tree: cleanup paths when freeing namespace

When freeing a namespace object it's also necessary to update all the
paths pointing to the namespace in order to avoid UAF.

Reported-by: Maurizio Lombardi <mlombard@bsdbackstore.eu>
Signed-off-by: Daniel Wagner <dwagner@suse.de>

Author: dwsuse

libnvme/src/nvme/tree.c

@@ -637,11 +637,18 @@ nvme_path_t nvme_namespace_next_path(nvme_ns_t ns, nvme_path_t p)
 
 static void __nvme_free_ns(struct nvme_ns *n)
 {
+	struct nvme_path *p, *_p;
+
 	list_del_init(&n->entry);
 	nvme_ns_release_transport_handle(n);
 	free(n->generic_name);
 	free(n->name);
 	free(n->sysfs_dir);
+	nvme_namespace_for_each_path_safe(n, p, _p) {
+		list_del_init(&p->nentry);
+		p->n = NULL;
+	}
+	list_head_init(&n->head->paths);
 	free(n->head->sysfs_dir);
 	free(n->head);
 	free(n);
@@ -2992,16 +2999,8 @@ static int nvme_subsystem_scan_namespace(struct nvme_global_ctx *ctx, nvme_subsy
 		return ret;
 	}
 	nvme_subsystem_for_each_ns_safe(s, _n, __n) {
-		struct nvme_path *p, *_p;
-
 		if (strcmp(n->name, _n->name))
 			continue;
-		/* Detach paths */
-		nvme_namespace_for_each_path_safe(_n, p, _p) {
-			list_del_init(&p->nentry);
-			p->n = NULL;
-		}
-		list_head_init(&_n->head->paths);
 		__nvme_free_ns(_n);
 	}
 	n->s = s;