RDMA: Check net namespace access for uverbs, umad, cma and nldev

Introduce an API rdma_dev_access_netns() to check whether a rdma device
can be accessed from the specified net namespace or not.
Use rdma_dev_access_netns() while opening character uverbs, umad network
device and also check while rdma cm_id binds to rdma device.

Signed-off-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index a8b9c66c85252b63620b63d176adadac902c4fdf..895899230a7e4cbff255a615abc8dac70a4431ea 100644 (file)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -616,6 +616,9 @@ cma_validate_port(struct ib_device *device, u8 port,
        int dev_type = dev_addr->dev_type;
        struct net_device *ndev = NULL;
 
+       if (!rdma_dev_access_netns(device, id_priv->id.route.addr.dev_addr.net))
+               return ERR_PTR(-ENODEV);
+
        if ((dev_type == ARPHRD_INFINIBAND) && !rdma_protocol_ib(device, port))
                return ERR_PTR(-ENODEV);
 

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index ebc0b0e58eca2d69e65046a10da31555de825fea..74736ea9b007bf13c2c2ca6df7b18af927572802 100644 (file)
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -131,6 +131,26 @@ static bool ib_devices_shared_netns = true;
 module_param_named(netns_mode, ib_devices_shared_netns, bool, 0444);
 MODULE_PARM_DESC(netns_mode,
                 "Share device among net namespaces; default=1 (shared)");
+/**
+ * rdma_dev_access_netns() - Return whether a rdma device can be accessed
+ *                          from a specified net namespace or not.
+ * @device:    Pointer to rdma device which needs to be checked
+ * @net:       Pointer to net namesapce for which access to be checked
+ *
+ * rdma_dev_access_netns() - Return whether a rdma device can be accessed
+ *                          from a specified net namespace or not. When
+ *                          rdma device is in shared mode, it ignores the
+ *                          net namespace. When rdma device is exclusive
+ *                          to a net namespace, rdma device net namespace is
+ *                          checked against the specified one.
+ */
+bool rdma_dev_access_netns(const struct ib_device *dev, const struct net *net)
+{
+       return (ib_devices_shared_netns ||
+               net_eq(read_pnet(&dev->coredev.rdma_net), net));
+}
+EXPORT_SYMBOL(rdma_dev_access_netns);
+
 /*
  * xarray has this behavior where it won't iterate over NULL values stored in
  * allocated arrays.  So we need our own iterator to see all values stored in

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 2de5b4404abc4f65cce33c235a45da058de2b33c..56aa342061100c64c4760ff9ba494e1d996df94e 100644 (file)
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -980,6 +980,11 @@ static int ib_umad_open(struct inode *inode, struct file *filp)
                goto out;
        }
 
+       if (!rdma_dev_access_netns(port->ib_dev, current->nsproxy->net_ns)) {
+               ret = -EPERM;
+               goto out;
+       }
+
        file = kzalloc(sizeof(*file), GFP_KERNEL);
        if (!file) {
                ret = -ENOMEM;
@@ -1073,6 +1078,11 @@ static int ib_umad_sm_open(struct inode *inode, struct file *filp)
                }
        }
 
+       if (!rdma_dev_access_netns(port->ib_dev, current->nsproxy->net_ns)) {
+               ret = -EPERM;
+               goto err_up_sem;
+       }
+
        ret = ib_modify_port(port->ib_dev, port->port_num, 0, &props);
        if (ret)
                goto err_up_sem;

diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index b8fc5a329e212d9decc3c4faac22d8dc6b3e77ec..fef4519d12413a78de703672fce215d064b32c9a 100644 (file)
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -1045,6 +1045,11 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp)
                goto err;
        }
 
+       if (!rdma_dev_access_netns(ib_dev, current->nsproxy->net_ns)) {
+               ret = -EPERM;
+               goto err;
+       }
+
        /* In case IB device supports disassociate ucontext, there is no hard
         * dependency between uverbs device and its low level device.
         */

diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index d42267e72c4b05e19a36323b1f4f090ad2b3d998..418d17c8b65b65ca050ec21a129aee9061c70e00 100644 (file)
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -4381,4 +4381,7 @@ static inline struct ib_device *rdma_device_to_ibdev(struct device *device)
  */
 #define rdma_device_to_drv_device(dev, drv_dev_struct, ibdev_member)           \
        container_of(rdma_device_to_ibdev(dev), drv_dev_struct, ibdev_member)
+
+bool rdma_dev_access_netns(const struct ib_device *device,
+                          const struct net *net);
 #endif /* IB_VERBS_H */