From patchwork Fri Nov 13 20:22:22 2015
X-Patchwork-Submitter: Hal Rosenstock
X-Patchwork-Id: 7614271
To: Doug Ledford, "Hefty, Sean"
Cc: Sagi Grimberg, Bart Van Assche, "Weiny, Ira", Jason Gunthorpe, "linux-rdma@vger.kernel.org"
From: Hal Rosenstock
Subject: [PATCH v2] IB/mad: In validate_mad, validate CM send method for attributes other than ClassPortInfo
Message-ID: <5646467E.2000509@dev.mellanox.co.il>
Date: Fri, 13 Nov 2015 15:22:22 -0500
X-Mailing-List: linux-rdma@vger.kernel.org

Receipt of CM MAD with other than the Send method for an attribute other than the ClassPortInfo attribute is invalid.

CM attributes other than ClassPortInfo only use the send method.

The SRP initiator does not maintain a timeout policy for CM connect requests and relies on the CM layer to do that. The result was that the SRP initiator hung as the connect request never completed.

A new SRP target has been observed to respond to Send CM REQ with GetResp of CM REQ with bad status. This is non-conformant with IBA spec but exposes a vulnerability in the current MAD/CM code which will respond to the incoming GetResp of CM REQ as if it was a valid incoming Send of CM REQ rather than tossing this on the floor. It also causes the MAD layer not to retransmit the original REQ even though it has not received a REP.

Reviewed-by: Sagi Grimberg
Signed-off-by: Hal Rosenstock
Reviewed-by: Ira Weiny
---
Changes since v1:
Removed ClassPortInfo method validation

 drivers/infiniband/core/mad.c | 5 +++++
 include/rdma/ib_mad.h | 2 ++
 2 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c index 8d8af7a..2281de1 100644 --- a/drivers/infiniband/core/mad.c +++ b/drivers/infiniband/core/mad.c 
@@ -1811,6 +1811,11 @@ static int validate_mad(const struct ib_mad_hdr *mad_hdr, if (qp_num == 0) valid = 1; } else { + /* CM attributes other than ClassPortInfo only use Send method */ + if ((mad_hdr->mgmt_class == IB_MGMT_CLASS_CM) && + (mad_hdr->attr_id != IB_MGMT_CLASSPORTINFO_ATTR_ID) && + (mad_hdr->method != IB_MGMT_METHOD_SEND)) + goto out; /* Filter GSI packets sent to QP0 */ if (qp_num != 0) valid = 1; diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h index 188df91..ec9b44d 100644 --- a/include/rdma/ib_mad.h +++ b/include/rdma/ib_mad.h @@ -237,6 +237,8 @@ struct ib_vendor_mad { u8 data[IB_MGMT_VENDOR_DATA]; }; +#define IB_MGMT_CLASSPORTINFO_ATTR_ID cpu_to_be16(0x0001) + struct ib_class_port_info { u8 base_version; u8 class_version;
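Review bot: In the validate_mad() hunk of drivers/infiniband/core/mad.c, the new CM method check leaves through `goto out` with no message at all, so a peer that answers with a non-Send method for a CM attribute is dropped without any trace on the receiving host. The commit message describes exactly such a non-conformant target, and whoever debugs the next one will have nothing to correlate against. Consider a rate-limited debug message at that point reporting mgmt_class, attr_id and method; rate limiting matters because the path is driven entirely by remote input. Two smaller points: the check is placed ahead of the `/* Filter GSI packets sent to QP0 */` test, so it is evaluated regardless of qp_num, which is harmless but could be stated in the comment; and the inner parentheses around each comparison in the `&&` chain are not needed.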
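Review bot: In the include/rdma/ib_mad.h hunk, `#define IB_MGMT_CLASSPORTINFO_ATTR_ID cpu_to_be16(0x0001)` bakes the byte order into the constant without saying so in the name or in a comment. The use in validate_mad() compares it directly against `mad_hdr->attr_id`, which is correct only because that field is kept in wire order; a later caller that first converts attr_id to host order would compare against the wrong value with no compiler complaint unless sparse endian checking is run. Please add a one-line comment above the define stating that the value is big-endian (wire order) and meant for direct comparison with the header field, or define the host-order value and apply cpu_to_be16() at the point of use.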