11901 – Reparenting in a destructor incorrectly terminates freeing of children leading to a memory leak.

Bug 11901 - Reparenting in a destructor incorrectly terminates freeing of children leading to a memory leak.

Summary: Reparenting in a destructor incorrectly terminates freeing of children leadin...

Status:	RESOLVED FIXED

Alias:	None

Product:	TALLOC
Classification:	Unclassified
Component:	libtalloc (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assignee:	Jeremy Allison
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-05-05 00:06 UTC by Jeremy Allison
Modified:	2020-10-22 03:07 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Proposed patch. (1.02 KB, patch) 2016-05-05 00:19 UTC, Jeremy Allison	no flags	Details
git-am fix for 4.4.next. (7.96 KB, patch) 2016-05-06 00:30 UTC, Jeremy Allison	no flags	Details
Patches for v4-4-test (9.06 KB, patch) 2016-05-06 10:22 UTC, Stefan Metzmacher	jra: review+	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeremy Allison 2016-05-05 00:06:55 UTC

From: Hemanth Thummala <hemanth.thummala@nutanix.com>
To: Jeremy Allison <jra@samba.org>, Richard Sharpe <richard.sharpe@nutanix.com>
CC: Saji VR <saji.vr@nutanix.com>
Subject: Re: Memory leak while doing notify cancel?

Hi Jeremy,

Thank you for suggesting the patch to address the leak in smb_request. We have actually tested further with this fix and iden
+tified(by Saji) that we still have a leak in notify_mid_map structure.

From what I understood is that when destructor returns -1 and already reparented, we are returning from the while loop withou
+t traversing the remaining children. This is leaving the notify_mid_map structure as detached child and never get a chance t
+o free.

We have verified that the following patch(by Saji) actually fixed the leak in notify_mid_map structure.

--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1475,7 +1475,7 @@ static inline void _talloc_free_children_internal(struct talloc_chunk *tc,
                                 * Destructor already reparented this child.
                                 * No further reparenting needed.
                                 */
-                               return;
+                               continue;
                        }
                        if (new_parent == null_context) {
                                struct talloc_chunk *p = talloc_parent_chunk(ptr);



We would like to know if our understanding is correct.


Thanks,
Hemanth.

Comment 1 Jeremy Allison 2016-05-05 00:19:00 UTC

Created attachment 12070 [details]
Proposed patch.

Comment 2 Jeremy Allison 2016-05-06 00:30:06 UTC

Created attachment 12075 [details]
git-am fix for 4.4.next.

Cherry-pick from patch that went into master.

For 4.3.x we'll need to pick all the intermediate talloc patches before this will apply.

Comment 3 Stefan Metzmacher 2016-05-06 10:22:45 UTC

Created attachment 12080 [details]
Patches for v4-4-test

I've added one more patch (talloc/testsuite: Fix CID 1291641 - Logically dead code) in order to have a zero diff between 4.4 and master.

Comment 4 Jeremy Allison 2016-05-06 16:49:05 UTC

Comment on attachment 12080 [details]
Patches for v4-4-test

LGTM.