1. 25 Aug, 2017 1 commit
    • IB/core: Avoid accessing non-allocated memory when inferring port type · 498ca3c8
      Noa Osherovich committed
      Commit 44c58487 ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types")
      introduced the concept of type in ah_attr:
       * During ib_register_device, each port is checked for its type which
         is stored in ib_device's port_immutable array.
       * During uverbs' modify_qp, the type is inferred using the port number
         in ib_uverbs_qp_dest struct (address vector) by accessing the
         relevant port_immutable array and the type is passed on to
         providers.
      
      IB spec (version 1.3) enforces a valid port value only in Reset to
      Init. During Init to RTR, the address vector must be valid but port
      number is not mentioned as a field in the address vector, so its
      value is not validated, which leads to accesses to a non-allocated
      memory when inferring the port type.
      
      Save the real port number in ib_qp during modify to Init (when the
      comp_mask indicates that the port number is valid) and use this value
      to infer the port type.
      
      Avoid copying the address vector fields if the matching bit is not set
      in the attr_mask. Address vector can't be modified before the port, so
      no valid flow is affected.
      
      Fixes: 44c58487 ('IB/core: Define 'ib' and 'roce' rdma_ah_attr types')
      Signed-off-by: Noa Osherovich <noaos@mellanox.com>
      Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
  2. 23 Aug, 2017 3 commits
  3. 19 Aug, 2017 2 commits
  4. 09 Aug, 2017 3 commits
  5. 05 Aug, 2017 1 commit
  6. 24 Jul, 2017 1 commit
  7. 20 Jul, 2017 2 commits
  8. 18 Jul, 2017 1 commit
  9. 03 Jul, 2017 1 commit
    • RDMA/uverbs: Check port number supplied by user verbs cmds · 5ecce4c9
      Boris Pismenny committed
      The ib_uverbs_create_ah() and ib_uverbs_modify_qp() calls receive
      the port number from user input as part of their attributes and assume
      it is valid. Down on the stack, that parameter is used to access kernel
      data structures.  If the value is invalid, the kernel accesses memory
      it should not.  To prevent this, verify the port number before using it.
      
      BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
      Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
      
      BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
      Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
      
      Fixes: 67cdb40c ("[IB] uverbs: Implement more commands")
      Fixes: 189aba99 ("IB/uverbs: Extend modify_qp and support packet pacing")
      Cc: <stable@vger.kernel.org> # v2.6.14+
      Cc: <security@kernel.org>
      Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
      Cc: Tziporet Koren <tziporet@mellanox.com>
      Cc: Alex Polak <alexpo@mellanox.com>
      Signed-off-by: Boris Pismenny <borisp@mellanox.com>
      Signed-off-by: Leon Romanovsky <leon@kernel.org>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
  10. 24 May, 2017 1 commit
    • IB/core: Enforce PKey security on QPs · d291f1a6
      Daniel Jurgens committed
      Add new LSM hooks to allocate and free security contexts and check for
      permission to access a PKey.
      
      Allocate and free a security context when creating and destroying a QP.
      This context is used for controlling access to PKeys.
      
      When a request is made to modify a QP that changes the port, PKey index,
      or alternate path, check that the QP has permission for the PKey in the
      PKey table index on the subnet prefix of the port. If the QP is shared
      make sure all handles to the QP also have access.
      
      Store which port and PKey index a QP is using. After the reset to init
      transition the user can modify the port, PKey index and alternate path
      independently. So port and PKey settings changes can be a merge of the
      previous settings and the new ones.
      
      In order to maintain access control if there are PKey table or subnet
      prefix changes, keep a list of all QPs that are using each PKey index on
      each port. If a change occurs all QPs using that device and port must
      have access enforced for the new cache settings.
      
      These changes add a transaction to the QP modify process. Association
      with the old port and PKey index must be maintained if the modify fails,
      and must be removed if it succeeds. Association with the new port and
      PKey index must be established prior to the modify and removed if the
      modify fails.
      
      1. When a QP is modified to a particular Port, PKey index or alternate
         path insert that QP into the appropriate lists.
      
      2. Check permission to access the new settings.
      
      3. If step 2 grants access attempt to modify the QP.
      
      4a. If steps 2 and 3 succeed remove any prior associations.
      
      4b. If either fails remove the new setting associations.
      
      If a PKey table or subnet prefix changes walk the list of QPs and
      check that they have permission. If not send the QP to the error state
      and raise a fatal error event. If it's a shared QP make sure all the
      QPs that share the real_qp have permission as well. If the QP that
      owns a security structure is denied access the security structure is
      marked as such and the QP is added to an error_list. Once moving
      the QP to error is complete, the security structure mark is cleared.
      
      Maintaining the lists correctly turns QP destroy into a transaction.
      The hardware driver for the device frees the ib_qp structure, so while
      the destroy is in progress the ib_qp pointer in the ib_qp_security
      struct is undefined. When the destroy process begins the ib_qp_security
      structure is marked as destroying. This prevents any action from being
      taken on the QP pointer. After the QP is destroyed successfully it
      could still be listed on an error_list; wait for it to be processed by that
      flow before cleaning up the structure.
      
