Archive-only list for patches
 help / color / mirror / Atom feed
* 6.18.37 has problems with nfs4 (server), 6.18.36 works
@ 2026-07-01 16:14 Wolfgang Walter
  2026-07-01 23:43 ` Chuck Lever
  0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-01 16:14 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeff Layton, Alexandr Alexandrov,
	Yang Erkun, Chuck Lever

Hello,

after upgrading to v6.18.37 our nfs-server had problems after about 1 
day. I do not dare to bisect it as caused a relative long downtime.

I would consider running av6.18.37 with

Revert "NFSD: Defer sub-object cleanup in export put callbacks"

reverted if this makes sense.

Of course I'm not sure if this was introduced wth 6.18.37 but we never 
saw that with earlier versions of v6.18.37.

Here is what it logged when ist started:

[77046.588449] R10: 00000000000c0000 R11: dc8c000000000000 R12: 
ffff8ae33e7ff630
[77046.588450] R13: ffff8ae49b33e14c R14: ffff8ae1b8008000 R15: 
ffff8ae49b33e138
[77046.588451] FS:  0000000000000000(0000) GS:ffff8ae7065cf000(0000) 
knlGS:0000000000000000
[77046.588453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[77046.588454] CR2: 0000000000000000 CR3: 00000011a3624002 CR4: 
00000000001726f0
[77046.588456] Call Trace:
[77046.588457]  <TASK>
[77046.588458]  ? __state_in_grace+0x2a/0xc0 [grace]
[77046.588461]  _raw_spin_lock+0x29/0x30
[77046.588464]  nfsd4_lock+0xbcd/0x1690 [nfsd]
[77046.588511]  nfsd4_proc_compound+0x325/0x680 [nfsd]
[77046.588553]  nfsd_dispatch+0xc6/0x210 [nfsd]
[77046.588598]  svc_process_common+0x4c3/0x6a0 [sunrpc]
[77046.588648]  ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd]
[77046.588692]  svc_process+0x142/0x210 [sunrpc]
[77046.588737]  svc_recv+0x7e5/0x9b0 [sunrpc]
[77046.588782]  ? __pfx_nfsd+0x10/0x10 [nfsd]
[77046.588826]  nfsd+0x8f/0xf0 [nfsd]
[77046.588867]  kthread+0xfc/0x230
[77046.588870]  ? __pfx_kthread+0x10/0x10
[77046.588873]  ret_from_fork+0x231/0x260
[77046.588875]  ? __pfx_kthread+0x10/0x10
[77046.588878]  ret_from_fork_asm+0x1a/0x30
[77046.588881]  </TASK>
[77046.596608] watchdog: BUG: soft lockup - CPU#16 stuck for 75s! 
[kworker/u97:6:227618]
[77046.596612] Modules linked in: rpcsec_gss_krb5 msr 8021q garp stp llc 
mrp binfmt_misc intel_rapl_msr intel_rapl_common sb_edac 
x86_pkg_temp_thermal intel_powerclamp coretemp ipmi_ssif kvm_intel kvm 
snd_pcm irqbypass polyval_clmulni snd_timer ghash_clmulni_intel rapl ast 
snd intel_cstate drm_client_lib vga16fb soundcore drm_shmem_helper 
intel_uncore drm_kms_helper vgastate pcspkr iTCO_wdt mei_me 
intel_pmc_bxt iTCO_vendor_support i2c_algo_bit mei watchdog ioatdma 
evdev joydev acpi_power_meter ipmi_si acpi_ipmi ipmi_devintf 
ipmi_msghandler button sg nfsd nfs_acl lockd chacha20poly1305 
auth_rpcgss aesni_intel grace cryptd nfs_localio drbd drm sunrpc fuse 
lru_cache loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 
mbcache jbd2 efivarfs raid10 raid456 async_raid6_recov async_memcpy 
async_pq async_xor async_tx xor raid6_pq raid0 linear dm_mod raid1 
