aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/infiniband/hw/nes/nes_verbs.c
diff options
context:
space:
mode:
authorFaisal Latif <faisal.latif@intel.com>2009-03-12 17:34:59 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-03-12 19:21:41 -0400
commitc12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 (patch)
tree677319ae34074efbf98a87d9496a7d5cb47c0524 /drivers/infiniband/hw/nes/nes_verbs.c
parent7ef0d7377cb287e08f3ae94cebc919448e1f5dff (diff)
RDMA/nes: Don't allow userspace QPs to use STag zero
STag zero is a special STag that allows consumers to access any bus address without registering memory. The nes driver unfortunately allows STag zero to be used even with QPs created by unprivileged userspace consumers, which means that any process with direct verbs access to the nes device can read and write any memory accessible to the underlying PCI device (usually any memory in the system). Such access is usually given for cluster software such as MPI to use, so this is a local privilege escalation bug on most systems running this driver. The driver was using STag zero to receive the last streaming mode data; to allow STag zero to be disabled for unprivileged QPs, the driver now registers a special MR for this data. Cc: <stable@kernel.org> Signed-off-by: Faisal Latif <faisal.latif@intel.com> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/infiniband/hw/nes/nes_verbs.c')
-rw-r--r--drivers/infiniband/hw/nes/nes_verbs.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
index 4fdb72454f9..d93a6562817 100644
--- a/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/drivers/infiniband/hw/nes/nes_verbs.c
@@ -1360,8 +1360,10 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
1360 NES_QPCONTEXT_MISC_RQ_SIZE_SHIFT); 1360 NES_QPCONTEXT_MISC_RQ_SIZE_SHIFT);
1361 nesqp->nesqp_context->misc |= cpu_to_le32((u32)nesqp->hwqp.sq_encoded_size << 1361 nesqp->nesqp_context->misc |= cpu_to_le32((u32)nesqp->hwqp.sq_encoded_size <<
1362 NES_QPCONTEXT_MISC_SQ_SIZE_SHIFT); 1362 NES_QPCONTEXT_MISC_SQ_SIZE_SHIFT);
1363 if (!udata) {
1363 nesqp->nesqp_context->misc |= cpu_to_le32(NES_QPCONTEXT_MISC_PRIV_EN); 1364 nesqp->nesqp_context->misc |= cpu_to_le32(NES_QPCONTEXT_MISC_PRIV_EN);
1364 nesqp->nesqp_context->misc |= cpu_to_le32(NES_QPCONTEXT_MISC_FAST_REGISTER_EN); 1365 nesqp->nesqp_context->misc |= cpu_to_le32(NES_QPCONTEXT_MISC_FAST_REGISTER_EN);
1366 }
1365 nesqp->nesqp_context->cqs = cpu_to_le32(nesqp->nesscq->hw_cq.cq_number + 1367 nesqp->nesqp_context->cqs = cpu_to_le32(nesqp->nesscq->hw_cq.cq_number +
1366 ((u32)nesqp->nesrcq->hw_cq.cq_number << 16)); 1368 ((u32)nesqp->nesrcq->hw_cq.cq_number << 16));
1367 u64temp = (u64)nesqp->hwqp.sq_pbase; 1369 u64temp = (u64)nesqp->hwqp.sq_pbase;
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-18 11:33:54 -0500