* 6.18.37 has problems with nfs4 (server), 6.18.36 works
@ 2026-07-01 16:14 Wolfgang Walter
2026-07-01 23:43 ` Chuck Lever
0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-01 16:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Alexandr Alexandrov,
Yang Erkun, Chuck Lever
Hello,
after upgrading to v6.18.37 our nfs-server had problems after about 1
day. I do not dare to bisect it as caused a relative long downtime.
I would consider running av6.18.37 with
Revert "NFSD: Defer sub-object cleanup in export put callbacks"
reverted if this makes sense.
Of course I'm not sure if this was introduced wth 6.18.37 but we never
saw that with earlier versions of v6.18.37.
Here is what it logged when ist started:
[77046.588449] R10: 00000000000c0000 R11: dc8c000000000000 R12:
ffff8ae33e7ff630
[77046.588450] R13: ffff8ae49b33e14c R14: ffff8ae1b8008000 R15:
ffff8ae49b33e138
[77046.588451] FS: 0000000000000000(0000) GS:ffff8ae7065cf000(0000)
knlGS:0000000000000000
[77046.588453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[77046.588454] CR2: 0000000000000000 CR3: 00000011a3624002 CR4:
00000000001726f0
[77046.588456] Call Trace:
[77046.588457] <TASK>
[77046.588458] ? __state_in_grace+0x2a/0xc0 [grace]
[77046.588461] _raw_spin_lock+0x29/0x30
[77046.588464] nfsd4_lock+0xbcd/0x1690 [nfsd]
[77046.588511] nfsd4_proc_compound+0x325/0x680 [nfsd]
[77046.588553] nfsd_dispatch+0xc6/0x210 [nfsd]
[77046.588598] svc_process_common+0x4c3/0x6a0 [sunrpc]
[77046.588648] ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd]
[77046.588692] svc_process+0x142/0x210 [sunrpc]
[77046.588737] svc_recv+0x7e5/0x9b0 [sunrpc]
[77046.588782] ? __pfx_nfsd+0x10/0x10 [nfsd]
[77046.588826] nfsd+0x8f/0xf0 [nfsd]
[77046.588867] kthread+0xfc/0x230
[77046.588870] ? __pfx_kthread+0x10/0x10
[77046.588873] ret_from_fork+0x231/0x260
[77046.588875] ? __pfx_kthread+0x10/0x10
[77046.588878] ret_from_fork_asm+0x1a/0x30
[77046.588881] </TASK>
[77046.596608] watchdog: BUG: soft lockup - CPU#16 stuck for 75s!
[kworker/u97:6:227618]
[77046.596612] Modules linked in: rpcsec_gss_krb5 msr 8021q garp stp llc
mrp binfmt_misc intel_rapl_msr intel_rapl_common sb_edac
x86_pkg_temp_thermal intel_powerclamp coretemp ipmi_ssif kvm_intel kvm
snd_pcm irqbypass polyval_clmulni snd_timer ghash_clmulni_intel rapl ast
snd intel_cstate drm_client_lib vga16fb soundcore drm_shmem_helper
intel_uncore drm_kms_helper vgastate pcspkr iTCO_wdt mei_me
intel_pmc_bxt iTCO_vendor_support i2c_algo_bit mei watchdog ioatdma
evdev joydev acpi_power_meter ipmi_si acpi_ipmi ipmi_devintf
ipmi_msghandler button sg nfsd nfs_acl lockd chacha20poly1305
auth_rpcgss aesni_intel grace cryptd nfs_localio drbd drm sunrpc fuse
lru_cache loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16
mbcache jbd2 efivarfs raid10 raid456 async_raid6_recov async_memcpy
async_pq async_xor async_tx xor raid6_pq raid0 linear dm_mod raid1
hid_generic md_mod ses enclosure usbhid hid sd_mod ixgbe libie_fwlog
xfrm_algo dca mdio_devres of_mdio ahci fixed_phy xhci_pci libahci
fwnode_mdio mpt3sas ehci_pci
[77046.596647] libphy raid_class xhci_hcd libata ehci_hcd mdio_bus
