[Libguestfs] [nbdkit PATCH] nbd: Fix memory leak

Eric Blake eblake at redhat.com
Sat Dec 2 21:03:49 UTC 2017


On 12/02/2017 12:21 PM, Richard W.M. Jones wrote:
> On Sat, Dec 02, 2017 at 11:52:31AM -0600, Eric Blake wrote:
>> When converting from a single transaction to a linked list, I
>> forgot to free the storage for each member of the list.
>>
>> Reported-by: Richard W.M. Jones <rjones at redhat.com>
>> Fixes: 7f5bb9bf13f041ea7702bda557d9dd668bc3423a
>> Signed-off-by: Eric Blake <eblake at redhat.com>
>> ---
>>
>> I'm still not sure why 'make check' passes while 'make check-valgrind'
>> fails for TESTS=test-nbd, but this at least avoids the memory leak.


>>
>>    *fd = trans->u.fds[1];
>> +  free (trans);
>>    switch (be32toh (rep.error)) {
>>    case NBD_SUCCESS:
>>      if (trans->buf && read_full (h->fd, trans->buf, trans->count) < 0)
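Review bot: the `+  free (trans);` line sits above the `switch`, but the `case NBD_SUCCESS:` arm still dereferences `trans->buf` and `trans->count`, so the success path reads freed memory (the valgrind output further down shows exactly this: an invalid 8-byte read at nbd.c:340 inside a block freed at nbd.c:337). Either move `free (trans)` below the whole `switch`, or copy `trans->buf` and `trans->count` into locals next to `*fd = trans->u.fds[1];` and free before the switch; the trailing `trans->` uses in this hunk are the only ones that need to change.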

> 
> Can this be right?  valgrind seems to be saying that there are
> double-free errors when I add this patch (see below).

Rather, use after free.  The patch avoids the leak, but didn't do it
quite correctly.  v2 coming up, and now I know why check-valgrind failed.

Sometimes, it's hard to see the actual error message because of
everything else that is also in the log.


> ==18076== Thread 3:
> ==18076== Invalid read of size 8
> ==18076==    at 0x77EBB08: nbd_reply_raw (nbd.c:340)
> ==18076==    by 0x77EBB08: nbd_reader (nbd.c:373)
> ==18076==    by 0x55DC55A: start_thread (in /usr/lib64/libpthread-2.26.9000.so)
> ==18076==    by 0x58E85AE: clone (in /usr/lib64/libc-2.26.9000.so)
> ==18076==  Address 0x7452fc8 is 8 bytes inside a block of size 32 free'd
> ==18076==    at 0x4C2ED18: free (vg_replace_malloc.c:530)
> ==18076==    by 0x77EB996: nbd_reply_raw (nbd.c:337)
> ==18076==    by 0x77EB996: nbd_reader (nbd.c:373)
> ==18076==    by 0x55DC55A: start_thread (in /usr/lib64/libpthread-2.26.9000.so)
> ==18076==    by 0x58E85AE: clone (in /usr/lib64/libc-2.26.9000.so)
> ==18076==  Block was alloc'd at
> ==18076==    at 0x4C2FA1E: calloc (vg_replace_malloc.c:711)
> ==18076==    by 0x77EBBAF: nbd_request_full (nbd.c:264)
> ==18076==    by 0x77EBD98: nbd_pread (nbd.c:602)
> ==18076==    by 0x405986: handle_request (connections.c:884)
> ==18076==    by 0x405986: recv_request_send_reply (connections.c:1061)
> ==18076==    by 0x405AE7: connection_worker (connections.c:200)
> ==18076==    by 0x55DC55A: start_thread (in /usr/lib64/libpthread-2.26.9000.so)
> ==18076==    by 0x58E85AE: clone (in /usr/lib64/libc-2.26.9000.so)

But I also see you managed to get CFLAGS=-g propagated to the plugin in
this trace.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
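The ordering problem discussed in this thread, shown as an added example that is not nbdkit's code: a stand-in transaction record in the shape of the hunk (buffer, count, fd pair), with the fields the reply handling still needs copied into locals before the record is released, so the block is freed exactly once and never read afterwards. The struct, `read_full_from`, `finish_transaction` and the `demo_*` drivers are all hypothetical names introduced here, and the payload is constructed in memory rather than read from a socket.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the transaction record in the
   patch: a caller-owned buffer to fill on success, its length, and a
   pipe pair whose write end is handed back to the caller. */
struct transaction {
    char *buf;
    uint32_t count;
    int fds[2];
};

/* Hypothetical reply header: 0 means success, anything else an error. */
struct reply {
    uint32_t error;
};

/* Stand-in for read_full() on the socket; copies from a constructed
   in-memory payload so the example runs offline. */
static int read_full_from(const char *src, char *dst, uint32_t count)
{
    memcpy(dst, src, count);
    return 0;
}

/* Safe ordering: everything the reply handling needs is read out of the
   record first, the record is freed once, and only the locals are used
   below that point. Freeing before the switch and then touching
   trans->buf / trans->count inside it is the use after free that
   valgrind reports as an invalid read inside a freed block. */
static int finish_transaction(struct transaction *trans,
                              const struct reply *rep,
                              const char *payload, int *fd)
{
    char *buf = trans->buf;
    uint32_t count = trans->count;
    int ret = 0;

    *fd = trans->fds[1];
    free(trans);        /* last use of trans; nothing below dereferences it */
    trans = NULL;

    switch (rep->error) {
    case 0:
        if (buf && read_full_from(payload, buf, count) < 0)
            ret = -1;
        break;
    default:
        ret = -1;
        break;
    }
    return ret;
}

/* Allocates a record with calloc, as the trace shows nbd_request_full()
   doing, so the drivers below exercise a genuine heap block. */
static struct transaction *make_transaction(char *buf, uint32_t count, int wfd)
{
    struct transaction *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    t->buf = buf;
    t->count = count;
    t->fds[0] = -1;
    t->fds[1] = wfd;
    return t;
}

/* Success path on constructed input: returns the fd handed back (7), or -1
   if the payload did not land in the caller's buffer. */
int demo_success_path(void)
{
    char out[4] = {0};
    int fd = -1;
    struct reply ok = { 0 };
    struct transaction *t = make_transaction(out, sizeof out, 7);
    if (!t || finish_transaction(t, &ok, "abcd", &fd) != 0)
        return -1;
    return memcmp(out, "abcd", 4) == 0 ? fd : -1;
}

/* Error path: the record is still released and the fd still returned (9),
   but the caller's buffer must be left untouched. */
int demo_error_path(void)
{
    char out[4] = {0};
    int fd = -1;
    struct reply bad = { 5 };
    struct transaction *t = make_transaction(out, sizeof out, 9);
    if (!t)
        return -1;
    if (finish_transaction(t, &bad, "abcd", &fd) != -1)
        return -1;
    return out[0] == 0 ? fd : -1;
}

int main(void)
{
    return (demo_success_path() == 7 && demo_error_path() == 9) ? 0 : 1;
}
```

Running this under `valgrind --error-exitcode=1` is the quickest way to confirm the ordering: with the locals in place it reports no invalid reads, and the same binary with the copies removed reproduces the "Invalid read ... inside a block ... free'd" pattern quoted above. Moving the `free` below the switch is the other equally valid fix; copying out the fields is shown here because it keeps the release next to the fd hand-off, as in the original hunk.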
