On Mon, Mar 01, 2021 at 08:24:51PM +0100, javier@xxxxxxxxxxx wrote: > From: Javier González <javier.gonz@xxxxxxxxxxx> > > Create a char device per NVMe namespace. This char device is always > initialized, independently of whether the features implemented by the > device are supported by the kernel. User-space can therefore always > issue IOCTLs to the NVMe driver using the char device. > > The char device is presented as /dev/nvme-generic-XcYnZ. This naming > scheme follows the convention of the hidden device (nvmeXcYnZ). Support > for multipath will follow. > Hello all, Looking at the discussion that led up to the current design: https://lore.kernel.org/linux-block/20201102185851.GA21349@xxxxxx/ Keith initially suggested: a) Set up the existing controller character device with a generic disk-less request_queue to the IO queues accepting IO commands to arbitrary NSIDs. However Christoph replied: The problem with a) is that it can't be used to give users or groups access to just one namespaces, so it causes a real access control nightmare. c) Each namespace gets its own character device, period. However, testing this patch series out: crw------- 1 root root 249, 0 Mar 24 11:32 /dev/nvme-generic-0c0n1 crw------- 1 root root 249, 1 Mar 24 11:32 /dev/nvme-generic-0c0n2 crw------- 1 root root 250, 0 Mar 24 11:32 /dev/nvme0 brw-rw---- 1 root disk 259, 1 Mar 24 11:32 /dev/nvme0n2 NSID1 has been rejected (because of ZNS ZOC, which kernel does not support). However, if I use the new char device for NSID1, but specify NSID2 to nvme-cli: sudo nvme write-zeroes -s 0 -c 0 --namespace-id=2 /dev/nvme-generic-0c0n1 I was still allowed to write to NSID2: sudo nvme zns report-zones -d 1 /dev/nvme0n2 SLBA: 0x0 WP: 0x1 Cap: 0x3e000 State: IMP_OPENED Type: SEQWRITE_REQ Attrs: 0x0 Should this really be allowed? I was under the impression that Christoph's argument for implementing per namespace char devices, was that you should be able to do access control. Doesn't that mean that for the new char devices, we need to reject ioctls that specify a nvme_passthru_cmd.nsid != the NSID that the char device represents? Although, this is not really something new, as we already have the same behavior when it comes ioctls and the block devices. Perhaps we want to add the same verification there? Regardless if we want to add a verification for block devices or not, it just seemed to me that the whole argument for introducing new char devices was to allow access control per namespace, which doesn't seem to have been taken into account, but perhaps I'm missing something. Kind regards, Niklas
