use after free bugs
M. Warner Losh
imp at bsdimp.com
Mon Aug 23 10:21:17 PDT 2004
In message: <412A258A.3060100 at coverity.com>
Ted Unangst <tedu at coverity.com> writes:
: M. Warner Losh wrote:
: > In message: <41263E77.5040500 at coverity.com>
: > Ted Unangst <tedu at coverity.com> writes:
: > : aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
: > : afterwards, lots of examples.
: >
: > aha_free doesn't actually free the aha, it just tears down the dma for
: > the device. So the struct aha_softc * that's passed to it is safe to
: > use after calls to aha_free.
: >
: > void
: > aha_free(struct aha_softc *aha)
: > {
: >     switch (aha->init_level) {
: >     default:
: >     case 8:
: >     {
: >         struct sg_map_node *sg_map;
: >
: >         while ((sg_map = SLIST_FIRST(&aha->sg_maps)) != NULL) {
: >             SLIST_REMOVE_HEAD(&aha->sg_maps, links);
: >             bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
: >             bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
: >                 sg_map->sg_dmamap);
: >             free(sg_map, M_DEVBUF);
: >         }
: >         bus_dma_tag_destroy(aha->sg_dmat);
: >     }
: >     case 7:
: >         bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
: >     case 6:
: >         bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
: >         bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
: >             aha->ccb_dmamap);
: >     case 5:
: >         bus_dma_tag_destroy(aha->ccb_dmat);
: >     case 4:
: >         bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
: >     case 3:
: >         bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
: >             aha->mailbox_dmamap);
: >         bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
: >     case 2:
: >         bus_dma_tag_destroy(aha->buffer_dmat);
: >     case 1:
: >         bus_dma_tag_destroy(aha->mailbox_dmat);
: >     case 0:
: >         break;
: >     }
: > }
: >
: > so all the calls to aha_free then the freeing of resources are OK.
:
: ah, look at the 4.x sources though. it does free aha.
Hmmmmm.... Very true.
Warner
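
The distinction this thread turns on, as an added example that is not from the original message or from the FreeBSD tree: a teardown routine that only releases what a softc owns, next to one that also frees the softc itself. All names (`struct softc`, `softc_setup`, `softc_teardown`, `softc_destroy`) are hypothetical, and `malloc`/`free` stand in for the bus_dma calls.

```c
#include <stdlib.h>
/* Hypothetical userland model of a driver softc; not the aha(4) code. */
struct softc {
    int   init_level;       /* number of setup stages completed */
    void *mailbox, *ccbs;   /* stage 1 and stage 2 resources */
};

/* Staged setup: init_level records how far we got before any failure. */
int softc_setup(struct softc *sc)
{
    sc->init_level = 0;
    sc->mailbox = sc->ccbs = NULL;
    if ((sc->mailbox = malloc(64)) == NULL)
        return -1;
    sc->init_level++;
    if ((sc->ccbs = malloc(256)) == NULL)
        return -1;
    sc->init_level++;
    return 0;
}

/* Releases owned resources only; sc itself stays valid for the caller. */
void softc_teardown(struct softc *sc)
{
    switch (sc->init_level) {
    default:
    case 2:
        free(sc->ccbs);
        sc->ccbs = NULL;
        /* FALLTHROUGH */
    case 1:
        free(sc->mailbox);
        sc->mailbox = NULL;
        /* FALLTHROUGH */
    case 0:
        break;
    }
    sc->init_level = 0;     /* a repeated teardown becomes a no-op */
}

/* Releases resources AND the softc, then clears the caller's pointer. */
void softc_destroy(struct softc **scp)
{
    if (*scp == NULL)
        return;
    softc_teardown(*scp);
    free(*scp);
    *scp = NULL;
}
```

Taking a pointer-to-pointer in the freeing variant turns a later dereference by the caller into a NULL fault rather than a silent read of freed memory.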