kernel BUG at include/linux/dcache.h:282!
invalid operand: 0000 [#1]
Modules linked in: nfsd exportfs lockd sunrpc ipv6 e100 mii dm_mod uhci_hcd button battery asus_acpi ac ext3 jbd
CPU:    0
EIP:    0060:[<329708c0>]    Not tainted
EFLAGS: 00010246   (2.6.6-1.383)
EIP is at nfsd_acceptable+0x28/0xaf [nfsd]
eax: 00000000   ebx: 31f95800   ecx: 2cb3e35c   edx: 2d1d989c
esi: 30f7c8d4   edi: 30f7c8d4   ebp: 00000000   esp: 3117db74
ds: 007b   es: 007b   ss: 0068
Process nfsd (pid: 1070, threadinfo=3117d000 task=2d1ee0f0)
Stack: 31f95800 30f7c8d4 2d0ba800 32847084 00000011 4075650e 3287a8e8 ffffff8c
       00000000 2d1d989c 3117ddc0 31f95800 00000246 00000000 ffffffff 31dd6940
       31fd8040 0223580f 31dd6940 31dd6940 2d5c2368 00000246 00000000 2b5c2368
Call Trace:
 [<32847084>] find_exported_dentry+0x84/0x52c [exportfs]
 [<0223580f>] __kfree_skb+0xe3/0xe6
 [<02242aec>] qdisc_restart+0x10/0xb1
 [<02238f70>] dev_queue_xmit+0xe2/0x1b4
 [<0224d71a>] ip_finish_output+0x12b/0x199
 [<0224f13c>] ip_push_pending_frames+0x29b/0x37c
 [<022664d5>] udp_push_pending_frames+0x1cd/0x1e9
 [<02266a08>] udp_sendmsg+0x4da/0x56c
 [<022355d0>] alloc_skb+0x32/0xc3
 [<02235009>] sock_alloc_send_skb+0xc/0xf
 [<0224e7ab>] ip_append_data+0x2c4/0x68a
 [<021179b9>] autoremove_wake_function+0x0/0x2d
 [<0224e460>] ip_generic_getfrag+0x0/0x87
 [<022669dc>] udp_sendmsg+0x4ae/0x56c
 [<02266a08>] udp_sendmsg+0x4da/0x56c
 [<0226c6f1>] inet_sendmsg+0x38/0x42
 [<32847795>] export_decode_fh+0x50/0x56 [exportfs]
 [<32970898>] nfsd_acceptable+0x0/0xaf [nfsd]
 [<32847745>] export_decode_fh+0x0/0x56 [exportfs]
 [<32970c90>] fh_verify+0x349/0x4bb [nfsd]
 [<32970898>] nfsd_acceptable+0x0/0xaf [nfsd]
 [<32971f04>] nfsd_open+0x1f/0x131 [nfsd]
 [<3297246a>] nfsd_write+0x42/0x296 [nfsd]
 [<02266b58>] udp_sendpage+0xbe/0x10f
 [<022369e9>] skb_copy_and_csum_bits+0x21c/0x284
 [<3292db17>] skb_read_and_csum_bits+0x21/0x5e [sunrpc]
 [<32934b65>] svcauth_unix_accept+0x1fc/0x26c [sunrpc]
 [<3296fef3>] nfsd_proc_write+0xa1/0xa9 [nfsd]
 [<32976900>] nfssvc_decode_writeargs+0x0/0xd8 [nfsd]
 [<3296f54e>] nfsd_dispatch+0xbf/0x165 [nfsd]
 [<32931cac>] svc_process+0x323/0x55f [sunrpc]
 [<3296f355>] nfsd+0x18f/0x2c9 [nfsd]
 [<3296f1c6>] nfsd+0x0/0x2c9 [nfsd]
 [<021041d9>] kernel_thread_helper+0x5/0xb
Code: 0f 0b 1a 01 c1 61 98 32 ff 02 3b 57 20 89 d6 74 61 3b 52 0c

Woke up this morning to find the -391 kernel is even worse with this problem. Lots of copies of this backtrace in dmesg. Additionally, the client had been trying to save a JPEG (webcam applet). It was prepending 2KB of zeros before the data, and occasionally would just hang in close() (I'll bet the hangs coincide with the oops on the server).
Client in this case was a Debian box running 2.6.3-rc2. I'm going to update that to run the latest tree, and see if the problem persists. (Though despite this, no matter what, the server obviously shouldn't oops even if this does fix the problem.)
Neil Brown fixed this in 2.6.7-rc2.