lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 7 Mar 2019 08:09:27 -0500
From:   Nitesh Narayan Lal <nitesh@...hat.com>
To:     Alexander Duyck <alexander.duyck@...il.com>
Cc:     kvm list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-mm <linux-mm@...ck.org>,
        Paolo Bonzini <pbonzini@...hat.com>, lcapitulino@...hat.com,
        pagupta@...hat.com, wei.w.wang@...el.com,
        Yang Zhang <yang.zhang.wz@...il.com>,
        Rik van Riel <riel@...riel.com>,
        David Hildenbrand <david@...hat.com>,
        "Michael S. Tsirkin" <mst@...hat.com>, dodgen@...gle.com,
        Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
        dhildenb@...hat.com, Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [RFC][Patch v9 0/6] KVM: Guest Free Page Hinting


On 3/6/19 5:05 PM, Alexander Duyck wrote:
> On Wed, Mar 6, 2019 at 11:07 AM Nitesh Narayan Lal <nitesh@...hat.com> wrote:
>>
>> On 3/6/19 1:00 PM, Alexander Duyck wrote:
>>> On Wed, Mar 6, 2019 at 7:51 AM Nitesh Narayan Lal <nitesh@...hat.com> wrote:
>>>> The following patch-set proposes an efficient mechanism for handing freed memory between the guest and the host. It enables the guests with no page cache to rapidly free and reclaims memory to and from the host respectively.
>>>>
>>>> Benefit:
>>>> With this patch-series, in our test-case, executed on a single system and single NUMA node with 15GB memory, we were able to successfully launch 5 guests(each with 5 GB memory) when page hinting was enabled and 3 without it. (Detailed explanation of the test procedure is provided at the bottom under Test - 1).
>>>>
>>>> Changelog in v9:
>>>>         * Guest free page hinting hook is now invoked after a page has been merged in the buddy.
>>>>         * Free pages only with order FREE_PAGE_HINTING_MIN_ORDER(currently defined as MAX_ORDER - 1) are captured.
>>>>         * Removed kthread which was earlier used to perform the scanning, isolation & reporting of free pages.
>>> Without a kthread this has the potential to get really ugly really
>>> fast. If we are going to run asynchronously we should probably be
>>> truly asynchonous and just place a few pieces of data in the page that
>>> a worker thread can use to identify which pages have been hinted and
>>> which pages have not.
>> Can you please explain what do you mean by truly asynchronous?
>>
>> With this implementation also I am not reporting the pages synchronously.
> The problem is you are making it pseudo synchronous by having to push
> pages off to a side buffer aren't you? In my mind we should be able to
> have the page hinting go on with little to no interference with
> existing page allocation and freeing.
We have to opt one of the two options:
1. Block allocation by using a flag or acquire a lock to prevent the
usage of pages we are hinting.
2. Remove the page set entirely from the buddy. (This is what I am doing
right now)

The reason I would prefer the second approach is that we are not
blocking the allocation in any way and as we are only working with a
smaller set of pages we should be fine.
However, with the current approach as we are reporting asynchronously
there is a chance that we end up hinting more than 2-3 times for a
single workload run. In situation where this could lead to low memory
condition in the guest, the hinting will anyways fail as the guest will
not allow page isolation.
I can possibly try and test the same to ensure that we don't get OOM due
to hinting when the guest is under memory pressure.


