On 2023-09-02 03:27, Greg KH wrote:
On Fri, Sep 01, 2023 at 06:34:51PM +0000, Luiz Capitulino wrote:
Hi,
As part of the mitigation for the iTLB multihit vulnerability, KVM creates
a worker thread in KVM_CREATE_VM ioctl(). This thread calls
cgroup_attach_task_all() which takes cgroup_threadgroup_rwsem for writing
which may incur 100ms+ latency since upstream commit
6a010a49b63ac8465851a79185d8deff966f8e1a.
However, if the CPU is not vulnerable to iTLB multihit one could just
disable the mitigation (and the worker thread creation) with the
newly added KVM module parameter nx_huge_pages=never. This avoids the issue
altogether.
While there's an alternative solution for this issue already supported
in 6.1-stable (i.e. cgroup's favordynmods), disabling the mitigation in
KVM is probably preferable if the workload is not impacted by dynamic
cgroup operations since one doesn't need to decide between the trade-off
in using favordynmods, the thread creation code path is avoided at
KVM_CREATE_VM and you avoid creating a thread which does nothing.
Tests performed:
* Measured KVM_CREATE_VM latency and confirmed it goes down to less than 1ms
* We've been performing latency measurements internally w/ this parameter
for some weeks now
What about the 6.4.y kernel for these changes? Anyone moving from 6.1
to 6.4 will have a regression, right?
Or you can wait a week or so for 6.4.y to go end-of-life, your choice :)
I can do this backport for 6.4.y if that's better for stable users. Will
submit the patches next week.
- Luiz
thanks,
greg k-h