mirror of
https://github.com/samba-team/samba.git
synced 2025-01-13 13:18:06 +03:00
ee02e40e86
If the lock request is freed from within the callback, then setting lock_ctx->request to NULL in ctdb_lock_context_destructor will end up corrupting memory. In this case, lock_ctx->request could be reallocated and pointing to something else. This may cause unexpected abort trying to dereference a NULL pointer. So, set lock_ctx->request to NULL before processing callbacks. This avoids the following valgrind problem. ==3636== Invalid write of size 8 ==3636== at 0x151F3D: ctdb_lock_context_destructor (ctdb_lock.c:276) ==3636== by 0x58B3618: _talloc_free_internal (talloc.c:993) ==3636== by 0x58AD692: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58AD692: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free (talloc.c:1594) ==3636== by 0x15292E: ctdb_lock_handler (ctdb_lock.c:471) ==3636== by 0x56A535A: epoll_event_loop (tevent_epoll.c:728) ==3636== by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926) ==3636== by 0x56A3826: std_event_loop_once (tevent_standard.c:114) ==3636== by 0x569FFFC: _tevent_loop_once (tevent.c:533) ==3636== by 0x56A019A: tevent_common_loop_wait (tevent.c:637) ==3636== by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140) ==3636== by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320) ==3636== by 0x118557: main (ctdbd.c:321) ==3636== Address 0x9c5b660 is 96 bytes inside a block of size 120 free'd ==3636== at 0x4C29D17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3636== by 0x58B32D3: _talloc_free_internal (talloc.c:1063) ==3636== by 0x58B3232: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58B3232: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58B3232: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58B3232: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free_children_internal (talloc.c:1472) ==3636== by 0x58AD692: _talloc_free_internal (talloc.c:1019) ==3636== by 0x58AD692: _talloc_free (talloc.c:1594) ==3636== by 0x11EC30: daemon_incoming_packet (ctdb_daemon.c:844) ==3636== by 0x136F4A: lock_fetch_callback (ctdb_ltdb_server.c:268) ==3636== by 0x152489: process_callbacks (ctdb_lock.c:353) ==3636== by 0x152489: ctdb_lock_handler (ctdb_lock.c:468) ==3636== by 0x56A535A: epoll_event_loop (tevent_epoll.c:728) ==3636== by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926) ==3636== by 0x56A3826: std_event_loop_once (tevent_standard.c:114) ==3636== by 0x569FFFC: _tevent_loop_once (tevent.c:533) ==3636== by 0x56A019A: tevent_common_loop_wait (tevent.c:637) ==3636== by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140) ==3636== by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320) ==3636== by 0x118557: main (ctdbd.c:321) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11293 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com> |
||
|---|---|---|
| .. | ||
| ctdb_banning.c | ||
| ctdb_call.c | ||
| ctdb_control.c | ||
| ctdb_daemon.c | ||
| ctdb_event_helper.c | ||
| ctdb_freeze.c | ||
| ctdb_keepalive.c | ||
| ctdb_lock_helper.c | ||
| ctdb_lock.c | ||
| ctdb_logging_file.c | ||
| ctdb_logging_syslog.c | ||
| ctdb_logging.c | ||
| ctdb_ltdb_server.c | ||
| ctdb_monitor.c | ||
| ctdb_persistent.c | ||
| ctdb_recover.c | ||
| ctdb_recoverd.c | ||
| ctdb_server.c | ||
| ctdb_serverids.c | ||
| ctdb_statistics.c | ||
| ctdb_takeover.c | ||
| ctdb_traverse.c | ||
| ctdb_tunables.c | ||
| ctdb_update_record.c | ||
| ctdb_uptime.c | ||
| ctdb_vacuum.c | ||
| ctdbd.c | ||
| eventscript.c | ||