git: 40fb1b8bc1cf - main - isp: Fix use after free in aborts handling
Date: Mon, 09 Dec 2024 16:51:06 UTC
The branch main has been updated by mav:
URL: https://cgit.FreeBSD.org/src/commit/?id=40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d
commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d
Author: Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2024-12-09 16:47:03 +0000
Commit: Alexander Motin <mav@FreeBSD.org>
CommitDate: 2024-12-09 16:47:03 +0000
isp: Fix use after free in aborts handling
When aborting a command waiting in the restart queue, remove it from the
queue before freeing it. This should fix NULL dereference panics
we saw on some very busy system.
MFC after: 2 weeks
---
sys/dev/isp/isp_freebsd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c
index fdf4c0eb4e1f..51c1e3abb6de 100644
--- a/sys/dev/isp/isp_freebsd.c
+++ b/sys/dev/isp/isp_freebsd.c
@@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_
STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) {
this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid;
if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) {
+ STAILQ_REMOVE(&tptr->restart_queue, ntp,
+ inot_private_data, next);
isp_endcmd(isp, ntp->data, NIL_HANDLE, chan,
ECMD_TERMINATE, 0);
isp_put_ntpd(isp, chan, ntp);
- STAILQ_REMOVE(&tptr->restart_queue, ntp,
- inot_private_data, next);
}
}
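Review bot: The ordering requirement in the if body, that ntp must be unlinked from tptr->restart_queue before isp_put_ntpd() releases it, is not stated anywhere in the code, so a later cleanup could move the STAILQ_REMOVE back below the put. A one-line comment above the STAILQ_REMOVE call would guard against that, for example noting that the macro reads ntp's link field and so must run while ntp is still owned by the queue. Separately, STAILQ_REMOVE rescans the list from the head on every call, so with tag_id == TAG_ANY this loop is quadratic in queue length. If that path matters on the busy systems the commit message mentions, draining with STAILQ_REMOVE_HEAD or tracking the previous element for STAILQ_REMOVE_AFTER would avoid the rescans.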