From: "Jan Beulich" <JBeulich@suse.com>
To: "Juergen Gross" <jgross@suse.com>
Cc: "Stefano Stabellini" <sstabellini@kernel.org>,
"xen-devel" <xen-devel@lists.xenproject.org>,
"Boris Ostrovsky" <boris.ostrovsky@oracle.com>,
<linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>
Subject: Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf mapping interface
Date: Fri, 02 Nov 2018 01:26:12 -0600 [thread overview]
Message-ID: <5BDBFC1402000078001F7101@prv1-mh.provo.novell.com> (raw)
In-Reply-To: <12dd8625-2cad-f156-8bae-487e909af412@suse.com>
>>> On 01.11.18 at 17:27, <jgross@suse.com> wrote:
> On 01/11/2018 16:50, Jan Beulich wrote:
>>>>> Juergen Gross <jgross@suse.com> 11/01/18 3:23 PM >>>
>>> On 01/11/2018 15:18, Jan Beulich wrote:
>>>>>>> Juergen Gross <jgross@suse.com> 11/01/18 1:34 PM >>>
>>>>> Currently the size of hypercall buffers allocated via
>>>>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live
>>>>> migration of guests this might be too small as the page dirty bitmask
>>>>> needs to be sized according to the size of the guest. This means
>>>>> migrating a 8GB sized guest is already exhausting the default buffer
>>>>> size for the dirty bitmap.
>>>>>
>>>>> There is no sensible way to set a sane limit, so just remove it
>>>>> completely. The device node's usage is limited to root anyway, so there
>>>>> is no additional DOS scenario added by allowing unlimited buffers.
>>>>
>>>> But is this setting of permissions what we want long term? What about a
>>>> de-privileged qemu, which still needs to be able to issue at least dm-op
>>>> hypercalls?
>>>
>>> Wouldn't that qemu have opened the node while still being privileged?
>>
>> Possibly, but how does this help? As soon as it's unprivileged it must not
>> be able to hog resources anymore.
>>
>> Anyway, with Andrew's reply my point may be irrelevant, but I have to
>> admit I'm not entirely sure.
>
> I guess we want Xen tools to close /dev/xen/hypercall (or more precise:
> don't dup2() it) when qemu is de-privileging itself. This will make it
> very clear that it can't hog memory via mmap().
>
> When you are fine with that I'll send a Xen patch for this.
If that doesn't prevent the process from making the hypercalls it
is permitted to do (I have to admit I don't recall if there are any
still needed besides the dmop ones), sure.
Jan
next prev parent reply other threads:[~2018-11-02 7:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-01 12:33 [PATCH] xen: remove size limit of privcmd-buf mapping interface Juergen Gross
2018-11-01 14:18 ` [Xen-devel] " Jan Beulich
2018-11-01 14:23 ` Juergen Gross
2018-11-01 15:50 ` Jan Beulich
[not found] ` <5BDB20AB020000780014251B@suse.com>
2018-11-01 16:27 ` Juergen Gross
2018-11-02 7:26 ` Jan Beulich [this message]
2018-11-01 14:23 ` Andrew Cooper
2018-11-09 7:03 ` Juergen Gross
2018-11-09 14:23 ` Boris Ostrovsky
2018-11-02 9:53 [Xen-devel] " Juergen Gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5BDBFC1402000078001F7101@prv1-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=boris.ostrovsky@oracle.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sstabellini@kernel.org \
--cc=stable@vger.kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).