nvmet-fc: correct use after free on list teardown
authorJames Smart <jsmart2021@gmail.com>
Mon, 14 Aug 2017 18:20:32 +0000 (11:20 -0700)
committerChristoph Hellwig <hch@lst.de>
Wed, 16 Aug 2017 08:06:18 +0000 (10:06 +0200)
Use list_for_each_entry_safe so that the list walk does not follow the
next pointer of an entry after that entry has been list_del'ed.

Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
drivers/nvme/target/fc.c

index 1b7f2520a20db7e151afe4a85a0e488fe0c85005..b200f9aadd52011d60403b88248019e88b8f6b74 100644 (file)
@@ -704,7 +704,7 @@ nvmet_fc_delete_target_queue(struct nvmet_fc_tgt_queue *queue)
 {
        struct nvmet_fc_tgtport *tgtport = queue->assoc->tgtport;
        struct nvmet_fc_fcp_iod *fod = queue->fod;
-       struct nvmet_fc_defer_fcp_req *deferfcp;
+       struct nvmet_fc_defer_fcp_req *deferfcp, *tempptr;
        unsigned long flags;
        int i, writedataactive;
        bool disconnect;
@@ -735,7 +735,8 @@ nvmet_fc_delete_target_queue(struct nvmet_fc_tgt_queue *queue)
        }
 
        /* Cleanup defer'ed IOs in queue */
-       list_for_each_entry(deferfcp, &queue->avail_defer_list, req_list) {
+       list_for_each_entry_safe(deferfcp, tempptr, &queue->avail_defer_list,
+                               req_list) {
                list_del(&deferfcp->req_list);
                kfree(deferfcp);
        }
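Review bot: list_for_each_entry_safe in the deferred-IO cleanup loop only covers removal of the current entry by the loop body itself; it does not protect the walk if another context can add to or remove from `queue->avail_defer_list` at the same time. Whether the queue's lock is held across this loop is not visible in the hunk (the function declares `flags`, so presumably an irqsave-locked section exists outside it), so that should be confirmed before relying on this fix alone. I would also record the reason for the `_safe` variant in the comment, e.g. `/* Cleanup defer'ed IOs in queue; _safe walk because each entry is freed here */`, and consider the more conventional name `tmp` or `next` in place of `tempptr`. The body of nvmet_fc_delete_target_queue starts and ends outside the hunk.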