Bug #1798110 “xenial: virtio-scsi: CPU soft lockup due to loop i...” : Bugs : linux package : Ubuntu

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-16:

#1

Download full text (16.0 KiB)

Problem Analysis
================

The dmesg log 'crash/201809061748/dmesg.201809061748' shows the CPU soft lockup occurs 25 seconds after the 'sdb' virtio-scsi drive is removed.
This seems to indicate the events are related (there's usually an extra 2s-3s between an event and the report of the 22s or 23s stuck, for some reason).

[ 3002.697474] sd 0:0:2:0: [sdb] Synchronizing SCSI cache
[ 3002.697545] sd 0:0:2:0: [sdb] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
[ 3028.294602] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [id:2887]

CPU 1 is waiting on another CPU (to finish something)
-------------------------------

The locked up 'id' process is in page fault handling stack (which is OK/normal), calling a function on many (SMP) cpus (see smp_call_function_many() in the top of the stack), and is specifically in the call to one CPU (see smp_call_function_single+0xae/0x110() in the RIP register).

[ 3028.301755] CPU: 1 PID: 2887 Comm: id Not tainted 4.4.0-133-generic #159~14.04.1-Ubuntu
...
[ 3028.301760] RIP: 0010:[<ffffffff81102b1e>] [<ffffffff81102b1e>] smp_call_function_single+0xae/0x110
...
[ 3028.301797] Call Trace:
[ 3028.301803] [<ffffffff81071f60>] ? do_kernel_range_flush+0x40/0x40
[ 3028.301805] [<ffffffff81102e9e>] smp_call_function_many+0x22e/0x270
[ 3028.301808] [<ffffffff810723f8>] native_flush_tlb_others+0x48/0x120
[ 3028.301810] [<ffffffff8107256d>] flush_tlb_mm_range+0x9d/0x180
[ 3028.301815] [<ffffffff811cb1e3>] ptep_clear_flush+0x53/0x60
[ 3028.301819] [<ffffffff811b75ed>] wp_page_copy.isra.58+0x29d/0x530
[ 3028.301822] [<ffffffff811b955d>] do_wp_page+0x8d/0x590
[ 3028.301824] [<ffffffff811bb826>] handle_mm_fault+0xd86/0x1ac0
[ 3028.301829] [<ffffffff81192c53>] ? free_pages+0x13/0x20
[ 3028.301835] [<ffffffff810aa754>] ? finish_task_switch+0x244/0x2a0
[ 3028.301840] [<ffffffff8106b0fb>] __do_page_fault+0x19b/0x430
[ 3028.301843] [<ffffffff8106b3b2>] do_page_fault+0x22/0x30
[ 3028.301847] [<ffffffff81822928>] page_fault+0x28/0x30

The smp_call_function_many() address line in the stack trace (smp_call_function_many+0x22e / ffffffff81102e9e) reflects it's called smp_call_function_single():

ffffffff81102c70 <smp_call_function_many>:
...
ffffffff81102e99: e8 d2 fb ff ff callq ffffffff81102a70 <smp_call_function_single>
ffffffff81102e9e: 48 83 c4 10 add $0x10,%rsp

... which per the address in the RIP register (smp_call_function_single+0xae ffffffff81102b1e)
is in the (inlined) call to csd_lock_wait() after generic_exec_single().

csd_lock_wait() spins in the value of csd->flags with cpu_relax() / 'pause' instruction,
waiting for it to be unlocked (i.e., not have the CSD_FLAG_LOCK flag / 0x1 value in the
flags field / offset 0x18)

ffffffff81102a70 <smp_call_function_single>:
...
ffffffff81102b0f: e8 0c fe ff ff callq ffffffff81102920 <generic_exec_single>
ffffffff81102b14: 8b 55 e8 mov -0x18(%rbp),%edx
ffffffff81102b17: 83 e2 01 and $0x1,%edx
ffffffff81102b1a: 74 de je ffffffff81102afa <smp_call_function_singl...

Problem Analysis
================

The dmesg log 'crash/201809061748/dmesg.201809061748' shows the CPU soft lockup occurs 25 seconds after the 'sdb' virtio-scsi drive is removed.
This seems to indicate the events are related (there's usually an extra 2s-3s between an event and the report of the 22s or 23s stuck, for some reason).

[ 3002.697474] sd 0:0:2:0: [sdb] Synchronizing SCSI cache
	[ 3002.697545] sd 0:0:2:0: [sdb] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
	[ 3028.294602] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [id:2887]

CPU 1 is waiting on another CPU (to finish something)
-------------------------------

The locked up 'id' process is in page fault handling stack (which is OK/normal), calling a function on many (SMP) cpus (see smp_call_function_many() in the top of the stack), and is specifically in the call to one CPU (see smp_call_function_single+0xae/0x110() in the RIP register).

[ 3028.301755] CPU: 1 PID: 2887 Comm: id Not tainted 4.4.0-133-generic #159~14.04.1-Ubuntu
	...
	[ 3028.301760] RIP: 0010:[<ffffffff81102b1e>]  [<ffffffff81102b1e>] smp_call_function_single+0xae/0x110
	...
	[ 3028.301797] Call Trace:
	[ 3028.301803]  [<ffffffff81071f60>] ? do_kernel_range_flush+0x40/0x40
	[ 3028.301805]  [<ffffffff81102e9e>] smp_call_function_many+0x22e/0x270
	[ 3028.301808]  [<ffffffff810723f8>] native_flush_tlb_others+0x48/0x120
	[ 3028.301810]  [<ffffffff8107256d>] flush_tlb_mm_range+0x9d/0x180
	[ 3028.301815]  [<ffffffff811cb1e3>] ptep_clear_flush+0x53/0x60
	[ 3028.301819]  [<ffffffff811b75ed>] wp_page_copy.isra.58+0x29d/0x530
	[ 3028.301822]  [<ffffffff811b955d>] do_wp_page+0x8d/0x590
	[ 3028.301824]  [<ffffffff811bb826>] handle_mm_fault+0xd86/0x1ac0
	[ 3028.301829]  [<ffffffff81192c53>] ? free_pages+0x13/0x20
	[ 3028.301835]  [<ffffffff810aa754>] ? finish_task_switch+0x244/0x2a0
	[ 3028.301840]  [<ffffffff8106b0fb>] __do_page_fault+0x19b/0x430
	[ 3028.301843]  [<ffffffff8106b3b2>] do_page_fault+0x22/0x30
	[ 3028.301847]  [<ffffffff81822928>] page_fault+0x28/0x30

The smp_call_function_many() address line in the stack trace (smp_call_function_many+0x22e / ffffffff81102e9e) reflects it's called smp_call_function_single():

ffffffff81102c70 <smp_call_function_many>:
	...
	ffffffff81102e99:       e8 d2 fb ff ff          callq  ffffffff81102a70 <smp_call_function_single>
	ffffffff81102e9e:       48 83 c4 10             add    $0x10,%rsp

... which per the address in the RIP register (smp_call_function_single+0xae ffffffff81102b1e)
is in the (inlined) call to csd_lock_wait() after generic_exec_single().

csd_lock_wait() spins in the value of csd->flags with cpu_relax() / 'pause' instruction,
waiting for it to be unlocked (i.e., not have the CSD_FLAG_LOCK flag / 0x1 value in the
flags field / offset 0x18)

ffffffff81102a70 <smp_call_function_single>:
	...
	ffffffff81102b0f:       e8 0c fe ff ff          callq  ffffffff81102920 <generic_exec_single>
	ffffffff81102b14:       8b 55 e8                mov    -0x18(%rbp),%edx
	ffffffff81102b17:       83 e2 01                and    $0x1,%edx
	ffffffff81102b1a:       74 de                   je     ffffffff81102afa <smp_call_function_single+0x8a>
	ffffffff81102b1c:       f3 90                   pause
	ffffffff81102b1e:       8b 55 e8                mov    -0x18(%rbp),%edx
	ffffffff81102b21:       83 e2 01                and    $0x1,%edx
	ffffffff81102b24:       75 f6                   jne    ffffffff81102b1c <smp_call_function_single+0xac>

"""
	smp_call_function_single()
	...
		err = generic_exec_single(cpu, csd, func, info);

if (wait)
		        csd_lock_wait(csd);
	...
	"""

"""
	static void csd_lock_wait(struct call_single_data *csd)
	{
		while (smp_load_acquire(&csd->flags) & CSD_FLAG_LOCK)
		        cpu_relax();
	}
	"""

kernel/smp.c:	CSD_FLAG_LOCK		= 0x01,

include/linux/smp.h:

struct call_single_data {
		struct llist_node llist;
		smp_call_func_t func;
		void *info;
		unsigned int flags;
	};

$ pahole -C call_single_data vmlinux-4.4.0-133-generic 
	...
	struct call_single_data {
		struct llist_node          llist;                /*     0     8 */
		smp_call_func_t            func;                 /*     8     8 */
		void *                     info;                 /*    16     8 */
		unsigned int               flags;                /*    24     4 */ 
			### ^ 24 == 0x18
	...
	};

So this shows that CPU 1 is spinning/waiting on another CPU to finish something.

What the (an)other CPU is doing
-------------------------------

This guest has only 2 CPUs (confirmed with the crashdump file 'dump.201809061748'),
so CPU 0 is the only other CPU that could be doing something.

KERNEL: /home/mfo/<...>/vmlinux-4.4.0-133-generic
    DUMPFILE: dump.201809061748  [PARTIAL DUMP]
        CPUS: 2

The NMI to other CPUs in the dmesg file reveals it's (still -- 20ish seconds later) 
in the SCSI drive removal stack, specifically in the virtio-scsi target removal/destroy handler
(see virtscsi_target_destroy() in RIP register).

