From: Christoph Hellwig <hch@lst.de>
To: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
	Chaitanya Kulkarni <kch@nvidia.com>
Cc: Kanchan Joshi <joshi.k@samsung.com>, linux-nvme@lists.infradead.org
Subject: [PATCH 6/6] nvme: consult the CSE log page for unprivileged passthrough
Date: Fri, 23 Dec 2022 08:18:14 +0100
Message-ID: <20221223071814.43564-7-hch@lst.de>
In-Reply-To: <20221223071814.43564-1-hch@lst.de>

Commands like Write Zeroes can change the contents of a namespace without
actually transferring data.  To protect against this, check that the Commands
Supported and Effects log is supported by the controller for any
unprivileged command passthrough and refuse unprivileged passthrough if the
command has any effects that can change data or metadata.

Note: While the Commands Supported and Effects log page has only been
mandatory since NVMe 2.0, it is widely supported because Windows requires
it for any command passthrough from userspace.

Fixes: e4fbcf32c860 ("nvme: identify-namespace without CAP_SYS_ADMIN")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
---
 drivers/nvme/host/ioctl.c | 28 ++++++++++++++++++++++++----
 include/linux/nvme.h      |  1 +
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 9ddda571f0461f..a8639919237e6a 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -11,6 +11,8 @@
 static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 		fmode_t mode)
 {
+	u32 effects;
+
 	if (capable(CAP_SYS_ADMIN))
 		return true;
 
@@ -43,11 +45,29 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 	}
 
 	/*
-	 * Only allow I/O commands that transfer data to the controller if the
-	 * special file is open for writing, but always allow I/O commands that
-	 * transfer data from the controller.
+	 * Check if the controller provides a Commands Supported and Effects log
+	 * and marks this command as supported.  If not reject unprivileged
+	 * passthrough.
+	 */
+	effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode);
+	if (!(effects & NVME_CMD_EFFECTS_CSUPP))
+		return false;
+
+	/*
+	 * Don't allow passthrough for command that have intrusive (or unknown)
+	 * effects.
+	 */
+	if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC |
+			NVME_CMD_EFFECTS_UUID_SEL |
+			NVME_CMD_EFFECTS_SCOPE_MASK))
+		return false;
+
+	/*
+	 * Only allow I/O commands that transfer data to the controller or that
+	 * change the logical block contents if the file descriptor is open for
+	 * writing.
 	 */
-	if (nvme_is_write(c))
+	if (nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC))
 		return mode & FMODE_WRITE;
 	return true;
 }
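Review bot: `effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode);` dereferences `ns` unconditionally, so this hunk relies on every `!ns` (controller character device, admin command) case having returned inside the block whose closing `}` is the first context line of the hunk. A one-line comment at the call site, or an explicit `if (!ns) return false;` right before it, would keep that assumption from silently breaking if the earlier block is reorganized. The mask in `if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_UUID_SEL | NVME_CMD_EFFECTS_SCOPE_MASK))` is what makes the "(or unknown)" in the comment true, because reserved bits 5-15 and the CSE field fall through to `return false`; saying so in the comment would document that reserved bits are deliberately treated as deny, not as don't-care.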
diff --git a/include/linux/nvme.h b/include/linux/nvme.h
index d1cd53f2b6abd9..4fad4aa245fb06 100644
--- a/include/linux/nvme.h
+++ b/include/linux/nvme.h
@@ -642,6 +642,7 @@ enum {
 	NVME_CMD_EFFECTS_CCC		= 1 << 4,
 	NVME_CMD_EFFECTS_CSE_MASK	= GENMASK(18, 16),
 	NVME_CMD_EFFECTS_UUID_SEL	= 1 << 19,
+	NVME_CMD_EFFECTS_SCOPE_MASK	= GENMASK(31, 20),
 };
 
 struct nvme_effects_log {
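Review bot: `NVME_CMD_EFFECTS_SCOPE_MASK = GENMASK(31, 20)` would benefit from a short comment naming the spec field it covers (the Command Scope bits of a Commands Supported and Effects entry), since ioctl.c now whitelists these bits as harmless for unprivileged passthrough and a reader of the enum alone cannot tell why bits 20-31 are safe while bits 16-18 (`NVME_CMD_EFFECTS_CSE_MASK`) are not.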
-- 
2.35.1
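The decision the patch adds to nvme_cmd_allowed() can be checked from userspace against a dumped log page before relying on it. The program below is an added example, not code from the patch or the kernel: it parses a Commands Supported and Effects log page (4 KiB, admin entries in the first 1024 bytes, I/O entries in the next 1024, 4-byte little-endian words) and applies the same three tests as the hunk for the namespace path (CSUPP required, only CSUPP/LBCC/UUID_SEL/scope bits tolerated, write or LBCC needs a writable descriptor). The bit values mirror the kernel's NVME_CMD_EFFECTS_* definitions; the function names, the CSE_* macros and the sample log contents are assumptions constructed for the example, and the admin-command path of nvme_cmd_allowed() is not modeled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of one Commands Supported and Effects entry, same values as
 * NVME_CMD_EFFECTS_* in include/linux/nvme.h (names here are the example's own). */
#define CSE_CSUPP        (1u << 0)       /* command supported */
#define CSE_LBCC         (1u << 1)       /* logical block content change */
#define CSE_NCC          (1u << 2)       /* namespace capability change */
#define CSE_NIC          (1u << 3)       /* namespace inventory change */
#define CSE_CCC          (1u << 4)       /* controller capability change */
#define CSE_CSE_MASK     (0x7u << 16)    /* submission/execution requirements */
#define CSE_UUID_SEL     (1u << 19)      /* UUID selection supported */
#define CSE_SCOPE_MASK   (0xfffu << 20)  /* command scope */

#define CSE_LOG_SIZE     4096            /* log page 05h is 4 KiB */
#define CSE_IOCS_OFFSET  1024            /* I/O command entries start here */

/* NVMe base-spec opcodes used by the sample. */
#define NVME_IO_WRITE         0x01
#define NVME_IO_READ          0x02
#define NVME_IO_COMPARE       0x05
#define NVME_IO_WRITE_ZEROES  0x08
#define NVME_IO_DSM           0x09
#define NVME_ADMIN_FORMAT_NVM 0x80

/* Admin opcodes index bytes 0..1023, I/O opcodes bytes 1024..2047; the rest
 * of the page is reserved. Each entry is a 4-byte little-endian word. */
static size_t cse_offset(bool io_cmd, uint8_t opcode)
{
	return (io_cmd ? CSE_IOCS_OFFSET : 0) + (size_t)opcode * 4;
}

static uint32_t cse_lookup(const uint8_t *log, bool io_cmd, uint8_t opcode)
{
	const uint8_t *p = log + cse_offset(io_cmd, opcode);

	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void cse_store(uint8_t *log, bool io_cmd, uint8_t opcode, uint32_t v)
{
	uint8_t *p = log + cse_offset(io_cmd, opcode);

	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Bit 0 of an NVMe opcode marks a host-to-controller data transfer; this is
 * the test the kernel's nvme_is_write() performs. */
static bool opcode_is_write(uint8_t opcode)
{
	return opcode & 1;
}

/* Same decision as nvme_cmd_allowed() for an unprivileged caller on a
 * namespace device: the opcode must be advertised as supported, may carry
 * only the CSUPP/LBCC/UUID_SEL/scope bits (reserved bits, NCC/NIC/CCC and
 * the CSE field all mean refuse), and a write or any block-content change
 * additionally needs a descriptor opened for writing. */
static bool unprivileged_io_cmd_allowed(const uint8_t *log, uint8_t opcode,
					bool fd_writable)
{
	uint32_t effects = cse_lookup(log, true, opcode);

	if (!(effects & CSE_CSUPP))
		return false;
	if (effects & ~(CSE_CSUPP | CSE_LBCC | CSE_UUID_SEL | CSE_SCOPE_MASK))
		return false;
	if (opcode_is_write(opcode) || (effects & CSE_LBCC))
		return fd_writable;
	return true;
}

/* Constructed sample log page, not captured from a real controller. */
static const uint8_t *sample_cse_log(void)
{
	static uint8_t log[CSE_LOG_SIZE];

	memset(log, 0, sizeof(log));
	cse_store(log, true, NVME_IO_READ, CSE_CSUPP);
	cse_store(log, true, NVME_IO_COMPARE, CSE_CSUPP);   /* odd opcode: host-to-controller */
	cse_store(log, true, NVME_IO_WRITE, CSE_CSUPP | CSE_LBCC);
	cse_store(log, true, NVME_IO_WRITE_ZEROES, CSE_CSUPP | CSE_LBCC); /* no data, changes LBAs */
	/* Dataset Management deliberately left unadvertised (CSUPP clear). */
	/* A vendor-specific I/O opcode advertised with reserved bit 5 set. */
	cse_store(log, true, 0x80, CSE_CSUPP | (1u << 5));
	/* Admin Format NVM sits in the admin region with intrusive effects. */
	cse_store(log, false, NVME_ADMIN_FORMAT_NVM, CSE_CSUPP | CSE_LBCC |
		  CSE_NCC | CSE_NIC | CSE_CCC | (1u << 16));
	return log;
}

int main(void)
{
	const uint8_t *log = sample_cse_log();
	static const uint8_t opcodes[] = { NVME_IO_READ, NVME_IO_COMPARE,
		NVME_IO_WRITE, NVME_IO_WRITE_ZEROES, NVME_IO_DSM, 0x80 };

	for (size_t i = 0; i < sizeof(opcodes); i++)
		printf("opcode 0x%02x effects 0x%08x: read-only fd %s, writable fd %s\n",
		       opcodes[i], cse_lookup(log, true, opcodes[i]),
		       unprivileged_io_cmd_allowed(log, opcodes[i], false) ? "allowed" : "refused",
		       unprivileged_io_cmd_allowed(log, opcodes[i], true) ? "allowed" : "refused");
	return 0;
}
```

To run the same policy against a real controller, replace the constructed buffer with the 4096 bytes that nvme-cli dumps via `nvme get-log /dev/nvme0 --log-id=5 --log-len=4096 --raw-binary`. The Compare case is worth noting: it has no LBCC bit, yet it still needs a writable descriptor because its odd opcode marks a host-to-controller transfer, which is the existing nvme_is_write() rule the patch keeps alongside the new LBCC one.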



Thread overview:
2022-12-23  7:18 only allow unprivileged passthrough for commands without effects v4 Christoph Hellwig
2022-12-23  7:18 ` [PATCH 1/6] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Christoph Hellwig
2022-12-25 10:06   ` Sagi Grimberg
2022-12-23  7:18 ` [PATCH 2/6] nvmet: use NVME_CMD_EFFECTS_CSUPP instead of open coding it Christoph Hellwig
2022-12-25 10:06   ` Sagi Grimberg
2022-12-23  7:18 ` [PATCH 3/6] nvmet: set the LBCC bit for commands that modify data Christoph Hellwig
2022-12-25 10:06   ` Sagi Grimberg
2022-12-23  7:18 ` [PATCH 4/6] nvmet: don't defer passthrough commands with trivial effects to the workqueue Christoph Hellwig
2022-12-25 10:14   ` Sagi Grimberg
2022-12-23  7:18 ` [PATCH 5/6] nvme: also return I/O command effects from nvme_command_effects Christoph Hellwig
2022-12-25 10:26   ` Sagi Grimberg
2022-12-27 16:57     ` Christoph Hellwig
2022-12-28 13:49       ` Sagi Grimberg
2022-12-28 15:12         ` Christoph Hellwig
2022-12-29  5:35           ` Kanchan Joshi
2022-12-23  7:18 ` Christoph Hellwig [this message]
2022-12-25 10:27   ` [PATCH 6/6] nvme: consult the CSE log page for unprivileged passthrough Sagi Grimberg
2022-12-28 16:04 ` only allow unprivileged passthrough for commands without effects v4 Keith Busch
2022-12-28 16:05   ` Christoph Hellwig