On Fri, Sep 01, 2023 at 06:34:51PM +0000, Luiz Capitulino wrote:
Hi,
As part of the mitigation for the iTLB multihit vulnerability, KVM creates a worker thread in KVM_CREATE_VM ioctl(). This thread calls cgroup_attach_task_all() which takes cgroup_threadgroup_rwsem for writing which may incur 100ms+ latency since upstream commit 6a010a49b63ac8465851a79185d8deff966f8e1a.
However, if the CPU is not vulnerable to iTLB multihit one could just disable the mitigation (and the worker thread creation) with the newly added KVM module parameter nx_huge_pages=never. This avoids the issue altogether.
While there's an alternative solution for this issue already supported in 6.1-stable (ie. cgroup's favordynmods), disabling the mitigation in KVM is probably preferable if the workload is not impacted by dynamic cgroup operations since one doesn't need to decide between the trade-off in using favordynmods, the thread creation code path is avoided at KVM_CREATE_VM and you avoid creating a thread which does nothing.
Tests performed:
- Measured KVM_CREATE_VM latency and confirmed it goes down to less than 1ms
- We've been performing latency measurements internally w/ this parameter for some weeks now
ALl now queued up, thanks.
greg k-h