git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Faisal Latif <faisal.latif@intel.com>
	Thu, 12 Mar 2009 21:34:59 +0000 (14:34 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Tue, 17 Mar 2009 00:32:06 +0000 (17:32 -0700)
commit	ceb5722adfe975c1014180a94360e8d410924b4b
tree	6fbf44d7d4a9762112471dc6d5cbf9f455550e28	tree \| snapshot
parent	462fd62154c5afae1d7a5735724c6fa8a08e1934	commit \| diff

RDMA/nes: Don't allow userspace QPs to use STag zero

commit c12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 upstream.

STag zero is a special STag that allows consumers to access any bus
address without registering memory. The nes driver unfortunately
allows STag zero to be used even with QPs created by unprivileged
userspace consumers, which means that any process with direct verbs
access to the nes device can read and write any memory accessible to
the underlying PCI device (usually any memory in the system). Such
access is usually given for cluster software such as MPI to use, so
this is a local privilege escalation bug on most systems running this
driver.

The driver was using STag zero to receive the last streaming mode
data; to allow STag zero to be disabled for unprivileged QPs, the
driver now registers a special MR for this data.

Signed-off-by: Faisal Latif <faisal.latif@intel.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/infiniband/hw/nes/nes_cm.c		diff \| blob \| history
drivers/infiniband/hw/nes/nes_verbs.c		diff \| blob \| history
drivers/infiniband/hw/nes/nes_verbs.h		diff \| blob \| history