From: Alexander Bluhm <bluhm@openbsd.org>
Subject: Re: psp(4): sc_tmr_map to NULL to avoid use-after-free
To: tech@openbsd.org
Date: Tue, 12 Aug 2025 21:17:45 +0200

On Tue, Aug 12, 2025 at 11:21:25AM +0200, Hans-J?rg H?xer wrote:
> Hi,
> 
> to avoid use-after-free type problems set sc->sc_tmr_map to NULL after
> destroying the map in the error path of psp_reinit().  Similar to
> psp_shutdown().
> 
> ok?

OK bluhm@

> --------------------------------------------------------------------------
> commit 0c0e09fb5271fe7c3f0a93f638d316f6af8061d6
> Author: Hans-Joerg Hoexer <hshoexer@genua.de>
> Date:   Wed Jul 23 16:53:22 2025 +0200
> 
>     psp(4): sc_tmr_map to NULL to avoid use-after-free
> 
> diff --git a/sys/dev/ic/psp.c b/sys/dev/ic/psp.c
> index 9345c3ed0d5..fb6f6026ad9 100644
> --- a/sys/dev/ic/psp.c
> +++ b/sys/dev/ic/psp.c
> @@ -406,6 +406,7 @@ fail_2:
>  	bus_dmamem_free(sc->sc_dmat, &sc->sc_tmr_seg, nsegs);
>  fail_1:
>  	bus_dmamap_destroy(sc->sc_dmat, sc->sc_tmr_map);
> +	sc->sc_tmr_map = NULL;
>  fail_0:
>  	return (error);
>  }