[openib-general] user_mad: large rmpp length problem

[Michael S. Tsirkin]

Hello!
ib_umad_write currently accepts a count parameter from user
and attempts to allocate mad of size count - sizeof (struct ib_user_mad)
in kernel memory.

This, obviously, fails with -ENOMEM, which means that we cant
send large transactions with RMPP.

The proper fix appears to be to transfer the data by chunks,
waking the user process and copying a fixed number of bytes each time.

A simpler fix would be allocate all of the memory in one go,
but by chunks, and make it possible to pass a list of buffers
to ib_post_send_mad. This would, however, open us up for a DOS
scenario when the user want to send a huge RMPP transaction -
not sure how serious that is.

Both ways would require API changed, mainly to ib_create_send_mad
and ib_post_send_mad functions.

Comments? What would be the best solution to this problem?

-- 
MST