head bpf_thp_list;
+#endif
+};
+#endif
+
/*
* Opaque type representing current mm_struct flag state. Must be accessed via
* mm_flags_xxx() helper functions.
@@ -1268,6 +1282,10 @@ struct mm_struct {
#ifdef CONFIG_MM_ID
mm_id_t mm_id;
#endif /* CONFIG_MM_ID */
+
+#ifdef CONFIG_BPF_MM
+ struct bpf_mm_ops bpf_mm;
+#endif
} __randomize_layout;
/*
diff --git a/kernel/fork.c b/kernel/fork.c
index 157612fd669a..6b7d56ecb19a 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1130,6 +1130,7 @@ static inline void __mmput(struct mm_struct *mm)
exit_aio(mm);
ksm_exit(mm);
khugepaged_exit(mm); /* must run before exit_mmap */
+ bpf_thp_exit_mm(mm);
exit_mmap(mm);
mm_put_huge_zero_folio(mm);
set_mm_exe_file(mm, NULL);
diff --git a/mm/Kconfig b/mm/Kconfig
index bde9f842a4a8..18a83c0cbb51 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -1371,6 +1371,28 @@ config PT_RECLAIM
config FIND_NORMAL_PAGE
def_bool n
+menuconfig BPF_MM
+ bool "BPF-based Memory Management (EXPERIMENTAL)"
+ depends on BPF_SYSCALL
+
+ help
+ Enable BPF-based Memory Management Policy. This feature is currently
+ experimental.
+
+ WARNING: This feature is unstable and may change in future kernel
+
+if BPF_MM
+config BPF_THP
+ bool "BPF-based THP Policy (EXPERIMENTAL)"
+ depends on TRANSPARENT_HUGEPAGE && BPF_MM
+
+ help
+ Enable dynamic THP policy adjustment using BPF programs. This feature
+ is currently experimental.
+
+ WARNING: This feature is unstable and may change in future kernel
+endif # BPF_MM
+
source "mm/damon/Kconfig"
endmenu
diff --git a/mm/Makefile b/mm/Makefile
index 21abb3353550..4efca1c8a919 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -99,6 +99,7 @@ obj-$(CONFIG_MIGRATION) += migrate.o
obj-$(CONFIG_NUMA) += memory-tiers.o
obj-$(CONFIG_DEVICE_MIGRATION) += migrate_device.o
obj-$(CONFIG_TRANSPARENT_HUGEPAGE) += huge_memory.o khugepaged.o
+obj-$(CONFIG_BPF_THP) += huge_memory_bpf.o
obj-$(CONFIG_PAGE_COUNTER) += page_counter.o
obj-$(CONFIG_MEMCG_V1) += memcontrol-v1.o
obj-$(CONFIG_MEMCG) += memcontrol.o vmpressure.o
diff --git a/mm/huge_memory_bpf.c b/mm/huge_memory_bpf.c
new file mode 100644
index 000000000000..24ab432cbbaa
--- /dev/null
+++ b/mm/huge_memory_bpf.c
@@ -0,0 +1,306 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * BPF-based THP policy management
+ *
+ * Author: Yafang Shao <laoar.shao@...il.com>
+ */
+
+#include <linux/bpf.h>
+#include <linux/btf.h>
+#include <linux/huge_mm.h>
+#include <linux/khugepaged.h>
+
+/**
+ * @thp_order_fn_t: Get the suggested THP order from a BPF program for allocation
+ * @vma: vm_area_struct associated with the THP allocation
+ * @type: TVA type for current @vma
+ * @orders: Bitmask of available THP orders for this allocation
+ *
+ * Return: The suggested THP order for allocation from the BPF program. Must be
+ * a valid, available order.
