Re: [PATCH] RDMA/irdma: validate AEQ QP and CQ indices

From: Leon Romanovsky

Date: Tue Mar 24 2026 - 03:50:18 EST


On Tue, Mar 24, 2026 at 09:44:59AM +0800, Pengpeng Hou wrote:
> irdma_process_aeq() trusts the QP/CQ identifier decoded from the
> hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
> without first checking that the identifier fits the allocated table.

HW should be programmed to provide valid index.

Thanks

>
> Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
> rf->max_cq before touching the tables. This keeps malformed or stale
> hardware event records from walking past the end of the driver-owned
> resource arrays.
> ---
> drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
> index f4ae530f56db..32d7ac7d3885 100644
> --- a/drivers/infiniband/hw/irdma/hw.c
> +++ b/drivers/infiniband/hw/irdma/hw.c
> @@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
> info->iwarp_state, info->ae_src);
>
> if (info->qp) {
> + if (unlikely(info->qp_cq_id >= rf->max_qp)) {
> + ibdev_warn_ratelimited(&iwdev->ibdev,
> + "AEQ reported invalid QP id %u\n",
> + info->qp_cq_id);
> + continue;
> + }
> +
> spin_lock_irqsave(&rf->qptable_lock, flags);
> iwqp = rf->qp_table[info->qp_cq_id];
> if (!iwqp) {
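Review bot: In the QP check, the continue sits ahead of spin_lock_irqsave(&rf->qptable_lock, flags), so no lock is held, but it also skips the rest of the loop body for this AEQE. Please confirm that this matches what the existing if (!iwqp) path does for an unknown QP, so a rejected entry is not handled differently from a missing one. The warning prints only info->qp_cq_id; adding info->ae_id and info->ae_src, which the debug print just above already has available, would let the log identify which event carried the bad id.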
> @@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
> "Processing an iWARP related AE for CQ misc = 0x%04X\n",
> info->ae_id);
>
> + if (unlikely(info->qp_cq_id >= rf->max_cq)) {
> + ibdev_warn_ratelimited(&iwdev->ibdev,
> + "AEQ reported invalid CQ id %u\n",
> + info->qp_cq_id);
> + continue;
> + }
> +
> spin_lock_irqsave(&rf->cqtable_lock, flags);
> iwcq = rf->cq_table[info->qp_cq_id];
> if (!iwcq) {
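Review bot: The CQ check compares the same info->qp_cq_id field against rf->max_cq, and unlike the QP hunk there is no guard such as if (info->qp) visible around it, so the bound is only the right one if this branch is reached for CQ events alone; a one-line comment stating that would help the next reader. The changelog should also say that rf->qp_table[] and rf->cq_table[] are sized by rf->max_qp and rf->max_cq, since the >= comparison is correct only under that assumption. The two added blocks are identical apart from the limit and the message text, so a small helper taking the limit and a name string would avoid the duplication.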
> --
> 2.50.1 (Apple Git-155)
>
>