scsi_transport_sas i2c_i801 usbcore ptp i2c_smbus lpc_ich scsi_mod
pps_core usb_common mdio scsi_common wmi
[77046.596655] CPU: 16 UID: 0 PID: 227618 Comm: kworker/u97:6 Tainted: G
D L 6.18.37-debian64.all+1.3 #1 PREEMPT(full)
[77046.596658] Tainted: [D]=DIE, [L]=SOFTLOCKUP
[77046.596658] Hardware name: Supermicro X10DRi/X10DRI-T, BIOS 1.1a
10/16/2015
[77046.596659] Workqueue: nfsd4 laundromat_main [nfsd]
[77046.596702] RIP: 0010:native_queued_spin_lock_slowpath+0x28d/0x2c0
[77046.596706] Code: 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 40 31
4e 99 48 03 04 f5 80 f0 78 98 48 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42
08 <85> c0 74 f7 48 8b 32 48 85 f6 74 81 0f 18 0e e9 79 ff ff ff bf 01
[77046.596708] RSP: 0018:ffffd3abb77c3d70 EFLAGS: 00000246
[77046.596709] RAX: 0000000000000000 RBX: ffff8ae7072d80d0 RCX:
ffff8ae7072d812c
[77046.596710] RDX: ffff8ae69fcb2140 RSI: 0000000000000003 RDI:
ffff8ae7072d812c
[77046.596711] RBP: ffff8ae7072d812c R08: 0000000000440000 R09:
ffff8ae7067cf000
[77046.596713] R10: 0000000000440000 R11: ffff8ae7072d81e8 R12:
000000000000002f
[77046.596714] R13: ffffd3abb77c3e08 R14: ffff8ae7072d80b0 R15:
ffff8ae7072d80c0
[77046.596715] FS: 0000000000000000(0000) GS:ffff8ae7067cf000(0000)
knlGS:0000000000000000
[77046.596717] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[77046.596718] CR2: 00007f93e9a0e3d8 CR3: 00000011a3624005 CR4:
00000000001726f0
[77046.596719] Call Trace:
[77046.596721] <TASK>
[77046.596722] _raw_spin_lock+0x29/0x30
[77046.596725] laundromat_main+0x3c1/0x940 [nfsd]
[77046.596766] process_one_work+0x18c/0x350
[77046.596770] worker_thread+0x196/0x300
[77046.596772] ? __pfx_worker_thread+0x10/0x10
[77046.596775] kthread+0xfc/0x230
[77046.596778] ? __pfx_kthread+0x10/0x10
[77046.596780] ? __pfx_kthread+0x10/0x10
[77046.596783] ret_from_fork+0x231/0x260
[77046.596786] ? __pfx_kthread+0x10/0x10
[77046.596788] ret_from_fork_asm+0x1a/0x30
[77046.596791] </TASK>
[77047.256123] rcu: INFO: rcu_preempt self-detected stall on CPU
[77047.256431] rcu: 13-....: (83975 ticks this GP)
idle=4dc4/1/0x4000000000000000 softirq=9553877/9553878 fqs=41109
[77047.256701] rcu: (t=84006 jiffies g=22811861 q=552187 ncpus=24)
[77047.256973] CPU: 13 UID: 0 PID: 8887 Comm: nfsd Tainted: G D
L 6.18.37-debian64.all+1.3 #1 PREEMPT(full)
[77047.256976] Tainted: [D]=DIE, [L]=SOFTLOCKUP
Regards
--
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
2026-07-01 16:14 6.18.37 has problems with nfs4 (server), 6.18.36 works Wolfgang Walter
@ 2026-07-01 23:43 ` Chuck Lever
2026-07-02 16:53 ` Wolfgang Walter
0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever @ 2026-07-01 23:43 UTC (permalink / raw)
To: Wolfgang Walter
Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
Alexandr Alexandrov, Yang Erkun, linux-nfs
Hi Wolfgang,
Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.
You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
'NFSD: Defer sub-object cleanup in export put callbacks'") is the
*only* change to the NFS server between 6.18.36 and 6.18.37, so an
A/B test around it is exactly the right experiment. Two things would
let us pin this down.
