[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f1eafe1f-71ab-9875-af3f-bf0217bbcb35@citrix.com>
Date: Thu, 1 Nov 2018 14:23:47 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Jan Beulich <jbeulich@...e.com>, Juergen Gross <jgross@...e.com>
CC: <xen-devel@...ts.xenproject.org>, <boris.ostrovsky@...cle.com>,
<sstabellini@...nel.org>, <linux-kernel@...r.kernel.org>,
<stable@...r.kernel.org>
Subject: Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf mapping
interface
On 01/11/18 14:18, Jan Beulich wrote:
>>>> Juergen Gross <jgross@...e.com> 11/01/18 1:34 PM >>>
>> Currently the size of hypercall buffers allocated via
>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live
>> migration of guests this might be too small as the page dirty bitmask
>> needs to be sized according to the size of the guest. This means
>> migrating a 8GB sized guest is already exhausting the default buffer
>> size for the dirty bitmap.
>>
>> There is no sensible way to set a sane limit, so just remove it
>> completely. The device node's usage is limited to root anyway, so there
>> is no additional DOS scenario added by allowing unlimited buffers.
> But is this setting of permissions what we want long term? What about a
> de-privileged qemu, which still needs to be able to issue at least dm-op
> hypercalls?
dm-op very deliberately doesn't have hypercall bounce buffers like this.
The kernel is responsible for ensuring that the buffer list passed in
the ioctl is safe memory, whether this is bouncing the buffers itself,
or simply ensuring that the underlying userspace memory won't disappear
across the hypercall.
~Andrew
Powered by blists - more mailing lists