aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorSean Hefty <sean.hefty@intel.com>2006-07-20 04:25:50 -0400
committerRoland Dreier <rolandd@cisco.com>2006-07-24 12:18:07 -0400
commit2527e681fd4fd4231c2e04f09d7b04d3cab8eefe (patch)
treec9c4fe05d04bcad941505f9e8d1c3903d9501f6b /drivers
parent16c59419a09f0140a07a1828d6a45656265e07c7 (diff)
IB/mad: Validate MADs for spec compliance
Validate MADs sent by userspace clients for spec compliance with C13-18.1.1 (prevent duplicate requests and responses sent on the same port). Without this, RMPP transactions get aborted because of duplicate packets. This patch is similar to that provided by Jack Morgenstein. Signed-off-by: Sean Hefty <sean.hefty@intel.com> Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/infiniband/core/mad.c22
-rw-r--r--drivers/infiniband/core/user_mad.c87
2 files changed, 88 insertions, 21 deletions
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 5ed4dab52a6f..1c3cfbbe6a97 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -167,6 +167,15 @@ static int is_vendor_method_in_use(
167 return 0; 167 return 0;
168} 168}
169 169
170int ib_response_mad(struct ib_mad *mad)
171{
172 return ((mad->mad_hdr.method & IB_MGMT_METHOD_RESP) ||
173 (mad->mad_hdr.method == IB_MGMT_METHOD_TRAP_REPRESS) ||
174 ((mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_BM) &&
175 (mad->mad_hdr.attr_mod & IB_BM_ATTR_MOD_RESP)));
176}
177EXPORT_SYMBOL(ib_response_mad);
178
170/* 179/*
171 * ib_register_mad_agent - Register to send/receive MADs 180 * ib_register_mad_agent - Register to send/receive MADs
172 */ 181 */
@@ -570,13 +579,6 @@ int ib_unregister_mad_agent(struct ib_mad_agent *mad_agent)
570} 579}
571EXPORT_SYMBOL(ib_unregister_mad_agent); 580EXPORT_SYMBOL(ib_unregister_mad_agent);
572 581
573static inline int response_mad(struct ib_mad *mad)
574{
575 /* Trap represses are responses although response bit is reset */
576 return ((mad->mad_hdr.method == IB_MGMT_METHOD_TRAP_REPRESS) ||
577 (mad->mad_hdr.method & IB_MGMT_METHOD_RESP));
578}
579
580static void dequeue_mad(struct ib_mad_list_head *mad_list) 582static void dequeue_mad(struct ib_mad_list_head *mad_list)
581{ 583{
582 struct ib_mad_queue *mad_queue; 584 struct ib_mad_queue *mad_queue;
@@ -723,7 +725,7 @@ static int handle_outgoing_dr_smp(struct ib_mad_agent_private *mad_agent_priv,
723 switch (ret) 725 switch (ret)
724 { 726 {
725 case IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY: 727 case IB_MAD_RESULT_SUCCESS | IB_MAD_RESULT_REPLY:
726 if (response_mad(&mad_priv->mad.mad) && 728 if (ib_response_mad(&mad_priv->mad.mad) &&
727 mad_agent_priv->agent.recv_handler) { 729 mad_agent_priv->agent.recv_handler) {
728 local->mad_priv = mad_priv; 730 local->mad_priv = mad_priv;
729 local->recv_mad_agent = mad_agent_priv; 731 local->recv_mad_agent = mad_agent_priv;
@@ -1551,7 +1553,7 @@ find_mad_agent(struct ib_mad_port_private *port_priv,
1551 unsigned long flags; 1553 unsigned long flags;
1552 1554
1553 spin_lock_irqsave(&port_priv->reg_lock, flags); 1555 spin_lock_irqsave(&port_priv->reg_lock, flags);
1554 if (response_mad(mad)) { 1556 if (ib_response_mad(mad)) {
1555 u32 hi_tid; 1557 u32 hi_tid;
1556 struct ib_mad_agent_private *entry; 1558 struct ib_mad_agent_private *entry;
1557 1559
@@ -1799,7 +1801,7 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
