]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - drivers/infiniband/core/security.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'sound-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai...
[mirror_ubuntu-bionic-kernel.git] / drivers / infiniband / core / security.c
CommitLineData
d291f1a6
DJ		 1/*
2 * Copyright (c) 2016 Mellanox Technologies Ltd. All rights reserved.
3 *
4 * This software is available to you under a choice of one of two
5 * licenses. You may choose to be licensed under the terms of the GNU
6 * General Public License (GPL) Version 2, available from the file
7 * COPYING in the main directory of this source tree, or the
8 * OpenIB.org BSD license below:
9 *
10 * Redistribution and use in source and binary forms, with or
11 * without modification, are permitted provided that the following
12 * conditions are met:
13 *
14 * - Redistributions of source code must retain the above
15 * copyright notice, this list of conditions and the following
16 * disclaimer.
17 *
18 * - Redistributions in binary form must reproduce the above
19 * copyright notice, this list of conditions and the following
20 * disclaimer in the documentation and/or other materials
21 * provided with the distribution.
22 *
23 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
27 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
29 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30 * SOFTWARE.
31 */
32
33#ifdef CONFIG_SECURITY_INFINIBAND
34
35#include <linux/security.h>
36#include <linux/completion.h>
37#include <linux/list.h>
38
39#include <rdma/ib_verbs.h>
40#include <rdma/ib_cache.h>
41#include "core_priv.h"
47a2b338 42#include "mad_priv.h"
d291f1a6
DJ		 43
44static struct pkey_index_qp_list *get_pkey_idx_qp_list(struct ib_port_pkey *pp)
45{
46 struct pkey_index_qp_list *pkey = NULL;
47 struct pkey_index_qp_list *tmp_pkey;
48 struct ib_device *dev = pp->sec->dev;
49
50 spin_lock(&dev->port_pkey_list[pp->port_num].list_lock);
51 list_for_each_entry(tmp_pkey,
52 &dev->port_pkey_list[pp->port_num].pkey_list,
53 pkey_index_list) {
54 if (tmp_pkey->pkey_index == pp->pkey_index) {
55 pkey = tmp_pkey;
56 break;
57 }
58 }
59 spin_unlock(&dev->port_pkey_list[pp->port_num].list_lock);
60 return pkey;
61}
62
63static int get_pkey_and_subnet_prefix(struct ib_port_pkey *pp,
64 u16 *pkey,
65 u64 *subnet_prefix)
66{
67 struct ib_device *dev = pp->sec->dev;
68 int ret;
69
70 ret = ib_get_cached_pkey(dev, pp->port_num, pp->pkey_index, pkey);
71 if (ret)
72 return ret;
73
74 ret = ib_get_cached_subnet_prefix(dev, pp->port_num, subnet_prefix);
75
76 return ret;
77}
78
79static int enforce_qp_pkey_security(u16 pkey,
80 u64 subnet_prefix,
81 struct ib_qp_security *qp_sec)
82{
83 struct ib_qp_security *shared_qp_sec;
84 int ret;
85
86 ret = security_ib_pkey_access(qp_sec->security, subnet_prefix, pkey);
87 if (ret)
88 return ret;
89
877add28
DJ		 90 list_for_each_entry(shared_qp_sec,
91 &qp_sec->shared_qp_list,
92 shared_qp_list) {
93 ret = security_ib_pkey_access(shared_qp_sec->security,
94 subnet_prefix,
95 pkey);
96 if (ret)
97 return ret;
d291f1a6
DJ		 98 }
99 return 0;
100}
101
102/* The caller of this function must hold the QP security
103 * mutex of the QP of the security structure in *pps.
104 *
105 * It takes separate ports_pkeys and security structure
106 * because in some cases the pps will be for a new settings
107 * or the pps will be for the real QP and security structure
108 * will be for a shared QP.