hid_generic md_mod ses enclosure usbhid hid sd_mod ixgbe libie_fwlog 
xfrm_algo dca mdio_devres of_mdio ahci fixed_phy xhci_pci libahci 
fwnode_mdio mpt3sas ehci_pci
[77046.596647]  libphy raid_class xhci_hcd libata ehci_hcd mdio_bus 
scsi_transport_sas i2c_i801 usbcore ptp i2c_smbus lpc_ich scsi_mod 
pps_core usb_common mdio scsi_common wmi
[77046.596655] CPU: 16 UID: 0 PID: 227618 Comm: kworker/u97:6 Tainted: G 
      D      L      6.18.37-debian64.all+1.3 #1 PREEMPT(full)
[77046.596658] Tainted: [D]=DIE, [L]=SOFTLOCKUP
[77046.596658] Hardware name: Supermicro X10DRi/X10DRI-T, BIOS 1.1a 
10/16/2015
[77046.596659] Workqueue: nfsd4 laundromat_main [nfsd]
[77046.596702] RIP: 0010:native_queued_spin_lock_slowpath+0x28d/0x2c0
[77046.596706] Code: 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 40 31 
4e 99 48 03 04 f5 80 f0 78 98 48 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 
08 <85> c0 74 f7 48 8b 32 48 85 f6 74 81 0f 18 0e e9 79 ff ff ff bf 01
[77046.596708] RSP: 0018:ffffd3abb77c3d70 EFLAGS: 00000246
[77046.596709] RAX: 0000000000000000 RBX: ffff8ae7072d80d0 RCX: 
ffff8ae7072d812c
[77046.596710] RDX: ffff8ae69fcb2140 RSI: 0000000000000003 RDI: 
ffff8ae7072d812c
[77046.596711] RBP: ffff8ae7072d812c R08: 0000000000440000 R09: 
ffff8ae7067cf000
[77046.596713] R10: 0000000000440000 R11: ffff8ae7072d81e8 R12: 
000000000000002f
[77046.596714] R13: ffffd3abb77c3e08 R14: ffff8ae7072d80b0 R15: 
ffff8ae7072d80c0
[77046.596715] FS:  0000000000000000(0000) GS:ffff8ae7067cf000(0000) 
knlGS:0000000000000000
[77046.596717] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[77046.596718] CR2: 00007f93e9a0e3d8 CR3: 00000011a3624005 CR4: 
00000000001726f0
[77046.596719] Call Trace:
[77046.596721]  <TASK>
[77046.596722]  _raw_spin_lock+0x29/0x30
[77046.596725]  laundromat_main+0x3c1/0x940 [nfsd]
[77046.596766]  process_one_work+0x18c/0x350
[77046.596770]  worker_thread+0x196/0x300
[77046.596772]  ? __pfx_worker_thread+0x10/0x10
[77046.596775]  kthread+0xfc/0x230
[77046.596778]  ? __pfx_kthread+0x10/0x10
[77046.596780]  ? __pfx_kthread+0x10/0x10
[77046.596783]  ret_from_fork+0x231/0x260
[77046.596786]  ? __pfx_kthread+0x10/0x10
[77046.596788]  ret_from_fork_asm+0x1a/0x30
[77046.596791]  </TASK>
[77047.256123] rcu: INFO: rcu_preempt self-detected stall on CPU
[77047.256431] rcu:     13-....: (83975 ticks this GP) 
idle=4dc4/1/0x4000000000000000 softirq=9553877/9553878 fqs=41109
[77047.256701] rcu:     (t=84006 jiffies g=22811861 q=552187 ncpus=24)
[77047.256973] CPU: 13 UID: 0 PID: 8887 Comm: nfsd Tainted: G      D     
  L      6.18.37-debian64.all+1.3 #1 PREEMPT(full)
[77047.256976] Tainted: [D]=DIE, [L]=SOFTLOCKUP



Regards
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-01 16:14 6.18.37 has problems with nfs4 (server), 6.18.36 works Wolfgang Walter
@ 2026-07-01 23:43 ` Chuck Lever
  2026-07-02 16:53   ` Wolfgang Walter
  0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever @ 2026-07-01 23:43 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi Wolfgang,

Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.

