public inbox for kvm@vger.kernel.org
From: Anthony Liguori <aliguori-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: dor.laor-atKUWr5tajBWk0Htik3J/w@public.gmane.org
Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
	Marcelo Tosatti <marcelo-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org>,
	Andrea Arcangeli <andrea-atKUWr5tajBWk0Htik3J/w@public.gmane.org>,
	Avi Kivity <avi-atKUWr5tajBWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH] QEMU support for virtio balloon driver
Date: Fri, 25 Jan 2008 18:10:04 -0600
Message-ID: <479A7A5C.6030005@us.ibm.com>
In-Reply-To: <1201302492.2944.8.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>

Dor Laor wrote:
> On Thu, 2008-01-24 at 16:29 -0600, Anthony Liguori wrote:
>   
>> Anthony Liguori wrote:
>>     
>>> This patch adds support to QEMU for Rusty's recently introduced virtio balloon
>>> driver.  The user-facing portions of this are the introduction of a "balloon"
>>> and "info balloon" command in the monitor.
>>>
>>> I think using madvise unconditionally is okay but I am not sure.
>>>       
>> Looks like it's not.  I just hung my host system after doing a bunch of 
>> ballooning with a kernel that doesn't have MM notifiers.
>>
>> I'm inclined to think that we should have a capability check for MM 
>> notifiers and just not do madvise if they aren't present.  I don't think 
>> the ioctl approach that Marcelo took is sufficient as a malicious guest 
>> could possibly hose the host.
>>
>>     
>
> The ioctl to zap the shadow pages is needed in order to free memory
> fast. Without it the balloon will evacuate memory too slow for common
> mgmt application (running additional VMs).
>   

I think that assertion needs some performance numbers to back it up.  
Linux will write unused pages to swap such that when it does need to 
obtain memory, it can easily just reclaim pages without doing any disk IO.

The real advantage with using madvise() is that it doesn't use any swap 
space (at least, on Linux).

> This ioctl (on older kernels only) can hose the host but so can
> malicious guests that do dummy cr3 switching and other hackery.
>   

What do you mean by that?  The guest really shouldn't be able to hose 
the host regardless of what it puts in cr3.  If it can, then that's a 
very serious bug.

> If one really insists he can always add a timer to this ioctl to slow
> potential malicious guests.
>   

The issue is the atomicity of removing some from the shadow MMU cache 
and then madvise()'ing (since madvise is incapable of evicting from the 
shadow MMU cache w/o MMU notifiers).  The only real solution I know of 
would be to also introduce an ioctl that's essentially, 
MADVISE_AND_REMOVE_FROM_SHADOW_MMU ioctl().

Regards,

Anthony Liguori

>   
>> Having the guest allocate and not touch memory means that it should 
>> eventually be removed from the shadow page cache and eventually swapped 
>> out so ballooning isn't totally useless in the absence of MM notifiers.
>>
>> Regards,
>>
>> Anthony Liguori
>>     
>
>
>   
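
Added example, not part of the original message or of the QEMU patch: a small Linux C program showing what `madvise(MADV_DONTNEED)` does to an anonymous page from the host process's side, which is the call the thread discusses for releasing ballooned memory. The page frame is dropped at once with no swap I/O, so any other translation still pointing at it (the shadow MMU cache, absent MMU notifiers) is left stale; the struct and function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names; observations for one page handed back to the host. */
struct balloon_result {
    int resident_before; /* backed by RAM after being written */
    int resident_after;  /* still backed by RAM right after madvise() */
    int reads_zero;      /* next access sees a fresh zero page */
};

/* Returns 0 on success, -1 if a system call failed. */
int balloon_one_page(struct balloon_result *r)
{
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char vec = 0;
    int rc = -1;
    unsigned char *p = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    memset(p, 0xAA, psz); /* constructed stand-in for guest data */
    if (mincore(p, psz, &vec) != 0)
        goto out;
    r->resident_before = vec & 1;
    /* Host side of inflating the balloon: drop the page, no swap I/O. */
    if (madvise(p, psz, MADV_DONTNEED) != 0)
        goto out;
    if (mincore(p, psz, &vec) != 0)
        goto out;
    r->resident_after = vec & 1;
    /* The old frame is gone; this access faults in zeroes. */
    r->reads_zero = (p[0] == 0 && p[psz - 1] == 0);
    rc = 0;
out:
    munmap(p, psz);
    return rc;
}

int main(void)
{
    struct balloon_result r = {0};
    if (balloon_one_page(&r) != 0) { perror("balloon_one_page"); return 1; }
    printf("before=%d after=%d zero=%d\n", r.resident_before, r.resident_after, r.reads_zero);
    return 0;
}
```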

