Re: [RFC][Patch v9 0/6] KVM: Guest Free Page Hinting

[Alexander Duyck]

On Wed, Mar 6, 2019 at 11:07 AM Nitesh Narayan Lal <nitesh@xxxxxxxxxx> wrote:
>
>
> On 3/6/19 1:00 PM, Alexander Duyck wrote:
> > On Wed, Mar 6, 2019 at 7:51 AM Nitesh Narayan Lal <nitesh@xxxxxxxxxx> wrote:
> >> The following patch-set proposes an efficient mechanism for handing freed memory between the guest and the host. It enables the guests with no page cache to rapidly free and reclaims memory to and from the host respectively.
> >>
> >> Benefit:
> >> With this patch-series, in our test-case, executed on a single system and single NUMA node with 15GB memory, we were able to successfully launch 5 guests(each with 5 GB memory) when page hinting was enabled and 3 without it. (Detailed explanation of the test procedure is provided at the bottom under Test - 1).
> >>
> >> Changelog in v9:
> >>         * Guest free page hinting hook is now invoked after a page has been merged in the buddy.
> >>         * Free pages only with order FREE_PAGE_HINTING_MIN_ORDER(currently defined as MAX_ORDER - 1) are captured.
> >>         * Removed kthread which was earlier used to perform the scanning, isolation & reporting of free pages.
> > Without a kthread this has the potential to get really ugly really
> > fast. If we are going to run asynchronously we should probably be
> > truly asynchonous and just place a few pieces of data in the page that
> > a worker thread can use to identify which pages have been hinted and
> > which pages have not.
>
> Can you please explain what do you mean by truly asynchronous?
>
> With this implementation also I am not reporting the pages synchronously.

The problem is you are making it pseudo synchronous by having to push
pages off to a side buffer aren't you? In my mind we should be able to
have the page hinting go on with little to no interference with
existing page allocation and freeing.

> > Then we can have that one thread just walking
> > through the zone memory pulling out fixed size pieces at a time and
> > providing hints on that. By doing that we avoid the potential of
> > creating a batch of pages that eat up most of the system memory.
> >
> >>         * Pages, captured in the per cpu array are sorted based on the zone numbers. This is to avoid redundancy of acquiring zone locks.
> >>         * Dynamically allocated space is used to hold the isolated guest free pages.
> > I have concerns that doing this per CPU and allocating memory
> > dynamically can result in you losing a significant amount of memory as
> > it sits waiting to be hinted.
> It should not as the buddy will keep merging the pages and we are only
> capturing MAX_ORDER - 1.
> This was the issue with the last patch-series when I was capturing all
> order pages resulting in the per-cpu array to be filled with lower order
> pages.
> >
> >>         * All the pages are reported asynchronously to the host via virtio driver.
> >>         * Pages are returned back to the guest buddy free list only when the host response is received.
> > I have been thinking about this. Instead of stealing the page couldn't
> > you simply flag it that there is a hint in progress and simply wait in
> > arch_alloc_page until the hint has been processed?
> With the flag, I am assuming you mean to block the allocation until
> hinting is going on, which is an issue. That was one of the issues
> discussed earlier which I wanted to solve with this implementation.

With the flag we would allow the allocation, but would have to
synchronize with the hinting at that point. I got the idea from the
way the s390 code works. They have both an arch_free_page and an
arch_alloc_page. If I understand correctly the arch_alloc_page is what
is meant to handle the case of a page that has been marked for
hinting, but may not have been hinted on yet. My thought for now is to
keep it simple and use a page flag to indicate that a page is
currently pending a hint. We should be able to spin in such a case and
it would probably still perform better than a solution where we would
not have the memory available and possibly be under memory pressure.

> > The problem is in
> > stealing pages you are going to introduce false OOM issues when the
> > memory isn't available because it is being hinted on.
> I think this situation will arise when the guest is under memory
> pressure. In such situations any attempt to perform isolation will
> anyways fail and we may not be reporting anything at that time.

What I want to avoid is the scenario where an application grabs a
large amount of memory, then frees said memory, and we are sitting on
it for some time because we decide to try and hint on the large chunk.
By processing this sometime after the pages are sent to the buddy
allocator in a separate thread, and by processing a small fixed window
of memory at a time we can avoid making freeing memory expensive, and
still provide the hints in a reasonable time frame.

> >
> >> Pending items:
> >>         * Make sure that the guest free page hinting's current implementation doesn't break hugepages or device assigned guests.
> >>         * Follow up on VIRTIO_BALLOON_F_PAGE_POISON's device side support. (It is currently missing)
> >>         * Compare reporting free pages via vring with vhost.
> >>         * Decide between MADV_DONTNEED and MADV_FREE.
> >>         * Analyze overall performance impact due to guest free page hinting.
> >>         * Come up with proper/traceable error-message/logs.
> > I'll try applying these patches and see if I can reproduce the results
> > you reported.
> Thanks. Let me know if you run into any issues.
> > With the last patch set I couldn't reproduce the results
> > as you reported them.
> If I remember correctly then the last time you only tried with multiple
> vcpus and not with 1 vcpu.

I had tried 1 vcpu, however I ended up running into some other issues
that made it difficult to even boot the system last week.

