Fix access of freed memory
diff --git a/log.c b/log.c
index 6a99c6611e3ad79aa2763ee44f4656863d1ba824..6117b702c49e4fa345dad601362f65085362ee32 100644 (file)
--- a/log.c
+++ b/log.c
@@ -131,10 +131,10 @@ int read_iolog_get(struct thread_data *td, struct io_u *io_u)
                        io_u->buflen = ipo->len;
                        io_u->file = td->files[ipo->fileno];
                        get_file(io_u->file);
-
                        dprint(FD_IO, "iolog: get %llu/%lu/%s\n", io_u->offset,
                                                io_u->buflen, io_u->file->file_name);
-                       if (ipo->delay) iolog_delay(td, ipo->delay);
+                       if (ipo->delay)
+                               iolog_delay(td, ipo->delay);
                } else {
                        elapsed = mtime_since_genesis();
                        if (ipo->delay > elapsed)
@@ -144,7 +144,7 @@ int read_iolog_get(struct thread_data *td, struct io_u *io_u)
 
                free(ipo);
                
-               if (ipo->ddir != DDIR_WAIT)
+               if (io_u->ddir != DDIR_WAIT)
                        return 0;
        }
 
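Review bot: The replacement test `io_u->ddir != DDIR_WAIT` after `free(ipo)` is equivalent to the old one only if `io_u->ddir` was copied from `ipo->ddir` earlier in the same loop iteration, and that assignment is not in any visible hunk. If it is there, a short comment at the check would stop a later edit from reintroducing the read of freed memory, e.g. `/* ipo is freed; io_u->ddir holds the copy taken above */`. If it is not guaranteed on every path, copy `ipo->ddir` into a local before `free(ipo)` and test that local instead. The body of read_iolog_get starts and ends outside this hunk.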
@@ -219,7 +219,11 @@ restart:
                parent = *p;
 
                __ipo = rb_entry(parent, struct io_piece, rb_node);
-               if (ipo->offset < __ipo->offset)
+               if (ipo->file < __ipo->file)
+                       p = &(*p)->rb_left;
+               else if (ipo->file > __ipo->file)
+                       p = &(*p)->rb_right;
+               else if (ipo->offset < __ipo->offset)
                        p = &(*p)->rb_left;
                else if (ipo->offset > __ipo->offset)
                        p = &(*p)->rb_right;
@@ -227,6 +231,7 @@ restart:
                        assert(ipo->len == __ipo->len);
                        td->io_hist_len--;
                        rb_erase(parent, &td->io_hist_tree);
+                       free(__ipo);
                        goto restart;
                }
        }
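Review bot: The added `free(__ipo)` after `rb_erase()` is safe only if the history tree held the sole reference to the overlapped entry, and nothing in this hunk shows that. If an io_piece can also be linked on a list or still be referenced by an in-flight request, this turns the former leak into a dangling pointer, so it should be unlinked from every other container before the free. If the tree really is the only owner, say so at the call, e.g. `/* tree was the only owner of the overlapped piece */`. Note also that the `assert(ipo->len == __ipo->len)` just above disappears under NDEBUG, so a length mismatch would then be silently discarded along with the freed entry. The enclosing function and the `restart` label lie outside the hunk.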