[gem5-dev] Change in gem5/gem5[develop]: mem: Fix use-after-free bug

Tue, 29 Jun 2021 13:28:31 -0700

Bobby R. Bruce has submitted this change. ( https://gem5-review.googlesource.com/c/public/gem5/+/47239 ) 

Change subject: mem: Fix use-after-free bug
......................................................................

mem: Fix use-after-free bug

mem_pkt was deleted (via `delete respQueue.front()`) then used in the
following if statement (at `mem_pkt->isDram()`). This patch fixes this
issue.

Issue-on: https://gem5.atlassian.net/browse/GEM5-1009
Change-Id: Iac3b9078ce5acbdd87a0737a2c98ad887459661f
Reviewed-on: https://gem5-review.googlesource.com/c/public/gem5/+/47239
Reviewed-by: Daniel Carvalho <[email protected]>
Reviewed-by: Jason Lowe-Power <[email protected]>
Reviewed-by: Nikos Nikoleris <[email protected]>
Maintainer: Jason Lowe-Power <[email protected]>
Maintainer: Nikos Nikoleris <[email protected]>
Tested-by: kokoro <[email protected]>
---
M src/mem/mem_ctrl.cc
1 file changed, 2 insertions(+), 1 deletion(-)

Approvals:
  Jason Lowe-Power: Looks good to me, approved; Looks good to me, approved
  Nikos Nikoleris: Looks good to me, approved; Looks good to me, approved
  Daniel Carvalho: Looks good to me, approved
  kokoro: Regressions pass



diff --git a/src/mem/mem_ctrl.cc b/src/mem/mem_ctrl.cc
index 8eec9c8..58ccd17 100644
--- a/src/mem/mem_ctrl.cc
+++ b/src/mem/mem_ctrl.cc
@@ -520,7 +520,6 @@
         accessAndRespond(mem_pkt->pkt, frontendLatency + backendLatency);
     }

-    delete respQueue.front();
     respQueue.pop_front();

     if (!respQueue.empty()) {
@@ -543,6 +542,8 @@
         }
     }

+    delete mem_pkt;
+
     // We have made a location in the queue available at this point,
     // so if there is a read that was forced to wait, retry now
     if (retryRdReq) {

--
To view, visit https://gem5-review.googlesource.com/c/public/gem5/+/47239
To unsubscribe, or for help writing mail filters, visit https://gem5-review.googlesource.com/settings 

Gerrit-Project: public/gem5
Gerrit-Branch: develop
Gerrit-Change-Id: Iac3b9078ce5acbdd87a0737a2c98ad887459661f
Gerrit-Change-Number: 47239
Gerrit-PatchSet: 2
Gerrit-Owner: Bobby R. Bruce <[email protected]>
Gerrit-Reviewer: Bobby R. Bruce <[email protected]>
Gerrit-Reviewer: Daniel Carvalho <[email protected]>
Gerrit-Reviewer: Jason Lowe-Power <[email protected]>
Gerrit-Reviewer: Nikos Nikoleris <[email protected]>
Gerrit-Reviewer: kokoro <[email protected]>
Gerrit-MessageType: merged

_______________________________________________
gem5-dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

Reply via email to