[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ioreq: don't (deliberately) crash Dom0

On 01.02.2021 16:37, Andrew Cooper wrote:
> On 01/02/2021 15:22, Jan Beulich wrote:
>> We consider this error path of hvm_alloc_ioreq_mfn() to not be possible
>> to be taken, or otherwise to indicate abuse or a bug somewhere. If there
>> is abuse of some kind, crashing Dom0 here would mean a system-wide DoS.
>> Only crash the emulator domain if it's not the (global) control domain;
>> crash only the guest being serviced otherwise.
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> Honestly, I'm -1 towards this.
> Asymmetrically shooting things which aren't dom0 only complicates
> investigations, and doesn't remove the fact that this is an XSA.
> I do not subscribe to the opinion that keeping dom0 running at all
> possible costs is the best thing thing for the system.
> In this particular case, the theoretical cases where it can go wrong
> might not be the fault of either domain.

I agree with "might", but I don't think we should consider buggy
Xen as the first option for what errors mean. As said on another
related thread, failure here could come from the page having got
freed very quickly (by guessing its MFN). If could be guest,
emulator, or yet some other domain's misbehavior. In none of
these cases I consider it appropriate to kill Dom0. The guest
not starting (or crashing, if this is dynamic insertion of an
ioreq server) is a clear enough sign that there's an issue that
needs looking into. No need to also penalize all other domains
running on that host.




Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.