scmi: Avoid a use-after-free
ClosedPublic
Actions

Authored by andrew on Jun 9 2025, 3:47 PM.

Details

Reviewers

cristian.marussi_arm.com
emaste

Group Reviewers

arm64

Commits

rGd41a2ba73cbe: scmi: Avoid a use-after-free

Summary

Use LIST_FOREACH_SAFE to avoid a use-after-free in scmi_reqs_pool_free.
The next pointer will be invalid after the call to free meaning
LIST_FOREACH will dereference a freed struct to move to the next item.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 64746
Build 61630: arc lint + arc unit

Event Timeline

andrew created this revision.Jun 9 2025, 3:47 PM

Herald added a subscriber: imp. · View Herald TranscriptJun 9 2025, 3:47 PM

andrew requested review of this revision.Jun 9 2025, 3:47 PM

Harbormaster completed remote builds in B64721: Diff 156714.Jun 9 2025, 3:47 PM

LGTM with two little notes:

Commit message cut off

The next pointer will be invalid when

Also it seems we generally have unique names for the field and tvar (I spotted one existing duplicate case, in uath_txfrag_setup)

andrew edited the summary of this revision. (Show Details)Jun 10 2025, 2:13 PM

Make the temp var unique

Harbormaster completed remote builds in B64746: Diff 156787.Jun 10 2025, 2:14 PM

emaste accepted this revision as: emaste.Jun 10 2025, 4:48 PM

This revision is now accepted and ready to land.Jun 10 2025, 4:48 PM

Closed by commit rGd41a2ba73cbe: scmi: Avoid a use-after-free (authored by andrew). · Explain WhyJun 11 2025, 9:35 AM

This revision was automatically updated to reflect the committed changes.

andrew added a commit: rGd41a2ba73cbe: scmi: Avoid a use-after-free.

Revision Contents
Changeset List

Path

Size

sys/

dev/

firmware/

arm/

scmi.c

4 lines

Diff 156787

View Options

sys/dev/firmware/arm/scmi.c

scmi: Avoid a use-after-freeClosedPublicActions