You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
'NFSD: Defer sub-object cleanup in export put callbacks'") is the
*only* change to the NFS server between 6.18.36 and 6.18.37, so an
A/B test around it is exactly the right experiment. Two things would
let us pin this down.

1. The full kernel log. The trace you sent begins in the middle of a
register dump, and the task that actually triggered the stall isn't
in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
backtrace is above where your paste starts. Could you send the
complete log from the first "soft lockup" / "rcu ... stall" /
"hung task" line onward, with all CPU backtraces? The part before
what you already sent is the piece I need. If the machine wedges
hard, a serial console or netconsole capture (or pstore/ramoops read
back after reboot) will get the whole thing.

While you're at it: roughly what was the server doing (client count,
NFS version, and was an "exportfs -r", mount, or umount in play), and
does it reproduce or was it a one-off after ~1 day?

2. The revert test, if you're willing to spend the rebuild. On a
v6.18.37 tree:

    git revert --no-edit 95f9eb19d5e6

That reverts the revert -- i.e. restores the 6.18.36 behavior for this
code. If that build stays healthy, it strongly implicates the change;
if it still locks up, we've ruled it out and should look at the NFSv4
laundromat/grace-period path instead. One caveat: this also brings
back a separate problem the revert fixed (a lingering mount reference
that can make "exportfs -r" followed by umount fail with EBUSY), so
treat it as a diagnostic build, not something to run long term.

With the full backtrace I can usually tell quickly whether the export
cache change is even on the code path that hung, or whether 6.18.37
just happened to expose something else.

--
Chuck Lever

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-01 23:43 ` Chuck Lever
@ 2026-07-02 16:53   ` Wolfgang Walter
  2026-07-03 16:03     ` Chuck Lever
  0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-02 16:53 UTC (permalink / raw)
  To: Chuck Lever
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi!

Am 2026-07-02 01:43, schrieb Chuck Lever:
> Hi Wolfgang,
> 
> Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.
> 
> You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
> 'NFSD: Defer sub-object cleanup in export put callbacks'") is the
> *only* change to the NFS server between 6.18.36 and 6.18.37, so an
> A/B test around it is exactly the right experiment. Two things would
> let us pin this down.
> 
> 1. The full kernel log. The trace you sent begins in the middle of a
> register dump, and the task that actually triggered the stall isn't
> in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
> backtrace is above where your paste starts. Could you send the
> complete log from the first "soft lockup" / "rcu ... stall" /
> "hung task" line onward, with all CPU backtraces? The part before
> what you already sent is the piece I need. If the machine wedges
> hard, a serial console or netconsole capture (or pstore/ramoops read
> back after reboot) will get the whole thing.

systemd-journald didn't catch it. But /var/log/messages seems to have 
logged it, hope this is it:

Jul  1 16:27:24 fileserver kernel: [76950.437185] PGD 0 P4D 0
Jul  1 16:27:24 fileserver kernel: [76950.437193] Oops: Oops: 0000 [#1] 
SMP NOPTI
Jul  1 16:27:24 fileserver kernel: [76950.437202] CPU: 2 UID: 0 PID: 
8844 Comm: nfsd Not tainted 6.18.37-debian64.all+1.3 #1 PREEMPT(full)
Jul  1 16:27:24 fileserver kernel: [76950.437215] Hardware name: 
Supermicro X10DRi/X10DRI-T, BIOS 1.1a 10/16/2015
Jul  1 16:27:24 fileserver kernel: [76950.437225] RIP: 
0010:__list_del_entry_valid_or_report+0x8/0x110
Jul  1 16:27:24 fileserver kernel: [76950.437240] Code: 48 89 c1 e8 ea 
18 94 ff 0f 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 
90 90 90 90 90 f3 0f 1e fa 48 83 ec 10 <48> 8b 17 48 8b 4f 08 48 89 fe 
48 85 d2 0f 84 b8 a3 95 ff 48 85 c9
Jul  1 16:27:24 fileserver kernel: [76950.437262] RSP: 
0018:ffffd3aba4433c88 EFLAGS: 00010286
Jul  1 16:27:24 fileserver kernel: [76950.437271] RAX: 0000000000000000 
RBX: 0000000000000000 RCX: ffff8acfa99d4e10
Jul  1 16:27:24 fileserver kernel: [76950.437281] RDX: 0000000000000001 
RSI: 0000000000000001 RDI: 0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.437290] RBP: ffffffff99659a00 
R08: 0000000000480000 R09: ffff8ae70680f000
Jul  1 16:27:24 fileserver kernel: [76950.437299] R10: 0000000000480000 
R11: 0000000000000002 R12: ffffd3aba4433ca8
Jul  1 16:27:24 fileserver kernel: [76950.437308] R13: ffff8acfa99d4e10 
R14: ffff8acfa99d4f68 R15: ffff8ae7072d8000
Jul  1 16:27:24 fileserver kernel: [76950.437318] FS:  
0000000000000000(0000) GS:ffff8ae7065cf000(0000) knlGS:0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.437328] CS:  0010 DS: 0000 ES: 
0000 CR0: 0000000080050033
Jul  1 16:27:24 fileserver kernel: [76950.437336] CR2: 0000000000000000 
CR3: 00000011a3624002 CR4: 00000000001726f0
Jul  1 16:27:24 fileserver kernel: [76950.437345] Call Trace:
Jul  1 16:27:24 fileserver kernel: [76950.437351]  <TASK>
Jul  1 16:27:24 fileserver kernel: [76950.437358]  
remove_blocked_locks+0x91/0x1d0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437453]  
__destroy_client+0x1b4/0x2a0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437500]  
nfsd4_destroy_clientid+0xe6/0x1c0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437545]  
nfsd4_proc_compound+0x325/0x680 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437594]  
nfsd_dispatch+0xc6/0x210 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437652]  
svc_process_common+0x4c3/0x6a0 [sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437772]  ? 
__pfx_nfsd_dispatch+0x10/0x10 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.437837]  
svc_process+0x142/0x210 [sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437900]  svc_recv+0x7e5/0x9b0 
[sunrpc]
Jul  1 16:27:24 fileserver kernel: [76950.437955]  ? 
__pfx_nfsd+0x10/0x10 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.438008]  nfsd+0x8f/0xf0 [nfsd]
Jul  1 16:27:24 fileserver kernel: [76950.438058]  kthread+0xfc/0x230
Jul  1 16:27:24 fileserver kernel: [76950.438068]  ? 
__pfx_kthread+0x10/0x10
Jul  1 16:27:24 fileserver kernel: [76950.438077]  
ret_from_fork+0x231/0x260
Jul  1 16:27:24 fileserver kernel: [76950.438086]  ? 
__pfx_kthread+0x10/0x10
Jul  1 16:27:24 fileserver kernel: [76950.438094]  
ret_from_fork_asm+0x1a/0x30
Jul  1 16:27:24 fileserver kernel: [76950.438104]  </TASK>
Jul  1 16:27:24 fileserver kernel: [76950.438108] Modules linked in: 
rpcsec_gss_krb5 msr 8021q garp stp llc mrp binfmt_misc intel_rapl_msr 
intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp 
ipmi_ssif kvm_intel kvm snd_pcm irqbypass polyval_clmulni snd_timer 
ghash_clmulni_intel rapl ast snd intel_cstate drm_client_lib vga16fb 
soundcore drm_shmem_helper intel_uncore drm_kms_helper vgastate pcspkr 
iTCO_wdt mei_me intel_pmc_bxt iTCO_vendor_support i2c_algo_bit mei 
watchdog ioatdma evdev joydev acpi_power_meter ipmi_si acpi_ipmi 
ipmi_devintf ipmi_msghandler button sg nfsd nfs_acl lockd 
chacha20poly1305 fileserverth_rpcgss aesni_intel grace cryptd 
nfs_localio drbd drm sunrpc fuse lru_cache loop efi_pstore configfs 
ip_tables x_tables fileservertofs4 ext4 crc16 mbcache jbd2 efivarfs 
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor 
async_tx xor raid6_pq raid0 linear dm_mod raid1 hid_generic md_mod ses 
enclosure usbhid hid sd_mod ixgbe libie_fwlog xfrm_algo dca mdio_devres 
of_mdio ahci fixed_phy xhci_pci libahci fwnode_mdio mpt3sas ehci_pci
Jul  1 16:27:24 fileserver kernel: [76950.438181]  libphy raid_class 
xhci_hcd libata ehci_hcd mdio_bus scsi_transport_sas i2c_i801 usbcore 
ptp i2c_smbus lpc_ich scsi_mod pps_core usb_common mdio scsi_common wmi
Jul  1 16:27:24 fileserver kernel: [76950.439549] CR2: 0000000000000000
Jul  1 16:27:24 fileserver kernel: [76950.439820] ---[ end trace 
0000000000000000 ]---


