git: 36abbfe061df - stable/13 - isp: Fix use after free in aborts handling

From: Alexander Motin <mav_at_FreeBSD.org>
Date: Mon, 23 Dec 2024 14:34:57 UTC
The branch stable/13 has been updated by mav:

URL: https://cgit.FreeBSD.org/src/commit/?id=36abbfe061dfa56723f2eb3d6942d0407dfcd3a1

commit 36abbfe061dfa56723f2eb3d6942d0407dfcd3a1
Author:     Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2024-12-09 16:47:03 +0000
Commit:     Alexander Motin <mav@FreeBSD.org>
CommitDate: 2024-12-23 14:34:50 +0000

    isp: Fix use after free in aborts handling
    
    When aborting a command waiting in the restart queue, remove it from the
    queue before freeing it.  This should fix the NULL dereference panics
    we saw on some very busy systems.
    
    MFC after:      2 weeks
    
    (cherry picked from commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d)
---
 sys/dev/isp/isp_freebsd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c
index fdf4c0eb4e1f..51c1e3abb6de 100644
--- a/sys/dev/isp/isp_freebsd.c
+++ b/sys/dev/isp/isp_freebsd.c
@@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_
 	STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) {
 		this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid;
 		if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) {
+			STAILQ_REMOVE(&tptr->restart_queue, ntp,
+			    inot_private_data, next);
 			isp_endcmd(isp, ntp->data, NIL_HANDLE, chan,
 			    ECMD_TERMINATE, 0);
 			isp_put_ntpd(isp, chan, ntp);
-			STAILQ_REMOVE(&tptr->restart_queue, ntp,
-			    inot_private_data, next);
 		}
 	}