5976 e1000g use after free on start failure

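--- a/usr/src/uts/common/io/e1000g/e1000g_alloc.c
+++ b/usr/src/uts/common/io/e1000g/e1000g_alloc.c
@@ -1448,20 +1448,23 @@
                 if (ref_cnt > 0) {
                         atomic_inc_32(&rx_data->pending_count);
                         atomic_inc_32(&e1000g_mblks_pending);
                 } else {
                         e1000g_free_rx_sw_packet(packet, full_release);
                 }
 
                 packet = next_packet;
         }
 
+        if (full_release)
+                rx_data->packet_area = NULL;
+
         mutex_exit(&e1000g_rx_detach_lock);
 }
 
 
 static void
 e1000g_free_tx_packets(e1000g_tx_ring_t *tx_ring)
 {
         int j;
         struct e1000g *Adapter;
         p_tx_sw_packet_t packet;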
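Review bot: The new `rx_data->packet_area = NULL` at new lines 1458-1459 carries no comment explaining why the list head is cleared only when `full_release` is set, although that is the invariant this use-after-free fix relies on. Packets that took the `ref_cnt > 0` branch are counted as pending rather than freed, and after this assignment they can no longer be reached through `packet_area`, so the comment should also say that they are released by some other path (not visible here). I would add `/* Packets were fully released above; clear the head so a later start/stop cannot walk freed memory. */` above the `if`. The function begins above the hunk, so how `packet_area` is read on entry and what `e1000g_free_rx_sw_packet()` leaves allocated when `full_release` is false cannot be confirmed from these lines.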