      If the destroy fails the QP's port and PKey settings are reinserted into
      the appropriate lists, the destroying flag is cleared, and access control
      is enforced, in case there were any cache changes during the destroy
      flow.
      
      To keep the security changes isolated a new file is used to hold security
      related functionality.
      Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
      Acked-by: Doug Ledford <dledford@redhat.com>
      [PM: merge fixup in ib_verbs.h and uverbs_cmd.c]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
  11. 02 May, 2017 5 commits
  12. 29 Apr, 2017 1 commit
  13. 26 Apr, 2017 1 commit
  14. 22 Apr, 2017 1 commit
  15. 20 Apr, 2017 2 commits
  16. 06 Apr, 2017 5 commits
    • IB/core: Change completion channel to use the reworked objects schema · 1e7710f3
      Matan Barak committed
      This patch adds the standard fd based type - completion_channel.
      The completion_channel is now prefixed with ib_uobject, similarly
      to the rest of the uobjects.
      This requires a few changes:
      (1) We define a new completion channel fd based object type.
      (2) completion_event and async_event are now two different types.
          This means they use different fops.
      (3) We release the completion_channel exactly as we release other
          idr based objects.
      (4) Since ib_uobjects are already kref-ed, we only add the kref to the
          async event.
      
      A fd object requires filling out several parameters. Its op pointer
      should point to uverbs_fd_ops and its size should be at least the
      size of ib_uobject. We use a macro to make the type declaration
      easier.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
    • IB/core: Add lock to multicast handlers · f48b7269
      Matan Barak committed
      When two handlers used the same object in the old schema, we blocked
      the process in the kernel. The new schema just returns -EBUSY. This
      could lead to different behaviour in applications between the old
      schema and the new schema. In most cases, using such handlers
      concurrently could lead to crashing the process. For example, if
      thread A destroys a QP and thread B modifies it, we could have the
      destruction happen before the modification. In this case, we are
      accessing freed memory which could lead to crashing the process.
      This is true for most cases. However, attaching and detaching
      a multicast address from QP concurrently is safe. Therefore, we
      preserve the original behaviour by adding a lock there.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
    • IB/core: Change idr objects to use the new schema · fd3c7904
      Matan Barak committed
      This changes only the handlers which deal with idr based objects to
      use the new idr allocation, fetching and destruction schema.
      This patch consists of the following changes:
      (1) Allocation, fetching and destruction is done via idr ops.
      (2) Context initializing and release is done through
          uverbs_initialize_ucontext and uverbs_cleanup_ucontext.
      (3) Ditching the live flag. Mostly, this is pretty
          straightforward. The only place that is a bit trickier is in
          ib_uverbs_open_qp. Commit [1] added code to check whether
          the uobject is already live and initialized. This mostly
          happens because of a race between open_qp and events.
          We delayed assigning the uobject's pointer in order to
          eliminate this race without using the live variable.
      
      [1] commit a040f95d
      	("IB/core: Fix XRC race condition in ib_uverbs_open_qp")
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
    • IB/core: Add idr based standard types · 6be60aed
      Matan Barak committed
      This patch adds the standard idr based types. These types are
      used in downstream patches in order to initialize, destroy and
      lookup IB standard objects which are based on idr objects.
      
      An idr object requires filling out several parameters. Its op pointer
      should point to uverbs_idr_ops and its size should be at least the
      size of ib_uobject. We add a macro to make the type declaration easier.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
      Reviewed-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
    • IB/core: Refactor idr to be per uverbs_file · 771addf6
      Matan Barak committed
      The current code creates an idr per type. Since types are currently
      common for all drivers and known in advance, this was good enough.
      However, the proposed ioctl based infrastructure allows each driver
      to declare only some of the common types and declare its own specific
      types.
      
      Thus, we decided to implement idr to be per uverbs_file.
      Signed-off-by: Matan Barak <matanb@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Haggai Eran <haggaie@mellanox.com>
      Reviewed-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
  17. 15 Feb, 2017 3 commits
  18. 14 Feb, 2017 1 commit
  19. 11 Jan, 2017 1 commit
    • IB/core: added support to use rdma cgroup controller · 43579b5f
      Parav Pandit committed
      Added support APIs for IB core to register/unregister every IB/RDMA
      device with rdma cgroup for tracking rdma resources.
      IB core registers with rdma cgroup controller.
      Added support APIs for uverbs layer to make use of rdma controller.
      Added uverbs layer to perform resource charge/uncharge functionality.
      Added support during query_device uverb operation to ensure it
      returns resource limits by honoring rdma cgroup configured limits.
      Signed-off-by: Parav Pandit <pandit.parav@gmail.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
  20. 25 Dec, 2016 1 commit
  21. 14 Dec, 2016 3 commits