Linux NFS development
 help / color / mirror / Atom feed
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
       [not found] <6eccafaaaa60651ef091257c3439c46b@stwm.de>
@ 2026-07-01 23:43 ` Chuck Lever
  2026-07-02 16:53   ` Wolfgang Walter
  0 siblings, 1 reply; 5+ messages in thread
From: Chuck Lever @ 2026-07-01 23:43 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi Wolfgang,

Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.

You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
'NFSD: Defer sub-object cleanup in export put callbacks'") is the
*only* change to the NFS server between 6.18.36 and 6.18.37, so an
A/B test around it is exactly the right experiment. Two things would
let us pin this down.

1. The full kernel log. The trace you sent begins in the middle of a
register dump, and the task that actually triggered the stall isn't
in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
backtrace is above where your paste starts. Could you send the
complete log from the first "soft lockup" / "rcu ... stall" /
"hung task" line onward, with all CPU backtraces? The part before
what you already sent is the piece I need. If the machine wedges
hard, a serial console or netconsole capture (or pstore/ramoops read
back after reboot) will get the whole thing.

While you're at it: roughly what was the server doing (client count,
NFS version, and was an "exportfs -r", mount, or umount in play), and
does it reproduce or was it a one-off after ~1 day?

2. The revert test, if you're willing to spend the rebuild. On a
v6.18.37 tree:

    git revert --no-edit 95f9eb19d5e6

That reverts the revert -- i.e. restores the 6.18.36 behavior for this
code. If that build stays healthy, it strongly implicates the change;
if it still locks up, we've ruled it out and should look at the NFSv4
laundromat/grace-period path instead. One caveat: this also brings
back a separate problem the revert fixed (a lingering mount reference
that can make "exportfs -r" followed by umount fail with EBUSY), so
treat it as a diagnostic build, not something to run long term.

With the full backtrace I can usually tell quickly whether the export
cache change is even on the code path that hung, or whether 6.18.37
just happened to expose something else.

--
Chuck Lever

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-01 23:43 ` 6.18.37 has problems with nfs4 (server), 6.18.36 works Chuck Lever
@ 2026-07-02 16:53   ` Wolfgang Walter
  2026-07-03 16:03     ` Chuck Lever
  0 siblings, 1 reply; 5+ messages in thread
From: Wolfgang Walter @ 2026-07-02 16:53 UTC (permalink / raw)
  To: Chuck Lever
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi!

Am 2026-07-02 01:43, schrieb Chuck Lever:
> Hi Wolfgang,
> 
> Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.
> 
> You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
> 'NFSD: Defer sub-object cleanup in export put callbacks'") is the
> *only* change to the NFS server between 6.18.36 and 6.18.37, so an
> A/B test around it is exactly the right experiment. Two things would
> let us pin this down.
> 
> 1. The full kernel log. The trace you sent begins in the middle of a
> register dump, and the task that actually triggered the stall isn't
> in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
> backtrace is above where your paste starts. Could you send the
> complete log from the first "soft lockup" / "rcu ... stall" /
> "hung task" line onward, with all CPU backtraces? The part before
> what you already sent is the piece I need. If the machine wedges
> hard, a serial console or netconsole capture (or pstore/ramoops read
> back after reboot) will get the whole thing.

systemd-journald didn't catch it. But /var/log/messages seems to have 
logged it, hope this is it:

