In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix double destruction of rsv_qp
rsvqp may be double destroyed in error flow, first in freemrinit(), and then in hnsroceexit(). Fix it by moving the freemrinit() call into hnsrocev2init().
listdel corruption, ffff589732eb9b50->next is LISTPOISON1 (dead000000000100) WARNING: CPU: 8 PID: 1047115 at lib/listdebug.c:53 _listdelentryvalid+0x148/0x240 ... Call trace: _listdelentryvalid+0x148/0x240 hnsroceqpremove+0x4c/0x3f0 [hnsrocehwv2] hnsrocev2destroyqpcommon+0x1dc/0x5f4 [hnsrocehwv2] hnsrocev2destroyqp+0x22c/0x46c [hnsrocehwv2] freemrexit+0x6c/0x120 [hnsrocehwv2] hnsrocev2exit+0x170/0x200 [hnsrocehwv2] hnsroceexit+0x118/0x350 [hnsrocehwv2] _hnsrocehwv2initinstance+0x1c8/0x304 [hnsrocehwv2] hnsrocehwv2resetnotifyinit+0x170/0x21c [hnsrocehwv2] hnsrocehwv2resetnotify+0x6c/0x190 [hnsrocehwv2] hclgenotifyroceclient+0x6c/0x160 [hclge] hclgeresetrebuild+0x150/0x5c0 [hclge] hclgereset+0x10c/0x140 [hclge] hclgeresetsubtask+0x80/0x104 [hclge] hclgeresetservicetask+0x168/0x3ac [hclge] hclgeservicetask+0x50/0x100 [hclge] processonework+0x250/0x9a0 workerthread+0x324/0x990 kthread+0x190/0x210 retfromfork+0x10/0x18