use after free bugs
Ted Unangst
tedu at coverity.com
Mon Aug 23 10:18:14 PDT 2004
M. Warner Losh wrote:
> In message: <41263E77.5040500 at coverity.com>
> Ted Unangst <tedu at coverity.com> writes:
> : aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
> : afterwards, lots of examples.
>
> aha_free doesn't actually free the aha, it just tears down the dma for
> the device. So the struct aha_softc * that's passed to it is safe to
> use after calls to aha_free.
>
> void
> aha_free(struct aha_softc *aha)
> {
> 	switch (aha->init_level) {
> 	default:
> 	case 8:
> 	{
> 		struct sg_map_node *sg_map;
>
> 		while ((sg_map = SLIST_FIRST(&aha->sg_maps)) != NULL) {
> 			SLIST_REMOVE_HEAD(&aha->sg_maps, links);
> 			bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
> 			bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
> 			    sg_map->sg_dmamap);
> 			free(sg_map, M_DEVBUF);
> 		}
> 		bus_dma_tag_destroy(aha->sg_dmat);
> 	}
> 	case 7:
> 		bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
> 	case 6:
> 		bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
> 		bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
> 		    aha->ccb_dmamap);
> 	case 5:
> 		bus_dma_tag_destroy(aha->ccb_dmat);
> 	case 4:
> 		bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 3:
> 		bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
> 		    aha->mailbox_dmamap);
> 		bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 2:
> 		bus_dma_tag_destroy(aha->buffer_dmat);
> 	case 1:
> 		bus_dma_tag_destroy(aha->mailbox_dmat);
> 	case 0:
> 		break;
> 	}
> }
>
> so all the calls to aha_free then the freeing of resources are OK.
ah, look at the 4.x sources though. it does free aha.
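
A constructed userspace model of the ownership question in this thread (an added example, not part of the original messages and not FreeBSD code): `softc_teardown` follows the staged, fall-through cleanup quoted above and leaves the structure allocated, while `softc_destroy` models a callee that also frees it and, as an added mitigation, clears the caller's pointer. All names (`softc`, `softc_teardown`, `softc_destroy`) are hypothetical.

```c
#include <stdlib.h>

/* Constructed userspace model; names are hypothetical, not the driver's. */
struct softc {
    int   init_level;  /* number of setup stages that completed */
    int   unit;
    void *mailbox;     /* allocated at stage 1 */
    void *ccbs;        /* allocated at stage 2 */
};

/* Teardown only: undo the completed stages in reverse order and leave
 * the softc allocated, so the caller may keep using the pointer. */
static void softc_teardown(struct softc *sc)
{
    switch (sc->init_level) {
    default:
    case 2:
        free(sc->ccbs);
        sc->ccbs = NULL;    /* FALLTHROUGH */
    case 1:
        free(sc->mailbox);
        sc->mailbox = NULL; /* FALLTHROUGH */
    case 0:
        break;
    }
    sc->init_level = 0;     /* a second call is now a no-op */
}

/* Callee-frees variant: the softc itself is released too. Clearing the
 * caller's pointer turns a later use into a NULL dereference instead of
 * a read of freed memory. */
static void softc_destroy(struct softc **scp)
{
    if (*scp == NULL)
        return;
    softc_teardown(*scp);
    free(*scp);
    *scp = NULL;
}

int main(void)
{
    struct softc *sc = calloc(1, sizeof(*sc));
    if (sc == NULL)
        return 1;
    sc->mailbox = malloc(64);
    sc->init_level = 1;
    softc_teardown(sc);   /* sc is still valid after this call */
    softc_destroy(&sc);   /* sc is NULL from here on */
    return sc != NULL;
}
```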