Bug 4778 - memory leak from talloc_setup_null_tracking() in server binaries
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.20.0
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
Reported: 2007-07-11 10:58 UTC by Kevin Day
Modified: 2024-06-11 05:02 UTC
Description Kevin Day 2007-07-11 10:58:44 UTC
I detected a small memory leak in smbd; I then ran valgrind against nmbd and winbindd. nmbd also suffers from the same problem as smbd, and winbindd seems to have its own.

None of these seem critical, considering that I can still browse and interact with the shares without a problem, but memory leaks and invalid reads are still dangerous.

smbd:
==30263== 8,519 (48 direct, 8,471 indirect) bytes in 1 blocks are definitely lost in loss record 11 of 22
==30263==    at 0x48114B0: malloc (vg_replace_malloc.c:149)
==30263==    by 0x24B7D0: __talloc (talloc.c:209)
==30263==    by 0x24B73E: _talloc_named_const (talloc.c:291)
==30263==    by 0x24CAEE: talloc_enable_null_tracking (talloc.c:1044)
==30263==    by 0x24C20F: talloc_init (talloc.c:660)
==30263==    by 0x44BAC: lp_string (loadparm.c:1719)
==30263==    by 0x44DBB: lp_logfile (loadparm.c:1778)
==30263==    by 0x251EF0: dump_core_setup (fault.c:100)
==30263==    by 0x3406E6: main (server.c:912)
==30263== 
==30263== LEAK SUMMARY:
==30263==    definitely lost: 48 bytes in 1 blocks.
==30263==    indirectly lost: 8,471 bytes in 155 blocks.
==30263==      possibly lost: 0 bytes in 0 blocks.
==30263==    still reachable: 60,561 bytes in 290 blocks.
==30263==         suppressed: 0 bytes in 0 blocks.
==30263== Reachable blocks (those to which a pointer was found) are not shown.
==30263== To see them, rerun with: --leak-check=full --show-reachable=yes
==30264== Invalid read of size 4
==30264==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==30264==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==30264==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==30264==    by 0x340458: exit_server_common (server.c:771)
==30264==    by 0x34048A: exit_server_cleanly (server.c:781)
==30264==    by 0x33F9BD: open_sockets_smbd (server.c:485)
==30264==    by 0x340D83: main (server.c:1082)
==30264==  Address 0x49407C4 is 4 bytes inside a block of size 24 free'd
==30264==    at 0x48110CA: free (vg_replace_malloc.c:233)
==30264==    by 0x482CA65: (within /lib/libdl-0.9.28.so)
==30264==    by 0x482CF51: dl_cleanup (in /lib/libdl-0.9.28.so)
==30264==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==30264==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==30264==    by 0x340458: exit_server_common (server.c:771)
==30264==    by 0x34048A: exit_server_cleanly (server.c:781)
==30264==    by 0x33F9BD: open_sockets_smbd (server.c:485)
==30264==    by 0x340D83: main (server.c:1082)
==30264== 
==30264== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==30264== malloc/free: in use at exit: 80,837 bytes in 467 blocks.
==30264== malloc/free: 4,348 allocs, 3,881 frees, 1,078,647 bytes allocated.
==30264== For counts of detected errors, rerun with: -v
==30264== searching for pointers to 467 not-freed blocks.
==30264== checked 515,128 bytes.
==30264== 
==30264== LEAK SUMMARY:
==30264==    definitely lost: 0 bytes in 0 blocks.
==30264==      possibly lost: 0 bytes in 0 blocks.
==30264==    still reachable: 80,837 bytes in 467 blocks.
==30264==         suppressed: 0 bytes in 0 blocks.
==30264== Reachable blocks (those to which a pointer was found) are not shown.
==30264== To see them, rerun with: --leak-check=full --show-reachable=yes
==30267== Invalid read of size 4
==30267==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==30267==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==30267==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==30267==    by 0x340458: exit_server_common (server.c:771)
==30267==    by 0x34048A: exit_server_cleanly (server.c:781)
==30267==    by 0x2951E5: start_background_queue (printing.c:1417)
==30267==    by 0x340D5C: main (server.c:1074)
==30267==  Address 0x49407C4 is 4 bytes inside a block of size 24 free'd
==30267==    at 0x48110CA: free (vg_replace_malloc.c:233)
==30267==    by 0x482CA65: (within /lib/libdl-0.9.28.so)
==30267==    by 0x482CF51: dl_cleanup (in /lib/libdl-0.9.28.so)
==30267==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==30267==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==30267==    by 0x340458: exit_server_common (server.c:771)
==30267==    by 0x34048A: exit_server_cleanly (server.c:781)
==30267==    by 0x2951E5: start_background_queue (printing.c:1417)
==30267==    by 0x340D5C: main (server.c:1074)
==30267== 
==30267== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==30267== malloc/free: in use at exit: 90,681 bytes in 638 blocks.
==30267== malloc/free: 4,337 allocs, 3,699 frees, 1,078,947 bytes allocated.
==30267== For counts of detected errors, rerun with: -v
==30267== searching for pointers to 638 not-freed blocks.
==30267== checked 522,216 bytes.
==30267== 
==30267== LEAK SUMMARY:
==30267==    definitely lost: 0 bytes in 0 blocks.
==30267==      possibly lost: 0 bytes in 0 blocks.
==30267==    still reachable: 90,681 bytes in 638 blocks.
==30267==         suppressed: 0 bytes in 0 blocks.
==30267== Reachable blocks (those to which a pointer was found) are not shown.
==30267== To see them, rerun with: --leak-check=full --show-reachable=yes



nmbd:
==32625== 8,293 (48 direct, 8,245 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 14
==32625==    at 0x48114B0: malloc (vg_replace_malloc.c:149)
==32625==    by 0x9F3CB: __talloc (talloc.c:209)
==32625==    by 0x9F339: _talloc_named_const (talloc.c:291)
==32625==    by 0xA06E9: talloc_enable_null_tracking (talloc.c:1044)
==32625==    by 0x9FE0A: talloc_init (talloc.c:660)
==32625==    by 0x448D0: lp_string (loadparm.c:1719)
==32625==    by 0x44ADF: lp_logfile (loadparm.c:1778)
==32625==    by 0xA5AEC: dump_core_setup (fault.c:100)
==32625==    by 0x1FBDF: main (nmbd.c:662)
==32625== 
==32625== LEAK SUMMARY:
==32625==    definitely lost: 48 bytes in 1 blocks.
==32625==    indirectly lost: 8,245 bytes in 152 blocks.
==32625==      possibly lost: 0 bytes in 0 blocks.
==32625==    still reachable: 3,187 bytes in 188 blocks.
==32625==         suppressed: 0 bytes in 0 blocks.
==32625== Reachable blocks (those to which a pointer was found) are not shown.
==32625== To see them, rerun with: --leak-check=full --show-reachable=yes
==32626== Invalid read of size 4
==32626==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==32626==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32626==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32626==    by 0x1ECC9: terminate (nmbd.c:72)
==32626==    by 0x1F725: process (nmbd.c:382)
==32626==    by 0x2036B: main (nmbd.c:804)
==32626==  Address 0x494077C is 4 bytes inside a block of size 24 free'd
==32626==    at 0x48110CA: free (vg_replace_malloc.c:233)
==32626==    by 0x482CA65: (within /lib/libdl-0.9.28.so)
==32626==    by 0x482CF51: dl_cleanup (in /lib/libdl-0.9.28.so)
==32626==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32626==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32626==    by 0x1ECC9: terminate (nmbd.c:72)
==32626==    by 0x1F725: process (nmbd.c:382)
==32626==    by 0x2036B: main (nmbd.c:804)
==32626== 
==32626== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==32626== malloc/free: in use at exit: 26,127 bytes in 300 blocks.
==32626== malloc/free: 1,692 allocs, 1,392 frees, 860,282 bytes allocated.
==32626== For counts of detected errors, rerun with: -v
==32626== searching for pointers to 300 not-freed blocks.
==32626== checked 384,772 bytes.
==32626== 
==32626== 
==32626== 228 (48 direct, 180 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 24
==32626==    at 0x48114B0: malloc (vg_replace_malloc.c:149)
==32626==    by 0x9F3CB: __talloc (talloc.c:209)
==32626==    by 0x9F339: _talloc_named_const (talloc.c:291)
==32626==    by 0xA06E9: talloc_enable_null_tracking (talloc.c:1044)
==32626==    by 0x9FE0A: talloc_init (talloc.c:660)
==32626==    by 0x448D0: lp_string (loadparm.c:1719)
==32626==    by 0x44ADF: lp_logfile (loadparm.c:1778)
==32626==    by 0xA5AEC: dump_core_setup (fault.c:100)
==32626==    by 0x1FBDF: main (nmbd.c:662)
==32626== 
==32626== LEAK SUMMARY:
==32626==    definitely lost: 48 bytes in 1 blocks.
==32626==    indirectly lost: 180 bytes in 3 blocks.
==32626==      possibly lost: 0 bytes in 0 blocks.
==32626==    still reachable: 25,899 bytes in 296 blocks.
==32626==         suppressed: 0 bytes in 0 blocks.
==32626== Reachable blocks (those to which a pointer was found) are not shown.
==32626== To see them, rerun with: --leak-check=full --show-reachable=yes



winbindd:
==32633== Invalid read of size 4
==32633==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==32633==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32633==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32633==    by 0x39CCA: terminate (winbindd.c:143)
==32633==    by 0x3B61D: process_loop (winbindd.c:886)
==32633==    by 0x3BF3A: main (winbindd.c:1103)
==32633==  Address 0x49007AC is 4 bytes inside a block of size 24 free'd
==32633==    at 0x48110CA: free (vg_replace_malloc.c:233)
==32633==    by 0x482CA65: (within /lib/libdl-0.9.28.so)
==32633==    by 0x482CF51: dl_cleanup (in /lib/libdl-0.9.28.so)
==32633==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32633==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32633==    by 0x39CCA: terminate (winbindd.c:143)
==32633==    by 0x3B61D: process_loop (winbindd.c:886)
==32633==    by 0x3BF3A: main (winbindd.c:1103)
==32633== 
==32633== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==32633== malloc/free: in use at exit: 27,958 bytes in 294 blocks.
==32633== malloc/free: 1,030 allocs, 736 frees, 202,816 bytes allocated.
==32633== For counts of detected errors, rerun with: -v
==32633== searching for pointers to 294 not-freed blocks.
==32633== checked 448,868 bytes.
==32633== 
==32633== LEAK SUMMARY:
==32633==    definitely lost: 0 bytes in 0 blocks.
==32633==      possibly lost: 0 bytes in 0 blocks.
==32633==    still reachable: 27,958 bytes in 294 blocks.
==32633==         suppressed: 0 bytes in 0 blocks.
==32633== Reachable blocks (those to which a pointer was found) are not shown.
==32633== To see them, rerun with: --leak-check=full --show-reachable=yes
==32634== Invalid read of size 4
==32634==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==32634==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32634==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32634==    by 0x6689B: fork_domain_child (winbindd_dual.c:1051)
==32634==    by 0x646CE: schedule_async_request (winbindd_dual.c:296)
==32634==    by 0x63F07: async_request (winbindd_dual.c:137)
==32634==    by 0x448BD: init_child_connection (winbindd_util.c:387)
==32634==    by 0x64891: async_domain_request (winbindd_dual.c:358)
==32634==    by 0x441B5: add_trusted_domains (winbindd_util.c:231)
==32634==    by 0x445E7: rescan_trusted_domains (winbindd_util.c:325)
==32634==    by 0x3B02A: process_loop (winbindd.c:753)
==32634==    by 0x3BF3A: main (winbindd.c:1103)
==32634==  Address 0x49007AC is 4 bytes inside a block of size 24 free'd
==32634==    at 0x48110CA: free (vg_replace_malloc.c:233)
==32634==    by 0x482CA65: (within /lib/libdl-0.9.28.so)
==32634==    by 0x482CF51: dl_cleanup (in /lib/libdl-0.9.28.so)
==32634==    by 0x4000B9C: (within /lib/ld-uClibc-0.9.28.so)
==32634==    by 0x4875FB2: exit (in /lib/libuClibc-0.9.28.so)
==32634==    by 0x6689B: fork_domain_child (winbindd_dual.c:1051)
==32634==    by 0x646CE: schedule_async_request (winbindd_dual.c:296)
==32634==    by 0x63F07: async_request (winbindd_dual.c:137)
==32634==    by 0x448BD: init_child_connection (winbindd_util.c:387)
==32634==    by 0x64891: async_domain_request (winbindd_dual.c:358)
==32634==    by 0x441B5: add_trusted_domains (winbindd_util.c:231)
==32634==    by 0x445E7: rescan_trusted_domains (winbindd_util.c:325)
==32634== 
==32634== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==32634== malloc/free: in use at exit: 40,055 bytes in 310 blocks.
==32634== malloc/free: 1,052 allocs, 742 frees, 223,695 bytes allocated.
==32634== For counts of detected errors, rerun with: -v
==32634== searching for pointers to 310 not-freed blocks.
==32634== checked 467,964 bytes.
==32634== 
==32634== LEAK SUMMARY:
==32634==    definitely lost: 0 bytes in 0 blocks.
==32634==      possibly lost: 0 bytes in 0 blocks.
==32634==    still reachable: 40,055 bytes in 310 blocks.
==32634==         suppressed: 0 bytes in 0 blocks.
==32634== Reachable blocks (those to which a pointer was found) are not shown.
==32634== To see them, rerun with: --leak-check=full --show-reachable=yes
Comment 1 Jeremy Allison 2007-07-11 14:30:17 UTC
The errors appear to be in the dl_cleanup function inside the libc on this platform. That's not a Samba bug.
Jeremy.
Comment 2 Kevin Day 2007-07-12 09:15:10 UTC
This part:
==30263==    at 0x48114B0: malloc (vg_replace_malloc.c:149)
==30263==    by 0x24B7D0: __talloc (talloc.c:209)
==30263==    by 0x24B73E: _talloc_named_const (talloc.c:291)
==30263==    by 0x24CAEE: talloc_enable_null_tracking (talloc.c:1044)
==30263==    by 0x24C20F: talloc_init (talloc.c:660)
==30263==    by 0x44BAC: lp_string (loadparm.c:1719)
==30263==    by 0x44DBB: lp_logfile (loadparm.c:1778)
==30263==    by 0x251EF0: dump_core_setup (fault.c:100)
==30263==    by 0x3406E6: main (server.c:912)
Seems to have no relation to dl_cleanup.
Comment 3 Andrew Bartlett 2024-06-11 04:58:53 UTC
The 'leak' here is the intentional memory being allocated to find real leaks in talloc with talloc_enable_null_tracking(). It is actually pretty hard to fix, as both atexit() and library destructors are trouble, and the autofree context is deprecated as a bad idea.

However, assigning to Andreas as he is trying to eliminate these as much as possible to allow a build with LeakSanitizer.

On Samba 4.20.0 on Debian we still see this.

valgrind --leak-check=full smbd --version

==4450== 96 bytes in 1 blocks are possibly lost in loss record 8 of 50
==4450==    at 0x4840808: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4450==    by 0x4E29DDD: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.4.2)
==4450==    by 0x4E2B195: talloc_enable_null_tracking (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.4.2)
==4450==    by 0x10E01F: main (in /usr/sbin/smbd)
==4450==
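
An added example, not part of the bug thread or of Samba's code: a Python triage pass over memcheck output in the format quoted above. It separates loss records whose stack passes through talloc_enable_null_tracking (the intentional allocation described in comment 3) and errors whose top frame is dl_cleanup (comment 1) from anything that still needs review. The labels and function names are this example's own.

```python
import re

# Sample abridged from the traces quoted in this report (frames trimmed for brevity).
SAMPLE = """\
==30263== 8,519 (48 direct, 8,471 indirect) bytes in 1 blocks are definitely lost in loss record 11 of 22
==30263==    at 0x48114B0: malloc (vg_replace_malloc.c:149)
==30263==    by 0x24CAEE: talloc_enable_null_tracking (talloc.c:1044)
==30263==
==30264== Invalid read of size 4
==30264==    at 0x482CF52: dl_cleanup (in /lib/libdl-0.9.28.so)
==30264==  Address 0x49407C4 is 4 bytes inside a block of size 24 free'd
==30264==    at 0x48110CA: free (vg_replace_malloc.c:233)
==30264==
==4450== 96 bytes in 1 blocks are possibly lost in loss record 8 of 50
==4450==    at 0x4840808: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4450==    by 0x4E2B195: talloc_enable_null_tracking (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.4.2)
"""

LINE = re.compile(r"^==(\d+)==(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
HEAD = re.compile(r"(definitely|possibly|indirectly) lost in loss record|^Invalid (?:read|write)")

def parse(text):
    """Yield (pid, header, frames) for each leak or invalid-access record."""
    rec = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, body = m.group(1), m.group(2).strip()
        if HEAD.search(body) or not body:      # new record, or blank separator
            if rec:
                yield rec
            rec = (pid, body, []) if body else None
        elif rec and (f := FRAME.match(body)):
            rec[2].append(f.group(1))          # keep only the function name
    if rec:
        yield rec

def classify(header, frames):
    """Label a record using the two causes identified in the thread."""
    if "lost in loss record" in header:
        known = "talloc_enable_null_tracking" in frames
        return "talloc-null-context" if known else "leak-needs-review"
    return "libc-dl_cleanup" if frames[:1] == ["dl_cleanup"] else "error-needs-review"

def triage(text):
    """Return [(pid, label)] in the order the records appear."""
    return [(pid, classify(h, fr)) for pid, h, fr in parse(text)]
```

Records labelled leak-needs-review or error-needs-review are the ones neither comment 1 nor comment 3 accounts for.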