On 09.06.2015 at 12:19, Denis V. Lunev wrote:
> Excessive virtio_balloon inflation can cause invocation of OOM-killer,
> when Linux is under severe memory pressure. Various mechanisms are
> responsible for correct virtio_balloon memory management. Nevertheless it
> is often the case that these control tools do not have enough time to
> react on fast changing memory load. As a result OS runs out of memory and
> invokes OOM-killer. The balancing of memory by use of the virtio balloon
> should not cause the termination of processes while there are pages in the
> balloon. Now there is no way for virtio balloon driver to free memory at
> the last moment before some process gets killed by OOM-killer.
>
> This does not provide a security breach as balloon itself is running
> inside Guest OS and is working in the cooperation with the host. Thus
> some improvements from Guest side should be considered as normal.
>
> To solve the problem, introduce a virtio_balloon callback which is
> expected to be called from the oom notifier call chain in out_of_memory()
> function. If virtio balloon could release some memory, it will make the
> system return and retry the allocation that forced the out of memory
> killer to run.
>
> This behavior should be enabled if and only if appropriate feature bit
> is set on the device. It is off by default.

The balloon frees pages in this way:

static void balloon_page(void *addr, int deflate)
{
#if defined(__linux__)
    if (!kvm_enabled() || kvm_has_sync_mmu())
        qemu_madvise(addr, TARGET_PAGE_SIZE,
                     deflate ? QEMU_MADV_WILLNEED : QEMU_MADV_DONTNEED);
#endif
}

The guest can re-touch that page and get an empty zero or the old page
back without tampering with the host integrity. This should work for all
cases I am aware of (without sync_mmu it's a nop anyway), so why not
enable that by default?

Anything that I missed?

Christian

>
> This functionality was recently merged into vanilla Linux.
>
> commit 5a10b7dbf904bfe01bb9fcc6298f7df09eed77d5
> Author: Raushaniya Maksudova <rmaksud...@parallels.com>
> Date: Mon Nov 10 09:36:29 2014 +1030
>
> This patch adds respective control bits into QEMU. It introduces
> deflate-on-oom option for balloon device which does the trick.
>
> Signed-off-by: Denis V. Lunev <d...@openvz.org>
> CC: Raushaniya Maksudova <rmaksud...@virtuozzo.com>
> CC: Anthony Liguori <aligu...@amazon.com>
> CC: Michael S. Tsirkin <m...@redhat.com>
> --- > hw/virtio/virtio-balloon.c | 6 ++++-- > include/hw/virtio/virtio-balloon.h | 1 + > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c > index f915c7b..d3f36f8 100644 > --- a/hw/virtio/virtio-balloon.c > +++ b/hw/virtio/virtio-balloon.c > @@ -312,8 +312,8 @@ static void virtio_balloon_set_config(VirtIODevice *vdev, > > static uint64_t virtio_balloon_get_features(VirtIODevice *vdev, uint64_t f) > { > - f |= (1 << VIRTIO_BALLOON_F_STATS_VQ); > - return f; > + VirtIOBalloon *dev = VIRTIO_BALLOON(vdev); > + return f | (1u << VIRTIO_BALLOON_F_STATS_VQ) | dev->host_features; > } > > static void virtio_balloon_stat(void *opaque, BalloonInfo *info) 
> @@ -423,6 +423,8 @@ static void virtio_balloon_instance_init(Object *obj) > } > > static Property virtio_balloon_properties[] = { > + DEFINE_PROP_BIT("deflate-on-oom", VirtIOBalloon, host_features, > + VIRTIO_BALLOON_F_DEFLATE_ON_OOM, false), > DEFINE_PROP_END_OF_LIST(), > }; > > diff --git a/include/hw/virtio/virtio-balloon.h > b/include/hw/virtio/virtio-balloon.h > index 4ab8f54..7f49b1f 100644 > --- a/include/hw/virtio/virtio-balloon.h > +++ b/include/hw/virtio/virtio-balloon.h > @@ -36,6 +36,7 @@ typedef struct VirtIOBalloon { > QEMUTimer *stats_timer; > int64_t stats_last_update; > int64_t stats_poll_interval; > + uint32_t host_features; > } VirtIOBalloon; > > #endif >
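
Review bot: In the virtio_balloon_get_features() hunk, `1u << VIRTIO_BALLOON_F_STATS_VQ` is evaluated in 32 bits and `dev->host_features` is a uint32_t, while `f` and the return value are uint64_t. That works for the bits used here, but a feature bit numbered 32 or higher could not be expressed this way; consider `1ULL <<` and a 64-bit field so the widths match the function signature.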
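
Review bot: The new "deflate-on-oom" entry in virtio_balloon_properties[] defaults to false, and nothing in this patch documents the option (the diffstat touches only virtio-balloon.c and virtio-balloon.h). Please add a short description of what the guest does when VIRTIO_BALLOON_F_DEFLATE_ON_OOM is offered, and state in the commit message why the default is off, since that is the question raised in the reply.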
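
Review bot: The `uint32_t host_features;` field added to VirtIOBalloon in the header hunk carries no comment, and its name does not say that it holds only the feature bits set through device properties such as "deflate-on-oom". A one-line comment next to the field would make clear how it differs from the `f` mask passed to virtio_balloon_get_features().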
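
Christian's point about the host-side discard, as an added example that is not part of the original mail and not QEMU code: a Linux process applies the same madvise(MADV_DONTNEED) call that balloon_page() issues on inflate and then touches the page again, as a guest would after deflating. It assumes a private anonymous mapping (file-backed or shared guest RAM behaves differently); the struct and function names are hypothetical.

```c
/* Added example (constructed, Linux-only); names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct discard_result {
    int before;            /* byte read before the discard */
    size_t nonzero_after;  /* non-zero bytes seen after re-touching */
    int rewrite;           /* byte read after writing to the page again */
};

/* Returns 0 on success, -1 if mmap() or madvise() failed. */
int discard_and_retouch(struct discard_result *r)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    memset(p, 0xAB, len);              /* "guest" data in the page */
    r->before = p[0];

    /* Same advice balloon_page() gives the host kernel on inflate. */
    if (madvise(p, len, MADV_DONTNEED) != 0) {
        munmap(p, len);
        return -1;
    }

    /* Re-touch: the fault is served with a fresh zero-filled page, so
     * the old contents are gone but the access itself is harmless. */
    r->nonzero_after = 0;
    for (size_t i = 0; i < len; i++)
        r->nonzero_after += (p[i] != 0);

    p[0] = 0x5A;                       /* page is fully usable again */
    r->rewrite = p[0];
    munmap(p, len);
    return 0;
}

int main(void)
{
    struct discard_result r;
    if (discard_and_retouch(&r) != 0)
        return 1;
    printf("before=0x%02x nonzero_after=%zu rewrite=0x%02x\n",
           r.before, r.nonzero_after, r.rewrite);
    return 0;
}
```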