> 
> While you're at it: roughly what was the server doing (client count,
> NFS version, and was an "exportfs -r", mount, or umount in play), and
> does it reproduce or was it a one-off after ~1 day?

NFS 4.2 with sec=krb5p

The kernel of the clients vary, a lot have a 6.18 kernel, but a lot also 
use their distribution kernels.

I would think that at that moment when it crashed about 50 people were 
still using it. Probably quit some people where shuting down der clients 
at that time as it was almost 16:30.

It happened suddenly. Nothing special on the server.

It wasn't a reproduce, it was the first time 6.18.37 was running, I 
upgraded to 6.18.37 the evening before.

We had to hard reset the server after about 1/2 our as neither rebooting 
nor syncing seemed to make progress.

As this did some damage to the filesystem we hat to fsck it which needed 
some time so I decided to downgrade to 6.18.36 again.

> 
> 2. The revert test, if you're willing to spend the rebuild. On a
> v6.18.37 tree:
> 
>     git revert --no-edit 95f9eb19d5e6
> 
> That reverts the revert -- i.e. restores the 6.18.36 behavior for this
> code. If that build stays healthy, it strongly implicates the change;
> if it still locks up, we've ruled it out and should look at the NFSv4
> laundromat/grace-period path instead. One caveat: this also brings
> back a separate problem the revert fixed (a lingering mount reference
> that can make "exportfs -r" followed by umount fail with EBUSY), so
> treat it as a diagnostic build, not something to run long term.
> 

Ok, I think this would be acceptable. Maybe I encountered that in 
6.18.19, I wrote a report that nfsd got stuck when rebooting, but maybe 
it is something different as it seems to have disappeared in the last 
6.18 kernels.

So I will give 3.18.37 with this change reverted a try.

Regards and thanks for your help,
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-02 16:53   ` Wolfgang Walter
@ 2026-07-03 16:03     ` Chuck Lever
  2026-07-03 18:30       ` Wolfgang Walter
  0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever @ 2026-07-03 16:03 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hi Wolfgang, and stable@ --

Short version for stable@: 6.18.37 does not need a revert of
95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
put callbacks'").  That commit is correct for 6.18, and it is
not the cause of Wolfgang's crash.  Please leave it in place.

The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
export.h, and nfsctl.c.  Wolfgang's oops is in
remove_blocked_locks() -> __destroy_client() ->
nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
which the revert does not modify.  That path is byte-for-byte
identical across 6.18.36, 6.18.37, and current mainline, so the
revert cannot have introduced the bug and no missing backport
repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
coincidence; I believe the same latent bug is present in both.

Because the defect is present upstream as well, the fix belongs
in mainline first and is then backported to 6.18.y and the other
affected trees.

