Re: 6.18.19 (and probably earlier): get BUG nfsd_file (Not tainted): Objects remaining on __kmem_cache_shutdown()

[Wolfgang Walter <linux@stwm.de>]

Am 2026-03-27 20:45, schrieb Chuck Lever:
> Hello Wolfgang -
> 
> On Fri, Mar 27, 2026, at 2:37 PM, Wolfgang Walter wrote:
>> Hello,
>> 
>> wenn rebooting our nfs-server I get almost always the following BUG:
>> 
>> Mar 27 18:27:40 rummelplatz kernel: BUG nfsd_file (Not tainted): 
>> Objects
>> remaining on __kmem_cache_shutdown()
>> Mar 27 18:27:40 rummelplatz kernel:
>> -----------------------------------------------------------------------------
>> Mar 27 18:27:40 rummelplatz kernel: Object 0x000000004cc0c6e6
>> @offset=144
>> Mar 27 18:27:40 rummelplatz kernel: Slab 0x00000000e17f7a52 objects=28
>> used=1 fp=0x00000000988570d2
>> flags=0x57ffffc0000200(workingset|node=1|zone=2|lastcpupid=0x1fffff)
>> Mar 27 18:27:40 rummelplatz kernel: Disabling lock debugging due to
>> kernel taint
> 
>> The kernel is vanilla stable 6.18.19. I built it myself.
> 
> Perhaps your kernel is missing commit 8072e34e1387 ("nfsd: fix
> nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()").

This patch is included in stable 6.18.20 as commit

c07dc84ed67c5a182273171639bacbbb87c12175

=======================================================
commit c07dc84ed67c5a182273171639bacbbb87c12175
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Mon Dec 1 17:09:55 2025 -0500

     nfsd: fix nfsd_file reference leak in 
nfsd4_add_rdaccess_to_wrdeleg()

     commit 8072e34e1387d03102b788677d491e2bcceef6f5 upstream.

     nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites
     fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if
     the client already has a SHARE_ACCESS_READ open from a previous OPEN
     operation, this action overwrites the existing pointer without
     releasing its reference, orphaning the previous reference.

     Additionally, the function originally stored the same nfsd_file
     pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with
     only a single reference. When put_deleg_file() runs, it clears
     fi_rdeleg_file and calls nfs4_file_put_access() to release the file.

     However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when
     the fi_access[O_RDONLY] counter drops to zero. If another READ open
     exists on the file, the counter remains elevated and the nfsd_file
     reference from the delegation is never released. This potentially
     causes open conflicts on that file.

     Then, on server shutdown, these leaks cause 
__nfsd_file_cache_purge()
     to encounter files with an elevated reference count that cannot be
     cleaned up, ultimately triggering a BUG() in kmem_cache_destroy()
     because there are still nfsd_file objects allocated in that cache.

     Fixes: e7a8ebc305f2 ("NFSD: Offer write delegation for OPEN with 
OPEN4_SHARE_ACCESS_WRITE")
     Cc: stable@vger.kernel.org
     Reviewed-by: Jeff Layton <jlayton@kernel.org>
     Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
=======================================================

(in stable since v6.20.4)

Regards
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts