KSM (Combining identical kernel memory pages)

KSM (Kernel Samepage Merging) is a Linux kernel feature that scans RAM, finds pages with completely identical content, and merges them into a single read-only page. If one of the virtual machines later attempts to modify such a page, the mechanism immediately creates its private copy. This allows a significant increase in effective data density in RAM without applications being aware of it.

This technology is most in demand in server virtualization environments, especially when using KVM and QEMU. When many guest systems with identical operating systems, libraries, or zero memory regions are running on a single physical host, KSM automatically deduplicates this data. The feature can also be used in container isolation or to optimize the performance of lightweight processes running in large numbers of instances.

QEMU (Emulator and hardware virtualizer of a computer)KVM (Turns the Linux kernel into a hypervisor)

The main problem with KSM is the high CPU resource consumption for background scanning, which can reduce overall performance. Excessive page merging can break isolation between virtual machines and create hidden side-channel vulnerabilities, potentially allowing the memory content of a neighboring system to be determined. Furthermore, active writing to already merged pages triggers a cascade of copy-on-write operations, causing brief latency spikes in guest operating systems.

How KSM works

The working principle is based on periodic asynchronous scanning of physical memory. The kernel maintains two red-black trees: a stable tree and an unstable tree. In the first phase, the ksmd daemon compares candidate pages line by line, which are marked by userspace via the madvise call. First, a hash of the page content is computed and placed into the unstable tree. During subsequent passes, if the page has not changed, its hash is moved to the stable tree. When two pages with identical hash and bitwise content are found, the kernel frees the duplicate page, redirecting its virtual memory table entry to the target page, and marks the COW copy-on-write entry as write-protected. If a process later attempts to write to this area, a page fault occurs, and a new unique copy of the page is created exclusively for the task that modified it. Scanning intensity and CPU consumption limits are configured via the sysfs interface in the /sys/kernel/mm/ksm/ directory, allowing the administrator to balance memory savings against deduplication overhead.

