From: Trond Myklebust <trondmy@kernel.org>
To: "hch@infradead.ori" <hch@infradead.org>
Cc: "anna@kernel.org" <anna@kernel.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] NFS: Fix directory delegation verifier checks
Date: Tue, 06 Jan 2026 13:32:54 -0500 [thread overview]
Message-ID: <1df4bb7ff3e6fd607c1811d75fcd6dcb860e320e.camel@kernel.org> (raw)
In-Reply-To: <aVyp3SIddHB5sMhp@infradead.org>
On Mon, 2026-01-05 at 22:21 -0800, hch@infradead.ori wrote:
> On Wed, Dec 31, 2025 at 09:52:35PM +0000, Trond Myklebust wrote:
> > Does applying the following on top of Anna's patch fix the Oops?
>
> It does. But now generic/633 crashes reliably:
>
> generic/633 2s ... [ 58.670535] run fstests generic/633 at 2026-
> 01-02 02:00:17
> [ 58.865568] process 'vfstest' launched '/dev/fd/4/file1' with NULL
> argv: empty string added
> [ 58.897522] Oops: general protection fault, probably for non-
> canonical address 0xcccccccccccccd0c: 0000 [#1] SMP NOPTI
> [ 58.898234] CPU: 0 UID: 0 PID: 3852 Comm: vfstest Tainted:
> G N 6.19.0-rc2+ #4535 PREEMPT(full)
> [ 58.898829] Tainted: [N]=TEST
> [ 58.899013] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 58.899594] RIP: 0010:nfs_end_delegation_return+0xda/0x390
> [ 58.899922] Code: 49 89 ce e8 58 be bf ff 48 8b 85 60 ff ff ff 4c
> 8d 68 80 49 39 c6 74 50 4c 8b 7c 24 08 48 8b 1c 24 4d 8b 65 60 4d 85
> e4 74 2e <49> 8b 44 24 40 a8 02 74 25 49 8b 44 24 40 f6 c4 02 75 1b
> 41 8b 47
> [ 58.901063] RSP: 0018:ffffc90001947c90 EFLAGS: 00010286
> [ 58.901419] RAX: ffff88811a3122c0 RBX: ffff888105268970 RCX:
> ffff888111a9a210
> [ 58.901827] RDX: ffff8881039320c0 RSI: ffff888105268940 RDI:
> ffff888111a9a2b0
> [ 58.902236] RBP: ffff888111a9a2b0 R08: 0000000000000000 R09:
> 0000000000000000
> [ 58.902696] R10: ffffc90001947d48 R11: fefefefefefefeff R12:
> cccccccccccccccc
> [ 58.903112] R13: ffff88811a312240 R14: ffff888111a9a210 R15:
> ffff888105268940
> [ 58.903594] FS: 00007f04f92c6740(0000) GS:ffff8882b353d000(0000)
> knlGS:0000000000000000
> [ 58.904125] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 58.904483] CR2: 000055c55fe522d8 CR3: 000000011a3f1004 CR4:
> 0000000000772ef0
> [ 58.904927] PKRU: 55555554
> [ 58.905132] Call Trace:
> [ 58.905294] <TASK>
> [ 58.905434] ? _raw_spin_unlock+0x13/0x30
> [ 58.905689] nfs4_proc_setattr+0xff/0x110
> [ 58.905947] nfs_setattr+0x1c8/0x410
> [ 58.906175] notify_change+0x373/0x510
> [ 58.906415] ? init_object+0x5a/0xc0
> [ 58.906643] ? chown_common+0x1ec/0x220
> [ 58.906885] chown_common+0x1ec/0x220
> [ 58.907126] do_fchownat+0xc3/0xf0
> [ 58.907358] __x64_sys_fchownat+0x1a/0x30
> [ 58.907611] do_syscall_64+0x50/0xf80
> [ 58.907848] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 58.908171] RIP: 0033:0x7f04f93c8e4a
> [ 58.908390] Code: 48 8b 0d b1 6f 0e 00 f7 d8 64 89 01 48 83 c8 ff
> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 04 01 00
> 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7e 6f 0e 00 f7 d8 64
> 89 01 48
> [ 58.909467] RSP: 002b:00007ffe4cd3ec98 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000104
> [ 58.909893] RAX: ffffffffffffffda RBX: 00007ffe4cd3ecb0 RCX:
> 00007f04f93c8e4a
> [ 58.910336] RDX: 0000000000002710 RSI: 000055c54836500e RDI:
> 0000000000000003
> [ 58.910872] RBP: 000055c55fd522a0 R08: 0000000000000100 R09:
> 0000000000000001
> [ 58.911350] R10: 0000000000002710 R11: 0000000000000246 R12:
> 0000000000000006
> [ 58.911797] R13: 0000000000002710 R14: 0000000000002710 R15:
> 000055c55fd52313
> [ 58.912234] </TASK>
> [ 58.912373] Modules linked in: kvm_intel kvm irqbypass
> [ 58.912717] ---[ end trace 0000000000000000 ]---
> [ 58.913829] RIP: 0010:nfs_end_delegation_return+0xda/0x390
