On Thu, Apr 22, 2021 at 1:52 PM Min Hu (Connor) <humi...@huawei.com> wrote: > > From: HongBo Zheng <zhenghong...@huawei.com> > > Fix function 'stats_mem_populate' return without > free dynamic memory referenced by 'stats'. > > Fixes: af1ae8b6a32c ("graph: implement stats") > Cc: sta...@dpdk.org > > Signed-off-by: HongBo Zheng <zhenghong...@huawei.com> > Signed-off-by: Min Hu (Connor) <humi...@huawei.com> > --- > lib/librte_graph/graph_stats.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/lib/librte_graph/graph_stats.c b/lib/librte_graph/graph_stats.c > index 125e08d..f698bb3 100644 > --- a/lib/librte_graph/graph_stats.c > +++ b/lib/librte_graph/graph_stats.c > @@ -174,7 +174,7 @@ stats_mem_populate(struct rte_graph_cluster_stats > **stats_in, > cluster->stat.hz = rte_get_timer_hz(); > node = graph_node_id_to_ptr(graph, id); > if (node == NULL) > - SET_ERR_JMP(ENOENT, err, "Failed to find node %s in graph %s", > + SET_ERR_JMP(ENOENT, free, "Failed to find node %s in graph > %s", > graph_node->node->name, graph->name); > cluster->nodes[cluster->nb_nodes++] = node; > > @@ -183,6 +183,8 @@ stats_mem_populate(struct rte_graph_cluster_stats > **stats_in, > *stats_in = stats; > > return 0; > +free: > + free(stats); > err: > return -rte_errno; > }
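Review bot: In the first hunk (@@ -174), the 'node == NULL' branch now jumps to 'free' before '*stats_in' has been assigned, since the only store, '*stats_in = stats;', sits on the success path shown in the second hunk. The caller therefore keeps whatever pointer it passed in, and if 'stats' is the same block the caller already holds, that pointer is left dangling once 'free(stats)' runs. Either write 'stats' back to '*stats_in' before the node lookup can fail and leave the target as 'err', or make sure the failure path also updates '*stats_in'.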
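Review bot: In the second hunk (@@ -183), the new 'free:' label calls 'free(stats)' and falls through to 'err:' without touching '*stats_in', so the caller has no way to know the memory was released and may release it again in its own cleanup. Set '*stats_in = NULL' right after the free, or state in the function's comment who owns 'stats' on failure. As a style point, a label named 'free' directly above a call to free() is legal C but easy to misread; a name such as 'free_stats' would be clearer.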
We have a double free with this change. If realloc on stats returns the same location, but node lookup fails, stats_in is left untouched and still points at the original stats location. This location is then freed in the free: label, and later is freed in stats_mem_fini() from caller.

-- 
David Marchand