* [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
@ 2019-10-28 13:44 Leon Romanovsky
2019-10-28 13:45 ` Jason Gunthorpe
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Leon Romanovsky @ 2019-10-28 13:44 UTC (permalink / raw)
To: Doug Ledford, Jason Gunthorpe
Cc: Leon Romanovsky, RDMA mailing list, Sean Hefty
From: Leon Romanovsky <leonro@mellanox.com>
IBTA declares QPN as 24bits, mask input to ensure that kernel
doesn't get higher bits.
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
* Not fully tested yet, passed sanity tests for now.
---
drivers/infiniband/core/ucma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 0274e9b704be..57e68491a2fd 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
dst->retry_count = src->retry_count;
dst->rnr_retry_count = src->rnr_retry_count;
dst->srq = src->srq;
- dst->qp_num = src->qp_num;
+ dst->qp_num = src->qp_num & 0xFFFFFF;
dst->qkey = (id->route.addr.src_addr.ss_family == AF_IB) ? src->qkey : 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
2019-10-28 13:44 [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA Leon Romanovsky
@ 2019-10-28 13:45 ` Jason Gunthorpe
2019-10-28 13:57 ` Leon Romanovsky
2019-10-28 15:09 ` Hefty, Sean
2019-10-31 19:05 ` Jason Gunthorpe
2 siblings, 1 reply; 6+ messages in thread
From: Jason Gunthorpe @ 2019-10-28 13:45 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Doug Ledford, Leon Romanovsky, RDMA mailing list, Sean Hefty
On Mon, Oct 28, 2019 at 03:44:44PM +0200, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@mellanox.com>
>
> IBTA declares QPN as 24bits, mask input to ensure that kernel
> doesn't get higher bits.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> * Not fully tested yet, passed sanity tests for now.
> drivers/infiniband/core/ucma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> index 0274e9b704be..57e68491a2fd 100644
> +++ b/drivers/infiniband/core/ucma.c
> @@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
> dst->retry_count = src->retry_count;
> dst->rnr_retry_count = src->rnr_retry_count;
> dst->srq = src->srq;
srq too?
Jason
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
2019-10-28 13:45 ` Jason Gunthorpe
@ 2019-10-28 13:57 ` Leon Romanovsky
0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2019-10-28 13:57 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: Doug Ledford, RDMA mailing list, Sean Hefty
On Mon, Oct 28, 2019 at 03:45:33PM +0200, Jason Gunthorpe wrote:
> On Mon, Oct 28, 2019 at 03:44:44PM +0200, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@mellanox.com>
> >
> > IBTA declares QPN as 24bits, mask input to ensure that kernel
> > doesn't get higher bits.
> >
> > Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > * Not fully tested yet, passed sanity tests for now.
> > drivers/infiniband/core/ucma.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> > index 0274e9b704be..57e68491a2fd 100644
> > +++ b/drivers/infiniband/core/ucma.c
> > @@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
> > dst->retry_count = src->retry_count;
> > dst->rnr_retry_count = src->rnr_retry_count;
> > dst->srq = src->srq;
>
> srq too?
If I read IBTA correctly, the answer is yes. In all CM messages, QPN, SRQ number and EECN are 24 bits.
Thanks
>
> Jason
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
2019-10-28 13:44 [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA Leon Romanovsky
2019-10-28 13:45 ` Jason Gunthorpe
@ 2019-10-28 15:09 ` Hefty, Sean
2019-10-28 15:26 ` Leon Romanovsky
2019-10-31 19:05 ` Jason Gunthorpe
2 siblings, 1 reply; 6+ messages in thread
From: Hefty, Sean @ 2019-10-28 15:09 UTC (permalink / raw)
To: Leon Romanovsky, Doug Ledford, Jason Gunthorpe
Cc: Leon Romanovsky, RDMA mailing list
> IBTA declares QPN as 24bits, mask input to ensure that kernel
> doesn't get higher bits.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> ---
> * Not fully tested yet, passed sanity tests for now.
