Since commit "f5ed36635d8f virtio: stop virtqueue processing if device is broken", QEMU has the ability to deactivate a virtio device that has hit an unrecoverable issue. This is performed by calling the virtio_error() function, which can also print an error message to the QEMU monitor.
The device-specific virtio code has many locations where exit() is called because the guest sent malformed requests. This is suboptimal: the guest OS may try to recover by resetting the device or at worst do a fast-reboot, which is probably better than putting down the entire machine. Also, as mentioned by Stefan Hajnoczi, this could be used by a malicious nested guest with a passed-through device to kill the parent QEMU, and thus all its sibling VMs.

This series converts all the affected exit() call sites in the device-specific code to call virtio_error() instead. Note that virtio-9p currently calls assert() instead of exit(), but since this is exactly the same issue, it is also converted.

The offending VirtQueueElement, and any previously received but still unprocessed VirtQueueElement, are detached from the virtqueue and freed altogether. This part requires the following patch, which is not upstream yet:

virtio: add virtio_detach_element()
Message-Id: <1474291685-24226-2-git-send-email-stefa...@redhat.com>

Next work will be to check all assert() call sites in the device-specific code, in case some of them actually refer to a bug in the guest, and should be converted to use virtio_error() as well.

It is based on the virtio maintainer tree:

https://git.kernel.org/pub/scm/virt/kvm/mst/qemu.git fb9f592623b0

and the "virtio: add virtio_detach_element()" patch mentioned above.

This v4 is basically the same as v3, with a trivial fix in patch 8/9.

Please apply.
---

Greg Kurz (9):
  virtio-9p: add parentheses to sizeof operator
  virtio-blk: make some functions static
  virtio-9p: handle handle_9p_output() error
  virtio-blk: handle virtio_blk_handle_request() errors
  virtio-net: handle virtio_net_handle_ctrl() error
  virtio-net: handle virtio_net_receive() errors
  virtio-net: handle virtio_net_flush_tx() errors
  virtio-scsi: convert virtio_scsi_bad_req() to use virtio_error()
  virtio-scsi: handle virtio_scsi_set_config() error

 hw/9pfs/virtio-9p-device.c     | 30 +++++++++++++++-----
 hw/block/virtio-blk.c          | 46 +++++++++++++++++++++----------
 hw/net/virtio-net.c            | 60 +++++++++++++++++++++++++---------------
 hw/scsi/virtio-scsi.c          | 51 +++++++++++++++++++++++-----------
 include/hw/virtio/virtio-blk.h |  8 -----
 5 files changed, 128 insertions(+), 67 deletions(-)

--
Greg
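The exit()-to-virtio_error() conversion the cover letter describes, as an added self-contained C example that is not part of this series or of QEMU: the VirtIODevice, VirtQueue and VirtQueueElement types, virtio_error(), virtio_detach_element() and virtqueue_pop() are constructed stand-ins with simplified bodies (not QEMU's real definitions), the 4-byte request header is an invented format, and handle_output() and run_scenario() are hypothetical helpers. The point it shows is that a malformed guest request now marks the device broken and hands the offending and not-yet-processed elements back, instead of taking the whole QEMU process (and every VM it hosts) down.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-ins for QEMU's types (not the real definitions). */
typedef struct { bool broken; } VirtIODevice;
typedef struct { size_t out_len; } VirtQueueElement;
typedef struct { VirtIODevice *vdev; VirtQueueElement **ring; int head, count, detached, completed; } VirtQueue;
#define REQ_HDR_LEN 4   /* constructed request format: every request starts with a 4-byte header */

/* Stand-in for virtio_error(): mark the device broken instead of calling exit(). */
static void virtio_error(VirtIODevice *vdev, const char *msg)
{   /* real QEMU also stops virtqueue processing at this point */
    vdev->broken = true; fprintf(stderr, "virtio_error: %s\n", msg);
}
/* Stand-in for virtio_detach_element(): give the buffers back to the guest uncompleted. */
static void virtio_detach_element(VirtQueue *vq, VirtQueueElement *elem) { (void)elem; vq->detached++; }
static VirtQueueElement *virtqueue_pop(VirtQueue *vq) { return vq->head < vq->count ? vq->ring[vq->head++] : NULL; }

/* Handler in the style of this series: on a malformed request, mark the device broken, detach and
 * free the offending element plus every element popped earlier in this batch but not yet processed,
 * and return -1 so the caller stops touching the queue. Elements never popped stay with the guest. */
int handle_output(VirtQueue *vq)
{
    VirtQueueElement *pending[16], *elem; int n = 0;
    while (n < 16 && (elem = virtqueue_pop(vq)) != NULL) {
        if (elem->out_len < REQ_HDR_LEN) {
            virtio_error(vq->vdev, "request header too short");
            virtio_detach_element(vq, elem);
            free(elem);
            for (int i = 0; i < n; i++) { virtio_detach_element(vq, pending[i]); free(pending[i]); }
            return -1;
        }
        pending[n++] = elem;   /* valid: completed once the whole batch has been validated */
    }
    for (int i = 0; i < n; i++) { vq->completed++; free(pending[i]); }
    return 0;
}

/* Constructed scenario: three requests, the second one malformed when with_bad is set. */
int g_detached, g_completed; bool g_broken;
int run_scenario(bool with_bad)
{
    VirtIODevice dev = { false };
    VirtQueueElement *ring[3];
    VirtQueue vq = { &dev, ring, 0, 3, 0, 0 };
    for (int i = 0; i < 3; i++) {
        ring[i] = malloc(sizeof *ring[i]);
        ring[i]->out_len = (with_bad && i == 1) ? 1 : REQ_HDR_LEN + 8;
    }
    int rc = handle_output(&vq);
    for (int i = vq.head; i < vq.count; i++) free(ring[i]);   /* never popped: still the guest's */
    g_detached = vq.detached; g_completed = vq.completed; g_broken = dev.broken;
    return rc;
}
```

With the malformed second request, the first (already popped) request and the bad one are both detached, nothing is completed, and the third request is left on the ring for the guest to resubmit after it resets the device.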