From: Wei Hu (Xavier) <xavier.huwei@huawei.com>
Date: Tue, 21 Apr 2020 03:29:57 +0000 (+0800)
Subject: vfio: fix use after free with multiprocess
X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=d6298844da7e3e83034f1af196bdfddf388f979e;p=dpdk.git

vfio: fix use after free with multiprocess

This patch fixes the heap-use-after-free bug which was found by ASAN
(Address-Sanitizer) in the vfio_get_default_container_fd function.

Fixes: 6bcb7c95fe14 ("vfio: share default container in multi-process")
Cc: stable@dpdk.org

Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
Signed-off-by: Wei Hu (Xavier) <xavier.huwei@huawei.com>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
---

diff --git a/lib/librte_eal/linux/eal_vfio.c b/lib/librte_eal/linux/eal_vfio.c
index 1979f6fdd8..d26e1649a5 100644
--- a/lib/librte_eal/linux/eal_vfio.c
+++ b/lib/librte_eal/linux/eal_vfio.c
@@ -1092,6 +1092,7 @@ vfio_get_default_container_fd(void)
 	struct rte_mp_reply mp_reply = {0};
 	struct timespec ts = {.tv_sec = 5, .tv_nsec = 0};
 	struct vfio_mp_param *p = (struct vfio_mp_param *)mp_req.param;
+	int container_fd;
 
 	if (default_vfio_cfg->vfio_enabled)
 		return default_vfio_cfg->vfio_container_fd;
@@ -1114,8 +1115,9 @@ vfio_get_default_container_fd(void)
 		mp_rep = &mp_reply.msgs[0];
 		p = (struct vfio_mp_param *)mp_rep->param;
 		if (p->result == SOCKET_OK && mp_rep->num_fds == 1) {
+			container_fd = mp_rep->fds[0];
 			free(mp_reply.msgs);
-			return mp_rep->fds[0];
+			return container_fd;
 		}
 	}