Date: Wed, 11 Jun 2025 09:34:38 GMT From: Andrew Turner <andrew@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: d41a2ba73cbe - main - scmi: Avoid a use-after-free Message-ID: <202506110934.55B9YcAx000919@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by andrew: URL: https://cgit.FreeBSD.org/src/commit/?id=d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847 commit d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847 Author: Andrew Turner <andrew@FreeBSD.org> AuthorDate: 2025-06-09 22:30:36 +0000 Commit: Andrew Turner <andrew@FreeBSD.org> CommitDate: 2025-06-09 22:32:11 +0000 scmi: Avoid a use-after-free Use LIST_FOREACH_SAFE to avoid a use-after-free in scmi_reqs_pool_free. The next pointer will be invalid after the call to free meaning LIST_FOREACH will dereference a freed struct to move to the next item. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D50753 --- sys/dev/firmware/arm/scmi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/firmware/arm/scmi.c b/sys/dev/firmware/arm/scmi.c index b27f7211201e..6f16b58f49bf 100644 --- a/sys/dev/firmware/arm/scmi.c +++ b/sys/dev/firmware/arm/scmi.c @@ -291,9 +291,9 @@ scmi_reqs_pool_allocate(device_t dev, const int max_msg, const int max_payld_sz) static void scmi_reqs_pool_free(struct scmi_reqs_pool *rp) { - struct scmi_req *req; + struct scmi_req *req, *tmp; - LIST_FOREACH(req, &rp->head, next) { + LIST_FOREACH_SAFE(req, &rp->head, next, tmp) { mtx_destroy(&req->mtx); free(req, M_DEVBUF); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202506110934.55B9YcAx000919>