Message ID | 5646467E.2000509@dev.mellanox.co.il (mailing list archive) |
---|---|
State | Accepted |
> > > Receipt of CM MAD with other than the Send method for an attribute other > than the ClassPortInfo attribute is invalid. > > CM attributes other than ClassPortInfo only use the send method. > > The SRP initiator does not maintain a timeout policy for CM connect requests > relies on the CM layer to do that. The result was that the SRP initiator hung as > the connect request never completed. > > A new SRP target has been observed to respond to Send CM REQ with GetResp > of CM REQ with bad status. This is non conformant with IBA spec but exposes a > vulnerability in the current MAD/CM code which will respond to the incoming > GetResp of CM REQ as if it was a valid incoming Send of CM REQ rather than > tossing this on the floor. It also causes the MAD layer not to retransmit the > original REQ even though it has not received a REP. > > Reviewed-by: Sagi Grimberg <sagig@mellanox.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> > Signed-off-by: Hal Rosenstock <hal@mellanox.com> > --- > Changes since v1: > Removed ClassPortInfo method validation > > drivers/infiniband/core/mad.c | 5 +++++ > include/rdma/ib_mad.h | 2 ++ > 2 files changed, 7 insertions(+), 0 deletions(-) > > diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c > index 8d8af7a..2281de1 100644 > --- a/drivers/infiniband/core/mad.c > +++ b/drivers/infiniband/core/mad.c > @@ -1811,6 +1811,11 @@ static int validate_mad(const struct ib_mad_hdr > *mad_hdr, > if (qp_num == 0) > valid = 1; > } else { > + /* CM attributes other than ClassPortInfo only use Send > method */ > + if ((mad_hdr->mgmt_class == IB_MGMT_CLASS_CM) && > + (mad_hdr->attr_id != IB_MGMT_CLASSPORTINFO_ATTR_ID) > && > + (mad_hdr->method != IB_MGMT_METHOD_SEND)) > + goto out; > /* Filter GSI packets sent to QP0 */ > if (qp_num != 0) > valid = 1; > diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h index > 188df91..ec9b44d 100644 > --- a/include/rdma/ib_mad.h > +++ b/include/rdma/ib_mad.h 
> @@ -237,6 +237,8 @@ struct ib_vendor_mad { > u8 data[IB_MGMT_VENDOR_DATA]; > }; > > +#define IB_MGMT_CLASSPORTINFO_ATTR_ID cpu_to_be16(0x0001) > + > struct ib_class_port_info { > u8 base_version; > u8 class_version; > -- > 1.7.8.2 >
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c index 8d8af7a..2281de1 100644 --- a/drivers/infiniband/core/mad.c +++ b/drivers/infiniband/core/mad.c @@ -1811,6 +1811,11 @@ static int validate_mad(const struct ib_mad_hdr *mad_hdr, if (qp_num == 0) valid = 1; } else { + /* CM attributes other than ClassPortInfo only use Send method */ + if ((mad_hdr->mgmt_class == IB_MGMT_CLASS_CM) && + (mad_hdr->attr_id != IB_MGMT_CLASSPORTINFO_ATTR_ID) && + (mad_hdr->method != IB_MGMT_METHOD_SEND)) + goto out; /* Filter GSI packets sent to QP0 */ if (qp_num != 0) valid = 1; diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h index 188df91..ec9b44d 100644 --- a/include/rdma/ib_mad.h +++ b/include/rdma/ib_mad.h @@ -237,6 +237,8 @@ struct ib_vendor_mad { u8 data[IB_MGMT_VENDOR_DATA]; }; +#define IB_MGMT_CLASSPORTINFO_ATTR_ID cpu_to_be16(0x0001) + struct ib_class_port_info { u8 base_version; u8 class_version;
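Review bot: In the validate_mad() hunk, the new CM check takes `goto out` without leaving any trace, so a MAD rejected for using a method other than Send on a CM attribute disappears silently. The commit message describes the original symptom as an initiator hang caused by a non-conformant target, so a rate-limited debug message reporting mad_hdr->method and mad_hdr->attr_id just before the goto would make the next such peer diagnosable; it should be rate-limited because the input comes from the remote side. As a style point, the inner parentheses around each of the three comparisons are not needed.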
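Review bot: IB_MGMT_CLASSPORTINFO_ATTR_ID in the ib_mad.h hunk is defined already wrapped in cpu_to_be16(), and nothing in the name or around the define says so. That is right for the direct comparison with mad_hdr->attr_id in validate_mad(), but a one-line comment stating the value is in network byte order, or keeping the constant as 0x0001 and converting at the call site, would keep a later user from comparing it against a host-order attribute id. The define also sits between struct ib_vendor_mad and struct ib_class_port_info; a short comment tying it to ClassPortInfo would explain the placement.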