[ 3028.301874] Sending NMI to other CPUs:
	[ 3028.302876] NMI backtrace for cpu 0
	[ 3028.302882] CPU: 0 PID: 2246 Comm: kworker/0:0 Not tainted 4.4.0-133-generic #159~14.04.1-Ubuntu
	...
	[ 3028.302887] RIP: 0010:[<ffffffffc0002039>]  [<ffffffffc0002039>] virtscsi_target_destroy+0x19/0x30 [virtio_scsi]
	...
	[ 3028.302907] Call Trace:
	[ 3028.302908]  [<ffffffff815ad4f2>] scsi_target_destroy+0x82/0xd0
	[ 3028.302909]  [<ffffffff815ad575>] scsi_target_reap_ref_release+0x35/0x40
	[ 3028.302910]  [<ffffffff815aefac>] scsi_target_reap+0x2c/0x30
	[ 3028.302911]  [<ffffffff815b14f9>] __scsi_remove_device+0x89/0xe0
	[ 3028.302912]  [<ffffffff815b1576>] scsi_remove_device+0x26/0x40
	[ 3028.302914]  [<ffffffffc0002bc7>] virtscsi_handle_event+0x127/0x1e0 [virtio_scsi]
	[ 3028.302915]  [<ffffffff8109b0b6>] process_one_work+0x156/0x400
	[ 3028.302916]  [<ffffffff8109ba9a>] worker_thread+0x11a/0x480
	[ 3028.302918]  [<ffffffff8109b980>] ? rescuer_thread+0x310/0x310
	[ 3028.302919]  [<ffffffff810a0f78>] kthread+0xd8/0xf0
	[ 3028.302920]  [<ffffffff8181c092>] ? __schedule+0x2a2/0x820
	[ 3028.302921]  [<ffffffff810a0ea0>] ? kthread_park+0x60/0x60
	[ 3028.302922]  [<ffffffff818203b5>] ret_from_fork+0x55/0x80
	[ 3028.302924]  [<ffffffff810a0ea0>] ? kthread_park+0x60/0x60

Looking at the region pointed to by the RIP register, virtscsi_target_destroy+0x19,
(it's in '0x39' counting from '0x20', just looking at the kernel module objdump)..

It's similarly looping/spinning with pause (cpu_relax()), checking for the 
'tgt->reqs' counter until it becomes zero (i.e., completion of all requests in
the virtio SCSI target).

0000000000000020 <virtscsi_target_destroy>:
	      20:       e8 00 00 00 00          callq  25 <virtscsi_target_destroy+0x5>
	      25:       55                      push   %rbp
	      26:       48 8b bf 28 03 00 00    mov    0x328(%rdi),%rdi
	      2d:       48 89 e5                mov    %rsp,%rbp
	      30:       8b 47 04                mov    0x4(%rdi),%eax
	      33:       85 c0                   test   %eax,%eax
	      35:       74 09                   je     40 <virtscsi_target_destroy+0x20>
	      37:       f3 90                   pause
	      39:       8b 47 04                mov    0x4(%rdi),%eax
	      3c:       85 c0                   test   %eax,%eax
	      3e:       75 f7                   jne    37 <virtscsi_target_destroy+0x17>
	      40:       e8 00 00 00 00          callq  45 <virtscsi_target_destroy+0x25>
	      45:       5d                      pop    %rbp
	      46:       c3                      retq
	      47:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
	      4e:       00 00
 
	"""
	static void virtscsi_target_destroy(struct scsi_target *starget)
	{
		struct virtio_scsi_target_state *tgt = starget->hostdata;

/* we can race with concurrent virtscsi_complete_cmd */
		while (atomic_read(&tgt->reqs))
		        cpu_relax();
		kfree(tgt);
	}
	"""

Let's check what that 'tgt->regs' counter value is with the crashdump.

$ crash ~/ddebs/linux-image-4.4.0-133-generic-dbgsym_4.4.0-133.159~14.04.1_amd64/usr/lib/debug/boot/vmlinux-4.4.0-133-generic crash/201809061748/dump.201809061748

crash> set -c 0
	    PID: 2246
	COMMAND: "kworker/0:0"
	   TASK: ffff880035960000  [THREAD_INFO: ffff880212a90000]
	    CPU: 0
	  STATE: TASK_RUNNING (ACTIVE)

crash> bt
	PID: 2246   TASK: ffff880035960000  CPU: 0   COMMAND: "kworker/0:0"
	 #0 [ffff88021fc08e38] crash_nmi_callback at ffffffff8104f727
	 #1 [ffff88021fc08e48] nmi_handle at ffffffff81031407
	 #2 [ffff88021fc08ea0] default_do_nmi at ffffffff810319e0
	 #3 [ffff88021fc08ec0] do_nmi at ffffffff81031b19
	 #4 [ffff88021fc08ee8] end_repeat_nmi at ffffffff81822e17
	    [exception RIP: virtscsi_target_destroy+25]
	    RIP: ffffffffc0002039  RSP: ffff880212a93d38  RFLAGS: 00000006
	    RAX: 0000000000001eb2  RBX: ffff880216be7000  RCX: ffff8802179e0a20
	    RDX: ffffffffc0002020  RSI: ffff880035bddc28  RDI: ffff880211ea3420
	    RBP: ffff880212a93d38   R8: 0000000000000000   R9: ffffffff813eb3e5
	    R10: ffff88021fc1a6c0  R11: 0000000000000000  R12: ffff880035bddc00
	    R13: ffff880035bddc28  R14: 0000000000000282  R15: 0000000000000002
	    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
	--- <NMI exception stack> ---
	 #5 [ffff880212a93d38] virtscsi_target_destroy at ffffffffc0002039 [virtio_scsi]
	 #6 [ffff880212a93d40] scsi_target_destroy at ffffffff815ad4f2
	 #7 [ffff880212a93d70] scsi_target_reap_ref_release at ffffffff815ad575
	 #8 [ffff880212a93d90] scsi_target_reap at ffffffff815aefac
	 #9 [ffff880212a93da0] __scsi_remove_device at ffffffff815b14f9
	#10 [ffff880212a93dc0] scsi_remove_device at ffffffff815b1576
	#11 [ffff880212a93de0] virtscsi_handle_event at ffffffffc0002bc7 [virtio_scsi]
	#12 [ffff880212a93e20] process_one_work at ffffffff8109b0b6
	#13 [ffff880212a93e68] worker_thread at ffffffff8109ba9a
	#14 [ffff880212a93ec8] kthread at ffffffff810a0f78
	#15 [ffff880212a93f50] ret_from_fork at ffffffff818203b5

the stack trace in crash gives us the register values at the time virtscsi_target_destroy()
was interrupted while running, and RIP (instruction pointer / next instruction to execute)
shows it's about to reload the EAX register with the value it loops for while checking.

EAX is tgt->reqs, which loaded as: scsi_target is the first argument, thus in RDI register,
its 'hostdata' field is in offset 0x328 (which is cast to virtio_scsi_target_state), 
and its 'reqs' field is in offset 0x4:

$ pahole -C scsi_target vmlinux-4.4.0-133-generic | grep hostdata
	...
		void *                     hostdata;             /*   808     8 */
			### ^ 808 = 0x328
	...

$ pahole -C virtio_scsi_target_state lib/modules/4.4.0-133-generic/kernel/drivers/scsi/virtio_scsi.ko | grep reqs
	...
		atomic_t                   reqs;                 /*     4     4 */
	...

So, let's get the value from memory, based in the RDI register (which at that point
has the tgt pointer in it):

crash> mod -s virtio_scsi /home/mfo/ddebs/linux-image-4.4.0-133-generic-dbgsym_4.4.0-133.159~14.04.1_amd64/usr/lib/debug/lib/modules/4.4.0-133-generic/kernel/drivers/scsi/virtio_scsi.ko

crash> struct virtio_scsi_target_state.reqs ffff880211ea3420
	  reqs = {
	    counter = 0x1eb2
	  }

crash> eval 0x1eb2
	hexadecimal: 1eb2  
	    decimal: 7858

And it's indeed a non-zero value, which seems quite high actually, around ~8k requests.

This is why it's looping.

The value does not seem to decrease, though.

Bug in virtio-scsi driver
-------------------------

It's unlikely that all these were pending and did not finish after all this time 
(~25 seconds since the SCSI removal started, at least +12 seconds since 'sbd' was
unmounted -- sbd1 and sdc1 are mounted, data is copied, both are unmounted, sdc1 is mounted).

[ 2215.675484] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)
	[ 2222.563236] EXT4-fs (sdc1): mounted filesystem with ordered data mode. Opts: (null)
	[ 2990.023442] EXT4-fs (sdc1): mounted filesystem with ordered data mode. Opts: (null)
	[ 3002.697474] sd 0:0:2:0: [sdb] Synchronizing SCSI cache
	[ 3002.697545] sd 0:0:2:0: [sdb] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
	[ 3028.294602] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [id:2887]

So this look a problem in the driver.

The wait/spin loop is introduced by a downstream/SAUCE commit to avoid a race with virtscsi_complete_cmd().
This is not present upstream, which dropped the tgt-reqs counter altogether.

However, per the commit description, we still need to synchronize with that function in Xenial.
So, instead of finding an alternative way to sync for now, let's check why the reqs counter has problems.

