On Thu, Jun 21, 2012 at 07:55:58AM -0500, Anthony Liguori wrote:
> On 06/21/2012 02:33 AM, Michael S. Tsirkin wrote:
> >On Thu, Jun 21, 2012 at 08:02:06AM +1000, Benjamin Herrenschmidt wrote:
> >>On Wed, 2012-06-20 at 16:40 -0500, Anthony Liguori wrote:
> >>
> >>>Well let's return void in the DMA methods and let the IOMMUs assert on
> >>>error.
> >>>At least that will avoid surprises until someone decides they care enough
> >>>about
> >>>errors to touch all callers.
> >>>
> >>>I think silently failing a memcpy() can potentially lead to a
> >>>vulnerability so
> >>>I'd rather avoid that.
> >>
> >>No I'd rather keep the error returns, really, even if that means fixing
> >>a few devices. I can look at making sure we don't pass random qemu data,
> >>on error that's reasonably easy.
> >>
> >>assert on error means guest code can assert qemu ... not a great idea
> >>but maybe we can add a warning.
> >
> >Why not? Guest can always just halt if it wants to anyway.
> >On the other hand, warnings can fill up host logs so
> >represent a security problem.
>
> As long as we scrub the buffers, returning an unhandled error seems okay to
> me.
>
> I've long thought we should have some sort of generic way to throw
> an error and effectively pause a single device. I'm not sure how it
> would work in practice though.
>
> Regards,
>
> Anthony Liguori
I think we should add an API to log a message and pause the VM.
Later admin can resume the VM, save it to file for debugging etc.

-- 
MST
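The point Ben and Anthony agree on above (keep the error return, but scrub the buffer so a device that ignores the error never hands stale host memory to the guest) is easy to show in isolation. The following is an added example written for this page, not QEMU code from the thread: `iommu_translate`, `guest_ram` and the two `dma_read_*` variants are hypothetical stand-ins, and the guest memory contents are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "guest RAM" standing in for the guest's physical memory. */
#define GUEST_RAM_SIZE 64
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Hypothetical IOMMU translation: anything outside guest RAM is unmapped.
 * Returns false on a translation fault instead of asserting, so a guest
 * programming a bad DMA address cannot take the whole emulator down. */
static bool iommu_translate(uint64_t addr, size_t len, uint8_t **host)
{
    if (addr >= GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr) {
        return false;
    }
    *host = guest_ram + addr;
    return true;
}

/* Problematic variant: on a translation fault the caller's buffer is left
 * exactly as it was. A device model that ignores the -1 will go on to
 * expose whatever the allocation previously held (the "random qemu data"
 * the thread is worried about). */
int dma_read_unscrubbed(uint64_t addr, void *buf, size_t len)
{
    uint8_t *host;
    if (!iommu_translate(addr, len, &host)) {
        return -1;
    }
    memcpy(buf, host, len);
    return 0;
}

/* Scrubbed variant: still reports the error, but zero-fills the buffer
 * first, so an ignored return value degrades to "guest reads zeros"
 * rather than "guest reads host memory". */
int dma_read_scrubbed(uint64_t addr, void *buf, size_t len)
{
    uint8_t *host;
    if (!iommu_translate(addr, len, &host)) {
        memset(buf, 0, len);
        return -1;
    }
    memcpy(buf, host, len);
    return 0;
}

/* Fill guest RAM with a recognisable pattern (constructed test data). */
void init_guest_ram(void)
{
    for (size_t i = 0; i < GUEST_RAM_SIZE; i++) {
        guest_ram[i] = (uint8_t)i;
    }
}

/* Simulate a device that issues a DMA read to an unmapped address and
 * ignores the result. The buffer is pre-filled with 0xAA to represent
 * stale contents of the host allocation. Returns how many of those stale
 * bytes would now be visible to the guest. */
size_t stale_bytes_after_failed_read(bool scrub)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);
    uint64_t bad_addr = GUEST_RAM_SIZE + 100;   /* unmapped on purpose */
    if (scrub) {
        (void)dma_read_scrubbed(bad_addr, buf, sizeof buf);
    } else {
        (void)dma_read_unscrubbed(bad_addr, buf, sizeof buf);
    }
    size_t stale = 0;
    for (size_t i = 0; i < sizeof buf; i++) {
        stale += (buf[i] == 0xAA);
    }
    return stale;
}

/* Successful path for comparison: read one byte at a mapped address.
 * Returns the byte, or -1 on a translation fault. */
int read_byte_via_dma(uint64_t addr)
{
    uint8_t b;
    if (dma_read_scrubbed(addr, &b, 1) < 0) {
        return -1;
    }
    return b;
}

int main(void)
{
    init_guest_ram();
    printf("unscrubbed: %zu stale bytes exposed\n",
           stale_bytes_after_failed_read(false));
    printf("scrubbed:   %zu stale bytes exposed\n",
           stale_bytes_after_failed_read(true));
    printf("byte at 4 via DMA: %d\n", read_byte_via_dma(4));
    return 0;
}
```

The scrubbed variant keeps both halves of the thread's compromise: callers that check the return value still see the fault, and callers that do not are reduced to a correctness bug rather than an information leak.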