From 32b4a8cd36dfe441a4487b9ebf99bec05266eb41 Mon Sep 17 00:00:00 2001
From: "Bobby R. Bruce"
Date: Fri, 25 Jun 2021 11:36:15 -0700
Subject: [PATCH] mem: Fix use-after-free bug

mem_pkt was deleted (via `delete respQueue.front()`) then used in the following if statement (at `mem_pkt->isDram()`). This patch fixes this issue.

Issue-on: https://gem5.atlassian.net/browse/GEM5-1009
Change-Id: Iac3b9078ce5acbdd87a0737a2c98ad887459661f
Reviewed-on: https://gem5-review.googlesource.com/c/public/gem5/+/47239
Reviewed-by: Daniel Carvalho
Reviewed-by: Jason Lowe-Power
Reviewed-by: Nikos Nikoleris
Maintainer: Jason Lowe-Power
Maintainer: Nikos Nikoleris
Tested-by: kokoro
---
 src/mem/mem_ctrl.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/mem/mem_ctrl.cc b/src/mem/mem_ctrl.cc
index 8eec9c8eab..58ccd179e4 100644
--- a/src/mem/mem_ctrl.cc
+++ b/src/mem/mem_ctrl.cc
@@ -520,7 +520,6 @@ MemCtrl::processRespondEvent()
         accessAndRespond(mem_pkt->pkt, frontendLatency + backendLatency);
     }
 
-    delete respQueue.front();
     respQueue.pop_front();
 
     if (!respQueue.empty()) {
@@ -543,6 +542,8 @@ MemCtrl::processRespondEvent()
         }
     }
 
+    delete mem_pkt;
+
     // We have made a location in the queue available at this point,
     // so if there is a read that was forced to wait, retry now
     if (retryRdReq) {
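Review bot: The added `delete mem_pkt;` in the second hunk now sits in the middle of processRespondEvent, so the same use-after-free can recur in the rest of the function, which continues past the hunk (the `if (retryRdReq)` block and whatever follows); nothing in the diff marks the pointer as dead. Either make the delete the last statement of the function, or add a comment at the new line, `// mem_pkt was popped from respQueue above and is freed here; it must not be dereferenced past this point`, and consider `mem_pkt = nullptr;` directly after the delete so a later access faults deterministically instead of reading freed memory. The correctness of replacing `delete respQueue.front()` with `delete mem_pkt` depends on `mem_pkt` having been assigned from `respQueue.front()` at the top of the function, which is outside the hunk and worth confirming. Memory-safety bugs of this shape are exactly what an AddressSanitizer build of the regression tests would catch, so it is worth running one before merging.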