Studying the driver code for references to tgt->reqs, we see it's only changes in 3 sites>

1) decremented in one site, virtscsi_complete_cmd(), 
   which is a callback fired after a SCSI command is completed
  by the virtio-scsi adapter),

2) incremented in the .queuecommand() path, before calling virtscsi_queuecommand()
   in the only two callers of the .queuecommand() implementation (virtscsi_queuecommand()).
2.1)  - virtscsi_pick_vq_mq()
2.2)  - virtscsi_pick_vq()

Complete command path:

virtscsi_complete_cmd()
	...
		sc->scsi_done(sc);

atomic_dec(&tgt->reqs);
	}

In the 1-queue path:

virtscsi_queuecommand_single():
	...
		atomic_inc(&tgt->reqs);
		return virtscsi_queuecommand(vscsi, &vscsi->req_vqs[0], sc);
	}

In the >1-queues (not blk-mq) path:

virtio_scsi_vq *virtscsi_pick_vq_mq()
	...
		atomic_inc(&tgt->reqs);
		return &vscsi->req_vqs[hwq];

struct virtio_scsi_vq()
	...
		if (atomic_inc_return(&tgt->reqs) > 1) {
	...

... with their only caller being:

virtscsi_queuecommand_multi(struct Scsi_Host *sh,
		                               struct scsi_cmnd *sc)
	{
	...
		if (shost_use_blk_mq(sh))
		        req_vq = virtscsi_pick_vq_mq(vscsi, tgt, sc);
		else
		        req_vq = virtscsi_pick_vq(vscsi, tgt);

return virtscsi_queuecommand(vscsi, req_vq, sc);

These are the SCSI host templates registering those 2 functions:

static struct scsi_host_template virtscsi_host_template_single = {
	...
		.queuecommand = virtscsi_queuecommand_single,
	...

static struct scsi_host_template virtscsi_host_template_multi = {
	...
		.queuecommand = virtscsi_queuecommand_multi,
	...

Now, observing the implementation of virtscsi_queuecommand(), the problem
happens when the command fails to be kicked to the virtio-scsi adapter:

The function is called with the tgt-reqs counter already incremented.

But if virtscsi_kick_cmd() fails with anything other than -EIO,
the SCSI command will be requeued, and will go through the .queuecommand()
path again, which increments the tgt->reqs counter _again_, for the same
SCSI command (note this may repeat multiple times for the same command,
depending on the virtio-scsi adapter/queue condition/processing/etc).

(The EIO case is not a problem because it completes the SCSI command,
 which decrements the tgt-reqs counter).

virtscsi_queuecommand()
	...
		ret = virtscsi_kick_cmd(req_vq, cmd, req_size, sizeof(cmd->resp.cmd));
		if (ret == -EIO) {
		        cmd->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
		        spin_lock_irqsave(&req_vq->vq_lock, flags);
		        virtscsi_complete_cmd(vscsi, cmd);
		        spin_unlock_irqrestore(&req_vq->vq_lock, flags);
		} else if (ret != 0) {
		        return SCSI_MLQUEUE_HOST_BUSY;
		}
		return 0;
	}

So, the solution to keep the tgt-reqs counter correct in this case
is to decrement the tgt-reqs counter in that error condition, when
we know the command will be requeued (and thus tgt->reqs will be
incremented _again_).

Synthetic test-case
-------------------

I could successfully reproduce this problem by attaching GDB to the
QEMU GDB server to debug/play with the Linux kernel, and simulated
that the check for the available elements in the virtio ring/queue
were zero, so that error case happened.  I'll detail the steps too.

This was also used to verify the proposed fix.

The fix also has been tested with the test-case reported by the
customer, which is mounting the virtio-scsi disk, copying out of
it, unmounting it, and dettaching it from the guest instance.

This test-case is a loop doing that procedure; it usually fails
in the first or second iteration, and with the fix it has been
running for 35 iterations without problems.

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2018-10-16: Missing required logs.

#2

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1798110

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: xenial

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-16:

#3

Download full text (15.7 KiB)

Synthetic Test Case
===================

Create a Xenial KVM guest
---

mfo@rotom:~$ uvt-simplestreams-libvirt sync release=xenial arch=amd64
mfo@rotom:~$ uvt-kvm create --mem 4096 --cpu 2 --disk 16 mfo-sf194614 release=xenial arch=amd64

Modify the virsh XML to add a virtio-scsi controller + disk
---

mfo@rotom:~$ virsh shutdown mfo-sf194614
mfo@rotom:~$ virsh edit mfo-sf194614

Check the virtio-scsi disk
---

mfo@rotom:~$ virsh start mfo-sf194614
mfo@rotom:~$ uvt-kvm ssh mfo-sf194614

ubuntu@mfo-sf194614:~$ ls -ld /sys/block/sda
lrwxrwxrwx 1 root root 0 Oct 13 14:22 /sys/block/sda -> ../devices/pci0000:00/0000:00:07.0/virtio3/host2/target2:0:1/2:0:1:0/block/sda

ubuntu@mfo-sf194614:~$ lspci -s 7.0
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

Check the SCSI logging for a dd one block transfer + TUR (test-unit-ready)
---

root@mfo-sf194614:~# apt-get install sg3-utils
root@mfo-sf194614:~# scsi_logging_level --set --mlqueue=4 --mlcomplete=2

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1

[ 557.084898] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[ 557.088133] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[ 557.093154] sd 2:0:1:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 557.097336] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[ 557.100955] sd 2:0:1:0: tag#1 Send: scmd 0xffff880139fe14f0
[ 557.103159] sd 2:0:1:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00
[ 557.106005] sd 2:0:1:0: tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 557.109498] sd 2:0:1:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00

Synthetic reproducer (original kernel)
---

root@mfo-sf194614:~# uname -a
Linux mfo-sf194614 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

root@mfo-sf194614:~# cat /sys/module/virtio_scsi/sections/.text
0xffffffffc001c000

Start GDB server in QEMU:

mfo@rotom:~$ virsh qemu-monitor-command mfo-sf194614 --hmp 'gdbserver'
Waiting for gdb connection on device 'tcp::1234'

Get kernel debug symbols:

mfo@rotom:~/ddebs$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64.ddeb
mfo@rotom:~/ddebs$ dpkg-deb -x linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64.ddeb linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64
mfo@rotom:~/ddebs$ cd linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64/usr/lib/debug

Attach GDB:

$ gdb boot/vmlinux-4.4.0-138-generic \
  -ex 'set confirm off' \
  -ex 'add-symbol-file lib/modules/4.4.0-138-generic/kernel/drivers/scsi/virtio_scsi.ko 0xffffffffc001c000' \
  -ex 'break virtscsi_queuecommand' \
  -ex 'target remote localhost:1234' \
  -ex 'continue'

Run dd:

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1 2>/dev/null
<freeze>

[ 1271.471568] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[ 1271.474633] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>

Back to GDB:

Thread 1 hit Breakpoint 1, virtscsi_queuecommand (vscsi=0xffff880036eb07d8, req_vq=0xffff880036eb09e8, sc=0xffff880139fe14f0) at /build/linux-zdslHp/linux-4.4.0/drivers/scs...

Synthetic Test Case
===================

Create a Xenial KVM guest
---

mfo@rotom:~$ uvt-simplestreams-libvirt sync release=xenial arch=amd64
mfo@rotom:~$ uvt-kvm create --mem 4096 --cpu 2 --disk 16 mfo-sf194614 release=xenial arch=amd64

Modify the virsh XML to add a virtio-scsi controller + disk
---

mfo@rotom:~$ virsh shutdown mfo-sf194614
mfo@rotom:~$ virsh edit mfo-sf194614

Check the virtio-scsi disk
---

mfo@rotom:~$ virsh start mfo-sf194614
mfo@rotom:~$ uvt-kvm ssh mfo-sf194614

ubuntu@mfo-sf194614:~$ ls -ld /sys/block/sda
lrwxrwxrwx 1 root root 0 Oct 13 14:22 /sys/block/sda -> ../devices/pci0000:00/0000:00:07.0/virtio3/host2/target2:0:1/2:0:1:0/block/sda

ubuntu@mfo-sf194614:~$ lspci -s 7.0
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

Check the SCSI logging for a dd one block transfer + TUR (test-unit-ready)
---

root@mfo-sf194614:~# apt-get install sg3-utils
root@mfo-sf194614:~# scsi_logging_level --set --mlqueue=4 --mlcomplete=2

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1

[  557.084898] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[  557.088133] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[  557.093154] sd 2:0:1:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  557.097336] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[  557.100955] sd 2:0:1:0: tag#1 Send: scmd 0xffff880139fe14f0
[  557.103159] sd 2:0:1:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00
[  557.106005] sd 2:0:1:0: tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  557.109498] sd 2:0:1:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00

Synthetic reproducer (original kernel)
---

root@mfo-sf194614:~# uname -a
Linux mfo-sf194614 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

root@mfo-sf194614:~# cat /sys/module/virtio_scsi/sections/.text 
0xffffffffc001c000

Start GDB server in QEMU:

mfo@rotom:~$ virsh qemu-monitor-command mfo-sf194614 --hmp 'gdbserver'
Waiting for gdb connection on device 'tcp::1234'

Get kernel debug symbols:

mfo@rotom:~/ddebs$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64.ddeb
mfo@rotom:~/ddebs$ dpkg-deb -x linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64.ddeb linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64
mfo@rotom:~/ddebs$ cd linux-image-4.4.0-138-generic-dbgsym_4.4.0-138.164_amd64/usr/lib/debug

Attach GDB:

