From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <jbeulich@suse.com>, Juergen Gross <jgross@suse.com>
Cc: <xen-devel@lists.xenproject.org>, <boris.ostrovsky@oracle.com>,
<sstabellini@kernel.org>, <linux-kernel@vger.kernel.org>,
<stable@vger.kernel.org>
Subject: Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf mapping interface
Date: Thu, 1 Nov 2018 14:23:47 +0000 [thread overview]
Message-ID: <f1eafe1f-71ab-9875-af3f-bf0217bbcb35@citrix.com> (raw)
In-Reply-To: <5BDB0B240200007800142507@prv1-mh.provo.novell.com>
On 01/11/18 14:18, Jan Beulich wrote:
>>>> Juergen Gross <jgross@suse.com> 11/01/18 1:34 PM >>>
>> Currently the size of hypercall buffers allocated via
>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live
>> migration of guests this might be too small as the page dirty bitmask
>> needs to be sized according to the size of the guest. This means
>> migrating a 8GB sized guest is already exhausting the default buffer
>> size for the dirty bitmap.
>>
>> There is no sensible way to set a sane limit, so just remove it
>> completely. The device node's usage is limited to root anyway, so there
>> is no additional DOS scenario added by allowing unlimited buffers.
> But is this setting of permissions what we want long term? What about a
> de-privileged qemu, which still needs to be able to issue at least dm-op
> hypercalls?
dm-op very deliberately doesn't have hypercall bounce buffers like this.
The kernel is responsible for ensuring that the buffer list passed in
the ioctl is safe memory, whether this is bouncing the buffers itself,
or simply ensuring that the underlying userspace memory won't disappear
across the hypercall.
~Andrew
next prev parent reply other threads:[~2018-11-01 14:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-01 12:33 [PATCH] xen: remove size limit of privcmd-buf mapping interface Juergen Gross
2018-11-01 14:18 ` [Xen-devel] " Jan Beulich
2018-11-01 14:23 ` Juergen Gross
2018-11-01 15:50 ` Jan Beulich
[not found] ` <5BDB20AB020000780014251B@suse.com>
2018-11-01 16:27 ` Juergen Gross
2018-11-02 7:26 ` Jan Beulich
2018-11-01 14:23 ` Andrew Cooper [this message]
2018-11-09 7:03 ` Juergen Gross
2018-11-09 14:23 ` Boris Ostrovsky
2018-11-02 9:53 [Xen-devel] " Juergen Gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1eafe1f-71ab-9875-af3f-bf0217bbcb35@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sstabellini@kernel.org \
--cc=stable@vger.kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).