From debbugs-submit-bounces@debbugs.gnu.org Thu May 18 18:00:41 2017 Received: (at 26976) by debbugs.gnu.org; 18 May 2017 22:00:42 +0000 Received: from localhost ([127.0.0.1]:54004 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dBTTN-0008Mw-M0 for submit@debbugs.gnu.org; Thu, 18 May 2017 18:00:41 -0400 Received: from eggs.gnu.org ([208.118.235.92]:46389) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dBTTL-0008Mi-DX for 26976@debbugs.gnu.org; Thu, 18 May 2017 18:00:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dBTTF-00007u-4f for 26976@debbugs.gnu.org; Thu, 18 May 2017 18:00:34 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:59065) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dBTT9-00006s-Ky; Thu, 18 May 2017 18:00:27 -0400 Received: from reverse-83.fdn.fr ([80.67.176.83]:43768 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dBTT8-0000Gv-OY; Thu, 18 May 2017 18:00:27 -0400 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Mark H Weaver Subject: Re: bug#26976: On Hydra, offload crashes while trying to build linux-libre source References: <87h90japz0.fsf@netris.org> Date: Fri, 19 May 2017 00:00:24 +0200 In-Reply-To: <87h90japz0.fsf@netris.org> (Mark H. Weaver's message of "Wed, 17 May 2017 21:55:15 -0400") Message-ID: <87h90h966f.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 26976 Cc: Artyom Poptsov , 26976@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi Mark, (Cc: Artyom. Artyom, this is about what looks like a bug in Guile-SSH when used with Guile 2.2; see .) Mark H Weaver skribis: > *** Error in `/gnu/store/5zx29y44nrqj0s8h3jlvlj82k8hj4dxs-guile-2.2.2/bin= /guile': realloc(): invalid next size: 0x00000000024617d0 *** > =3D=3D=3D=3D=3D=3D=3D Backtrace: =3D=3D=3D=3D=3D=3D=3D=3D=3D > /gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25/lib/libc.so.6(+0x7= 0fd5)[0x7f77e8343fd5] > /gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25/lib/libc.so.6(+0x7= 73a6)[0x7f77e834a3a6] > /gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25/lib/libc.so.6(+0x7= a3a9)[0x7f77e834d3a9] > /gnu/store/rmjlycdgiq8pfy5hfi42qhw3k7p6kdav-glibc-2.25/lib/libc.so.6(real= loc+0x156)[0x7f77e834e6e6] > /gnu/store/vlc43y485v80sgq7iw60hzy4pw5r52d2-libssh-0.7.4/lib/libssh.so.4(= +0xdc6b)[0x7f77e2e24c6b] > /gnu/store/vlc43y485v80sgq7iw60hzy4pw5r52d2-libssh-0.7.4/lib/libssh.so.4(= +0xddce)[0x7f77e2e24dce] > /gnu/store/vlc43y485v80sgq7iw60hzy4pw5r52d2-libssh-0.7.4/lib/libssh.so.4(= +0xe50a)[0x7f77e2e2550a] > /gnu/store/vlc43y485v80sgq7iw60hzy4pw5r52d2-libssh-0.7.4/lib/libssh.so.4(= +0xe7b2)[0x7f77e2e257b2] > /gnu/store/vlc43y485v80sgq7iw60hzy4pw5r52d2-libssh-0.7.4/lib/libssh.so.4(= ssh_channel_close+0x47)[0x7f77e2e27f87] > /gnu/store/avy681pwf979kbwiv9k75c5h7jdink2c-guile2.2-ssh-0.11.0/lib/libgu= ile-ssh.so.11(+0xa597)[0x7f77e3290597] > /gnu/store/5zx29y44nrqj0s8h3jlvlj82k8hj4dxs-guile-2.2.2/lib/libguile-2.2.= so.1(+0x83785)[0x7f77e9f00785] This looks like a double-free and =E2=80=98ssh_channel_close=E2=80=99 has o= nly one call site, which is =E2=80=98ptob_close=E2=80=99, the =E2=80=98close=E2=80=99 fu= nction for the channel port type in Guile-SSH. I=E2=80=99m quite confident that the attached patch fixes the problem. How= ever, I haven=E2=80=99t found a scenario in Guile 2.2 where the =E2=80=98close=E2= =80=99 method could be called more than once, and I cannot reproduce the bug on my machine. Thoughts? I suggest applying it to the =E2=80=98guile-ssh=E2=80=99 package in Guix. Thanks, Ludo=E2=80=99. --=-=-= Content-Type: text/x-patch Content-Disposition: inline diff --git a/libguile-ssh/channel-type.c b/libguile-ssh/channel-type.c index 3dd641f..0839854 100644 --- a/libguile-ssh/channel-type.c +++ b/libguile-ssh/channel-type.c @@ -229,10 +229,11 @@ ptob_close (SCM channel) ssh_channel_free (ch->ssh_channel); } + SCM_SETSTREAM (channel, NULL); + #if USING_GUILE_BEFORE_2_2 scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); - SCM_SETSTREAM (channel, NULL); return 0; #endif diff --git a/libguile-ssh/sftp-file-type.c b/libguile-ssh/sftp-file-type.c index 8879924..f87cf03 100644 --- a/libguile-ssh/sftp-file-type.c +++ b/libguile-ssh/sftp-file-type.c @@ -224,10 +224,11 @@ ptob_close (SCM sftp_file) sftp_close (fd->file); } + SCM_SETSTREAM (sftp_file, NULL); + #if USING_GUILE_BEFORE_2_2 scm_gc_free (pt->write_buf, pt->write_buf_size, "port write buffer"); scm_gc_free (pt->read_buf, pt->read_buf_size, "port read buffer"); - SCM_SETSTREAM (sftp_file, NULL); return 1; #endif --=-=-=--