mlx5: fix a use-after-free error in mlx5_next_poll

When using cq_ex inteface, if the user destroys the QP associated with the current work completion, the next ibv_next_poll() call will cause a use-after-free error since it needs to access the QP that has already been destroyed through cq->cur_rsc inside get_req_context(). Fix this error by resetting the cq->cur_rsc in __mlx5_cq_clean if it is associated with the QP to be destroyed. Signed-off-by: ZHOU Huaping <[email protected]>
linux-rdma · Nov 27, 2024 · 1110f71 · 1110f71
1 parent 18c97ed
commit 1110f71
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/providers/mlx5/cq.c b/providers/mlx5/cq.c
@@ -1070,6 +1070,8 @@ static inline void _mlx5_end_poll(struct ibv_cq_ex *ibcq,
 	if (lock)
 		mlx5_spin_unlock(&cq->lock);
 
+	cq->cur_rsc = NULL;
+
 	if (stall) {
 		if (stall == POLLING_MODE_STALL_ADAPTIVE) {
 			if (!(cq->flags & MLX5_CQ_FLAGS_FOUND_CQES)) {
@@ -1822,6 +1824,14 @@ void __mlx5_cq_clean(struct mlx5_cq *cq, uint32_t rsn, struct mlx5_srq *srq)
 	if (!cq || cq->flags & MLX5_CQ_FLAGS_DV_OWNED)
 		return;
 
+	/*
+	 * Reset the cq->cur_rsc if it is associated with the QP to be
+	 * destroyed in order to prevent use-after-free errors in the
+	 * next ibv_next_poll().
+	 */
+	if (unlikely(rsn == cq->cur_rsc->rsn))
+		cq->cur_rsc = NULL;
+
 	/*
 	 * First we need to find the current producer index, so we
 	 * know where to start cleaning from.  It doesn't matter if HW