[PATCH] RDMA/irdma: validate AEQ QP and CQ indices

Next message: Guixin Liu: "[PATCH 0/2] Update MSI-X irq domain hwsize"
Previous message: Jason Wang: "Re: [PATCH net-next v8 2/4] vhost-net: wake queue of tun/tap after ptr_ring consume"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 21:54:15 EST

irdma_process_aeq() trusts the QP/CQ identifier decoded from the
hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
without first checking that the identifier fits the allocated table.

Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
rf->max_cq before touching the tables. This keeps malformed or stale
hardware event records from walking past the end of the driver-owned
resource arrays.
---
drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
index f4ae530f56db..32d7ac7d3885 100644
--- a/drivers/infiniband/hw/irdma/hw.c
+++ b/drivers/infiniband/hw/irdma/hw.c
@@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
info->iwarp_state, info->ae_src);

if (info->qp) {
+ if (unlikely(info->qp_cq_id >= rf->max_qp)) {
+ ibdev_warn_ratelimited(&iwdev->ibdev,
+ "AEQ reported invalid QP id %u\n",
+ info->qp_cq_id);
+ continue;
+ }
+
spin_lock_irqsave(&rf->qptable_lock, flags);
iwqp = rf->qp_table[info->qp_cq_id];
if (!iwqp) {
@@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
"Processing an iWARP related AE for CQ misc = 0x%04X\n",
info->ae_id);

+ if (unlikely(info->qp_cq_id >= rf->max_cq)) {
+ ibdev_warn_ratelimited(&iwdev->ibdev,
+ "AEQ reported invalid CQ id %u\n",
+ info->qp_cq_id);
+ continue;
+ }
+
spin_lock_irqsave(&rf->cqtable_lock, flags);
iwcq = rf->cq_table[info->qp_cq_id];
if (!iwcq) {
--
2.50.1 (Apple Git-155)