From b934b5e5324587afc1edd164d57487d7fbf7bdd4 Mon Sep 17 00:00:00 2001
From: ngie
Date: Fri, 13 May 2016 08:36:33 +0000
Subject: [PATCH] MFC r298669: r298669 (by cem): iscsi_initiator(4): Fix use-after-free, double-free ism_stop() already destroys and frees 'sp', including a call to ic_destroy(). Don't dereference 'sp' after ism_stop() and don't invoke ic_destroy() on the freed memory either. CIDs: 1006109, 1304861
git-svn-id: svn://svn.freebsd.org/base/stable/10@299621 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/dev/iscsi_initiator/iscsi.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/sys/dev/iscsi_initiator/iscsi.c b/sys/dev/iscsi_initiator/iscsi.c
index cd66a369f..b914a2008 100644
--- a/sys/dev/iscsi_initiator/iscsi.c
+++ b/sys/dev/iscsi_initiator/iscsi.c
@@ -807,8 +807,6 @@ iscsi_stop(void)
 TAILQ_FOREACH_SAFE(sp, &isc->isc_sess, sp_link, sp_tmp) {
 //XXX: check for activity ...
 ism_stop(sp);
- if(sp->cam_sim != NULL)
- ic_destroy(sp);
 }
 mtx_destroy(&isc->isc_mtx);
 sx_destroy(&isc->unit_sx);
-- 
2.45.0