1799 } 1801 }
1800 1802
1801 /* Complete corresponding request */ 1803 /* Complete corresponding request */
1802 if (response_mad(mad_recv_wc->recv_buf.mad)) { 1804 if (ib_response_mad(mad_recv_wc->recv_buf.mad)) {
1803 spin_lock_irqsave(&mad_agent_priv->lock, flags); 1805 spin_lock_irqsave(&mad_agent_priv->lock, flags);
1804 mad_send_wr = ib_find_send_mad(mad_agent_priv, mad_recv_wc); 1806 mad_send_wr = ib_find_send_mad(mad_agent_priv, mad_recv_wc);
1805 if (!mad_send_wr) { 1807 if (!mad_send_wr) {
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index afe70a549c2f..1273f8807e84 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -112,8 +112,10 @@ struct ib_umad_device {
112struct ib_umad_file { 112struct ib_umad_file {
113 struct ib_umad_port *port; 113 struct ib_umad_port *port;
114 struct list_head recv_list; 114 struct list_head recv_list;
115 struct list_head send_list;
115 struct list_head port_list; 116 struct list_head port_list;
116 spinlock_t recv_lock; 117 spinlock_t recv_lock;
118 spinlock_t send_lock;
117 wait_queue_head_t recv_wait; 119 wait_queue_head_t recv_wait;
118 struct ib_mad_agent *agent[IB_UMAD_MAX_AGENTS]; 120 struct ib_mad_agent *agent[IB_UMAD_MAX_AGENTS];
119 int agents_dead; 121 int agents_dead;
@@ -177,12 +179,21 @@ static int queue_packet(struct ib_umad_file *file,
177 return ret; 179 return ret;
178} 180}
179 181
182static void dequeue_send(struct ib_umad_file *file,
183 struct ib_umad_packet *packet)
184 {
185 spin_lock_irq(&file->send_lock);
186 list_del(&packet->list);
187 spin_unlock_irq(&file->send_lock);
188 }
189
180static void send_handler(struct ib_mad_agent *agent, 190static void send_handler(struct ib_mad_agent *agent,
181 struct ib_mad_send_wc *send_wc) 191 struct ib_mad_send_wc *send_wc)
182{ 192{
183 struct ib_umad_file *file = agent->context; 193 struct ib_umad_file *file = agent->context;
184 struct ib_umad_packet *packet = send_wc->send_buf->context[0]; 194 struct ib_umad_packet *packet = send_wc->send_buf->context[0];
185 195
196 dequeue_send(file, packet);
186 ib_destroy_ah(packet->msg->ah); 197 ib_destroy_ah(packet->msg->ah);
187 ib_free_send_mad(packet->msg); 198 ib_free_send_mad(packet->msg);
188 199
@@ -370,6 +381,51 @@ static int copy_rmpp_mad(struct ib_mad_send_buf *msg, const char __user *buf)
370 return 0; 381 return 0;
371} 382}
372 383
384static int same_destination(struct ib_user_mad_hdr *hdr1,
385 struct ib_user_mad_hdr *hdr2)
386{
387 if (!hdr1->grh_present && !hdr2->grh_present)
388 return (hdr1->lid == hdr2->lid);
389
390 if (hdr1->grh_present && hdr2->grh_present)
391 return !memcmp(hdr1->gid, hdr2->gid, 16);
392
393 return 0;
394}
395
396static int is_duplicate(struct ib_umad_file *file,
397 struct ib_umad_packet *packet)
398{
399 struct ib_umad_packet *sent_packet;
400 struct ib_mad_hdr *sent_hdr, *hdr;
401
402 hdr = (struct ib_mad_hdr *) packet->mad.data;
403 list_for_each_entry(sent_packet, &file->send_list, list) {
404 sent_hdr = (struct ib_mad_hdr *) sent_packet->mad.data;
405
406 if ((hdr->tid != sent_hdr->tid) ||
407 (hdr->mgmt_class != sent_hdr->mgmt_class))
408 continue;
409
410 /*
411 * No need to be overly clever here. If two new operations have
412 * the same TID, reject the second as a duplicate. This is more
413 * restrictive than required by the spec.