>
>>> Then we can have that one thread just walking
>>> through the zone memory pulling out fixed size pieces at a time and
>>> providing hints on that. By doing that we avoid the potential of
>>> creating a batch of pages that eat up most of the system memory.
>>>
>>>>         * Pages, captured in the per cpu array are sorted based on the zone numbers. This is to avoid redundancy of acquiring zone locks.
>>>>         * Dynamically allocated space is used to hold the isolated guest free pages.
>>> I have concerns that doing this per CPU and allocating memory
>>> dynamically can result in you losing a significant amount of memory as
>>> it sits waiting to be hinted.
>> It should not as the buddy will keep merging the pages and we are only
>> capturing MAX_ORDER - 1.
>> This was the issue with the last patch-series when I was capturing all
>> order pages resulting in the per-cpu array to be filled with lower order
>> pages.
>>>>         * All the pages are reported asynchronously to the host via virtio driver.
>>>>         * Pages are returned back to the guest buddy free list only when the host response is received.
>>> I have been thinking about this. Instead of stealing the page couldn't
>>> you simply flag it that there is a hint in progress and simply wait in
>>> arch_alloc_page until the hint has been processed?
>> With the flag, I am assuming you mean to block the allocation until
>> hinting is going on, which is an issue. That was one of the issues
>> discussed earlier which I wanted to solve with this implementation.
> With the flag we would allow the allocation, but would have to
> synchronize with the hinting at that point. I got the idea from the
> way the s390 code works. They have both an arch_free_page and an
> arch_alloc_page. If I understand correctly the arch_alloc_page is what
> is meant to handle the case of a page that has been marked for
> hinting, but may not have been hinted on yet. My thought for now is to
> keep it simple and use a page flag to indicate that a page is
> currently pending a hint. 
I am assuming this page flag will be located in the page structure.
> We should be able to spin in such a case and
> it would probably still perform better than a solution where we would
> not have the memory available and possibly be under memory pressure.
I had this same idea earlier. However, the thing about which I was not
sure is if adding a flag in the page structure will be acceptable upstream.
>
>>> The problem is in
>>> stealing pages you are going to introduce false OOM issues when the
>>> memory isn't available because it is being hinted on.
>> I think this situation will arise when the guest is under memory
>> pressure. In such situations any attempt to perform isolation will
>> anyways fail and we may not be reporting anything at that time.
> What I want to avoid is the scenario where an application grabs a
> large amount of memory, then frees said memory, and we are sitting on
> it for some time because we decide to try and hint on the large chunk.
I agree.
> By processing this sometime after the pages are sent to the buddy
> allocator in a separate thread, and by processing a small fixed window
> of memory at a time we can avoid making freeing memory expensive, and
> still provide the hints in a reasonable time frame.

My impression is that the current window on which I am working may give
issues for smaller size guests. But otherwise, we are already working
with a smaller fixed window of memory.

I can further restrict this to just 128 entries and test which would
bring down the window of memory. Let me know what you think.

