d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix use-after-free in nvme_qpair_destroy().

Browse Source 
dma_tag_payload should not be destroyed before payload_dma_map, and seems
it should be used there instead of dma_tag to match creation.

Sponsored by:	iXsystems, Inc.
This commit is contained in:
Alexander Motin 2018-04-30 21:28:10 +00:00
parent 986c4ca387
commit c6c70c0746
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
sys/dev/nvme/nvme_qpair.c
View File

@ -690,21 +690,22 @@ nvme_qpair_destroy(struct nvme_qpair *qpair)
qpair->queuemem_map);
}
if (qpair->dma_tag)
bus_dma_tag_destroy(qpair->dma_tag);
if (qpair->dma_tag_payload)
bus_dma_tag_destroy(qpair->dma_tag_payload);
if (qpair->act_tr)
free(qpair->act_tr, M_NVME);
while (!TAILQ_EMPTY(&qpair->free_tr)) {
tr = TAILQ_FIRST(&qpair->free_tr);
TAILQ_REMOVE(&qpair->free_tr, tr, tailq);
bus_dmamap_destroy(qpair->dma_tag, tr->payload_dma_map);
bus_dmamap_destroy(qpair->dma_tag_payload,
tr->payload_dma_map);
free(tr, M_NVME);
}
if (qpair->dma_tag)
bus_dma_tag_destroy(qpair->dma_tag);
if (qpair->dma_tag_payload)
bus_dma_tag_destroy(qpair->dma_tag_payload);
}
static void