segfault in avl_insert

[yogo1212]

#0  avl_insert (tree=0x5555556cefd0, new=0x5555556cf120) at /usr/src/debug/libubox-git/libubox/avl.c:246
#1  0x00007ffff7e0c639 in req_data_cb (req=0x7fffffffe650, type=2, data=0x5555556d0630) at /usr/src/debug/ubus-git/ubus-git/libubus-req.c:29
#2  0x00007ffff7e0c95e in ubus_process_req_data (req=0x7fffffffe650, buf=0x5555556cf070) at /usr/src/debug/ubus-git/ubus-git/libubus-req.c:375
#3  ubus_process_req_msg (ctx=<optimized out>, buf=0x5555556cf070, fd=<optimized out>) at /usr/src/debug/ubus-git/ubus-git/libubus-req.c:505
#4  ubus_process_msg (ctx=<optimized out>, buf=0x5555556cf070, fd=<optimized out>) at /usr/src/debug/ubus-git/ubus-git/libubus.c:99
#5  0x00007ffff7e0d80c in ubus_handle_data (u=0x5555556cf010, events=<optimized out>) at /usr/src/debug/ubus-git/ubus-git/libubus-io.c:323
#6  0x00007ffff7e0d976 in ubus_poll_data (ctx=0x5555556cefc0, timeout=<optimized out>) at /usr/src/debug/ubus-git/ubus-git/libubus-io.c:346
#7  ubus_complete_request (ctx=ctx@entry=0x5555556cefc0, req=req@entry=0x7fffffffe650, req_timeout=req_timeout@entry=0) at /usr/src/debug/ubus-git/ubus-git/libubus-req.c:173
#8  0x00007ffff7e0de58 in ubus_add_object (ctx=ctx@entry=0x5555556cefc0, obj=obj@entry=0x5555556cf120) at /usr/src/debug/ubus-git/ubus-git/libubus-obj.c:241
#9  0x00007ffff7e0e6fe in ubus_register_event_handler (ctx=0x5555556cefc0, ev=ev@entry=0x5555556cf120, pattern=pattern@entry=0x55555555b1de "node.event")
    at /usr/src/debug/ubus-git/ubus-git/libubus.c:256

  while (!list_is_last(&last->list, &tree->list_head)) {
    next = avl_next(last);
    if (next->leader) { // here
      break;
    }
    last = next;
  }

(gdb) p *last
$3 = {list = {next = 0x0, prev = 0x0}, parent = 0x0, left = 0x0, right = 0x0, key = 0x5555556cf160, balance = 0 '\000', leader = true}

• node == last, so this is the first iteration of the loop
• last->list.next is NULL. &tree->list_head is non-NULL pointer
• list_is_last won't return true
• container_of(NULL, struct avl_node, list) is already moot but returns NULL

i'm working on a reproduction using publishable source code (or maybe a fix).

[yogo1212]

valgrind has this to say:

ubus_register_event_handler failed: Permission denied
==472501== Invalid read of size 8
==472501==    at 0x4F6011F: avl_find_rec (avl.c:358)
==472501==    by 0x4F61BFF: avl_insert (avl.c:240)
==472501==    by 0x4F6F638: req_data_cb (libubus-req.c:29)
==472501==    by 0x4F6F95D: UnknownInlinedFun (libubus-req.c:375)
==472501==    by 0x4F6F95D: UnknownInlinedFun (libubus-req.c:505)
==472501==    by 0x4F6F95D: ubus_process_msg (libubus.c:99)
==472501==    by 0x4F7080B: ubus_handle_data (libubus-io.c:323)
==472501==    by 0x4F70975: UnknownInlinedFun (libubus-io.c:346)
==472501==    by 0x4F70975: ubus_complete_request (libubus-req.c:173)
==472501==    by 0x4F70E57: ubus_add_object (libubus-obj.c:241)
==472501==    by 0x4F716FD: ubus_register_event_handler (libubus.c:256)

free on the struct ubus_event_handler is only called after ubus_register_event_handler completes. it's beyond me how there could be an invalid read?