git: d5eae57088f5 - main - sysctl: Make sysctl_ctx_free() a bit safer

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Thu, 02 May 2024 20:01:00 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d5eae57088f5eec5df49fea8e8623521f596db68

commit d5eae57088f5eec5df49fea8e8623521f596db68
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-05-01 11:57:56 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-05-02 19:42:28 +0000

    sysctl: Make sysctl_ctx_free() a bit safer
    
    Clear the list before returning so that sysctl_ctx_free() can be called
    more than once on the same list without side effects.  This simplifies
    error handling in drivers; previously, drivers would have to be careful
    to call sysctl_ctx_free() at most once to avoid a use-after-free.
    
    While here, use TAILQ_FOREACH_SAFE in the loop which unregisters OIDs.
    
    Reviewed by:    thj, emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D45041
---
 sys/kern/kern_sysctl.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index f714f78cf4da..e139d9c39181 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -651,17 +651,15 @@ sysctl_ctx_free(struct sysctl_ctx_list *clist)
 		return(EBUSY);
 	}
 	/* Now really delete the entries */
-	e = TAILQ_FIRST(clist);
-	while (e != NULL) {
-		e1 = TAILQ_NEXT(e, link);
+	TAILQ_FOREACH_SAFE(e, clist, link, e1) {
 		error = sysctl_remove_oid_locked(e->entry, 1, 0);
 		if (error)
 			panic("sysctl_remove_oid: corrupt tree, entry: %s",
 			    e->entry->oid_name);
 		free(e, M_SYSCTLOID);
-		e = e1;
 	}
 	SYSCTL_WUNLOCK();
+	TAILQ_INIT(clist);
 	return (error);
 }