[rdma-next,4/6] RDMA/cm: Delete useless QPN masking

Message ID	20191020071559.9743-5-leon@kernel.org (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <SRS0=v0iq=YN=vger.kernel.org=linux-rdma-owner@kernel.org> From: Leon Romanovsky <leon@kernel.org> To: Doug Ledford <dledford@redhat.com>, Jason Gunthorpe <jgg@mellanox.com> Cc: Leon Romanovsky <leonro@mellanox.com>, RDMA mailing list <linux-rdma@vger.kernel.org>, Bart Van Assche <bvanassche@acm.org> Subject: [PATCH rdma-next 4/6] RDMA/cm: Delete useless QPN masking Date: Sun, 20 Oct 2019 10:15:57 +0300 Message-Id: <20191020071559.9743-5-leon@kernel.org> In-Reply-To: <20191020071559.9743-1-leon@kernel.org> References: <20191020071559.9743-1-leon@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk
Series	CM cleanup \| expand [rdma-next,0/6] CM cleanup [rdma-next,1/6] RDMA/cm: Delete unused cm_is_active_peer function [rdma-next,2/6] RDMA/cm: Use specific keyword to check define [rdma-next,3/6] RDMA/cm: Update copyright together with SPDX tag [rdma-next,4/6] RDMA/cm: Delete useless QPN masking [rdma-next,5/6] RDMA/cm: Provide private data size to CM users [rdma-next,6/6] RDMA/srpt: Use private_data_len instead of hardcoded value

Leon Romanovsky Oct. 20, 2019, 7:15 a.m. UTC

From: Leon Romanovsky <leonro@mellanox.com>

QPN is supplied by kernel users who controls and creates valid QPs,
such flow ensures that QPN is limited to 24bits and no need to mask
already valid QPN.

Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
---
 drivers/infiniband/core/cm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Or Gerlitz Oct. 20, 2019, 8:48 a.m. UTC | #1

On Sun, Oct 20, 2019 at 10:18 AM Leon Romanovsky <leon@kernel.org> wrote:
>
> From: Leon Romanovsky <leonro@mellanox.com>
>
> QPN is supplied by kernel users who controls and creates valid QPs,

AFAIK this can also arrive from user-space, agree?

> such flow ensures that QPN is limited to 24bits and no need to mask
> already valid QPN.

Leon Romanovsky Oct. 20, 2019, 8:54 a.m. UTC | #2

On Sun, Oct 20, 2019 at 11:48:39AM +0300, Or Gerlitz wrote:
> On Sun, Oct 20, 2019 at 10:18 AM Leon Romanovsky <leon@kernel.org> wrote:
> >
> > From: Leon Romanovsky <leonro@mellanox.com>
> >
> > QPN is supplied by kernel users who controls and creates valid QPs,
>
> AFAIK this can also arrive from user-space, agree?

Not in this path, anyway we are masking it again while writing
to the spec struct,

>
> > such flow ensures that QPN is limited to 24bits and no need to mask
> > already valid QPN.

Jason Gunthorpe Oct. 28, 2019, 12:52 p.m. UTC | #3

On Sun, Oct 20, 2019 at 10:15:57AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@mellanox.com>
> 
> QPN is supplied by kernel users who controls and creates valid QPs,
> such flow ensures that QPN is limited to 24bits and no need to mask
> already valid QPN.
> 
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> ---
>  drivers/infiniband/core/cm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
> index 7ffa16ea5fe3..2eb8e1fab962 100644
> --- a/drivers/infiniband/core/cm.c
> +++ b/drivers/infiniband/core/cm.c
> @@ -2101,7 +2101,7 @@ int ib_send_cm_rep(struct ib_cm_id *cm_id,
>  	cm_id_priv->initiator_depth = param->initiator_depth;
>  	cm_id_priv->responder_resources = param->responder_resources;
>  	cm_id_priv->rq_psn = cm_rep_get_starting_psn(rep_msg);
> -	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num & 0xFFFFFF);
> +	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);

It does seem like this value comes from userspace:

ucma_connect()
  ucma_copy_conn_param()
    	dst->qp_num = src->qp_num
  rdma_connect(.., &dst)
	if (!id->qp) {
		id_priv->qp_num = conn_param->qp_num;

vs

cma_accept_ib()
	rep.qp_num = id_priv->qp_num;

Maybe this needs to add some masking to ucma_copy_conn_param()?

Jason

Leon Romanovsky Oct. 28, 2019, 1:13 p.m. UTC | #4

On Mon, Oct 28, 2019 at 09:52:33AM -0300, Jason Gunthorpe wrote:
> On Sun, Oct 20, 2019 at 10:15:57AM +0300, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@mellanox.com>
> >
> > QPN is supplied by kernel users who controls and creates valid QPs,
> > such flow ensures that QPN is limited to 24bits and no need to mask
> > already valid QPN.
> >
> > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > ---
> >  drivers/infiniband/core/cm.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
> > index 7ffa16ea5fe3..2eb8e1fab962 100644
> > --- a/drivers/infiniband/core/cm.c
> > +++ b/drivers/infiniband/core/cm.c
> > @@ -2101,7 +2101,7 @@ int ib_send_cm_rep(struct ib_cm_id *cm_id,
> >  	cm_id_priv->initiator_depth = param->initiator_depth;
> >  	cm_id_priv->responder_resources = param->responder_resources;
> >  	cm_id_priv->rq_psn = cm_rep_get_starting_psn(rep_msg);
> > -	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num & 0xFFFFFF);
> > +	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);
>
> It does seem like this value comes from userspace:
>
> ucma_connect()
>   ucma_copy_conn_param()
>     	dst->qp_num = src->qp_num
>   rdma_connect(.., &dst)
> 	if (!id->qp) {
> 		id_priv->qp_num = conn_param->qp_num;
>
> vs
>
> cma_accept_ib()
> 	rep.qp_num = id_priv->qp_num;
>
> Maybe this needs to add some masking to ucma_copy_conn_param()?