> > It has me wondering if you were somehow seeing
> > the effects of a balloon instead of the actual memory hints as I
> > couldn't find any evidence of the memory ever actually being freed
> > back by the hints functionality.
>
> Can you please elaborate what kind of evidence you are looking for?
>
> I did trace the hints on the QEMU/host side.

It looks like the new patches are working as I am seeing the memory
freeing occurring this time around. Although it looks like this is
still generating traces from free_pcpages_bulk if I enable multiple
VCPUs:

[  175.823539] list_add corruption. next->prev should be prev
(ffff947c7ffd61e0), but was ffffc7a29f9e0008. (next=ffffc7a29f4c0008).
[  175.825978] ------------[ cut here ]------------
[  175.826889] kernel BUG at lib/list_debug.c:25!
[  175.827766] invalid opcode: 0000 [#1] SMP PTI
[  175.828621] CPU: 5 PID: 1344 Comm: page_fault1_thr Not tainted
5.0.0-next-20190306-baseline+ #76
[  175.830312] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[  175.831885] RIP: 0010:__list_add_valid+0x35/0x70
[  175.832784] Code: 18 48 8b 32 48 39 f0 75 39 48 39 c7 74 1e 48 39
fa 74 19 b8 01 00 00 00 c3 48 89 c1 48 c7 c7 80 b5 0f a9 31 c0 e8 8f
aa c8 ff <0f> 0b 48 89 c1 48 89 fe 31 c0 48 c7 c7 30 b6 0f a9 e8 79 aa
c8 ff
[  175.836379] RSP: 0018:ffffa717c40839b0 EFLAGS: 00010046
[  175.837394] RAX: 0000000000000075 RBX: ffff947c7ffd61e0 RCX: 0000000000000000
[  175.838779] RDX: 0000000000000000 RSI: ffff947c5f957188 RDI: ffff947c5f957188
[  175.840162] RBP: ffff947c7ffd61d0 R08: 000000000000026f R09: 0000000000000005
[  175.841539] R10: 0000000000000000 R11: ffffa717c4083730 R12: ffffc7a29f260008
[  175.842932] R13: ffff947c7ffd5d00 R14: ffffc7a29f4c0008 R15: ffffc7a29f260000
[  175.844319] FS:  0000000000000000(0000) GS:ffff947c5f940000(0000)
knlGS:0000000000000000
[  175.845896] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  175.847009] CR2: 00007fffe3421000 CR3: 000000051220e006 CR4: 0000000000160ee0
[  175.848390] Call Trace:
[  175.848896]  free_pcppages_bulk+0x4bc/0x6a0
[  175.849723]  free_unref_page_list+0x10d/0x190
[  175.850567]  release_pages+0x103/0x4a0
[  175.851313]  tlb_flush_mmu_free+0x36/0x50
[  175.852105]  unmap_page_range+0x963/0xd50
[  175.852897]  unmap_vmas+0x62/0xc0
[  175.853549]  exit_mmap+0xb5/0x1a0
[  175.854205]  mmput+0x5b/0x120
[  175.854794]  do_exit+0x273/0xc30
[  175.855426]  ? free_unref_page_commit+0x85/0xf0
[  175.856312]  do_group_exit+0x39/0xa0
[  175.857018]  get_signal+0x172/0x7c0
[  175.857703]  do_signal+0x36/0x620
[  175.858355]  ? percpu_counter_add_batch+0x4b/0x60
[  175.859280]  ? __do_munmap+0x288/0x390
[  175.860020]  exit_to_usermode_loop+0x4c/0xa8
[  175.860859]  do_syscall_64+0x152/0x170
[  175.861595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  175.862586] RIP: 0033:0x7ffff76a8ec7
[  175.863292] Code: Bad RIP value.
[  175.863928] RSP: 002b:00007ffff4422eb8 EFLAGS: 00000212 ORIG_RAX:
000000000000000b
[  175.865396] RAX: 0000000000000000 RBX: 00007ffff7ff7280 RCX: 00007ffff76a8ec7
[  175.866799] RDX: 00007fffe3422000 RSI: 0000000008000000 RDI: 00007fffdb422000
[  175.868194] RBP: 0000000000001000 R08: ffffffffffffffff R09: 0000000000000000
[  175.869582] R10: 0000000000000022 R11: 0000000000000212 R12: 00007ffff4422fc0
[  175.870984] R13: 0000000000000001 R14: 00007fffffffc1b0 R15: 00007ffff44239c0
[  175.872350] Modules linked in: ip6t_rpfilter ip6t_REJECT
nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat
ebtable_broute bridge stp llc ip6table_nat ip6table_mangle
ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw
iptable_security ebtable_filter ebtables ip6table_filter ip6_tables
sunrpc sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
kvm_intel kvm ppdev irqbypass parport_pc parport virtio_balloon pcspkr
i2c_piix4 joydev xfs libcrc32c cirrus drm_kms_helper ttm drm e1000
crc32c_intel virtio_blk serio_raw ata_generic floppy pata_acpi
qemu_fw_cfg
[  175.883153] ---[ end trace 5b67f12a67d1f373 ]---

I should be able to rebuild the kernels/qemu and test this patch set
over the next day or two.

Thanks.

- Alex