Jul  1 16:27:24 fileserver kernel: [76950.437185] PGD 0 P4D 0
Jul  1 16:27:24 fileserver kernel: [76950.437193] Oops: Oops: 0000 [#1] 
SMP NOPTI
Jul  1 16:27:24 fileserver kernel: [76950.437202] CPU: 2 UID: 0 PID: 
8844 Comm: nfsd Not tainted 6.18.37-debian64.all+1.3 #1 PREEMPT(full)
Jul  1 16:27:24 fileserver kernel: [76950.437215] Hardware name: 
Supermicro X10DRi/X10DRI-T, BIOS 1.1a 10/16/2015
Jul  1 16:27:24 fileserver kernel: [76950.437225] RIP: 
0010:__list_del_entry_valid_or_report+0x8/0x110
Jul  1 16:27:24 fileserver kernel: [76950.437240] Code: 48 89 c1 e8 ea 
18 94 ff 0f 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 
90 90 90 90 90 f3 0f 1e fa 48 83 ec 10 <48> 8b 17 48 8b 4f 08 48 89 fe 
48 85 d2 0f 84 b8 a3 95 ff 48 85 c9
Jul  1 16:27:24 fileserver kernel: [76950.437262] RSP: 
0018:ffffd3aba4433c88 EFLAGS: 00010286
Jul  1 16:27:24 fileserver kernel: [76950.437271] RAX: 0000000000000000 
RBX: 0000000000000000 RCX: ffff8acfa99d4e10
Jul  1 16:27:24 fileserver kernel: [76950.437281] RDX: 0000000000000001 
RSI: 0000000000000001 RDI: 0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.437290] RBP: ffffffff99659a00 
R08: 0000000000480000 R09: ffff8ae70680f000
Jul  1 16:27:24 fileserver kernel: [76950.437299] R10: 0000000000480000 
R11: 0000000000000002 R12: ffffd3aba4433ca8
Jul  1 16:27:24 fileserver kernel: [76950.437308] R13: ffff8acfa99d4e10 
R14: ffff8acfa99d4f68 R15: ffff8ae7072d8000
Jul  1 16:27:24 fileserver kernel: [76950.437318] FS:  
0000000000000000(0000) GS:ffff8ae7065cf000(0000) knlGS:0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.437328] CS:  0010 DS: 0000 ES: 
0000 CR0: 0000000080050033
Jul  1 16:27:24 fileserver kernel: [76950.437336] CR2: 0000000000000000 
CR3: 00000011a3624002 CR4: 00000000001726f0
Jul  1 16:27:24 fileserver kernel: [76950.437345] Call Trace:
Jul  1 16:27:24 fileserver kernel: [76950.437351]  <TASK>
Jul  1 16:27:24 fileserver kernel: [76950.437358]  
remove_blocked_locks+0x91/0x1d0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437453]  
__destroy_client+0x1b4/0x2a0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437500]  
nfsd4_destroy_clientid+0xe6/0x1c0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437545]  
nfsd4_proc_compound+0x325/0x680 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437594]  
nfsd_dispatch+0xc6/0x210 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437652]  
svc_process_common+0x4c3/0x6a0 [sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437772]  ? 
__pfx_nfsd_dispatch+0x10/0x10 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437837]  
svc_process+0x142/0x210 [sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437900]  svc_recv+0x7e5/0x9b0 
[sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437955]  ? 
__pfx_nfsd+0x10/0x10 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.438008]  nfsd+0x8f/0xf0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.438058]  kthread+0xfc/0x230
Jul  1 16:27:24 fileserver kernel: [76950.438068]  ? 
__pfx_kthread+0x10/0x10
Jul  1 16:27:24 fileserver kernel: [76950.438077]  
ret_from_fork+0x231/0x260
Jul  1 16:27:24 fileserver kernel: [76950.438086]  ? 
__pfx_kthread+0x10/0x10
Jul  1 16:27:24 fileserver kernel: [76950.438094]  
ret_from_fork_asm+0x1a/0x30
Jul  1 16:27:24 fileserver kernel: [76950.438104]  </TASK>
Jul  1 16:27:24 fileserver kernel: [76950.438108] Modules linked in: 
rpcsec_gss_krb5 msr 8021q garp stp llc mrp binfmt_misc intel_rapl_msr 
intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp 
ipmi_ssif kvm_intel kvm snd_pcm irqbypass polyval_clmulni snd_timer 
ghash_clmulni_intel rapl ast snd intel_cstate drm_client_lib vga16fb 
soundcore drm_shmem_helper intel_uncore drm_kms_helper vgastate pcspkr 
iTCO_wdt mei_me intel_pmc_bxt iTCO_vendor_support i2c_algo_bit mei 
watchdog ioatdma evdev joydev acpi_power_meter ipmi_si acpi_ipmi 
ipmi_devintf ipmi_msghandler button sg nfsd nfs_acl lockd 
chacha20poly1305 fileserverth_rpcgss aesni_intel grace cryptd 
nfs_localio drbd drm sunrpc fuse lru_cache loop efi_pstore configfs 
ip_tables x_tables fileservertofs4 ext4 crc16 mbcache jbd2 efivarfs 
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor 
async_tx xor raid6_pq raid0 linear dm_mod raid1 hid_generic md_mod ses 
enclosure usbhid hid sd_mod ixgbe libie_fwlog xfrm_algo dca mdio_devres 
of_mdio ahci fixed_phy xhci_pci libahci fwnode_mdio mpt3sas ehci_pci
Jul  1 16:27:24 fileserver kernel: [76950.438181]  libphy raid_class 
xhci_hcd libata ehci_hcd mdio_bus scsi_transport_sas i2c_i801 usbcore 
ptp i2c_smbus lpc_ich scsi_mod pps_core usb_common mdio scsi_common wmi
Jul  1 16:27:24 fileserver kernel: [76950.439549] CR2: 0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.439820] ---[ end trace 
0000000000000000 ]---