1. The full kernel log. The trace you sent begins in the middle of a
register dump, and the task that actually triggered the stall isn't
in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
backtrace is above where your paste starts. Could you send the
complete log from the first "soft lockup" / "rcu ... stall" /
"hung task" line onward, with all CPU backtraces? The part before
what you already sent is the piece I need. If the machine wedges
hard, a serial console or netconsole capture (or pstore/ramoops read
back after reboot) will get the whole thing.
While you're at it: roughly what was the server doing (client count,
NFS version, and was an "exportfs -r", mount, or umount in play), and
does it reproduce or was it a one-off after ~1 day?
2. The revert test, if you're willing to spend the rebuild. On a
v6.18.37 tree:
git revert --no-edit 95f9eb19d5e6
That reverts the revert -- i.e. restores the 6.18.36 behavior for this
code. If that build stays healthy, it strongly implicates the change;
if it still locks up, we've ruled it out and should look at the NFSv4
laundromat/grace-period path instead. One caveat: this also brings
back a separate problem the revert fixed (a lingering mount reference
that can make "exportfs -r" followed by umount fail with EBUSY), so
treat it as a diagnostic build, not something to run long term.
With the full backtrace I can usually tell quickly whether the export
cache change is even on the code path that hung, or whether 6.18.37
just happened to expose something else.
--
Chuck Lever
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
2026-07-01 23:43 ` Chuck Lever
@ 2026-07-02 16:53 ` Wolfgang Walter
2026-07-03 16:03 ` Chuck Lever
0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-02 16:53 UTC (permalink / raw)
To: Chuck Lever
Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
Alexandr Alexandrov, Yang Erkun, linux-nfs
Hi!
Am 2026-07-02 01:43, schrieb Chuck Lever:
> Hi Wolfgang,
>
> Thanks for the report, and for narrowing it to 6.18.36 vs 6.18.37.
>
> You've picked the right commit to suspect: 95f9eb19d5e6 ("Revert
> 'NFSD: Defer sub-object cleanup in export put callbacks'") is the
> *only* change to the NFS server between 6.18.36 and 6.18.37, so an
> A/B test around it is exactly the right experiment. Two things would
> let us pin this down.
>
> 1. The full kernel log. The trace you sent begins in the middle of a
> register dump, and the task that actually triggered the stall isn't
> in it -- the RCU stall names CPU 13 / PID 8887 (nfsd), and that
> backtrace is above where your paste starts. Could you send the
> complete log from the first "soft lockup" / "rcu ... stall" /
> "hung task" line onward, with all CPU backtraces? The part before
> what you already sent is the piece I need. If the machine wedges
> hard, a serial console or netconsole capture (or pstore/ramoops read
> back after reboot) will get the whole thing.
systemd-journald didn't catch it. But /var/log/messages seems to have
logged it, hope this is it:
Jul 1 16:27:24 fileserver kernel: [76950.437185] PGD 0 P4D 0
Jul 1 16:27:24 fileserver kernel: [76950.437193] Oops: Oops: 0000 [#1]
SMP NOPTI
Jul 1 16:27:24 fileserver kernel: [76950.437202] CPU: 2 UID: 0 PID:
8844 Comm: nfsd Not tainted 6.18.37-debian64.all+1.3 #1 PREEMPT(full)
Jul 1 16:27:24 fileserver kernel: [76950.437215] Hardware name:
Supermicro X10DRi/X10DRI-T, BIOS 1.1a 10/16/2015
Jul 1 16:27:24 fileserver kernel: [76950.437225] RIP:
0010:__list_del_entry_valid_or_report+0x8/0x110
Jul 1 16:27:24 fileserver kernel: [76950.437240] Code: 48 89 c1 e8 ea
18 94 ff 0f 0b 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 f3 0f 1e fa 48 83 ec 10 <48> 8b 17 48 8b 4f 08 48 89 fe
48 85 d2 0f 84 b8 a3 95 ff 48 85 c9
Jul 1 16:27:24 fileserver kernel: [76950.437262] RSP:
0018:ffffd3aba4433c88 EFLAGS: 00010286
Jul 1 16:27:24 fileserver kernel: [76950.437271] RAX: 0000000000000000
RBX: 0000000000000000 RCX: ffff8acfa99d4e10
