Re: [PATCH V6 1/2] nvme: enable char device per namespace

From: Minwoo Im <minwoo.im.dev@gmail.com>
To: Niklas Cassel <Niklas.Cassel@wdc.com>
Cc: "javier@javigon.com" <javier@javigon.com>,
	"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
	"sagi@grimberg.me" <sagi@grimberg.me>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	"kbusch@kernel.org" <kbusch@kernel.org>,
	"Javier González" <javier.gonz@samsung.com>,
	"hch@lst.de" <hch@lst.de>
Subject: Re: [PATCH V6 1/2] nvme: enable char device per namespace
Date: Thu, 25 Mar 2021 11:09:51 +0900	[thread overview]
Message-ID: <20210325020951.GA2105@localhost> (raw)
In-Reply-To: <YFswq8pgzg9y00GO@x1-carbon.lan>

On 21-03-24 12:29:32, Niklas Cassel wrote:
> On Mon, Mar 01, 2021 at 08:24:51PM +0100, javier@javigon.com wrote:
> > From: Javier González <javier.gonz@samsung.com>
> > 
> > Create a char device per NVMe namespace. This char device is always
> > initialized, independently of whether the features implemented by the
> > device are supported by the kernel. User-space can therefore always
> > issue IOCTLs to the NVMe driver using the char device.
> > 
> > The char device is presented as /dev/nvme-generic-XcYnZ. This naming
> > scheme follows the convention of the hidden device (nvmeXcYnZ). Support
> > for multipath will follow.
> > 
> 
> Hello all,
> 
> Looking at the discussion that led up to the current design:
> https://lore.kernel.org/linux-block/20201102185851.GA21349@lst.de/
> 
> Keith initially suggested:
> 
> a) Set up the existing controller character device with a generic
>    disk-less request_queue to the IO queues accepting IO commands to
>    arbitrary NSIDs.
> 
> However Christoph replied:
> 
> The problem with a) is that it can't be used to give users or groups
> access to just one namespaces, so it causes a real access control
> nightmare.
> 
> c) Each namespace gets its own character device, period.

Thanks for summarizing this up!

> However, testing this patch series out:
> 
> crw------- 1 root root 249,   0 Mar 24 11:32 /dev/nvme-generic-0c0n1
> crw------- 1 root root 249,   1 Mar 24 11:32 /dev/nvme-generic-0c0n2
> crw------- 1 root root 250,   0 Mar 24 11:32 /dev/nvme0
> brw-rw---- 1 root disk 259,   1 Mar 24 11:32 /dev/nvme0n2
> 
> NSID1 has been rejected (because of ZNS ZOC, which kernel does not support).
> 
> However, if I use the new char device for NSID1, but specify NSID2 to nvme-cli:
> 
> sudo nvme write-zeroes -s 0 -c 0 --namespace-id=2 /dev/nvme-generic-0c0n1
> 
> I was still allowed to write to NSID2:
> 
> sudo nvme zns report-zones -d 1 /dev/nvme0n2
> SLBA: 0x0        WP: 0x1        Cap: 0x3e000    State: IMP_OPENED   Type: SEQWRITE_REQ   Attrs: 0x0
> 
> Should this really be allowed?

I think this should not be allowed at all.  Thanks for the testing!

> 
> I was under the impression that Christoph's argument for implementing per
> namespace char devices, was that you should be able to do access control.
> Doesn't that mean that for the new char devices, we need to reject ioctls
> that specify a nvme_passthru_cmd.nsid != the NSID that the char device
> represents?
> 
> 
> Although, this is not really something new, as we already have the same
> behavior when it comes ioctls and the block devices. Perhaps we want to
> add the same verification there?

I think there should be verifications.

> 
> Regardless if we want to add a verification for block devices or not,
> it just seemed to me that the whole argument for introducing new char
> devices was to allow access control per namespace, which doesn't seem
> to have been taken into account, but perhaps I'm missing something.

Any other points that you think it's not been taken account?  I think it
should map to previous blkdev operations, but with some verfications
there.  It would be great if you can share any other points supposed to
be supported here :)

> Kind regards,
> Niklas