[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction

To: Juergen Gross <jgross@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Julien Grall <julien@xxxxxxx>
Date: Mon, 20 Feb 2023 12:07:12 +0000
Cc: Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
Delivery-date: Mon, 20 Feb 2023 12:07:29 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Juergen,

On 20/02/2023 11:04, Juergen Gross wrote:

On 20.02.23 10:46, Julien Grall wrote:

Hi Juergen,

On 20/01/2023 10:00, Juergen Gross wrote:

The accounting for the number of nodes of a domain in an active
transaction is not working correctly, as it allows to create arbitrary
number of nodes. The transaction will finally fail due to exceeding
the number of nodes quota, but before closing the transaction an
unprivileged guest could cause Xenstore to use a lot of memory.

I know I said I would delay my decision on this patch. However, I wasstill expecting the commit message to be updated based on our previousdiscussion.


As said before, I was waiting on the settlement of our discussion before
doing the update.

This is not a very good practice to resend a patch without recording thedisagreement because new reviewers may not be aware of the disagreementand this could end up to be committed by mistake...

Also thinking more about it, "The transaction will finally fail due toexceeding the number of nodes quota" may not be true for a couple ofreasons:
   1) The transaction may removed a node afterwards.
Yes, and? Just because it is a transaction, this is still a violation of
the quota. Even outside a transaction you could use the same reasoning,
but you don't (which is correct, of course).

I can understand your point. However, to me, the goal of the transactionis to commit everything in one go at the end. So the violations in themiddle should not matter.

Furthermore, I would expect a transaction to work on a snapshot of thesystem. So it feels really strange to me that we are constantly checkingthe quota with the updated values rather than the initial one.


In case you never finish the transaction, you are owner of more than
allowed nodes.

How so? The nodes would not be committed so you don't really own them.
We also have quotas to limit the number of nodes accessed in a transaction.

   2) A node may have been removed outside of the transaction.


If the removed node hasn't been touched by the transaction, it will be
accounted for correctly.

It depends on when the node was removed. If it is removed *after* thequota was hit then your transaction will fail.

 If it has been touched, the transaction will
fail anyway.

So the transaction will fail to commit because there is a conflict. Sothe client is expected to retry it. We should not expected the client toretry for error like quota.


So the overall behavior is changed.

In both situation, the transaction will still be committed. This willnow be prevented by this patch.
As said above, only in the first case.


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction
  - From: Juergen Gross

References:
- Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction
  - From: Julien Grall
- Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction
  - From: Juergen Gross

Prev by Date: [PATCH 1/3] x86/traps: Move do_general_protection() earlier
Next by Date: Re: [PATCH v2 03/13] tools/xenstore: introduce accounting data array for per-domain values
Previous by thread: Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction
Next by thread: Re: [PATCH v2 01/13] tools/xenstore: don't allow creating too many nodes in a transaction
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.