Bug 1467547 - ping '-i 0 -c' can lockup in endless loop when sendto/recvmsg get ENOBUFS/EAGAIN
ping '-i 0 -c' can lockup in endless loop when sendto/recvmsg get ENOBUFS/EAGAIN
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iputils (Show other bugs)
7.3
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jan Synacek
qe-baseos-daemons
:
Depends On:
Blocks: 1549689
  Show dependency treegraph
 
Reported: 2017-07-04 03:46 EDT by hui.han
Modified: 2018-03-05 07:24 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description hui.han 2017-07-04 03:46:18 EDT
Description of problem:
ping can lockup itself in the endless loop regardless that before that it
successfully process other echo requests and count option '-c' was specified.
.

How reproducible:
on EL7.3 (Linux 3.10.0-514.2.2.el7.x86_64)
This script can reproduce the issue:
.
  ip1="fd00:a::1"
  ip2="fd00:a::2"
  m="64"
.
  ip netns add ns1
  ip link add name veth1 type veth peer name veth2
  ip link set dev veth1 netns ns1
  ip netns exec ns1 ip link set dev veth1 up
  ip link set dev veth2 up
  ip netns exec ns1 ip address add $ip1/$m dev veth1
  ip add add $ip2/$m dev veth2
.
  ping6 -I veth2 -s 10 -i 0 $ip1 -c 30
.
if not using netns in the above script, we can still get the errors but ping
finishes in that case.

Version-Release number of selected component (if applicable):
IPUTILS-20160308-8.EL7.X86_64


Steps to Reproduce:
None

Actual results:
Ping6 hang

Expected results:
Ping6 is OK.


Additional info:

Analysis:

The iputils exception handing function has not set
a default time value for the struct 'itimerval it'.
in this case the tv_sec is set as 0,the setitimer
will take no effect for that value. And the system
will not send a signal to itself to terminate the
application.
.
int __schedule_exit(int next)
{
static unsigned long waittime;
struct itimerval it;
.
if (waittime)
return next;
.
if (nreceived) {
waittime = 2 * tmax;
if (waittime < 1000*interval)
waittime = 1000*interval;
} else
waittime = lingertime*1000;
.
if (next < 0 || next < waittime/1000)
next = waittime/1000;
.
it.it_interval.tv_sec = 0;
it.it_interval.tv_usec = 0;
it.it_value.tv_sec = waittime/1000000;
it.it_value.tv_usec = waittime%1000000;
setitimer(ITIMER_REAL, &it, NULL);
return next;
}
To fix it, add below code.

diff --git a/ping_common.c b/ping_common.c
--- a/ping_common.c
+++ b/ping_common.c
@@ -274,6 +274,8 @@ int __schedule_exit(int next)
        it.it_interval.tv_usec = 0;
        it.it_value.tv_sec = waittime/1000000;
        it.it_value.tv_usec = waittime%1000000;
+    if (waittime == 0)
+        waittime = 1000; /*set a default value for waittime*/  
        setitimer(ITIMER_REAL, &it, NULL);
        return next;
 }
(END)

Note You need to log in before you can comment on or make changes to this bug.