From: Jan Beulich via SeaBIOS
Date: Mon, 24 Jan 2022 09:20:53 +0000 (+0100)
Subject: nvme: avoid use-after-free in nvme_controller_enable()
X-Git-Tag: rel-1.16.0~2
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=dc776a2d9ca9e1b857e880ff682668871369b4c3;p=seabios.git

nvme: avoid use-after-free in nvme_controller_enable()

Commit b68f313c9139 ("nvme: Record maximum allowed request size") introduced a use of "identify" past it being passed to free(). Latch the value of interest into a local variable.

Reported-by: Coverity (ID 1497613)
Signed-off-by: Jan Beulich
---
diff --git a/src/hw/nvme.c b/src/hw/nvme.c index 3dfa0ce..b3835c0 100644 --- a/src/hw/nvme.c +++ b/src/hw/nvme.c @@ -637,6 +637,7 @@ nvme_controller_enable(struct nvme_ctrl *ctrl) identify->nn, (identify->nn == 1) ? "" : "s"); ctrl->ns_count = identify->nn; + u8 mdts = identify->mdts; free(identify); if ((ctrl->ns_count == 0) || nvme_create_io_queues(ctrl)) { @@ -648,7 +649,7 @@ nvme_controller_enable(struct nvme_ctrl *ctrl) /* Populate namespace IDs */ int ns_idx; for (ns_idx = 0; ns_idx < ctrl->ns_count; ns_idx++) { - nvme_probe_ns(ctrl, ns_idx, identify->mdts); + nvme_probe_ns(ctrl, ns_idx, mdts); } dprintf(3, "NVMe initialization complete!\n");
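
Review bot: In the first hunk (@@ -637,6 +637,7 @@), "identify" is still in scope as a dangling pointer after free(identify), so the new local fixes this one read but leaves the same mistake easy to reintroduce further down the function. Consider adding "identify = NULL;" directly after the free, or a one-line comment at "u8 mdts = identify->mdts;" saying the value is latched because the buffer is released on the next line. The declared type of the mdts field is not visible in the patch; it is worth confirming that u8 matches it so the copy cannot truncate.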
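
Review bot: In the second hunk (@@ -648,7 +649,7 @@), the value passed as the third argument of nvme_probe_ns() is the same for every ns_idx, yet it is carried in a function-local while the other latched Identify field is kept on the controller ("ctrl->ns_count = identify->nn;"). Consider keeping it on ctrl in the same way, so nvme_probe_ns() can read it from the ctrl pointer it already receives and the lifetime question around "identify" does not come up again. This would need a new member in struct nvme_ctrl, whose definition is not shown in the patch.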