Date: Sun, 22 Aug 2004 18:30:41 -0600 (MDT) From: "M. Warner Losh" <imp@bsdimp.com> To: tedu@coverity.com Cc: hackers@freebsd.org Subject: Re: use after free bugs Message-ID: <20040822.183041.128046524.imp@bsdimp.com> In-Reply-To: <41263E77.5040500@coverity.com> References: <41263E77.5040500@coverity.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message: <41263E77.5040500@coverity.com>
Ted Unangst <tedu@coverity.com> writes:
: aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
: afterwards, lots of examples.
aha_free doesn't actually free the aha, it just tears down the dma for
the device. So the sturct aha_softc * that's passed to it is safe to
use after calls to aha_free.
void
aha_free(struct aha_softc *aha)
{
switch (aha->init_level) {
default:
case 8:
{
struct sg_map_node *sg_map;
while ((sg_map = SLIST_FIRST(&aha->sg_maps))!= NULL) {
SLIST_REMOVE_HEAD(&aha->sg_maps, links);
bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
sg_map->sg_dmamap);
free(sg_map, M_DEVBUF);
}
bus_dma_tag_destroy(aha->sg_dmat);
}
case 7:
bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
case 6:
bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
aha->ccb_dmamap);
case 5:
bus_dma_tag_destroy(aha->ccb_dmat);
case 4:
bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
case 3:
bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
aha->mailbox_dmamap);
bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
case 2:
bus_dma_tag_destroy(aha->buffer_dmat);
case 1:
bus_dma_tag_destroy(aha->mailbox_dmat);
case 0:
break;
}
}
so all the calls to aha_free then the freeing of resoruces are OK.
Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040822.183041.128046524.imp>