mlx5: invalidate cq->cur_rsc when QP is destroyed inside a polling batch

For CQ created in single threaded mode serving multiple QPs, if the user destroys a QP between ibv_start_poll() and ibv_end_poll(), then cq->cur_rsc should be invalidated since it may point to the QP that is being destroyed, which may cause UAF error in the next ibv_next_poll() call. Signed-off-by: ZHOU Huaping <zhouhuaping.san@bytedance.com>
linux-rdma · Nov 28, 2024 · 8452205 · 8452205
1 parent 18c97ed
commit 8452205
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/providers/mlx5/cq.c b/providers/mlx5/cq.c
@@ -1822,6 +1822,16 @@ void __mlx5_cq_clean(struct mlx5_cq *cq, uint32_t rsn, struct mlx5_srq *srq)
 	if (!cq || cq->flags & MLX5_CQ_FLAGS_DV_OWNED)
 		return;
 
+	/*
+	 * For CQ created in single threaded mode serving multiple
+	 * QPs, if the user destroys a QP between ibv_start_poll()
+	 * and ibv_end_poll(), then cq->cur_rsc should be invalidated
+	 * since it may point to the QP that is being destroyed, which
+	 * may cause UAF error in the next ibv_next_poll() call.
+	 */
+	if (unlikely(cq->cur_rsc && rsn == cq->cur_rsc->rsn))
+		cq->cur_rsc = NULL;
+
 	/*
 	 * First we need to find the current producer index, so we
 	 * know where to start cleaning from.  It doesn't matter if HW