Date: Tue, 26 May 2020 16:02:11 +0000 (UTC)
From: Marcin Wojtas <mw@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r361528 - head/sys/dev/ena
Message-ID: <202005261602.04QG2Bwg081957@repo.freebsd.org>
Author: mw Date: Tue May 26 16:02:10 2020 New Revision: 361528 URL: https://svnweb.freebsd.org/changeset/base/361528 Log: Fix double-free bug within ena_detach() There is ena_free_all_io_rings_resources() called twice on device detach: ena_detach(): ena_destroy_device(): /* First call */ ena_free_all_io_rings_resources() /* Second call */ ena_free_all_io_rings_resources() The double-free causes panic() on kldunload, for example. As the ena_destroy_device() is also called by ena_reset_task() it is better to stay unchanged. Thus, remove the "Second call" of the function. Submitted by: Maciej Bielski <mba@semihalf.com> Obtained from: Semihalf Sponsored by: Amazon, Inc. Modified: head/sys/dev/ena/ena.c Modified: head/sys/dev/ena/ena.c ============================================================================== --- head/sys/dev/ena/ena.c Tue May 26 16:00:30 2020 (r361527) +++ head/sys/dev/ena/ena.c Tue May 26 16:02:10 2020 (r361528) @@ -3695,8 +3695,6 @@ ena_detach(device_t pdev) netmap_detach(adapter->ifp); #endif /* DEV_NETMAP */ - ena_free_all_io_rings_resources(adapter); - ena_free_counters((counter_u64_t *)&adapter->hw_stats, sizeof(struct ena_hw_stats)); ena_free_counters((counter_u64_t *)&adapter->dev_stats,
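Review bot: In the ena_detach() hunk at line 3695, nothing left in the code records why the IO ring resources are not freed here, so a later cleanup pass could reintroduce the call and the double free with it. A one-line comment where `ena_free_all_io_rings_resources(adapter);` was removed, saying that ena_destroy_device() already releases the IO rings, would keep the ownership visible. The ena_destroy_device() call is outside the context lines shown, so it is worth confirming it runs on every path through ena_detach() before the ena_free_counters() calls; otherwise this change trades the double free for a leak. Since the log says a second call panics, and ena_reset_task() reaches the same free through ena_destroy_device(), consider also making ena_free_all_io_rings_resources() safe to call twice (clear each pointer after it is freed) so that a repeated teardown is harmless rather than fatal.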