The branch main has been updated by andrew:
URL:
https://cgit.FreeBSD.org/src/commit/?id=d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847
commit d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847
Author: Andrew Turner <and...@freebsd.org>
AuthorDate: 2025-06-09 22:30:36 +0000
Commit: Andrew Turner <and...@freebsd.org>
CommitDate: 2025-06-09 22:32:11 +0000
scmi: Avoid a use-after-free
Use LIST_FOREACH_SAFE to avoid a use-after-free in scmi_reqs_pool_free.
The next pointer will be invalid after the call to free meaning
LIST_FOREACH will dereference a freed struct to move to the next item.
Reviewed by: emaste
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D50753
---
sys/dev/firmware/arm/scmi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/dev/firmware/arm/scmi.c b/sys/dev/firmware/arm/scmi.c
index b27f7211201e..6f16b58f49bf 100644
--- a/sys/dev/firmware/arm/scmi.c
+++ b/sys/dev/firmware/arm/scmi.c
@@ -291,9 +291,9 @@ scmi_reqs_pool_allocate(device_t dev, const int max_msg,
const int max_payld_sz)
static void
scmi_reqs_pool_free(struct scmi_reqs_pool *rp)
{
- struct scmi_req *req;
+ struct scmi_req *req, *tmp;
- LIST_FOREACH(req, &rp->head, next) {
+ LIST_FOREACH_SAFE(req, &rp->head, next, tmp) {
mtx_destroy(&req->mtx);
free(req, M_DEVBUF);
}
