From 2da64ec9a37d684b73882574f391f9ad366b3c0d Mon Sep 17 00:00:00 2001
From: Frank Dinoff
Date: Mon, 21 Mar 2022 13:13:21 -0400
Subject: Fix fd leak with clone_fd
do_interrupt would destroy_req on the request without decrementing the channel's refcount. With clone_fd this could leak file descriptors if the worker thread holding the cloned fd was destroyed. (Only max_idle_threads are kept).
---
 lib/fuse_lowlevel.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c
index b5638fc..3a1e7d8 100644
--- a/lib/fuse_lowlevel.c
+++ b/lib/fuse_lowlevel.c
@@ -123,6 +123,7 @@ static void list_add_req(struct fuse_req *req, struct fuse_req *next)
 static void destroy_req(fuse_req_t req)
 {
+ assert(req->ch == NULL);
 pthread_mutex_destroy(&req->lock);
 free(req);
 }
@@ -1712,8 +1713,11 @@ static int find_interrupted(struct fuse_session *se, struct fuse_req *req)
 pthread_mutex_lock(&se->lock);
 curr->ctr--;
- if (!curr->ctr)
+ if (!curr->ctr) {
+ fuse_chan_put(req->ch);
+ req->ch = NULL;
 destroy_req(curr);
+ }
 return 1;
 }
@@ -1739,9 +1743,11 @@ static void do_interrupt(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)
 req->u.i.unique = arg->unique;
 pthread_mutex_lock(&se->lock);
- if (find_interrupted(se, req))
+ if (find_interrupted(se, req)) {
+ fuse_chan_put(req->ch);
+ req->ch = NULL;
 destroy_req(req);
- else
+ } else
 list_add_req(req, &se->interrupts);
 pthread_mutex_unlock(&se->lock);
 }
-- 
cgit v1.2.1
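Review bot: The `assert(req->ch == NULL);` added to destroy_req is the only place the new ownership rule is stated, and it compiles away under NDEBUG, so a release build that misses a put will leak the channel reference silently again. A comment above the function would make the contract visible to future callers, for example `/* Caller must fuse_chan_put() the channel and set req->ch = NULL before calling. */`. It would also help to say in that comment that the check is debug-only and not a runtime guard.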
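Review bot: In the find_interrupted hunk the reference is released on `req` but the object freed is `curr`: `fuse_chan_put(req->ch); req->ch = NULL; destroy_req(curr);`. The assert added to destroy_req checks `curr->ch`, which nothing in this hunk clears, so this path appears to rely on `curr->ch` already being NULL from code outside the hunk; if that is not guaranteed, debug builds abort here and NDEBUG builds free a request that still holds a channel reference. It also means do_interrupt (third hunk) calls `fuse_chan_put(req->ch)` a second time on a pointer that is already NULL, which is only safe if fuse_chan_put tolerates NULL. If the intent is to release the interrupted request's channel, the two lines would read `fuse_chan_put(curr->ch);` and `curr->ch = NULL;`; otherwise a one-line comment explaining why `req` is released at this point would prevent a later "fix" in the wrong direction. The body of find_interrupted starts and ends outside the hunk.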
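Review bot: The rewritten conditional in do_interrupt braces the `if` arm but leaves the `else` arm bare (`} else` followed by `list_add_req(req, &se->interrupts);`), which is easy to misread once a second statement is added under the else while `se->lock` is held. Bracing both arms, `} else {` and a closing `}`, keeps them consistent. The put/clear/destroy sequence is also repeated verbatim in find_interrupted, so a small static helper would keep the channel-release invariant in one place. do_interrupt begins outside the hunk.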