From a28294b0b42d63de2bba1ac39b4ae7d5196719f6 Mon Sep 17 00:00:00 2001
From: Ben Walker <benjamin.walker@intel.com>
Date: Mon, 9 Apr 2018 09:49:26 -0700
Subject: [PATCH] bdev/nvme: Fix use after free in apply firmware RPC

Change-Id: I7ffe73e803ef416ce698df2d8403e32fa94ebccd
Signed-off-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-on: https://review.gerrithub.io/406988
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
---
 lib/bdev/nvme/bdev_nvme_rpc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/bdev/nvme/bdev_nvme_rpc.c b/lib/bdev/nvme/bdev_nvme_rpc.c
index c3cf1419c..e95e41683 100644
--- a/lib/bdev/nvme/bdev_nvme_rpc.c
+++ b/lib/bdev/nvme/bdev_nvme_rpc.c
@@ -193,7 +193,7 @@ struct firmware_update_info {
 static void
 apply_firmware_cleanup(void *cb_arg)
 {
-	struct open_descriptors			*opt;
+	struct open_descriptors			*opt, *tmp;
 	struct firmware_update_info *firm_ctx = cb_arg;
 
 	if (!firm_ctx) {
@@ -208,7 +208,8 @@ apply_firmware_cleanup(void *cb_arg)
 		free_rpc_apply_firmware(firm_ctx->req);
 		free(firm_ctx->req);
 	}
-	TAILQ_FOREACH(opt, &firm_ctx->desc_head, tqlst) {
+	TAILQ_FOREACH_SAFE(opt, &firm_ctx->desc_head, tqlst, tmp) {
+		TAILQ_REMOVE(&firm_ctx->desc_head, opt, tqlst);
 		spdk_bdev_close(opt->desc);
 		free(opt);
 	}