On 06/21/2012 02:33 AM, Michael S. Tsirkin wrote:
> On Thu, Jun 21, 2012 at 08:02:06AM +1000, Benjamin Herrenschmidt wrote:
>> On Wed, 2012-06-20 at 16:40 -0500, Anthony Liguori wrote:
>>> Well, let's return void in the DMA methods and let the IOMMUs assert on error.
>>> At least that will avoid surprises until someone decides they care enough about
>>> errors to touch all callers.
>>> I think silently failing a memcpy() can potentially lead to a vulnerability so
>>> I'd rather avoid that.
>> No, I'd rather keep the error returns, really, even if that means fixing
>> a few devices. I can look at making sure we don't pass random qemu data;
>> on error that's reasonably easy.
>> assert on error means guest code can assert qemu ... not a great idea,
>> but maybe we can add a warning.
> Why not? Guest can always just halt if it wants to anyway.
> On the other hand, warnings can fill up host logs and so
> represent a security problem.
As long as we scrub the buffers, returning an unhandled error seems okay to me.
I've long thought we should have some sort of generic way to throw an error and
effectively pause a single device. I'm not sure how it would work in practice
though.
Regards,
Anthony Liguori
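The "keep the error return but scrub the buffer" behaviour the thread converges on, as an added illustration in C that is not QEMU's code: the DMA window, the function names and the 0xAA "leftover data" are constructed for the example, and the IOMMU is reduced to a single bounds check.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model, not QEMU's code: one guest-visible DMA window backed by
 * a host buffer; translation fails for any access outside the window. */
#define DMA_WINDOW_BASE 0x1000u
#define DMA_WINDOW_SIZE 0x100u
static uint8_t guest_backing[DMA_WINDOW_SIZE];

/* Translate a guest DMA address, or return NULL when the IOMMU rejects it. */
static uint8_t *dma_translate(uint64_t addr, size_t len)
{
    if (addr < DMA_WINDOW_BASE || len > DMA_WINDOW_SIZE ||
        addr - DMA_WINDOW_BASE > DMA_WINDOW_SIZE - len)
        return NULL;
    return guest_backing + (addr - DMA_WINDOW_BASE);
}

/* Read len bytes of guest memory into dst. On a translation failure the
 * error is returned either way; with scrub_on_error set, dst is zeroed
 * first so a caller that ignores -1 cannot hand stale host data to the guest. */
static int dma_read(uint64_t addr, void *dst, size_t len, int scrub_on_error)
{
    uint8_t *src = dma_translate(addr, len);
    if (!src) {
        if (scrub_on_error)
            memset(dst, 0, len);
        return -1;
    }
    memcpy(dst, src, len);
    return 0;
}

/* Experiment: fill a device buffer with leftover data (0xAA), issue a DMA
 * read the IOMMU rejects, and count how many stale bytes survive. */
static size_t stale_bytes_after_failed_read(int scrub)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);
    if (dma_read(DMA_WINDOW_BASE + DMA_WINDOW_SIZE, buf, sizeof buf, scrub) != -1)
        return (size_t)-1;            /* the read should have failed */
    size_t stale = 0;
    for (size_t i = 0; i < sizeof buf; i++)
        stale += buf[i] != 0;
    return stale;
}
```

Without scrubbing all 16 bytes of the device's old buffer survive the failed read; with scrubbing none do, while the error code itself is unchanged.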