Date: Fri, 3 Feb 2017 23:48:57 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r313179 - stable/11/sys/dev/cxgbe/tom Message-ID: <201702032348.v13NmvEk050778@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Fri Feb 3 23:48:56 2017 New Revision: 313179 URL: https://svnweb.freebsd.org/changeset/base/313179 Log: MFC 312904: Don't drop a reference to the TOE PCB in undo_offload_socket(). undo_offload_socket() is only called by t4_connect() during a connection setup failure, but t4_connect() still owns the TOE PCB and frees ita after undo_offload_socket() returns. Release a reference in undo_offload_socket() resulted in a double-free which panicked when t4_connect() performed the second free. The reference release was added to undo_offload_socket() incorrectly in r299210. Sponsored by: Chelsio Communications Modified: stable/11/sys/dev/cxgbe/tom/t4_tom.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/cxgbe/tom/t4_tom.c ============================================================================== --- stable/11/sys/dev/cxgbe/tom/t4_tom.c Fri Feb 3 23:33:06 2017 (r313178) +++ stable/11/sys/dev/cxgbe/tom/t4_tom.c Fri Feb 3 23:48:56 2017 (r313179) @@ -273,8 +273,6 @@ undo_offload_socket(struct socket *so) mtx_lock(&td->toep_list_lock); TAILQ_REMOVE(&td->toep_list, toep, link); mtx_unlock(&td->toep_list_lock); - - free_toepcb(toep); } static void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201702032348.v13NmvEk050778>