From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51291)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rusty@ozlabs.org>) id 1WQUNj-0004aj-PP
	for qemu-devel@nongnu.org; Thu, 20 Mar 2014 00:15:10 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rusty@ozlabs.org>) id 1WQUNe-0005RX-PN
	for qemu-devel@nongnu.org; Thu, 20 Mar 2014 00:15:03 -0400
Received: from ozlabs.org ([203.10.76.45]:44509)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rusty@ozlabs.org>) id 1WQUNe-0005QH-EQ
	for qemu-devel@nongnu.org; Thu, 20 Mar 2014 00:14:58 -0400
From: Rusty Russell <rusty@rustcorp.com.au>
In-Reply-To: <87vbva6200.fsf@blackfin.pond.sub.org>
References: <CAPM=9twJX3F+as1TuoerW1Yt-b0xw8YEf1YHa0B+MLMJBd0i_w@mail.gmail.com>
	<87lhw7rppw.fsf@rustcorp.com.au>
	<87vbva6200.fsf@blackfin.pond.sub.org>
Date: Thu, 20 Mar 2014 14:10:50 +1030
Message-ID: <87fvmdr0zh.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [Qemu-devel] virtio device error reporting best practice?
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>
Cc: Dave Airlie <airlied@gmail.com>, "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

Markus Armbruster <armbru@redhat.com> writes:
> Rusty Russell <rusty@rustcorp.com.au> writes:
>> The litmus test: does *your* guest handle failures other than by giving
>> up on the device?  If so, sure, you need to have a sane error-reporting
>> strategy.
>
> Err, isn't this a circular argument?  No need for QEMU to report the
> failure, because the guest won't handle it; no need to handle the
> failure, because QEMU won't report it.
>
> What about this: would you make your guest handle failures if they were
> reported?

Perhaps I was unclear, that's what I meant.

>>> The main reason I'm considering this stuff is for security reasons if
>>> the guest asks for something really illegal or crazy what should the
>>> expected behaviour of the host be? (at least secure I know that).
>>
>> If the guest userspace can do it, don't exit.  If the kernel only, and
>> it's should have known better, abort is OK.
>>
>> Sure that doesn't help much!
>
> Immediate exit() or abort() denies the guest the ability to degrade
> service gracefully (disable the device, cry for help and try to hobble
> on), or report its brokenness ungracefully (kernel panic, crash dump).
> I doubt denying that is okay unless the device is so important that
> without it you can't even hope to panic.

Oh yes, I completely agree with you!  But QEMU practice doesn't :)

Cheers,
Rusty.