Message-ID: <30aabd24-2b5f-5f5f-9bdd-0c505cd37b6d@redhat.com>
Date: Tue, 1 Aug 2023 10:01:06 -0400
From: Steve Dickson
To: "Wartens, Herb", "linux-nfs@vger.kernel.org"
Subject: Re: Double-Free and Memory Leak Found In libtirpc
References: <968E8957-2AF6-4901-84B0-92EDB5791131@llnl.gov>
In-Reply-To: <968E8957-2AF6-4901-84B0-92EDB5791131@llnl.gov>
X-Mailing-List: linux-nfs@vger.kernel.org

On 7/27/23 5:48 PM, Wartens, Herb wrote:
>
> Just to be clear...
> These patches were not made for the upstream branch (might not apply as cleanly as expected). I applied and tested them against libtirpc-1.1.4-8.el8. I have not gone through the trouble of verifying/testing them against upstream sources. Was just asked to mail these patches here by RH in the bug. Hopefully this is still helpful.

Thank you! I'm looking into them now...

steved.

>
> -Herb
>
>
>> On Jul 27, 2023, at 9:08 AM, Wartens, Herb wrote:
>>
>> Hello All,
>> We have opened up two separate RedHat bugs for these issues. I added patches to those bugs, but was asked to send the patches here as well since the patches might need to go upstream first.
>>
>> 1) https://bugzilla.redhat.com/show_bug.cgi?id=2224666
>>
>> We have an application called HPSS that heavily uses libtirpc. When we updated to RHEL8.8 our application started crashing all of a sudden. We believe the change that introduced this problem was 2112116:
>>
>> 2022-08-03 Steve Dickson mailto:steved@redhat.com 1.1.4-8
>> - rpcb_clnt.c add mechanism to try v2 protocol first (bz 2107650)
>> - Multithreaded cleanup (bz 2112116)
>>
>>     for (cptr = front; cptr != NULL; cptr = cptr->ac_next) {
>>         if (!memcmp(cptr->ac_taddr->buf, addr->buf, addr->len)) {
>>             /* Unlink from cache. We'll destroy it after releasing the mutex. */
>>             if (cptr->ac_uaddr)
>>                 free(cptr->ac_uaddr);
>>             if (prevptr)
>>                 prevptr->ac_next = cptr->ac_next;
>>             else
>>                 front = cptr->ac_next;
>>             cachesize--;
>>             break;
>>         }
>>         prevptr = cptr;
>>     }
>>
>>     mutex_unlock(&rpcbaddr_cache_lock);
>>     destroy_addr(cptr);
>>
>> so we have free'd cptr->ac_uaddr. I believe after that free probably safer to set cptr->ac_uaddr to NULL.
>> Note that destroy_addr() will also try to free it.
>>
>> 2) https://bugzilla.redhat.com/show_bug.cgi?id=2225226
>>
>> While inspecting the changes between the versions of libtirpc in question, I noticed a memory leak as well.
>>
>> /*
>> + * Destroys a cached address entry structure.
>> + *
>> + */
>> +static void
>> +destroy_addr(addr)
>> + struct address_cache *addr;
>> +{
>> + if (addr == NULL)
>> + return;
>> + if(addr->ac_host != NULL)
>> + free(addr->ac_host);
>> + if(addr->ac_netid != NULL)
>> + free(addr->ac_netid);
>> + if(addr->ac_uaddr != NULL)
>> + free(addr->ac_uaddr);
>> + if(addr->ac_taddr != NULL) {
>> + if(addr->ac_taddr->buf != NULL)
>> + free(addr->ac_taddr->buf);
>> + }
>> + free(addr);
>> +}
>>
>> Pretty clear that addr->ac_taddr never was properly free’d. I also verified that with valgrind.
>>
>> I am happy to add more detail, but hopefully others on this list can access the bugs in question. If not let me know and I can add more detail here if needed. Thanks.
>>
>> -Herb
>>
>>
>
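
Review bot: destroy_addr() leaks the ac_taddr structure: inside the if(addr->ac_taddr != NULL) block only addr->ac_taddr->buf is freed, so add free(addr->ac_taddr); after the buf free and before free(addr). The free(addr->ac_uaddr) call here also runs after the cache-unlink loop quoted earlier in the message has already freed cptr->ac_uaddr without clearing it, so either drop that earlier free or set cptr->ac_uaddr = NULL right after it. The NULL checks in front of each free() are not needed, since free(NULL) is a no-op.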
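
The two reports quoted in the message above, as an added example that is not part of the original mail and is not libtirpc code: it replays the delete path for one cache entry and counts the resulting double free and leak with a recording allocator, then repeats it with the pointer cleared after the first free and the ac_taddr structure released. The reduced structs, t_alloc(), t_free(), run() and the fixed flag are assumptions made for the illustration.

```c
/* Added example, not libtirpc code. Frees are recorded, not executed,
 * so the double free is counted safely. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
struct netbuf { unsigned int len; void *buf; };            /* reduced */
struct address_cache { char *ac_uaddr; struct netbuf *ac_taddr; };
struct result { int double_frees; int leaked; };
#define MAXBLK 8
static void *blk[MAXBLK];
static int freed[MAXBLK], nblk, double_frees;
static void *t_alloc(size_t n) {
    freed[nblk] = 0;
    return blk[nblk++] = calloc(1, n);
}
static void t_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < nblk; i++)
        if (blk[i] == p) { if (freed[i]++) double_frees++; return; }
}
/* destroy_addr() as quoted; fixed=1 adds the missing free of ac_taddr. */
static void destroy_addr(struct address_cache *a, int fixed) {
    if (a == NULL) return;
    t_free(a->ac_uaddr);
    if (a->ac_taddr != NULL) {
        t_free(a->ac_taddr->buf);
        if (fixed) t_free(a->ac_taddr);
    }
    t_free(a);
}
/* Delete one cache entry the way the quoted unlink loop does. */
static struct result run(int fixed) {
    nblk = double_frees = 0;
    struct address_cache *c = t_alloc(sizeof *c);
    c->ac_uaddr = t_alloc(16);
    c->ac_taddr = t_alloc(sizeof *c->ac_taddr);
    c->ac_taddr->buf = t_alloc(16);
    t_free(c->ac_uaddr);             /* free inside the unlink loop */
    if (fixed) c->ac_uaddr = NULL;   /* suggested fix: clear after free */
    destroy_addr(c, fixed);          /* sees ac_uaddr again if not cleared */
    int leaked = 0;
    for (int i = 0; i < nblk; i++) { if (!freed[i]) leaked++; free(blk[i]); }
    return (struct result){ double_frees, leaked };
}

int main(void) {
    struct result b = run(0), f = run(1);
    printf("quoted: df=%d leak=%d  fixed: df=%d leak=%d\n", b.double_frees, b.leaked, f.double_frees, f.leaked);
    return 0;
}
```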