On Fri, Oct 13, 2023 at 9:17 PM Christoph Hellwig <hch@lst.de> wrote:
> On Fri, Oct 13, 2023 at 08:41:54PM +0530, Kanchan Joshi wrote:
> > It seems we will have two limitations with this approach: (i) SGL for the external metadata buffer, and (ii) using SGL for data transfer will reduce the speed of passthrough IO, perhaps more than what can happen using the checks. And if we make the SGL opt-in, that means leaving the hole for the case when this was not chosen.
>
> The main limitation is that the device needs to support SGLs, and

Indeed. Particularly on non-enterprise drives, SGL is a luxury.

> we need to as well (we currently don't for metadata). But for any non-stupid workload SGLs should be at least as fast, if not faster, with modern hardware.

But nvme-pcie selects PRP for the small IO.

> But I see no way out. Now can we please get a patch to disable the unprivileged passthrough ASAP to fix this probably exploitable hole? Or should I write one?

I can write it. I was waiting to see whether Keith has any different opinion on the route that v4 takes. It seems this is a no-go from him.

Disabling is possible with a simple patch that just returns false from nvme_cmd_allowed() if CAP_SYS_ADMIN is not present. I assume that is not what is sought, but rather a deep revert that removes all the things such as carrying the file mode to various functions. Hope tomorrow is OK for that.