This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 458774 - Kernel BUG at fs/nfs/namespace.c:103 (:nfs:nfs_follow_mountpoint)
Kernel BUG at fs/nfs/namespace.c:103 (:nfs:nfs_follow_mountpoint)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.2
All Linux
urgent Severity high
: rc
: ---
Assigned To: Steve Dickson
Martin Jenner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-12 03:58 EDT by Vasily Averin
Modified: 2010-10-22 23:35 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 14:41:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
serial console log (34.48 KB, text/plain)
2008-08-12 03:58 EDT, Vasily Averin
no flags Details
tcpdump binary logs, use wireshark to decode it (17.22 KB, application/octet-stream)
2008-08-12 03:59 EDT, Vasily Averin
no flags Details
Patch from Denis V.Lunev (1.06 KB, patch)
2008-08-12 04:07 EDT, Vasily Averin
no flags Details | Diff

  None (edit)
Description Vasily Averin 2008-08-12 03:58:19 EDT
Created attachment 314065 [details]
serial console log

Description of problem:
OpenVZ kernel team discovered reproduceable BUG inside NFS clinet due improper configuration of NFS server. SOme more details can be found in
https://bugzilla.redhat.com/show_bug.cgi?id=458622

Version-Release number of selected component (if applicable):
2.6.18-92.1.10.el5

How reproducible:
NFS server FC8, configuration:
[root@tc27 proc]# cat /etc/exports 
/nfs_share ts27.qa.sw.ru(rw,no_root_squash,no_subtree_check,crossmnt)
/nfs_share/boo *(rw,no_root_squash,no_subtree_check)
[root@tc27 proc]# cat /proc/mounts 
/dev/mapper/vzvg-vz /nfs_share ext3 rw,data=ordered 0 0
/dev/sda1 /nfs_share/boo ext3 rw,data=ordered 0 0

Steps to Reproduce:
use the following script on client side
#!/bin/bash

stat -f /mnt/nfs/ | grep -q 'Type: nfs' ||
mount -v -t nfs tc27:/nfs_share /mnt/nfs -o vers=3,tcp,hard,nointr
{
ls /mnt/nfs
ls /mnt/nfs/boo
} >/dev/null

echo ===========================
grep nfs /proc/mounts
umount /mnt/nfs/

Actual results:
"ls /mnt/nfs/boo" leads to kernel panic

----------- [cut here ] --------- [please bite here ] ---------
Kernel BUG at fs/nfs/namespace.c:103
invalid opcode: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:1c.1/0000:02:00.0/irq
CPU 1
Modules linked in: nfs lockd fscache nfs_acl xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables ipv6 xfrm_nalgo crypto_api autofs4 hidp rfcomm l2cap bluetooth sunrpc dm_multipath video sbs backlight i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg snd_hda_intel snd_hda_codec snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e1000e floppy ide_cd shpchp pcspkr i2c_i801 cdrom parport_pc serio_raw i2c_core parport dm_snapshot dm_zero dm_mirror dm_mod ata_piix libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 3043, comm: ls Not tainted 2.6.18-92.1.10.el5 #1
RIP: 0010:[<ffffffff885aef20>]  [<ffffffff885aef20>] :nfs:nfs_follow_mountpoint+0x2d/0x1d9
RSP: 0018:ffff8100b83ebaf8  EFLAGS: 00010246
RAX: ffff8100b792c400 RBX: ffff8100b83eeed0 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffff8100b83ebea8 RDI: ffff8100b83eeed0
RBP: ffff8100b83ebea8 R08: ffff8100b83ebb28 R09: ffff8100b83ebea8
R10: ffff8100b83ebc08 R11: 0000000000000048 R12: ffff8100b83ebea8
R13: ffff8100c4459a00 R14: 0000000000000000 R15: ffff8100b7d2e00c
FS:  00002ba785ec1a50(0000) GS:ffff8100c77657c0(0000) knlGS:0000000000000000

CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000003586294290 CR3: 00000000b7c58000 CR4: 00000000000006e0
Process ls (pid: 3043, threadinfo ffff8100b83ea000, task ffff8100c732a100)
Stack:  0000000000000000 0000000000000002 ffff8100b83ebc08 ffffffff8011f531
 ffff8100b83ebc08 ffff8100c379ac68 ffffffffffffffff ffffffff00000000
 0000018b00000001 ffff8100c732a100 ffff8100b7f07a40 ffff8100b79a5420
Call Trace:

 [<ffffffff8011f531>] avc_has_perm+0x43/0x55
 [<ffffffff8011fd84>] inode_has_perm+0x56/0x63
 [<ffffffff8011f531>] avc_has_perm+0x43/0x55
 [<ffffffff885a208e>] :nfs:nfs_access_get_cached+0xab/0xfa

 [<ffffffff801247f7>] selinux_inode_follow_link+0x5f/0x6a
 [<ffffffff8000a0e3>] __link_path_walk+0xb71/0xf42
 [<ffffffff8000cd69>] file_read_actor+0x0/0x154
 [<ffffffff8000e782>] link_path_walk+0x5c/0xe5

 [<ffffffff8000c965>] do_path_lookup+0x270/0x2e8
 [<ffffffff8012021f>] selinux_file_alloc_security+0x2a/0x53
 [<ffffffff80023514>] __path_lookup_intent_open+0x56/0x97
 [<ffffffff8001a98d>] open_namei+0x73/0x6d5
 [<ffffffff800668a2>] do_page_fault+0x4fe/0x830
 [<ffffffff80027363>] do_filp_open+0x1c/0x38
 [<ffffffff80019759>] do_sys_open+0x44/0xbe
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

Code: 0f 0b 68 23 77 5c 88 c2 67 00 49 8b 3c 24 e8 f3 e0 a5 f7 8b
RIP  [<ffffffff885aef20>] :nfs:nfs_follow_mountpoint+0x2d/0x1d9
 RSP <ffff8100b83ebaf8>
 <0>Kernel panic - not syncing: Fatal exception
 <0>Rebooting in 30 seconds..

Additional info:
full serial console logs and tcpdump logs are attached
please decode tcpdump.log file by using wireshark and pay attention to packets #96 and #97:
packet #96:  NFS client send GETATTR CALL for fsid 8001
packet #97:  NFS server send GETATTR REPLY for incorrect fsid (fd00 instead 8001), that lead to BUG on clinet side
Comment 1 Vasily Averin 2008-08-12 03:59:47 EDT
Created attachment 314066 [details]
tcpdump binary logs, use wireshark to decode it
Comment 2 Vasily Averin 2008-08-12 04:07:49 EDT
Created attachment 314067 [details]
Patch from Denis V.Lunev
Comment 5 RHEL Product and Program Management 2008-10-08 09:17:15 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Linda Wang 2008-10-18 17:28:34 EDT
patch posted on 10/18/08: 
http://post-office.corp.redhat.com/archives/rhkernel-list/2008-October/msg00492.html
Comment 7 Don Zickus 2008-10-29 12:17:53 EDT
in kernel-2.6.18-121.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 13 errata-xmlrpc 2009-01-20 14:41:04 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html

Note You need to log in before you can comment on or make changes to this bug.