Bug #14696
Updated by Hans Rosenfeld 3 months ago
<pre>
# env LD_PRELOAD=libumem.so nvmeadm list
nvme1: model: SAMSUNG MZVPV128HDGM-00000, serial: S1XVNYAGA00640, FW rev: BXW7300Q, NVMe v1.1
  nvme1/1 (c1t1d0): Size = 122104 MB, Capacity = 122104 MB, Used = 121511 MB
Abort (core dumped)
</pre>

The culprit is this code in nvme_dskname(): nvme_process():

<pre>
	path = di_dim_path_dev(dim, di_driver_name(child), di_instance(child), "c");

	/*
	 * Error out if we didn't get a path, or if it's too short for
	 * the following operations to be safe.
	 */
	if (path == NULL || strlen(path) < 2)
		goto fail;

	/* Chop off 's0' and get everything past the last '/' */
	path[strlen(path) - 2] = '\0';
	path = strrchr(path, '/');
	if (path == NULL)
		goto fail;
	path++;
</pre>

When nvme_process() returns, it frees 'path', but 'path' points in the middle of the chunk of memory that was allocated by di_dim_path_dev().