> 
> While you're at it: roughly what was the server doing (client count,
> NFS version, and was an "exportfs -r", mount, or umount in play), and
> does it reproduce or was it a one-off after ~1 day?

NFS 4.2 with sec=krb5p

The kernel of the clients vary, a lot have a 6.18 kernel, but a lot also 
use their distribution kernels.

I would think that at that moment when it crashed about 50 people were 
still using it. Probably quit some people where shuting down der clients 
at that time as it was almost 16:30.

It happened suddenly. Nothing special on the server.

It wasn't a reproduce, it was the first time 6.18.37 was running, I 
upgraded to 6.18.37 the evening before.

We had to hard reset the server after about 1/2 our as neither rebooting 
nor syncing seemed to make progress.

As this did some damage to the filesystem we hat to fsck it which needed 
some time so I decided to downgrade to 6.18.36 again.

> 
> 2. The revert test, if you're willing to spend the rebuild. On a
> v6.18.37 tree:
> 
>     git revert --no-edit 95f9eb19d5e6
> 
> That reverts the revert -- i.e. restores the 6.18.36 behavior for this
> code. If that build stays healthy, it strongly implicates the change;
> if it still locks up, we've ruled it out and should look at the NFSv4
> laundromat/grace-period path instead. One caveat: this also brings
> back a separate problem the revert fixed (a lingering mount reference
> that can make "exportfs -r" followed by umount fail with EBUSY), so
> treat it as a diagnostic build, not something to run long term.
> 

Ok, I think this would be acceptable. Maybe I encountered that in 
6.18.19, I wrote a report that nfsd got stuck when rebooting, but maybe 
it is something different as it seems to have disappeared in the last 
6.18 kernels.

So I will give 3.18.37 with this change reverted a try.

Regards and thanks for your help,
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-02 16:53   ` Wolfgang Walter
@ 2026-07-03 16:03     ` Chuck Lever
  2026-07-03 18:30       ` Wolfgang Walter
  0 siblings, 1 reply; 5+ messages in thread
From: Chuck Lever @ 2026-07-03 16:03 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi Wolfgang, and stable@ --

Short version for stable@: 6.18.37 does not need a revert of
95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
put callbacks'").  That commit is correct for 6.18, and it is
not the cause of Wolfgang's crash.  Please leave it in place.

The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
export.h, and nfsctl.c.  Wolfgang's oops is in
remove_blocked_locks() -> __destroy_client() ->
nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
which the revert does not modify.  That path is byte-for-byte
identical across 6.18.36, 6.18.37, and current mainline, so the
revert cannot have introduced the bug and no missing backport
repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
coincidence; I believe the same latent bug is present in both.