109 */
110static int check_qp_port_pkey_settings(struct ib_ports_pkeys *pps,
111 struct ib_qp_security *sec)
112{
113 u64 subnet_prefix;
114 u16 pkey;
115 int ret = 0;
116
117 if (!pps)
118 return 0;
119
120 if (pps->main.state != IB_PORT_PKEY_NOT_VALID) {
79d0636a
DJ		 121 ret = get_pkey_and_subnet_prefix(&pps->main,
122 &pkey,
123 &subnet_prefix);
124 if (ret)
125 return ret;
d291f1a6
DJ		 126
127 ret = enforce_qp_pkey_security(pkey,
128 subnet_prefix,
129 sec);
79d0636a
DJ		 130 if (ret)
131 return ret;
d291f1a6 132 }
d291f1a6
DJ		 133
134 if (pps->alt.state != IB_PORT_PKEY_NOT_VALID) {
79d0636a
DJ		 135 ret = get_pkey_and_subnet_prefix(&pps->alt,
136 &pkey,
137 &subnet_prefix);
138 if (ret)
139 return ret;
d291f1a6
DJ		 140
141 ret = enforce_qp_pkey_security(pkey,
142 subnet_prefix,
143 sec);
144 }
145
146 return ret;
147}
148
149/* The caller of this function must hold the QP security
150 * mutex.
151 */
152static void qp_to_error(struct ib_qp_security *sec)
153{
154 struct ib_qp_security *shared_qp_sec;
155 struct ib_qp_attr attr = {
156 .qp_state = IB_QPS_ERR
157 };
158 struct ib_event event = {
159 .event = IB_EVENT_QP_FATAL
160 };
161
162 /* If the QP is in the process of being destroyed
163 * the qp pointer in the security structure is
164 * undefined. It cannot be modified now.
165 */
166 if (sec->destroying)
167 return;
168
169 ib_modify_qp(sec->qp,
170 &attr,
171 IB_QP_STATE);
172
173 if (sec->qp->event_handler && sec->qp->qp_context) {
174 event.element.qp = sec->qp;
175 sec->qp->event_handler(&event,
176 sec->qp->qp_context);
177 }
178
179 list_for_each_entry(shared_qp_sec,
180 &sec->shared_qp_list,
181 shared_qp_list) {
182 struct ib_qp *qp = shared_qp_sec->qp;
183
184 if (qp->event_handler && qp->qp_context) {
185 event.element.qp = qp;
186 event.device = qp->device;
187 qp->event_handler(&event,
188 qp->qp_context);
189 }
190 }
191}
192
193static inline void check_pkey_qps(struct pkey_index_qp_list *pkey,
194 struct ib_device *device,
195 u8 port_num,
196 u64 subnet_prefix)
197{
198 struct ib_port_pkey *pp, *tmp_pp;
199 bool comp;
200 LIST_HEAD(to_error_list);
201 u16 pkey_val;
202
203 if (!ib_get_cached_pkey(device,
204 port_num,
205 pkey->pkey_index,
206 &pkey_val)) {
207 spin_lock(&pkey->qp_list_lock);
208 list_for_each_entry(pp, &pkey->qp_list, qp_list) {
209 if (atomic_read(&pp->sec->error_list_count))
210 continue;
211
212 if (enforce_qp_pkey_security(pkey_val,
213 subnet_prefix,
214 pp->sec)) {
215 atomic_inc(&pp->sec->error_list_count);
216 list_add(&pp->to_error_list,
217 &to_error_list);
218 }
219 }
220 spin_unlock(&pkey->qp_list_lock);
221 }
222
223 list_for_each_entry_safe(pp,
224 tmp_pp,
225 &to_error_list,
226 to_error_list) {
227 mutex_lock(&pp->sec->mutex);
228 qp_to_error(pp->sec);
229 list_del(&pp->to_error_list);
230 atomic_dec(&pp->sec->error_list_count);
231 comp = pp->sec->destroying;
232 mutex_unlock(&pp->sec->mutex);
233
234 if (comp)
235 complete(&pp->sec->error_complete);
236 }
237}
238
239/* The caller of this function must hold the QP security
240 * mutex.
241 */
242static int port_pkey_list_insert(struct ib_port_pkey *pp)
243{
244 struct pkey_index_qp_list *tmp_pkey;
245 struct pkey_index_qp_list *pkey;
246 struct ib_device *dev;
247 u8 port_num = pp->port_num;
248 int ret = 0;
249
250 if (pp->state != IB_PORT_PKEY_VALID)
251 return 0;
252
253 dev = pp->sec->dev;
254
255 pkey = get_pkey_idx_qp_list(pp);
256
257 if (!pkey) {
258 bool found = false;
259
260 pkey = kzalloc(sizeof(*pkey), GFP_KERNEL);
261 if (!pkey)
262 return -ENOMEM;
263
264 spin_lock(&dev->port_pkey_list[port_num].list_lock);
265 /* Check for the PKey again. A racing process may
266 * have created it.
