Commit 425e1c90 authored by Bob Pearson's avatar Bob Pearson Committed by Jason Gunthorpe
Browse files

RDMA/rxe: Fix access checks in rxe_check_bind_mw 

The subroutine rxe_check_bind_mw() in rxe_mw.c performs checks on the mw
access flags before they are set so they always succeed.  This patch
instead checks the access flags passed in the send wqe.

Fixes: 32a577b4 ("RDMA/rxe: Add support for bind MW work requests")
Link: https://lore.kernel.org/r/20230530221334.89432-4-rpearsonhpe@gmail.com


Signed-off-by: default avatarBob Pearson <rpearsonhpe@gmail.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
parent 2a129958

drivers/infiniband/sw/rxe/rxe_mw.c

+9 −8
Original line number Diff line number Diff line
@@ -48,7 +48,7 @@ int rxe_dealloc_mw(struct ib_mw *ibmw) 
}



static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe,

			 struct rxe_mw *mw, struct rxe_mr *mr)

			 struct rxe_mw *mw, struct rxe_mr *mr, int access)

{

	if (mw->ibmw.type == IB_MW_TYPE_1) {

		if (unlikely(mw->state != RXE_MW_STATE_VALID)) {
@@ -58,7 +58,7 @@ static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, 
		}



		/* o10-36.2.2 */

		if (unlikely((mw->access & IB_ZERO_BASED))) {

		if (unlikely((access & IB_ZERO_BASED))) {

			rxe_dbg_mw(mw, "attempt to bind a zero based type 1 MW\n");

			return -EINVAL;

		}
@@ -104,7 +104,7 @@ static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, 
	}



	/* C10-74 */

	if (unlikely((mw->access &

	if (unlikely((access &

		      (IB_ACCESS_REMOTE_WRITE | IB_ACCESS_REMOTE_ATOMIC)) &&

		     !(mr->access & IB_ACCESS_LOCAL_WRITE))) {

		rxe_dbg_mw(mw,
@@ -113,7 +113,7 @@ static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, 
	}



	/* C10-75 */

	if (mw->access & IB_ZERO_BASED) {

	if (access & IB_ZERO_BASED) {

		if (unlikely(wqe->wr.wr.mw.length > mr->ibmr.length)) {

			rxe_dbg_mw(mw,

				"attempt to bind a ZB MW outside of the MR\n");
@@ -133,12 +133,12 @@ static int rxe_check_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe, 
}



static void rxe_do_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe,

		      struct rxe_mw *mw, struct rxe_mr *mr)

		      struct rxe_mw *mw, struct rxe_mr *mr, int access)

{

	u32 key = wqe->wr.wr.mw.rkey & 0xff;



	mw->rkey = (mw->rkey & ~0xff) | key;

	mw->access = wqe->wr.wr.mw.access;

	mw->access = access;

	mw->state = RXE_MW_STATE_VALID;

	mw->addr = wqe->wr.wr.mw.addr;

	mw->length = wqe->wr.wr.mw.length;
@@ -169,6 +169,7 @@ int rxe_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe) 
	struct rxe_dev *rxe = to_rdev(qp->ibqp.device);

	u32 mw_rkey = wqe->wr.wr.mw.mw_rkey;

	u32 mr_lkey = wqe->wr.wr.mw.mr_lkey;

	int access = wqe->wr.wr.mw.access;



	mw = rxe_pool_get_index(&rxe->mw_pool, mw_rkey >> 8);

	if (unlikely(!mw)) {
@@ -198,11 +199,11 @@ int rxe_bind_mw(struct rxe_qp *qp, struct rxe_send_wqe *wqe) 


	spin_lock_bh(&mw->lock);



	ret = rxe_check_bind_mw(qp, wqe, mw, mr);

	ret = rxe_check_bind_mw(qp, wqe, mw, mr, access);

	if (ret)

		goto err_unlock;



	rxe_do_bind_mw(qp, wqe, mw, mr);

	rxe_do_bind_mw(qp, wqe, mw, mr, access);

err_unlock:

	spin_unlock_bh(&mw->lock);

err_drop_mr: