RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-10 12:07:35 +00:00
Code Issues Activity Actions

Kernel: Synchronize removals from TmpFS inode map

Browse source 
Previously we were uncaching inodes from TmpFSInode::one_ref_left().
This was not safe, since one_ref_left() was effectively being called
on a raw pointer after decrementing the local ref count and observing
it become 1. There was a race here where someone else could trigger
the destructor by unreffing to 0 before one_ref_left() got called,
causing us to call one_ref_left() on a deleted inode.

We fix this by using the new remove_from_secondary_lists() mechanism
in ListedRefCounted and synchronizing all access to the TmpFS inode
map with the main Inode::all_instances() lock.

There's probably a nicer way to solve this.
This commit is contained in:
Andreas Kling 2022-01-11 00:51:05 +01:00
parent 3550f12543
commit 08e927f084
3 changed files with 18 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Kernel/FileSystem/Inode.h
View file

@ -31,7 +31,7 @@ class Inode : public ListedRefCounted<Inode, LockType::Spinlock>
public:
virtual ~Inode();
virtual void one_ref_left() { }
virtual void remove_from_secondary_lists() { }
FileSystem& fs() { return m_file_system; }
FileSystem const& fs() const { return m_file_system; }