diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2020-08-23 05:07:30 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2020-08-23 05:07:30 +0200 |
| commit | 603d9812a7f4a662e2a8ede68df9eb7f79d8dd67 (patch) | |
| tree | ac239fa6d4a646d4245971d849941aec06ff1cf1 | |
| parent | 951a71012f898933eb3daefd20de630bd4320337 (diff) | |
kernel: fix Abind cyclic reference and mounthead leaks (thanks Alex Musolino)
The Abind case in namec() needs to cunique() the chan
before attaching the umh mount head pointer onto it.
This is because we cannot give a reference to the mount
head to any of the mh->mount...->to channels, as they
will never go away until the mount head goes away.
This is a cyclic reference.
This could be reproduced with:
@{rfork n; mount -a '#s/boot' /mnt/root; bind /mnt/root /}
Also, fix memory leaks around cunique(), which can
error, leaking the mount head we got from domount().
Move the umh != nil check inside cunique().
| -rw-r--r-- | sys/src/9/port/chan.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/sys/src/9/port/chan.c b/sys/src/9/port/chan.c index 8945c892e..58a47cc83 100644 --- a/sys/src/9/port/chan.c +++ b/sys/src/9/port/chan.c @@ -556,6 +556,12 @@ cunique(Chan *c) c = nc; } + if(c->umh != nil){ //BUG + print("cunique umh != nil from %#p\n", getcallerpc(&c)); + putmhead(c->umh); + c->umh = nil; + } + return c; } @@ -1094,11 +1100,6 @@ walk(Chan **cp, char **names, int nnames, int nomount, int *nerror) } putmhead(mh); c = cunique(c); - if(c->umh != nil){ //BUG - print("walk umh\n"); - putmhead(c->umh); - c->umh = nil; - } pathclose(c->path); c->path = path; @@ -1410,8 +1411,13 @@ namec(char *aname, int amode, int omode, ulong perm) m = nil; if(!nomount) domount(&c, &m, nil); - putmhead(c->umh); + if(waserror()){ + putmhead(m); + nexterror(); + } + c = cunique(c); c->umh = m; + poperror(); break; case Aaccess: @@ -1428,9 +1434,13 @@ namec(char *aname, int amode, int omode, ulong perm) m = nil; if(!nomount) domount(&c, &m, &path); - + if(waserror()){ + putmhead(m); + nexterror(); + } /* our own copy to open or remove */ c = cunique(c); + poperror(); /* now it's our copy anyway, we can put the name back */ pathclose(c->path); @@ -1448,11 +1458,6 @@ namec(char *aname, int amode, int omode, ulong perm) case Aopen: case Acreate: - if(c->umh != nil){ - print("cunique umh Open\n"); - putmhead(c->umh); - c->umh = nil; - } /* only save the mount head if it's a multiple element union */ if(m != nil && m->mount != nil && m->mount->next != nil) c->umh = m; |