There seems to be some bug in the 2.6.12-1.1447_FC4 kernel NFS client: if
you unmount at the right time, when the TCP connection to the NFS server
is closed, and there's an outstanding request, the reconnect timer doesn't
seem to be deleted(?), and RPC_REESTABLISH_TIMEOUT/HZ seconds later, the
kernel panics with something like:
kernel BUG at kernel/timer.c:418!
invalid operand: 0000 [#1]
...
Kernel panic - not syncing: Fatal exception in interrupt
and the call trace is different every time.
The attached shell script (and funmount.c program) reproduce the problem.
Run the shell script with one argument (nfs-server:/exported/path) and it
will do the following:
* mount the NFS server
* set up iptables to RST the TCP connection
* create an outstanding request to the NFS server (statvfs)
* call umount2(/mountpoint, MNT_FORCE | MNT_DETACH)
* 15 seconds later, the kernel panics
-- kolya
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
int main(int ac, char **av) {
if (ac != 2) {
fprintf(stderr, "Usage: %s mountpoint\n", av[0]);
return 1;
}
char *pn = av[1];
if (umount2(pn, MNT_FORCE | /* MNT_DETACH */ 2) < 0) {
perror("umount2");
return 1;
}
return 0;
}
#!/bin/sh -x
if [ "$1" = "" ]; then
echo "Usage: $0 nfs-server:/some/path"
exit 1
fi
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -N nfs-out-block
iptables -A nfs-out-block -p tcp --dport 2049 -j REJECT --reject-with tcp-reset
mkdir -p /mnt/nfs-crash-test
mount -n "$1" /mnt/nfs-crash-test
iptables -A OUTPUT -j nfs-out-block
df -k /mnt/nfs-crash-test &
( T=0; while [ "$T" != 20 ]; do T=`expr $T + 1`; sleep 1; done ) &
sleep 1
./funmount /mnt/nfs-crash-test
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
