Page MenuHomeFreeBSD

bhyve: add backend rx backpressure to virtio-net
Needs ReviewPublic

Authored by vmaffione on Jul 18 2019, 9:18 PM.

Details

Reviewers
markj
jhb
pmooney_pfmooney.com
bryanv
Group Reviewers
bhyve
Summary

If a VM is flooded with more ingress packets than the guest OS can handle, the current virtio-net code will keep reading those packets and drop most of them as no space is available in the receive queue. This is an undesirable receive livelock, which is a waste of CPU and memory resources and potentially opens to DoS attacks.
With this change, virtio-net uses the new netbe_rx_disable() function to disable ingress operation in the backend while the guest is short on RX buffers. Once the guest makes more buffers available to the RX virtqueue, ingress operation is enabled again by calling netbe_rx_enable().

Note: this depends on https://reviews.freebsd.org/D20973

Test Plan

Experiments performed on a 12 CPUs i7-8700 @ 3.20 GHz.
I got a bhyve VM with 2 vCPUs, with virtio-net as a virtual device and a VALE port (vale:0) as a backend.
Use pkt-gen from the host to flood the VM VALE port (DoS attack), e.g.:

# pkt-gen -i vale:1 -f tx -H12

No process in the guest tries to receive the packets, which are then dropped at the UDP socket layer.

Without this patch, I observe the CPU utilization of the bhyve process to go up to 190%.
With this patch, CPU utilization stays ~100%, as expected.

Diff Detail

Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

vmaffione created this revision.Jul 18 2019, 9:18 PM
vmaffione edited the summary of this revision. (Show Details)Jul 18 2019, 9:18 PM
bryanv accepted this revision as: bryanv.Jul 19 2019, 3:28 AM
This revision is now accepted and ready to land.Jul 19 2019, 3:28 AM
vmaffione edited the test plan for this revision. (Show Details)Jul 19 2019, 4:41 PM
vmaffione edited the test plan for this revision. (Show Details)
vmaffione added a subscriber: gnn.Jul 19 2019, 7:07 PM

I tested this path in our test lab. It’s works fine.

Any additional opinions on this patch?

vmaffione updated this revision to Diff 62125.Sep 15 2019, 2:35 PM

Follow-up change after updating D20973.
Define mevent_add_disabled here.

This revision now requires review to proceed.Sep 15 2019, 2:35 PM

Note: this is the next patch to be reviewed. Thanks.

Any reviews?
Thanks