[PATCH] RDMA/irdma: validate AEQ QP and CQ indices

[PATCH] RDMA/irdma: validate AEQ QP and CQ indices

[Pengpeng Hou]

irdma_process_aeq() trusts the QP/CQ identifier decoded from the
hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
without first checking that the identifier fits the allocated table.

Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
rf->max_cq before touching the tables. This keeps malformed or stale
hardware event records from walking past the end of the driver-owned
resource arrays.
---
 drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
index f4ae530f56db..32d7ac7d3885 100644
--- a/drivers/infiniband/hw/irdma/hw.c
+++ b/drivers/infiniband/hw/irdma/hw.c
@@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
 			  info->iwarp_state, info->ae_src);
 
 		if (info->qp) {
+			if (unlikely(info->qp_cq_id >= rf->max_qp)) {
+				ibdev_warn_ratelimited(&iwdev->ibdev,
+						       "AEQ reported invalid QP id %u\n",
+						       info->qp_cq_id);
+				continue;
+			}
+
 			spin_lock_irqsave(&rf->qptable_lock, flags);
 			iwqp = rf->qp_table[info->qp_cq_id];
 			if (!iwqp) {
@@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
 				  "Processing an iWARP related AE for CQ misc = 0x%04X\n",
 				  info->ae_id);
 
+			if (unlikely(info->qp_cq_id >= rf->max_cq)) {
+				ibdev_warn_ratelimited(&iwdev->ibdev,
+						       "AEQ reported invalid CQ id %u\n",
+						       info->qp_cq_id);
+				continue;
+			}
+
 			spin_lock_irqsave(&rf->cqtable_lock, flags);
 			iwcq = rf->cq_table[info->qp_cq_id];
 			if (!iwcq) {
-- 
2.50.1 (Apple Git-155)

Re: [PATCH] RDMA/irdma: validate AEQ QP and CQ indices

[Leon Romanovsky]

On Tue, Mar 24, 2026 at 09:44:59AM +0800, Pengpeng Hou wrote:
> irdma_process_aeq() trusts the QP/CQ identifier decoded from the
> hardware AEQE and uses it to index rf->qp_table[] and rf->cq_table[]
> without first checking that the identifier fits the allocated table.

HW should be programmed to provide valid index.

Thanks

> 
> Reject AEQ entries whose QP or CQ ids fall outside rf->max_qp or
> rf->max_cq before touching the tables. This keeps malformed or stale
> hardware event records from walking past the end of the driver-owned
> resource arrays.
> ---
>  drivers/infiniband/hw/irdma/hw.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
> index f4ae530f56db..32d7ac7d3885 100644
> --- a/drivers/infiniband/hw/irdma/hw.c
> +++ b/drivers/infiniband/hw/irdma/hw.c
> @@ -313,6 +313,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
>  			  info->iwarp_state, info->ae_src);
>  
>  		if (info->qp) {
> +			if (unlikely(info->qp_cq_id >= rf->max_qp)) {
> +				ibdev_warn_ratelimited(&iwdev->ibdev,
> +						       "AEQ reported invalid QP id %u\n",
> +						       info->qp_cq_id);
> +				continue;
> +			}
> +
>  			spin_lock_irqsave(&rf->qptable_lock, flags);
>  			iwqp = rf->qp_table[info->qp_cq_id];
>  			if (!iwqp) {
> @@ -413,6 +420,13 @@ static void irdma_process_aeq(struct irdma_pci_f *rf)
>  				  "Processing an iWARP related AE for CQ misc = 0x%04X\n",
>  				  info->ae_id);
>  
> +			if (unlikely(info->qp_cq_id >= rf->max_cq)) {
> +				ibdev_warn_ratelimited(&iwdev->ibdev,
> +						       "AEQ reported invalid CQ id %u\n",
> +						       info->qp_cq_id);
> +				continue;
> +			}
> +
>  			spin_lock_irqsave(&rf->cqtable_lock, flags);
>  			iwcq = rf->cq_table[info->qp_cq_id];
>  			if (!iwcq) {
> -- 
> 2.50.1 (Apple Git-155)
> 
>