Date: Mon, 23 Dec 2024 14:34:26 GMT
From: Alexander Motin <mav@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 71656857b308 - stable/14 - isp: Fix use after free in aborts handling
Message-ID: <202412231434.4BNEYQtQ077917@gitrepo.freebsd.org>
The branch stable/14 has been updated by mav: URL: https://cgit.FreeBSD.org/src/commit/?id=71656857b308062fb1030d2ed5650a93c20f16d6 commit 71656857b308062fb1030d2ed5650a93c20f16d6 Author: Alexander Motin <mav@FreeBSD.org> AuthorDate: 2024-12-09 16:47:03 +0000 Commit: Alexander Motin <mav@FreeBSD.org> CommitDate: 2024-12-23 14:34:21 +0000 isp: Fix use after free in aborts handling When aborting command waiting in restart queue remove it from the queue before freeing it. This should fix NULL dereference panics we saw on some very busy system. MFC after: 2 weeks (cherry picked from commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d) --- sys/dev/isp/isp_freebsd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c index fdf4c0eb4e1f..51c1e3abb6de 100644 --- a/sys/dev/isp/isp_freebsd.c +++ b/sys/dev/isp/isp_freebsd.c @@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_ STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) { this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid; if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) { + STAILQ_REMOVE(&tptr->restart_queue, ntp, + inot_private_data, next); isp_endcmd(isp, ntp->data, NIL_HANDLE, chan, ECMD_TERMINATE, 0); isp_put_ntpd(isp, chan, ntp); - STAILQ_REMOVE(&tptr->restart_queue, ntp, - inot_private_data, next); } }
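Review bot: The relocated STAILQ_REMOVE() at the top of the if-body in isp_target_mark_aborted_early() carries no comment explaining why it has to come before isp_put_ntpd(), even though that ordering is the whole fix. A one-line comment such as /* Unlink ntp before isp_put_ntpd() releases it. */ would keep a later cleanup from moving the removal back below the free. The loop already uses STAILQ_FOREACH_SAFE with tmp, so unlinking ntp inside the body is safe for the iteration itself. Since the commit message says this "should fix" the panics, it is also worth checking whether any other path that drains tptr->restart_queue calls isp_put_ntpd() on an entry that is still linked.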