Re: [Qemu-devel] [PATCH 04/13] usb-ohci: Use universal DMA helper functions

[Michael S. Tsirkin]

On Thu, Jun 21, 2012 at 07:55:58AM -0500, Anthony Liguori wrote:
> On 06/21/2012 02:33 AM, Michael S. Tsirkin wrote:
> >On Thu, Jun 21, 2012 at 08:02:06AM +1000, Benjamin Herrenschmidt wrote:
> >>On Wed, 2012-06-20 at 16:40 -0500, Anthony Liguori wrote:
> >>
> >>>Well let's return void in the DMA methods and let the IOMMUs assert on 
> >>>error.
> >>>At least that will avoid surprises until someone decides they care enough 
> >>>about
> >>>errors to touch all callers.
> >>>
> >>>I think silently failing a memcpy() can potentially lead to a 
> >>>vulnerability so
> >>>I'd rather avoid that.
> >>
> >>No I'd rather keep the error returns, really, even if that means fixing
> >>a few devices. I can look at making sure we don't pass random qemu data,
> >>on error that's reasonably easy.
> >>
> >>assert on error means guest code can assert qemu ... not a great idea
> >>but maybe we can add a warning.
> >
> >Why not?  Guest can always just halt if it wants to anyway.
> >On the other hand, warnings can fill up host logs so
> >represent a security problem.
> 
> As long as we scrub the buffers, returning an unhandled error seems okay to 
> me.
> 
> I've long thought we should have some sort of generic way to throw
> an error and effectively pause a single device.  I'm not sure how it
> would work in practice though.
> 
> Regards,
> 
> Anthony Liguori

I think we should add an API to log a message and pause the VM.
Later admin can resume the VM, save it to file for debugging etc.

-- 
MST