Browse Source

Fix Python crash on getprop deallocation

Fatal Python error: none_dealloc: deallocating None
Python runtime state: finalizing (tstate=0x000055c9bac70920)

Current thread 0x00007fbe34e47740 (most recent call first):
  <no Python frame>
Aborted (core dumped)

This is caused by a missing Py_INCREF on the returned Py_None, as
demonstrated e.g. in https://github.com/mythosil/swig-python-incref or
described at https://edcjones.tripod.com/refcount.html ("Remember to
INCREF Py_None!")

A PoC for triggering this crash is uploaded to
https://github.com/z3ntu/pylibfdt-crash .
With this patch applied to pylibfdt the crash does not happen.

Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
Message-Id: <20211224102811.70695-1-luca@z3ntu.xyz>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
main
Luca Weiss 3 years ago committed by David Gibson
parent
commit
d152126bb0
  1. 6
      pylibfdt/libfdt.i

6
pylibfdt/libfdt.i

@ -1040,14 +1040,16 @@ typedef uint32_t fdt32_t;


/* typemap used for fdt_getprop() */ /* typemap used for fdt_getprop() */
%typemap(out) (const void *) { %typemap(out) (const void *) {
if (!$1) if (!$1) {
$result = Py_None; $result = Py_None;
else Py_INCREF($result);
} else {
%#if PY_VERSION_HEX >= 0x03000000 %#if PY_VERSION_HEX >= 0x03000000
$result = Py_BuildValue("y#", $1, (Py_ssize_t)*arg4); $result = Py_BuildValue("y#", $1, (Py_ssize_t)*arg4);
%#else %#else
$result = Py_BuildValue("s#", $1, (Py_ssize_t)*arg4); $result = Py_BuildValue("s#", $1, (Py_ssize_t)*arg4);
%#endif %#endif
}
} }


/* typemap used for fdt_setprop() */ /* typemap used for fdt_setprop() */

Loading…
Cancel
Save