mirror of
https://github.com/samba-team/samba.git
synced 2024-12-31 17:18:04 +03:00
688be0177b
If you happen to talloc_free(run_ctx) before all the tevent_req's hanging off it, you run into the following: ==495196== Invalid read of size 8 ==495196== at 0x10D757: run_proc_state_destructor (run_proc.c:413) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x48538B1: tevent_req_received (tevent_req.c:293) ==495196== by 0x4853429: tevent_req_destructor (tevent_req.c:129) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x4890AF6: _tc_free_children_internal (talloc.c:1669) ==495196== by 0x488F967: _tc_free_internal (talloc.c:1184) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10DE62: main (run_proc_test.c:86) ==495196== Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd ==495196== at 0x48399AB: free (vg_replace_malloc.c:538) ==495196== by 0x488FB25: _tc_free_internal (talloc.c:1222) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10D315: run_proc_context_destructor (run_proc.c:329) ==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) ==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) ==495196== by 0x4890F41: _talloc_free (talloc.c:1792) ==495196== by 0x10DE62: main (run_proc_test.c:86) ==495196== Block was alloc'd at ==495196== at 0x483877F: malloc (vg_replace_malloc.c:307) ==495196== by 0x488EAD9: __talloc_with_prefix (talloc.c:783) ==495196== by 0x488EC73: __talloc (talloc.c:825) ==495196== by 0x488F0FC: _talloc_named_const (talloc.c:982) ==495196== by 0x48925B1: _talloc_zero (talloc.c:2421) ==495196== by 0x10C8F2: proc_new (run_proc.c:61) ==495196== by 0x10D4C9: run_proc_send (run_proc.c:381) ==495196== by 0x10DDF6: main (run_proc_test.c:79) This happens because run_proc_context_destructor() directly does a talloc_free() on the struct proc_context's and not the enclosing tevent_req's. run_proc_kill() makes sure that we don't follow proc->req, but it forgets the "state->proc", which is free()'ed, but later dereferenced in run_proc_state_destructor(). This is an attempt at a quick fix, I believe we should convert run_proc_context->plist into an array of tevent_req's, so that we can properly TALLOC_FREE() according to the "natural" hierarchy and not just pull an arbitrary thread out of that heap. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Oct 6 15:10:20 UTC 2022 on sn-devel-184 |
||
---|---|---|
.. | ||
cmdline.c | ||
cmdline.h | ||
comm.c | ||
comm.h | ||
common.h | ||
conf_tool.c | ||
conf_tool.h | ||
conf.c | ||
conf.h | ||
ctdb_io.c | ||
ctdb_ltdb.c | ||
ctdb_util.c | ||
db_hash.c | ||
db_hash.h | ||
event_script.c | ||
event_script.h | ||
hash_count.c | ||
hash_count.h | ||
line.c | ||
line.h | ||
logging_conf.c | ||
logging_conf.h | ||
logging.c | ||
logging.h | ||
path_tool.c | ||
path_tool.h | ||
path.c | ||
path.h | ||
pidfile.c | ||
pidfile.h | ||
pkt_read.c | ||
pkt_read.h | ||
pkt_write.c | ||
pkt_write.h | ||
rb_tree.c | ||
rb_tree.h | ||
reqid.c | ||
reqid.h | ||
run_event.c | ||
run_event.h | ||
run_proc.c | ||
run_proc.h | ||
sock_client.c | ||
sock_client.h | ||
sock_daemon.c | ||
sock_daemon.h | ||
sock_io.c | ||
sock_io.h | ||
srvid.c | ||
srvid.h | ||
system_socket.c | ||
system_socket.h | ||
system.c | ||
system.h | ||
tmon.c | ||
tmon.h | ||
tunable.c | ||
tunable.h |