Bug 483617 - reproducible panic in debugfs_remove when unmounting gfs2 filesystem
reproducible panic in debugfs_remove when unmounting gfs2 filesystem
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
urgent Severity high
: rc
: ---
Assigned To: Abhijith Das
Cluster QE
: ZStream
Depends On:
Blocks: 483701 485910 485920
  Show dependency treegraph
Reported: 2009-02-02 11:29 EST by Jeff Layton
Modified: 2014-06-18 03:38 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-02 04:01:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
This should fix the problem (1.21 KB, patch)
2009-02-04 14:54 EST, Abhijith Das
no flags Details | Diff

  None (edit)
Description Jeff Layton 2009-02-02 11:29:51 EST
Easily reproducible panic when unmounting a GFS2 filesystem. It seems like I saw this panic in rawhide a few months ago, so I expect that this is a known issue.

general protection fault: 0000 [1] SMP 
last sysfs file: /kernel/dlm/lt1/event_done
CPU 1 
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lock_dlm gfs2 dlm configfs rpcsec_gss_krb5 auth_rpcgss testmgr_cipher testmgr aead crypto_blkcipher crypto_algapi des sunrpc ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 xfrm_nalgo crypto_api dm_multipath scsi_dh video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac parport_pc lp parport floppy xen_vbd 8139too i2c_piix4 xen_platform_pci 8139cp i2c_core mii pcspkr serio_raw dm_snapshot dm_zero dm_mirror dm_log dm_mod ata_piix libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 2639, comm: umount.gfs2 Not tainted 2.6.18-128.el5debug #1
RIP: 0010:[<ffffffff8012304c>]  [<ffffffff8012304c>] debugfs_remove+0x12/0xc2
RSP: 0018:ffff8100081ede68  EFLAGS: 00010202
RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: 0000000000000001
RDX: ffff81001e7858c0 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6b6b
RBP: ffffffff8848c880 R08: ffff81001e7858c0 R09: 0000000000000001
R10: 0000000000000246 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fff35b0b250 R15: 0000000000000000
FS:  00002b9274fb0210(0000) GS:ffff81001ffea430(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00002b6672dbb51c CR3: 00000000081d2000 CR4: 00000000000006e0
Process umount.gfs2 (pid: 2639, threadinfo ffff8100081ec000, task ffff810006afa240)
Stack:  00007fff35b0b250 ffff81000e85a000 ffffffff8848c880 ffffffff8845fddd
 ffff8100180ae2c8 ffffffff800ea763 ffff8100180ae2c8 ffff81001c7ef5f0
 ffff8100180ae2c8 ffffffff800f4225 ffff81000f3ac410 ffff81001c7ef5f0
Call Trace:
 [<ffffffff8845fddd>] :gfs2:gfs2_delete_debugfs_file+0x24/0x48
 [<ffffffff800ea763>] deactivate_super+0x6c/0x84
 [<ffffffff800f4225>] sys_umount+0x246/0x28a
 [<ffffffff800be99f>] audit_syscall_entry+0x16e/0x1a1
 [<ffffffff800602a6>] tracesys+0xd5/0xdf

Code: 48 8b 6f 58 48 85 ed 0f 84 9f 00 00 00 48 8b 45 40 48 85 c0 
RIP  [<ffffffff8012304c>] debugfs_remove+0x12/0xc2
 RSP <ffff8100081ede68>
 <0>Kernel panic - not syncing: Fatal exception
Comment 1 Abhijith Das 2009-02-04 14:54:42 EST
Created attachment 330912 [details]
This should fix the problem

This is the RHEL5 version of the following upstream fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=88a19ad066c1aab2f9713beb670525fcc06e1c09
Comment 2 Abhijith Das 2009-02-04 23:37:57 EST
Posted above patch to rhkernel-list
Comment 3 Steve Whitehouse 2009-02-05 05:54:07 EST
Do we need to clone this for 5.3.z ?
Comment 4 RHEL Product and Program Management 2009-02-05 07:06:06 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 5 Jeff Layton 2009-02-05 09:33:49 EST
Confirmed. Patch seems to fix the panic.
Comment 7 Steve Whitehouse 2009-02-05 10:35:03 EST

I'd like to have this cloned for z-stream for 5.3. Can I do that, or do I have to ask you to do it, or ...?
Comment 9 Nate Straz 2009-02-05 10:41:42 EST
What was the procedure to reproduce this panic?
Comment 10 Steve Whitehouse 2009-02-05 10:48:42 EST
Just umount the fs. Some people always seem to see it, others never see it. Its a simple use-after-free bug.
Comment 11 Jeff Layton 2009-02-05 10:52:40 EST
It's easily reproducible if you're using kernel-debug since the memory poisoning helps trigger the panic.
Comment 12 RHEL Product and Program Management 2009-02-16 10:04:21 EST
Updating PM score.
Comment 14 Don Zickus 2009-02-23 15:03:31 EST
in kernel-2.6.18-132.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 16 Nate Straz 2009-06-23 11:52:18 EDT
I tried the scenario in comment #11 with the debug version of 2.6.18-154.el5 and was not able to hit the panic.
Comment 18 errata-xmlrpc 2009-09-02 04:01:43 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.