From nobody Sun May 24 20:33:20 2026 Received: from mail-vk1-f171.google.com (mail-vk1-f171.google.com [209.85.221.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 181DC47799E for ; Fri, 22 May 2026 15:28:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779463694; cv=none; b=DSxDeSc9qp+KuSoeNerGWWF6srlPgjQon/Z+Jsp33fegjJLhlSX0P4syHVDq6hGgQjzV9cZwIohAbFxKzlIByb9viy6BoBPPgMpnZWnPOXkMZW+B245cq1khInSjYZIdw+CXIrOuolk+xh4AfMZG15fahy2H1J4+KPpU6gjt8m8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779463694; c=relaxed/simple; bh=03iV/Z47+qRpvsHDmuhWMmUaxJpyIqoOx9SoFMXLtVw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=P7a0Qw3qzOcJst3E2N8u+l+0RZBO86k+rvDQJ8tXZfzGUVQJmxReVeujTSKCsublZybe/mhSTiSrgo6EAFw8zr5VDf4JKSpzpMV53y9ed1pjBk5JRPjGDmvtcY/Db4SLe2Zy3k9poC0Jsinm4uXaYpP+BCW5UymWqqw/0hg7iYc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=bPE2JyWp; arc=none smtp.client-ip=209.85.221.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="bPE2JyWp" Received: by mail-vk1-f171.google.com with SMTP id 71dfb90a1353d-5873983d19eso647541e0c.2 for ; Fri, 22 May 2026 08:28:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779463689; x=1780068489; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=uX2iI66Hm+CicuqBNAeIAQtq4Ur9lk7IGl6o7EIKJi4=; b=bPE2JyWpXUQ8YyxAKXQGGk62UiI3Lcryk7ycCmUnnHR72XzAjyBWacpReF5F5K93nb ncFPLeyiikFl4p/p40MgC6LrZXJD+Q6sDCZv263Zv1etKCDAmuSmTIOq2lhQUWTG2/0q ZVejSo/sfhbtbyI6yON+Lmbe2Cko+CABmqEAlRtYjZ4GRt54DQjxm2jE6DtHViACgmjq 4dEFrrmrGyWkJq6cN+yguB/9qVXushs6rc4AHZ3FVou/WZ3uBvy9pUjJuRV2047l5fp/ m4Akqgg1EPbtHpygkEPK4f8WOeJSO2AEWmJRySrdW9kAJU2FF79rM4OTO6P6qSFzTcs4 RxFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779463689; x=1780068489; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=uX2iI66Hm+CicuqBNAeIAQtq4Ur9lk7IGl6o7EIKJi4=; b=KvH9NAlHz+G2qeq2QKFETa12ooDDGuo5O3t5Stv4fnSAGPYGkgjBDY3jiGH+zNG/jA UTgpzFChWJmHmFdHH6z6zIfNwINBxztyTBq/XqqxyDArJWLUrmJwwtuqBOdBxVkUURIp Ph31v3y5FtjMDIlf/1BqVemzviUGythz+UjimYZz2jj5O+q0liYziWWo4Tn0xJimRzmL Atf5NGP+62hHX/Mc8lJLmz5PtXvt3HZyGghtVKEqUCYAPMXqzpMCtbFwhOXSDcZw9KaF fLYpWA7mUy9JQcYtIexIw5d2s+Ip4gnHfL3epmzHm9s7KjIno8xg7ajSoZOLlkwWLZYg RR0A== X-Forwarded-Encrypted: i=1; AFNElJ/96taNjp4YbidXUOgIMmrgM7lBIJXImoakrW8y8ZjVDxIQEb+JksWTX1jEHonXXG4nGpT57UB72doL3D8=@vger.kernel.org X-Gm-Message-State: AOJu0YzN2jwESE0f412PdiqVoXY3PCfgHHzSBgimUubT9z42ruEsT/6z uT5QqUJcrjLjsCpE6jCKLCbqRjLxqcE1HNole5np9Bvjyzvi8Vw1/0gE X-Gm-Gg: Acq92OGfBQQpkp+lJJEjPS7dGa92PGQC+/f2h/5IcE1CIDjvmygpZsLQ2zjmZaX09ll xSJqSAOMslfH9Dou6JWf+YU86BeNs1dFkXR6318MlssoauOYuuJ8zGaRiDhYM791zAAVE+WeAUV hShg0wxY22oY0lywx6S/Hx5UvE4nFc75aSYHTbC3YgHYaz+BG3h4oirA1Rp9I0k5pHpFsQI9qXZ rBmCFSUPc2OmTOg30P8UJHta4AAX9UW/CjOI0t7rsImLKkBjQvqbbTCbaxNqVtiCi8MDkNaO486 GRObf2dxIjzTjmwMri9cModAEQANXGv5EkBHLK8ILIhw+C8oJKbn0PqYvdQ+S6gQ6qygg6Xx5xm eNpfUoEVacbodCrbx7ahJwSQ/TV6XIQaJMbqfiP6GtQuo05ov+SBkf02IN6YaXDu2ZGvFvoiR5i zB+oAZoUSDe7A8cmbJ/5H/b9e5aFWAv1ge++r3cdQV6eS/5WS3c0yR X-Received: by 2002:a05:6122:3a0f:b0:56f:8f5:b135 with SMTP id 71dfb90a1353d-58664038c9dmr2497222e0c.14.1779463689466; Fri, 22 May 2026 08:28:09 -0700 (PDT) Received: from syssplab.cs.fiu.edu (nat1.cs.fiu.edu. [131.94.134.89]) by smtp.gmail.com with ESMTPSA id 71dfb90a1353d-586ec46c8ddsm2705042e0c.0.2026.05.22.08.28.