Bug 1233284
Summary: | RHEL7: repeated NFS4 server untainted kernel panic with RIP locks_in_grace called from nfsd4_process_open2, xfs used as export for diskless NFS clients | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Dave Wysochanski <dwysocha> |
Component: | kernel | Assignee: | J. Bruce Fields <bfields> |
kernel sub component: | NFS | QA Contact: | JianHong Yin <jiyin> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | ||
Priority: | high | CC: | bfields, cww, eguan, fsorenso, fs-qe, jiyin, jlayton, plambri, smayhew, steved, swhiteho, tlavigne, vaggarwa |
Version: | 7.1 | ||
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | kernel-3.10.0-325.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-19 22:42:51 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1133060 |
Description
Dave Wysochanski
2015-06-18 15:18:23 UTC
I can't find a kernel-3.10.0-229.4.2.el7 tag in any of the usual repositories. Where's it from? Anyway, so the "unrecognized reply" messages mean we got a reply with an xid that doesn't match any on the &xprt->recv list. That means no such request was transmitted (by xprt_transmit()). Or it was removed by xprt_release or xprt_complete_rqst. I *think* this could happen just because we gave up waiting for the reply. (In which case maybe that printk should be a dprintk.) But it's a sign there may be lots of delegation recalls going on. "testing state ID with incorrect client ID" means the server thinks a TEST_STATEID op was sent for a stateid associated with a client different from the client associated with the session over which the TEST_STATEID was sent. Perhaps this could be the result of some confusion in the server's data structures but the most straightforward explanation would be just that that's really what the client did (perhaps as a result of a bug in client recovery code?) Again, maybe this should be a dprintk. So the list corruption warning is the first really interesting thing. We tried to add a new delegation to either the per-file or per-client list and found the list was corrupted (the list head still points to the first item but it point to itself?). (In reply to J. Bruce Fields from comment #2) > I can't find a kernel-3.10.0-229.4.2.el7 tag in any of the usual > repositories. Where's it from? > It's one of our CVE kernels. There's only one change past the 229.7.1.el7 kernel and it is to fix a pipe corruption: * Fri May 15 2015 Phillip Lougher <plougher> [3.10.0-229.7.2.el7] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1202861 1198843] {CVE-2015-1805} * Fri May 15 2015 Phillip Lougher <plougher> [3.10.0-229.7.1.el7] Sorry - wrong version: * Fri Apr 24 2015 Phillip Lougher <plougher> [3.10.0-229.4.2.el7] - [x86] crypto: aesni - fix memory usage in GCM decryption (Kurt Stutsman) [1213331 1212178] {CVE-2015-3331} * Tue Apr 14 2015 Phillip Lougher <plougher> [3.10.0-229.4.1.el7] Christoph also did some callback-related fixes upstream: see the three commits 8287f009bd95a5e548059dba62a67727bb9549cd..4bd9e9b77fc6787c45b8bb439f6511aa3478606c. I don't yet see any explanation there for these symptoms, but there might be something. And the last ("skip CB_NULL probes...") might at least mitigate the problem by cutting down on the number of callbacks. I suspect there are actually two different problems. The oops will probably be fixed by e85687393f3e "nfsd: ensure that the ol stateid hash reference is only put once" 3fcbbd244ed1 "nfsd: ensure that delegation stateid hash references are only put once" We've had other reports of list corruption upstream and in Fedora, so I think it's critical to backport those now. The "unrecognized reply" warnings are less critical, but we should look into those too. Would the customer be willing to test backported callback fixes? I've opened https://bugzilla.redhat.com/show_bug.cgi?id=1271366 for the "unrecognized reply" messages. (Which are probably unrelated to the cause of the actual crash here.) Patch(es) available on kernel-3.10.0-325.el7 *** Bug 1277610 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2152.html |