From 12b650efd49d8b932a7717be1cafd13d9040ea3e Mon Sep 17 00:00:00 2001 From: Akhil Goyal Date: Fri, 30 Jul 2021 23:28:27 +0530 Subject: [PATCH] crypto/octeontx: fix freeing after device release When the PMD is removed, rte_cryptodev_pmd_release_device is called which frees cryptodev->data, and then tries to free cryptodev->data->dev_private, which causes the heap use after free issue. A temporary pointer is set before the free of cryptodev->data, which can then be used afterwards to free dev_private. Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton") Cc: stable@dpdk.org Reported-by: Zhihong Peng Signed-off-by: Akhil Goyal --- drivers/crypto/octeontx/otx_cryptodev.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c index 7207909abb..3822c0d779 100644 --- a/drivers/crypto/octeontx/otx_cryptodev.c +++ b/drivers/crypto/octeontx/otx_cryptodev.c @@ -75,6 +75,7 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) { struct rte_cryptodev *cryptodev; char name[RTE_CRYPTODEV_NAME_MAX_LEN]; + void *dev_priv; if (pci_dev == NULL) return -EINVAL; @@ -88,11 +89,13 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) if (pci_dev->driver == NULL) return -ENODEV; + dev_priv = cryptodev->data->dev_private; + /* free crypto device */ rte_cryptodev_pmd_release_device(cryptodev); if (rte_eal_process_type() == RTE_PROC_PRIMARY) - rte_free(cryptodev->data->dev_private); + rte_free(dev_priv); cryptodev->device->driver = NULL; cryptodev->device = NULL; -- 2.20.1