267 */
268 list_for_each_entry(tmp_pkey,
269 &dev->port_pkey_list[port_num].pkey_list,
270 pkey_index_list) {
271 if (tmp_pkey->pkey_index == pp->pkey_index) {
272 kfree(pkey);
273 pkey = tmp_pkey;
274 found = true;
275 break;
276 }
277 }
278
279 if (!found) {
280 pkey->pkey_index = pp->pkey_index;
281 spin_lock_init(&pkey->qp_list_lock);
282 INIT_LIST_HEAD(&pkey->qp_list);
283 list_add(&pkey->pkey_index_list,
284 &dev->port_pkey_list[port_num].pkey_list);
285 }
286 spin_unlock(&dev->port_pkey_list[port_num].list_lock);
287 }
288
289 spin_lock(&pkey->qp_list_lock);
290 list_add(&pp->qp_list, &pkey->qp_list);
291 spin_unlock(&pkey->qp_list_lock);
292
293 pp->state = IB_PORT_PKEY_LISTED;
294
295 return ret;
296}
297
298/* The caller of this function must hold the QP security
299 * mutex.
300 */
301static void port_pkey_list_remove(struct ib_port_pkey *pp)
302{
303 struct pkey_index_qp_list *pkey;
304
305 if (pp->state != IB_PORT_PKEY_LISTED)
306 return;
307
308 pkey = get_pkey_idx_qp_list(pp);
309
310 spin_lock(&pkey->qp_list_lock);
311 list_del(&pp->qp_list);
312 spin_unlock(&pkey->qp_list_lock);
313
314 /* The setting may still be valid, i.e. after
315 * a destroy has failed for example.
316 */
317 pp->state = IB_PORT_PKEY_VALID;
318}
319
320static void destroy_qp_security(struct ib_qp_security *sec)
321{
322 security_ib_free_security(sec->security);
323 kfree(sec->ports_pkeys);
324 kfree(sec);
325}
326
327/* The caller of this function must hold the QP security
328 * mutex.
329 */
330static struct ib_ports_pkeys *get_new_pps(const struct ib_qp *qp,
331 const struct ib_qp_attr *qp_attr,
332 int qp_attr_mask)
333{
334 struct ib_ports_pkeys *new_pps;
335 struct ib_ports_pkeys *qp_pps = qp->qp_sec->ports_pkeys;
336
337 new_pps = kzalloc(sizeof(*new_pps), GFP_KERNEL);
338 if (!new_pps)
339 return NULL;
340
341 if (qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) {
342 if (!qp_pps) {
343 new_pps->main.port_num = qp_attr->port_num;
344 new_pps->main.pkey_index = qp_attr->pkey_index;
345 } else {
346 new_pps->main.port_num = (qp_attr_mask & IB_QP_PORT) ?
347 qp_attr->port_num :
348 qp_pps->main.port_num;
349
350 new_pps->main.pkey_index =
351 (qp_attr_mask & IB_QP_PKEY_INDEX) ?
352 qp_attr->pkey_index :
353 qp_pps->main.pkey_index;
354 }
355 new_pps->main.state = IB_PORT_PKEY_VALID;
356 } else if (qp_pps) {
357 new_pps->main.port_num = qp_pps->main.port_num;
358 new_pps->main.pkey_index = qp_pps->main.pkey_index;
359 if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
360 new_pps->main.state = IB_PORT_PKEY_VALID;
361 }
362
363 if (qp_attr_mask & IB_QP_ALT_PATH) {
364 new_pps->alt.port_num = qp_attr->alt_port_num;
365 new_pps->alt.pkey_index = qp_attr->alt_pkey_index;
366 new_pps->alt.state = IB_PORT_PKEY_VALID;
367 } else if (qp_pps) {
368 new_pps->alt.port_num = qp_pps->alt.port_num;
369 new_pps->alt.pkey_index = qp_pps->alt.pkey_index;
370 if (qp_pps->alt.state != IB_PORT_PKEY_NOT_VALID)
371 new_pps->alt.state = IB_PORT_PKEY_VALID;
372 }
373
374 new_pps->main.sec = qp->qp_sec;
375 new_pps->alt.sec = qp->qp_sec;
376 return new_pps;
377}
378
379int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev)
380{
381 struct ib_qp *real_qp = qp->real_qp;
382 int ret;
383
384 ret = ib_create_qp_security(qp, dev);
385
386 if (ret)
387 return ret;
388
389 mutex_lock(&real_qp->qp_sec->mutex);
