git: d41a2ba73cbe - main - scmi: Avoid a use-after-free

The branch main has been updated by andrew:

URL: https://cgit.FreeBSD.org/src/commit/?id=d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847

commit d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847
Author:     Andrew Turner <andrew@FreeBSD.org>
AuthorDate: 2025-06-09 22:30:36 +0000
Commit:     Andrew Turner <andrew@FreeBSD.org>
CommitDate: 2025-06-09 22:32:11 +0000

    scmi: Avoid a use-after-free
    
    Use LIST_FOREACH_SAFE to avoid a use-after-free in scmi_reqs_pool_free.
    The next pointer will be invalid after the call to free meaning
    LIST_FOREACH will dereference a freed struct to move to the next item.
    
    Reviewed by:    emaste
    Sponsored by:   Arm Ltd
    Differential Revision:  https://reviews.freebsd.org/D50753
---
 sys/dev/firmware/arm/scmi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/dev/firmware/arm/scmi.c b/sys/dev/firmware/arm/scmi.c
index b27f7211201e..6f16b58f49bf 100644
--- a/sys/dev/firmware/arm/scmi.c
+++ b/sys/dev/firmware/arm/scmi.c
@@ -291,9 +291,9 @@ scmi_reqs_pool_allocate(device_t dev, const int max_msg, const int max_payld_sz)
 static void
 scmi_reqs_pool_free(struct scmi_reqs_pool *rp)
 {
-	struct scmi_req *req;
+	struct scmi_req *req, *tmp;
 
-	LIST_FOREACH(req, &rp->head, next) {
+	LIST_FOREACH_SAFE(req, &rp->head, next, tmp) {
 		mtx_destroy(&req->mtx);
 		free(req, M_DEVBUF);
 	}