libc/idr: Remove nodes from RB trees during destroy
idr_destroy() would loop over the removed and alloced RB tree nodes freeing them but not removing them from the trees. From the perspective of the RB tree those nodes would remain valid, while in fact, they were free memory, potentially reallocated for other purposes, or otherwise overwritten by the allocator with metadata. This would cause (seemingly random) memory corruption crashes triggered by the RB tree code trying to access link fields from the free'd nodes. Fix that by removing the nodes before freeing them. Signed-off-by: George Poulios <gpoulios@census-labs.com>
This commit is contained in:
George Poulios
Donny(董九柱)
parent
95c9525c0d
commit
c4541a4d4c
1 changed files with 2 additions and 0 deletions
|
|
@ -329,11 +329,13 @@ void idr_destroy(FAR struct idr_s *idr)
|
|||
nxmutex_lock(&idr->lock);
|
||||
RB_FOREACH_SAFE(node, idr_tree_s, &idr->removed, temp)
|
||||
{
|
||||
RB_REMOVE(idr_tree_s, &idr->removed, node);
|
||||
lib_free(node);
|
||||
}
|
||||
|
||||
RB_FOREACH_SAFE(node, idr_tree_s, &idr->alloced, temp)
|
||||
{
|
||||
RB_REMOVE(idr_tree_s, &idr->alloced, node);
|
||||
lib_free(node);
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue