virtio(4): change members of struct vring_desc_extra before free a slot

This prevents the following race condition.
1. Thread-A: calls virtio_dequeue_commit() and
             puts a slot into free descriptor chain in vq_free_slot()
2. Thread-B: calls virtio_enqueue_prep() and get the slot stored by Thread-A
3. Thread-B: calls virtio_enqueue_reserve() and
             changes desc_base and desc_free_idx for the slot
4. Thread-A: changes the same members updated by Thread-B

reported by hannken, thanks.

sys/dev/pci/virtio.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $	*/
+/*	$NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $	*/
 
 /*
  * Copyright (c) 2020 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.77 2023/04/19 00:40:30 yamaguchi Exp $");
+__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.78 2023/04/21 02:17:32 yamaguchi Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1258,12 +1258,12 @@ virtio_enqueue_abort(struct virtio_softc *sc, struct virtqueue *vq, int slot)
 {
 	struct vring_desc_extra *vdx;
 
-	vq_free_slot(sc, vq, slot);
-
 	vdx = &vq->vq_descx[slot];
 	vdx->desc_free_idx = VRING_DESC_CHAIN_END;
 	vdx->desc_base = NULL;
 
+	vq_free_slot(sc, vq, slot);
+
 	return 0;
 }
 
@@ -1308,12 +1308,12 @@ virtio_dequeue_commit(struct virtio_softc *sc, struct virtqueue *vq, int slot)
 {
 	struct vring_desc_extra *vdx;
 
-	vq_free_slot(sc, vq, slot);
-
 	vdx = &vq->vq_descx[slot];
 	vdx->desc_base = NULL;
 	vdx->desc_free_idx = VRING_DESC_CHAIN_END;
 
+	vq_free_slot(sc, vq, slot);
+
 	return 0;
 }