mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
ee02e40e86
If the lock request is freed from within the callback, then setting lock_ctx->request to NULL in ctdb_lock_context_destructor will end up corrupting memory. In this case, lock_ctx->request could be reallocated and pointing to something else. This may cause unexpected abort trying to dereference a NULL pointer. So, set lock_ctx->request to NULL before processing callbacks. This avoids the following valgrind problem. ==3636== Invalid write of size 8 ==3636== at 0x151F3D: ctdb_lock_context_destructor (ctdb_lock.c:276) ==3636== by 0x58B3618: _talloc_free_internal (talloc.c:993) ==3636== by 0x58AD692: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58AD692: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free (talloc.c:1594) ==3636== by 0x15292E: ctdb_lock_handler (ctdb_lock.c:471) ==3636== by 0x56A535A: epoll_event_loop (tevent_epoll.c:728) ==3636== by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926) ==3636== by 0x56A3826: std_event_loop_once (tevent_standard.c:114) ==3636== by 0x569FFFC: _tevent_loop_once (tevent.c:533) ==3636== by 0x56A019A: tevent_common_loop_wait (tevent.c:637) ==3636== by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140) ==3636== by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320) ==3636== by 0x118557: main (ctdbd.c:321) ==3636== Address 0x9c5b660 is 96 bytes inside a block of size 120 free'd ==3636== at 0x4C29D17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3636== by 0x58B32D3: _talloc_free_internal (talloc.c:1063) ==3636== by 0x58B3232: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58B3232: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58B3232: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58B3232: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58AD692: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free (talloc.c:1594) ==3636== by 0x11EC30: daemon_incoming_packet (ctdb_daemon.c:844) ==3636== by 0x136F4A: lock_fetch_callback (ctdb_ltdb_server.c:268) ==3636== by 0x152489: process_callbacks (ctdb_lock.c:353) ==3636== by 0x152489: ctdb_lock_handler (ctdb_lock.c:468) ==3636== by 0x56A535A: epoll_event_loop (tevent_epoll.c:728) ==3636== by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926) ==3636== by 0x56A3826: std_event_loop_once (tevent_standard.c:114) ==3636== by 0x569FFFC: _tevent_loop_once (tevent.c:533) ==3636== by 0x56A019A: tevent_common_loop_wait (tevent.c:637) ==3636== by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140) ==3636== by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320) ==3636== by 0x118557: main (ctdbd.c:321) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11293 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
This is the release version of CTDB, a clustered implementation of TDB database used by Samba and other projects to store temporary data. This software is freely distributable under the GNU public license, a copy of which you should have received with this software (in a file called COPYING). For documentation on CTDB, please visit CTDB website http://ctdb.samba.org.