[PATCH] e1: Memory leak/Reference leak on the e1inp_line

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Pablo Neira Ayuso pablo at gnumonks.org
Tue Aug 21 01:10:32 UTC 2012


Hi Holger,

On Mon, Aug 20, 2012 at 03:14:29PM +0200, Holger Hans Peter Freyther wrote:
> Release the e1inp_line when the signalling link is destroyed. The
> e1inp_line was leaked on every OML/RSL disconnect.
>
> The leak occured on the following call path.
> e1inp_close_socket
> ipaccess_close
> e1inp_sign_link_destroy
> ipaccess_drop_oml
> ipaccess_drop
> handle_ts1_read
> ipaccess_fd_cb
> ---
>  src/e1_input.c |    1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/e1_input.c b/src/e1_input.c
> index 957b74c..a85dd91 100644
> --- a/src/e1_input.c
> +++ b/src/e1_input.c
> @@ -486,6 +486,7 @@ void e1inp_sign_link_destroy(struct e1inp_sign_link *link)
>  	if (link->ts->line->driver->close)
>  		link->ts->line->driver->close(link);
>
> +	e1inp_line_put(link->ts->line);
>  	talloc_free(link);

Good catch. If you want to fix it like that, I think that you also
need to add the following chunk below:

diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c
index 76d1994..3185bc0 100644
--- a/src/input/ipaccess.c
+++ b/src/input/ipaccess.c
@@ -249,9 +249,6 @@ static int ipaccess_drop(struct osmo_fd *bfd)
                bfd->fd = -1;
                ret = -ENOENT;
        }
-       /* put the virtual E1 line that we cloned for this socket, if
-        * it becomes unused, it gets released. */
-       e1inp_line_put(line);
        return ret;
 }

IIRC, the refcnt becomes 2 if both the OML and RSL links are up.

ipaccess_drop calls line->ops->sign_link_down(line), which usually
call e1inp_sign_link_destroy twice (one for the RSL link, and one for
the OML link).

With your patch, the refcount becomes zero after the two
e1inp_sign_link_destroy calls that happen in ->sign_link_down. Thus,
releasing the line that we were leaking.

Still, if you don't remove that e1inp_line_put in ipaccess_drop, you
hit an access-after-release since e1inp_line_put takes an already
released line.

But let me check this tomorrow again after some sleeping :-).




More information about the OpenBSC mailing list