From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id E5BB2A0561;
	Tue, 21 Apr 2020 05:30:23 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id B51C11D5B9;
	Tue, 21 Apr 2020 05:30:22 +0200 (CEST)
Received: from mail.chinasoftinc.com (unknown [114.113.233.8])
 by dpdk.org (Postfix) with ESMTP id 1B5CE1D5B8
 for <dev@dpdk.org>; Tue, 21 Apr 2020 05:30:19 +0200 (CEST)
Received: from localhost.localdomain (114.119.4.74) by INCCAS002.ito.icss
 (10.168.0.60) with Microsoft SMTP Server id 14.3.487.0; Tue, 21 Apr 2020
 11:30:07 +0800
From: "Wei Hu (Xavier)" <huwei013@chinasoftinc.com>
To: <dev@dpdk.org>
Date: Tue, 21 Apr 2020 11:29:57 +0800
Message-ID: <20200421032957.19548-1-huwei013@chinasoftinc.com>
X-Mailer: git-send-email 2.23.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Originating-IP: [114.119.4.74]
Subject: [dpdk-dev] [PATCH] lib/rte_eal: fix heap-use-after-free bug
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

From: "Wei Hu (Xavier)" <xavier.huwei@huawei.com>

This patch fixes the heap-use-after-free bug which was found by ASAN
(Address-Sanitizer) in the vfio_get_default_container_fd function.

Fixes: 6bcb7c95fe14 ("vfio: share default container in multi-process")
Cc: stable@dpdk.org

Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
Signed-off-by: Wei Hu (Xavier) <xavier.huwei@huawei.com>
---
 lib/librte_eal/linux/eal_vfio.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/librte_eal/linux/eal_vfio.c b/lib/librte_eal/linux/eal_vfio.c
index 4502aefed..1470b58c6 100644
--- a/lib/librte_eal/linux/eal_vfio.c
+++ b/lib/librte_eal/linux/eal_vfio.c
@@ -1092,6 +1092,7 @@ vfio_get_default_container_fd(void)
 	struct rte_mp_reply mp_reply = {0};
 	struct timespec ts = {.tv_sec = 5, .tv_nsec = 0};
 	struct vfio_mp_param *p = (struct vfio_mp_param *)mp_req.param;
+	int container_fd;
 
 	if (default_vfio_cfg->vfio_enabled)
 		return default_vfio_cfg->vfio_container_fd;
@@ -1114,8 +1115,9 @@ vfio_get_default_container_fd(void)
 		mp_rep = &mp_reply.msgs[0];
 		p = (struct vfio_mp_param *)mp_rep->param;
 		if (p->result == SOCKET_OK && mp_rep->num_fds == 1) {
+			container_fd = mp_rep->fds[0];
 			free(mp_reply.msgs);
-			return mp_rep->fds[0];
+			return container_fd;
 		}
 	}
 
-- 
2.23.0