Bug 11901 - Reparenting in a destructor incorrectly terminates freeing of children leading to a memory leak.
Reparenting in a destructor incorrectly terminates freeing of children leadin...
Product: TALLOC
Classification: Unclassified
Component: libtalloc
All All
: P5 normal
: ---
Assigned To: Jeremy Allison
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2016-05-05 00:06 UTC by Jeremy Allison
Modified: 2016-05-06 16:49 UTC (History)
2 users (show)

See Also:

Proposed patch. (1.02 KB, patch)
2016-05-05 00:19 UTC, Jeremy Allison
no flags Details
git-am fix for 4.4.next. (7.96 KB, patch)
2016-05-06 00:30 UTC, Jeremy Allison
no flags Details
Patches for v4-4-test (9.06 KB, patch)
2016-05-06 10:22 UTC, Stefan Metzmacher
jra: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-05-05 00:06:55 UTC
From: Hemanth Thummala <hemanth.thummala@nutanix.com>
To: Jeremy Allison <jra@samba.org>, Richard Sharpe <richard.sharpe@nutanix.com>
CC: Saji VR <saji.vr@nutanix.com>
Subject: Re: Memory leak while doing notify cancel?

Hi Jeremy,

Thank you for suggesting the patch to address the leak in smb_request. We have actually tested further with this fix and iden
+tified(by Saji) that we still have a leak in notify_mid_map structure.

From what I understood is that when destructor returns -1 and already reparented, we are returning from the while loop withou
+t traversing the remaining children. This is leaving the notify_mid_map structure as detached child and never get a chance t
+o free.

We have verified that the following patch(by Saji) actually fixed the leak in notify_mid_map structure.

--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1475,7 +1475,7 @@ static inline void _talloc_free_children_internal(struct talloc_chunk *tc,
                                 * Destructor already reparented this child.
                                 * No further reparenting needed.
-                               return;
+                               continue;
                        if (new_parent == null_context) {
                                struct talloc_chunk *p = talloc_parent_chunk(ptr);

We would like to know if our understanding is correct.

Comment 1 Jeremy Allison 2016-05-05 00:19:00 UTC
Created attachment 12070 [details]
Proposed patch.
Comment 2 Jeremy Allison 2016-05-06 00:30:06 UTC
Created attachment 12075 [details]
git-am fix for 4.4.next.

Cherry-pick from patch that went into master.

For 4.3.x we'll need to pick all the intermediate talloc patches before this will apply.
Comment 3 Stefan Metzmacher 2016-05-06 10:22:45 UTC
Created attachment 12080 [details]
Patches for v4-4-test

I've added one more patch (talloc/testsuite: Fix CID 1291641 - Logically dead code) in order to have a zero diff between 4.4 and master.
Comment 4 Jeremy Allison 2016-05-06 16:49:05 UTC
Comment on attachment 12080 [details]
Patches for v4-4-test