414 */
415 if (!ib_response_mad((struct ib_mad *) hdr)) {
416 if (!ib_response_mad((struct ib_mad *) sent_hdr))
417 return 1;
418 continue;
419 } else if (!ib_response_mad((struct ib_mad *) sent_hdr))
420 continue;
421
422 if (same_destination(&packet->mad.hdr, &sent_packet->mad.hdr))
423 return 1;
424 }
425
426 return 0;
427}
428
373static ssize_t ib_umad_write(struct file *filp, const char __user *buf, 429static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
374 size_t count, loff_t *pos) 430 size_t count, loff_t *pos)
375{ 431{
@@ -379,7 +435,6 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
379 struct ib_ah_attr ah_attr; 435 struct ib_ah_attr ah_attr;
380 struct ib_ah *ah; 436 struct ib_ah *ah;
381 struct ib_rmpp_mad *rmpp_mad; 437 struct ib_rmpp_mad *rmpp_mad;
382 u8 method;
383 __be64 *tid; 438 __be64 *tid;
384 int ret, data_len, hdr_len, copy_offset, rmpp_active; 439 int ret, data_len, hdr_len, copy_offset, rmpp_active;
385 440
@@ -473,28 +528,36 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
473 } 528 }
474 529
475 /* 530 /*
476 * If userspace is generating a request that will generate a 531 * Set the high-order part of the transaction ID to make MADs from
477 * response, we need to make sure the high-order part of the 532 * different agents unique, and allow routing responses back to the
478 * transaction ID matches the agent being used to send the 533 * original requestor.
479 * MAD.
480 */ 534 */
481 method = ((struct ib_mad_hdr *) packet->msg->mad)->method; 535 if (!ib_response_mad(packet->msg->mad)) {
482
483 if (!(method & IB_MGMT_METHOD_RESP) &&
484 method != IB_MGMT_METHOD_TRAP_REPRESS &&
485 method != IB_MGMT_METHOD_SEND) {
486 tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid; 536 tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
487 *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 | 537 *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
488 (be64_to_cpup(tid) & 0xffffffff)); 538 (be64_to_cpup(tid) & 0xffffffff));
539 rmpp_mad->mad_hdr.tid = *tid;
540 }
541
542 spin_lock_irq(&file->send_lock);
543 ret = is_duplicate(file, packet);
544 if (!ret)
545 list_add_tail(&packet->list, &file->send_list);
546 spin_unlock_irq(&file->send_lock);
547 if (ret) {
548 ret = -EINVAL;
549 goto err_msg;
489 } 550 }
490 551
491 ret = ib_post_send_mad(packet->msg, NULL); 552 ret = ib_post_send_mad(packet->msg, NULL);
492 if (ret) 553 if (ret)
493 goto err_msg; 554 goto err_send;
494 555
495 up_read(&file->port->mutex); 556 up_read(&file->port->mutex);
496 return count; 557 return count;
497 558
559err_send:
560 dequeue_send(file, packet);
498err_msg: 561err_msg:
499 ib_free_send_mad(packet->msg); 562 ib_free_send_mad(packet->msg);
500err_ah: 563err_ah:
@@ -657,7 +720,9 @@ static int ib_umad_open(struct inode *inode, struct file *filp)
657 } 720 }
658 721
659 spin_lock_init(&file->recv_lock); 722 spin_lock_init(&file->recv_lock);
723 spin_lock_init(&file->send_lock);
660 INIT_LIST_HEAD(&file->recv_list); 724 INIT_LIST_HEAD(&file->recv_list);
725 INIT_LIST_HEAD(&file->send_list);
661 init_waitqueue_head(&file->recv_wait); 726 init_waitqueue_head(&file->recv_wait);
662 727
663 file->port = port; 728 file->port = port;