+ */
+typedef int thp_order_fn_t(struct vm_area_struct *vma,
+ enum tva_type type,
+ unsigned long orders);
+
+struct bpf_thp_mm_list {
+ struct list_head list;
+};
+
+struct bpf_thp_ops {
+ pid_t pid; /* The pid to attach */
+ thp_order_fn_t *thp_get_order;
+
+ /* private*/
+ /* The list of mm_struct this ops is operated on */
+ struct bpf_thp_mm_list mm_list;
+};
+
+static DEFINE_SPINLOCK(thp_ops_lock);
+
+void bpf_thp_exit_mm(struct mm_struct *mm)
+{
+ if (!rcu_access_pointer(mm->bpf_mm.bpf_thp))
+ return;
+
+ spin_lock(&thp_ops_lock);
+ if (!rcu_access_pointer(mm->bpf_mm.bpf_thp)) {
+ spin_unlock(&thp_ops_lock);
+ return;
+ }
+ list_del(&mm->bpf_mm.bpf_thp_list);
+ RCU_INIT_POINTER(mm->bpf_mm.bpf_thp, NULL);
+ spin_unlock(&thp_ops_lock);
+
+}
+
+void bpf_thp_retain_mm(struct mm_struct *mm, struct mm_struct *old_mm)
+{
+ struct bpf_thp_ops *bpf_thp;
+
+ if (!old_mm || !rcu_access_pointer(old_mm->bpf_mm.bpf_thp))
+ return;
+
+ spin_lock(&thp_ops_lock);
+ bpf_thp = rcu_dereference_protected(old_mm->bpf_mm.bpf_thp,
+ lockdep_is_held(&thp_ops_lock));
+ if (!bpf_thp) {
+ spin_unlock(&thp_ops_lock);
+ return;
+ }
+
+ /* The new mm is still under initilization */
+ RCU_INIT_POINTER(mm->bpf_mm.bpf_thp, bpf_thp);
+
+ /* The old mm is destroying */
+ RCU_INIT_POINTER(old_mm->bpf_mm.bpf_thp, NULL);
+ list_replace(&old_mm->bpf_mm.bpf_thp_list, &mm->bpf_mm.bpf_thp_list);
+ spin_unlock(&thp_ops_lock);
+}
+
+void bpf_thp_fork(struct mm_struct *mm, struct mm_struct *old_mm)
+{
+ struct bpf_thp_mm_list *mm_list;
+ struct bpf_thp_ops *bpf_thp;
+
+ if (!rcu_access_pointer(old_mm->bpf_mm.bpf_thp))
+ return;
+
+ spin_lock(&thp_ops_lock);
+ bpf_thp = rcu_dereference_protected(old_mm->bpf_mm.bpf_thp,
+ lockdep_is_held(&thp_ops_lock));
+ if (!bpf_thp) {
+ spin_unlock(&thp_ops_lock);
+ return;
+ }
+
+ /* The new mm is still under initilization */
+ RCU_INIT_POINTER(mm->bpf_mm.bpf_thp, bpf_thp);
+
+ mm_list = &bpf_thp->mm_list;
+ list_add_tail(&mm->bpf_mm.bpf_thp_list, &mm_list->list);
+ spin_unlock(&thp_ops_lock);
+}
+
+unsigned long bpf_hook_thp_get_orders(struct vm_area_struct *vma,
+ enum tva_type type,
+ unsigned long orders)
+{
+ struct mm_struct *mm = vma->vm_mm;
+ struct bpf_thp_ops *bpf_thp;
+ int bpf_order;
+
+ if (!mm)
+ return orders;
+
+ rcu_read_lock();
+ bpf_thp = rcu_dereference(mm->bpf_mm.bpf_thp);
+ if (!bpf_thp || !bpf_thp->thp_get_order)
+ goto out;
+
+ bpf_order = bpf_thp->thp_get_order(vma, type, orders);
+ orders &= BIT(bpf_order);
+
+out:
+ rcu_read_unlock();
+ return orders;
+}
+
+static bool bpf_thp_ops_is_valid_access(int off, int size,
+ enum bpf_access_type type,
+ const struct bpf_prog *prog,
+ struct bpf_insn_access_aux *info)
+{
+ return bpf_tracing_btf_ctx_access(off, size, type, prog, info);
+}
+
+static const struct bpf_func_proto *
+bpf_thp_get_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
+{
+ return bpf_base_func_proto(func_id, prog);
+}
+
+static const struct bpf_verifier_ops thp_bpf_verifier_ops = {
+ .get_func_proto = bpf_thp_get_func_proto,
+ .is_valid_access = bpf_thp_ops_is_valid_access,
+};
+
+static int bpf_thp_init(struct btf *btf)
+{
+ return 0;
+}
+
+static int bpf_thp_check_member(const struct btf_type *t,
+ const struct btf_member *member,
+ const struct bpf_prog *prog)
+{
+ /* The call site operates under RCU protection. */
+ if (prog->sleepable)
+ return -EINVAL;
+ return 0;
+}
+
+static int bpf_thp_init_member(const struct btf_type *t,
+ const struct btf_member *member,
+ void *kdata, const void *udata)
+{
+ const struct bpf_thp_ops *ubpf_thp;
+ struct bpf_thp_ops *kbpf_thp;
+ u32 moff;
+
+ ubpf_thp = (const struct bpf_thp_ops *)udata;
