From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32BAE47A0C0 for ; Wed, 15 Jul 2026 15:57:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.181 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784131077; cv=none; b=GGrNyheXKShG/xSOoiwQwIP/BcAwWYmU9ONfoEdhoZMIBvxJ2Itze0N5rwV1CWsLrqt4fdqclIpavQM50SXxexGMqmc3bwaroOdPUWjajqL0KUsYqBXg+HnP4C4yMm1RHPubwygeU+QB7LwSVvGiyvDoOKXyF4ujcriGQCR0nAE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784131077; c=relaxed/simple; bh=CIy/a+2iOa36/xU5azUIkygnqnnfdvX2piPUnm2GEGI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=eyHJzAF8XamAQcPG/ivK6NqMkqWLrNjPdadQFZF8Pz9AvIvnuGr0c2VhgWX1zgB/pe/t5iDRvJSbcgH75On1RXtpHiXwrBsQn7ROVDNXBHx8UsNZkPLFDw5VplGZ2wsSf0Fwlr/kHee1hCRwTSOjsRtoKhe34mkvCZj2j2xT3Pw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ai/YV563; arc=none smtp.client-ip=209.85.221.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ai/YV563" Received: by mail-vk1-f181.google.com with SMTP id 71dfb90a1353d-5bdcbb1f3f2so774068e0c.3 for ; Wed, 15 Jul 2026 08:57:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1784131075; x=1784735875; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=9aijD+fPo0qOczwKPInOUobCTh5sBI95W49BowR2h/g=; b=ai/YV563y+PcnT5fjzc/LlnKtEKqpxsyeUwL6iwwwoe7DVRAb3E7HRNj43cxU7NqI6 Z55auWJQGp0tmeS5WPvFyNXAp0zwSadX5Ql91KlcICSzWt8QBCq+dlGKJfUUtBZrfJiO onRei3A5XJ2rEjuOAjkH5LH72OQqZovqIMe5mIKo2Q3sr1oBMDzAK1zN5oHSowK+nO9Q YkvgeON6YQt5iooeuyGWby6DbTduw9jdx8/pzRWdokvU4k12uNoLldSeO2CgyZpvRwYN hjMLgKOuanHVN4fh/t2aFT2rGtl3GU7pOzIaa67X+7Jw21CBryyemnHpbCwNtplZnxQQ nbuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1784131075; x=1784735875; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=9aijD+fPo0qOczwKPInOUobCTh5sBI95W49BowR2h/g=; b=XOxaT9ki+WLIZia6BZkFjO44vILd8f5v4csvSfI2YLXp44/lA2IdMrRpwXBcalN/MV mNN23iSqDl0OT311Q/SjvpquUlqxCZqZaUw51RFF5IQ6oqPxGcZPu4w0p2QaSjwlLsuB hXJ2bQcPZa154erweCjHdSbPUzoa0Nc6k3gXDrTt78J0WoMB8PHYLVWOeXSrD9dqyIma QOWjrbGyPBi5MQ1NhVzQAMzO6fMD0OHgQDrZ2zwY4/oFgT4Z+2h2b+f0aTWqWWB1jb6G d9YTB5rf11RsIQxkrhmDsz2rmNbCtp2cvUdHO3FGpU3wUJsEM+P/Y3MlhrFcenptMvTk I0Yw== X-Forwarded-Encrypted: i=1; AHgh+RogozFe+/rHX9FntuDxu6DD/U/P/hqzl9OYRAs0/FJRwkjIyPImnVvQChyqK5FJWGdTuu4g4gFjg/37xP0=@vger.kernel.org X-Gm-Message-State: AOJu0YxtYd1b3f+LC4ac84c6ZoWJowe68F+DXIfKu0mQfqo5LdYRZDn5 0xU1jzf3LZbNzRCIlCSxgtxFS3iY2sLCkCcLdsSIFycLnk4v7tCEqFvf X-Gm-Gg: AfdE7cmzEQmoSz2HaWB8J5jpjOOXOtQFGnq9lahSpb405+Xo98g6kl6VzbOi5xCrsKP O33HNziZKBRQoLzGUBLzsrLW96Vidd0x8yf16ZX3RJffcrqonZyUPslhvvIN6X3iUABuI59jGTv s9L91tRNwv9u6RpmNqN+a66rINau0+mGzJGDLO1aCOTdVQgNkosb+8C5jI9RBQiMV36ffgfSG+0 gt5KiQYFW72jaUhT2yt0g3ZjlC0dD3DMhbUcTrAz2F95zKFTPyaFOfWXyoBxFUG0+aF/0yi8+vg dVVjfC+1JD27bJ8MNP6gKXzxYWLYgvLQ13+HxaWss6HNTiAULAsITSixNlKK9sfIXVDgpK4/Ys9 mUoVO43jwSewybw6qRbqgF16VSzWaf3FcTrd8tFzrLBlVXEf+4+Ih+TwEPxam/sOBf38vGdMBP5 CBP97yH5NN8e1FiF+Cf/QldhiAWwTmpY8= X-Received: by 2002:a05:6122:1682:b0:5bd:9c71:11e with SMTP id 71dfb90a1353d-5bfbf116fb5mr10853644e0c.4.1784131074738; Wed, 15 Jul 2026 08:57:54 -0700 (PDT) Received: from syssplab.cs.fiu.edu (nat1.cs.fiu.edu. [131.94.134.89]) by smtp.gmail.com with ESMTPSA id 71dfb90a1353d-5bfb1aefafcsm8774511e0c.4.2026.07.15.08.57.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Jul 2026 08:57:54 -0700 (PDT) From: Chao Shi To: linux-nvme@lists.infradead.org, Keith Busch Cc: Christoph Hellwig , Sagi Grimberg , Jens Axboe , Tatsuya Sasaki , Maurizio Lombardi , linux-kernel@vger.kernel.org, Sungwoo Kim , Dave Tian , Weidong Zhu Subject: [PATCH v6] nvme: reject passthrough of driver-managed Set Features Date: Wed, 15 Jul 2026 11:57:52 -0400 Message-ID: <20260715155752.3363247-1-coshi036@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Since commit b58da2d270db ("nvme: update keep alive interval when kato is modified"), a Set Features (KATO) passthrough command lets userspace start keep-alive on any transport. nvme_keep_alive_work() allocates with BLK_MQ_REQ_RESERVED, but nvme_alloc_admin_tag_set() reserves admin tags only for fabrics, so on other transports the allocation trips WARN_ON_ONCE() in blk_mq_get_tag() and fails: nvme nvme0: keep-alive failed: -11 Several Set Features change controller state the driver manages itself and cannot react to when set behind its back. Reject these in nvme_admin_cmd_allowed(): - KATO on non-fabrics (keep-alive is only armed for fabrics; on PCIe it has no reserved tag and harms idle power states) - Host Behavior Support, Host Memory Buffer, Number of Queues, and Autonomous Power State Transition (all driver-managed) Keep Alive on fabrics is unchanged; I/O commands are unaffected as the check is confined to the admin path (ns == NULL). Link: https://lore.kernel.org/linux-nvme/20260523225629.3964037-1-coshi036@gmail.com/ Fixes: b58da2d270db ("nvme: update keep alive interval when kato is modified") Found by FuzzNvme. Acked-by: Sungwoo Kim Acked-by: Dave Tian Acked-by: Weidong Zhu Signed-off-by: Chao Shi --- Reproducer for the keep-alive case (run as root on a PCIe NVMe device): #include #include #include #include #include int main(void) { struct nvme_admin_cmd cmd = {0}; int fd = open("/dev/nvme0", O_RDWR); if (fd < 0) { perror("open"); return 1; } cmd.opcode = 0x09; /* SET_FEATURES */ cmd.cdw10 = 0x0f; /* Feature ID: KATO */ cmd.cdw11 = 5; /* KATO = 5 seconds */ if (ioctl(fd, NVME_IOCTL_ADMIN_CMD, &cmd) < 0) { perror("ioctl"); return 1; } return 0; } On an unpatched kernel, within ~kato/2 seconds after the program exits, dmesg shows: nvme nvme0: keep alive interval updated from 0 ms to 5000 ms WARNING: CPU: 0 PID: ... at block/blk-mq-tag.c:148 blk_mq_get_tag+... nvme nvme0: keep-alive failed: -11 With this patch the ioctl fails with EACCES on non-fabrics. Changes since v5: - Split nvme_cmd_allowed() into nvme_admin_cmd_allowed() and nvme_ns_cmd_allowed(), switch on the command, and fix the overly long lines (Christoph Hellwig). drivers/nvme/host/ioctl.c | 109 +++++++++++++++++++++++++------------- 1 file changed, 71 insertions(+), 38 deletions(-) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index a9c097dacad6..ccd0120ad2e6 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -14,45 +14,54 @@ enum { NVME_IOCTL_PARTITION = (1 << 1), }; -static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, - unsigned int flags, bool open_for_write) +static bool nvme_admin_cmd_allowed(struct nvme_ctrl *ctrl, + struct nvme_command *c) { - u32 effects; - - /* - * Do not allow unprivileged passthrough on partitions, as that allows an - * escape from the containment of the partition. - */ - if (flags & NVME_IOCTL_PARTITION) - goto admin; - - /* - * Do not allow unprivileged processes to send vendor specific or fabrics - * commands as we can't be sure about their effects. - */ - if (c->common.opcode >= nvme_cmd_vendor_start || - c->common.opcode == nvme_fabrics_command) - goto admin; - /* * Do not allow unprivileged passthrough of admin commands except * for a subset of identify commands that contain information required * to form proper I/O commands in userspace and do not expose any * potentially sensitive information. */ - if (!ns) { - if (c->common.opcode == nvme_admin_identify) { - switch (c->identify.cns) { - case NVME_ID_CNS_NS: - case NVME_ID_CNS_CS_NS: - case NVME_ID_CNS_NS_CS_INDEP: - case NVME_ID_CNS_CS_CTRL: - case NVME_ID_CNS_CTRL: - return true; - } + switch (c->common.opcode) { + case nvme_admin_identify: + switch (c->identify.cns) { + case NVME_ID_CNS_NS: + case NVME_ID_CNS_CS_NS: + case NVME_ID_CNS_NS_CS_INDEP: + case NVME_ID_CNS_CS_CTRL: + case NVME_ID_CNS_CTRL: + return true; } - goto admin; + break; + case nvme_admin_set_features: + /* + * Reject Set Features that change controller state the driver + * manages itself; setting them behind the driver's back from + * userspace leaves it unable to react correctly. Keep Alive is + * only armed for fabrics - on other transports it has no + * reserved tag and harms idle power states. + */ + switch (le32_to_cpu(c->features.fid) & 0xff) { + case NVME_FEAT_KATO: + if (ctrl->ops->flags & NVME_F_FABRICS) + break; + fallthrough; + case NVME_FEAT_HOST_BEHAVIOR: + case NVME_FEAT_HOST_MEM_BUF: + case NVME_FEAT_NUM_QUEUES: + case NVME_FEAT_AUTO_PST: + return false; + } + break; } + return capable(CAP_SYS_ADMIN); +} + +static bool nvme_ns_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, + bool open_for_write) +{ + u32 effects; /* * Check if the controller provides a Commands Supported and Effects log @@ -61,7 +70,7 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, */ effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode); if (!(effects & NVME_CMD_EFFECTS_CSUPP)) - goto admin; + return capable(CAP_SYS_ADMIN); /* * Don't allow passthrough for command that have intrusive (or unknown) @@ -70,7 +79,7 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC | NVME_CMD_EFFECTS_UUID_SEL | NVME_CMD_EFFECTS_SCOPE_MASK)) - goto admin; + return capable(CAP_SYS_ADMIN); /* * Only allow I/O commands that transfer data to the controller or that @@ -79,11 +88,34 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c, */ if ((nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC)) && !open_for_write) - goto admin; + return capable(CAP_SYS_ADMIN); return true; -admin: - return capable(CAP_SYS_ADMIN); +} + +static bool nvme_cmd_allowed(struct nvme_ctrl *ctrl, struct nvme_ns *ns, + struct nvme_command *c, unsigned int flags, + bool open_for_write) +{ + /* + * Do not allow unprivileged passthrough on partitions, as that + * allows an escape from the containment of the partition. + */ + if (flags & NVME_IOCTL_PARTITION) + return capable(CAP_SYS_ADMIN); + + /* + * Do not allow unprivileged processes to send vendor specific or + * fabrics commands as we can't be sure about their effects. + */ + if (c->common.opcode >= nvme_cmd_vendor_start || + c->common.opcode == nvme_fabrics_command) + return capable(CAP_SYS_ADMIN); + + if (!ns) + return nvme_admin_cmd_allowed(ctrl, c); + + return nvme_ns_cmd_allowed(ns, c, open_for_write); } /* @@ -308,7 +340,7 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, 0, open_for_write)) + if (!nvme_cmd_allowed(ctrl, ns, &c, 0, open_for_write)) return -EACCES; if (cmd.timeout_ms) @@ -355,7 +387,7 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(cmd.cdw14); c.common.cdw15 = cpu_to_le32(cmd.cdw15); - if (!nvme_cmd_allowed(ns, &c, flags, open_for_write)) + if (!nvme_cmd_allowed(ctrl, ns, &c, flags, open_for_write)) return -EACCES; if (cmd.timeout_ms) @@ -442,6 +474,7 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, struct nvme_uring_cmd_pdu *pdu = nvme_uring_cmd_pdu(ioucmd); const struct nvme_uring_cmd *cmd = io_uring_sqe_cmd(ioucmd->sqe); struct request_queue *q = ns ? ns->queue : ctrl->admin_q; + bool open_for_write = ioucmd->file->f_mode & FMODE_WRITE; struct nvme_uring_data d; struct nvme_command c; struct iov_iter iter; @@ -472,7 +505,7 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, struct nvme_ns *ns, c.common.cdw14 = cpu_to_le32(READ_ONCE(cmd->cdw14)); c.common.cdw15 = cpu_to_le32(READ_ONCE(cmd->cdw15)); - if (!nvme_cmd_allowed(ns, &c, 0, ioucmd->file->f_mode & FMODE_WRITE)) + if (!nvme_cmd_allowed(ctrl, ns, &c, 0, open_for_write)) return -EACCES; d.metadata = READ_ONCE(cmd->metadata); -- 2.43.0