fix(driver): bounds-check buffer_id in Shared::reset

paddor · paddor · commit a49967b30197 · 2026-05-21T16:32:03.000+02:00
BufferPoolRoot::release() drains inner.bufs via mem::take, but the
Shared Rc may still be alive. When a BufferRef is dropped after
release, its Drop impl upgrades the Weak successfully and calls
Shared::reset with a stale buffer_id, panicking on the unchecked
index into the now-empty Vec.

Use get_mut (matching the existing bounds check in Shared::take)
and deallocate the buffer directly when the slot no longer exists.

Reproduces under macOS kqueue when closing sockets under
backpressure (PUSH saturating a PULL with low HWM).
diff --git a/compio-driver/src/buffer_pool.rs b/compio-driver/src/buffer_pool.rs
@@ -351,8 +351,12 @@ impl Shared {
     fn reset(&self, buffer_id: u16, ptr: BufPtr) {
         unsafe {
             self.with(|inner| {
-                inner.bufs[buffer_id as usize] = Some(ptr);
-                inner.ctrl.reset(buffer_id, ptr, inner.size);
+                if let Some(slot) = inner.bufs.get_mut(buffer_id as usize) {
+                    *slot = Some(ptr);
+                    inner.ctrl.reset(buffer_id, ptr, inner.size);
+                } else {
+                    (inner.alloc.deallocate)(ptr, inner.size);
+                }
             })
         }
     }
