From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by dpdk.org (Postfix) with ESMTP id 3A7501C089 for ; Fri, 13 Apr 2018 13:55:03 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Apr 2018 04:55:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,445,1517904000"; d="scan'208";a="216335487" Received: from irvmail001.ir.intel.com ([163.33.26.43]) by orsmga005.jf.intel.com with ESMTP; 13 Apr 2018 04:55:01 -0700 Received: from sivswdev01.ir.intel.com (sivswdev01.ir.intel.com [10.237.217.45]) by irvmail001.ir.intel.com (8.14.3/8.13.6/MailSET/Hub) with ESMTP id w3DBt0KS029779; Fri, 13 Apr 2018 12:55:00 +0100 Received: from sivswdev01.ir.intel.com (localhost [127.0.0.1]) by sivswdev01.ir.intel.com with ESMTP id w3DBt0LX023259; Fri, 13 Apr 2018 12:55:00 +0100 Received: (from aburakov@localhost) by sivswdev01.ir.intel.com with LOCAL id w3DBt0Lk023250; Fri, 13 Apr 2018 12:55:00 +0100 From: Anatoly Burakov To: dev@dpdk.org Cc: jianfeng.tan@intel.com Date: Fri, 13 Apr 2018 12:54:59 +0100 Message-Id: X-Mailer: git-send-email 1.7.0.7 Subject: [dpdk-dev] [PATCH 1/2] eal/ipc: fix use-after-free in synchronous requests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Apr 2018 11:55:04 -0000 Previously, we were adding synchronous requests to request list, we were doing it after checking if request existed. However, we only removed the request from the request list if we have succeeded in sending the request. In case of failed request send, we left an invalid pointer in the request list. Fix this by only adding request to the list once we succeed in sending it. Fixes: 783b6e54971d ("eal: add synchronous multi-process communication") Cc: jianfeng.tan@intel.com Signed-off-by: Anatoly Burakov --- lib/librte_eal/common/eal_common_proc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c index c888c84..e3eb430 100644 --- a/lib/librte_eal/common/eal_common_proc.c +++ b/lib/librte_eal/common/eal_common_proc.c @@ -922,8 +922,6 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req, pthread_mutex_lock(&pending_requests.lock); exist = find_sync_request(dst, req->name); - if (!exist) - TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next); if (exist) { RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name); rte_errno = EEXIST; @@ -939,6 +937,8 @@ mp_request_sync(const char *dst, struct rte_mp_msg *req, } else if (ret == 0) return 0; + TAILQ_INSERT_TAIL(&pending_requests.requests, &sync_req, next); + reply->nb_sent++; do { -- 2.7.4