Skip to content

Commit

Permalink
ring: fix use after free
Browse files Browse the repository at this point in the history 
[ upstream commit ce4bd6e14aa693c80c5218f7d896c98b3b85b54a ]

After the memzone is freed, it is not removed from the 'rte_ring_tailq'.
If rte_ring_lookup is called at this time, it will cause a use-after-free
problem. This change prevents that from happening.

Fixes: 4e32101 ("ring: support freeing")

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
  • Loading branch information
@wyjwang @bluca
wyjwang authored and bluca committed Jun 12, 2023
1 parent 4a58ab8 commit 5491fc6
Showing 1 changed file with 3 additions and 5 deletions.
8 changes: 3 additions & 5 deletions lib/librte_ring/rte_ring.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -341,11 +341,6 @@ rte_ring_free(struct rte_ring *r)
return;
}

if (rte_memzone_free(r->memzone) != 0) {
RTE_LOG(ERR, RING, "Cannot free memory\n");
return;
}

ring_list = RTE_TAILQ_CAST(rte_ring_tailq.head, rte_ring_list);
rte_mcfg_tailq_write_lock();

Expand All @@ -364,6 +359,9 @@ rte_ring_free(struct rte_ring *r)

rte_mcfg_tailq_write_unlock();

if (rte_memzone_free(r->memzone) != 0)
RTE_LOG(ERR, RING, "Cannot free memory\n");

rte_free(te);
}

Expand Down

0 comments on commit 5491fc6

Please sign in to comment.