Thanks for the callstack, Or pointed it to me too, but I missed this flow.
Let's create a pre-patch with QPN masking.

Thanks

>
> Jason

Jason Gunthorpe Oct. 28, 2019, 1:44 p.m. UTC | #5

On Mon, Oct 28, 2019 at 03:13:33PM +0200, Leon Romanovsky wrote:
> On Mon, Oct 28, 2019 at 09:52:33AM -0300, Jason Gunthorpe wrote:
> > On Sun, Oct 20, 2019 at 10:15:57AM +0300, Leon Romanovsky wrote:
> > > From: Leon Romanovsky <leonro@mellanox.com>
> > >
> > > QPN is supplied by kernel users who controls and creates valid QPs,
> > > such flow ensures that QPN is limited to 24bits and no need to mask
> > > already valid QPN.
> > >
> > > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > >  drivers/infiniband/core/cm.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
> > > index 7ffa16ea5fe3..2eb8e1fab962 100644
> > > +++ b/drivers/infiniband/core/cm.c
> > > @@ -2101,7 +2101,7 @@ int ib_send_cm_rep(struct ib_cm_id *cm_id,
> > >  	cm_id_priv->initiator_depth = param->initiator_depth;
> > >  	cm_id_priv->responder_resources = param->responder_resources;
> > >  	cm_id_priv->rq_psn = cm_rep_get_starting_psn(rep_msg);
> > > -	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num & 0xFFFFFF);
> > > +	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);
> >
> > It does seem like this value comes from userspace:
> >
> > ucma_connect()
> >   ucma_copy_conn_param()
> >     	dst->qp_num = src->qp_num
> >   rdma_connect(.., &dst)
> > 	if (!id->qp) {
> > 		id_priv->qp_num = conn_param->qp_num;
> >
> > vs
> >
> > cma_accept_ib()
> > 	rep.qp_num = id_priv->qp_num;
> >
> > Maybe this needs to add some masking to ucma_copy_conn_param()?
> 
> Thanks for the callstack, Or pointed it to me too, but I missed this flow.
> Let's create a pre-patch with QPN masking.

You'll need to check all the id_priv->qp_num users, I stopped when I
found the above

Jason

Leon Romanovsky Oct. 28, 2019, 2:02 p.m. UTC | #6

On Mon, Oct 28, 2019 at 10:44:57AM -0300, Jason Gunthorpe wrote:
> On Mon, Oct 28, 2019 at 03:13:33PM +0200, Leon Romanovsky wrote:
> > On Mon, Oct 28, 2019 at 09:52:33AM -0300, Jason Gunthorpe wrote:
> > > On Sun, Oct 20, 2019 at 10:15:57AM +0300, Leon Romanovsky wrote:
> > > > From: Leon Romanovsky <leonro@mellanox.com>
> > > >
> > > > QPN is supplied by kernel users who controls and creates valid QPs,
> > > > such flow ensures that QPN is limited to 24bits and no need to mask
> > > > already valid QPN.
> > > >
> > > > Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> > > >  drivers/infiniband/core/cm.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
> > > > index 7ffa16ea5fe3..2eb8e1fab962 100644
> > > > +++ b/drivers/infiniband/core/cm.c
> > > > @@ -2101,7 +2101,7 @@ int ib_send_cm_rep(struct ib_cm_id *cm_id,
> > > >  	cm_id_priv->initiator_depth = param->initiator_depth;
> > > >  	cm_id_priv->responder_resources = param->responder_resources;
> > > >  	cm_id_priv->rq_psn = cm_rep_get_starting_psn(rep_msg);
> > > > -	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num & 0xFFFFFF);
> > > > +	cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);
> > >
> > > It does seem like this value comes from userspace:
> > >
> > > ucma_connect()
> > >   ucma_copy_conn_param()
> > >     	dst->qp_num = src->qp_num
> > >   rdma_connect(.., &dst)
> > > 	if (!id->qp) {
> > > 		id_priv->qp_num = conn_param->qp_num;
> > >
> > > vs
> > >
> > > cma_accept_ib()
> > > 	rep.qp_num = id_priv->qp_num;
> > >
> > > Maybe this needs to add some masking to ucma_copy_conn_param()?
> >
> > Thanks for the callstack, Or pointed it to me too, but I missed this flow.
> > Let's create a pre-patch with QPN masking.
>
> You'll need to check all the id_priv->qp_num users, I stopped when I
> found the above

Initially, I wanted to add masking in rdma_connect(), but decided that
it is not the cleanest approach, so I grepped to see rdma_conn_param
users. I'll continue to grep.

Thanks

>
> Jason

[rdma-next,4/6] RDMA/cm: Delete useless QPN masking

Commit Message

Comments

Patch