Bug 168744 - double-free of gam_subscription
double-free of gam_subscription
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gamin (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Alexander Larsson
:
: 168792 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-19 18:22 EDT by Dan Williams
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 0.1.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-10-28 11:33:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dan Williams 2005-09-19 18:22:53 EDT
kernel 2.6.13-1.1552
using inotify evidently
gamin 0.1.6 from pkgcvs devel

Here's the backtrace from where the subscription gets freed twice.  Path to get
here is to launch gedit, hit open dialog.  gamin gets a SIGPIPE, frees the
current subscription when it tears down the listener initially.  Next, it frees
another subscription.  Then it tries to double-free this one:

Breakpoint 1, gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
100         if (sub == NULL)
(gdb) bt
#0  gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
#1  0x0804cf2f in gam_poll_basic_remove_subscription (sub=0x936c8c8) at
gam_poll_basic.c:223
#2  0x0804b7a8 in gam_poll_remove_subscription (sub=0x936c8c8) at gam_server.c:487
#3  0x0804b40d in gam_remove_subscription (sub=0x936c8c8) at gam_server.c:253
#4  0x0804fecf in gam_connection_request (conn=0x936e0e8, req=0x936e11f) at
gam_connection.c:388
#5  0x08050243 in gam_connection_data (conn=0x936e0e8, len=2805) at
gam_connection.c:491
#6  0x0804ed48 in gam_client_conn_read (source=0x936c438, condition=G_IO_IN,
info=0x936e0e8) at gam_channel.c:283
#7  0x00d71b7c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#8  0x00d4a9ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#9  0x00d4da06 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#10 0x00d4dcf3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#11 0x0804bacf in main (argc=1, argv=0xbfcf48c4) at gam_server.c:584
#12 0x00ad14ff in __libc_start_main (main=0x804b8d0 <main>, argc=1,
ubp_av=0xbfcf48c4,
    init=0x805798c <__libc_csu_init>, fini=0x80579e8 <__libc_csu_fini>,
rtld_fini=0xaacc9d <_dl_fini>,
    stack_end=0xbfcf48bc) at ../sysdeps/generic/libc-start.c:231
#13 0x0804a5ad in _start ()
(gdb) c
Continuing.

Breakpoint 1, gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
100         if (sub == NULL)
(gdb) bt
#0  gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
#1  0x0804fee6 in gam_connection_request (conn=0x936e0e8, req=0x936e11f) at
gam_connection.c:391
#2  0x08050243 in gam_connection_data (conn=0x936e0e8, len=2805) at
gam_connection.c:491
#3  0x0804ed48 in gam_client_conn_read (source=0x936c438, condition=G_IO_IN,
info=0x936e0e8) at gam_channel.c:283
#4  0x00d71b7c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#5  0x00d4a9ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#6  0x00d4da06 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#7  0x00d4dcf3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#8  0x0804bacf in main (argc=1, argv=0xbfcf48c4) at gam_server.c:584
#9  0x00ad14ff in __libc_start_main (main=0x804b8d0 <main>, argc=1,
ubp_av=0xbfcf48c4,
    init=0x805798c <__libc_csu_init>, fini=0x80579e8 <__libc_csu_fini>,
rtld_fini=0xaacc9d <_dl_fini>,
    stack_end=0xbfcf48bc) at ../sysdeps/generic/libc-start.c:231
#10 0x0804a5ad in _start ()
(gdb)

So it appears that the subscription is getting freed by
gam_remove_subscription() first, then next explicitly by gam_connection_request().
Comment 1 Dan Williams 2005-09-19 18:35:25 EDT
So, here's the problem.  In gam_connection.c, in gam_connection_request(), there
is this code:

	    gam_listener_remove_subscription(conn->listener, sub);
	    gam_remove_subscription(sub);
#ifdef ENABLE_INOTIFY
	    if (gam_inotify_is_running())
		gam_subscription_free(sub);
#endif

However, in the inotify case, gam_remove_subscription() in gam_server.c already
has removed and freed the subscription:

	if (gam_exclude_check (path)) 
	{
#if ENABLE_INOTIFY
		if (gam_inotify_is_running())
			return gam_poll_remove_subscription (sub);
		else
#endif

gam_poll_remove_subscription() calls gam_poll_basic_remove_subscription(), which
calls gam_subscription_free() before it returns.
Comment 2 Daniel Veillard 2005-09-20 07:10:27 EDT
*** Bug 168792 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Veillard 2005-09-20 11:35:23 EDT
Thanks for the excellent bug report, I hope I understood why this happened :-)

I assume this is due to the (not so common) fact that you have a .gaminrc
or monitoring something in a default excluded path ("/media/*", "/mnt/*" 
or based on a ~/.gaminrc), in that case yes a double free could occur because
gam_exclude_check (path) returned true and that's why it did not show up in
the regression tests.

