From 2064c1adaa5dbaf3f425d15f0bb57145218c373a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 4 Dec 2022 16:53:15 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
 nvme-restrict-management-ioctls-to-admin.patch
---
 ...-restrict-management-ioctls-to-admin.patch | 41 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 queue-4.14/nvme-restrict-management-ioctls-to-admin.patch

diff --git a/queue-4.14/nvme-restrict-management-ioctls-to-admin.patch b/queue-4.14/nvme-restrict-management-ioctls-to-admin.patch
new file mode 100644
index 00000000000..902dd113a3d
--- /dev/null
+++ b/queue-4.14/nvme-restrict-management-ioctls-to-admin.patch
@@ -0,0 +1,41 @@
+From 23e085b2dead13b51fe86d27069895b740f749c0 Mon Sep 17 00:00:00 2001
+From: Keith Busch
+Date: Thu, 22 Sep 2022 07:54:06 -0700
+Subject: nvme: restrict management ioctls to admin
+
+From: Keith Busch
+
+commit 23e085b2dead13b51fe86d27069895b740f749c0 upstream.
+
+The passthrough commands already have this restriction, but the other
+operations do not. Require the same capabilities for all users as all of
+these operations, which include resets and rescans, can be disruptive.
+
+Signed-off-by: Keith Busch
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Ovidiu Panait
+---
+ drivers/nvme/host/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2022,11 +2022,17 @@ static long nvme_dev_ioctl(struct file *
+ case NVME_IOCTL_IO_CMD:
+ return nvme_dev_user_cmd(ctrl, argp);
+ case NVME_IOCTL_RESET:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ dev_warn(ctrl->device, "resetting controller\n");
+ return nvme_reset_ctrl_sync(ctrl);
+ case NVME_IOCTL_SUBSYS_RESET:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ return nvme_reset_subsystem(ctrl);
+ case NVME_IOCTL_RESCAN:
++ if (!capable(CAP_SYS_ADMIN))
++ return -EACCES;
+ nvme_queue_scan(ctrl);
+ return 0;
+ default:
diff --git a/queue-4.14/series b/queue-4.14/series
index feb713e2385..a1b14fc7f3a 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -68,3 +68,4 @@ asoc-ops-fix-bounds-check-for-_sx-controls.patch
 pinctrl-single-fix-potential-division-by-zero.patch
 iommu-vt-d-fix-pci-device-refcount-leak-in-dmar_dev_.patch
 tcp-udp-fix-memory-leak-in-ipv6_renew_options.patch
+nvme-restrict-management-ioctls-to-admin.patch
-- 
2.47.3
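Review bot: The backport's premise that the passthrough cases are already gated — the `case NVME_IOCTL_IO_CMD:` / `return nvme_dev_user_cmd(ctrl, argp);` lines at the top of the inner hunk — rests on a capability check inside the callee, which is outside this hunk, so the 4.14 tree's `nvme_user_cmd` should be confirmed to carry `capable(CAP_SYS_ADMIN)` before this queue entry ships; otherwise the three new checks would leave the admin/IO passthrough path weaker than the reset and rescan paths they are meant to match. The added `if (!capable(CAP_SYS_ADMIN)) return -EACCES;` guards themselves are identical to the upstream commit and use the same error code as the passthrough path, which is the right thing for a stable backport. Note that the RESET guard sits before the `dev_warn(ctrl->device, "resetting controller\n")`, so a refused reset produces no kernel log line; anyone using that warning as an audit signal should know it now fires only for authorised resets. `nvme_dev_ioctl` starts and ends outside the hunk, so the `NVME_IOCTL_ADMIN_CMD` and `default:` arms are not visible here.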