George Dunlap
2009-Aug-25 14:23 UTC
[Xen-devel] [RFC] [PATCH] Accurate accounting for credit scheduler
The attached patch implements a first-cut of accurate TSC-based accounting for the Credit scheduler. Rather than debit a full 10ms of credit on a scheduler tick (probabilistic), it debits credits accurately based on time stamps. The main problem this is meant to address is an attack on the scheduler that allows a rogue guest to avoid ever being debited credits. The basic idea is that the rogue process checks time (using rdtsc) periodically, and yields after 9.5ms. Using this technique, a guest can "steal" 95% of the cpu. This is particularly an issue in cloud environments. Whenever we get a final version of this patch, it should be backported to earlier versions as well. Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com> -George _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Jan Beulich
2009-Aug-25 14:48 UTC
Re: [Xen-devel] [RFC] [PATCH] Accurate accounting for credit scheduler
>>> George Dunlap <George.Dunlap@eu.citrix.com> 25.08.09 16:23 >>> >--- a/xen/common/sched_credit.c Mon Aug 24 08:27:30 2009 +0100 >+++ b/xen/common/sched_credit.c Mon Aug 24 21:39:35 2009 +0100 >@@ -44,11 +44,12 @@ > #define CSCHED_MSECS_PER_TICK 10 > #define CSCHED_MSECS_PER_TSLICE \ > (CSCHED_MSECS_PER_TICK * CSCHED_TICKS_PER_TSLICE) >-#define CSCHED_CREDITS_PER_TICK 100 >+#define CSCHED_CREDITS_PER_MSEC 100000 > #define CSCHED_CREDITS_PER_TSLICE \ >- (CSCHED_CREDITS_PER_TICK * CSCHED_TICKS_PER_TSLICE) >+ (CSCHED_MSECS_PER_TSLICE * CSCHED_CREDITS_PER_MSEC) > #define CSCHED_CREDITS_PER_ACCT \ >- (CSCHED_CREDITS_PER_TICK * CSCHED_TICKS_PER_ACCT) >+ (CSCHED_CREDITS_PER_MSEC * CSCHED_MSECS_PER_TSLICE)This effectively makes an assumption that CSCHED_TICKS_PER_ACCT =CSCHED_TICKS_PER_TSLICE, which I don''t think the rest of the code really intends (or if it does, distinguishing those two as well as CSCHED_CREDITS_PER_TSLICE and CSCHED_CREDITS_PER_ACCT would become pointless).>+#define CSCHED_STIME_TO_CREDIT(_t) ((_t)*CSCHED_CREDITS_PER_MSEC/MILLISECS(1)) > > > /*Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel