Re: [PATCH] QEMU support for virtio balloon driver

[Dor Laor <dor.laor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>]

On Thu, 2008-01-24 at 16:29 -0600, Anthony Liguori wrote:
> Anthony Liguori wrote:
> > This patch adds support to QEMU for Rusty's recently introduce virtio balloon
> > driver.  The user-facing portions of this are the introduction of a "balloon"
> > and "info balloon" command in the monitor.
> >
> > I think using madvise unconditionally is okay but I am not sure.
> 
> Looks like it's not.  I just hung my host system after doing a bunch of 
> ballooning with a kernel that doesn't have MM notifiers.
> 
> I'm inclined to think that we should have a capability check for MM 
> notifiers and just not do madvise if they aren't present.  I don't think 
> the ioctl approach that Marcelo took is sufficient as a malicious guest 
> could possibly hose the host.
> 

The ioctl to zap the shadow pages is needed in order to free memory
fast. Without it the balloon will evacuate memory to slow for common
mgmt application (running additional VMs).
This ioctl (on older kernels only) can hose the host but so can
malicious guests that do dummy cr3 switching and other hackry.

If one really insist he can always add a timer to this ioctl to slow
potential malicious guests.


> Having the guest allocate and not touch memory means that it should 
> eventually be removed from the shadow page cache and eventually swapped 
> out so ballooning isn't totally useless in the absence of MM notifiers.
> 
> Regards,
> 
> Anthony Liguori



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/