On Fri, Sep 01, 2023 at 06:34:51PM +0000, Luiz Capitulino wrote: > Hi, > > As part of the mitigation for the iTLB multihit vulnerability, KVM creates > a worker thread in KVM_CREATE_VM ioctl(). This thread calls > cgroup_attach_task_all() which takes cgroup_threadgroup_rwsem for writing > which may incur 100ms+ latency since upstream commit > 6a010a49b63ac8465851a79185d8deff966f8e1a. > > However, if the CPU is not vulnerable to iTLB multihit one could just > disable the mitigation (and the worker thread creation) with the > newly added KVM module parameter nx_huge_pages=never. This avoids the issue > altogether. > > While there's an alternative solution for this issue already supported > in 6.1-stable (ie. cgroup's favordynmods), disabling the mitigation in > KVM is probably preferable if the workload is not impacted by dynamic > cgroup operations since one doesn't need to decide between the trade-off > in using favordynmods, the thread creation code path is avoided at > KVM_CREATE_VM and you avoid creating a thread which does nothing. > > Tests performed: > > * Measured KVM_CREATE_VM latency and confirmed it goes down to less than 1ms > * We've been performing latency measurements internally w/ this parameter > for some weeks now What about the 6.4.y kernel for these changes? Anyone moving from 6.1 to 6.4 will have a regression, right? Or you can wait a week or so for 6.4.y to go end-of-life, your choice :) thanks, greg k-h