From 59108bf3e452fa7701a3972c78d22352598891be Mon Sep 17 00:00:00 2001 From: Junxian Huang Date: Wed, 23 Apr 2025 16:55:16 +0800 Subject: [PATCH 61/62] libhns: Fix freeing pad without checking refcnt mainline inclusion from mainline-v56.0-65 commit 234d135276ea8ef83633113e224e0cd735ebeca8 category: bugfix bugzilla: https://gitee.com/src-openeuler/rdma-core/issues/IC3X57 CVE: NA Reference: https://github.com/linux-rdma/rdma-core/pull/1599/commits/234d135276ea8ef836... --------------------------------------------------------------------- Currently pad refcnt will be added when creating qp/cq/srq, but it is not checked when freeing pad. Add a check to prevent freeing pad when it is still used by any qp/cq/srq. Fixes: 7b6b3dae328f ("libhns: Add support for thread domain and parent domain") Signed-off-by: Junxian Huang Signed-off-by: Xinghai Cen --- providers/hns/hns_roce_u_verbs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/providers/hns/hns_roce_u_verbs.c b/providers/hns/hns_roce_u_verbs.c index 70f516a..edd8e3d 100644 --- a/providers/hns/hns_roce_u_verbs.c +++ b/providers/hns/hns_roce_u_verbs.c @@ -218,14 +218,18 @@ struct ibv_pd *hns_roce_u_alloc_pad(struct ibv_context *context, return &pad->pd.ibv_pd; } -static void hns_roce_free_pad(struct hns_roce_pad *pad) +static int hns_roce_free_pad(struct hns_roce_pad *pad) { + if (atomic_load(&pad->pd.refcount) > 1) + return EBUSY; + atomic_fetch_sub(&pad->pd.protection_domain->refcount, 1); if (pad->td) atomic_fetch_sub(&pad->td->refcount, 1); free(pad); + return 0; } static int hns_roce_free_pd(struct hns_roce_pd *pd) @@ -248,10 +252,8 @@ int hns_roce_u_dealloc_pd(struct ibv_pd *ibv_pd) struct hns_roce_pad *pad = to_hr_pad(ibv_pd); struct hns_roce_pd *pd = to_hr_pd(ibv_pd); - if (pad) { - hns_roce_free_pad(pad); - return 0; - } + if (pad) + return hns_roce_free_pad(pad); return hns_roce_free_pd(pd); } -- 2.25.1