From owner-freebsd-hackers@FreeBSD.ORG  Thu Mar 28 17:25:09 2013
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 300A9626
 for <hackers@freebsd.org>; Thu, 28 Mar 2013 17:25:09 +0000 (UTC)
 (envelope-from will@firepipe.net)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com
 [IPv6:2607:f8b0:4001:c03::22a])
 by mx1.freebsd.org (Postfix) with ESMTP id 088C27C7
 for <hackers@freebsd.org>; Thu, 28 Mar 2013 17:25:08 +0000 (UTC)
Received: by mail-ie0-f170.google.com with SMTP id c11so12132061ieb.29
 for <hackers@freebsd.org>; Thu, 28 Mar 2013 10:25:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=mime-version:x-received:date:message-id:subject:from:to:cc
 :content-type:x-gm-message-state;
 bh=H8gyh8Xdns/cU9N1gIKP6Pbuu3JQUT4nGbMRaFlOCCc=;
 b=nOQ296KatKURiHQggQEqTv7eiVhAlBkZRXFhbE1klGp/N+qlqYQt6Dq4AXl6H1hbZ5
 wMvNnWYYSXrdG+jrEI+wBRUSWxeg73DMwsfJ2EMfIdxpwJr9t7VEG8WVSWrVMgTcZibF
 xlZhAbILzU47peaksvxxdRHrp1yyaL8Uo6SltyMSBG7DbB19GTa+LpwLB26o13JFUWQc
 s1ZCz0G8vUkz/zic3ckPJ4QGNmpl/4KfdhA8L3wK7O+HdotPzq+BZ457NBA4PBEKBumk
 H1b7myvWxJXbQSp5rb4zAbKLd9/w0Yr/KAEfGvipCyb2JgxgZvDVHIrgZ3m5PXS0PLFT
 hKbg==
MIME-Version: 1.0
X-Received: by 10.50.47.170 with SMTP id e10mr7780823ign.84.1364491508472;
 Thu, 28 Mar 2013 10:25:08 -0700 (PDT)
Received: by 10.231.103.70 with HTTP; Thu, 28 Mar 2013 10:25:08 -0700 (PDT)
Date: Thu, 28 Mar 2013 11:25:08 -0600
Message-ID: <CADBaqmgJY=N0bodBA+kyjkQuNnM+qvLML1UZvJU_JY=PLwg5hQ@mail.gmail.com>
Subject: CFR: FireWire: Don't allow a tlabel to reference an xfer after free
From: Will Andrews <will@firepipe.net>
To: hackers@freebsd.org
X-Gm-Message-State: ALoCoQkssnkv8FwX9LUcrEjGQPWv6SbinDkiDowYf5LPqrqCngAYDJzH9ZrsFJDqO43X12/Y/CPJ
X-Mailman-Approved-At: Thu, 28 Mar 2013 17:30:39 +0000
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: Alexander Kabaev <kan@freebsd.org>
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 17:25:09 -0000

Diff: http://people.freebsd.org/~will/patches/fix-fwmem-use-after-free.diff

>From the commit log:

	FireWire: Don't allow a tlabel to reference an xfer after free.
	
	sys/dev/firewire/firewire.c:
	- fw_xfer_unload(): Since we are about to free this xfer, call
	  fw_tl_free() to remove the xfer from its tlabel's list, if
	  it has a tlabel.
	- In every occasion when a xfer is removed from a tlabel's list,
	  reset xfer->tl to -1 while holding fc->tlabel_lock, so that the
	  xfer isn't mis-identified as belonging to a tlabel.


Thanks,
--Will.