diff options
| author | 2023-11-20 13:40:51 +0900 | |
|---|---|---|
| committer | 2023-11-23 17:58:18 +0000 | |
| commit | 0c7a2625730bee41fc231d05d406f1e1f5f714aa (patch) | |
| tree | d9c3bf8238d52c9fe1b0d9e2e1f6ee5a2b598bc8 /jni/node.cpp | |
| parent | c0432a40a7ad69be5413784f37cd7859de2964b7 (diff) | |
FuseDaemon: Fix possible double free in DeleteTree
Guarantee a parent node not be released while deleting its children.
pf_forget could be called for a parent node first not its children when
evicting file system inodes by shrinker, so the parent node could exist
without its own reference but having a children node. In this case,
this node could be deleted during executing DeleteTree(child), and it
causes double free for the node.
Bug: 307897842
Test: atest fuse_node_test
Signed-off-by: Hobin Woo <hobin.woo@samsung.corp-partner.google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ce83d5ab64172cd6d18eba9ca66b9e7c05f206d2)
Merged-In: If4f94557035edba9d07d0fdaa08285d0799723b7
Change-Id: If4f94557035edba9d07d0fdaa08285d0799723b7
Diffstat (limited to 'jni/node.cpp')
| -rw-r--r-- | jni/node.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/jni/node.cpp b/jni/node.cpp index 31e497096..25f732d38 100644 --- a/jni/node.cpp +++ b/jni/node.cpp @@ -115,6 +115,14 @@ void node::DeleteTree(node* tree) { std::lock_guard<std::recursive_mutex> guard(*tree->lock_); if (tree) { + // Guarantee this node not be released while deleting its children. + // pf_forget could be called for a parent node first not its children + // when evicting file system inodes by shrinker, so the parent node + // could exist without its own reference but having a children node. + // In this case, this node could be deleted during executing + // DeleteTree(child), and it causes double free for the node. + tree->Acquire(); + // Make a copy of the list of children because calling Delete tree // will modify the list of children, which will cause issues while // iterating over them. |