Author: mav
Date: Thu Jun 14 17:02:58 2018
New Revision: 335152
URL: https://svnweb.freebsd.org/changeset/base/335152

Log:
  MFC r333127: Fix use-after-free in nvme_qpair_destroy().
  
  dma_tag_payload should not be destroyed before payload_dma_map, and it
  seems it should be used there instead of dma_tag to match creation.

Modified:
  stable/11/sys/dev/nvme/nvme_qpair.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/nvme/nvme_qpair.c
==============================================================================
--- stable/11/sys/dev/nvme/nvme_qpair.c Thu Jun 14 16:58:03 2018        
(r335151)
+++ stable/11/sys/dev/nvme/nvme_qpair.c Thu Jun 14 17:02:58 2018        
(r335152)
@@ -606,21 +606,22 @@ nvme_qpair_destroy(struct nvme_qpair *qpair)
                    qpair->queuemem_map);
        }
 
-       if (qpair->dma_tag)
-               bus_dma_tag_destroy(qpair->dma_tag);
-
-       if (qpair->dma_tag_payload)
-               bus_dma_tag_destroy(qpair->dma_tag_payload);
-
        if (qpair->act_tr)
                free(qpair->act_tr, M_NVME);
 
        while (!TAILQ_EMPTY(&qpair->free_tr)) {
                tr = TAILQ_FIRST(&qpair->free_tr);
                TAILQ_REMOVE(&qpair->free_tr, tr, tailq);
-               bus_dmamap_destroy(qpair->dma_tag, tr->payload_dma_map);
+               bus_dmamap_destroy(qpair->dma_tag_payload,
+                   tr->payload_dma_map);
                free(tr, M_NVME);
        }
+
+       if (qpair->dma_tag)
+               bus_dma_tag_destroy(qpair->dma_tag);
+
+       if (qpair->dma_tag_payload)
+               bus_dma_tag_destroy(qpair->dma_tag_payload);
 }
 
 static void
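Review bot: The destroy order at the end of nvme_qpair_destroy() is now load-bearing, but nothing in the code says so. A comment above the relocated `bus_dma_tag_destroy()` calls, e.g. `/* Tags must outlive every map created from them; destroy them only after the free_tr loop. */`, would keep a later cleanup from moving them back up. The return values of `bus_dmamap_destroy()` and `bus_dma_tag_destroy()` are also discarded; busdma documents EBUSY for a tag that still has maps, so a `KASSERT` on the result of those calls would surface this kind of ordering or tag-mismatch bug in debug kernels instead of leaving it silent. The function starts above the hunk, so whether other users of these tags are torn down earlier cannot be judged from here.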