CA-41832: clip the target of an 'inactive' domain to be within dynamic_min/dynamic_max

This is potentially dangerous: the reason we attempt to cap the memory usage of an unresponsive domain is to prevent it suddenly waking up and allocating at a bad moment, resulting in either a transient OOM or loss of low memory. With this change the cap will be 'loose', where target can be higher than memory_actual.

Signed-off-by: David Scott <dave.scott@eu.citrix.com>

diff --git a/ocaml/xenops/squeeze.ml b/ocaml/xenops/squeeze.ml
index c750fd37ba5170d5d7b7887f200adca65c7746d4..2938466b3df5e9b5dce4e06814afc35b4650b524 100644 (file)
--- a/ocaml/xenops/squeeze.ml
+++ b/ocaml/xenops/squeeze.ml
@@ -527,7 +527,12 @@ let change_host_free_memory ?fistpoints io required_mem_kib success_condition =
        let maxmems = IntMap.mapi
          (fun domid domain ->
                   if List.mem domid declared_inactive_domids 
-                  then min domain.target_kib domain.memory_actual_kib
+                  then 
+                       (* CA-41832: clip the target of an 'inactive' domain to within the dynamic min-max range.
+                          The danger here is that a domain might be using less than dynamic min now, but might 
+                          suddenly wake up and allocate memory belonging to someone else later. *)
+                       let ideal_kib = min domain.target_kib domain.memory_actual_kib in
+                       min domain.dynamic_max_kib (max domain.dynamic_min_kib ideal_kib)
                   else 
                         if List.mem_assoc domid new_targets
                         then List.assoc domid new_targets