Date:      Mon, 30 Apr 2018 21:28:10 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r333127 - head/sys/dev/nvme
Message-ID:  <201804302128.w3ULSAAt041008@repo.freebsd.org>

Author: mav
Date: Mon Apr 30 21:28:10 2018
New Revision: 333127
URL: https://svnweb.freebsd.org/changeset/base/333127

Log:
  Fix use-after-free in nvme_qpair_destroy().
  
  dma_tag_payload should not be destroyed before payload_dma_map, and it
  seems it should be used there instead of dma_tag to match creation.
  
  Sponsored by:	iXsystems, Inc.

Modified:
  head/sys/dev/nvme/nvme_qpair.c

Modified: head/sys/dev/nvme/nvme_qpair.c
==============================================================================
--- head/sys/dev/nvme/nvme_qpair.c	Mon Apr 30 20:29:28 2018	(r333126)
+++ head/sys/dev/nvme/nvme_qpair.c	Mon Apr 30 21:28:10 2018	(r333127)
@@ -690,21 +690,22 @@ nvme_qpair_destroy(struct nvme_qpair *qpair)
 		    qpair->queuemem_map);
 	}
 
-	if (qpair->dma_tag)
-		bus_dma_tag_destroy(qpair->dma_tag);
-
-	if (qpair->dma_tag_payload)
-		bus_dma_tag_destroy(qpair->dma_tag_payload);
-
 	if (qpair->act_tr)
 		free(qpair->act_tr, M_NVME);
 
 	while (!TAILQ_EMPTY(&qpair->free_tr)) {
 		tr = TAILQ_FIRST(&qpair->free_tr);
 		TAILQ_REMOVE(&qpair->free_tr, tr, tailq);
-		bus_dmamap_destroy(qpair->dma_tag, tr->payload_dma_map);
+		bus_dmamap_destroy(qpair->dma_tag_payload,
+		    tr->payload_dma_map);
 		free(tr, M_NVME);
 	}
+
+	if (qpair->dma_tag)
+		bus_dma_tag_destroy(qpair->dma_tag);
+
+	if (qpair->dma_tag_payload)
+		bus_dma_tag_destroy(qpair->dma_tag_payload);
 }
 
 static void
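Review bot: The two `bus_dma_tag_destroy()` calls now at the end of the hunk still discard their return value, yet the fix depends on every payload map having been destroyed before the tag. busdma reports a tag that still has maps by returning an error (EBUSY) instead of freeing it, so a check such as `if (bus_dma_tag_destroy(qpair->dma_tag_payload) != 0) printf("nvme: payload DMA tag still has maps\n");` would surface a tracker that never returned to `free_tr`; only `free_tr` is drained in the visible lines. It would also help to set `qpair->dma_tag`, `qpair->dma_tag_payload` and `qpair->act_tr` to NULL after releasing them, so that a second call on the same qpair hits the existing NULL guards rather than stale pointers. The start of nvme_qpair_destroy() is outside this hunk, so earlier cleanup may already cover part of this.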


