ipc: fix use-after-free in synchronous requests

Previously, we were adding synchronous requests to request list, we
were doing it after checking if request existed. However, we only
removed the request from the request list if we have succeeded in
sending the request. In case of failed request send, we left an
invalid pointer in the request list.

Fix this by only adding request to the list once we succeed in
sending it.

Fixes: 783b6e54971d ("eal: add synchronous multi-process communication")
Cc: stable@dpdk.org
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
Acked-by: Jianfeng Tan <jianfeng.tan@intel.com>

diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c
index c888c84e4dca6a5f2de65fa29eeff5b07435b446..e3eb43011deba74442757e940f0351f9e6774142 100644 (file)
--- a/lib/librte_eal/common/eal_common_proc.c
+++ b/lib/librte_eal/common/eal_common_proc.c
@@ -922,8 +922,6 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req,
 
        pthread_mutex_lock(&pending_requests.lock);
        exist = find_sync_request(dst, req->name);
-       if (!exist)
-               TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next);
        if (exist) {
                RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name);
                rte_errno = EEXIST;
@@ -939,6 +937,8 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req,
        } else if (ret == 0)
                return 0;
 
+       TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next);
+
        reply->nb_sent++;
 
        do {