Because the defect is present upstream as well, the fix belongs
in mainline first and is then backported to 6.18.y and the other
affected trees.

Wolfgang - to confirm this and capture the allocation and free
stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
tree:

  1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
     symbols resolve):

       CONFIG_KASAN=y
       CONFIG_KASAN_GENERIC=y
       CONFIG_KASAN_INLINE=y
       CONFIG_STACKTRACE=y

  2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
     need the revert-the-revert build I suggested earlier; that
     experiment no longer tells us anything.

  3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
     report with "Allocated by" and "Freed by" call stacks.
     That report, in full, is what I need -- it should land in
     /var/log/messages just as the last oops did.

One caveat: KASAN roughly doubles memory use and adds CPU cost,
so weigh that before running it on the production server.  If
that is not practical, a full log from the first stall line
onward, with all CPU backtraces, captured over netconsole or
serial, is a useful second best.

I will draft a candidate upstream fix from the analysis so far
and send it separately.  If KASAN on the production box is not
an option, testing that patch may be the least disruptive way
to confirm.

Thanks for the careful report and the bisect.

Chuck

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-03 16:03     ` Chuck Lever
@ 2026-07-03 18:30       ` Wolfgang Walter
  2026-07-03 20:59         ` Chuck Lever
  0 siblings, 1 reply; 5+ messages in thread
From: Wolfgang Walter @ 2026-07-03 18:30 UTC (permalink / raw)
  To: Chuck Lever
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hello Chuck,

Am 2026-07-03 18:03, schrieb Chuck Lever:
> Hi Wolfgang, and stable@ --
> 
> Short version for stable@: 6.18.37 does not need a revert of
> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
> put callbacks'").  That commit is correct for 6.18, and it is
> not the cause of Wolfgang's crash.  Please leave it in place.

Ok. I run v6.18.37 with the patch reverted since about a day (just for 
the record). But according to your analysis, that's just a coincidence.

> 
> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
> export.h, and nfsctl.c.  Wolfgang's oops is in
> remove_blocked_locks() -> __destroy_client() ->
> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
> which the revert does not modify.  That path is byte-for-byte
> identical across 6.18.36, 6.18.37, and current mainline, so the
> revert cannot have introduced the bug and no missing backport
> repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
> coincidence; I believe the same latent bug is present in both.
> 
> Because the defect is present upstream as well, the fix belongs
> in mainline first and is then backported to 6.18.y and the other
> affected trees.
> 
> Wolfgang - to confirm this and capture the allocation and free
> stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
> tree:
> 
>   1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
>      symbols resolve):
> 
>        CONFIG_KASAN=y
>        CONFIG_KASAN_GENERIC=y
>        CONFIG_KASAN_INLINE=y
>        CONFIG_STACKTRACE=y
> 
>   2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
>      need the revert-the-revert build I suggested earlier; that
>      experiment no longer tells us anything.
> 
>   3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
>      report with "Allocated by" and "Freed by" call stacks.
>      That report, in full, is what I need -- it should land in
>      /var/log/messages just as the last oops did.
> 
> One caveat: KASAN roughly doubles memory use and adds CPU cost,
> so weigh that before running it on the production server.  If
> that is not practical, a full log from the first stall line
> onward, with all CPU backtraces, captured over netconsole or
> serial, is a useful second best.
> 
> I will draft a candidate upstream fix from the analysis so far
> and send it separately.  If KASAN on the production box is not
> an option, testing that patch may be the least disruptive way
> to confirm.
> 

I think the memory usage should not be a problem, higher cpu usage 
neither.

But as it is a coincidence the probability to catch that error is 
probably very low. We use v6.18 kernels since v6.18.1 on that fileserver 
and this error never occured before.

Or do you think it happens more often, but without symptoms, and KASAN 
would detect it?

So I will try running a v3.18.37 + your patch applied. This of course 
can not prove that it fixes the problem because it almost never happens, 
but probably this would detect if if the patch had side effects.

Regards,
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-03 18:30       ` Wolfgang Walter
@ 2026-07-03 20:59         ` Chuck Lever
  0 siblings, 0 replies; 5+ messages in thread
From: Chuck Lever @ 2026-07-03 20:59 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, yangerkun, linux-nfs



On Fri, Jul 3, 2026, at 2:30 PM, Wolfgang Walter wrote:
> Hello Chuck,
>
> Am 2026-07-03 18:03, schrieb Chuck Lever:
>> Hi Wolfgang, and stable@ --
>> 
>> Short version for stable@: 6.18.37 does not need a revert of
>> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
>> put callbacks'").  That commit is correct for 6.18, and it is
>> not the cause of Wolfgang's crash.  Please leave it in place.
>
> Ok. I run v6.18.37 with the patch reverted since about a day (just for 
> the record). But according to your analysis, that's just a coincidence.
>
>> 
>> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
>> export.h, and nfsctl.c.  Wolfgang's oops is in
>> remove_blocked_locks() -> __destroy_client() ->
>> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
>> which the revert does not modify.  That path is byte-for-byte
>> identical across 6.18.36, 6.18.37, and current mainline, so the
>> revert cannot have introduced the bug and no missing backport
>> repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
>> coincidence; I believe the same latent bug is present in both.
>> 
>> Because the defect is present upstream as well, the fix belongs
>> in mainline first and is then backported to 6.18.y and the other
>> affected trees.
>> 
>> Wolfgang - to confirm this and capture the allocation and free
>> stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
>> tree:
>> 
>>   1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
>>      symbols resolve):
>> 
>>        CONFIG_KASAN=y
>>        CONFIG_KASAN_GENERIC=y
>>        CONFIG_KASAN_INLINE=y
>>        CONFIG_STACKTRACE=y
>> 
>>   2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
>>      need the revert-the-revert build I suggested earlier; that
>>      experiment no longer tells us anything.
>> 
>>   3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
>>      report with "Allocated by" and "Freed by" call stacks.
>>      That report, in full, is what I need -- it should land in
>>      /var/log/messages just as the last oops did.
>> 
>> One caveat: KASAN roughly doubles memory use and adds CPU cost,
>> so weigh that before running it on the production server.  If
>> that is not practical, a full log from the first stall line
>> onward, with all CPU backtraces, captured over netconsole or
>> serial, is a useful second best.
>> 
>> I will draft a candidate upstream fix from the analysis so far
>> and send it separately.  If KASAN on the production box is not
>> an option, testing that patch may be the least disruptive way
>> to confirm.
>> 
>
> I think the memory usage should not be a problem, higher cpu usage 
> neither.
>
> But as it is a coincidence the probability to catch that error is 
> probably very low. We use v6.18 kernels since v6.18.1 on that fileserver 
> and this error never occured before.
>
> Or do you think it happens more often, but without symptoms, and KASAN 
> would detect it?
>
> So I will try running a v3.18.37 + your patch applied. This of course 
> can not prove that it fixes the problem because it almost never happens, 
> but probably this would detect if if the patch had side effects.

Correct: your reproduction of the crash does not appear to
be strongly correlated with any particular kernel release. I
based my analysis strictly on the additional stack trace data
you sent earlier today.

I think it's more likely that your 50 client workload hit a
particular race that exposed a pre-existing UAF. KASAN will
change execution timing, certainly, but I can't predict
whether it will make the race window bigger.

So you can only test whether my patch causes new regressions,
not whether it prevents your crasher. :-(


-- 
Chuck Lever

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-03 20:59 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <6eccafaaaa60651ef091257c3439c46b@stwm.de>
2026-07-01 23:43 ` 6.18.37 has problems with nfs4 (server), 6.18.36 works Chuck Lever
2026-07-02 16:53   ` Wolfgang Walter
2026-07-03 16:03     ` Chuck Lever
2026-07-03 18:30       ` Wolfgang Walter
2026-07-03 20:59         ` Chuck Lever

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox