Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 Aug 2004 10:12:42 -0700
From:      Ted Unangst <tedu@coverity.com>
To:        "M. Warner Losh" <imp@bsdimp.com>
Cc:        hackers@freebsd.org
Subject:   Re: use after free bugs
Message-ID:  <412A258A.3060100@coverity.com>
In-Reply-To: <20040822.183041.128046524.imp@bsdimp.com>
References:  <41263E77.5040500@coverity.com> <20040822.183041.128046524.imp@bsdimp.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
M. Warner Losh wrote:
> In message: <41263E77.5040500@coverity.com>
>             Ted Unangst <tedu@coverity.com> writes:
> : aha_isa.c: aha_isa_attach:  aha_free free "aha", can't use it 
> : afterwards, lots of examples.
> 
> aha_free doesn't actually free the aha, it just tears down the dma for
> the device.  So the sturct aha_softc * that's passed to it is safe to
> use after calls to aha_free.
> 
> void
> aha_free(struct aha_softc *aha)
> {
> 	switch (aha->init_level) {
> 	default:
> 	case 8:
> 	{
> 		struct sg_map_node *sg_map;
> 
> 		while ((sg_map = SLIST_FIRST(&aha->sg_maps))!= NULL) {
> 			SLIST_REMOVE_HEAD(&aha->sg_maps, links);
> 			bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
> 			bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
> 			    sg_map->sg_dmamap);
> 			free(sg_map, M_DEVBUF);
> 		}
> 		bus_dma_tag_destroy(aha->sg_dmat);
> 	}
> 	case 7:
> 		bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
> 	case 6:
> 		bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
> 		bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
> 		    aha->ccb_dmamap);
> 	case 5:
> 		bus_dma_tag_destroy(aha->ccb_dmat);
> 	case 4:
> 		bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 3:
> 		bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
> 		    aha->mailbox_dmamap);
> 		bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
> 	case 2:
> 		bus_dma_tag_destroy(aha->buffer_dmat);
> 	case 1:
> 		bus_dma_tag_destroy(aha->mailbox_dmat);
> 	case 0:
> 		break;
> 	}
> }
> 
> so all the calls to aha_free then the freeing of resoruces are OK.

ah, look at the 4.x sources though.  it does free aha.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?412A258A.3060100>