Bug 15957 - Double free of glue object and core in pthreadpool_tevent_register_ev
Summary: Double free of glue object and core in pthreadpool_tevent_register_ev
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Noel Power
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-20 15:49 UTC by Noel Power
Modified: 2025-11-20 15:51 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Noel Power 2025-11-20 15:49:39 UTC 
while loading smbd with an artificial test (trying to trigger a different core scenario) I came across this instance of a double free.

In pthreadpool_tevent_register_ev (in pthreadpool_tevent.c) if tevent_threaded_context_create fails we TALLOC_FREE(ev_link) and immediately after that call TALLOC_FREE(glue)

The problem here is that pthreadpool_tevent_glue_link_destructor (destructor for ev_link) deletes the associated glue object resulting in a double free when the glue object is deleted immediately after the free of the ev_link object


    The lines are a bit skewed from actual sources (due to temp
    debug lines) but I have inserted the relevant source code below
    
    ==14263== Invalid read of size 4
    ==14263==    at 0x4D13E90: talloc_chunk_from_ptr (talloc.c:527)
    ==14263==    by 0x4D1621E: _talloc_free (talloc.c:1770)
      249 #ifdef HAVE_PTHREAD
      250   glue->tctx = tevent_threaded_context_create(glue, ev);
      251   if (glue->tctx == NULL) {
      252           TALLOC_FREE(ev_link);
    * 253           TALLOC_FREE(glue);
      254           return ENOMEM;
      250   }
    ==14263==    by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253)
    ==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
    ==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
    ==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
    ==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
    ==14263==    by 0x494B1E5: sync_file (fileio.c:320)
    ==14263==    by 0x497CC77: reply_flush (reply.c:5398)
    ==14263==    by 0x49E28CB: switch_message (process.c:1726)
    ==14263==    by 0x49E2AA4: construct_reply (process.c:1762)
    ==14263==    by 0x49E37F8: process_smb (process.c:2017)
    ==14263==  Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd
    ==14263==    at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14263==    by 0x4D14F81: _tc_free_internal (talloc.c:1222)
    ==14263==    by 0x4D15025: _talloc_free_internal (talloc.c:1248)
    ==14263==    by 0x4D162ED: _talloc_free (talloc.c:1792)
    
      190 static int pthreadpool_tevent_glue_link_destructor(
      191   struct pthreadpool_tevent_glue_ev_link *ev_link)
      192 {
    * 193   TALLOC_FREE(ev_link->glue);
      194   return 0;
      195 }
    ==14263==    by 0x51F9EC3: pthreadpool_tevent_glue_link_destructor (pthreadpool_tevent.c:193)
    ==14263==    by 0x4D14CA9: _tc_free_internal (talloc.c:1158)
    ==14263==    by 0x4D15025: _talloc_free_internal (talloc.c:1248)
    ==14263==    by 0x4D162ED: _talloc_free (talloc.c:1792)
      249 #ifdef HAVE_PTHREAD
      250   glue->tctx = tevent_threaded_context_create(glue, ev);
      251   if (glue->tctx == NULL) {
    * 252           TALLOC_FREE(ev_link);
      253           TALLOC_FREE(glue);
      254           return ENOMEM;
      250   }
    ==14263==    by 0x51FA08D: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:252)
    ==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
    ==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
    ==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
    ==14263==  Block was alloc'd at
    ==14263==    at 0x4841984: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==14263==    by 0x4D14339: __talloc_with_prefix (talloc.c:783)
    ==14263==    by 0x4D144D3: __talloc (talloc.c:825)
    ==14263==    by 0x4D1486C: _talloc_named_const (talloc.c:982)
    ==14263==    by 0x4D1734D: _talloc_zero (talloc.c:2421)
    ==14263==    by 0x51F9F46: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:222)
    ==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
    ==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
    ==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
    ==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
    ==14263==    by 0x494B1E5: sync_file (fileio.c:320)
    ==14263==    by 0x497CC77: reply_flush (reply.c:5398)
    ==14263==
    ==14263== Invalid read of size 4
    ==14263==    at 0x4D13EAE: talloc_chunk_from_ptr (talloc.c:528)
    ==14263==    by 0x4D1621E: _talloc_free (talloc.c:1770)
    ==14263==    by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253)
    ==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
    ==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
    ==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
    ==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
    ==14263==    by 0x494B1E5: sync_file (fileio.c:320)
    ==14263==    by 0x497CC77: reply_flush (reply.c:5398)
    ==14263==    by 0x49E28CB: switch_message (process.c:1726)
    ==14263==    by 0x49E2AA4: construct_reply (process.c:1762)
    ==14263==    by 0x49E37F8: process_smb (process.c:2017)
    ==14263==  Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd
    ==14263==    at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-l