dmaengine: sun4i: fix unsafe list iteration

Currently, sun4i_dma_free_contract iterates over lists and frees memory
as it goes through them, causing reads to recently freed memory to
be performed. Fix this by using the safe version of the iterator, so
freed memory is not referenced at all.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Emilio López <emilio@elopez.com.ar>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>

drivers/dma/sun4i-dma.c

@@ -599,13 +599,13 @@ get_next_cyclic_promise(struct sun4i_dma_contract *contract)
 static void sun4i_dma_free_contract(struct virt_dma_desc *vd)
 {
 	struct sun4i_dma_contract *contract = to_sun4i_dma_contract(vd);
-	struct sun4i_dma_promise *promise;
+	struct sun4i_dma_promise *promise, *tmp;
 
 	/* Free all the demands and completed demands */
-	list_for_each_entry(promise, &contract->demands, list)
+	list_for_each_entry_safe(promise, tmp, &contract->demands, list)
 		kfree(promise);
 
-	list_for_each_entry(promise, &contract->completed_demands, list)
+	list_for_each_entry_safe(promise, tmp, &contract->completed_demands, list)
 		kfree(promise);
 
 	kfree(contract);