On Tue, 29 Mar 2016 17:12:55 +0100 Stefan Hajnoczi <stefa...@redhat.com> wrote:
> QEMU prints an error message and exits when the device enters an invalid
> state. Terminating the process is heavy-handed. The guest may still be
> able to function even if there is a bug in a virtio guest driver.
>
> Moreover, exiting is a bug in nested virtualization where a nested guest
> could DoS other nested guests by killing a pass-through virtio device.
> I don't think this configuration is possible today but it is likely in
> the future.
>
> If the broken flag is set, do not process virtqueues or write back used
> descriptors. The broken flag can be cleared again by resetting the
> device.
>
> Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
> ---
>  hw/virtio/virtio.c         | 39 +++++++++++++++++++++++++++++++++++++++
>  include/hw/virtio/virtio.h |  3 +++
>  2 files changed, 42 insertions(+)
>
> +void GCC_FMT_ATTR(2, 3) virtio_error(VirtIODevice *vdev, const char *fmt,
> +                                     ...)
> +{
> +    va_list ap;
> +
> +    va_start(ap, fmt);
> +    error_vreport(fmt, ap);
> +    va_end(ap);
> +
> +    vdev->broken = true;
> +
> +    if (virtio_vdev_has_feature(vdev, VIRTIO_F_VERSION_1)) {
> +        vdev->status |= VIRTIO_CONFIG_S_NEEDS_RESET;

virtio_set_status()?

> +        virtio_notify_config(vdev);
> +    }
> +}
> +
>  static void virtio_device_realize(DeviceState *dev, Error **errp)
>  {
>      VirtIODevice *vdev = VIRTIO_DEVICE(dev);
> diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
> index 2b5b248..1565e53 100644
> --- a/include/hw/virtio/virtio.h
> +++ b/include/hw/virtio/virtio.h
> @@ -87,6 +87,7 @@ struct VirtIODevice
>      VirtQueue *vq;
>      uint16_t device_id;
>      bool vm_running;
> +    bool broken; /* device in invalid state, needs reset */

I'm wondering whether there's a sane way to track the broken state via the
NEEDS_RESET status bit instead. We'd probably want to filter out this bit
and not expose it to legacy drivers; but as the status field is migrated
anyway, we might be able to avoid a subsection for migration.
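Review bot: in the VERSION_1 branch of virtio_error(), `vdev->status |= VIRTIO_CONFIG_S_NEEDS_RESET;` writes the status field directly instead of going through virtio_set_status(), so the device class's set_status hook never sees the transition; if the direct write is deliberate (to avoid re-entering the device while it is reporting its own error), a one-line comment saying so would settle the question raised inline. The legacy path also deserves a sentence in the commit message: `vdev->broken = true;` is set unconditionally, but a driver that did not negotiate VIRTIO_F_VERSION_1 is never given NEEDS_RESET and virtio_notify_config() is not called for it, so such a guest only observes the device going silent with no indication of why.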
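Review bot: `bool broken;` becomes per-device state in struct VirtIODevice, but nothing in the visible diff adds it to the device's migration state, so after migration the destination starts with broken == false and resumes virtqueue processing for a device the source had deliberately stopped; either add a vmstate subsection for the flag, or derive the broken state from the NEEDS_RESET status bit, which is already migrated, as the reply above proposes. The field comment `/* device in invalid state, needs reset */` could also state that only a device reset clears it, matching the commit message.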
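The alternative raised in the reply (tracking the broken state through the NEEDS_RESET status bit, hiding that bit from legacy drivers, and letting a device reset clear it) written out as an added C illustration. This is example code written for this page, not QEMU's implementation: the ToyVirtIODevice struct and the toy_* helpers are hypothetical names, and only the VIRTIO_CONFIG_S_NEEDS_RESET (0x40) and VIRTIO_F_VERSION_1 (bit 32) values are the virtio ones. It also shows the two properties the design needs to hold: a normal guest status write cannot clear the bit, and a broken device stops consuming descriptors without the process exiting.

```c
/* Added example, not QEMU code: model the suggestion of deriving the
 * "broken" state from VIRTIO_CONFIG_S_NEEDS_RESET instead of a separate
 * bool.  ToyVirtIODevice and the toy_* helpers are hypothetical names;
 * the two constants are the virtio spec values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VIRTIO_CONFIG_S_NEEDS_RESET 0x40  /* status bit, VIRTIO 1.0+ */
#define VIRTIO_F_VERSION_1          32    /* feature bit negotiated by modern drivers */

typedef struct {
    uint64_t guest_features;  /* bits the guest driver accepted */
    uint8_t  status;          /* device status register, already migrated */
    unsigned used_writes;     /* used-ring updates the device performed */
} ToyVirtIODevice;

static bool toy_has_feature(const ToyVirtIODevice *d, unsigned bit)
{
    return (d->guest_features >> bit) & 1;
}

/* The broken state is the status bit itself: no second field to migrate. */
static bool toy_is_broken(const ToyVirtIODevice *d)
{
    return (d->status & VIRTIO_CONFIG_S_NEEDS_RESET) != 0;
}

static void toy_mark_broken(ToyVirtIODevice *d, const char *msg)
{
    fprintf(stderr, "virtio error: %s\n", msg);
    d->status |= VIRTIO_CONFIG_S_NEEDS_RESET;
}

/* Status as read back by the guest: a legacy driver never negotiated
 * VERSION_1 and does not know the bit, so it is filtered out. */
static uint8_t toy_status_for_guest(const ToyVirtIODevice *d)
{
    if (toy_has_feature(d, VIRTIO_F_VERSION_1)) {
        return d->status;
    }
    return d->status & (uint8_t)~VIRTIO_CONFIG_S_NEEDS_RESET;
}

/* Guest write to the status register.  Writing 0 is a device reset and
 * clears everything, NEEDS_RESET included; any other write keeps the
 * device-owned bit so the driver cannot un-break the device by accident. */
static void toy_set_status_from_guest(ToyVirtIODevice *d, uint8_t val)
{
    if (val == 0) {
        d->status = 0;
        return;
    }
    d->status = val | (d->status & VIRTIO_CONFIG_S_NEEDS_RESET);
}

/* Virtqueue processing gate: a broken device neither pops descriptors nor
 * writes back used entries.  Returns true if a descriptor was consumed. */
static bool toy_process_queue(ToyVirtIODevice *d, int desc_idx, int ring_size)
{
    if (toy_is_broken(d)) {
        return false;
    }
    if (desc_idx < 0 || desc_idx >= ring_size) {
        /* the guest driver handed us garbage: stop, do not exit */
        toy_mark_broken(d, "descriptor index out of range");
        return false;
    }
    d->used_writes++;
    return true;
}

int main(void)
{
    ToyVirtIODevice modern = { .guest_features = 1ULL << VIRTIO_F_VERSION_1 };
    toy_process_queue(&modern, 3, 8);      /* valid descriptor */
    toy_process_queue(&modern, 9, 8);      /* out of range: device goes broken */
    printf("modern: broken=%d status=0x%02x used_writes=%u\n",
           toy_is_broken(&modern), toy_status_for_guest(&modern),
           modern.used_writes);
    toy_set_status_from_guest(&modern, 0); /* reset clears it */
    printf("after reset: broken=%d\n", toy_is_broken(&modern));
    return 0;
}
```

The point of the `toy_set_status_from_guest` rule is that once the bit doubles as the broken flag, the guest's ordinary status writes (ACKNOWLEDGE, DRIVER, DRIVER_OK) must not be able to clear it; only the reset path (a write of 0) may, which is exactly the "cleared again by resetting the device" semantics of the original flag.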