[QUICK] talloc bugs

simo idra at samba.org
Fri Jun 26 08:17:33 MDT 2009


On Fri, 2009-06-26 at 15:07 +0100, Sam Liddicott wrote:
> Cc: to specific talloc committers and stakeholders
> 
> We've discussed this at length before[1], without conclusion, so I'll
> be quick:
> 
> The talloc ideal model is broken due to promoting references to parent
> inside talloc_free.
> 
> The main problem is that if a reference is promoted to owner, it can
> be removed accidentally by talloc_steal. This results in risks of
> dangling references.
> 
> Which particular reference is removed depends on the runtime order of
> references taken/released, but the unpredictability of this is dwarfed
> by possible subsequent memory trampling which can destroy the talloc
> tree. This scenario is quite likely in a program where there are
> loadable modules and hooks, and the outcome could be network timing
> dependent.
> 
> There are/have been other talloc problems but I'd rather bring them up
> later or you can read about them in [1].
> 
> However, to me, the main evidence of the degree of the problem is VL's
> preference to implement his own reference counting rather than rely on
> talloc. (Apologies to VL for using him to make a point that he himself
> may not actually support).
> 
> We should either:
>      1. get rid of talloc_free and talloc_steal
>         (replace with talloc_unref(old_ref) and
>         talloc_change_ref(old_ref, new_ref)).
>         This breaks the API so the sooner we consider it the better.
>      2. stop promoting reference to parent after talloc_free
>         This doesn't break the API and causes talloc to follow the
>         documentation. I've been running choice 2 in Samba4 for some
>         time, by means of a submitted patch which introduces the
>         concept of "no owner" which is not enough to prevent an object
>         being freed when its references all go away, but which can
>         quite safely be stolen from with talloc_steal.
> [1]
> http://lists.samba.org/archive/samba-technical/2009-January/062812.html

Simpler method, DON'T mix talloc_steal and talloc_reference usage.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
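
The hazard described in the quoted message, as an added example that is not part of the original thread and is not talloc code: a toy single-object model (all names are hypothetical) in which freeing by the owner either promotes a reference to owner or leaves the object with "no owner" as in option 2. It assumes a steal simply replaces whatever occupies the owner slot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model, not talloc: one object, one owner, a few reference holders. */
enum { MAX_REFS = 4 };
struct obj { const void *owner; const void *refs[MAX_REFS]; int nrefs; bool freed; };
static int app, module, cache;   /* hypothetical contexts, used only as tags */

static void obj_reference(struct obj *o, const void *ctx) {
    if (o->nrefs < MAX_REFS) o->refs[o->nrefs++] = ctx;
}
/* Owner lets go. promote=true: a reference silently becomes the owner.
 * promote=false: object is left with no owner, references stay tracked. */
static void obj_free(struct obj *o, bool promote) {
    if (o->nrefs == 0) { o->freed = true; return; }
    o->owner = promote ? o->refs[--o->nrefs] : NULL;
}
/* Steal replaces the owner; whoever held that slot loses its claim. */
static void obj_steal(struct obj *o, const void *new_owner) { o->owner = new_owner; }

static void ctx_destroy(struct obj *o, const void *ctx, bool promote) {
    if (o->owner == ctx) { obj_free(o, promote); return; }
    for (int i = 0; i < o->nrefs; i++)
        if (o->refs[i] == ctx) { o->refs[i] = o->refs[--o->nrefs]; break; }
    if (o->owner == NULL && o->nrefs == 0) o->freed = true;
}
/* Returns true if the object is freed while `module` still holds its pointer. */
static bool module_ref_dangles(struct obj *o, bool promote) {
    *o = (struct obj){ .owner = &app };
    obj_reference(o, &module);        /* module keeps a reference */
    obj_free(o, promote);             /* app frees its handle */
    obj_steal(o, &cache);             /* other code takes ownership */
    ctx_destroy(o, &cache, promote);  /* ...and is later torn down */
    return o->freed;
}
int main(void) {
    struct obj o;
    printf("promote to owner: dangling=%d\n", module_ref_dangles(&o, true));
    printf("no owner:         dangling=%d\n", module_ref_dangles(&o, false));
    ctx_destroy(&o, &module, false);  /* module finally releases */
    printf("freed after module release=%d\n", o.freed);
    return 0;
}
```

With promotion, the steal overwrites the module's promoted claim, so tearing down `cache` frees an object the module still points at; in the no-owner variant the object survives until the module releases its reference.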


