From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 467D6C433EF for ; Sun, 7 Nov 2021 09:22:26 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8C21160D07 for ; Sun, 7 Nov 2021 09:22:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 8C21160D07 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=nongnu.org Received: from localhost ([::1]:49732 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mjeNc-000200-Bo for qemu-devel@archiver.kernel.org; Sun, 07 Nov 2021 04:22:24 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:36260) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mjeMx-0001E1-FZ for qemu-devel@nongnu.org; Sun, 07 Nov 2021 04:21:43 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:39932) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mjeMt-0006qv-Jb for qemu-devel@nongnu.org; Sun, 07 Nov 2021 04:21:42 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1636276897; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=olfzwTtSHUIfHVCl6XtPYdi4mvQIwS2D4a2QqwCFifc=; b=L7sakSEPazk9ZzAZ0o9gOlg9cbdiegJpIXYemNh2h5zVYGzs4mPrO6sScH+CpUJokHb0mp wTKGgJDJMXmV8cx50+kL3FKnXN7O8ESk5jNuGlAbGYj4XJkwgfN2X9Ilh5DU+hb7tP4/jF Qr4PCZMrAbvmAsaQkdP3KrFNOZ3bpdY= Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-392-K5-B9LxcOKqB_wKUBZOiUA-1; Sun, 07 Nov 2021 04:21:36 -0500 X-MC-Unique: K5-B9LxcOKqB_wKUBZOiUA-1 Received: by mail-wr1-f70.google.com with SMTP id d13-20020adf9b8d000000b00160a94c235aso2860893wrc.2 for ; Sun, 07 Nov 2021 01:21:36 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:organization:in-reply-to :content-transfer-encoding; bh=olfzwTtSHUIfHVCl6XtPYdi4mvQIwS2D4a2QqwCFifc=; b=SjG/eMTWTmcNJY+Z34qHe9c+RHCPDspx5SbTjOQky8KpXwVsRHEiVI72TQsfcGXXX4 QdIj0uWzkaDoMGdFd2T/UzCJKTh03KBoqQfiDAqOzo0nmy3OcimJB0zk5KOFbaqhlokv MMLGEMLIdqI2IRm7ttOKr+BzX7dBcfZrjY9d+7UdG6tXGzaSWYe3aQWwsE+CWcJL68x6 ETpH7NrexM3dyAx6qHP1zT1w09HvmXR194Tf6hxg/BdnaVlW92iBwEcZefbchz920Arj U6FRHx4GOWqedXIDJ4tZp8SffIREa2k4OTCzxxhZXq4/3XlAAy6UVCRKOkgnsj416Fhn Zr3Q== X-Gm-Message-State: AOAM530eHFEZlf5k6sF9uk6V43ZGdbE4SQ65rR1TwZ3vmxn817TaQXmE GIj9XOY7rVkOkpO+XcihQBXDq1brvOK7NweFNcQf+WRAy4Hyo/kepU5SqJ5eBZFB9g3pbHV5bC3 iTlmzA/8wsqWRBXo= X-Received: by 2002:a05:600c:a08:: with SMTP id z8mr45064952wmp.52.1636276895253; Sun, 07 Nov 2021 01:21:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJyETHxRAngHYa7R7dHv9Vr3ecQLaLuP+5ugn9puKukXXr0doKpPm31X9p9sX/2s9B0zzS0lSg== X-Received: by 2002:a05:600c:a08:: with SMTP id z8mr45064926wmp.52.1636276895015; Sun, 07 Nov 2021 01:21:35 -0800 (PST) Received: from ?IPV6:2003:d8:2f0c:a000:3f25:9662:b5cf:73f9? (p200300d82f0ca0003f259662b5cf73f9.dip0.t-ipconnect.de. [2003:d8:2f0c:a000:3f25:9662:b5cf:73f9]) by smtp.gmail.com with ESMTPSA id a4sm11864894wmg.10.2021.11.07.01.21.33 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Nov 2021 01:21:34 -0800 (PST) Message-ID: Date: Sun, 7 Nov 2021 10:21:33 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0 Subject: Re: [PATCH v1 00/12] virtio-mem: Expose device memory via multiple memslots To: "Michael S. Tsirkin" References: <20211027124531.57561-1-david@redhat.com> <20211101181352-mutt-send-email-mst@kernel.org> <20211102072843-mutt-send-email-mst@kernel.org> <171c8ed0-d55e-77ef-963b-6d836729ef4b@redhat.com> <20211102111228-mutt-send-email-mst@kernel.org> <20211107031316-mutt-send-email-mst@kernel.org> From: David Hildenbrand Organization: Red Hat In-Reply-To: <20211107031316-mutt-send-email-mst@kernel.org> Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=170.10.133.124; envelope-from=david@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -54 X-Spam_score: -5.5 X-Spam_bar: ----- X-Spam_report: (-5.5 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-2.039, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eduardo Habkost , kvm@vger.kernel.org, Richard Henderson , Stefan Hajnoczi , qemu-devel@nongnu.org, Peter Xu , "Dr . David Alan Gilbert" , Sebastien Boeuf , Igor Mammedov , Ani Sinha , Paolo Bonzini , Hui Zhu , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" On 07.11.21 09:14, Michael S. Tsirkin wrote: > On Tue, Nov 02, 2021 at 06:10:13PM +0100, David Hildenbrand wrote: >> On 02.11.21 18:06, Michael S. Tsirkin wrote: >>> On Tue, Nov 02, 2021 at 12:55:17PM +0100, David Hildenbrand wrote: >>>> On 02.11.21 12:35, Michael S. Tsirkin wrote: >>>>> On Tue, Nov 02, 2021 at 