author | Frank Dinoff <fdinoff@google.com> | 2022-03-21 13:13:21 -0400 |
---|---|---|
committer | Frank Dinoff <fdinoff@google.com> | 2022-03-21 15:02:26 -0400 |
commit | 2da64ec9a37d684b73882574f391f9ad366b3c0d (patch) | |
tree | b9e97eab354f50a7364d12e8d61fc1ae55b15ca7 | |
parent | 2b7a6f065b6e30723d6cc8668cff198dbb62b914 (diff) | |
download | fuse-2da64ec9a37d684b73882574f391f9ad366b3c0d.tar.gz |
Fix fd leak with clone_fd
do_interrupt would destroy_req on the request without decrementing the
channel's refcount. With clone_fd this could leak file descriptors if
the worker thread holding the cloned fd was destroyed. (Only
max_idle_threads are kept).
-rw-r--r-- | lib/fuse_lowlevel.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c
index b5638fc..3a1e7d8 100644
--- a/lib/fuse_lowlevel.c
+++ b/lib/fuse_lowlevel.c
@@ -123,6 +123,7 @@ static void list_add_req(struct fuse_req *req, struct fuse_req *next)
 static void destroy_req(fuse_req_t req)
 {
+ assert(req->ch == NULL);
 pthread_mutex_destroy(&req->lock);
 free(req);
 }
@@ -1712,8 +1713,11 @@ static int find_interrupted(struct fuse_session *se, struct fuse_req *req)
 pthread_mutex_lock(&se->lock);
 curr->ctr--;
- if (!curr->ctr)
+ if (!curr->ctr) {
+ fuse_chan_put(req->ch);
+ req->ch = NULL;
 destroy_req(curr);
+ }
 return 1;
 }
@@ -1739,9 +1743,11 @@ static void do_interrupt(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)
 req->u.i.unique = arg->unique;
 pthread_mutex_lock(&se->lock);
- if (find_interrupted(se, req))
+ if (find_interrupted(se, req)) {
+ fuse_chan_put(req->ch);
+ req->ch = NULL;
 destroy_req(req);
- else
+ } else
 list_add_req(req, &se->interrupts);
 pthread_mutex_unlock(&se->lock);
 }
|
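Review bot: The ownership rule that destroy_req now depends on is stated only by `assert(req->ch == NULL);`, which is compiled out when the library is built with NDEBUG. In such a build, a caller that forgets to release the channel would leak the reference (and, with clone_fd, the descriptor) silently again. A comment above the function would make the contract visible in every build, for example `/* Caller must fuse_chan_put(req->ch) and set req->ch = NULL first; a request being destroyed no longer owns a channel reference. */`. If the invariant matters in production, a logged warning on a non-NULL `req->ch` is worth considering so a regression is detectable in release builds.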
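Review bot: In the find_interrupted hunk the added lines release and clear `req->ch`, but the object destroyed right after is `curr`, and the new assert in destroy_req checks `curr->ch`, not `req->ch`. If `curr` is expected to have dropped its channel before its counter reaches zero (that code is outside the hunk), these two lines do nothing for `curr` and only pre-empt the identical release that do_interrupt performs on `req` in the third hunk. That later `fuse_chan_put(req->ch)` would then receive NULL, which relies on behaviour not visible here. If `curr` can still hold a channel at this point, the assert would abort the daemon and the lines should read `fuse_chan_put(curr->ch); curr->ch = NULL;`. Either way, a short comment naming which request owns which reference would help; the function body starts outside the hunk.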
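Review bot: In do_interrupt the first branch is now braced, but `} else` leaves `list_add_req(req, &se->interrupts);` unbraced. A statement added to the else path later could silently land outside the conditional while still inside the `se->lock` critical section. Writing it as `} else {` with a closing `}` after the `list_add_req` call keeps both branches symmetric. A one-line comment on the put, such as `/* drop this request's channel ref before freeing it; with clone_fd the ref keeps the cloned fd open */`, would record why the release sits here. The function starts outside the hunk.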