[dm-devel] [PATCH] fix double frees in recent multipath-tools

christophe.varoqui at free.fr christophe.varoqui at free.fr
Tue Apr 28 21:54:12 UTC 2009


Merged as ef341c2fa151b1c5b8ba26633fc28916161a85ff
... with due credit.

----- Mail Original -----
De: "Mike Snitzer" <snitzer at redhat.com>
À: "Hannes Reinecke" <hare at suse.de>
Cc: dm-devel at redhat.com
Envoyé: Jeudi 23 Avril 2009 03h18:35 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Objet: [dm-devel] [PATCH] fix double frees in recent multipath-tools

On Wed, Apr 22 2009 at  6:05pm -0400,
Mike Snitzer <snitzer at redhat.com> wrote:

> 
> Seems the latest multipath-tools has an issue with a double free.  I
> haven't looked at what the proper fix is yet but I wanted to give others
> a heads up.
> 
> Running something as basic as 'multipath' drops a core.
...
> (gdb) bt
> #0  0x0000003a6ec32f05 in raise () from /lib64/libc.so.6
> #1  0x0000003a6ec34a73 in abort () from /lib64/libc.so.6
> #2  0x0000003a6ec72438 in __libc_message () from /lib64/libc.so.6
> #3  0x0000003a6ec77ec8 in malloc_printerr () from /lib64/libc.so.6
> #4  0x0000003a6ec7a486 in free () from /lib64/libc.so.6
> #5  0x00007ffff7dbc205 in xfree (p=0x60b2e0) at memory.c:52
> #6  0x00007ffff7dc3624 in free_config (conf=0x604620) at config.c:414
> #7  0x00000000004027a4 in main (argc=3, argv=0x7fffffffe718) at main.c:474
> (gdb) frame 6
> #6  0x00007ffff7dc3624 in free_config (conf=0x604620) at config.c:414
> (gdb) l
> 409
> 410             if (conf->checker_name)
> 411                     FREE(conf->checker_name);
> 412
> 413             if (conf->prio_name)
> 414                     FREE(conf->prio_name);
> 415
> 416             if (conf->checker_name)
> 417                     FREE(conf->checker_name);
> 418

Here is another one:

(gdb) bt
#0  0x0000003a6ec32f05 in raise () from /lib64/libc.so.6
#1  0x0000003a6ec34a73 in abort () from /lib64/libc.so.6
#2  0x0000003a6ec72438 in __libc_message () from /lib64/libc.so.6
#3  0x0000003a6ec77ec8 in malloc_printerr () from /lib64/libc.so.6
#4  0x0000003a6ec7a486 in free () from /lib64/libc.so.6
#5  0x00007ffff7dbc205 in xfree (p=0x604a90) at memory.c:52
#6  0x00007ffff7dc2ac2 in free_hwe (hwe=0x604950) at config.c:162
#7  0x00007ffff7dc2b0f in free_hwtable (hwtable=0x604460) at config.c:179
#8  0x00007ffff7dc3684 in free_config (conf=0x604620) at config.c:422
#9  0x00000000004027a4 in main (argc=1, argv=0x7fffffffe738) at main.c:474
(gdb) frame 6
#6  0x00007ffff7dc2ac2 in free_hwe (hwe=0x604950) at config.c:162
162                     FREE(hwe->prio_name);
(gdb) l
157
158             if (hwe->bl_product)
159                     FREE(hwe->bl_product);
160
161             if (hwe->prio_name)
162                     FREE(hwe->prio_name);
163
164             if (hwe->checker_name)
165                     FREE(hwe->checker_name);
166             FREE(hwe);


The following patch fixes the crashes I saw.

diff --git a/libmultipath/config.c b/libmultipath/config.c
index 6039642..05dbcd2 100644
--- a/libmultipath/config.c
+++ b/libmultipath/config.c
@@ -158,11 +158,6 @@ free_hwe (struct hwentry * hwe)
 	if (hwe->bl_product)
 		FREE(hwe->bl_product);
 
-	if (hwe->prio_name)
-		FREE(hwe->prio_name);
-
-	if (hwe->checker_name)
-		FREE(hwe->checker_name);
 	FREE(hwe);
 }
 
@@ -410,12 +405,6 @@ free_config (struct config * conf)
 	if (conf->checker_name)
 		FREE(conf->checker_name);
 
-	if (conf->prio_name)
-		FREE(conf->prio_name);
-
-	if (conf->checker_name)
-		FREE(conf->checker_name);
-
 	free_blacklist(conf->blist_devnode);
 	free_blacklist(conf->blist_wwid);
 	free_blacklist_device(conf->blist_device);

--
dm-devel mailing list
dm-devel at redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel




More information about the dm-devel mailing list