> [ 58.914177] Code: 49 89 ce e8 58 be bf ff 48 8b 85 60 ff ff ff 4c
> 8d 68 80 49 39 c6 74 50 4c 8b 7c 24 08 48 8b 1c 24 4d 8b 65 60 4d 85
> e4 74 2e <49> 8b 44 24 40 a8 02 74 25 49 8b 44 24 40 f6 c4 02 75 1b
> 41 8b 47
> [ 58.915541] RSP: 0018:ffffc90001947c90 EFLAGS: 00010286
> [ 58.915871] RAX: ffff88811a3122c0 RBX: ffff888105268970 RCX:
> ffff888111a9a210
> [ 58.916317] RDX: ffff8881039320c0 RSI: ffff888105268940 RDI:
> ffff888111a9a2b0
> [ 58.916766] RBP: ffff888111a9a2b0 R08: 0000000000000000 R09:
> 0000000000000000
> [ 58.917299] R10: ffffc90001947d48 R11: fefefefefefefeff R12:
> cccccccccccccccc
> [ 58.917709] R13: ffff88811a312240 R14: ffff888111a9a210 R15:
> ffff888105268940
> [ 58.918109] FS: 00007f04f92c6740(0000) GS:ffff8882b353d000(0000)
> knlGS:0000000000000000
> [ 58.918560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 58.918944] CR2: 00007fbf39569000 CR3: 000000011a3f1004 CR4:
> 0000000000772ef0
> [ 58.919622] PKRU: 55555554
Sigh... One last patch on top of all the previous ones, but if we hit
another issue I think we need to consider just disabling directory
delegations on the client until all the remaining issues can be fixed
in the next release.
Anna, are you able to reproduce these bugs?
8<-----------------------------------------------------------------
From cbf97626edbf8c0b619d37aca8d6da77f46e69d6 Mon Sep 17 00:00:00 2001
Message-ID: <cbf97626edbf8c0b619d37aca8d6da77f46e69d6.1767719343.git.trond.myklebust@hammerspace.com>
From: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Tue, 6 Jan 2026 11:54:32 -0500
Subject: [PATCH] NFSv4.x: Directory delegations don't require any state
recovery
The state recovery code in nfs_end_delegation_return() is intended to
allow regular files to recover cached open and lock state. It has no
function for directory delegations, and may cause corruption.
Fixes: 156b09482933 ("NFS: Request a directory delegation on ACCESS, CREATE, and UNLINK")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
---
fs/nfs/delegation.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
index 2248e3ad089a..c9fa4c1f68fc 100644
--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -581,6 +581,10 @@ static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation
if (delegation == NULL)
return 0;
+ /* Directory delegations don't require any state recovery */
+ if (!S_ISREG(inode->i_mode))
+ goto out_return;
+
if (!issync)
mode |= O_NONBLOCK;
/* Recall of any remaining application leases */
@@ -604,6 +608,7 @@ static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation
goto out;
}
+out_return:
err = nfs_do_return_delegation(inode, delegation, issync);
out:
/* Refcount matched in nfs_start_delegation_return_locked() */
--
2.52.0
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@kernel.org, trond.myklebust@hammerspace.com
next prev parent reply other threads:[~2026-01-06 18:32 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-19 20:13 [PATCH] NFS: Fix directory delegation verifier checks Anna Schumaker
2025-12-22 22:35 ` Christoph Hellwig
2025-12-23 1:06 ` Christoph Hellwig
2025-12-31 21:52 ` Trond Myklebust
2026-01-06 6:21 ` hch@infradead.ori
2026-01-06 18:32 ` Trond Myklebust [this message]
2026-01-07 5:23 ` hch@infradead.ori
2026-01-07 15:07 ` Trond Myklebust
2026-01-07 15:30 ` hch@infradead.ori
2026-01-08 9:23 ` hch@infradead.ori
2026-01-07 16:52 ` Anna Schumaker
2026-04-04 18:32 ` Al Viro
2026-04-04 19:07 ` Al Viro
2026-04-05 2:39 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1df4bb7ff3e6fd607c1811d75fcd6dcb860e320e.camel@kernel.org \
--to=trondmy@kernel.org \
--cc=anna@kernel.org \
--cc=hch@infradead.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox