We hit the following situation: - we have a component with a list of callbacks. - those callbacks are themselves allowed to call back in and remove entries from the list - LIST_FOREACH_SAFE() is used to safely protect against removal of the current item - however, a callback is also legitimately allowed to remove any other item on the list This falls down when a callback removes the *next* item on the list - the macro has already saved this in "tvar", so it will then try to use freed memory on the next iteration. We have fixed this with LIST_FOREACH_SAFER() / LIST_REMOVE_SAFER() variants: #define LIST_FOREACH_SAFER(var, head, field, tvarp) \ for ((var) = LIST_FIRST((head)); \ (var) && ((*tvarp) = LIST_NEXT((var), field), 1); \ (var) = (*tvarp)) #define LIST_REMOVE_SAFER(elm, field, elmp) do { \ if (elmp == elm) { \ elmp = LIST_NEXT(elm, field); \ }; \ LIST_REMOVE(elm, field); \ } while (0) Would like thoughts on whether this would be something more widely useful before I prepare a PR and so on, thanks.
In such situation, where you have a possibility of uncontrolled removal of the list elements, usual approach is to put a marker element on the list. The marker should be not subject for removal by any regular operations. See e.g. MNT_VNODE_FOREACH* and vm_pageout.c (search for marker).