
kernel-packages team mailing list archive

[Bug 1486146] Re: recvfrom SYSCALL infinite loop/deadlock chewing 100% CPU (MSG_PEEK|MSG_WAITALL)

 

This bug was fixed in the package linux - 3.13.0-65.105

---------------
linux (3.13.0-65.105) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1498108

  [ Upstream Kernel Changes ]

  * net: Fix skb_set_peeked use-after-free bug
      - LP: #1497184

linux (3.13.0-64.104) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1493803

  [ Chris J Arges ]

  * [Config] DEFAULT_IOSCHED="deadline" for ppc64el
    - LP: #1469829

  [ Upstream Kernel Changes ]

  * tcp: fix recv with flags MSG_WAITALL | MSG_PEEK
    - LP: #1486146
  * libceph: abstract out ceph_osd_request enqueue logic
    - LP: #1488035
  * libceph: resend lingering requests with a new tid
    - LP: #1488035
  * n_tty: Refactor input_available_p() by call site
    - LP: #1397976
  * tty: Fix pty master poll() after slave closes v2
    - LP: #1397976
  * md: use kzalloc() when bitmap is disabled
    - LP: #1493305
  * ata: pmp: add quirk for Marvell 4140 SATA PMP
    - LP: #1493305
  * libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk
    VB0250EAVER
    - LP: #1493305
  * libata: add ATA_HORKAGE_NOTRIM
    - LP: #1493305
  * libata: force disable trim for SuperSSpeed S238
    - LP: #1493305
  * libata: increase the timeout when setting transfer mode
    - LP: #1493305
  * libata: Do not blacklist M510DC
    - LP: #1493305
  * mac80211: clear subdir_stations when removing debugfs
    - LP: #1493305
  * ALSA: hda - Add new GPU codec ID 0x10de007d to snd-hda
    - LP: #1493305
  * drm: Stop resetting connector state to unknown
    - LP: #1493305
  * usb: dwc3: Reset the transfer resource index on SET_INTERFACE
    - LP: #1493305
  * usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init()
    function
    - LP: #1493305
  * xhci: Calculate old endpoints correctly on device reset
    - LP: #1493305
  * xhci: report U3 when link is in resume state
    - LP: #1493305
  * xhci: prevent bus_suspend if SS port resuming in phase 1
    - LP: #1493305
  * xhci: do not report PLC when link is in internal resume state
    - LP: #1493305
  * USB: OHCI: Fix race between ED unlink and URB submission
    - LP: #1493305
  * usb-storage: ignore ZTE MF 823 card reader in mode 0x1225
    - LP: #1493305
  * blkcg: fix gendisk reference leak in blkg_conf_prep()
    - LP: #1493305
  * tile: use free_bootmem_late() for initrd
    - LP: #1493305
  * Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen
    - LP: #1493305
  * md/raid1: fix test for 'was read error from last working device'.
    - LP: #1493305
  * mmc: omap_hsmmc: Fix DTO and DCRC handling
    - LP: #1493305
  * isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
    - LP: #1493305
  * mmc: sdhci-pxav3: fix platform_data is not initialized
    - LP: #1493305
  * mmc: block: Add missing mmc_blk_put() in power_ro_lock_show()
    - LP: #1493305
  * mmc: sdhci-esdhc: Make 8BIT bus work
    - LP: #1493305
  * bonding: correctly handle bonding type change on enslave failure
    - LP: #1493305
  * net: Clone skb before setting peeked flag
    - LP: #1493305
  * bridge: mdb: fix double add notification
    - LP: #1493305
  * usb: gadget: mv_udc_core: fix phy_regs I/O memory leak
    - LP: #1493305
  * inet: frags: fix defragmented packet's IP header for af_packet
    - LP: #1493305
  * bonding: fix destruction of bond with devices different from
    arphrd_ether
    - LP: #1493305
  * ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc
    - LP: #1493305
  * ASoC: pcm1681: Fix setting de-emphasis sampling rate selection
    - LP: #1493305
  * iscsi-target: Fix use-after-free during TPG session shutdown
    - LP: #1493305
  * iscsi-target: Fix iscsit_start_kthreads failure OOPs
    - LP: #1493305
  * iscsi-target: Fix iser explicit logout TX kthread leak
    - LP: #1493305
  * ALSA: hda - Apply fixup for another Toshiba Satellite S50D
    - LP: #1493305
  * vhost: actually track log eventfd file
    - LP: #1493305
  * xfs: remote attributes need to be considered data
    - LP: #1493305
  * ALSA: usb-audio: add dB range mapping for some devices
    - LP: #1493305
  * drm/radeon/combios: add some validation of lvds values
    - LP: #1493305
  * x86/efi: Use all 64 bit of efi_memmap in setup_e820()
    - LP: #1493305
  * ipr: Fix locking for unit attention handling
    - LP: #1493305
  * ipr: Fix incorrect trace indexing
    - LP: #1493305
  * ipr: Fix invalid array indexing for HRRQ
    - LP: #1493305
  * ALSA: hda - Fix MacBook Pro 5,2 quirk
    - LP: #1493305
  * x86/xen: Probe target addresses in set_aliased_prot() before the
    hypercall
    - LP: #1493305
  * netfilter: ctnetlink: put back references to master ct and expect
    objects
    - LP: #1493305
  * bridge: mdb: fix delmdb state in the notification
    - LP: #1493305
  * ipvs: fix crash with sync protocol v0 and FTP
    - LP: #1493305
  * act_pedit: check binding before calling tcf_hash_release()
    - LP: #1493305
  * netfilter: nf_conntrack: Support expectations in different zones
    - LP: #1493305
  * ipvs: do not use random local source address for tunnels
    - LP: #1493305
  * ALSA: hda - fix cs4210_spdif_automute()
    - LP: #1493305
  * niu: don't count tx error twice in case of headroom realloc fails
    - LP: #1493305
  * net/mlx4_core: Fix wrong index in propagating port change event to VFs
    - LP: #1493305
  * ipvs: fix crash if scheduler is changed
    - LP: #1493305
  * Linux 3.13.11-ckt26
    - LP: #1493305

