IB/umad: fix RMPP handling

ib_umad_write in user_mad.c is looking at rmpp_hdr field in MAD before
checking that the MAD actually has the RMPP header.  So for a MAD
without RMPP header it looks like we are actually checking a bit
inside M_Key, or something.

Signed-off-by: Jack Morgenstein <jackm@mellanox.co.il>
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index e73f81c..eb7f525 100644 (file)
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -310,7 +310,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
        u8 method;
        __be64 *tid;
        int ret, length, hdr_len, copy_offset;
-       int rmpp_active = 0;
+       int rmpp_active, has_rmpp_header;
 
        if (count < sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR)
                return -EINVAL;
@@ -360,28 +360,31 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
        }
 
        rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;
-       if (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE) {
-               /* RMPP active */
-               if (!agent->rmpp_version) {
-                       ret = -EINVAL;
-                       goto err_ah;
-               }
-
-               /* Validate that the management class can support RMPP */
-               if (rmpp_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_SUBN_ADM) {
-                       hdr_len = IB_MGMT_SA_HDR;
-               } else if ((rmpp_mad->mad_hdr.mgmt_class >= IB_MGMT_CLASS_VENDOR_RANGE2_START) &&
-                           (rmpp_mad->mad_hdr.mgmt_class <= IB_MGMT_CLASS_VENDOR_RANGE2_END)) {
-                               hdr_len = IB_MGMT_VENDOR_HDR;
-               } else {
-                       ret = -EINVAL;
-                       goto err_ah;
-               }
-               rmpp_active = 1;
+       if (rmpp_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_SUBN_ADM) {
+               hdr_len = IB_MGMT_SA_HDR;
                copy_offset = IB_MGMT_RMPP_HDR;
+               has_rmpp_header = 1;
+       } else if (rmpp_mad->mad_hdr.mgmt_class >= IB_MGMT_CLASS_VENDOR_RANGE2_START &&
+                  rmpp_mad->mad_hdr.mgmt_class <= IB_MGMT_CLASS_VENDOR_RANGE2_END) {
+                       hdr_len = IB_MGMT_VENDOR_HDR;
+                       copy_offset = IB_MGMT_RMPP_HDR;
+                       has_rmpp_header = 1;
        } else {
                hdr_len = IB_MGMT_MAD_HDR;
                copy_offset = IB_MGMT_MAD_HDR;
+               has_rmpp_header = 0;
+       }
+
+       if (has_rmpp_header)
+               rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) &
+                             IB_MGMT_RMPP_FLAG_ACTIVE;
+       else
+               rmpp_active = 0;
+
+       /* Validate that the management class can support RMPP */
+       if (rmpp_active && !agent->rmpp_version) {
+               ret = -EINVAL;
+               goto err_ah;
        }
 
        packet->msg = ib_create_send_mad(agent,