Date: Wed, 30 Sep 2015 23:40:16 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Avi Kivity <avi@scylladb.com>
Message-ID: <20150930204016.GA29975@redhat.com>
References: <20150930143927-mutt-send-email-mst@redhat.com>
 <560BCD2F.5060505@cloudius-systems.com>
 <20150930150115-mutt-send-email-mst@redhat.com>
 <560BD284.7040505@cloudius-systems.com>
 <20150930151632-mutt-send-email-mst@redhat.com>
 <560BDE24.8000308@scylladb.com>
 <20150930165359-mutt-send-email-mst@redhat.com>
 <560BF782.4070308@scylladb.com>
 <20150930175848-mutt-send-email-mst@redhat.com>
 <560C0171.7080507@scylladb.com>
In-Reply-To: <560C0171.7080507@scylladb.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] Having troubles binding an SR-IOV VF to
 uio_pci_generic on Amazon instance

On Wed, Sep 30, 2015 at 06:36:17PM +0300, Avi Kivity wrote:
> As it happens, you're removing the functionality from the users who have no
> other option.  They can't use vfio because it doesn't work on virtualized
> setups.

...

> Root can already do anything.

I think there's a contradiction between the two claims above.

>  So what security issue is there?

A buggy userspace can and will corrupt kernel memory.

...

> And for what, to prevent
> root from touching memory via dma that they can access in a million other
> ways?

So one can be reasonably sure a kernel oops is not a result of a
userspace bug.

-- 
MST
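The containment difference the reply turns on (vfio-pci behind an IOMMU versus uio_pci_generic with nothing between the device's DMA and kernel memory), as an added sysfs audit script that is not part of this thread or of DPDK. It assumes the standard sysfs layout under the given root (normally /sys) and that /sys/class/iommu is empty when no IOMMU driver is active, as in a guest with no virtual IOMMU; the names dma_isolation_check and scan_pci_dma_isolation are the example's own.

```shell
#!/bin/sh
# Audit how each PCI device's DMA is contained, by reading sysfs.
# Added example for this thread, not code from the list or from DPDK.
# Assumptions: standard sysfs layout under the given root (normally /sys):
#   <root>/bus/pci/devices/<bdf>/driver -> .../bus/pci/drivers/<name>
#   <root>/class/iommu/* is populated only when an IOMMU driver is active
#   (a guest with no virtual IOMMU has an empty /sys/class/iommu).

# Print one classification word for a device; return 0 only when its
# DMA is IOMMU-contained (vfio-pci bound and a real IOMMU present).
dma_isolation_check() {
    root="$1"; bdf="$2"
    dev="$root/bus/pci/devices/$bdf"
    driver=""
    [ -L "$dev/driver" ] && driver=$(basename "$(readlink "$dev/driver")")
    iommu_present=0
    [ -n "$(ls -A "$root/class/iommu" 2>/dev/null)" ] && iommu_present=1
    case "$driver" in
        vfio-pci)
            if [ "$iommu_present" -eq 1 ]; then
                echo "isolated"; return 0   # device faults stay inside its IOMMU domain
            fi
            echo "vfio-noiommu"; return 1   # vfio without an IOMMU gives no containment
            ;;
        uio_pci_generic|igb_uio|uio_*)
            # userspace drives the device with no IOMMU in the path: a bad
            # DMA descriptor can overwrite arbitrary kernel memory
            echo "unisolated-userspace-dma"; return 1 ;;
        "")
            echo "unbound"; return 2 ;;
        *)
            echo "kernel-driver:$driver"; return 2 ;;
    esac
}

# Print "<bdf> <classification>" for every PCI device under the root.
scan_pci_dma_isolation() {
    root="$1"
    for dev in "$root"/bus/pci/devices/*; do
        [ -d "$dev" ] || continue
        bdf=$(basename "$dev")
        printf '%s %s\n' "$bdf" "$(dma_isolation_check "$root" "$bdf")"
    done
}

# On a live host: sh this_script.sh /sys
if [ $# -gt 0 ]; then scan_pci_dma_isolation "$1"; fi
```

Any line reading unisolated-userspace-dma is a device whose DMA errors will surface as kernel oopses that cannot be told apart from kernel bugs, which is the point the reply makes.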