Date: Tue, 29 Mar 2016 18:58:03 +0200
From: Cornelia Huck
Message-ID: <20160329185803.09dfd07d.cornelia.huck@de.ibm.com>
In-Reply-To: <1459267981-23408-4-git-send-email-stefanha@redhat.com>
References: <1459267981-23408-1-git-send-email-stefanha@redhat.com> <1459267981-23408-4-git-send-email-stefanha@redhat.com>
Subject: Re: [Qemu-devel] [RFC v2 3/9] virtio: stop virtqueue processing if device is broken
To: Stefan Hajnoczi
Cc: Fam Zheng, qemu-devel@nongnu.org, "Michael S. Tsirkin"

On Tue, 29 Mar 2016 17:12:55 +0100
Stefan Hajnoczi wrote:

> QEMU prints an error message and exits when the device enters an invalid
> state. Terminating the process is heavy-handed. The guest may still be
> able to function even if there is a bug in a virtio guest driver.
>
> Moreover, exiting is a bug in nested virtualization where a nested guest
> could DoS other nested guests by killing a pass-through virtio device.
> I don't think this configuration is possible today but it is likely in
> the future.
>
> If the broken flag is set, do not process virtqueues or write back used
> descriptors. The broken flag can be cleared again by resetting the
> device.
>
> Signed-off-by: Stefan Hajnoczi
> ---
> hw/virtio/virtio.c | 39 +++++++++++++++++++++++++++++++++++++++
> include/hw/virtio/virtio.h | 3 +++
> 2 files changed, 42 insertions(+)

> +void GCC_FMT_ATTR(2, 3) virtio_error(VirtIODevice *vdev, const char *fmt, ...) > +{ > + va_list ap; > + > + va_start(ap, fmt); > + error_vreport(fmt, ap); > + va_end(ap); > + > + vdev->broken = true; > + > + if (virtio_vdev_has_feature(vdev, VIRTIO_F_VERSION_1)) { > + vdev->status |= VIRTIO_CONFIG_S_NEEDS_RESET;

virtio_set_status()?

> + virtio_notify_config(vdev); > + } > +} > + > static void virtio_device_realize(DeviceState *dev, Error **errp) > { > VirtIODevice *vdev = VIRTIO_DEVICE(dev);
> diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h > index 2b5b248..1565e53 100644 > --- a/include/hw/virtio/virtio.h > +++ b/include/hw/virtio/virtio.h > @@ -87,6 +87,7 @@ struct VirtIODevice > VirtQueue *vq; > uint16_t device_id; > bool vm_running; > + bool broken; /* device in invalid state, needs reset */

I'm wondering whether there's a sane way to track the broken state via the NEEDS_RESET status bit instead. We'd probably want to filter out this bit and not expose it to legacy drivers; but as the status field is migrated anyway, we might be able to avoid a subsection for migration.
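Review bot: virtio_error() in hw/virtio/virtio.c returns to its caller after setting vdev->broken, whereas the behaviour described in the commit message as current is to exit, and nothing at the function documents that difference. A comment above it should say that the caller must stop touching the virtqueue and unwind once it returns, and that a device without VIRTIO_F_VERSION_1 gets no guest-visible signal, because both the NEEDS_RESET update and virtio_notify_config() sit inside the feature check. Since the condition is guest-triggerable, consider also skipping error_vreport() and the config notification when vdev->broken is already set, so a repeated fault does not log and interrupt again.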
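Review bot: the new broken field in struct VirtIODevice (include/hw/virtio/virtio.h) is device state, but the lines shown do not say how it survives migration or where it is cleared. For VIRTIO_F_VERSION_1 devices it mirrors VIRTIO_CONFIG_S_NEEDS_RESET in the status field, but virtio_error() sets only broken on legacy devices, so there it cannot be rebuilt from status on the destination. Suggest extending the field comment to name the setter (virtio_error()) and the reset path that clears it, and stating the migration handling explicitly.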