From 4e3fa2e67c70f8603a81eab6fc2b9486dd10cfd9 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <dwagner@suse.de>
Date: Wed, 11 Feb 2026 13:46:59 +0100
Subject: [PATCH] tree: cleanup paths when freeing namespace

When freeing a namespace object it's also necessary to update all the
paths pointing to the namespace in order to avoid UAF.

Reported-by: Maurizio Lombardi <mlombard@bsdbackstore.eu>
Signed-off-by: Daniel Wagner <dwagner@suse.de>
---
 libnvme/src/nvme/tree.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/libnvme/src/nvme/tree.c b/libnvme/src/nvme/tree.c
index 796cdd61a8..17e5bfe57f 100644
--- a/libnvme/src/nvme/tree.c
+++ b/libnvme/src/nvme/tree.c
@@ -632,11 +632,18 @@ nvme_path_t nvme_namespace_next_path(nvme_ns_t ns, nvme_path_t p)
 
 static void __nvme_free_ns(struct nvme_ns *n)
 {
+	struct nvme_path *p, *_p;
+
 	list_del_init(&n->entry);
 	nvme_ns_release_transport_handle(n);
 	free(n->generic_name);
 	free(n->name);
 	free(n->sysfs_dir);
+	nvme_namespace_for_each_path_safe(n, p, _p) {
+		list_del_init(&p->nentry);
+		p->n = NULL;
+	}
+	list_head_init(&n->head->paths);
 	free(n->head->sysfs_dir);
 	free(n->head);
 	free(n);
@@ -3001,16 +3008,8 @@ static int nvme_subsystem_scan_namespace(struct nvme_global_ctx *ctx, nvme_subsy
 		return ret;
 	}
 	nvme_subsystem_for_each_ns_safe(s, _n, __n) {
-		struct nvme_path *p, *_p;
-
 		if (strcmp(n->name, _n->name))
 			continue;
-		/* Detach paths */
-		nvme_namespace_for_each_path_safe(_n, p, _p) {
-			list_del_init(&p->nentry);
-			p->n = NULL;
-		}
-		list_head_init(&_n->head->paths);
 		__nvme_free_ns(_n);
 	}
 	n->s = s;