On Thu, Mar 25, 2021 at 09:26:47AM +0100, hch@xxxxxx wrote: > On Thu, Mar 25, 2021 at 11:09:51AM +0900, Minwoo Im wrote: > > > I was still allowed to write to NSID2: > > > > > > sudo nvme zns report-zones -d 1 /dev/nvme0n2 > > > SLBA: 0x0 WP: 0x1 Cap: 0x3e000 State: IMP_OPENED Type: SEQWRITE_REQ Attrs: 0x0 > > > > > > Should this really be allowed? > > > > I think this should not be allowed at all. Thanks for the testing! > > It should not be allowed, but it seems like a pre-existing problem > as nvme_user_cmd does not verify the nsid. > > > > I was under the impression that Christoph's argument for implementing per > > > namespace char devices, was that you should be able to do access control. > > > Doesn't that mean that for the new char devices, we need to reject ioctls > > > that specify a nvme_passthru_cmd.nsid != the NSID that the char device > > > represents? > > > > > > > > > Although, this is not really something new, as we already have the same > > > behavior when it comes ioctls and the block devices. Perhaps we want to > > > add the same verification there? > > > > I think there should be verifications. > > Yes. Thanks Minwoo, Christoph, I'll cook up a patch based on nvme/nvme-5.13. Kind regards, Niklas
