[BUG] NFS server panics in tcp_sendpage
Issue: The kernel panics on a RHEL 5.8 NFS server when a RHEL 5.8 client accesses it.
Environment:
- Red Hat Enterprise Linux (RHEL) 5.8 NFS server with /proc/fs/nfsd/max_block_size set to 1048576
- NFS client mounting an export on the NFS server using an rsize/wsize of 1048576
- TCP being used for NFS communication
Fixed in RHEL5.8.z, kernel-2.6.18-308.11.1.el5 (see latest 5.8.z errata). Currently tracked in RHEL5.9 Bug 814626.
Workaround:
Decrease the maximum IO size to something less than 1MB by writing to /proc/fs/nfsd/max_block_size, for example:
echo 524288 >/proc/fs/nfsd/max_block_size
Note that this has to be done after mounting /proc/fs/nfsd, but before starting nfsd. It is recommended that this change be made via /etc/modprobe.d/modprobe.conf.dist as follows:
# grep max_block_size /etc/modprobe.d/modprobe.conf.dist
install nfsd /sbin/modprobe --first-time --ignore-install nfsd && { /bin/mount -t nfsd nfsd /proc/fs/nfsd > /dev/null 2>&1 || :; echo 524288 > /proc/fs/nfsd/max_block_size; }
Root Cause:
The rq_pages array has 1MB/PAGE_SIZE+2 elements. The loop in svc_recv attempts to allocate sv_bufsz/PAGE_SIZE+2 pages. But the NFS server is setting sv_bufsz to over a megabyte, with the result that svc_recv may attempt to allocate sv_bufsz/PAGE_SIZE+3 pages and run past the end of the array, overwriting rq_respages.
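The page-count arithmetic behind this overrun, as an added example that is not Red Hat's or the kernel's own code: a simplified C model of the two fields named above, with a bounds check that counts the slots that would land past the array. The 4 KiB page size, the round-up of a partial page, the 1024-byte header allowance (HDR_ROOM) and all function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE   4096UL              /* assumption: 4 KiB pages */
#define MAX_PAYLOAD (1024UL * 1024UL)   /* the 1MB the array is sized for */
#define MAXPAGES    (MAX_PAYLOAD / PAGE_SIZE + 2)  /* rq_pages element count */
#define HDR_ROOM    1024UL              /* constructed: header space on top of the payload */

/* Simplified model holding only the two fields named in the root cause. */
struct rqst_model {
    void  *rq_pages[MAXPAGES];
    void **rq_respages;
};

/* Pages the receive loop asks for; rounding up a partial page is an assumption. */
static size_t pages_wanted(size_t sv_bufsz)
{
    return (sv_bufsz + PAGE_SIZE - 1) / PAGE_SIZE + 2;
}

/* Bounds-checked fill: returns how many slots would have landed past rq_pages. */
static size_t fill_pages(struct rqst_model *rq, size_t sv_bufsz)
{
    static char fake_page;  /* stands in for an allocated page */
    size_t want = pages_wanted(sv_bufsz), overrun = 0;

    for (size_t i = 0; i < want; i++) {
        if (i >= MAXPAGES) { overrun++; continue; }  /* bound the described loop does not enforce */
        if (rq->rq_pages[i] == NULL)
            rq->rq_pages[i] = &fake_page;
    }
    return overrun;
}

/* In this model the first slot past the array is exactly where rq_respages lives. */
static int overrun_hits_respages(void)
{
    return offsetof(struct rqst_model, rq_pages) + MAXPAGES * sizeof(void *)
           == offsetof(struct rqst_model, rq_respages);
}

int main(void)
{
    size_t sizes[] = { 1048576, 524288 };  /* max_block_size: failing case vs. workaround */
    for (size_t k = 0; k < 2; k++) {
        struct rqst_model rq = { 0 };
        printf("max_block_size=%zu want=%zu have=%lu overrun=%zu\n", sizes[k],
               pages_wanted(sizes[k] + HDR_ROOM), MAXPAGES, fill_pages(&rq, sizes[k] + HDR_ROOM));
    }
    printf("first out-of-bounds slot is rq_respages: %d\n", overrun_hits_respages());
    return 0;
}
```

With a buffer of exactly 1MB the loop fits the array; any header allowance on top of a 1MB payload pushes it one slot over, which is why lowering max_block_size avoids the panic.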