[dpdk-dev] [PATCH 2/2] eal/ipc: fix use-after-free in asynchronous requests

[Anatoly Burakov]

Previously, we were removing request from the list only if we
have succeeded to send it. This resulted in leaving an invalid
pointer in the request list.

Fix this by only adding new requests to the request list if we
have succeeded in sending them.

Fixes: f05e26051c15 ("eal: add IPC asynchronous request")
Cc: anatoly.burakov at intel.com

Signed-off-by: Anatoly Burakov <anatoly.burakov at intel.com>
---
 lib/librte_eal/common/eal_common_proc.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/librte_eal/common/eal_common_proc.c b/lib/librte_eal/common/eal_common_proc.c
index e3eb430..a8ca7b8 100644
--- a/lib/librte_eal/common/eal_common_proc.c
+++ b/lib/librte_eal/common/eal_common_proc.c
@@ -876,9 +876,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
 	/* queue already locked by caller */
 
 	exist = find_sync_request(dst, req->name);
-	if (!exist) {
-		TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
-	} else {
+	if (exist) {
 		RTE_LOG(ERR, EAL, "A pending request %s:%s\n", dst, req->name);
 		rte_errno = EEXIST;
 		ret = -1;
@@ -895,6 +893,7 @@ mp_request_async(const char *dst, struct rte_mp_msg *req,
 		ret = 0;
 		goto fail;
 	}
+	TAILQ_INSERT_TAIL(&pending_requests.requests, sync_req, next);
 
 	param->user_reply.nb_sent++;
 
-- 
2.7.4