KSM functionality

  1. Identifying identical memory pages. The kernel subsystem scans physical pages allocated to processes and compares their content byte by byte. If pages with absolutely identical data are found, they become candidates for merging, regardless of their current role in the virtual address space.
  2. Releasing duplicate pages. When a match is found, KSM frees the duplicate page, returning it to the kernel allocator. The page table of the owning process is then updated so that the virtual address points to the single remaining physical page, which is marked as write-protected.
  3. MADV_MERGEABLE flag. Activating the mechanism requires explicit consent from userspace. The process must mark the relevant anonymous memory range using the madvise system call with the MADV_MERGEABLE flag. Without this, KSM will not scan that particular mapping.
  4. ksmd kernel thread. Scanning is performed by a separate kernel-space daemon called ksmd. It wakes up periodically, receiving a list of stable pages from the scan queue from the scheduler. The /sys/kernel/mm/ksm/sleep_millisecs parameter determines the interval between its iterations.
  5. Redundancy tree based algorithm. Page comparison is not implemented by linear scanning but through generating and matching checksums. KSM uses two red-black trees: an unstable tree for new pages and a stable tree for already merged pages. This eliminates the need for repeated full comparisons on every cycle.
  6. Protection via COW mechanism. When a write to a shared page is attempted, a page fault exception occurs. The kernel interrupt handler immediately creates a new writable copy of the page for the process that initiated the write, transparently breaking the COW link and restoring memory isolation.
  7. Scanning for page stability. Before being inserted into the stable tree, a page must confirm that its data remains unchanged. It is marked as write-protected, and if no write occurs within a certain period, the checksum is recalculated. Only if the old and new signatures match is the page considered stable.
  8. Ignoring memory locking flags. Even if a memory segment is locked by an mlock call, pages are not excluded from KSM scanning. However, COW copying on write still occurs, which temporarily increases memory consumption but preserves residency guarantees and merging functionality.
  9. pages_to_scan parameter. The number of pages processed in a single ksmd pass is controlled by the pages_to_scan parameter. Increasing this value improves duplicate search throughput but proportionally increases CPU load and contention for memory structure locks.
  10. Disabling via MADV_UNMERGEABLE. A process can at any time exclude a region from monitoring by calling madvise with the MADV_UNMERGEABLE flag. The kernel will immediately break all COW links for the specified pages, turning each into a unique private copy for the owning process.
  11. KSM on virtualized hosts. The greatest benefit is observed when consolidating similar virtual machines. The KVM hypervisor marks guest memory as mergeable, allowing the host kernel to deduplicate zero pages and identical segments of guest operating systems, radically increasing machine density.
  12. Accounting for shared pages. Standard Resident Set Size RSS distorts the memory usage picture. KSM introduces the Shared_Hugetlb field in smoothing statistics. Monitoring via smaps shows the Shared_Clean parameter, reflecting the amount of memory shared between processes due to deduplication.
  13. Handling transparent huge pages. By default, transparent huge pages THP do not participate in merging because their size is many times larger than a base page. However, the kernel can break THP into normal 4KB pages for scanning if the /sys/kernel/mm/ksm/merge_across_nodes parameter is enabled administratively.
  14. NUMA awareness. By default, KSM ignores NUMA node topology, merging pages across different nodes. This saves memory but increases remote access latencies. Setting merge_across_nodes to 0 restricts deduplication to within a single NUMA node.
  15. Calculating the deduplication ratio. Efficiency is evaluated via the sysfs interface. The pages_shared parameter shows the number of actually shared pages, while pages_sharing shows the number of virtual addresses referencing them. Their ratio directly reflects the achieved RAM savings ratio.
  16. Comparison with ZSWAP and ZRAM. Unlike compression technologies that move data to compressed pools under memory pressure, KSM works proactively and on the fly. It does not add the computational latency of background compression, but rather reduces pressure on physical memory by eliminating data-level redundancy.
  17. Locking mmap_sem. During scanning, ksmd holds the read semaphore mmap_sem of the target memory descriptor structure. This creates conflict with process mapping change operations. Under aggressive scanning settings, micro-freezes in user applications can occur due to waiting for this lock.
  18. Use in containerization. In high-density container environments on a single kernel, KSM allows deduplication of glibc, OpenSSL, and language interpreter libraries loaded into the memory of each isolated instance. Merging occurs after dozens of copies are started, freeing gigabytes for other services.
  19. Full scanning and the run flag. Scanner state is controlled by the boolean run flag. Setting it to 1 initiates a full scan of all marked memory, while resetting to 0 immediately stops ksmd. In the off state, all registered regions are removed from the processing queue but remain marked.
  20. Smart checksum verification. Modern implementations use hardware accelerated CRC32C instructions instead of slow memcmp for initial filtering. The checksum is stored in the page structure, allowing mismatching pairs to be discarded before expensive full content comparison.
  21. Tree_levels statistics. The depth of red-black trees is available for inspection via the stable_node_chains parameter. If chains_prune_miss_ratio is high and tree_levels exceeds typical values, it signals a large hash spread and fragmentation, leading to reduced scanner performance.
  22. Response to memory pressure. Under global watermark pressure, the memory management module MM may trigger an out-of-order run of ksmd, bypassing the sleep timer. This allows urgent page freeing through accelerated duplicate merging, delaying the activation of the Out-Of-Memory killer.

