libc/idr: Remove nodes from RB trees during destroy

gpoulios · Donny9 · commit c4541a4d4c67 · 2025-07-12T14:24:32.000+08:00
idr_destroy() would loop over the removed and alloced
RB tree nodes freeing them but not removing them from
the trees. From the perspective of the RB tree those
nodes would remain valid, while in fact, they were free
memory, potentially reallocated for other purposes, or
otherwise overwritten by the allocator with metadata.
This would cause (seemingly random) memory corruption
crashes triggered by the RB tree code trying to access
link fields from the free'd nodes.

Fix that by removing the nodes before freeing them.

Signed-off-by: George Poulios &lt;gpoulios@census-labs.com&gt;
diff --git a/libs/libc/misc/lib_idr.c b/libs/libc/misc/lib_idr.c
@@ -329,11 +329,13 @@ void idr_destroy(FAR struct idr_s *idr)
   nxmutex_lock(&idr->lock);
   RB_FOREACH_SAFE(node, idr_tree_s, &idr->removed, temp)
     {
+      RB_REMOVE(idr_tree_s, &idr->removed, node);
       lib_free(node);
     }
 
   RB_FOREACH_SAFE(node, idr_tree_s, &idr->alloced, temp)
     {
+      RB_REMOVE(idr_tree_s, &idr->alloced, node);
       lib_free(node);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -329,11 +329,13 @@ void idr_destroy(FAR struct idr_s *idr)`
`329`	`329`	`nxmutex_lock(&idr->lock);`
`330`	`330`	`RB_FOREACH_SAFE(node, idr_tree_s, &idr->removed, temp)`
`331`	`331`	`{`
	`332`	`+ RB_REMOVE(idr_tree_s, &idr->removed, node);`
`332`	`333`	`lib_free(node);`
`333`	`334`	`}`
`334`	`335`
`335`	`336`	`RB_FOREACH_SAFE(node, idr_tree_s, &idr->alloced, temp)`
`336`	`337`	`{`
	`338`	`+ RB_REMOVE(idr_tree_s, &idr->alloced, node);`
`337`	`339`	`lib_free(node);`
`338`	`340`	`}`
`339`	`341`