From nobody Mon Dec 23 14:34:57 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YH0st0t44z5h8p6; Mon, 23 Dec 2024 14:34:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YH0st0LRBz4cWV; Mon, 23 Dec 2024 14:34:58 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1734964498; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FnIjHBS1atx5f+OLX0Qs5bh8N8p1CxIappdczzdvYQg=; b=nR8lklRjgna4VS70CJcJVsKg1ROxeJ71Im9IIw1kBzgJPuekalng0Fj/IGhi6qeOgzde/v LtgfDLbUi4iCnifG8L1iueKL4MjjbTHXpGKHUTiEL7gXUCipaqf/evFxAzP1A8Q1jGdqUt aKjAIgG12WezECoqJoFvkfoqr4wA11Nbn2YGZbg1QhYPjX+1XUtQLmiUnSN756fakPgpZc WMoPHz4q2UsYrtZ4QCMgj5SdV2voQEQt6OQecbjn6qzZWirHFp84JVLqUHsqaIixdidXEy lUvYNq/+BzLh+EUrra8EmF0GGcT16h6EFxLOAYWPWqSJZzoDcIatIHzL1FrLTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1734964498; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FnIjHBS1atx5f+OLX0Qs5bh8N8p1CxIappdczzdvYQg=; b=tnVB6wBLJJfE9xEd3r7aE3ma5GBMbncX1A8wAxBqg9kAEYpJPG58BIQ6zmAz43Hh/jIycI T9EjQtKFW8xTn8jDSJqpYvCTNZCtaopnSm2ZaYBxR/IZqXdtqxS0xD2fsDzG6x4LU3hP0J Dnr0VP4H07N9+0JooN1xcbIsDYFWCjIuzzetjKIn6SQUYz4fwfPlXVKfmw4n/ACVf94teZ PMpZ3HyKfce/2soNXuOJqiI9mKrfmY48/B8ZJGIMaWfOVxHPqqIVrXrvPwZOX3kL4Rv9Fb xmNNFW+0APl3Sl92aLySU9SPKC+4nY70zxYZ8it3j4NluW9KOUe2wi9VaiBQMg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1734964498; a=rsa-sha256; cv=none; b=S1WGZgfslpy8+e3vmZ6ZAo8edQvdwr44W4mymfeemgPZ8iWeHPEvq6x4NHz3hEoPqCR6qE TWXnfxSgCN1E+f8e3X+486mKM78ZrPiwo96QmAJq0unZ7tC4eLsGtczQHlDsdVP8imCAjI p7i/Cl2EQJKysmQT8FvgvuXjxiztvTIg3/cN0ZY8IwZ6pJ86s6d73wujOScW9inMkRq+yo pg15GNAnj0VwTaVMtFA5jzWf/+MNriBJeCwP4BlQgx/CDO0l5WnotIYW9KrCMc+doEgOGX 1MhZfraset9vYTYDQIgwM+VmpShiE8onzdaGC6JUaHbUdjRvfK9fn192SXy2vQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YH0ss6s06zxkW; Mon, 23 Dec 2024 14:34:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 4BNEYv6Z078262; Mon, 23 Dec 2024 14:34:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 4BNEYvjL078259; Mon, 23 Dec 2024 14:34:57 GMT (envelope-from git) Date: Mon, 23 Dec 2024 14:34:57 GMT Message-Id: <202412231434.4BNEYvjL078259@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Alexander Motin Subject: git: 36abbfe061df - stable/13 - isp: Fix use after free in aborts handling List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mav X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 36abbfe061dfa56723f2eb3d6942d0407dfcd3a1 Auto-Submitted: auto-generated The branch stable/13 has been updated by mav: URL: https://cgit.FreeBSD.org/src/commit/?id=36abbfe061dfa56723f2eb3d6942d0407dfcd3a1 commit 36abbfe061dfa56723f2eb3d6942d0407dfcd3a1 Author: Alexander Motin AuthorDate: 2024-12-09 16:47:03 +0000 Commit: Alexander Motin CommitDate: 2024-12-23 14:34:50 +0000 isp: Fix use after free in aborts handling When aborting command waiting in restart queue remove it from the queue before freeing it. This should fix NULL dereference panics we saw on some very busy system. MFC after: 2 weeks (cherry picked from commit 40fb1b8bc1cf452d83edc5b25bc1d8bd13c0e72d) --- sys/dev/isp/isp_freebsd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/isp/isp_freebsd.c b/sys/dev/isp/isp_freebsd.c index fdf4c0eb4e1f..51c1e3abb6de 100644 --- a/sys/dev/isp/isp_freebsd.c +++ b/sys/dev/isp/isp_freebsd.c @@ -1904,11 +1904,11 @@ isp_target_mark_aborted_early(ispsoftc_t *isp, int chan, tstate_t *tptr, uint32_ STAILQ_FOREACH_SAFE(ntp, &tptr->restart_queue, next, tmp) { this_tag_id = ((at7_entry_t *)ntp->data)->at_rxid; if ((uint64_t)tag_id == TAG_ANY || tag_id == this_tag_id) { + STAILQ_REMOVE(&tptr->restart_queue, ntp, + inot_private_data, next); isp_endcmd(isp, ntp->data, NIL_HANDLE, chan, ECMD_TERMINATE, 0); isp_put_ntpd(isp, chan, ntp); - STAILQ_REMOVE(&tptr->restart_queue, ntp, - inot_private_data, next); } }