
glibc-2.14.1-11.2.mga2.src.rpm

On Monday, June 06, 2011 13:00:50 Mike Frysinger wrote:
> On Monday, June 06, 2011 04:51:29 Andreas Schwab wrote:
> > Paweł Sikora <pluto@agmk.net> writes:
> > > git bisect shows first bad commit:
> > > 
> > > 4bff6e0175ed195871f4e01cc4c4c33274b8f6e3 is the first bad commit
> > > commit 4bff6e0175ed195871f4e01cc4c4c33274b8f6e3
> > > Author: Andreas Schwab <schwab@redhat.com>
> > > Date:   Fri Feb 25 20:49:48 2011 -0500
> > > 
> > >     Fix memory leak in dlopen with RTLD_NOLOAD.
> > 
> > See <http://sourceware.org/ml/libc-hacker/2010-09/msg00009.html> and
> > <http://sourceware.org/ml/libc-hacker/2011-02/msg00004.html> for the
> > original, working patches.
> 
> thanks, i'm seeing basically the same crash with the mpd server (music
> daemon)

in case it's helpful to someone else, this is the patch i'm using
-mike

partially revert 4bff6e0175ed195871f4e01cc4c4c33274b8f6e3

http://sourceware.org/ml/libc-alpha/2011-06/msg00006.html

 elf/dl-close.c |   13 ++-----------
 elf/dl-deps.c  |    4 +++-
 elf/dl-libc.c  |    4 ++++
 elf/rtld.c     |    1 +
 include/link.h |    6 +++---
 5 files changed, 13 insertions(+), 15 deletions(-)

diff -Nurp glibc-2.14.1.orig/elf/dl-close.c glibc-2.14.1/elf/dl-close.c
--- glibc-2.14.1.orig/elf/dl-close.c	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/elf/dl-close.c	2011-10-20 20:34:29.929572865 +0300
@@ -119,17 +119,8 @@ _dl_close_worker (struct link_map *map)
   if (map->l_direct_opencount > 0 || map->l_type != lt_loaded
       || dl_close_state != not_pending)
     {
-      if (map->l_direct_opencount == 0)
-	{
-	  if (map->l_type == lt_loaded)
-	    dl_close_state = rerun;
-	  else if (map->l_type == lt_library)
-	    {
-	      struct link_map **oldp = map->l_initfini;
-	      map->l_initfini = map->l_orig_initfini;
-	      _dl_scope_free (oldp);
-	    }
-	}
+      if (map->l_direct_opencount == 0 && map->l_type == lt_loaded)
+	dl_close_state = rerun;
 
       /* There are still references to this object.  Do nothing more.  */
       if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_FILES, 0))
diff -Nurp glibc-2.14.1.orig/elf/dl-deps.c glibc-2.14.1/elf/dl-deps.c
--- glibc-2.14.1.orig/elf/dl-deps.c	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/elf/dl-deps.c	2011-10-20 20:34:29.930573048 +0300
@@ -478,6 +478,7 @@ _dl_map_object_deps (struct link_map *ma
 		  nneeded * sizeof needed[0]);
 	  atomic_write_barrier ();
 	  l->l_initfini = l_initfini;
+	  l->l_free_initfini = 1;
 	}
 
       /* If we have no auxiliary objects just go on to the next map.  */
@@ -678,6 +679,7 @@ Filters not supported with LD_TRACE_PREL
   l_initfini[nlist] = NULL;
   atomic_write_barrier ();
   map->l_initfini = l_initfini;
+  map->l_free_initfini = 1;
   if (l_reldeps != NULL)
     {
       atomic_write_barrier ();
@@ -686,7 +688,7 @@ Filters not supported with LD_TRACE_PREL
       _dl_scope_free (old_l_reldeps);
     }
   if (old_l_initfini != NULL)
-      map->l_orig_initfini = old_l_initfini;
+    _dl_scope_free (old_l_initfini);
 
   if (errno_reason)
     _dl_signal_error (errno_reason == -1 ? 0 : errno_reason, objname,
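Review bot: The added `_dl_scope_free (old_l_initfini);` is not gated on the new `l_free_initfini` bit, and the preceding hunk has already set that bit to 1 for the replacement list, so the record of how the old list was allocated is lost before it is released. The dl-libc.c hunk only calls `free (l->l_initfini)` when the bit is set, because per the link.h comment a list from the dummy malloc in ld.so must not be freed; the same rule should hold on this path. The assignment of `old_l_initfini` lies outside the hunk, so it may already be restricted to maps whose list came from the real malloc. Saving the bit before the store, e.g. `int old_free = map->l_free_initfini;`, and testing `if (old_l_initfini != NULL && old_free)` here would make that invariant explicit rather than implied.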
diff -Nurp glibc-2.14.1.orig/elf/dl-libc.c glibc-2.14.1/elf/dl-libc.c
--- glibc-2.14.1.orig/elf/dl-libc.c	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/elf/dl-libc.c	2011-10-20 20:34:29.927572541 +0300
@@ -279,6 +279,10 @@ libc_freeres_fn (free_mem)
 	      if (! old->dont_free)
 		free (old);
 	    }
+
+	  /* Free the initfini dependency list.  */
+	  if (l->l_free_initfini)
+	    free (l->l_initfini);
 	}
 
       if (__builtin_expect (GL(dl_ns)[ns]._ns_global_scope_alloc, 0) != 0
diff -Nurp glibc-2.14.1.orig/elf/rtld.c glibc-2.14.1/elf/rtld.c
--- glibc-2.14.1.orig/elf/rtld.c	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/elf/rtld.c	2011-10-20 20:34:29.928572685 +0300
@@ -2263,6 +2263,7 @@ ERROR: ld.so: object '%s' cannot be load
 	      lnp->dont_free = 1;
 	      lnp = lnp->next;
 	    }
+	  l->l_free_initfini = 0;
 
 	  if (l != &GL(dl_rtld_map))
 	    _dl_relocate_object (l, l->l_scope, GLRO(dl_lazy) ? RTLD_LAZY : 0,
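Review bot: The added `l->l_free_initfini = 0;` carries no comment, yet its correctness depends on ordering. The dl-deps.c hunks set the bit to 1 whenever they install a list, so this reset must run after the startup dependency mapping and before any list is allocated with the real malloc. A comment above the assignment, such as `/* l_initfini was allocated by the dummy malloc in ld.so; it must never reach free().  */`, would record that, mirroring the `dont_free` marking just before it. The enclosing loop begins outside the hunk, so which maps it covers cannot be confirmed from here.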
diff -Nurp glibc-2.14.1.orig/include/link.h glibc-2.14.1/include/link.h
--- glibc-2.14.1.orig/include/link.h	2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/include/link.h	2011-10-20 20:34:29.931573228 +0300
@@ -192,6 +192,9 @@ struct link_map
 						 during LD_TRACE_PRELINKING=1
 						 contains any DT_SYMBOLIC
 						 libraries.  */
+    unsigned int l_free_initfini:1; /* Nonzero if l_initfini can be
+				       freed, ie. not allocated with
+				       the dummy malloc in ld.so.  */
 
     /* Collected information about own RPATH directories.  */
     struct r_search_path_struct l_rpath_dirs;
@@ -240,9 +243,6 @@ struct link_map
 
     /* List of object in order of the init and fini calls.  */
     struct link_map **l_initfini;
-    /* The init and fini list generated at startup, saved when the
-       object is also loaded dynamically.  */
-    struct link_map **l_orig_initfini;
 
     /* List of the dependencies introduced through symbol binding.  */
     struct link_map_reldeps