From dc776a2d9ca9e1b857e880ff682668871369b4c3 Mon Sep 17 00:00:00 2001
From: Jan Beulich via SeaBIOS
Date: Mon, 24 Jan 2022 10:20:53 +0100
Subject: nvme: avoid use-after-free in nvme_controller_enable()

Commit b68f313c9139 ("nvme: Record maximum allowed request size") introduced a use of "identify" past it being passed to free(). Latch the value of interest into a local variable.

Reported-by: Coverity (ID 1497613)
Signed-off-by: Jan Beulich
---
 src/hw/nvme.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/hw/nvme.c b/src/hw/nvme.c
index 3dfa0cec..b3835c04 100644
--- a/src/hw/nvme.c
+++ b/src/hw/nvme.c
@@ -637,6 +637,7 @@ nvme_controller_enable(struct nvme_ctrl *ctrl)
             identify->nn, (identify->nn == 1) ? "" : "s");
 
     ctrl->ns_count = identify->nn;
+    u8 mdts = identify->mdts;
     free(identify);
 
     if ((ctrl->ns_count == 0) || nvme_create_io_queues(ctrl)) {
@@ -648,7 +649,7 @@ nvme_controller_enable(struct nvme_ctrl *ctrl)
     /* Populate namespace IDs */
     int ns_idx;
     for (ns_idx = 0; ns_idx < ctrl->ns_count; ns_idx++) {
-        nvme_probe_ns(ctrl, ns_idx, identify->mdts);
+        nvme_probe_ns(ctrl, ns_idx, mdts);
     }
 
     dprintf(3, "NVMe initialization complete!\n");
-- 
cgit
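Review bot: The latched `u8 mdts = identify->mdts;` carries no hint of why it sits immediately before `free(identify)`, so the next edit that reorders this block or adds another field read after the free can reintroduce exactly the use-after-free this commit fixes; put the reason on the line, `u8 mdts = identify->mdts;  /* latch: identify is freed on the next line */`. Since `identify` stays in scope, dangling, for the remainder of the function (it was read again some ten lines later in the second hunk), also consider `identify = NULL;` directly after `free(identify)` so any future access is an obvious NULL dereference to a reviewer or static analyzer rather than a silent read of freed heap memory. `u8` presumably matches the width of the identify structure's mdts field and of nvme_probe_ns's parameter; that declaration is outside these hunks, so confirm no narrowing happens. nvme_controller_enable begins before the first hunk and ends after the second.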