Wolfgang - to confirm this and capture the allocation and free
stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
tree:

  1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
     symbols resolve):

       CONFIG_KASAN=y
       CONFIG_KASAN_GENERIC=y
       CONFIG_KASAN_INLINE=y
       CONFIG_STACKTRACE=y

  2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
     need the revert-the-revert build I suggested earlier; that
     experiment no longer tells us anything.

  3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
     report with "Allocated by" and "Freed by" call stacks.
     That report, in full, is what I need -- it should land in
     /var/log/messages just as the last oops did.

One caveat: KASAN roughly doubles memory use and adds CPU cost,
so weigh that before running it on the production server.  If
that is not practical, a full log from the first stall line
onward, with all CPU backtraces, captured over netconsole or
serial, is a useful second best.

I will draft a candidate upstream fix from the analysis so far
and send it separately.  If KASAN on the production box is not
an option, testing that patch may be the least disruptive way
to confirm.

Thanks for the careful report and the bisect.

Chuck

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-03 16:03     ` Chuck Lever
@ 2026-07-03 18:30       ` Wolfgang Walter
  2026-07-03 20:59         ` Chuck Lever
  0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-03 18:30 UTC (permalink / raw)
  To: Chuck Lever
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, Yang Erkun, linux-nfs

Hello Chuck,

Am 2026-07-03 18:03, schrieb Chuck Lever:
> Hi Wolfgang, and stable@ --
> 
> Short version for stable@: 6.18.37 does not need a revert of
> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
> put callbacks'").  That commit is correct for 6.18, and it is
> not the cause of Wolfgang's crash.  Please leave it in place.

Ok. I run v6.18.37 with the patch reverted since about a day (just for 
the record). But according to your analysis, that's just a coincidence.

> 
> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
> export.h, and nfsctl.c.  Wolfgang's oops is in
> remove_blocked_locks() -> __destroy_client() ->
> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
> which the revert does not modify.  That path is byte-for-byte
> identical across 6.18.36, 6.18.37, and current mainline, so the
> revert cannot have introduced the bug and no missing backport
> repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
> coincidence; I believe the same latent bug is present in both.
> 
> Because the defect is present upstream as well, the fix belongs
> in mainline first and is then backported to 6.18.y and the other
> affected trees.
> 
> Wolfgang - to confirm this and capture the allocation and free
> stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
> tree:
> 
>   1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
>      symbols resolve):
> 
>        CONFIG_KASAN=y
>        CONFIG_KASAN_GENERIC=y
>        CONFIG_KASAN_INLINE=y
>        CONFIG_STACKTRACE=y
> 
>   2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
>      need the revert-the-revert build I suggested earlier; that
>      experiment no longer tells us anything.
> 
>   3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
>      report with "Allocated by" and "Freed by" call stacks.
>      That report, in full, is what I need -- it should land in
>      /var/log/messages just as the last oops did.
> 
> One caveat: KASAN roughly doubles memory use and adds CPU cost,
> so weigh that before running it on the production server.  If
> that is not practical, a full log from the first stall line
> onward, with all CPU backtraces, captured over netconsole or
> serial, is a useful second best.
> 
> I will draft a candidate upstream fix from the analysis so far
> and send it separately.  If KASAN on the production box is not
> an option, testing that patch may be the least disruptive way
> to confirm.
> 

I think the memory usage should not be a problem, higher cpu usage 
neither.

But as it is a coincidence the probability to catch that error is 
probably very low. We use v6.18 kernels since v6.18.1 on that fileserver 
and this error never occured before.

Or do you think it happens more often, but without symptoms, and KASAN 
would detect it?

So I will try running a v3.18.37 + your patch applied. This of course 
can not prove that it fixes the problem because it almost never happens, 
but probably this would detect if if the patch had side effects.

