Project

General

Profile

Bug #432

Memory leak in smbd/libsmb smb_idmap_getsid

Added by Gordon Ross over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
Category:
-
Start date:
2010-11-30
Due date:
% Done:

90%

Estimated time:
Difficulty:
Tags:

Description

This is badly exposed when using quotas, apparently.
Here's a sample ::findleaks -d output:

umem_alloc_56 leak: 2643958 buffers, 56 bytes each, 148061648 bytes total
ADDR BUFADDR TIMESTAMP THREAD
CACHE LASTLOG CONTENTS
859e0f8 8585df0 104c33a965aaf 178
808c010 0 0
libumem.so.1`umem_cache_alloc_debug+0x144
libumem.so.1`umem_cache_alloc+0x19a
libumem.so.1`umem_alloc+0xcd
libumem.so.1`malloc+0x2a
libc_hwcap1.so.1`strdup+0x26
libidmap.so.1`idmap_get_mappings+0x150
libsmb.so.1`smb_idmap_batch_getmappings+0x35
libsmb.so.1`smb_idmap_getsid+0x53
libmlsvc.so.1`smb_quota_sidstr+0x42
libmlsvc.so.1`smb_quota_zfs_callback+0x69
libzfs.so.1`zfs_userspace+0xf8
libmlsvc.so.1`smb_quota_zfs_get_quotas+0x54
libmlsvc.so.1`smb_quota_tree_populate+0x96
libmlsvc.so.1`smb_quota_query+0x58
smbd_dop_quota_query+0x58


Files

fix-432.patch (883 Bytes) fix-432.patch Gordon Ross, 2010-12-08 11:12 AM

History

#1

Updated by Gordon Ross over 9 years ago

The idmap_get_mappings() function returns an array of structures containing
strings allocated by strdup(). The caller is expected to free those.
Will do that in smb_idmap_batch_destroy().

#2

Updated by Gordon Ross over 9 years ago

Testing this fix: (please review)
http://cr.illumos.org/view/vll9dy9q/

#3

Updated by Gordon Ross over 9 years ago

This fix has been verified by the customer.

#4

Updated by Gordon Ross over 9 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 90

Pushed changeset: 13254:65ac809db5a8
to: http://hg.illumos.org/illumos-gate

#5

Updated by Gordon Ross over 9 years ago

I should mention that fix verification for this issue is not simple.
We actually verified the fix at a customer that was seeing it.

This leak is only exposed when idmap returns a response to a
"batch" mapping request where one of the "domain prefix"
strings in the array is NULL, followed by non-NULL strings.
We were not able to find a simple way to force idmap to
return this type of batch response.

Also available in: Atom PDF