Re: [PATCH v4 11/15] pci: Add pci_iomap_shared{,_range}

From: Andi Kleen
Date: Mon Aug 30 2021 - 20:23:21 EST



On 8/30/2021 1:59 PM, Michael S. Tsirkin wrote:

>> Or we can add _audited to the name. ioremap_shared_audited?
> But it's not the mapping that has to be handled in a special way.
> It's any data we get from device, not all of it coming from IO, e.g.
> there's DMA and interrupts that all have to be validated.
> Wouldn't you say that what is really wanted is just not running
> unaudited drivers in the first place?


Yes.



>> And we've been avoiding that drivers can self declare auditing, we've been
>> trying to have a separate centralized list so that it's easier to enforce
>> and avoids any cut'n'paste mistakes.
>>
>> -Andi
> Now I'm confused. What is proposed here seems to be basically that,
> drivers need to declare auditing by replacing ioremap with
> ioremap_shared.

Auditing is declared on the device model level using a central allow list.

But this cannot do anything to initcalls that run before probe, that's why an extra level of defense of ioremap opt-in is useful. But it's not the primary mechanism to declare a driver audited, that's the allow list. The ioremap is just another mechanism to avoid having to touch a lot of legacy drivers.

If we agree on that then the original proposed semantics of "ioremap_shared" may be acceptable?

-Andi
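
A userspace model of the two layers described in this message, added here as an illustration; it is not code from the patch series or the kernel. The driver names, struct and function names are hypothetical, and it assumes that a plain mapping call yields a mapping the host cannot populate while only the opt-in call yields a shared one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Layer 1: central allow list held by the modelled device core (names constructed). */
static const char *const allow_list[] = { "audited_drv" };

static bool on_allow_list(const char *drv)
{
    for (size_t i = 0; i < sizeof(allow_list) / sizeof(allow_list[0]); i++)
        if (strcmp(allow_list[i], drv) == 0)
            return true;
    return false;
}

/* One driver: where it maps device memory and which mapping call it uses. */
struct drv_model {
    const char *name;
    bool maps_in_initcall;   /* maps MMIO from an initcall, before any probe */
    bool uses_shared_call;   /* converted to the opt-in (ioremap_shared-style) call */
};

/*
 * Returns true if the driver ends up reading host-controlled device memory.
 * opt_in_enforced == false models "allow list only": every mapping is shared.
 */
static bool host_data_reachable(const struct drv_model *d, bool opt_in_enforced)
{
    bool mapping_shared = opt_in_enforced ? d->uses_shared_call : true;
    if (!mapping_shared)
        return false;                 /* private mapping: host cannot feed it data */
    if (d->maps_in_initcall)
        return true;                  /* runs before probe, allow list never consulted */
    return on_allow_list(d->name);    /* probe path: device core filters by allow list */
}

int main(void)
{
    const struct drv_model drivers[] = {   /* constructed scenarios */
        { "audited_drv", false, true  },   /* allow-listed and converted */
        { "legacy_drv",  false, false },   /* not listed, maps only in probe */
        { "legacy_init", true,  false },   /* not listed, maps in an initcall */
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s allow-list-only=%d with-opt-in=%d\n", drivers[i].name,
               host_data_reachable(&drivers[i], false), host_data_reachable(&drivers[i], true));
    return 0;
}
```

The `legacy_init` row is the case the message calls out: the allow list alone leaves it exposed, and the mapping opt-in closes it without touching the driver.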