Bug 171061 - Reproducible kernel panic on NFS unmount
Reproducible kernel panic on NFS unmount
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Steve Dickson
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2005-10-17 16:03 EDT by Nickolai Zeldovich
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-05-05 17:20:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
program to call umount2(MNT_FORCE | MNT_DETACH) (334 bytes, text/plain)
2005-10-17 16:03 EDT, Nickolai Zeldovich
no flags Details
Shell script to trigger bug (507 bytes, text/plain)
2005-10-17 16:04 EDT, Nickolai Zeldovich
no flags Details

  None (edit)
Description Nickolai Zeldovich 2005-10-17 16:03:44 EDT
(I sent a similar bug report to LKML, but lacking a response there, I decided 
to file it here for posterity and tracking.)

There seems to be some bug in the 2.6.12-1.1447_FC4 kernel NFS client: if 
you unmount at the right time, when the TCP connection to the NFS server 
is closed, and there's an outstanding request, the reconnect timer doesn't 
seem to be deleted(?), and RPC_REESTABLISH_TIMEOUT/HZ seconds later, the 
kernel panics with something like: 

kernel BUG at kernel/timer.c:418! 
invalid operand: 0000 [#1] 
Kernel panic - not syncing: Fatal exception in interrupt 

and the call trace is different every time. 

The attached shell script (and funmount.c program) reproduce the problem. 
Run the shell script with one argument (nfs-server:/exported/path) and it 
will do the following: 

* mount the NFS server 
* set up iptables to RST the TCP connection 
* create an outstanding request to the NFS server (statvfs) 
* call umount2(/mountpoint, MNT_FORCE | MNT_DETACH) 
* 15 seconds later, the kernel panics 

-- kolya
Comment 1 Nickolai Zeldovich 2005-10-17 16:03:44 EDT
Created attachment 120081 [details]
program to call umount2(MNT_FORCE | MNT_DETACH)
Comment 2 Nickolai Zeldovich 2005-10-17 16:04:47 EDT
Created attachment 120082 [details]
Shell script to trigger bug
Comment 3 Steve Dickson 2005-10-31 15:28:43 EST
This appears to be fixed in the latest FC4 kernel. 
Comment 4 Dave Jones 2005-11-10 15:06:13 EST
2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.

Thank you.
Comment 5 Dave Jones 2006-02-03 02:11:55 EST
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.
Comment 6 John Thacker 2006-05-05 17:20:52 EDT
Closing per previous comments.
Appears to have been fixed in the upstream kernel and in 
released FC4 kernels.

Note You need to log in before you can comment on or make changes to this bug.