lib/pthreadpool: fix free of already freed glue object
authorNoel Power <noel.power@suse.com>
Mon, 17 Nov 2025 08:51:49 +0000 (08:51 +0000)
committerStefan Metzmacher <metze@samba.org>
Sun, 18 Jan 2026 14:13:45 +0000 (14:13 +0000)
The lines are a bit skewed from actual sources (due to temp
debug lines) but I have inserted the relevant source code below

Basically, if we free ev_link then this will also free the glue object, so
freeing the glue object again on the next line is not what we want to do.

==14263== Invalid read of size 4
==14263==    at 0x4D13E90: talloc_chunk_from_ptr (talloc.c:527)
==14263==    by 0x4D1621E: _talloc_free (talloc.c:1770)
  249 #ifdef HAVE_PTHREAD
  250 glue->tctx = tevent_threaded_context_create(glue, ev);
  251 if (glue->tctx == NULL) {
  252 TALLOC_FREE(ev_link);
* 253 TALLOC_FREE(glue);
  254 return ENOMEM;
  250 }
==14263==    by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253)
==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
==14263==    by 0x494B1E5: sync_file (fileio.c:320)
==14263==    by 0x497CC77: reply_flush (reply.c:5398)
==14263==    by 0x49E28CB: switch_message (process.c:1726)
==14263==    by 0x49E2AA4: construct_reply (process.c:1762)
==14263==    by 0x49E37F8: process_smb (process.c:2017)
==14263==  Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd
==14263==    at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14263==    by 0x4D14F81: _tc_free_internal (talloc.c:1222)
==14263==    by 0x4D15025: _talloc_free_internal (talloc.c:1248)
==14263==    by 0x4D162ED: _talloc_free (talloc.c:1792)

  190 static int pthreadpool_tevent_glue_link_destructor(
  191  struct pthreadpool_tevent_glue_ev_link *ev_link)
  192 {
* 193  TALLOC_FREE(ev_link->glue);
  194  return 0;
  195 }
==14263==    by 0x51F9EC3: pthreadpool_tevent_glue_link_destructor (pthreadpool_tevent.c:193)
==14263==    by 0x4D14CA9: _tc_free_internal (talloc.c:1158)
==14263==    by 0x4D15025: _talloc_free_internal (talloc.c:1248)
==14263==    by 0x4D162ED: _talloc_free (talloc.c:1792)
  249 #ifdef HAVE_PTHREAD
  250   glue->tctx = tevent_threaded_context_create(glue, ev);
  251   if (glue->tctx == NULL) {
* 252           TALLOC_FREE(ev_link);
  253           TALLOC_FREE(glue);
  254           return ENOMEM;
  250   }
==14263==    by 0x51FA08D: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:252)
==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
==14263==  Block was alloc'd at
==14263==    at 0x4841984: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14263==    by 0x4D14339: __talloc_with_prefix (talloc.c:783)
==14263==    by 0x4D144D3: __talloc (talloc.c:825)
==14263==    by 0x4D1486C: _talloc_named_const (talloc.c:982)
==14263==    by 0x4D1734D: _talloc_zero (talloc.c:2421)
==14263==    by 0x51F9F46: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:222)
==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
==14263==    by 0x494B1E5: sync_file (fileio.c:320)
==14263==    by 0x497CC77: reply_flush (reply.c:5398)
==14263==
==14263== Invalid read of size 4
==14263==    at 0x4D13EAE: talloc_chunk_from_ptr (talloc.c:528)
==14263==    by 0x4D1621E: _talloc_free (talloc.c:1770)
==14263==    by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253)
==14263==    by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324)
==14263==    by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104)
==14263==    by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998)
==14263==    by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057)
==14263==    by 0x494B1E5: sync_file (fileio.c:320)
==14263==    by 0x497CC77: reply_flush (reply.c:5398)
==14263==    by 0x49E28CB: switch_message (process.c:1726)
==14263==    by 0x49E2AA4: construct_reply (process.c:1762)
==14263==    by 0x49E37F8: process_smb (process.c:2017)
==14263==  Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd
==14263==    at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-l

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15957
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
lib/pthreadpool/pthreadpool_tevent.c

index a66f444d193f8e060e7a4945a3cf71a00d1cb5d4..515dcc0fd7bc9f7d121f378de399fc23a27e5eb8 100644 (file)
@@ -250,7 +250,6 @@ static int pthreadpool_tevent_register_ev(struct pthreadpool_tevent *pool,
        glue->tctx = tevent_threaded_context_create(glue, ev);
        if (glue->tctx == NULL) {
                TALLOC_FREE(ev_link);
-               TALLOC_FREE(glue);
                return ENOMEM;
        }
 #endif
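Review bot: The surviving `TALLOC_FREE(ev_link);` in this error path now depends on an ownership relation that is invisible at the call site: the ev_link destructor quoted in the commit message (pthreadpool_tevent_glue_link_destructor) frees ev_link->glue, so a reader would naturally expect glue to still need releasing here. Suggest a comment above that line, `/* ev_link's destructor frees glue as well; do not TALLOC_FREE(glue) here. */`, so the double free is not reintroduced by a later cleanup pass. pthreadpool_tevent_register_ev starts and ends outside the hunk, so whether the other early-return paths release glue exactly once cannot be judged from here.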