From: Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
To: chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org, paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org, sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org, hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH v6 1/9] IB/core: IB cache enhancements to support Infiniband security
Date: Wed, 23 Nov 2016 16:17:23 +0200
Message-ID: <1479910651-43246-2-git-send-email-danielj@mellanox.com>
In-Reply-To: <1479910651-43246-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Cache the subnet prefix and add a function to access it. Enforcing
security requires frequent queries of the subnet prefix and the pkeys in
the pkey table.

Also removed an unneeded pr_warn about memory allocation failure.

Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Leon Romanovsky <leonro-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
---
v2:
- In ib_get_cached_subnet_prefix wait to initialize p until after
  validation. Yuval Shaia
---
 drivers/infiniband/core/cache.c     | 36 ++++++++++++++++++++++++++++++++++--
 drivers/infiniband/core/core_priv.h |  3 +++
 include/rdma/ib_verbs.h             |  1 +
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c index 1a2984c..affc8ef 100644 --- a/drivers/infiniband/core/cache.c 
+++ b/drivers/infiniband/core/cache.c @@ -934,6 +934,26 @@ int ib_get_cached_pkey(struct ib_device *device, } EXPORT_SYMBOL(ib_get_cached_pkey); +int ib_get_cached_subnet_prefix(struct ib_device *device, + u8 port_num, + u64 *sn_pfx) +{ + unsigned long flags; + int p; + + if (port_num < rdma_start_port(device) || + port_num > rdma_end_port(device)) + return -EINVAL; + + p = port_num - rdma_start_port(device); + read_lock_irqsave(&device->cache.lock, flags); + *sn_pfx = device->cache.subnet_prefix_cache[p]; + read_unlock_irqrestore(&device->cache.lock, flags); + + return 0; +} +EXPORT_SYMBOL(ib_get_cached_subnet_prefix); + int ib_find_cached_pkey(struct ib_device *device, u8 port_num, u16 pkey, @@ -1110,6 +1130,8 @@ static void ib_cache_update(struct ib_device *device, device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc; + device->cache.subnet_prefix_cache[port - rdma_start_port(device)] = + tprops->subnet_prefix; write_unlock_irq(&device->cache.lock); kfree(gid_cache); @@ -1168,9 +1190,18 @@ int ib_cache_setup_one(struct ib_device *device) (rdma_end_port(device) - rdma_start_port(device) + 1), GFP_KERNEL); + + device->cache.subnet_prefix_cache = + kcalloc((rdma_end_port(device) - rdma_start_port(device) + 1), + sizeof(*device->cache.subnet_prefix_cache), + GFP_KERNEL); + if (!device->cache.pkey_cache || - !device->cache.lmc_cache) { - pr_warn("Couldn't allocate cache for %s\n", device->name); + !device->cache.lmc_cache || + !device->cache.subnet_prefix_cache) { + kfree(device->cache.pkey_cache); + kfree(device->cache.lmc_cache); + kfree(device->cache.subnet_prefix_cache); return -ENOMEM; } @@ -1213,6 +1244,7 @@ void ib_cache_release_one(struct ib_device *device) gid_table_release_one(device); kfree(device->cache.pkey_cache); kfree(device->cache.lmc_cache); + kfree(device->cache.subnet_prefix_cache); } void ib_cache_cleanup_one(struct ib_device *device) 
diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/core_priv.h index 19d499d..ce826e4 100644 --- a/drivers/infiniband/core/core_priv.h +++ b/drivers/infiniband/core/core_priv.h @@ -153,4 +153,7 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb, int ib_nl_handle_ip_res_resp(struct sk_buff *skb, struct netlink_callback *cb); +int ib_get_cached_subnet_prefix(struct ib_device *device, + u8 port_num, + u64 *sn_pfx); #endif /* _CORE_PRIV_H */ diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index 5ad43a4..db178fd 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -1761,6 +1761,7 @@ struct ib_cache { struct ib_pkey_cache **pkey_cache; struct ib_gid_table **gid_cache; u8 *lmc_cache; + u64 *subnet_prefix_cache; }; struct ib_dma_mapping_ops { -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
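Review bot: ib_get_cached_subnet_prefix() in drivers/infiniband/core/cache.c is exported but has no kernel-doc comment, so the contract for port_num, the return value and *sn_pfx is left to the reader. Please add a comment block stating that port_num must lie between rdma_start_port(device) and rdma_end_port(device), that -EINVAL is returned without writing *sn_pfx, and which byte order the stored prefix is in, since callers that compare it against other subnet prefix values need to know. A smaller style point in the same function: p only ever holds a non-negative array index, so unsigned int would describe it better than int.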
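Review bot: In the ib_cache_setup_one() error path, the three added kfree() calls leave device->cache.pkey_cache, device->cache.lmc_cache and device->cache.subnet_prefix_cache pointing at freed memory, and ib_cache_release_one() frees the same three fields. If release can ever run after a failed setup, that is a double free; setting the pointers to NULL after freeing them, or routing both paths through one cleanup helper, makes the error path safe regardless of call order. The new cleanup is also a behaviour change that the commit message does not mention (it only describes dropping the pr_warn), so a sentence about it in the changelog would help whoever bisects this later.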
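Review bot: The prototype added to drivers/infiniband/core/core_priv.h belongs to a function that cache.c marks with EXPORT_SYMBOL(ib_get_cached_subnet_prefix), and those two choices disagree: a private header says core-only use, an export says other modules may call it. If every caller includes core_priv.h and is linked into the same module, drop the export; if other modules need the accessor, declare it wherever ib_get_cached_pkey() is declared so that users do not have to reach into a private header.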
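Review bot: The new subnet_prefix_cache member of struct ib_cache in include/rdma/ib_verbs.h carries no comment, and nothing in the struct says how the array is indexed or protected. The cache.c hunks index it by port - rdma_start_port(device) and touch it only under device->cache.lock; a one-line comment on the field saying so would keep later users from indexing it by raw port number or reading it without the lock.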