On 7/17/26 12:44, Greg Kroah-Hartman wrote:
> On Fri, Jul 17, 2026 at 11:21:34AM +0100, David Hildenbrand (Arm) wrote:
>> On 7/17/26 12:15, Greg Kroah-Hartman wrote:
>>>
>>> Ok, so you want this patch :)
>>
>> I fail to see the value of this patch given that there are plenty of other 
>> cases
>> the device can mess with us.
> 
> How can the device mess with us?

I raised some examples already, like lying about which memory chunks it makes
available.

I guess it could also throw a random "requested_size" at us. It could make up a
wrong physical address region. I assume there is plenty more we'd have to check.

Again, I'm not saying that this couldn't/shouldn't be done, but it requires some
*real thought* about all possible things a device could do.

> 
>> But sure, let's check for some conditions if it makes us feel warm and 
>> fluffy as
>> we audited a driver and it's now super safe, fine with me.
> 
> I'm all for the folly of "it's an audited driver!" claims, but you all
> need to decide either you do or you do not trust the device.  Either way
> is fine with me.

Well, exactly, that is what I am saying. I don't know what we care about. This
patch here feels incomplete and that's what grinds my gears. It doesn't
magically make us deal with malicious devices.

And I don't buy the story about "buggy virtio-mem devices that set
block_size==0", which doesn't make any sense in any possible reality.

> 
> If you don't trust it, great, take patches that fix that.  If you do
> trust it, great, reject those types of patches.
> 
> But pick one please.

Yes, I'd expect that we have general virtio guifance. I only co-maintain some
virtio bits and have no idea about the expected trust model and when we would
consider a devices trusted.

And what it would take to get there.

-- 
Cheers,

David

Reply via email to