On Tue, Jun 18, 2024 at 11:24 AM Robin Jarry <[email protected]> wrote:
>
> The graph id is determined based on a global variable that is
> incremented every time a graph is created, and decremented every time
> a graph is destroyed. This only works if graphs are destroyed in the
> reverse order in which they have been created.
>
> The following code produces duplicate graph IDs which can lead to
> use-after-free bugs and other undefined behaviours:
>
> a = rte_graph_create(...); // id=0 graph_id=1
> b = rte_graph_create(...); // id=1 graph_id=2
> rte_graph_destroy(a); // graph_id=1
> c = rte_graph_create(...); // id=1 graph_id=2 (duplicate with b)
> rte_graph_destroy(c); // frees memory still used by b
>
> Remove the global counter. Make sure that the graph list is always
> ordered by increasing graph ids. When creating a new graph, pick a free
> id which is not allocated.
>
> Update unit tests to ensure it works as expected.
Fixes: a91fecc19c5c ("graph: implement create and destroy")
Cc: [email protected]
>
> Signed-off-by: Robin Jarry <[email protected]>
Acked-by: Kiran Kumar Kokkilagadda <[email protected]>
Applied, thanks.
--
David Marchand
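
The sequence from the commit message, replayed against a small model of both allocation schemes. This is an added example, not code from the DPDK patch: `id_list`, `new_create`, `new_destroy`, `MAX_GRAPHS` and the other names are hypothetical, and a fixed array stands in for the library's graph list.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_GRAPHS 8 /* hypothetical limit for this model */

/* Old scheme: one global counter, ++ on create, -- on destroy. */
static int old_counter;
static int old_create(void) { return old_counter++; }
static void old_destroy(void) { old_counter--; }

/* Fixed scheme: live ids stay sorted ascending; create takes the lowest gap. */
struct id_list { int ids[MAX_GRAPHS]; size_t n; };

static int new_create(struct id_list *l) {
    size_t pos = 0;
    if (l->n == MAX_GRAPHS)
        return -1;
    while (pos < l->n && l->ids[pos] == (int)pos) /* skip ids in use */
        pos++;
    for (size_t i = l->n; i > pos; i--) /* shift up to keep the order */
        l->ids[i] = l->ids[i - 1];
    l->ids[pos] = (int)pos;
    l->n++;
    return (int)pos;
}

static void new_destroy(struct id_list *l, int id) {
    size_t kept = 0;
    for (size_t i = 0; i < l->n; i++) /* compact, preserving order */
        if (l->ids[i] != id)
            l->ids[kept++] = l->ids[i];
    l->n = kept;
}

/* Replay: create a, create b, destroy a, create c. True if c reuses b's id. */
static bool old_scheme_collides(void) {
    old_counter = 0;
    old_create(); /* a */
    int b = old_create();
    old_destroy(); /* destroying a only decrements the counter */
    return old_create() == b;
}

static bool new_scheme_collides(void) {
    struct id_list l = { .n = 0 };
    int a = new_create(&l), b = new_create(&l);
    new_destroy(&l, a);
    return new_create(&l) == b;
}

int main(void) { return old_scheme_collides() && !new_scheme_collides() ? 0 : 1; }
```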