Comparisons

  • KSM vs Transparent Huge Pages THP. KSM scans anonymous memory pages to merge duplicates, whereas THP aims to combine them into large blocks to reduce TLB pressure. These mechanisms conflict: when duplicates are found, KSM destroys THP huge pages by breaking them into base blocks, negating the performance gains from using them. Enabling both technologies simultaneously requires careful analysis to avoid mutual degradation.
  • KSM vs zswap. KSM aims to increase data density by eliminating identical pages in memory without compressing them. Zswap, by contrast, compresses pages destined for swapping out to a slow swap device and stores the compressed image in RAM. The main difference is that KSM works with active, not yet evicted pages and requires explicit memory marking by the application, while zswap transparently intercepts the page stream at the swap subsystem boundary without affecting program logic.
  • KSM vs Auto-Ballooning. These are complementary memory management technologies in virtualized environments, not direct analogues. KSM operates at the hypervisor level, transparently eliminating duplicates between all guest machines without their knowledge. Auto-Ballooning works from inside the guest OS through a special driver that actively inflates itself to return unused memory to the host. Ballooning is a more intrusive method and should be activated under high memory consumption when KSM deduplication capabilities are exhausted.
  • KSM vs zswap based generic deduplication. Traditional KSM identifies duplicates by scanning page content in real RAM. The proposed deduplication mechanism inside zswap finds copies at the moment they are evicted from memory into the swap pool, using hash comparison. These are fundamentally different points in time for analysis: KSM reduces current RAM consumption, while zswap deduplication reduces data volume in the swap pool without directly affecting resident memory.
  • KSM vs standard zero page deduplication. The basic zswap implementation has built-in optimization for pages completely filled with zeros: such pages are not compressed but replaced by a single reference entry. KSM can also find and merge identical pages, including empty ones, but its scanner is not limited to zero content — it works on any identical data. Specialized zero-page handling is less CPU intensive than a full KSM scan cycle because it uses a simple value check instead of bytewise comparison.

OS and driver support

KSM is implemented at the Linux kernel level starting from version 2.6.32 and does not require special support from device drivers, as it works with virtual memory through its own mm/ksm.c subsystem. Activation occurs at kernel build time with CONFIG_KSM=y, after which the ksmd daemon scans pages marked by the application via the madvise(addr, length, MADV_MERGEABLE) system call, without directly interacting with device driver code. The ability to merge pages across different NUMA nodes is controlled by the merge_across_nodes parameter, allowing administration on multiprocessor systems without editing OS code.

Security

The main vulnerability of KSM lies in the existence of a covert timing channel, because an attacker can measure the time to write to their own page and determine whether it was previously deduplicated with another page via Copy-on-Write, leading to Cross-VM ASL Introspection attacks to bypass address space layout randomization ASLR. By its architecture, KSM does not isolate mutually untrusting tenants, since the mere existence of a shared page reveals the fact of data coincidence between different processes. Therefore, the standard recommendation for environments with high isolation requirements is to completely disable memory deduplication.

Logging

Statistics and state of KSM are available through the sysfs virtual file system in the /sys/kernel/mm/ksm/ directory, where the pages_shared, pages_sharing, and pages_volatile files are updated by the kernel in real time and show page merging efficiency. For detailed logging of the ksmtuned daemon which automatically adjusts KSM parameters, you can set the DEBUG=1 directive in the /etc/ksmtuned.conf file, after which records about scan cycles and decisions will begin to be stored in /var/log/ksmtuned.

Limitations

KSM scans only anonymous memory pages, completely ignoring pagecache file cache pages, which excludes its use for deduplicating library data and memory mapped files. A significant limitation is the increase in CPU load: the ksmd daemon consumes computational resources proportional to the scanned volume during bytewise page comparison, which is why in high load systems administrators often forcibly disable the daemon by writing 0 to /sys/kernel/mm/ksm/run.

History and development

Initially the technology was called Kernel Shared Memory and was introduced in kernel version 2.6.32 as a memory consolidation tool for the KVM hypervisor, allowing dozens of virtual machines with identical guest OSes to run on servers with small amounts of RAM. Early versions had a limitation on swapping out shared pages, but the code was later refined: shared pages can now be swapped out, but upon restoration the merging is temporarily broken and requires rediscovery by the ksmd daemon. Also in early stages, engineers fixed issues with binding copies to local NUMA nodes, as KSM and Transparent Hugepages procedures could break memory locality by moving pages to remote nodes and causing performance drops.

Latest publications