>
>>>> Pending items:
>>>>         * Make sure that the guest free page hinting's current implementation doesn't break hugepages or device assigned guests.
>>>>         * Follow up on VIRTIO_BALLOON_F_PAGE_POISON's device side support. (It is currently missing)
>>>>         * Compare reporting free pages via vring with vhost.
>>>>         * Decide between MADV_DONTNEED and MADV_FREE.
>>>>         * Analyze overall performance impact due to guest free page hinting.
>>>>         * Come up with proper/traceable error-message/logs.
>>> I'll try applying these patches and see if I can reproduce the results
>>> you reported.
>> Thanks. Let me know if you run into any issues.
>>> With the last patch set I couldn't reproduce the results
>>> as you reported them.
>> If I remember correctly then the last time you only tried with multiple
>> vcpus and not with 1 vcpu.
> I had tried 1 vcpu, however I ended up running into some other issues
> that made it difficult to even boot the system last week.
>
>>> It has me wondering if you were somehow seeing
>>> the effects of a balloon instead of the actual memory hints as I
>>> couldn't find any evidence of the memory ever actually being freed
>>> back by the hints functionality.
>> Can you please elaborate what kind of evidence you are looking for?
>>
>> I did trace the hints on the QEMU/host side.
> It looks like the new patches are working as I am seeing the memory
> freeing occurring this time around. Although it looks like this is
> still generating traces from free_pcpages_bulk if I enable multiple
> VCPUs:
I am assuming with the changes you suggested you were able to run this
patch-series. Is that correct?
>
> [  175.823539] list_add corruption. next->prev should be prev
> (ffff947c7ffd61e0), but was ffffc7a29f9e0008. (next=ffffc7a29f4c0008).
> [  175.825978] ------------[ cut here ]------------
> [  175.826889] kernel BUG at lib/list_debug.c:25!
> [  175.827766] invalid opcode: 0000 [#1] SMP PTI
> [  175.828621] CPU: 5 PID: 1344 Comm: page_fault1_thr Not tainted
> 5.0.0-next-20190306-baseline+ #76
> [  175.830312] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Bochs 01/01/2011
> [  175.831885] RIP: 0010:__list_add_valid+0x35/0x70
> [  175.832784] Code: 18 48 8b 32 48 39 f0 75 39 48 39 c7 74 1e 48 39
> fa 74 19 b8 01 00 00 00 c3 48 89 c1 48 c7 c7 80 b5 0f a9 31 c0 e8 8f
> aa c8 ff <0f> 0b 48 89 c1 48 89 fe 31 c0 48 c7 c7 30 b6 0f a9 e8 79 aa
> c8 ff
> [  175.836379] RSP: 0018:ffffa717c40839b0 EFLAGS: 00010046
> [  175.837394] RAX: 0000000000000075 RBX: ffff947c7ffd61e0 RCX: 0000000000000000
> [  175.838779] RDX: 0000000000000000 RSI: ffff947c5f957188 RDI: ffff947c5f957188
> [  175.840162] RBP: ffff947c7ffd61d0 R08: 000000000000026f R09: 0000000000000005
> [  175.841539] R10: 0000000000000000 R11: ffffa717c4083730 R12: ffffc7a29f260008
> [  175.842932] R13: ffff947c7ffd5d00 R14: ffffc7a29f4c0008 R15: ffffc7a29f260000
> [  175.844319] FS:  0000000000000000(0000) GS:ffff947c5f940000(0000)
> knlGS:0000000000000000
> [  175.845896] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  175.847009] CR2: 00007fffe3421000 CR3: 000000051220e006 CR4: 0000000000160ee0
> [  175.848390] Call Trace:
> [  175.848896]  free_pcppages_bulk+0x4bc/0x6a0
> [  175.849723]  free_unref_page_list+0x10d/0x190
> [  175.850567]  release_pages+0x103/0x4a0
> [  175.851313]  tlb_flush_mmu_free+0x36/0x50
> [  175.852105]  unmap_page_range+0x963/0xd50
> [  175.852897]  unmap_vmas+0x62/0xc0
> [  175.853549]  exit_mmap+0xb5/0x1a0
> [  175.854205]  mmput+0x5b/0x120
> [  175.854794]  do_exit+0x273/0xc30
> [  175.855426]  ? free_unref_page_commit+0x85/0xf0
> [  175.856312]  do_group_exit+0x39/0xa0
> [  175.857018]  get_signal+0x172/0x7c0
> [  175.857703]  do_signal+0x36/0x620
> [  175.858355]  ? percpu_counter_add_batch+0x4b/0x60
> [  175.859280]  ? __do_munmap+0x288/0x390
> [  175.860020]  exit_to_usermode_loop+0x4c/0xa8
> [  175.860859]  do_syscall_64+0x152/0x170
> [  175.861595]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  175.862586] RIP: 0033:0x7ffff76a8ec7
> [  175.863292] Code: Bad RIP value.
> [  175.863928] RSP: 002b:00007ffff4422eb8 EFLAGS: 00000212 ORIG_RAX:
> 000000000000000b
> [  175.865396] RAX: 0000000000000000 RBX: 00007ffff7ff7280 RCX: 00007ffff76a8ec7
> [  175.866799] RDX: 00007fffe3422000 RSI: 0000000008000000 RDI: 00007fffdb422000
> [  175.868194] RBP: 0000000000001000 R08: ffffffffffffffff R09: 0000000000000000
> [  175.869582] R10: 0000000000000022 R11: 0000000000000212 R12: 00007ffff4422fc0
> [  175.870984] R13: 0000000000000001 R14: 00007fffffffc1b0 R15: 00007ffff44239c0
> [  175.872350] Modules linked in: ip6t_rpfilter ip6t_REJECT
> nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat
> ebtable_broute bridge stp llc ip6table_nat ip6table_mangle
> ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack
> nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw
> iptable_security ebtable_filter ebtables ip6table_filter ip6_tables
> sunrpc sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
> kvm_intel kvm ppdev irqbypass parport_pc parport virtio_balloon pcspkr
> i2c_piix4 joydev xfs libcrc32c cirrus drm_kms_helper ttm drm e1000
> crc32c_intel virtio_blk serio_raw ata_generic floppy pata_acpi
> qemu_fw_cfg
> [  175.883153] ---[ end trace 5b67f12a67d1f373 ]---
>
> I should be able to rebuild the kernels/qemu and test this patch set
> over the next day or two.
Thanks.
>
> Thanks.
>
> - Alex
-- 
Regards
Nitesh



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