> Subject: Re: [PATCH] PCI: hv: Move completion variable from stack to heap in
> hv_compose_msi_msg()
>
>
> I agree if the intent is to deal with an untrusted host, I can follow the same
> principle to add this support to all requests to VSP. But this is a different
> problem to what this patch intends to address. I can see they may share the
> same design principle and common code. My question on an untrusted host is:
> If a host is untrusted and is misbehaving on purpose, what's the point of
> keeping the VM running and not crashing the PCI driver?
>
> I think the principle can be summarized with "keep the VM _running_, if you
> can handle the misbehaviour (possibly, warning on "something
> wrong/unexpected just happened"); crash, otherwise".
>
> Of course, this is just a principle: the exact meaning of that 'handle' should be
> leverage case by case (which I admittedly haven't here); I'm thinking, e.g., at
> corresponding complexity/performance impacts and risks of 'mis-assessments'.
>
> Thanks,
> Andrea

I will follow Michael's suggestion and send v2.

Long