[master] fc18d8a52 vai: Never access the object list unprotected for a busy object

[Nils Goroll]

commit fc18d8a52f19b089d4432f1d81a14f7bab9162d5
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Tue Aug 5 14:51:28 2025 +0200

    vai: Never access the object list unprotected for a busy object
    
    For a busy object, we must never access the object list outside the boc mutex,
    otherwise we can see basically arbitrary pointer values (like a retired segment
    from sml_trimstore or just a random pointer).
    
    Fixes #4371

diff --git a/bin/varnishd/storage/storage_simple.c b/bin/varnishd/storage/storage_simple.c
index 05f224cdf..054b02881 100644
--- a/bin/varnishd/storage/storage_simple.c
+++ b/bin/varnishd/storage/storage_simple.c
@@ -666,8 +666,6 @@ sml_ai_init(struct worker *wrk, struct objcore *oc, struct ws *ws,
 	hdl->stv = oc->stobj->stevedore;
 	CHECK_OBJ_NOTNULL(hdl->stv, STEVEDORE_MAGIC);
 
-	hdl->st = VTAILQ_LAST(&hdl->obj->list, storagehead);
-	CHECK_OBJ_ORNULL(hdl->st, STORAGE_MAGIC);
 
 	hdl->qe.magic = VAI_Q_MAGIC;
 	hdl->qe.cb = notify;
@@ -675,8 +673,11 @@ sml_ai_init(struct worker *wrk, struct objcore *oc, struct ws *ws,
 	hdl->qe.priv = notify_priv;
 
 	hdl->boc = HSH_RefBoc(oc);
-	if (hdl->boc == NULL)
+	if (hdl->boc == NULL) {
+		hdl->st = VTAILQ_LAST(&hdl->obj->list, storagehead);
+		CHECK_OBJ_ORNULL(hdl->st, STORAGE_MAGIC);
 		return (hdl);
+	}
 	/* we only initialize notifications if we have a boc, so
 	 * any wrong attempt triggers magic checks.
 	 */