
Commit 7be866b

committed
nvme-ioctl: move capable() admin check to the end
This can be an expensive call on some kernel configs. Move it to the end after checking the cheaper ways to determine if the command is allowed. Reviewed-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Keith Busch <kbusch@kernel.org>
1 parent e6e7f7a commit 7be866b


1 file changed

+11
-10
lines changed


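--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -18,23 +18,20 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 {
 u32 effects;
 
-if (capable(CAP_SYS_ADMIN))
-return true;
-
 /*
 * Do not allow unprivileged passthrough on partitions, as that allows an
 * escape from the containment of the partition.
 */
 if (flags & NVME_IOCTL_PARTITION)
-return false;
+goto admin;
 
 /*
 * Do not allow unprivileged processes to send vendor specific or fabrics
 * commands as we can't be sure about their effects.
 */
 if (c->common.opcode >= nvme_cmd_vendor_start ||
 c->common.opcode == nvme_fabrics_command)
-return false;
+goto admin;
 
 /*
 * Do not allow unprivileged passthrough of admin commands except
@@ -53,7 +50,7 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 return true;
 }
 }
-return false;
+goto admin;
 }
 
 /*
@@ -63,7 +60,7 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 */
 effects = nvme_command_effects(ns->ctrl, ns, c->common.opcode);
 if (!(effects & NVME_CMD_EFFECTS_CSUPP))
-return false;
+goto admin;
 
 /*
 * Don't allow passthrough for command that have intrusive (or unknown)
@@ -72,16 +69,20 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct nvme_command *c,
 if (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC |
 NVME_CMD_EFFECTS_UUID_SEL |
 NVME_CMD_EFFECTS_SCOPE_MASK))
-return false;
+goto admin;
 
 /*
 * Only allow I/O commands that transfer data to the controller or that
 * change the logical block contents if the file descriptor is open for
 * writing.
 */
-if (nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC))
-return open_for_write;
+if ((nvme_is_write(c) || (effects & NVME_CMD_EFFECTS_LBCC)) &&
+!open_for_write)
+goto admin;
+
 return true;
+admin:
+return capable(CAP_SYS_ADMIN);
 }
 
 /*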
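Review bot: The new `admin:` label at the end of nvme_cmd_allowed() carries no comment saying that every denial path is meant to fall through to `capable(CAP_SYS_ADMIN)`, so a later `return false` added above it would silently take the command away from privileged callers, and a capable() call moved back to the top would undo the reordering. The placement matters beyond cost: capable() marks the task as having used privilege and can produce an LSM audit record when it fails, so after this change those records should appear only for commands the unprivileged rules actually rejected, which is worth stating for anyone correlating audit denials with passthrough attempts. I would add above the label `/* Privileged fallback: anything the unprivileged rules reject is allowed only with CAP_SYS_ADMIN; keep capable() last (cost, audit side effects). */`. Parts of the function between the hunks are not visible here, so whether any remaining path still returns false directly could not be checked.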
