From: Dan Jurgens <danielj@mellanox.com>
To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov,
eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com,
hal.rosenstock@gmail.com
Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
linux-rdma@vger.kernel.org, yevgenyp@mellanox.com,
liranl@mellanox.com, leonro@mellanox.com,
Daniel Jurgens <danielj@mellanox.com>
Subject: [PATCH v4 1/9] IB/core: IB cache enhancements to support Infiniband security
Date: Tue, 8 Nov 2016 23:06:17 +0200 [thread overview]
Message-ID: <1478639185-47521-2-git-send-email-danielj@mellanox.com> (raw)
In-Reply-To: <1478639185-47521-1-git-send-email-danielj@mellanox.com>
From: Daniel Jurgens <danielj@mellanox.com>
Cache the subnet prefix and add a function to access it. Enforcing
security requires frequent queries of the subnet prefix and the pkeys in
the pkey table.
Also removed an unneded pr_warn about memory allocation failure.
issue: 736423
Change-Id: Ifdef64b097a8d1d55db65f08ce401d9d2e4b025e
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
---
v2:
- In ib_get_cached_subnet_prefix wait to initialize p until after
validation. Yuval Shaia
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
---
drivers/infiniband/core/cache.c | 36 ++++++++++++++++++++++++++++++++++--
drivers/infiniband/core/core_priv.h | 3 +++
include/rdma/ib_verbs.h | 1 +
3 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index 1a2984c..affc8ef 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -934,6 +934,26 @@ int ib_get_cached_pkey(struct ib_device *device,
}
EXPORT_SYMBOL(ib_get_cached_pkey);
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+ u8 port_num,
+ u64 *sn_pfx)
+{
+ unsigned long flags;
+ int p;
+
+ if (port_num < rdma_start_port(device) ||
+ port_num > rdma_end_port(device))
+ return -EINVAL;
+
+ p = port_num - rdma_start_port(device);
+ read_lock_irqsave(&device->cache.lock, flags);
+ *sn_pfx = device->cache.subnet_prefix_cache[p];
+ read_unlock_irqrestore(&device->cache.lock, flags);
+
+ return 0;
+}
+EXPORT_SYMBOL(ib_get_cached_subnet_prefix);
+
int ib_find_cached_pkey(struct ib_device *device,
u8 port_num,
u16 pkey,
@@ -1110,6 +1130,8 @@ static void ib_cache_update(struct ib_device *device,
device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc;
+ device->cache.subnet_prefix_cache[port - rdma_start_port(device)] =
+ tprops->subnet_prefix;
write_unlock_irq(&device->cache.lock);
kfree(gid_cache);
@@ -1168,9 +1190,18 @@ int ib_cache_setup_one(struct ib_device *device)
(rdma_end_port(device) -
rdma_start_port(device) + 1),
GFP_KERNEL);
+
+ device->cache.subnet_prefix_cache =
+ kcalloc((rdma_end_port(device) - rdma_start_port(device) + 1),
+ sizeof(*device->cache.subnet_prefix_cache),
+ GFP_KERNEL);
+
if (!device->cache.pkey_cache ||
- !device->cache.lmc_cache) {
- pr_warn("Couldn't allocate cache for %s\n", device->name);
+ !device->cache.lmc_cache ||
+ !device->cache.subnet_prefix_cache) {
+ kfree(device->cache.pkey_cache);
+ kfree(device->cache.lmc_cache);
+ kfree(device->cache.subnet_prefix_cache);
return -ENOMEM;
}
@@ -1213,6 +1244,7 @@ void ib_cache_release_one(struct ib_device *device)
gid_table_release_one(device);
kfree(device->cache.pkey_cache);
kfree(device->cache.lmc_cache);
+ kfree(device->cache.subnet_prefix_cache);
}
void ib_cache_cleanup_one(struct ib_device *device)
diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/core_priv.h
index 19d499d..ce826e4 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -153,4 +153,7 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
int ib_nl_handle_ip_res_resp(struct sk_buff *skb,
struct netlink_callback *cb);
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+ u8 port_num,
+ u64 *sn_pfx);
#endif /* _CORE_PRIV_H */
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 5ad43a4..db178fd 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1761,6 +1761,7 @@ struct ib_cache {
struct ib_pkey_cache **pkey_cache;
struct ib_gid_table **gid_cache;
u8 *lmc_cache;
+ u64 *subnet_prefix_cache;
};
struct ib_dma_mapping_ops {
--
1.8.3.1
next prev parent reply other threads:[~2016-11-08 21:06 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-08 21:06 [PATCH v4 0/9] SELinux support for Infiniband RDMA Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens [this message]
2016-11-08 21:06 ` [PATCH v4 2/9] IB/core: Enforce PKey security on QPs Dan Jurgens
[not found] ` <1478639185-47521-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-11-08 21:06 ` [PATCH v4 3/9] selinux lsm IB/core: Implement LSM notification system Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens
2016-11-08 22:35 ` kbuild test robot
2016-11-08 22:35 ` kbuild test robot
2016-11-08 23:41 ` Daniel Jurgens
2016-11-08 23:41 ` Daniel Jurgens
2016-11-08 21:06 ` [PATCH v4 4/9] IB/core: Enforce security on management datagrams Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens
2016-11-08 21:06 ` [PATCH v4 7/9] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens
2016-11-08 21:06 ` [PATCH v4 8/9] selinux: Add IB Port SMP " Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens
2016-11-08 21:06 ` [PATCH v4 9/9] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
2016-11-08 21:06 ` Dan Jurgens
[not found] ` <1478639185-47521-10-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-11-09 5:09 ` kbuild test robot
2016-11-09 5:09 ` kbuild test robot
2016-11-09 7:04 ` Leon Romanovsky
2016-11-09 14:03 ` Daniel Jurgens
2016-11-09 14:03 ` Daniel Jurgens
2016-11-08 21:06 ` [PATCH v4 5/9] selinux: Create policydb version for Infiniband support Dan Jurgens
2016-11-08 21:06 ` [PATCH v4 6/9] selinux: Allocate and free infiniband security hooks Dan Jurgens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1478639185-47521-2-git-send-email-danielj@mellanox.com \
--to=danielj@mellanox.com \
--cc=chrisw@sous-sol.org \
--cc=dledford@redhat.com \
--cc=eparis@parisplace.org \
--cc=hal.rosenstock@gmail.com \
--cc=leonro@mellanox.com \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=liranl@mellanox.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=sean.hefty@intel.com \
--cc=selinux@tycho.nsa.gov \
--cc=yevgenyp@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.