Jul 1 16:27:24 fileserver kernel: [76950.437281] RDX: 0000000000000001
RSI: 0000000000000001 RDI: 0000000000000000
Jul 1 16:27:24 fileserver kernel: [76950.437290] RBP: ffffffff99659a00
R08: 0000000000480000 R09: ffff8ae70680f000
Jul 1 16:27:24 fileserver kernel: [76950.437299] R10: 0000000000480000
R11: 0000000000000002 R12: ffffd3aba4433ca8
Jul 1 16:27:24 fileserver kernel: [76950.437308] R13: ffff8acfa99d4e10
R14: ffff8acfa99d4f68 R15: ffff8ae7072d8000
Jul 1 16:27:24 fileserver kernel: [76950.437318] FS:
0000000000000000(0000) GS:ffff8ae7065cf000(0000) knlGS:0000000000000000
Jul 1 16:27:24 fileserver kernel: [76950.437328] CS: 0010 DS: 0000 ES:
0000 CR0: 0000000080050033
Jul 1 16:27:24 fileserver kernel: [76950.437336] CR2: 0000000000000000
CR3: 00000011a3624002 CR4: 00000000001726f0
Jul 1 16:27:24 fileserver kernel: [76950.437345] Call Trace:
Jul 1 16:27:24 fileserver kernel: [76950.437351] <TASK>
Jul 1 16:27:24 fileserver kernel: [76950.437358]
remove_blocked_locks+0x91/0x1d0 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437453]
__destroy_client+0x1b4/0x2a0 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437500]
nfsd4_destroy_clientid+0xe6/0x1c0 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437545]
nfsd4_proc_compound+0x325/0x680 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437594]
nfsd_dispatch+0xc6/0x210 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437652]
svc_process_common+0x4c3/0x6a0 [sunrpc]
Jul 1 16:27:24 fileserver kernel: [76950.437772] ?
__pfx_nfsd_dispatch+0x10/0x10 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.437837]
svc_process+0x142/0x210 [sunrpc]
Jul 1 16:27:24 fileserver kernel: [76950.437900] svc_recv+0x7e5/0x9b0
[sunrpc]
Jul 1 16:27:24 fileserver kernel: [76950.437955] ?
__pfx_nfsd+0x10/0x10 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.438008] nfsd+0x8f/0xf0 [nfsd]
Jul 1 16:27:24 fileserver kernel: [76950.438058] kthread+0xfc/0x230
Jul 1 16:27:24 fileserver kernel: [76950.438068] ?
__pfx_kthread+0x10/0x10
Jul 1 16:27:24 fileserver kernel: [76950.438077]
ret_from_fork+0x231/0x260
Jul 1 16:27:24 fileserver kernel: [76950.438086] ?
__pfx_kthread+0x10/0x10
Jul 1 16:27:24 fileserver kernel: [76950.438094]
ret_from_fork_asm+0x1a/0x30
Jul 1 16:27:24 fileserver kernel: [76950.438104] </TASK>
Jul 1 16:27:24 fileserver kernel: [76950.438108] Modules linked in:
rpcsec_gss_krb5 msr 8021q garp stp llc mrp binfmt_misc intel_rapl_msr
intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp
ipmi_ssif kvm_intel kvm snd_pcm irqbypass polyval_clmulni snd_timer
ghash_clmulni_intel rapl ast snd intel_cstate drm_client_lib vga16fb
soundcore drm_shmem_helper intel_uncore drm_kms_helper vgastate pcspkr
iTCO_wdt mei_me intel_pmc_bxt iTCO_vendor_support i2c_algo_bit mei
watchdog ioatdma evdev joydev acpi_power_meter ipmi_si acpi_ipmi
ipmi_devintf ipmi_msghandler button sg nfsd nfs_acl lockd
chacha20poly1305 fileserverth_rpcgss aesni_intel grace cryptd
nfs_localio drbd drm sunrpc fuse lru_cache loop efi_pstore configfs
ip_tables x_tables fileservertofs4 ext4 crc16 mbcache jbd2 efivarfs
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx xor raid6_pq raid0 linear dm_mod raid1 hid_generic md_mod ses
enclosure usbhid hid sd_mod ixgbe libie_fwlog xfrm_algo dca mdio_devres
of_mdio ahci fixed_phy xhci_pci libahci fwnode_mdio mpt3sas ehci_pci
Jul 1 16:27:24 fileserver kernel: [76950.438181] libphy raid_class
xhci_hcd libata ehci_hcd mdio_bus scsi_transport_sas i2c_i801 usbcore
ptp i2c_smbus lpc_ich scsi_mod pps_core usb_common mdio scsi_common wmi
Jul 1 16:27:24 fileserver kernel: [76950.439549] CR2: 0000000000000000
Jul 1 16:27:24 fileserver kernel: [76950.439820] ---[ end trace
0000000000000000 ]---
>
> While you're at it: roughly what was the server doing (client count,
> NFS version, and was an "exportfs -r", mount, or umount in play), and
> does it reproduce or was it a one-off after ~1 day?
