NetBSD Problem Report #39353

From riastradh@smalltalk.localdomain  Fri Aug 15 00:27:09 2008
Return-Path: <riastradh@smalltalk.localdomain>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id AC3E963B11D
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 15 Aug 2008 00:27:09 +0000 (UTC)
Message-Id: <20080815002707.7944F66@smalltalk.localdomain>
Date: Fri, 15 Aug 2008 00:27:07 +0000 (UTC)
From: Taylor R Campbell <campbell@mumble.net>
Reply-To: Taylor R Campbell <campbell@mumble.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: libpuffs double-free
X-Send-Pr-Version: 3.95

>Number:         39353
>Category:       lib
>Synopsis:       libpuffs double-free
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pooka
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 15 00:30:00 +0000 2008
>Closed-Date:    Thu Sep 04 15:30:57 +0000 2008
>Last-Modified:  Thu Sep 04 15:30:57 +0000 2008
>Originator:     Taylor R Campbell <campbell@mumble.net>
>Release:        NetBSD 4.0_STABLE
>Organization:

>Environment:
System: NetBSD smalltalk.localdomain 4.0_STABLE NetBSD 4.0_STABLE (RIAXEN3_DOM0) #2: Fri Jul 18 23:32:56 UTC 2008 riastradh@smalltalk:/home/riastradh/netbsd/4/obj/sys/arch/i386/compile/RIAXEN3_DOM0 i386
Architecture: i386
Machine: i386
>Description:

	In src/lib/libpuffs/framebuf.c, puffs__framev_input calls
	puffs__framev_readclose when the user-supplied reader yields an
	error.  puffs__framev_readclose destroys a frame buffer,
	fio->cur_in, which puffs__framev_input then proceeds to destroy
	again, under the name pufbuf (which is the buffer that it set
	fio->cur_in to earlier), as soon as puffs__framev_readclose
	returns.

>How-To-Repeat:

	Mount an sshfs.  Pull out the ethernet cable.  List a directory
	in the sshfs.  Make some tea, and then watch mount_psshfs dump
	core when the ssh connection fails.

>Fix:

	Don't destroy pufbuf after `puffs__framev_readclose' has
	already done it:

--- framebuf.c	30 Jan 2008 16:04:08 +0000	1.28
+++ framebuf.c	14 Aug 2008 23:28:26 +0000	
@@ -679,11 +679,6 @@
 		/* error */
 		if (rv) {
 			puffs__framev_readclose(pu, fio, rv);
 			fio->cur_in = NULL;
-			if ((pufbuf->istat & ISTAT_DIRECT) == 0) {
-				assert((pufbuf->istat & ISTAT_NODESTROY) == 0);
-				puffs_framebuf_destroy(pufbuf);
-			}
 			return;
 		}
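Review bot: with the destroy branch removed, puffs__framev_readclose() becomes the sole owner of fio->cur_in's destruction, but nothing in the hunk shows that every error path through it destroys a non-ISTAT_DIRECT cur_in; if some rv value takes an early return there, the deleted branch was masking a leak and not only causing the double free, so that is worth checking before commit. A one-line comment above the readclose call noting that it consumes cur_in (and that pufbuf aliases it) would keep the destroy from being re-added later.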

	The deleted assertion is also superfluous, since
	`puffs_framebuf_destroy' asserts the same condition on entry.

	Unfortunately, even with this fix, although the file system
	operations now correctly signal ECONNRESET (in the example
	above), puffs segfaults afterward anyway, and the stack trace
	is not helpful.  I am not yet familiar enough with puffs to
	understand what is going wrong.
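	Added example, not code from the PR or from libpuffs: a C model of the
	ownership bug described above. framebuf_destroy, framev_readclose and
	framev_input_error are constructed stand-ins for the libpuffs functions
	named in the report (that the real readclose exempts ISTAT_DIRECT
	buffers is an assumption); run_error_path(0) reproduces the double
	destroy and run_error_path(1) follows the patched code.

```c
#include <assert.h>
#include <stdlib.h>
/* Flag values are constructed for this model; a NULL buf marks a destroyed buffer. */
#define ISTAT_DIRECT     0x01
#define ISTAT_NODESTROY  0x02
struct puffs_framebuf { int istat; char *buf; };
struct puffs_fctrl_io { struct puffs_framebuf *cur_in; };
static int double_destroys;  /* destroys of an already-destroyed buffer */

/* Stand-in for puffs_framebuf_destroy(); a second real free(3) would
 * corrupt the heap, so a repeat is counted instead of freed. */
static void framebuf_destroy(struct puffs_framebuf *pb)
{
	assert((pb->istat & ISTAT_NODESTROY) == 0);
	if (pb->buf == NULL) {
		double_destroys++;
		return;
	}
	free(pb->buf);
	pb->buf = NULL;
}

/* Stand-in for puffs__framev_readclose(): on a reader error it takes over
 * fio->cur_in and destroys it (direct buffers assumed exempt). */
static void framev_readclose(struct puffs_fctrl_io *fio)
{
	if (fio->cur_in != NULL && (fio->cur_in->istat & ISTAT_DIRECT) == 0)
		framebuf_destroy(fio->cur_in);
}

/* Error path of puffs__framev_input(); pufbuf is an alias of fio->cur_in. */
static void framev_input_error(struct puffs_fctrl_io *fio,
    struct puffs_framebuf *pufbuf, int fixed)
{
	fio->cur_in = pufbuf;
	framev_readclose(fio);          /* the buffer is gone after this call */
	fio->cur_in = NULL;
	if (!fixed && (pufbuf->istat & ISTAT_DIRECT) == 0)
		framebuf_destroy(pufbuf);   /* the branch the PR deletes */
}

/* Runs one error path; returns how many double destroys it caused. */
static int run_error_path(int fixed)
{
	struct puffs_framebuf pb = { 0, malloc(16) };   /* constructed non-direct buffer */
	struct puffs_fctrl_io fio = { NULL };
	double_destroys = 0;
	framev_input_error(&fio, &pb, fixed);
	return double_destroys;
}
```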

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: lib-bug-people->pooka
Responsible-Changed-By: pooka@NetBSD.org
Responsible-Changed-When: Fri, 15 Aug 2008 07:12:07 +0300
Responsible-Changed-Why:
I think your fix is correct, I have it in one local tree.  But there's
other stuff with it, and I can't quite remember what the other stuff is
supposed to accomplish, so this might take a few days of the usual
meditation ;)


From: Antti Kantee <pooka@cs.hut.fi>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/39353: libpuffs double-free
Date: Tue, 19 Aug 2008 23:16:10 +0300

 On Fri Aug 15 2008 at 00:30:00 +0000, Taylor R Campbell wrote:
 > 	Unfortunately, even with this fix, although the file system
 > 	operations now correctly signal ECONNRESET (in the example
 > 	above), puffs segfaults afterward anyway, and the stack trace
 > 	is not helpful.  I am not yet familiar enough with puffs to
 > 	understand what is going wrong.
 > 

 Did you have the latest version of libpuffs?  Last week I fixed a bug
 in this area.

From: Taylor R Campbell <campbell@mumble.net>
To: gnats-bugs@NetBSD.org
Cc: pooka@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: lib/39353: libpuffs double-free
Date: Tue, 19 Aug 2008 18:07:07 -0400

    Date: Tue, 19 Aug 2008 20:20:05 +0000 (UTC)
    From: Antti Kantee <pooka@cs.hut.fi>

    Did you have the latest version of libpuffs?  Last week I fixed a bug
    in this area.

 I just updated, and it seems to be happier now when I unplug the
 ethernet cable, list a directory that was there before, and then wait
 while the kettle boils.  Thanks!

 (The wait is a little tedious, but tcpdrop(8) is panicking each time I
 try it...)

From: Antti Kantee <pooka@NetBSD.org>
To: Taylor R Campbell <campbell@mumble.net>
Cc: gnats-bugs@NetBSD.org
Subject: Re: lib/39353: libpuffs double-free
Date: Wed, 20 Aug 2008 15:11:20 +0300

 On Tue Aug 19 2008 at 18:07:07 -0400, Taylor R Campbell wrote:
 >    Date: Tue, 19 Aug 2008 20:20:05 +0000 (UTC)
 >    From: Antti Kantee <pooka@cs.hut.fi>
 > 
 >    Did you have the latest version of libpuffs?  Last week I fixed a bug
 >    in this area.
 > 
 > I just updated, and it seems to be happier now when I unplug the
 > ethernet cable, list a directory that was there before, and then wait
 > while the kettle boils.  Thanks!

 Ok, good to know.  It was something completely unrelated.  Now I just
 need to fix the double free this PR is concerned with.

State-Changed-From-To: open->closed
State-Changed-By: pooka@NetBSD.org
State-Changed-When: Thu, 04 Sep 2008 18:30:57 +0300
State-Changed-Why:
fixed.  thanks!


>Unformatted:
