Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp1005749imd;
        Thu, 1 Nov 2018 08:51:03 -0700 (PDT)
X-Google-Smtp-Source: AJdET5eqS3D1wncW34foCwSDgkPqkBUAKTWeZ4JEq1daM+3b/5qRauBUcN6SgxNrsXtprje3vP/m
X-Received: by 2002:a63:2507:: with SMTP id l7mr7342587pgl.22.1541087463687;
        Thu, 01 Nov 2018 08:51:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1541087463; cv=none;
        d=google.com; s=arc-20160816;
        b=yB5l+Wd0j4NyNzdt9oOBMTT5UVh/OK2gspQPHGfl/K4LaHBNUhSkOmlAz/z1XRek1W
         +fmcyVVqj6P7+sntiPM+Knj9aaEV5vy2LneGpX/B6tk+pHR+2F5nPVQpETLfPc8gUCdp
         PFxaNfXPeFVtrYTlJLhpkaQ0CyH240mcffZJXZqcv9HgaAWOUX12jP/kXgTKke0POVHM
         2L2Gq0+VUtUQTz3Ss5uPRco5DUxIOrxT9Smnz5uxP2eYu/gkqFF4Ed3AE6efapIreSMO
         rDF9DzoYYEKmpR+68yukWb+SbjOctfSN68RP+MyoS3aX+WkeKMvmOaHk7HkUN3wyabox
         fqsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-disposition
         :content-transfer-encoding:mime-version:in-reply-to:references
         :subject:cc:to:from:date:message-id;
        bh=PNmvigmJq5FbyjGPFGPLMkjqurHsbaV0osyRBqALN7w=;
        b=AOxDbllfKv++f2QJa4pvy4nwa2ux/wDJKTjxwlMx7KVd47RmGQ9DTE3J64MWyxhbRN
         CmgEPl0Qw6+bQw42uiUH13sNhJA0VcLEdM857G/gbholGrwv6TXbEqTpFy4aBAiptitu
         jUc1zFEfrFR9JyZMYRZ/rb8aYlM5/48lOy6RI3hFIux/9sLGqmgx4VXiPiQPYNxb8r89
         JQRKHvyFYpFrDCKOlHKsXiumgJoCjey1wSXnW6+YMvtAQjADTsmDigzZv9xX4IS4bagb
         szPwz6F2sgNQ0FPvji6iGT0nX3kPgZjA3sPNwu+3865N7oKPof/+WDBoWlsetvzI0GA9
         Gc3w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q10-v6si30738129pgk.392.2018.11.01.08.50.48;
        Thu, 01 Nov 2018 08:51:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729046AbeKBAxh convert rfc822-to-8bit (ORCPT
        <rfc822;charleyewang@gmail.com> + 99 others);
        Thu, 1 Nov 2018 20:53:37 -0400
Received: from prv1-mh.provo.novell.com ([137.65.248.33]:45995 "EHLO
        prv1-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727950AbeKBAxg (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:5:1>);
        Thu, 1 Nov 2018 20:53:36 -0400
Received: from INET-PRV1-MTA by prv1-mh.provo.novell.com
        with Novell_GroupWise; Thu, 01 Nov 2018 09:50:05 -0600
Message-Id: <5BDB20AB020000780014251B@prv1-mh.provo.novell.com>
X-Mailer: Novell GroupWise Internet Agent 18.0.2 
Date:   Thu, 01 Nov 2018 09:50:03 -0600
From:   "Jan Beulich" <jbeulich@suse.com>
To:     "Juergen Gross" <jgross@suse.com>
Cc:     <sstabellini@kernel.org>, <xen-devel@lists.xenproject.org>,
        <boris.ostrovsky@oracle.com>, <linux-kernel@vger.kernel.org>,
        <stable@vger.kernel.org>
Subject: Re: [Xen-devel] [PATCH] xen: remove size limit of privcmd-buf
 mapping interface
References: <20181101123307.8424-1-jgross@suse.com>
 <5BDB0B240200007800142507@prv1-mh.provo.novell.com>
 <b64f7fa4-a553-bcb4-6051-c91080642b8e@suse.com>
In-Reply-To: <b64f7fa4-a553-bcb4-6051-c91080642b8e@suse.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8BIT
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

>>> Juergen Gross <jgross@suse.com> 11/01/18 3:23 PM >>>
>On 01/11/2018 15:18, Jan Beulich wrote:
>>>>> Juergen Gross <jgross@suse.com> 11/01/18 1:34 PM >>>
>>> Currently the size of hypercall buffers allocated via
>>> /dev/xen/hypercall is limited to a default of 64 memory pages. For live
>>> migration of guests this might be too small as the page dirty bitmask
>>> needs to be sized according to the size of the guest. This means
>>> migrating a 8GB sized guest is already exhausting the default buffer
>>> size for the dirty bitmap.
>>>
>>> There is no sensible way to set a sane limit, so just remove it
>>> completely. The device node's usage is limited to root anyway, so there
>>> is no additional DOS scenario added by allowing unlimited buffers.
>> 
>> But is this setting of permissions what we want long term? What about a
>> de-privileged qemu, which still needs to be able to issue at least dm-op
>> hypercalls?
>
>Wouldn't that qemu have opened the node while still being privileged?

Possibly, but how does this help? As soon as it's unprivileged it must not
be able to hog resources anymore.

Anyway, with Andrew's reply my point may be irrelevant, but I have to
admit I'm not entirely sure.

Jan