From: Akhil Goyal <gakhil@marvell.com>
Date: Fri, 30 Jul 2021 17:58:27 +0000 (+0530)
Subject: crypto/octeontx: fix freeing after device release
X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=12b650efd49d8b932a7717be1cafd13d9040ea3e;p=dpdk.git

crypto/octeontx: fix freeing after device release

When the PMD is removed, rte_cryptodev_pmd_release_device
is called which frees cryptodev->data, and then tries to free
cryptodev->data->dev_private, which causes the heap use
after free issue.

A temporary pointer is set before the free of cryptodev->data,
which can then be used afterwards to free dev_private.

Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton")
Cc: stable@dpdk.org

Reported-by: Zhihong Peng <zhihongx.peng@intel.com>
Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---

diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c
index 7207909abb..3822c0d779 100644
--- a/drivers/crypto/octeontx/otx_cryptodev.c
+++ b/drivers/crypto/octeontx/otx_cryptodev.c
@@ -75,6 +75,7 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev)
 {
 	struct rte_cryptodev *cryptodev;
 	char name[RTE_CRYPTODEV_NAME_MAX_LEN];
+	void *dev_priv;
 
 	if (pci_dev == NULL)
 		return -EINVAL;
@@ -88,11 +89,13 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev)
 	if (pci_dev->driver == NULL)
 		return -ENODEV;
 
+	dev_priv = cryptodev->data->dev_private;
+
 	/* free crypto device */
 	rte_cryptodev_pmd_release_device(cryptodev);
 
 	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
-		rte_free(cryptodev->data->dev_private);
+		rte_free(dev_priv);
 
 	cryptodev->device->driver = NULL;
 	cryptodev->device = NULL;