
rinl_buf->wqe_list will be double-freed in error flow, first in alloc_recv_rinl_buf() and then in free_recv_rinl_buf(). Actually free_recv_rinl_buf() shouldn't be called when alloc_recv_rinl_buf() failed. Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
---
 ...Fix-double-free-of-rinl_buf-wqe_list.patch | 53 +++++++++++++++++++
 rdma-core.spec | 9 +++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 0065-libhns-Fix-double-free-of-rinl_buf-wqe_list.patch
diff --git a/0065-libhns-Fix-double-free-of-rinl_buf-wqe_list.patch b/0065-libhns-Fix-double-free-of-rinl_buf-wqe_list.patch
new file mode 100644
index 0000000..e568c7a
--- /dev/null
+++ b/0065-libhns-Fix-double-free-of-rinl_buf-wqe_list.patch
@@ -0,0 +1,53 @@
+From 583d8210da89563fcef0c6e508f58cc7adf72a3b Mon Sep 17 00:00:00 2001
+From: wenglianfa <wenglianfa@huawei.com>
+Date: Mon, 12 May 2025 10:51:32 +0800
+Subject: [PATCH 65/65] libhns: Fix double-free of rinl_buf->wqe_list
+
+driver inclusion
+category: bugfix
+bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/ICAQ55
+
+------------------------------------------------------------------
+
+rinl_buf->wqe_list will be double-freed in error flow, first in
+alloc_recv_rinl_buf() and then in free_recv_rinl_buf(). Actually
+free_recv_rinl_buf() shouldn't be called when alloc_recv_rinl_buf()
+failed.
+
+Fixes: 83b0baff3ccf ("libhns: Refactor rq inline")
+Signed-off-by: wenglianfa <wenglianfa@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+---
+ providers/hns/hns_roce_u_verbs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/providers/hns/hns_roce_u_verbs.c b/providers/hns/hns_roce_u_verbs.c
+index edd8e3d..8bf7bc1 100644
+--- a/providers/hns/hns_roce_u_verbs.c
++++ b/providers/hns/hns_roce_u_verbs.c
+@@ -1453,18 +1453,19 @@ static int qp_alloc_wqe(struct ibv_qp_init_attr_ex *attr,
+ qp->dca_wqe.shift = qp->pageshift;
+ qp->dca_wqe.bufs = calloc(qp->dca_wqe.max_cnt, sizeof(void *));
+ if (!qp->dca_wqe.bufs)
+- goto err_alloc;
++ goto err_alloc_recv_rinl_buf;
+ verbs_debug(&ctx->ibv_ctx, "alloc DCA buf.\n");
+ } else {
+ if (hns_roce_alloc_buf(&qp->buf, qp->buf_size,
+ 1 << qp->pageshift))
+- goto err_alloc;
++ goto err_alloc_recv_rinl_buf;
+ }
+ 
+ return 0;
+ 
+-err_alloc:
++err_alloc_recv_rinl_buf:
+ free_recv_rinl_buf(&qp->rq_rinl_buf);
++err_alloc:
+ if (qp->rq.wrid)
+ free(qp->rq.wrid);
+ 
+--
+2.33.0
+
diff --git a/rdma-core.spec b/rdma-core.spec
index b252761..ed09fe8 100644
--- a/rdma-core.spec
+++ b/rdma-core.spec
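Review bot: After the relabelled cleanup runs, `qp->rq_rinl_buf.wqe_list` and `qp->rq.wrid` are released but (as far as this hunk shows) still hold their old values, so the fix only holds as long as every failure site jumps to the matching label; the site where `alloc_recv_rinl_buf()` fails and should now reach `err_alloc` lies outside the hunk, as does the start of `qp_alloc_wqe`, so it cannot be checked here. A sturdier guard against the double free recurring would be for `free_recv_rinl_buf()` to set `wqe_list` to NULL after freeing it (unless it already does, which is not visible here), making the cleanup idempotent regardless of label order. I would also document the ordering constraint above the labels with `/* err_alloc_recv_rinl_buf: only reached once alloc_recv_rinl_buf() succeeded; its own failure path already releases wqe_list */`. As a point of style, `if (qp->rq.wrid) free(qp->rq.wrid);` can be reduced to `free(qp->rq.wrid);`, since free(NULL) is a no-op.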
@@ -1,6 +1,6 @@
 Name: rdma-core
 Version: 50.0
-Release: 30
+Release: 31
 Summary: RDMA core userspace libraries and daemons
 License: GPL-2.0-only OR BSD-2-Clause AND BSD-3-Clause
 Url: https://github.com/linux-rdma/rdma-core
@@ -70,6 +70,7 @@ patch61: 0061-libhns-Fix-freeing-pad-without-checking-refcnt.patch
 patch62: 0062-verbs-Assign-ibv-srq-pd-when-creating-SRQ.patch
 patch63: 0063-libxscale-update-to-version-2412GA.patch
 patch64: 0064-libxscale-automatically-load-xsc_ib.ko.patch
+patch65: 0065-libhns-Fix-double-free-of-rinl_buf-wqe_list.patch
 BuildRequires: binutils cmake >= 2.8.11 gcc libudev-devel pkgconfig pkgconfig(libnl-3.0)
 BuildRequires: pkgconfig(libnl-route-3.0) systemd systemd-devel
@@ -649,6 +650,12 @@ fi
 %doc %{_docdir}/%{name}-%{version}/70-persistent-ipoib.rules
 %changelog
+* Tue May 27 2025 Junxian Huang <huangjunxian6@hisilicon.com> - 50.0-31
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: libhns: Fix double-free of rinl_buf->wqe_list
+
 * Fri May 16 2025 Xin Tian <tianx@yunsilicon.com> - 50.0-30
 - Type: feature
 - ID: NA
--
2.33.0