|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH] ioreq: don't (deliberately) crash Dom0
On 01.02.2021 16:37, Andrew Cooper wrote: > On 01/02/2021 15:22, Jan Beulich wrote: >> We consider this error path of hvm_alloc_ioreq_mfn() to not be possible >> to be taken, or otherwise to indicate abuse or a bug somewhere. If there >> is abuse of some kind, crashing Dom0 here would mean a system-wide DoS. >> Only crash the emulator domain if it's not the (global) control domain; >> crash only the guest being serviced otherwise. >> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> > > Honestly, I'm -1 towards this. > > Asymmetrically shooting things which aren't dom0 only complicates > investigations, and doesn't remove the fact that this is an XSA. > > I do not subscribe to the opinion that keeping dom0 running at all > possible costs is the best thing thing for the system. > > In this particular case, the theoretical cases where it can go wrong > might not be the fault of either domain. I agree with "might", but I don't think we should consider buggy Xen as the first option for what errors mean. As said on another related thread, failure here could come from the page having got freed very quickly (by guessing its MFN). If could be guest, emulator, or yet some other domain's misbehavior. In none of these cases I consider it appropriate to kill Dom0. The guest not starting (or crashing, if this is dynamic insertion of an ioreq server) is a clear enough sign that there's an issue that needs looking into. No need to also penalize all other domains running on that host. Jan
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |