Bug 171061

Summary: Reproducible kernel panic on NFS unmount
Product: [Fedora] Fedora
Reporter: Nickolai Zeldovich <kolya>
Component: kernel
Assignee: Steve Dickson <steved>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 4
CC: davej, wtogami
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-05 21:20:52 UTC
Attachments:
* program to call umount2(MNT_FORCE | MNT_DETACH) (flags: none)
* Shell script to trigger bug (flags: none)

Description Nickolai Zeldovich 2005-10-17 20:03:44 UTC
(I sent a similar bug report to LKML, but lacking a response there, I decided 
to file it here for posterity and tracking.)

There seems to be some bug in the 2.6.12-1.1447_FC4 kernel NFS client: if 
you unmount at the right time, when the TCP connection to the NFS server 
is closed, and there's an outstanding request, the reconnect timer doesn't 
seem to be deleted(?), and RPC_REESTABLISH_TIMEOUT/HZ seconds later, the 
kernel panics with something like: 

kernel BUG at kernel/timer.c:418! 
invalid operand: 0000 [#1] 
... 
Kernel panic - not syncing: Fatal exception in interrupt 

and the call trace is different every time. 

The attached shell script (and funmount.c program) reproduce the problem. 
Run the shell script with one argument (nfs-server:/exported/path) and it 
will do the following: 

* mount the NFS server 
* set up iptables to RST the TCP connection 
* create an outstanding request to the NFS server (statvfs) 
* call umount2(/mountpoint, MNT_FORCE | MNT_DETACH) 
* 15 seconds later, the kernel panics 

-- kolya
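
Added example, not part of the original report, its attachments or the kernel source: a userspace C model of the failure mode the description suspects, where a transport is torn down while its reconnect timer is still pending. All struct and function names are hypothetical, and the 15-tick delay stands in for RPC_REESTABLISH_TIMEOUT/HZ.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy userspace model; every name here is hypothetical, not kernel code. */
struct timer { bool pending; unsigned long expires; void (*fn)(void *); void *data; };
struct xprt  { bool alive; int reconnects; struct timer reconnect; };

static int stale_fires;  /* callbacks that ran against a torn-down transport */

static void reconnect_fn(void *data) {
    struct xprt *x = data;
    if (!x->alive) { stale_fires++; return; }  /* real kernel: freed memory */
    x->reconnects++;
}

/* Connection was reset: schedule a reconnect attempt `delay` ticks from now. */
static void arm_reconnect(struct xprt *x, unsigned long now, unsigned long delay) {
    x->reconnect = (struct timer){ true, now + delay, reconnect_fn, x };
}

/* Returns true if a pending timer was cancelled. */
static bool cancel_timer(struct timer *t) {
    bool was_pending = t->pending;
    t->pending = false;
    return was_pending;
}

/* Stand-in for the timer softirq: fire the timer once it has expired. */
static void run_timers(struct xprt *x, unsigned long now) {
    struct timer *t = &x->reconnect;
    if (t->pending && now >= t->expires) { t->pending = false; t->fn(t->data); }
}

/* Teardown that forgets the timer, and teardown that cancels it first. */
static void destroy_unsafe(struct xprt *x) { x->alive = false; }
static void destroy_safe(struct xprt *x)   { cancel_timer(&x->reconnect); x->alive = false; }

/* RST -> reconnect armed -> forced unmount -> timeout elapses. */
int simulate(bool safe) {
    struct xprt x = { .alive = true };
    stale_fires = 0;
    arm_reconnect(&x, 0, 15);
    if (safe) destroy_safe(&x); else destroy_unsafe(&x);
    run_timers(&x, 15);
    return stale_fires;
}

int main(void) {
    printf("teardown without cancel: %d stale callback(s)\n", simulate(false));
    printf("teardown with cancel:    %d stale callback(s)\n", simulate(true));
    return 0;
}
```

In the model the transport memory stays valid so the stale callback can be counted safely; in a kernel the same ordering would run a timer against freed state.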

Comment 1 Nickolai Zeldovich 2005-10-17 20:03:44 UTC
Created attachment 120081
program to call umount2(MNT_FORCE | MNT_DETACH)

Comment 2 Nickolai Zeldovich 2005-10-17 20:04:47 UTC
Created attachment 120082
Shell script to trigger bug

Comment 3 Steve Dickson 2005-10-31 20:28:43 UTC
This appears to be fixed in the latest FC4 kernel. 

Comment 4 Dave Jones 2005-11-10 20:06:13 UTC
2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.

Thank you.


Comment 5 Dave Jones 2006-02-03 07:11:55 UTC
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks' time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.


Comment 6 John Thacker 2006-05-05 21:20:52 UTC
Closing per previous comments.
Appears to have been fixed in the upstream kernel and in 
released FC4 kernels.