390 ret = check_qp_port_pkey_settings(real_qp->qp_sec->ports_pkeys,
391 qp->qp_sec);
392
393 if (ret)
394 goto ret;
395
396 if (qp != real_qp)
397 list_add(&qp->qp_sec->shared_qp_list,
398 &real_qp->qp_sec->shared_qp_list);
399ret:
400 mutex_unlock(&real_qp->qp_sec->mutex);
401 if (ret)
402 destroy_qp_security(qp->qp_sec);
403
404 return ret;
405}
406
407void ib_close_shared_qp_security(struct ib_qp_security *sec)
408{
409 struct ib_qp *real_qp = sec->qp->real_qp;
410
411 mutex_lock(&real_qp->qp_sec->mutex);
412 list_del(&sec->shared_qp_list);
413 mutex_unlock(&real_qp->qp_sec->mutex);
414
415 destroy_qp_security(sec);
416}
417
418int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
419{
315d160c
DJ		 420 u8 i = rdma_start_port(dev);
421 bool is_ib = false;
d291f1a6
DJ		 422 int ret;
423
315d160c
DJ		 424 while (i <= rdma_end_port(dev) && !is_ib)
425 is_ib = rdma_protocol_ib(dev, i++);
426
427 /* If this isn't an IB device don't create the security context */
428 if (!is_ib)
429 return 0;
430
d291f1a6
DJ		 431 qp->qp_sec = kzalloc(sizeof(*qp->qp_sec), GFP_KERNEL);
432 if (!qp->qp_sec)
433 return -ENOMEM;
434
435 qp->qp_sec->qp = qp;
436 qp->qp_sec->dev = dev;
437 mutex_init(&qp->qp_sec->mutex);
438 INIT_LIST_HEAD(&qp->qp_sec->shared_qp_list);
439 atomic_set(&qp->qp_sec->error_list_count, 0);
440 init_completion(&qp->qp_sec->error_complete);
441 ret = security_ib_alloc_security(&qp->qp_sec->security);
73827a60 442 if (ret) {
d291f1a6 443 kfree(qp->qp_sec);
73827a60
PP		 444 qp->qp_sec = NULL;
445 }
d291f1a6
DJ		 446
447 return ret;
448}
449EXPORT_SYMBOL(ib_create_qp_security);
450
451void ib_destroy_qp_security_begin(struct ib_qp_security *sec)
452{
315d160c
DJ		 453 /* Return if not IB */
454 if (!sec)
455 return;
456
d291f1a6
DJ		 457 mutex_lock(&sec->mutex);
458
459 /* Remove the QP from the lists so it won't get added to
460 * a to_error_list during the destroy process.
461 */
462 if (sec->ports_pkeys) {
463 port_pkey_list_remove(&sec->ports_pkeys->main);
464 port_pkey_list_remove(&sec->ports_pkeys->alt);
465 }
466
467 /* If the QP is already in one or more of those lists
468 * the destroying flag will ensure the to error flow
469 * doesn't operate on an undefined QP.
470 */
471 sec->destroying = true;
472
473 /* Record the error list count to know how many completions
474 * to wait for.
475 */
476 sec->error_comps_pending = atomic_read(&sec->error_list_count);
477
478 mutex_unlock(&sec->mutex);
479}
480
481void ib_destroy_qp_security_abort(struct ib_qp_security *sec)
482{
483 int ret;
484 int i;
485
315d160c
DJ		 486 /* Return if not IB */
487 if (!sec)
488 return;
489
d291f1a6
DJ		 490 /* If a concurrent cache update is in progress this
491 * QP security could be marked for an error state
492 * transition. Wait for this to complete.
493 */
494 for (i = 0; i < sec->error_comps_pending; i++)
495 wait_for_completion(&sec->error_complete);
496
497 mutex_lock(&sec->mutex);
498 sec->destroying = false;
499
500 /* Restore the position in the lists and verify
501 * access is still allowed in case a cache update
502 * occurred while attempting to destroy.
503 *
504 * Because these setting were listed already
505 * and removed during ib_destroy_qp_security_begin
506 * we know the pkey_index_qp_list for the PKey
507 * already exists so port_pkey_list_insert won't fail.
