On Fri, Oct 13, 2023 at 9:17 PM Christoph Hellwig <hch@xxxxxx> wrote:
>
> On Fri, Oct 13, 2023 at 08:41:54PM +0530, Kanchan Joshi wrote:
> > It seems we will have two limitations with this approach - (i) sgl for
> > the external metadata buffer, and (ii) using sgl for data-transfer will
> > reduce the speed of passthrough io, perhaps more than what can happen
> > using the checks. And if we make the sgl opt-in, that means leaving the
> > hole for the case when this was not chosen.
>
> The main limitation is that the device needs to support SGLs, and

Indeed. Particularly on non-enterprise drives, SGL is a luxury.

> we need to as well (we currently don't for metadata). But for any
> non-stupid workload SGLs should be at least as fast if not faster
> with modern hardware.

But nvme-pcie selects PRP for the small IO.

> But I see no way out.
> Now can we please get a patch to disable the unprivileged passthrough
> ASAP to fix this probably exploitable hole? Or should I write one?

I can write. I was waiting to see whether Keith has any different opinion on the route that v4 takes. It seems this is a no-go from him.

Disabling is possible with a simple patch that just returns false from nvme_cmd_allowed() if CAP_SYS_ADMIN is not present. I assume that is not sought? But a deep revert that removes all the things such as carrying the file-mode to various functions. Hope tomorrow is ok for that.