> Initiator is not net ns aware.

Am I correct in my assessment that this could be a container jailbreak risk? We aren't using containers, but we were shocked that RoCEv2 connections magically worked through the physical function which was not in the netns context.

Thanks,
Mark

On Thu, Apr 13, 2023 at 10:23 AM Parav Pandit <parav@xxxxxxxxxx> wrote:
>
>
> > From: Parav Pandit <parav@xxxxxxxxxx>
> > Sent: Thursday, April 13, 2023 12:20 PM
> >
> > > From: Mark Lehrer <lehrer@xxxxxxxxx>
> > > Sent: Thursday, April 13, 2023 11:39 AM
> > >
> > > > Didn't get a chance to review the thread discussion.
> > > > The way to use VF is:
> > >
> > > Virtual functions were just a debugging aid. We really just want to
> > > use a single physical function and put it into the netns. However, we
> > > will do additional VF tests as it still may be a viable workaround.
> > >
> > > When using the physical function, we are still having no joy using
> > > exclusive mode with mlx5:
> > >
> >
> > static int nvmet_rdma_enable_port(struct nvmet_rdma_port *port)
> > {
> > 	struct sockaddr *addr = (struct sockaddr *)&port->addr;
> > 	struct rdma_cm_id *cm_id;
> > 	int ret;
> >
> > 	cm_id = rdma_create_id(&init_net, nvmet_rdma_cm_handler, port,
> > 	                       ^^^^^^^ Nvme target is not net ns aware.
> >
> > 			       RDMA_PS_TCP, IB_QPT_RC);
> > 	if (IS_ERR(cm_id)) {
> > 		pr_err("CM ID creation failed\n");
> > 		return PTR_ERR(cm_id);
> > 	}
> >
>
> Clicked send email too early.
>
> 574 static int nvme_rdma_alloc_queue(struct nvme_rdma_ctrl *ctrl,
> 575 		int idx, size_t queue_size)
> 576 {
> [..]
> 597 	queue->cm_id = rdma_create_id(&init_net, nvme_rdma_cm_handler, queue,
> 598 			RDMA_PS_TCP, IB_QPT_RC);
> 599 	if (IS_ERR(queue->cm_id)) {
>
> Initiator is not net ns aware.
> Given some of the work involves workqueue operation, it needs to hold the reference to net ns and implement the net ns delete routine to terminate.
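The lifecycle Parav asks for (create the CM id in the caller's net namespace, hold a reference to that namespace, and have the namespace's delete routine terminate the id) as an added user-space model. This is not kernel code and is not from either participant: `struct net`, `get_net`/`put_net`, `create_id`, `destroy_id` and `net_exit` are plain-C stand-ins that only borrow the kernel's names, and `create_id_unaware` models the `rdma_create_id(&init_net, ...)` shape quoted above, where a caller confined to its own namespace still ends up with an id in the host namespace.

```c
/* Added example: user-space model of the net-namespace lifecycle discussed
 * in the thread.  Not kernel code: struct net, get_net/put_net, create_id
 * and the net_exit hook are stand-ins that only share the kernel's names. */
#include <stdlib.h>
#include <stdio.h>

struct net {                 /* modelled network namespace */
    const char *name;
    int refcount;            /* owner's reference plus one per bound cm id */
    int alive;               /* cleared once the namespace has been deleted */
};

struct cm_id {               /* modelled rdma_cm_id */
    struct net *net;         /* namespace this id is bound to */
    struct cm_id *next;
};

static struct net init_net = { "init_net", 1, 1 };
static struct cm_id *all_ids;   /* one global list, like the kernel's cm id tracking */

static struct net *get_net(struct net *n) { n->refcount++; return n; }
static void put_net(struct net *n) { if (--n->refcount < 0) abort(); }

/* Modelled rdma_create_id(): the new id takes a reference on `net`. */
static struct cm_id *create_id(struct net *net)
{
    struct cm_id *id = calloc(1, sizeof *id);
    if (!id)
        return NULL;
    id->net = get_net(net);
    id->next = all_ids;
    all_ids = id;
    return id;
}

/* Modelled rdma_destroy_id(): unlink the id and drop its namespace reference. */
static void destroy_id(struct cm_id *id)
{
    struct cm_id **pp;
    for (pp = &all_ids; *pp; pp = &(*pp)->next) {
        if (*pp == id) {
            *pp = id->next;
            break;
        }
    }
    put_net(id->net);
    free(id);
}

/* The shape quoted in the thread: the caller's namespace is ignored and the
 * id is always created in init_net. */
static struct cm_id *create_id_unaware(struct net *caller)
{
    (void)caller;
    return create_id(&init_net);
}

/* Namespace-aware variant: bind the id to the caller's namespace and refuse
 * to create one in a namespace that has already been deleted. */
static struct cm_id *create_id_aware(struct net *caller)
{
    if (!caller->alive)
        return NULL;
    return create_id(caller);
}

/* Modelled pernet exit routine: terminate every id bound to the namespace
 * being deleted so no deferred work can run against a dead namespace.
 * Returns the number of ids torn down. */
static int net_exit(struct net *net)
{
    int n = 0;
    struct cm_id *id = all_ids;
    while (id) {
        struct cm_id *next = id->next;   /* destroy_id() unlinks, so save next first */
        if (id->net == net) {
            destroy_id(id);
            n++;
        }
        id = next;
    }
    net->alive = 0;
    return n;
}

/* Number of live ids bound to `net`. */
static int ids_in(const struct net *net)
{
    int n = 0;
    for (const struct cm_id *id = all_ids; id; id = id->next)
        n += (id->net == net);
    return n;
}

int main(void)
{
    struct net app = { "app-netns", 1, 1 };   /* constructed: a confined caller's namespace */
    struct cm_id *leak = create_id_unaware(&app);
    printf("unaware: ids in init_net=%d, in %s=%d\n",
           ids_in(&init_net), app.name, ids_in(&app));
    destroy_id(leak);
    create_id_aware(&app);
    printf("aware:   ids in %s=%d, refcount=%d\n", app.name, ids_in(&app), app.refcount);
    int torn = net_exit(&app);
    printf("net_exit tore down %d id(s), refcount now %d\n", torn, app.refcount);
    return 0;
}
```

The model makes the two halves of the fix visible separately: `create_id_aware` is what keeps an id from escaping into `init_net`, and `net_exit` is what keeps a namespace-bound id (and any work queued on its behalf) from outliving the namespace it holds a reference to.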