09:33:55AM +0100, David Hildenbrand wrote: >>>>>> On 01.11.21 23:15, Michael S. Tsirkin wrote: >>>>>>> On Wed, Oct 27, 2021 at 02:45:19PM +0200, David Hildenbrand wrote: >>>>>>>> This is the follow-up of [1], dropping auto-detection and vhost-user >>>>>>>> changes from the initial RFC. >>>>>>>> >>>>>>>> Based-on: 20211011175346.15499-1-david@redhat.com >>>>>>>> >>>>>>>> A virtio-mem device is represented by a single large RAM memory region >>>>>>>> backed by a single large mmap. >>>>>>>> >>>>>>>> Right now, we map that complete memory region into guest physical addres >>>>>>>> space, resulting in a very large memory mapping, KVM memory slot, ... >>>>>>>> although only a small amount of memory might actually be exposed to the VM. >>>>>>>> >>>>>>>> For example, when starting a VM with a 1 TiB virtio-mem device that only >>>>>>>> exposes little device memory (e.g., 1 GiB) towards the VM initialliy, >>>>>>>> in order to hotplug more memory later, we waste a lot of memory on metadata >>>>>>>> for KVM memory slots (> 2 GiB!) and accompanied bitmaps. Although some >>>>>>>> optimizations in KVM are being worked on to reduce this metadata overhead >>>>>>>> on x86-64 in some cases, it remains a problem with nested VMs and there are >>>>>>>> other reasons why we would want to reduce the total memory slot to a >>>>>>>> reasonable minimum. >>>>>>>> >>>>>>>> We want to: >>>>>>>> a) Reduce the metadata overhead, including bitmap sizes inside KVM but also >>>>>>>> inside QEMU KVM code where possible. >>>>>>>> b) Not always expose all device-memory to the VM, to reduce the attack >>>>>>>> surface of malicious VMs without using userfaultfd. >>>>>>> >>>>>>> I'm confused by the mention of these security considerations, >>>>>>> and I expect users will be just as confused. >>>>>> >>>>>> Malicious VMs wanting to consume more memory than desired is only >>>>>> relevant when running untrusted VMs in some environments, and it can be >>>>>> caught differently, for example, by carefully monitoring and limiting >>>>>> the maximum memory consumption of a VM. We have the same issue already >>>>>> when using virtio-balloon to logically unplug memory. For me, it's a >>>>>> secondary concern ( optimizing a is much more important ). >>>>>> >>>>>> Some users showed interest in having QEMU disallow access to unplugged >>>>>> memory, because coming up with a maximum memory consumption for a VM is >>>>>> hard. This is one step into that direction without having to run with >>>>>> uffd enabled all of the time. >>>>> >>>>> Sorry about missing the memo - is there a lot of overhead associated >>>>> with uffd then? >>>> >>>> When used with huge/gigantic pages, we don't particularly care. >>>> >>>> For other memory backends, we'll have to route any population via the >>>> uffd handler: guest accesses a 4k page -> place a 4k page from user >>>> space. Instead of the kernel automatically placing a THP, we'd be >>>> placing single 4k pages and have to hope the kernel will collapse them >>>> into a THP later. >>> >>> How much value there is in a THP given it's not present? >> >> If you don't place a THP right during the first page fault inside the >> THP region, you'll have to rely on khugepagd to eventually place a huge >> page later -- and manually fault in each and every 4k page. I haven't >> done any performance measurements so far. Going via userspace on every >> 4k fault will most certainly hurt performance when first touching memory. > > So, if the focus is performance improvement, maybe show the speedup? Let's not focus on b), a) is the primary goal of this series: " a) Reduce the metadata overhead, including bitmap sizes inside KVM but also inside QEMU KVM code where possible. " Because: " For example, when starting a VM with a 1 TiB virtio-mem device that only exposes little device memory (e.g., 1 GiB) towards the VM initialliy, in order to hotplug more memory later, we waste a lot of memory on metadata for KVM memory slots (> 2 GiB!) and accompanied bitmaps. " Partially tackling b) is just a nice side effect of this series. In the long term, we'll want userfaultfd-based protection, and I'll do a performance evaluation then, how userfaultf vs. !userfaultfd compares (boot time, run time, THP consumption). I'll adjust the cover letter for the next version to make this clearer. -- Thanks, David / dhildenb