NFS 4.2 with sec=krb5p
The kernel of the clients vary, a lot have a 6.18 kernel, but a lot also
use their distribution kernels.
I would think that at that moment when it crashed about 50 people were
still using it. Probably quit some people where shuting down der clients
at that time as it was almost 16:30.
It happened suddenly. Nothing special on the server.
It wasn't a reproduce, it was the first time 6.18.37 was running, I
upgraded to 6.18.37 the evening before.
We had to hard reset the server after about 1/2 our as neither rebooting
nor syncing seemed to make progress.
As this did some damage to the filesystem we hat to fsck it which needed
some time so I decided to downgrade to 6.18.36 again.
>
> 2. The revert test, if you're willing to spend the rebuild. On a
> v6.18.37 tree:
>
> git revert --no-edit 95f9eb19d5e6
>
> That reverts the revert -- i.e. restores the 6.18.36 behavior for this
> code. If that build stays healthy, it strongly implicates the change;
> if it still locks up, we've ruled it out and should look at the NFSv4
> laundromat/grace-period path instead. One caveat: this also brings
> back a separate problem the revert fixed (a lingering mount reference
> that can make "exportfs -r" followed by umount fail with EBUSY), so
> treat it as a diagnostic build, not something to run long term.
>
Ok, I think this would be acceptable. Maybe I encountered that in
6.18.19, I wrote a report that nfsd got stuck when rebooting, but maybe
it is something different as it seems to have disappeared in the last
6.18 kernels.
So I will give 3.18.37 with this change reverted a try.
Regards and thanks for your help,
--
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
2026-07-02 16:53 ` Wolfgang Walter
@ 2026-07-03 16:03 ` Chuck Lever
2026-07-03 18:30 ` Wolfgang Walter
0 siblings, 1 reply; 6+ messages in thread
From: Chuck Lever @ 2026-07-03 16:03 UTC (permalink / raw)
To: Wolfgang Walter
Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
Alexandr Alexandrov, Yang Erkun, linux-nfs
Hi Wolfgang, and stable@ --
Short version for stable@: 6.18.37 does not need a revert of
95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
put callbacks'"). That commit is correct for 6.18, and it is
not the cause of Wolfgang's crash. Please leave it in place.
The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
export.h, and nfsctl.c. Wolfgang's oops is in
remove_blocked_locks() -> __destroy_client() ->
nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
which the revert does not modify. That path is byte-for-byte
identical across 6.18.36, 6.18.37, and current mainline, so the
revert cannot have introduced the bug and no missing backport
repairs it. The 6.18.36-good / 6.18.37-bad split is a timing
coincidence; I believe the same latent bug is present in both.
Because the defect is present upstream as well, the fix belongs
in mainline first and is then backported to 6.18.y and the other
affected trees.
Wolfgang - to confirm this and capture the allocation and free
stacks, a KASAN-enabled kernel would settle it. On a v6.18.37
tree:
1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
symbols resolve):
CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_KASAN_INLINE=y
CONFIG_STACKTRACE=y
2. Build and boot that kernel. Stay on 6.18.37 -- you do not
need the revert-the-revert build I suggested earlier; that
experiment no longer tells us anything.
3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
report with "Allocated by" and "Freed by" call stacks.
That report, in full, is what I need -- it should land in
/var/log/messages just as the last oops did.
