Fix race between critnib_release() and free_leaf() in critnib

Fix race between critnib_release() and free_leaf() in critnib:
critnib_release() decremented ref_count to 0
and (before it called c->cb_free_leaf(k->to_be_freed))
free_leaf() added this leaf to the c->deleted_leaf list
and alloc_leaf() reused it and zeroed k->to_be_freed
before it could be freed in critnib_release().
This patch fixes this issue.

Signed-off-by: Lukasz Dorau <[email protected]>

Author: ldorau

src/critnib/critnib.c

@@ -392,8 +392,8 @@ int critnib_insert(struct critnib *c, word key, void *value, int update) {
     utils_atomic_store_release_u8(&k->pending_deleted_leaf, 0);
 
     if (c->cb_free_leaf) {
-        // mark the leaf as valid (ref_count == 1)
-        utils_atomic_store_release_u64(&k->ref_count, 1ULL);
+        // mark the leaf as valid (ref_count == 2)
+        utils_atomic_store_release_u64(&k->ref_count, 2ULL);
     } else {
         // the reference counter is not used in this case
         utils_atomic_store_release_u64(&k->ref_count, 0ULL);
@@ -609,13 +609,17 @@ int critnib_release(struct critnib *c, void *ref) {
     }
 
     /* decrement the reference count */
-    if (utils_atomic_decrement_u64(&k->ref_count) == 0) {
+    if (utils_atomic_decrement_u64(&k->ref_count) == 1) {
         void *to_be_freed = NULL;
         utils_atomic_load_acquire_ptr(&k->to_be_freed, &to_be_freed);
         if (to_be_freed) {
             utils_atomic_store_release_ptr(&k->to_be_freed, NULL);
             c->cb_free_leaf(c->leaf_allocator, to_be_freed);
         }
+
+        // mark the leaf as not used (ref_count == 0)
+        utils_atomic_store_release_u64(&k->ref_count, 0ULL);
+
         uint8_t pending_deleted_leaf;
         utils_atomic_load_acquire_u8(&k->pending_deleted_leaf,
                                      &pending_deleted_leaf);