+ kbpf_thp = (struct bpf_thp_ops *)kdata;
+
+ moff = __btf_member_bit_offset(t, member) / 8;
+ switch (moff) {
+ case offsetof(struct bpf_thp_ops, pid):
+ kbpf_thp->pid = ubpf_thp->pid;
+ return 1;
+ }
+ return 0;
+}
+
+static int bpf_thp_reg(void *kdata, struct bpf_link *link)
+{
+ struct bpf_thp_ops *bpf_thp = kdata;
+ struct bpf_thp_mm_list *mm_list;
+ struct task_struct *p;
+ struct mm_struct *mm;
+ int err = -EINVAL;
+ pid_t pid;
+
+ pid = bpf_thp->pid;
+ p = find_get_task_by_vpid(pid);
+ if (!p || p->flags & PF_EXITING)
+ return -EINVAL;
+
+ mm = get_task_mm(p);
+ put_task_struct(p);
+ if (!mm)
+ goto out;
+
+ err = -EBUSY;
+ spin_lock(&thp_ops_lock);
+ if (rcu_access_pointer(mm->bpf_mm.bpf_thp))
+ goto out_lock;
+ err = 0;
+ rcu_assign_pointer(mm->bpf_mm.bpf_thp, bpf_thp);
+
+ mm_list = &bpf_thp->mm_list;
+ INIT_LIST_HEAD(&mm_list->list);
+ list_add_tail(&mm->bpf_mm.bpf_thp_list, &mm_list->list);
+out_lock:
+ spin_unlock(&thp_ops_lock);
+out:
+ mmput(mm);
+ return err;
+}
+
+
+static void bpf_thp_unreg(void *kdata, struct bpf_link *link)
+{
+ struct bpf_thp_ops *bpf_thp = kdata;
+ struct bpf_mm_ops *bpf_mm;
+ struct list_head *pos, *n;
+
+ spin_lock(&thp_ops_lock);
+ list_for_each_safe(pos, n, &bpf_thp->mm_list.list) {
+ bpf_mm = list_entry(pos, struct bpf_mm_ops, bpf_thp_list);
+ WARN_ON_ONCE(!bpf_mm);
+ rcu_replace_pointer(bpf_mm->bpf_thp, NULL, lockdep_is_held(&thp_ops_lock));
+ list_del(pos);
+ }
+ spin_unlock(&thp_ops_lock);
+
+ synchronize_rcu();
+}
+
+static int bpf_thp_update(void *kdata, void *old_kdata, struct bpf_link *link)
+{
+ struct bpf_thp_ops *old_bpf_thp = old_kdata;
+ struct bpf_thp_ops *bpf_thp = kdata;
+ struct bpf_mm_ops *bpf_mm;
+ struct list_head *pos, *n;
+
+ INIT_LIST_HEAD(&bpf_thp->mm_list.list);
+
+ spin_lock(&thp_ops_lock);
+ list_for_each_safe(pos, n, &old_bpf_thp->mm_list.list) {
+ bpf_mm = list_entry(pos, struct bpf_mm_ops, bpf_thp_list);
+ WARN_ON_ONCE(!bpf_mm);
+ rcu_replace_pointer(bpf_mm->bpf_thp, bpf_thp, lockdep_is_held(&thp_ops_lock));
+ list_del(pos);
+ list_add_tail(&bpf_mm->bpf_thp_list, &bpf_thp->mm_list.list);
+ }
+ spin_unlock(&thp_ops_lock);
+
+ synchronize_rcu();
+ return 0;
+}
+
+static int bpf_thp_validate(void *kdata)
+{
+ struct bpf_thp_ops *ops = kdata;
+
+ if (!ops->thp_get_order) {
+ pr_err("bpf_thp: required ops isn't implemented\n");
+ return -EINVAL;
+ }
+ return 0;
+}
+
+static int bpf_thp_get_order(struct vm_area_struct *vma,
+ enum tva_type type,
+ unsigned long orders)
+{
+ return -1;
+}
+
+static struct bpf_thp_ops __bpf_thp_ops = {
+ .thp_get_order = (thp_order_fn_t __rcu *)bpf_thp_get_order,
+};
+
+static struct bpf_struct_ops bpf_bpf_thp_ops = {
+ .verifier_ops = &thp_bpf_verifier_ops,
+ .init = bpf_thp_init,
+ .check_member = bpf_thp_check_member,
+ .init_member = bpf_thp_init_member,
+ .reg = bpf_thp_reg,
+ .unreg = bpf_thp_unreg,
+ .update = bpf_thp_update,
+ .validate = bpf_thp_validate,
+ .cfi_stubs = &__bpf_thp_ops,
+ .owner = THIS_MODULE,
+ .name = "bpf_thp_ops",
+};
+
+static int __init bpf_thp_ops_init(void)
+{
+ int err;
+
+ err = register_bpf_struct_ops(&bpf_bpf_thp_ops, bpf_thp_ops);
+ if (err)
+ pr_err("bpf_thp: Failed to register struct_ops (%d)\n", err);
+ return err;
+}
+late_initcall(bpf_thp_ops_init);
diff --git a/mm/mmap.c b/mm/mmap.c
index 5fd3b80fda1d..8ac7d3046a33 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1844,6 +1844,7 @@ __latent_entropy int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
vma_iter_free(&vmi);
if (!retval) {
mt_set_in_rcu(vmi.mas.tree);
+ bpf_thp_fork(mm, oldmm);
ksm_fork(mm, oldmm);
khugepaged_fork(mm, oldmm);
} else {
--
2.47.3
Powered by blists - more mailing lists