> ---
> drivers/infiniband/core/ucma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> index 0274e9b704be..57e68491a2fd 100644
> --- a/drivers/infiniband/core/ucma.c
> +++ b/drivers/infiniband/core/ucma.c
> @@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
> dst->retry_count = src->retry_count;
> dst->rnr_retry_count = src->rnr_retry_count;
> dst->srq = src->srq;
> - dst->qp_num = src->qp_num;
> + dst->qp_num = src->qp_num & 0xFFFFFF;
Why not isolate IBTA restrictions in the ib_cm?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
2019-10-28 15:09 ` Hefty, Sean
@ 2019-10-28 15:26 ` Leon Romanovsky
0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2019-10-28 15:26 UTC (permalink / raw)
To: Hefty, Sean; +Cc: Doug Ledford, Jason Gunthorpe, RDMA mailing list
On Mon, Oct 28, 2019 at 03:09:26PM +0000, Hefty, Sean wrote:
> > IBTA declares QPN as 24bits, mask input to ensure that kernel
> > doesn't get higher bits.
> >
> > Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > ---
> > * Not fully tested yet, passed sanity tests for now.
> > ---
> > drivers/infiniband/core/ucma.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> > index 0274e9b704be..57e68491a2fd 100644
> > --- a/drivers/infiniband/core/ucma.c
> > +++ b/drivers/infiniband/core/ucma.c
> > @@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
> > dst->retry_count = src->retry_count;
> > dst->rnr_retry_count = src->rnr_retry_count;
> > dst->srq = src->srq;
> > - dst->qp_num = src->qp_num;
> > + dst->qp_num = src->qp_num & 0xFFFFFF;
>
> Why not isolate IBTA restrictions in the ib_cm?
AFAIK, there are many places in IB/core code which assume that type of
restriction, so it is safer and cleaner to sanitize input as early as
possible.
Thanks
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA
2019-10-28 13:44 [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA Leon Romanovsky
2019-10-28 13:45 ` Jason Gunthorpe
2019-10-28 15:09 ` Hefty, Sean
@ 2019-10-31 19:05 ` Jason Gunthorpe
2 siblings, 0 replies; 6+ messages in thread
From: Jason Gunthorpe @ 2019-10-31 19:05 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Doug Ledford, Leon Romanovsky, RDMA mailing list, Sean Hefty
On Mon, Oct 28, 2019 at 03:44:44PM +0200, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@mellanox.com>
>
> IBTA declares QPN as 24bits, mask input to ensure that kernel
> doesn't get higher bits.
>
> Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> ---
> * Not fully tested yet, passed sanity tests for now.
> ---
> drivers/infiniband/core/ucma.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
> index 0274e9b704be..57e68491a2fd 100644
> --- a/drivers/infiniband/core/ucma.c
> +++ b/drivers/infiniband/core/ucma.c
> @@ -1045,7 +1045,7 @@ static void ucma_copy_conn_param(struct rdma_cm_id *id,
> dst->retry_count = src->retry_count;
> dst->rnr_retry_count = src->rnr_retry_count;
> dst->srq = src->srq;
> - dst->qp_num = src->qp_num;
> + dst->qp_num = src->qp_num & 0xFFFFFF;
> dst->qkey = (id->route.addr.src_addr.ss_family == AF_IB) ? src->qkey : 0;
> }
This really needs to be squashed into the other qpn patch because what
is really being proposed here is to move the masking from the core
code to the ucma and the core code will assume that the caller is
using correct QPNS. Maybe leave behind a WARN_ON to confirm this.
Jason
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-10-31 19:05 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-28 13:44 [PATCH rdma-next] RDMA/ucma: Protect kernel from QPN larger than declared in IBTA Leon Romanovsky
2019-10-28 13:45 ` Jason Gunthorpe
2019-10-28 13:57 ` Leon Romanovsky
2019-10-28 15:09 ` Hefty, Sean
2019-10-28 15:26 ` Leon Romanovsky
2019-10-31 19:05 ` Jason Gunthorpe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).