IB/mlx5: Skip non-ODP MR when handling a page fault

mainline inclusion
from mainline-4.20-rc7
commit 4d5422a309deecec906c491f8aea77593a46321d
category: bugfix
bugzilla: 6625
CVE: NA

-----------------------------

Since any page fault may be interrupted by a MMU invalidation and implicit
It is possible that we call pagefault_single_data_segment() with a MKey
that belongs to a memory region which is not on demand (i.e. pinned
pages). This can happen if, for instance, a WQE that points to multiple
MRs where some of them are ODP MRs and some are not.  In this case we
don't need to handle this MR in the ODP context besides reporting success.

Otherwise the code will call pagefault_mr() which will do to_ib_umem_odp()
on a non-ODP MR and thus access out of bounds.

Conflicts:
	drivers/infiniband/hw/mlx5/odp.c
[jingxiangfeng: '597ecc5 RDMA/umem: Get rid of struct ib_umem.odp_data' is
not nessary to backport. so I have changed to 'umem->odp_data' instead
of 'umem->is_odp'.]

Fixes: 7bdf65d4 ("IB/mlx5: Handle page faults")
Signed-off-by: NArtemy Kovalyov <artemyko@mellanox.com>
Signed-off-by: NMoni Shoua <monis@mellanox.com>
Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
Signed-off-by: NJing Xiangfeng <jingxiangfeng@huawei.com>
Reviewed-by: NHanjun Guo <guohanjun@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>

drivers/infiniband/hw/mlx5/odp.c

@@ -663,6 +663,14 @@ static int pagefault_single_data_segment(struct mlx5_ib_dev *dev,
 			goto srcu_unlock;
 		}
 
+		if (!mr->umem->odp_data) {
+			mlx5_ib_dbg(dev, "skipping non ODP MR (lkey=0x%06x) in page fault handler.\n",
+				    key);
+			if (bytes_mapped)
+				*bytes_mapped += bcnt;
+			goto srcu_unlock;
+		}
+
 		ret = pagefault_mr(dev, mr, io_virt, bcnt, bytes_mapped);
 		if (ret < 0)
 			goto srcu_unlock;