From fe98e52a52f0989c299883bf7c231b64ae1cd242 Mon Sep 17 00:00:00 2001 From: Anatoly Burakov Date: Fri, 13 Apr 2018 12:54:59 +0100 Subject: [PATCH] ipc: fix use-after-free in synchronous requests Previously, we were adding synchronous requests to request list, we were doing it after checking if request existed. However, we only removed the request from the request list if we have succeeded in sending the request. In case of failed request send, we left an invalid pointer in the request list. Fix this by only adding request to the list once we succeed in sending it. Fixes: 783b6e54971d ("eal: add synchronous multi-process communication") Cc: stable@dpdk.org Signed-off-by: Anatoly Burakov Acked-by: Jianfeng Tan --- lib/librte_eal/common/eal_common_proc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c index c888c84e4d..e3eb43011d 100644 --- a/lib/librte_eal/common/eal_common_proc.c +++ b/lib/librte_eal/common/eal_common_proc.c @@ -922,8 +922,6 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req, pthread_mutex_lock(&pending_requests.lock); exist = find_sync_request(dst, req->name); - if (!exist) - TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next); if (exist) { RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name); rte_errno = EEXIST; @@ -939,6 +937,8 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req, } else if (ret == 0) return 0; + TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next); + reply->nb_sent++; do { -- 2.20.1
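Review bot: In the first hunk (@@ -922,8 +922,6 @@), dropping the insert that sat directly under `exist = find_sync_request(dst, req->name);` separates the duplicate check from the list insert, so the EEXIST guarantee now depends on pending_requests.lock staying held from the pthread_mutex_lock() shown here until the new TAILQ_INSERT_TAIL in the second hunk. Neither hunk shows an unlock. If one sits between the check and the send, two callers using the same dst and req->name can both pass the check and both end up queued. Please confirm the lock covers the whole check, send and insert sequence, and add a short comment at the check saying so.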
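Review bot: In the second hunk (@@ -939,6 +937,8 @@), the new `TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next);` puts the address of sync_req on the list only after the send has completed, which leaves two things to verify. First, a reply handled before this line runs would not find the request on the list; that is only ruled out if the reply path takes pending_requests.lock and the lock is still held at this point. Second, every exit from the do loop that follows must remove the entry again before returning, otherwise the stale pointer the commit message describes comes back, in particular if sync_req is local to mp_request_sync(). A comment above the insert stating both assumptions would make the invariant visible to later changes.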