Date: Fri, 27 Jan 2017 23:03:29 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r312904 - head/sys/dev/cxgbe/tom Message-ID: <201701272303.v0RN3TuX040744@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Fri Jan 27 23:03:28 2017 New Revision: 312904 URL: https://svnweb.freebsd.org/changeset/base/312904 Log: Don't drop a reference to the TOE PCB in undo_offload_socket(). undo_offload_socket() is only called by t4_connect() during a connection setup failure, but t4_connect() still owns the TOE PCB and frees ita after undo_offload_socket() returns. Release a reference in undo_offload_socket() resulted in a double-free which panicked when t4_connect() performed the second free. The reference release was added to undo_offload_socket() incorrectly in r299210. MFC after: 1 week Sponsored by: Chelsio Communications Modified: head/sys/dev/cxgbe/tom/t4_tom.c Modified: head/sys/dev/cxgbe/tom/t4_tom.c ============================================================================== --- head/sys/dev/cxgbe/tom/t4_tom.c Fri Jan 27 22:30:27 2017 (r312903) +++ head/sys/dev/cxgbe/tom/t4_tom.c Fri Jan 27 23:03:28 2017 (r312904) @@ -273,8 +273,6 @@ undo_offload_socket(struct socket *so) mtx_lock(&td->toep_list_lock); TAILQ_REMOVE(&td->toep_list, toep, link); mtx_unlock(&td->toep_list_lock); - - free_toepcb(toep); } static void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701272303.v0RN3TuX040744>