lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87vcfqfia1.fsf@rustcorp.com.au>
Date:	Fri, 07 Sep 2012 16:09:50 +0930
From:	Rusty Russell <rusty@...tcorp.com.au>
To:	"Michael S. Tsirkin" <mst@...hat.com>
Cc:	Paolo Bonzini <pbonzini@...hat.com>, fes@...gle.com,
	aarcange@...hat.com, riel@...hat.com, kvm@...r.kernel.org,
	linux-kernel@...r.kernel.org, mikew@...gle.com, yinghan@...gle.com,
	virtualization@...ts.linux-foundation.org, yvugenfi@...hat.com,
	vrozenfe@...hat.com
Subject: Re: [PATCH] virtio-balloon spec: provide a version of the "silent deflate" feature that works

"Michael S. Tsirkin" <mst@...hat.com> writes:

> On Fri, Sep 07, 2012 at 09:15:46AM +0930, Rusty Russell wrote:
>> Paolo Bonzini <pbonzini@...hat.com> writes:
>> > Instead, VIRTIO_NET_F_HOST_MUST_SEND_GARP would be a "negative" feature:
>> > if set, the host _may not_ rely on the guest to send a gARP.  Similarly
>> > if VIRTIO_BALLOON_F_MUST_TELL_HOST is set, the guest _may not_ use
>> > ballooned pages directly.
>> >
>> > There are _no_ other negative features besides
>> > VIRTIO_BALLOON_F_MUST_TELL_HOST in the spec, and for a good
>> > reason---because they're broken.
>> >
>> > (Hmm, actually we have one, VIRTIO_BLK_F_RO.  It is also a bit broken,
>> > but it is not so important because it depends on user input more than
>> > hypervisor version).
>> 
>> Yes, this is the key observation, and an important lesson for the
>> future.  Thanks!
>> Note that these two negative features were in the original spec, where
>> it's assumed that every device supports them.  That's not explicitly
>> documented, however.
>
> I'm curious what would we do for the future? I tried to imagine that _RO
> was not in the original spec, so virtio-blk expects a r/w device.
> Now we can not add _RW - old hypervisors do not set it, and old
> drivers do not ack it.
> What would a new flag with equivalent functionality be?

Backwards compatibility in the R/O case would actually work: just fail
writes.  Because it's just friendly advice to the OS, really.

The final test is always: does it break users?  If there are no users
who will notice, we can do anything.  If there are users, we have to
keep backwards compatibility, and that implies we can't add "must know"
features.

> So it looks like a bug: we should teach driver to tell host first on leak?
> Yan, Vadim, can you comment please?
>
> Also if true, looks like this bit will be useful to detect a fixed driver on
> the hypervisor side - to avoid unmapping such pages? Rusty what do you
> think?

So, feature is unimplemented in qemu, and broken in drivers.  I starting
to share Paolo's dislike of it.

Don't understand why we'd care about fixed drivers though, if we remove
the feature bit....

Cheers,
Rusty.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