Could you try gamin-0.1.6-2 in CVS or rawhide (soonish), I think it should nail
it down but I would prefer a bit of real feedback before tempting a new release,

 thanks,

Daniel 
Comment 4 Dan Williams 2005-09-20 13:18:47 EDT
Dumping exclude list
Exclude: use POLL on /media/*
Exclude: use POLL on /mnt/*
Exclude: use POLL on /dev/*
Exclude: use POLL on /proc/*
Dumping mounted file systems
binfmt_misc filesystem mounted at /proc/sys/fs/binfmt_misc
rpc_pipefs filesystem mounted at /var/lib/nfs/rpc_pipefs
iso9660 filesystem mounted at /media/cdrecorder
nfs filesystem mounted at /mnt/qafiler
nfs filesystem mounted at /home/boston
nfs filesystem mounted at /mnt/redhat
tmpfs filesystem mounted at /dev/shm
devpts filesystem mounted at /dev/pts
autofs filesystem mounted at /misc
ext3 filesystem mounted at /work
ext3 filesystem mounted at /boot
proc filesystem mounted at /proc
autofs filesystem mounted at /net
sysfs filesystem mounted at /sys
ext3 filesystem mounted at /
Dumping file system properties
fstype nfs monitor poll poll timeout 5
fstype novfs monitor poll poll timeout 30
fstype reiserfs monitor kernel poll timeout 0
fstype reiser4 monitor kernel poll timeout 0
fstype ext2 monitor kernel poll timeout 0
fstype ext3 monitor kernel poll timeout 0
No active connections
Inotify device fd = 3
Dumping inotify subscriptions
No poll missing resources
No poll busy resources
No poll all resources
Exiting on timeout
Comment 5 Tomasz Torcz 2005-09-21 11:16:53 EDT
*Un*patched 0.1.6 generate lots of following errors:

Sep 18 12:10:28 mother gam_server: *** glibc detected *** double free or
corruption (fasttop): 0x0806ed98 *** 
Sep 18 12:10:30 mother gam_server: *** glibc detected *** double free or
corruption (fasttop): 0x0806ed98 *** 

Sep 18 12:10:11 mother gam_server: *** glibc detected *** double free or
corruption (out): 0x08071e50 *** 
Sep 18 12:10:24 mother gam_server: *** glibc detected *** double free or
corruption (out): 0x08063f70 *** 


Sep 18 22:08:54 mother gam_server: *** glibc detected *** double free or
corruption (!prev): 0x08068000 *** 
Sep 18 22:09:48 mother gam_server: *** glibc detected *** double free or
corruption (!prev): 0x08068000 ***

Patched with fix in CVS is silent. System is Slackware 10.2, BTW.
Comment 6 Daniel Veillard 2005-09-22 06:09:10 EDT
w.r.t. #4
fstype nfs monitor poll poll timeout 5
this isn't a default configuration, this means you added some local conf file
stating this. I reproduced the problem with it and updated the fix for it.
Could you try gamin-0.1.6-3 ? The fix is also in GNOME CVS,

Daniel
Comment 7 Dan Williams 2005-09-22 07:44:47 EDT
Where would that config file be?  I don't have ~/.gaminrc or an /etc/gaminrc or
anything like that...
Comment 8 Daniel Veillard 2005-09-22 08:00:41 EDT
http://www.gnome.org/~veillard/gamin/config.html
/etc/gamin/...
Maybe I'm wrong and there is a default rule ...
Try to add 
fsset nfs kernel
in ~/.gaminrc and see if the problem still shows up with gamin-0.1.6-2
then also try with gamin-0.1.6-3 after that :-)

dAniel
Comment 9 Daniel Veillard 2005-10-27 07:17:46 EDT
Dan, any chance you could try a build from GNOME gamin CVS checkout. Your 
problem may be fixed there, see

  http://bugzilla.gnome.org/show_bug.cgi?id=319697

anyway I will probably generate a new release soonish,

Daniel
Comment 10 Daniel Veillard 2005-10-28 11:33:11 EDT
I think this should be fixed in gamin-0.1.7,

Daniel

Note You need to log in before you can comment on or make changes to this bug.