On 11/29/2017 1:08 AM, Yuval Shaia wrote:
> On Wed, Nov 29, 2017 at 12:01:21AM +0200, Dan Jurgens wrote:
>> From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>>
>> For now the only LSM security enforcement mechanism available is
>> specific to InfiniBand. Bypass enforcement for non-IB link types.
>> This fixes a regression where modify_qp fails for iWARP because
>> querying the PKEY returns -EINVAL.
>>
>> Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
>> Cc: Don Dutile <ddutile@xxxxxxxxxx>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Reported-by: Potnuri Bharat Teja <bharat@xxxxxxxxxxx>
>> Fixes: d291f1a65232("IB/core: Enforce PKey security on QPs")
>> Fixes: 47a2b338fe63("IB/core: Enforce security on management datagrams")
>> Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
>> Reviewed-by: Parav Pandit <parav@xxxxxxxxxxxx>
>> Tested-by: Potnuri Bharat Teja <bharat@xxxxxxxxxxx>
>> Signed-off-by: Leon Romanovsky <leon@xxxxxxxxxx>
>> ---
>> Changelog:
>> v2->v3: Fix build warning
>> v1->v2: Fixed build errors
>> v0->v1: Added proper SElinux patch
>> ---
>> drivers/infiniband/core/security.c | 47 +++++++++++++++++++++++++++++++++++---
>> 1 file changed, 44 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
>> index 209d057..5bc323f 100644
>> --- a/drivers/infiniband/core/security.c
>> +++ b/drivers/infiniband/core/security.c
>> @@ -417,8 +417,17 @@ void ib_close_shared_qp_security(struct ib_qp_security *sec)
>>
>> int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
>> {
>> + u8 i = rdma_start_port(dev);
>> + bool is_ib = false;
>> int ret;
>>
>> + while (i <= rdma_end_port(dev) && !is_ib)
>> + is_ib = rdma_protocol_ib(dev, i++);
>> +
>> + /* If this isn't an IB device don't create the security context */
>> + if (!is_ib)
>> + return 0;
>> +
>> qp->qp_sec = kzalloc(sizeof(*qp->qp_sec), GFP_KERNEL);
>> if (!qp->qp_sec)
>> return -ENOMEM;
>> @@ -441,6 +450,10 @@ int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
>>
>> void ib_destroy_qp_security_begin(struct ib_qp_security *sec)
>> {
>> + /* Return if not IB */
>> + if (!sec)
>> + return;
>> +
> If we do the check here then suggesting to remove it from ib_destroy_qp.
That would be a bug, this function can still be called and would crash on NULL pointer accesses.
>
>> mutex_lock(&sec->mutex);
>>
>> /* Remove the QP from the lists so it won't get added to
>> @@ -470,6 +483,10 @@ void ib_destroy_qp_security_abort(struct ib_qp_security *sec)
>> int ret;
>> int i;
>>
>> + /* Return if not IB */
>> + if (!sec)
>> + return;
>> +
>> /* If a concurrent cache update is in progress this
>> * QP security could be marked for an error state
>> * transition. Wait for this to complete.
>> @@ -505,6 +522,10 @@ void ib_destroy_qp_security_end(struct ib_qp_security *sec)
>> {
>> int i;
>>
>> + /* Return if not IB */
>> + if (!sec)
>> + return;
>> +
> Ditto.
Same here.
>
>> /* If a concurrent cache update is occurring we must
>> * wait until this QP security structure is processed
>> * in the QP to error flow before destroying it because
>> @@ -557,7 +578,7 @@ int ib_security_modify_qp(struct ib_qp *qp,
>> {
>> int ret = 0;
>> struct ib_ports_pkeys *tmp_pps;
>> - struct ib_ports_pkeys *new_pps;
>> + struct ib_ports_pkeys *new_pps = NULL;
>> struct ib_qp *real_qp = qp->real_qp;
>> bool special_qp = (real_qp->qp_type == IB_QPT_SMI ||
>> real_qp->qp_type == IB_QPT_GSI ||
>> @@ -565,17 +586,25 @@ int ib_security_modify_qp(struct ib_qp *qp,
>> bool pps_change = ((qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) ||
>> (qp_attr_mask & IB_QP_ALT_PATH));
>>
>> + WARN_ONCE((qp_attr_mask & IB_QP_PORT &&
>> + rdma_protocol_ib(real_qp->device, qp_attr->port_num) &&
>> + !real_qp->qp_sec),
>> + "%s: QP security is not initialized for IB QP: %d\n",
>> + __func__, real_qp->qp_num);
>> +
>> /* The port/pkey settings are maintained only for the real QP. Open
>> * handles on the real QP will be in the shared_qp_list. When
>> * enforcing security on the real QP all the shared QPs will be
>> * checked as well.
>> */
>>
>> - if (pps_change && !special_qp) {
>> + if (pps_change && !special_qp && real_qp->qp_sec) {
>> mutex_lock(&real_qp->qp_sec->mutex);
>> new_pps = get_new_pps(real_qp,
>> qp_attr,
>> qp_attr_mask);
>> + if (!new_pps)
>> + return -ENOMEM;
>>
>> /* Add this QP to the lists for the new port
>> * and pkey settings before checking for permission
>> @@ -600,7 +629,7 @@ int ib_security_modify_qp(struct ib_qp *qp,
>> qp_attr_mask,
>> udata);
>>
>> - if (pps_change && !special_qp) {
>> + if (new_pps) {
>> /* Clean up the lists and free the appropriate
>> * ports_pkeys structure.
>> */
>> @@ -630,6 +659,9 @@ static int ib_security_pkey_access(struct ib_device *dev,
>> u16 pkey;
>> int ret;
>>
>> + if (!rdma_protocol_ib(dev, port_num))
>> + return 0;
>> +
>> ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey);
>> if (ret)
>> return ret;
>> @@ -663,6 +695,9 @@ int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
>> {
>> int ret;
>>
>> + if (!rdma_protocol_ib(agent->device, agent->port_num))
>> + return 0;
>> +
>> ret = security_ib_alloc_security(&agent->security);
>> if (ret)
>> return ret;
>> @@ -688,6 +723,9 @@ int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
>>
>> void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
>> {
>> + if (!rdma_protocol_ib(agent->device, agent->port_num))
>> + return;
>> +
>> security_ib_free_security(agent->security);
>> if (agent->lsm_nb_reg)
>> unregister_lsm_notifier(&agent->lsm_nb);
>> @@ -695,6 +733,9 @@ void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
>>
>> int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
>> {
>> + if (!rdma_protocol_ib(map->agent.device, map->agent.port_num))
>> + return 0;
>> +
>> if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
>> return -EACCES;
>>
>> --
>> 1.8.3.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html