From 56c07f59f960c8a193933c4a0f2a15cfe8ecf221 Mon Sep 17 00:00:00 2001
From: ZHOU Huaping
Date: Tue, 26 Nov 2024 19:35:53 +0800
Subject: [PATCH] mlx5: invalidate cq->cur_rsc when QP is destroyed inside a polling batch
For CQ created in single threaded mode, if the user destroys a QP between ibv_start_poll() and ibv_end_poll(), then cq->cur_rsc should be invalidated since it may point to the QP that is being destroyed, which may cause UAF error in the next ibv_next_poll() call.
Signed-off-by: ZHOU Huaping
---
providers/mlx5/cq.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/providers/mlx5/cq.c b/providers/mlx5/cq.c
index 46bdc7105..65e674de9 100644
--- a/providers/mlx5/cq.c
+++ b/providers/mlx5/cq.c
@@ -1822,6 +1822,15 @@ void __mlx5_cq_clean(struct mlx5_cq *cq, uint32_t rsn, struct mlx5_srq *srq)
 if (!cq || cq->flags & MLX5_CQ_FLAGS_DV_OWNED)
 return;
 
+ /*
+ * For CQ created in single threaded mode, if the user destroys
+ * a QP between ibv_start_poll() and ibv_end_poll(), then
+ * cq->cur_rsc should be invalidated since it may point to the
+ * QP that is being destroyed.
+ */
+ if (unlikely(cq->cur_rsc && rsn == cq->cur_rsc->rsn))
+ cq->cur_rsc = NULL;
+
 /*
 * First we need to find the current producer index, so we
 * know where to start cleaning from. It doesn't matter if HW
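Review bot: The new guard `if (unlikely(cq->cur_rsc && rsn == cq->cur_rsc->rsn))` invalidates only the cached QP/RQ resource, so if the CQ also caches a pointer to the SRQ used by the last CQE (a `cur_srq`-style field, which I cannot see from this hunk) and an SRQ can be torn down mid-batch through a path that reaches `__mlx5_cq_clean`, that second cached pointer would keep the same use-after-free exposure the commit is closing for `cur_rsc`; worth confirming or noting in the comment that the `srq` argument here is the QP's attached SRQ rather than an object being destroyed. The invalidation is also placed after the `MLX5_CQ_FLAGS_DV_OWNED` early return, which is only safe if a DV-owned CQ never populates `cq->cur_rsc`; since that is an assumption rather than something the hunk shows, I would add a sentence to the new comment such as `/* Clearing to NULL forces the next CQE parse to re-resolve the resource by rsn; DV-owned CQs are skipped above because the provider's poll path does not cache into cur_rsc for them (confirm). */`. The comment could further state why the check is keyed on `rsn` alone: a stale pointer whose `rsn` happens to match the resource being removed is exactly the case where dereferencing it later would be unsafe, so the comparison itself is the last safe use of the pointer. The rest of `__mlx5_cq_clean` runs past the end of the hunk, so whether any later statement in the same function reads `cq->cur_rsc` before the caller releases the QP is not visible here.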