$ gdb boot/vmlinux-4.4.0-138-generic \
  -ex 'set confirm off' \
  -ex 'add-symbol-file lib/modules/4.4.0-138-generic/kernel/drivers/scsi/virtio_scsi.ko 0xffffffffc001c000' \
  -ex 'break virtscsi_queuecommand' \
  -ex 'target remote localhost:1234' \
  -ex 'continue'

Run dd:

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1 2>/dev/null
<freeze>

[ 1271.471568] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[ 1271.474633] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>

Back to GDB:

Thread 1 hit Breakpoint 1, virtscsi_queuecommand (vscsi=0xffff880036eb07d8, req_vq=0xffff880036eb09e8, sc=0xffff880139fe14f0) at /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c:534
534     /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb)

Add breakpoint to the point where the SCSI command request is to be added into the virtio ring:

@ virtio_ring.c

129: static inline int virtqueue_add(struct virtqueue *_vq,
...
196: 
197:         if (vq->vq.num_free < descs_used) {

(gdb) break virtio_ring.c:196
Breakpoint 2 at 0xffffffff814e323f: virtio_ring.c:196. (3 locations)

(gdb) info break
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0xffffffffc001d330 in virtscsi_queuecommand at /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c:534
        breakpoint already hit 1 time
2       breakpoint     keep y   <MULTIPLE>         
2.1                         y     0xffffffff814e323f in virtqueue_add_sgs at /build/linux-zdslHp/linux-4.4.0/drivers/virtio/virtio_ring.c:196
2.2                         y     0xffffffff814e37ec in virtqueue_add_inbuf at /build/linux-zdslHp/linux-4.4.0/drivers/virtio/virtio_ring.c:196
2.3                         y     0xffffffff814e3a9c in virtqueue_add_outbuf at /build/linux-zdslHp/linux-4.4.0/drivers/virtio/virtio_ring.c:196
(gdb) disable 1
(gdb) disable 2.2
(gdb) disable 2.3
(gdb) continue

Thread 1 hit Breakpoint 2, virtqueue_add (gfp=<optimized out>, data=<optimized out>, in_sgs=<optimized out>, out_sgs=<optimized out>, total_sg=<optimized out>, sgs=<optimized out>, _vq=<optimized out>)
    at /build/linux-zdslHp/linux-4.4.0/drivers/virtio/virtio_ring.c:197

Check the point where the comparison above (in line 197) is done:

(gdb) disass
...
=> 0xffffffff814e323f <+175>:   cmp    %ecx,%ebx
   0xffffffff814e3241 <+177>:   ja     0xffffffff814e3415 <virtqueue_add_sgs+645>

Check and modify the registers (ECX is num_free, EBX is descs_used):

(gdb) info reg $ecx $ebx
ecx            0x80     128
ebx            0x1      1

(gdb) set $ecx = 0

(gdb) info reg $ecx $ebx
ecx            0x0      0
ebx            0x1      1

Now we just faked that there are no num_free entries in the queue/ring.
Which will cause the SCSI command requeue.

Let's set a breakpoint for the target removal point now, and resume the guest.

(gdb) disable 2.1

(gdb) break virtscsi_target_destroy
(gdb) continue

In the guest, we see the SCSI command was first rejected, then re-sent, then it succeeded normally.

[ 1271.471568] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[ 1271.474633] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>
[ 1271.481964] sd 2:0:1:0: [sda] tag#1 queuecommand : request rejected
[ 1271.511692] scsi host2: unblocking host at zero depth

[ 1271.514607] sd 2:0:1:0: [sda] tag#1 Send: scmd 0xffff880139fe14f0
[ 1271.517870] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[ 1271.525639] sd 2:0:1:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 1271.531594] sd 2:0:1:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[ 1271.535696] sd 2:0:1:0: tag#0 Send: scmd 0xffff880139fe0170
[ 1271.538885] sd 2:0:1:0: tag#0 CDB: Test Unit Ready 00 00 00 00 00 00
[ 1271.543911] sd 2:0:1:0: tag#0 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 1271.546548] sd 2:0:1:0: tag#0 CDB: Test Unit Ready 00 00 00 00 00 00

Now we trigger the virtio-scsi device removal from QEMU:

mfo@rotom:~$ virsh qemu-monitor-command mfo-sf194614 --hmp 'device_del scsi1-0-1-0'

[ 1511.698495] sd 2:0:1:0: [sda] Synchronizing SCSI cache
...
[ 1511.738562] sd 2:0:1:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK

And go back to GDB:

Thread 1 hit Breakpoint 3, virtscsi_target_destroy (starget=0xffff880036ebd800) at /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c:787
787     /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb)

And let's get to the tgt-reqs counter value:

(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
=> 0xffffffffc001c020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc001c025 <+5>:     push   %rbp
   0xffffffffc001c026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc001c02d <+13>:    mov    %rsp,%rbp
   0xffffffffc001c030 <+16>:    mov    0x4(%rdi),%eax
   0xffffffffc001c033 <+19>:    test   %eax,%eax
   0xffffffffc001c035 <+21>:    je     0xffffffffc001c040 <virtscsi_target_destroy+32>
   0xffffffffc001c037 <+23>:    pause  
   0xffffffffc001c039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc001c03c <+28>:    test   %eax,%eax
   0xffffffffc001c03e <+30>:    jne    0xffffffffc001c037 <virtscsi_target_destroy+23>
   0xffffffffc001c040 <+32>:    callq  0xffffffff811f6400 <kfree>
   0xffffffffc001c045 <+37>:    pop    %rbp
   0xffffffffc001c046 <+38>:    retq   
End of assembler dump.

(gdb) si
(gdb) si
(gdb) si
(gdb) si
(gdb) si

(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
   0xffffffffc001c020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc001c025 <+5>:     push   %rbp
   0xffffffffc001c026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc001c02d <+13>:    mov    %rsp,%rbp
   0xffffffffc001c030 <+16>:    mov    0x4(%rdi),%eax
=> 0xffffffffc001c033 <+19>:    test   %eax,%eax
   0xffffffffc001c035 <+21>:    je     0xffffffffc001c040 <virtscsi_target_destroy+32>
   0xffffffffc001c037 <+23>:    pause  
   0xffffffffc001c039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc001c03c <+28>:    test   %eax,%eax
   0xffffffffc001c03e <+30>:    jne    0xffffffffc001c037 <virtscsi_target_destroy+23>
   0xffffffffc001c040 <+32>:    callq  0xffffffff811f6400 <kfree>
   0xffffffffc001c045 <+37>:    pop    %rbp
   0xffffffffc001c046 <+38>:    retq   
End of assembler dump.

And it's ONE, as we requeued a SCSI command ONE time.

(gdb) info reg $eax
eax            0x1      1

If we let the guest run, in the hopes that the req counter would eventually
drop to zero, we find it never happens,  and the QEMU process keeps spinning
taking 100% / 1 CPU in the host:

(gdb) disable 3
(gdb) continue

$ pid=$(ps ax | grep qemu | grep mfo-sf194614 | cut -d' ' -f1)
$ top -b -d 1 -n 10 -p $pid | grep qemu
38562 libvirt+  20   0 6035792 399520  23564 S 106.7  0.3   6:21.47 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:22.48 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:23.49 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:24.51 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:25.52 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 102.0  0.3   6:26.54 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:27.55 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 102.0  0.3   6:28.57 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 100.0  0.3   6:29.58 qemu-system-x86
38562 libvirt+  20   0 6035792 399520  23564 S 101.0  0.3   6:30.59 qemu-system-x86

Now, let's pause the guest from GDB and modify the reqs value to zero:

(gdb) c
Continuing.
^C
Thread 1 received signal SIGINT, Interrupt.
virtscsi_target_destroy (starget=<optimized out>) at /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c:791
791     in /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c

(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
   0xffffffffc001c020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc001c025 <+5>:     push   %rbp
   0xffffffffc001c026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc001c02d <+13>:    mov    %rsp,%rbp
   0xffffffffc001c030 <+16>:    mov    0x4(%rdi),%eax
   0xffffffffc001c033 <+19>:    test   %eax,%eax
   0xffffffffc001c035 <+21>:    je     0xffffffffc001c040 <virtscsi_target_destroy+32>
   0xffffffffc001c037 <+23>:    pause  
=> 0xffffffffc001c039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc001c03c <+28>:    test   %eax,%eax
   0xffffffffc001c03e <+30>:    jne    0xffffffffc001c037 <virtscsi_target_destroy+23>
   0xffffffffc001c040 <+32>:    callq  0xffffffff811f6400 <kfree>
   0xffffffffc001c045 <+37>:    pop    %rbp
   0xffffffffc001c046 <+38>:    retq   
End of assembler dump.

(gdb) si
791     in /build/linux-zdslHp/linux-4.4.0/drivers/scsi/virtio_scsi.c

(gdb) set $eax = 0

(gdb) continue

Now the guest resumes responding to keyboard / working normally,
and QEMU is no longer taking 100% / 1 CPU of the host.

With the PATCHED KERNEL:
---

root@mfo-sf194614:~# uname -a
Linux mfo-sf194614 4.4.0-138-generic #164+forTESTING.sf194614.1 SMP Sat Oct 13 13:20:35 -03 2018 x86_64 x86_64 x86_64 GNU/Linux

QEMU monitor device_del after fresh reboot (check for regressions without requeued SCSI commands):
All OK. CPU stays low. not looping.

mfo@rotom:~/sf194614$ top -b -d 1 -n 10 -p $pid | grep qemu
55683 libvirt+  20   0 5241060 401584  23160 S   0.0  0.3   0:10.97 qemu-system-x86
55683 libvirt+  20   0 5241060 401584  23160 S   0.0  0.3   0:10.97 qemu-system-x86
55683 libvirt+  20   0 5241060 401584  23160 S   1.0  0.3   0:10.98 qemu-system-x86
55683 libvirt+  20   0 5241060 401584  23160 S   0.0  0.3   0:10.98 qemu-system-x86
55683 libvirt+  20   0 5241060 401584  23160 S   0.0  0.3   0:10.98 qemu-system-x86

Testcase:

[  178.039058] sd 2:0:1:0: [sda] tag#0 Send: scmd 0xffff880139f30170
[  178.042039] sd 2:0:1:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>
[  178.049500] sd 2:0:1:0: [sda] tag#0 queuecommand : request rejected
[  178.081789] scsi host2: unblocking host at zero depth

[  178.084185] sd 2:0:1:0: [sda] tag#0 Send: scmd 0xffff880139f30170
[  178.086683] sd 2:0:1:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[  178.088764] sd 2:0:1:0: [sda] tag#0 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  178.090952] sd 2:0:1:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[  178.092897] sd 2:0:1:0: tag#0 Send: scmd 0xffff880139f30170
[  178.094696] sd 2:0:1:0: tag#0 CDB: Test Unit Ready 00 00 00 00 00 00
[  178.096462] sd 2:0:1:0: tag#0 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  178.099108] sd 2:0:1:0: tag#0 CDB: Test Unit Ready 00 00 00 00 00 00

And in GDB we can confirm that the tgt->reqs counter is zero, even with the SCSI command requeue:

Thread 1 hit Breakpoint 3, virtscsi_target_destroy (starget=0xffff880139a42400) at /home/ubuntu/sf194614/linux-4.4.0/drivers/scsi/virtio_scsi.c:793
793     /home/ubuntu/sf194614/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb) si
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
   0xffffffffc001c020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc001c025 <+5>:     push   %rbp
   0xffffffffc001c026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc001c02d <+13>:    mov    %rsp,%rbp
   0xffffffffc001c030 <+16>:    mov    0x4(%rdi),%eax
=> 0xffffffffc001c033 <+19>:    test   %eax,%eax
   0xffffffffc001c035 <+21>:    je     0xffffffffc001c040 <virtscsi_target_destroy+32>
   0xffffffffc001c037 <+23>:    pause  
   0xffffffffc001c039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc001c03c <+28>:    test   %eax,%eax
   0xffffffffc001c03e <+30>:    jne    0xffffffffc001c037 <virtscsi_target_destroy+23>
   0xffffffffc001c040 <+32>:    callq  0xffffffff811f6400 <kfree>
   0xffffffffc001c045 <+37>:    pop    %rbp
   0xffffffffc001c046 <+38>:    retq   
End of assembler dump.

(gdb) info reg $eax
eax            0x0      0

And the guest finishes that function, as expected, and the SCSi target removal ends.

(gdb) continue

[  221.376878] sd 2:0:1:0: [sda] Synchronizing SCSI cache
...
[  221.419942] sd 2:0:1:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK

The guest responds normally and does not go to 100% CPU.

mfo@rotom:~/sf194614$ pid=$(ps ax | grep qemu | grep mfo-sf194614 | cut -d' ' -f1)
mfo@rotom:~/sf194614$ top -b -d 1 -n 10 -p $pid | grep qemu
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.54 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   1.0  0.3   0:14.55 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.55 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.55 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   1.0  0.3   0:14.56 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.56 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.56 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.56 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.56 qemu-system-x86
55807 libvirt+  20   0 5375216 410616  23304 S   0.0  0.3   0:14.56 qemu-system-x86

Changed in linux (Ubuntu):
status:	Incomplete → Confirmed

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-16:

#4

Organic Testcase
================

set -x
instancename=USER-trusty
firstdevice=sdb
seconddevice=sdc
diskname=USER-disk-1
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command '(tar -C /var/issue/first -cf - .) | (tar -C /var/issue/second -xpf -)'
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo umount /var/issue/first"
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo umount /var/issue/second"
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo mount /dev/$seconddevice /var/issue/first"
gcloud compute instances detach-disk $instancename --disk $diskname --zone ZONE
# <----- error should happen here
gcloud compute instances attach-disk $instancename --disk $diskname --zone ZONE
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo umount /var/issue/first"
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo mount /dev/$firstdevice /var/issue/first"
gcloud compute --project "PROJECT" ssh --zone "ZONE" "$instancename" --command "sudo mount /dev/$seconddevice /var/issue/second"

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-16:

#5

Organic Testcase:

It usually reproduces the problem in the 1st or 2nd iteration.
With the fix the problem did not reproduce in 35 iterations.

Mauricio Faria de Oliveira (mfo) on 2018-10-16

description:

updated

Mauricio Faria de Oliveira (mfo) on 2018-10-16

description:

updated

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-16:

#6

Patches posted to kernel-team mailing list [1].

[1] https://lists.ubuntu.com/archives/kernel-team/2018-October/096072.html
[SRU Xenial][PATCH 0/2] Improve our SAUCE for virtio-scsi reqs counter (fix CPU soft lockup)

Joseph Salisbury (jsalisbury) on 2018-10-16

Changed in linux (Ubuntu):
importance:	Undecided → Medium
status:	Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
status:	New → Triaged
importance:	Undecided → Medium

Kleber Sacilotto de Souza (kleber-souza) on 2018-10-24

Changed in linux (Ubuntu Xenial):
status:	Triaged → Fix Committed

Revision history for this message

Brad Figg (brad-figg) wrote on 2018-10-25:

#7

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Mauricio Faria de Oliveira (mfo) wrote on 2018-10-25:

#8

Download full text (9.4 KiB)

Verification successful with the kernel in xenial-proposed.
Updating verification tags.

Details
=======

Guest:
---

root@mfo-sf194614:~# apt-cache madison linux-image-4.4.0-139-generic
linux-image-4.4.0-139-generic | 4.4.0-139.165 | http://archive.ubuntu.com/ubuntu/ xenial-proposed/main amd64 Packages

root@mfo-sf194614:~# apt-get -y install linux-image-4.4.0-139-generic
root@mfo-sf194614:~# reboot

root@mfo-sf194614:~# uname -a
Linux mfo-sf194614 4.4.0-139-generic #165-Ubuntu SMP Wed Oct 24 10:58:50 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

root@mfo-sf194614:~# ls -ld /sys/block/sda
lrwxrwxrwx 1 root root 0 Oct 25 13:51 /sys/block/sda -> ../devices/pci0000:00/0000:00:07.0/virtio4/host2/target2:0:0/2:0:0:0/block/sda

root@mfo-sf194614:~# lspci -s 7.0
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

root@mfo-sf194614:~# echo 9 > /proc/sys/kernel/printk
root@mfo-sf194614:~# scsi_logging_level --set --mlqueue=4 --mlcomplete=2

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1
[ 139.412030] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[ 139.415541] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[ 139.418561] sd 2:0:0:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 139.421753] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[ 139.424561] sd 2:0:0:0: tag#1 Send: scmd 0xffff880036e614f0
[ 139.427081] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00
[ 139.428997] sd 2:0:0:0: tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[ 139.430982] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00

root@mfo-sf194614:~# cat /sys/module/virtio_scsi/sections/.text
0xffffffffc0002000

Host:
---

mfo@rotom:~/ddebs$ vscsi_text='0xffffffffc0002000'
mfo@rotom:~/ddebs$ virsh qemu-monitor-command mfo-sf194614 --hmp 'gdbserver'

mfo@rotom:~/ddebs$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64.ddeb
mfo@rotom:~/ddebs$ dpkg-deb -x linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64.ddeb linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64/
mfo@rotom:~/ddebs$ cd linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64/usr/lib/debug/

gdb boot/vmlinux-4.4.0-139-generic \
  -ex 'set confirm off' \
  -ex "add-symbol-file lib/modules/4.4.0-139-generic/kernel/drivers/scsi/virtio_scsi.ko $vscsi_text" \
  -ex 'break virtscsi_queuecommand' \
  -ex 'target remote localhost:1234' \
  -ex 'continue'

Guest
---

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1 2>/dev/null
[ 435.462432] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[ 435.465679] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>

Host GDB:
---

Thread 2 hit Breakpoint 1, virtscsi_queuecommand (vscsi=0xffff88013a6cf7d8, req_vq=0xffff88013a6cf9e8, sc=0xffff880036e614f0)
at /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c:534
534 /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb) break virtio_ring.c:196
Breakpoint 2 at 0xffffffff814e383f: virtio_ring.c:196. (3 locations)
(gdb) info break
Num Type Disp Enb Addr...

Verification successful with the kernel in xenial-proposed.
Updating verification tags.

Details
=======

Guest:
---

root@mfo-sf194614:~# apt-cache madison linux-image-4.4.0-139-generic
linux-image-4.4.0-139-generic | 4.4.0-139.165 | http://archive.ubuntu.com/ubuntu/ xenial-proposed/main amd64 Packages

root@mfo-sf194614:~# apt-get -y install linux-image-4.4.0-139-generic
root@mfo-sf194614:~# reboot

root@mfo-sf194614:~# uname -a
Linux mfo-sf194614 4.4.0-139-generic #165-Ubuntu SMP Wed Oct 24 10:58:50 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

root@mfo-sf194614:~# ls -ld /sys/block/sda
lrwxrwxrwx 1 root root 0 Oct 25 13:51 /sys/block/sda -> ../devices/pci0000:00/0000:00:07.0/virtio4/host2/target2:0:0/2:0:0:0/block/sda

root@mfo-sf194614:~# lspci -s 7.0
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

root@mfo-sf194614:~# echo 9 > /proc/sys/kernel/printk
root@mfo-sf194614:~# scsi_logging_level --set --mlqueue=4 --mlcomplete=2

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1
[  139.412030] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[  139.415541] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[  139.418561] sd 2:0:0:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  139.421753] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[  139.424561] sd 2:0:0:0: tag#1 Send: scmd 0xffff880036e614f0
[  139.427081] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00
[  139.428997] sd 2:0:0:0: tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  139.430982] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00

root@mfo-sf194614:~# cat /sys/module/virtio_scsi/sections/.text
0xffffffffc0002000

Host:
---

mfo@rotom:~/ddebs$ vscsi_text='0xffffffffc0002000'
mfo@rotom:~/ddebs$ virsh qemu-monitor-command mfo-sf194614 --hmp 'gdbserver'

mfo@rotom:~/ddebs$ wget http://ddebs.ubuntu.com/pool/main/l/linux/linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64.ddeb
mfo@rotom:~/ddebs$ dpkg-deb -x linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64.ddeb linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64/
mfo@rotom:~/ddebs$ cd linux-image-4.4.0-139-generic-dbgsym_4.4.0-139.165_amd64/usr/lib/debug/

gdb boot/vmlinux-4.4.0-139-generic \
  -ex 'set confirm off' \
  -ex "add-symbol-file lib/modules/4.4.0-139-generic/kernel/drivers/scsi/virtio_scsi.ko $vscsi_text" \
  -ex 'break virtscsi_queuecommand' \
  -ex 'target remote localhost:1234' \
  -ex 'continue'

Guest
---

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1 2>/dev/null
[  435.462432] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[  435.465679] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>

Host GDB:
---

Thread 2 hit Breakpoint 1, virtscsi_queuecommand (vscsi=0xffff88013a6cf7d8, req_vq=0xffff88013a6cf9e8, sc=0xffff880036e614f0)
    at /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c:534
534     /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb) break virtio_ring.c:196
Breakpoint 2 at 0xffffffff814e383f: virtio_ring.c:196. (3 locations)
(gdb) info break
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0xffffffffc0003330 in virtscsi_queuecommand 
                                                   at /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c:534
        breakpoint already hit 1 time
2       breakpoint     keep y   <MULTIPLE>         
2.1                         y     0xffffffff814e383f in virtqueue_add_sgs 
                                                   at /build/linux-PrHwV2/linux-4.4.0/drivers/virtio/virtio_ring.c:196
2.2                         y     0xffffffff814e3dec in virtqueue_add_inbuf 
                                                   at /build/linux-PrHwV2/linux-4.4.0/drivers/virtio/virtio_ring.c:196
2.3                         y     0xffffffff814e409c in virtqueue_add_outbuf 
                                                   at /build/linux-PrHwV2/linux-4.4.0/drivers/virtio/virtio_ring.c:196
(gdb) disable 1
(gdb) disable 2.2
(gdb) disable 2.3
(gdb) continue
Continuing.

Thread 2 hit Breakpoint 2, virtqueue_add (gfp=<optimized out>, data=<optimized out>, in_sgs=<optimized out>, out_sgs=<optimized out>, 
    total_sg=<optimized out>, sgs=<optimized out>, _vq=<optimized out>) at /build/linux-PrHwV2/linux-4.4.0/drivers/virtio/virtio_ring.c:197
197     /build/linux-PrHwV2/linux-4.4.0/drivers/virtio/virtio_ring.c: No such file or directory.
(gdb) disass
Dump of assembler code for function virtqueue_add_sgs:
...
=> 0xffffffff814e383f <+175>:   cmp    %ecx,%ebx
   0xffffffff814e3841 <+177>:   ja     0xffffffff814e3a15 <virtqueue_add_sgs+645>
...

(gdb) info reg $ecx $ebx
ecx            0x80     128
ebx            0x1      1

(gdb) set $ecx = 0

(gdb) info reg $ecx $ebx
ecx            0x0      0
ebx            0x1      1

(gdb) disable 2.1
(gdb) break virtscsi_target_destroy
Breakpoint 3 at 0xffffffffc0002020: file /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c, line 791.

(gdb) continue
Continuing.

Guest
---

root@mfo-sf194614:~# dd if=/dev/sda of=/dev/null count=1 2>/dev/null
[  435.462432] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[  435.465679] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
<freeze>
<continued after GDB above>
[  435.474443] sd 2:0:0:0: [sda] tag#1 queuecommand : request rejected
[  435.504597] scsi host2: unblocking host at zero depth

[  435.507603] sd 2:0:0:0: [sda] tag#1 Send: scmd 0xffff880036e614f0
[  435.510896] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00
[  435.515713] sd 2:0:0:0: [sda] tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  435.520838] sd 2:0:0:0: [sda] tag#1 CDB: Read(10) 28 00 00 00 00 00 00 00 20 00

[  435.525044] sd 2:0:0:0: tag#1 Send: scmd 0xffff880036e614f0
[  435.527795] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00
[  435.553066] sd 2:0:0:0: tag#1 Done: SUCCESS Result: hostbyte=DID_OK driverbyte=DRIVER_OK
[  435.555822] sd 2:0:0:0: tag#1 CDB: Test Unit Ready 00 00 00 00 00 00

Host
---

mfo@rotom:~$ virsh qemu-monitor-command mfo-sf194614 --hmp 'device_del scsi1-0-0-0'

Guest
---

[  549.088876] sd 2:0:0:0: [sda] Synchronizing SCSI cache
<...>
[  549.152828] sd 2:0:0:0: [sda] Synchronize Cache(10) failed: Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK

Host GDB
---

Thread 1 hit Breakpoint 3, virtscsi_target_destroy (starget=0xffff880036c62800)
    at /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c:791
791     /build/linux-PrHwV2/linux-4.4.0/drivers/scsi/virtio_scsi.c: No such file or directory.
(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
=> 0xffffffffc0002020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc0002025 <+5>:     push   %rbp
   0xffffffffc0002026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc000202d <+13>:    mov    %rsp,%rbp
   0xffffffffc0002030 <+16>:    mov    0x4(%rdi),%eax
   0xffffffffc0002033 <+19>:    test   %eax,%eax
   0xffffffffc0002035 <+21>:    je     0xffffffffc0002040 <virtscsi_target_destroy+32>
   0xffffffffc0002037 <+23>:    pause  
   0xffffffffc0002039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc000203c <+28>:    test   %eax,%eax
   0xffffffffc000203e <+30>:    jne    0xffffffffc0002037 <virtscsi_target_destroy+23>
   0xffffffffc0002040 <+32>:    callq  0xffffffff811f64a0 <kfree>
   0xffffffffc0002045 <+37>:    pop    %rbp
   0xffffffffc0002046 <+38>:    retq   
End of assembler dump.
(gdb) si
(gdb) 
(gdb) 
(gdb) 
(gdb) 
(gdb) disass
Dump of assembler code for function virtscsi_target_destroy:
   0xffffffffc0002020 <+0>:     nopl   0x0(%rax,%rax,1)
   0xffffffffc0002025 <+5>:     push   %rbp
   0xffffffffc0002026 <+6>:     mov    0x328(%rdi),%rdi
   0xffffffffc000202d <+13>:    mov    %rsp,%rbp
   0xffffffffc0002030 <+16>:    mov    0x4(%rdi),%eax
=> 0xffffffffc0002033 <+19>:    test   %eax,%eax
   0xffffffffc0002035 <+21>:    je     0xffffffffc0002040 <virtscsi_target_destroy+32>
   0xffffffffc0002037 <+23>:    pause  
   0xffffffffc0002039 <+25>:    mov    0x4(%rdi),%eax
   0xffffffffc000203c <+28>:    test   %eax,%eax
   0xffffffffc000203e <+30>:    jne    0xffffffffc0002037 <virtscsi_target_destroy+23>
   0xffffffffc0002040 <+32>:    callq  0xffffffff811f64a0 <kfree>
   0xffffffffc0002045 <+37>:    pop    %rbp
   0xffffffffc0002046 <+38>:    retq   
End of assembler dump.

(gdb) info reg $eax
eax            0x0      0

That looks good! :-)

(gdb) continue

Host
---

And indeed, the CPU usage for the QEMU process remains low.  Problem resolved.

mfo@rotom:~$ pid=$(ps ax | grep qemu | grep mfo-sf194614 | cut -d' ' -f1)
mfo@rotom:~$ top -b -d 1 -n 10 -p $pid | grep qemu
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.98 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   1.0  0.6   1:05.99 qemu-system-x86
10234 libvirt+  20   0 9016056 768008  23260 S   0.0  0.6   1:05.99 qemu-system-x86

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-11-13:

#9

Download full text (21.0 KiB)

This bug was fixed in the package linux - 4.4.0-139.165

---------------
linux (4.4.0-139.165) xenial; urgency=medium

* linux: 4.4.0-139.165 -proposed tracker (LP: #1799401)

  * Kernel panic after the ubuntu_nbd_smoke_test on Xenial kernel (LP: #1793464)
    - nbd: Remove signal usage
    - nbd: Timeouts are not user requested disconnects
    - nbd: Cleanup reset of nbd and bdev after a disconnect
    - nbd: don't shutdown sock with irq's disabled
    - nbd: fix race in ioctl

* fscache: bad refcounting in fscache_op_complete leads to OOPS (LP: #1797314)
- SAUCE: fscache: Fix race in decrementing refcount of op->npages

  * xenial: virtio-scsi: CPU soft lockup due to loop in
    virtscsi_target_destroy() (LP: #1798110)
    - SAUCE: (no-up) virtio-scsi: Decrement reqs counter before SCSI command
      requeue

  * Error reported when creating ZFS pool with "-t" option, despite successful
    pool creation (LP: #1769937)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu26

  * Xenial update: 4.4.160 upstream stable release (LP: #1798770)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - tsl2550: fix lux1_input error in low light
    - vmci: type promotion bug in qp_host_get_user_memory()
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - md-cluster: clear another node's suspend_area after the copy is finished
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - x86/tsc: Add missing header to tsc_msr.c
    - x86/entry/64: Add two more instruction suffixes
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - usb: wusbcore: security: cast sizeof to int for comparison
    - powerpc/powernv/ioda2: Reduce upper limit for DMA window size
    - alarmtimer: Prevent overflow for relative nanosleep
    - s390/extmem: fix gcc 8 stringop-overflow warning
    - ALSA: snd-aoa: add of_node_put() in error path
    - media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
    - media: soc_camera: ov772x: correct setting of banding filter
    - media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
    - staging: android: ashmem: Fix mmap size validation
    - drivers/tty: add error handling for pcmcia_loop_config
    - media: tm6000: add error handling for dvb_register_adapter
    - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
    - wlcore: Add missing PM call fo...

This bug was fixed in the package linux - 4.4.0-139.165

---------------
linux (4.4.0-139.165) xenial; urgency=medium

* linux: 4.4.0-139.165 -proposed tracker (LP: #1799401)

* Kernel panic after the ubuntu_nbd_smoke_test on Xenial kernel (LP: #1793464)
    - nbd: Remove signal usage
    - nbd: Timeouts are not user requested disconnects
    - nbd: Cleanup reset of nbd and bdev after a disconnect
    - nbd: don't shutdown sock with irq's disabled
    - nbd: fix race in ioctl

* fscache: bad refcounting in fscache_op_complete leads to OOPS (LP: #1797314)
    - SAUCE: fscache: Fix race in decrementing refcount of op->npages

* xenial: virtio-scsi: CPU soft lockup due to loop in
    virtscsi_target_destroy() (LP: #1798110)
    - SAUCE: (no-up) virtio-scsi: Decrement reqs counter before SCSI command
      requeue

* Error reported when creating ZFS pool with "-t" option, despite successful
    pool creation (LP: #1769937)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu26

* Xenial update: 4.4.160 upstream stable release (LP: #1798770)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - tsl2550: fix lux1_input error in low light
    - vmci: type promotion bug in qp_host_get_user_memory()
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - md-cluster: clear another node's suspend_area after the copy is finished
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - x86/tsc: Add missing header to tsc_msr.c
    - x86/entry/64: Add two more instruction suffixes
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - usb: wusbcore: security: cast sizeof to int for comparison
    - powerpc/powernv/ioda2: Reduce upper limit for DMA window size
    - alarmtimer: Prevent overflow for relative nanosleep
    - s390/extmem: fix gcc 8 stringop-overflow warning
    - ALSA: snd-aoa: add of_node_put() in error path
    - media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
    - media: soc_camera: ov772x: correct setting of banding filter
    - media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
    - staging: android: ashmem: Fix mmap size validation
    - drivers/tty: add error handling for pcmcia_loop_config
    - media: tm6000: add error handling for dvb_register_adapter
    - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
    - wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
    - ARM: mvebu: declare asm symbols as character arrays in pmsu.c
    - HID: hid-ntrig: add error handling for sysfs_create_group
    - scsi: bnx2i: add error handling for ioremap_nocache
    - EDAC, i7core: Fix memleaks and use-after-free on probe and remove
    - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
    - module: exclude SHN_UNDEF symbols from kallsyms api
    - nfsd: fix corrupted reply to badly ordered compound
    - ARM: dts: dra7: fix DCAN node addresses
    - serial: cpm_uart: return immediately from console poll
    - spi: tegra20-slink: explicitly enable/disable clock
    - spi: sh-msiof: Fix invalid SPI use during system suspend
    - spi: sh-msiof: Fix handling of write value for SISTR register
    - spi: rspi: Fix invalid SPI use during system suspend
    - spi: rspi: Fix interrupted DMA transfers
    - USB: fix error handling in usb_driver_claim_interface()
    - USB: handle NULL config in usb_find_alt_setting()
    - slub: make ->cpu_partial unsigned int
    - Revert "UBUNTU: SAUCE: media: uvcvideo: Support realtek's UVC 1.5 device"
    - media: uvcvideo: Support realtek's UVC 1.5 device
    - USB: usbdevfs: sanitize flags more
    - USB: usbdevfs: restore warning for nonsensical flags
    - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
      service_outstanding_interrupt()"
    - USB: remove LPM management from usb_driver_claim_interface()
    - Input: elantech - enable middle button of touchpad on ThinkPad P72
    - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
    - scsi: target: iscsi: Use bin2hex instead of a re-implementation
    - serial: imx: restore handshaking irq for imx1
    - arm64: KVM: Tighten guest core register access from userspace
    - ext4: never move the system.data xattr out of the inode body
    - thermal: of-thermal: disable passive polling when thermal zone is disabled
    - net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
    - e1000: check on netif_running() before calling e1000_up()
    - e1000: ensure to free old tx/rx rings in set_ringparam()
    - hwmon: (ina2xx) fix sysfs shunt resistor read access
    - hwmon: (adt7475) Make adt7475_read_word() return errors
    - i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
    - arm64: cpufeature: Track 32bit EL0 support
    - arm64: KVM: Sanitize PSTATE.M when being set from userspace
    - media: v4l: event: Prevent freeing event subscriptions while accessed
    - KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
    - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - gpio: adp5588: Fix sleep-in-atomic-context bug
    - mac80211: mesh: fix HWMP sequence numbering to follow standard
    - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
    - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
    - i2c: uniphier: issue STOP only for last message or I2C_M_STOP
    - i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
    - net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
    - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
    - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
    - mac80211: fix a race between restart and CSA flows
    - mac80211: Fix station bandwidth setting after channel switch
    - mac80211: shorten the IBSS debug messages
    - tools/vm/slabinfo.c: fix sign-compare warning
    - tools/vm/page-types.c: fix "defined but not used" warning
    - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
    - usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
    - perf probe powerpc: Ignore SyS symbols irrespective of endianness
    - RDMA/ucma: check fd type in ucma_migrate_id()
    - USB: yurex: Check for truncation in yurex_read()
    - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
    - fs/cifs: suppress a string overflow warning
    - dm thin metadata: try to avoid ever aborting transactions
    - arch/hexagon: fix kernel/dma.c build warning
    - hexagon: modify ffs() and fls() to return int
    - arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
    - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
    - s390/qeth: don't dump past end of unknown HW header
    - cifs: read overflow in is_valid_oplock_break()
    - xen/manage: don't complain about an empty value in control/sysrq node
    - xen: avoid crash in disable_hotplug_cpu
    - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
    - smb2: fix missing files in root share directory listing
    - crypto: mxs-dcp - Fix wait logic on chan threads
    - proc: restrict kernel stack dumps to root
    - ocfs2: fix locking for res->tracking and dlm->tracking_list
    - dm thin metadata: fix __udivdi3 undefined on 32-bit
    - Linux 4.4.160

* Volume control not working Dell XPS 27 (7760) (LP: #1775068) // Xenial
    update: 4.4.160 upstream stable release (LP: #1798770)
    - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760

* Xenial update: 4.4.160 upstream stable release (LP: #1798770) //
    CVE-2018-7755
    - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

* Xenial update: 4.4.159 upstream stable release (LP: #1798617)
    - NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
    - NFC: Fix the number of pipes
    - ASoC: cs4265: fix MMTLR Data switch control
    - ALSA: bebob: use address returned by kmalloc() instead of kernel stack for
      streaming DMA mapping
    - ALSA: emu10k1: fix possible info leak to userspace on
      SNDRV_EMU10K1_IOCTL_INFO
    - platform/x86: alienware-wmi: Correct a memory leak
    - xen/netfront: don't bug in case of too many frags
    - xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code
    - ring-buffer: Allow for rescheduling when removing pages
    - mm: shmem.c: Correctly annotate new inodes for lockdep
    - gso_segment: Reset skb->mac_len after modifying network header
    - ipv6: fix possible use-after-free in ip6_xmit()
    - net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
    - net: hp100: fix always-true check for link up state
    - neighbour: confirm neigh entries when ARP packet is received
    - ocfs2: fix ocfs2 read block panic
    - drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
    - tty: vt_ioctl: fix potential Spectre v1
    - ext4: avoid divide by zero fault when deleting corrupted inline directories
    - ext4: recalucate superblock checksum after updating free blocks/inodes
    - ext4: fix online resize's handling of a too-small final block group
    - ext4: fix online resizing for bigalloc file systems with a 1k block size
    - ext4: don't mark mmp buffer head dirty
    - arm64: Add trace_hardirqs_off annotation in ret_to_user
    - HID: sony: Update device ids
    - HID: sony: Support DS4 dongle
    - iw_cxgb4: only allow 1 flush on user qps
    - Linux 4.4.159

* Xenial update: 4.4.158 upstream stable release (LP: #1798587)
    - iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
    - ALSA: msnd: Fix the default sample sizes
    - ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
    - xfrm: fix 'passing zero to ERR_PTR()' warning
    - gfs2: Special-case rindex for gfs2_grow
    - clk: imx6ul: fix missing of_node_put()
    - kbuild: add .DELETE_ON_ERROR special target
    - dmaengine: pl330: fix irq race with terminate_all
    - MIPS: ath79: fix system restart
    - media: videobuf2-core: check for q->error in vb2_core_qbuf()
    - mtd/maps: fix solutionengine.c printk format warnings
    - fbdev: omapfb: off by one in omapfb_register_client()
    - video: goldfishfb: fix memory leak on driver remove
    - fbdev/via: fix defined but not used warning
    - perf powerpc: Fix callchain ip filtering when return address is in a
      register
    - fbdev: Distinguish between interlaced and progressive modes
    - ARM: exynos: Clear global variable on init error path
    - perf powerpc: Fix callchain ip filtering
    - powerpc/powernv: opal_put_chars partial write fix
    - MIPS: jz4740: Bump zload address
    - mac80211: restrict delayed tailroom needed decrement
    - xen-netfront: fix queue name setting
    - arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
    - s390/qeth: fix race in used-buffer accounting
    - s390/qeth: reset layer2 attribute on layer switch
    - platform/x86: toshiba_acpi: Fix defined but not used build warnings
    - crypto: sharah - Unregister correct algorithms for SAHARA 3
    - xen-netfront: fix warn message as irq device name has '/'
    - RDMA/cma: Protect cma dev list with lock
    - pstore: Fix incorrect persistent ram buffer mapping
    - xen/netfront: fix waiting for xenbus state change
    - IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
    - Tools: hv: Fix a bug in the key delete code
    - misc: hmc6352: fix potential Spectre v1
    - usb: Don't die twice if PCI xhci host is not responding in resume
    - USB: Add quirk to support DJI CineSSD
    - usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
    - usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
    - USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
    - USB: net2280: Fix erroneous synchronization change
    - USB: serial: io_ti: fix array underflow in completion handler
    - usb: misc: uss720: Fix two sleep-in-atomic-context bugs
    - USB: yurex: Fix buffer over-read in yurex_write()
    - usb: cdc-wdm: Fix a sleep-in-atomic-context bug in
      service_outstanding_interrupt()
    - cifs: prevent integer overflow in nxt_dir_entry()
    - CIFS: fix wrapping bugs in num_entries()
    - binfmt_elf: Respect error return from `regset->active'
    - audit: fix use-after-free in audit_add_watch
    - mtdchar: fix overflows in adjustment of `count`
    - MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
    - ARM: hisi: handle of_iomap and fix missing of_node_put
    - ARM: hisi: fix error handling and missing of_node_put
    - ARM: hisi: check of_iomap and fix missing of_node_put
    - drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
    - parport: sunbpp: fix error return code
    - coresight: Handle errors in finding input/output ports
    - coresight: tpiu: Fix disabling timeouts
    - gpiolib: Mark gpio_suffixes array with __maybe_unused
    - drm/amdkfd: Fix error codes in kfd_get_process
    - rtc: bq4802: add error handling for devm_ioremap
    - ALSA: pcm: Fix snd_interval_refine first/last with open min/max
    - selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock
      adjustments are in progress
    - drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
    - pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
    - USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
    - mei: bus: type promotion bug in mei_nfc_if_version()
    - drivers: net: cpsw: fix segfault in case of bad phy-handle
    - MIPS: VDSO: Match data page cache colouring when D$ aliases
    - Linux 4.4.158

* Xenial update: 4.4.157 upstream stable release (LP: #1798539)
    - i2c: xiic: Make the start and the byte count write atomic
    - i2c: i801: fix DNV's SMBCTRL register offset
    - ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
    - cfq: Give a chance for arming slice idle timer in case of group_idle
    - kthread: Fix use-after-free if kthread fork fails
    - kthread: fix boot hang (regression) on MIPS/OpenRISC
    - staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
    - staging/rts5208: Fix read overflow in memcpy
    - block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
    - locking/rwsem-xadd: Fix missed wakeup due to reordering of load
    - selinux: use GFP_NOWAIT in the AVC kmem_caches
    - locking/osq_lock: Fix osq_lock queue corruption
    - ARC: [plat-axs*]: Enable SWAP
    - misc: mic: SCIF Fix scif_get_new_port() error handling
    - ethtool: Remove trailing semicolon for static inline
    - gpio: tegra: Move driver registration to subsys_init level
    - scsi: target: fix __transport_register_session locking
    - md/raid5: fix data corruption of replacements after originals dropped
    - misc: ti-st: Fix memory leak in the error path of probe()
    - uio: potential double frees if __uio_register_device() fails
    - tty: rocket: Fix possible buffer overwrite on register_PCI
    - f2fs: do not set free of current section
    - perf tools: Allow overriding MAX_NR_CPUS at compile time
    - NFSv4.0 fix client reference leak in callback
    - macintosh/via-pmu: Add missing mmio accessors
    - ath10k: prevent active scans on potential unusable channels
    - MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
    - ata: libahci: Correct setting of DEVSLP register
    - scsi: 3ware: fix return 0 on the error path of probe
    - ath10k: disable bundle mgmt tx completion event support
    - Bluetooth: hidp: Fix handling of strncpy for hid->name information
    - x86/mm: Remove in_nmi() warning from vmalloc_fault()
    - gpio: ml-ioh: Fix buffer underwrite on probe error path
    - net: mvneta: fix mtu change on port without link
    - MIPS: Octeon: add missing of_node_put()
    - net: dcb: For wild-card lookups, use priority -1, not 0
    - Input: atmel_mxt_ts - only use first T9 instance
    - iommu/ipmmu-vmsa: Fix allocation in atomic context
    - mfd: ti_am335x_tscadc: Fix struct clk memory leak
    - f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
    - MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
    - RDMA/cma: Do not ignore net namespace for unbound cm_id
    - xhci: Fix use-after-free in xhci_free_virt_device
    - vmw_balloon: include asm/io.h
    - netfilter: x_tables: avoid stack-out-of-bounds read in
      xt_copy_counters_from_user
    - drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac
      config
    - net: ethernet: ti: cpsw: fix mdio device reference leak
    - ethernet: ti: davinci_emac: add missing of_node_put after calling
      of_parse_phandle
    - crypto: vmx - Fix sleep-in-atomic bugs
    - mtd: ubi: wl: Fix error return code in ubi_wl_init()
    - autofs: fix autofs_sbi() does not check super block type
    - Linux 4.4.157

* Xenial update: 4.4.156 upstream stable release (LP: #1797563)
    - staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
    - net: bcmgenet: use MAC link status for fixed phy
    - qlge: Fix netdev features configuration.
    - tcp: do not restart timewait timer on rst reception
    - vti6: remove !skb->ignore_df check from vti6_xmit()
    - cifs: check if SMB2 PDU size has been padded and suppress the warning
    - hfsplus: don't return 0 when fill_super() failed
    - hfs: prevent crash on exit from failed search
    - fork: don't copy inconsistent signal handler state to child
    - reiserfs: change j_timestamp type to time64_t
    - hfsplus: fix NULL dereference in hfsplus_lookup()
    - fat: validate ->i_start before using
    - scripts: modpost: check memory allocation results
    - mm/fadvise.c: fix signed overflow UBSAN complaint
    - fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
    - ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
    - mfd: sm501: Set coherent_dma_mask when creating subdevices
    - platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
    - irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
    - net/9p: fix error path of p9_virtio_probe
    - powerpc: Fix size calculation using resource_size()
    - s390/dasd: fix hanging offline processing due to canceled worker
    - scsi: aic94xx: fix an error code in aic94xx_init()
    - PCI: mvebu: Fix I/O space end address calculation
    - dm kcopyd: avoid softlockup in run_complete_job
    - staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
    - selftests/powerpc: Kill child processes on SIGINT
    - smb3: fix reset of bytes read and written stats
    - SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
    - powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
    - btrfs: replace: Reset on-disk dev stats value after replace
    - btrfs: relocation: Only remove reloc rb_trees if reloc control has been
      initialized
    - btrfs: Don't remove block group that still has pinned down bytes
    - debugobjects: Make stack check warning more informative
    - x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
    - kbuild: make missing $DEPMOD a Warning instead of an Error
    - Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
    - enic: do not call enic_change_mtu in enic_probe
    - Fixes: Commit cdbf92675fad ("mm: numa: avoid waiting on freed migrated
      pages")
    - genirq: Delay incrementing interrupt count if it's disabled/pending
    - irqchip/gic-v3-its: Recompute the number of pages on page size change
    - irqchip/gicv3-its: Fix memory leak in its_free_tables()
    - irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
    - irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
    - irqchip/gic: Make interrupt ID 1020 invalid
    - ovl: rename is_merge to is_lowest
    - ovl: override creds with the ones from the superblock mounter
    - ovl: proper cleanup of workdir
    - sch_htb: fix crash on init failure
    - sch_multiq: fix double free on init failure
    - sch_hhf: fix null pointer dereference on init failure
    - sch_netem: avoid null pointer deref on init failure
    - sch_tbf: fix two null pointer dereferences on init failure
    - mei: me: allow runtime pm for platform with D0i3
    - ASoC: wm8994: Fix missing break in switch
    - btrfs: use correct compare function of dirty_metadata_bytes
    - Linux 4.4.156

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Wed, 24 Oct 2018 09:57:17 +0000

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Triaged	Medium	Unassigned
	Xenial	Fix Released	Medium	Unassigned

Ubuntu
linux package

xenial: virtio-scsi: CPU soft lockup due to loop in virtscsi_target_destroy()

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntulinux package

xenial: virtio-scsi: CPU soft lockup due to loop in virtscsi_target_destroy()

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package