NetBSD Problem Report #39353
From riastradh@smalltalk.localdomain Fri Aug 15 00:27:09 2008
Return-Path: <riastradh@smalltalk.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id AC3E963B11D
for <gnats-bugs@gnats.NetBSD.org>; Fri, 15 Aug 2008 00:27:09 +0000 (UTC)
Message-Id: <20080815002707.7944F66@smalltalk.localdomain>
Date: Fri, 15 Aug 2008 00:27:07 +0000 (UTC)
From: Taylor R Campbell <campbell@mumble.net>
Reply-To: Taylor R Campbell <campbell@mumble.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: libpuffs double-free
X-Send-Pr-Version: 3.95
>Number: 39353
>Category: lib
>Synopsis: libpuffs double-free
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pooka
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 15 00:30:00 +0000 2008
>Closed-Date: Thu Sep 04 15:30:57 +0000 2008
>Last-Modified: Thu Sep 04 15:30:57 +0000 2008
>Originator: Taylor R Campbell <campbell@mumble.net>
>Release: NetBSD 4.0_STABLE
>Organization:
>Environment:
System: NetBSD smalltalk.localdomain 4.0_STABLE NetBSD 4.0_STABLE (RIAXEN3_DOM0) #2: Fri Jul 18 23:32:56 UTC 2008 riastradh@smalltalk:/home/riastradh/netbsd/4/obj/sys/arch/i386/compile/RIAXEN3_DOM0 i386
Architecture: i386
Machine: i386
>Description:
In src/lib/libpuffs/framebuf.c, puffs__framev_input calls
puffs__framev_readclose when the user-supplied reader yields an
error. puffs__framev_readclose destroys a frame buffer,
fio->cur_in, which puffs__framev_input then proceeds to destroy
again, under the name pufbuf (which is the buffer that it set
fio->cur_in to earlier), as soon as puffs__framev_readclose
returns.
>How-To-Repeat:
Mount an sshfs. Pull out the ethernet cable. List a directory
in the sshfs. Make some tea, and then watch mount_psshfs dump
core when the ssh connection fails.
>Fix:
Don't destroy pufbuf after `puffs__framev_readclose' has
already done it:
--- framebuf.c 30 Jan 2008 16:04:08 +0000 1.28
+++ framebuf.c 14 Aug 2008 23:28:26 +0000
@@ -679,11 +679,6 @@
/* error */
if (rv) {
puffs__framev_readclose(pu, fio, rv);
fio->cur_in = NULL;
- if ((pufbuf->istat & ISTAT_DIRECT) == 0) {
- assert((pufbuf->istat & ISTAT_NODESTROY) == 0);
- puffs_framebuf_destroy(pufbuf);
- }
return;
}
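Review bot: the removed block in this hunk destroyed pufbuf only when ISTAT_DIRECT was clear, so dropping it is correct only if puffs__framev_readclose applies the same distinction to fio->cur_in (destroying a non-direct buffer, leaving a direct one alone); the hunk itself cannot show that, so it is worth confirming before commit. Since pufbuf is a dangling alias of fio->cur_in once readclose returns, a one-line comment above the call, e.g. `/* readclose destroys cur_in; pufbuf is dead after this */`, would keep the next editor from reintroducing the second destroy.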
The deleted assertion is also superfluous, since
`puffs_framebuf_destroy' asserts the same condition on entry.
Unfortunately, even with this fix, although the file system
operations now correctly signal ECONNRESET (in the example
above), puffs segfaults afterward anyway, and the stack trace
is not helpful. I am not yet familiar enough with puffs to
understand what is going wrong.
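The ownership mistake described above, as an added, constructed model that is not libpuffs code: the names mirror the PR (fio->cur_in, pufbuf, readclose) but every struct, flag value and function here is a hypothetical stand-in. The destroy routine counts calls instead of calling free(), so the double destroy is observable rather than undefined behaviour, and the buggy error path is run beside the fixed one.

```c
/* Constructed model of the double-destroy in this PR. Not libpuffs code:
 * structures, flag values and function names are hypothetical stand-ins. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define ISTAT_DIRECT    0x01   /* hypothetical: buffer is caller-owned */
#define ISTAT_NODESTROY 0x02   /* hypothetical: buffer must never be destroyed */

struct framebuf {
    int istat;
    int destroyed;   /* instrumentation: number of destroy calls seen */
};

struct fileio {
    struct framebuf *cur_in;   /* buffer currently being read into */
};

/* Instrumented destroy: a real free() called twice is undefined behaviour,
 * so this counts calls instead and lets the caller inspect the count. */
static void framebuf_destroy(struct framebuf *pb)
{
    assert((pb->istat & ISTAT_NODESTROY) == 0);
    pb->destroyed++;
}

/* Model of the readclose path: on a reader error it tears down the
 * connection and takes ownership of the partially-read buffer,
 * destroying it unless the buffer is caller-owned (ISTAT_DIRECT). */
static void framev_readclose(struct fileio *fio)
{
    if (fio->cur_in != NULL && (fio->cur_in->istat & ISTAT_DIRECT) == 0)
        framebuf_destroy(fio->cur_in);
    fio->cur_in = NULL;
}

/* Error path as the PR describes it: pufbuf is the same object as
 * fio->cur_in, so the second destroy below is the double free. */
static void framev_input_buggy(struct fileio *fio, struct framebuf *pufbuf, int rv)
{
    fio->cur_in = pufbuf;
    if (rv) {
        framev_readclose(fio);
        fio->cur_in = NULL;
        if ((pufbuf->istat & ISTAT_DIRECT) == 0)
            framebuf_destroy(pufbuf);   /* second destroy of the same buffer */
    }
}

/* Error path after the fix: readclose owns the buffer once it has run,
 * and the caller must not touch pufbuf again. */
static void framev_input_fixed(struct fileio *fio, struct framebuf *pufbuf, int rv)
{
    fio->cur_in = pufbuf;
    if (rv) {
        framev_readclose(fio);
        fio->cur_in = NULL;
    }
}

/* Drive one variant through the error path with a fresh buffer and return
 * how many times that buffer was destroyed: 1 is correct for a non-direct
 * buffer, 0 for a direct one, anything higher is a double destroy. */
int destroy_count_after_error(bool fixed, int istat)
{
    struct framebuf pb = { .istat = istat, .destroyed = 0 };
    struct fileio fio = { .cur_in = NULL };
    const int rv = -1;   /* constructed: any non-zero reader error */

    if (fixed)
        framev_input_fixed(&fio, &pb, rv);
    else
        framev_input_buggy(&fio, &pb, rv);
    return pb.destroyed;
}

int main(void)
{
    printf("buggy, non-direct buffer: destroyed %d times\n",
           destroy_count_after_error(false, 0));
    printf("fixed, non-direct buffer: destroyed %d times\n",
           destroy_count_after_error(true, 0));
    printf("fixed, direct buffer:     destroyed %d times\n",
           destroy_count_after_error(true, ISTAT_DIRECT));
    return 0;
}
```

The same counting trick works in a real harness: wrap the project's destroy routine behind a test seam that records calls, drive the error path, and assert the count is exactly one per buffer. It catches the aliasing bug deterministically, without waiting for the allocator to corrupt and the process to dump core.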
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: lib-bug-people->pooka
Responsible-Changed-By: pooka@NetBSD.org
Responsible-Changed-When: Fri, 15 Aug 2008 07:12:07 +0300
Responsible-Changed-Why:
I think your fix is correct, I have it in one local tree. But there's
other stuff with it, and I can't quite remember what the other stuff is
supposed to accomplish, so this might take a few days of the usual
meditation ;)
From: Antti Kantee <pooka@cs.hut.fi>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: lib/39353: libpuffs double-free
Date: Tue, 19 Aug 2008 23:16:10 +0300
On Fri Aug 15 2008 at 00:30:00 +0000, Taylor R Campbell wrote:
> Unfortunately, even with this fix, although the file system
> operations now correctly signal ECONNRESET (in the example
> above), puffs segfaults afterward anyway, and the stack trace
> is not helpful. I am not yet familiar enough with puffs to
> understand what is going wrong.
>
Did you have the latest version of libpuffs? Last week I fixed a bug
in this area.
From: Taylor R Campbell <campbell@mumble.net>
To: gnats-bugs@NetBSD.org
Cc: pooka@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: lib/39353: libpuffs double-free
Date: Tue, 19 Aug 2008 18:07:07 -0400
> Date: Tue, 19 Aug 2008 20:20:05 +0000 (UTC)
> From: Antti Kantee <pooka@cs.hut.fi>
>
> Did you have the latest version of libpuffs? Last week I fixed a bug
> in this area.
I just updated, and it seems to be happier now when I unplug the
ethernet cable, list a directory that was there before, and then wait
while the kettle boils. Thanks!
(The wait is a little tedious, but tcpdrop(8) is panicking each time I
try it...)
From: Antti Kantee <pooka@NetBSD.org>
To: Taylor R Campbell <campbell@mumble.net>
Cc: gnats-bugs@NetBSD.org
Subject: Re: lib/39353: libpuffs double-free
Date: Wed, 20 Aug 2008 15:11:20 +0300
On Tue Aug 19 2008 at 18:07:07 -0400, Taylor R Campbell wrote:
> Date: Tue, 19 Aug 2008 20:20:05 +0000 (UTC)
> From: Antti Kantee <pooka@cs.hut.fi>
>
> Did you have the latest version of libpuffs? Last week I fixed a bug
> in this area.
>
> I just updated, and it seems to be happier now when I unplug the
> ethernet cable, list a directory that was there before, and then wait
> while the kettle boils. Thanks!
Ok, good to know. It was something completely unrelated. Now I just
need to fix the double free this PR is concerned with.
State-Changed-From-To: open->closed
State-Changed-By: pooka@NetBSD.org
State-Changed-When: Thu, 04 Sep 2008 18:30:57 +0300
State-Changed-Why:
fixed. thanks!
>Unformatted: