From: "M. Warner Losh"
To: tedu@coverity.com
cc: hackers@freebsd.org
Date: Sun, 22 Aug 2004 18:30:41 -0600 (MDT)
Subject: Re: use after free bugs
Message-Id: <20040822.183041.128046524.imp@bsdimp.com>
In-Reply-To: <41263E77.5040500@coverity.com>
List-Id: Technical Discussions relating to FreeBSD

In message: <41263E77.5040500@coverity.com>
            Ted Unangst writes:
: aha_isa.c: aha_isa_attach: aha_free free "aha", can't use it
: afterwards, lots of examples.

aha_free doesn't actually free the aha, it just tears down the dma for
the device.  So the struct aha_softc * that's passed to it is safe to
use after calls to aha_free.

void
aha_free(struct aha_softc *aha)
{
	switch (aha->init_level) {
	default:
	case 8:
	{
		struct sg_map_node *sg_map;

		while ((sg_map = SLIST_FIRST(&aha->sg_maps)) != NULL) {
			SLIST_REMOVE_HEAD(&aha->sg_maps, links);
			bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
			bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
			    sg_map->sg_dmamap);
			free(sg_map, M_DEVBUF);
		}
		bus_dma_tag_destroy(aha->sg_dmat);
	}
	case 7:
		bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
	case 6:
		bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
		bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
		    aha->ccb_dmamap);
	case 5:
		bus_dma_tag_destroy(aha->ccb_dmat);
	case 4:
		bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
	case 3:
		bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
		    aha->mailbox_dmamap);
		bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
	case 2:
		bus_dma_tag_destroy(aha->buffer_dmat);
	case 1:
		bus_dma_tag_destroy(aha->mailbox_dmat);
	case 0:
		break;
	}
}

so all the calls to aha_free then the freeing of resources are OK.

Warner
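
The distinction drawn in the message above, as an added userland example that is not part of the original post or the FreeBSD driver: a teardown routine keyed on init_level releases what the structure owns but never the structure itself, so the caller may keep using it. All toy_* names are hypothetical, malloc stands in for the DMA resources, and resetting init_level to 0 is an added hardening step that the aha_free shown above does not perform.

```c
#include <stdlib.h>

/* Hypothetical userland stand-in for a driver softc (not the aha driver). */
struct toy_softc {
    int   init_level; /* number of setup stages that completed */
    int   unit;       /* plain field, lives as long as the struct */
    void *mailbox;    /* stage 1 resource */
    void *ccbs;       /* stage 2 resource */
};

/* Staged setup; fail_at simulates a failure at that stage (0 = none). */
int toy_init(struct toy_softc *sc, int fail_at) {
    if (fail_at == 1 || (sc->mailbox = malloc(64)) == NULL)
        return -1;
    sc->init_level = 1;
    if (fail_at == 2 || (sc->ccbs = malloc(256)) == NULL)
        return -1;
    sc->init_level = 2;
    return 0;
}

/* Releases what sc owns, newest stage first; never frees sc. Returns count. */
int toy_free(struct toy_softc *sc) {
    int released = 0;
    switch (sc->init_level) {
    default:
    case 2: free(sc->ccbs); sc->ccbs = NULL; released++;       /* FALLTHROUGH */
    case 1: free(sc->mailbox); sc->mailbox = NULL; released++; /* FALLTHROUGH */
    case 0: break;
    }
    sc->init_level = 0; /* added hardening: a repeated call is a no-op */
    return released;
}

/* The flagged pattern: tear down, then keep using the softc. */
int toy_attach_fail(int fail_at) {
    struct toy_softc *sc = calloc(1, sizeof(*sc));
    int unit, released;
    if (sc == NULL) return -1;
    sc->unit = 7;
    (void)toy_init(sc, fail_at);
    released = toy_free(sc);
    unit = sc->unit;          /* valid: sc is still allocated */
    released += toy_free(sc); /* second call releases nothing */
    free(sc);                 /* the owner of sc frees it, once */
    return unit * 10 + released;
}

int main(void) { return toy_attach_fail(0) == 72 ? 0 : 1; }
```

Building this with -fsanitize=address and running it reports no use-after-free, which is the behaviour the reply describes for the real routine.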