how is recv(..., MSG_PEEK) racy?

[Abhijit Menon-Sen]

(I'm reposting to linux-kernel because I got no response on netdev.)

I'm trying to understand a fetchmail problem that causes large downloads
from IMAP servers to fail randomly. For some reason, fetchmail uses the
following bizarre code inside a loop to read data from the server:

    if ((n = recv(sock, bp, len, MSG_PEEK)) <= 0)
        return (-1);

    if ((newline = memchr(bp, '\n', n)) != NULL)
        n = newline - bp + 1;

    if ((n = read(sock, bp, n)) == -1)
        return (-1);

The problem occurs (at an unpredictable time, but very often, and with a
greater probability with a larger attachment) when the recv() returns 0,
although tcpdump doesn't show the server closing the connection, or any
other unusual behaviour.

Are there any circumstances other than the connection being closed where
recv(..., MSG_PEEK) can return 0? (Stevens/SUSv3 don't mention any.)

I found the following (paraphrased) comment in net/ipv4/tcp.c:

    if ((flags & MSG_PEEK) && peek_seq != tp->copied_seq) {
        printk(KERN_DEBUG "TCP(%s:%d): Application bug, race in MSG_PEEK.\n",
               current->comm, current->pid);

While fetchmail doesn't seem to be triggering that printk(), I'm curious
about what the race condition is. Google found a post by DaveM saying it
has something to do with URG data, but without any further details. I'd
appreciate any explanation of the problem(s).

Thank you.

-- ams
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/