One caveat: KASAN roughly doubles memory use and adds CPU cost,
so weigh that before running it on the production server. If
that is not practical, a full log from the first stall line
onward, with all CPU backtraces, captured over netconsole or
serial, is a useful second best.
I will draft a candidate upstream fix from the analysis so far
and send it separately. If KASAN on the production box is not
an option, testing that patch may be the least disruptive way
to confirm.
Thanks for the careful report and the bisect.
Chuck
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
2026-07-03 16:03 ` Chuck Lever
@ 2026-07-03 18:30 ` Wolfgang Walter
2026-07-03 20:59 ` Chuck Lever
0 siblings, 1 reply; 6+ messages in thread
From: Wolfgang Walter @ 2026-07-03 18:30 UTC (permalink / raw)
To: Chuck Lever
Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
Alexandr Alexandrov, Yang Erkun, linux-nfs
Hello Chuck,
Am 2026-07-03 18:03, schrieb Chuck Lever:
> Hi Wolfgang, and stable@ --
>
> Short version for stable@: 6.18.37 does not need a revert of
> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
> put callbacks'"). That commit is correct for 6.18, and it is
> not the cause of Wolfgang's crash. Please leave it in place.
Ok. I run v6.18.37 with the patch reverted since about a day (just for
the record). But according to your analysis, that's just a coincidence.
>
> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
> export.h, and nfsctl.c. Wolfgang's oops is in
> remove_blocked_locks() -> __destroy_client() ->
> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
> which the revert does not modify. That path is byte-for-byte
> identical across 6.18.36, 6.18.37, and current mainline, so the
> revert cannot have introduced the bug and no missing backport
> repairs it. The 6.18.36-good / 6.18.37-bad split is a timing
> coincidence; I believe the same latent bug is present in both.
>
> Because the defect is present upstream as well, the fix belongs
> in mainline first and is then backported to 6.18.y and the other
> affected trees.
>
> Wolfgang - to confirm this and capture the allocation and free
> stacks, a KASAN-enabled kernel would settle it. On a v6.18.37
> tree:
>
> 1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
> symbols resolve):
>
> CONFIG_KASAN=y
> CONFIG_KASAN_GENERIC=y
> CONFIG_KASAN_INLINE=y
> CONFIG_STACKTRACE=y
>
> 2. Build and boot that kernel. Stay on 6.18.37 -- you do not
> need the revert-the-revert build I suggested earlier; that
> experiment no longer tells us anything.
>
> 3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
> report with "Allocated by" and "Freed by" call stacks.
> That report, in full, is what I need -- it should land in
> /var/log/messages just as the last oops did.
>
> One caveat: KASAN roughly doubles memory use and adds CPU cost,
> so weigh that before running it on the production server. If
> that is not practical, a full log from the first stall line
> onward, with all CPU backtraces, captured over netconsole or
> serial, is a useful second best.
>
> I will draft a candidate upstream fix from the analysis so far
> and send it separately. If KASAN on the production box is not
> an option, testing that patch may be the least disruptive way
> to confirm.
>
I think the memory usage should not be a problem, higher cpu usage
neither.
But as it is a coincidence the probability to catch that error is
probably very low. We use v6.18 kernels since v6.18.1 on that fileserver
and this error never occured before.
Or do you think it happens more often, but without symptoms, and KASAN
would detect it?
So I will try running a v3.18.37 + your patch applied. This of course
can not prove that it fixes the problem because it almost never happens,
but probably this would detect if if the patch had side effects.
Regards,
--
Wolfgang Walter
Studierendenwerk München Oberbayern
Anstalt des öffentlichen Rechts
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: 6.18.37 has problems with nfs4 (server), 6.18.36 works
2026-07-03 18:30 ` Wolfgang Walter
@ 2026-07-03 20:59 ` Chuck Lever
0 siblings, 0 replies; 6+ messages in thread
From: Chuck Lever @ 2026-07-03 20:59 UTC (permalink / raw)
To: Wolfgang Walter
Cc: stable, Greg Kroah-Hartman, patches, Jeff Layton,
Alexandr Alexandrov, yangerkun, linux-nfs
On Fri, Jul 3, 2026, at 2:30 PM, Wolfgang Walter wrote:
> Hello Chuck,
>
> Am 2026-07-03 18:03, schrieb Chuck Lever:
>> Hi Wolfgang, and stable@ --
>>
>> Short version for stable@: 6.18.37 does not need a revert of
>> 95f9eb19d5e6 ("Revert 'NFSD: Defer sub-object cleanup in export
>> put callbacks'"). That commit is correct for 6.18, and it is
>> not the cause of Wolfgang's crash. Please leave it in place.
