From d41a2ba73cbe4ed9f3d3de5c4755fb5db6b80847 Mon Sep 17 00:00:00 2001
From: Andrew Turner <andrew@FreeBSD.org>
Date: Mon, 9 Jun 2025 23:30:36 +0100
Subject: [PATCH] scmi: Avoid a use-after-free

Use LIST_FOREACH_SAFE to avoid a use-after-free in scmi_reqs_pool_free.
The next pointer will be invalid after the call to free meaning
LIST_FOREACH will dereference a freed struct to move to the next item.

Reviewed by:	emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D50753
---
 sys/dev/firmware/arm/scmi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/dev/firmware/arm/scmi.c b/sys/dev/firmware/arm/scmi.c
index b27f7211201..6f16b58f49b 100644
--- a/sys/dev/firmware/arm/scmi.c
+++ b/sys/dev/firmware/arm/scmi.c
@@ -291,9 +291,9 @@ scmi_reqs_pool_allocate(device_t dev, const int max_msg, const int max_payld_sz)
 static void
 scmi_reqs_pool_free(struct scmi_reqs_pool *rp)
 {
-	struct scmi_req *req;
+	struct scmi_req *req, *tmp;
 
-	LIST_FOREACH(req, &rp->head, next) {
+	LIST_FOREACH_SAFE(req, &rp->head, next, tmp) {
 		mtx_destroy(&req->mtx);
 		free(req, M_DEVBUF);
 	}