From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by dpdk.org (Postfix) with ESMTP id 8FA9C1C0E0 for ; Fri, 13 Apr 2018 13:55:04 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Apr 2018 04:55:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,445,1517904000"; d="scan'208";a="220155619" Received: from irvmail001.ir.intel.com ([163.33.26.43]) by fmsmga006.fm.intel.com with ESMTP; 13 Apr 2018 04:55:01 -0700 Received: from sivswdev01.ir.intel.com (sivswdev01.ir.intel.com [10.237.217.45]) by irvmail001.ir.intel.com (8.14.3/8.13.6/MailSET/Hub) with ESMTP id w3DBt0NA029782; Fri, 13 Apr 2018 12:55:00 +0100 Received: from sivswdev01.ir.intel.com (localhost [127.0.0.1]) by sivswdev01.ir.intel.com with ESMTP id w3DBt00U023271; Fri, 13 Apr 2018 12:55:00 +0100 Received: (from aburakov@localhost) by sivswdev01.ir.intel.com with LOCAL id w3DBt0lQ023267; Fri, 13 Apr 2018 12:55:00 +0100 From: Anatoly Burakov To: dev@dpdk.org Cc: jianfeng.tan@intel.com, anatoly.burakov@intel.com Date: Fri, 13 Apr 2018 12:55:00 +0100 Message-Id: X-Mailer: git-send-email 1.7.0.7 In-Reply-To: References: In-Reply-To: References: Subject: [dpdk-dev] [PATCH 2/2] eal/ipc: fix use-after-free in asynchronous requests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Apr 2018 11:55:05 -0000 Previously, we were removing request from the list only if we have succeeded to send it. This resulted in leaving an invalid pointer in the request list. Fix this by only adding new requests to the request list if we have succeeded in sending them. Fixes: f05e26051c15 ("eal: add IPC asynchronous request") Cc: anatoly.burakov@intel.com Signed-off-by: Anatoly Burakov --- lib/librte_eal/common/eal_common_proc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c index e3eb430..a8ca7b8 100644 --- a/lib/librte_eal/common/eal_common_proc.c +++ b/lib/librte_eal/common/eal_common_proc.c @@ -876,9 +876,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req, /* queue already locked by caller */ exist = find_sync_request(dst, req->name); - if (!exist) { - TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next); - } else { + if (exist) { RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name); rte_errno = EEXIST; ret = -1; @@ -895,6 +893,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req, ret = 0; goto fail; } + TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next); param->user_reply.nb_sent++; -- 2.7.4