[DTrace-devel] [PATCH 21/47] Fix double-free of dt_datadesc_t structures

Kris Van Hees kris.van.hees at oracle.com
Sun May 3 20:17:26 PDT 2020


While the dt_datadesc_t structures were introduced with a reference
count (along with dt_datadesc_hold() and dt_datadesc_release() functions
to manage them), there was still a direct dt_free() of a dt_datadesc_t
structure in dtrace_stmt_destroy().

Orabug: 31220517
Signed-off-by: Kris Van Hees <kris.van.hees at oracle.com>
Reviewed-by: Kris Van Hees <kris.van.hees at oracle.com>
Reviewed-by: Eugene Loh <eugene.loh at oracle.com>
---
 libdtrace/dt_impl.h    | 1 +
 libdtrace/dt_map.c     | 2 +-
 libdtrace/dt_program.c | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/libdtrace/dt_impl.h b/libdtrace/dt_impl.h
index ee02e55c..dd4128d4 100644
--- a/libdtrace/dt_impl.h
+++ b/libdtrace/dt_impl.h
@@ -725,6 +725,7 @@ extern int dt_aggregate_go(dtrace_hdl_t *);
 extern int dt_aggregate_init(dtrace_hdl_t *);
 extern void dt_aggregate_destroy(dtrace_hdl_t *);
 
+extern void dt_datadesc_release(dtrace_hdl_t *, dtrace_datadesc_t *);
 extern dtrace_datadesc_t *dt_datadesc_create(dtrace_hdl_t *);
 extern int dt_datadesc_finalize(dtrace_hdl_t *, dtrace_datadesc_t *);
 extern dtrace_epid_t dt_epid_add(dtrace_hdl_t *, dtrace_datadesc_t *,
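Review bot: the dt_datadesc_release() prototype added to dt_impl.h has no comment stating the ownership rule it exists to enforce. A one-line comment above it, saying that dtrace_datadesc_t objects are reference counted and must be dropped with dt_datadesc_release() and never with dt_free(), would help keep the mistake fixed in dtrace_stmt_destroy() from being reintroduced. If code outside dt_map.c also stores these pointers, dt_datadesc_hold() needs a matching declaration here so that callers can take the reference they later release.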
diff --git a/libdtrace/dt_map.c b/libdtrace/dt_map.c
index 58933776..00668c70 100644
--- a/libdtrace/dt_map.c
+++ b/libdtrace/dt_map.c
@@ -21,7 +21,7 @@ dt_datadesc_hold(dtrace_datadesc_t *ddp)
 	ddp->dtdd_refcnt++;
 }
 
-static void
+void
 dt_datadesc_release(dtrace_hdl_t *dtp, dtrace_datadesc_t *ddp)
 {
 	if (--ddp->dtdd_refcnt > 0)
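Review bot: now that dt_datadesc_release() is no longer static, the unguarded decrement in `if (--ddp->dtdd_refcnt > 0)` is reachable from other files, and an unbalanced release would take the count below zero (or wrap it, if dtdd_refcnt is unsigned) without any diagnostic. Consider asserting that dtdd_refcnt is greater than zero before the decrement so that an over-release is caught at the call that caused it rather than showing up later as a second free.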
diff --git a/libdtrace/dt_program.c b/libdtrace/dt_program.c
index b154668d..0b5eb4f0 100644
--- a/libdtrace/dt_program.c
+++ b/libdtrace/dt_program.c
@@ -355,7 +355,7 @@ dtrace_stmt_destroy(dtrace_hdl_t *dtp, dtrace_stmtdesc_t *sdp)
 		dt_printf_destroy(sdp->dtsd_fmtdata);
 
 	dt_ecbdesc_release(dtp, sdp->dtsd_ecbdesc);
-	dt_free(dtp, sdp->dtsd_ddesc);
+	dt_datadesc_release(dtp, sdp->dtsd_ddesc);
 	dt_free(dtp, sdp);
 }
 
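Review bot: the replacement call in dtrace_stmt_destroy() passes sdp->dtsd_ddesc to a function that dereferences it unconditionally (`--ddp->dtdd_refcnt`), so a statement destroyed before dtsd_ddesc was assigned would now fault on a NULL pointer where the old dt_free() call was handed a NULL it could ignore. If that state is possible, guard the call with `if (sdp->dtsd_ddesc != NULL)` or make dt_datadesc_release() return early on NULL. It is also worth confirming that the code storing the pointer in dtsd_ddesc takes its own reference with dt_datadesc_hold(), since otherwise this release drops a reference owned by another holder.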
-- 
2.26.0



