Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 Aug 2004 11:21:21 -0600 (MDT)
From:      "M. Warner Losh" <imp@bsdimp.com>
To:        tedu@coverity.com
Cc:        hackers@freebsd.org
Subject:   Re: use after free bugs
Message-ID:  <20040823.112121.85395384.imp@bsdimp.com>
In-Reply-To: <412A258A.3060100@coverity.com>
References:  <41263E77.5040500@coverity.com> <20040822.183041.128046524.imp@bsdimp.com> <412A258A.3060100@coverity.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message: <412A258A.3060100@coverity.com>
            Ted Unangst <tedu@coverity.com> writes:
: M. Warner Losh wrote:
: > In message: <41263E77.5040500@coverity.com>
: >             Ted Unangst <tedu@coverity.com> writes:
: > : aha_isa.c: aha_isa_attach:  aha_free free "aha", can't use it 
: > : afterwards, lots of examples.
: > 
: > aha_free doesn't actually free the aha, it just tears down the dma for
: > the device.  So the sturct aha_softc * that's passed to it is safe to
: > use after calls to aha_free.
: > 
: > void
: > aha_free(struct aha_softc *aha)
: > {
: > 	switch (aha->init_level) {
: > 	default:
: > 	case 8:
: > 	{
: > 		struct sg_map_node *sg_map;
: > 
: > 		while ((sg_map = SLIST_FIRST(&aha->sg_maps))!= NULL) {
: > 			SLIST_REMOVE_HEAD(&aha->sg_maps, links);
: > 			bus_dmamap_unload(aha->sg_dmat, sg_map->sg_dmamap);
: > 			bus_dmamem_free(aha->sg_dmat, sg_map->sg_vaddr,
: > 			    sg_map->sg_dmamap);
: > 			free(sg_map, M_DEVBUF);
: > 		}
: > 		bus_dma_tag_destroy(aha->sg_dmat);
: > 	}
: > 	case 7:
: > 		bus_dmamap_unload(aha->ccb_dmat, aha->ccb_dmamap);
: > 	case 6:
: > 		bus_dmamap_destroy(aha->ccb_dmat, aha->ccb_dmamap);
: > 		bus_dmamem_free(aha->ccb_dmat, aha->aha_ccb_array,
: > 		    aha->ccb_dmamap);
: > 	case 5:
: > 		bus_dma_tag_destroy(aha->ccb_dmat);
: > 	case 4:
: > 		bus_dmamap_unload(aha->mailbox_dmat, aha->mailbox_dmamap);
: > 	case 3:
: > 		bus_dmamem_free(aha->mailbox_dmat, aha->in_boxes,
: > 		    aha->mailbox_dmamap);
: > 		bus_dmamap_destroy(aha->mailbox_dmat, aha->mailbox_dmamap);
: > 	case 2:
: > 		bus_dma_tag_destroy(aha->buffer_dmat);
: > 	case 1:
: > 		bus_dma_tag_destroy(aha->mailbox_dmat);
: > 	case 0:
: > 		break;
: > 	}
: > }
: > 
: > so all the calls to aha_free then the freeing of resoruces are OK.
: 
: ah, look at the 4.x sources though.  it does free aha.

Hmmmmm....  Very true.

Warner

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040823.112121.85395384.imp>