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 May 2026 08:28:08 -0700 (PDT) From: Chao Shi To: linux-nvme@lists.infradead.org, Keith Busch Cc: Christoph Hellwig , Sagi Grimberg , Jens Axboe , Tatsuya Sasaki , Maurizio Lombardi , linux-kernel@vger.kernel.org, Sungwoo Kim , Dave Tian , Weidong Zhu Subject: [PATCH v3] nvme: reject keep-alive passthrough on non-fabrics Date: Fri, 22 May 2026 11:28:07 -0400 Message-ID: <20260522152807.2061501-1-coshi036@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Since commit b58da2d270db ("nvme: update keep alive interval when kato is modified"), userspace can start keep-alive on any transport via a Set Features (KATO) passthrough command. nvme_keep_alive_work() then allocates with BLK_MQ_REQ_RESERVED, but nvme_alloc_admin_tag_set() only reserves admin tags for fabrics, so the allocation trips WARN_ON_ONCE() in blk_mq_get_tag() and fails: nvme nvme0: keep-alive failed: -11 Keep Alive is optional on PCIe (NVMe 2.0a section 5.27.1.12) and the driver only arms keep-alive for fabrics; enabling it elsewhere has no reserved tag and an active keep-alive command only harms idle power states. Reject Set Features commands the driver is not prepared to handle from userspace passthrough, starting with KATO on non-fabrics. The check can be extended to other problematic features as they are identified. This guards the userspace passthrough paths (ioctl and io_uring); the nvmet target passthru path is out of scope and is not changed here. Link: https://lore.kernel.org/linux-nvme/20260515071248.2689513-1-coshi036@= gmail.com/ Fixes: b58da2d270db ("nvme: update keep alive interval when kato is modifie= d") Found by FuzzNvme(Syzkaller with FEMU fuzzing framework). Acked-by: Sungwoo Kim Acked-by: Dave Tian Acked-by: Weidong Zhu Signed-off-by: Chao Shi --- Reproducer (run as root on a PCIe NVMe device): #include #include #include #include #include int main(void) { struct nvme_admin_cmd cmd =3D {0}; int fd =3D open("/dev/nvme0", O_RDWR); if (fd < 0) { perror("open"); return 1; } cmd.opcode =3D 0x09; /* SET_FEATURES */ cmd.cdw10 =3D 0x0f; /* Feature ID: KATO */ cmd.cdw11 =3D 5; /* KATO =3D 5 seconds */ if (ioctl(fd, NVME_IOCTL_ADMIN_CMD, &cmd) < 0) { perror("ioctl"); return 1; } return 0; } On an unpatched kernel, within ~kato/2 seconds after the program exits, dmesg shows: nvme nvme0: keep alive interval updated from 0 ms to 5000 ms WARNING: CPU: 0 PID: ... at block/blk-mq-tag.c:148 blk_mq_get_tag+... nvme nvme0: keep-alive failed: -11 With this patch the ioctl fails with EOPNOTSUPP on non-fabrics