Regards,
-- 
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
  2026-07-03 18:30       ` Wolfgang Walter
@ 2026-07-03 20:59         ` Chuck Lever
  0 siblings, 0 replies; 6+ messages in thread
From: Chuck Lever @ 2026-07-03 20:59 UTC (permalink / raw)
  To: Wolfgang Walter
  Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
	Alexandr Alexandrov, yangerkun, linux-nfs



On Fri, Jul 3, 2026, at 2:30 PM, Wolfgang Walter wrote:
> Hello Chuck,
>
> Am 2026-07-03 18:03, schrieb Chuck Lever:
>> Hi Wolfgang, and stable@ --
>> 
>> Short version for stable@: 6.18.37 does not need a revert of
>> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
>> put callbacks'").  That commit is correct for 6.18, and it is
>> not the cause of Wolfgang's crash.  Please leave it in place.
>
> Ok. I run v6.18.37 with the patch reverted since about a day (just for 
> the record). But according to your analysis, that's just a coincidence.
>
>> 
>> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
>> export.h, and nfsctl.c.  Wolfgang's oops is in
>> remove_blocked_locks() -> __destroy_client() ->
>> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
>> which the revert does not modify.  That path is byte-for-byte
>> identical across 6.18.36, 6.18.37, and current mainline, so the
>> revert cannot have introduced the bug and no missing backport
>> repairs it.  The 6.18.36-good / 6.18.37-bad split is a timing
>> coincidence; I believe the same latent bug is present in both.
>> 
>> Because the defect is present upstream as well, the fix belongs
>> in mainline first and is then backported to 6.18.y and the other
>> affected trees.
>> 
>> Wolfgang - to confirm this and capture the allocation and free
>> stacks, a KASAN-enabled kernel would settle it.  On a v6.18.37
>> tree:
>> 
>>   1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
>>      symbols resolve):
>> 
>>        CONFIG_KASAN=y
>>        CONFIG_KASAN_GENERIC=y
>>        CONFIG_KASAN_INLINE=y
>>        CONFIG_STACKTRACE=y
>> 
>>   2. Build and boot that kernel.  Stay on 6.18.37 -- you do not
>>      need the revert-the-revert build I suggested earlier; that
>>      experiment no longer tells us anything.
>> 
>>   3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
>>      report with "Allocated by" and "Freed by" call stacks.
>>      That report, in full, is what I need -- it should land in
>>      /var/log/messages just as the last oops did.
>> 
>> One caveat: KASAN roughly doubles memory use and adds CPU cost,
>> so weigh that before running it on the production server.  If
>> that is not practical, a full log from the first stall line
>> onward, with all CPU backtraces, captured over netconsole or
>> serial, is a useful second best.
>> 
>> I will draft a candidate upstream fix from the analysis so far
>> and send it separately.  If KASAN on the production box is not
>> an option, testing that patch may be the least disruptive way
>> to confirm.
>> 
>
> I think the memory usage should not be a problem, higher cpu usage 
> neither.
>
> But as it is a coincidence the probability to catch that error is 
> probably very low. We use v6.18 kernels since v6.18.1 on that fileserver 
> and this error never occured before.
>
> Or do you think it happens more often, but without symptoms, and KASAN 
> would detect it?
>
> So I will try running a v3.18.37 + your patch applied. This of course 
> can not prove that it fixes the problem because it almost never happens, 
> but probably this would detect if if the patch had side effects.

Correct: your reproduction of the crash does not appear to
be strongly correlated with any particular kernel release. I
based my analysis strictly on the additional stack trace data
you sent earlier today.

I think it's more likely that your 50 client workload hit a
particular race that exposed a pre-existing UAF. KASAN will
change execution timing, certainly, but I can't predict
whether it will make the race window bigger.

So you can only test whether my patch causes new regressions,
not whether it prevents your crasher. :-(


-- 
Chuck Lever

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-07-03 20:59 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 16:14 6.18.37 has problems with nfs4 (server), 6.18.36 works Wolfgang Walter
2026-07-01 23:43 ` Chuck Lever
2026-07-02 16:53   ` Wolfgang Walter
2026-07-03 16:03     ` Chuck Lever
2026-07-03 18:30       ` Wolfgang Walter
2026-07-03 20:59         ` Chuck Lever

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox