diff --git a/kernel.spec b/kernel.spec index 393ce6640..29b4ed10b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -940,6 +940,9 @@ Patch13943: tcp-increase-tcp_maxseg-socket-option-minimum.patch Patch13944: tcp-make-tcp_maxseg-minimum-more-correct.patch Patch13945: tcp-protect-sysctl_tcp_cookie_size-reads.patch +# rhbz#673207 (f14) +Patch13950: sunrpc-kernel-panic-when-mount-nfsv4.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1803,6 +1806,9 @@ ApplyPatch tcp-increase-tcp_maxseg-socket-option-minimum.patch ApplyPatch tcp-make-tcp_maxseg-minimum-more-correct.patch ApplyPatch tcp-protect-sysctl_tcp_cookie_size-reads.patch +# rhbz#673207 (f14) +ApplyPatch sunrpc-kernel-panic-when-mount-nfsv4.patch + # END OF PATCH APPLICATIONS %endif @@ -2424,6 +2430,9 @@ fi %changelog +* Sun Jan 30 2011 Chuck Ebbert +- Copy sunrpc oops fix from F14 + * Wed Jan 26 2011 Chuck Ebbert - TCP networking fixes from 2.6.36.3, including one CVE CVE-2010-4165: possible kernel oops from user MSS diff --git a/sunrpc-kernel-panic-when-mount-nfsv4.patch b/sunrpc-kernel-panic-when-mount-nfsv4.patch new file mode 100644 index 000000000..c4e8214a4 --- /dev/null +++ b/sunrpc-kernel-panic-when-mount-nfsv4.patch 
@@ -0,0 +1,139 @@
+From: Trond Myklebust
+Date: Mon, 20 Dec 2010 21:19:26 +0000 (+0000)
+Subject: kernel panic when mount NFSv4
+X-Git-Tag: v2.6.38-rc1~407^2~38
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=beb0f0a9fba1fa98b378329a9a5b0a73f25097ae
+
+kernel panic when mount NFSv4
+
+On Tue, 2010-12-14 at 16:58 +0800, Mi Jinlong wrote:
+> Hi,
+>
+> When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+> at NFS client's __rpc_create_common function.
+>
+> The panic place is:
+> rpc_mkpipe
+> __rpc_lookup_create() <=== find pipefile *idmap*
+> __rpc_mkpipe() <=== pipefile is *idmap*
+> __rpc_create_common()
+> ****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
+>
+> It means that the dentry's d_flags have be set DCACHE_UNHASHED,
+> but it should not be set here.
+>
+> Is someone known this bug? or give me some idea?
+>
+> A reproduce program is append, but it can't reproduce the bug every time.
+> the export is: "/nfsroot *(rw,no_root_squash,fsid=0,insecure)"
+>
+> And the panic message is append.
+>
+> ============================================================================
+> #!/bin/sh
+>
+> LOOPTOTAL=768
+> LOOPCOUNT=0
+> ret=0
+>
+> while [ $LOOPCOUNT -ne $LOOPTOTAL ]
+> do
+> ((LOOPCOUNT += 1))
+> service nfs restart
+> /usr/sbin/rpc.idmapd
+> mount -t nfs4 127.0.0.1:/ /mnt|| return 1;
+> ls -l /var/lib/nfs/rpc_pipefs/nfs/*/
+> umount /mnt
+> echo $LOOPCOUNT
+> done
+>
+> ===============================================================================
+> Code: af 60 01 00 00 89 fa 89 f0 e8 64 cf 89 f0 e8 5c 7c 64 cf 31 c0 8b 5c 24 10 8b
+> 74 24 14 8b 7c 24 18 8b 6c 24 1c 83 c4 20 c3 <0f> 0b eb fc 8b 46 28 c7 44 24 08 20
+> de ee f0 c7 44 24 04 56 ea
+> EIP:[] __rpc_create_common+0x8a/0xc0 [sunrpc] SS:ESP 0068:eccb5d28
+> ---[ end trace 8f5606cd08928ed2]---
+> Kernel panic - not syncing: Fatal exception
+> Pid:7131, comm: mount.nfs4 Tainted: G D -------------------2.6.32 #1
+> Call Trace:
+> [] ? panic+0x42/0xed
+> [] ? oops_end+0xbc/0xd0
+> [] ? do_invalid_op+0x0/0x90
+> [] ? do_invalid_op+0x7f/0x90
+> [] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+> [] ? rpc_free_task+0x33/0x70[sunrpc]
+> [] ? prc_call_sync+0x48/0x60[sunrpc]
+> [] ? rpc_ping+0x4e/0x60[sunrpc]
+> [] ? rpc_create+0x38f/0x4f0[sunrpc]
+> [] ? error_code+0x73/0x78
+> [] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+> [] ? d_lookup+0x2a/0x40
+> [] ? rpc_mkpipe+0x111/0x1b0[sunrpc]
+> [] ? nfs_create_rpc_client+0xb4/0xf0[nfs]
+> [] ? nfs_fscache_get_client_cookie+0x1d/0x50[nfs]
+> [] ? nfs_idmap_new+0x7b/0x140[nfs]
+> [] ? strlcpy+0x3a/0x60
+> [] ? nfs4_set_client+0xea/0x2b0[nfs]
+> [] ? nfs4_create_server+0xac/0x1b0[nfs]
+> [] ? krealloc+0x40/0x50
+> [] ? nfs4_remote_get_sb+0x6b/0x250[nfs]
+> [] ? kstrdup+0x3c/0x60
+> [] ? vfs_kern_mount+0x69/0x170
+> [] ? nfs_do_root_mount+0x6c/0xa0[nfs]
+> [] ? nfs4_try_mount+0x37/0xa0[nfs]
+> [] ? nfs4_validate_text_mount_data+-x7d/0xf0[nfs]
+> [] ? nfs4_get_sb+0x92/0x2f0
+> [] ? vfs_kern_mount+0x69/0x170
+> [] ? get_fs_type+0x32/0xb0
+> [] ? do_kern_mount+0x3f/0xe0
+> [] ? do_mount+0x2ef/0x740
+> [] ? copy_mount_options+0xb0/0x120
+> [] ? sys_mount+0x6e/0xa0
+
+Hi,
+
+Does the following patch fix the problem?
+
+Cheers
+ Trond
+
+--------------------------
+SUNRPC: Fix a BUG in __rpc_create_common
+
+From: Trond Myklebust
+
+Mi Jinlong reports:
+
+When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+at NFS client's __rpc_create_common function.
+
+The panic place is:
+ rpc_mkpipe
+ __rpc_lookup_create() <=== find pipefile *idmap*
+ __rpc_mkpipe() <=== pipefile is *idmap*
+ __rpc_create_common()
+ ****** BUG_ON(!d_unhashed(dentry)); ****** *panic*
+
+The test is wrong: we can find ourselves with a hashed negative dentry here
+if the idmapper tried to look up the file before we got round to creating
+it.
+
+Just replace the BUG_ON() with a d_drop(dentry).
+
+Reported-by: Mi Jinlong
+Signed-off-by: Trond Myklebust
+---
+
+diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
+index 10a17a3..5356d95 100644
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -466,7 +466,7 @@ static int __rpc_create_common(struct inode *dir, struct dentry *dentry,
+ {
+ struct inode *inode;
+
+- BUG_ON(!d_unhashed(dentry));
++ d_drop(dentry);
+ inode = rpc_get_inode(dir->i_sb, mode);
+ if (!inode)
+ goto out_err;
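Review bot: The `d_drop(dentry)` line that replaces `BUG_ON(!d_unhashed(dentry))` in `__rpc_create_common` carries no comment, so the reason the unhash is needed (the idmapper can look the name up first and leave a hashed negative dentry) is recorded only in the commit message. I would put `/* A racing lookup may have hashed a negative dentry; unhash it before instantiating. */` above the call, so that the assertion, which turned this race into a kernel panic at mount time, is not reintroduced later. With the assertion removed, nothing in the visible lines checks the state of the dentry, and the function continues past the end of the hunk, so it should be confirmed that callers never get here with a positive dentry.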