Tim Shearer reported that "There is a guest which is running a packet forwarding app based on the DPDK (dpdk.org). The packet receive routine writes to 0xc070 using glibc's "outw_p" function which does an additional write to I/O port 0x80. It does this write for every packet that's received, causing a flood of KVM userspace context switches". He uses mpstat to observe a CPU performing L2 packet forwarding on a pinned guest vCPU, the guest time is 95 percent when allowing I/O port 0x80 bypass, however, it is 65.78 percent when I/O port 0x80 bypss is disabled. This patchset introduces per-VM I/O permission bitmaps, the userspace can disable the ioport intercept when they are more concern the performance than the security. Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> Cc: Radim Krčmář <rkrcmar@xxxxxxxxxx> Cc: Tim Shearer <tshearer@xxxxxxxxxxxxxxx> Cc: Liran Alon <liran.alon@xxxxxxxxxx> Wanpeng Li (3): KVM: VMX: Introduce per-VM I/O permission bitmaps KVM: X86: Allow userspace to disable ioport intercept KVM: VMX: Allow I/O port 0x80 bypass when userspace prefer Documentation/virtual/kvm/api.txt | 11 +++++++++++ arch/x86/include/asm/kvm_host.h | 2 ++ arch/x86/kvm/vmx.c | 41 ++++++++++++++++++++++++++++++++++++--- arch/x86/kvm/x86.c | 5 +++++ include/uapi/linux/kvm.h | 1 + 5 files changed, 57 insertions(+), 3 deletions(-) -- 2.7.4