and keep-alive is never started. Changes since v2: - Reject the KATO Set Features passthrough on non-fabrics instead of reserving an admin tag for all transports (Keith Busch, Christoph Hellwig). PCIe does not need keep-alive, and an active keep-alive command only harms idle power states. - Implement as an extensible passthrough filter for Set Features commands the driver cannot handle. - Drop the core.c reserved_tags change. Changes since v1: - v2 added a spec citation and a quirk discussion; both are superseded by the filter approach above. drivers/nvme/host/ioctl.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index a9c097dacad6..7705d9408396 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -86,6 +86,33 @@ static bool nvme_cmd_allowed(struct nvme_ns *ns, struct = nvme_command *c, return capable(CAP_SYS_ADMIN); } =20 +/* + * Some Set Features commands change controller behaviour that the driver = is + * not prepared to handle on every transport. Reject such commands from + * userspace passthrough rather than letting them put the controller into a + * state the driver cannot deal with. The list can be extended as other + * problematic features are identified. + */ +static bool nvme_passthru_cmd_allowed(struct nvme_ctrl *ctrl, + struct nvme_command *c) +{ + if (c->common.opcode !=3D nvme_admin_set_features) + return true; + + switch (le32_to_cpu(c->common.cdw10) & 0xff) { + case NVME_FEAT_KATO: + /* + * Keep Alive is optional on PCIe (NVMe 2.0a 5.27.1.12) and the + * driver only arms keep-alive for fabrics. Enabling it on + * other transports starts a keep-alive command the driver is + * not set up for and harms idle power states, so reject it. + */ + return ctrl->ops->flags & NVME_F_FABRICS; + default: + return true; + } +} + /* * Convert integer values from ioctl structures to user pointers, silently * ignoring the upper bits in the compat case to match behaviour of 32-bit @@ -311,6 +338,9 @@ static int nvme_user_cmd(struct nvme_ctrl *ctrl, struct= nvme_ns *ns, if (!nvme_cmd_allowed(ns, &c, 0, open_for_write)) return -EACCES; =20 + if (!nvme_passthru_cmd_allowed(ctrl, &c)) + return -EOPNOTSUPP; + if (cmd.timeout_ms) timeout =3D msecs_to_jiffies(cmd.timeout_ms); =20 @@ -358,6 +388,9 @@ static int nvme_user_cmd64(struct nvme_ctrl *ctrl, stru= ct nvme_ns *ns, if (!nvme_cmd_allowed(ns, &c, flags, open_for_write)) return -EACCES; =20 + if (!nvme_passthru_cmd_allowed(ctrl, &c)) + return -EOPNOTSUPP; + if (cmd.timeout_ms) timeout =3D msecs_to_jiffies(cmd.timeout_ms); =20 @@ -475,6 +508,9 @@ static int nvme_uring_cmd_io(struct nvme_ctrl *ctrl, st= ruct nvme_ns *ns, if (!nvme_cmd_allowed(ns, &c, 0, ioucmd->file->f_mode & FMODE_WRITE)) return -EACCES; =20 + if (!nvme_passthru_cmd_allowed(ctrl, &c)) + return -EOPNOTSUPP; + d.metadata =3D READ_ONCE(cmd->metadata); d.addr =3D READ_ONCE(cmd->addr); d.data_len =3D READ_ONCE(cmd->data_len); --=20 2.43.0