[PATCH v2 3/3] nvme: restrict non-root passthrough to SGL

Kanchan Joshi joshi.k at samsung.com
Fri Oct 20 06:28:37 PDT 2023


Passthrough has a hole that can be exploited to make the device do
larger DMA into kernel/user memory.

SGL transfers go with explicit buffer length information that the device
checks, failing the I/O rather than doing an extra transfer.

Set the NVME_REQ_FORCE_SGL for non-root passthrough I/O commands that
involve data/meta transfer.

Fixes: 855b7717f44b ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands")
Suggested-by: Christoph Hellwig <hch at lst.de>
Signed-off-by: Kanchan Joshi <joshi.k at samsung.com>
---
 drivers/nvme/host/ioctl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index d8ff796fd5f2..1656c19d0c56 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -203,6 +203,17 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer,
 		*metap = meta;
 	}
 
+	/* Data/Meta transfer for unprivileged passthrough is only via SGL */
+	if (bdev && !capable(CAP_SYS_ADMIN)) {
+		if (!nvme_ctrl_sgl_supported(ns->ctrl) ||
+		    (meta && !nvme_ctrl_meta_sgl_supported(ns->ctrl))) {
+			dev_warn(ns->ctrl->device,
+				"Controller does not support data or meta SGL");
+			ret = -EINVAL;
+			goto out_unmap;
+		}
+		nvme_req(req)->flags |= NVME_REQ_FORCE_SGL;
+	}
 	return ret;
 
 out_unmap:
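Review bot: the `dev_warn(ns->ctrl->device, "Controller does not support data or meta SGL");` in this hunk is reached on every unprivileged passthrough attempt against a controller without SGL support, so an unprivileged user who can open the block device can fill the kernel log at will; make it dev_warn_ratelimited() or dev_dbg(), or drop the message and rely on the error return. Two smaller points on the same block: -EOPNOTSUPP describes "controller lacks SGL support" more accurately than -EINVAL, and the whole check is gated on `bdev`, so the char-device passthrough path is never forced onto SGL; the commit message should say why that path is safe without the restriction, since the hunk alone does not show it.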
-- 
2.25.1