On Sun, Oct 20, 2019 at 10:15:57AM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
>
> QPN is supplied by kernel users who controls and creates valid QPs,
> such flow ensures that QPN is limited to 24bits and no need to mask
> already valid QPN.
>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
> drivers/infiniband/core/cm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
> index 7ffa16ea5fe3..2eb8e1fab962 100644
> --- a/drivers/infiniband/core/cm.c
> +++ b/drivers/infiniband/core/cm.c
> @@ -2101,7 +2101,7 @@ int ib_send_cm_rep(struct ib_cm_id *cm_id,
> cm_id_priv->initiator_depth = param->initiator_depth;
> cm_id_priv->responder_resources = param->responder_resources;
> cm_id_priv->rq_psn = cm_rep_get_starting_psn(rep_msg);
> - cm_id_priv->local_qpn = cpu_to_be32(param->qp_num & 0xFFFFFF);
> + cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);

It does seem like this value comes from userspace:

ucma_connect()
  ucma_copy_conn_param()
    dst->qp_num = src->qp_num
  rdma_connect(.., &dst)
    if (!id->qp) {
      id_priv->qp_num = conn_param->qp_num;

vs

cma_accept_ib()
  rep.qp_num = id_priv->qp_num;

Maybe this needs to add some masking to ucma_copy_conn_param()?

Jason
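
Review bot: In ib_send_cm_rep(), the new assignment `cm_id_priv->local_qpn = cpu_to_be32(param->qp_num);` stores param->qp_num with nothing in the hunk bounding it to 24 bits, so the change is only safe if every path into this function already guarantees that width. The commit message rests on kernel users supplying valid QPs, while the call chain quoted in the reply (ucma_copy_conn_param() copying src->qp_num, rdma_connect() taking conn_param->qp_num when !id->qp, and cma_accept_ib() passing id_priv->qp_num as rep.qp_num) describes the value as arriving from user space unchanged. Either keep the `& 0xFFFFFF` here, or mask or reject out-of-range values where the user-supplied qp_num is copied, as the reply suggests for ucma_copy_conn_param(), and state in the commit message where the 24-bit bound is enforced.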