Bug 1566516 - python plugin long calls cause reentrancy resulting in crash
Alias: None
Product: Fedora
Classification: Fedora
Component: nbdkit
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1566522
Reported: 2018-04-12 12:54 UTC by Richard W.M. Jones
Modified: 2019-05-28 19:56 UTC

Fixed In Version: nbdkit-1.2.2-1.el7ev
Last Closed: 2019-05-28 19:56:49 UTC
Type: Bug


Description Richard W.M. Jones 2018-04-12 12:54:35 UTC
Description of problem:

This is very simple to reproduce using the following short
Python plugin:
#!/usr/sbin/nbdkit python3
import time
def open(readonly):
    h = {}
    return h
def close(h):
    # take some time
    time.sleep(10)
def get_size(h):
    return 1024
def pread(h, count, offset):
    buf = bytearray(count)
    return buf

$ ./test.py
$ qemu-img info nbd:localhost:10809
$ qemu-img info nbd:localhost:10809

nbdkit will crash with the stack trace at end.

What seems to be happening is that the lengthy close() call
which takes 10 seconds is still running when a second NBD
connection is made.  Python doesn't like reentrancy in the

Version-Release number of selected component (if applicable):


How reproducible:


Additional info:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  PyUnicode_InternInPlace ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15302
[Current thread is 1 (Thread 0x7fe81bc34700 (LWP 5733))]
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-6.fc28.x86_64 libgcc-8.0.1-0.19.fc28.x86_64 libidn2-2.0.4-3.fc28.x86_64 libselinux-2.7-11.fc28.x86_64 pcre2-10.31-3.fc28.x86_64
(gdb) t a a bt

Thread 3 (Thread 0x7fe82c0c8400 (LWP 5709)):
#0  0x00007fe82b044949 in poll () from /lib64/libc.so.6
#1  0x000000000040b04c in poll (__timeout=-1, __nfds=3, __fds=0x7ffe523c4520)
    at /usr/include/bits/poll2.h:46
#2  accept_incoming_connections (socks=socks@entry=0x1f283b0, nr_socks=2)
    at sockets.c:333
#3  0x0000000000404e41 in start_serving () at main.c:818
#4  main () at main.c:598
#5  0x00007fe82af781bb in __libc_start_main () from /lib64/libc.so.6
#6  0x000000000040529a in _start ()

Thread 2 (Thread 0x7fe81c435700 (LWP 5725)):
#0  0x00007fe82b046d27 in select () from /lib64/libc.so.6
#1  0x00007fe8293113ad in pysleep (secs=<optimized out>)
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Modules/timemodule.c:1417
#2  time_sleep ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Modules/timemodule.c:235
#3  0x00007fe8292a4f51 in _PyCFunction_FastCallDict ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/methodobject.c:209
#4  0x00007fe8292b6f8a in _PyCFunction_FastCallKeywords ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/methodobject.c:275
#5  0x00007fe82931a27d in call_function ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4824
#6  0x00007fe82935f08a in _PyEval_EvalFrameDefault ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:3322
#7  0x00007fe829345ca8 in _PyEval_EvalCodeWithName (qualname=0x0, 
    name=<optimized out>, closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, 
    kwstep=2, kwcount=<optimized out>, kwargs=<optimized out>, 
    kwnames=<optimized out>, argcount=<optimized out>, args=<optimized out>, 
    locals=0x0, globals=<optimized out>, _co=<optimized out>)
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4174
#8  PyEval_EvalCodeEx ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4174
#9  0x00007fe829346c33 in function_call ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/funcobject.c:604
#10 0x00007fe8292a9aa3 in PyObject_Call ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/abstract.c:2261
#11 0x00007fe8292d7e58 in PyEval_CallObjectWithKeywords ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4744
#12 0x00007fe8292d7eb7 in PyObject_CallObject (o=<optimized out>, 
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/abstract.c:2187
#13 0x00007fe829704b77 in py_close (handle=0x7fe82bffe750) at python.c:340
#14 0x000000000040a498 in plugin_close (b=<optimized out>, conn=0x7fe814000b80)
    at plugins.c:283
#15 0x0000000000406aa2 in free_connection (conn=0x7fe814000b80)
    at connections.c:378
#16 _handle_single_connection (sockout=<optimized out>, sockin=<optimized out>)
    at connections.c:316
#17 handle_single_connection (sockin=<optimized out>, sockout=<optimized out>)
    at connections.c:326
#18 0x000000000040a939 in start_thread (datav=0x1f8c610) at sockets.c:262
#19 0x00007fe82b31b564 in start_thread () from /lib64/libpthread.so.0
#20 0x00007fe82b04f33f in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fe81bc34700 (LWP 5733)):
#0  PyUnicode_InternInPlace ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15302
#1  0x00007fe8292ba1ee in PyUnicode_InternFromString ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15336
#2  0x00007fe8292baa02 in PyObject_GetAttrString ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/object.c:793
#3  0x00007fe82970358d in callback_defined (name=<optimized out>, 
    obj_rtn=0x7fe81bc33c70) at python.c:94
#4  0x00007fe829703fbb in py_open (readonly=0) at python.c:308
#5  0x000000000040a518 in plugin_open (b=0x1f4b9f0, conn=0x7fe80c000b80, 
    readonly=0) at plugins.c:249
#6  0x00000000004067d4 in _handle_single_connection (sockout=7, sockin=7)
    at connections.c:356
#7  handle_single_connection (sockin=7, sockout=7) at connections.c:326
#8  0x000000000040a939 in start_thread (datav=0x1f93fb0) at sockets.c:262
#9  0x00007fe82b31b564 in start_thread () from /lib64/libpthread.so.0
#10 0x00007fe82b04f33f in clone () from /lib64/libc.so.6
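
An added triage sketch, not part of the original report or of nbdkit: it parses a `t a a bt` dump like the one above and reports which threads are inside a plugin callback at the same moment. The sample dump is a constructed, trimmed copy of the frames above, and the `py_` prefix used to spot plugin callbacks is an assumption taken from the `py_open` and `py_close` frames in the trace.

```python
import re

# Constructed sample: a trimmed copy of frames from the backtrace in the report.
SAMPLE = """\
Thread 3 (Thread 0x7fe82c0c8400 (LWP 5709)):
#0  0x00007fe82b044949 in poll () from /lib64/libc.so.6
#2  accept_incoming_connections (socks=socks@entry=0x1f283b0, nr_socks=2)

Thread 2 (Thread 0x7fe81c435700 (LWP 5725)):
#0  0x00007fe82b046d27 in select () from /lib64/libc.so.6
#2  time_sleep ()
#13 0x00007fe829704b77 in py_close (handle=0x7fe82bffe750) at python.c:340

Thread 1 (Thread 0x7fe81bc34700 (LWP 5733)):
#0  PyUnicode_InternInPlace ()
#4  0x00007fe829703fbb in py_open (readonly=0) at python.c:308
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP (\d+)\)\):")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(")

def parse_threads(dump):
    """Return {thread_number: [function names, innermost frame first]}."""
    threads, current = {}, None
    for line in dump.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = threads.setdefault(int(m.group(1)), [])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(m.group(2))
    return threads

def threads_in_plugin(dump, prefix="py_"):
    """Map thread number -> innermost plugin callback (py_* frame) it is in."""
    result = {}
    for tid, frames in parse_threads(dump).items():
        entry = next((f for f in frames if f.startswith(prefix)), None)
        if entry:
            result[tid] = entry
    return result

def concurrent_entry(dump):
    """True when more than one thread is inside a plugin callback at once."""
    return len(threads_in_plugin(dump)) > 1

if __name__ == "__main__":
    print(threads_in_plugin(SAMPLE), concurrent_entry(SAMPLE))
```

On the sample it reports thread 2 in `py_close` and thread 1 in `py_open`, the overlap visible in the trace above.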

Comment 1 Richard W.M. Jones 2018-04-17 18:07:26 UTC
*** Bug 1566522 has been marked as a duplicate of this bug. ***

Comment 2 Richard W.M. Jones 2018-04-17 18:09:06 UTC
Fix upstream:


The first one is a code refactoring to make the second
patch (the actual fix) clearer.

Comment 3 Richard W.M. Jones 2018-04-22 10:21:06 UTC
Fixed in 1.2.2.

Comment 4 Richard W.M. Jones 2018-04-22 10:42:39 UTC
I don't think I have any way to file bugs directly against nbdkit
in RHEV-M so I'll have to use this bug.  Here is the new build:


Comment 5 Ben Cotton 2019-05-02 21:54:20 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Ben Cotton 2019-05-28 19:56:49 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.