508 */
509 if (sec->ports_pkeys) {
510 port_pkey_list_insert(&sec->ports_pkeys->main);
511 port_pkey_list_insert(&sec->ports_pkeys->alt);
512 }
513
514 ret = check_qp_port_pkey_settings(sec->ports_pkeys, sec);
515 if (ret)
516 qp_to_error(sec);
517
518 mutex_unlock(&sec->mutex);
519}
520
521void ib_destroy_qp_security_end(struct ib_qp_security *sec)
522{
523 int i;
524
315d160c
DJ		 525 /* Return if not IB */
526 if (!sec)
527 return;
528
d291f1a6
DJ		 529 /* If a concurrent cache update is occurring we must
530 * wait until this QP security structure is processed
531 * in the QP to error flow before destroying it because
532 * the to_error_list is in use.
533 */
534 for (i = 0; i < sec->error_comps_pending; i++)
535 wait_for_completion(&sec->error_complete);
536
537 destroy_qp_security(sec);
538}
539
540void ib_security_cache_change(struct ib_device *device,
541 u8 port_num,
542 u64 subnet_prefix)
543{
544 struct pkey_index_qp_list *pkey;
545
546 list_for_each_entry(pkey,
547 &device->port_pkey_list[port_num].pkey_list,
548 pkey_index_list) {
549 check_pkey_qps(pkey,
550 device,
551 port_num,
552 subnet_prefix);
553 }
554}
555
556void ib_security_destroy_port_pkey_list(struct ib_device *device)
557{
558 struct pkey_index_qp_list *pkey, *tmp_pkey;
559 int i;
560
561 for (i = rdma_start_port(device); i <= rdma_end_port(device); i++) {
562 spin_lock(&device->port_pkey_list[i].list_lock);
563 list_for_each_entry_safe(pkey,
564 tmp_pkey,
565 &device->port_pkey_list[i].pkey_list,
566 pkey_index_list) {
567 list_del(&pkey->pkey_index_list);
568 kfree(pkey);
569 }
570 spin_unlock(&device->port_pkey_list[i].list_lock);
571 }
572}
573
574int ib_security_modify_qp(struct ib_qp *qp,
575 struct ib_qp_attr *qp_attr,
576 int qp_attr_mask,
577 struct ib_udata *udata)
578{
579 int ret = 0;
580 struct ib_ports_pkeys *tmp_pps;
315d160c 581 struct ib_ports_pkeys *new_pps = NULL;
877add28
DJ		 582 struct ib_qp *real_qp = qp->real_qp;
583 bool special_qp = (real_qp->qp_type == IB_QPT_SMI ||
584 real_qp->qp_type == IB_QPT_GSI ||
585 real_qp->qp_type >= IB_QPT_RESERVED1);
d291f1a6
DJ		 586 bool pps_change = ((qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) ||
587 (qp_attr_mask & IB_QP_ALT_PATH));
588
315d160c
DJ		 589 WARN_ONCE((qp_attr_mask & IB_QP_PORT &&
590 rdma_protocol_ib(real_qp->device, qp_attr->port_num) &&
591 !real_qp->qp_sec),
592 "%s: QP security is not initialized for IB QP: %d\n",
593 __func__, real_qp->qp_num);
594
877add28
DJ		 595 /* The port/pkey settings are maintained only for the real QP. Open
596 * handles on the real QP will be in the shared_qp_list. When
597 * enforcing security on the real QP all the shared QPs will be
598 * checked as well.
599 */
600
315d160c 601 if (pps_change && !special_qp && real_qp->qp_sec) {
877add28
DJ		 602 mutex_lock(&real_qp->qp_sec->mutex);
603 new_pps = get_new_pps(real_qp,
d291f1a6
DJ		 604 qp_attr,
605 qp_attr_mask);
315d160c
DJ		 606 if (!new_pps) {
607 mutex_unlock(&real_qp->qp_sec->mutex);
608 return -ENOMEM;
609 }
d291f1a6
DJ		 610 /* Add this QP to the lists for the new port
611 * and pkey settings before checking for permission
612 * in case there is a concurrent cache update
613 * occurring. Walking the list for a cache change
614 * doesn't acquire the security mutex unless it's
615 * sending the QP to error.
616 */
617 ret = port_pkey_list_insert(&new_pps->main);
618
619 if (!ret)
620 ret = port_pkey_list_insert(&new_pps->alt);
621
622 if (!ret)
623 ret = check_qp_port_pkey_settings(new_pps,
877add28 624 real_qp->qp_sec);
d291f1a6
DJ		 625 }
626
627 if (!ret)
877add28
DJ		 628 ret = real_qp->device->modify_qp(real_qp,
629 qp_attr,
630 qp_attr_mask,
631 udata);
d291f1a6 632
315d160c 633 if (new_pps) {
d291f1a6
DJ		 634 /* Clean up the lists and free the appropriate
635 * ports_pkeys structure.
636 */
637 if (ret) {
638 tmp_pps = new_pps;
639 } else {
877add28
DJ		 640 tmp_pps = real_qp->qp_sec->ports_pkeys;
641 real_qp->qp_sec->ports_pkeys = new_pps;
d291f1a6
DJ		 642 }
643
644 if (tmp_pps) {
645 port_pkey_list_remove(&tmp_pps->main);
646 port_pkey_list_remove(&tmp_pps->alt);
647 }
648 kfree(tmp_pps);
877add28 649 mutex_unlock(&real_qp->qp_sec->mutex);
d291f1a6
DJ		 650 }
651 return ret;
652}
653EXPORT_SYMBOL(ib_security_modify_qp);
654
47a2b338
DJ		 655int ib_security_pkey_access(struct ib_device *dev,
656 u8 port_num,
657 u16 pkey_index,
658 void *sec)
659{
660 u64 subnet_prefix;
661 u16 pkey;
662 int ret;
663
315d160c
DJ		 664 if (!rdma_protocol_ib(dev, port_num))
665 return 0;
666
47a2b338
DJ		 667 ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey);
668 if (ret)
669 return ret;
670
671 ret = ib_get_cached_subnet_prefix(dev, port_num, &subnet_prefix);
672
673 if (ret)
674 return ret;
675
676 return security_ib_pkey_access(sec, subnet_prefix, pkey);
677}
678EXPORT_SYMBOL(ib_security_pkey_access);
679
680static int ib_mad_agent_security_change(struct notifier_block *nb,
681 unsigned long event,
682 void *data)
683{
684 struct ib_mad_agent *ag = container_of(nb, struct ib_mad_agent, lsm_nb);
685
686 if (event != LSM_POLICY_CHANGE)
687 return NOTIFY_DONE;
688
689 ag->smp_allowed = !security_ib_endport_manage_subnet(ag->security,
690 ag->device->name,
691 ag->port_num);
692
693 return NOTIFY_OK;
694}
695
696int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
697 enum ib_qp_type qp_type)
698{
699 int ret;
700
315d160c
DJ		 701 if (!rdma_protocol_ib(agent->device, agent->port_num))
702 return 0;
703
47a2b338
DJ		 704 ret = security_ib_alloc_security(&agent->security);
705 if (ret)
706 return ret;
707
708 if (qp_type != IB_QPT_SMI)
709 return 0;
710
711 ret = security_ib_endport_manage_subnet(agent->security,
712 agent->device->name,
713 agent->port_num);
714 if (ret)
715 return ret;
716
717 agent->lsm_nb.notifier_call = ib_mad_agent_security_change;
718 ret = register_lsm_notifier(&agent->lsm_nb);
719 if (ret)
720 return ret;
721
722 agent->smp_allowed = true;
723 agent->lsm_nb_reg = true;
724 return 0;
725}
726
727void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
728{
315d160c
DJ		 729 if (!rdma_protocol_ib(agent->device, agent->port_num))
730 return;
731
47a2b338
DJ		 732 security_ib_free_security(agent->security);
733 if (agent->lsm_nb_reg)
734 unregister_lsm_notifier(&agent->lsm_nb);
735}
736
737int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
738{
315d160c
DJ		 739 if (!rdma_protocol_ib(map->agent.device, map->agent.port_num))
740 return 0;
741
0fbe8f57
DJ		 742 if (map->agent.qp->qp_type == IB_QPT_SMI) {
743 if (!map->agent.smp_allowed)
744 return -EACCES;
745 return 0;
746 }
47a2b338 747
2e4c85c6
PP		 748 return ib_security_pkey_access(map->agent.device,
749 map->agent.port_num,
750 pkey_index,
751 map->agent.security);
47a2b338
DJ		 752}
753
d291f1a6 754#endif /* CONFIG_SECURITY_INFINIBAND */
ubuntu-bionic-kernel mirror