On 7/17/26 12:44, Greg Kroah-Hartman wrote: > On Fri, Jul 17, 2026 at 11:21:34AM +0100, David Hildenbrand (Arm) wrote: >> On 7/17/26 12:15, Greg Kroah-Hartman wrote: >>> >>> Ok, so you want this patch :) >> >> I fail to see the value of this patch given that there are plenty of other >> cases >> the device can mess with us. > > How can the device mess with us?
I raised some examples already, like lying about which memory chunks it makes available. I guess it could also throw a random "requested_size" at us. It could make up a wrong physical address region. I assume there is plenty more we'd have to check. Again, I'm not saying that this couldn't/shouldn't be done, but it requires some *real thought* about all possible things a device could do. > >> But sure, let's check for some conditions if it makes us feel warm and >> fluffy as >> we audited a driver and it's now super safe, fine with me. > > I'm all for the folly of "it's an audited driver!" claims, but you all > need to decide either you do or you do not trust the device. Either way > is fine with me. Well, exactly, that is what I am saying. I don't know what we care about. This patch here feels incomplete and that's what grinds my gears. It doesn't magically make us deal with malicious devices. And I don't buy the story about "buggy virtio-mem devices that set block_size==0", which doesn't make any sense in any possible reality. > > If you don't trust it, great, take patches that fix that. If you do > trust it, great, reject those types of patches. > > But pick one please. Yes, I'd expect that we have general virtio guifance. I only co-maintain some virtio bits and have no idea about the expected trust model and when we would consider a devices trusted. And what it would take to get there. -- Cheers, David

