From: Niklas Cassel <niklas.cas...@wdc.com>

When a passthru command targets a specific namespace, the ns parameter to nvme_user_cmd()/nvme_user_cmd64() is set. However, there is currently no validation that the nsid specified in the passthru command targets the namespace/nsid represented by the block device that the ioctl was performed on.

Add a check that validates that the nsid in the passthru command matches that of the supplied namespace. Signed-off-by: Niklas Cassel <niklas.cas...@wdc.com> --- Currently, if doing NVME_IOCTL_IO_CMD on the controller char device, if and only if there is a single namespace in the ctrl->namespaces list, nvme_dev_user_cmd() will call nvme_user_cmd() with ns parameter set. While it might be good that we validate the nsid even in this case, perhaps we want to allow a nsid value in the passthru command to be 0x0 and/or the NSID broadcast value? (Only when NVME_IOCTL_IO_CMD was done on the controller char device though.) drivers/nvme/host/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 40215a0246e4..e4591a4c68a8 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -1632,6 +1632,8 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct nvme_ns *ns, return -EFAULT; if (cmd.flags) return -EINVAL; + if (ns && cmd.nsid != ns->head->ns_id) + return -EINVAL; memset(&c, 0, sizeof(c)); c.common.opcode = cmd.opcode; @@ -1676,6 +1678,8 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, struct nvme_ns *ns, return -EFAULT; if (cmd.flags) return -EINVAL; + if (ns && cmd.nsid != ns->head->ns_id) + return -EINVAL; memset(&c, 0, sizeof(c)); c.common.opcode = cmd.opcode; -- 2.30.2
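
Review bot: In nvme_user_cmd(), the new test "if (ns && cmd.nsid != ns->head->ns_id)" keys only on ns being non-NULL, but per the note under the "---" line, nvme_dev_user_cmd() also passes a non-NULL ns for NVME_IOCTL_IO_CMD on the controller char device when ctrl->namespaces holds exactly one namespace. As written, that path would return -EINVAL for an nsid of 0x0 or the broadcast value, while the same ioctl on a controller where ns is not set skips the check entirely. The function cannot tell the two entry points apart from ns alone, so the open question should be settled before this is merged, for example by having the caller indicate whether the ioctl arrived on the namespace block device, and the resulting behaviour should be stated in the commit message.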
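
Review bot: The check added to nvme_user_cmd64() is a verbatim copy of the one added to nvme_user_cmd(); a small shared helper would keep the two paths from drifting apart if an exception for nsid 0x0 or the broadcast value is introduced later. Neither copy carries a comment, so a one-line comment above the check saying why a mismatched nsid is rejected would also help the next reader.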