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Mon, 21 Sep 2015 10:16:41 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1486146

Title:
  recvfrom SYSCALL infinite loop/deadlock chewing 100% CPU
  (MSG_PEEK|MSG_WAITALL)

Status in Linux:
  Unknown
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Wily:
  Fix Released

Bug description:
  In a multi-threaded pthreads process running on Ubuntu 14.04 AMD64
  (with over 1000 threads) which uses real time FIFO scheduling, we
  occasionally see calls to recv() with flags (MSG_PEEK | MSG_WAITALL)
  get stuck in an infinite loop or deadlock, meaning the threads lock up
  chewing as much CPU as they can (due to FIFO scheduling) while stuck
  inside recv().

  Here's an example gdb back trace:

  [Switching to thread 4 (Thread 0x7f6040546700 (LWP 27251))]
  #0  0x00007f6231d2f7eb in __libc_recv (fd=fd@entry=146, buf=buf@entry=0x7f6040543600, n=n@entry=5, flags=-1, flags@entry=258) at ../sysdeps/unix/sysv/linux/x86_64/recv.c:33
  33      ../sysdeps/unix/sysv/linux/x86_64/recv.c: No such file or directory.
  (gdb) bt
  #0  0x00007f6231d2f7eb in __libc_recv (fd=fd@entry=146, buf=buf@entry=0x7f6040543600, n=n@entry=5, flags=-1, flags@entry=258) at ../sysdeps/unix/sysv/linux/x86_64/recv.c:33
  #1  0x0000000000421945 in recv (__flags=258, __n=5, __buf=0x7f6040543600, __fd=146) at /usr/include/x86_64-linux-gnu/bits/socket2.h:44
  [snip]

  The socket is a TCP socket in blocking mode, the recv() call is inside
  an outer loop with a counter, and I've checked the counter with gdb
  and it's always at 1, meaning that I'm sure that the outer loop isn't
  the problem, the thread is indeed deadlocked inside the recv()
  internals.

  Other notes:
  * There always seem to be 2 or more threads deadlocked in the same place (same recv() call but with distinct FDs)
  * The threads calling recv() have cancellation disabled by previously executing: thread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);

  I've even tried adding a poll() call for POLLRDNORM on the socket
  before calling recv() with MSG_PEEK | MSG_WAITALL flags to try to make
  sure there's data available on the socket before calling *recv()*, but
  it makes no difference.

  So, I don't know what is wrong here, I've read all the recv()
  documentation and believe that recv() is being used correctly, the
  only conclusion I can come to is that there is a bug in libc recv()
  when using flags MSG_PEEK | MSG_WAITALL with thousands of pthreads
  running.

  ===
  break-fix: - dfbafc995304ebb9a9b03f65083e6e9cea143b20

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1486146/+subscriptions

