ipc: fix use-after-free in asynchronous requests
author Anatoly Burakov <anatoly.burakov@intel.com>
Fri, 13 Apr 2018 11:55:00 +0000 (12:55 +0100)
committer Thomas Monjalon <thomas@monjalon.net>
Mon, 16 Apr 2018 23:27:27 +0000 (01:27 +0200)
Previously, we were removing request from the list only if we
have succeeded to send it. This resulted in leaving an invalid
pointer in the request list.

Fix this by only adding new requests to the request list if we
have succeeded in sending them.

Fixes: f05e26051c15 ("eal: add IPC asynchronous request")

Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
Acked-by: Jianfeng Tan <jianfeng.tan@intel.com>
lib/librte_eal/common/eal_common_proc.c

index e3eb430..a8ca7b8 100644 (file)
@@ -876,9 +876,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
        /* queue already locked by caller */
 
        exist = find_sync_request(dst, req->name);
-       if (!exist) {
-               TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
-       } else {
+       if (exist) {
                RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name);
                rte_errno = EEXIST;
                ret = -1;
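Review bot: the duplicate check at `if (exist)` is no longer adjacent to the list insertion, so correctness now rests on the "queue already locked by caller" comment holding for everything that runs between find_sync_request() and the later TAILQ_INSERT_TAIL. Please expand that comment to say the lock must be held across the whole function; otherwise a second request with the same dst and name could pass this check before the first one is queued. Separately, the log text "A pending request %s:%s" does not say what went wrong; wording such as "already exists" would match the EEXIST that is returned.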
@@ -895,6 +893,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
                ret = 0;
                goto fail;
        }
+       TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
 
        param->user_reply.nb_sent++;
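Review bot: the new TAILQ_INSERT_TAIL is placed after the last visible `goto fail`, but nothing in the code marks that ordering as required. Please add a one-line comment above the insert stating that sync_req is linked into pending_requests only once no remaining path can jump to fail, so that an early exit added below this line later does not leave an invalid pointer in the list again without a matching TAILQ_REMOVE. It is also worth noting in that comment that the `ret = 0; goto fail;` branch just above is a non-error return that must leave the list untouched.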