From: Anatoly Burakov Date: Fri, 13 Apr 2018 11:55:00 +0000 (+0100) Subject: ipc: fix use-after-free in asynchronous requests X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=35ae44d1e25e2c3556956e2bc78a0e1c63cc9a11;p=dpdk.git ipc: fix use-after-free in asynchronous requests Previously, we were removing request from the list only if we have succeeded to send it. This resulted in leaving an invalid pointer in the request list. Fix this by only adding new requests to the request list if we have succeeded in sending them. Fixes: f05e26051c15 ("eal: add IPC asynchronous request") Signed-off-by: Anatoly Burakov Acked-by: Jianfeng Tan --- diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c index e3eb43011d..a8ca7b8cc4 100644 --- a/lib/librte_eal/common/eal_common_proc.c +++ b/lib/librte_eal/common/eal_common_proc.c @@ -876,9 +876,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req, /* queue already locked by caller */ exist = find_sync_request(dst, req->name); - if (!exist) { - TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next); - } else { + if (exist) { RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name); rte_errno = EEXIST; ret = -1; @@ -895,6 +893,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req, ret = 0; goto fail; } + TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next); param->user_reply.nb_sent++;
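Review bot: In the first hunk of mp_request_async() (at -876), the existing comment "/* queue already locked by caller */" now carries more weight than it says. With TAILQ_INSERT_TAIL removed from this branch, the find_sync_request(dst, req->name) check and the eventual insert are no longer adjacent, so the guarantee that no second request for the same dst/req->name can slip in depends on that lock staying held across the send that happens in between. Suggest extending the comment to state that the lock must be held from this check until the request is linked into pending_requests.requests, so a later change that narrows the locking does not silently reintroduce duplicates.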
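Review bot: In the second hunk (at -895), the added TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next) has no comment explaining why it must sit after the "ret = 0; goto fail;" block, and that ordering is the whole fix. A one-line comment above it, saying that sync_req is linked only once the send has succeeded so that every earlier jump to fail leaves nothing pointing at it on the list, would keep someone from moving the insert back up next to the find_sync_request() check. It is also worth confirming that the code under the fail label, which is not visible in this diff, does not try to unlink sync_req, since on those paths it is no longer on the list.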