Re: [PATCH 2/2] powerpc/kvm: Limit MAX_VCPUS for guests running on RT Linux
From: Scott Wood
Date: Mon Feb 23 2015 - 17:48:45 EST
On Fri, 2015-02-20 at 14:45 +0100, Alexander Graf wrote:
>
> On 18.02.15 10:32, Bogdan Purcareata wrote:
> > Due to the introduction of the raw_spinlock for the KVM openpic, guests with a
> > high number of VCPUs may induce great latencies on the underlying RT Linux
> > system (e.g. cyclictest reports latencies of ~15ms for guests with 24 VCPUs).
> > This can be further aggravated by sending a lot of external interrupts to the
> > guest.
> >
> > A malicious app can abuse this scenario, causing a DoS of the host Linux.
> > Until the KVM openpic code is refactored to use finer lock granularity, impose
> > a limitation on the number of VCPUs a guest can have when running on a
> > PREEMPT_RT_FULL system with KVM_MPIC emulation.
> >
> > Signed-off-by: Mihai Caraman <mihai.caraman@xxxxxxxxxxxxx>
> > Signed-off-by: Bogdan Purcareata <bogdan.purcareata@xxxxxxxxxxxxx>
> > Reviewed-by: Scott Wood <scottwood@xxxxxxxxxxxxx>
>
> I don't think this patch is reasonable to take upstream.
I agree (or at least, I don't think the raw lock conversion should be
separated from the vcpu limitation that makes it clear that it's a
temporary hack), because it ought to be fixed properly.
> If we have a
> latency issue, whoever spawned KVM VMs made a decision to spawn such big
> VMs.
I disagree. The point of PREEMPT_RT is to prevent the majority of
kernel code from excessively impacting latency. When you start using
raw locks you're stepping outside those bounds and need to ensure that
you don't hand things within those bounds (which includes userspace) the
ability to excessively impact latency.
-Scott
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/