>
> Ok. I run v6.18.37 with the patch reverted since about a day (just for
> the record). But according to your analysis, that's just a coincidence.
>
>>
>> The reasoning: 95f9eb19d5e6 touches only fs/nfsd/export.c,
>> export.h, and nfsctl.c. Wolfgang's oops is in
>> remove_blocked_locks() -> __destroy_client() ->
>> nfsd4_destroy_clientid(), entirely within fs/nfsd/nfs4state.c,
>> which the revert does not modify. That path is byte-for-byte
>> identical across 6.18.36, 6.18.37, and current mainline, so the
>> revert cannot have introduced the bug and no missing backport
>> repairs it. The 6.18.36-good / 6.18.37-bad split is a timing
>> coincidence; I believe the same latent bug is present in both.
>>
>> Because the defect is present upstream as well, the fix belongs
>> in mainline first and is then backported to 6.18.y and the other
>> affected trees.
>>
>> Wolfgang - to confirm this and capture the allocation and free
>> stacks, a KASAN-enabled kernel would settle it. On a v6.18.37
>> tree:
>>
>> 1. Add to your .config (keep your usual CONFIG_DEBUG_INFO so
>> symbols resolve):
>>
>> CONFIG_KASAN=y
>> CONFIG_KASAN_GENERIC=y
>> CONFIG_KASAN_INLINE=y
>> CONFIG_STACKTRACE=y
>>
>> 2. Build and boot that kernel. Stay on 6.18.37 -- you do not
>> need the revert-the-revert build I suggested earlier; that
>> experiment no longer tells us anything.
>>
>> 3. When it trips, KASAN prints a "BUG: KASAN: use-after-free"
>> report with "Allocated by" and "Freed by" call stacks.
>> That report, in full, is what I need -- it should land in
>> /var/log/messages just as the last oops did.
>>
>> One caveat: KASAN roughly doubles memory use and adds CPU cost,
>> so weigh that before running it on the production server. If
>> that is not practical, a full log from the first stall line
>> onward, with all CPU backtraces, captured over netconsole or
>> serial, is a useful second best.
>>
>> I will draft a candidate upstream fix from the analysis so far
>> and send it separately. If KASAN on the production box is not
>> an option, testing that patch may be the least disruptive way
>> to confirm.
>>
>
> I think the memory usage should not be a problem, higher cpu usage
> neither.
>
> But as it is a coincidence the probability to catch that error is
> probably very low. We use v6.18 kernels since v6.18.1 on that fileserver
> and this error never occured before.
>
> Or do you think it happens more often, but without symptoms, and KASAN
> would detect it?
>
> So I will try running a v3.18.37 + your patch applied. This of course
> can not prove that it fixes the problem because it almost never happens,
> but probably this would detect if if the patch had side effects.
Correct: your reproduction of the crash does not appear to
be strongly correlated with any particular kernel release. I
based my analysis strictly on the additional stack trace data
you sent earlier today.
I think it's more likely that your 50 client workload hit a
particular race that exposed a pre-existing UAF. KASAN will
change execution timing, certainly, but I can't predict
whether it will make the race window bigger.
So you can only test whether my patch causes new regressions,
not whether it prevents your crasher. :-(
--
Chuck Lever
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-07-03 20:59 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 16:14 6.18.37 has problems with nfs4 (server), 6.18.36 works Wolfgang Walter
2026-07-01 23:43 ` Chuck Lever
2026-07-02 16:53 ` Wolfgang Walter
2026-07-03 16:03 ` Chuck Lever
2026-07-03 18:30 ` Wolfgang Walter
2026-07-03 20:59 ` Chuck Lever
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox