From 60b276cf4ce4ab244670dfac1301704b28498805 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Mon, 15 Mar 2021 14:27:18 -0400
Subject: [PATCH] Fix use-after-free in verto_free()
Instead of freeing all events, verto_free() would spin trying to free the same one. Discovered by scan-build.
Signed-off-by: Robbie Harwood
Signed-off-by: hanxinke
---
 src/verto.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/verto.c b/src/verto.c
index 71eaffa..c06c92b 100644
--- a/src/verto.c
+++ b/src/verto.c
@@ -583,6 +583,8 @@ verto_set_allocator(void *(*resize)(void *mem, size_t size),
 void
 verto_free(verto_ctx *ctx)
 {
+ verto_ev *cur, *next;
+
 if (!ctx)
 return;
@@ -591,8 +593,12 @@ verto_free(verto_ctx *ctx)
 return;
 /* Cancel all pending events */
- while (ctx->events)
- verto_del(ctx->events);
+ next = NULL;
+ for (cur = ctx->events; cur != NULL; cur = next) {
+ next = cur->next;
+ verto_del(cur);
+ }
+ ctx->events = NULL;
 /* Free the private */
 if (!ctx->deflt || !ctx->module->funcs->ctx_default)
--
1.8.3.1
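Review bot: In the second hunk (`@@ -591,8 +593,12 @@`), the new loop saves `cur->next` before calling `verto_del(cur)`, which is safe only if `verto_del()` never frees or unlinks any event other than the one it is given; if it can do so indirectly (for example through a per-event callback, which is not visible here), the saved `next` would dangle and the use-after-free would come back in another form. `verto_del()` is outside the hunk, so that invariant should be written at the loop, e.g. `/* verto_del() frees cur; it must not free or unlink any other event */`. The unconditional `ctx->events = NULL;` would also hide any event that `verto_del()` declined to free, which may leave it leaked and still pointing at a context that is about to be released, so it is worth confirming that `verto_del()` always completes when called from here. The `next = NULL;` before the `for` is redundant, since `next` is assigned at the top of every iteration before it is read. `verto_free()` begins in the previous hunk and continues past the end of this one.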