From: Noel Power Date: Mon, 17 Nov 2025 08:51:49 +0000 (+0000) Subject: lib/pthreadpool: fix free of already freed glue object X-Git-Tag: tdb-1.4.15~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=209e60296563e3da53f6cc7ed8a758cf34d7a285;p=thirdparty%2Fsamba.git lib/pthreadpool: fix free of already freed glue object The lines are a bit skewed from actual sources (due to temp debug lines) but I have inserted the relevant source code below basically if we free ev_link then this will free the glue object, so deleting the glue object on the next line is not what we want to do. ==14263== Invalid read of size 4 ==14263== at 0x4D13E90: talloc_chunk_from_ptr (talloc.c:527) ==14263== by 0x4D1621E: _talloc_free (talloc.c:1770) 249 #ifdef HAVE_PTHREAD 250 glue->tctx = tevent_threaded_context_create(glue, ev); 251 if (glue->tctx == NULL) { 252 TALLOC_FREE(ev_link); * 253 TALLOC_FREE(glue); 254 return ENOMEM; 250 } ==14263== by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253) ==14263== by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324) ==14263== by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104) ==14263== by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998) ==14263== by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057) ==14263== by 0x494B1E5: sync_file (fileio.c:320) ==14263== by 0x497CC77: reply_flush (reply.c:5398) ==14263== by 0x49E28CB: switch_message (process.c:1726) ==14263== by 0x49E2AA4: construct_reply (process.c:1762) ==14263== by 0x49E37F8: process_smb (process.c:2017) ==14263== Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd ==14263== at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==14263== by 0x4D14F81: _tc_free_internal (talloc.c:1222) ==14263== by 0x4D15025: _talloc_free_internal (talloc.c:1248) ==14263== by 0x4D162ED: _talloc_free (talloc.c:1792) 190 static int pthreadpool_tevent_glue_link_destructor( 191 struct pthreadpool_tevent_glue_ev_link *ev_link) 192 { 
* 193 TALLOC_FREE(ev_link->glue); 194 return 0; 195 } ==14263== by 0x51F9EC3: pthreadpool_tevent_glue_link_destructor (pthreadpool_tevent.c:193) ==14263== by 0x4D14CA9: _tc_free_internal (talloc.c:1158) ==14263== by 0x4D15025: _talloc_free_internal (talloc.c:1248) ==14263== by 0x4D162ED: _talloc_free (talloc.c:1792) 249 #ifdef HAVE_PTHREAD 250 glue->tctx = tevent_threaded_context_create(glue, ev); 251 if (glue->tctx == NULL) { * 252 TALLOC_FREE(ev_link); 253 TALLOC_FREE(glue); 254 return ENOMEM; 250 } ==14263== by 0x51FA08D: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:252) ==14263== by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324) ==14263== by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104) ==14263== by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998) ==14263== Block was alloc'd at ==14263== at 0x4841984: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==14263== by 0x4D14339: __talloc_with_prefix (talloc.c:783) ==14263== by 0x4D144D3: __talloc (talloc.c:825) ==14263== by 0x4D1486C: _talloc_named_const (talloc.c:982) ==14263== by 0x4D1734D: _talloc_zero (talloc.c:2421) ==14263== by 0x51F9F46: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:222) ==14263== by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324) ==14263== by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104) ==14263== by 0x49CD9B1: smb_vfs_call_fsync_send (vfs.c:1998) ==14263== by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057) ==14263== by 0x494B1E5: sync_file (fileio.c:320) ==14263== by 0x497CC77: reply_flush (reply.c:5398) ==14263== ==14263== Invalid read of size 4 ==14263== at 0x4D13EAE: talloc_chunk_from_ptr (talloc.c:528) ==14263== by 0x4D1621E: _talloc_free (talloc.c:1770) ==14263== by 0x51FA0AF: pthreadpool_tevent_register_ev (pthreadpool_tevent.c:253) ==14263== by 0x51FA302: pthreadpool_tevent_job_send (pthreadpool_tevent.c:324) ==14263== by 0x4B01E68: vfswrap_fsync_send (vfs_default.c:1104) ==14263== by 0x49CD9B1: 
smb_vfs_call_fsync_send (vfs.c:1998) ==14263== by 0x49CDBF9: smb_vfs_fsync_sync (vfs.c:2057) ==14263== by 0x494B1E5: sync_file (fileio.c:320) ==14263== by 0x497CC77: reply_flush (reply.c:5398) ==14263== by 0x49E28CB: switch_message (process.c:1726) ==14263== by 0x49E2AA4: construct_reply (process.c:1762) ==14263== by 0x49E37F8: process_smb (process.c:2017) ==14263== Address 0xcb415d0 is 0 bytes inside a block of size 144 free'd ==14263== at 0x484494B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-l BUG: https://bugzilla.samba.org/show_bug.cgi?id=15957 Signed-off-by: Noel Power Reviewed-by: Stefan Metzmacher
---
diff --git a/lib/pthreadpool/pthreadpool_tevent.c b/lib/pthreadpool/pthreadpool_tevent.c
index a66f444d193..515dcc0fd7b 100644
--- a/lib/pthreadpool/pthreadpool_tevent.c
+++ b/lib/pthreadpool/pthreadpool_tevent.c
@@ -250,7 +250,6 @@ static int pthreadpool_tevent_register_ev(struct pthreadpool_tevent *pool,
 glue->tctx = tevent_threaded_context_create(glue, ev);
 if (glue->tctx == NULL) {
 TALLOC_FREE(ev_link);
- TALLOC_FREE(glue);
 return ENOMEM;
 }
 #endif
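Review bot: After this hunk, glue is released only as a side effect of the remaining `TALLOC_FREE(ev_link);` (the description quotes pthreadpool_tevent_glue_link_destructor() doing `TALLOC_FREE(ev_link->glue)`), but nothing in the error path says so, so the next reader will see an apparent leak of glue and may reintroduce the double free the commit removes. A one-line comment above that free would carry the ownership rule: `/* freeing ev_link runs its destructor, which also frees glue */`. Any earlier error return in pthreadpool_tevent_register_ev that happens before ev_link's destructor is installed presumably still has to free glue directly; that is outside this hunk and worth confirming. The function starts before the hunk and continues past `#endif`.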