misc: life_mngr: fix use-after-free in uart channel

LIST_FOREACH() doesn't allow var to be removed or freed within the
loop, but c_dev is freed inside the loop here. gcc 12 also reports
error on it. This patch uses list_foreach_safe() macro instead for
freeing var within the loop safely.

Tracked-On: #8382
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Reviewed-by: Junjie Mao <junjie.mao@intel.com>

misc/services/life_mngr/list.h

@@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2023 Intel Corporation.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <sys/queue.h>
+
+#define list_foreach_safe(var, head, field, tvar)	\
+for ((var) = LIST_FIRST((head));			\
+	(var) && ((tvar) = LIST_NEXT((var), field), 1); \
+	(var) = (tvar))

misc/services/life_mngr/socket.c

@@ -18,12 +18,7 @@
 #include <arpa/inet.h>
 #include "socket.h"
 #include "log.h"
-
-
-#define list_foreach_safe(var, head, field, tvar)	\
-for ((var) = LIST_FIRST((head));			\
-	(var) && ((tvar) = LIST_NEXT((var), field), 1);\
-	(var) = (tvar))
+#include "list.h"
 
 
 static int setup_and_listen_unix_socket(const char *sock_path, int num)

misc/services/life_mngr/uart_channel.c

@@ -18,6 +18,7 @@
 #include <stdint.h>
 #include "uart_channel.h"
 #include "log.h"
+#include "list.h"
 #include "config.h"
 #include "command.h"
 
@@ -308,9 +309,9 @@ struct channel_dev *create_uart_channel_dev(struct uart_channel *c, char *path,
 }
 static void destroy_uart_channel_devs(struct uart_channel *c)
 {
-	struct channel_dev *c_dev;
+	struct channel_dev *c_dev, *tc_dev;
 
-	LIST_FOREACH(c_dev, &c->tty_open_head, open_list) {
+	list_foreach_safe(c_dev, &c->tty_open_head, open_list, tc_dev) {
 		pthread_mutex_lock(&c->tty_conn_list_lock);
 		LIST_REMOVE(c_dev, open_list);
 		pthread_mutex_unlock(&c->tty_conn_list_lock);