Date: Mon, 9 Dec 2024 16:51:06 GMT
Message-Id: <202412091651.4B9Gp6gl085440@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alexander Motin Subject: git: 40fb1b8bc1cf - main - isp: Fix use after free in aborts handling List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mav X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d Auto-Submitted: auto-generated The branch main has been updated by mav: URL: https://cgit.FreeBSD.org/src/commit/?id=40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d Author: Alexander Motin AuthorDate: 2024-12-09 16:47:03 +0000 Commit: Alexander Motin CommitDate: 2024-12-09 16:47:03 +0000 isp: Fix use after free in aborts handling When aborting command waiting in restart queue remove it from the queue before freeing it. This should fix NULL dereference panics we saw on some very busy system. MFC after: 2 weeks --- sys/dev/isp/isp_freebsd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c index fdf4c0eb4e1f..51c1e3abb6de 100644 --- a/sys/dev/isp/isp_freebsd.c +++ b/sys/dev/isp/isp_freebsd.c @@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_ STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) { this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid; if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) { + STAILQ_REMOVE(&tptr->restart_queue, ntp, + inot_private_data, next); isp_endcmd(isp, ntp->data, NIL_HANDLE, chan, ECMD_TERMINATE, 0); isp_put_ntpd(isp, chan, ntp); - STAILQ_REMOVE(&tptr->restart_queue, ntp, - inot_private_data, next); } }
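Review bot: The new ordering in isp_target_mark_aborted_early() is only correct as long as the STAILQ_REMOVE(&tptr->restart_queue, ntp, inot_private_data, next) call stays ahead of isp_put_ntpd(isp, chan, ntp), and nothing in the hunk records that constraint. A one-line comment above the STAILQ_REMOVE saying that ntp must be unlinked from restart_queue before it is released would keep a later cleanup from restoring the old order, in which the removal ran on an element that isp_put_ntpd() had already been given back. Two smaller points on the same loop: STAILQ is singly linked, so STAILQ_REMOVE of an arbitrary element searches from the head of restart_queue, which makes a TAG_ANY abort of a long queue quadratic; if that path is hot on the busy systems mentioned in the commit message, draining from the head for the TAG_ANY case would avoid it. It is also worth confirming that any other site that passes a restart_queue entry to isp_put_ntpd() unlinks it first, since the hunk only covers this one loop.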