Date: Mon, 23 Dec 2024 14:34:26 GMT
Message-Id: <202412231434.4BNEYQtQ077917@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Alexander Motin
Subject: git: 71656857b308 - stable/14 - isp: Fix use after free in aborts handling
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mav
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 71656857b308062fb1030d2ed5650a93c20f16d6
Auto-Submitted: auto-generated

The branch stable/14 has been updated by mav:

URL: https://cgit.FreeBSD.org/src/commit/?id=71656857b308062fb1030d2ed5650a93c20f16d6

commit 71656857b308062fb1030d2ed5650a93c20f16d6
Author: Alexander Motin
AuthorDate: 2024-12-09 16:47:03 +0000
Commit: Alexander Motin
CommitDate: 2024-12-23 14:34:21 +0000

    isp: Fix use after free in aborts handling

    When aborting command waiting in restart queue remove it from the queue
    before freeing it. This should fix NULL dereference panics we saw on
    some very busy system.

    MFC after: 2 weeks

    (cherry picked from commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d)

--- sys/dev/isp/isp_freebsd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c index fdf4c0eb4e1f..51c1e3abb6de 100644 --- a/sys/dev/isp/isp_freebsd.c +++ b/sys/dev/isp/isp_freebsd.c
@@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_ STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) { this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid; if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) { + STAILQ_REMOVE(&tptr->restart_queue, ntp, + inot_private_data, next); isp_endcmd(isp, ntp->data, NIL_HANDLE, chan, ECMD_TERMINATE, 0); isp_put_ntpd(isp, chan, ntp); - STAILQ_REMOVE(&tptr->restart_queue, ntp, - inot_private_data, next); } }
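
Review bot: the reordered body of the `STAILQ_FOREACH_SAFE` loop in `isp_target_mark_aborted_early()` carries no comment saying why `STAILQ_REMOVE(&tptr->restart_queue, ntp, inot_private_data, next)` has to run before `isp_put_ntpd(isp, chan, ntp)`, so a later cleanup could move it back without noticing. A one-line comment above the `STAILQ_REMOVE` stating that the entry must be unlinked while it is still owned by the queue (unlinking reads the entry's `next` link, and the commit message says the entry is freed by the calls that follow) would document the invariant. The hunk only covers this one loop; any other path that releases `restart_queue` entries is not visible here and should be checked for the same unlink-before-release order.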