171061 – Reproducible kernel panic on NFS unmount

Bug 171061 - Reproducible kernel panic on NFS unmount

Summary: Reproducible kernel panic on NFS unmount

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Steve Dickson
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-10-17 20:03 UTC by Nickolai Zeldovich
Modified:	2007-11-30 22:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-05-05 21:20:52 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
program to call umount2(MNT_FORCE \| MNT_DETACH) (334 bytes, text/plain) 2005-10-17 20:03 UTC, Nickolai Zeldovich	no flags	Details
Shell script to trigger bug (507 bytes, text/plain) 2005-10-17 20:04 UTC, Nickolai Zeldovich	no flags	Details
View All

Description Nickolai Zeldovich 2005-10-17 20:03:44 UTC

(I sent a similar bug report to LKML, but lacking a response there, I decided 
to file it here for posterity and tracking.)

There seems to be some bug in the 2.6.12-1.1447_FC4 kernel NFS client: if 
you unmount at the right time, when the TCP connection to the NFS server 
is closed, and there's an outstanding request, the reconnect timer doesn't 
seem to be deleted(?), and RPC_REESTABLISH_TIMEOUT/HZ seconds later, the 
kernel panics with something like: 

kernel BUG at kernel/timer.c:418! 
invalid operand: 0000 [#1] 
... 
Kernel panic - not syncing: Fatal exception in interrupt 

and the call trace is different every time. 

The attached shell script (and funmount.c program) reproduce the problem. 
Run the shell script with one argument (nfs-server:/exported/path) and it 
will do the following: 

* mount the NFS server 
* set up iptables to RST the TCP connection 
* create an outstanding request to the NFS server (statvfs) 
* call umount2(/mountpoint, MNT_FORCE | MNT_DETACH) 
* 15 seconds later, the kernel panics 

-- kolya

Comment 1 Nickolai Zeldovich 2005-10-17 20:03:44 UTC

Created attachment 120081 [details]
program to call umount2(MNT_FORCE | MNT_DETACH)

Comment 2 Nickolai Zeldovich 2005-10-17 20:04:47 UTC

Created attachment 120082 [details]
Shell script to trigger bug

Comment 3 Steve Dickson 2005-10-31 20:28:43 UTC

This appears to be fixed in the latest FC4 kernel.

Comment 4 Dave Jones 2005-11-10 20:06:13 UTC

2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.

Thank you.

Comment 5 Dave Jones 2006-02-03 07:11:55 UTC

This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.

Comment 6 John Thacker 2006-05-05 21:20:52 UTC

Closing per previous comments.
Appears to have been fixed in the upstream kernel and in 
released FC4 kernels.

Note You need to log in before you can comment on or make changes to this bug.