Rusty Russell <ru...@rustcorp.com.au> writes:

> Markus Armbruster <arm...@redhat.com> writes:
>> Rusty Russell <ru...@rustcorp.com.au> writes:
>>> The litmus test: does *your* guest handle failures other than by giving
>>> up on the device? If so, sure, you need to have a sane error-reporting
>>> strategy.
>>
>> Err, isn't this a circular argument? No need for QEMU to report the
>> failure, because the guest won't handle it; no need to handle the
>> failure, because QEMU won't report it.
>>
>> What about this: would you make your guest handle failures if they were
>> reported?
>
> Perhaps I was unclear, that's what I meant.
>
>>>> The main reason I'm considering this stuff is for security reasons if
>>>> the guest asks for something really illegal or crazy what should the
>>>> expected behaviour of the host be? (at least secure I know that).
>>>
>>> If the guest userspace can do it, don't exit. If the kernel only, and
>>> it should have known better, abort is OK.
>>>
>>> Sure that doesn't help much!
>>
>> Immediate exit() or abort() denies the guest the ability to degrade
>> service gracefully (disable the device, cry for help and try to hobble
>> on), or report its brokenness ungracefully (kernel panic, crash dump).
>> I doubt denying that is okay unless the device is so important that
>> without it you can't even hope to panic.
>
> Oh yes, I completely agree with you! But QEMU practice doesn't :)
Ah, then we're in violent agreement :) Time to cease the practice. Will be hard as long as the code is chock-full of bad examples.
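As an added illustration of the two host-side policies argued about above (example code written for this page, not QEMU's own device code): a hypothetical toy device model with a 16-byte ring receives an index/length request from the guest. One handler treats an impossible request as a host bug and calls abort(), taking the whole VM with it; the other validates, records the reason, marks the device broken and returns to the guest, which can then reset and retry. The device, request layout, status flag and guest driver are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE 16u

enum dev_status { DEV_OK = 0, DEV_BROKEN = 1 };

/* Hypothetical toy device model; not a real QEMU device. */
struct toy_dev {
    uint8_t ring[RING_SIZE];
    enum dev_status status;   /* sticky flag the guest can read back */
    unsigned error_count;     /* bad requests seen since creation */
    char last_error[64];      /* text for the host-side log */
};

/* Guest-controlled request. In a real model both fields come from guest
 * memory, so neither can be trusted. */
struct toy_req {
    uint32_t index;
    uint32_t len;
};

int toy_req_valid(const struct toy_req *req) {
    /* index is checked first so the subtraction cannot wrap */
    return req->index < RING_SIZE && req->len <= RING_SIZE - req->index;
}

/* The practice the thread objects to: guest garbage is treated as a host
 * bug. abort() takes the whole VM down, so the guest can neither disable
 * the device, limp along, nor panic with a crash dump. */
int toy_handle_req_abort(struct toy_dev *dev, const struct toy_req *req,
                         uint8_t *out) {
    if (!toy_req_valid(req)) {
        fprintf(stderr, "toy: impossible request idx=%u len=%u\n",
                req->index, req->len);
        abort();
    }
    memcpy(out, &dev->ring[req->index], req->len);
    return 0;
}

/* The alternative: refuse the request, record why, mark the device broken
 * and return to the guest. Further requests fail fast until a reset. */
int toy_handle_req_report(struct toy_dev *dev, const struct toy_req *req,
                          uint8_t *out) {
    if (dev->status == DEV_BROKEN) {
        return -1;
    }
    if (!toy_req_valid(req)) {
        snprintf(dev->last_error, sizeof dev->last_error,
                 "impossible request idx=%u len=%u", req->index, req->len);
        dev->error_count++;
        dev->status = DEV_BROKEN;
        return -1;
    }
    memcpy(out, &dev->ring[req->index], req->len);
    return 0;
}

/* Guest-initiated reset: clears the broken flag, keeps diagnostics. */
void toy_dev_reset(struct toy_dev *dev) {
    dev->status = DEV_OK;
}

/* The "litmus test" side: a guest driver that does something other than
 * give up. On failure it resets the device once and retries with a
 * request it knows fits; -1 only if that fails too. */
int guest_driver_read(struct toy_dev *dev, uint32_t idx, uint32_t len,
                      uint8_t *out) {
    struct toy_req req = { idx, len };
    if (toy_handle_req_report(dev, &req, out) == 0) {
        return 0;
    }
    if (dev->status != DEV_BROKEN) {
        return -1;
    }
    toy_dev_reset(dev);
    struct toy_req retry = { 0, 1 };      /* always satisfiable */
    return toy_handle_req_report(dev, &retry, out);
}

int main(void) {
    struct toy_dev dev;
    memset(&dev, 0, sizeof dev);
    for (unsigned i = 0; i < RING_SIZE; i++) {
        dev.ring[i] = (uint8_t)(0xA0 + i);   /* constructed ring contents */
    }
    uint8_t buf[RING_SIZE] = { 0 };
    /* constructed bad request: index far past the end of the ring */
    int rc = guest_driver_read(&dev, 40, 4, buf);
    printf("rc=%d status=%d errors=%u last=\"%s\" buf[0]=0x%02x\n",
           rc, dev.status, dev.error_count, dev.last_error, buf[0]);
    return rc == 0 ? 0 : 1;
}
```

The reporting path keeps the host's diagnostic (last_error, error_count) while leaving the guest its choices: read the status, reset, retry, or give up on the device. The abort path is only ever defensible when the request could not have come from anything but a broken guest kernel, which is the distinction the thread draws between guest userspace and kernel-only requests.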