Red Hat Bugzilla – Bug 171061
Reproducible kernel panic on NFS unmount
Last modified: 2007-11-30 17:11:15 EST
(I sent a similar bug report to LKML, but lacking a response there, I decided
to file it here for posterity and tracking.)
There seems to be some bug in the 2.6.12-1.1447_FC4 kernel NFS client: if
you unmount at the right time, when the TCP connection to the NFS server
is closed, and there's an outstanding request, the reconnect timer doesn't
seem to be deleted(?), and RPC_REESTABLISH_TIMEOUT/HZ seconds later, the
kernel panics with something like:
kernel BUG at kernel/timer.c:418!
invalid operand: 0000 [#1]
Kernel panic - not syncing: Fatal exception in interrupt
and the call trace is different every time.
The attached shell script (and funmount.c program) reproduce the problem.
Run the shell script with one argument (nfs-server:/exported/path) and it
will do the following:
* mount the NFS server
* set up iptables to RST the TCP connection
* create an outstanding request to the NFS server (statvfs)
* call umount2(/mountpoint, MNT_FORCE | MNT_DETACH)
* 15 seconds later, the kernel panics
Created attachment 120081
program to call umount2(MNT_FORCE | MNT_DETACH)
Created attachment 120082
Shell script to trigger bug
This appears to be fixed in the latest FC4 kernel.
2.6.14-1.1637_FC4 has been released as an update for FC4.
Please retest with this update, as a large amount of code has been changed in
this release, which may have fixed your problem.
This is a mass-update to all currently open kernel bugs.
A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.
Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.
This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in Bugzilla, if this bug is
still in this state in two weeks' time, it will be closed.
Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.
If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.
Closing per previous comments.
Appears to have been fixed in the upstream kernel and in
released FC4 kernels.