Bug 1566516 - python plugin long calls cause reentrancy resulting in crash
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: nbdkit
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1566522
Depends On:
Blocks:
Reported: 2018-04-12 12:54 UTC by Richard W.M. Jones
Modified: 2019-05-28 19:56 UTC (History)

Fixed In Version: nbdkit-1.2.2-1.el7ev
Clone Of:
Environment:
Last Closed: 2019-05-28 19:56:49 UTC
Type: Bug
Embargoed:



Description Richard W.M. Jones 2018-04-12 12:54:35 UTC
Description of problem:

This is very simple to reproduce using the following short
Python plugin:
-------------------------------
#!/usr/sbin/nbdkit python3
import time
def open(readonly):
    h = {}
    return h
def close(h):
    # take some time
    time.sleep(10)
def get_size(h):
    return 1024
def pread(h, count, offset):
    buf = bytearray(count)
    return buf
-------------------------------

$ ./test.py
$ qemu-img info nbd:localhost:10809
$ qemu-img info nbd:localhost:10809

nbdkit will crash with the stack trace at the end.

What seems to be happening is that the lengthy close() call
which takes 10 seconds is still running when a second NBD
connection is made.  Python doesn't like reentrancy in the
interpreter.

Version-Release number of selected component (if applicable):

nbdkit-1.2.1-1.fc28.x86_64

How reproducible:

100%

Additional info:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  PyUnicode_InternInPlace ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15302
15302	    Py_ALLOW_RECURSION
[Current thread is 1 (Thread 0x7fe81bc34700 (LWP 5733))]
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-6.fc28.x86_64 libgcc-8.0.1-0.19.fc28.x86_64 libidn2-2.0.4-3.fc28.x86_64 libselinux-2.7-11.fc28.x86_64 pcre2-10.31-3.fc28.x86_64
(gdb) t a a bt

Thread 3 (Thread 0x7fe82c0c8400 (LWP 5709)):
#0  0x00007fe82b044949 in poll () from /lib64/libc.so.6
#1  0x000000000040b04c in poll (__timeout=-1, __nfds=3, __fds=0x7ffe523c4520)
    at /usr/include/bits/poll2.h:46
#2  accept_incoming_connections (socks=socks@entry=0x1f283b0, nr_socks=2)
    at sockets.c:333
#3  0x0000000000404e41 in start_serving () at main.c:818
#4  main () at main.c:598
#5  0x00007fe82af781bb in __libc_start_main () from /lib64/libc.so.6
#6  0x000000000040529a in _start ()

Thread 2 (Thread 0x7fe81c435700 (LWP 5725)):
#0  0x00007fe82b046d27 in select () from /lib64/libc.so.6
#1  0x00007fe8293113ad in pysleep (secs=<optimized out>)
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Modules/timemodule.c:1417
#2  time_sleep ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Modules/timemodule.c:235
#3  0x00007fe8292a4f51 in _PyCFunction_FastCallDict ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/methodobject.c:209
#4  0x00007fe8292b6f8a in _PyCFunction_FastCallKeywords ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/methodobject.c:275
#5  0x00007fe82931a27d in call_function ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4824
#6  0x00007fe82935f08a in _PyEval_EvalFrameDefault ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:3322
#7  0x00007fe829345ca8 in _PyEval_EvalCodeWithName (qualname=0x0, 
    name=<optimized out>, closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, 
    kwstep=2, kwcount=<optimized out>, kwargs=<optimized out>, 
    kwnames=<optimized out>, argcount=<optimized out>, args=<optimized out>, 
    locals=0x0, globals=<optimized out>, _co=<optimized out>)
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4174
#8  PyEval_EvalCodeEx ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4174
#9  0x00007fe829346c33 in function_call ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/funcobject.c:604
#10 0x00007fe8292a9aa3 in PyObject_Call ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/abstract.c:2261
#11 0x00007fe8292d7e58 in PyEval_CallObjectWithKeywords ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Python/ceval.c:4744
#12 0x00007fe8292d7eb7 in PyObject_CallObject (o=<optimized out>, 
    a=a@entry=({},))
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/abstract.c:2187
#13 0x00007fe829704b77 in py_close (handle=0x7fe82bffe750) at python.c:340
#14 0x000000000040a498 in plugin_close (b=<optimized out>, conn=0x7fe814000b80)
    at plugins.c:283
#15 0x0000000000406aa2 in free_connection (conn=0x7fe814000b80)
    at connections.c:378
#16 _handle_single_connection (sockout=<optimized out>, sockin=<optimized out>)
    at connections.c:316
#17 handle_single_connection (sockin=<optimized out>, sockout=<optimized out>)
    at connections.c:326
#18 0x000000000040a939 in start_thread (datav=0x1f8c610) at sockets.c:262
#19 0x00007fe82b31b564 in start_thread () from /lib64/libpthread.so.0
#20 0x00007fe82b04f33f in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fe81bc34700 (LWP 5733)):
#0  PyUnicode_InternInPlace ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15302
#1  0x00007fe8292ba1ee in PyUnicode_InternFromString ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/unicodeobject.c:15336
#2  0x00007fe8292baa02 in PyObject_GetAttrString ()
    at /usr/src/debug/python3-3.6.5-1.fc28.x86_64/Objects/object.c:793
#3  0x00007fe82970358d in callback_defined (name=<optimized out>, 
    obj_rtn=0x7fe81bc33c70) at python.c:94
#4  0x00007fe829703fbb in py_open (readonly=0) at python.c:308
#5  0x000000000040a518 in plugin_open (b=0x1f4b9f0, conn=0x7fe80c000b80, 
    readonly=0) at plugins.c:249
#6  0x00000000004067d4 in _handle_single_connection (sockout=7, sockin=7)
    at connections.c:356
#7  handle_single_connection (sockin=7, sockout=7) at connections.c:326
#8  0x000000000040a939 in start_thread (datav=0x1f93fb0) at sockets.c:262
#9  0x00007fe82b31b564 in start_thread () from /lib64/libpthread.so.0
#10 0x00007fe82b04f33f in clone () from /lib64/libc.so.6
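
A model of the interleaving visible in the backtrace above (thread 2 still inside py_close while thread 1 enters py_open), given here as an added example that is not part of the bug report or of nbdkit. `EmbeddedRuntime` is a constructed stand-in that records overlapping entries, and the `serialize` lock is a hypothetical mitigation for illustration, not the upstream patch.

```python
import contextlib
import threading
import time

class EmbeddedRuntime:
    """Constructed stand-in for an interpreter that must not be re-entered."""
    def __init__(self):
        self._count_lock = threading.Lock()  # protects the bookkeeping only
        self._inside = 0
        self.overlaps = []  # callbacks entered while another was still running

    def call(self, name, fn, *args):
        with self._count_lock:
            self._inside += 1
            if self._inside > 1:
                self.overlaps.append(name)
        try:
            return fn(*args)
        finally:
            with self._count_lock:
                self._inside -= 1

def run_two_connections(serialize):
    """Replay the report: a second client opens during the first one's close()."""
    runtime = EmbeddedRuntime()
    in_close = threading.Event()
    # Hypothetical server-side lock; a no-op context manager when disabled.
    lock = threading.Lock() if serialize else contextlib.nullcontext()

    def plugin_open(readonly):
        return {}

    def plugin_close(h):
        in_close.set()
        time.sleep(0.2)  # the report's lengthy close(), shortened from 10 s

    def connection(is_second):
        if is_second:
            in_close.wait()  # connect only once the first close() is running
        for name, fn, arg in (("open", plugin_open, False), ("close", plugin_close, None)):
            with lock:
                runtime.call(name, fn, arg)

    threads = [threading.Thread(target=connection, args=(n,)) for n in (False, True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return runtime.overlaps
```

With `serialize=False` the second connection's open is recorded as overlapping the first connection's close; with `serialize=True` the list stays empty because the second client blocks until close() returns.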

Comment 1 Richard W.M. Jones 2018-04-17 18:07:26 UTC
*** Bug 1566522 has been marked as a duplicate of this bug. ***

Comment 2 Richard W.M. Jones 2018-04-17 18:09:06 UTC
Fix upstream:

https://github.com/libguestfs/nbdkit/commit/344c787ba8a9aa6d55aa08edba230997e3525aef
https://github.com/libguestfs/nbdkit/commit/9e6d990f974b05697f9d917ba14f6df94f68cedb

The first one is a code refactoring to make the second
patch (the actual fix) clearer.

Comment 3 Richard W.M. Jones 2018-04-22 10:21:06 UTC
Fixed in 1.2.2.

Comment 4 Richard W.M. Jones 2018-04-22 10:42:39 UTC
I don't think I have any way to file bugs directly against nbdkit
in RHEV-M so I'll have to use this bug.  Here is the new build:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=15862451

Comment 5 Ben Cotton 2019-05-02 21:54:20 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Ben Cotton 2019-05-28 19:56:49 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

