4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 4 Dec 2022 15:53:15 +0000 (16:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 4 Dec 2022 15:53:15 +0000 (16:53 +0100)
added patches:
nvme-restrict-management-ioctls-to-admin.patch

queue-4.14/nvme-restrict-management-ioctls-to-admin.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/nvme-restrict-management-ioctls-to-admin.patch b/queue-4.14/nvme-restrict-management-ioctls-to-admin.patch
new file mode 100644 (file)
index 0000000..902dd11
--- /dev/null
@@ -0,0 +1,41 @@
+From 23e085b2dead13b51fe86d27069895b740f749c0 Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Thu, 22 Sep 2022 07:54:06 -0700
+Subject: nvme: restrict management ioctls to admin
+
+From: Keith Busch <kbusch@kernel.org>
+
+commit 23e085b2dead13b51fe86d27069895b740f749c0 upstream.
+
+The passthrough commands already have this restriction, but the other
+operations do not. Require the same capabilities for all users as all of
+these operations, which include resets and rescans, can be disruptive.
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ drivers/nvme/host/core.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2022,11 +2022,17 @@ static long nvme_dev_ioctl(struct file *
+       case NVME_IOCTL_IO_CMD:
+               return nvme_dev_user_cmd(ctrl, argp);
+       case NVME_IOCTL_RESET:
++              if (!capable(CAP_SYS_ADMIN))
++                      return -EACCES;
+               dev_warn(ctrl->device, "resetting controller\n");
+               return nvme_reset_ctrl_sync(ctrl);
+       case NVME_IOCTL_SUBSYS_RESET:
++              if (!capable(CAP_SYS_ADMIN))
++                      return -EACCES;
+               return nvme_reset_subsystem(ctrl);
+       case NVME_IOCTL_RESCAN:
++              if (!capable(CAP_SYS_ADMIN))
++                      return -EACCES;
+               nvme_queue_scan(ctrl);
+               return 0;
+       default:
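Review bot: The three new `capable(CAP_SYS_ADMIN)` guards in `nvme_dev_ioctl()` (NVME_IOCTL_RESET, NVME_IOCTL_SUBSYS_RESET, NVME_IOCTL_RESCAN) are repeated per case with no comment, so a management ioctl added to this switch later could easily miss the check; a comment on the first guard such as `/* controller-wide and disruptive: require the same privilege as passthrough */` would record the rule. The commit message relies on the passthrough path already being restricted, but the body of `nvme_dev_user_cmd()` is not visible in this hunk, so for the 4.14 backport that premise should be confirmed against this tree's `drivers/nvme/host/core.c`. Because `capable()` tests the capability against the initial user namespace, a caller holding CAP_SYS_ADMIN only inside a user namespace will now get -EACCES on these ioctls, which matters to operators whose tooling issues resets or rescans from unprivileged or containerised contexts. The switch and the function body continue outside the hunk.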
index feb713e23858c625b6610cd2eafb053f30bb1447..a1b14fc7f3af65581f934aafe69b819966d8ad1b 100644 (file)
@@ -68,3 +68,4 @@ asoc-ops-fix-bounds-check-for-_sx-controls.patch
 pinctrl-single-fix-potential-division-by-zero.patch
 iommu-vt-d-fix-pci-device-refcount-leak-in-dmar_dev_.patch
 tcp-udp-fix-memory-leak-in-ipv6_renew_options.patch
+nvme-restrict-management-ioctls-to-admin.patch