This is an automated email from the ASF dual-hosted git repository.

jiuzhudong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git


The following commit(s) were added to refs/heads/master by this push:
     new c4541a4d4c6 libc/idr: Remove nodes from RB trees during destroy
c4541a4d4c6 is described below

commit c4541a4d4c6701ea4cbac7cec1c88dfa2a9ac105
Author: George Poulios <gpoul...@census-labs.com>
AuthorDate: Fri Jul 11 20:17:06 2025 +0300

    libc/idr: Remove nodes from RB trees during destroy
    
    idr_destroy() would loop over the removed and alloced
    RB tree nodes freeing them but not removing them from
    the trees. From the perspective of the RB tree those
    nodes would remain valid, while in fact, they were free
    memory, potentially reallocated for other purposes, or
    otherwise overwritten by the allocator with metadata.
    This would cause (seemingly random) memory corruption
    crashes triggered by the RB tree code trying to access
    link fields from the free'd nodes.
    
    Fix that by removing the nodes before freeing them.
    
    Signed-off-by: George Poulios <gpoul...@census-labs.com>
---
 libs/libc/misc/lib_idr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libs/libc/misc/lib_idr.c b/libs/libc/misc/lib_idr.c
index a7c95e23e8a..275176243d8 100644
--- a/libs/libc/misc/lib_idr.c
+++ b/libs/libc/misc/lib_idr.c
@@ -329,11 +329,13 @@ void idr_destroy(FAR struct idr_s *idr)
   nxmutex_lock(&idr->lock);
   RB_FOREACH_SAFE(node, idr_tree_s, &idr->removed, temp)
     {
+      RB_REMOVE(idr_tree_s, &idr->removed, node);
       lib_free(node);
     }
 
   RB_FOREACH_SAFE(node, idr_tree_s, &idr->alloced, temp)
     {
+      RB_REMOVE(idr_tree_s, &idr->alloced, node);
       lib_free(node);
     }
 
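Review bot: Both added RB_REMOVE() calls, in the removed loop and in the alloced loop, mutate the tree while it is being iterated, and nothing in the code says why that is safe or why the unlink is required. The loops only work because RB_FOREACH_SAFE has already stored the successor in temp before the body runs. A one-line comment above each call, for example "Unlink before freeing so the tree never holds a pointer to freed memory", would stop a later cleanup from dropping the call as redundant or from switching to the non-SAFE iterator. Since the two loop bodies are now identical except for the tree root, a small static helper that takes the root and drains it would keep the unlink-then-free order in one place. The commit message describes crashes that looked random, so a regression test that populates an idr, destroys it, and runs under a heap checker would be a useful companion to this change.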
