From: Ted Unangst
Date: Mon, 23 Aug 2004 10:12:42 -0700
To: "M. Warner Losh"
cc: hackers@freebsd.org
Subject: Re: use after free bugs
List-Id: Technical Discussions relating to FreeBSD

M. Warner Losh wrote:
> In message: <41263E77.5040500@coverity.com>
>             Ted Unangst writes:
> : aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
> : afterwards, lots of examples.
>
> aha_free doesn't actually free the aha, it just tears down the dma for
> the device.  So the struct aha_softc * that's passed to it is safe to
> use after calls to aha_free.
>
> void
> aha_free(struct aha_softc *aha)
> {
> 	switch (aha->init_level) {
> 	default:
> 	case 8:
> 	{
> 		struct sg_map_node *sg_map;
>
> 		while ((sg_map = SLIST_FIRST(&aha->sg_maps)) != NULL) {
> 			SLIST_REMOVE_HEAD(&aha->sg_maps, links);
> 			bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
> 			bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
> 			    sg_map->sg_dmamap);
> 			free(sg_map, M_DEVBUF);
> 		}
> 		bus_dma_tag_destroy(aha->sg_dmat);
> 	}
> 	case 7:
> 		bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
> 	case 6:
> 		bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
> 		bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
> 		    aha->ccb_dmamap);
> 	case 5:
> 		bus_dma_tag_destroy(aha->ccb_dmat);
> 	case 4:
> 		bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 3:
> 		bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
> 		    aha->mailbox_dmamap);
> 		bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 2:
> 		bus_dma_tag_destroy(aha->buffer_dmat);
> 	case 1:
> 		bus_dma_tag_destroy(aha->mailbox_dmat);
> 	case 0:
> 		break;
> 	}
> }
>
> so all the calls to aha_free then the freeing of resources are OK.

ah, look at the 4.x sources though.  it does free aha.
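
Added example, not part of the original thread and not FreeBSD code: a user-space C model of the two contracts the messages above contrast, a staged teardown keyed on `init_level` that leaves the softc allocated, and a variant that also frees the softc. All names (`softc_setup`, `softc_teardown`, `softc_destroy`, `attach_fail_path`) are hypothetical, and clearing the caller's pointer in the destroy variant is an added defensive pattern, not something either source tree is claimed to do.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; all names are hypothetical, not FreeBSD's. */
struct softc {
    int init_level;       /* number of setup stages that completed */
    int *mailbox, *ccbs;  /* resources owned by stages 1 and 2 */
    int unit;
};

static struct softc *softc_setup(int unit, int stages) {
    struct softc *sc = calloc(1, sizeof(*sc));
    if (sc == NULL) return NULL;
    sc->unit = unit;
    if (stages >= 1 && (sc->mailbox = calloc(4, sizeof(int))) != NULL)
        sc->init_level = 1;
    if (stages >= 2 && sc->init_level == 1 &&
        (sc->ccbs = calloc(8, sizeof(int))) != NULL)
        sc->init_level = 2;
    return sc;
}
/* Contract A: unwind what the softc owns; the softc itself stays allocated. */
static void softc_teardown(struct softc *sc) {
    switch (sc->init_level) {
    default:
    case 2: free(sc->ccbs); sc->ccbs = NULL;        /* FALLTHROUGH */
    case 1: free(sc->mailbox); sc->mailbox = NULL;  /* FALLTHROUGH */
    case 0: break;
    }
    sc->init_level = 0;
}
/* Contract B: also frees the softc and clears the caller's pointer, so a
 * later dereference faults on NULL instead of reading freed memory. */
static void softc_destroy(struct softc **scp) {
    if (*scp == NULL) return;
    softc_teardown(*scp);
    free(*scp);
    *scp = NULL;
}
/* Attach failure path: reading sc->unit after teardown is valid only under
 * contract A. Returns the unit, or -1 if setup could not allocate. */
static int attach_fail_path(int stages) {
    struct softc *sc = softc_setup(7, stages);
    if (sc == NULL) return -1;
    softc_teardown(sc);
    int unit = (sc->init_level == 0) ? sc->unit : -1;
    softc_destroy(&sc);   /* sc is NULL from here on */
    return (sc == NULL) ? unit : -1;
}
int main(void) { printf("unit %d\n", attach_fail_path(2)); return 0; }
```

Whether a read of the softc after the teardown call is a use-after-free depends entirely on which contract the callee implements, which is why the same report can be a false positive against one branch and a real bug against another.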